From e0d8794df7f0611ab23e2ce4fed4478361b7425a Mon Sep 17 00:00:00 2001 From: OPSXCQ Date: Thu, 8 Feb 2018 13:06:34 -0300 Subject: [PATCH] update --- textfiles.com/phreak/PHREAKING/confrnce.txt | 226 + textfiles.com/phreak/PHREAKING/dict.txt | 631 + textfiles.com/phreak/PHREAKING/dictiona | 423 + textfiles.com/phreak/PHREAKING/diverter.txt | 106 + textfiles.com/phreak/PHREAKING/dlbust.txt | 92 + textfiles.com/phreak/PHREAKING/do-not | 35 + textfiles.com/phreak/PHREAKING/elfhack.txt | 58 + textfiles.com/phreak/PHREAKING/euroblue.phk | 196 + textfiles.com/phreak/PHREAKING/ffpp.phk | Bin 0 -> 7673 bytes textfiles.com/phreak/PHREAKING/fieldphr.txt | 193 + textfiles.com/phreak/PHREAKING/freakusa.txt | 84 + textfiles.com/phreak/PHREAKING/freknum.txt | 407 + textfiles.com/phreak/PHREAKING/hack.3.txt | 155 + textfiles.com/phreak/PHREAKING/hack.txt | 717 + textfiles.com/phreak/PHREAKING/hackerab.txt | 165 + textfiles.com/phreak/PHREAKING/haiku.txt | 38 + textfiles.com/phreak/PHREAKING/histphre.txt | 294 + textfiles.com/phreak/PHREAKING/info5.hac | 72 + textfiles.com/phreak/PHREAKING/intervie.phk | 523 + textfiles.com/phreak/PHREAKING/jc.phreak | 837 + textfiles.com/phreak/PHREAKING/johnny.phk | 33 + textfiles.com/phreak/PHREAKING/lawsofph.txt | Bin 0 -> 4762 bytes textfiles.com/phreak/PHREAKING/mail-frd.mia | 211 + textfiles.com/phreak/PHREAKING/manual1.txt | 6599 ++++++++ textfiles.com/phreak/PHREAKING/manual2.txt | 6474 ++++++++ textfiles.com/phreak/PHREAKING/morality | 48 + textfiles.com/phreak/PHREAKING/morality.txt | 47 + textfiles.com/phreak/PHREAKING/nb90s1.txt | 36 + textfiles.com/phreak/PHREAKING/obsphrk.txt | 3482 ++++ textfiles.com/phreak/PHREAKING/part1_tx.txt | 745 + textfiles.com/phreak/PHREAKING/part2_tx.txt | 1621 ++ textfiles.com/phreak/PHREAKING/part3_tx.hac | 1454 ++ textfiles.com/phreak/PHREAKING/ph08.txt | 631 + textfiles.com/phreak/PHREAKING/phb | 13075 +++++++++++++++ textfiles.com/phreak/PHREAKING/phbook.txt | 660 + textfiles.com/phreak/PHREAKING/phk90s.txt | 409 + textfiles.com/phreak/PHREAKING/phmanual.txt | 5602 +++++++ textfiles.com/phreak/PHREAKING/phoneb.phk | 1335 ++ textfiles.com/phreak/PHREAKING/phonehac.phk | 54 + textfiles.com/phreak/PHREAKING/phphil.txt | 116 + textfiles.com/phreak/PHREAKING/phrakman.txt | 13465 +++++++++++++++ textfiles.com/phreak/PHREAKING/phreagui.txt | 362 + textfiles.com/phreak/PHREAKING/phreahel.txt | 84 + textfiles.com/phreak/PHREAKING/phreak.in1 | 201 + textfiles.com/phreak/PHREAKING/phreak.inf | 366 + textfiles.com/phreak/PHREAKING/phreak.phk | 336 + textfiles.com/phreak/PHREAKING/phreak.txt | 236 + textfiles.com/phreak/PHREAKING/phreak1.bok | 166 + textfiles.com/phreak/PHREAKING/phreak1.doc | 254 + textfiles.com/phreak/PHREAKING/phreak101.phk | 207 + textfiles.com/phreak/PHREAKING/phreak2.txt | 356 + textfiles.com/phreak/PHREAKING/phreak28.phk | 113 + textfiles.com/phreak/PHREAKING/phreak90.txt | 406 + textfiles.com/phreak/PHREAKING/phreakbi.txt | 240 + textfiles.com/phreak/PHREAKING/phreaker.fun | 385 + .../phreak/PHREAKING/phreakers.dicti | 408 + textfiles.com/phreak/PHREAKING/phreakgo.hac | 91 + textfiles.com/phreak/PHREAKING/phreakh.ist | 474 + textfiles.com/phreak/PHREAKING/phreakhi.phk | 87 + textfiles.com/phreak/PHREAKING/phreakin.one | Bin 0 -> 11442 bytes textfiles.com/phreak/PHREAKING/phreakin.phk | 121 + textfiles.com/phreak/PHREAKING/phreakin.two | Bin 0 -> 12263 bytes textfiles.com/phreak/PHREAKING/phreakin.usa | 76 + textfiles.com/phreak/PHREAKING/phreakla.phk | 55 + textfiles.com/phreak/PHREAKING/phreakman.hac | 12446 ++++++++++++++ textfiles.com/phreak/PHREAKING/phreakri.txt | 167 + textfiles.com/phreak/PHREAKING/phreaks.txt | 340 + textfiles.com/phreak/PHREAKING/phrecol.txt | 94 + textfiles.com/phreak/PHREAKING/phrfun.phk | 383 + textfiles.com/phreak/PHREAKING/phrkbas1.txt | 119 + textfiles.com/phreak/PHREAKING/phrkbeef.phk | 270 + textfiles.com/phreak/PHREAKING/phrkhis.txt | 52 + textfiles.com/phreak/PHREAKING/phrkhist | 219 + textfiles.com/phreak/PHREAKING/phrkrule.phk | 173 + textfiles.com/phreak/PHREAKING/phrkusa.txt | 70 + textfiles.com/phreak/PHREAKING/phrman.txt | 13053 +++++++++++++++ textfiles.com/phreak/PHREAKING/phukphrd.phk | 138 + textfiles.com/phreak/PHREAKING/pkman.txt | 13467 ++++++++++++++++ textfiles.com/phreak/PHREAKING/pkmanual1.phk | 2299 +++ textfiles.com/phreak/PHREAKING/pkmanual2.phk | 1779 ++ textfiles.com/phreak/PHREAKING/pkmanual3.phk | 2361 +++ textfiles.com/phreak/PHREAKING/pkmanual4.phk | 2276 +++ textfiles.com/phreak/PHREAKING/pkmanual5.phk | 1981 +++ textfiles.com/phreak/PHREAKING/pkmanual6.phk | 2781 ++++ textfiles.com/phreak/PHREAKING/pmanual1.txt | 6993 ++++++++ textfiles.com/phreak/PHREAKING/pnet.phk | 138 + textfiles.com/phreak/PHREAKING/ptech.txt | 122 + textfiles.com/phreak/PHREAKING/real.phr | 266 + textfiles.com/phreak/PHREAKING/realpwoc.txt | 360 + textfiles.com/phreak/PHREAKING/rodeguid.txt | 307 + textfiles.com/phreak/PHREAKING/rodphk.txt | 295 + textfiles.com/phreak/PHREAKING/rodphk1.txt | 295 + textfiles.com/phreak/PHREAKING/sanatm.txt | 114 + textfiles.com/phreak/PHREAKING/scam.txt | 32 + textfiles.com/phreak/PHREAKING/tap-int.1 | 725 + textfiles.com/phreak/PHREAKING/tap-int.2.1 | 292 + textfiles.com/phreak/PHREAKING/tap-int.2.2 | 495 + textfiles.com/phreak/PHREAKING/tap-int.3.1 | 982 ++ textfiles.com/phreak/PHREAKING/tap-int.3.2 | 1015 ++ 99 files changed, 133272 insertions(+) create mode 100644 textfiles.com/phreak/PHREAKING/confrnce.txt create mode 100644 textfiles.com/phreak/PHREAKING/dict.txt create mode 100644 textfiles.com/phreak/PHREAKING/dictiona create mode 100644 textfiles.com/phreak/PHREAKING/diverter.txt create mode 100644 textfiles.com/phreak/PHREAKING/dlbust.txt create mode 100644 textfiles.com/phreak/PHREAKING/do-not create mode 100644 textfiles.com/phreak/PHREAKING/elfhack.txt create mode 100644 textfiles.com/phreak/PHREAKING/euroblue.phk create mode 100644 textfiles.com/phreak/PHREAKING/ffpp.phk create mode 100644 textfiles.com/phreak/PHREAKING/fieldphr.txt create mode 100644 textfiles.com/phreak/PHREAKING/freakusa.txt create mode 100644 textfiles.com/phreak/PHREAKING/freknum.txt create mode 100644 textfiles.com/phreak/PHREAKING/hack.3.txt create mode 100644 textfiles.com/phreak/PHREAKING/hack.txt create mode 100644 textfiles.com/phreak/PHREAKING/hackerab.txt create mode 100644 textfiles.com/phreak/PHREAKING/haiku.txt create mode 100644 textfiles.com/phreak/PHREAKING/histphre.txt create mode 100644 textfiles.com/phreak/PHREAKING/info5.hac create mode 100644 textfiles.com/phreak/PHREAKING/intervie.phk create mode 100644 textfiles.com/phreak/PHREAKING/jc.phreak create mode 100644 textfiles.com/phreak/PHREAKING/johnny.phk create mode 100644 textfiles.com/phreak/PHREAKING/lawsofph.txt create mode 100644 textfiles.com/phreak/PHREAKING/mail-frd.mia create mode 100644 textfiles.com/phreak/PHREAKING/manual1.txt create mode 100644 textfiles.com/phreak/PHREAKING/manual2.txt create mode 100644 textfiles.com/phreak/PHREAKING/morality create mode 100644 textfiles.com/phreak/PHREAKING/morality.txt create mode 100644 textfiles.com/phreak/PHREAKING/nb90s1.txt create mode 100644 textfiles.com/phreak/PHREAKING/obsphrk.txt create mode 100644 textfiles.com/phreak/PHREAKING/part1_tx.txt create mode 100644 textfiles.com/phreak/PHREAKING/part2_tx.txt create mode 100644 textfiles.com/phreak/PHREAKING/part3_tx.hac create mode 100644 textfiles.com/phreak/PHREAKING/ph08.txt create mode 100644 textfiles.com/phreak/PHREAKING/phb create mode 100644 textfiles.com/phreak/PHREAKING/phbook.txt create mode 100644 textfiles.com/phreak/PHREAKING/phk90s.txt create mode 100644 textfiles.com/phreak/PHREAKING/phmanual.txt create mode 100644 textfiles.com/phreak/PHREAKING/phoneb.phk create mode 100644 textfiles.com/phreak/PHREAKING/phonehac.phk create mode 100644 textfiles.com/phreak/PHREAKING/phphil.txt create mode 100644 textfiles.com/phreak/PHREAKING/phrakman.txt create mode 100644 textfiles.com/phreak/PHREAKING/phreagui.txt create mode 100644 textfiles.com/phreak/PHREAKING/phreahel.txt create mode 100644 textfiles.com/phreak/PHREAKING/phreak.in1 create mode 100644 textfiles.com/phreak/PHREAKING/phreak.inf create mode 100644 textfiles.com/phreak/PHREAKING/phreak.phk create mode 100644 textfiles.com/phreak/PHREAKING/phreak.txt create mode 100644 textfiles.com/phreak/PHREAKING/phreak1.bok create mode 100644 textfiles.com/phreak/PHREAKING/phreak1.doc create mode 100644 textfiles.com/phreak/PHREAKING/phreak101.phk create mode 100644 textfiles.com/phreak/PHREAKING/phreak2.txt create mode 100644 textfiles.com/phreak/PHREAKING/phreak28.phk create mode 100644 textfiles.com/phreak/PHREAKING/phreak90.txt create mode 100644 textfiles.com/phreak/PHREAKING/phreakbi.txt create mode 100644 textfiles.com/phreak/PHREAKING/phreaker.fun create mode 100644 textfiles.com/phreak/PHREAKING/phreakers.dicti create mode 100644 textfiles.com/phreak/PHREAKING/phreakgo.hac create mode 100644 textfiles.com/phreak/PHREAKING/phreakh.ist create mode 100644 textfiles.com/phreak/PHREAKING/phreakhi.phk create mode 100644 textfiles.com/phreak/PHREAKING/phreakin.one create mode 100644 textfiles.com/phreak/PHREAKING/phreakin.phk create mode 100644 textfiles.com/phreak/PHREAKING/phreakin.two create mode 100644 textfiles.com/phreak/PHREAKING/phreakin.usa create mode 100644 textfiles.com/phreak/PHREAKING/phreakla.phk create mode 100644 textfiles.com/phreak/PHREAKING/phreakman.hac create mode 100644 textfiles.com/phreak/PHREAKING/phreakri.txt create mode 100644 textfiles.com/phreak/PHREAKING/phreaks.txt create mode 100644 textfiles.com/phreak/PHREAKING/phrecol.txt create mode 100644 textfiles.com/phreak/PHREAKING/phrfun.phk create mode 100644 textfiles.com/phreak/PHREAKING/phrkbas1.txt create mode 100644 textfiles.com/phreak/PHREAKING/phrkbeef.phk create mode 100644 textfiles.com/phreak/PHREAKING/phrkhis.txt create mode 100644 textfiles.com/phreak/PHREAKING/phrkhist create mode 100644 textfiles.com/phreak/PHREAKING/phrkrule.phk create mode 100644 textfiles.com/phreak/PHREAKING/phrkusa.txt create mode 100644 textfiles.com/phreak/PHREAKING/phrman.txt create mode 100644 textfiles.com/phreak/PHREAKING/phukphrd.phk create mode 100644 textfiles.com/phreak/PHREAKING/pkman.txt create mode 100644 textfiles.com/phreak/PHREAKING/pkmanual1.phk create mode 100644 textfiles.com/phreak/PHREAKING/pkmanual2.phk create mode 100644 textfiles.com/phreak/PHREAKING/pkmanual3.phk create mode 100644 textfiles.com/phreak/PHREAKING/pkmanual4.phk create mode 100644 textfiles.com/phreak/PHREAKING/pkmanual5.phk create mode 100644 textfiles.com/phreak/PHREAKING/pkmanual6.phk create mode 100644 textfiles.com/phreak/PHREAKING/pmanual1.txt create mode 100644 textfiles.com/phreak/PHREAKING/pnet.phk create mode 100644 textfiles.com/phreak/PHREAKING/ptech.txt create mode 100644 textfiles.com/phreak/PHREAKING/real.phr create mode 100644 textfiles.com/phreak/PHREAKING/realpwoc.txt create mode 100644 textfiles.com/phreak/PHREAKING/rodeguid.txt create mode 100644 textfiles.com/phreak/PHREAKING/rodphk.txt create mode 100644 textfiles.com/phreak/PHREAKING/rodphk1.txt create mode 100644 textfiles.com/phreak/PHREAKING/sanatm.txt create mode 100644 textfiles.com/phreak/PHREAKING/scam.txt create mode 100644 textfiles.com/phreak/PHREAKING/tap-int.1 create mode 100644 textfiles.com/phreak/PHREAKING/tap-int.2.1 create mode 100644 textfiles.com/phreak/PHREAKING/tap-int.2.2 create mode 100644 textfiles.com/phreak/PHREAKING/tap-int.3.1 create mode 100644 textfiles.com/phreak/PHREAKING/tap-int.3.2 diff --git a/textfiles.com/phreak/PHREAKING/confrnce.txt b/textfiles.com/phreak/PHREAKING/confrnce.txt new file mode 100644 index 00000000..9034d85a --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/confrnce.txt @@ -0,0 +1,226 @@ +*{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{} + + BEING INVOLVED WITH A CONFERENCE IS ONE OF THE PHONE PHREAK'S PHUNNEST + ACTIVITIES. + +*{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{} + + AS FAR AS I KNOW, THERE WERE PHREAK CONFERENCES LONG BEFORE I WAS BORN, +AND THERE WILL CONTINUE TO BE CONFERENCES LONG AFTER I LEAVE THE PHREAKING +WORLD. THEY ARE ONE OF THE BEST MEANS THAT I KNOW OF TO ACTUALLY HEAR AND +TALK TO YOUR PHELLOW PHREAKS. THIS IS BECAUSE YOU DO NOT HAVE TO WORRY ABOUT +YOUR SCC COMING OVER TO THE RECEIVER'S HOUSE AND ASKING, "WHO IN THE PHUCK +CALLED YOU AT X:XX FROM X???" THEY ARE OBVIOUSLY BETTER THAN BULLETIN BOARDS. + + THE EARLIEST CONFERENCE THAT I KNOW OF IS THE "2111" CONFERENCE. +AS RON ROSENBAUM PUT IT, "...THE LAST BIG CONFERENCE--THE HISTORIC '2111' +CONFERENCE--HAD BEEN ARRANGED THROUGH AN UNUSED TELEX TEST-BOARD TRUNK +SOMEWHERE IN THE INNARDS OF A 4A SWITCHING MACHINE IN VANCOUVER, CANADA. FOR +MONTHS, PHONE PHREAKS COULD M-F THEIR WAY INTO VANCOUVER, BEEP OUT 604 (THE +VANCOUVER AREA CODE) AND THEN BEEP OUT 2111 (THE INTERNAL PHONE-COMPANY CODE +FOR TELEX TESTING), AND FIND THEMSELVES, AT ANY TIME, DAY OR NIGHT, ON AN +OPEN WIRE TALKING WITH AN ARRAY OF PHONE PHREAKS FROM COAST TO COAST, +OPERATORS FROM BERMUDA, TOKYO, AND LONDON WHO ARE PHONE PHREAK SYMPATHIZERS, +AND MISCELLANEOUS GUESTS AND TECHNICAL EXPERTS. THE CONFERENCE WAS A MASSIVE +EXCHANGE OF INFORMATION. PHONE PHREAKS PICKED EACH OTHER'S BRAINS CLEAN, +THEN DEVELOPED NEW WAYS TO PICK THE PHONE COMPANY'S BRAINS CLEAN..." + + THIS TYPE OF CONFERENCE WAS THE STANDARD OF ALL THE EARLY CONFERENCES, +SINCE BACK THEN THERE WAS NO SUCH THING AS THE NOW FAMOUS "ALLIANCE +TELECONFERENCE LINES." IT IS UNDERSTANDABLE HOW THE PHREAKS MUST HAVE FELT +WHEN THE TRUNKS WERE CLOSED. THIS IS AGAIN ILLUSTRATED, "LAST APRIL 1, +HOWEVER, THE LONG VANCOUVER CONFERENCE WAS SHUT OFF. THE PHONE PHREAKS KNEW +IT WAS COMING. VANCOUVER WAS IN THE PROCESS OF CONVERTING TO A STEP-BY-STEP +FROM A 4A AND THE 2111 TELEX CIRCUIT WAS TO BE WIPED OUT IN THE PROCESS. THE +PHONE PHREAKS LEARNED THE ACTUAL DAY ON WHICH THE CONFERENCE WOULD BE ERASED +ABOUT A WEEK AHEAD OF TIME OVER THE PHONE COMPANY'S INTERNAL-NEWS AND +SHOP-TALK RECORDING. + + FOR THE NEXT FRANTIC SEVEN DAYS EVERY PHONE PHREAK IN AMERICA WAS ON +AND OFF THE 2111 CONFERENCE TWENTY-FOUR HOURS A DAY. PHONE PHREAKS WHO WERE +JUST LEARNING THE GAME OR DIDN'T HAVE M-F CAPABILITY WERE BOOSTED UP TO THE +CONFERENCE BY MORE EXPERIENCED PHREAKS SO THEY COULD GET A GLIMPSE OF WHAT IT +WAS LIKE BEFORE IT DISAPPEARED. TOP PHONE PHREAKS SEARCHED DISTANT AREA +CODES FOR NEW CONFERENCE POSSIBILITIES WITHOUT SUCCESS. FINALLY IN THE EARLY +MORNING OF APRIL 1,THE END CAME. + + 'I COULD FEEL IT COMING A COUPLE OF HOURS BEFORE MIDNIGHT,' RALPH +REMEMBERS. 'YOU COULD FEEL SOMETHING GOING ON IN THE LINES. SOME STATIC +BEGAN SHOWING UP, THEN SOME WHISTLING WHEEZING SOUND. THEN THERE WERE BREAKS. +SOME PEOPLE GOT CUT OFF AND CALLED RIGHT BACK IN , BUT AFTER A WHILE SOME +PEOPLE WERE FINDING THEY WERE CUT OFF AND COULDN'T GET BACK IN AT ALL. IT +WAS TERRIBLE. I LOST IT ABOUT 1 A.M., BUT MANAGED TO SLIP IN AGAIN AND STAY +ON UNTIL THE THING DIED . . . I THINK IT WAS ABOUT FOUR IN THE MORNING. THERE +WERE FOUR OF US STILL HANGING ON WHEN THE CONFERENCE DISAPPEARED INTO NOWHERE +FOR GOOD. WE ALL TRIED TO M-F UP TO IT AGAIN OF COURSE, BUT WE GOT SILENT +TERMINATION. THERE WAS NOTHING THERE.'" + + ALMOST BRINGS TEARS TO YOUR EYES, DON'T IT? NOW A DAYS, CONFERENCES +ARE MAJORLY BUSINESS ORIENTED. THE MAJOR VENDOR, YOU MIGHT SAY, IS A THING +CALLED ALLIENCE TELECONFERENCING. THIS IS A OFFSPRING OF AMERICAN BELL, +WHICH IN TURN WAS BORN OF AT&T. IF YOU WANT TO CALL UP ALLIENCE, THEY HAVE +NUMBERS IN THE CITIES THEY HAVE CONFERENCE LINES IN: + + 213-481-2388 LISTED AS AMERICAN BELL TELECONFERENCING + 312-938-0926 LISTED AS AT&T TELECONFERENCE + 914-365-0123 LISTED AS TELECONFERENCE + 713-655-2101 LISTED AS AMERICAN BELL TELECONFERENCING + *THESE NUMBERS ARE, OF COURSE, JUST TO THE BUSINESS OFFICE* + +HOW TO SET UP A CONFERENCE: + + THIS IS FOR THOSE OF YOU WHO DON'T KNOW, NOTHING NEW, SO THOSE OF YOU +WHO DO, YOU MIGHT WANT TO SKIP OVER IT. + + FIRST OF ALL YOU NEED TO FIND A NUMBER THROUGH WHICH YOU CAN BOX OUT +OF, IN OTHER WORDS A NUMBER THAT WILL ACCEPT 2600 AND RELEASE YOU ONTO AN +OPERATOR TRUNK. THESE ARE SOME OF THE ONES THAT I KNOW OF: + + 604-555-1212 B.C. DA + 403-555-1212 ALBERTA DA + 306-555-1212 SASKATCHEWAN DA + 204-555-1212 MANITOBA DA + 807-555-1212 ONTARIO DA + 705-555-1212 ONTARIO DA + 416-555-1212 DA + 613-555-1212 DA + 819-555-1212 QUEBEC DA + 418-555-1212 " " + 514-555-1212 " " + 709-555-1212 NEW FOUNDLAND DA + 506-555-1212 NEW BRUNSWICK DA + 902-555-1212 NOVA SCOTIA DA + +AS YOU CAN PROBABLY TELL, I HAVE JUST LISTED ALL OF THE DA#'S FOR CANADA AND +ITS SURROUNDING AREAS. *NOTE* NONE OF THE U.S. DA#'S WORK, BUT A PHEW 800'S +WORK FINE. + + NOW YOU CALL UP ONE OF THE ABOVE NUMBERS. BEFORE THE TRUNK DROPS +(YOU WILL KNOW THIS BY THE SOUND OF A CACHUNK) THERE IS STATIC WHILE THE CALL +IS BEING PLACED, NOW IS THE TIME TO BLOW 2600. AFTER DOING SO, THE LINE WILL +GO SORT OF AN "EEEE-CACHUNK." ONCE HEARING THIS, YOU CALL UP THE CONFRENCE +LINE OF YOUR CHOICE: + + 213-080-1050 ALLIENCE L.A. + 312-001-1050 ALLIENCE CHICAGO + 914-042-1050 ALLIENCE STONY POINT ? + 713-033-1050 ALLIENCE HOUSTON + +THIS IS DONE BY HITTING KP THEN THE NUMBER OF THE CONFERENCE LINE THEN +ST. IF ALL GOES WELL YOU WILL HEAR A COUPLE OF CACHUNKS THEN M-F IN KP AND ANY +A/C+XXX-XXXX AS THE BILLING LINE. AFTER DOING THIS YOU WILL HEAR A COMPUTER +GENERATED WOMAN'S VOICE THAT SAYS, "WELCOME TO ALLIANCE TELECONFERENCING IN +'X' (X BEING THE CITY WHICH YOU CALLED TO). YOU MAY DIAL DURING ANNOUNCEMENTS +FOR FASTER SET UP. PLEASE ENTER THE NUMBER OF PEOPLE TO BE IN YOUR +CONFERENCE. +DIAL NOW PLEASE." YOU DO THIS WITH YOUR REGULAR TOUCH-TONE FONE. NO MORE +BOXING IS INVOLVED. YOU CAN HAVE ANYWHERE FROM 2 TO 59 PEOPLE ON YOUR +CONFERENCE, ALTHOUGH IT IS A GOOD IDEA TO SET IT UP FOR AROUND 25-30 PEOPLE +SO AS NOT TO DRAW ATTENTION TO YOURSELF BY SETTING UP FOR 59 OR OTHER VAST +AMOUNTS. + + THIS IS IF ALL HAS GONE WELL. SOMETIMES YOU GET A BUSY SIGNAL, MEANING +THAT ALL THE CONFERENCE LINES ARE BUSY, BUT SHOULD BE OPEN LATER, WHENEVER WHO +IS USING THEM HANGS UP. OTHER TIMES YOU MAY GET "WE'RE SORRY, BUT YOUR CALL +DID NOT GO THROUGH, WILL YOU TRY YOUR CALL AGAIN PLEASE." I HAVE GOTTEN THAT +RECORDING JUST TRYING TO M-F THROUGH 514(QUEBEC) SO I DON'T KNOW WHAT THE DEAL +IS IF YOU GET IT BEFORE YOU ENTER THE CONFERENCE TRUNK. WHEN YOU GET THE +'WE'RE SORRY' THING OFF OF THE CONFERENCE TRUNK, YOU CAN PRETTY MUCH SAY THAT +THAT CONFERENCE IS DOWN FOR THE WEEKEND OR FOR THE REST OF THE NIGHT AS +ALLIANCE HAS BUSIED IT OUT. + + ONCE YOU ARE ON THE CONFERENCE YOU CAN DIAL IN ANYONE YOU WISH +NORMALLY, IE: 1+A/C+NUMBER. ONCE YOU CONNECT YOU CAN EITHER LET THEM IN ON +THE CONFERENCE BY HITTING THE '#' OR HANG THEM UP BY HITTING '*'. (REMEMBER +POUND TO ADD, STAR TO CANCEL (HA!)) YOU CAN ALSO TRANSFER CONTROL TO SOMEONE +ON THE CONFERENCE BY DIALING '6' THEN 1+A/C+NUMBER. + + THERE ARE SOME DANGERS THAT COME WITH THIS FUN, OF COURSE. ONE IS +THE FEDERAL LAWS THAT SETTING UP ONE LIKE THIS BREAKS. I AM NOT SURE WHICH +ONE(S) EXACTLY, I JUST KNOW THAT THEY EXIST. THEY ONLY COVER THE ORIGINATOR, +AND THE PERSON(S) HAVING CONTROL OVER THE CONFERENCE, SO YOU DON'T HAVE TO +WORRY THAT IF THE FBI BUSTS THE ORIGINATOR THAT YOU ARE NEXT IF YOU JUST +ANSWERED YOUR PHONE. + + THERE IS ALSO THE FACT THAT YOU MAY BE PILING UP TROUBLE CARDS ON YOUR +LINE IF YOU WERE STUPID ENOUGH TO SET IT UP FROM YOUR HOUSE FONE. ONE WAY +AROUND THIS IS TO GO MOBILE WITH TAPES, OR TO SET IT UP THROUGH A CHEESE BOX, +OR THROUGH A PBX. ESPECIALLY STUPID, JUST FLAT OUT BLITHERING WOULD BE THE +PERSON WHO SET UP A CONFERENCE ON AN ESS EXCHANGE, CAUSE, AS FLASH HOSER, +THAT PHREAK FROM THE GREAT WHITE NORTH PUT IT, "ESS IS BAD NEWS!" YOU WILL +BE TRACED WITHIN A MATTER OF SECONDS FROM THE M-F TONES REGISTERING ON YER +TELCO COMP, SO DON'T THINK THEY MIGHT NOT NOTICE IT. + + ALSO, NEVER GIVE OUT NUMBERS WHILE ON A CONFERENCE. IF YOU MUST GIVE +OUT A NUMBER, OR EVEN A FIRST NAME, FIRST HANG UP, THEN HAVE THE PERSON IN +CONTROL CALL YOU BACK, AND THEN GIVE HIM-HER THE INFO BEFORE THEY ADD YOU +BACK IN. THE REASON FOR THIS IS THAT THE CONFERENCE OPERATOR COULD VERY WELL +BE LISTENING IN. IF YOU EVER HAPPEN UPON THIS MENACE OF AN OPERATOR, BLOW +2600 TO HER OR SHE WILL KICK YOU OFF THE CONFERENCE LINE. + + NEVER CALL FBI AGENTS! AND IF YOU MUST, NEVER DO IT THROUGH THE +CONFERENCE!! ONCE YOU ADD THEM THEY WILL STAY ON UNTIL IT DIES! LET SOMEONE +WITH 3-WAY LET THEM IN THROUGH A SCC OR SOMETHING. IF A FED DOES HAPPEN TO +GET ON YOUR LINE, THEY WILL TRY ALL THEY CAN TO GET ANYTHING! THEY ACCOMPLISH +THIS BY ONE OF THREE MEANS: + + 1)BEING QUIET WITH A RECORDER GOING, TO GET NUMBERS, NAMES, INFO +DISCLOSED, ETC. + 2)A SECTOR TAP PLACED ON THE LINE, YOU WILL HEAR WEIRD BEEPS, BUZZES, +CLICKS EVERY NOW AND THEN. THEY SEEM TO THINK THAT THEY WILL GET SOMETHING +FROM THIS, BUT AS FAR AS I KNOW IT USED TO WORK, BUT NOW DOESN'T, AND BESIDES, +IT IS ILLEGAL FOR THEM TO USE ONE SO IT WOULDN'T HOLD UP IN A COURT ANYWAY. + 3)THE THIRD WAY, AND MOST DEADLY, IS SOMETHING FOUND BY AND STILL +UNDER INVESTIGATION BY THE RESEARCHER AND {}MOB RULES{}. IT CONSISTS OF KP +AND TWO OTHER M-F TONES PLAYED INTO THE CONFERENCE LINE. IT CAUSES A PHONE +NUMBER AND ST TO BE SPILLED BACK, IN OTHER WORDS YOU HEAR SOME ONE ON THE +CONFERENCE'S TELEPHONE NUMBER PLAYED BACK FOR YOU IN M-F TONES. IT IS NOT +YET KNOWN WHOSE NUMBER GETS SPILLED BACK, NOR I IT KNOWN FROM WHERE IT IS +SPILLED FROM, ALTHOUGH IT IS PROBABLY FROM ALLIANCE. ALL THAT IS KNOWN IS +THAT A NUMBER DOES GET SPILLED BACK, AND THAT IS ALL THAT THE FEDS NEED, JUST +ONE NUMBER. THE TONES THAT THE FEDS WILL SEND FORTH ARE "KP+ A COMBINATION +OF THE M-F TONES 4&6 AND 7&9" SO IT WOULD BE KP+46+79. EXPERIMENT, AS THIS +COULD REALLY HELP IN KNOWING WHAT THEY CAN DO TO US EXACTLY. + + OPERATORS ARE PHUN PEOPLE TO GET ON CONFERENCES, AS THEY ARE SO +PHUCKING STUPID. YOU CAN GO AHEAD AND LET THEM IN ON A CONFERENCE CAUSE THEY +CANNOT DO ANYTHING DESPITE THE FACT THAT THEY WOULD LIKE FOR YOU TO THINK +THEY CAN. GET A BUNCH OF DA'S ON THE LINE AND LET THEM ASK EACH OTHER, "WHAT +CITY PLEASE." ANOTHER THING TO DO TO OPERATORS IS TO GET ONE ON THE LINE AND +MAKE HER THINK THAT YOU ARE ANOTHER OPERATOR, SAY SOMETHING LIKE "TSPS #125, +BOSTON," AND SEE WHAT THEY DO. YOU MIGHT ALSO WANT TO CALL UP WESTERN UNION, +SATELCO, OR LDS OPERATORS AND BUG THEM. OTHER PHUN THINGS TO GET ON THE +CONFERENCES ARE TELEX OFFICES, COMPUTER COMPANIES, STEVE WOZNIAC, WORLD-WIDE +RECORDINGS, MILITARY BASES, AND THE EVER POPULAR # OF MY OWN, THE WHITEHOUSE +SIGNAL!! + + HERE ARE COMPANIES YOU MIGHT WANT TO CALL FOR MORE INFORMATION ON +THEIR TELECONFERENCING AND PICTURE PHONE SERVICES: + + AT&T 212-393-9800 + COLORADO VIDEO 303-444-3972 + DAROME CONNECTION 203-797-1300 + DAROME INC. 815-943-5481 + FTC SERVICES 212-699-9730 + HOLIDAY INN HI-NET 901-362-4505 + INFOLINK 312-291-2900 + MISAR INDUSTRIES 714-540-2477 + TELECONCEPTS 212-355-7113 + VIDEO STAR CONNECTIONS 404-257-0121 + + THESE COMPANIES ARE VENDORS OF SERVICES OR PRODUCTS OR ARE SUPPLIERS OF +EQUIPMENT TO TELECONFERENCING SERVICES. IF SOME ARE NO LONGER IN OPERATION, +PLEASE LET ME KNOW. + + LASTLY, I HAVE AN ALTERNATIVE TO BOXING THAT I SAW IN A MESSAGE POSTED +BY JOHN DOE. YOU CALL UP A TSPS AND SAY "THIS IS MR. X FROM X, AND I'D LIKE +TO SET UP A TELECONFERENCE. TELL HER THE BILLING LINE AND PARTY, WHICH WOULD +BE A FRIEND ON A LOOP WAITING FOR THE OPERATOR TO CALL UP AND ASK IF THIS WAS +KNOWN TO BE THE BILLING LINE, HE-SHE WILL ACCEPT GLADLY. THEN ONCE SHE PUTS +YOU UP TO THE CONFERENCE LINES, TELL HER TO GO AHEAD AND RELEASE THE LINE, AS +YOU KNOW WHAT TO DO FROM HERE ON. IT SOUNDS GOOD, BUT AS TO WHETHER IT WILL +WORK OR NOT, I AM NOT SURE. + + I HOPE THAT THIS LITTLE (HA) TUTORIAL HAS BEEN OF SOME HELP AND HAS +PROVIDED YOU WITH SOME INFORMATION TO HELP FURTHER YOUR CAREERS AND THAT IT +WILL COME IN HANDY AT SOME TIME OR ANOTHER.FURTHER YOUR CAREERS AND THAT IT diff --git a/textfiles.com/phreak/PHREAKING/dict.txt b/textfiles.com/phreak/PHREAKING/dict.txt new file mode 100644 index 00000000..6abdd0aa --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/dict.txt @@ -0,0 +1,631 @@ + + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + /-/ /-/ + /-/ PHREAKER'S /-/ + /-/ PHUNHOUSE /-/ + /-/ /-/ + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + /-/ BY: /-/ + /-/ THE TRAVELER /-/ + /-/ /-/ + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + + THE LONG AWAITED PREQUIL TO PHREAKER'S GUIDE HAS FINALLY ARRIVED. +CONCEIVED FROM THE BOREDOM AND LONELINESS THAT COULD ONLY BE DERIVED FROM: +THE TRAVELER! BUT NOW, HE HAS RETURNED IN FULL STRENGTH (AFTER A SMALL +VACATION) AND IS HERE TO 'WORLD PREMIERE' THE NEW FILES EVERYWHERE. STAY +COOL. THIS IS THE PREQUIL TO THE FIRST ONE, SO JUST RELAX. THIS IS NOT MADE +TO BE AN EXCLUSIVE ULTRA ELITE FILE, SO KINDA CALM DOWN AND WATCH IN THE +BACKGROUND IF YOU ARE TOO COOL FOR IT. + +/-/ PHREAK DICTIONARY /-/ + + HERE YOU WILL FIND SOME OF THE BASIC BUT NECESSARY TERMS THAT SHOULD BE + +KNOWN BY ANY PHREAK WHO WANTS TO BE RESPECTED AT ALL. + + PHREAK : 1. THE ACTION OF USING MISCHEVIOUS AND MOSTLY ILLEGAL + WAYS IN ORDER TO NOT PAY FOR SOME SORT OF TELE- + COMMUNICATIONS BILL, ORDER, TRANSFER, OR OTHER SERVICE. + IT OFTEN INVOLVES USAGE OF HIGHLY ILLEGAL BOXES AND + MACHINES IN ORDER TO DEFEAT THE SECURITY THAT IS SET + UP TO AVOID THIS SORT OF HAPPENING. [FR'EAKING]. V. + + 2. A PERSON WHO USES THE ABOVE METHODS OF DESTRUCTION AND + CHAOS IN ORDER TO MAKE A BETTER LIFE FOR ALL. A TRUE + PHREAKER WILL NOT NOT GO AGAINST HIS FELLOWS OR NARC + ON PEOPLE WHO HAVE RAGGED ON HIM OR DO ANYTHING + TERMED TO BE DISHONORABLE TO PHREAKS. [FR'EEK]. N. + + 3. A CERTAIN CODE OR DIALUP USEFUL IN THE ACTION OF + BEING A PHREAK. (EXAMPLE: "I HACKED A NEW METRO + PHREAK LAST NIGHT.") + + SWITCHING SYSTEM: 1. THERE ARE 3 MAIN SWITCHING SYSTEMS CURRENTLY EMPLOYED + IN THE US, AND A FEW OTHER SYSTEMS WILL BE MENTIONED + AS BACKGROUND. + + A) SXS: THIS SYSTEM WAS INVENTED IN 1918 AND WAS + EMPLOYED IN OVER HALF OF THE COUNTRY UNTIL 1978. IT + IS A VERY BASIC SYSTEM THAT IS A GENERAL WASTE OF + ENERGY AND HARD WORK ON THE LINESMAN. A GOOD WAY TO + IDENTIFY THIS IS THAT IT REQUIRES A COIN IN THE PHONE + BOOTH BEFORE IT WILL GIVE YOU A DIAL TONE, OR THAT NO + CALL WAITING, CALL FORWARDING, OR ANY OTHER SUCH + SERVICE IS AVAILABLE. STANDS FOR: STEP BY STEP + + B) XB: THIS SWITCHING SYSTEM WAS FIRST EMPLOYED IN 1978 + IN ORDER TO TAKE CARE OF MOST OF THE FAULTS OF SXS + SWITCHING. NOT ONLY IS IT MORE EFFICIENT, BUT IT + ALSO CAN SUPPORT DIFFERENT SERVICES IN VARIOUS FORMS. + XB1 IS CROSSBAR VERSION 1. THAT IS VERY LIMITED AND + IS HARD TO DISTINGUISH FROM SXS EXCEPT BY DIRECT VIEW + OF THE WIRING INVOLVED. NEXT UP WAS XB4, CROSSBAR + VERSION 4. WITH THIS SYSTEM, SOME OF THE BASIC THINGS + LIKE DTMF THAT WERE NOT AVAILABLE WITH SXS CAN BE + ACCOMPLISHED. FOR THE FINAL STROKE OF XB, XB5 WAS + CREATED. THIS IS A SERVICE THAT CAN ALLOW DTMF PLUS + MOST 800 TYPE SERVICES (WHICH WERE NOT ALWAYS + AVAILABLE.) STANDS FOR: CROSSBAR. + + C) ESS: A NIGHTMARE IN TELECOM. IN VIVID COLOR, ESS IS + A PRETTY BAD THING TO HAVE TO STAND UP TO. IT IS + QUITE SIMPLE TO IDENTIFY. DIALING 911 FOR EMERGENCIES, + AND ANI [SEE ANI BELOW] ARE THE MOST COMMON FACETS OF + THE DREAD SYSTEM. ESS HAS THE CAPABILITY TO LIST IN A + PERSON'S CALLER LOG WHAT NUMBER WAS CALLED, HOW LONG + THE CALL TOOK, AND EVEN THE STATUS OF THE CONVERSATION + (MODEM OR OTHERWISE.) SINCE ESS HAS BEEN EMPLOYED, + WHICH HAS BEEN VERY RECENTLY, IT HAS GONE THROUGH + MANY KINDS OF REVISIONS. THE LATEST SYSTEM TO DATE IS + ESS 11A, THAT IS EMPLOYED IN WASHINGTON D.C. FOR + SECURITY REASONS. ESS IS TRULY TROUBLE FOR ANY + PHREAK, BECAUSE IT IS 'SMARTER' THAN THE OTHER + SYSTEMS. FOR INSTANCE, IF ON YOUR CALLER LOG THEY SAW + 50 CALLS TO 1-800-421-9438, THEY WOULD BE ABLE TO DO + A CN/A [SEE LOOPHOLES BELOW] ON YOUR NUMBER AND + DETERMINE WHETHER YOU ARE SUBSCRIBED TO THAT SERVICE + OR NOT. THIS MAKES MOST CALLS A HAZARD, BECAUSE + ALTHOUGH 800 NUMBERS APPEAR TO BE FREE, THEY ARE + RECORDED ON YOUR CALLER LOG AND THEN RIGHT BEFORE YOU + RECEIVE YOUR BILL IT DELETES THE BILLINGS FOR THEM. + BUT BEFORE THAT THE ARE OPEN TO INSPECTION, WHICH IS + ONE REASON WHY EXTENDED USE OF ANY CODE IS DANGEROUS + UNDER ESS. SOME OF THE BOXES [SEE BOXING BELOW] ARE + UNABLE TO FUNCTION IN ESS. IT IS GENERALLY A MENACE + TO THE TRUE PHREAK. STANDS FOR: ELECTRONIC SWITCHING + SYSTEM. BECAUSE THEY COULD APPEAR ON A FILTER + SOMEWHERE OR MAYBE IT IS JUST NICE TO KNOW THEM + ANYWAYS. + + A) SSS: STROWGER SWITCHING SYSTEM. FIRST + NON-OPERATOR SYSTEM AVAILABLE. + + B) WES: WESTERN ELECTRONICS SWITCHING. USED ABOUT 40 + YEARS AGO WITH SOME MINOR PLACES OUT WEST. + + BOXING: 1) THE USE OF PERSONALLY DESIGNED BOXES THAT EMIT OR + CANCEL ELECTRONICAL IMPULSES THAT ALLOW SIMPLER + ACTING WHILE PHREAKING. THROUGH THE USE OF SEPARATE + BOXES, YOU CAN ACCOMPLISH MOST FEATS POSSIBLE WITH + OR WITHOUT THE CONTROL OF AN OPERATOR. + + 2) SOME BOXES AND THEIR FUNCTIONS ARE LISTED BELOW. + ONES MARKED WITH '*' INDICATE THAT THEY ARE NOT + OPERATABLE IN ESS. + + *BLACK BOX: MAKES IT SEEM TO THE PHONE COMPANY THAT + THE PHONE WAS NEVER PICKED UP. + + BLUE BOX : EMITS A 2600HZ TONE THAT ALLOWS YOU TO DO + SUCH THINGS AS STACK A TRUNK LINE, KICK + THE OPERATOR OFF LINE, AND OTHERS. + + RED BOX : SIMULATES THE NOISE OF A QUARTER, NICKEL, + OR DIME BEING DROPPED INTO A PAYPHONE. + + CHEESE BOX : TURNS YOUR HOME PHONE INTO A PAY PHONE TO + THROW OFF TRACES (A RED BOX IS USUALLY + NEEDED IN ORDER TO CALL OUT.) + + *CLEAR BOX : GIVES YOU A DIAL TONE ON SOME OF THE OLD + SXS PAYPHONES WITHOUT PUTTING IN A COIN. + + BEIGE BOX : A SIMPLER PRODUCED LINESMAN'S HANDSET THAT + ALLOWS YOU TO TAP INTO PHONE LINES AND + EXTRACT BY EAVESDROPPING, OR CROSSING + WIRES, ETC. + + PURPLE BOX : MAKES ALL CALLS MADE OUT FROM YOUR HOUSE + SEEM TO BE LOCAL CALLS. + + ANI [ANI]: 1) AUTOMATIC NUMBER IDENTIFICATION. A SERVICE + AVAILABLE ON ESS THAT ALLOWS A PHONE SERVICE [SEE + DIALUPS BELOW] TO RECORD THE NUMBER THAT ANY CERTAIN + CODE WAS DIALED FROM ALONG WITH THE NUMBER THAT WAS + CALLED AND PRINT BOTH OF THESE ON THE CUSTOMER BILL. + 950 DIALUPS [SEE DIALUPS BELOW] ARE ALL DESIGNED + JUST TO USE ANI. SOME OF THE SERVICES DO NOT HAVE + THE PROPER EQUIPMENT TO READ THE ANI IMPULSES YET, + BUT IT IS IMPOSSIBLE TO SEE WHICH IS WHICH WITHOUT + BEING BUSTED OR NOT BUSTED FIRST. + + DIALUPS [DY'L'UPS]: 1) ANY LOCAL OR 800 EXTENDED OUTLET THAT ALLOWS INSTANT + ACCESS TO ANY SERVICE SUCH AS MCI, SPRINT, OR AT&T + THAT FROM THERE CAN BE USED BY HANDPICKING OR USING + A PROGRAM TO REVEAL OTHER PEOPLES CODES WHICH CAN + THEN BE USED MODERATELY UNTIL THEY FIND OUT ABOUT + IT AND YOU MUST SWITCH TO ANOTHER CODE (PREFERRABLY + BEFORE THEY FIND OUT ABOUT IT.) + + 2) DIALUPS ARE EXTREMELY COMMON ON BOTH SENSES. SOME + DIALUPS REVEAL THE COMPANY THAT OPERATES THEM AS + SOON AS YOU HEAR THE TONE. OTHERS ARE MUCH HARDER + AND SOME YOU MAY NEVER BE ABLE TO IDENTIFY. A SMALL + LIST OF DIALUPS: + + 3) CODES: CODES ARE VERY EASILY ACCESSED PROCEDURES + WHEN YOU CALL A DIALUP. THEY WILL GIVE YOU SOME SORT + OF TONE. IF THE TONE DOES NOT END IN 3 SECONDS, + THEN PUNCH IN THE CODE AND IMMEDIATELY FOLLOWING THE + CODE, THE NUMBER YOU ARE DIALING BUT STRIKE THE + '1' IN THE BEGINNING OUT FIRST. IF THE TONE DOES + END, THEN PUNCH IN THE CODE WHEN THE TONE ENDS. + THEN, IT WILL GIVE YOU ANOTHER TONE. PUNCH IN THE + NUMBER YOU ARE DIALING, OR A '9'. IF YOU PUNCH IN + A '9' AND THE TONE STOPS, THEN YOU MESSED UP A + LITTLE. IF YOU PUNCH IN A TONE AND THE TONE + CONTINUES, THEN SIMPLY DIAL THEN NUMBER YOU ARE + CALLING WITHOUT THE '1'. + + 4) ALL CODES ARE NOT UNIVERSAL. THE ONLY TYPE THAT I + KNOW OF THAT IS TRULY UNIVERSAL IS METROPHONE. + ALMOST EVERY MAJOR CITY HAS A LOCAL METRO DIALUP + (FOR PHILADELPHIA, (215)351-0100/0126) AND SINCE THE + CODES ARE UNIVERSAL, ALMOST EVERY PHREAK HAS USED + THEM ONCE OR TWICE. THEY DO NOT EMPLOY ANI IN ANY + OUTLETS THAT I KNOW OF, SO FEEL FREE TO CHECK + THROUGH YOUR BOOKS AND CALL 555-1212 OR, AS A MORE + DEVIOUS MANOR, SUBSCRIBE YOURSELF. THEN, NEVER USE + YOUR OWN CODE. THAT WAY, IF THEY CHECK UP ON YOU DUE + TO YOUR CALLER LOG, THEY CAN USUALLY FIND OUT THAT + YOU ARE SUBSCRIBED. NOT ONLY THAT BUT YOU COULD SET + A PHREAK HACKER AROUND THAT AREA AND JUST LET IT + HACK AWAY, SINCE THEY USUALLY GROUP THEM, AND, AS A + BONUS, YOU WILL HAVE THEIR LOCAL DIALUP. + + 5) 950'S. THEY SEEM LIKE A PERFECTLY COOL PHREAKERS + DREAM. THEY ARE FREE FROM YOUR HOUSE, FROM PAYPHONES, + FROM EVERYWHERE, AND THEY HOST ALL OF THE MAJOR LONG + DISTANCE COMPANIES (950-1044 , 950-1077 + , 950-1088 , 950-1033 .) WELL, THEY AREN'T. THEY WERE DESIGNED FOR + ANI. THAT IS THE POINT, END OF DISCUSSION. + + + PHREAKER'S DICTIONARY + ^^^^^^^^^^^^^^^^^^^^^ + +A & A BUREAU--ABUSE AND ANNOYANCE BUREAU. THE PERSONNEL IN THIS +LINE OF WORK SPEND THEIR TIME HELPING CUSTOMERS GET RID OF NUTS, +OBSCENE CALLERS, HARASSING COLLECTORS, ETC. + +ACCESS--THE EXISTENCE OF PATHS WITHIN A NETWORK FROM AN INPUT +TERMINAL TO A SET OF OUTPUT TERMINALS IN THE ABSENCE OF TRAFFIC +IS INDICATED BY THE TERM, ACCESS. FULL ACCESS PERMITS CONNECTING +TO ALL OUTPUT TERMINALS BY UNIQUE PATHS; MULTIPLE ACCESS +INDICATES THAT ALL OUTPUT TERMINALS CAN BE REACHED IN MORE THAN +ONE WAY; PARTIAL ACCESS REFERS TO THE ABILITY TO REACH ONLY A +FRACTION OF THE OUTPUT TERMINALS. + +ACCESSIBILITY--(AVAILABILITY)--THE NUMBER OF TRUNKS OF THE +REQUIRED ROUTE IN A SWITCHING NETWORK WHICH CAN BE REACHED FROM +AN INLET. + +ADAPTOR--A DEVICE DESIGNED TO SWITCH A NUMBER OF VOICE-FREQUENCY +TELEPHONE CHANNELS COMING FROM A NON-TIME-DIVISION SWITCHING +SYSTEM TO A TIME-DIVISION MULTIPLEX HIGHWAY. + +ALTERNATE ROUTING--A PROCEDURE BY WHICH SEVERAL ROUTES INVOLVE +DIFFERENT SWITCHING STAGES OR SWITCHING NETWORKS. USUALLY THE +ROUTE HAVING THE FEWEST SWITCHING STAGES IS TESTED FIRST. + +ANALOG TRANSMISSION--THE TRANSMISSION OF CONTINUOUSLY VARIABLE +SIGNALS RATHER THAN DESCRETELY VARIABLE SIGNALS. PRIOR TO THE USE +OF DIGITAL ENCODING AND PCM, IT WAS THE ONLY WAY OF TRANSMITTING +VOICE SIGNALS OVER TELEPHONE CHANNELS. + +AREA CODE--A THREE-DIGIT PREFIX DIALED AHEAD OF THE NORMAL +SEVEN-DIGIT TELEPHONE NUMBER TO PERMIT DIRECT DISTANCE DIALING. + +ASYNCHRONOUS SYSTEM--A SYSTEM IN WHICH THE TRANSMISSION OF EACH +INFORMATION CHARACTER IS INDIVIDUALLY SYNCHRONIZED USUALLY BY THE +USE OF START AND STOP ELEMENTS. + +AVERAGE HOLDING TIME--THE AVERAGE DURATION OF A CALL EXPRESSED IN +SECONDS OR MINUTES. + +BIT--THE SMALLEST BINARY UNIT OF INFORMATION. A CONTRACTION OF +THE WORDS BINARY DIGIT. + +BIT RATE--THE RATE OR SPEED AT WHICH BITS ARE TRANSMITTED. BITS +PER SECOND IS A COMMON MEASURE. + +BLOCKING (CONGESTION)--A CONDITION WHERE THE IMMEDIATE +ESTABLISHMENT OF A NEW CONNECTION IS IMPOSSIBLE DUE TO THE LACK +OF AVAILABLE PATHS, OR THE INABILITY TO INTERCONNECT TWO IDLE +NETWORK TERMINALS BECAUSE SOME OF THE APPLICABLE LINKS BETWEEN +THEM ARE USED FOR OTHER CONNECTIONS. + +BOOLEAN ALGEBRA--A FORM OF NONQUANTITATIVE ALGEBRA FOR DEALING +WITH LOGIC FUNTIONS, ORIGINALLY EXPRESSED BY BRITISH +MATHEMATICIAN GEORGE BOOLE (1815-1864). +B.O.S.--BUSINESS OFFICE SUPERVISOR. SHE'S THE BOSS TO THE SERVICE +REPS. + +BROADBAND EXCHANGE (BEX)--PUBLIC SWITCHED COMMUNICATION SYSTEM +FEATURING FULL DUPLEX (FDX) CONNECTIONS OF VARIOUS BANDWIDTHS. A +WESTERN UNION FACILITY. + +B.S.I.--BUSINESS SERVICES INSTRUCTOR. A TRAFFICE EMPLOYEE WHO +WILL COME OUT AND TEACH YOU HOW TO USE YOUR PHONE SYSTEM. + +BUSY HOUR--AN UNINTERRUPTED PERIOD OF 60 MINUTES IN WHICH THE +TOTAL TRAFFIC OF A SAMPLE IS A MAXIMUM. + +BYTE--A UNIT OF INFORMATION IN ELECTRONIC COMPUTER TERMINOLOGY +CONSISTING OF 8 BITS, REFERRED TO AS EXTENDED BINARY CODED +DECIMAL INFORMATION OF AN EBCDIC CODE. + +CALL CONGESTION RATIO--THE RATIO OF THE TIME DURING WHICH +CONGESTION EXISTS TO THE TOTAL TIME CONSIDERED. IT IS AN ESTIMATE +OF THE PROBABILITY THAT AN EXTERNAL OBSERVER WILL FIND A SYSTEM +IN A CONGESTED CONDITION. + +CALLING RATE--AVERAGE CALLS PER SUBSCRIBER PER HOUR. + +CALL STORE--THE MEMORY SECTION OF A STORED PROGRAM CONTROL +SWITCHING SYSTEM IN WHICH TEMPORARY INFORMATION USED IN THE +PROCESSING OF CALLS THROUGH THE EXCHANGE IS CONTAINED. IT IS ALSO +REFERRED TO AS THE PROCESS STORE. + +CENTRAL OFFICE--EXCHANGES WHERE SUBSCRIBER LINES AND PRIVATE +BRANCH EXCHANGE LINES TERMINATE. THERE THEY ARE SWITCHED TO +PROVIDE THE DESIRED CONNECTION WITH OTHER SUBSCRIBERS. SUCH AN +EXCHANGE IS CALLED AN END OFFICE AND IS DESIGNATED AS A CLASS 5 +OFFICE IN THE U.S. + +CENTRAL PROCESSOR--THE MAIN COMPUTER ELEMENT OF A STORED PROGRAM +CONTROL SWITCHING SYSTEM, WHICH UNDER THE DIRECTION OF THE STORED +PROGRAM ESTABLISHES SWITCHING NETWORK CONNECTIONS AND ALSO +MONITORS AND ANALYZES THE SYSTEM TO INSURE PROPER OPERATION. +ROUTINE PROCESS TESTING, MAINTENANCE AND ADMINISTRATIVE FUNTIONS +ARE ALSO CARRIED OUT. + +CENTREX--A PABX SYSTEM IN WHICH THE SWITCHING EQUIPMENT IS +LOCATED CENTRALLY AND AWAY FORM THE LOCATION BEING SERVED. DIRECT +INWARD DIALING (DID) AND DIRECT OUTWARD DIALING (DOD) AS WELL AS +AUTOMATIC NUMBER IDENTIFICATION (ANI) ARE PROVIDED BY SUCH A +SYSTEM. + +CHARACTERS--THE ELEMENTS OF A MESSAGE. ONE COMPUTER CHARACTER +CONSISTS OF 8 BITS OR 1 BYTE AND IS KNOWN AS AN EBCDIC CHARACTER. + +CIRCUIT SWITCHING--TELECOMMUNICATIONS SWITCHING IN WHICH THE +INCOMING AND OUTGOING LINES ARE CONNECTED BY A PHYSICAL PATH, AS +THROUGH CROSSPOINTS OR SWITCH CONTACTS. +CLASS OF SERVICE--THE SERVICES AND FACILITIES OFFERED TO EACH +INDIVIDUAL TERMINAL CONNECTED TO A SYSTEM. THIS INFORMATION IS +USUALLY STORED WITH THE DIRECTORY OR EQUIPMENT NUMBERS OF THE +ASSOCIATED TERMINAL, AND IS ACCESSED BY THE CALL PROCESSORS WHEN +A CONNECTION IS REQUIRED TO OR FROM THAT TERMINAL. + +CLOCK--EQUIPMENT TO PROVIDE A TIME BASE FOR A SWITCHING SYSTEM. +IN TIME-DIVISION SWITCHING IT IS USED TO CONTROL SAMPLING RATES, +DURATION OF SIGNAL DIGITS, ETC. + +C.O.A.M.E.--CUSTOMER OWNED AND MAINTAINED EQUIPMENT. + +CODEC--THE COMBINATION OF A CODER AND DECODER, AS USED IN +TIME-DIVISION SWITCHING SYSTEMS TO CODE THE INCOMING MESSAGE AND +DECODE THE MESSAGE BEING RETURNED TO THE CALLER. IT IS A +CONTRACTION OF THE WORDS, CODER AND DECODER. + +COMMON CONTROL--AN EXCHANGE CONTROL METHOD IN WHICH THE DIALED +SIGNALS ARE RECEIVED AND REGISTERED SEPARATELY FROM THE SWITCHING +ELEMENTS BEFORE THEY ARE USED TO CONTROL THESE SWITCHES. ALSO +DEFINED AS A CONTROL METHOD, WHICH IDENTIFIES THE INPUT AND +OUTPUT TERMINALS OF THE SWITCHING NETWORK AND THEN CAUSES A +CONNECTING PATH TO BE ESTABLISHED BETWEEN THEM. SUCH SYSTEMS ARE +ALSO DESIGNATED AS MARKER SYSTEMS. + +CONCENTRATION STAGE--A SWITCHING STAGE IN WHICH A NUMBER OF INPUT +LINES ARE CONNECTED TO A SMALLER NUMBER OF OUTPUT LINES OR +TRUNKS, AS IN THE CONNECTION OF A LARGE NUMBER OF SUBSCRIBER +LINES TO A SMALLER NUMBER OF TRUNKS BASED ON THE GRADE OF SERVICE +DESIRED. + +CONGESTION FUNCTION--ANY FUNCTION USED TO RELATE THE DEGREE OF +CONGESTION TO THE TRAFFIC INTENSITY. + +CONNECTING ROW--ALL THOSE CROSSPOINTS DIRECTLY ACCESSIBLE FROM AN +INLET. ONLY ONE CONNECTION CAN BE ESTABLISHED VIA A CONNECTING +ROW AT ANY INSTANT. + +COUPLER--A DEVICE USED TO PREVENT ELECTRICAL FLASHBACK AND +MAINTAIN NORMAL ELECTRICAL FLOW ON A TELEPHONE LINE. USED AS A +BUFFER BETWEEN C.O.A.M.E. AND TELEPHONE COMPANY EQUIPMENT. + +CROSSBAR SWITCH--A SWITCH HAVING A PLURALITY OF VERTICAL PATHS, A +PLURALITY OF HORIZONTAL PATHS AND ELECTROMAGNETICALLY OPERATED +MECHANICAL MEANS FOR CONNECTING ANY OF THE VERTICAL PATHS WITH +THE HORIZONTAL PATHS. + +CROSSPOINT--A CROSSPOINT COMPRISES A SET OF CONTACTS THAT +OPERATES TOGETHER AND EXTENDS THE SPEECH AND SIGNAL WIRES OF THE +DESIRED CONNECTION. EACH CONNECTION IN A SPACE-DIVISION SWITCHING +NETWORK IS ESTABLISHED BY CLOSING ONE OR MORE CROSSPOINTS. + +CROSSTALK--AN UNWANTED TRANSFER OF SIGNALS FROM ONE CIRCUIT TO +ANOTHER AS MAY OCCUR BETWEEN SWITCHING ELEMENTS OR CIRCUIT +WIRING. + +C.W.A.--THE COMMUNICATION WORKERS OF AMERICA. THE C.W.A. +REPRSENTS 90 PERCENT OF THE UNIONIZED TELCO WORK FORCE. + +DAY-TO-BUSY HOUR RATIO--THE RATIO OF THE 24 HOUR DAY TRAFFIC +VOLUME TO THE BUSY HOUR TRAFFIC VOLUME. IN SOME COUNTRIES THE +RECIPROCAL OF THIS RATIO IS USED. + +D.D.D.--DIRECT DISTANCE DIALING. ALSO KNOWN AS ONE-PLUS DIALING. + +DELAY SYSTEM--A SWITCHING SYSTEM IN WHICH A CALL ATTEMPT, WHICH +OCCURS WHEN ALL ACCESSIBLE PATHS FOR THE REQUIRED CONNECTION ARE +BUSY, IS PERMITTED TO WAIT UNTIL A PATH BECOMES AVAILABLE. + +DIAL PULSE--THE SIGNALING PULSE WHICH IS FORMED BY THE +INTERRUPTION OF THE CURRENT IN THE DC LOOP OF A CALLING +TELEPHONE. SUCH INTERRUPTIONS ARE PRODUCED BY THE BREAKING OF THE +DIAL PULSE CONTACTS OF THE CALLING TELEPHONE SUBSET DURING THE +DIALING PROCESS. + +DIAMOND-RING TRANSLATOR--AN ARRAY OF RING-TYPE INDUCTION COILS +ASSOCIATED WITH CODED WIRING IN SUCH A MANNER THAT THE +TRANSLATION OF DIRECTORY NUMBERS TO EQUIPMENT NUMBER OR VICE +VERSA CAN BE ACCOMPLISHED IN AN EXCHANGE. IT IS NAMED AFTER ITS +ORIGINATOR, T.L.DIMOND OF THE BELL TELEPHONE LABORATORIES. + +DIRECT CONTROL--AN EXCHANGE CONTROL METHOD IN WHICH PULSES, +DIALED BY THE SUBSCRIBERS, CONTROL DIRECTLY THE ROUTE SELECTION +SWITCHES OF THE SYSTEM. FOR EACH DIGIT DIALED THE EQUIVALENT OF +ONE SET OF SELECTOR SWITCHES IS REQUIRED WITH THIS CONTROL +METHOD. + +DIRECTOR--A CONTROL ELEMENT WHICH PROVIDES A MEASURE OF COMMON +CONTROL IN STEP-BY-STEP OR STROWGER EXCHANGES. + +DISTRIBUTING FRAME--A STRUCTURE FOR TERMINATING THE WIRES OF A +TELEPHONE EXCHANGE IN SUCH A MANNER THAT CROSS-CONNECTIONS CAN BE +MADE READILY. EXAMPLES ARE THE MAIN DISTRIBUTION FRAME (MDF) AT +THE ENTRY OF AN EXCHANGE, INTERMEDIATE DISTRIBUTION FRAMES (IDF) +BETWEEN SECTIONS OF AN EXCHANGE, AND POWER DISTRIBUTION FRAMES +(PDF). + +DISTRIBUTION STAGE--A SWITCHING STAGE BETWEEN A CONCENTRATION +STAGE AND OUTLETS AND SERVES AS A MEANS OF SELECTING TRUNKS TO +THE DESIRED TERMINATIONS. + +DUV--DATA UNDER VOICE (AT&T SYSTEM). ELECTROMECHANICAL SWITCHING +SYSTEM--AN EXCHANGE SYSTEM IN WHICH BOTH THE SPEECH PATHS AND THE +CONTROL EQUIPMENT ARE SWITCHED BY ELECTROMECHANICAL +COMPONENTS--SUCH AS RELAYS, ROTARY SWITCHES, ETC. + +ELECTRONIC SWITCHING SYSTEM--AN EXCHANGE SYSTEM IN WHICH AT LEAST +THE CONTROL EQUIPMENT IS COMPOSED OF ELECTRONIC CIRCUITS AND +COMPONENTS, GENERALLY OF A SOLID-STATE TYPE. + +EMD SWITCH--THE SPEECH-PATH SWITCHING ELEMENT USED IN A SIEMENS +ROTARY SWITCHING SYSTEM. EMD IS AN ABBREVIATION OF +EDELMETALL-MOTOR-DREHWAHLER, WHICH TRANSLATES IN ENGLISH TO +NOBLE-METAL MOTOR SWITCH. + +END OFFICE--A CENTRAL OFFICE OR CLASS 5 OFFICE. + +ENTRAIDE--A SWITCHING SYSTEM INPHICH OUTLETS FROM A GIVEN +CONNECTING STAGE ARE CONNECTED TO INLETS OF THE SAME OR A +PREVIOUS STAGE. IN SUCH SYSTEMS CALLS MAY TRAVERSE A STAGE MORE +THAN ONCE. USUALLY THESE REENTERING LINKS ARE USED AS LAST CHOICE +PATHS AND THE RESULTING NETWORK IS HETEROGENEOUS. SUCH AN +ARRANGEMENT IS USED IN ITT'S PENTACONTA CROSSBAR SYSTEM. + +ERLANG--THE UNIT OF TRAFFIC INTENSITY, WHICH IS MEASURED IN +CALL-SECONDS PER SECOND OR CALL-MINUTES PER MINUTE. ALSO, ONE +ERLANG EQUALS 3600 CALL-SECONDS PER HOUR. IT IS NAMED AFTER A. K. +ERLANG, THE DANISH ENGINEER AND MATHEMATICIAN WHO FIRST ADOPTED +IT. + +ESS--ELECTRONIC SWITCHING SYSTEM. + +EXCHANGE--ALL NUMBERS WITHIN A GIVEN THREE-DIGIT PREFIX AREA. CAN +ALSO BE USED TO DESCRIBE A GEOGRAPHICAL AREA THE SIZE OF A CITY. + +FX--FOREIGN EXCHANGE CALLS. THE TERM APPLIED TO CALLS MADE TO A +CENTRAL OFFICE OTHER THAN THE ONE LOCATED IN THE CALLING CUSTOMER +AREA. + +H.C. INSTRUMENT--AN ORDINARY TELEPHONE WITH NO EXTRAS. + +I.D.E.W.--INTERNATIONAL BROTHERHOOD OF ELECTRICAL WORKERS. A +UNION THAT REPRESENTS SEVEN PERCENT OF ALL UNIONIZED TELEPHOE +WORKERS. + +INTERSTATE--TELEPHONE SERVICE THAT CROSSES STATE LINES. SUCH +SERVICES COME UNDER THE JURISDICTION OF THE F.C.C. + +INTRASTATE--TELEPHONE SERVICES THAT REMAIN WITHIN THE BOUNDARES +OF A STATE. SUCH SERVICES COME UNDER THE JURISDICTION OF THE +P.S.C. + +JOINT PRACTICES--AN INTER-COMPANY GUIDE AKIN TO THE GENEVA RULES +OF WAR. THE J.P. COVERS SUCH THINGS AS INTERVALS, OFFERINGS, AND +PROCEDURES. + +K.K.6--SIX-BUTTON TELEPHONE. THE STANDARD TELEPHONE FOUND IN MOST +OFFICES. THE K.K.6 CAN HANDLE FIVE LINES. THE SIXTH BUTTON IS +USED FOR HOLD. + +LAYOUT CARD--SCHEMATIC DRAWINGS OF THE ELECTRICAL CIRCUITS +REQUIRED FOR A TELEPHONE INSTALLATION. +LINK (TRUNK) THE CONNECTION BETWEEN THE TERMINALS OF ONE SWITCH +AND THE TERMINALS ON A SWITCH OF THE NEXT STAGE CORRESPONDING TO +A SINGLE TRANSMISSION PATH. + +LINK (ONE-WAY AND TWO-WAY)--A ONE-WAY LINK IS USED ONLY FOR THE +ESTABLISHMENT OF CONNECTIONS IN ONE DIRECTION, WHILE A TWO-WAY +LINK IS USED FOR THE ESTABLISHMENT OF CONNECTIONS IN EITHER +DIRECTION. + +LINK SYSTEM--A SYSTEM IN WHICH: (1) THERE ARE AT LEAST TWO +CONNECTING STAGES; (2) A CONNECTION IS MADE OVER ONE OR MORE +LINKS; (3) THE LINKS ARE CHOSEN IN A SINGLE LOGICAL OPERATION; +AND (4) LINKS ARE SEIZED ONLY WHEN THEY CAN BE USED IN MAKING A +CONNECTION. + +LOGIC FUNCTION--THE RELATIONSHIP OF TWO OR MORE BOOLEAN VARIABLES +AS EXPRESSED BY BOOLEAN ALGEBRA. + +LOGIC GATES--ELECTRICAL OR ELECTRONIC CIRCUITS WHICH CONTROL THE +TRANSFER OF SIGNALS AND PRODUCE THE REQUIRED OUTPUTS FOR SPECIFIC +INPUT COMBINATIONS TO IMPLEMENT BOOLEAN LOGIC FUNCTIONS. + +LOGIC (HARD-WIRED)--CONTROL LOGIC IN AN EXCHANGE, WHICH IS WIRED +IN CIRCUIT FORM. + +LOGIC (SOFT-WIRED)--CONTROL LOGIC IN AN EXCHANGE, WHICH IS HELD +IN SOFTWARE COMPUTER PROGRAMS. + +LONG DISTANCE--TECHNICALLY, ANY CALL THAT TERMINATES MORE THAN +SEVENTEEN MILES FROM THE SOURCE. + +LONG LINES--A DIVISION OF AT&T RESPONSIBLE FOR THE DAY-TO-DAY +OPERATION OF THE LONG DISTANCE NETWORK. WHILE THE LOCAL TELCO +HANDLES ALL MAINTENANCE, LONG LINES DIRECTS OVERALL SUPERVISION. + +LOOP DISCONNECT PULSING--SUBSET DIAL PULSING IN WHICH THE +SUBSCRIBER DC LOOP IS INTERRUPTED TO PRODUCE PULSES FOR SIGNALING +AN EXCHANGE. + +MARKER--CIRCUITS WHICH INCORPORATE THE FUNCTION OF BUSY TESTING, +LOCATING AND FINALLY CONTROLLING THE ESTABLISHMENT OF A +PARTICULAR PATH THROUGH THE SWITCHING NETWORK. + +MARKETING REP--THE SALES PEOPLE OF THE BELL COMPANIES. ALSO KNOWN +AS ACCOUNT EXECUTIVE. + +MARKING--THE USE OF ELECTRICAL POTENTIALS AND GROUNDS AT CERTAIN +POINTS IN A SWITCHING NETWORK TO CONTROL ITS OPERATION. + +MATRIX--A SIMPLE SWITCHING NETWORK IN WHICH A SPECIFIED INLET +(MATRIX ROW) HAS ACCESS TO A SPECIFIED OUTLET (MATRIX COLUMN) VIA +A CROSSPOINT PLACED AT THE INTERSECTION OF THE ROW AND COLUMN IN +QUESTION. A COMPLETE MATRIX IS ONE IN WHICH EACH INLET HAS ACCESS +TO EACH OUTLET, WHILE AN INCOMPLETE MATRIX IS ONE IN WHICH EACH +INLET MAY HAVE ACCESS TO ONLY SOME OF THE OUTLETS. + +MEAN DELAY OF CALLS DELAYED--THE TOTAL WAITING TIME OF ALL CALLS +DIVIDED BY THE NUMBER OF DELAYED CALLS. + +MESSAGE SWITCHING--A METHOD OF RECEIVING AND STORING A MESSAGE +FOR A MORE APPROPRIATE TIME OF RETRANSMISSION. WITH SUCH A +METHOD, NO DIRECT CONNECTION IS ESTABLISHED BETWEEN THE INCOMING +AND OUTGOING LINES AS IN THE CASE OF CIRCUIT SWITCHING. + +MULTIFREQUENCY SIGNALING--SIGNALING BETWEEN SUBSCRIBERS AND THE +CENTRAL OFFICE THROUGH A COMBINATION OF AUDIO FREQUENCIES, AS +WITH PUSHBUTTON DIALING. ALSO, IN MANY CASES SIGNALING BETWEEN +EXCHANGES IS ACCOMPLISHED BY COMBINATIONS OF FREQUENCIES. + +MULTIGROUP--A COMBINATION OF TWO OR MORE PCM MULTIPLEX CHANNELS. + +NONLISTED NUMBERS--TELEPHONE NUMBERS THAT DO NOT APPEAR IN THE +DIRECTORY BUT THAT ARE AVAILABLE IF THE INQUIRER CALLS DIRECTORY +ASSISTANCE. + +NONPUBLISHED NUMBERS--TELEPHONE NUMBERS NOT MADE AVAILABLE TO THE +PUBLIC. ALSO KNOWN AS SILENT NUMBERS. + +OCCUPANCY--THE AVERAGE PROPORTION OF TIME THAT A TRAFFIC CARRYING +FACILITY IS BUSY. + +PACKET SWITCHING--ESSENTIALLY THE SAME AS MESSAGE-SWITCHING. + +PANEL-SWITCHING SYSTEM--A COMMON CONTROL ELECTROMECHANICAL +SWITCHING SYSTEM, WHICH WAS USED WIDELY IN THE U.S. PRIOR TO ITS +VIRTUAL REPLACEMENT BY CROSSBAR AND OTHER SYSTEMS. THE BANKS OF +SELECTORS TAKE THE FORM OF FLAT VERTICAL PANELS, FROM WHICH THE +NAME OF THE SYSTEM WAS DERIVED. SOME PANEL INSTALLATIONS ARE +STILL IN USE IN THE U.S. + +PATH--A SET OF LINKS JOINED IN SERIES TO ESTABLISH A CONNECTION. +PATHS DIFFER IF ONE OR MORE LINKS DIFFER. + +P.B.X.--PRIVATE BRANCH EXCHANGE. COMMONLY KNOWN AS A SWITCHBOARD. +MINI-CENTRAL OFFICE EQUIPMENT FOR BUSINESS CUSTOMERS WITH FROM 10 +TO 2,000 TELEPHONES. + +PRIMARY CENTER--A SWITCHING CENTER CONNECTING TOLL CENTERS, WHICH +CAN ALSO SERVE AS A TOLL CENTER FOR ITS LOCAL END OFFICES. IN THE +U.S. IT IS DEFINED AS A CLASS 3 OFFICE. + +PRIVATE AUTOMATIC BRANCH EXCHANGE (PABX)--A PRIVATE AUTOMATIC +TELEPHONE EXCHANGE WHICH PROVIDES FOR THE CONNECTION OF CALLS +GOING TO AND COMING FROM THE PUBLIC TELEPHONE NETWORK (USUALLY A +CENTRAL OFFICE EXCHANGE) AS WELL AS INTRAEXCHANGE CALLS BETWEEN +THE SERVED EXTENSIONS. + +PROBABILITY OF DELAY--THE PROBABILITY THAT A CALL ATTEMPT, IF +OFFERED, CANNOT BE COMPLETED IMMEDIATELY. + +PROBABILITY OF LOST CALLS (PROBABILITY OF LOSS)--THE PROBABILITY +THAT A CALL ATTEMPT, IF OFFERED, WILL BE LOST. + +PROGRAM STORE--THE MEMORY SECTION OF A STORED PROGRAM CONTROL +SWITCHING IN WHICH SEMI-PERMANENT INSTRUCTIONS AND TRANSLATIONS +ARE CONTAINED. THESE ARE FED TO THE CENTRAL PROCESSOR TO PERMIT +IT TO PROVIDE STORED PROGRAM CONTROL. + +PUBLIC SWITCHED NETWORK--ANY SWITCHING SYSTEM THAT PROVIDES +CIRCUIT SWITCHING FACILITIES FOR USE BY THE PUBLIC. TELEPHONE, +TELEX, TWX, AND BROADBAND SWITCHED NETWORKS ARE THE PUBLIC +SWITCHED NETWORKS IN THE U.S. + +PULSE AMPLITUDE MODULATION (PAM)--A FORM OF PULSE MODULATION IN +WHICH A NUMBER OF CHANNELS ARE MULTIPLEXED BY TIME SAMPLING, BUT +ONE IN WHICH THE PULSE AMPLITUDES VARY IN ACCORDANCE WITH THE +AMPLITUDE OF THE ANALOG SIGNAL LEVELS. + + LATA: LOCAL ACCESS TRANSFERENCE AREA. SOME PEOPLE WHO LIVE IN LARGE CITIES +OR AREAS MAY BE PLAGUED BY THIS PROBLEM. FOR INSTANCE, LET'S SAY YOU LIVE IN THE +215 AREA CODE UNDER THE 542 PREFIX (AMBLER, FORT WASHINGTON). IF YOU WENT TO +DIAL IN A BASIC METRO CODE FROM THAT AREA, FOR INSTANCE, 351-0100, THAT MIGHT +NOT BE COUNTED UNDER UNLIMITED LOCAL CALLING BECAUSE IT IS OUT OF YOUR LATA. +FOR SOME LATA'S, YOU HAVE TO DIAL A '1' WITHOUT THE AREA CODE BEFORE YOU CAN +DIAL THE PHONE NUMBER. THAT COULD PROVE A HASSLE FOR US ALL IF YOU DIDN'T +REALIZE YOU WOULD BE BILLED FOR THAT SORT OF CALL. IN THAT WAY, SOMETIMES, IT IS +BETTER TO BE SAFE THAN SORRY AND PHREAK. + + THE CALLER LOG: IN ESS REGIONS, FOR EVERY HOUSEHOLD AROUND, THE PHONE +COMPANY HAS SOMETHING ON YOU CALLED A CALLER LOG. THIS SHOWS EVERY SINGLE NUMBER +THAT YOU DIALED, AND THINGS CAN BE ARRANGED SO IT SHOWED EVERY NUMBER THAT WAS +CALLING TO YOU. THAT'S ONE MAIN DISADVANTAGE OF ESS, IT IS MOSTLY COMPUTERIZED +SO A NUMBER SCAN COULD BE DONE LIKE THAT QUITE EASILY. USING A DIALUP IS AN EASY +WAY TO SCREW THAT, AND IS SOMETHING WORTH REMEMBERING. ANYWAYS, WITH THE CALLER +LOG, THEY CHECK UP AND SEE WHAT YOU DIALED. HMM... YOU DIALED 15 DIFFERENT 800 +NUMBERS THAT MONTH. SOON THEY FIND THAT YOU ARE SUBSCRIBED TO NONE OF THOSE +COMPANIES. BUT THAT IS NOT THE ONLY THING. MOST PEOPLE WOULD IMAGINE "BUT WAIT! +800 NUMBERS DON'T SHOW UP ON MY PHONE BILL!". TO THOSE PEOPLE, IT IS A NICE +THOUGHT, BUT 800 NUMBERS ARE PICKED UP ON THE CALLER LOG UNTIL RIGHT BEFORE THEY +ARE SENT OFF TO YOU. SO THEY CAN CHECK RIGHT UP ON YOU BEFORE THEY SEND IT AWAY +AND CAN NOTE THE FACT THAT YOU FUCKED UP SLIGHTLY AND CALLED ONE TOO MANY 800 +LINES. + diff --git a/textfiles.com/phreak/PHREAKING/dictiona b/textfiles.com/phreak/PHREAKING/dictiona new file mode 100644 index 00000000..164b0dce --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/dictiona @@ -0,0 +1,423 @@ +32 + +--------------------------------------- +[CTRL-S PAUSES/SPACE=QUIT] + + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + /-/ /-/ + /-/ PHREAKER'S /-/ + /-/ PHUNHOUSE /-/ + /-/ /-/ + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + /-/ BY: /-/ + /-/ THE TRAVELER /-/ + /-/ /-/ + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + + THE LONG AWAITED PREQUIL TO PHREAKER'S GUIDE HAS FINALLY ARRIVED. +CONCEIVED FROM THE BOREDOM AND LONELINESS THAT COULD ONLY BE DERIVED FROM: +THE TRAVELER! BUT NOW, HE HAS RETURNED IN FULL STRENGTH (AFTER A SMALL +VACATION) AND IS HERE TO 'WORLD PREMIERE' THE NEW FILES EVERYWHERE. STAY +COOL. THIS IS THE PREQUIL TO THE FIRST ONE, SO JUST RELAX. THIS IS NOT MADE +TO BE AN EXCLUSIVE ULTRA ELITE FILE, SO KINDA CALM DOWN AND WATCH IN THE +BACKGROUND IF YOU ARE TOO COOL FOR IT. + +/-/ PHREAK DICTIONARY /-/ + + HERE YOU WILL FIND SOME OF THE BASIC BUT NECESSARY TERMS THAT SHOULD BE + +KNOWN BY ANY PHREAK WHO WANTS TO BE RESPECTED AT ALL. + + PHREAK : 1. THE ACTION OF USING MISCHEVIOUS AND MOSTLY ILLEGAL + WAYS IN ORDER TO NOT PAY FOR SOME SORT OF TELE- + COMMUNICATIONS BILL, ORDER, TRANSFER, OR OTHER SERVICE. + IT OFTEN INVOLVES USAGE OF HIGHLY ILLEGAL BOXES AND + MACHINES IN ORDER TO DEFEAT THE SECURITY THAT IS SET + UP TO AVOID THIS SORT OF HAPPENING. [FR'EAKING]. V. + + 2. A PERSON WHO USES THE ABOVE METHODS OF DESTRUCTION AND + CHAOS IN ORDER TO MAKE A BETTER LIFE FOR ALL. A TRUE + PHREAKER WILL NOT NOT GO AGAINST HIS FELLOWS OR NARC + ON PEOPLE WHO HAVE RAGGED ON HIM OR DO ANYTHING + TERMED TO BE DISHONORABLE TO PHREAKS. [FR'EEK]. N. + + 3. A CERTAIN CODE OR DIALUP USEFUL IN THE ACTION OF + BEING A PHREAK. (EXAMPLE: "I HACKED A NEW METRO + PHREAK LAST NIGHT.") + + SWITCHING SYSTEM: 1. THERE ARE 3 MAIN SWITCHING SYSTEMS CURRENTLY EMPLOYED + IN THE US, AND A FEW OTHER SYSTEMS WILL BE MENTIONED + AS BACKGROUND. + + A) SXS: THIS SYSTEM WAS INVENTED IN 1918 AND WAS + EMPLOYED IN OVER HALF OF THE COUNTRY UNTIL 1978. IT + IS A VERY BASIC SYSTEM THAT IS A GENERAL WASTE OF + ENERGY AND HARD WORK ON THE LINESMAN. A GOOD WAY TO + IDENTIFY THIS IS THAT IT REQUIRES A COIN IN THE PHONE + BOOTH BEFORE IT WILL GIVE YOU A DIAL TONE, OR THAT NO + CALL WAITING, CALL FORWARDING, OR ANY OTHER SUCH + SERVICE IS AVAILABLE. STANDS FOR: STEP BY STEP + + B) XB: THIS SWITCHING SYSTEM WAS FIRST EMPLOYED IN 1978 + IN ORDER TO TAKE CARE OF MOST OF THE FAULTS OF SXS + SWITCHING. NOT ONLY IS IT MORE EFFICIENT, BUT IT + ALSO CAN SUPPORT DIFFERENT SERVICES IN VARIOUS FORMS. + XB1 IS CROSSBAR VERSION 1. THAT IS VERY LIMITED AND + IS HARD TO DISTINGUISH FROM SXS EXCEPT BY DIRECT VIEW + OF THE WIRING INVOLVED. NEXT UP WAS XB4, CROSSBAR + VERSION 4. WITH THIS SYSTEM, SOME OF THE BASIC THINGS + LIKE DTMF THAT WERE NOT AVAILABLE WITH SXS CAN BE + ACCOMPLISHED. FOR THE FINAL STROKE OF XB, XB5 WAS + CREATED. THIS IS A SERVICE THAT CAN ALLOW DTMF PLUS + MOST 800 TYPE SERVICES (WHICH WERE NOT ALWAYS + AVAILABLE.) STANDS FOR: CROSSBAR. + + C) ESS: A NIGHTMARE IN TELECOM. IN VIVID COLOR, ESS IS + A PRETTY BAD THING TO HAVE TO STAND UP TO. IT IS + QUITE SIMPLE TO IDENTIFY. DIALING 911 FOR EMERGENCIES, + AND ANI [SEE ANI BELOW] ARE THE MOST COMMON FACETS OF + THE DREAD SYSTEM. ESS HAS THE CAPABILITY TO LIST IN A + PERSON'S CALLER LOG WHAT NUMBER WAS CALLED, HOW LONG + THE CALL TOOK, AND EVEN THE STATUS OF THE CONVERSATION + (MODEM OR OTHERWISE.) SINCE ESS HAS BEEN EMPLOYED, + WHICH HAS BEEN VERY RECENTLY, IT HAS GONE THROUGH + MANY KINDS OF REVISIONS. THE LATEST SYSTEM TO DATE IS + ESS 11A, THAT IS EMPLOYED IN WASHINGTON D.C. FOR + SECURITY REASONS. ESS IS TRULY TROUBLE FOR ANY + PHREAK, BECAUSE IT IS 'SMARTER' THAN THE OTHER + SYSTEMS. FOR INSTANCE, IF ON YOUR CALLER LOG THEY SAW + 50 CALLS TO 1-800-421-9438, THEY WOULD BE ABLE TO DO + A CN/A [SEE LOOPHOLES BELOW] ON YOUR NUMBER AND + DETERMINE WHETHER YOU ARE SUBSCRIBED TO THAT SERVICE + OR NOT. THIS MAKES MOST CALLS A HAZARD, BECAUSE + ALTHOUGH 800 NUMBERS APPEAR TO BE FREE, THEY ARE + RECORDED ON YOUR CALLER LOG AND THEN RIGHT BEFORE YOU + RECEIVE YOUR BILL IT DELETES THE BILLINGS FOR THEM. + BUT BEFORE THAT THE ARE OPEN TO INSPECTION, WHICH IS + ONE REASON WHY EXTENDED USE OF ANY CODE IS DANGEROUS + UNDER ESS. SOME OF THE BOXES [SEE BOXING BELOW] ARE + UNABLE TO FUNCTION IN ESS. IT IS GENERALLY A MENACE + TO THE TRUE PHREAK. STANDS FOR: ELECTRONIC SWITCHING + SYSTEM. BECAUSE THEY COULD APPEAR ON A FILTER + SOMEWHERE OR MAYBE IT IS JUST NICE TO KNOW THEM + ANYWAYS. + + A) SSS: STROWGER SWITCHING SYSTEM. FIRST + NON-OPERATOR SYSTEM AVAILABLE. + + B) WES: WESTERN ELECTRONICS SWITCHING. USED ABOUT 40 + YEARS AGO WITH SOME MINOR PLACES OUT WEST. + + BOXING: 1) THE USE OF PERSONALLY DESIGNED BOXES THAT EMIT OR + CANCEL ELECTRONICAL IMPULSES THAT ALLOW SIMPLER + ACTING WHILE PHREAKING. THROUGH THE USE OF SEPARATE + BOXES, YOU CAN ACCOMPLISH MOST FEATS POSSIBLE WITH + OR WITHOUT THE CONTROL OF AN OPERATOR. + + 2) SOME BOXES AND THEIR FUNCTIONS ARE LISTED BELOW. + ONES MARKED WITH '*' INDICATE THAT THEY ARE NOT + OPERATABLE IN ESS. + + *BLACK BOX: MAKES IT SEEM TO THE PHONE COMPANY THAT + THE PHONE WAS NEVER PICKED UP. + + BLUE BOX : EMITS A 2600HZ TONE THAT ALLOWS YOU TO DO + SUCH THINGS AS STACK A TRUNK LINE, KICK + THE OPERATOR OFF LINE, AND OTHERS. + + RED BOX : SIMULATES THE NOISE OF A QUARTER, NICKEL, + OR DIME BEING DROPPED INTO A PAYPHONE. + + CHEESE BOX : TURNS YOUR HOME PHONE INTO A PAY PHONE TO + THROW OFF TRACES (A RED BOX IS USUALLY + NEEDED IN ORDER TO CALL OUT.) + + *CLEAR BOX : GIVES YOU A DIAL TONE ON SOME OF THE OLD + SXS PAYPHONES WITHOUT PUTTING IN A COIN. + + BEIGE BOX : A SIMPLER PRODUCED LINESMAN'S HANDSET THAT + ALLOWS YOU TO TAP INTO PHONE LINES AND + EXTRACT BY EAVESDROPPING, OR CROSSING + WIRES, ETC. + + PURPLE BOX : MAKES ALL CALLS MADE OUT FROM YOUR HOUSE + SEEM TO BE LOCAL CALLS. + + ANI [ANI]: 1) AUTOMATIC NUMBER IDENTIFICATION. A SERVICE + AVAILABLE ON ESS THAT ALLOWS A PHONE SERVICE [SEE + DIALUPS BELOW] TO RECORD THE NUMBER THAT ANY CERTAIN + CODE WAS DIALED FROM ALONG WITH THE NUMBER THAT WAS + CALLED AND PRINT BOTH OF THESE ON THE CUSTOMER BILL. + 950 DIALUPS [SEE DIALUPS BELOW] ARE ALL DESIGNED + JUST TO USE ANI. SOME OF THE SERVICES DO NOT HAVE + THE PROPER EQUIPMENT TO READ THE ANI IMPULSES YET, + BUT IT IS IMPOSSIBLE TO SEE WHICH IS WHICH WITHOUT + BEING BUSTED OR NOT BUSTED FIRST. + + DIALUPS [DY'L'UPS]: 1) ANY LOCAL OR 800 EXTENDED OUTLET THAT ALLOWS INSTANT + ACCESS TO ANY SERVICE SUCH AS MCI, SPRINT, OR AT&T + THAT FROM THERE CAN BE USED BY HANDPICKING OR USING + A PROGRAM TO REVEAL OTHER PEOPLES CODES WHICH CAN + THEN BE USED MODERATELY UNTIL THEY FIND OUT ABOUT + IT AND YOU MUST SWITCH TO ANOTHER CODE (PREFERRABLY + BEFORE THEY FIND OUT ABOUT IT.) + + 2) DIALUPS ARE EXTREMELY COMMON ON BOTH SENSES. SOME + DIALUPS REVEAL THE COMPANY THAT OPERATES THEM AS + SOON AS YOU HEAR THE TONE. OTHERS ARE MUCH HARDER + AND SOME YOU MAY NEVER BE ABLE TO IDENTIFY. A SMALL + LIST OF DIALUPS: + + 1-800-421-9438 (5 DIGIT CODES) + 1-800-547-6754 (6 DIGIT CODES) + 1-800-345-0008 (6 DIGIT CODES) + 1-800-734-3478 (6 DIGIT CODES) + 1-800-222-2255 (5 DIGIT CODES) + + 3) CODES: CODES ARE VERY EASILY ACCESSED PROCEDURES + WHEN YOU CALL A DIALUP. THEY WILL GIVE YOU SOME SORT + OF TONE. IF THE TONE DOES NOT END IN 3 SECONDS, + THEN PUNCH IN THE CODE AND IMMEDIATELY FOLLOWING THE + CODE, THE NUMBER YOU ARE DIALING BUT STRIKE THE + '1' IN THE BEGINNING OUT FIRST. IF THE TONE DOES + END, THEN PUNCH IN THE CODE WHEN THE TONE ENDS. + THEN, IT WILL GIVE YOU ANOTHER TONE. PUNCH IN THE + NUMBER YOU ARE DIALING, OR A '9'. IF YOU PUNCH IN + A '9' AND THE TONE STOPS, THEN YOU MESSED UP A + LITTLE. IF YOU PUNCH IN A TONE AND THE TONE + CONTINUES, THEN SIMPLY DIAL THEN NUMBER YOU ARE + CALLING WITHOUT THE '1'. + + 4) ALL CODES ARE NOT UNIVERSAL. THE ONLY TYPE THAT I + KNOW OF THAT IS TRULY UNIVERSAL IS METROPHONE. + ALMOST EVERY MAJOR CITY HAS A LOCAL METRO DIALUP + (FOR PHILADELPHIA, (215)351-0100/0126) AND SINCE THE + CODES ARE UNIVERSAL, ALMOST EVERY PHREAK HAS USED + THEM ONCE OR TWICE. THEY DO NOT EMPLOY ANI IN ANY + OUTLETS THAT I KNOW OF, SO FEEL FREE TO CHECK + THROUGH YOUR BOOKS AND CALL 555-1212 OR, AS A MORE + DEVIOUS MANOR, SUBSCRIBE YOURSELF. THEN, NEVER USE + YOUR OWN CODE. THAT WAY, IF THEY CHECK UP ON YOU DUE + TO YOUR CALLER LOG, THEY CAN USUALLY FIND OUT THAT + YOU ARE SUBSCRIBED. NOT ONLY THAT BUT YOU COULD SET + A PHREAK HACKER AROUND THAT AREA AND JUST LET IT + HACK AWAY, SINCE THEY USUALLY GROUP THEM, AND, AS A + BONUS, YOU WILL HAVE THEIR LOCAL DIALUP. + + 5) 950'S. THEY SEEM LIKE A PERFECTLY COOL PHREAKERS + DREAM. THEY ARE FREE FROM YOUR HOUSE, FROM PAYPHONES, + FROM EVERYWHERE, AND THEY HOST ALL OF THE MAJOR LONG + DISTANCE COMPANIES (950-1044 , 950-1077 + , 950-1088 , 950-1033 .) WELL, THEY AREN'T. THEY WERE DESIGNED FOR + ANI. THAT IS THE POINT, END OF DISCUSSION. + + A PHREAK DICTIONARY. IF YOU REMEMBER ALL OF THE THINGS CONTAINED ON THAT +FILEUP THERE, YOU MAY HAVE A BETTER CHANCE OF DOING WHATEVER IT IS YOU DO. THIS +NEXT SECTION IS MAYBE A LITTLE MORE INTERESTING... + +BLUE BOX PLANS: +--------------- + + THESE ARE SOME BLUE BOX PLANS, BUT FIRST, BE WARNED, THERE HAVE BEEN 2600HZ +TONE DETECTORS OUT ON OPERATOR TRUNK LINES SINCE XB4. THE IDEA BEHIND IT IS TO +USE A 2600HZ TONE FOR A FEW VERY NAUGHTY FUNCTIONS THAT CAN REALLY MAKE YOUR DAY +LIGHTEN UP. BUT FIRST, HERE ARE THE PLANS, OR THE HEART OF THE FILE: + +700 : 1 : 2 : 4 : 7 : 11 : +900 : + : 3 : 5 : 8 : 12 : +1100 : + : + : 6 : 9 : KP : +1300 : + : + : + : 10 : KP2 : +1500 : + : + : + : + : ST : + : 700 : 900 :1100 :1300 :1500 : + + STOP! BEFORE YOU DIEHARD USERS START PIECING THOSE LITTLE TONE TIDBITS +TOGETHER, THERE IS A SIMPLER METHOD. IF YOU HAVE AN APPLE-CAT WITH A PROGRAM +LIKE CAT'S MEOW IV, THEN YOU CAN GENERATE THE NECESSARY TONES, THE 2600HZ TONE, +THE KP TONE, THE KP2 TONE, AND THE ST TONE THROUGH THE DIAL SECTION. SO IF YOU +HAVE THAT I WILL ASSUME YOU CAN BOOT IT UP AND IT WORKS, AND I'LL DO YOU THE +FAVOR OF TELLING YOU AND THE OTHER USERS WHAT TO DO WITH THE BLUE BOX NOW THAT +YOU HAVE SOMEHOW CONSTRUCTED IT. THE CONNECTION TO AN OPERATOR IS ONE OF THE +MOST WELL KNOWN AND USED WAYS OF HAVING FUN WITH YOUR BLUE BOX. YOU SIMPLY DIAL +A TSPS (TRAFFIC SERVICE POSITIONING STATION, OR THE OPERATOR YOU GET WHEN YOU +DIAL '0') AND BLOW A 2600HZ TONE THROUGH THE LINE. WATCH OUT! DO NOT DIAL THIS +DIRECT! AFTER YOU HAVE DONE THAT, IT IS QUITE SIMPLE TO HAVE FUN WITH IT. BLOW A +KP TONE TO START A CALL, A ST TONE TO STOP IT, AND A 2600HZ TONE TO HANG UP. +ONCE YOU HAVE CONNECTED TO IT, HERE ARE SOME FUN NUMBERS TO CALL WITH IT: + + 0-700-456-1000 TELECONFERENCE (FREE, BECAUSE YOU ARE THE OPERATOR!) + (AREA CODE)-101 TOLL SWITCHING + (AREA CODE)-121 LOCAL OPERATOR (HEHE) + (AREA CODE)-131 INFORMATION + (AREA CODE)-141 RATE & ROUTE + (AREA CODE)-181 COIN REFUND OPERATOR + (AREA CODE)-11511 CONFERENCE OPERATOR (WHEN YOU DIAL 800-544-6363) + + WELL, THOSE WERE THE TONE MATRIX CONTROLLERS FOR THE BLUE BOX AND SOME +OTHER HELPFUL STUFF TO HELP YOU TO START OUT WITH. BUT THOSE ARE ONLY THE +FUNCTIONS WITH THE OPERATOR. THERE ARE OTHER K-FUN THINGS YOU CAN DO WITH IT. + + MORE ADVANCED BLUE BOX STUFF: + + OOPS. SMALL MISTAKE UP THERE. I FORGOT TONE LENGTHS. UM, YOU BLOW A TONE +PAIR OUT FOR UP TO 1/10 OF A SECOND WITH ANOTHER 1/10 SECOND FOR SILENCE BETWEEN +THE DIGITS. KP TONES SHOULD BE SENT FOR 2/10 OF A SECOND. ONE WAY TO CONFUSE THE +2600HZ TRAPS IS TO SEND PINK NOISE OVER THE CHANNEL (FOR ALL OF YOU THAT HAVE +DECENT BSR EQUALIZERS, THERE IS MAJOR PINK NOISE IN THERE.) USING THE OPERATOR +FUNCTIONS IS THE USE OF THE 'INWARD' TRUNK LINE. THAT IS WORKING IT FROM THE +INSIDE. FROM THE 'OUTWARD' TRUNK, YOU CAN DO SUCH THINGS AS MAKE EMERGENCY +BREAKTHROUGH CALLS, TAP INTO LINES, BUSY ALL OF THE LINES IN ANY TRUNK (CALLED +'STACKING'), ENABLE OR DISABLE THE TSPS'S, AND FOR SOME 4A SYSTEMS YOU CAN EVEN +RE-ROUTE CALLS TO ANYWHERE. + + ALL RIGHT. THE ONE THING THAT EVERY COMPLETE PHREAK GUIDE SHOULD BE WITHOUT +IS BLUE BOX PLANS, SINCE THEY WERE ONCE A VITAL PART OF PHREAKING. ANOTHER THING +THAT EVERY COMPLETE FILE NEEDS IS A COMPLETE LISTING OF ALL OF THE 800 NUMBERS +AROUND SO YOU CAN HAVE SOME MORE FUN. + + /-/ 800 DIALUP LISTINGS /-/ + +1-800-345-0008 (6) 1-800-547-6754 (6) +1-800-245-4890 (4) 1-800-327-9136 (4) +1-800-526-5305 (8) 1-800-858-9000 (3) +1-800-437-9895 (7) 1-800-245-7508 (5) +1-800-343-1844 (4) 1-800-322-1415 (6) +1-800-437-3478 (6) 1-800-325-7222 (6) + + ALL RIGHT, SET CAT HACKER 1.0 ON THOSE NUMBERS AND HAVE A FUCK OF A DAY. +THAT IS ENOUGH WITH 800 CODES, BY THE TIME THIS GETS AROUND TO YOU I DUNNO WHAT +STATE THOSE CODES WILL BE IN, BUT TRY THEM ALL OUT ANYWAYS AND SEE WHAT YOU GET. +ON SOME 800 SERVICES NOW, THEY HAVE AN OPERATOR WHO WILL ANSWER AND ASK YOU FOR +YOUR CODE, AND THEN YOUR NAME. SOME WILL SWITCH BACK AND FORTH BETWEEN VOICE AND +TONE VERIFICATION, YOU CAN NEVER BE QUITE SURE WHICH YOU WILL BE UP AGAINST. + + ARMED WITH THIS KNOWLEDGE YOU SHOULD BE HAVING A PRETTY GOOD TIME PHREAKING +NOW. BUT CLASS ISN'T OVER YET, THERE ARE STILL A COUPLE IMPORTANT RULES THAT YOU +SHOULD KNOW. IF YOU HEAR CONTINUAL CLICKING ON THE LINE, THEN YOU SHOULD ASSUME +THAT AN OPERATOR IS MESSING WITH SOMETHING, MAYBE EVEN LISTENING IN ON YOU. IT +IS A GOOD IDEA TO CALL SOMEONE BACK WHEN THE PHONE STARTS DOING THAT. IF YOU +WERE USING A CODE, USE A DIFFERENT CODE AND/OR SERVICE TO CALL HIM BACK. + + A GOOD WAY TO DETECT IF A CODE HAS GONE BAD OR NOT IS TO LISTEN WHEN THE +NUMBER HAS BEEN DIALED. IF THE CODE IS BAD YOU WILL PROBABLY HEAR THE PHONE +RINGING MORE CLEARLY AND MORE QUICKLY THAN IF YOU WERE USING A DIFFERENT CODE. +IF SOMEONE ANSWERS VOICE TO IT THEN YOU CAN IMMEDIATELY ASSUME THAT IT IS AN +OPERATIVE FOR WHATEVER COMPANY YOU ARE USING. THE FAMED '311311' CODE FOR METRO +IS ONE OF THOSE. YOU WOULD HAVE TO BE QUITE STUPID TO ACTUALLY RESPOND, BECAUSE +WHOEVER YOU ASK FOR THE OPERATOR WILL ALWAYS SAY 'HE'S NOT IN RIGHT NOW, CAN I +HAVE HIM CALL YOU BACK?' AND THEN THEY WILL ASK FOR YOUR NAME AND PHONE NUMBER. +SOME OF THE MORE SOPHISTICATED COMPANIES WILL ACTUALLY GIVE YOU A CARRIER ON A +LINE THAT IS SUPPOSED TO GIVE YOU A CARRIER AND THEN JUST HAVE GARBAGE FLOW +ACROSS THE SCREEN LIKE IT WOULD WITH A BAD CONNECTION. THAT IS A FEEBLE EFFORT +TO MAKE YOU THINK THAT THE CODE IS STILL WORKING AND MAYBE GET YOU TO DIAL +SOMEONE'S VOICE, A GOOD TEST FOR THE CARRIER TRICK IS TO DIAL A NUMBER THAT WILL +GIVE YOU A CARRIER THAT YOU HAVE NEVER DIALED WITH THAT CODE BEFORE, THAT WILL +ALLOW YOU TO DETERMINE WHETHER THE CODE IS GOOD OR NOT. FOR OUR NEXT SECTION, A +LIGHTER LOOK AT SOME OF THE THINGS THAT A PHREAK SHOULD NOT BE WITHOUT. A +VOCABULARY. A FEW MONTHS AGO, IT WAS A QUITE STRANGE WORLD FOR THE MODEM PEOPLE +OUT THERE. BUT NOW, A PHREAKER'S VOCABULARY IS ESSENTIAL IF YOU WANNA MAKE A +GOOD IMPRESSION ON PEOPLE WHEN YOU POST WHAT YOU KNOW ABOUT CERTAIN SUBJECTS. + + /-/ VOCABULARY /-/ + + - DO NOT MISSPELL EXCEPT CERTAIN EXCEPTIONS: + + PHONE -> FONE + FREAK -> PHREAK + + - NEVER SUBSTITUTE 'Z'S FOR 'S'S. (I.E. CODEZ -> CODES) + + - NEVER LEAVE MANY CHARACTERS AFTER A POST (I.E. HEY DUDES!#!@#@!#!@) + + - NEVER USE THE 'K' PREFIX (K-KOOL, K-RAD, K-WHATEVER) + + - DO NOT ABBREVIATE. (I GOT LOTSA WARES W/ DOCS) + + - NEVER SUBSTITUTE '0' FOR 'O' (R0DENT, L0ZER). + + - FORGET ABOUT YE OLD UPPER CASE, IT LOOKS RUGGYISH. + + ALL RIGHT, THAT WAS TO RELIEVE THE TENSION OF WHAT IS BEING DRILLED INTO +YOUR MINDS AT THE MOMENT. NOW, HOWEVER, BACK TO THE TEACHING COURSE. HERE ARE +SOMETHINGS YOU SHOULD KNOW ABOUT PHONES AND BILLINGS FOR PHONES, ETC. + + LATA: LOCAL ACCESS TRANSFERENCE AREA. SOME PEOPLE WHO LIVE IN LARGE CITIES +OR AREAS MAY BE PLAGUED BY THIS PROBLEM. FOR INSTANCE, LET'S SAY YOU LIVE IN THE +215 AREA CODE UNDER THE 542 PREFIX (AMBLER, FORT WASHINGTON). IF YOU WENT TO +DIAL IN A BASIC METRO CODE FROM THAT AREA, FOR INSTANCE, 351-0100, THAT MIGHT +NOT BE COUNTED UNDER UNLIMITED LOCAL CALLING BECAUSE IT IS OUT OF YOUR LATA. +FOR SOME LATA'S, YOU HAVE TO DIAL A '1' WITHOUT THE AREA CODE BEFORE YOU CAN +DIAL THE PHONE NUMBER. THAT COULD PROVE A HASSLE FOR US ALL IF YOU DIDN'T +REALIZE YOU WOULD BE BILLED FOR THAT SORT OF CALL. IN THAT WAY, SOMETIMES, IT IS +BETTER TO BE SAFE THAN SORRY AND PHREAK. + + THE CALLER LOG: IN ESS REGIONS, FOR EVERY HOUSEHOLD AROUND, THE PHONE +COMPANY HAS SOMETHING ON YOU CALLED A CALLER LOG. THIS SHOWS EVERY SINGLE NUMBER +THAT YOU DIALED, AND THINGS CAN BE ARRANGED SO IT SHOWED EVERY NUMBER THAT WAS +CALLING TO YOU. THAT'S ONE MAIN DISADVANTAGE OF ESS, IT IS MOSTLY COMPUTERIZED +SO A NUMBER SCAN COULD BE DONE LIKE THAT QUITE EASILY. USING A DIALUP IS AN EASY +WAY TO SCREW THAT, AND IS SOMETHING WORTH REMEMBERING. ANYWAYS, WITH THE CALLER +LOG, THEY CHECK UP AND SEE WHAT YOU DIALED. HMM... YOU DIALED 15 DIFFERENT 800 +NUMBERS THAT MONTH. SOON THEY FIND THAT YOU ARE SUBSCRIBED TO NONE OF THOSE +COMPANIES. BUT THAT IS NOT THE ONLY THING. MOST PEOPLE WOULD IMAGINE "BUT WAIT! +800 NUMBERS DON'T SHOW UP ON MY PHONE BILL!". TO THOSE PEOPLE, IT IS A NICE +THOUGHT, BUT 800 NUMBERS ARE PICKED UP ON THE CALLER LOG UNTIL RIGHT BEFORE THEY +ARE SENT OFF TO YOU. SO THEY CAN CHECK RIGHT UP ON YOU BEFORE THEY SEND IT AWAY +AND CAN NOTE THE FACT THAT YOU FUCKED UP SLIGHTLY AND CALLED ONE TOO MANY 800 +LINES. + + RIGHT NOW, AFTER ALL OF THAT, YOU SHOULD HAVE A PRETTY GOOD IDEA OF HOW TO +GROW UP AS A GOOD PHREAK. FOLLOW THESE GUIDELINES, DON'T SHOW OFF, AND DON'T +TAKE UNNECESSARY RISKS WHEN PHREAKING OR HACKING. + + /-/ CREDITS /-/ + + TO THE VIDEOSMITH - FOR SETTING ME STRAIGHT ON SOME SHIT. + TO THE LINESMAN - FOR TELLING ME TO UPLOAD IT TO HIS AE LINE. + TO MODERN MUTANT - FOR MAKING ME INTO A PHREAKING FREAK. + TO JACK THE NIBBLER- FOR THE BASIS OF THE BLUE BOX PLANS. + + /---------------------------------\ + \ BULLETIN BOARD LIST \ + \ --------------------- \ + \ SIRIUS CYBERNETIC'S BBSYSTEM \ + \ 808-521-3306 40MEGS \ + \---------------------------------/ + + LATER, + +THE TRAVELER + + +--------------------------------------- + +ENTER (1-47, M=MENU, Q=QUIT) : -*-*--*-*--*-*--*-*--*-*--*-*--*-*--*-*--*-*--*-*--*-*- + -*-*- THIS FILE HAS PASSED THROUGH: -*-*- + -*-*- -*-*- + -*-*- T H E H O U S E -*-*- + -*-*- -*-*- + -*-*- ITALIAN BAD BOYS HQ 210 MEGZ ON LINE -*-*- + -*-*- -*-*- + -*-*- ONLY 0-0 DAYS WAREZ NOT MORE !!!!!! -*-*- + -*-*- -*-*- + -*-*- GIVE US A CALL AT: NODE0 39-409-45542 -*-*- + -*-*- NODE1 39-409-46PRIVATE-*-*- + -*-*--*-*--*-*--*-*--*-*--*-*--*-*--*-*--*-*--*-*--*-*- +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + THIS FILE PASSED THROUGH.... + ____ _ ____ _ + __ / /____ ____ ______ __ __ / /____ __ + / / / // __ \ / __ \ / ____/ / / /\ / //\ / // __ \ /\ / / + / / / // /_/ // /_/ // / / /_/ / / /_/ // /_/ // /_/ // \/ / + / /_/ // __ _// __ // / / __ / / __ _// __ // __ // /\ / + / /// // / / // / / // / / / / / / / / // / / // / / // / / / + \____// / \/ \/ / / \/ / / \/ OF / / \/ \/ / / \/ / / \/ \/ + \/ \/ \/ \/ \/ \/ + ________ __ __ __ _____ __ __ ____ + /\ \ ____// / / / / // _ / / /_/ // __ \ + / \ \ _/ / / / / / / \ \\/ / __ // / / / + / /\ \ \ \ / /___ / /_/ / /\\ \ / / / // /_/ / + /__/\__\ \/ \____/ \____/ /____//_/ /_/ \_____\ + + 609-587-0656 +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= diff --git a/textfiles.com/phreak/PHREAKING/diverter.txt b/textfiles.com/phreak/PHREAKING/diverter.txt new file mode 100644 index 00000000..c98bd029 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/diverter.txt @@ -0,0 +1,106 @@ + +Title: Information On Diverters +Date: 9/13/88 +Time: 12:42 am + + +======================================= += Using Diverters = += = += By = += = += Blitzoid ?? & Galactus ** = += = += Of = += = += The Elite Hackers Guild = += = +======================================= + + +What Diverters Are: +------------------- + + Diverters, originally knows as "Chesse Boxes" were used in the sixties by +bookies and other illegal businesses to forward their calls. Diverters pre- +date call forwarding and simulate this custom calling feature with one major +advantage. Unlike call forwarding, a diverted call may be intercepted while +the phone rings or during conversation just by picking up the phone at the +diverter location. After diverters became popular in the crime sector, they +became a good way for professionals to recieve night time office calls at +home. For this reason may diverters are only up at night. + + +Locating Diverters: +------------------- + +1 - You can recognize a diverter fairly easily. A diverter will ring usually +one of two times then you may hear a tone, a moment of silence or a voice +saying something like "Please hold you call is being transferred". On some +diverters, there is no time laps before the second symptom. The second symptom +is another ring... sometimes of a different type. Finally and fatally, if you +wait after the person hangs up you will usually hear the diverter dial-tone +within a few seconds. + +2 - Diverters are often in step or crossbar office. But this is only a +guideline and not a rule. + +3 - Diverters often belong to: + + A: Physicians + B: Dentists + C: Real Estate Offices + D: Financial Advisers + E: 24 Hour Air Cond. Repair + F: 24 Hour Exterminators + G: 24 Hour Heater Repair + H: Insurance Agents + I: Wreckers + J: Anyone Else Of A 24 Hour Nature + + +How A Diverter Works: +--------------------- + + Simply put, a diverter is a small box connected to two phones. When phone +#1 rings, the diverter picks up phone #2 dials a number on it and patches the +two phones together. + + +Flaws To A Diverter: +-------------------- + + The most commonly known flaw is that if you hold on the line after being +hung up on you will usually hear the diverter dial-tone and you can usually +dial off of it. This is because you have not hung up on phone #1 and it is +still connected to phone #2. + + Another flaw is even better. If one person rings phone #2, and another +calls phone #1 the two parties will be connected. If either party hangs up, +the other will get a dial-tone belonging to the other phone (usually). + + Often you will have to hit your "1" key. This simulates a dial-tone and +fools the diverter into thinking that the phone is hung up. + + You can also sit ringing phone #2 and intercept their calls. One diverter I +found belonged to a mail order place and I intercepted calls, obtained credit +card numbers, then placed the orders myself so that noone would know what +happened. + + Hope This Phile Has Been Helpfull. Have Phun! + + +====================================== + +COURTESY OF PHREAK KLASS 2600 -- 806/799-0016 -- LOGIN: EDUCATE + +--------------------------------------- + + +The Alternate Universe BBS - [718] 326-0720 + Distributed in part by: + + Skeleton Crue 415-376-8060 located out of Moraga, California. + !!Get on the band wagon before it RUNS YOU DOWN!! +The very LAST bastion of Abusive Thought in all of the Suburbian West Coast... + (CH&AOS) \ No newline at end of file diff --git a/textfiles.com/phreak/PHREAKING/dlbust.txt b/textfiles.com/phreak/PHREAKING/dlbust.txt new file mode 100644 index 00000000..9711c079 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/dlbust.txt @@ -0,0 +1,92 @@ + +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ # HOW PHONE PHREAKS ARE CAUGHT # +# from 2600 magazine V4 #7 July 1987 # +# written by NO SEVERANCE # +# typed by G. A. ELLSWORTH # +# # +#()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()(# + + Until about four months ago, I worked for a large long distance company. I was given the pink slip because some guy in my office found out that I did a little hacking in my spare time. It seems that most companies just aren't into that anymore. I feel I should do all I can to keep phreaks from getting caught by the IC's(Independent Carriers or Interexchange Companies). Remember: a safe phreak is an educated phreak. + When you enter an authorization code to access a long distance company's network there are a few things that happen. The authorization code number you enter is cross referenced in a list of codes. When an unassigned code is received the switch will print a report consisting of the authorization code, the date and time, and the incoming trunk number (if known) along with other miscellaneous information. + When an authorization code is found at the end of a billing cycle to have been "abused" in the switch, one of two things is done. Most of the time the code is removed from the database and a new code is assigned. But there are times when the code is flagged "abused" in the switch. This is very dangerous. Your call goes through, but there is a bad code report printed.(this is similar to an unassigned code report, but it also prints out the number being called.) You have no way to know this is happening but the IC has plenty of time to have the call traced. This just goes to show that you should switch codes on a regular basis and not use one till it dies. + + ACCESS + + There are several ways to access an IC's network. Some are safe and some can be deadly. + FEATURE GROUP A (FGA). This is a local dial-up to a switch. It is just a regular old telephone number (for example 871-2600). When you dial the number it will ring (briefly) and give a dial tone telling you to proceed. There are NO identifying digits (i.e. your telephone number) sent to a switch. The switchis signaled to give you a dial tone from the ringing voltage alone. The only way you could be caught hacking codes on an FGA would be if Telco (your local telephone company) were to put an incoming trap on the FGA number. This causes the trunk number your call came over to be printed out. From the trunk number Telco could tell which central office (CO) your call was coming from. From there Telco could put an outgoing trap in your CO which would print the number of the person placing the call to that number--that is provided that you are in an ESS or other Electronic Switch. This is how a majority of people are caught hacking codes on a FGA access number. + Next down the line we have Feature Group B (FGB). There are two FGB signalling formats called FGB-T and FGB-D. All FGBs are 950-XXXX numebers and Ihave yet to find one that doesn't use FGB-T format. + When you dial an FGB number your call can take two paths: 1) Large COs havedirect trunks going to the different IC's. This is more common in Electronic offices. 2) Your call gets routed through a large switch called a tandem, whichin turn has trunks to all the ICs. + When you dial an FGB-T number the IC's switch receives: KP+ST + This prompts the switch to give you a dial tone. The IC gets no informationregarding your phone number. The only thing that makes it easier to catch you is that with a direct trunk from your central office when you enter a bad code the IC knows what office your coming from. Then it's just a matter of seeing who is calling that 950 number. + On the other hand, when you dial an FBG-D number the switch receives: + +KP+(950-XXXX)+ST followed by + +KP+0+NXX-XXXX+ST or KP+0+NPA + +NXX-XXXX+ST + + The first sequence tells that there is a call coming in, the 950-XXXX (optional) is the same 950 number that you call. The second sequence contains your number (ANI-Automatic Number Identification). If the call comes over the trunk directly from your CO it will not have your NPA (Area Code). If the call is routed through a tandem it will contain your NPA number. FGB-D was originallydeveloped so that when you got the dial tone you could enter just the number youwere calling and your call would go through; thus alleviating authorization codes. FGB-D can also be used as FGB-T, where the customer enters a code but the switch knows where the call is coming from. This could be used to detect hackers, but has not been done, yet at least not to my switch. + FGB-D was the prelude to FEATURE GROUP D (FGD). FGD is the heart of Equal Access. Since FGD can only be provided by electronic offices, equal access is only available under ESS (or any other electronic office). FGD is the signalling used for both 1+ dialing (when you choose an IC over AT&T) and 10XXX dialing. The signalling format for FGD goes as follows: + +KP+II+10D(10 digits)+ST followed by + +KP+10D+ST + + The first sequence is called the identification sequence. This consists of KP. information digits(II), and the calling party's telephone number with NPA (10D ANI) finished up with ST. The second address seqeunce has KP, the called number (10D) followed by ST. There is a third FGD sequence not shown here whichhas to do with international calling--I may deal with this in a future article. When the IC's switch receives an FGD routing it will check the information digits to see if the call is approved and if so put the call through. Obviouslyif the information digits indicate the call is coming from a coin phone, the call will not go through. + + This is a list of information digits commonly used by Bell Operating Companies. +Code Sequence Meaning +00 identification Regular line, no special treatment +01 identification ONI(Operator Number Identification) mulitparty lines +02 identification ANI failure +06 identification Hotel or Motel +07 identification Coinless,hospital,inmate etc. +08 identification InterLATA restricted +10 address 10X test call +13 international 011-plus:direct distance dialed +15 international 01-plus:operator assisted +27 identification Coin +68 identification InterLATA-restricted hotel or motel +78 identification InterLATA-restricted hospital, coinless, inmate etc. +95 address 959-XXXX test call + + There is a provision with FGD so when you dial 10xxx# you will get a switchdial tone as if you dial a 950. Unfortunately, this is not the same as dialing a 950. The IC would receive: + +KP+II+10D(ANI)+ST +KP+ST + + The KP+ST gives you the dial tone, but the IC has your number by then. + + 800 NUMBERS + + Now that we have the feature groups down pat we will talk about 800 numbers. Invisible to your eyes, there are two types of 800 numbers. There are those owned by AT&T--which sells WATS service. There are also new 800 exchanges owned by the IC's. So far, I believe only MCI, US SPRINT, and WesternUnion have bought there own 800 exchanges. It is very important not to use codes on 800 numbers in an exchange owned by an IC. But first... + When you dial an AT&T 800 number that goes to an IC's switch the following happens. The AT&T 800 number is translated at the AT&T switch to an equivalent POTS (Plain Old Telephone Service). This number is an FGA number and as stated before does not know where you're calling from. They might know what your general region is since the AT&T 800 numbers can translate to different POTS numbers depending on where you're calling from. This is the beauty of FGA and AT&T WATS but this is also why it's being phased out. + On the other hand, IC-owned 800 numbers are routed as FGD calls--very deadly. The IC receives: + +KP+II+10D+ST + +KP+800 NXX XXXX+ST + + When you call an IC 800 number which goes to an authorization code-based service, you're taking a great risk. The IC's can find out very easily where you're calling from. If you're in an electronic central office your call can godirectly over an FGD trunk. When you dial and IC 800 number from a non-electronic CO your call gets routed through another switch, thus ending up with the same undesirable effect. + MCI is looking into getting an 800 billing service tariffed where a customer's 800 WATS bill shows the number of everyone who has called it. The way the IC's handle billing, if they wanted to find out who made a call to their800 number, that information would be available on billing tapes. The trick is not to use codes on an IC owned 800 + The way to find out who owns an 800 exchange is to call 800-NXX-0000 (NXX being the 800 exchange). If this is owned by AT&T you will get a message saying, "You have reached the AT&T Long Distance Network. Thank you for choosing AT&T. This message will not be repeated." When you call an exchange owned by an IC you will usually get a recording telling you that your call cannot be completed as dialed, or else you will get a recording with the name ofthe of the IC. If you call another number in an AT&T 800 exchange (i.e. 800-NXX-0172) the recording you get should always have an area code followed by a number and a letter, for example, "Your call cannot be completed as dialed. Please check the number and dial again. 312 4T." AS of last month, most AT&T recordings are done in the same female voice. An MCI recording will tell you to"Call customer service at 800-444-4444" followed by a switch number ("MCI 20G"). Some companies such as US Sprint, are redesigning their networks. Since the merger of US Telecom and GTE Sprint, US Sprint has had 2 seperate networks. The US Telecom side was Network 1 an dthe GTE side was Network 2. US Sprint will be joining the two, thus forming Network 3. When Network 3 takes effect there will be no more 950-0777 or 10777. All customers will have 14 digit travel cards (referred to as FON cards, or Fiber Optic Network cards) based on their telephone numbers. Customers who don't have equal access will be given seven digit "home codes". These authorization codes may only be used from your home town or city. The access number they will be pushing for travel code service will be 800-877-8000. This cutover was supposed to be completed by June27th, 1987 but the operation has been pushed back. + One last way to tell if the port you dialed is in an IC's 800 exchange is if it doesn't ring before you get the tone. When you dial an FGA number it willring shortly but when you dial 10XXX# you get the tone right away. Last but notleast, I will provide you with a list of 800 exchanges that are owned by IC's. Amajority of them are owned by MCI. + +1800-XXX-.... + MCI + +XXX=234,274,283,284,288,289,333365,444,456,627,666,678,727,759,777,825,876,888,937,950,955,999 + + US SPRINT + +XXX=347,366,699,877 + + WESTERN UNION XXX=988 + +And to avoid confusion, these are the AT&T 800 exchanges: + +XXX=202,212,221,222,223,225,227,228,231,232,233,235,237,238,241,242,243,245,247,248,251,252,253,255,257,258,262,263,265,267,268,272,282,292,302,213,321,322,323,325,327,328,331,332,334,336,338,341,342,343,344,345,346,348,351,352,354,356,358,361,362,363,367,368,372,382,387,392,402,412,421,422,423,424,426,428,431,432,433,435,437,438,441,442,443,445,446,447,448,451,452,453,457,458,461,462,463,456,468,471,482,492,502,512,521,522,523,524,525,526,527,528,531,532,533,535,537,538,541,542,543,544,545,547,548,551,552,553,554,555,556,558,561,562,563,565,567,572,582,592,602,612,621,622,624,626,628,631,632,633,634,635,637,638,641,642,643,645,647,648,652,654,661,662,663,665,667,672,682,692,702,712,722,732,742,752,762,772,782,792,802,812,821,882,824,826,828,831,832,833,835,841,842,843,845,847,848,851,852,854,855,858,862,872,874,882,892,902,912,922,932,942,952,962,972,982,992 + +(Other exchanges can be used by local phone companies--New Jersey Bell, MountainBell, etc.) + \ No newline at end of file diff --git a/textfiles.com/phreak/PHREAKING/do-not b/textfiles.com/phreak/PHREAKING/do-not new file mode 100644 index 00000000..9b4048f0 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/do-not @@ -0,0 +1,35 @@ +We are having fun - Phreakin, hacking, stealing..... + +BUT - As we are having most fun - The feeds shows up / Why???? + +Here's some info on what to take care of: + +REGISTRATION OF PHONE CALLS: + +By the start of 1994 the Danish phone companies will register ALL national +calls. I don't know if other calls will be registred. +The companies says it will only allow people to get a printout of there +calls destination and duration. +But - As you may know PET (The police Intelligence Service) are tapping +phones in a large scale. So, they will deffenetly use this oppetunity +to monitor YOUR phone traffic. + + +COPIES OF PHONE CARDS: + +Don't try making copies of the phone cards used i pay phones. They may work +once - But the pay phones (This system i active in Denmark) communicate +with a central computer. If it detects two identical cards being used +with different amounts of credit left it will blacklist it. +I guess this kind of system is being used in other countries too. But I'm +not sure. +NOTE: All calls made from payphones using payphone-cards will in Denmark be +registred with: TIME, DATE, LASTING OF THE CALL, PLACE YOU ARE CALLING FROM +AND TO!!!!! + +So - Don't use these phones if you're in trouble or don't want anyone to know +about your call - Use normal payphones in stead. They will "only" log the +number ya calling. + + + NoCopyright 1994 Informer diff --git a/textfiles.com/phreak/PHREAKING/elfhack.txt b/textfiles.com/phreak/PHREAKING/elfhack.txt new file mode 100644 index 00000000..36e806a6 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/elfhack.txt @@ -0,0 +1,58 @@ + +How to phreak without fear! + + by The Elf + +Contact me on Demon Roach Underground. + +As far as I know this works only in Southwestern Bell's areas. That should +include Texas, Ok, Arkansas, NM and Louisanna. + +Materials needed: Shoes with rubber soles, Wirestrippers/cutters, + 3/8in open-end wrench, beige box, + and maybe a cordless phone. + +First off, this method is not fool proof and is safer in rural +areas than in big cities. Second, you need to know where the little green +cylinder that connects your house to the network is. If your area's setup +is anything like mine, there'll be a green protrusion every five hundred +feet down a rural road. If you aren't for sure which one is for your house +you can either report line problems and watch for the lineman to work on +your line and note what box he goes to or you can get a good cordless phone +and if the box is in range take it with you to the box, open the box up, +turn on the phone and verify that you have a dial-tone, the box will have +several pairs of wires sticking out of it (blues and oranges) and some of +them (the blues ones) will be connected. +These blue lines are primary lines. If you notice though, the blue +lines go into a insulator with a pair of unhooked orange wires, +secondary lines, that both go to houses. If you already have a legal second +line the orange pair should be hooked up too. +The post has a left set of terminals and a right side of terminals. +You ALWAYS hook up the wire with the white stripe on it to the left side! +Find your line by disconnecting wires and listening to the phone. When you +find yours, trace the blue wire down in to the ground and see it there's +a pair of orange wires that are in the same cable as the blues. Hook them +up by cutting off the capper and striping the wires. Now close up the box +after you make it look like it was inside and pick up any wire strippings +and then go home. +You're now hooked into another line! Now you need to interface +your house with the new line. +Most houses have a telephone network interface box. This is a +black, silver or beige box thats on the outside of the house. The newer +model boxes have two parts, one part for the linemen and another part for +the customers. You need to get in to both. Open up the box. +You should see the blue wires hooked up to the red and green lines +also you should see the orange wires sticking up unused. Strip them and +connect them to the yellow and black wires. The wire with the stripe goes +to the yellow wire. Now your house has a new line. +To access the other line you have two choices. You can either buy a +two line splitter and use both lines in your room, or you can just open up +the wall plate of the room that you'd want to use the new line in and +exchange the red and black and the yellow and green wires. +You're now ready to go. Chances are you'll be tied into an +existing phone line already so be careful in your usage during the night. +THe great thing about this is that you can now call long-distance for free! +No more code hacking! + +Enjoy! + diff --git a/textfiles.com/phreak/PHREAKING/euroblue.phk b/textfiles.com/phreak/PHREAKING/euroblue.phk new file mode 100644 index 00000000..b9d80113 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/euroblue.phk @@ -0,0 +1,196 @@ + +File: A HISTORY OF BRITISH PHREAKING + + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + $ $ + $ The History Of British Phreaking $ + $ -=- -=-=-=- -- -=-=-=- -=-=-=-=- $ + $ $ + $ The second in a series of $ + $ THE HISTORY OF.....philes $ + $ $ + $ Written and Uploaded by: $ + $ $ + $$$$$$$$$$$$-=>Lex Luthor<=-$$$$$$$$$$$ + $ and $ + $ The Legion Of Doom! $ + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ +With thanks to Peter McIvers for the list of frequencies mentioned later in +this phile. + +NOTE: the British Post Office, is the U.S. equivelent of Ma Bell. + + In Britain, phreaking goes back to the early fifties, when the technique of +'Toll A drop back' was discovered. Toll A was an exchange near St. Pauls which +routed calls between London and nearby non-London exchanges. The trick was to + dial an unallocated number, and then depress the reciever-rest for 1/2 second. +This flashing initiated the 'clear forward' signal, leaving the caller with an +open line into the Toll A exchange. He could thjen dial 018, which forwarded +him to the trunk exchange- at that time, the first long distance exchange in +Britain- and foll ow it with the code for the distant exchange to which he +would be connect ed at no extra charge. + + The signals needed to control the UK network today were published in the +"Institution of Post Office Engineers Journal" and reprinted in the Sunday +Times (15 Oct. 1972). + + The signalling system they use: signalling system No. 3 uses pairs of +frequencies selected from 6 tones separated by 120Hz. With that info, the +phreaks made "Bleepers" or as they are called here in the U.S. "Blue Box", but +they do utilize different MF tones then the U.S., thus, your U.S. blue box that +you smuggled into the UK will not work, unless you change the frequencies. + + In the early seventies, a simpler system based on different numbers of +pulses with the same frequency (2280Hz) was used. For more info on that, try to +get ahold of: Atkinson's "Telephony and Systems Technology". + + The following are timing and the frequencies for boxing in the UK and other +foreign countries. Special thanks to Peter McIvers for the phollowing inpho: + +British "bleeper" boxes have the vaery same layout as U.S. blue boxes. The +frequencies are different, though. They use two sets of frequencies, forward +and backward. Forward signals are sent out by the bleeper box; the backward +signals may be ignored (it's sort of like using full duplex). The frequencies +are as follows: + +U.S.: +US: 700 900 1100 1300 1500 1700 +Forward: 1380 1500 1620 1740 1860 1980 Hz +Backward: 1140 1020 900 780 660 540 Hz + +for example, change the 900 Hz potentiometers in your box to 1500 Hz. All +numbers 1-0 (10) are in the same order as in an American box. The ones after +this are thier codes for operator 11, operator 12, spare 13, spare 14, and 15. +One of these is KP, one (probably 15) is Star; it won't be too hard to figure +out. The signals should carry -11.5dBm +/- 1dB onto the line; the frequencies +should be within +/- 4Hz (as is the British equipment). Also, the 1VF system is +still in operation in parts of the U.K. This would encode all signals 1 to 16 as binary numbers; for instance, a five is 0101. There are six intervals per +digit, each 50ms long r a total of 300ms. First is a start pulse of 2280 for +50ms. Then, using the example of five (0101), there is a 50ms pause, a 50ms +pulse of 2280, a 50ms pause, and a 50ms pulse of 2280. Finally, there is a +50ms pause that signals the end of the digit. The frequency tolerance on the +2280 Hz is +/- 0.3%; it is sent at -6 +/- 1dBm. An idle line is signaled by +the presence of a 3825Hz tone for more than 650ms. This must be within 4Hz. + +France uses the same box codes as the US, with an additional 1900Hz +acknowledgement signal, at -8.7 +/- 1dBm per frequency. + +Spain uses a 2 out of 5 mf code (same frequencies as US), with a 1700 Hz +acknowledge signal. + +Other places using the 1VF system are: +Australia, 2280Hz +/-6Hz, 35ms/digit at -6dB. +Germany, France: same as Australia; also, some 1VF systems in the UK. +Switzerland: same as Australia, only it uses 3000Hz, not 2280. +Sweeden: same as above, but at 2400Hz. +Spain: some parts use 1VF with 2500Hz. + +There is one other major system: the 2VF system. In this system, each digit is +35ms long. The number is encoded in binary as with the 1VF system. Using the +example of five (0101), here's how the American 2VF system was sent: +2400 pulse, pause, 2040 pulse, pause, 2400 pulse, pause, 2040 pulse, pause. The +digits and pauses are all 35ms long, for a total of 280ms per digit. Other +countries are still using a similar high/low pair with the same timings. Some +parts of Italy use the 1VF system with 2040Hz; some use the 2VF system with +2040 and 2400 (same as original US) Hz. The Netherlands uses a 2VF system with +2400 and 2500 Hz pulses. With the 2VF system, all frequencies should be within +2Hz. + +Also, here are some specs for American phone equipment: +Dial Tone: 350+440Hz, -17.5 to -14.5 dBm/tone. +Off-Hook (ROH): 1400+2060+2450+2600(!) on/off 5 times per second +Busy: 480+620Hz; solow busy: 0.5 +/- 0.05 sec = 1 period +(about twice a second), at -28.5 to -22.5 dBm/tone. + +Ring: 440+480 Hz at -23.5 to -20.5 dBm/tone. +A ring is modulated at 20 +/- 3Hz, 2sec on, 4sec off. + +Call waiting: 440Hz, on 1 second. + +Recorder Connection: 1400Hz, beeps every 15minutes. +Multiparty line ring: sam% frequency and modulation as ring, but 1sec on, 2sec +off (twice as fast). + + Now, back to British Phreaking:In the early days of British phreaking, the +Cambridge University Titan Computer was used to record and circulate numbers +found by the exhaustive dialing of local networks. These number s were used to +create a chain of links from local exchange to local exchange across the +country, bypassing the trunk circuits. Because the internal routing codes in +the UK network are not the same as those dialed by the caller, the phreaks had +to discover them by 'probe and listen' techniques or more commonly known in the +U.S.--SCANNING. What they did was put in likely signals and listened to find +out if they succeeded. The results of scanning were circulated to other +phreaks. Discovering each other took time at first, but evenutally the phreaks +became organized. The "TAP" of Britain was called "Undercurrents" which enabled +British phreaks to share the info on new numbers, equipment etc. + + To understand what the British british phreaks did, think of the phone +netowrk in three layers of lines: Local, trunk, and international. In the UK, +Subcriber Trunk Dialing (STD), is the mechanism which takes a call from the +local lines and (legitimately) elevates it to a trunk or international +level. The UK phreaks figured that a call at trunk level can be routed through +any number of exchanges, provided that the right routing codes were found and +used correctly. They also had to discover how to get from local to trunk level +either without being charged (which they did with a bleeper box) or without +using (STD). Chaining has already been mentioned but it requires long strings +of digits and speech gets more and more faint as the chain grows, just like +it does when you stack trunks back and forth accross the U.S. The way the +security reps snagged the phreaks was to put a simple 'printermeter' or as we +call it: a pen register on the suspects line, which shows every digit dialed +from the subscribers line. + + The British prefer to get onto the trunks rather than chaining. One way was +to discover where local calls use the trunks between neighboring exchanges, +start a call and stay on the trunk instead of returning to the local level on +reaching the distant switch. This again required exhaustive dialing and made +more work for Titan; it also revealed 'fiddles', which were inserted by Post +Office Engineers. What fiddling means is that the engineers rewired the +exchanges for thier own benefit. The equipment is modified to give access to a +trunk with out being charged, an operation which is pretty easy in Step by Step +(SXS) electromechanical exchanges, which were installed in Britain even in the +1970s (NOTE: I know of a back door into the Canadian system on a 4A CO., so if +you are on SXS or a 4A, try scanning 3 digit exchanges, ie: dial 999,998,997 +etc. and listen for the beep-kerchink, if there are no 3 digit codes which +allow direct access to a tandem in your local exchange and bypasses the AMA so +you won't be billed, not have to blast 2600 every time you wish to box a call. + + A famous British 'fiddler' revealed in the early 1970s worked by dialing 173. +The caller then added the trunk code of 1 and the subscribers local number. At +that time, most engineering test services began with 17X, so the engineers +could hide thier fiddles in the nest of service wires. When security reps +started searching, the fiddles were concealed by tones signalling: 'number +unobtainalbe' or 'equipment engaged' which switched off after a delay. The +necessary relays are small and easily hidden. + + $There was another side to phreaking In the UK in the sixties. Before STD was +widespread, many 'ordinary' people were driven to occasional phreaking from +sheer frustration at the inefficient operator controlled trunk system. +This came to a head during a strike about 1961 when operators could not be +reached. Nothing complicated was needed. Many operators had been in the habit +of repeating the codes as they dialled the requested numbers so people soon +learnt the numbers they called frequently. The only 'trick' was to know which +exchanges could be dialled through to pass on the trunk number. Callers also +needed a pretty quiet place to do it, since timing relative to clicks was important + + The most famous trial of British phreaks was called the Old Baily trial. Which +started on 3 Oct. 1973. What they phreaks did was to dial a spare number at a +local call rate but involving a trunk to another exchange Then they send a +'clear forward' to thier local exchange, indicating to it that the call is +finished;but the distant exchange doesn't realize because the caller's phone is +still Off the hook. They now have an open line into the distant trunk exchange +and sends to it a 'seize' signal: '1' which puts him onto its outgoing lines. +Now, if they know the codes, the world is open to them. All other exchanges +trust his local exchange to handle the billing; they just interpret the tones +they hear. Mean while, the local exchange collects only for a local call. The +investigators discovered the phreaks holding a conference somewhere in England +surrounded by various phone equipment and bleeper boxes, also printouts listing +'secret' Post Office codes. (They probably got them from trashing?) The judge +said: "some take to heroin, some take to telephones" for them phone phreaking +was not a crime but a hobby to be shared with phellow enthusists and discussed +with the Post Office openly over dinner and by mail. Their approach and +attitude to the worlds larges computer, the global telephone system, was that +of scientist s conducting experiments or programmers and engineers testing +programs and systems. The judge apeared to agree, and even asked them for +phreaking codes to use from his local exchange!!! + +Downloaded From P-80 Systems 304-744-2253 diff --git a/textfiles.com/phreak/PHREAKING/ffpp.phk b/textfiles.com/phreak/PHREAKING/ffpp.phk new file mode 100644 index 0000000000000000000000000000000000000000..fe9d4d012e6326e5d00f336d61a6f1e43f9f6e26 GIT binary patch literal 7673 zcmcJUZF3t}a)t95Rrn8Wr79%LBqGb!?pm>T3nD3zC5cptL&J_hZoCEzH9FpQP6@{uPRa8z5uJlz_l;$ragML@V`0{%#dW!o+b#1p1X7(jfEKBR#xQ(VYaSle6 z{<_-0^dih-cjr!@+%1Y&fs)g1JZfWHwFzMxU$x)A2|l*o32K35A_j^SW8Z ze7O2=pyu<3HZR;RYkL>lb<8@23(Q{*#Cj9+q92b|uIgEawu`&Ai>sga?P_u{v5Pf^ zg4mxrkMg%qAG4k;K0Cj(d0!m>$%6$uwY(9#Y;SAWo2!eq{K|))K*5Qp3w3%V3?Y>jv2(P!%%Pk&Vi-62z5v2kkm!F&}iRs51Gfaw~V9OYMmJ zeZtHyk-ufQiKLzcBq6rzB8Sm6{EV$Q?7S2~J=0q4$(~J1p(gK!>x5VC}C2f6>M0SFR29{D~ppmFqP$*)A>3iclexvv zl#ohE47Mn4P*IqNeTSLN34t0K3Qw1ZVA(?lD7voOwg9_Z9ue`h9-h$gz?)RkU8E5M z;Rr$PNF9-{Nr~5+C7G~(Ex`>`tQJ8gu*zt&Z_~3QWn?^p5fW%AVWw@?S3Phw0_TXSdLcZ49lYA}EA`V7s17 z(kuUrvedT~S)yk+t@4Q-4ie~slk{(5C-hpaDi;h@#Mc@%i=9#lAjJc!b(k#TR^2 zkW{gWo(i^mN)aqqs<{chPP$OtkvE{iYSXh*Q?78kU#F5)V5#6b9?jH5;t#o!g87zr zb~rr)z<>>R*cRcb>4p|mxxfneorxJlDD@UQ?Ra!Zc0sV6s}iX%%mGlV4=tyi>00|MBYp1rqK4Asy9+#`?D&~U_|4V}6uwB`b*g$sO5ib!$UOP%O_L!qSXBT)kC&}7!@ zo-%;bX!d+UwSfAr1;K{0An3e^q3gNvl8I%FmZ}9!@lFICpki|zLsgA}U8~BH93-8; zhUUbh!Ycq|hYlKN^ks*Y#Z?Mu@ew_`=Z)W@<9fd-F1x8^8KA9hdOE80Gsyye`WK%4lm z=_a)~9y^*_d-c}7w9`|5ef9XLSlI6S^Q(8L21R5D@E-RrE&=%#217kvh<24j=Ru#8 zN)KTJDjA+FDC@1A{rIEp3J4(Q;p>|uKKtqb2p;g*!H@jxIe993ar%x9GNu?dO}Wa-o8GbUL5mXg;RCfV=jf;M1;kK)pUH3*Q@R3)Tr2Wg_tf2 zc-hCa_Y7_OskqY}Qqk1pQzuGWsSO31OrzjR!{DF@*9T3Y^9_KUHkt*!g-LG%Vr7NI zx~f*8p{!#oR8h-H;YSsHf|KU**RWA%3eHWh zd5j%(b+8#~Hv{H?b_&F+;V`4IH|JNECw6giC3rE|$$PlyohU60rEy(jA;bPPwU|zf z6wK}0ub%##c2mhYh2@n~HT zN3K((uhV4UIhAEq{Lop>QeM1uB@r=6nHEB>+=r}2=2Rgydte^c($`X7RIka8#(9;2 zSy%x{PnFk?WkDhGW_}o==RW$y8|o%y&%>$)lht!qNbTXC$y6OI1RQFpk>C&Dq&YU> zodd5qrwgaTBNG(ED>AC|6r6u}w>=!!IL{RPHuXp{G&M`HDX<;L$@k|P8c5GOppwb&W{2l* zj_v$Rx)Zt`m_T!)gsG0rL-S~2=huPe9|?gj_G^z@bJ?keh)p!j{8jc0z=vnJku+cR zg98G$N8-mn}q6VVb|a@T8}Q@FB`Pq61Lns7q7>py;kurJhzX|w>mmnbtbu*nj*!T~%abYNf4Xf`lFb2!W*}N9@k+AdX5M+7q%yda)x_CL zrn`z5aC+&Qm_{p4`VeFiwC}fYLepHyrX;kik-qT=@e(dH9JT#|nZS?HQ?~YfzDWQ| zXkx7gXAr6TK#TAZ*X!zT1$HLhY6=p|(Bx#?k0DN9$OdI~5E5rKYDw+W*-awSps}P` zfE-@fbbv|={`;w?WF*mnP^w!VYUIRHLHJLd_E60vhaBzu5v(^;M^0GTpy>wD+d6iy zC+cMfR1S7|74cA~dw|5vXk!KlY25nd7rLazBy}*Zh5m;0_ft=ZF3ln;wDKF6pNs(H z97(u()x!onLj#Tm>S1p#(TztL^$oJUku*DD!0P`5a#3bjsBa;o$hI1UIqrefU;9GG z&7UjUX{ZrBB# zM4)W=K^vNqhMhI~ja|FP@e6xiGdOdKK@yvu-po}pX|qeW`dwdFYZLCz0>s$u^Z6%= zkcfs(K=)FkfqjQDc=H`$?5J^>VwyUTci=a`&{)1!cd9;h^ zi{pvWsoQfuzqjcO8LCukH-}z6KCL-0&W7{#0S};FjYU_lQ3iqx+i4VZnom$Du92;L zo8SFF`=9=gKf>w}6GvIoa^;*ZGyT4$zh|;Z=a=-FbYSTp0n!&M?5{PCM_ M4xT)D`t^A9H%g&rjQ{`u literal 0 HcmV?d00001 diff --git a/textfiles.com/phreak/PHREAKING/fieldphr.txt b/textfiles.com/phreak/PHREAKING/fieldphr.txt new file mode 100644 index 00000000..3ec7ca16 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/fieldphr.txt @@ -0,0 +1,193 @@ + Manuscript II + Field Phreaking + -=-=-=-=-=-=-=-=-=- + + + +Introduction: The purpose of this manuscript is to introduce useful phreaking +------------- techniques. These techniques have been developed by the Third + Cartel and have proved to be convenient and reliable. + +Field Phreaking Kit: +==================== + +The Field Phreaking Kit is a neccessity for the serious phreaker. Some +so-called phreaks get all of their information including codes from BBSs and +have an ego big enough to call themselves phreaks. The real phreak acquires +knowledge on his own through perseverence and ingenuity. Following is a list +of useful items for your Phreaking Kit: + +o Backpack: Get a nice one to hold all of your materials. +o Test Phone: Very Handy. We'll tell you how to get one or make one. +o Ratchet Set: Usually, you'll only need 7/16 and 3/8" size ratchets. +o Screwdrivers: Get medium and large screwdrivers, and a phillips head. +o Wire Cutters: Just in case you want to wipe out some lines. +o Pliers: For misc. stuff. +o Xacto or Pocket Knife: To strip or cut wires. +o Penlight: Nice and small; very useful for night work. +o Flashlight: If you need lots of light and have enough room in your pack. +o Gloves: Make sure you don't get shocked or leave your fingerprints around. +o Pencil and Paper: Write down locations, notes, numbers, etc. +------------------------------------------------------------------------------- + The Third Cartel carries the following optional materials in their Field Kit: +------------------------------------------------------------------------------- +o Walki-Talkies: For communications when yelling isn't possible or smart. +o Battery Operated Camara Flash: Good for flashing in someone's eyes at night + Will blind a telco guy for a few seconds. +o Mace/Dog Repellant: Spray in someone's eyes if they give you trouble. +o Smoke Bomb: Helpful to divert attention or scare. [drop in telco car] + [Mix 3 parts potassium nitrate with 2 parts sugar and melt] +o Matches: For smoke bomb or anything that is flammable. +o Bandana/Surgical Mask: Manholes are dusty; Wear these for easier breathing. +o Marker: Mark your "territory" on phone boxes. +o Fake Telco ID Card: Will make some people think that you work for telco. + +Organize your kit so you know where everything is and can get something quickly +when needed. You don't want to be fumbling for your mace when the gestapo is +about to get you. + + +Test Phone: +=========== + +The Test Phone is the most useful piece of equipment for Field Phreaking. You +can try to sneak into a telco Plant Department [truckyard] and get a real test +phone out of a truck like we did. If you'd rather not do this, don't worry; +making your own test phone is ultra-easy. + +First, get a telephone for your own purposes. Find the wire coming out of the +phone that is supposed to go to the wall's modular jack. It should be at least +three feet long for convienience. Cut off the modular jack at the end of the +wire. Strip the wire, and there should be two or four small wires inside. +Hook the two middle wires to alligator clips [preferably insulated]. You now +have a test phone! Very easy, indeed. Now let's see if you hooked everything +up ok. First find your phone box. It'll probably be on the outside of your +house. It's farly small, and you might need the ratchet to open it up. Once +you get it open, you should see some screws. These are the terminals for your +phone line. Hook the alligator clips to the two top terminals. If your phone +is ok, you should get a dial tone. Once you know that your phone is working, +a whole new world opens up to you! You can hook the phone up to your +neighbor's terminal and call long distance or yell at the operator on their +line. Be careful, though. You don't want to be talking to Sue in L.A. when +your neighbors are home and awake. If they pick up the phone when you're +already on, you could get into serious trouble. Of course, you could always +listen in on them! If you want, you can hook wires up to your neighbor's +terminal and lead them to your house. In case you didn't know, this is called +Beige Boxing. You can then hack computers on their line, call Dial-A-Prayer, +etc. Make sure to hide the wire well so that it won't be traced to your +house! + + +Manholes: +========= + +One way to get access to an abundance of phone lines is by getting into telco +manholes. You don't want to accidentally get in a sewer manhole, so the first +thing to do is find the differences between sewer and telephone manholes. If +you have trouble with this, here's a few tips that might help: +o Telco manhole covers are usually larger and heavier than other covers. +o Telco manholes are scarce compared to sewer manholes. So if there are + a lot of checkered manhole covers in your area, those are probably sewer + manholes. If there are only a handful of unmarked manhole covers in + your area, those probably contain phone lines. +o Go to your local telco Central Office [CO] and find out what the manhole + covers look like there. Find manhole covers that look the same in other + areas, and pick a convenient/safe manhole to explore. + +Getting into a manhole is a different story. Here in the Denver area, it takes +at least three people to get a manhole cover off. Hopefully it'll be easier +to do in your area. To open the manhole, you'll probably need at least two +crowbars [You could try using a pickaxe]. Get a group together to open the +manhole, using 2 or more people with crowbars to slide the cover off. You +might want to get a strong guy to push the manhole cover while the other people +with crowbars support it. If you know of a tool that was made specifically +for opening manholes, we'd appreciate it if you contacted us on some local +Denver boards and told us about it. Likewise, if you have a better system for +opening manholes, we'd be grateful for the information. + +Once you get the manhole cover off, shine a flahlight down to see if there's +a ladder going to the bottom. Try a different manhole if there's no ladder. +If you want to go down a manhole, don't forget to wear a bandana or surgical +mask over your mouth so that you don't choke on dust. Also bring a flashlight +so you can see what you're doing. Many times, there'll be a few inches of +water at the bottom, so you might also want to wear boots. + +Down in the manhole, you might find some equipment or manuals. Go ahead and +take them if you want; you deserve it! There should be some very large ABS +plastic tubes going across the "room" you're in. The phone lines are inside +these tubes. Attached to this tubing there will be some short, wide plastic +cylinders. There'll be screws holding these cylinders on to the tubing. +You'll need either a screwdriver or a ratchet to open a cylinder. If you +happen to get a cylinder open, congratulations! You now have access to +countless phone lines! We'll leave it to you to figure out what to do with all +of those wires. Surely you'll figure something out! [snip, snip!] + + +Exploring Telco Building Sites: +=============================== + +One of the best ways to get information about telco is by going to a Central +Office near you, exploring the trucks in a Plant Department, or "visiting" +other telco buildings. The phone company is careless in many ways. They +leave important, yet unshredded documents and computer printouts in their +open dumpsters. Their cars, vans, and repair vehicles are almost always left +unlocked. Inside their vehicles one can usually find manuals, test phones, +computer cards [usually for mainframes, almost never for personal comuters], +nice tool sets, etc.! It's almost as if they *want* to be ripped off! They +deserve bad treatment just for their negligence. If possible, we like to be +courteous to individual employees of telco. Most employees are fairly amiable +and don't deserve trouble. It's the beuracracy of telco that deserves to be +manhandled. Cheap practices such as monopolizing and the overpricing of +services is the general reason why we phreaks do what we do with such +determination. On with the show. + +Exploring Dumpters: Looking inside telco dumpters is probably the easiest way +to acquire useful information. Typycally, dumpters will be found outside a +Central Office. They are usually left open for the world to see. It's a good +idea to check a dumpster near you every day or two. You want to get your +printouts and such before they go to the garbage dump. Make sure that you +aren't pulling stuff out of the dumpster when the employees get out for the +day! If possible, check the dumpster after closing hours just to be safe. But +it's usually ok to get stuff out of it during working hours. You should find a +lot of useful information, including computer numbers, if you consistently +check the dumpsters. + +Exploring Plant Departments: Plant Department is just a strange name telco +made for a truckyard. You might need your 'ol wire cutters for this job. +Plan to stay up late for this mission, too. Around here, at least, the Plant +Department doesn't close until 11:30 to 11:45 p.m. If your local Plant +Department isn't bound by barbed-wire fences, you're lucky. If, unfortunately, +it's like ours, you'll have to find a way to get in. First, try to find breaks +in the fence where you might be able to slip through. If this isn't possible, +and you can't climb over the fence because there's barbed-wire at the top, get +out the [gasp!] wire cutters. Cut the barbed-wire and climb over the fence. +Quietly move around the truck yard, opening various trucks, taking whatever you +want. Although it might be hard, try to control yourself. Only take one item +per truck so that the fools don't get suspicious. You don't ever want them to +get suspicious, or you'll never be able to go back without fearing that they +might be watching the truckyard for intruders. Just take a testphone and a few +handy manuals. The testphone is usually in the back behind the passenger's +seat. Manuals should be in the glove compartment or between the two front +seats. The rest of the gadgets in the trucks have little or no practical uses +for phreaks. Too bad. Be cool and don't take anything you don't need. +Correction: Don't take anything you don't *really* want. Have phun with this, +and please let us know if you find any useful gadgets in a telco truck. We'd +like to hear from you! Look for a Field Phreaking II file soon. It should be +Manuscript III. + +------------------------------------------------------------------------------- + >>>>*Freddy*<<<< [The Only Living Peabody] + + The HORN + . <> . + .:.:.:.:.:.:.:. +If You Want To: ------------------------- |) / |) +Call Bone Cellar Look For More Third Cartel Files Soon! |si-\hotic |)athtub + -------------------------- -_-_-_-_-_-_-_-_-_- + 60:60:60:60::':':':' + =:-Distribute-:= + -=-=-1988-=-=-=-=-=-=-=-/-This File-\-=-=-=-=-=-=-=-1988-=-=- + \-Anywhere!-/ + [Talk About Gaudy, Eh?] +------------------------------------------------------------------------------- + diff --git a/textfiles.com/phreak/PHREAKING/freakusa.txt b/textfiles.com/phreak/PHREAKING/freakusa.txt new file mode 100644 index 00000000..bf72d9f2 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/freakusa.txt @@ -0,0 +1,84 @@ +"Phreakin' USA!" by John Fowler + +When you think "phone phreak," what kind of mental picture do you get? A +teenager holding a sound-making box up to a phone? Or someone who uses false +calling card numbers? The phone companies lose an estimated $80 million each +year on fraudulent phone calls (compared to a total budget of over $27 +billion!), but only a minute fraction is attributed to the above cases. So who +is causing all these losses? + +A phreak is officially defined as "One who causes information to be passed over +the phone without the phone company receiving due compensation." This applies +to more cases than most people expect. For example, calling a "ring-back" +system long distance just happens to be illegal, because you are passing +information (that you want to use the modem line) without paying the phone +company! This law is, of course, not enforcible, and even if it was, why +take someone to court over a matter of twenty cents lost? It's also illegal to +make a person-to-person call to yourself in order to let your spouse know you +arrived at a destination safely! Likewise, calling someone collect at a pay +phone, calling an operator to say you lost a dollar in a pay phone when you +didn't, and completing a call with another person over "test lines" (test lines +are in all exchanges, and if two people dial consecutive test lines, they may +talk to each other without any charge) are all illegal! Spreading all this out +along the entire phone network, it suddenly becomes a matter of millions of +dollars lost each year, even without those little boxes that simulate operator +tones! + +However, the common image of the phreak is someone who plays with red, black, +and blue boxes to somehow gyp the phone company into allowing a free call. +Each of these boxes, named after the color of the originals, has a different +function, and many times the boxes are confused with each other. A red box +is a device meant to be used only at pay phones. It simulates the sounds +of various coins dropping into the phone. When some pay phones hear this +sound, they automatically assume the a coin actually has dropped into the phone +and registers it. A black box is a device which converts any phone jack it is +hooked up to into a toll-free number. If Larry hooked up one, I and everyone +else could call the CPTBBS as if it were an 800 number, yet Larry would not +have to pay the excessive charges that an 800 number demands. With the +sophisticated scanning equipment the phone company has today, however, black +boxes can be detected after a while. + +The most infamous of the colored boxes is the blue box, which mimics the +operator tones to allow free calls from any phone. They cost only $25-$50 to +make, but can sell for up to $3000! Here's how it works: a phreak first dials +a no-charge number, such as an 800 number for a large corporation (if he wants +to add a little irony, he'll make it AT&T's 800-number!). The number rings +once, and then the phreak generates a pure 2600-cycle tone. This tells the +phone equipment that the call has dislodged and to be ready for the next call, +though the phreak remains on-line! The phreak then gives another tone telling +the equipment that a toll call is coming through (though in actuality it is +not). The phreak dials the number and is connected, but the billing equipment +never starts! When the phreak eventually hangs up, the records will only show +that he made a toll-free call. + +It would cost the phone companies approximately one billion dollars to change +the switching system so that the blue boxes would not work, so instead they +decided to invest in a scanning system that records all questionable calls. +Now that scanning system is so quick that it's almost suicide to use a black +or blue box at home. Phreaks can still get away with using blue boxes at +pay phones if the call is short, but that's about all. If someone is found +using a blue or black box at home now, the box is immediately confiscated, and +the phreak's service may be possibly disconnected. + +If someone offers to sell you one of these colored boxes for the standard +ridiculous price, I'd advise against it. You stand to lose much more than you +would gain in the long run. + +Reference: Kleinfield, Sonny; "The Biggest Company On Earth"; +published by Holt, Rinehart, and Winston; 1981; pp. 247-261. + + + + +X-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-X + Another file downloaded from: NIRVANAnet(tm) + + & the Temple of the Screaming Electron Jeff Hunter 510-935-5845 + Burn This Flag Zardoz 408-363-9766 + realitycheck Poindexter Fortran 510-527-1662 + My Dog Bit Jesus Suzanne d'Fault 510-658-8078 + New Dork Sublime Demented Pimiento 415-864-DORK + The Shrine Tom Joseph 408-747-0778 + + "Raw Data for Raw Nerves" +X-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-X diff --git a/textfiles.com/phreak/PHREAKING/freknum.txt b/textfiles.com/phreak/PHREAKING/freknum.txt new file mode 100644 index 00000000..fd9aa890 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/freknum.txt @@ -0,0 +1,407 @@ + + +Title: Super Phreak's Hacking and Phreaking Numbers +Date: 9/4/87 +Time: 12:09 pm + + + + + On this list: + Hacking and Phreaking Numbers + Various Numbers, Terminals, Stores + Telephone Services + Main Frames + Credit Card Validations + Phreaking (the real thing) + Conferance Starters + + + Super Phreak's + Hacking and Phreaking Numbers + <*-----------------------------*> + + EASY LINK............................................. 1-800-325-4112 + CITIBANK.............................................. 1-800-223-3312 + EXPORT/IMPORT BANK.................................... 1-800-424-5201 + ALCOHOL, TOBBACCO & FIREARMS.......................... 1-800-523-0677 + FEDERAL INFORMATION CENTER............................ 1-800-532-1556 + ARMS & SERVICE ENLISTED MOBL.......................... 1-800-325-4072 + COMBAT SUPPORT BRANCH................................. 1-800-325-4095 + ROPD USAR COMBAT ARMS DIVISION........................ 1-800-325-4890 + WHITE HOUSE PRESS (voice)............................. 1-800-248-0151 + SOCIAL SECURITY....................................... 1-800-432-3960 + PUGET SOUND NAVAL SHIPYARD............................ 1-800-426-5996 + GENERAL MOTORS........................................ 1-800-685-6790 + TELE-CONNECT (voice).................................. 1-800-255-2255 + FORD.................................................. 1-800-521-4120 + AMERICAN NETWORK (voice).............................. 1-800-227-0090 + THE SOURCE............................................ 1-800-828-6321 + RCA................................................... 1-800-526-3714 + IBM DISTRIBUTION...................................... 1-800-426-2222 + XEROX................................................. 1-800-828-6321 +-r MOTOROLA DITELL....................................... 1-800-323-4w6 + PC PURSUIT............................................ 1-800-835-3001 + TELCOR................................................ 1-800-231-3158 + UNKNOWN............................................... 1-800-521-0013 + + + UNIVERSITY OF LOUSVILLE............................... (502) 588-6020 + UNIVERSITY OF FLORIDA................................. (904) 392-5533 + 644-2261 + UNIVERSITY OF MASSACHUSETTS........................... (413) 545-1600 + UNIVERSITY OF NEW MEXICO.............................. (505) 227-3351 + UNIVERSITY OF PERUE................................... (317) 494-1900 + UNIVERSITY OF TEXAS................................... (214) 688-1400 + UNIVERSITY OF TEMPLE.................................. (215) 787-1010 + UNIVERSITY OF SAN DIEGO............................... (619) 293-4510 + UNIVERSITY OF HARTFORD................................ (203) 242-6492 + 242-6852 + UNIVERSITY OF MARYLAND................................ (301) 454-6111 + UNIVERSITY OF COLORADO................................ (303) 644-3841 + UNIVERSITY OF MINNESOTA............................... (714) 974-4020 + UNIVERSITY OF VIRGINIA................................ (703) 328-8086 + UNIVERSITY OF MICHIGAN................................ (313) 454-1000 + OAKLAND UNIVERSITY.................................... (313) 370-4399 300 B + 370-4312 1200 B 370-4300 1200 B + HARVARD UNIVERSITY.................................... (617) 732-1802 + 732-1251 + WAYNE STATE UNIVERSITY................................ (313) 577-2424 + LYOLA COLLEGE......................................... (213) 642-2706 + PRINCETON UNIVERSITY.................................. (609) 452-6736 + NORTHEASTE?+N UNIVERSITY............................... (617) 417-9203 + UNIVERSITY OF KY...................................... (313) 964-2500 + DARTMOUTH COLLEGE..................................... (603) 643-6310 + HONEYWELL UNIVERSITY.................................. (612) 870-6086 + POLY TECH UNIVERSITY.................................. (714) 598-4861 + AMARILLO UNIVERSITY................................... (806) 741-5951 + 741-6701 + MARSHALL UNIVERSITY WASHINGTON........................ (304) 696-6711 + NEW YORK STATE COLLEGE................................ (212) 777-7600 + 598-7001 + FORTWORTH SCHOOL...................................... (817) 332-8491 + FAIRFAX SCHOOL SYSTEM................................. (202) 256-9676 + OAK-COUNTY SCHOOLS.................................... (857) 950-1313 + LIVONIA SCHOOLS....................................... (313) 464-1234 + OAKLAND SCHOOLS....................................... (313) 857-9500 + ARBOR SCHOOLS......................................... (313) 769-8821 + REDFORD SCHOOLS....................................... (313) 494-1921 + GROSSE POINTE SCHOOLS................................. (313) 343-2000 + GROSSE POINTE SOUTH TIMESHARE (RECORDING)............. (313) 343-2340 + GROSSE POINTE NORTH HIGH SCHOOL....................... (313) 343-2350 + LOGIN: RS FUNCTIONS: HP1 HP3 + LOGIN: HOST HP2 MOIS + ROMULUS............................................... (313) 941-3308 + WAYNE COUNTY COMMUNITY COLLEGE........................ (313) 577-0335 + MACOMB COLLEGE COMPUTER............................... (313) 445-0260 + MACOMB COLLEGE COMPUER ROOM........................... (313) 445-7157 + LAWERANCE INSTITUTE................................... (313) 356-4040 + LOWELL UNIVERSITY..................................... (617) 459-0159 + LOGIN: HELLO ID: 9102002 + CONSULTANT FOR WAYNE STATE UNIVERSITY (vioce)......... (313) 577-4778 + MERIT COMPUTER NETWORK (WAYNE STATE UNIV.)............ (313) 577-0335 + THROUGH THIS YOU CAN CONTACT THE FOLLOWING SERVICES AND COLLEGES FOR NO CHARGE: + + MS=MICHIGAN STATE UNIV. OU=OAKLAND UNIV. + UB=UNIV. OF MICHIGAN UM=UNIV. OF MICHIGAN + WM=WESTERN MICHIGAN UNIV. WU=WAYNE STATE UNIV. + + Autonet ITI MAGNET MSU IBM + MSUnet MTU OU SECS RPI + Telenet UM CAVAX UM CLINFO UM CVVAX + UM DSC UM Engin Harris UMLIB UMLIB 300 + WMU-CAE WMU-Kanga WMU-Pooh WMU-Puff + WSU CSVAX WSU ET ZOOnet p + ZOOnet-KCollege + ZOOnet-KVCC + + ABA/NET ADPNS 261 ADPNS 3 ADPNS 446 + ADPNS 9 Alberta Automail Boeing + British Columbia BRS Cal Berkeley Calgary + Caltech HEP Carnegie DEC-20 Carnegie MICOM Carnegie 11/45 + Compuserve Comshare Cornell Dalhousie + Datapac info Dialcom Dialog Vers 1 Dialog Vers 2 + Dow Jones Guelph Illinois Illinois Cyber + LEXIS Manitoba Maryland Unix McGill + Minnesota Cyber Minnesota VAX MIT Multics MIT VM + Montreal Natl Lib Med New Brunswick Newsnet + NJIT EIES NLM Notre Dame NRC + NYTimes OAG Queens Rice + SDC SFU Simon Fraser Source + Source 11 Source 12 Source 13 Stanford STN Telenet Cust Serv Telenet Mail Telenet Telemail + Toronto TUCC UBC UQV + Victoria Washington Waterloo TSS Waterloo VM + Wilsonline Wisconsin MACC Wisconsin VAX Yale + + + GROSSE POINTE WOODS (voice)........................... (313) 343-2440 + CITY OF HARPER WOODS.................................. (313) 343-2500 + URI................................................... (401) 884-5970 + ARIZONA STATE......................................... (602) 965-7001 + LIBRARY............................................... (301) 528-3922 + 1st NATIONAL BANK..................................... (408) 248-8818 + MICHIGAN NATIONAL BANK................................ (313) 964-5808 + GENERAL MOTORS........................................ (313) 685-6709 + TELCO................................................. (203) 776-2516 + ITT DIALCOM NETWORK................................... (212) 947-7522 + LAW OFFICE............................................ (313) 964-5858 + AIRLINE............................................... (714) 775-2104 + TWA................................................... (213) 417-8987 + MA BELL............................................... (313) 651-9743 + IN PURSUIT OF - INFO ON PC PURSUIT & REGISTRATION..... (202) 689-2987 + TRW................................................... (305) 371-6382 + (408) 280-1901 + (602) 257-9054 + (714) 776-4511 + 638-3492 + 956-3370 + DOW JONES VIA TYMNET.................................. (313) 962-2870 + LOGIN: DOW1;; PW: 94K24W6TAN PW: FUN2KR9381 + WHITE HOUSE (voice)................................... (202) 456-1414 + RONALD REGAN (voice).................................. (202) 445-4616 + F.B.I. NET............................................ (412) 527-8291 + PENTAGON TACTICAL..................................... (202) 697-0814 + N.A.S.A. H.TEX........................................ (713) 483-4115 + N.A.S.A............................................... (806) 353-9901 + NUCLEAR COMMISSION (voice)............................ (404) 221-5519 + NAVY SHIPS INFORMATION (voice)........................ (213) 547-6801 + K.K.K................................................. (619) 723-8996 + ATLANTIC CITY CASSINO................................. (215) 564-6572 + US BUREAU OF STANDARDS................................ (303) 499-7111 + AIR FORCE............................................. (203) 748-3947 + PENTAGON.............................................. (202) 545-6706 + PENTAGON.............................................. (202) 553-0229 + DEFENSE DEPARTMENT.................................... (703) 781-4531, 4522 + WAR DEPARTMENT........................................ (401) 841-3436 + N.O.R.A.D............................................. (203) 748-3947 + N.A.S.A. (FLORIDA).................................... (806) 353-9901 + COMPUSERVE............................................ (313) 285-9207 + MICHCON............................................... (313) 271-3008 + UNINET................................................ (313) 358-5780 + (415) 937-2868 + APRANET............................................... (415) 327-5220 + TELENET............................................... (313) 268-6620 + 579-9162 + 965-6005 + AUTONET............................................... (313) 271-6950 + 663-7618 + 646-2237 + 1-800-225-8456 + 1-800-327-6764 + TYMNET................................................ (313) 962-2870 + 965-6005 + + Various Numbers, Terminals, Stores + <*----------------------------------*> + ABC NEW YORK FEED LINE................................ (212) 799-5017 + TELEMAIL.............................................. 1-800-424-9494 + NAVY FINANCE CENTER................................... 1-800-321-1082 + JOHNSON & JOHNSON..................................... 1-800-253-9892 + AT&T STOCK PRICES..................................... 1-800-882-1061 + STOCK QUOTES.......................................... (212) 986-1660 + (914) 997-1277 + (201) 623-0150 + (516) 794-1707 + STOCK MARKET REPORTS (voice).......................... (213) 541-2462 + (312) 939-1600 + (505) 883-6828 + RADIO SHACK........................................... (313) 964-5538 + WIERD EFFECTS!........................................ (213) 935-1111 + WIERD RECORDING....................................... (512) 472-4263 + INTERNATIONAL GRAPHICS................................ (612) 339-5200 + RVS CABLEVISION....................................... (414) 259-1233 + EDUCATIONAL RESEARCH.................................. (713) 792-7200 + SMITH & HENCHMAN...................................... (313) 964-2064 + McDONALDS............................................. (305) 764-4595 + REPAIR COMPUTER CENTER................................ (313) 881-0659 + PHONE COMPANY TEST LINE............................... (619) 748-0002 + SHUTTLE COMMUNICATIONS................................ (900) 410-6272 + MICHIGAN BELL NEWSLINE................................ (313) 223-7223 + ?????????????......................................... (313) 950-0777 + (TOUCH TONE CODE: 14730091) + + Telephone Services + <*------------------*> + + AT&T.................................................. (214) 742-1195 + AT&T CALLING CARD OPERATOR............................ 1-800-855-4008 + AMERICAN TELEPHONE.................................... (201) 221-6397 + BELL, SOUTHWESTERN.................................... (214) 742-1354 + 'y 742-1637 + BELL OF PENNSYLVANIA.................................. (215) 466-6680 + CHESAPEAKE TELE....................................... (202) 347-0999 + HAWIIAN TELE.......................................... (808) 533-4426 + GENERAL TELE.......................................... (213) 829-0111 + ILLINOIS BELL......................................... (312) 530-1755 + ILLINIOS BELL......................................... (312) 368-8000 + INDIANA BELL.......................................... (317) 265-8611 + MICHIGAN BELL......................................... (313) 223-7233 + 881-0659 + 964-4042 + 964-0042 + 924-9977 + 839-3373 + 961-8572 + 892-0060 + NEW ENGLAND BELL...................................... (207) 955-1111 + NEW JERSEY BELL....................................... (201) 483-3800 + NEW YORK TELEPHONE.................................... (212) 395-2200 + OHIO BELL............................................. (216) 822-6980 + WISCONSIN TELEPHONE................................... (414) 678-3511 + U.S. TELEPHONE........................................ (313) 950-1033 + UNKNOWN............................................... (800) 327-6713 + + Mainframes + <*----------*> + + AMERICAN EXPRESS...................................... 1-800-228-1111 + RSX-11................................................ 1-800-521-8426 + HP3000................................................ (303) 232-8555 + (415) 857-8193 + (215) 563-9213 (512) 385-4170 + (301) 881-6156 + 881-6157 + 881-6158 + COSMOS NY............................................. (212) 370-4304 + 394-1203 + DEPAUL................................................ (312) 939-7950 + DEVELCON.............................................. (415) 486-4959 + RCA/CMS............................................... (609) 734-3131 + NASUA................................................. (713) 483-2700 + DIALOG................................................ (212) 947-7522 + GIS................................................... (817) 625-6401 + RSTS/E................................................ (212) 369-5114 + (516) 586-2850 + (303) 447-2540 + (817) 877-0548 + (414) 476-8010 + 542-4494 + 543-0789 + OVL111................................................ (203) 527-0006 + RAPID DATA............................................ (212) 736-3377 + MILLERSVILLE UNIVAC................................... (717) 872-0911 + MIT................................................... (617) 258-8313 + LYRICS TIMESHARING.................................... (516) 567-8013 + MERADCOM.............................................. (703) 781-4520 + ENGINEERING COM....................................... (313) 964-2064 + MENLO PARK CORP....................................... (415) 361-2500 + DEC VAX............................................... (414) 445-4050 + DEC PDP-11/70......................................... (414) 476-8010 + DEC-10................................................ (315) 423-1313 + SEMAT COMPUTER........................................ (313) 964-2000 + BOND-NET.............................................. (313) 962-1102 + H.A.T.S............................................... (714) 962-3365 + ISO................................................... (515) 294-9440 + TSO................................................... (312) 996-5100 + VAX 11/44............................................. (619) 485-9888 + VM370................................................. (214) 742-3189 + WANG VS/80............................................ (303) 978-2111 + W.I.T.S............................................... (313) 769-8803 + WYLBUR................................................ (212) 246-7170 + WAYNE STATE........................................... (313) 577-0260 + UNIX.................................................. (609) 452-0025 + (415) 486-7020 + 486-7015 + JOSKES................................................ (214) 742-3999 + LAUSD................................................. (213) 742-8000 + FTS................................................... (313) 234-5612 + (213) 789-2000 + F.A.A................................................. (202) 347-3222 + COCIS................................................. (303) 447-2540 + AUSTIN COMPUTERS...................................... (512) 474-5011 + AUTOBAHN IMPORTS...................................... (817) 977-0663 + LYRICS TIMESHARE...................................... (516) 567-8013 + SLIPPERY ROCK OIL..................................... (412) 794-7601 + UNION OIL............................................. (201) 686-2425 + SHELL COMa............................................ (713) 795-1200 + + Credit Card Validation + <*----------------------*> + + CHARGE CARD ASSOCIATION............................... (313) 964-2018 + JC PENNY CREDIT CARD.................................. (303) 371-1296 + NTRCHA................................................ (214) 742-2636 + SEARS CREDIT CHECK.................................... (404) 885-3460 + VISA MERCHANT ID...................................... (313) 956-9600 + CREDIT CHECK.......................................... 1-800-228-1122 MASTERCARD/VISA....................................... 1-800-362-7171 + VISA CREDIT CHECK..................................... 1-800-228-1111 + MASTERCARD............................................ 1-800-292-2730 + CODE: 44360006-R + MICHIGAN BANK CARD.................................... 1-800-462-3420 + ??????????????........................................ 1-800-321-8067 + CODE: 370466 (TOUCH TONE CODE!) + + Phreaking + <*---------*> + + MCI (5 DIGIT CODE).................................... (313) 978-8100 + (313) 237-0603 + (313) 950-1022 + SPRINT (8 DIGIT CODE)................................. (313) 950-1000 + ALLNET................................................ (313) 950-1044 + LEXITEL............................................... (313) 950-1066 + SKYLINE (6 DIGIT CODE)................................ (313) 950-1088 + METROFONE (6 DIGIT CODE).............................. (313) 963-4847 + TRAVELNET (8 DIGIT CODE).............................. (313) 268-6620 + TRACING TEST (low-high (GOOD), high tone (BAD))....... (617) 494-9900 + (617) 890-9900 + TRAVELNET............................................. 1-800-521-8400 + SAY "YES" FOR VERIFICATION + PBX................................................... 1-800-221-3044 + DIAL CODE + 96 + 1 + DEST. (4 DIGIT CODE) + PBX................................................... 1-800-245-0033 + CODE: 356172 + PBX................................................... 1-800-345-0008 + A VERY GOOD PBX....................................... 1-800-446-4462 + CODES: 919194, 334447, 520585 + SOME DIVERTERS........................................ 1-800-433-5656 + 1-800-845-0031 + 1-800-325-9990 + 1-800-238-2847 + (312) 678-9923 + 678-9952 + + RCI COMPANY........................................... 1-800-922-0918 + AT TONE DIAL: CODE+DEST. + UNKNOWN............................................... 1-800-457-0047 + COULD BE CODES BUT THE NUMBER MAY NOT NEED THEM: + 272423, 868358, 958818, 762398 + METRO CODES.....................188-193....188-342....133-353........ + CONSUMER NAME AND ADDRESS (CNA)....................... (313) 223-8690 + SPRINT CODE................................................ 666666630 + + Conferance Starters + <*-------------------*> + + 0-700-456-1000 + 0-700-456-1001 + 0-700-456-1002 4 sites are Chicago, + 0-700-456-1003 New York, Dallas and + 0-700-456-1004 Los Angeles. + 0-700-456-2000 + 0-700-456-2001 + 0-700-456-2002 + 0-700-456-2003 + 0-700-456-2004 + +=============================================================================== + WRITEN: 03/23/86 UPDATED: 05/15/86 + + The list seen here is composed of many notes and research conducted +by THE JOYSTICK. I hope that you enjoy this list and please let me know if you find any errors in the listing or if you have an add +Time remaining = 37 +SAT JUN 07 6:57:58 PM +(>ition to it. + I keep this file as up-to-date as possible and I am not + + + The Joystick Later, screw up it's your fault not + responsible for any abuse and use of this file. + + + +Downloaded from The Land Of Fa II [716]/773-7526 + + + + Swashbucklers II 1-(416)-275-5593 diff --git a/textfiles.com/phreak/PHREAKING/hack.3.txt b/textfiles.com/phreak/PHREAKING/hack.3.txt new file mode 100644 index 00000000..6f47a048 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/hack.3.txt @@ -0,0 +1,155 @@ +Hacking + HACK AND PHREAK + =-=-=-=-=-=-=-= + FILE #3 + + BY: THE HYAENA + +PLEASE BE CAREFUL WHO YOU GIVE THIS FILE TOO... + +I'M NOW GOING TO DISCUSS HACKING VAX AND UNIX. + +TO BEGIN WITH UNIX IS A TRADEMARK OF BELL LABS, AND THAT COULD MEAN TROUBLE +FOR THOSE OF YOU WHO DON'T KNOW WHAT YOU ARE DOING. IF YOU ARE ON ANOTHER +UNIX-TYPE SYSTEM, SOME OF THE COMMANDS MAY VARY, BUT SINCE IT IS LICENSED TO +BELL, THERE CAN'T BE TOO MANY CHANGES. HACKING ONTO A UNIX SYSTEM IS VERY +DIFFICULT, AND IT IS GOOD TO HAVE AN INSIDE SOURCE, IF POSSIBLE. IT'S VERY +DIFFICULT TO HACK A VAX SINCE, AFTER YOU GET A CARRIER FROM A VAX, YOU SEE +"login:" THEY GIVE YOU NO CHANCE TO SEE WHAT THE LOGIN FORMAT IS. ALTHOUGH, +MOST COMMONLY THESE ARE SINGLE WORDS, UNDER 8 CHARACTERS, AND USUALLY THE +USER'S NAME. THERE IS HOWEVER A WAY AROUND THIS. MOST VAX HAVE AN ACCOUNT +CALLED "suggest" FOR PEOPLE TO USE TO MAKE A SUGGESTION TO THE SYSTEM ROOT +TERMINAL. THIS IS USUALLY WATCHED BY THE SYSTEM OPERATOR, BUT LATE AT NIGHT, +HE IS PROBABLY NOT AROUND. SO NOW WE CAN WRITE A PROGRAM TO SEND TO THE VAX, +THIS TYPE OF MESSAGE; A SCREEN FREEZE (CTRL-S), SCREEN CLEAR (SYSTEM +DEPENDANT), ABOUT 255 GARBAGE CHARACTERS, AND THEN A COMMAND TO CREATE A LOGIN +ACCOUNT, AFTER WHICH YOU CLEAR THE SCREEN AGAIN, THEN UNFREEZE THE TERMINAL. +WHAT THIS DOES IS THAT WHEN THE TERMINAL IS FROZEN, IT KEEPS A BUFFER OF WHAT +IS SENT. THE BUFFER IS ABOUT 127 CHARACTERS LONG, SO YOU OVERFLOW IT WITH +TRASH, AND THEN YOU SEND A COMMAND LINE TO CREATE AN ACCOUNT (SYSTEM +DEPENDANT). AFTER THIS YOU CLEAR THE BUFFER AND SCREEN AGAIN, THEN UNFREEZE +THE TERMINAL. THIS IS A BAD WAY TO DO IT, AND IT IS MUCH NICER IF YOU JUST +SEND A COMMAND TO THE TERMINAL TO SHUT THE SYSTEM DOWN, OR WHATEVER YOU ARE +AFTER. THERE IS ALWAYS AN ACCOUNT CALLED "root", WHICH IS THE MOST POWERFUL +ACCOUNT TO BE ON, SINCE IT HAS ALL THE SYSTEM FILES ON IT. IF YOU HACK YOUR +WAY ONTO THIS ONE, THEN EVERYTHING IS EASY FROM HERE ON. THE ABORT KEY ON THE +UNIX SYSTEM IS CRTL-D. WATCH HOW MANY TIMES YOU HIT THIS, SINCE IT IS ALSO +AWAY TO LOG OFF THE SYSTEM. SOME USEFUL THINGS TO KNOW ABOUT THE UNIX +ARCHITECHTURE; THE ROOT DIRECTORY, CALLED "root", IS WHERE THE SYSTEM RESIDES. +AFTER THIS COME A FEW 'SUB' ROOT DIRECTORIES, USUALLY TO GROUP THINGS, SUCH AS +STATS, PRIVATE STUFF, THE USER LOG, ETC. HERE. NEXT COMES THE SUPERUSER (THE +SYSTEM OPERATOR), AND THEN FINALLY THE NORMAL USERS. IN THE UNIX SHELL +EVERYTHING IS TREATED THE SAME. WHAT I MEAN BY THIS IS THAT YOU CAN ACCESS A +PROGRAM THE SAME WAY AS YOU ACCESS A USER DIRECTORY, AND SO ON. THE WAY THAT +THE UNIX SYSTEM WAS WRITTEN, IS THAT EVERYTHING, EVEN THE USERS, ARE JUST +PROGRAMS BELONGING TO THE ROOT DIRECTORY. THOSE OF US THAT CAN HACK ONTO THE +ROOT SMILE, SINCE YOU CAN SCREW EVERYTHING UP. THE MAIN LEVEL (OR EXEC LEVEL) +PROMPT ON THE UNIX SYSTEM IS THE $, AND IF YOU AREON THE ROOT, YOU HAVE A # +(SUPER-USER) PROMPT. NOW AS FOR A FEW BASICS OF THE SYSTEM; TO SEE WHERE YOU +ARE AND WHAT PATHS ARE ACTIVE IN REGUARDS TO YOUR USER ACCOUNT, TYPE "PWD". +THIS SHOWS YOUR ACCOUNT, SPERATED BY A SLASH WITH ANOTHER PATHNAME (ACCOUNT), +POSSIBLE MANY TIMES. TO CONNECT THROUGH TO ANOTHER PATH, OR MANY PATHS, YOU +WOULD TYPE "path1/path2/path3" AND THEN YOU ARE CONNECTED ALL THE WAY FROM +PATH 1 TO PATH 3. YOU CAN RUN THE PROGRAMS ON ALL THE PATHES THAT YOU ARE +CONNECTED TO. IF IT DOES NOT ALLOW YOU TO CONNECT TO A PATH, THEN YOU HAVE +INSUFFICIENT PRIVILEGES, OR THE PATH IS CLOSED AND STORED ON TAPE. YOU CAN +ALSO RUN PROGRAMS BY TYPING "path1/path2/path3/program-name". SINCE UNIX DOES +TREAT EVERYTHING AS A PROGRAM, THERE ARE A FEW COMMAND THAT YOU MAY HAVE TO +LEARN. TO SEE WHAT YOU HAVE ACCESS TO, YOU TYPE "ls" FOR LIST, THIS SHOWS THE +PROGRAMS THAT YOU CAN RUN. YOU CAN CONNECT TO THE ROOT DIRECTORY AND RUN ITS +PROGRAMS BY TYPING "/root". BY THE WAY, MOST UNIX SYSTEMS HAVE THEIR LOG FILE +ON THE ROOT, SO YOU CAN SET UP A WATCH ON THE FILE, WAITING FOR PEOPLE TO LOG +IN AND YOU GET THEIR PASSWORD AS IT PASSES THROUGH THE FILE. TO CONNECT TO A +DIRECTORY USE THE COMMAND "cd pathname". THIS ALLOWS YOU TO DO WHAT YOU WANT +WITH THE DIRECTORY. YOU MAY BE ASKED FOR A PASSWORD, BUT THIS IS A GOOD WAY +OF FINDING OTHER USERS NAMES TO HACK ONTO. THE WILDCARD CHARACTER IN UNIX, IF +YOU WANT TO SEARCH DOWN A PATH FOR A CERTAIN GAME OR PROGRAM, IS THE * SYMBOL. +"ls /*" SHOULD SHOW YOU WHAT YOU CAN ACCESS. THE FILE TYPES ARE THE SAME AS +ON A DEC. TO SEE WHAT IS IN A FILE TYPE "pr filename", STANDING FOR PRINT +FILE. IT'S A GOOD IDEA TO PLAY AROUND WITH THE PATHNAMES SO THAT YOU GET THE +HANG OF IT. THERE IS ALSO ON-LINE HELP AVAILABLE BY TYPE "help" OR HITTING ?. +IT'S A GOOD IDEA TO LOOK THROUGH ALL THE HELP FILES, SINCE IT MAY GIVE YOU +SOME INFO ON PATHNAMES AND THE COMMANDS USED ON THE SYSTEM. AS A USER, YOU +CAN CREATE OR DESTROY DIRECTORIES ON THE TREE BENEATH YOU. THIS MEANS THAT +ROOT CAN KILL EVERYTHING BUT ROOT, AND YOU CAN KILL EVERYTHING THAT IS BELOW +YOU. "mkdir pathname" IF FOR MAKING A DIRECTORY AND "rmdir pathname" IS FOR +KILLING A PATHNAME. REMEMBER THAT YOU ARE NOT ALONE ON THE SYSTEM. TYPE +"who" TO SEE WHO THE OTHER USERS ARE THAT ARE PRESENTLY LOGGED ONTO THE +SYSTEM. IF YOU WANT TO TALK TO THEM TYPE "write username" AND THIS WILL ALLOW +YOU TO CHAT. IF YOU WANT TO SEND MAIL TO ANOTHER USER TYPE "mail" AND THIS +WILL PUT YOU INTO THE MAIL SUB-SYSTEM. TO SEND MAIL TO ALL OF THE USERS ON +THE SYSTEM TYPE "wall" WHICH STANDS FOR WRITE ALL. ON SOME SYSTEMS ALL YOU +HAVE TO DO IS HIT THE RETURN KEY TO END THE MESSAGE, WHERE AS ON OTHERS YOU +WILL HAVE TO HIT CTRL-D. TO SEND A MESSAGE TO A SINGLE USER TYPE "write +username". IF YOU SEND THE SEQUENCE OF CHARACTERS THAT I DISCUSSED AT THE +BEGINNING, YOU CAN HAVE THE SUPER-USER TERMINAL DO TRICKS FOR YOU. IF YOU +WANT SUPER-USER PRIVELEGES, YOU CAN EITHER LOG IN AS ROOT, OR EDIT YOUR +ACCOUNT. IF YOU TYPE "su" THIS WILL GIVE YOU THE # PROMPT, AND THIS WILL +ALLOW YOU TO COMPLETELY BY-PASS THE PROTECTION. THE WONDERFUL SECURITY +CONSCIOUS DEVELOPERS AT BELL MADE IT VERY DIFFICULT TO DO ANYTHING WITHOUT +PRIVELEGES, BUT ONCE YOU HAVE THE PRIVELEGES, THERE IS ABSOLUTELY NOTHING THAT +CAN STOP YOU FROM DOING ANYTHING THAT YOU WANT. TO DOWN A UNIX SYSTEM TYPE +"chdir /bin" THEN "rm *" AND THIS WILL WIPE OUT THE PATHNAME BIN, WHERE ALL +THE SYSTEM MAINTENANCE FILES ARE. OR TRY TYPING "r -r" WHICH WILL RECURSIVELY +REMOVER EVERYTHING FROM THE SYSTEM EXCEPT THE REMOVE COMMAND. OR YOU CAN ALSO +TRY "kill -1,1" THEN "sync" AND THIS WILL WIPE OUT THE SYSTEM DEVICES FROM +OPERATION. NOW WHEN YOU GET BORED OF HACKING AT THE VAX SYSTEM, JUST KEEP +HITTING CTRL-D AND EVENTUALLY YOU WILL BE LOGGED OUT. SINCE BELL HAS 7 +LICENSED VERSIONS OF UNIX OUT, I HAVE DESCRIBED THE COMMANDS THAT ARE COMMON +TO ALL OF THEM. LASTLY, I RECOMMEND THAT YOU HACK ONTO THE ROOT OR BIN +DIRECTORY, SINCE THEY HAVE THE HIGHEST LEVELS OF PRIVELEGES, AND BESIDES +THERE IS NOT MUCH THAT YOU CAN DO WITHOUT THEM. + +NOW HERE'S A NICE LITTLE THING YOU CAN DO TO MAKE A 3-WAY PHONE, IE. TALK TO +TWO OTHER PEOPLE AT THE SAME TIME, KIND-OF LIKE CONFERENCE CALLING I GUESS. + +FIRSTLY, YOU WILL NEED 2 DIFFERENT TELEPHONE LINES IN YOUR HOUSE. NOW TAKE +OFF BOTH OF THE BOXES THAT COVER THE WIRES. +NEXT, TAKE THE GREEN AND RED WIRES FROM EACH BOX AND ATTACH A WIRE TO EACH OF +THESE. 1 WIRE TO GREEN AND 1 WIRE TO RED. DO THE SAME FOR THE OTHER BOX. +FINALLY, AFTER YOU HAVE 4 WIRES, 2 FROM EACH BOX, YOU HAVE TO GET A 2 WAY +SWITCH WITH 2 TERMINALS, AND THEN HOOK UP THE 2 GREEN WIRES TO ONE SIDE AND +THE 2 RED WIRES TO THE OTHER SIDE. NOW WHEN YOU SWITCH THE SWITCH, YOU SHOULD +HERE A DIAL TONE AND THEN YOU CAN DIAL OUT AND YOU WILL BE ABLE TO TALK TO 2 +PEOPLE AT THE SAME TIME. + +OK HERE'S SOMETHING THAT MOST OF YOU NEVER HEARD OF. I'LL DISCUSS SOME THINGS +THAT I KNOW ABOUT STEP LINES AND SOME INTERESTING THINGS THAT CAN BE DONE. + +FIRST, FIND OUT IF YOU HAVE STEP LINES IN YOUR PREFIX. A GOOD WAY OF DOING +THIS IS TO GO TO THE PAY PHONES AROUND YOUR HOME, AND IF THEY ARE ROTARY, THEN +YOU ARE IN LUCK, SINCE YOU HAVE STEP LINES. I USED TO HAVE STEP LINES IN MY +AREA, BUT UNFORTUNATELY NOT ANYMORE. WELL, ANYWAYS FOR THOSE OF YOU WITH STEP +LINES, DIAL '0' FROM YOUR HOME, THIS WILL NOT WORK ON PAY PHONES. YOU WILL +THEN HEAR A FEW SOUNDS LIKE COIN DROPPINGS. NOW IF YOU HIT THE HANG UP BUTTON +WHEN THE SECOND LAST COIN DROP IS HEARD, THEN THE OPERATOR WILL GET ON AND BE +VERY CONFUSED. I'LL TELL YOU WHY SHE IS CONFUSED LATER ON, BUT NOW SAY THAT +YOU ARE TRYING TO COMPLETE A CALL WHEN SHE GOT ON. SHE WILL ASK YOU FOR THE +NUMBER THAT YOU ARE TRYING TO CALL. TELL HER THE NUMBER, LONG DISTANCE OF +COURSE, AND THEN SHE WILL ASK YOU FOR YOUR NUMBER. SO JUST PICK A NUMBER OUT +OF YOUR HEAD, IT MUST BE IN YOUR PREFIX, AND TELL IT TO HER. NOW SHE WILL +BELIEVE YOU AND CONNECT YOU TO YOUR DESIRED NUMBER, WITH THE CHARGES GOING TO +THE FAKE NUMBER THAT YOU GAVE. NOW IF YOU DIDN'T HIT THE HANG UP BUTTON AT +THE RIGHT TIME, JUST TELL THE OPERATOR THAT YOU ARE SORRY AND GIVE SOME +BULLSHIT EXCUSE AND TRY AGAIN. +WHAT YOU DID, WAS SCREW UP THE AUTOMATIC NUMBER FIND THAT WAS BUILT INTO THE +FIRST STEP LINES. THIS IS WHAT WOULD TELL THE OPERATOR YOUR NUMBER, SO THAT +SHE COULD BILL YOU IF SHE HAD TO COMPLETE A CALL FOR YOU. THE OPERATOR WILL +GET SOME GARBAGE ON HER SCREEN THAT IS SUPPOSED TO BE YOUR NUMBER, BUT SINCE +YOU INTERUPTED THAT PROCESS, IT LOOKS REALLY STRANGE. +SOMETHING THAT IS REALLY FUN TO DO IS TO COMPLAIN TO THE OPERATOR THAT THIS IS +THE FOURTH TIME TODAY THAT YOU HAVE NOT BEEN ABLE TO GET THROUGH AN SHE WILL +GIVE YOU SOME STORY LIKE, "WE'RE SORRY BUT WE'VE HAD A COMPUTER MALFUNCTION +AND IT'S BEING FIXED RIGHT NOW." +I DON'T KNOW IF THE PHONE COMPANY KNOWS ABOUT THIS, BUT DON'T WORRY, THE WORST +THAT COULD HAPPEN IS THAT YOU WOULD GET A CALL FROM THE OPERATOR, ASKING WHY +YOU HAVE HUNG UP ON THE OPERATOR SO MANY TIMES. JUST GIVE HERE SOME EXCUSE +LIKE YOU ARE TEACHING YOUR KID SISTER TO USE THE PHONE, OR SOMETHING LIKE +THAT. + +END OF FILE #3... + + +[Time Left 00:39] 1. the_NeoPsychedelic_UnderGround_ Computer Philes: +Command ? MEMBER THAT YOU ARE NOT ALONE ON THE SYSTEM. TYPE +"who" TO SEE WHO THE OTHER USERS AR \ No newline at end of file diff --git a/textfiles.com/phreak/PHREAKING/hack.txt b/textfiles.com/phreak/PHREAKING/hack.txt new file mode 100644 index 00000000..d14a4131 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/hack.txt @@ -0,0 +1,717 @@ +This is a compilation of Texts by Dysphunxion.. Most of it was +actually typed by me.. like the intro.. the boxes explained.. +and the VMB Hacking.. the rest are just plans for boxes.. Some +may be on the older side but most still work!!! + +Now on with the show... + + + Xx-x-x-x-x-x-x-x-x-x-x-xX + I Table of Contents I + Xx-x-x-x-x-x-x-x-x-x-x-xX + + +Introduction to hacking. . . . . . . . . . . . . . . . . . . . 1 + +Phone Phreaking. . . . . . . . . . . . . . . . . . . . . . . . 2 + Basic Boxes Technically Explained . . . . . . . . . . . . 3 + (BLUE,3); (BLACK,4); (CHEESE,5) + Voice mail box hacking. . . . . . . . . . . . . . . . . . 6 + Blue Box Tones. . . . . . . . . . . . . . . . . . . . . . 9 + Scarlet box . . . . . . . . . . . . . . . . . . . . . . . 10 + Green Box . . . . . . . . . . . . . . . . . . . . . . . . 11 + Blotto Box. . . . . . . . . . . . . . . . . . . . . . . . 12 + + +Potpourri + Lunch Box . . . . . . . . . . . . . . . . . . . . . . . . 13 + + + + + + + + + INTRODUCTION TO HACKING + +Most people who have never hacked or are beginners think that +hackers are a small community of very knowledgeable computer +"geniuses" that randomly break into systems for fun and then +create havoc or steal information. I will speak of my own views +on hacking which shouldn't reflect the feelings of the entire +hacking community but I would guess a large amount. First of all +hacking is getting more and more risky everyday. Because of this, +hacking for fun isn't as safe as it used to be (although most of +my hacking is for fun). The reason people (people I know) hack is +because we believe in free information exchange. This means that +I should be able to freely access any information that is +available over the modem that I want. There are obvious reasons +why this can't be achieved, but if people have information that +is that sensitive then it should not be put out over the modem. +Now the second and biggest misconception about hacking is how the +hacker actually "hacks". Most people think that hacking is just +basically getting lucky and guessing a password that lets you +into a system. This is *very* untrue. Let us take an example that +you have just broken into the CIA's computer system. So suddenly +you get a -> prompt. Now what do you do?!? This is the difference +between the hacker and some kid that is good at guessing. The kid +may be able to guess a password, but if he doesn't know what to +do once he's in then he might as well have not even hacked the +password at all. So, the main objective of the hacker is to +concentrate on learning how to use a system. After he has done +that then he can figure out ways to get around certain kinds of +security and get to the stuff he wants. So what you should do is +read all the manual's and text files that you can get your hands +on. Because before you can defeat a system, you must know how it +works (this works for life in general). Ok, now you understand +what hacking is and how you should go about learning it. + + Phone Hacking + Basic Boxes Technically Explained + +BLUE + + The "Blue Box" was so named because of the color of the first +one found. The design and hardware used in the Blue Box is fairly +sophisticated, and its size varies from a large piece of +equipment to the size of a pack of cigarettes. The Blue Box +contains 12 or 13 buttons or switches that emit multi-frequency +tones characteristic of the tones used in the normal operation of +the telephone toll (long distance) switching network. The Blue +Box enables the user to place free long distance calls by +circumventing toll billing equipment. The Blue Box may be +directly connected to a phone line, or it may be acoustically +coupled to a telephone handset by placing the Blue Box's speaker +next to the transmitter or the telephone handset. To understand +the nature of a fraudulent Blue Box call, it is necessary to +understand the basic operation of the Direct Distance Dialing +(DDD) telephone network. When a DDD call is properly originated, +the calling number is identified as an integral part of +establishing the connection. This may be done either +automatically or, in some cases, by an operator asking the +calling party for his telephone number. This information is +entered on a tape in the Automatic Message Accounting (AMA) +office. This tape also contains the number assigned to the trunk +line over which the call is to be sent. The information relating +to the call contained on the tape includes: called number +identification, time of origination of call, and info that the +called number answered the call and time of disconnect at the end +of the call. Although the tape contains info with respect to many +different calls, the various data entries with respect to a +single call are eventually correlated to provide billing info for +use by your Bell's accounting department. The typical Blue Box +user usually dials a number that will route the call into the +telephone network without charge. For example, the user will very +often call a well-known INWATS (toll-free) customer's number. The +Blue Box user, after gaining this access to the network and, in +effect, "seizing" control and complete dominion over the line, +operates a key on the Blue Box which emits a 2600 Hertz (cycles +per second) tone. This tone causes the switching equipment to +release the connection to the INWATS customer's line. The 2600Hz +tone is a signal that the calling party has hung up. The Blue Box +simulates this condition. However, in fact the local trunk on the +calling party's end is still connected to the toll network. The +Blue Box user now operates the "KP" (Key Pulse) key on the Blue +Box to notify the toll switching equipment that switching signals +are about to be emitted. The user then pushes the "number" +buttons on the Blue Box corresponding to the telephone # being +called. After doing so he/she uses the "ST" (Start) key to tell +the switching equipment that signalling is complete. If the call +is completed, only the portion of the original call prior to the +'blast' of 2600Hz tone is recorded on the AMA tape. The tones +emitted by the Blue Box are not recorded on the AMA tape. +Therefore, because the original call to the INWATS # is toll- +free, no billing is rendered in connection with the call. +Although the above is a description of a typical Blue Box call +using a common way of getting into the network, the operation of +a Blue Box may vary in any one or all of the following respects: + +The Blue Box may include a rotary dial to apply the 2600Hz tone +and the switching signals. This type of Blue Box is called a +"dial pulser" or "rotary SF" Blue box. Getting into the DDD toll +network may be done by calling any other toll-free # such as +Universal Directory ASSistance (555-1212) or any number in the +INWATS network, either inter-state or intra-state, working or +non-working. Entrance into the DDD toll network may also be in +the form of "short haul" calling. A "short haul" call is a call +to any # which will result in a lesser amount of toll charges +than the charges for the call to be completed by the Blue Box. +For example, a call to Birmingham from Atlanta may cost $.80 for +the first 3 minutes while a call from Atlanta to Los Angeles is +$1.85 for 3 minutes. Thus, a short haul, 3-minute call to +Birmingham from Atlanta, switched by use of a Blue Box to Los +Angeles, would result in a net fraud of $1.05 for a 3 minute +call. A Blue Box may be wired into the telephone line or +acoustically coupled by placing the speaker of the Blue Box near +the transmitter of the phone handset. The Blue Box may even be +built inside a regular Touch-Tone phone, using the phone's push- +buttons for the Blue Box's signalling tones. A magnetic tape +recording may be used to record the Blue Box tones for certain +phone numbers. This way, it's less conspicuous to use since you +just make it look like a walkman or whatever, instead of a box. + + All Blue Boxes, except "dial pulse" or "Rotary SF" Blue Boxes, +must have the following 4 common operating capabilities: + +It must have signalling capability in the form of a 2600Hz tone. +This tone is used by the toll network to indicate, either by its +presence or its absence, an "on hook" (idle) or "off hook" (busy) +condition of the trunk. The Blue Box must have a "KP" tones that +unlocks or readies the multi-frequency receiver at the called end +to receive the tones corresponding to the called phone #. The +typical Blue Box must be able to emit M tones which are used to +transmit phone #'s over the toll network. Each digit of a phone # +is represented by a combination of 2 tones. For example, the +digit 2 is transmitted by a combination of 700Hz and 1100Hz. The +Blue Box must have an "ST" key which consists of a combination of +2 tones that tell the equipment at the called end that all digits +have been sent and that the equipment should start switching the +call to the called number. + +BLACK + + This Box was named because of the color of the first one +found. It varies in size and usually has one or two switches or +buttons. Attached to the telephone line of a called party, the +Black Box provides toll-free calling *to* that party's line. A +Black Box user tells other people beforehand that they will not +be charged for any call placed to him. The user then operates the +device causing a "non-charge" condition ("no answer" or +"disconnect") to be recorded on the telephone company's billing +equipment. A Black Box is relatively simple to construct and is +much less sophisticated than a Blue Box. NOTE: This will not work +on any type of Electronic Switching Systems, (ESS, DMS100 etc.) + +CHEESE + +This Box was named after the container in which the first one was +found. Its design may be crude or very sophisticated. Its size +varies; one was found the size of a half-dollar. A Cheese Box was +used most often by bookmakers or betters to place wagers without +detection from a remote location. The device inter-connects 2 +phone lines, each having different #'s but each terminating at +the same location. In effect, there are 2 phones at the same +location which are linked together through a Cheese Box. It is +usually found in an unoccupied apartment connected to a phone +jack or connecting block. The bookmaker, at some remote location, +dials one of the numbers and stays on the line. Various bettors +dial the other number but are automatically connected with the +book maker by means of the Cheese Box interconnection. If, in +addition to a cheese box, a Black Box is included in the +arrangement, the combined equipment would permit toll-free +calling on either line to the other line. If a police raid were +conducted at the terminating point of the conversations -the +location of the Cheese Box- there would be no evidence of +gambling activity. This device is sometimes difficult to +identify. Law enforcement officials have been advised that when +unusual devices are found associated with telephone connections +the phone company security representatives should be contacted to +assist in identification. + +(This probably would be good for a BBS, especially with the Black +Box set up. and if you ever decided to take the board down, you +wouldn't have to change your phone #. It also makes it so you +yourself cannot be traced. I am not sure about calling out from +one though.) + +VOICE MAIL BOX HACKING + +Hello again, and welcome to another œegions “f œucifer text file! +This text file has to do with hacking and scanning VMBs. The +reason I am writing this file is because I am very good at it, +and have had years of experience. In fact I have been called by +MCI for screwing them over by attacking and taking over a whole +damn system with a few friends of mine. Anyway, hacking VMBs is +very simple and basically safe, and not only that but they are +cool to have around. You can give them to friends, you can trade +them for access on bulletin boards, or you can use it for +yourself. As for this 'Tutorial on Hacking VMBs', we will be +talking about what systems to hack, how you go about hacking +them, default passwords, hints on better scanning, and having +your very own box. + +VMB, in case you don't know, stands for 'Voice Mail Box'. Now a +VMB is like an answering machine. You can use it for all sorts of +things. Most VMB systems are dialed though 800 numbers. People +call up the VMB system that you have a box on, and dial in your +box number and then leave you a message. Whenever you want to +check your box, you just call up, enter your password and read +your messages. Inside a VMB you can do whatever, you can leave +messages to others on the system, you can change your 'Out Going' +message, you can have guest boxes (Explained later), you can have +the box call your house when you get an Urgent message, you can +do a lot of things. In fact, on some systems you can even CALL +OUT through them, so they can be used as a code of sorts! They +are cool to have. + +You should scan/hack out Virgin Systems, this is another way of +calling a system that hasn't been hack out yet. Also, CINDI +Systems and ASPEN Systems have the best boxes and the most +options that VMB Systems can offer. I will be talking about ASPEN +System today since I know most about those. + +Okay once you've found your Virgin VMB System, you start to scan. +Just incase you don't know what scanning is, that means you +search for boxes that are hackable (Explained later on). Now you +dial up the system and when it picks up and the bitch starts to +talk, press the "#" key. It will then ask you for your box +number... now there are two different way the ASPEN System can be +configured: 1) a "3 Digit Box Number System" or 2) a "4 Digital +Box Number System". Now lets just say this system is a 3 Digit +System. Okay, when it asks for your Box Number, enter in 999, now +it will say one of three things: [These are known as 'Greeting +Names'] + +1. John Doe [Box owners name] +2. "Box Number 999 Is Not a Valid Box Number" +3. "Box Number 999" +Now, if it either says 1 or 2, go to box number +998...997...996...995..etc, but if it says 3, then you are lucky, +now it will ask you for your password, now you are probably +saying 'Oh no this is where it gets difficult'... well you are +WRONG! This part is easy. Here is a list of ASPEN Default +Passwords: + +* We will use box number 666 as an example box # + [ BN = Box Number ] + +List of Default Password: Combination Result + + 1-BN 1666 + BN+1 667 + 0-BN 0666 + BN-0 6660 + Most Common Äį BN 666 + +Now enter in a those defaults, try JUST the Box Number first, +ASPENs usually use that most. Now, if you try all those Defaults +and still can not get into that Voice Mail Box, then that means +that the box has been already taken, but the owner hasn't changed +his 'Generic Message', if you don't get in, you will just have to +search until you get in. + +Okay, once you get your first box, *DO NOT* change anything!! +That will come later. Your first box is, as what is known as a +'Scanning Box'! What you do with your Scanning Box is this: You +enter "3" from the main commands menu, and it will ask you for +the box number. Now that command is the "Check for Receipt" +command, what it does it check Box #xxx for mail from you. This +command is very convenient for us VMB Hackers. To use that +command to your advantage, you enter in box a box number and it +will say 1 of the three 'Greeting Names', like before, if it say +#3, then you write down that Box Number and hack it later. But if +it says 1 or 2, then just keep scanning! All boxes with the +number 3 Greeting Name is known as a 'Hackable Box'. Now you keep +scanning until you have gone all the way down to Box number 000 +or whatever is the lowest box it supports. Now, once you have +your list this is when all the fun starts! Now you are ready to +hack! + + +Hacking Out Your New Found 'Hackable' Boxes: + +Okay this is the easy part. After you spent most of your time by +scanning the system you should be used to the system and how it +works, that should make hacking the ASPEN all the easier. Now, if +you had a 'Scanning Box', you should know what the default +password was for your Scanning Box. Well if the password for your +Scanning Box was just the Box Number, then *EVERY* other hackable +box should have the SAME default password. VMB Systems have only +one default password, If one box has the BN for a Default PW, the +all the others will too. + +Okay, you call up the VMB System will the list of 'Hackable' +boxes by your side, and when the bitch is talking, press the "#" +key. When it asks you for your box number, enter in the first box +number on your list. When it asks for your password, enter in the +Default Password Sequence. Now if you don't get into that box, +it's not a problem, just keep going down your list. You should +get into a few. But remember, just because a box is marked +'Hackable', it doesn't mean you will definitely get into it. + +Okay, now you have a few dozen boxes. You can now use you +Scanning Box to do whatever you please. + +ASPEN Guest Boxes: + +Once you have a box of your own, you can give out 'Guest Boxes'. +Guest Boxes are like Sub Boxes in your box. In ASPEN you have 4 +of them. If you give out Guest Box #1 to John Doe, Mr. Doe can +call in, enter in the password YOU set for him, and leave you +messages, but not only that, you can leave messages to HIM! Which +means, if his is in New York, and you are in California, and +neither of you have codes to call each other, then you can leave +messages thru your 800 VMB. Here is a list and explanation of all +4 of the Guest Boxes: + +0. Main Box - Your Voice Mail Box! +1. Guest Box #1 - Can Leave & Receive Messages +2. Guest Box #2 - Can Leave & Receive Messages +3. Home Box - Can Leave & Receive Messages +4. Secretary Box - Can Check How Many Messages You Have & Receive +Messages + + +Hints On Better Scanning: +A lot of people say hacking and scanning for VMBs is too damn +hard... well that's because they are going at it all wrong, they +probably read some lame piece of text file on Hacking VMBs that +was about 500 bytes long. Well, here is a small list of hints on +better scanning and hacking: + +1. Do not use a Voice Mail Box hacking/scanning program (i.e.: +VMB v1.0, ASPEN v1.0, VMBHACK v2.3, etc..) 2. Do not hack in +random order (i.e.: B#999, 345, 810, etc) Always hack in order: +999, 998, 997, 996, 995...000. 3. Try to find out if it's virgin. +The newer the System, the better. +4. If you have a phone with memory dial, change one entry to the +number of the VMB System. 5. Don't hack the System Managers box +unless you really want to. + +Ideas of Things To Do With Your Extra Boxes: + +Well since you can have up to 500 extra Voice Mail Boxes, you +might not know what to do with them, here are a few ideas that +can help you out: + +1. Give them to friends +2. Sell them to friends +3. Offer them to sysops for better access +4. Trade them for HSTs or whatever +5. Use them as a Voice Verifying line (So you don't have to give +out your real voice number to BBSs when you apply!) + + + Blue Box Tones +In this short section I will attempt to list some tones that Ma +Bell uses and what they are. Well here goes: Blue box +frequencies: 2600 hz - used to get on/off trunk tone matrix to +use after 2600 hz. + 700: 1 : 2 : 4 : 7 : 11 : + 900: + : 3 : 5 : 8 : 12 : +1100: + : + : 6 : 9 : KP : +1300: + : + : + : 10 : KP2 : +1500: + : + : + : + : ST : + 900 :1100 :1300 :1500 : 1700 : +Use KP to start a call and ST (1500+1700) to stop. Use 2600 HZ to +disconnect. Red box freqs: 1700 hz and 2200 hz mixed together. A +nickel is 66 ms on (1 beep). A dime is 66ms on, 66ms off, 66ms on +(2 beeps) a quarter is 33ms on, 33ms off repeated 5 times. (Ms = +millisecond). For those of you who don't know, a red box +simulates money being put into a pay phone. You must put in some +money first though (the operator can tell if money was put in but +as to how much she lets the computer answer that. (Yeah for the +computer) TASI locking freq: TASI (time assignment speech +interpolation) is used on satellite trunks, and basically allows +more than one person to use a trunk by putting them on while the +other person isn't talking. Of course, you'd never hear the other +person talking on your trunk. When you start to talk, however, +the TASI controller has to find an open trunk for you. Because of +this, some of your speech is lost (because of the delay in +finding a trunk) this is called clipping. Well, if you were +transmitting data over a trunk, clipping would really mess up the +data. So there is something called a TASI locking frequency which +keeps the TASI from putting anyone else on your trunk or you on +anyone else's trunk. In any case the freq. is 1850 hz. (Sent +before the transmission). Have fun!!! + + +:%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%: +:% %: +:% THE GREEN BOX %: +:% %: +:%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%: + + + The Green Box generates useful tonessuch as COIN COLLECT, COIN RETURN, and +RINGBACK. These are the tones that ACTS or the TSPS operator would send to +the CO when appropriate. Unfortunately, the green box cannot be used at a +fortress station, but must be used by the CALLED party. The tones (hz) are: + + COIN COLLECT 700 + 1100 + COIN RETURN 1100 + 1700 + RINGBACK 700 + 1700 + + Before the called party sends any of these tones, an operator released +signal should be sent to alert the MF detectors at the CO. This can be done +by sending 900 + 1500 Hz or a single 2600 Hz wink (90 ms) followed by a 60 ms +gap and then the appropriate signal for at least 900 ms. Also, do not forget +that the initial rate is collected shortly before the 3 minute period is up. + +:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-::-:-:-:-:-:-:-:-:-:-: -:-:-:-:-:-:-:-: + + +:%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%: +:% %: +:% THE BLOTO BOX %: +:% %: +:%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%: + + +HOW TO BUILD A BLOTO BOX + +Finally, it is here! What was first conceived as a joke to fool the inncoent +phreakers around America has finally been concieved by the one phreak who is +the expert on lines and voltage: The Traveler. Other boxes by the Traveler +include the White Gold Box, the Aqua Box, The Diverti Box, and the Cold Box. +All of those plans will soon be available in a BBS/AE near you! +Well, for you people who are unenlightened about the Blotto Box, here is a +brief summery of a legend. + +--*-=> The Blotto Box <=-*-- +For years now every pirate has dreamed of the Blotto Box. It was at first +made as a joke to mock more ignorant people into thinking that the function +of it actually was possible. Well, if you are The Voltage Master, it is +possible. Originally conceived by King Blotto of much fame, the Blotto Box is +finally available to the public. +NOTE: The Traveler can not be responcable for the information disclosed in +the file! This file is strictly for informational purposes and should not be +actually built and used! Usage of this electronical impulse machine could +have the severe results listed below and could result in high federal +prosecution! +Again, The Traveler + +TAKES NO RESPONCABILITY! + +All right, now that that is cleared up, here is the basis of the box and +it's function. +The Blotto Box is every phreaks dream... you could hold AT&T down on it's +knee's with this device. Because, quite simply, it can turn off the phone +lines everywhere. Nothing. Blotto. No calls will be allowed out of an area +code, and no calls will be allowed in. No calls can be made inside it for +that matter. As long as the switchhing system stays the same, this box will +not stop at a mere area code. It will stop at nothing. The electrical +impulses that emit from this box will open every line. Every line will ring +and ring and ring... the voltage will never be cut off until the box/ +generator is stopped. This is no 200 volt job, here. We are talking +GENERATOR. Every phone line will continue to ring, and people close to the +box may be electricuted if they pick up the phone. +But, the Blotto Box can be stopped by merely cutting of the line or +generator. If they are cut off then nothing will emit any longer. It will +take a while for the box to calm back down again, but that is merely a +superficial aftereffect. Once again: Construction and use of this box is not +advised! The Blotto Box will continue as long as there is electricity to +continue with. +OK, that is what it does, now, here are some interesting things for you to +do with it... + +--*-=> The Blotto Box Functions and Installation <=-*-- +Once you have installed your Blotto, there is no turning back. The +following are the instructions for construction and use of this box. Please +read and heed all warnings in the above section before you attempt to +construct this box. + Materials: + +- A Honda portable generator or a main power outlet like in a + stadium or some such place. + +- A radio shack cord set for 400 volts that splices a female + plug into a phone line jack. + +- A meter of voltage to attach to the box itself. + +- A green base (i.e. one of the nice boxes about 3' by 4' that + you see around in your neighborhood. They are the main switch + boards and would be a more effective line to start with. + or: A regular phone jack (not your own, and not in your area code! + +- A soudering iron and much souder. + +- A remote control or long wooden pole. + +Now. You must have guessed the construction from that. If not, here goes, +I will explain in detail. Take the Honda Portable Generator and all of the +other listed equiptment and go out and hunt for a green base. Make sure it is +one on the ground or hanging at head level from a pole, not the huge ones at +the top of telephone poles. Open it up with anything convienent, if you are +two feeble that fuck don't try this. Take a look inside... you are hunting +for color-coordinating lines of green and red. Now, take out your radio shack +cord and rip the meter thing off. Replace it with the voltage meter about. A +good level to set the voltage to is about 1000 volts. Now, attach the voltage +meter to the cord and set the limit for one thousand. Plug the other end of +the cord into the generator. Take the phone jack and splice the jack part +off. Open it up and match the red and green wires with the other red and +green wires. NOTE: If you just had the generator on and have done this in the +correct order, you will be a crispy critter. Keep the generator off until you +plan to start it up. Now, sauder those lines together carefully. Wrap duck +tape or insultation tape around all of the wires. Now, place the remote +control right on to the startup of the generator. If you have the long pole, +make sure it is very long and stand back as far away as you can get and reach +the pole over. NOTICE: If you are going right along with this without reading +the file first, you sill realize now tHat your area code is about to become +null! Then, getting back, twitch the pole/remote control and run for your +damn life. Anywhere, just get away from it. It will be generating so much +electricity that if you stand to close you will kill yourself. The generator +will smoke, etc. but will not stop. You are now killing your area code, +because all of that energy is spreading through all of the phone lines around +you in every direction. +Have a nice day! + + +<%>^<%>^<%>^<%>^<%>^<%>^<%>^<%>^<%>^<%>^<%>^<%>^<%>^<%>^<%>^<%>^<%>^<%>^<%> +<%> <%> +<%> Making the <%> +<%> <%> +<%> Lunch Box <%> +<%> ===== === <%> +<%> <%> +<%> Written, Typed and Created by: Dr. D-Code <%> +<%> <%> +<%>^<%>^<%>^<%>^<%>^<%>^<%>^<%>^<%>^<%>^<%>^<%>^<%>^<%>^<%>^<%>^<%>^<%>^<%> + +Introduction +============ + +The Lunch Box is a VERY simple transmitter which can be handy for all sorts of +things. It is quite small and can easily be put in a number of places. I have +successfully used it for tapping fones, getting inside info, blackmail and +other such things. The possibilities are endless. I will also include the plans +for an equally small receiver for your newly made toy. Use it for just about +anything. You can also make the transmitter and receiver together in one box +and use it as a walkie talkie. + +Materials you will need +======================= + +(1) 9 volt battery with battery clip +(1) 25-mfd, 15 volt electrolytic capacitor +(2) .0047 mfd capacitors +(1) .022 mfd capacitor +(1) 51 pf capacitor +(1) 365 pf variable capacitor +(1) Transistor antenna coil +(1) 2N366 transistor +(1) 2N464 transistor +(1) 100k resistor +(1) 5.6k resistor +(1) 10k resistor +(1) 2meg potentiometer with SPST switch +Some good wire, solder, soldering iron, board to put it on, box (optional) + +Schematic for The Lunch Box +=========================== + +This may get a tad confusing but just print it out and pay attention. + + + + + + + +  + ! + 51 pf + ! + ---+---- ------------base collector + ! )( 2N366 +----+------/\/\/----GND + 365 pf () emitter ! + ! )( ! ! + +-------- ---+---- ! ! + ! ! ! ! ! + GND / .022mfd ! ! + 10k\ ! ! ! + / GND +------------------------emitter + ! ! ! 2N464 + / .0047 ! base collector + 2meg \----+ ! ! +--------+ ! + / ! GND ! ! ! + GND ! ! ! + +-------------+.0047+--------------------+ ! ! + ! +--25mfd-----+ + -----------------------------------------+ ! ! + microphone +--/\/\/-----+ + ---------------------------------------------+ 100k ! + ! + GND---->/<---------------------!+!+!+---------------+ + switch Battery + from 2meg pot. + + +Notes about the schematic +========================= + +1. GND means ground +2. The GND near the switch and the GND by the 2meg potentiometer should be + connected. +3. Where you see: )( + () + )( it is the transistor antenna coil with 15 turns of + regular hook-up wire around it. +4. The middle of the loop on the left side (the left of "()") you should run + a wire down to the "+" which has nothing attached to it. There is a .0047 + capacitor on the correct piece of wire. +5. For the microphone use a magnetic earphone (1k to 2k). +6. Where you see "[!]" is the antenna. Use about 8 feet of wire to broadcast + approx 300ft. Part 15 of the FCC rules and regulation says you can't + broadcast over 300 feet without a license. (Hahaha). Use more wire for an + antenna for longer distances. (Attach it to the black wire on the fone + line for about a 250 foot antenna!) + +Operation of the Lunch Box +========================== + +This transmitter will send the signals over the AM radio band. You use the +variable capacitor to adjust what freq. you want to use. Find a good unused +freq. down at the lower end of the scale and you're set. Use the 2 meg pot. to +the 2meg is for turning the Lunch Box on and off. When everything is adjusted, +turn on an AM radio adjust it to where you think the signal is. Have a friend +say some shit thru the Box and tune in to it. That's all there is to it. The +plans for a simple receiver are shown below: + +The Lunch Box receiver +====================== + +(1) 9 volt battery with battery clip +(1) 365 pf variable capacitor +(1) 51 pf capacitor +(1) 1N38B diode +(1) Transistor antenna coil +(1) 2N366 transistor +(1) SPST toggle switch +(1) 1k to 2k magnetic earphone + +Schematic for receiver +====================== + + [!] + ! + 51 pf + ! + +----+----+ + ! ! + ) 365 pf + (----+ ! + ) ! ! + +---------+---GND + ! + +---*>!----base collector----- + diode 2N366 earphone + emitter +----- + ! ! + GND ! + - + + + - battery + + + GND------>/<------------+ + switch + +Closing statement +================= + +This two devices can be built for under a total of $10.00. Not too bad. Using +these devices in illegal ways is your option. If you get caught, I accept NO +responsibility for your actions. This can be a lot of fun if used correctly. +Hook it up to the red wire (I think) on the fone line and it will send the +conversation over the air waves. If you have any problems or are confused, +leave me mail on:Hi-Times=702/832/7469 Warez House=702/827/9273 + +______________________________________________________________________________ + Sysops of other systems may use the file as long as none of it is altered. +______________________________________________________________________________ + + This has been a High Mountain Hackers Production- (c) 1985 by HMH Industries +______________________________________________________________________________ + diff --git a/textfiles.com/phreak/PHREAKING/hackerab.txt b/textfiles.com/phreak/PHREAKING/hackerab.txt new file mode 100644 index 00000000..9dde5eae --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/hackerab.txt @@ -0,0 +1,165 @@ + +Phreaker Abatement + +The Goal + + +The goal of phreaker abatement is to prevent the intrusion of +uninvited outside parties into the telecommunication systems of +your company. + +If you and your company are doing "catch-up", then proceed +to the IMMEDIATE ACTIONS section of this document. If you and +your company have performed (or have in process) each of the items +in the immediate section, proceed to the really important item +of providing a telecommunications policy. If you and your company +have performed the above items then it is time to really get to +work and eliminate the remaining loop-holes that a phreaker may +enter. + +In the short term, this process may mean a great deal of work. +None of the work should cause any outage for the users of your +system. + +In the long term, this process will provide a level of security +that cannot be achieved in any other way. You will know your system +and be able to manage it. + +Without this or some other similar process, the phreaker will +eventually find your system. There is no gurantee that the phreaker +will be able to enter your system. However, I rather think it +is prudent to act to prevent damage and/or expense. + +I do not believe this is the only solution. There are many others, +and if you would like to share those procedures and ideas, drop +me a message. I also will enter credit for ideas, if permission +is granted at the time of submission. If there is not credit permission, +I will sift the information and enter parts in this document with +an anon credit. + +Immediate Actions + + +The following is a list of items that should be done immediately: +Passwords + + +Change all default passwords +Use the maximum length passwords +Use a password generator to create random, convoluted passwords +Change all maintenance passwords at least each 30 days +Do not use the same passwords at different sites. +Make sure you have control of ALL passwords + + +Serial Ports + + +Locate every system serial port (maintenance, admin, etc.) +Trace these to their destination. Make sure there are no connections +you cannot identify. Make sure there is no bridging. +Clearly identify each modem connection. +Protect each sio port with a protection device. Such as a +call back protection device. + + +DISA + + +If you can disconnect disa, do it. +If you cannot disconnect disa then do the following: + +Change all passwords each month. +Issue individual passwords, if possible. +Change the disa number if it has been compromised. +Never publish the disa number. +The attendant should never give the disa number to anyone. +Set the disa to send no tone as a start signal rather than +a tone. + + + + +Voice Mail + + +Make sure your software will not allow call forwarding. +Make sure there are no voice mail boxes you cannot identify +Make sure the passwords are changed every 30 days +Make sure there is no visitor mail box. + + +Codes to Deny +Contact your long distance carrier and have them deny service to: + + 700 prefixes + 809 prefix - if you do not do business in the Caribbean deny this area code. More telephone fraud is reported on calls to this area than to all other locations in the world combined. + 976 and 976 look alike prefixes. + 900 prefixs. + 011 (international calls) if you do not normally do international business. My tracks on the pay per call croud indicates that they are moving from the 800 pay per call in favor of the 011 call. + +Make sure that you deny access to each of the above in your own machine. Additionally, deny all 800 and 888 pay per call lines. +One of the better ways to do the deny is to use an allow table that will not output the required digits. Looks like it works but don't. May even escape notice if the phreaker has access to the maintenance port. + +Telecommunications Policy + +To effectively achieve this goal, a long term, strategy must be +developed and the approval of upper management obtained. This +action will give the document the weight of POLICY. The following +are recommendations for policy from Northern Telcom. There is +no hard and fast rule that all elements are required or that these +are the only elements that could be included. + +Risk Assessment +Define Responsibilities +Authority +Identify Protection Resources +Procedures +Audit +Enforce Policy +Publish Incidents +Balance +Ownership + + +This really is not a telecommunications policy but is some kind of security +policy. Truely what is needed is a policy that will meet the needs of the +current company configuration, and adjust for future growth. Readers are +invited to use the above items in the generation of a policy. + +If your company has a policy and would share with the readers of this site, +please forward via fax, snail mail or otherwise. No payment for the +document is possible. + +Long Term Security items + + + +Now that the items above are achieved or in progress, we need to seek out +any phreakers. Keeping them out was the original goal. But it would have +been useless to get them out and not be able to secure the system. + +Activate the SMDR. Make it active both incoming and outgoing. Check any +calls of long duration or high cost. Check any calls that are not within +working hours. Check for any calls to a 900, 976 (or look alike), 800 pay +per call line, or area code 809. Check any 011 calls or calls to other +common carriers. + +Note: To make matters far more confusing, the Area Code 809 has split! +The new area codes for Antigua and Barbuda is 268. The old code is also +still in effect. If you block 809, block 268 also. Check your smdr for +area code 268 also. + +Question: Can anyone explain why eight prefixes need their very own area +code. This was done with little prior notice. + +Check the phone bills. Go over the bills with regularity and question all +items on the bill. + +There are a number of items I will leave out at this point to avoid +phreaking. A closing comment: + +Give me a call or an eMail if you have a question. I charge for analysis. +I do not charge for questions. + + diff --git a/textfiles.com/phreak/PHREAKING/haiku.txt b/textfiles.com/phreak/PHREAKING/haiku.txt new file mode 100644 index 00000000..42e464ac --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/haiku.txt @@ -0,0 +1,38 @@ + Some Phreaking Haikus + By The Slipped Disk + For The Sherwood Forest ][ + + Connection Boxed + +A phreak types the access code. The fone begins to ring. + The link is done. The black box lights up. + Nearby, The line is traced. The call does not register. + + + Raid Looped + + The men break in. The fone starts to sing. + Badges are flashed. Another joins in. +The Diskettes are eliminated. The Silent connects the conference. + + + Rainy Power + + The Hacker is working. The surge travels swiftly. + It is raining outside. They are unsuspecting. + The roof is leaking. The lights flicker briefly. + + + 99XX Diet + + The numbers are dialed. The time is morning. + A recording is found. The hacker is hungry. + The number is used. The Twinkies are swallowed. + + + Backup Problem + + The time is crucial. a phreaker is in. + The Disk is erased. The files are set off. + Did I copy it before? Soon, a missle launches. + \ No newline at end of file diff --git a/textfiles.com/phreak/PHREAKING/histphre.txt b/textfiles.com/phreak/PHREAKING/histphre.txt new file mode 100644 index 00000000..ec120d1b --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/histphre.txt @@ -0,0 +1,294 @@ +THE HISTORY OF PHREAKING +------------------------ + +DID YOU KNOW THAT PHREAKING STARTED FROM THE MOST UNLIKELY SOURCE...... CAP'N +CRUNCH CEREAL! + +YES, IN THE 1960'S A TOY WHISTLE WAS PLACED IN THE FAMOUS CEREAL. +UNFORTUNATELY (NOT FOR US), THE WHISTLE GENERATED 2,600 CYCLE-TONE, DUDE! A +YOUNG MAN WHO HAD JUST ENTERED THE USAF AS A RADIO TECH., WAS FASCINATED WHEN +HE DISCOVERED THAT BY BLOWING THE WHISTLE INTO THE FONE AFTER DIALING ANY +LONG-DISTANCE # AND HEARING THE DIS-CONNECT SIGNAL, THE TRUNK WOULD REMAIN +OPEN WITHOUT TOLL CHARGES ACCOUNTING, AND FROM THEN ON, ANY NUMBER COULD BE +DIALED REPEATEDLY. 800 #'S (INWATS) , WERE LATER USED AS THE STARTER CALL TO +AVOID ANY CHARGES. HE USED THIS TO CALL HOME WHILE STATIONED IN ENGLAND. +THE CAP'N PRACTICED FOR YEARS. HE REPORTEDLY WOULD PLACE CALLS AROUND THE +WORLD TO HIMSELF. HE WOULD THEN TALK AND HERE HIMSELF 20 SEC. LATER. HE WENT +ON TO DISCOVER THE OPERATOR CODES INCLUDING AUTO-RELAY (OPERATOR INTERRUPT, OR +VERIFY BUSY). THUS, EAVESDROPPING INTO CONVERSATIONS. HE CLAIMED TO LISTEN IN +ON THE FOLLOWING: + +1. PRES. OF THE USA + +2. FBI WHEN IT WAS AFTER PATTY HEARST + +3. THE SECT. OF DEFENSE + + AUTOVON. (EXPLAINED IN ANOTHER VOL.) + +CAP'N CRUNCH WAS THRUST INTO THE SPOTLIGHT WITH AN ARTICLE IN ESQUIRE. +THE TERM "BLUE BOX" CAME ABOUT BECAUSE THE FIRST ONE THAT WAS CAPTURED WAS +THAT COLOR. THE CAP'N SOON WENT BEYOND THE SIMPLE WHISTLE TO MORE COMPLICATED +DEVICES. + +THOUSANDS OF PHREAKS CHANCED UPON AN UNUSED TELEX TEST BOARD TRUNK LINE IN A +4A SWITCHING MACHINE IN VANCOUVER. DIALING AREA CODE 604 FOLLOWED BY 2111 +PLACED YOU IN AN INTERNATIONAL PARTY LINE. + +SOON MORE SOPHISTICATED BOXES FOLLOWED. IN '77, THE PHONE COMP. INSTALLED THE +FIRST OF THEIR MORE SOPH. EQUIP. IT HAS INCREASED THE RISK, BUT BY NO MEANS +STOPPED IT. BELL NOW HAS A SYSTEM THAT WILL PRODUCE A RECORDED VOICE TELLIN YA +TO STOP, RECORDS PART OF CONVERSATION, AND BILLS THE CALL TO THE NUMBER. +THOSE NUMBERS ARE THEN PRINTED OUT WITH THE TIME AND DATE. + +BELL NOW HAS 74 CENTRALIZED TICKET INVESTIGATION (CTI). ONE OF THESE ALONE +PERFORMS 7000 INVESTIGATIONS A DAY. + +CRUNCH WAS CAUGHT A NUMBER OF TIMES, INCLUDING A TOP SECRET MANUAL IN HIS +CLOSET DESCRIBING THE NCIC. (NATIONAL CRIME INFORMATION CENTER: COVERED +LATER). AFTER 3 CONVICTIONS AND A FEW YEARS IN JAIL, HE PACKED IT UP FOR A JOB +IN A SOFTWARE COMPANY OR SOMETHING LIKE THAT. BUT DO YOU BELIEVE THAT? +SOMEWHERE, SOMETIME, I HAVE AN EERIE FEELING THAT HE IS OUT THERE. +(Ed. note. Captain Crunch went to work for Apple Computer.) + +IN FRONT, AND I'M SURE HE'S STILL THERE. +SO NEXT TIME YOU BLUE BOX OR PHREAK, THINK OF THAT GUY LIVING NEXT DOOR, WHO +KNOWS. + +*************************************** TRIVIA ****************************** + +JOE THE WHISTLER, BLIND SINCE BIRTH, WAS ABLE TO WHISTLE THE PERFECT TONES +WITHIN THE 2% ERROR RANGE ESTABLISHED. REPORTEDLY PHREAKS WOULD CALL HIM UP TO +TUNE THEIR BOXES. NOW WORKS FOR THE FONE COMPANY AFTER A, SHALL WE SAY, AN +ILLUSTRIOUS CAREER. + +********************************** RECORD PHREAK **************************** + +UNKNOWN PHREAK CALLED: + +1. PRESIDENT + +2. ARMY COMMANDANT IN RUSSIA + +3. USAF SAC SQUADRON ALMOST CAUSING AN AIR ALERT. + +BIGGEST CALL I KNOW OF WAS EXECUTED BY + +HIM: $19,000 12 HOUR CALL TO.... + + + [A PHREAK HISTORY..BY THE ROGUE] + [from the book Out of the Inner] + [Circle by Bill Landreth, also ] + [known as "The Cracker". Phun! ] + +Our home computers can contact computers thousands of miles away because +they can use devices called modems that enable them to "hear" and translate +sounds sent over the nation's [and the world's] telephone communication +system. Like all giant networks, however, the telephone system has it's +weak points, and one lies in the fact that a computer-to-computer hookup +can occur without the knowledge of either the phone company or the invade +machine. This is the weakness that makes the telephone system and most +computer systems vulnerable to hackers. + +In the 1970s, before personal computers became as common as they are now, +the telephone system itself was explored by a group of hackers who called +themselves phone phreaks. The ethical and technical predecessors of +today's hackers, the phone phreaks were anarchic "musicians" who delighted +in using flutes, whistles and any other sound generators that worked to +enter and explore the worldwide telephone network. + +The phone phreaks were far less organized and widespread than today's +hackers are, and, in the beginning, none of them even knew of each other's +existence. The cult itself came into being in the late 1960s, partly +because of "phone hackers" at MIT and Stanford, where there were large +computer centers and nests of hackers, and partly because of a brilliant +young man in Tennessee named Joe Engressia. + +Joe was the first phone phreak to achieve media notoriety, when a 1971 +Esquire magazine article told the world about him and his co-horts. Like +many other early phone phreaks, Joe is blind. He was only twenty-two when +the article was published, but he had been tweaking the phone system since +the age of eight. Telephones had always fascinated him, and Joe also +happens to be one of those rare individuals who are born with perfect +pitch. One day, by accident, he discovered how this gift could help him +manipulate some of the most sophisticated and widespread technology in the +world. + +He was dialing recorded messages, partly because it was the only way he +knew of to call around the world for free, and partly because it was a +favorite pastime. He was whistling while listening to a recorded +announcement when suddenly the recording clicked off. Someone with less +curiosity might have assumed it was just one of those weird things the +telephone company does to you, but Joe had an idea. He fooled around with +some of their numbers and discovered that he could switch off any recorded +message by whistling a certain tone. + +He called the local telephone company and asked why tape recorders stopped +working when he whistled into the telephone. He didn't fully understand +the explanation that was given to him at the time [remember, he was only +eight years old], but it sounded as though he had stumbled into a whole new +world of things to do and explore. And to a bright eight-year-old, an +easily explored world, no farther away than his telephone, was, indeed, and +intriguing discovery. + +Joe was able to control some of the telephone company's global switching +network--which is what he stumbled upon with his whistling--because of a +decision American Telephone & Telegraph (AT&T) made sometime in the 1950's. +Their long-term, irreversible, multibillion-dollar decision was to base +their long-distance switching on a series of specific, audible tones called +a multifreqency system (known to phreaks as "MF") is a way for numbers that +designate switching paths to be transmitted as tones similar to the sounds +touch-tone phones make. Certain frequencies are used to find open lines, to +switch from local to long distance trunks, and, essentially, to do most of +the jobs a human operator is able to do. + +Undoubtedly, the decision-makers at AT&T did not give a moment's thought to +the possibility that the system might someday fall before a blind eight- +year old with perfect pitch, but Joe found that he could maneuver his way +through the system by whistling that one specific tone at the right time. +His motivation was not to steal free telephone calls, but to find his way +around the network and to learn how to extend his control over it. + +Joe explored for years, but he never thought of himself as an enemy of the +phone system. He loved the system. His dream was to work for the telephone +company someday, and he often tried to tell the company about bugs he +discovered in the system. But he finally ran a foul of his intended +employer when he was caught whistling up phone calls for fellow college +students. + +The publicity surrounding Joe's case had an unfortunate [for the telephone +company] side effect: it led to the creation of the phone-phreak network. +Soon after the story hit the papers, Joe began to get calls from all over +the country. Some of the callers were blind, most were young, and all of +them had one thing in common: and enormous curiosity about the telephone +system. Joe put his callers in touch with one another, and these scattered +experimenters soon found that they had stumbled upon several different ways +to use the MF system as the ticket to a world of electronic globe-trotting. + +Joe Engressia may have been the "phounding phather" of the phone phreaks, +but just as one discovery often leads to another and another, it soon +happened that someone else discovered a very large error made by the Bell +Telephone System in 1954. The Bell System's technical journal had +published a complete description of the multi-freqency system, including +the specific frequencies and descriptions of how the frequencies were used. + +Once the frequencies became public knowledge, phreaks began to use pipe +organs, flutes, and tape recorders to create the tones that gave them +control over the telecommunications network. And then came the ultimate +irony: The news spread that a simple toy whistle included as a giveaway in +boxes of Cap'n Crunch cereal produced a pure 2600-cycle tone of one of the +holes in the whistle was taped shut. Using the whistle at just the right +point in the process of making a connection, phreaks could call each other +whenever and wherever they wanted without having to pay the phone company. + +One of the more curious and inventive phreaks using the Cap'n Crunch +whistle was John draper, a young Air Force technician stationed overseas. +Draper used the whistle for free calls to his friends in the United States. +He was interested in the way this bizarre tool worked, so he began +experimenting with the system and found that he could use the whistle and +his knowledge of the switching network to route his calls in peculiar ways. + +He began by calling people who worked inside the telephone system. They +weren't aware that he was and outsider, so he was able to start gathering +"intelligence." Soon, he was calling Peking and Paris, and routing calls +to himself around the world. He set up massive clandestine conference +calls that phreaks around around the world could join and drop out of at +will. Soon, he became known to the phreak underground as Cap'n Crunch. + +Cap'n Crunch soon found out from other electronically minded phreaks that +it was possible to build specially tuned electronic-tone generators that +could reproduce the MF frequencies. A few electronic wizards began to +circulate the generators, which were first known as "MF boxes" because the +reproduced the multifreqency tones, and later came to be called "Blue +Boxes," as they are today. + +The number of phreaks grew, and as they added their own discoveries to the +collection of phreak knowledge, the cult's power to manipulate the system +steadily increased. Then, in October 1971, the whole underground scene, +from Joe Engressia to Cap'n Crunch, became well know to the outside world. +Esquire magazine published "Secrets of the Little Blue Box" by Ron +Rosenbaum, a journalist who had encountered the top phreaks of the time. +Cap'n Crunch was characterized somewhat romantically in Rosenbaum's piece +as a roving prankster who drove the author around in his specially equipped +van, pausing frequently at public telephones to phone locations around the +world: the American embassy in Moscow, a group of blind teen-age phreaks in +Canada, a public telephone in Trafalgar Square. + +After the article was published [though not as a direct result], Crunch was +arrested twice, convicted, and ended up spending four months at the federal +prison in Lompoc, California in 1976, and two at Northampton State Prison +in Pennsylvania in 1977. While he was in prison, several mob-connected +inmates tried to enlist him in a commercial blue-box venture. Draper/Crunch +declined. The convicts broke his back and knocked out his front teeth. + +After he left prison, Draper quit phreaking and decided to start +programming. An old friend by the name of Steve Wizniak seemed to be doing +pretty well with a piece of hardware he called the Apple and Draper started +writing software for Apple Computer. He developed a word-processing +program known as EasyWriter and gained another niche in the technological +Hall of Fame in 1981, when EasyWriter was selected as the first word- +processing program available for the IBM PC. Now, Cap'n Crunch makes a +legitimate living under a new handle, Cap'n Software. + + [TAP] + +During his trial, John Draper claimed [and still claims] that his interest +in phreaking was strictly devoted to learning about the workings of complex, +worldwide communication-switching networks. There were other phreaks, +thought, of a more political mind, who saw this method of technological +trespassing as a tool for spreading anarchy, and one radical branch of the +phreak fraternity grew out of the political group of the late sixties and +early seventies known as the Yippees. + +On May Day, 1971, the founding Yippee, Abbie Hoffman, and a phone phreak +who used the handle Al Bell started a subversive publication, called the +Youth International Party Line, which focused on information about cracking +the phone network. A few years later, its name was changed to +Technological Acetones Program [TAP], when the technological phreaks +separated from their more politically oriented counterparts. TAP was +purely anarchist. Through it phreaks learned how to make plastic +explosive, how to obtain phony birth certificates and illicit airline +tickets, and how to abuse credit cards. It published circuit diagrams of +blue boxes, and it's members specialized in gaining and trading hard-to-get +phone numbers--the Vatican, for example, or the Kremlin. TAP even secured +the phone number of the American Embassy in Teheran after it was seized by +students during the "hostage crisis" of 1980, posted the number, and +invited phreaks to call the Embassy in tehran and "tell off" the +revolutionary guards... + +In the late 1970s the phreak who had been most closely associated with TAP +also became a well-known hacker with the aliases Richard Cheshire and +Cheshire Catalyst. Often employed as a computer consultant by large +corporations who are unaware of his secret identity, Cheshire has a +widespread, carefully cultivated network of cohorts inside the telephone +company and other institutions. Avoiding what he calls "dark-side hacking" +that results in damage to data, Cheshire claims that there are some kinds +of information that even TAP will not publish. For example, Cheshire once +told a friend of mine: "A few years ago, before the Progressive magazine +actually published the plans for making a hydrogen bomb, we were approached +by someone who had similar plans. I decided that anything like the +hydrogen bomb, which has the capability of destroying the phone network, is +not in our interests." + +Cheshire also mentioned an incident in which a hacker he knew stumbled upon +the data-processing facilities of a sop-secret American seismic station in +Iceland, a facility for monitoring Soviet nuclear testing. The hacker got +out as soon as he realized where he was--"We try to stay away from that +stuff," Cheshire said. He also remarked, "I once Invited the CIA to attend +a public lecture of mine, and there were a couple of guys at the talk, +seated toward the back who definitely turned a couple of shades of green +when I told about the Icelandic station." + + YOU CAN SUBSCRIBE TO T.A.P. NEWSLETTER BY SENDING $8.00 TO: + + TAP + ROOM 603 + 147 WEST 42ND STREET + NEW YORK, NY 10036 + +NOTE: that address above is the old one. I have heard various rumors that +TAP went down and is soon coming back up. If you can steal $8.00 dollars +to stuff in an envelope, it's worth a try... I'll try to get the new +address if I can... Later on, The Rogue. + diff --git a/textfiles.com/phreak/PHREAKING/info5.hac b/textfiles.com/phreak/PHREAKING/info5.hac new file mode 100644 index 00000000..c487c247 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/info5.hac @@ -0,0 +1,72 @@ +55 + +_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_ +_- -_ +_- -_ +_- PHREAKING -_ +_- -_ +_- BY: -_ +_- THE VKR & OTALP YCRAZY PLATO -_ +_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_ + +THE HISTORY OF PHREAKING +------------------------ + +DID YOU KNOW THAT PHREAKING STARTED FROM THE MOST UNLIKELY SOURCE...... + CAP'N CRUNCH CEREAL! + +YES, IN THE 1960'S A TOY WHISTLE WAS PLACED IN THE FAMOUS CEREAL. UNFORTUNATELY ( +NOT FOR US), THE WHISTLE GENERATED 2,600 CYCLE-TONE, DUDE! A YOUNG MAN WHO HAD JU +ST ENTERED THE USAF AS A RADIO TECH., WAS FASCINATED WHEN HE DISCOVERED THAT BY B +LOWING THE WHISTLE INTO THE FONE AFTER DIALING ANY LONG-DISTANCE # AND HEARING TH +E DISCONNECT SIGNAL, THE TRUNK WOULD REMAINOPEN WITHOUT TOLL CHARGES ACCOUNTING, +AND FROM THEN ON, ANY NUMBER COULD BE DIALED REPEATEDLY. 800 #'S (INWATS) ,WERE L +ATER USED AS THE STARTER CALL TO AVOID ANY CHARGES. HE USED THIS TO CALL HOME WHI +LE STATIONED IN ENGLAND. + +THE CAP'N PRACTICED FOR YEARS. HE REPORTEDLY WOULD PLACE CALLS AROUND THE WORLD T +O HIMSELF. HE WOULD THEN TALK AND HERE HIMSELF 20 SEC. LATER. HE WENT ON TO DISCO +VER THE OPERATOR CODES INCLUDING AUTO-RELAY (OPERATOR INTERUPT, OR VERIFY BUSY). +THUS, EAVESDROPPING INTO CONVERSATIONS. HE CLAIMED TO LISTEN IN ON THE FOLLOWING +: +1. PRES. OF THE USA +2. FBI WHEN IT WAS AFTER PATTY HEARST +3. THE SECT. OF DEFENSE + + AUTOVON. (EXPLAINED IN ANOTHER VOL.) + +CAP'N CRUNCH WAS THRUST INTO THE SPOTLITE WITH AN ARTICLE IN ESQUIRE. + +THOUSANDS OF PHREAKS CHANCED UPON AN UNUSED TELEX TEST BOARD TRUNK LINE IN A 4A S +WITCHING MACHINE IN VANCOUVER. DIALING AREA CODE 604 FOLLOWED BY 2111 PLACED YOU +IN AN INTERNATIONAL PARTY LINE. + +SOON MORE SOPHISTICATED BOXES FOLLOWED. IN '77, THE PHONE COMP. INSTALLED THE FIR +ST OF THEIR MORE SOPH. EQUIP. IT HAS INCREASED THE RISK, BUT BY NO MEANS STOPPED +IT. BELL NOW HAS A SYSTEM THAT WILL PRODUCE A RECORDED VOICE TELLIN YA TO STOP, R +ECORDS PART OF CONVERSATION, AND BILLS THE CALL TO THE NUMBER. THOSE NUMBERS ARE + THEN PRINTED OUT WITH THE TIME AND DATE. + +BELL NOW HAS 74 CENTRALIZED TICKET INVESTIGATION (CTI). ONE OF THESE ALONE PERFOR +MS 7000 INVESTIGATIONS A DAY. + +CRUNCH WAS CAUGHT A NUMBER OF TIMES, INCLUDING A TOP SECRET MANUAL IN HIS CLOSET + DESCRIBING THE NCIC. (NATIONAL CRIME INFORMATION CENTER: COVERED LATER). AFTER 3 + CONVICTIONS AND A FEW YEARS IN JAIL, HE PACKED IT UP FOR A JOB IN A SOFTWARE CO +MPANY OR SOMETHING LIKE THAT. BUT DO YOU BELIEVE THAT? SOMEWHERE, SOMETIME, I HAV +E AN EERIE FEELING THAT HE IS OUT THERE. + +IN FRONT, AND I'M SURE HE'S STILL THERE. + +SO NEXT TIME YOU BLUE BOX OR PHREAK, THINK OF THAT GUY LIVING NEXT DOOR, WHO KNOW +S. + +*************************************** + TRIVIA +*************************************** +JOE THE WHISTLER, BLIND SINCE BIRTH, WAS ABLE TO WHISTLE THE PERFECT TONES +WITHIN THE 2% ERROR RANGE ESTABLISHED. REPORTEDLY PHREAKS WOULD CALL HIM UP TO TU +NE THEIR BOXES. NOW WORKS FOR THE FONE COMPANY AFTER A, SHALL WE SAY, AN ILLUSTRI +OUS CAREER. + +Which file (L=List): \ No newline at end of file diff --git a/textfiles.com/phreak/PHREAKING/intervie.phk b/textfiles.com/phreak/PHREAKING/intervie.phk new file mode 100644 index 00000000..9e7829ea --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/intervie.phk @@ -0,0 +1,523 @@ +(: {Interview's & Conversations} :) +:) {with famous phreaks/hackers} (: +(: by The Infiltrator :) + +From the WHAT IS THIS AND WHO ARE YOU department. + + This is a series of files about conversations I have had with some of the +better known phreaks and hackers in the NY area, specifically those that I met +at TAP. I was a regular at TAP until everyone but the "950 Kode Kids", Richard +and Agent 6 left. Richard for those uneducated enough to not know, is Chesire +Cat, and 6 and a group of 60's throwbacks are the new regulars. The old group +has more or less become extinct. (Chesire and 6 were also the old group, but +the people who left are the ones who counted, and I used to go there to listen +to. Now I don't go anymore eithr.) TAP used to be the publication and the Fri. +night meetings. For the last 2 years its been just the meetings, since the +newsletter stopped being published. + + During those 2 years there have been a small group of individuals who I +thought to be the most interesting to talk to at the time. Central among those: +Tuc (on the few occasions he did show up there), Lord Digital and Paul Maud'dib. +I also met a large number of losers with large opinions of themselves. Central +among those: Broadway Hacker (I think, the only person I really learned to +consistantly disklike at TAP while he was there.), The Surge (on his few guest +appearances.), MadMan, Criminal Element, The Phantom and others. People that +passed through for a day or two included: + + Big Brother : Thought himself very funny, nobody spoke with him and I guess +feeling embarassed, he left after about 2 hours of talking to the only person +who came with him. + + BIOC Agent 003 : Very businesslike, carries a briefcase filled with 500 xerox +copies of everything, which he freely hands out. Altogether a nice guy, if a +bit weird. + + Sharp Razor : Typical LOD members, heavily opinionated about everyone and +everything in the world, mostly offensive to people there, unless they were some +of the previously mentioned regulars, who he would kiss up to, only to call them +losers the moment they left the table. + + King Blotto : He seemed like a nice person who knew what he was talking +about, fit right into greenwich village since he came sporting multi-colored +hair and a bicycle chain for a belt. Have to wonder what people think of him +back in the midwest. + + The 950 kode kids : This group includes, The Ninja NYC, Ginn Fizz, The +Jackel, and a grouping of others that come and go. + + And a large group of people I refer to as "LODITES in training", typically 14- +21 yr olds carrying around 50 lbs of manuals they promptly turned over to the +cheif LODdy present. These included: X-Man, The Knipper, Doctor Who (who now +hates LOD i think.) and other less noticables. + + + Who am I? I'm a 19 year old Hunter College student, who started attending the +weekly meetings to learn how to make free phone calls or "be a phreak" and +learned what being a "real phreak" was all about during my 2 years there. This +is just a text file from some of my notes, the "interviews" when they appear +were done with a tape recoder (walkman) I had turned on and hooked to a mic +under my collar. The the people being recorded had no knowledge of this fact. +All the quotes are word for word reproductions of what was said. There is no +professional formatting, or fancy text graphics, just some notes slapped +together on what I have heard along with my comments. I also would not consider +any of the mentioned peolpe my friends, rather people I grew to know and have +good conversations with over the Friday nights. You cannot call someone your +friend if you essentially know nothing about them and are basically untrusted. + +Conversation with Chesire Catalyst (Held at TAP.) +{Chesire is the ex-editor and publisher of TAP.} + +(Me: is what i said, An: is what he answered, this is usually about 5 minutes +into a otherwise "normal" conversation. Richard is about 6' tall, black hair & +beard, look like he should have been a truck driver instead of a phreak.) + +ME: So is there any chance of TAP coming back together? +AN: Not by me, I don't have the time, or the funds. It never made me any money + it was more of a public service that I can't afford to do anymore. +ME: Wasn't someone else supposed to take it over? +AN: Yes, Tuc was going to take it, but that's on hold right now, it doesn't + really look like it's going to happen though. With 2600 gone also, there is + nothing there to take the space of TAP at the present time. +ME: So it looks as if TAP has died after all these years? +AN: Well TAP isn't that easy to kill! I'm sure it will re-surface in one form + or another sometime in the next decade. +ME: Oh good, I have something to look forward to in the 90's. What about you? + Do you still phreak or what do you do for a living now? +AN: Oh no, I was much to closely related with the magazine to do any of that + any more. I give lectures on security and appear on talk shows and seminars + that concern our hobby. I'm also a technical consultant for various firms. +ME: Ok, thanks. + +Convo with Tuc: (Held at TAP) + +{Tuc is a phone phreak/hacker I have taked to on and off over the last 2 years + he has matured from a fat over-exertive person, into a normal human being who + is nice to talk to.} + +(Tuc is about 6'1", used to be fat but has thinned out in the last year, black +hair, no beard, about 20 I'd guesstimate, I never asked him.) + +ME: You look good, lost a lot of weight. +AN: Thanks, I gained a lot of it in college on the junk food. +ME: How'd you manage to lose it? +AN: Took up jogging and lost it again. +ME: Ok, So what is happening with Fargo 4a now? +AN: We plan to go on a member drive and regroup. +ME: Do you actually have any hopes of it coming together? +AN: Well it's more of just something to do for fun, it won't be that hard to + get into the club at this time. +ME: What do you think of the current phreak world compared to the one of say + 2 years ago? +AN: Well everyone hates everyone now, there is no unity, there is only endless + war and threats and disorganazation. Mostly there are people who don't want + to learn anything, but only wish to join a large group and spend the rest + of their time signing it under their handle. +ME: Like LOD +AN: Like LOD +ME: Are you a member of LOD? +AN: No, I'm not and never will be. +ME: What do you think of LOD? +AN: I really can't say anything about that, but I'm not a member, that should + speak for something. +ME: Ok, I understand. Who else here do you consider to be any good? +AN: Well there is Paul and LD, that's about it, if you mean people in our own + underground. They (Meaning richard, agent 6, and others) are also very good + in certain areas and know a lot. + +{At "they" he meant chesire cat and others. Paul and LD refer to Paul Maud'dib + and Lord Digital} + +ME: Well thank's for your time + + +Convo with Lord Digital: {Held in the computer section of B.Dalton's on 15th +st. In NY, about 9 months after the last time I saw him at TAP. He has seemed +to also mature, from a "I'm god, Fuck you" attitude, into a more easy going +human being.} + +(Lord Digital is about 6'1", was pear shaped the last time I saw him, seems +to have lost a good 50 lbs. He has black hair, is the only person I have met +in my life who consistantly wears a tie and designer shirts. If you know what +Steve Jobs or Rob Lowe look like, you know what LD looks like.) + +ME: Hey, almost didn't recognize you, lost a lot of weight. +AN: Hum, who're you? +ME: TAP remember? +AN: Oh right, Ok I remember you now. +ME: How'd you manage to lose so much weight so fast? +AN: Took up Shotokan. +ME: ? Karate? +AN: Yeah, subset thereof, more mind over mind/body control though. +ME: Oh, walk over fire and kill people and all that? +AN: Nooooooo, the kill people is just a sort of anti-thesis to acupuncture, + hurt instead of heal, etc. Just knowledge of where to hit and why. As + for anything else, it's up to you to decide. Forget it. +ME: Subject dropped. Saw your story in Sundays businessweek, congratulations. + +{One of his companies was profiled in a business section of a local paper, I + know it's name because I brought a 1200 modem from him a year ago.} + +AN: Aha, thanks. It's not a big deal, that paper isn't exactly the Times and + the yearly growth was just normal. Only thing that turned them on was that + we started it when I was 15 & he was 17. Sort of '2 local kids make big + bucks in computer enterprize!'. +ME: Well better then I'm doing. Speaking of that, have you seen all the loser + files going around? Your name appears on 1 or 2 of them. +AN: Yeah I was shown one of them, only thing I recall was being pissed as + having my role model listed as Donald Trump. The least they could have + done was given me a decent person I supposedly worship, like Mark Rich. +ME: Who? +AN: Sigh, nevermind. Suffice to say, most of it are the delusions of some bored + 14 yr. old Loser. In order to know all this about everyone, I would guess + one of Carl's idiot friends, or someone like Eric. I Don't know or care. +ME: Then it was correct? +AN: No, but the geographic locations were fairly accurate, so were a lot of + things the typical rodent would not know. There were a lot of errors, but + what it comes down to is; how does this cretin know anything about me to + begin with? answer; he talks with someone I talk to. Probably Carl, but + who really gives a shit, I don't. +ME: Carl as in Criminal Element? Isn't he a loser? +AN: Yeah, CE, well I have no comment's as to what he may or may not know about + phreaking, I am friends with Carl, it's not like Hi! CE!!?, This is LD!!!! + got some cool info? If he knows something or not, doesn't really matter. + He knows enough people that DO know what they're doing, that he doesn't + need to know something if he doesn't care. So effectively speaking he has + access to a large amount of information. +ME: And he doesn't? +AN: Talk to him about it, not me. Only thing that bothers me is the large loser + ratio he speaks with. Wouldn't matter in itself, except these people turn + around distort everything and write C000l Text philez about it. +ME: Like when you were busted and 'died' last year? +AN: Yeah, I've never been busted, nor have I died lately. +ME: Well I know from what people have told me that your father is well off, but + is any of that in the file true? Do you make a lot of money? +AN: Well why would you care? I really don't have any comments about anything + that links my personna to my real ventures. But let's put it this way, if + you have 50k and saturate penny stocks that you know are going to go up, + then you have to be brain dead to not make at least 500% of your investment + every year. However this is all paper, if you liquidize then your broker + gets a slice, taxes throw out half the rest and if you're legally a minor + then even more gets chopped since your parents have to co-sign all that. +ME: I'm not familliar with all that, what about Blue Chip stock? +AN: That's something to use instead of a bank, IBM, WANG, are rock. Nothing + they do will ever have any kind of substantial loss. AT&T more or less + the same. NYNEX also became worth a lot more since diversiture. +ME: Ok, sorry to intrude, I'd really like to ask you about a subject that + generates a lot of interest these days. Phantom Access. Is it real or what? +AN: Hahaha, swell. Yeah it's real. +ME: Care to elaborate? +AN: Ok, the name itself "Phantom Access", is now the registered trademark of a + third party who thought it was nice and wanted exclusive rights to it. The + name, not the programs. The programs are, if you can imagine something like + a small Dbase III related to modem usage and file integration. These are + for the Apple with a Cat, there are a lot of versions, I don't really know + who has what at this point, I basically told my friends that they are free + to do whatever they want with them. +ME: Are there any other versions for other machines or what did you mean by lot + of versions? +AN: Well mine uses mousetext, windows, 256K, clock, hard disk, 212 card and + an optional 2400 modem. The simplest version uses 1 disk drive, 40 columns + and a ][+ with 48k. There are versions for the Amiga, I was never involved + with the Mac, I never had an interest in the machine, the programs for it + were by someone else. +ME: Paul Maud'dib? +AN: No comment +ME: Ok, no problem. What exactly does it do? and why did you write it and why + all the secrecy? +AN: Ok, I just thought of everything I might want a hacker to do. By hacker I + mean in a global sense Telecom Expert System, not a code finder for Sprint. + There was a small pre-processor I did that had about 50 commands added to + basic, like tone generation, wait, test, else, endif, etc, states. Then I + went ahead and did a full fledged hacker, it will literally hack anything + ever devised. It's excellent and apparently no-one has ever thought of + many of the functions. I mean just in the last year have audio-test hackers + come out for the cat. We were doing this 4 years ago. The primary reason + for some of the techniques in it, were to insure no high-profiles on + digital switching systems. Then I wrote an intelligent scanner that worked + with the hackers, then an ascii hacker. +ME: Yes, sounds great. You might be interested, just lately there has been a + ascii hacker made by others. Hackamatic I think. +AN: Yeah I know, i've seen it. Actually ascii hackers have been out for + a long time, just they aren't distributed. Originally I had planned some + thing much like it, but made to work with the hackers & scanner, faster and + less kludgey. But I talked about it with Paul, he just said Wrong, dumb + move, use pattern matching, make it intelligent, not something slow and + useless. At the time I was 15, I though Huffman code & godelization of + text files were just swell and Unix was god. I was unfamilliar with any + real AI techniqes or langauges. So I went out and read some of Knuth's + books, learned lisp and some prolog, and about 2 weeks later came up with + something much better. +ME: How good is Paul, really? +AN: That's a difficult question, in comparision to what you'd call phreaks or + hackers, he is much better. But that's not saying much. +ME: How would you catagorize yourself? +AN: I wouldn't, I don't seek to be integrated into whatever structure they + have set up. +ME: Ok, in comparison to their structures, how would you say you and Paul + would fit it? +AN: Better then 99%, there is always the unknown 1% that someone might be doing + something that would just blow me away. I doubt it, but it's possible and + it's happened before. Also, I wouldn't catogarize myself with Paul, he has + greater general knowledge of some fields that I don't. And visa versa, so + it works out well. During the final writing of the hacker though, it was + really helpful to be able to read 50 different things, see how to mix them + into the 1 thing I needed, and then talk it over with him, usually I can + come up with something he never thought of and he points out stupid moves + on my part. And suggests improvments. +ME: Who are the 1% that impressed you? +AN: Nobody well known, usually just people I'd meet in obscure places, like + some kid I met at an electronics store, who walked out and said, hey those + look like parts for a blue box. I just started talking to him, and after + a few minutes, got the impression that he was either totaly confused or + lying. Then I found out his father is a SCC switchman. So I ended up with + several feet of manuals, 100's of dialups for things in nyc, and gave him + some cosmos manuals which he wanted. It ws very profitable from my end of + it anyway. +ME: I always wondered were all that came from. +AN: ha, yeah, well you can trash from now until 1990, or you can just order the + fucking things from AT&T, I'm on their mailing lists with a maildrop as a + TIRM director. They just keep sending more and more junk. +ME: What did the SCC guy teach you about? +AN: Various things, and cleared up a lot of misconceptions about ANI and how + it actually works, auto-verify, things like that, which I really didn't + know the answers to. He had it as sort of a hobby as well, he was on some + cosmos kick, and I helped him out, so he was grateful. He also had an apple + and to most normal people, you mention free software, and they get this + happy expression. Future 40 yr. old new wares kids being born. +ME: Speaking of that, what do you think of the pirate world? To my knowledge + you are one of the only phreaks to ever be in any large pirate group. + {Apple Mafia} +AN: Well that wasn't through any real involement. I just happened to be friends + with a lot of the people and at the time it was a new idea. (A group), so I + said why not. +ME: What do you think of pirates? did you crack software? +AN: Hahahahaha, yeah dude, I crack the latest!. No, sorry, I don't mean to + insult pirates, just I find it hard to take anyone involved in an endless + cycle of getting new wares, in any kind of serious perspective. I mean Ok, + when I first thought of all the software I could have for free, it was like + being let loose in the vault of bank, or a 7 yr old in a toy store. Whether + people admit it or not, they are new wares kids at first. But also being + realistic, you discover that 95% of all software is useless to you, ok it + might be good for something, but why do *I* need it? the rest is just trash + period. Then there's the 5% I use. I outgrew piracy in about 2 months, most + normal people do as well. Or they become crackers and start cranking out + the wares. +ME: What do you think of the crackers? +AN: It varies, I can understand being interested in programming and protection + schemes, but to actually waste all that time on cracking garbage, just to + get losers to idolize you is pathetic. +ME: Do you still talk to any of the pirates? +AN: Not really, the pirates I talked to are largely gone from the pirate world + as I said, most people outgrow it. If you mean people who were pirates that + I talk to, then there's Zero Page, Mr. Xerox, etc. I mean a LOT of people + WERE pirates, but that doesn't really mean anything at this point, I WAS + a pirate, everyone who has ever gotten software for free was/is a pirate. +ME: Ok, I mean people who are cracking right now, do you talk to any of them? +AN: Not really, most of them came into existance a very short time ago, And I + have no reason to talk to them or associate with them. +ME: So you don't get new software anymore? +AN: Yeah I do, a friend of mine brings over a box ever week or so, usually it + ends up as 20 blank sides, but sometimes there is something decent out in + apple software. I mean I DO use AppleWorks and some new utilities. There's + no reason to not use machines I allready own. +ME: Can you say who you still DO talk to? +AN: Well I suppose it doesn't really matter, Captain Avatar, who I think is now + calling himself Skip Rooney, or some such name. Sigh. +ME: In other word's idiot's. +AN: No, not really, he's just someone who likes software, good for him, who am + I to say that he shouldn't like it? +ME: True I guess, what about crackers? +AN: I think he does crack, I don't know/care. I also know Gadget Master. +ME: How did you meet him? People regard him as a big loser who mis-cracks wares + that are copya. +AN: I don't know and as I've said, I really don't care, I first talked to him + a few years ago when I was still aware of the pirate world, he started out + in something like late '83 I think. He's ok as a person, I really couldn't + care less if the new wares kids love him or hate him. As far as I know he + does it for himself, not for the benefit of others. So what other people + think of him is inconsequential. +ME: Where do you think the pirate world has gone lately, and about the sides + forming in both worlds? +AN: Well as far as I'm told the pirate world has gone downhill a LOT, I don't + know. As far as hatred, most phreaks regard pirates as lowlifes who have + nothing to do with their time. Which is to an extent true. Pirates regard + phreaks as code abusers and losers who cannot program. Which is also to + an extent true, at least of the newer phreaks. It is really easy to + become well known for having essentially no skills, it's like, what do you + know? I know Tuc!. That's just keen, WHAT do you know? I just told you, I + know Tuc, I even know where he lives, and am joining a new super elite + board tomorrow! I'm cool!. Everything seems to be cyclical, building up + to it's absolute zenith at late '83, with the ending of securityland and + the original OSUNY. Everything thereonward has been less impressive then + that which came before it, I mean Sherwood Forest (The original run by + Magnetic Surfer {The TKOS board}) was good, Plovernet was good, LOD was + good. But they still did not compare, everything usually disintegrated + into people quoting manuals at each other and a bunch of "We're the + eliteist people in the whole universe" patting each other on the back + kind of messages on the club subs. +ME: So your saying no-one really knows that much? +AN: No, not at all, there are many competant people out there, but compared to + just about any professional we didn't have that much knowledge. Most hackers + have a basic understaning of more OS's then the average DP person will ever + have to learn, but no concrete knowledge of how it works. Usually someone + will specialize in 1 OS and the other people in the group will handle the + others, so it works out more or less. But phreaking is different, OS's are + easy to learn because there is a lot of easily accessible published doc- + umentation available on it. Technical AT&T manuals usually constitute + trade secrets, and are hard to get. Or WERE had to get, now I have almost + infinite access. But I'm talking about the average phreak who knows what + he is doing. As opposed to the average elite poser, who can quote every + # to every "elite" 1 drive board in the univere, and every word of every + file ever written backwards and forwards, yet fail to understand anything. + The poser won't care about the knowledge, just how his name ranks in comp- + arision with other elite posers. +ME: So what do you think of LOD and people like Blotto, I think that from some + of the messages I've seen posted Mr. Xerox contends they are complete + losers? +AN: Well I don't know, I'm not familliar with the group LOD or even if it + exists anymore. +ME: What about Blotto? and blottoland, were you also on the LOD club board? + I've heard that you also don't like Blotto? +AN: I don't even know Blotto, it's hard to dislike someone you have never + spoken with. I have no idea as to his skill, but assume he is competant + in whatever he is doing. +ME: Do you KNOW ABOUT Blotto and newsweek? and what about the boards? +AN: I only know about Blotto through Paul, from what I know he is ok as a + person, I know nothing of his skill or lack thereof. I was on LOD when + it opened in March of '84, or April, whatever. I called a few times, then + didn't call back for about 6 months, by then I think the # had changed + 3 times. I've seen the final LOD club only board, since Paul was still + a member {Paul quit LOD}, and remote sysop of it, it wasn't impressive, + but it wasn't bad either. The same for Blottoland. As for Newsweek, I + don't know why he's being hassled about it, HE didn't have any say on + anything as I recall. If the elite posers had reacted unlike idiot's + for a change nothing would have happened, just another story. Instead of + that they threatened his life, his wifes life, and the next week, boom + prime time "hackers threaten life of Richard Sandza" The original article + became a series of articles, ad infinitum. As for the other newsweek crap, + I would sum it up as losers getting caught and trying to cash in on the + media coverage. It's like "hey I'm lame, I just go busted, why not get on + TV at least?". Hardly people who qualify as any kind of spokespeople for + hackers or phreaks. +ME: What about the phreaks and pirates who appeared on TV also? +AN: If that's what you want, it's easy. Media people love you, I mean you + know Mike {11 news reporter who shows up at TAP.}, you agree to appear + on TV, next day, your on TV, and have 45 seconds to say anything you want + to say, complete with shadowmask, voicemask, free lunch, rides, and a vhs + of the show, and any other shows that you want. The only people he has been + able to convince are the local code mongers, if you remember he asked to + NOT have a shadow or voice mask, so his friends could see his face on TV. + Gosh mom look! +ME: So what do you think of current boards and new phreaks? Also why are you + no longer on boards? Oh yeah, also what was Metronet? +AN: Geez, lot's of questions, ok 1985 has been the year of the radical ultra + elite private board with cool software and spinning cursors and filters, + and users/sysops composed of idiots. EVERY loser in the world with 2 drives + is putting up a elite private board. In a way it's amusing, but sad too. + New phreaks usually start as inexperianced and move into the status of full + time elite posers. Ask yourself this: why do people call boards? To gain + knowledge, talk to their peers, ask questions of better phreaks and to form + radical elite groups! Now as it stands, they will never find anything other + then losers who claim to be something they are not. They believe that all + knowledge is hidden in the elite g-sections of all the best boards. Which + is of course bullshit, frequently the people who transcribed the manuals + managed to fuck it up along the way, didn't even understand it themselves + but just copied it word for word from somwhere. It's easy to run into a + person somewhere and say something involving their latest file, and they + will just look at you and ask what you're talking about. They wrote it yet + dont' understand it, actually let me take they back, they copied it and + fail to understand it. I no longer call boards because I have no reason + to call them. There is nothing out there I need to learn, no-one I need to + talk to, the only people I would talk to on boards, I call voice. So why + call boards? Just for a good laugh maybe, that's about it. +ME: You're saying that no-one out there know's more then you? And what about + metronet. +AN: No, not in the least, everyone knows more about a given subject that is + their specialty then someone else does. But what it comes down to, is + that if I DID want to learn something, I would not call a board or any + thing of the sort. I would get a manual on it and learn it. End of story. + If at the point I wanted some additional tips, I'd call a friend and ask. + As for Metronet, I was simply friends with Terminus, I have no idea why + he freaked out, insulted everyone, took his board down and dissapeared. + But I haven't spoken with him since he was in Paris sometime last May. +ME: Ok, what about the quality of files, where would you suggest a new phreak + start out? And how did you start out? +AN: Argh, again the long questions. I have to get going in a minute, but Ok. + The quality of new files is shit, nothing usefull is being written, I've + seen some of the newer files, it's like, are these people joking or what? + 101 way to spell leech, how to be a phreak, the real pirates guide, a guide + to hacking/phreaking/carding/anything, and they are all total shit. I mean + if people regard these as testimonials on how to card or whatever, then its + no wonder so many of them get busted. Where to start, well go to Shadio + Rack, and buy: understanding telephone electronics. Then get ahold of Don's + files, read and understand them. I KNOW, everyone says they are innacurate, + and plagerised or whatever. But what did they want him to do? make it up + as he went along? of course it has to be simillar with something. The fact + is, even though there are some mistakes, 95% of the text is extremely use- + ful for begginers. No-One has to this date done better job. For specialisd + knowledge you can branch off to files that deal with hat subject matter. + For example: Blue Boxing is covered in about 50 files at any given time, + but the best and most technically correct ones are probably those by Tabas. + I started out, as you put it. When I was about 6, my father was a nuclear + physicist before getting into business. And used to work for NCAR. (Natnl + Center of something or another.) They were one of the first 3 organazations + to get a Cray-1 and I hung around and started doing thing like running + stupid little programs on punch cards through it. I was supposed to just + run their's through, but in reality I could do whatever I wanted to. So I + had fun. Everything I did until 1979 dealt with mainframes. Then someone + introduced me to an Apple, and I ended up hanging around with Magnetic + Surfer (Old phreak). Who also had an apple, running with a casette tape & + a micromodem II. It was fun, there were like 30 boards out then PERIOD. + It was sort of the begining of everything, Rather nice. +ME: How old are you anyway? +AN: Old... almost 18 +ME: Whew, well compared to a lot of people out there your quite young. +AN: It depends. There's a point where you reach a level that you can really do + just about anything. It's not 1 set of skills, but combine a phreak, a + hacker and a pirate, into 1 person. And that person is effectively unstop- + able. He can do just about anything he wants to. But at that point you + usually decide what course you want your life to take. You can easily + become a sucessful computer criminal. Or you can enter the real world with + a host of extra skills that give you an incredible edge over anyone in the + information age. +ME: So what do you think of all the "Elite" 19-25 year olds still out there? +AN: Well, if people started later, then they might still be there at that age, + or they might just enjoy calling boards & joining things just for the fun of + it. If on the other hand they have been into it for 5 years and are still + serious about the entire Rad K000l I'm Elite, cycle, then they are either + complete social outcasts, or losers. If at that point you find that having + some kid in Pig's Knuckle Idaho, idolize you. Is the most important part + of your life, then you have some serious problems. I wish them the best of + luck, and may they all eventually grow up and get real lives. +ME: That sounds about right. Also what did you mean by "can do anything" you + mean get at any information? +AN: Yeah. +ME: With Phantom Access? +AN: Nooo, look Phantom Access is nice, it's good tool, but I only need so many + codes for so many systems. I set it up for 1 night, and have enough codes + to last 5 years. I have no use for a scanner unless I am looking for some + thing particular in a specific ANC. And there are much eaisier ways of + getting a PW then setting up a hacker. They are all essentially toys. + Granted, they are very nice toys, but it's much faster to socially eng- + ineer whatever you might need. I no longer play with systems just for + the hell of it, unless I am in the process of learning them, in which case + I get a real account from my local ACM office. +ME: But why a combination of the three? +AN: Ok, simple, it's a deadly combination. Security people are used to dealing + with hackers, ok make the OS as bulletproof as possible, let's assume they + miraculously achive perfection. Secure system. Now the weak link is users, + it HAS to have users to access the information. So now the weak link is + their pw's. A pirate can program his machine to do anything he wants it to + do, since he is presumably adept enough to write whatever quickie hacker + he might need for the situation. So now you begin to play with getting an + account from one of the users, what is another weak link? the phone lines + themselves. On mechanical systems it's more of a hassle, but still within + reason, but on digital systems it's one large software program with all + kinds of neat functions. +ME: Right, you and Paul are the leading experts on ESS I heaÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿright's reserved. {} + +don't like being exposed +for being the losers that they are. + + +{} (C) 1985 by The Infiltrator. All \ No newline at end of file diff --git a/textfiles.com/phreak/PHREAKING/jc.phreak b/textfiles.com/phreak/PHREAKING/jc.phreak new file mode 100644 index 00000000..6db30985 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/jc.phreak @@ -0,0 +1,837 @@ +View Files... + +[ Select File, or ? ]: 13 + +..The Liberator- 914/353-4256.. + + +<*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*> +<*> Joe Cosmo Presents..... <*> +<*> <*> +<*> Methods of Phreaking and Telco Security Measures <*> +<*> <*> +<*> June 16, 1988 1:30 am <*> +<*> <*> +<*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*> + + +(formatted to 80 Columns) + + + + Dedication: This phile is dedicated to all those great phreakers who +taught me all of this, and to all of the newcomers being born to the phreak +world. For the legends, it is here as their legacy, and for the newcomers, I +hope they will use it as their guide in times of trouble, and may there +always be phreakers in the world. + + +TABLE OF CONTENTS +CHAPTER + I. Introduction: What Telephone Fraud Is + II. Who Does It and Why + III. The Systems That Are Fooled + IV. Electronic Toll Fraud + How Boxes Work + The Blue Box + Operation of a Blue Box + Pink Noise + The Black Box + The Red Box + The Cheese Box + V. Divertors + VI. Private Branch Exchanges + VII. Specialized Common Carriers + SCC Extenders List +VIII. PC Pursuit + How to Originate a PC Pursuit Call + IX. Cellular Phone Fraud + ESN Tampering + Obtaining ESN's + X. CN/A's + CN/A List + XI. Loops + XII. Alliance Teleconferencing + Billing an Alliance Conference + Starting a Conference +XIII. Telephone System Security Measure + ESS Detection Devices + Automatic Number Identification and Centralized + Automatic Message Accounting Tapes + Dialed Number Recorders + Trap Codes + Stopping an FBI Trace + Common Channel Inter-office Signaling + XIV. Laws Governing the Rights of Phreakers + XV. Conclusion + + + + + I. Introduction: What Telephone Fraud Is + Telephone fraud is illegally using the communication facilities of +telephone companies. This is commonly known as "phreaking." The writer's +purpose is to explore the methods of phreaking, and the various security +measures of telephone companies. + + + II. Who Does It and Why + The majority of people who phreak are owners of modems (MOdulators +DEModulators, devices which allow computers to communicate over telephone +lines) and are usually between the ages of twelve and seventeen. When the +person reaches age eighteen, he or she usually stops, since after that age, +if the person in caught, the penalty can become very serious, such as time in +prison, and fines starting at $8000. + Scattered throughout the country are many different computer bulletin +board systems, or BBS's. These are computer systems established by private +users or large organizations for the exchange of public and private messages +and software. Most are not a local call, though. Since the normal user calls +about ten different BBS's, with even the lowest long-distance rates, the +phone bill each month can range from $100 to $1000. The solution is to +phreak. When these people learn how to phreak, they also realize that besides +making free long-distance calls from their home, they can also make free +calls from payphones. They also find that there are many other facilities +that they can used without paying. + + + III. The Systems That Are Fooled + Their are three types of telephone operating systems in the U.S., Step +by Step (SxS), Crossbar (XB), and Electronic Switching System (ESS). They are +described in detail in the following paragraphs. + + Step by Step + Step by Step (SxS) was the first switching system used in America, +adopted in 1918 and until 1978 Bell had over 53% of all exchanges using Step +by Step. A long, and confusing train of switches is used for SxS switching. + + Disadvantages +A. The switch train may become jammed, blocking calls. +B. No DTMF (Dual-Tone Multi-Frequency), to be discussed later. +C. Much maintenance and much electricity. +D. No "Touch-Tone" dialing. + + Identification +A. No pulsing digits after dialing or "Touch Tone". +B. Much static in the connections. +C. No Speed calling, Call forwarding, and other services. +D. Pay-phone wants money first before dial-tone. + + Crossbar + Crossbar has been Bell's primary switcher after 1960. Three types of +Crossbar switchings exist, Number 1 Crossbar (1XB), Number 4 Crossbar (4XB), +and Number 5 Crossbar (5XB). A switching matrix is used for all of the phones +in an area. When someone calls, the route is determined and is connected with +the other phone. The matrix is positioned in horizontal and vertical paths, +organizing the train of switches more effectively, and therefore, stopping +the equipment from jamming. There are no definite distinguishing features of +Crossbar switchings from Step by Step. + + + Electronic Switching System + ESS is the most advanced system employed, and has gone through many +kinds of revisions. The latest system to date is ESS 11a, which is used in +Washington D.C. for security reasons. ESS is the country's most advanced +switching system, and has the highest security system of all. With its many +special features, it is truly the phreaker's nightmare. + + Identification +A. Dialing 911 for emergencies. +B. Dial-tone first for pay-phones. +C. Calling services, including Call forwarding, Speed dialing, and Call + waiting. +D. Automatic Number Identification for long-distance calls (ANI), to be + discussed later. +E. "Touch Tone" + + + IV. Electronic Toll Fraud + The ETF's are electrical devices used to get free long-distance calls. +The devices are more commonly known as colored boxes, and using them is known +as "boxing." Boxing is one of the oldest way to phreak, and therefore, it is +also the most dangerous, since the telephone companies are very much aware of +their existence. Colored boxes are not used only for phreaking. There are +many types which have other uses (such as the Tron Box, which lowers your +electric bill), so only those used in telephone fraud will be discussed. + + How Boxes Work + In the beginning, all long distance calls were connected manually by +operators who passed on the called number verbally to other operators in +series. This is because pulse (rotary) digits are created by causing breaks +in the DC current. Since long distance calls call for routing through +various switching equipment and AC voice amplifiers, pulse dialing cannot be +used to send the destination number to the end local office (CO). + Eventually, the demand for faster and more efficient long distance +service caused Bell to make a multi-billion dollar decision. They had to +create a signaling system that could be used on the LD Network. They had two +options: + +[1] To send all the signaling and supervisory information (eg., ON and OFF +HOOK) over separate data links. This type of signaling is referred to as +out-of-band signaling. + +[2] To send all the signaling information along with the conversation using +tones to represent digits. This type of signaling is called in-band +signaling. + +The second seemed to be the most economical choice, and so, it was +incorporated in ESS. + Then, in the 1960's, when the first ESS systems were employed, a toy +whistle was put in each box of Captain Crunch Cereal as a premium. A young +radio technician in the United States Air Force became fascinated with the +whistle when he discovered that by blowing it into the telephone after +dialing any long distance number, the trunk line would remain open without +toll charges accounting. From then on, any number could be dialed for free. +The truth was that the whistle produced a perfect-pitch 2600 Hz tone, the one +used to signify a disconnect in ESS switching equipment. To overcome the +initial charge for the for the long distance call, he later used toll-free +800 numbers. + Being a skilled technician, Captain Crunch (he began to use the name as +an alias) soon went beyond the simple whistle and experimented with other +frequencies, creating many of the boxes discussed in the following +paragraphs. + + The Blue Box + The "Blue Box" was so named because of the color of the first one +discovered by the authorities. The design and hardware used in the Blue Box +is very sophisticated, and its size varies from a large piece of apparatus to +a miniaturized unit that is approximately the size of a "king size" package +of cigarettes. + The Blue Box contains 12 or 13 buttons or switches that emit the +multi-frequency tones used in the normal operation of the telephone toll +(long distance) switching network. In effect, the the Blue Box can let a +person become the operator of a phone line. The Blue Box enables its user to +originate fraudulent toll calls by circumventing (fooling) toll billing +equipment. The Blue Box may be directly connected to a phone line, or it may +be acoustically coupled to a telephone handset by placing the Blue Box's +speaker next to the transmitter, or the telephone handset. + + Operation of a Blue Box + To understand the steps of a fraudulent Blue Box call, it is necessary +to understand the basic operation of the Direct Distance Dialing (DDD) +telephone network. When a DDD call is originated, the calling number is +identified as an integral part of establishing the connection. This may be +done either automatically by ANI in ESS, or in some cases, by an operator +asking the calling party for his telephone number. This information is +entered on a tape in the Centralized Automatic Message Accounting (CAMA) +office. This tape also contains the number assigned to the trunk line over +which the call is to be made. The information relating to the call contained +on the tape includes the called number's identification, time of origination +of the call, and if the called number answered the call. The time of +disconnect is also recorded. The various data entries with of the call are +correlated to provide billing information for use by the caller's telephone +company's accounting department. + The typical Blue Box user usually dials a number that will route the +call into the telephone network without charge. For example, the user will +very often call a well-known INWATS (toll-free) number. The Blue Box user, +after gaining this access to the network when somebody picks up and in +effect, "seizing" control of the line, operates a key on the Blue Box which +emits a 2600 Hertz (cycles per second, abbreviated as Hz) tone. This tone +causes the switching equipment to release the connection to the INWATS +customer's line. The 2600 Hz tone is the signal to the switching system that +the calling party has hung up. In fact though, the local trunk on the calling +party's end is still connected to the toll network. The Blue Box user now +operates the "KP" (Key Pulse) key on the Blue Box to notify the toll +switching equipment that switching signals are about to be emitted. The user +then pushes the "number" buttons on the Blue Box corresponding to the +telephone number being called. After doing so, he/she operates the "ST" +(Start) key to tell the switching equipment that signaling is complete. If +the call is completed, only the portion of the original call prior to the +operation of the 2600 Hz tone is recorded on the CAMA tape. The tones emitted +by the Blue Box are not recorded on the CAMA tape. Therefore, because the +original call to the INWATS number is toll-free, no billing is rendered in +connection with the call. + + The above are the steps in a normal operation of a Blue Box, but they +may vary in any one of the following ways: + +A. The Blue Box may include a rotary dial to apply the 2600Hz tone and the +switching signals. This type of Blue Box is called a "dial pulser" or "rotary +SF" Blue box. + +B. A magnetic tape recording may be used to record the Blue Box tones. Such a +tape recording could be used in lieu of a Blue Box to fraudulently place +calls to the phone numbers recorded on the magnetic tape. + + All Blue Boxes, except "dial pulse" or "Rotary SF" Blue Boxes, +must have the following four common operating capabilities: + +A. It be able to emit the 2600 Hz tone. This tone is used by the toll network +to indicate, either by its presence or its absence, an "on hook" (idle) or +"off hook" (busy) condition of a trunk line. + +B. The Blue Box must have a "KP" tones that unlocks or readies +the multi-frequency receiver at the called end to receive the +tones corresponding to the called phone number. + +C. The Blue Box must be able to emit DTMF, tones used to transmit phone +numbers over the toll network. Each digit of a phone number is represented by +a combination of two tones. For example, the 2 is 700 Hz and 900 Hz. + +D. The Blue Box must have an "ST" key which consists of a combination of two +tones that tell the equipment at the called end that all digits have been +sent and that the equipment should start connecting the call to the called +number. + + The following is a chart of the multi-frequency (MF) tones produced by +the normal Blue Box. + +700 : 1 : 2 : 4 : 7 : 11 : 2600 X +900 : + : 3 : 5 : 8 : 12 : +1100 : + : + : 6 : 9 : KP : +1300 : + : + : + : 10 : KP2 : +1500 : + : + : + : + : ST : + : 700 : 900 :1100 :1300 :1500 : + + The "Dial Pulser" or "Rotary SF" Blue Box requires only a dial +with a signalling capability to produce a 2600 Hz tone. + + + Pink Noise + Since telephone companies have such advanced equipment to detect Blue +Boxes, to help avoid detection "pink noise" is sometimes added to the 2600 Hz +tone. + Since 2600 Hz tones can be simulated in speech, the detection equipment +of the switching system must be attentive not to misinterpret speech as a +disconnect signal. Thus, a virtually +pure 2600 Hz tone is required for disconnect. This is also the reason why the +2600 Hz tone must be sent rapidly; sometimes, it will not work when the +person called is speaking. It is feasible, though, to send some "pink noise" +along with the 2600 Hz. Most of this energy should be above 3000 Hz. The +pink noise will not reach the toll network, where we want our pure 2600 Hz to +hit, but it will go through the local CO and thus, the fraud detectors. + + The Black Box + The Black Box is the easiest type to build. The box stops a call from +being charged to some one only if it is hooked to the line of the person +being called. + In the normal telephone cable, there are four wires: a red, a green, a +black, and a yellow. The red & green wires are often referred to as tip (T) +and ring (R). + When a telephone is on-hook (hung up) there is approximately 48 volts of +DC current (VDC) flowing through the tip and ring. When the handset of a +phone is lifted, switches close, causing a loop to be connected (which is +known as the "local loop,") between the telephone and the CO. Once this +happens DC current is able to flow through the telephone with less +resistance. This causes a relay to energize and signal to other CO equipment +that service is being requested. Eventually, a dial tone is emitted. This +also causes the 48 VDC to drop down into the vicinity of 13 volts. The +resistance of the loop also drops below the 2500 ohm level. Considering that +this voltage and resistance drop is how the CO detects that a telephone was +taken off hook, how a Black Box works is by allowing the voltage to drop +enough to allow talking, but not enough to signal to the CO equipment to +start billing. To do this, a 10,000 Ohm, .5 Watt resistor is incorporated in +the local loop on the called party's line. + + The Red Box + A Red Box is a device that simulates the sound of a coin being accepted +by a payphone. When a coin is put in the slot of a payphone, the first +obstacle is the magnetic trap. This will stop any light-weight magnetic +slugs. If it passes this, the coin is then classed as a nickel, dime, or +quarter. Each coin is then checked for appropriate size and weight. If these +tests are passed, it will then travel through a nickel, dime, or quarter +magnet as proper. These magnets start an eddy current effect which causes +coins of the appropriate characteristics to slow down so they will follow the +correct trajectory. + If all goes well, the coin will follow the correct path, striking the +appropriate totalizer arm, causing a ratchet wheel to rotate once for every +5-cent increment (eg, a quarter will cause it to rotate 5 times). The +totalizer then causes the coin signal oscillator to readout a dual-frequency +signal indicating the value deposited to the Automated Coin Toll Service +computer (ACTS) or the Traffic Service Position System (TSPS) operator. These +are the tones emitted by the Red Box. + For a quarter, five beep tones are outpulsed for 66 milliseconds (ms). A +dime causes two beep tones for 33 ms, while a nickel causes one beep tone at +also 33 ms. A beep consists of two frequencies, 2200 Hz and 1700 Hz. As with +a Blue Box, Red Box tones can be recorded on a magnetic tape. + Since any call from a payphone is originated with a "ground test," in +which the TSPS operator or the ACTS computer checks for the presence of the +first coin inserted into the phone, by verifying use of the magnetic, weight, +and size traps, when using a Red Box, it is necessary to put in at least one +coin. + + The Cheese Box + A Cheese Box lets a normal telephone emulate a payphone. By emulating a +payphone, using a blue box now becomes safe, because if the CO equipment +recognizes the call as one from a payphone, it does not record it on a CAMA +tape. Since a normal telephone does not have a slot to enter coins, a Red Box +is needed to generate the sound of a coin dropping. + + V. Divertors + A divertor is a special service that allows businesses to "divert" calls +if no one answers after a certain number of rings. For example, a person +calls a company, and nobody answers. After about three rings, a few clicks +are heard, then a few fainter rings are heard. The building receiving the +call has changed from the company to another building, usually somebody's +house. What has happened is that the call has been re-routed from building A +to building B. In effect, the number called is not really changed, but +instead, building A has answered the call, called building B, and connected +the two lines together. If the person in building B disconnects, the caller +is still connected to building A. With the way the divertor equipment works +in the telephone company, the phone line of building A will then emit a dial +tone and the caller has total control of the line, and can originate another +call, charging it to building A. + + + VI. Private Branch Exchanges + A Private Branch Exchange (PBX) is a system of out-WATS (Wide Area +Telephone Service) lines and in-WATS lines. An out-WATS line allows a +business to make as long-distance calls each month for a flat rate. An +in-WATS line is a toll-free number (800 number) that is also leased to +businesses for flat rates. PBX's save corporations much money when their +salesmen, distributors, and franchisees must make many calls from different +parts of the country. It works much like specialized common carriers (to be +discussed later). + First, the employee calls the company on the in-WATS line. The switching +equipment picks up the phone, and send a tone to the employee indicating for +him to enter the access code of the PBX. If the access code is correct, then +the line is connected to the out-WATS line, and the employee can make a call. + To use PBX's, phreakers must find the access code of the PBX. This can +be done very easily, since the code is usually only a few digits. One way is +to dial different combinations manually on the telephone keypad. The other +way is of the phreaker is the owner of a modem. A simple program can be +easily written to continuously dial digit combinations randomly or +sequentially. + + + VII. Specialized Common Carriers + Ever since the break up of AT&T's monopoly on long-distance service, +there have been many other corporations that compete with AT&T in the +long-distance market, including Sprint, MCI, All-net, ITT, and Metrophone. +These all boast opportunities for large savings on long-distance calls. These +companies are called specialized common carriers (SCC's). + SCC's cost less because they do not use the AT&T's cable-based systems, +but instead use microwave links. Some have also added fiber-optic lines to +their networks. + Another way they can save consumers money is by using AT&T's lines. +Instead of connecting calls by the shortest route, the carrier will use a +different route, so the call goes through places where the long-distance +traffic is heavy, and the rate is lower. The companies that do this are known +as "resellers." + Most SCC's work nearly the same as PBX's. The 800 number is called, a +tone is heard, the private identification number (PIN) is entered, and then +the call can be made. The length of the PIN number can range from four digit +to fourteen digits. + Besides 800 toll free numbers, in some areas, a 950 can be used. A 950 +works exactly the same as an 800 number, the only difference is that the +consumer must enter only seven digits before dialing his PIN number instead +of ten with a toll-free number. 950's are free of charge and can be used both +at home and at pay phones. + The PIN numbers can be found the same way as PBX access codes. Since the +number of digits in a PIN is so great, using a computer is much more common +practice than manual dialing. + The following pages are lists of SCC's and their dialups, formats, and +special points. Note that some have many different dialups. + + + +============================================================================= +[ SCC Extenders List ] +[ 0-9 - Number of digits in code ] +[ [ ] - Dial that exact number ] +[ # - Area code + Prefix + Suffix ] +[ : - Dial tone ] +[ + - ontinue dialing ] +============================================================================= +| Extender | Dialing Format | Company | Comments | +----------------------------------------------------------------------------- +| 800-223-0548 | 8+[1]+# | TDX | | +| 800-241-1129 | 8+[1]+# | TDX | | +| 800-248-6248 | 6+[1]+# | SumNet Systems | (800)824-3000 | +| 800-288-8845 | 7:[1]+# | TMC Watts | (800)999-3339 | +| 800-325-0192 | [1]+#+6 | MCI | 950-1986 | +| 800-325-1337 | 7:[1]+# | TMC Watts | | +| 800-325-7222 | 6+[1]+# | Max | (800)982-4422 | +| 800-325-7970 | 6+[1]+# | Max | (800)982-4422 | +| 800-327-4532 | 8+# | All-TelCo | | +| 800-327-9488 | #:13 | ITT | 950-0488 | +| 800-334-0193 | [9]+# | Piedmont | | +| 800-345-0008 | [0]+#:14 | US Sprint FON Cards |950-1033 also 9+#| +| 800-368-4222 | 8+# | Congress Watts Lines | | +| 800-437-7010 | 13 | GCI | | +| 800-448-8989 | 14+[1]+# | Call US | | +| 800-521-8400 | 8:# | TravelNet | 950-1088 (voice)| +| 800-541-2255 | 10 | MicroTel | | +| 800-547-1784 | 13 | AmericaNet | | +| 800-621-5640 | 6+[1]+# | ExpressTel | | +| 800-637-4663 | 5+[1]+# | TeleSave | | +| 800-821-6511 | 5+[1]+# | American Pioneer | (800)852-4154 | +| 800-821-6629 | 6+[1]+# | Max | (800)982-4422 | +| 800-821-7961 | 6+[1]+# | Max | (800)982-4422 | +| 800-826-7397 | 6:[1]+# | Call U.S. | | +| 800-858-4009 | 6+[1]+# | NTS | Voice | +| 800-862-2345 | 7:[1]+# | TMC | | +| 800-877-8000 | [0]+#:14 | US Sprint Calling Card|950-1033 also 9+#| +| 800-882-2255 | 6:[1]+# | AmeriCall | False Carrier | +| 800-950-1022 | [0]+#:14 | MCI Calling Card | | +| 800-992-1444 | 9+# | AllNet | 950-1444 | +============================================================================= + + + VIII. PC Pursuit + Many modem users know Telenet as a packet-switching network through +which they can connect to different telecommunication services throughout the +country for an hourly rate of $2. With PC Pursuit, Telenet uses the same +method as SCC's, but instead of using microwave links, the call is routed +through computers. Since it is routed through computers, the service can be +used by only owners of modems. Instead of paying the hourly rate, the +consumer needs only to pay a flat monthly rate of $25. + Using PC Pursuit is a little more difficult than using SCC's, because +now instead of combinations of only ten different characters (0-9), the whole +alphabet can be used in the access code. The following is a chart showing the +steps to originate a typical PC Pursuit call. + + How to Originate a PC Pursuit Call + First, the users dials the local Telenet Access Center, which can be +found by dialing Telenet customer service at 1-800-336-0437. + +Then: + +Note: (cr) signifies the carriage return on a computer keyboard. + +Network Shows | User Types | Explanation +__________________|____________________________|_____________________________ + | (cr) (cr) | +__________________|____________________________|_____________________________ +TELENET | | Telenet network called and +XXX XXX | | your network address. +__________________|____________________________|_____________________________ +TERMINAL= | "D1" (cr) | Enter "D1" or press (cr) +__________________|____________________________|_____________________________ +@ | For 300 bps: | CONNECT command. To access + | "C(sp)DIALXXX/3,XXXX(cr)" | a PC Pursuit city type a PC + | | Pursuit access code and + | For 1200 bps: | your user ID. + | "C(sp)DIALXXX/12,XXXX(cr)" | +__________________|____________________________|_____________________________ +PASSWORD= | "XXXXXX" (cr) | Type the password +__________________|____________________________|_____________________________ +DIALXXX/X | "ATZ" (cr) | You are now connected to the +CONNECTED | | PCP city. Type ATZ (upper). +__________________|____________________________|____________________________ +OK | "ATDTXXXXXXX" (cr) | Dials a number in PCP city +__________________|____________________________|____________________________ +CONNECT | | Your are now connected to + | | your destination computer. +__________________|____________________________|____________________________ + + If the number dialed is busy, the user will see BUSY. To call another +number in the same city, the user types "ATZ." The network will answer OK. +The user then types "ATDTXXXXXXX" (cr) to dial the next number. + To connect to a different PC Pursuit City, when the user sees BUSY, he +types "@" (cr). When a @ appears, "D" (cr) is entered. This disconnects the +user from the previous city. The user then follows the above procedures to +dial another city. + + IX. Cellular Phone Fraud + Cellular phones have evolved considerably from previous systems. +Signaling between mobile and base stations uses high-speed digital techniques +and involves many different types of digital messages. The cellular phone +contains its own Mobile Identification Number (MIN), which is programmed by +the seller or service shop and can be changed when, for example, the phone is +sold to a new user. In addition, the U.S. cellular standard incorporates a +second number, the Electronic Serial Number (ESN), which is intended to +uniquely and permanently identify the mobile unit. + According to the Electronic Industries Association (EIA) Interim +Standard IS-3-B, Cellular System Mobile Station Land Station Compatibility +Specification, the serial number is a 32-bit binary number that uniquely +identifies a mobile station to any cellular system. It must be factory-set +and not readily alterable in the field. The circuitry that provides the +serial number must be isolated from fraudulent contact and tampering. +Attempts to change the serial number circuitry should render the mobile +station inoperative. + The ESN was intended to solve two problems the industry observed with +its older systems. First, the number of subscribers that older systems could +support fell far short of the demand in some areas, leading groups of users +to share a single mobile number (fraudulently) by setting several phones to +send the same identification. Carriers lost individual user accountability +and their means of predicting and controlling traffic on their systems. + Second, systems had no way of automatically detecting use of stolen +equipment because thieves could easily change the transmitted identification. + In theory, the required properties of the ESN allow cellular systems to +check to ensure that only the correctly registered unit uses a particular +MIN, and the ESNs of stolen units can be permanently denied service +("hot-listed"). This measure is an improvement over the older systems, but +vulnerabilities remain. + + ESN Tampering + Although the concept of the unalterable ESN is laudable in theory, +weaknesses are apparent in practice. Many cellular phones are not +constructed so that attempts to change the serial number circuitry renders +the mobile station inoperative. Contrary to this statement, swapping of one +ESN chip for another in a unit that has been found to functione flawlessly +after the switch was made. + + Obtaining ESN's + Since most manufacturers are using industry standard Read-Only Memory +(ROM) chips for their ESNs, the chips are easily bought and programmed or +copied. In programming the ESN with a valid code is another matter. +Remembering that to obtain service from a system, a cellular unit must +transmit a valid MIN (telephone number) and (usually) the corresponding +serial number stored in the cellular switch's database. With the right +equipment, the ESN/MIN pair can be read right off the air because the mobile +transmits it each time it originates a call. Service shops can capture this +information using test gear that automatically receives and decodes the +reverse, or mobile-to-base, channels. + Another way to obtain the numbers is from service shops. Service shops +keep ESN/MIN records on file for units they have sold or serviced, and the +carriers also have these data on all of their subscribers. Unscrupulous +employees could compromise the security of their customers' telephones by +obtaining these records. + In many ways, trade in illegally obtained ESN/MIN pairs could, in the +future, resemble what currently transpires in the long distance telephone +business with AT&T credit card numbers and alternate long-distance carrier +(such as MCI, Sprint and Alltel) account codes. Code numbers are swapped +among friends, published on computer bulletin boards and trafficked by career +criminal enterprises. + + + X. CN/A's + CN/A's, which stands for Customer Names and Addresses, are bureaus that +exist so that authorized Bell employees can find out the name and address of +any customer in the Bell System. All phone numbers are maintained on file +including unlisted numbers. + To find the owner of any number, the person first must call the local +CN/A during business hours. Then he must pretend to be from a registered +business, and ask for the owner of the number. In some states, though, the +operator will ask for an ID number. In these cases, one must be guessed at. + There is also a type of reverse CN/A bureau, which is usually called a +NON PUB DA or TOLL LIB. With these numbers, somebody can find unpublished +numbers if the caller gives the operator the name and locality. These are +considerably harder to use, since the operator will then request the caller's +name, supervisors name, etc. + The following is a list of current CN/A's. + +_____________________________________________________________________________ + + 1988 CN/A List (subject to change) +_____________________________________________________________________________ + +Area: CN/A Area: CN/A Area: CN/A + 201: Classified 202: 304-343-7016 203: 203-789-6815 + 204: 204-949-0900 206: 206-345-4082 207: 617-787-5300 + 208: 303-293-8777 209: 415-781-5271 212: 518-471-8111 + 213: 415-781-5271 214: 214-464-7400 215: 412-633-5600 + 216: 614-464-0519 217: 217-789-8290 218: 402-221-7199 + 219: 317-265-4834 301: 304-343-1401 302: 412-633-5600 + 303: 303-293-8777 304: 304-344-8041 305: 912-752-2000 + 307: 303-293-8777 308: 402-221-7199 312: 312-796-9600 + 313: 313-424-0900 314: 816-275-8460 316: 913-276-6708 + 317: 317-265-4834 318: 504-245-5330 319: 402-221-7199 + 401: 617-787-5300 402: 402-221-7199 404: 912-752-2000 + 405: 405-236-6121 406: 303-293-8777 412: 412-633-5600 + 413: 617-787-5300 414: 608-252-6932 415: 415-781-5271 + 416: 416-443-0542 417: 816-275-8460 418: 614-464-0123 + 419: 614-464-0519 501: 405-236-6121 502: 502-583-2861 + 503: 206-345-4082 504: 504-245-5330 505: 303-293-8777 + 509: 206-345-4082 512: 512-828-2501 513: 614-464-0519 + 514: 514-394-7440 515: 402-221-7199 517: 313-424-0900 + 518: 518-471-8111 519: 416-443-0542 601: 601-961-8139 + 602: 303-293-8777 603: 617-787-5300 605: 402-221-7199 + 606: 502-583-2861 607: 518-471-8111 608: 608-252-6932 + 609: Classified 612: 402-221-7199 613: 416-443-0542 + 614: 614-464-0519 615: 615-373-5791 616: 313-424-0900 + 617: 617-787-5300 619: 415-781-5271 701: 402-221-7199 + 702: 415-543-2861 703: 304-344-7935 704: 912-752-2000 + 705: 416-443-0542 707: 415-781-5271 712: 402-221-7199 + 713: 713-961-2397 715: 608-252-6932 716: 518-471-8111 + 717: 412-633-5600 718: 518-471-8111 801: 303-293-8777 + 802: 617-787-5300 804: 304-344-7935 805: 415-781-5271 + 806: 512-828-2501 809: 404-751-8871 812: 317-265-4834 + 813: 813-228-7871 814: 412-633-5600 815: 217-789-8290 + 816: 816-275-8460 817: 214-464-7400 901: 615-373-5791 + 904: 912-752-2000 906: 313-424-0900 912: 912-752-2000 + 914: 518-471-8111 916: 415-781-5271 + 918: 405-236-6121 912: 912-752-2000 +_____________________________________________________________________________ + + + + XI. Loops + The loop is an alternative communication medium that has many +potential uses. Loops are phone lines that are connected when they are called +simultaneously. One use is when somebody wants another person to call them +back but is reluctant to give out their home phone number (eg., if they were +on a party line). + Loops are found in pairs that are usually close to each other (eg., +718-492-9996 and 718-492-9997). On a loop, one line is the high end, and the +other is the low end. The high end is always silent. The tone disappears on +the low end when somebody calls the high end. + It is truly only safe to use a loop during non-business hours. During +business, loops are used to test equipment by various telephone companies and +local CO's. + + + XII. Alliance Teleconferencing + Alliance Teleconferencing is an independent company which allows the +general public to access and use its conferencing equipment. + + Billing an Alliance Conference + Alliance Teleconferencing is accessed by dialing 0-700-456-1000 in most +states. In some states, the first and last digits of the suffix vary. There +are four main ways to use Alliance illegally. The first is through a PBX. +Some allow use of the 700 exchange, but many do not. + The second way is with a Blue Box. After seizing the line, +KP-0-700-456-1000-ST is dialed. The equipment now thinks that Alliance has +been dialed from a switchboard and bills the conference to it. + The third way is to a loop. After being connected to Alliance, the +caller contacts the operator by pressing 0. The caller then can ask for the +conference to billed to another number, giving the operator the number of the +high-end of a loop. The operator will then call the loop. A friend of the +phreaker must be prepared to answer the call by calling the low-end. When the +friend answers and accepts the billing, the conference will be billed to the +loop. + The fourth way is from a divertor. Since the divertor is a normal, +home-type line, the phreaker should not have any problems starting a +conference. + + + Starting a Conference + When Alliance answers, a two-tone combination is emitted. The caller +then types a two digit combination to tell the equipment how many people will +be in the conference, including the originator. Then either # is pressed to +continue or * is pressed to cancel the conference. To dial a each conferee, +the phreaker simply answers each prompt with the phone number of the +corresponding person. + To join the conference, the originator enters #, and to return to +control mode, he enters # again. To transfer control of the conference, +#+6+1+ the phone number of the person you wish to transfer the control to. To +end the conference, the phreaker presses the * button. + + + XIII. Telephone System Security Measures + To stop telephone fraud, there are many measures which telephone +companies can apply to identify and convict the phone phreaker. + + ESS Detection Devices + Telephone companies have had twenty years to work on detection devices; +therefore, they are well refined. Basically, the detection devices will look +for the presence of 2600 Hz where it does not belong, which is in the local +CO. It then records the calling number and all activity after the 2600 Hz. + + Automatic Number Identification and the Centralized Automatic Message + Accounting Tapes + Automatic Number Identification (ANI) is an implement in ESS that can +instantly identify the calling party. For every call that is made, +information including the numbers of the calling and receiving parties, the +time of origination of the call, if the called party answered the call, and +the time when the caller has hung-up is recorded on a tape in the Centralized +Automatic Message Accounting (CAMA) office. This includes wrong numbers, +toll-free numbers, and local calls. This tape is then processed for billing +purposes. + Normally, all free calls are ignored, but the billing equipment has been +programmed to recognize many different types of unusual activity. One checks +if a certain 800 number is called excessively. If the number is an SCC, the +equipment can instantly check if the caller is a subscriber of the SCC. If it +is not, it will alert the company of the illegal activity. Another is if +there is a call where the calling party has stayed off-hook for a large +amount of time, but the called party never answers. The equipment recognizes +this as possible use of a Black Box. + + Dialed Number Recorders + Placing a Dialed Number Recorders (DNR) on a telephone line is standard +procedure when telephone fraud is suspected. The most common DNR's can do the +following: print all touch tone digits sent (in suspected illegal use of an +SCC), print out all MF and record the presence of 2600hz on the line (in +suspected use of a Blue Box), and activate a tape recorder for a specific +amount of time. + + Trap Codes + Trap codes are decoy PIN numbers. If a telephone company find that a +certain PIN number is being used illegally, it will call the real owner and +notify him of the change in his account number. The company will then contact +the FBI to bring their telephone "lock in" trace equipment. + A lock in trace is a device used by the FBI to lock into the phone +user's location. Since all phone connections are held open by a certain +voltage of electricity, +the lock in trace works by patching into the line and generate the same +voltage into the lines. If the caller tries to hang up, voltage is retained. +The phone will continue to ring as if someone was calling even after the call +is disconnected. The trunk then remains open and the call can be traced. The +FBI sets its equipment so that the next time the PIN number is illegally +used, the call goes through, but while + the communication is proceeding, the +FBI traces the call. + + Stopping an FBI Trace. + Stopping a trace is quite simple. If the voltage in the line could be +lowered, the trace could not function, since lowering the voltage would also +probably short out the FBI voltage generator. Therefore, any appliance which +uses many volt can be connected to the red and green wires in a wall jack, +and the trace should be removed. + + Common Channel Inter-office Signaling + Besides detection devices, Bell has begun to gradually redesign the +network using out-of-band signaling. This is known as Common Channel +Inter-office Signaling (CCIS). Since this signaling method sends all the +signaling information over separate data lines, and does not use any form of +DTMF, all colored boxes do not work under it. Of course, until this +multi-million dollar project is totally complete, boxing will still be +possible. It will become progressively harder to find places to "box" off of, +though. + + + XIV. Laws Governing the Rights of Phreakers + Since phreaking is one-hundred percent illegal, once discovered, there +are not many laws protecting the phreaker. There are, however some laws +governing steps government agents may take to convict him. + The first law is the Section 605 of Title 47 of the United States Code. +This section forbids interception of communications, except by persons +outlined in Chapter 119, Title 18, which is a portion of the Omnibus Crime +Control and Safe Streets Act of 1968. + In this chapter, Section 2511 (2) (a) (i) says "It shall not be unlawful +under this chapter for an operator of a switchboard, or an officer, employee, +or agent of any communications carrier, whose facilities are used in the +transmission of a wire communication, to intercept, disclose, or use that +communication in the normal course of his employment, while engaged in any +activity which is a necessary incident to the rendition of his service of the +protection of the rights or property of the carrier of such communication." +This means that agents of telephone companies are allowed not only allowed to +tap lines without a warrant, but also allowed to disclose the recording of a +communication. + In the case United States vs. Sugden, the following ruling was made: +"For an unreasonable search and seizure to result from the interception of +the defendant's communication, he must have exhibited a reasonable +expectation of privacy. Where, as here, one uses a communication facility +illegally, no such expectation is required." This simply means that when you +make an illegal call, you have waved your right to privacy. + +[SuperTac/42]:View Files... + +[ Select File, or ? ]: 14 + +..The Liberator- 914/353-4256.. + + + + The only limit on tapping lines is that it must not be excessive. For +example, in the case Bubis vs. United States, the telephone company monitored +all of the defendant's phone calls for a period of four months. The court +acknowledged the phone company's right of the "protection of the rights and +property of the carrier of such communication," but ordered the evidence +suppressed because the extent of the monitoring was excessive. + Lastly, the limit of the monitoring was set. In the case United States +vs. Bubis, the court ruled, "Thus, it would appear that the tape recordings +of the defendant's conversation had been limited by the phone company to +establish that the calls were in +violation of the subscription agreement (were illegal), and to the +identification of the person using the phone, and for those purposes only, +then the tapes would have been admissible against the defendant." This means +that the telephone company cannot monitor more than the first five minutes of +the communication. + + + XV. Conclusion + With the advent of many new security features, in the near future, we +may see the end of phreaking. Incorporating CCIS has already begun to +eliminate the use of boxes. The use of longer codes may one day bring illegal +use of SCC's and PBX's to a minimum. Improvement in divertor and loop +equipment will ultimately bring an end to their abuse. Even though telephone +fraud could very well become a memory, in every teenage telecommunicator's +mind, there will always be a Captain Crunch, thinking of a way to "beat" the +system. Such legends as the Captain and Joe the Whistler (the blind phreaker +with perfect pitch), will be remembered forever. + + + +[SuperTac/42]: + \ No newline at end of file diff --git a/textfiles.com/phreak/PHREAKING/johnny.phk b/textfiles.com/phreak/PHREAKING/johnny.phk new file mode 100644 index 00000000..2dd4b916 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/johnny.phk @@ -0,0 +1,33 @@ +Msg. :343 +About :WHEN I WAS YOUNG... +From :ROGER OLSON +To :ALL CALLS +Date :3/19/83 + +When I was young, and in my prime, I used to phreak all the time For the +beneifit of <> users on this BBS, the phone company did not go into +business yesterday! Some of us were phreaking i n the days of manual service. +Chicago, Illinois had manual service through the early fifties in a few +exchanges. As a twelve year old kid, my buddies and I <> to use the +payphone at the corner drugstore to phart around. The payphones were easy to +fool. "Area codes" and "direct dialing" of long distance calls did not start +anywhere until 1962...did know that? You called the operator for long +distance and she would say put x amount of coins in the box. We would put in +the first couple of quarters, and out would come the coat hanger which went up +the return slot (no traps on the doors then, like now) and the coat hanger +would trip the little metal catch box inside and return the quarters.."...just +a minute operator! I am looking for more change!!...." and the same quarters +would be used over and over until the two or three dollars desired had been +"deposited". Then, be quick and get the quarters out again before the operator +had a chance to collect them. The operator would grow impatient waiting for +you to get all the money "deposited", but as I got experienced with that bent +peice of wire I could get two bucks in the phone and out of the phone in record +time. The switchboards used for operating the coin phones had two special keys +- one to press for collecting the coins and one to press for returning the +coins. Sometimes the operator would also screw up and hit the return key by +accident after you were finished speaking on the call. Other times she would +screw up and collect on an incomplete call. They were so in those +days all you had to do was use a phone and say, "operator I have a credit +coming". They belived you! +Call The Works BBS - 1600+ Textfiles! - [914]/238-8195 - 300/1200 - Always Open + \ No newline at end of file diff --git a/textfiles.com/phreak/PHREAKING/lawsofph.txt b/textfiles.com/phreak/PHREAKING/lawsofph.txt new file mode 100644 index 0000000000000000000000000000000000000000..148a83afaabf2a3c279120233c623abef78e8f12 GIT binary patch literal 4762 zcmb`L+iu%P5{7e4fbY<-v6J0_6!;uFz+Tvz81W!+29|b{*}E3m5*sGFxlPit^7Q*v zQ=)9|OpuF_4O-g7S)!yI#p;wyhs~>so4}#Oe`_{UpQqw|*``69$<2%9r^N)Jf zD8G0vB!5M_gI1+}D}vGYDE{z4XY%{$k(XMZK700F1b^(6CMr#S{&}LyQcVt~pFU6D zspG@r@%icL_~7W^SRQ_M>MD4huk`wzIypQYpT0dDzdblT<0#*=!l;EWOTQ9#budb+ z#Dm!0D&w6|g>F<l5!wHTOE?q+E(yf`dlQyJr1FCIA2(z(;geqi%ajS&Hj?8&8aS)0Xol(_~E2Ap)(b zY9Dm4L6iw$gn5@Na9Xvh=GIfc)Si3%BX~LP(XMA3gQvkOrJOCrhbbp{=X(DI<6cI%+ zUC+%2Ki6}B+1t-`t3?$c1_S8(*VSm(WkXPLo0dW!nxh`~v8IjV0K^b6bpOnLejjTX^`%ne;c14_~;t~BljMEK>2yj0FE3xOl_<#LhRfV6iUf^q-_ctjEE z4^t13+$>_}0g-Y*moN~$4&^kWO)Ac>+zRWGEhvO+L%i+%S_ggV3u{kfd;1n)IV- z5EnlS&W|gd!%FMmTay*eW^f9%OcV21mtY+>G7Ow9Q2XI=@G`@m zRDjvhx3RF3a5b@Fj#wuFu9<7*MO#>Rul6S1wRE1Ez+X&bC~Z%zWQKzIH2I_-M>H)I zu^Ez+!kWe4##JdW>*+T4u^!Yc{@dvw9z-r& zhJKI8f!K?{C2h=q8JhcXY{r(BiW=&(tEiy#)<;i9>c+1q^g52)G`SDJLIQ~^r5ddj^0t!D2L`KC6T{4n4 zN4DB_Q+u;e^v0fOoSLkQ(`!k#7{ys(sDU7@W&RYjJ^=}(U(SA-MKtgOlEH7i9;@g@ z@3R1-uTM3^E2xA)=Oi)nwFOyBnk+y*t$a>;?i9Un8|uB*wxKFdt~T&?P;wCFJp%;nNT<-3zuwT&6@I8 z(R5Q&+cY_%zdGtkENckI1RHjYT*7d>2aEg0DwDw@uPu7CidnaQ7yYe)8!yF=ku@2FBXBn76 zx(4YHMvR`488P>dL!z$PN@Ci#yQ&D=Ox7-V@X79Ios>^lIcl~}gKehVpeee_X}K9} z9drxZWC(4N+3y2e51*gxH#MfF>Dgitn74&x+hpgB%P3=4wrzk!v@G`Ut=vx3G3=iv zUoK};Ra$sP#!%DG#ENom_RWchx8tsGcyWF@+`NW6VZ0Ki$*WhdP$pkr$N&7xzP^e= zb;%TjYWq!47Uq%*8Zj+`uigzF{qdXIo4bEs-d;M>{=KdK5!L+^nPkQi&Jws;GN<%E zcPV=KeaYSvfR<9fn#DqW;C_Sc;dOd=FupkEUU+_Tif?zM^#i;YeH~=~+`Xc*^W*W! z;lWWX0sl#;O~&$Kze&zvX!rt5HagywN3zM#Cc@oAua8s#4B5C@85+5>GL|+bbjUOS zzIT3AntaKYS$kr)AX+wbmJ8cdBUngG@Plpiv5VQ+>0qLW4tQ0XSlsA00w^QrZeIz_ zzEPJSKaOYbzs}Uv)l^M?pU&QYn$nNr$#utE;X-V<=-@PH<>Eb#o1AnOmf2pu7}k3C znx#}Tnjs+ZIbN`&Hz9%Ep*YWDyUOjHbUgf fc2#)(ZtqU7)Gu;16KCa*Te;FVdlJoG+{6C^VJwyy literal 0 HcmV?d00001 diff --git a/textfiles.com/phreak/PHREAKING/mail-frd.mia b/textfiles.com/phreak/PHREAKING/mail-frd.mia new file mode 100644 index 00000000..d5105292 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/mail-frd.mia @@ -0,0 +1,211 @@ + + ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ + ³ÜÛÛÛÛÛÛÛÛÜ ÜÛÛÜ ÜÛÛܳ + ³ÛÛÛß ßÛÛÛ ÛÛÛÛ ÛÛÛÛ³ + ³ÛÛÛÜ ÜÛÛÛ ÜÛÛÛÛÛÛÛÜ ÛÛÛÛ ÛÛÛÛ³ + ³ÛÛÛÛÛÛÛÛÛß ÛÛÛÛßßßÛÛÛÛ ÛÛÛÛÜÛÜÛÛÛÛ³ + ³ÛÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛÛÛÛÛÛÛÛÛ³ + ³ßÛÛß ÛÛÛ ÛÛÛ ßÛÛß ßÛÛß ³ + ³ ÛÛÛÛÜÜÜÛÛÛÛ ³ + ³ ßÛÛÛÛÛÛÛß ³ + ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´ + ³ ÜÛÜ ³ + ³ ÛÛÛÛÛ ³ + ³ÜÛÛÜ ÜÛÛÜ ÛÛÛÛÛ ÜÛÛÛÛÛÛÛÜ ³ + ³ÛÛÛÛÛÜÛÛÛÛÛ ÛÛÛÛÛ ÛÛÛÛßßßÛÛÛÛ³ + ³ÛÛÛÛÛÛÛÛÛÛÛ ÛÛÛÛÛ ÛÛÛÛÜÜÜÛÛÛÛ³ + ³ÛÛÛÛ ß ÛÛÛÛ ßÛß ÛÛÛÛÛÛÛÛÛÛÛ³ + ³ÛÛÛÛ ÛÛÛÛ ÛÛÛÛ ÛÛÛÛ³ + ³ßÛÛß ßÛÛß ßÛÛß ßÛÛß³ + ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ + *Phreakers Of The World* + *Men In Anarchy* + * Never Pay 29 Cents Again * + *Written by .\\…sçr* + *October 10,1993* + + +---------- +Disclaimer +---------- + By reading this file you agree to take full responsibility for your +actions and that no blame shall be placed on either Phreakers Of The World/ +Men In Anarchy, or .\\aster for your actions. PoW/MiA denounces fraud, and +all other forms of criminal activity. This file is intended for Information and entertainment +purposes only. + +------------ +Introduction +------------ + If you've ever paid 29 Cents to mail a letter, you've been wasting your +money. In a recession year such as this one, especially, it's important not +to let your hard earned dollars (and cents) go to another beauracracy. + Twenty Nine Cents is not an aweful lot to save, but if you send ten +letters a week, you could save up to $150. If you send only 8 (The national +average) You could save $120, and so on. This file will describe the four +methods I know of for avoiding or greatly reducing postage fees. Be counted +and count your savings! + +Û²- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -²Û + + + All us Americans know that sometimes blind people can be discriminated +against. The government understands this too, and since mailing packages can +be expensive, the government has decided to allow blind people to send their +mail for free. "How Generous of Them!" You think. Wrong! They're paying +for it with your tax money! You pay your taxes, why shouldn't you be able +to send your packages free too? Well, now you can. Here's how to do it. + + Address your envelope like you normally would, but in the corner where +you would normally put the stamp, write in neat print "FREE MATTER FOR THE +BLIND." Now drop your package in one of those blue mailboxes you'll find +on any street corner. It really works. + + The government isn't being that nice, though. Packages stamped "FREE +MATTER FOR THE BLIND" are sent at library rate, which is below Third Class! +To send a letter locally will take anywhere from two to five days, national- +ly will take considerably longer. + +This is what your letter should look like: +_____________________________________________________________________________ +| The BeLL'S iNC BBS FREE MATTER FOR | +| PoW/Mia WoRLD HQ THE BLIND | +| [4o7.Need.ReFS], Il. | +| | +| | +| .\\…ggëç PoW/Mia FouNDeR | +| PoW/Mia FouNDeRSHiP | +| [7o8.PRi.VATe], Il. | +| | +| | +| | +_____________________________________________________________________________ + + + + +Û²- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -²Û + + This method is kind of obvious, but in my experience, it has worked. +However, it won't work if you're trying to send letters nationally, it'll +only work if the two addresses share the same post office. Write your +letter, and put it in the envelope. Now, instead of writing your name in +the return address spot, write your name in the addressee spot, on the +center of the page. Write the addressee's name in the return address spot. + Now drop it in the mailbox without any postage. Guess what's going +to happen. The letter will be returned to the sender who, in this case, +seems to be the addressee. + +Here's what your letter should look like: +_____________________________________________________________________________ +| .\\…ggëç PoW/Mia FouNDeR [Addressee] [No Stamps Here]| +| PoW/Mia FouNDeRSHiP | +| [708.PRi.VaTe], Il. | +| | +| | +| áll's I¤‡. ááS [Sender] | +| PoW/Mia WoRLD HQ | +| [4o7.NeeD.ReFs], Il. | +| | +| | +| | +_____________________________________________________________________________ + + +Û²- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -²Û + + Both of the above methods are slow, but if you'd like to send your mail +at normal first class rates, here's a way to do it. This way doesn't save +you money, though, unless the recipient agrees to give. + + Before sending your letter, coat the front side of the stamps with glue +(Elmer's works fine.) It's best to use a stiff bristled brush dipped in the +glue to coat the stamps with. It will take about twenty minutes to dry. +Once the stamps have dried, stick them on your letter and mail it. The glue +has created a coating that can not be seen by the eye, but will protect the +stamps from being destroyed by the cancellation mark. When the letter +arrives at it's destination, the recipient can remove the coating with water, +take the stamps off the envelope, and reuse the stamps. + + +This is a diagram of what your letter should look like. It'd look just like +a normal letter, you can see.. But the 29 Cent stamp must be coated with +glue. + +_____________________________________________________________________________ +| áll's I¤‡. ááS | 29 | +| PoW/Mia WoRLD HQ | Cent | +| [4o7.NeeD.ReFs], Il. | Stamp| +| |______| +| | +| .\\…ggëç PoW/Mia FouNDer | +| PoW/Mia FouNDeRSHiP | +| [7o8.PRi.VATe], Il. | +| | +| | +| | +_____________________________________________________________________________ + + + + +Û²- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -²Û + + The US Postal Service, as you may or may not be aware, is a private +corporation. Congress has the power to set postal rates, not the Post +Office. This is stated in Section 8 of the US Constitution. Last time +congress set postal rates, they set them at two cents. So two cents +is all you legally have to pay for mailing your letters. Try it out, +this really works! + Get some a set of those stamp letters with the alphabet on them, or +get the rubber stamps specially made up by your local printer. Use Red +ink to stamp "FIRST CLASS MAIL" and "NON-DOMESTIC" on the top or left +hand side of your envelope, and black or blue ink to stamp: +"TWO CENT POSTAGE + 12 STATUTES AT LARGE + CHAPTER 71, SECTION 23 + LOCAL/DROP LETTER + 81 U.S. STATUTE 613" +One of the keys to making this work is that it seem official looking. It +works for me, but if you drop twenty letters in the same mailbox all like +this, it's less likely to work. + +Your envelope should look like this: + +_____________________________________________________________________________ +| áll's I¤‡. ááS |2 Cent| +| PoW/Mia WoRLD HQ |Stamp | +| [4o8.NeeD.ReFs], Il. |______| +| Two Cent Postage| +| 12 Statutes at Large| +| FIRST CLASS MAIL MeGaDeTH PoW/Mia #2 Chapter 71, Section 23| +| NON-DOMESTIC PoW/Mia Site #2 Local/Drop Letter| +| [7o8.PRi.VATe], Il. 81 U.S. Statute 613| +| | +| | +| | +_____________________________________________________________________________ + +Û²- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -²Û + +Thank you for reading this PoW/Mia file, I hope it saves you many a 29 Cents. +Look out for other PoW/Mia files, coming to a bbs near you, but until then, +check out 7o8 Code aNaRCHy, Mia Anarchy, The PoW T-Files, and PoW +Viruses 1-6. Look out for the Official PoW/Mia Mag, coming to you sometime +This Year. + + .\\…sçr + PoW/Mia ’¤…r‡h¡sç/Phr…kr/PRëM…¥¡…/’—çhër + S˜s™p: áll's I¤‡. ááS + + /\/\…ggëç + PoW/Mia Fë—¤dr/’¤…r‡h¡sç/PRëM…¥¡…/’—çhër + +Û²- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -²Û + + [Pow/Mia]... Phreakers Of The World/Men In Anarchy [tm] + (C) Copyright 1993. All rights reserved. + +Û²- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -²Û + + \ No newline at end of file diff --git a/textfiles.com/phreak/PHREAKING/manual1.txt b/textfiles.com/phreak/PHREAKING/manual1.txt new file mode 100644 index 00000000..d1fe1e74 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/manual1.txt @@ -0,0 +1,6599 @@ + + + The Official Phreaker's Manual + + + + + + + + + + + + + + + + + + + + + + The Official Phreaker's Manual V1.1 + Updated 2/14/87 + Compiled, Wordprocessed, and Distributed by: + The Jammer + and + Jack the Ripper + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 1 + + + + + The Official Phreaker's Manual + + Introduction + + What precedes this introduction is what I have termed "The Official +Phreakers Manual", while it may not be. Many times I have been on a BBS, which +has files claiming to have summed up all the ways to phreak in the U.S. and +abroad, well those were pretty lame and a couple pages long. Now after many +relentless hours of work, I have done it. This is an informative file and the +authors of this and the authors from which I have gathered information, take +absolutely NO responsibility and are not liable for, under any circumstances +for damage, direct, indirect, incidental, or consequential. + + Warning: Use of this material may shorten your life in the free world! + + Ok enough of the bullshit, I readily admit that this is mainly a compilation +of available phreak material and public resources. What I have done is to +gather it all together and edit, compile, check for errors, put in a readable +form, and finally to write what I know without echoing what others have said. +I have set this up that it is good for all levels of phreaks, going from novice +to advanced, and references and tables for easy reference in the back. + This manual is constantly being updated! If you have any contributions or +corrections or comments, please leave messages to me (Jack the Ripper) on any +BBS's I am on (probably where you got it). Thanks! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 2 + + + + + The Official Phreaker's Manual + + ********************************************************************** + + Table of Contents + + ********************************************************************** + + +I....... 005 Chapter 1 +I.1..... 006 Glossary of Phreaking terms +I.2..... 010 Glossary of Phreaking terms cont. +I.3..... 017 Boxes and Electronic Toll Fraud +I.4..... 020 How to be a Real Phreak +I.5..... 026 Basic Telecommunications I, A Phreaks guide + +II...... 031 Chapter 2 +II.1.... 033 Secrets of the Little Blue Box. Part 1 +II.2.... 041 Secrets of the Little Blue Box. Part 2 +II.3.... 050 Secrets of the Little Blue Box. Part 3 +II.4.... 058 Secrets of the Little Blue Box. Part 4 +II.5.... 062 The History of ESS +II.6.... 064 History of British Phreaking +II.7.... 067 Bad as Shit, an adventure story + +III..... 069 Chapter 3 +III.1... 070 Phreaking Cosmos +III.2... 072 Cosmos Revamped +III.3... 073 Telenet +III.4... 075 Phreaking AT&T Cards +III.5... 076 AT&T Forgery +III.6... 078 Dealing with Operators +III.7... 079 How to set up a Conference Call +III.8... 081 Fone tapping +III.9... 083 Fone tapping cont. +III.10.. 085 Tracing, how dangerous is it +III.11.. 086 How to avenge yourself +III.12.. 088 Interesting things to do on Step lines +III.13.. 089 Busted, An account of the Private Sector bust + +IV...... 092 Chapter 4 +IV.1.... 093 Basic Telecommunications II, Special #'s, Loops, Ani +IV.2.... 101 Basic Telecommunications III, Direct Dialing, International +IV.3.... 106 Basic Telecommunications IV, Telefone Hierarchy +IV.4.... 113 Basic Telecommunications V, Subscriber fone electronics +IV.5.... 120 Basic Telecommunications VI, Fortress fones + +V....... 123 Chapter 5 +V.1..... 124 Basic Telecommunications VII, Blue Boxing +V.2..... 132 Better Homes & Blue Boxing, Part 1 +V.3..... 136 Better Homes & Blue Boxing, Part 2 +V.4..... 141 Better Homes & Blue Boxing, Part 3 +V.5..... 145 More on Blue Boxing by Fred Stienbeck +V.6..... 146 Verification, Remob, etc., Is it possible? +V.7..... 148 Equal Access and the American Dream, Another great article +V.8..... 160 Equal access and Autodialing Modems +V.9..... 161 ISDN, it will change telecommunications for ever +V.10.... 163 ISDN, an article from Proto +V.11.... 165 MCI Services what they are and how they are useful + + + Page 3 + + + + + The Official Phreaker's Manual + + ********************************************************************** + + Appendixes + + ********************************************************************** + + +Appendix I...... 170 Reference tables and access lists +Appendix I.1.... 171 Country Codes +Appendix I.2.... 173 Country Codes cont. +Appendix I.3.... 176 Country Codes cont. +Appendix I.4.... 181 Max Access ports (Dialups) +Appendix I.5.... 182 Metro Fone Access ports +Appendix I.6.... 183 Area Codes +Appendix I.7.... 185 Tac Dialups around the country +Appendix I.8.... 193 Test numbers around the country +Appendix I.9.... 196 What a TSPS operators console looks like + +Appendix II..... 197 Box plans +Appendix II.1... 198 How to make an Infinity transmitter +Appendix II.2... 203 How to make a silver box + + 204 Protection Page + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 4 + + + + + The Official Phreaker's Manual + + Chapter 1 + + Ok this chapter will cover the basic vocabulary of phreaking, it is a fairly +long list, though not totally complete. After the vocab, will be some of the +general rules for phreaking. Most of the rules are protection from the police +and AT&T, but others are grammatical rules. These are not as important to your +freedom, but many a phreak will think you are a twelve year old if you start +talking like, "Hey dudz!^$(&, just got the latest warez! trade u for some +soft/docs. Checkul8r". Well you get the point, here's your vocab list... + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 5 + + + + + The Official Phreaker's Manual + + ...................................................................... + ...................................................................... + . The Bell Glossary - .. + . by .. + . /\<\ /\<\ .. + . \>ad \>arvin .. + ...................................................................... + ...................................................................... + +ACD: Automatic Call Distributor - A system that automatically distributes calls +to operator pools (providing services such as intercept and directory +assistance), to airline ticket agents, etc. + +Administration: The tasks of record-keeping, monitoring, rearranging, +prediction need for growth, etc. + +AIS: Automatic Intercept System - A system employing an audio-response unit +under control of a processor to automatically provide pertinent info to callers +routed to intercept. + +Alert: To indicate the existence of an incoming call, (ringing). + +ANI: Automatic Number Identification - Often pronounced "Annie," a facility for +automatically identify the number of the calling party for charging purposes. + +Appearance: A connection upon a network terminal, as in "the line has two +network appearances." + +Attend: The operation of monitoring a line or an incoming trunk for off-hook or +seizure, respectively. + +Audible: The subdued "image" of ringing transmitted to the calling party during +ringing; not derived from the actual ringing signal in later systems. + +Backbone Route: The route made up of final-group trunks between end offices in +different regional center areas. + +BHC: Busy Hour Calls - The number of calls placed in the busy hour. + +Blocking: The ratio of unsuccessful to total attempts to use a facility; +expresses as a probability when computed a priority. + +Blocking Network: A network that, under certain conditions, may be unable to +form a transmission path from one end of the network to the other. In general, +all networks used within the Bell Systems are of the blocking type. + +Blue Box: Equipment used fraudulently to synthesize signals, gaining access to +the toll network for the placement of calls without charge. + +BORSCHT Circuit: A name for the line circuit in the central office. It +functions as a mnemonic for the functions that must be performed by the +circuit: Battery, Overvoltage, Ringing, Supervision, Coding, Hybrid, and +Testing. + +Busy Signal: (Called-line-busy) An audible signal which, in the Bell System, +comprises 480hz and 620hz interrupted at 60IPM. + +Bylink: A special high-speed means used in crossbar equipment for routing calls + + Page 6 + + + + + The Official Phreaker's Manual + +incoming from a step-by-step office. Trunks from such offices are often +referred to as "bylink" trunks even when incoming to noncrossbar offices; they +are more properly referred to as "dc incoming trunks." Such high-speed means +are necessary to assure that the first incoming pulse is not lost. + +Cable Vault: The point which phone cable enters the Central Office building. + +CAMA: Centralized Automatic Message Accounting - Pronounced like Alabama. + +CCIS: Common Channel Interoffice Signaling - Signaling information for trunk +connections over a separate, nonspeech data link rather that over the trunks +themselves. + +CCITT: International Telegraph and Telephone Consultative Committee- An +International committee that formulates plans and sets standards for +intercountry communication means. + +CDO: Community Dial Office - A small usually rural office typically served by +step-by-step equipment. + +CO: Central Office - Comprises a switching network and its control and support +equipment. Occasionally improperly used to mean "office code." + +Centrex: A service comparable in features to PBX service but implemented with +some (Centrex CU) or all (Centrex CO) of the control in the central office. In +the later case, each station's loop connects to the central office. + +Customer Loop: The wire pair connecting a customer's station to the central +office. + +DDD: Direct Distance Dialing - Dialing without operator assistance over the +nationwide intertoll network. + +Direct Trunk Group: A trunk group that is a direct connection between a given +originating and a given terminating office. + +EOTT: End Office Toll Trunking - Trunking between end offices in different toll +center areas. + +ESB: Emergency Service Bureau - A centralized agency to which 911 "universal" +emergency calls are routed. + +ESS: Electronic Switching System - A generic term used to identify as a class, +stored-program switching systems such as the Bell System's No.1 No.2, No.3, +No.4, or No.5. + +ETS: Electronic Translation Systems - An electronic replacement for the card +translator in 4A Crossbar systems. Makes use of the SPC 1A Processor. + +False Start: An aborted dialing attempt. + +Fast Busy: (often called reorder) - An audible busy signal interrupted at twice +the rate of the normal busy signal; sent to the originating station to indicate +that the call blocked due to busy equipment. + +Final Trunk Group: The trunk group to which calls are routed when available +high-usage trunks overflow; these groups generally "home" on an office next +highest in the hierarchy. + + Page 7 + + + + + The Official Phreaker's Manual + + +Full Group: A trunk group that does not permit rerouting off-contingent foreign +traffic; there are seven such offices. + +Glare: The situation that occurs when a two-way trunk is seized more or less +simultaneously at both ends. + +High Usage Trunk Group: The appellation for a trunk group that has alternate +routes via other similar groups, and ultimately via a final trunk group to a +higher ranking office. + +Intercept: The agency (usually an operator) to which calls are routed when made +to a line recently removed from a service, or in some other category requiring +explanation. Automated versions (ASI) with automatic voiceresponse units are +growing in use. + +Interrupt: The interruption on a phone line to disconnect and connect with +another station, such as an Emergence Interrupt. + +Junctor: A wire or circuit connection between networks in the same office. The +functional equivalent to an intraoffice trunk. + +MF: Multifrequency - The method of signaling over a trunk making use of the +simultaneous application of two out of six possible frequencies. + +NPA: Numbering Plan Area. + +ONI: Operator Number Identification - The use of an operator in a CAMA office +to verbally obtain the calling number of a call originating in an office not +equipped with ANI. + +PBX: Private Branch Exchange - (PABX: Private Automatic Branch Exchange) An +telephone office serving a private customer, Typically , access to the outside +telephone network is provided. + +Permanent Signal: A sustained off-hook condition without activity (no dialing +or ringing or completed connection); such a condition tends to tie up +equipment, especially in earlier systems. Usually accidental, but sometimes +used intentionally by customers in high-crime-rate areas to thwart off +burglars. + +POTS: Plain Old Telephone Service - Basic service with no extra "frills". + +ROTL: Remote Office Test Line - A means for remotely testing trunks. + +RTA: Remote Trunk Arrangement - An extension to the TSPS system permitting its +services to be provided up to 200 miles from the TSPS site. + +SF: Single Frequency. A signaling method for trunks: 2600hz is impressed upon +idle trunks. + +Supervise: To monitor the status of a call. + +SxS: (Step-by-Step or Strowger switch) - An electromechanical office type +utilizing a gross-motion stepping switch as a combination network and +distributed control. + +Talkoff: The phenomenon of accidental synthesis of a machine-intelligible + + Page 8 + + + + + The Official Phreaker's Manual + +signal by human voice causing an unintended response. "whistling a tone". + +Trunk: A path between central offices; in general 2-wire for interlocal, 4-wire +for intertoll. + +TSPS: Traffic Service Position System - A system that provides, under stored- +program control, efficient operator assistance for toll calls. It does not +switch the customer, but provides a bridge connection to the operator. + +X-bar: (Crossbar) - An electromechanical office type utilizing a "fine-motion" +coordinate switch and a multiplicity of central controls (called markers). +There are four varieties: + No.1 Crossbar: Used in large urban office application; (1938) + No 3 Crossbar: A small system started in (1974). + No.4A/4M Crossbar: A 4-wire toll machine; (1943). + No.5 Crossbar: A machine originally intended for relatively small +suburban applications; (1948) + Crossbar Tandem: A machine used for interlocal office switching. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 9 + + + + + The Official Phreaker's Manual + + ============================================================ + _ _ _______ + | \/ | / _____/ + |_||_|etal / /hop + __________/ / + /___________/ + (314) 432-0756 + + Proudly Presents + + The MCI Telecommunications Glossary + + Part I Volume I (A - D) + + Typed by Knight Lightning + + ============================================================ + +- A - + +A & B LEADS: Designation of leads derived from the midpoints of the two 2-wire +pairs comprising a 4-wire circuit. + +ABBREVIATED DIALING: The ability of a telephone user to reach frequently called +numbers by using less than seven digits. Synonym: Speed Dialing + +ACCESS CHARGE: A fee paid for the use of local lines. + +ACCESS CODE: A digit or number of digits required to be connected to a private +line arranged for dial access. + +ACCESS LINE: A telephone circuit which connects a customer location to a +network switching center. + +AIRLINE MILEAGE: Calculated point-to-point mileage between terminal +facilities. + +ALL TRUNKS BUSY (ATB): A single tone interrupted at a 120 ipm (impulses per +minute) rate to indicate all lines or trunks in a routing group are busy. + +ALTERNATE ROUTE: A secondary communications path used to reach a destination if +the primary path is unavailable. + +ALTERNATE USE: The ability to switch communications facilities from one type of +service to another, i.e., voice to data, etc. + +ALTERNATE VOICE DATA (AVD): A single transmission facility which can be used +for either voice or data. + +AMERICAN STANDARD CODE +FOR INFORMATION INTERCHANGE +(ASCII): An 8 level code developed for the interchange of information between +data processing and communications systems. + +ANALOG SIGNAL: A signal in the form of a continuous varying physical quantity, +e.g., voltage which reflects variations in some quantity, e.g., loudness in the +human voice. + + + Page 10 + + + + + The Official Phreaker's Manual + +ANNUNICATOR: An audible intercept device that states the condition or +restrictions associated with circuits or procedures. + +ANSWER BACK: An electrical and/or visual indication to the calling or sending +end that the called or received station is on the line. + +ANSWER SUPERVISION: An off-hook signal transmitted toward the calling end of a +switched connection when the called party answers. + +AREA CODE: Synonym: Numbering Plan Area (NPA). A three digit number identifying +more than 150 geographic areas of the United States and Canada which permits +direct distance dialing on the telephone system. A similar global numbering +plan has been established for international subscriber dialing. + +ATTENDANT POSITION: A telephone switchboard operator's position. It provides +either automatic (cordless) or manual (plug and jack) operator controls for +incoming and/or outgoing telephone calls. + +ATTENUATION: A general term used to denote the decrease in power between that +transmitted and that received due to loss through equipment, lines, or other +transmission devices. It is usually expressed as a ration in db (decibel). + +AUDIBLE RINGING TONE: An audible signal heard by the calling party during the +ringing-interval. + +AUTHORIZATION CODE: An identification number that the caller enters when +placing a call which is used for billing purposes. + +AUTHORIZED USER: A person, firm, organization, corporation or any other entity +authorized by the customer to send or receive communications over a specific +communications network. + +AUTO ANSWER: A machine feature that allows a transmission control unit or +station to automatically respond to a call that it receives. + +AUTOMATIC CALL +DISTRIBUTOR (ACD): A switching system designed to queue and/or distribute a +large volume of incoming calls to a group of attendants to the next available +"answering" position. + +AUTOMATIC DIALING UNIT: A device which automatically generates a predetermined +set of dialing digits. + +AUTOMATIC IDENTIFICATION +OF OUTWARD DIALING (AIOD): A computer generated report showing all long +distance calls placed over AT&T's toll network. + +AUTOMATIC NUMBER +IDENTIFICATION (ANI): Automatic equipment at a local dial office used on +customer dialed calls to identify the calling-station. + +AUTOMATIC ROUTE +SELECTION (ARS): Least cost routing via AT&T CENTREX system. + + + +- B - + + + Page 11 + + + + + The Official Phreaker's Manual + +BAND: (1) The range of frequencies between two defined limits. (2) In reference +to WATS, one of the five specific geographic areas as defined by AT&T. Synonym: +BANDWIDTH. + +BANDWIDTH: See BAND. + +BASEBAND: The total frequency band occupied by the aggregate of all the voice +and data signals used to modulate a radio carrier. + +BAUD: A unit of signaling speed. The speed in baud is the number of discrete +conditions conditions or signal elements per second. If each signal event +represents only one bit condition, then Baud is the same as bits per second. +When each signal event represents other than one bit, Baud does not equal bits +per second. + +BELL OPERATING COMPANY +(BOC) /BELL SYSTEMS +OPERATING COMPANY (BSOC): Any of the 24 AT&T affiliated companies providing +local service. + +BELL SYSTEM: The aggregate of AT&T's 24 associated telephone companies, Long +Lines, Western Electric, and Bell Labs. + +BILLING NUMBER: The MCI term for the number which identifies a customer on a +billing location level, assigned to Network Service Customer (by COMS). +Assigned for each unique customer name and billing location. For internal use +only. + +BINARY: A number system that uses only two characters ("0" and "1"). + +BIT: A binary digit. The smallest unit of coded information. + +BITS PER SECOND (BPS): The rate at which data transmission is measured. + +BLOCKED CALLS: Attempted calls that are not connected because (1) all lines to +the central offices are in use; or (2) all connecting connecting paths through +the PBX/switch are in use. + +BLOCKED ANI: ANI prohibited from completing a call over the MCI network. + +BREAK: A means of interrupting transmission, a momentary interruption of a +circuit. + +BROADBAND: A transmission facility having a bandwidth of greater then 20 kHz. + +BUS: A heavy conductor, or group of conductors, to which several units of the +same type of equipment may be connected. + +BUSY: The condition in which facilities over which a call is to be connected +are already in use. + +BUSY HOUR: The time of day when phone lines are most in demand. + +BUSY TONE: A single that is interrupted at 60 ipm (impulses per minute) rate to +indicate that the terminal point of a call is already in use. + +BYTE: A group of binary digits that are processed by a computer as a unit. + + + Page 12 + + + + + The Official Phreaker's Manual + + + +- C - + + +CARRIER: High frequency current that can be modulated with voice or digital +signals for bulk transmission via cable or radio circuits. + +CARRIER SYSTEM: A system for providing several communications channels over a +single path. + +CATHODE RAY TUBE (CRT): The "television-like" screen used to display the output +from a computer. + +CELLULAR MOBILE RADIO: A system providing exchange telephone service to a +station located in an auto or other mobile vehicle, using radio circuits to a +base radio station which covers a specific geographical area and as the vehicle +moves from one area to another, different base radio stations handle the call. + +CENTRAL OFFICE (CO): A telephone switching center that provides local access to +the public network. Sometimes referred to as: Class 5 office, end office, or +Local Dial Office. + +CENTREX, CO: PBX Service provided by a switch located at the telephone company +central office. + +CENTREX, CU: A variation on Centrex CO provided by a telephone company +maintained "Central Office" type switch located at the customer's premises. + +CENTRAL PROCESSING UNIT +(CPU): The control unit within a computer which handles all the intelligent +functions of the systems. In a telephone switch, directs all potions of the +system to carry out their appropriate functions. Synonym: Common Control. + +CHANNEL: A communication path via a carrier or microwave radio. + +CHARACTER: Any letter, digit, or special symbol. In data transmission would be +represented by a specific code made up of a group of binary digits. + +CIRCUIT: A path for the transmission of electromagnetic signals to include all +conditioning and signaling equipment. Synonym: Facility + +CIRCUIT SWITCHING: A switching system that completes a dedicated transmission +path from sender to receiver at the time of transmission. + +CLASS OF SERVICE/CLASS +MARK (COS): A subgrouping of telephone customers or users for the sake of rate +distinction or limitation of service. + +COAXIAL CABLE: A cable having several coaxial lines under a single protective +sheath. Usually used as a high capacity carrier in urban areas between +interexchange and toll offices. + +CODEC: Coder-Decoder. Used to convert analog signals to digital form for +transmission over a digital median and back again to the original analog form. + +COMMON CARRIER: A government regulated private company that provides the +general public with telecommunications services and facilities. + + Page 13 + + + + + The Official Phreaker's Manual + + +COMMON CHANNEL INTEROFFICE +SIGNALING (CCIS): A digital technology used by AT&T to enhance their Integrated +Services Digital Network. It uses a separate data line to route interoffice +signals to provide faster call set-up and more efficient use of trunks. + +COMMON CONTROL SWITCHING +ARRANGEMENT (CCSA): An arrangement for telecommunicationsnetworks in which +common controlled switching machines are used to route traffic over network +routes and access lines. The switching machine may be shared with other users +and is maintained by the telephone company. + +COMPUTER PORT/TKI PORT: The interface through which the computer connects to +the communications circuit. + +CONDITIONING EQUIPMENT: Equipment modifications or adjustments necessary to +match transmission levels and impedances and which equalizes transmission and +delay to bring circuit losses, levels, and distortion within established +standards. + +CONFIGURATION: The combination of long-distance services and/or equipment that +make up a communications system. + +CONTROL UNIT (CU): The central processor of a telephone switching device. + +CORPORATE ID NUMBER: The MCI term for the number which identifies a customer on +a corporate level. (Not all MCI customers have this). + +COST COMPONENT: The price of each type of long distance service and/or +equipment that constitutes a configuration. + +COST PER HOUR (CPH): Total cost of different services divided by total holding +time (in minutes). + +CROSS CONNECTION: The wire connections running between terminals on the two +sides of a distribution frame, or between binding posts in a terminal. + +CROSS TALK: The unwanted energy (speech or tone) transferred from one circuit +to another circuit. + +CUSTOMER OWNED AND +MAINTAINED (COAM): Customer provided communications apparatus, and their +associated wiring. + +CUSTOMER +PREMISE EQUIPMENT (CPE): Telephone equipment, usually including wiring located +within the customer's part of a building. + +CUT: To transfer a service from one facility to another. + +CUT THROUGH: The establishment of a complete path for signaling and/or audio +communications. + + +- D - + +DATA: Any representation, such as characters to which a meaning is assigned. + + + Page 14 + + + + + The Official Phreaker's Manual + +DATA COMMUNICATIONS: The movement of coded information by means of electronic +transmission systems. + +DATA SET: A device which converts data into signals suitable for transmission +over communications lines. + +DATA TERMINAL: A station in a system capable of sending and/or receiving data +signals. + +DECIBEL (db): A unit of measurement represented as a ratio of two voltages, +currents or powers and is used to measure transmission loss or gain. + +DELAY DIAL: A dialing configuration whereby local dial equipment will wait +until it receives the entire telephone number before seizing a circuit to +transmit the call. + +DELTA MODULATION (DM): A variant of pulse code modulation whereby a code +representing the difference between the amplitude of a sample and t~he +amplitude of a previous one is sent. Operates well in the presence of noise, +but requires a wide frequency band. + +DEMODULATION: The process of retrieving data from a modulated signal. + +DIAL LEVEL: The selection of stations or services associated with a PBX using a +one to four digit code (e.g., dialing 9 for access to outside dial tone). + +DIAL PULSING: The transmitting of telephone address signals by momentarily +opening a DC circuit a number of times corresponding to the decimal digit which +is dialed. + +DIAL REPEATING TIE LINE/ +DIAL REPEATING TIE TRUNK: A tie line which permits direct station to station +calling without use of the attendant. + +DIAL SELECTIVE SIGNALING: A multipoint network in which the called party is +selected by a prearranged dialing code. + +DIAL TONE: A tone indicating that automatic switching equipment is ready to +receive dial signals. + +DIALING PLAN: A description of the dialing arrangements for customer use on a +networks. + +DIGITAL: Referring to the use of digits to formulate and solve problems, or to +encode information. + +DIMENSION CUSTOM +TELEPHONE SERVICE (DCTS): AT&T's electronically programmable telephone station +sets which use special buttons to access PBX features. + +DIRECT +DISTANCE DIALING (DDD): A toll service that permits customers to dial their own +long distance call without the aid of an operator. + +DIRECT +INWARD DIALING (DID): A PBX or CENTREX feature that allows a customer outside +the system to directly dial a station within the system. + + + Page 15 + + + + + The Official Phreaker's Manual + +DIRECT OUTWARD DIALING: A PBX or CENTREX feature that allows a station user to +gain direct access to an exchange network. + +DROP: That direction of a circuit which looks towards the local operator. + +DRY CIRCUIT: A circuit which transmits voice signals and carries no direct +current. + +DUAL TONE +MULTI-FREQUENCY (DTMF): Also know as Touch Tone. A type of signaling which +emits two distinct frequencies for each indicated digit. + +DUPLEX: Simultaneous two-way independent transmission. + +DX SIGNALING: A long-range bidirectional signaling method using paths derived +from transmission cable pairs. It is based on a balanced and symmetrical +circuit that is identical at both ends. This circuit presents an E&M lead +interface to connecting circuits. + + + + ============================================================ + +This concludes Part 1 Volume I of the MCI Telecommunications Glossary. Look for +more G-philes from The MCI School of Telecommunications Management Reference +Guide coming soon. + + This has been a 2600 Club production + + +Thanx to Taran King + ============================================================ + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 16 + + + + + The Official Phreaker's Manual + + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + $ _______________________________ $ + $ | | $ + $ | ELECTRONIC TOLL FRAUD DEVICES | $ + $ |_______________________________| $ + $ $ + $ $ + $ TYPED AND UPLOADED BY: $ + $ $ + $$$$$$$$$$$$-=>LEX LUTHOR<=-$$$$$$$$$$$ + $ $ + $ $ + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + + + THIS PHILE IS DESIGNED TO IDENTIFY VARIOUS KINDS OF ETF (ELECTRONIC TOLL +FRAUD) DEVICES AND TO DESCRIBE THEIR OPERATION, ACCORDING TO A BOOKLET PUT OUT +BY BELL ENTITLED: THE INVESTIGATION AND PROSECUTION OF ELECTRONIC TOLL FRAUD +DEVICES. (FOR OFFICIAL USE ONLY). + +THERE ARE SEVERAL DIFFERENT TYPES OF ELECTRONIC EQUIPMENT WHICH MAY BE +GENERALLY CLASSIFIED AS ETF DEVICES. THE MOST SIGNIFICANT IS THE "BLUE BOX". +THE CHARACTERISTICS OF EACH TYPE OF DEVICE ARE DISCUSSED BELOW. + + + +*BLUE BOX* +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + THE "BLUE BOX" WAS SO NAMED BECAUSE OF THE COLOR OF THE FIRST ONE FOUND. THE +DESIGN AND HARDWARE USED IN THE BLUE BOX IS FAIRLY SOPHISTICATED, AND ITS SIZE +VARIES FROM A LARGE PIECE OF APPARATUS TO A MINIATURIZED UNIT THAT IS +APPROXIMATELY THE SIZE OF A "KING SIZE" PACKAGE OF CIGARETTES. THE BLUE BOX +CONTAINS 12 OR 13 BUTTONS OR SWITCHES THAT EMIT MULTI-FREQUENCY TONES +CHARACTERISTIC OF THE TONES USED IN THE NORMAL OPERATION OF THE TELEPHONE TOLL +(LONG DISTANCE) SWITCHING NETWORK. THE BLUE BOX ENABLES ITS USER TO ORIGINATE +FRAUDULENT ("FREE") TOLL CALLS BY CIRCUMVENTING TOLL BILLING EQUIPMENT. THE +BLUE BOX MAY BE DIRECTLY CONNECTED TO A PHONE LINE, OR IT MAY BE ACOUSTICALLY +COUPLED TO A TELEPHONE HANDSET BY PLACING THE BLUE BOX'S SPEAKER NEXT TO THE +TRANSMITTER OR THE TELEPHONE HANDSET. THE OPERATION OF A BLUE BOX WILL BE +DISCUSSED IN MORE DETAIL BELOW. + + TO UNDERSTAND THE NATURE OF A FRAUDULENT BLUE BOX CALL, IT IS NECESSARY TO +UNDERSTAND THE BASIC OPERATION OF THE DIRECT DISTANCE DIALING (DDD) TELEPHONE +NETWORK. WHEN A DDD CALL IS PROPERLY ORIGINATED, THE CALLING NUMBER IS +IDENTIFIED AS AN INTEGRAL PART OF ESTABLISHING THE CONNECTION. THIS MAY BE DONE +EITHER AUTOMATICALLY OR, IN SOME CASES, BY AN OPERATOR ASKING THE CALLING PARTY +FOR HIS TELEPHONE NUMBER. + THIS INFORMATION IS ENTERED ON A TAPE IN THE AUTOMATIC MESSAGE ACCOUNTING +(AMA) OFFICE. THIS TAPE ALSO CONTAINS THE NUMBER ASSIGNED TO THE TRUNK LINE +OVER WHICH THE CALL IS TO BE SENT. THE INFORMATION RELATING TO THE CALL +CONTAINED ON THE TAPE INCLUDES: CALLED NUMBER, CALLING NUMBER, TIME OF CALL. +THE TIME OF DISCONNECT AT THE END OF THE CALL IS ALSO RECORDED. + ALTHOUGH THE TAPE CONTAINS INFO WITH RESPECT TO MANY DIFFERENT CALLS, THE +VARIOUS DATA ENTRIES WITH RESPECT TO A SINGLE CALL ARE EVENTUALLY CORRELATED TO +PROVIDE BILLING INFO FOR USE BY YOUR BELL'S ACCOUNTING DEPARTMENT. + THE TYPICAL BLUE BOX USER USUALLY DIALS A NUMBER THAT WILL ROUTE THE CALL +INTO THE TELEPHONE NETWORK WITHOUT CHARGE. FOR EXAMPLE, THE USER WILL VERY + + Page 17 + + + + + The Official Phreaker's Manual + +OFTEN CALL A WELL-KNOWN INWATS (TOLL-FREE) CUSTOMER'S NUMBER. THE BLUE BOX +USER, AFTER GAINING THIS ACCESS TO THE NETWORK AND, IN EFFECT, "SEIZING" +CONTROL AND COMPLETE DOMINION OVER THE LINE, OPERATES A KEY ON THE BLUE BOX +WHICH EMITS A 2600 HERTZ (CYCLES PER SECOND) TONE. THIS TONE CAUSES THE +SWITCHING EQUIPMENT TO RELEASE THE CONNECTION TO THE INWATS CUSTOMER'S LINE. +THE 2600HZ TONE IS A SIGNAL THAT THE CALLING PARTY HAS HUNG UP. THE BLUE BOX +SIMULATES THIS CONDITION. HOWEVER, IN FACT THE LOCAL TRUNK ON THE CALLING +PARTY'S END IS STILL CONNECTED TO THE TOLL NETWORK. THE BLUE BOX USER NOW +OPERATES THE "KP" (KEY PULSE) KEY ON THE BLUE BOX TO NOTIFY THE TOLL SWITCHING +EQUIPMENT THAT SWITCHING SIGNALS ARE ABOUT TO BE EMITTED. THE USER THEN PUSHES +THE "NUMBER" BUTTONS ON THE BLUE BOX CORRESPONDING TO THE TELEPHONE # BEING +CALLED. AFTER DOING SO HE/SHE OPERATES THE "ST" (START) KEY TO INDICATE TO THE +SWITCHING EQUIPMENT THAT SIGNALLING IS COMPLETE. IF THE CALL IS COMPLETED, ONLY +THE PORTION OF THE ORIGINAL CALL PRIOR TO THE EMISSION OF 2600HZ TONE IS +RECORDED ON THE AMA TAPE. THE TONES EMITTED BY THE BLUE BOX ARE NOT RECORDED ON +THE AMA TAPE. THEREFORE, BECAUSE THE ORIGINAL CALL TO THE INWATS # IS +TOLL-FREE, NO BILLING IS RENDERED IN CONNECTION WITH THE CALL. + ALTHOUGH THE ABOVE IS A DESCRIPTION OF A TYPICAL BLUE BOX OPERATION USING A +COMMON METHOD OF ENTRY INTO THE NETWORK, THE OPERATION OF A BLUE BOX MAY VARY +IN ANY ONE OR ALL OF THE FOLLOWING RESPECTS: + +(A) THE BLUE BOX MAY INCLUDE A ROTARY DIAL TO APPLY THE 2600HZ TONE AND THE +SWITCHING SIGNALS. THIS TYPE OF BLUE BOX IS CALLED A "DIAL PULSER" OR "ROTARY +SF" BLUE BOX. + +(B) ENTRANCE INTO THE DDD TOLL NETWORK MAY BE EFFECTED BY A PRETEXT CALL TO ANY +OTHER TOLL-FREE # SUCH AS UNIVERSAL DIRECTORY ASSISTANCE (555-1212) OR ANY # IN +THE INWATS NETWORK, EITHER INTER-STATE OR INTRA-STATE, WORKING OR NON-WORKING. + +(C) ENTRANCE INTO THE DDD TOLL NETWORK MAY ALSO BE IN THE FORM OF "SHORT HAUL" +CALLING. A "SHORT HAUL" CALL IS A CALL TO ANY # WHICH WILL RESULT IN A LESSER +AMOUNT OF TOLL CHARGES THAN THE CHARGES FOR THE CALL TO BE COMPLETED BY THE +BLUE BOX. FOR EXAMPLE, A CALL TO BIRMINGHAM FROM ATLANTA MAY COST $.80 FOR THE +FIRST 3 MINUTES WHILE A CALL FROM ATLANTA TO LOS ANGELES IS $1.85 FOR 3 +MINUTES. THUS, A SHORT HAUL, 3-MINUTE CALL TO BIRMINGHAM FROM ATLANTA, SWITCHED +BY USE OF A BLUE BOX TO LOS ANGELES, WOULD RESULT IN A NET FRAUD OF $2.65 FOR A +3 MINUTE CALL. + +(D) A BLUE BOX MAY BE WIRED INTO THE TELEPHONE LINE OR ACOUSTICALLY CONNECTED +TO THE HANDSET. THE BLUE BOX MAY EVEN BE BUILT INSIDE A REGULAR TOUCH-TONE +PHONE, USING THE PHONE'S PUSH BUTTONS FOR THE BLUE BOX'S SIGNALLING TONES. + +(E) A MAGNETIC TAPE RECORDING MAY BE USED TO RECORD THE BLUE BOX TONES +REPRESENTATIVE OF SPECIFIC PHONE #'S. SUCH A TAPE RECORDING COULD BE USED IN +LIEU OF +A BLUE BOX TO FRAUDULENTLY PLACE CALLS TO THE PHONE #'S RECORDED ON THE +MAGNETIC TAPE. + + ALL BLUE BOXES, EXCEPT "DIAL PULSE" OR "ROTARY SF" BLUE BOXES, MUST HAVE +THE FOLLOWING 4 COMMON OPERATING CAPABILITIES: + +(A) IT MUST HAVE SIGNALLING CAPABILITY IN THE FORM OF A 2600HZ TONE. THE TONE +IS USED BY THE TOLL NETWORK TO INDICATE, EITHER BY ITS PRESENCE OR ITS ABSENCE, +AN "ON HOOK" (IDLE) OR "OFF HOOK" (BUSY) CONDITION OF THE TRUNK. + +(B) THE BLUE BOX MUST HAVE A "KP" TONES THAT UNLOCKS OR READIES THE +MULTI-FREQUENCY RECEIVER AT THE CALLED END TO RECEIVE THE TONES CORRESPONDING +TO THE CALLED PHONE #. + + Page 18 + + + + + The Official Phreaker's Manual + + +(C) THE TYPICAL BLUE BOX MUST BE ABLE TO EMIT MF TONES WHICH ARE USED TO +TRANSMIT PHONE #'S OVER THE TOLL NETWORK. EACH DIGIT OF A PHONE # IS +REPRESENTED BY A COMBINATION OF 2 TONES. FOR EXAMPLE, THE DIGIT 2 IS X-MITTED +BY A COMBINATION OF 700HZ AND 1100HZ. + +(D) THE BLUE BOX MUST HAVE AN "ST" KEY WHICH CONSISTS OF A COMBINATION OF 2 +TONES THAT TELL THE EQUIPMENT AT THE CALLED END THAT ALL DIGITS HAVE BEEN SENT +AND THAT THE EQUIPMENT SHOULD START SWITCHING THE CALL TO THE CALLED NUMBER. + + THE "DIAL PULSER" OR "ROTARY SF" BLUE BOX REQUIRES ONLY A DIAL WITH A +SIGNALLING CAPABILITY TO PRODUCE A 2600HZ TONE. + +*BLACK BOX* +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + THIS ETF DEVICE IS SO-NAMED BECAUSE OF THE COLOR OF THE FIRST ONE FOUND. +IT VARIES IN SIZE AND USUALLY HAS ONE OR TWO SWITCHES OR BUTTONS. ATTACHED TO +THE TELEPHONE LINE OF A CALLED PARTY, THE BLACK BOX PROVIDES TOLL-FREE CALLING +*TO* THAT PARTY'S LINE. A BLACK BOX USER INFORMS OTHER PERSONS BEFOREHAND THAT +THEY WILL NOT BE CHARGED FOR ANY CALL PLACED TO HIM. THE USER THEN OPERATES THE +DEVICE CAUSING A "NON-CHARGE" CONDITION ("NO ANSWER" OR "DISCONNECT") TO BE +RECORDED ON THE TELEPHONE COMPANY'S BILLING EQUIPMENT. A BLACK BOX IS +RELATIVELY SIMPLE TO CONSTRUCT AND IS MUCH LESS SOPHISTICATED THAN A BLUE BOX. + +*CHEESE BOX* +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + ITS DESIGN MAY BE CRUDE OR VERY SOPHISTICATED. ITS SIZE VARIES; ONE WAS FOUND +THE SIZE OF A HALF-DOLLAR. A CHEESE BOX IS USED MOST OFTEN BY BOOKMAKERS OR +BETTERS TO PLACE WAGERS WITHOUT DETECTION FROM A REMOTE LOCATION. THE DEVICE +INTER-CONNECTS 2 PHONE LINES, EACH HAVING DIFFERENT #'S BUT EACH TERMINATING AT +THE SAME LOCATION. IN EFFECT, THERE ARE 2 PHONES AT THE SAME LOCATION WHICH ARE +LINKED TOGETHER THROUGH A CHEESE BOX. IT IS USUALLY FOUND IN AN UNOCCUPIED +APARTMENT CONNECTED TO A PHONE JACK OR CONNECTING BLOCK. THE BOOKMAKER, AT SOME +REMOTE LOCATION, DIALS ONE OF THE NUMBERS AND STAYS ON THE LINE. VARIOUS +BETTORS DIAL THE OTHER NUMBER BUT ARE AUTOMATICALLY CONNECTED WITH THE +BOOKMAKER BY MEANS OF THE CHEESE BOX INTER-CONNECTION. IF, IN ADDITION TO A +CHEESE BOX, A BLACK BOX IS INCLUDED IN THE ARRANGEMENT, THE COMBINED EQUIPMENT +WOULD PERMIT TOLL-FREE CALLING ON EITHER LINE TO THE OTHER LINE. IF A POLICE +RAID WERE CONDUCTED AT THE TERMINATING POINT OF THE CONVERSATIONS -THE LOCATION +OF THE CHEESE BOX- THERE WOULD BE NO EVIDENCE OF GAMBLING ACTIVITY. THIS DEVICE +IS SOMETIMES DIFFICULT TO IDENTIFY. LAW ENFORCEMENT OFFICIALS HAVE BEEN ADVISED +THAT WHEN UNUSUAL DEVICES ARE FOUND ASSOCIATED WITH TELEPHONE CONNECTIONS THE +PHONE COMPANY SECURITY REPRESENTATIVES SHOULD BE CONTACTED TO ASSIST IN +IDENTIFICATION. (THIS PROBABLY WOULD BE GOOD FOR A BBS , ESPECIALLY WITH THE +BLACK BOX SET UP. AND IF YOU EVER DECIDED TO TAKE THE BOARD DOWN, YOU WOULDN'T +HAVE TO CHANGE YOUR PHONE #. IT ALSO MAKES IT SO YOU YOURSELF CANNOT BE TRACED. +I AM NOT SURE ABOUT CALLING OUT FROM ONE THOUGH) + +*RED BOX* +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + THIS DEVICE IT COUPLED ACOUSTICALLY TO THE HANDSET TRANSMITTER OF A +SINGLE-SLOT COIN TELEPHONE. THE DEVICE EMITS SIGNALS IDENTICAL TO THOSE TONES +EMITTED WHEN COINS ARE DEPOSITED. THUS, LOCAL OR TOLL CALLS MAY BE PLACED +WITHOUT THE ACTUAL DEPOSIT OF COINS. + + + Page 19 + + + + + The Official Phreaker's Manual + + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + /-/ /-/ + /-/ Phreaker's /-/ + /-/ PhunHouse /-/ + /-/ /-/ + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + /-/ By: /-/ + /-/ The Traveler /-/ + /-/ /-/ + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + /-/ /-/ + /-/ Call: /-/ + /-/ Brainstorm BBS /-/ + /-/ 612/345-2815 (300/1200) /-/ + /-/ /-/ + /-/ Little America /-/ + /-/ 507/289-8211 (300) /-/ + /-/ /-/ + /-/ Tell 'em Traveler sent ya /-/ + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + + The long awaited prequil to Phreaker's Guide has finally arrived. Conceived +from the boredom and loneliness that could only be derived from: The Traveler! +But now, he has returned in full strength (after a small vacation) and is here +to 'World Premiere' the new files everywhere. + Stay cool. This is the prequil to the first one, so just relax. This is not +made to be an exclusive ultra elite file, so kinda calm down and watch in the +background if you are too cool for it... + +/-/ Phreak Dictionary /-/ + + Here you will find some of the basic but necessary terms that should be known +by any phreak who wants to be respected at all... + + Phreak [fr'eek]:1. The action of using mischevious and mostly illegal ways +in order to not pay for some sort of telecommunications bill, order, transfer, +or other service. It often involves usage of highly illegal boxes and machines +in order to defeat the security that is set up to avoid this sort of +happening. + [fr'eaking]. v. 2. A person who uses the above methods of destruction and +chaos in order to make a better life for all. A true phreaker will not not go +against his fellows or narc on people who have ragged on him or do anything +termed to be dishonorable to phreaks. + [fr'eek]. n. 3. A certain code or dialup useful in the action of being a +phreak. (Example: "I hacked a new metro phreak last night.") + + Switching System + [Swich'ing sis'tem]: 1. There are 3 main switching systems currently employed +in the US, and a few other systems will be mentioned as background. +A) SxS: This system was invented in 1918 and was employed in over half of the +country until 1978. It is a very basic system that is a general waste of energy +and hard work on the linesman. A good way to identify this is that it requires +a coin in the phone booth before it will give you a dial tone, or that no call +waiting, call forwarding, or any other such service is available. Stands for: +Step by Step + +B) XB: This switching system was first employed in 1978 in order to take care +of most of the faults of SxS switching. Not only is it more efficient, but it + + Page 20 + + + + + The Official Phreaker's Manual + +also can support different services in various forms. XB1 is Crossbar Version +1. That is very limited and is hard to distinguish from SxS except by direct +view of the wiring involved. Next up was XB4, Crossbar Version 4. With this +system, some of the basic things like DTMF that were not available with SxS can +be accomplished. For the final stroke of XB, XB5 was created. This is a service +that can allow DTMF plus most 800 type services (which were not always +available...) Stands for: Crossbar. +C) ESS: A nightmare in telecom. In vivid color, ESS is a pretty bad thing to +have to stand up to. It is quite simple to identify. Dialing 911 for +emergencies, and ANI [see ANI below] are the most common facets of the dread +system. ESS has the capability to list in a person's caller log what number was +called, how long the call took, and even the status of the conversation (modem +or otherwise.) Since ESS has been employed, which has been very recently, it +has gone through many kinds of revisions. The latest system to date is ESS 11a, +that is employed in Washington D.C. for security reasons. ESS is truly trouble +for any phreak, because it is 'smarter' than the other systems. For instance, +if on your caller log they saw 50 calls to 1-800-421-9438, they would be able +to do a CN/A [see Loopholes below] on your number and determine whether you are +subscribed to that service or not. This makes most calls a hazard, because +although 800 numbers appear to be free, they are recorded on your caller log +and then right before you recei`e your bill it deletes the billings for them. +But before that they are open to inspection, which is one reason why extended +use of any code is dangerous under ESS. Some of the boxes [see Boxing below] +are unable to function in ESS. It is generally a menace to the true phreak. +Stands For: Electronic Switching System. because they could appear on a filter +somewhere or maybe it is just nice to know them any ways. + A) SSS: Strowger Switching System. First non-operator system +available. + B) WES: Western Electronics Switching. Used about 40 years ago +with some minor places out west. + Boxing [Boks'-ing]: 1) The use of personally designed boxes that emit or +cancel electronical impulses that allow simpler acting while phreaking. Through +the use of separate boxes, you can accomplish most feats possible with or +without the control of an operator. + 2) Some boxes and their functions are listed below. Ones +marked with '*' indicate that they are not operatable in ESS. + *Black Box: Makes it seem to the phone company that the phone was never +picked up. + + Blue Box: Emits a 2600hz tone that allows you to do such things as stack +a trunk line, kick the operator off line, and others. + + Red Box: Simulates the noise of a quarter, nickel, or dime being +dropped into a payphone. + + Cheese Box: Turns your home phone into a pay phone to throw off traces (a +red box is usually needed in order to call out.) + + *Clear Box: Gives you a dial tone on some of the old SxS payphones without +putting in a coin. + + Beige Box: A simpler produced linesman's handset that allows you to tap +into phone lines and extract by eavesdropping, or crossing wires, etc. + Purple Box: Makes all calls made out from your house seem to be local +calls. + ANI [ANI]: 1) Automatic Number Identification. A service available on ESS +that allows a phone service [see Dialups below] to record the number that any +certain code was dialed from along with the number that was called and print + + Page 21 + + + + + The Official Phreaker's Manual + +both of these on the customer bill. 950 dialups [see Dialups below] are all +designed just to use ANI. Some of the services do not have the proper equipment +to read the ANI impulses yet, but it is impossible to see which is which +without being busted or not busted first. + Dialups + [dy'l'ups]: 1) Any local or 800 extended outlet that allows instant access to +any service such as MCI, Sprint, or AT&T that from there can be used by +handpicking or using a program to reveal other peoples codes which can then be +used moderately until they find out about it and you must switch to another +code (preferably before they find out about it.) + 2) Dialups are extremely common on both senses. Some dialups +reveal the company that operates them as soon as you hear the tone. Others are +much harder and some you may never be able to identify. A small list of +dialups: + 1-800-421-9438 (5 digit codes) + 1-800-547-6754 (6 digit codes) + 1-800-345-0008 (6 digit codes) + 1-800-734-3478 (6 digit codes) + 1-800-222-2255 (5 digit codes) + 3) Codes: Codes are very easily accessed procedures when you call +a dialup. They will give you some sort of tone. If the tone does not end in 3 +seconds, then punch in the code and immediately following the code, the number +you are dialing but strike the '1' in the beginning out first. If the tone does +end, then punch in the code when the tone ends. Then, it will give you another +tone. Punch in the number you are dialing, or a '9'. If you punch in a '9' and +the tone stops, then you messed up a little. If you punch in a tone and the +tone continues, then simply dial then number you are calling without the '1'. + 4) All codes are not universal. The only type that I know of that +is truly universal is Metrophone. Almost every major city has a local Metro +dialup (for Philadelphia, (215)351-0100/0126) and since the codes are +universal, almost every phreak has used them once or twice. They do not employ +ANI in any outlets that I know of, so feel free to check through your books and +call 555-1212 or, as a more devious manor, subscribe yourself. Then, never use +your own code. That way, if they check up on you due to your caller log, they +can usually find out that you are subscribed. Not only that but you could set a +phreak hacker around that area and just let it hack away, since they usually +group them, and, as a bonus, you will have their local dialup. + 5) 950's. They seem like a perfectly cool phreakers dream. They +are free from your house, from payphones, from everywhere, and they host all of +the major long distance companies (950-1044 , 950-1077 , 950-1088 +, 950-1033 .) Well, they aren't. They were designed for +ANI. That is the point, end of discussion. + + A phreak dictionary. If you remember all of the things contained on that file +up there, you may have a better chance of doing whatever it is you do. This +next section is maybe a little more interesting... + +Blue Box Plans: +--------------- + + These are some blue box plans, but first, be warned, there have been 2600hz +tone detectors out on operator trunk lines since XB4. The idea behind it is to +use a 2600hz tone for a few very naughty functions that can really make your +day lighten up. But first, here are the plans, or the heart of the file: + +============================================== +700 : 1 : 2 : 4 : 7 : 11 : +900 : + : 3 : 5 : 8 : 12 : + + Page 22 + + + + + The Official Phreaker's Manual + +1100 : + : + : 6 : 9 : KP : +1300 : + : + : + : 10 : KP2 : +1500 : + : + : + : + : ST : + : 700 : 900 :1100 :1300 :1500 : +============================================== + + Stop! Before you diehard users start piecing those little tone tidbits +together, there is a simpler method. If you have an Apple-Cat with a program +like Cat's Meow IV, then you can generate the necessary tones, the 2600hz tone, +the KP tone, the KP2 tone, and the ST tone through the dial section. So if you +have that I will assume you can boot it up and it works, and I'll do you the +favor of telling you and the other users what to do with the blue box now that +you have somehow constructed it. + The connection to an operator is one of the most well known and used ways of +having fun with your blue box. You simply dial a TSPS (Traffic Service +Positioning Station, or the operator you get when you dial '0') and blow a +2600hz tone through the line. Watch out! Do not dial this direct! After you +have done that, it is quite simple to have fun with it. Blow a KP tone to start +a call, a ST tone to stop it, and a 2600hz tone to hang up. Once you have +connected to it, here are some fun numbers to call with it: + +0-700-456-1000 Teleconference (free, because you are the operator!) +(Area code)-101 Toll Switching +(Area code)-121 Local Operator (hehe) +(Area code)-131 Information +(Area code)-141 Rate & Route +(Area code)-181 Coin Refund Operator +(Area code)-11511 Conference operator (when you dial 800-544-6363) + + Well, those were the tone matrix controllers for the blue box and some other +helpful stuff to help you to start out with. But those are only the functions +with the operator. There are other k-fun things you can do with it... + More advanced Blue Box Stuff: + Oops. Small mistake up there. I forgot tone lengths. Um, you blow a tone +pair out for up to 1/10 of a second with another 1/10 second for silence +between the digits. KP tones should be sent for 2/10 of a second. One way to +confuse the 2600hz traps is to send pink noise over the channel (for all of you +that have decent BSR equalizers, there is major pink noise in there...) +Using the operator functions is the use of the 'inward' trunk line. That is +working it from the inside. From the 'outward' trunk, you can do such things as +make emergency breakthrough calls, tap into lines, busy all of the lines in any +trunk (called 'stacking'), enable or disable the TSPS's, and for some 4a +systems you can even re-route calls to anywhere. + + All right. The one thing that every complete phreak guide should not be +without is blue box plans, since they were once a vital part of phreaking. +Another thing that every complete file needs is a complete listing of all of +the 800 numbers around so you can have some more fun. + +/-/ 800 Dialup Listings /-/ + +1-800-345-0008 (6) 1-800-547-6754 (6) +1-800-245-4890 (4) 1-800-327-9136 (4) +1-800-526-5305 (8) 1-800-858-9000 (3) +1-800-437-9895 (7) 1-800-245-7508 (5) +1-800-343-1844 (4) 1-800-322-1415 (6) +1-800-437-3478 (6) 1-800-325-7222 (6) + + + Page 23 + + + + + The Official Phreaker's Manual + + All right, set Cat Hacker 1.0 on those numbers and have a fuck of a day. That +is enough with 800 codes, by the time this gets around to you I dunno what +state those codes will be in, but try them all out anyways and see what you +get. On some 800 services now, they have an operator who will answer and ask +you for your code, and then your name. Some will switch back and forth between +voice and tone verification, you can never be quite sure which you will be up +against. + Armed with this knowledge you should be having a pretty good time phreaking +now. But class isn't over yet, there are still a couple important rules that +you should know. If you hear continual clicking on the line, then you should +assume that an operator is messing with something, maybe even listening in on +you. It is a good idea to call someone back when the phone starts doing that. +If you were using a code, use a different code and/or service to call him +back. + A good way to detect if a code has gone bad or not is to listen when the +number has been dialed. If the code is bad you will probably hear the phone +ringing more clearly and more quickly than if you were using a different code. +If someone answers voice to it then you can immediately assume that it is an +operative for whatever company you are using. The famed '311311' code for Metro +is one of those. You would have to be quite stupid to actually respond, because +whoever you ask for the operator will always say 'He's not in right now, can I +have him call you back?' and then they will ask for your name and phone number. +Some of the more sophisticated companies will actually give you a carrier on a +line that is supposed to give you a carrier and then just have garbage flow +across the screen like it would with a bad connection. That is a feeble effort +to make you think that the code is still working and maybe get you to dial +someone's voice... a good test for the carrier trick is to dial a number that +will give you a carrier that you have never dialed with that code before, that +will allow you to determine whether the code is good or not. + For our next section, a lighter look at some of the things that a phreak +should not be without. A vocabulary. A few months ago, it was a quite strange +world for the modem people out there. But now, a phreaker's vocabulary is +essential if you wanna make a good impression on people when you post what you +know about certain subjects. + +/-/ Vocabulary /-/ + + - Do not misspell except certain exceptions: + phone -> fone + freak -> phreak + - Never substitute 'z's for 's's. (i.e. codez -> codes) + - Never leave many characters after a post (i.e. Hey Dudes!#!@#@!#!@) + - NEVER use the 'k' prefix (k-kool, k-rad, k-whatever) + - Do not abbreviate. (I got lotsa wares w/ docs) + - Never substitute '0' for 'o' (r0dent, l0zer). + - Forget about ye old upper case, it looks ruggyish. + + All right, that was to relieve the tension of what is being drilled into your +minds at the moment.. now, however, back to the teaching course. Here are some +things you should know about phones and billings for phones, etc. + + LATA: Local Access Transference Area. Some people who live in large cities or +areas may be plagued by this problem. For instance, let's say you live in the +215 area code under the 542 prefix (Ambler, Fort Washington). If you went to +dial in a basic Metro code from that area, for instance, 351-0100, that might +not be counted under unlimited local calling because it is out of your LATA. +For some LATA's, you have to dial a '1' without the area code before you can +dial the phone number. That could prove a hassle for us all if you didn't + + Page 24 + + + + + The Official Phreaker's Manual + +realize you would be billed for that sort of call. In that way, sometimes, it +is better to be safe than sorry and phreak. + The Caller Log: In ESS regions, for every household around, the phone company +has something on you called a Caller Log. This shows every single number that +you dialed, and things can be arranged so it showed every number that was +calling to you. That's one main disadvantage of ESS, it is mostly computerized +so a number scan could be done like that quite easily. Using a dialup is an +easy way to screw that, and is something worth remembering. Anyways, with the +caller log, they check up and see what you dialed. Hmm... you dialed 15 +different 800 numbers that month. Soon they find that you are subscribed to +none of those companies. But that is not the only thing. Most people would +imagine "But wait! 800 numbers don't show up on my phone bill!". To those +people, it is a nice thought, but 800 numbers are picked up on the caller log +until right before they are sent off to you. So they can check right up on you +before they send it away and can note the fact that you fucked up slightly and +called one too many 800 lines. + +Right now, after all of that, you should have a pretty good idea of how to grow +up as a good phreak. Follow these guidelines, don't show off, and don't take +unnecessary risks when phreaking or hacking. + +File Level:5 + + /-/ Credits /-/ + + To The Videosmith- for setting me straight on some shit. + To The Linesman- for telling me to upload it to his AE line. + To Modern Mutant- for making me into a phreaking freak. + To Jack the Nibbler- for the basis of the blue box plans. + + By using your new k-koool (hehe) phreaking knowledge, call a couple of these +BBS's around the country: + + /---------------------------------\ + | Bulletin Board List | + | --------------------- | + | 215/844-8836 | + | 7 Cities of Gold (3/12) 10megs | + | 307/382-4006 | + | Brainstorm BBS (3/12) | + | 612/345-2815 | + | Metal Shop (3/12) | + | 314/432-0756 | + \---------------------------------/ + + Stay free! And watch out soon for Deep Thought, somewhere in 215, that will be +a nice BBS that Ace of Spades and I will run. You will be the first to find out +about it, trust me... + +Later, + +The Traveler +Zer0-g + + + + + + + Page 25 + + + + + The Official Phreaker's Manual + + ************ << BIOC AGENT 003'S COURSE IN >> ************ + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART I * + * * + ********************************************************** + + +HOW TO BE A REAL PHREAK +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN THE PHONE PHREAK SOCIETY THERE ARE CERTAIN VALUES THAT EXIST IN ORDER TO +BE A TRUE PHREAK, THESE ARE BEST SUMMED UP BY THE MAGICIAN: + + "MANY PEOPLE THINK OF PHONE PHREAKS AS SLIME, OUT TO RIP OFF BELL FOR +ALL SHE IS WORTH. NOTHING COULD BE FURTHER FROM THE TRUTH! GRANTED, THERE ARE +SOME WHO GET THEIR KICKS BY MAKING FREE CALLS; HOWEVER, THEY ARE NOT TRUE PHONE +PHREAKS. REAL PHONE PHREAKS ARE 'TELECOMMUNICATIONS HOBBYISTS' WHO EXPERIMENT, +PLAY WITH AND LEARN FROM THE PHONE SYSTEM. OCCASIONALLY THIS EXPERIMENTING, AND +A NEED TO COMMUNICATE WITH OTHER PHREAKS ( WITH-OUT GOING BROKE), LEADS TO FREE +CALLS. THE FREE CALLS ARE BUT A SMALL SUBSET OF A TRUE PHONE PHREAKS +ACTIVITIES." + +THE PHONE PHREAK'S TEN COMMANDMENTS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +REPRINTED FROM TAP ISSUE #86. (TAP, ROOM 603, 147 W 42 STREET, NEW YORK, NY +10036) SEND A SASE FOR THEIR INFO SHEET AND TELL THEM THAT BIOC AGENT 003 TOLD +YOU ABOUT IT.) + + +I. BOX THOU NOT OVER THINE HOME TELEPHONE WIRES, FOR THOSE WHO DOEST MUST +SURELY BRING THE WRATH OF THE CHIEF SPECIAL AGENT DOWN UPON THY HEADS. + +II. SPEAKEST THOU NOT OF IMPORTANT MATTERS OVER THINE HOME TELEPHONE WIRES, +FOR TO DO SO IS TO RISK THINE RIGHT OF FREEDOM. + +III. USE NOT THINE OWN NAME WHEN SPEAKING TO OTHER PHREAKS, FOR THAT EVERY +THIRD PHREAK IS AN FBI AGENT IS WELL KNOWN. + +IV. LET NOT OVERLY MANY PEOPLE KNOW THAT THY BE A PHREAK, AS TO DO SO IS TO +USE THINE OWN SELF AS A SACRIFICIAL LAMB. + +V. IF THOU BE IN SCHOOL, STRIVE TO GET THIN SELF GOOD GRADES, FOR THE +AUTHORITIES WELL KNOW THAT SCHOLARS NEVER BREAK THE LAW. + +VI. IF THOU WORKEST, TRY TO BE A EMPLOYEE, AND IMPRESSEST THINE BOSS WITH +THINE ENTHUSIASM, FOR IMPORTANT EMPLOYEES ARE OFTEN SAVED BY THEIR OWN BOSSES. + +VII. STOREST THOU NOT THINE STOLEN GOODS IN THINE OWN HOME, FOR THOSE WHO DO +ARE SURELY NON-BELIEVERS IN THE BELL SYSTEM SECURITY FORCES, AND ARE NOT LONG +FOR THIS WORLD. + +VIII. ATTRACTEST THOU NOT THE ATTENTION OF THE AUTHORITIES, AS THE LESS +NOTICEABLE THOU ART, THE BETTER. + + + Page 26 + + + + + The Official Phreaker's Manual + +IX. MAKEST SURE THINE FRIENDS ARE INSTANT AMNESIACS AND WILL NOT REMEMBER +THAT THOU HAVE CALLED ILLEGALLY, FOR THEIR COOPERATION WITH THE AUTHORITIES +WILL SURELY LESSEN THINE TIME FOR FREEDOM ON THIS EARTH. + +X. SUPPORTEST THOU TAP, AS IT IS THINE NEWSLETTER, AND WITHOUT IT, THY WORK +WILL BE FAR MORE LIMITED. + +CN/A NUMBERS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + CUSTOMER NAME & ADDRESS BUREAUS EXIST SO THAT AUTHORIZED BELL EMPLOYEES MAY +OBTAIN THE NAME & ADDRESS OF ANY CUSTOMER IN THE BELL SYSTEM BY GIVING THE CN/A +OPERATOR THE CUSTOMER'S TEL-#. ALL CUSTOMERS ARE MAINTAINED ON FILE INCLUDING +UNLISTED #'S. THESE BUREAUS HAVE MANY USES FOR PHREAKS. + HERE IS HOW AN EMPLOYEE MIGHT GO ABOUT CALLING CN/A: +"HI, THIS IS JOHN DOE FROM THE MIAMI RESIDENTIAL SERVICE CENTER, CAN I HAVE THE +CUSTOMERS NAME AT (123) 555-1212." + + THE EMPLOYEES USUALLY USE THESE FOR CHECKING WHO BELONGS TO A # THAT +SOMEONE CLAIMED THEY DIDN'T CALL.IF YOU SOUND CHEERY AND NATURAL THE OPERATOR +WILL NEVER ASK ANY QUESTIONS. IF YOU DON'T SOUND LIKE A MATURE ADULT, DON'T USE +IT! ALWAYS PRACTICE FIRST & SO YOU DON'T SCREW UP AND MAKE THE OPERATOR +SUSPICIOUS. USE NAME THAT SOUNDS REAL, NOT YOUR PIRATE NAME EITHER! ALSO SAY +THAT YOU ARE FRO A CITY THAT IS FAR AWAY FROM THE ONE THAT YOU ARE CALLING. + + THE CN/A NUMBER FOR THE NY AREA & VICINITY (212, 315, 516, 518, 607, 716, & +914), IS 518/471-8111, AND IS OPEN DURING BUSINESS HOURS. DON'T ABUSE +IT!!!!!!! + +AT&T NEWSLINES +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + AT&T NEWSLINES ARE NUMBERS AT AREA PHONE OFFICES THAT TELCO EMPLOYEES CALL +TO FIND OUT THE LATEST INFO ON NEW TECHNOLOGY, STOCKS, ETC. THE RECORDED +REPORTS RANGE FROM VERY BORING TO VERY INTERESTING. + +HERE ARE A FEW OF THE NUMBERS: + + *(201) 483-3800 NJ (518) 471-2272 NY + (203) 771-4920 CN (717) 255-5555 PA + (212) 393-2151 NY (717) 787-1031 PA + (516) 234-9941 NY *(914) 948-8100 NY + + SOME OF THESE NUMBERS ARE TOLL-FREE, BUT YOU CAN'T ALWAYS COUNT ON IT. + +* THESE NUMBERS ARE NOT ALWAYS UP! + +NUMBERS FROM OTHER AREAS ARE AVAILABLE BY REQUEST FROM F)BIOC L)AGENT 003. + +ANI NUMBERS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + ANI NUMBERS IDENTIFY THE PHONE NUMBER THAT YOU ARE CALLING FROM. IT IS +USEFUL WHEN PLAYING IN CANS (THOSE BIG SILVER BOXES ON TELEPHONE POLES) TO FIND +OUT THE # OF THE LINE. IT IS ALSO GOOD TO FIND OUT THE # OF A PHONE THAT +DOESN'T HAVE IT PRINTED ON IT. IN THE 914 AREA CODE THE ANI # IS 990. IF YOU +JUST HAVE TO DIAL THE LAST 4 DIGITS FOR A LOCAL #, IE CONGERS (268), DIAL +1-990-1111, WHERE 1111 ARE DUMMY DIGITS THERE IS ALSO A LESS USEFUL TYPE OF + + Page 27 + + + + + The Official Phreaker's Manual + +ANI# WHICH WILL IDENTIFY THE AREA CODE & EXCHANGE. IT IS NXX-9901, WHERE 'NXX' +IS THE EXCHANGE. IN THE 212 & 516 AREA CODES THE ANI # IS 958. + +PHREAK NEWSLETTER +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + TAP IS THE "OFFICIAL" PHONE PHREAK NEWSLETTER, AND HAS EXISTED SINCE 1971. +EACH 4 PAGE ISSUE IS CRAMMED FULL OF INFORMATION ON PHONE PHREAKING, COMPUTER +PHREAKING, FREE GAS, FREE ELECTRICITY, FREE POSTAGE, BREAKING & ENTERING INFO, +ETC. IT IS LARGELY PHONE PHREAK ORIENTED, HOWEVER. + + A 10 ISSUE SUBSCRIPTION COSTS $8.00, IF YOU GET A BULK RATE SEALED ENVELOPE +SUBSCRIPTION. I WOULD RECOMMEND THE FIRST CLASS SUBSCRIPTION, WHICH IS $10. + + AS OF THIS WRITING (7-16-83), THE CURRENT ISSUE IS #86, AND ISSUE #50 IS 8 +PAGES INSTEAD OF THE USUAL 4. BACK ISSUES ARE $0.75 EACH, AND ISSUE #50 IS +$1.50. A BRIEF INDEX TO THE FIRST 80 ISSUES IS AVAILABLE FOR A SASE, OR FREE +WITH A SUBSCRIPTION ORDER. TAP IS NON-PROFIT, AND IN DESPERATE NEED OF MATERIAL +(ARTICLES), MONEY, AND VOLUNTEERS. + +TAP +ROOM 603 +147 WEST 42ND STREET +NEW YORK, NY 10036 + +BELIEVE ME: IT WILL BE THE BEST $10 YOU WILL EVER SPEND... + +BLACK BOX +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THE BLACK BOX IS A DEVICE THAT ATTACHED TO A CALLED PARTIES PHONE +THAT ALLOWS HIM/HER TO RECEIVE FREE LONG DISTANCE CALLS FROM FRIENDS WHO +CALL. + + YOU ONLY NEED 2 PARTS: A SPST TOGGLE SWITCH AND A 10,000 OHM (10 K), +1/2 WATT, 10% RESISTOR. ANY ELECTRONICS PLACE SHOULD HAVE THESE. + + NOW, CUT TWO PIECES OF WIRE, ABOUT 6 INCHES, AND ATTACH THESE TO THE TWO +SCREWS ON THE SWITCH. TURN YOUR NORMAL DDSIDE DOWN AND UNSCREW THE 2 SCREWS. +LOCATE THE "F" AND "RR" SCREWS ON THE NETWORK BOX. WRAP THE RESISTOR BETWEEN +THESE 2 SCREWS AND MAKE SURE THAT THE WIRES TOUCH ONLY THE PROPER TERMINALS! +NOW CONNECT ONE WIRE FROM THE SWITCH TO THE RR TERMINAL. FINALLY, ATTACH THE +REMAINING WIRE TO THE GREEN WIRE (DISCONNECT IT FROM ITS TERMINAL). NOW BRING +THE SWITCH OUT THE REAR OF THE PHONE AND CLOSE IT UP. PUT THE SWITCH IN A +POSITION WHERE YOU GET A DIAL TONE, MARK THIS NORMAL. MARK THE OTHER SIDE +FREE. + + WHEN YOUR FRIENDS CALL (AT A PREARRANGED TIME), QUICKLY LIFT & DROP THE +RECEIVER AS FAST AS POSSIBLE. THIS WILL STOP THE RINGING, IF NOT TRY AGAIN. IT +IS VERY IMPORTANT THAT YOU DO IT FAST! NOW PUT THE SWITCH IN THE FREE POSITION +AND PICK UP THE PHONE. KEEP ALL CALLS SHORT & UNDER 15 MINUTES. + + WHEN SOMEONE CALLS YOU LONG-DISTANCE, THEY ARE BILLED FROM THE MOMENT YOU +ANSWER. THE TELCO KNOWS WHEN YOU ANSWER DUE TO A CERTAIN AMOUNT OF VOLTAGE THAT +FLOWS WHEN YOU PICK UP THE PHONE. HOWEVER, THE RESISTOR CUTS DOWN ON THE +VOLTAGE SO IT IS BELOW THE BILLING RANGE BUT SUFFICIENT ENOUGH TO OPERATE THE +MOUTHPIECE. ANSWERING THE PHONE FOR A FRACTION OF A SECOND STOPS THE RING BUT +IT IS NOT ENOUGH FOR BILLING TO START. IF THE PHONE IS ANSWERED FOR EVEN ONE + + Page 28 + + + + + The Official Phreaker's Manual + +FULL SECOND, BILLING WILL START AND YOU WILL BE CUT OFF WHEN YOU HANG UP AND +SWITCH TO FREE. + +WARNING: BELL CAN RANDOMLY LOOK FOR BLACK BOXES SO BE CAREFUL! + + _____________________________________ +| | +---BLUE WIRE-->>F< | +| | | | +--WHITE WIRE---/ | | +| | | +| RESISTOR | +| | | +| | | +| >RR<-------SWITCH--\ | +| | | +----GREEN WIRE--------------------/ | +| | +|_____________________________________| + +DIAL LOCKS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + HAVE YOU EVER BEEN IN AN OFFICE OR SOMEWHERE AND WANTED TO MAKE A FREE FONE +CALL BUT SOME ASSHOLE PUT A LOCK ON THE FONE TO PREVENT OUT-GOING CALLS? FRET +NO MORE PHELLOW PHREAKS, FOR EVERY SYSTEM CAN BE BEATEN WITH A LITTLE +KNOWLEDGE! + + THERE ARE TWO WAYS TO BEAT THIS OBSTACLE, FIRST PICK THE LOCK, I DON'T HAVE +THE TIME TO TEACH LOCKSMITHING SO WE GO TO THE SECOND METHOD WHICH TAKES +ADVANTAGE OF TELEPHONE ELECTRONICS. + + TO BE AS SIMPLE AS POSSIBLE, WHEN YOU PICK UP THE FONE YOU COMPLETE A +CIRCUIT KNOW AS A LOCAL LOOP. WHEN YOU HANG-UP YOU BREAK THE CIRCUIT. WHEN +YOU DIAL (PULSE) IT ALSO BREAKS THE CIRCUIT BUT NOT LONG ENOUGH TO HANG UP! SO +YOU CAN "PUSH-DIAL." TO DO THIS YOU >>> RAPIDLY <<< DEPRESS THE SWITCHHOOK. +FOR EXAMPLE, TO DIAL AN OPERATOR (AND THEN GIVE HER THE NUMBER YOU WANT CALLED) +>>> RAPIDLY <<< & >>> EVENLY <<< DEPRESS THE SWITCHHOOK 10 TIMES. TO DIAL +634-1268, DEPRESS 6 X'S PAUSE, THEN 3 X'S, PAUSE, THEN 4X'S, ETC. IT TAKES A +LITTLE PRACTICE BUT YOU'LL GET THE HANG OF IT. TRY PRACTICING WITH YOUR OWN # +SO YOU'LL GET A BUSY TONE WHEN RIGHT. IT'LL ALSO WORK ON TOUCH-TONE(TM) SINCE +A DTMF LINE WILL ALSO ACCEPT PULSE. ALSO, NEVER DEPRESS THE SWITCHHOOK FOR +MORE THAN A SECOND OR IT'LL HANG-UP! + + FINALLY, REMEMBER THAT YOU HAVE JUST AS MUCH RIGHT TO THAT FONE AS THE +ASSHOLE WHO PUT THE LOCK ON IT! + +EXCHANGE SCANNING +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + ALMOST EVERY EXCHANGE IN THE BELL SYSTEM HAS TEST #'S AND OTHER "GOODIES" +SUCH AS LOOPS WITH DIAL-UPS. THESE "GOODIES" ARE USUALLY FOUND BETWEEN 9900 AND +9999 IN YOUR LOCAL EXCHANGE. IF YOU HAVE THE TIME AND INITIATIVE, SCAN YOUR +EXCHANGE AND YOU MAY BECOME LUCKY! + +HERE ARE MY FINDINGS IN THE 914-268 EXCHANGE: + + + + Page 29 + + + + + The Official Phreaker's Manual + +9900 - ANI (SEE SEPARATE BULLETIN) +9901 - ANI (SEE SEPARATE BULLETIN) +9927 - OSC. TONE (POSSIBLE TONE SIDE OF A LOOP) +9936 - VOICE # TO THE TELCO CENTRAL OFFICE +9937 - VOICE # TO THE TELCO CENTRAL OFFICE +9941 - COMPUTER (DIGITAL VOICE TRANSMISSION?) +9960 - OSC. TONE (TONE SIDE LOOP) MAY ALSO BE A COMPUTER IN SOME EXCHANGES +9961 - NO RESPONSE (OTHER END OF LOOP?) +9962 - NO RESPONSE (OTHER END OF LOOP?) +9963 - NO RESPONSE (OTHER END OF LOOP?) +9966 - COMPUTER (SEE 9941) +9968 - TONE THAT DISAPPEARS--RESPONDS TO CERTAIN TOUCH-TONE KEYS + + MOST OF THE NUMBERS BETWEEN 9900 & 9999 WILL RING OR GO TO A "WHAT #, +PLEASE?" OPERATOR. + +HAVE PHUN AND REMEMBER IT'S ONLY A LOCAL CALL! + +TOUCH-TONE & FREE CALLS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +THERE ARE SEVERAL WAYS TO MAKE FREE CALLS (SPRINT, MCI, ETC.) USING A ROTARY +PHONE. THEY ARE: + +1. USE A NUMBER THAT ACCEPTS VOICE AS WELL AS DTMF. SUCH A # IS (800) +521-8400. AS OF WRITING THIS, A CODE WAS 00717865. + + A) IF USING VOICE, WAIT FOR THE COMPUTER TO SAY, "AUTHORIZATION #, PLEASE." +THEN SAY EACH DIGIT SLOWLY, IT WILL BEEP AFTER EACH DIGIT IS SAID. AFTER EVERY +GROUP OF DIGITS, IT WILL REPEAT WHAT YOU HAVE SAID, THEN SAY YES IF IT IS +CORRECT, OTHERWISE SAY NO. IF THE ACCESS CODE IS CORRECT, IT WILL THANK YOU AND +ASK FOR THE DESTINATION #, THEN SAY THE AREA CODE + NUMBER AS ABOVE. ANOTHER +SUCH # IS (800) 245-8173, WHICH HAS A 6 DIGIT ACCESS CODE. (NOTE: IF USING +TOUCH-TONE ON THIS #, ENTER THE CODE IMMEDIATELY AFTER THE TONE STOPS.) + +2. HOOK UP A TOUCH-TONE FONE INTO YOUR ROTARY FONE. ATTACH THE RED WIRE FROM +THE TOUCH-TONE FONE TO THE "R" TERMINAL INSIDE THE FONE ON THE NETWORK BOX. +THEN HOOK THE GREEN WIRE TO THE "B" TERMINAL. TO USE THIS DIAL THE # USING +ROTARY & THEN USE THE TOUCH-TONE FOR THE CODES. (DON'T HANG UP THE ROTARY FONE +WHILE DOING THIS THOUGH!) IF THIS DOESN'T WORK THEN REVERSE THE 2 WIRES. +(NOTE:IF YOUR LINE CAN ACCEPT TOUCH-TONE BUT YOU HAVE A ROTARY FONE THEN YOU +CAN HOOK UP A TONE FONE DIRECTLY FOR ALL CALLS BUT THIS USUALLY ISN'T THE +CASE.) SUCH AS RADIO SHACK'S 43-138. + +OTHER ALTERNATIVES +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +4. USE A CHARGE-A-CALL FONE. (THESE ALSO MAKE GREAT EXTENSIONS IF YOU REMOVE +IT USING A HEX WRENCH WITH A HOLE IN THE MIDDLE ON THE CENTER SCREW!)--(THESE +FONES, FOR THE BENEFIT OF THOSE WHO DON'T KNOW, ARE BLUE WITH NO COIN SLOTS). + +5. USE A PAY FONE THAT WANTS YOUR MONEY BEFORE THE DIAL TONE. PUT IN YOUR +DIME, DIAL THE #; IF IT'S AN 800 # THEN YOUR DIME WILL COME BACK, IMMEDIATELY +PUT A DIME BACK IN (IT'LL COME BACK WHEN YOU HANG UP!) IF IT IS A TONE FIRST +FONE AND IT DISCONNECTS THE KEYPAD (SOME DON'T) THEN FIND ANOTHER FONE. + + + + + Page 30 + + + + + The Official Phreaker's Manual + + Chapter 2 + + Well now we know a little vocabulary, and now its into history, Phreak +history. Back at MIT in 1964 arrived a student by the name of Stewart Nelson, +who was extremely interested in the telephone. Before entering MIT, he had +built autodialers, cheese boxes, and many more gadgets. But when he came to +MIT he became even more interested in "fone-hacking" as they called it. After +a little while he naturally started using the PDP-1, the schools computer at +that time, and from there he decided that it would be interesting to see +whether the computer could generate the frequencies required for blue boxing. +The hackers at MIT were not interested in ripping off Ma Bell, but just +exploring the telephone network. Stew (as he was called) wrote a program to +generate all the tones and set off into the vast network. + Now there were more people phreaking than the ones at MIT. Most people have +heard of Captain Crunch (No not the cereal), he also discovered how to take +rides through the fone system, with the aid of a small whistle found in a +cereal box (can we guess which one?). By blowing this whistle, he generated +the magical 2600hz and into the mouthpiece it sailed, giving him complete +control over the system. I have heard rumors that at one time he made about +1/4 of the calls coming out of San Francisco. He got famous fast. He made the +cover of people magazine and was interviewed several times (as you'll soon +see). Well he finally got caught after a long adventurous career. After he +was caught he was put in jail and was beaten up quite badly because he would +not teach other inmates how to box calls. After getting out, he joined Apple +computer and is still out there somewhere. + Then there was Joe the Whistler, blind form the day he was born. He could +whistle a perfect 2600hz tone. It was rumored phreaks used to call him to tune +their boxes. + Well that was up to about 1970, then from 1970 to 1979, phreaking was mainly +done by college students, businessmen and anyone who knew enough about +electronics and the fone company to make a 555 Ic to generate those magic +tones. Businessmen and a few college students mainly just blue box to get free +calls. The others were still there, exploring 800#'s and the new ESS systems. +ESS posed a big problem for phreaks then and even a bigger one now. ESS was +not widespread, but where it was, blue boxing was next to impossible except for +the most experienced phreak. Today ESS is installed in almost all major cities +and blue boxing is getting harder and harder. + 1978 marked a change in phreaking, the Apple ][, now a computer that was +affordable, could be programmed, and could save all that precious work on a +cassette. Then just a short while later came the Apple Cat modem. With this +modem, generating all blue box tones was easy as writing a program to count +form one to ten (a little exaggerated). Pretty soon programs that could +imitate an operator just as good as the real thing were hitting the community, +TSPS and Cat's Meow, are the standard now and are the best. + 1982-1986: LD services were starting to appear in mass numbers. People now +had programs to hack LD services, telephone exchanges, and even passwords. By +now many phreaks were getting extremely good and BBS's started to spring up +everywhere, each having many documentations on phreaking for the novice. Then +it happened, the movie War Games was released and mass numbers of sixth grade +to all ages flocked to see it. The problem wasn't that the movie was bad, it +was that now EVERYONE wanted to be a hacker/phreak. Novices came out in such +mass numbers, that bulletin boards started to be busy 24 hours a day. To this +day, they still have not recovered. Other problems started to occur, novices +guessed easy passwords on large government computers and started to play +around... Well it wasn't long before they were caught, I think that many +people remember the 414-hackers. They were so stupid as to say "yes" when the +computer asked them whether they'd like to play games. Well at least it takes +the heat off the real phreaks/hacker/krackers. + + Page 31 + + + + + The Official Phreaker's Manual + + After a little history, how about a little thrill? I don't know if this +story is true but it sure is as bad as shit! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 32 + + + + + The Official Phreaker's Manual + + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + * * + * +----------------------------------------------+ * + * * + * Secrets of the Little Blue Box * + * * + * by Ron Rosenbaum * + * Typed by One Farad Cap/AAG * + * * + * -A story so incredible it may even make you * + * feel sorry for the phone company- * + * * + * (First of four files) * + * * + * +----------------------------------------------+ * + * * + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + +Dudes... These four files contain the story, "Secrets of the Little Blue Box", +by Ron Rosenbaum. + +-A story so incredible it may even make you feel sorry for the phone company- + +Printed in the October 1971 issue of Esquire Magazine. If you happen to be in +a library and come across a collection of Esquire magazines, the October 1971 +issue is the first issue printed in the smaller format. The story begins on +page 116 with a picture of a blue box. + --One Farad Cap, Atlantic Anarchist Guild + + +The Blue Box Is Introduced: Its Qualities Are Remarked + +I am in the expensively furnished living room of Al Gilbertson (His real name +has been changed.), the creator of the "blue box." Gilbertson is holding one of +his shiny black-and-silver "blue boxes" comfortably in the palm of his hand, +pointing out the thirteen little red push buttons sticking up from the console. +He is dancing his fingers over the buttons, tapping out discordant beeping +electronic jingles. He is trying to explain to me how his little blue box does +nothing less than place the entire telephone system of the world, satellites, +cables and all, at the service of the blue-box operator, free of charge. + +"That's what it does. Essentially it gives you the power of a super operator. +You seize a tandem with this top button," he presses the top button with his +index finger and the blue box emits a high-pitched cheep, "and like that" -- +cheep goes the blue box again -- "you control the phone company's long-distance +switching systems from your cute little Princes phone or any old pay phone. +And you've got anonymity. An operator has to operate from a definite location: +the phone company knows where she is and what she's doing. But with your +beeper box, once you hop onto a trunk, say from a Holiday Inn 800 (toll-free) +number, they don't know where you are, or where you're coming from, they don't +know how you slipped into their lines and popped up in that 800 number. They +don't even know anything illegal is going on. And you can obscure your origins +through as many levels as you like. You can call next door by way of White +Plains, then over to Liverpool by cable, and then back here by satellite. You +can call yourself from one pay phone all the way around the world to a pay +phone next to you. And you get your dime back too." + +"And they can't trace the calls? They can't charge you?" + + Page 33 + + + + + The Official Phreaker's Manual + + +"Not if you do it the right way. But you'll find that the free-call thing +isn't really as exciting at first as the feeling of power you get from having +one of these babies in your hand. I've watched people when they first get hold +of one of these things and start using it, and discover they can make +connections, set up crisscross and zigzag switching patterns back and forth +across the world. They hardly talk to the people they finally reach. They say +hello and start thinking of what kind of call to make next. They go a little +crazy." He looks down at the neat little package in his palm. His fingers are +still dancing, tapping out beeper patterns. + +"I think it's something to do with how small my models are. There are lots of +blue boxes around, but mine are the smallest and most sophisticated +electronically. I wish I could show you the prototype we made for our big +syndicate order." + +He sighs. "We had this order for a thousand beeper boxes from a syndicate +front man in Las Vegas. They use them to place bets coast to coast, keep lines +open for hours, all of which can get expensive if you have to pay. The deal +was a thousand blue boxes for $300 apiece. Before then we retailed them for +$1500 apiece, but $300,000 in one lump was hard to turn down. We had a +manufacturing deal worked out in the Philippines. Everything ready to go. +Anyway, the model I had ready for limited mass production was small enough to +fit inside a flip-top Marlboro box. It had flush touch panels for a keyboard, +rather than these unsightly buttons, sticking out. Looked just like a tiny +portable radio. In fact, I had designed it with a tiny transistor receiver to +get one AM channel, so in case the law became suspicious the owner could switch +on the radio part, start snapping his fingers, and no one could tell anything +illegal was going on. I thought of everything for this model -- I had it lined +with a band of thermite which could be ignited by radio signal from a tiny +button transmitter on your belt, so it could be burned to ashes instantly in +case of a bust. It was beautiful. A beautiful little machine. You should +have seen the faces on these syndicate guys when they came back after trying it +out. They'd hold it in their palm like they never wanted to let it go, and +they'd say, 'I can't believe it. I can't believe it.' You probably won't +believe it until you try it." + +The Blue Box Is Tested: Certain Connections Are Made + +About eleven o'clock two nights later Fraser Lucey has a blue box in the palm +of his left hand and a phone in the palm of his right. He is standing inside a +phone booth next to an isolated shut-down motel off Highway 1. I am standing +outside the phone booth. + +Fraser likes to show off his blue box for people. Until a few weeks ago when +Pacific Telephone made a few arrests in his city, Fraser Lucey liked to bring +his blue box (This particular blue box, like most blue boxes, is not blue. +Blue boxes have come to be called "blue boxes" either because 1) The first blue +box ever confiscated by phone-company security men happened to be blue, or 2) +To distinguish them from "black boxes." Black boxes are devices, usually a +resistor in series, which, when attached to home phones, allow all incoming +calls to be made without charge to one's caller.) to parties. It never failed: +a few cheeps from his device and Fraser became the center of attention at the +very hippest of gatherings, playing phone tricks and doing request numbers for +hours. He began to take orders for his manufacturer in Mexico. He became a +dealer. + +Fraser is cautious now about where he shows off his blue box. But he never + + Page 34 + + + + + The Official Phreaker's Manual + +gets tired of playing with it. "It's like the first time every time," he tells +me. + +Fraser puts a dime in the slot. He listens for a tone and holds the receiver +up to my ear. I hear the tone. Fraser begins describing, with a certain +practiced air, what he does while he does it. "I'm dialing an 800 number now. +Any 800 number will do. It's toll free. Tonight I think I'll use the ----- (he +names a well-know rent-a-car company) 800 number. Listen, It's ringing. Here, +you hear it? Now watch." He places the blue box over the mouthpiece of the +phone so that the one silver and twelve black push buttons are facing up toward +me. He presses the silver button -- the one at the top -- and I hear that +high-pitched beep. "That's 2600 cycles per second to be exact," says Lucey. +"Now, quick. listen." He shoves the earpiece at me. The ringing has vanished. +The line gives a slight hiccough, there is a sharp buzz, and then nothing but +soft white noise. + +"We're home free now," Lucey tells me, taking back the phone and applying the +blue box to its mouthpiece once again. "We're up on a tandem, into a +long-lines trunk. Once you're up on a tandem, you can send yourself anywhere +you want to go." He decides to check out London first. He chooses a certain +pay phone located in Waterloo Station. This particular pay phone is popular +with the phone-phreaks network because there are usually people walking by at +all hours who will pick it up and talk for a while. + +He presses the lower left-hand corner button which is marked "KP" on the face +of the box. "That's Key Pulse. It tells the tandem we're ready to give it +instructions. First I'll punch out KP 182 START, which will slide us into the +overseas sender in White Plains." I hear a neat clunk-cheep. "I think we'll +head over to England by satellite. Cable is actually faster and the connection +is somewhat better, but I like going by satellite. So I just punch out KP Zero +44. The Zero is supposed to guarantee a satellite connection and 44 is the +country code for England. Okay... we're there. In Liverpool actually. Now +all I have to do is punch out the London area code which is 1, and dial up the +pay phone. Here, listen, I've got a ring now." + +I hear the soft quick purr-purr of a London ring. Then someone picks up the +phone. + +"Hello," says the London voice. + +"Hello. Who's this?" Fraser asks. + +"Hello. There's actually nobody here. I just picked this up while I was +passing by. This is a public phone. There's no one here to answer actually." + +"Hello. Don't hang up. I'm calling from the United States." + +"Oh. What is the purpose of the call? This is a public phone you know." + +"Oh. You know. To check out, uh, to find out what's going on in London. How +is it there?" + +"Its five o'clock in the morning. It's raining now." + +"Oh. Who are you?" + +The London passerby turns out to be an R.A.F. enlistee on his way back to the +base in Lincolnshire, with a terrible hangover after a thirty-six-hour pass. + + Page 35 + + + + + The Official Phreaker's Manual + +He and Fraser talk about the rain. They agree that it's nicer when it's not +raining. They say good-bye and Fraser hangs up. His dime returns with a nice +clink. + +"Isn't that far out," he says grinning at me. "London, like that." + +Fraser squeezes the little blue box affectionately in his palm. "I told ya +this thing is for real. Listen, if you don't mind I'm gonna try this girl I +know in Paris. I usually give her a call around this time. It freaks her out. +This time I'll use the ------ (a different rent-a-car company) 800 number and +we'll go by overseas cable, 133; 33 is the country code for France, the 1 sends +you by cable. Okay, here we go.... Oh damn. Busy. Who could she be talking +to at this time?" + +A state police car cruises slowly by the motel. The car does not stop, but +Fraser gets nervous. We hop back into his car and drive ten miles in the +opposite direction until we reach a Texaco station locked up for the night. We +pull up to a phone booth by the tire pump. Fraser dashes inside and tries the +Paris number. It is busy again. + +"I don't understand who she could be talking to. The circuits may be busy. +It's too bad I haven't learned how to tap into lines overseas with this thing +yet." + +Fraser begins to phreak around, as the phone phreaks say. He dials a leading +nationwide charge card's 800 number and punches out the tones that bring him +the time recording in Sydney, Australia. He beeps up the weather recording in +Rome, in Italian of course. He calls a friend in Boston and talks about a +certain over-the-counter stock they are into heavily. He finds the Paris +number busy again. He calls up "Dial a Disc" in London, and we listen to +Double Barrel by David and Ahsil Cfllins, the number-one hit of the week in +London. He calls up a dealer of another sort and talks in code. He calls up +Joe Engressia, the original blind phone-phreak genius, and pays his respects. +There are other calls. Finally Fraser gets through to his young lady in +Paris. + +They both agree the circuits must have been busy, and criticize the Paris +telephone system. At two-thirty in the morning Fraser hangs up, pockets his +dime, and drives off, steering with one hand, holding what he calls his "lovely +little blue box" in the other. + +You Can Call Long Distance For Less Than You Think + +"You see, a few years ago the phone company made one big mistake," Gilbertson +explains two days later in his apartment. "They were careless enough to let +some technical journal publish the actual frequencies used to create all their +multi-frequency tones. Just a theoretical article some Bell Telephone +Laboratories engineer was doing about switching theory, and he listed the tones +in passing. At ----- (a well-known technical school) I had been fooling around +with phones for several years before I came across a copy of the journal in the +engineering library. I ran back to the lab and it took maybe twelve hours from +the time I saw that article to put together the first working blue box. It was +bigger and clumsier than this little baby, but it worked." + +It's all there on public record in that technical journal written mainly by +Bell Lab people for other telephone engineers. Or at least it was public. +"Just try and get a copy of that issue at some engineering-school library now. +Bell has had them all red-tagged and withdrawn from circulation," Gilbertson + + Page 36 + + + + + The Official Phreaker's Manual + +tells me. + +"But it's too late. It's all public now. And once they became public the +technology needed to create your own beeper device is within the range of any +twelve-year-old kid, any twelve-year-old blind kid as a matter of fact. And be +can do it in less than the twelve hours it took us. Blind kids do it all the +time. They can't build anything as precise and compact as my beeper box, but +theirs can do anything mine can do." + +"How?" + +"Okay. About twenty years ago A.T.&T. made a multi-billion-dollar decision to +operate its entire long-distance switching system on twelve electronically +generated combinations of twelve master tones. Those are the tones you +sometimes hear in the background after you've dialed a long-distance number. +They decided to use some very simple tones -- the tone for each number is just +two fixed single-frequency tones played simultaneously to create a certain beat +frequency. Like 1300 cycles per second and 900 cycles per second played +together give you the tone for digit 5. Now, what some of these phone phreaks +have done is get themselves access to an electric organ. Any cheap family +home-entertainment organ. Since the frequencies are public knowledge now -- +one blind phone phreak has even had them recorded in one of the talking books +for the blind -- they just have to find the musical notes on the organ which +correspond to the phone tones. Then they tape them. For instance, to get Ma +Bell's tone for the number 1, you press down organ keys F~5 and A~5 (900 and +700 cycles per second) at the same time. To produce the tone for 2 it's F~5 +and C~6 (1100 and 700 c.p.s). The phone phreaks circulate the whole list of +notes so there's no trial and error anymore." + +He shows me a list of the rest of the phone numbers and the two electric organ +keys that produce them. + +"Actually, you have to record these notes at 3 3/4 inches-per-second tape speed +and double it to 7 1/2 inches-per-second when you play them back, to get the +proper tones," he adds. + +"So once you have all the tones recorded, how do you plug them into the phone +system?" + +"Well, they take their organ and their cassette recorder, and start banging out +entire phone numbers in tones on the organ, including country codes, routing +instructions, 'KP' and 'Start' tones. Or, if they don't have an organ, someone +in the phone-phreak network sends them a cassette with all the tones recorded, +with a voice saying 'Number one,' then you have the tone, 'Number two,' then +the tone and so on. So with two cassette recorders they can put together a +series of phone numbers by switching back and forth from number to number. Any +idiot in the country with a cheap cassette recorder can make all the free calls +he wants." + +"You mean you just hold the cassette recorder up the mouthpiece and switch in a +series of beeps you've recorded? The phone thinks that anything that makes +these tones must be its own equipment?" + +"Right. As long as you get the frequency within thirty cycles per second of +the phone company's tones, the phone equipment thinks it hears its own voice +talking to it. The original granddaddy phone phreak was this blind kid with +perfect pitch, Joe Engressia, who used to whistle into the phone. An operator +could tell the difference between his whistle and the phone company's + + Page 37 + + + + + The Official Phreaker's Manual + +electronic tone generator, but the phone company's switching circuit can't tell +them apart. The bigger the phone company gets and the further away from human +operators it gets, the more vulnerable it becomes to all sorts of phone +phreaking." + +A Guide for the Perplexed + +"But wait a minute," I stop Gilbertson. "If everything you do sounds like +phone-company equipment, why doesn't the phone company charge you for the call +the way it charges its own equipment?" + +"Okay. That's where the 2600-cycle tone comes in. I better start from the +beginning." + +The beginning he describes for me is a vision of the phone system of the +continent as thousands of webs, of long-line trunks radiating from each of the +hundreds of toll switching offices to the other toll switching offices. Each +toll switching office is a hive compacted of thousands of long-distance tandems +constantly whistling and beeping to tandems in far-off toll switching offices. + +The tandem is the key to the whole system. Each tandem is a line with some +relays with the capability of signalling any other tandem in any other toll +switching office on the continent, either directly one-to-one or by programming +a roundabout route through several other tandems if all the direct routes are +busy. For instance, if you want to call from New York to Los Angeles and +traffic is heavy on all direct trunks between the two cities, your tandem in +New York is programmed to try the next best route, which may send you down to a +tandem in New Orleans, then up to San Francisco, or down to a New Orleans +tandem, back to an Atlanta tandem, over to an Albuquerque tandem and finally up +to Los Angeles. + +When a tandem is not being used, when it's sitting there waiting for someone to +make a long-distance call, it whistles. One side of the tandem, the side +"facing" your home phone, whistles at 2600 cycles per second toward all the +home phones serviced by the exchange, telling them it is at their service, +should they be interested in making a long-distance call. The other side of +the tandem is whistling 2600 c.p.s. into one or more long-distance trunk lines, +telling the rest of the phone system that it is neither sending nor receiving a +call through that trunk at the moment, that it has no use for that trunk at the +moment. + +"When you dial a long-distance number the first thing that happens is that you +are hooked into a tandem. A register comes up to the side of the tandem facing +away from you and presents that side with the number you dialed. This sending +side of the tandem stops whistling 2600 into its trunk line. When a tandem +stops the 2600 tone it has been sending through a trunk, the trunk is said to +be "seized," and is now ready to carry the number you have dialed -- converted +into multi-frequency beep tones -- to a tandem in the area code and central +office you want. + +Now when a blue-box operator wants to make a call from New Orleans to New York +he starts by dialing the 800 number of a company which might happen to have its +headquarters in Los Angeles. The sending side of the New Orleans tandem stops +sending 2600 out over the trunk to the central office in Los Angeles, thereby +seizing the trunk. Your New Orleans tandem begins sending beep tones to a +tandem it has discovered idly whistling 2600 cycles in Los Angeles. The +receiving end of that L.A. tandem is seized, stops whistling 2600, listens to +the beep tones which tell it which L.A. phone to ring, and starts ringing the + + Page 38 + + + + + The Official Phreaker's Manual + +800 number. Meanwhile a mark made in the New Orleans office accounting tape +notes that a call from your New Orleans phone to the 800 number in L.A. has +been initiated and gives the call a code number. Everything is routine so far. + +But then the phone phreak presses his blue box to the mouthpiece and pushes the +2600-cycle button, sending 2600 out from the New Orleans tandem to the L.A. +tandem. The L.A. tandem notices 2600 cycles are coming over the line again and +assumes that New Orleans has hung up because the trunk is whistling as if idle. +The L.A. tandem immediately ceases ringing the L.A. 800 number. But as soon as +the phreak takes his finger off the 2600 button, the L.A. tandem assumes the +trunk is once again being used because the 2600 is gone, so it listens for a +new series of digit tones - to find out where it must send the call. + +Thus the blue-box operator in New Orleans now is in touch with a tandem in L.A. +which is waiting like an obedient genie to be told what to do next. The +blue-box owner then beeps out the ten digits of the New York number which tell +the L.A. tandem to relay a call to New York City. Which it promptly does. As +soon as your party picks up the phone in New York, the side of the New Orleans +tandem facing you stops sending 2600 cycles to you and stars carrying his voice +to you by way of the L.A. tandem. A notation is made on the accounting tape +that the connection has been made on the 800 call which had been initiated and +noted earlier. When you stop talking to New York a notation is made that the +800 call has ended. + +At three the next morning, when the phone company's accounting computer starts +reading back over the master accounting tape for the past day, it records that +a call of a certain length of time was made from your New Orleans home to an +L.A. 800 number and, of course, the accounting computer has been trained to +ignore those toll-free 800 calls when compiling your monthly bill. + +"All they can prove is that you made an 800 toll-free call," Gilbertson the +inventor concludes. "Of course, if you're foolish enough to talk for two hours +on an 800 call, and they've installed one of their special anti-fraud computer +programs to watch out for such things, they may spot you and ask why you took +two hours talking to Army Recruiting's 800 number when you're 4-F. + +But if you do it from a pay phone, they may discover something peculiar the +next day -- if they've got a blue-box hunting program in their computer -- but +you'll be a long time gone from the pay phone by then. Using a pay phone is +almost guaranteed safe." + +"What about the recent series of blue-box arrests all across the country -- New +York, Cleveland, and so on?" I asked. "How were they caught so easily?" + +"From what I can tell, they made one big mistake: they were seizing trunks +using an area code plus 555-1212 instead of an 800 number. Using 555 is easy to +detect because when you send multi-frequency beep tones of 555 you get a charge +for it on your tape and the accounting computer knows there's something wrong +when it tries to bill you for a two-hour call to Akron, Ohio, information, and +it drops a trouble card which goes right into the hands of the security agent +if they're looking for blue-box user. + +"Whoever sold those guys their blue boxes didn't tell them how to use them +properly, which is fairly irresponsible. And they were fairly stupid to use +them at home all the time. + +"But what those arrests really mean is than an awful lot of blue boxes are +flooding into the country and that people are finding them so easy to make that + + Page 39 + + + + + The Official Phreaker's Manual + +they know how to make them before they know how to use them. Ma Bell is in +trouble." + +And if a blue-box operator or a cassette-recorder phone phreak sticks to pay +phones and 800 numbers, the phone company can't stop them? + +"Not unless they change their entire nationwide long-lines technology, which +will take them a few billion dollars and twenty years. Right now they can't do +a thing. They're screwed." + ++-- End first file of four --+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 40 + + + + + The Official Phreaker's Manual + + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + * * + * +----------------------------------------------+ * + * * + * Secrets of the Little Blue Box * + * * + * by Ron Rosenbaum * + * Typed by One Farad Cap/AAG * + * * + * -A story so incredible it may even make you * + * feel sorry for the phone company- * + * * + * (Second of four files) * + * * + * +----------------------------------------------+ * + * * + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + +Captain Crunch Demonstrates His Famous Unit + +There is an underground telephone network in this country. Gilbertson +discovered it the very day news of his activities hit the papers. That evening +his phone began ringing. Phone phreaks from Seattle, from Florida, from New +York, from San Jose, and from Los Angeles began calling him and telling him +about the phone-phreak network. He'd get a call from a phone phreak who'd say +nothing but, "Hang up and call this number." + +When he dialed the number he'd find himself tied into a conference of a dozen +phone phreaks arranged through a quirky switching station in British Columbia. +They identified themselves as phone phreaks, they demonstrated their homemade +blue boxes which they called "M-Fers" (for "multi-frequency," among other +things) for him, they talked shop about phone-phreak devices. They let him in +on their secrets on the theory that if the phone company was after him he must +be trustworthy. And, Gilbertson recalls, they stunned him with their technical +sophistication. + +I ask him how to get in touch with the phone-phreak network. He digs around +through a file of old schematics and comes up with about a dozen numbers in +three widely separated area codes. + +"Those are the centers," he tells me. Alongside some of the numbers he writes +in first names or nicknames: names like Captain Crunch, Dr. No, Frank Carson +(also a code word for a free call), Marty Freeman (code word for M-F device), +Peter Perpendicular Pimple, Alefnull, and The Cheshire Cat. He makes checks +alongside the names of those among these top twelve who are blind. There are +five checks. + +I ask him who this Captain Crunch person is. + +"Oh. The Captain. He's probably the most legendary phone phreak. He calls +himself Captain Crunch after the notorious Cap'n Crunch 2600 whistle." +(Several years ago, Gilbertson explains, the makers of Cap'n Crunch breakfast +cereal offered a toy-whistle prize in every box as a treat for the Cap'n Crunch +set. Somehow a phone phreak discovered that the toy whistle just happened to +produce a perfect 2600-cycle tone. When the man who calls himself Captain +Crunch was transferred overseas to England with his Air Force unit, he would +receive scores of calls from his friends and "mute" them -- make them free of +charge to them -- by blowing his Cap'n Crunch whistle into his end.) + + Page 41 + + + + + The Official Phreaker's Manual + + +"Captain Crunch is one of the older phone phreaks," Gilbertson tells me. "He's +an engineer who once got in a little trouble for fooling around with the phone, +but he can't stop. Well, they guy drives across country in a Volkswagen van +with an entire switchboard and a computerized super-sophisticated M-F-er in the +back. He'll pull up to a phone booth on a lonely highway somewhere, snake a +cable out of his bus, hook it onto the phone and sit for hours, days sometimes, +sending calls zipping back and forth across the country, all over the +world...." + +Back at my motel, I dialed the number he gave me for "Captain Crunch" and asked +for G---- T-----, his real name, or at least the name he uses when he's not +dashing into a phone booth beeping out M-F tones faster than a speeding bullet +and zipping phantomlike through the phone company's long-distance lines. + +When G---- T----- answered the phone and I told him I was preparing a story for +Esquire about phone phreaks, he became very indignant. + +"I don't do that. I don't do that anymore at all. And if I do it, I do it for +one reason and one reason only. I'm learning about a system. The phone +company is a System. A computer is a System, do you understand? If I do what +I do, it is only to explore a system. Computers, systems, that's my bag. The +phone company is nothing but a computer." + +A tone of tightly restrained excitement enters the Captain's voice when he +starts talking about systems. He begins to pronounce each syllable with the +hushed deliberation of an obscene caller. + +"Ma Bell is a system I want to explore. It's a beautiful system, you know, but +Ma Bell screwed up. It's terrible because Ma Bell is such a beautiful system, +but she screwed up. I learned how she screwed up from a couple of blind kids +who wanted me to build a device. A certain device. They said it could make +free calls. I wasn't interested in free calls. But when these blind kids told +me I could make calls into a computer, my eyes lit up. I wanted to learn about +computers. I wanted to learn about Ma Bell's computers. So I build the little +device, but I built it wrong and Ma Bell found out. Ma Bell can detect things +like that. Ma Bell knows. So I'm strictly rid of it now. I don't do it. +Except for learning purposes." He pauses. "So you want to write an article. +Are you paying for this call? Hang up and call this number." He gives me a +number in a area code a thousand miles away of his own. I dial the number. + +"Hello again. This is Captain Crunch. You are speaking to me on a toll-free +loop-around in Portland, Oregon. Do you know what a toll-free loop around is? +I'll tell you. + +He explains to me that almost every exchange in the country has open test +numbers which allow other exchanges to test their connections with it. Most of +these numbers occur in consecutive pairs, such as 302 956-0041 and 302 +956-0042. Well, certain phone phreaks discovered that if two people from +anywhere in the country dial the two consecutive numbers they can talk together +just as if one had called the other's number, with no charge to either of them, +of course. + +"Now our voice is looping around in a 4A switching machine up there in Canada, +zipping back down to me," the Captain tells me. "My voice is looping around up +there and back down to you. And it can't ever cost anyone money. The phone +phreaks and I have compiled a list of many many of these numbers. You would be +surprised if you saw the list. I could show it to you. But I won't. I'm out + + Page 42 + + + + + The Official Phreaker's Manual + +of that now. I'm not out to screw Ma Bell. I know better. If I do anything +it's for the pure knowledge of the System. You can learn to do fantastic +things. Have you ever heard eight tandems stacked up? Do you know the sound +of tandems stacking and unstacking? Give me your phone number. Okay. Hang up +now and wait a minute." + +Slightly less than a minute later the phone rang and the Captain was on the +line, his voice sounding far more excited, almost aroused. + +"I wanted to show you what it's like to stack up tandems. To stack up +tandems." (Whenever the Captain says "stack up" it sounds as if he is licking +his lips.) + +"How do you like the connection you're on now?" the Captain asks me. "It's a +raw tandem. A raw tandem. Ain't nothin' up to it but a tandem. Now I'm going +to show you what it's like to stack up. Blow off. Land in a far away place. +To stack that tandem up, whip back and forth across the country a few times, +then shoot on up to Moscow. + +"Listen," Captain Crunch continues. "Listen. I've got line tie on my +switchboard here, and I'm gonna let you hear me stack and unstack tandems. +Listen to this. It's gonna blow your mind." + +First I hear a super rapid-fire pulsing of the flutelike phone tones, then a +pause, then another popping burst of tones, then another, then another. Each +burst is followed by a beep-kachink sound. + +"We have now stacked up four tandems," said Captain Crunch, sounding somewhat +remote. "That's four tandems stacked up. Do you know what that means? That +means I'm whipping back and forth, back and forth twice, across the country, +before coming to you. I've been known to stack up twenty tandems at a time. +Now, just like I said, I'm going to shoot up to Moscow." + +There is a new, longer series of beeper pulses over the line, a brief silence, +then a ring. + +"Hello," answers a far-off voice. + +"Hello. Is this the American Embassy Moscow?" + +"Yes, sir. Who is this calling?" says the voice. + +"Yes. This is test board here in New York. We're calling to check out the +circuits, see what kind of lines you've got. Everything okay there in +Moscow?" + +"Okay?" + +"Well, yes, how are things there?" + +"Oh. Well, everything okay, I guess." + +"Okay. Thank you." + +They hang up, leaving a confused series of beep-kachink sounds hanging in +mid-ether in the wake of the call before dissolving away. + +The Captain is pleased. "You believe me now, don't you? Do you know what I'd + + Page 43 + + + + + The Official Phreaker's Manual + +like to do? I'd just like to call up your editor at Esquire and show him just +what it sounds like to stack and unstack tandems. I'll give him a show that +will blow his mind. What's his number? + +I ask the Captain what kind of device he was using to accomplish all his feats. +The Captain is pleased at the question. + +"You could tell it was special, couldn't you?" Ten pulses per second. That's +faster than the phone company's equipment. Believe me, this unit is the most +famous unit in the country. There is no other unit like it. Believe me." + +"Yes, I've heard about it. Some other phone phreaks have told me about it." + +"They have been referring to my, ahem, unit? What is it they said? Just out of +curiosity, did they tell you it was a highly sophisticated computer-operated +unit, with acoustical coupling for receiving outputs and a switch-board with +multiple-line-tie capability? Did they tell you that the frequency tolerance +is guaranteed to be not more than .05 percent? The amplitude tolerance less +than .01 decibel? Those pulses you heard were perfect. They just come faster +than the phone company. Those were high-precision op-amps. Op-amps are +instrumentation amplifiers designed for ultra-stable amplification, super-low +distortion and accurate frequency response. Did they tell you it can operate +in temperatures from -55 degrees C to +125 degrees C?" + +I admit that they did not tell me all that. + +"I built it myself," the Captain goes on. "If you were to go out and buy the +components from an industrial wholesaler it would cost you at least $1500. I +once worked for a semiconductor company and all this didn't cost me a cent. Do +you know what I mean? Did they tell you about how I put a call completely +around the world? I'll tell you how I did it. I M-Fed Tokyo inward, who +connected me to India, India connected me to Greece, Greece connected me to +Pretoria, South Africa, South Africa connected me to South America, I went from +South America to London, I had a London operator connect me to a New York +operator, I had New York connect me to a California operator who rang the phone +next to me. Needless to say I had to shout to hear myself. But the echo was +far out. Fantastic. Delayed. It was delayed twenty seconds, but I could hear +myself talk to myself." + +"You mean you were speaking into the mouthpiece of one phone sending your voice +around the world into your ear through a phone on the other side of your head?" +I asked the Captain. I had a vision of something vaguely autoerotic going on, +in a complex electronic way. + +"That's right," said the Captain. "I've also sent my voice around the world +one way, going east on one phone, and going west on the other, going through +cable one way, satellite the other, coming back together at the same time, +ringing the two phones simultaneously and picking them up and whipping my +voice both ways around the world back to me. Wow. That was a mind blower." + +"You mean you sit there with both phones on your ear and talk to yourself +around the world," I said incredulously. + +"Yeah. Um hum. That's what I do. I connect the phone together and sit there +and talk." + +"What do you say? What do you say to yourself when you're connected?" + + + Page 44 + + + + + The Official Phreaker's Manual + +"Oh, you know. Hello test one two three," he says in a low-pitched voice. + +"Hello test one two three," he replied to himself in a high-pitched voice. + +"Hello test one two three," he repeats again, low-pitched. + +"Hello test one two three," he replies, high-pitched. + +"I sometimes do this: Hello Hello Hello Hello, Hello, hello," he trails off and +breaks into laughter. + +Why Captain Crunch Hardly Ever Taps Phones Anymore + +Using internal phone-company codes, phone phreaks have learned a simple method +for tapping phones. Phone-company operators have in front of them a board that +holds verification jacks. It allows them to plug into conversations in case of +emergency, to listen in to a line to determine if the line is busy or the +circuits are busy. Phone phreaks have learned to beep out the codes which lead +them to a verification operator, tell the verification operator they are +switchmen from some other area code testing out verification trunks. Once the +operator hooks them into the verification trunk, they disappear into the board +for all practical purposes, slip unnoticed into any one of the 10,000 to +100,000 numbers in that central office without the verification operator +knowing what they're doing, and of course without the two parties to the +connection knowing there is a phantom listener present on their line. + +Toward the end of my hour-long first conversation with him, I asked the Captain +if he ever tapped phones. + +"Oh no. I don't do that. I don't think it's right," he told me firmly. "I +have the power to do it but I don't... Well one time, just one time, I have to +admit that I did. There was this girl, Linda, and I wanted to find out... you +know. I tried to call her up for a date. I had a date with her the last +weekend and I thought she liked me. I called her up, man, and her line was +busy, and I kept calling and it was still busy. Well, I had just learned about +this system of jumping into lines and I said to myself, 'Hmmm. Why not just +see if it works. It'll surprise her if all of a sudden I should pop up on her +line. It'll impress her, if anything.' So I went ahead and did it. I M-Fed +into the line. My M-F-er is powerful enough when patched directly into the +mouthpiece to trigger a verification trunk without using an operator the way +the other phone phreaks have to. + +"I slipped into the line and there she was talking to another boyfriend. +Making sweet talk to him. I didn't make a sound because I was so disgusted. +So I waited there for her to hang up, listening to her making sweet talk to the +other guy. You know. So as soon as she hung up I instantly M-F-ed her up and +all I said was, 'Linda, we're through.' And I hung up. And it blew her head +off. She couldn't figure out what the hell happened. + +"But that was the only time. I did it thinking I would surprise her, impress +her. Those were all my intentions were, and well, it really kind of hurt me +pretty badly, and... and ever since then I don't go into verification trunks." + +Moments later my first conversation with the Captain comes to a close. + +"Listen," he says, his spirits somewhat cheered, "listen. What you are going +to hear when I hang up is the sound of tandems unstacking. Layer after layer of +tandems unstacking until there's nothing left of the stack, until it melts away + + Page 45 + + + + + The Official Phreaker's Manual + +into nothing. Cheep, cheep, cheep, cheep," he concludes, his voice descending +to a whisper with each cheep. + +He hangs up. The phone suddenly goes into four spasms: kachink cheep. Kachink +cheep kachink cheep kachink cheep, and the complex connection has wiped itself +out like the Cheshire cat's smile. + +The MF Boogie Blues + +The next number I choose from the select list of phone-phreak alumni, prepared +for me by the blue-box inventor, is a Memphis number. It is the number of Joe +Engressia, the first and still perhaps the most accomplished blind phone +phreak. + +Three years ago Engressia was a nine-day wonder in newspapers and magazines all +over America because he had been discovered whistling free long-distance +connections for fellow students at the University of South Florida. Engressia +was born with perfect pitch: he could whistle phone tones better than the +phone-company's equipment. + +Engressia might have gone on whistling in the dark for a few friends for the +rest of his life if the phone company hadn't decided to expose him. He was +warned, disciplined by the college, and the whole case became public. In the +months following media reports of his talent, Engressia began receiving strange +calls. There were calls from a group of kids in Los Angeles who could do some +very strange things with the quirky General Telephone and Electronics circuitry +in L.A. suburbs. There were calls from a group of mostly blind kids in ----, +California, who had been doing some interesting experiments with Cap'n Crunch +whistles and test loops. There was a group in Seattle, a group in Cambridge, +Massachusetts, a few from New York, a few scattered across the country. Some +of them had already equipped themselves with cassette and electronic M-F +devices. For some of these groups, it was the first time they knew of the +others. + +The exposure of Engressia was the catalyst that linked the separate +phone-phreak centers together. They all called Engressia. They talked to him +about what he was doing and what they were doing. And then he told them -- the +scattered regional centers and lonely independent phone phreakers -- about each +other, gave them each other's numbers to call, and within a year the scattered +phone-phreak centers had grown into a nationwide underground. + +Joe Engressia is only twenty-two years old now, but along the phone-phreak +network he is "the old man," accorded by phone phreaks something of the +reverence the phone company bestows on Alexander Graham Bell. He seldom needs +to make calls anymore. The phone phreaks all call him and let him know what +new tricks, new codes, new techniques they have learned. Every night he sits +like a sightless spider in his little apartment receiving messages from every +tendril of his web. It is almost a point of pride with Joe that they call +him. + +But when I reached him in his Memphis apartment that night, Joe Engressia was +lonely, jumpy and upset. + +"God, I'm glad somebody called. I don't know why tonight of all nights I don't +get any calls. This guy around here got drunk again tonight and propositioned +me again. I keep telling him we'll never see eye to eye on this subject, if +you know what I mean. I try to make light of it, you know, but he doesn't get +it. I can head him out there getting drunker and I don't know what he'll do + + Page 46 + + + + + The Official Phreaker's Manual + +next. It's just that I'm really all alone here, just moved to Memphis, it's +the first time I'm living on my own, and I'd hate for it to all collapse now. +But I won't go to bed with him. I'm just not very interested in sex and even +if I can't see him I know he's ugly. + +"Did you hear that? That's him banging a bottle against the wall outside. +He's nice. Well forget about it. You're doing a story on phone phreaks? +Listen to this. It's the MF Boogie Blues. + +Sure enough, a jumpy version of Muskrat Ramble boogies its way over the line, +each note one of those long-distance phone tones. The music stops. A huge +roaring voice blasts the phone off my ear: "AND THE QUESTION IS..." roars the +voice, "CAN A BLIND PERSON HOOK UP AN AMPLIFIER ON HIS OWN?" + +The roar ceases. A high-pitched operator-type voice replaces it. "This is +Southern Braille Tel. & Tel. Have tone, will phone." + +This is succeeded by a quick series of M-F tones, a swift "kachink" and a deep +reassuring voice: "If you need home care, call the visiting-nurses association. +First National time in Honolulu is 4:32 p.m." + +Joe back in his Joe voice again: "Are we seeing eye to eye? 'Si, si,' said the +blind Mexican. Ahem. Yes. Would you like to know the weather in Tokyo?" + +This swift manic sequence of phone-phreak vaudeville stunts and blind-boy jokes +manages to keep Joe's mind off his tormentor only as long as it lasts. + +"The reason I'm in Memphis, the reason I have to depend on that homosexual guy, +is that this is the first time I've been able to live on my own and make phone +trips on my own. I've been banned from all central offices around home in +Florida, they knew me too well, and at the University some of my fellow +scholars were always harassing me because I was on the dorm pay phone all the +time and making fun of me because of my fat ass, which of course I do have, +it's my physical fatness program, but I don't like to hear it every day, and if +I can't phone trip and I can't phone phreak, I can't imagine what I'd do, I've +been devoting three quarters of my life to it. + +"I moved to Memphis because I wanted to be on my own as well as because it has +a Number 5 crossbar switching system and some interesting little independent +phone-company districts nearby and so far they don't seem to know who I am so I +can go on phone tripping, and for me phone tripping is just as important as +phone phreaking." + +Phone tripping, Joe explains, begins with calling up a central-office switch +room. He tells the switchman in a polite earnest voice that he's a blind +college student interested in telephones, and could he perhaps have a guided +tour of the switching station? Each step of the tour Joe likes to touch and +feel relays, caress switching circuits, switchboards, crossbar arrangements. + +So when Joe Engressia phone phreaks he feels his way through the circuitry of +the country garden of forking paths, he feels switches shift, relays shunt, +crossbars swivel, tandems engage and disengage even as he hears -- with perfect +pitch -- his M-F pulses make the entire Bell system dance to his tune. + +Just one month ago Joe took all his savings out of his bank and left home, over +the emotional protests of his mother. "I ran away from home almost," he likes +to say. Joe found a small apartment house on Union Avenue and began making +phone trips. He'd take a bus a hundred miles south in Mississippi to see some + + Page 47 + + + + + The Official Phreaker's Manual + +old-fashioned Bell equipment still in use in several states, which had been +puzzling. He'd take a bus three hundred miles to Charlotte, North Carolina, to +look at some brand-new experimental equipment. He hired a taxi to drive him +twelve miles to a suburb to tour the office of a small phone company with some +interesting idiosyncrasies in its routing system. He was having the time of +his life, he said, the most freedom and pleasure he had known. + +In that month he had done very little long-distance phone phreaking from his +own phone. He had begun to apply for a job with the phone company, he told me, +and he wanted to stay away from anything illegal. + +"Any kind of job will do, anything as menial as the most lowly operator. +That's probably all they'd give me because I'm blind. Even though I probably +know more than most switchmen. But that's okay. I want to work for Ma Bell. +I don't hate Ma Bell the way Gilbertson and some phone phreaks do. I don't +want to screw Ma Bell. With me it's the pleasure of pure knowledge. There's +something beautiful about the system when you know it intimately the way I do. +But I don't know how much they know about me here. I have a very intuitive +feel for the condition of the line I'm on, and I think they're monitoring me +off and on lately, but I haven't been doing much illegal. I have to make a few +calls to switchmen once in a while which aren't strictly legal, and once I took +an acid trip and was having these auditory hallucinations as if I were trapped +and these planes were dive-bombing me, and all of sudden I had to phone phreak +out of there. For some reason I had to call Kansas City, but that's all." + +A Warning Is Delivered + +At this point -- one o'clock in my time zone -- a loud knock on my motel-room +door interrupts our conversation. Outside the door I find a uniformed security +guard who informs me that there has been an "emergency phone call" for me while +I have been on the line and that the front desk has sent him up to let me +know. + +Two seconds after I say good-bye to Joe and hang up, the phone rings. + +"Who were you talking to?" the agitated voice demands. The voice belongs to +Captain Crunch. "I called because I decided to warn you of something. I +decided to warn you to be careful. I don't want this information you get to +get to the radical underground. I don't want it to get into the wrong hands. +What would you say if I told you it's possible for three phone phreaks to +saturate the phone system of the nation. Saturate it. Busy it out. All of +it. I know how to do this. I'm not gonna tell. A friend of mine has already +saturated the trunks between Seattle and New York. He did it with a +computerized M-F-er hitched into a special Manitoba exchange. But there are +other, easier ways to do it." + +Just three people? I ask. How is that possible? + +"Have you ever heard of the long-lines guard frequency? Do you know about +stacking tandems with 17 and 2600? Well, I'd advise you to find out about it. +I'm not gonna tell you. But whatever you do, don't let this get into the hands +of the radical underground." + +(Later Gilbertson, the inventor, confessed that while he had always been +skeptical about the Captain's claim of the sabotage potential of trunk-tying +phone phreaks, he had recently heard certain demonstrations which convinced him +the Captain was not speaking idly. "I think it might take more than three +people, depending on how many machines like Captain Crunch's were available. + + Page 48 + + + + + The Official Phreaker's Manual + +But even though the Captain sounds a little weird, he generally turns out to +know what he's talking about.") + +"You know," Captain Crunch continues in his admonitory tone, "you know the +younger phone phreaks call Moscow all the time. Suppose everybody were to call +Moscow. I'm no right-winger. But I value my life. I don't want the Commies +coming over and dropping a bomb on my head. That's why I say you've got to be +careful about who gets this information." + +The Captain suddenly shifts into a diatribe against those phone phreaks who +don't like the phone company. + +"They don't understand, but Ma Bell knows everything they do. Ma Bell knows. +Listen, is this line hot? I just heard someone tap in. I'm not paranoid, but +I can detect things like that. Well, even if it is, they know that I know that +they know that I have a bulk eraser. I'm very clean." The Captain pauses, +evidently torn between wanting to prove to the phone-company monitors that he +does nothing illegal, and the desire to impress Ma Bell with his prowess. "Ma +Bell knows how good I am. And I am quite good. I can detect reversals, tandem +switching, everything that goes on on a line. I have relative pitch now. Do +you know what that means? My ears are a $20,000 piece of equipment. With my +ears I can detect things they can't hear with their equipment. I've had +employment problems. I've lost jobs. But I want to show Ma Bell how good I +am. I don't want to screw her, I want to work for her. I want to do good for +her. I want to help her get rid of her flaws and become perfect. That's my +number-one goal in life now." The Captain concludes his warnings and tells me +he has to be going. "I've got a little action lined up for tonight," he +explains and hangs up. + +Before I hang up for the night, I call Joe Engressia back. He reports that his +tormentor has finally gone to sleep -- "He's not blind drunk, that's the way I +get, ahem, yes; but you might say he's in a drunken stupor." I make a date to +visit Joe in Memphis in two days. + ++-- End second file of four --+ + + + + + + + + + + + + + + + + + + + + + + + + + Page 49 + + + + + The Official Phreaker's Manual + + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + * * + * +----------------------------------------------+ * + * * + * Secrets of the Little Blue Box * + * * + * by Ron Rosenbaum * + * Typed by One Farad Cap/AAG * + * * + * -A story so incredible it may even make you * + * feel sorry for the phone company- * + * * + * (Third of four files) * + * * + * +----------------------------------------------+ * + * * + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + +A Phone Phreak Call Takes Care of Business + +The next morning I attend a gathering of four phone phreaks in ----- (a +California suburb). The gathering takes place in a comfortable split-level +home in an upper-middle-class subdivision. Heaped on the kitchen table are the +portable cassette recorders, M-F cassettes, phone patches, and line ties of the +four phone phreaks present. On the kitchen counter next to the telephone is a +shoe-box-size blue box with thirteen large toggle switches for the tones. The +parents of the host phone phreak, Ralph, who is blind, stay in the living room +with their sighted children. They are not sure exactly what Ralph and his +friends do with the phone or if it's strictly legal, but he is blind and they +are pleased he has a hobby which keeps him busy. + +The group has been working at reestablishing the historic "2111" conference, +reopening some toll-free loops, and trying to discover the dimensions of what +seem to be new initiatives against phone phreaks by phone-company security +agents. + +It is not long before I get a chance to see, to hear, Randy at work. Randy is +known among the phone phreaks as perhaps the finest con man in the game. Randy +is blind. He is pale, soft and pear-shaped, he wears baggy pants and a wrinkly +nylon white sport shirt, pushes his head forward from hunched shoulders +somewhat like a turtle inching out of its shell. His eyes wander, crossing and +recrossing, and his forehead is somewhat pimply. He is only sixteen years +old. + +But when Randy starts speaking into a telephone mouthpiece his voice becomes so +stunningly authoritative it is necessary to look again to convince yourself it +comes from a chubby adolescent Randy. Imagine the voice of a crack oil-rig +foreman, a tough, sharp, weather-beaten Marlboro man of forty. Imagine the +voice of a brilliant performance-fund gunslinger explaining how he beats the +Dow Jones by thirty percent. Then imagine a voice that could make those two +sound like Stepin Fetchit. That is sixteen-year-old Randy's voice. + +He is speaking to a switchman in Detroit. The phone company in Detroit had +closed up two toll-free loop pairs for no apparent reason, although heavy use +by phone phreaks all over the country may have been detected. Randy is telling +the switchman how to open up the loop and make it free again: + +"How are you, buddy. Yeah. I'm on the board in here in Tulsa, Oklahoma, and + + Page 50 + + + + + The Official Phreaker's Manual + +we've been trying to run some tests on your loop-arounds and we find'em busied +out on both sides.... Yeah, we've been getting a 'BY' on them, what d'ya say, +can you drop cards on 'em? Do you have 08 on your number group? Oh that's +okay, we've had this trouble before, we may have to go after the circuit. Here +lemme give 'em to you: your frame is 05, vertical group 03, horizontal 5, +vertical file 3. Yeah, we'll hang on here.... Okay, found it? Good. Right, +yeah, we'd like to clear that busy out. Right. All you have to do is look for +your key on the mounting plate, it's in your miscellaneous trunk frame. Okay? +Right. Now pull your key from NOR over the LCT. Yeah. I don't know why that +happened, but we've been having trouble with that one. Okay. Thanks a lot +fella. Be seein' ya." + +Randy hangs up, reports that the switchman was a little inexperienced with the +loop-around circuits on the miscellaneous trunk frame, but that the loop has +been returned to its free-call status. + +Delighted, phone phreak Ed returns the pair of numbers to the active-status +column in his directory. Ed is a superb and painstaking researcher. With +almost Talmudic thoroughness he will trace tendrils of hints through soft-wired +mazes of intervening phone-company circuitry back through complex linkages of +switching relays to find the location and identity of just one toll-free loop. +He spends hours and hours, every day, doing this sort of thing. He has somehow +compiled a directory of eight hundred "Band-six in-WATS numbers" located in +over forty states. Band-six in-WATS numbers are the big 800 numbers -- the +ones that can be dialed into free from anywhere in the country. + +Ed the researcher, a nineteen-year-old engineering student, is also a superb +technician. He put together his own working blue box from scratch at age +seventeen. (He is sighted.) This evening after distributing the latest issue +of his in-WATS directory (which has been typed into Braille for the blind phone +phreaks), he announces he has made a major new breakthroufh: + b"I finally tested it and it works, perfectly. I've got this switching matrix +which converts any touch-tone phone into an M-F-er." + +The tones you hear in touch-tone phones are not the M-F tones that operate the +long-distance switching system. Phone phreaks believe A.T.&T. had deliberately +equipped touch tones with a different set of frequencies to avoid putting the +six master M-F tones in the hands of every touch-tone owner. Ed's complex +switching matrix puts the six master tones, in effect put a blue box, in the +hands of every touch-tone owner. + +Ed shows me pages of schematics, specifications and parts lists. "It's not easy +to build, but everything here is in the Heathkit catalog." + +Ed asks Ralph what progress he has made in his attempts to reestablish a +long-term open conference line for phone phreaks. The last big conference -- +the historic "2111" conference -- had been arranged through an unused Telex +test-board trunk somewhere in the innards of a 4A switching machine in +Vancouver, Canada. For months phone phreaks could M-F their way into +Vancouver, beep out 604 (the Vancouver area code) and then beep out 2111 (the +internal phone-company code for Telex testing), and find themselves at any +time, day or night, on an open wire talking with an array of phone phreaks from +coast to coast, operators from Bermuda, Tokyo and London who are phone-phreak +sympathizers, and miscellaneous guests and technical experts. The conference +was a massive exchange of information. Phone phreaks picked each other's +brains clean, then developed new ways to pick the phone company's brains clean. +Ralph gave M F Boogies concerts with his home-entertainment-type electric + + Page 51 + + + + + The Official Phreaker's Manual + +organ, Captain Crunch demonstrated his round-the-world prowess with his +notorious computerized unit and dropped leering hints of the "action" he was +getting with his girl friends. (The Captain lives out or pretends to liv` out +several kinds of fantasies to the gossipy delight of the blind phone phreaks +who urge him on to further triumphs on behalf of all of them.) The somewhat +rowdy Northwest phone-phreak crowd let their bitter internal feud spill over +into the peaceable conference line, escalating shortly into guerrilla warfare; +Carl the East Coast international tone relations expert demonstrated newly +opened direct M-F routes to central offices on the island of Bahrein in the +Persian Gulf, introduced a new phone-phreak friend of his in Pretoria, and +explained the technical operation of the new Oakland-to Vietnam linkages. +(Many phone phreaks pick up spending money by M-F-ing calls from relatives to +Vietnam G.I.'s, charging $5 for a whole hour of trans-Pacific conversation.) + +Day and night the conference line was never dead. Blind phone phreaks all over +the country, lonely and isolated in homes filled with active sighted brothers +and sisters, or trapped with slow and unimaginative blind kids in straitjacket +schools for the blind, knew that no matter how late it got they could dial up +the conference and find instant electronic communion with two or three other +blind kids awake over on the other side of America. Talking together on a +phone hookup, the blind phone phreaks say, is not much different from being +there together. Physically, there was nothing more than a two-inch-square wafer +of titanium inside a vast machine on Vancouver Island. For the blind kids +>there< meant an exhilarating feeling of being in touch, through a kind of +skill and magic which was peculiarly their own. + +Last April 1, however, the long Vancouver Conference was shut off. The phone +phreaks knew it was coming. Vancouver was in the process of converting from a +step-by-step system to a 4A machine and the 2111 Telex circuit was to be wiped +out in the process. The phone phreaks learned the actual day on which the +conference would be erased about a week ahead of time over the phone company's +internal-news-and-shop-talk recording. + +For the next frantic seven days every phone phreak in America was on and off +the 2111 conference twenty-four hours a day. Phone phreaks who were just +learning the game or didn't have M-F capability were boosted up to the +conference by more experienced phreaks so they could get a glimpse of what it +was like before it disappeared. Top phone phreaks searched distant area codes +for new conference possibilities without success. Finally in the early morning +of April 1, the end came. + +"I could feel it coming a couple hours before midnight," Ralph remembers. "You +could feel something going on in the lines. Some static began showing up, then +some whistling wheezing sound. Then there were breaks. Some people got cut +off and called right back in, but after a while some people were finding they +were cut off and couldn't get back in at all. It was terrible. I lost it +about one a.m., but managed to slip in again and stay on until the thing +died... I think it was about four in the morning. There were four of us still +hanging on when the conference disappeared into nowhere for good. We all tried +to M-F up to it again of course, but we got silent termination. There was +nothing there." + +The Legendary Mark Bernay Turns Out To Be "The Midnight Skulker" + +Mark Bernay. I had come across that name before. It was on Gilbertson's +select list of phone phreaks. The California phone phreaks had spoken of a +mysterious Mark Bernay as perhaps the first and oldest phone phreak on the West +Coast. And in fact almost every phone phreak in the West can trace his origins + + Page 52 + + + + + The Official Phreaker's Manual + +either directly to Mark Bernay or to a disciple of Mark Bernay. + +It seems that five years ago this Mark Bernay (a pseudonym he chose for +himself) began traveling up and down the West Coast pasting tiny stickers in +phone books all along his way. The stickers read something like "Want to hear +an interesting tape recording? Call these numbers." The numbers that followed +were toll-free loop-around pairs. When one of the curious called one of the +numbers he would hear a tape recording pre-hooked into the loop by Bernay which +explained the use of loop-around pairs, gave the numbers of several more, and +ended by telling the caller, "At six o'clock tonight this recording will stop +and you and your friends can try it out. Have fun." + +"I was disappointed by the response at first," Bernay told me, when I finally +reached him at one of his many numbers and he had dispensed with the usual "I +never do anything illegal" formalities which experienced phone phreaks open +most conversations. + +"I went all over the coast with these stickers not only on pay phones, but I'd +throw them in front of high schools in the middle of the night, I'd leave them +unobtrusively in candy stores, scatter them on main streets of small towns. At +first hardly anyone bothered to try it out. I would listen in for hours and +hours after six o'clock and no one came on. I couldn't figure out why people +wouldn't be interested. Finally these two girls in Oregon tried it out and +told all their friends and suddenly it began to spread." + +Before his Johny Appleseed trip Bernay had already gathered a sizable group of +early pre-blue-box phone phreaks together on loop-arounds in Los Angeles. +Bernay does not claim credit for the original discovery of the loop-around +numbers. He attributes the discovery to an eighteen-year-old reform school kid +in Long Beach whose name he forgets and who, he says, "just disappeared one +day." When Bernay himself discovered loop-arounds independently, from clues in +his readings in old issues of the Automatic Electric Technical Journal, he +found dozens of the reform-school kid's friends already using them. However, it +was one of Bernay's disciples in Seattle that introduced phone phreaking to +blind kids. The Seattle kid who learned about loops through Bernay's recording +told a blind friend, the blind kid taught the secret to his friends at a winter +camp for blind kids in Los Angeles. When the camp session was over these kids +took the secret back to towns all over the West. This is how the original +blind kids became phone phreaks. For them, for most phone phreaks in general, +it was the discovery of the possibilities of loop-arounds which led them on to +far more serious and sophisticated phone-phreak methods, and which gave them a +medium for sharing their discoveries. + +A year later a blind kid who moved back east brought the technique to a blind +kids' summer camp in Vermont, which spread it along the East Coast. All from a +Mark Bernay sticker. + +Bernay, who is nearly thirty years old now, got his start when he was fifteen +and his family moved into an L.A. suburb serviced by General Telephone and +Electronics equipment. He became fascinated with the differences between Bell +and G.T.&E. equipment. He learned he could make interesting things happen by +carefully timed clicks with the disengage button. He learned to interpret +subtle differences in the array of clicks, whirrs and kachinks he could hear on +his lines. He learned he could shift himself around the switching relays of +the L.A. area code in a not-too-predictable fashion by interspersing his own +hook-switch clicks with the clicks within the line. (Independent phone +companies -- there are nineteen hundred of them still left, most of them tiny +island principalities in Ma Bell's vast empire -- have always been favorites + + Page 53 + + + + + The Official Phreaker's Manual + +with phone phreaks, first as learning tools, then as Archimedes platforms from +which to manipulate the huge Bell system. A phone phreak in Bell territory +will often M-F himself into an independent's switching system, with switching +idiosyncrasies which can give him marvelous leverage over the Bell System. + +"I have a real affection for Automatic Electric Equipment," Bernay told me. +"There are a lot of things you can play with. Things break down in interesting +ways." + +Shortly after Bernay graduated from college (with a double major in chemistry +and philosophy), he graduated from phreaking around with G.T.&E. to the Bell +System itself, and made his legendary sticker-pasting journey north along the +coast, settling finally in Northwest Pacific Bell territory. He discovered +that if Bell does not break down as interestingly as G.T.&E., it nevertheless +offers a lot of "things to play with." + +Bernay learned to play with blue boxes. He established his own personal +switchboard and phone-phreak research laboratory complex. He continued his +phone-phreak evangelism with ongoing sticker campaigns. He set up two recording +numbers, one with instructions for beginning phone phreaks, the other with +latest news and technical developments (along with some advanced instruction) +gathered from sources all over the country. + +These days, Bernay told me, he had gone beyond phone-phreaking itself. "Lately +I've been enjoying playing with computers more than playing with phones. My +personal thing in computers is just like with phones, I guess -- the kick is in +finding out how to beat the system, how to get at things I'm not supposed to +know about, how to do things with the system that I'm not supposed to be able +to do." + +As a matter of fact, Bernay told me, he had just been fired from his +computer-programming job for doing things he was not supposed to be able to do. +he had been working with a huge time-sharing computer owned by a large +corporation but shared by many others. Access to the computer was limited to +those programmers and corporations that had been assigned certain passwords. +And each password restricted its user to access to only the one section of the +computer cordoned off from its own information storager. The password system +prevented companies and individuals from stealing each other's information. + +"I figured out how to write a program that would let me read everyone else's +password," Bernay reports. "I began playing around with passwords. I began +letting the people who used the computer know, in subtle ways, that I knew +their passwords. I began dropping notes to the computer supervisors with hints +that I knew what I know. I signed them 'The Midnight Skulker.' I kept getting +cleverer and cleverer with my messages and devising ways of showing them what I +could do. I'm sure they couldn't imagine I could do the things I was showing +them. But they never responded to me. Every once in a while they'd change the +passwords, but I found out how to discover what the new ones were, and I let +them know. But they never responded directly to the Midnight Skulker. I even +finally designed a program which they could use to prevent my program from +finding out what it did. In effect I told them how to wipe me out, The +Midnight Skulker. It was a very clever program. I started leaving clues about +myself. I wanted them to try and use it and then try to come up with something +to get around that and reappear again. But they wouldn't play. I wanted to +get caught. I mean I didn't want to get caught personally, but I wanted them +to notice me and admit that they noticed me. I wanted them to attempt to +respond, maybe in some interesting way." + + + Page 54 + + + + + The Official Phreaker's Manual + +Finally the computer managers became concerned enough about the threat of +information-stealing to respond. However, instead of using The Midnight +Skulker's own elegant self-destruct program, they called in their security +personnel, interrogated everyone, found an informer to identify Bernay as The +Midnight Skulker, and fired him. + +"At first the security people advised the company to hire me full-time to +search out other flaws and discover other computer freaks. I might have liked +that. But I probably would have turned into a double double agent rather than +the double agent they wanted. I might have resurrected The Midnight Skulker +and tried to catch myself. Who knows? Anyway, the higher-ups turned the whole +idea down." + +You Can Tap the F.B.I.'s Crime Control Computer in the Comfort of Your Own +Home, Perhaps + +Computer freaking may be the wave of the future. It suits the phone-phreak +sensibility perfectly. Gilbertson, the blue-box inventor and a lifelong phone +phreak, has also gone on from phone-phreaking to computer-freaking. Before he +got into the blue-box business Gilbertson, who is a highly skilled programmer, +devised programs for international currency arbitrage. + +But he began playing with computers in earnest when he learned he could use his +blue box in tandem with the computer terminal installed in his apartment by the +instrumentation firm he worked for. The print-out terminal and keyboard was +equipped with acoustical coupling, so that by coupling his little ivory +Princess phone to the terminal and then coupling his blue box on that, he could +M-F his way into other computers with complete anonymity, and without charge; +program and re-program them at will; feed them false or misleading information; +tap and steal from them. He explained to me that he taps computers by busying +out all the lines, then going into a verification trunk, listening into the +passwords and instructions one of the time sharers uses, and them M-F-ing in +and imitating them. He believes it would not be impossible to creep into the +F.B.I's crime control computer through a local police computer terminal and +phreak around with the F.B.I.'s memory banks. He claims he has succeeded in +re-programming a certain huge institutional computer in such a way that it has +cordoned off an entire section of its circuitry for his personal use, and at +the same time conceals that arrangement from anyone else's notice. I have been +unable to verify this claim. + +Like Captain Crunch, like Alexander Graham Bell (pseudonym of a +disgruntled-looking East Coast engineer who claims to have invented the black +box and now sells black and blue boxes to gamblers and radical heavies), like +most phone phreaks, Gilbertson began his career trying to rip off pay phones as +a teenager. Figure them out, then rip them off. Getting his dime back from +the pay phone is the phone phreak's first thrilling rite of passage. After +learning the usual eighteen different ways of getting his dime back, Gilbertson +learned how to make master keys to coin-phone cash boxes, and get everyone +else's dimes back. He stole some phone-company equipment and put together his +own home switchboard with it. He learned to make a simple "bread-box" device, +of the kind used by bookies in the Thirties (bookie gives a number to his +betting clients; the phone with that number is installed in some widow lady's +apartment, but is rigged to ring in the bookie's shop across town, cops trace +big betting number and find nothing but the widow). + +Not long after that afternoon in 1968 when, deep in the stacks of an +engineering library, he came across a technical journal with the phone tone +frequencies and rushed off to make his first blue box, not long after that + + Page 55 + + + + + The Official Phreaker's Manual + +Gilbertson abandoned a very promising career in physical chemistry and began +selling blue boxes for $1,500 apiece. + +"I had to leave physical chemistry. I just ran out of interesting things to +learn," he told me one evening. We had been talking in the apartment of the +man who served as the link between Gilbertson and the syndicate in arranging +the big $300,000 blue-box deal which fell through because of legal trouble. +There has been some smoking. + +"No more interesting things to learn," he continues. "Physical chemistry turns +out to be a sick subject when you take it to its highest level. I don't know. +I don't think I could explain to you how it's sick. You have to be there. But +you get, I don't know, a false feeling of omnipotence. I suppose it's like +phone-phreaking that way. This huge thing is there. This whole system. And +there are holes in it and you slip into them like Alice and you're pretending +you're doing something you're actually not, or at least it's no longer you +that's doing what you thought you were doing. It's all Lewis Carroll. +Physical chemistry and phone-phreaking. That's why you have these phone-phreak +pseudonyms like The Cheshire Cat, the Red King, and The Snark. But there's +something about phone-phreaking that you don't find in physical chemistry." He +looks up at me: + +"Did you ever steal anything?" + +"Well yes, I..." + +"Then you know! You know the rush you get. It's not just knowledge, like +physical chemistry. It's forbidden knowledge. You know. You can learn about +anything under the sun and be bored to death with it. But the idea that it's +illegal. Look: you can be small and mobile and smart and you're ripping off +somebody large and powerful and very dangerous." + +People like Gilbertson and Alexander Graham Bell are always talking about +ripping off the phone company and screwing Ma Bell. But if they were shown a +single button and told that by pushing it they could turn the entire circuitry +of A.T.&T. into molten puddles, they probably wouldn't push it. The +disgruntled-inventor phone phreak needs the phone system the way the lapsed +Catholic needs the Church, the way Satan needs a God, the way The Midnight +Skulker needed, more than anything else, response. + +Later that evening Gilbertson finished telling me how delighted he was at the +flood of blue boxes spreading throughout the country, how delighted he was to +know that "this time they're really screwed." He suddenly shifted gears. + +"Of course. I do have this love/hate thing about Ma Bell. In a way I almost +like the phone company. I guess I'd be very sad if they were to disintegrate. +In a way it's just that after having been so good they turn out to have these +things wrong with them. It's those flaws that allow me to get in and mess with +them, but I don't know. There's something about it that gets to you and makes +you want to get to it, you know." + +I ask him what happens when he runs out of interesting, forbidden things to +learn about the phone system. + +"I don't know, maybe I'd go to work for them for a while." + +"In security even?" + + + Page 56 + + + + + The Official Phreaker's Manual + +"I'd do it, sure. I just as soon play -- I'd just as soon work on either +side." + +"Even figuring out how to trap phone phreaks? I said, recalling Mark Bernay's +game." + +"Yes, that might be interesting. Yes, I could figure out how to outwit the +phone phreaks. Of course if I got too good at it, it might become boring +again. Then I'd have to hope the phone phreaks got much better and outsmarted +me for a while. That would move the quality of the game up one level. I might +even have to help them out, you know, 'Well, kids, I wouldn't want this to get +around but did you ever think of -- ?' I could keep it going at higher and +higher levels forever." + +The dealer speaks up for the first time. He has been staring at the soft +blinking patterns of light and colors on the translucent tiled wall facing him. +(Actually there are no patterns: the color and illumination of every tile is +determined by a computerized random-number generator designed by Gilbertson +which insures that there can be no meaning to any sequence of events in the +tiles.) + +"Those are nice games you're talking about," says the dealer to his friend. +"But I wouldn't mind seeing them screwed. A telephone isn't private anymore. +You can't say anything you really want to say on a telephone or you have to go +through that paranoid bullshit. 'Is it cool to talk on the phone?' I mean, +even if it is cool, if you have to ask 'Is it cool,' then it isn't cool. You +know. 'Is it cool,' then it isn't cool. You know. Like those blind kids, +people are going to start putting together their own private telephone +companies if they want to really talk. And you know what else. You don't hear +silences on the phone anymore. They've got this time-sharing thing on +long-distance lines where you make a pause and they snip out that piece of time +and use it to carry part of somebody else's conversation. Instead of a pause, +where somebody's maybe breathing or sighing, you get this blank hole and you +only start hearing again when someone says a word and even the beginning of the +word is clipped off. Silences don't count -- you're paying for them, but they +take them away from you. It's not cool to talk and you can't hear someone when +they don't talk. What the hell good is the phone? I wouldn't mind seeing them +totally screwed." + ++-- End third file of four --+ + + + + + + + + + + + + + + + + + + + + Page 57 + + + + + The Official Phreaker's Manual + + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + * * + * +----------------------------------------------+ * + * * + * Secrets of the Little Blue Box * + * * + * by Ron Rosenbaum * + * Typed by One Farad Cap/AAG * + * * + * -A story so incredible it may even make you * + * feel sorry for the phone company- * + * * + * (Fourth of four files) * + * * + * +----------------------------------------------+ * + * * + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + +The Big Memphis Bust + +Joe Engressia never wanted to screw Ma Bell. His dream had always been to work +for her. + +The day I visited Joe in his small apartment on Union Avenue in Memphis, he was +upset about another setback in his application for a telephone job. + +"They're stalling on it. I got a letter today telling me they'd have to +postpone the interview I requested again. My landlord read it for me. They +gave me some runaround about wanting papers on my rehabilitation status but I +think there's something else going on." + +When I switched on the 40-watt bulb in Joe's room -- he sometimes forgets when +he has guests -- it looked as if there was enough telephone hardware to start a +small phone company of his own. + +There is one phone on top of his desk, one phone sitting in an open drawer +beneath the desk top. Next to the desk-top phone is a cigar-box-size M-F +device with big toggle switches, and next to that is some kind of switching and +coupling device with jacks and alligator plugs hanging loose. Next to that is +a Braille typewriter. On the floor next to the desk, lying upside down like a +dead tortoise, is the half-gutted body of an old black standard phone. Across +the room on a torn and dusty couch are two more phones, one of them a +touch-tone model; two tape recorders; a heap of phone patches and cassettes, +and a life-size toy telephone. + +Our conversation is interrupted every ten minutes by phone phreaks from all +over the country ringing Joe on just about every piece of equipment but the toy +phone and the Braille typewriter. One fourteen-year-old blind kid from +Connecticut calls up and tells Joe he's got a girl friend. He wants to talk to +Joe about girl friends. Joe says they'll talk later in the evening when they +can be alone on the line. Joe draws a deep breath, whistles him off the air +with an earsplitting 2600-cycle whistle. Joe is pleased to get the calls but he +looked worried and preoccupied that evening, his brow constantly furrowed over +his dark wandering eyes. In addition to the phone-company stall, he has just +learned that his apartment house is due to be demolished in sixty days for +urban renewal. For all its shabbiness, the Union Avenue apartment house has +been Joe's first home-of-his-own and he's worried that he may not find another +before this one is demolished. + + Page 58 + + + + + The Official Phreaker's Manual + + +But what really bothers Joe is that switchmen haven't been listening to him. +"I've been doing some checking on 800 numbers lately, and I've discovered that +certain 800 numbers in New Hampshire couldn't be reached from Missouri and +Kansas. Now it may sound like a small thing, but I don't like to see sloppy +work; it makes me feel bad about the lines. So I've been calling up switching +offices and reporting it, but they haven't corrected it. I called them up for +the third time today and instead of checking they just got mad. Well, that +gets me mad. I mean, I do try to help them. There's something about them I +can't understand -- you want to help them and they just try to say you're +defrauding them." + +It is Sunday evening and Joe invites me to join him for dinner at a Holiday +Inn. Frequently on Sunday evening Joe takes some of his welfare money, calls a +cab, and treats himself to a steak dinner at one of Memphis' thirteen Holiday +Inns. (Memphis is the headquarters of Holiday Inn. Holiday Inns have been a +favorite for Joe ever since he made his first solo phone trip to a Bell +switching office in Jacksonville, Florida, and stayed in the Holiday Inn there. +He likes to stay at Holiday Inns, he explains, because they represent freedom +to him and because the rooms are arranged the same all over the country so he +knows that any Holiday Inn room is familiar territory to him. Just like any +telephone.) + +Over steaks in the Pinnacle Restaurant of the Holiday Inn Medical Center on +Madison Avenue in Memphis, Joe tells me the highlights of his life as a phone +phreak. + +At age seven, Joe learned his first phone trick. A mean baby-sitter, tired of +listening to little Joe play with the phone as he always did, constantly, put a +lock on the phone dial. "I got so mad. When there's a phone sitting there and +I can't use it... so I started getting mad and banging the receiver up and +down. I noticed I banged it once and it dialed one. Well, then I tried +banging it twice...." In a few minutes Joe learned how to dial by pressing the +hook switch at the right time. "I was so excited I remember going 'whoo whoo' +and beat a box down on the floor." + +At age eight Joe learned about whistling. "I was listening to some intercept +non working-number recording in L.A.- I was calling L.A. as far back as that, +but I'd mainly dial non working numbers because there was no charge, and I'd +listen to these recordings all day. Well, I was whistling 'cause listening to +these recordings can be boring after a while even if they are from L.A., and +all of a sudden, in the middle of whistling, the recording clicked off. I +fiddled around whistling some more, and the same thing happened. So I called +up the switch room and said, 'I'm Joe. I'm eight years old and I want to know +why when I whistle this tune the line clicks off.' He tried to explain it to +me, but it was a little too technical at the time. I went on learning. That +was a thing nobody was going to stop me from doing. The phones were my life, +and I was going to pay any price to keep on learning. I knew I could go to +jail. But I had to do what I had to do to keep on learning." + +The phone is ringing when we walk back into Joe's apartment on Union Avenue. +It is Captain Crunch. The Captain has been following me around by phone, +calling up everywhere I go with additional bits of advice and explanation for +me and whatever phone phreak I happen to be visiting. This time the Captain +reports he is calling from what he describes as "my hideaway high up in the +Sierra Nevada." He pulses out lusty salvos of M-F and tells Joe he is about to +"go out and get a little action tonight. Do some phreaking of another kind, if +you know what I mean." Joe chuckles. + + Page 59 + + + + + The Official Phreaker's Manual + + +The Captain then tells me to make sure I understand that what he told me about +tying up the nation's phone lines was true, but that he and the phone phreaks +he knew never used the technique for sabotage. They only learned the technique +to help the phone company. + +"We do a lot of troubleshooting for them. Like this New Hampshire/Missouri +WATS-line flaw I've been screaming about. We help them more than they know." + +After we say good-bye to the Captain and Joe whistles him off the line, Joe +tells me about a disturbing dream he had the night before: "I had been caught +and they were taking me to a prison. It was a long trip. They were taking me +to a prison a long long way away. And we stopped at a Holiday Inn and it was +my last night ever using the phone and I was crying and crying, and the lady at +the Holiday Inn said, 'Gosh, honey, you should never be sad at a Holiday Inn. +You should always be happy here. Especially since it's your last night.' And +that just made it worse and I was sobbing so much I couldn't stand it." + +Two weeks after I left Joe Engressia's apartment, phone-company security agents +and Memphis police broke into it. Armed with a warrant, which they left pinned +to a wall, they confiscated every piece of equipment in the room, including his +toy telephone. Joe was placed under arrest and taken to the city jail where he +was forced to spend the night since he had no money and knew no one in Memphis +to call. + +It is not clear who told Joe what that night, but someone told him that the +phone company had an open-and-shut case against him because of revelations of +illegal activity he had made to a phone-company undercover agent. + +By morning Joe had become convinced that the reporter from Esquire, with whom +he had spoken two weeks ago, was the undercover agent. He probably had ugly +thoughts about someone he couldn't see gaining his confidence, listening to him +talk about his personal obsessions and dreams, while planning all the while to +lock him up. + +"I really thought he was a reporter," Engressia told the Memphis Press-Seminar. +"I told him everything...." Feeling betrayed, Joe proceeded to confess +everything to the press and police. + +As it turns out, the phone company did use an undercover agent to trap Joe, +although it was not the Esquire reporter. + +Ironically, security agents were alerted and began to compile a case against +Joe because of one of his acts of love for the system: Joe had called an +internal service department to report that he had located a group of defective +long-distance trunks, and to complain again about the New Hampshire/Missouri +WATS problem. Joe always liked Ma Bell's lines to be clean and responsive. A +suspicious switchman reported Joe to the security agents who discovered that +Joe had never had a long-distance call charged to his name. + +Then the security agents learned that Joe was planning one of his phone trips +to a local switching office. The security people planted one of their agents +in the switching office. He posed as a student switchman and followed Joe +around on a tour. He was extremely friendly and helpful to Joe, leading him +around the office by the arm. When the tour was over he offered Joe a ride back +to his apartment house. On the way he asked Joe -- one tech man to another -- +about "those blue boxers" he'd heard about. Joe talked about them freely, +talked about his blue box freely, and about all the other things he could do + + Page 60 + + + + + The Official Phreaker's Manual + +with the phones. + +The next day the phone-company security agents slapped a monitoring tape on +Joe's line, which eventually picked up an illegal call. Then they applied for +the search warrant and broke in. + +In court Joe pleaded not guilty to possession of a blue box and theft of +service. A sympathetic judge reduced the charges to malicious mischief and +found him guilty on that count, sentenced him to two thirty-day sentences to be +served concurrently and then suspended the sentence on condition that Joe +promise never to play with phones again. Joe promised, but the phone company +refused to restore his service. For two weeks after the trial Joe could not be +reached except through the pay phone at his apartment house, and the landlord +screened all calls for him. + +Phone-phreak Carl managed to get through to Joe after the trial, and reported +that Joe sounded crushed by the whole affair. + +"What I'm worried about," Carl told me, "is that Joe means it this time. The +promise. That he'll never phone-phreak again. That's what he told me, that +he's given up phone-phreaking for good. I mean his entire life. He says he +knows they're going to be watching him so closely for the rest of his life +he'll never be able to make a move without going straight to jail. He sounded +very broken up by the whole experience of being in jail. It was awful to hear +him talk that way. I don't know. I hope maybe he had to sound that way. Over +the phone, you know." + +He reports that the entire phone-phreak underground is up in arms over the +phone company's treatment of Joe. "All the while Joe had his hopes pinned on +his application for a phone-company job, they were stringing him along getting +ready to bust him. That gets me mad. Joe spent most of his time helping them +out. The bastards. They think they can use him as an example. All of sudden +they're harassing us on the coast. Agents are jumping up on our lines. They +just busted ------'s mute yesterday and ripped out his lines. But no matter +what Joe does, I don't think we're going to take this lying down." + +Two weeks later my phone rings and about eight phone phreaks in succession say +hello from about eight different places in the country, among them Carl, Ed, +and Captain Crunch. A nationwide phone-phreak conference line has been +reestablished through a switching machine in --------, with the cooperation of +a disgruntled switchman. + +"We have a special guest with us today," Carl tells me. + +The next voice I hear is Joe's. He reports happily that he has just moved to a +place called Millington, Tennessee, fifteen miles outside of Memphis, where he +has been hired as a telephone-set repairman by a small independent phone +company. Someday he hopes to be an equipment troubleshooter. + +"It's the kind of job I dreamed about. They found out about me from the +publicity surrounding the trial. Maybe Ma Bell did me a favor busting me. +I'll have telephones in my hands all day long." + +"You know the expression, 'Don't get mad, get even'?" phone-phreak Carl asked +me. "Well, I think they're going to be very sorry about what they did to Joe +and what they're trying to do to us." + ++-- End fourth file of four --+ + + Page 61 + + + + + The Official Phreaker's Manual + + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + $ $ + $ THE HISTORY OF ESS $ + $ --- ------- -- --- $ + $ $ + $ $ + $ Another original phile by: $ + $ $ + $ $ + $$$$$$$$$$$$-=>Lex Luthor<=-$$$$$$$$$$$ + $ $ + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + + + Of all the new 1960s wonders of telephone technology - satellites, ultra +modern Traffic Service Positions (TSPS) for operators, the picturephone, and so +on - the one that gave Bell Labs the most trouble, and unexpectedly became the +greatest development effort in Bell System's history, was the perfection of an +electronic switching system, or ESS. + + It may be recalled that such a system was the specific end in view when the +project that had culminated in the invention of the transistor had been +launched back in the 1930s. After successful accomplishment of that planned +miracle in 1947-48, further delays were brought about by financial stringency +and the need for further development of the transistor itself. In the early +1950s, a Labs team began serious work on electronic switching. As early as +1955, Western Electric became involved when five engineers from the Hawthorne +works were assigned to collaborate with the Labs on the project. The president +of AT&T in 1956, wrote confidently, "At Bell Labs, development of the new +electronic switching system is going full speed ahead. We are sure this will +lead to many improvements in service and also to greater efficiency. The first +service trial will start in Morris, Ill., in 1959." Shortly thereafter, Kappel +said that the cost of the whole project would probably be $45 million. + + But it gradually became apparent that the development of a commercially +usable electronic switching system -in effect, a computerized telephone +exchange - presented vastly greater technical problems than had been +anticipated, and that, accordingly, Bell Labs had vastly underestimated both +the time and the investment needed to do the job. The year 1959 passed without +the promised first trial at Morris, Illinois; it was finally made in November +1960, and quickly showed how much more work remained to be done. As time +dragged on and costs mounted, there was a concern at AT&T and some-thing +approaching panic at Bell Labs. But the project had to go forward; by this +time the investment was too great to be sacrificed, and in any case, forward +projections of increased demand for telephone service indicated that within a +phew years a time would come when, without the quantum leap in speed and +flexibility that electronic switching would provide, the national network would +be unable to meet the demand. In November 1963, an all-electronic switching +system went into use at the Brown Engineering Company at Cocoa Beach, Florida. +But this was a small installation, essentially another test installation, +serving only a single company. Kappel's tone on the subject in the 1964 annual +report was, for him, an almost apologetic: "Electronic switching equipment must +be manufactured in volume to unprecedented standards of reliability.... To turn +out the equipment economically and with good speed, mass production methods +must be developed; but, at the same time, there can be no loss of precision..." +Another year and millions of dollars later, on May 30, 1965, the first +commercial electric central office was put into service at Succasunna, New +Jersey. + + Page 62 + + + + + The Official Phreaker's Manual + + + Even at Succasunna, only 200 of the town's 4,300 subscribers initially had +the benefit of electronic switching's added speed and additional services, such +as provision for three party conversations and automatic transfer of incoming +calls. But after that, ESS was on its way. In January 1966, the second +commercial installation, this one serving 2,900 telephones, went into service +in Chase, Maryland. By the end of 1967 there were additional ESS offices in +California, Connecticut, Minnesota, Georgia, New York, Florida, and +Pennsylvania; by the end of 1970 there were 120 offices serving 1.8 million +customers; and by 1974 there were 475 offices serving 5.6 million customers. + + The difference between conventional switching and electronic switching is +the difference between "hardware" and "software"; in the former case, +maintenance is done on the spot, with screwdriver and pliers, while in the case +of electronic switching, it can be done remotely, by computer, from a central +point, making it possible to have only one or two technicians on duty at a time +at each switching center. + + The development program, when the final figures were added up, was found to +have required a staggering four thousand man-years of work at Bell Labs and to +have cost not $45 million but $500 million! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 63 + + + + + The Official Phreaker's Manual + + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + $ $ + $ THE HISTORY OF BRITISH PHREAKING $ + $ -=- -=-=-=- -- -=-=-=- -=-=-=-=- $ + $ $ + $ THE SECOND IN A SERIES OF $ + $ THE HISTORY OF.....PHILES $ + $ $ + $ WRITTEN AND UPLOADED BY: $ + $ $ + $$$$$$$$$$$$-=>LEX LUTHOR<=-$$$$$$$$$$$ + $ AND $ + $ THE LEGION OF DOOM! $ + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + + NOTE: THE BRITISH POST OFFICE, IS THE U.S. EQUIVALENT OF MA BELL. + + IN BRITAIN, PHREAKING GOES BACK TO THE EARLY FIFTIES, WHEN THE TECHNIQUE OF +'TOLL A DROP BACK' WAS DISCOVERED. TOLL A WAS AN EXCHANGE NEAR ST. PAULS +WHICH ROUTED CALLS BETWEEN LONDON AND NEARBY NON-LONDON EXCHANGES. THE TRICK +WAS TO DIAL AN UNALLOCATED NUMBER, AND THEN DEPRESS THE RECEIVER-REST FOR 1/2 +SECOND. THIS FLASHING INITIATED THE 'CLEAR FORWARD' SIGNAL, LEAVING THE CALLER +WITH AN OPEN LINE INTO THE TOLL A EXCHANGE.THE COULD THEN DIAL 018, WHICH +FORWARDED HIM TO THE TRUNK EXCHANGE AT THAT TIME, THE FIRST LONG DISTANCE +EXCHANGE IN BRITAIN AND FOLLOW IT WITH THE CODE FOR THE DISTANT EXCHANGE TO +WHICH HE WOULD BE CONNECTED AT NO EXTRA CHARGE. + + THE SIGNALS NEEDED TO CONTROL THE UK NETWORK TODAY WERE PUBLISHED IN THE +"INSTITUTION OF POST OFFICE ENGINEERS JOURNAL" AND REPRINTED IN THE SUNDAY +TIMES (15 OCT. 1972). + + THE SIGNALLING SYSTEM THEY USE: SIGNALLING SYSTEM NO. 3 USES PAIRS OF +FREQUENCIES SELECTED FROM 6 TONES SEPARATED BY 120HZ. WITH THAT INFO, THE +PHREAKS MADE "BLEEPERS" OR AS THEY ARE CALLED HERE IN THE U.S. "BLUE BOX", BUT +THEY DO UTILIZE DIFFERENT MF TONES THEN THE U.S., THUS, YOUR U.S. BLUE BOX +THAT YOU SMUGGLED INTO THE UK WILL NOT WORK, UNLESS YOU CHANGE THE +FREQUENCIES. + + IN THE EARLY SEVENTIES, A SIMPLER SYSTEM BASED ON DIFFERENT NUMBERS OF PULSES +WITH THE SAME FREQUENCY (2280HZ) WAS USED. FOR MORE INFO ON THAT, TRY TO GET A +HOLD OF: ATKINSON'S "TELEPHONY AND SYSTEMS TECHNOLOGY". + + IN THE EARLY DAYS OF BRITISH PHREAKING, THE CAMBRIDGE UNIVERSITY TITAN +COMPUTER WAS USED TO RECORD AND CIRCULATE NUMBERS FOUND BY THE EXHAUSTIVE +DIALING OF LOCAL NETWORKS. THESE NUMBERS WERE USED TO CREATE A CHAIN OF LINKS +FROM LOCAL EXCHANGE TO LOCAL EXCHANGE ACROSS THE COUNTRY, BYPASSING THE TRUNK +CIRCUITS. BECAUSE THE INTERNAL ROUTING CODES IN THE UK NETWORK ARE NOT THE +SAME AS THOSE DIALED BY THE CALLER, THE PHREAKS HAD TO DISCOVER THEM BY 'PROBE +AND LISTEN' TECHNIQUES OR MORE COMMONLY KNOWN IN THE U.S.-- SCANNING. WHAT +THEY DID WAS PUT IN LIKELY SIGNALS AND LISTENED TO FIND OUT IF THEY SUCCEEDED. +THE RESULTS OF SCANNING WERE CIRCULATED TO OTHER PHREAKS. DISCOVERING EACH +OTHER TOOK TIME AT FIRST, BUT EVENTUALLY THE PHREAKS BECAME ORGANIZED. THE +"TAP" OF BRITAIN WAS CALLED "UNDERCURRENTS" WHICH ENABLED BRITISH PHREAKS TO +SHARE THE INFO ON NEW NUMBERS, EQUIPMENT ETC. + + TO UNDERSTAND WHAT THE BRITISH BRITISH PHREAKS DID, THINK OF THE PHONE +NETWORK IN THREE LAYERS OF LINES: LOCAL, TRUNK, AND INTERNATIONAL.#IN THE UK, +SUBSCRIBER TRUNK DIALING (STD), IS THE MECHANISM WHICH TAKES A CALL FROM THE + + Page 64 + + + + + The Official Phreaker's Manual + +LOCAL LINES AND (LEGITIMATELY) ELEVATES IT TO A TRUNK OR INTERNATIONAL +LEVEL.#THE UK PHREAKS FIGURED THAT A CALL AT TRUNK LEVEL CAN BE ROUTED THROUGH +ANY NUMBER OF EXCHANGES, PROVIDED THAT THE RIGHT ROUTING CODES WERE FOUND AND +USED CORRECTLY. THEY ALSO HAD TO DISCOVER HOW TO GET FROM LOCAL TO TRUNK LEVEL +EITHER WITHOUT BEING CHARGED (WHICH THEY DID WITH A BLEEPER BOX) OR WITHOUT +USING (STD). CHAINING HAS ALREADY BEEN MENTIONED BUT IT REQUIRES LONG STRINGS +OF DIGITS AND SPEECH GETS MORE AND MORE FAINT AS THE CHAIN GROWS, JUST LIKE IT +DOES WHEN YOU STACK TRUNKS BACK AND FORTH ACROSS THE U.S.#THE WAY THE SECURITY +REPS SNAGGED THE PHREAKS WAS TO PUT A SIMPLE 'PRINTERMETER' OR AS WE CALL IT: +A PEN REGISTER ON THE SUSPECTS LINE, WHICH SHOWS EVERY DIGIT DIALED FROM THE +SUBSCRIBERS LINE. + + THE BRITISH PREFER TO GET ONTO THE TRUNKS RATHER THAN CHAINING. ONE WAY WAS +TO DISCOVER WHERE LOCAL CALLS USE THE TRUNKS BETWEEN NEIGHBORING EXCHANGES, +START A CALL AND STAY ON THE TRUNK INSTEAD OF RETURNING TO THE LOCAL LEVEL ON +REACHING THE DISTANT SWITCH. THIS AGAIN REQUIRED EXHAUSTIVE DIALING AND MADE +MORE WORK FOR TITAN; IT ALSO REVEALED 'FIDDLES', WHICH WERE INSERTED BY POST +OFFICE ENGINEERS. + + WHAT FIDDLING MEANS IS THAT THE ENGINEERS REWIRED THE EXCHANGES FOR THEIR OWN +BENEFIT. THE EQUIPMENT IS MODIFIED TO GIVE ACCESS TO A TRUNK WITH OUT BEING +CHARGED, AN OPERATION WHICH IS PRETTY EASY IN STEP BY STEP (SXS) +ELECTROMECHANICAL EXCHANGES, WHICH WERE INSTALLED IN BRITAIN EVEN IN THE 1970S +(NOTE: I KNOW OF A BACK DOOR INTO THE CANADIAN SYSTEM ON A 4A CO., SO IF YOU +ARE ON SXS OR A 4A, TRY SCANNING 3 DIGIT EXCHANGES, IE: DIAL 999,998,997 +ETC.#AND LISTEN FOR THE BEEP-KERCHINK, IF THERE ARE NO 3 DIGIT CODES WHICH +ALLOW DIRECT ACCESS TO A TANDEM IN YOUR LOCAL EXCHANGE AND BYPASSES THE AMA SO +YOU WON'T BE BILLED, NOT HAVE TO BLAST 2600 EVERY TIME YOU WISH TO BOX A CALL. + + A FAMOUS BRITISH 'FIDDLER' REVEALED IN THE EARLY 1970S WORKED BY DIALING 173. +THE CALLER THEN ADDED THE TRUNK CODE OF 1 AND THE SUBSCRIBERS LOCAL NUMBER. AT +THAT TIME, MOST ENGINEERING TEST SERVICES BEGAN WITH 17X, SO THE ENGINEERS +COULD HIDE THEIR FIDDLES IN THE NEST OF SERVICE WIRES. WHEN SECURITY REPS +STARTED SEARCHING, THE FIDDLES WERE CONCEALED BY TONES SIGNALLING: 'NUMBER +UNOBTAINALBE' OR 'EQUIPMENT ENGAGED' WHICH SWITCHED OFF AFTER A DELAY. THE +NECESSARY RELAYS ARE SMALL AND EASILY HIDDEN. + + THERE WAS ANOTHER SIDE TO PHREAKING IN THE UK IN THE SIXTIES. BEFORE STD WAS +WIDESPREAD, MANY 'ORDINARY' PEOPLE WERE DRIVEN TO. + +OCCASIONAL PHREAKING FROM SHEER FRUSTRATION AT THE INEFFICIENT OPERATOR +CONTROLLED TRUNK SYSTEM. THIS CAME TO A HEAD DURING A STRIKE ABOUT 1961 WHEN +OPERATORS COULD NOT BE REACHED. NOTHING COMPLICATED WAS NEEDED. MANY +OPERATORS HAD BEEN IN THE HABIT OF REPEATING THE CODES AS THEY DIALLED THE +REQUESTED NUMBERS SO PEOPLE SOON LEARNT THE NUMBERS THEY CALLED FREQUENTLY. +THE ONLY 'TRICK' WAS TO KNOW WHICH EXCHANGES COULD BE DIALLED THROUGH TO PASS +ON THE TRUNK NUMBER.CALLERS ALSO NEEDED A PRETTY QUIET PLACE TO DO IT, SINCE +TIMING RELATIVE TO CLICKS WAS IMPORTANT THE MOST FAMOUS TRIAL OF BRITISH +PHREAKS WAS CALLED THE OLD BAILY TRIAL.#WHICH STARTED ON 3 OCT. 1973.#WHAT +THEY PHREAKS DID WAS TO DIAL A SPARE NUMBER AT A LOCAL CALL RATE BUT INVOLVING +A TRUNK TO ANOTHER EXCHANGE THEN THEY SEND A 'CLEAR FORWARD' TO THEIR LOCAL +EXCHANGE, INDICATING TO IT THAT THE CALL IS FINISHED;BUT THE DISTANT EXCHANGE +DOESN'T REALIZE BECAUSE THE CALLER'S PHONE IS STILL OFF THE HOOK. THEY NOW +HAVE AN OPEN LINE INTO THE DISTANT TRUNK EXCHANGE AND SENDS TO IT A 'SEIZE' +SIGNAL: '1' WHICH PUTS HIM ONTO ITS OUTGOING LINES NOW, IF THEY KNOW THE +CODES, THE WORLD IS OPEN TO THEM. ALL OTHER EXCHANGES TRUST HIS LOCAL EXCHANGE +TO HANDLE THE BILLING; THEY JUST INTERPRET THE TONES THEY HEAR. MEAN WHILE, +THE LOCAL EXCHANGE COLLECTS ONLY FOR A LOCAL CALL. THE INVESTIGATORS + + Page 65 + + + + + The Official Phreaker's Manual + +DISCOVERED THE PHREAKS HOLDING ASCONFERENCE SOMEWHERE IN ENGLAND SURROUNDED BY +VARIOUS PHONE EQUIPMENT AND BLEEPER BOXES, ALSO PRINTOUTS LISTING 'SECRET' POST +OFFICE CODES. (THEY PROBABLY GOT THEM FROM TRASHING?) THE JUDGE SAID: "SOME +TAKE TO HEROIN, SOME TAKE TO TELEPHONES" FOR THEM PHONE PHREAKING WAS NOT A +CRIME BUT A HOBBY TO BE SHARED WITH PHELLOW ENTHUSIASTS AND DISCUSSED WITH THE +POST OFFICE OPENLY OVER DINNER AND BY MAIL. THEIR APPROACH AND ATTITUDE TO THE +WORLDS LARGEST COMPUTER, THE GLOBAL TELEPHONE SYSTEM, WAS THAT OF SCIENTISTS +CONDUCTING EXPERIMENTS OR PROGRAMMERS AND ENGINEERS TESTING PROGRAMS AND +SYSTEMS. THE JUDGE APPEARED TO AGREE, AND EVEN ASKED THEM FOR PHREAKING CODES +TO USE FROM HIS LOCAL EXCHANGE!!! + +# $-THE END-$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 66 + + + + + The Official Phreaker's Manual + + Bad as Shit + + Recently, a telephone fanatic in the northwest made an interesting +discovery. He was exploring the 804 area code (Virginia) and found out that +the 840 exchange did something strange. + In the vast majority of cases, in fact in all of the cases except one, he +would get a recording as if the exchange didn't exist. However, if he dialed +804-840 and four rather predictable numbers, he got a ring! + + After one or two rings, somebody picked up. Being experienced at this kind +of thing, he could tell that the call didn't "supe", that is, no charges were +being incurred for calling this number. + (Calls that get you to an error message, or a special operator, generally +don't supervise.) A female voice, with a hint of a Southern accent said, +"Operator, can I help you?" + + "Yes," he said, "What number have I reached?" + + "What number did you dial, sir?" + + He made up a number that was similar. + + "I'm sorry that is not the number you reached." Click. + + He was fascinated. What in the world was this? He knew he was going to +call back, but before he did, he tried some more experiments. He tried the 840 +exchange in several other area codes. In some, it came up as a valid exchange. +In others, exactly the same thing happened -- the same last four digits, the +same Southern belle. Oddly enough, he later noticed, the areas worked in +seemed to travel in a beeline from Washington DC to Pittsburgh, PA. + + He called back from a payphone. "Operator, can I help you?" + + "Yes, this is the phone company. I'm testing this line and we don't seem to +have an identification on your circuit. What office is this, please?" + + "What number are you trying to reach?" + + "I'm not trying to reach any number. I'm trying to identify this circuit." + + "I'm sorry, I can't help you." + + "Ma'am, if I don't get an ID on this line, I'll have to disconnect it. We +show no record of it here." + + "Hold on a moment, sir." + + After about a minute, she came back. "Sir, I can have someone speak to you. +Would you give me your number, please?" + + He had anticipated this and he had the payphone number ready. After he gave +it, she said, "Mr. XXX will get right back to you." + + "Thanks." He hung up the phone. It rang. INSTANTLY! "Oh my God," he +thought, "They weren't asking for my number -- they were confirming it!" + + "Hello," he said, trying to sound authoritative. + + + Page 67 + + + + + The Official Phreaker's Manual + + "This is Mr. XXX. Did you just make an inquiry to my office concerning a +phone number?" + + "Yes. I need an identi--" + + "What you need is advice. Don't ever call that number again. Forget you +ever knew it." + + At this point our friend got so nervous he just hung up. He expected to +hear the phone ring again but it didn't. + + Over the next few days he racked his brains trying to figure out what the +number was. He knew it was something big -- that was pretty certain at this +point. It was so big that the number was programmed into every central office +in the country. He knew this because if he tried to dial any other number in +that exchange, he'd get a local error message from his CO, as if the exchange +didn't exist. + + It finally came to him. He had an uncle who worked in a federal agency. He +had a feeling that this was government related and if it was, his uncle could +probably find out what it was. He asked the next day and his uncle promised to +look into the matter. + + The next time he saw his uncle, he noticed a big change in his manner. He +was trembling. "Where did you get that number?!" he shouted. "Do you know I +almost got fired for asking about it?!? They kept wanting to know where I got +it." + + Our friend couldn't contain his excitement. "What is it?" he pleaded. +"What's the number?!" + +"IT'S THE PRESIDENT'S BOMB SHELTER!" + + He never called the number after that. He knew that he could probably cause +quite a bit of excitement by calling the number and saying something like, "The +weather's not good in Washington. We're coming over for a visit." But our +friend was smart. he knew that there were some things that were better off +unsaid and undone. <> + + + + + + + + + + + + + + + + + + + + + + Page 68 + + + + + The Official Phreaker's Manual + + Chapter 3 + + This chapter is really just a bunch of FACS (pun intended). Here is where +random facts that really have something to do with everything else but nothing +to do with anything else, are presented. They cover various topics such as: +Conferencing, Tracing, Pen registers, Calling cards, and some basic FMF (Fool +the Mother Fuckers). The aspects covered here are very brief and could easily +be covered much more thoroughly, but it is no problem since they are not very +important topics. Something that would make a very nice gift is covered in the +article AT&T forgery. Just make up stationary with AT&T letter head and give +it as a present to your phriends who would appreciate it. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 69 + + + + + The Official Phreaker's Manual + + Phreaking COSMOS + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + COSMOS is Bell's computer for handling information on customer lines, +special services on lines, and orders to change line equipment, disconnect +lines, etc. COSMOS stands for Computerized System for Mainframe Operations. It +is based on the UNIX operating system and, depending upon the COSMOS and upon +your access, has some, many, or no UNIX standard commands. COSMOS is powerful, +but there is no reason to be afraid of it. This article will give some of the +basic, pertinent info on how users get in, account format, and a few other +goodies. + + Password Identification + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + To get onto COSMOS you need a dialup, account, password, and wire center +(WC). Wire centers are two letter codes that tell what section of the COSMOS +you are in. There are different WC's f or different areas and groups of +exchanges. Examples are PB, SR, LK, et c. Sometimes there are accounts that +have no password; obviously such accounts are the easiest to hack. + + Checking It Out + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + Let's suppose you have a COSMOS number which you obtained one way or +another. The first thing to do would be to make sure it is really a COSMOS +system, not some other Bell or AT&T computer. To do this, you would call it +and connect your modem,, then hit some returns until you got a response. It +should say: + + ';LOGIN:' or 'NAME:'. + If you enter some garbage it should say: +'PASSWORD:'. + If you hit a return and it says 'WC?', it is a COSMOS system. If it says +something like 'TA%' then you're in business. If it doesn't do any of the +above, then it is either some other kind of system, or, if you're not getting +anything at all, the dialup has probably gone bad. + + Getting In + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + COSMOS has certain accounts that are usually on the system, one of which +might not have a password. They consist of ROOT (most powerful and almost +always on the system), SYS (second most powerful, still many privileges), BIN +(a little less power), PREOP (a little less), and COSMOS (hardly any +privileges, like a normal user). The way to tell if they have passwords is by +entering accounts at the ';LOGIN:' or ' NAME:' prompt, and if it jumps straight +to 'WC?', all you need is a WC to get in. But suppose all of the accounts have +passwords? You have two choices. You can try to hack the password and WC to +one of the above accounts. I won't deal with this method, as is +self-explanatory. Or you can do something I find much easier...call the +COSMOS during business hours and hope that someone forgot to log off. Keep +calling until when you connect and hit return until you get a 'WC%' prompt. +'WC' is the WC that the account you found is currently in. You are now in! + + What to Do while on-line + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + + Page 70 + + + + + The Official Phreaker's Manual + + The first thing you want to do is write down the WC you are in. Only on our +first login it is a good idea to print everything or dump everything to a +buffer. + + Commands + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +'WCFLDS'(!) : Should list all WC's. +'WHO' : Should print everyone currently logged on the system, giving +some accounts. +'TTY' : Tells what terminal port you are on. +'WHERE' : Should tell the location of the COSMOS installation. +'WHAT' : Tells what version of COSNIX, COSMOS's operating system, it +is. +'LS *' : Prints all the files you have access to. +'CD /dir' : Connects you to the directory '/dir'. +'CAT filename ' : Prints the file 'filename'. +'Q' : Quits the editor. +CTRL- Y. : Logs off +'TAT' : Sometimes prints a little help file. +'ISH' : Check someone's telefone #, type 'ISH' at the COSMOS 'WC%' +prompt. Then type. +'HTN XXX-XXXX' : (Hunt Telephone Number) to tell you about the local number +you are interested in. + +'CAT /ETC/PASSWD': Prints out the password file, if you have access. The +passwords are almost always encrypted, but you get a list of all the accounts. +If you are lucky, one of the lines will have two colons after the account name. +This means there is no prompt from the ';LOGIN:' or 'NAME:' prompts when you +enter that account. + +To run a file just type the name followed by a return. + + When the system gives you a '-', you type a '.', and it will type all kinds +of info on the phone number you entered (in Bell abbreviations, of course). If +it is not a good exchange, it will say something to that effect. You type a +period to end the ISH. + If you wish to learn more information about COSMOS, find yourself a COSMOS +manual or look at future issues of 2600. A UNIX manual would also be helpful +for standard UNIX commands. + + + + + + + + + + + + + + + + + + + + + Page 71 + + + + + The Official Phreaker's Manual + + FACS FACTS + A LOOK AT THE NEW FACS SYSTEMS + BY SHARP RAZOR + + + BELL ATLANTIC (AND PROBABLY THE REST OF THE U.S. SOON ENOUGH) IS REVAMPING +COSMOS. THE PROJECT IS CALLED FACS (FACILITATED ASSIGNMENT AND CONTROL +SYSTEM).FACS IS COMPOSED OF 5 MODULES WHICH ARE DESIGNED TO FUNCTION AS A +UNIFIED SYSTEM. THE PREMIS AND THE COSMOS SYSTEMS CAN FUNCTION AS ST AND-ALONE +SYSTEMS.THE FIVE PARTS OF FACS ARE PREMIS,SOAC, LFACS,COSMOS,AND THE WM. + + THE PREMIS (PREMISES INFORMATION SYSTEM) SUPPORTS BOTH RESIDENCE AND +BUSINESS ACCOUNTS. PREMIS IS USED FOR VARIOUS INQUIRIES FOR THE STREET ADDRESS +GUIDE(SAG),IE::PHONE NUMBERS,BILLING CHARGES,CREDIT,ETC. + + THE SECOND PART OF FACS IS THE SOAC(SERVICE ORDER ANALYSIS AND CONTROL). +THIS IS PRIMARILY USED TO INPUT SERVICE ORDER DATA INTO FACS, AND TO GET THE +APPROPRIATE OUTPUT. SOAC INTERPRETS, VALIDATES,AND DECOMPOSES ALL INPUTED DATA +AND SENDS THE INFO TO THE COSMOS AND THE LFACS SYSTEMS. + + THE THIRD PART OF THE SYSTEM IS LFACS(LOOP FACILITIES AND CONTROL SYSTEM). +THIS IS THE COMPONENT OF FACS THAT IS RESPONSIBLE FOR MAINTAINING THE +INVENTORY,DOING THE ASSIGNMENTS, ADMINISTRATING INQUIRIES AND REPORTS, AND IS +THE INVENTORY TRANSFORMATION CENTER. THIS PART OF FACS WILL BE MOSTLY USED FOR +AIDING THE AT&T LINEMEN. + + THE COSMOS SYSTEM(COMPUTER SYSTEM FOR MAINFRAME OPERATIONS) COMPRISES THE +FOURTH PART OF THE FACS SYSTEM. COSMOS IS THE COMPONENT OF FACS THAT IS +RESPONSIBLE FOR MAINTAINING THE MECHANIZED INVENTORY OF MDF FACILITIES,STORING +CUSTOM CALL FEATURES(IE:SPEED DIALING NUMBERS),AND OTHER MISC. INFO. + + THE FIFTH AND LAST PIECE OF THE FACS SYSTEM IS THE WORK MANAGER (WM). HIS +COMPONENT SERVES AS THE FRONT-END PROCESSOR FOR COSMOS. IT ENABLES A NUMBER OF +COSMOS COMPUTERS TO RELIABLY COMMUNICATE WITH THE OTHER FACS COMPONENTS. WM +SERVES AS THE MESSAGES SWITCHING SYSTEM FOR THE FACS PIECES, AND GENERALLY IS +THE "MESSENGER AND STABILIZER" OF THE SYSTEM. + + THE HARDWARE THAT WILL RUN THIS FACS SYSTEM IS: + COSMOS: 22-WECO. 3B-20S MINI COMPS. + WM: 6-WECO. 3B-20S MINI COMPS. + SOAC-LFACS-PREMIS: TWO SPERRY UNIVAC 1100/92 MAINFRAMES. + BANCS 2 THP CYBER 1000 PROCESSORS. + + THE FACS SYSTEM IS STARTING UP AT THIS VERY MOMENT. THIS IS BASICALLY A +BROAD VIEW OF THE FACS SYSTEM. AT&T SEEMS TO THINK THAT FACS WILL BE MORE +EFFICIENT,SAVE THEM MONEY IN THE LONG RUN, AND SAVE THEM WORKERS(HERE COME SOME +MASSIVE LAYOFFS!) WHAT THIS MEANS TO PHREAKERS AND HACKERS IS THAT YOU WILL NOW +HAVE AT LEAST FIVE DIAL-UPS IN AN AREA CODE WITH WHICH YOU CAN PHUCK WITH +AT&T! + + ..LATER.. + ..SHARP RAZOR>> + THE LEGION OF DOOM! +(NOTE: THE FACS SYSTEM HAS RECENTLY BEEN PUT INTO OPERATION(SUMMER 84) IN +ST.LOUIS MISSOURI) + + + + + Page 72 + + + + + The Official Phreaker's Manual + + Telenet + + It seems that not many of you know that Telenet is connected to about 80 +computer-networks in the world. No, I don't mean 80 nodes, but 80 networks with +thousands of unprotected computers. When you call your local Telenet- gateway, +you can only call those computers which accept reverse-charging- calls. + If you want to call computers in foreign countries or computers in USA which +do not accept R-calls, you need a Telenet-ID. Did you ever notice that you can +type ID XXXX when being connected to Telenet? You are then asked for the +password. If you have such a NUI (Network-User-ID) you can call nearly every +host connected to any computer-network in the world. Here are some examples: + +026245400090184 :Is a VAX in Germany (Username: DATEXP and leave mail for +CHRIS !!!) +0311050500061 :Is the Los Alamos Integrated computing network (One of the +hosts connected to it is the DNA (Defense Nuclear Agency)!!!) +0530197000016 :Is a BBS in New Zealand +024050256 :Is the S-E-Bank in Stockholm, Sweden (Login as GAMES !!!) +02284681140541 :CERN in Geneva in Switzerland (one of the biggest nuclear +research centers in the world) Login as GUEST +0234212301161 :A Videotex-standard system. Type OPTEL to get in and use the +ID 999_ with the password 9_ +0242211000001 :University of Oslo in Norway (Type LOGIN 17,17 to play the +Multi-User-Dungeon !) +0425130000215 :Something like ITT Dialcom, but this one is in Israel ! ID +HELP with password HELP works fine with security level 3 +0310600584401 :Is the Washington Post News Service via Tymnet (Yes, Tymnet is +connected to Telenet, too !) ID and Password is: PETER You can read the news +of the next day ! + +The prefixes are as follows: +02624 is Datex-P in Germany +02342 is PSS in England +03110 is Telenet in USA +03106 is Tymnet in USA +02405 is Telepak in Sweden +04251 is Isranet in Israel +02080 is Transpac in France +02284 is Telepac in Switzerland +02724 is Eirpac in Ireland +02704 is Luxpac in Luxembourg +05252 is Telepac in Singapore +04408 is Venus-P in Japan +...and so on... Some of the countries have more than one +packet-switching-network (USA has 11, Canada has 3, etc). + +OK. That should be enough for the moment. As you see most of the passwords are +very simple. This is because they must not have any fear of hackers. Only a few +German hackers use these networks. Most of the computers are absolutely easy to +hack !!! So, try to find out some Telenet-ID's and leave them here. If you need +more numbers, leave e-mail. +I'm calling from Germany via the German Datex-P network, which is similar to +Telenet. We have a lot of those NUI's for the German network, but none for a +special Tymnet-outdial-computer in USA, which connects me to any phone #. + +CUL8R, Mad Max + +PS: Call 026245621040000 and type ID INF300 with password DATACOM to get more + + Page 73 + + + + + The Official Phreaker's Manual + +Informations on packet-switching-networks ! + +PS2: The new password for the Washington Post is KING !!!! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 74 + + + + + The Official Phreaker's Manual + + Phreaking AT&T Cards + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + My topic will deal with using an AT&T calling card for automated calls. Ok +to place a call with an AT&T card, lift the handset (PAY PHONE) hit (0) and the +desired area code and the number to call. Also when calling the same number +that the card is being billed to you enter the phone number and at the tone +only enter the last four digits on the card. But we don't want to do that now, +do we. If additional calls are wanted all you do is hit the (#) and you will +get a new dial tone! After you hit (#) you do not have to re-enter the calling +card number simply enter your desired number and it will connect you. + If the number you called is busy just keep hitting (#) and the number to be +called until you connect! Ok to calL the U.S. of a from another country, you +use the exact same format as described above! + Ok now I will describe the procedure for placing calls to a foreign +country, such as CANADA,RUSSIA,SOUTH AMERICA, etc.. Ok first lift the handset +then enter (01) + the country code + the city code + the local telephone +number. Ok after you get the tone enter the AT&T calling card number. Ok if you +can not dial operator assisted calls from your area don't worry just jingle the +operator and she will handle your call, don't worry she can't see you! + The international number on the AT&T calling card is used for calling the +US of A from places like RUSSIA, CHINA you never know when you might get stuck +in a country like those and you have no money to make a call! The international +operator will be able to tell you if they honor the AT&T calling card. + Well I hope that this has straightened out some of your problems on the use +of an AT&T calling card! All you have to remember is that weather you are +placing the call or the operator, be careful and never use the calling card +from your home phone!! That is a BIG NO NO.. + + Also AT&T has came out with a new thing called (NEW CARD CALLER SERVICE) +they say that it was designed to meet the public's needs! These phones will be +popping up in many place such as airport terminals, hotels, etc... What the new +card caller service is, is a new type of phone that has a (CRT) screen that +will talk to you in a language of your choice. The service works something +like this, when you find a (NEW CARD CALLER PHONE), all you do is follow the +instructions on the (CRT) screen, then you insert the (NEW CARD CALLER CARD) +and there is a strip of magnetic tape on the card which reads the number, thus +no one can hear you saying your number or if there were a bug in the phone,no +touch tones will be heard!! You can also bill the call to a third party. that +is one that I am not totally clear on yet! The phone is supposed to tell you +how it can be done. That is after you have inserted your card and lifted the +receiver! + + + + + + + + + + + + + + + + + + Page 75 + + + + + The Official Phreaker's Manual + + :%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%: + :% %: + :% AT&T FORGERY %: + :% Written by The Blue Buccaneer %: + :% %: + :% CALL THE EVERLASTING SPEED DEMON BBS AT (415) 522-3074 %: + :% Uploaded by Elric of Imrryr of Lunatic Labs UnLtd %: + :%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%: + + +Here is a very simple way to either: + +[1] Play an incredibly cruel and realistic joke on a phreaking friend. + -OR- +[2] Provide yourself with everything you ever wanted to be an AT&T person. + + All you need to do is get your hands on some AT&T paper and/or business +cards. To do this you can either go down to your local business office and +swipe a few or call up somewhere like WATTS INFORMATION and ask them to send +you their information package. They will send you: +1. A nice letter (with the AT&T logo letterhead) saying "Here is the info." +2. A business card (again with AT&T) saying who the sales representative is. +3. A very nice color booklet telling you all about WATTS lines. +4. Various billing information. (Discard as it is very worthless) + + Now take the piece of AT&T paper and the AT&T business card down to your +local print/copy shop. Tell them to run you off several copies of each, but to +leave out whatever else is printed on the business card/letter. If they refuse +or ask why, take your precious business elsewhere. +(This should only cost you around $2.00 total) + + Now take the copies home and either with your typewriter, MAC, or Fontrix, +add whatever name, address, telephone number, etc. you like. (I would recommend +just changing the name on the card and using whatever information was on there +earlier) + + And there you have official AT&T letters and business cards. As mentioned +earlier, you can use them in several ways. Mail a nice letter to someone you +hate (on AT&T paper..hehehe) saying that AT&T is onto them or something like +that. (Be sure to use correct English and spelling) (Also do not hand write +the letter! Use a typewriter! - Not Fontrix as AT&T doesn't use OLD ENGLISH or +ASCII BOLD when they type letters. Any IBM typewriter will do perfectly) + + Another possible use (of many, I guess) is (if you are old enough to look +the part) to use the business card as some sort of fake id. + + The last example of uses for the fake AT&T letters & b.cards is mentioned in +my textfile, BASIC RADIO CALLING. Briefly, send the station a letter that +reads: + WCAT - FM202: (Like my examples? Haha!) +(As you probably know, radio stations give away things by accepting the 'x' +call. (ie: The tenth caller through wins a pair of Van Halen tickets) Sometimes +they may ask a trivia question, but that's your problem. Anyway, the letter +continues:) + (You basically say that they have become so popular that they are getting too +many calls at once from listeners trying to win tickets. By asking them to +call all at the same time is overloading our systems. We do, of course, have +means of handling these sort of matters, but it would require you sending us a + + Page 76 + + + + + The Official Phreaker's Manual + +schedule of when you will be asking your listeners to call in. That way we +would be able to set our systems to handle the amount of callers you get at +peak times..(etc..etc..more BS..But you get the idea, right?) + +Joseph Hakimout +AT&T Telecommunications +East Bumblefuck, Nowheresville 55555 + + + Ok, so it probably won't work (DJs just aren't that dumb, unless you really +do live in Nowheresville), but using AT&T paper and a business card might up +your chances some. + + :-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:- + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 77 + + + + + The Official Phreaker's Manual + + =><---------------------------------><= + => A little something about <= + => Your phone company <= + =><---------------------------------><= + => By Col. Hogan <= + ======================================== + + Ever get an operator who gave you a hard time, and you didn't know +what to do? Well if the operator hears you use a little Bell jargon, she might +wise up. Here is a little diagram (excuse the artwork) of the structure of +operators + +/--------\ /------\ /-----\ +!Operator!-- > ! S.A. ! --->! BOS ! +\--------/ \------/ \-----/ + ! + ! + V +/-------------\ +! Group Chief ! +\-------------/ + + Now most of the operators are not bugged, so they can curse at you, if they +do ask INSTANTLY for the "S.A." or the Service Assistant. The operator does not +report to her (95% of them are hers) but they will solve most of your problems. +She MUST give you her name as she connects & all of these calls are bugged. If +the SA gives you a rough time get her BOS (Business Office Supervisor) on the +line. S/He will almost always back her girls up, but sometimes the SA will get +tarred and feathered. The operator reports to the Group Chief, and S/He will +solve 100% of your problems, but the chances of getting S/He on the line are +nill. + If a lineman (the guy who works out on the poles) or an installation man +gives you the works ask to speak to the Installation Foreman, that works +wonders. + Here is some other bell jargon, that might come in handy if you are having +trouble with the line. Or they can be used to lie your way out of +situations.... + + An Erling is a line busy for 1 hour, used mostly in traffic studies A +Permanent Signal is that terrible howling you get if you disconnect, but don't +hang up. + Everyone knows what a busy signal is, but some idiots think that is the +*Actual* ringing of the phone, when it just is a tone "beeps" when the phone is +ringing, wouldn't bet on this though, it can (and does) get out of sync. + When you get a busy signal that is 2 times as fast as the normal one, the +person you are trying to reach isn't really on the phone, (he might be), it is +actually the signal that a trunk line somewhere is busy and they haven't or +can't reroute your call. Sometimes you will get a Recording, or if you get +nothing at all (Left High & Dry in fone terms) all the recordings are being +used and the system is really overused, will probably go down in a little +while. This happened when Kennedy was shot, the system just couldn't handle the +calls. By the way this is called the "reorder signal" and the trunk line is +"blocked". + One more thing, if an overseas call isn't completed and doesn't generate +any money for AT&T, is is called an "Air & Water Call". + + + + + Page 78 + + + + + The Official Phreaker's Manual + + [ESSENCE OF TELEPHONE CONFERENCING] + [WRITTEN BY:] + [FOREST RANGER] + + TELEPHONE CONFERENCING IS AN EASY WAY OF GETTING MANY FRIENDS TOGETHER AT +ONCE. THIS CAN BE ACCOMPLISHED EASILY WITH LITTLE OR NO TROUBLE WHAT SO EVER. +THE TECHNIQUES THAT I WILL TEACH YOU DO NOT REQUIRE A BLUE BOX OR A TOUCH TONE +PHONE LINE. THE ONLY PREREQUISITE IS THAT YOU HAVE A PHONE THAT HAS A TONE +SWITCH ON IT OR HAVE A HOOKABLE TOUCH TONE KEYPAD. NOW, IF YOU ARE THE PARANOID +TYPE OF PERSON AND REFUSE TO USE YOUR OWN PHONE OUT OF YOUR HOUSE THEN HERE ARE +SOME SIMPLE WAYS OF GETTING CONFERENCES STARTED FROM ANOTHER PHONE. GO TO A +MALL OR A PLACE WHERE YOU KNOW THE PHONE IS BEING PAYED FOR BY THE BUSINESS IT +IS IN. + NOW THERE ARE TWO TO CALL THE CONFERENCE OPERATOR; DIAL "0" TO GET YOUR +LOCAL OPERATOR SO SHE CAN PUT YOU THROUGH TO THE CONFERENCE OPERATOR OR DIAL +THE CONFERENCE OPERATOR DIRECTLY IF YOU HAVE THE NUMBER HANDY. THE SYSTEM YOU +WILL BE LINKED UP TO IS CALLED THE "ALLIANCE" SYSTEM. THERE ARE THREE BRANCHES; +1000,2000,3000. + NOW ONCE YOU HAVE GOTTEN THE CONFERENCE OPERATOR YOU TELL HER YOU WOULD +LIKE TO START A CONFERENCE AND YOU WOULD LIKE TO MAINTAIN CONTROL OF IT. SHE +WILL THEN PROCEED TO ASK YOU FOR YOUR NAME AND NUMBER. YOU WILL THEN GIVE HER A +FAKE NAME AND THE NUMBER OF THE PAY PHONE. SHE WILL HANG UP AND CALL YOU BACK +ONCE SHE HAS CHECKED THE NUMBER. THEY USUALLY DON'T REALIZE IT IS A PAYPHONE SO +DON'T THINK IT WON'T WORK! NOW ONCE THE OPERATOR HAS GIVEN YOU CONTROL YOU WILL +THEN PROCEED TO HACK MY VOICE PHONE AND PUT ME ON THE CONFERENCE. + NOW, THE OTHER WAY OF STARTING A CONFERENCE IN WHICH YOU DON'T GET A LIVE +OPERATOR IS A "PBX". WITH THIS YOU WILL CALL A PBX NUMBER AND YOU WILL THEN +RECEIVE A RECORDING OF A BUSINESS OR OFFICE CO. THEN WHEN THE RECORDING IS OVER +YOU WILL HERE A BEEP...THEN AFTER ABOUT 10-30 SECONDS AFTER THE BEEP YOU WILL +GET A DIAL TONE ON THE ON THE END OF THE PBX. YOU WILL THEN TYPE THE PBX CODE +WHICH WILL THEN RESPOND WITH A RECORDING WELCOMING YOU TO THE CONFERENCING +NETWORK (WHICH WILL IN MOST IF NOT ALL BE THE "ALLIANCE" SYSTEM). + IT WILL BE SELF EXPLANATORY FROM THERE. NOW IF YOU DON'T WISH TO CALL THE +CONFERENCE OPERATOR EITHER WAY ALREADY EXPLAINED THEN THERE IS A WAS OF GETTING +YOUR FRIENDS IN CONFERENCE. THIS IS DONE OVER A LOOP EXTENSION. NO ONE WILL +HAVE CONTROL, BUT YOU WILL STILL BE ON CONFERENCE. THIS IS CALLED THE SEVEN +LINE LOOP EXTENSION. THIS MEANS YOU CAN HAVE UP TO SEVEN MEMBERS, BUT THAT IS +IT! THE NUMBER IS IN LA, CA. 213-206-2820. THE LAST WAY I WILL EXPLAIN TO YOU +IF YOU ARE IN DESPERATE NEED OF A CONFERENCE IS TO GO TO PAY PHONE LIKE I +MENTIONED BEFORE ANY MAKE SURE SOME BUSINESS PAYS THE BILL FOR IT THEN CALL THE +CONFERENCE OPERATOR IN THE FASHIONS MENTIONED AND ASK THE CONFERENCE OPERATOR +TO PLACE CONFERENCE CALLS. + THE WILL THEN ASK FOR THE NUMBERS OF THE PEOPLE TO PUT ON CONFERENCE, YOU +GIVE HER THE NUMBERS AND SHE WILL PUT YOU ALL ON CONFERENCE. WHEN YOU ARE DONE +YOU WILL HANG UP ON HER SO THERE WILL BE NO ONE IN CONTROL.THAT MEANS THE +CONFERENCE WILL BE BILLED TO THE PAYPHONE AND NO ONE CAN BE BLAMED FOR THE +CONFERENCE DUE TO NO ONE BEING IN CONTROL! ***NOTE*** THE CONFERENCE OPERATOR +WILL NOT BE ON WHILE YOU ARE ALL TALKING! REMEMBER THAT CONFERENCES ARE NOT +HARD AND IT IS VERY HARD TO GET ARRESTED ON ONE DUE TO WHAT I HAVE MENTIONED. + + REMEMBER:REACH OUT AND PHREAK SOMEONE! + + + +[TELEPHONE CONFERENCE CONTROLS] + + # - CONTROL MODE + # - 6 PASSES CONTROL + + Page 79 + + + + + The Official Phreaker's Manual + + # - 1 + AREA CODE & NUMBER ADDS + # - 9 SILENT MODE + # - 7 GETS CONFERENCE OPERATOR + * - ENDS CONFERENCE + + + THE "#" IS THE CONTROL KEY ON YOUR CONFERENCES. WHEN YOU PASS CONTROL TO +SOMEONE ELSE HIT THE "#" THEN "6". WAIT FOR THE RECORDING TO SAY ENTER # OF +PERSON TO PASS CONTROL TO, THEN ENTER THE NUMBER OF THE PERSON YOU ARE GOING TO +GIVE CONTROL TO. + TO ADD A PERSON ON TO THE CONFERENCE HIT "#" THEN "1","AREA CODE","NUMBER". +THEN WHEN THE PERSON ANSWERS WAIT FIVE SECONDS THEN HIT THE "#" TO ADD. IF YOU +ARE IN CONTROL OF THE CONFERENCE AND YOU WANT TO HEAR EVERYONE ELSE, BUT YOU DO +NOT WANT TO BE HEARD IT "#" THEN "9" THEN THE "#" TO REJOIN THE CONFERENCE. +REMEMBER AFTER ADDING SOMEONE ON OR PASSING CONTROL TO SOMEONE YOU MUST ALWAYS +HIT THE "#" TO REJOIN THE OTHERS ON CONFERENCE: PASSING CONTROL: "#","6", WAIT +FOR RECORDING TO SAY ENTER NUMBER OF PARTY TO GIVE CONTROL TO THEN ENTER NUMBER +AND HIT "#" TO REJOIN YOUR CONFERENCE.IF YOU EVER WANT TO GET A CONFERENCE +OPERATOR FOR SOME STRANGE REASON THEN HIT "#","7" AND WAIT FOR A CONFERENCE +OPERATOR TO CLICK ON. TO END A CONFERENCE HIT "*". + + WITH HELP FROM: SILICON FALCON, SILVER CONDOR, AND THE ELIMINATOR. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 80 + + + + + The Official Phreaker's Manual + + Phone Tapping + + HERE IS SOME INFO ON PHONE TAPS. I HAVE ENCLOSED A SCHEMATIC FOR A SIMPLE +WIRETAP & INSTRUCTIONS FOR HOOKING UP A TAPE RECORDER CONTROL RELAY TO THE +PHONE LINE. + FIRST I'LL DISCUSS TAPS A LITTLE. THERE ARE MANY DIFFERENT TYPES OF TAPS. +THERE ARE TRANSMITTERS, WIRED TAPS AND INDUCTION TAPS TO NAME A FEW. WIRED AND +WIRELESS TRANSMITTERS MUST BE PHYSICALLY CONNECTED TO THE LINE BEFORE THEY'LL +DO ANY GOOD. ONCE A WIRELESS TAP IS CONNECTED TO THE LINE, IT CAN TRANSMIT ALL +CONVERSATIONS OVER A LIMITED RANGE. THE PHONES IN THE HOUSE CAN EVEN BE +MODIFIED TO PICK UP CONVERSATIONS IN THE ROOM & TRANSMIT THEM TOO! THESE TAPS +ARE USUALLY POWERED OFF THE PHONE LINE, BUT CAN HAVE AN EXTERNAL POWER SOURCE. + WIRED TAPS, ON THE OTHER HAND, NEED NO POWER SOURCE, BUT A WIRE MUST BE +RUN FROM THE LINE TO THE LISTENER OR TO A TRANSMITTER. THERE ARE OBVIOUS +ADVANTAGES OF WIRELESS TAPS OVER WIRED ONES. THERE IS ONE TYPE OF WIRELESS TAP +THAT LOOKS LIKE A NORMAL TELEPHONE MIKE. ALL YOU HAVE TO DO IS REPLACE THE +ORIGINAL MIKE WITH THIS & IT'LL TRANSMIT ALL CONVERSATIONS! + THERE IS AN EXOTIC TYPE OF WIRED TAP KNOWN AS THE 'INFINITY TRANSMITTER' OR +'HARMONICA BUG'. IN ORDER TO HOOK UP ONE OF THESE, YOU NEED ACCESS TO THE +TARGET TELEPHONE. IT HAS A TONE DECODER & SWITCH INSIDE. WHEN IT IS +INSTALLED, SOMEONE CALLS THE TAPPED PHONE & *BEFORE* IT RINGS, BLOWS A WHISTLE +OVER THE LINE. THE X-MITTER RECEIVES THE TONE & PICKS UP THE PHONE VIA A +RELAY. THE MIKE ON THE PHONE IS ACTIVATED SO THE CALLER CAN HEAR ALL +CONVERSATIONS IN THE ROOM. + THERE IS A SWEEP TONE TEST AT 415/BUG-1111 WHICH CAN BE USED TO DETECT ON +OF THESE TAPS. IF ONE OF THESE IS ON YOUR LINE & THE TEST # SENDS THE CORRECT +TONE, YOU'LL HEAR A CLICK. + INDUCTION TAPS HAVE ONE BIG ADVANTAGE OVER TAPS THAT MUST BE PHYSICALLY +WIRED TO THE PHONE. THEY DON'T HAVE TO BE TOUCHING THE PHONE IN ORDER TO PICK +UP THE CONVERSATION. THEY WORK ON THE SAME PRINCIPLE AS THE LITTLE SUCTION-CUP +TAPE RECORDER MIKES YOU CAN GET AT RADIO SHACK. INDUCTION MIKES CAN BE HOOKED +UP TO A TRANSMITTER OR BE WIRED. HERE IS AN EXAMPLE OF INDUSTRIAL ESPIONAGE +USING THE PHONE: + A SALESMAN WALKS INTO AN OFFICE & MAKES A FONE CALL. HE FAKES THE +CONVERSATION, BUT WHEN HE HANGS UP HE SLIPS SOME FOAM-RUBBER CUBES UNDER THE +HANDSET, SO THE FONE IS STILL OFF THE HOOK. THE CALLED PARTY CAN STILL HEAR +ALL CONVERSATIONS IN THE ROOM. WHEN SOMEONE PICKS UP THE FONE, THE CUBES FALL +AWAY UNNOTICED. + I USE A TAP ON MY LINE TO MONITOR WHAT AE-PRO IS DOING WHEN IT AUTO-DIALS, +SINCE IT DOESN'T TAKE ADVANTAGE OF THE HANDSET ON THE APPLE CAT II. I CAN ALSO +HOOK UP THE TAP TO A CASSETTE RECORDER OR AMPLIFIER. HERE IS THE SCHEMATIC: + +-------)!----)!(-------------> + )!( + CAP ^ )!( + )!( + )!( + )!( + ^^^^^---)!(-------------> + ^ 100K + ! + ! THE HITCHHINKERS <%=- + BRING YOUR TOWEL + + + + + + + + + + + + + + + + + + + + + Page 88 + + + + + The Official Phreaker's Manual + + 2600 Magazine's story on the Private Sector Bust + Uploaded by Elric of Imrryr + Lunatic Labs Unlimited + :::::::::::::::::::::::::::::::::::::::::::::::: + +Typed By Shooting Shark : The following article appeared in the August, 1985 +issue of 2600 Magazine. Subscriptions to 2600 are $12 a year for individuals. +Make checks payable to 2600 Enterprises, Inc. Write to: 2600, Box 752, Middle +Island, NY 11953-0752. Their phone number is 516-751-2600. Text of article +follows. + +SEIZED! +2600 Bulletin Board is Implicated in Raid on Jersey Hackers + + On July 12, 1985, law enforcement officials seized the Private Sector BBS, +the official computer bulletin board of 2600 magazine, for "complicity in +computer theft," under the newly passed, and yet untested, New Jersey Statute +2C:20-25. Police had uncovered in April a credit carding ring operated around +a Middlesex County electronic bulletin board, and from there investigated +other North Jersey bulletin boards. Not understanding subject matter of the +Private Sector BBS, police assumed that the sysop was involved in illegal +activities. Six other computers were also seized in this investigation, +including those of Store Manager [perhaps they mean Swap Shop Manager? - +Shark] who ran a BBS of his own, Beowolf, Red Barchetta, the Vampire, NJ Hack +Shack, sysop of the NJ Hack Shack BBS, and that of the sysop of the Treasure +Chest BBS. + + Immediately after this action, members of 2600 contacted the media, who +were completely unaware of any of the raids. They began to bombard the +Middlesex County Prosecutor's Office with questions and a press conference was +announced for July 16. The system operator of the Private Sector BBS attempted +to attend along with reporters from 2600. They were effectively thrown off +the premises. Threats were made to charge them with trespassing and other +crimes. An officer who had at first received them civilly was threatened with +the loss of his job if he didn't get them removed promptly. Then the car was +chased out of the parking lot. Perhaps prosecutor Alan Rockoff was afraid that +he presence of some technically literate reporters would ruin the effect of his +press release on the public. As it happens, he didn't need our help. + + The next day the details of the press conference were reported to the +public by the press. As Rockoff intended, paranoia about hackers ran rampant. +Headlines got as ridiculous as hackers ordering tank parts by telephone from +TRW and moving satellites with their home computers in order to make free phone +calls. These and even more exotic stories were reported by otherwise +respectable media sources. The news conference understandably made the front +page of most of the major newspapers in the US, and was a major news item as +far away as Australia and in the United Kingdom due to the sensationalism of +the claims. We will try to explain why these claims may have been made in this +issue. + + On July 18 the operator of The Private Sector was formally charged +with"computer conspiracy" under the above law, and released in the custody of +his parents. The next day the American Civil Liberties Union took over his +defense. The ACLU commented that it would be very hard for Rockoff to prove a +conspiracy just "because the same information, construed by the prosecutor to +be illegal, appears on two bulletin boards." especially as Rockoff admitted +that "he did not believe any of the defendants knew each other." The ACLU +believes that the system operator's rights were violated, as he was assumed to + + Page 89 + + + + + The Official Phreaker's Manual + +be involved in an illegal activity just because of other people under +investigation who happened to have posted messages on his board. + + In another statement which seems to confirm Rockoff's belief in guilt by +association, he announced the next day that "630 people were being investigated +to determine if any used their computer equipment fraudulently." We believe +this is only the user list of the NJ Hack Shack, so the actual list of those to +be investigated may turn out to be almost 5 times that. The sheer overwhelming +difficulty of this task may kill this investigation, especially as they find +that many hackers simply leave false information. Computer hobbyists all +across the country have already been called by the Bound Brook, New Jersey +office of the FBI. They reported that the FBI agents used scare tactics in +order to force confessions or to provoke them into turning in others. We would +like to remind those who get called that there is nothing inherently wrong or +illegal in calling any ANY BBS, nor in talking about ANY activity. The FBI +would not comment on the case as it is an "ongoing investigation" and in the +hands of the local prosecutor. They will soon find that many on the Private +Sector BBS's user list are data processing managers, telecommunications +security people, and others who are interested in the subject of the BBS, +hardly the underground community of computer criminals depicted at the news +conference. The Private Sector BBS was a completely open BBS, and police and +security people were even invited on in order to participate. The BBS was far +from the "elite" type of underground telecom boards that Rockoff attempted to +portray. + + Within two days, Rockoff took back almost all of the statements he had +made at the news conference, as AT&T and the DoD [Department of Defense - +Shark] discounted the claims he had made. He was understandably unable to find +real proof of Private Sector's alleged illegal activity, and was faced with +having to return the computer equipment with nothing to show for his effort. +Rockoff panicked, and on July 31, the system operator had a new charge against +him, "wiring up his computer as a blue box." Apparently this was referring to +his Novation Applecat modem which is capable of generating any hertz tone over +the phone line. By this stretch of imagination an Applecat could produce a +2600 hertz tone as well as the MF which is necessary for "blue boxing." +However, each and every other owner of an Applecat or any other modem that can +generate its own tones therefore has also "wired up his computer as a blue box" +by merely installing the modem. This charge is so ridiculous that Rockoff +probably will never bother to press it. However, the wording of WIRING UP THE +COMPUTER gives rockoff an excuse to continue to hold onto the computer longer +in his futile search for illegal activity. + + "We have requested that the prosecutors give us more specific +information," said Arthur Miller, the lawyer for The Private Sector. "The +charges are so vague that we can't really present a case at this point." +Miller will appear in court on August 16 to obtain this information. He is +also issuing a demand for the return of the equipment and, if the prosecutors +don't cooperate, will commence court proceedings against them. "They haven't +been particularly cooperative," he said. + + Rockoff probably will soon reconsider taking Private Sector's case to +court, as he will have to admit he just didn't know what he was doing when he +seized the BBS. The arrest warrant listed only "computer conspiracy" against +Private Sector, which is much more difficult to prosecute than the multitude of +charges against some of the other defendants, which include credit card fraud, +toll fraud, the unauthorized entry into computers, and numerous others. + + Both Rockoff and the ACLU mentioned the Supreme Court in their press + + Page 90 + + + + + The Official Phreaker's Manual + +releases, but he will assuredly take one of his stronger cases to test the new +New Jersey computer crime law. by seizing the The just because of supposed +activities discussed on it, Rockoff raises constitutional questions. Darrell +Paster, a lawyer who centers much of his work on computer crime, says the New +Jersey case is "just another example of local law enforcement getting on the +bandwagon of crime that has come into vogue to prosecute, and they have +proceeded with very little technical understanding, and in the process they +have abused many people's constitutional rights. What we have developing is a +mini witch hunt which is analogous to some of the arrests at day care centers, +where they sweep in and arrest everybody, ruin reputations, and then find that +there is only one or two guilty parties." We feel that law enforcement, not +understanding the information on the BBS, decided to strike first and ask +questions later. + + 2600 magazine and the sysops of the Private Sector BBS stand fully behind +the system operator. As soon as the equipment is returned, the BBS will go +back up. We ask all our readers to do their utmost to support us in our +efforts, and to educate as many of the public as possible that a hacker is not +a computer criminal. We are all convinced of our sysop's innocence, and await +Rockoff's dropping of the charges. + +NOTE: Readers will notice that our reporting of the events are quite different +than those presented in the media and by the Middlesex County Prosecutor. We +can only remind you that we are much closer to the events at hand than the +media is, and that we are much more technologically literate than the Middlesex +County Prosecutor's Office. The Middlesex County Prosecutor has already taken +back many of his statements, after the contentions were disproven by AT&T and +the DoD. One problem is that the media and the police tend to treat the seven +cases as one case, thus the charges against and activities of some of the +hackers has been extended to all of the charged. We at 2600 can only speak +about the case of Private Sector. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 91 + + + + + The Official Phreaker's Manual + + Chapter 4 + + By now I assume that the reader has a fair idea of what phreaking is, and +know a little bit about how to go about it. From now on, I will assume that +the reader has read all the material before this or understands all the +material covered. Now we will take a journey into the "Basics of +Telecommunications" and learn a little about how everything works, and is +related to everything else. This series of articles is extremely good and +should be read by all levels of phreaks. + As we go further into the advanced world of phreaking, we come closer to the +edge of technology. As we approach it, everything seems to become larger and +more complicated. We notice that many things that were possible aren't +anymore. Blue boxing is starting to become the only method of exploration as +Equal Access looms nearer and nearer. As it stands now, equal access is here, +and many LD services such as Sprint and MCI will be tougher to hack. Extenders +will become more used and abused, which will cause them to get access codes +miles long... + Blue boxing becomes harder as all Bell switching and transmission facilities +go under to CCIS. Then to further complicate things, digital microwave, fiber +optic, and satellite transmission are all coming to be digital and do not +recognize 2600hz for the hang up signal. I predict that around 1990, blue +boxes will be obsolete from all major cities. A new type of box will have to +be invented, or you'll have to get two fone line to phreak with, on to place +the actual call and the other to tap into a COSMOS computer to change the +status of the call from toll to toll-free, ie. 800#. + Well somethings will change for the better, with ISDN you'll get 144k bps +lines and some other neat stuff. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 92 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * BASIC TELECOMMUNICATIONS * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART II * + * * + ************************************************************ + + PREFACE: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN PART II, WE WILL EXPLORE THE VARIOUS SPECIAL BELL#'S, SUCH AS: CN/A, +AT&T NEWSLINES, LOOPS, 99XX #'S, ANI, RINGBACK, AND A FEW OTHERS. + + CN/A: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + CN/A, WHICH STANDS FOR CUSTOMER NAME AND ADDRESS, ARE BUREAUS THAT EXIST SO +THAT AUTHORIZED BELL EMPLOYEES CAN FIND OUT THE NAME AND ADDRESS OF ANY +CUSTOMER IN THE BELL SYSTEM. ALL #'S ARE MAINTAINED ON FILE INCLUDING UNLISTED +#'S. + +HERE'S HOW IT WORKS: + +1) YOU HAVE A # AND YOU WANT TO FIND OUT WHO OWNS IT, E.G. (914) 555-1234. + +2) YOU LOOK UP THE CN/A # FOR THAT NPA IN THE LIST BELOW. IN THE EXAMPLE, THE +NPA IS 914 AND THE CN/A# IS 518-471-8111. + +3) YOU THEN CALL UP THE CN/A # (DURING BUSINESS HOURS) AND SAY SOMETHING LIKE, +"HI, THIS IS JOHN JONES FROM THE RESIDENTIAL SERVICE CENTER IN MIAMI. CAN I +HAVE THE CUSTOMER'S NAME AT 914-555-1234. THAT # IS 914-555-1234." MAKE UP +YOUR OWN REAL SOUNDING NAME, THOUGH. + +4) IF YOU SOUND NATURAL & CHEERY, THE OPERATOR WILL ASK NO QUESTIONS. + + HERE'S THE LIST: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + NPA CN/A # NPA CN/A # + --- ------------ --- ------------ + 201 201-676-7070 517 313-232-8690 + 202 202-384-9620 518 518-471-8111 + 203 203-789-6800 519 416-487-3641 + 204 ****N/A***** 601 601-961-0877 + 205 205-988-7000 602 303-232-2300 + 206 206-382-8000 603 617-787-2750 + 207 617-787-2750 604 604-432-2996 + 208 303-232-2300 605 402-345-0600 + 209 415-546-1341 606 502-583-2861 + 212 518-471-8111 607 518-471-8111 + 213 213-501-4144 608 414-424-5690 + 214 214-948-5731 609 201-676-7070 + 215 412-633-5600 612 402-345-0600 + 216 614-464-2345 613 416-487-3641 + 217 217-525-7000 614 614-464-2345 + 218 402-345-0600 615 615-373-5791 + + Page 93 + + + + + The Official Phreaker's Manual + + 219 317-265-7027 616 313-223-8690 + 301 301-534-11?? 617 617-787-2750 + 302 412-633-5600 618 217-525-7000 + 303 303-232-2300 701 402-345-0600 + 304 304-344-8041 702 415-546-1341 + 305 912-784-9111 703 804-747-1411 + 306 ****N/A***** 704 912-784-9111 + 307 303-232-2300 705 416-487-3641 + 308 402-345-0600 707 415-546-1341 + 309 217-525-7000 709 ****N/A***** + 312 312-769-9600 712 402-345-0600 + 313 313-223-8690 713 713-658-1793 + 314 314-436-3321 714 213-995-0221 + 315 518-471-8111 715 414-424-5690 + 316 816-275-2782 716 518-471-8111 + 317 317-265-7027 717 412-633-5600 + 318 318-227-1551 801 303-232-2300 + 319 402-345-0600 802 617-787-2750 + 401 617-787-2750 803 912-784-9111 + 402 402-345-0600 804 804-747-1411 + 403 403-425-2652 805 415-546-1341 + 404 912-784-9111 806 512-828-2502 + 405 405-236-6121 807 416-487-3641 + 406 303-232-2300 808 212-226-5487 + 408 415-546-1341 BERMUDA ONLY + 412 412-633-5600 809 212-334-4336 + 413 617-787-2750 812 317-265-7027 + 414 414-424-5690 813 813-228-7871 + 415 415-546-1132 814 412-633-5600 + 416 416-487-3641 815 217-525-7000 + 417 314-436-3321 816 816-275-2782 + 418 514-861-6391 817 214-948-5731 + 419 614-464-2345 819 514-861-6391 + 501 405-236-6121 901 615-373-5791 + 502 502-583-2861 902 902-421-4110 + 503 503-241-3440 903 ****N/A***** + 504 504-245-5330 904 912-784-9111 + 505 303-232-2300 906 313-223-8690 + 506 506-657-3855 907 ****N/A***** + 507 402-345-0600 912 912-784-9111 + 509 206-382-8000 913 816-275-2782 + 512 512-828-2501 914 518-471-8111 + 513 614-464-2345 915 512-828-2501 + 514 514-861-6391 916 415-546-1341 + 515 402-345-0600 918 405-236-6121 + 516 518-471-8111 919 912-784-9111 + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + BELL USES THESE #'S MAINLY TO FIND OUT WHO OWNS A # THAT A CUSTOMER CLAIMS +HE NEVER CALLED. + +NOTE: THIS IS THE MOST COMPLETE LIST OF CN/A #'S IN MY POSSESSION (WITH ONLY +5 #'S NOT AVAILABLE) THIS LIST WAS COPYRIGHTED IN 1982 BY "JUDAS GERARD" AS IT +ORIGINALLY APPEARED IN TAP ISSUE #78. + AT&T NEWSLINES: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + NEWSLINES ARE RECORDINGS THAT BELL EMPLOYEES CALL UP TO FIND OUT THE LATEST + + Page 94 + + + + + The Official Phreaker's Manual + +INFO ON STOCK, TECHNOLOGY, ETC. CONCERNING THE BELL SYSTEM. + + HERE ARE THE #'S THAT ARE CURRENTLY KNOWN TO PHREAKS (AT LEAST ME, ANYWAY): + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + 201-483-3800 NJ 513-421-9060 OH + 203-771-4920 CT 516-234-9914 NY + 212-393-2151 NY 518-471-2272 NY + 213-621-4141 CA 617-955-1111 MA + 213-829-0111 CA (GTE) 702-789-6711 NV + 213-449-8830 CA 713-224-6116 TX + 312-368-8000 IL 714-238-1111 CA + 313-223-7223 MI 717-255-5555 PA + 314-247-5511 MO 717-787-1031 PA + 408-493-5000 CA 802-955-1111 VE + 412-633-3333 PA 808-533-4426 HI + 414-678-3511 WI 813-223-5666 FL + 416-929-4323 ONT. 914-948-8100 NY + 503-228-6271 OR 916-480-8000 CA + + LOOPS + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + FIRST OF ALL, YOU MUST UNDERSTAND THE CONCEPT OF LOOPS. I THINK THAT THE +BEST WAY THAT THIS IS UNDERSTOOD IS THE WAY THAT PHRED PHREEK EXPLAINED IT... + + "NO SELF-RESPECTING PHONE PHREAK CAN GO THROUGH LIFE WITHOUT KNOWING WHAT A +LOOP IS, HOW TO USE ONE, AND THE TYPES THAT ARE AVAILABLE. THE LOOP IS A GREAT +ALTERNATIVE COMMUNICATION MEDIUM THAT HAS MANY POTENTIAL USES THAT HAVEN'T EVEN +BEEN TAPPED YET. IN ORDER TO EXPLAIN WHAT A LOOP IS, IT WOULD BE HELPFUL TO +VISUALIZE TWO PHONE NUMBERS (LINES) JUST FLOATING AROUND IN THE TELCO CENTRAL +OFFICE (CO). NOW, IF YOU (AND A FRIEND PERHAPS) WERE TO CALL THESE TWO NUMBERS +AT THE SAME TIME, POOOOPFFF!!!, YOU ARE NOW CONNECTED TOGETHER. I HEAR WHAT +YOU'RE SAYING OUT THERE..., "BIG DEAL" OR "WHY SHOULD MA BELL COLLECT HERE TWO +MSU'S (MESSAGE UNITS) FOR ONE LOUSY PHONE CALL!?" WELL... THINK AGAIN. HAVEN'T +YOU EVER WANTED SOMEONE TO CALL YOU BACK BUT, WERE RELUCTANT TO GIVE OUT YOUR +HOME PHONE NUMBER (LIKE THE LAST TIME YOU TRIED TO GET YOUR FRIEND'S UNLISTED # +FROM THE BUSINESS OFFICE)? OR HOW ABOUT A COLLECT CALL TO YOUR FRIEND WAITING +ON A LOOP, WHO WILL GLADLY ACCEPT THE CHARGES? OR BETTER YET, STUMBLING UPON A +LOOP THAT YOU DISCOVER THAT HAS MULTI-USER CAPABILITY (FOR THOSE LATE-NIGHT +CONFERENCES). BEST OF ALL IS FINDING A NON-SUPERVISED LOOP THAT DOESN'T CHARGE +ANY MSU'S OR TOLLS TO ONE OR BOTH PARTIES. EXAMPLE: MANY MOONS AGO, A LOOP +AFFECTIONATELY KNOWN AS 'THE 332 LOOP' WAS NON-SUP (IE, NON-SUPERVISED) ON THE +TONE SIDE. I HAD MY FRIEND IN CALIFORNIA DIAL THE FREE (NON-SUP) SIDE, (212) +332-9906 AND I DIALED THE SIDE THAT CHARGED, 332-9900. AS YOU CAN SEE, I WAS +CHARGED ONE MSU, AND MY FRIEND AS CHARGED ZILCH, FOR AS LONG AS WE WISHED TO +TALK!!!" + + ********** + + AHHH...HAVE I PERKED YOUR INTEREST YET? IF SO, HERE IS HOW TO FIND A LOOP +OF YOU VERY OWN. FIRST, DO ALL OF YOU LOOP SEARCHING AT NIGHT! THIS IS BECAUSE +THE LOOPS SERVE A GENUINE TEST FUNCTION WHICH TELCO USES DURING THE DAY. (WE +DON'T WANT TO RUN INTO AN IRATE LINEMAN NOW, DO WE?) TO FIND A LOOP, HAVING 2 +#'S IS A DEFINITE PLUS. IF NOT, HAVE A FRIEND TO DIAL #'S AT HIS LOCATION. +LAST RESORT, TRY DIALING FROM TWO ADJACENT PAY PHONES. NOW GET YOUR TRUSTY +WHITE PAGES (*), AND TURN TO THE PAGE WHERE IT LISTS THE # OF MSU'S FROM YOUR +EXCHANGE (OR EXCHANGES IN YOUR PRIMARY CALLING AREA) THE IDEA IS TO FIND A LOOP + + Page 95 + + + + + The Official Phreaker's Manual + +THAT IS WITHIN YOUR PRIMARY CALLING AREA OR IS ONLY 1 MSU IN YOUR AREA (CALL +AREA A). THIS IS SO YOU DON'T GO BANKRUPT TRYING TO FIND A LOOP. WRITE DOWN ALL +OF THESE EXCHANGES AND DO A 99XX SCAN OF THOSE EXCHANGES (99XX SCANNING WILL BE +DISCUSSED SHORTLY). + + BEFORE WE GET UP TO 99XX SCANNING, WE WILL LOOK AT SOME OTHER LOOP INFO: + + LOOPS ARE FOUND PAIRS WHICH ARE USUALLY CLOSE TO EACH OTHER. FOR EXAMPLE, +IN NPA 212, WHERE THE INFAMOUS LOOPS ARE FOUND, THERE IS A STANDARD LOOP +FORMAT: + +MANHATTAN & BRONX-------NNX-9977/9979 +BROOKLYN & QUEENS-------NNX-9900/9906 + + NNX IS THE EXCHANGE TO BE SCANNED. HERE ARE SOME LOOPS THAT HAVE BEEN FOUND +IN NYC. THESE ARE USED MOSTLY BY PHREAKS AND CALL-IN LINES FOR PIRATE RADIO +STATIONS: + +212-220-9900/9906 +212-283-9977/9979 +212-352-9900/9906 +212-365-9977/9979 +212-529-9900/9906 +212-562-9977/9979 +212-982-9977/9979 +212-986-9977/9979 + + THE LOWER # IS THE TONE SIDE (SINGING SWITCH). THE HIGHER # IS ALWAYS +SILENT. THE TONE DISAPPEARS ON THE LOWER # WHEN SOMEBODY DIALS IN THE OTHER +SIDE OF THE LOOP. IF YOU ARE ON THE HIGHER #, YOU'LL HAVE TO LISTEN TO THE +CLICKS TO SEE IF SOMEBODY DIALED-IN. THE NYC 982 & 986 LOOPS ARE DIFFERENT +FROM OTHERS. USUALLY WHEN YOU PARK ON A LOOP, YOU WILL HEAR WHO EVER CALLS IN +ON THE OTHER HALF. WHEN THEY'RE DONE, THE NEXT CALLER (IF ANY) WILL BE QUEUED +IN, ONE AFTER ANOTHER. ON THE NYC 982 & 986, YOU SOMETIMES CAN'T GET ANY MORE +CALLERS IN AFTER THE FIRST. FURTHERMORE, IF YOU PARK ONE OF THESE LOOPS AND +THERE IS NOBODY ON THE OTHER END FOR MORE THAN 4 MINUTES, YOU MAY BE +AUTOMATICALLY DISCONNECTED. THESE LOOPS ARE GOOD FOR BACK-UP PURPOSES WHEN ALL +OTHER LOOPS ARE BUSY. + + 99XX SCANNING: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + MOST EVERY EXCHANGE IN THE BELL SYSTEM HAS A WIDE VARIETY OF TEST #'S AND +OTHER "GOODIES," SUCH AS LOOPS. THESE "GOODIES" ARE USUALLY FOUND BETWEEN 9900 +AND 9999 IN YOUR LOCAL EXCHANGE. IF YOU HAVE THE TIME AND INITIATIVE, SCAN +YOUR EXCHANGE AND YOU MAY BECOME LUCKY! + +HERE ARE MY FINDINGS IN THE 914-268: + +9901 - VERIFICATION (RECORDING OF A/C AND EXCHANGE) +9936 - VOICE # TO THE TELCO CO +9937 - VOICE # TO THE TELCO CO +9941 - CARRIER +9960 - OSC. TONE (TONE SIDE LOOP) +9963 - TONE (STOPS: MUTED) +9966 - CARRIER +9968 - TONE THAT DISAPPEARS--RESPONDS TO CERTAIN TOUCH-TONE KEYS + + + Page 96 + + + + + The Official Phreaker's Manual + + MOST OF THE #'S BETWEEN 9900 & 9999 WILL RING, BE BUSY, GO TO A SPECIAL +INTERCEPT OPERATOR ("WHAT #, PLEASE?"), OR WILL GO TO A "THE # YOU HAVE +REACHED..." RECORDING. WHAT YOU FIND DEPENDS UPON THE SWITCHING EQUIPMENT IN +THE EXCHANGE AND THE TELCO OPERATING COMPANY. + + WHEN SEARCHING FOR LOOPS, YOU MAY FIND ONE OF THE FOLLOWING POSSIBILITIES +WHEN YOU FIND ONE: + +1. YOU CAN HEAR THROUGH THE LOOP (NOT MUTED), BUT THERE IS A 1/2 SECOND CLICK +EVERY 10 SECONDS THAT INTERRUPTS THE AUDIO. THIS TYPE IS GOOD FOR BACK-UP USE +BUT THE FUCKING CLICK IS SUPER ANNOYING. + +2. ONE SIDE OF THE LOOP IS BUSY; TRY IT AGAIN LATER. + +3. THE TONE DISAPPEARS, BUT YOU CANNOT HEAR THROUGH IT (THE LOOP IS MUTED, TRY +AGAIN IN A MONTH OR SO) + +4. YOU GET "THE # YOU HAVE REACHED RECORDING." NO LOOP HERE! + + MOST LOOPS ARE MUTED (#3), BUT THEIR STATUS DOES CHANGES FROM TIME-TO-TIME. +IT ALL DEPENDS IF THE TELCO MAINTENANCE PERSONNEL REMEMBER TO "THROW THE +SWITCH", IE, TURN OFF THE LOOP. + + SINCE I HAVE DONE THE ABOVE 914-268 99XX SCAN, CONGERS (268) HAS INSTALLED +NEW SWITCHING EQUIPMENT (DMS100). SOME OF THE NUMBERS ARE THE SAME, BUT I HAVE +NOTICED THAT ON THE DMS100, THE RECORDINGS ARE ALSO STORED IN THIS AREA. +268-9903, 9906, 9909, & 9912 ARE ALL DIFFERENT RECORDINGS. ALSO, THERE ARE 2 +FORTRESS FONE RECORDINGS AT 268-9911 (DEPOSIT 5 CENTS OR ELSE) AND 268-9913 +(DEPOSIT 10 CENTS). NONE OF THESE RECORDINGS SUPE AND ALOT OF OTHER 99XX#'S +DON'T SUPE EITHER. + + IN SOME AREAS (LIKE MD), 9906-7 IS RINGBACK. IN WASHINGTON, THERE IS A +SWEEP TONE TEST AT (202) 560-9944. IN NYC (212), YOU'LL FIND THE INFAMOUS LOOP +LINES (AS MENTIONED ABOVE). + IT WILL BE EASIER TO SCAN YOUR EXCHANGE IF YOU MAKE UP A CHART LIKE THE ONE +BELOW: + + + NPA-NNX-99XX SCAN + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + _________________________________________________________ + | 99X X>|0 |1 |2 |3 |4 |5 |6 |7 |8 |9 | + |_______|____|____|____|____|____|____|____|____|____|____| + | 990 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 991 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 992 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 993 | | | | | | | | | | | + |_______|____|____|___|_J__| +___|____|____|____|____|____| + | 994 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 995 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 996 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + + Page 97 + + + + + The Official Phreaker's Manual + + | 997 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 998 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 999 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THIS LEAVES YOU WITH 100 BOXES (1 FOR EACH # BETWEEN 9900 & 9999). YOU +SHOULD MAKE YOUR BOXES BIG ENOUGH SO YOU CAN WRITE SOME SORT OF SHORTHAND IN +THEM. FOR EXAMPLE: + +B - BUSY (TRY AGAIN AT ANOTHER TIME) +R - RINGS (TRY AGAIN AT ANOTHER TIME) +O - INTERCEPT OPERATOR ("WHAT # YOU CALLING?) +R1- RECORDING 1 (MAKE A MARGIN NOTE OF THE TYPES OF RECORDINGS YOU GET) +T - TONE ] TONE AT A LOWER # + IGNORE +I - IGNORE ] AT A HIGHER # = LOOP +V - VOICE # TO TELCO CO - THEY USUALLY ANSWER WITH THE CITY NAME OR AREA. +C - CARRIER + + THERE WILL BE OTHERS AND YOU SHOULD USE OTHER CHARACTERS THAT YOU CAN +UNDERSTAND. + + NOW, BACK TO LOOPS! AS YOU MAY HAVE NOTICED IN MY 914-268 SCAN, I FOUND A +MUTED LOOP AND A TONE SIDE. 914-268 FAILED TO COME UP WITH THE SILENT SIDE OF +A LOOP! THEREFORE, THERE IS NO LOOP IN THAT EXCHANGE. I THEN SCANNED ANOTHER +EXCHANGE IN MY PRIMARY CALLING AREA (914-634) AND I FOUND A LOOP!! "(914) +634-9923/9924" SO, I@ AT FSRST YOU DON'T SUCCEED, MOVE ONTO ANOTHER EXCHANGE. +IF YOU USE THE BOX METHOD THAT I HAVE OUTLINED ABOVE, YOU WILL SEE A "T" & "I" +NEXT TO EACH OTHER FOR A LOOP. + SOME EXCHANGES ARE SPECIAL. FOR EXAMPLE, 914-623 IS A TESTING BUREAU. IN +THIS EXCHANGE, NOT ONLY DID I FIND A LOOP, BUT I ALSO FOUND SEVERAL INTERESTING +TONES, NOISES, AND OTHER TEST FUNCTIONS. ALSO, THE MORE IMPORTANT THE EXCHANGE +IS, THE MORE YOU WILL FIND. FOR EXAMPLE, IN 914-623, I FOUND WELL OVER 10 VOICE +#'S! + ALSO, LOOPS ARE USUALLY, BUT NOT EXCLUSIVELY, FOUND IN THE 99XX SERIES. FOR +EXAMPLE: "(713) 324-1799/1499" IS A LOOP. + +THE PERFECT LOOP? HERE IS WHAT I WOULD LOOK FOR: + +1. NON-SUP ON ONE OR BOTH SIDES. TO CHECK FOR A NON-SUP LOOP, GO TO A +TONE-FIRST FORTRESS FONE AND DIAL THE #. IF IT ASKS FOR A DIME, IT IS +SUPERVISED. IF THE CALL GOES THROUGH, THEN IT IS NON-SUPED! + +2. 800 LOOPS WOULD BE A PLUS. THEY ARE NOT NECESSARILY FOUND BETWEEN 9900 & +9999 THOUGH. I WOULD CHECK THE 1XXX SERIES FIRST. + +3. MULTI-USER LOOPS ARE ALSO A PLUS FOR THOSE LATE NIGHT CONFERENCES. + + FINALLY, REMEMBER IT IS ONLY A LOCAL CALL TO FIND OUT WHAT YOU CO HAS IN +STORE FOR YOU. IF YOU FIND ANYTHING INTERESTING, BE SURE TO DROP ME A LINE. + + +NOTE: YOUR LOCAL WHITE PAGES CAN BE A VALUABLE ASSET. YOU CAN ALSO ORDER OTHER +FONE BOOKS FROM YOUR BUSINESS OFFICE (USUALLY FREE FOR BOOKS WITHIN YOUR +OPERATING COMPANY'S DISTRICT). A LARGE FONE BOOK, SUCH AS MANHATTAN, CONTAINS + + Page 98 + + + + + The Official Phreaker's Manual + +MUCH MORE INFO IN THE FIRST FEW PAGES THAN OTHER BOOKS. + + ANI + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + AUTOMATIC NUMBER IDENTIFICATION (ANI), IS A NUMBER THAT YOU CALL UP THAT +WILL TELL YOU WHAT # YOU ARE CALLING FROM. + THIS HAS A FEW USES. FIRST, WERE YOU EVER SOMEWHERE AND THE FONE DIDN'T +HAVE A # PRINTED ON IT? OR PERHAPS YOU WERE FOOLING AROUND IN SOME CANS (THOSE +LARGE BOXES ON FONE POLES THAT CONTAIN TERMINALS FOR LINEMAN USE--TO BE +DISCUSSES IN A FUTURE CHAPTER.) AND YOU WANT TO KNOW WHAT WHAT THE LINE # IS. +IN NPA 914, THE ANI IS 990. IN NPA'S 212 & 516, ANI IS 958. THIS VARIES FROM +AREA TO AREA. + +HERE ARE SOME OTHER ANI'S THAT I HAVE SEEN: + +890-751-5191 +202-222-2222 +1-XXX-1111 (IN SOME 914 AREAS, ESP. UNDER STEP-BY-STEP SWITCHING, YOU HAVE +TO DIAL 1-990-1111) + + TO FIND ANI FOR OTHER AREAS, CHECK 3 DIGITS #'S FIRST, USUALLY IN THE 9XX +SERIES (EXCLUDING 911). IN AREAS UNDER STEP-BY-STEP (TO BE DISCUSSED IN THE +NEXT PART), TRY 1-9XX-1111. + ANI MAY ALSO BE IN 99XX. LAST RESORT, TRY TO GET FRIENDLY WITH YOUR +NEIGHBOR WHO WORKS FOR THE FONE COMPANY. + + RING BACK + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + RINGBACK, AS ITS NAME IMPLIES, CALLS BACK THE # YOU ARE AT WHEN YOU DIAL +THE RINGBACK #. RINGBACK, IN NPA 914, IS 660. YOU DIAL 660+THE LAST 4 DIGITS OF +THE FONE. YOU WILL THEN GET A TONE, HANG-UP QUICKLY AND PICK-UP IN ABOUT 2 +SECONDS. YOU WILL THEN GET A SECOND TONE, HANG-UP AGAIN AND THE FONE WILL +RING. + IN NYC, IT IS ALSO 660, BUT YOU MAY HAVE TO PRESS 6 OR 7 BEFORE YOU HANG UP +FOR THE FIRST TIME (IE, AT THE FIRST TONE). + + OTHER RINGBACK #'S THAT I HAVE SEEN ARE: + +26011 - THIS 5 DIGIT FORMAT IS USED PRIMARILY ON STEP-BY-STEP. +THE LAST 2 DIGITS (11) ARE DUMMY DIGITS. + +890-897-XXXX - XXXX ARE THE LAST 4 DIGITS OF THE FONE #. + +119911/11911/1199911 - GTE + +NNX-9906/9907 - NPA 301, NNX IS THE EXCHANGE + + + THE REASON YOU GET THE TONE WHEN YOU PICK-UP AFTER IT RINGS IS BECAUSE IN +SOME AREAS, PEOPLE WERE USING RINGBACK AS AN IN-HOUSE INTERCOM. THEY WOULD +DIAL RINGBACK, AND WHEN IT STOPPED RINGING, THEY WOULD PICK-UP & TALK WITH THE +PERSON WHO PICKED UP THE OTHER EXTENSION. BELL DIDN'T LIKE THIS SINCE THERE IS +USUALLY ONLY 1 PIECE OF EQUIPMENT IN EACH EXCHANGE THAT DOES THE RINGBACK. WHEN +PEOPLE USED THIS AS AN INTERCOM, LINEMEN & REPAIRMEN COULDN'T GET THROUGH! IN +SOME AREAS, ESPECIALLY THOSE UNDER STEP-BY-STEP, RINGBACK CAN STILL BE USED AS +AN INTERCOM. ALSO, UNDER STEP-BY-STEP, THE RINGBACK PROCEDURE IT USUALLY + + Page 99 + + + + + The Official Phreaker's Manual + +SIMPLE. FOR EXAMPLE, IN ONE AREA YOU WOULD DIAL 26011 AND HANG-UP; IT WOULD +THEN RINGBACK. + + TOUCH-TONE TEST: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN AREAS THAT HAVE A TOUCH-TONE TEST, YOU DIAL THE RINGBACK #. AT THE +FIRST TONE, YOU TOUCH-TONE DIGITS 1-0. IF THEY ARE CORRECT IT WILL BEEP +TWICE. +I HAVE ALSO SEEN A TT TEST IN SOME AREAS AT: 890-751-5191 + + COMING SOON: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN THE NEXT PART, WE WILL LOOK AT VARIOUS SWITCHING EQUIPMENT AND THE +NETWORK. + + + BREAK UP OF BELL: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THE OPERATING COMPANIES ARE NOT GOING TO CHANGE ALL THE SWITCHING EQUIPMENT +AROUND. WHILE THERE WILL BE SOME CHANGES, MOST OF THE INFORMATION PROVIDED +HERE WILL REMAIN PERTINENT AFTER JANUARY 1, 1984. JUST SUBSTITUTE THE WORD +"FONE NETWORK" FOR BELL SYSTEM. + + +AU REVOIR, + +*****BIOC +*=$=*AGENT +*****003 + +DECEMBER 8, 1983 + +ACKNOWLEDGEMENTS: TAP, PHRED PHREEK, JUDAS GERARD, THE MAGICIAN, DARK PRIEST, +& MYSELF. I WOULD ALSO LIKE TO THANK THE MULCHER ][ FOR HIS ASSISTANCE IN +DISTRIBUTING THIS TUTORIAL. + + + + + + + + + + + + + + + + + + + + + + Page 100 + \ No newline at end of file diff --git a/textfiles.com/phreak/PHREAKING/manual2.txt b/textfiles.com/phreak/PHREAKING/manual2.txt new file mode 100644 index 00000000..9867d758 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/manual2.txt @@ -0,0 +1,6474 @@ + Page 106 + + + + + The Official Phreaker's Manual + +SHE WILL NEVER QUESTION A CALL AS LONG AS THE CALL IS WITHIN HER SERVICE AREA. +SHE CAN ONLY BE REACHED VIA OTHER OPERATORS OR BY A BLUE BOX. FROM A BB, YOU +WOULD DIAL KP+NPA+121+ST FOR THE INWARD OPERATOR THAT WILL HELP YOU CONNECT ANY +CALLS WITHIN THAT NPA AREA ONLY. (BLUE BOXING WILL BE DISCUSSED IN A FUTURE +PART OF BASIC TELCOM) + +DIRECTORY ASSISTANCE OPERATOR: +____________________________________________________________ + + THIS IS THE OPERATOR THAT YOU ARE CONNECTED TO WHEN YOU DIAL: 411 OR +NPA-555-1212. SHE DOES NOT READILY KNOW WHERE YOU ARE CALLING FROM. SHE DOES +NOT HAVE ACCESS TO UNLISTED #'S, BUT SHE DOES KNOW IF AN UNLISTED # EXISTS FOR +A CERTAIN LISTING. + + THERE IS ALSO A DIRECTORY ASSISTANCE FOR DEAF PEOPLE WHO USE +TELETYPEWRITERS IF YOU MODEM CAN TRANSFER BAUDOT (THE APPLE CAT CAN), THEN YOU +CAN CALL HER UP AND HAVE AN INTERESTING CONVERSATION WITH HER. THE # +IS:800/855-1155. SHE USES THE STANDARD TELEX ABBREVIATIONS SUCH AS GA FOR GO +AHEAD. THEY TEND TO BE NICER & WILL TALK LONGER THAN YOUR REGULAR OPERATORS. +ALSO, THEY ARE MORE VULNERABLE INTO BEING TALKED OUT OF INFORMATION THROUGH THE +PROCESS OF "SOCIAL ENGINEERING" AS CHESHIRE CATALYST WOULD PUT IT. + +OTHER OPERATORS HAVE ACCESS TO THEIR OWN DA BY DIALING KP+NPA+131+ST (MF). + + THIS IS A LITTLE OUT OF THE SCOPE OF THIS TUTORIAL, BUT MANY TELCO'S ARE +NOW CHARGING FOR CALLS TO DIR. ASST. YOU CAN BEAT THIS BY: + +(1) COUNT HOW MANY CALLS YOU MAKE TO DIRECTORY ASSISTANCE IN A BILLING PERIOD. +GO TO A FORTRESS FONE & DIAL DA. WHEN THE OPERATOR COMES ON, GIVE HER A NAME +THAT YOU KNOW HAS AN UNLISTED # OR ASK FOR A TOWN THAT ISN'T IN THE NPA. SHE +WILL THEN ASK FOR YOUR # SO SHE CAN CREDIT THE CALL TO YOU. GIVE HER YOUR HOME +#, SHE DOESN'T KNOW THAT YOU ARE MAKING A FREE CALL FROM THE FORTRESS. JUST +MAKE SURE THAT YOU DON'T CREDIT YOURSELF FOR MORE CALLS THAN YOU ACTUALLY MADE +OR YOU MIGHT HAVE A FEW PROBLEMS! + +(2) IF YOU HAVE A BAUDOT TERMINAL, USE THE 800 #, IT'S FREE & THERE IS ONE # +FOR ALL REQUESTS. + +C/NA OPERATORS: +____________________________________________________________ + + C/NA OPERATORS ARE OPERATORS THAT DO EXACTLY THE OPPOSITE OF WHAT DIRECTORY +ASSISTANCE OPERATORS ARE FOR. SEE PART II, FOR MORE INFO ON C/NA & #'S. IN MY +EXPERIENCES, THESE OPERATORS KNOW MORE THAN THE DA OP'S DO & THEY ARE MORE +SUSCEPTIBLE TO "SOCIAL ENGINEERING." IT IS POSSIBLE TO BULLSHIT A C/NA +OPERATOR FOR THE NON-PUB DA # (IE, YOU GIVE THEM THE NAME & THEY GIVE YOU THE +UNLISTED #). THIS IS DUE TO THE FACT THAT THEY ASSUME YOUR ARE A PHELLOW +COMPANY EMPLOYEE. + +INTERCEPT OPERATOR: +____________________________________________________________ + + THE INTERCEPT OPERATOR IS THE ONE THAT YOU ARE CONNECTED TO WHEN THERE ARE +NOT ENOUGH RECORDINGS AVAILABLE TO TELL YOU THAT THE # HAS BEEN DISCONNECTED OR +CHANGED. SHE USUALLY SAYS, "WHAT # YOU CALLIN' ? " WITH A FOREIGN ACCENT. +THIS IS THE LOWEST OPERATOR LIFEFORM. EVEN THOUGH THEY DON'T KNOW WHERE YOU +ARE CALLING FROM, IT IS A WASTE OF YOUR TIME TO TRY TO VERBALLY ABUSE THEM +SINCE THEY USUALLY UNDERSTAND VERY LITTLE ENGLISH. + + Page 107 + + + + + The Official Phreaker's Manual + + +OTHER OPERATORS: +____________________________________________________________ + +AND THEN THERE ARE THE: +MOBILE +SHIP-TO-SHORE +CONFERENCE +MARINE VERIFY, "LEAVE WORD & CALL BACK," +ROUT & RATE (KP+NPA+141+ST) & OTHER SPECIAL OPERATORS WHO HAVE ONE PURPOSE OR +ANOTHER IN THE NETWORK. + + PROBLEMS WITH AN OPERATOR? ASK TO SPEAK TO THEIR SUPERVISOR... WHICH IS +THE EQUIVALENT OF THE MADAME IN A WHOREHOUSE (IF YOU WILL EXCUSE THE ANALOGY). + + BY THE WAY, SOME CO'S THAT WILL ALLOW YOU TO DIAL A 1 OR 0 AS THE 4TH +DIGIT, WILL ALSO ALLOW YOU TO CALL SPECIAL OPERATORS WITHOUT A BLUE BOX. THIS +IS VERY RARE THOUGH! FOR EXAMPLE, 212-121-1111 WILL GET YOU A NY INWARD +OPERATOR. + +OFFICE HIERARCHY +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + EVERY SWITCHING OFFICE OFFICE IN NORTH AMERICA (THE NPA SYSTEM), IS +ASSIGNED AN OFFICE NAME & CLASS. THERE ARE FIVE CLASSES OF OFFICES NUMBERED 1 +THROUGH 5. YOUR CO IS MOST LIKELY A CLASS 5 OR END OFFICE. ALL LONG-DISTANCE +(TOLL) CALLS ARE SWITCHED BY A TOLL OFFICE WHICH CAN BE A CLASS 4, 3, 2, OR 1 +OFFICE. THERE IS ALSO A 4X OFFICE CALLED AN INTERMEDIATE POINT. THE 4X OFFICE +IS A DIGITAL ONE THAT CAN HAVE AN UNATTENDED EXCHANGE ATTACHED TO IT (KNOWN AS +A REMOTE SWITCHING UNIT-RSU). + + THE FOLLOWING CHART WILL LIST THE OFFICE #, NAME, & HOW MANY OF THOSE +OFFICES EXISTED IN NORTH AMERICA IN 1981. + +CLASS NAME ABB # EXISTING +----- ---------------- --- ------------ +1 REGIONAL CENTER RC 12 +2 SECTIONAL CENTER SC 67 +3 PRIMARY CENTER PC 230 +4 TOLL CENTER TC 1,30 +4P TOLL POINT TP ? +4X INTERMEDIATE PT IP ? +5 END OFFICE EO 19,000 +R RSU RSU ? + + WHEN CONNECTING A CALL FROM ONE PARTY TO ANOTHER, THE SWITCHING EQUIPMENT +USUALLY TRIES TO FIND THE SHORTEST ROUTE BETWEEN THE CLASS 5 END OFFICE OF THE +CALLER & THE CLASS 5 END OFFICE OF THE CALLED PARTY. IF NO INTER-OFFICE TRUNKS +EXIST BETWEEN THE 2 PARTIES, IT WILL THEN MOVE UPTO THE NEXT HIGHEST OFFICE FOR +SERVICING (CLASS 4). IF THE CLASS 4 OFFICE CANNOT HANDLE THE CALL BY SENDING +IT TO ANOTHER CLASS 4 OR 5 OFFICE, IT WILL BE SENT TO THE NEXT OFFICE IN THE +HIERARCHY (3). THE SWITCHING EQUIPMENT FIRST USES THE HIGH-USAGE INTEROFFICE +TRUNK GROUPS, IF THEY ARE BUSY IT THEN GOES TO THE FINAL TRUNK GROUPS ON THE +NEXT HIGHEST LEVEL. IF THE CALL CANNOT BE CONNECTED THEN, YOU WILL PROBABLY GET +A RE-ORDER (120IPM BUSY SIGNAL) SIGNAL. AT THIS TIME, THE GUYS AT NETWORK +OPERATIONS ARE PROBABLY SHITTING IN THEIR PANTS AND TRYING TO AVOID THE DREADED +NETWORK DREADLOCK (AS SEEN ON TV!). + + + Page 108 + + + + + The Official Phreaker's Manual + + IT IS ALSO INTERESTING TO NOTE THAT 9 CONNECTIONS IN TANDEM IS CALLED +RING-AROUND-THE ROSY AND IT HAS NEVER OCCURRED IN TELEPHONE HISTORY. THIS +WOULD CASE AN ENDLESS LOOP CONNECTION. [ A NEAT WAY TO REALLY SCREW-UP THE +NETWORK]. + + THE 10 REGIONAL CENTERS IN THE US & THE 2 IN CANADA ARE ALL INTERCONNECTED. +THEY FORM THE FOUNDATION OF THE ENTIRE TELEPHONE NETWORK. SINCE THERE ARE ONLY +12 OF THEM, THEY ARE LISTED BELOW: + +CLASS 1 REGIONAL OFFICE LOCATION NPA +---------------------------------- --- +DALLAS 4 ESS 214 +WAYNE, PA 215 +DENVER 4T 303 +REGINA NO.2 SP1-4W [CANADA] 306 +ST. LOUIS 4T 314 +ROCKDALE, GA 404 +PITTSBURGH 4E 412 +MONTREAL NO.1 4AETS [CANADA] 504 +NORWICH, NY 607 +SAN BERNARDINO, CA 714 +NORWAY, IL 815 +WHITE PLAINS 4T, NY 914 + + THE FOLLOWING DIAGRAM DEMONSTRATES HOW THE VARIOUS OFFICES MAY BE +CONNECTED: + + _________________________ + _|_ _|_ _|_ REGIONAL + | | | | | | OFFICES + | 1 | <=--=> | 1 | <=--=> | 1 | <<==------ + |___| |___| |___| + | OTHERS\/ + _________________|_______________________| + _|_ _|_ _|_ _|__ _|_ +| | | | | | | | | | +| 2 | | 3 | | 4 | | 4P | | 5 | +|___| |___| |___| |____| |___| + | | | | + |____ | _|__ | + _|_ _|_ | __|_ _|_ \ +| || || | || | |_____ +| 3 || 4 || | 4X || 5 | _|__ _|_ +|___||___|| |____||___|| || | + | | | 4X || 5 | + __|_ | |____||___| + | ||_____________ + | 5R | _______|_________ + |____| | | | + _|_ _|_ _|_ __|_ + | | | | | | | | + | R | | 4 | | 5 | | 5R | + |___| |___| |___| |____| + +NOTE: THE PRECEDING DIAGRAM USED SPECIAL SYMBOLS FROM AN APPLE //E THAT MAY NOT +BE VIEWED AS I INTENDED THEM IF YOU ARE NOT USING AN APPLE//E OR //C. + +SWITCHING EQUIPMENT + + Page 109 + + + + + The Official Phreaker's Manual + +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN THE NETWORK, THERE ARE 3 MAJOR TYPES OF SWITCHING EQUIPMENT. THEY ARE +KNOWN AS: STEP, CROSSBAR, & ESS. + + +STEP-BY-STEP (SXS) +____________________________________________________________ + + THE STEP-BY-STEP, A/K/A THE STROWGER SWITCH OR TWO-MOTION SWITCH, WAS +INVENTED IN 1889 BY AN UNDERTAKER NAMED ALMON STROWGER. HE INVENTED THIS +MECHANICAL SWITCHING EQUIPMENT BECAUSE HE FELT THAT THE BIASED OPERATOR WAS +ROUTING ALL REQUESTS FOR AN 'UNDERTAKER' TO HER HUSBAND'S BUSINESS. BELL +STARTED USING THIS SYSTEM IN 1918 AS OF 1978, OVER 53% OF THE BELL EXCHANGES +USED THIS METHOD OF SWITCHING. + + STEP-BY-STEP SWITCHING IS CONTROLLED DIRECTLY BY THE DIAL PULSES WHICH MOVE +A SERIES OF SWITCHES (CALLED THE SWITCH TRAIN) IN ORDER. WHEN YOU FIRST PICK UP +THE FONE UNDER SXS, A LINEFINDER ACKNOWLEDGES THE REQUEST (SOONER OR LATER) BY +SENDING A DIAL TONE. IF YOU THEN DIALED 1234, THE EQUIPMENT WOULD FIRST FIND +AN IDLE SELECTOR SWITCH. IT WOULD THEN MOVE VERTICALLY 1 PULSE, IT WOULD THEN +MOVE HORIZONTALLY TO FIND A FREE SECOND SELECTOR, IT WOULD THEN MOVE 2 VERTICAL +PULSES, STEP HORIZONTALLY TO FIND THE NEXT SELECTOR, ETC. THUS THE FIRST +SWITCH IN THE TRAIN TAKES NO DIGITS, THE SECOND SWITCH TAKES 1 DIGIT, THE THIRD +SWITCH TAKES 1 DIGIT, & THE LAST SWITCH IN THE TRAIN (CALLED THE CONNECTOR) +TAKES THE LAST 2 DIGITS & CONNECTS YOUR CALLS. A NORMAL (10,000 LINE) EXCHANGE +REQUIRES 4 DIGITS (0000-9999) TO CONNECT A LOCAL CALL & THUS IT TAKES 4 +SWITCHES TO CONNECT EVERY CALL (LINEFINDER, 1ST & 2ND SELECTORS, & THE +CONNECTOR) . + + WHILE IT WAS THE FIRST, SXS SUCKS FOR THE FOLLOWING REASONS: + +[1] THE SWITCHED OFTEN BECOME JAMMED THUS THE CALLS OFTEN BECOME BLOCKED. + +[2] YOU CAN'T USE DTMF (DUAL-TONE MULTI-FREQUENCY A/K/A TOUCH-TONE) DIRECTLY. +IT IS POSSIBLE THAT THE TELCO MAY HAVE INSTALLED A CONVERSION KIT BUT THEN THE +CALLS WILL GO THROUGH JUST AS SLOW AS PULSE, ANYWAY! + +[3] THEY USE A LOT OF ELECTRICITY & MECHANICAL MAINTENANCE. (BAD FROM TELCO +POINT OF VIEW) + +[4] EVERYTHING IS HARDWIRED. + + THEY CAN STILL HOOK UP PEN REGISTERS & OTHER SHIT ON THE LINE SO IT IS NOT +EXACTLY A PHREAK HAVEN. + +YOU CAN IDENTIFY SXS OFFICES BY: + +(1) LACK OF DTMF OR PULSING DIGITS AFTER DIALING DTMF. + +(2) IF YOU GO NEAR THE CO, IT WILL SOUND LIKE A TYPEWRITER TESTING FACTORY. + +(3) LACK OF SPEED CALLING, CALL FORWARDING, & OTHER CUSTOMER SERVICES. + +(4) FORTRESS FONES THAT WANT YOUR MONEY FIRST (AS OPPOSED TO DIAL TONE FIRST +ONES). + + THE PRECEDING DON'T NECESSARILY IMPLY THAT YOU HAVE SXS BUT THEY SURELY + + Page 110 + + + + + The Official Phreaker's Manual + +GIVE EVIDENCE THAT IT MIGHT BE. ALSO, IF ANY OF THE ABOVE CHARACTERISTICS +EXIST, IT CERTAINLY ISN'T ESS! ALSO, SXS HAVE PRETTY MUCH BEEN ERADICATED FROM +LARGE METROPOLITAN AREAS SUCH AS NYC (212). + +CROSSBAR: +____________________________________________________________ + + THERE ARE 3 MAJOR TYPES OF CROSSBAR SYSTEMS CALLED: NO. 1 CROSSBAR (1XB), +NO. 4 CROSSBAR (4XB), & NO. 5 CROSSBAR (5XB). 5XB HAS BEEN THE PRIMARY END +OFFICE SWITCH OF BELL SINCE THE 60'S AND THUS IT IS IN WIDE-USE. + + CROSSBAR USES A COMMON CONTROL SWITCHING METHOD. WHEN THERE IS AN INCOMING +CALL, A STORED PROGRAM DETERMINES ITS ROUTE THROUGH THE SWITCHING MATRIX. + + IN CROSSBAR, THE BASIC OPERATION PRINCIPLE IS THAT A HORIZONTAL & A +VERTICAL LINE ARE ENERGIZED IN A MATRIX KNOWN AS THE CROSSPOINT MATRIX. THE +POINT WHERE THESE 2 LINES MEET IN THE MATRIX IS THE CONNECTION. + + +ESS +____________________________________________________________ + +ELECTRONIC SWITCHING SYSTEM (ESS) THE PHREAK'S NIGHTMARE COME TRUE (OR ORWELL'S +PROPHECY AS 2600 PUTS IT) + + ESS IS BELL'S MOVE TOWARDS THE AIRSTRIP ONE SOCIETY DEPICTED IN ORWELL'S +1984. WITH ESS, EVERY SINGLE DIGIT THAT YOU DIAL IS RECORDED--EVEN IF IT IS A +MISTAKE. THEY KNOW WHO YOU CALL, WHEN YOU CALL, HOW LONG YOU TALKED FOR, & +PROBABLY WHAT YOU TALKED ABOUT (IN SOME CASES). ESS CAN (AND IS) ALSO +PROGRAMMED TO PRINT OUT #'S OF PEOPLE WHO MAKE EXCESSIVE CALLS TO 800 #'S OR +DIRECTORY ASSISTANCE. THIS IS CALLED THE "800 EXCEPTIONAL CALLING REPORT." ESS +COULD ALSO BE PROGRAMMED TO PRINT OUT LOGS OF WHO CALLS CERTAIN #'S--LIKE A +BOOKIE, A KNOWN COMMUNIST, A BBS, ETC THE THING TO REMEMBER WITH ESS IS THAT IT +IS A SERIES OF PROGRAMS WORKING TOGETHER. THESE PROGRAMS CAN BE VERY EASILY +CHANGED TO DO WHATEVER THEY WANT IT TO DO. ONE PHREAK WHOM I KNOW HAS SOME ESS +SOURCE CODE LISTING WHICH IS INCREDIBLY COMPLEX (AS WELL AS DOCUMENTED--GRACIAS +DIOS). THIS SYSTEM MAKES THE JOB OF BELL SECURITY, THE FBI, NSA, & OTHER +ORGANIZATIONS THAT LIKE TO INVADE PRIVACY INCREDIBLY EASY. + + WITH ESS, TRACING IS DONE IN MICROSECONDS (EINE AUGENBLICK) & THE RESULTS +ARE PRINTED AT THE CONSOLE OF A BELL GESTAPO OFFICER. ESS WILL ALSO PICK UP +ANY "FOREIGN" TONES ON THE LINE SUCH AS 2600 HZ! + + BELL PREDICTS THAT THE COUNTRY WILL BECOME TOTALLY ESS BY THE 1990'S. + + YOU CAN IDENTIFY ESS BY THE FOLLOWING WHICH ARE USUALLY ESS FUNCTIONS: + +[1] DIALING 911 FOR HELP. +[2] DIAL-TONE-FIRST FORTRESSES. +[3] CUSTOM CALLING SERVICES SUCH AS:CALL FORWARDING, SPEED DIALING, & CALL +WAITING. (ASK YOUR BUSINESS OFFICE IF YOU CAN GET THESE.) +[4] ANI (AUTOMATIC NUMBER IDENTIFICATION) ON LD CALLS. + + PHREAKING DOES NOT COME TO A COMPLETE HALT UNDER ESS THOUGH--JUST BE VERY +CAREFUL, THOUGH!!! + + DUE TO THE FACT THAT ESS SENDS A COMPUTER GENERATED "ARTIFICIAL RING," +WHERE THE VOICE IS NOT CONNECTED DIRECTLY TO THE CALLED PARTIES LINE UNTIL HE + + Page 111 + + + + + The Official Phreaker's Manual + +PICKS UP, BLACK BOXES & INFINITY TRANSMITTERS WILL NOT WORK! + +NOTE: ANOTHER INTERESTING WAY TO FIND OUT WHAT TYPE OF EQUIPMENT YOU ARE ON IS +TO RAID THE TRASH CAN OF YOU LOCAL CO--THIS ART WILL DISCUSSED IN A SEPARATE +ARTICLE SOON. + +COMING SOON: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +IN THE PART V, WE WILL START TO TAKE A LOOK AT TELEPHONE ELECTRONICS. + +FURTHER READING: + +FOR MORE INFORMATION ON THE ABOVE TOPICS, I SUGGEST THE FOLLOWING: + +NOTES ON THE NETWORK, AT&T, 1980. + +UNDERSTANDING TELEPHONE ELECTRONICS,TEXAS INSTRUMENTS, 1983. + +AND SUBSCRIPTIONS TO: + +TAP, ROOM 603, 147 W 42 ST, NEW YORK, NY 10036. SUBSCRIPTIONS ARE +$10/YEAR.#BACK ISSUES ARE $0.75. THE CURRENT ISSUES IS #90 (JAN/FEB 1984) + +2600, BOX 752, MIDDLE ISLAND, NY 11953. SUBSCRIPTIONS ARE $10/YEAR. BACKISSUES +ARE $1 EACH. THE CURRENT ISSUE IS #4 (APRIL 1984). + +THEY ARE BOTH EXCELLENT SOURCES OF ALL SORTS OF INFORMATION (PRIMARILY +PHREAKING/HACKING). + +NOTE: FOR THE MOST PART, I HAVE ASSUMED THAT YOU HAVE READ MY PREVIOUS 3 +COURSES IN THE BASIC TELCOM SERIES. + +HASTA LUEGO, + +*****BIOC +*=$=*AGENT +*****003 + +APRIL 13, 1984 [THE YEAR OF BIG BROTHER] + +<<=-FARGO 4A-=>> + + + + + + + + + + + + + + + + + + Page 112 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART V * + * * + ************************************************************ + + +PREFACE: + + PREVIOUS INSTALLMENTS OF THIS SERIES WERE FOCUSED ON TELEPHONY FROM A +NETWORK POINT-OF-VIEW. PART V WILL DEAL WITH TELEPHONE ELECTRONICS FOCUSING +PRIMARILY ON THE SUBSCRIBER'S TELEPHONE. HERE-IN-AFTER SIMPLY REFERRED TO AS +"FONE." + +WIRING: +____________________________________________________________ + + ASSUMING A STANDARD ONE-LINE FONE, THERE ARE USUALLY 4 WIRES THAT LEAD OUT +OF THE FONE SET. THESE ARE STANDARDLY COLORED RED, GREEN, YELLOW, & BLACK. +THE RED & GREEN SIRES ARE THE TWO THAT ARE ACTUALLY HOOKED UP TO YOUR CO. THE +YELLOW WIRE IS SOMETIMES USED TO RING DIFFERENT FONES ON A PARTY LINE (IE, ONE +#, SEVERAL FAMILIES--FOUND PRIMARILY IN RURAL AREAS WHERE THEY PAY LESS FOR THE +SERVICE AND THEY DON'T USE THE FONE AS MUCH); OTHERWISE, THE YELLOW IS USUALLY +JUST IGNORED. ON SOME TWO-LINE FONES, THE RED & GREEN WIRES ARE USED FOR THE +FIRST FONE # AND THE YELLOW & BLACK ARE USED FOR THE SECOND LINE. IN THIS CASE +THERE MUST BE AN INTERNAL OR EXTERNAL DEVICE THAT SWITCHES BETWEEN THE TWO +LINES AND PROVIDES A HOLD FUNCTION. (SUCH AS RADIO SHACK'S OUTRAGEOUSLY PRICED +2 LINE & HOLD MODULE-9. + + IN TELEPHONY, THE RED & GREEN WIRES ARE OFTEN REFERRED TO AS TIP (T) & RING +(R). THE TIP IS USUALLY THE MORE POSITIVE OF THE TWO WIRES. THIS NAMING GOES +BACK TO THE OLD OPERATOR CORD BOARDS WHERE ONE OF THE WIRES WAS THE TIP OF THE +PLUG AND THE OTHER WAS THE RING (OF THE BARREL). + A ROTARY FONE (AKA DIAL OR PULSE) WILL WORK FINE REGARDLESS WHETHER THE RED +(OR GREEN) WIRE IS CONNECTED THE TIP(+) OR RING(-). A TOUCH-TONE (TM) FONE IS +A DIFFERENT STORY, THOUGH. IT WILL NOT WORK EXCEPT IF THE TIP(+) IS THE GREEN +WIRE. [ALTHOUGH, SOME OF THE MORE EXPENSIVE DTMF FONES DO HAVE A RECTIFIER +BRIDGE WHICH COMPENSATES FOR POLARITY REVERSAL.] THIS I WHY UNDER CERTAIN +(NON-DIGITAL) SWITCHING EQUIPMENT YOU CAN REVERSE THE RED & GREEN WIRES ON A +TOUCH-TONE FONE AND RECEIVE FREE DTMF SERVICE. EVEN THOUGH IT WON'T BREAK DIAL +TONE, REVERSING THE WIRES ON A ROTARY LINE ON A DIGITAL SWITCH WILL CAUSE THE +TONES TO BE GENERATED. + +VOLTAGES, ETC. +____________________________________________________________ + + WHEN YOUR TELEPHONE IS ON-HOOK (IE, HUNG UP) THERE IS APPROXIMATELY 48 +VOLTS OF DC CURRENT (VDC) FLOWING THROUGH THE TIP & RING. WHEN THE HANDSET OF +A FONE IS LIFTED A FEW SWITCHES CLOSE WHICH CAUSE A LOOP TO BE CONNECTED (KNOWN +AS THE "LOCAL LOOP") BETWEEN YOUR FONE & THE CO. ONCE THIS HAPPENS DC CURRENT +IS ABLE TO FLOW THROUGH THE FONE WITH LESS RESISTANCE. THIS CAUSES A RELAY TO +ENERGIZE WHICH CAUSES OTHER CO EQUIPMENT TO REALIZE THAT YOU WANT SERVICE. +EVENTUALLY, YOU SHOULD END UP WITH A DIAL TONE. THIS ALSO CAUSES THE 48 VDC TO +DROP DOWN INTO THE VICINITY OF 13 VOLTS. THE RESISTANCE OF THE LOOP ALSO DROPS +BELOW THE 2500 OHM LEVEL. + + Page 113 + + + + + The Official Phreaker's Manual + + + AS OF NOW, YOU ARE PROBABLY SAYING TO YOURSELF THAT THIS IS ALL NICE AND +TECHNICAL BUT WHAT THE HELL GOOD IS THE INFORMATION. WELL, ALSO CONSIDER THAT +THIS VOLTAGE (& RESISTANCE) DROP IS HOW THE CO DETECTS THAT A FONE WAS TAKEN +OFF HOOK (PICKED UP). IN THIS WAY, THEY KNOW WHEN TO START BILLING THE CALLING +NUMBER. NOW WHAT DO YOU SUPPOSE WOULD HAPPEN IF A DEVICE SUCH AS A RESISTOR OR +A ZENER DIODE WAS PLACED ON THE CALLED PARTIES LINE SO THAT THE VOLTAGE WOULD +DROP JUST ENOUGH TO ALLOW TALKING BUT NOT ENOUGH TO START BILLING? FIRST OFF, +THE CALLING PARTY WOULD NOT BE BILLED FOR THE CALL BUT CONVERSATION COULD BE +PURSUED. SECONDLY, THE CO EQUIPMENT WOULD THINK THAT THE FONE JUST KEPT ON +RINGING. THE TELCO CALLS THIS A "NO-NO" (TOLL FRAUD TO BE MORE SPECIFIC) WHILE +PHONE PHREAKS AFFECTIONATELY CALL THIS MUTE A BLACK BOX. + + THE FOLLOWING ARE INSTRUCTIONS ON HOW TO BUILD A SIMPLE BLACK BOX. OF +COURSE, ANYTHING THAT PREVENTS THE VOLTAGE FROM DROPPING WOULD WORK. +YOU ONE OR TWO PARTS: A SPST TOGGLE SWITCH AND A 10,000 OHM (10 K), 1/2 +WATT RESISTOR. ANY ELECTRONICS STORE SHOULD STOCK THESE PARTS. + + NOW, CUT 2 PIECES OF WIRE (ABOUT 6 INCHES LONG) AND ATTACH ONE END OF EACH +WIRE TO ONE OF THE TERMINALS ON THE SWITCH. NOW TURN YOUR K500 (STANDARD DESK +FONE) UPSIDE DOWN AND TAKE OFF THE COVER. LOCATE THE 2 SCREWS ON THE NETWORK +BOX LABELED >F< AND >RR<. WRAP THE RESISTOR BETWEEN THE 2 SCREWS MAKING SURE +THAT IT DOESN'T TOUCH ANY OTHER TERMINALS!. NOW CONNECT ONE WIRE FROM THE +SWITCH TO THE RR TERMINAL. FINALLY, ATTACH THE REMAINING WIRE TO THE GREEN WIRE +(DISCONNECT IT FROM ITS TERMINAL). NOW BRING THE SWITCH OUT THE REAR OF THE +FONE AND REPLACE THE COVER. + + PUT THE SWITCH IN A POSITION WHERE YOU RECEIVE A DIAL TONE. MARK THIS +POSITION NORMAL. MARK THE OTHER SIDE FREE. + + WHEN YOUR PHRIENDS CALL (AT A PREARRANGED TIME), QUICKLY LIFT & DROP THE +RECEIVER AS FAST A POSSIBLE. THIS WILL STOP THE RINGING (DO IT AGAIN IF IT +DOESN'T) WITH OUT STARTING THE BILLING. IT IS IMPORTANT THAT YOU DO IT QUICKLY +(LESS THAN ONE SECOND THEN PUT THE SWITCH IN THE FREE POSITION AND PICK UP THE +FONE. KEEP ALL CALL SHORT AND PREFERABLY UNDER 15 MINUTES. + +NOTE: IF ANYONE PICKS UP AN EXTENSION IN THE CALLED PARTIES HOUSE AND THAT +FONE IS NOT SET FOR FREE THEN BILLING WILL START. + +NOTE: AN OLD WAY OF SIGNALING A PHRIEND THAT YOU ARE ABOUT TO CALL IS +MAKING A COLLECT CALL TO A NON-EXISTENT PERSON IN THE HOUSE. SINCE YOUR FRIEND +WILL NOT ACCEPT THE CHARGES, HE WILL KNOW THAT YOU ARE ABOUT TO CALL AND THUS +PREPARE THE BLACK BOX (OR VISA VERSA). + +WARNING: THE TELCO CAN DETECT BLACK BOXES IF THEY SUSPECT ONE ON YOUR LINE. +THIS IS DONE DUE TO THE PRESENCE OF AC VOICE SIGNAL AT THE WRONG DC LEVEL! + +PICTORIAL DIAGRAM: (STANDARD ROTARY K500 FONE) +____________________________________________________________ + + _____________________________________ +| | +***BLUE WIRE**>>F< | +| * * | +**WHITE WIRE** * | +| * | +| RESISTOR | +| * | + + Page 114 + + + + + The Official Phreaker's Manual + +| * | +| >RR<*******SWITCH**** | +| * | +****GREEN WIRE********************** | +| | +|_____________________________________| + +NOTE: THE BLACK BOX WILL NOT WORK UNDER ESS OR OTHER SIMILAR DIGITAL +SWITCHES SINCE ESS DOES NOT CONNECT THE VOICE CIRCUITS UNTIL THE FONE IS PICKED +UP (& BILLING STARTS). INSTEAD, ESS USES AN "ARTIFICIAL" COMPUTER GENERATED +RING. + +RINGING: +____________________________________________________________ + + TO INFORM A SUBSCRIBER OF AN INCOMING CALL, THE TELCO SENDS 90 VOLTS (RMS) +OF AC CURRENT DOWN THE LINE (AT AROUND 15 TO 60 HZ) IN STANDARD FONES, THIS +CAUSES A METAL ARMATURE TO BE ATTRACTED ALTERNATELY BETWEEN TWO ELECTRO-MAGNETS +THUS STRIKING 2 BELLS. OF COURSE, THE STANDARD BELL (PATENTED IN 1878 BY TOM +A. WATSON) CAN BE REPLACED BY A MORE MODERN ELECTRONIC BELL OR SIGNALING +DEVICE. + + ALSO, YOU CAN HAVE LIGHTS AND OTHER SIMILAR DEVICES IN LIEU OF (OR IN +CONJUNCTION WITH) THE BELL. A SIMPLE NEON LIGHT (WITH ITS CORRESPONDING +RESISTOR) CAN SIMPLY BE CONNECTED BETWEEN THE RED & GREEN WIRES (USUALLY L1 & +L2 ON THE NETWORK BOX) SO THAT IT LIGHTS UP ON INCOMING CALLS. A REGULAR 60 +WATT LIGHT BULB CAN ALSO BE HOOKED UP USING A SIMPLE (120 VAC) RELAY. + +WARNING: 90 & 120 VAC CAN GIVE QUITE A SHOCK. EXERCISE EXTREME CAUTION IF +YOU WISH TO FURTHER PURSUE THESE TOPICS. + + ALSO INCLUDED IN THE RINGING CIRCUIT IS A CAPACITOR TO PREVENT THE DC +CURRENT FROM INTERFERING WITH THE BELL [A CAPACITOR WILL PASS AC CURRENT WHILE +IT WILL PREVENT DC CURRENT FROM FLOWING (BY STORING IT)]. + ANOTHER REASON THAT THE TELCO HATES BLACK BOXES IS BECAUSE RINGING USES +ALOT OF COMMON-CONTROL EQUIPMENT, IN THE CO, WHICH USE ALOT OF ELECTRICITY. +THUS THE RINGING GENERATORS ARE BEING TIED UP WHILE A FREE CALL IS BEING MADE. +USUALLY CALLS THAT ARE ALLOWED TO RING FOR A LONG PERIOD OF TIME MAY BE +CONSTRUED AS SUSPICIOUS. SOME OFFICES MAY BE SET UP TO DROP A TROUBLE CARD FOR +LONG PERIODS OF RINGING THEN A "NO-NO" DETECTION DEVICE MAY BE PLACED ON THE +LINE. + INCIDENTALLY, THE TERM "RING TRIP" REFERS TO THE CO PROCESS INVOLVED TO +STOP THE AC RINGING SIGNAL WHEN THE CALLING FONE GOES OFF HOOK. + +NOTE: IT IS SUGGESTED THAT YOU ACTUALLY DISSECT FONES TO HELP YOU BETTER +UNDERSTAND THEM. IT WILL ALSO HELP YOU TO BETTER UNDERSTAND THE CONCEPTS HERE +IF YOU ACTUALLY PROVE THEM TO YOURSELF. FOR EXAMPLE, ACTUALLY TAKE THE VOLTAGE +READINGS ON YOUR FONE LINE [ANY SIMPLE MULTI-TESTER (A MUST) WILL DO.] +PHREAKING IS AN INTERACTIVE PROCESS NOT A PASSIVE ONE! + +DIALING: +____________________________________________________________ + + ON A STANDARD FONE, THERE ARE TWO COMMON TYPES OF DIALING: PULSE & DTMF. +OF COURSE, SOME PEOPLE INSIST UPON BEING DIFFERENT AND DON'T USE THE DT THUS +LEAVING THEM WITH MF (MULTI FREQUENCY, AKA OPERATOR, BLUE BOX) TONES. THIS IS +ANOTHER "NO-NO" AND THE TELCO SECURITY GENTLEMEN HAVE A SPECIAL KNACK FOR +DEALING WITH SUCH "PHREAKS" ON THE NETWORK. + + Page 115 + + + + + The Official Phreaker's Manual + + WHEN YOU DIAL ROTARY, YOU ARE ACTUALLY RAPIDLY BREAKING & RECONNECTING +(MAKING) THE LOCAL LOOP ONCE FOR EVERY DIGIT DIALED. SINCE THE PHYSICAL +CONNECTION MUST BE BROKEN, YOU CANNOT DIAL IF ANOTHER EXTENSION (OF THAT #) IS +OFF-HOOK. NEITHER OF THE FONES WILL BE ABLE TO DIAL PULSE UNLESS THE OTHER +HANGS UP. + ANOTHER TERM OFTEN REFERRED TO IN TELEPHONE ELECTRONICS IS THE BREAK RATIO. +IN THE US, THERE ARE 10 PULSES PER SECOND (MAX). WHEN THE CIRCUIT IS OPENED IT +IS CALLED THE BREAK INTERVAL. WHEN IT IS CLOSED IT IS CALLED THE MAKE INTERVAL. +IN THE US, THERE IS A 60 MILLISECOND (MS) BREAK PERIOD AND A 40 MS MAKE PERIOD. +(60+40=100 MS = 1/10 MINUTE). THIS IS REFERRED TO AS A 60% BREAK INTERVAL. +SOME OF THE MORE SOPHISTICATED ELECTRONIC FONES CAN SWITCH BETWEEN A 60% & A +67% BREAK INTERVAL. THIS IS DUE TO THE FACT THAT MANY FOREIGN NATIONS USE A +67% BREAK INTERVAL. + HAVE YOU EVER BEEN IN AN OFFICE OR A SIMILAR FACILITY AND SAW A FONE +WAITING TO BE USED FOR A FREE CALL BUT SOME ASSHOLE PUT A LOCK ON IT TO PREVENT +OUTGOING CALLS? + WELL, DON'T FRET PHELLOW PHREAKS, YOU CAN SIMULATE PULSE DIALING BY RAPIDLY +DEPRESSING THE SWITCHOOK. (IF YOU DEPRESS IT FOR LONGER THAN A SECOND IT WILL +BE CONSTRUED AS A DISCONNECT.) BY RAPIDLY SWITCHOOKING YOU ARE CAUSING THE +LOCAL LOOP TO BE BROKEN & MADE SIMILAR TO ROTARY DIALING! THUS IF YOU CAN +MANAGE TO SWITCHOOK RAPIDLY 10 TIMES YOU CAN REACH AN OPERATOR TO PLACE ANY +CALL YOU WANT! THIS TAKES ALOT OF PRACTICE, THOUGH. YOU MIGHT WANT TO PRACTICE +ON YOUR OWN FONE DIALING A FRIEND'S # OR SOMETHING ELSE. INCIDENTALLY, THIS +METHOD WILL ALSO WORK WITH DTMF FONES SINCE ALL DTMF LINES CAN ALSO HANDLE +ROTARY. + ANOTHER PROBLEM WITH PULSE DIALING IS THAT IT PRODUCES HIGH-VOLTAGE SPIKES +THAT MAKE LOUD NOISES IN THE EARPIECE AND CAUSE THE BELL TO "TINKLE." IF YOU +NEVER NOTICED THIS THEN YOUR FONE HAS A SPECIAL "ANTI-TINKLE" & EARPIECE +SHORTING CIRCUIT (MOST DO). IF YOU HAVE EVER DISSECTED A ROTARY FONE (A MUST +FOR ANY SERIOUS PHREAK) YOU WOULD HAVE NOTICED THAT THERE ARE 2 SETS OF CONTACT +THAT OPEN AND CLOSE DURING PULSING (ON THE BACK OF THE ROTARY DIAL UNDER THE +PLASTIC COVER). ONE OF THESE ACTUALLY OPENS AND +CLOSES THE LOOP WHILE THE OTHER MUTES THE EARPIECE BY SHORTING IT OUT. THE +SECOND CONTACTS ALSO ACTIVATES A SPECIAL ANTI-TINKLE CIRCUIT THAT PUTS A 340 +OHM RESISTOR ACROSS THE RINGING CIRCUIT WHICH PREVENTS THE HIGH VOLTAGE SPIKES +FROM INTERFERING WITH THE BELL. + DUAL TONE MULTI FREQUENCY (DTMF) IS A MODERN DAY IMPROVEMENT ON PULSE +DIALING IN SEVERAL WAYS. FIRST OF ALL, IT IS MORE CONVENIENT FOR THE USER +SINCE IT IS FASTER AND CAN BE USED FOR SIGNALING AFTER THE CALL IS COMPLETED +(IE, SCC'S, COMPUTERS, ETC.). ALSO, IT IS MORE UPTO PAR WITH MODERN DAY +SWITCHING EQUIPMENT (SUCH AS ESS) SINCE PULSE DIALING WAS DESIGNED TO ACTUALLY +MOVE RELAYS BY THE NUMBER OF DIGITS DIALED (IN SXS OFFICES). + + EACH KEY ON A DTMF KEYPAD PRODUCES 2 FREQUENCIES SIMULTANEOUSLY (ONE FROM +THE HIGH GROUP AND ANOTHER FROM THE LOW GROUP). + + _______________________________________________ +LOW GROUP | | | | | + 697 HZ-| Q | ABC | DEF | | + | 1 | 2 | 3 | A | + |___________|___________|___________|___________| + | | | | | + 770 HZ-| GHI | JKL | MNO | | + | 1 | 2 | 3 | B | + |___________|___________|___________|___________| + | | | | | + 852 HZ-| PRS | TUV | WXY | | + | 1 | 2 | 3 | C | + + Page 116 + + + + + The Official Phreaker's Manual + + |___________|___________|___________|___________| + | | OPERATOR | | | + 941 HZ-| | Z | | | + | * | 0 | # | D | + |___________|___________|___________|___________| + | | | | + 1209 HZ 1336 HZ 1477 HZ 1633 HZ + HIGH GROUP + +A PORTABLE DTMF KEYPAD IS KNOWN AS A WHITE BOX. + + THE FOURTH COLUMN (1633 HZ) IS NOT NORMALLY FOUND ON REGULAR FONES BUT IT +DOES HAVE SEVERAL SPECIAL USES. FOR ONE, IT IS USED TO DESIGNATE THE PRIORITY +OF CALLS ON AUTOVON, THE MILITARY FONE NETWORK. THESE KEY ARE CALLED: FLASH, +IMMEDIATE, PRIORITY, & ROUTINE (WITH VARIATIONS) INSTEAD OF ABCD. SECONDLY, +THESE KEYS ARE USED FOR TESTING PURPOSES BY THE TELCO. IN SOME AREA YOU CAN +FIND LOOPS AS WELL AS OTHER NEAT TESTS (SEE PART II) ON THE 555-1212 DIRECTORY +ASSISTANCE EXCHANGE. FOR THIS, YOU WOULD CALL UP AN DA IN CERTAIN AREAS [THAT +HAVE AN AUTOMATIC CALL DISTRIBUTOR (ACD)] AND HOLD DOWN THE "D" KEY WHICH +SHOULD BLOW THE OPERATOR OFF. YOU WILL THEN HEAR A PULSING DIAL TONE WHICH +INDICATES THAT YOU ARE IN THE ACD INTERNAL TESTING MODE. YOU CAN GET ON ONE +SIDE OF A LOOP BY DIALING A 6. THE OTHER SIDE IS 7. SOME PHREAKS CLAIM THAT +IF THE PERSON ON SIDE 6 HANGS UP, OCCASIONALLY THE EQUIPMENT WILL SCREW UP AD +START DIRECTING DIRECTORY ASSISTANCE CALLS TO THE OTHER SIDE OF THE LOOP. +ANOTHER ALLEGED TEST IS CALLED REMOB WHICH ALLOWS YOU TO TAP INTO LINES BY +ENTERING A SPECIAL CODE FOLLOWED BY THE 7 DIGIT NUMBER YOU WANT TO MONITOR. +THEN THERE IS THE POSSIBILITY OF MASS CONFERENCING. + ACD'S ARE BECOME RARE THOUGH. YOU WILL PROBABLY HAVE TO MAKE SEVERAL +NPA-555- 1212 CALLS BEFORE YOU FIND ONE. + YOU CAN MODIFY REGULAR FONES QUITE READILY SO THAT THEY HAVE A SWITCH TO +CHANGE BETWEEN THE 3RD AND 4TH COLUMNS. THIS IS CALLED A SILVER BOX (AKA GREY +BOX) AD PLANS CAN BE FOUND IN TAP AS WELL AS ON MANY BBS'S. + +TRANSMITTER/RECEIVER: +____________________________________________________________ + + WHEN YOU TALK INTO THE TRANSMITTER, THE SOUND WAVES FROM YOUR VOICE CAUSE A +DIAPHRAGM TO VIBRATE AND PRESS AGAINST THE CARBON GRANULES (OR ANOTHER SIMILAR +SUBSTANCE). THIS CAUSES THE CARBON GRANULES TO COMPRESS AND CONTRACT THUS +CHANGING THE RESISTANCE OF THE DC CURRENT FLOWING THROUGH IT. THEREFORE, YOUR +AC VOICE SIGNAL IS SUPERIMPOSED OVER THE DC CURRENT OF THE LOCAL LOOP. THE +RECEIVER WORKS IN A SIMILAR FASHION WHERE THE SIMPLE TYPES UTILIZE A MAGNET, +ARMATURE, & DIAPHRAGM. + +HYBRID/INDUCTION COIL: +____________________________________________________________ + + AS YOU MAY HAVE NOTICED, THERE ARE TWO WIRES FOR THE RECEIVER AND TWO FOR +THE TRANSMITTER IN THE FONE, YET THE LOCAL LOOP CONSISTS OF 2 WIRES INSTEAD OF +4. THIS 4-WIRE TO 2-WIRE CONVERSION IS DONE INSIDE THE FONE BY A DEVICE KNOWN +AS AN INDUCTION COIL WHICH USES COUPLING TRANSFORMERS. + THE REASON 2 SIRES ARE USED ON THE LOCAL LOOPS ARE BECAUSE IT IS ALOT +CHEAPER FOR THE TELCO. ALTHOUGH, ALL OF THE INTER-OFFICE TRUNKS UTILIZE 4 +WIRES. THIS IS NECESSARY FOR FULL DUPLEX (IE, SIMULTANEOUS CONVERSATION ON +BOTH SIDES) AND FOR AMPLIFICATION DEVICES. THERE ARE SIMILAR DEVICES IN THE +CO'S, KNOWN AS A HYBRID, THAT COUPLE THE 4-WIRE TRUNKS TO THE 2-WIRE LOCAL +LOOPS AND VISA-VERSA. + + + Page 117 + + + + + The Official Phreaker's Manual + +MISCELLANEOUS: +____________________________________________________________ + + IN THE TELEPHONE, THERE IS ALSO A BALANCING NETWORK CONSISTING OF A FEW +CAPACITORS & RESISTORS WHICH PROVIDE SIDETONE. SIDETONE ALLOWS THE CALLER TO +HEAR HIS OWN VOLUME IN THE RECEIVER. HE CAN THEN ADJUST HIS VOICE ACCORDINGLY. +THIS PREVENTS PEOPLE FROM SHOUTING OR SPEAKING TOO SOFTLY WITHOUT NOTICING IT. + +HOLD: +____________________________________________________________ + + WHEN A TELEPHONE GOES OFF HOOK, THE RESISTANCE DROPS BELOW 2500 OHMS. AT +THIS POINT, THE TELCO WILL SEND A DIAL TONE. TO PUT SOMEONE ON HOLD YOU MUST +PUT A 1000 OHM RESISTOR (1 WATT) ACROSS THE TIP & RING BEFORE IT REACHES THE +SWITCHOOK. IN THIS WAY, WHEN THE FONE IS HUNG UP (FOR HOLD) THE RESISTANCE +REMAINS BELOW 2500 OHMS WHICH CAUSES THE CO TO BELIEVE THAT YOU ARE STILL +OFF-HOOK. YOU CAN BUILD A SIMPLE HOLD DEVICE USING THE FOLLOWING PICTORIAL +DIAGRAM: + +(RED) O_________________________ + [L1] | | | + | | | + 1000 OHM | \ + | | \ + RESISTOR RINGING | + | CIRCUIT | -SWITCH + | | | HOOK + / | | + / SPST SWITCH | \ + | | \ + | | | + | | | +(GREEN) O__|_____________|______| + [L2] +--> TO REST OF FONE + +CONCLUSION: +____________________________________________________________ + +NOTE: MANY OF THE ELECTRONICS COMPONENTS OF NORMAL FONES (K500) ARE +ENCLOSED IN THE NETWORK BOX (WHICH SHOULDN'T BE OPENED). + + I HAVE ASSUMED THAT THE READER HAS A BASIC KNOWLEDGE OF ELECTRONICS. ALSO, +I HAVE ASSUMED THAT YOU HAVE READ THE 4 PREVIOUS INSTALLMENTS OF THIS SERIES +(AND HOPEFULLY ENJOYED THEM). + + IN PART VI, WE WILL TAKE A LOOK AT FORTRESS FONES. + +SUGGESTED FURTHER READING: +____________________________________________________________ + +ELECTRONICS COURSES A-D, TAP, @ $.75 EACH. + +ELECTRONIC TELEPHONE PROJECTS, A.J. CARISTI, HOWARD SAMS BOOKS. + +EVERYTHING YOU ALWAYS WANTED TO KNOW ABOUT 1633 HZ TONES BUT WERE AFRAID TO +ASK, THE MAGICIAN, TAP, ISSUE #62. + + + Page 118 + + + + + The Official Phreaker's Manual + +FREE BELL PHONE CALLS, TAP, FACT SHEET #2, @ $.50. + +FREE GTE PHONE CALLS, TAP, FACT SHEET #3, @ $.50. + +HOW TO MODIFY YOUR BELL TOUCH TONE FONE TO HAVE 1633 CYCLE TONES, TAP, ISSUE +#63. + +MODIFYING YOUR PHONE FOR 1633 HZ (NEW ELECTRONIC KEYPADS), FRED STEINBECK, TAP, +ISSUE #84. + +NOTES ON THE NETWORK, AT&T. + +THE PHONE BOOK, J. EDGAR HYDE. + +REGULATING THE TELEPHONE COMPANY IN YOUR HOME, RAMAPART MAGAZINE, JUNE 1972. + +REMOBS, TAP #91 (NOT YET PUBLISHED AS OF THIS WRITING). + +UNDERSTANDING TELEPHONE ELECTRONICS, TEXAS INSTRUMENTS. + +& OTHER ASSORTED SOURCES... + +TAP: ROOM 603/147 W 42 ST./NEW YORK, NY 10036. PLEASE SPECIFY BY BACKISSUE +#'S (NOT ARTICLE NAMES). ALL BACK-ISSUES ARE $1 EACH. SUBSCRIPTIONS ARE +$10/YEAR (10 ISSUES). SAY THAT BIOC AGENT 003 SENT YOU. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 119 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART VI * + * * + ************************************************************ + +REVISED: 27-OCT-84 + +Preface: + + This article will focus primarily on the standard Western Electric +single-slot coin telephone (aka fortress fone) which can be divided into 3 +types: + +- Dial-Tone First (DTF) + +- Coin-First (CF): (ie, it wants your $ before you receive a dial tone) + +- Dial Post-Pay Service (PP): you pay after the party answers + +Depositing Coins (Slugs): +____________________________________________________________ + + Once you have deposited your slug into a fortress, it is subjected to a +gamut of tests. The first obstacle for a slug is the magnetic trap. This will +stop any light-weight magnetic slugs and coins. If it passes this, the slug is +then classified as a nickel, dime, or quarter. Each slug is then checked for +appropriate size and weight. If these tests are passed, it will then travel +through a nickel, dime, or quarter magnet as appropriate. These magnets set up +an eddy current effect which causes coins of the appropriate characteristics to +slow down so they will follow the correct trajectory. If all goes well, the +coin will follow the correct path (such as bouncing off of the nickel anvil) +where it will hopefully fall into the narrow accepted coin channel. + The rather elaborate tests that are performed as the coin travels down the +coin chute will stop most slugs and other undesirable coins, such as pennies, +which must then be retrieved using the coin release lever. + If the slug miraculously survives the gamut, it will then strike the +appropriate totalizer arm causing a ratchet wheel to rotate once for every +5-cent increment (eg, a quarter will cause it to rotate 5 times). + The totalizer then causes the coin signal oscillator to readout a +dual-frequency signal indicating the value deposited to ACTS (a computer) or +the TSPS operator. These are the same tones used by phreaks in the infamous red +boxes. + For a quarter, 5 beep tones are outpulsed at 12-17 pulses per second (PPS). +A dime causes 2 beep tones at 5 - 8.5 PPS while a nickel causes one beep tone +at 5 - 8.5 PPS. A beep consists of 2 tones: 2200 + 1700 Hz. + A relay in the fortress called the "B relay" (yes, there is also an 'A +relay') places a capacitor across the speech circuit during totalizer read-out +to prevent the "customer" from hearing the red box tones. + In older 3 slot phones: one bell (1050-1100 Hz) for a nickel, two bells +for a dime, and one gong (800 Hz) for a quarter are used instead of the modern +dual-frequency tones. + +TSPS & ACTS +____________________________________________________________ + + Page 120 + + + + + The Official Phreaker's Manual + + + While fortresses are connected to the CO of the area, all transactions are +handled via the Traffic Service Position System (TSPS). In areas that do not +have ACTS, all calls that require operator assistance, such as calling card and +collect, are automatically routed to a TSPS operator position. + In an effort to automate fortress service, a computer system known as +Automated Coin Toll Service (ACTS) has been implemented in many areas. ACTS +listens to the red box signals from the fones and takes appropriate action. It +is ACTS which says, "Two dollars please (pause) Please deposit two dollars for +the next ten seconds" (and other variations). Also, if you talk for more than +three minutes and then hang-up, ACTS will call back and demand your money. +ACTS is also responsible for Automated Calling Card Service. + ACTS also provide trouble diagnosis for craftspeople (repairmen +specializing in fortresses). For example, there is a coin test which is great +for tuning up red boxes. In many areas this test can be activated by dialing +09591230 at a fortress (thanks to Karl Marx for this information). Once +activated it will request that you deposit various coins. It will then identify +the coin and outpulse the appropriate red box signal. The coins are usually +returned when you hang up. + To make sure that there is actually money in the fone, the CO initiates a +"ground test" at various times to determine if a coin is actually in the fone. +This is why you must deposit at least a nickel in order to use a red box! + +Green Boxes: +____________________________________________________________ + + Paying the initial rate in order to use a red box (on certain fortresses) +left a sour taste in many red boxer's mouths thus the GREEN BOX was invented. +The green box generates useful tones such as COIN COLLECT, COIN RETURN, and +RINGBACK. These are the tones that ACTS or the TSPS operator would send to the +CO when appropriate. Unfortunately, the green box cannot be used at a fortress +station but it must be used by the CALLED party. + +Here are the tones: + +COIN COLLECT 700 + 1100 Hz +COIN RETURN 1100 + 1700 Hz +RINGBACK 700 + 1700 Hz + + Before the called party sends any of these tones, an operator released +signal should be sent to alert the MF detectors at the CO. This can be +accomplished by sending 900 + 1500 Hz or a single 2600 Hz wink (90 ms) followed +by a 60 ms gap and then the appropriate signal for at least 900 ms. + Also, do not forget that the initial rate is collected shortly before the 3 +minute period is up. + Incidentally, once the above MF tones for collecting and returning coins +reach the CO, they are converted into an appropriate DC pulse (-130 volts for +return & +130 volts for collect). This pulse is then sent down the tip to the +fortress. This causes the coin relay to either return or collect the coins. + The alleged "T-Network" takes advantage of this information. When a pulse +for COIN COLLECT (+130 VDC) is sent down the line, it must be grounded +somewhere. This is usually either the yellow or black wire. Thus, if the wires +are exposed, these wires can be cut to prevent the pulse from being grounded. +When the three minute initial period is almost up, make sure that the black & +yellow wires are severed; then hang up, wait about 15 seconds in case of a +second pulse, reconnect the wires, pick up the fone, hang up again, and if all +goes well it should be "JACKPOT" time. + + + Page 121 + + + + + The Official Phreaker's Manual + +Physical Attack: +____________________________________________________________ + + A typical fortress weighs roughly 50 lbs. with an empty coin box. Most of +this is accounted for in the armor plating. Why all the security? Well, Bell +contributes it to the following: + + "Social changes during the 1960's made the multislot coin station a +prime target for: vandalism, strong arm robbery, fraud, and theft of service. +This brought about the introduction of the more rugged single slot coin station +and a new environment for coin service." + +As for picking the lock, I will quote Mr. Phelps: + + "We often fantasize about 'picking the lock' or 'getting a master +key.' Well, you can forget about it. I don't like to discourage people, but it +will save you from wasting alot of your time--time which can be put to better +use (heh, heh)." + + As for physical attack, the coin plate is secured on all four side by +hardened steel bolts which pass through two slots each. These bolts are in +turn interlocked by the main lock. + One phreak I know did manage to take one of the 'mothers' home (which was +attached to a piece of plywood at a construction site; otherwise, the permanent +ones are a bitch to detach from the wall!). It took him almost ten hours to +open the coin box using a power drill, sledge hammers, and crow bars (which was +empty -- perhaps next time, he will deposit a coin first to hear if it slushes +down nicely or hits the empty bottom with a clunk.) + Taking the fone offers a higher margin of success. Although this may be +difficult often requiring brute force and there has been several cases of back +axles being lost trying to take down a fone! A quick and dirty way to open the +coin box is by using a shotgun. In Detroit, after ecologists cleaned out a +municipal pond, they found 168 coin phones rifled. + In colder areas, such as Canada, some shrewd people tape up the fones using +duct tape, pour in water, and come back the next day when the water will have +froze thus expanding and cracking the fone open.In one case: + + "unauthorized coin collectors" where caught when they brought $6,000 in +change to a bank and the bank became suspicious... + + At any rate, the main lock is an eight level tumbler located on the right +side of the coin box. This lock has 390,625 possible positions (5 ^ 8, since +there are 8 tumblers each with 5 possible positions) thus it is highly pick +resistant! The lock is held in place by 4 screws. If there is sufficient +clearance to the right of the fone, it is conceivable to punch out the screws +using the drilling pattern below (provided by Alexander Mundy in TAP) + + + + + + + + + + + + + + Page 122 + + + + + The Official Phreaker's Manual + + Chapter 5 + + What is covered in these last few articles, is the essence of phreaking, +blue boxing & equal access. These last articles, I hope will be the final +stage of phreak education for now. Basic telecommunications 7 is a brief intro +to the art of blue boxing, while Better Homes & Blue Boxing will cover it in +full. Equal access will be an interesting switch, it is installed in my area +already and I have been investigating it. One thought is to call MCI operators +and box through them, over MCI lines... + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 123 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART VII * + * * + ************************************************************ + +Preface: + + After most neophyte phreaks overcome their fascination with Metro codes and +WATS extenders, they will usually seek to explore other avenues in the vast +phone network. Often they will come across references such as "simply dial KP ++ 2130801050 + ST for the Alliance teleconferencing system in LA.". Numbers +such as the one above were intended to be used with a blue box; this article +will explain the fundamental principles of the fine art of blue boxing. + +Genesis: +____________________________________________________________ + + In the beginning, all long distance calls were connected manually by +operators who passed on the called number verbally to other operators in +series. This is because pulse (aka rotary) digits are created by causing +breaks in the DC current (see Basic Telcom V). Since long distance calls +require routing through various switching equipment and AC voice amplifiers, +pulse dialing cannot be used to send the destination number to the end local +office (CO). + + Eventually, the demand for faster and more efficient long distance (LD) +service caused Bell to make a multi-billion dollar decision. They had to create +a signaling system that could be used on the LD Network. Basically, they had +two options: + +[1] To send all the signaling and supervisory information (ie, ON & OFF +HOOK) over separate data links. This type of signaling is referred to as +out-of-band signaling. + -or- +[2] To send all the signaling information along with the conversation +using tones to represent digits. This type of signaling is referred to as +in-band signaling. + + Being the cheap bastard that they naturally are, Bell chose the latter (and +cheaper) method -- IN-BAND signaling. They eventually regretted this, though +(heh, heh)... + +IN-BAND SIGNALING PRINCIPLES: +____________________________________________________________ + + When a subscriber dials a telephone number, whether in rotary or touch-tone +(aka DTMF), the equipment in the CO interprets the digits and looks for a +convenient trunk line to send the call on its way. In the case of a local +call, it will probably be sent via an inter-office trunk; otherwise, it will be +sent to a toll office (class 4 or higher -- see Telcom IV) to be processed. + + When trunks are not being used there is a 2600 Hz tone on the line; thus, +to find a free trunk, the CO equipment simply checks for the presence of 2600 +Hz. If it doesn't find a free trunk the customer will receive a re-order signal + + Page 124 + + + + + The Official Phreaker's Manual + +(120 IPM busy signal) or the "all circuits are busy..." message. If it does +find a free trunk it "seizes" it -- removing the 2600 Hz. It then sends the +called number or a special routing code to the other end or toll office. + + The tones it uses to send this information are called multi-frequency (MF) +tones. An MF tone consists of two tones from a set of six master tones which +are combined to produce 12 separate tones. You can sometimes hear these tones +in the background when you make a call but they are usually filtered out so +your delicate ears cannot hear them. These are NOT the same as touch-tones. + + To notify the equipment at the far end of the trunk that it is about to +receive routing information, the originating end first sends a Key Pulse (KP) +tone. At the end of sending the digits, #he originating end then sends a STart +(ST) tone. Thus to call 914-359-1517, the equipment would send KP + 9143591517 ++ ST in MF tones. When the customer hangs up, 2600 Hz is once again sent to +signify a disconnect to the distant end. + +History: +____________________________________________________________ + + In the November 1960 issue of The Bell System Technical Journal, an article +entitled "Signaling Systems for Control of Telephone Switching" was published. +This journal, which was sent to most university libraries, happened to contain +the actual MF tones used in signaling. They appeared as follows: + +Digit Tones +----- ----- + 1 700 + 900 Hz + 2 700 + 1100 Hz + 3 900 + 1100 Hz + 4 700 + 1300 Hz + 5 900 + 1300 Hz + 6 1100 + 1300 Hz + 7 700 + 1500 Hz + 8 900 + 1500 Hz + 9 1100 + 1500 Hz + 0 1300 + 1500 Hz + KP 1100 + 1700 Hz + ST 1500 + 1700 Hz + 11 (*) 700 + 1700 Hz + 12 (*) 900 + 1700 Hz + KP2 (*) 1300 + 1700 Hz + +(*) Used only on CCITT SYSTEM 5 for special international calling. + + Bell caught wind of blue boxing in 1961 when it caught a Washington state +college student using one. They originally found out about blue boxes through +police raids and informants. In 1964, Bell Labs came up with scanning +equipment, which recorded all suspicious calls, to detect blue box usage. +These units were installed in CO's where major toll fraud existed. AT&T +Security would then listen to the tapes to see if any toll fraud was actually +committed. Over 200 convictions resulted from the project. Surprisingly +enough, blue boxing is not solely limited to the electronics enthusiast; AT&T +has caught businessmen, film stars, doctors, lawyers, college students, high +school students and even a millionaire financier (Bernard Cornfeld) using the +device. AT&T also said that nearly half of those that they catch are +businessmen. + + + Page 125 + + + + + The Official Phreaker's Manual + + Of course, phone phreaks have achieved an almost cult status. They have +also had their fair share of media. In October 1971, Esquire published the +infamous "Secrets of the Little Blue Box" article which featured phreaks such +as Captain Crunch, who took his name from the cereal which one gave away +whistles that produced a perfect 2600 Hz pitch; Joe Engressia, the blind +phreak; and Mark Bernay, one of the nation's first and oldest phreaks. Others +such as Apple computer co-founders Steve Wozniak & Steve Jobs have also had +blue box backgrounds. 1971 also saw the publication of the first issue of YIPL, +the phone phreak newsletter, (now TAP) under the editorship of supreme yippie +Abbie Hoffman. + +Usage: +____________________________________________________________ + + To use a blue box, one would usually make a free call to any 800 number or +distant directory assistance (NPA-555-1212). This, of course, is legitimate. +When the call is answered, one would then swiftly press the button that would +send 2600 Hz down the line. This has the effect of making the distant CO +equipment think that the call was terminated and it leaves the trunk hanging. +Now, the user has about 10 seconds to enter in the telephone number he wished +to dial -- in MF, that is. The CO equipment merely assumes that this came from +another office and it will happily process the call. Since there are no records +(except on toll fraud detection devices!) of these MF tones, the user is not +billed for the call. When the user hangs up, the CO equipment simply records +that he hung up on a free call. + +Detection: +____________________________________________________________ + + Bell has had 20 years to work on detection devices; therefore, in this day +and age, they are rather well refined. Basically, the detection device will +look for the presence of 2600 Hz where it does not belong. It then records the +calling number and all activity after the 2600 Hz. If you happen to be at a +fortress fone, though, and you make the call short, your chances of getting +caught are significantly reduced (see Telcom VI). Incidentally, there have been +rumors of certain test numbers (see Telcom II) that hook directly into trunks +thus avoiding the need for 2600 Hz and detection! + + Another way that Bell catches boxers is to examine the CAMA (Centralized +Automatic Message Accounting) tapes. When you make a call, your number, the +called number, and time of day are all recorded. The same thing happens when +you hang up. This tape is then processed for billing purposes. Normally, all +free calls are ignored. But Bell can program the billing equipment to make note +of lengthy calls to directory assistance. They can then put a pen register +(aka DNR) on the line or an actual full-blown tap. This detection can be +avoided by making short-haul (aka local) calls to box off of. + + It is interesting to note that NPA+555-1212 originally did not return +answer supervision. Thus the calls were not recorded on the AMA/CAMA tapes. +AT&T changed this though for "traffic studies!" + +CCIS: +____________________________________________________________ + + Besides detection devices, Bell has begun to gradually redesign the network +using out-of-band signaling. This is known as Common Channel Inter-office +Signaling (CCIS). Since this signaling method sends all the signaling +information over separate data lines, blue boxing is impossible under it. + + Page 126 + + + + + The Official Phreaker's Manual + + + While being implemented gradually, this multi-billion dollar project is +still strangling the fine art of blue boxing. Of course until the project is +totally complete, boxing will still be possible. It will become progressively +harder to find places to box off of, though. In areas with CCIS, one must find +a directory assistance office that doesn't have CCIS yet. Area codes in Canada +and predominately rural states are the best bets. WATS numbers terminating in +non-CCIS cities are also good prospects. + +Pink Noise: +____________________________________________________________ + + Another way that may help to avoid detection is too add some "pink noise" +to the 2600 Hz tone. Since 2600 Hz tones can be simulated in speech, the +detection equipment must be careful not to misinterpret speech as a disconnect +signal. Thus a virtually pure 2600 Hz tone is required for disconnect. + + Keeping this in mind, the 2600 Hz detection equipment is also probably +looking for pure 2600 Hz or else is would be triggered every time someone hit +that note (highest E on a piano =2637 Hz). This is also the reason that the +2600 Hz tone must be sent rapidly; sometimes, it won't work when the operator +is saying "Hello, hello." It is feasible to send some "pink noise" along with +the 2600 Hz. Most of this energy should be above 3000 Hz. The pink noise +won't make it into the toll network (where we want our pure 2600 Hz to hit) but +it should make it past the local CO and thus the fraud detectors. + +Construction: +____________________________________________________________ + + While step-by-step details for the construction of a blue box is beyond the +scope of this tutorial, it is worthwhile to mention some of the details. + + First there are some alternatives but they are not as good as an actual +blue box. Many computers are capable of generating MF tones. Thus, your local +phriendly software pirate should have a program compatible for your computer. + + However, it is highly advisable not to box from home as stated in The Ten +Commandments (as interpreted for phreaks by Fred Steinbeck -- TAP #86). + +I. Box thou not over thine home telephone wires, for those who doest must +surely bring the full wrath of the Chief Special Agent down upon thy heads. + + Another alternative that has a moderate success rate involves recording the +tones from a phriend with a box or computer onto a cassette tape. They can +then be used at a fortress. + + As for actual construction techniques, TAP has devoted many issues to blue +boxing. Basically, a blue box is merely a device capable of generating two +different tones simultaneously. There are two basic construction methods that I +will outline below for the electronics hobbyist. + + The first involves the use of two 555 timer chips (or a 556 -- i.e., two +555's in one chip). It offers excellent frequency and voltage stability. +Also, it does not need a diode matrix keypad but used double-pole switches +instead. Schematics for this type of box can be found in TAP issue #29. + + The other common box makes use of two Intersil 8038CC Function Generators. +It does require a diode matrix keypad though, potentiometers, an LM-100 voltage + + Page 127 + + + + + The Official Phreaker's Manual + +regulator, a 741 Op-amp, and a handful of other parts. The schematics for this +type of blue box can be found in TAP #26. Both designs draw about 20 ma of +current. + + Also, most blue boxes use telephone earpieces (with the varistor removed) +for speakers. These can be easily liberated from fortress fones with a small +coping saw. + + Usually, the hardest part about building a blue box is the calibration. A +frequency counter is a must and an oscilloscope won't hurt. + + Some boxes also take timing into account. It is feasible on the ESS +systems that they check to see if the digits are of uniform length. If they +aren't, they are probably from a blue box and a trouble card may be dropped. +With this in mind, the Bell standard for MF pulses and interdigit intervals is +around 75 ms. It varies with the equipment used since ESS can handle higher +speeds and doesn't need interdigit intervals. + +Applications: +____________________________________________________________ + + Besides dialing normal calls free, i.e., KP+NPA+NNX+XXXX+ST, blue boxes +offer the entire network for exploration. Emergency break-ins, service +monitoring (aka taps), stacking tandems (the art of busying out all trunks +between two points), re-routing calls, conference calls, and much, much more +are all feasible. Although, Bell frequently changes these codes due to +phreaks. Here are some standard ones, though: + +Operator & Other Codes: +____________________________________________________________ + + (an optional NPA may proceed all of the numbers; otherwise, you will reach +the one local for the area where the call is originated) + +001 -- Trunk Access System +009 -- Rate Quote System +101 -- toll office test board +121 -- INWARD Operator + + This operator assists the local "0" operator in completing calls. (S)he +will do virtually anything for you providing it is within her NPA. + +131 -- Operator Directory assistance +141 -- Rout & Rate +141 defunct -- use KP + 800 + 141 +1212 + ST) + + These operators are very useful if you know how to mumble a few cryptic +phrases as compiled below (with thanks to Fred Steinbeck): To find out.....Area +Codes + + For example say , "Miami, Florida, numbers route, please." The R&R +operator will tell you "305 plus," meaning that 305 plus the seven digit number +will get you Miami. + +... Inward Operator City Codes + + Usually, the INWARD operator for an area is simply KP + NPA + 121 + +ST. In some area codes, though, there are several large cities and thus + + Page 128 + + + + + The Official Phreaker's Manual + +several inwards. To find the inward for a specific city, you would say "916 +756, operator route, please" to the R&R operator who will then tell you "916 +plus 001 plus." This means that KP+ 916 + 001 + 121 + ST will get you an +inward for Sacramento, CA (916-756). + +... City names + + If you want to know the city that corresponds to an area code and +exchange, you simply tell the R&R, "Place name, 914 390, please." In this +example, the R&R operator will respond with "White Plains, NY." + +... International Directory Assistance + + If you need a directory route for London, you could say +"International, London, England. TSPS directory route, please." The R&R +operator will respond with "Directory to London, England. Country code 44 plus +1 plus 986 plus 3611." Therefore to get a DA operator in London, you would +route yourself to an international sender and KP + 04419863611 + ST. + +... Country & City codes + + If you need to know the country and city code for an international +number you can say "International, Sydney, Australia, TSPS numbers route, +please" and get "Country code 61 plus 2." + +... International Inwards Routes + + To get routing codes for international inwards say "International, +London, England, TSPS inward route, please." The R&R Operator will respond with +"Country code 44 plus 121." + + Finally, to get language assistance for completing a foreign call you can +tell the foreign inward, "United States calling. Language assistance in +completing a call to (called party) at (called number)." + +151 -- Overseas incoming (212 +& 914+) +160-XX0 -- Various Overseas Operators +161 -- Trouble reporting operator (defunct) +181 -- Coin Refund Operator +18X -- Overseas senders + + To make an international call, one would KP + 011 + 0CC + ST where CC is +the country code. This will route you to the appropriate overseas sender. You +will then receive a 480 Hz dial tone. Here you enter KP + 0CC + city code + +local number + ST and the call is on its way. + + Country codes can be either 1, 2, or 3 digits but they must be padded for +three digits to create a pseudo-country code with extra zero's if necessary. +For example, England, country code 44, becomes 044. + + To see which international sender a certain country (lets use French +Guiana, country code 594, for example) goes through, you can dial KP + 011 + +594 + ST, wait for the Proceed to Send tone then KP + 000 + 0000 + ST and you +will receive a recording saying which ISC (International Switching Center) it +is. For the example it will say, "This is the international switching center +in Pittsburg, PA -- This is a recording - 4121." You can actually route calls +to certain senders yourself (KP + NPA + 18X + ST) but it is better off not to +since it may look suspicious if a call is sent through a sender that it + + Page 129 + + + + + The Official Phreaker's Manual + +shouldn't go through. Here are the senders: + +182 -- White Plains, NY +183 -- New York, NY +184 -- Pittsburg, PA +185 -- Orlando, FL +186 -- Oakland, CA +187 -- Denver, CO +188 -- New York, NY + + Also, there tends to be alot of talk about the Code 11, Code 12, KP2, STP, +ST3P, & ST2P keys. While they do exist the blue boxer need not concern himself +with them. The first three are used on CCITT System 5. This is the signaling +system that the International Senders use to send information to other +countries. These codes are usually added automatically just like the language +assistance digit [which distinguishes operator (or blue box) dialed calls from +customer dialed calls]. The STP, ST3P, & ST2P tones are used when equipment is +communicating with the TSPS. These also are automatically added when needed in +most cases. + +[see Telcom III for more on International Switching Centers (ISC)] + +11XXX -- miscellaneous operators +11501 -- universal cordboard operator +11511 -- conference operator +11521 -- mobile operator +11531 -- marine operator +11541 -- LD incoming switchboard +11551 -- leave word for time & charges (neat stuff) +11561 -- same as 11551 but for hotel/motels +11571 -- overseas operators (language assistance) + + The 11XXX series is interesting scanning material. + +Miscellaneous Routing Codes : +____________________________________________________________ + + Alliance Teleconferencing has several numbers, a few of which are listed +below: + +KP + 213 080 XXXX + ST +KP + 305 025 XXXX + ST +KP + 312 001 XXXX + ST +XXXX = 1050, 1100, or a few others + + Also, at KP + 317 009 + ST there is a MF tone checker. After the +beep-kerclunk, dial in KP + 999 1234567 890 + ST and it will repeat the digits +that you pulsed if they are of the right frequency. + +Tandem Scanning: +____________________________________________________________ + + To find all sorts of interesting things, you must look. Begin scanning +three digit codes in your area (i.e., KP + 000 + ST, KP + 001 + ST, etc.). Keep +track of all of your results. Sometimes you must probe things, send additional +digits and see what happens, send touch-tone, send it 2600 Hz, rip it apart. +You never know, you may run into something phun, like a computer that checks CC +numbers. + + Page 130 + + + + + The Official Phreaker's Manual + + + Incidentally, in some exchange you can dial inwards and other box codes +directly! For example, 914-121-1111 will get you a NY inward. The only problem +is that a 0 or 1 as the first digit of the exchange is usually *prohibited in +customer dialing. Somebody may have "accidentally" changed this screening code +on your ESS's computer, though -- you never know and it can't hurt to try. +WATS translation numbers also take up some of the 0XX & 1XX codes. + + Finally, certain tones on the blue box can also be used for other purposes. +An MF "2" corresponds to COIN COLLECT while "KP" corresponds to COIN RETURN. +Thus every blue box is also a green box (see Telcom VI). + +Coming soon: + +Telcom VIII will deal with cordless phones, mobile phones, and other neat +things. + +Be careful and have phun, + +*****BIOC +*=$=*Agent +*****003 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 131 + + + + + The Official Phreaker's Manual + +The Mark Tabas encounter series presents: + + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + Better Homes and Blue Boxing + + Part I + + Theory of Operation + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + To quote Karl Marx, blue boxing has always been the most noble form of +phreaking. As opposed to such things as using an MCI code to make a free fone +call, which is merely mindless pseudo-phreaking, blue boxing is actual +interaction with the Bell System toll network. It is likewise advisable to be +more cautious when blue boxing, but the careful phreak will not be caught, +regardless of what type of switching system he is under. + + In this part, I will explain how and why blue boxing works, as well as where. +In later parts, I will give more practical information for blue boxing and +routing information. + + To begin with, blue boxing is simply communicating with trunks. Trunks must +not be confused with subscriber lines (or "customer loops") which are standard +telefone lines. Trunks are those lines that connect central offices. Now, when +trunks are not in use (i.e., idle or "on-hook" state) they have 2600Hz applied +to them. If they are two-way trunks, there is 2600Hz in both directions. When a +trunk IS in use (busy or "off-hook" state"), the 2600Hz is removed from the +side that is off-hook. The 2600Hz is therefore known as a supervisory signal, +because it indicates the status of a trunk; on hook (tone) or off-hook (no +tone). Note also that 2600Hz denoted SF (single frequency) signalling and is +"in-band." This is very important. "In-band" means that is is within the band +of frequencies that may be transmitted over normal telefone lines. Other SF +signals, such as 3700Hz are used also. However, they cannot be carried over the +telefone network normally (they are "out-of-band") and are therefore not able +to be taken advantage of as 2600Hz is. + + Back to trunks. Let's take a hypothetical phone call. You pick up your fone +and dial 1+806-258-1234 (your good friend in Armarillo, Texas). For ease, we'll +assume that you are on #5 Crossbar switching and not in the 806 area. Your +central office (CO) would recognize that 806 is a foreign NPA, so it would +route the call to the toll centre that serves you. [For the sake of accuracy +here, and for the more experienced readers, note that the CO in question is a +class 5 with LAMA that uses out-of-band SF supervisory signalling]. Depending +on where you are in the country, the call would leave your toll centre (on more +trunks) to another toll centre, or office of higher "rank". Then it would be +routed to central office 806-258 eventually and the call would be completed. +Illustration: + +A---CO1-------TC1------TC2----CO2----B + +A=you +CO1=your central office +TC1=your toll office. +TC2=toll office in Amarillo. +CO2=806-258 central office. +B=your friend (806-258-1234) + + In this situation it would be realistic to say that CO2 uses SF in-band + + Page 132 + + + + + The Official Phreaker's Manual + +(2600Hz) signalling, while all the others use out-of-band signalling (3700Hz). +If you don't understand this, don't worry too much. I am pointing this out +merely for the sake of accuracy. The point is that while you are connected to +806-258-1234, all those trunks from YOUR central office (CO1) to the 806-258 +central office (CO2) do *NOT* have 2600Hz on them, indicating to the Bell +equipment that a call is in progress and the trunks are in use. + + Now let's say you're tired of talking to your friend in Amarillo +(806-258-1234) so you send a 2600Hz down the line. This tone travels down the +line to your friend's central office (CO2) where it is detected. However, that +CO thinks that the 2600Hz is originating from Bell equipment, indicating to it +that you've hung up, and thus the trunks are once again idle (with 2600Hz +present on them). But actually, you have not hung up, you have fooled the +equipment at your friend's CO into thinking you have. Thus,it disconnects him +and resets the equipment to prepare for the next call. All this happens very +quickly (300-800ms for step-by-step equipment and 150-400ms for other +equipment). + + When you stop sending 2600Hz (after about a second), the equipment thinks +that another call is coming towards it (e.g. it thinks the far end has come +"off-hook" since the tone has stopped. It could be thought of as a toggle +switch: tone --> on hook, no tone -->off hook. Now that you've stopped sending +2600Hz, several things happen: + +1) A trunk is seized. + +2) A "wink" is sent to the CALLING end from the CALLED end indicating that the +CALLED end (trunk) is not ready to receive digits yet. + +3) A register is found and attached to the CALLED end of the trunk within about +two seconds (max). + +4) A start-dial signal is sent to the CALLING end from the CALLED end +indicating that the CALLED end is ready to receive digits. + +Now, all of this is pretty much transparent to the blue boxer. All he really +hears when these four things happen is a . So, seizure of a +trunk would go something like this: + +1> Send a 2600Hz +2> Terminate 2600Hz after 1-2 secs. +3> [beep][kerchunk] + + Once this happens, you are connected to a tandem that is ready to obey your +every command. The next step is to send signalling information in order to +place your call. For this you must simulate the signalling used by operators +and automatic toll-dialing equipment for use on trunks. There are mainly two +systems, DP and MF. However, DP went out with the dinosaur , so I'll only +discuss MF signalling. MF (multi-frequency) signalling is the signalling used +by the majority of the inter- and intra-lata network. It is also used in +international dialing known as the CCITT no.5 system. + + MF signalling consists of 7 frequencies, beginning with 700Hz and separated +by 200Hz. A different set of two of the 7 frequencies represent the digits 0 +thru 9, plus an additional 5 special keys. The frequencies and uses are as +follows: + +Frequencies (Hz) Domestic Int'l + + Page 133 + + + + + The Official Phreaker's Manual + +-------------------------------------- + 700+900 1 1 + 700+1100 2 2 + 900+1100 3 3 + 700+1300 4 4 + 900+1300 5 5 +1100+1300 6 6 + 700+1500 7 7 + 900+1500 8 8 +1100+1500 9 9 +1300+1500 0 0 + 700+1700 ST3p Code 11 + 900+1700 STp Code 12 +1100+1700 KP KP1 +1300+1700 ST2p KP2 +1500+1700 ST ST + + The timing of all the MF signals is a nominal 60ms, except for KP, which +should have a duration of 100ms. There should also be a 60ms silent period +between digits. This is very flexible, however, and most Bell equipment will +accept outrageous timings. + + In addition to the standard uses listed above, MF pulsing also has expanded +usages known as "expanded inband signalling" that include such things as coin +collect, coin return, ringback, operator attached, and operator released. KP2, +code 11, and code 12 and the ST_ps (STart "primes") all have special uses which +will be mentioned only briefly here. + + To complete a call using a blue box, once seizure of a trunk has been +accomplished by sending 2600Hz and pausing for the , one must +first send a KP. This readies the register for the digits that follow. For a +standard domestic call, the KP would be followed by either 7 digits (if the +call were in the same NPA as the seized trunk) or 10 digits (if the call were +not in the same NPA as the seized trunk). [Exactly like dialing a normal fone +call]. Following either the KP and 7 or 10 digits, a STart is sent to signify +that no more digits follow. Example of a complete call: + +1> Dial 1-806-258-1234 +2> wait for a call-progress indication (such as ring, busy, recording, etc.) +3> Send 2600Hz for about 1 second. +4> Wait for about 2 seconds while a trunk is seized. +5> Send KP+305+994+9966+ST + + The call will then connect if every-thing was done properly. Note that if a +call to an 806 number were being placed in the same situation, the area code +would be omitted and only KP+ seven digits+ST would be sent. + + Code 11 and code 12 are used in international calling to request certain +types of operators. KP2 is used in international calling to route a call other +than by way of the normal route, whether for economic or equipment reasons. + + STp, ST2p, and ST3p (prime, two prime, and three prime) are used in TSPS +signalling to indicate calling type of call (such as coin-direct dialed). + + This has been Part I of Better Homes and Blue Boxing. I hope you enjoyed and +learned from it. If you have any questions, comments, threats or insults, +please fell free to drop me a line. If you have noticed any errors in this text +(yes, it does happen), please let me know and perhaps a correction will be in + + Page 134 + + + + + The Official Phreaker's Manual + +order. Part II will deal mainly with more advanced principles of blue boxing, +as well as routings and operators. + + Note 1: other highly trunkable areas include: 816,305,813,609,205. I +personally have excellent luck boxing off of 609-953-0000. Try that if you have +any trouble. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 135 + + + + + The Official Phreaker's Manual + + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + Better Homes and Blue Boxing + + Part II + + Practical Applications + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +(It is assumed that the reader has read and understood Part I of this series). + + The essential purpose of blue boxing in the beginning was merely to receive +toll services free of charge. Though this can still be done, blue boxing has +essentially outlived its usefulness in this area. Modern day "extenders" and +long distance services provide a safer and easier way to make free fone calls. +However, you can do things with a blue box that just can't be done with +anything else. For ordinary toll-fraud, a blue box is impractical for the +following reasons: + +1. Clumsy equipment required (blue box or equivalent) +2. Most boxed calls must be made through an extender. Not for safety reasons, +but for reasons I'll explain later. +3. Connections are often sacrificed because considerable distances must be +dialed to cross a seizable trunk, in addition to awkward routing. + + As stated in reason #2, boxed calls are usually made through an extender. +This is for billing reasons. If you recall from Part i, 2600Hz is used as a +"supervisory" signal. That is, it signals the status of a trunk--"on-hook" or +"off-hook." When you seize a trunk (by briefly sending 2600Hz), your end (the +CALLING end) goes on hook for the duration of the 2600Hz and then goes off-hook +once again when the 2600Hz is terminated. The CALLED end recognizes that a +call is on the way and attaches a register, which interprets the digits which +are to be sent. Now, understand that even though your end has come off-hook (no +2600Hz present), the other end is still on-hook. You may wonder then, why, if +the other end (the CALLED end) is still on-hook, there is no 2600Hz coming the +other way on the trunk, when there should be. This is correct. 2600Hz *IS* +present on the trunk when you seize it and afterwards, but you cannot hear it +because of a Band Elimination Filter (BEF) at your central office. + + Back to the problem. Remember that when you seize a trunk, 2600Hz is indeed +coming the other way on the trunk because the CALLED end is still on-hook, but +you don't actually hear it because of a filter. However, the Bell equipment +knows it's there (they can "hear" it). The presence of the 2600Hz is telling +the billing equipment that your call has not yet been completed (i.e., the +CALLED end is still on-hook). When finally you do connect with your boxed call, +the 2600Hz from the called end terminates. This tells the billing equipment +that someone picked up the fone at the CALLED end and you should begin to be +billed. So you do start to get billed, but for the call to the trunk, NOT the +boxed call. Your billing equipment thinks that you've connected with the number +you used to seize the trunk. Illustration: + +1. You call 1+806-258-2222 (directly) +2. Status of trunks: + +<-----------------------------------> +(You) 806-258-2222 +No 2600Hz-------> <------------2600Hz + + When you seize a trunk (before the number you called answers) there is no + + Page 136 + + + + + The Official Phreaker's Manual + +affect on your billing equipment. It simply thinks that you're still waiting +for the call to complete (the CALLED end is still on-hook; it is ringing, busy, +going to recorder or intercept operator. + + Now, let's say that you've seized a trunk (806-258-2222) and for example, +KP+314+949+1705+ST. The call is routed from the tandem you seized to: +314-949-1705. Illustration: + +<------------------>O<---------------> +(You) 806 314-949 + tandem +No 2600Hz----------> <----------2600Hz + + Note that the entire path towards the right (the CALLED end) has no 2600Hz +present and is therefore "off-hook." The entire path towards the left (the +CALLING end) does have 2600Hz present on it, indicating that the CALLED end has +not picked up (or come "off-hook"). When 314-949-1705 answers, "answer +supervision" is given and the 2600Hz towards the left (the CALLING end) +terminates. This tells your billing equipment, which thinks that you're still +waiting to be connected with 806-258-2222, that you've finally connected. +Billing then begins to 806-258-2222. Not exactly an auspicious beginning for an +aspiring young phone phreak. + + To avoid this, several actions may be taken. As previously mentioned, one may +avoid being charged for the number called to seize a trunk by using an extender +(in which case the extender will get billed). In some areas, boxing may be +accomplished using an 800 number, generally in the format of 800-858-xxxx (many +Amarillo numbers) or 800-NN2-xxxx (special intra-state class in-WATS numbers). +However, boxing off of 800 numbers is impossible in many areas. In my area, +Denver, I am served by #1A ESS and it is impossible for me to box off of any +800 number. + + Years ago, in the early days of blue boxing (before my time), phreaks often +used directory assistance to box off of because they were "free" long distance +calls. However, because of competitive long distance companies, directory +assistance surcharges are now $0.50 in many areas. It is additionally advised +that directory assistance numbers not be used to box from because of the +following: + + Average DA calls last under 2 minutes. When you box a call, chances are that +it will last considerably longer. Thus, the Bell billing equipment will make a +note of calls to directory assistance that last a long time. A call to a +directory assistant lasting for 4 hours and 17 minutes may appear somewhat +suspicious. + + Although the date, time, and length of a DA call do not appear on the bill, +it is recorded on AMA tape and will trip a trouble report if it were to last +too long. This is how most phreaks were discovered in the old days. Also, +sometimes too many calls lasting too long to one 800 number may raise a few +eyebrows at the local security office. + + Assuming you can complete a blue box call, the following are listed routings +for various Bell internal operators. These are in the format of KP+NPA+ +special routing+1X1+ST, which I will explain later. The 1X1 is the actual +operator routing, and NPA and NPA+ special routing are used for out-of-area +code calls and out-of-area code calls requiring special routing, respectively. + +KP+101+ST ...... Toll test board. + + Page 137 + + + + + The Official Phreaker's Manual + +KP+121+ST ...... Inward Operator. +KP+131+ST ...... Directory assistance. +KP+141+ST ...... was rate & route. Now only works in 312, 815, 717, and a few +others. It has been replaced with a universal rate & route number +800+141+1212. +KP+151+ST ...... Overseas completion operator (inbound). Works only in certain +NPAs, such as 303. +KP+181+ST ...... In some areas, toll station for small towns. + + Thus, if you seize a trunk in 806 NPA and wanted an inward (in 806), then you +would dial KP+121+ST. If you wanted a 312 inward and were dialing on an 806 +trunk, an area code would be required. Thus, you would dial KP+312+121+ST. +Finally, some places in the network require special routing, in addition to an +area code. An example is Franklin Park, Ill. It requires a special routing of +032. For this, you would dial KP+312+032+121+ST for a Franklin Park inward +operator. + + Special routings are in the format of 0XX. They are used primarily for load +balance, so that traffic flow may be evenly distributed. About half of the +exchanges in the network require special routing. Note that special routings +are NEVER EVER EVER used to dial normal telephone numbers, only operators. + + Operator functions: + +TOLL TEST BOARD- Generally a cordboard position that assists in trunk testing. +They are not used by operators, only switchmen. + +INWARD- Assists the normal TSPS (0+) operator in completing calls out of the +TSPS's area. Also, inwards perform emergency interrupts when the number to be +interrupted is out of the area code of the original (TSPS) operator. For +example, a 303 operator has a customer that needs an emergency interrupt on +215-647-6969. The 303 operator gets the routing for the inward that covers +215-647, since she cannot do the interrupt herself. The routing is found to be +only 215+ (no special routing required). So, the 303 operator keys +KP+215+121+ST. An inward answers and the 303 says to her, "Inward, this is +Denver. I need an emergency interrupt on 215-647-6969. My customer's name is +Mark Tabas." The inward will then do the interrupt (off the line, of course). +If the number to be interrupted had required special routing, such as, say, +312-456-1234 (spec routing 032), then the 303 operator would dial +KP+312+032+121+ST for the inward to do that interrupt. + +DIRECTORY ASSISTANCE- These are the normal NPA+555+1212 operators that assist +customers with obtaining telefone directory listings. Not much toll-fraud +potential here, except maybe $0.50. + +RATE AND ROUTE- These operators are reached by dialing KP+800+141+1212+ST. +They assist normal (TSPS) operators with rates and routings (thus the name). +The only uses I typically have for them are the following: + + 1. Routing- + Information- In the above example, when the 303 operator needed to dial +an inward that served 215-647, she needed to know if any special routing was +required and, if so, what it was. Assuming she would use rate and route, she +would dial them and say nicely, "Operator's route, please, for 215-647." Rate & +route would respond with "215 plus." This means that the operator would dial +KP+215+121+ST to reach the inward that serves 215-647. If there were special +routing required, such as in 312-456, rate & route would respond with "312 plus +032 plus." In that case, the operator would dial KP+312+032+ST for the inward + + Page 138 + + + + + The Official Phreaker's Manual + +that serves 312-456. + + It is good practice to ask for "operator's route" specifically, as there are +also "numbers route" and "directory routes." If you do not specifically ask for +operator's route, rate & route will generally assume that is what you want +anyway. + +"Numbers" route refers to overseas calls. Example, you want to know how to +reach a number in Geneva, Switzerland (and you already have the number). You +would call routing and say "Numbers route, please, Geneva, Switzerland." The +operator would respond with: "Mark 41+22. 011+041+ST (plus) 041+22" The "Mark +41+22" has to do with billing, so disregard it. The 011+041 is access to the +overseas gateway (to be discussed in Part iii) and the 041+ 22+ is the routing +for Geneva from the overseas sender. + +"Directory" routings are for directory assistance overseas. Example: you want a +DA in Rome, Italy. You would call rate & route and say, "Directory routing +please, for Rome, Italy." They would respond with "011+039+ST (plus) 039+1108 +STart." As in the previous example, the 011+039 is access to the overseas +gateway. The 039+1108 is a directory assistant in Rome. + + 2. Nameplace information- Rate & Route will give you the location of an NPA+ +exchange. Example: "Nameplace please, for 215-648." The operator would respond +with "Paoli, Pennsylvania." This isn't especially useful, since you can get the +same information (legally) by dialing 0, but using rate & route is often much +faster and it avoids having to hang up when you are already on a trunk. + +*NOTE* On Rate & Route: As a blue boxer, always ask for "IOTC" routings. +(e.g., "IOTC operator's route", "IOTC numbers route", etc.) This tells them +that you want cordboard-type routings, not TSPS, because a blue boxer is +actually just a cordboard position (that Bell doesn't know about). + +OVERSEAS COMPLETION +OPERATOR (inbound)- These operators (KP+151+ST) assist in the completion of +calls coming in to the United States from overseas. There are KP+151+ST +operators only in a few NPAs in the country (namely 303). To use one, you would +seize a trunk and dial KP+303+151+ST. Then you would tell the operator, for +example, "This is Bangladesh calling. I need U.S. number 215-561-0562 please." +[in a broken Indian accent]. She would connect you, and the bill would be sent +to Bangladesh (where I've been billing my KP+151+ST calls for two years). + +Other internal Bell Operators. + +KP+11501+ST ...... universal operator +KP+11511+ST ...... conference op +KP+11521+ST ...... mobile op +KP+11531+ST ...... marine op +KP+11541+ST ...... long distance terminal +KP+11551+ST ...... time & charges op +KP+11561+ST ...... hotel/motel op +KP+11571+ST ...... overseas (outbound) op + + These 115X1 operators are identical in routing to the 1X1 operators listed +previously, with one exception. If special routing is required (0XX), then the +trailing 1 is left off. + +Examples: + + + Page 139 + + + + + The Official Phreaker's Manual + +A 312 universal op ... KP+312+11501+ST +A Franklin Park (312-456) universal op (special routing 032 required)........ +KP+312+032+1150+ST [The trailing 1 of 11501 is left off]. + +Purposes of 115X1 operators. + +UNIVERSAL- Used for collect/callback calls to coin stations. + +CONFERENCE- This is a cordboard conference operator who will set up a +conference for a customer on a manual operation basis. + +MOBILE- Assists in completion of calls to mobile (IMTS) type telefones. + +MARINE- Assists in completion of calls to ocean going vessels. + +LONG DISTANCE TERMINAL- Now obsolete.Was used for completion of long distance +calls. + +TIME & CHARGES- Will give exact costs of calls. Used to time calls and inform +customer of exactly how much it cost. + +HOTEL/MOTEL- Handles calls to/from hotels and motels. + +OVERSEAS +COMPLETION (outbound)- assists in completion of calls to overseas points. Only +works in some, if any NPAs, because overseas assistance has been centralized to +IOCC (covered in Part III). + + Note that all KP+1X1+ST and KP+115X1+ST operators automatically assume that +you are a TSPS or cordboard operator assisting a customer with a call. DO NOT +DO ANYTHING TO JEOPARDIZE THIS! If you do not know what to do, don't call these +operators! Find out what to do first. + + This concludes Part II. There is one final part in which I will explain +overseas dialing, IOCC (International Overseas Completion Centre), RQS +(Rate/Quote System), and some basic scanning. + + + + + + + + + + + + + + + + + + + + + + + + Page 140 + + + + + The Official Phreaker's Manual + + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + Better Homes and Blue Boxing + + Part III + + Advanced Signalling +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +(It is assumed that the reader has read and understood parts i & ii before +proceeding to this part). + + In Parts I & II, I covered basic theory and domestic signalling and +operators. In this part I will explain overseas direct boxing, the IOCC, the +RQS, and some basic scanning methods. + +Overseas Direct Boxing. + + Calling outside of the United States and Canada is accomplished by using an +"overseas gateway." There are 7 over-seas gateways in the Bell System, and each +one is designated to serve a certain region of the world. To initiate an +overseas call, one must first access the gateway that the call is to be sent +on. To do this automatically, decide which country you are calling and find its +country code. Then, pad it to the left with zeros as required so it is three +digits. [Add 1, 2, or 3 zeros as required]. + +Examples: + +Luxembourg (352) is 352 (stays the same) +Spain (34) becomes 034 (1 zero added) +U.S.S.R. (7) becomes 007 (2 zeros added) + + Next, seize a trunk and dial KP+011+ CC+ST. Note that CC is the three digit +padded country code that you just determined by the above method. [For +Luxembourg, dial KP+011+352+ST, Spain KP+011+034+ST, and the U.S.S.R. KP+011+ +007+ST]. This is done to route you to the appropriate overseas gateway that +handles the country you are dialing. Even though every gateway will allow you +to dial every dialable country, it is good practice to use the gateway that is +designated for the country you are calling. + + After dialing KP+011+CC+ST (as CC is defined above) you should be connected +to an overseas gateway. It will acknowledge by sending a wink (which is audible +as a and a dial tone. Once you receive international dial +tone, you may route your call one of two ways: a) as an operator-originated +call, or b) as a customer-originated call. To go as a operator-originated call, +key KP+ country code (NOT padded with zeros)+ city code+number+ST. You will +then be connected, providing the country you are calling can receive +direct-dialed calls. The U.S.S.R. is an example of a country that cannot. + +Example of a boxed int'l call: + +To make a call to the Pope (Rome, Italy), first obtain the country code, which +is 39. Pad it with zeros so that it is 039. Seize a trunk and dial +KP+011+039+ST. Wait for sender dial tone and then dial KP+39+6+6982+ST. 39 is +the country code, 6 is the city code, and 6982 is the Pope's number in Rome. To +go as an operator-originated call, simply place a zero in front of the country +code when dialing on the gateway. Thus, KP+0+39+6+6982+ST would be dialed at +sender dial tone. Routing your call as operator-originated does not affect much +unless you are dialing an operator in a foreign country + + Page 141 + + + + + The Official Phreaker's Manual + + + To dial an operator in a foreign country, you must first obtain the operator +routing from rate & route for that country. Dial rate & route and if you're +trying to get an operator in Yugoslavia, say nicely, "IOTC Operator's route, +please, for Yugoslavia." [In larger countries it may be necessary to specify a +city]. Rate & route will respond with, "38 plus 11029". So, dial your overseas +gateway, KP+011+038+ST, wait for sender dial tone, and key KP+0+38+11029+ST. +You should then get an operator in Yugoslavia. Note that you must prefix the +country code on the sender with a 0 because presumably only an operator here +can dial an operator in a foreign country. + + When you dial KP+011+CC+ST for an overseas gateway, it is translated to a +3-digit sender code of the format 18X, depending on which sender is designated +to handle the country you are dialing. The overseas gateways and their 3-digit +codes are listed below. + +182 ..... White Plains, NY +183 ..... New York, NY +184 ..... Pittsburg, PA +185 ..... Orlando, FL +186 ..... Oakland, CA +187 ..... Denver, CO +188 ..... New York, NY + + Dialing KP+182+ST would get you the sender in White Plains, and KP+183+ST +would get the sender in NYC, etc., but the KP+011+CC+ST is highly suggested (as +previously mentioned). To find out what sender you were routed to after dialing +KP+011+CC+ST, dial (at int'l dial tone): KP+0000000+ST. + + If you have difficulty in reaching a sender, call rate and route and ask for +a numbers route for the country you're dialing. Sometimes, KP+011+ padded +country code+ST will not work. I have found this in many 3-digit country +codes. Luxembourg, country code 352, for example, should be KP+011+352+ST +theoretically. But it is not. In this case, dial KP+011+ 003+ST for the +overseas gateway. If you have trouble, try dialing KP+00+ first digit of +country code+ST, or call rate The IOCC. + + Sometimes when you call rate and route and ask for an "IOTC numbers route" or +"IOTC operators route" for a foreign country, you will get something like +"160+700" (as in the case of the Soviet Union). This means that the country is +not dialable directly and must be handled through the International Overseas +Completion Centre (IOCC). For an IOCC routing, pad the country code to the +RIGHT with zeros until it is 3 digits. Then KP+160 is dialed, plus the padded +country code, plus ST. Examples: + +The U.S.S.R. (7) ...... KP+160+700+ST +Japan (81) ............ KP+160+810+ST +Uraguay (598) ......... KP+160+598+ST + + You will then be routed to the IOCC in Pittsburg, PA, who will ask for +country, city, and number being dialed. Many times they will ask for a +ringback [thanks to Telenet Bob] so have a loop ready. They will then place the +call and call you back (or sometimes put you through directly). Some calls, +such as to Moscow, take several hours. + +The Rate Quote System (RQS). + + The RQS is the operator's rate/quote system. It is a computer used by TSPS + + Page 142 + + + + + The Official Phreaker's Manual + +(0+) operators to get rate and route information without having to dial the +rate and route operator. In Part ii, I discussed getting an inward routing for +dialing-assistance and emergency interrupts from the rate and route operators +(KP+800+141+1212+ST). The same information is available from RQS. Say you want +the inward routing for 305-994. You would seize a trunk and dial KP+009+ST (to +access the RQS). Sometimes, if you seize a trunk in an NPA not equipped with +RQS, you need to dial an NPA that is equipped with RQS first, such as 303. +Anyway, after you dial KP+009+ST or KP+303+009+ST, you will receive a wink +() and then RQS dial tone. At RQS dial tone, for an inward +routing for 305-994 you would dial KP+06+305+994+ST. That is, +KP+06+NPA+exchange+ST. RQS will respond with "305 plus 033 plus". This means +you would dial KP+305+033+121+ST for an inward that services 305-994. If no +special routing were required, RQS would have responded with "305 plus" and you +would simply dial: KP+305+121+ST for an inward. + + Another RQS feature is the echo feature. You can use it to test your blue +box. Dial RQS (KP+009+ST) and then key KP+07+1234567890+ST. RQS will respond +with voice identification of the digits it recognized, between the KP+07 and +ST. + + RQS can also be used for rates and directory routings, but those are seldom +needed, so they have been omitted here. + +Simple Scanning. + + If you're interested in scanning, try dialing on a trunk, routings in the +format of KP+11XX1+ST. Begin with 11001 and scan to 11991. There are lots of +interesting things to be found there, as Doctor Who (413 area) can tell you. +Those 11XX1 routings can also be prefixed with an NPA, so if you want to scan +area code 212, dial KP+212+ 11XX1+ST. + + There, now you know as much about blue boxing as most phreaks. If you read +and understand the material, and put aside preconceived ideas of what blue +boxing is that you may have acquired from inexperienced people or other +bulletin boards, you should be well on you way to an enlightening career in +blue boxing. If you follow the guidelines in Part I to box, you should have no +problem with the fone company. Comments made by "phreaks" on bulletin boards +that proclaim "tracing" of blue boxers are nonsense and should be ignored +(except for a passing chuckle). + +NOTE 1: CCIS and the downfall of blue boxing. + +CCIS stands for Common Channel Inter-office Signalling. It is a signalling +method used between electronic switching systems that eminiates the use of +2600Hz and 3700Hz supervisory signals, and MF pulsing. This is why many places +cannot be boxed off of; they employ CCIS, or out-of-band signalling, which will +not respond to any tones that you generate on the line. Eventually, all +existing toll equipment will be upgraded or replaced with CCIS or T-carrier. In +this case, we'll all be boxing with microwave dishes. Until then (about 1995 by +current BOC/AT&T estimates), have fun! + +If you have ANY questions about this text, please feel free to drop me a line. +I will respond to all mail, messages, etc. Insults are also welcomed. And if +you discover anything interesting scanning, be sure to let me know. + +Mark Tabas +$LOD$ + + + Page 143 + + + + + The Official Phreaker's Manual + +This text was prepared in full by Mark Tabas for: + +K.A.O.S. +Philadelphia, PA. +[215-465-3593]. + +Any sysop may freely download this text and use it on his/her BBS, provided +that none of it be altered in any way. + +Technical acknowledgements: + +Karl Marx, X-Man, High-Rise Joe, Telenet Bob, Lex Luthor, TUC, John Doe, Doctor +Who (413 area), The Tone Sweep, Mr. Silicon, K00L KAT, The Glump. + +References: + +1. Notes on the BOC Intra-LATA Networks Bell System publication, 1983. +2. Notes on the Network Bell System publication, 1983. +3. Engineering and Operations in the Bell System Bell System publication, +1983. +4. Notes on Distance Dialing Bell System publication, 1968. +5. Early Medieval Architecture. +....................................... +(c) February 6, 1900 Mark Tabas +....................................... + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 144 + + + + + The Official Phreaker's Manual + + BY FRED STEINBECK (TAP #88) + + IT SEEMS THAT FEWER AND FEWER PEOPLE HAVE BLUE BOXES THESE DAYS, AND +THAT IS REALLY TOO BAD. BLUE BOXES, WHILE NOT ALL THAT GREAT FOR MAKING FREE +CALLS (SINCE THE TPC CAN TELL WHEN THE CALL WAS MADE, AS WELL AS WHERE IT WAS +TOO AND FROM), ARE REALLY A LOT OF FUN TO PLAY WITH. SHORT OF BECOMING A REAL +LIVE TSPS OPERATOR, THEY ARE ABOUT THE ONLY WAY YOU CAN REALLY PLAY WITH THE +NETWORK. + FOR THE FEW OF YOU WITH BLUE BOXES, HERE ARE SOME PHRASES WHICH MAY +MAKE LIFE EASIER WHEN DEALING WITH THE RATE & ROUTE (R&R) OPERATORS. TO GET +THE R&R OP, YOU SEND A KP + 141 + ST. IN SOME AREAS YOU MAY NEED TO PUT +ANOTHER NPA BEFORE THE 141 (I.E., KP + 213 + 141 + ST), IF YOU HAVE NO LOCAL +R&R OPS. + THE R&R OPERATOR HAS A MYRIAD OF INFORMATION, AND ALL IT TAKES TO GET +THIS DATA IS MUMBLING CRYPTIC PHRASES. THERE ARE BASICALLY FOUR SPECIAL +PHRASES TO GIVE THE R&R OPS. THEY ARE NUMBERS ROUTE, DIRECTORY ROUTE, OPERATOR +ROUTE, AND PLACE NAME. + YOU GET AN R&R AN AREA CODE FOR A CITY, ONE CAN CALL THE R&R OPERATOR +AND ASK FOR THE NUMBERS ROUTE. FOR EXAMPLE, TO FIND THE AREA CODE FOR CARSON +CITY, NEVADA, WE'D ASK THE R&R OP FOR "CARSON CITY, NEVADA, NUMBERS ROUTE, +PLEASE." AND GET THE ANSWER, "RIGHT... 702 PLUS." MEANING THAT 702 PLUS 7 +DIGITS GETS US THERE. + SOMETIMES DIRECTORY ASSISTANCE ISN'T JUST NPA + 131. THE WAY TO GET +THESE ROUTINGS IS TO CALL R&R AND ASK FOR "ANAHEIM, CALIFORNIA, DIRECTORY +ROUTE, PLEASE." OF COURSE, SHE'D TELL US IT WAS 714 PLUS, WHICH MEANS 714 + 131 +GETS US THE D.A. OP THERE. THIS IS SORT OF POINTLESS EXAMPLE, BUT I COULDN'T +COME UP WITH A BETTER ONE ON SHORT NOTICE. + LET'S SAY YOU WANTED TO FIND OUT HOW TO GET TO THE INWARD OPERATOR FOR +SACRAMENTO, CALIFORNIA. THE FIRST SIX DIGITS OF A NUMBER IN THAT CITY WILL BE +REQUIRED (THE NPA AND AN NXX). FOR EXAMPLE, LET US USEM 916 756. WE WOULD CALL +R&R, AND WHEN THE OPERATOR ANSWERED, SAY, "916 756, OPERATOR ROUTE, PLEASE." +THE OPERATOR WOULD SAY, "916 PLUS 001 PLUS." THIS MEANS THAT 916 + 001 + 121 +WILL GET YOU THE INWARD OPERATOR FOR SACRAMENTO. + DO YOU KNOW THE CITY WHICH CORRESPONDS TO 503-640? THE R&R OPERATOR +DOES, AND WILL TELL YOU THAT IT IS HILLSBORO, OREGON, IF YOU SWEETLY ASK FOR +"PLACE NAME, 503 640, PLEASE." + FOR EXAMPLE, LET'S SAY YOU NEED THE DIRECTORY ROUTE FOR SVEG, SWEDEN. +SIMPLY CALL R&R, AND ASK FOR, "INTERNATIONAL, BADEN, SWITZERLAND. TSPS +DIRECTORY ROUTE, PLEASE." IN RESPONSE TO THIS, YOU'D GET, "RIGHT... DIRECTORY +TO SVEG, SWEDEN. COUNTRY CODE 46 PLUS 1170." SO YOU'D ROUTE YOURSELF TO AN +INTERNATIONAL SENDER, AND SEND 46 + 1170 TO GET THE D.A. OPERATOR IN SWEDEN. + INWARD OPERATOR ROUTINGS TO VARIOUS COUNTRIES ARE OBTAINED THE SAME WAY +"INTERNATIONAL, LONDON, ENGLAND, TSPS INWARD ROUTE, PLEASE." AND GET "COUNTRY +CODE 44 PLUS 121." THEREFORE, 44 PLUS 121 GETS YOU INWARD FOR LONDON. + INWARDS CAN GET YOU LANGUAGE ASSISTANCE IF YOU DON'T SPEAK THE +LANGUAGE. TELL THE FOREIGN INWARD, "UNITED STATES CALLING. LANGUAGE ASSISTANCE +IN COMPLETING A CALL TO (CALLED PARTY) AT (CALLED NUMBER)." + R&R OPERATORS ARE PEOPLE ARE PEOPLE TOO, Y'KNOW. SO ALWAYS BE POLITE, +MAKE SURE USE OF 'EM, AND DIAL WITH CARE. + +NOTE: AS A RESULT OF THE BREAK-UP, R&R IS NOW KP+800+141+1212+ST + + + + + + + + + Page 145 + + + + + The Official Phreaker's Manual + + Verification + By Fred Steinbeck + +From TAP issue # 88 10-83 + + There has been a great deal of controversy in the realm of phreakdom over a +mysterious subject known under a number of different names, including +"Verification", "Autoverification", "Verify", "Autoverify", "Verify Busy", and +even "VFY BY". All of these names basically mean the same thing: the ability +to listen to another person's telephone line from any telephone in the +direct-dialable world. + Needless to say, Bell System is very tight lipped about knowledge regarding +verification. Indeed, the infamous book 'Notes on long distance dialing' ('68 +edition) says, "Care must be taken to insure that the customer never gains +verification capabilities." With a printed policy like that, you can imagine +what their real-world policy is like! Even their own rate and route operators +will not give verification on routing codes (at least in my experience), one +even responding, "What?! You must be crazy! We don't give those out!" Before +you get too far into this article, I will state simply: I don't know how to +verify. However, I have been fooling with various things related to it, and +collecting information on it for some time now. Therefore, while I can't do it +(yet), I may be able to point some other bright TAPer on the right track, and +perhaps he or she will show us all how. If you have knowledge not covered in +this article, but don't want to write an article on your own, please send your +ideas, comments, or information to Project Verify, C/O TAP Verify has also +been called "Autoverify", and I have no idea why. This is not, to my +knowledge, a Bell System term (at least I've never seen it in any manuals) As +far as I know, there is verify, which means being able to listen to speech +(kind of; see below) on a line, and there is the "Emergency Interrupt which +allows you to take part in the conversation taking place on the line in +question. It has been suggested that "Autoverify" is the same as an emergency +interrupt , but I tend to disagree with this idea. It should be noted that the +verification circuitry does not actually let an operator listen to a +conversation without making a beep on the line every so often. Instead, she +will hear encrypted speech. However, I believe with the proper methods, verify +can be converted to an emergency interrupt. + Verification is normally done either by your normal "0" (TSPS) operator, if +the call is in your home NPA (HNPA), or by an inward operator (IO). If the +call is outside your HNPA, your normal operator will call the IO for the +NPA,and say, "Verify Busy" or "Emergency Interrupt" please, 555 1212." The IO +will perform whatever magic he or she must, and then report back. If the call +is in your HNPA, though, the "0" operator can do the verification herself by +using the "VFY BY" key on her keyshelf. However, in some areas, the operator +uses a routing code to accomplish verification, and this the is loop hole we +shall attack. + It follows that if a IO or "0" operator can do it, so can we, with a blue box +Now, courtesy of Robert Allen (who brought it to my attention) and Susan +Thunder (who apparently discovered it), here is what used to work for getting +operators to hook you into conversations with other people (i.e.,let you listen +to them till you hung up): You'd call the operator and say "Operator, TSPS +Maintenance Engineer Calling. Ring forward to 001 + NPA + 7d, ring back to my +number, hit ring forward, no AMA, and then position release. + This creates some problems, and you must be familiar with the TSPS +console(by dialing "0"), you are on the "back", or incoming part of a loop. +When she places a call for you, the call goes out on the "forward", or outgoing +part of the loop. If an operator wants to make a call, she punches KP FWD +(keypulse forward), the number, and ST. Ring FWD puts a 90 volt ringing signal +across the forward part of the line (and may dial the number as well). The + + Page 146 + + + + + The Official Phreaker's Manual + +problem arises from the fact that I don't know if Ring FWD will actually dial a +call, and if there is some other subtle difference between it an KP FWD. + Let us assume ringing forward makes a call from the TSPS console to whatever +number is given. Ring back causes your phone to ring (it is assumed you hung +up after giving her your instructions; if you didn't you'd hear an annoying 90 +volts across the earpiece...) "No AMA" means "no automatic message accounting", +so nobody gets billed for the call, although it will show up on a tape +somewhere. "Position Release" removes the operator from the circuit, and +allows her to receive other calls. This leaves an unaccounted-for ring +forward. + The verification circuit, as you know, likes to encrypt conversation, which +is something we don't want. Well, the second Ring FWD sends another 90 volts +crashing against the verify circuitry, which Juda Gerad thinks removes the +voice encryption from the line, puts the operator (and you) in circuit, and +puts a beep tone on the line every five seconds. This seems to make sense, and +I am inclined to agree with him. + The bit about "....001 + NPA + 7D" causes the thought "MF routing code" to +spring immediately to mind. Now, the above trick was supposed to work in the +213 NPA. I have tried both "KP+001+213+7D+ST", and some other area codes. I +generally get nothing, a reorder signal, or a tandem recording. + Here's some food for thought: On an official Telco sheet I have, labeled " +213 NPA MF Routing Codes", 001 is listed as "VFY BY", or verify busy for the +213 NPA. 002 is listed for the 805 NPA. Ma Bell likes to have standardized +routing codes, such logical, then, that 001 would be a sort of "standard" +verify code, and other prefixes would be tacked on at 002,003, etc. However, I +have heard from a retired operator that verification codes are different from +area to area, and are not always nice numbers like 001, 002. Ah, well, a guy +can hope, can't he? + Some suggestions for future attacks on this dilemma: Everyone call your +operators and subtly ask questions. I have found the tend to give information +out easier if you ask for something that you would ordinarily have to be a +company employee to know about, such as rate steps, operator routings, etc. + Casually let slip that you used to be (or still are) an operator, or that +you work for company security. Also, you might want to blue box some codes +like 001 followed by your NPA and the last 7D of a busy number. If you get a +sort of "whispery noise", try blasting the line with a ringing signal (you +might piggyback another line onto yours and call the piggyback to generate the +90 volts) and see if that does anything. + + + + + + + + + + + + + + + + + + + + + + Page 147 + + + + + The Official Phreaker's Manual + + =================================== + EQUAL ACCESS AND THE AMERICAN DREAM + =================================== + + +by + +Mark Tabas +P.O. Box 620401 +Littleton, CO 80162 + +July 7, 1985 + + + + The American Dream means many things to many people. To the small, typical +businessman, it means building a good, strong business based on hard work and +perseverance; indeed, with nothing limiting his potential but he amount of work +he is willing to put into his business. To a large businessman, the American +Dream means living and working in a country where a single corporation can have +a profit exceeding the gross national product of an entire third world nation. + To the individual, the American Dream is the right to choose -- everything +from one's breakfast cereal to a long-distance service, as well as the formal +right outlined by our founding fathers: those of life, liberty, and the pursuit +of happiness. + To the phone phreak, I think the American Dream is, in a sort of twisted way, +the uninhibited pursuit of knowledge. This quest could scarcely remain +unchecked in many other countries. Analogous to this quest is the thriving of +the Bell System, which until January 1, 1984 consisted of the American +Telephone and Telegraph Company, the largest corporation in the history of the +world. Did the American Dream die on January first or did the divestiture of +AT&T cause a giant step forward for competition and free enterprise in the +United States? I do not know. I do know that the other nations of the world +were amazed that the United States would dissolve the entity that brought the +finest and most universal telephone system in the world, and did so at a time +when the majority of the rest of the world was still using two dixie cups and a +string. + The unfairness of the situation is that AT&T built the telephone system of +this nation and is now being bound and gagged and having its possessions +distributed to others, whom AT&T also wrought. All in the name of fairness, +free competition, and "equal access". Where was was MCI during the century +that AT&T built he communications system of this nation? Well, I believe in +Equal Access, Wholly. And, since I believe in equal access and its +implications for equality for all so strongly, I feel that MCI, Sprint, and +others should take the same amount of time to build their respective toll +networks: 100 years. Therefore, if the United States Justice Department were +truly the fair and just administrator that it portrays itself to be, MCI would +not have a hand in the long-distance cache until about 2080. That's only +fair. + There is no doubt that MCI is a sub-standard organization. They consist of +incompetent employees, inferior equipment, and an inferior marketing strategy. +They are mockingly imitative of AT&T, except in the quality of their service, +which is practically unusable. It is also interesting that with less than 2% +market share, MCI calls itself "the nation's long-distance company." The point +to this diatribe is this. It's time for these long-distance companies such as +MCI and Sprint to grow up. With Equal Access, they are going to become real +long-distance companies, not the joke organizations they are now, and I think +it may just take them one hundred years to do so. + + Page 148 + + + + + The Official Phreaker's Manual + + + ============ + Equal Access + ============ + + Equal Access, as it applies to the telecommunications industry, is "the +requirement that each Bell Operating Company provide exchange access to all +long-distance carriers that is equal in type and quality to that provided AT&T +communications." This is the official provision set forth by the United States +Justice Department in the Modification of the Final Judgment, August 24, 1982. +All this means is that each long-distance-distance company will have "equal +access" to all of the same types of services that AT&T currently enjoys. There +are four types of long-distance carrier services, divided into "feature +groups." They follow. + +FG A: "line side access." This is the standard 7-digit dialup+code (for +billing purposes) +destination telephone number. It is currently in use by +most long-distance carriers. + +FG B: "trunk side access." These are the 950 exchange numbers. They also +utilize an authorization code for billing. As with FG A, automatic number +identification (ANI) (i.e. calling number) is not provided to the carrier, but +will be in the future. + +FG C: "1+ dialing." Currently, only AT&T is able to get this type of +service. It is 1/0+7 of 10 digit direct long distance dialing. ANI (for +billing) is provided. + +FG D: "equal access." This will allow for 1/0+7 or 10 digit direct +long-distance dialing (presubscription carrier) and 10xxx+1/0+7 or 10 digit +long-distance dialing (alternate carrier). ANI for billing is provided at the +long-distance carrier's option. Billing may also be handled by the individual +long distance company or the local Bell Operating Company. + + Feature groups C and D are mutually exclusive (i.e. both cannot exist in a +particular area at the same time). Areas which have Feature Group C (AT&T +long-distance only) are non-Equal Access, and areas which have Feature Group D +(multiple long distance carriers) are Equal Access regions. + Feature Group B, the 950 exchange numbers will be used in areas in which it +is not feasible to provide with Equal Access, such as step-by-step offices +(yes, they CAN have 950 numbers), some crossbar offices, and some independent +telcos, which are not bound by the provisions of Equal Access and may provide +to their customers any type of long-distance service(s) they wish. The 950 +exchange is now active in many areas. It is mainly used as a universal +"roaming" access port for many long-distance carriers, but when an office is +converted to Equal Access, the 950 capability is removed. Thus, in an Equal +Access region, one cannot complete a call to a 950 telephone number. + I personally am looking very forward to Equal Access. My area is not +scheduled for full implementation of it until late 1985 or early 1986, and by +this time many of the alternate long distance carriers' networks will be in +place (or well under way). Think about what Equal Access means. Equality for +all long distance carriers. Access to common facilities, such as: busy-line +verification lines, Bell System information, signalling specifications. etc. +After full implementation of Equal Access, one will be able to take advantage +of and manipulate the services of more than just one carrier. It will no +longer be phreaks vs. AT&T. + When your area is ready to initiate Equal Access, you will receive a notice +in the mail informing you of some of the details of Equal Access, and will ask + + Page 149 + + + + + The Official Phreaker's Manual + +you to specify your choice of "primary carrier." In some cases you will need to +specify both inter-LATA carrier (IC), which handles calls out of your LATA +(Local Access and Transport Area), and an international carrier (INC), which +will handle calls destined for other countries. Recent market studies have +shown that between 80 and 90 per cent of residential customers will continue to +be served by AT&T for their long-distance service after Equal Access. So much +for competition. + You will probably be faced with many long-distance companies to choose from, +including but not limited to: AT&T, MCI, Sprint, ITT, Western Union, Dial U.S., +Call America, TMC, and U.S. Telephone. Whichever you choose will become your +"primary carrier." Your primary carrier will handle your call each time you +pick up you fone and dial 1+7 or 10 digits or 0+7 or 10 digits, inter-LATA +only. That is, if you dial a toll call that is within your LATA, it will be +handled by your local telephone company (Bell), not by your primary carrier, +even though it is a toll call. Let's use an example. The state of Colorado +consists of two LATAs. For this example, I will use three cities in Colorado: +Denver (in LATA1), Sterling (LATA1 also), and Colorado Springs (in LATA2). +Note here that even though Denver ad Sterling are in the same LATA, and Denver +and Colorado Springs are not, Sterling is actually much farther away from +Denver than Colorado Springs. This is because LATA boundaries were designed +giving consideration to high toll-traffic regions, to bring in revenue. Toll +traffic between Denver and Colorado Springs is very high, so the two cities +were placed in separate LATAs (or, more correctly, they were separated by a +LATA boundary). Toll traffic between Denver and Sterling is very low, of the +two cities were allowed to remain in the same LATA. Now, if everyone in +Colorado Springs were to pack up and move to Sterling (though who knows what +the hell for), the LATA boundaries in Colorado would be changed so that Denver +and Sterling were in different LATAs. The primary factor in determining LATAs +is money. + If I made a call to Sterling from my home in Denver, the call would be routed +entirely via Mountain Bell long-distance facilities. No long distance carrier +would be involved because Denver and Sterling are in LATA1. If I made a call +to Kelley, the blonde babe in Colorado Springs, the call would be handled by a +long distance carrier (in this case, AT&T) because Denver is in LATA1 and +Colorado Springs is in LATA2. Here is a table to simplify this: + +Customer dials LATA Carrier +----------------------------------------------------------------- +7 digits same Bell +1+7 digits same Bell +1+7 digits diff LD carrier (currently AT&T) +1+10 digits diff LD carrier (currently AT&T) +----------------------------------------------------------------- + + Note several things here. First, not all areas need to dial a 1 when dialing +any number, local or long distance, but the central offices will still discern +whether the call is in the same LATA as the customer or a different one and +handle the call appropriately. Secondly, some step-by-step offices require a +1+NPA to be dialed for calls within the same LATA and, in fact, all numbers +outside of the office itself. But, for the most part, the above table is +standard for common switching networks. + + ================== + Alternate Carriers + ================== + + Your normal long distance carrier will handle all your toll calls which cross +over LATA boundaries when you dial directly, 1+. If you wish to place your + + Page 150 + + + + + The Official Phreaker's Manual + +call via another carrier's network, whether for cost, quality, or circuit +availability reasons, you may do so in Equal Access regions. To access an +alternate long distance carrier after Equal Access, a customer dials +10xxx+1/0+7 or 10 digit telefone number. Note that xxx is the "carrier access +code (CAC)." A few CACs currently in use are listed below. + +220 ........ Western Union 666 ........ Lexitel +222 ........ MCI 777 ........ Sprint +333 ........ US Telefone 888 ........ SBS +444 ........ Allnet + + Thus, in an Equal Access region, to dial Fred in Orlando, a customer would +dial 1+305+994+9966 to place his call on his primary carrier, or to place it on +another network, he could dial: 10222+1+305+994+9966, and the call would go +over MCI facilities (in this case). Eventually, after many more long distance +services get into the act, there will be a directory of the various long +distance companies and their CACs, and deciding which carrier to use for any +particular call to get the bet rate will be beyond the ability of everyone +except phone phreaks. + + ================ + The 950 Exchange + ================ + + As discussed, the 950 central office exchange is currently a "roaming" access +port for various long distance carriers. In areas that have 950, the access to +carriers is standardized. Thus, someone travelling to several different areas +need only know the 950 number of the carrier he uses to access it from any area +(provided that it have 950 active). Originally, the 950 exchange was designed +to correspond with the 10xx carrier access code used for Equal Access. For +example, 950-1022 would be the same carrier as 1022 (+telephone number). +However, it was later found that the 100 codes available for use as 10xx CACs +would be insufficient to handle he number of long distance carriers. So, the +common carrier access code was increased by one digit, to 10xxx, thus +increasing the number of possible CACs to 1000. To keep the 950 exchange +consistent with the non CAC, the Bell Operating Companies have opted to change +the 950-10xx to 950-0xxx. The xxx in the 950-0xxx remains the same as the xxx +in the 10xxx carrier access code. The new modified 950 numbering pan is now +active in Philadelphia (Bell Atlantic) among other areas. + After Equal Access is well under way, the 950 exchange will be used in +certain areas that cannot be equipped for the standard Equal Access dialing +plans. This includes step-by-step, #1 crossbar, #5 crossbar, #2ESS, and #3ESS +offices. Customers in areas served by these types of switching equipment will +dial 950-0xxx, wait for acknowledgement tone from the carrier, and then dial a +"personal identification number" and destination telefone number,and the call +will be completed on the selected carrier's facilities. Initially, billing +will be handled by the carrier itself, and supervisory information and ANI will +not be provided by the local Bell Operating Company. + There are three main advantages to the 950 central office exchange and +protocol. They are: a) universal access for all areas, b) 950-exchange numbers +are "trunk side access." This means that the long distance carrier has direct +trunks going to it from a Bell toll office or local central office. These +trunks are interoffice lines, not customer type (POTS) lines, and supposedly +insure higher quality of connection. And, c) 950-exchange numbers are toll and +message unit free. On metered-usage (i.e., not "flat rate") customer lines, +they cost nothing. In most areas they are free from coin stations, with +Colorado as one notable exception. + + + Page 151 + + + + + The Official Phreaker's Manual + + ===== + Costs + ===== + + Each long-distance carrier must choose the type(s) of service it wishes to +provide to its customers. These different types of service were outlined +earlier as "Feature Groups." The costs of these Feature Groups vary directly +with the complexity and quality of the service itself. The following table +outlines the cost to the carrier of each available Feature Group. It is based +on the monthly rate per line for 9000 minutes of circuit use, and assumes the +carrier and Bell switch are 15 miles apart. + +FG non-Equal Access Equal Access +-------------------------------------------------------- +A $329.94 $709.20 +B 329.94 721.80 +C 752.40 ** N/A ** +D ** N/A ** 752.40 +-------------------------------------------------------- + + These figures are a lot more significant than they might appear. They +indicate that after Equal Access, in order to compete with the giants such as +AT&T, MCI, etc., smaller long distance companies will use Feature Group A or B +type service in order to provide significantly lower rates to their customers +than companies subscribing to Feature Group D service (like AT&T, MCI, etc). +This will cause a unique type of equilibrium to form. Customers willing to +dial an access number, authorization code, and destination number and put up +with lower quality service will be able to save a lot of money. This seems +faintly reminiscent of pre-Equal Access times.... + + ==================== + Directory Assistance + ==================== + + Each Bell Operating Company will be responsible for providing intra-LATA +operator services. When a customer dials (1)+411 or (1)+555+1212 for local +directory assistance, he will reach a Bell operator who will service requests +for listed numbers within the customer's LATA. Requests for numbers in LATAs +other than the calling customer's may be handled at the discretion of the local +operating company. Initially, the Bell Operating Companies will meet the +responsibility for providing directory assistance services by contracting it to +a long distance carrier or carriers (currently AT&T). All inter-LATA directory +assistance services will be provided by the inter-LATA carrier (IC). ICs may +also provide 800 Enterprise service or other toll free type directory +assistance services. See table. + +================================================================= +Intra-LATA: +================================================================= + HNPA 411/555-1212 BOC + *FNPA NPA+555-1212 BOC + HNPA 10xxx+555-1212 intra-LATA carrier + *FNPA 10xxx+NPA+555-1212 intra-LATA carrier + +================================================================= +Inter-LATA: +================================================================= + HNPA (10xxx)+1+555-1212 IC + + Page 152 + + + + + The Official Phreaker's Manual + + FNPA (10xxx)+1+NPA+555-1212 IC +================================================================= +* When LATA boundaries cross NPA boundaries (rare). +FNPA = Foreign Numbering Plan Area (area code). +HNPA = Home Numbering Plan Area (area code). + + At first glance, the above table appears somewhat complex. But, if you +understand the concept of LATAs and carriers, it is easily understood. +Essentially, all local Bell Operating Companies will maintain their own +directory assistance services. When a customer dials 411 or 555-1212, he will +reach a BOC directory assistant. Additionally, each long distance carrier that +wishes to provide directory assistance to its customers will also have DA +facilities. And, when a customer dials a directory assistant (NPA+555-1212) on +a carrier, he will reach an operator of that particular long distance carrier. +The key here is LATAs. If a customer wants to find a number that is within his +LATA, no long distance carrier is involved. It is handled strictly by the +Local Bell Operating Company. If a customer is seeking a number that is not +within his LATA, he must use the services of an inter-LATA (long-distance) +carrier. + + ====================== + TSPS Operator Services + ====================== + + Traffic Service Position System (TSPS) operator services will be handled much +in the same fashion as directory assistance services, with a few differences. +As with DAs, each Bell Operating Company and each inter-LATA carrier will +maintain its own TSPS operator facilities (or cordboard I suppose, if they +cannot afford TSPS). When a customer dials simply 0 (operator), he will reach +a BOC TSPS operator. The BOC TSPS will be able to handle all types of +intra-LATA operator-assisted traffic including (but not limited to): collect, +third party billing, Bell credit card, coin, verification and emergency +interrupt, and requests for emergency aid. BOC TSPS will be unable to complete +calls for customers outside of the customer's LATA. Thus, inter-LATA operator +assistance will be handled by an inter-LATA carrier TSPS (IC TSPS). An IC TSPS +will handle all previously mentioned types of calls that require inter-LATA +transport (i.e., the call originates and terminates in different LATAs). When +a customer dials 0+NXX-XXXXX or 0+NPA+NXX-XXXX, the central office will +determine if the call is destined for another LATA. If it is not, the call +will be sent to the Bell TSPS for appropriate handling. If the call is bound +for another LATA (and his determination is made based on the NXX or NPA+NXX), +then the call will be sent off to the customer's primary long-distance carrier +(since only 0+ was dialed). If the customer wishes to use a different +carrier's operator services, he would dial 10xxx+0+number, and the carrier +specified by the 10xxx carrier access code would receive the call. Note: if a +customer dials 10xxx+0+number, and the call is an intra-LATA call, he will get +a recording, "We're sorry, the number you dialed cannot be reached with the +carrier access code you dialed. Please check the code and try again or call +your carrier for assistance." (Western Electric KS-22550 central office tape +list no. 46.) Until the Bell Operating Companies can install their own TSPS +facilities and networks, they will (continue to) lease capacity from AT&T TSPS. +That is, AT&T will handle the intra-LATA traffic for the BOCs on a contract +basis. In the meantime, AT&T will continue to handle its own long-distance +operator services while the other inter-LATA carriers will have to implement +their own operator networks from scratch. My estimation is that you won't be +able to dial 10222+0 for an MCI TSPS operator until sometime around the year +2590. And even then they will probably be cordboard. + In addition to the changes in TSPS described above, there will be certain + + Page 153 + + + + + The Official Phreaker's Manual + +modifications to the software and hardware involved in the TSPS operator +system. Most critical, and of paramount importance to the telecommunications +enthusiast is changes in circuit associated signalling (CAS). This is +signalling to and from the TSPS facility. When a customer dials 0 (operator) or +10xxx+0 (IC operator), a succession of events occurs. First, the end office +seizes a trunk to the appropriate operator facility (this assumes that no +access tandem is involved). The operator service facility responds with a wink +(proceed signal) and the end office outpulses the CALLED number (or KP+ST if 0 +only dialed). The operator service (OS) facility will then come off-hook to +signal that it is ready to receive ANI information. The end office outpulses +the ANI information in the format of KP+II+7 digits+ST (or ST'). If there is +ANI failure, a KP+02+ST (or ST') will be sent. "ST'" stands for STart "prime", +and is indicative of a coin call (i.e., dial 0 from a coin station). A normal +ST terminating the ANI sequence means that the call is originating from a +noncoin station. See table for ultimate description. + +Inter-LATA calls MF-pulsed + +type of call customer dials cld num ANI +============================================================ +noncoin: +============================================================ + direct dialed 10xxx+1+7/10d KP+7/10d+ST'' KP+II+7d+ST + operator assist 10xxx+0 KP+ST''' KP+II+7d+ST + special toll 10xxx+0+7/10d KP+7/10d+ST''' KP+II+7d+ST + +============================================================ +coin: +============================================================ + direct dialed 10xxx+1+7/10d KP+7/10d+ST KP+II+7d+ST + operator assist 10xxx+0 KP+ST' KP+II+7d+ST + special toll 10xxx+0+7/10d KP+7/10d+ST' KP+II+7d+ST + +============================================================================= +Intra-LATA calls +============================================================================= +noncoin: +============================================================================= + direct dialed 10xxx+1+7/10d KP+7/10d+ST'' KP+II+7d+ST' + operator assist 10xxx+0 KP+ST''' KP+II+7d+ST' + special toll 10xxx+0+7/10d KP+7/10d+ST''' KP+II+7d+ST' + +============================================================================= +coin: +============================================================================= + direct dialed 10xxx+1+7/10d KP+7/10d+ST KP+II+7d+ST' + operator assist 10xxx+0 KP+ST' KP+II+7d+ST' + special toll 10xxx+0+7/10d KP+7/10d+ST' KP+II+7d+ST' +============================================================================= +Note: ST=Start, ST'=STart prime, ST''=Start double prime, ST'''=STart triple +prime. + + Once again, the above table appears somewhat intimidating in its complexity. +All these STs, ST primes, etc. Actually, the only purpose of the starts is to +distinguish to the TSPS machine exactly what type of call the customer is +placing and from what type of telefone he is calling. "Special toll" calls are +collect, credit card, and third-party billing type calls. Here is an example +of a complete dialing and outpulsing sequence for an operator service call: + + Page 154 + + + + + The Official Phreaker's Manual + +from a coin fone, a customer dials 0+ (or 10xxx+) 303+979-9997. The central +office would seize a trunk to the operator service facility and outpulse: +KP+303+979-9997+ST'. This indicates to the operator service facility that the +call is a special toll call originating from a coin telephone. The OS facility +comes off-hook and the central office would then outpulse KP+00+232+9969+ST. +This is he ANI information, and the ST indicates that the call is inter-LATA +(if it were intra-LATA, the sequence would be terminated with ST' instead). + Perhaps now I should explain screening. Certain telefones are "screened" +against placing certain types of calls. A screening code is a two digit +information carrier. For instance, 00 is "identified line" (no special +treatment), 01 is multiparty ONI (operator number identification), 02 is ANI +failure, 06 is hotel/motel, 07 is coinless (hospital/inmate fone), 08 is +inter-LATA restricted, 68 is hotel inter-LATA restricted, 78 is coinless +(hospital inmate) inter-LATA restricted, etc. A 98 is an AT&T Charge-A-Call +fone (those blue fuckers). More screening codes are allocated as they are +needed. Note that the original TSPS screening design only allowed for single +digit information digits. They were later found to be insufficient. + I believe that the operator services have been adequately covered, so I will +now move on to other aspects of Equal Access. + + ============= + Routing Codes + ============= + + The TTC (terminating toll centre) and special routing codes will continue to +be used in inter-LATA networks. These 0xx and 1xx type codes, which sometimes +precede operator routing codes, will be assigned to various ICs on an +individual basis. When 0xx and 1xx codes serve as pseudo-central office code, +they will be coordinated such that it will avoid IC conflicts. The +Numbering/Dialing Planning Group of the Central Services Organization (sounds +like some sort of Communist governing body) will provide assistance where the +assignment of coordinated codes is necessary. + + ================== + Special Area Codes + ================== + + Special area codes, also called Service Area Codes (SACs) presented the +designers of Equal Access with an interesting problem. SACs are N00 type area +codes, such as 700, 800, and 900. They are used for special services and +unlike normal area codes, are not associated with a particular state or region. +Each long distance carrier will be allocated its own exchanges in each service +area code. Thus, when a customer places a call to a number in a service area +code, the central office will examine the exchange of the telefone number and +route the call over the proper carrier's facilities. The customer will be +totally oblivious to this process. Current SACs include 700 (teleconferencing), +800 (toll free services), and 900 (dial-it services). There are currently +plans under way to implement the 600 area code, although its exact uses are not +yet clear. + + ================ + Signalling to IC + ================ + + Each long distance carrier that wishes to serve a particular LATA must +establish a point of presence (POP) in that LATA. A carrier's POP is a toll +office that receives toll traffic destined for another LATA. A POP is a centre +for inter-LATA transport of toll traffic. This traffic will be directed to it + + Page 155 + + + + + The Official Phreaker's Manual + +from a Bell central office, either an end office or an access tandem (AT). An +access tandem is simply a Bell office which directs long distance traffic from +a number of local end offices to a number of different inter-LATA carriers. To +pass call details (such as called and calling numbers) from the Bell local +office to the inter-LATA carrier, a signalling system was designed that employs +current multifrequency (MF) signalling protocol. When a customer dials +10xxx+(1/0)+(NPA)+NXX+, the end office will seize a trunk to the appropriate IC +as determined by the 10xxx CAC (or primary carrier if no CAC is dialed). Note: +this happens as soon as the customer finishes dialing the exchange, even though +he may still be dialing the last four digits of he telefone number. After the +end office has seized a trunk to the IC, the IC will return a wink, which is +the signal to proceed. Then, the end office will send ANI information, in the +format of: KP+II+10 digit ANI+ST. If the carrier is not to receive ANI +information from the Bell Operating Company (i.e., they are not paying for it), +then only KP+ST is sent. Presumably, by now the customer has completed dialing +the last four digits of the destination telefone number, so the end office will +send: KP+7 or 10 digit CALLED number+ST. Note several things here: 1) The IC +does not send a wink when it is ready to receive CALLED number information. 2) +ANI information is ten digits, plus a two-digit screening code, and 3) The +central office's outpulsing to the IC overlaps the customer's dialing. + Some ANI screening codes include: 00 (identified POTS), 01 (ONI multiparty), +02 (ANI failure), 06 (hotel without room identification), 07 (coinless, +hospital, inmate, etc.), 08 (inter-LATA restriction), 10 (test call), 20 (AIOD +calls, listed DN sent), 27 (coin call), and 95 (test call). These are the same +or similar as the screening codes used in operator service signalling. + In addition to the domestic signalling design outlined above, a new +international signalling system has been designed for use with Equal Access. +It also uses two-stage, overlapping outpulsing. After a customer has completed +dialing (10xxx)+011+CC (CC is country code), the Bell end office will seize a +trunk to he appropriate IC (or international carrier, if direct routing is +available). The IC/INC will respond with a wink, and the end office will +outpulse: KP+1NX+YXX+CCC+ST. Each of these three groups of routing information +indicate something different abut the international call being placed. The 1NX +is the "international system routing code, one for each type of call routing." +I have absolutely no idea what that means, and no one I have talked to at Bell, +AT&T, MCI, CCITT, ITT, the CSO and FCC have any idea either. Next, the YXX is +the carrier routing code. It is actually XXX, Which is the three digits of the +10xxx CAC for the particular carrier being accessed. Finally, CCC is the +country code, padded with a zero if necessary. + One may wonder why the CAC is signalled forward when a trunk is seized +directly to the carrier itself. The reason for this is that in some cases a +direct trunk to the carrier is not available and the call must be routed +through an access tandem, which is responsible for routing calls to a variety +of different long distance carriers. + + ==================== + Switch Compatibility + ==================== + + Full-feature Equal Access will become available first for Western Electric +#1ESS switching systems. It will be available first in generic 1E8 (1AE8 for +#1A ESS). Later, generic 5E2 for #5ESS, generic 2B4 for #2B ESS, generic +BCS-16 for Northern Telecom DMS-100, and generics 209 and 302 for DMS-10 will +provide full-feature Equal Access capabilities in those types of end office +switching equipment. The Western Electric #4ESS, #1 and 1A ESS, #5ESS, and the +Northern Telecom DMS-200 machines which serve as toll offices or access tandems +will be capable of receiving the new Equal Access signalling format, after +required generic development. Other switches (such as all crossbar offices) + + Page 156 + + + + + The Official Phreaker's Manual + +will not be able to handle the new signalling format. + + ===== + LATAs + ===== + + LATAs, Local Access and Transport Areas, are the entire key to the +administration of Equal Access. They can be thought of as miniature area +codes. A telefone call can never cross a LATA boundary except on an inter-LATA +carrier. However, there are certain exceptions to this. For example, in the +state of Colorado, which consists of two LATAs, the local Bell Operating +Company (Mountain Bell), which serves as the intra-LATA (i.e., calls to/from +the same LATA) carrier, may also serve as inter-LATA (to/from different LATAs) +carrier within Colorado. + There are also exceptions in the corridor region of the New York/New +Jersey/Pennsylvania area. + The forty-eight continental United States consist of 161 LATAs. Some states, +such as Deleware, consist of only one LATA, while others, such as Illinois, can +have up to 14 or more. Each LATA is given a name. For instance, Pennsylvania +consists of six LATAs: Philadelphia, Capital, Northeast, Altoona, Pittsburgh, +and Erie (independent telco). + + ============== + A Few Thoughts + ============== + + In 1973, Chrysler, A&P, RCA, Phillips Petroleum, S.S. Kresge, Boeing +Aircraft, International Harvester, Woolworth's, Greyhound, Firestone, Litton, +and General Foods, among others, each reported annual profits of less than $150 +million. In that same year, the Telephone Company wrote off, as being +uncollectable, debts of $150 million. + In 1974, the Bell System had direct interests in at least 276 organizations, +many of them not related to the telefone industry. Bell also had interlocking +financial arrangements with such corporations as the Chase Manhattan Bank, IBM, +Prudential Insurance, Sears Roebuck, General Motors, U.S. Steel, and Lever +Brothers. Should the need have arisen, the Bell System in 1974 could have +exercised control of 400 billion dollars, fully one-third of that year's gross +national product. + +From: Hyde, J. Edward, The Phone Book. Henry Regnery Publishing Company, +Chicago Illinois, 1976. ISBN 0-8092-8008-6. + + There are many viewpoints as to the future course of the telefone industry. +The general consensus among most Telco employees is that the children of AT&T +(i.e., the seven regional holding companies into which the Bell System was +divided) will someday be reassembled into the original Bell System, and all +will be well and good in the world of telecommunications again. I tend to +disagree with this. I think that within three decades the entire telefone +industry will be consolidated and nationalized. It will be owned and operated +entirely by the United States Federal Government. This will accomplish several +goals of the government. First, the immense revenue from telefone services +will provide great financial resources for the federal government. Rates for +telefone services will skyrocket far out of the range of affordability, quality +of service will deteriorate to a point of unusability, and meanwhile +politicians will get rich. + Second, once the government controls the telefone system, monitoring the +general public will become infinitely easier. Big Brother will be able to keep +and eye, or rather, an ear on the general population, and giant step forward in + + Page 157 + + + + + The Official Phreaker's Manual + +ultimate government control of peoples' lives will be achieved. Most people +won't know anything about this, and even if they do, they won't give a shit +because by then the fucking government will have already invaded every +remaining private aspect of the individual's life. + To those who find it utterly unthinkable that the federal government would +ever assume control of the telefone industry, I would call attention to the +situation that existed between 1917 and 1919. During this time the government +controlled the phone system of the United States. J. Edward Hyde sums it up +beautifully: + + Between 1917 and 1919, the Federal Government did control the phone +industry. Since then, the most charitable historians have blamed the +subsequent mess on the First World War. Others blame it on the democrats. But +the fact is that it was a fiasco of the bureaucracy's own making, combined with +intracompany sabotage. + Today, in those countries where the phone service is nationally owned, the +service runs from poor to nonexistent. Would you want the government that gave +you the Russian wheat deals, Defense Department overruns, Amtrak, and the +Postal Service handling your phone problems? + +From: Hyde, J. Edward, The Phone Book. Henry Regnery Publishing Company, +Chicago, Illinois, 1976. ISBN 0-8092-8008-6, p. 170. + +Technical References: + +Notes on the BOC intra-LATA Networks. American Telephone & Telegraph Company, +1983. + +The Phone Book. J. Edward Hyde, 1976. + +Bell System Technical Journal. Volume 58, Number 5. + +Engineering and Operations in the Bell System. American Telephone & Telegraph +Company, 1983. + + +Acknowledgements: Karl Marx, Telenet Bob, and the scores of Telco employees +in Denver, White Plains, Omaha, and North Jersey who were very helpful in +patiently answering my many questions about Equal Access. + +Thanks to Mack the Knife for magnetic transfer of this illustrious file, a +tedious task for which I have no time. + +Thanks to the following printers for their cooperation and professional manner +in helping me with final production of this file: + +Kinko's Print Shop +7155 West Colfax +Lakewood, CO + +Office Products and Printing +5035 S. Kipling Suite B4 +Littleton, CO + +This has been a Mark Tabas Encounter Series production. Questions, comments, +and requests may be addressed to: + +Tabas + + Page 158 + + + + + The Official Phreaker's Manual + +P.O. Box 620401 +Littleton, CO 80162 + +Requests for copies of this or any other Encounter Series file are honored for +free, but please enclose a self-addressed medium sized first class mailing +envelope with 73 cents postage. + +Special thanks to Steve Reger, who was kind enough to shoot my neighbor's dog, +whose incessant barking constantly distracted me as I labored to complete this +file. + +(for Amy) cl/KIABB!/jd + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 159 + + + + + The Official Phreaker's Manual + + Equal Access and Modem Autodialers by Shadow 2600 + + Now that AT&T is being divested of its local telephone companies, phone +customers across the nation have to choose their long distance carrier as equal +access is phased in. Advertising campaigns emphasize such aspects as low rates +and operator assistance, but no one mentions a factor that will affect modem +users who use auto dialers for long distance calls. Not all of the alternate +long distance carriers provide called party answering supervision on all calls. +Called party answering supervision basically has the telephone company start +billing only when the called party answers the telephone. However, many of the +alternate long distance companies still operate with the "fixed timeout" basis +for charging. That is, if a call is held for a fixed length of time (usually +30 seconds) the charging starts, whether or not the call was answered. This +could cause modem owners large bills if they use autodialers to make long +distance calls. Modems are usually set up to wait up to one minute when +attempting to make a call, and thus have to timeout through busy signals, long +call setup sequences, extender waits, and similar problems. This could result +in many billed but never answered calls. + + Some of the other carriers provide it on calls to some cities, and others +not support it at all. Only AT&T Communications provides called party +answering supervision on all calls to all points at this time. It is almost +impossible to get information on how a long distance company charges its calls +as as they don't want to reveal how their billing is handled. The alternate +carriers get called party supervision when the destination location goes equal +access. However, there has been no quick action on the part of the alternate +long distance companies to make use of the supervision data as they would have +to get equipment for passing the information back to the billing computer at +the originating point. Thus called party answering supervision information +often ends up being ignored by these carriers even when available. Another +point to remember is that called party answering supervision's availability +depends on whether the destination has equal access, not the originating +location. The lower long distance rates of alternate long distance rates must +be weighed against the time out problem as it affects autodialing modems. One +way to circumvent this is merely to set your modem to a shorter +waiting-for-connect time, but this may not provide enough time for the call to +go through. [For more information on this and other telecommunications topics +call the Private Sector BBS at (201) 366- 4431] + + + + + + + + + + + + + + + + + + + + + + Page 160 + + + + + The Official Phreaker's Manual + +==Phrack Inc.== +Volume One, Issue Two, Phile #6 of 9 + + Toward Universal Information Services Via ISDN + ~~~~~~ ~~~~~~~~~ ~~~~~~~~~~~ ~~~~~~~~ ~~~ ~~~~ + by Taran King + + From PROTO newsletter of AT&T Bell Laboratories + ------------------------------------------------------------ +Phase one, the Present. +~~~~~ ~~~~ ~~~ ~~~~~~~~ + The local network of today, although still largely voice-oriented, is already +on the path to Universal Information Services. Lightguide fiber is +dramatically expanding the capacity of local networks, helping to lower the +costs and increase the demand for high-band width, Information Age services. +And public networks are increasingly digital and geared for data and special + services. For example: + +o The AT&T Network Systems 5ESS (TM ) switch, designed by Bell +Laboratories, can serve as the hub of a local deployment of remote modules at +locations up to 100 miles from a host central office. + +o The Integrated Special Services Network (ISSN) is a channel network that +provides special services, customer control options and digital private lines +rearrangeable under software control. The ISSN incorporates digital carrier +terminating equipment such as the D4 Channel Bank, D5 Digital Terminal System +and Digital Access and Cross-connect System (DACS). + +o The New Centrex is bringing greater levels of customer control, improved +services and a broad range of data capabilities to the business customer. + + Today's public networks consist of multiple or overlay networks. The public +switched network, or circuit network, mainly for voice, is the base network. +Two kinds of overlay networks provide special services. Channel networks carry +private lines leased by large customers and transmit much of today's data and +image traffic; they also handle traffic for network operations support. Packet +networks carry data communications, while packet switching is used internally +to public networks for common channel signaling to set up, route and take down +calls, or to give customers information. "Overlay networks help +telecommunications companies efficiently meet growing demand for digital +transmission and special services," says Stan Johnston, Market Planning +Manager, Network Systems Evolution, in AT&T Network Systems. "Their integration +into a single network, however, would be still more effective." + +Phase two, the Integrated Services Digital Network (ISDN). +~~~~~ ~~~~ ~~~ ~~~~~~~~~~ ~~~~~~~~ ~~~~~~~ ~~~~~~~ ~~~~~~~ + The ISDN is a concept to which AT&T is committed - and it's the foundation +for Universal Information Services. The central idea of ISDN, as AT&T Network +Systems sees it, is to provide an individual user a link to the local central +office of generous band-width - a digital subscriber line that can carry +144,000 bits per second (sure beats 2400 baud!). The band-width is subdivided +into two 64,000-bit channels, which may carry voice or data or both, and one +16,000-bit channel for packetized signaling information or data transport. +Such a link provides convenient "integrated" network access by accommodating +voice, data and signaling over a single line. + The ISDN will make it easier for a customer to get varied services from +public and private networks. More bandwidth for big customers will be +available through another ISDN access standard, the extended digital subscriber + + Page 161 + + + + + The Official Phreaker's Manual + +line, which provides 1.5 billion bits per second as 24 channels of 64,000 bits +each. + In 1986, new software from Bell Labs will enable the 5ESS switch to +accommodate ISDN-sized 144,000-bit channels that standardize and simplify +subscribers' use of local networks. AT&T is committed to future products that +will also be ISDN-compatible. Other vendors, too, some of whom already plan to +build premises, terminal, and other equipment to ISDN standards, will make ISDN +a cooperative effort. + By providing integrated digital access to networks, ISDN will make important +progress toward the goal of Universal Information Services. But overlay +networks will continue to divvy up the transport job. And messages needing +less than 144,000 bits per second will not fill their allotted bandwidth, +leaving capacity under utilized. + +Phase three, Universal Information Services. +~~~~~ ~~~~~~ ~~~~~~~~~ ~~~~~~~~~~~ ~~~~~~~~~ + Rooted in the fertile ground of 5ESS switches, ISDN equipment and +technologies such as wideband packet transport, Universal Information Services +will bear fruit during the 1990s. From a single kind of network will hang +services as different as apples, oranges and pears. Just as network access was +integrated in ISDN, transport functions will increasingly be integrated by +powerful new network equipment evolved from equipment developed for the ISDN. +Where customers once got standard-sized ISDN channels, they'll get big +bandwidth for large jobs, little bandwidth for small jobs. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 162 + + + + + The Official Phreaker's Manual + + TOWARD UNIVERSAL INFORMATION SERVICES VIA ISDN + +Phase one, the present. The local network of today, although still largely +voice oriented, is already on the path to Universal Information Services. +Lightguide fiber is dramatically expanding the capacity of local networks, +helping to lower the costs and increase the demand for high-bandwidth, +Information Age services. And public networks are increasingly digital and +geared for data and special services. For example: + + * The AT&T Network Systems 5ESS switch, designed by Bell Laboratories, can +serve as the hub of a local digital network through deployment of remote +modules at locations up to 100 miles from a host central office. + + * The Integrated Special Services Network (ISSN) is a channel networks that +provides special services, customer control options and digital private lines +rearrangeable under software control. The ISSN incorporates digital carrier +terminating equipment such as the D4 Channel Bank, D5 Digital Terminal System +and Digital Access and Cross-connect Systems (DACS). + + * The New Centrex is bringing greater levels of customer control, improved +services and a broad range of data capabilities to the business customer. + + Todays public networks consist of multiple or overlay networks. The public +switched network, or circuit network, is the base network. Two kinds of +overlay networks provide special services. Channel networks carry private +lines leased by large customers and transmit much of today's data and image +traffic; they also handle traffic for network operations support. Packet +networks carry data communications, while packet switching is used internal to +public networks for common channel signaling to set up, route and take down +calls, or to give customers information. + "Overlay networks help telecommunications companies efficiently meet growing +demand for digital transmission and special services," says Stan Johnston, +Market Planning Manager, Network Systems Evolution, in AT&T Network Systems. +"Their integration into a signal network, however, would be still +more effective." + Phase two, the Integrated Services Digital Network (ISDN). The ISDN is a +concept to which AT&T is commited--and it's the foundation for Universal +Information Services. The central idea of ISDN, as AT&T Network Systems sees +it, is to provide an individual user a link to the local central office of +generous bandwidth--a digital subscriber line that can carry 144,000 bits per +second. The bandwidth is subdivided into two 64,000-bit channels, which may +carry voice or data or both, and one 16,000-bit channel for packetized +signaling information or data transport. Such a link provides convenient +"integrated" network access by accommodating voice, data and signaling over a +single line. + The ISDN will make it easier for a customer to get varied services from +public and private networks. More bandwidth for big customers will be +available through another ISDN access standard, the extended digital subscriber +line, which provides 1.5 million bit per second as 24 channels of 64,000 bits +each. + In 1986, new software from Bell Labs will enable the 5ESS switch to +accommodate ISDN-sized 144,000-bit channels that standardize and simplify +subscribers' use of local networks. AT&T is committed to future products that +will also be ISDN-compatible. Other vendors, too, some of whom already plan to +build premises, terminal and other equipment to ISDN standards, will make ISDN +a cooperative effort. + By providing integrated digital access to networks, ISDN will make +important progress toward the goal of Universal Information Services. But + + Page 163 + + + + + The Official Phreaker's Manual + +overlay networks will continue to divvy up the transport job. And messages +needing less than 144,000 bits per second will not fill their allotted +bandwidth, leaving capacity underutilized. + Phase three, Universal Information Services. Rooted in the fertile ground +of 5ESS switches, ISDN equipment and technologies such as wideband packet +transport, Universal Information Services will bear fruit during the 1990s. +From a single kind of network will hang services as different as apples, +oranges and pears. Just as network access was integrated in ISDN, transport +functions will increasingly be integrated by powerful new equipment evolved +from equipment developed for the ISDN. Where customers once got standard- +sized ISDN channels, they'll get big bandwidth for large jobs, little bandwidth +for small jobs. + +*** retyped from PROTO, AT&T Bell Laboratories report to executives on new +technologies, without written permission from the editors. (heh, heh.) + +Subscriptions: $15.00 per year, published bi-monthly. Send check payable to +"Bell Laboratories PROTO," to PROTO Circulation Manager, Room 3E-230, 150 John +F. Kennedy Parkway, Short Hills, N.J. 07078. + +:LIQUID:CRYSTAL: +wisdom is safety + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 164 + + + + + The Official Phreaker's Manual + +==Phrack Inc.== +Volume One, Issue Two, Phile #7 of 9 + + @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ + @ @ + @ _ _ _______ @ + @ | \/ | / _____/ @ + @ |_||_|etal / /hop @ + @ __________/ / @ + @ /___________/ @ + @ Headquarters of Phrack Newsletter @ + @ (314) 432-0756 @ + @ Proudly Presents @ + @ MCI Overview @ + @ Written on 11/16/85 @ + @ by @ + @ @ + @ Knight Lightning & Taran King @ + @ @ + @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ + +MCI Communications Corporation, headquartered in Washington, D.C., provides a +full range of domestic and international telecommunications services, including +voice and data, telex and cable, paging and mobile telephone, and time +sensitive message delivery. + +Since its founding in 1968, MCI has grown to more than $1.6 billion in annual +sales and serves more than 1.9 million business, residential and government +customers through its four major business units: + +MCI Telecommunications + +MCI Airsignal + +MCI International + +MCI Digital Information Services + + +MCI TELECOMMUNICATIONS + + MCI Telecommunications provides domestic interstate long distance service +throughout all 50 states, plus Puerto Rico, the U.S. Virgin Islands, and major +calling areas of Canada. It is also authorized to provide varying degrees of +intrastate long distance service in some states. + +MCI also is the first long distance carrier other than AT&T to offer direct +dial service overseas. International telephone service is available to all +residential and commercial customers (with the exception of Private Line +customers). In October, 1984 the first international service agreements were +announced with the following countries: Argentina, Belgium, Brazil, East +Germany, Greece, United Arab Emirates, and the United Kingdom. + +Total capital investment in MCI's long distance network is approximately $2 +billion. MCI's network, the second largest in the U.S., employs microwave +optical fiber, satellite and various digital transmission technologies. + +Subscribers - Domestic Long Distance (as of 10/84) + + Page 165 + + + + + The Official Phreaker's Manual + +----------- ---------------------- +Residential 1.4 million +Commercial .3 million + Total 1.7 million + +Operations - (as of 10/84) +Network Miles...20,543 (microwave, optical fiber, satellite) +Circuits.......238,000 +Employees........9,500 (full-time, approx.) + +MCI AIRSIGNAL + +MCI Airsignal provides personal message delivery and car telephone services. +MCI Message Service is offered in more than 50 metropolitan areas. In 1984, +service will commence in New York City, Baltimore-Washington, Los Angeles, and +Chicago. MCI car telephone service is offered in 20 markets. + +Personal Message Delivery Service + +ALPHANUMERIC MESSAGE SERVICE + +Displays up to 40-character message using letters and/or numbers. Memory and +recall ability. Alerts subscriber with a silent visual alert or a soft tone. + +DISPLAY MESSAGE SERVICE + +Displays up to 24-digit message (e.g., phone number, stock quotes, sales +figures, coded messages). Memory and recall capability. Alerts customer to +message with a silent visual alert or a soft tone. + +TONE MESSAGE SERVICE + +Notifies customer of a message with a soft tone. + +VOICE MESSAGE SERVICE + +Receives message in actual voice of caller. + +EXPRESS MESSAGE SERVICE + +Receives and stores messages. Instantly alerts subscriber via pager when a +message is received. + +Car Telephone Service + +Enables customers to place calls to or receive calls from anywhere in the +world, 24 hours a day, as they travel in their cars. With the advent of new +cellular technology, both the quality and the accessibility of car telephone +service will vastly improve. + +MCI has thus far obtained franchises to operate a new kind of mobile phone +service, cellular telephone, in Minneapolis and Pittsburgh, and has received +favorable decisions from FCC administration law judges authorizing service in +Los Angeles, Denver-Boulder, and Kansas City. MCI has applied for licenses to +provide cellular service in 81 metropolitan areas. + +MCI Airsignal Branch Sales Offices + + + Page 166 + + + + + The Official Phreaker's Manual + +Personal Message Service/Conventional Mobile Phone Service + +Birmingham (205) 942-2924 +Sacramento (916) 444-2350 +Memphis (901) 682-9658 +Cleveland (216) 464-7311 +Dallas (214) 788-5111 +Fresno (209) 486-7410 +Las Vegas (702) 382-7461 +Denver (303) 778-7878 +Portland (503) 227-2556 +Philadelphia (215) 677-9845 +Atlanta (404) 252-2114 +West Florida (813) 875-3404 +Minneapolis (612) 544-8175 +Kansas City (913) 648-8090 +Miami (305) 491-0122 +Pittsburgh (412) 343-1611 +Houston (713) 464-2516 +Bakersfield (805) 832-2346 + +Cellular Telephone Offices + + Minneapolis-St. Paul (612) 544-3312 + Los Angeles (714) 527-0385 + Elsewhere in California (800) 344-3455 + Headquarters - Washington, D.C. (202) 429-9660 + + +MCI INTERNATIONAL + +MCI International provides private-line voice service to several overseas +countries, and data and message services, including telex, cablegram, leased +channel, and packet switching communications, to more than 200 overseas points. +MCI has moved into two new areas of service: International direct-dial +telephone service and international electronic mail and hard-copy delivery +services. + +International Record Services + +TELEX SERVICE (domestic and international) permits instantaneous, two-way, +written communications with other subscribers worldwide. Customers can send +messages at any time, even though the receiving terminal may be unattended. MCI +International offers access to its telex service from a variety of terminals +and networks; not only subscribers with telex terminals but also those with +communicating word processors, data terminals or computers that communicate +over telephone lines can take advantage of MCI International telex service. To +subscribers connected to its own telex network, MCI International offers World +Message Services--a package of communications offerings including telex, +cablegram and MCI Mail services. Various service enhancements are available to +save time, improve operating efficiency and simplify records keeping for telex +users. + +CABLEGRAM SERVICE, the traditional means of international written +communications, offers flexibility in delivery and economical rates for shorter +messages. Cablegrams can be delivered to virtually any overseas +point.Subscribers with telex terminals or various other types of equipment can +access and TELUS cablegram switch and take advantage of such service + + Page 167 + + + + + The Official Phreaker's Manual + +enhancements as abbreviated addressing and departmental billing. + +LEASED +CHANNEL SERVICE provides an exclusive line between a U.S. firm and it's +overseas office for private communications 24 hours a day. Each MCI +International leased channel is tailored to meet the needs of a specific +customer for teleprinter, facsimile, voice and/or data traffic. For subscribers +with several offices requiring private communications with each other, MCI +International offers a versatile message-switching service. Voice/data leases +can be configured to meet a whole array of communicating needs; for example, +one channel might carry data traffic from a computer at night, voice +communications during office hours, and simultaneous teleprinter messages at +any time. Data channels can handle requirements for traffic at any speed from +1200 bits per second to 1.544 megabits per second. + +IMPACS SERVICE uses packet-switching technology to provide international +communications service between data terminals and computers. Impacs offers +on-line, real-time connections and enables many types of incompatible systems +to communicate. Impacs service offers virtually error-free transmission +because of the error-detection and retransmission capability of the network. + +INSTALINK SERVICE allows businesses overseas to use regular telex equipment to +access remote computing systems and databases in the U.S. Subscribers can +retrieve data from a computer-based information service or use a computing +system connecting to a packet-switching network in the U.S. + +INTERNATIONAL +FACSIMILE SERVICE enables subscribers to send duplicates of original documents +overseas quickly and efficiently, even when neither the sender or the receiver +has facsimile transmission equipment, or when the sender and receiver have +incompatible equipment. + +DATEL SERVICE provides automatic or voice-coordinated data transmission at +speeds up to 2400 bits per second. Either digital or analog facsimile traffic +can be transmitted via Datel. Datel facilities are conditioned to ensure +high-quality transmission. The MCI International switching center allows +communications between incompatible terminals. + +MARITIME SERVICES provide instant, high--quality contact between ships at sea +or offshore rigs, and between these vessels and land-based subscribers +worldwide. + +International Voice Services + +PRIVATE +LINE SERVICE provides, fast, easy access to a single overseas location at an +economical monthly rate. This technically efficient system maximizes the use +of line capacity by recognizing idle time and assigning a speaker to a +transmission path only when the path is needed. Users can dial a four-digit +extension from a regular business phone to reach a key overseas location. + +International Mail Services + +WORLD +MESSAGE SERVICE subscribers can access the domestic electronic mail and +hard-copy delivery offerings of MCI Mail. In addition, MCI International is +developing fast, low-cost services that will deliver electronic messages and +high-quality printed documents worldwide. + + Page 168 + + + + + The Official Phreaker's Manual + + +Customer Service + +THE CUSTOMER TROUBLE REPORTING ASSISTANCE CENTER at MCI International addresses +customer concerns such as equipment maintenance and service performance +questions. Customer service specialists, on duty 24 hours a day on business +days, answer questions and electronically route service requests to technicians +nationwide. + +MCI DIGITAL INFORMATION SERVICES CORP. + +MCI Digital Information Services, MCI's newest unit, provides high-speed, +low-cost, time-sensitive message delivery (MCI Mail), either electronically or +via hard copy. + +MCI Mail provides time-sensitive document delivery to anyone, anywhere vial +MCI's long-distance telephone network. MCI Mail can reach a recipient +instantly, in four hours or less, or overnight by noon the next day. Prices +are as much as 90 percent lower than comparable time-sensitive mail delivery +services. MCI Mail can be delivered electronically, terminal to terminal, or +laser printed on letterhead stationery with the customer's signature. + +MCI Mail customers can even order gifts and services direct through MCI Mail, +ranging from software and paper for personal computers to investment advisory +services to travel specials. + +There are no sign-up, monthly service charges or "connect time" charges for MCI +Mail. MCI Mail can be used by virtually any personal computer, word processor, +electronic typewriter, data terminal, telex, or other digital communications +device. The service is accessed by a local telephone call or 800 number. + +MCI Mail + +INSTANT delivery to an "electronic" mailbox. + +FOUR-HOUR paper delivery by courier to 17 major metropolitan areas regardless +of point of origin. + +OVERNIGHT paper delivery by courier by noon the next day in 20,000 continental +U.S. cities. + +MCI LETTER transmitted electronically to the MCI digital postal center nearest +its destination, then delivered locally by the U.S. Postal Service. + +TELEX DISPATCH enables MCI Mail subscribers to transmit messages to the more +than 1.6 million telex subscribers worldwide. + +VOLUME MAIL enables customers to send large mailings in a variety of letter +formats, at substantial savings in delivery time and expense. + + ============================================================ + Look for more MCI Files coming to Metal Shop soon! + + This has been a Knight Lightning Presentation + ============================================================ + + + + + Page 169 + + + + + The Official Phreaker's Manual + + Reference Tables + + Just some notes that you will always try to find but can never! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 170 + + + + + The Official Phreaker's Manual + +==Phrack Inc.== +Volume One, Issue One, Phile #5 of 8 + + Using MCI Calling Cards + by + Knight Lightning + of the + 2600 Club! + +How to dial international calls on MCI: + + "Its easy to use MCI for international calling." + +1. Dial your MCI access number and authorization code (code = 14 digit number, +however the first 10 digits are the card holders NPA+PRE+SUFF). + +2. Dial 011 + +3. Dial the country code + +4. Dial the city code and the PRE+SUFF that you want. + +Countries served by MCI: + +Country code|Country code +-------------------------------------|-------------------------------- +Algeria..........................213 |New Zealand..................064 +Argentina........................054 |Northern Ireland.............044 +Australia........................061 |Oman.........................968 +Belgium..........................032 |Papua New Guinea.............675 +Brazil...........................055 |Qatar........................974 +Canada................Use Area Codes |Saudi Arabia.................966 +Cyprus...........................357 |Scotland.....................044 +Denmark..........................045 |Senegal......................221 +Egypt............................020 |South Africa.................027 +England..........................044 |Sri Lanka....................094 +German Democratic Republic |Sweden.......................046 +(East Germany)...................037 |Taiwan.......................886 +Greece...........................030 |Tanzania.....................255 +Jordan...........................962 |Tunisa.......................216 +Kenya............................254 |United Arab Emirates.........971 +Kuwait...........................965 |Wales........................044 +Malawi...........................265 | +====================================================================== + +Thats 33 countries in all. To get the extender for these calls dial 950-1022 or +1-800-624-1022. + +For local calling: + +1. Dial 950-10222 or 1-800-624-1022 + +2. Wait for tone + +3. Dial "0", the area code, the phone number, and the 14 digit authorization +code. You will hear 2 more tones that let you know you are connected. + + - Knight Lightning --> The 2600 Club! + + Page 171 + + + + + The Official Phreaker's Manual + +===================================================================== + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 172 + + + + + The Official Phreaker's Manual + + AT&T INTERNATIONAL DIALING COUNTRY CODES AS OF 2-17-85 + + FILE BY: Lock Lifter + +=========================+ + +*UNITED KINGDOM/IRELAND +------------------------------------ +IRELAND.........................353 +UNITED KINGDOM...................44 + +*EUROPE +------------------------------------ +ANDORRA..........................33 +AUSTRIA..........................43 +BELGIUM..........................32 +CYPRUS..........................357 +CZECHOLSLOVAKIA..................42 +DENMARK..........................45 +FINLAND.........................358 +FRANCE...........................33 +GERMAN DEMOCRATIC REPUBLIC.......37 +GERMANY, FEDERAL REPUBLIC OF.....49 +GIBRALTAR.......................350 +GREECE...........................30 +HUNGARY..........................36 +ICELAND.........................354 +ITALY............................39 +LIECHTENSTEIN....................41 +LUXEMBOURG......................352 +MONACO...........................33 +NETHERLANDS......................31 +NORWAY...........................47 +POLAND...........................48 +PORTUGAL........................351 +ROMANIA..........................40 +SAN MARINO.......................39 +SPAIN............................34 +SWEDEN...........................46 +SWITZERLAND......................41 +TURKEY...........................90 +VATICAN CITY.....................39 +YUGOSLAVIA.......................38 + +*CENTRAL AMERICA +------------------------------------ +BELIZE..........................501 +COSTA RICA......................506 +EL SALVADOR.....................503 +GUATEMALA.......................502 +HONDURAS........................504 +NICARAGUA.......................505 +PANAMA..........................507 + +*AFRICA +------------------------------------ +ALGERIA.........................213 +CAMEROON........................237 +EGYPT............................20 + + Page 173 + + + + + The Official Phreaker's Manual + +ETHIOPIA........................251 +GABON...........................241 +IVORY COAST.....................225 +KENYA...........................254 +LESOTHO.........................266 +LIBERIA.........................231 +LIBYA...........................218 +MALAWI..........................265 +MOROCCO.........................212 +NAMIBIA.........................264 +NIGERIA.........................234 +SENEGAL.........................221 +SOUTH AFRICA.....................27 +SWAZILAND.......................268 +TANZANIA........................255 +TUNISIA.........................216 +UGANDA..........................256 +ZAMBIA..........................260 +ZIMBABWE........................263 + +*PACIFIC +------------------------------------ +AMERICAN SAMOA..................684 +AUSTRAILIA.......................61 +BRUNEI..........................673 +FIJI............................679 +FRENCH POLYNESIA................689 +GUAM............................671 +HONG KONG.......................852 +INDONESIA........................62 +JAPAN............................81 +KOREA, REPUBLIC OF...............82 +MALAYSIA.........................60 +NEW CALEDONIA...................687 +NEW ZEALAND......................64 +PAPUA NEW GUINEA................675 +PHILIPPINES......................63 +SAIPAN..........................670 +SINGAPORE........................65 +TAIWAN..........................886 +THAILAND.........................66 + +*INDIAN OCEAN +------------------------------------ +PAKISTAN.........................92 +SRI LANKA........................94 + +*SOUTH AMERICA +------------------------------------ +ARGENTINA........................54 +BOLIVIA.........................591 +BRAZIL...........................55 +CHILE............................56 +COLOMBIA.........................57 +ECUADOR.........................593 +GUYANA..........................592 +PARAGUAY........................595 +PERU.............................51 + + Page 174 + + + + + The Official Phreaker's Manual + +SURINAME........................597 +URUGUAY.........................598 +VENEZUELA........................58 + +*NEAR EAST +------------------------------------ +BAHRAIN.........................973 +IRAN.............................98 +IRAQ............................964 +ISRAEL..........................972 +JORDAN..........................962 +KUWAIT..........................965 +OMAN............................968 +QATAR...........................974 +SAUDI ARABIA....................966 +UNITED ARAB EMIRATES............971 +YEMEN ARAB REPUBLIC.............967 + +*CARIBBEAN/ATLANTIC +------------------------------------ +FRENCH ANTILLES.................596 +GUANTANAMO BAY (US NAVY BASE)....53 +HAITI...........................509 +NETHERLANDS ANTILLES............599 +ST. PIERRE AND MIQUELON.........508 + +*INDIA +------------------------------------ +INDIA............................91 + +*CANADA +------------------------------------ +TO CALL CANADA, DIAL 1 + AREA CODE + +LOCAL NUMBER. + +*MEXICO +------------------------------------ +TO CALL MEXICO, DIAL 011 + 52 + CITY CODE+ LOCAL NUMBER. + +***NOTES :DO NOT FORGET ABOUT THE TIME DIFFERENCE WHEN CALLING OUTSIDE OF YOUR +TIME ZONE. CALLING CARDS CAN BE USED OVER SEAS TO CALL BACK INTO THE U.S. FOR +FURTHER INFORMATION CALL TOLL-FREE 1-800-874-0000. DIAL '#' AFTER THE COMPLETE +NUMBER TO MAKE THE CALL GO THROUGH FASTER. + + + + + + + + + + + + + + + + + Page 175 + + + + + The Official Phreaker's Manual + + ************************************** + * * + * International Dialing Codes * + * Country + Routing * + * * + * (Typed by The Dagda Mor) * + * (Edited by The Jammer) * + * * + ************************************** + +To dial international calls: + +International Access Code + Country code + Routing code + +Example : + +To call Frankfurt, Germany, you would do the following: + +011 + 49 + 611 + (# wanted) + # sign(octothrope) + +The # sign at the end is to tell Bell that you are done entering in all the +needed info. + +Here is the list of Country Codes, listed next to the country, and the routing +codes listed next to the city. + +Andorra- 33 Argentina- 54 +------- --------- +all points- 078 Buenos Aires- 1 + + +Australia- 61 Austria- 43 +--------- ------- +Melbourne- 3 Innsbruck- 5222 +Sydney- 2 Vienna- 222 + + +Bahrain- 973 Belgium- 32 +------- ------- +no routing needed Antwerp- 31 + Brussels- 2 + + +Belize- 501 Bolivia- 591 +------ ------- +no routing needed La Paz- 2 + + +Brazil- 591 Chile- 56 +------ ----- +Brasilia-61 Santiago- 2 +Rio de Janeiro- 21 Valparaiso- 31 +Sao Paulo- 11 + + +China- 86 Colombia- 56 +----- -------- +Tainan- 62 none needed + + Page 176 + + + + + The Official Phreaker's Manual + +Taipei- 2 + + +Costa Rica- 506 Cyprus- 357 +----- ---- ------ +no routing needed Nicosia- 21 + + +Denmark- 45 Ecuador- 593 +------- ------- +Aalborg- 8 Cuenca- 4 +Copenhagen 1 or 2 Quito- 2 + + +El Salvador- 503 Fiji- 679 +---------- ---- +no routing needed none needed + + +France- 33 Germany- 49 +------ ------- +Bordeaux- 56 Berlin- 30 +Marseille- 91 Bonn- 228 +Nice- 93 Frankfurt- 661 +Paris- 1 Munich- 89 + + +German. Rep- 37 Greece- 30 +------- --- ------ +Berlin- 2 Athens- 1 + Rhodes- 241 + + +Guam- 671 Guatamala- 502 +---- --------- +no routing needed Guatemala City- 2 + + +Guyana- 592 Haiti- 509 +------ ----- +Georgetown- 02 Port Au Prince- 1 + + +Hoduras- 504 Hong Kong- 852 +------- ---- ---- +no routing needed Hong Kong- 5 + Kowloon- 3 + + +Indonesia- 62 Iran- 98 +--------- ---- +Jakarta- 21 Teheran- 21 + + +Iraq- 964 Ireland- 353 +---- ------- +Baghdad- 1 Dublin- 1 + Galway- 91 + + Page 177 + + + + + The Official Phreaker's Manual + + + +Israel- 978 Italy- 39 +------ ----- +Haifa- 4 Florence- 55 +Jerusalem- 2 Naples- 81 +Tel Aviv- 3 Rome- 6 + Venice- 41 + + +Ivory Coast- 225 Japan- 81 +----- ----- ----- +no routing needed Hiroshima- 822 + Tokyo- 3 + Yokohama- 45 + + +Kenya- 254 Korea- 82 +----- ----- +Nairobi- 2 Pusan- 51 + Seoul- 2 + + +Kuwait- 965 Liberia- 231 +------ ------- +no routing needed none needed + + +Libya- 218 Lechtenstein- 4 +----- ------------ +Tripoli- 21 All points- 75 + + +Luxembourg- 352 Malaysia- 60 +---------- -------- +no routing needed Kuala Lumpur- 3 + + +Monaco- 33 Netherlands- 31 +------ ----------- +All points- 93 Amsterdam- 20 + Rotterdam- 10 + The Hague- 70 + + +New Caledonia- 687 New Zealand- 64 +--- --------- --- ------- +no routing needed Auckland- 9 + Wellinton- 4 + + +Nicaragua- 505 Nigeria- 234 +--------- ------- +Managua- 2 Lagos- 1 + + +Norway- 47 Panama- 507 +------ ------ + + Page 178 + + + + + The Official Phreaker's Manual + +Bergen- 5 none needed +Oslo- 2 + + +Papua New Guinea-675 Paraguay- 595 +----- --- ------ -------- +no routing needed Asuncion- 21 + + +Peru- 51 Phillippines- 63 +---- ------------ +Arequipa- 542 Manila- 2 +Lima- 14 + +Portugal- 351 Romania- 40 +-------- ------- +Lisbon- 19 Bucuresti- 0 + + +San Marino- 39 Saudi Arabia- 966 +--- ------ ----- ------ +All points- 541 Riyadh- 1 + + +Senegal- 221 South Africa- 27 +------- ----- ------ +no routing needed Cape Town- 21 + Pretoria- 12 + + +Spain- 34 Sri Lanka- 94 +----- --- ----- +Barcelona- 3 Colombo- 1 +Canary Is.- 28 +Madrid- 1 +Seville- 54 + + +Suriname- 597 Sweden- 46 +-------- ------ +no routing needed Goteborg- 31 + Stockholm- 8 + + +Switzerland- 41 Tahiti- 689 +----------- ------ +Berne- 31 none needed +Geneva- 22 +Lucerne- 41 +Zurich- 1 + + +Thailand- 66 Tunisia- 216 +-------- ------- +Bangkok- 2 Tunis- 1 + + +Turkey- 90 United Arab + + Page 179 + + + + + The Official Phreaker's Manual + +------ Emirates- 971 +Istanbul- 11 -------- + Abu Dhabi- 2 + Ajman- 6 + Al Ain- 3 + Aweir- 49 + Dubai- 4 + Fujairah- 91 + Jebel Dhana- 5 + Sharjah- 6 + Umm-Al-Quwain- 6 + + +United Kingdom- 44 USSR- 7 +------ ------- ---- +Belfast- 232 Kiev- 044 +Cardiff- 222 Leningrad- 812 +Edinburgh- 31 Minsk- 017 +Glasgow- 41 Moscow- 095 +Liverpool- 51 Tallinn- 0142 +London- 1 + +Vatican City- 39 Venezuela- 58 +------- ---- --------- +All points- 6 Caracas- 2 + Maracaibo- 61 + +Yugoslavia- 38 +---------- +Belgrade- 11 +Zagreb- 41 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 180 + + + + + The Official Phreaker's Manual + + ************************************** + * * + * MAX ACCESS PORTS * + * * + * (LEXITEL CORPORATION) * + * * + * WORD PROCESSED BY THE DAGDA MOR * + * * + ************************************** + +ADRIAN,MI............313-263-0191 LIVONIA, MI..........313-261-6970 +AKRON,OH.............216-275-9814 LOS ANGELES, CA......213-624-9041 +ANN ARBOR, MI........313-451-2121 LOUISVILLE, KY.......502-568-6204 +ATLANTA, GA..........404-525-1769 MARION, OH...........614-387-1011 +AVON LAKE, OH........216-933-2823 MCKEESPORT, PA.......412-664-4870 +BADEN, PA............412-869-1360 MENTOR, OH...........216-255-1645 +BALTIMORE, MD........301-444-7280 MIDDLETOWN, OH.......513-423-1066 +BEAVER FALLS, PA.....412-847-3640 MILWAUKEE, WI........414-933-1880 +BIRMINGHAM, MI.......313-649-0730 MINNEAPOLIS, MN......612-375-0280 +BOSTON, MA...........617-267-9134 MONESSEN, PA.........412-684-8710 +BUFFALO, NY..........716-854-0802 MORTON GROVE,IL......312-950-1066 +BUTLER, PA...........412-285-9081 NEWARK, NJ...........201-624-5040 +CANTON, OH...........216-455-1425 NEWARK, OH...........614-349-8754 +CHICAGO, IL..........312-950-1066 NEW CASTLE, PA.......412-656-9420 +CHILLICOTHE, OH......614-772-1066 NEW YORK, NY.........212-950-1066 +CINCINNATI, OH.......513-421-1880 OAK LAWN, IL.........312-950-1066 +CLEVELAND, OH........216-771-6614 PHILADELPHIA, PA.....215-751-9711 +COLUMBUS, OH.........614-950-1066 PITTSBURG, PA........412-391-9532 +DALLAS, TX...........214-653-1047 PLYMOUTH, MI.........313-451-2121 +DAYTON, OH...........513-223-0366 PONTIAC, MI..........313-332-0500 +DETROIT, MI..........313-950-1066 PORT HURON, MI.......313-982-7115 +ELK GROVE, IL........312-950-1066 PHOENIX, AZ..........602-242-0252 +ELYRIA, OH...........419-323-4431 QUEENS, NY...........718-204-7330 +FINDLAY, OH..........419-424-5934 SANDUSKY, OH.........419-625-1289 +GLEENSHAW, PA........412-486-7394 SHARON, PA...........412-983-0100 +GRAND RAPIDS, MI.....616-456-7925 SPRINGFIELD, OH......513-950-1066 +GREENSBURG, PA.......412-836-8110 STEUBENVILLE, OH.....614-283-1756 +HACKENSACK, NJ.......201-342-2815 ST. LOUIS, MO........314-289-9100 +HOUSTON, TX..........713-224-0982 ST. PAUL, WI.........612-375-0280 +INDIANA, PA..........412-349-8760 TOLEDO, OH...........419-255-1316 +INDIANAPOLIS, IN.....317-638-4442 TROY, OH.............513-335-2303 +KALAMAZOO, MI........616-342-0266 TURTLE CREEK, PA.....412-823-1500 +KANSAS CITY, MO......816-474-6193 WASHINGTON, DC.......202-479-4411 +KOKOMO, IN...........317-453-9932 WASHINGTON, PA.......412-225-1800 +LA GRANGE, IL........312-950-1066 WARREN, MI...........313-268-9120 +LANCASTER, OH........614-687-0159 XENIA, OH............513-376-2991 +LANSING, MI..........517-950-1066 YOUNGSTOWN, OH.......216-746-2021 +LAFAYETTE, IN........317-423-5492 ZANESVILLE, OH.......614-454-6815 + + + + + + + + + + + + Page 181 + + + + + The Official Phreaker's Manual + + ******************** METROFONE ACCESS NUMBERS ******************** + +ANAHEIM, CA (714)527-7055 LOS ANGELES, CA (213)992-8282 +ATLANTA, GA (404)223-1000 LOS ANGELES, CA (213)202-6117 +AUSTIN, TX (512)474-6057 MIAMI, FL (305)326-3300 +BALTIMORE, MD (301)659-7700 MILWAUKEE, WI (414)277-1805 +BEAUMONT, TX (713)833-9331 MINNEAPOLIS, MN (612)370-9000 +BOSTON, MA (617)482-3222 NEW ORLEANS, LA (504)566-8500 +BUFFALO, NY (716)852-9200 NEW YORK, NY (212)732-7430 +CHICAGO, IL (312)853-4700 NEWARK, NJ (201)645-9220 +CINCINNATI, OH (513)241-1747 OAKLAND, CA (415)836-6900 +CLEVELAND, OH (216)861-5163 OKLAHOMA CITY, OK (405)232-9011 +COLUMBUS, OH (614)224-0577 OMAHA, NE (402)422-1120 +CULVER CITY, CA (213)410-0078 PHILADELPHIA, PA (215)351-0100 +DALLAS, TX (214)742-4500 PITTSBURGH, PA (412)261-5720 +DAYTON, OH (513)228-1576 RENO, NV (702)329-1025 +DENVER, CO (303)623-5326 RICHMOND, VA (804)225-1920 +DETROIT, MI (313)963-4847 ST. LOUIS, MO (314)342-1130 +EL MONTE, CA (213)350-1028 SACRAMENTO, CA (916)443-6921 +ELK GROVE, IL (312)981-8870 SAN ANTONIO, TX (512)224-9600 +FT. LAUDERDALE, FL (305)462-3530 SAN DIEGO, CA (714)233-0327 +FT. WORTH, TX (817)338-1639 SAN FRANCISCO, CA (415)956-0162 +HACKENSACK, NJ (201)487-3155 SAN JOSE, CA (408)947-7606 +HARTFORD, CT (203)522-0003 SAN MATEO, CA (415)579-6001 +HAWTHORNE, NJ (201)427-1100 SANTA ANA, CA (714)972-9515 +HINSDALE, IL (312)986-0566 SEATTLE, WA (206)382-0910 +HOUSTON, TX (713)224-9417 SKOKIE, IL (312)679-8120 +HUNTINGTON BEACH, CA (714)972-8515 SYRACUSE, NY (315)474-3911 +INDIANAPOLIS, IN (317)635-6284 TOLEDO, OH (419)243-1046 +KANSAS CITY, KS (913)621-3186 WASHINGTON, DC (202)737-2051 +LONG ISLAND, NY (516)443-5402 +LOS ANGELES, CA (213)629-1026 + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 182 + + + + + The Official Phreaker's Manual + + Area Codes In Numerical Order, by The Jammer +______________________________________________________________________ + +201 Newark New Jersey 519 London Ontario +202 Washington D.C (all) 601 Mississippi (all) +203 Connecticut (all) 602 Arizona (all) +205 Alabama (all) 603 New Hampshire (all) +206 Seattle Washington 605 South Dakota (all) +207 Maine (all) 606 Winchester Kentucky +208 Idaho (all) 607 Binghamton New York +212 Bronx Nyc, New York 608 Madison Wisconsin +212 Manhattan Nyc, New York 609 Trenton New Jersey +213 Los Angeles California 612 St. Paul Minnesota +214 Dallas Texas 613 Ottawa Ontario +215 Philadelphia Pennsylvania 614 Columbus Ohio +216 Cleveland Ohio 615 Nashville Tennessee +217 Springfield Illinois 616 Grand Rapids Michigan +218 Duluth Minnesota 617 Boston Massachusetts +219 Gary Indiana 618 Alton Illinois +301 Maryland (all) 619 San Diego California +303 Colorado (all) 700 Teleconference (all) +304 West Virginia (all) 701 North Dakota (all) +305 Miami Florida 702 Nevada (all) +305 Orlando Florida 703 Alexandria Virginia +307 Wyoming (all) 704 Charlotte North Carolina +308 Abott Nebraska 705 North Bay Ontario +309 Peoria Illinois 712 Councilbluffs Iowa +312 Chicago Illinois 713 Houston Texas +313 Detroit Michigan 714 Anaheim California +314 St. Louis Missouri 715 Bay City Wisconsin +315 Syracuse New York 716 Buffalo New York +316 Wichita Kansas 716 Rochester New York +317 Indinapolis Illinois 717 Harrisburg Pennsylvania +318 Lake charles Lousiana 800 Toll Free (all) +319 Davenport Iowa 801 Utah (all) +401 Rhode Island (all) 802 Vermont (all) +402 Omaha Nebraska 803 South Carolina (all) +404 Atlanta Georgia 804 Richmond Virgina +405 Oklahoma City Oklahoma 805 Bakersfield California +406 Montana (all) 806 Amarillo Texas +408 San Jose California 807 Thunder Bay Ontario +412 Pittsburg Pennsylvania 808 Hawaii (all) +413 Springfield Massachusetts 809 Bermuda (all) +414 Milwaukee Wisconsin 809 Bahamas (all) +415 San Francisco California 809 Puerto Rico (all) +416 Toronto Onterio 809 Virgin Islands (all) +417 Joplin Missouri 812 Evansville Indiana +418 Quebec Quebec 812 Dade park Kentucky +419 Toledo Ohio 814 Johnston Pennsylvania +501 Arkansas (all) 815 Rockford Illinois +502 Frankfort Kentucky 816 Independence Missouri +503 Oregon (all) 817 Fort Worth Texas +504 New Orleans Louisiana 818 Burbank California +504 Baton Rouge Louisiana 819 Trois Riv. Quebec +505 New Mexico (all) 900 Dial-it (all) +507 Rochester Minnesota 901 Memphis Tennessee +509 Pullman Washington 904 Talahassee Florida +512 Austin Texas 906 Escanaba Michigan + + Page 183 + + + + + The Official Phreaker's Manual + +513 Cincinnati Ohio 907 Alaska (all) +514 Montreal Quebec 912 Savannah Georgia +515 Des Moines Iowa 913 Kansas City Kansas +516 Hempstead New York 915 El Paso Texas +517 Lansing Michigan 916 Sacramento California +518 Albany New York 918 Tulsa Oklahoma + 919 Raleigh North Carolina + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 184 + + + + + The Official Phreaker's Manual + +==Phrack Inc.== +Volume One, Issue Two, Phile #5 of 9 + +Updated from November 26, 1985 +Tac Dialups taken from Arpanet +by Phantom Phreaker + + TAC DIALUPS SORTED BY LOCATION 26-NOV-85 + +State/Country 300 Baud 1200 Baud 1200 Type +------------- --------------- ----------------- --------- + + ALABAMA + Anniston Army Depot [M] + (ANNIS-MIL-TAC) (205) 235-6285 (R4) (205) 235-7650 B/V + (205) 237-5731 (R8) (205) 237-5731 (R8) B/V + (205) 237-5770 (R8) (205) 237-5779 (R8) B/V + (205) 237-5805 (R8) (205) 237-5805 (R8) B/V + + *Please note: When accessing the Anniston TAC you must first enter a + , then enter DDN . After you receive CLASS DDN START, + proceed as normal. + + Gunter AFS [M] + + (GUNTER-TAC) (205) 279-3576 + (205) 279-4682 + + Redstone Arsenal [M] + (MICOM-TAC) [none known] + + ARIZONA + Ft. Huachuca [M] + (HUAC-MIL-TAC) [none known] + + Yuma [M] + (YUMA-TAC) (602) 328-2186 (602) 328-2186 B/V + (602) 328-2187 (602) 328-2187 B/V + (602) 328-2188 (602) 328-2188 B/V + + CALIFORNIA (NORTHERN) + Alameda [M] + (ALAMEDA-MIL-TAC) [none known] + + Menlo Park [M] + (SRI-MIL-TAC) (415) 327-5440 (R3) (415) 327-5440 (R3) B + + (USGS3-TAC) [M] [no dialups] + + Moffett Field [M] + (AMES-TAC) [no dialups; contact NSC for access] + William Jones - (415) 694-6482 + (FTS) 494-6482 + (AV) 359-6482 + + Monterey [M] + (NPS-TAC) [none known] + + + Page 185 + + + + + The Official Phreaker's Manual + + Sacsamento [M] + (MCCLELLAN1-MIL-TAC) [none known] + (MCCLELLAN2-MIL-TAC) [none known] + + Stanford [A] + (SU-TAC) (415) 327-5220 + + CALIFORNIA (SOUTHERN) + China Lake [M] + (NWC-TAC) [none known] + + + Edwards AFB [M] + (EDWARD-MIL-TAC) [none known] + + El Segundo [M] + (AFSC-SD-TAC) (213) 643-9204 (213) 643-9204 B/V + + Los Angeles [A] + (USC-TAC) (213) 749-5436 + + Los Angeles [A] + (USC-ARPA-TAC) [none known] + + San Diego [M] + (ACCAT-TAC) (619) 225-1641 (R4) (619) 225-6903 V + (619) 225-6946 (R3) + (619) 223-2148 V + (619) 226-7884 (R2) + + Santa Monica + (RAND-ARPA-TAC) [A] + (213) 393-9230 + (213) 393-9237 + (213) 393-9238 + (213) 393-9239 + + (RAND2-MIL-TAC) [M] [none known] + + COLORADO + Denver Fed Ctr [M] + (USGS2-TAC) (303) 232-0206 (303) 232-0206 B/V + + Lowry Air Force Base [M] + (LOWRY-MIL-TAC) [none known] + + D.C. + Washington + [Andrews AFB] [M] + (AFSC-HQ-TAC) (301) 967-7930 (R16) (301) 967-7930 (R16) B + (301) 736-2990 (R4) (301) 736-2990 (R4) B + (301) 736-2998 (R2) (301) 736-2998 (R2) B + + (PENTAGON-TAC) (202) 553-0229 (R14) (202) 553-0229 (R14) B + + FLORIDA + Eglin AFB [M] + (AFSC-AD-TAC) (904) 882-8202 (904) 882-8202 B/V + + Page 186 + + + + + The Official Phreaker's Manual + + (904) 882-8201 (904) 882-8201 V + + MacDill AFB [M] + (MACDILL-MIL-TAC) [none known] + + Naval Air Station - Jacksonville [M] + (JAX1-MIL-TAC) [none known] + + Naval Air Station - Orlando [M] + (ORLANDO-MIL-TAC) [none known] + + GEORGIA + Robins AFB [M] + (ROBINS-TAC) (912) 926-2725 (912) 926-2725 B/V + (912) 926-2726 + (912) 926-3231 + (912) 926-3232 + (912) 926-2204 (912) 926-2204 B/V + HAWAII + Camp H.M. Smith [M] + (HAWAII2-TAC) (808) 487-5545 (808) 487-5545 B + + ILLINOIS + Scott AFB [M] + (SCOTT-TAC) [none known] + + (SCOTT2-MIL-TAC) [none known] + + KANSAS + Ft. Leavenworth [M] + (LVN-MIL-TAC) (913) 651-7041 (R8) (913) 651-7041 (R8) B + + LOUISIANA + Navy Regional Data Automation Center [M] + (NORL-MIL-TAC) (504) 944-7940 (504) 944-7940 B + (504) 944-7948 (R2) (504) 944-7948 (R2) B + (504) 944-7951 (R5) (504) 944-7951 (R5) B + (504) 944-8702 (R8) (504) 944-8702 (R8) B + + MARYLAND + Aberdeen Proving Ground [M] + (BRL-TAC) (301) 278-6916 (R4) (301) 278-6916 (R4) B/V + + Bethesda [M] + (DAVID-TAC) (202) 227-3526 (R16) (202) 227-3526 (R16) B/V + + Patuxent River [M] + (PAX-RV-TAC) (301) 863-4815 (301) 863-4815 B/V + (301) 863-4816 (301) 863-4816 B/V + (301) 863-5750 (R6) (301) 863-5750 (R6) B/V + + Silver Spring [M] + (WHITEOAK-MIL-TAC) (301) 572-5960 (R10) (301) 572-5960 (R10) B + (301) 572-5970 (R10) (301) 572-5970 (R10) B + + MASSACHUSETTS + Hanscom AFB [M] + (AFGL-TAC) (617) 861-3000 (R8) (617) 861-3000 (R8) B + + Page 187 + + + + + The Official Phreaker's Manual + + (617) 861-4965 (R8) (617) 861-4965 (R8) + + Cambridge + (BBN-MIL-TAC) [M] [none known] + + (BBN-ARPA-TAC) [A] [no dialup capability] + + (CCA-ARP-TAC) [A] [none known] + + (MIT-TAC) [A] + (617) 491-5669 (617) 258-6224 V + (617) 491-5708 (617) 258-6225 V + (617) 491-5734 (617) 258-6227 V + (617) 491-5819 (617) 258-6248 V + (617) 491-5826 + (617) 491-5841 + (617) 491-5849 + (617) 491-6769 + (617) 491-6772 + (617) 491-6937 + (617) 258-6241 + (617) 258-6242 + (617) 258-6243 + + MICHIGAN + U.S. Army Tank Automotive Command (TACOM) - Warren [M] + (TACOM-TAC) [none known] + + MISSOURI + St. Louis [M] + (STLA-TAC) [none known] + + NEBRASKA + Offutt AFB [M] + (SAC1-MIL-TAC) [none known] + + (SAC2-MIL-TAC) (402) 292-4638 (R10) (402) 292-4638 (R10) B + + (SAC-ARPA-TAC) [A] + (402) 294-2398 (402) 294-2398 B + (402) 291-2018 (402) 291-2018 B + (402) 292-7054 (402) 292-7054 B + + NEW JERSEY + Dover [M] + (ARDC-TAC) (201) 724-6731 (201) 724-6731 B/V + (201) 724-6732 (201) 724-6732 B/V + (201) 724-6733 (201) 724-6733 B/V + (201) 724-6734 (201) 724-6734 B/V + + Fort Monmouth [M] + (FTMONMOUTH1-MIL-TAC) (201) 544-2052 (201) 544-2052 B/V + (201) 544-2062 (201) 544-2062 B/V + (201) 544-2072 (201) 544-2072 B/V + (201) 544-2396 (201) 544-2396 B/V + (201) 544-2430 (201) 544-2430 B/V + + (FTMONMOUTH2-MIL-TAC) (201) 544-4254 (R3) (201) 544-2430 B + + Page 188 + + + + + The Official Phreaker's Manual + + (201) 544-2636 B + (201) 544-2638 B + (201) 544-2777 B + + NEW MEXICO + Albuquerque [M] + (AFWL-TAC) [none known] + + White Sands [M] + (WSMR-TAC) [no dialups; contact NSC for access] + Claude (Skeet) Steffey - (505) 678-1271 + (FTS) 898-1271 + (AV) 258-1271 + + NEW YORK + Griffiss AFB + (RADC-ARPA-TAC) [A] [no dialup capability] + + (RADC-TAC) [M] + (315) 339-4913 (R5) + (315) 337-2004 (315) 337-2004 B/V + (315) 337-2005 (315) 337-2005 B/V + + (315) 330-2294 (315) 330-2294 (FTS) 952 B/V + + (315) 330-3587 (315) 330-3587 (FTS) 952 B/V + + NORTH CAROLINA + Ft. Bragg [A] + (BRAGG-ARPA-TAC) (919) 396-1131 (R10) (919) 396-1426 (R5) B/V + (919) 396-1491 (R8) B/V + Ft. Bragg [M] + (BRAGG-MIL-TAC) [none known] + + OHIO + Wright-Patterson AFB [M] + (WPAFB-TAC) (513) 258-4218 + (513) 258-4219 + (513) 258-4987 + (513) 258-4988 + (513) 258-4989 + (513) 258-4990 + + (WPAFB2-MIL-TAC) (513) 257-2172 (R8) (513) 257-2172 (R8) B + (513) 257-2690 (R8) (513) 257-2690 (R8) B + (513) 257-3625 (R8) (513) 257-3625 (R8) B + + OKLAHOMA + Tinker AFB [M] + (TINKER-MIL-TAC) [none known] + + + PENNSYLVANIA + New Cumberland Army Depot [M] + (NCAD-MIL-TAC) [none known] + + (NCAD2-MIL-TAC) [none known] + + + Page 189 + + + + + The Official Phreaker's Manual + + TEXAS + Brooks AFB [M] + (BROOKS-AFB-TAC) (512) 536-3081 (R6) (512) 536-3081 (R6) B/V + + Richardson [A] + (COLLINS-TAC) (214) 235-2131 (214) 235-2131 B + (214) 235-2143 (214) 235-2143 B + (214) 235-2178 (214) 235-2178 B + (214) 235-2204 (214) 235-2204 B + (214) 235-2251 (214) 235-2251 B + (214) 235-2278 (214) 235-2278 B + + UTAH + Dugway Proving Ground [M] + (DUGWAY-MIL-TAC) [none known] + + Salt Lake City (University of Utah) [A] + (UTAH-TAC) (801) 581-3486 (801) 581-3486 B/V + + VIRGINIA + Alexandria [M] + (DARCOM-TAC) (202) 274-5300 (202) 274-5300 B + (202) 274-5320 (R6) (202) 274-5320 (R6) B + + Arlington + (ARPA1-MIL-TAC) [M] [none known] + + (ARPA2-MIL-TAC) [M] [none known] + + (ARPA3-TAC) [A] [no dialup capability] + + Dahlgren [M] + (NSWC-TAC) (703) 663-2162 (R8) (703) 663-2162 (R8) B + + Langley Air Force Base [M] + (LANGLEY-MIL-TAC) [none known] + + McLean [M] + (DDN-PMO-MIL-TAC) [none known] + + + (MITRE-TAC) [M] + (703) 442-8020 (R15) + (703) 893-0330 (R10) (703) 893-0330 (R10) B/V + + Norfolk [M] + (NORFOLK-MILTAC) (804) 423-0241 (R2) (804) 423-0241 (R2) B + (804) 423-0247 (R2) (804) 423-0247 (R2) B + (804) 423-0346 (R4) (804) 423-0346 (R4) B + (804) 423-0480 (804) 423-0480 B + (804) 423-0486 (R2) (804) 423-0486 (R2) B + (804) 423-0489 (804) 423-0489 B + (804) 423-0570 (804) 423-0570 B + (804) 423-0572 (R2) (804) 423-0572 (R2) B + (804) 423-0577 (R2) (804) 423-0577 (R2) B + (804) 423-0651 (804) 423-0651 B + (804) 423-0654 (R3) (804) 423-0654 (R3) B + (804) 423-0841 (R2) (804) 423-0841 (R2) B + + Page 190 + + + + + The Official Phreaker's Manual + + (804) 423-0845 (804) 423-0845 B + (804) 423-0849 (804) 423-0849 B + (804) 423-0858 (804) 423-0858 B + (804) 423-0950 (804) 423-0950 B + (804) 423-0952 (804) 423-0952 B + (804) 423-0955 (R3) (804) 423-0955 (R3) B + (804) 423-0959 (804) 423-0959 B + + Reston + (DCEC-ARPA-TAC) [A] [no dialups available] + + (DCEC-MIL-TAC) [M] + (703) 437-2892 (R5) (703) 437-2928 B + (703) 437-2925 (703) 437-2929 B + (703) 437-2926 + (703) 437-2927 + + WASHINGTON + Seattle [A] + (WASHINGTON-TAC) [no dialup capability] + + ENGLAND [M] + (CROUGHTON-MIL-TAC) [none known] + + GERMANY [M] + (FRANKFURT-MIL-TAC) + (M) 2311-5641 (R8) B + + (RAMSTEIN2-MIL-TAC) [none known] + + ITALY [M] + (AGNANO-MIL-TAC) + + JAPAN [M] + (BUCKNER-MIL-TAC) + + (ZAMA-MIL-TAC) + + KOREA [M] + (KOREA-TAC) (M) 264-4951 (R8) B + + PHILIPPINES [M] + (CLARK-MIL-TAC) + + SPAIN [M] + (MILNET-TJN-TAC) [none known] + + (ROTA-MIL-TAC) [none known] + + Notes: + + 1. "(R10)" following phone number indicates a rotary with 10 lines. + + 2. For alternate phone numbers, FTS=Federal Telephone System. + 3. (M)=Military DoD Telephone System. + + 4. [M] denotes a MILNET TAC and [A] denotes an ARPANET TAC. + + + Page 191 + + + + + The Official Phreaker's Manual + + 5. "1200 Type" refers to the modem compatibility for 1200 baud only: + B/V = Bell and Vadic + B = Bell 212A only + V = Vadic 3400 only + + 6. This list is contained in the file NETINFO:TAC-PHONES.LIST at + SRI-NIC. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 192 + + + + + The Official Phreaker's Manual + + >>==========================<< + >>==> TELCO TEST NUMBERS <==<< + >>====> as of 5/16/85 <=====<< + >>=> compiled and updated <=<< + >>====> by Shadow 2600 <====<< + >>==========================<< + +011-44-61-2468011 : US dial tone then "When this system changes, this is the +new dial tone you hear" (UK is changing dialtone) + +201-226-0709 : alternating tones, then "warble" +201-267-9922 : sweep tone +201-267-9966 : 600 ohm termination +201-232-9924 : (tone 1,2,5-beep, bleep; 9,#- 1200 baud static, beep, bleep; +6-tone, higher tone, bleep) +201-232-9959 : tone 11 sec. silence, repeats... +201-233-9972 : multitude of clicks +201-233-9974 : busy 15 sec. then tone w/ clicks +201-241-9916 : hissing with clicks +201-328-9971 : 1000 hrtz tone +201-376-9907 : "is being checked for trouble. Please try again later" +201-464-9915 : low tone 15 sec, silence +201-464-9916 : low tone 2 sec, silence +201-464-9963 : buzz +201-464-9974 : busy 15 sec, low tone +201-543-9902 : "If you'd like to make a call, hang up and try it again." +201-543-9903 : "We're sorry, your call did not go through." +201-543-9904 : "the number you have dialed requires a .20 cents deposit." +201-655-9900 : "cannot be completed as dialed from the phone you are using" +201-769-0205 : People's Express Reservation system +203-771-4920 : telephone company employee newsline +207-866-4411 : 1000 hrtz tone +212-233-9980 : (tone 1,2,3,*-tone, higher tone, bloop; 5-tone, bloop; 9,#- +static,beep,bloop) +212-369-7003 : "you have reached 212-369-7003 in zone 3" (?) +212-799-5017 : ABC New York feed line +213-621-4141 : telephone employee newsline +213-935-1111 : sweep tone with echo at top of range (?) +215-489-0036 : tone, bloop (1,2,5-tone bloop, 3,6,9-tone, higher tone,tone) +215-489-0040 : "please check your instruction manual or call repair service for +assistance" +215-489-0042 : "if you like to make a call please hang up and try again" +215-489-0043 : "We're sorry, your call did not go through." +215-489-0044 : "The call you have made requires a 25 cent deposit" +215-489-0045 : "You must first dial a 1 when dialing this number." +215-489-0074 : LOUD tone, stops, repeats +215-489-0075 : 600 ohm termination (silence) +215-489-0078 : tone, silence +215-489-0080 : 600 ohm termination +215-489-0097 : tone, (lower pitched than -0078) silence (also at -0098) +215-489-0104 : 1000 hrtz tone +216-861-8300 : tone, then higher tone +301-256-9987 : 1000 hertz +301-546-7777 : "Due to Telephone Company facility trouble your call cannot be +completed at this time" +301-725-9904 : "deposit .20" +305-263-0000 : repeating bloop (keypress 2 : slow reorder w/ bloops, clicks) +305-994-9963 : pay fone instructions + + Page 193 + + + + + The Official Phreaker's Manual + +305-994-9966 : "telephone you are calling from is not in service" +312-222-9948 : tone (keypress 1,2,3,6,7,*-tone, high tone, bleep, +4-tone,bloop,9, #-static,beep,bloop) +312-222-9954 : "Test Center" +312-222-9990 : clicks, ticking like +312-222-9996 : LOUD tone, repeats +312-368-8000 : Illinois Bell Communicator (employee newsline) +312-592-0000 : tone (keypress 2222, then other digits, at re-order type * to +restart) (?) +313-223-7223 : telephone employee newsline +313-333-9981 : LOUD tone, silence +313-333-9989 : high tone (enter touchtones for a while, eventually get +"metallic" echo, then 5-high pitched tone, random re-orders) +313-333-9990 : beep, click repeats, with "winks" +313-333-9994 : tone bloop (keypress in 2-tone,bloop, 3-tone, higher tone,tone, +9-static, beep,bloop) +313-333-9995 : 600 ohm termination (silence) +313-333-9996 : weird siren/sweep tone, multi-frequency +313-430-4300 : beep, beep, beep, then reorder +313-698-9998 : sweep tone +314-247-5511 : Southwestern Bell Telenews (employee newsline) +315-471-9934 : "deposit 5 cents for next five minutes" +408-255-0081 : (any two 2,4,8,0-tone) +408-294-6969 : beep, click, computer voice repeats number +408-395-1110 : (tone 2-bleep,glitch; 3-beep,higher beep;#then number-loud +tone,bleep) +408-738-8190 : (tone 1,3,6,7,*-tone, high tone, tone;2-beep,cluck;9,#- +static,tone,beep) +408-745-6060 : high pitched tone, low tone then repeats +408-994-0044 : tone end of loop +412-633-3333 : telephone company employee newsline +414-628-0001 : continuous tone +414-628-0002 : continuous tone (higher pitched, sounds like muted dial) +414-628-0004 : high pitched tone, bloop, silence +414-628-0006 : brief very high tone (also -0007) (multiple keypresses of +2,5,8,0 tone repeats) +414-628-0010 : loud tone, stops, repeats... +414-628-0011 : loud tone, stops +414-628-0013 : 600 ohm termination (silence) (also -0017, two in an exchange?) +414-628-0014 : continuous tone (sounds like weird dial), eventually stops +414-628-0015 : LOUD tone, repeats +414-628-0028 : "Your call cannot be completed as dialed +414-678-3511 : Wisconsin Bell Newsline +414-781-0004 : high tone, silence (keypress 2,5-beep,bleep, 3,6-beep,longbeep, +bloop, 9-static,bloop) +415-284-1111 : one sweep, then silence +415-327-0046 : sweep tone +415-388-0037 : tone,bloop (keypress 2-tone,bloop, 3-tone,high tone,tone, +9-static,beep,bloop) +415-472-0046 : sweep w/ glitch at top +415-545-8800 : Pacific Bell Newsline +415-467-0097 : fast DTMF tones, keypress to repeat +415-777-0020 : 1000 hrtz tone +415-777-0037 : tone, bloop (keypress 2-beep,bloop, 3,6-tone,higher tone, +9-static,beep,bloop) +415-777-0046 : sweep tone with echo +415-777-0105 : tone,bloop (keypress 2-beep,bleep, 3,6-tone, higher tone, +tone,9-static,beep,bloop + + Page 194 + + + + + The Official Phreaker's Manual + +415-826-0022 : tone, click, tone (sounds like a busy) +415-994-0710 : multitude of clicks +512-472-2181 : "if you would like to make a call, please hang up and try +again" +512-472-4263 : garbled recording (?) +512-472-9833 : "you must first dial a 1 or 0 before calling this number" +512-472-9936 : "please check your instructions or call your business office for +assistance" +512-472-9941 : "insert 25 cents" +516-222-3825 : LOUD tone +516-234-9914 : New York Telephone Newsline +518-471-2272 : New York Telephone Newsline +518-789-3299 : weird busy, multitude of clicks +609-267-9966 : busy with clicks in background +609-267-9967 : 600 ohm termination (silence) +609-267-9968 : 1000 hrtz tone +609-267-9971 : LOUD tone, stops, repeats +609-267-9972 : rings with clicks in background (also -9973 and -9974) +609-877-9924 : high tone (tone in 1,2,5-tone, bloop; 3,6,*-tone, higher tone, +bleep; #-static, beep, bleep) +609-877-9929 : 1000 hrz tone +617-553-9953 : tone end of loop +617-890-9900 : sweep tone +617-955-1111 : telephone company employee newsline +619-748-0002 : tone increases in pitch, silence, repeats in monotone +619-748-0003 : sweep, repeat, hangs up +702-789-6711 : Nevada Bell Newsline +713-354-0000 : touch tone in #, then new #, then 5 - listed, 9 - unlisted) +713-482-3199 : "We're sorry, all circuit are busy now." +713-652-5111 : touch tones echo back "metallic", something about "drivers +licence number" replys in a female recorded voice +717-255-5555 : Bell of Pennsylvania "Inside Line" (employee newsline) +718-429-9900 : "Please slide a valid credit card through the slot now" +800-221-5959 : tone (# makes it ring) +800-228-8466 : Sensaphone (tm) demo (time etc. (EST) (wait 7+ rings)) +800-321-3048 : non-connecting loop with 800-321-3049 +800-321-3052 : loop (don't know where other end is) +800-321-6366 : Centagram's Voice Memo System (extension 100 for demo) +800-323-6321 : tone, stops, bloop repeats +800-327-0000 : "Announcement three, Dallas" (changes sometimes) +800-344-4001 : non-connecting loop with 800-344-4002 +800-524-0000 : "Announcement 1 Atlanta" +800-554-5924 : Cable News Network audio feed +800-824-8274 : "Enter your password service code" +802-955-1111 : telephone company newsline +808-533-4426 : Hawaiian Telephone Newsline +816-391-1122 : recorder (keypress 1-toggle on/off, 3-rewind, 4-stop, 7-play) +907-269-0955 : tone (sounds like extender, doesn't take touch tone (?)) +914-232-9901 : "Daytona, New York DMS-100 verification" +914-268-9901 : "Congers DMS 100 Verification" +914-268-9903 : "your call cannot be completed as dialed" +914-268-9968 : (keypress 2-high tone, 3-high, higher tone, 6,0-click, 7- hangs +up, sometimes 0,#,*-harmony) +914-359-9901 : repeats the number dialed ("914-359-9901") +914-359-9960 : weird tone, stops, clicks, repeats +914-623-9968 : (keypress 2,5-beep glitch, 3,6-tone highertone) +916-480-8000 : Pacific Bell Newsline + + + Page 195 + + + + + The Official Phreaker's Manual + + WHAT A TSPS CONSOLE LOOKS LIKE + +--- NON/COIN ---- ------------- COIN ------------- --------- HOTEL --------- + + ---- ---- ---- ---- ---- ---- ----- --- --- ---- +!VFY ! !OVER! !SCRN! !INWD! !EMER! !STA ! ! 0+ ! !DIAL! !STA ! ! 0+ ! +!DIAL! !POST! !TONE! !STA ! ! 0+ ! !DIAL! !QST ! ! ! ! ! ! ! + ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- + +----- OUTGOING TRUNKS ----- RING RELEASE + + ---- ---- ---- ---- ---- ----- ---- ---- ---- ---- +! DA ! !R&R ! !SWB ! !OGT ! !BACK! ! FWD ! !CALL! !T&C ! !NFY ! !CHG ! + ---- ---- ---- ---- ---- ----- ---- ---- ---- ! DUE! + ---- + --- ---- ---- ---- ---- ---- ---- ---- ---- ---- +!KEY ! !BACK! !FWD ! ! SR ! !MAKE! !MTCE! !POS ! !BACK! ! ! ! ! +!CLG ! ! ! ! ! ! ! !BUSY! !TRFR! ---- ---- ---- ---- + ---- ---- ---- ---- ---- ---- + + ----------------- AMA ----------------- + ---- ---- ---- ---- ---- ---- +STATION -----!PAID! !COL ! !SPL ! !SPL ! !AUTO! !DDD ! + ! ! ! ! !CLG ! !CLD ! !COL ! ! ! + ---- ---- ---- ---- ---- ---- + + ---- ---- ---- ---- ---- +PERSON ----- !PAID! !COL ! !SPL ! !SPL ! ! NO ! + ! ! ! ! !CLG ! !CLD ! !AMA ! + ---- ---- ---- ---- ---- + + ---- ---- ---- + !CLG ! !CLG ! !CLG ! + ! ! ! ! ! ! + ---- ---- ---- + + + + + + + + + + + + + + + + + + + + + + + + + Page 196 + + + + + The Official Phreaker's Manual + + Box Plans + + Hmm... I wonder! This is still under construction (Ha Ha). + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 197 + + + + + The Official Phreaker's Manual + + THE INFINITY TRANSMITTER + + TYPED BY THE GHOST WIND + + FROM THE BOOK BUILD YOUR OWN + LASER, PHASER, ION RAY GUN & OTHER WORKING SPACE-AGE PROJECTS + BY ROBERT IANNINI (TAB BOOKS INC) + +Description: Briefly, the Infinity Transmitter is a device which activates a +microphone via a phone call. It is plugged into the phone line, and when the +phone rings, it will immediately intercept the ring and broadcast into the +phone any sound that is in the room. This device was originally made by +Information Unlimited, and had a touch tone decoder to prevent all who did not +know the code from being able to use the phone in its normal way. This +version, however, will activate the microphone for anyone who calls while it is +in operation. +NOTE: It is illegal to use this device to try to bug someone. It is also +pretty stupid because they are fairly noticeable. +Parts List: +Pretend that uF means micro Farad, cap= capacitor + +Part # Description +---- - ----------- +R1,4,8 3 390 k 1/4 watt resistor +R2 1 5.6 M 1/4 watt resistor +R3,5,6 3 6.8 k 1/4 watt resistor +R7/S1 1 5 k pot/switch +R9,16 2 100 k 1/4 watt resistor +R10 1 2.2 k 1/4 watt resistor +R13,18 2 1 k 1/4 watt resistor +R14 1 470 ohm 1/4 watt resistor +R15 1 10 k 1/4 watt resistor +R17 1 1 M 1/4 watt resistor +C1 1 .05 uF/25 V disc cap +C2,3,5,6,7 5 1 uF 50 V electrolytic cap or tant + (preferably non-polarized) +C4,11,12 3 .01 uF/50 V disc cap +C8,10 2 100 uF @ 25 V electrolytic cap +C9 1 5 uF @ 150 V electrolytic cap +C13 1 10 uF @ 25 V electrolytic cap +TM1 1 555 timer dip +A1 1 CA3018 amp array in can +Q1,2 2 PN2222 npn sil transistor +Q3 1 D4OD5 npn pwr tab transistor +D1,2 2 50 V 1 amp react. 1N4002 +T1 1 1.5 k/500 matching transformer +M1 1 large crystal microphone +J1 1 Phono jack optional for sense output +WR3 (24") #24 red and black hook up wire +WR4 (24") #24 black hook up wire +CL3,4 2 Alligator clips +CL1,2 2 6" battery snap clips +PB1 1 1 3/4x4 1/2x.1 perfboard +CA1 1 5 1/4x3x2 1/8 grey enclosure fab +WR15 (12") #24 buss wire +KN1 1 small plastic knob +BU1 1 small clamp bushing +B1,2 2 9 volt transistor battery or 9V ni-cad + + Page 198 + + + + + The Official Phreaker's Manual + + +Circuit Operation: Not being the most technical guy in the world, and not being +very good at electronics (yet), I'm just repeating what Mr. Iannini's said +about the circuit operation. The Transmitter consists of a high grain +amplifier fed into the telephone lines via transformer. The circuit is +initiated by the action of a voltage transient pulse occurring across the +phone line at the instant the telephone circuit is made (the ring, in other +words). This transient immediately triggers a timer whose output pin 3 goes +positive, turning on transistors Q2 and Q3. Timer TM1 now remains in this +state for a period depending on the values of R17 and C13 (usually about 10 +seconds for the values shown). When Q3 is turned on by the timer, a simulated +"off hook" condition is created by the switching action of Q3 connecting the +500 ohm winding of the transformer directly across the phone lines. +Simultaneously, Q2 clamps the ground of A1, amplifier, and Q1, output +transistor, to the negative return of B1,B2, therefore enabling this amplifier +section. Note that B2 is always required by supplying quiescent power to TM1 +during normal conditions. System is off/on controlled by S1 (switch). + A crystal mike picks up the sounds that are fed to the first two +transistors of the A1 array connected as an emitter follower driving the +remaining two transistors as cascaded common emitters. Output of the +array now drives Q1 capacitively coupled to the 1500 ohm winding of T1. +R7 controls the pick up sensitivity of the system. + Diode D1 is forward biased at the instant of connection and essentially +applies a negative pulse at pin 2 of TM1, initiating the cycle. D2 clamps +any high positive pulses. C9 dc-isolates and desensitizes the circuit. The +system described should operate when any incoming call is made without ringing +the phone. + +Schematic Diagram: Because this is text, this doesn't look too hot. Please +use a little imagination! I will hopefully get a graphics drawing of this +out as soon as I can on a Fontrix graffile. + +To be able to see what everything is, this character: | should appear as a +horizontal bar. I did this on a ][e using a ][e 80 column card, so I'm sorry if +it looks kinda weird to you. + +Symbols: + resistor: -/\/\/- switch: _/ _ + battery: -|!|!- capacitor (electrolytic): -|(- + capacitor (disc): -||- _ _ + transistor:(c) > (e) Transformer: )||( + \_/ )||( + |(b) _)||(_ + diode: |< + chip: ._____. + !_____! (chips are easy to recognize!) + + Dots imply a connection between wires. NO DOT, NO CONNECTION. +ie.: _!_ means a connection while _|_ means no connection. +---------------------------------------------------------------------------- + +.________________________to GREEN wire phone line +| +| .______________________to RED wire phone line +| | +| | ._________(M1)______________. +| | | | +| | | R1 | + + Page 199 + + + + + The Official Phreaker's Manual + +| | !__________/\/\/____________! +| | | _!_ C1 +| | |this wire is the amp ___ +| | |<=ground | R2 +| | | !___________________/\/\/_____________. +| | | ._______!_______. | +| | !___________________!4 9 11!_____________________________! +| | | | | | +| | !___________________!7 12._____________________________! +| | | | A1 | R3 | +| | !___________________!10 ____*8!_______.____/\/\/____________! ^ +| | | | / | | | | +| | | C4 | / | \ |2ma +| | !____||______. | / | /R4 B1 + +| | | || | | / | \ |!|! +| | | R7 | C2 | / | / | +| | !____/\/\/___!__)|__!8*_/ | | S1 | +| | | ^ | 6!_______! neg<__/.__! +| | | | C3 | | | C5 return | +| | | !_____|(___.__!3 | '-|(-| | +| | | | | 5 1!____________! | +| | | \ !_______._______! | B2|!|! +| | !________. R8 / | | + +| | | \ | | R6 |3ma +| | | !__________!____________________|_____/\/\/______! | +| | | R5 | | | v +| | !__/\/\/___________|____________________! | +| | | | | +| | | | | +| | | C6 | | +| | | |-)|-' R9 | +| | | !_________________/\/\/_______. | +| | | | | | +| | | Q1 _!_ | R10 | +| | !____________/ \____________________________!__/\/\/_____! +| | | | | +| | | | | +| | | C8 | | +| | !__________)|_______________________________|____________! +| | ! | | +| | / | | +| | -----| | | +| | | \ | | +| | | > | | +| | | | | | +| | | | | | +| | | !_____________. | | +| | | | | | +| | !__________. | | | +| | | | | | +| !________. | | ._____! | +| | | | | | +| | | | | | +| | | | | C7 | +| | | | '-|(-| | +| |_________|_________!_______.T1._________________| | +| | | 1500 )||( 500 | +| | | ohm )||( ohm | + + Page 200 + + + + + The Official Phreaker's Manual + +| | !______.)||(.__. | +| | | | | +| | | | | +| | | > | +| | | |/ | +| | | +----| Q3 | +| | | | |\ | +!____________________|_________|_______|______!__. D1 C9 | + | | | '-|<---|(------| | + .______________! | | | | + | | | | | + | .________________! | | | + | | | | | + \ | .________________! C11 | | + / | | .___||____________! | + R13 \ | | | || | | + / | | | | | + \ !___.___|_______________________! | | + | | | | | R16 | R15 | + | v | | !___/\/\/\________!___/\/\/_! + | neg | | | D2 | | + | return | | !_____|<__________! | + | B1,B2 | \ | | | + | | / | .____________!_. | + | | \R14 |C12 | TM1 2 | | + | | / !_||_!5 4!_______! + | | \ | || | | | + | | | !____!1 8!_______! + | | | | | 7 6 3 | | + | | | | !_____._.____._! | + | | | | | | | | + | | | | C13 | | | R17 | + | | | !___)|_____!_!____|__/\/\/__! + | | | | | | + !___________|___!_______________________|_________________! | + | | | | + | \ | C10 | + | /R18 !__________)|_______________! + | \ + | / + | | + !___O J1 + sense output + +Construction notes: Because the damned book just gave a picture instead of step +by step instructions, and I'll try to give you as much help as possible. Note +that all the parts that you will be using are clearly labeled in the schematic. +The perfboard, knobs, 'gator clips, etc are optional. I do strongly suggest +that you do use the board!!! It will make wiring the components up much much +easier than if you don't use it. + The knob you can use to control the pot (R7). R7 is used to tune the IT so +that is sounds ok over the phone. (You get to determine what sounds good) By +changing the value of C13, you can change the amount of time that the circuit +will stay open (it cannot detect a hang up, so it works on a timer.) A value of +100 micro Farads will increase the time by about 10 times. + The switch (S1) determines whether or not the unit is operational. Closed is +on. Open is off. The negative return is the negative terminals of the battery!! +The batteries will look something like this when hooked up: + + Page 201 + + + + + The Official Phreaker's Manual + + <-v_____. .______. ._____. .____-> + | | | | | | + __!___!__ | | __!___!__ + | + - | !_/ _! | + - | + | | switch ^ | | + | 9volts| | | 9volts| + !_______! neg return !_______! + + To hook this up to the phone line, there are three ways, depending upon what +type of jack you have. If it is the old type (non modular) then you can just +open up the wall plate and connect the wires from the transmitter directly to +the terminals of the phone. + If you have a modular jack with four prongs, attach the red to the negative +prong (don't ask me which is which! I don't have that type of jack... I've only +seen them in stores), and the green to the positive prong, and plug in. Try not +to shock yourself... + If you have the clip-in type jack, get double male extension cord (one with a +clip on each end), and chop off one clip. Get a sharp knife and splice off the +grey protective material. You should see four wires, including one green and +one red. You attach the appropriate wires from the IT to these two, and plug +the other end into the wall. + +Getting the IT to work: If you happen to have a problem, you should attempt to +do the following (these are common sense rules!!) Make sure that you have the +polarity of all the capacitors right (if you used polarized capacitors, that +is). Make sure that all the soldering is done well and has not short circuited +something accidently (like if you have a glob touching two wires which should +not be touching.) Check for other short circuits. Check to see if the battery +is in right. Check to make sure the switch is closed. + If it still doesn't work, drop me a line on one of the Maryland or Virginia +BBSs and I'll try to help you out. + +The sense output: Somehow or other, it is possible to hook something else up to +this and activate it by phone (like an alarm, flashing lights, etc.) + +As of this writing, I have not tried to make one of these, but I will. If you +actually get it working, leave me a note somewhere. + +I sure hope all you people appreciate this. + + +<<< the Ghost Wind >>> + + + + + + + + + + + + + + + + + + Page 202 + + + + + The Official Phreaker's Manual + + :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: + : : + : SILVER BOX: AN ALTERNATE METHOD OF CONSTRUCTION : + : : + : BY: THE LOCK LIFTER--1/25/85 : + : : + :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: + +PARTS & EQUIPMENT: +(1) POCKET TONE DIALER (RADIO SHACK CAT. NO. 43-138) +(2) SINGLE POLE DOUBLE THROW SWITCH (TOGGLE, THE SMALLER THE BETTER) +(3) SOLDERING IRON + + THIS MODIFICATION WILL ALLOW THE PRODUCTION OF A,B,C,&D TONES. WHEN YOU +FLIP THE SWITCH THE 3,6,9,&# KEYS WILL BECOME A,B,C,&D RESPECTIVELY. THE IC +INSIDE THE DIALER IS CAPABLE OF MAKING THESE TONES ALREADY, ALL WE MUST DO IS +CONNECT IT FULLY. THIS MOD CAN ALSO BE MADE TO MANY ELECTRONIC FONES THAT +CONTAIN A DTMF TONE ENCODING IC. THIS CHIP CAN BE IDENTIFIED BY THE NUMBER 5089 +OR S2559 OR MK5380 OR TCM5087N. PIN 9 OF THESE CHIPS IS THE FOURTH COLUMN +KEYPAD INPUT WHILE PIN 5 IS THE THIRD COLUMN. NOW ON WITH THE CONSTRUCTION. + +1) REMOVE THE BATTERY COVER, BATTERIES, AND THE SMALL SCREW. THE CASE SHOULD +NOW POP OPEN WITH A LITTLE PRESSURE. +2) OPEN THE CASE SO THAT THE HALF CONTAINING THE SPEAKER AND THE BATTERIES +IS ON YOUR LEFT WITH THE BATTERIES ON THE BOTTOM. YOU SHOULD NOW BE LOOKING AT +THE BACK OF 2 PRINTED CIRCUIT BOARDS. +3) FIND THE TWO ROWS OF SOLDER BEADS WHERE THE IC IS CONNECTED. THE UPPER +LEFT PIN OF THE 2 ROWS SHOULD HAVE NO SOLDER ON IT. THIS IS PIN 9 OF THE IC. +4) ATTACH A SHORT WIRE TO PIN 9. +5) SEE THE 8 GOLD WIRES GOING TO THE KEY PAD? UNSOLDER THE ONE 4TH FROM THE +LEFT AND CONNECT IT TO A SHORT WIRE. +6) SOLDER A SHORT WIRE INTO THE NOW VACANT HOLE IN THE KEYPAD PCB. +7) MELT OR DRILL A ROUND HOLE IN THE PLASTIC CASE FOR THE SWITCH. THE BEST +PLACE FOR THIS IS OPPOSITE THE SMALL PCB CONTAINING THE L.E.D. +8) INSERT THE SWITCH AND SCREW IT IN PLACE. +9) ATTACH THE WIRE FROM THE KEYPAD PCB TO THE CENTER OF THE SWITCH. ATTACH THE +OTHER TWO WIRES TO THE OTHER TWO POLES OF THE SWITCH. JUST CLOSE THE CASE, PUT +BACK IN THE SCREW AND BATTERIES. + +THE SWITCH WILL NOW ALLOW THE 3RD COLUMN KEYS TO PRODUCE BOTH 3RD AND FOURTH +COLUMN TONES. HAVE PHUN + + + + + + + + + + + + + + + + + + + Page 203 + + + + + The Official Phreaker's Manual + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Well, this is just a page to protect the other pages. + I hope you enjoyed the book! + + + + + + + + + + + + + + + + + + + + + + + + + Page 204 + + + + + * DANSE MACABRE * (713) 324-2139 * C.A.B.A.L W.H.Q * diff --git a/textfiles.com/phreak/PHREAKING/morality b/textfiles.com/phreak/PHREAKING/morality new file mode 100644 index 00000000..a0b76410 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/morality @@ -0,0 +1,48 @@ +File: HACKER MORALITY + Read 33 times + + A lesson in phreaking and hacking morality: + + I find it truly discouraging when people, intelligent people seeking +intellectual challenges, must revert to becoming common criminals. The +fine arts of hacking and boxing have all but died out. Though you newcomers, +you who have appeared on the scene in the last year or two, may not realize it, +we had it much better. People didn't recognize our potential for destruction +and damage because we never flaunted it, nor did we exercise it. + + For hacking, it was the intellectual challenge which drove us to do it. +The thrill of bypassing or breaking through someone's computer security was +tremendous. It wasn't a case of getting a password from a friend, logging on, +and destroying an entire database. We broke in for the challenge of getting in +and snooping around WITHOUT detection. We loved the potential for destruction +that we gave ourselves, but never used. + + Today, after so much publicity, the fun has turned to true criminality. +Publicity we have received is abhorring. From WarGames to the headlined October +Raids, to the 414's, the Inner Circle, Fargo 4a, and the recent NASA +breakins--not to mention all the local incidents that never made the big +newspapers, like breakins at school computers or newspaper computers. TRW +credit information services claims hackers used the three stolen accounts to +aid them in abusing stolen credit cards. The thrill of entering and looking +around has shifted to criminal practicality--how can I make my bank account +fatter--how may I use this stolen credit card to its fullest--how could I take +revenge upon my enemies. + + And then there is the world of Phone Phreaking. The number of phreaks has +grown from an elite few, perhaps ten or twenty, to well over a thousand. +Still, there remain only about 10 or 20 good, longlasting phreaks. The rest +receive information and abuse its uses until the information is no longer valid +. +Even worse, they seek publicity! They WANT to be caught! Many even use their +real names on bulletin board systems to promote publicity. Meanwhile, the REAL +phone phreaks have been resting in the shadow of the rest, waiting for +phreaking to become so dangerous as to become a challenge once again. Once +security tightens and only the strong survive (phreak Darwinism?), phreaking +will be restored as a way to 'beat the system' without costing anyone anything. + + Hacking may soon be dead, but may phone phreaking live on! + + Big Brother + +Call The Works BBS - 1600+ Textfiles! - [914]/238-8195 - 300/1200 - Always Open + diff --git a/textfiles.com/phreak/PHREAKING/morality.txt b/textfiles.com/phreak/PHREAKING/morality.txt new file mode 100644 index 00000000..d3bf730a --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/morality.txt @@ -0,0 +1,47 @@ +File: HACKER MORALITY + Read 33 times + + A lesson in phreaking and hacking morality: + + I find it truly discouraging when people, intelligent people seeking +intellectual challenges, must revert to becoming common criminals. The +fine arts of hacking and boxing have all but died out. Though you newcomers, +you who have appeared on the scene in the last year or two, may not realize it, +we had it much better. People didn't recognize our potential for destruction +and damage because we never flaunted it, nor did we exercise it. + + For hacking, it was the intellectual challenge which drove us to do it. +The thrill of bypassing or breaking through someone's computer security was +tremendous. It wasn't a case of getting a password from a friend, logging on, +and destroying an entire database. We broke in for the challenge of getting in +and snooping around WITHOUT detection. We loved the potential for destruction +that we gave ourselves, but never used. + + Today, after so much publicity, the fun has turned to true criminality. +Publicity we have received is abhorring. From WarGames to the headlined October +Raids, to the 414's, the Inner Circle, Fargo 4a, and the recent NASA +breakins--not to mention all the local incidents that never made the big +newspapers, like breakins at school computers or newspaper computers. TRW +credit information services claims hackers used the three stolen accounts to +aid them in abusing stolen credit cards. The thrill of entering and looking +around has shifted to criminal practicality--how can I make my bank account +fatter--how may I use this stolen credit card to its fullest--how could I take +revenge upon my enemies. + + And then there is the world of Phone Phreaking. The number of phreaks has +grown from an elite few, perhaps ten or twenty, to well over a thousand. +Still, there remain only about 10 or 20 good, longlasting phreaks. The rest +receive information and abuse its uses until the information is no longer valid +. +Even worse, they seek publicity! They WANT to be caught! Many even use their +real names on bulletin board systems to promote publicity. Meanwhile, the REAL +phone phreaks have been resting in the shadow of the rest, waiting for +phreaking to become so dangerous as to become a challenge once again. Once +security tightens and only the strong survive (phreak Darwinism?), phreaking +will be restored as a way to 'beat the system' without costing anyone anything. + + Hacking may soon be dead, but may phone phreaking live on! + + Big Brother + + \ No newline at end of file diff --git a/textfiles.com/phreak/PHREAKING/nb90s1.txt b/textfiles.com/phreak/PHREAKING/nb90s1.txt new file mode 100644 index 00000000..3ddd63fe --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/nb90s1.txt @@ -0,0 +1,36 @@ +A NEWBIES GUIDE TO PHREAKING IN THE '90s +volume I + +I hate to do this part but as usuall...it's a must. Our Disclaimer: We in no way are responsible for any actions you take with the knowledge gained from this manual. It is intended for informational purposes only. Yadda, yadda yadda...just get to the manual. + +When I started phreaking I noticed how out of date and complicated many of the phreaking texts i read were. This is intended to be a new guide to phreaking in the '90s. It will include several other things besides just how to phreak, alhthough many sections will be devoted to that topic from before the phreak, during the phreak, and after the phreak. This guide will also concentrate on phreaker ethics, and several other related issues. + I. Explanation of what makes us do what we do and why we do it. + A.Intro + II. Before the phreak. + A. Tools + B. Location + III. During the phreak + A. What to do and how to do it + B. Novices exercises + C.Dozens of other things to do with fones + IV. After the phreak + A. Clean up and other assorted misc. + V. Conclusions + +If you are anything like I was when I started to learn, you just got internet access right? One of the first things you typed into your browser was hacking wasn't it? So at night and when your parents were away you poured over hacking text files and web pages. You understood less than half of what you read but it was interesting you wanted more of it. It led you to other areas of the electronic black arts didn't it? You saw words you've never seen before, things like phreaking or warez or carding or virii. You guessed at how to pronounce them, you guessed at what they ment. Then you started finding out more about them. Phreaking turned out to be telephone hacking in a sense. You read and read more and more about all of it. You read about different things about phones that you never knew before, the mere posibillity of which made you tingle. This is all in the spirit of hacking and phreaking, learning and the intense desire to know more, to know how things work. If you are anything like I was when I startd to learn, you wanted and needed an up to date, easy to understand text file. Well here it is. + +Phreaks have ethics, contrary to the belief of many a phone company. You've probably seen and read several different versions of the phreaks ethics and the 10 commandments of the phone phreak and other files. They are all good and all say the same thing more or less and I'm not going to rewrite them here. I have my own code of ethics, which is just a variation of the foundation rules set in place. NEVER cause intentional damage to a phone or phone system. If you insist on causing damage or it is unavoidable to attain your goal don't cause permenant or expensive damage. This kind of damage is never neccessary and should be avoided at all costs. As for the rest of the ethics it's up to you to decide how to procede, i can't force (nor would i try to) you to follow any code of ethics, however a phreak without ethics is just a jackass who knows something about phones. I can garuntee you that if you don't have a code of ethics, you will be black balled from the phreaking/hacking community. + +What do you need in the way of tools? For starters go to garage sales...find a phone that has the key pad on the reciever (the end of the phone you talk into and listen from). Now get yourself some phone cord. Cut off the modular plug (the phone jack. the little plastic thing the wires go into) on ONE end. You will see 4 different colors of wires red, green, yellow, and black. For the most part the important ones are the green and the red. Strip the casing from the four wires, now strip the insulation from the red and green wires...yellow and black too if you're bored. Get yourself some aligator clips...I prefer the color coded/insulated kind. Now attach the alligator clips to the wires..if you have color coded clips like I reccommend then put them on the corresponding color wire. Plug the cord into the phone you got at the garage sale. You now have the basic version of what is known as a beige box or a linemans handset. This is a neccessary tool for any phreak. Other tools I reccommend (as you progress in your training you'll figure out why) are: a 7/16 hex wrench, a phone cord stripping device (it's a bitch to strip those wires isn't it) wide assorment of phone connecters, and an assortment of small tools like pliers and wire clippers and screwdreivers. These are the BASIC tools. As you become more advanced you'll want more and more tools to build boxes (more on this later) and other things. But for your first phreak you'll only need the beige box you've built and a screw driver. + +First you need to find a secluded spot...this wasn't hard for me because I lived in a rural community, but it may be harder if you live in the city. The spot you choose for your first phreak should have access to a phone box (I used the one on the side of a house). If you're dealing with this kind of set up good, it's eaisier for the first phreak. Where I was the boxes on the houses where grey or green. As you become more advanced you'll move on to the big green or grey boxes you see along the road and other more complicated things. + +Now that you have the right tools and the location for your first phreak you're ready. This is how to proced. Open the box by unscrewing the screw labled open. Now you'll see a jumble of wires...no problem...find the red and green wires...if there is more than one set on these pick a set..any set. Now look at where the wires are attached...they are attached to some screw terminals right? good. Look at them closely see how the wire is stripped to fit around the terminal...see how the end of the wire is available to you. Attach your red aligator clip to the end of the red wire in the box...and the green to the green. Listen to your phone..hear the dial tone...if not make sure your clips are making good contact and are not touching each other. Now call a number...not your own house of course...and not a friend. CONGRATULATIONS you've just completed your first phreak. I know it wasn't much but it got you started didn't it. + + Now disconnect from the box and close it up...just the way you found it. If you haven't called any unusuall numbers like the 900 variety or the long distance kind the person you just phreaked off of will never know. However if you need to make long distance calls or anything of the like you now know how to do it at no cost to you. A word of caution is...don't always use the same house to phreak off of. + + This is the simplist form of phreaking. But it gives you a base to build off of. Think about the possibilities. You could get longer cords and connect them permentaely to a neighbor's house and barry the cord so you have instant access to their phone...or set up a recording device and every time they have a phone conversation you will know exactly what goes on in their lives...trust me it gets old after awhile unless you have very interesting neighbors. Pay phones offer dozens of opportunities to the phreak. You can make free calls with the right tones, get coins back, or turn it into your personal bank, and any other number of things. There are endless possibilities of things to do on phones. read the other text files out there and you will find out what they are. + + What the hell are boxes? I asked myself this question a lot. Boxes are devices the phreaks build to do litterally hundereds of different things. Boxes are identified by colors such as red and green and blue. They all serve a different purpose. Some boxes don't have anything to do with phreaking such as the chrome box...but they are usefull and provide great entertainment. Over the course of your learning you will find out about the different colors of boxes and their functions. Most boxes are easy and cheap to make and you'll learn to build them and use them effectively. + + This is the first in what we hope to be a series of texts for the newbie phreak in the '90s. We hope you enjoyed this file and you read the next one to be released soon. We would like to take this opportunity to welcome our newest writer Jester, we hope he can provide the underground with lots of great files. This has been another great file by Dial-Tone, and the rest of us here at ILS (Information Liberation Specialists). diff --git a/textfiles.com/phreak/PHREAKING/obsphrk.txt b/textfiles.com/phreak/PHREAKING/obsphrk.txt new file mode 100644 index 00000000..cadf910d --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/obsphrk.txt @@ -0,0 +1,3482 @@ +Subject: 3500 lines of obsolete phreaking stuff +Date: Thu May 12 13:13:03 1994 + + +This is something I put together a few years ago. None of it was +written by me. I spellchecked it, made a table of contents, and +converted from 20 column all-caps and removed K0oL spellings. + +I don't want comments, good or bad. I figured somebody might +want this, so I'm posting it, but that the extend of my involvement. + +I'm sorry about the control-L's. I don't know how to remove them. + + + xxxxxxxxxxxxxxxxxxxxxxxxxxx + Table of Contents + + + +Introduction to hacking. . . . . . . . . . . . . . . . . . . . 1 + +Phone Hacking. . . . . . . . . . . . . . . . . . . . . . . . . 2 + Basic Boxes Technically Explained . . . . . . . . . . . . 3 + (BLUE,3); (BLACK,4); (CHEESE,5) + Voice mail box hacking. . . . . . . . . . . . . . . . . . 6 + Blue Box Tones. . . . . . . . . . . . . . . . . . . . . . 9 + Customer name and address . . . . . . . . . . . . . . . . 9 + Lock In Trace . . . . . . . . . . . . . . . . . . . . . . 14 + Pinkish Box . . . . . . . . . . . . . . . . . . . . . . . 16 + Pearl Box . . . . . . . . . . . . . . . . . . . . . . . . 17 + Brown Box . . . . . . . . . . . . . . . . . . . . . . . . 19 + Scarlet box . . . . . . . . . . . . . . . . . . . . . . . 20 + Day-Glow. . . . . . . . . . . . . . . . . . . . . . . . . 20 + Gold Box Plans. . . . . . . . . . . . . . . . . . . . . . 22 + Green Box . . . . . . . . . . . . . . . . . . . . . . . . 23 + Blotto Box. . . . . . . . . . . . . . . . . . . . . . . . 23 + +Computer Hacking . . . . . . . . . . . . . . . . . . . . . . . 26 + Tymnet. . . . . . . . . . . . . . . . . . . . . . . . . . 27 + Telenet . . . . . . . . . . . . . . . . . . . . . . . . . 32 + Hacking Unix. . . . . . . . . . . . . . . . . . . . . . . 34 + Primenet. . . . . . . . . . . . . . . . . . . . . . . . . 36 + Hacking DECs. . . . . . . . . . . . . . . . . . . . . . . 44 + Crashing BBSs . . . . . . . . . . . . . . . . . . . . . . 45 + Credit bureaus. . . . . . . . . . . . . . . . . . . . . . 54 + File grabbing on large systems. . . . . . . . . . . . . . 64 + +Potpourri. . . . . . . . . . . . . . . . . . . . . . . . . . . 65 + Bugs. . . . . . . . . . . . . . . . . . . . . . . . . . . 66 + Wiretapping . . . . . . . . . . . . . . . . . . . . . . . 67 + Lunch Box . . . . . . . . . . . . . . . . . . . . . . . . 72 + Beep Time . . . . . . . . . . . . . . . . . . . . . . . . 76 + +Reference. . . . . . . . . . . . . . . . . . . . . . . . . . . 77 + 8OO VMB Systems . . . . . . . . . . . . . . . . . . . . . 78 + Extenders . . . . . . . . . . . . . . . . . . . . . . . . 78 + Loops . . . . . . . . . . . . . . . . . . . . . . . . . . 79 + PBXs. . . . . . . . . . . . . . . . . . . . . . . . . . . 79 + Sweeps. . . . . . . . . . . . . . . . . . . . . . . . . . 79 + 1-800 modem numbers . . . . . . . . . . . . . . . . . . . 79 + Area Codes by State . . . . . . . . . . . . . . . . . . . 82 + INTRODUCTION TO HACKING + +Most people who have never hacked or are beginners think that +hackers are a small community of very knowledgeable computer +"geniuses" that randomly break into systems for fun and then +create havoc or steal information. I will speak of my own views +on hacking which shouldn't reflect the feelings of the entire +hacking community but I would guess a large amount. First of all +hacking is getting more and more risky everyday. Because of this, +hacking for fun isn't as safe as it used to be (although most of +my hacking is for fun). The reason people (people I know) hack is +because we believe in free information exchange. This means that +I should be able to freely access any information that is +available over the modem that I want. There are obvious reasons +why this can't be achieved, but if people have information that +is that sensitive then it should not be put out over the modem. +Now the second and biggest misconception about hacking is how the +hacker actually "hacks". Most people think that hacking is just +basically getting lucky and guessing a password that lets you +into a system. This is *very* untrue. Let us take an example that +you have just broken into the CIA's computer system. So suddenly +you get a -> prompt. Now what do you do?!? This is the difference +between the hacker and some kid that is good at guessing. The kid +may be able to guess a password, but if he doesn't know what to +do once he's in then he might as well have not even hacked the +password at all. So, the main objective of the hacker is to +concentrate on learning how to use a system. After he has done +that then he can figure out ways to get around certain kinds of +security and get to the stuff he wants. So what you should do is +read all the manual's and text files that you can get your hands +on. Because before you can defeat a system, you must know how it +works (this works for life in general). Ok, now you understand +what hacking is and how you should go about learning it. + + Phone Hacking + Basic Boxes Technically Explained + +BLUE + The "Blue Box" was so named because of the color of the first +one found. The design and hardware used in the Blue Box is fairly +sophisticated, and its size varies from a large piece of +equipment to the size of a pack of cigarettes. The Blue Box +contains 12 or 13 buttons or switches that emit multi-frequency +tones characteristic of the tones used in the normal operation of +the telephone toll (long distance) switching network. The Blue +Box enables the user to place free long distance calls by +circumventing toll billing equipment. The Blue Box may be +directly connected to a phone line, or it may be acoustically +coupled to a telephone handset by placing the Blue Box's speaker +next to the transmitter or the telephone handset. To understand +the nature of a fraudulent Blue Box call, t is necessary to +understand the basic operation of the Direct Distance Dialing +(DDD) telephone network. When a DDD call is properly originated, +the calling number is identified as an integral part of +establishing the connection. This may be done either +automatically or, in some cases, by an operator asking the +calling party for his telephone number. This information is +entered on a tape in the Automatic Message Accounting (AMA) +office. This tape also contains the number assigned to the trunk +line over which the call is to be sent. The information relating +to the call contained on the tape includes: called number +identification, time of origination of call, and info that the +called number answered the call and time of disconnect at the end +of the call. Although the tape contains info with respect to many +different calls, the various data entries with respect to a +single call are eventually correlated to provide billing info for +use by your Bell's accounting department. The typical Blue Box +user usually dials a number that will route the call into the +telephone network without charge. For example, the user will very +often call a well-known INWATS (toll-free) customer's number. The +Blue Box user, after gaining this access to the network and, in +effect, "seizing" control and complete dominion over the line, +operates a key on the Blue Box which emits a 2600 Hertz (cycles +per second) tone. This tone causes the switching equipment to +release the connection to the INWATS customer's line. The 2600Hz +tone is a signal that the calling party has hung up. The Blue Box +simulates this condition. However, in fact the local trunk on the +calling party's end is still connected to the toll network. The +Blue Box user now operates the "KP" (Key Pulse) key on the Blue +Box to notify the toll switching equipment that switching signals +are about to be emitted. The user then pushes the "number" +buttons on the Blue Box corresponding to the telephone # being +called. After doing so he/she uses the "ST" (Start) key to tell +the switching equipment that signalling is complete. If the call +is completed, only the portion of the original call prior to the +'blast' of 2600Hz tone is recorded on the AMA tape. The tones +emitted by the Blue Box are not recorded on the AMA tape. +Therefore, because the original call to the INWATS # is toll- +free, no billing is rendered in connection with the call. +Although the above is a description of a typical Blue Box call +using a common way of getting into the network, the operation of +a Blue Box may vary in any one or all of the following respects: + +The Blue Box may include a rotary dial to apply the 2600Hz tone +and the switching signals. This type of Blue Box is called a +"dial pulser" or "rotary SF" Blue box. Getting into the DDD toll +network may be done by calling any other toll-free # such as +Universal Directory ASSistance (555-1212) or any number in the +INWATS network, either inter-state or intra-state, working or +non-wrking. Entrance into the DDD toll network may also be in +the form of "short haul" calling. A "short haul" call is a call +to any # which will result in a lesser amount of toll charges +than the charges for the call to be completed by the Blue Box. +For example, a call to Birmingham from Atlanta may cost $.80 for +the first 3 minutes while a call from Atlanta to Los Angeles is +$1.85 for 3 minutes. Thus, a short haul, 3-minute call to +Birmingham from Atlanta, switched by use of a Blue Box to Los +Angeles, would result in a net fraud of $1.05 for a 3 minute +call. A Blue Box may be wired into the telephone line or +acoustically coupled by placing the speaker of the Blue Box near +the transmitter of the phone handset. The Blue Box may even be +built inside a regular Touch-Tone phone, using the phone's push- +buttons for the Blue Box's signalling tones. A magnetic tape +recording may be used to record the Blue Box tones for certain +phone numbers. This way, it's less conspicuous to use since you +just make it look like a walkman or whatever, instead of a box. + + All Blue Boxes, except "dial pulse" or "Rotary SF" Blue Boxes, +must have the following 4 common operating capabilities: + +It must have signalling capability in the form of a 2600Hz tone. +This tone is used by the toll network to indicate, either by its +presence or its absence, an "on hook" (idle) or "off hook" (busy) +condition of the trunk. The Blue Box must have a "KP" tones that +unlocks or readies the multi-frequency receiver at the called end +to receive the tones corresponding to the called phone #. The +typical Blue Box must be able to emit M tones which are used to +transmit phone #'s over the toll network. Each digit of a phone # +is represented by a combination of 2 tones. For example, the +digit 2 is transmitted by a combination of 700Hz and 1100Hz. The +Blue Box must have an "ST" key which consists of a combination of +2 tones that tell the equipment at the called end that all digits +have been sent and that the equipment should start switching the +call to the called number. + +BLACK + This Box was named because of the color of the first one +found. It varies in size and usually has one or two switches or +buttons. Attached to the telephone line of a called party, the +Black Box provides toll-free calling *to* that party's line. A +Black Box user tells other people beforehand that they will not +be charged for any call placed to him. The user then operates the +device causing a "non-charge" condition ("no answer" or +"disconnect") to be recorded on the telephone company's billing +equipment. A Black Box is relatively simple to construct and is +much less sophisticated than a Blue Box. NOTE: This will not work +on any type of Electronic Switching Systems, (ESS, DMS100 etc.) + +CHEESE +This Box was named after the container in which the first one was +found. Its design may be crude or very sophisticated. Its size +varies; one was found the size of a half-dollar. A Cheese Box was +used most often by bookmakers or betters to place wagers without +detection from a remote location. The device inter-connects 2 +phone lines, each having different #'s but each terminating at +the same location. In effect, there are 2 phones at the same +location which are linked together through a Cheese Box. It is +usually found in an unoccupied apartment connected to a phone +jack or connecting block. The bookmaker, at some remote location, +dials one of the numbers and stays on the line. Various bettors +dial the other number but are automatically connected with the +book maker by means of the Cheese Box interconnection. If, in +addition to a cheese box, a Black Box is included in the +arrangement, the combined equipment would permit toll-free +calling on either line to the other line. If a police raid were +conducted at the terminating point of the conversations -the +location of the Cheese Box- there would be no evidence of +gambling activity. This device is sometimes difficult to +identify. Law enforcement officials have been advised that when +unusul devices are found associated with telephone connections +the phone company security representatives should be contacted to +assist in identification. + +(This probably would be good for a BBS, especially with the Black +Box set up. and if you ever decided to take the board down, you +wouldn't have to change your phone #. It also makes it so you +yourself cannot be traced. I am not sure about calling out from +one though.) VOICE MAIL BOX HACKING + +Hello again, and welcome to another œegions f œucifer text file! +This text file has to do with hacking and scanning VMBs. The +reason I am writing this file is because I am very good at it, +and have had years of experience. In fact I have been called by +MCI for screwing them over by attacking and taking over a whole +damn system with a few friends of mine. Anyway, hacking VMBs is +very simple and basically safe, and not only that but they are +cool to have around. You can give them to friends, you can trade +them for access on bulletin boards, or you can use it for +yourself. As for this 'Tutorial on Hacking VMBs', we will be +talking about what systems to hack, how you go about hacking +them, default passwords, hints on better scanning, and having +your very own box. + +VMB, in case you don't know, stands for 'Voice Mail Box'. Now a +VMB is like an answering machine. You can use it for all sorts of +things. Most VMB systems are dialed though 800 numbers. People +call up the VMB system that you have a box on, and dial in your +box number and then leave you a message. Whenever you want to +check your box, you just call up, enter your password and read +your messages. Inside a VMB you can do whatever, you can leave +messages to others on the system, you can change your 'Out Going' +message, you can have guest boxes (Explained later), you can have +the box call your house when you get an Urgent message, you can +do a lot of things. In fact, on some systems you can even CALL +OUT through them, so they can be used as a code of sorts! They +are cool to have. + +You should scan/hack out Virgin Systems, this is another way of +calling a system that hasn't been hack out yet. Also, CINDI +Systems and ASPEN Systems have the best boxes and the most +options that VMB Systems can offer. I will be talking about ASPEN +System today since I know most about those. + +Okay once you've found your Virgin VMB System, you start to scan. +Just incase you don't know what scanning is, that means you +search for boxes that are hackable (Explained later on). Now you +dial up the system and when it picks up and the bitch starts to +talk, press the "#" key. It will then ask you for your box +number... now there are two different way the ASPEN System can be +configured: 1) a "3 Digit Box Number System" or 2) a "4 Digital +Box Number System". Now lets just say this system is a 3 Digit +System. Okay, when it asks for your Box Number, enter in 999, now +it will say one of three things: [These are known as 'Greeting +Names'] + +1. John Doe [Box owners name] +2. "Box Number 999 Is Not a Valid Box Number" +3. "Box Number 999" +Now, if it either says 1 or 2, go to box number +998...997...996...995..etc, but if it says 3, then you are lucky, +now it will ask you for your password, now you are probably +saying 'Oh no this is where it gets difficult'... well you are +WRONG! This part is easy. Here is a list of ASPEN Default +Passwords: + +* We will use box number 666 as an example box # + [ BN = Box Number ] + +List of Default Password: Combination Result + + 1-BN 1666 + BN+1 667 + 0-BN 0666 + BN-0 6660 + Most Common Äį BN 666 + +Now enter in a those defaults, try JUST the Box Number first, +ASPENs usually use that most. Now, if you try all those Defaults +and still can not get into that Voice Mail Box, then that means +that the box has been already taken, but the owner hasn't changed +his 'Generic Message', if you don't get in, you will just have to +search until you get in. + +Okay, once you get your first box, *DO NOT* change anything!! +That will come later. Your first box is, as what is known as a +'Scanning Box'! What you do with your Scanning Box is this: You +enter "3" from the main commands menu, and it will ask you for +the box number. Now that command is the "Check for Receipt" +command, what it does it check Box #xxx for mail rom you. This +command is very convenient for us VMB Hackers. To use that +command to your advantage, you enter in box a box number and it +will say 1 of the three 'Greeting Names', like before, if it say +#3, then you write down that Box Number and hack it later. But if +it says 1 or 2, then just keep scanning! All boxes with the +number 3 Greeting Name is known as a 'Hackable Box'. Now you keep +scanning until you have gone all the way down to Box number 000 +or whatever is the lowest box it supports. Now, once you have +your list this is when all the fun starts! Now you are ready to +hack! + + +Hacking Out Your New Found 'Hackable' Boxes: + +Okay this is the easy part. After you spent most of your time by +scanning the system you should be used to the system and how it +works, that should make hacking the ASPEN all the easier. Now, if +you had a 'Scanning Box', you should know what the default +password was for your Scanning Box. Well if the password for your +Scanning Box was just the Box Number, then *EVERY* other hackable +box should have the SAME default password. VMB Systems have only +one default password, If one box has the BN for a Default PW, the +all the others will too. + +Okay, you call up the VMB System will the list of 'Hackable' +boxes by your side, and when the bitch is talking, press the "#" +key. When it asks you for your box number, enter in the first box +number on your list. When it asks for your password, enter in the +Default Password Sequence. Now if you don't get into that box, +it's not a problem, just keep going down your list. You should +get into a few. But remember, just because a box is marked +'Hackable', it doesn't mean you will definitely get into it. + +Okay, now you hav a few dozen boxes. You can now use you +Scanning Box to do whatever you please. + +ASPEN Guest Boxes: + +Once you have a box of your own, you can give out 'Guest Boxes'. +Guest Boxes are like Sub Boxes in your box. In ASPEN you have 4 +of them. If you give out Guest Box #1 to John Doe, Mr. Doe can +call in, enter in the password YOU set for him, and leave you +messages, but not only that, you can leave messages to HIM! Which +means, if his is in New York, and you are in California, and +neither of you have codes to call each other, then you can leave +messages thru your 800 VMB. Here is a list and explanation of all +4 of the Guest Boxes: + +0. Main Box - Your Voice Mail Box! +1. Guest Box #1 - Can Leave & Receive Messages +2. Guest Box #2 - Can Leave & Receive Messages +3. Home Box -Can Leave & Receive Messages +4. Secretary Box - Can Check How Many Messages You Have & Receive +Messages + + +Hints On Better Scanning: +A lot of people say hacking and scanning for VMBs is too damn +hard... well that's because they are going at it all wrong, they +probably read some lame piece of text file on Hacking VMBs that +was about 500 bytes long. Well, here is a small list of hints on +better scanning and hacking: + +1. Do not use a Voice Mail Box hacking/scanning program (i.e.: +VMB v1.0, ASPEN v1.0, VMBHACK v2.3, etc..) 2. Do not hack in +random order (i.e.: B#999, 345, 810, etc) Always hack in order: +999, 998, 997, 996, 995...000. 3. Try to find out if it's virgin. +The newer the System, the better. +4. If you have a phone with memory dial, change one entry to the +number of the VMB System. 5. Don't hack the System Managers box +unless you really want to. + +Ideas of Things To Do With Your Extra Boxes: + +Well since you can have up to 500 extra Voice Mail Boxes, you +might not know what to do with them, here are a few ideas that +can help you out: + +1. Give them to friends +2. Sell them to friends +3. Offer them to sysops for better access +4. Trade them for HSTs or whatever +5. Use them as a Voice Verifying line (So you don't have to give +out your real voice number to BBSs when you apply!) + + + Blue Box Tones +In this short section I will attempt to list some tones that Ma +Bell uses and what they are. Well here goes: Blue box +frequencies: 2600 hz - used to get on/off trunk tone matrix to +use after 2600 hz. + 700: 1 : 2 : 4 : 7 : 11 : + 900: + : 3 : 5 : 8 : 12 : +1100: + : + : 6 : 9 : KP : +1300: + : + : + : 10 : KP2 : +1500: + : + : + : + : ST : + 900 :1100 :1300 :1500 : 1700 : +Use KP to start a call and ST (1500+1700) to stop. Use 2600 HZ to +disconnect. Red box freqs: 1700 hz and 2200 hz mixed together. A +nickel is 66 ms on (1 beep). A dime is 66ms on, 66ms off, 66ms on +(2 beeps) a quarter is 33ms on, 33ms off repeated 5 times. (Ms = +millisecond). For those of you who don't know, a red box +simulates money being put into a pay phone. You must put in some +money first though (the operator can tell if money was put in but +as to how much she lets the computer answer that. (Yeah for he +computer) TASI locking freq: TASI (time assignment speech +interpolation) is used on satellite trunks, and basically allows +more than one person to use a trunk by putting them on while the +other person isn't talking. Of course, you'd never hear the other +person talking on your trunk. When you start to talk, however, +the TASI controller has to find an open trunk for you. Because of +this, some of your speech is lost (because of the delay in +finding a trunk) this is called clipping. Well, if you were +transmitting data over a trunk, clipping would really mess up the +data. So there is something called a TASI locking frequency which +keeps the TASI from putting anyone else on your trunk or you on +anyone else's trunk. In any case the freq. is 1850 hz. (Sent +before the transmission). Have fun!!! + + + CUSTOMER NAME AND ADDRESS +The word CN/A stands for Customer's Name and Address ... Your +telephone company has set up little bureaus that will answer the +telephone all day and give numbers out to any authorized Bell +employees of the same city or any other city nationwide. The +bureau keeps everyone on file with their name and address, +INCLUDING those that are unlisted. So if you have a phone number +and you want to find out who owns it and where they live, you can +use this little handy system. In short, it is basically used to +get a persons real name and real address through just having a +phone number! + +Lets sayyou are constantly being bugged by some little dick and +you don't know his name or address, BUT you have his phone +number.. well you can get his Name & Address just by having his +telephone number! For example, lets say you have this dicks phone +number, and it's (212) 555-1873, then just do the following: + +Look up the CN/A Number for that NPA (NPA = AREA CODE) in the +list below. For this example, the NPA is 212 and the CN/A number +is 518-471-8111. So then call up the CN/A # (During regular +hours) and throw a line like, "Hello, This is Operator #321 from +the residential service center in California. And I need to get a +CN/A on a customer at 212-555-1873. Thank You."... Make sure not +too sound like a twelve year old dork or try and sound lame with +a really deep voice, just try to sound as real as possible. Okay, +if you got that far, and you sound pretty convincing, then the +CN/A operator should not in any means, ask questions and you +should get all the info you need! + + +Here is a list of just about EVERY CN/A Number in the Continental +United States, this list was supplied to Legions of Lucifer by +LawBreaker. + ÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÄ¿ +Area ³ Account ³ Telephone ³ Call ³ Time ³ Requests ³ +Code ³ Code ³ Number ³ Hours ³ Zone ³ per call ³ +ÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄ´ +201 ³ ³ (304)344-7935 ³ 8:00-4:10 ³ E ³ 3 ³ +202 ³ ³ (304)343-7016 ³ 8:30-4:10 ³ E ³ 3 ³ +203 ³ ³ (203)789-6815 ³ 8:10-4:45 ³ E ³ 7 ³ +204 ³ ³ (204)949-0900 ³ 8:30-4:45 ³ C ³ N/A ³ +205 ³ ³ (205)555-1212 ³ 24 hours ³ C ³ 2 ³ +206 ³ I47128 ³ (402)572-5858 ³ 24 hours ³ C ³ 2 ³ +207 ³ 411 ³ (518)471-8111 ³ 8:00-5:00 ³ E ³ 16 ³ +208 ³ I47127 ³ (402)572-5858 ³ 24 hours ³ C ³ 2 ³ +209 ³ 1659 or ³ (415)781-5271 ³ 7:00-5:00 ³ P ³ 5 ³ +209 ³ 2826 ³ ³ ³ ³ N/A ³ +212 ³ 111 ³ (518)471-8111 ³ 8:00-5:00 ³ E ³ 16 ³ +213 ³1659/2826³ (415)781-5271 ³ 7:00-5:00 ³ P ³ 5 ³ +214 ³ SW5167 ³ (817)461-4769 ³ 8:00-4:50 ³ C ³ 3 ³ +215 ³ ³ (412)633-5600 ³ 8:30-5:00 ³ E ³ 3 ³ +216 ³ 161 ³ (614)464-0511 ³ 8:00-5:00 ³ E ³ 3 ³ +217 ³ 700 ³ (217)789-8290 ³ 8:00-5:00 ³ C ³ 2 ³ +218 ³ I47126 ³ (402)572-5858 ³ 24 hours ³ All ³ 2 ³ +219 ³ 161 ³ (317)265-4834 ³ 7:30-4:45 ³ E ³ 3 ³ +301 ³ ³ (304)343-7016 ³ 8:00-4:10 ³ E ³ 3 ³ +302 ³ ³ (412)633-5600 ³ 8:30-5:00 ³ E ³ 3 ³ +303 ³ I47126 ³ (402)572-5858 ³ 8:00-5:00 ³ M ³ 5 ³ +304 ³ I47127 ³ (304)343-1401 ³ 8:00-4:10 ³ E ³ 3 ³ +305 ³ 13402 ³ (803)251-0046 ³ 8:30-5:00 ³ E ³ 3-15 ³ +306 ³ ³ (306)777-2878 ³ 8:00-12:00³ M ³ N/A ³ +307 ³ I47127 ³ (402)572-5858 ³ 24 hours ³ C ³ 2 ³ +308 ³ I47126 ³ (402)572-5858 ³ 24 hours ³ C ³ 2 ³ +309 ³ 700 ³ (217)789-8290 ³ 8:00-5:00 ³ C ³ 2 ³ +312 ³ 500 ³ (312)796-9600 ³ 24hours ³ C ³ 2 ³ +313 ³ 53423 or³ (313)424-0900 ³ 24 hours ³ E ³ 20 ³ +313 ³ 61728 ³ ³ ³ ³ N/A ³ +314 ³ SW1012 ³ (816)275-8460 ³ 8:30-4:30 ³ C ³ 3 ³ +315 ³ 111 ³ (518)471-8111 ³ 8:00-4:55 ³ E ³ 16 ³ +316 ³ SW2019 ³ (913)276-6708 ³ 8:00-4:45 ³ C ³ 3 ³ +317 ³ 161 ³ (317)265-4834 ³ 7:30-4:45 ³ E ³ 3 ³ +318 ³ ³ (318)555-1212 ³ 24 hours ³ C ³ 2 ³ +319 ³ I47126 ³ (402)572-5858 ³ 24 hours ³ C ³ 2 ³ +401 ³ 411 ³ (518)471-8111 ³ 8:00-5:00 ³ E ³ 16 ³ +402 ³ I47126 ³ (402)572-5858 ³ 24 hours ³ C ³ 2 ³ +403 ³ ³ (403)493-6383 ³ 8:00-4:30 ³ M ³ N/A ³ +404 ³ 13402 ³ (803)251-0046 ³ 8:30-5:00 ³ E ³ 3-15 ³ +405 ³ SW4070 ³ (405)236-6121 ³ 7:30-4:15 ³ C ³ 3 ³ +406 ³ I47127 ³ (402)572-5858 ³ 24 hours ³ C ³ 2 ³ +407 ³ 13402 ³ (803)251-0046 ³ 8:30-5:00 ³ E ³ 3-15 ³ +408 ³1659/2826³ (415)781-5271 ³ 7:00-5:00 ³ P ³ 5 ³ +409 ³ SW5167 ³ (713)961-2397 ³ 8:00-5:00 ³ C ³ 3 ³ +412 ³ ³ (412)633-5600 ³ 8:30-5:00 ³ E ³ 3 ³ +413 ³ 411 ³ (518)471-8111 ³ 8:00-5:00 ³ E ³ 16 ³ +414 ³ 767 ³ (608)252-6932 ³ 8:00-4:30 ³ C ³ 1-5 ³ +415 ³1659/2826³ (415)781-5271 ³ 7:00-5:00 ³ P ³ 5 ³ +416 ³ ³ (416)443-0542 ³ 8:30-5:00 ³ E ³ N/A ³ +417 ³ SW1012 ³ (816)275-8460 ³ 8:30-4:30 ³ C ³ 3 ³ +418 ³ ³ (514)391-7440 ³ 8:30-4:45 ³ ³ N/A ³ +419 ³ 161 ³ (614)464-0511 ³ 8:00-5:00 ³ E ³ 3 ³ +501 ³ SW3006 ³ (405)236-6121 ³ 7:30-4:30 ³ C ³ 3 ³ +502 ³ ³ (502)555-1212 ³ 24 hours ³ E ³ 2 ³ +503 ³ I47128 ³ (402)572-5858 ³ 24 hours ³ C ³ 2 ³ +504 ³ ³ (504)555-1212 ³ 24 hours ³ C ³ 2 ³ +505 ³ I47127 ³ (402)572-5858 ³ 24 hours ³ C ³ 2 ³ +506 ³ ³ (506)694-6541 ³8:15-4:30 ³ A ³ N/A ³ +507 ³ I47126 ³ (402)572-5858 ³ 24 hours ³ C ³ 2 ³ +508 ³ 411 ³ (518)471-8111 ³ 8:00-5:00 ³ E ³ 16 ³ +509 ³ I47128 ³ (402)572-5858 ³ 24 hours ³ C ³ 2 ³ +512 ³ SW5167 ³ (512)828-2501 ³ 9:00-5:00 ³ C ³ 3 ³ +513 ³ 161 ³ (614)464-0511 ³ 8:00-5:00 ³ E ³ 3 ³ +514 ³ ³ (514)391-7440 ³ 8:00-4:30 ³ E ³ N/A ³ +515 ³ I47126 ³ (402)572-5858 ³ 24 hours ³ C ³ 2 ³ +516 ³ 111 ³ (518)471-8111 ³ 8:00-5:00 ³ E ³ 16 ³ +517 ³53423 or ³ (313)424-0900 ³ 24 hours ³ E ³ 20 ³ +517 ³ 61728 ³ ³ ³ ³ N/A ³ +518 ³ 111 ³ (518)471-8111 ³ 8:00-5:00 ³ E ³ 16 ³ +519 ³ ³ (416)443-0542 ³ 8:30-5:00 ³ E ³ N/A ³ +601 ³ ³ (601)555-1212 ³ 24 hours ³ C ³ 2 ³ +602 ³ I47127 ³ (402)572-5858 ³ 24 hours ³ M ³ 2 ³ +603 ³ 411 ³ (518)471-8111 ³ 8:00-5:00 ³ E ³ 16 ³ +604 ³ ³ Contact Local ³ ³ ³ N/A ³ +604 ³ ³Business Office³ ³ ³ N/A ³ +605 ³ I47126 ³ (402)572-5858 ³ 24 hours ³ C ³ 2 ³ +606 ³ ³ (606)555-1212 ³ 24 hours ³ E ³ 2 ³ +607 ³ 111 ³ (518)471-8111 ³ 8:00-5:00 ³ E ³ 16 ³ +608 ³ 767 ³ (608)252-6932 ³ 8:30-4:30 ³ C ³ 5 ³ +609 ³ ³ (304)344-7935 ³ 8:00-4:10 ³ E ³ 3 ³ +612 ³ I47126 ³ (402)572-5858 ³ 24 hours ³ C ³ 2 ³ +613 ³ ³ (416)443-0542 ³ 8:30-5:00 ³ E ³ N/A ³ +614 ³ 161 ³ (614)464-0511 ³ 8:00-5:00 ³ E ³ 3 ³ +615 ³ 13402 ³ (615)373-7663 ³ 8:00-4:10 ³ E ³ 3 ³ +616 ³53423 or ³ (313)424-0900 ³ 24 hours ³ E ³ 20 ³ +616 ³ 61728 ³ ³ ³ ³ N/A ³ +617 ³ 411 ³ (518)471-8111 ³ 8:00-5:00 ³ E ³ 16 ³ +618 ³ 700 ³ (217)789-8290 ³ 8:00-5:00 ³ C ³ 2 ³ +619 ³1659/2826³ (415)781-5271 ³ 7:00-5:00 ³ P ³ 5 ³ +701 ³ I47126 ³ (402)572-5858 ³ 24 hours ³ C ³ 2 ³ +702 ³1659/2826³ (415)781-5271 ³ 7:00-5:00 ³ P ³ 5 ³ +703 ³ ³ (304)343-1401 ³ 8:00-4:10 ³ E ³ 3 ³ +704 ³ 13402 ³ (803)251-0046 ³ 8:30-5:00 ³ E ³ 3-15 ³ +705 ³ ³ (416)443-0542 ³ 8:30-5:00 ³ E ³ N/A ³ +707 ³1659/2826³ (415)781-5271 ³ 7:00-5:00 ³ P ³ 5 ³ +708 ³ 500 ³ (312)796-9600 ³ 24 hours ³ C ³ 2 ³ +709 ³ ³ *NONE* ³ ³ ³ N/A ³ +712 ³ I47126 ³ (402)572-5858 ³ 24 hours ³ C ³ 2 ³ +713 ³ SW5167 ³ (713)961-2397 ³ 8:00-5:00 ³ C ³ 2 ³ +714 ³1659/2826³ (415)781-5271 ³ 7:00-5:00 ³ P ³ 5 ³ +715 ³ 767 ³ (608)252-6932 ³ 8:00-4:30 ³ C ³ 5 ³ +716 ³ 111 ³ (518)471-8111 ³ 8:00-5:00 ³ E ³ 16 ³ +717# ³ ³ (412)633-5600 ³ 8:30-5:00 ³ E ³ 3 ³ +717@ ³6630109ATZ (717)245-6829 ³ ³ ³ N/A ³ +718 ³ 111 ³ (518)471-8111 ³ 8:00-5:00 ³ E ³ 16 ³ +719 ³ I47127 ³ (402)572-5858 ³ 8:00-5:00 ³ M ³ 5 ³ +801 ³ I47127 ³ (402)572-5858 ³ 24 hours ³ C ³ 2 ³ +802 ³ 411 ³ (518)471-8111 ³ 8:00-5:00 ³ E ³ 16 ³ +803 ³ 3402 ³ (803)251-0046 ³ 8:30-5:00 ³ E ³ 3-15 ³ +804 ³ ³ (304)343-1401 ³ 8:00-4:10 ³ E ³ 3 ³ +805 ³1659/2826³ (415)781-5271 ³ 8:30-5:00 ³ P ³ 5 ³ +806 ³ SW5167 ³ (512)828-2501 ³ 8:00-5:00 ³ C ³ 3 ³ +807 ³ ³ (416)443-0542 ³ 8:30-5:00 ³ E ³ N/A ³ +808 ³ ³ (800)852-8840 ³ 8:00-6:00 ³ E ³ N/A ³ +809 ³ ³ (800)852-8840 ³ 8:30-5:00 ³ E ³ N/A ³ +812 ³ 161 ³ (317)265-4834 ³ 8:30-4:45 ³ E ³ 3 ³ +813 ³ 13402 ³ (803)251-0046 ³ 8:30-4:30 ³ E ³ N/A ³ +813 ³GTE only ³ (813)442-7229 ³ 8:00-5:00 ³ E ³ N/A ³ +814 ³ ³ (412)633-5600 ³ 8:30-5:00 ³ E ³ 3 ³ +815 ³ 700 ³ (217)789-8290 ³ 8:00-5:00 ³ C ³ 2 ³ +816 ³ SW1012 ³ (816)275-8460 ³ 8:00-4:45 ³ C ³ 3 ³ +817 ³ SW5167 ³ (817)461-4769 ³ 8:00-5:00 ³ C ³ 3 ³ +818 ³1659/2826³ (415)781-5271 ³ 6:45-5:00 ³ P ³ 5 ³ +819 ³ ³ (514)391-7440 ³ 8:00-4:30 ³ E ³ N/A ³ +901 ³ 13402 ³ (615)373-7663 ³ 8:00-4:10 ³ E ³ 3 ³ +902 ³ ³ (902)421-4110 ³ 8:15-4:45 ³ A ³ N/A ³³ +904 ³ 13402 ³ (803)251-0046 ³ 8:30-5:00 ³ E ³ 3-15 ³ +906 ³ 61728 ³ (313)424-0900 ³ 24 hours ³ E ³ 20 ³ +907 ³ ³ *NONE* ³ ³ ³ N/A ³ +912 ³ 13402 ³ (803)251-0046 ³ 8:30-5:00 ³ E ³ 3-15 ³ +913 ³ SW2019 ³ (913)276-6708 ³ 8:00-4:45 ³ C ³ 3 ³ +914 ³ 111 ³ (518)471-8111 ³ 8:00-5:00 ³ E ³ 16 ³ +915 ³ SW5167 ³ (512)828-2501 ³ 8:00-5:00 ³ P ³ 5 ³ +916 ³1659/2826³ (415)781-5271 ³ 8:30-5:00 ³ P ³ 5 ³ +918 ³ SW4070 ³ (405)236-6121 ³ 7:30-4:10 ³ C ³ 3 ³ +919 ³ 13402 ³ (803)251-0046 ³ 8:30-5:00 ³ E ³ 3-5 ³ +ÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄÙ + + # - Bell of PA + @ - United + + Time Zones: P - Pacific 12:00 pm + M - Mountain 1:00 pm + C - Central 2:00 pm + E - Eastern 3:00 pm + A - Atlantic 4:00 pm + + Note: The account code for Centel and CONTEL is CNAT, United +Tel. is 6630109ATZ + Well, that's about it. I tried to find any mistakes that +might have occurred during typing, but there's bound to be one or +two around... Two things to note here: +1> California has 2 codes listed (1659 and 2826). The first is +for people in California, the second is for everyone else outside +of California obtaining a CNA in those area codes. + +2> Michigan ALSO has two codes. The first was the one currently +working when I last tried; the second is what the new code will +be if it hasn't been changed already... It's a totally automated +system, so try both codes. + + + Lock In Trace +A lock in trace is a device used by the F.B.I. to lock into the +phone users location so that he can not hang up while a trace is +in progress. For those of you who are not familiar with the +concept of 'locking in', then here's a brief description. The +F.B.I. can tap into a conversation, sort of like a three-way call +connection. Then, when they get there, they can plug electricity +into the phone line. All phone connections are held open by a +certain voltage of electricity. That is why you sometimes get +static and faint connections when you are calling far away, +because the electricity has trouble keeping the ine up. What the +lock in trace does is cut into the line and generate that same +voltage straight into the lines. That way, when you try and hang +up, voltage is retained. Your phone will ring just like someone +was calling you even after you hang up. (If you have call +waiting, you should understand better about that, for call +waiting intercepts the electricity and makes a tone that means +someone is going through your line. Then, it is a matter of which +voltage is higher. When you push down the receiver, then it see- +saws the electricity to the other side. When you have a person on +each line it is impossible to hang up unless one or both of them +will hang up. If you try to hang up, voltage is retained, and +your phone will ring. That should give you an understanding of +how calling works. Also, when electricity passes through a +certain point on your hone, the electricity causes a bell to +ring, or on some newer phones an electronic ring to sound.) So, +in order to eliminate the trace, you somehow must lower the +voltage level on your phone line. You should know that every time +someone else picks up the phone line, then the voltage does +decrease a little. In the first steps of planning this out, Xerox +suggested getting about a hundred phones all hooked into the same +line that could all be taken off the hook at the same time. That +would greatly decrease the voltage level. That is also why most +three-way connections that are using the bell service three way +calling (which is only $3 a month) become quite faint after a +while. By now, you should understand the basic idea. You have to +drain all of the power out of the line so the voltage can not be +kept up. Rather sudden draining of power could quickly short out +the F.B.I. voltage machine, because it was only built to sustain +the exact voltage necessary to keep the voltage out. For now, +imagine this. One of the normal Radio Shack generators that you +can go pick up that one end of the cord that hooks into the +central box has a phone jack on it and the other has an +electrical plug. This way, you can "flash" voltage through the +line, but cannot drain it. So, some modifications have to be +done. + +Materials +---------- +A BEOC (Basic Electrical Output Socket), like a small lamp-type +connection, where you just have a simple plug and wire that would +plug into a light bulb. One of cords metioned above, if you +can't find one then construct your own... Same voltage +connection, but the restrainer must be built in (I.E. The central +box) +Two phone jacks (one for the modem, one for if you are being +traced to plug the aqua box into) + +Procedure +---------- + All right, this is a very simple procedure. If you have the +BEOC, it could drain into anything: a radio, or whatever. The +purpose of having that is you are going to suck the voltage out +from the phone line into the electrical appliance so there would +be no voltage left to lock you in with. + +Take the connection cord. Examine the plug at the end. It should +have only two prongs. If it has three, still, do not fear. Make +sure the electrical appliance is turned off unless you want to +become a crispy critter while making this thing. Most plugs will +have a hard plastic design on the top of them to prevent you from +getting in at the electrical wires inside. Well, remove it. If +you want to keep the plug (I don't see why...) then just cut the +top off. When you look inside, Lo and Behold, you will see that +at the base of the prongs there are a few wires connecting in. +Those wires conduct the power into the appliance. So, you +carefully unwrap those from the sides and pull them out until +they are about an inch ahead of the prongs. If you don't want to +keep the jack, then just rip the prongs out. If you are, cover +the prongs with insulation tape so they will not connect with the +wires when the power is being drained from the line. Do the same +thing with the prongs on the other plug, so you have the wires +evenly connectd. Now, wrap the end of the wires around each +other. If you happen to have the other end of the voltage cord +hooked into the phone, stop reading now, you're too stupid to +continue. After you've wrapped the wires around each other, then +cover the whole thing with the plugs with insulating tape. Then, +if you built your own control box or if you bought one, then cram +all the wires into it and close it. That box is your ticket out +of this. Re-check everything to make sure it's all in place. This +is a pretty flimsy connection, but on later models when you get +more experienced at it then you can solder away at it and form +the whole device into one big box, with some kind of cheap Mattel +hand-held game inside to be the power connector. In order to use +it, just keep this box handy. Plug it into the jack if you want, +but it will slightly lower the voltage so it isn't connected. +When you plug it in, if you see sparks, unplug it and restart the +whole thing. But if it just seems fine then leave it. + +Now, so you have the whole thing plugged in and all... Do not use +this unless the situation is desperate! When the trace has gone +on, don't panic, unplug your phone, and turn on the appliance +that it was hooked to. It will need energy to turn itself on, and +here's a great source... The voltage to keep a phone line open is +pretty small and a simple light bulb should drain it all in and +probably short the F.B.I. computer at the same time. Happy boxing +and stay free! + + Pinkish Box + The function of a "Pink Box" is a hold button that allows music +or anything else to be played into the telephone while person is +on hold. This modification either be done right in the telephone +as a separate box. + +Materials Needed + +1. Some Bell wire or Phone wire +2. A SPST momentary switch RS # 275-1547 +3. 470 ohm resistor RS # 271-019 +4. 1 LED (Approx 5V) RS # 276-041 +5. An SCR, 2N5061 (Transistor) +6. Audio Transformer (Ratio 10K:600) +7. RCA phono Jack RS # 274-346 +8. Screw drivers, soldering irons, solder, Etc. + +1. Open the wall box and locate the RED and GREEN wires. +2. Take a piece or RED wire and strip tend and attach it to the +red lead on the wall box. Do the same for the GREEN. +3. Connect the GREEN wire to the ANODE of the LED. +4. Connect the CATHODE side of the LED the UPPER pin of the +primary side of the transformer. +5. Connect the pin directly across to one pole of the phono jack. +6. Connect the RED wire to one side of resistor and to the "C +pole" of the transistor. +7. Connect the open pin of the switch the other side of the +resistor and to the "G pole" of the transistor. Wiring Diagram + + RCA Jack X-former LED + _____ C A + Pole or Jack --/---! Top !---/--(*)--\------GREEN wire + -!View !- Primary --I---RED wire + Pole of Jack --/---!_____!---/-I (O) + I I + I [--I-----Pole of Switch + I +I--------/--m--Pole of Switch + + +Key to Symbols + +-- Wire +I Connection or wire +/ Connection or wire + + + _/ C pole of transistor --(*)-- +[_)-- G pole of transistor I + I A pole of transistor (O) Resister + I + _____ + ---! Top !--- + -! View!- Primary Transformer + ---!_____!--- + + Hook the RED and GREEN wires up to the appropriate terminals +and hook the RCA jack to the output on your stereo. Turn on your +stereo at a good volume. Now call a friend. To test the Box, +hold down the switch and hang up the phone. The LED should go +and your friend should hear music, If not then start over. The +hold is shut off if you pick up a phone on that line or your end +hangs up. + + Pearl Box +The Pearl Box:Definition - This is a box that may substitute for +many boxes which produce tones in hertz. The Pearl Box when +operated correctly can produce tones from 1-999hz. As you can +see, 2600, 1633, 1336 and other crucial tones are obviously in +its sound spectrum. + +Materials you will need in order to +build The Pearl Box: +===================================== +C1, C2:.5mf or .5uf ceramic disk + capacitors +Q1.....NPN transistor (2N2222 works + best) +S1.....Normally open momentary SPST + switch +S2.....SPST toggle switch +B1.....Standard 9-Volt battery +R1.....Single turn, 50k potentiometer +R2..... " " 100k potentiometer +R3..... " " 500k potentiometer +R4..... " " 1meg potentiometer +SPKR...Standard 8-ohm speaker +T1.....Mini transformer (8-ohm works + best) +Misc...Wire, solder, soldering iron, PC + board or perfboard, box to + contain the completed unit, + battery clip + +Instructions for building Pearl Box: +====================================== + +Since the instruction are EXTREMELY difficult to explain in +words, you will be given a schematic instead. It will be quite +difficult to follow but try it any way. There is also a Hi-Res +picture you can get that shows the schematic in great detail. + +Schematic for The Pearl Box + ++---+------------+---------+ + ! ! \ + C1 C2 \ + ! ! + + + + -----+T1 + !\ +------------+-+ + ! b c-------! + + ! Q1 ! +-S1- + ! e-----S2---+ ! SPKR + ! ! ! +---- + ! B1 ! + ! ! ! + ! +-------+ + !R1 R2 R3 R4! + /\/\ /\/\ /\/\ /\/\ + +--+ +--+ +--+ + +Now that you are probably thoroughly confused, let me explain a +few minor details. The potentiometer area is rigged so that the +left pole is connected to the center pole of the potentiometer +next to it. The middle terminal of T1 is connected to the piece +of wire that runs down to the end of the battery. + +Correct operation of The Pearl Box: +You may want to get some dry-transfer decals at Radio Shack to +make this job a lot easier. Also, some knobs for the tops of the +potentiometers may be useful too. Use the decals to calibrate the +knobs. R1 is the knob for the ones place, R2 is for the tens +place, R3 if for the hundreds place and R4 is for the thousands +place. S1 is for producing the all the tones and S2 is for power. + +Step 1: Turn on the power and adjust the knobs for the desired +tone. (Example: For 2600 hz- + R1=0:R2=0:R3=6:R4=2) + +Step 2: Hit the pushbutton switch and VIOLA! You have the tone. +If you don't have a tone recheck all connections and schematic. +If you still don't have a tone call Brainstorm BBS: 612-345-2815, +The Bay:415-775-2384 or Pirate's Harbor:617-720-3600 and leave me +e-mail stating what the scene is. + + + Brown Box + This is a fairly simple modification that can be made to any +phone. All it does is allow you to take any 2 lines in your house +and create a party line. So far I have not heard of any problems +with it from my friends that have set one up and I have not had +any either. There is one thing that you will notice when you are +one of the two people who is called by a person with this box. +The other person will sound a little bit faint. I could overcome +this with some amplifiers but then there wouldn't be very many of +these boxes made. I think that the convenience of having two +people on line at any one time will make up for the minor volume +loss. +Here is the diagram: +___________________________ +PART SYMBOL +--------------------------- +BLACK WIRE * +YELLOW WIRE = +RED WIRE + +GREEN WIRE - +SPDT SWITCH _/_ +VERTICAL WIRE | +HORIZONTAL WIRE _ + + * = - + + * = - + + * = - + + * = - + + * = - + + * ==_/_- + + *******_/_++++++ + | | + | | + | | + |_____PHONE____| + +In some houses the black and yellow are already wired in others +you will have to go out to your box and rewire it. A goo way to +figure out which line is which is to take the phone you are +looking for off the hook. Then you only need to take the red and +green wires entering your phone and hook them to the different +pairs of red and green going into the house. You can't hurt +anything in the phone or telephone by probing. When you find the +pair that you want take the black from your line and attach it to +the red of the other line then take the yellow and attach it to +the green line. Now you are all set to go. For people with rotary +phones you can have one person call you then place the second +call out to the other person. Though not a phreaker's tool, the +brown box can be fun. + + Scarlet box + The purpose of a Scarlet box is to create a very bad +connection, it can be used to crash a BBS or just make life +miserable for those you seek to avenge. + + Materials: 2 alligator clips, 3 inch wire, or a resister +(plain wire will create greatest amount of static) +(Resister will decrease the amount of static in proportion to the +resister you are using) +Step (1): Find the phone box at your victims house, and pop the +cover off. Step (2): Find the two prongs that the phone line you +wish to box are connected to. +Step (3): Hook your alligator clips to your (wire/resister). Step +(4): Find the lower middle prong and take off all wires connected +to it, I think this disables the ground and call waiting and +stuff like that. Step (5): Now take one of the alligator clips +and attach it to the upper most prong, and take the other and +attach it to the lower middle prong. Step (6): Now put the cover +back on the box and take off!! + + Day-Glow + A day-glow box is very easy to make, and very inexpensive to +build. It works like this: On the outside of every home that has +a phone, there is something called "the outside connection box," +which is where the house is connected to Ma Bell's network. This +ingenious device connects to a) your phone, b) the victim's +outside box. You should be starting to get the idea. + +Materials necessary: +1. Radio Shack modular conversion jack +2. A small experimenter's box (optional) +3. 1 foot of red wire. (better to overkill) +4. 1 foot of green wire. (same as above) +5. 2 medium alligator clips + +In order to construct this box, you will need all of the above +materials. Note that your wire does not necessarily have to be +red or green, but it is necessary that you be able to tell them +apart. Also, you might want to use thick, easily bent wire (audio +hookup wire works best) instead of bell wire. Now, on to the +construction. + +Remove the actual modular jack from the conversion box. This can +be done by pushing inward and then up, or you can just cut the +plastic. Remove the black and yellow wires from the jack. You can +either clip these or rip them out. To your newly isolated jack, +add the 1 foot wire extensions to the respective wires. Soldering +and then wrapping the connections with electrical tape works +best. Next, solder the alligator clips to the extended wires. If +you do not wish to solder them, then just wrap the clips with the +wire. Now, place this newly made contraption into a box +(optional). You may need to drill a few holes, and possibly +remove the alligator clips, but you should have read this file +first, anyway. + + The day-glow box will work with any phone. First, you need to +locate a house that has a phone. Next, (it's preferable to do +this at night) go up to the and locate the outside connection +box. Pop the cover off. Locate prong 3 and prong 4. You will +attach the green wire clip to prong 3. The red wire clip will go +to prong 4. Now, plug your phone (preferably a trimline or +ranger) into your modular plug. You may now either listen in on +the call (wire tap) OR you may call out to anywhere in the world. +If you are really daring, you can bring your computer with you. +Note: This box may also be used in conjunction with the lunch box +in order to make a perfect phone bug. + +Neat things you can do with your new box: +Call 976 numbers. This should be done very frequently. Also, I +find that after finding the victim's outside box, several calls +to the gay hotline will have interesting after-effects. Namely, +his parents wondering about him. Alliance teleconferencing can be +accomplished quite easily. Try it! Call 0-700-456-1000. Or, tell +the operator you'd like to initiate a conference. Of course, you +should place several calls to other countries. This can be +accomplished by looking in the front of your white pages for the +various country and city codes. You should be able to follow the +directions provided in there. + + Have you ever wondered what those 6ft tall cabinets with the +bell logo on them were for? Well, if you've never seen them, +here's a quick description: They are 6ft tall by 3ft wide, and +painted the dull phone company green. They can be opened quite +easily with a 7/16ths inch socket wrench. After turning the bold +over the handle, turn the handle to the right and pull. It should +open, displaying over 100 different lines. Occasionally, you can +find tech. manuals and test kits inside. They are usually located +near phone lines. Okay, now, once you have opened one of these +calling cabinets, locate the line of your choice. You will have +to take out both the orange and the white insulated screws. The +purple and white wires should come off along with the screws. The +lines go out to the house, and the screw posts are the actual +line. Now, you should clip the alligators to the posts, with one +part of the clip on the insulation, and on.]Now, you should clip +the alligators to the nep parteli. Oh, if you want the home to +remain connected, clip the wires inside the hole using the +alligator clips. By the way, the red terminal on your box goes to +the orange post, and the green one to the white post... if that +doesn't work, reverse the connection. Now, to find out the number +you have taken over, dial 380-55555555. Yes, that's eight fives. +A computer voice should tell you what number you are on. I hope +you can take it from here. Oh, in apartments, you can find the +calling cabinet in the basement... remember, this is not your +line, so do anything you want. Call the President or something. + + Gold Box Plans +Materials: + +2 10k OHM resistors +3 1.4k OHM resistors +2 2N3904 transistors +2 Photocells +2 LED's (Make sure they're real bright) +1 Box to contain it in that will not allow sunlight in it. +(some) wire. Red and green for easiness sake + +Light from the LED's must shine directly on the photocells. You +may have to have the LED touching the photocell for it to work. + +[The 1.4k resistor is variable and if the second part of the box +is skipped the box will still work but if someone picks up the +phone they may report it to the Phone Co. The 1.4k will give you +good reception with little risk of the Gestapo knocking at your +door. Take two green wires and strip the ends. Twist one end of +each together so they make one wire. Connect it to Green #1. +Label this 'Line #1'. Do the same but with red wire and attach it +to Red #1. Repeat the process for Red #2 and Green #2 and label +it 'Line #2'. Find two phone lines that are close together. Label +one of them 'Line #1'. Cut [the phone lines and take off the +outer covering. You'l see 4 colored wires inside. Cut the yellow +and black wire off and strip the red and green wires on both +lines. Line #1 should be in two pieces. Take the green wire of +one end and connect to one of the green wires on the box. Take +the other half of the phone line green wire and connect it to the +other green wires on the gold box. Do the same for the red wires +on the other line and the red wires on the box. Now, find out +what number you hooked up the gold box to. Go home and call it. +You should get a dial tone and you can dial out. If not, re-check +everything. If it still doesn't work, pack up and go home. Green Box + Paying the initial rate in order to use a red box (on certain +fortresses) left a sour taste in many red boxers mouths, thus the +green box was invented. The green box generates useful tones such +as COIN COLLECT, COIN RETURN, AND RINGBACK. These are the tones +that ACTS or the TSPS operator would send to the CO when +appropriate. Unfortunately, the green box cannot be used at the +fortress station but must be used by the CALLED party. Here are +the tones: + +COIN COLLECT 700+1100hz +COIN RETURN 1100+1700hz +RINGBACK 700+1700hz + +Before the called party sends any of these tones, an operator +release signal should be sent to alert the M detectors at the CO. +This can be done by sending 900hz + 1500hz or a single 2600 wink +(90 ms.) + +Also, do not forget that the initial rate is collected shortly +before the 3 minute period is up. + +Incidentally, once the above M tones for collecting and returning +coins reach the CO, they are convertedinto an appropriate DC +pulse (-130 volts for return and +130 for collect). This pulse is +then sent down the tip to the fortress. This causes the coin +relay to either return or collect the coins. The alleged "T- +network" takes advantage of this information. When a pulse for +coin collect (+130 VDC) is sent down the line, it must be +grounded somewhere. This is usually the yellow or black wire. +Thus, if the wires are exposed, these wires can be cut to prevent +the pulse from being grounded. When the three minute initial +period is almost up, make sure that the black and yellow wires +are severed, then hang up, wait about 15 seconds in case of a +second pulse, reconnect the wires, pick up the phone, an if all +goes well, it should be "JACKPOT" time. + + Blotto Box + For years now every pirate has dreamed of the Blotto Box. It +was at first made as a joke to mock more ignorant people into +thinking that the function of it actually was possible. Well, if +you are The Voltage Master, it is possible. Originally conceived +by King Blotto of much fame, the Blotto Box is finally available +to the public. + The Blotto Box is every phreak's dream... you could hold AT&T +down on its knee's with this device. Be +cause, quite simply, it can turn off the phone lines everywhere. +Nothing. Blotto. No calls will be allowed out of an area code, +and no calls will be allowed in. No calls can be made inside it +for that matter. As long as the switching system stays the same, +this box will not stop at a mere area code. It will stop at +nothing. The electrical impulses that emit from this box will +open every line. Every line will ring and ring and ring... the +voltage will never be cut off until the box/generator is stopped. +This is no 200 volt job, here. We are talking GENERATOR. Every +phone line will continue to ring, and people close to the box may +be electrocuted if they pick up the phone. + But, the Blotto Box can be stopped by merely cutting of the +line or generator. If they are cut off then nothing will emit any +longer. It will take a while for the box to calm back down again, +but that is merely a superficial aftereffect. Once again: +Construction and use of this box is not advised! The Blotto Box +will continue as long as there is electricity to continue with. + OK, that is what it does, now, here are some interesting things +for you to do with it... + + Once you have installed your Blotto, there is no turning back. +The following are the instructions for construction and use of +this box. Please read and heed all warnings in the above section +before you attempt to construct this box. + + Materials: +- A Honda portable generator or a main power outlet like in a +stadium or some such place. +- A radm r=L L5I Z] ] for 400 volts that splices a female plug +into a phone line jack. +- A meter of voltage to attach to the box itself. +- A green base (i.e. one of the nice boxes about 3' by 4' that +you see around in your neighborhood. They are the main switch +boards and would be a more effective line to start with. +or: regular phone jack (not your own, and not in your area +code! - A soldering iron and much solder. +- A remote control or long wooden pole. + + Now. You must have guessed the construction from that. If not, +here goes, I will explain in detail. Take the Honda Portable +Generator and all of the other listed equipment and go out and +hunt for a green base. Make sure it is one on the ground or +hanging at head level from a pole, not the huge ones at the top +of telephone poles. Open it up with anything convenient, if you +are two feeble then don't try this. Take a look inside... you are +hunting for color-coordinating lines of green and red. Now, take +out your radio shack cord and rip the meter thing off. Replace it +with the voltage meter about. A good level to set the voltage to +is about 1000 volts. Now, attach the voltage meter to the cord +and set the limit for one thousand. Plug the other end of the +cord into the generator. Take the phone jack and splice the jack +part off. Open it up and match the red and green wires with the +other red and green wires. NOTE: If you just had the generator on +and have done this in the correct order, you will be a crispy +critter. Keep the generator off until you plan to start it up. +Now, solder those lines together carefully. Wrap duck tape or +insulation tape around all of the wires. Now, place the remote +control right on to the startup of the generator. If you have the +long pole, make sure it is very long and stand back as far away +as you can get and reach the pole over. NOTICE: If you are going +right along with this without reading the file first, you should +realize now that your area code is about to become null! Then, +getting back, twitch the pole/remote control and run for your +damn life. Anywhere, just get away from it. It will be generating +so much electricity that if you stand to close you will kill +yourself. The generator will smoke, etc. but will not stop. You +are now killing your area code, because all of that energy is +spreading through all of the phone lines around you in every +direction. + Computer Hacking + TYMNET + +Introduction: + +Many people may or may not have heard of Tymnet. Tymnet is one of +the best information gathering networks that is around. It seems +as though it were set up with the hacker in mind, but we all know +this isn't true. After becoming experienced with the network, I +found there to be little information available to the newcomer, +with the exception of what is already available on the network, +but as we all know, this leaves the newcomer craving for more. As +this file was under construction, a great blow hit the hacker +community on the network; four of the most popular NUIs died +(NUIs to be discussed later). They were VIDEO, and the T.LLOYxx +Family. In hopes of having the community reborn, an additional +new NUI has been included. + +For more information regarding Tymnet, Telenet, and other PSNs, +consult the Leigon's of Lucifer Text File #10-11. Although other +information on PSNs is available from Leigon's of Lucifer, this +file was written in mind that the reader is unfamiliar with +Tymnet. Terminology that would appear to be new to the reader is +explained, in hopes that you will gain a greater knowledge of the +networks. + +Tymnet is an international network designed for two basic +reasons. One, to link computers worldwide in order to exchange +information. Two, so hackers can take advantage of the network +and connect to the as many computers available =). + +Tymnet is linked to computers throughout the world including most +major continents (North/South America, Asia, Europe, Africa, +Australia, etc.). Tymnet is referred to as a PSN, which is an +acronym for Packet Switching Network. A PSN is any network that +sends information via packets, in Tymnet's case, 128 byte +packets. + + The following is an example of a simple PSN, which +includes three major components: + + 1) The PAD (Your Local Dialup) + 2) The PSN (The network that you are currently on) + 3) The Host (The computer you connect to via the PSN) + +Use of a PSN is quite simple. First you must connect to your +local PAD, and sign in with a NUI. If the NUI is valid, a colon +prompt will follow (;), at which you may enter any NUA (NUAs to +be discussed later), depending on what level of access the NUI +has. The PSN then connects you to the Host, posing as a relay +between you and the host. If this appears confusing, read through +the rest of this file, and browse back through it, and possibly +you will understand the concept a bit better. + +Since Tymnet is not connected to nearly as many businesses as +Telenet, it turns to be more of a communication and information +gathering tool then a scanning one. Hackers on Tymnet, which can +be contacted on the many various chat systems are almost always +bound to have information to trade, or give away. Almost +everything is available, from telco, fraud, to hacking. + +Connecting to Tymnet: + +The first thing you must do is find your local Tymnet dialup. If +you already know your dialup, you can skip by this paragraph, and +move on. There are two ways to acquire your dialup. Voice, or +data. If you choose to find out your dialup voice, call 1- +(800)-222-0555. Use your touch-tone keypad and follow the voice +prompts. Data is quite simple if you are already familiar with +the logon process on Tymnet. Type 'Information', or 'Info' at the +NUI (Logon) prompt. It's self explanatory from there. You can +also dial 1-(800) 336-0149 to find out your local dial, this +includes HST Modems. + +You must now prepare your terminal to communicate with Tymnet. +Switch your parity to either 7E1 or 8N1. 7E1 is preferred, as I +have encountered problems using 8N1. Toggle your Local Echo until +it appears satisfactory. Once connected, Hit return a few times +until the following message appears: + +please type your terminal identifier + +When this occurs, hit 'a' if you have 7E1, or 'o' if you have 8N1 +set up. The 'a' / 'o' combination tells the PAD your parity +setting. Something to this effect will follow: + + -4353:01-007- + please log in: + +You have now successfully connected to Tymnet. + +Usage of NUIs: + +NUI is an acronym for Network User Identification. This is much +like the standard 'user name' on your favorite BBS. NUIs are +legitimate accounts given to paying members of Tymnet. Hackers +always seem to have a knack for setting up illegal NUIs though. +Unlike Telenet, Tymnet NUIs are easy to find. The NUI 'VIDEO', +which was by far one of the most popular hacker NUIs on Tymnet +was cancelled during the construction of this file. Along with +it, the T.LLOYxx Family died (T.LLOY01, T.LLOY02, T.LLOY03). +These NUIs are probably the most free accounts that have been +available; meaning they had extremely little restrictions. After +entering a legitimate NUI, a colon prompt will appear. This +notifies you that Tymnet is ready to receive a NUA. NUA is an +acronym for Network User Address. This could be associated with a +BBS telephone number, as they are much alike in certain aspects. + +Types of NUAs: + +Chat Systems- + +Chat systems are probably the most popular of the NUAs to hackers +on the networks. You can find many other hackers that are willing +to trade new information. As well, in-depth conversations on +hacking do take place on chat systems, so they are an excellent +place to learn for the newcomer. + +One of the most popular chat systems is QSD France. You can reach +QSD via 208057040540 NUA. It is not a 'Live' chat system, as +messages take some time to exchange. This chat system is also an +excellent place to find other hackers to exchange information +with. But be noted, QSD is like a local chat system in France, so +you will, certain times, run into people who know nothing about +hacking. It's best to avoid these people, because they are +usually gay/lesbian, or looking for a fight. Besides, what use do +you have for the general public? When reaching QSD, remember to +change your parity to 8N1. If you logged in with 8N1, don't worry +about it. Another note, QSD treats a destructive backspace as +return. Do NOT hit backspace. The only way to get around the +backspace problem, from my knowledge, is to use a Canadian PAD. + +Most other chat systems are run off either custom software, like +QSD, or off a Unix Shell. The Unix Shell chat systems are a bit +harder to understand, but are much more powerful. When logging in +to a Unix chat system, you will see a Logon: prompt, as most +Unix's have. Try using default accounts to logon (x25, Guest, +etc.). When logging onto a Unix Chat System which automatically +places your NUA (Your PAD Address), use the FROM= command from +the logon. RMI Chat System is a perfect example of this. Use Gast +FROM=Hell/Gast as a Username/Password. If you want other hackers +to know the exact geographical location from which you are +calling, don't bother with this, otherwise, be safe, and use the +FROM= command. + +Unix Chat Systems resemble closely to the conferences found on +most pay networks (Compuserve, Genie, BIX, etc), as they are +'Live', and you see messages as soon as the author writes them. + + +Outdials Explained: + +Outdials that are available on Tymnet are PC-Pursuit (Telenet) +Outdials. PC-Pursuit is a pay service from Telenet where you sign +up and pay a monthly fee, and you are allowed a certain amount of +long distance data calls. Of course, when using PC-Pursuit +Outdials through Tymnet, you don't have to pay for anything. +Outdials are restricted only to dial numbers from within that +area code. If you logon to the 213 Outdial, you can only reach +data numbers in 213. These Outdials are referred to as Local +Outdials. There is another type of Outdials, and there are called +Global Outdials, or, abbreviated, GODs. GODs can call anywhere +within the United States with no restrictions, unlike LODs. The +dial format for GODs usually differs. Ask whomever you received +the GOD from for dialing procedures. Usage of Outdials is quite +simple, after logging into Tymnet, and entering the NUA of the +desired Outdial, you must hit one of three commands. If you are +new to Outdials, they have a help level available where a program +controls the modem for you via certain commands you send to it. +To reach this help level, hit either CTRL-E or '%' when you +connect to the Outdial. If you wish to use simplified AT +commands, type 'AT', and you are ready. Use the AT level just as +you would with your own modem. Entering a 1+AC+Number is not +necessary, and if done, will not work correctly. Remember, you +are logged into a certain area code, and you can only call +numbers within that area code, so just type the local 7 digit +phone number. File transferring through Tymnet/Telenet OutDial +through tymnet is tricky when you are on a BBS, you must ALWAYS +switch to 8n1,1 after you connect to a BBS through a OD, and when +you are about to transfer, the only protocol you can use is PCP +Z-Modem, aka MobyTurbo Zmodem, aka Z-Modem '90. This protocol was +made for tymnet OD's and if you don't use it, you will get a slew +of errors in your file and it will just corrupt the file and/or +abort your transfer. + +DNIC Restrictions: + +DNIC is an acronym for Data Network Identification Code. A DNIC +is made up of the first 4 digits of any NUA. There are plenty of +DNIC lists around, so I will not include one. A DNIC shows which +network, or country you are connecting to. Most of the NUIs that +have been around have had very little restrictions when it comes +to connecting to different DNICs, but as they are slowly dying, +you might run into trouble with new NUIs that have restrictions. +If you are trying to connect to a system in Germany, and your NUI +bars access to German DNICs, try connecting to another PAD, such +as an England PAD, and attempt connecting to the NUA again. You +should not run into many problems. It's harder to scan this way.. +but it's a method around NUI restrictions. (Editor's Notes: In +this text file, the author refers to your local Tymnet dialup as +a PAD. Technically, it is. Technically, everything on Tymnet is a +PAD. When I use the acronym PAD, I mean an x28/x29 PAD, and not a +local dialup, and most of the rest of the hacker community on the +networks would agree. I find very rare instances where I see it +used in this way.) +Here is a list of Telenet PC-Pursuit Local Out Dials: + + New Jersey: +3110 201 00 022 2400 Baud + + District of Columbia: +3110 202 00 117 2400 Baud + + Connecticut: +3110 203 00 105 2400 Baud + + Washington: +3110 206000 208 2400 Baud + + New York: +3110 212 00 028 2400 Baud + + California: +3110 213 00 023 2400 Baud +3110 213 00 413 2400 Baud +3110 714 00 004 2400 Baud +3110 714 00 102 2400 Baud +3110 916 00 007 2400 Baud +3110 408 00 021 2400 Baud + + Texas: +3110 214 00 022 2400 Baud +3110 713 00 024 2400 Baud + + Pennsylvania: +3110 215 00 022 2400 Baud + + Ohio: +3110 216 00 120 2400 Baud + + Colorado: +3110 303 00 021 2400 Baud +3110 303 00 115 2400 Baud + + Florida: +3110 305 00 122 2400 Baud +3110 813 00 124 2400 Baud + + Illinois: +3110 312 00 024 2400 Baud + + Michigan: +3110 313 00 024 2400 Baud + + Missouri: +3110 314 00 005 2400 Baud + + Alabama: +3110 404 00 022 2400 Baud + + Wisconsin: +3110 414 00 120 2400 Baud + + Arizona: +3110 602 00 026 2400 Baud + + Minnesota: +3110 612 00 022 2400 Baud + + Massachusetts: +3110 617 00 026 2400 Baud + + Utah: +3110 801 00 012 2400 Baud + + North Carolina: +3110 919 00 124 2400 Baud + + + TELENET +I am writing this assuming that the reader has no knowledge of +the Telenet network. In part 1 I will discuss the basic theory of +Telenet and how it can be used as a basically safe and fun +hacking tool. Telenet is a Packet Switching Network (PSN). Since +I want to make this as short as possible I will try to give you a +*basic* understanding of what a PSN is and how it works. +Basically there are 3 levels to the PSN. The 3rd and lowest is +the PAD that you dial-up. This is where you enter all of the +information. 2nd is the actual PSN which takes the data you enter +in 128k chunks (usually) and then transmits them to the host (1st +and highest level) at baud rates ranging from 9600 to 19,200. +This means that 2 computers with different baud rates are able to +communicate (See my really bad ASCII PSN map). Ok, now you have a +*basic* understanding of how Telenet works. Now to the fun stuff! +Remember, Telenet has access to computers all over the world. +When you consider all the networks that these other computers are +connected to then you can see that you can basically access the +entire world. It is also pretty safe because there is no way that +someone can monitor all the PADs at one time. +Ok, now first you must find a list of Telenet access numbers. +There are many lists out there (look in Phrack issue 21). If you +can't find one then to find the Telenet dialup nearest your +location, call 800-424-9494 at 300/1200 baud. At the '@' prompt, +type 'MAIL'. Enter user name 'PHONES' with password 'PHONES'. So +now you have a local access number. Remember it's (7E1), so if +your screen looks messed-up then you're not set right. After you +call this is what you do..... + +*Inside the '<>' (of course is return) is what you have to +type.... + +CONNECT 2400 (or whatever baud rate it is) + +TERMINAL= +@ + + Ok, now you're to the @ prompt. This is the telenet PAD +prompt. This prompt means that telenet is in "command" mode. Now +we will get to the *real* fun. + Telenet's computer systems are identified by NUA's. This stands +for Network User Address. The way you connect to the NUA's are +by either typing in 'c' or just typing in the nua by +itself. We will work w/ the 1st and most basic form on the NUA +since this is a file for people who don't know what the hell +they're doing (I'll make another G-phile for the more advanced +telenet hacker ). The easiest form is AAA XXX, this is where AAA +stands for an area code and XXX stands for random numbers. So if +I wanted to scan the Los Angeles area for example I would type +213 123. Here 213 is the area code and 123 are random numbers. +You must have a at least 4 numbers. So 213 1 would work as would +213 12. + Telenet doesn't recognize zeros or spaces so you could also +type 213 123 like this 213000000000000123 or like 213123. Ok, now +that you know how to use simple NUA's you can start messing +around. So, now you can access all the networks and +Unix/Vax/Primes/etc... that you want right? So, you enter 213 +123 and suddenly it says.. COLLECT CONNECTION REFUSED +F4 E6 Well, you just learned life's first lesson. Nothing in +life is free! Yes, that's right, the "good" systems on telenet +you have to pay for. This is where a NUI comes in. This stands +for Network User ID. This is for users with "accounts" on +telenet. NUI's are very hard to find these days ( I've only had +1 in my hacking adventures ). They are in the form of a user +name ( anything ) and then a password (6 numbers). These are very +hard to hack since there are no "default" names or passwords. You +type in ID and then the password to user one. if you can +hack out a NUI then you should be writing G-Philes instead of +reading them. + But don't worry though! There are *MANY* systems on telenet +that are free. The only ones that cost money are the big ones +like some BIG corporation. By just typing in an area code and +then a random number ( up to 3 digits ) you can find some really +cool systems (hey, yo can hack into McDonalds for free!!). +Anyway I have the most fun by turning on my Led Zeppelin CD and +just randomly typing in numbers. You will find at least 1 NUA +that connects for every 5 you type in . Its not like phreaking +where you find a code per 10 hours.... Of course there are the +lazy hackers who just want the NUA's with no work, there are many +good NUA lists ( check you local p/h/a board ). You can find a +NUA lists in a few Phrack issues or on DII (Data Infinty, +Incorporated (yes once again, I must plug my organization you +know). If you want to feel like you did something then get the +NUA Attacker. This is an IBM program that calls telenet and then +types in different NUA's ( you set the range ). It is basically a +code hacker for Telenet. This can be found on DII (Data Infinity, +Inc.) or most good p/h/a boards. HACKING UNIX + +Welcome to the basics of hacking Vax's and Unix. In this article, +we discuss the unix system that runs on the various vax systems. +If you are on another unix-type system, some commands may differ, +but since it is licensed to bell, they can't make many changes. +Hacking onto a unix system is very difficult, and in this case, +we advise having an inside source, if possible. The reason it is +difficult to hack a vax is this: Many vax, after you get a +carrier from them, respond=> Login: They give you no chance to +see what the login name format is. Most commonly used are single +words, under 8digits, usually the person's name. There is a way +around this: Most vax have an acct. called 'suggest' for people +to use to make a suggestion to the system root terminal. This is +usually watched by the system operator, but at late he is +probably at home sleeping. So we can write a program to send at +the vax this type of a message: A screen freeze (Ctrl-s), screen +clear (system dependant), about 255 garbage characters, and then +a command to create a login acct., after which you clear the +screen again, then un- freeze the terminal. What this does: When +the terminal is frozen, it keeps a buffer of what is sent. well, +the buffer is about 127 characters long. so you overflow it with +trash, and then you send a command line to create an acct. +(System dependant). after this you clear the buffer and screen +again, then unfreeze the terminal. This is a bad way to do it, +and it is much nicer if you just send a command to the terminal +to shut the system down, or whatever you are after... There is +always, *Always* an acct. called root, the most powerful acct. to +be on, since it has all of the system files on it. If you hack +your way onto this one, then everything is easy from here on... +On the unix system, the abort key is the Ctrl-d key. watch how +many times you hit this, since it is also a way to log off the +system! A little about unix architecture: The root directory, +called root, is where the system resides. After this come a few +'sub' root directories, usually to group things (stats here, priv +stuff here, the user log here...). Under this comes the superuser +(the operator of the system), and then finally the normal users. +In the unix 'Shell' everything is treated the same. By this we +mean: You can access a program the same way you access a user +directory, and so on. The way the unix system was written, +everything, users included, are just programs belonging to the +root directory. Those of you who hacked onto the root, smile, +since you can screw everything... the main level (exec level) +prompt on the unix system is the $, and if you are on the root, +you have a # (super- user prompt). Ok, a few basics for the +system... To see where you are, and what paths are active in +regards to your user account, then type > pwd This shows your +acct. separated by a slash with another pathname (acct.), +possibly many times. To connect through to another path, or many +paths, you would type: You=> path1/path2/path3 and then you are +connected all the way from path1 to path3. You can run the +programs on all the paths you are connected to. If it does not +allow you to connect to a path, then you have insufficient privs, +or the path is closed and archived onto tape. You can run +programs this way also: +you=> path1/path2/path3/program-name +unix treats everything as a program, and thus there a few +commands to learn... To see what you have access to in the end +path, type=> ls -- for list. this show the programs you can run. +You can connect to the root directory and run it's programs +with=> /root By the way, most unix systems have their log file on +the root, so you can set up a watch on the file, waiting for +people to log in and snatch their password as it passes thru the +file. To connect to a directory, use the command: => cd pathname +this allows you to do what you want with that directory. You may +be asked for a password, but this is a good way of finding other +user names to hack onto. The wildcard character in unix, if you +want to search down a path for a game or such, is the *. => ls /* +Should show you what you can access. The file types are the same +as they are on a dec, so refer to that section when examining +file. To see what is in a file, use the => pr filename command, +for print file. We advise playing with pathnames to get the hang +of the concept. There is on-line help available on most systems +with a 'help' or a '?'. We advise you look thru the help files +and pay attention to anything they give you on pathnames, or the +commands for the system. You can, as a user, create or destroy +directories on the tree beneath you. This means that root can +kill every- thing but root, and you can kill any that are below +you. These are the => mkdir pathname => rmdir pathname commands. +Once again, you are not alone on the system... type=> who to see +what other users are logged in to the system at the time. If you +want to talk to them=> write username Will allow you to chat at +the same time, without having to worry about the parser. To send +mail to a user, say => mail And enter the mail sub-system. To +send a message to all the users on the system, say => wall which +stands for 'write all' By the way, on a few systems, all you have +to do is hit the key to end the message, but on others +you must hit the ctrl-d key. To send a single message to a user, +say => write username this is very handy again! If you send the +sequence of characters discussed at the very beginning of this +article, you can have the super-user terminal do tricks for you +again. Privs: If you want super-user privs, you can either log in +as root, or edit your acct. so it can say => su this now gives +you the # prompt, and allows you to completely by-pass the +protection. The wonderful security conscious developers at bell +made it very difficult to do much without privs, but once you +have them, there is absolutely nothing stopping you from doing +anything you want to. To bring down a unix system: => chdir /bin +=> rm * this wipes out the pathname bin, where all the system +maintenance files are. +Or try: => r -r This recursively removes everything from the +system except the remove command itself. Or try: => kill -1,1 => +sync This wipes out the system devices from operation. When you +are finally sick and tired from hacking on the vax systems, just +hit your ctrl-d and repeat key, and you will eventually be logged +out. The reason this file seems to be very sketchy is the fact +that bell has 7 licensed versions of unix out in the public +domain, and these commands are those common to all of them. We +recommend you hack onto the root or bin directory, since they +have the highest levels of privs, and there is really not much +you can do (except develop software) without them. + + + Primenet +Well, we've all heard of Unix and Vax systems. We hear a little +bit now and then about Cyber or Tops systems, but what is Prime? +Well, prime is a system made by Primos which has a set-up +something like DOS. Prime is arguably not as powerful as a Vax or +Unix system, but it is more user friendly (I feel) than either of +them. + +Now, you may say to yourself "Great, why should I even learn +about prime if nobody uses it". Well there are many people who +use it (just not as many as Unix of Vax), but the real reason I +wrote this is because a good percentage of the systems found on +Telenet are prime. Since I have already wrote a telenet G-Phile +(which is very good ), I thought I'd follow it up with a +primos text phile since there are so many. Also, there are no +really good primenet hacking philes (except for a good one in a +LOD/H journal and in a Phrack issue which I forget) that cover +everything. + +First of all find a prime system. This can be done by going on +Telenet and just scanning or picking-up the LOD/H journal #4 +which has a great NUA list (or any NUA list for that matter). You +can also check at your local university for one. Ok, first I tell +you the way to identify a prime system. It should be easy because +almost all prime systems have a system header that looks +something like... + +PRIMENET 22.1.1.R27 SWWCR + +This means that this is a primenet version 22.1.1. If for some +reason you get VERY lucky and find a version 18.xx or lower then +you're in. See, most version 18's and lower have either no +password (So you enter System for the ID which is the sysop), or +if they do have a password then all you have to do is hit a few +^C (Control C for the beginner) for the password. Some prime +systems just sit still when you connect. On these try typing like +'hi'. If its a prime you will get a message like... +Now, in order to logon to a prime system you must type "Login +" or just "Login". If you type in "Login" then it will +just ask you for your username anyway. Now, here is the hardest +part of hacking. You must get a working password. Primes are hard +to hack since they don't have any default passwords. Here is a +list that I have compiled ..... (passwords same as Username!) ÉÍÍÍÍÍÍÍÍÍÍÍÍËÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» +º Username º Password º +ÌÍÍÍÍÍÍÍÍÍÍÍÍÎÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͹ +º Prime º Prime º +º System º System º +º Primos º Primos º +º Admin º Admin º +º rje º rje º +º Demo º Demo º +º Guest º Guest º +º Games º Games º +º Netman º Netman º +º Telenet º Telenet º +º Tools º Tools º +º Dos º Dos º +º Prirun º Prirun º +º Help º Help º +º Test º Test º +º Netlink º Netlink º +ÈÍÍÍÍÍÍÍÍÍÍÍÍÊÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ + +Not all these passwords and names are guaranteed to work. If none +of them work then try to mix-up the usernames and the passwords. +Hopefully you have now gotten into the system and get the "OK," +prompt. + +OK, so now you're in. If you have gotten in then that is a big +step in itself and I congratulate you. So, now you have the +prompt "OK," or something like that. This is the command prompt, +if you enter a bad command it may look different such as "ERR," +or soething like that. This is nothing to worry about just an +error message. Ok, first I'm going to run down some basic +commands. First of all we must understand how primos is set-up. +The primos set-up is very much like MS-DOS There are separate +directories each with files and more directories in them . It is +pretty easy to navigate, so i will just give you the commands and +then explain what to do with them.... +LD shows the contents of the current directory + you're in. +Attach attaches (move) to another directory. +Delete deletes a file or directory. +ED text editor to edit/create text. +Logout logs-off +Netlink enters the netlink section. +Slist lists the contents (text) of a file +CPL runs a .CPL program +Users lists the amount of users on the system. +Status Users gets the names, numbers and locations of the + users on line. +Help gets a list of the commands. +Help gets help with a command + + +Ok, those should be enough for the time being. Now, lets start by +doing a 'LD' (anything in single quotes means to type it). The +name of the directory you're in right now should be the same as +your user name. There may be a few files in here so to see the +contents of the files type 'SLIST '. Now, lets do an +'Attach MFD'. This is the "Main File Directory" where most of the +major files and directories are found. So now we will do another +"LD" and look at all the directories and files. Ok, now to start +the hacking. This method works with most primes, but not all so +don't be to discouraged if it doesn't work. Ok, first of all you +probably noticed that when you first started-out the directory +you were in had the same name as your username (id). This is a +very important lesson. The reason this is important is because +now you can probably figure-out that *The name of every directory +is also the name of a +user* (NOTE: This is true for all directories, EXCEPT ones with +an asterix '*' by their name). This means 2 things, first of all +it means that you can basically find a fair amount of usernames +from the mfd directory and the odds are that a few of them will +have the same password as the name (This is an important lesson +in hacking, whenever you're on any kind of system et a user list +and then just go through the list, using the username as the +password and you should get a few accounts at least) Secondly it +means that you can access a certain users "private" directory. +What this means is that a lot of the usernames of actually people +may not be in the MFD directory. This means that once you find +out a username you can then simply say "attach " and +your in their directory. So, now knowing that we will do a +'Status Users'. This will give you a list somewhat like this: + +User Number Device +Guest 14 +System 1 +Hacker 81 +Sysmaint 19 (phantom) + +From this list we can get all the usernames/directories of the +users on-line and start snooping. It is usually not ood to be on +when there are a lot of people on since a Sysop might notice that +you shouldn't be on at that time or something. You may notice +that the last one (Sysmaint) has the word Phantom by it. This +means that it is just a program that is doing house keeping +stuff. Its nothing to worry about. The devices are merely like a +tree in other software (UNIX/VAX), if there are 2 devices then it +means that the user is either interacting with another system or +has logged-off incorrectly. So, now we have some usernames / +directories to look at (and to try as passwords for the same +username). Now first of all we want to go back to the MFD +directory and look for a directory that is something like UTIL, +Utilities, CCUTIL or whatever. This part is very site dependant +so just try any thing that looks like a util. Now attach to that +directory which is 'Attach Util' (assuming the name is Util). Now +we get to another important part of Primenet. The different file +formats..... + +FileSuffix How to execute/Description +ÉÍÍÍÍÍÍÍÍÍÍÍÍËÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» +º .CPL º CPL/Language º +º .SAVE º SAVE º +º .SEG º SEG º +º .TXT º SLIST º +ÈÍÍÍÍÍÍÍÍÍÍÍÍÊÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ + +This list shows you the different file suffixes you'll see. Every +file will be followed by a suffix. If it is not then you can +assume its text. The only suffix we want to worry about now is +the CPL suffix. CPL (Command Procedure Language) is the primos +"programming language". So you can assume that anything with a +.CPL suffix is some type of program. Most often you will find +simple programs which tell the date, some "menus" that people +programmed in CPL to navigate the system easier, and then their +own misc CPL files. To run a CPL file you type 'CPL ' +(the pathname is simply the file name). Now, since CPL is a +language it's programs must some how be written. This means that +by doing a SLIST on a .CPL file will display the contents & +source code of the .CPL file. + +Ok, so back to the hacking. So we're in the Util's library (or +whatever the name of the directory is). Ok, now do an 'LD' to see +the contents and look for any .CPL files. Lets say there's a CPL +file named "CleanUp.CPL". Now you'd type 'SLIST CleanUp.CPL', +this will display the source code of the CleanUp program. Now, +you will get a lot of trash but in it somewhere look for a line +that is something like... + + +A UTIL KEWL + ³ ^Password + ÀÄ´ Directory name + +So, what does this mean you ask?? Well first off we will remember +that every Directory (except for ones with stars by them) is a +username which you can log-on with. So this means that the +password for the username Util is KEWL !!! If you have found a +line like this then congratulate yourself..you have SYS1 access. +Just in case you don't really understand, lets say that there was +a directory's name was COUNT, and the password was ZER0. Now, if +you got lucky and were on a system where this works then you'd +see a line like... + +A COUNT ZER0 + +Another way to find out directory/usernames is by using the +'List_Access' command. This shows the different directories that +the current directory has access to. This will look something +like... + +ACL "). Because of this you will find *MANY* directories +with ALL access. I have found many directories of people who have +SYS1 access, with ALL access. Most of the other people will have +LUR access. This is still very sufficient for your needs, since U +can still read files. Since I want to be slightly kind I will +discuss how to change access on directories, for the people who +have legit prime accounts. If you have a hacked account then +there should be no reason for you to change access on a +directory, first of all you will be detected in a second, and +second of all its not permanent at all and can't be used to crash +the board. First of all the command to create a directory is +'Create [-password] [-access]'. So in other +words if I wanted to create a mail directory with the password of +HACK and LUR access hen I'd type. + +Create Mail [-HACK] [-LUR] + + The command for changing access on a directory is... + +Set_Access ALL [-LUR] + +In this example we are changing a directories access to LUR (you +can read but you can't edit) from ALL (everything). Since there +is no real reason you would want anyone else changing your files +I would suggest at least LUR access. If you are really worried +then I would not even think twice about going to NONE access, its +up to you. Although changing access is the most effective way to +secure your directory, there are some people who would like +others to read, or maybe even edit files in their directory. This +is why I usually tell people to just make a password, this +command has already been discussed.. That about wraps it up for +their directory part of this file. This is the major an most +important part. Now we get to the fun little features. + + + ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ + ³Creating Files and Writing Programs³ + ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ + +Creating files are a very important part of hacking prime net. +The main reason we want to create files is so we can take +advantage of the CPL language. I have not learned the CPL +language well enough so I really can't explain much about it. I'm +still looking for technical manuals. The easiest way to learn it +is by just looking at all the .CPL files. Once we learn the CPL +language we can simply add commands to create us new accounts to +house keeping programs. The reason we would want to do this is +because when it is run by the admin, or any user with high enough +access it will run these embedded commands and we will have a new +account with unlimited access!! The way to create a file is by +typing 'ED'. This will get you into the text editor. It should +look something like.. + +INPUT + +This means you can type in what ever you want. So lets say you +are making a file that, when run will type out 'Count_ZER0 is the +ruler of heaven and earth', you would type... + +Type Count_ZER0 is the ruler of heaven and earth + +Now, you'd type just a alone and you'll get a line like... + +COMMAND + +This line varies a lot from system to system, but you'll get +something to that affect. Here you would now type 'Save +Count.CPL'. This would then save a program call Count.CPL in the +directory and when you ran it (Discussed earlier) it would type +'Count_ZER0 is the ruler of heaven and earth' on the screen. + +The editor can also be used to write Basic, Fortran, C, and +pascal files (use the 'Languages' command to see what languages +it supports). All you do is write the program in the editor and +then save it with the correct suffix. Then you run/compile the +program. Since this file is much longer then I thought it would +be I won't discuss it, but it can easily be found out about by +using the 'HELP' command. + +Communicating With Other Users And Systems + +To send a message to another user On-Line you use the Message +command. Lets say using the status command (discussed earlier) +you found there was a user named JOE that you wanted to talk to. +So you'd type .. + +Message JOE +Hello, how are you ! + +This will send a message to him unless you get some message that +says something like.. + +User Joe not accepting messages at this time. + +This means that he is not accepting messages (duhhhhhh), so you +can try again later. You can also use the TALK command, which is +self-explanatory. Just type 'TALK', and then follow the +directions. + +Accessing Remote Systems + +The most exciting feature of primos (and this G-Phile), is +primenet's ability to access remote systems. See, they call it +primenet, because all primes are hooked-up to one big network. +This network is much like a "mini-telenet". This can be used with +the 'NETLINK' command. At a prompt, you must type 'NETLINK'. Then +you will be thrown into the netlink system. There is a good On- +Line help file which can be accessed with the 'HELP NETLINK' +command. Basically you type NC xxxxxxx . Now, +you can scan this like telenet and see what you come up with. The +most exciting part of all this is that some primos systems on +telenet let you enter telenet NUA's in the netlink system. This +means that all those "Collect Connection" NUA's you can't call, +can be accessed through primos *FOR FREE*. This means that you +don't need to mess with NUI's anymore (see my hacking telenet +part 1 file). Now comes the part that will bring me fame in the +hacking community, fame to œegions f œucifer, and anyone who +knows me............. + +The 'ANET' command + +Yes, this is the first time this command has every been +"published" is a G-phile. The way I came about this command was +one day I was hacking around and I saw this lady's directory with +LUR access. So I looked at the files, and surprisingly there was +a file that was a *BUFFER* of her logging on to remote systems +(yes the password was there!!). I was very surprised to see that +she used a command like 'anet -8887613' to access the remote +system, instead of netlink. This is a beautiful example of how +you can do a lot even if the directory isn't ALL access, anyway +heres the good part...... What the anet command does is dial a +phone number out from the primos and connects to it!! Yes, this +is like a code (but used for data communications of course). I'm +still hacking the command, but basically you just type 'anet - +' and you have it. I have only tried it on this one +system which is Primos version 22.1. This is a very exciting +command, so if you find any more things about it please contact +me. + + + HACKING DECs +Welcome to basics of hacking: DECs. In this article you will +learn how to log in to dec's, logging out, and all the fun stuff +to do in-between. All of this information is based on a standard +dec system. Since there are dec system s 10 and 20, and we favor, +the dec 20, there will be more info on them in this article. It +just so happens that the dec 20 is also the more common of the +two, and is used by much more interesting people (if you know +what we mean...) Ok , the first thing you want to do when you are +receiving carrier from a dec system is to find out the format of +login names. You can do this by looking at who is on the system. +Dec=> @ (the 'exec' level prompt) you=> sy sy is short for +sy(stat) and shows you the system status. You should see the +format of login names... A systat usually comes up in this form: +job line program user job: the job number (not important unless +you want to log them off later) line: what line they are on (used +to talk to them...) These are both two or three digit numbers. +Program: what program are they running under? If it says 'exec' +they aren't doing anything at all... User: ahhhahhhh! This is the +user name they are logged in under... Copy the format, and hack +yourself out a working code... Login format is as such: dec=> @ +you=> login username pass word username is the username in the +format you saw above in the systat. After you hit the space after +your username, it will stop echoing characters back to your +screen. This is the password you are typing in... Remember , +people usually use their name, their dog's name, the name of a +favorite character in a book, or something like this. A few +clever people have it setto a key cluster (qwerty or asdfg). +Pw's can be from 1 to 8 characters long, anything after that is +ignored. You are finally in... It would be nice to have a little +help, wouldn't it? + + + CRASHING BBSs +Fundamentals: +1) Never use YOUR account.. always go under JOHN DOE or some +lamer's password you figured out. +2) Never brag. It gets you in trouble. Tell some dudes in your +group or whatever but don't go posting on BBSs that you did it +unless the sysop doesn't really care (usually elite sysops +don't) +3) Always format. If you get in to dos, don't take the risk, +format the thing with out a boot sector. If you are going to JUST +use the format command be sure to corrupt and rename ALL the +files that might have records in them of you in his dos (in case +of a unformat command). Try low level formatting. De command: +g=c800:5 that calls up the low level format program. 4) Never +mess with a narc/fed. There ARE police boards and the like and it +just isn't worth it to mess with them. Don't be stupid. +5) Have class. The biggest thing to bear in mind is to do a good +job, or no job. If you really don't hate him, once you get into +his dos just add a line to his autoexec.bat file to show you got +in. Otherwise format it. 6) Don't call back. You never know if he +was keeping double logs in a hidden directory or some thing like +that. Just be damn sure never to call back and NEVER leave a +number. +7) Never delete. Never delete log files, always corrupt them by +ripping a few lines out with edlin and then rename them and +delete them. This, hopefully, will solve the undelete problem. +Another good thing to do is to start madly undoing zip files +after you delete something. This will also help the undelete +dilemma. + +SLBBS: + + The first thing you should do when in dos is to run config and +find out what his activity log file name is and where his data +files REALLY are. Use edlin or something and totally screw them +over so they are screwed and them rename them and delete them. +The most important ones are ACTIVITY.LOG, SYSTEM.BBS, INDEX.BBS, +LOG.BBS + + Most of these files can be used to figure out who you are. +Another wise thing to do is to look in his EVENT.DEF file and see +if he copies the files to a backup directory. Check all batch +files that the sysop may run out of EVENT.DEF. They also might +have backup in them. I, being the clever thing I am, back up my +logs to a tape backup after every call. Many sysops use Return +to dos after logoff and a program called GODOS to run a batch +after every call. Check his config to see if go to dos after +logoff is set to yes. If so look for batch files or com files +that look like they may be run to start the bbs. If he has a tape +backup you have to find his tape software and run it (the +directory name will be in his EVENT.DEF file if he backs up +regularly). Once you are in the tape software you have to format +the tape, however this will take a LOOOOOONG time (1 to 2 hours) +so you may want to do that last. You want to do pretty much the +same thing but the *.BBS files will be *.SL2. Pretty easy. + +After Shock 1.23: + + After Shock is kind of annoying. The best thing to do is to run +his config program t find out what his directories REALLY are +and then delete everything in his board and after shock main +directory. Remember to look at his RUN.BAT or what ever he uses +to run the bbs with, he may be keeping backups. There is also a +config option of what batch file to run every night. That also +may have back up info in it. + +Telegard: + + All the data files will probably be in the main bbs directory +or the GOFILES directory (check config for sure). Get rid of +these and that will be about it. + +Forum Hacks: + + A lot of BBS programs have been written by altering the source +code of TG or another BBS program. The best thing to do with +these is to run the config programs and find the REAL directory +names then mess them up and delete everything in them. CRASHING BBS's PART TWO + +Table of Contents: + +Section I : Crashing Emulex/2 & Forum Hacks + a: Emulex/2 + b: Forum Hacks +Section II: Crashing WWIV & Telegard + a: WWIV + b: Telegard + +Section Ia: Emulex/2 + +We'll start with one of the most known BBS softwares. Emulex/2. +As you all know, I, Tripin Face, stole the source code of +Emulex/2 last year from one of the programmers. Broke into his +house and grabbed a few diskettes and it just so happens that one +of the disks contained the source code to Emulex/2!! + +Here are a few ways to access into Emulex/2 (or any Forum Clone +for that matter.. a list of Forum Clones will be shown later.) + +When you get connected at the Matrix Menu, hack User ID #1. Of +course, its the Sysop Account. Always try the Password "Sysop", +some Sysops are SOO lame, you wouldn't believe it. If that +doesn't work, try anything that goes with the Sysop's handle... +But for the really stupid Sysops, the best way, is to get one of +his Passwords from another board and try that. Some lusers might +use the same Password. Also, if you don't hack the correct +password, don't hang up, wait for it to hang you up. Sometimes +the board hangup strings gets screwed and it doesn't get rid of +you, but lets you on the board with the account of the user you +attempted to hack! Ok, lets say you have a Sysop account. now, +the best thing to do is get a file on the board called "USERS." +Now, with Emulex/2, thanks to me, you can't add users, so what +you have to do is user edit each user by hand, and the view their +passwords and make sure you capture all of it. Now, lets get to +the crashing part. Hehehehe. Open a door,("P" from the Main Menu +and then "%" for Sysop Commands) and put any file for it, the +board will create any file you ask it to make. Now in the door +batch file, you must have the following commands: + + Ctty comX + command + +Now, comX, is the com port the bbs is set at. Now, if you know +the sysop is using com2, then put com2. DUH!!!. (Replace the "X" +with the Com Port #) Now this door should let you go to their +DOS, and the rest is easy. FORMAT ME PLEASE!. Or, run a virus or +a trojan.. Even a baby can do that.. If you can get an account, +but has no Sysop access. you can do many things. An easy way is +upload a file called "USERS. " with the following DSZ commands: + DSZ sz -fs \\ +make sure you are in the DIR you want to upload to. What this +does is upload a file anywhere on the HD you want. Now, before +you do this you must edit the users file and change the sysops +password to anything you want and then you can enter it and get +on as him! This way, you can crash the board but you don't need +to get all the users passwords. Also, a way to do this and get +all the users passwords is get the BBS software's config, and the +change the co-sysop level to like Level 1 or something and then +you can call with your account and have sysop access. I found +that the best way to crash a board... Now, with old Emulex/2 +there was a command for Net-Mail which was .. Shift 1 thru shift +0 ..like this -> !@#$%^&*() ..and with this command, the board +will receive any file. So you can use the DSZ on it. Works good, +but with the new Emulex/2 you set the Net-Mail command from the +config. Right now, in the new Emulex/2 there are only a few +backdoors. Sam Brown didn't want to add any more. Why, I don't +know. I think Emulex/2 has a upload a message command, you can +also use the DSZ command with that too. I am not sure though.. A +good way to hang a Emulex/2 board is go to the Database Area, if +there isn't one, keep on hitting "D", after a few times the board +will get screwed, you wont be able to tell unless you go the file +area, and it will say something like I/O errors, etc... then +upload and upload, and in the middle of the third or fourth +upload hang up, turn off the modem or pull the phone line out of +the wall, so it will hang on in the middle of the transfer. +Another way to hang Emulex/2 is by doing this: post a message, +and then edit a line, and insert a new line, but keep on hitting +anything until it gets to the last line. Then hang up, or try to +save. It should of hung, to make sure the hanging was cool, call +the board back and see. Section Ib: Forum Clones + +Now lets get to other software... + +Well, all FORUM CLONES are the same.. so all commands for Em/2 +should and will work for all the of the following BBS Softwares: + +Emulex/2 +LSD +Celerity +FCP all version +AfterShock +Monarch +Monarch/2 +TCS 1 and 2 +Havok +Forum Plus +ACS +UCI/Forum +Ghost Ship/2 +USSR +Magnum +TCS/Cobra +Silicosis + +Section IIa: WWIV BBS's + +1) Hacking into WWIV - The Utilities Needed. + PkZip/PkUnZip + Zmodem (Or Any Other Protocol) + An Account at the WWIV BBS you wish to Crash. + A Terminal Program +2) Hacking into WWIV - First Steps + First of all, you might want to make a separate directory +for all of these files you're about to make. Although there +won't be that many total, it might still be a good idea. But if +you're like normal people (Messy), like me, just put it wherever. + + Ok, Here's what you do. Make a text file called +PKUNZIP.BAT from your DOS, and put the line: command in it. This +is done like this: C:\HACKBBS> copy con pkunzip.bat +command +^Z (Press Ctrl-Z, Then Enter, and the file will save) + + Second, go ahead and zip the file. Make it any filename +you want as long as it's not something too obvious (like +TEMP.ZIP). You can zip up the file with PKZIP.EXE. This is done +like this: +PKZIP [zipfile] [athname\filename.ext] +- or in other words: +PKZIP temp.zip pkunzip.bat + + This will make a file called TEMP.ZIP with the file +pkunzip.bat in it. Go ahead and delete pkunzip.bat now, you +won't need it anymore. Now you've got the file temp.zip (or +whatever you called it). Go ahead and logon to your favorite WWIV +BBS. + +Hacking into WWIV - The Way To Do It. + + Go ahead and logon with your name and password, etc. +Go to the File section, and upload your file to any directory. +Now there is a temp file there. hit 'E' from the Transfer Menu +in the current directory that temp.zip is it, and when it asks +what file to extract, enter temp.zip as the filename. You'll +get something to the effect of: + Extract which file? (?=list, *=All files): +Hit '*'. What this just did is make a pkunzip in the current +working DOS directory. You'll be at the: + Extract which file? (?=list, *=All Files): +Hot the asterix (*) again. + + Congratulations! You made it into the Sysops DOS! (If +not, the sysop is smarter than you think, and he's protected +himself against some little hackers like yourself!) Not much you +can do if you didn't make it here. Hacking into WWIV - What to do while in DOS. + + You'll be in the path of \WWIV\TEMP>, Immediately type this +in: C:\WWIV\TEMP> cd ..\files + C:\WWIV\FILES> del *.log - This deletes the log of what +you did. C:\WWIV\FILES> del laston.txt - this deletes the +list of users who were on today. + Now, you're into his/her DOS. Since dos interrupts are +currently ON, You can type anything anywhere. You can type del +*.* and get the Are you sure? (Y/N) sign, and from there, you +CAN hit 'Y'. Or you can do it the other way, and just type echo +y|del *.*. From here you got his userlist and some other fun +stuff, which is located in C:\WWIV\DATA. You can go there by +typing cd..\data. once there, do this: +C:\WWIV\DATA> type user.lst +and you'll find the Sysops Phone Number and password right next +to each other. Write those down. Next, type cd.. and you'll be +in C:\WWIV>. From there, type the file status.dat, and the first +legible text you can find will be the System Password, so if you +just want to scare the living hell out of him, just type exit +from there and you'll come back to the BBS, with the Sysops Name, +Pass, Phone Number and System Password. You can now logon under +the Sysop and do all the cool stuff like go into UEDIT and give +yourself like 254sl and DSL, etc. + +Hacking into WWIV - Alternatives + +Instead of the PKUNZIP.BAT file in the TEMP.ZIP file, go ahead +and put your favorite Virus/Trojan in there, and follow the same +exact steps, except this time skip the DOS part. The Virus should +spread from there, and a trojan will work immediately. + +Hanging WWIV - The easiest thing to do in the world. + + Just make a plain and simple text file, and in it include an +ANSI code. Not just any ANSI Code, it's gotta be an ANSI Code +that is not a real part of ANSI. For example, (ESCAPE +CODE)[349857m or something like that, anyway. Then just //UPLOAD +it to a message base, and read it. When WWIV Doesn't intercept +the correct ANSI Codes, it doesn't know what to do, so it'll just +hang itself there 'till the System Operator comes and resets the +flippin' computer. Hang up from there, and well, it'll be down. Section IIb: Telegard BBSs + + All right, Swabbies. Here's a way to hack into Telegard (One +of the easiest to hack into - Next to WWIV). There's a catch to +this system, tho. There's got to be an Archive Menu from the File +Area. Most new Telegard systems will have one, it comes stock +into it. But the Sysop (Probably not if the Sysop is a new Sysop) +may take it out. So, if he's got it, you're in luck. It's +basically the same idea, Just follow these rules and other +guidelines, etc., and you'll soon become a better crasher than +you know ... + +Hacking into Telegard's DOS - Things Needed + Latest PkZip Utilities (c) PKWare + Terminal, Modem, Computer, etc. + A little knowledge of the use of DOS, + And a text file like this. + +Hacking into Telegard's DOS - Steps + + 1) Logging on. + 2) Finding your way. + 3) Uploading/Extracting the File + 4) What to do while in DOS. + +First of all, You've got to establish an account with the so- +called 'friendly BBS' that you want to crash. It's probably a +good idea to logon with a fake account, fake information, etc., +to protect yourself. Once you've logged on, try and talk to th +Sysop there. Try to social engineer your way into him validating +you with the highest possible access you can get. Be nice, offer +him stuff, basically, KISS HIS ASS. If he insists on Voice +Validating you, ask him just to pick up a phone at his end, and +you do the same (Pick up your phone), and you'll already be +connected so there should be no numbers dialing, and this will +obviously protect you. + +Make the PKUNZIP.BAT file from DOS, by typing in this: + copy con pkunzip.bat + command + ^Z + +Go and zip the file up, call it something that sounds catchy, so +it doesn't look too inconspicuous, use the line: +pkzip myfile.zip pkunzip.bat + +Now you have a myfile.zip with pkunzip.bat inside of it. +There's a way to get into the Telegard's File System, although +you may not haveaccess to it, you'll eventually get it if you +kiss the Sysop's ass for awhile. It's usually 'F' or 'T' from the +main menu. Once you're in there, upload a file to wherever it +tells you to, and if there's no certain directory, don't worry +about it. Just upload it. After you finish uploading the file, it +will kick you out to the transfer menu again. The Archive menu +from there is usually either '/A' or just 'A'. From there, you +will most likely get a prompt that is similar to the Transfer +prompt, (most likely containing the Area and Area Number that you +are currently in). Hit 'X' from there (Remember: Telegard has the +ability to change Command Letters, so if 'X' doesn't work, punch +in a '?' and look for Extract File). Extract the myfile.zip, +obviously extract *.*. If it kicks you back out, or whatever, +just go back into the menu and do the same thing over again. +Extract *.*, And this time it will run Pkunzip.bat, which +contains COMMAND.COM inside of it, and you'll have full access to +this guys DOS. + +Now that you're in DOS, you'll be in the area C:\BBS\TEMP>. From +there, type in 'cd ..\files'. Then 'del *.log', 'del *.txt', then +do the same thing in the Afiles Directory. Here's a type of basic +structure that Telegard uses. (Assuming the main dir is BBS): + + BBS + FILES + AFILES + TFILES + TEMP + 1 + 2 + 3 + DLS + TRAP +This is the basic format, del ALL *.log files from all of these +areas (The Sysop logs are kept in C:\BBS\TRAP>) You've now gotten +rid of all proof that you were ever on. Once in there, just do +whatever you'd like to do. Delete everything, run a few Virii, +execute a few trojans, give his computer herpes, or whatever. You +can simply exit by typing 'exit'. Another way is to upload a Game +or some file (Sysops never check the zip file to see what is in +it..) Make one of the files 'PKZIP.COM' or 'PKZIP.EXE' *.COM is +better because DOS runs COM files before EXE files. Anyway, +upload a PKZIP.COM that is a trojan or a virus, or even +COMMAND.COM (That will get you into DOS) and after you upload it +check and see if the file is 'Auto-Validated' if it isn't then +you have to wait until the Sysop Validates it.. otherwise if it +is Validated then type "/A" from the File Menu and then type "X" +or "E" for Extract ZIP File.. then it prompts you for the Zip +File, enter in the Fle you uploaded. Then it will ask you what +files to extract, just say all or just the PKZIP file.. When it +extracts it, type "Q" then type "W" for Work on Archive.. Then +you are at the 'Work on Archive Menu'. Type "A" for Add to +Archive, it will then proceed to ask you for a Archive Name,... +type in something like 'HACK.ZIP' or anything for that matter. It +will ask you for the files you want in the ZIP file, just do +'*.*'. Then it will ask you if you want to do it or add more +files, type "D" for 'Do It'. It will then run your "PKZIP.EXE" or +"PKZIP.COM"!!! Easy enough?? There are a bunch of great files you +can find in someone else's HD, try going to the Sysop Dir. +(C:\BBS\DLS\SYSOP) or just go to all the Directories right off +the root directory. After you are done having fun, take his/her +USER.LST & STATUS.DAT and you will have FOREVER Access.. or just +wipe out his drive! There are many more ways to access Telegard +DOS and have the System run what you upload, but I will not get +into that, I will leave some ways open for me, Captain +Swashbuckler, to crash those Telegard Boards! + + + CREDIT BUREAUS +Part One: What Is Credit Bureau, Incorporated? + + As many of you know, CBI is a credit reporting agency, or +credit bureau. It keeps the credit history of millions of +Americans on file. Our friends at CBI have been kind enough to +make this information available to the public for a moderate +annual fee. If you are cheap, or if you just want to learn how to +hack CBI, "you have come to the right place." + + +Part Two: The CBI Account. + +A CBI account follows this general format: +3 Numbers, 2 Letters, 2-5 Numbers, a dash{-}, followed by a +letter and a number. + +A sample might look like this: 123ab4567-a1. + or: 123ab4567-a1,bc,d. + +Either way is acceptable. The `bc,d' is not necessary. + +Part Three: Connecting To CBI. + + When calling CBI, I suggest you use at least one outdial if +you know for sure the account you have is valid. If you are going +to be hacking accounts, use at least three outdials. I don't +suggest calling direct, even if the dialup is local to you. If +you don't know why, you don't deserve to be reading this text. + CBI runs at either 300 baud, or that oh-so-technologically +advanced 1200 baud. This means you will need a 300 or 1200 baud +outdial for the NPA containing the CBI dialup. Make sure your +terminal program is set at E-7-1. I also find it easier to work +at half-duplex, because CBI does not echo a thing you type. So, +if you connect with full-duplex, and don't see your account +appearing on the screen, don't call your local P/H BBS and post +twenty messages saying, "N0thInG i tYpE aPPeArS 0n tHe sCrEEn aT +CbI!!!!!!!!!!!1!!1!1!!!!!!!!!!!!111!!!!!!!!!!!" (Note: the +exorbitant amount of exclamation points is a sign of the loser's +complete and utter idiocy.) Another thing I find useful is just +to have my capture log running as I work. This saves you the +trouble of having to write everything down, and it also serves as +a good reference. + + + Currently functioning CBI dialups are: + + *[201/984-6297] Newark, New Jersey + *[503/226-1070] Portland, Oregon + [612/341-0023] Minneapolis/St. Paul, Minnesota + [713/591-8100] Houston, Texas + *[804/466-1619] Norfolk, Virginia + [916/635-3935] Sacramento, California + + The starred numbers I have not verified. + + Keep in mind some CBI accounts are only valid on certain +dialups. They still serve any part of the country, you just can't +use them on every dialup. I have found CBI accounts that work on +more than one dialup, so it can't hurt for you to try. The worst +thing you will get is a message saying it's NOT VALID ON THIS +PHONE NUMBER or something. If you are hacking accounts and get +this message, try the account that yields the message on +different dialups. Maybe you'll "get lucky". + + CBI also has voice dialups. These numers are provided for +those "Social Engineers" out there. I have not verified these. + + [201/842-7500] Newark, New Jersey (Equifax Credit +Information Services) [617/932-8163] Boston, +Massachusetts (CBI) + + +Part Four: Applied Password Use: Pulling Info. + + Use is fairly straightforward. When you connect to CBI, hit +Control-S (^S) twice, then () twice. You should get +a message that reads: (ND)PLEASE SIGN-ON + + At this point you should enter the password. Make sure when +you enter the password that you include a period at the end. +This is very important; if you neglect to type the period, you +won't get in. Type the password: "123ab456-a1." then hit +CONTROL-S, and a . The ^S is the CBI "wakeup" +command. CBI doesn't respond to regular s. If you ever +think CBI should be doing something, and it has just frozen, hit +^S. Chances are this will solve the problem. Anyway, you will +then get a message telling you to + + WC5E - PROCEED + + This is when the fun begins. You decide you want to know +your next door neighbor's credit history. Here is what you do: + + NM-SMITH,ALAN,S. + CA-157,MAPLE,ST,YUTZVILLE,NY,10011. + ID-SSS-012-34-5678. ^S + + This is, of course, based on the assumption that your +subject's name is "Alan S. Smith" and that he lives at 157 Maple +Street in Yutzville, New York, 10011, and that his Social +Security Number is 012-34-5678. Keep in mind, the ID-SSS line is +not ecessary, but it is necessary if you are to distinguish +between Alan S. Smith, Jr. and Alan S. Smith, Sr. Wait a moment. +The report will pop up. You may want to hunt someone down from +a Post Office Box. If this is the case, replace the above CA- +line with this: + + CA-418#,POB,,YUTZVILLE,NY,10011. + + If you only have the subject's Social Security Number, type + + DTEC-012-34-5678. ^S + + This will give you a name and address to enter in the above +format. + + +Part Five: A Sample CBI Report. + +::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: + S A M P L E C B I R E P O R T + Note: All information in this report is fictional, including +the ACCOUNT NOs and the BUS/ID CODEs. +::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: + +*SMITH,ALAN,S SINCE 04/00/75 FAD 10/21/89 FN-700 +157,MAPLE,ST,YUTZVILLE,NY,10011,TAPE RPTD 10/89 + 68,PENN,ST,NOWHERE,IA,50055 + SEX-M,MAR-M,DEPS- 2,AGE-38,SSS-012-34-5678 +01 ES-WALMART CORP +02 EF-MCDONALDS RESTAURANTS + +*SUM-01/85-01/91,PR/OI-NO,FB-NO, ACCTS:11,HC$6-1600, 3-ONES. + +*INQS-450DC81 02/24/89,178BB20089 02/06/89. + +* BUS/ID CODE RPTD OPND H/C TRMS BAL P/D RT 30/60/90+MR +DLA/ACCOUNT NO +03 S*178BB34860 11/90 05/85 500 171 521 139 R5 01 01 01 66 +1234567890123456 + PREV HI RATES: R4 10/90, R3 09/90, R2 08/90 + CLOSED ACCOUNT + AMOUNT IN H/C COLUMN IS CREDIT LIMIT +04 I*178CD8712 10/90 03/89 123 123 123 O1 +003/88 048286423 05 I*342IH34 10/90 12/85 1600 500 1600 +R9 00 00 03 462642892 PREV HI RATES: R5 +11/88, R5 10/88, R5 09/88 + CHARGED OFF ACCOUNT + AMOUNT IN H/C COLUMN IS CREDIT LIMIT +06 I*905PZ82 11/90 12/86 700 0 390 R9 00 00 00 16 +3482684629331 PREV HI RATES: R9 03/89, R9 02/89, R9 +01/89 CHARGED OFF ACCOUNT + AMOUNT IN H/C +COLUMN IS CREDIT LIMIT 07 +U*178BQ282 10/90 01/85 231 231 R9 00 00 03 +4560337134046711 PREV HI RATES: R5 04/90, R5 03/90, +R4 02/90 CHARGED OFF ACCOUNT +08 I*956BB115 10/90 05/86 1100 0 R9 00 00 03 + 714827012 PREV HI RATES: R5 05/90, R5 04/90, R5 +07/89 CLOED ACCOUNT +09 I*178AC10870 07/90 05/87 123 123 123 123 R9 + 38812604654 CHARGED OFF ACCOUNT +10 A*906OC69 01/90 10/87 0 O5 00 00 01 09 +01/90 4906124373 PREV HI RATES: O5 04/89. + COLLECTION ACCOUNT + PAID-CREDIT LINE +CLOSED 11 +I*906OF259 12/89 11/87 6 6 6 O9 00 00 02 +3724962236703 PREV HI RATES: O5 11/89, O5 10/89, O9 +02/89 +12 I*416DC1577 11/88 11/87 300 R1 00 00 00 12 +32134882735921 SETTLEMENT ACCEPTED ON THIS ACCOUNT + CHARGE + 13 I*421DC4566 07/89 +10/87 401 390 372 R9 00 00 01 18736847728634 + PREV HI RATES: R9 02/89, R9 01/89, R5 12/88 + CHARGED OFF ACCOUNT + CHARGE + + +& +END OF REPORT CBI AND AFFILIATES - 01/30/91 +SAFESCANNED + +::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: + E N D S A M P L E C B I R E P O R T +::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: +::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: + S A M P L E D T E C R E P O R T +::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: +M1 OF 1 NM-SMITH,ALAN,S +CA-157,MAPLE,ST,YUTZVILLE,NY,10011,10/89 +FA-68,PENN,ST,NOWHERE,IA,50055 ES-WALMART CORP + SS-012-34-5678 AGE 38& + +END OF REPORT CBI AND AFFILIATES - 01/30/91 + +::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: + E N D S A M P L E D T E C R E P O R T +::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: + + +Part Six: Making Sense Out of All That. + SMITH,ALAN,S - is the subject's last name, first name, and +middle initial. SINCE 04/00/75 - I imagine this is how long +they've had a file on the subject. (Since April, 1975). On the +next line is his address- his current address is listed first, +and his past addresses are listed underneath. + SEX-M is pretty self explanatory. (It indicates he is a +MALE.) MAR-M is the subject's marital status (single, married, +widowed, divorced). + DEPS- 2 is the number of dependents the subject has. A +dependant is most often a son or daughter of the subject who is +still under 21. SS-012-34-5678 is the subject's Social Security +Number. ES- is the subject's current employer. + EF- are his past employers, listed in order, from most recent +to least recent. + SUM-01/85-01/91 indicates that the report is a summary from +January 1985 to January 1991. This really just tells you how far +back in time the report covers. + PR/OI-NO - Public Record/Other Information. This indicates +whether or not the subject has been involved in any court cases +(Public Record), and how those cases turned out (usually that is +what Other Information is.) Obviously, the NO indicates the +subject has not had any legal involvement during the period which +the report covers. + FB-NO - Firm/Business. I assume this signifies the subject is +not a business. + ACCTS:11,HC$6-1600 tells you that there are 11 entries listed +below, and that the credit limit (or amount loaned, in the case +of a loan) ranges from $6 to $1600. + 3-ONES - This tells you the credit rating. The "3" indicates +that there are 3 of the following type ("ONES" in this case). The +more "ONES" a subject has, the better his rating. This particular +person has a lousy credit rating. Out of 11 accounts, only 3 are +ONES. There can also be TWOS, THREES, FOURS, et cetera, up +through NINES. NINES are incredibly bad; the more of these the +subject has, the worse his credit rating is. ZEROS indicate that +the account was too new to be rated at the time the creditor last +reported. INQS - This line tells what creditors have checked +on the subject's credit. While interesting, it is more of a +hassle than anything. You see, when YOU pull the subject's info, +a little line will be added saying that your hacked account +pulled the file. Now, this won't look funny until the subject +reports fraudulent charging on his card. Then, CBI may check on +who has pulled the guy's info. When they see that The First +National Bank of Ethiopia has pulled his info, they will know +something is up. They will probably call the First National Bank +of Ethiopia and say, "Did you pull this guy's info?" And of +course they'll say "No." Actually, I've made more out of this +than it's worth. Anyway, the most recent credit check is listed +first, and then it works backwards. It lists the ID CODE and the +date the file was pulled. + The next line contains the headings for the columns that fall +under them. BUS/ID CODE is the CBI account (minus the +password) of the creditor that holds the subject's credit card, +loan, or whatever. In front of the actual ID CODE, there is a +letter and an asterisk (*). The letter signifies what type of +account it is. A - Authorized, C - Co-maker, I - Individual, J - +Joint, S -Shared, T- Terminated, U - Undesignated. Consult your +Local Library to find out what each type of account is. This +isn't really relevant to what you are after. + RPTD - The last time the creditor reported on the subject. +OPND - tells when that account was opened. + H/C - you will notice throughout the report that the "AMOUNT +IN H/C COLUMN IS CREDIT LIMIT". On a loan, this column reports +the amount loaned. TRMS - clarifies the terms of a loan. +Usually in the case of a credit card, this column is blank. A +"48M" in this column iiicates that the amount in the H/C column +will be paid back over a period of 48 months, or four years. In +such a case, the number in the MR column subtracted from the 48 +will tell you how many more months the subject has to go before +paying off that loan. + BAL is an abbreviation for BALANCE OWING. This is how much +of the credit limit (on a credit card) has been used, or how much +of the loan has been paid back. On a credit card entry, the BAL +subtracted from the H/C is how much the subject is authorized to +spend. + P/D- Past Due. Every month, a minimum amount of money is due +on your credit card payment. This may be as little as 10% of the +total amount due. Now, the credit card company would be damned +happy to see you only pay the minimum amount, because then they +can charge interest on every thing you owe. But, if you do not +pay this minimum amount (say you pay $75 out of a $100 minimum), +then $25 will be PAST DUE. It isn't good to owe money. RT - +Rating. This column gives the credit rating for that particular +account. An 'R' means the account is a revolving or option +payment plan, an 'I' means it is an installment payment plan, and +an 'O' means it is an open account. Consult your library for +definitions. The number following it is the credit rating for +that account. Remember, a '1' is good, and a '9' is really bad. +The number of '1's here should match the number "X" in "X-ONES" +on the first line. + 30/60/90 - the number in the 30 column means that the subject +has been between 30 and 59 days delinquent on his payment that +many times. If a "2" is in the 60 column, this indicates that the +subject has been between 60 and 89 days late with the minimum +payment twice during the number of months in the MR column. A +number in the 90 column would indicate that the minimum payment +has been over 90 days past due "X" number of times. +MR - +Months Reviewed. Indicates how many months have been reviewed. +(Obviously.) Say you have a "1" in the 30 column, and a 49 in the +MR column. This indicates that the subject has been 30-59 days +late with the minimum payment in the past 49 months. It's not +really too hard to understand. + + DLA/ACCOUNT NO - This column contains the credit card +numbers. Visa and Mastercard both have 16 digits. American +Express (Amex) hs 13 digits. DLA is the Date Last Activity. If +there is a date in this column, it is NOT a credit card +expiration date, it is telling you the last time that account was +active. + PREV HI RATES - This indicates the past ratings of the +account on the date listed. + + Explanation of the DTEC report: + + "1 of 1" means that the first report of one is being listed. +Remember, no two people have the same Social Security Numbers. NM +is the subject's name. CA is the subject's current address. The +date at the end of this line should match the most recent date on +the address line in the subject's full report. The FA line lists +former addresses. The ES line lists the subject's current +employer. Following this is the subject's Social Security Number, +which you must have already had to get the DTEC report. And +lastly, the subject's age. + + +Part Seven: Practical Use of CBI. + + You may have a question now, "Whose file do I pull?" You want +to pull the file of someone who is rich. Usually Lawyers and +Doctors will fit the bill. Look in the Yellow Pages under +"Lawyers" and "Doctors" and find the names of some upper class +bastards. You can use your local White Pages to cross-reference +and get their home addresses. From here, you call CBI, and pull +their file. + Once you get the file, look in the DLA/ACCOUNT NO column. +Find all the 13 and 16 digit numbers. 16 digit numbers starting +with "4" are Visas. 16 digit numbers starting with "5" are +Mastercards. 13 digit numbers starting with "37" are American +Express. The first four digits of the card number signify the +bank that issued the card. A list is supplied below, taken from +the Narc Infofile #7, Update A. I have not done any work toward +verifying these myself, either. + +VISA +---- +4428 Bank of Hoven +4128 Citibank CV +4271 Citibank PV +4929 Barclay Card CV (from England) +4040 Wells Fargo CV +4019 Bank of America CV +4024 Bank of America PV or CV +4019 Bank of America Gold (This card looks like a CV but +without a CV after the expiration +date) +4678 Home Federal +4726 Wells Fargo CV +4036 +4561 +4443 +4833 +4424 Security Pacific National Bank +4428 Choice Visa [Citibank(Maryland)]??? +4070 +4735 +4673 +4044 +4050 +4226 Chase Manhattan Bank +4605 +4923 +4820 +4048 CV +4121 Signet Bank CV +4368 + + +Mastercard +---------- +5419 Bank of Hoven +5410 Wells Fargo +5412 Wells Fargo +5273 Bank of America Gold +5273 Bank of America +5254 Bank of America +5286 Home Federal +5031 Maryland Bank of North America +5326 +5424 Citibank +5250 +5417 +5215 +5204 +5465 Chase Manhattan Bank +5411 +5421 +5329 Maryland Bank of North 5308 +5217 +5415 +5291 Signet Bank + +American Express +---------------- +3728 GOLD +3713 Regular +3732 Regular +3737 +3782 Small Corporate Card +3731 +3724 +3742 +3727 +3787 Small Corporate Card +3726 +3766 +3734 +3749 +3763 +3710 +3718 +3720 +3739 + + At this point, your rendezvous with CBI is complete. Write +the credit card number you obtained, and the subject's basic info +in your notebook. Destroy the CBI report you have- there's no +need to have evidence sitting around. + + +Part Eight: Getting the CBI account. + + Okay kids, here's the hard part. Actually, it's not very hard +at all. Just time consuming. First, you have to find an ID CODE. +You know, the part of the account BEFORE the dash. Remember, the +part following the dash is the password. To get the ID CODE, go +trashing at a car dealership. You should find some printed out +reports. On these reports (they should look like what I supplied +above), you will find the "usernames" in the BUS/ID CODE column, +and in the INQS line. All you have to add to this ID CODE is the +password (obviously). Remember, the password is a letter and a +number. So, say your ID CODE is 123ab4567. When CBI asks you to +PLEASE SIGN ON, you begin hacking. Two common passwords are -c2 +and -c3. So, the first two things you try to enter should be +"123ab4567-c2. ^S " and "123ab4567-c3. ^S ". If neither +of these work, start at "123ab4567-a1." and work to "123ab4567- +z9." If I don't find something by the time I get hrough -d9, I +will usually pick another ID CODE and start over. You can do it +however you like. The lazy way to do this is hang around on +QSD with the sex freaks and see if you can find someone who will +trade with you. Chances are you'll get screwed, because almost +everyone there is a leech. They'll either give you something +fake, or nothing at all. If you want to trade, there are more +trustworthy and knowledgeable people on Lucifer. + + +Part Nine: ID CODEs. + + This section is a list of ID CODEs for you to hack on. This +list is taken from The Ghost's file on CBI, because I am too lazy +to make up my own list. + +426DC33 465IG14 444BB7072 906ON259 906ON267 +906BB5130 458ON2792 906BB206 444FP289 882AN137 +444FS1399 843BB342 404BB539 404DC21 496ON747 +496BB82 404CG94 426DC1577 401BB4880 872BB213 +444FS1381 728B10420 905BB587 496ON598 426BB756 +426BB3859 444BB3469 444BB3626 444BB5605 444FP2137 +906FA26 906BB115 906BB40 906FM6418 447FS844 + +906BB289 496ON291 901BB5101 906FM6335 496ON218 +458ON3022 402RE30375 426CG544 872BB31 872BB205 +444BB143 444BB6173 444FM11838 458ON3014 155ON44 +905ON1497 444ZB361 496ON648 444BB5654 496BB587 +906CG2913 444BB5704 416FM2092 444BB465 444BB5282 +444BB5308 444BB5290 404FF262 906FF278 906FF260 +404FF1039 404FF825 906FF252 426DC561 181FS320 + +444FA483 906FA34 163DC2280 444BB2719 163BB17526 +404HZ141 444AN1082 444ZB00577 906DC185 444DC10639 +906DC193 444JA591 906DC151 444DC49 405BB280 +801ON119 801BB2942 496BB74 496FM271 426BB238 +426BB541 426BB1895 426BB2406 444BB804 444BB3253 +444BB9466 906OC99 404BB3483 444BB1315 444FM12285 +805BB2492 906DC656 444FA848 444BB6173 444BB1869 + +444YC1311 444BB6363 444BB6496 444BB564 444BB3436 +444BB952 891BB186 496ON44 444AN2452 444CS315 +906DC29 444DC510 905DC3081 180BB19097 444CG377 +496FZ45 404TZ19 444AN4177 906DM10 403DC1426 +496DC319 496DC20 444KI54 606OC10587 414BB917 +906FA67 444FA814 444BB5035 444BB9466 444BB978 +444BB2248 444BB1182 444BB4491 444ON366 444ON200 + +444ON358 444ON341 404HF375 444AN4491 496FS380 +404BB182 155ON85 163BB19418 444ZB668 801ON1182 +444BB2958 444BB1331 465ZB134 + +I haven't collected these myself, so I don't know if they all are +valid. File grabbing on large systems + +Definitions: + +Salami......Program that takes a selected amount of money from a +group of specified accounts and deposits it into another account. + + +Trojan......Program that does one honest function but meanwhile +caries out a series of secret commands. + +Say you are working for a company that uses a large central +computer network that is slightly old. You want to get at the +accounts file to make your self a salami. Most old systems have +two pointers at the head of the file, a write access and a read +access. The write means you can edit and delete the file while +the copy mean you can only run and copy the file. Your goal is to +gain write access to the accounts file. The best form of action +would be to take a program everybody has read access to (data +base, spreadsheet, whatever) and make a trojan out of it. +Probably the spreadsheet would be the best idea since the +accountant must use it a lot. The first problem you are going to +have is that you are only going to have read access to the +spreadsheet program because all you need to do is run it. +(Business policy is to give no more access than is needed.) So +you make a file and give your self read and write access to it. +Then simply copy the spreadsheet file into your file. You can now +edit the spreadsheet and add a feature to it (diagonal adding or +something make it VERY attractive). Then you add a little trojan +to the program that copies the accounts file to a file in your +directory, then copies another file from your directory in place +of the true accounts fie. You then give the spreadsheet program +to the accountant showing him the new feature and hope to God he +likes it. When he uses your spreadsheet program you will get the +accounts file in your directory. You should write a program and +leave it in memory so that as soon as it sees this file it copies +it into the other file name so your trojan can copy the other +file back the first time with out error. Once this has happened +delete the TSR program and edit the accounts file as you please. +You can then rename it to the file in your directory the trojan +copies back and your payroll will be changed! + Potpourri BUGS + As far as bugs go, don't worry about not being able to obtain them. Sure, there are some suppliers around that only sell to +'Law Enforcement Agencies' only, but most will sell to you, so +there is no reason to bother with social engineering yourself +one. Anyway, most suppliers that will only sell to law +enforcement agencies usually have their products so marked up, +its unrealistic. Good bargains, and very high quality equipment +can be found offered by a Japanese company called CONY. Usually +their products are so reasonable that it makes the competitors +cry in shame. I suggest you write to them. + + CONY MFG CORP + Rm 301 Hirooka Bldg + No 59, 2 Chome + Kangetsu cho + Chikusa ku Nagoya + 464 JAPAN + + + WHERE AND HOW TO STICK THEM + + Assuming you obtain a bug, or any combination of different +types of bugs, you will want to use them, for any number of +particular purposes. The safest and easiest way to plant a is to +send the person that you want to know better a nice gift with you +know what hidden inside it. Something that they could, say, place +on their desk, or display prominently in their place or work or +residence. Wrap it nice, and include a small card, and do +whatever you feel is appropriate. A more dangerous method is to +actually obtain entry into the office or residence of the person +that you want to know better. If you have success in getting in, +planting it, and getting out unnoticed, then you will be safe. +Once a is planted, you will leave it there even after it becomes +inoperative, because, if you have placed considerable risk on +yourself to plant it, you do not want to go through that risk +again just to retrieve it. Just forget about it. It won't miss +you. There are a number of places to hide your electronic friend: +o Carefully [!] unscrew a wall socket. There, you will notice +some extra, unused space inside. Figure out the rest. + +o Do like the shows on TV. Hide them under a table, or chair. Let +your imagination run wild [use good judgement]. You are +relatively free, due to today's technology, and the short +antennas. Pick an area that is not subject to 'search or routine +cleaning'. +o Dress up like a workman and show up at their house. Make up a +good excuse. Gain access. Plant it. + +UTILIZATION + + You will want to record all that you can get with this for +later review. Also, take into consideration, that you can't be at +the receiver 24 hours a day. The setup to use for maximum +efficiency is a recorder with a VOX. Therefore, tape waste will +be at a bare minimum. That's also good, because you don't want to +be at the receiver just to flip tapes every half hour to 45 +minutes. Also, it would be difficult to review these tapes, +becasse you would have to listen to a half hour recording for an +actual half hour, and so on. Well, those half hours will add up +into hours, into hours, into hours. Not smart. As said, invest in +a VOX. This will make it able to have the recorder skip over +those quiet times in your target's house. To save tape you could +slow down the recorder with electronics, if you have the +electronics. You might not be successful, because it becomes +difficult to tell the speech of people from background noise. +Please note that not every technique is discussed here. This is a +scratch of the surface. If you can, use metal tapes [if the +recorder has that capability]. If not, use low noise/extended +range tapes. As with most surveillance equipment, be sure that +you know what you are doing. This is a game in which you can be +charged hundreds of dollars for something that you could do +yourself with 35 bucks. Some companies sell recorders which claim +to be able to record 14 hours on a standard cassette. They have +simply removed the pulley from the drive shaft of a Panasonic or +Sony recorder that costs less than 50 dollars and jacked up the +price 300%. Try it yourself, save money. + +ADVANCED TECHNOLOGY + + There is a nice device called a shotgun mic that allows you to +point it at a window and listen in on a conversation in the +immediate room, because of the room's sound waves causing the +window glass to vibrate. The window must be closed. Since all you +have to do is point it and go, well, they become obviously +convenient. And fun. Find one. They might cost a litle more, but +worth it. And the target is not likely to know he is being +watched, so he will not be smart enough to enact countermeasures. + + + WIRETAPPING +Everyone has at sometime wanted to hear what a friend, the +principal, the prom queen, or a neighbor has to say on the phone. +There are several easy ways to tap into a phone line. None of the +methods that I present will involve actually entering the house. +You can do everything from the backyard. I will discuss four +methods of tapping a line. They go in order of increasing +difficulty. 1. The " beige box ": a beige box (or bud box) is +actually better known as a "lineman" phone. They are terribly +simple to construct, and are basically the easiest method to use. +They consist of nothing more than a phone with the modular plug +that goes into the wall cut off, and two alligator clips attached +to the red and green wires. The way to use this box, is to +venture into the yard of the person you want to tap, and put it +onto his line. This is best done at the bell phone box that is +usually next to the gas meter. It should only have one screw +holding it shut, and is very easily opened. Once you are in, you +should see 4 screws with wires attached to them. If the house has +one line, then clip the red lead to the first screw, and the +green to the second. you are then on the "tappee's" phone. You +will hear any conversation going on. I strongly recommend that +you remove the speaker from the phone that your using so the +"tappee" can't hear every sound you make. If the house has two +lines, then the second line is on screws three and four. If you +connect everything right, but you don't get on the line, then you +probably have the wire's backward. Switch the red to the second +screw and the green to the first. If no conversation is going on, +you may realize that you can't tap the phone very well because +you don't want to sit there all night, and if you are on the +phone, then the poor tappee can't dial out, and that could be +bad...so....... method two. 2. The recorder: This method is +probably the most widespread, and you still don't have to be a +genius to do it. There are LOTS of ways to tape conversations. +The two easiest are either to put a "telephone induction pickup" +(radio shack $1.99) on the beige box you were using, then +plugging it into the microphone jack of a small tape recorder, +and leaving it on record. Or plugging the recorder right into the +line. This can be done by taking a walkman plug, and cutting off +the earphones, then pick one of the two earphone wires, and strip +it. There should be another wire inside the one you just +stripped. Strip that one too, and attach alligators to them. Then +follow the beige box instructions to tape the conversation. In +order to save tape, you may want to use a voice activated +recorder (Radio shack $59), or if your recorder has a "remote" +jack, you can get a "telephone recorder control" at Radio shack +for $19 that turns the recorder on when the phone is on, and off +when the phone is off. This little box plugs right into the wall +(modularly of course), so it is best NOT to remove the modular +plug for it. Work around it if you can. If not, then just do you +best to get a good connection. When ecording, it is good to keep +your recorder hidden from sight (in the bell box if possible), +but in a place easy enough to change tapes from. The wireless +microphone: this is the tap. It transmits a signal from the phone +to the radio (Fm band). You may remember Mr microphone (from +kaytel fame), these wireless microphones are available from radio +shack for $19. They are easy to build and easy to hook up. There +are so many different models, that it is almost impossible to +tell you exactly what to do. The most common thing to do, is to +cut off the microphone element, and attach these two wires to +screws one and two. the line MIGHT, depending on the brand, be +"permanently off hook" this is bad, but by mucking around with it +for a while, you should get it working. There are two drawbacks +to using this method. One, is that the poor asshole who is +getting his phone tapped might hear himself on "FM 88, the +principal connection". The second problem is the range. The store +bought transmitters have a VERY short range. I suggest that you +build the customized version I will present in part four (it's +cheaper too). Now on to the best of all the methods.... 4. The +"easy-talks": This method combines all the best aspects of all +the other methods. It only has one drawback... You need a set of +"Easy-talk" walkie talkies. They are voice activated, and cost +about $59. You can find them at toy stores, and "hi-tech" +catalogs. I think that any voice activated walkie talkies will +work, but I have only tried the easy-talks. First, you have to +decide on one for the "transmitter" and one for the "receiver". +It is best to use the one with the strongest transmission to +transmit, even though it may receive better also. Desolder the +speaker of the "transmitter", and the microphone of the +"receiver". now, go to the box. put the walkie talkie on "VOX" +and hook the microphone leads (as in method three) to the first +and second screws in the box. Now go home, and listen on your +walkie talkie. if nothing happens, then the phone signal wasn't +strong enough to "activate" the transmission. If this happens +there are two things you can do. One, add some ground lines to +the microphone plugs. This is the most inconspicuous, but if it +doesn't work then you need an amplifier, like a walkman with two +earphone plugs. Put the first plug on the line, and then into one +of the jacks. Then turn the volume all the way up (w/out pressing +play). Next connect the second earphone plug to the mice wires, +and into the second earphone outlet on the walkman. now put the +whole mess in the box, and lock it up. This should do the trick. +It gives you a private radio station to listen to them on, you +can turn it off when something boring comes on, and you can tape +off the walkie talkie speaker that you have! + +WIRELESS TRANSMITTER PLANS + +Here the plans for a tiny transmitter that consists on a one +colpitts oscillator that derives it's power from the phone line. +Since the it puts on the line is less than 100 ohms, it has no +effect on the telephone performance, and can not be detected by +the phone company, or the tappee. Since it is a low-powered +device using no antenna for radiation, it is legal to the FCC. +(That is it complies with part 15 of the FCC rules and +regulations). It, however is still illegal to do, it's just that +what your using to do it is legal. This is explained later in +part 15... "no person shall use such a device for eavesdropping +unless authorized by all parties of the conversation" (then it's +not eavesdropping is it?). What this thing does,is use four +diodes to form a "bridge rectifier". It produces a varying dc +voltage varying with the auto-signals on the line. That voltage +is used to supply the voltage for the oscillator transistor. +Which is connected to a radio circuit. From there, you can tune +it to any channel you want. The rest will all be explained in a +minute.... + PARTS LIST DESCRIPTION + +C1 | 47-Pf ceramic disk capacitor +C2,C3 | 27-Pf mica capacitor +CR1,CR2,CR3,CR4 | germanium diode 1n90 or equivalent +R1 | 100 ohm, 1/4 watt 10% composition resistor +R2 | 10k, 1/4 watt 10% composition resistor +R3 | .7k, 1/4 watt 10% composition resistor +L1 | 2 uH radio frequency choke (see text) +L2 | 5 turns No.20 wire (see text) +Q1 | Npn rf transistor 2N5179 or equivalent + +One may be constructed by winding approximately 40 turns of No. +36 enamel wire on a megohm, 1/2 watt resistor. The value of L1 is +not critical. L2 can be made by wrapping 5 turns of No. 20 wire +around a 1/4 inch form. After the wire is wrapped, the form can +be removed. Just solder it into place on the circuit board. It +should hold quite nicely. Also be sure to position Q1 so that the +Emitter, Base, and collector are in the proper holes. The +schematic should be pretty easy to follow. Although it has an +unusual number of grounds, it still works. + + |------------------L1----------------| + -- | + CR1 / \ CR2 |----------------| +A--------------/ \ --| ----| | | + | \ / | | | C2 L2 + | CR3 \ /CR4 | C1 R2 |----| | + R1 -- | | | gnd C3 | + | | | ----| |-----| + | gnd | | | + | | |-----|----Base collector + | | R3 \ / +B-----------------------| | \/\ <- Q1 + gnd \/ + | + | + emitter(gnd) + + +One odd thing about this that we haven't encountered yet, is +that it is put on only one wire (either red or green) so go to +the box, remove the red wire that was ALREADY on screw #1 and +attack it to wire 'A' of the then attach wire 'B' to the screw +itself. you can adjust the frequency which it comes out on (the +FM channel by either tightening, or widening the coils of L2. It +takes a few minutes to get to work right, but it is also very +versatile. You can change the frequency at will, and you can +easily record off your radio. HELPFUL HINTS +First of all, With method one, the beige box, you may notice that +you can also dial out on the phone you use. I don't recommend +that you do this. If you decide to anyway, and do something +conspicuous like set up a 30 person conference for three hours, +then I suggest that you make sure the people are either out of +town or dead. In general when you tap a line, you must be +careful. I test everything I make on my line first, then install +it late at night. I would not recommend that you leave a recorder +on all day. Put it on when you want it going, and take it off +when your done. As far as recording goes, I think that if there +is a recorder on the line it sends a sporadic beep back to the +phone co. I know that if you don't record directly off the line +(i.e off your radio) then even the most sophisticated equipment +can't tell that your recording. Also, make sure that when you +install something the people are NOT on the line. Installation +tends to make lots of scratchy sounds, clicks and static. It is +generally a good thing to avoid. It doesn't take too much +intelligence to just make a call to the house before you go to +install the thing. If it's busy then wait a while. (This of +course does not apply if you are making a "midnight run"). All +in all, if you use common sense, and are *VERY* Careful, chances +are you won't get caught. Never think that you're unstoppable, +and don't broadcast what your doing. Keep it to yourself, and you +can have a great time. Lunch Box +The Lunch Box is a VERY simple transmitter which can be handy for +all sorts of things. It is quite small and can easily be put in a +number of places. I have successfully used it for tapping phones, +getting inside info, blackmail and other such things. The +possibilities are endless. I will also include the plans for an +equally small receiver for your newly made toy. Use it for just +about anything. You can also make the transmitter and receiver +together in one box and use it as a walkie talkie. + +Materials you will need +======================= + +1 9 volt battery with battery clip +1 25-mfd, 15 volt electrolytic capacitor +2 0.0047 mfd capacitors +1 0.022 mfd capacitor +1 51 pf capacitor +1 365 pf variable capacito +1 Transistor antenna coil +1 2N366 transistor +1 2N464 transistor +1 100k resistor +1 5.6k resistor +1 10k resistor +1 2meg potentiometer with SPST switch +Some good wire, solder, soldering iron, +board to put it on, box (optional) Schematic for The Lunch Box + +This may get a tad confusing but just +print it out and pay attention.] + + [!] + ! + 51 pf + ! BASE + ---+---- ------------COLLECTOR + ! )( 2N366 ++----+------/\/\/----GND + 365 pf () emitter ! + ! )( ! ! + +-------- ---+---- ! ! + ! ! ! ! ! + GND / .022mfd ! ! + 10k\ ! ! ! + / GND ++------------------------emitter + ! ! ! + 2N464 + / .0047 ! +base collector + 2meg \----+ ! ! ++--------+ ! + / ! GND ! ! + ! + GND ! ! + ! + +-------------+.0047+--------------------+ ! + ! + ! ++--25mfd-----+ + -----------------------------------------+ ! + ! + microphone ++--/\/\/-----+ + ---------------------------------------------+ + 100k ! + + ! + +GND---->/<---------------------!+!+!+---------------+ + switch Battery + from 2meg pot. + + +Notes about the schematic + +1. GND means ground +2. The GND near the switch and the GND by the 2meg potentiometer +should be connected +3. Where you see: )( + () + )( it is the transistor antenna coil with 15 +turns of regular hook-up wire around it. +4. The middle of the loop on the left side (the left of "()") +you should run a wire down to the "+" which has nothing attached +to it. There is a .0047 capacitor on the correct piece of wire. +5. For the microphone use a magnetic earphone (1k to 2k). +6. Where you see "[!]" is the antenna. Use about 8 feet of wire +to broadcast approx 300ft. Part 15 of the FCC rules and +regulation says you can't broadcast over 300 feet without a +license. (Hahaha). Use more wire for an antenna for longer +distances. (Attach it to the black wire on the phone line for +about a 250 foot antenna!) + +Operation of the Lunch Box + +This transmitter will send the signals over the AM radio band. +You use the variable capacitor to adjust what freq. you want to +use. Find a good unused freq. down at the lower end of the scale +and you're set. Use the 2 meg pot. to adjust gain. Just screw +with it until you get what sounds good. The switch on the 2meg +is for turning the Lunch Box on and off. When everything is +adjusted, turn on an AM radio adjust it to where you think the +signal is. Have a friend say something thru the Box and tune in +to it. That's all there is to it. The plans for a simple +receiver are shown below: +9 volt battery with battery clip +365 pf variable capacitor +51 pf capacitor +1N38B diode +Transistor antenna coil +2N366 transistor +SPST toggle switch +1k to 2k magnetic earphone + +Schematic for receiver + + [!] + ! + 51 pf + ! + +----+----+ + ! ! + ) 365 pf + (----+ ! + ) ! ! + +---------+---GND + ! + +---*>!----base collector----- +[ diode 2N366 earphone + emitter +----- + ! ! + GND ! + - + + + - battery + + + GND------>/<------------+ + switch + + + Closing statement +This two devices can be built for under total of $10.00. Not too +bad. Using these devices in illegal ways is your option. If you +get caught, I accept NO responsibility for your actions. This can +be a lot of fun if used correctly. Hook it up to the green wire +(I think) on the phone line and it will send the conversation +over the air waves. +-- +Daniel N2SXX + dmd@panix.com diff --git a/textfiles.com/phreak/PHREAKING/part1_tx.txt b/textfiles.com/phreak/PHREAKING/part1_tx.txt new file mode 100644 index 00000000..605e1270 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/part1_tx.txt @@ -0,0 +1,745 @@ + + +*************************************************************** +* * +* * +* Phreaks * +* * +* Long Distance Phone Thieves * +* * +* OR * +* * +* The Phreaker's Handbook * +* * +*************************************************************** + MCI + +MCI is the Queen Mother of the long distance companys. There are +only a handful of companys that are "networked". This means +they've built their system to a point where travelers (or phreaks +can call into a local phone number and be in the "network" even +if they're three thousand miles from home. The exception is when +you're in an area that isn't serviced. Most LD services utilize +800 numbers so that you can connect even if you're out in the +boonies. + +Here we have two different code formats, one for the so called +"executive" user, primarily business , the other for the average +person. Executive class entails using the 950-1022 dialup. To +make a call you need to enter no less than thirty two digits. You +dial zero plus the area code and phone number that you want, then +the area code and phone number with a four digit "security code" +at the end. It'll look like this, 9501022 (the dialup) +02125551212 (zero plus the area code and phone number ) then +7045551212xxxx (your area code,phone number and security code). + +Many years ago I saw a piece of graffiti on the bathroom wall of +the Cotton Bowl. It went like this, "I've shit in England - I've +shit in France - But before I shit here again - I'll shit in my +pants." I feel the same way about this format. As a businessman, +I wouldn't waste my time trying to dial all this garbage. A real +pain in the ass. Hackers, don't find the format that tough. With +the exception of the user's telephone number and code the rest +are known quantities. You're left with fourteen numbers to hack +out. This can be reduced even further. MCI's 950 codes are good +anywhere in the country. Experienced phreaks pick an area that is +known to have an extremely high population density. New York City +is a case in points, area code 212. The number of digits has just +been reduced to eleven. The phreak will choose a prefix that is +occupied predominantly by business and cut the number down to +eight digits, which is one less than Sprint's code. I've seen +425,943,344,964,269,422,820,227,635,747,486,668,686,233,248,532, +732,306,938,255,925,678,and 564 posted on hacker boards. It seems +that Wall Street is a juicy target. The interesting thing about +hacking MCI's 950 numbers is that the phreak also gets the number +ÜjÜŒof the person who's going to be getting the bill. It's not +unusual for the hacker to call the victim on some pretense just +to find out who it is. If it's a large company who might not +notice a few additional phone calls, he'll use the code sparingly +so as not to attract attention. The end result will be years of +free long distance. + +MCI's second format is pretty standard. A local dialup and a five +digit code followed by the area code and number you wish to speak +with. They've recently instituted a new "security measure". One +phreak hacked out eight codes in about an hour. He let them sit a +day before he got around to using one of them, some phreaks let +them sit as long as a month. In that twenty four hour period all +but one of them went bad. It isn't unusual to see codes go bad. A +few of them fall by the wayside due to natural attrition, people +not paying their bills or cancelling service. To see seven fall +with one blow is mathematically improbable. It means they've +been reprogramming the computers to scan the dialups and check +for activity. If a node has an activity average of fifty calls +an hour and the hacker pumps the actual amount over that +average, it'll trigger a feature in the programming that'll +generate an activity report for a system operator to read. +Furthermore, the computer will list all the phone numbers called +and the codes that connected them to the system. If the phone +numbers are identical it can safely be assumed they're being +telephucked. The report will also show a time lag of about +fifteen seconds between calls. Isn't technology wonderful? + +The hacker's solution to their solution is obvious. Don't keep +dialing the same phone number over and over. The first generation +of hacker programs did (and still do) use a one number +destination. Consequently, they've set a pattern that, after +four or five years, the phone companies have finally noticed. It +takes about twenty minutes of reprogramming to beat it. Hacks +have now started using large files dialups similar to the one in +the appendix. It's not too difficult to blitz the call counter +feature either. MCI doesn't publish their dialup numbers except +to their customers and then they only give them one at a time. +Their ratio seems to be figured at around one dialup for two +hundred thousand of population. To find other dialups all one +needs to do is scan the prefix surrounding a known node. Hacks +are now rewriting their software to spread their hacks out over a +wider area. Fifty to one hundred hacks on one node and then they +move to another. The five digit code hacked on a local dialup is +good only on that node. A New York code won't be good in +Cleveland. It took MCI several years and a ton of money in losses +and programming time to come up with this little security wonder. +It'll take a fifteen year old phreak twenty minutes of +reprogramming at a cost of zero bucks to bust it. Kinda makes you +wonder doesn't it? + +What of the one code that was still good? The hacker didn't touch +it. He realized the system had detected him. It wouldn't be hard +recognize his pattern of calling. He knew the good code might be ÜjÜŒ"trapped". Any activity on it would have been traced (illegally). +If he stayed on the code long enough for the security department +to process the necessary paperwork he would undoubtedly be +busted. He decided that it was wiser to protect himself and those +that he called by not using it. He noted the number just in case +he should hack it out again at a later date. + +Some psychologists say that names can affect the development of a +child. I knew two kids when I was in school who's names are +etched in my memory forever, Jock Strap and Harry Balls. Their +parents should have been shot. The president of MCI is Orville +Wright. Orville has his work cut out for him. + GTE SPRINT + + +Sprint is owned by General Telephone. If you've ever lived in a +GTE area you can attest to the absolute crapola you've received +as service. Sprint has advertised good connections and rightly +so. Their international access is equal to AT&T. Like MCI and all +the other LD services, they don't go everywhere. They've +concentrated building their network in the metropolitan areas +where the money is so you country bumpkins are going to have to +wait a little longer. + +I recently spoke with Sprint's security department. They have a +service oriented philosophy. They don't want any restrictions on +data line users. A study indicated a respectable percentage of +Sprint customers were computer operators. Sprint maintains a +considerable number of dialup ports. I estimate the ratio is one +port for each forty thousand of population. As of this writing, +Sprint has not completed it's national 950-0777 setup. +Consequently, she still has a large number of local dialups in +the system. Scanning to either side of a local non 950 dialup +will yield a wealth of unpublished nodes. + +Sprint's code format runs 9 digits in length and also uses +prefix qualifiers . In this case a three digit coding identifies +the physical area of the country the code has been assigned to. +The next 4 digits are presumably it's record place within their +computer system. Therefore, xxxXXXXxx would translate to a three +digit prefix, followed by a four digit record number, with the +remaining two digits being what used to be a travel code. +Hackers report success rates of one per 300 hacks using the +random number approach, a bit on the shabby side. Success ratios +on MCI are around seven percent, or seven per hundred +hacks,actually pretty good. On Metro three to four percent is +about right. Essentially, Sprint is spreading their valid +accounts out over a wider area, keeping the density low, thus +making them harder to find. The hacker can increase his return +ratios by using the prefix and suffix technique. His first time +on the system he'll use a random hack, searching for a nine digit +code. Then use the first three digits of the code as a prefix, +and the last to digits as a suffix. All he needs then to hack is +the four digits in between. The return rate is currently one per ÜjÜŒtwo hundred hacks using this approach, a 33% increase in +efficiency. + +Sprint has achieved a reputation for vigorously prosecuting +phreaks. Yet, they are as limited as all the other companies. +They rely mainly on fear. Occasionally, they'll snare some kid +who overstayed his welcome. They make a big deal giving the +impression they're busting thousands a day. This just isn't so. +Phreaks only get caught when they get stupid or lazy. You can't +blame Sprint for capitalizing on some phreak's lack of brains. +Conversely, you can't blame the phreak for cashing in on Sprint's +lack of smarts. + +As an update, Sprints 950 dialups require 9 digits. Local nodes +used to come in at 7 and 8 digits. As the local dialups disappear +the 9 will become the norm. Sprint still has no specialized +security systems. The rumors of profound phreak snaring abilities +are basically untrue. + +They win a few and lose a few, although it appears they lose more +than they win. + + Allnet Communications + +Allnet is a run of the mill telecom company. They utilize the +standard 6 digit format and can be found at 950-1044. They appear +to have developed or purchased software for analyzing their data +much the same way Mci has. Furthermore, they seem to have +established a customer profile with which to compare current +hacking activities against the record of past calling habits. +A hacked code will remain valid for three days. It seems to take +that long to run the programming. + +Additionally, a code that connects for only a few seconds will be +invalidated within 24 hours. The obvious solution is stay +connected for several minutes. It works. On the user profile +strategy, there is no means of defeating it except to rape the +hell out of the code from the minute one lays hands on it. Those +that adhere to the I C's Rules of Phreaking wouldn't care since +they don't stay on a code more than three days any way. +Itt is Internation Telephone and Telegraph and operates out of +Seacacus New Jersy. They've been the the telcomunications +business for many years and have specialized in telix type +services. + +Itt's connections aren't particularly terrific for data +transmissions. Phreaks have complained of excessive line loss +over relatively short distances. The company's strong point is +and will continue to be their telix activities. + +The code format for this service is different. In an obvious +attempt to deter phreaking, they've departed from the usual node, +ÜjÜŒcode, number arrangement. Instead they utilize a reverse +arrangement, node, area code and number, then the code. From a +practical point of view there is little difference. From an +operational viewpoint the phreak must chain together his dialing +sting instead of using just one. I others words, instead of +punching one macro to output his call, two are required. +The coding uses a prefix and suffix as area qualifiers. The first +two digits of the code refer to the area of the country the code +has been assigned. Consequently, most phreaks prefer to use the +prefix in their hack attempts. The object is, of course, to +improve effieciency. + +Itt has no special security considerations as far as traces and +traps go. They have instead emphasized getting the phreak +disconnected as quickly as possible. Most Itt's will go bad in +three days (See Chapter on Updates). Hense it is impossible for a +phreak to be on the system long enough to require concern about +traps and traces. + +Itt is expanding it's overseas network and is offering services +to Singapore as well as the regular European countries. + + + ITT LOCAL DIALUPS + + +201-463-0900 305-545-8895 513-228-6506 717-234-0718 +201-589-6343 305-764-4522 513-651-1823 717-299-4796 +202-565-4110 312-364-6020 515-284-5040 717-347-9135 +203-324-1172 312-922-1013 518-462-2068 717-825-2761 +203-333-2722 313-662-2041 602-257-8200 803-233-1351 +203-527-7389 313-964-2843 608-258-8900 803-256-3060 +203-787-0170 314-656-0800 609-338-0340 803-573-7639 +203-794-1085 315-471-2900 609-989-1631 803-577-6728 +203-866-8411 316-267-1088 612-375-0690 804-355-1433 +209-445-9300 317-637-5223 614-224-0024 804-380-9038 +212-248-0151 401-273-8263 615-327-2511 804-627-3596 +214-651-0609 404-525-0714 615-521-7600 805-395-0123 +215-376-4864 405-525-7731 615-697-7000 813-223-5380 +215-433-2166 408-280-1301 616-458-2472 817-338-4749 +215-563-3256 412-261-4930 617-357-5562 904-358-8522 +216-375-9040 414-933-5680 702-323-7191 913-371-1300 +216-621-0490 415-495-2816 704-375-4311 916-448-6606 +219-237-1700 415-858-2750 713-862-5067 918-585-5001 +302-654-2809 502-589-9360 714-973-8032 919-378-9489 +303-861-4411 504-566-8300 716-325-1180 919-725-3532 +305-425-7791 512-474-4397 716-845-5150 919-832-9438 + +Ü`Ü + Listing of Cities Serviced by ITT + + + + Allentown Anaheim Annapolis + Athens Atlanta Baltimore + Boston Brooklyn Cambridge + Camden Charlotte Chicago + Compton Dallas El Monte + Elk Grove Fort Worth Fort Lauderdale + Gainesville Galveston Garden City + Gardena Gary Glendale + Greensboro Greensville Hackensack + Houston Inglewood Jacksonville + Joliet Kankakee La Plata + Long Beach Los Angeles Lynchburg + Miami Morristown New Brunswick + New York Newark Newport News + Norfolk Norristown Northbrook + Oak Brook Oakland Orlando + Palo Alto Philadelphia Reading + Richmond Rochester Rome + Rosenberg Sacramento San Jose + Santa Monica Santa Ana Scranton + Sherman Oaks Spartanburg St. Petersburg + Tampa Thousand Oaks Trenton + Van Nuys Washington West Palm Beach + White Plains Wilkes-Barre Wilmington + Winston-Salem + + Western Union Metrophone + +Metro was everyone's whore. Metro never said no. Any too bit +phreak could bang a metro code. The system was of interest to +business primarily due to there method of billing breakdowns. +Metro has been raped to the tune of tens of millions in phreak +related losses. + +Metro is currently, for phreaking purposes, offline. It's unknown +whether she has changed her code format or has simply closed +shop. Her previous code format was a standard 6 digit affair. The +equipment used was old and had very poor line quality. This was +apparent in 1200 baud data communications but would not +necessarily have been noticed on voice transmissions. The listing +for her networked dialups is included below. + +201-427-1100 +201-487-3155 +201-531-7900 +201-643-2227 +201-825-8852 +201-828-8660 +202-737-2051 ÜjÜŒ +203-222-1148 +203-323-1468 +203-522-0003 +203-748-0770 +206-382-0910 +212-732-7430 +212-950-0220 +213-202-6117 +213-404-4100 +213-618-0231 +213-624-8884 +213-629-1026 +214-595-4282 +214-742-4500 +215-351-0100 +215-770-8940 +216-374-1001 +216-861-5163 +219-237-4805 +219-420-0011 +219-882-8901 +301-659-7700 +302-429-9439 +303-623-5356 +305-326-3300 +305-462-3530 +312-356-4480 +312-396-2550 +312-450-5875 +312-480-8901 +312-496-2431 +312-578-3900 +312-679-8120 +312-844-6981 +312-853-4700 +312-888-5580 +312-891-8083 +312-981-8870 +312-986-0566 +313-963-4847 +313-996-8900 +314-342-1130 +315-474-3911 +317-635-6284 +401-272-0356 +402-422-1120 +404-223-1000 +405-232-9011 +408-947-7606 +409-833-9331 +412-261-5720 +414-277-1805 +414-633-3636 ÜjÜŒ415-499-8086 + +415-579-6001 +415-676-1062 +415-724-3170 +415-794-4800 +415-833-9200 +415-836-6900 +415-852-0900 +415-956-0162 +419-243-1046 +502-561-0900 +504-566-8500 +512-224-9600 +512-474-6057 +513-228-1576 +513-241-1747 +516-933-9700 +516-950-0220 +518-436-6200 +602-254-2930 +602-323-0502 +606-231-8961 +608-251-9596 +609-338-0100 +609-641-0004 +609-989-1900 +612-370-9000 +614-224-0577 +616-242-9580 +617-950-1020 +618-235-8870 +619-233-0327 +702-329-1025 +707-584-4931 +713-224-9417 +714-527-7055 +714-591-9351 +714-594-9311 +714-877-6641 +714-972-9515 +716-852-9200 +716-950-1020 +717-238-4731 +717-348-4300 +717-846-6304 +718-950-0220 +804-225-1920 +804-623-9004 +805-968-0700 +806-379-8271 +806-762-0004 +815-966-2401 +816-471-1999 ÜjÜŒ817-322-1422 + +817-338-1639 +817-565-9202 +817-757-2002 +818-350-1028 +818-954-8699 +818-992-8282 +913-621-3186 +914-684-0268 +915-532-0025 +915-561-5481 +915-658-2943 +915-676-0078 +916-443-6921 +918-587-6770 + Thrifty Telephone Exchange + + +TTE is an example of a mom and pop telephone company. It services +a very small area and utilizes 800 as its sole source of out of +the area access for its customers. The 800's are also more +expensive for the customer. + +TTE offers two dialups in the 818 area, 902-0950 and 908-0951. +These are located in Van Nuys, California, a part of the City of +Los Angeles. She utilizes the standard 6 digit format. + +TTE is a good example of a company hackers just won't mess with. +Not because of any great security measure or because of some +ultra sophisticated phreak catching ability, but simply for the +reason they don't have enough customers (valid codes) to make the +effort worthwhile. TTE has a rough road to hoe. It seems too +small to be of interest for a larger company to gobble up and is +unable to compete on the grander scales of Mci or Sprint. She's +bound to belly up sooner or later. This situation is not unique +in the industry. + + + Access Communications + + +Access is a company in the genre of TTE with the major exception +it appears to have the benefit of more capitalization. There +operate out of the 801 area and offer a local dialup at 801-359- +3900 as well as national access at 800-548-0003. The code length +is identical to ITT, 7 digits. The prefix may safely assume the +use of prefix qualifiers. + +Access' format is standard with one minor exception. Node + code ++ 1 + area code and destination number. Like ITT's reverse +format, the minor deviation from the norm is bound to save the +telco money. The problem all these companies have is they must +make the format easy enough for an idiot to operate and the MUST ÜjÜŒmake the dialups and formats public knowledge. In doing both they +make their systems vulnerable. + + + U.S. Telecom + + U.S. Telecom was known as the "Metro" of the 950's. Codes were +easily hacked and density varyed in direct proportion to the +population of the area serviced. The Director of "Code Abuse" is +a fellow named "Frank Porko". It seems one of the prerequisites +of being in telecommunications is you have an odd name. Frank +was recently promoted to this exaulted position. U.S. Tel isn't +making money, so the company has been swallowed up by a bigger +fish, Sprint. Frank didn't strike me as overly bright on the +subject of phreaking. The company has tried the "Carrier Blast" +only to find it worked for a couple of days and the phreaks by +passed it. It can still be found at the end of the dialing +sequence for their 950. Their latest security gizzy is to limit a +caller to four tries before it routes him to a dummy line. Sound +familiar? Sprint does it with two tries and it doesn't work for +them either. Ironically, phreaks in the military are hurting +USTel much worse than the civilian poplulation. It appears +government computers are being put to uses other than those +intended. U.S. Tel's 950-1033 dialup is already famous among +phreaks. They've placed qualifiers on the codes, even so the +return rate runs around five per hundred hacks. Five percent - +not bad. The node uses the standard six digit format. I spoke +with one of their chief programmers who was trying to hack out +codes. He complained the only code he could find was his own. +This explains why the company's response time is so pathetic. +Phreaks and computer engineers thinking at different levels. This +supports the old saying of "Set a Theif to Catch a Thief". + +U.S. Tel sports two 800 numbers, 800-345-0008 and 800-245-0033. +These babies are infamous. The 345 number used to have codes +packed like sardines, every tenth (fifteenth at the most) number +was a good code. How could you lose? After several years of +getting their asses kicked they finally changed the format and +wised up a bit and went to a 14 digit code, ie. AT&T format. The +format is constructed of two sets of three digits followed by two +sets of four digits, XXX-XXX-XXXX-XXXX. We can assume the first +sets of three are area qualifiers, actually area codes. USTel +doesn't use the actual area code as do AT&T and MCI. Area codes +818 and 714 return as 527 and 662 respectively. Additionally, the +three digit prefix and suffix are also bastardized. Hackers have +deduced this is the product of a mathematical formula indexed +from the users area code and phone number. The four digit +"security code" is obtained by the same formula. A group of +hackers who call themselves the IC (Inner Core) are working on +cracking this coding. There are fifty of them. This translates to +fifty intellegent people, fifty computers all dedicated to +breaking the MCI/Ustel code. It would seem it is only a matter +of time before they succeed. It's their belief they will also +reap the AT&T formula in the bargain. This stems primarily from ÜjÜŒthe fact MCI "borrowed" AT&T's format. +ÜÜ +Hackers love a challenge and will rise to one almost at the +dropping of a pin. Code cracking is what they love best. I have +no doubt that the IC will succeed. + + + Update + +The 14 digit format is being used for new accounts. Older +customers still have their 6 digit codes. US Tel has never had +terrific connections and under Sprint this has not improved. +Two digit prefix qualifers are used. The calling areas are very +small. Sprint is still the best bet for away from home phreaking. + + + + SBS SKYLINE + + +Each long distance company tries to promote itself in different +ways. Skyline's approach is two fold, first price (so what's +new), and secondly the fact they use satellites to get their +calls to their destinations. This isn't terribly impressive. +Never the less, they obviously feel enough people will be +impressed it's worth mentioning. Point in fact, most of the LD's +use satellites. It would be impractical, not to mention +expensive, to use AT&T's network for 100% of their traffic. +Skyline has a well established dialup at 950-1088. Her format is +the standard 6 digits. Hacks report it is a fairly easy system. + +It appears she has divided the country in areas which are rather +large geographically. A code that originates in one area will be +workable two to three hundred miles from its point of origin. The +six digit code will also work on her 800-446-4462 dialup. There +are reports she also uses a seven digit format collateral to the +six. + +Skyline has a reputation for vigorously calling the destination +numbers after more than ten calls have been placed. This is the +most they can realistically do. One must assume they will score +a certain percentage of people who are willing to give them +information about the origin of the calls. Yet, as far as +experienced hacks and phreaks go, you can be equally sure the +trail will stop there and the possibility of back tracking is +nil, if not impossible. This problem is not unique to Skyline. + +She appears to be your run of the mill long distance carrier +without much to make it especially noteworthy. Like all other +services, she isn't making money and is playing the merger game. +I predict by 1988 you will have three majors in the business, +AT&T, MCI, and Sprint. The rest are fish bait waiting to be +gobbled up by the larger fish. See Updates for further +information. ÜjÜŒ + + + Alliance Teleconferencing + +Alliance is a service of At&t. It provides people, usually +business with what is essentially a party line; several people +can join in the same conversation at the same time. It's an +outstanding tool for business. The phreak approaches Alliance +essentially from the same perspective, except that phreakery is +the business. + +As a service of At&t, Alliance is approached indirectly through a +PBX or a diverter. The origination phone number of all calls +place to Alliance is supplied by the ANI - Automatic Number +Identifier. Placing the call through a PBX insures the ANI, and +the people receiving the bill, will be someone other than the +phreak. + +AT&T offers two basic conference services, Alliance 1000 and +Alliance 2000. The former is your basic voice communication and +the later has special graphic abilities. The service operates in +all fifty states, Mexico, Canada, Puerto Rico, Bermuda and the +Virgin Islands. + +To make a conference call the phreak will need to have the phone +numbers of all the parties. Since this is not always desireable, +the controller can route the call through a number of loops, thus +insuring the location of the phreak remains unknown (See Loops). +The controller will then call 0+700+456-1000 for an audio +conference. He'll then dial in the phone numbers as you would any +At&t call. When the party answers, he'll tell him to hold on +while he connects the rest of the group. He'll hit the # button +to continue adding people or the * to cancel his input. He can +resume adding callers at any time by hitting the # button. Ending +a conference is easy, everyone hangs up. + +A national conference was held after the 415 bust to discuss +added security measures to counteract the sting techniques used +by the Fremont Police Department. Elite phreaks from coast to +coast were dialed in. The phreaks saw the need for immediate +discussion to plan their future actions and to discuss the +details of the bust. One of the parties to the conference had +actually seen the hacker known as Trask as he was being arrested. +Trask's down fall held vital concern to many on that conference +as he held many personal phone numbers and names in his data +base. The police did not obtain that information nor did Trask +make a deal with them. Needless to say he was prosecuted. Other +hackers involved in the 415 bust did make bargains with law +enforcement which resulted in wide spread arrests. The Fremont +Sting has successfully been used in Texas and there is every +indication it will be used elsewhere. + ÜjÜŒ +Alliance provided the means for these hacks to meet and discuss +their vital concerns. Some company with a PBX was billed for the +calls. It would be accurate to say that while the 415 conference +was called under "emergency" conditions, most conferences are +little more than bullshit sessions. Some pranksters like to play +games like dialing six or seven operators and listening to the +say, "Operator", "Operator", "No I'm the operator can I help +you?". This can go on for five or six minutes before they realize +they've been cross connected. Others like to call their favorite +software company and taunt them as to how they've cracked their +latest security measures. These applications are rather juvenile. + + +At&t Security is a feared aspect of the phreak's existence. With +the exception of the PBX and the Diverter, Ma Bell holds all the +cards. Tracing is a snap. Even so, At&t doesn't appear to be a +mean mother in the tracking down of her Alliance phreaks. The +company with the PBX is going to be stuck with the bill and it +appears the phone company has little incentive to follow the +scent. + +Phreaks of fifteen to twenty years pass used to place calls and +have them billed to phone booths. ESS has made that game +obsolete. However, Ma Bell didn't sit still for the theft. They +dropped the billing on the party who received the call. If then +didn't pay, they lost their phone service. The obvious option was +to give them the name and location of the person that really was +responsible for the call. There are no reports that this +collection device is still being used. From the phreak's vantage +point, Alliance is pretty safe. + +Another old method of phreaking from payphones, and purported to +have dome from Abby Hoffman, was to place a call from a payphone +and to reverse the handset of an adjacent payphone to signal the +operator that money was being dropped. As the phreak dropped the +coins into the phone he wasn't placing the call from, the clinks +and cur-chunks would signal her the correct amount had been +deposited. This was corrected by simply making the telephone +cords shorter. + +Cur-chunks are out and tones are in. So the technique now has a +new twist called the Red Box. the box is a simple, handheld, +battery operated tone generator that duplicates the tones used to +signal the operator the money has actually been placed into the +payphone. Utilizing 1700 hz and 2200 hz (Duel Multi Frequency +Tones), the box signals that a nickel has been dropped by pulsing +the frequencies at 66ms one time. A dime is recognized by 66ms on +once, off once, and on again. This produces two "beeps". The +quarter is shown at 33 ms off and on five times. + +The newest phone technology also brinks greater phreaking +opportunities. The Cordless telephone is one example. These unitsÜjÜ + +use two frequencies, one to send and the other to receive. the +FCC restricts the number of frequencies available so that a trial +and error approach in hacking is feasible. Most people don't +realize a cordless signal can carry for miles enabling others to +hear every word of their conversations. A properly equipped +techno-phreak can zero in on the signal, locate the source, and +screw around until he find the correct "in" level. The result is +a Godzilla of a phone bill for the unsuspecting owner of the +cordless phone. Most phreaks wouldn't go to this kind of trouble. +Your technoelectrical wiz kids will. + +Ess, while being the scourge of phreakdom, has also enabled him +some benefits. The payphone games and 950 phreaking are just two +examples. ESS has, however, completely obliterated the use of the +infamous Blue Box. Phone company computers are programmed to be +sensitive to the 2600 hz tone needed to seize a trunk line. And +818 system operator (an adult) boxed one call on ESS. He was +detected and traced but not arrested. The second time he box, he +had a knock on the door and was arrested by the local police who +had been accompanied by telco security. It's estimated by the mid +1990's the entire country will be on ESS. Today, only the major +metropolitan areas utilize the service. Crossbar is still the +norm for the boonies. + +Ess is a technological marvel, a logical step in the ever +evolving future of the phone industry. Yet, it has some very +scary aspects. The ability for abuse is tremendous. In the movies +you see the cop saying "We didn't have enough time for the +trace." Not any longer. Traces, wire taps and much more can be +programmed to be automatic. An operator at a console can push a +few buttons and Zap, no civil rights. I knew a woman who's +brother was a highly placed official in Pac Tel. Her boyfriend +had broken up with her and she was livid. The boyfriend's +communications were traced and tapped as a "courtesy" by the +brother. There is a history of past abuse which spawned the few +laws designed to protect the consumer. However, just as there are +laws against wire fraud, there are plenty of phreaks breaking +those laws. The phreak can hide behind the technology of the +computer and use it to break the law. So can your phone company. +Murphy's law is applicable here, if it can happen it will. + +Government has a philosophy of regulating and controlling the +hell out of small and medium sized business. Large politically +powerful corporations are afforded the convenience of policing +themselves. A classic case of the fox watching the hen house. If +the public were even remotely aware of the capabilities of ESS +the uproar would shatter Washington. Phone services have been +taken for granted. The combination of ESS and the Data Services +who sell their information over the network makes it impossible +for anyone to have true privacy. TRW is a prime target of the +hacking community. Hacks abuse that data service and others for +their own informational needs. It logically follows that any ÜjÜŒ +agency with the inclination could use those services to create +non existent people or to kill the electronic lives of real ones. +The computer gives spying an entirely new dimension. Believe it, +Big Brother really is Watching! + with the bill and it +appears the phone company has little incentive to follow the +scent. + + diff --git a/textfiles.com/phreak/PHREAKING/part2_tx.txt b/textfiles.com/phreak/PHREAKING/part2_tx.txt new file mode 100644 index 00000000..7d14815d --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/part2_tx.txt @@ -0,0 +1,1621 @@ + + + THE IC'S RULES OF PHREAKING + + + These are the standards of hacking employed by the Inner Core. + The text comes from a data file written by and for IC members. + + HACK YOUR OWN CODES. + +Don't leech from someone else. Having codes is like having sex, +if you don't protect yourself you'll end up with a venereal +disease. You have no idea where a code has been before you got +your hands on it, when it was hacked or how long it's been in +circulation. Time is a very important factor, the longer a code +has been in use, the greater the risk. + + DON'T STAY ON A CODE MORE THAN THREE DAYS. + + Don't give the suckers an even break. To run a trace, MCI needs +to shuffle a lot of papers. Ain't that nice. Paper work takes +time, and it's highly unlikely they could accomplish the feat in +three days. It's even more unlikely they would even know +they've been phreaked for at least a week. All company's have +thirty day billing cycles, if you started using the code the day +after the bills went out, you'd have twenty nine days left to +play with it. The customer gets his billing and bitches up a + storm. The company now has the option of setting up a trap, but + alas, they notice you haven't used the code in three weeks and + have no destination number to PIN. If you phreaked the code one + day before the billing cycle ends, the customer may notice + right away. Figure you have two days for it to reach the + customer. If he yells right away it takes a few more days for + the security department to process the paperwork for the trace. + By that time you're long gone. + + DON'T STAY ON A NODE MORE THAN THREE DAYS. + + If you insist on burning the same company, you're going to + develop a pattern. You call your girl friend in Alaska every + damned day using the same company. It doesn't take a genius to + predict what you're going to do tomorrow. They know where you + enter their system and where you're going to. You've given them + everything they need to run a good trace. Spread the wealth a + little. Use US Telecom, then ITT, Lexitel, Skyline, Metro and a + few of the 800's if you like. Spread it out. These people have + no way of comparing. So you can screw Peter, Paul and the rest + of the Apostles with no worry. Just don't be a dip stick and get + lazy. + + Everyone is worried about THE TRACE. Don't be. It's no big deal + for AT&T, after all it is their network, but for the leech + services it's an entirely different matter. This is why we don't + mess around with AT&T except through secondary accesses like + PBX's or Diverters. This is the scenario MCI's security + department will run down. They call up a number you've + called....... + +"Hello, this is Inspector Bullshit with MCI. Did you receive a + phone call from the 212 area code on November 22, 1945 at 4:00 + A. M.? " + +"You didn't?" + +"We've traced fourteen calls to this number in the last + two weeks, by the way, who am I speaking with?" + +"Well Mrs. Blabbermouth, perhaps someone else in your household + received the calls? " + +"I see, your daughter has a boyfriend in New York. + +"I'm afraid he's in some serious trouble Mrs. B. If + you'll cooperate with me we won't pursue this matter with your + daughter." + +"That's correct, little Susie Blabbermouth won't be involved. It + would be a shame to cause you folks trouble, after all she + didn't actually make the calls."" + + All I need is the boy's name and phone number." + +"Let me see if I have that right."Jimmy Phreaker at + 212-555-1212?" + +"Thank you Mrs. B you've been very helpful." + + The point is, if Bullshit had really run traces he wouldn't be + calling to con the information. The exchange is typical of those + used by most phone companys and illustrate several important + issues. + + Make sure the person you're calling is cool and there's no + chance someone else could rat on you. It is very unlikely MCI + will make such a call if you use the IC's Rules of Phreaking. + Yet, if it were to occur these are your friend's options... + + 1. HANGUP + 2. "FUCK YOU"...THEN HANG UP + 3. "I WAS WATCHING MIAMI VICE AND YOU INTERRUPT ME WITH + THIS CRAP. FUCK YOU"....HANG UP. + 4. If you want to be nice about it; "I don't know what you're + talking about.....HANG UP. + + The problem is now resolved. Remember these guys are like + rabid dogs in heat, they're excellent con artists. Believe + nothing you hear. You don't have to talk to them. If they had + anything on you they'd be standing at your door with a search + warrant. Their abilities in this area are very restricted. They + operate by manipulating your fear and you have nothing to fear + but your own fear. Don't try to come up with some lame + explanation, you know you received the call and they know it. So + don't make an ass out of yourself trying to explain away the + obvious - HANG UP! + + What happens if your are caught? + + Congratulate yourself on being an asshole. The number of phreaks + caught are so small you have now qualified for membership in a + really elite group of jerks. + + Inspector Bullshit now has several options. + + Grab your computer......... this will be done no matter what. + + Grab your data files and any hard copy you have laying around. + This to help identify other subversives and also to supply + incriminating information about you. + + Try to scare you into a confession. Standard operating procedure + - keep your fucking mouth shut. You have nothing to gain by + talking and a much to lose. + + If you're a minor you can forget about jail time, an adult + is looking at a couple of weeks in the slam - may-be. + + Realize this, they don't really want your ass as much as they + want THE MONEY. That's right boys and girls the buck talks loud + and clear. + + If you're caught, you've broken every one of the IC's + rules. At worst you're looking at a couple of thousand in phone + bills. Get a lawyer to do your talking for you, that'll be about + a five hundred dollar retainer. If the company is willing to + settle for the money, and your computer, pay it - it's cheaper + in the long run. If they want you in the calaboose then fight + it. As a first time offender the odds of you actually getting + time are slim. Incidentally, Inspector Bullshit will drop a + little extra on the bill for good measure. Have the attorney + demand they produce their records of all "alleged phone + conversations". + + In fighting a phreaking case you'll want to have a jury trial. + The technology behind the running of a trace is so + complicated even a halfassed lawyer could confuse the + average layman. He can make Inspector Bullshit describe + switching down to atomic subparticles if he wants and by the + time he gets to how a trace works the jury would be so confused + you'd skate on a "reasonable doubt". It would be + interesting to see if a sharp shark could subpoena the actual + equipment used to run the trace. I don't think MCI would + care to have one of their computers offline for the time it + would take to have "independent" examiners checking out the + functionality of the switching mechanisms. + + To phreak or not to phreak. It's a question only you can answer + for yourself. + + +The following are electronic BBS conversations at a Hacker +Bulletin Board. They have been left intact (misspellings too)with +the exception of codes and phone numbers which could conceiveably +get my ass in hot water. + +The Hacker network of communication is loosely knit but extremely +effective in getting information circulated quickly. + +Lady G (Lady Godiva) is the only female I've ever seen on a hack +board. Amazingly she conned her way inside, yet turned out not to +be a threat to hackers even though she is employed by government. + +Numb. --> 72 +Title --> JUST A LITTLE CODE +From --> BIG BYTE +Left --> 19-Apr-86 2:30 am + +While not to much to say just heres a sprint +(Code Deleted) + +Also Bill the Cat do you know some people down in Florida like +Blackbeard or been on some off my Conferences?? Let me know. + + +.s +opps +/s +shit + + +B17> + +--> Next bulletin + +Numb. --> 73 +Title --> Fed trap +From --> BIG BYTE +Left --> 19-Apr-86 3:05 am + +Where i live here in Green Bay Wi, they are busting our town for +illegal use of the phone. The number they are getting kids +(leeches on) is 1-800-437-7010 it is GCI of Ancrage <-spelled +wrong Alaska and so far they have busted 400 people from one +school and have questioned 1500 its like a bad dream oh +who cares not me. Just be careful and dont use it unless you fell +lucky. All the codes used are in the 467xxxxx area so may be +other areas are safe. + later + bb + + +B17> + +--> Next bulletin + +Numb. --> 74 +Title --> Bobo.. +From --> THE ARABIAN KNIGHT +Left --> 19-Apr-86 11:10 am + +Bobo, + + Leave me mail. Id like to get a +sprint Code(New). I got a new Pbx, +maybe old. but it works fine.. + + Ak + +Bobo- Why are you so worried About +Lady G? Does she know alot about you +or something? + + + +B17> + +--> Next bulletin + +Numb. --> 75 +Title --> [ Lady G. ] ? +From --> THE D MEN TOR +Left --> 19-Apr-86 1:23 pm + +I can run CNA's in 415, Give me e-mail and I'll find out whatever +you want to find out about her BOBO. Have you spoken with her? +How do you really know this person is over 30 etc...... + +later, +The D men tor...Confused. + + +B17>W + +Enter the name of the person you wish +to send mail to: +>THE D MEN TOR + +What is the subject of this letter? +>Lady G + +Mail: +You may enter up to 100 lines of text. +Press CTRL-A or CTRL-Q when done. + +D men + +The numbers for Lady G are 415-(Deleted) and +415-(Deleted). + +She is over 30 because +1. She's uses expressions that are 15 years out of date. +2. I recoginize this becuase I too am 15 years out of date. + +I don't like people getting busted. She pirates +but that's about it. I wonder why she's on so many hack boards. +Motor City went down right about the time she logged on. +I might be totally wrong, BUT, I want to check it out just to be +safe. +You can call me Mr. Paranoia. She rattles my cage and +it makes me nervous. + +Let me know what pops. + +Bobo + + +E>S + +Filing mail for THE D MEN TOR... + +B17> + +B17>7 + +--> Telecommunications Today (7)... +--> 60 bulletins posted; some new! + +B7>N + +Numb. --> 59 +Title --> Police Sting +From --> CHARLIE SMITH +Left --> 19-Apr-86 6:29 am + + +Here is an interesting story: + +AUSTIN,TX--Law enforcement officials here have joined a growing +number of police agencies nationwide running "sting" operations +to catch persons using bulletin boards for illegal purposes. + +Based on information posted on a bulletin board it operated, The +Austin Police Department said it has been able to turn off two +pirate boards here and expects shortly to make a number of +arrests for misdemeanor violations of Texas' newly enacted +computer crime law. + +For more than two years, the police department secretly ran a +board called the Underground Tunnel, which was set up to appear +as a normal BBS run by a Sysop called "Pluto". But late last +month - to the surprise of the board's more than 1,000 users - +Pluto was revealed as Sgt. Robert Ansley, a seven-year veteran of +the Austin Police Department! + +"Most of the users were people interested primarily in several +on-line fantasy games or in electronic messaging." Ansley said. +"To get to the levels where people posted information on how to +crash corporate sysems, the user had to ask for increased +access. We were very careful not to solicit or entrap anyone +into leaving illegal information." + +The Austin Police Department disclosure caught most of the BBS's +users by surprise. "I liked the board's electronic messaging +capabilities," said user Michael Whalen, the managing editor of +the Daily Texan, the student newspaper of the University of +Texas, here. "I was really surprised at how the officer was able +to pull this off." + +What the police found, according to Ansley, included access codes +belonging to the world's largest credit reporting organization, +TRW Information Services Systems Division of Orange, California. +"Most offenders seem to be real big on TRW," said Ansley. + +Sting and intelligence gathering bulletin board operations are on +the rise throughout the country, according to law enforcement +officials. Several police departments nationwide have already +used bulletin boards to track down and arrest microcomputer +users who post illegally obtained calling card codes, mainframe +access procedures and passwords, or other confidential +information. According to one high-level West Coast law +enforcement officer who declined to be identified, federal +officials are now joining local authorities in running b5lletin +boards (BBSs) in several key metropolitan areas. + +"You better believe law enforcement agencies are interested and +in in some cases, running bulletin boards," said Dan Pasquale, a +sergeant with the Fremont, California, police department. Last +month, police in Fremont, capped three and a half months of +bulletin board operations by arresting eight individuals for +alleged credit card fraud, misuse of telephone credit +card operations, and technical trespass. Pasquale said most +corporations whose passwords or calling card numbers were posted +on Fremont's BBS were unaware that their information had been +compromised. + +** Hackers Note Here** Pasquale actively solicited the posting of +codes, passwords, credit cards. Qualifying as entrapment. More +experienced hacks pulled out before he sprang his trap. More than +200 people were arrested coast to coast. Only one was elite and +he beat the rap. The rest were rodents. + + +Although police are pleased with their results, some users say +they feel the sting bulletin boards are unfair to both the +innocent users and the suspected criminals alike. Whalen said +students at the University of Texas used the board extensively, +andhe claimed that some people accused of posting access codes +and other information on the board felt they had been entrapped +when they discovered that the BBS was a police sting operation. + +Whalen also said that some users were concerned about the privacy +and sanctity of electronic mail left on the board. "Ansley said +users are foolish if they don't think a sysop reads the mail on +the board," he added. + +Indeed, as police turn increasingly to bulletin boards to catch +suspected criminals, the issue of entrapment has also become a +growing concern, one to which police are sensitive. + +"At no time did the police department urge users to leave access +codes, applications, or passwords for corporate computers on The +Tunnel," Ansley said. + +To prove entrapment, a suspect would have to clearly show that +the government agent offered some type of inducement to promote +criminal activity, said Jim Harrington, the legal director of +the Texas Civil Liberties Union here. "The whole area of police +gaining information on [criminal activities] by reading +electronic mail is very interesting." + +Fremont police held a series of meetings with a district attorney +before they started a board, according to Pasquale. "We +established a point where entrapment began and made sure we +never crossed that point, and in fact, messages on the board +were scripted in conjunction with the district attorney's +of + +Ahem, let me hasten to point out the Gemini System is NOT a +police BBS! + +Charlie + + + +Numb. --> 60 +Title --> Infocom +From --> ATILLA THE HUN +Left --> 19-Apr-86 11:37 pm + + +Well I don't know if anyone has heard this but, + +I have heard that Infocom will start (or may have started) +calling AE lines to see if they contain any infocom software. +If so they download it and check the serials, and bingo if a +pirated version then plain and simple YOU IS BUSTED! + +oh well anyone else know of anything more, I picked it up under +discussion at a bbs. + + atilla the hun -<*----- + + + + +B7>OFF + + +In The News + +Press reports of hacker misdeeds seem to be written in flavors +which border upon awe to contempt. It depends on the publication. +Newspapers ten to permit more editorializing. Between the two +extremes there is a point of reason. I've often wondered, "If a +fifteen year old kid can break into a 'secure' government +computer, what could a fully trained enemy agent do?" It's a +reasonable question. + +Virginia - A fourteen year old hacker who called himself Phineas +Phreak was the first to be prosecuted under the state's computer +trespassing law. Arrested for hacking at a Bulletin Board, he was +placed on one year's probation and ordered to pay $300.00 in +compensation to the board's operator, Allen Knapp. + +Milwaukee - A hacker group who called themselves the 414's after +their area code were arrested by FBI agents and found to have +access to more than 60 computer databases. These included a +California Bank, a cancer center and the Los Alamos Scientific +Laboratory. + +California - Stanley Rifkin a computer consultant for Security +Pacific Bank, stole the bank's passwords and liberated 10 million +dollars from the institution. He then erased the electronic +records of the transactions. While Rifkin was not a hacker, he +hold the distinction of being the country's number one computer +thief. His arrest was not the result of his computerized +misdeeds, but instead, his lack of expertise at being a thief. + +Washington - The United States Government has become the nation's +leading user of computers. As such, they are a target of internal +thieves who have used their systems to divert funds for their own +uses. A number of arrests of computer related theft has led the +government to believe they haven't scratched the surface yet. +It's estimated that only one in 22,000 computers crimes will ever +be prosecuted. + +San Diego - A computer hacker, Bill Landreth pleaded guilty to +tapping the GTE Telemail network in Vienna, Virginia. Known as +"The Cracker" he agreed to cooperate with Federal Investigators +in a larger investigation. Four teenagers from Irvine, California +were subsequently arrested and named Landreth as their source of +information on hacking. Landreth has since written a book "Out of +the Inner Circle". The four kids from Irvine don't receive +royalties. + +TRW - Hackers armed with stolen passwords broke into the TRW +credit system and reviewed information on employment records, +bankruptcies, loans, social security numbers and credit cards. +The password was stolen from a Sears and Roebuck and was +reportedly in circulation for the better part of a year. The +credit card numbers, expiration dates and credit limits of card +holders were used to make fraudulent purchases. TRW changed the +password. + +Atlanta - Edward Johnson took exception to Jerry Falwell's fund +raising activities. His mother had a thing for T.V. preachers and +often gave money to Falwell's Liberty Foundation. Mr. Falwell's +collectors were oblivious to the fact the elderly lady lived on +social security and couldn't afford the donations. On a previous +occasion she had attempted to give the family farm to Jimmy +Swaggart. Johnson adjusted his phreaker program into a phone +cranker to auto dial Falwell's 800 and tie up the line for 30 +seconds a call. Falwell's people reported they lost one million +in donations from the activity. Southern Bell finally trace the +calls and gave Johnson two choices, stop or lose his phone line - +he stopped. After all, it was "God's will". + +Washington - Representative William Hughes from New Jersey has +introduced a bill to make computer theft of data and certain +"kinds of hacking activities" federal felonies. + +New Jersey - Seven teenagers were arrested on charges of credit +card fraud, phreaking and hacking. An investigation into credit +card purchases led local police to the operator of a hacker bbs. +Armed with a search warrant the police seized his computer and +all related data. Inspection of same led to the arrests of the +other six. Now known in hack circles as the New Jersey Seven, +they reportedly had the ability to change the attitude of a +government satellite. The Inner Core reports they consider it +unlikely the kids knew they had the capability. + +In my research, I've noted government and business to be at +greater risk from their own employees than from hackers. Credit +card fraud is the leading hacker crime. The pales beside the +reported cases of computer theft from internal sources. The +Rifkin case is the most noted. However, thousand of unreported +thefts occur every year. + MAKING MONEY WITH YOUR CODES + + +Ok, phreaking will save you money, that's fine. Wouldn't you +rather make some bucks off these jokers? No biggy. You sell your +codes. Is it illegal? You bet, but your the adverturesome type +with avarice in your heart...this is how it works. + +Abdul wants to call the Middle East so he can talk with his +camel. No problem. Call the international operator and ask how +much it costs for an hour to Jordon. Charge the raghead fifty +percent of the cost for hooking him up and let him talk as long +as he likes. MCI and Sprint both access the Middle East so you're +in business. Foreigners are good to deal with. They're extremely +paranoid anyway so tell them you have to make the calls from a +phone booth. This isn't true BUT, you're covering your own ass. + + +There are a variety of good reasons why a phone booth is called a +fortress, this is one. DO NOT SELL THE CODES. Abdul knows nothing +about phreaking. The dumbshit will stay on the code too long and +will end up getting his ass traced. The telcos don't give two +shits about this guy. THEY WANT YOU!. You're the guy costing them +the big bucks. Abdul will make a deal and your tit will be in the +ringer. So keep control of the codes. If you want to be a nice +guy and hand out codes to your phriends fine. Just be sure they +don't have big mouths and that they know the IC's Rules of +Phreaking. You'll find a list of the countrys MCI and Sprint +access in the appendix. You'll also notice there are a lot of +places that they don't go. India for one. The only way to book +passage to India is on AT&T. You'll need to bag a PBX or a +Diverter for that action. + + Equal Access + +What does equal access mean to you? Not much. Access was the +issue that permitted Mci to break up At&t. The result was the +sudden emergence of the companies you'll find listed in this +chapter. At&t still retains an 85%+ share of the +telecommunications market. The rest of the business enterprises +are basically parasites attempting to feed off of Ma Bell's +network. + +Equal Access means you get to pay 2 to 5 dollars a month for +"access" to the long distance network, whether you want it or +not. It means your local telco can go begging to the Public +Utilities commissions claiming the need for rate increases in the + +wake of the break up. Pacfic Tel was hurt so much they posted +sales recently of one billion dollars. I first in the company's +history. + +There is one small advantage to equal access. Ustel (950-1033) +customers can crossover to the Sprint Network (950-0777) and make +international calls. By appending the equal access code to the +customer code the call will be cross connected. + +In short, equal access means this..."Bend over and smile +America". If you thought you were getting screwed before, well +you ain't seen nothing yet. + + + Equal Access Codes + + + + + + + +10824 ATC Directline + +10482 Access America + +10939 Access Long Distance + +10282 Action Telecom + +10444 Allnet + + Americall + +10002 Americall LDC Inc. + +10053 American Network + +10366 American Telco + +10050 American Telephone Exchange + +10080 Amtel + + Amertel + +10824 + + ATC Communications + +10287 ATS Communications + +10272 Bell of Pa + +10606 Biz-Tel + +10300 Call America + +10221 Capitol Telecommunications Inc. + +10987 Clay Desta Communications + +10266 Com Systems + +10885 Communigroup of Kansas City + +10733 Comp-Data Communications + + Compute a Call + + Comtel of Pine Bluff + +10203 Cytel10233 Delta Communications + +10339 Dial USA + + Directline + + Discount Long Distance + + EO Tech10054 Eastern Telephone Systems + +10634 Econo Line of Midland + + Econo-line of Waco + +10256 Execuline + +10393 Execulines of Florida + + Garden State Telco + +10235 Inteleplex + +10884 ITI + +10488 Itt + +10535 LDL - Long Distance for Less + +10084 LDS + + LDX + + LTS + +10066 Lexitel + +10852 Line One + +10036 Long Distance Savers + +10537 Long Distance Service of Washington + + Long Distance Telephone Savers + + Max Long Distance + +10222 Mci + +10021 Mercury Long Distance + +10622 Metro America Communications + + National Telecommunications of Austin + + Network I/Metromedia + +10855 Network Plus + +10638 Northwest Telecom Ltd. + +10785 Olympia Telecom + +10808 Phone America of Colorado + +10936 R - Comm + +10211 RCI + +10787 STS/Star Tel + +10800 Satelco + +10888 Skyline + +10087 Southernnet + +10321 Southland Systems + +10777 Sprint + +10889 St. Joseph10787 STS/Star Tel + +10007 TMC of Arkansas + +10021 TMC of Chattanooga + +10007 TMC of El Paso + +10007 TMC of Miami + +10007 TMC of S.E. Florida + + TMI of Oklahoma + +10826 Tel AMCO + + Tel-Central Inc of Oklahoma + +10330 Tel-Share + +10626 Tel/man + +10007 Telemarketing Communications + +10899 Telephone Express + +10331 Texustel + +10850 Tollkall + +10824 Transcall + +10333 US Telecom + +10859 Valu-Line of Longview + + Valu-Line of Wichita Falls + +10687 WTS Communicatons + +10085 Westel + +10220 Western Union + +10995 Wylon + + ESS + +The following is a file taken from a Hack Board. I think it is +intellegently written and accurate. + + + +====================================+ + + ELECTRONIC SWITCHING SERVICE V1. + + + EXERT FROM 2600 MAGAZINE FEB '84 + + +FROM THE RADIO STATION: 718-xxx-xxxx+ + +====================================+ + + THERE WAS OF COURSE NO WAY OF KNOWING + WETHER YOU WERE BEING WATCHED AT ANY + GIVEN MOMENT. HOW OFTEN, OR ON WHAT + SYSTEM, THE THOUGHT POLICE PLUGGED IN ON + ANY INDIVIDUAL WIRE WAS GUESSWORK. IT + WAS EVEN CONCEIVABLE THAT THEY WATCHED + EVERYBODY ALL THE TIME. BUT AT ANY RAT + E THEY COULD PLUG IN YOUR WIRE WHENEVER + THEY WANTED TO. YOU HAD TO LIVE--DID L + IVE, FROM HABIT THAT BECAME INSTICT--IN + THE ASSUMPTION THAT EVERY SOUND YOU MAD + E WAS OVERHEARD, AND, EXCEPT IN + DARKNESS, EVERY MOVEMENT SCRUTINIZED. + + 'FROM NINETEEN EIGHTY-FOUR' + + ESS IS THE BIG BROTHER OF THE BELL + FAMILY. ITS VERY NAME STRIKES FEAR AND + APPREHENSION INTO THE HEARTS OF MOST + PHREAKERS, AND FOR A VERY GOOD REASON. + ESS (ELECTRONIC SWITCHING SYSTEM) KNOWS + THE FULL STORY ON EVERY TELEPHONE + HOOKED INTO IT. WHILE IT MAY BE PARANO + ID TO SAY THAT ALL PHREAKING WILL COME + TO A SCREECHING HALT UNDER ESS, IT'S + CERTAINLY REALISTIC TO ADMIT THAT ANY + PHREAK WHOSE CENTRAL OFFICE TURNS TO + ESS WILL HAVE TO BA A LOT MORE CAREFUL. + HERE'S WHY. + + WITH ELECTRONIC SWITCHING, EVERY + SINGLE DIGIT DIALED IS RECORDED. THIS + IS USEFUL NOT ONLY FOR NAILING PHREAKS + BUT FOR SETTLING BILLING DISPUTES. IN + THE PAST, THERE HAS BEEN NO EASY WAY + FOR THE PHONE COMPANY TO SHOW YOU WHAT + NUMBERS YOU DIALED LOCALLY. IF YOU + PROTESTED LONG ENOUGH AND LOUD ENOUGH, + THEY MIGHT HAVE PUT A PEN REGISTER ON + YOUR LINE TO RECORD EVERYTHING AND + PROVE IT TO YOU. UNDER ESS, THE ACTUAL + PRINTOUT (WHICH WILL BE DUG OUT OF A + VAULT SOMEWHERE IF NEEDED) SHOWS EVERY + LAST DIGIT DIALED. + EVERY 800 CALL, EVERY CALL TO DIRECTORY + ASSISTANCE, REPAIR SERVICE, THE + OPERATOR, EVERY RENDITION OF THE 1812 + OVERTURE, EVERYTHING! HERE IS AN + EXAMPLE OF A TYPICAL PRINTOUT, WHICH + SHOWS TIME OF CONNECT, LENGTH OF + CONNECT, AND NUMBER CALLED. + + DATE TIME LENGTH UNITS NUMBER + + 0603 1518 3 1 456-7890 + 0603 1525 5 3 345-6789 + 0603 1602 1 0 000-4011 + 0603 1603 1 0 800-555-1212 + 0603 1603 10 2.35* 212-345-6789 + 0603 1624 1 0 000-000-0000 + (TSPS) + + A THOUSAND CALLS TO "800" WILL SHOW + UP AS JUST THAT--A THOUSAND CALLS TO + "800"! EVERY TOUCH TONE OR PULSE IS + KEPT TRACK OF AND FOR MOST PHREAKS, + THIS IN ITSELF WON'T BE VERY PRETTY. + + SOMEWHERE IN THE HALLOWED HALLS OF 19 + 5 BROADWAY, A TRAFFIC ENGINEER DID AN + EXHAUSTIVE STUDY OF ALL 800 CALLS OVER + THE PAST FEW YEARS, AND REACHED THE + FOLLOWING CONCLUSIONS: (1) LEGITIMATE + CALLS TO 800 NUMBERS LAST AN AVERAGE OF + 3 MINUTES OR LESS. OF THE ILLEGAL (I.E + PHREAKERS) CALLS MADE VIA 800 LINES, + MORE THAN 80% LASTED 5 MINUTES/LONGER; + (2) THE AVERAGE RESIDENTIAL TELEPHONE + SUBSCRIBER MAKES FIVE SUCH CALLS TO AN + 800 NUMBER PER MONTH. WHENEVER + PHREAKERS ARE BEING WATCHED, THAT + NUMBER WAS SIGNIFICANTLY HIGHER. AS A + RESULT OF THIS STUDY, ONE FEATURE OF + ESS IS A DAILY LOG CALLED THE "800 + EXCEPTIONAL CALLING REPORT." + + UNDER ESS, ONE SIMPLY DOES NOT PLACE + A 2600 HZ TONE ON THE LINE, UNLESS OF + COURSE, THEY WANT A TELCO SECURITY + REPRESENTATIVE AND A POLICEMAN AT THEIR + DOORWITHIN AN HOUR! THE NEW GENERICS + OF ESS (THE #5) NOW IN PRODUCTION, WITH + AN OPERATING PROTOTYPE IN GDNZFA, nILL, + ALLOW THE SYSTEM TO SILENTLY DETECT ALL + "FOREIGN" TONES NOT AVALABLE ON THE + CUSTOMER'S PHONE. YOU HAVE EXACTLY 12 + BUTTONS ON YOUR TOUCH-TONE (R) PHONE. + ESS KNOWS WHAT THEY ARE, AND YOU HAD + BEST NOT SOUND ANY OTHER TONES ON THE + LINE, SINCE THE NEW #5 IS PROGRAMMED + TO SILENTLY NOTIFY A HUMAN BEING IN THE + CENTRAL OFFICE, WHILE CONTINUING WITH + YOUR CALL AS THOUGH NOTHING WERE WRONG! + SOMEONE WILL JUST PUNCH A FEW KEYS ON + THEIR TERMINAL, AND THE WHOLE SORDID + STORY WILL BE RIGHT IN FRONT OF THEM, & + PRINTED OUT FOR ACTION BY THE SECURITY + REPRESENTATIVES AS NEEDED. + + TRACING OF CALLS FOR WHATEVER REASON + (ABUSIVE CALLS, FRAUD CALLS, ETC.) IS + DONE BY MERELY ASKING THE COMPUTER + RIGHT FROM A TERMINAL IN THE SECURITY + DEPARTMENT. WITH ESS, EVERYTHING IS RI + GHT UP FRONT, NOTHING HIDDEN OR + CONCEALED IN ELECTROMECHANICAL FRAMES, + ETC. IT'S MERELY A SOFTWARE PROGRAM! + AND A PROGRAM DESIGNED FOR EASE IN + OPERATION BY THE PHONE COMPANY. CALL + TRACING HAS BECOME VERY SOPHISTICATED A + ND IMMEDIATE. THERE'S NO MORE RUNNING + IN THE FRAMES AND LOOKING FOR LONG PERI + ODS OF TIME. ROM CHIPS IN COMPUTERS + WORK FAST, AND THAT IS WHAT ESS IS ALL + ABOUT. + + PHONE PHREAKS ARE NOT THE ONLY REASON + FOR ESS, BUT IT WAS ONE VERY IMPORTANT + ONE. THE FIRST AND FOREMOST REASON FOR + ESS IS TO PROVIDE THE PHONE COMPANY + WITH BETTER CONTROL ON BILLING AND + EQUIPMENT RECORDS, FASTER HANDLING OF + CALLS (I.E. LESS EQUIPMENT TIED UP IN + THE OFF ICE AT ANY ONE TIME), & TO HELP + AGENCIES SUCH AS THE FBI KEEP BETTER + ACCOUNT OF WHO WAS CALLING WHO FROM + WHERE,ETC. WHEN THE FBI FINDS OUT THAT + SOMEONE WHOSE CALLS THEY WANT TO TRACE + IS ON A ESS EXCHANGE, THEY ARE THRILLED + BECAUSE IT'S SO MUCH EASIER FOR THEM + THEN. + + THE UNITED STATES WON'T BE 100% ESS + UNTIL SOMETIME IN THE MID 1990'S. BUT + IN REAL PRACTICE, ALL PHONE OFFICES IN + ALMOST EVERY CITY ARE GETTING SOME OF + THE MOST BASIC MODIFICATIONS BROUGHT + ABOUT BY ESS. "911" SERVICE IS AN ESS + FUNCTION. SO IS ANI (AUTOMATIC NUMBER + IDENTIFICATION) ON LONG DISTANCE CALLS. + "DIAL TONE FIRST" PAY PHONES ARE ALSO + AN ESS FUNCTION. NONE OF THESE THINGS + WERE AVAILABLE PRIOR TO ESS. THE AMOUNT + OF PURE FRAUD CALLING VIA BOGUS CREDIT + CARD, THIRD NUMBER BILLING, ETC. ON + BELL'S LINES LED TO THE DECISION TO + RAPIDLY INSTALL THE ANI, FOR EXAMPLE, + EVEN IF THE REST OF THE ESS WAS SEVERAL + YEARS AWAY IN SOME CASES. + + DEPENDING ON HOW YOU CHOOSE TO LOOK + AT THE WHOLE CONCEPT OF ESS, IT CAN BE + EITHER ONE OF THE MOST ADVANTAGEOUS + INNOVATIONS OF ALL TIME OR ONE OF THE + SCARIEST. THE SYSTEM IS GOOD FOR + CONSUMERS IN THAT IT CAN TAKE A LOT OF + ACTIVITY AND DO LOTS OF THINGS THAT OLD + ER SYSTEMS COULD NEVER DO. FEATURES + SUCH AS DIRECT DIALING OVERSEAS, CALL + FORWARDING (BOTH OF WHICH OPEN UP NEW + WORLDS OF PHREAKING WHICH WE'LL EXPLORE + IN LATER ISSUES), AND CALL HOLDING ARE + STEPS FORWARD, WITHOUT QUESTION. BUT + AT THE SAME TIME, WHAT DO ALL OF THE + NASTY IMPLICATIONS MENTIONED FURTHER + BACK MEAN TO THE AVERAGE PERSON ON THE + SIDEWALK? THE SYSTEM IS PERFECTLY + CAPABLE OF MONITORING ANYONE, NOT JUST + PHONE PHREAKS! WHAT WOULD HAPPEN IF + THE NICE FRIENDLY GOVERNMENT WE HAVE + SOMEHOW GOT OVERTHROWN AND A MEAN NASTY + ONE TOOK ITS PLACE? WITH ESS, THEY + WOULDN'T HAVE TO DO TOO MUCH WORK, JUST + COME UP WITH SOME NEW SOFTWARE. IMAGINE + A PHONE SYSTEM THAT COULD TELL + AUTHORITIES HOW MANY CALLS YOU PLACED + TO CERTAIN TYPES OF PEOPLE, I.E. BLACKS + COMMUNISTS, LAUNDROMAT SERVICE + EMPLOYEES... ESS COULD DO IT, IF SO + PROGRAMMED. + + *** BIOC FROM WHACKOLAND BBS: + *** AGENT + THE RADIO STATION BBS + 300/1200 BAUD + + + --------------------------------------- + + + GAMES PHONE COMPANIES PLAY + + + +Some phone companies have come up with clever little tricks to +fuck up the phreaks hacking activities. One of these is the +CARRIER BLAST. Simply put, they shoot a 300/1200 baud answer tone +across the phone line right before you connect with your +destination. This move makes your computer THINK it's connected +with the computer you're calling. The attempt is laughable. All +you need do is to take the modem offline for that period of +seconds when the carrier is blasting. For the Hayes and the +Hayes compatible modems you work this command into the dialing +sequence, "+++,". Each modem in the AT mode permits you to take +the modem offline and "idle". The function is programable so you +can use any keyboard character. The "+++" puts the modem in idle, +the comma is a timing element you've preprogrammed. If you want a +five second delay, you will have programmed "ATS8=5" or "ATS8=10" +for a ten second delay. After your delay the modem will continue +to execute the dialing sequence. You'll now use "ATO" to put the +modem back on line. The whole routine will look like +this,"+++,ATO". Consult your modem manuals if you don't have a +Hayes Compatible. Each manufacturer has "borrowed" the same +features from Hayes. The result will be the same even if your +commands may differ. + +Another little gimmick has been borrowed from the PBX. After +entering your code you have to enter "9" to get out. No big deal. +Just use nine as a suffix. + + +If you've ever tried hacking an AT&T credit card (and I recommend +that you don't) you'd notice that you can dump the entire dialing +sequence all at once. This is a classy system. Not so with MCI or +UStel. After you've entered the 0 and the area code of your +destination the system beeps you that it has received the proper +format. While this beeping is going on you can't dial over it. +The solution is simple, insert the "comma delay to wait for the +"beeper" to get done. The one problem you may encounter depends +on the size of you modem's buffer. The Hayes compatible can +accept forty five digits. The MCI/UStel format requires a full 44 +digits. You have one to spare. If your buffer size is smaller, +you'll have to break the dialing sequence in two separate +routines. A bit of a bitch but liveable for the return. + + +Code format bastardizations are a nice change. The telco's hope +that in deviating from the norm, it will be less advantageous for +the hacker, who like anyone else develops habits, to whack away +at their systems. Itt's reverse arrangement is a prime example. The Pbx + +The Pbx (Public Branch Exchange) is a switching station. In the +old days an operator would stick a plug into a slot and connect +with an incoming call and another plug to a second slot to +establish a connection with the destination. The equipment is the +same in theory except, today the microchip has eliminated the +human operator. + +The phreak is interested in the board's dial in/out capability. +The legitimate users of the Pbx can call into a number, enter a +code + a routing number and have an At&t line to dial out with. +Pbx's afford the hack indirect access to Ma Bell without exposing +him to the risk of a trace. There are two principle uses, +Teleconferencing and Overseas calls to area only At&t services. + +To find a Pbx the hack scans a local prefix. This is also known +as War Dialing after the movie War Games. To find the unit the +hack must be equipped with a modem capable of recognizing a dial +tone. The Hayes modem can not. The Apple Cat is considered the +ideal phreaking modem. Not only can it recognize dial tones it +can generate the frequencies needed to emulate a blue box. The +Cat is not one of Ma Bell's favorites. The Hayes user is forced +to sit and listen to the dialing if he wants a Pbx. Most phreaks +will usually make a deal with a cat owner for pbx locations. + +The phreak will recognize the Pbx when he hears a second dial +tone. He'll now start playing around looking for the code. Many +switchboards have simple and easy to remember 4 digit codes like +1234. The hack will always go for the obvious. Code lengths can +be any where from zero to eight digits. Pbx's are very user +friendly. When you screw up it'll beep at you to let you know. +This is a worksheet for Pbx hacking + + + 1 1 1 1 1 1 1 1 + 2 2 2 2 2 2 2 2 + 3 3 3 3 3 3 3 3 + 4 4 4 4 4 4 4 4 + 5 5 5 5 5 5 5 5 + 6 6 6 6 6 6 6 6 + 7 7 7 7 7 7 7 7 + 8 8 8 8 8 8 8 8 + 9 9 9 9 9 9 9 9 + +The hack will now enter a number from the far left column. If it +beeps at him he knows he's guessed wrong so he disconnects and +redials. With an autodialer that's no big deal. He goes back to +work on the first column. He will eventually it a number which +doesn't generate an error message. He circles it and proceeds to +the next column. When he's succeeded in hacking out the code, he +will hear another dial tone. This is his At&t line out. Most +phreaks will test the line by dialing information, local to the +Pbx. + +Some units require an additional out code. Would you believe 9 ? +Actually the Pbx will accept any preprogrammed 2 digit code, like +85. Nine has become a habit and many virgins have lost their +cherry to a phreak by doing the obvious. I've seen units that +required no code, only the 9 to get outside. + +It's impossible to make a Pbx secure. If a hacker want's it, and +he's willing to work on it, he'll get it. The only option +available to the business is to disconnect the in/out dialups and +supply their outside personnel with long distance travel cards. + +Loops + + +Loops are mildly interesting in the hack/phreak world. They +consist of two telephone numbers that, when connected, permit +callers to hold conversations with strangers or friends whom +they've met by appointment. + +A loop has a high side and a low side, meaning one of the pair of + +numbers emits a tone while the other is quiet. Loops in 213 and +818 areas can be found by dialing any prefix and 1118 or 1119. +Pacific Telephone has injected a rather annoying "click" into the + +line which makes data transfers impossible and voice +communication tedious. This situation doesn't exist in other +areas of the country. + +At first glance, loops may not appear to have any practical +value. To the hacker it has two uses. It enables him to voice +with people he doesn't want to have his phone number and it's +useful in conferencing (see Alliance). Many hacks refuse to make +their personal information available to those who are not long +standing bbs acquaintances. Loops make safe voicing possible. + + + A Few Loops + + + 201-531-9929,9930 201-938-9929,9930 + 206-827-0018,0019 206-988-0020,0022 + 212-283-9977,9997 208-862-9996,9997 + 209-732-0044,0045 212-529-9900,9906 + 212-283-9977,9979 212-352-9900,9906 + 212-220-9977,9979 212-365-9977,9979 + 212-562-9977,9979 212-986-9977,9979 + 213-549-1118,1119 214-299-4759,4757 + 214-291-4759,4757 307-468-9999,9998 + 308-357-0004,0005 402-779-0004,0007 + 406-225-9902,9903 714-884-1118,1119 + + + +These loops were taken from a Hack Board and are for the 808 +area. + + + + ((((((((((((((((((((((((((((((((((( + ( ( + ( ( + ( ( + ( Here are some loops for ya. ( + ( ( + ( ( + ( ( + ( (808) = 1 ( + ( (9907)= Loud ( + ( (9908)= Silent ( + ( ( + ( ( + ( ( + ( ( + ( 1 328 (Loud) (Silent) ( + ( " 322 """"""""""""""" ( + ( " 572 """"""""""""""" ( + ( " 261 """"""""""""""" ( + ( " 239 """"""""""""""" ( + ( " 668 """"""""""""""" ( + ( " 885 """"""""""""""" ( + ( " 961 """"""""""""""" ( + ( " 245 """"""""""""""" ( + ( " 332 """"""""""""""" ( + ( " 335 """"""""""""""" ( + ( " 623 """"""""""""""" ( + ( " 624 """"""""""""""" ( + ( " 959 """"""""""""""" ( + ( " 742 """"""""""""""" ( + ( " 879 """"""""""""""" ( + ( " 882 """"""""""""""" ( + ( " 329 """"""""""""""" ( + ( " 247 """"""""""""""" ( + ( " 235 """"""""""""""" ( + (((((((((((((((((((((((((((((((((((((( + The Loop master (Merauge) was here + + + DIVERTERS + + + Diverters are privately owned call forwarding machines. They'll + be found almost exclusively in areas that don't have call + forwarding. This also means ESS isn't operational in your + area. This is how it works... + + You may not realize it, but the sounds of a call connecting are + permanently etched on your subconscience mind. Whether it's the + sounds of tones or clicks, you know when your call has + connected. Pay attention next time, you'll see what I mean. A + call going to a diverter makes two connections. First to the + number you called and second to the number that the diverter + called. When you hear this second connection, you'll know that + you've bagged a diverter. The call will be connected to a person + you have absolutely no interest in talking to. Tell the person + that you have the wrong number, click the rocker on your phone, + and wait for HIM to hang up. Your call is now in a never never + land between the first number you dialed and the number that the + diverter called. Wait about two minutes. You'll hear a faint + dial tone in the back ground. That's your AT&T line out. You can + now dial anywhere in the world. + + Since you're dealing with a real human on the other end, be + prepared for the unexpected. I called one diverter recently and + had a fellow answer the phone. I used the wrong number routine + and clicked the rocker, but HE DIDN'T HANG UP. Hey, I'm cool, a + dummied up and waited. After five minutes HE STILL WOULDN'T HANG + UP. Not only that, he started making lewd suggestions that he + and I get together for a date. I like girls and this joker was + grossing me out. I said,"Jesus fucking Christ" very disgustedly + (for emphasis) and clicked the rocker arm again. THE SON OF A + BITCH STILL WOULDN'T HANG UP. I gave up and went to a PBX. + + This is the moral of this story. This fellow had been burned + before. He knew the flaw in his diverter and he knew what to do + about it. Plus the guy gets 10 points for have some style. He +knew what I was trying to do to him and he played the game out +all the way. A good show. Manufacturers of diverters are hip to +the game. Their newer machines have disconnect features that +restrict a phreaks call out abilities. Never the less, there are +hundreds of thousands of the older machines still out there with +their cherries intact. Firms that use a diverter are too cheap +to hire and answering service. For this reason alone they won't +be too quick to upgrade their systems. They'll get a little +incentive after they receive a several thousand dollar phone +bill. + + + I spoke with a phreak not too long ago who received a 2 thousand + dollar phone bill for conferance calls he'd made with a +diverter. + Explained the steps he'd taken in its use. I asked him if the +second dial tone he received was as loud as the first. I +informed him as kindly as possible, "You dumb shit, that was +your dial tone not the diverter". There's a moral in there +somewhere. + The Black Box + +Another credible file on box building. Note the black will work +under Crossbar or Step by Step but not with ESS. + + + +*************************************** +* * +* HOW TO BUILD A BLACK BOX * +* * +*************************************** +A BLACK BOX +IS A DEVICE THAT IS HOOKED UP TO YOUR +FONE THAT FIXES YOUR FONE SO THAT WHEN +YOU GET A CALL, THE CALLER DOESN'T GET +CHARGED FOR THE CALL. THIS IS GOOD FOR +CALLS UP TO 1/2 HOUR, AFTER 1/2 HOUR +THE FONE CO. GETS SUSPICOUS, AND THEN +YOU CAN GUESS WHAT HAPPENS. + +THE WAY IT WORKS: + +WHAT THIS LITTLE BEAUTY DOES IS +KEEP THE LINE VOLTAGE FROM DROPPING TO +10V WHEN YOU ANSWER YOUR FONE. THE +LINE IS INSTED KEPT AT 36V AND IT WILL +MAKE THE FONE THINK THAT IT IS STILL +RINGING WHILE YOUR TALKING. THE REASON +FOR THE 1/2 HOUR TIME LIMIT IS THAT THE +FONE CO. THINKS THAT SOMETHING IS WRONG +AFTER 1/2 AN HOUR OF RINGING. + +ALL PRTS ARE AVAILABLE RADIO +SHACK. USING THE LEAST POSSIBLE PARTS +AND ARANGEMENT, THE COST IS $0.98 !!!! +AND THAT IS PARTS FOR TWO OF THEM! +TALK ABOUT A DEAL! IF YOU WANT TO +SPLURGE THEN YOU CAN GET A SMALL PC +BOARD, AND A SWITCH. THERE ARE TWO +SCHEMATICS FOR THIS BOX, ONE IS FOR +MOST NORMAL FONES. THE SECOND ONE IS +FOR FONES THAT DON'T WORK WITH THE +FIRST. IT WAS MADE FOR USE WITH A BELL +TRIMLINE TOUCH TONE FONE. + +** SCHEMATIC 1 FOR MOST FONES ** +** LED ON: BOX ON ** + +FROM >--------------------GREEN-> TO +LINE >--! 1.8K LED !---RED--> FONE +!--/\/\/\--!>--! +! ! +------>/<------- +SPST + + + +PARTS: 1 1.8K 1/2 WATT RESISTOR +1 1.5V LED +1 SPST SWITCH + +YOU MAY JUST HAVE TWO WIRES WHICH YOU +CONNECT TOGETHER FOR THE SWITCH. + + +** SCHEMATIC 2 FOR ALL FONES ** +** LED ON: BOX OFF ** + +FROM >---------------GREEN-> TO +LINE >------- ---RED--> FONE +! LED ! +-->/<--!>-- +! ! +---/\/\/--- +1.8K + +PARTS: 1 1.8K 1/2 WATT RESISTOR +1 1.5V LED +1 DPST SWITCH + + +HERE IS THE PC BOARD LAYOUT THAT I +RECOMMEND USING. IT IS NEAT AND IS +VERY EASY TO HOOK UP. + +SCHEMATIC #1 SCHEMATIC #2 + +************** **************** +* * * ------- * +* ----- * * ! ! * +* ! ! * * ! * +* RESISTOR ! * * ! ! ! * +* ! ! * * ! ! / * +* -------- ! * * ! ! \ * +* ! ! * * ! ! / * +* --SWITCH-- * * ! ! \ * +* ! ! * * ! ! / * +L * ! ! * F L * ! ! ! * F +I>RED- -RED>O I>RED- ---RED>O +N>-----GREEN---->N N>-----GREEN------>N +E * H * E E * * E +************** **************** + + +ONCE YOU HAVE HOOKED UP ALL THE +PARTS, YOU MUST FIGURE OUT WHAT SET OF +WIRES GO TO THE LINE AND WHICH GO TO +THE FONE. THIS IS BECAUSE OF THE FACT +THAT LED'S MUST BE PUT IN, IN A CERTAIN +DIRECTION. DEPENDING ON WHICH WAY YOU +PUT THE LED IS WHAT CONTROLS WHAT WIRES +ARE FOR THE LINE & FONE. + +HOW TO FIND OUT: + +HOOK UP THE BOX IN ONE DIRECTION +USING ONE SET OF WIRES FOR LINE AND THE +OTHER FOR FONE. + +*NOTE* FOR MODEL I SWITCH SHOULD BE OFF. +*NOTE* FOR MODEL ][ SWITCH SHOULD BE +SET TO SIDE CONNECTING THE LED. + +ONCE YOU HAVE HOOKED IT UP, THEN +PICK UP THE FONE AND SEE IF THE LED IS +ON. IF IT IS, THE LED WILL BE LIT. IF +IS DOESN'T LIGHT THEN SWITCH THE WIRES +AND TRY AGAIN. ONCE YOU KNOW WHICH ARE +WHICH THEN LABEL THEM. *NOTE* - IF +NEITHER DIRECTIONS WORKED THEN YOUR +SWITCH WAS IN THE WRONG POSITION. NOW +LABLE THE SWITCH IN ITS CURRENT +POSITION AS BOX ON. + +HOW TO USE IT: + +THE PURPOSE OF THIS BOX IS NOT TO +POEPLE WHO CALL YOU SO IT WOULD MAKE +SENCE THAT IT CAN ONLY BE USED TO +RECEIVE! CALLS. WHEN THE BOX IS *ON* +THEN YOU MAY ONLY RECIEVE CALLS. YOUR +FONE WILL RING LIKE NORMAL AND THE LED +ON THE BOX WILL FLASH. IF YOU ANSWER +THE FONE NOW, THEN THE LED WILL +LIGHT AND THE CALLER WILL NOT BE CHARGED. +HANG UP THE FONE AFTER YOU ARE DONE +TALKING LIKE NORMAL. YOU WILL NOT BE +ABLE TO GET A DIAL-TONE OR CALL WHEN +THE BOX IS ON, SO TURN THE BOX *OFF* +FOR NORMAL CALLS. I DON'T RECOMMEND +YOU DON'T WANT IT TO ANSWER WHEN MA BELL +CALLS! + + +Incidentally, never let it be said that all hackers are literate. +Just knowing thieves. + The Infamous Blue Box + + +The follwoing appears to be a credible set of plans for the +Captain Crunch machine. + + + + +$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ +$ $ +$ BLUE BOX PLANS! $ +$ --------------- $ +$ $ +$ Edited and Uploaded by: $ +$ $ +$ $ +$$$$$$$->The Spirit Of Radio<-$$$$$$$ +$ $ +$ Written by: $ +$ $ +$ Mr. America from Osuny BBS $ +$ $ +$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + +This file will explain the construction, troubleshooting, +andadjustmentof a Blue Box. + +We all know that the touch tone frequencies are composed of 2 +tones (2 different freqs.) so that is the reason why we have 2 +VCO's (Voltage Controlled Oscilators). We'll call them VCO#1 and +VCO#2.If you have noticed VCO#1 and VCO#2 are exactly the same +type of circuits. That is why only 1 was drawn. But remember +that whatever goes for VCO#1 also goes for VCO#2. Both VCO'S are +composed of a handfull of parts. One chip, two capacitors,2 +resistors and five potentionmeters. All of this will give you +(when properly calibrated) one of the freqencies necessary (the +other one will come fromVCO#2) for the operation of $ the Blue +Box. Both of these freqs. will bemixed in the speaker to form the +required tone. + +This is one of the most sophisticated designs I have ever made. +Why? Because other designs will drain the battery after 10 calls. +This design will make them last 10 months!!!!!! But +nevertheless, don'tforget to put in aswitch for on and off. Ok +let's build the two VCO'S andcalibrate the unit before we get to +the keyboard construction. + + +VCO CONSTRUCTION + +TOOLS REQUIRED +1 ocilliscope(optional but not req) +1 Freq. counter (REQUIRED) +1 Volt meter " " " +Electronics tools (Pliers, drll, screwdrivers, etc.) + + +PARTS + +R1 1.5K RESISTOR 5% +R2 1K RESISTOR 5% +C1 .1uf ELECTROLYTIC CAPACITOR 16VDC +C2 .01uf " " (MYLQR) 16VDC +C1 2207 VCO CHIP BY EXAR ELECTRONICS + +Remember the above only says VCO#1 but the same is for VCO#2 + +R3-R4 150 OHM RESISTORS 5% . +C3-C4 .1 uf ELECTROLITIC CAPACITOR . +10VDC . + +P1-P10 200K TRIMMER POT - 20 TURNS DIODES USED IN THE KEYBOARD +ARE 1N914 TYPE(40 OF THEM) & 13 SWITCHES FOR THE KEYBOARD SPST +MOMENTARY. + +SPKR YOU CAN USE A TELEPHONE SPEAKER FOR THIS (IT WORKS BEST) BUT +REMEMBER TOTAKE OUT THE DIODE THAT IS CONNECTED ACCROSS IT. + + +IMPORTANT NOTES + +1. DO NOT USE ANYTHING ELSE OTHER THAN A MYLAR CAPACITOR FORC2. +2. PINS 10,9,8 SHOULD BE TIED TOGETHER AND BE LEFT FLOATING. +3. ALL RESISTORS SHOULD BE 5%! NOTHING ELSE! +4. A TELEPHONE SPEAKER GIVES THE BEST RESULTS. + + +TROUBLE SHOOTING + +By now you should have constructed the two VCO'S on a bread board +or anything that pleases you. Check for cold solder +joints,broken wires,polarity of the battery, etc. Before we +apply power to the VCO'S we have to adjust the pots for their +half way travel point. This is done by turning them 21 turns to +the right and then 10 turns to the left. Do the same for all ten +of them. + +Now apply power to the unit check to see that you have power in +the chips by putting the positive lead of your volt meter on pin +7 andthe negative lead on pin 12. If you do not have anything +there turn off the unit and RECHECK THE WIRING. + +When you get the right voltages on the chips, connect a diode to +a piece of wire (look at fig. 2 for the orientation of the diode) +from round to any pot at point T (look carefully at the schematic +for point T it is labeled T1-T10 for all pots). You should be +able to hear a tone, if not disconnect the lead and place the +speaker close to your ear and if you hear a chirp-like sound, +this means that the two VCO'S are working if you don't, +it means that either one or both of the VCO'S are dead. So in +this case it is always good to have an ocilloscope on hand. +Disconnect the speaker from the circuit and hook the ocilliscope +to 1 of the leads of the speaker & the ground from the scope to +the ground of the battery. Connect again the ground lead with the +diode connected to it from ground to any pot on the VCO that you +are checking and you should see a triangle wave if not turn the +pot in which you are applying the ground to until you see it. +When you do see it do the the same for the other VCO to makesure +it is working. (amplitude is about 2VAC). When you get the two +VCO's working you are set for the adjustment of the individual +spots. + + +ADJUSTMENT + +Disconnect the speaker from the circuit and connect a freq. +counter (the positive lead of the counter to one of the speakers +leads that belongs to VCO#1 or connect it to pin 14. + +Connect the negative lead to the battery negative and connect the +jumperlead with the diode from ground to pot number 1.T1 (the +first pot number 1 point T1). If you got it working you should +hear a tone and get a reading on the counter. Adjust the pot for +a freq. of 1700hz and continue doing the same for pots 2-5 +except that they get different freqs. which are: + +: $$$$$$$$$$$$$$ : +: $ $ : +: $ P1 1700hz $ : +: $ P2 1300hz $ : +: $ P3 1100hz $ : +: $ P4 900hz $ : +: $ P5 1500hz $ : +: $ $ : +: $$$$$$$$$$$$$$ : + +Now disconnect the freq. counter from the speaker lead of VCO#1 +or from pin (which ever you had it attached to at the beginning) +and connect it to the speaker lead of VCO#2 or to pin 14 of VCO#2 +and make the same adjustments toP6-10.: + +: $$$$$$$$$$$$$$$ : +: $ $ : +: $ P6 1100hz $ : +: $ P7 700hz $ : +: $ P8 900hz $ : +: $ P9 2600hz $ : +: $ P10 1500hz $ : +: $ $ : +: $$$$$$$$$$$$$$$ : + +When you finish doing all of the pots go back and re-check +them. + + +KEYBOARD + +IF YOU LOOK AT FIG-2 YOU WILL SEE THAT THE KEYS ARE +SIMPLE SWITCHES. CONNECTED TO A GROUND AND TWO DIODES ON THE +OTHER END. THESE DIODES ARE USED TO SIMPLIFY THE CONSTRUCTION OF +THE KEYBOARD BECAUSE OTHERWISE THE DISTRIBUTION OF THE GROUND +SIGNAL FOR BOTH VCO'S WOULD HAVE BEEN DONE MECHANICALLY. THE +DIODE WILL GO TO VCO#1 AND THE OTHER WILL GO TO VCO#2. FIG-3 +SHOWS THE ARRANGEMENT OF THE KEYS ON THE KEYBOARD. + +BELOW IS A TABLE THAT WILL HELP YOU CONNECT THE KEYS TO THE +REQUIRED VCO'SPOTS. + +<-------------------------------------> +< > +< (-FIG 2-) > +< > +<-----!-----!--------!--------!-------> +< ! ! ! ! > +< TO ! TO ! FREQ ! FREQ ! KEY > +< POT ! POT ! OUT: ! OUT: ! > +< ON ! ON ! ! ! > +< VCO1! VCO2! ! ! > +<-----!-----!--------!--------!-------> +< 1 ! 06 ! 1700hz ! 1100hz ! C > +< 2 ! 10 ! 1300hz ! 1500hz ! 0 > +< 1 ! 10 ! 1700hz ! 1100hz ! E > +< 4 ! 07 ! 0900hz ! 0700hz ! 1 > +< 3 ! 07 ! 1100hz ! 0700hz ! 2 > +< 3 ! 08 ! 1100hz ! 0900hz ! 3 > +< 2 ! 07 ! 1300hz ! 0700hz ! 4 > +< 2 ! 08 ! 1300hz ! 0900hz ! 5 > +< 2 ! 06 ! 1300hz ! 1100hz ! 6 > +< 5 ! 07 ! 1500hz ! 0700hz ! 7 > +< 5 ! 08 ! 1500hz ! 0900hz ! 8 > +< 5 ! 06 ! 1500hz ! 1100hz ! 9 > +< - ! 09 ! ------ ! 2600hz ! X > +< ! ! ! ! > +<-------------------------------------> + +REMEMBER THAT IN FIG-2 IT'S THE SAME FOR EACH KEY EXCEPT THE "X" +KEY, WHICH ONLY TAKES ONE DIODE. + + diff --git a/textfiles.com/phreak/PHREAKING/part3_tx.hac b/textfiles.com/phreak/PHREAKING/part3_tx.hac new file mode 100644 index 00000000..46822ef7 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/part3_tx.hac @@ -0,0 +1,1454 @@ + + + All Nodes + +This is the most comprehensive list of dialups ever published. +Sprint, Metro, Itt and Mci are represented. Mci makes it's nodes +known only to customers. Therefore, 100% of the Mci dialups come +from hackers and are usually the product of war dialing +(scanning) local prefixes in their areas. All things are subject +to change. As Sprint installs her 950 systems the local dialups +are no longer active. They're there but can only be accessed +through the 950 switch. + + +201-333-0042 SPRINT +201-427-1100 METRO +201-455-0600 SPRINT +201-463-0300 SPRINT +201-463-0900 ITT +201-472-8700 SPRINT +201-487-3155 METRO +201-494-3250 SPRINT +201-499-8410 MCI +201-530-7072 SPRINT +201-531-7900 METRO +201-589-6343 ITT +201-592-7550 SPRINT +201-642-0061 MCI +201-643-2227 METRO +201-666-7844 SPRINT +201-672-0633 SPRINT +201-825-8852 METRO +201-828-8660 METRO +201-862-1990 SPRINT +202-565-4110 ITT +202-737-2051 METRO +202-950-0777 SPRINT +202-955-0020 SPRINT +203-222-1148 METRO +203-222-1585 SPRINT +203-223-3478 SPRINT +203-322-0606 SPRINT +203-323-1468 METRO +203-324-1172 ITT +203-333-2722 ITT +203-443-1134 MCI +203-444-6646 MCI +203-522-0003 METRO +203-525-0155 SPRINT +203-525-0455 SPRINT +203-527-7389 ITT +203-579-1525 SPRINT +203-748-0770 METRO +203-755-8193 SPRINT +203-787-0170 ITT ÜjÜŒ203-787-9964 SPRINT +203-794-1085 ITT +203-797-8076 SPRINT +203-866-8411 ITT +205-320-2000 SPRINT +205-431-6600 SPRINT +205-832-9800 SPRINT +206-382-0910 METRO +206-950-0777 SPRINT +207-761-0700 SPRINT +208-342-2671 SPRINT +209-334-5900 SPRINT +209-445-9001 SPRINT +209-445-9300 ITT +209-575-1730 SPRINT +209-583-6010 SPRINT +209-625-2762 SPRINT +209-943-2111 SPRINT +212-248-0151 ITT +212-732-7430 METRO +212-950-0220 METRO +212-950-0777 SPRINT +213-202-6117 MCI +213-202-6117 METRO +213-329-8600 SPRINT +213-404-4100 METRO +213-456-0010 SPRINT +213-618-0231 METRO +213-624-8884 METRO +213-628-9902 SPRINT +213-629-1026 METRO +213-637-8883 SPRINT +213-640-3111 SPRINT +213-690-5301 SPRINT +213-855-7600 SPRINT +214-595-4282 METRO +214-597-3306 SPRINT +214-651-1400 MCI +214-654-0609 ITT +214-742-4500 METRO +214-744-2019 MCI +214-747-9422 MCI +214-748-3400 MCI +214-950-0777 SPRINT +215-351-0100 METRO +215-376-4864 ITT +215-433-2166 ITT +215-563-3256 ITT +215-665-8700 MCI +215-770-8940 METRO +215-950-0777 SPRINT +216-255-2072 SPRINT +216-261-9103 MCI +216-277-0009 SPRINT ÜjÜŒ216-374-1001 METRO +216-375-9040 ITT +216-375-9240 SPRINT +216-394-7700 SPRINT +216-455-4147 SPRINT +216-575-1900 SPRINT +216-621-0490 ITT +216-621-7505 MCI +216-621-7507 MCI +216-621-7518 MCI +216-746-3128 SPRINT +216-861-5163 METRO +217-398-4350 SPRINT +217-429-8110 SPRINT +217-788-5900 SPRINT +219-237-1010 MCI +219-237-1020 MCI +219-237-1030 MCI +219-237-1040 MCI +219-237-1060 MCI +219-237-1070 MCI +219-237-1080 MCI +219-237-1090 MCI +219-237-1099 MCI +219-237-1700 ITT +219-237-1776 SPRINT +219-237-4805 METRO +219-420-0011 METRO +219-436-4500 SPRINT +219-882-8901 METRO +219-886-8700 SPRINT +301-263-7660 SPRINT +301-659-5500 SPRINT +301-659-7700 METRO +301-950-0777 SPRINT +302-429-9439 METRO +302-654-2809 ITT +302-950-0777 SPRINT +303-224-9700 SPRINT +303-351-8230 SPRINT +303-544-0184 SPRINT +303-623-5356 METRO +303-623-5646 SPRINT +303-630-8700 SPRINT +303-651-6040 SPRINT +303-861-4411 ITT +303-920-3900 SPRINT +304-344-4002 SPRINT +304-525-8408 SPRINT +305-326-3300 METRO +305-425-7791 ITT +305-462-3100 SPRINT +305-462-3530 MCI +305-462-3530 METRO ÜjÜŒ305-545-8895 ITT +305-756-2400 SPRINT +305-764-4522 ITT +305-950-0777 SPRINT +307-266-1512 SPRINT +307-634-0358 SPRINT +309-637-0650 SPRINT +312-356-4480 METRO +312-364-6020 ITT +312-396-2550 METRO +312-450-5875 METRO +312-480-8901 METRO +312-496-2431 METRO +312-578-3900 METRO +312-679-8120 METRO +312-844-6981 METRO +312-853-4700 METRO +312-888-5580 METRO +312-891-8083 METRO +312-922-1013 ITT +312-950-0777 SPRINT +312-981-8870 METRO +312-986-0566 METRO +313-237-0600 MCI +313-257-2700 SPRINT +313-332-2312 MCI +313-332-8711 MCI +313-471-1213 SPRINT +313-479-4540 +313-643-9060 SPRINT +313-662-2041 ITT +313-752-5959 SPRINT +313-775-8755 SPRINT +313-961-7090 SPRINT +313-963-4847 METRO +313-964-2843 ITT +313-977-0200 MCI +313-978-8100 MCI +313-981-3579 MCI +313-996-0006 MCI +313-996-0056 MCI +313-996-0096 MCI +313-996-8800 SPRINT +313-996-8900 METRO +314-342-1130 METRO +314-342-8900 SPRINT +314-656-0800 ITT +314-925-0980 SPRINT +315-422-6341 SPRINT +315-471-2900 ITT +315-474-3911 METRO +316-262-4002 MCI +316-262-8290 MCI +316-267-1088 ITT ÜjÜŒ316-267-6910 MCI +316-269-1190 SPRINT +317-286-4342 SPRINT +317-455-2220 SPRINT +317-635-0119 SPRINT +317-635-6284 METRO +317-637-5223 ITT +317-644-3274 SPRINT +317-950-0777 SPRINT +318-269-4900 SPRINT +318-425-0300 SPRINT +318-494-7500 SPRINT +319-324-9568 SPRINT +319-362-1177 SPRINT +401-272-0356 METRO +401-273-8263 ITT +401-274-0130 SPRINT +402-422-0281 MCI +402-422-0282 MCI +402-422-0710 MCI +402-422-0711 MCI +402-422-0906 Mci +402-422-1120 METRO +402-474-7040 SPRINT +402-592-6000 SPRINT +404-223-1000 METRO +404-223-1520 MCI +404-327-2770 SPRINT +404-525-0062 SPRINT +404-525-0714 ITT +404-950-0777 SPRINT +405-232-9011 METRO +405-236-8901 SPRINT +405-525-7731 ITT +408-280-1301 ITT +408-425-1950 SPRINT +408-458-1700 MCI +408-754-2000 SPRINT +408-947-7606 METRO +408-995-6701 SPRINT +409-832-7171 SPRINT +409-833-9331 METRO +412-261-4930 ITT +412-261-5720 METRO +412-950-0777 SPRINT +413-950-0777 SPRINT +414-276-1804 SPRINT +414-277-1805 METRO +414-435-1000 SPRINT +414-632-8383 SPRINT +414-633-3636 METRO +414-652-6334 SPRINT +414-933-5680 ITT +414-950-0777 SPRINT ÜjÜŒ415-348-7700 SPRINT +415-449-1014 SPRINT +415-477-0200 SPRINT +415-495-2816 ITT +415-499-0250 SPRINT +415-499-8086 METRO +415-540-4700 MCI +415-541-9555 SPRINT +415-577-0200 SPRINT +415-579-6001 METRO +415-676-1062 METRO +415-724-0604 SPRINT +415-724-3170 METRO +415-778-4700 SPRINT +415-791-5151 MCI +415-791-5559 MCI +415-794-4800 METRO +415-794-7920 SPRINT +415-832-5016 SPRINT +415-833-9200 METRO +415-836-6900 METRO +415-852-0900 METRO +415-856-1626 SPRINT +415-858-2750 ITT +415-944-5000 SPRINT +415-956-0162 METRO +417-831-1442 SPRINT +419-243-1046 METRO +419-243-4227 SPRINT +419-522-0857 SPRINT +501-374-1001 SPRINT +502-259-0680 SPRINT +502-561-0900 METRO +502-581-0376 MCI +502-589-0680 SPRINT +502-589-9360 ITT +503-295-8300 SPRINT +503-341-6310 SPRINT +503-371-5400 SPRINT +503-758-2220 SPRINT +504-346-5900 SPRINT +504-566-4321 MCI +504-566-8300 ITT +504-566-8500 METRO +504-566-8900 MCI +504-950-0777 SPRINT +505-765-0000 MCI +505-848-0000 SPRINT +507-288-0270 SPRINT +509-456-5120 SPRINT +512-224-9110 SPRINT +512-224-9600 METRO +512-474-4397 ITT +512-474-6057 METRO ÜjÜŒ512-474-7773 SPRINT +512-576-1154 MCI +512-578-8183 MCI +512-722-3676 SPRINT +512-887-8090 SPRINT +513-228-1576 METRO +513-228-6506 ITT +513-228-8015 SPRINT +513-241-1747 METRO +513-241-5690 SPRINT +513-322-0794 SPRINT +513-423-8304 SPRINT +513-651-1823 ITT +515-233-5904 +515-233-5910 +515-243-3480 SPRINT +515-284-5040 ITT +516-933-9700 METRO +516-950-0220 METRO +516-950-0777 SPRINT +517-484-0333 SPRINT +518-436-6200 METRO +518-455-7011 +518-462-2068 ITT +518-462-8200 SPRINT +601-960-0000 SPRINT +602-254-2930 METRO +602-257-8200 ITT +602-271-9445 SPRINT +602-323-0502 METRO +602-622-2372 MCI +602-629-9000 MCI +602-629-9015 MCI +602-778-6800 SPRINT +602-792-2635 SPRINT +602-884-7710 MCI +602-929-9020 MCI +603-668-9259 SPRINT +603-881-9955 SPRINT +605-335-8053 SPRINT +606-223-8015 SPRINT +606-231-8961 METRO +607-773-0422 SPRINT +608-251-9596 METRO +608-256-6782 SPRINT +608-258-8900 ITT +609-261-6550 MCI +609-261-8930 MCI +609-338-0100 METRO +609-338-0340 ITT +609-348-3880 SPRINT +609-452-0100 SPRINT +609-541-5028 SPRINT +609-641-0004 METRO ÜjÜŒ609-645-0533 MCI +609-728-1067 MCI +609-728-2067 MCI +609-728-7423 MCI +609-890-0525 SPRINT +609-987-8000 MCI +609-989-1631 ITT +609-989-1900 METRO +612-370-9000 METRO +612-375-0690 ITT +614-224-0024 ITT +614-224-0577 METRO +614-224-3735 SPRINT +615-248-1900 MCI +615-248-6000 SPRINT +615-327-2511 ITT +615-521-7600 ITT +615-525-1342 SPRINT +615-697-7000 ITT +615-757-9600 SPRINT +616-242-9580 METRO +616-388-4800 SPRINT +616-458-2472 ITT +616-459-1800 SPRINT +617-357-5562 ITT +617-458-4138 MCI +617-863-1333 MCI +617-950-0777 SPRINT +617-950-1020 METRO +618-235-8870 METRO +618-398-8710 MCI +618-398-8766 MCI +618-463-1850 SPRINT +619-233-0327 METRO +619-237-1009 SPRINT +619-340-4800 SPRINT +619-340-9300 MCI +619-340-9436 MCI +619-346-2133 MCI +619-484-4442 SPRINT +619-489-0414 SPRINT +619-723-7411 SPRINT +619-753-0438 SPRINT +701-232-2838 SPRINT +702-322-1512 SPRINT +702-323-6822 MCI +702-323-7191 ITT +702-329-1025 METRO +702-387-7000 SPRINT +703-344-8850 SPRINT +703-950-0777 SPRINT +704-375-4311 ITT +704-376-8085 SPRINT +704-861-9114 SPRINT ÜjÜŒ707-446-7032 SPRINT +707-576-7950 SPRINT +707-584-4931 METRO +707-778-1901 SPRINT +707-944-1350 SPRINT +712-258-0930 SPRINT +713-224-9417 METRO +713-225-1444 SPRINT +713-237-1822 MCI +713-862-5067 ITT +713-993-6533 MCI +714-493-0806 SPRINT +714-527-7055 METRO +714-541-1915 MCI +714-550-7466 MCI +714-591-9351 METRO +714-594-9311 METRO +714-778-4011 SPRINT +714-824-7430 SPRINT +714-877-6641 METRO +714-972-9515 METRO +714-973-2900 SPRINT +714-973-4707 MCI +714-973-8032 ITT +714-986-1762 SPRINT +716-262-5000 SPRINT +716-325-1180 ITT +716-845-5150 ITT +716-852-9200 METRO +716-950-0777 SPRINT +716-950-1020 METRO +717-233-9031 SPRINT +717-234-0718 ITT +717-238-4731 METRO +717-247-9135 ITT +717-291-4524 SPRINT +717-299-4796 ITT +717-346-0131 SPRINT +717-348-4300 METRO +717-822-7161 SPRINT +717-825-2761 ITT +717-846-6304 METRO +717-848-5700 SPRINT +718-950-0220 METRO +718-950-0777 SPRINT +800-221-1950 ITT +800-322-1415 MCI +800-327-9488 ITT +800-538-0007 +801-226-1128 SPRINT +801-363-2294 SPRINT +801-546-7000 SPRINT +802-863-8800 SPRINT +803-232-1356 SPRINT ÜjÜŒ803-233-1351 ITT +803-254-6039 SPRINT +803-256-3060 ITT +803-573-7639 ITT +803-577-6728 ITT +803-585-6211 SPRINT +803-723-0242 SPRINT +804-225-1920 METRO +804-355-1433 ITT +804-380-9038 ITT +804-623-9004 METRO +804-627-3596 ITT +804-950-0777 SPRINT +805-257-3028 SPRINT +805-395-0123 ITT +805-395-1301 SPRINT +805-496-0010 SPRINT +805-656-4800 SPRINT +805-968-0700 METRO +806-376-4836 SPRINT +806-379-8271 METRO +806-762-0004 METRO +806-763-0116 SPRINT +808-244-6000 SPRINT +808-525-5000 SPRINT +808-528-5000 SPRINT +808-969-6000 SPRINT +812-232-1616 SPRINT +812-332-8130 SPRINT +812-464-2003 SPRINT +813-221-3111 SPRINT +813-223-5380 ITT +813-371-1550 SPRINT +813-797-1986 SPRINT +814-453-7811 SPRINT +814-942-8103 SPRINT +815-950-0777 SPRINT +815-966-2401 METRO +815-966-3429 SPRINT +816-364-1291 SPRINT +816-471-1999 METRO +816-474-1850 SPRINT +816-474-4850 SPRINT +817-322-1422 METRO +817-338-1321 MCI +817-338-1428 MCI +817-338-1639 METRO +817-338-1659 MCI +817-338-1961 MCI +817-338-4749 ITT +817-565-0102 SPRINT +817-565-9202 METRO +817-756-7960 SPRINT +817-757-2002 METRO ÜjÜŒ817-877-1140 MCI +817-950-0777 SPRINT +818-350-1028 METRO +818-575-1411 SPRINT +818-954-8699 METRO +818-965-1391 SPRINT +818-989-0921 SPRINT +818-992-1999 SPRINT +818-992-8282 METRO +818-995-1002 MCI +818-995-1156 MCI +818-995-1166 MCI +818-995-1184 MCI +818-995-1185 MCI +818-995-4418 MCI +901-529-1800 SPRINT +904-354-3020 SPRINT +904-358-8522 ITT +904-434-9282 SPRINT +912-435-2166 SPRINT +912-741-0000 SPRINT +913-271-1300 ITT +913-354-4191 SPRINT +913-621-3186 METRO +914-684-0268 METRO +914-950-0777 SPRINT +915-448-1361 SPRINT +915-532-0025 METRO +915-561-5481 METRO +915-562-5801 SPRINT +915-657-7511 SPRINT +915-658-2943 METRO +915-672-1733 SPRINT +915-676-0078 METRO +915-950-0777 SPRINT +916-443-6921 METRO +916-448-4179 MCI +916-448-6606 ITT +916-577-9400 SPRINT +916-758-6841 SPRINT +916-961-1044 SPRINT +918-584-6030 SPRINT +918-585-5001 ITT +918-587-6770 METRO +919-286-0006 SPRINT +919-373-8633 SPRINT +919-378-9489 ITT +919-721-0704 SPRINT +919-725-3532 ITT +919-832-9396 SPRINT +919-832-9438 ITT +919-889-2366 SPRINT +919-929-7912 SPRINT +950-950-0220 METRO ÜjÜŒ950-950-0223 TDX +950-950-0488 ITT +950-950-0777 SPRINT +950-950-1003 RCI +950-950-1007 TMC +950-950-1022 MCI +950-950-1033 US SPRINT +950-950-1044 ALLNET +950-950-1088 SKYLINE +950-950-1220 METRO + + The Compuserve Network + +The following is the current list of Compuserve Dialups for the +nation. The obvious use is as destination numbers. Most +experienced phreaks use file between 10 and 20 numbers in length. +Networks are constantly taking nodes down and putting others up. +Consequently a small file is easier to check. Destination numbers +are usually verified every couple of months + +Bayonne NJ CS 201 624-6565 +Elizabeth NJ CS 201 624-6565 +Greenbrook NJ CS 201 968-9000 +Hackensack NJ CS 201 489-0111 +Hackettstown NJ CS 201 852-8070 +Hackettstown NJ CS 201 852-8502 +Jersey City NJ CS 201 624-6565 +Montclair NJ CS 201 783-5400 +Newark NJ CS 201 624-6565 +Parsippany NJ CS 201 898-1935 +Ridgewood NJ CS 201 444-3913 +Tom's River NJ CS 201 244-7722 +Union NJ CS 201 624-6565 +Union City NJ CS 201 624-6565 +Wayne NJ CS 201 633-5030 +Woodbridge NJ CS 201 906-0960 +Bridgeport CT CS 203 926-0001 +Danbury CT CS 203 797-1815 +Fairfield CT CS 203 926-0001 +Greenwich CT CS 203 967-4589 +Hartford CT CS 203 728-0633 +Milford CT CS 203 926-0001 +New Haven CT CS 203 467-3489 +New London CT CS 203 444-2509 +North Haven CT CS 203 467-3489 +Norwalk CT CS 203 967-4589 +Stamford CT CS 203 967-4589 +Waterbury CT CS 203 574-0500 +Westport CT CS 203 222-1748 +Westport CT CS 203 226-2704 +Bessemer AL CS 205 879-2250 +Bessemer AL CS 205 879-2280 ÜjÜŒBirmingham AL CS 205 879-2250 +Birmingham AL CS 205 879-2280 +Huntsville AL CS 205 536-4405 +Mobile AL CS 205 478-0688 +Montgomery AL CS 205 262-0010 +Olympia WA CS 206 786-6666 +Seattle WA CS 206 241-7023 +Seattle WA CS 206 241-9111 +Tacoma WA CS 206 922-1790 +Portland ME CS 207 879-0005 +Boise ID CS 208 384-5660 +Boise ID CS 208 384-5666 +Pocatello ID CS 208 232-9452 +Fresno CA CS 209 252-1892 +Stockton CA CS 209 465-7251 +New York NY CS 212 422-8820 +New York NY CS 212 758-2090 +New York NY CS 212 758-4114 +Beverly Hills CA CS 213 739-0371 +Beverly Hills CA CS 213 739-8906 +Culver City CA CS 213 216-0010 +Culver City CA CS 213 390-9617 +Inglewood CA CS 213 739-0371 +Inglewood CA CS 213 739-8906 +Long Beach CA CS 213 591-8392 +Los Angeles CA CS 213 739-0371 +Los Angeles CA CS 213 739-8906 +San Fernando CA CS 213 739-0371 +San Fernando CA CS 213 739-8906 +Torrance CA CS 213 542-4311 +West L.A. CA CS 213 739-0371 +West L.A. CA CS 213 739-8906 +Dallas TX CS 214 761-0599 +Dallas TX CS 214 761-9040 +Allentown PA CS 215 776-6960 +King of Prussia PA CS 215 279-5811 +Philadelphia PA CS 215 977-9758 +Reading PA CS 215 375-4850 +Upper Darby PA CS 215 977-9758 +Akron OH CS 216 867-1237 +Akron OH CS 216 867-1243 +Canton OH CS 216 455-2126 +Canton OH CS 216 455-2516 +Cleveland OH CS 216 771-0723 +Cleveland OH CS 216 771-6860 +Euclid OH CS 216 771-0723 +Euclid OH CS 216 771-6860 +North Canton OH CS 216 867-1237 +North Canton OH CS 216 867-1243 +Parma OH CS 216 771-0723 +Parma OH CS 216 771-6860 +Youngstown OH CS 216 743-4992 +Springfield IL CS 217 522-5101 +Elkhart IN CS 219 293-1593 ÜjÜŒFt. Wayne IN CS 219 447-0510 +Gary IN CS 219 769-0081 +Osceola IN CS 219 674-6951 +Annapolis MD CS 301 266-7530 +Baltimore MD CS 301 254-7113 +Dundalk MD CS 301 254-7113 +Dundalk MD CS 301 254-7311 +Hyattsville MD CS 301 559-0200 +Hyattsville MD CS 301 559-8000 +Newark DE CS 302 652-8732 +Wilmington DE CS 302 652-8732 +Aspen CO CS 303 925-5892 +Aurora CO CS 303 629-5563 +Boulder CO CS 303 629-5563 +Colorado Sprngs CO CS 303 596-0910 +Denver CO CS 303 629-0668 +Denver CO CS 303 629-5563 +Dillon CO CS 303 668-0991 +Fort Collins CO CS 303 493-8601 +Glenwood Spring CO CS 303 945-0424 +Grand Junction CO CS 303 241-1885 +Grand Junction CO CS 303 241-1889 +Lakewood CO CS 303 629-5563 +Vail CO CS 303 476-8700 +Charleston WV CS 304 768-9700 +Huntington WV CS 304 736-2331 +Parkersburg WV CS 304 485-4225 +Wheeling WV CS 304 233-9470 +Boynton Beach FL CS 305 684-9051 +Deerfield Beach FL CS 305 428-6104 +Ft. Lauderdale FL CS 305 771-8074 +Ft. Lauderdale FL CS 305 772-3240 +Longwood FL CS 305 273-8780 +Longwood FL CS 305 273-8805 +Miami FL CS 305 266-0231 +Orlando FL CS 305 273-8780 +Orlando FL CS 305 273-8805 +Vero Beach FL CS 305 778-0550 +W. Palm Beach FL CS 305 684-9051 +Casper WY CS 307 234-6914 +Peoria IL CS 309 685-2543 +Arlington Hts. IL CS 312 332-7382 +Arlington Hts. IL CS 312 443-1250 +Aurora IL CS 312 859-1557 +Chicago IL CS 312 443-1250 +Cicero IL CS 312 332-7382 +Cicero IL CS 312 443-1250 +Lombard IL CS 312 953-9680 +Oak Park IL CS 312 332-7382 +Oak Park IL CS 312 443-1250 +Skokie IL CS 312 332-7382 +Skokie IL CS 312 443-1250 +St. Charles IL CS 312 859-1557 +Ann Arbor MI CS 313 663-3934 ÜjÜŒDetroit MI CS 313 255-9207 +Flint MI CS 313 238-6202 +Troy MI CS 313 362-2540 +E. St. Louis IL CS 314 241-3101 +E. St. Louis IL CS 314 241-3102 +Florissant MO CS 314 241-3101 +Florissant MO CS 314 241-3102 +St. Louis MO CS 314 241-3101 +St. Louis MO CS 314 241-3102 +Syracuse NY CS 315 458-6016 +Wichita KS CS 316 689-8585 +Wichita KS CS 316 689-8765 +Indianapolis IN CS 317 638-2517 +Indianapolis IN CS 317 638-2762 +Lafayette IN CS 317 742-6578 +Muncie IN CS 317 284-3812 +Richmond IN CS 317 935-0061 +Lafayette LA CS 318 233-1150 +Monroe LA CS 318 387-0879 +Shreveport LA CS 318 424-5380 +Cedar Rapids IA CS 319 365-9363 +Davenport IA CS 319 323-7388 +Providence RI CS 401 941-6900 +Lincoln NE CS 402 474-1006 +Omaha NE CS 402 895-5288 +Edmonton AB CS 403 466-4501 +Atlanta GA CS 404 237-3003 +Atlanta GA CS 404 237-8113 +Augusta GA CS 404 733-0346 +Martinez GA CS 404 733-0346 +Bethany OK CS 405 946-4799 +Bethany OK CS 405 946-4860 +Norman OK CS 405 946-4799 +Norman OK CS 405 946-4860 +Oklahoma City OK CS 405 946-4799 +Oklahoma City OK CS 405 946-4860 +Billings MT CS 406 245-0863 +Cupertino CA CS 408 988-8762 +Los Altos CA CS 408 988-8762 +Monterey CA CS 408 375-9931 +Mt. View CA CS 408 988-8762 +San Jose CA CS 408 988-8762 +Santa Clara CA CS 408 988-8762 +Sunnyvale CA CS 408 988-8762 +Butler PA CS 412 285-8187 +Penn Hills PA CS 412 391-7732 +Penn Hills PA CS 412 391-8818 +Pittsburgh PA CS 412 391-7732 +Pittsburgh PA CS 412 391-8818 +Amherst MA CS 413 256-8591 +Chicopee MA CS 413 734-7362 +Holyoke MA CS 413 734-7362 +Springfield MA CS 413 734-7362 +Brookfield WI CS 414 258-5616 ÜjÜŒMilwaukee WI CS 414 258-5616 +Alameda CA CS 415 531-3700 +Berkeley CA CS 415 531-3700 +Castro Valley CA CS 415 581-2631 +Concord CA CS 415 682-2633 +Hayward CA CS 415 581-2631 +Livermore CA CS 415 443-9202 +Oakland CA CS 415 531-3700 +Pacheco CA CS 415 682-2633 +Palo Alto CA CS 415 591-5591 +Palo Alto CA CS 415 591-5846 +Pleasant Hills CA CS 415 682-2633 +San Carlos CA CS 415 591-5591 +San Carlos CA CS 415 591-5846 +San Francisco CA CS 415 956-4191 +San Francisco CA CS 415 956-4281 +San Mateo CA CS 415 591-5591 +San Mateo CA CS 415 591-5846 +Walnut Creek CA CS 415 682-2633 +Toronto ON CS 416 865-1451 +Toledo OH CS 419 244-0073 +Little Rock AR CS 501 224-9311 +Louisville KY CS 502 581-9526 +Portland OR CS 503 232-1072 +Portland OR CS 503 232-4026 +Baton Rouge LA CS 504 273-0184 +New Orleans LA CS 504 734-8150 +Albuquerque NM CS 505 265-1263 +Los Alamos NM CS 505 662-4122 +Spokane WA CS 509 326-0515 +Austin TX CS 512 444-7234 +Corpus Christi TX CS 512 887-2983 +San Antonio TX CS 512 435-3883 +Cincinnati OH CS 513 771-1630 +Dayton OH CS 513 461-1064 +Montreal PQ CS 514 842-3684 +Des Moines IA CS 515 270-1581 +Des Moines IA CS 515 270-9410 +Hicksville NY CS 516 681-7240 +Hicksville NY CS 516 681-7347 +Lake Grove NY CS 516 981-0880 +Williston Park NY CS 516 294-1482 +East Lansing MI CS 517 321-2388 +Lansing MI CS 517 321-2388 +Saginaw MI CS 517 893-1161 +Albany NY CS 518 439-7491 +Schenectady NY CS 518 439-7491 +Troy NY CS 518 439-7491 +Jackson MS CS 601 948-6411 +Mesa AZ CS 602 256-2951 +Phoenix AZ CS 602 256-2951 +Phoenix AZ CS 602 267-0623 +Scottsdale AZ CS 602 256-2951 +Tempe AZ CS 602 256-2951 ÜjÜŒTucson AZ CS 602 748-2004 +Tucson AZ CS 602 748-2009 +Yuma AZ CS 602 782-7191 +Nashua NH CS 603 883-5551 +Vancouver BC CS 604 738-5157 +Rapid City SD CS 605 341-3733 +Lexington KY CS 606 259-3446 +Madison WI CS 608 256-6525 +Atlantic City NJ CS 609 645-1258 +Camden NJ CS 609 665-7555 +Cherry Hill NJ CS 609 665-7555 +Pennsaukin NJ CS 609 665-7555 +Princeton NJ CS 609 683-4770 +Princeton NJ CS 609 683-4776 +Minneapolis MN CS 612 342-2207 +St. Paul MN CS 612 342-2207 +Athens OH CS 614 594-8364 +Columbus OH CS 614 457-2105 +Columbus OH CS 614 876-2116 +Granville OH CS 614 587-0932 +Chattanooga TN CS 615 877-5804 +Gatlinburg TN CS 615 436-2001 +Knoxville TN CS 615 584-9902 +Nashville TN CS 615 366-1947 +Oak Ridge TN CS 615 483-2292 +Grand Rapids MI CS 616 459-9891 +Kalamazoo MI CS 616 344-2298 +Kalamazoo MI CS 616 344-5312 +Arlington MA CS 617 542-1796 +Arlington MA CS 617 542-3792 +Boston MA CS 617 542-1796 +Boston MA CS 617 542-3792 +Brockton MA CS 617 588-3222 +Brookline MA CS 617 542-1796 +Brookline MA CS 617 542-3792 +Burlington MA CS 617 667-4266 +Cambridge MA CS 617 542-1796 +Cambridge MA CS 617 542-3792 +Concord MA CS 617 371-0354 +Framingham MA CS 617 875-3814 +Georgetown MA CS 617 352-7596 +Hudson MA CS 617 568-8019 +Lawrence MA CS 617 975-0451 +Maynard MA CS 617 897-4746 +Medfield MA CS 617 359-7603 +Medford MA CS 617 542-1796 +Medford MA CS 617 542-3792 +Medway MA CS 617 533-2722 +Mendon MA CS 617 478-0653 +Newton MA CS 617 542-1796 +Newton MA CS 617 542-3792 +Quincy MA CS 617 542-1796 +Quincy MA CS 617 542-3792 +Waltham MA CS 617 542-1796 ÜjÜŒWaltham MA CS 617 542-3792 +Westboro MA CS 617 366-2617 +Worcester MA CS 617 792-2512 +Cathedral City CA CS 619 325-4584 +Palm Springs CA CS 619 325-4584 +Rancho Bernardo CA CS 619 471-0960 +San Diego CA CS 619 283-6021 +San Diego CA CS 619 283-6091 +San Diego CA CS 619 569-0697 +Solana Beach CA CS 619 481-3527 +Las Vegas NV CS 702 878-0056 +Reno NV CS 702 786-5308 +Reno NV CS 702 786-5356 +Alexandria VA CS 703 352-7500 +Alexandria VA CS 703 841-9834 +Arlington VA CS 703 841-9834 +Bethesda MD CS 703 352-7500 +Bethesda MD CS 703 841-9834 +Fairfax VA CS 703 352-7500 +Manassas VA CS 703 368-5707 +Roanoke VA CS 703 563-8421 +Washington DC CS 703 352-7500 +Washington DC CS 703 841-9834 +Charlotte NC CS 704 333-6654 +Charlotte NC CS 704 333-7155 +Houston TX CS 713 225-2330 +Houston TX CS 713 225-2550 +Anaheim CA CS 714 520-9724 +Anaheim CA CS 714 520-9733 +Irvine CA CS 714 851-0145 +Newport Beach CA CS 714 851-0145 +Pomona CA CS 714 623-2651 +Riverside CA CS 714 359-7801 +San Bernadino CA CS 714 881-1583 +San Bernadino CA CS 714 881-1871 +Buffalo NY CS 716 874-3751 +Rochester NY CS 716 458-3460 +Rochester NY CS 716 458-3465 +Tonawanda NY CS 716 694-6263 +Harrisburg PA CS 717 657-9633 +York PA CS 717 845-7631 +Provo UT CS 801 377-1120 +Salt Lake City UT CS 801 521-2890 +Salt Lake City UT CS 801 521-2915 +Burlington VT CS 802 862-1575 +Charleston SC CS 803 763-0090 +Columbia SC CS 803 783-5484 +Greenville SC CS 803 255-4686 +Myrtle Beach SC CS 803 238-8625 +Chesapeake VA CS 804 461-6128 +Chesapeake VA CS 804 461-6167 +Hampton VA CS 804 722-0016 +Midlothian VA CS 804 358-8274 +Norfolk VA CS 804 461-6128 ÜjÜŒNorfolk VA CS 804 461-6167 +Portsmouth VA CS 804 461-6128 +Portsmouth VA CS 804 461-6167 +Richmond VA CS 804 358-8274 +Virginia Beach VA CS 804 461-6128 +Virginia Beach VA CS 804 461-6167 +Bakersfield CA CS 805 323-7691 +Santa Barbara CA CS 805 682-2331 +Thousand Oaks CA CS 805 499-0371 +Thousand Oaks CA CS 805 499-0566 +Ventura CA CS 805 643-0177 +Amarillo TX CS 806 379-8411 +Lubbock TX CS 806 763-5081 +Kailua HI CS 808 263-6670 +Evansville IN CS 812 479-0165 +Ft. Myers FL CS 813 939-7060 +Sarasota FL CS 813 355-9331 +St. Petersburg FL CS 813 525-0378 +Tampa FL CS 813 237-8189 +Erie PA CS 814 453-7538 +Somerset PA CS 814 443-6402 +Rockford IL CS 815 968-3412 +Independence MO CS 816 474-3770 +Kansas City KS CS 816 474-3770 +Kansas City MO CS 816 474-3770 +Mission KS CS 816 474-3770 +Shawnee KS CS 816 474-3770 +Shawnee Mission KS CS 816 474-3770 +Ft. Worth TX CS 817 870-2461 +Ft. Worth TX CS 817 870-2468 +Canoga Park CA CS 818 902-0932 +Canoga Park CA CS 818 902-0934 +Hollywood CA CS 818 982-1813 +N. Hollywood CA CS 818 982-1813 +Sherman Oaks CA CS 818 902-0932 +Sherman Oaks CA CS 818 902-0934 +Sierra Madre CA CS 818 303-2563 +Sierra Madre CA CS 818 303-2681 +Van Nuys CA CS 818 902-0932 +Van Nuys CA CS 818 902-0934 +Memphis TN CS 901 452-1710 +Memphis TN CS 901 452-8530 +Daytona Beach FL CS 904 257-5019 +Jacksonville FL CS 904 396-7105 +Panama City FL CS 904 871-4775 +Pensacola FL CS 904 434-3911 +Tallahassee FL CS 904 222-4144 +Tallahassee FL CS 904 224-6021 +Albany GA CS 912 435-9420 +Poughkeepsie NY CS 914 473-2617 +White Plains NY CS 914 428-9270 +White Plains NY CS 914 949-4510 +El Paso TX CS 915 565-4661 +El Paso TX CS 915 565-4670 ÜjÜŒMidland TX CS 915 697-8211 +Sacramento CA CS 916 971-4681 +Tulsa OK CS 918 749-8801 +Tulsa OK CS 918 749-8850 +Burlington NC CS 919 584-2971 +Davidson NC CS 919 725-1550 +Durham NC CS 919 682-6239 +Greensboro NC CS 919 373-1635 +Raleigh NC CS 919 878-8570 +Resch. Triangle NC CS 919 682-6239 +Winston-Salem NC CS 919 725-1550 + + + National Phone Areas + NPAS + + + +201 202 203 204 205 206 207 208 209 212 213 214 215 216 217 218 +219 301 302 303 304 305 306 307 308 313 314 315 316 318 319 401 +402 404 405 406 408 409 412 413 414 415 416 417 419 501 502 503 +504 505 506 507 509 512 513 514 515 516 517 518 519 601 602 603 +604 605 606 607 608 609 612 613 614 615 616 617 618 619 701 702 +703 704 705 706 707 709 712 713 714 715 716 717 801 802 803 804 +805 806 807 808 812 813 814 815 816 817 818 819 901 902 904 905 +906 907 912 913 914 915 916 918 919 + + +This is a listing of the current area codes in use by At&t. The +obvious phreaking related use is as prefix qualifiers relative to +the 14 digit code format. + + International Calling Codes + + +International Calls are made by dialing 011 + the Country Code + +the City Code + the local number. Calls made to Canada are the +same as made within the U.S. 1 + Area Code + Number. + +m and s after the Country Code indicates service by Sprint and +Mci. At&t is assumed + + + + +Algeria 213m +American Samoa 684 +Andorra 33 +Argentina 54ms Buenos Aires 1 + Cordoba 51 + La Plata 21 + Rosario 41 +Aruba 297 +Ascension Island 247 ÜjÜŒAustralia 61ms Adelaide 8 + Brisbane 7 + Melbourne 3 + Sydney 2 +Austria Graz 316 + Linz Donau 732 + Vienna 222 +Bahrain 973 +Bangladesh 880 Barisal 431 + Chittacong 31 + Dhaka 2 + Khulna 41 +Belgium 32m Antwerp 3 + Brussels 2 + Ghent 91 + Liege 41 +Belize 501 Corozal Town 04 + Punta Gorda 07 +Benin 229 +Bolivia 591 Cochabamba 42 + La Paz 2 + Santa Cruz 33 +Brazil 55m Belo Horizonte 31 + Rio De Janeiro 21 + Sao Paulo 11 +Brunei 673 Brunei City 2 + Kuala Belait 3 + Tutong 4 +Bulgaria 379 Plovdiv 32 + Rousse 82 + Sofia 2 + Varna 52 +Cameroon 237 +Chile 56s Concepcion 41 + Santiago 2 + Valparaiso 32 +China (Red) 86 Fuzhou 591 + Jinan 531 + Nanchang 791 + Nanjing 25 + Peking 1 + Shanghai 21 +Columbia 57 Barranquilla 5 + Bogota 1 +Greece 30m Athens 1 + Crete 81 + Larissa 41 + Piraeus 1 +Guadeloupe 590 +Guam 671s +Guantanamo Bay,Cuba 53 +Guatemala 502 Antigua 9 + Guatemala City 2 + Quezaltenango 9 ÜjÜŒGuyana 502 Bartica 5 + Georgetown 2 + New Amsterdam 3 +Haiti 509 Cap Hatien 3 + Cayes 5 + Gonaive 2 + Port Au Prince 1 +Honduras 504 +Hong Kong 852ms Hong Kong 5 + Kowloon 3 + New Territories 0 +Hungary 36 Budapest 1 + Derbrecen 52 + Gyor 96 + Miskolc 46 +Iceland 354 Akureyir 6 + Keflavic 2 + Reykjavik 1 +India 91 bombay 22 + Calcutta 33 + Madras 44 + New Delhi 11 +Indonesia 62 Jakarta 22 + Medan 61 + Semarang 24 +Iran 98 Isfahan 31 + Mashad 51 + Tabriz 41 + Teheran 21 +Ireland 353 Cork 21 + Dublin 1 + Galway 91 + Limerick 61 +Israel 972 Haifa 4 + Jerusalem 2 + Ramat Gan 3 + Tel Aviv 3 +Italy 39 Florence 55 + Genoa 10 + Milan 2 + Naples 81 + Rome 6 +Ivory Coast 225 +Japan 81s Kyoto 75 + Osaka 6 + Sapporo 11 + Tokyo 3 + Yokohama 45 +Jordan 962m Amman 6 + Irbib 2 + Jerash 4 + Karak 3 + Ma'am 3 +Kenya 254ms Kisumu 35 ÜjÜŒ Mombasa 11 + Nairobi 2 + Nakuru 37 +Korea Rep of 82 Incheion 32 + Pusan 51 + Seoul 2 + Taegu 53 +Kuwait 965m Ahmadi 398 + Kuwait City 24 + Rigga 394 +Lesotho 266 Leibe 3 + Mafeteng 6 + Maseru 1 + Roma 21 +Liberia 231 +Libya Who gives a damn about libya? +Liechtenstein 41 All Cities 75 +Luxembourg 352 +Macao 853s +Malawi 265ms Domasi 531 + Makwasa 474 + Zomba 50 +Malasia 60 Ipoh 5 + Johor Bahru 7 + Kajang 3 + Kuala Lumpur 3 +Mexico 52 Acapulco 748 + Cancun 988 + Celaya 461 + Cordoba 271 + Culiacan 671 + Guadaljara 36 + Hermosillo 621 + Jalapa 281 + Leon 471 + Merida 992 + Mexico City 5 + Monterrey 83 + Tampico 121 + Toluca 721 + Torreon 171 + Veracruz 293 +Monaco 33 All 93 +Morocco 212 Agadir 8 + Beni-Mellal 48 + Casablanca 34 +Namibia 264 Grootfontein 673 + Keetmanshoop 631 + Mariental 661 +Netherlands 31 Amsterdam 20 + Rotterdam 10 + The Haque 70 +New Caldonia 687 +New Zealand 64ms Auckland 9 ÜjÜŒ Christchurch 3 + Dunedin 24 + Hamilton 71 +Nicaragua 505 Chinandega 341 + Diriamba 42 + Leon 311 + Managua 2 +Nigeria 234 Lagos 1 +Norway 47 Bergen 5 + Oslo 2 + Stavanger 4 + Trondheim 7 +Oman 968ms +Pakistan 92 Islambad 51 + Karachi 21 + Lahore 42 +Panama 507 +Papua New Guinea 675ms +Paraguay 595 Asuncion 21 + Concepcion 31 +Peru 51 Arequipa 54 + Callao 14 + Lima 14 + Trujillo 44 +Philippines 63 Cebu 32 + Davao 35 + Lloilo 33 + Manila 2 +Poland 48 Crakow 12 + Gdansk 58 + Warsaw 22 +Portugal 351 Coimbra 39 + Lisbon 1 + Porto 2 + Setubal 65 +Qatar 974ms +Romania 40 Bucharest 0 + Cluj-Napoca 51 + Constanta 16 +Saipan 670 Susupe 234 + Rota 532 + Tinian 433 +San Marino 39 All 541 +Saudi Arabia 966m Hofuf 3 + Jeddah 2 + Mecca 2 + Riyady 1 +Senegal 221m +Singapore 65 +South Africa 27m Cape Town 21 + Durban 31 + Johannesburg 11 +Spain 34 Barcelona 3 + Madrid 1 ÜjÜŒ Seville 54 + Valencia 6 +Sri Lanka 94m Colombo 1 + Kandy 8 + Kotte 1 +St Pierre/Miguelon 508 +Suriname 597 +Swaziland 268 +Sweden 46m Goteborg 31 + Malmo 40 + Stockholm 8 + Vasteras 21 +Switzerland 41 Basel 61 + Berne 31 + Geneva 22 + Zurich 1 +Taiwan 886ms Kaosiung 7 + Tainan 6 + Taipei 2 +Tanzania 255ms Dar Es Salaam 51 + Dodoma 61 + Mwanza 68 + Tanga 53 +Thailand 66ms Bangkok 2 + Burirum 44 + Chanthaburi 39 +Togo 228 +Tunisia 216ms Bizerte 2 + Kairouan 7 + Msel Bourguiba 2 + Tunis 1 +Turkey 90 Adana 711 + Ankara 41 + Istanbul 1 + Iamir 51 +Uganda 256 Entebee 42 + Jinja 43 + Kampala 41 + Kyambobo 41 +United Arab Emirate 971ms Abu Dhabi 2 + Al Ain 3 + Dubai 4 + Sharjah 6 +United Kingdom 44ms Belfast 232 + Birmingham 21 + Glasgow 41 + London 1 +Uruguay 598 Canelones 332 + Mercedes 532 + Montevideo 2 +Vatican City 39 +Venezuela 58 Barquisimeto 51 + Caracas 2 + Maracaibo 61 ÜjÜŒ Valencia 41 +Yemen 967 Amran 2 + Sana 2 + Taiz 4 + Yarim 4 +Yugoslavia 38 Belgrade 11 + Sarajevo 71 + Zagreb 41 +Zaire 243 Kinshasal 12 + Lubumbashi 2 +Zambia 260 Chingola 2 + Kitwe 2 + Luanshya 2 + Lusaka 1 + Ndola 26 +Zimbabwe 263 Bulawayo 9 + Harare 0 + Mutare 20 + +------------------------------------------------ + +Caribbean 1s 809+Number + + + + + Updates + + +Since my first writing of this piece the telco's have instituted +a number of anti-phreak techniques. All can be by passed! Some +are clever, some aren't and some have been very expensive to +implement. + +In the summer of 1986 Mci began turning to their own database for +help. They instituted a port monitoring program that kept an eye +on the number of times a port was called and whether or not a +good code had been received. The typical hacking scenario had +been node, code and destination number...over and over again. +This permitted Mci to count certain items. Hacking activity was +detected if the code was wrong and the same destination number +had been used more than a few times. I also reported a good +chance contacts with the node were being recorded and compared to +an average figure for the time of day. If Mci wasn't doing this, +they should have. + +In either case, the hacker's solution was operative within a few +days. Multinode and multidestination hacking was instituted. In +not hacking at the same node constantly one flag of the Mci +system was avoided. By using a file of Compuserve dialups the +second flag was rendered useless. + +Multinode hacking now being norm had a drawback. Theoretically, +there should be no difference in the return rates for or against ÜjÜ + +a company. This proved inaccurate. Multinode hacking reduces the +percentage of hits on a given node. A mathematical analysis will +show the theory to be true, yet the practice is another matter. I +believe the fault lays in how the random number generator picks +its next number. While the hacking attempts were concentrated on +one node, as with the first generation phreaking program, the RND +function of the personal computer hit certain numbers which were +agreeable to the particular company more often. For instance Mci +codes have a wide range of prefixes, never the less, in my +travels around phreak and hack bbs's I've noted the numbers 5 and +8 appear more often. With a company using prefix qualifiers this +will undoubtedly be the cause of low return rations. + +Mci's latest security measure set them back a few bucks. Once a +code has been hacked they actively monitor its use. Originally, +if you made 15 calls in a 20 minute period the code was suspended +until you called their 800 number and verified you actually made +the call. The figure has since been reduced to around 7 or 8 +calls per 20 minutes. This rules our long distance wardialing, +but then most phreaks scan their local prefixes. The fact of the +matter is Mci now has the ability to monitor in real time what is +happening on the system. Even so they're still hampered by the +necessity of sorting the bugs from their regular customers. + +Most phreaks don't care to bother with the 14 digit format. It +really isn't hard once you realize you're only whacking 8 digits +(See Chapter Mci) + +Allnet is another company who has turned to their data bases for +help. They're looking for the quick disconnect you find with a +hacking program. Once the program has detected the carrier it +auto disconnects and continues hacking away. The obvious solution +is to stay connected. 25,000 for next loops will eat up about 3 +minutes and will render the feature useless. + +Skyline instituted the carrier blast soon after Mci's takeover in +1986. The only modem that's impervious to it is the Apple Cat. +However, it isn't unbeatable. It takes from 24 to 32 seconds for +a long distance call to connect. Skyline shoots the blast about +10 seconds into the dialing sequence thereby grabbing the modem +and telling the program it has found a code. The result is you +can't tell the forest from the trees. Good codes are mixed in +with tons of bad ones. + +The solution is to record the connect times and shoot the code +and the time to a file. A quick look at the file will sort out +the bogus connects from the goodies. + +Itt has gone to their data bases also. While it is impossible to +know for sure, I believe they've established a user profile. When +a customer starts making calls to area codes he hasn't called in +the past, they get nervous and kill the code in 3 days. I figure ÜjÜ + +it takes two days for them to find it and one to contact the +customer. Any hack who adheres to the IC's three day rule won't +be bothered by this since they wouldn't have been on the code +longer anyway. + +As with any scenario involving the analysis of the telco data +bases, they can and are being beaten by 15 and 16 year old +phreaks daily. Other companies are bound to institute variations +of the protection schemes, all are doomed to failure because they +do not address the real problem. Short of going off line, there +is only one way to stop phreaking, and that boys and girls can be +bought from me. Have no fear, telco's don't pay. They steal or +legislate but they never pay.....unless it's to a phreak. + +A word on Metro. I haven't been in close contact with many +hackers lately and I'm a bit out of touch. However, I've heard of +no one getting any codes from Metrophone in the recent future. +The company has either bellied up (unlikely) or they've changed +their format. Sooner or later the news will surface in the +grapevine. + + diff --git a/textfiles.com/phreak/PHREAKING/ph08.txt b/textfiles.com/phreak/PHREAKING/ph08.txt new file mode 100644 index 00000000..f2ad24c8 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/ph08.txt @@ -0,0 +1,631 @@ +The THC Hack/Phreak Archives: PH08.TXT (779 lines) +Note: I did not write any of these textfiles. They are being posted from +the archive as a public service only - any copyrights belong to the +authors. See the footer for important information. +========================================================================== +<*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*> +<*> Joe Cosmo Presents..... <*> +<*> <*> +<*> Methods of Phreaking and Telco Security Measures <*> +<*> <*> +<*> June 16, 1988 1:30 am <*> +<*> <*> +<*> (updated 7/3/88 for CN/A list & Plus One Service) <*> +<*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*> + + +(formatted to 80 Columns) + + + + Dedication: This phile is dedicated to all those great phreakers who taught +me all of this, and to all of the newcomers being born to the phreak world. For +the legends, it is here as their legacy, and for the newcomers, I hope they +will +use it as their guide in times of trouble, and may there always be phreakers in +the world. + + +TABLE OF CONTENTS +CHAPTER + I. Introduction: What Telephone Fraud Is + II. Who Does It and Why + III. The Systems That Are Fooled + IV. Electronic Toll Fraud + How Boxes Work + The Blue Box + Operation of a Blue Box + Pink Noise + The Black Box + The Red Box + The Cheese Box + V. Divertors + VI. Private Branch Exchanges + VII. Specialized Common Carriers + SCC Extenders List +VIII. PC Pursuit + How to Originate a PC Pursuit Call + IX. Cellular Phone Fraud + ESN Tampering + Obtaining ESN's + X. CN/A's + CN/A List (updated 7/3/88) + XI. Loops + XII. Alliance Teleconferencing + Billing an Alliance Conference + Starting a Conference +XIII. Telephone System Security Measure + ESS Detection Devices + Automatic Number Identification and Centralized + Automatic Message Accounting Tapes + Dialed Number Recorders + Trap Codes + The Lock In Trace + Stopping a Lock In Trace + 4Tel (Updated 6/24/88 Thanx to Touch Tone of BC, Canada) + Evading 4Tel + Plus One Service (updated 7/3/88) + Common Channel Inter-office Signaling + XIV. Laws Governing the Rights of Phreakers + XV. Conclusion + + + + + I. Introduction: What Telephone Fraud Is + Telephone fraud is illegally using the communication facilities of +telephone companies. This is commonly known as "phreaking." The writer's +purpose +is to explore the methods of phreaking, and the various security measures of +telephone companies. + + + II. Who Does It and Why + The majority of people who phreak are owners of modems (MOdulators +DEModulators, devices which allow computers to communicate over telephone +lines) +and are usually between the ages of twelve and seventeen. When the person +reaches age eighteen, he or she usually stops, since after that age, if the +person in caught, the penalty can become very serious. Phreaking is the +violation of the law on Fraud In Connection With Access Devices, which carries +maximum penalties of 15 years imprisonment and a fine of $50,000, or twice the +value of the fraudulent activity. + Scattered throughout the country are many different computer bulletin +board +systems, or BBS's. These are computer systems established by private users or +large organizations for the exchange of public and private messages and +software. Most are not a local call, though. Since the normal user calls about +ten different BBS's, with even the lowest long-distance rates, the phone bill +each month can range from $100 to $1000. The solution is to phreak. When these +people learn how to phreak, they also realize that besides making free +long-distance calls from their home, they can also make free calls from +payphones. They also find that there are many other facilities that they can +used without paying. + + + III. The Systems That Are Fooled + Their are three types of telephone operating systems in the U.S., Step by +Step (SxS), Crossbar (XB), and Electronic Switching System (ESS). They are +described in detail in the following paragraphs. + + Step by Step + Step by Step (SxS) was the first switching system used in America, adopted +in 1918 and until 1978 Bell had over 53% of all exchanges using Step by Step. +A +long, and confusing train of switches is used for SxS switching. + + Disadvantages +A. The switch train may become jammed, blocking calls. +B. No DTMF (Dual-Tone Multi-Frequency), to be discussed later. +C. Much maintenance and much electricity. +D. No "Touch-Tone" dialing. + + Identification +A. No pulsing digits after dialing or "Touch Tone". +B. Much static in the connections. +C. No Speed calling, Call forwarding, and other services. +D. Pay-phone wants money first before dial-tone. + + Crossbar + Crossbar has been Bell's primary switcher after 1960. Three types of +Crossbar switchings exist, Number 1 Crossbar (1XB), Number 4 Crossbar (4XB), +and +Number 5 Crossbar (5XB). A switching matrix is used for all of the phones in an +area. When someone calls, the route is determined and is connected with the +other phone. The matrix is positioned in horizontal and vertical paths, +organizing the train of switches more effectively, and therefore, stopping the +equipment from jamming. There are no definite distinguishing features of +Crossbar switchings from Step by Step. + + + Electronic Switching System + ESS is the most advanced system employed, and has gone through many kinds +of revisions. The latest system to date is ESS 11a, which is used in Washington +D.C. for security reasons. ESS is the country's most advanced switching system, +and has the highest security system of all. With its many special features, it +is truly the phreaker's nightmare. + + Identification +A. Dialing 911 for emergencies. +B. Dial-tone first for pay-phones. +C. Calling services, including Call forwarding, Speed dialing, and Call +waiting. +D. Automatic Number Identification for long-distance calls (ANI), to be +discussed later. +E. "Touch Tone" + + + IV. Electronic Toll Fraud + The ETF's are electrical devices used to get free long-distance calls. The +devices are more commonly known as colored boxes, and using them is known as +"boxing." Boxing is one of the oldest way to phreak, and therefore, it is also +the most dangerous, since the telephone companies are very much aware of their +existence. Colored boxes are not used only for phreaking. There are many types +which have other uses (such as the Tron Box, which lowers your electric bill), +so only those used in telephone fraud will be discussed. + + How Boxes Work + In the beginning, all long distance calls were connected manually by +operators who passed on the called number verbally to other operators in +series. +This is because pulse (rotary) digits are created by causing breaks in the DC +current. Since long distance calls call for routing through various switching +equipment and AC voice amplifiers, pulse dialing cannot be used to send the +destination number to the end local office (CO). + Eventually, the demand for faster and more efficient long distance service +caused Bell to make a multi-billion dollar decision. They had to create a +signaling system that could be used on the LD Network. They had two options: + +{1} To send all the signaling and supervisory information (eg., ON and OFF +HOOK) +over separate data links. This type of signaling is referred to as out-of-band +signaling. + +{2} To send all the signaling information along with the conversation using +tones to represent digits. This type of signaling is called in-band signaling. + + +The second seemed to be the most economical choice, and so, it was incorporated +in ESS. + Then, in the 1960's, when the first ESS systems were employed, a toy +whistle was put in each box of Captain Crunch Cereal as a premium. A young +radio +technician in the United States Air Force became fascinated with the whistle +when he discovered that by blowing it into the telephone after dialing any long +distance number, the trunk line would remain open without toll charges +accounting. From then on, any number could be dialed for free. The truth was +that the whistle produced a perfect-pitch 2600 Hz tone, the one used to signify +a disconnect in ESS switching equipment. To overcome the initial charge for the +for the long distance call, he later used toll-free 800 numbers. + Being a skilled technician, Captain Crunch (he began to use the name as an +alias) soon went beyond the simple whistle and experimented with other +frequencies, creating many of the boxes discussed in the following paragraphs. + + The Blue Box + The "Blue Box" was so named because of the color of the first one +discovered by the authorities. The design and hardware used in the Blue Box is +very sophisticated, and its size varies from a large piece of apparatus to a +miniaturized unit that is approximately the size of a "king size" package of +cigarettes. + The Blue Box contains 12 or 13 buttons or switches that emit the +multi-frequency tones used in the normal operation of the telephone toll (long +distance) switching network. In effect, the the Blue Box can let a person +become +the operator of a phone line. The Blue Box enables its user to originate +fraudulent toll calls by circumventing (fooling) toll billing equipment. The +Blue Box may be directly connected to a phone line, or it may be acoustically +coupled to a telephone handset by placing the Blue Box's speaker next to the +transmitter, or the telephone handset. + + Operation of a Blue Box + To understand the steps of a fraudulent Blue Box call, it is necessary to +understand the basic operation of the Direct Distance Dialing (DDD) telephone +network. When a DDD call is originated, the calling number is identified as an +integral part of establishing the connection. This may be done either +automatically by ANI in ESS, or in some cases, by an operator asking the +calling +party for his telephone number. This information is entered on a tape in the +Centralized Automatic Message Accounting (CAMA) office. This tape also contains +the number assigned to the trunk line over which the call is to be made. The +information relating to the call contained on the tape includes the called +number's identification, time of origination of the call, and if the called +number answered the call. The time of disconnect is also recorded. The various +data entries with of the call are correlated to provide billing information for +use by the caller's telephone company's accounting department. + The typical Blue Box user usually dials a number that will route the call +into the telephone network without charge. For example, the user will very +often +call a well-known INWATS (toll-free) number. The Blue Box user, after gaining +this access to the network when somebody picks up and in effect, "seizing" +control of the line, operates a key on the Blue Box which emits a 2600 Hertz +(cycles per second, abbreviated as Hz) tone. This tone causes the switching +equipment to release the connection to the INWATS customer's line. The 2600 Hz +tone is the signal to the switching system that the calling party has hung up. +In fact though, the local trunk on the calling party's end is still connected +to +the toll network. The Blue Box user now operates the "KP" (Key Pulse) key on +the +Blue Box to notify the toll switching equipment that switching signals are +about +to be emitted. The user then pushes the "number" buttons on the Blue Box +corresponding to the telephone number being called. After doing so, he/she +operates the "ST" (Start) key to tell the switching equipment that signaling is +complete. If the call is completed, only the portion of the original call prior +to the operation of the 2600 Hz tone is recorded on the CAMA tape. The tones +emitted by the Blue Box are not recorded on the CAMA tape. Therefore, because +the original call to the INWATS number is toll-free, no billing is rendered in +connection with the call. + + The above are the steps in a normal operation of a Blue Box, but they may +vary in any one of the following ways: + +A. The Blue Box may include a rotary dial to apply the 2600Hz tone and the +switching signals. This type of Blue Box is called a "dial pulser" or "rotary +SF" Blue box. + +B. A magnetic tape recording may be used to record the Blue Box tones. Such a +tape recording could be used in lieu of a Blue Box to fraudulently place calls +to the phone numbers recorded on the magnetic tape. + + All Blue Boxes, except "dial pulse" or "Rotary SF" Blue Boxes, +must have the following four common operating capabilities: + +A. It be able to emit the 2600 Hz tone. This tone is used by the toll network +to +indicate, either by its presence or its absence, an "on hook" (idle) or "off +hook" (busy) condition of a trunk line. + +B. The Blue Box must have a "KP" tones that unlocks or readies +the multi-frequency receiver at the called end to receive the +tones corresponding to the called phone number. + +C. The Blue Box must be able to emit DTMF, tones used to transmit phone numbers +over the toll network. Each digit of a phone number is represented by a +combination of two tones. For example, the 2 is 700 Hz and 900 Hz. + +D. The Blue Box must have an "ST" key which consists of a combination of two +tones that tell the equipment at the called end that all digits have been sent +and that the equipment should start connecting the call to the called number. + + The following is a chart of the multi-frequency (MF) tones produced by the +normal Blue Box. + +700 : 1 : 2 : 4 : 7 : 11 : 2600 X +900 : + : 3 : 5 : 8 : 12 : +1100 : + : + : 6 : 9 : KP : +1300 : + : + : + : 10 : KP2 : +1500 : + : + : + : + : ST : + : 700 : 900 :1100 :1300 :1500 : + + The "Dial Pulser" or "Rotary SF" Blue Box requires only a dial +with a signalling capability to produce a 2600 Hz tone. + + + Pink Noise + Since telephone companies have such advanced equipment to detect Blue +Boxes, to help avoid detection "pink noise" is sometimes added to the 2600 Hz +tone. + Since 2600 Hz tones can be simulated in speech, the detection equipment of +the switching system must be attentive not to misinterpret speech as a +disconnect signal. Thus, a virtually +pure 2600 Hz tone is required for disconnect. This is also the reason why the +2600 Hz tone must be sent rapidly; sometimes, it will not work when the person +called is speaking. It is feasible, though, to send some "pink noise" along +with +the 2600 Hz. Most of this energy should be above 3000 Hz. The pink noise will +not reach the toll network, where we want our pure 2600 Hz to hit, but it will +go through the local CO and thus, the fraud detectors. + + The Black Box + The Black Box is the easiest type to build. The box stops a call from +being +charged to some one only if it is hooked to the line of the person being +called. + In the normal telephone cable, there are four wires: a red, a green, a +black, and a yellow. The red & green wires are often referred to as tip (T) and +ring (R). + When a telephone is on-hook (hung up) there is approximately 48 volts of +DC +current (VDC) flowing through the tip and ring. When the handset of a phone is +lifted, switches close, causing a loop to be connected (which is known as the +"local loop,") between the telephone and the CO. Once this happens DC current +is able to flow through the telephone with less resistance. This causes a +relay +to energize and signal to other CO equipment that service is being requested. +Eventually, a dial tone is emitted. This also causes the 48 VDC to drop down +into the vicinity of 13 volts. The resistance of the loop also drops below the +2500 ohm level. Considering that this voltage and resistance drop is how the CO +detects that a telephone was taken off hook, how a Black Box works is by +allowing the voltage to drop enough to allow talking, but not enough to signal +to the CO equipment to start billing. To do this, a 10,000 Ohm, .5 Watt +resistor +is incorporated in t{.b= +1.loop on the called party's line. + + The Red Box + A Red Box is a device that simulates the sound of a coin being accepted by +a payphone. When a coin is put in the slot of a payphone, the first obstacle is +the magnetic trap. This will stop any light-weight magnetic slugs. If it passes +this, the coin is then classed as a nickel, dime, or quarter. Each coin is then +checked for appropriate size and weight. If these tests are passed, it will +then +travel through a nickel, dime, or quarter magnet as proper. These magnets start +an eddy current effect which causes coins of the appropriate characteristics to +slow down so they will follow the correct trajectory. + If all goes well, the coin will follow the correct path, striking the +appropriate totalizer arm, causing a ratchet wheel to rotate once for every +5-cent increment (eg, a quarter will cause it to rotate 5 times). The totalizer +then causes the coin signal oscillator to readout a dual-frequency signal +indicating the value deposited to the Automated Coin Toll Service computer +(ACTS) or the Traffic Service Position System (TSPS) operator. These are the +tones emitted by the Red Box. + For a quarter, five beep tones are outpulsed for 66 milliseconds (ms). A +dime causes two beep tones for 33 ms, while a nickel causes one beep tone at +also 33 ms. A beep consists of two frequencies, 2200 Hz and 1700 Hz. As with a +Blue Box, Red Box tones can be recorded on a magnetic tape. + Since any call from a payphone is originated with a "ground test," in +which +the TSPS operator or the ACTS computer checks for the presence of the first +coin +inserted into the phone, by verifying use of the magnetic, weight, and size +traps, when using a Red Box, it is necessary to put in at least one coin. + + The Cheese Box + A Cheese Box lets a normal telephone emulate a payphone. By emulating a +payphone, using a blue box now becomes safe, because if the CO equipment +recognizes the call as one from a payphone, it does not record it on a CAMA +tape. Since a normal telephone does not have a slot to enter coins, a Red Box +is +needed to generate the sound of a coin dropping. + + + V. Divertors + A divertor is a special service that allows businesses to "divert" calls +if +no one answers after a certain number of rings. For example, a person calls a +company, and nobody answers. After about three rings, a few clicks are heard, +then a few fainter rings are heard. The building receiving the call has changed +from the company to another building, usually somebody's house. What has +happened is that the call has been re-routed from building A to building B. In +effect, the number called is not really changed, but instead, building A has +answered the call, called building B, and connected the two lines together. If +the person in building B disconnects, the caller is still connected to building +A. With the way the divertor equipment works in the telephone company, the +phone +line of building A will then emit a dial tone and the caller has total control +of the line, and can originate another call, charging it to building A. + + + + VI. Private Branch Exchange + A Private Branch Exchange (PBX) is a system of out-WATS (Wide Area +Telephone Service) lines and in-WATS lines. An out-WATS line allows a business +to make as long-distance calls each month for a flat rate. An in-WATS line is a +toll-free number (800 number) that is also leased to businesses for flat rates. +PBX's save corporations much money when their salesmen, distributors, and +franchisees must make many calls from different parts of the country. It works +much like specialized common carriers (to be discussed later). + First, the employee calls the company on the in-WATS line. The switching +equipment picks up the phone, and send a tone to the employee indicating for +him +to enter the access code of the PBX. If the access code is correct, then the +line is connected to the out-WATS line, and the employee can make a call. + To use PBX's, phreakers must find the access code of the PBX. This can be +done very easily, since the code is usually only a few digits. One way is to +dial different combinations manually on the telephone keypad. The other way is +of the phreaker is the owner of a modem. A simple program can be easily written +to continuously dial digit combinations randomly or sequentially. + + + VII. Specialized Common Carriers + Ever since the break up of AT&T's monopoly on long-distance service, there +have been many other corporations that compete with AT&T in the long-distance +market, including Sprint, MCI, All-net, ITT, and Metrophone. These all boast +opportunities for large savings on long-distance calls. These companies are +called specialized common carriers (SCC's). + SCC's cost less because they do not use the AT&T's cable-based systems, +but +instead use microwave links. Some have also added fiber-optic lines to their +networks. + Another way they can save consumers money is by using AT&T's lines. +Instead +of connecting calls by the shortest route, the carrier will use a different +route, so the call goes through places where the long-distance traffic is +heavy, +and the rate is lower. The companies that do this are known as "resellers." + Most SCC's work nearly the same as PBX's. The 800 number is called, a tone +is hearl, the private identification number (PIN) is entered, and then the call +can be made. The length of the PIN number can range from four digit to fourteen +digits. + Besides 800 toll free numbers, in some areas, a 950 can be used. A 950 +works exactly the same as an 800 number, the only difference is that the +consumer must enter only seven digits before dialing his PIN number instead of +ten with a toll-free number. 950's are free of charge and can be used both at +home and at pay phones. + The PIN numbers can be found the same way as PBX access codes. Since the +number of digits in a PIN is so great, using a computer is much more common +practice than manual dialing. + The following pages are lists of SCC's and their dialups, formats, and +special points. Note that some have many different dialups. + + + +============================================================================= +{ SCC Extenders List } +{ 0-9 - Number of digits in code } +{ { } - Dial that exact number } +{ # - Area code + Prefix + Suffix } +{ : - Dial tone } +{ + - Continue dialing } +============================================================================= +\ Extender \ Dialing Format \ Company \ Comments \ +----------------------------------------------------------------------------- +\ 800-223-0548 \ 8+{1}+# \ TDX \ \ +\ 800-241-1129 \ 8+{1}+# \ TDX \ \ +\ 800-248-6248 \ 6+{1}+# \ SumNet Systems \ (800)824-3000 \ +\ 800-288-8845 \ 7:{1}+# \ TMC Watts \ (800)999-3339 \ +\ 800-325-0192 \ {1}+#+6 \ MCI \ 950-1986 \ +\ 800-325-1337 \ 7:{1}+# \ TMC Watts \ \ +\ 800-325-7222 \ 6+{1}+# \ Max \ (800)982-4422 \ +\ 800-325-7970 \ 6+{1}+# \ Max \ (800)982-4422 \ +\ 800-327-4532 \ 8+# \ All-TelCo \ \ +\ 800-327-9488 \ #:13 \ ITT \ 950-0488 \ +\ 800-334-0193 \ {9}+# \ Piedmont \ \ +\ 800-345-0008 \ {0}+#:14 \ US Sprint FON Cards \950-1033 also 9+#\ +\ 800-368-4222 \ 8+# \ Congress Watts Lines \ \ +\ 800-437-7010 \ 13 \ GCI \ \ +\ 800-448-8989 \ 14+{1}+# \ Call US \ \ +\ 800-521-8400 \ 8:# \ TravelNet \ 950-1088 (voice)\ +\ 800-541-2255 \ 10 \ MicroTel \ \ +\ 800-547-1784 \ 13 \ AmericaNet \ \ +\ 800-621-5640 \ 6+{1}+# \ ExpressTel \ \ +\ 800-637-4663 \ 5+{1}+# \ TeleSave \ \ +\ 800-821-6511 \ 5+{1}+# \ American Pioneer \ (800)852-4154 \ +\ 800-821-6629 \ 6+{1}+# \ Max \ (800)982-4422 \ +\ 800-821-7961 \ 6+{1}+# \ Max \ (800)982-4422 \ +\ 800-826-7397 \ 6:{1}+# \ Call U.S. \ \ +\ 800-858-4009 \ 6+{1}+# \ NTS \ Voice \ +\ 800-862-2345 \ 7:{1}+# \ TMC \ \ +\ 800-877-8000 \ {0}+#:14 \ US Sprint Calling Card\950-1033 also 9+#\ +\ 800-882-2255 \ 6:{1}+# \ AmeriCall \ False Carrier \ +\ 800-950-1022 \ {0}+#:14 \ MCI Calling Card \ \ +\ 800-992-1444 \ 9+# \ AllNet \ 950-1444 \ +============================================================================= + + + + VIII. PC Pursuit + Many modem users know Telenet as a packet-switching network through which +they can connect to different telecommunication services throughout the country +for an hourly rate of $2. With PC Pursuit, Telenet uses the same method as +SCC's, but instead of using microwave links, the call is routed through +computers. Since it is routed through computers, the service can be used by +only +owners of modems. Instead of paying the hourly rate, the consumer needs only to +pay a flat monthly rate of $25. + Using PC Pursuit is a little more difficult than using SCC's, because now +instead of combinations of only ten different characters (0-9), the whole +alphabet can be used in the access code. The following is a chart showing the +steps to originate a typical PC Pursuit call. + + How to Originate a PC Pursuit Call + First, the users dials the local Telenet Access Center, which can be found +by dialing Telenet customer service at 1-800-336-0437. + +Then: + +Note: (cr) signifies the carriage return on a computY.Z+e =I9 + +Network Shows \ User Types \ Explanation +uuuuuuuuuuuuumuuE[]]]]]]][]]]]]][]]]]]]][]]]]q]][]]]]]]][]]]][]]]]]]][]]]]]k + \ (cr) (cr) \ +\\ +TELENET \ \ Telenet network called and +XXX XXX \ \ your network address. +\\ +TERMINAL= \ "D1" (cr) \ Enter "D1" or press (cr) +\\ +@ \ For 300 bps: \ CONNECT command. To access + \ "C(sp)DIALXXX/3,XXXX(cr)" \ a PC Pursuit city type a PC + \ \ Pursuit access code and + \ For 1200 bps: \ your user ID. + \ "C(sp)DIALXXX/12,XXXX(cr)" \ +\\ +PASSWORD= \ "XXXXXX" (cr) \ Type the password +\\ +DIALXXX/X \ "ATZ" (cr) \ You are now connected to the +CONNECTED \ \ PCP city. Type ATZ (upper). +\\ +OK \ "ATDTXXXXXXX" (cr) \ Dials a number in PCP city +\\ +CONNECT \ \ Your are now connected to + \ \ your destination computer. +\\ + + If the number dialed is busy, the user will see BUSY. To call another +number in the same city, the user types "ATZ." The network will answer OK. The +user then types "ATDTXXXXXXX" (cr) to dial the next number. + To connect to a different PC Pursuit City, when the user sees BUSY, he +types "@" (cr). When a @ appears, you are in business, and ask for the owner of +the number. In some states, though, the operator will +ask for an ID number. In these cases, one must be guessed at. + There is also a type of reverse CN/A bureau, which is usually called a NON +PUB DA or TOLL LIB. With these numbers, somebody can find unpublished numbers +if +the caller gives the operator the name and locality. These are considerably +harder to use, since the operator will then request the caller's name, +supervisors name, etc. + The following is a list of current CN/A's. + + + + 1988 CN/A List (subject to change) + + +Area: CN/A Area: CN/A Area: CN/A + 201: 201-676-7070 202: 304-343-7016 203: 203-789-6815 + 204: 204-949-0900 205: 205-988-7000 206: 206-345-4082 + 207: 617-787-5300 208: 303-293-8777 209: 415-781-5271 + 212: 518-471-8111 213: 415-781-5271 214: 214-464-7400 + 215: 412-633-5600 216: 614-464-0519 217: 217-789-8290 + 218: 402-221-7199 219: 317-265-4834 301: 304-343-1401 + 302: 412-633-5600 303: 303-293-8777 304: 304-344-8041 + 305: 912-752-2000 307: 303-293-8777 308: 402-221-7199 + 309: 217-525-7000 312: 312-796-9600 313: 313-424-0900 + 314: 816-275-8460 315: 518-471-8111 316: 913-276-6708 + 317: 317-265-4834 318: 504-245-5330 319: 402-221-7199 + 401: 617-787-5300 402: 402-221-7199 403: 403-425-2652 + 404: 912-752-2000 405: 405-236-6121 406: 303-293-8777 + 408: 415-546-1341 412: 412-633-5600 413: 617-787-5300 + 414: 608-252-6932 415: 415-781-5271 416: 416-443-0542 + 417: 816-275-8460 418: 614-464-0123 419: 614-464-0519 + 501: 405-236-6121 502: 502-583-2861 503: 206-345-4082 + 504: 504-245-5330 505: 303-293-8777 506: 506-657-3855 + 507: 402-380-2255 509: 206-345-4082 512: 512-828-2501 + 513: 614-464-0519 514: 514-394-7440 515: 402-221-7199 + 516: 518-471-8111 517: 313-424-0900 518: 518-471-8111 + 519: 416-443-0542 601: 601-961-8139 602: 303-293-8777 + 603: 617-787-5300 604: 604-432-2996 605: 402-221-7199 + 606: 502-583-2861 607: 518-471-8111 608: 608-252-6932 + 609: 201-676-7070 612: 402-221-7199 613: 416-443-0542 + 614: 614-464-0519 615: 615-373-5791 616: 313-424-0900 + 617: 617-787-5300 618: 217-525-7000 619: 415-781-5271 + 701: 402-221-7199 702: 415-543-2861 703: 304-344-7935 + 704: 912-752-2000 705: 416-443-0542 707: 415-781-5271 + 712: 402-221-7199 713: 713-961-2397 714: 213-995-0221 + 715: 608-252-6932 716: 518-471-8111 717: 412-633-5600 + 718: 518-471-8111 801: 303-293-8777 802: 617-787-5300 + 803: 912-784-9111 804: 304-344-7935 805: 415-781-5271 + 806: 512-828-2501 808: 212-226-5487 809: 404-751-8871 + 812: 317-265-4834 813: 813-228-7871 814: 412-633-5600 + 815: 217-789-8290 816: 816-275-8460 817: 214-464-7400 + 819: 514-861-6391 901: 615-373-5791 902: 902-421-4110 + 904: 912-752-2000 906: 313-424-0900 912: 912-752-2000 + 914: 518-471-8111 916: 415-781-5271 + 918: 405-236-6121 912: 912-752-2000 + + + + + XI. Loops + The {k..is an alternative communication medium that has many potential +uses. Loops are phone lines that are connected when they are called +simultaneously. One use is when somebody wants another person to call them back +but is reluctant to give out their home phone number (eg., if they were on a +party line). + Loops are found in pairs that are usually close to each other (eg., +718-492-9996 and 718-492-9997). On a loop, one line is the high end, and the +other is the low end. The high end is always silent. The tone disappears on +the +low end when somebody calls the high end. + It is truly only safe to use a loop during non-business hours. During +business, loops are used to test equipment by various telephone companies and +local CO's. + + + XII. Alliance Teleconferencing + Alliance Teleconferencing is an independent company which allows the +general public to access and use its conferencing equipment. + + + diff --git a/textfiles.com/phreak/PHREAKING/phb b/textfiles.com/phreak/PHREAKING/phb new file mode 100644 index 00000000..7e8757ef --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phb @@ -0,0 +1,13075 @@ +1 + + + + The Official Phreaker's Manual + + + + + + + + + + + + + + + + + + + + + + The Official Phreaker's Manual V1.1 + Updated 2/14/87 + Compiled, Wordprocessed, and Distributed by: + The Jammer + and + Jack the Ripper + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 1 + + + + + The Official Phreaker's Manual + + Introduction + + What precedes this introduction is what I have termed "The Official +Phreakers Manual", while it may not be. Many times I have been on a BBS, which +has files claiming to have summed up all the ways to phreak in the U.S. and +abroad, well those were pretty lame and a couple pages long. Now after many +relentless hours of work, I have done it. This is an informative file and the +authors of this and the authors from which I have gathered information, take +absolutely NO responsibility and are not liable for, under any circumstances +for damage, direct, indirect, incidental, or consequential. + + Warning: Use of this material may shorten your life in the free world! + + Ok enough of the bullshit, I readily admit that this is mainly a compilation +of available phreak material and public resources. What I have done is to +gather it all together and edit, compile, check for errors, put in a readable +form, and finally to write what I know without echoing what others have said. +I have set this up that it is good for all levels of phreaks, going from novice +to advanced, and references and tables for easy reference in the back. + This manual is constantly being updated! If you have any contributions or +corrections or comments, please leave messages to me (Jack the Ripper) on any +BBS's I am on (probably where you got it). Thanks! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 2 + + + + + The Official Phreaker's Manual + + ********************************************************************** + + Table of Contents + + ********************************************************************** + + +I....... 005 Chapter 1 +I.1..... 006 Glossary of Phreaking terms +I.2..... 010 Glossary of Phreaking terms cont. +I.3..... 017 Boxes and Electronic Toll Fraud +I.4..... 020 How to be a Real Phreak +I.5..... 026 Basic Telecommunications I, A Phreaks guide + +II...... 031 Chapter 2 +II.1.... 033 Secrets of the Little Blue Box. Part 1 +II.2.... 041 Secrets of the Little Blue Box. Part 2 +II.3.... 050 Secrets of the Little Blue Box. Part 3 +II.4.... 058 Secrets of the Little Blue Box. Part 4 +II.5.... 062 The History of ESS +II.6.... 064 History of British Phreaking +II.7.... 067 Bad as Shit, an adventure story + +III..... 069 Chapter 3 +III.1... 070 Phreaking Cosmos +III.2... 072 Cosmos Revamped +III.3... 073 Telenet +III.4... 075 Phreaking AT&T Cards +III.5... 076 AT&T Forgery +III.6... 078 Dealing with Operators +III.7... 079 How to set up a Conference Call +III.8... 081 Fone tapping +III.9... 083 Fone tapping cont. +III.10.. 085 Tracing, how dangerous is it +III.11.. 086 How to avenge yourself +III.12.. 088 Interesting things to do on Step lines +III.13.. 089 Busted, An account of the Private Sector bust + +IV...... 092 Chapter 4 +IV.1.... 093 Basic Telecommunications II, Special #'s, Loops, Ani +IV.2.... 101 Basic Telecommunications III, Direct Dialing, International +IV.3.... 106 Basic Telecommunications IV, Telefone Hierarchy +IV.4.... 113 Basic Telecommunications V, Subscriber fone electronics +IV.5.... 120 Basic Telecommunications VI, Fortress fones + +V....... 123 Chapter 5 +V.1..... 124 Basic Telecommunications VII, Blue Boxing +V.2..... 132 Better Homes & Blue Boxing, Part 1 +V.3..... 136 Better Homes & Blue Boxing, Part 2 +V.4..... 141 Better Homes & Blue Boxing, Part 3 +V.5..... 145 More on Blue Boxing by Fred Stienbeck +V.6..... 146 Verification, Remob, etc., Is it possible? +V.7..... 148 Equal Access and the American Dream, Another great article +V.8..... 160 Equal access and Autodialing Modems +V.9..... 161 ISDN, it will change telecommunications for ever +V.10.... 163 ISDN, an article from Proto +V.11.... 165 MCI Services what they are and how they are useful + + + Page 3 + + + + + The Official Phreaker's Manual + + ********************************************************************** + + Appendixes + + ********************************************************************** + + +Appendix I...... 170 Reference tables and access lists +Appendix I.1.... 171 Country Codes +Appendix I.2.... 173 Country Codes cont. +Appendix I.3.... 176 Country Codes cont. +Appendix I.4.... 181 Max Access ports (Dialups) +Appendix I.5.... 182 Metro Fone Access ports +Appendix I.6.... 183 Area Codes +Appendix I.7.... 185 Tac Dialups around the country +Appendix I.8.... 193 Test numbers around the country +Appendix I.9.... 196 What a TSPS operators console looks like + +Appendix II..... 197 Box plans +Appendix II.1... 198 How to make an Infinity transmitter +Appendix II.2... 203 How to make a silver box + + 204 Protection Page + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 4 + + + + + The Official Phreaker's Manual + + Chapter 1 + + Ok this chapter will cover the basic vocabulary of phreaking, it is a fairly +long list, though not totally complete. After the vocab, will be some of the +general rules for phreaking. Most of the rules are protection from the police +and AT&T, but others are grammatical rules. These are not as important to your +freedom, but many a phreak will think you are a twelve year old if you start +talking like, "Hey dudz!^$(&, just got the latest warez! trade u for some +soft/docs. Checkul8r". Well you get the point, here's your vocab list... + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 5 + + + + + The Official Phreaker's Manual + + ...................................................................... + ...................................................................... + . The Bell Glossary - .. + . by .. + . /\<\ /\<\ .. + . \>ad \>arvin .. + ...................................................................... + ...................................................................... + +ACD: Automatic Call Distributor - A system that automatically distributes calls +to operator pools (providing services such as intercept and directory +assistance), to airline ticket agents, etc. + +Administration: The tasks of record-keeping, monitoring, rearranging, +prediction need for growth, etc. + +AIS: Automatic Intercept System - A system employing an audio-response unit +under control of a processor to automatically provide pertinent info to callers +routed to intercept. + +Alert: To indicate the existence of an incoming call, (ringing). + +ANI: Automatic Number Identification - Often pronounced "Annie," a facility for +automatically identify the number of the calling party for charging purposes. + +Appearance: A connection upon a network terminal, as in "the line has two +network appearances." + +Attend: The operation of monitoring a line or an incoming trunk for off-hook or +seizure, respectively. + +Audible: The subdued "image" of ringing transmitted to the calling party during +ringing; not derived from the actual ringing signal in later systems. + +Backbone Route: The route made up of final-group trunks between end offices in +different regional center areas. + +BHC: Busy Hour Calls - The number of calls placed in the busy hour. + +Blocking: The ratio of unsuccessful to total attempts to use a facility; +expresses as a probability when computed a priority. + +Blocking Network: A network that, under certain conditions, may be unable to +form a transmission path from one end of the network to the other. In general, +all networks used within the Bell Systems are of the blocking type. + +Blue Box: Equipment used fraudulently to synthesize signals, gaining access to +the toll network for the placement of calls without charge. + +BORSCHT Circuit: A name for the line circuit in the central office. It +functions as a mnemonic for the functions that must be performed by the +circuit: Battery, Overvoltage, Ringing, Supervision, Coding, Hybrid, and +Testing. + +Busy Signal: (Called-line-busy) An audible signal which, in the Bell System, +comprises 480hz and 620hz interrupted at 60IPM. + +Bylink: A special high-speed means used in crossbar equipment for routing calls + + Page 6 + + + + + The Official Phreaker's Manual + +incoming from a step-by-step office. Trunks from such offices are often +referred to as "bylink" trunks even when incoming to noncrossbar offices; they +are more properly referred to as "dc incoming trunks." Such high-speed means +are necessary to assure that the first incoming pulse is not lost. + +Cable Vault: The point which phone cable enters the Central Office building. + +CAMA: Centralized Automatic Message Accounting - Pronounced like Alabama. + +CCIS: Common Channel Interoffice Signaling - Signaling information for trunk +connections over a separate, nonspeech data link rather that over the trunks +themselves. + +CCITT: International Telegraph and Telephone Consultative Committee- An +International committee that formulates plans and sets standards for +intercountry communication means. + +CDO: Community Dial Office - A small usually rural office typically served by +step-by-step equipment. + +CO: Central Office - Comprises a switching network and its control and support +equipment. Occasionally improperly used to mean "office code." + +Centrex: A service comparable in features to PBX service but implemented with +some (Centrex CU) or all (Centrex CO) of the control in the central office. In +the later case, each station's loop connects to the central office. + +Customer Loop: The wire pair connecting a customer's station to the central +office. + +DDD: Direct Distance Dialing - Dialing without operator assistance over the +nationwide intertoll network. + +Direct Trunk Group: A trunk group that is a direct connection between a given +originating and a given terminating office. + +EOTT: End Office Toll Trunking - Trunking between end offices in different toll +center areas. + +ESB: Emergency Service Bureau - A centralized agency to which 911 "universal" +emergency calls are routed. + +ESS: Electronic Switching System - A generic term used to identify as a class, +stored-program switching systems such as the Bell System's No.1 No.2, No.3, +No.4, or No.5. + +ETS: Electronic Translation Systems - An electronic replacement for the card +translator in 4A Crossbar systems. Makes use of the SPC 1A Processor. + +False Start: An aborted dialing attempt. + +Fast Busy: (often called reorder) - An audible busy signal interrupted at twice +the rate of the normal busy signal; sent to the originating station to indicate +that the call blocked due to busy equipment. + +Final Trunk Group: The trunk group to which calls are routed when available +high-usage trunks overflow; these groups generally "home" on an office next +highest in the hierarchy. + + Page 7 + + + + + The Official Phreaker's Manual + + +Full Group: A trunk group that does not permit rerouting off-contingent foreign +traffic; there are seven such offices. + +Glare: The situation that occurs when a two-way trunk is seized more or less +simultaneously at both ends. + +High Usage Trunk Group: The appellation for a trunk group that has alternate +routes via other similar groups, and ultimately via a final trunk group to a +higher ranking office. + +Intercept: The agency (usually an operator) to which calls are routed when made +to a line recently removed from a service, or in some other category requiring +explanation. Automated versions (ASI) with automatic v¿Z¬–WÖ®Ëk•ë¹¥Ñ͇ɕ5S:ɽݥ¹Ë¹ÕÍ•¹kRj¤”å‹•ÉÉÕÁÑ郢¡•Ë¹Ñ•ÉÉÕÁÑ¥½¹û¹ÿa phone line to disconnect and connect with +another station, such as an Emergence Interrupt. + +Junctor: A wire or circuit connection between networks in the same office. The +functional equivalent to an intraoffice trunk. + +MF: Multifrequency - The method of signaling over a trunk making use of the +simultaneous application of two out of six possible frequencies. + +NPA: Numbering Plan Area. + +ONI: Operator Number Identification - The use of an operator in a CAMA office +to verbally obtain the calling number of a call originating in an office not +equipped with ANI. + +PBX: Private Branch Exchange - (PABX: Private Automatic Branch Exchange) An +telephone office serving a private customer, Typically , access to the outside +telephone network is provided. + +Permanent Signal: A sustained off-hook condition without activity (no dialing +or ringing or completed connection); such a condition tends to tie up +equipment, especially in earlier systems. Usually accidental, but sometimes +used intentionally by customers in high-crime-rate areas to thwart off +burglars. + +POTS: Plain Old Telephone Service - Basic service with no extra "frills". + +ROTL: Remote Office Test Line - A means for remotely testing trunks. + +RTA: Remote Trunk Arrangement - An extension to the TSPS system permitting its +services to be provided up to 200 miles from the TSPS site. + +SF: Single Frequency. A signaling method for trunks: 2600hz is impressed upon +idle trunks. + +Supervise: To monitor the status of a call. + +SxS: (Step-by-Step or Strowger switch) - An electromechanical office type +utilizing a gross-motion stepping switch as a combination network and +distributed control. + +Talkoff: The phenomenon of accidental synthesis of a machine-intelligible + + Page 8 + + + + + The Official Phreaker's Manual + +signal by human voice causing an unintended response. "whistling a tone". + +Trunk: A path between central offices; in general 2-wire for interlocal, 4-wire +for intertoll. + +TSPS: Traffic Service Position System - A system that provides, under stored- +program control, efficient operator assistance for toll calls. It does not +switch the customer, but provides a bridge connection to the operator. + +X-bar: (Crossbar) - An electromechanical office type utilizing a "fine-motion" +coordinate switch and a multiplicity of central controls (called markers). +There are four varieties: + No.1 Crossbar: Used in large urban office application; (1938) + No 3 Crossbar: A small system started in (1974). + No.4A/4M Crossbar: A 4-wire toll machine; (1943). + No.5 Crossbar: A machine originally intended for relatively small +suburban applications; (1948) + Crossbar Tandem: A machine used for interlocal office switching. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 9 + + + + + The Official Phreaker's Manual + + ============================================================ + _ _ _______ + | \/ | / _____/ + |_||_|etal / /hop + __________/ / + /___________/ + (314) 432-0756 + + Proudly Presents + + The MCI Telecommunications Glossary + + Part I Volume I (A - D) + + Typed by Knight Lightning + + ============================================================ + +- A - + +A & B LEADS: Designation of leads derived from the midpoints of the two 2-wire +pairs comprising a 4-wire circuit. + +ABBREVIATED DIALING: The ability of a telephone user to reach frequently called +numbers by using less than seven digits. Synonym: Speed Dialing + +ACCESS CHARGE: A fee paid for the use of local lines. + +ACCESS CODE: A digit or number of digits required to be connected to a private +line arranged for dial access. + +ACCESS LINE: A telephone circuit which connects a customer location to a +network switching center. + +AIRLINE MILEAGE: Calculated point-to-point mileage between terminal +facilities. + +ALL TRUNKS BUSY (ATB): A single tone interrupted at a 120 ipm (impulses per +minute) rate to indicate all lines or trunks in a routing group are busy. + +ALTERNATE ROUTE: A secondary communications path used to reach a destination if +the primary path is unavailable. + +ALTERNATE USE: The ability to switch communications facilities from one type of +service to another, i.e., voice to data, etc. + +ALTERNATE VOICE DATA (AVD): A single transmission facility which can be used +for either voice or data. + +AMERICAN STANDARD CODE +FOR INFORMATION INTERCHANGE +(ASCII): An 8 level code developed for the interchange of information between +data processing and communications systems. + +ANALOG SIGNAL: A signal in the form of a continuous varying physical quantity, +e.g., voltage which reflects variations in some quantity, e.g., loudness in the +human voice. + + + Page 10 + + + + + The Official Phreaker's Manual + +ANNUNICATOR: An audible intercept device that states the condition or +restrictions associated with circuits or procedures. + +ANSWER BACK: An electrical and/or visual indication to the calling or sending +end that the called or received station is on the line. + +ANSWER SUPERVISION: An off-hook signal transmitted toward the calling end of a +switched connection when the called party answers. + +AREA CODE: Synonym: Numbering Plan Area (NPA). A three digit number identifying +more than 150 geographic areas of the United States and Canada which permits +direct distance dialing on the telephone system. A similar global numbering +plan has been established for international subscriber dialing. + +ATTENDANT POSITION: A telephone switchboard operator's position. It provides +either automatic (cordless) or manual (plug and jack) operator controls for +incoming and/or outgoing telephone calls. + +ATTENUATION: A general term used to denote the decrease in power between that +transmitted and that received due to loss through equipment, lines, or other +transmission devices. It is usually expressed as a ration in db (decibel). + +AUDIBLE RINGING TONE: An audible signal heard by the calling party during the +ringing-interval. + +AUTHORIZATION CODE: An identification number that the caller enters when +placing a call which is used for billing purposes. + +AUTHORIZED USER: A person, firm, organization, corporation or any other entity +authorized by the customer to send or receive communications over a specific +communications network. + +AUTO ANSWER: A machine feature that allows a transmission control unit or +station to automatically respond to a call that it receives. + +AUTOMATIC CALL +DISTRIBUTOR (ACD): A switching system designed to queue and/or distribute a +large volume of incoming calls to a group of attendants to the next available +"answering" position. + +AUTOMATIC DIALING UNIT: A device which automatically generates a predetermined +set of dialing digits. + +AUTOMATIC IDENTIFICATION +OF OUTWARD DIALING (AIOD): A computer generated report showing all long +distance calls placed over AT&T's toll network. + +AUTOMATIC NUMBER +IDENTIFICATION (ANI): Automatic equipment at a local dial office used on +customer dialed calls to identify the calling-station. + +AUTOMATIC ROUTE +SELECTION (ARS): Least cost routing via AT&T CENTREX system. + + + +- B - + + + Page 11 + + + + + The Official Phreaker's Manual + +BAND: (1) The range of frequencies between two defined limits. (2) In reference +to WATS, one of the five specific geographic areas as defined by AT&T. Synonym: +BANDWIDTH. + +BANDWIDTH: See BAND. + +BASEBAND: The total frequency band occupied by the aggregate of all the voice +and data signals used to modulate a radio carrier. + +BAUD: A unit of signaling speed. The speed in baud is the number of discrete +conditions conditions or signal elements per second. If each signal event +represents only one bit condition, then Baud is the same as bits per second. +When each signal event represents other than one bit, Baud does not equal bits +per second. + +BELL OPERATING COMPANY +(BOC) /BELL SYSTEMS +OPERATING COMPANY (BSOC): Any of the 24 AT&T affiliated companies providing +local service. + +BELL SYSTEM: The aggregate of AT&T's 24 associated telephone companies, Long +Lines, Western Electric, and Bell Labs. + +BILLING NUMBER: The MCI term for the number which identifies a customer on a +billing location level, assigned to Network Service Customer (by COMS). +Assigned for each unique customer name and billing location. For internal use +only. + +BINARY: A number system that uses only two characters ("0" and "1"). + +BIT: A binary digit. The smallest unit of coded information. + +BITS PER SECOND (BPS): The rate at which data transmission is measured. + +BLOCKED CALLS: Attempted calls that are not connected because (1) all lines to +the central offices are in use; or (2) all connecting connecting paths through +the PBX/switch are in use. + +BLOCKED ANI: ANI prohibited from completing a call over the MCI network. + +BREAK: A means of interrupting transmission, a momentary interruption of a +circuit. + +BROADBAND: A transmission facility having a bandwidth of greater then 20 kHz. + +BUS: A heavy conductor, or group of conductors, to which several units of the +same type of equipment may be connected. + +BUSY: The condition in which facilities over which a call is to be connected +are already in use. + +BUSY HOUR: The time of day when phone lines are most in demand. + +BUSY TONE: A single that is interrupted at 60 ipm (impulses per minute) rate to +indicate that the terminal point of a call is already in use. + +BYTE: A group of binary digits that are processed by a computer as a unit. + + + Page 12 + + + + + The Official Phreaker's Manual + + + +- C - + + +CARRIER: High frequency current that can be modulated with voice or digital +signals for bulk transmission via cable or radio circuits. + +CARRIER SYSTEM: A system for providing several communications channels over a +single path. + +CATHODE RAY TUBE (CRT): The "television-like" screen used to display the output +from a computer. + +CELLULAR MOBILE RADIO: A system providing exchange telephone service to a +station located in an auto or other mobile vehicle, using radio circuits to a +base radio station which covers a specific geographical area and as the vehicle +moves from one area to another, different base radio stations handle the call. + +CENTRAL OFFICE (CO): A telephone switching center that provides local access to +the public network. Sometimes referred to as: Class 5 office, end office, or +Local Dial Office. + +CENTREX, CO: PBX Service provided by a switch located at the telephone company +central office. + +CENTREX, CU: A variation on Centrex CO provided by a telephone company +maintained "Central Office" type switch located at the customer's premises. + +CENTRAL PROCESSING UNIT +(CPU): The control unit within a computer which handles all the intelligent +functions of the systems. In a telephone switch, directs all potions of the +system to carry out their appropriate functions. Synonym: Common Control. + +CHANNEL: A communication path via a carrier or microwave radio. + +CHARACTER: Any letter, digit, or special symbol. In data transmission would be +represented by a specific code made up of a group of binary digits. + +CIRCUIT: A path for the transmission of electromagnetic signals to include all +conditioning and signaling equipment. Synonym: Facility + +CIRCUIT SWITCHING: A switching system that completes a dedicated transmission +path from sender to receiver at the time of transmission. + +CLASS OF SERVICE/CLASS +MARK (COS): A subgrouping of telephone customers or users for the sake of rate +distinction or limitation of service. + +COAXIAL CABLE: A cable having several coaxial lines under a single protective +sheath. Usually used as a high capacity carrier in urban areas between +interexchange and toll offices. + +CODEC: Coder-Decoder. Used to convert analog signals to digital form for +transmission over a digital median and back again to the original analog form. + +COMMON CARRIER: A government regulated private company that provides the +general public with telecommunications services and facilities. + + Page 13 + + + + + The Official Phreaker's Manual + + +COMMON CHANNEL INTEROFFICE +SIGNALING (CCIS): A digital technology used by AT&T to enhance their Integrated +Services Digital Network. It uses a separate data line to route interoffice +signals to provide faster call set-up and more efficient use of trunks. + +COMMON CONTROL SWITCHING +ARRANGEMENT (CCSA): An arrangement for telecommunicationsnetworks in which +common controlled switching machines are used to route traffic over network +routes and access lines. The switching machine may be shared with other users +and is maintained by the telephone company. + +COMPUTER PORT/TKI PORT: The interface through which the computer connects to +the communications circuit. + +CONDITIONING EQUIPMENT: Equipment modifications or adjustments necessary to +match transmission levels and impedances and which equalizes transmission and +delay to bring circuit losses, levels, and distortion within established +standards. + +CONFIGURATION: The combination of long-distance services and/or equipment that +make up a communications system. + +CONTROL UNIT (CU): The central processor of a telephone switching device. + +CORPORATE ID NUMBER: The MCI term for the number which identifies a customer on +a corporate level. (Not all MCI customers have this). + +COST COMPONENT: The price of each type of long distance service and/or +equipment that constitutes a configuration. + +COST PER HOUR (CPH): Total cost of different services divided by total holding +time (in minutes). + +CROSS CONNECTION: The wire connections running between terminals on the two +sides of a distribution frame, or between binding posts in a terminal. + +CROSS TALK: The unwanted energy (speech or tone) transferred from one circuit +to another circuit. + +CUSTOMER OWNED AND +MAINTAINED (COAM): Customer provided communications apparatus, and their +associated wiring. + +CUSTOMER +PREMISE EQUIPMENT (CPE): Telephone equipment, usually including wiring located +within the customer's part of a building. + +CUT: To transfer a service from one facility to another. + +CUT THROUGH: The establishment of a complete path for signaling and/or audio +communications. + + +- D - + +DATA: Any representation, such as characters to which a meaning is assigned. + + + Page 14 + + + + + The Official Phreaker's Manual + +DATA COMMUNICATIONS: The movement of coded information by means of electronic +transmission systems. + +DATA SET: A device which converts data into signals suitable for transmission +over communications lines. + +DATA TERMINAL: A station in a system capable of sending and/or receiving data +signals. + +DECIBEL (db): A unit of measurement represented as a ratio of two voltages, +currents or powers and is used to measure transmission loss or gain. + +DELAY DIAL: A dialing configuration whereby local dial equipment will wait +until it receives the entire telephone number before seizing a circuit to +transmit the call. + +DELTA MODULATION (DM): A variant of pulse code modulation whereby a code +representing the difference between the amplitude of a sample and t~he +amplitude of a previous one is sent. Operates well in the presence of noise, +but requires a wide frequency band. + +DEMODULATION: The process of retrieving data from a modulated signal. + +DIAL LEVEL: The selection of stations or services associated with a PBX using a +one to four digit code (e.g., dialing 9 for access to outside dial tone). + +DIAL PULSING: The transmitting of telephone address signals by momentarily +opening a DC circuit a number of times corresponding to the decimal digit which +is dialed. + +DIAL REPEATING TIE LINE/ +DIAL REPEATING TIE TRUNK: A tie line which permits direct station to station +calling without use of the attendant. + +DIAL SELECTIVE SIGNALING: A multipoint network in which the called party is +selected by a prearranged dialing code. + +DIAL TONE: A tone indicating that automatic switching equipment is ready to +receive dial signals. + +DIALING PLAN: A description of the dialing arrangements for customer use on a +networks. + +DIGITAL: Referring to the use of digits to formulate and solve problems, or to +encode information. + +DIMENSION CUSTOM +TELEPHONE SERVICE (DCTS): AT&T's electronically programmable telephone station +sets which use special buttons to access PBX features. + +DIRECT +DISTANCE DIALING (DDD): A toll service that permits customers to dial their own +long distance call without the aid of an operator. + +DIRECT +INWARD DIALING (DID): A PBX or CENTREX feature that allows a customer outside +the system to directly dial a station within the system. + + + Page 15 + + + + + The Official Phreaker's Manual + +DIRECT OUTWARD DIALING: A PBX or CENTREX feature that allows a station user to +gain direct access to an exchange network. + +DROP: That direction of a circuit which looks towards the local operator. + +DRY CIRCUIT: A circuit which transmits voice signals and carries no direct +current. + +DUAL TONE +MULTI-FREQUENCY (DTMF): Also know as Touch Tone. A type of signaling which +emits two distinct frequencies for each indicated digit. + +DUPLEX: Simultaneous two-way independent transmission. + +DX SIGNALING: A long-range bidirectional signaling method using paths derived +from transmission cable pairs. It is based on a balanced and symmetrical +circuit that is identical at both ends. This circuit presents an E&M lead +interface to connecting circuits. + + + + ============================================================ + +This concludes Part 1 Volume I of the MCI Telecommunications Glossary. Look for +more G-philes from The MCI School of Telecommunications Management Reference +Guide coming soon. + + This has been a 2600 Club production + + +Thanx to Taran King + ============================================================ + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 16 + + + + + The Official Phreaker's Manual + + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + $ _______________________________ $ + $ | | $ + $ | ELECTRONIC TOLL FRAUD DEVICES | $ + $ |_______________________________| $ + $ $ + $ $ + $ TYPED AND UPLOADED BY: $ + $ $ + $$$$$$$$$$$$-=>LEX LUTHOR<=-$$$$$$$$$$$ + $ $ + $ $ + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + + + THIS PHILE IS DESIGNED TO IDENTIFY VARIOUS KINDS OF ETF (ELECTRONIC TOLL +FRAUD) DEVICES AND TO DESCRIBE THEIR OPERATION, ACCORDING TO A BOOKLET PUT OUT +BY BELL ENTITLED: THE INVESTIGATION AND PROSECUTION OF ELECTRONIC TOLL FRAUD +DEVICES. (FOR OFFICIAL USE ONLY). + +THERE ARE SEVERAL DIFFERENT TYPES OF ELECTRONIC EQUIPMENT WHICH MAY BE +GENERALLY CLASSIFIED AS ETF DEVICES. THE MOST SIGNIFICANT IS THE "BLUE BOX". +THE CHARACTERISTICS OF EACH TYPE OF DEVICE ARE DISCUSSED BELOW. + + + +*BLUE BOX* +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + THE "BLUE BOX" WAS SO NAMED BECAUSE OF THE COLOR OF THE FIRST ONE FOUND. THE +DESIGN AND HARDWARE USED IN THE BLUE BOX IS FAIRLY SOPHISTICATED, AND ITS SIZE +VARIES FROM A LARGE PIECE OF APPARATUS TO A MINIATURIZED UNIT THAT IS +APPROXIMATELY THE SIZE OF A "KING SIZE" PACKAGE OF CIGARETTES. THE BLUE BOX +CONTAINS 12 OR 13 BUTTONS OR SWITCHES THAT EMIT MULTI-FREQUENCY TONES +CHARACTERISTIC OF THE TONES USED IN THE NORMAL OPERATION OF THE TELEPHONE TOLL +(LONG DISTANCE) SWITCHING NETWORK. THE BLUE BOX ENABLES ITS USER TO ORIGINATE +FRAUDULENT ("FREE") TOLL CALLS BY CIRCUMVENTING TOLL BILLING EQUIPMENT. THE +BLUE BOX MAY BE DIRECTLY CONNECTED TO A PHONE LINE, OR IT MAY BE ACOUSTICALLY +COUPLED TO A TELEPHONE HANDSET BY PLACING THE BLUE BOX'S SPEAKER NEXT TO THE +TRANSMITTER OR THE TELEPHONE HANDSET. THE OPERATION OF A BLUE BOX WILL BE +DISCUSSED IN MORE DETAIL BELOW. + + TO UNDERSTAND THE NATURE OF A FRAUDULENT BLUE BOX CALL, IT IS NECESSARY TO +UNDERSTAND THE BASIC OPERATION OF THE DIRECT DISTANCE DIALING (DDD) TELEPHONE +NETWORK. WHEN A DDD CALL IS PROPERLY ORIGINATED, THE CALLING NUMBER IS +IDENTIFIED AS AN INTEGRAL PART OF ESTABLISHING THE CONNECTION. THIS MAY BE DONE +EITHER AUTOMATICALLY OR, IN SOME CASES, BY AN OPERATOR ASKING THE CALLING PARTY +FOR HIS TELEPHONE NUMBER. + THIS INFORMATION IS ENTERED ON A TAPE IN THE AUTOMATIC MESSAGE ACCOUNTING +(AMA) OFFICE. THIS TAPE ALSO CONTAINS THE NUMBER ASSIGNED TO THE TRUNK LINE +OVER WHICH THE CALL IS TO BE SENT. THE INFORMATION RELATING TO THE CALL +CONTAINED ON THE TAPE INCLUDES: CALLED NUMBER, CALLING NUMBER, TIME OF CALL. +THE TIME OF DISCONNECT AT THE END OF THE CALL IS ALSO RECORDED. + ALTHOUGH THE TAPE CONTAINS INFO WITH RESPECT TO MANY DIFFERENT CALLS, THE +VARIOUS DATA ENTRIES WITH RESPECT TO A SINGLE CALL ARE EVENTUALLY CORRELATED TO +PROVIDE BILLING INFO FOR USE BY YOUR BELL'S ACCOUNTING DEPARTMENT. + THE TYPICAL BLUE BOX USER USUALLY DIALS A NUMBER THAT WILL ROUTE THE CALL +INTO THE TELEPHONE NETWORK WITHOUT CHARGE. FOR EXAMPLE, THE USER WILL VERY + + Page 17 + + + + + The Official Phreaker's Manual + +OFTEN CALL A WELL-KNOWN INWATS (TOLL-FREE) CUSTOMER'S NUMBER. THE BLUE BOX +USER, AFTER GAINING THIS ACCESS TO THE NETWORK AND, IN EFFECT, "SEIZ¥§G" +CONTROL AND COMPLETE DOMINION OVER THE LINE, OPERATES A KEY ON THE BLUE BOX +WHICH EMITS A 2600 HERTZ (CYCLES PER SECOND) TONE. THIS TONE CAUSES THE +SWITCHING EQUIPMENT TO RELEASE THE CONNECTION TO THE INWATS CUSTOMER'S LINE. +THE 2600HZ TONE IS A SIGNAL THAT THE CALLING PARTY HAS HUNG UP. THE BLUE BOX +SIMULATES THIS CONDITION. HOWEVER, IN FACT THE LOCAL TRUNK ON THE CALLING +PARTY'S END IS STILL CONNECTED TO THE TOLL NETWORK. THE BLUE BOX USER NOW +OPERATES THE "KP" (KEY PULSE) KEY ON THE BLUE BOX TO NOTIFY THE TOLL SWITCHING +EQUIPMENT THAT SWITCHING SIGNALS ARE ABOUT TO BE EMITTED. THE USER THEN PUSHES +THE "NUMBER" BUTTONS ON THE BLUE BOX CORRESPONDING TO THE TELEPHONE # BEING +CALLED. AFTER DOING SO HE/SHE OPERATES THE "ST" (START) KEY TO INDICATE TO THE +SWITCHING EQUIPMENT THAT SIGNALLING IS COMPLETE. IF THE CALL IS COMPLETED, ONLY +THE PORTION OF THE ORIGINAL CALL PRIOR TO THE EMISSION OF 2600HZ TONE IS +RECORDED ON THE AMA TAPE. THE TONES EMITTED BY THE BLUE BOX ARE NOT RECORDED ON +THE AMA TAPE. THEREFORE, BECAUSE THE ORIGINAL CALL TO THE INWATS # IS +TOLL-FREE, NO BILLING IS RENDERED IN CONNECTION WITH THE CALL. + ALTHOUGH THE ABOVE IS A DESCRIPTION OF A TYPICAL BLUE BOX OPERATION USING A +COMMON METHOD OF ENTRY INTO THE NETWORK, THE OPERATION OF A BLUE BOX MAY VARY +IN ANY ONE OR ALL OF THE FOLLOWING RESPECTS: + +(A) THE BLUE BOX MAY INCLUDE A ROTARY DIAL TO APPLY THE 2600HZ TONE AND THE +SWITCHING SIGNALS. THIS TYPE OF BLUE BOX IS CALLED A "DIAL PULSER" OR "ROTARY +SF" BLUE BOX. + +(B) ENTRANCE INTO THE DDD TOLL NETWORK MAY BE EFFECTED BY A PRETEXT CALL TO ANY +OTHER TOLL-FREE # SUCH AS UNIVERSAL DIRECTORY ASSISTANCE (555-1212) OR ANY # IN +THE INWATS NETWORK, EITHER INTER-STATE OR INTRA-STATE, WORKING OR NON-WORKING. + +(C) ENTRANCE INTO THE DDD TOLL NETWORK MAY ALSO BE IN THE FORM OF "SHORT HAUL" +CALLING. A "SHORT HAUL" CALL IS A CALL TO ANY # WHICH WILL RESULT IN A LESSER +AMOUNT OF TOLL CHARGES THAN THE CHARGES FOR THE CALL TO BE COMPLETED BY THE +BLUE BOX. FOR EXAMPLE, A CALL TO BIRMINGHAM FROM ATLANTA MAY COST $.80 FOR THE +FIRST 3 MINUTES WHILE A CALL FROM ATLANTA TO LOS ANGELES IS $1.85 FOR 3 +MINUTES. THUS, A SHORT HAUL, 3-MINUTE CALL TO BIRMINGHAM FROM ATLANTA, SWITCHED +BY USE OF A BLUE BOX TO LOS ANGELES, WOULD RESULT IN A NET FRAUD OF $2.65 FOR A +3 MINUTE CALL. + +(D) A BLUE BOX MAY BE WIRED INTO THE TELEPHONE LINE OR ACOUSTICALLY CONNECTED +TO THE HANDSET. THE BLUE BOX MAY EVEN BE BUILT INSIDE A REGULAR TOUCH-TONE +PHONE, USING THE PHONE'S PUSH BUTTONS FOR THE BLUE BOX'S SIGNALLING TONES. + +(E) A MAGNETIC TAPE RECORDING MAY BE USED TO RECORD THE BLUE BOX TONES +REPRESENTATIVE OF SPECIFIC PHONE #'S. SUCH A TAPE RECORDING COULD BE USED IN +LIEU OF +A BLUE BOX TO FRAUDULENTLY PLACE CALLS TO THE PHONE #'S RECORDED ON THE +MAGNETIC TAPE. + + ALL BLUE BOXES, EXCEPT "DIAL PULSE" OR "ROTARY SF" BLUE BOXES, MUST HAVE +THE FOLLOWING 4 COMMON OPERATING CAPABILITIES: + +(A) IT MUST HAVE SIGNALLING CAPABILITY IN THE FORM OF A 2600HZ TONE. THE TONE +IS USED BY THE TOLL NETWORK TO INDICATE, EITHER BY ITS PRESENCE OR ITS ABSENCE, +AN "ON HOOK" (IDLE) OR "OFF HOOK" (BUSY) CONDITION OF THE TRUNK. + +(B) THE BLUE BOX MUST HAVE A "KP" TONES THAT UNLOCKS OR READIES THE +MULTI-FREQUENCY RECEIVER AT THE CALLED END TO RECEIVE THE TONES CORRESPONDING +TO THE CALLED PHONE #. + + Page 18 + + + + + The Official Phreaker's Manual + + +(C) THE TYPICAL BLUE BOX MUST BE ABLE TO EMIT MF TONES WHICH ARE USED TO +TRANSMIT PHONE #'S OVER THE TOLL NETWORK. EACH DIGIT OF A PHONE # IS +REPRESENTED BY A COMBINATION OF 2 TONES. FOR EXAMPLE, THE DIGIT 2 IS X-MITTED +BY A COMBINATION OF 700HZ AND 1100HZ. + +(D) THE BLUE BOX MUST HAVE AN "ST" KEY WHICH CONSISTS OF A COMBINATION OF 2 +TONES THAT TELL THE EQUIPMENT AT THE CALLED END THAT ALL DIGITS HAVE BEEN SENT +AND THAT THE EQUIPMENT SHOULD START SWITCHING THE CALL TO THE CALLED NUMBER. + + THE "DIAL PULSER" OR "ROTARY SF" BLUE BOX REQUIRES ONLY A DIAL WITH A +SIGNALLING CAPABILITY TO PRODUCE A 2600HZ TONE. + +*BLACK BOX* +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + THIS ETF DEVICE IS SO-NAMED BECAUSE OF THE COLOR OF THE FIRST ONE FOUND. +IT VARIES IN SIZE AND USUALLY HAS ONE OR TWO SWITCHES OR BUTTONS. ATTACHED TO +THE TELEPHONE LINE OF A CALLED PARTY, THE BLACK BOX PROVIDES TOLL-FREE CALLING +*TO* THAT PARTY'S LINE. A BLACK BOX USER INFORMS OTHER PERSONS BEFOREHAND THAT +THEY WILL NOT BE CHARGED FOR ANY CALL PLACED TO HIM. THE USER THEN OPERATES THE +DEVICE CAUSING A "NON-CHARGE" CONDITION ("NO ANSWER" OR "DISCONNECT") TO BE +RECORDED ON THE TELEPHONE COMPANY'S BILLING EQUIPMENT. A BLACK BOX IS +RELATIVELY SIMPLE TO CONSTRUCT AND IS MUCH LESS SOPHISTICATED THAN A BLUE BOX. + +*CHEESE BOX* +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + ITS DESIGN MAY BE CRUDE OR VERY SOPHISTICATED. ITS SIZE VARIES; ONE WAS FOUND +THE SIZE OF A HALF-DOLLAR. A CHEESE BOX IS USED MOST OFTEN BY BOOKMAKERS OR +BETTERS TO PLACE WAGERS WITHOUT DETECTION FROM A REMOTE LOCATION. THE DEVICE +INTER-CONNECTS 2 PHONE LINES, EACH HAVING DIFFERENT #'S BUT EACH TERMINATING AT +THE SAME LOCATION. IN EFFECT, THERE ARE 2 PHONES AT THE SAME LOCATION WHICH ARE +LINKED TOGETHER THROUGH A CHEESE BOX. IT IS USUALLY FOUND IN AN UNOCCUPIED +APARTMENT CONNECTED TO A PHONE JACK OR CONNECTING BLOCK. THE BOOKMAKER, AT SOME +REMOTE LOCATION, DIALS ONE OF THE NUMBERS AND STAYS ON THE LINE. VARIOUS +BETTORS DIAL THE OTHER NUMBER BUT ARE AUTOMATICALLY CONNECTED WITH THE +BOOKMAKER BY MEANS OF THE CHEESE BOX INTER-CONNECTION. IF, IN ADDITION TO A +CHEESE BOX, A BLACK BOX IS INCLUDED IN THE ARRANGEMENT, THE COMBINED EQUIPMENT +WOULD PERMIT TOLL-FREE CALLING ON EITHER LINE TO THE OTHER LINE. IF A POLICE +RAID WERE CONDUCTED AT THE TERMINATING POINT OF THE CONVERSATIONS -THE LOCATION +OF THE CHEESE BOX- THERE WOULD BE NO EVIDENCE OF GAMBLING ACTIVITY. THIS DEVICE +IS SOMETIMES DIFFICULT TO IDENTIFY. LAW ENFORCEMENT OFFICIALS HAVE BEEN ADVISED +THAT WHEN UNUSUAL DEVICES ARE FOUND ASSOCIATED WITH TELEPHONE CONNECTIONS THE +PHONE COMPANY SECURITY REPRESENTATIVES SHOULD BE CONTACTED TO ASSIST IN +IDENTIFICATION. (THIS PROBABLY WOULD BE GOOD FOR A BBS , ESPECIALLY WITH THE +BLACK BOX SET UP. AND IF YOU EVER DECIDED TO TAKE THE BOARD DOWN, YOU WOULDN'T +HAVE TO CHANGE YOUR PHONE #. IT ALSO MAKES IT SO YOU YOURSELF CANNOT BE TRACED. +I AM NOT SURE ABOUT CALLING OUT FROM ONE THOUGH) + +*RED BOX* +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + THIS DEVICE IT COUPLED ACOUSTICALLY TO THE HANDSET TRANSMITTER OF A +SINGLE-SLOT COIN TELEPHONE. THE DEVICE EMITS SIGNALS IDENTICAL TO THOSE TONES +EMITTED WHEN COINS ARE DEPOSITED. THUS, LOCAL OR TOLL CALLS MAY BE PLACED +WITHOUT THE ACTUAL DEPOSIT OF COINS. + + + Page 19 + + + + + The Official Phreaker's Manual + + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + /-/ /-/ + /-/ Phreaker's /-/ + /-/ PhunHouse /-/ + /-/ /-/ + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + /-/ By: /-/ + /-/ The Traveler /-/ + /-/ /-/ + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + /-/ /-/ + /-/ Call: /-/ + /-/ Brainstorm BBS /-/ + /-/ 612/345-2815 (300/1200) /-/ + /-/ /-/ + /-/ Little America /-/ + /-/ 507/289-8211 (300) /-/ + /-/ /-/ + /-/ Tell 'em Traveler sent ya /-/ + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + + The long awaited prequil to Phreaker's Guide has finally arrived. Conceived +from the boredom and loneliness that could only be derived from: The Traveler! +But now, he has returned in full strength (after a small vacation) and is here +to 'World Premiere' the new files everywhere. + Stay cool. This is the prequil to the first one, so just relax. This is not +made to be an exclusive ultra elite file, so kinda calm down and watch in the +background if you are too cool for it... + +/-/ Phreak Dictionary /-/ + + Here you will find some of the basic but necessary terms that should be known +by any phreak who wants to be respected at all... + + Phreak [fr'eek]:1. The action of using mischevious and mostly illegal ways +in order to not pay for some sort of telecommunications bill, order, transfer, +or other service. It often involves usage of highly illegal boxes and machines +in order to defeat the security that is set up to avoid this sort of +happening. + [fr'eaking]. v. 2. A person who uses the above methods of destruction and +chaos in order to make a better life for all. A true phreaker will not not go +against his fellows or narc on people who have ragged on him or do anything +termed to be dishonorable to phreaks. + [fr'eek]. n. 3. A certain code or dialup useful in the action of being a +phreak. (Example: "I hacked a new metro phreak last night.") + + Switching System + [Swich'ing sis'tem]: 1. There are 3 main switching systems currently employed +in the US, and a few other systems will be mentioned as background. +A) SxS: This system was invented in 1918 and was employed in over half of the +country until 1978. It is a very basic system that is a general waste of energy +and hard work on the linesman. A good way to identify this is that it requires +a coin in the phone booth before it will give you a dial tone, or that no call +waiting, call forwarding, or any other such service is available. Stands for: +Step by Step + +B) XB: This switching system was first employed in 1978 in order to take care +of most of the faults of SxS switching. Not only is it more efficient, but it + + Page 20 + + + + + The Official Phreaker's Manual + +also can support different services in various forms. XB1 is Crossbar Version +1. That is very limited and is hard to distinguish from SxS except by direct +view of the wiring involved. Next up was XB4, Crossbar Version 4. With this +system, some of the basic things like DTMF that were not available with SxS can +be accomplished. For the final stroke of XB, XB5 was created. This is a service +that can allow DTMF plus most 800 type services (which were not always +available...) Stands for: Crossbar. +C) ESS: A nightmare in telecom. In vivid color, ESS is a pretty bad thing to +have to stand up to. It is quite simple to identify. Dialing 911 for +emergencies, and ANI [see ANI below] are the most common facets of the dread +system. ESS has the capability to list in a person's caller log what number was +called, how long the call took, and even the status of the conversation (modem +or otherwise.) Since ESS has been employed, which has been very recently, it +has gone through many kinds of revisions. The latest system to date is ESS 11a, +that is employed in Washington D.C. for security reasons. ESS is truly trouble +for any phreak, because it is 'smarter' than the other systems. For instance, +if on your caller log they saw 50 calls to 1-800-421-9438, they would be able +to do a CN/A [see Loopholes below] on your number and determine whether you are +subscribed to that service or not. This makes most calls a hazard, because +although 800 numbers appear to be free, they are recorded on your caller log +and then right before you receive your bill it deletes the billings for them. +But before that they are open to inspection, which is one reason why extended +use of any code is dangerous under ESS. Some of the boxes [see Boxing below] +are unable to function in ESS. It is generally a menace to the true phreak. +Stands For: Electronic Switching System. because they could appear on a filter +somewhere or maybe it is just nice to know them any ways. + A) SSS: Strowger Switching System. First non-operator system +available. + B) WES: Western Electronics Switching. Used about 40 years ago +with some minor places out west. + Boxing [Boks'-ing]: 1) The use of personally designed boxes that emit or +cancel electronical impulses that allow simpler acting while phreaking. Through +the use of separate boxes, you can accomplish most feats possible with or +without the control of an operator. + 2) Some boxes and their functions are listed below. Ones +marked with '*' indicate that they are not operatable in ESS. + *Black Box: Makes it seem to the phone company that the phone was never +picked up. + + Blue Box: Emits a 2600hz tone that allows you to do such things as stack +a trunk line, kick the operator off line, and others. + + Red Box: Simulates the noise of a quarter, nickel, or dime being +dropped into a payphone. + + Cheese Box: Turns your home phone into a pay phone to throw off traces (a +red box is usually needed in order to call out.) + + *Clear Box: Gives you a dial tone on some of the old SxS payphones without +putting in a coin. + + Beige Box: ¡ simpler produced linesman's handset that allows you to tap +into phone lines and extract by eavesdropping, or crossing wires, etc. + Purple Box: Makes all calls made out from your house seem to be local +calls. + ANI [ANI]: 1) Automatic Number Identification. A service available on ESS +that allows a phone service [see Dialups below] to record the number that any +certain code was dialed from along with the number that was called and print + + Page 21 + + + + + The Official Phreaker's Manual + +both of these on the customer bill. 950 dialups [see Dialups below] are all +designed just to use ANI. Some of the services do not have the proper equipment +to read the ANI impulses yet, but it is impossible to see which is which +without being busted or not busted first. + Dialups + [dy'l'ups]: 1) Any local or 800 extended outlet that allows instant access to +any service such as MCI, Sprint, or AT&T that from there can be used by +handpicking or using a program to reveal other peoples codes which can then be +used moderately until they find out about it and you must switch to another +code (preferably before they find out about it.) + 2) Dialups are extremely common on both senses. Some dialups +reveal the company that operates them as soon as you hear the tone. Others are +much harder and some you may never be able to identify. A small list of +dialups: + 1-800-421-9438 (5 digit codes) + 1-800-547-6754 (6 digit codes) + 1-800-345-0008 (6 digit codes) + 1-800-734-3478 (6 digit codes) + 1-800-222-2255 (5 digit codes) + 3) Codes: Codes are very easily accessed procedures when you call +a dialup. They will give you some sort of tone. If the tone does not end in 3 +seconds, then punch in the code and immediately following the code, the number +you are dialing but strike the '1' in the beginning out first. If the tone does +end, then punch in the code when the tone ends. Then, it will give you another +tone. Punch in the number you are dialing, or a '9'. If you punch in a '9' and +the tone stops, then you messed up a little. If you punch in a tone and the +tone continues, then simply dial then number you are calling without the '1'. + 4) All codes are not universal. The only type that I know of that +is truly universal is Metrophone. Almost every major city has a local Metro +dialup (for Philadelphia, (215)351-0100/0126) and since the codes are +universal, almost every phreak has used them once or twice. They do not employ +ANI in any outlets that I know of, so feel free to check through your books and +call 555-1212 or, as a more devious manor, subscribe yourself. Then, never use +your own code. That way, if they check up on you due to your caller log, they +can usually find out that you are subscribed. Not only that but you could set a +phreak hacker around that area and just let it hack away, since they usually +group them, and, as a bonus, you will have their local dialup. + 5) 950's. They seem like a perfectly cool phreakers dream. They +are free from your house, from payphones, from everywhere, and they host all of +the major long distance companies (950-1044 , 950-1077 , 950-1088 +, 950-1033 .) Well, they aren't. They were designed for +ANI. That is the point, end of discussion. + + A phreak dictionary. If you remember all of the things contained on that file +up there, you may have a better chance of doing whatever it is you do. This +next section is maybe a little more interesting... + +Blue Box Plans: +--------------- + + These are some blue box plans, but first, be warned, there have been 2600hz +tone detectors out on operator trunk lines since XB4. The idea behind it is to +use a 2600hz tone for a few very naughty functions that can really make your +day lighten up. But first, here are the plans, or the heart of the file: + +============================================== +700 : 1 : 2 : 4 : 7 : 11 : +900 : + : 3 : 5 : 8 : 12 : + + Page 22 + + + + + The Official Phreaker's Manual + +1100 : + : + : 6 : 9 : KP : +1300 : + : + : + : 10 : KP2 : +1500 : + : + : + : + : ST : + : 700 : 900 :1100 :1300 :1500 : +============================================== + + Stop! Before you diehard users start piecing those little tone tidbits +together, there is a simpler method. If you have an Apple-Cat with a program +like Cat's Meow IV, then you can generate the necessary tones, the 2600hz tone, +the KP tone, the KP2 tone, and the ST tone through the dial section. So if you +have that I will assume you can boot it up and it works, and I'll do you the +favor of telling you and the other users what to do with the blue box now that +you have somehow constructed it. + The connection to an operator is one of the most well known and used ways of +having fun with your blue box. You simply dial a TSPS (Traffic Service +Positioning Station, or the operator you get when you dial '0') and blow a +2600hz tone through the line. Watch out! Do not dial this direct! After you +have done that, it is quite simple to have fun with it. Blow a KP tone to start +a call, a ST tone to stop it, and a 2600hz tone to hang up. Once you have +connected to it, here are some fun numbers to call with it: + +0-700-456-1000 Teleconference (free, because you are the operator!) +(Area code)-101 Toll Switching +(Area code)-121 Local Operator (hehe) +(Area code)-131 Information +(Area code)-141 Rate & Route +(Area code)-181 Coin Refund Operator +(Area code)-11511 Conference operator (when you dial 800-544-6363) + + Well, those were the tone matrix controllers for the blue box and some other +helpful stuff to help you to start out with. But those are only the functions +with the operator. There are other k-fun things you can do with it... + More advanced Blue Box Stuff: + Oops. Small mistake up there. I forgot tone lengths. Um, you blow a tone +pair out for up to 1/10 of a second with another 1/10 second for silence +between the digits. KP tones should be sent for 2/10 of a second. One way to +confuse the 2600hz traps is to send pink noise over the channel (for all of you +that have decent BSR equalizers, there is major pink noise in there...) +Using the operator functions is the use of the 'inward' trunk line. That is +working it from the inside. From the 'outward' trunk, you can do such things as +make emergency breakthrough calls, tap into lines, busy all of the lines in any +trunk (called 'stacking'), enable or disable the TSPS's, and for some 4a +systems you can even re-route calls to anywhere. + + All right. The one thing that every complete phreak guide should not be +without is blue box plans, since they were once a vital part of phreaking. +Another thing that every complete file needs is a complete listing of all of +the 800 numbers around so you can have some more fun. + +/-/ 800 Dialup Listings /-/ + +1-800-345-0008 (6) 1-800-547-6754 (6) +1-800-245-4890 (4) 1-800-327-9136 (4) +1-800-526-5305 (8) 1-800-858-9000 (3) +1-800-437-9895 (7) 1-800-245-7508 (5) +1-800-343-1844 (4) 1-800-322-1415 (6) +1-800-437-3478 (6) 1-800-325-7222 (6) + + + Page 23 + + + + + The Official Phreaker's Manual + + All right, set Cat Hacker 1.0 on those numbers and have a fuck of a day. That +is enough with 800 codes, by the time this gets around to you I dunno what +state those codes will be in, but try them all out anyways and see what you +get. On some 800 services now, they have an operator who will answer and ask +you for your code, and then your name. Some will switch back and forth between +voice and tone verification, you can never be quite sure which you will be up +against. + Armed with this knowledge you should be having a pretty good time phreaking +now. But class isn't over yet, there are still a couple important rules that +you should know. If you hear continual clicking on the line, then you should +assume that an operator is messing with something, maybe even listening in on +you. It is a good idea to call someone back when the phone starts doing that. +If you were using a code, use a different code and/or service to call him +back. + A good way to detect if a code has gone bad or not is to listen when the +number has been dialed. If the code is bad you will probably hear the phone +ringing more clearly and more quickly than if you were using a different code. +If someone answers voice to it then you can immediately assume that it is an +operative for whatever company you are using. The famed '311311' code for Metro +is one of those. You would have to be quite stupid to actually respond, because +whoever you ask for the operator will always say 'He's not in right now, can I +have him call you back?' and then they will ask for your name and phone number. +Some of the more sophisticated companies will actually give you a carrier on a +line that is supposed to give you a carrier and then just have garbage flow +across the screen like it would with a bad connection. That is a feeble effort +to make you think that the code is still working and maybe get you to dial +someone's voice... a good test for the carrier trick is to dial a number that +will give you a carrier that you have never dialed with that code before, that +will allow you to determine whether the code is good or not. + For our next section, a lighter look at some of the things that a phreak +should not be without. A vocabulary. A few months ago, it was a quite strange +world for the modem people out there. But now, a phreaker's vocabulary is +essential if you wanna make a good impression on people when you post what you +know about certain subjects. + +/-/ Vocabulary /-/ + + - Do not misspell except certain exceptions: + phone -> fone + freak -> phreak + - Never substitute 'z's for 's's. (i.e. codez -> codes) + - Never leave many characters after a post (i.e. Hey Dudes!#!@#@!#!@) + - NEVER use the 'k' prefix (k-kool, k-rad, k-whatever) + - Do not abbreviate. (I got lotsa wares w/ docs) + - Never substitute '0' for 'o' (r0dent, l0zer). + - Forget about ye old upper case, it looks ruggyish. + + All right, that was to relieve the tension of what is being drilled into your +minds at the moment.. now, however, back to the teaching course. Here are some +things you should know about phones and billings for phones, etc. + + LATA: Local Access Transference Area. Some people who live in large cities or +areas may be plagued by this problem. For instance, let's say you live in the +215 area code under the 542 prefix (Ambler, Fort Washington). If you went to +dial in a basic Metro code from that area, for instance, 351-0100, that might +not be counted under unlimited local calling because it is out of your LATA. +For some LATA's, you have to dial a '1' without the area code before you can +dial the phone number. That could prove a hassle for us all if you didn't + + Page 24 + + + + + The Official Phreaker's Manual + +realize you would be billed for that sort of call. In that way, sometimes, it +is better to be safe than sorry and phreak. + The Caller Log: In ESS regions, for every household around, the phone company +has something on you called a Caller Log. This shows every single number that +you dialed, and things can be arranged so it showed every number that was +calling to you. That's one main disadvantage of ESS, it is mostly computerized +so a number scan could be done like that quite easily. Using a dialup is an +easy way to screw that, and is something worth remembering. Anyways, with the +caller log, they check up and see what you dialed. Hmm... you dialed 15 +different 800 numbers that month. Soon they find that you are subscribed to +none of those companies. But that is not the only thing. Most people would +imagine "But wait! 800 numbers don't show up on my phone bill!". To those +people, it is a nice thought, but 800 numbers are picked up on the caller log +until right before they are sent off to you. So they can check right up on you +before they send it away and can note the fact that you fucked up slightly and +called one too many 800 lines. + +Right now, after all of that, you should have a pretty good idea of how to grow +up as a good phreak. Follow these guidelines, don't show off, and don't take +unnecessary risks when phreaking or hacking. + +File Level:5 + + /-/ Credits /-/ + + To The Videosmith- for setting me straight on some shit. + To The Linesman- for telling me to upload it to his AE line. + To Modern Mutant- for making me into a phreaking freak. + To Jack the Nibbler- for the basis of the blue box plans. + + By using your new k-koool (hehe) phreaking knowledge, call a couple of these +BBS's around the country: + + /---------------------------------\ + | Bulletin Board List | + | --------------------- | + | 215/844-8836 | + | 7 Cities of Gold (3/12) 10megs | + | 307/382-4006 | + | Brainstorm BBS (3/12) | + | 612/345-2815 | + | Metal Shop (3/12) | + | 314/432-0756 | + \---------------------------------/ + + Stay free! And watch out soon for Deep Thought, somewhere in 215, that will be +a nice BBS that Ace of Spades and I will run. You will be the first to find out +about it, trust me... + +Later, + +The Traveler +Zer0-g + + + + + + + Page 25 + + + + + The Official Phreaker's Manual + + ************ << BIOC AGENT 003'S COURSE IN >> ************ + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART I * + * * + ********************************************************** + + +HOW TO BE A REAL PHREAK +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN THE PHONE PHREAK SOCIETY THERE ARE CERTAIN VALUES THAT EXIST IN ORDER TO +BE A TRUE PHREAK, THESE ARE BEST SUMMED UP BY THE MAGICIAN: + + "MANY PEOPLE THINK OF PHONE PHREAKS AS SLIME, OUT TO RIP OFF BELL FOR +ALL SHE IS WORTH. NOTHING COULD BE FURTHER FROM THE TRUTH! GRANTED, THERE ARE +SOME WHO GET THEIR KICKS BY MAKING FREE CALLS; HOWEVER, THEY ARE NOT TRUE PHONE +PHREAKS. REAL PHONE PHREAKS ARE 'TELECOMMUNICATIONS HOBBYISTS' WHO EXPERIMENT, +PLAY WITH AND LEARN FROM THE PHONE SYSTEM. OCCASIONALLY THIS EXPERIMENTING, AND +A NEED TO COMMUNICATE WITH OTHER PHREAKS ( WITH-OUT GOING BROKE), LEADS TO FREE +CALLS. THE FREE CALLS ARE BUT A SMALL SUBSET OF A TRUE PHONE PHREAKS +ACTIVITIES." + +THE PHONE PHREAK'S TEN COMMANDMENTS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +REPRINTED FROM TAP ISSUE #86. (TAP, ROOM 603, 147 W 42 STREET, NEW YORK, NY +10036) SEND A SASE FOR THEIR INFO SHEET AND TELL THEM THAT BIOC AGENT 003 TOLD +YOU ABOUT IT.) + + +I. BOX THOU NOT OVER THINE HOME TELEPHONE WIRES, FOR THOSE WHO DOEST MUST +SURELY BRING THE WRATH OF THE CHIEF SPECIAL AGENT DOWN UPON THY HEADS. + +II. SPEAKEST THOU NOT OF IMPORTANT MATTERS OVER THINE HOME TELEPHONE WIRES, +FOR TO DO SO IS TO RISK THINE RIGHT OF FREEDOM. + +III. USE NOT THINE OWN NAME WHEN SPEAKING TO OTHER PHREAKS, FOR THAT EVERY +THIRD PHREAK IS AN FBI AGENT IS WELL KNOWN. + +IV. LET NOT OVERLY MANY PEOPLE KNOW THAT THY BE A PHREAK, AS TO DO SO IS TO +USE THINE OWN SELF AS A SACRIFICIAL LAMB. + +V. IF THOU BE IN SCHOOL, STRIVE TO GET THIN SELF GOOD GRADES, FOR THE +AUTHORITIES WELL KNOW THAT SCHOLARS NEVER BREAK THE LAW. + +VI. IF THOU WORKEST, TRY TO BE A EMPLOYEE, AND IMPRESSEST THINE BOSS WITH +THINE ENTHUSIASM, FOR IMPORTANT EMPLOYEES ARE OFTEN SAVED BY THEIR OWN BOSSES. + +VII. STOREST THOU NOT THINE STOLEN GOODS IN THINE OWN HOME, FOR THOSE WHO DO +ARE SURELY NON-BELIEVERS IN THE BELL SYSTEM SECURITY FORCES, AND ARE NOT LONG +FOR THIS WORLD. + +VIII. ATTRACTEST THOU NOT THE ATTENTION OF THE AUTHORITIES, AS THE LESS +NOTICEABLE THOU ART, THE BETTER. + + + Page 26 + + + + + The Official Phreaker's Manual + +IX. MAKEST SURE THINE FRIENDS ARE INSTANT AMNESIACS AND WILL NOT REMEMBER +THAT THOU HAVE CALLED ILLEGALLY, FOR THEIR COOPERATION WITH THE AUTHORITIES +WILL SURELY LESSEN THINE TIME FOR FREEDOM ON THIS EARTH. + +X. SUPPORTEST THOU TAP, AS IT IS THINE NEWSLETTER, AND WITHOUT IT, THY WORK +WILL BE FAR MORE LIMITED. + +CN/A NUMBERS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + CUSTOMER NAME & ADDRESS BUREAUS EXIST SO THAT AUTHORIZED BELL EMPLOYEES MAY +OBTAIN THE NAME & ADDRESS OF ANY CUSTOMER IN THE BELL SYSTEM BY GIVING THE CN/A +OPERATOR THE CUSTOMER'S TEL-#. ALL CUSTOMERS ARE MAINTAINED ON FILE INCLUDING +UNLISTED #'S. THESE BUREAUS HAVE MANY USES FOR PHREAKS. + HERE IS HOW AN EMPLOYEE MIGHT GO ABOUT CALLING CN/A: +"HI, THIS IS JOHN DOE FROM THE MIAMI RESIDENTIAL SERVICE CENTER, CAN I HAVE THE +CUSTOMERS NAME AT (123) 555-1212." + + THE EMPLOYEES USUALLY USE THESE FOR CHECKING WHO BELONGS TO A # THAT +SOMEONE CLAIMED THEY DIDN'T CALL.IF YOU SOUND CHEERY AND NATURAL THE OPERATOR +WILL NEVER ASK ANY QUESTIONS. IF YOU DON'T SOUND LIKE A MATURE ADULT, DON'T USE +IT! ALWAYS PRACTICE FIRST & SO YOU DON'T SCREW UP AND MAKE THE OPERATOR +SUSPICIOUS. USE NAME THAT SOUNDS REAL, NOT YOUR PIRATE NAME EITHER! ALSO SAY +THAT YOU ARE FRO A CITY THAT IS FAR AWAY FROM THE ONE THAT YOU ARE CALLING. + + THE CN/A NUMBER FOR THE NY AREA & VICINITY (212, 315, 516, 518, 607, 716, & +914), IS 518/471-8111, AND IS OPEN DURING BUSINESS HOURS. DON'T ABUSE +IT!!!!!!! + +AT&T NEWSLINES +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + AT&T NEWSLINES ARE NUMBERS AT AREA PHONE OFFICES THAT TELCO EMPLOYEES CALL +TO FIND OUT THE LATEST INFO ON NEW TECHNOLOGY, STOCKS, ETC. THE RECORDED +REPORTS RANGE FROM VERY BORING TO VERY INTERESTING. + +HERE ARE A FEW OF THE NUMBERS: + + *(201) 483-3800 NJ (518) 471-2272 NY + (203) 771-4920 CN (717) 255-5555 PA + (212) 393-2151 NY (717) 787-1031 PA + (516) 234-9941 NY *(914) 948-8100 NY + + SOME OF THESE NUMBERS ARE TOLL-FREE, BUT YOU CAN'T ALWAYS COUNT ON IT. + +* THESE NUMBERS ARE NOT ALWAYS UP! + +NUMBERS FROM OTHER AREAS ARE AVAILABLE BY REQUEST FROM F)BIOC L)AGENT 003. + +ANI NUMBERS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + ANI NUMBERS IDENTIFY THE PHONE NUMBER THAT YOU ARE CALLING FROM. IT IS +USEFUL WHEN PLAYING IN CANS (THOSE BIG SILVER BOXES ON TELEPHONE POLES) TO FIND +OUT THE # OF THE LINE. IT IS ALSO GOOD TO FIND OUT THE # OF A PHONE THAT +DOESN'T HAVE IT PRINTED ON IT. IN THE 914 AREA CODE THE ANI # IS 990. IF YOU +JUST HAVE TO DIAL THE LAST 4 DIGITS FOR A LOCAL #, IE CONGERS (268), DIAL +1-990-1111, WHERE 1111 ARE DUMMY DIGITS THERE IS ALSO A LESS USEFUL TYPE OF + + Page 27 + + + + + The Official Phreaker's Manual + +ANI# WHICH WILL IDENTIFY THE AREA CODE & EXCHANGE. IT IS NXX-9901, WHERE 'NXX' +IS THE EXCHANGE. IN THE 212 & 516 AREA CODES THE ANI # IS 958. + +PHREAK NEWSLETTER +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + TAP IS THE "OFFICIAL" PHONE PHREAK NEWSLETTER, AND HAS EXISTED SINCE 1971. +EACH 4 PAGE ISSUE IS CRAMMED FULL OF INFORMATION ON PHONE PHREAKING, COMPUTER +PHREAKING, FREE GAS, FREE ELECTRICITY, FREE POSTAGE, BREAKING & ENTERING INFO, +ETC. IT IS LARGELY PHONE PHREAK ORIENTED, HOWEVER. + + A 10 ISSUE SUBSCRIPTION COSTS $8.00, IF YOU GET A BULK RATE SEALED ENVELOPE +SUBSCRIPTION. I WOULD RECOMMEND THE FIRST CLASS SUBSCRIPTION, WHICH IS $10. + + AS OF THIS WRITING (7-16-83), THE CURRENT ISSUE IS #86, AND ISSUE #50 IS 8 +PAGES INSTEAD OF THE USUAL 4. BACK ISSUES ARE $0.75 EACH, AND ISSUE #50 IS +$1.50. A BRIEF INDEX TO THE FIRST 80 ISSUES IS AVAILABLE FOR A SASE, OR FREE +WITH A SUBSCRIPTION ORDER. TAP IS NON-PROFIT, AND IN DESPERATE NEED OF MATERIAL +(ARTICLES), MONEY, AND VOLUNTEERS. + +TAP +ROOM 603 +147 WEST 42ND STREET +NEW YORK, NY 10036 + +BELIEVE ME: IT WILL BE THE BEST $10 YOU WILL EVER SPEND... + +BLACK BOX +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THE BLACK BOX IS A DEVICE THAT ATTACHED TO A CALLED PARTIES PHONE +THAT ALLOWS HIM/HER TO RECEIVE FREE LONG DISTANCE CALLS FROM FRIENDS WHO +CALL. + + YOU ONLY NEED 2 PARTS: A SPST TOGGLE SWITCH AND A 10,000 OHM (10 K), +1/2 WATT, 10% RESISTOR. ANY ELECTRONICS PLACE SHOULD HAVE THESE. + + NOW, CUT TWO PIECES OF WIRE, ABOUT 6 INCHES, AND ATTACH THESE TO THE TWO +SCREWS ON THE SWITCH. TURN YOUR NORMAL DDSIDE DOWN AND UNSCREW THE 2 SCREWS. +LOCATE THE "F" AND "RR" SCREWS ON THE NETWORK BOX. WRAP THE RESISTOR BETWEEN +THESE 2 SCREWS AND MAKE SURE THAT THE WIRES TOUCH ONLY THE PROPER TERMINALS! +NOW CONNECT ONE WIRE FROM THE SWITCH TO THE RR TERMINAL. FINALLY, ATTACH THE +REMAINING WIRE TO THE GREEN WIRE (DISCONNECT IT FROM ITS TERMINAL). NOW BRING +THE SWITCH OUT THE REAR OF THE PHONE AND CLOSE IT UP. PUT THE SWITCH IN A +POSITION WHERE YOU GET A DIAL TONE, MARK THIS NORMAL. MARK THE OTHER SIDE +FREE. + + WHEN YOUR FRIENDS CALL (AT A PREARRANGED TIME), QUICKLY LIFT & DROP THE +RECEIVER AS FAST AS POSSIBLE. THIS WILL STOP THE RINGING, IF NOT TRY AGAIN. IT +IS VERY IMPORTANT THAT YOU DO IT FAST! NOW PUT THE SWITCH IN THE FREE POSITION +AND PICK UP THE PHONE. KEEP ALL CALLS SHORT & UNDER 15 MINUTES. + + WHEN SOMEONE CALLS YOU LONG-DISTANCE, THEY ARE BILLED FROM THE MOMENT YOU +ANSWER. THE TELCO KNOWS WHEN YOU ANSWER DUE TO A CERTAIN AMOUNT OF VOLTAGE THAT +FLOWS WHEN YOU PICK UP THE PHONE. HOWEVER, THE RESISTOR CUTS DOWN ON THE +VOLTAGE SO IT IS BELOW THE BILLING RANGE BUT SUFFICIENT ENOUGH TO OPERATE THE +MOUTHPIECE. ANSWERING THE PHONE FOR A FRACTION OF A SECOND STOPS THE RING BUT +IT IS NOT ENOUGH FOR BILLING TO START. IF THE PHONE IS ANSWERED FOR EVEN ONE + + Page 28 + + + + + The Official Phreaker's Manual + +FULL SECOND, BILLING WILL START AND YOU WILL BE CUT OFF WHEN YOU HANG UP AND +SWITCH TO FREE. + +WARNING: BELL CAN RANDOMLY LOOK FOR BLACK BOXES SO BE CAREFUL! + + _____________________________________ +| | +---BLUE WIRE-->>F< | +| | | | +--WHITE WIRE---/ | | +| | | +| RESISTOR | +| | | +| | | +| >RR<-------SWITCH--\ | +| | | +----GREEN WIRE--------------------/ | +| | +|_____________________________________| + +DIAL LOCKS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + HAVE YOU EVER BEEN IN AN OFFICE OR SOMEWHERE AND WANTED TO MAKE A FREE FONE +CALL BUT SOME ASSHOLE PUT A LOCK ON THE FONE TO PREVENT OUT-GOING CALLS? FRET +NO MORE PHELLOW PHREAKS, FOR EVERY SYSTEM CAN BE LITTLE +KNOWLEDGE! + + THERE ARE TWO WAYS TO BEAT THIS OBSTACLE, FIRST PICK THE LOCK, I DON'T HAVE +THE TIME TO TEACH LOCKSMITHING SO WE GO TO THE SECOND METHOD WHICH TAKES +ADVANTAGE OF TELEPHONE ELECTRONICS. + + TO BE AS SIMPLE AS POSSIBLE, WHEN YOU PICK UP THE FONE YOU COMPLETE A +CIRCUIT KNOW AS A LOCAL LOOP. WHEN YOU HANG-UP YOU BREAK THE CIRCUIT. WHEN +YOU DIAL (PULSE) IT ALSO BREAKS THE CIRCUIT BUT NOT LONG ENOUGH TO HANG UP! SO +YOU CAN "PUSH-DIAL." TO DO THIS YOU >>> RAPIDLY <<< DEPRESS THE SWITCHHOOK. +FOR EXAMPLE, TO DIAL AN OPERATOR (AND THEN GIVE HER THE NUMBER YOU WANT CALLED) +>>> RAPIDLY <<< & >>> EVENLY <<< DEPRESS THE SWITCHHOOK 10 TIMES. TO DIAL +634-1268, DEPRESS 6 X'S PAUSE, THEN 3 X'S, PAUSE, THEN 4X'S, ETC. IT TAKES A +LITTLE PRACTICE BUT YOU'LL GET THE HANG OF IT. TRY PRACTICING WITH YOUR OWN # +SO YOU'LL GET A BUSY TONE WHEN RIGHT. IT'LL ALSO WORK ON TOUCH-TONE(TM) SINCE +A DTMF LINE WILL ALSO ACCEPT PULSE. ALSO, NEVER DEPRESS THE SWITCHHOOK FOR +MORE THAN A SECOND OR IT'LL HANG-UP! + + FINALLY, REMEMBER THAT YOU HAVE JUST AS MUCH RIGHT TO THAT FONE AS THE +ASSHOLE WHO PUT THE LOCK ON IT! + +EXCHANGE SCANNING +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + ALMOST EVERY EXCHANGE IN THE BELL SYSTEM HAS TEST #'S AND OTHER "GOODIES" +SUCH AS LOOPS WITH DIAL-UPS. THESE "GOODIES" ARE USUALLY FOUND BETWEEN 9900 AND +9999 IN YOUR LOCAL EXCHANGE. IF YOU HAVE THE TIME AND INITIATIVE, SCAN YOUR +EXCHANGE AND YOU MAY BECOME LUCKY! + +HERE ARE MY FINDINGS IN THE 914-268 EXCHANGE: + + + + Page 29 + + + + + The Official Phreaker's Manual + +9900 - ANI (SEE SEPARATE BULLETIN) +9901 - ANI (SEE SEPARATE BULLETIN) +9927 - OSC. TONE (POSSIBLE TONE SIDE OF A LOOP) +9936 - VOICE # TO THE TELCO CENTRAL OFFICE +9937 - VOICE # TO THE TELCO CENTRAL OFFICE +9941 - COMPUTER (DIGITAL VOICE TRANSMISSION?) +9960 - OSC. TONE (TONE SIDE LOOP) MAY ALSO BE A COMPUTER IN SOME EXCHANGES +9961 - NO RESPONSE (OTHER END OF LOOP?) +9962 - NO RESPONSE (OTHER END OF LOOP?) +9963 - NO RESPONSE (OTHER END OF LOOP?) +9966 - COMPUTER (SEE 9941) +9968 - TONE THAT DISAPPEARS--RESPONDS TO CERTAIN TOUCH-TONE KEYS + + MOST OF THE NUMBERS BETWEEN 9900 & 9999 WILL RING OR GO TO A "WHAT #, +PLEASE?" OPERATOR. + +HAVE PHUN AND REMEMBER IT'S ONLY A LOCAL CALL! + +TOUCH-TONE & FREE CALLS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +THERE ARE SEVERAL WAYS TO MAKE FREE CALLS (SPRINT, MCI, ETC.) USING A ROTARY +PHONE. THEY ARE: + +1. USE A NUMBER THAT ACCEPTS VOICE AS WELL AS DTMF. SUCH A # IS (800) +521-8400. AS OF WRITING THIS, A CODE WAS 00717865. + + A) IF USING VOICE, WAIT FOR THE COMPUTER TO SAY, "AUTHORIZATION #, PLEASE." +THEN SAY EACH DIGIT SLOWLY, IT WILL BEEP AFTER EACH DIGIT IS SAID. AFTER EVERY +GROUP OF DIGITS, IT WILL REPEAT WHAT YOU HAVE SAID, THEN SAY YES IF IT IS +CORRECT, OTHERWISE SAY NO. IF THE ACCESS CODE IS CORRECT, IT WILL THANK YOU AND +ASK FOR THE DESTINATION #, THEN SAY THE AREA CODE + NUMBER AS ABOVE. ANOTHER +SUCH # IS (800) 245-8173, WHICH HAS A 6 DIGIT ACCESS CODE. (NOTE: IF USING +TOUCH-TONE ON THIS #, ENTER THE CODE IMMEDIATELY AFTER THE TONE STOPS.) + +2. HOOK UP A TOUCH-TONE FONE INTO YOUR ROTARY FONE. ATTACH THE RED WIRE FROM +THE TOUCH-TONE FONE TO THE "R" TERMINAL INSIDE THE FONE ON THE NETWORK BOX. +THEN HOOK THE GREEN WIRE TO THE "B" TERMINAL. TO USE THIS DIAL THE # USING +ROTARY & THEN USE THE TOUCH-TONE FOR THE CODES. (DON'T HANG UP THE ROTARY FONE +WHILE DOING THIS THOUGH!) IF THIS DOESN'T WORK THEN REVERSE THE 2 WIRES. +(NOTE:IF YOUR LINE CAN ACCEPT TOUCH-TONE BUT YOU HAVE A ROTARY FONE THEN YOU +CAN HOOK UP A TONE FONE DIRECTLY FOR ALL CALLS BUT THIS USUALLY ISN'T THE +CASE.) SUCH AS RADIO SHACK'S 43-138. + +OTHER ALTERNATIVES +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +4. USE A CHARGE-A-CALL FONE. (THESE ALSO MAKE GREAT EXTENSIONS IF YOU REMOVE +IT USING A HEX WRENCH WITH A HOLE IN THE MIDDLE ON THE CENTER SCREW!)--(THESE +FONES, FOR THE BENEFIT OF THOSE WHO DON'T KNOW, ARE BLUE WITH NO COIN SLOTS). + +5. USE A PAY FONE THAT WANTS YOUR MONEY BEFORE THE DIAL TONE. PUT IN YOUR +DIME, DIAL THE #; IF IT'S AN 800 # THEN YOUR DIME WILL COME BACK, IMMEDIATELY +PUT A DIME BACK IN (IT'LL COME BACK WHEN YOU HANG UP!) IF IT IS A TONE FIRST +FONE AND IT DISCONNECTS THE KEYPAD (SOME DON'T) THEN FIND ANOTHER FONE. + + + + + Page 30 + + + + + The Official Phreaker's Manual + + Chapter 2 + + Well now we know a little vocabulary, and now its into history, Phreak +history. Back at MIT in 1964 arrived a student by the name of Stewart Nelson, +who was extremely interested in the telephone. Before entering MIT, he had +built autodialers, cheese boxes, and many more gadgets. But when he came to +MIT he became even more interested in "fone-hacking" as they called it. After +a little while he naturally started using the PDP-1, the schools computer at +that time, and from there he decided that it would be interesting to see +whether the computer could generate the frequencies required for blue boxing. +The hackers at MIT were not interested in ripping off Ma Bell, but just +exploring the telephone network. Stew (as he was called) wrote a program to +generate all the tones and set off into the vast network. + Now there were more people phreaking than the ones at MIT. Most people have +heard of Captain Crunch (No not the cereal), he also discovered how to take +rides through the fone system, with the aid of a small whistle found in a +cereal box (can we guess which one?). By blowing this whistle, he generated +the magical 2600hz and into the mouthpiece it sailed, giving him complete +control over the system. I have heard rumors that at one time he made about +1/4 of the calls coming out of San Francisco. He got famous fast. He made the +cover of people magazine and was interviewed several times (as you'll soon +see). Well he finally got caught after a long adventurous career. After he +was caught he was put in jail and was beaten up quite badly because he would +not teach other inmates how to box calls. After getting out, he joined Apple +computer and is still out there somewhere. + Then there was Joe the Whistler, blind form the day he was born. He could +whistle a perfect 2600hz tone. It was rumored phreaks used to call him to tune +their boxes. + Well that was up to about 1970, then from 1970 to 1979, phreaking was mainly +done by college students, businessmen and anyone who knew enough about +electronics and the fone company to make a 555 Ic to generate those magic +tones. Businessmen and a few college students mainly just blue box to get free +calls. The others were still there, exploring 800#'s and the new ESS systems. +ESS posed a big problem for phreaks then and even a bigger one now. ESS was +not widespread, but where it was, blue boxing was next to impossible except for +the most experienced phreak. Today ESS is installed in almost all major cities +and blue boxing is getting harder and harder. + 1978 marked a change in phreaking, the Apple ][, now a computer that was +affordable, could be programmed, and could save all that precious work on a +cassette. Then just a short while later came the Apple Cat modem. With this +modem, generating all blue box tones was easy as writing a program to count +form one to ten (a little exaggerated). Pretty soon programs that could +imitate an operator just as good as the real thing were hitting the community, +TSPS and Cat's Meow, are the standard now and are the best. + 1982-1986: LD services were starting to appear in mass numbers. People now +had programs to hack LD services, telephone exchanges, and even passwords. By +now many phreaks were getting extremely good and BBS's started to spring up +everywhere, each having many documentations on phreaking for the novice. Then +it happened, the movie War Games was released and mass numbers of sixth grade +to all ages flocked to see it. The problem wasn't that the movie was bad, it +was that now EVERYONE wanted to be a hacker/phreak. Novices came out in such +mass numbers, that bulletin boards started to be busy 24 hours a day. To this +day, they still have not recovered. Other problems started to occur, novices +guessed easy passwords on large government computers and started to play +around... Well it wasn't long before they were caught, I think that many +people remember the 414-hackers. They were so stupid as to say "yes" when the +computer asked them whether they'd like to play games. Well at least it takes +the heat off the real phreaks/hacker/krackers. + + Page 31 + + + + + The Official Phreaker's Manual + + After a little history, how about a little thrill? I don't know if this +story is true but it sure is as bad as shit! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 32 + + + + + The Official Phreaker's Manual + + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + * * + * +----------------------------------------------+ * + * * + * Secrets of the Little Blue Box * + * * + * by Ron Rosenbaum * + * Typed by One Farad Cap/AAG * + * * + * -A story so incredible it may even make you * + * feel sorry for the phone company- * + * * + * (First of four files) * + * * + * +----------------------------------------------+ * + * * + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + +Dudes... These four files contain the story, "Secrets of the Little Blue Box", +by Ron Rosenbaum. + +-A story so incredible it may even make you feel sorry for the phone company- + +Printed in the October 1971 issue of Esquire Magazine. If you happen to be in +a library and come across a collection of Esquire magazines, the October 1971 +issue is the first issue printed in the smaller format. The story begins on +page 116 with a picture of a blue box. + --One Farad Cap, Atlantic Anarchist Guild + + +The Blue Box Is Introduced: Its Qualities Are Remarked + +I am in the expensively furnished living room of Al Gilbertson (His real name +has been changed.), the creator of the "blue box." Gilbertson is holding one of +his shiny black-and-silver "blue boxes" comfortably in the palm of his hand, +pointing out the thirteen little red push buttons sticking up from the console. +He is dancing his fingers over the buttons, tapping out discordant beeping +electronic jingles. He is trying to explain to me how his little blue box does +nothing less than place the entire telephone system of the world, satellites, +cables and all, at the service of the blue-box operator, free of charge. + +"That's what it does. Essentially it gives you the power of a super operator. +You seize a tandem with this top button," he presses the top button with his +index finger and the blue box emits a high-pitched cheep, "and like that" -- +cheep goes the blue box again -- "you control the phone company's long-distance +switching systems from your cute little Princes phone or any old pay phone. +And you've got anonymity. An operator has to operate from a definite location: +the phone company knows where she is and what she's doing. But with your +beeper box, once you hop onto a trunk, say from a Holiday Inn 800 (toll-free) +number, they don't know where you are, or where you're coming from, they don't +know how you slipped into their lines and popped up in that 800 number. They +don't even know anything illegal is going on. And you can obscure your origins +through as many levels as you like. You can call next door by way of White +Plains, then over to Liverpool by cable, and then back here by satellite. You +can call yourself from one pay phone all the way around the world to a pay +phone next to you. And you get your dime back too." + +"And they can't trace the calls? They can't charge you?" + + Page 33 + + + + + The Official Phreaker's Manual + + +"Not if you do it the right way. But you'll find that the free-call thing +isn't really as exciting at first as the feeling of power you get from having +one of these babies in your hand. I've watched people when they first get hold +of one of these things and start using it, and discover they can make +connections, set up crisscross and zigzag switching patterns back and forth +across the world. They hardly talk to the people they finally reach. They say +hello and start thinking of what kind of call to make next. They go a little +crazy." He looks down at the neat little package in his palm. His fingers are +still dancing, tapping out beeper patterns. + +"I think it's something to do with how small my models are. There are lots of +blue boxes around, but mine are the smallest and most sophisticated +electronically. I wish I could show you the prototype we made for our big +syndicate order." + +He sighs. "We had this order for a thousand beeper boxes from a syndicate +front man in Las Vegas. They use them to place bets coast to coast, keep lines +open for hours, all of which can get expensive if you have to pay. The deal +was a thousand blue boxes for $300 apiece. Before then we retailed them for +$1500 apiece, but $300,000 in one lump was hard to turn down. We had a +manufacturing deal worked out in the Philippines. Everything ready to go. +Anyway, the model I had ready for limited mass production was small enough to +fit inside a flip-top Marlboro box. It had flush touch panels for a keyboard, +rather than these unsightly buttons, sticking out. Looked just like a tiny +portable radio. In fact, I had designed it with a tiny transistor receiver to +get one AM channel, so in case the law became suspicious the owner could switch +on the radio part, start snapping his fingers, and no one could tell anything +illegal was going on. I thought of everything for this model -- I had it lined +with a band of thermite which could be ignited by radio signal from a tiny +button transmitter on your belt, so it could be burned to ashes instantly in +case of a bust. It was beautiful. A beautiful little machine. You should +have seen the faces on these syndicate guys when they came back after trying it +out. They'd hold it in their palm like they never wanted to let it go, and +they'd say, 'I can't believe it. I can't believe it.' You probably won't +believe it until you try it." + +The Blue Box Is Tested: Certain Connections Are Made + +About eleven o'clock two nights later Fraser Lucey has a blue box in the palm +of his left hand and a phone in the palm of his right. He is standing inside a +phone booth next to an isolated shut-down motel off Highway 1. I am standing +outside the phone booth. + +Fraser likes to show off his blue box for people. Until a few weeks ago when +Pacific Telephone made a few arrests in his city, Fraser Lucey liked to bring +his blue box (This particular blue box, like most blue boxes, is not blue. +Blue boxes have come to be called "blue boxes" either because 1) The first blue +box ever confiscated by phone-company security men happened to be blue, or 2) +To distinguish them from "black boxes." Black boxes are devices, usually a +resistor in series, which, when attached to home phones, allow all incoming +calls to be made without charge to one's caller.) to parties. It never failed: +a few cheeps from his device and Fraser became the center of attention at the +very hippest of gatherings, playing phone tricks and doing request numbers for +hours. He began to take orders for his manufacturer in Mexico. He became a +dealer. + +Fraser is cautious now about where he shows off his blue box. But he never + + Page 34 + + + + + The Official Phreaker's Manual + +gets tired of playing with it. "It's like the first time every time," he tells +me. + +Fraser puts a dime in the slot. He listens for a tone and holds the receiver +up to my ear. I hear the tone. Fraser begins describing, with a certain +practiced air, what he does while he does it. "I'm dialing an 800 number now. +Any 800 number will do. It's toll free. Tonight I think I'll use the ----- (he +names a well-know rent-a-car company) 800 number. Listen, It's ringing. Here, +you hear it? Now watch." He places the blue box over the mouthpiece of the +phone so that the one silver and twelve black push buttons are facing up toward +me. He presses the silver button -- the one at the top -- and I hear that +high-pitched beep. "That's 2600 cycles per second to be exact," says Lucey. +"Now, quick. listen." He shoves the earpiece at me. The ringing has vanished. +The line gives a slight hiccough, there is a sharp buzz, and then nothing but +soft white noise. + +"We're home free now," Lucey tells me, taking back the phone and applying the +blue box to its mouthpiece once again. "We're up on a tandem, into a +long-lines trunk. Once you're up on a tandem, you can send yourself anywhere +you want to go." He decides to check out London first. He chooses a certain +pay phone located in Waterloo Station. This particular pay phone is popular +with the phone-phreaks network because there are usually people walking by at +all hours who will pick it up and talk for a while. + +He presses the lower left-hand corner button which is markeddH‘)*$¤Ë «’VÖìe +of the box. "That's Key Pulse. It tells the tandem we're ready to give it +instructions. First I'll punch out KP 182 START, which will slide us into the +overseas sender in White Plains." I hear a neat clunk-cheep. "I think we'll +head over to England by satellite. Cable is actually faster and the connection +is somewhat better, but I like going by satellite. So I just punch out KP Zero +44. The Zero is supposed to guarantee a satellite connection and 44 is the +country code for England. Okay... we're there. In Liverpool actually. Now +all I have to do is punch out the London area code which is 1, and dial up the +pay phone. Here, listen, I've got a ring now." + +I hear the soft quick purr-purr of a London ring. Then someone picks up the +phone. + +"Hello," says the London voice. + +"Hello. Who's this?" Fraser asks. + +"Hello. There's actually nobody here. I just picked this up while I was +passing by. This is a public phone. There's no one here to answer actually." + +"Hello. Don't hang up. I'm calling from the United States." + +"Oh. What is the purpose of the call? This is a public phone you know." + +"Oh. You know. To check out, uh, to find out what's going on in London. How +is it there?" + +"Its five o'clock in the morning. It's raining now." + +"Oh. Who are you?" + +The London passerby turns out to be an R.A.F. enlistee on his way back to the +base in Lincolnshire, with a terrible hangover after a thirty-six-hour pass. + + Page 35 + + + + + The Official Phreaker's Manual + +He and Fraser talk about the rain. They agree that it's nicer when it's not +raining. They say good-bye and Fraser hangs up. His dime returns with a nice +clink. + +"Isn't that far out," he says grinning at me. "London, like that." + +Fraser squeezes the little blue box affectionately in his palm. "I told ya +this thing is for real. Listen, if you don't mind I'm gonna try this girl I +know in Paris. I usually give her a call around this time. It freaks her out. +This time I'll use the ------ (a different rent-a-car company) 800 number and +we'll go by overseas cable, 133; 33 is the country code for France, the 1 sends +you by cable. Okay, here we go.... Oh damn. Busy. Who could she be talking +to at this time?" + +A state police car cruises slowly by the motel. The car does not stop, but +Fraser gets nervous. We hop back into his car and drive ten miles in the +opposite direction until we reach a Texaco station locked up for the night. We +pull up to a phone booth by the tire pump. Fraser dashes inside and tries the +Paris number. It is busy again. + +"I don't understand who she could be talking to. The circuits may be busy. +It's too bad I haven't learned how to tap into lines overseas with this thing +yet." + +Fraser begins to phreak around, as the phone phreaks say. He dials a leading +nationwide charge card's 800 number and punches out the tones that bring him +the time recording in Sydney, Australia. He beeps up the weather recording in +Rome, in Italian of course. He calls a friend in Boston and talks about a +certain over-the-counter stock they are into heavily. He finds the Paris +number busy again. He calls up "Dial a Disc" in London, and we listen to +Double Barrel by David and Ansil Collins, the number-one hit of the week in +London. He calls up a dealer of another sort and talks in code. He calls up +Joe Engressia, the original blind phone-phreak genius, and pays his respects. +There are other calls. Finally Fraser gets through to his young lady in +Paris. + +They both agree the circuits must have been busy, and criticize the Paris +telephone system. At two-thirty in the morning Fraser hangs up, pockets his +dime, and drives off, steering with one hand, holding what he calls his "lovely +little blue box" in the other. + +You Can Call Long Distance For Less Than You Think + +"You see, a few years ago the phone company made one big mistake," Gilbertson +explains two days later in his apartment. "They were careless enough to let +some technical journal publish the actual frequencies used to create all their +multi-frequency tones. Just a theoretical article some Bell Telephone +Laboratories engineer was doing about switching theory, and he listed the tones +in passing. At ----- (a well-known technical school) I had been fooling around +with phones for several years before I came across a copy of the journal in the +engineering library. I ran back to the lab and it took maybe twelve hours from +the time I saw that article to put together the first working blue box. It was +bigger and clumsier than this little baby, but it worked." + +It's all there on public record in that technical journal written mainly by +Bell Lab people for other telephone engineers. Or at least it was public. +"Just try and get a copy of that issue at some engineering-school library now. +Bell has had them all red-tagged and withdrawn from circulation," Gilbertson + + Page 36 + + + + + The Official Phreaker's Manual + +tells me. + +"But it's too late. It's all public now. And once they became public the +technology needed to create your own beeper device is within the range of any +twelve-year-old kid, any twelve-year-old blind kid as a matter of fact. And he +can do it in less than the twelve hours it took us. Blind kids do it all the +time. They can't build anything as precise and compact as my beeper box, but +theirs can do anything mine can do." + +"How?" + +"Okay. About twenty years ago A.T.&T. made a multi-billion-dollar decision to +operate its entire long-distance switching system on twelve electronically +generated combinations of twelve master tones. Those are the tones you +sometimes hear in the background after you've dialed a long-distance number. +They decided to use some very simple tones -- the tone for each number is just +two fixed single-frequency tones played simultaneously to create a certain beat +frequency. Like 1300 cycles per second and 900 cycles per second played +together give you the tone for digit 5. Now, what some of these phone phreaks +have done is get themselves access to an electric organ. Any cheap family +home-entertainment organ. Since the frequencies are public knowledge now -- +one blind phone phreak has even had them recorded in one of the talking books +for the blind -- they just have to find the musical notes on the organ which +correspond to the phone tones. Then they tape them. For instance, to get Ma +Bell's tone for the number 1, you press down organ keys F~5 and A~5 (900 and +700 cycles per second) at the same time. To produce the tone for 2 it's F~5 +and C~6 (1100 and 700 c.p.s). The phone phreaks circulate the whole list of +notes so there's no trial and error anymore." + +He shows me a list of the rest of the phone numbers and the two electric organ +keys that produce them. + +"Actually, you have to record these notes at 3 3/4 inches-per-second tape speed +and double it to 7 1/2 inches-per-second when you play them back, to get the +proper tones," he adds. + +"So once you have all the tones recorded, how do you plug them into the phone +system?" + +"Well, they take their organ and their cassette recorder, and start banging out +entire phone numbers in tones on the organ, including country codes, routing +instructions, 'KP' and 'Start' tones. Or, if they don't have an organ, someone +in the phone-phreak network sends them a cassette with all the tones recorded, +with a voice saying 'Number one,' then you have the tone, 'Number two,' then +the tone and so on. So with two cassette recorders they can put together a +series of phone numbers by switching back and forth from number to number. Any +idiot in the country with a cheap cassette recorder can make all the free calls +he wants." + +"You mean you just hold the cassette recorder up the mouthpiece and switch in a +series of beeps you've recorded? The phone thinks that anything that makes +these tones must be its own equipment?" + +"Right. As long as you get the frequency within thirty cycles per second of +the phone company's tones, the phone equipment thinks it hears its own voice +talking to it. The original granddaddy phone phreak was this blind kid with +perfect pitch, Joe Engressia, who used to whistle into the phone. An operator +could tell the difference between his whistle and the phone company's + + Page 37 + + + + + The Official Phreaker's Manual + +electronic tone generator, but the phone company's switching circuit can't tell +them apart. The bigger the phone company gets and the further away from human +operators it gets, the more vulnerable it becomes to all sorts of phone +phreaking." + +A Guide for the Perplexed + +"But wait a minute," I stop Gilbertson. "If everything you do sounds like +phone-company equipment, why doesn't the phone company charge you for the call +the way it charges its own equipment?" + +"Okay. That's where the 2600-cycle tone comes in. I better start from the +beginning." + +The beginning he describes for me is a vision of the phone system of the +continent as thousands of webs, of long-line trunks radiating from each of the +hundreds of toll switching offices to the other toll switching offices. Each +toll switching office is a hive compacted of thousands of long-distance tandems +constantly whistling and beeping to tandems in far-off toll switching offices. + +The tandem is the key to the whole system. Each tandem is a line with some +relays wih the capability of signalling any other tandem in any other toll +switching office on the continent, either directly one-to-one or by programming +a roundabout route through several other tandems if all the direct routes are +busy. For instance, if you want to call from New York to Los Angeles and +traffic is heavy on all direct trunks between the two cities, your tandem in +New York is programmed to try the next best route, which may send you down to a +tandem in New Orleans, then up to San Francisco, or down to a New Orleans +tandem, back to an Atlanta tandem, over to an Albuquerque tandem and finally up +to Los Angeles. + +When a tandem is not being used, when it's sitting there waiting for someone to +make a long-distance call, it whistles. One side of the tandem, the side +"facing" your home phone, whistles at 2600 cycles per second toward all the +home phones serviced by the exchange, telling them it is at their service, +should they be interested in making a long-distance call. The other side of +the tandem is whistling 2600 c.p.s. into one or more long-distance trunk lines, +telling the rest of the phone system that it is neither sending nor receiving a +call through that trunk at the moment, that it has no use for that trunk at the +moment. + +"When you dial a long-distance number the first thing that happens is that you +are hooked into a tandem. A register comes up to the side of the tandem facing +away from you and presents that side with the number you dialed. This sending +side of the tandem stops whistling 2600 into its trunk line. When a tandem +stops the 2600 tone it has been sending through a trunk, the trunk is said to +be "seized," and is now ready to carry the number you have dialed -- converted +into multi-frequency beep tones -- to a tandem in the area code and central +office you want. + +Now when a blue-box operator wants to make a call from New Orleans to New York +he starts by dialing the 800 number of a company which might happen to have its +headquarters in Los Angeles. The sending side of the New Orleans tandem stops +sending 2600 out over the trunk to the central office in Los Angeles, thereby +seizing the trunk. Your New Orleans tandem begins sending beep tones to a +tandem it has discovered idly whistling 2600 cycles in Los Angeles. The +receiving end of that L.A. tandem is seized, stops whistling 2600, listens to +the beep tones which tell it which L.A. phone to ring, and starts ringing the + + Page 38 + + + + + The Official Phreaker's Manual + +800 number. Meanwhile a mark made in the New Orleans office accounting tape +notes that a call from your New Orleans phone to the 800 number in L.A. has +been initiated and gives the call a code number. Everything is routine so far. + +But then the phone phreak presses his blue box to the mouthpiece and pushes the +2600-cycle button, sending 2600 out from the New Or¶YX_.$]X‹[V ‰Û ‰«Ê)Ê©Hˆ…¹‘•µÿ. The L.A. tandem notices 2600 cycles are coming over the line again and +assumes that New Orleans has hung up because the trunk is whistling as if idle. +The L.A. tandem immediately ceases ringing the L.A. 800 number. But as soon as +the phreak takes his finger off the 2600 button, the L.A. tandem assumes the +trunk is once again being used because the 2600 is gone, so it listens for a +new series of digit tones - to find out where it must send the call. + +Thus the blue-box operator in New Orleans now is in touch with a tandem in L.A. +which is waiting like an obedient genie to be told what to do next. The +blue-box owner then beeps out the ten digits of the New York number which tell +the L.A. tandem to relay a call to New York City. Which it promptly does. As +soon as your party picks up the phone in New York, the side of the New Orleans +tandem facing you stops sending 2600 cycles to you and stars carrying his voice +to you by way of the L.A. tandem. A notation is made on the accounting tape +that the connection has been made on the 800 call which had been initiated and +noted earlier. When you stop talking to New York a notation is made that the +800 call has ended. + +At three the next morning, when the phone company's accounting computer starts +reading back over the master accounting tape for the past day, it records that +a call of a certain length of time was made from your New Orleans home to an +L.A. 800 number and, of course, the accounting computer has been trained to +ignore those toll-free 800 calls when compiling your monthly bill. + +"All they can prove is that you made an 800 toll-free call," Gilbertson the +inventor concludes. "Of course, if you're foolish enough to talk for two hours +on an 800 call, and they've installed one of their special anti-fraud computer +programs to watch out for such things, they may spot you and ask why you took +two hours talking to Army Recruiting's 800 number when you're 4-F. + +But if you do it from a pay phone, they may discover something peculiar the +next day -- if they've got a blue-box hunting program in their computer -- but +you'll be a long time gone from the pay phone by then. Using a pay phone is +almost guaranteed safe." + +"What about the recent series of blue-box arrests all across the country -- New +York, Cleveland, and so on?" I asked. "How were they caught so easily?" + +"From what I can tell, they made one big mistake: they were seizing trunks +using an area code plus 555-1212 instead of an 800 number. Using 555 is easy to +detect because when you send multi-frequency beep tones of 555 you get a charge +for it on your tape and the accounting computer knows there's something wrong +when it tries to bill you for a two-hour call to Akron, Ohio, information, and +it drops a trouble card which goes right into the hands of the security agent +if they're looking for blue-box user. + +"Whoever sold those guys their blue boxes didn't tell them how to use them +properly, which is fairly irresponsible. And they were fairly stupid to use +them at home all the time. + +"But what those arrests really mean is than an awful lot of blue boxes are +flooding into the country and that people are finding them so easy to make that + + Page 39 + + + + + The Official Phreaker's Manual + +they know how to make them before they know how to use them. Ma Bell is in +trouble." + +And if a blue-box operator or a cassette-recorder phone phreak sticks to pay +phones and 800 numbers, the phone company can't stop them? + +"Not unless they change their entire nationwide long-lines technology, which +will take them a few billion dollars and twenty years. Right now they can't do +a thing. They're screwed." + ++-- End first file of four --+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 40 + + + + + The Official Phreaker's Manual + + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + * * + * +----------------------------------------------+ * + * * + * Secrets of the Little Blue Box * + * * + * by Ron Rosenbaum * + * Typed by One Farad Cap/AAG * + * * + * -A story so incredible it may even make you * + * feel sorry for the phone company- * + * * + * (Second of four files) * + * * + * +----------------------------------------------+ * + * * + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + +Captain Crunch Demonstrates His Famous Unit + +There is an underground telephone network in this country. Gilbertson +discovered it the very day news of his activities hit the papers. That evening +his phone began ringing. Phone phreaks from Seattle, from Florida, from New +York, from San Jose, and from Los Angeles began calling him and telling him +about the phone-phreak network. He'd get a call from a phone phreak who'd say +nothing but, "Hang up and call this number." + +When he dialed the number he'd find himself tied into a conference of a dozen +phone phreaks arranged through a quirky switching station in British Columbia. +They identified themselves as phone phreaks, they demonstrated their homemade +blue boxes which they called "M-Fers" (for "multi-frequency," among other +things) for him, they talked shop about phone-phreak devices. They let him in +on their secrets on the theory that if the phone company was after him he must +be trustworthy. And, Gilbertson recalls, they stunned him with their technical +sophistication. + +I ask him how to get in touch with the phone-phreak network. He digs around +through a file of old schematics and comes up with about a dozen numbers in +three widely separated area codes. + +"Those are the centers," he tells me. Alongside some of the numbers he writes +in first names or nicknames: names like Captain Crunch, Dr. No, Frank Carson +(also a code word for a free call), Marty Freeman (code word for M-F device), +Peter Perpendicular Pimple, Alefnull, and The Cheshire Cat. He makes checks +alongside the names of those among these top twelve who are blind. There are +five checks. + +I ask him who this Captain Crunch person is. + +"Oh. The Captain. He's probably the most legendary phone phreak. He calls +himself Captain Crunch after the notorious Cap'n Crunch 2600 whistle." +(Several years ago, Gilbertson explains, the makers of Cap'n Crunch breakfast +cereal offered a toy-whistle prize in every box as a treat for the Cap'n Crunch +set. Somehow a phone phreak discovered that the toy whistle just happened to +produce a perfect 2600-cycle tone. When the man who calls himself Captain +Crunch was transferred overseas to England with his Air Force unit, he would +receive scores of calls from his friends and "mute" them -- make them free of +charge to them -- by blowing his Cap'n Crunch whistle into his end.) + + Page 41 + + + + + The Official Phreaker's Manual + + +"Captain Crunch is one of the older phone phreaks," Gilbertson tells me. "He's +an engineer who once got in a little trouble for fooling around with the phone, +but he can't stop. Well, they guy drives across country in a Volkswagen van +with an entire switchboard and a computerized super-sophisticated M-F-er in the +back. He'll pull up to a phone booth on a lonely highway somewhere, snake a +cable out of his bus, hook it onto the phone and sit for hours, days sometimes, +sending calls zipping back and forth across the country, all over the +world...." + +Back at my motel, I dialed the number he gave me for "Captain Crunch" and asked +for G---- T-----, his real name, or at least the name he uses when he's not +dashing into a phone booth beeping out M-F tones faster than a speeding bullet +and zipping phantomlike through the phone company's long-distance lines. + +When G---- T----- answered the phone and I told him I was preparing a story for +Esquire about phone phreaks, he became very indignant. + +"I don't do that. I don't do that anymore at all. And if I do it, I do it for +one reason and one reason only. I'm learning about a system. The phone +company is a System. A computer is a System, do you understand? If I do what +I do, it is only to explore a system. Computers, systems, that's my bag. The +phone company is nothing but a computer." + +A tone of tightly restrained excitement enters the Captain's voice when he +starts talking about systems. He begins to pronounce each syllable with the +hushed deliberation of an obscene caller. + +"Ma Bell is a system I want to explore. It's a beautiful system, you know, but +Ma Bell screwed up. It's terrible because Ma Bell is such a beautiful system, +but she screwed up. I learned how she screwed up from a couple of blind kids +who wanted me to build a device. A certain device. They said it could make +free calls. I wasn't interested in free calls. But when these blind kids told +me I could make calls into a computer, my eyes lit up. I wanted to learn about +computers. I wanted to learn about Ma Bell's computers. So I build the little +device, but I built it wrong and Ma Bell found out. Ma Bell can detect things +like that. Ma Bell knows. So I'm strictly rid of it now. I don't do it. +Except for learning purposes." He pauses. "So you want to write an article. +Are you paying for this call? Hang up and call this number." He gives me a +number in a area code a thousand miles away of his own. I dial the number. + +"Hello again. This is Captain Crunch. You are speaking to me on a toll-free +loop-around in Portland, Oregon. Do you know what a toll-free loop around is? +I'll tell you. + +He explains to me that almost every exchange in the country has open test +numbers which allow other exchanges to test their connections with it. Most of +these numbers occur in consecutive pairs, such as 302 956-0041 and 302 +956-0042. Well, certain phone phreaks discovered that if two people from +anywhere in the country dial the two consecutive numbers they can talk together +just as if one had called the other's number, with no charge to either of them, +of course. + +"Now our voice is looping around in a 4A switching machine up there in Canada, +zipping back down to me," the Captain tells me. "My voice is looping around up +there and back down to you. And it can't ever cost anyone money. The phone +phreaks and I have compiled a list of many many of these numbers. You would be +surprised if you saw the list. I could show it to you. But I won't. I'm out + + Page 42 + + + + + The Official Phreaker's Manual + +of that now. I'm not out to screw Ma Bell. I know better. If I do anything +it's for the pure knowledge of the System. You can learn to do fantastic +things. Have you ever heard eight tandems stacked up? Do you know the sound +of tandems stacking and unstacking? Give me your phone number. Okay. Hang up +now and wait a minute." + +Slightly less than a minute later the phone rang and the Captain was on the +line, his voice sounding far more excited, almost aroused. + +"I wanted to show you what it's like to stack up tandems. To stack up +tandems." (Whenever the Captain says "stack up" it sounds as if he is licking +his lips.) + +"How do you like the connection you're on now?" the Captain asks me. "It's a +raw tandem. A raw tandem. Ain't nothin' up to it but a tandem. Now I'm going +to show you what it's like to stack up. Blow off. Land in a far away place. +To stack that tandem up, whip back and forth across the country a few times, +then shoot on up to Moscow. + +"Listen," Captain Crunch continues. "Listen. I've got line tie on my +switchboard here, and I'm gonna let you hear me stack and unstack tandems. +Listen to this. It's gonna blow your mind." + +First I hear a super rapid-fire pulsing of the flutelike phone tones, then a +pause, then another popping burst of tones, then another, then another. Each +burst is followed by a beep-kachink sound. + +"We have now stacked up four tandems," said Captain Crunch, sounding somewhat +remote. "That's four tandems stacked up. Do you know what that means? That +means I'm whipping back and forth, back and forth twice, across the country, +before coming to you. I've been known to stack up twenty tandems at a time. +Now, just like I said, I'm going to shoot up to Moscow." + +There is a new, longer series of beeper pulses over the line, a brief silence, +then a ring. + +"Hello," answers a far-off voice. + +"Hello. Is this the American Embassy Moscow?" + +"Yes, sir. Who is this callingš…åÍÑ¡•³½¥•¹+Rj¤$ʕ͹¢¡¥Í¥Íã•ÍÑ“½…É‘£•É•ƒ¹;•ÝK½É­¹ƒº•Û•›…±±¥¹ã½›¡•­»ÕÑÑ¡•5S ¥ÉÕ¥Ñͱƒš••û¡…ÑÛ¥¹‘»™£¥¹•Íÿ you've got. Everything okay there in +Moscow?" + +"Okay?" + +"Well, yes, how are things there?" + +"Oh. Well, everything okay, I guess." + +"Okay. Thank you." + +They hang up, leaving a confused series of beep-kachink sounds hanging in +mid-ether in the wake of the call before dissolving away. + +The Captain is pleased. "You believe me now, don't you? Do you know what I'd + + Page 43 + + + + + The Official Phreaker's Manual + +like to do? I'd just like to call up your editor at Esquire and show him just +what it sounds like to stack and unstack tandems. I'll give him a show that +will blow his mind. What's his number? + +I ask the Captain what kind of device he was using to accomplish all his feats. +The Captain is pleased at the question. + +"You could tell it was special, couldn't you?" Ten pulses per second. That's +faster than the phone company's equipment. Believe me, this unit is the most +famous unit in the country. There is no other unit like it. Believe me." + +"Yes, I've heard about it. Some other phone phreaks have told me about it." + +"They have been referring to my, ahem, unit? What is it they said? Just out of +curiosity, did they tell you it was a highly sophisticated computer-operated +unit, with acoustical coupling for receiving outputs and a switch-board with +multiple-line-tie capability? Did they tell you that the frequency tolerance +is guaranteed to be not more than .05 percent? The amplitude tolerance less +than .01 decibel? Those pulses you heard were perfect. They just come faster +than the phone company. Those were high-precision op-amps. Op-amps are +instrumentation amplifiers designed for ultra-stable amplification, super-low +distortion and accurate frequency response. Did they tell you it can operate +in temperatures from -55 degrees C to +125 degrees C?" + +I admit that they did not tell me all that. + +"I built it myself," the Captain goes on. "If you were to go out and buy the +components from an industrial wholesaler it would cost you at least $1500. I +once worked for a semiconductor company and all this didn't cost me a cent. Do +you know what I mean? Did they tell you about how I put a call completely +around the world? I'll tell you how I did it. I M-Fed Tokyo inward, who +connected me to India, India connected me to Greece, Greece connected me to +Pretoria, South Africa, South Africa connected me to South America, I went from +South America to London, I had a London operator connect me to a New York +operator, I had New York connect me to a California operator who rang the phone +next to me. Needless to say I had to shout to hear myself. But the echo was +far out. Fantastic. Delayed. It was delayed twenty seconds, but I could hear +myself talk to myself." + +"You mean you were speaking into the mouthpiece of one phone sending your voice +around the world into your ear through a phone on the other side of your head?" +I asked the Captain. I had a vision of something vaguely autoerotic going on, +in a complex electronic way. + +"That's right," said the Captain. "I've also sent my voice around the world +one way, going east on one phone, and going west on the other, going through +cable one way, satellite the other, coming back together at the same time, +ringing the two phones simultaneously and picking them up and whipping my +voice both ways around the world back to me. Wow. That was a mind blower." + +"You mean you sit there with both phones on your ear and talk to yourself +around the world," I said incredulously. + +"Yeah. Um hum. That's what I do. I connect the phone together and sit there +and talk." + +"What do you say? What do you say to yourself when you're connected?" + + + Page 44 + + + + + The Official Phreaker's Manual + +"Oh, you know. Hello test one two three," he says in a low-pitched voice. + +"Hello test one two three," he replied to himself in a high-pitched voice. + +"Hello test one two three," he repeats again, low-pitched. + +"Hello test one two three," he replies, high-pitched. + +"I sometimes do this: Hello Hello Hello Hello, Hello, hello," he trails off and +breaks into laughter. + +Why Captain Crunch Hardly Ever Taps Phones Anymore + +Using internal phone-company codes, phone phreaks have learned a simple method +for tapping phones. Phone-company operators have in front of them a board that +holds verification jacks. It allows them to plug into conversations in case of +emergency, to listen in to a line to determine if the line is busy or the +circuits are busy. Phone phreaks have learned to beep out the codes which lead +them to a verification operator, tell the verification operator they are +switchmen from some other area code testing out verification trunks. Once the +operator hooks them into the verification trunk, they disappear into the board +for all practical purposes, slip unnoticed into any one of the 10,000 to +100,000 numbers in that central office without the verification operator +knowing what they're doing, and of course without the two parties to the +connection knowing there is a phantom listener present on their line. + +Toward the end of my hour-long first conversation with him, I asked the Captain +if he ever tapped phones. + +"Oh no. I don't do that. I don't think it's right," he told me firmly. "I +have the power to do it but I don't... Well one time, just one time, I have to +admit that I did. There was this girl, Linda, and I wanted to find out... you +know. I tried to call her up for a date. I had a date with her the last +weekend and I thought she liked me. I called her up, man, and her line was +busy, and I kept calling and it was still busy. Well, I had just learned about +this system of jumping into lines and I said to myself, 'Hmmm. Why not just +see if it works. It'll surprise her if all of a sudden I should pop up on her +line. It'll impress her, if anything.' So I went ahead and did it. I M-Fed +into the line. My M-F-er is powerful enough when patched directly into the +mouthpiece to trigger a verification trunk without using an operator the way +the other phone phreaks have to. + +"I slipped into the line and there she was talking to another boyfriend. +Making sweet talk to him. I didn't make a sound because I was so disgusted. +So I waited there for her to hang up, listening to her making sweet talk to the +other guy. You know. So as soon as she hung up I instantly M-F-ed her up and +all I said was, 'Linda, we're through.' And I hung up. And it blew her head +off. She couldn't figure out what the hell happened. + +"But that was the only time. I did it thinking I would surprise her, impress +her. Those were all my intentions were, and well, it really kind of hurt me +pretty badly, and... and ever since then I don't go into verification trunks." + +Moments later my first conversation with the Captain comes to a close. + +"Listen," he says, his spirits somewhat cheered, "listen. What you are going +to hear when I hang up is the sound of tandems unstacking. Layer after layer of +tandems unstacking until there's nothing left of the stack, until it melts away + + Page 45 + + + + + The Official Phreaker's Manual + +into nothing. Cheep, cheep, cheep, cheep," he concludes, his voice descending +to a whisper with each cheep. + +He hangs up. The phone suddenly goes into four spasms: kachink cheep. Kachink +cheep kachink cheep kachink cheep, and the complex connection has wiped itself +out like the Cheshire cat's smile. + +The MF Boogie Blues + +The next number I choose from the select list of phone-phreak alumni, prepared +for me by the blue-box inventor, is a Memphis number. It is the number of Joe +Engressia, the first and still perhaps the most accomplished blind phone +phreak. + +Three years ago Engressia was a nine-day wonder in newspapers and magazines all +over America because he had been discovered whistling free long-distance +connections for fellow students at the University of South Florida. Engressia +was born with perfect pitch: he could whistle phone tones better than the +phone-company's equipment. + +Engressia might have gone on whistling in the dark for a few friends for the +rest of his life if the phone company hadn't decided to expose him. He was +warned, disciplined by the college, and the whole case became public. In the +months following media reports of his talent, Engressia began receiving strange +calls. There were calls from a group of kids in Los Angeles who could do some +very strange things with the quirky General Telephone and Electronics circuitry +in L.A. suburbs. There were calls from a group of mostly blind kids in ----, +California, who had been doing some interesting experiments with Cap'n Crunch +whistles and test loops. There was a group in Seattle, a group in Cambridge, +Massachusetts, a few from New York, a few scattered across the country. Some +of them had already equipped themselves with cassette and electronic M-F +devices. For some of these groups, it was the first time they knew of the +others. + +The exposure of Engressia was the catalyst that linked the separate +phone-phreak centers together. They all called Engressia. They talked to him +about what he was doing and what they were doing. And then he told them -- the +scattered regional centers and lonely independent phone phreakers -- about each +other, gave them each other's numbers to call, and within a year the scattered +phone-phreak centers had grown into a nationwide underground. + +Joe Engressia is only twenty-two years old now, but along the phone-phreak +network he is "the old man," accorded by phone phreaks something of the +reverence the phone company bestows on Alexander Graham Bell. He seldom needs +to make calls anymore. The phone phreaks all call him and let him know what +new tricks, new codes, new techniques they have learned. Every night he sits +like a sightless spider in his little apartment receiving messages from every +tendril of his web. It is almost a point of pride with Joe that they call +him. + +But when I reached him in his Memphis apartment that night, Joe Engressia was +lonely, jumpy and upset. + +"God, I'm glad somebody called. I don't know why tonight of all nights I don't +get any calls. This guy around here got drunk again tonight and propositioned +me again. I keep telling him we'll never see eye to eye on this subject, if +you know what I mean. I try to make light of it, you know, but he doesn't get +it. I can head him out there getting drunker and I don't know what he'll do + + Page 46 + + + + + The Official Phreaker's Manual + +next. It's just that I'm really all alone here, just moved to Memphis, it's +the first time I'm living on my own, and I'd hate for it to all collapse now. +But I won't go to bed with him. I'm just not very interested in sex and even +if I can't see him I know he's ugly. + +"Did you hear that? That's him banging a bottle against the wall outside. +He's nice. Well forget about it. You're doing a story on phone phreaks? +Listen to this. It's the MF Boogie Blues. + +Sure enough, a jumpy version of Muskrat Ramble boogies its way over the line, +each note one of those long-distance phone tones. The music stops. A huge +roaring voice blasts the phone off my ear: "AND THE QUESTION IS..." roars the +voice, "CAN A BLIND PERSON HOOK UP AN AMPLIFIER ON HIS OWN?" + +The roar ceases. A high-pitched operator-type voice replaces it. "This is +Southern Braille Tel. & Tel. Have tone, will phone." + +This is succeeded by a quick series of M-F tones, a swift "kachink" and a deep +reassuring voice: "If you need home care, call the visiting-nurses association. +First National time in Honolulu is 4:32 p.m." + +Joe back in his Joe voice again: "Are we seeing eye to eye? 'Si, si,' said the +blind Mexican. Ahem. Yes. Would you like to know the weather in Tokyo?" + +This swift manic sequence of phone-phreak vaudeville stunts and blind-boy jokes +manages to keep Joe's mind off his tormentor only as long as it lasts. + +"The reason I'm in Memphis, the reason I have to depend on that homosexual guy, +is that this is the first time I've been able to live on my own and make phone +trips on my own. I've been banned from all central offices around home in +Florida, they knew me too well, and at the University some of my fellow +scholars were always harassing me because I was on the dorm pay phone all the +time and making fun of me because of my fat ass, which of course I do have, +it's my physical fatness program, but I don't like to hear it every day, and if +I can't phone trip and I can't phone phreak, I can't imagine what I'd do, I've +been devoting three quarters of my life to it. + +"I moved to Memphis because I wanted to be on my own as well as because it has +a Number 5 crossbar switching system and some interesting little independent +phone-company districts nearby and so far they don't seem to know who I am so I +can go on phone tripping, and for me phone tripping is just as important as +phone phreaking." + +Phone tripping, Joe explains, begins with calling up a central-office switch +room. He tells the switchman in a polite earnest voice that he's a blind +college student interested in telephones, and could he perhaps have a guided +tour of the switching station? Each step of the tour Joe likes to touch and +feel relays, caress switching circuits, switchboards, crossbar arrangements. + +So when Joe Engressia phone phreaks he feels his way through the circuitry of +the country garden of forking paths, he feels switches shift, relays shunt, +crossbars swivel, tandems engage and disengage even as he hears -- with perfect +pitch -- his M-F pulses make the entire Bell system dance to his tune. + +Just one month ago Joe took all his savings out of his bank and left home, over +the emotional protests of his mother. "I ran away from home almost," he likes +to say. Joe found a small apartment house on Union Avenue and began making +phone trips. He'd take a bus a hundred miles south in Mississippi to see some + + Page 47 + + + + + The Official Phreaker's Manual + +old-fashioned Bell equipment still in use in several states, which had been +puzzling. He'd take a bus three hundred miles to Charlotte, North Carolina, to +look at some brand-new experimental equipment. He hired a taxi to drive him +twelve miles to a suburb to tour the office of a small phone company with some +interesting idiosyncrasies in its routing system. He was having the time of +his life, he said, the most freedom and pleasure he had known. + +In that month he had done very little long-distance phone phreaking from his +own phone. He had begun to apply for a job with the phone company, he told me, +and he wanted to stay away from anything illegal. + +"Any kind of job will do, anything as menial as the most lowly operator. +That's probably all they'd give me because I'm blind. Even though I probably +know more than most switchmen. But that's okay. I want to work for Ma Bell. +I don't hate Ma Bell the way Gilbertson and some phone phreaks do. I don't +want to screw Ma Bell. With me it's the pleasure of pure knowledge. There's +something beautiful about the system when you know it intimately the way I do. +But I don't know how much they know about me here. I have a very intuitive +feel for the condition of the line I'm on, and I think they're monitoring me +off and on lately, but I haven't been doing much illegal. I have to make a few +calls to switchmen once in a while which aren't strictly legal, and once I took +an acid trip and was having these auditory hallucinations as if I were trapped +and these planes were dive-bombing me, and all of sudden I had to phone phreak +out of there. For some reason I had to call Kansas City, but that's all." + +A Warning Is Delivered + +At this point -- one o'clock in my time zone -- a loud knock on my motel-room +door interrupts our conversation. Outside the door I find a uniformed security +guard who informs me that there has been an "emergency phone call" for me while +I have been on the line and that the front desk has sent him up to let me +know. + +Two seconds after I say good-bye to Joe and hang up, the phone rings. + +"Who were you talking to?" the agitated voice demands. The voice belongs to +Captain Crunch. "I called because I decided to warn you of something. I +decided to warn you to be careful. I don't want this information you get to +get to the radical underground. I don't want it to get into the wrong hands. +What would you say if I told you it's possible for three phone phreaks to +saturate the phone system of the nation. Saturate it. Busy it out. All of +it. I know how to do this. I'm not gonna tell. A friend of mine has already +saturated the trunks between Seattle and New York. He did it with a +computerized M-F-er hitched into a special Manitoba exchange. But there are +other, easier ways to do it." + +Just three people? I ask. How is that possible? + +"Have you ever heard of the long-lines guard frequency? Do you know about +stacking tandems with 17 and 2600? Well, I'd advise you to find out about it. +I'm not gonna tell you. But whatever you do, don't let this get into the hands +of the radical underground." + +(Later Gilbertson, the inventor, confessed that while he had always been +skeptical about the Captain's claim of the sabotage potential of trunk-tying +phone phreaks, he had recently heard certain demonstrations which convinced him +the Captain was not speaking idly. "I think it might take more than three +people, depending on how many machines like Captain Crunch's were available. + + Page 48 + + + + + The Official Phreaker's Manual + +But even though the Captain sounds a little weird, he generally turns out to +know what he's talking about.") + +"You know," Captain Crunch continues in his admonitory tone, "you know the +younger phone phreaks call Moscow all the time. Suppose everybody were to call +Moscow. I'm no right-winger. But I value my life. I don't want the Commies +coming over and dropping a bomb on my head. That's why I say you've got to be +careful about who gets this information." + +The Captain suddenly shifts into a diatribe against those phone phreaks who +don't like the phone company. + +"They don't understand, but Ma Bell knows everything they do. Ma Bell knows. +Listen, is this line hot? I just heard someone tap in. I'm not paranoid, but +I can detect things like that. Well, even if it is, they know that I know that +they know that I have a bulk eraser. I'm very clean." The Captain pauses, +evidently torn between wanting to prove to the phone-company monitors that he +does nothing illegal, and the desire to impress Ma Bell with his prowess. "Ma +Bell knows how good I am. And I am quite good. I can detect reversals, tandem +switching, everything that goes on on a line. I have relative pitch now. Do +you know what that means? My ears are a $20,000 piece of equipment. With my +ears I can detect things they can't hear with their equipment. I've had +employment problems. I've lost jobs. But I want to show Ma Bell how good I +am. I don't want to screw her, I want to work for her. I want to do good for +her. I want to help her get rid of her flaws and become perfect. That's my +number-one goal in life now." The Captain concludes his warnings and tells me +he has to be going. "I've got a little action lined up for tonight," he +explains and hangs up. + +Before I hang up for the night, I call Joe Engressia back. He reports that his +tormentor has finally gone to sleep -- "He's not blind drunk, that's the way I +get, ahem, yes; but you might say he's in a drunken stupor." I make a date to +visit Joe in Memphis in two days. + ++-- End second file of four --+ + + + + + + + + + + + + + + + + + + + + + + + + + Page 49 + + + + + The Official Phreaker's Manual + + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + * * + * +----------------------------------------------+ * + * * + * Secrets of the Little Blue Box * + * * + * by Ron Rosenbaum * + * Typed by One Farad Cap/AAG * + * * + * -A story so incredible it may even make you * + * feel sorry for the phone company- * + * * + * (Third of four files) * + * * + * +----------------------------------------------+ * + * * + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + +A Phone Phreak Call Takes Care of Business + +The next morning I attend a gathering of four phone phreaks in ----- (a +California suburb). The gathering takes place in a comfortable split-level +home in an upper-middle-class subdivision. Heaped on the kitchen table are the +portable cassette recorders, M-F cassettes, phone patches, and line ties of the +four phone phreaks present. On the kitchen counter next to the telephone is a +shoe-box-size blue box with thirteen large toggle switches for the tones. The +parents of the host phone phreak, Ralph, who is blind, stay in the living room +with their sighted children. They are not sure exactly what Ralph and his +friends do with the phone or if it's strictly legal, but he is blind and they +are pleased he has a hobby which keeps him busy. + +The group has been working at reestablishing the historic "2111" conference, +reopening some toll-free loops, and trying to discover the dimensions of what +seem to be new initiatives against phone phreaks by phone-company security +agents. + +It is not long before I get a chance to see, to hear, Randy at work. Randy is +known among the phone phreaks as perhaps the finest con man in the game. Randy +is blind. He is pale, soft and pear-shaped, he wears baggy pants and a wrinkly +nylon white sport shirt, pushes his head forward from hunched shoulders +somewhat like a turtle inching out of its shell. His eyes wander, crossing and +recrossing, and his forehead is somewhat pimply. He is only sixteen years +old. + +But when Randy starts speaking into a telephone mouthpiece his voice becomes so +stunningly authoritative it is necessary to look again to convince yourself it +comes from a chubby adolescent Randy. Imagine the voice of a crack oil-rig +foreman, a tough, sharp, weather-beaten Marlboro man of forty. Imagine the +voice of a brilliant performance-fund gunslinger explaining how he beats the +Dow Jones by thirty percent. Then imagine a voice that could make those two +sound like Stepi¾Fetchit. That is sixteen-year-old Randy's voice. + +He is speaking to a switchman in Detroit. The phone company in Detroit had +closed up two toll-free loop pairs for no apparent reason, although heavy use +by phone phreaks all over the country may have been detected. Randy is telling +the switchman how to open up the loop and make it free again: + +"How are you, buddy. Yeah. I'm on the board in here in Tulsa, Oklahoma, and + + Page 50 + + + + + The Official Phreaker's Manual + +we've been trying to run some tests on your loop-arounds and we find'em busied +out on both sides.... Yeah, we've been getting a 'BY' on them, what d'ya say, +can you drop cards on 'em? Do you have 08 on your number group? Oh that's +okay, we've had this trouble before, we may have to go after the circuit. Here +lemme give 'em to you: your frame is 05, vertical group 03, horizontal 5, +vertical file 3. Yeah, we'll hang on here.... Okay, found it? Good. Right, +yeah, we'd like to clear that busy out. Right. All you have to do is look for +your key on the mounting plate, it's in your miscellaneous trunk frame. Okay? +Right. Now pull your key from NOR over the LCT. Yeah. I don't know why that +happened, but we've been having trouble with that one. Okay. Thanks a lot +fella. Be seein' ya." + +Randy hangs up, reports that the switchman was a little inexperienced with the +loop-around circuits on the miscellaneous trunk frame, but that the loop has +been returned to its free-call status. + +Delighted, phone phreak Ed returns the pair of numbers to the active-status +column in his directory. Ed is a superb and painstaking researcher. With +almost Talmudic thoroughness he will trace tendrils of hints through soft-wired +mazes of intervening phone-company circuitry back through complex linkages of +switching relays to find the location and identity of just one toll-free loop. +He spends hours and hours, every day, doing this sort of thing. He has somehow +compiled a directory of eight hundred "Band-six in-WATS numbers" located in +over forty states. Band-six in-WATS numbers are the big 800 numbers -- the +ones that can be dialed into free from anywhere in the country. + +Ed the researcher, a nineteen-year-old engineering student, is also a superb +technician. He put together his own working blue box from scratch at age +seventeen. (He is sighted.) This evening after distributing the latest issue +of his in-WATS directory (which has been typed into Braille for the blind phone +phreaks), he announces he has made a major new breakthrough: + +"I finally tested it and it works, perfectly. I've got this switching matrix +which converts any touch-tone phone into an M-F-er." + +The tones you hear in touch-tone phones are not the M-F tones that operate the +long-distance switching system. Phone phreaks believe A.T.&T. had deliberately +equipped touch tones with a different set of frequencies to avoid putting the +six master M-F tones in the hands of every touch-tone owner. Ed's complex +switching matrix puts the six master tones, in effect put a blue box, in the +hands of every touch-tone owner. + +Ed shows me pages of schematics, specifications and parts lists. "It's not easy +to build, but everything here is in the Heathkit catalog." + +Ed asks Ralph what progress he has made in his attempts to reestablish a +long-term open conference line for phone phreaks. The last big conference -- +the historic "2111" conference -- had been arranged through an unused Telex +test-board trunk somewhere in the innards of a 4A switching machine in +Vancouver, Canada. For months phone phreaks could M-F their way into +Vancouver, beep out 604 (the Vancouver area code) and then beep out 2111 (the +internal phone-company code for Telex testing), and find themselves at any +time, day or night, on an open wire talking with an array of phone phreaks from +coast to coast, operators from Bermuda, Tokyo and London who are phone-phreak +sympathizers, and miscellaneous guests and technical experts. The conference +was a massive exchange of information. Phone phreaks picked each other's +brains clean, then developed new ways to pick the phone company's brains clean. +Ralph gave M F Boogies concerts with his home-entertainment-type electric + + Page 51 + + + + + The Official Phreaker's Manual + +organ, Captain Crunch demonstrated his round-the-world prowess with his +notorious computerized unit and dropped leering hints of the "action" he was +getting with his girl friends. (The Captain lives out or pretends to live out +several kinds of fantasies to the gossipy delight of the blind phone phreaks +who urge him on to further triumphs on behalf of all of them.) The somewhat +rowdy Northwest phone-phreak crowd let their bitter internal feud spill over +into the peaceable conference line, escalating shortly into guerrilla warfare; +Carl the East Coast international tone relations expert demonstrated newly +opened direct M-F routes to central offices on the island of Bahrein in the +Persian Gulf, introduced a new phone-phreak friend of his in Pretoria, and +explained the technical operation of the new Oakland-to Vietnam linkages. +(Many phone phreaks pick up spending money by M-F-ing calls from relatives to +Vietnam G.I.'s, charging $5 for a whole hour of trans-Pacific conversation.) + +Day and night the conference line was never dead. Blind phone phreaks all over +the country, lonely and isolated in homes filled with active sighted brothers +and sisters, or trapped with slow and unimaginative blind kids in straitjacket +schools for the blind, knew that no matter how late it got they could dial up +the conference and find instant electronic communion with two or three other +blind kids awake over on the other side of America. Talking together on a +phone hookup, the blind phone phreaks say, is not much different from being +there together. Physically, there was nothing more than a two-inch-square wafer +of titanium inside a vast machine on Vancouver Island. For the blind kids +>there< meant an exhilarating feeling of being in touch, through a kind of +skill and magic which was peculiarly their own. + +Last April 1, however, the long Vancouver Conference was shut off. The phone +phreaks knew it was coming. Vancouver was in the process of converting from a +step-by-step system to a 4A machine and the 2111 Telex circuit was to be wiped +out in the process. The phone phreaks learned the actual day on which the +conference would be erased about a week ahead of time over the phone company's +internal-news-and-shop-talk recording. + +For the next frantic seven days every phone phreak in America was on and off +the 2111 conference twenty-four hours a day. Phone phreaks who were just +learning the game or didn't have M-F capability were boosted up to the +conference by more experienced phreaks so they could get a glimpse of what it +was like before it disappeared. Top phone phreaks searched distant area codes +for new conference possibilities without success. Finally in the early morning +of April 1, the end came. + +"I could feel it coming a couple hours before midnight," Ralph remembers. "You +could feel something going on in the lines. Some static began showing up, then +some whistling wheezing sound. Then there were breaks. Some people got cut +off and called right back in, but after a while some people were finding they +were cut off and couldn't get back in at all. It was terrible. I lost it +about one a.m., but managed to slip in again and stay on until the thing +died... I think it was about four in the morning. There were four of us still +hanging on when the conference disappeared into nowhere for good. We all tried +to M-F up to it again of course, but we got silent termination. There was +nothing there." + +The Legendary Mark Bernay Turns Out To Be "The Midnight Skulker" + +Mark Bernay. I had come across that name before. It was on Gilbertson's +select list of phone phreaks. The California phone phreaks had spoken of a +mysterious Mark Bernay as perhaps the first and oldest phone phreak on the West +Coast. And in fact almost every phone phreak in the West can trace his origins + + Page 52 + + + + + The Official Phreaker's Manual + +either directly to Mark Bernay or to a disciple of Mark Bernay. + +It seems that five years ago this Mark Bernay (a pseudonym he chose for +himself) began traveling up and down the West Coast pasting tiny stickers in +phone books all along his way. The stickers read something like "Want to hear +an interesting tape recording? Call these numbers." The numbers that followed +were toll-free loop-around pairs. When one of the curious called one of the +numbers he would hear a tape recording pre-hooked into the loop by Bernay which +explained the use of loop-around pairs, gave the numbers of several more, and +ended by telling the caller, "At six o'clock tonight this recording will stop +and you and your friends can try it out. Have fun." + +"I was disappointed by the response at first," Bernay told me, when I finally +reached him at one of his many numbers and he had dispensed with the usual "I +never do anything illegal" formalities which experienced phone phreaks open +most conversations. + +"I went all over the coast with these stickers not only on pay phones, but I'd +throw them in front of high schools in the middle of the night, I'd leave them +unobtrusively in candy stores, scatter them on main streets of small towns. At +first hardly anyone bothered to try it out. I would listen in for hours and +hours after six o'clock and no one came on. I couldn't figure out why people +wouldn't be interested. Finally these two girls in Oregon tried it out and +told all their friends and suddenly it began to spread." + +Before his Johny Appleseed trip Bernay had already gathered a sizable group of +early pre-blue-box phone phreaks together on loop-arounds in Los Angeles. +Bernay does not claim credit for the original discovery of the loop-around +numbers. He attributes the discovery to an eighteen-year-old reform school kid +in Long Beach whose name he forgets and who, he says, "just disappeared one +day." When Bernay himself discovered loop-arounds independently, from clues in +his readings in old issues of the Automatic Electric Technical Journal, he +found dozens of the reform-school kid's friends already using them. However, it +was one of Bernay's disciples in Seattle that introduced phone phreaking to +blind kids. The Seattle kid who learned about loops through Bernay's recording +told a blind friend, the blind kid taught the secret to his friends at a winter +camp for blind kids in Los Angeles. When the camp session was over these kids +took the secret back to towns all over the West. This is how the original +blind kids became phone phreaks. For them, for most phone phreaks in general, +it was the discovery of the possibilities of loop-arounds which led them on to +far more serious and sophisticated phone-phreak methods, and which gave them a +medium for sharing their discoveries. + +A year later a blind kid who moved back east brought the technique to a blind +kids' summer camp in Vermont, which spread it along the East Coast. All from a +Mark Bernay sticker. + +Bernay, who is nearly thirty years old now, got his start when he was fifteen +and his family moved into an L.A. suburb serviced by General Telephone and +Electronics equipment. He became fascinated with the differences between Bell +and G.T.&E. equipment. He learned he could make interesting things happen by +carefully timed clicks with the disengage button. He learned to interpret +subtle differences in the array of clicks, whirrs and kachinks he could hear on +his lines. He learned he could shift himself around the switching relays of +the L.A. area code in a not-too-predictable fashion by interspersing his own +hook-switch clicks with the clicks within the line. (Independent phone +companies -- there are nineteen hundred of them still left, most of them tiny +island principalities in Ma Bell's vast empire -- have always been favorites + + Page 53 + + + + + The Official Phreaker's Manual + +with phone phreaks, first as learning tools, then as Archimedes platforms from +which to manipulate the huge Bell system. A phone phreak in Bell territory +will often M-F himself into an independent's switching system, with switching +idiosyncrasies which can give him marvelous leverage over the Bell System. + +"I have a real affection for Automatic Electric Equipment," Bernay told me. +"There are a lot of things you can play with. Things break down in interesting +ways." + +Shortly after Bernay graduated from college (with a double major in chemistry +and philosophy), he graduated from phreaking around with G.T.&E. to the Bell +System itself, and made his legendary sticker-pasting journey north along the +coast, settling finally in Northwest Pacific Bell territory. He discovered +that if Bell does not break down as interestingly as G.T.&E., it nevertheless +offers a lot of "things to play with." + +Bernay learned to play with blue boxes. He established his own personal +switchboard and phone-phreak research laboratory complex. He continued his +phone-phreak evangelism with ongoing sticker campaigns. He set up two recording +numbers, one with instructions for beginning phone phreaks, the other with +latest news and technical developments (along with some advanced instruction) +gathered from sources all over the country. + +These days, Bernay told me, he had gone beyond phone-phreaking itself. "Lately +I've been enjoying playing with computers more than playing with phones. My +personal thing in computers is just like with phones, I guess -- the kick is in +finding out how to beat the system, how to get at things I'm not supposed to +know about, how to do things with the system that I'm not supposed to be able +to do." + +As a matter of fact, Bernay told me, he had just been fired from his +computer-programming job for doing things he was not supposed to be able to do. +he had been working with a huge time-sharing computer owned by a large +corporation but shared by many others. Access to the computer was limited to +those programmers and corporations that had been assigned certain passwords. +And each password restricted its user to access to only the one section of the +computer cordoned off from its own information storager. The password system +prevented companies and individuals from stealing each other's information. + +"I figured out how to write a program that would let me read everyone else's +password," Bernay reports. "I began playing around with passwords. I began +letting the people who used the computer know, in subtle ways, that I knew +their passwords. I began dropping notes to the computer supervisors with hints +that I knew what I know. I signed them 'The Midnight Skulker.' I kept getting +cleverer and cleverer with my messages and devising ways of showing them what I +could do. I'm sure they couldn't imagine I could do the things I was showing +them. But they never responded to me. Every once in a while they'd change the +passwords, but I found out how to discover what the new ones were, and I let +them know. But they never responded directly to the Midnight Skulker. I even +finally designed a program which they could use to prevent my program from +finding out what it did. In effect I told them how to wipe me out, The +Midnight Skulker. It was a very clever program. I started leaving clues about +myself. I wanted them to try and use it and then try to come up with something +to get around that and reappear again. But they wouldn't play. I wanted to +get caught. I mean I didn't want to get caught personally, but I wanted them +to notice me and admit that they noticed me. I wanted them to attempt to +respond, maybe in some interesting way." + + + Page 54 + + + + + The Official Phreaker's Manual + +Finally the computer managers became concerned enough about the threat of +information-stealing to respond. However, instead of using The Midnight +Skulker's own elegant self-destruct program, they called in their security +personnel, interrogated everyone, found an informer to identify Bernay as The +Midnight Skulker, and fired him. + +"At first the security people advised the company to hire me full-time to +search out other flaws and discover other computer freaks. I might have liked +that. But I probably would have turned into a double double agent rather than +the double agent they wanted. I might have resurrected The Midnight Skulker +and tried to catch myself. Who knows? Anyway, the higher-ups turned the whole +idea down." + +You Can Tap the F.B.I.'s Crime Control Computer in the Comfort of Your Own +Home, Perhaps + +Computer freaking may be the wave of the future. It suits the phone-phreak +sensibility perfectly. Gilbertson, the blue-box inventor and a lifelong phone +phreak, has also gone on from phone-phreaking to computer-freaking. Before he +got into the blue-box business Gilbertson, who is a highly skilled programmer, +devised programs for international currency arbitrage. + +But he began playing with computers in earnest when he learned he could use his +blue box in tandem with the computer terminal installed in his apartment by the +instrumentation firm he worked for. The print-out terminal and keyboard was +equipped with acoustical coupling, so that by coupling his little ivory +Princess phone to the terminal and then coupling his blue box on that, he could +M-F his way into other computers with complete anonymity, and without charge; +program and re-program them at will; feed them false or misleading information; +tap and steal from them. He explained to me that he taps computers by busying +out all the lines, then going into a verification trunk, listening into the +passwords and instructions one of the time sharers uses, and them M-F-ing in +and imitating them. He believes it would not be impossible to creep into the +F.B.I's crime control computer through a local police computer terminal and +phreak around with the F.B.I.'s memory banks. He claims he has succeeded in +re-programming a certain huge institutional computer in such a way that it has +cordoned off an entire section of its circuitry for his personal use, and at +the same time conceals that arrangement from anyone else's notice. I have been +unable to verify this claim. + +Like Captain Crunch, like Alexander Graham Bell (pseudonym of a +disgruntled-looking East Coast engineer who claims to have invented the black +box and now sells black and blue boxes to gamblers and radical heavies), like +most phone phreaks, Gilbertson began his career trying to rip off pay phones as +a teenager. Figure them out, then rip them off. Getting his dime back from +the pay phone is the phone phreak's first thrilling rite of passage. After +learning the usual eighteen different ways of getting his dime back, Gilbertson +learned how to make master keys to coin-phone cash boxes, and get everyone +else's dimes back. He stole some phone-company equipment and put together his +own home switchboard with it. He learned to make a simple "bread-box" device, +of the kind used by bookies in the Thirties (bookie gives a number to his +betting clients; the phone with that number is installed in some widow lady's +apartment, but is rigged to ring in the bookie's shop across town, cops trace +big betting number and find nothing but the widow). + +Not long after that afternoon in 1968 when, deep in the stacks of an +engineering library, he came across a technical journal with the phone tone +frequencies and rushed off to make his first blue box, not long after that + + Page 55 + + + + + The Official Phreaker's Manual + +Gilbertson abandoned a very promising career in physical chemistry and began +selling blue boxes for $1,500 apiece. + +"I had to leave physical chemistry. I just ran out of interesting things to +learn," he told me one evening. We had been talking in the apartment of the +man who served as the link between Gilbertson and the syndicate in arranging +the big $300,000 blue-box deal which fell through because of legal trouble. +There has been some smoking. + +"No more interesting things to learn," he continues. "Physical chemistry turns +out to be a sick subject when you take it to its highest level. I don't know. +I don't think I could explain to you how it's sick. You have to be there. But +you get, I don't know, a false feeling of omnipotence. I suppose it's like +phone-phreaking that way. This huge thing is there. This whole system. And +there are holes in it and you slip into them like Alice and you're pretending +you're doing something you're actually not, or at least it's no longer you +that's doing what you thought you were doing. It's all Lewis Carroll. +Physical chemistry and phone-phreaking. That's why you have these phone-phreak +pseudonyms like The Cheshire Cat, the Red King, and The Snark. But there's +something about phone-phreaking that you don't find in physical chemistry." He +looks up at me: + +"Did you ever steal anything?" + +"Well yes, ¡—.." + +"Then you know! You know the rush you get. It's not just knowledge, like +physical chemistry. It's forbidden knowledge. You know. You can learn about +anything under the sun and be bored to death with it. But the idea that it's +illegal. Look: you can be small and mobile and smart and you're ripping off +somebody large and powerful and very dangerous." + +People like Gilbertson and Alexander Graham Bell are always talking about +ripping off the phone company and screwing Ma Bell. But if they were shown a +single button and told that by pushing it they could turn the entire circuitry +of A.T.&T. into molten puddles, they probably wouldn't push it. The +disgruntled-inventor phone phreak needs the phone system the way the lapsed +Catholic needs the Church, the way Satan needs a God, the way The Midnight +Skulker needed, more than anything else, response. + +Later that evening Gilbertson finished telling me how delighted he was at the +flood of blue boxes spreading throughout the country, how delighted he was to +know that "this time they're really screwed." He suddenly shifted gears. + +"Of course. I do have this love/hate thing about Ma Bell. In a way I almost +like the phone company. I guess I'd be very sad if they were to disintegrate. +In a way it's just that after having been so good they turn out to have these +things wrong with them. It's those flaws that allow me to get in and mess with +them, but I don't know. There's something about it that gets to you and makes +you want to get to it, you know." + +I ask him what happens when he runs out of interesting, forbidden things to +learn about the phone system. + +"I don't know, maybe I'd go to work for them for a while." + +"In security even?" + + + Page 56 + + + + + The Official Phreaker's Manual + +"I'd do it, sure. I just as soon play -- I'd just as soon work on either +side." + +"Even figuring out how to trap phone phreaks? I said, recalling Mark Bernay's +game." + +"Yes, that might be interesting. Yes, I could figure out how to outwit the +phone phreaks. Of course if I got too good at it, it might become boring +again. Then I'd have to hope the phone phreaks got much better and outsmarted +me for a while. That would move the quality of the game up one level. I might +even have to help them out, you know, 'Well, kids, I wouldn't want this to get +around but did you ever think of -- ?' I could keep it going at higher and +higher levels forever." + +The dealer speaks up for the first time. He has been staring at the soft +blinking patterns of light and colors on the translucent tiled wall facing him. +(Actually there are no patterns: the color and illumination of every tile is +determined by a computerized random-number generator designed by Gilbertson +which insures that there can be no meaning to any sequence of events in the +tiles.) + +"Those are nice games you're talking about," says the dealer to his friend. +"But I wouldn't mind seeing them screwed. A telephone isn't private anymore. +You can't say anything you really want to say on a telephone or you have to go +through that paranoid bullshit. 'Is it cool to talk on the phone?' I mean, +even if it is cool, if you have to ask 'Is it cool,' then it isn't cool. You +know. 'Is it cool,' then it isn't cool. You know. Like those blind kids, +people are going to start putting together their own private telephone +companies if they want to really talk. And you know what else. You don't hear +silences on the phone anymore. They've got this time-sharing thing on +long-distance lines where you make a pause and they snip out that piece of time +and use it to carry part of somebody else's conversation. Instead of a pause, +where somebody's maybe breathing or sighing, you get this blank hole and you +only start hearing again when someone says a word and even the beginning of the +word is clipped off. Silences don't count -- you're paying for them, but they +take them away from you. It's not cool to talk and you can't hear someone when +they don't talk. What the hell good is the phone? I wouldn't mind seeing them +totally screwed." + ++-- End third file of four --+ + + + + + + + + + + + + + + + + + + + + Page 57 + + + + + The Official Phreaker's Manual + + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + * * + * +----------------------------------------------+ * + * * + * Secrets of the Little Blue Box * + * * + * by Ron Rosenbaum * + * Typed by One Farad Cap/AAG * + * * + * -A story so incredible it may even make you * + * feel sorry for the phone company- * + * * + * (Fourth of four files) * + * * + * +----------------------------------------------+ * + * * + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + +The Big Memphis Bust + +Joe Engressia never wanted to screw Ma Bell. His dream had always been to work +for her. + +The day I visited Joe in his small apartment on Union Avenue in Memphis, he was +upset about another setback in his application for a telephone job. + +"They're stalling on it. I got a letter today telling me they'd have to +postpone the interview I requested again. My landlord read it for me. They +gave me some runaround about wanting papers on my rehabilitation status but I +think there's something else going on." + +When I switched on the 40-watt bulb in Joe's room -- he sometimes forgets when +he has guests -- it looked as if there was enough telephone hardware to start a +small phone company of his own. + +There is one phone on top of his desk, one phone sitting in an open drawer +beneath the desk top. Next to the desk-top phone is a cigar-box-size M-F +device with big toggle switches, and next to that is some kind of switching and +coupling device with jacks and alligator plugs hanging loose. Next to that is +a Braille typewriter. On the floor next to the desk, lying upside down like a +dead tortoise, is the half-gutted body of an old black standard phone. Across +the room on a torn and dusty couch are two more phones, one of them a +touch-tone model; two tape recorders; a heap of phone patches and cassettes, +and a life-size toy telephone. + +Our conversation is interrupted every ten minutes by phone phreaks from all +over the country ringing Joe on just about every piece of equipment but the toy +phone and the Braille typewriter. One fourteen-year-old blind kid from +Connecticut calls up and tells Joe he's got a girl friend. He wants to talk to +Joe about girl friends. Joe says they'll talk later in the evening when they +can be alone on the line. Joe draws a deep breath, whistles him off the air +with an earsplitting 2600-cycle whistle. Joe is pleased to get the calls but he +looked worried and preoccupied that evening, his brow constantly furrowed over +his dark wandering eyes. In addition to the phone-company stall, he has just +learned that his apartment house is due to be demolished in sixty days for +urban renewal. For all its shabbiness, the Union Avenue apartment house has +been Joe's first home-of-his-own and he's worried that he may not find another +before this one is demolished. + + Page 58 + + + + + The Official Phreaker's Manual + + +But what really bothers Joe is that switchmen haven't been listening to him. +"I've been doing some checking on 800 numbers lately, and I've discovered that +certain 800 numbers in New Hampshire couldn't be reached from Missouri and +Kansas. Now it may sound like a small thing, but I don't like to see sloppy +work; it makes me feel bad about the lines. So I've been calling up switching +offices and reporting it, but they haven't corrected it. I called them up for +the third time today and instead of checking they just got mad. Well, that +gets me mad. I mean, I do try to help them. There's something about them I +can't understand -- you want to help them and they just try to say you're +defrauding them." + +It is Sunday evening and Joe invites me to join him for dinner at a Holiday +Inn. Frequently on Sunday evening Joe takes some of his welfare money, calls a +cab, and treats himself to a steak dinner at one of Memphis' thirteen Holiday +Inns. (Memphis is the headquarters of Holiday Inn. Holiday Inns have been a +favorite for Joe ever since he made his first solo phone trip to a Bell +switching office in Jacksonville, Florida, and stayed in the Holiday Inn there. +He likes to stay at Holiday Inns, he explains, because they represent freedom +to him and because the rooms are arranged the same all over the country so he +knows that any Holiday Inn room is familiar territory to him. Just like any +telephone.) + +Over steaks in the Pinnacle Restaurant of the Holiday Inn Medical Center on +Madison Avenue in Memphis, Joe tells me the highlights of his life as a phone +phreak. + +At age seven, Joe learned his first phone trick. A mean baby-sitter, tired of +listening to little Joe play with the phone as he always did, constantly, put a +lock on the phone dial. "I got so mad. When there's a phone sitting there and +I can't use it... so I started getting mad and banging the receiver up and +down. I noticed I banged it once and it dialed one. Well, then I tried +banging it twice...." In a few minutes Joe learned how to dial by pressing the +hook switch at the right time. "I was so excited I remember going 'whoo whoo' +and beat a box down on the floor." + +At age eight Joe learned about whistling. "I was listening to some intercept +non working-number recording in L.A.- I was calling L.A. as far back as that, +but I'd mainly dial non working numbers because there was no charge, and I'd +listen to these recordings all day. Well, I was whistling 'cause listening to +these recordings can be boring after a while even if they are from L.A., and +all of a sudden, in the middle of whistling, the recording clicked off. I +fiddled around whistling some more, and the same thing happened. So I called +up the switch room and said, 'I'm Joe. I'm eight years old and I want to know +why when I whistle this tune the line clicks off.' He tried to explain it to +me, but it was a little too technical at the time. I went on learning. That +was a thing nobody was going to stop me from doing. The phones were my life, +and I was going to pay any price to keep on learning. I knew I could go to +jail. But I had to do what I had to do to keep on learning." + +The phone is ringing when we walk back into Joe's apartment on Union Avenue. +It is Captain Crunch. The Captain has been following me around by phone, +calling up everywhere I go with additional bits of advice and explanation for +me and whatever phone phreak I happen to be visiting. This time the Captain +reports he is calling from what he describes as "my hideaway high up in the +Sierra Nevada." He pulses out lusty salvos of M-F and tells Joe he is about to +"go out and get a little action tonight. Do some phreaking of another kind, if +you know what I mean." Joe chuckles. + + Page 59 + + + + + The Official Phreaker's Manual + + +The Captain then tells me to make sure I understand that what he told me about +tying up the nation's phone lines was true, but that he and the phone phreaks +he knew never used the technique for sabotage. They only learned the technique +to help the phone company. + +"We do a lot of troubleshooting for them. Like this New Hampshire/Missouri +WATS-line flaw I've been screaming about. We help them more than they know." + +After we say good-bye to the Captain and Joe whistles him off the line, Joe +tells me about a disturbing dream he had the night before: "I had been caught +and they were taking me to a prison. It was a long trip. They were taking me +to a prison a long long way away. And we stopped at a Holiday Inn and it was +my last night ever using the phone and I was crying and crying, and the lady at +the Holiday Inn said, 'Gosh, honey, you should never be sad at a Holiday Inn. +You should always be happy here. Especially since it's your last night.' And +that just made it worse and I was sobbing so much I couldn't stand it." + +Two weeks after I left Joe Engressia's apartment, phone-company security agents +and Memphis police broke into it. Armed with a warrant, which they left pinned +to a wall, they confiscated every piece of equipment in the room, including his +toy telephone. Joe was placed under arrest and taken to the city jail where he +was forced to spend the night since he had no money and knew no one in Memphis +to call. + +It is not clear who told Joe what that night, but someone told him that the +phone company had an open-and-shut case against him because of revelations of +illegal activity he had made to a phone-company undercover agent. + +By morning Joe had become convinced that the reporter from Esquire, with whom +he had spoken two weeks ago, was the undercover agent. He probably had ugly +thoughts about someone he couldn't see gaining his confidence, listening to him +talk about his personal obsessions and dreams, while planning all the while to +lock him up. + +"I really thought he was a reporter," Engressia told the Memphis Press-Seminar. +"I told him everything...." Feeling betrayed, Joe proceeded to confess +everything to the press and police. + +As it turns out, the phone company did use an undercover agent to trap Joe, +although it was not the Esquire reporter. + +Ironically, security agents were alerted and began to compile a case against +Joe because of one of his acts of love for the system: Joe had called an +internal service department to report that he had located a group of defective +long-distance trunks, and to complain again about the New Hampshire/Missouri +WATS problem. Joe always liked Ma Bell's lines to be clean and responsive. A +suspicious switchman reported Joe to the security agents who discovered that +Joe had never had a long-distance call charged to his name. + +Then the security agents learned that Joe was planning one of his phone trips +to a local switching office. The security people planted one of their agents +in the switching office. He posed as a student switchman and followed Joe +around on a tour. He was extremely friendly and helpful to Joe, leading him +around the office by the arm. When the tour was over he offered Joe a ride back +to his apartment house. On the way he asked Joe -- one tech man to another -- +about "those blue boxers" he'd heard about. Joe talked about them freely, +talked about his blue box freely, and about all the other things he could do + + Page 60 + + + + + The Official Phreaker's Manual + +with the phones. + +The next day the phone-company security agents slapped a monitoring tape on +Joe's line, which eventually picked up an illegal call. Then they applied for +the search warrant and broke in. + +In court Joe pleaded not guilty to possession of a blue box and theft of +service. A sympathetic judge reduced the charges to malicious mischief and +found him guilty on that count, sentenced him to two thirty-day sentences to be +served concurrently and then suspended the sentence on condition that Joe +promise never to play with phones again. Joe promised, but the phone company +refused to restore his service. For two weeks after the trial Joe could not be +reached except through the pay phone at his apartment house, and the landlord +screened all calls for him. + +Phone-phreak Carl managed to get through to Joe after the trial, and reported +that Joe sounded crushed by the whole affair. + +"What I'm worried about," Carl told me, "is that Joe means it this time. The +promise. That he'll never phone-phreak again. That's what he told me, that +he's given up phone-phreaking for good. I mean his entire life. He says he +knows they're going to be watching him so closely for the rest of his life +he'll never be able to make a move without going straight to jail. He sounded +very broken up by the whole experience of being in jail. It was awful to hear +him talk that way. I don't know. I hope maybe he had to sound that way. Over +the phone, you know." + +He reports that the entire phone-phreak underground is up in arms over the +phone company's treatment of Joe. "All the while Joe had his hopes pinned on +his application for a phone-company job, they were stringing him along getting +ready to bust him. That gets me mad. Joe spent most of his time helping them +out. The bastards. They think they can use him as an example. All of sudden +they're harassing us on the coast. Agents are jumping up on our lines. They +just busted ------'s mute yesterday and ripped out his lines. But no matter +what Joe does, I don't think we're going to take this lying down." + +Two weeks later my phone rings and about eight phone phreaks in succession say +hello from about eight different places in the country, among them Carl, Ed, +and Captain Crunch. A nationwide phone-phreak conference line has been +reestablished through a switching machine in --------, with the cooperation of +a disgruntled switchman. + +"We have a special guest with us today," Carl tells me. + +The next voice I hear is Joe's. He reports happily that he has just moved to a +place called Millington, Tennessee, fifteen miles outside of Memphis, where he +has been hired as a telephone-set repairman by a small independent phone +company. Someday he hopes to be an equipment troubleshooter. + +"It's the kind of job I dreamed about. They found out about me from the +publicity surrounding the trial. Maybe Ma Bell did me a favor busting me. +I'll have telephones in my hands all day long." + +"You know the expression, 'Don't get mad, get even'?" phone-phreak Carl asked +me. "Well, I think they're going to be very sorry about what they did to Joe +and what they're trying to do to us." + ++-- End fourth file of four --+ + + Page 61 + + + + + The Official Phreaker's Manual + + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + $ $ + $ THE HISTORY OF ESS $ + $ --- ------- -- --- $ + $ $ + $ $ + $ Another original phile by: $ + $ $ + $ $ + $$$$$$$$$$$$-=>Lex Luthor<=-$$$$$$$$$$$ + $ $ + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + + + Of all the new 1960s wonders of telephone technology - satellites, ultra +modern Traffic Service Positions (TSPS) for operators, the picturephone, and so +on - the one that gave Bell Labs the most trouble, and unexpectedly became the +greatest development effort in Bell System's history, was the perfection of an +electronic switching system, or ESS. + + It may be recalled that such a system was the specific end in view when the +project that had culminated in the invention of the transistor had been +launched back in the 1930s. After successful accomplishment of that planned +miracle in 1947-48, further delays were brought about by financial stringency +and the need for further development of the transistor itself. In the early +1950s, a Labs team began serious work on electronic switching. As early as +1955, Western Electric became involved when five engineers from the Hawthorne +works were assigned to collaborate with the Labs on the project. The president +of AT&T in 1956, wrote confidently, "At Bell Labs, development of the new +electronic switching system is going full speed ahead. We are sure this will +lead to many improvements in service and also to greater efficiency. The first +service trial will start in Morris, Ill., in 1959." Shortly thereafter, Kappel +said that the cost of the whole project would probably be $45 million. + + But it gradually became apparent that the development of a commercially +usable electronic switching system -in effect, a computerized telephone +exchange - presented vastly greater technical problems than had been +anticipated, and that, accordingly, Bell Labs had vastly underestimated both +the time and the investment needed to do the job. The year 1959 passed without +the promised first trial at Morris, Illinois; it was finally made in November +1960, and quickly showed how much more work remained to be done. As time +dragged on and costs mounted, there was a concern at AT&T and some-thing +approaching panic at Bell Labs. But the project had to go forward; by this +time the investment was too great to be sacrificed, and in any case, forward +projections of increased demand for telephone service indicated that within a +phew years a time would come when, without the quantum leap in speed and +flexibility that electronic switching would provide, the national network would +be unable to meet the demand. In November 1963, an all-electronic switching +system went into use at the Brown Engineering Company at Cocoa Beach, Florida. +But this was a small installation, essentially another test installation, +serving only a single company. Kappel's tone on the subject in the 1964 annual +report was, for him, an almost apologetic: "Electronic switching equipment must +be manufactured in volume to unprecedented standards of reliability.... To turn +out the equipment economically and with good speed, mass production methods +must be developed; but, at the same time, there can be no loss of precision..." +Another year and millions of dollars later, on May 30, 1965, the first +commercial electric central office was put into service at Succasunna, New +Jersey. + + Page 62 + + + + + The Official Phreaker's Manual + + + Even at Succasunna, only 200 of the town's 4,300 subscribers initially had +the benefit of electronic switching's added speed and additional services, such +as provision for three party conversations and automatic transfer of incoming +calls. But after that, ESS was on its way. In January 1966, the second +commercial installation, this one serving 2,900 telephones, went into service +in Chase, Maryland. By the end of 1967 there were additional ESS offices in +California, Connecticut, Minnesota, Georgia, New York, Florida, and +Pennsylvania; by the end of 1970 there were 120 offices serving 1.8 million +customers; and by 1974 there were 475 offices serving 5.6 million customers. + + The difference between conventional switching and electronic switching is +the difference between "hardware" and "software"; in the former case, +maintenance is done on the spot, with screwdriver and pliers, while in the case +of electronic switching, it can be done remotely, by computer, from a central +point, making it possible to have only one or two technicians on duty at a time +at each switching center. + + The development program, when the final figures were added up, was found to +have required a staggering four thousand man-years of work at Bell Labs and to +have cost not $45 million but $500 million! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 63 + + + + + The Official Phreaker's Manual + + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + $ $ + $ THE HISTORY OF BRITISH PHREAKING $ + $ -=- -=-=-=- -- -=-=-=- -=-=-=-=- $ + $ $ + $ THE SECOND IN A SERIES OF $ + $ THE HISTORY OF.....PHILES $ + $ $ + $ WRITTEN AND UPLOADED BY: $ + $ $ + $$$$$$$$$$$$-=>LEX LUTHOR<=-$$$$$$$$$$$ + $ AND $ + $ THE LEGION OF DOOM! $ + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + + NOTE: THE BRITISH POST OFFICE, IS THE U.S. EQUIVALENT OF MA BELL. + + IN BRITAIN, PHREAKING GOES BACK TO THE EARLY FIFTIES, WHEN THE TECHNIQUE OF +'TOLL A DROP BACK' WAS DISCOVERED. TOLL A WAS AN EXCHANGE NEAR ST. PAULS +WHICH ROUTED CALLS BETWEEN LONDON AND NEARBY NON-LONDON EXCHANGES. THE TRICK +WAS TO DIAL AN UNALLOCATED NUMBER, AND THEN DEPRESS THE RECEIVER-REST FOR 1/2 +SECOND. THIS FLASHING INITIATED THE 'CLEAR FORWARD' SIGNAL, LEAVING THE CALLER +WITH AN OPEN LINE INTO THE TOLL A EXCHANGE.THE COULD THEN DIAL 018, WHICH +FORWARDED HIM TO THE TRUNK EXCHANGE AT THAT TIME, THE FIRST LONG DISTANCE +EXCHANGE IN BRITAIN AND FOLLOW IT WITH THE CODE FOR THE DISTANT EXCHANGE TO +WHICH HE WOULD BE CONNECTED AT NO EXTRA CHARGE. + + THE SIGNALS NEEDED TO CONTROL THE UK NETWORK TODAY WERE PUBLISHED IN THE +"INSTITUTION OF POST OFFICE ENGINEERS JOURNAL" AND REPRINTED IN THE SUNDAY +TIMES (15 OCT. 1972). + + THE SIGNALLING SYSTEM THEY USE: SIGNALLING SYSTEM NO. 3 USES PAIRS OF +FREQUENCIES SELECTED FROM 6 TONES SEPARATED BY 120HZ. WITH THAT INFO, THE +PHREAKS MADE "BLEEPERS" OR AS THEY ARE CALLED HERE IN THE U.S. "BLUE BOX", BUT +THEY DO UTILIZE DIFFERENT MF TONES THEN THE U.S., THUS, YOUR U.S. BLUE BOX +THAT YOU SMUGGLED INTO THE UK WILL NOT WORK, UNLESS YOU CHANGE THE +FREQUENCIES. + + IN THE EARLY SEVENTIES, A SIMPLER SYSTEM BASED ON DIFFERENT NUMBERS OF PULSES +WITH THE SAME FREQUENCY (2280HZ) WAS USED. FOR MORE INFO ON THAT, TRY TO GET A +HOLD OF: ATKINSON'S "TELEPHONY AND SYSTEMS TECHNOLOGY". + + IN THE EARLY DAYS OF BRITISH PHREAKING, THE CAMBRIDGE UNIVERSITY TITAN +COMPUTER WAS USED TO RECORD AND CIRCULATE NUMBERS FOUND BY THE EXHAUSTIVE +DIALING OF LOCAL NETWORKS. THESE NUMBERS WERE USED TO CREATE A CHAIN OF LINKS +FROM LOCAL EXCHANGE TO LOCAL EXCHANGE ACROSS THE COUNTRY, BYPASSING THE TRUNK +CIRCUITS. BECAUSE THE INTERNAL ROUTING CODES IN THE UK NETWORK ARE NOT THE +SAME AS THOSE DIALED BY THE CALLER, THE PHREAKS HAD TO DISCOVER THEM BY 'PROBE +AND LISTEN' TECHNIQUES OR MORE COMMONLY KNOWN IN THE U.S.-- SCANNING. WHAT +THEY DID WAS PUT IN LIKELY SIGNALS AND LISTENED TO FIND OUT IF THEY SUCCEEDED. +THE RESULTS OF SCANNING WERE CIRCULATED TO OTHER PHREAKS. DISCOVERING EACH +OTHER TOOK TIME AT FIRST, BUT EVENTUALLY THE PHREAKS BECAME ORGANIZED. THE +"TAP" OF BRITAIN WAS CALLED "UNDERCURRENTS" WHICH ENABLED BRITISH PHREAKS TO +SHARE THE INFO ON NEW NUMBERS, EQUIPMENT ETC. + + TO UNDERSTAND WHAT THE BRITISH BRITISH PHREAKS DID, THINK OF THE PHONE +NETWORK IN THREE LAYERS OF LINES: LOCAL, TRUNK, AND INTERNATIONAL.#IN THE UK, +SUBSCRIBER TRUNK DIALING (STD), IS THE MECHANISM WHICH TAKES A CALL FROM THE + + Page 64 + + + + + The Official Phreaker's Manual + +LOCAL LINES AND (LEGITIMATELY) ELEVATES IT TO A TRUNK OR INTERNATIONAL +LEVEL.#THE UK PHREAKS FIGURED THAT A CALL AT TRUNK LEVEL CAN BE ROUTED THROUGH +ANY NUMBER OF EXCHANGES, PROVIDED THAT THE RIGHT ROUTING CODES WERE FOUND AND +USED CORRECTLY. THEY ALSO HAD TO DISCOVER HOW TO GET FROM LOCAL TO TRUNK LEVEL +EITHER WITHOUT BEING CHARGED (WHICH THEY DID WITH A BLEEPER BOX) OR WITHOUT +USING (STD). CHAINING HAS ALREADY BEEN MENTIONED BUT IT REQUIRES LONG STRINGS +OF DIGITS AND SPEECH GETS MORE AND MORE FAINT AS THE CHAIN GROWS, JUST LIKE IT +DOES WHEN YOU STACK TRUNKS BACK AND FORTH ACROSS THE U.S.#THE WAY THE SECURITY +REPS SNAGGED THE PHREAKS WAS TO PUT A SIMPLE 'PRINTERMETER' OR AS WE CALL IT: +A PEN REGISTER ON THE SUSPECTS LINE, WHICH SHOWS EVERY DIGIT DIALED FROM THE +SUBSCRIBERS LINE. + + THE BRITISH PREFER TO GET ONTO THE TRUNKS RATHER THAN CHAINING. ONE WAY WAS +TO DISCOVER WHERE LOCAL CALLS USE THE TRUNKS BETWEEN NEIGHBORING EXCHANGES, +START A CALL AND STAY ON THE TRUNK INSTEAD OF RETURNING TO THE LOCAL LEVEL ON +REACHING THE DISTANT SWITCH. THIS AGAIN REQUIRED EXHAUSTIVE DIALING AND MADE +MORE WORK FOR TITAN; IT ALSO REVEALED 'FIDDLES', WHICH WERE INSERTED BY POST +OFFICE ENGINEERS. + + WHAT FIDDLING MEANS IS THAT THE ENGINEERS REWIRED THE EXCHANGES FOR THEIR OWN +BENEFIT. THE EQUIPMENT IS MODIFIED TO GIVE ACCESS TO A TRUNK WITH OUT BEING +CHARGED, AN OPERATION WHICH IS PRETTY EASY IN STEP BY STEP (SXS) +ELECTROMECHANICAL EXCHANGES, WHICH WERE INSTALLED IN BRITAIN EVEN IN THE 1970S +(NOTE: I KNOW OF A BACK DOOR INTO THE CANADIAN SYSTEM ON A 4A CO., SO IF YOU +ARE ON SXS OR A 4A, TRY SCANNING 3 DIGIT EXCHANGES, IE: DIAL 999,998,997 +ETC.#AND LISTEN FOR THE BEEP-KERCHINK, IF THERE ARE NO 3 DIGIT CODES WHICH +ALLOW DIRECT ACCESS TO A TANDEM IN YOUR LOCAL EXCHANGE AND BYPASSES THE AMA SO +YOU WON'T BE BILLED, NOT HAVE TO BLAST 2600 EVERY TIME YOU WISH TO BOX A CALL. + + A FAMOUS BRITISH 'FIDDLER' REVEALED IN THE EARLY 1970S WORKED BY DIALING 173. +THE CALLER THEN ADDED THE TRUNK CODE OF 1 AND THE SUBSCRIBERS LOCAL NUMBER. AT +THAT TIME, MOST ENGINEERING TEST SERVICES BEGAN WITH 17X, SO THE ENGINEERS +COULD HIDE THEIR FIDDLES IN THE NEST OF SERVICE WIRES. WHEN SECURITY REPS +STARTED SEARCHING, THE FIDDLES WERE CONCEALED BY TONES SIGNALLING: 'NUMBER +UNOBTAINALBE' OR 'EQUIPMENT ENGAGED' WHICH SWITCHED OFF AFTER A DELAY. THE +NECESSARY RELAYS ARE SMALL AND EASILY HIDDEN. + + THERE WAS ANOTHER SIDE TO PHREAKING IN THE UK IN THE SIXTIES. BEFORE STD WAS +WIDESPREAD, MANY 'ORDINARY' PEOPLE WERE DRIVEN TO. + +OCCASIONAL PHREAKING FROM SHEER FRUSTRATION AT THE INEFFICIENT OPERATOR +CONTROLLED TRUNK SYSTEM. THIS CAME TO A HEAD DURING A STRIKE ABOUT 1961 WHEN +OPERATORS COULD NOT BE REACHED. NOTHING COMPLICATED WAS NEEDED. MANY +OPERATORS HAD BEEN IN THE HABIT OF REPEATING THE CODES AS THEY DIALLED THE +REQUESTED NUMBERS SO PEOPLE SOON LEARNT THE NUMBERS THEY CALLED FREQUENTLY. +THE ONLY 'TRICK' WAS TO KNOW WHICH EXCHANGES COULD BE DIALLED THROUGH TO PASS +ON THE TRUNK NUMBER.CALLERS ALSO NEEDED A PRETTY QUIET PLACE TO DO IT, SINCE +TIMING RELATIVE TO CLICKS WAS IMPORTANT THE MOST FAMOUS TRIAL OF BRITISH +PHREAKS WAS CALLED THE OLD BAILY TRIAL.#WHICH STARTED ON 3 OCT. 1973.#WHAT +THEY PHREAKS DID WAS TO DIAL A SPARE NUMBER AT A LOCAL CALL RATE BUT INVOLVING +A TRUNK TO ANOTHER EXCHANGE THEN THEY SEND A 'CLEAR FORWARD' TO THEIR LOCAL +EXCHANGE, INDICATING TO IT THAT THE CALL IS FINISHED;BUT THE DISTANT EXCHANGE +DOESN'T REALIZE BECAUSE THE CALLER'S PHONE IS STILL OFF THE HOOK. THEY NOW +HAVE AN OPEN LINE INTO THE DISTANT TRUNK EXCHANGE AND SENDS TO IT A 'SEIZE' +SIGNAL: '1' WHICH PUTS HIM ONTO ITS OUTGOING LINES NOW, IF THEY KNOW THE +CODES, THE WORLD IS OPEN TO THEM. ALL OTHER EXCHANGES TRUST HIS LOCAL EXCHANGE +TO HANDLE THE BILLING; THEY JUST INTERPRET THE TONES THEY HEAR. MEAN WHILE, +THE LOCAL EXCHANGE COLLECTS ONLY FOR A LOCAL CALL. THE INVESTIGATORS + + Page 65 + + + + + The Official Phreaker's Manual + +DISCOVERED THE PHREAKS HOLDING A CONFERENCE SOMEWHERE IN ENGLAND SURROUNDED BY +VARIOUS PHONE EQUIPMENT AND BLEEPER BOXES, ALSO PRINTOUTS LISTING 'SECRET' POST +OFFICE CODES. (THEY PROBABLY GOT THEM FROM TRASHING?) THE JUDGE SAID: "SOME +TAKE TO HEROIN, SOME TAKE TO TELEPHONES" FOR THEM PHONE PHREAKING WAS NOT A +CRIME BUT A HOBBY TO BE SHARED WITH PHELLOW ENTHUSIASTS AND DISCUSSED WITH THE +POST OFFICE OPENLY OVER DINNER AND BY MAIL. THEIR APPROACH AND ATTITUDE TO THE +WORLDS LARGEST COMPUTER, THE GLOBAL TELEPHONE SYSTEM, WAS THAT OF SCIENTISTS +CONDUCTING EXPERIMENTS OR PROGRAMMERS AND ENGINEERS TESTING PROGRAMS AND +SYSTEMS. THE JUDGE APPEARED TO AGREE, AND EVEN ASKED THEM FOR PHREAKING CODES +TO USE FROM HIS LOCAL EXCHANGE!!! + +# $-THE END-$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 66 + + + + + The Official Phreaker's Manual + + Bad as Shit + + Recently, a telephone fanatic in the northwest made an interesting +discovery. He was exploring the 804 area code (Virginia) and found out that +the 840 exchange did something strange. + In the vast majority of cases, in fact in all of the cases except one, he +would get a recording as if the exchange didn't exist. However, if he dialed +804-840 and four rather predictable numbers, he got a ring! + + After one or two rings, somebody picked up. Being experienced at this kind +of thing, he could tell that the call didn't "supe", that is, no charges were +being incurred for calling this number. + (Calls that get you to an error message, or a special operator, generally +don't supervise.) A female voice, with a hint of a Southern accent said, +"Operator, can I help you?" + + "Yes," he said, "What number have I reached?" + + "What number did you dial, sir?" + + He made up a number that was similar. + + "I'm sorry that is not the number you reached." Click. + + He was fascinated. What in the world was this? He knew he was going to +call back, but before he did, he tried some more experiments. He tried the 840 +exchange in several other area codes. In some, it came up as a valid exchange. +In others, exactly the same thing happened -- the same last four digits, the +same Southern belle. Oddly enough, he later noticed, the areas worked in +seemed to travel in a beeline from Washington DC to Pittsburgh, PA. + + He called back from a payphone. "Operator, can I help you?" + + "Yes, this is the phone company. I'm testing this line and we don't seem to +have an identification on your circuit. What office is this, please?" + + "What number are you trying to reach?" + + "I'm not trying to reach any number. I'm trying to identify this circuit." + + "I'm sorry, I can't help you." + + "Ma'am, if I don't get an ID on this line, I'll have to disconnect it. We +show no record of it here." + + "Hold on a moment, sir." + + After about a minute, she came back. "Sir, I can have someone speak to you. +Would you give me your number, please?" + + He had anticipated this and he had the payphone number ready. After he gave +it, she said, "Mr. XXX will get right back to you." + + "Thanks." He hung up the phone. It rang. INSTANTLY! "Oh my God," he +thought, "They weren't asking for my number -- they were confirming it!" + + "Hello," he said, trying to sound authoritative. + + + Page 67 + + + + + The Official Phreaker's Manual + + "This is Mr. XXX. Did you just make an inquiry to my office concerning a +phone number?" + + "Yes. I need an identi--" + + "What you need is advice. Don't ever call that number again. Forget you +ever knew it." + + At this point our friend got so nervous he just hung up. He expected to +hear the phone ring again but it didn't. + + Over the next few days he racked his brains trying to figure out what the +number was. He knew it was something big -- that was pretty certain at this +point. It was so big that the number was programmed into every central office +in the country. He knew this because if he tried to dial any other number in +that exchange, he'd get a local error message from his CO, as if the exchange +didn't exist. + + It finally came to him. He had an uncle who worked in a federal agency. He +had a feeling that this was government related and if it was, his uncle could +probably find out what it was. He asked the next day and his uncle promised to +look into the matter. + + The next time he saw his uncle, he noticed a big change in his manner. He +was trembling. "Where did you get that number?!" he shouted. "Do you know I +almost got fired for asking about it?!? They kept wanting to know where I got +it." + + Our friend couldn't contain his excitement. "What is it?" he pleaded. +"What's the number?!" + +"IT'S THE PRESIDENT'S BOMB SHELTER!" + + He never called the number after that. He knew that he could probably cause +quite a bit of excitement by calling the number and saying something like, "The +weather's not good in Washington. We're coming over for a visit." But our +friend was smart. he knew that there were some things that were better off +unsaid and undone. <> + + + + + + + + + + + + + + + + + + + + + + Page 68 + + + + + The Official Phreaker's Manual + + Chapter 3 + + This chapter is really just a bunch of FACS (pun intended). Here is where +random facts that really have something to do with everything else but nothing +to do with anything else, are presented. They cover various topics such as: +Conferencing, Tracing, Pen registers, Calling cards, and some basic FMF (Fool +the Mother Fuckers). The aspects covered here are very brief and could easily +be covered much more thoroughly, but it is no problem since they are not very +important topics. Something that would make a very nice gift is covered in the +article AT&T forgery. Just make up stationary with AT&T letter head and give +it as a present to your phriends who would appreciate it. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 69 + + + + + The Official Phreaker's Manual + + Phreaking COSMOS + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + COSMOS is Bell's computer for handling information on customer lines, +special services on lines, and orders to change line equipment, disconnect +lines, etc. COSMOS stands for Computerized System for Mainframe Operations. It +is based on the UNIX operating system and, depending upon the COSMOS and upon +your access, has some, many, or no UNIX standard commands. COSMOS is powerful, +but there is no reason to be afraid of it. This article will give some of the +basic, pertinent info on how users get in, account format, and a few other +goodies. + + Password Identification + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + To get onto COSMOS you need a dialup, account, password, and wire center +(WC). Wire centers are two letter codes that tell what section of the COSMOS +you are in. There are different WC's f or different areas and groups of +exchanges. Examples are PB, SR, LK, et c. Sometimes there are accounts that +have no password; obviously such accounts are the easiest to hack. + + Checking It Out + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + Let's suppose you have a COSMOS number which you obtained one way or +another. The first thing to do would be to make sure it is really a COSMOS +system, not some other Bell or AT&T computer. To do this, you would call it +and connect your modem,, then hit some returns until you got a response. It +should say: + + ';LOGIN:' or 'NAME:'. + If you enter some garbage it should say: +'PASSWORD:'. + If you hit a return and it says 'WC?', it is a COSMOS system. If it says +something like 'TA%' then you're in business. If it doesn't do any of the +above, then it is either some other kind of system, or, if you're not getting +anything at all, the dialup has probably gone bad. + + Getting In + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + COSMOS has certain accounts that are usually on the system, one of which +might not have a password. They consist of ROOT (most powerful and almost +always on the system), SYS (second most powerful, still many privileges), BIN +(a little less power), PREOP (a little less), and COSMOS (hardly any +privileges, like a normal user). The way to tell if they have passwords is by +entering accounts at the ';LOGIN:' or ' NAME:' prompt, and if it jumps straight +to 'WC?', all you need is a WC to get in. But suppose all of the accounts have +passwords? You have two choices. You can try to hack the password and WC to +one of the above accounts. I won't deal with this method, as is +self-explanatory. Or you can do something I find much easier...call the +COSMOS during business hours and hope that someone forgot to log off. Keep +calling until when you connect and hit return until you get a 'WC%' prompt. +'WC' is the WC that the account you found is currently in. You are now in! + + What to Do while on-line + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + + Page 70 + + + + + The Official Phreaker's Manual + + The first thing you want to do is write down the WC you are in. Only on our +first login it is a good idea to print everything or dump everything to a +buffer. + + Commands + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +'WCFLDS'(!) : Should list all WC's. +'WHO' : Should print everyone currently logged on the system, giving +some accounts. +'TTY' : Tells what terminal port you are on. +'WHERE' : Should tell the location of the COSMOS installation. +'WHAT' : Tells what version of COSNIX, COSMOS's operating system, it +is. +'LS *' : Prints all the files you have access to. +'CD /dir' : Connects you to the directory '/dir'. +'CAT filename ' : Prints the file 'filename'. +'Q' : Quits the editor. +CTRL- Y. : Logs off +'TAT' : Sometimes prints a little help file. +'ISH' : Check someone's telefone #, type 'ISH' at the COSMOS 'WC%' +prompt. Then type. +'HTN XXX-XXXX' : (Hunt Telephone Number) to tell you about the local number +you are interested in. + +'CAT /ETC/PASSWD': Prints out the password file, if you have access. The +passwords are almost always encrypted, but you get a list of all the accounts. +If you are lucky, one of the lines will have two colons after the account name. +This means there is no prompt from the ';LOGIN:' or 'NAME:' prompts when you +enter that account. + +To run a file just type the name followed by a return. + + When the system gives you a '-', you type a '.', and it will type all kinds +of info on the phone number you entered (in Bell abbreviations, of course). If +it is not a good exchange, it will say something to that effect. You type a +period to end the ISH. + If you wish to learn more information about COSMOS, find yourself a COSMOS +manual or look at future issues of 2600. A UNIX manual would also be helpful +for standard UNIX commands. + + + + + + + + + + + + + + + + + + + + + Page 71 + + + + + The Official Phreaker's Manual + + FACS FACTS + A LOOK AT THE NEW FACS SYSTEMS + BY SHARP RAZOR + + + BELL ATLANTIC (AND PROBABLY THE REST OF THE U.S. SOON ENOUGH) IS REVAMPING +COSMOS. THE PROJECT IS CALLED FACS (FACILITATED ASSIGNMENT AND CONTROL +SYSTEM).FACS IS COMPOSED OF 5 MODULES WHICH ARE DESIGNED TO FUNCTION AS A +UNIFIED SYSTEM. THE PREMIS AND THE COSMOS SYSTEMS CAN FUNCTION AS ST AND-ALONE +SYSTEMS.THE FIVE PARTS OF FACS ARE PREMIS,SOAC, LFACS,COSMOS,AND THE WM. + + THE PREMIS (PREMISES INFORMATION SYSTEM) SUPPORTS BOTH RESIDENCE AND +BUSINESS ACCOUNTS. PREMIS IS USED FOR VARIOUS INQUIRIES FOR THE STREET ADDRESS +GUIDE(SAG),IE::PHONE NUMBERS,BILLING CHARGES,CREDIT,ETC. + + THE SECOND PART OF FACS IS THE SOAC(SERVICE ORDER ANALYSIS AND CONTROL). +THIS IS PRIMARILY USED TO INPUT SERVICE ORDER DATA INTO FACS, AND TO GET THE +APPROPRIATE OUTPUT. SOAC INTERPRETS, VALIDATES,AND DECOMPOSES ALL INPUTED DATA +AND SENDS THE INFO TO THE COSMOS AND THE LFACS SYSTEMS. + + THE THIRD PART OF THE SYSTEM IS LFACS(LOOP FACILITIES AND CONTROL SYSTEM). +THIS IS THE COMPONENT OF FACS THAT IS RESPONSIBLE FOR MAINTAINING THE +INVENTORY,DOING THE ASSIGNMENTS, ADMINISTRATING INQUIRIES AND REPORTS, AND IS +THE INVENTORY TRANSFORMATION CENTER. THIS PART OF FACS WILL BE MOSTLY USED FOR +AIDING THE AT&T LINEMEN. + + THE COSMOS SYSTEM(COMPUTER SYSTEM FOR MAINFRAME OPERATIONS) COMPRISES THE +FOURTH PART OF THE FACS SYSTEM. COSMOS IS THE COMPONENT OF FACS THAT IS +RESPONSIBLE FOR MAINTAINING THE MECHANIZED INVENTORY OF MDF FACILITIES,STORING +CUSTOM CALL FEATURES(IE:SPEED DIALING NUMBERS),AND OTHER MISC. INFO. + + THE FIFTH AND LAST PIECE OF THE FACS SYSTEM IS THE WORK MANAGER (WM). HIS +COMPONENT SERVES AS THE FRONT-END PROCESSOR FOR COSMOS. IT ENABLES A NUMBER OF +COSMOS COMPUTERS TO RELIABLY COMMUNICATE WITH THE OTHER FACS COMPONENTS. WM +SERVES AS THE MESSAGES SWITCHING SYSTEM FOR THE FACS PIECES, AND GENERALLY IS +THE "MESSENGER AND STABILIZER" OF THE SYSTEM. + + THE HARDWARE THAT WILL RUN THIS FACS SYSTEM IS: + COSMOS: 22-WECO. 3B-20S MINI COMPS. + WM: 6-WECO. 3B-20S MINI COMPS. + SOAC-LFACS-PREMIS: TWO SPERRY UNIVAC 1100/92 MAINFRAMES. + BANCS 2 THP CYBER 1000 PROCESSORS. + + THE FACS SYSTEM IS STARTING UP AT THIS VERY MOMENT. THIS IS BASICALLY A +BROAD VIEW OF THE FACS SYSTEM. AT&T SEEMS TO THINK THAT FACS WILL BE MORE +EFFICIENT,SAVE THEM MONEY IN THE LONG RUN, AND SAVE THEM WORKERS(HERE COME SOME +MASSIVE LAYOFFS!) WHAT THIS MEANS TO PHREAKERS AND HACKERS IS THAT YOU WILL NOW +HAVE AT LEAST FIVE DIAL-UPS IN AN AREA CODE WITH WHICH YOU CAN PHUCK WITH +AT&T! + + ..LATER.. + ..SHARP RAZOR>> + THE LEGION OF DOOM! +(NOTE: THE FACS SYSTEM HAS RECENTLY BEEN PUT INTO OPERATION(SUMMER 84) IN +ST.LOUIS MISSOURI) + + + + + Page 72 + + + + + The Official Phreaker's Manual + + Telenet + + It seems that not many of you know that Telenet is connected to about 80 +computer-networks in the world. No, I don't mean 80 nodes, but 80 networks with +thousands of unprotected computers. When you call your local Telenet- gateway, +you can only call those computers which accept reverse-charging- calls. + If you want to call computers in foreign countries or computers in USA which +do not accept R-calls, you need a Telenet-ID. Did you ever notice that you can +type ID XXXX when being connected to Telenet? You are then asked for the +password. If you have such a NUI (Network-User-ID) you can call nearly every +host connected to any computer-network in the world. Here are some examples: + +026245400090184 :Is a VAX in Germany (Username: DATEXP and leave mail for +CHRIS !!!) +0311050500061 :Is the Los Alamos Integrated computing network (One of the +hosts connected to it is the DNA (Defense Nuclear Agency)!!!) +0530197000016 :Is a BBS in New Zealand +024050256 :Is the S-E-Bank in Stockholm, Sweden (Login as GAMES !!!) +02284681140541 :CERN in Geneva in Switzerland (one of the biggest nuclear +research centers in the world) Login as GUEST +0234212301161 :A Videotex-standard system. Type OPTEL to get in and use the +ID 999_ with the password 9_ +0242211000001 :University of Oslo in Norway (Type LOGIN 17,17 to play the +Multi-User-Dungeon !) +0425130000215 :Something like ITT Dialcom, but this one is in Israel ! ID +HELP with password HELP works fine with security level 3 +0310600584401 :Is the Washington Post News Service via Tymnet (Yes, Tymnet is +connected to Telenet, too !) ID and Password is: PETER You can read the news +of the next day ! + +The prefixes are as follows: +02624 is Datex-P in Germany +02342 is PSS in England +03110 is Telenet in USA +03106 is Tymnet in USA +02405 is Telepak in Sweden +04251 is Isranet in Israel +02080 is Transpac in France +02284 is Telepac in Switzerland +02724 is Eirpac in Ireland +02704 is Luxpac in Luxembourg +05252 is Telepac in Singapore +04408 is Venus-P in Japan +...and so on... Some of the countries have more than one +packet-switching-network (USA has 11, Canada has 3, etc). + +OK. That should be enough for the moment. As you see most of the passwords are +very simple. This is because they must not have any fear of hackers. Only a few +German hackers use these networks. Most of the computers are absolutely easy to +hack !!! So, try to find out some Telenet-ID's and leave them here. If you need +more numbers, leave e-mail. +I'm calling from Germany via the German Datex-P network, which is similar to +Telenet. We have a lot of those NUI's for the German network, but none for a +special Tymnet-outdial-computer in USA, which connects me to any phone #. + +CUL8R, Mad Max + +PS: Call 026245621040000 and type ID INF300 with password DATACOM to get more + + Page 73 + + + + + The Official Phreaker's Manual + +Informations on packet-switching-networks ! + +PS2: The new password for the Washington Post is KING !!!! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 74 + + + + + The Official Phreaker's Manual + + Phreaking AT&T Cards + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + My topic will deal with using an AT&T calling card for automated calls. Ok +to place a call with an AT&T card, lift the handset (PAY PHONE) hit (0) and the +desired area code and the number to call. Also when calling the same number +that the card is being billed to you enter the phone number and at the tone +only enter the last four digits on the card. But we don't want to do that now, +do we. If additional calls are wanted all you do is hit the (#) and you will +get a new dial tone! After you hit (#) you do not have to re-enter the calling +card number simply enter your desired number and it will connect you. + If the number you called is busy just keep hitting (#) and the number to be +called until you connect! Ok to calL the U.S. of a from another country, you +use the exact same format as described above! + Ok now I will describe the procedure for placing calls to a foreign +country, such as CANADA,RUSSIA,SOUTH AMERICA, etc.. Ok first lift the handset +then enter (01) + the country code + the city code + the local telephone +number. Ok after you get the tone enter the AT&T calling card number. Ok if you +can not dial operator assisted calls from your area don't worry just jingle the +operator and she will handle your call, don't worry she can't see you! + The international number on the AT&T calling card is used for calling the +US of A from places like RUSSIA, CHINA you never know when you might get stuck +in a country like those and you have no money to make a call! The international +operator will be able to tell you if they honor the AT&T calling card. + Well I hope that this has straightened out some of your problems on the use +of an AT&T calling card! All you have to remember is that weather you are +placing the call or the operator, be careful and never use the calling card +from your home phone!! That is a BIG NO NO.. + + Also AT&T has came out with a new thing called (NEW CARD CALLER SERVICE) +they say that it was designed to meet the public's needs! These phones will be +popping up in many place such as airport terminals, hotels, etc... What the new +card caller service is, is a new type of phone that has a (CRT) screen that +will talk to you in a language of your choice. The service works something +like this, when you find a (NEW CARD CALLER PHONE), all you do is follow the +instructions on the (CRT) screen, then you insert the (NEW CARD CALLER CARD) +and there is a strip of magnetic tape on the card which reads the number, thus +no one can hear you saying your number or if there were a bug in the phone,no +touch tones will be heard!! You can also bill the call to a third party. that +is one that I am not totally clear on yet! The phone is supposed to tell you +how it can be done. That is after you have inserted your card and lifted the +receiver! + + + + + + + + + + + + + + + + + + Page 75 + + + + + The Official Phreaker's Manual + + :%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%: + :% %: + :% AT&T FORGERY %: + :% Written by The Blue Buccaneer %: + :% %: + :% CALL THE EVERLASTING SPEED DEMON BBS AT (415) 522-3074 %: + :% Uploaded by Elric of Imrryr of Lunatic Labs UnLtd %: + :%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%: + + +Here is a very simple way to either: + +[1] Play an incredibly cruel and realistic joke on a phreaking friend. + -OR- +[2] Provide yourself with everything you ever wanted to be an AT&T person. + + All you need to do is get your hands on some AT&T paper and/or business +cards. To do this you can either go down to your local business office and +swipe a few or call up somewhere like WATTS INFORMATION and ask them to send +you their information package. They will send you: +1. A nice letter (with the AT&T logo letterhead) saying "Here is the info." +2. A business card (again with AT&T) saying who the sales representative is. +3. A very nice color booklet telling you all about WATTS lines. +4. Various billing information. (Discard as it is very worthless) + + Now take the piece of AT&T paper and the AT&T business card down to your +local print/copy shop. Tell them to run you off several copies of each, but to +leave out whatever else is printed on the business card/letter. If they refuse +or ask why, take your precious business elsewhere. +(This should only cost you around $2.00 total) + + Now take the copies home and either with your typewriter, MAC, or Fontrix, +add whatever name, address, telephone number, etc. you like. (I would recommend +just changing the name on the card and using whatever information was on there +earlier) + + And there you have official AT&T letters and business cards. As mentioned +earlier, you can use them in several ways. Mail a nice letter to someone you +hate (on AT&T paper..hehehe) saying that AT&T is onto them or something like +that. (Be sure to use correct English and spelling) (Also do not hand write +the letter! Use a typewriter! - Not Fontrix as AT&T doesn't use OLD ENGLISH or +ASCII BOLD when they type letters. Any IBM typewriter will do perfectly) + + Another possible use (of many, I guess) is (if you are old enough to look +the part) to use the business card as some sort of fake id. + + The last example of uses for the fake AT&T letters & b.cards is mentioned in +my textfile, BASIC RADIO CALLING. Briefly, send the station a letter that +reads: + WCAT - FM202: (Like my examples? Haha!) +(As you probably know, radio stations give away things by accepting the 'x' +call. (ie: The tenth caller through wins a pair of Van Halen tickets) Sometimes +they may ask a trivia question, but that's your problem. Anyway, the letter +continues:) + (You basically say that they have become so popular that they are getting too +many calls at once from listeners trying to win tickets. By asking them to +call all at the same time is overloading our systems. We do, of course, have +means of handling these sort of matters, but it would require you sending us a + + Page 76 + + + + + The Official Phreaker's Manual + +schedule of when you will be asking your listeners to call in. That way we +would be able to set our systems to handle the amount of callers you get at +peak times..(etc..etc..more BS..But you get the idea, right?) + +Joseph Hakimout +AT&T Telecommunications +East Bumblefuck, Nowheresville 55555 + + + Ok, so it probably won't work (DJs just aren't that dumb, unless you really +do live in Nowheresville), but using AT&T paper and a business card might up +your chances some. + + :-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:- + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 77 + + + + + The Official Phreaker's Manual + + =><---------------------------------><= + => A little something about <= + => Your phone company <= + =><---------------------------------><= + => By Col. Hogan <= + ======================================== + + Ever get an operator who gave you a hard time, and you didn't know +what to do? Well if the operator hears you use a little Bell jargon, she might +wise up. Here is a little diagram (excuse the artwork) of the structure of +operators + +/--------\ /------\ /-----\ +!Operator!-- > ! S.A. ! --->! BOS ! +\--------/ \------/ \-----/ + ! + ! + V +/-------------\ +! Group Chief ! +\-------------/ + + Now most of the operators are not bugged, so they can curse at you, if they +do ask INSTANTLY for the "S.A." or the Service Assistant. The operator does not +report to her (95% of them are hers) but they will solve most of your problems. +She MUST give you her name as she connects & all of these calls are bugged. If +the SA gives you a rough time get her BOS (Business Office Supervisor) on the +line. S/He will almost always back her girls up, but sometimes the SA will get +tarred and feathered. The operator reports to the Group Chief, and S/He will +solve 100% of your problems, but the chances of getting S/He on the line are +nill. + If a lineman (the guy who works out on the poles) or an installation man +gives you the works ask to speak to the Installation Foreman, that works +wonders. + Here is some other bell jargon, that might come in handy if you are having +trouble with the line. Or they can be used to lie your way out of +situations.... + + An Erling is a line busy for 1 hour, used mostly in traffic studies A +Permanent Signal is that terrible howling you get if you disconnect, but don't +hang up. + Everyone knows what a busy signal is, but some idiots think that is the +*Actual* ringing of the phone, when it just is a tone "beeps" when the phone is +ringing, wouldn't bet on this though, it can (and does) get out of sync. + When you get a busy signal that is 2 times as fast as the normal one, the +person you are trying to reach isn't really on the phone, (he might be), it is +actually the signal that a trunk line somewhere is busy and they haven't or +can't reroute your call. Sometimes you will get a Recording, or if you get +nothing at all (Left High & Dry in fone terms) all the recordings are being +used and the system is really overused, will probably go down in a little +while. This happened when Kennedy was shot, the system just couldn't handle the +calls. By the way this is called the "reorder signal" and the trunk line is +"blocked". + One more thing, if an overseas call isn't completed and doesn't generate +any money for AT&T, is is called an "Air & Water Call". + + + + + Page 78 + + + + + The Official Phreaker's Manual + + [ESSENCE OF TELEPHONE CONFERENCING] + [WRITTEN BY:] + [FOREST RANGER] + + TELEPHONE CONFERENCING IS AN EASY WAY OF GETTING MANY FRIENDS TOGETHER AT +ONCE. THIS CAN BE ACCOMPLISHED EASILY WITH LITTLE OR NO TROUBLE WHAT SO EVER. +THE TECHNIQUES THAT I WILL TEACH YOU DO NOT REQUIRE A BLUE BOX OR A TOUCH TONE +PHONE LINE. THE ONLY PREREQUISITE IS THAT YOU HAVE A PHONE THAT HAS A TONE +SWITCH ON IT OR HAVE A HOOKABLE TOUCH TONE KEYPAD. NOW, IF YOU ARE THE PARANOID +TYPE OF PERSON AND REFUSE TO USE YOUR OWN PHONE OUT OF YOUR HOUSE THEN HERE ARE +SOME SIMPLE WAYS OF GETTING CONFERENCES STARTED FROM ANOTHER PHONE. GO TO A +MALL OR A PLACE WHERE YOU KNOW THE PHONE IS BEING PAYED FOR BY THE BUSINESS IT +IS IN. + NOW THERE ARE TWO TO CALL THE CONFERENCE OPERATOR; DIAL "0" TO GET YOUR +LOCAL OPERATOR SO SHE CAN PUT YOU THROUGH TO THE CONFERENCE OPERATOR OR DIAL +THE CONFERENCE OPERATOR DIRECTLY IF YOU HAVE THE NUMBER HANDY. THE SYSTEM YOU +WILL BE LINKED UP TO IS CALLED THE "ALLIANCE" SYSTEM. THERE ARE THREE BRANCHES; +1000,2000,3000. + NOW ONCE YOU HAVE GOTTEN THE CONFERENCE OPERATOR YOU TELL HER YOU WOULD +LIKE TO START A CONFERENCE AND YOU WOULD LIKE TO MAINTAIN CONTROL OF IT. SHE +WILL THEN PROCEED TO ASK YOU FOR YOUR NAME AND NUMBER. YOU WILL THEN GIVE HER A +FAKE NAME AND THE NUMBER OF THE PAY PHONE. SHE WILL HANG UP AND CALL YOU BACK +ONCE SHE HAS CHECKED THE NUMBER. THEY USUALLY DON'T REALIZE IT IS A PAYPHONE SO +DON'T THINK IT WON'T WORK! NOW ONCE THE OPERATOR HAS GIVEN YOU CONTROL YOU WILL +THEN PROCEED TO HACK MY VOICE PHONE AND PUT ME ON THE CONFERENCE. + NOW, THE OTHER WAY OF STARTING A CONFERENCE IN WHICH YOU DON'T GET A LIVE +OPERATOR IS A "PBX". WITH THIS YOU WILL CALL A PBX NUMBER AND YOU WILL THEN +RECEIVE A RECORDING OF A BUSINESS OR OFFICE CO. THEN WHEN THE RECORDING IS OVER +YOU WILL HERE A BEEP...THEN AFTER ABOUT 10-30 SECONDS AFTER THE BEEP YOU WILL +GET A DIAL TONE ON THE ON THE END OF THE PBX. YOU WILL THEN TYPE THE PBX CODE +WHICH WILL THEN RESPOND WITH A RECORDING WELCOMING YOU TO THE CONFERENCING +NETWORK (WHICH WILL IN MOST IF NOT ALL BE THE "ALLIANCE" SYSTEM). + IT WILL BE SELF EXPLANATORY FROM THERE. NOW IF YOU DON'T WISH TO CALL THE +CONFERENCE OPERATOR EITHER WAY ALREADY EXPLAINED THEN THERE IS A WAS OF GETTING +YOUR FRIENDS IN CONFERENCE. THIS IS DONE OVER A LOOP EXTENSION. NO ONE WILL +HAVE CONTROL, BUT YOU WILL STILL BE ON CONFERENCE. THIS IS CALLED THE SEVEN +LINE LOOP EXTENSION. THIS MEANS YOU CAN HAVE UP TO SEVEN MEMBERS, BUT THAT IS +IT! THE NUMBER IS IN LA, CA. 213-206-2820. THE LAST WAY I WILL EXPLAIN TO YOU +IF YOU ARE IN DESPERATE NEED OF A CONFERENCE IS TO GO TO PAY PHONE LIKE I +MENTIONED BEFORE ANY MAKE SURE SOME BUSINESS PAYS THE BILL FOR IT THEN CALL THE +CONFERENCE OPERATOR IN THE FASHIONS MENTIONED AND ASK THE CONFERENCE OPERATOR +TO PLACE CONFERENCE CALLS. + THE WILL THEN ASK FOR THE NUMBERS OF THE PEOPLE TO PUT ON CONFERENCE, YOU +GIVE HER THE NUMBERS AND SHE WILL PUT YOU ALL ON CONFERENCE. WHEN YOU ARE DONE +YOU WILL HANG UP ON HER SO THERE WILL BE NO ONE IN CONTROL.THAT MEANS THE +CONFERENCE WILL BE BILLED TO THE PAYPHONE AND NO ONE CAN BE BLAMED FOR THE +CONFERENCE DUE TO NO ONE BEING IN CONTROL! ***NOTE*** THE CONFERENCE OPERATOR +WILL NOT BE ON WHILE YOU ARE ALL TALKING! REMEMBER THAT CONFERENCES ARE NOT +HARD AND IT IS VERY HARD TO GET ARRESTED ON ONE DUE TO WHAT I HAVE MENTIONED. + + REMEMBER:REACH OUT AND PHREAK SOMEONE! + + + +[TELEPHONE CONFERENCE CONTROLS] + + # - CONTROL MODE + # - 6 PASSES CONTROL + + Page 79 + + + + + The Official Phreaker's Manual + + # - 1 + AREA CODE & NUMBER ADDS + # - 9 SILENT MODE + # - 7 GETS CONFERENCE OPERATOR + * - ENDS CONFERENCE + + + THE "#" IS THE CONTROL KEY ON YOUR CONFERENCES. WHEN YOU PASS CONTROL TO +SOMEONE ELSE HIT THE "#" THEN "6". WAIT FOR THE RECORDING TO SAY ENTER # OF +PERSON TO PASS CONTROL TO, THEN ENTER THE NUMBER OF THE PERSON YOU ARE GOING TO +GIVE CONTROL TO. + TO ADD A PERSON ON TO THE CONFERENCE HIT "#" THEN "1","AREA CODE","NUMBER". +THEN WHEN THE PERSON ANSWERS WAIT FIVE SECONDS THEN HIT THE "#" TO ADD. IF YOU +ARE IN CONTROL OF THE CONFERENCE AND YOU WANT TO HEAR EVERYONE ELSE, BUT YOU DO +NOT WANT TO BE HEARD IT "#" THEN "9" THEN THE "#" TO REJOIN THE CONFERENCE. +REMEMBER AFTER ADDING SOMEONE ON OR PASSING CONTROL TO SOMEONE YOU MUST ALWAYS +HIT THE "#" TO REJOIN THE OTHERS ON CONFERENCE: PASSING CONTROL: "#","6", WAIT +FOR RECORDING TO SAY ENTER NUMBER OF PARTY TO GIVE CONTROL TO THEN ENTER NUMBER +AND HIT "#" TO REJOIN YOUR CONFERENCE.IF YOU EVER WANT TO GET A CONFERENCE +OPERATOR FOR SOME STRANGE REASON THEN HIT "#","7" AND WAIT FOR A CONFERENCE +OPERATOR TO CLICK ON. TO END A CONFERENCE HIT "*". + + WITH HELP FROM: SILICON FALCON, SILVER CONDOR, AND THE ELIMINATOR. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 80 + + + + + The Official Phreaker's Manual + + Phone Tapping + + HERE IS SOME INFO ON PHONE TAPS. I HAVE ENCLOSED A SCHEMATIC FOR A SIMPLE +WIRETAP & INSTRUCTIONS FOR HOOKING UP A TAPE RECORDER CONTROL RELAY TO THE +PHONE LINE. + FIRST I'LL DISCUSS TAPS A LITTLE. THERE ARE MANY DIFFERENT TYPES OF TAPS. +THERE ARE TRANSMITTERS, WIRED TAPS AND INDUCTION TAPS TO NAME A FEW. WIRED AND +WIRELESS TRANSMITTERS MUST BE PHYSICALLY CONNECTED TO THE LINE BEFORE THEY'LL +DO ANY GOOD. ONCE A WIRELESS TAP IS CONNECTED TO THE LINE, IT CAN TRANSMIT ALL +CONVERSATIONS OVER A LIMITED RANGE. THE PHONES IN THE HOUSE CAN EVEN BE +MODIFIED TO PICK UP CONVERSATIONS IN THE ROOM & TRANSMIT THEM TOO! THESE TAPS +ARE USUALLY POWERED OFF THE PHONE LINE, BUT CAN HAVE AN EXTERNAL POWER SOURCE. + WIRED TAPS, ON THE OTHER HAND, NEED NO POWER SOURCE, BUT A WIRE MUST BE +RUN FROM THE LINE TO THE LISTENER OR TO A TRANSMITTER. THERE ARE OBVIOUS +ADVANTAGES OF WIRELESS TAPS OVER WIRED ONES. THERE IS ONE TYPE OF WIRELESS TAP +THAT LOOKS LIKE A NORMAL TELEPHONE MIKE. ALL YOU HAVE TO DO IS REPLACE THE +ORIGINAL MIKE WITH THIS & IT'LL TRANSMIT ALL CONVERSATIONS! + THERE IS AN EXOTIC TYPE OF WIRED TAP KNOWN AS THE 'INFINITY TRANSMITTER' OR +'HARMONICA BUG'. IN ORDER TO HOOK UP ONE OF THESE, YOU NEED ACCESS TO THE +TARGET TELEPHONE. IT HAS A TONE DECODER & SWITCH INSIDE. WHEN IT IS +INSTALLED, SOMEONE CALLS THE TAPPED PHONE & *BEFORE* IT RINGS, BLOWS A WHISTLE +OVER THE LINE. THE X-MITTER RECEIVES THE TONE & PICKS UP THE PHONE VIA A +RELAY. THE MIKE ON THE PHONE IS ACTIVATED SO THE CALLER CAN HEAR ALL +CONVERSATIONS IN THE ROOM. + THERE IS A SWEEP TONE TEST AT 415/BUG-1111 WHICH CAN BE USED TO DETECT ON +OF THESE TAPS. IF ONE OF THESE IS ON YOUR LINE & THE TEST # SENDS THE CORRECT +TONE, YOU'LL HEAR A CLICK. + INDUCTION TAPS HAVE ONE BIG ADVANTAGE OVER TAPS THAT MUST BE PHYSICALLY +WIRED TO THE PHONE. THEY DON'T HAVE TO BE TOUCHING THE PHONE IN ORDER TO PICK +UP THE CONVERSATION. THEY WORK ON THE SAME PRINCIPLE AS THE LITTLE SUCTION-CUP +TAPE RECORDER MIKES YOU CAN GET AT RADIO SHACK. INDUCTION MIKES CAN BE HOOKED +UP TO A TRANSMITTER OR BE WIRED. HERE IS AN EXAMPLE OF INDUSTRIAL ESPIONAGE +USING THE PHONE: + A SALESMAN WALKS INTO AN OFFICE & MAKES A FONE CALL. HE FAKES THE +CONVERSATION, BUT WHEN HE HANGS UP HE SLIPS SOME FOAM-RUBBER CUBES UNDER THE +HANDSET, SO THE FONE IS STILL OFF THE HOOK. THE CALLED PARTY CAN STILL HEAR +ALL CONVERSATIONS IN THE ROOM. WHEN SOMEONE PICKS UP THE FONE, THE CUBES FALL +AWAY UNNOTICED. + I USE A TAP ON MY LINE TO MONITOR WHAT AE-PRO IS DOING WHEN IT AUTO-DIALS, +SINCE IT DOESN'T TAKE ADVANTAGE OF THE HANDSET ON THE APPLE CAT II. I CAN ALSO +HOOK UP THE TAP TO A CASSETTE RECORDER OR AMPLIFIER. HERE IS THE SCHEMATIC: + +-------)!----)!(-------------> + )!( + CAP ^ )!( + )!( + )!( + )!( + ^^^^^---)!(-------------> + ^ 100K + ! + ! THE HITCHHINKERS <%=- + BRING YOUR TOWEL + + + + + + + + + + + + + + + + + + + + + Page 88 + + + + + The Official Phreaker's Manual + + 2600 Magazine's story on the Private Sector Bust + Uploaded by Elric of Imrryr + Lunatic Labs Unlimited + :::::::::::::::::::::::::::::::::::::::::::::::: + +Typed By Shooting Shark : The following article appeared in the August, 1985 +issue of 2600 Magazine. Subscriptions to 2600 are $12 a year for individuals. +Make checks payable to 2600 Enterprises, Inc. Write to: 2600, Box 752, Middle +Island, NY 11953-0752. Their phone number is 516-751-2600. Text of article +follows. + +SEIZED! +2600 Bulletin Board is Implicated in Raid on Jersey Hackers + + On July 12, 1985, law enforcement officials seized the Private Sector BBS, +the official computer bulletin board of 2600 magazine, for "complicity in +computer theft," under the newly passed, and yet untested, New Jersey Statute +2C:20-25. Police had uncovered in April a credit carding ring operated around +a Middlesex County electronic bulletin board, and from there investigated +other North Jersey bulletin boards. Not understanding subject matter of the +Private Sector BBS, police assumed that the sysop was involved in illegal +activities. Six other computers were also seized in this investigation, +including those of Store Manager [perhaps they mean Swap Shop Manager? - +Shark] who ran a BBS of his own, Beowolf, Red Barchetta, the Vampire, NJ Hack +Shack, sysop of the NJ Hack Shack BBS, and that of the sysop of the Treasure +Chest BBS. + + Immediately after this action, members of 2600 contacted the media, who +were completely unaware of any of the raids. They began to bombard the +Middlesex County Prosecutor's Office with questions and a press conference was +announced for July 16. The system operator of the Private Sector BBS attempted +to attend along with reporters from 2600. They were effectively thrown off +the premises. Threats were made to charge them with trespassing and other +crimes. An officer who had at first received them civilly was threatened with +the loss of his job if he didn't get them removed promptly. Then the car was +chased out of the parking lot. Perhaps prosecutor Alan Rockoff was afraid that +he presence of some technically literate reporters would ruin the effect of his +press release on the public. As it happens, he didn't need our help. + + The next day the details of the press conference were reported to the +public by the press. As Rockoff intended, paranoia about hackers ran rampant. +Headlines got as ridiculous as hackers ordering tank parts by telephone from +TRW and moving satellites with their home computers in order to make free phone +calls. These and even more exotic stories were reported by otherwise +respectable media sources. The news conference understandably made the front +page of most of the major newspapers in the US, and was a major news item as +far away as Australia and in the United Kingdom due to the sensationalism of +the claims. We will try to explain why these claims may have been made in this +issue. + + On July 18 the operator of The Private Sector was formally charged +with"computer conspiracy" under the above law, and released in the custody of +his parents. The next day the American Civil Liberties Union took over his +defense. The ACLU commented that it would be very hard for Rockoff to prove a +conspiracy just "because the same information, construed by the prosecutor to +be illegal, appears on two bulletin boards." especially as Rockoff admitted +that "he did not believe any of the defendants knew each other." The ACLU +believes that the system operator's rights were violated, as he was assumed to + + Page 89 + + + + + The Official Phreaker's Manual + +be involved in an illegal activity just because of other people under +investigation who happened to have posted messages on his board. + + In another statement which seems to confirm Rockoff's belief in guilt by +association, he announced the next day that "630 people were being investigated +to determine if any used their computer equipment fraudulently." We believe +this is only the user list of the NJ Hack Shack, so the actual list of those to +be investigated may turn out to be almost 5 times that. The sheer overwhelming +difficulty of this task may kill this investigation, especially as they find +that many hackers simply leave false information. Computer hobbyists all +across the country have already been called by the Bound Brook, New Jersey +office of the FBI. They reported that the FBI agents used scare tactics in +order to force confessions or to provoke them into turning in others. We would +like to remind those who get called that there is nothing inherently wrong or +illegal in calling any ANY BBS, nor in talking about ANY activity. The FBI +would not comment on the case as it is an "ongoing investigation" and in the +hands of the local prosecutor. They will soon find that many on the Private +Sector BBS's user list are data processing managers, telecommunications +security people, and others who are interested in the subject of the BBS, +hardly the underground community of computer criminals depicted at the news +conference. The Private Sector BBS was a completely open BBS, and police and +security people were even invited on in order to participate. The BBS was far +from the "elite" type of underground telecom boards that Rockoff attempted to +portray. + + Within two days, Rockoff took back almost all of the statements he had +made at the news conference, as AT&T and the DoD [Department of Defense - +Shark] discounted the claims he had made. He was understandably unable to find +real proof of Private Sector's alleged illegal activity, and was faced with +having to return the computer equipment with nothing to show for his effort. +Rockoff panicked, and on July 31, the system operator had a new charge against +him, "wiring up his computer as a blue box." Apparently this was referring to +his Novation Applecat modem which is capable of generating any hertz tone over +the phone line. By this stretch of imagination an Applecat could produce a +2600 hertz tone as well as the MF which is necessary for "blue boxing." +However, each and every other owner of an Applecat or any other modem that can +generate its own tones therefore has also "wired up his computer as a blue box" +by merely installing the modem. This charge is so ridiculous that Rockoff +probably will never bother to press it. However, the wording of WIRING UP THE +COMPUTER gives rockoff an excuse to continue to hold onto the computer longer +in his futile search for illegal activity. + + "We have requested that the prosecutors give us more specific +information," said Arthur Miller, the lawyer for The Private Sector. "The +charges are so vague that we can't really present a case at this point." +Miller will appear in court on August 16 to obtain this information. He is +also issuing a demand for the return of the equipment and, if the prosecutors +don't cooperate, will commence court proceedings against them. "They haven't +been paººicularly cooperative," he said. + + Rockoff probably will soon reconsider taking Private Sector's case to +court, as he will have to admit he just didn't know what he was doing when he +seized the BBS. The arrest warrant listed only "computer conspiracy" against +Private Sector, which is much more difficult to prosecute than the multitude of +charges against some of the other defendants, which include credit card fraud, +toll fraud, the unauthorized entry into computers, and numerous others. + + Both Rockoff and the ACLU mentioned the Supreme Court in their press + + Page 90 + + + + + The Official Phreaker's Manual + +releases, but he will assuredly take one of his stronger cases to test the new +New Jersey computer crime law. by seizing the BBS just because of supposed +activities discussed on it, Rockoff raises constitutional questions. Darrell +Paster, a lawyer who centers much of his work on computer crime, says the New +Jersey case is "just another example of local law enforcement getting on the +bandwagon of crime that has come into vogue to prosecute, and they have +proceeded with very little technical understanding, and in the process they +have abused many people's constitutional rights. What we have developing is a +mini witch hunt which is analogous to some of the arrests at day care centers, +where they sweep in and arrest everybody, ruin reputations, and then find that +there is only one or two guilty parties." We feel that law enforcement, not +understanding the information on the BBS, decided to strike first and ask +questions later. + + 2600 magazine and the sysops of the Private Sector BBS stand fully behind +the system operator. As soon as the equipment is returned, the BBS will go +back up. We ask all our readers to do their utmost to support us in our +efforts, and to educate as many of the public as possible that a hacker is not +a computer criminal. We are all convinced of our sysop's innocence, and await +Rockoff's dropping of the charges. + +NOTE: Readers will notice that our reporting of the events are quite different +than those presented in the media and by the Middlesex County Prosecutor. We +can only remind you that we are much closer to the events at hand than the +media is, and that we are much more technologically literate than the Middlesex +County Prosecutor's Office. The Middlesex County Prosecutor has already taken +back many of his statements, after the contentions were disproven by AT&T and +the DoD. One problem is that the media and the police tend to treat the seven +cases as one case, thus the charges against and activities of some of the +hackers has been extended to all of the charged. We at 2600 can only speak +about the case of Private Sector. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 91 + + + + + The Official Phreaker's Manual + + Chapter 4 + + By now I assume that the reader has a fair idea of what phreaking is, and +know a little bit about how to go about it. From now on, I will assume that +the reader has read all the material before this or understands all the +material covered. Now we will take a journey into the "Basics of +Telecommunications" and learn a little about how everything works, and is +related to everything else. This series of articles is extremely good and +should be read by all levels of phreaks. + As we go further into the advanced world of phreaking, we come closer to the +edge of technology. As we approach it, everything seems to become larger and +more complicated. We notice that many things that were possible aren't +anymore. Blue boxing is starting to become the only method of exploration as +Equal Access looms nearer and nearer. As it stands now, equal access is here, +and many LD services such as Sprint and MCI will be tougher to hack. Extenders +will become more used and abused, which will cause them to get access codes +miles long... + Blue boxing becomes harder as all Bell switching and transmission facilities +go under to CCIS. Then to further complicate things, digital microwave, fiber +optic, and satellite transmission are all coming to be digital and do not +recognize 2600hz for the hang up signal. I predict that around 1990, blue +boxes will be obsolete from all major cities. A new type of box will have to +be invented, or you'll have to get two fone line to phreak with, on to place +the actual call and the other to tap into a COSMOS computer to change the +status of the call from toll to toll-free, ie. 800#. + Well somethings will change for the better, with ISDN you'll get 144k bps +lines and some other neat stuff. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 92 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * BASIC TELECOMMUNICATIONS * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART II * + * * + ************************************************************ + + PREFACE: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN PART II, WE WILL EXPLORE THE VARIOUS SPECIAL BELL#'S, SUCH AS: CN/A, +AT&T NEWSLINES, LOOPS, 99XX #'S, ANI, RINGBACK, AND A FEW OTHERS. + + CN/A: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + CN/A, WHICH STANDS FOR CUSTOMER NAME AND ADDRESS, ARE BUREAUS THAT EXIST SO +THAT AUTHORIZED BELL EMPLOYEES CAN FIND OUT THE NAME AND ADDRESS OF ANY +CUSTOMER IN THE BELL SYSTEM. ALL #'S ARE MAINTAINED ON FILE INCLUDING UNLISTED +#'S. + +HERE'S HOW IT WORKS: + +1) YOU HAVE A # AND YOU WANT TO FIND OUT WHO OWNS IT, E.G. (914) 555-1234. + +2) YOU LOOK UP THE CN/A # FOR THAT NPA IN THE LIST BELOW. IN THE EXAMPLE, THE +NPA IS 914 AND THE CN/A# IS 518-471-8111. + +3) YOU THEN CALL UP THE CN/A # (DURING BUSINESS HOURS) AND SAY SOMETHING LIKE, +"HI, THIS IS JOHN JONES FROM THE RESIDENTIAL SERVICE CENTER IN MIAMI. CAN I +HAVE THE CUSTOMER'S NAME AT 914-555-1234. THAT # IS 914-555-1234." MAKE UP +YOUR OWN REAL SOUNDING NAME, THOUGH. + +4) IF YOU SOUND NATURAL & CHEERY, THE OPERATOR WILL ASK NO QUESTIONS. + + HERE'S THE LIST: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + NPA CN/A # NPA CN/A # + --- ------------ --- ------------ + 201 201-676-7070 517 313-232-8690 + 202 202-384-9620 518 518-471-8111 + 203 203-789-6800 519 416-487-3641 + 204 ****N/A***** 601 601-961-0877 + 205 205-988-7000 602 303-232-2300 + 206 206-382-8000 603 617-787-2750 + 207 617-787-2750 604 604-432-2996 + 208 303-232-2300 605 402-345-0600 + 209 415-546-1341 606 502-583-2861 + 212 518-471-8111 607 518-471-8111 + 213 213-501-4144 608 414-424-5690 + 214 214-948-5731 609 201-676-7070 + 215 412-633-5600 612 402-345-0600 + 216 614-464-2345 613 416-487-3641 + 217 217-525-7000 614 614-464-2345 + 218 402-345-0600 615 615-373-5791 + + Page 93 + + + + + The Official Phreaker's Manual + + 219 317-265-7027 616 313-223-8690 + 301 301-534-11?? 617 617-787-2750 + 302 412-633-5600 618 217-525-7000 + 303 303-232-2300 701 402-345-0600 + 304 304-344-8041 702 415-546-1341 + 305 912-784-9111 703 804-747-1411 + 306 ****N/A***** 704 912-784-9111 + 307 303-232-2300 705 416-487-3641 + 308 402-345-0600 707 415-546-1341 + 309 217-525-7000 709 ****N/A***** + 312 312-769-9600 712 402-345-0600 + 313 313-223-8690 713 713-658-1793 + 314 314-436-3321 714 213-995-0221 + 315 518-471-8111 715 414-424-5690 + 316 816-275-2782 716 518-471-8111 + 317 317-265-7027 717 412-633-5600 + 318 318-227-1551 801 303-232-2300 + 319 402-345-0600 802 617-787-2750 + 401 617-787-2750 803 912-784-9111 + 402 402-345-0600 804 804-747-1411 + 403 403-425-2652 805 415-546-1341 + 404 912-784-9111 806 512-828-2502 + 405 405-236-6121 807 416-487-3641 + 406 303-232-2300 808 212-226-5487 + 408 415-546-1341 BERMUDA ONLY + 412 412-633-5600 809 212-334-4336 + 413 617-787-2750 812 317-265-7027 + 414 414-424-5690 813 813-228-7871 + 415 415-546-1132 814 412-633-5600 + 416 416-487-3641 815 217-525-7000 + 417 314-436-3321 816 816-275-2782 + 418 514-861-6391 817 214-948-5731 + 419 614-464-2345 819 514-861-6391 + 501 405-236-6121 901 615-373-5791 + 502 502-583-2861 902 902-421-4110 + 503 503-241-3440 903 ****N/A***** + 504 504-245-5330 904 912-784-9111 + 505 303-232-2300 906 313-223-8690 + 506 506-657-3855 907 ****N/A***** + 507 402-345-0600 912 912-784-9111 + 509 206-382-8000 913 816-275-2782 + 512 512-828-2501 914 518-471-8111 + 513 614-464-2345 915 512-828-2501 + 514 514-861-6391 916 415-546-1341 + 515 402-345-0600 918 405-236-6121 + 516 518-471-8111 919 912-784-9111 + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + BELL USES THESE #'S MAINLY TO FIND OUT WHO OWNS A # THAT A CUSTOMER CLAIMS +HE NEVER CALLED. + +NOTE: THIS IS THE MOST COMPLETE LIST OF CN/A #'S IN MY POSSESSION (WITH ONLY +5 #'S NOT AVAILABLE) THIS LIST WAS COPYRIGHTED IN 1982 BY "JUDAS GERARD" AS IT +ORIGINALLY APPEARED IN TAP ISSUE #78. + AT&T NEWSLINES: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + NEWSLINES ARE RECORDINGS THAT BELL EMPLOYEES CALL UP TO FIND OUT THE LATEST + + Page 94 + + + + + The Official Phreaker's Manual + +INFO ON STOCK, TECHNOLOGY, ETC. CONCERNING THE BELL SYSTEM. + + HERE ARE THE #'S THAT ARE CURRENTLY KNOWN TO PHREAKS (AT LEAST ME, ANYWAY): + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + 201-483-3800 NJ 513-421-9060 OH + 203-771-4920 CT 516-234-9914 NY + 212-393-2151 NY 518-471-2272 NY + 213-621-4141 CA 617-955-1111 MA + 213-829-0111 CA (GTE) 702-789-6711 NV + 213-449-8830 CA 713-224-6116 TX + 312-368-8000 IL 714-238-1111 CA + 313-223-7223 MI 717-255-5555 PA + 314-247-5511 MO 717-787-1031 PA + 408-493-5000 CA 802-955-1111 VE + 412-633-3333 PA 808-533-4426 HI + 414-678-3511 WI 813-223-5666 FL + 416-929-4323 ONT. 914-948-8100 NY + 503-228-6271 OR 916-480-8000 CA + + LOOPS + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + FIRST OF ALL, YOU MUST UNDERSTAND THE CONCEPT OF LOOPS. I THINK THAT THE +BEST WAY THAT THIS IS UNDERSTOOD IS THE WAY THAT PHRED PHREEK EXPLAINED IT... + + "NO SELF-RESPECTING PHONE PHREAK CAN GO THROUGH LIFE WITHOUT KNOWING WHAT A +LOOP IS, HOW TO USE ONE, AND THE TYPES THAT ARE AVAILABLE. THE LOOP IS A GREAT +ALTERNATIVE COMMUNICATION MEDIUM THAT HAS MANY POTENTIAL USES THAT HAVEN'T EVEN +BEEN TAPPED YET. IN ORDER TO EXPLAIN WHAT A LOOP IS, IT WOULD BE HELPFUL TO +VISUALIZE TWO PHONE NUMBERS (LINES) JUST FLOATING AROUND IN THE TELCO CENTRAL +OFFICE (CO). NOW, IF YOU (AND A FRIEND PERHAPS) WERE TO CALL THESE TWO NUMBERS +AT THE SAME TIME, POOOOPFFF!!!, YOU ARE NOW CONNECTED TOGETHER. I HEAR WHAT +YOU'RE SAYING OUT THERE..., "BIG DEAL" OR "WHY SHOULD MA BELL COLLECT HERE TWO +MSU'S (MESSAGE UNITS) FOR ONE LOUSY PHONE CALL!?" WELL... THINK AGAIN. HAVEN'T +YOU EVER WANTED SOMEONE TO CALL YOU BACK BUT, WERE RELUCTANT TO GIVE OUT YOUR +HOME PHONE NUMBER (LIKE THE LAST TIME YOU TRIED TO GET YOUR FRIEND'S UNLISTED # +FROM THE BUSINESS OFFICE)? OR HOW ABOUT A COLLECT CALL TO YOUR FRIEND WAITING +ON A LOOP, WHO WILL GLADLY ACCEPT THE CHARGES? OR BETTER YET, STUMBLING UPON A +LOOP THAT YOU DISCOVER THAT HAS MULTI-USER CAPABILITY (FOR THOSE LATE-NIGHT +CONFERENCES). BEST OF ALL IS FINDING A NON-SUPERVISED LOOP THAT DOESN'T CHARGE +ANY MSU'S OR TOLLS TO ONE OR BOTH PARTIES. EXAMPLE: MANY MOONS AGO, A LOOP +AFFECTIONATELY KNOWN AS 'THE 332 LOOP' WAS NON-SUP (IE, NON-SUPERVISED) ON THE +TONE SIDE. I HAD MY FRIEND IN CALIFORNIA DIAL THE FREE (NON-SUP) SIDE, (212) +332-9906 AND I DIALED THE SIDE THAT CHARGED, 332-9900. AS YOU CAN SEE, I WAS +CHARGED ONE MSU, AND MY FRIEND AS CHARGED ZILCH, FOR AS LONG AS WE WISHED TO +TALK!!!" + + ********** + + AHHH...HAVE I PERKED YOUR INTEREST YET? IF SO, HERE IS HOW TO FIND A LOOP +OF YOU VERY OWN. FIRST, DO ALL OF YOU LOOP SEARCHING AT NIGHT! THIS IS BECAUSE +THE LOOPS SERVE A GENUINE TEST FUNCTION WHICH TELCO USES DURING THE DAY. (WE +DON'T WANT TO RUN INTO AN IRATE LINEMAN NOW, DO WE?) TO FIND A LOOP, HAVING 2 +#'S IS A DEFINITE PLUS. IF NOT, HAVE A FRIEND TO DIAL #'S AT HIS LOCATION. +LAST RESORT, TRY DIALING FROM TWO ADJACENT PAY PHONES. NOW GET YOUR TRUSTY +WHITE PAGES (*), AND TURN TO THE PAGE WHERE IT LISTS THE # OF MSU'S FROM YOUR +EXCHANGE (OR EXCHANGES IN YOUR PRIMARY CALLING AREA) THE IDEA IS TO FIND A LOOP + + Page 95 + + + + + The Official Phreaker's Manual + +THAT IS WITHIN YOUR PRIMARY CALLING AREA OR IS ONLY 1 MSU IN YOUR AREA (CALL +AREA A). THIS IS SO YOU DON'T GO BANKRUPT TRYING TO FIND A LOOP. WRITE DOWN ALL +OF THESE EXCHANGES AND DO A 99XX SCAN OF THOSE EXCHANGES (99XX SCANNING WILL BE +DISCUSSED SHORTLY). + + BEFORE WE GET UP TO 99XX SCANNING, WE WILL LOOK AT SOME OTHER LOOP INFO: + + LOOPS ARE FOUND PAIRS WHICH ARE USUALLY CLOSE TO EACH OTHER. FOR EXAMPLE, +IN NPA 212, WHERE THE INFAMOUS LOOPS ARE FOUND, THERE IS A STANDARD LOOP +FORMAT: + +MANHATTAN & BRONX-------NNX-9977/9979 +BROOKLYN & QUEENS-------NNX-9900/9906 + + NNX IS THE EXCHANGE TO BE SCANNED. HERE ARE SOME LOOPS THAT HAVE BEEN FOUND +IN NYC. THESE ARE USED MOSTLY BY PHREAKS AND CALL-IN LINES FOR PIRATE RADIO +STATIONS: + +212-220-9900/9906 +212-283-9977/9979 +212-352-9900/9906 +212-365-9977/9979 +212-529-9900/9906 +212-562-9977/9979 +212-982-9977/9979 +212-986-9977/9979 + + THE LOWER # IS THE TONE SIDE (SINGING SWITCH). THE HIGHER # IS ALWAYS +SILENT. THE TONE DISAPPEARS ON THE LOWER # WHEN SOMEBODY DIALS IN THE OTHER +SIDE OF THE LOOP. IF YOU ARE ON THE HIGHER #, YOU'LL HAVE TO LISTEN TO THE +CLICKS TO SEE IF SOMEBODY DIALED-IN. THE NYC 982 & 986 LOOPS ARE DIFFERENT +FROM OTHERS. USUALLY WHEN YOU PARK ON A LOOP, YOU WILL HEAR WHO EVER CALLS IN +ON THE OTHER HALF. WHEN THEY'RE DONE, THE NEXT CALLER (IF ANY) WILL BE QUEUED +IN, ONE AFTER ANOTHER. ON THE NYC 982 & 986, YOU SOMETIMES CAN'T GET ANY MORE +CALLERS IN AFTER THE FIRST. FURTHERMORE, IF YOU PARK ONE OF THESE LOOPS AND +THERE IS NOBODY ON THE OTHER END FOR MORE THAN 4 MINUTES, YOU MAY BE +AUTOMATICALLY DISCONNECTED. THESE LOOPS ARE GOOD FOR BACK-UP PURPOSES WHEN ALL +OTHER LOOPS ARE BUSY. + + 99XX SCANNING: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + MOST EVERY EXCHANGE IN THE BELL SYSTEM HAS A WIDE VARIETY OF TEST #'S AND +OTHER "GOODIES," SUCH AS LOOPS. THESE "GOODIES" ARE USUALLY FOUND BETWEEN 9900 +AND 9999 IN YOUR LOCAL EXCHANGE. IF YOU HAVE THE TIME AND INITIATIVE, SCAN +YOUR EXCHANGE AND YOU MAY BECOME LUCKY! + +HERE ARE MY FINDINGS IN THE 914-268: + +9901 - VERIFICATION (RECORDING OF A/C AND EXCHANGE) +9936 - VOICE # TO THE TELCO CO +9937 - VOICE # TO THE TELCO CO +9941 - CARRIER +9960 - OSC. TONE (TONE SIDE LOOP) +9963 - TONE (STOPS: MUTED) +9966 - CARRIER +9968 - TONE THAT DISAPPEARS--RESPONDS TO CERTAIN TOUCH-TONE KEYS + + + Page 96 + + + + + The Official Phreaker's Manual + + MOST OF THE #'S BETWEEN 9900 & 9999 WILL RING, BE BUSY, GO TO A SPECIAL +INTERCEPT OPERATOR ("WHAT #, PLEASE?"), OR WILL GO TO A "THE # YOU HAVE +REACHED..." RECORDING. WHAT YOU FIND DEPENDS UPON THE SWITCHING EQUIPMENT IN +THE EXCHANGE AND THE TELCO OPERATING COMPANY. + + WHEN SEARCHING FOR LOOPS, YOU MAY FIND ONE OF THE FOLLOWING POSSIBILITIES +WHEN YOU FIND ONE: + +1. YOU CAN HEAR THROUGH THE LOOP (NOT MUTED), BUT THERE IS A 1/2 SECOND CLICK +EVERY 10 SECONDS THAT INTERRUPTS THE AUDIO. THIS TYPE IS GOOD FOR BACK-UP USE +BUT THE FUCKING CLICK IS SUPER ANNOYING. + +2. ONE SIDE OF THE LOOP IS BUSY; TRY IT AGAIN LATER. + +3. THE TONE DISAPPEARS, BUT YOU CANNOT HEAR THROUGH IT (THE LOOP IS MUTED, TRY +AGAIN IN A MONTH OR SO) + +4. YOU GET "THE # YOU HAVE REACHED RECORDING." NO LOOP HERE! + + MOST LOOPS ARE MUTED (#3), BUT THEIR STATUS DOES CHANGES FROM TIME-TO-TIME. +IT ALL DEPENDS IF THE TELCO MAINTENANCE PERSONNEL REMEMBER TO "THROW THE +SWITCH", IE, TURN OFF THE LOOP. + + SINCE I HAVE DONE THE ABOVE 914-268 99XX SCAN, CONGERS (268) HAS INSTALLED +NEW SWITCHING EQUIPMENT (DMS100). SOME OF THE NUMBERS ARE THE SAME, BUT I HAVE +NOTICED THAT ON THE DMS100, THE RECORDINGS ARE ALSO STORED IN THIS AREA. +268-9903, 9906, 9909, & 9912 ARE ALL DIFFERENT RECORDINGS. ALSO, THERE ARE 2 +FORTRESS FONE RECORDINGS AT 268-9911 (DEPOSIT 5 CENTS OR ELSE) AND 268-9913 +(DEPOSIT 10 CENTS). NONE OF THESE RECORDINGS SUPE AND ALOT OF OTHER 99XX#'S +DON'T SUPE EITHER. + + IN SOME AREAS (LIKE MD), 9906-7 IS RINGBACK. IN WASHINGTON, THERE IS A +SWEEP TONE TEST AT (202) 560-9944. IN NYC (212), YOU'LL FIND THE INFAMOUS LOOP +LINES (AS MENTIONED ABOVE). + IT WILL BE EASIER TO SCAN YOUR EXCHANGE IF YOU MAKE UP A CHART LIKE THE ONE +BELOW: + + + NPA-NNX-99XX SCAN + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + _________________________________________________________ + | 99X X>|0 |1 |2 |3 |4 |5 |6 |7 |8 |9 | + |_______|____|____|____|____|____|____|____|____|____|____| + | 990 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 991 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 992 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 993 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 994 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 995 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 996 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + + Page 97 + + + + + The Official Phreaker's Manual + + | 997 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 998 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 999 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THIS LEAVES YOU WITH 100 BOXES (1 FOR EACH # BETWEEN 9900 & 9999). YOU +SHOULD MAKE YOUR BOXES BIG ENOUGH SO YOU CAN WRITE SOME SORT OF SHORTHAND IN +THEM. FOR EXAMPLE: + +B - BUSY (TRY AGAIN AT ANOTHER TIME) +R - RINGS (TRY AGAIN AT ANOTHER TIME) +O - INTERCEPT OPERATOR ("WHAT # YOU CALLING?) +R1- RECORDING 1 (MAKE A MARGIN NOTE OF THE TYPES OF RECORDINGS YOU GET) +T - TONE ] TONE AT A LOWER # + IGNORE +I - IGNORE ] AT A HIGHER # = LOOP +V - VOICE # TO TELCO CO - THEY USUALLY ANSWER WITH THE CITY NAME OR AREA. +C - CARRIER + + THERE WILL BE OTHERS AND YOU SHOULD USE OTHER CHARACTERS THAT YOU CAN +UNDERSTAND. + + NOW, BACK TO LOOPS! AS YOU MAY HAVE NOTICED IN MY 914-268 SCAN, I FOUND A +MUTED LOOP AND A TONE SIDE. 914-268 FAILED TO COME UP WITH THE SILENT SIDE OF +A LOOP! THEREFORE, THERE IS NO LOOP IN THAT EXCHANGE. I THEN SCANNED ANOTHER +EXCHANGE IN MY PRIMARY CALLING AREA (914-634) AND I FOUND A LOOP!! "(914) +634-9923/9924" SO, IF AT FIRST YOU DON'T SUCCEED, MOVE ONTO ANOTHER EXCHANGE. +IF YOU USE THE BOX METHOD THAT I HAVE OUTLINED ABOVE, YOU WILL SEE A "T" & "I" +NEXT TO EACH OTHER FOR A LOOP. + SOME EXCHANGES ARE SPECIAL. FOR EXAMPLE, 914-623 IS A TESTING BUREAU. IN +THIS EXCHANGE, NOT ONLY DID I FIND A LOOP, BUT I ALSO FOUND SEVERAL INTERESTING +TONES, NOISES, AND OTHER TEST FUNCTIONS. ALSO, THE MORE IMPORTANT THE EXCHANGE +IS, THE MORE YOU WILL FIND. FOR EXAMPLE, IN 914-623, I FOUND WELL OVER 10 VOICE +#'S! + ALSO, LOOPS ARE USUALLY, BUT NOT EXCLUSIVELY, FOUND IN THE 99XX SERIES. FOR +EXAMPLE: "(713) 324-1799/1499" IS A LOOP. + +THE PERFECT LOOP? HERE IS WHAT I WOULD LOOK FOR: + +1. NON-SUP ON ONE OR BOTH SIDES. TO CHECK FOR A NON-SUP LOOP, GO TO A +TONE-FIRST FORTRESS FONE AND DIAL THE #. IF IT ASKS FOR A DIME, IT IS +SUPERVISED. IF THE CALL GOES THROUGH, THEN IT IS NON-SUPED! + +2. 800 LOOPS WOULD BE A PLUS. THEY ARE NOT NECESSARILY FOUND BETWEEN 9900 & +9999 THOUGH. I WOULD CHECK THE 1XXX SERIES FIRST. + +3. MULTI-USER LOOPS ARE ALSO A PLUS FOR THOSE LATE NIGHT CONFERENCES. + + FINALLY, REMEMBER IT IS ONLY A LOCAL CALL TO FIND OUT WHAT YOU CO HAS IN +STORE FOR YOU. IF YOU FIND ANYTHING INTERESTING, BE SURE TO DROP ME A LINE. + + +NOTE: YOUR LOCAL WHITE PAGES CAN BE A VALUABLE ASSET. YOU CAN ALSO ORDER OTHER +FONE BOOKS FROM YOUR BUSINESS OFFICE (USUALLY FREE FOR BOOKS WITHIN YOUR +OPERATING COMPANY'S DISTRICT). A LARGE FONE BOOK, SUCH AS MANHATTAN, CONTAINS + + Page 98 + + + + + The Official Phreaker's Manual + +MUCH MORE INFO IN THE FIRST FEW PAGES THAN OTHER BOOKS. + + ANI + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + AUTOMATIC NUMBER IDENTIFICATION (ANI), IS A NUMBER THAT YOU CALL UP THAT +WILL TELL YOU WHAT # YOU ARE CALLING FROM. + THIS HAS A FEW USES. FIRST, WERE YOU EVER SOMEWHERE AND THE FONE DIDN'T +HAVE A # PRINTED ON IT? OR PERHAPS YOU WERE FOOLING AROUND IN SOME CANS (THOSE +LARGE BOXES ON FONE POLES THAT CONTAIN TERMINALS FOR LINEMAN USE--TO BE +DISCUSSES IN A FUTURE CHAPTER.) AND YOU WANT TO KNOW WHAT WHAT THE LINE # IS. +IN NPA 914, THE ANI IS 990. IN NPA'S 212 & 516, ANI IS 958. THIS VARIES FROM +AREA TO AREA. + +HERE ARE SOME OTHER ANI'S THAT I HAVE SEEN: + +890-751-5191 +202-222-2222 +1-XXX-1111 (IN SOME 914 AREAS, ESP. UNDER STEP-BY-STEP SWITCHING, YOU HAVE +TO DIAL 1-990-1111) + + TO FIND ANI FOR OTHER AREAS, CHECK 3 DIGITS #'S FIRST, USUALLY IN THE 9XX +SERIES (EXCLUDING 911). IN AREAS UNDER STEP-BY-STEP (TO BE DISCUSSED IN THE +NEXT PART), TRY 1-9XX-1111. + ANI MAY ALSO BE IN 99XX. LAST RESORT, TRY TO GET FRIENDLY WITH YOUR +NEIGHBOR WHO WORKS FOR THE FONE COMPANY. + + RING BACK + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + RINGBACK, AS ITS NAME IMPLIES, CALLS BACK THE # YOU ARE AT WHEN YOU DIAL +THE RINGBACK #. RINGBACK, IN NPA 914, IS 660. YOU DIAL 660+THE LAST 4 DIGITS OF +THE FONE. YOU WILL THEN GET A TONE, HANG-UP QUICKLY AND PICK-UP IN ABOUT 2 +SECONDS. YOU WILL THEN GET A SECOND TONE, HANG-UP AGAIN AND THE FONE WILL +RING. + IN NYC, IT IS ALSO 660, BUT YOU MAY HAVE TO PRESS 6 OR 7 BEFORE YOU HANG UP +FOR THE FIRST TIME (IE, AT THE FIRST TONE). + + OTHER RINGBACK #'S THAT I HAVE SEEN ARE: + +26011 - THIS 5 DIGIT FORMAT IS USED PRIMARILY ON STEP-BY-STEP. +THE LAST 2 DIGITS (11) ARE DUMMY DIGITS. + +890-897-XXXX - XXXX ARE THE LAST 4 DIGITS OF THE FONE #. + +119911/11911/1199911 - GTE + +NNX-9906/9907 - NPA 301, NNX IS THE EXCHANGE + + + THE REASON YOU GET THE TONE WHEN YOU PICK-UP AFTER IT RINGS IS BECAUSE IN +SOME AREAS, PEOPLE WERE USING RINGBACK AS AN IN-HOUSE INTERCOM. THEY WOULD +DIAL RINGBACK, AND WHEN IT STOPPED RINGING, THEY WOULD PICK-UP & TALK WITH THE +PERSON WHO PICKED UP THE OTHER EXTENSION. BELL DIDN'T LIKE THIS SINCE THERE IS +USUALLY ONLY 1 PIECE OF EQUIPMENT IN EACH EXCHANGE THAT DOES THE RINGBACK. WHEN +PEOPLE USED THIS AS AN INTERCOM, LINEMEN & REPAIRMEN COULDN'T GET THROUGH! IN +SOME AREAS, ESPECIALLY THOSE UNDER STEP-BY-STEP, RINGBACK CAN STILL BE USED AS +AN INTERCOM. ALSO, UNDER STEP-BY-STEP, THE RINGBACK PROCEDURE IT USUALLY + + Page 99 + + + + + The Official Phreaker's Manual + +SIMPLE. FOR EXAMPLE, IN ONE AREA YOU WOULD DIAL 26011 AND HANG-UP; IT WOULD +THEN RINGBACK. + + TOUCH-TONE TEST: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN AREAS THAT HAVE A TOUCH-TONE TEST, YOU DIAL THE RINGBACK #. AT THE +FIRST TONE, YOU TOUCH-TONE DIGITS 1-0. IF THEY ARE CORRECT IT WILL BEEP +TWICE. +I HAVE ALSO SEEN A TT TEST IN SOME AREAS AT: 890-751-5191 + + COMING SOON: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN THE NEXT PART, WE WILL LOOK AT VARIOUS SWITCHING EQUIPMENT AND THE +NETWORK. + + + BREAK UP OF BELL: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THE OPERATING COMPANIES ARE NOT GOING TO CHANGE ALL THE SWITCHING EQUIPMENT +AROUND. WHILE THERE WILL BE SOME CHANGES, MOST OF THE INFORMATION PROVIDED +HERE WILL REMAIN PERTINENT AFTER JANUARY 1, 1984. JUST SUBSTITUTE THE WORD +"FONE NETWORK" FOR BELL SYSTEM. + + +AU REVOIR, + +*****BIOC +*=$=*AGENT +*****003 + +DECEMBER 8, 1983 + +ACKNOWLEDGEMENTS: TAP, PHRED PHREEK, JUDAS GERARD, THE MAGICIAN, DARK PRIEST, +& MYSELF. I WOULD ALSO LIKE TO THANK THE MULCHER ][ FOR HIS ASSISTANCE IN +DISTRIBUTING THIS TUTORIAL. + + + + + + + + + + + + + + + + + + + + + + Page 100 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART III * + * * + ************************************************************ + +PREFACE: + + IN PART III, WE WILL DISCUSS THE DIALING PROCEDURES FOR DOMESTIC AS WELL AS +INTERNATIONAL DIALING. WE WILL ALSO TAKE A LOOK AT THE TELEPHONE NUMBERING +PLAN. + +NORTH AMERICAN NUMBERING PLAN +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +IN NORTH AMERICA, THE TELEPHONE NUMBERING PLAN IS AS FOLLOWS: + +A) A 3 DIGIT NUMBERING PLAN AREA (NPA) CODE, [IE, AREA CODE] + +B) A 7 DIGIT TELEPHONE # CONSISTING OF A 3 DIGIT CENTRAL OFFICE (CO) CODE PLUS +A 4 DIGIT STATION #. + + THESE 10 DIGITS ARE CALLED THE NETWORK ADDRESS OR DESTINATION CODE. IT IS +IN THE FORMAT OF: + +AREA CODE TELEPHONE # +--------- ----------- + N*X NXX-XXXX + +WHERE: N = A DIGIT FROM 2-9 + * = THE DIGIT 0 OR 1 + X = A DIGIT 0-9 + +AREA CODES +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + CHECK YOUR TELEPHONE BOOK OR THE SEPARATE LISTING OF AREA CODES FOUND ON +MANY BBS'S. HERE ARE THE SPECIAL AREA CODES (SAC'S): + +510 - TWX (USA) +610 - TWX (CANADA) +700 - NEW SERVICE +710 - TWX (USA) +800 - WATS +810 - TWX (USA) +900 - DIAL-IT SERVICES +910 - TWX (USA) + + THE OTHER AREA CODES NEVER CROSS STATE LINES, THEREFORE EACH STATE MUST +HAVE AT LEAST ONE EXCLUSIVE NPA CODE. WHEN A COMMUNITY IS SPLIT BY A STATE +LINE, THE CO #'S ARE OFTEN INTERCHANGEABLE (IE, YOU CAN DIAL THE SAME # FROM 2 +DIFFERENT AREA CODES) + +TWX: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + Page 101 + + + + + The Official Phreaker's Manual + + + TWX (TELEX II) CONSISTS OF 5 TELETYPE-WRITER AREA CODES. THEY ARE OWNED BY +WESTERN UNION. THESE SAC'S MAY ONLY BE REACHED VIA OTHER TWX MACHINES. THESE +RUN AT 110 BAUD. BESIDES THE TWX #'S, THESE MACHINES ARE ROUTED TO NORMAL +TELEPHONE #'S. TWX MACHINES ALWAYS RESPOND WITH AN ANSWERBACK. FOR EXAMPLE, +WU'S FYI TWX # IS (910) 988-5956, THE CORRESPONDING REAL NUMBER TO THIS IS +(201) 279-5956. THE ANSWERBACK FOR THIS SERVICE IS "WU FYI MAWA." + + IF YOU DON'T WANT TO BUY A TWX MACHINE, YOU CAN STILL SEND TWX MESSAGES +USING EASYLINK [800/325-4112 - SEE TUC'S AND MY ARTICLE ENTITLED "HACKING +WESTERN UNION'S EASYLINK] + +700: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + AT THE TIME OF THIS WRITING, THE 700 EXCHANGE DOES NOT YET EXIST. AT&T +PLANS TO USE IT SOON THOUGH. THEY PLAN TO MAKE IT A TYPE OF FANCY CALL +FORWARDING SERVICE. IT WILL BE TARGETED TOWARDS SALESMEN ON THE RUN. + + TO UNDERSTAND HOW IT WORKS, I'LL EXPLAIN IT WITH AN EXAMPLE. LET'S SAY JOE +Q. SALESPIG WORKS FOR AT&T SECURITY AND HE IS ON THE RUN CHASING A PHREAK +AROUND THE COUNTRY WHO ROYALLY SCREWED UP AN IMPORTANT COSMOS SYSTEM. LET'S +SAY THAT JOE'S 700 # IS (700) 382-5968. EVERY TIME JOE GOES TO A NEW HOTEL, HE +DIALS A SPECIAL 700 #, ENTERS A CODE, AND THE # WHERE HE IS STAYING. NOW, IF +HIS BOSS RECEIVED SOME IMPORTANT INFO, ALL HE WOULD DO IS DIAL (700) 382-5968 +AND IT WOULD RING WHEREVER JOE LAST PROGRAMMED IT TO. NEAT, HUH? + +800: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THIS SAC IS ONE OF MY FAVORITES SINCE IT ALLOWS FOR TOLL-FREE CALLS. + +INWARD WATS (INWATS): INWARD WIDE AREA TELECOMMUNICATIONS SERVICE IS THE 800 +#'S THAT WE ARE ALL FAMILIAR WITH. 800 #'S ARE SET UP IN SERVICE AREAS OR +BANDS. THERE ARE 6 OF THESE. BAND 6 IS THE LARGEST AND YOU CAN CALL A BAND 6 +# FROM ANYWHERE IN THE US EXCEPT THE STATE WHERE THE CALL IS TERMINATED (THIS +IS WHY MOST COMPANIES HAVE ONE 800 # FOR THE COUNTRY AND THEN ANOTHER FOR JUST +ONE STATE). BAND 5 INCLUDES THE 48 CONTIGUOUS STATES. ALL THE WAY DOWN TO +BAND 1 WHICH INCLUDES ONLY THE STATES CONTIGUOUS TO THAT ONE. THEREFORE, LESS +PEOPLE CAN REACH A BAND 1 INWATS # THAT A BAND 6 #. + +INTRASTATE INWATS #'S (IE, YOU CAN CALL IT FROM ONLY 1 STATE) ALWAYS HAVE A 2 +AS THE LAST DIGIT IN THE EXCHANGE (IE, 800-NX2-XXXX). THE NXX ON 800 #'S +REPRESENT THE AREA WHERE THE BUSINESS IS LOCATED. FOR EXAMPLE, A # BEGINNING +WITH 800-431 WOULD TERMINATE AT A NEW YORK CO. + +800 #'S ALWAYS END UP IN A HUNT SERIES IN A CO. THIS MEANS THAT IT TRIES THE +FIRST # ALLOCATED TO THE COMPANY FOR THEIR 8P0 LINES; IF THIS IS BUSY IT WILL +THEN TRY THE NEXT #, ETC). YOU MUST HAVE A MINIMUM OF TWO LINES PER EACH 800 +#. FOR EXAMPLE, TRAVELNET USES A HUNT SERIES. IF YOU DIAL (800) 521-8400, IT +WILL FIRST TRY THE # ASSOCIATED WITH 8400; IF IT IS BUSY IT WILL GO TO THE NEXT +AVAILABLE PORT, ETC. INWATS CUSTOMERS ARE BILLED BY THE # OF HOURS OF CALLS +THAT ARE MADE TO THEIR #. + +OUTWATS (OUTWARD WATS): OUTWATS ARE FOR MAKING OUTGOING CALLS ONLY. LARGE +COMPANIES USE OUTWATS SINCE THEY RECEIVE BULK-RATE DISCOUNTS. SINCE OUTWATS # +CANNOT HAVE INCOMING CALLS, THEY ARE IN THE FORMAT OF: + + + Page 102 + + + + + The Official Phreaker's Manual + +(800) *XX-XXXX + + WHERE * IS THE DIGIT 0 OR 1 WHICH CANNOT BE DIALED UNLESS YOU BOX THE CALL. +THE *XX IDENTIFIES THE TYPE OF SERVICE AND THE AREAS THAT THE COMPANY CAN +CALL. + +REMEMBER: INWATS + OUTWATS = WATS EXTENDER (SEE PART I) +900: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THIS DIAL-IT SAC IS A NATIONWIDE DIAL-IT SERVICE. IT IS USED FOR TAKING +TELEVISION POLLS AND OTHER STUFF. THE FIRST MINUTE CURRENTLY COSTS AN +OUTRAGEOUS 50 CENTS AND EACH ADDITIONAL MINUTE COSTS 35 CENTS. BELL TAKES IN +ALOT OF REVENUE IN THIS WAY. + +DIAL (900) 555-1212 TO FIND OUT WHAT IS CURRENTLY ON THE SERVICE. + +CO CODES: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THESE IDENTIFY THE SWITCHING OFFICE WHERE THE CALL IS TO BE ROUTED. + +THE FOLLOWING CO CODES ARE RESERVED NATIONWIDE: + +555 - DIRECTORY ASSISTANCE +844 - TIME ] THESE ARE NOW IN +936 - WEATHER ] THE 976 EXCHANGE +950 - FUTURE SERVICES +958 - PLANT TEST +959 - PLANT TEST +970 - PLANT TEST (TEMPORARY) +976 - DIAL-IT SERVICES + + ALSO, THE 3 DIGIT ANI & RINGBACK #'S ARE REGARDED AS PLANT TEST AND ARE +THUS RESERVED. THESE NUMBERS VARY FROM AREA TO AREA. + +950: [ALSO SEE PART I] +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +HERE ARE THE SERVICES THAT ARE CURRENTLY ON THE 950 EXCHANGE: + +1000 - SPC +1022 - MCI EXECUNET +1033 - US TELEPHONE +1044 - ALLNET +1066 - LEXITEL +1088 - SBS SKYLINE + +THESE SCC'S (SPECIALIZED COMMON CARRIERS) ARE FREE FROM FORTRESSES! + +Publishers note: Most 950's now require the station code (1022, 1000, 1088, +etc.) to be five digits long. MCI 950-10222, US telefone 10333, ALLNET 10444, +etc. Look in "Equal Access and the American Dream" p. for a complete list. +PLANT TESTS: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +THESE INCLUDE ANI, RINGBACK, AND OTHER VARIOUS TESTS. + + + Page 103 + + + + + The Official Phreaker's Manual + +976: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + DIAL 976-1000 TO SEE WHAT IS CURRENTLY ON THE SERVICE. ALSO, MANY BBS'S +HAVE A LISTING OF THESE #'S. + + +N11 CODES: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + BELL IS TRYING TO PHASE SOME OF THESE OUT, BUT THEY STILL EXIST IN MANY +AREAS. + +011 - INTERNATIONAL DIALING PREFIX +211 - COIN REFUND OPERATOR +411 - DIRECTORY ASSISTANCE +611 - REPAIR SERVICE +811 - BUSINESS OFFICE +911 - EMERGENCY + +INTERNATIONAL DIALING +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + WITH INTERNATIONAL DIALING, THE WORLD HAS BEEN DIVIDED INTO 9 NUMBERING +ZONES. + +TO MAKE AN INTERNATIONAL CALL, YOU MUST DIAL: INT. PREFIX + COUNTRY CODE + NAT. +# + + IN NORTH AMERICA, THE INTERNATIONAL DIALING PREFIX IS 011 FOR +STATION-TO-STATION CALLS AND 01 FOR OPERATOR- SERVICED CALLS. IDDD STANDS FOR +INTERNATIONAL DIRECT DISTANCE DIALING. + + THE COUNTRY CODE, WHICH VARIES FROM 1 TO 3 DIGITS, ALWAYS HAS THE WORLD +NUMBERING ZONE AS THE FIRST DIGIT. FOR EXAMPLE, THE COUNTRY CODE FOR THE +UNITED KINGDOM IS 44, THUS IT IS IN WORLD NUMBERING ZONE 4. + + SOME BOARDS MAY CONTAIN A COMPLETE LISTING OF OTHER COUNTRY CODES, BUT HERE +ARE A FEW: + +001 - NORTH AMERICA (US, CANADA,ETC) +020 - EGYPT +258 - MOZAMBIQUE +034 - SPAIN +049 - GERMANY +052 - MEXICO (SOUTHERN PORTION) +061 - AUSTRALIA +007 - USSR +081 - JAPAN +098 - IRAN + + IF YOU CALL FROM AN AREA OTHER THAN NORTH AMERICA, THE FORMAT IS GENERALLY +THE SAME. FOR EXAMPLE, LET'S SAY YOU WANTED TO CALL THE WHITE HOUSE FROM +SWITZERLAND. FIRST YOU WOULD DIAL 00 (THE SWISS INTERNATIONAL DIALING PREFIX), +THEN 1 (THE US COUNTRY CODE), FOLLOWED BY 202-456-1414 (THE NATIONAL # FOR THE +WHITE HOUSE). + + ALSO, COUNTRY CODE 87 IS RESERVED FOR MARITIME MOBILE SERVICE, IE CALLING + + Page 104 + + + + + The Official Phreaker's Manual + +SHIPS: + +871 - MARISAT (ATLANTIC) +872 - MARISAT (PACIFIC) +873 - MARISAT (INDIAN ) + +INTERNATIONAL SWITCHING: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN NORTH AMERICA, THERE ARE CURRENTLY 7 NO. 4 ESS'S THAT PERFORM THE DUTY +OF ISC (INTERNATIONAL SWITCHING CENTERS). ALL INTERNATIONAL CALLS DIALED FROM +NUMBERING ZONE 1 WILL BE ROUTED THROUGH ONE OF THESE "GATEWAY CITIES." THEY +ARE: + +182 - WHITE PLAINS, NY +183 - NEW YORK, NY +184 - PITTSBURGH, PA +185 - ORLANDO, FL +186 - OAKLAND, CA +187 - DENVER, CO +188 - NEW YORK, NY + + THE 18X SERIES ARE OPERATOR ROUTING CODES FOR OVERSEAS ACCESS (TO BE +FURTHER DISCUSSED WITH BLUE BOXES). ALL INTERNATIONAL CALLS USE A SIGNALING +SYSTEM CALLED CCITT. IT IS AN INTERNATIONAL STANDARD FOR SIGNALING. + +COMING SOON: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN PART IV, WE WILL DISCUSS SWITCHING EQUIPMENT, VARIOUS OPERATORS, CO +TYPES, ETC. + +PHREAKING LIVES IN '84, + +*****BIOC +*=$=*AGENT +*****003 + +<<=-FARGO 4A-=>> +23-FEB-84 + +REFERENCES/ +ACKNOWLEDGEMENTS: NOTES ON THE NETWORK (AT&T), TAP (ROOM 603, 147W 42 ST, +NEW YORK, NY 10036),UNDERSTANDING TELEPHONE ELECTRONICS,AND MANY OTHERS/TUC, +MULCHER... + + + + + + + + + + + + + + + Page 105 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART IV * + * * + ************************************************************ + +PREFACE: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + PART IV WILL DEAL WITH THE VARIOUS TYPES OF OPERATORS, OFFICE HIERARCHY, & +SWITCHING EQUIPMENT. + + +OPERATORS: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THERE ARE MANY TYPES OF OPERATORS IN THE NETWORK AND THE MORE COMMON ONES +WILL BE DISCUSSED. + +TSPS OPERATOR: +____________________________________________________________ + + THE TSPS (TRAFFIC SERVICE POSITION SYSTEM) OPERATOR IS PROBABLY THE BITCH +(OR BASTARD FOR THE PHEMALE LIBERATIONISTS) THAT MOST OF US ARE USE TO HAVING +TO DEAL WITH. + +HERE ARE HER RESPONSIBILITIES: + +1) OBTAINING BILLING INFORMATION FOR CALLING CARD OR 3RD NUMBER CALLS. + +2) IDENTIFYING CALLED CUSTOMER ON PERSON-TO-PERSON CALLS. + +3) OBTAINING ACCEPTANCE OF CHARGES ON COLLECT CALLS. + +4) IDENTIFYING CALLING NUMBERS. THIS ONLY HAPPENS WHEN THE CALLING # IS NOT +AUTOMATICALLY RECORDED BY CAMA (CENTRALIZED AUTOMATIC MESSAGE ACCOUNTING) & +FORWARDED FROM THE LOCAL OFFICE. THIS COULD BE CAUSED BY EQUIPMENT FAILURES OR +IF THE OFFICE IS NOT EQUIPPED FOR CAMA (MOST ARE). + + + + YOU SHOULDN'T MESS WITH THE TSPS OPERATOR SINCE SHE KNOWS WHERE YOU ARE +CALLING FROM. SHE ALSO KNOWS WHETHER OR NOT YOU ARE AT A FORTRESS FONE & SHE +CAN TRACE CALLS QUITE READILY. OUT OF ALL THE OPERATORS, SHE IS ONE OF THE +MOST DANGEROUS. + +INWARD OPERATOR: +____________________________________________________________ + + THIS OPERATOR ASSISTS YOUR LOCAL TSPS ("0") OPERATOR IN CONNECTING CALLS. + + Page 106 + + + + + The Official Phreaker's Manual + +SHE WILL NEVER QUESTION A CALL AS LONG AS THE CALL IS WITHIN HER SERVICE AREA. +SHE CAN ONLY BE REACHED VIA OTHER OPERATORS OR BY A BLUE BOX. FROM A BB, YOU +WOULD DIAL KP+NPA+121+ST FOR THE INWARD OPERATOR THAT WILL HELP YOU CONNECT ANY +CALLS WITHIN THAT NPA AREA ONLY. (BLUE BOXING WILL BE DISCUSSED IN A FUTURE +PART OF BASIC TELCOM) + +DIRECTORY ASSISTANCE OPERATOR: +____________________________________________________________ + + THIS IS THE OPERATOR THAT YOU ARE CONNECTED TO WHEN YOU DIAL: 411 OR +NPA-555-1212. SHE DOES NOT READILY KNOW WHERE YOU ARE CALLING FROM. SHE DOES +NOT HAVE ACCESS TO UNLISTED #'S, BUT SHE DOES KNOW IF AN UNLISTED # EXISTS FOR +A CERTAIN LISTING. + + THERE IS ALSO A DIRECTORY ASSISTANCE FOR DEAF PEOPLE WHO USE +TELETYPEWRITERS IF YOU MODEM CAN TRANSFER BAUDOT (THE APPLE CAT CAN), THEN YOU +CAN CALL HER UP AND HAVE AN INTERESTING CONVERSATION WITH HER. THE # +IS:800/855-1155. SHE USES THE STANDARD TELEX ABBREVIATIONS SUCH AS GA FOR GO +AHEAD. THEY TEND TO BE NICER & WILL TALK LONGER THAN YOUR REGULAR OPERATORS. +ALSO, THEY ARE MORE VULNERABLE INTO BEING TALKED OUT OF INFORMATION THROUGH THE +PROCESS OF "SOCIAL ENGINEERING" AS CHESHIRE CATALYST WOULD PUT IT. + +OTHER OPERATORS HAVE ACCESS TO THEIR OWN DA BY DIALING KP+NPA+131+ST (MF). + + THIS IS A LITTLE OUT OF THE SCOPE OF THIS TUTORIAL, BUT MANY TELCO'S ARE +NOW CHARGING FOR CALLS TO DIR. ASST. YOU CAN BEAT THIS BY: + +(1) COUNT HOW MANY CALLS YOU MAKE TO DIRECTORY ASSISTANCE IN A BILLING PERIOD. +GO TO A FORTRESS FONE & DIAL DA. WHEN THE OPERATOR COMES ON, GIVE HER A NAME +THAT YOU KNOW HAS AN UNLISTED # OR ASK FOR A TOWN THAT ISN'T IN THE NPA. SHE +WILL THEN ASK FOR YOUR # SO SHE CAN CREDIT THE CALL TO YOU. GIVE HER YOUR HOME +#, SHE DOESN'T KNOW THAT YOU ARE MAKING A FREE CALL FROM THE FORTRESS. JUST +MAKE SURE THAT YOU DON'T CREDIT YOURSELF FOR MORE CALLS THAN YOU ACTUALLY MADE +OR YOU MIGHT HAVE A FEW PROBLEMS! + +(2) IF YOU HAVE A BAUDOT TERMINAL, USE THE 800 #, IT'S FREE & THERE IS ONE # +FOR ALL REQUESTS. + +C/NA OPERATORS: +____________________________________________________________ + + C/NA OPERATORS ARE OPERATORS THAT DO EXACTLY THE OPPOSITE OF WHAT DIRECTORY +ASSISTANCE OPERATORS ARE FOR. SEE PART II, FOR MORE INFO ON C/NA & #'S. IN MY +EXPERIENCES, THESE OPERATORS KNOW MORE THAN THE DA OP'S DO & THEY ARE MORE +SUSCEPTIBLE TO "SOCIAL ENGINEERING." IT IS POSSIBLE TO BULLSHIT A C/NA +OPERATOR FOR THE NON-PUB DA # (IE, YOU GIVE THEM THE NAME & THEY GIVE YOU THE +UNLISTED #). THIS IS DUE TO THE FACT THAT THEY ASSUME YOUR ARE A PHELLOW +COMPANY EMPLOYEE. + +INTERCEPT OPERATOR: +____________________________________________________________ + + THE INTERCEPT OPERATOR IS THE ONE THAT YOU ARE CONNECTED TO WHEN THERE ARE +NOT ENOUGH RECORDINGS AVAILABLE TO TELL YOU THAT THE # HAS BEEN DISCONNECTED OR +CHANGED. SHE USUALLY SAYS, "WHAT # YOU CALLIN' ? " WITH A FOREIGN ACCENT. +THIS IS THE LOWEST OPERATOR LIFEFORM. EVEN THOUGH THEY DON'T KNOW WHERE YOU +ARE CALLING FROM, IT IS A WASTE OF YOUR TIME TO TRY TO VERBALLY ABUSE THEM +SINCE THEY USUALLY UNDERSTAND VERY LITTLE ENGLISH. + + Page 107 + + + + + The Official Phreaker's Manual + + +OTHER OPERATORS: +____________________________________________________________ + +AND THEN THERE ARE THE: +MOBILE +SHIP-TO-SHORE +CONFERENCE +MARINE VERIFY, "LEAVE WORD & CALL BACK," +ROUT & RATE (KP+NPA+141+ST) & OTHER SPECIAL OPERATORS WHO HAVE ONE PURPOSE OR +ANOTHER IN THE NETWORK. + + PROBLEMS WITH AN OPERATOR? ASK TO SPEAK TO THEIR SUPERVISOR... WHICH IS +THE EQUIVALENT OF THE MADAME IN A WHOREHOUSE (IF YOU WILL EXCUSE THE ANALOGY). + + BY THE WAY, SOME CO'S THAT WILL ALLOW YOU TO DIAL A 1 OR 0 AS THE 4TH +DIGIT, WILL ALSO ALLOW YOU TO CALL SPECIAL OPERATORS WITHOUT A BLUE BOX. THIS +IS VERY RARE THOUGH! FOR EXAMPLE, 212-121-1111 WILL GET YOU A NY INWARD +OPERATOR. + +OFFICE HIERARCHY +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + EVERY SWITCHING OFFICE OFFICE IN NORTH AMERICA (THE NPA SYSTEM), IS +ASSIGNED AN OFFICE NAME & CLASS. THERE ARE FIVE CLASSES OF OFFICES NUMBERED 1 +THROUGH 5. YOUR CO IS MOST LIKELY A CLASS 5 OR END OFFICE. ALL LONG-DISTANCE +(TOLL) CALLS ARE SWITCHED BY A TOLL OFFICE WHICH CAN BE A CLASS 4, 3, 2, OR 1 +OFFICE. THERE IS ALSO A 4X OFFICE CALLED AN INTERMEDIATE POINT. THE 4X OFFICE +IS A DIGITAL ONE THAT CAN HAVE AN UNATTENDED EXCHANGE ATTACHED TO IT (KNOWN AS +A REMOTE SWITCHING UNIT-RSU). + + THE FOLLOWING CHART WILL LIST THE OFFICE #, NAME, & HOW MANY OF THOSE +OFFICES EXISTED IN NORTH AMERICA IN 1981. + +CLASS NAME ABB # EXISTING +----- ---------------- --- ------------ +1 REGIONAL CENTER RC 12 +2 SECTIONAL CENTER SC 67 +3 PRIMARY CENTER PC 230 +4 TOLL CENTER TC 1,30 +4P TOLL POINT TP ? +4X INTERMEDIATE PT IP ? +5 END OFFICE EO 19,000 +R RSU RSU ? + + WHEN CONNECTING A CALL FROM ONE PARTY TO ANOTHER, THE SWITCHING EQUIPMENT +USUALLY TRIES TO FIND THE SHORTEST ROUTE BETWEEN THE CLASS 5 END OFFICE OF THE +CALLER & THE CLASS 5 END OFFICE OF THE CALLED PARTY. IF NO INTER-OFFICE TRUNKS +EXIST BETWEEN THE 2 PARTIES, IT WILL THEN MOVE UPTO THE NEXT HIGHEST OFFICE FOR +SERVICING (CLASS 4). IF THE CLASS 4 OFFICE CANNOT HANDLE THE CALL BY SENDING +IT TO ANOTHER CLASS 4 OR 5 OFFICE, IT WILL BE SENT TO THE NEXT OFFICE IN THE +HIERARCHY (3). THE SWITCHING EQUIPMENT FIRST USES THE HIGH-USAGE INTEROFFICE +TRUNK GROUPS, IF THEY ARE BUSY IT THEN GOES TO THE FINAL TRUNK GROUPS ON THE +NEXT HIGHEST LEVEL. IF THE CALL CANNOT BE CONNECTED THEN, YOU WILL PROBABLY GET +A RE-ORDER (120IPM BUSY SIGNAL) SIGNAL. AT THIS TIME, THE GUYS AT NETWORK +OPERATIONS ARE PROBABLY SHITTING IN THEIR PANTS AND TRYING TO AVOID THE DREADED +NETWORK DREADLOCK (AS SEEN ON TV!). + + + Page 108 + + + + + The Official Phreaker's Manual + + IT IS ALSO INTERESTING TO NOTE THAT 9 CONNECTIONS IN TANDEM IS CALLED +RING-AROUND-THE ROSY AND IT HAS NEVER OCCURRED IN TELEPHONE HISTORY. THIS +WOULD CASE AN ENDLESS LOOP CONNECTION. [ A NEAT WAY TO REALLY SCREW-UP THE +NETWORK]. + + THE 10 REGIONAL CENTERS IN THE US & THE 2 IN CANADA ARE ALL INTERCONNECTED. +THEY FORM THE FOUNDATION OF THE ENTIRE TELEPHONE NETWORK. SINCE THERE ARE ONLY +12 OF THEM, THEY ARE LISTED BELOW: + +CLASS 1 REGIONAL OFFICE LOCATION NPA +---------------------------------- --- +DALLAS 4 ESS 214 +WAYNE, PA 215 +DENVER 4T 303 +REGINA NO.2 SP1-4W [CANADA] 306 +ST. LOUIS 4T 314 +ROCKDALE, GA 404 +PITTSBURGH 4E 412 +MONTREAL NO.1 4AETS [CANADA] 504 +NORWICH, NY 607 +SAN BERNARDINO, CA 714 +NORWAY, IL 815 +WHITE PLAINS 4T, NY 914 + + THE FOLLOWING DIAGRAM DEMONSTRATES HOW THE VARIOUS OFFICES MAY BE +CONNECTED: + + _________________________ + _|_ _|_ _|_ REGIONAL + | | | | | | OFFICES + | 1 | <=--=> | 1 | <=--=> | 1 | <<==------ + |___| |___| |___| + | OTHERS\/ + _________________|_______________________| + _|_ _|_ _|_ _|__ _|_ +| | | | | | | | | | +| 2 | | 3 | | 4 | | 4P | | 5 | +|___| |___| |___| |____| |___| + | | | | + |____ | _|__ | + _|_ _|_ | __|_ _|_ \ +| || || | || | |_____ +| 3 || 4 || | 4X || 5 | _|__ _|_ +|___||___|| |____||___|| || | + | | | 4X || 5 | + __|_ | |____||___| + | ||_____________ + | 5R | _______|_________ + |____| | | | + _|_ _|_ _|_ __|_ + | | | | | | | | + | R | | 4 | | 5 | | 5R | + |___| |___| |___| |____| + +NOTE: THE PRECEDING DIAGRAM USED SPECIAL SYMBOLS FROM AN APPLE //E THAT MAY NOT +BE VIEWED AS I INTENDED THEM IF YOU ARE NOT USING AN APPLE//E OR //C. + +SWITCHING EQUIPMENT + + Page 109 + + + + + The Official Phreaker's Manual + +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN THE NETWORK, THERE ARE 3 MAJOR TYPES OF SWITCHING EQUIPMENT. THEY ARE +KNOWN AS: STEP, CROSSBAR, & ESS. + + +STEP-BY-STEP (SXS) +____________________________________________________________ + + THE STEP-BY-STEP, A/K/A THE STROWGER SWITCH OR TWO-MOTION SWITCH, WAS +INVENTED IN 1889 BY AN UNDERTAKER NAMED ALMON STROWGER. HE INVENTED THIS +MECHANICAL SWITCHING EQUIPMENT BECAUSE HE FELT THAT THE BIASED OPERATOR WAS +ROUTING ALL REQUESTS FOR AN 'UNDERTAKER' TO HER HUSBAND'S BUSINESS. BELL +STARTED USING THIS SYSTEM IN 1918 AS OF 1978, OVER 53% OF THE BELL EXCHANGES +USED THIS METHOD OF SWITCHING. + + STEP-BY-STEP SWITCHING IS CONTROLLED DIRECTLY BY THE DIAL PULSES WHICH MOVE +A SERIES OF SWITCHES (CALLED THE SWITCH TRAIN) IN ORDER. WHEN YOU FIRST PICK UP +THE FONE UNDER SXS, A LINEFINDER ACKNOWLEDGES THE REQUEST (SOONER OR LATER) BY +SENDING A DIAL TONE. IF YOU THEN DIALED 1234, THE EQUIPMENT WOULD FIRST FIND +AN IDLE SELECTOR SWITCH. IT WOULD THEN MOVE VERTICALLY 1 PULSE, IT WOULD THEN +MOVE HORIZONTALLY TO FIND A FREE SECOND SELECTOR, IT WOULD THEN MOVE 2 VERTICAL +PULSES, STEP HORIZONTALLY TO FIND THE NEXT SELECTOR, ETC. THUS THE FIRST +SWITCH IN THE TRAIN TAKES NO DIGITS, THE SECOND SWITCH TAKES 1 DIGIT, THE THIRD +SWITCH TAKES 1 DIGIT, & THE LAST SWITCH IN THE TRAIN (CALLED THE CONNECTOR) +TAKES THE LAST 2 DIGITS & CONNECTS YOUR CALLS. A NORMAL (10,000 LINE) EXCHANGE +REQUIRES 4 DIGITS (0000-9999) TO CONNECT A LOCAL CALL & THUS IT TAKES 4 +SWITCHES TO CONNECT EVERY CALL (LINEFINDER, 1ST & 2ND SELECTORS, & THE +CONNECTOR) . + + WHILE IT WAS THE FIRST, SXS SUCKS FOR THE FOLLOWING REASONS: + +[1] THE SWITCHED OFTEN BECOME JAMMED THUS THE CALLS OFTEN BECOME BLOCKED. + +[2] YOU CAN'T USE DTMF (DUAL-TONE MULTI-FREQUENCY A/K/A TOUCH-TONE) DIRECTLY. +IT IS POSSIBLE THAT THE TELCO MAY HAVE INSTALLED A CONVERSION KIT BUT THEN THE +CALLS WILL GO THROUGH JUST AS SLOW AS PULSE, ANYWAY! + +[3] THEY USE A LOT OF ELECTRICITY & MECHANICAL MAINTENANCE. (BAD FROM TELCO +POINT OF VIEW) + +[4] EVERYTHING IS HARDWIRED. + + THEY CAN STILL HOOK UP PEN REGISTERS & OTHER SHIT ON THE LINE SO IT IS NOT +EXACTLY A PHREAK HAVEN. + +YOU CAN IDENTIFY SXS OFFICES BY: + +(1) LACK OF DTMF OR PULSING DIGITS AFTER DIALING DTMF. + +(2) IF YOU GO NEAR THE CO, IT WILL SOUND LIKE A TYPEWRITER TESTING FACTORY. + +(3) LACK OF SPEED CALLING, CALL FORWARDING, & OTHER CUSTOMER SERVICES. + +(4) FORTRESS FONES THAT WANT YOUR MONEY FIRST (AS OPPOSED TO DIAL TONE FIRST +ONES). + + THE PRECEDING DON'T NECESSARILY IMPLY THAT YOU HAVE SXS BUT THEY SURELY + + Page 110 + + + + + The Official Phreaker's Manual + +GIVE EVIDENCE THAT IT MIGHT BE. ALSO, IF ANY OF THE ABOVE CHARACTERISTICS +EXIST, IT CERTAINLY ISN'T ESS! ALSO, SXS HAVE PRETTY MUCH BEEN ERADICATED FROM +LARGE METROPOLITAN AREAS SUCH AS NYC (212). + +CROSSBAR: +____________________________________________________________ + + THERE ARE 3 MAJOR TYPES OF CROSSBAR SYSTEMS CALLED: NO. 1 CROSSBAR (1XB), +NO. 4 CROSSBAR (4XB), & NO. 5 CROSSBAR (5XB). 5XB HAS BEEN THE PRIMARY END +OFFICE SWITCH OF BELL SINCE THE 60'S AND THUS IT IS IN WIDE-USE. + + CROSSBAR USES A COMMON CONTROL SWITCHING METHOD. WHEN THERE IS AN INCOMING +CALL, A STORED PROGRAM DETERMINES ITS ROUTE THROUGH THE SWITCHING MATRIX. + + IN CROSSBAR, THE BASIC OPERATION PRINCIPLE IS THAT A HORIZONTAL &&HPC!U”Uj* +‰*ʪ R”µR”ªJÕTJUE +)Ê +YR*Š•U4+¤)êêå)j¢!I=MMA=%9Qÿ MATRIX. THE +POINT WHERE THESE 2 LINES MEET IN THE MATRIX IS THE CONNECTION. + + +ESS +____________________________________________________________ + +ELECTRONIC SWITCHING SYSTEM (ESS) THE PHREAK'S NIGHTMARE COME TRUE (OR ORWELL'S +PROPHECY AS 2600 PUTS IT) + + ESS IS BELL'S MOVE TOWARDS THE AIRSTRIP ONE SOCIETY DEPICTED IN ORWELL'S +1984. WITH ESS, EVERY SINGLE DIGIT THAT YOU DIAL IS RECORDED--EVEN IF IT IS A +MISTAKE. THEY KNOW WHO YOU CALL, WHEN YOU CALL, HOW LONG YOU TALKED FOR, & +PROBABLY WHAT YOU TALKED ABOUT (IN SOME CASES). ESS CAN (AND IS) ALSO +PROGRAMMED TO PRINT OUT #'S OF PEOPLE WHO MAKE EXCESSIVE CALLS TO 800 #'S OR +DIRECTORY ASSISTANCE. THIS IS CALLED THE "800 EXCEPTIONAL CALLING REPORT." ESS +COULD ALSO BE PROGRAMMED TO PRINT OUT LOGS OF WHO CALLS CERTAIN #'S--LIKE A +BOOKIE, A KNOWN COMMUNIST, A BBS, ETC THE THING TO REMEMBER WITH ESS IS THAT IT +IS A SERIES OF PROGRAMS WORKING TOGETHER. THESE PROGRAMS CAN BE VERY EASILY +CHANGED TO DO WHATEVER THEY WANT IT TO DO. ONE PHREAK WHOM I KNOW HAS SOME ESS +SOURCE CODE LISTING WHICH IS INCREDIBLY COMPLEX (AS WELL AS DOCUMENTED--GRACIAS +DIOS). THIS SYSTEM MAKES THE JOB OF BELL SECURITY, THE FBI, NSA, & OTHER +ORGANIZATIONS THAT LIKE TO INVADE PRIVACY INCREDIBLY EASY. + + WITH ESS, TRACING IS DONE IN MICROSECONDS (EINE AUGENBLICK) & THE RESULTS +ARE PRINTED AT THE CONSOLE OF A BELL GESTAPO OFFICER. ESS WILL ALSO PICK UP +ANY "FOREIGN" TONES ON THE LINE SUCH AS 2600 HZ! + + BELL PREDICTS THAT THE COUNTRY WILL BECOME TOTALLY ESS BY THE 1990'S. + + YOU CAN IDENTIFY ESS BY THE FOLLOWING WHICH ARE USUALLY ESS FUNCTIONS: + +[1] DIALING 911 FOR HELP. +[2] DIAL-TONE-FIRST FORTRESSES. +[3] CUSTOM CALLING SERVICES SUCH AS:CALL FORWARDING, SPEED DIALING, & CALL +WAITING. (ASK YOUR BUSINESS OFFICE IF YOU CAN GET THESE.) +[4] ANI (AUTOMATIC NUMBER IDENTIFICATION) ON LD CALLS. + + PHREAKING DOES NOT COME TO A COMPLETE HALT UNDER ESS THOUGH--JUST BE VERY +CAREFUL, THOUGH!!! + + DUE TO THE FACT THAT ESS SENDS A COMPUTER GENERATED "ARTIFICIAL RING," +WHERE THE VOICE IS NOT CONNECTED DIRECTLY TO THE CALLED PARTIES LINE UNTIL HE + + Page 111 + + + + + The Official Phreaker's Manual + +PICKS UP, BLACK BOXES & INFINITY TRANSMITTERS WILL NOT WORK! + +NOTE: ANOTHER INTERESTING WAY TO FIND OUT WHAT TYPE OF EQUIPMENT YOU ARE ON IS +TO RAID THE TRASH CAN OF YOU LOCAL CO--THIS ART WILL DISCUSSED IN A SEPARATE +ARTICLE SOON. + +COMING SOON: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +IN THE PART V, WE WILL START TO TAKE A LOOK AT TELEPHONE ELECTRONICS. + +FURTHER READING: + +FOR MORE INFORMATION ON THE ABOVE TOPICS, I SUGGEST THE FOLLOWING: + +NOTES ON THE NETWORK, AT&T, 1980. + +UNDERSTANDING TELEPHONE ELECTRONICS,TEXAS INSTRUMENTS, 1983. + +AND SUBSCRIPTIONS TO: + +TAP, ROOM 603, 147 W 42 ST, NEW YORK, NY 10036. SUBSCRIPTIONS ARE +$10/YEAR.#BACK ISSUES ARE $0.75. THE CURRENT ISSUES IS #90 (JAN/FEB 1984) + +2600, BOX 752, MIDDLE ISLAND, NY 11953. SUBSCRIPTIONS ARE $10/YEAR. BACKISSUES +ARE $1 EACH. THE CURRENT ISSUE IS #4 (APRIL 1984). + +THEY ARE BOTH EXCELLENT SOURCES OF ALL SORTS OF INFORMATION (PRIMARILY +PHREAKING/HACKING). + +NOTE: FOR THE MOST PART, I HAVE ASSUMED THAT YOU HAVE READ MY PREVIOUS 3 +COURSES IN THE BASIC TELCOM SERIES. + +HASTA LUEGO, + +*****BIOC +*=$=*AGENT +*****003 + +APRIL 13, 1984 [THE YEAR OF BIG BROTHER] + +<<=-FARGO 4A-=>> + + + + + + + + + + + + + + + + + + Page 112 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART V * + * * + ************************************************************ + + +PREFACE: + + PREVIOUS INSTALLMENTS OF THIS SERIES WERE FOCUSED ON TELEPHONY FROM A +NETWORK POINT-OF-VIEW. PART V WILL DEAL WITH TELEPHONE ELECTRONICS FOCUSING +PRIMARILY ON THE SUBSCRIBER'S TELEPHONE. HERE-IN-AFTER SIMPLY REFERRED TO AS +"FONE." + +WIRING: +____________________________________________________________ + + ASSUMING A STANDARD ONE-LINE FONE, THERE ARE USUALLY 4 WIRES THAT LEAD OUT +OF THE FONE SET. THESE ARE STANDARDLY COLORED RED, GREEN, YELLOW, & BLACK. +THE RED & GREEN SIRES ARE THE TWO THAT ARE ACTUALLY HOOKED UP TO YOUR CO. THE +YELLOW WIRE IS SOMETIMES USED TO RING DIFFERENT FONES ON A PARTY LINE (IE, ONE +#, SEVERAL FAMILIES--FOUND PRIMARILY IN RURAL AREAS WHERE THEY PAY LESS FOR THE +SERVICE AND THEY DON'T USE THE FONE AS MUCH); OTHERWISE, THE YELLOW IS USUALLY +JUST IGNORED. ON SOME TWO-LINE FONES, THE RED & GREEN WIRES ARE USED FOR THE +FIRST FONE # AND THE YELLOW & BLACK ARE USED FOR THE SECOND LINE. IN THIS CASE +THERE MUST BE AN INTERNAL OR EXTERNAL DE–R¨*ŠÒµUŠ5 +ªjQ]9#!#]=5Sb%9M 9AI=Y%M C=13ÿUNCTION. (SUCH AS RADIO SHACK'S OUTRAGEOUSLY PRICED +2 LINE & HOLD MODULE-9. + + IN TELEPHONY, THE RED & GREEN WIRES ARE OFTEN REFERRED TO AS TIP (T) & RING +(R). THE TIP IS USUALLY THE MORE POSITIVE OF THE TWO WIRES. THIS NAMING GOES +BACK TO THE OLD OPERATOR CORD BOARDS WHERE ONE OF THE WIRES WAS THE TIP OF THE +PLUG AND THE OTHER WAS THE RING (OF THE BARREL). + A ROTARY FONE (AKA DIAL OR PULSE) WILL WORK FINE REGARDLESS WHETHER THE RED +(OR GREEN) WIRE IS CONNECTED THE TIP(+) OR RING(-). A TOUCH-TONE (TM) FONE IS +A DIFFERENT STORY, THOUGH. IT WILL NOT WORK EXCEPT IF THE TIP(+) IS THE GREEN +WIRE. [ALTHOUGH, SOME OF THE MORE EXPENSIVE DTMF FONES DO HAVE A RECTIFIER +BRIDGE WHICH COMPENSATES FOR POLARITY REVERSAL.] THIS I WHY UNDER CERTAIN +(NON-DIGITAL) SWITCHING EQUIPMENT YOU CAN REVERSE THE RED & GREEN WIRES ON A +TOUCH-TONE FONE AND RECEIVE FREE DTMF SERVICE. EVEN THOUGH IT WON'T BREAK DIAL +TONE, REVERSING THE WIRES ON A ROTARY LINE ON A DIGITAL SWITCH WILL CAUSE THE +TONES TO BE GENERATED. + +VOLTAGES, ETC. +____________________________________________________________ + + WHEN YOUR TELEPHONE IS ON-HOOK (IE, HUNG UP) THERE IS APPROXIMATELY 48 +VOLTS OF DC CURRENT (VDC) FLOWING THROUGH THE TIP & RING. WHEN THE HANDSET OF +A FONE IS LIFTED A FEW SWITCHES CLOSE WHICH CAUSE A LOOP TO BE CONNECTED (KNOWN +AS THE "LOCAL LOOP") BETWEEN YOUR FONE & THE CO. ONCE THIS HAPPENS DC CURRENT +IS ABLE TO FLOW THROUGH THE FONE WITH LESS RESISTANCE. THIS CAUSES A RELAY TO +ENERGIZE WHICH CAUSES OTHER CO EQUIPMENT TO REALIZE THAT YOU WANT SERVICE. +EVENTUALLY, YOU SHOULD END UP WITH A DIAL TONE. THIS ALSO CAUSES THE 48 VDC TO +DROP DOWN INTO THE VICINITY OF 13 VOLTS. THE RESISTANCE OF THE LOOP ALSO DROPS +BELOW THE 2500 OHM LEVEL. + + Page 113 + + + + + The Official Phreaker's Manual + + + AS OF NOW, YOU ARE PROBABLY SAYING TO YOURSELF THAT THIS IS ALL NICE AND +TECHNICAL BUT WHAT THE HELL GOOD IS THE INFORMATION. WELL, ALSO CONSIDER THAT +THIS VOLTAGE (& RESISTANCE) DROP IS HOW THE CO DETECTS THAT A FONE WAS TAKEN +OFF HOOK (PICKED UP). IN THIS WAY, THEY KNOW WHEN TO START BILLING THE CALLING +NUMBER. NOW WHAT DO YOU SUPPOSE WOULD HAPPEN IF A DEVICE SUCH AS A RESISTOR OR +A ZENER DIODE WAS PLACED ON THE CALLED PARTIES LINE SO THAT THE VOLTAGE WOULD +DROP JUST ENOUGH TO ALLOW TALKING BUT NOT ENOUGH TO START BILLING? FIRST OFF, +THE CALLING PARTY WOULD NOT BE BILLED FOR THE CALL BUT CONVERSATION COULD BE +PURSUED. SECONDLY, THE CO EQUIPMENT WOULD THINK THAT THE FONE JUST KEPT ON +RINGING. THE TELCO CALLS THIS A "NO-NO" (TOLL FRAUD TO BE MORE SPECIFIC) WHILE +PHONE PHREAKS AFFECTIONATELY CALL THIS MUTE A BLACK BOX. + + THE FOLLOWING ARE INSTRUCTIONS ON HOW TO BUILD A SIMPLE BLACK BOX. OF +COURSE, ANYTHING THAT PREVENTS THE VOLTAGE FROM DROPPING WOULD WORK. +YOU ONE OR TWO PARTS: A SPST TOGGLE SWITCH AND A 10,000 OHM (10 K), 1/2 +WATT RESISTOR. ANY ELECTRONICS STORE SHOULD STOCK THESE PARTS. + + NOW, CUT 2 PIECES OF WIRE (ABOUT 6 INCHES LONG) AND ATTACH ONE END OF EACH +WIRE TO ONE OF THE TERMINALS ON THE SWITCH. NOW TURN YOUR K500 (STANDARD DESK +FONE) UPSIDE DOWN AND TAKE OFF THE COVER. LOCATE THE 2 SCREWS ON THE NETWORK +BOX LABELED >F< AND >RR<. WRAP THE RESISTOR BETWEEN THE 2 SCREWS MAKING SURE +THAT IT DOESN'T TOUCH ANY OTHER TERMINALS!. NOW CONNECT ONE WIRE FROM THE +SWITCH TO THE RR TERMINAL. FINALLY, ATTACH THE REMAINING WIRE TO THE GREEN WIRE +(DISCONNECT IT FROM ITS TERMINAL). NOW BRING THE SWITCH OUT THE REAR OF THE +FONE AND REPLACE THE COVER. + + PUT THE SWITCH IN A POSITION WHERE YOU RECEIVE A DIAL TONE. MARK THIS +POSITION NORMAL. MARK THE OTHER SIDE FREE. + + WHEN YOUR PHRIENDS CALL (AT A PREARRANGED TIME), QUICKLY LIFT & DROP THE +RECEIVER AS FAST A POSSIBLE. THIS WILL STOP THE RINGING (DO IT AGAIN IF IT +DOESN'T) WITH OUT STARTING THE BILLING. IT IS IMPORTANT THAT YOU DO IT QUICKLY +(LESS THAN ONE SECOND THEN PUT THE SWITCH IN THE FREE POSITION AND PICK UP THE +FONE. KEEP ALL CALL SHORT AND PREFERABLY UNDER 15 MINUTES. + +NOTE: IF ANYONE PICKS UP AN EXTENSION IN THE CALLED PARTIES HOUSE AND THAT +FONE IS NOT SET FOR FREE THEN BILLING WILL START. + +NOTE: AN OLD WAY OF SIGNALING A PHRIEND THAT YOU ARE ABOUT TO CALL IS +MAKING A COLLECT CALL TO A NON-EXISTENT PERSON IN THE HOUSE. SINCE YOUR FRIEND +WILL NOT ACCEPT THE CHARGES, HE WILL KNOW THAT YOU ARE ABOUT TO CALL AND THUS +PREPARE THE BLACK BOX (OR VISA VERSA). + +WARNING: THE TELCO CAN DETECT BLACK BOXES IF THEY SUSPECT ONE ON YOUR LINE. +THIS IS DONE DUE TO THE PRESENCE OF AC VOICE SIGNAL AT THE WRONG DC LEVEL! + +PICTORIAL DIAGRAM: (STANDARD ROTARY K500 FONE) +____________________________________________________________ + + _____________________________________ +| | +***BLUE WIRE**>>F< | +| * * | +**WHITE WIRE** * | +| * | +| RESISTOR | +| * | + + Page 114 + + + + + The Official Phreaker's Manual + +| * | +| >RR<*******SWITCH**** | +| * | +****GREEN WIRE********************** | +| | +|_____________________________________| + +NOTE: THE BLACK BOX WILL NOT WORK UNDER ESS OR OTHER SIMILAR DIGITAL +SWITCHES SINCE ESS DOES NOT CONNECT THE VOICE CIRCUITS UNTIL THE FONE IS PICKED +UP (& BILLING STARTS). INSTEAD, ESS USES AN "ARTIFICIAL" COMPUTER GENERATED +RING. + +RINGING: +____________________________________________________________ + + TO INFORM A SUBSCRIBER OF AN INCOMING CALL, THE TELCO SENDS 90 VOLTS (RMS) +OF AC CURRENT DOWN THE LINE (AT AROUND 15 TO 60 HZ) IN STANDARD FONES, THIS +CAUSES A METAL ARMATURE TO BE ATTRACTED ALTERNATELY BETWEEN TWO ELECTRO-MAGNETS +THUS STRIKING 2 BELLS. OF COURSE, THE STANDARD BELL (PATENTED IN 1878 BY TOM +A. WATSON) CAN BE REPLACED BY A MORE MODERN ELECTRONIC BELL OR SIGNALING +DEVICE. + + ALSO, YOU CAN HAVE LIGHTS AND OTHER SIMILAR DEVICES IN LIEU OF (OR IN +CONJUNCTION WITH) THE BELL. A SIMPLE NEON LIGHT (WITH ITS CORRESPONDING +RESISTOR) CAN SIMPLY BE CONNECTED BETWEEN THE RED & GREEN WIRES (USUALLY L1 & +L2 ON THE NETWORK BOX) SO THAT IT LIGHTS UP ON INCOMING CALLS. A REGULAR 60 +WATT LIGHT BULB CAN ALSO BE HOOKED UP USING A SIMPLE (120 VAC) RELAY. + +WARNING: 90 & 120 VAC CAN GIVE QUITE A SHOCK. EXERCISE EXTREME CAUTION IF +YOU WISH TO FURTHER PURSUE THESE TOPICS. + + ALSO INCLUDED IN THE RINGING CIRCUIT IS A CAPACITOR TO PREVENT THE DC +CURRENT FROM INTERFERING WITH THE BELL [A CAPACITOR WILL PASS AC CURRENT WHILE +IT WILL PREVENT DC CURRENT FROM FLOWING (BY STORING IT)]. + ANOTHER REASON THAT THE TELCO HATES BLACK BOXES IS BECAUSE RINGING USES +ALOT OF COMMON-CONTROL EQUIPMENT, IN THE CO, WHICH USE ALOT OF ELECTRICITY. +THUS THE RINGING GENERATORS ARE BEING TIED UP WHILE A FREE CALL IS BEING MADE. +USUALLY CALLS THAT ARE ALLOWED TO RING FOR A LONG PERIOD OF TIME MAY BE +CONSTRUED AS SUSPICIOUS. SOME OFFICES MAY BE SET UP TO DROP A TROUBLE CARD FOR +LONG PERIODS OF RINGING THEN A "NO-NO" DETECTION DEVICE MAY BE PLACED ON THE +LINE. + INCIDENTALLY, THE TERM "RING TRIP" REFERS TO THE CO PROCESS INVOLVED TO +STOP THE AC RINGING SIGNAL WHEN THE CALLING FONE GOES OFF HOOK. + +NOTE: IT IS SUGGESTED THAT YOU ACTUALLY DISSECT FONES TO HELP YOU BETTER +UNDERSTAND THEM. IT WILL ALSO HELP YOU TO BETTER UNDERSTAND THE CONCEPTS HERE +IF YOU ACTUALLY PROVE THEM TO YOURSELF. FOR EXAMPLE, ACTUALLY TAKE THE VOLTAGE +READINGS ON YOUR FONE LINE [ANY SIMPLE MULTI-TESTER (A MUST) WILL DO.] +PHREAKING IS AN INTERACTIVE PROCESS NOT A PASSIVE ONE! + +DIALING: +____________________________________________________________ + + ON A STANDARD FONE, THERE ARE TWO COMMON TYPES OF DIALING: PULSE & DTMF. +OF COURSE, SOME PEOPLE INSIST UPON BEING DIFFERENT AND DON'T USE THE DT THUS +LEAVING THEM WITH MF (MULTI FREQUENCY, AKA OPERATOR, BLUE BOX) TONES. THIS IS +ANOTHER "NO-NO" AND THE TELCO SECURITY GENTLEMEN HAVE A SPECIAL KNACK FOR +DEALING WITH SUCH "PHREAKS" ON THE NETWORK. + + Page 115 + + + + + The Official Phreaker's Manual + + WHEN YOU DIAL ROTARY, YOU ARE ACTUALLY RAPIDLY BREAKING & RECONNECTING +(MAKING) THE LOCAL LOOP ONCE FOR EVERY DIGIT DIALED. SINCE THE PHYSICAL +CONNECTION MUST BE BROKEN, YOU CANNOT DIAL IF ANOTHER EXTENSION (OF THAT #) IS +OFF-HOOK. NEITHER OF THE FONES WILL BE ABLE TO DIAL PULSE UNLESS THE OTHER +HANGS UP. + ANOTHER TERM OFTEN REFERRED TO IN TELEPHONE ELECTRONICS IS THE BREAK RATIO. +IN THE US, THERE ARE 10 PULSES PER SECOND (MAX). WHEN THE CIRCUIT IS OPENED IT +IS CALLED THE BREAK INTERVAL. WHEN IT IS CLOSED IT IS CALLED THE MAKE INTERVAL. +IN THE US, THERE IS A 60 MILLISECOND (MS) BREAK PERIOD AND A 40 MS MAKE PERIOD. +(60+40=100 MS = 1/10 MINUTE). THIS IS REFERRED TO AS A 60% BREAK INTERVAL. +SOME OF THE MORE SOPHISTICATED ELECTRONIC FONES CAN SWITCH BETWEEN A 60% & A +67% BREAK INTERVAL. THIS IS DUE TO THE FACT THAT MANY FOREIGN NATIONS USE A +67% BREAK INTERVAL. + HAVE YOU EVER BEEN IN AN OFFICE OR A SIMILAR FACILITY AND SAW A FONE +WAITING TO BE USED FOR A FREE CALL BUT SOME ASSHOLE PUT A LOCK ON IT TO PREVENT +OUTGOING CALLS? + WELL, DON'T FRET PHELLOW PHREAKS, YOU CAN SIMULATE PULSE DIALING BY RAPIDLY +DEPRESSING THE SWITCHOOK. (IF YOU DEPRESS IT FOR LONGER THAN A SECOND IT WILL +BE CONSTRUED AS A DISCONNECT.) BY RAPIDLY SWITCHOOKING YOU ARE CAUSING THE +LOCAL LOOP TO BE BROKEN & MADE SIMILAR TO ROTARY DIALING! THUS IF YOU CAN +MANAGE TO SWITCHOOK RAPIDLY 10 TIMES YOU CAN REACH AN OPERATOR TO PLACE ANY +CALL YOU WANT! THIS TAKES ALOT OF PRACTICE, THOUGH. YOU MIGHT WANT TO PRACTICE +ON YOUR OWN FONE DIALING A FRIEND'S # OR SOMETHING ELSE. INCIDENTALLY, THIS +METHOD WILL ALSO WORK WITH DTMF FONES SINCE ALL DTMF LINES CAN ALSO HANDLE +ROTARY. + ANOTHER PROBLEM WITH PULSE DIALING IS THAT IT PRODUCES HIGH-VOLTAGE SPIKES +THAT MAKE LOUD NOISES IN THE EARPIECE AND CAUSE THE BELL TO "TINKLE." IF YOU +NEVER NOTICED THIS THEN YOUR FONE HAS A SPECIAL "ANTI-TINKLE" & EARPIECE +SHORTING CIRCUIT (MOST DO). IF YOU HAVE EVER DISSECTED A ROTARY FONE (A MUST +FOR ANY SERIOUS PHREAK) YOU WOULD HAVE NOTICED THAT THERE ARE 2 SETS OF CONTACT +THAT OPEN AND CLOSE DURING PULSING (ON THE BACK OF THE ROTARY DIAL UNDER THE +PLASTIC COVER). ONE OF THESE ACTUALLY OPENS AND +CLOSES THE LOOP WHILE THE OTHER MUTES THE EARPIECE BY SHORTING IT OUT. THE +SECOND CONTACTS ALSO ACTIVATES A SPECIAL ANTI-TINKLE CIRCUIT THAT PUTS A 340 +OHM RESISTOR ACROSS THE RINGING CIRCUIT WHICH PREVENTS THE HIGH VOLTAGE SPIKES +FROM INTERFERING WITH THE BELL. + DUAL TONE MULTI FREQUENCY (DTMF) IS A MODERN DAY IMPROVEMENT ON PULSE +DIALING IN SEVERAL WAYS. FIRST OF ALL, IT IS MORE CONVENIENT FOR THE USER +SINCE IT IS FASTER AND CAN BE USED FOR SIGNALING AFTER THE CALL IS COMPLETED +(IE, SCC'S, COMPUTERS, ETC.). ALSO, IT IS MORE UPTO PAR WITH MODERN DAY +SWITCHING EQUIPMENT (SUCH AS ESS) SINCE PULSE DIALING WAS DESIGNED TO ACTUALLY +MOVE RELAYS BY THE NUMBER OF DIGITS DIALED (IN SXS OFFICES). + + EACH KEY ON A DTMF KEYPAD PRODUCES 2 FREQUENCIES SIMULTANEOUSLY (ONE FROM +THE HIGH GROUP AND ANOTHER FROM THE LOW GROUP). + + _______________________________________________ +LOW GROUP | | | | | + 697 HZ-| Q | ABC | DEF | | + | 1 | 2 | 3 | A | + |___________|___________|___________|___________| + | | | | | + 770 HZ-| GHI | JKL | MNO | | + | 1 | 2 | 3 | B | + |___________|___________|___________|___________| + | | | | | + 852 HZ-| PRS | TUV | WXY | | + | 1 | 2 | 3 | C | + + Page 116 + + + + + The Official Phreaker's Manual + + |___________|___________|___________|___________| + | | OPERATOR | | | + 941 HZ-| | Z | | | + | * | 0 | # | D | + |___________|___________|___________|___________| + | | | | + 1209 HZ 1336 HZ 1477 HZ 1633 HZ + HIGH GROUP + +A PORTABLE DTMF KEYPAD IS KNOWN AS A WHITE BOX. + + THE FOURTH COLUMN (1633 HZ) IS NOT NORMALLY FOUND ON REGULAR FONES BUT IT +DOES HAVE SEVERAL SPECIAL USES. FOR ONE, IT IS USED TO DESIGNATE THE PRIORITY +OF CALLS ON AUTOVON, THE MILITARY FONE NETWORK. THESE KEY ARE CALLED: FLASH, +IMMEDIATE, PRIORITY, & ROUTINE (WITH VARIATIONS) INSTEAD OF ABCD. SECONDLY, +THESE KEYS ARE USED FOR TESTING PURPOSES BY THE TELCO. IN SOME AREA YOU CAN +FIND LOOPS AS WELL AS OTHER NEAT TESTS (SEE PART II) ON THE 555-1212 DIRECTORY +ASSISTANCE EXCHANGE. FOR THIS, YOU WOULD CALL UP AN DA IN CERTAIN AREAS [THAT +HAVE AN AUTOMATIC CALL DISTRIBUTOR (ACD)] AND HOLD DOWN THE "D" KEY WHICH +SHOULD BLOW THE OPERATOR OFF. YOU WILL THEN HEAR A PULSING DIAL TONE WHICH +INDICATES THAT YOU ARE IN THE ACD INTERNAL TESTING MODE. YOU CAN GET ON ONE +SIDE OF A LOOP BY DIALING A 6. THE OTHER SIDE IS 7. SOME PHREAKS CLAIM THAT +IF THE PERSON ON SIDE 6 HANGS UP, OCCASIONALLY THE EQUIPMENT WILL SCREW UP AD +START DIRECTING DIRECTORY ASSISTANCE CALLS TO THE OTHER SIDE OF THE LOOP. +ANOTHER ALLEGED TEST IS CALLED REMOB WHICH ALLOWS YOU TO TAP INTO LINES BY +ENTERING A SPECIAL CODE FOLLOWED BY THE 7 DIGIT NUMBER YOU WANT TO MONITOR. +THEN THERE IS THE POSSIBILITY OF MASS CONFERENCING. + ACD'S ARE BECOME RARE THOUGH. YOU WILL PROBABLY HAVE TO MAKE SEVERAL +NPA-555- 1212 CALLS BEFORE YOU FIND ONE. + YOU CAN MODIFY REGULAR FONES QUITE READILY SO THAT THEY HAVE A SWITCH TO +CHANGE BETWEEN THE 3RD AND 4TH COLUMNS. THIS IS CALLED A SILVER BOX (AKA GREY +BOX) AD PLANS CAN BE FOUND IN TAP AS WELL AS ON MANY BBS'S. + +TRANSMITTER/RECEIVER: +____________________________________________________________ + + WHEN YOU TALK INTO THE TRANSMITTER, THE SOUND WAVES FROM YOUR VOICE CAUSE A +DIAPHRAGM TO VIBRATE AND PRESS AGAINST THE CARBON GRANULES (OR ANOTHER SIMILAR +SUBSTANCE). THIS CAUSES THE CARBON GRANULES TO COMPRESS AND CONTRACT THUS +CHANGING THE RESISTANCE OF THE DC CURRENT FLOWING THROUGH IT. THEREFORE, YOUR +AC VOICE SIGNAL IS SUPERIMPOSED OVER THE DC CURRENT OF THE LOCAL LOOP. THE +RECEIVER WORKS IN A SIMILAR FASHION WHERE THE SIMPLE TYPES UTILIZE A MAGNET, +ARMATURE, & DIAPHRAGM. + +HYBRID/INDUCTION COIL: +____________________________________________________________ + + AS YOU MAY HAVE NOTICED, THERE ARE TWO WIRES FOR THE RECEIVER AND TWO FOR +THE TRANSMITTER IN THE FONE, YET THE LOCAL LOOP CONSISTS OF 2 WIRES INSTEAD OF +4. THIS 4-WIRE TO 2-WIRE CONVERSION IS DONE INSIDE THE FONE BY A DEVICE KNOWN +AS AN INDUCTION COIL WHICH USES COUPLING TRANSFORMERS. + THE REASON 2 SIRES ARE USED ON THE LOCAL LOOPS ARE BECAUSE IT IS ALOT +CHEAPER FOR THE TELCO. ALTHOUGH, ALL OF THE INTER-OFFICE TRUNKS UTILIZE 4 +WIRES. THIS IS NECESSARY FOR FULL DUPLEX (IE, SIMULTANEOUS CONVERSATION ON +BOTH SIDES) AND FOR AMPLIFICATION DEVICES. THERE ARE SIMILAR DEVICES IN THE +CO'S, KNOWN AS A HYBRID, THAT COUPLE THE 4-WIRE TRUNKS TO THE 2-WIRE LOCAL +LOOPS AND VISA-VERSA. + + + Page 117 + + + + + The Official Phreaker's Manual + +MISCELLANEOUS: +____________________________________________________________ + + IN THE TELEPHONE, THERE IS ALSO A BALANCING NETWORK CONSISTING OF A FEW +CAPACITORS & RESISTORS WHICH PROVIDE SIDETONE. SIDETONE ALLOWS THE CALLER TO +HEAR HIS OWN VOLUME IN THE RECEIVER. HE CAN THEN ADJUST HIS VOICE ACCORDINGLY. +THIS PREVENTS PEOPLE FROM SHOUTING OR SPEAKING TOO SOFTLY WITHOUT NOTICING IT. + +HOLD: +____________________________________________________________ + + WHEN A TELEPHONE GOES OFF HOOK, THE RESISTANCE DROPS BELOW 2500 OHMS. AT +THIS POINT, THE TELCO WILL SEND A DIAL TONE. TO PUT SOMEONE ON HOLD YOU MUST +PUT A 1000 OHM RESISTOR (1 WATT) ACROSS THE TIP & RING BEFORE IT REACHES THE +SWITCHOOK. IN THIS WAY, WHEN THE FONE IS HUNG UP (FOR HOLD) THE RESISTANCE +REMAINS BELOW 2500 OHMS WHICH CAUSES THE CO TO BELIEVE THAT YOU ARE STILL +OFF-HOOK. YOU CAN BUILD A SIMPLE HOLD DEVICE USING THE FOLLOWING PICTORIAL +DIAGRAM: + +(RED) O_________________________ + [L1] | | | + | | | + 1000 OHM | \ + | | \ + RESISTOR RINGING | + | CIRCUIT | -SWITCH + | | | HOOK + / | | + / SPST SWITCH | \ + | | \ + | | | + | | | +(GREEN) O__|_____________|______| + [L2] +--> TO REST OF FONE + +CONCLUSION: +____________________________________________________________ + +NOTE: MANY OF THE ELECTRONICS COMPONENTS OF NORMAL FONES (K500) ARE +ENCLOSED IN THE NETWORK BOX (WHICH SHOULDN'T BE OPENED). + + I HAVE ASSUMED THAT THE READER HAS A BASIC KNOWLEDGE OF ELECTRONICS. ALSO, +I HAVE ASSUMED THAT YOU HAVE READ THE 4 PREVIOUS INSTALLMENTS OF THIS SERIES +(AND HOPEFULLY ENJOYED THEM). + + IN PART VI, WE WILL TAKE A LOOK AT FORTRESS FONES. + +SUGGESTED FURTHER READING: +____________________________________________________________ + +ELECTRONICS COURSES A-D, TAP, @ $.75 EACH. + +ELECTRONIC TELEPHONE PROJECTS, A.J. CARISTI, HOWARD SAMS BOOKS. + +EVERYTHING YOU ALWAYS WANTED TO KNOW ABOUT 1633 HZ TONES BUT WERE AFRAID TO +ASK, THE MAGICIAN, TAP, ISSUE #62. + + + Page 118 + + + + + The Official Phreaker's Manual + +FREE BELL PHONE CALLS, TAP, FACT SHEET #2, @ $.50. + +FREE GTE PHONE CALLS, TAP, FACT SHEET #3, @ $.50. + +HOW TO MODIFY YOUR BELL TOUCH TONE FONE TO HAVE 1633 CYCLE TONES, TAP, ISSUE +#63. + +MODIFYING YOUR PHONE FOR 1633 HZ (NEW ELECTRONIC KEYPADS), FRED STEINBECK, TAP, +ISSUE #84. + +NOTES ON THE NETWORK, AT&T. + +THE PHONE BOOK, J. EDGAR HYDE. + +REGULATING THE TELEPHONE COMPANY IN YOUR HOME, RAMAPART MAGAZINE, JUNE 1972. + +REMOBS, TAP #91 (NOT YET PUBLISHED AS OF THIS WRITING). + +UNDERSTANDING TELEPHONE ELECTRONICS, TEXAS INSTRUMENTS. + +& OTHER ASSORTED SOURCES... + +TAP: ROOM 603/147 W 42 ST./NEW YORK, NY 10036. PLEASE SPECIFY BY BACKISSUE +#'S (NOT ARTICLE NAMES). ALL BACK-ISSUES ARE $1 EACH. SUBSCRIPTIONS ARE +$10/YEAR (10 ISSUES). SAY THAT BIOC AGENT 003 SENT YOU. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 119 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART VI * + * * + ************************************************************ + +REVISED: 27-OCT-84 + +Preface: + + This article will focus primarily on the standard Western Electric +single-slot coin telephone (aka fortress fone) which can be divided into 3 +types: + +- Dial-Tone First (DTF) + +- Coin-First (CF): (ie, it wants your $ before you receive a dial tone) + +- Dial Post-Pay Service (PP): you pay after the party answers + +Depositing Coins (Slugs): +____________________________________________________________ + + Once you have deposited your slug into a fortress, it is subjected to a +gamut of tests. The first obstacle for a slug is the magnetic trap. This will +stop any light-weight magnetic slugs and coins. If it passes this, the slug is +then classified as a nickel, dime, or quarter. Each slug is then checked for +appropriate size and weight. If these tests are passed, it will then travel +through a nickel, dime, or quarter magnet as appropriate. These magnets set up +an eddy current effect which causes coins of the appropriate characteristics to +slow down so they will follow the correct trajectory. If all goes well, the +coin will follow the correct path (such as bouncing off of the nickel anvil) +where it will hopefully fall into the narrow accepted coin channel. + The rather elaborate tests that are performed as the coin travels down the +coin chute will stop most slugs and other undesirable coins, such as pennies, +which must then be retrieved using the coin release lever. + If the slug miraculously survives the gamut, it will then strike the +appropriate totalizer arm causing a ratchet wheel to rotate once for every +5-cent increment (eg, a quarter will cause it to rotate 5 times). + The totalizer then causes the coin signal oscillator to readout a +dual-frequency signal indicating the value deposited to ACTS (a computer) or +the TSPS operator. These are the same tones used by phreaks in the infamous red +boxes. + For a quarter, 5 beep tones are outpulsed at 12-17 pulses per second (PPS). +A dime causes 2 beep tones at 5 - 8.5 PPS while a nickel causes one beep tone +at 5 - 8.5 PPS. A beep consists of 2 tones: 2200 + 1700 Hz. + A relay in the fortress called the "B relay" (yes, there is also an 'A +relay') places a capacitor across the speech circuit during totalizer read-out +to prevent the "customer" from hearing the red box tones. + In older 3 slot phones: one bell (1050-1100 Hz) for a nickel, two bells +for a dime, and one gong (800 Hz) for a quarter are used instead of the modern +dual-frequency tones. + +TSPS & ACTS +____________________________________________________________ + + Page 120 + + + + + The Official Phreaker's Manual + + + While fortresses are connected to the CO of the area, all transactions are +handled via the Traffic Service Position System (TSPS). In areas that do not +have ACTS, all calls that require operator assistance, such as calling card and +collect, are automatically routed to a TSPS operator position. + In an effort to automate fortress service, a computer system known as +Automated Coin Toll Service (ACTS) has been implemented in many areas. ACTS +listens to the red box signals from the fones and takes appropriate action. It +is ACTS which says, "Two dollars please (pause) Please deposit two dollars for +the next ten seconds" (and other variations). Also, if you talk for more than +three minutes and then hang-up, ACTS will call back and demand your money. +ACTS is also responsible for Automated Calling Card Service. + ACTS also provide trouble diagnosis for craftspeople (repairmen +specializing in fortresses). For example, there is a coin test which is great +for tuning up red boxes. In many areas this test can be activated by dialing +09591230 at a fortress (thanks to Karl Marx for this information). Once +activated it will request that you deposit various coins. It will then identify +the coin and outpulse the appropriate red box signal. The coins are usually +returned when you hang up. + To make sure that there is actually money in the fone, the CO initiates a +"ground test" at various times to determine if a coin is actually in the fone. +This is why you must deposit at least a nickel in order to use a red box! + +Green Boxes: +____________________________________________________________ + + Paying the initial rate in order to use a red box (on certain fortresses) +left a sour taste in many red boxer's mouths thus the GREEN BOX was invented. +The green box generates useful tones such as COIN COLLECT, COIN RETURN, and +RINGBACK. These are the tones that ACTS or the TSPS operator would send to the +CO when appropriate. Unfortunately, the green box cannot be used at a fortress +station but it must be used by the CALLED party. + +Here are the tones: + +COIN COLLECT 700 + 1100 Hz +COIN RETURN 1100 + 1700 Hz +RINGBACK 700 + 1700 Hz + + Before the called party sends any of these tones, an operator released +signal should be sent to alert the MF detectors at the CO. This can be +accomplished by sending 900 + 1500 Hz or a single 2600 Hz wink (90 ms) followed +by a 60 ms gap and then the appropriate signal for at least 900 ms. + Also, do not forget that the initial rate is collected shortly before the 3 +minute period is up. + Incidentally, once the above MF tones for collecting and returning coins +reach the CO, they are converted into an appropriate DC pulse (-130 volts for +return & +130 volts for collect). This pulse is then sent down the tip to the +fortress. This causes the coin relay to either return or collect the coins. + The alleged "T-Network" takes advantage of this information. When a pulse +for COIN COLLECT (+130 VDC) is sent down the line, it must be grounded +somewhere. This is usually either the yellow or black wire. Thus, if the wires +are exposed, these wires can be cut to prevent the pulse from being grounded. +When the three minute initial period is almost up, make sure that the black & +yellow wires are severed; then hang up, wait about 15 seconds in case of a +second pulse, reconnect the wires, pick up the fone, hang up again, and if all +goes well it should be "JACKPOT" time. + + + Page 121 + + + + + The Official Phreaker's Manual + +Physical Attack: +____________________________________________________________ + + A typical fortress weighs roughly 50 lbs. with an empty coin box. Most of +this is accounted for in the armor plating. Why all the security? Well, Bell +contributes it to the following: + + "Social changes during the 1960's made the multislot coin station a +prime target for: vandalism, strong arm robbery, fraud, and theft of service. +This brought about the introduction of the more rugged single slot coin station +and a new environment for coin service." + +As for picking the lock, I will quote Mr. Phelps: + + "We often fantasize about 'picking the lock' or 'getting a master +key.' Well, you can forget about it. I don't like to discourage people, but it +will save you from wasting alot of your time--time which can be put to better +use (heh, heh)." + + As for physical attack, the coin plate is secured on all four side by +hardened steel bolts which pass through two slots each. These bolts are in +turn interlocked by the main lock. + One phreak I know did manage to take one of the 'mothers' home (which was +attached to a piece of plywood at a construction site; otherwise, the permanent +ones are a bitch to detach from the wall!). It took him almost ten hours to +open the coin box using a power drill, sledge hammers, and crow bars (which was +empty -- perhaps next time, he will deposit a coin first to hear if it slushes +down nicely or hits the empty bottom with a clunk.) + Taking the fone offers a higher margin of success. Although this may be +difficult often requiring brute force and there has been several cases of back +axles being lost trying to take down a fone! A quick and dirty way to open the +coin box is by using a shotgun. In Detroit, after ecologists cleaned out a +municipal pond, they found 168 coin phones rifled. + In colder areas, such as Canada, some shrewd people tape up the fones using +duct tape, pour in water, and come back the next day when the water will have +froze thus expanding and cracking the fone open.In one case: + + "unauthorized coin collectors" where caught when they brought $6,000 in +change to a bank and the bank became suspicious... + + At any rate, the main lock is an eight level tumbler located on the right +side of the coin box. This lock has 390,625 possible positions (5 ^ 8, since +there are 8 tumblers each with 5 possible positions) thus it is highly pick +resistant! The lock is held in place by 4 screws. If there is sufficient +clearance to the right of the fone, it is conceivable to punch out the screws +using the drilling pattern below (provided by Alexander Mundy in TAP) + + + + + + + + + + + + + + Page 122 + + + + + The Official Phreaker's Manual + + Chapter 5 + + What is covered in these last few articles, is the essence of phreaking, +blue boxing & equal access. These last articles, I hope will be the final +stage of phreak education for now. Basic telecommunications 7 is a brief intro +to the art of blue boxing, while Better Homes & Blue Boxing will cover it in +full. Equal access will be an interesting switch, it is installed in my area +already and I have been investigating it. One thought is to call MCI operators +and box through them, over MCI lines... + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 123 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART VII * + * * + ************************************************************ + +Preface: + + After most neophyte phreaks overcome their fascination with Metro codes and +WATS extenders, they will usually seek to explore other avenues in the vast +phone network. Often they will come across references such as "simply dial KP ++ 2130801050 + ST for the Alliance teleconferencing system in LA.". Numbers +such as the one above were intended to be used with a blue box; this article +will explain the fundamental principles of the fine art of blue boxing. + +Genesis: +____________________________________________________________ + + In the beginning, all long distance calls were connected manually by +operators who passed on the called number verbally to other operators in +series. This is because pulse (aka rotary) digits are created by causing +breaks in the DC current (see Basic Telcom V). Since long distance calls +require routing through various switching equipment and AC voice amplifiers, +pulse dialing cannot be used to send the destination number to the end local +office (CO). + + Eventually, the demand for faster and more efficient long distance (LD) +service caused Bell to make a multi-billion dollar decision. They had to create +a signaling system that could be used on the LD Network. Basically, they had +two options: + +[1] To send all the signaling and supervisory information (ie, ON & OFF +HOOK) over separate data links. This type of signaling is referred to as +out-of-band signaling. + -or- +[2] To send all the signaling information along with the conversation +using tones to represent digits. This type of signaling is referred to as +in-band signaling. + + Being the cheap bastard that they naturally are, Bell chose the latter (and +cheaper) method -- IN-BAND signaling. They eventually regretted this, though +(heh, heh)... + +IN-BAND SIGNALING PRINCIPLES: +____________________________________________________________ + + When a subscriber dials a telephone number, whether in rotary or touch-tone +(aka DTMF), the equipment in the CO interprets the digits and looks for a +convenient trunk line to send the call on its way. In the case of a local +call, it will probably be sent via an inter-office trunk; otherwise, it will be +sent to a toll office (class 4 or higher -- see Telcom IV) to be processed. + + When trunks are not being used there is a 2600 Hz tone on the line; thus, +to find a free trunk, the CO equipment simply checks for the presence of 2600 +Hz. If it doesn't find a free trunk the customer will receive a re-order signal + + Page 124 + + + + + The Official Phreaker's Manual + +(120 IPM busy signal) or the "all circuits are busy..." message. If it does +find a free trunk it "seizes" it -- removing the 2600 Hz. It then sends the +called number or a special routing code to the other end or toll office. + + The tones it uses to send this information are called multi-frequency (MF) +tones. An MF tone consists of two tones from a set of six master tones which +are combined to produce 12 separate tones. You can sometimes hear these tones +in the background when you make a call but they are usually filtered out so +your delicate ears cannot hear them. These are NOT the same as touch-tones. + + To notify the equipment at the far end of the trunk that it is about to +receive routing information, the originating end first sends a Key Pulse (KP) +tone. At the end of sending the digits, #he originating end then sends a STart +(ST) tone. Thus to call 914-359-1517, the equipment would send KP + 9143591517 ++ ST in MF tones. When the customer hangs up, 2600 Hz is once again sent to +signify a disconnect to the distant end. + +History: +____________________________________________________________ + + In the November 1960 issue of The Bell System Technical Journal, an article +entitled "Signaling Systems for Control of Telephone Switching" was published. +This journal, which was sent to most university libraries, happened to contain +the actual MF tones used in signaling. They appeared as follows: + +Digit Tones +----- ----- + 1 700 + 900 Hz + 2 700 + 1100 Hz + 3 900 + 1100 Hz + 4 700 + 1300 Hz + 5 900 + 1300 Hz + 6 1100 + 1300 Hz + 7 700 + 1500 Hz + 8 900 + 1500 Hz + 9 1100 + 1500 Hz + 0 1300 + 1500 Hz + KP 1100 + 1700 Hz + ST 1500 + 1700 Hz + 11 (*) 700 + 1700 Hz + 12 (*) 900 + 1700 Hz + KP2 (*) 1300 + 1700 Hz + +(*) Used only on CCITT SYSTEM 5 for special international calling. + + Bell caught wind of blue boxing in 1961 when it caught a Washington state +college student using one. They originally found out about blue boxes through +police raids and informants. In 1964, Bell Labs came up with scanning +equipment, which recorded all suspicious calls, to detect blue box usage. +These units were installed in CO's where major toll fraud existed. AT&T +Security would then listen to the tapes to see if any toll fraud was actually +committed. Over 200 convictions resulted from the project. Surprisingly +enough, blue boxing is not solely limited to the electronics enthusiast; AT&T +has caught businessmen, film stars, doctors, lawyers, college students, high +school students and even a millionaire financier (Bernard Cornfeld) using the +device. AT&T also said that nearly half of those that they catch are +businessmen. + + + Page 125 + + + + + The Official Phreaker's Manual + + Of course, phone phreaks have achieved an almost cult status. They have +also had their fair share of media. In October 1971, Esquire published the +infamous "Secrets of the Little Blue Box" article which featured phreaks such +as Captain Crunch, who took his name from the cereal which one gave away +whistles that produced a perfect 2600 Hz pitch; Joe Engressia, the blind +phreak; and Mark Bernay, one of the nation's first and oldest phreaks. Others +such as Apple computer co-founders Steve Wozniak & Steve Jobs have also had +blue box backgrounds. 1971 also saw the publication of the first issue of YIPL, +the phone phreak newsletter, (now TAP) under the editorship of supreme yippie +Abbie Hoffman. + +Usage: +____________________________________________________________ + + To use a blue box, one would usually make a free call to any 800 number or +distant directory assistance (NPA-555-1212). This, of course, is legitimate. +When the call is answered, one would then swiftly press the button that would +send 2600 Hz down the line. This has the effect of making the distant CO +equipment think that the call was terminated and it leaves the trunk hanging. +Now, the user has about 10 seconds to enter in the telephone number he wished +to dial -- in MF, that is. The CO equipment merely assumes that this came from +another office and it will happily process the call. Since there are no records +(except on toll fraud detection devices!) of these MF tones, the user is not +billed for the call. When the user hangs up, the CO equipment simply records +that he hung up on a free call. + +Detection: +____________________________________________________________ + + Bell has had 20 years to work on detection devices; therefore, in this day +and age, they are rather well refined. Basically, the detection device will +look for the presence of 2600 Hz where it does not belong. It then records the +calling number and all activity after the 2600 Hz. If you happen to be at a +fortress fone, though, and you make the call short, your chances of getting +caught are significantly reduced (see Telcom VI). Incidentally, there have been +rumors of certain test numbers (see Telcom II) that hook directly into trunks +thus avoiding the need for 2600 Hz and detection! + + Another way that Bell catches boxers is to examine the CAMA (Centralized +Automatic Message Accounting) tapes. When you make a call, your number, the +called number, and time of day are all recorded. The same thing happens when +you hang up. This tape is then processed for billing purposes. Normally, all +free calls are ignored. But Bell can program the billing equipment to make note +of lengthy calls to directory assistance. They can then put a pen register +(aka DNR) on the line or an actual full-blown tap. This detection can be +avoided by making short-haul (aka local) calls to box off of. + + It is interesting to note that NPA+555-1212 originally did not return +answer supervision. Thus the calls were not recorded on the AMA/CAMA tapes. +AT&T changed this though for "traffic studies!" + +CCIS: +____________________________________________________________ + + Besides detection devices, Bell has begun to gradually redesign the network +using out-of-band signaling. This is known as Common Channel Inter-office +Signaling (CCIS). Since this signaling method sends all the signaling +information over separate data lines, blue boxing is impossible under it. + + Page 126 + + + + + The Official Phreaker's Manual + + + While being implemented gradually, this multi-billion dollar project is +still strangling the fine art of blue boxing. Of course until the project is +totally complete, boxing will still be possible. It will become progressively +harder to find places to box off of, though. In areas with CCIS, one must find +a directory assistance office that doesn't have CCIS yet. Area codes in Canada +and predominately rural states are the best bets. WATS numbers terminating in +non-CCIS cities are also good prospects. + +Pink Noise: +____________________________________________________________ + + Another way that may help to avoid detection is too add some "pink noise" +to the 2600 Hz tone. Since 2600 Hz tones can be simulated in speech, the +detection equipment must be careful not to misinterpret speech as a disconnect +signal. Thus a virtually pure 2600 Hz tone is required for disconnect. + + Keeping this in mind, the 2600 Hz detection equipment is also probably +looking for pure 2600 Hz or else is would be triggered every time someone hit +that note (highest E on a piano =2637 Hz). This is also the reason that the +2600 Hz tone must be sent rapidly; sometimes, it won't work when the operator +is saying "Hello, hello." It is feasible to send some "pink noise" along with +the 2600 Hz. Most of this energy should be above 3000 Hz. The pink noise +won't make it into the toll network (where we want our pure 2600 Hz to hit) but +it should make it past the local CO and thus the fraud detectors. + +Construction: +____________________________________________________________ + + While step-by-step details for the construction of a blue box is beyond the +scope of this tutorial, it is worthwhile to mention some of the details. + + First there are some alternatives but they are not as good as an actual +blue box. Many computers are capable of generating MF tones. Thus, your local +phriendly software pirate should have a program compatible for your computer. + + However, it is highly advisable not to box from home as stated in The Ten +Commandments (as interpreted for phreaks by Fred Steinbeck -- TAP #86). + +I. Box thou not over thine home telephone wires, for those who doest must +surely bring the full wrath of the Chief Special Agent down upon thy heads. + + Another alternative that has a moderate success rate involves recording the +tones from a phriend with a box or computer onto a cassette tape. They can +then be used at a fortress. + + As for actual construction techniques, TAP has devoted many issues to blue +boxing. Basically, a blue box is merely a device capable of generating two +different tones simultaneously. There are two basic construction methods that I +will outline below for the electronics hobbyist. + + The first involves the use of two 555 timer chips (or a 556 -- i.e., two +555's in one chip). It offers excellent frequency and voltage stability. +Also, it does not need a diode matrix keypad but used double-pole switches +instead. Schematics for this type of box can be found in TAP issue #29. + + The other common box makes use of two Intersil 8038CC Function Generators. +It does require a diode matrix keypad though, potentiometers, an LM-100 voltage + + Page 127 + + + + + The Official Phreaker's Manual + +regulator, a 741 Op-amp, and a handful of other parts. The schematics for this +type of blue box can be found in TAP #26. Both designs draw about 20 ma of +current. + + Also, most blue boxes use telephone earpieces (with the varistor removed) +for speakers. These can be easily liberated from fortress fones with a small +coping saw. + + Usually, the hardest part about building a blue box is the calibration. A +frequency counter is a must and an oscilloscope won't hurt. + + Some boxes also take timing into account. It is feasible on the ESS +systems that they check to see if the digits are of uniform length. If they +aren't, they are probably from a blue box and a trouble card may be dropped. +With this in mind, the Bell standard for MF pulses and interdigit intervals is +around 75 ms. It varies with the equipment used since ESS can handle higher +speeds and doesn't need interdigit intervals. + +Applications: +____________________________________________________________ + + Besides dialing normal calls free, i.e., KP+NPA+NNX+XXXX+ST, blue boxes +offer the entire network for exploration. Emergency break-ins, service +monitoring (aka taps), stacking tandems (the art of busying out all trunks +between two points), re-routing calls, conference calls, and much, much more +are all feasible. Although, Bell frequently changes these codes due to +phreaks. Here are some standard ones, though: + +Operator & Other Codes: +____________________________________________________________ + + (an optional NPA may proceed all of the numbers; otherwise, you will reach +the one local for the area where the call is originated) + +001 -- Trunk Access System +009 -- Rate Quote System +101 -- toll office test board +121 -- INWARD Operator + + This operator assists the local "0" operator in completing calls. (S)he +will do virtually anything for you providing it is within her NPA. + +131 -- Operator Directory assistance +141 -- Rout & Rate +141 defunct -- use KP + 800 + 141 +1212 + ST) + + These operators are very useful if you know how to mumble a few cryptic +phrases as compiled below (with thanks to Fred Steinbeck): To find out.....Area +Codes + + For example say , "Miami, Florida, numbers route, please." The R&R +operator will tell you "305 plus," meaning that 305 plus the seven digit number +will get you Miami. + +... Inward Operator City Codes + + Usually, the INWARD operator for an area is simply KP + NPA + 121 + +ST. In some area codes, though, there are several large cities and thus + + Page 128 + + + + + The Official Phreaker's Manual + +several inwards. To find the inward for a specific city, you would say "916 +756, operator route, please" to the R&R operator who will then tell you "916 +plus 001 plus." This means that KP+ 916 + 001 + 121 + ST will get you an +inward for Sacramento, CA (916-756). + +... City names + + If you want to know the city that corresponds to an area code and +exchange, you simply tell the R&R, "Place name, 914 390, please." In this +example, the R&R operator will respond with "White Plains, NY." + +... International Directory Assistance + + If you need a directory route for London, you could say +"International, London, England. TSPS directory route, please." The R&R +operator will respond with "Directory to London, England. Country code 44 plus +1 plus 986 plus 3611." Therefore to get a DA operator in London, you would +route yourself to an international sender and KP + 04419863611 + ST. + +... Country & City codes + + If you need to know the country and city code for an international +number you can say "International, Sydney, Australia, TSPS numbers route, +please" and get "Country code 61 plus 2." + +... International Inwards Routes + + To get routing codes for international inwards say "International, +London, England, TSPS inward route, please." The R&R Operator will respond with +"Country code 44 plus 121." + + Finally, to get language assistance for completing a foreign call you can +tell the foreign inward, "United States calling. Language assistance in +completing a call to (called party) at (called number)." + +151 -- Overseas incoming (212 +& 914+) +160-XX0 -- Various Overseas Operators +161 -- Trouble reporting operator (defunct) +181 -- Coin Refund Operator +18X -- Overseas senders + + To make an international call, one would KP + 011 + 0CC + ST where CC is +the country code. This will route you to the appropriate overseas sender. You +will then receive a 480 Hz dial tone. Here you enter KP + 0CC + city code + +local number + ST and the call is on its way. + + Country codes can be either 1, 2, or 3 digits but they must be padded for +three digits to create a pseudo-country code with extra zero's if necessary. +For example, England, country code 44, becomes 044. + + To see which international sender a certain country (lets use French +Guiana, country code 594, for example) goes through, you can dial KP + 011 + +594 + ST, wait for the Proceed to Send tone then KP + 000 + 0000 + ST and you +will receive a recording saying which ISC (International Switching Center) it +is. For the example it will say, "This is the international switching center +in Pittsburg, PA -- This is a recording - 4121." You can actually route calls +to certain senders yourself (KP + NPA + 18X + ST) but it is better off not to +since it may look suspicious if a call is sent through a sender that it + + Page 129 + + + + + The Official Phreaker's Manual + +shouldn't go through. Here are the senders: + +182 -- White Plains, NY +183 -- New York, NY +184 -- Pittsburg, PA +185 -- Orlando, FL +186 -- Oakland, CA +187 -- Denver, CO +188 -- New York, NY + + Also, there tends to be alot of talk about the Code 11, Code 12, KP2, STP, +ST3P, & ST2P keys. While they do exist the blue boxer need not concern himself +with them. The first three are used on CCITT System 5. This is the signaling +system that the International Senders use to send information to other +countries. These codes are usually added automatically just like the language +assistance digit [which distinguishes operator (or blue box) dialed calls from +customer dialed calls]. The STP, ST3P, & ST2P tones are used when equipment is +communicating with the TSPS. These also are automatically added when needed in +most cases. + +[see Telcom III for more on International Switching Centers (ISC)] + +11XXX -- miscellaneous operators +11501 -- universal cordboard operator +11511 -- conference operator +11521 -- mobile operator +11531 -- marine operator +11541 -- LD incoming switchboard +11551 -- leave word for time & charges (neat stuff) +11561 -- same as 11551 but for hotel/motels +11571 -- overseas operators (language assistance) + + The 11XXX series is interesting scanning material. + +Miscellaneous Routing Codes : +____________________________________________________________ + + Alliance Teleconferencing has several numbers, a few of which are listed +below: + +KP + 213 080 XXXX + ST +KP + 305 025 XXXX + ST +KP + 312 001 XXXX + ST +XXXX = 1050, 1100, or a few others + + Also, at KP + 317 009 + ST there is a MF tone checker. After the +beep-kerclunk, dial in KP + 999 1234567 890 + ST and it will repeat the digits +that you pulsed if they are of the right frequency. + +Tandem Scanning: +____________________________________________________________ + + To find all sorts of interesting things, you must look. Begin scanning +three digit codes in your area (i.e., KP + 000 + ST, KP + 001 + ST, etc.). Keep +track of all of your results. Sometimes you must probe things, send additional +digits and see what happens, send touch-tone, send it 2600 Hz, rip it apart. +You never know, you may run into something phun, like a computer that checks CC +numbers. + + Page 130 + + + + + The Official Phreaker's Manual + + + Incidentally, in some exchange you can dial inwards and other box codes +directly! For example, 914-121-1111 will get you a NY inward. The only problem +is that a 0 or 1 as the first digit of the exchange is usually *prohibited in +customer dialing. Somebody may have "accidentally" changed this screening code +on your ESS's computer, though -- you never know and it can't hurt to try. +WATS translation numbers also take up some of the 0XX & 1XX codes. + + Finally, certain tones on the blue box can also be used for other purposes. +An MF "2" corresponds to COIN COLLECT while "KP" corresponds to COIN RETURN. +Thus every blue box is also a green box (see Telcom VI). + +Coming soon: + +Telcom VIII will deal with cordless phones, mobile phones, and other neat +things. + +Be careful and have phun, + +*****BIOC +*=$=*Agent +*****003 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 131 + + + + + The Official Phreaker's Manual + +The Mark Tabas encounter series presents: + + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + Better Homes and Blue Boxing + + Part I + + Theory of Operation + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + To quote Karl Marx, blue boxing has always been the most noble form of +phreaking. As opposed to such things as using an MCI code to make a free fone +call, which is merely mindless pseudo-phreaking, blue boxing is actual +interaction with the Bell System toll network. It is likewise advisable to be +more cautious when blue boxing, but the careful phreak will not be caught, +regardless of what type of switching system he is under. + + In this part, I will explain how and why blue boxing works, as well as where. +In later parts, I will give more practical information for blue boxing and +routing information. + + To begin with, blue boxing is simply communicating with trunks. Trunks must +not be confused with subscriber lines (or "customer loops") which are standard +telefone lines. Trunks are those lines that connect central offices. Now, when +trunks are not in use (i.e., idle or "on-hook" state) they have 2600Hz applied +to them. If they are two-way trunks, there is 2600Hz in both directions. When a +trunk IS in use (busy or "off-hook" state"), the 2600Hz is removed from the +side that is off-hook. The 2600Hz is therefore known as a supervisory signal, +because it indicates the status of a trunk; on hook (tone) or off-hook (no +tone). Note also that 2600Hz denoted SF (single frequency) signalling and is +"in-band." This is very important. "In-band" means that is is within the band +of frequencies that may be transmitted over normal telefone lines. Other SF +signals, such as 3700Hz are used also. However, they cannot be carried over the +telefone network normally (they are "out-of-band") and are therefore not able +to be taken advantage of as 2600Hz is. + + Back to trunks. Let's take a hypothetical phone call. You pick up your fone +and dial 1+806-258-1234 (your good friend in Armarillo, Texas). For ease, we'll +assume that you are on #5 Crossbar switching and not in the 806 area. Your +central office (CO) would recognize that 806 is a foreign NPA, so it would +route the call to the toll centre that serves you. [For the sake of accuracy +here, and for the more experienced readers, note that the CO in question is a +class 5 with LAMA that uses out-of-band SF supervisory signalling]. Depending +on where you are in the country, the call would leave your toll centre (on more +trunks) to another toll centre, or office of higher "rank". Then it would be +routed to central office 806-258 eventually and the call would be completed. +Illustration: + +A---CO1-------TC1------TC2----CO2----B + +A=you +CO1=your central office +TC1=your toll office. +TC2=toll office in Amarillo. +CO2=806-258 central office. +B=your friend (806-258-1234) + + In this situation it would be realistic to say that CO2 uses SF in-band + + Page 132 + + + + + The Official Phreaker's Manual + +(2600Hz) signalling, while all the others use out-of-band signalling (3700Hz). +If you don't understand this, don't worry too much. I am pointing this out +merely for the sake of accuracy. The point is that while you are connected to +806-258-1234, all those trunks from YOUR central office (CO1) to the 806-258 +central office (CO2) do *NOT* have 2600Hz on them, indicating to the Bell +equipment that a call is in progress and the trunks are in use. + + Now let's say you're tired of talking to your friend in Amarillo +(806-258-1234) so you send a 2600Hz down the line. This tone travels down the +line to your friend's central office (CO2) where it is detected. However, that +CO thinks that the 2600Hz is originating from Bell equipment, indicating to it +that you've hung up, and thus the trunks are once again idle (with 2600Hz +present on them). But actually, you have not hung up, you have fooled the +equipment at your friend's CO into thinking you have. Thus,it disconnects him +and resets the equipment to prepare for the next call. All this happens very +quickly (300-800ms for step-by-step equipment and 150-400ms for other +equipment). + + When you stop sending 2600Hz (after about a second), the equipment thinks +that another call is coming towards it (e.g. it thinks the far end has come +"off-hook" since the tone has stopped. It could be thought of as a toggle +switch: tone --> on hook, no tone -->off hook. Now that you've stopped sending +2600Hz, several things happen: + +1) A trunk is seized. + +2) A "wink" is sent to the CALLING end from the CALLED end indicating that the +CALLED end (trunk) is not ready to receive digits yet. + +3) A register is found and attached to the CALLED end of the trunk within about +two seconds (max). + +4) A start-dial signal is sent to the CALLING end from the CALLED end +indicating that the CALLED end is ready to receive digits. + +Now, all of this is pretty much transparent to the blue boxer. All he really +hears when these four things happen is a . So, seizure of a +trunk would go something like this: + +1> Send a 2600Hz +2> Terminate 2600Hz after 1-2 secs. +3> [beep][kerchunk] + + Once this happens, you are connected to a tandem that is ready to obey your +every command. The next step is to send signalling information in order to +place your call. For this you must simulate the signalling used by operators +and automatic toll-dialing equipment for use on trunks. There are mainly two +systems, DP and MF. However, DP went out with the dinosaur , so I'll only +discuss MF signalling. MF (multi-frequency) signalling is the signalling used +by the majority of the inter- and intra-lata network. It is also used in +international dialing known as the CCITT no.5 system. + + MF signalling consists of 7 frequencies, beginning with 700Hz and separated +by 200Hz. A different set of two of the 7 frequencies represent the digits 0 +thru 9, plus an additional 5 special keys. The frequencies and uses are as +follows: + +Frequencies (Hz) Domestic Int'l + + Page 133 + + + + + The Official Phreaker's Manual + +-------------------------------------- + 700+900 1 1 + 700+1100 2 2 + 900+1100 3 3 + 700+1300 4 4 + 900+1300 5 5 +1100+1300 6 6 + 700+1500 7 7 + 900+1500 8 8 +1100+1500 9 9 +1300+1500 0 0 + 700+1700 ST3p Code 11 + 900+1700 STp Code 12 +1100+1700 KP KP1 +1300+1700 ST2p KP2 +1500+1700 ST ST + + The timing of all the MF signals is a nominal 60ms, except for KP, which +should have a duration of 100ms. There should also be a 60ms silent period +between digits. This is very flexible, however, and most Bell equipment will +accept outrageous timings. + + In addition to the standard uses listed above, MF pulsing also has expanded +usages known as "expanded inband signalling" that include such things as coin +collect, coin return, ringback, operator attached, and operator released. KP2, +code 11, and code 12 and the ST_ps (STart "primes") all have special uses which +will be mentioned only briefly here. + + To complete a call using a blue box, once seizure of a trunk has been +accomplished by sending 2600Hz and pausing for the , one must +first send a KP. This readies the register for the digits that follow. For a +standard domestic call, the KP would be followed by either 7 digits (if the +call were in the same NPA as the seized trunk) or 10 digits (if the call were +not in the same NPA as the seized trunk). [Exactly like dialing a normal fone +call]. Following either the KP and 7 or 10 digits, a STart is sent to signify +that no more digits follow. Example of a complete call: + +1> Dial 1-806-258-1234 +2> wait for a call-progress indication (such as ring, busy, recording, etc.) +3> Send 2600Hz for about 1 second. +4> Wait for about 2 seconds while a trunk is seized. +5> Send KP+305+994+9966+ST + + The call will then connect if every-thing was done properly. Note that if a +call to an 806 number were being placed in the same situation, the area code +would be omitted and only KP+ seven digits+ST would be sent. + + Code 11 and code 12 are used in international calling to request certain +types of operators. KP2 is used in international calling to route a call other +than by way of the normal route, whether for economic or equipment reasons. + + STp, ST2p, and ST3p (prime, two prime, and three prime) are used in TSPS +signalling to indicate calling type of call (such as coin-direct dialed). + + This has been Part I of Better Homes and Blue Boxing. I hope you enjoyed and +learned from it. If you have any questions, comments, threats or insults, +please fell free to drop me a line. If you have noticed any errors in this text +(yes, it does happen), please let me know and perhaps a correction will be in + + Page 134 + + + + + The Official Phreaker's Manual + +order. Part II will deal mainly with more advanced principles of blue boxing, +as well as routings and operators. + + Note 1: other highly trunkable areas include: 816,305,813,609,205. I +personally have excellent luck boxing off of 609-953-0000. Try that if you have +any trouble. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 135 + + + + + The Official Phreaker's Manual + + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + Better Homes and Blue Boxing + + Part II + + Practical Applications + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +(It is assumed that the reader has read and understood Part I of this series). + + The essential purpose of blue boxing in the beginning was merely to receive +toll services free of charge. Though this can still be done, blue boxing has +essentially outlived its usefulness in this area. Modern day "extenders" and +long distance services provide a safer and easier way to make free fone calls. +However, you can do things with a blue box that just can't be done with +anything else. For ordinary toll-fraud, a blue box is impractical for the +following reasons: + +1. Clumsy equipment required (blue box or equivalent) +2. Most boxed calls must be made through an extender. Not for safety reasons, +but for reasons I'll explain later. +3. Connections are often sacrificed because considerable distances must be +dialed to cross a seizable trunk, in addition to awkward routing. + + As stated in reason #2, boxed calls are usually made through an extender. +This is for billing reasons. If you recall from Part i, 2600Hz is used as a +"supervisory" signal. That is, it signals the status of a trunk--"on-hook" or +"off-hook." When you seize a trunk (by briefly sending 2600Hz), your end (the +CALLING end) goes on hook for the duration of the 2600Hz and then goes off-hook +once again when the 2600Hz is terminated. The CALLED end recognizes that a +call is on the way and attaches a register, which interprets the digits which +are to be sent. Now, understand that even though your end has come off-hook (no +2600Hz present), the other end is still on-hook. You may wonder then, why, if +the other end (the CALLED end) is still on-hook, there is no 2600Hz coming the +other way on the trunk, when there should be. This is correct. 2600Hz *IS* +present on the trunk when you seize it and afterwards, but you cannot hear it +because of a Band Elimination Filter (BEF) at your central office. + + Back to the problem. Remember that when you seize a trunk, 2600Hz is indeed +coming the other way on the trunk because the CALLED end is still on-hook, but +you don't actually hear it because of a filter. However, the Bell equipment +knows it's there (they can "hear" it). The presence of the 2600Hz is telling +the billing equipment that your call has not yet been completed (i.e., the +CALLED end is still on-hook). When finally you do connect with your boxed call, +the 2600Hz from the called end terminates. This tells the billing equipment +that someone picked up the fone at the CALLED end and you should begin to be +billed. So you do start to get billed, but for the call to the trunk, NOT the +boxed call. Your billing equipment thinks that you've connected with the number +you used to seize the trunk. Illustration: + +1. You call 1+806-258-2222 (directly) +2. Status of trunks: + +<-----------------------------------> +(You) 806-258-2222 +No 2600Hz-------> <------------2600Hz + + When you seize a trunk (before the number you called answers) there is no + + Page 136 + + + + + The Official Phreaker's Manual + +affect on your billing equipment. It simply thinks that you're still waiting +for the call to complete (the CALLED end is still on-hook; it is ringing, busy, +going to recorder or intercept operator. + + Now, let's say that you've seized a trunk (806-258-2222) and for example, +KP+314+949+1705+ST. The call is routed from the tandem you seized to: +314-949-1705. Illustration: + +<------------------>O<---------------> +(You) 806 314-949 + tandem +No 2600Hz----------> <----------2600Hz + + Note that the entire path towards the right (the CALLED end) has no 2600Hz +present and is therefore "off-hook." The entire path towards the left (the +CALLING end) does have 2600Hz present on it, indicating that the CALLED end has +not picked up (or come "off-hook"). When 314-949-1705 answers, "answer +supervision" is given and the 2600Hz towards the left (the CALLING end) +terminates. This tells your billing equipment, which thinks that you're still +waiting to be connected with 806-258-2222, that you've finally connected. +Billing then begins to 806-258-2222. Not exactly an auspicious beginning for an +aspiring young phone phreak. + + To avoid this, several actions may be taken. As previously mentioned, one may +avoid being charged for the number called to seize a trunk by using an extender +(in which case the extender will get billed). In some areas, boxing may be +accomplished using an 800 number, generally in the format of 800-858-xxxx (many +Amarillo numbers) or 800-NN2-xxxx (special intra-state class in-WATS numbers). +However, boxing off of 800 numbers is impossible in many areas. In my area, +Denver, I am served by #1A ESS and it is impossible for me to box off of any +800 number. + + Years ago, in the early days of blue boxing (before my time), phreaks often +used directory assistance to box off of because they were "free" long distance +calls. However, because of competitive long distance companies, directory +assistance surcharges are now $0.50 in many areas. It is additionally advised +that directory assistance numbers not be used to box from because of the +following: + + Average DA calls last under 2 minutes. When you box a call, chances are that +it will last considerably longer. Thus, the Bell billing equipment will make a +note of calls to directory assistance that last a long time. A call to a +directory assistant lasting for 4 hours and 17 minutes may appear somewhat +suspicious. + + Although the date, time, and length of a DA call do not appear on the bill, +it is recorded on AMA tape and will trip a trouble report if it were to last +too long. This is how most phreaks were discovered in the old days. Also, +sometimes too many calls lasting too long to one 800 number may raise a few +eyebrows at the local security office. + + Assuming you can complete a blue box call, the following are listed routings +for various Bell internal operators. These are in the format of KP+NPA+ +special routing+1X1+ST, which I will explain later. The 1X1 is the actual +operator routing, and NPA and NPA+ special routing are used for out-of-area +code calls and out-of-area code calls requiring special routing, respectively. + +KP+101+ST ...... Toll test board. + + Page 137 + + + + + The Official Phreaker's Manual + +KP+121+ST ...... Inward Operator. +KP+131+ST ...... Directory assistance. +KP+141+ST ...... was rate & route. Now only works in 312, 815, 717, and a few +others. It has been replaced with a universal rate & route number +800+141+1212. +KP+151+ST ...... Overseas completion operator (inbound). Works only in certain +NPAs, such as 303. +KP+181+ST ...... In some areas, toll station for small towns. + + Thus, if you seize a trunk in 806 NPA and wanted an inward (in 806), then you +would dial KP+121+ST. If you wanted a 312 inward and were dialing on an 806 +trunk, an area code would be required. Thus, you would dial KP+312+121+ST. +Finally, some places in the network require special routing, in addition to an +area code. An example is Franklin Park, Ill. It requires a special routing of +032. For this, you would dial KP+312+032+121+ST for a Franklin Park inward +operator. + + Special routings are in the format of 0XX. They are used primarily for load +balance, so that traffic flow may be evenly distributed. About half of the +exchanges in the network require special routing. Note that special routings +are NEVER EVER EVER used to dial normal telephone numbers, only operators. + + Operator functions: + +TOLL TEST BOARD- Generally a cordboard position that assists in trunk testing. +They are not used by operators, only switchmen. + +INWARD- Assists the normal TSPS (0+) operator in completing calls out of the +TSPS's area. Also, inwards perform emergency interrupts when the number to be +interrupted is out of the area code of the original (TSPS) operator. For +example, a 303 operator has a customer that needs an emergency interrupt on +215-647-6969. The 303 operator gets the routing for the inward that covers +215-647, since she cannot do the interrupt herself. The routing is found to be +only 215+ (no special routing required). So, the 303 operator keys +KP+215+121+ST. An inward answers and the 303 says to her, "Inward, this is +Denver. I need an emergency interrupt on 215-647-6969. My customer's name is +Mark Tabas." The inward will then do the interrupt (off the line, of course). +If the number to be interrupted had required special routing, such as, say, +312-456-1234 (spec routing 032), then the 303 operator would dial +KP+312+032+121+ST for the inward to do that interrupt. + +DIRECTORY ASSISTANCE- These are the normal NPA+555+1212 operators that assist +customers with obtaining telefone directory listings. Not much toll-fraud +potential here, except maybe $0.50. + +RATE AND ROUTE- These operators are reached by dialing KP+800+141+1212+ST. +They assist normal (TSPS) operators with rates and routings (thus the name). +The only uses I typically have for them are the following: + + 1. Routing- + Information- In the above example, when the 303 operator needed to dial +an inward that served 215-647, she needed to know if any special routing was +required and, if so, what it was. Assuming she would use rate and route, she +would dial them and say nicely, "Operator's route, please, for 215-647." Rate & +route would respond with "215 plus." This means that the operator would dial +KP+215+121+ST to reach the inward that serves 215-647. If there were special +routing required, such as in 312-456, rate & route would respond with "312 plus +032 plus." In that case, the operator would dial KP+312+032+ST for the inward + + Page 138 + + + + + The Official Phreaker's Manual + +that serves 312-456. + + It is good practice to ask for "operator's route" specifically, as there are +also "numbers route" and "directory routes." If you do not specifically ask for +operator's route, rate & route will generally assume that is what you want +anyway. + +"Numbers" route refers to overseas calls. Example, you want to know how to +reach a number in Geneva, Switzerland (and you already have the number). You +would call routing and say "Numbers route, please, Geneva, Switzerland." The +operator would respond with: "Mark 41+22. 011+041+ST (plus) 041+22" The "Mark +41+22" has to do with billing, so disregard it. The 011+041 is access to the +overseas gateway (to be discussed in Part iii) and the 041+ 22+ is the routing +for Geneva from the overseas sender. + +"Directory" routings are for directory assistance overseas. Example: you want a +DA in Rome, Italy. You would call rate & route and say, "Directory routing +please, for Rome, Italy." They would respond with "011+039+ST (plus) 039+1108 +STart." As in the previous example, the 011+039 is access to the overseas +gateway. The 039+1108 is a directory assistant in Rome. + + 2. Nameplace information- Rate & Route will give you the location of an NPA+ +exchange. Example: "Nameplace please, for 215-648." The operator would respond +with "Paoli, Pennsylvania." This isn't especially useful, since you can get the +same information (legally) by dialing 0, but using rate & route is often much +faster and it avoids having to hang up when you are already on a trunk. + +*NOTE* On Rate & Route: As a blue boxer, always ask for "IOTC" routings. +(e.g., "IOTC operator's route", "IOTC numbers route", etc.) This tells them +that you want cordboard-type routings, not TSPS, because a blue boxer is +actually just a cordboard position (that Bell doesn't know about). + +OVERSEAS COMPLETION +OPERATOR (inbound)- These operators (KP+151+ST) assist in the completion of +calls coming in to the United States from overseas. There are KP+151+ST +operators only in a few NPAs in the country (namely 303). To use one, you would +seize a trunk and dial KP+303+151+ST. Then you would tell the operator, for +example, "This is Bangladesh calling. I need U.S. number 215-561-0562 please." +[in a broken Indian accent]. She would connect you, and the bill would be sent +to Bangladesh (where I've been billing my KP+151+ST calls for two years). + +Other internal Bell Operators. + +KP+11501+ST ...... universal operator +KP+11511+ST ...... conference op +KP+11521+ST ...... mobile op +KP+11531+ST ...... marine op +KP+11541+ST ...... long distance terminal +KP+11551+ST ...... time & charges op +KP+11561+ST ...... hotel/motel op +KP+11571+ST ...... overseas (outbound) op + + These 115X1 operators are identical in routing to the 1X1 operators listed +previously, with one exception. If special routing is required (0XX), then the +trailing 1 is left off. + +Examples: + + + Page 139 + + + + + The Official Phreaker's Manual + +A 312 universal op ... KP+312+11501+ST +A Franklin Park (312-456) universal op (special routing 032 required)........ +KP+312+032+1150+ST [The trailing 1 of 11501 is left off]. + +Purposes of 115X1 operators. + +UNIVERSAL- Used for collect/callback calls to coin stations. + +CONFERENCE- This is a cordboard conference operator who will set up a +conference for a customer on a manual operation basis. + +MOBILE- Assists in completion of calls to mobile (IMTS) type telefones. + +MARINE- Assists in completion of calls to ocean going vessels. + +LONG DISTANCE TERMINAL- Now obsolete.Was used for completion of long distance +calls. + +TIME & CHARGES- Will give exact costs of calls. Used to time calls and inform +customer of exactly how much it cost. + +HOTEL/MOTEL- Handles calls to/from hotels and motels. + +OVERSEAS +COMPLETION (outbound)- assists in completion of calls to overseas points. Only +works in some, if any NPAs, because overseas assistance has been centralized to +IOCC (covered in Part III). + + Note that all KP+1X1+ST and KP+115X1+ST operators automatically assume that +you are a TSPS or cordboard operator assisting a customer with a call. DO NOT +DO ANYTHING TO JEOPARDIZE THIS! If you do not know what to do, don't call these +operators! Find out what to do first. + + This concludes Part II. There is one final part in which I will explain +overseas dialing, IOCC (International Overseas Completion Centre), RQS +(Rate/Quote System), and some basic scanning. + + + + + + + + + + + + + + + + + + + + + + + + Page 140 + + + + + The Official Phreaker's Manual + + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + Better Homes and Blue Boxing + + Part III + + Advanced Signalling +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +(It is assumed that the reader has read and understood parts i & ii before +proceeding to this part). + + In Parts I & II, I covered basic theory and domestic signalling and +operators. In this part I will explain overseas direct boxing, the IOCC, the +RQS, and some basic scanning methods. + +Overseas Direct Boxing. + + Calling outside of the United States and Canada is accomplished by using an +"overseas gateway." There are 7 over-seas gateways in the Bell System, and each +one is designated to serve a certain region of the world. To initiate an +overseas call, one must first access the gateway that the call is to be sent +on. To do this automatically, decide which country you are calling and find its +country code. Then, pad it to the left with zeros as required so it is three +digits. [Add 1, 2, or 3 zeros as required]. + +Examples: + +Luxembourg (352) is 352 (stays the same) +Spain (34) becomes 034 (1 zero added) +U.S.S.R. (7) becomes 007 (2 zeros added) + + Next, seize a trunk and dial KP+011+ CC+ST. Note that CC is the three digit +padded country code that you just determined by the above method. [For +Luxembourg, dial KP+011+352+ST, Spain KP+011+034+ST, and the U.S.S.R. KP+011+ +007+ST]. This is done to route you to the appropriate overseas gateway that +handles the country you are dialing. Even though every gateway will allow you +to dial every dialable country, it is good practice to use the gateway that is +designated for the country you are calling. + + After dialing KP+011+CC+ST (as CC is defined above) you should be connected +to an overseas gateway. It will acknowledge by sending a wink (which is audible +as a and a dial tone. Once you receive international dial +tone, you may route your call one of two ways: a) as an operator-originated +call, or b) as a customer-originated call. To go as a operator-originated call, +key KP+ country code (NOT padded with zeros)+ city code+number+ST. You will +then be connected, providing the country you are calling can receive +direct-dialed calls. The U.S.S.R. is an example of a country that cannot. + +Example of a boxed int'l call: + +To make a call to the Pope (Rome, Italy), first obtain the country code, which +is 39. Pad it with zeros so that it is 039. Seize a trunk and dial +KP+011+039+ST. Wait for sender dial tone and then dial KP+39+6+6982+ST. 39 is +the country code, 6 is the city code, and 6982 is the Pope's number in Rome. To +go as an operator-originated call, simply place a zero in front of the country +code when dialing on the gateway. Thus, KP+0+39+6+6982+ST would be dialed at +sender dial tone. Routing your call as operator-originated does not affect much +unless you are dialing an operator in a foreign country + + Page 141 + + + + + The Official Phreaker's Manual + + + To dial an operator in a foreign country, you must first obtain the operator +routing from rate & route for that country. Dial rate & route and if you're +trying to get an operator in Yugoslavia, say nicely, "IOTC Operator's route, +please, for Yugoslavia." [In larger countries it may be necessary to specify a +city]. Rate & route will respond with, "38 plus 11029". So, dial your overseas +gateway, KP+011+038+ST, wait for sender dial tone, and key KP+0+38+11029+ST. +You should then get an operator in Yugoslavia. Note that you must prefix the +country code on the sender with a 0 because presumably only an operator here +can dial an operator in a foreign country. + + When you dial KP+011+CC+ST for an overseas gateway, it is translated to a +3-digit sender code of the format 18X, depending on which sender is designated +to handle the country you are dialing. The overseas gateways and their 3-digit +codes are listed below. + +182 ..... White Plains, NY +183 ..... New York, NY +184 ..... Pittsburg, PA +185 ..... Orlando, FL +186 ..... Oakland, CA +187 ..... Denver, CO +188 ..... New York, NY + + Dialing KP+182+ST would get you the sender in White Plains, and KP+183+ST +would get the sender in NYC, etc., but the KP+011+CC+ST is highly suggested (as +previously mentioned). To find out what sender you were routed to after dialing +KP+011+CC+ST, dial (at int'l dial tone): KP+0000000+ST. + + If you have difficulty in reaching a sender, call rate and route and ask for +a numbers route for the country you're dialing. Sometimes, KP+011+ padded +country code+ST will not work. I have found this in many 3-digit country +codes. Luxembourg, country code 352, for example, should be KP+011+352+ST +theoretically. But it is not. In this case, dial KP+011+ 003+ST for the +overseas gateway. If you have trouble, try dialing KP+00+ first digit of +country code+ST, or call rate The IOCC. + + Sometimes when you call rate and route and ask for an "IOTC numbers route" or +"IOTC operators route" for a foreign country, you will get something like +"160+700" (as in the case of the Soviet Union). This means that the country is +not dialable directly and must be handled through the International Overseas +Completion Centre (IOCC). For an IOCC routing, pad the country code to the +RIGHT with zeros until it is 3 digits. Then KP+160 is dialed, plus the padded +country code, plus ST. Examples: + +The U.S.S.R. (7) ...... KP+160+700+ST +Japan (81) ............ KP+160+810+ST +Uraguay (598) ......... KP+160+598+ST + + You will then be routed to the IOCC in Pittsburg, PA, who will ask for +country, city, and number being dialed. Many times they will ask for a +ringback [thanks to Telenet Bob] so have a loop ready. They will then place the +call and call you back (or sometimes put you through directly). Some calls, +such as to Moscow, take several hours. + +The Rate Quote System (RQS). + + The RQS is the operator's rate/quote system. It is a computer used by TSPS + + Page 142 + + + + + The Official Phreaker's Manual + +(0+) operators to get rate and route information without having to dial the +rate and route operator. In Part ii, I discussed getting an inward routing for +dialing-assistance and emergency interrupts from the rate and route operators +(KP+800+141+1212+ST). The same information is available from RQS. Say you want +the inward routing for 305-994. You would seize a trunk and dial KP+009+ST (to +access the RQS). Sometimes, if you seize a trunk in an NPA not equipped with +RQS, you need to dial an NPA that is equipped with RQS first, such as 303. +Anyway, after you dial KP+009+ST or KP+303+009+ST, you will receive a wink +() and then RQS dial tone. At RQS dial tone, for an inward +routing for 305-994 you would dial KP+06+305+994+ST. That is, +KP+06+NPA+exchange+ST. RQS will respond with "305 plus 033 plus". This means +you would dial KP+305+033+121+ST for an inward that services 305-994. If no +special routing were required, RQS would have responded with "305 plus" and you +would simply dial: KP+305+121+ST for an inward. + + Another RQS feature is the echo feature. You can use it to test your blue +box. Dial RQS (KP+009+ST) and then key KP+07+1234567890+ST. RQS will respond +with voice identification of the digits it recognized, between the KP+07 and +ST. + + RQS can also be used for rates and directory routings, but those are seldom +needed, so they have been omitted here. + +Simple Scanning. + + If you're interested in scanning, try dialing on a trunk, routings in the +format of KP+11XX1+ST. Begin with 11001 and scan to 11991. There are lots of +interesting things to be found there, as Doctor Who (413 area) can tell you. +Those 11XX1 routings can also be prefixed with an NPA, so if you want to scan +area code 212, dial KP+212+ 11XX1+ST. + + There, now you know as much about blue boxing as most phreaks. If you read +and understand the material, and put aside preconceived ideas of what blue +boxing is that you may have acquired from inexperienced people or other +bulletin boards, you should be well on you way to an enlightening career in +blue boxing. If you follow the guidelines in Part I to box, you should have no +problem with the fone company. Comments made by "phreaks" on bulletin boards +that proclaim "tracing" of blue boxers are nonsense and should be ignored +(except for a passing chuckle). + +NOTE 1: CCIS and the downfall of blue boxing. + +CCIS stands for Common Channel Inter-office Signalling. It is a signalling +method used between electronic switching systems that eminiates the use of +2600Hz and 3700Hz supervisory signals, and MF pulsing. This is why many places +cannot be boxed off of; they employ CCIS, or out-of-band signalling, which will +not respond to any tones that you generate on the line. Eventually, all +existing toll equipment will be upgraded or replaced with CCIS or T-carrier. In +this case, we'll all be boxing with microwave dishes. Until then (about 1995 by +current BOC/AT&T estimates), have fun! + +If you have ANY questions about this text, please feel free to drop me a line. +I will respond to all mail, messages, etc. Insults are also welcomed. And if +you discover anything interesting scanning, be sure to let me know. + +Mark Tabas +$LOD$ + + + Page 143 + + + + + The Official Phreaker's Manual + +This text was prepared in full by Mark Tabas for: + +K.A.O.S. +Philadelphia, PA. +[215-465-3593]. + +Any sysop may freely download this text and use it on his/her BBS, provided +that none of it be altered in any way. + +Technical acknowledgements: + +Karl Marx, X-Man, High-Rise Joe, Telenet Bob, Lex Luthor, TUC, John Doe, Doctor +Who (413 area), The Tone Sweep, Mr. Silicon, K00L KAT, The Glump. + +References: + +1. Notes on the BOC Intra-LATA Networks Bell System publication, 1983. +2. Notes on the Network Bell System publication, 1983. +3. Engineering and Operations in the Bell System Bell System publication, +198³— +4. Notes on Distance Dialing Bell System publication, 1968. +5. Early Medieval Architecture. +....................................... +(c) February 6, 1900 Mark Tabas +....................................... + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 144 + + + + + The Official Phreaker's Manual + + BY FRED STEINBECK (TAP #88) + + IT SEEMS THAT FEWER AND FEWER PEOPLE HAVE BLUE BOXES THESE DAYS, AND +THAT IS REALLY TOO BAD. BLUE BOXES, WHILE NOT ALL THAT GREAT FOR MAKING FREE +CALLS (SINCE THE TPC CAN TELL WHEN THE CALL WAS MADE, AS WELL AS WHERE IT WAS +TOO AND FROM), ARE REALLY A LOT OF FUN TO PLAY WITH. SHORT OF BECOMING A REAL +LIVE TSPS OPERATOR, THEY ARE ABOUT THE ONLY WAY YOU CAN REALLY PLAY WITH THE +NETWORK. + FOR THE FEW OF YOU WITH BLUE BOXES, HERE ARE SOME PHRASES WHICH MAY +MAKE LIFE EASIER WHEN DEALING WITH THE RATE & ROUTE (R&R) OPERATORS. TO GET +THE R&R OP, YOU SEND A KP + 141 + ST. IN SOME AREAS YOU MAY NEED TO PUT +ANOTHER NPA BEFORE THE 141 (I.E., KP + 213 + 141 + ST), IF YOU HAVE NO LOCAL +R&R OPS. + THE R&R OPERATOR HAS A MYRIAD OF INFORMATION, AND ALL IT TAKES TO GET +THIS DATA IS MUMBLING CRYPTIC PHRASES. THERE ARE BASICALLY FOUR SPECIAL +PHRASES TO GIVE THE R&R OPS. THEY ARE NUMBERS ROUTE, DIRECTORY ROUTE, OPERATOR +ROUTE, AND PLACE NAME. + YOU GET AN R&R AN AREA CODE FOR A CITY, ONE CAN CALL THE R&R OPERATOR +AND ASK FOR THE NUMBERS ROUTE. FOR EXAMPLE, TO FIND THE AREA CODE FOR CARSON +CITY, NEVADA, WE'D ASK THE R&R OP FOR "CARSON CITY, NEVADA, NUMBERS ROUTE, +PLEASE." AND GET THE ANSWER, "RIGHT... 702 PLUS." MEANING THAT 702 PLUS 7 +DIGITS GETS US THERE. + SOMETIMES DIRECTORY ASSISTANCE ISN'T JUST NPA + 131. THE WAY TO GET +THESE ROUTINGS IS TO CALL R&R AND ASK FOR "ANAHEIM, CALIFORNIA, DIRECTORY +ROUTE, PLEASE." OF COURSE, SHE'D TELL US IT WAS 714 PLUS, WHICH MEANS 714 + 131 +GETS US THE D.A. OP THERE. THIS IS SORT OF POINTLESS EXAMPLE, BUT I COULDN'T +COME UP WITH A BETTER ONE ON SHORT NOTICE. + LET'S SAY YOU WANTED TO FIND OUT HOW TO GET TO THE INWARD OPERATOR FOR +SACRAMENTO, CALIFORNIA. THE FIRST SIX DIGITS OF A NUMBER IN THAT CITY WILL BE +REQUIRED (THE NPA AND AN NXX). FOR EXAMPLE, LET US USEM 916 756. WE WOULD CALL +R&R, AND WHEN THE OPERATOR ANSWERED, SAY, "916 756, OPERATOR ROUTE, PLEASE." +THE OPERATOR WOULD SAY, "916 PLUS 001 PLUS." THIS MEANS THAT 916 + 001 + 121 +WILL GET YOU THE INWARD OPERATOR FOR SACRAMENTO. + DO YOU KNOW THE CITY WHICH CORRESPONDS TO 503-640? THE R&R OPERATOR +DOES, AND WILL TELL YOU THAT IT IS HILLSBORO, OREGON, IF YOU SWEETLY ASK FOR +"PLACE NAME, 503 640, PLEASE." + FOR EXAMPLE, LET'S SAY YOU NEED THE DIRECTORY ROUTE FOR SVEG, SWEDEN. +SIMPLY CALL R&R, AND ASK FOR, "INTERNATIONAL, BADEN, SWITZERLAND. TSPS +DIRECTORY ROUTE, PLEASE." IN RESPONSE TO THIS, YOU'D GET, "RIGHT... DIRECTORY +TO SVEG, SWEDEN. COUNTRY CODE 46 PLUS 1170." SO YOU'D ROUTE YOURSELF TO AN +INTERNATIONAL SENDER, AND SEND 46 + 1170 TO GET THE D.A. OPERATOR IN SWEDEN. + INWARD OPERATOR ROUTINGS TO VARIOUS COUNTRIES ARE OBTAINED THE SAME WAY +"INTERNATIONAL, LONDON, ENGLAND, TSPS INWARD ROUTE, PLEASE." AND GET "COUNTRY +CODE 44 PLUS 121." THEREFORE, 44 PLUS 121 GETS YOU INWARD FOR LONDON. + INWARDS CAN GET YOU LANGUAGE ASSISTANCE IF YOU DON'T SPEAK THE +LANGUAGE. TELL THE FOREIGN INWARD, "UNITED STATES CALLING. LANGUAGE ASSISTANCE +IN COMPLETING A CALL TO (CALLED PARTY) AT (CALLED NUMBER)." + R&R OPERATORS ARE PEOPLE ARE PEOPLE TOO, Y'KNOW. SO ALWAYS BE POLITE, +MAKE SURE USE OF 'EM, AND DIAL WITH CARE. + +NOTE: AS A RESULT OF THE BREAK-UP, R&R IS NOW KP+800+141+1212+ST + + + + + + + + + Page 145 + + + + + The Official Phreaker's Manual + + Verification + By Fred Steinbeck + +From TAP issue # 88 10-83 + + There has been a great deal of controversy in the realm of phreakdom over a +mysterious subject known under a number of different names, including +"Verification", "Autoverification", "Verify", "Autoverify", "Verify Busy", and +even "VFY BY". All of these names basically mean the same thing: the ability +to listen to another person's telephone line from any telephone in the +direct-dialable world. + Needless to say, Bell System is very tight lipped about knowledge regarding +verification. Indeed, the infamous book 'Notes on long distance dialing' ('68 +edition) says, "Care must be taken to insure that the customer never gains +verification capabilities." With a printed policy like that, you can imagine +what their real-world policy is like! Even their own rate and route operators +will not give verification on routing codes (at least in my experience), one +even responding, "What?! You must be crazy! We don't give those out!" Before +you get too far into this article, I will state simply: I don't know how to +verify. However, I have been fooling with various things related to it, and +collecting information on it for some time now. Therefore, while I can't do it +(yet), I may be able to point some other bright TAPer on the right track, and +perhaps he or she will show us all how. If you have knowledge not covered in +this article, but don't want to write an article on your own, please send your +ideas, comments, or information to Project Verify, C/O TAP Verify has also +been called "Autoverify", and I have no idea why. This is not, to my +knowledge, a Bell System term (at least I've never seen it in any manuals) As +far as I know, there is verify, which means being able to listen to speech +(kind of; see below) on a line, and there is the "Emergency Interrupt which +allows you to take part in the conversation taking place on the line in +question. It has been suggested that "Autoverify" is the same as an emergency +interrupt , but I tend to disagree with this idea. It should be noted that the +verification circuitry does not actually let an operator listen to a +conversation without making a beep on the line every so often. Instead, she +will hear encrypted speech. However, I believe with the proper methods, verify +can be converted to an emergency interrupt. + Verification is normally done either by your normal "0" (TSPS) operator, if +the call is in your home NPA (HNPA), or by an inward operator (IO). If the +call is outside your HNPA, your normal operator will call the IO for the +NPA,and say, "Verify Busy" or "Emergency Interrupt" please, 555 1212." The IO +will perform whatever magic he or she must, and then report back. If the call +is in your HNPA, though, the "0" operator can do the verification herself by +using the "VFY BY" key on her keyshelf. However, in some areas, the operator +uses a routing code to accomplish verification, and this the is loop hole we +shall attack. + It follows that if a IO or "0" operator can do it, so can we, with a blue box +Now, courtesy of Robert Allen (who brought it to my attention) and Susan +Thunder (who apparently discovered it), here is what used to work for getting +operators to hook you into conversations with other people (i.e.,let you listen +to them till you hung up): You'd call the operator and say "Operator, TSPS +Maintenance Engineer Calling. Ring forward to 001 + NPA + 7d, ring back to my +number, hit ring forward, no AMA, and then position release. + This creates some problems, and you must be familiar with the TSPS +console(by dialing "0"), you are on the "back", or incoming part of a loop. +When she places a call for you, the call goes out on the "forward", or outgoing +part of the loop. If an operator wants to make a call, she punches KP FWD +(keypulse forward), the number, and ST. Ring FWD puts a 90 volt ringing signal +across the forward part of the line (and may dial the number as well). The + + Page 146 + + + + + The Official Phreaker's Manual + +problem arises from the fact that I don't know if Ring FWD will actually dial a +call, and if there is some other subtle difference between it an KP FWD. + Let us assume ringing forward makes a call from the TSPS console to whatever +number is given. Ring back causes your phone to ring (it is assumed you hung +up after giving her your instructions; if you didn't you'd hear an annoying 90 +volts across the earpiece...) "No AMA" means "no automatic message accounting", +so nobody gets billed for the call, although it will show up on a tape +somewhere. "Position Release" removes the operator from the circuit, and +allows her to receive other calls. This leaves an unaccounted-for ring +forward. + The verification circuit, as you know, likes to encrypt conversation, which +is something we don't want. Well, the second Ring FWD sends another 90 volts +crashing against the verify circuitry, which Juda Gerad thinks removes the +voice encryption from the line, puts the operator (and you) in circuit, and +puts a beep tone on the line every five seconds. This seems to make sense, and +I am inclined to agree with him. + The bit about "....001 + NPA + 7D" causes the thought "MF routing code" to +spring immediately to mind. Now, the above trick was supposed to work in the +213 NPA. I have tried both "KP+001+213+7D+ST", and some other area codes. I +generally get nothing, a reorder signal, or a tandem recording. + Here's some food for thought: On an official Telco sheet I have, labeled " +213 NPA MF Routing Codes", 001 is listed as "VFY BY", or verify busy for the +213 NPA. 002 is listed for the 805 NPA. Ma Bell likes to have standardized +routing codes, such logical, then, that 001 would be a sort of "standard" +verify code, and other prefixes would be tacked on at 002,003, etc. However, I +have heard from a retired operator that verification codes are different from +area to area, and are not always nice numbers like 001, 002. Ah, well, a guy +can hope, can't he? + Some suggestions for future attacks on this dilemma: Everyone call your +operators and subtly ask questions. I have found the tend to give information +out easier if you ask for something that you would ordinarily have to be a +company employee to know about, such as rate steps, operator routings, etc. + Casually let slip that you used to be (or still are) an operator, or that +you work for company security. Also, you might want to blue box some codes +like 001 followed by your NPA and the last 7D of a busy number. If you get a +sort of "whispery noise", try blasting the line with a ringing signal (you +might piggyback another line onto yours and call the piggyback to generate the +90 volts) and see if that does anything. + + + + + + + + + + + + + + + + + + + + + + Page 147 + + + + + The Official Phreaker's Manual + + =================================== + EQUAL ACCESS AND THE AMERICAN DREAM + =================================== + + +by + +Mark Tabas +P.O. Box 620401 +Littleton, CO 80162 + +July 7, 1985 + + + + The American Dream means many things to many people. To the small, typical +businessman, it means building a good, strong business based on hard work and +perseverance; indeed, with nothing limiting his potential but he amount of work +he is willing to put into his business. To a large businessman, the American +Dream means living and working in a country where a single corporation can have +a profit exceeding the gross national product of an entire third world nation. + To the individual, the American Dream is the right to choose -- everything +from one's breakfast cereal to a long-distance service, as well as the formal +right outlined by our founding fathers: those of life, liberty, and the pursuit +of happiness. + To the phone phreak, I think the American Dream is, in a sort of twisted way, +the uninhibited pursuit of knowledge. This quest could scarcely remain +unchecked in many other countries. Analogous to this quest is the thriving of +the Bell System, which until January 1, 1984 consisted of the American +Telephone and Telegraph Company, the largest corporation in the history of the +world. Did the American Dream die on January first or did the divestiture of +AT&T cause a giant step forward for competition and free enterprise in the +United States? I do not know. I do know that the other nations of the world +were amazed that the United States would dissolve the entity that brought the +finest and most universal telephone system in the world, and did so at a time +when the majority of the rest of the world was still using two dixie cups and a +string. + The unfairness of the situation is that AT&T built the telephone system of +this nation and is now being bound and gagged and having its possessions +distributed to others, whom AT&T also wrought. All in the name of fairness, +free competition, and "equal access". Where was was MCI during the century +that AT&T built he communications system of this nation? Well, I believe in +Equal Access, Wholly. And, since I believe in equal access and its +implications for equality for all so strongly, I feel that MCI, Sprint, and +others should take the same amount of time to build their respective toll +networks: 100 years. Therefore, if the United States Justice Department were +truly the fair and just administrator that it portrays itself to be, MCI would +not have a hand in the long-distance cache until about 2080. That's only +fair. + There is no doubt that MCI is a sub-standard organization. They consist of +incompetent employees, inferior equipment, and an inferior marketing strategy. +They are mockingly imitative of AT&T, except in the quality of their service, +which is practically unusable. It is also interesting that with less than 2% +market share, MCI calls itself "the nation's long-distance company." The point +to this diatribe is this. It's time for these long-distance companies such as +MCI and Sprint to grow up. With Equal Access, they are going to become real +long-distance companies, not the joke organizations they are now, and I think +it may just take them one hundred years to do so. + + Page 148 + + + + + The Official Phreaker's Manual + + + ============ + Equal Access + ============ + + Equal Access, as it applies to the telecommunications industry, is "the +requirement that each Bell Operating Company provide exchange access to all +long-distance carriers that is equal in type and quality to that provided AT&T +communications." This is the official provision set forth by the United States +Justice Department in the Modification of the Final Judgment, August 24, 1982. +All this means is that each long-distance-distance company will have "equal +access" to all of the same types of services that AT&T currently enjoys. There +are four types of long-distance carrier services, divided into "feature +groups." They follow. + +FG A: "line side access." This is the standard 7-digit dialup+code (for +billing purposes) +destination telephone number. It is currently in use by +most long-distance carriers. + +FG B: "trunk side access." These are the 950 exchange numbers. They also +utilize an authorization code for billing. As with FG A, automatic number +identification (ANI) (i.e. calling number) is not provided to the carrier, but +will be in the future. + +FG C: "1+ dialing." Currently, only AT&T is able to get this type of +service. It is 1/0+7 of 10 digit direct long distance dialing. ANI (for +billing) is provided. + +FG D: "equal access." This will allow for 1/0+7 or 10 digit direct +long-distance dialing (presubscription carrier) and 10xxx+1/0+7 or 10 digit +long-distance dialing (alternate carrier). ANI for billing is provided at the +long-distance carrier's option. Billing may also be handled by the individual +long distance company or the local Bell Operating Company. + + Feature groups C and D are mutually exclusive (i.e. both cannot exist in a +particular area at the same time). Areas which have Feature Group C (AT&T +long-distance only) are non-Equal Access, and areas which have Feature Group D +(multiple long distance carriers) are Equal Access regions. + Feature Group B, the 950 exchange numbers will be used in areas in which it +is not feasible to provide with Equal Access, such as step-by-step offices +(yes, they CAN have 950 numbers), some crossbar offices, and some independent +telcos, which are not bound by the provisions of Equal Access and may provide +to their customers any type of long-distance service(s) they wish. The 950 +exchange is now active in many areas. It is mainly used as a universal +"roaming" access port for many long-distance carriers, but when an office is +converted to Equal Access, the 950 capability is removed. Thus, in an Equal +Access region, one cannot complete a call to a 950 telephone number. + I personally am looking very forward to Equal Access. My area is not +scheduled for full implementation of it until late 1985 or early 1986, and by +this time many of the alternate long distance carriers' networks will be in +place (or well under way). Think about what Equal Access means. Equality for +all long distance carriers. Access to common facilities, such as: busy-line +verification lines, Bell System information, signalling specifications. etc. +After full implementation of Equal Access, one will be able to take advantage +of and manipulate the services of more than just one carrier. It will no +longer be phreaks vs. AT&T. + When your area is ready to initiate Equal Access, you will receive a notice +in the mail informing you of some of the details of Equal Access, and will ask + + Page 149 + + + + + The Official Phreaker's Manual + +you to specify your choice of "primary carrier." In some cases you will need to +specify both inter-LATA carrier (IC), which handles calls out of your LATA +(Local Access and Transport Area), and an international carrier (INC), which +will handle calls destined for other countries. Recent market studies have +shown that between 80 and 90 per cent of residential customers will continue to +be served by AT&T for their long-distance service after Equal Access. So much +for competition. + You will probably be faced with many long-distance companies to choose from, +including but not limited to: AT&T, MCI, Sprint, ITT, Western Union, Dial U.S., +Call America, TMC, and U.S. Telephone. Whichever you choose will become your +"primary carrier." Your primary carrier will handle your call each time you +pick up you fone and dial 1+7 or 10 digits or 0+7 or 10 digits, inter-LATA +only. That is, if you dial a toll call that is within your LATA, it will be +handled by your local telephone company (Bell), not by your primary carrier, +even though it is a toll call. Let's use an example. The state of Colorado +consists of two LATAs. For this example, I will use three cities in Colorado: +Denver (in LATA1), Sterling (LATA1 also), and Colorado Springs (in LATA2). +Note here that even though Denver ad Sterling are in the same LATA, and Denver +and Colorado Springs are not, Sterling is actually much farther away from +Denver than Colorado Springs. This is because LATA boundaries were designed +giving consideration to high toll-traffic regions, to bring in revenue. Toll +traffic between Denver and Colorado Springs is very high, so the two cities +were placed in separate LATAs (or, more correctly, they were separated by a +LATA boundary). Toll traffic between Denver and Sterling is very low, of the +two cities were allowed to remain in the same LATA. Now, if everyone in +Colorado Springs were to pack up and move to Sterling (though who knows what +the hell for), the LATA boundaries in Colorado would be changed so that Denver +and Sterling were in different LATAs. The primary factor in determining LATAs +is money. + If I made a call to Sterling from my home in Denver, the call would be routed +entirely via Mountain Bell long-distance facilities. No long distance carrier +would be involved because Denver and Sterling are in LATA1. If I made a call +to Kelley, the blonde babe in Colorado Springs, the call would be handled by a +long distance carrier (in this case, AT&T) because Denver is in LATA1 and +Colorado Springs is in LATA2. Here is a table to simplify this: + +Customer dials LATA Carrier +----------------------------------------------------------------- +7 digits same Bell +1+7 digits same Bell +1+7 digits diff LD carrier (currently AT&T) +1+10 digits diff LD carrier (currently AT&T) +----------------------------------------------------------------- + + Note several things here. First, not all areas need to dial a 1 when dialing +any number, local or long distance, but the central offices will still discern +whether the call is in the same LATA as the customer or a different one and +handle the call appropriately. Secondly, some step-by-step offices require a +1+NPA to be dialed for calls within the same LATA and, in fact, all numbers +outside of the office itself. But, for the most part, the above table is +standard for common switching networks. + + ================== + Alternate Carriers + ================== + + Your normal long distance carrier will handle all your toll calls which cross +over LATA boundaries when you dial directly, 1+. If you wish to place your + + Page 150 + + + + + The Official Phreaker's Manual + +call via another carrier's network, whether for cost, quality, or circuit +availability reasons, you may do so in Equal Access regions. To access an +alternate long distance carrier after Equal Access, a customer dials +10xxx+1/0+7 or 10 digit telefone number. Note that xxx is the "carrier access +code (CAC)." A few CACs currently in use are listed below. + +220 ........ Western Union 666 ........ Lexitel +222 ........ MCI 777 ........ Sprint +333 ........ US Telefone 888 ........ SBS +444 ........ Allnet + + Thus, in an Equal Access region, to dial Fred in Orlando, a customer would +dial 1+305+994+9966 to place his call on his primary carrier, or to place it on +another network, he could dial: 10222+1+305+994+9966, and the call would go +over MCI facilities (in this case). Eventually, after many more long distance +services get into the act, there will be a directory of the various long +distance companies and their CACs, and deciding which carrier to use for any +particular call to get the bet rate will be beyond the ability of everyone +except phone phreaks. + + ================ + The 950 Exchange + ================ + + As discussed, the 950 central office exchange is currently a "roaming" access +port for various long distance carriers. In areas that have 950, the access to +carriers is standardized. Thus, someone travelling to several different areas +need only know the 950 number of the carrier he uses to access it from any area +(provided that it have 950 active). Originally, the 950 exchange was designed +to correspond with the 10xx carrier access code used for Equal Access. For +example, 950-1022 would be the same carrier as 1022 (+telephone number). +However, it was later found that the 100 codes available for use as 10xx CACs +would be insufficient to handle he number of long distance carriers. So, the +common carrier access code was increased by one digit, to 10xxx, thus +increasing the number of possible CACs to 1000. To keep the 950 exchange +consistent with the non CAC, the Bell Operating Companies have opted to change +the 950-10xx to 950-0xxx. The xxx in the 950-0xxx remains the same as the xxx +in the 10xxx carrier access code. The new modified 950 numbering pan is now +active in Philadelphia (Bell Atlantic) among other areas. + After Equal Access is well under way, the 950 exchange will be used in +certain areas that cannot be equipped for the standard Equal Access dialing +plans. This includes step-by-step, #1 crossbar, #5 crossbar, #2ESS, and #3ESS +offices. Customers in areas served by these types of switching equipment will +dial 950-0xxx, wait for acknowledgement tone from the carrier, and then dial a +"personal identification number" and destination telefone number,and the call +will be completed on the selected carrier's facilities. Initially, billing +will be handled by the carrier itself, and supervisory information and ANI will +not be provided by the local Bell Operating Company. + There are three main advantages to the 950 central office exchange and +protocol. They are: a) universal access for all areas, b) 950-exchange numbers +are "trunk side access." This means that the long distance carrier has direct +trunks going to it from a Bell toll office or local central office. These +trunks are interoffice lines, not customer type (POTS) lines, and supposedly +insure higher quality of connection. And, c) 950-exchange numbers are toll and +message unit free. On metered-usage (i.e., not "flat rate") customer lines, +they cost nothing. In most areas they are free from coin stations, with +Colorado as one notable exception. + + + Page 151 + + + + + The Official Phreaker's Manual + + ===== + Costs + ===== + + Each long-distance carrier must choose the type(s) of service it wishes to +provide to its customers. These different types of service were outlined +earlier as "Feature Groups." The costs of these Feature Groups vary directly +with the complexity and quality of the service itself. The following table +outlines the cost to the carrier of each available Feature Group. It is based +on the monthly rate per line for 9000 minutes of circuit use, and assumes the +carrier and Bell switch are 15 miles apart. + +FG non-Equal Access Equal Access +-------------------------------------------------------- +A $329.94 $709.20 +B 329.94 721.80 +C 752.40 ** N/A ** +D ** N/A ** 752.40 +-------------------------------------------------------- + + These figures are a lot more significant than they might appear. They +indicate that after Equal Access, in order to compete with the giants such as +AT&T, MCI, etc., smaller long distance companies will use Feature Group A or B +type service in order to provide significantly lower rates to their customers +than companies subscribing to Feature Group D service (like AT&T, MCI, etc). +This will cause a unique type of equilibrium to form. Customers willing to +dial an access number, authorization code, and destination number and put up +with lower quality service will be able to save a lot of money. This seems +faintly reminiscent of pre-Equal Access times.... + + ==================== + Directory Assistance + ==================== + + Each Bell Operating Company will be responsible for providing intra-LATA +operator services. When a customer dials (1)+411 or (1)+555+1212 for local +directory assistance, he will reach a Bell operator who will service requests +for listed numbers within the customer's LATA. Requests for numbers in LATAs +other than the calling customer's may be handled at the discretion of the local +operating company. Initially, the Bell Operating Companies will meet the +responsibility for providing directory assistance services by contracting it to +a long distance carrier or carriers (currently AT&T). All inter-LATA directory +assistance services will be provided by the inter-LATA carrier (IC). ICs may +also provide 800 Enterprise service or other toll free type directory +assistance services. See table. + +================================================================= +Intra-LATA: +================================================================= + HNPA 411/555-1212 BOC + *FNPA NPA+555-1212 BOC + HNPA 10xxx+555-1212 intra-LATA carrier + *FNPA 10xxx+NPA+555-1212 intra-LATA carrier + +================================================================= +Inter-LATA: +================================================================= + HNPA (10xxx)+1+555-1212 IC + + Page 152 + + + + + The Official Phreaker's Manual + + FNPA (10xxx)+1+NPA+555-1212 IC +================================================================= +* When LATA boundaries cross NPA boundaries (rare). +FNPA = Foreign Numbering Plan Area (area code). +HNPA = Home Numbering Plan Area (area code). + + At first glance, the above table appears somewhat complex. But, if you +understand the concept of LATAs and carriers, it is easily understood. +Essentially, all local Bell Operating Companies will maintain their own +directory assistance services. When a customer dials 411 or 555-1212, he will +reach a BOC directory assistant. Additionally, each long distance carrier that +wishes to provide directory assistance to its customers will also have DA +facilities. And, when a customer dials a directory assistant (NPA+555-1212) on +a carrier, he will reach an operator of that particular long distance carrier. +The key here is LATAs. If a customer wants to find a number that is within his +LATA, no long distance carrier is involved. It is handled strictly by the +Local Bell Operating Company. If a customer is seeking a number that is not +within his LATA, he must use the services of an inter-LATA (long-distance) +carrier. + + ====================== + TSPS Operator Services + ====================== + + Traffic Service Position System (TSPS) operator services will be handled much +in the same fashion as directory assistance services, with a few differences. +As with DAs, each Bell Operating Company and each inter-LATA carrier will +maintain its own TSPS operator facilities (or cordboard I suppose, if they +cannot afford TSPS). When a customer dials simply 0 (operator), he will reach +a BOC TSPS operator. The BOC TSPS will be able to handle all types of +intra-LATA operator-assisted traffic including (but not limited to): collect, +third party billing, Bell credit card, coin, verification and emergency +interrupt, and requests for emergency aid. BOC TSPS will be unable to complete +calls for customers outside of the customer's LATA. Thus, inter-LATA operator +assistance will be handled by an inter-LATA carrier TSPS (IC TSPS). An IC TSPS +will handle all previously mentioned types of calls that require inter-LATA +transport (i.e., the call originates and terminates in different LATAs). When +a customer dials 0+NXX-XXXXX or 0+NPA+NXX-XXXX, the central office will +determine if the call is destined for another LATA. If it is not, the call +will be sent to the Bell TSPS for appropriate handling. If the call is bound +for another LATA (and his determination is made based on the NXX or NPA+NXX), +then the call will be sent off to the customer's primary long-distance carrier +(since only 0+ was dialed). If the customer wishes to use a different +carrier's operator services, he would dial 10xxx+0+number, and the carrier +specified by the 10xxx carrier access code would receive the call. Note: if a +customer dials 10xxx+0+number, and the call is an intra-LATA call, he will get +a recording, "We're sorry, the number you dialed cannot be reached with the +carrier access code you dialed. Please check the code and try again or call +your carrier for assistance." (Western Electric KS-22550 central office tape +list no. 46.) Until the Bell Operating Companies can install their own TSPS +facilities and networks, they will (continue to) lease capacity from AT&T TSPS. +That is, AT&T will handle the intra-LATA traffic for the BOCs on a contract +basis. In the meantime, AT&T will continue to handle its own long-distance +operator services while the other inter-LATA carriers will have to implement +their own operator networks from scratch. My estimation is that you won't be +able to dial 10222+0 for an MCI TSPS operator until sometime around the year +2590. And even then they will probably be cordboard. + In addition to the changes in TSPS described above, there will be certain + + Page 153 + + + + + The Official Phreaker's Manual + +modifications to the software and hardware involved in the TSPS operator +system. Most critical, and of paramount importance to the telecommunications +enthusiast is changes in circuit associated signalling (CAS). This is +signalling to and from the TSPS facility. When a customer dials 0 (operator) or +10xxx+0 (IC operator), a succession of events occurs. First, the end office +seizes a trunk to the appropriate operator facility (this assumes that no +access tandem is involved). The operator service facility responds with a wink +(proceed signal) and the end office outpulses the CALLED number (or KP+ST if 0 +only dialed). The operator service (OS) facility will then come off-hook to +signal that it is ready to receive ANI information. The end office outpulses +the ANI information in the format of KP+II+7 digits+ST (or ST'). If there is +ANI failure, a KP+02+ST (or ST') will be sent. "ST'" stands for STart "prime", +and is indicative of a coin call (i.e., dial 0 from a coin station). A normal +ST terminating the ANI sequence means that the call is originating from a +noncoin station. See table for ultimate description. + +Inter-LATA calls MF-pulsed + +type of call customer dials cld num ANI +============================================================ +noncoin: +============================================================ + direct dialed 10xxx+1+7/10d KP+7/10d+ST'' KP+II+7d+ST + operator assist 10xxx+0 KP+ST''' KP+II+7d+ST + special toll 10xxx+0+7/10d KP+7/10d+ST''' KP+II+7d+ST + +============================================================ +coin: +============================================================ + direct dialed 10xxx+1+7/10d KP+7/10d+ST KP+II+7d+ST + operator assist 10xxx+0 KP+ST' KP+II+7d+ST + special toll 10xxx+0+7/10d KP+7/10d+ST' KP+II+7d+ST + +============================================================================= +Intra-LATA calls +============================================================================= +noncoin: +============================================================================= + direct dialed 10xxx+1+7/10d KP+7/10d+ST'' KP+II+7d+ST' + operator assist 10xxx+0 KP+ST''' KP+II+7d+ST' + special toll 10xxx+0+7/10d KP+7/10d+ST''' KP+II+7d+ST' + +============================================================================= +coin: +============================================================================= + direct dialed 10xxx+1+7/10d KP+7/10d+ST KP+II+7d+ST' + operator assist 10xxx+0 KP+ST' KP+II+7d+ST' + special toll 10xxx+0+7/10d KP+7/10d+ST' KP+II+7d+ST' +============================================================================= +Note: ST=Start, ST'=STart prime, ST''=Start double prime, ST'''=STart triple +prime. + + Once again, the above table appears somewhat intimidating in its complexity. +All these STs, ST primes, etc. Actually, the only purpose of the starts is to +distinguish to the TSPS machine exactly what type of call the customer is +placing and from what type of telefone he is calling. "Special toll" calls are +collect, credit card, and third-party billing type calls. Here is an example +of a complete dialing and outpulsing sequence for an operator service call: + + Page 154 + + + + + The Official Phreaker's Manual + +from a coin fone, a customer dials 0+ (or 10xxx+) 303+979-9997. The central +office would seize a trunk to the operator service facility and outpulse: +KP+303+979-9997+ST'. This indicates to the operator service facility that the +call is a special toll call originating from a coin telephone. The OS facility +comes off-hook and the central office would then outpulse KP+00+232+9969+ST. +This is he ANI information, and the ST indicates that the call is inter-LATA +(if it were intra-LATA, the sequence would be terminated with ST' instead). + Perhaps now I should explain screening. Certain telefones are "screened" +against placing certain types of calls. A screening code is a two digit +information carrier. For instance, 00 is "identified line" (no special +treatment), 01 is multiparty ONI (operator number identification), 02 is ANI +failure, 06 is hotel/motel, 07 is coinless (hospital/inmate fone), 08 is +inter-LATA restricted, 68 is hotel inter-LATA restricted, 78 is coinless +(hospital inmate) inter-LATA restricted, etc. A 98 is an AT&T Charge-A-Call +fone (those blue fuckers). More screening codes are allocated as they are +needed. Note that the original TSPS screening design only allowed for single +digit information digits. They were later found to be insufficient. + I believe that the operator services have been adequately covered, so I will +now move on to other aspects of Equal Access. + + ============= + Routing Codes + ============= + + The TTC (terminating toll centre) and special routing codes will continue to +be used in inter-LATA networks. These 0xx and 1xx type codes, which sometimes +precede operator routing codes, will be assigned to various ICs on an +individual basis. When 0xx and 1xx codes serve as pseudo-central office code, +they will be coordinated such that it will avoid IC conflicts. The +Numbering/Dialing Planning Group of the Central Services Organization (sounds +like some sort of Communist governing body) will provide assistance where the +assignment of coordinated codes is necessary. + + ================== + Special Area Codes + ================== + + Special area codes, also called Service Area Codes (SACs) presented the +designers of Equal Access with an interesting problem. SACs are N00 type area +codes, such as 700, 800, and 900. They are used for special services and +unlike normal area codes, are not associated with a particular state or region. +Each long distance carrier will be allocated its own exchanges in each service +area code. Thus, when a customer places a call to a number in a service area +code, the central office will examine the exchange of the telefone number and +route the call over the proper carrier's facilities. The customer will be +totally oblivious to this process. Current SACs include 700 (teleconferencing), +800 (toll free services), and 900 (dial-it services). There are currently +plans under way to implement the 600 area code, although its exact uses are not +yet clear. + + ================ + Signalling to IC + ================ + + Each long distance carrier that wishes to serve a particular LATA must +establish a point of presence (POP) in that LATA. A carrier's POP is a toll +office that receives toll traffic destined for another LATA. A POP is a centre +for inter-LATA transport of toll traffic. This traffic will be directed to it + + Page 155 + + + + + The Official Phreaker's Manual + +from a Bell central office, either an end office or an access tandem (AT). An +access tandem is simply a Bell office which directs long distance traffic from +a number of local end offices to a number of different inter-LATA carriers. To +pass call details (such as called and calling numbers) from the Bell local +office to the inter-LATA carrier, a signalling system was designed that employs +current multifrequency (MF) signalling protocol. When a customer dials +10xxx+(1/0)+(NPA)+NXX+, the end office will seize a trunk to the appropriate IC +as determined by the 10xxx CAC (or primary carrier if no CAC is dialed). Note: +this happens as soon as the customer finishes dialing the exchange, even though +he may still be dialing the last four digits of he telefone number. After the +endË›Vk«¥¬.¤®VK•‘‡ãÉÕ¹­ã½£¡• +±ƒ¢¡•+ +ߥ±±ƒÿeturn a wink, which is +the signal to proceed. Then, the end office will send ANI information, in the +format of: KP+II+10 digit ANI+ST. If the carrier is not to receive ANI +information from the Bell Operating Company (i.e., they are not paying for it), +then only KP+ST is sent. Presumably, by now the customer has completed dialing +the last four digits of the destination telefone number, so the end office will +send: KP+7 or 10 digit CALLED number+ST. Note several things here: 1) The IC +does not send a wink when it is ready to receive CALLED number information. 2) +ANI information is ten digits, plus a two-digit screening code, and 3) The +central office's outpulsing to the IC overlaps the customer's dialing. + Some ANI screening codes include: 00 (identified POTS), 01 (ONI multiparty), +02 (ANI failure), 06 (hotel without room identification), 07 (coinless, +hospital, inmate, etc.), 08 (inter-LATA restriction), 10 (test call), 20 (AIOD +calls, listed DN sent), 27 (coin call), and 95 (test call). These are the same +or similar as the screening codes used in operator service signalling. + In addition to the domestic signalling design outlined above, a new +international signalling system has been designed for use with Equal Access. +It also uses two-stage, overlapping outpulsing. After a customer has completed +dialing (10xxx)+011+CC (CC is country code), the Bell end office will seize a +trunk to he appropriate IC (or international carrier, if direct routing is +available). The IC/INC will respond with a wink, and the end office will +outpulse: KP+1NX+YXX+CCC+ST. Each of these three groups of routing information +indicate something different abut the international call being placed. The 1NX +is the "international system routing code, one for each type of call routing." +I have absolutely no idea what that means, and no one I have talked to at Bell, +AT&T, MCI, CCITT, ITT, the CSO and FCC have any idea either. Next, the YXX is +the carrier routing code. It is actually XXX, Which is the three digits of the +10xxx CAC for the particular carrier being accessed. Finally, CCC is the +country code, padded with a zero if necessary. + One may wonder why the CAC is signalled forward when a trunk is seized +directly to the carrier itself. The reason for this is that in some cases a +direct trunk to the carrier is not available and the call must be routed +through an access tandem, which is responsible for routing calls to a variety +of different long distance carriers. + + ==================== + Switch Compatibility + ==================== + + Full-feature Equal Access will become available first for Western Electric +#1ESS switching systems. It will be available first in generic 1E8 (1AE8 for +#1A ESS). Later, generic 5E2 for #5ESS, generic 2B4 for #2B ESS, generic +BCS-16 for Northern Telecom DMS-100, and generics 209 and 302 for DMS-10 will +provide full-feature Equal Access capabilities in those types of end office +switching equipment. The Western Electric #4ESS, #1 and 1A ESS, #5ESS, and the +Northern Telecom DMS-200 machines which serve as toll offices or access tandems +will be capable of receiving the new Equal Access signalling format, after +required generic development. Other switches (such as all crossbar offices) + + Page 156 + + + + + The Official Phreaker's Manual + +will not be able to handle the new signalling format. + + ===== + LATAs + ===== + + LATAs, Local Access and Transport Areas, are the entire key to the +administration of Equal Access. They can be thought of as miniature area +codes. A telefone call can never cross a LATA boundary except on an inter-LATA +carrier. However, there are certain exceptions to this. For example, in the +state of Colorado, which consists of two LATAs, the local Bell Operating +Company (Mountain Bell), which serves as the intra-LATA (i.e., calls to/from +the same LATA) carrier, may also serve as inter-LATA (to/from different LATAs) +carrier within Colorado. + There are also exceptions in the corridor region of the New York/New +Jersey/Pennsylvania area. + The forty-eight continental United States consist of 161 LATAs. Some states, +such as Deleware, consist of only one LATA, while others, such as Illinois, can +have up to 14 or more. Each LATA is given a name. For instance, Pennsylvania +consists of six LATAs: Philadelphia, Capital, Northeast, Altoona, Pittsburgh, +and Erie (independent telco). + + ============== + A Few Thoughts + ============== + + In 1973, Chrysler, A&P, RCA, Phillips Petroleum, S.S. Kresge, Boeing +Aircraft, International Harvester, Woolworth's, Greyhound, Firestone, Litton, +and General Foods, among others, each reported annual profits of less than $150 +million. In that same year, the Telephone Company wrote off, as being +uncollectable, debts of $150 million. + In 1974, the Bell System had direct interests in at least 276 organizations, +many of them not related to the telefone industry. Bell also had interlocking +financial arrangements with such corporations as the Chase Manhattan Bank, IBM, +Prudential Insurance, Sears Roebuck, General Motors, U.S. Steel, and Lever +Brothers. Should the need have arisen, the Bell System in 1974 could have +exercised control of 400 billion dollars, fully one-third of that year's gross +national product. + +From: Hyde, J. Edward, The Phone Book. Henry Regnery Publishing Company, +Chicago Illinois, 1976. ISBN 0-8092-8008-6. + + There are many viewpoints as to the future course of the telefone industry. +The general consensus among most Telco employees is that the children of AT&T +(i.e., the seven regional holding companies into which the Bell System was +divided) will someday be reassembled into the original Bell System, and all +will be well and good in the world of telecommunications again. I tend to +disagree with this. I think that within three decades the entire telefone +industry will be consolidated and nationalized. It will be owned and operated +entirely by the United States Federal Government. This will accomplish several +goals of the government. First, the immense revenue from telefone services +will provide great financial resources for the federal government. Rates for +telefone services will skyrocket far out of the range of affordability, quality +of service will deteriorate to a point of unusability, and meanwhile +politicians will get rich. + Second, once the government controls the telefone system, monitoring the +general public will become infinitely easier. Big Brother will be able to keep +and eye, or rather, an ear on the general population, and giant step forward in + + Page 157 + + + + + The Official Phreaker's Manual + +ultimate government control of peoples' lives will be achieved. Most people +won't know anything about this, and even if they do, they won't give a shit +because by then the fucking government will have already invaded every +remaining private aspect of the individual's life. + To those who find it utterly unthinkable that the federal government would +ever assume control of the telefone industry, I would call attention to the +situation that existed between 1917 and 1919. During this time the government +controlled the phone system of the United States. J. Edward Hyde sums it up +beautifully: + + Between 1917 and 1919, the Federal Government did control the phone +industry. Since then, the most charitable historians have blamed the +subsequent mess on the First World War. Others blame it on the democrats. But +the fact is that it was a fiasco of the bureaucracy's own making, combined with +intracompany sabotage. + Today, in those countries where the phone service is nationally owned, the +service runs from poor to nonexistent. Would you want the government that gave +you the Russian wheat deals, Defense Department overruns, Amtrak, and the +Postal Service handling your phone problems? + +From: Hyde, J. Edward, The Phone Book. Henry Regnery Publishing Company, +Chicago, Illinois, 1976. ISBN 0-8092-8008-6, p. 170. + +Technical References: + +Notes on the BOC intra-LATA Networks. American Telephone & Telegraph Company, +1983. + +The Phone Book. J. Edward Hyde, 1976. + +Bell System Technical Journal. Volume 58, Number 5. + +Engineering and Operations in the Bell System. American Telephone & Telegraph +Company, 1983. + + +Acknowledgements: Karl Marx, Telenet Bob, and the scores of Telco employees +in Denver, White Plains, Omaha, and North Jersey who were very helpful in +patiently answering my many questions about Equal Access. + +Thanks to Mack the Knife for magnetic transfer of this illustrious file, a +tedious task for which I have no time. + +Thanks to the following printers for their cooperation and professional manner +in helping me with final production of this file: + +Kinko's Print Shop +7155 West Colfax +Lakewood, CO + +Office Products and Printing +5035 S. Kipling Suite B4 +Littleton, CO + +This has been a Mark Tabas Encounter Series production. Questions, comments, +and requests may be addressed to: + +Tabas + + Page 158 + + + + + The Official Phreaker's Manual + +P.O. Box 620401 +Littleton, CO 80162 + +Requests for copies of this or any other Encounter Series file are honored for +free, but please enclose a self-addressed medium sized first class mailing +envelope with 73 cents postage. + +Special thanks to Steve Reger, who was kind enough to shoot my neighbor's dog, +whose incessant barking constantly distracted me as I labored to complete this +file. + +(for Amy) cl/KIABB!/jd + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 159 + + + + + The Official Phreaker's Manual + + Equal Access and Modem Autodialers by Shadow 2600 + + Now that AT&T is being divested of its local telephone companies, phone +customers across the nation have to choose their long distance carrier as equal +access is phased in. Advertising campaigns emphasize such aspects as low rates +and operator assistance, but no one mentions a factor that will affect modem +users who use auto dialers for long distance calls. Not all of the alternate +long distance carriers provide called party answering supervision on all calls. +Called party answering supervision basically has the telephone company start +billing only when the called party answers the telephone. However, many of the +alternate long distance companies still operate with the "fixed timeout" basis +for charging. That is, if a call is held for a fixed length of time (usually +30 seconds) the charging starts, whether or not the call was answered. This +could cause modem owners large bills if they use autodialers to make long +distance calls. Modems are usually set up to wait up to one minute when +attempting to make a call, and thus have to timeout through busy signals, long +call setup sequences, extender waits, and similar problems. This could result +in many billed but never answered calls. + + Some of the other carriers provide it on calls to some cities, and others +not support it at all. Only AT&T Communications provides called party +answering supervision on all calls to all points at this time. It is almost +impossible to get information on how a long distance company charges its calls +as as they don't want to reveal how their billing is handled. The alternate +carriers get called party supervision when the destination location goes equal +access. However, there has been no quick action on the part of the alternate +long distance companies to make use of the supervision data as they would have +to get equipment for passing the information back to the billing computer at +the originating point. Thus called party answering supervision information +often ends up being ignored by these carriers even when available. Another +point to remember is that called party answering supervision's availability +depends on whether the destination has equal access, not the originating +location. The lower long distance rates of alternate long distance rates must +be weighed against the time out problem as it affects autodialing modems. One +way to circumvent this is merely to set your modem to a shorter +waiting-for-connect time, but this may not provide enough time for the call to +go through. [For more information on this and other telecommunications topics +call the Private Sector BBS at (201) 366- 4431] + + + + + + + + + + + + + + + + + + + + + + Page 160 + + + + + The Official Phreaker's Manual + +==Phrack Inc.== +Volume One, Issue Two, Phile #6 of 9 + + Toward Universal Information Services Via ISDN + ~~~~~~ ~~~~~~~~~ ~~~~~~~~~~~ ~~~~~~~~ ~~~ ~~~~ + by Taran King + + From PROTO newsletter of AT&T Bell Laboratories + ------------------------------------------------------------ +Phase one, the Present. +~~~~~ ~~~~ ~~~ ~~~~~~~~ + The local network of today, although still largely voice-oriented, is already +on the path to Universal Information Services. Lightguide fiber is +dramatically expanding the capacity of local networks, helping to lower the +costs and increase the demand for high-band width, Information Age services. +And public networks are increasingly digital and geared for data and special + services. For example: + +o The AT&T Network Systems 5ESS (TM ) switch, designed by Bell +Laboratories, can serve as the hub of a local deployment of remote modules at +locations up to 100 miles from a host central office. + +o The Integrated Special Services Network (ISSN) is a channel network that +provides special services, customer control options and digital private lines +rearrangeable under software control. The ISSN incorporates digital carrier +terminating equipment such as the D4 Channel Bank, D5 Digital Terminal System +and Digital Access and Cross-connect System (DACS). + +o The New Centrex is bringing greater levels of customer control, improved +services and a broad range of data capabilities to the business customer. + + Today's public networks consist of multiple or overlay networks. The public +switched network, or circuit network, mainly for voice, is the base network. +Two kinds of overlay networks provide special services. Channel networks carry +private lines leased by large customers and transmit much of today's data and +image traffic; they also handle traffic for network operations support. Packet +networks carry data communications, while packet switching is used internally +to public networks for common channel signaling to set up, route and take down +calls, or to give customers information. "Overlay networks help +telecommunications companies efficiently meet growing demand for digital +transmission and special services," says Stan Johnston, Market Planning +Manager, Network Systems Evolution, in AT&T Network Systems. "Their integration +into a single network, however, would be still more effective." + +Phase two, the Integrated Services Digital Network (ISDN). +~~~~~ ~~~~ ~~~ ~~~~~~~~~~ ~~~~~~~~ ~~~~~~~ ~~~~~~~ ~~~~~~~ + The ISDN is a concept to which AT&T is committed - and it's the foundation +for Universal Information Services. The central idea of ISDN, as AT&T Network +Systems sees it, is to provide an individual user a link to the local central +office of generous band-width - a digital subscriber line that can carry +144,000 bits per second (sure beats 2400 baud!). The band-width is subdivided +into two 64,000-bit channels, which may carry voice or data or both, and one +16,000-bit channel for packetized signaling information or data transport. +Such a link provides convenient "integrated" network access by accommodating +voice, data and signaling over a single line. + The ISDN will make it easier for a customer to get varied services from +public and private networks. More bandwidth for big customers will be +available through another ISDN access standard, the extended digital subscriber + + Page 161 + + + + + The Official Phreaker's Manual + +line, which provides 1.5 billion bits per second as 24 channels of 64,000 bits +each. + In 1986, new software from Bell Labs will enable the 5ESS switch to +accommodate ISDN-sized 144,000-bit channels that standardize and simplify +subscribers' use of local networks. AT&T is committed to future products that +will also be ISDN-compatible. Other vendors, too, some of whom already plan to +build premises, terminal, and other equipment to ISDN standards, will make ISDN +a cooperative effort. + By providing integrated digital access to networks, ISDN will make important +progress toward the goal of Universal Information Services. But overlay +networks will continue to divvy up the transport job. And messages needing +less than 144,000 bits per second will not fill their allotted bandwidth, +leaving capacity under utilized. + +Phase three, Universal Information Services. +~~~~~ ~~~~~~ ~~~~~~~~~ ~~~~~~~~~~~ ~~~~~~~~~ + Rooted in the fertile ground of 5ESS switches, ISDN equipment and +technologies such as wideband packet transport, Universal Information Services +will bear fruit during the 1990s. From a single kind of network will hang +services as different as apples, oranges and pears. Just as network access was +integrated in ISDN, transport functions will increasingly be integrated by +powerful new network equipment evolved from equipment developed for the ISDN. +Where customers once got standard-sized ISDN channels, they'll get big +bandwidth for large jobs, little bandwidth for small jobs. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 162 + + + + + The Official Phreaker's Manual + + TOWARD UNIVERSAL INFORMATION SERVICES VIA ISDN + +Phase one, the present. The local network of today, although still largely +voice oriented, is already on the path to Universal Information Services. +Lightguide fiber is dramatically expanding the capacity of local networks, +helping to lower the costs and increase the demand for high-bandwidth, +Information Age services. And public networks are increasingly digital and +geared for data and special services. For example: + + * The AT&T Network Systems 5ESS switch, designed by Bell Laboratories, can +serve as the hub of a local digital network through deployment of remote +modules at locations up to 100 miles from a host central office. + + * The Integrated Special Services Network (ISSN) is a channel networks that +provides special services, customer control options and digital private lines +rearrangeable under software control. The ISSN incorporates digital carrier +terminating equipment such as the D4 Channel Bank, D5 Digital Terminal System +and Digital Access and Cross-connect Systems (DACS). + + * The New Centrex is bringing greater levels of customer control, improved +services and a broad range of data capabilities to the business customer. + + Todays public networks consist of multiple or overlay networks. The public +switched network, or circuit network, is the base network. Two kinds of +overlay networks provide special services. Channel networks carry private +lines leased by large customers and transmit much of today's data and image +traffic; they also handle traffic for network operations support. Packet +networks carry data communications, while packet switching is used internal to +public networks for common channel signaling to set up, route and take down +calls, or to give customers information. + "Overlay networks help telecommunications companies efficiently meet growing +demand for digital transmission and special services," says Stan Johnston, +Market Planning Manager, Network Systems Evolution, in AT&T Network Systems. +"Their integration into a signal network, however, would be still +more effective." + Phase two, the Integrated Services Digital Network (ISDN). The ISDN is a +concept to which AT&T is commited--and it's the foundation for Universal +Information Services. The central idea of ISDN, as AT&T Network Systems sees +it, is to provide an individual user a link to the local central office of +generous bandwidth--a digital subscriber line that can carry 144,000 bits per +second. The bandwidth is subdivided into two 64,000-bit channels, which may +carry voice or data or both, and one 16,000-bit channel for packetized +signaling information or data transport. Such a link provides convenient +"integrated" network access by accommodating voice, data and signaling over a +single line. + The ISDN will make it easier for a customer to get varied services from +public and private networks. More bandwidth for big customers will be +available through another ISDN access standard, the extended digital subscriber +line, which provides 1.5 million bit per second as 24 channels of 64,000 bits +each. + In 1986, new software from Bell Labs will enable the 5ESS switch to +accommodate ISDN-sized 144,000-bit channels that standardize and simplify +subscribers' use of local networks. AT&T is committed to future products that +will also be ISDN-compatible. Other vendors, too, some of whom already plan to +build premises, terminal and other equipment to ISDN standards, will make ISDN +a cooperative effort. + By providing integrated digital access to networks, ISDN will make +important progress toward the goal of Universal Information Services. But + + Page 163 + + + + + The Official Phreaker's Manual + +overlay networks will continue to divvy up the transport job. And messages +needing less than 144,000 bits per second will not fill their allotted +bandwidth, leaving capacity underutilized. + Phase three, Universal Information Services. Rooted in the fertile ground +of 5ESS switches, ISDN equipment and technologies such as wideband packet +transport, Universal Information Services will bear fruit during the 1990s. +From a single kind of network will hang services as different as apples, +oranges and pears. Just as network access was integrated in ISDN, transport +functions will increasingly be integrated by powerful new equipment evolved +from equipment developed for the ISDN. Where customers once got standard- +sized ISDN channels, they'll get big bandwidth for large jobs, little bandwidth +for small jobs. + +*** retyped from PROTO, AT&T Bell Laboratories report to executives on new +technologies, without written permission from the editors. (heh, heh.) + +Subscriptions: $15.00 per year, published bi-monthly. Send check payable to +"Bell Laboratories PROTO," to PROTO Circulation Manager, Room 3E-230, 150 John +F. Kennedy Parkway, Short Hills, N.J. 07078. + +:LIQUID:CRYSTAL: +wisdom is safety + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 164 + + + + + The Official Phreaker's Manual + +==Phrack Inc.== +Volume One, Issue Two, Phile #7 of 9 + + @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ + @ @ + @ _ _ _______ @ + @ | \/ | / _____/ @ + @ |_||_|etal / /hop @ + @ __________/ / @ + @ /___________/ @ + @ Headquarters of Phrack Newsletter @ + @ (314) 432-0756 @ + @ Proudly Presents @ + @ MCI Overview @ + @ Written on 11/16/85 @ + @ by @ + @ @ + @ Knight Lightning & Taran King @ + @ @ + @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ + +MCI Communications Corporation, headquartered in Washington, D.C., provides a +full range of domestic and international telecommunications services, including +voice and data, telex and cable, paging and mobile telephone, and time +sensitive message delivery. + +Since its founding in 1968, MCI has grown to more than $1.6 billion in annual +sales and serves more than 1.9 million business, residential and government +customers through its four major business units: + +MCI Telecommunications + +MCI Airsignal + +MCI International + +MCI Digital Information Services + + +MCI TELECOMMUNICATIONS + + MCI Telecommunications provides domestic interstate long distance service +throughout all 50 states, plus Puerto Rico, the U.S. Virgin Islands, and major +calling areas of Canada. It is also authorized to provide varying degrees of +intrastate long distance service in some states. + +MCI also is the first long distance carrier other than AT&T to offer direct +dial service overseas. International telephone service is available to all +residential and commercial customers (with the exception of Private Line +customers). In October, 1984 the first international service agreements were +announced with the following countries: Argentina, Belgium, Brazil, East +Germany, Greece, United Arab Emirates, and the United Kingdom. + +Total capital investment in MCI's long distance network is approximately $2 +billion. MCI's network, the second largest in the U.S., employs microwave +optical fiber, satellite and various digital transmission technologies. + +Subscribers - Domestic Long Distance (as of 10/84) + + Page 165 + + + + + The Official Phreaker's Manual + +----------- ---------------------- +Residential 1.4 million +Commercial .3 million + Total 1.7 million + +Operations - (as of 10/84) +Network Miles...20,543 (microwave, optical fiber, satellite) +Circuits.......238,000 +Employees........9,500 (full-time, approx.) + +MCI AIRSIGNAL + +MCI Airsignal provides personal message delivery and car telephone services. +MCI Message Service is offered in more than 50 metropolitan areas. In 1984, +service will commence in New York City, Baltimore-Washington, Los Angeles, and +Chicago. MCI car telephone service is offered in 20 markets. + +Personal Message Delivery Service + +ALPHANUMERIC MESSAGE SERVICE + +Displays up to 40-character message using letters and/or numbers. Memory and +recall ability. Alerts subscriber with a silent visual alert or a soft tone. + +DISPLAY MESSAGE SERVICE + +Displays up to 24-digit message (e.g., phone number, stock quotes, sales +figures, coded messages). Memory and recall capability. Alerts customer to +message with a silent visual alert or a soft tone. + +TONE MESSAGE SERVICE + +Notifies customer of a message with a soft tone. + +VOICE MESSAGE SERVICE + +Receives message in actual voice of caller. + +EXPRESS MESSAGE SERVICE + +Receives and stores messages. Instantly alerts subscriber via pager when a +message is received. + +Car Telephone Service + +Enables customers to place calls to or receive calls from anywhere in the +world, 24 hours a day, as they travel in their cars. With the advent of new +cellular technology, both the quality and the accessibility of car telephone +service will vastly improve. + +MCI has thus far obtained franchises to operate a new kind of mobile phone +service, cellular telephone, in Minneapolis and Pittsburgh, and has received +favorable decisions from FCC administration law judges authorizing service in +Los Angeles, Denver-Boulder, and Kansas City. MCI has applied for licenses to +provide cellular service in 81 metropolitan areas. + +MCI Airsignal Branch Sales Offices + + + Page 166 + + + + + The Official Phreaker's Manual + +Personal Message Service/Conventional Mobile Phone Service + +Birmingham (205) 942-2924 +Sacramento (916) 444-2350 +Memphis (901) 682-9658 +Cleveland (216) 464-7311 +Dallas (214) 788-5111 +Fresno (209) 486-7410 +Las Vegas (702) 382-7461 +Denver (303) 778-7878 +Portland (503) 227-2556 +Philadelphia (215) 677-9845 +Atlanta (404) 252-2114 +West Florida (813) 875-3404 +Minneapolis (612) 544-8175 +Kansas City (913) 648-8090 +Miami (305) 491-0122 +Pittsburgh (412) 343-1611 +Houston (713) 464-2516 +Bakersfield (805) 832-2346 + +Cellular Telephone Offices + + Minneapolis-St. Paul (612) 544-3312 + Los Angeles (714) 527-0385 + Elsewhere in California (800) 344-3455 + Headquarters - Washington, D.C. (202) 429-9660 + + +MCI INTERNATIONAL + +MCI International provides private-line voice service to several overseas +countries, and data and message services, including telex, cablegram, leased +channel, and packet switching communications, to more than 200 overseas points. +MCI has moved into two new areas of service: International direct-dial +telephone service and international electronic mail and hard-copy delivery +services. + +International Record Services + +TELEX SERVICE (domestic and international) permits instantaneous, two-way, +written communications with other subscribers worldwide. Customers can send +messages at any time, even though the receiving terminal may be unattended. MCI +International offers access to its telex service from a variety of terminals +and networks; not only subscribers with telex terminals but also those with +communicating word processors, data terminals or computers that communicate +over telephone lines can take advantage of MCI International telex service. To +subscribers connected to its own telex network, MCI International offers World +Message Services--a package of communications offerings including telex, +cablegram and MCI Mail services. Various service enhancements are available to +save time, improve operating efficiency and simplify records keeping for telex +users. + +CABLEGRAM SERVICE, the traditional means of international written +communications, offers flexibility in delivery and economical rates for shorter +messages. Cablegrams can be delivered to virtually any overseas +point.Subscribers with telex terminals or various other types of equipment can +access and TELUS cablegram switch and take advantage of such service + + Page 167 + + + + + The Official Phreaker's Manual + +enhancements as abbreviated addressing and departmental billing. + +LEASED +CHANNEL SERVICE provides an exclusive line between a U.S. firm and it's +overseas office for private communications 24 hours a day. Each MCI +International leased channel is tailored to meet the needs of a specific +customer for teleprinter, facsimile, voice and/or data traffic. For subscribers +with several offices requiring private communications with each other, MCI +International offers a versatile message-switching service. Voice/data leases +can be configured to meet a whole array of communicating needs; for example, +one channel might carry data traffic from a computer at night, voice +communications during office hours, and simultaneous teleprinter messages at +any time. Data channels can handle requirements for traffic at any speed from +1200 bits per second to 1.544 megabits per second. + +IMPACS SERVICE uses packet-switching technology to provide international +communications service between data terminals and computers. Impacs offers +on-line, real-time connections and enables many types of incompatible systems +to communicate. Impacs service offers virtually error-free transmission +because of the error-detection and retransmission capability of the network. + +INSTALINK SERVICE allows businesses overseas to use regular telex equipment to +access remote computing systems and databases in the U.S. Subscribers can +retrieve data from a computer-based information service or use a computing +system connecting to a packet-switching network in the U.S. + +INTERNATIONAL +FACSIMILE SERVICE enables subscribers to send duplicates of original documents +overseas quickly and efficiently, even when neither the sender or the receiver +has facsimile transmission equipment, or when the sender and receiver have +incompatible equipment. + +DATEL SERVICE provides automatic or voice-coordinated data transmission at +speeds up to 2400 bits per second. Either digital or analog facsimile traffic +can be transmitted via Datel. Datel facilities are conditioned to ensure +high-quality transmission. The MCI International switching center allows +communications between incompatible terminals. + +MARITIME SERVICES provide instant, high--quality contact between ships at sea +or offshore rigs, and between these vessels and land-based subscribers +worldwide. + +International Voice Services + +PRIVATE +LINE SERVICE provides, fast, easy access to a single overseas location at an +economical monthly rate. This technically efficient system maximizes the use +of line capacity by recognizing idle time and assigning a speaker to a +transmission path only when the path is needed. Users can dial a four-digit +extension from a regular business phone to reach a key overseas location. + +International Mail Services + +WORLD +MESSAGE SERVICE subscribers can access the domestic electronic mail and +hard-copy delivery offerings of MCI Mail. In addition, MCI International is +developing fast, low-cost services that will deliver electronic messages and +high-quality printed documents worldwide. + + Page 168 + + + + + The Official Phreaker's Manual + + +Customer Service + +THE CUSTOMER TROUBLE REPORTING ASSISTANCE CENTER at MCI International addresses +customer concerns such as equipment maintenance and service performance +questions. Customer service specialists, on duty 24 hours a day on business +days, answer questions and electronically route service requests to technicians +nationwide. + +MCI DIGITAL INFORMATION SERVICES CORP. + +MCI Digital Information Services, MCI's newest unit, provides high-speed, +low-cost, time-sensitive message delivery (MCI Mail), either electronically or +via hard copy. + +MCI Mail provides time-sensitive document delivery to anyone, anywhere vial +MCI's long-distance telephone network. MCI Mail can reach a recipient +instantly, in four hours or less, or overnight by noon the next day. Prices +are as much as 90 percent lower than comparable time-sensitive mail delivery +services. MCI Mail can be delivered electronically, terminal to terminal, or +laser printed on letterhead stationery with the customer's signature. + +MCI Mail customers can even order gifts and services direct through MCI Mail, +ranging from software and paper for personal computers to investment advisory +services to travel specials. + +There are no sign-up, monthly service charges or "connect time" charges for MCI +Mail. MCI Mail can be used by virtually any personal computer, word processor, +electronic typewriter, data terminal, telex, or other digital communications +device. The service is accessed by a local telephone call or 800 number. + +MCI Mail + +INSTANT delivery to an "electronic" mailbox. + +FOUR-HOUR paper delivery by courier to 17 major metropolitan areas regardless +of point of origin. + +OVERNIGHT paper delivery by courier by noon the next day in 20,000 continental +U.S. cities. + +MCI LETTER transmitted electronically to the MCI digital postal center nearest +its destination, then delivered locally by the U.S. Postal Service. + +TELEX DISPATCH enables MCI Mail subscribers to transmit messages to the more +than 1.6 million telex subscribers worldwide. + +VOLUME MAIL enables customers to send large mailings in a variety of letter +formats, at substantial savings in delivery time and expense. + + ============================================================ + Look for more MCI Files coming to Metal Shop soon! + + This has been a Knight Lightning Presentation + ============================================================ + + + + + Page 169 + + + + + The Official Phreaker's Manual + + Reference Tables + + Just some notes that you will always try to find but can never! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 170 + + + + + The Official Phreaker's Manual + +==Phrack Inc.== +Volume One, Issue One, Phile #5 of 8 + + Using MCI Calling Cards + by + Knight Lightning + of the + 2600 Club! + +How to dial international calls on MCI: + + "Its easy to use MCI for international calling." + +1. Dial your MCI access number and authorization code (code = 14 digit number, +however the first 10 digits are the card holders NPA+PRE+SUFF). + +2. Dial 011 + +3. Dial the country code + +4. Dial the city code and the PRE+SUFF that you want. + +Countries served by MCI: + +Country code|Country code +-------------------------------------|-------------------------------- +Algeria..........................213 |New Zealand..................064 +Argentina........................054 |Northern Ireland.............044 +Australia........................061 |Oman.........................968 +Belgium..........................032 |Papua New Guinea.............675 +Brazil...........................055 |Qatar........................974 +Canada................Use Area Codes |Saudi Arabia.................966 +Cyprus...........................357 |Scotland.....................044 +Denmark..........................045 |Senegal......................221 +Egypt............................020 |South Africa.................027 +England..........................044 |Sri Lanka....................094 +German Democratic Republic |Sweden.......................046 +(East Germany)...................037 |Taiwan.......................886 +Greece...........................030 |Tanzania.....................255 +Jordan...........................962 |Tunisa.......................216 +Kenya............................254 |United Arab Emirates.........971 +Kuwait...........................965 |Wales........................044 +Malawi...........................265 | +====================================================================== + +Thats 33 countries in all. To get the extender for these calls dial 950-1022 or +1-800-624-1022. + +For local calling: + +1. Dial 950-10222 or 1-800-624-1022 + +2. Wait for tone + +3. Dial "0", the area code, the phone number, and the 14 digit authorization +code. You will hear 2 more tones that let you know you are connected. + + - Knight Lightning --> The 2600 Club! + + Page 171 + + + + + The Official Phreaker's Manual + +===================================================================== + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 172 + + + + + The Official Phreaker's Manual + + AT&T INTERNATIONAL DIALING COUNTRY CODES AS OF 2-17-85 + + FILE BY: Lock Lifter + +=========================+ + +*UNITED KINGDOM/IRELAND +------------------------------------ +IRELAND.........................353 +UNITED KINGDOM...................44 + +*EUROPE +------------------------------------ +ANDORRA..........................33 +AUSTRIA..........................43 +BELGIUM..........................32 +CYPRUS..........................357 +CZECHOLSLOVAKIA..................42 +DENMARK..........................45 +FINLAND.........................358 +FRANCE...........................33 +GERMAN DEMOCRATIC REPUBLIC.......37 +GERMANY, FEDERAL REPUBLIC OF.....49 +GIBRALTAR.......................350 +GREECE...........................30 +HUNGARY..........................36 +ICELAND.........................354 +ITALY............................39 +LIECHTENSTEIN....................41 +LUXEMBOURG......................352 +MONACO...........................33 +NETHERLANDS......................31 +NORWAY...........................47 +POLAND...........................48 +PORTUGAL........................351 +ROMANIA..........................40 +SAN MARINO.......................39 +SPAIN............................34 +SWEDEN...........................46 +SWITZERLAND......................41 +TURKEY...........................90 +VATICAN CITY.....................39 +YUGOSLAVIA.......................38 + +*CENTRAL AMERICA +------------------------------------ +BELIZE..........................501 +COSTA RICA......................506 +EL SALVADOR.....................503 +GUATEMALA.......................502 +HONDURAS........................504 +NICARAGUA.......................505 +PANAMA..........................507 + +*AFRICA +------------------------------------ +ALGERIA.........................213 +CAMEROON........................237 +EGYPT............................20 + + Page 173 + + + + + The Official Phreaker's Manual + +ETHIOPIA........................251 +GABON...........................241 +IVORY COAST.....................225 +KENYA...........................254 +LESOTHO.........................266 +LIBERIA.........................231 +LIBYA...........................218 +MALAWI..........................265 +MOROCCO.........................212 +NAMIBIA.........................264 +NIGERIA.........................234 +SENEGAL.........................221 +SOUTH AFRICA.....................27 +SWAZILAND.......................268 +TANZANIA........................255 +TUNISIA.........................216 +UGANDA..........................256 +ZAMBIA..........................260 +ZIMBABWE........................263 + +*PACIFIC +------------------------------------ +AMERICAN SAMOA..................684 +AUSTRAILIA.......................61 +BRUNEI..........................673 +FIJI............................679 +FRENCH POLYNESIA................689 +GUAM............................671 +HONG KONG.......................852 +INDONESIA........................62 +JAPAN............................81 +KOREA, REPUBLIC OF...............82 +MALAYSIA.........................60 +NEW CALEDONIA...................687 +NEW ZEALAND......................64 +PAPUA NEW GUINEA................675 +PHILIPPINES......................63 +SAIPAN..........................670 +SINGAPORE........................65 +TAIWAN..........................886 +THAILAND.........................66 + +*INDIAN OCEAN +------------------------------------ +PAKISTAN.........................92 +SRI LANKA........................94 + +*SOUTH AMERICA +------------------------------------ +ARGENTINA........................54 +BOLIVIA.........................591 +BRAZIL...........................55 +CHILE............................56 +COLOMBIA.........................57 +ECUADOR.........................593 +GUYANA..........................592 +PARAGUAY........................595 +PERU.............................51 + + Page 174 + + + + + The Official Phreaker's Manual + +SURINAME........................597 +URUGUAY.........................598 +VENEZUELA........................58 + +*NEAR EAST +------------------------------------ +BAHRAIN.........................973 +IRAN.............................98 +IRAQ............................964 +ISRAEL..........................972 +JORDAN..........................962 +KUWAIT..........................965 +OMAN............................968 +QATAR...........................974 +SAUDI ARABIA....................966 +UNITED ARAB EMIRATES............971 +YEMEN ARAB REPUBLIC.............967 + +*CARIBBEAN/ATLANTIC +------------------------------------ +FRENCH ANTILLES.................596 +GUANTANAMO BAY (US NAVY BASE)....53 +HAITI...........................509 +NETHERLANDS ANTILLES............599 +ST. PIERRE AND MIQUELON.........508 + +*INDIA +------------------------------------ +INDIA............................91 + +*CANADA +------------------------------------ +TO CALL CANADA, DIAL 1 + AREA CODE + +LOCAL NUMBER. + +*MEXICO +------------------------------------ +TO CALL MEXICO, DIAL 011 + 52 + CITY CODE+ LOCAL NUMBER. + +***NOTES :DO NOT FORGET ABOUT THE TIME DIFFERENCE WHEN CALLING OUTSIDE OF YOUR +TIME ZONE. CALLING CARDS CAN BE USED OVER SEAS TO CALL BACK INTO THE U.S. FOR +FURTHER INFORMATION CALL TOLL-FREE 1-800-874-0000. DIAL '#' AFTER THE COMPLETE +NUMBER TO MAKE THE CALL GO THROUGH FASTER. + + + + + + + + + + + + + + + + + Page 175 + + + + + The Official Phreaker's Manual + + ************************************** + * * + * International Dialing Codes * + * Country + Routing * + * * + * (Typed by The Dagda Mor) * + * (Edited by The Jammer) * + * * + ************************************** + +To dial international calls: + +International Access Code + Country code + Routing code + +Example : + +To call Frankfurt, Germany, you would do the following: + +011 + 49 + 611 + (# wanted) + # sign(octothrope) + +The # sign at the end is to tell Bell that you are done entering in all the +needed info. + +Here is the list of Country Codes, listed next to the country, and the routing +codes listed next to the city. + +Andorra- 33 Argentina- 54 +------- --------- +all points- 078 Buenos Aires- 1 + + +Australia- 61 Austria- 43 +--------- ------- +Melbourne- 3 Innsbruck- 5222 +Sydney- 2 Vienna- 222 + + +Bahrain- 973 Belgium- 32 +------- ------- +no routing needed Antwerp- 31 + Brussels- 2 + + +Belize- 501 Bolivia- 591 +------ ------- +no routing needed La Paz- 2 + + +Brazil- 591 Chile- 56 +------ ----- +Brasilia-61 Santiago- 2 +Rio de Janeiro- 21 Valparaiso- 31 +Sao Paulo- 11 + + +China- 86 Colombia- 56 +----- -------- +Tainan- 62 none needed + + Page 176 + + + + + The Official Phreaker's Manual + +Taipei- 2 + + +Costa Rica- 506 Cyprus- 357 +----- ---- ------ +no routing needed Nicosia- 21 + + +Denmark- 45 Ecuador- 593 +------- ------- +Aalborg- 8 Cuenca- 4 +Copenhagen 1 or 2 Quito- 2 + + +El Salvador- 503 Fiji- 679 +---------- ---- +no routing needed none needed + + +France- 33 Germany- 49 +------ ------- +Bordeaux- 56 Berlin- 30 +Marseille- 91 Bonn- 228 +Nice- 93 Frankfurt- 661 +Paris- 1 Munich- 89 + + +German. Rep- 37 Greece- 30 +------- --- ------ +¢Y.+Ë« ™$$$HHÈ Athens- 1 + Rhodes- 241 + + +Guam- 671 Guatamala- 502 +---- --------- +no routing needed Guatemala City- 2 + + +Guyana- 592 Haiti- 509 +------ ----- +Georgetown- 02 Port Au Prince- 1 + + +Hoduras- 504 Hong Kong- 852 +------- ---- ---- +no routing needed Hong Kong- 5 + Kowloon- 3 + + +Indonesia- 62 Iran- 98 +--------- ---- +Jakarta- 21 Teheran- 21 + + +Iraq- 964 Ireland- 353 +---- ------- +Baghdad- 1 Dublin- 1 + Galway- 91 + + Page 177 + + + + + The Official Phreaker's Manual + + + +Israel- 978 Italy- 39 +------ ----- +Haifa- 4 Florence- 55 +Jerusalem- 2 Naples- 81 +Tel Aviv- 3 Rome- 6 + Venice- 41 + + +Ivory Coast- 225 Japan- 81 +----- ----- ----- +no routing needed Hiroshima- 822 + Tokyo- 3 + Yokohama- 45 + + +Kenya- 254 Korea- 82 +----- ----- +Nairobi- 2 Pusan- 51 + Seoul- 2 + + +Kuwait- 965 Liberia- 231 +------ ------- +no routing needed none needed + + +Libya- 218 Lechtenstein- 4 +----- ------------ +Tripoli- 21 All points- 75 + + +Luxembourg- 352 Malaysia- 60 +---------- -------- +no routing needed Kuala Lumpur- 3 + + +Monaco- 33 Netherlands- 31 +------ ----------- +All points- 93 Amsterdam- 20 + Rotterdam- 10 + The Hague- 70 + + +New Caledonia- 687 New Zealand- 64 +--- --------- --- ------- +no routing needed Auckland- 9 + Wellinton- 4 + + +Nicaragua- 505 Nigeria- 234 +--------- ------- +Managua- 2 Lagos- 1 + + +Norway- 47 Panama- 507 +------ ------ + + Page 178 + + + + + The Official Phreaker's Manual + +Bergen- 5 none needed +Oslo- 2 + + +Papua New Guinea-675 Paraguay- 595 +----- --- ------ -------- +no routing needed Asuncion- 21 + + +Peru- 51 Phillippines- 63 +---- ------------ +Arequipa- 542 Manila- 2 +Lima- 14 + +Portugal- 351 Romania- 40 +-------- ------- +Lisbon- 19 Bucuresti- 0 + + +San Marino- 39 Saudi Arabia- 966 +--- ------ ----- ------ +All points- 541 Riyadh- 1 + + +Senegal- 221 South Africa- 27 +------- ----- ------ +no routing needed Cape Town- 21 + Pretoria- 12 + + +Spain- 34 Sri Lanka- 94 +----- --- ----- +Barcelona- 3 Colombo- 1 +Canary Is.- 28 +Madrid- 1 +Seville- 54 + + +Suriname- 597 Sweden- 46 +-------- ------ +no routing needed Goteborg- 31 + Stockholm- 8 + + +Switzerland- 41 Tahiti- 689 +----------- ------ +Berne- 31 none needed +Geneva- 22 +Lucerne- 41 +Zurich- 1 + + +Thailand- 66 Tunisia- 216 +-------- ------- +Bangkok- 2 Tunis- 1 + + +Turkey- 90 United Arab + + Page 179 + + + + + The Official Phreaker's Manual + +------ Emirates- 971 +Istanbul- 11 -------- + Abu Dhabi- 2 + Ajman- 6 + Al Ain- 3 + Aweir- 49 + Dubai- 4 + Fujairah- 91 + Jebel Dhana- 5 + Sharjah- 6 + Umm-Al-Quwain- 6 + + +United Kingdom- 44 USSR- 7 +------ ------- ---- +Belfast- 232 Kiev- 044 +Cardiff- 222 Leningrad- 812 +Edinburgh- 31 Minsk- 017 +Glasgow- 41 Moscow- 095 +Liverpool- 51 Tallinn- 0142 +London- 1 + +Vatican City- 39 Venezuela- 58 +------- ---- --------- +All points- 6 Caracas- 2 + Maracaibo- 61 + +Yugoslavia- 38 +---------- +Belgrade- 11 +Zagreb- 41 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 180 + + + + + The Official Phreaker's Manual + + ************************************** + * * + * MAX ACCESS PORTS * + * * + * (LEXITEL CORPORATION) * + * * + * WORD PROCESSED BY THE DAGDA MOR * + * * + ************************************** + +ADRIAN,MI............313-263-0191 LIVONIA, MI..........313-261-6970 +AKRON,OH.............216-275-9814 LOS ANGELES, CA......213-624-9041 +ANN ARBOR, MI........313-451-2121 LOUISVILLE, KY.......502-568-6204 +ATLANTA, GA..........404-525-1769 MARION, OH...........614-387-1011 +AVON LAKE, OH........216-933-2823 MCKEESPORT, PA.......412-664-4870 +BADEN, PA............412-869-1360 MENTOR, OH...........216-255-1645 +BALTIMORE, MD........301-444-7280 MIDDLETOWN, OH.......513-423-1066 +BEAVER FALLS, PA.....412-847-3640 MILWAUKEE, WI........414-933-1880 +BIRMINGHAM, MI.......313-649-0730 MINNEAPOLIS, MN......612-375-0280 +BOSTON, MA...........617-267-9134 MONESSEN, PA.........412-684-8710 +BUFFALO, NY..........716-854-0802 MORTON GROVE,IL......312-950-1066 +BUTLER, PA...........412-285-9081 NEWARK, NJ...........201-624-5040 +CANTON, OH...........216-455-1425 NEWARK, OH...........614-349-8754 +CHICAGO, IL..........312-950-1066 NEW CASTLE, PA.......412-656-9420 +CHILLICOTHE, OH......614-772-1066 NEW YORK, NY.........212-950-1066 +CINCINNATI, OH.......513-421-1880 OAK LAWN, IL.........312-950-1066 +CLEVELAND, OH........216-771-6614 PHILADELPHIA, PA.....215-751-9711 +COLUMBUS, OH.........614-950-1066 PITTSBURG, PA........412-391-9532 +DALLAS, TX...........214-653-1047 PLYMOUTH, MI.........313-451-2121 +DAYTON, OH...........513-223-0366 PONTIAC, MI..........313-332-0500 +DETROIT, MI..........313-950-1066 PORT HURON, MI.......313-982-7115 +ELK GROVE, IL........312-950-1066 PHOENIX, AZ..........602-242-0252 +ELYRIA, OH...........419-323-4431 QUEENS, NY...........718-204-7330 +FINDLAY, OH..........419-424-5934 SANDUSKY, OH.........419-625-1289 +GLEENSHAW, PA........412-486-7394 SHARON, PA...........412-983-0100 +GRAND RAPIDS, MI.....616-456-7925 SPRINGFIELD, OH......513-950-1066 +GREENSBURG, PA.......412-836-8110 STEUBENVILLE, OH.....614-283-1756 +HACKENSACK, NJ.......201-342-2815 ST. LOUIS, MO........314-289-9100 +HOUSTON, TX..........713-224-0982 ST. PAUL, WI.........612-375-0280 +INDIANA, PA..........412-349-8760 TOLEDO, OH...........419-255-1316 +INDIANAPOLIS, IN.....317-638-4442 TROY, OH.............513-335-2303 +KALAMAZOO, MI........616-342-0266 TURTLE CREEK, PA.....412-823-1500 +KANSAS CITY, MO......816-474-6193 WASHINGTON, DC.......202-479-4411 +KOKOMO, IN...........317-453-9932 WASHINGTON, PA.......412-225-1800 +LA GRANGE, IL........312-950-1066 WARREN, MI...........313-268-9120 +LANCASTER, OH........614-687-0159 XENIA, OH............513-376-2991 +LANSING, MI..........517-950-1066 YOUNGSTOWN, OH.......216-746-2021 +LAFAYETTE, IN........317-423-5492 ZANESVILLE, OH.......614-454-6815 + + + + + + + + + + + + Page 181 + + + + + The Official Phreaker's Manual + + ******************** METROFONE ACCESS NUMBERS ******************** + +ANAHEIM, CA (714)527-7055 LOS ANGELES, CA (213)992-8282 +ATLANTA, GA (404)223-1000 LOS ANGELES, CA (213)202-6117 +AUSTIN, TX (512)474-6057 MIAMI, FL (305)326-3300 +BALTIMORE, MD (301)659-7700 MILWAUKEE, WI (414)277-1805 +BEAUMONT, TX (713)833-9331 MINNEAPOLIS, MN (612)370-9000 +BOSTON, MA (617)482-3222 NEW ORLEANS, LA (504)566-8500 +BUFFALO, NY (716)852-9200 NEW YORK, NY (212)732-7430 +CHICAGO, IL (312)853-4700 NEWARK, NJ (201)645-9220 +CINCINNATI, OH (513)241-1747 OAKLAND, CA (415)836-6900 +CLEVELAND, OH (216)861-5163 OKLAHOMA CITY, OK (405)232-9011 +COLUMBUS, OH (614)224-0577 OMAHA, NE (402)422-1120 +CULVER CITY, CA (213)410-0078 PHILADELPHIA, PA (215)351-0100 +DALLAS, TX (214)742-4500 PITTSBURGH, PA (412)261-5720 +DAYTON, OH (513)228-1576 RENO, NV (702)329-1025 +DENVER, CO (303)623-5326 RICHMOND, VA (804)225-1920 +DETROIT, MI (313)963-4847 ST. LOUIS, MO (314)342-1130 +EL MONTE, CA (213)350-1028 SACRAMENTO, CA (916)443-6921 +ELK GROVE, IL (312)981-8870 SAN ANTONIO, TX (512)224-9600 +FT. LAUDERDALE, FL (305)462-3530 SAN DIEGO, CA (714)233-0327 +FT. WORTH, TX (817)338-1639 SAN FRANCISCO, CA (415)956-0162 +HACKENSACK, NJ (201)487-3155 SAN JOSE, CA (408)947-7606 +HARTFORD, CT (203)522-0003 SAN MATEO, CA (415)579-6001 +HAWTHORNE, NJ (201)427-1100 SANTA ANA, CA (714)972-9515 +HINSDALE, IL (312)986-0566 SEATTLE, WA (206)382-0910 +HOUSTON, TX (713)224-9417 SKOKIE, IL (312)679-8120 +HUNTINGTON BEACH, CA (714)972-8515 SYRACUSE, NY (315)474-3911 +INDIANAPOLIS, IN (317)635-6284 TOLEDO, OH (419)243-1046 +KANSAS CITY, KS (913)621-3186 WASHINGTON, DC (202)737-2051 +LONG ISLAND, NY (516)443-5402 +LOS ANGELES, CA (213)629-1026 + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 182 + + + + + The Official Phreaker's Manual + + Area Codes In Numerical Order, by The Jammer +______________________________________________________________________ + +201 Newark New Jersey 519 London Ontario +202 Washington D.C (all) 601 Mississippi (all) +203 Connecticut (all) 602 Arizona (all) +205 Alabama (all) 603 New Hampshire (all) +206 Seattle Washington 605 South Dakota (all) +207 Maine (all) 606 Winchester Kentucky +208 Idaho (all) 607 Binghamton New York +212 Bronx Nyc, New York 608 Madison Wisconsin +212 Manhattan Nyc, New York 609 Trenton New Jersey +213 Los Angeles California 612 St. Paul Minnesota +214 Dallas Texas 613 Ottawa Ontario +215 Philadelphia Pennsylvania 614 Columbus Ohio +216 Cleveland Ohio 615 Nashville Tennessee +217 Springfield Illinois 616 Grand Rapids Michigan +218 Duluth Minnesota 617 Boston Massachusetts +219 Gary Indiana 618 Alton Illinois +301 Maryland (all) 619 San Diego California +303 Colorado (all) 700 Teleconference (all) +304 West Virginia (all) 701 North Dakota (all) +305 Miami Florida 702 Nevada (all) +305 Orlando Florida 703 Alexandria Virginia +307 Wyoming (all) 704 Charlotte North Carolina +308 Abott Nebraska 705 North Bay Ontario +309 Peoria Illinois 712 Councilbluffs Iowa +312 Chicago Illinois 713 Houston Texas +313 Detroit Michigan 714 Anaheim California +314 St. Louis Missouri 715 Bay City Wisconsin +315 Syracuse New York 716 Buffalo New York +316 Wichita Kansas 716 Rochester New York +317 Indinapolis Illinois 717 Harrisburg Pennsylvania +318 Lake charles Lousiana 800 Toll Free (all) +319 Davenport Iowa 801 Utah (all) +401 Rhode Island (all) 802 Vermont (all) +402 Omaha Nebraska 803 South Carolina (all) +404 Atlanta Georgia 804 Richmond Virgina +405 Oklahoma City Oklahoma 805 Bakersfield California +406 Montana (all) 806 Amarillo Texas +408 San Jose California 807 Thunder Bay Ontario +412 Pittsburg Pennsylvania 808 Hawaii (all) +413 Springfield Massachusetts 809 Bermuda (all) +414 Milwaukee Wisconsin 809 Bahamas (all) +415 San Francisco California 809 Puerto Rico (all) +416 Toronto Onterio 809 Virgin Islands (all) +417 Joplin Missouri 812 Evansville Indiana +418 Quebec Quebec 812 Dade park Kentucky +419 Toledo Ohio 814 Johnston Pennsylvania +501 Arkansas (all) 815 Rockford Illinois +502 Frankfort Kentucky 816 Independence Missouri +503 Oregon (all) 817 Fort Worth Texas +504 New Orleans Louisiana 818 Burbank California +504 Baton Rouge Louisiana 819 Trois Riv. Quebec +505 New Mexico (all) 900 Dial-it (all) +507 Rochester Minnesota 901 Memphis Tennessee +509 Pullman Washington 904 Talahassee Florida +512 Austin Texas 906 Escanaba Michigan + + Page 183 + + + + + The Official Phreaker's Manual + +513 Cincinnati Ohio 907 Alaska (all) +514 Montreal Quebec 912 Savannah Georgia +515 Des Moines Iowa 913 Kansas City Kansas +516 Hempstead New York 915 El Paso Texas +517 Lansing Michigan 916 Sacramento California +518 Albany New York 918 Tulsa Oklahoma + 919 Raleigh North Carolina + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 184 + + + + + The Official Phreaker's Manual + +==Phrack Inc.== +Volume One, Issue Two, Phile #5 of 9 + +Updated from November 26, 1985 +Tac Dialups taken from Arpanet +by Phantom Phreaker + + TAC DIALUPS SORTED BY LOCATION 26-NOV-85 + +State/Country 300 Baud 1200 Baud 1200 Type +------------- --------------- ----------------- --------- + + ALABAMA + Anniston Army Depot [M] + (ANNIS-MIL-TAC) (205) 235-6285 (R4) (205) 235-7650 B/V + (205) 237-5731 (R8) (205) 237-5731 (R8) B/V + (205) 237-5770 (R8) (205) 237-5779 (R8) B/V + (205) 237-5805 (R8) (205) 237-5805 (R8) B/V + + *Please note: When accessing the Anniston TAC you must first enter a + , then enter DDN . After you receive CLASS DDN START, + proceed as normal. + + Gunter AFS [M] + + (GUNTER-TAC) (205) 279-3576 + (205) 279-4682 + + Redstone Arsenal [M] + (MICOM-TAC) [none known] + + ARIZONA + Ft. Huachuca [M] + (HUAC-MIL-TAC) [none known] + + Yuma [M] + (YUMA-TAC) (602) 328-2186 (602) 328-2186 B/V + (602) 328-2187 (602) 328-2187 B/V + (602) 328-2188 (602) 328-2188 B/V + + CALIFORNIA (NORTHERN) + Alameda [M] + (ALAMEDA-MIL-TAC) [none known] + + Menlo Park [M] + (SRI-MIL-TAC) (415) 327-5440 (R3) (415) 327-5440 (R3) B + + (USGS3-TAC) [M] [no dialups] + + Moffett Field [M] + (AMES-TAC) [no dialups; contact NSC for access] + William Jones - (415) 694-6482 + (FTS) 494-6482 + (AV) 359-6482 + + Monterey [M] + (NPS-TAC) [none known] + + + Page 185 + + + + + The Official Phreaker's Manual + + Sacsamento [M] + (MCCLELLAN1-MIL-TAC) [none known] + (MCCLELLAN2-MIL-TAC) [none known] + + Stanford [A] + (SU-TAC) (415) 327-5220 + + CALIFORNIA (SOUTHERN) + China Lake [M] + (NWC-TAC) [none known] + + + Edwards AFB [M] + (EDWARD-MIL-TAC) [none known] + + El Segundo [M] + (AFSC-SD-TAC) (213) 643-9204 (213) 643-9204 B/V + + Los Angeles [A] + (USC-TAC) (213) 749-5436 + + Los Angeles [A] + (USC-ARPA-TAC) [none known] + + San Diego [M] + (ACCAT-TAC) (619) 225-1641 (R4) (619) 225-6903 V + (619) 225-6946 (R3) + (619) 223-2148 V + (619) 226-7884 (R2) + + Santa Monica + (RAND-ARPA-TAC) [A] + (213) 393-9230 + (213) 393-9237 + (213) 393-9238 + (213) 393-9239 + + (RAND2-MIL-TAC) [M] [none known] + + COLORADO + Denver Fed Ctr [M] + (USGS2-TAC) (303) 232-0206 (303) 232-0206 B/V + + Lowry Air Force Base [M] + (LOWRY-MIL-TAC) [none known] + + D.C. + Washington + [Andrews AFB] [M] + (AFSC-HQ-TAC) (301) 967-7930 (R16) (301) 967-7930 (R16) B + (301) 736-2990 (R4) (301) 736-2990 (R4) B + (301) 736-2998 (R2) (301) 736-2998 (R2) B + + (PENTAGON-TAC) (202) 553-0229 (R14) (202) 553-0229 (R14) B + + FLORIDA + Eglin AFB [M] + (AFSC-AD-TAC) (904) 882-8202 (904) 882-8202 B/V + + Page 186 + + + + + The Official Phreaker's Manual + + (904) 882-8201 (904) 882-8201 V + + MacDill AFB [M] + (MACDILL-MIL-TAC) [none known] + + Naval Air Station - Jacksonville [M] + (JAX1-MIL-TAC) [none known] + + Naval Air Station - Orlando [M] + (ORLANDO-MIL-TAC) [none known] + + GEORGIA + Robins AFB [M] + (ROBINS-TAC) (912) 926-2725 (912) 926-2725 B/V + (912) 926-2726 + (912) 926-3231 + (912) 926-3232 + (912) 926-2204 (912) 926-2204 B/V + HAWAII + Camp H.M. Smith [M] + (HAWAII2-TAC) (808) 487-5545 (808) 487-5545 B + + ILLINOIS + Scott AFB [M] + (SCOTT-TAC) [none known] + + (SCOTT2-MIL-TAC) [none known] + + KANSAS + Ft. Leavenworth [M] + (LVN-MIL-TAC) (913) 651-7041 (R8) (913) 651-7041 (R8) B + + LOUISIANA + Navy Regional Data Automation Center [M] + (NORL-MIL-TAC) (504) 944-7940 (504) 944-7940 B + (504) 944-7948 (R2) (504) 944-7948 (R2) B + (504) 944-7951 (R5) (504) 944-7951 (R5) B + (504) 944-8702 (R8) (504) 944-8702 (R8) B + + MARYLAND + Aberdeen Proving Ground [M] + (BRL-TAC) (301) 278-6916 (R4) (301) 278-6916 (R4) B/V + + Bethesda [M] + (DAVID-TAC) (202) 227-3526 (R16) (202) 227-3526 (R16) B/V + + Patuxent River [M] + (PAX-RV-TAC) (301) 863-4815 (301) 863-4815 B/V + (301) 863-4816 (301) 863-4816 B/V + (301) 863-5750 (R6) (301) 863-5750 (R6) B/V + + Silver Spring [M] + (WHITEOAK-MIL-TAC) (301) 572-5960 (R10) (301) 572-5960 (R10) B + (301) 572-5970 (R10) (301) 572-5970 (R10) B + + MASSACHUSETTS + Hanscom AFB [M] + (AFGL-TAC) (617) 861-3000 (R8) (617) 861-3000 (R8) B + + Page 187 + + + + + The Official Phreaker's Manual + + (617) 861-4965 (R8) (617) 861-4965 (R8) + + Cambridge + (BBN-MIL-TAC) [M] [none known] + + (BBN-ARPA-TAC) [A] [no dialup capability] + + (CCA-ARP-TAC) [A] [none known] + + (MIT-TAC) [A] + (617) 491-5669 (617) 258-6224 V + (617) 491-5708 (617) 258-6225 V + (617) 491-5734 (617) 258-6227 V + (617) 491-5819 (617) 258-6248 V + (617) 491-5826 + (617) 491-5841 + (617) 491-5849 + (617) 491-6769 + (617) 491-6772 + (617) 491-6937 + (617) 258-6241 + (617) 258-6242 + (617) 258-6243 + + MICHIGAN + U.S. Army Tank Automotive Command (TACOM) - Warren [M] + (TACOM-TAC) [none known] + + MISSOURI + St. Louis [M] + (STLA-TAC) [none known] + + NEBRASKA + Offutt AFB [M] + (SAC1-MIL-TAC) [none known] + + (SAC2-MIL-TAC) (402) 292-4638 (R10) (402) 292-4638 (R10) B + + (SAC-ARPA-TAC) [A] + (402) 294-2398 (402) 294-2398 B + (402) 291-2018 (402) 291-2018 B + (402) 292-7054 (402) 292-7054 B + + NEW JERSEY + Dover [M] + (ARDC-TAC) (201) 724-6731 (201) 724-6731 B/V + (201) 724-6732 (201) 724-6732 B/V + (201) 724-6733 (201) 724-6733 B/V + (201) 724-6734 (201) 724-6734 B/V + + Fort Monmouth [M] + (FTMONMOUTH1-MIL-TAC) (201) 544-2052 (201) 544-2052 B/V + (201) 544-2062 (201) 544-2062 B/V + (201) 544-2072 (201) 544-2072 B/V + (201) 544-2396 (201) 544-2396 B/V + (201) 544-2430 (201) 544-2430 B/V + + (FTMONMOUTH2-MIL-TAC) (201) 544-4254 (R3) (201) 544-2430 B + + Page 188 + + + + + The Official Phreaker's Manual + + (201) 544-2636 B + (201) 544-2638 B + (201) 544-2777 B + + NEW MEXICO + Albuquerque [M] + (AFWL-TAC) [none known] + + White Sands [M] + (WSMR-TAC) [no dialups; contact NSC for access] + Claude (Skeet) Steffey - (505) 678-1271 + (FTS) 898-1271 + (AV) 258-1271 + + NEW YORK + Griffiss AFB + (RADC-ARPA-TAC) [A] [no dialup capability] + + (RADC-TAC) [M] + (315) 339-4913 (R5) + (315) 337-2004 (315) 337-2004 B/V + (315) 337-2005 (315) 337-2005 B/V + + (315) 330-2294 (315) 330-2294 (FTS) 952 B/V + + (315) 330-3587 (315) 330-3587 (FTS) 952 B/V + + NORTH CAROLINA + Ft. Bragg [A] + (BRAGG-ARPA-TAC) (919) 396-1131 (R10) (919) 396-1426 (R5) B/V + (919) 396-1491 (R8) B/V + Ft. Bragg [M] + (BRAGG-MIL-TAC) [none known] + + OHIO + Wright-Patterson AFB [M] + (WPAFB-TAC) (513) 258-4218 + (513) 258-4219 + (513) 258-4987 + (513) 258-4988 + (513) 258-4989 + (513) 258-4990 + + (WPAFB2-MIL-TAC) (513) 257-2172 (R8) (513) 257-2172 (R8) B + (513) 257-2690 (R8) (513) 257-2690 (R8) B + (513) 257-3625 (R8) (513) 257-3625 (R8) B + + OKLAHOMA + Tinker AFB [M] + (TINKER-MIL-TAC) [none known] + + + PENNSYLVANIA + New Cumberland Army Depot [M] + (NCAD-MIL-TAC) [none known] + + (NCAD2-MIL-TAC) [none known] + + + Page 189 + + + + + The Official Phreaker's Manual + + TEXAS + Brooks AFB [M] + (BROOKS-AFB-TAC) (512) 536-3081 (R6) (512) 536-3081 (R6) B/V + + Richardson [A] + (COLLINS-TAC) (214) 235-2131 (214) 235-2131 B + (214) 235-2143 (214) 235-2143 B + (214) 235-2178 (214) 235-2178 B + (214) 235-2204 (214) 235-2204 B + (214) 235-2251 (214) 235-2251 B + (214) 235-2278 (214) 235-2278 B + + UTAH + Dugway Proving Ground [M] + (DUGWAY-MIL-TAC) [none known] + + Salt Lake City (University of Utah) [A] + (UTAH-TAC) (801) 581-3486 (801) 581-3486 B/V + + VIRGINIA + Alexandria [M] + (DARCOM-TAC) (202) 274-5300 (202) 274-5300 B + (202) 274-5320 (R6) (202) 274-5320 (R6) B + + Arlington + (ARPA1-MIL-TAC) [M] [none known] + + (ARPA2-MIL-TAC) [M] [none known] + + (ARPA3-TAC) [A] [no dialup capability] + + Dahlgren [M] + (NSWC-TAC) (703) 663-2162 (R8) (703) 663-2162 (R8) B + + Langley Air Force Base [M] + (LANGLEY-MIL-TAC) [none known] + + McLean [M] + (DDN-PMO-MIL-TAC) [none known] + + + (MITRE-TAC) [M] + (703) 442-8020 (R15) + (703) 893-0330 (R10) (703) 893-0330 (R10) B/V + + Norfolk [M] + (NORFOLK-MILTAC) (804) 423-0241 (R2) (804) 423-0241 (R2) B + (804) 423-0247 (R2) (804) 423-0247 (R2) B + (804) 423-0346 (R4) (804) 423-0346 (R4) B + (804) 423-0480 (804) 423-0480 B + (804) 423-0486 (R2) (804) 423-0486 (R2) B + (804) 423-0489 (804) 423-0489 B + (804) 423-0570 (804) 423-0570 B + (804) 423-0572 (R2) (804) 423-0572 (R2) B + (804) 423-0577 (R2) (804) 423-0577 (R2) B + (804) 423-0651 (804) 423-0651 B + (804) 423-0654 (R3) (804) 423-0654 (R3) B + (804) 423-0841 (R2) (804) 423-0841 (R2) B + + Page 190 + + + + + The Official Phreaker's Manual + + (804) 423-0845 (804) 423-0845 B + (804) 423-0849 (804) 423-0849 B + (804) 423-0858 (804) 423-0858 B + (804) 423-0950 (804) 423-0950 B + (804) 423-0952 (804) 423-0952 B + (804) 423-0955 (R3) (804) 423-0955 (R3) B + (804) 423-0959 (804) 423-0959 B + + Reston + (DCEC-ARPA-TAC) [A] [no dialups available] + + (DCEC-MIL-TAC) [M] + (703) 437-2892 (R5) (703) 437-2928 B + (703) 437-2925 (703) 437-2929 B + (703) 437-2926 + (703) 437-2927 + + WASHINGTON + Seattle [A] + (WASHINGTON-TAC) [no dialup capability] + + ENGLAND [M] + (CROUGHTON-MIL-TAC) [none known] + + GERMANY [M] + (FRANKFURT-MIL-TAC) + (M) 2311-5641 (R8) B + + (RAMSTEIN2-MIL-TAC) [none known] + + ITALY [M] + (AGNANO-MIL-TAC) + + JAPAN [M] + (BUCKNER-MIL-TAC) + + (ZAMA-MIL-TAC) + + KOREA [M] + (KOREA-TAC) (M) 264-4951 (R8) B + + PHILIPPINES [M] + (CLARK-MIL-TAC) + + SPAIN [M] + (MILNET-TJN-TAC) [none known] + + (ROTA-MIL-TAC) [none known] + + Notes: + + 1. "(R10)" following phone number indicates a rotary with 10 lines. + + 2. For alternate phone numbers, FTS=Federal Telephone System. + 3. (M)=Military DoD Telephone System. + + 4. [M] denotes a MILNET TAC and [A] denotes an ARPANET TAC. + + + Page 191 + + + + + The Official Phreaker's Manual + + 5. "1200 Type" refers to the modem compatibility for 1200 baud only: + B/V = Bell and Vadic + B = Bell 212A only + V = Vadic 3400 only + + 6. This list is contained in the file NETINFO:TAC-PHONES.LIST at + SRI-NIC. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 192 + + + + + The Official Phreaker's Manual + + >>==========================<< + >>==> TELCO TEST NUMBERS <==<< + >>====> as of 5/16/85 <=====<< + >>=> compiled and updated <=<< + >>====> by Shadow 2600 <====<< + >>==========================<< + +011-44-61-2468011 : US dial tone then "When this system changes, this is the +new dial tone you hear" (UK is changing dialtone) + +201-226-0709 : alternating tones, then "warble" +201-267-9922 : sweep tone +201-267-9966 : 600 ohm termination +201-232-9924 : (tone 1,2,5-beep, bleep; 9,#- 1200 baud static, beep, bleep; +6-tone, higher tone, bleep) +201-232-9959 : tone 11 sec. silence, repeats... +201-233-9972 : multitude of clicks +201-233-9974 : busy 15 sec. then tone w/ clicks +201-241-9916 : hissing with clicks +201-328-9971 : 1000 hrtz tone +201-376-9907 : "is being checked for trouble. Please try again later" +201-464-9915 : low tone 15 sec, silence +201-464-9916 : low tone 2 sec, silence +201-464-9963 : buzz +201-464-9974 : busy 15 sec, low tone +201-543-9902 : "If you'd like to make a call, hang up and try it again." +201-543-9903 : "We're sorry, your call did not go through." +201-543-9904 : "the number you have dialed requires a .20 cents deposit." +201-655-9900 : "cannot be completed as dialed from the phone you are using" +201-769-0205 : People's Express Reservation system +203-771-4920 : telephone company employee newsline +207-866-4411 : 1000 hrtz tone +212-233-9980 : (tone 1,2,3,*-tone, higher tone, bloop; 5-tone, bloop; 9,#- +static,beep,bloop) +212-369-7003 : "you have reached 212-369-7003 in zone 3" (?) +212-799-5017 : ABC New York feed line +213-621-4141 : telephone employee newsline +213-935-1111 : sweep tone with echo at top of range (?) +215-489-0036 : tone, bloop (1,2,5-tone bloop, 3,6,9-tone, higher tone,tone) +215-489-0040 : "please check your instruction manual or call repair service for +assistance" +215-489-0042 : "if you like to make a call please hang up and try again" +215-489-0043 : "We're sorry, your call did not go through." +215-489-0044 : "The call you have made requires a 25 cent deposit" +215-489-0045 : "You must first dial a 1 when dialing this number." +215-489-0074 : LOUD tone, stops, repeats +215-489-0075 : 600 ohm termination (silence) +215-489-0078 : tone, silence +215-489-0080 : 600 ohm termination +215-489-0097 : tone, (lower pitched than -0078) silence (also at -0098) +215-489-0104 : 1000 hrtz tone +216-861-8300 : tone, then higher tone +301-256-9987 : 1000 hertz +301-546-7777 : "Due to Telephone Company facility trouble your call cannot be +completed at this time" +301-725-9904 : "deposit .20" +305-263-0000 : repeating bloop (keypress 2 : slow reorder w/ bloops, clicks) +305-994-9963 : pay fone instructions + + Page 193 + + + + + The Official Phreaker's Manual + +305-994-9966 : "telephone you are calling from is not in service" +312-222-9948 : tone (keypress 1,2,3,6,7,*-tone, high tone, bleep, +4-tone,bloop,9, #-static,beep,bloop) +312-222-9954 : "Test Center" +312-222-9990 : clicks, ticking like +312-222-9996 : LOUD tone, repeats +312-368-8000 : Illinois Bell Communicator (employee newsline) +312-592-0000 : tone (keypress 2222, then other digits, at re-order type * to +restart) (?) +313-223-7223 : telephone employee newsline +313-333-9981 : LOUD tone, silence +313-333-9989 : high tone (enter touchtones for a while, eventually get +"metallic" echo, then 5-high pitched tone, random re-orders) +313-333-9990 : beep, click repeats, with "winks" +313-333-9994 : tone bloop (keypress in 2-tone,bloop, 3-tone, higher tone,tone, +9-static, beep,bloop) +313-333-9995 : 600 ohm termination (silence) +313-333-9996 : weird siren/sweep tone, multi-frequency +313-430-4300 : beep, beep, beep, then reorder +313-698-9998 : sweep tone +314-247-5511 : Southwestern Bell Telenews (employee newsline) +315-471-9934 : "deposit 5 cents for next five minutes" +408-255-0081 : (any two 2,4,8,0-tone) +408-294-6969 : beep, click, computer voice repeats number +408-395-1110 : (tone 2-bleep,glitch; 3-beep,higher beep;#then number-loud +tone,bleep) +408-738-8190 : (tone 1,3,6,7,*-tone, high tone, tone;2-beep,cluck;9,#- +static,tone,beep) +408-745-6060 : high pitched tone, low tone then repeats +408-994-0044 : tone end of loop +412-633-3333 : telephone company employee newsline +414-628-0001 : continuous tone +414-628-0002 : continuous tone (higher pitched, sounds like muted dial) +414-628-0004 : high pitched tone, bloop, silence +414-628-0006 : brief very high tone (also -0007) (multiple keypresses of +2,5,8,0 tone repeats) +414-628-0010 : loud tone, stops, repeats... +414-628-0011 : loud tone, stops +414-628-0013 : 600 ohm termination (silence) (also -0017, two in an exchange?) +414-628-0014 : continuous tone (sounds like weird dial), eventually stops +414-628-0015 : LOUD tone, repeats +414-628-0028 : "Your call cannot be completed as dialed +414-678-3511 : Wisconsin Bell Newsline +414-781-0004 : high tone, silence (keypress 2,5-beep,bleep, 3,6-beep,longbeep, +bloop, 9-static,bloop) +415-284-1111 : one sweep, then silence +415-327-0046 : sweep tone +415-388-0037 : tone,bloop (keypress 2-tone,bloop, 3-tone,high tone,tone, +9-static,beep,bloop) +415-472-0046 : sweep w/ glitch at top +415-545-8800 : Pacific Bell Newsline +415-467-0097 : fast DTMF tones, keypress to repeat +415-777-0020 : 1000 hrtz tone +415-777-0037 : tone, bloop (keypress 2-beep,bloop, 3,6-tone,higher tone, +9-static,beep,bloop) +415-777-0046 : sweep tone with echo +415-777-0105 : tone,bloop (keypress 2-beep,bleep, 3,6-tone, higher tone, +tone,9-static,beep,bloop + + Page 194 + + + + + The Official Phreaker's Manual + +415-826-0022 : tone, click, tone (sounds like a busy) +415-994-0710 : multitude of clicks +512-472-2181 : "if you would like to make a call, please hang up and try +again" +512-472-4263 : garbled recording (?) +512-472-9833 : "you must first dial a 1 or 0 before calling this number" +512-472-9936 : "please check your instructions or call your business office for +assistance" +512-472-9941 : "insert 25 cents" +516-222-3825 : LOUD tone +516-234-9914 : New York Telephone Newsline +518-471-2272 : New York Telephone Newsline +518-789-3299 : weird busy, multitude of clicks +609-267-9966 : busy with clicks in background +609-267-9967 : 600 ohm termination (silence) +609-267-9968 : 1000 hrtz tone +609-267-9971 : LOUD tone, stops, repeats +609-267-9972 : rings with clicks in background (also -9973 and -9974) +609-877-9924 : high tone (tone in 1,2,5-tone, bloop; 3,6,*-tone, higher tone, +bleep; #-static, beep, bleep) +609-877-9929 : 1000 hrz tone +617-553-9953 : tone end of loop +617-890-9900 : sweep tone +617-955-1111 : telephone company employee newsline +619-748-0002 : tone increases in pitch, silence, repeats in monotone +619-748-0003 : sweep, repeat, hangs up +702-789-6711 : Nevada Bell Newsline +713-354-0000 : touch tone in #, then new #, then 5 - listed, 9 - unlisted) +713-482-3199 : "We're sorry, all circuit are busy now." +713-652-5111 : touch tones echo back "metallic", something about "drivers +licence number" replys in a female recorded voice +717-255-5555 : Bell of Pennsylvania "Inside Line" (employee newsline) +718-429-9900 : "Please slide a valid credit card through the slot now" +800-221-5959 : tone (# makes it ring) +800-228-8466 : Sensaphone (tm) demo (time etc. (EST) (wait 7+ rings)) +800-321-3048 : non-connecting loop with 800-321-3049 +800-321-3052 : loop (don't know where other end is) +800-321-6366 : Centagram's Voice Memo System (extension 100 for demo) +800-323-6321 : tone, stops, bloop repeats +800-327-0000 : "Announcement three, Dallas" (changes sometimes) +800-344-4001 : non-connecting loop with 800-344-4002 +800-524-0000 : "Announcement 1 Atlanta" +800-554-5924 : Cable News Network audio feed +800-824-8274 : "Enter your password service code" +802-955-1111 : telephone company newsline +808-533-4426 : Hawaiian Telephone Newsline +816-391-1122 : recorder (keypress 1-toggle on/off, 3-rewind, 4-stop, 7-play) +907-269-0955 : tone (sounds like extender, doesn't take touch tone (?)) +914-232-9901 : "Daytona, New York DMS-100 verification" +914-268-9901 : "Congers DMS 100 Verification" +914-268-9903 : "your call cannot be completed as dialed" +914-268-9968 : (keypress 2-high tone, 3-high, higher tone, 6,0-click, 7- hangs +up, sometimes 0,#,*-harmony) +914-359-9901 : repeats the number dialed ("914-359-9901") +914-359-9960 : weird tone, stops, clicks, repeats +914-623-9968 : (keypress 2,5-beep glitch, 3,6-tone highertone) +916-480-8000 : Pacific Bell Newsline + + + Page 195 + + + + + The Official Phreaker's Manual + + WHAT A TSPS CONSOLE LOOKS LIKE + +--- NON/COIN ---- ------------- COIN ------------- --------- HOTEL --------- + + ---- ---- ---- ---- ---- ---- ----- --- --- ---- +!VFY ! !OVER! !SCRN! !INWD! !EMER! !STA ! ! 0+ ! !DIAL! !STA ! ! 0+ ! +!DIAL! !POST! !TONE! !STA ! ! 0+ ! !DIAL! !QST ! ! ! ! ! ! ! + ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- + +----- OUTGOING TRUNKS ----- RING RELEASE + + ---- ---- ---- ---- ---- ----- ---- ---- ---- ---- +! DA ! !R&R ! !SWB ! !OGT ! !BACK! ! FWD ! !CALL! !T&C ! !NFY ! !CHG ! + ---- ---- ---- ---- ---- ----- ---- ---- ---- ! DUE! + ---- + --- ---- ---- ---- ---- ---- ---- ---- ---- ---- +!KEY ! !BACK! !FWD ! ! SR ! !MAKE! !MTCE! !POS ! !BACK! ! ! ! ! +!CLG ! ! ! ! ! ! ! !BUSY! !TRFR! ---- ---- ---- ---- + ---- ---- ---- ---- ---- ---- + + ----------------- AMA ----------------- + ---- ---- ---- ---- ---- ---- +STATION -----!PAID! !COL ! !SPL ! !SPL ! !AUTO! !DDD ! + ! ! ! ! !CLG ! !CLD ! !COL ! ! ! + ---- ---- ---- ---- ---- ---- + + ---- ---- ---- ---- ---- +PERSON ----- !PAID! !COL ! !SPL ! !SPL ! ! NO ! + ! ! ! ! !CLG ! !CLD ! !AMA ! + ---- ---- ---- ---- ---- + + ---- ---- ---- + !CLG ! !CLG ! !CLG ! + ! ! ! ! ! ! + ---- ---- ---- + + + + + + + + + + + + + + + + + + + + + + + + + Page 196 + + + + + The Official Phreaker's Manual + + Box Plans + + Hmm... I wonder! This is still under construction (Ha Ha). + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 197 + + + + + The Official Phreaker's Manual + + THE INFINITY TRANSMITTER + + TYPED BY THE GHOST WIND + + FROM THE BOOK BUILD YOUR OWN + LASER, PHASER, ION RAY GUN & OTHER WORKING SPACE-AGE PROJECTS + BY ROBERT IANNINI (TAB BOOKS INC) + +Description: Briefly, the Infinity Transmitter is a device which activates a +microphone via a phone call. It is plugged into the phone line, and when the +phone rings, it will immediately intercept the ring and broadcast into the +phone any sound that is in the room. This device was originally made by +Information Unlimited, and had a touch tone decoder to prevent all who did not +know the code from being able to use the phone in its normal way. This +version, however, will activate the microphone for anyone who calls while it is +in operation. +NOTE: It is illegal to use this device to try to bug someone. It is also +pretty stupid because they are fairly noticeable. +Parts List: +Pretend that uF means micro Farad, cap= capacitor + +Part # Description +---- - ----------- +R1,4,8 3 390 k 1/4 watt resistor +R2 1 5.6 M 1/4 watt resistor +R3,5,6 3 6.8 k 1/4 watt resistor +R7—ª&HHÈ 1 5 k pot/switch +R9,16 2 100 k 1/4 watt resistor +R10 1 2.2 k 1/4 watt resistor +R13,18 2 1 k 1/4 watt resistor +R14 1 470 ohm 1/4 watt resistor +R15 1 10 k 1/4 watt resistor +R17 1 1 M 1/4 watt resistor +C1 1 .05 uF/25 V disc cap +C2,3,5,6,7 5 1 uF 50 V electrolytic cap or tant + (preferably non-polarized) +C4,11,12 3 .01 uF/50 V disc cap +C8,10 2 100 uF @ 25 V electrolytic cap +C9 1 5 uF @ 150 V electrolytic cap +C13 1 10 uF @ 25 V electrolytic cap +TM1 1 555 timer dip +A1 1 CA3018 amp array in can +Q1,2 2 PN2222 npn sil transistor +Q3 1 D4OD5 npn pwr tab transistor +D1,2 2 50 V 1 amp react. 1N4002 +T1 1 1.5 k/500 matching transformer +M1 1 lar + + +Which G-file (Q=Quit) ?  +Call back later when you are there. +I‡ˆ©4Àb¾y¤Qn¢cqolÎ + +NO CARRIER + +D/CASFA/24 DISCONNECTED 00 87 00:01:14:28 9811 354 + +@Çí1ÔoPHúoÿ +NO CARRIER + +RING + +RING + +RING + +RING + \ No newline at end of file diff --git a/textfiles.com/phreak/PHREAKING/phbook.txt b/textfiles.com/phreak/PHREAKING/phbook.txt new file mode 100644 index 00000000..c30e6a8c --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phbook.txt @@ -0,0 +1,660 @@ + + WRITTEN BY::DOCTOR DISSECTOR + HTML & GRAPHICS BY: THE DIGITAL SNIPER + **** An Official Phortune 500 Product **** + + ---------------------------------------------- + a useful source for the phreaker covering both + the basics and advances of phreaking + ---------------------------------------------- + + + GENERAL NOTE + ------------ + +The purpose of this newsletter is purely educational. It has been released in order to teach +and advance the knowledge of today's declining phreaks. However, the author does not +take any responsibility over the misuse of the herein contained information, and the +newsletter itself does not encourage or support the above type of activity. Also, any wrong +or old information in this document is not to the responsibility of the author, and the reader +accepts any consequences due to information that may be mistaken in this manner. + + + + NOTE TO ABUSERS + --------------- + +All information contained within this document was intended towards educational purposes. +Any misuse or illegal use of the information contained in this document is strictly at the +misuser's risk. The author assumes NO responsibility of the reader's actions following the +release this document (in otherwords, you're on your own if you get nailed!) + + + + TPH #1 Table Of Contents: + ========================= + +Title Page & Disclaimer Notes + +Table Of Contents & Introduction + +The Phreak's Vitals + True Definition Of The Phreaker + The Phone Phreak's Ten Commandments + +The Phreaker's Glossary + +Other Fone Information + Voltages & Technical Stuff + Scanning Phun Fone Stuff + +References & Suggested Reading + + + + Introduction To TPH #1 + ====================== + + This phile was written for beginning as well as those uninformed +"advanced" phreaks who need something as a reference when reading +or writing philes concerning phreaking or fone phraud. Of course, you +could be a beginning phreak and use this phile to B.S. your way into a +big group by acting like you know a lot, or something, but that is up +to you. Anyway, I compiled this listing phrom various sources, the +majority is listed as references at the end of this phile. + + This phile's only goal is to educate and inform. Any illegal or +fraudulent activity is neither encouraged nor supported by the author +of this phile, not by the majority of the >TRUE< phreaking community. +The author assumes NO responsibility for the actions of the reader. + + Also, I know that some of the stuff covered in this release of TPH +will be old and outdated; however, I will try to clean that up by the +next release of TPH, and will notify you, the reader, of the changes +due to these revisions. + + + + The Phreak's Vitals: + ==================== + True Definition Of The Phreaker + ------------------------------- + +"Many people think of phone phreaks as slime, out to rip off Bell for +all she is worth. Nothing could be further from the truth! Granted, +there are some who get their kicks by making free calls; however, +they are not true phone phreaks. Real phone phreaks are +'telecommunications hobbyists' who experiment, play with, and learn +from the phone system. Occasionally, this experimenting and a need +to communicate with other phreaks, without going broke, leads to free +calls. The free calls are but a small subset of a >TRUE< phone phreak's +activities." + + - Wise Words Of The Magician + + + + The Phone Phreak's Ten Commandments + ----------------------------------- + + I. Box thou not over thine home telephone wires, for those who doest + will surely bring the wrath of the Chief Special Agent down upon + thy head. + II. Speakest thou not of important matters over thine home telephone + wires, for to do so is to risk thine right of freedom. + III. Use not thine own name when speaking to other phreaks, for that + every third phreak is an FBI agent is well known. + IV. Let not overly many people know that thy be a phreak, as to do so + is to use thine own self as a sacrificial lamb. + V. If thou be in school, strive to get thine self good grades, for the + authorities well know that scholars never break the law. + VI. If thou workest, try to be an employee and impressest thine boss + with thine enthusiasm, for important employees are often saved by + their own bosses. + VII. Storest thou not thine stolen goodes in thine own home, for those + who do are surely non-believers in the Bell System Security Forces, + and are not long for this world. +VIII. Attractest thou not the attention of the authorities, as the + less noticeable thou art, the better. + IX. Makest sure thine friends are instant amnesiacs and willst not + remember thou hast called illegally, for their cooperation with the + authorities willst surely lessen thine time for freedom on this + earth. + X. Supportest thou TAP, as it is thine newsletter, and without it, thy + work would be far more limited. + + + + The Phreaker's Glossary + ======================= + +1XB - No.1 Crossbar system. See XBAR for more information. + +2600 - A hack/phreak oriented newsletter that periodically was + released and still is being released. See Phile 1.6 for more + information on the magazine and ordering. + +4XB - No.4 Crossbar system. See XBAR for more information. + +5XB - No.5 Crossbar system. The primary end office switch of Bell + since the 60's and still in wide use. See XBAR for more detail. + +700 Services - These services are reserved as an advanced forwarding + system, where the forwarding is advanced to a user-programed + location which could be changed by the user. + +800 Exceptional Calling Report - System set up by ESS that will log + any caller that excessively dials 800 numbers or directory + assistance. See ESS for more information. + +800 Services - Also known as WATS. These services often contain WATS + extenders which, when used with a code, may be used to call + LD. Many LD companies use these services because they are + toll-free to customers. Most 800 extenders are considered dangerous + because most have the ability to trace. + +900 Services - Numbers in the 900 SAC usually are used as special + services, such as TV polls and such. These usually are $.50 for the + first minute and $.35 for each additional minute. Dial (900)555-1212 + to find out what the 900 services currently have to offer. + +950 - A nationwide access exchange in most areas. Many LD companies + have extenders located somewhere on this exchange; however, all + services on this exchange are considered dangerous due to the fact + that they ALL have the ability to trace. Most 950 services have + crystal clear connections. + +ACCS - Automated Calling Card Service. The typical 0+NPA+Nxx+xxxx + method of inputting calling cards and then you input the calling + card via touch tones. This would not be possible without ACTS. + +ACD - Automatic Call Distributor. + +ACD Testing Mode - Automatic Call Distributor Test Mode. This level of + phreaking can be obtained by pressing the "D" key down after + calling DA. This can only be done in areas that have the ACD. The + ACD Testing Mode is characterized by a pulsing dial tone. From here, + you can get one side of a loop by dialing 6, the other side is 7. + You may also be able to REMOB a line. All possibilities of the ACD + Test have not been experimented with. See silver box for more details. + +ACTS - Automated Coin Toll Service. This is a computer system that + automates phortress fone service by listening for red box tones and + takes appropriate action. It is this service that is commonly heard + saying, "Two dollars please. Please deposit two dollars for the next + three minutes." Also, if you talk for more than three minutes and + then hang up, ACTS will call back and demand your money. ACTS is + also responsible for ACCS. + +Alliance - A teleconferencing system that is apart from AT&T which + allows the general public to access and use its conferencing + equipment. The equipment allows group conversations with members + participating from throughout the United States. The fone number to + Alliance generally follows the format of 0-700-456-x00x depending on + the location the call originates from and is not accessible direct + by all cities/states. + +AMA - Automated Message Accounting. Similar to the CAMA system; see + CAMA for more info. + +analog - As used for a word or data transmission, a continuously + varying electrical signal in the shape of a wave. + +ANI - Automatic Number Identification - This is the system you can + call, usually a three digit number or one in the 99xx's of + your exchange, and have the originating number you are calling + from read to you by a computer. This is useful if you don't know + the number you are calling from, for finding diverters, and when + you are playing around with other fone equipment like cans or beige + boxes. The ANI system is often incorporated into other fone companies + such as Sprint and MCI in order to trace those big bad phreaks that + abuze codez. + +ANIF - Automatic Number Identification Failure. When the ANI system of + a particular office fails. + +APF - All PINs Fail. This is a security measure which is designed to + frustrate attempts at discovering valid PINs by a hacking method. + +aqua box - A box designed to drain the voltage of the FBI lock-in- + trace/trap-trace so you can hang up your fone in an emergency and + phrustrate the Pheds some more. The apparatus is simple, just + connect the two middle wires of a phone wire and plug, which would + be the red and green wires if in the jack, to the cord of some + electrical appliance; ie, light bulb or radio. KEEP THE APPLIANCE + OFF. Then, get one of those line splitters that will let you hook + two phone plugs into one jack. Plug the end of the modified cord + into one jack and your fone into the other. THE APPLIANCE MUST BE + OFF! Then, when the Pheds turn their lame tracer on and you find + that you can't hang up, remove your fone from the jack and turn + the appliance ON and keep it ON until you feel safe; it may be + awhile. Then turn it off, plug your fone back in, and start + phreaking again. + Invented by: Captain Xerox and The Traveler. + +BAUDOT - 45.5 baud. Also known as the Apple Cat Can. + +BEF - Band Elimination Filter. A muting system that will mute the 2600 + Hz tone which signals hang-up when you hang up. + +beige box - An apparatus that is a home-made lineman's handset. It is + a regular fone that has clips where the red and green wires normally + connect to in a fone jack. These clips will attach to the rings + and tips found in many of MA's output devices. These are highly + portable and VERY useful when messing around with cans and other + output devices the fone company has around. + Invented by: The Exterminator and The Terminal Man. + +BITNET - Nationwide system for colleges and schools which accesses a + large base of education-oriented information. Access ports are + always via mainframe. + +bit stream - Refers to a continuous series of bits, binary digits, + being transmitted on a transmission line. + +black box - The infamous box that allows the calling party to not be + billed for the call placed. We won't go in depth right now, most + plans can be found on many phreak oriented BBS's. The telco can + detect black boxes if they suspect one on the line. Also, these + will not work under ESS. + +bleeper boxes - The United Kingdom's own version of the blue box, + modified to work with the UK's fone system. Based on the same + principles. However, they use two sets of frequencies, foreword + and backwards. + +Blotto box - This box supposedly shorts every fone out in the immediate + area, and I don't doubt it. It should kill every fone in the + immediate area, until the voltage reaches the fone company, and the + fone company filters it. I won't cover this one in this issue, cuz + it is dangerous, and phreaks shouldn't destroy MA's equipment, just + phuck it up. Look for this on your phavorite BBS or ask your + phavorite phreak for info if you really are serious about seriously + phucking some fones in some area. + +blue box - An old piece of equipment that emulated a true operator + placing calls, and operators get calls for free. The blue box seizes + an open trunk by blasting a 2600 Hz tone through the line after + dialing a party that is local or in the 800 NPA so calls will be + local or free for the blue boxer. Then, when the blue boxer has + seized a trunk, the boxer may then, within the next 10-15 seconds, + dial another fone number via MF tones. These MF tones must be + preceded by a KP tone and followed with a ST tone. All of these + tones are standardized by Bell. The tones as well as the inter-digit + intervals are around 75ms. It may vary with the equipment used since + ESS can handle higher speeds and doesn't need inter-digit intervals. + There are many uses to a blue box, and we will not cover any more + here. See your local phreak or phreak oriented BBS for in depth info + concerning blue boxes and blue boxing. Incidentally, blue boxes are + not considered safe anymore because ESS detects "foreign" tones, such + as the 2600 Hz tone, but this detection may be delayed by mixing pink + noise of above 3000 Hz with the 2600 Hz tone. To hang up, the 2600 Hz + tone is played again. Also, all blue boxes are green boxes because MF + "2" corresponds to the Coin Collect tone on the green box, and the + "KP" tone corresponds to the Coin Return tone on the green box. See + green box for more information. Blue boxing is IMPOSSIBLE under the + new CCIS system slowly being integrated into the Bell system. + +blue box tones - The MF tones generated by the blue box in order to + place calls, emulating a true operator. These dual tones must be + entered during the 10-15 second period after you have seized a + trunk with the 2600 Hz tone. + + 700: 1 : 2 : 4 : 7 : 11 : KP= Key Pulse + Parallel Frequencies 900: ** : 3 : 5 : 8 : 12 : ST= STop + 2= Coin Collect 1100: ** : ** : 6 : 9 : KP : KP2= Key Pulse 2 + KP= Coin Return 1300: ** : ** : ** : 10 :KP2 : **= None + (green box tones) 1500: ** : ** : ** : ** : ST : + : 900:1100:1300:1500:1700: 75ms pulse/pause + +BLV - Busy Line Verification. Allows a TSPS operator to process a + customer's request for a confirmation of a repeatedly busy line. + This service is used in conjunction with emergency break-ins. + +BNS - Billed Number Screening. + +break period - Time when the circuit during pulse dialing is left + open. In the US, this period is 40ms; foreign nations may use 33ms + break periods. + +break ratio - The interval pulse dialing breaks and makes the loop + when dialing. The US standard is 10 pulses per second. When the + circuit is opened, it is called the break interval. When the circuit + is closed, it is called the make interval. In the US, there is a + 60ms make period and a 40ms break period. This is often referred to + as a 60% make interval. Many foreign nations have a 67% make interval. + +bridge - I don't really understand this one, but these are important + phreak toys. I'll cover them more in the next issue of TPH. + +British Post Office - The United Kingdom's equivalent to Ma Bell. + +busy box - Box that will cause the fone to be busy, without taking it + OFF-HOOK. Just get a piece of fone wire with a plug on the end, + cut it off so there is a plug and about two inches of fone line. + Then, strip the wire so the two middle wires, the tip and the ring, + are exposed. Then, wrap the ring and the tip together, tape with + electrical tape, and plug into the fone jack. The fone will be busy + until the box is removed. + +cans - Cans are those big silver boxes on top of or around the telephone + poles. When opened, the lines can be manipulated with a beige box + or whatever phun you have in mind. + +calling card - Another form of the LD service used by many major LD + companies that composes of the customers fone number and a PIN + number. The most important thing to know when questioned about + calling cards are the area code and the city where the calling card + customer originated from. + +CAMA - Centralized Automatic Message Accounting. System that records + the numbers called by fones and other LD systems. The recording can + be used as evidence in court. + +CC - Calling Card. + +CC - Credit Card. + +CCIS - Common Channel Inter-office Signaling. New method being incorporated + under Bell that will send all the signaling information over separate + data lines. Blue boxing is IMPOSSIBLE under this system. + +CCITT - The initials of the name in French of the International Telegraph + and Telephone Consultative Committee. At CCITT representatives of + telecommunications authorities, operators of public networks and + other interested bodies meet to agree on standards needed for + international intermarrying of telecommunications services. + +CCS - Calling Card Service. + +CCSS - Common Channel Signalling System. A system whereby all signalling + for a number of voice paths are carried over one common channel, + instead of within each individual channel. + +CDA - Coin Detection and Announcement. + +CF - Coin First. A type of fortress fone that wants your money before + you receive a dial tone. + +Channel - A means of one-way transmission or a UCA path for electrical + transmission between two or more points without common carrier, + provided terminal equipment. Also called a circuit, line, link, + path, or facility. + +cheese box - Another type of box which, when coupled with call forwarding + services, will allow one to place free fone calls. The safety of + this box is unknown. See references for information concerning text + philes on this box. + +clear box - Piece of equipment that compromises of a telephone pickup + coil and a small amp. This works on the principal that all receivers + are also weak transmitters. So, you amplify your signal on PP + fortress fones and spare yourself some change. + +CN/A - Customer Name And Address. Systems where authorized Bell employees + can find out the name and address of any customer in the Bell + System. All fone numbers are listed on file, including unlisted + numbers. Some CN/A services ask for ID#'s when you make a request. + To use, call the CN/A office during normal business hours, and say + that you are so and so from a certain business or office, related to + customers or something like that, and you need the customer's name + and address at (NPA)Nxx-xxxx. That should work. The operators to + these services usually know more than DA operators do and are also + susceptible to "social engineering." It is possible to bullshit a + CN/A operator for the NON PUB DA number and policy changes in the + CN/A system. + +CO Code - Central Office code which is also the Nxx code. See Nxx for + more details. Sometimes known as the local end office. + +conference calls - To have multiple lines inter-connected in order to + have many people talking in the same conversation on the fone at + once. See Alliance and switch crashing for more information. + +credit operator - Same as TSPS operator. The operator you get when you + dial "0" on your fone and phortress fones. See TSPS for more + information. + +CSDC - Circuit Switched Digital Capability. Another USDN service that + has no ISDN counterpart. + +DA - Directory Assistance. See directory assistance. + +DAO - Directory Assistance Operator. See directory assistance. + +data communications - In telefone company terminology, data communications + refers to an end-to-end transmission of any kind of information + other than sound, including voice, or video. Data sources may be + either digital or analog. + +data rate - The rate at which a channel carries data, measured in bits + per second, bit/s, also known as "data signalling rate." + +data signalling rate - Same as "data rate." See data rate. + +DCO-CS - Digital Central Office-Carrier Switch. + +DDD - Direct Distance Dialed. + +Dial-It Services - See 900 Services. + +digital - A method to represent information to be discrete or individually + distinct signals, such as bits, as opposed to a continuously + variable analog signal. + +digital transmission - A mode of transmission in which all information + to be transmitted is first converted to digital form and then + transmitted as a serial stream of pulses. Any signal, voice, data, + television, can be converted to digital form. + +Dimension 2000 - Another LD service located at (800)848-9000. + +directory assistance - Operator that you get when you call 411 or + NPA-555-1212. This call will cost $.50 per call. These won't know + where you are calling from, unless you annoy them, and do not have + access to unlisted numbers. There are also directory assistance + operators for the deaf that transfer BAUDOT. You can call these and + have interesting conversations. The fone number is 800-855-1155, are + free, and use standard Telex abbreviations such as GA for Go Ahead. + These are nicer than normal operators, and are often subject to + "social engineering" skills (bullshitting). Other operators also + have access to their own directory assistance at KP+NPA+131+ST. + +diverter - This is a nice phreak tool. What a diverter is is a type of + call forwarding system done externally, apart from the fone company, + which is a piece of hardware that will foreword the call to + somewhere else. These can be found on many 24 hour plumbers, doctors, + etc. When you call, you will often hear a click and then ringing, or + a ring, then a click, then another ring, the second ring often sounds + different from the first. Then, the other side picks the fone up and + you ask about their company or something stupid, but DO NOT ANNOY + them. Then eventually, let them hang up, DO NOT HANG UP YOURSELF. + Wait for the dial tone, then dial ANI. If the number ANI reads is + different from the one you are calling from, then you have a + diverter. Call anywhere you want, for all calls will be billed to + the diverter. Also, if someone uses a tracer on you, then they trace + the diverter and you are safe. Diverters can, however, hang up on you + after a period of time; some companies make diverters that can be + set to clear the line after a set period of time, or click every once + in a while, which is super annoying, but it will still work. + Diverters are usually safer than LD extenders, but there are no + guarantees. Diverters can also be accessed via phortress fones. Dial + the credit operator and ask for the AT&T CREDIT OPERATOR. They will + put on some lame recording that is pretty long. Don't say anything + and the recording will hang up. LET IT HANG UP, DO NOT HANG UP. Then + the line will clear and you will get a dial tone. Place any call you + want with the following format: 9+1+NPA+Nxx+xxxx, or for local calls, + just 9+Nxx+xxxx. I'd advise that you call ANI first as a local call + to make sure you have a diverter. + +DLS - Dial Line Service. + +DNR - Also known as pen register. See pen register. + +DOV - Data-Over-Voice. + +DSI - Data Subscriber Interface. Unit in the LADT system that will + concentrate data from 123 subscribers to a 56k or a 9.6k + bit-per-second trunk to a packet network. + +DT - Dial tone. + +DTF - Dial Tone First. This is a type of fortress fone that gives you + a dial tone first. + +DTI - Digital Trunk Interface. + +DTMF - Dual-Tone-Multi-Frequency, the generic term for the touch tone. + These include 0,1,2,3,4,5,6,7,8,9 as well as A,B,C,D. See silver + box for more details. + +DVM - Data Voice Multiplexor. A system that squeezes more out of a + transmission medium and allows a customer to transmit voice and data + simultaneously to more than one receiver over the existing telefone + line. + +emergency break-in - Name given to the art of "breaking" into a busy + number which will usually result in becoming a third party in the + call taking place. + +end office - Any class 5 switching office in North America. + +end-to-end signalling - A mode of network operation in which the + originating central office, or station, retains control and signals + directly to each successive central office, or PBX, as trunks are + added to the connection. + +ESS - Electronic Switching System. "The phreak's nightmare come true." + With ESS, EVERY SINGLE digit you dial is recorded, even mistakes. + The system records who you call, when you call, how long you + talked, and, in some cases, what you talked about. ESS is programed + to make a list of people who make excessive 800 calls or directory + assistance. This is called the "800 Exceptional Calling Report." ESS + can be programed to print out logs of who called certain numbers, + such as a bookie, a known communist, a BBS, etc. ESS is a series of + programs working together; these programs can be very easily changed + to do whatever the fone company wants ESS to do. With ESS, tracing + is done in MILLISECONDS and will pick up any "foreign" tones on the + line, such as 2600 Hz. Bell predicts the whole country will be on + ESS by 1990! You can identify an ESS office by the functions, such + as dialing 911 for help, fortress fones with DT first, special + services such as call forwarding, speed dialing, call waiting, etc., + and ANI on LD calls. Also, black boxes and Infinity transmitters + will NOT work under ESS. + +extender - A fone line that serves as a middleman for a fone call, such + as the 800 or 950 extenders. These systems usually require a multi- + digit code and have some sort of ANI to trace suspicious calls with. + +facsimile - A system for the transmission of images. The image is scanned + at the transmitter, reconstructed at the receiving station, and + duplicated on some form of paper. Also known as a FAX. + +FAX - See facsimile for details. + +FiRM - A large cracking group who is slowly taking the place of PTL and + the endangered cracking groups at the time of this writing. + +fortress phone - Today's modern, armor plated, pay fone. These may be + the older, 3 coin/coin first fones or the newer, 1 coin/DT first + fones. There are also others, see CF, DTF, and PP. Most phortresses + can be found in the 9xxx or 98xx series of your local Nxx. + +gateway city - See ISC. + +Gestapo - The telefone company's security force. These nasties are the + ones that stake out misused phortresses as well as go after those + bad phreaks that might be phucking with the fone system. + +green base - A type of output device used by the fone company. Usually + light green in color and stick up a few feet from the ground. See + output device for more information. + +green box - Equipment that will emulate the Coin Collect, Coin Return, + and Ringback tones. This means that if you call someone with a + fortress fone and they have a green box, by activating it, your + money will be returned. The tones are, in hertz, Coin Collect=700+ + 1100, Coin Return=1100+1700, and Ringback=700+1700. However, before + these tones are sent, the MF detectors at the CO must be alerted, + this can be done by sending a 900+1500 Hz or single 2600 Hz wink + of 90ms followed by a 60ms gap, and then the appropriate signal for + at least 900ms. + +gold box - This box will trace calls, tell if the call is being traced, + and can change a trace. + +grey box - Also known as a silver box. See silver box. + +group chief - The name of the highest ranking official in any fone + office. Ask to speak to these if an operator is giving you trouble. + +high-speed data - A rate of data transfer ranging upward from 10,000 + bits per second. + +H/M - Hotel/Motel. + +ICH - International Call Handling. Used for overseas calls. + +ICVT - InComing Verification Trunk. + +IDA - Integrated Digital Access. The United Kingdom's equivalent of + ISDN. + +IDDD - International Direct Distance Dialing - The ability to place + international calls direct without processing through a station. + Usually, one would have to place the call through a 011, station, or + a 01, operator assisted, type of setup. + +IDN - Integrated Digital Networks. Networks which provide digital + access and transmission, in both circuit switched and packet modes. + +in-band - The method of sending signaling information along with the + conversion using tones to represent digits. + +INS - Information Network System. Japan's equivalent of ISDN. + +Intercept - The intercept operator is the one you get connected to when + there are not enough recordings available to tell you that the + number has been disconnected or changed. These usually ask what + number you are calling and are the lowest form of the operator. + +intermediate point - Any class 4X switching office in North America. + Also known as an RSU. + +international dialing - In order to call across country borders, one must + use the format PREFIX + COUNTRY CODE + NATION #. The prefix in + North America is usually 011 for station-to-station calls or 01 for + operator-assisted calls. If you have IDDD, you don't need to place + this prefix in. + +INTT - Incoming No Test Trunks. + +INWARD - An operator that assists your local TSPS '0' operator in + connecting calls. These won't question you as long as the call is + within their service area. The operator can ONLY be reached by other + operators or a blue box. The blue box number is KP+NPA+121+ST for + the INWARD operator that will help you connect to any calls in that + area ONLY. + +INWATS - Inward Wide Area Telecommunications Service. These are the 800 + + + + + + + + + + + + + + + + + + + + + diff --git a/textfiles.com/phreak/PHREAKING/phk90s.txt b/textfiles.com/phreak/PHREAKING/phk90s.txt new file mode 100644 index 00000000..085eb597 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phk90s.txt @@ -0,0 +1,409 @@ + + Hitchhikers guide to the phone system.. Phreaking in the nineties + (By Billsf) + + + Introduction + ------------ + + + In this article I will try to introduce you to the most complex machine on +earth: the phone system. It's a guide to having fun with the technology, and +I hope it will help you on your travels through the network. It is by no +means a definitive manual: If you really want to get into this, there are lots +of additional things you must learn and read. + This article assumes you know a little bit about the history of phreaking. +It is meant as an update for the sometimes very outdated documents that can +be downloaded from BBS's. In here I'll tell you which of the old tricks might +still work today, and what new tricks you may discover as you become a phone +phreak. + As you learn to phreak you will (hopefully) find ways to make calls that +you could not make in any other way. Calls to test numbers that you cannot +reach from normal network, calls to ships (unaffordable otherwise), and much +more. As you tell others about the hidden world you have discovered, you will +run into people who have been brainwashed into thinking that all exploration +into the inner workings of the phone system is theft or fraud. Convincing +these people of your right to explore is probably a waste of time, and does +not advance your technical knowledge. + Phreaking is like magic in more than one way. Those people who are really +good share their tricks with each other, but usually don't give out these +tricks to anyone walking by. This will be somewhat annoying at first, but +once you're really good you'll understand that it's very unpleasant if the +trick you just discovered is wasted the very next day. I could tell you at +least twenty new tricks in this article but I prefer to teach you how to find +your own. + Having said this, the best way to get into phreaking is to hook up with +other phreaks. Unlike any other sub-culture, phreaks are not bound by any +geographical restrictions. You can find other phreaks by looking for +hacker/phreak BBS's in your region. Having made contact there you may en- +counter these same people in teleconferences that are regularly set up. These +conferences usually have people from all over the planet. Most phreaks from +other contries outside the United States speak Englisch, so language is not +as much of a barrier as you might think. + If you live in a currently repressed area, such as the United States, you +should beware that even the things that you consider "harmless exploring" +could get you into lots of trouble (confiscation of computer, fines, probation +jail, loss of job, etc.). Use your own judgement and find your protection. + + + Getting Started + --------------- + + The human voice contains components as low as 70Hz, and as high as 8000Hz. +Most energy however is between 700 and 900Hz. If you cut off the part under +200 and above 3000, all useful information is still there. This is exactly +what phone companies do on long distance circuits. + If you think all you have to do is blow 2600Hz and use a set of twelve MF +combinations, you have a lot of catching up to do. One of the first multi- +frequency systems was R1 with 2600Hz as the line signalling frequency, but for +obvious reasons it is rarely used anymore, except for some very small remote +communities. In this case its use is restricted, meaning it will not give you +access to all the world in most cases. + To begin with, all experimenting starts at home. As you use your phone, +take careful note as what it does on a variety of calls. Do you hear "dialing" +in the background of certain calls as they are set up? Do you hear any high +pitched beeps while a call is setting up, as it's answered or at hangup of +the called party? + Can you make your CO fial to complete a call either by playing with the +switchhook or dialing strange numbers? If you are in the United States, did +you ever do something that will produce a recording:"We're sorry, your call +did not go through..." after about 15 seconds of nothing? + If you can do the last item, you are "in" for sure! Any beeps on answer or +hang-up of the called party also means a sure way in. Hearing the actual MF +tones produced by the telco may also be your way in. While it would be nice +to find this behavior on a toll-free circuit, you may consider using a +national toll circuit to get an overseas call or even a local circuit for a +bigger discount. Every phone in the world has a way in. All you have to do +is find one! + + + An overview of Systems + ---------------------- + + First we must start with numbering plans. The world is divided up into +eight separate zones. Zone 1 is the United States, Canada and some Caribbean +nations having NPA 809. Zone 2 is Africa. Greenland (299) and Faroe Islands +(298) do not like their Zone 2 assignment, but Zones 3 and 4 (Europe) are +all taken up. Since the DDR is now unified with BRD (Germany) the code 37 is +up for grabs and will probably be subdivided into ten new country codes to +allow the new nations of Europe, including the Baltics, to have their own +codes. Greenland and the Faroe Islands should each get a 37x country code. +Zone 5 is Latin America, including Mexico (52) and Cuba (53). Zone 6 is the +south Pacific and includes Australia (61), New Zealand (64) and Malaysia (60). +Zone 7 is now called CIS (formerly the Soviet Union), but may become a third +European Code. Zone 8 is Asia and includes Japan (81), Korea (82), Vietnam +(84), China (86), and many others. Zone 9 is the sub-continent of India (91) +and surrounding regions. A special sub-zone is 87, which is the maritime +satellite service (Inmarsat). Country code 99 is reserved as a test code for +international and national purposes and may contain many interesting numbers. + In zone 1, a ten digit number follows with a fixed format, severely limiting +the total number of phones. NPA's like 310 and 510 attest to that. The new +plan (beginning in 1995) will allow the middle digit to be other than 1 or 0, +allowing up to five times more phones. This is predicted to last into the +21st century. After that Zone 1 must move to the fully extensible system used +in the rest of the world. + The "rest of the world" uses a system where "0" precedes the area code for +numbers dialed within the country code. France and Denmark are notable ex- +ceptions, where there are no area codes or just one as in France (1 for Paris +and just eight digits for the rest). This system has proven to be a total +mess - worse than the Zone 1 plan! + In the usual numbering system, the area code can be of any length, but at +this time between one and five digits are used. The phone number can be any +length too, the only requirement being that the whole number, including the +country code but not the zero before the area code, must not exceed fourteen +digits. Second dialtones are used in some systems to tell customers they are +connected to the area they are calling and are to proceed with the number. +With step-by-step, you would literally connect to the distant city and then +actually signal it with your pulses. Today, if second dialtones are used it's +only because they were used in the past. They have no meaning today, much +like the second dialtones in the custom calling features common in the United +States. The advantages of the above "linked" system is that it allows ex- +pansion where needed without affecting other numbers. Very small villages may +only have a three digit number while big cities may have eight digit numbers. +Variations of this basic theme are common. In Germany, a large company in +Hamburg may have a basic five digit number for the reception and eight digit +numbers for the employee extensions. In another case in this same town, +analog lines have seven digits and ISDN lines have eight digits. In many +places it common to have different length numbers coming to the same place. +As confusing as it sounds, it really is easier to deal with than the fixed +number plan! + + + International Signalling Systems + -------------------------------- + + CCITT number four (C4) is an early system that linked Europe together and +connected to other systems for overseas calls. C4 uses two tones: 2040 and +2400. Both are played together for 150mS (P) to get the attention of the +distant end, followed by a "long" (XX or YY = 350mS) or a "short" (X or Y = +100mS) of either 2040 (x or X) or 2400 (y or Y) to indicate status of the +call buildup. Address data (x=1 or y=0, 35 ms) is sent in bursts of four bits +as hex digits, allowing 16 different codes. One hundred milliseconds of +silence was placed between each digit in automatic working. Each digit there- +fore took 240mS to send. This silence interval was non-critical and often had +no timeout, allowing for manual working. C4 is no longer in wide use, but it +was, due to its extreme simplicity a phreak favorite. + CCITT number five (C5) is still the world's number one overseas signalling +method; over 80 percent of all overseas trunks use it. The "plieks" and tones +on Pink Floyd's "The Wall" are C5, but the producer edited it, revealing an +incomplete number with the old code for Londen. He also botched the cadance +of the address signalling very badly, yet it really sounds OK to the ear as +perhaps the only example most Americans have of what an overseas call sounds +like! + In actual overseas working, one-half second of 2400 and 2600Hz, compound, +is sent (clear forward) followed by just the 2400Hz (seize), which readies +the trunk for the address signalling. All address signals are preceded with +KP1 (code 13) for terminal traffic, plus a discriminating digit for the class +of call and the number. The last digit is ST (code 15) to tell the system +signalling is over. For international transit working, KP2 (code 14) is used +to tell the system a country code follows, after which the procedure is +identical to the terminal procedure. + CCITT six and seven (C6 and C7) are not directly accessible from the +customer's line, yet many "inband" systems interface to both of thes. C6 is +also called Common Channel Interoffice Signalling (CCIS) and as its name +implies, a dedicated line carries all the setup information for a group of +trunks. Modems (usually 1200 Bps) are used at each end of the circuit. CCIS +is cheaper, and as an added benefit, killed all the child's play blue boxing +that was common in the states in the 60's and early 70's. In the early 80's +fiber and other digital transmission became commonplace, and a new signalling +standard was required. C7 places all line, address, and result (backward) +signalling on a Time Division Multiplexed Circuit (TDM and TDMC) along with +everything else like data and voice. All ISDN systems require the use of SS7 +to communicate on all levels from local to worldwide. + The ITU/CCITT has developed a signalling system for very wide and general +use. One called "The European System", R2 has become a very widespread inter- +national system used on all continents. R2 is the most versatile end-to-end +system ever developed. It is a two-way system like C7 and comes in two forms, +analog and digital, both fully compatible with each other. R2 has completely +replaced C4, with the possible exception of a few very remote areas where it +works into R2 using using registers. Two groups of fifteen, two of six MF +tones are used for each direction, the high frequency group forward and the +low group backward. Line signalling can be digital with two channels or out- +of-band at 3825Hz, DC, or in cases of limited bandwidth on trunks, can use the +C4 line signals, just the 2040 + 2400Hz or 3000Hz or even backward signals +sent in a forward direction. The signals can be digitally quantised using the +A-law or u-law codec standards, resulting in compatible signals for analog +lines. In international working, only a small part of the standard is man- +datory with a massive number of options available. For national working, an +ample number of MF combinations are "reserved for national use", providing +an expandable system with virtually limitless capabilities. R2 is the "system +of the nineties" and mastering this, for the first time, allows the phone +phreak "to hold the whole world in his hands" in a manner that the person who +coined this phrase could have only dreamed of in the early seventies! + With the exception of bilateral agreements between neighboring countries to +make each other's national systems compatible, especially in border regions, +all international systems in use are: C5, C6, C7, and R2. R2 is limited to a +single numbering region by policy and must use one of the three remaining +systems for overseas working. There are few technical limitations to prevent +R2 from working with satellites, TASI, or other analog/digital underseas +cables. The spec is flexible enough to allow overseas working, but is not +done at the present time. R2 is likely to displace C5 on the remaining analog +trunks in the near future. + +DTMF is on a 4x4 matrix, one tone from a row and one from a column. + 1=697+1209, etc. + + 1209 1336 1477 1633 + 697 1 2 3 A + 770 4 5 6 B + 852 7 8 9 C + 941 * 0 # D + +MF signalling, often used to signal between pionts, uses a 2 of 6 matrix. +Each tone has a weighting which adds up to an unique number. The three +standard sets of tones use this system. + + Digit Weighting + 1 0+1 + 2 0+2 + 3 1+2 + 4 0+4 + 5 1+4 + 6 2+4 + 7 0+7 + 8 1+7 + 9 2+7 + 0 (Code 10) 4+7 + 11 (Code 11) 0+12 + 12 (Code 12) 1+12 + KP1 (Code 13) 2+12 + KP2 (Code 14) 3+12 + ST (Code 15) 7+12 + +For C5, either KP is 100mS and each digit lasts 50mS. A 50mS off time is used +between each digit. For older R1 systems, the KP is 100mS and each digit is +68mS on and 68mS off. Modern systems are C5 compatible and use the C5 timing. +In North America, an additional 50 or 68mS pause is inserted before the last +digit. +Example: KP18(pause)2ST.....KP03120600148(pause)0ST. This pattern was added +about 15 years ago and appears to be unnecessary, except to give an audible +indication of false (blue box) signalling. Its is is HIGHLY recommended for +phreaks where it is normally used by the telco! R2 is a COMPELLED system +where reception of the forward signal produces a backward signal, which at +its reception, stops the forward signal. The stopping of the forward signal +stops the backward signal, and when the stopping of the backward signal is +detected, a new forward signal is generated. This goes back and forth until +all the information is transmitted. The backward signal (usually "1", send +next digit) tells the sendig end what to send next. See the CCITT Red Book +or Welch for complete information on both systems. + + Weight MFC R2 forward R2 Backward + 0 700 1380 1140 + 1 900 1500 1020 + 2 1100 1620 900 + 4 1300 1740 780 + 7 1500 1860 660 + 12 1700 1980 540 + +C4 is the old European signalling system. The address signals have 35mS pause +between each beep and 100mS pause (minimum) between each digit. Minimum time +to send a digit (including pause) is 345mS. This system is limited use today, +if at all. + + x: 2040 35mS (binary "1") + y: 2400 35mS (binary "0") + X: 2040 100mS + Y: 2400 100mS + XX: 2040 350mS + YY: 2400 350mS + P: 2040+2400 150mS + + Clear Forward: PXX + Transit Seizure: PX + Forward Transfer: PYY + Terminal Seizure: PY + 1: yyyx + 2: yyxy + 3: yyxx + ... + 14: xxxy + 15: xxxx + 16: yyyy + + + Place Event Freq Cadance + ========================================================================= + N. America dialtone 350+440 Continuous + ring 440+480 2s on 4s off + busy 480+620 0.5s on 0.5s off + fast busy 480+620 0.25 on 0.25 off + England ring 450+500 0.25 on 0.5 off + (Australia,New Zealand, 0.25 on 2.0 off + etc.) + Japan ring 450+500 1.0 on 2.0 off + Holland dialtone 150+450 Continuous + (450 at -8dB) + most of world all 400 or 440 (See text) + SIT 950, 1400, 1800 (See text) + + + Most of the world's phone systems use only one low pitched tone to represent +all calling status. The most common tones in use are 400Hz, 440Hz and 450Hz. +In some cases the tones are modulated, usually AM, at 25 or 50Hz at variable +depths. In some old switches, the ring modulates the tone, or it is just the +harmonics of the ring frequency, which is usually 25Hz, but can be other +frequencies, producing the "fart ring". Cadances for the busy are either the +fast at 0.25 on and 0.25 off, or the slow at 0.5 on and 0.5 off. Ring signals +are usually on one second and off for two, but can vary. In Iraq, the ring is +continuous! The SIT (Subscriber Information Tone) is 950 then 1400 and then +1800Hz. The total length is about one second. The lengths of the individual +tones are sometimes variable to impart different meanings for automatic +detection. + + + National Signalling Systems + --------------------------- + + CCITT 1, 2 and 3 are early international standards for signalling the +distant end. C1 is just a 500Hz line signalling tone, and was used to alert +the operator at a distant switchboard that there was traffic and no DC path, +due to amplifiers or repeaters on a relatively long circuit. C1 has only one +line signalling function (forward transfer) and no address signalling. It is +probably used nowhere. + CCITT 2 was the first international standard that used address signalling, +allowing automatic completion of calls. Two frequencies, 600Hz and 750Hz, +were used for line signalling and by pulsing between the two frequencies, +representing make and break, of the loop current at the distant end during +signalling, calls were automatically pulse dialable. You may actually find +this system in limited use in very remote parts of Australia or South Africa. +Fairly high signalling levels are required and may very well make customer +signalling impossible, unless you are right there. Travel to both the above +countries should be fascinating however for both phone play and cultural +experience! + CCITT 3 is an improved pulse system. Onhook is represented by the presence +of 2280Hz and offhook by the absence of 2280Hz. This exact system is still +used in a surprising number of places. Pulse-dial PBX's often use C3 to signal +distant branches of a company over leased lines. Signalling for this system +is generally at a much lower level than C2: The tones will propagate over any +phone line. + A system from the early 50's is called R1. Many people remember R1 as the +Blue boxes of the 60's and 70's . R1 is still in wide use in the United +States, Canada and Japan. The use of 2600Hz for line signalling is quite rare +in the 90's, but can be found in all of the above countries. Address signal- +ling uses the MFC standard which is a combination of two of six tones +between 700Hz and 1700Hz as in CCITT 5. Alsmost all R1 used either "out of +band" signalling at 3825Hz or 3350Hz or some form of digital or DC line +signalling. To use this system from home one must find an indirect method of +using the "out of band" signalling. In North America, most signalling from +your central office to your long distance carrier is R1, as is most OSPS/ +TSPS/TOPS operator traffic. + Pulse systems like CCITT 2 and 3 are still used in national systems. In +North America, the C3 standard using 2600Hz in place of 2280 for national +working was commonplace through the 70's and still has limited end-to-end use +today. "End-to-end" use refers to sending just the last few digits (usually +five) to complete the call at the distant end. The only use this may have to +the phreak would be to make several calls to a single locality on one quarter. +It may be possible that a certain code would drop you into an R1, but you +just have to experiment! This type of system is referred to as 1VF, meaning +"one Voice Frequency". The other standard frequency, for use outside North +America, is 2400Hz. A national system using two voice frequencies (2VF) may +still be used in remote areas of Sweden and Norway. The two frequencies are +2400Hz and 2600Hz. Playing these two systems in Europe predates the cracking +of the R1 and C5 systems in the late 50's and early 60's respectively. The +first phone phreak was probably in Sweden. + Common Channel Interoffice Signalling (CCIS) is CCITT 6 developed for +national use and employing features that are of interest to national admini- +strations. R1 often plays into a gateway being converted to CCIS and CCIS +will play into a gateway that converts to C5, C6 or C7 for international +working. The bulk of the ATT net is CCIS in North America, while R1 is often +used by your CO talk to it and the lessel networks. CCITT 7 is the digital +system and is the same nationally as internationally. C7 allows the greatest +efficiency of all systems and will in time be the world system. C7 has much +more speed and versatility than R2, but is a digital only system. All fiber +optic systems employ SS7 (C7). + No discussion of systems is complete without mentioning Socotel. Socotel is +a general system developed by the French. It is a hodgepodge of many systems, +using MFC, pulse tone, pulse AC and pulse DC system. Most (all?) line +signalling tones can be used. An inband system can use 2500Hz as a clear +forward and 1700 or 1900Hz for seize or, in Socotel terms, "confirm". Most +line signalling today is "out of band", but unlike normal outband signalling, +it is below band: DC, 50Hz or 100Hz. It is a "brute force" system using 100V +levels, insuring no customer has a chance of getting it directly! Call setup +on the AC systems often has a very characteristic sound of of short bursts of +50Hz or 100Hz buzz, followed by the characteristic French series of 500 Hz +beeps to alert the customer that the call has been received from the Socotel +by the end office and is now being (pulse) dialed. Calls often don't make it +through all the gateways of a Socotel system, sometimes giving the French +phreak a surprise access where it stuck! + On a national level there are even more systems and some are very bizarre. +Some use backward R2 tones in the forward direction for line signalling, +giving analog lines the versatility of digital line signalling. There have +been some interlocal trunks that actually used DTMF in place of MF! The +"Silicon Valley" was once served by DTMF trunks for instance. When I visited +my local toll office and was told this and pressed for an answer as to why, +I was told "We had extra (expensive then) DTMF receivers and used them!" As +a phreak, be ready for anything as you travel the world. + + + Stuff to read + ------------- + + Signalling in Telecommunications Networks, S. Welch, 1979 + ISBN 0 906048 044 + The Institution of Electrical Engineers, Londen & New York + CCITT Red Book, Blue Book, Green Book and whatever other colors of books + they have, Concentrate on the Q norms. + Telecommunications Engineering, Roger L. Freeman + + +- EOF - diff --git a/textfiles.com/phreak/PHREAKING/phmanual.txt b/textfiles.com/phreak/PHREAKING/phmanual.txt new file mode 100644 index 00000000..327d40b9 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phmanual.txt @@ -0,0 +1,5602 @@ + + The Official Phreaker's Manual V1.1 + Updated 2/14/87 + Compiled, Wordprocessed, and Distributed by: + The Jammer + and + Jack the Ripper + + + Page 1 + + Introduction + + What precedes this introduction is what I have termed "The Official +Phreakers Manual", while it may not be. Many times I have been on a BBS, which +has files claiming to have summed up all the ways to phreak in the U.S. and +abroad, well those were pretty lame and a couple pages long. Now after many +relentless hours of work, I have done it. This is an informative file and the +authors of this and the authors from which I have gathered information, take +absolutely NO responsibility and are not liable for, under any circumstances +for damage, direct, indirect, incidental, or consequential. + + Warning: Use of this material may shorten your life in the free world! + + Ok enough of the bullshit, I readily admit that this is mainly a compilation +of available phreak material and public resources. What I have done is to +gather it all together and edit, compile, check for errors, put in a readable +form, and finally to write what I know without echoing what others have said. +I have set this up that it is good for all levels of phreaks, going from novice +to advanced, and references and tables for easy reference in the back. + + This manual is constantly being updated! If you have any contributions or +corrections or comments, please leave messages to me (Jack the Ripper) on any +BBS's I am on (probably where you got it). Thanks! + + + Page 2 + + ********************************************************************** + + Table of Contents + + ********************************************************************** + +I....... 005 Chapter 1 +I.1..... 006 Glossary of Phreaking terms +I.2..... 010 Glossary of Phreaking terms cont. +I.3..... 017 Boxes and Electronic Toll Fraud +I.4..... 020 How to be a Real Phreak +I.5..... 026 Basic Telecommunications I, A Phreaks guide + +II...... 031 Chapter 2 +II.1.... 033 Secrets of the Little Blue Box. Part 1 +II.2.... 041 Secrets of the Little Blue Box. Part 2 +II.3.... 050 Secrets of the Little Blue Box. Part 3 +II.4.... 058 Secrets of the Little Blue Box. Part 4 +II.5.... 062 The History of ESS +II.6.... 064 History of British Phreaking +II.7.... 067 Bad as Shit, an adventure story + +III..... 069 Chapter 3 +III.1... 070 Phreaking Cosmos +III.2... 072 Cosmos Revamped +III.3... 073 Telenet +III.4... 075 Phreaking AT&T Cards +III.5... 076 AT&T Forgery +III.6... 078 Dealing with Operators +III.7... 079 How to set up a Conference Call +III.8... 081 Fone tapping +III.9... 083 Fone tapping cont. +III.10.. 085 Tracing, how dangerous is it +III.11.. 086 How to avenge yourself +III.12.. 088 Interesting things to do on Step lines +III.13.. 089 Busted, An account of the Private Sector bust + +IV...... 092 Chapter 4 +IV.1.... 093 Basic Telecommunications II, Special #'s, Loops, Ani +IV.2.... 101 Basic Telecommunications III, Direct Dialing, International +IV.3.... 106 Basic Telecommunications IV, Telefone Hierarchy +IV.4.... 113 Basic Telecommunications V, Subscriber fone electronics +IV.5.... 120 Basic Telecommunications VI, Fortress fones + +V....... 123 Chapter 5 +V.1..... 124 Basic Telecommunications VII, Blue Boxing +V.2..... 132 Better Homes & Blue Boxing, Part 1 +V.3..... 136 Better Homes & Blue Boxing, Part 2 +V.4..... 141 Better Homes & Blue Boxing, Part 3 +V.5..... 145 More on Blue Boxing by Fred Stienbeck +V.6..... 146 Verification, Remob, etc., Is it possible? +V.7..... 148 Equal Access and the American Dream, Another great article +V.8..... 160 Equal access and Autodialing Modems +V.9..... 161 ISDN, it will change telecommunications for ever +V.10.... 163 ISDN, an article from Proto +V.11.... 165 MCI Services what they are and how they are useful + + + Page 3 + +Appendix I...... 170 Reference tables and access lists +Appendix I.1.... 171 Country Codes +Appendix I.2.... 173 Country Codes cont. +Appendix I.3.... 176 Country Codes cont. +Appendix I.4.... 181 Max Access ports (Dialups) +Appendix I.5.... 182 Metro Fone Access ports +Appendix I.6.... 183 Area Codes +Appendix I.7.... 185 Tac Dialups around the country +Appendix I.8.... 193 Test numbers around the country +Appendix I.9.... 196 What a TSPS operators console looks like + +Appendix II..... 197 Box plans +Appendix II.1... 198 How to make an Infinity transmitter +Appendix II.2... 203 How to make a silver box + + 204 Protection Page + + + Page 4 + + The Official Phreaker's Manual + + Chapter 1 + + Ok this chapter will cover the basic vocabulary of phreaking, it is a fairly +long list, though not totally complete. After the vocab, will be some of the +general rules for phreaking. Most of the rules are protection from the police +and AT&T, but others are grammatical rules. These are not as important to your +freedom, but many a phreak will think you are a twelve year old if you start +talking like, "Hey dudz!^$(&, just got the latest warez! trade u for some +soft/docs. Checkul8r". Well you get the point, here's your vocab list... + + + Page 5 + + The Official Phreaker's Manual + + ...................................................................... + ...................................................................... + . The Bell Glossary - .. + . by .. + . /\<\ /\<\ .. + . \>ad \>arvin .. + ...................................................................... + ...................................................................... + +ACD: Automatic Call Distributor - A system that automatically distributes calls +to operator pools (providing services such as intercept and directory +assistance), to airline ticket agents, etc. + +Administration: The tasks of record-keeping, monitoring, rearranging, +prediction need for growth, etc. + +AIS: Automatic Intercept System - A system employing an audio-response unit +under control of a processor to automatically provide pertinent info to callers +routed to intercept. + +Alert: To indicate the existence of an incoming call, (ringing). + +ANI: Automatic Number Identification - Often pronounced "Annie," a facility for +automatically identify the number of the calling party for charging purposes. + +Appearance: A connection upon a network terminal, as in "the line has two +network appearances." + +Attend: The operation of monitoring a line or an incoming trunk for off-hook or +seizure, respectively. + +Audible: The subdued "image" of ringing transmitted to the calling party during +ringing; not derived from the actual ringing signal in later systems. + +Backbone Route: The route made up of final-group trunks between end offices in +different regional center areas. + +BHC: Busy Hour Calls - The number of calls placed in the busy hour. + +Blocking: The ratio of unsuccessful to total attempts to use a facility; +expresses as a probability when computed a priority. + +Blocking Network: A network that, under certain conditions, may be unable to +form a transmission path from one end of the network to the other. In general, +all networks used within the Bell Systems are of the blocking type. + +Blue Box: Equipment used fraudulently to synthesize signals, gaining access to +the toll network for the placement of calls without charge. + +BORSCHT Circuit: A name for the line circuit in the central office. It +functions as a mnemonic for the functions that must be performed by the +circuit: Battery, Overvoltage, Ringing, Supervision, Coding, Hybrid, and +Testing. + +Busy Signal: (Called-line-busy) An audible signal which, in the Bell System, +comprises 480hz and 620hz interrupted at 60IPM. + +Bylink: A special high-speed means used in crossbar equipment for routing calls + + + Page 6 + +incoming from a step-by-step office. Trunks from such offices are often +referred to as "bylink" trunks even when incoming to noncrossbar offices; they +are more properly referred to as "dc incoming trunks." Such high-speed means +are necessary to assure that the first incoming pulse is not lost. + +Cable Vault: The point which phone cable enters the Central Office building. + +CAMA: Centralized Automatic Message Accounting - Pronounced like Alabama. + +CCIS: Common Channel Interoffice Signaling - Signaling information for trunk +connections over a separate, nonspeech data link rather that over the trunks +themselves. + +CCITT: International Telegraph and Telephone Consultative Committee- An +International committee that formulates plans and sets standards for +intercountry communication means. + +CDO: Community Dial Office - A small usually rural office typically served by +step-by-step equipment. + +CO: Central Office - Comprises a switching network and its control and support +equipment. Occasionally improperly used to mean "office code." + +Centrex: A service comparable in features to PBX service but implemented with +some (Centrex CU) or all (Centrex CO) of the control in the central office. In +the later case, each station's loop connects to the central office. + +Customer Loop: The wire pair connecting a customer's station to the central +office. + +DDD: Direct Distance Dialing - Dialing without operator assistance over the +nationwide intertoll network. + +Direct Trunk Group: A trunk group that is a direct connection between a given +originating and a given terminating office. + +EOTT: End Office Toll Trunking - Trunking between end offices in different toll +center areas. + +ESB: Emergency Service Bureau - A centralized agency to which 911 "universal" +emergency calls are routed. + +ESS: Electronic Switching System - A generic term used to identify as a class, +stored-program switching systems such as the Bell System's No.1 No.2, No.3, +No.4, or No.5. + +ETS: Electronic Translation Systems - An electronic replacement for the card +translator in 4A Crossbar systems. Makes use of the SPC 1A Processor. + +False Start: An aborted dialing attempt. + +Fast Busy: (often called reorder) - An audible busy signal interrupted at twice +the rate of the normal busy signal; sent to the originating station to indicate +that the call blocked due to busy equipment. + +Final Trunk Group: The trunk group to which calls are routed when available +high-usage trunks overflow; these groups generally "home" on an office next +highest in the hierarchy. + + + Page 7 + +Full Group: A trunk group that does not permit rerouting off-contingent foreign +traffic; there are seven such offices. + +Glare: The situation that occurs when a two-way trunk is seized more or less +simultaneously at both ends. + +High Usage Trunk Group: The appellation for a trunk group that has alternate +routes via other similar groups, and ultimately via a final trunk group to a +higher ranking office. + +Intercept: The agency (usually an operator) to which calls are routed when made +to a line recently removed from a service, or in some other category requiring +explanation. Automated versions (ASI) with automatic voiceresponse units are +growing in use. + +Interrupt: The interruption on a phone line to disconnect and connect with +another station, such as an Emergence Interrupt. + +Junctor: A wire or circuit connection between networks in the same office. The +functional equivalent to an intraoffice trunk. + +MF: Multifrequency - The method of signaling over a trunk making use of the +simultaneous application of two out of six possible frequencies. + +NPA: Numbering Plan Area. + +ONI: Operator Number Identification - The use of an operator in a CAMA office +to verbally obtain the calling number of a call originating in an office not +equipped with ANI. + +PBX: Private Branch Exchange - (PABX: Private Automatic Branch Exchange) An +telephone office serving a private customer, Typically , access to the outside +telephone network is provided. + +Permanent Signal: A sustained off-hook condition without activity (no dialing +or ringing or completed connection); such a condition tends to tie up +equipment, especially in earlier systems. Usually accidental, but sometimes +used intentionally by customers in high-crime-rate areas to thwart off +burglars. + +POTS: Plain Old Telephone Service - Basic service with no extra "frills". + +ROTL: Remote Office Test Line - A means for remotely testing trunks. + +RTA: Remote Trunk Arrangement - An extension to the TSPS system permitting its +services to be provided up to 200 miles from the TSPS site. + +SF: Single Frequency. A signaling method for trunks: 2600hz is impressed upon +idle trunks. + +Supervise: To monitor the status of a call. + +SxS: (Step-by-Step or Strowger switch) - An electromechanical office type +utilizing a gross-motion stepping switch as a combination network and +distributed control. + +Talkoff: The phenomenon of accidental synthesis of a machine-intelligible + + + Page 8 + +signal by human voice causing an unintended response. "whistling a tone". + +Trunk: A path between central offices; in general 2-wire for interlocal, 4-wire +for intertoll. + +TSPS: Traffic Service Position System - A system that provides, under stored- +program control, efficient operator assistance for toll calls. It does not +switch the customer, but provides a bridge connection to the operator. + +X-bar: (Crossbar) - An electromechanical office type utilizing a "fine-motion" +coordinate switch and a multiplicity of central controls (called markers). +There are four varieties: + No.1 Crossbar: Used in large urban office application; (1938) + No 3 Crossbar: A small system started in (1974). + No.4A/4M Crossbar: A 4-wire toll machine; (1943). + No.5 Crossbar: A machine originally intended for relatively small +suburban applications; (1948) + Crossbar Tandem: A machine used for interlocal office switching. + + + Page 9 + + The MCI Telecommunications Glossary + + Part I Volume I (A - D) + + +A & B LEADS: Designation of leads derived from the midpoints of the two 2-wire +pairs comprising a 4-wire circuit. + +ABBREVIATED DIALING: The ability of a telephone user to reach frequently called +numbers by using less than seven digits. Synonym: Speed Dialing + +ACCESS CHARGE: A fee paid for the use of local lines. + +ACCESS CODE: A digit or number of digits required to be connected to a private +line arranged for dial access. + +ACCESS LINE: A telephone circuit which connects a customer location to a +network switching center. + +AIRLINE MILEAGE: Calculated point-to-point mileage between terminal +facilities. + +ALL TRUNKS BUSY (ATB): A single tone interrupted at a 120 ipm (impulses per +minute) rate to indicate all lines or trunks in a routing group are busy. + +ALTERNATE ROUTE: A secondary communications path used to reach a destination if +the primary path is unavailable. + +ALTERNATE USE: The ability to switch communications facilities from one type of +service to another, i.e., voice to data, etc. + +ALTERNATE VOICE DATA (AVD): A single transmission facility which can be used +for either voice or data. + +AMERICAN STANDARD CODE +FOR INFORMATION INTERCHANGE +(ASCII): An 8 level code developed for the interchange of information between +data processing and communications systems. + +ANALOG SIGNAL: A signal in the form of a continuous varying physical quantity, +e.g., voltage which reflects variations in some quantity, e.g., loudness in the +human voice. + + + Page 10 + +ANNUNICATOR: An audible intercept device that states the condition or +restrictions associated with circuits or procedures. + +ANSWER BACK: An electrical and/or visual indication to the calling or sending +end that the called or received station is on the line. + +ANSWER SUPERVISION: An off-hook signal transmitted toward the calling end of a +switched connection when the called party answers. + +AREA CODE: Synonym: Numbering Plan Area (NPA). A three digit number identifying +more than 150 geographic areas of the United States and Canada which permits +direct distance dialing on the telephone system. A similar global numbering +plan has been established for international subscriber dialing. + +ATTENDANT POSITION: A telephone switchboard operator's position. It provides +either automatic (cordless) or manual (plug and jack) operator controls for +incoming and/or outgoing telephone calls. + +ATTENUATION: A general term used to denote the decrease in power between that +transmitted and that received due to loss through equipment, lines, or other +transmission devices. It is usually expressed as a ration in db (decibel). + +AUDIBLE RINGING TONE: An audible signal heard by the calling party during the +ringing-interval. + +AUTHORIZATION CODE: An identification number that the caller enters when +placing a call which is used for billing purposes. + +AUTHORIZED USER: A person, firm, organization, corporation or any other entity +authorized by the customer to send or receive communications over a specific +communications network. + +AUTO ANSWER: A machine feature that allows a transmission control unit or +station to automatically respond to a call that it receives. + +AUTOMATIC CALL DISTRIBUTOR (ACD): A switching system designed to queue and/or +distribute a large volume of incoming calls to a group of attendants to the +next available "answering" position. + +AUTOMATIC DIALING UNIT: A device which automatically generates a predetermined +set of dialing digits. + +AUTOMATIC IDENTIFICATION +OF OUTWARD DIALING (AIOD): A computer generated report showing all long +distance calls placed over AT&T's toll network. + +AUTOMATIC NUMBER +IDENTIFICATION (ANI): Automatic equipment at a local dial office used on +customer dialed calls to identify the calling-station. + +AUTOMATIC ROUTE +SELECTION (ARS): Least cost routing via AT&T CENTREX system. + + + Page 11 + +BAND: (1) The range of frequencies between two defined limits. (2) In reference +to WATS, one of the five specific geographic areas as defined by AT&T. Synonym: +BANDWIDTH. + +BANDWIDTH: See BAND. + +BASEBAND: The total frequency band occupied by the aggregate of all the voice +and data signals used to modulate a radio carrier. + +BAUD: A unit of signaling speed. The speed in baud is the number of discrete +conditions conditions or signal elements per second. If each signal event +represents only one bit condition, then Baud is the same as bits per second. +When each signal event represents other than one bit, Baud does not equal bits +per second. + +BELL OPERATING COMPANY +(BOC) /BELL SYSTEMS +OPERATING COMPANY (BSOC): Any of the 24 AT&T affiliated companies providing +local service. + +BELL SYSTEM: The aggregate of AT&T's 24 associated telephone companies, Long +Lines, Western Electric, and Bell Labs. + +BILLING NUMBER: The MCI term for the number which identifies a customer on a +billing location level, assigned to Network Service Customer (by COMS). +Assigned for each unique customer name and billing location. For internal use +only. + +BINARY: A number system that uses only two characters ("0" and "1"). + +BIT: A binary digit. The smallest unit of coded information. + +BITS PER SECOND (BPS): The rate at which data transmission is measured. + +BLOCKED CALLS: Attempted calls that are not connected because (1) all lines to +the central offices are in use; or (2) all connecting connecting paths through +the PBX/switch are in use. + +BLOCKED ANI: ANI prohibited from completing a call over the MCI network. + +BREAK: A means of interrupting transmission, a momentary interruption of a +circuit. + +BROADBAND: A transmission facility having a bandwidth of greater then 20 kHz. + +BUS: A heavy conductor, or group of conductors, to which several units of the +same type of equipment may be connected. + +BUSY: The condition in which facilities over which a call is to be connected +are already in use. + +BUSY HOUR: The time of day when phone lines are most in demand. + +BUSY TONE: A single that is interrupted at 60 ipm (impulses per minute) rate to +indicate that the terminal point of a call is already in use. + +BYTE: A group of binary digits that are processed by a computer as a unit. + + + Page 12 + +CARRIER: High frequency current that can be modulated with voice or digital +signals for bulk transmission via cable or radio circuits. + +CARRIER SYSTEM: A system for providing several communications channels over a +single path. + +CATHODE RAY TUBE (CRT): The "television-like" screen used to display the output +from a computer. + +CELLULAR MOBILE RADIO: A system providing exchange telephone service to a +station located in an auto or other mobile vehicle, using radio circuits to a +base radio station which covers a specific geographical area and as the vehicle +moves from one area to another, different base radio stations handle the call. + +CENTRAL OFFICE (CO): A telephone switching center that provides local access to +the public network. Sometimes referred to as: Class 5 office, end office, or +Local Dial Office. + +CENTREX, CO: PBX Service provided by a switch located at the telephone company +central office. + +CENTREX, CU: A variation on Centrex CO provided by a telephone company +maintained "Central Office" type switch located at the customer's premises. + +CENTRAL PROCESSING UNIT +(CPU): The control unit within a computer which handles all the intelligent +functions of the systems. In a telephone switch, directs all potions of the +system to carry out their appropriate functions. Synonym: Common Control. + +CHANNEL: A communication path via a carrier or microwave radio. + +CHARACTER: Any letter, digit, or special symbol. In data transmission would be +represented by a specific code made up of a group of binary digits. + +CIRCUIT: A path for the transmission of electromagnetic signals to include all +conditioning and signaling equipment. Synonym: Facility + +CIRCUIT SWITCHING: A switching system that completes a dedicated transmission +path from sender to receiver at the time of transmission. + +CLASS OF SERVICE/CLASS +MARK (COS): A subgrouping of telephone customers or users for the sake of rate +distinction or limitation of service. + +COAXIAL CABLE: A cable having several coaxial lines under a single protective +sheath. Usually used as a high capacity carrier in urban areas between +interexchange and toll offices. + +CODEC: Coder-Decoder. Used to convert analog signals to digital form for +transmission over a digital median and back again to the original analog form. + +COMMON CARRIER: A government regulated private company that provides the +general public with telecommunications services and facilities. + + + Page 13 + +COMMON CHANNEL INTEROFFICE + +SIGNALING (CCIS): A digital technology used by AT&T to enhance their Integrated +Services Digital Network. It uses a separate data line to route interoffice +signals to provide faster call set-up and more efficient use of trunks. + +COMMON CONTROL SWITCHING +ARRANGEMENT (CCSA): An arrangement for telecommunicationsnetworks in which +common controlled switching machines are used to route traffic over network +routes and access lines. The switching machine may be shared with other users +and is maintained by the telephone company. + +COMPUTER PORT/TKI PORT: The interface through which the computer connects to +the communications circuit. + +CONDITIONING EQUIPMENT: Equipment modifications or adjustments necessary to +match transmission levels and impedances and which equalizes transmission and +delay to bring circuit losses, levels, and distortion within established +standards. + +CONFIGURATION: The combination of long-distance services and/or equipment that +make up a communications system. + +CONTROL UNIT (CU): The central processor of a telephone switching device. + +CORPORATE ID NUMBER: The MCI term for the number which identifies a customer on +a corporate level. (Not all MCI customers have this). + +COST COMPONENT: The price of each type of long distance service and/or +equipment that constitutes a configuration. + +COST PER HOUR (CPH): Total cost of different services divided by total holding +time (in minutes). + +CROSS CONNECTION: The wire connections running between terminals on the two +sides of a distribution frame, or between binding posts in a terminal. + +CROSS TALK: The unwanted energy (speech or tone) transferred from one circuit +to another circuit. + +CUSTOMER OWNED AND +MAINTAINED (COAM): Customer provided communications apparatus, and their +associated wiring. + +CUSTOMER +PREMISE EQUIPMENT (CPE): Telephone equipment, usually including wiring located +within the customer's part of a building. + +CUT: To transfer a service from one facility to another. + +CUT THROUGH: The establishment of a complete path for signaling and/or audio +communications. + +DATA: Any representation, such as characters to which a meaning is assigned. + + + Page 14 + +DATA COMMUNICATIONS: The movement of coded information by means of electronic +transmission systems. + +DATA SET: A device which converts data into signals suitable for transmission +over communications lines. + +DATA TERMINAL: A station in a system capable of sending and/or receiving data +signals. + +DECIBEL (db): A unit of measurement represented as a ratio of two voltages, +currents or powers and is used to measure transmission loss or gain. + +DELAY DIAL: A dialing configuration whereby local dial equipment will wait +until it receives the entire telephone number before seizing a circuit to +transmit the call. + +DELTA MODULATION (DM): A variant of pulse code modulation whereby a code +representing the difference between the amplitude of a sample and the +amplitude of a previous one is sent. Operates well in the presence of noise, +but requires a wide frequency band. + +DEMODULATION: The process of retrieving data from a modulated signal. + +DIAL LEVEL: The selection of stations or services associated with a PBX using a +one to four digit code (e.g., dialing 9 for access to outside dial tone). + +DIAL PULSING: The transmitting of telephone address signals by momentarily +opening a DC circuit a number of times corresponding to the decimal digit which +is dialed. + +DIAL REPEATING TIE LINE/ +DIAL REPEATING TIE TRUNK: A tie line which permits direct station to station +calling without use of the attendant. + +DIAL SELECTIVE SIGNALING: A multipoint network in which the called party is +selected by a prearranged dialing code. + +DIAL TONE: A tone indicating that automatic switching equipment is ready to +receive dial signals. + +DIALING PLAN: A description of the dialing arrangements for customer use on a +networks. + +DIGITAL: Referring to the use of digits to formulate and solve problems, or to +encode information. + +DIMENSION CUSTOM +TELEPHONE SERVICE (DCTS): AT&T's electronically programmable telephone station +sets which use special buttons to access PBX features. + +DIRECT +DISTANCE DIALING (DDD): A toll service that permits customers to dial their own +long distance call without the aid of an operator. + +DIRECT +INWARD DIALING (DID): A PBX or CENTREX feature that allows a customer outside +the system to directly dial a station within the system. + + + Page 15 + +DIRECT OUTWARD DIALING: A PBX or CENTREX feature that allows a station user to +gain direct access to an exchange network. + +DROP: That direction of a circuit which looks towards the local operator. + +DRY CIRCUIT: A circuit which transmits voice signals and carries no direct +current. + +DUAL TONE +MULTI-FREQUENCY (DTMF): Also known as Touch Tone. A type of signaling which +emits two distinct frequencies for each indicated digit. + +DUPLEX: Simultaneous two-way independent transmission. + +DX SIGNALING: A long-range bidirectional signaling method using paths derived +from transmission cable pairs. It is based on a balanced and symmetrical +circuit that is identical at both ends. This circuit presents an E&M lead +interface to connecting circuits. + +This concludes Part 1 Volume I of the MCI Telecommunications Glossary. Look for +more G-philes from The MCI School of Telecommunications Management Reference +Guide coming soon. + + + Page 16 + + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + $ _______________________________ $ + $ | | $ + $ | ELECTRONIC TOLL FRAUD DEVICES | $ + $ |_______________________________| $ + $ $ + $ $ + $ TYPED AND UPLOADED BY: $ + $ $ + $$$$$$$$$$$$-=>LEX LUTHOR<=-$$$$$$$$$$$ + + THIS PHILE IS DESIGNED TO IDENTIFY VARIOUS KINDS OF ETF (ELECTRONIC TOLL +FRAUD) DEVICES AND TO DESCRIBE THEIR OPERATION, ACCORDING TO A BOOKLET PUT OUT +BY BELL ENTITLED: THE INVESTIGATION AND PROSECUTION OF ELECTRONIC TOLL FRAUD +DEVICES. (FOR OFFICIAL USE ONLY). + +THERE ARE SEVERAL DIFFERENT TYPES OF ELECTRONIC EQUIPMENT WHICH MAY BE +GENERALLY CLASSIFIED AS ETF DEVICES. THE MOST SIGNIFICANT IS THE "BLUE BOX". +THE CHARACTERISTICS OF EACH TYPE OF DEVICE ARE DISCUSSED BELOW. + + +*BLUE BOX* +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + THE "BLUE BOX" WAS SO NAMED BECAUSE OF THE COLOR OF THE FIRST ONE FOUND. THE +DESIGN AND HARDWARE USED IN THE BLUE BOX IS FAIRLY SOPHISTICATED, AND ITS SIZE +VARIES FROM A LARGE PIECE OF APPARATUS TO A MINIATURIZED UNIT THAT IS +APPROXIMATELY THE SIZE OF A "KING SIZE" PACKAGE OF CIGARETTES. THE BLUE BOX +CONTAINS 12 OR 13 BUTTONS OR SWITCHES THAT EMIT MULTI-FREQUENCY TONES +CHARACTERISTIC OF THE TONES USED IN THE NORMAL OPERATION OF THE TELEPHONE TOLL +(LONG DISTANCE) SWITCHING NETWORK. THE BLUE BOX ENABLES ITS USER TO ORIGINATE +FRAUDULENT ("FREE") TOLL CALLS BY CIRCUMVENTING TOLL BILLING EQUIPMENT. THE +BLUE BOX MAY BE DIRECTLY CONNECTED TO A PHONE LINE, OR IT MAY BE ACOUSTICALLY +COUPLED TO A TELEPHONE HANDSET BY PLACING THE BLUE BOX'S SPEAKER NEXT TO THE +TRANSMITTER OR THE TELEPHONE HANDSET. THE OPERATION OF A BLUE BOX WILL BE +DISCUSSED IN MORE DETAIL BELOW. + + TO UNDERSTAND THE NATURE OF A FRAUDULENT BLUE BOX CALL, IT IS NECESSARY TO +UNDERSTAND THE BASIC OPERATION OF THE DIRECT DISTANCE DIALING (DDD) TELEPHONE +NETWORK. WHEN A DDD CALL IS PROPERLY ORIGINATED, THE CALLING NUMBER IS +IDENTIFIED AS AN INTEGRAL PART OF ESTABLISHING THE CONNECTION. THIS MAY BE DONE +EITHER AUTOMATICALLY OR, IN SOME CASES, BY AN OPERATOR ASKING THE CALLING PARTY +FOR HIS TELEPHONE NUMBER. + + THIS INFORMATION IS ENTERED ON A TAPE IN THE AUTOMATIC MESSAGE ACCOUNTING +(AMA) OFFICE. THIS TAPE ALSO CONTAINS THE NUMBER ASSIGNED TO THE TRUNK LINE +OVER WHICH THE CALL IS TO BE SENT. THE INFORMATION RELATING TO THE CALL +CONTAINED ON THE TAPE INCLUDES: CALLED NUMBER, CALLING NUMBER, TIME OF CALL. +THE TIME OF DISCONNECT AT THE END OF THE CALL IS ALSO RECORDED. + + ALTHOUGH THE TAPE CONTAINS INFO WITH RESPECT TO MANY DIFFERENT CALLS, THE +VARIOUS DATA ENTRIES WITH RESPECT TO A SINGLE CALL ARE EVENTUALLY CORRELATED TO +PROVIDE BILLING INFO FOR USE BY YOUR BELL'S ACCOUNTING DEPARTMENT. + + THE TYPICAL BLUE BOX USER USUALLY DIALS A NUMBER THAT WILL ROUTE THE CALL +INTO THE TELEPHONE NETWORK WITHOUT CHARGE. FOR EXAMPLE, THE USER WILL VERY + + + Page 17 + +OFTEN CALL A WELL-KNOWN INWATS (TOLL-FREE) CUSTOMER'S NUMBER. THE BLUE BOX +USER, AFTER GAINING THIS ACCESS TO THE NETWORK AND, IN EFFECT, "SEIZING" +CONTROL AND COMPLETE DOMINION OVER THE LINE, OPERATES A KEY ON THE BLUE BOX +WHICH EMITS A 2600 HERTZ (CYCLES PER SECOND) TONE. THIS TONE CAUSES THE +SWITCHING EQUIPMENT TO RELEASE THE CONNECTION TO THE INWATS CUSTOMER'S LINE. +THE 2600HZ TONE IS A SIGNAL THAT THE CALLING PARTY HAS HUNG UP. THE BLUE BOX +SIMULATES THIS CONDITION. HOWEVER, IN FACT THE LOCAL TRUNK ON THE CALLING +PARTY'S END IS STILL CONNECTED TO THE TOLL NETWORK. THE BLUE BOX USER NOW +OPERATES THE "KP" (KEY PULSE) KEY ON THE BLUE BOX TO NOTIFY THE TOLL SWITCHING +EQUIPMENT THAT SWITCHING SIGNALS ARE ABOUT TO BE EMITTED. THE USER THEN PUSHES +THE "NUMBER" BUTTONS ON THE BLUE BOX CORRESPONDING TO THE TELEPHONE # BEING +CALLED. AFTER DOING SO HE/SHE OPERATES THE "ST" (START) KEY TO INDICATE TO THE +SWITCHING EQUIPMENT THAT SIGNALLING IS COMPLETE. IF THE CALL IS COMPLETED, ONLY +THE PORTION OF THE ORIGINAL CALL PRIOR TO THE EMISSION OF 2600HZ TONE IS +RECORDED ON THE AMA TAPE. THE TONES EMITTED BY THE BLUE BOX ARE NOT RECORDED ON +THE AMA TAPE. THEREFORE, BECAUSE THE ORIGINAL CALL TO THE INWATS # IS +TOLL-FREE, NO BILLING IS RENDERED IN CONNECTION WITH THE CALL. + ALTHOUGH THE ABOVE IS A DESCRIPTION OF A TYPICAL BLUE BOX OPERATION USING A +COMMON METHOD OF ENTRY INTO THE NETWORK, THE OPERATION OF A BLUE BOX MAY VARY +IN ANY ONE OR ALL OF THE FOLLOWING RESPECTS: + +(A) THE BLUE BOX MAY INCLUDE A ROTARY DIAL TO APPLY THE 2600HZ TONE AND THE +SWITCHING SIGNALS. THIS TYPE OF BLUE BOX IS CALLED A "DIAL PULSER" OR "ROTARY +SF" BLUE BOX. + +(B) ENTRANCE INTO THE DDD TOLL NETWORK MAY BE EFFECTED BY A PRETEXT CALL TO ANY +OTHER TOLL-FREE # SUCH AS UNIVERSAL DIRECTORY ASSISTANCE (555-1212) OR ANY # IN +THE INWATS NETWORK, EITHER INTER-STATE OR INTRA-STATE, WORKING OR NON-WORKING. + +(C) ENTRANCE INTO THE DDD TOLL NETWORK MAY ALSO BE IN THE FORM OF "SHORT HAUL" +CALLING. A "SHORT HAUL" CALL IS A CALL TO ANY # WHICH WILL RESULT IN A LESSER +AMOUNT OF TOLL CHARGES THAN THE CHARGES FOR THE CALL TO BE COMPLETED BY THE +BLUE BOX. FOR EXAMPLE, A CALL TO BIRMINGHAM FROM ATLANTA MAY COST $.80 FOR THE +FIRST 3 MINUTES WHILE A CALL FROM ATLANTA TO LOS ANGELES IS $1.85 FOR 3 +MINUTES. THUS, A SHORT HAUL, 3-MINUTE CALL TO BIRMINGHAM FROM ATLANTA, SWITCHED +BY USE OF A BLUE BOX TO LOS ANGELES, WOULD RESULT IN A NET FRAUD OF $2.65 FOR A +3 MINUTE CALL. + +(D) A BLUE BOX MAY BE WIRED INTO THE TELEPHONE LINE OR ACOUSTICALLY CONNECTED +TO THE HANDSET. THE BLUE BOX MAY EVEN BE BUILT INSIDE A REGULAR TOUCH-TONE +PHONE, USING THE PHONE'S PUSH BUTTONS FOR THE BLUE BOX'S SIGNALLING TONES. + +(E) A MAGNETIC TAPE RECORDING MAY BE USED TO RECORD THE BLUE BOX TONES +REPRESENTATIVE OF SPECIFIC PHONE #'S. SUCH A TAPE RECORDING COULD BE USED IN +LIEU OF A BLUE BOX TO FRAUDULENTLY PLACE CALLS TO THE PHONE #'S RECORDED ON +THE MAGNETIC TAPE. + + ALL BLUE BOXES, EXCEPT "DIAL PULSE" OR "ROTARY SF" BLUE BOXES, MUST HAVE +THE FOLLOWING 4 COMMON OPERATING CAPABILITIES: + +(A) IT MUST HAVE SIGNALLING CAPABILITY IN THE FORM OF A 2600HZ TONE. THE TONE +IS USED BY THE TOLL NETWORK TO INDICATE, EITHER BY ITS PRESENCE OR ITS ABSENCE, +AN "ON HOOK" (IDLE) OR "OFF HOOK" (BUSY) CONDITION OF THE TRUNK. + +(B) THE BLUE BOX MUST HAVE A "KP" TONES THAT UNLOCKS OR READIES THE +MULTI-FREQUENCY RECEIVER AT THE CALLED END TO RECEIVE THE TONES CORRESPONDING +TO THE CALLED PHONE #. + + + Page 18 + +(C) THE TYPICAL BLUE BOX MUST BE ABLE TO EMIT MF TONES WHICH ARE USED TO +TRANSMIT PHONE #'S OVER THE TOLL NETWORK. EACH DIGIT OF A PHONE # IS +REPRESENTED BY A COMBINATION OF 2 TONES. FOR EXAMPLE, THE DIGIT 2 IS X-MITTED +BY A COMBINATION OF 700HZ AND 1100HZ. + +(D) THE BLUE BOX MUST HAVE AN "ST" KEY WHICH CONSISTS OF A COMBINATION OF 2 +TONES THAT TELL THE EQUIPMENT AT THE CALLED END THAT ALL DIGITS HAVE BEEN SENT +AND THAT THE EQUIPMENT SHOULD START SWITCHING THE CALL TO THE CALLED NUMBER. + + THE "DIAL PULSER" OR "ROTARY SF" BLUE BOX REQUIRES ONLY A DIAL WITH A +SIGNALLING CAPABILITY TO PRODUCE A 2600HZ TONE. + +*BLACK BOX* +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + THIS ETF DEVICE IS SO-NAMED BECAUSE OF THE COLOR OF THE FIRST ONE FOUND. +IT VARIES IN SIZE AND USUALLY HAS ONE OR TWO SWITCHES OR BUTTONS. ATTACHED TO +THE TELEPHONE LINE OF A CALLED PARTY, THE BLACK BOX PROVIDES TOLL-FREE CALLING +*TO* THAT PARTY'S LINE. A BLACK BOX USER INFORMS OTHER PERSONS BEFOREHAND THAT +THEY WILL NOT BE CHARGED FOR ANY CALL PLACED TO HIM. THE USER THEN OPERATES THE +DEVICE CAUSING A "NON-CHARGE" CONDITION ("NO ANSWER" OR "DISCONNECT") TO BE +RECORDED ON THE TELEPHONE COMPANY'S BILLING EQUIPMENT. A BLACK BOX IS +RELATIVELY SIMPLE TO CONSTRUCT AND IS MUCH LESS SOPHISTICATED THAN A BLUE BOX. + +*CHEESE BOX* +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + ITS DESIGN MAY BE CRUDE OR VERY SOPHISTICATED. ITS SIZE VARIES; ONE WAS FOUND +THE SIZE OF A HALF-DOLLAR. A CHEESE BOX IS USED MOST OFTEN BY BOOKMAKERS OR +BETTERS TO PLACE WAGERS WITHOUT DETECTION FROM A REMOTE LOCATION. THE DEVICE +INTER-CONNECTS 2 PHONE LINES, EACH HAVING DIFFERENT #'S BUT EACH TERMINATING AT +THE SAME LOCATION. IN EFFECT, THERE ARE 2 PHONES AT THE SAME LOCATION WHICH ARE +LINKED TOGETHER THROUGH A CHEESE BOX. IT IS USUALLY FOUND IN AN UNOCCUPIED +APARTMENT CONNECTED TO A PHONE JACK OR CONNECTING BLOCK. THE BOOKMAKER, AT SOME +REMOTE LOCATION, DIALS ONE OF THE NUMBERS AND STAYS ON THE LINE. VARIOUS +BETTORS DIAL THE OTHER NUMBER BUT ARE AUTOMATICALLY CONNECTED WITH THE +BOOKMAKER BY MEANS OF THE CHEESE BOX INTER-CONNECTION. IF, IN ADDITION TO A +CHEESE BOX, A BLACK BOX IS INCLUDED IN THE ARRANGEMENT, THE COMBINED EQUIPMENT +WOULD PERMIT TOLL-FREE CALLING ON EITHER LINE TO THE OTHER LINE. IF A POLICE +RAID WERE CONDUCTED AT THE TERMINATING POINT OF THE CONVERSATIONS -THE LOCATION +OF THE CHEESE BOX- THERE WOULD BE NO EVIDENCE OF GAMBLING ACTIVITY. THIS DEVICE +IS SOMETIMES DIFFICULT TO IDENTIFY. LAW ENFORCEMENT OFFICIALS HAVE BEEN ADVISED +THAT WHEN UNUSUAL DEVICES ARE FOUND ASSOCIATED WITH TELEPHONE CONNECTIONS THE +PHONE COMPANY SECURITY REPRESENTATIVES SHOULD BE CONTACTED TO ASSIST IN +IDENTIFICATION. (THIS PROBABLY WOULD BE GOOD FOR A BBS , ESPECIALLY WITH THE +BLACK BOX SET UP. AND IF YOU EVER DECIDED TO TAKE THE BOARD DOWN, YOU WOULDN'T +HAVE TO CHANGE YOUR PHONE #. IT ALSO MAKES IT SO YOU YOURSELF CANNOT BE TRACED. +I AM NOT SURE ABOUT CALLING OUT FROM ONE THOUGH) + +*RED BOX* +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + THIS DEVICE IT COUPLED ACOUSTICALLY TO THE HANDSET TRANSMITTER OF A +SINGLE-SLOT COIN TELEPHONE. THE DEVICE EMITS SIGNALS IDENTICAL TO THOSE TONES +EMITTED WHEN COINS ARE DEPOSITED. THUS, LOCAL OR TOLL CALLS MAY BE PLACED +WITHOUT THE ACTUAL DEPOSIT OF COINS. + + + Page 19 + + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + /-/ /-/ + /-/ Phreaker's /-/ + /-/ PhunHouse /-/ + /-/ /-/ + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + /-/ By: /-/ + /-/ The Traveler /-/ + /-/ /-/ + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + /-/ /-/ + /-/ Call: /-/ + /-/ Brainstorm BBS /-/ + /-/ 612/345-2815 (300/1200) /-/ + /-/ /-/ + /-/ Little America /-/ + /-/ 507/289-8211 (300) /-/ + /-/ /-/ + /-/ Tell 'em Traveler sent ya /-/ + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + + The long awaited prequil to Phreaker's Guide has finally arrived. Conceived +from the boredom and loneliness that could only be derived from: The Traveler! +But now, he has returned in full strength (after a small vacation) and is here +to 'World Premiere' the new files everywhere. + + Stay cool. This is the prequil to the first one, so just relax. This is not +made to be an exclusive ultra elite file, so kinda calm down and watch in the +background if you are too cool for it... + +/-/ Phreak Dictionary /-/ + + Here you will find some of the basic but necessary terms that should be known +by any phreak who wants to be respected at all... + + Phreak [fr'eek]:1. The action of using mischevious and mostly illegal ways +in order to not pay for some sort of telecommunications bill, order, transfer, +or other service. It often involves usage of highly illegal boxes and machines +in order to defeat the security that is set up to avoid this sort of +happening. + + [fr'eaking]. v. 2. A person who uses the above methods of destruction and +chaos in order to make a better life for all. A true phreaker will not not go +against his fellows or narc on people who have ragged on him or do anything +termed to be dishonorable to phreaks. + + [fr'eek]. n. 3. A certain code or dialup useful in the action of being a +phreak. (Example: "I hacked a new metro phreak last night.") + + Switching System + [Swich'ing sis'tem]: 1. There are 3 main switching systems currently employed +in the US, and a few other systems will be mentioned as background. +A) SxS: This system was invented in 1918 and was employed in over half of the +country until 1978. It is a very basic system that is a general waste of energy +and hard work on the linesman. A good way to identify this is that it requires +a coin in the phone booth before it will give you a dial tone, or that no call +waiting, call forwarding, or any other such service is available. Stands for: +Step by Step + +B) XB: This switching system was first employed in 1978 in order to take care +of most of the faults of SxS switching. Not only is it more efficient, but it + + + Page 20 + +also can support different services in various forms. XB1 is Crossbar Version +1. That is very limited and is hard to distinguish from SxS except by direct +view of the wiring involved. Next up was XB4, Crossbar Version 4. With this +system, some of the basic things like DTMF that were not available with SxS can +be accomplished. For the final stroke of XB, XB5 was created. This is a service +that can allow DTMF plus most 800 type services (which were not always +available...) Stands for: Crossbar. + +C) ESS: A nightmare in telecom. In vivid color, ESS is a pretty bad thing to +have to stand up to. It is quite simple to identify. Dialing 911 for +emergencies, and ANI [see ANI below] are the most common facets of the dread +system. ESS has the capability to list in a person's caller log what number was +called, how long the call took, and even the status of the conversation (modem +or otherwise.) Since ESS has been employed, which has been very recently, it +has gone through many kinds of revisions. The latest system to date is ESS 11a, +that is employed in Washington D.C. for security reasons. ESS is truly trouble +for any phreak, because it is 'smarter' than the other systems. For instance, +if on your caller log they saw 50 calls to 1-800-421-9438, they would be able +to do a CN/A [see Loopholes below] on your number and determine whether you are +subscribed to that service or not. This makes most calls a hazard, because +although 800 numbers appear to be free, they are recorded on your caller log +and then right before you receive your bill it deletes the billings for them. +But before that they are open to inspection, which is one reason why extended +use of any code is dangerous under ESS. Some of the boxes [see Boxing below] +are unable to function in ESS. It is generally a menace to the true phreak. +Stands For: Electronic Switching System. because they could appear on a filter +somewhere or maybe it is just nice to know them any ways. + + A) SSS: Strowger Switching System. First non-operator system +available. + + B) WES: Western Electronics Switching. Used about 40 years ago +with some minor places out west. + + Boxing [Boks'-ing]: 1) The use of personally designed boxes that emit or +cancel electronical impulses that allow simpler acting while phreaking. Through +the use of separate boxes, you can accomplish most feats possible with or +without the control of an operator. + + 2) Some boxes and their functions are listed below. Ones +marked with '*' indicate that they are not operatable in ESS. + + *Black Box: Makes it seem to the phone company that the phone was never +picked up. + + Blue Box: Emits a 2600hz tone that allows you to do such things as stack +a trunk line, kick the operator off line, and others. + + Red Box: Simulates the noise of a quarter, nickel, or dime being +dropped into a payphone. + + Cheese Box: Turns your home phone into a pay phone to throw off traces (a +red box is usually needed in order to call out.) + + *Clear Box: Gives you a dial tone on some of the old SxS payphones without +putting in a coin. + + Beige Box: A simpler produced linesman's handset that allows you to tap +into phone lines and extract by eavesdropping, or crossing wires, etc. + + Purple Box: Makes all calls made out from your house seem to be local +calls. + + ANI [ANI]: 1) Automatic Number Identification. A service available on ESS +that allows a phone service [see Dialups below] to record the number that any +certain code was dialed from along with the number that was called and print + + + Page 21 + +both of these on the customer bill. 950 dialups [see Dialups below] are all +designed just to use ANI. Some of the services do not have the proper equipment +to read the ANI impulses yet, but it is impossible to see which is which +without being busted or not busted first. + + Dialups + [dy'l'ups]: 1) Any local or 800 extended outlet that allows instant access to +any service such as MCI, Sprint, or AT&T that from there can be used by +handpicking or using a program to reveal other peoples codes which can then be +used moderately until they find out about it and you must switch to another +code (preferably before they find out about it.) + 2) Dialups are extremely common on both senses. Some dialups +reveal the company that operates them as soon as you hear the tone. Others are +much harder and some you may never be able to identify. + 3) Codes: Codes are very easily accessed procedures when you call +a dialup. They will give you some sort of tone. If the tone does not end in 3 +seconds, then punch in the code and immediately following the code, the number +you are dialing but strike the '1' in the beginning out first. If the tone does +end, then punch in the code when the tone ends. Then, it will give you another +tone. Punch in the number you are dialing, or a '9'. If you punch in a '9' and +the tone stops, then you messed up a little. If you punch in a tone and the +tone continues, then simply dial then number you are calling without the '1'. + 4) All codes are not universal. The only type that I know of that +is truly universal is Metrophone. Almost every major city has a local Metro +dialup (for Philadelphia, (215)351-0100/0126) and since the codes are +universal, almost every phreak has used them once or twice. They do not employ +ANI in any outlets that I know of, so feel free to check through your books and +call 555-1212 or, as a more devious manor, subscribe yourself. Then, never use +your own code. That way, if they check up on you due to your caller log, they +can usually find out that you are subscribed. Not only that but you could set a +phreak hacker around that area and just let it hack away, since they usually +group them, and, as a bonus, you will have their local dialup. + 5) 950's. They seem like a perfectly cool phreakers dream. They +are free from your house, from payphones, from everywhere, and they host all of +the major long distance companies (950-1044 , 950-1077 , 950-1088 +, 950-1033 .) Well, they aren't. They were designed for +ANI. That is the point, end of discussion. + + A phreak dictionary. If you remember all of the things contained on that file +up there, you may have a better chance of doing whatever it is you do. This +next section is maybe a little more interesting... + +Blue Box Plans: +--------------- + + These are some blue box plans, but first, be warned, there have been 2600hz +tone detectors out on operator trunk lines since XB4. The idea behind it is to +use a 2600hz tone for a few very naughty functions that can really make your +day lighten up. But first, here are the plans, or the heart of the file: + + + Page 22 + +============================================== +700 : 1 : 2 : 4 : 7 : 11 : +900 : + : 3 : 5 : 8 : 12 : +1100 : + : + : 6 : 9 : KP : +1300 : + : + : + : 10 : KP2 : +1500 : + : + : + : + : ST : + : 700 : 900 :1100 :1300 :1500 : +============================================== + + Stop! Before you diehard users start piecing those little tone tidbits +together, there is a simpler method. If you have an Apple-Cat with a program +like Cat's Meow IV, then you can generate the necessary tones, the 2600hz tone, +the KP tone, the KP2 tone, and the ST tone through the dial section. So if you +have that I will assume you can boot it up and it works, and I'll do you the +favor of telling you and the other users what to do with the blue box now that +you have somehow constructed it. + + The connection to an operator is one of the most well known and used ways of +having fun with your blue box. You simply dial a TSPS (Traffic Service +Positioning Station, or the operator you get when you dial '0') and blow a +2600hz tone through the line. Watch out! Do not dial this direct! After you +have done that, it is quite simple to have fun with it. Blow a KP tone to start +a call, a ST tone to stop it, and a 2600hz tone to hang up. Once you have +connected to it, here are some fun numbers to call with it: + +0-700-456-1000 Teleconference (free, because you are the operator!) +(Area code)-101 Toll Switching +(Area code)-121 Local Operator +(Area code)-131 Information +(Area code)-141 Rate & Route +(Area code)-181 Coin Refund Operator +(Area code)-11511 Conference operator (when you dial 800-544-6363) + + Well, those were the tone matrix controllers for the blue box and some other +helpful stuff to help you to start out with. But those are only the functions +with the operator. There are other k-fun things you can do with it... + More advanced Blue Box Stuff: + + Oops. Small mistake up there. I forgot tone lengths. Um, you blow a tone +pair out for up to 1/10 of a second with another 1/10 second for silence +between the digits. KP tones should be sent for 2/10 of a second. One way to +confuse the 2600hz traps is to send pink noise over the channel (for all of you +that have decent BSR equalizers, there is major pink noise in there...) +Using the operator functions is the use of the 'inward' trunk line. That is +working it from the inside. From the 'outward' trunk, you can do such things as +make emergency breakthrough calls, tap into lines, busy all of the lines in any +trunk (called 'stacking'), enable or disable the TSPS's, and for some 4a +systems you can even re-route calls to anywhere. + + All right. The one thing that every complete phreak guide should not be +without is blue box plans, since they were once a vital part of phreaking. +Another thing that every complete file needs is a complete listing of all of +the 800 numbers around so you can have some more fun. + + + Page 23 + + All right, set Cat Hacker 1.0 on those numbers and have a fuck of a day. That +is enough with 800 codes, by the time this gets around to you I dunno what +state those codes will be in, but try them all out anyways and see what you +get. On some 800 services now, they have an operator who will answer and ask +you for your code, and then your name. Some will switch back and forth between +voice and tone verification, you can never be quite sure which you will be up +against. + + Armed with this knowledge you should be having a pretty good time phreaking +now. But class isn't over yet, there are still a couple important rules that +you should know. If you hear continual clicking on the line, then you should +assume that an operator is messing with something, maybe even listening in on +you. It is a good idea to call someone back when the phone starts doing that. +If you were using a code, use a different code and/or service to call him +back. + + A good way to detect if a code has gone bad or not is to listen when the +number has been dialed. If the code is bad you will probably hear the phone +ringing more clearly and more quickly than if you were using a different code. +If someone answers voice to it then you can immediately assume that it is an +operative for whatever company you are using. The famed '311311' code for Metro +is one of those. You would have to be quite stupid to actually respond, because +whoever you ask for the operator will always say 'He's not in right now, can I +have him call you back?' and then they will ask for your name and phone number. +Some of the more sophisticated companies will actually give you a carrier on a +line that is supposed to give you a carrier and then just have garbage flow +across the screen like it would with a bad connection. That is a feeble effort +to make you think that the code is still working and maybe get you to dial +someone's voice... a good test for the carrier trick is to dial a number that +will give you a carrier that you have never dialed with that code before, that +will allow you to determine whether the code is good or not. + + For our next section, a lighter look at some of the things that a phreak +should not be without. A vocabulary. A few months ago, it was a quite strange +world for the modem people out there. But now, a phreaker's vocabulary is +essential if you wanna make a good impression on people when you post what you +know about certain subjects. + +/-/ Vocabulary /-/ + + - Do not misspell except certain exceptions: + phone -> fone + freak -> phreak + - Never substitute 'z's for 's's. (i.e. codez -> codes) + - Never leave many characters after a post (i.e. Hey Dudes!#!@#@!#!@) + - NEVER use the 'k' prefix (k-kool, k-rad, k-whatever) + - Do not abbreviate. (I got lotsa wares w/ docs) + - Never substitute '0' for 'o' (r0dent, l0zer). + - Forget about ye old upper case, it looks ruggyish. + + All right, that was to relieve the tension of what is being drilled into your +minds at the moment.. now, however, back to the teaching course. Here are some +things you should know about phones and billings for phones, etc. + + LATA: Local Access Transference Area. Some people who live in large cities or +areas may be plagued by this problem. For instance, let's say you live in the +215 area code under the 542 prefix (Ambler, Fort Washington). If you went to +dial in a basic Metro code from that area, for instance, 351-0100, that might +not be counted under unlimited local calling because it is out of your LATA. +For some LATA's, you have to dial a '1' without the area code before you can +dial the phone number. That could prove a hassle for us all if you didn't + + + Page 24 + +realize you would be billed for that sort of call. In that way, sometimes, it +is better to be safe than sorry and phreak. + + The Caller Log: In ESS regions, for every household around, the phone company +has something on you called a Caller Log. This shows every single number that +you dialed, and things can be arranged so it showed every number that was +calling to you. That's one main disadvantage of ESS, it is mostly computerized +so a number scan could be done like that quite easily. Using a dialup is an +easy way to screw that, and is something worth remembering. Anyways, with the +caller log, they check up and see what you dialed. Hmm... you dialed 15 +different 800 numbers that month. Soon they find that you are subscribed to +none of those companies. But that is not the only thing. Most people would +imagine "But wait! 800 numbers don't show up on my phone bill!". To those +people, it is a nice thought, but 800 numbers are picked up on the caller log +until right before they are sent off to you. So they can check right up on you +before they send it away and can note the fact that you fucked up slightly and +called one too many 800 lines. + +Right now, after all of that, you should have a pretty good idea of how to grow +up as a good phreak. Follow these guidelines, don't show off, and don't take +unnecessary risks when phreaking or hacking. + + By using your new k-koool (hehe) phreaking knowledge, call a couple of these +BBS's around the country: + + /---------------------------------\ + | Bulletin Board List | + | --------------------- | + | 215/844-8836 | + | 7 Cities of Gold (3/12) 10megs | + | 307/382-4006 | + | Brainstorm BBS (3/12) | + | 612/345-2815 | + | Metal Shop (3/12) | + | 314/432-0756 | + \---------------------------------/ + + Stay free! And watch out soon for Deep Thought, somewhere in 215, that will be +a nice BBS that Ace of Spades and I will run. You will be the first to find out +about it, trust me... + +Later, + +The Traveler + + + Page 25 + + ************ << BIOC AGENT 003'S COURSE IN >> ************ + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART I * + * * + ********************************************************** + +HOW TO BE A REAL PHREAK +^^^^^^^^^^^^^^^^^^^^^^^ + + IN THE PHONE PHREAK SOCIETY THERE ARE CERTAIN VALUES THAT EXIST IN ORDER TO +BE A TRUE PHREAK, THESE ARE BEST SUMMED UP BY THE MAGICIAN: + + "MANY PEOPLE THINK OF PHONE PHREAKS AS SLIME, OUT TO RIP OFF BELL FOR +ALL SHE IS WORTH. NOTHING COULD BE FURTHER FROM THE TRUTH! GRANTED, THERE ARE +SOME WHO GET THEIR KICKS BY MAKING FREE CALLS; HOWEVER, THEY ARE NOT TRUE PHONE +PHREAKS. REAL PHONE PHREAKS ARE 'TELECOMMUNICATIONS HOBBYISTS' WHO EXPERIMENT, +PLAY WITH AND LEARN FROM THE PHONE SYSTEM. OCCASIONALLY THIS EXPERIMENTING, AND +A NEED TO COMMUNICATE WITH OTHER PHREAKS ( WITH-OUT GOING BROKE), LEADS TO FREE +CALLS. THE FREE CALLS ARE BUT A SMALL SUBSET OF A TRUE PHONE PHREAKS +ACTIVITIES." + +THE PHONE PHREAK'S TEN COMMANDMENTS +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +REPRINTED FROM TAP ISSUE #86. (TAP, ROOM 603, 147 W 42 STREET, NEW YORK, NY +10036) SEND A SASE FOR THEIR INFO SHEET AND TELL THEM THAT BIOC AGENT 003 TOLD +YOU ABOUT IT.) + +I. BOX THOU NOT OVER THINE HOME TELEPHONE WIRES, FOR THOSE WHO DOEST MUST +SURELY BRING THE WRATH OF THE CHIEF SPECIAL AGENT DOWN UPON THY HEADS. + +II. SPEAKEST THOU NOT OF IMPORTANT MATTERS OVER THINE HOME TELEPHONE WIRES, +FOR TO DO SO IS TO RISK THINE RIGHT OF FREEDOM. + +III. USE NOT THINE OWN NAME WHEN SPEAKING TO OTHER PHREAKS, FOR THAT EVERY +THIRD PHREAK IS AN FBI AGENT IS WELL KNOWN. + +IV. LET NOT OVERLY MANY PEOPLE KNOW THAT THY BE A PHREAK, AS TO DO SO IS TO +USE THINE OWN SELF AS A SACRIFICIAL LAMB. + +V. IF THOU BE IN SCHOOL, STRIVE TO GET THIN SELF GOOD GRADES, FOR THE +AUTHORITIES WELL KNOW THAT SCHOLARS NEVER BREAK THE LAW. + +VI. IF THOU WORKEST, TRY TO BE A EMPLOYEE, AND IMPRESSEST THINE BOSS WITH +THINE ENTHUSIASM, FOR IMPORTANT EMPLOYEES ARE OFTEN SAVED BY THEIR OWN BOSSES. + +VII. STOREST THOU NOT THINE STOLEN GOODS IN THINE OWN HOME, FOR THOSE WHO DO +ARE SURELY NON-BELIEVERS IN THE BELL SYSTEM SECURITY FORCES, AND ARE NOT LONG +FOR THIS WORLD. + +VIII. ATTRACTEST THOU NOT THE ATTENTION OF THE AUTHORITIES, AS THE LESS +NOTICEABLE THOU ART, THE BETTER. + + + Page 26 + +IX. MAKEST SURE THINE FRIENDS ARE INSTANT AMNESIACS AND WILL NOT REMEMBER +THAT THOU HAVE CALLED ILLEGALLY, FOR THEIR COOPERATION WITH THE AUTHORITIES +WILL SURELY LESSEN THINE TIME FOR FREEDOM ON THIS EARTH. + +X. SUPPORTEST THOU TAP, AS IT IS THINE NEWSLETTER, AND WITHOUT IT, THY WORK +WILL BE FAR MORE LIMITED. + +CN/A NUMBERS +^^^^^^^^^^^^ + + CUSTOMER NAME & ADDRESS BUREAUS EXIST SO THAT AUTHORIZED BELL EMPLOYEES MAY +OBTAIN THE NAME & ADDRESS OF ANY CUSTOMER IN THE BELL SYSTEM BY GIVING THE CN/A +OPERATOR THE CUSTOMER'S TEL-#. ALL CUSTOMERS ARE MAINTAINED ON FILE INCLUDING +UNLISTED #'S. THESE BUREAUS HAVE MANY USES FOR PHREAKS. + + HERE IS HOW AN EMPLOYEE MIGHT GO ABOUT CALLING CN/A: +"HI, THIS IS JOHN DOE FROM THE MIAMI RESIDENTIAL SERVICE CENTER, CAN I HAVE THE +CUSTOMERS NAME AT (123) 555-1212." + + THE EMPLOYEES USUALLY USE THESE FOR CHECKING WHO BELONGS TO A # THAT +SOMEONE CLAIMED THEY DIDN'T CALL.IF YOU SOUND CHEERY AND NATURAL THE OPERATOR +WILL NEVER ASK ANY QUESTIONS. IF YOU DON'T SOUND LIKE A MATURE ADULT, DON'T USE +IT! ALWAYS PRACTICE FIRST & SO YOU DON'T SCREW UP AND MAKE THE OPERATOR +SUSPICIOUS. USE NAME THAT SOUNDS REAL, NOT YOUR PIRATE NAME EITHER! ALSO SAY +THAT YOU ARE FROM A CITY THAT IS FAR AWAY FROM THE ONE THAT YOU ARE CALLING. + + THE CN/A NUMBER FOR THE NY AREA & VICINITY (212, 315, 516, 518, 607, 716, & +914), IS 518/471-8111, AND IS OPEN DURING BUSINESS HOURS. DON'T ABUSE +IT!!!!!!! + +AT&T NEWSLINES +^^^^^^^^^^^^^^ + + AT&T NEWSLINES ARE NUMBERS AT AREA PHONE OFFICES THAT TELCO EMPLOYEES CALL +TO FIND OUT THE LATEST INFO ON NEW TECHNOLOGY, STOCKS, ETC. THE RECORDED +REPORTS RANGE FROM VERY BORING TO VERY INTERESTING. + +HERE ARE A FEW OF THE NUMBERS: + + *(201) 483-3800 NJ (518) 471-2272 NY + (203) 771-4920 CN (717) 255-5555 PA + (212) 393-2151 NY (717) 787-1031 PA + (516) 234-9941 NY *(914) 948-8100 NY + + SOME OF THESE NUMBERS ARE TOLL-FREE, BUT YOU CAN'T ALWAYS COUNT ON IT. + +* THESE NUMBERS ARE NOT ALWAYS UP! + +NUMBERS FROM OTHER AREAS ARE AVAILABLE BY REQUEST FROM F)BIOC L)AGENT 003. + +ANI NUMBERS +^^^^^^^^^^^ + + ANI NUMBERS IDENTIFY THE PHONE NUMBER THAT YOU ARE CALLING FROM. IT IS +USEFUL WHEN PLAYING IN CANS (THOSE BIG SILVER BOXES ON TELEPHONE POLES) TO FIND +OUT THE # OF THE LINE. IT IS ALSO GOOD TO FIND OUT THE # OF A PHONE THAT +DOESN'T HAVE IT PRINTED ON IT. IN THE 914 AREA CODE THE ANI # IS 990. IF YOU +JUST HAVE TO DIAL THE LAST 4 DIGITS FOR A LOCAL #, IE CONGERS (268), DIAL +1-990-1111, WHERE 1111 ARE DUMMY DIGITS THERE IS ALSO A LESS USEFUL TYPE OF + + + Page 27 + +ANI# WHICH WILL IDENTIFY THE AREA CODE & EXCHANGE. IT IS NXX-9901, WHERE 'NXX' +IS THE EXCHANGE. IN THE 212 & 516 AREA CODES THE ANI # IS 958. + +PHREAK NEWSLETTER +^^^^^^^^^^^^^^^^^ + + TAP IS THE "OFFICIAL" PHONE PHREAK NEWSLETTER, AND HAS EXISTED SINCE 1971. +EACH 4 PAGE ISSUE IS CRAMMED FULL OF INFORMATION ON PHONE PHREAKING, COMPUTER +PHREAKING, FREE GAS, FREE ELECTRICITY, FREE POSTAGE, BREAKING & ENTERING INFO, +ETC. IT IS LARGELY PHONE PHREAK ORIENTED, HOWEVER. + + A 10 ISSUE SUBSCRIPTION COSTS $8.00, IF YOU GET A BULK RATE SEALED ENVELOPE +SUBSCRIPTION. I WOULD RECOMMEND THE FIRST CLASS SUBSCRIPTION, WHICH IS $10. + + AS OF THIS WRITING (7-16-83), THE CURRENT ISSUE IS #86, AND ISSUE #50 IS 8 +PAGES INSTEAD OF THE USUAL 4. BACK ISSUES ARE $0.75 EACH, AND ISSUE #50 IS +$1.50. A BRIEF INDEX TO THE FIRST 80 ISSUES IS AVAILABLE FOR A SASE, OR FREE +WITH A SUBSCRIPTION ORDER. TAP IS NON-PROFIT, AND IN DESPERATE NEED OF MATERIAL +(ARTICLES), MONEY, AND VOLUNTEERS. + +TAP +ROOM 603 +147 WEST 42ND STREET +NEW YORK, NY 10036 + +BELIEVE ME: IT WILL BE THE BEST $10 YOU WILL EVER SPEND... + +BLACK BOX +^^^^^^^^^ + + THE BLACK BOX IS A DEVICE THAT ATTACHED TO A CALLED PARTIES PHONE +THAT ALLOWS HIM/HER TO RECEIVE FREE LONG DISTANCE CALLS FROM FRIENDS WHO +CALL. + + YOU ONLY NEED 2 PARTS: A SPST TOGGLE SWITCH AND A 10,000 OHM (10 K), +1/2 WATT, 10% RESISTOR. ANY ELECTRONICS PLACE SHOULD HAVE THESE. + + NOW, CUT TWO PIECES OF WIRE, ABOUT 6 INCHES, AND ATTACH THESE TO THE TWO +SCREWS ON THE SWITCH. TURN YOUR NORMAL DDSIDE DOWN AND UNSCREW THE 2 SCREWS. +LOCATE THE "F" AND "RR" SCREWS ON THE NETWORK BOX. WRAP THE RESISTOR BETWEEN +THESE 2 SCREWS AND MAKE SURE THAT THE WIRES TOUCH ONLY THE PROPER TERMINALS! +NOW CONNECT ONE WIRE FROM THE SWITCH TO THE RR TERMINAL. FINALLY, ATTACH THE +REMAINING WIRE TO THE GREEN WIRE (DISCONNECT IT FROM ITS TERMINAL). NOW BRING +THE SWITCH OUT THE REAR OF THE PHONE AND CLOSE IT UP. PUT THE SWITCH IN A +POSITION WHERE YOU GET A DIAL TONE, MARK THIS NORMAL. MARK THE OTHER SIDE +FREE. + + WHEN YOUR FRIENDS CALL (AT A PREARRANGED TIME), QUICKLY LIFT & DROP THE +RECEIVER AS FAST AS POSSIBLE. THIS WILL STOP THE RINGING, IF NOT TRY AGAIN. IT +IS VERY IMPORTANT THAT YOU DO IT FAST! NOW PUT THE SWITCH IN THE FREE POSITION +AND PICK UP THE PHONE. KEEP ALL CALLS SHORT & UNDER 15 MINUTES. + + WHEN SOMEONE CALLS YOU LONG-DISTANCE, THEY ARE BILLED FROM THE MOMENT YOU +ANSWER. THE TELCO KNOWS WHEN YOU ANSWER DUE TO A CERTAIN AMOUNT OF VOLTAGE THAT +FLOWS WHEN YOU PICK UP THE PHONE. HOWEVER, THE RESISTOR CUTS DOWN ON THE +VOLTAGE SO IT IS BELOW THE BILLING RANGE BUT SUFFICIENT ENOUGH TO OPERATE THE +MOUTHPIECE. ANSWERING THE PHONE FOR A FRACTION OF A SECOND STOPS THE RING BUT +IT IS NOT ENOUGH FOR BILLING TO START. IF THE PHONE IS ANSWERED FOR EVEN ONE + + + Page 28 + +FULL SECOND, BILLING WILL START AND YOU WILL BE CUT OFF WHEN YOU HANG UP AND +SWITCH TO FREE. + +WARNING: BELL CAN RANDOMLY LOOK FOR BLACK BOXES SO BE CAREFUL! + + _____________________________________ +| | +---BLUE WIRE-->>F< | +| | | | +--WHITE WIRE---/ | | +| | | +| RESISTOR | +| | | +| | | +| >RR<-------SWITCH--\ | +| | | +----GREEN WIRE--------------------/ | +| | +|_____________________________________| + +DIAL LOCKS +^^^^^^^^^^ + + HAVE YOU EVER BEEN IN AN OFFICE OR SOMEWHERE AND WANTED TO MAKE A FREE FONE +CALL BUT SOME ASSHOLE PUT A LOCK ON THE FONE TO PREVENT OUT-GOING CALLS? FRET +NO MORE PHELLOW PHREAKS, FOR EVERY SYSTEM CAN BE BEATEN WITH A LITTLE +KNOWLEDGE! + + THERE ARE TWO WAYS TO BEAT THIS OBSTACLE, FIRST PICK THE LOCK, I DON'T HAVE +THE TIME TO TEACH LOCKSMITHING SO WE GO TO THE SECOND METHOD WHICH TAKES +ADVANTAGE OF TELEPHONE ELECTRONICS. + + TO BE AS SIMPLE AS POSSIBLE, WHEN YOU PICK UP THE FONE YOU COMPLETE A +CIRCUIT KNOW AS A LOCAL LOOP. WHEN YOU HANG-UP YOU BREAK THE CIRCUIT. WHEN +YOU DIAL (PULSE) IT ALSO BREAKS THE CIRCUIT BUT NOT LONG ENOUGH TO HANG UP! SO +YOU CAN "PUSH-DIAL." TO DO THIS YOU >>> RAPIDLY <<< DEPRESS THE SWITCHHOOK. +FOR EXAMPLE, TO DIAL AN OPERATOR (AND THEN GIVE HER THE NUMBER YOU WANT CALLED) +>>> RAPIDLY <<< & >>> EVENLY <<< DEPRESS THE SWITCHHOOK 10 TIMES. TO DIAL +634-1268, DEPRESS 6 X'S PAUSE, THEN 3 X'S, PAUSE, THEN 4X'S, ETC. IT TAKES A +LITTLE PRACTICE BUT YOU'LL GET THE HANG OF IT. TRY PRACTICING WITH YOUR OWN # +SO YOU'LL GET A BUSY TONE WHEN RIGHT. IT'LL ALSO WORK ON TOUCH-TONE(TM) SINCE +A DTMF LINE WILL ALSO ACCEPT PULSE. ALSO, NEVER DEPRESS THE SWITCHHOOK FOR +MORE THAN A SECOND OR IT'LL HANG-UP! + + FINALLY, REMEMBER THAT YOU HAVE JUST AS MUCH RIGHT TO THAT FONE AS THE +ASSHOLE WHO PUT THE LOCK ON IT! + +EXCHANGE SCANNING +^^^^^^^^^^^^^^^^^ + + ALMOST EVERY EXCHANGE IN THE BELL SYSTEM HAS TEST #'S AND OTHER "GOODIES" +SUCH AS LOOPS WITH DIAL-UPS. THESE "GOODIES" ARE USUALLY FOUND BETWEEN 9900 AND +9999 IN YOUR LOCAL EXCHANGE. IF YOU HAVE THE TIME AND INITIATIVE, SCAN YOUR +EXCHANGE AND YOU MAY BECOME LUCKY! + +HERE ARE MY FINDINGS IN THE 914-268 EXCHANGE: + + + Page 29 + +9900 - ANI (SEE SEPARATE BULLETIN) +9901 - ANI (SEE SEPARATE BULLETIN) +9927 - OSC. TONE (POSSIBLE TONE SIDE OF A LOOP) +9936 - VOICE # TO THE TELCO CENTRAL OFFICE +9937 - VOICE # TO THE TELCO CENTRAL OFFICE +9941 - COMPUTER (DIGITAL VOICE TRANSMISSION?) +9960 - OSC. TONE (TONE SIDE LOOP) MAY ALSO BE A COMPUTER IN SOME EXCHANGES +9961 - NO RESPONSE (OTHER END OF LOOP?) +9962 - NO RESPONSE (OTHER END OF LOOP?) +9963 - NO RESPONSE (OTHER END OF LOOP?) +9966 - COMPUTER (SEE 9941) +9968 - TONE THAT DISAPPEARS--RESPONDS TO CERTAIN TOUCH-TONE KEYS + + MOST OF THE NUMBERS BETWEEN 9900 & 9999 WILL RING OR GO TO A "WHAT #, +PLEASE?" OPERATOR. + +HAVE PHUN AND REMEMBER IT'S ONLY A LOCAL CALL! + + +TOUCH-TONE & FREE CALLS +^^^^^^^^^^^^^^^^^^^^^^^ + +THERE ARE SEVERAL WAYS TO MAKE FREE CALLS (SPRINT, MCI, ETC.) USING A ROTARY +PHONE. THEY ARE: + +1. USE A NUMBER THAT ACCEPTS VOICE AS WELL AS DTMF. SUCH A # IS (800) +521-8400. AS OF WRITING THIS, A CODE WAS 00717865. + + A) IF USING VOICE, WAIT FOR THE COMPUTER TO SAY, "AUTHORIZATION #, PLEASE." +THEN SAY EACH DIGIT SLOWLY, IT WILL BEEP AFTER EACH DIGIT IS SAID. AFTER EVERY +GROUP OF DIGITS, IT WILL REPEAT WHAT YOU HAVE SAID, THEN SAY YES IF IT IS +CORRECT, OTHERWISE SAY NO. IF THE ACCESS CODE IS CORRECT, IT WILL THANK YOU AND +ASK FOR THE DESTINATION #, THEN SAY THE AREA CODE + NUMBER AS ABOVE. ANOTHER +SUCH # IS (800) 245-8173, WHICH HAS A 6 DIGIT ACCESS CODE. (NOTE: IF USING +TOUCH-TONE ON THIS #, ENTER THE CODE IMMEDIATELY AFTER THE TONE STOPS.) + +2. HOOK UP A TOUCH-TONE FONE INTO YOUR ROTARY FONE. ATTACH THE RED WIRE FROM +THE TOUCH-TONE FONE TO THE "R" TERMINAL INSIDE THE FONE ON THE NETWORK BOX. +THEN HOOK THE GREEN WIRE TO THE "B" TERMINAL. TO USE THIS DIAL THE # USING +ROTARY & THEN USE THE TOUCH-TONE FOR THE CODES. (DON'T HANG UP THE ROTARY FONE +WHILE DOING THIS THOUGH!) IF THIS DOESN'T WORK THEN REVERSE THE 2 WIRES. +(NOTE:IF YOUR LINE CAN ACCEPT TOUCH-TONE BUT YOU HAVE A ROTARY FONE THEN YOU +CAN HOOK UP A TONE FONE DIRECTLY FOR ALL CALLS BUT THIS USUALLY ISN'T THE +CASE.) SUCH AS RADIO SHACK'S 43-138. + +OTHER ALTERNATIVES +^^^^^^^^^^^^^^^^^^ + +4. USE A CHARGE-A-CALL FONE. (THESE ALSO MAKE GREAT EXTENSIONS IF YOU REMOVE +IT USING A HEX WRENCH WITH A HOLE IN THE MIDDLE ON THE CENTER SCREW!)--(THESE +FONES, FOR THE BENEFIT OF THOSE WHO DON'T KNOW, ARE BLUE WITH NO COIN SLOTS). + +5. USE A PAY FONE THAT WANTS YOUR MONEY BEFORE THE DIAL TONE. PUT IN YOUR +DIME, DIAL THE #; IF IT'S AN 800 # THEN YOUR DIME WILL COME BACK, IMMEDIATELY +PUT A DIME BACK IN (IT'LL COME BACK WHEN YOU HANG UP!) IF IT IS A TONE FIRST +FONE AND IT DISCONNECTS THE KEYPAD (SOME DON'T) THEN FIND ANOTHER FONE. + + + Page 30 + + Chapter 2 + + Well now we know a little vocabulary, and now its into history, Phreak +history. Back at MIT in 1964 arrived a student by the name of Stewart Nelson, +who was extremely interested in the telephone. Before entering MIT, he had +built autodialers, cheese boxes, and many more gadgets. But when he came to +MIT he became even more interested in "fone-hacking" as they called it. After +a little while he naturally started using the PDP-1, the schools computer at +that time, and from there he decided that it would be interesting to see +whether the computer could generate the frequencies required for blue boxing. +The hackers at MIT were not interested in ripping off Ma Bell, but just +exploring the telephone network. Stew (as he was called) wrote a program to +generate all the tones and set off into the vast network. + + Now there were more people phreaking than the ones at MIT. Most people have +heard of Captain Crunch (No not the cereal), he also discovered how to take +rides through the fone system, with the aid of a small whistle found in a +cereal box (can we guess which one?). By blowing this whistle, he generated +the magical 2600hz and into the mouthpiece it sailed, giving him complete +control over the system. I have heard rumors that at one time he made about +1/4 of the calls coming out of San Francisco. He got famous fast. He made the +cover of people magazine and was interviewed several times (as you'll soon +see). Well he finally got caught after a long adventurous career. After he +was caught he was put in jail and was beaten up quite badly because he would +not teach other inmates how to box calls. After getting out, he joined Apple +computer and is still out there somewhere. + + Then there was Joe the Whistler, blind form the day he was born. He could +whistle a perfect 2600hz tone. It was rumored phreaks used to call him to tune +their boxes. + + Well that was up to about 1970, then from 1970 to 1979, phreaking was mainly +done by college students, businessmen and anyone who knew enough about +electronics and the fone company to make a 555 Ic to generate those magic +tones. Businessmen and a few college students mainly just blue box to get free +calls. The others were still there, exploring 800#'s and the new ESS systems. + + ESS posed a big problem for phreaks then and even a bigger one now. ESS was +not widespread, but where it was, blue boxing was next to impossible except for +the most experienced phreak. Today ESS is installed in almost all major cities +and blue boxing is getting harder and harder. + + 1978 marked a change in phreaking, the Apple ][, now a computer that was +affordable, could be programmed, and could save all that precious work on a +cassette. Then just a short while later came the Apple Cat modem. With this +modem, generating all blue box tones was easy as writing a program to count +form one to ten (a little exaggerated). Pretty soon programs that could +imitate an operator just as good as the real thing were hitting the community, +TSPS and Cat's Meow, are the standard now and are the best. + + 1982-1986: LD services were starting to appear in mass numbers. People now +had programs to hack LD services, telephone exchanges, and even passwords. By +now many phreaks were getting extremely good and BBS's started to spring up +everywhere, each having many documentations on phreaking for the novice. Then +it happened, the movie War Games was released and mass numbers of sixth grade +to all ages flocked to see it. The problem wasn't that the movie was bad, it +was that now EVERYONE wanted to be a hacker/phreak. Novices came out in such +mass numbers, that bulletin boards started to be busy 24 hours a day. To this +day, they still have not recovered. Other problems started to occur, novices +guessed easy passwords on large government computers and started to play +around... Well it wasn't long before they were caught, I think that many +people remember the 414-hackers. They were so stupid as to say "yes" when the +computer asked them whether they'd like to play games. Well at least it takes +the heat off the real phreaks/hacker/krackers. + + + Page 31 + + After a little history, how about a little thrill? I don't know if this +story is true but it sure is as bad as shit! + + + Page 32 + + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + * * + * +----------------------------------------------+ * + * * + * Secrets of the Little Blue Box * + * * + * by Ron Rosenbaum * + * Typed by One Farad Cap/AAG * + * * + * -A story so incredible it may even make you * + * feel sorry for the phone company- * + * * + * (First of four files) * + * * + * +----------------------------------------------+ * + * * + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + +Dudes... These four files contain the story, "Secrets of the Little Blue Box", +by Ron Rosenbaum. + +-A story so incredible it may even make you feel sorry for the phone company- + +Printed in the October 1971 issue of Esquire Magazine. If you happen to be in +a library and come across a collection of Esquire magazines, the October 1971 +issue is the first issue printed in the smaller format. The story begins on +page 116 with a picture of a blue box. + + --One Farad Cap, Atlantic Anarchist Guild + +The Blue Box Is Introduced: Its Qualities Are Remarked + +I am in the expensively furnished living room of Al Gilbertson (His real name +has been changed.), the creator of the "blue box." Gilbertson is holding one of +his shiny black-and-silver "blue boxes" comfortably in the palm of his hand, +pointing out the thirteen little red push buttons sticking up from the console. +He is dancing his fingers over the buttons, tapping out discordant beeping +electronic jingles. He is trying to explain to me how his little blue box does +nothing less than place the entire telephone system of the world, satellites, +cables and all, at the service of the blue-box operator, free of charge. + +"That's what it does. Essentially it gives you the power of a super operator. +You seize a tandem with this top button," he presses the top button with his +index finger and the blue box emits a high-pitched cheep, "and like that" -- +cheep goes the blue box again -- "you control the phone company's long-distance +switching systems from your cute little Princes phone or any old pay phone. +And you've got anonymity. An operator has to operate from a definite location: +the phone company knows where she is and what she's doing. But with your +beeper box, once you hop onto a trunk, say from a Holiday Inn 800 (toll-free) +number, they don't know where you are, or where you're coming from, they don't +know how you slipped into their lines and popped up in that 800 number. They +don't even know anything illegal is going on. And you can obscure your origins +through as many levels as you like. You can call next door by way of White +Plains, then over to Liverpool by cable, and then back here by satellite. You +can call yourself from one pay phone all the way around the world to a pay +phone next to you. And you get your dime back too." + +"And they can't trace the calls? They can't charge you?" + + + Page 33 + +"Not if you do it the right way. But you'll find that the free-call thing +isn't really as exciting at first as the feeling of power you get from having +one of these babies in your hand. I've watched people when they first get hold +of one of these things and start using it, and discover they can make +connections, set up crisscross and zigzag switching patterns back and forth +across the world. They hardly talk to the people they finally reach. They say +hello and start thinking of what kind of call to make next. They go a little +crazy." He looks down at the neat little package in his palm. His fingers are +still dancing, tapping out beeper patterns. + +"I think it's something to do with how small my models are. There are lots of +blue boxes around, but mine are the smallest and most sophisticated +electronically. I wish I could show you the prototype we made for our big +syndicate order." + +He sighs. "We had this order for a thousand beeper boxes from a syndicate +front man in Las Vegas. They use them to place bets coast to coast, keep lines +open for hours, all of which can get expensive if you have to pay. The deal +was a thousand blue boxes for $300 apiece. Before then we retailed them for +$1500 apiece, but $300,000 in one lump was hard to turn down. We had a +manufacturing deal worked out in the Philippines. Everything ready to go. + +Anyway, the model I had ready for limited mass production was small enough to +fit inside a flip-top Marlboro box. It had flush touch panels for a keyboard, +rather than these unsightly buttons, sticking out. Looked just like a tiny +portable radio. In fact, I had designed it with a tiny transistor receiver to +get one AM channel, so in case the law became suspicious the owner could switch +on the radio part, start snapping his fingers, and no one could tell anything +illegal was going on. I thought of everything for this model -- I had it lined +with a band of thermite which could be ignited by radio signal from a tiny +button transmitter on your belt, so it could be burned to ashes instantly in +case of a bust. It was beautiful. A beautiful little machine. You should +have seen the faces on these syndicate guys when they came back after trying it +out. They'd hold it in their palm like they never wanted to let it go, and +they'd say, 'I can't believe it. I can't believe it.' You probably won't +believe it until you try it." + +The Blue Box Is Tested: Certain Connections Are Made + +About eleven o'clock two nights later Fraser Lucey has a blue box in the palm +of his left hand and a phone in the palm of his right. He is standing inside a +phone booth next to an isolated shut-down motel off Highway 1. I am standing +outside the phone booth. + +Fraser likes to show off his blue box for people. Until a few weeks ago when +Pacific Telephone made a few arrests in his city, Fraser Lucey liked to bring +his blue box (This particular blue box, like most blue boxes, is not blue. +Blue boxes have come to be called "blue boxes" either because 1) The first blue +box ever confiscated by phone-company security men happened to be blue, or 2) + +To distinguish them from "black boxes." Black boxes are devices, usually a +resistor in series, which, when attached to home phones, allow all incoming +calls to be made without charge to one's caller.) to parties. It never failed: +a few cheeps from his device and Fraser became the center of attention at the +very hippest of gatherings, playing phone tricks and doing request numbers for +hours. He began to take orders for his manufacturer in Mexico. He became a +dealer. + +Fraser is cautious now about where he shows off his blue box. But he never + + + Page 34 + +gets tired of playing with it. "It's like the first time every time," he tells +me. + +Fraser puts a dime in the slot. He listens for a tone and holds the receiver +up to my ear. I hear the tone. Fraser begins describing, with a certain +practiced air, what he does while he does it. "I'm dialing an 800 number now. +Any 800 number will do. It's toll free. Tonight I think I'll use the ----- (he +names a well-know rent-a-car company) 800 number. Listen, It's ringing. Here, +you hear it? Now watch." He places the blue box over the mouthpiece of the +phone so that the one silver and twelve black push buttons are facing up toward +me. He presses the silver button -- the one at the top -- and I hear that +high-pitched beep. "That's 2600 cycles per second to be exact," says Lucey. +"Now, quick. listen." He shoves the earpiece at me. The ringing has vanished. +The line gives a slight hiccough, there is a sharp buzz, and then nothing but +soft white noise. + +"We're home free now," Lucey tells me, taking back the phone and applying the +blue box to its mouthpiece once again. "We're up on a tandem, into a +long-lines trunk. Once you're up on a tandem, you can send yourself anywhere +you want to go." He decides to check out London first. He chooses a certain +pay phone located in Waterloo Station. This particular pay phone is popular +with the phone-phreaks network because there are usually people walking by at +all hours who will pick it up and talk for a while. + +He presses the lower left-hand corner button which is marked "KP" on the face +of the box. "That's Key Pulse. It tells the tandem we're ready to give it +instructions. First I'll punch out KP 182 START, which will slide us into the +overseas sender in White Plains." I hear a neat clunk-cheep. "I think we'll +head over to England by satellite. Cable is actually faster and the connection +is somewhat better, but I like going by satellite. So I just punch out KP Zero +44. The Zero is supposed to guarantee a satellite connection and 44 is the +country code for England. Okay... we're there. In Liverpool actually. Now +all I have to do is punch out the London area code which is 1, and dial up the +pay phone. Here, listen, I've got a ring now." + +I hear the soft quick purr-purr of a London ring. Then someone picks up the +phone. + +"Hello," says the London voice. + +"Hello. Who's this?" Fraser asks. + +"Hello. There's actually nobody here. I just picked this up while I was +passing by. This is a public phone. There's no one here to answer actually." + +"Hello. Don't hang up. I'm calling from the United States." + +"Oh. What is the purpose of the call? This is a public phone you know." + +"Oh. You know. To check out, uh, to find out what's going on in London. How +is it there?" + +"Its five o'clock in the morning. It's raining now." + +"Oh. Who are you?" + +The London passerby turns out to be an R.A.F. enlistee on his way back to the +base in Lincolnshire, with a terrible hangover after a thirty-six-hour pass. + + + Page 35 + +He and Fraser talk about the rain. They agree that it's nicer when it's not +raining. They say good-bye and Fraser hangs up. His dime returns with a nice +clink. + +"Isn't that far out," he says grinning at me. "London, like that." + +Fraser squeezes the little blue box affectionately in his palm. "I told ya +this thing is for real. Listen, if you don't mind I'm gonna try this girl I +know in Paris. I usually give her a call around this time. It freaks her out. +This time I'll use the ------ (a different rent-a-car company) 800 number and +we'll go by overseas cable, 133; 33 is the country code for France, the 1 sends +you by cable. Okay, here we go.... Oh damn. Busy. Who could she be talking +to at this time?" + +A state police car cruises slowly by the motel. The car does not stop, but +Fraser gets nervous. We hop back into his car and drive ten miles in the +opposite direction until we reach a Texaco station locked up for the night. We +pull up to a phone booth by the tire pump. Fraser dashes inside and tries the +Paris number. It is busy again. + +"I don't understand who she could be talking to. The circuits may be busy. +It's too bad I haven't learned how to tap into lines overseas with this thing +yet." + +Fraser begins to phreak around, as the phone phreaks say. He dials a leading +nationwide charge card's 800 number and punches out the tones that bring him +the time recording in Sydney, Australia. He beeps up the weather recording in +Rome, in Italian of course. He calls a friend in Boston and talks about a +certain over-the-counter stock they are into heavily. He finds the Paris +number busy again. He calls up "Dial a Disc" in London, and we listen to +Double Barrel by David and Ansil Collins, the number-one hit of the week in +London. He calls up a dealer of another sort and talks in code. He calls up +Joe Engressia, the original blind phone-phreak genius, and pays his respects. +There are other calls. Finally Fraser gets through to his young lady in +Paris. + +They both agree the circuits must have been busy, and criticize the Paris +telephone system. At two-thirty in the morning Fraser hangs up, pockets his +dime, and drives off, steering with one hand, holding what he calls his "lovely +little blue box" in the other. + +You Can Call Long Distance For Less Than You Think + +"You see, a few years ago the phone company made one big mistake," Gilbertson +explains two days later in his apartment. "They were careless enough to let +some technical journal publish the actual frequencies used to create all their +multi-frequency tones. Just a theoretical article some Bell Telephone +Laboratories engineer was doing about switching theory, and he listed the tones +in passing. At ----- (a well-known technical school) I had been fooling around +with phones for several years before I came across a copy of the journal in the +engineering library. I ran back to the lab and it took maybe twelve hours from +the time I saw that article to put together the first working blue box. It was +bigger and clumsier than this little baby, but it worked." + +It's all there on public record in that technical journal written mainly by +Bell Lab people for other telephone engineers. Or at least it was public. +"Just try and get a copy of that issue at some engineering-school library now. +Bell has had them all red-tagged and withdrawn from circulation," Gilbertson + + + Page 36 + +tells me. +"But it's too late. It's all public now. And once they became public the +technology needed to create your own beeper device is within the range of any +twelve-year-old kid, any twelve-year-old blind kid as a matter of fact. And he +can do it in less than the twelve hours it took us. Blind kids do it all the +time. They can't build anything as precise and compact as my beeper box, but +theirs can do anything mine can do." + +"How?" + +"Okay. About twenty years ago A.T.&T. made a multi-billion-dollar decision to +operate its entire long-distance switching system on twelve electronically +generated combinations of twelve master tones. Those are the tones you +sometimes hear in the background after you've dialed a long-distance number. +They decided to use some very simple tones -- the tone for each number is just +two fixed single-frequency tones played simultaneously to create a certain beat +frequency. Like 1300 cycles per second and 900 cycles per second played +together give you the tone for digit 5. Now, what some of these phone phreaks +have done is get themselves access to an electric organ. Any cheap family +home-entertainment organ. Since the frequencies are public knowledge now -- +one blind phone phreak has even had them recorded in one of the talking books +for the blind -- they just have to find the musical notes on the organ which +correspond to the phone tones. Then they tape them. For instance, to get Ma +Bell's tone for the number 1, you press down organ keys F~5 and A~5 (900 and +700 cycles per second) at the same time. To produce the tone for 2 it's F~5 +and C~6 (1100 and 700 c.p.s). The phone phreaks circulate the whole list of +notes so there's no trial and error anymore." + +He shows me a list of the rest of the phone numbers and the two electric organ +keys that produce them. + +"Actually, you have to record these notes at 3 3/4 inches-per-second tape speed +and double it to 7 1/2 inches-per-second when you play them back, to get the +proper tones," he adds. + +"So once you have all the tones recorded, how do you plug them into the phone +system?" + +"Well, they take their organ and their cassette recorder, and start banging out +entire phone numbers in tones on the organ, including country codes, routing +instructions, 'KP' and 'Start' tones. Or, if they don't have an organ, someone +in the phone-phreak network sends them a cassette with all the tones recorded, +with a voice saying 'Number one,' then you have the tone, 'Number two,' then +the tone and so on. So with two cassette recorders they can put together a +series of phone numbers by switching back and forth from number to number. Any +idiot in the country with a cheap cassette recorder can make all the free calls +he wants." + +"You mean you just hold the cassette recorder up the mouthpiece and switch in a +series of beeps you've recorded? The phone thinks that anything that makes +these tones must be its own equipment?" + +"Right. As long as you get the frequency within thirty cycles per second of +the phone company's tones, the phone equipment thinks it hears its own voice +talking to it. The original granddaddy phone phreak was this blind kid with +perfect pitch, Joe Engressia, who used to whistle into the phone. An operator +could tell the difference between his whistle and the phone company's + + + Page 37 + +electronic tone generator, but the phone company's switching circuit can't tell +them apart. The bigger the phone company gets and the further away from human +operators it gets, the more vulnerable it becomes to all sorts of phone +phreaking." + +A Guide for the Perplexed + +"But wait a minute," I stop Gilbertson. "If everything you do sounds like +phone-company equipment, why doesn't the phone company charge you for the call +the way it charges its own equipment?" + +"Okay. That's where the 2600-cycle tone comes in. I better start from the +beginning." + +The beginning he describes for me is a vision of the phone system of the +continent as thousands of webs, of long-line trunks radiating from each of the +hundreds of toll switching offices to the other toll switching offices. Each +toll switching office is a hive compacted of thousands of long-distance tandems +constantly whistling and beeping to tandems in far-off toll switching offices. + +The tandem is the key to the whole system. Each tandem is a line with some +relays with the capability of signalling any other tandem in any other toll +switching office on the continent, either directly one-to-one or by programming +a roundabout route through several other tandems if all the direct routes are +busy. For instance, if you want to call from New York to Los Angeles and +traffic is heavy on all direct trunks between the two cities, your tandem in +New York is programmed to try the next best route, which may send you down to a +tandem in New Orleans, then up to San Francisco, or down to a New Orleans +tandem, back to an Atlanta tandem, over to an Albuquerque tandem and finally up +to Los Angeles. + +When a tandem is not being used, when it's sitting there waiting for someone to +make a long-distance call, it whistles. One side of the tandem, the side +"facing" your home phone, whistles at 2600 cycles per second toward all the +home phones serviced by the exchange, telling them it is at their service, +should they be interested in making a long-distance call. The other side of +the tandem is whistling 2600 c.p.s. into one or more long-distance trunk lines, +telling the rest of the phone system that it is neither sending nor receiving a +call through that trunk at the moment, that it has no use for that trunk at the +moment. + +"When you dial a long-distance number the first thing that happens is that you +are hooked into a tandem. A register comes up to the side of the tandem facing +away from you and presents that side with the number you dialed. This sending +side of the tandem stops whistling 2600 into its trunk line. When a tandem +stops the 2600 tone it has been sending through a trunk, the trunk is said to +be "seized," and is now ready to carry the number you have dialed -- converted +into multi-frequency beep tones -- to a tandem in the area code and central +office you want. + +Now when a blue-box operator wants to make a call from New Orleans to New York +he starts by dialing the 800 number of a company which might happen to have its +headquarters in Los Angeles. The sending side of the New Orleans tandem stops +sending 2600 out over the trunk to the central office in Los Angeles, thereby +seizing the trunk. Your New Orleans tandem begins sending beep tones to a +tandem it has discovered idly whistling 2600 cycles in Los Angeles. The +receiving end of that L.A. tandem is seized, stops whistling 2600, listens to +the beep tones which tell it which L.A. phone to ring, and starts ringing the + + + Page 38 + +800 number. Meanwhile a mark made in the New Orleans office accounting tape +notes that a call from your New Orleans phone to the 800 number in L.A. has +been initiated and gives the call a code number. Everything is routine so far. + +But then the phone phreak presses his blue box to the mouthpiece and pushes the +2600-cycle button, sending 2600 out from the New Orleans tandem to the L.A. +tandem. The L.A. tandem notices 2600 cycles are coming over the line again and +assumes that New Orleans has hung up because the trunk is whistling as if idle. +The L.A. tandem immediately ceases ringing the L.A. 800 number. But as soon as +the phreak takes his finger off the 2600 button, the L.A. tandem assumes the +trunk is once again being used because the 2600 is gone, so it listens for a +new series of digit tones - to find out where it must send the call. + +Thus the blue-box operator in New Orleans now is in touch with a tandem in L.A. +which is waiting like an obedient genie to be told what to do next. The +blue-box owner then beeps out the ten digits of the New York number which tell +the L.A. tandem to relay a call to New York City. Which it promptly does. As +soon as your party picks up the phone in New York, the side of the New Orleans +tandem facing you stops sending 2600 cycles to you and stars carrying his voice +to you by way of the L.A. tandem. A notation is made on the accounting tape +that the connection has been made on the 800 call which had been initiated and +noted earlier. When you stop talking to New York a notation is made that the +800 call has ended. + +At three the next morning, when the phone company's accounting computer starts +reading back over the master accounting tape for the past day, it records that +a call of a certain length of time was made from your New Orleans home to an +L.A. 800 number and, of course, the accounting computer has been trained to +ignore those toll-free 800 calls when compiling your monthly bill. + +"All they can prove is that you made an 800 toll-free call," Gilbertson the +inventor concludes. "Of course, if you're foolish enough to talk for two hours +on an 800 call, and they've installed one of their special anti-fraud computer +programs to watch out for such things, they may spot you and ask why you took +two hours talking to Army Recruiting's 800 number when you're 4-F. + +But if you do it from a pay phone, they may discover something peculiar the +next day -- if they've got a blue-box hunting program in their computer -- but +you'll be a long time gone from the pay phone by then. Using a pay phone is +almost guaranteed safe." + +"What about the recent series of blue-box arrests all across the country -- New +York, Cleveland, and so on?" I asked. "How were they caught so easily?" + +"From what I can tell, they made one big mistake: they were seizing trunks +using an area code plus 555-1212 instead of an 800 number. Using 555 is easy to +detect because when you send multi-frequency beep tones of 555 you get a charge +for it on your tape and the accounting computer knows there's something wrong +when it tries to bill you for a two-hour call to Akron, Ohio, information, and +it drops a trouble card which goes right into the hands of the security agent +if they're looking for blue-box user. + +"Whoever sold those guys their blue boxes didn't tell them how to use them +properly, which is fairly irresponsible. And they were fairly stupid to use +them at home all the time. + +"But what those arrests really mean is than an awful lot of blue boxes are +flooding into the country and that people are finding them so easy to make that + + + Page 39 + +they know how to make them before they know how to use them. Ma Bell is in +trouble." + +And if a blue-box operator or a cassette-recorder phone phreak sticks to pay +phones and 800 numbers, the phone company can't stop them? + +"Not unless they change their entire nationwide long-lines technology, which +will take them a few billion dollars and twenty years. Right now they can't do +a thing. They're screwed." + + + Page 40 + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + * * + * +----------------------------------------------+ * + * * + * Secrets of the Little Blue Box * + * * + * by Ron Rosenbaum * + * Typed by One Farad Cap/AAG * + * * + * -A story so incredible it may even make you * + * feel sorry for the phone company- * + * * + * (Second of four files) * + * * + * +----------------------------------------------+ * + * * + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + +Captain Crunch Demonstrates His Famous Unit + +There is an underground telephone network in this country. Gilbertson +discovered it the very day news of his activities hit the papers. That evening +his phone began ringing. Phone phreaks from Seattle, from Florida, from New +York, from San Jose, and from Los Angeles began calling him and telling him +about the phone-phreak network. He'd get a call from a phone phreak who'd say +nothing but, "Hang up and call this number." + +When he dialed the number he'd find himself tied into a conference of a dozen +phone phreaks arranged through a quirky switching station in British Columbia. +They identified themselves as phone phreaks, they demonstrated their homemade +blue boxes which they called "M-Fers" (for "multi-frequency," among other +things) for him, they talked shop about phone-phreak devices. They let him in +on their secrets on the theory that if the phone company was after him he must +be trustworthy. And, Gilbertson recalls, they stunned him with their technical +sophistication. + +I ask him how to get in touch with the phone-phreak network. He digs around +through a file of old schematics and comes up with about a dozen numbers in +three widely separated area codes. + +"Those are the centers," he tells me. Alongside some of the numbers he writes +in first names or nicknames: names like Captain Crunch, Dr. No, Frank Carson +(also a code word for a free call), Marty Freeman (code word for M-F device), +Peter Perpendicular Pimple, Alefnull, and The Cheshire Cat. He makes checks +alongside the names of those among these top twelve who are blind. There are +five checks. + +I ask him who this Captain Crunch person is. + +"Oh. The Captain. He's probably the most legendary phone phreak. He calls +himself Captain Crunch after the notorious Cap'n Crunch 2600 whistle." +(Several years ago, Gilbertson explains, the makers of Cap'n Crunch breakfast +cereal offered a toy-whistle prize in every box as a treat for the Cap'n Crunch +set. Somehow a phone phreak discovered that the toy whistle just happened to +produce a perfect 2600-cycle tone. When the man who calls himself Captain +Crunch was transferred overseas to England with his Air Force unit, he would +receive scores of calls from his friends and "mute" them -- make them free of +charge to them -- by blowing his Cap'n Crunch whistle into his end.) + + + Page 41 + +"Captain Crunch is one of the older phone phreaks," Gilbertson tells me. "He's +an engineer who once got in a little trouble for fooling around with the phone, +but he can't stop. Well, they guy drives across country in a Volkswagen van +with an entire switchboard and a computerized super-sophisticated M-F-er in the +back. He'll pull up to a phone booth on a lonely highway somewhere, snake a +cable out of his bus, hook it onto the phone and sit for hours, days sometimes, +sending calls zipping back and forth across the country, all over the +world...." + +Back at my motel, I dialed the number he gave me for "Captain Crunch" and asked +for G---- T-----, his real name, or at least the name he uses when he's not +dashing into a phone booth beeping out M-F tones faster than a speeding bullet +and zipping phantomlike through the phone company's long-distance lines. + +When G---- T----- answered the phone and I told him I was preparing a story for +Esquire about phone phreaks, he became very indignant. + +"I don't do that. I don't do that anymore at all. And if I do it, I do it for +one reason and one reason only. I'm learning about a system. The phone +company is a System. A computer is a System, do you understand? If I do what +I do, it is only to explore a system. Computers, systems, that's my bag. The +phone company is nothing but a computer." + +A tone of tightly restrained excitement enters the Captain's voice when he +starts talking about systems. He begins to pronounce each syllable with the +hushed deliberation of an obscene caller. + +"Ma Bell is a system I want to explore. It's a beautiful system, you know, but +Ma Bell screwed up. It's terrible because Ma Bell is such a beautiful system, +but she screwed up. I learned how she screwed up from a couple of blind kids +who wanted me to build a device. A certain device. They said it could make +free calls. I wasn't interested in free calls. But when these blind kids told +me I could make calls into a computer, my eyes lit up. I wanted to learn about +computers. I wanted to learn about Ma Bell's computers. So I build the little +device, but I built it wrong and Ma Bell found out. Ma Bell can detect things +like that. Ma Bell knows. So I'm strictly rid of it now. I don't do it. +Except for learning purposes." He pauses. "So you want to write an article. +Are you paying for this call? Hang up and call this number." He gives me a +number in a area code a thousand miles away of his own. I dial the number. + +"Hello again. This is Captain Crunch. You are speaking to me on a toll-free +loop-around in Portland, Oregon. Do you know what a toll-free loop around is? +I'll tell you. + +He explains to me that almost every exchange in the country has open test +numbers which allow other exchanges to test their connections with it. Most of +these numbers occur in consecutive pairs, such as 302 956-0041 and 302 +956-0042. Well, certain phone phreaks discovered that if two people from +anywhere in the country dial the two consecutive numbers they can talk together +just as if one had called the other's number, with no charge to either of them, +of course. + +"Now our voice is looping around in a 4A switching machine up there in Canada, +zipping back down to me," the Captain tells me. "My voice is looping around up +there and back down to you. And it can't ever cost anyone money. The phone +phreaks and I have compiled a list of many many of these numbers. You would be +surprised if you saw the list. I could show it to you. But I won't. I'm out + + + Page 42 + +of that now. I'm not out to screw Ma Bell. I know better. If I do anything +it's for the pure knowledge of the System. You can learn to do fantastic +things. Have you ever heard eight tandems stacked up? Do you know the sound +of tandems stacking and unstacking? Give me your phone number. Okay. Hang up +now and wait a minute." + +Slightly less than a minute later the phone rang and the Captain was on the +line, his voice sounding far more excited, almost aroused. + +"I wanted to show you what it's like to stack up tandems. To stack up +tandems." (Whenever the Captain says "stack up" it sounds as if he is licking +his lips.) + +"How do you like the connection you're on now?" the Captain asks me. "It's a +raw tandem. A raw tandem. Ain't nothin' up to it but a tandem. Now I'm going +to show you what it's like to stack up. Blow off. Land in a far away place. +To stack that tandem up, whip back and forth across the country a few times, +then shoot on up to Moscow. + +"Listen," Captain Crunch continues. "Listen. I've got line tie on my +switchboard here, and I'm gonna let you hear me stack and unstack tandems. +Listen to this. It's gonna blow your mind." + +First I hear a super rapid-fire pulsing of the flutelike phone tones, then a +pause, then another popping burst of tones, then another, then another. Each +burst is followed by a beep-kachink sound. + +"We have now stacked up four tandems," said Captain Crunch, sounding somewhat +remote. "That's four tandems stacked up. Do you know what that means? That +means I'm whipping back and forth, back and forth twice, across the country, +before coming to you. I've been known to stack up twenty tandems at a time. +Now, just like I said, I'm going to shoot up to Moscow." + +There is a new, longer series of beeper pulses over the line, a brief silence, +then a ring. + +"Hello," answers a far-off voice. + +"Hello. Is this the American Embassy Moscow?" + +"Yes, sir. Who is this calling?" says the voice. + +"Yes. This is test board here in New York. We're calling to check out the +circuits, see what kind of lines you've got. Everything okay there in +Moscow?" + +"Okay?" + +"Well, yes, how are things there?" + +"Oh. Well, everything okay, I guess." + +"Okay. Thank you." + +They hang up, leaving a confused series of beep-kachink sounds hanging in +mid-ether in the wake of the call before dissolving away. + +The Captain is pleased. "You believe me now, don't you? Do you know what I'd + + + Page 43 + +like to do? I'd just like to call up your editor at Esquire and show him just +what it sounds like to stack and unstack tandems. I'll give him a show that +will blow his mind. What's his number? + +I ask the Captain what kind of device he was using to accomplish all his feats. +The Captain is pleased at the question. + +"You could tell it was special, couldn't you?" Ten pulses per second. That's +faster than the phone company's equipment. Believe me, this unit is the most +famous unit in the country. There is no other unit like it. Believe me." + +"Yes, I've heard about it. Some other phone phreaks have told me about it." + +"They have been referring to my, ahem, unit? What is it they said? Just out of +curiosity, did they tell you it was a highly sophisticated computer-operated +unit, with acoustical coupling for receiving outputs and a switch-board with +multiple-line-tie capability? Did they tell you that the frequency tolerance +is guaranteed to be not more than .05 percent? The amplitude tolerance less +than .01 decibel? Those pulses you heard were perfect. They just come faster +than the phone company. Those were high-precision op-amps. Op-amps are +instrumentation amplifiers designed for ultra-stable amplification, super-low +distortion and accurate frequency response. Did they tell you it can operate +in temperatures from -55 degrees C to +125 degrees C?" + +I admit that they did not tell me all that. + +"I built it myself," the Captain goes on. "If you were to go out and buy the +components from an industrial wholesaler it would cost you at least $1500. I +once worked for a semiconductor company and all this didn't cost me a cent. Do +you know what I mean? Did they tell you about how I put a call completely +around the world? I'll tell you how I did it. I M-Fed Tokyo inward, who +connected me to India, India connected me to Greece, Greece connected me to +Pretoria, South Africa, South Africa connected me to South America, I went from +South America to London, I had a London operator connect me to a New York +operator, I had New York connect me to a California operator who rang the phone +next to me. Needless to say I had to shout to hear myself. But the echo was +far out. Fantastic. Delayed. It was delayed twenty seconds, but I could hear +myself talk to myself." + +"You mean you were speaking into the mouthpiece of one phone sending your voice +around the world into your ear through a phone on the other side of your head?" +I asked the Captain. I had a vision of something vaguely autoerotic going on, +in a complex electronic way. + +"That's right," said the Captain. "I've also sent my voice around the world +one way, going east on one phone, and going west on the other, going through +cable one way, satellite the other, coming back together at the same time, +ringing the two phones simultaneously and picking them up and whipping my +voice both ways around the world back to me. Wow. That was a mind blower." + +"You mean you sit there with both phones on your ear and talk to yourself +around the world," I said incredulously. + +"Yeah. Um hum. That's what I do. I connect the phone together and sit there +and talk." + +"What do you say? What do you say to yourself when you're connected?" + + + Page 44 + +"Oh, you know. Hello test one two three," he says in a low-pitched voice. + +"Hello test one two three," he replied to himself in a high-pitched voice. + +"Hello test one two three," he repeats again, low-pitched. + +"Hello test one two three," he replies, high-pitched. + +"I sometimes do this: Hello Hello Hello Hello, Hello, hello," he trails off and +breaks into laughter. + +Why Captain Crunch Hardly Ever Taps Phones Anymore + +Using internal phone-company codes, phone phreaks have learned a simple method +for tapping phones. Phone-company operators have in front of them a board that +holds verification jacks. It allows them to plug into conversations in case of +emergency, to listen in to a line to determine if the line is busy or the +circuits are busy. Phone phreaks have learned to beep out the codes which lead +them to a verification operator, tell the verification operator they are +switchmen from some other area code testing out verification trunks. Once the +operator hooks them into the verification trunk, they disappear into the board +for all practical purposes, slip unnoticed into any one of the 10,000 to +100,000 numbers in that central office without the verification operator +knowing what they're doing, and of course without the two parties to the +connection knowing there is a phantom listener present on their line. + +Toward the end of my hour-long first conversation with him, I asked the Captain +if he ever tapped phones. + +"Oh no. I don't do that. I don't think it's right," he told me firmly. "I +have the power to do it but I don't... Well one time, just one time, I have to +admit that I did. There was this girl, Linda, and I wanted to find out... you +know. I tried to call her up for a date. I had a date with her the last +weekend and I thought she liked me. I called her up, man, and her line was +busy, and I kept calling and it was still busy. Well, I had just learned about +this system of jumping into lines and I said to myself, 'Hmmm. Why not just +see if it works. It'll surprise her if all of a sudden I should pop up on her +line. It'll impress her, if anything.' So I went ahead and did it. I M-Fed +into the line. My M-F-er is powerful enough when patched directly into the +mouthpiece to trigger a verification trunk without using an operator the way +the other phone phreaks have to. + +"I slipped into the line and there she was talking to another boyfriend. +Making sweet talk to him. I didn't make a sound because I was so disgusted. +So I waited there for her to hang up, listening to her making sweet talk to the +other guy. You know. So as soon as she hung up I instantly M-F-ed her up and +all I said was, 'Linda, we're through.' And I hung up. And it blew her head +off. She couldn't figure out what the hell happened. + +"But that was the only time. I did it thinking I would surprise her, impress +her. Those were all my intentions were, and well, it really kind of hurt me +pretty badly, and... and ever since then I don't go into verification trunks." + +Moments later my first conversation with the Captain comes to a close. + +"Listen," he says, his spirits somewhat cheered, "listen. What you are going +to hear when I hang up is the sound of tandems unstacking. Layer after layer of +tandems unstacking until there's nothing left of the stack, until it melts away + + + Page 45 + +into nothing. Cheep, cheep, cheep, cheep," he concludes, his voice descending +to a whisper with each cheep. + +He hangs up. The phone suddenly goes into four spasms: kachink cheep. Kachink +cheep kachink cheep kachink cheep, and the complex connection has wiped itself +out like the Cheshire cat's smile. + +The MF Boogie Blues + +The next number I choose from the select list of phone-phreak alumni, prepared +for me by the blue-box inventor, is a Memphis number. It is the number of Joe +Engressia, the first and still perhaps the most accomplished blind phone +phreak. + +Three years ago Engressia was a nine-day wonder in newspapers and magazines all +over America because he had been discovered whistling free long-distance +connections for fellow students at the University of South Florida. Engressia +was born with perfect pitch: he could whistle phone tones better than the +phone-company's equipment. + +Engressia might have gone on whistling in the dark for a few friends for the +rest of his life if the phone company hadn't decided to expose him. He was +warned, disciplined by the college, and the whole case became public. In the +months following media reports of his talent, Engressia began receiving strange +calls. There were calls from a group of kids in Los Angeles who could do some +very strange things with the quirky General Telephone and Electronics circuitry +in L.A. suburbs. There were calls from a group of mostly blind kids in ----, +California, who had been doing some interesting experiments with Cap'n Crunch +whistles and test loops. There was a group in Seattle, a group in Cambridge, +Massachusetts, a few from New York, a few scattered across the country. Some +of them had already equipped themselves with cassette and electronic M-F +devices. For some of these groups, it was the first time they knew of the +others. + +The exposure of Engressia was the catalyst that linked the separate +phone-phreak centers together. They all called Engressia. They talked to him +about what he was doing and what they were doing. And then he told them -- the +scattered regional centers and lonely independent phone phreakers -- about each +other, gave them each other's numbers to call, and within a year the scattered +phone-phreak centers had grown into a nationwide underground. + +Joe Engressia is only twenty-two years old now, but along the phone-phreak +network he is "the old man," accorded by phone phreaks something of the +reverence the phone company bestows on Alexander Graham Bell. He seldom needs +to make calls anymore. The phone phreaks all call him and let him know what +new tricks, new codes, new techniques they have learned. Every night he sits +like a sightless spider in his little apartment receiving messages from every +tendril of his web. It is almost a point of pride with Joe that they call +him. + +But when I reached him in his Memphis apartment that night, Joe Engressia was +lonely, jumpy and upset. + +"God, I'm glad somebody called. I don't know why tonight of all nights I don't +get any calls. This guy around here got drunk again tonight and propositioned +me again. I keep telling him we'll never see eye to eye on this subject, if +you know what I mean. I try to make light of it, you know, but he doesn't get +it. I can head him out there getting drunker and I don't know what he'll do + + + Page 46 + +next. It's just that I'm really all alone here, just moved to Memphis, it's +the first time I'm living on my own, and I'd hate for it to all collapse now. +But I won't go to bed with him. I'm just not very interested in sex and even +if I can't see him I know he's ugly. + +"Did you hear that? That's him banging a bottle against the wall outside. +He's nice. Well forget about it. You're doing a story on phone phreaks? +Listen to this. It's the MF Boogie Blues. + +Sure enough, a jumpy version of Muskrat Ramble boogies its way over the line, +each note one of those long-distance phone tones. The music stops. A huge +roaring voice blasts the phone off my ear: "AND THE QUESTION IS..." roars the +voice, "CAN A BLIND PERSON HOOK UP AN AMPLIFIER ON HIS OWN?" + +The roar ceases. A high-pitched operator-type voice replaces it. "This is +Southern Braille Tel. & Tel. Have tone, will phone." + +This is succeeded by a quick series of M-F tones, a swift "kachink" and a deep +reassuring voice: "If you need home care, call the visiting-nurses association. +First National time in Honolulu is 4:32 p.m." + +Joe back in his Joe voice again: "Are we seeing eye to eye? 'Si, si,' said the +blind Mexican. Ahem. Yes. Would you like to know the weather in Tokyo?" + +This swift manic sequence of phone-phreak vaudeville stunts and blind-boy jokes +manages to keep Joe's mind off his tormentor only as long as it lasts. + +"The reason I'm in Memphis, the reason I have to depend on that homosexual guy, +is that this is the first time I've been able to live on my own and make phone +trips on my own. I've been banned from all central offices around home in +Florida, they knew me too well, and at the University some of my fellow +scholars were always harassing me because I was on the dorm pay phone all the +time and making fun of me because of my fat ass, which of course I do have, +it's my physical fatness program, but I don't like to hear it every day, and if +I can't phone trip and I can't phone phreak, I can't imagine what I'd do, I've +been devoting three quarters of my life to it. + +"I moved to Memphis because I wanted to be on my own as well as because it has +a Number 5 crossbar switching system and some interesting little independent +phone-company districts nearby and so far they don't seem to know who I am so I +can go on phone tripping, and for me phone tripping is just as important as +phone phreaking." + +Phone tripping, Joe explains, begins with calling up a central-office switch +room. He tells the switchman in a polite earnest voice that he's a blind +college student interested in telephones, and could he perhaps have a guided +tour of the switching station? Each step of the tour Joe likes to touch and +feel relays, caress switching circuits, switchboards, crossbar arrangements. + +So when Joe Engressia phone phreaks he feels his way through the circuitry of +the country garden of forking paths, he feels switches shift, relays shunt, +crossbars swivel, tandems engage and disengage even as he hears -- with perfect +pitch -- his M-F pulses make the entire Bell system dance to his tune. + +Just one month ago Joe took all his savings out of his bank and left home, over +the emotional protests of his mother. "I ran away from home almost," he likes +to say. Joe found a small apartment house on Union Avenue and began making +phone trips. He'd take a bus a hundred miles south in Mississippi to see some + + + Page 47 + +old-fashioned Bell equipment still in use in several states, which had been +puzzling. He'd take a bus three hundred miles to Charlotte, North Carolina, to +look at some brand-new experimental equipment. He hired a taxi to drive him +twelve miles to a suburb to tour the office of a small phone company with some +interesting idiosyncrasies in its routing system. He was having the time of +his life, he said, the most freedom and pleasure he had known. + +In that month he had done very little long-distance phone phreaking from his +own phone. He had begun to apply for a job with the phone company, he told me, +and he wanted to stay away from anything illegal. + +"Any kind of job will do, anything as menial as the most lowly operator. +That's probably all they'd give me because I'm blind. Even though I probably +know more than most switchmen. But that's okay. I want to work for Ma Bell. +I don't hate Ma Bell the way Gilbertson and some phone phreaks do. I don't +want to screw Ma Bell. With me it's the pleasure of pure knowledge. There's +something beautiful about the system when you know it intimately the way I do. +But I don't know how much they know about me here. I have a very intuitive +feel for the condition of the line I'm on, and I think they're monitoring me +off and on lately, but I haven't been doing much illegal. I have to make a few +calls to switchmen once in a while which aren't strictly legal, and once I took +an acid trip and was having these auditory hallucinations as if I were trapped +and these planes were dive-bombing me, and all of sudden I had to phone phreak +out of there. For some reason I had to call Kansas City, but that's all." + +A Warning Is Delivered + +At this point -- one o'clock in my time zone -- a loud knock on my motel-room +door interrupts our conversation. Outside the door I find a uniformed security +guard who informs me that there has been an "emergency phone call" for me while +I have been on the line and that the front desk has sent him up to let me +know. + +Two seconds after I say good-bye to Joe and hang up, the phone rings. + +"Who were you talking to?" the agitated voice demands. The voice belongs to +Captain Crunch. "I called because I decided to warn you of something. I +decided to warn you to be careful. I don't want this information you get to +get to the radical underground. I don't want it to get into the wrong hands. +What would you say if I told you it's possible for three phone phreaks to +saturate the phone system of the nation. Saturate it. Busy it out. All of +it. I know how to do this. I'm not gonna tell. A friend of mine has already +saturated the trunks between Seattle and New York. He did it with a +computerized M-F-er hitched into a special Manitoba exchange. But there are +other, easier ways to do it." + +Just three people? I ask. How is that possible? + +"Have you ever heard of the long-lines guard frequency? Do you know about +stacking tandems with 17 and 2600? Well, I'd advise you to find out about it. +I'm not gonna tell you. But whatever you do, don't let this get into the hands +of the radical underground." + +(Later Gilbertson, the inventor, confessed that while he had always been +skeptical about the Captain's claim of the sabotage potential of trunk-tying +phone phreaks, he had recently heard certain demonstrations which convinced him +the Captain was not speaking idly. "I think it might take more than three +people, depending on how many machines like Captain Crunch's were available. + + + Page 48 + +But even though the Captain sounds a little weird, he generally turns out to +know what he's talking about.") + +"You know," Captain Crunch continues in his admonitory tone, "you know the +younger phone phreaks call Moscow all the time. Suppose everybody were to call +Moscow. I'm no right-winger. But I value my life. I don't want the Commies +coming over and dropping a bomb on my head. That's why I say you've got to be +careful about who gets this information." + +The Captain suddenly shifts into a diatribe against those phone phreaks who +don't like the phone company. + +"They don't understand, but Ma Bell knows everything they do. Ma Bell knows. +Listen, is this line hot? I just heard someone tap in. I'm not paranoid, but +I can detect things like that. Well, even if it is, they know that I know that +they know that I have a bulk eraser. I'm very clean." The Captain pauses, +evidently torn between wanting to prove to the phone-company monitors that he +does nothing illegal, and the desire to impress Ma Bell with his prowess. "Ma +Bell knows how good I am. And I am quite good. I can detect reversals, tandem +switching, everything that goes on on a line. I have relative pitch now. Do +you know what that means? My ears are a $20,000 piece of equipment. With my +ears I can detect things they can't hear with their equipment. I've had +employment problems. I've lost jobs. But I want to show Ma Bell how good I +am. I don't want to screw her, I want to work for her. I want to do good for +her. I want to help her get rid of her flaws and become perfect. That's my +number-one goal in life now." The Captain concludes his warnings and tells me +he has to be going. "I've got a little action lined up for tonight," he +explains and hangs up. + +Before I hang up for the night, I call Joe Engressia back. He reports that his +tormentor has finally gone to sleep -- "He's not blind drunk, that's the way I +get, ahem, yes; but you might say he's in a drunken stupor." I make a date to +visit Joe in Memphis in two days. + + + Page 49 + + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + * * + * +----------------------------------------------+ * + * * + * Secrets of the Little Blue Box * + * * + * by Ron Rosenbaum * + * Typed by One Farad Cap/AAG * + * * + * -A story so incredible it may even make you * + * feel sorry for the phone company- * + * * + * (Third of four files) * + * * + * +----------------------------------------------+ * + * * + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + +A Phone Phreak Call Takes Care of Business + +The next morning I attend a gathering of four phone phreaks in ----- (a +California suburb). The gathering takes place in a comfortable split-level +home in an upper-middle-class subdivision. Heaped on the kitchen table are the +portable cassette recorders, M-F cassettes, phone patches, and line ties of the +four phone phreaks present. On the kitchen counter next to the telephone is a +shoe-box-size blue box with thirteen large toggle switches for the tones. The +parents of the host phone phreak, Ralph, who is blind, stay in the living room +with their sighted children. They are not sure exactly what Ralph and his +friends do with the phone or if it's strictly legal, but he is blind and they +are pleased he has a hobby which keeps him busy. + +The group has been working at reestablishing the historic "2111" conference, +reopening some toll-free loops, and trying to discover the dimensions of what +seem to be new initiatives against phone phreaks by phone-company security +agents. + +It is not long before I get a chance to see, to hear, Randy at work. Randy is +known among the phone phreaks as perhaps the finest con man in the game. Randy +is blind. He is pale, soft and pear-shaped, he wears baggy pants and a wrinkly +nylon white sport shirt, pushes his head forward from hunched shoulders +somewhat like a turtle inching out of its shell. His eyes wander, crossing and +recrossing, and his forehead is somewhat pimply. He is only sixteen years +old. + +But when Randy starts speaking into a telephone mouthpiece his voice becomes so +stunningly authoritative it is necessary to look again to convince yourself it +comes from a chubby adolescent Randy. Imagine the voice of a crack oil-rig +foreman, a tough, sharp, weather-beaten Marlboro man of forty. Imagine the +voice of a brilliant performance-fund gunslinger explaining how he beats the +Dow Jones by thirty percent. Then imagine a voice that could make those two +sound like Stepin Fetchit. That is sixteen-year-old Randy's voice. + +He is speaking to a switchman in Detroit. The phone company in Detroit had +closed up two toll-free loop pairs for no apparent reason, although heavy use +by phone phreaks all over the country may have been detected. Randy is telling +the switchman how to open up the loop and make it free again: + +"How are you, buddy. Yeah. I'm on the board in here in Tulsa, Oklahoma, and + + + Page 50 + +we've been trying to run some tests on your loop-arounds and we find'em busied +out on both sides.... Yeah, we've been getting a 'BY' on them, what d'ya say, +can you drop cards on 'em? Do you have 08 on your number group? Oh that's +okay, we've had this trouble before, we may have to go after the circuit. Here +lemme give 'em to you: your frame is 05, vertical group 03, horizontal 5, +vertical file 3. Yeah, we'll hang on here.... Okay, found it? Good. Right, +yeah, we'd like to clear that busy out. Right. All you have to do is look for +your key on the mounting plate, it's in your miscellaneous trunk frame. Okay? +Right. Now pull your key from NOR over the LCT. Yeah. I don't know why that +happened, but we've been having trouble with that one. Okay. Thanks a lot +fella. Be seein' ya." + +Randy hangs up, reports that the switchman was a little inexperienced with the +loop-around circuits on the miscellaneous trunk frame, but that the loop has +been returned to its free-call status. + +Delighted, phone phreak Ed returns the pair of numbers to the active-status +column in his directory. Ed is a superb and painstaking researcher. With +almost Talmudic thoroughness he will trace tendrils of hints through soft-wired +mazes of intervening phone-company circuitry back through complex linkages of +switching relays to find the location and identity of just one toll-free loop. +He spends hours and hours, every day, doing this sort of thing. He has somehow +compiled a directory of eight hundred "Band-six in-WATS numbers" located in +over forty states. Band-six in-WATS numbers are the big 800 numbers -- the +ones that can be dialed into free from anywhere in the country. + +Ed the researcher, a nineteen-year-old engineering student, is also a superb +technician. He put together his own working blue box from scratch at age +seventeen. (He is sighted.) This evening after distributing the latest issue +of his in-WATS directory (which has been typed into Braille for the blind phone +phreaks), he announces he has made a major new breakthrough: + +"I finally tested it and it works, perfectly. I've got this switching matrix +which converts any touch-tone phone into an M-F-er." + +The tones you hear in touch-tone phones are not the M-F tones that operate the +long-distance switching system. Phone phreaks believe A.T.&T. had deliberately +equipped touch tones with a different set of frequencies to avoid putting the +six master M-F tones in the hands of every touch-tone owner. Ed's complex +switching matrix puts the six master tones, in effect put a blue box, in the +hands of every touch-tone owner. + +Ed shows me pages of schematics, specifications and parts lists. "It's not easy +to build, but everything here is in the Heathkit catalog." + +Ed asks Ralph what progress he has made in his attempts to reestablish a +long-term open conference line for phone phreaks. The last big conference -- +the historic "2111" conference -- had been arranged through an unused Telex +test-board trunk somewhere in the innards of a 4A switching machine in +Vancouver, Canada. For months phone phreaks could M-F their way into +Vancouver, beep out 604 (the Vancouver area code) and then beep out 2111 (the +internal phone-company code for Telex testing), and find themselves at any +time, day or night, on an open wire talking with an array of phone phreaks from +coast to coast, operators from Bermuda, Tokyo and London who are phone-phreak +sympathizers, and miscellaneous guests and technical experts. The conference +was a massive exchange of information. Phone phreaks picked each other's +brains clean, then developed new ways to pick the phone company's brains clean. +Ralph gave M F Boogies concerts with his home-entertainment-type electric + + + Page 51 + +organ, Captain Crunch demonstrated his round-the-world prowess with his +notorious computerized unit and dropped leering hints of the "action" he was +getting with his girl friends. (The Captain lives out or pretends to live out +several kinds of fantasies to the gossipy delight of the blind phone phreaks +who urge him on to further triumphs on behalf of all of them.) The somewhat +rowdy Northwest phone-phreak crowd let their bitter internal feud spill over +into the peaceable conference line, escalating shortly into guerrilla warfare; +Carl the East Coast international tone relations expert demonstrated newly +opened direct M-F routes to central offices on the island of Bahrein in the +Persian Gulf, introduced a new phone-phreak friend of his in Pretoria, and +explained the technical operation of the new Oakland-to Vietnam linkages. +(Many phone phreaks pick up spending money by M-F-ing calls from relatives to +Vietnam G.I.'s, charging $5 for a whole hour of trans-Pacific conversation.) + +Day and night the conference line was never dead. Blind phone phreaks all over +the country, lonely and isolated in homes filled with active sighted brothers +and sisters, or trapped with slow and unimaginative blind kids in straitjacket +schools for the blind, knew that no matter how late it got they could dial up +the conference and find instant electronic communion with two or three other +blind kids awake over on the other side of America. Talking together on a +phone hookup, the blind phone phreaks say, is not much different from being +there together. Physically, there was nothing more than a two-inch-square wafer +of titanium inside a vast machine on Vancouver Island. For the blind kids +>there< meant an exhilarating feeling of being in touch, through a kind of +skill and magic which was peculiarly their own. + +Last April 1, however, the long Vancouver Conference was shut off. The phone +phreaks knew it was coming. Vancouver was in the process of converting from a +step-by-step system to a 4A machine and the 2111 Telex circuit was to be wiped +out in the process. The phone phreaks learned the actual day on which the +conference would be erased about a week ahead of time over the phone company's +internal-news-and-shop-talk recording. + +For the next frantic seven days every phone phreak in America was on and off +the 2111 conference twenty-four hours a day. Phone phreaks who were just +learning the game or didn't have M-F capability were boosted up to the +conference by more experienced phreaks so they could get a glimpse of what it +was like before it disappeared. Top phone phreaks searched distant area codes +for new conference possibilities without success. Finally in the early morning +of April 1, the end came. + +"I could feel it coming a couple hours before midnight," Ralph remembers. "You +could feel something going on in the lines. Some static began showing up, then +some whistling wheezing sound. Then there were breaks. Some people got cut +off and called right back in, but after a while some people were finding they +were cut off and couldn't get back in at all. It was terrible. I lost it +about one a.m., but managed to slip in again and stay on until the thing +died... I think it was about four in the morning. There were four of us still +hanging on when the conference disappeared into nowhere for good. We all tried +to M-F up to it again of course, but we got silent termination. There was +nothing there." + +The Legendary Mark Bernay Turns Out To Be "The Midnight Skulker" + +Mark Bernay. I had come across that name before. It was on Gilbertson's +select list of phone phreaks. The California phone phreaks had spoken of a +mysterious Mark Bernay as perhaps the first and oldest phone phreak on the West +Coast. And in fact almost every phone phreak in the West can trace his origins + + + Page 52 + +either directly to Mark Bernay or to a disciple of Mark Bernay. + +It seems that five years ago this Mark Bernay (a pseudonym he chose for +himself) began traveling up and down the West Coast pasting tiny stickers in +phone books all along his way. The stickers read something like "Want to hear +an interesting tape recording? Call these numbers." The numbers that followed +were toll-free loop-around pairs. When one of the curious called one of the +numbers he would hear a tape recording pre-hooked into the loop by Bernay which +explained the use of loop-around pairs, gave the numbers of several more, and +ended by telling the caller, "At six o'clock tonight this recording will stop +and you and your friends can try it out. Have fun." + +"I was disappointed by the response at first," Bernay told me, when I finally +reached him at one of his many numbers and he had dispensed with the usual "I +never do anything illegal" formalities which experienced phone phreaks open +most conversations. + +"I went all over the coast with these stickers not only on pay phones, but I'd +throw them in front of high schools in the middle of the night, I'd leave them +unobtrusively in candy stores, scatter them on main streets of small towns. At +first hardly anyone bothered to try it out. I would listen in for hours and +hours after six o'clock and no one came on. I couldn't figure out why people +wouldn't be interested. Finally these two girls in Oregon tried it out and +told all their friends and suddenly it began to spread." + +Before his Johny Appleseed trip Bernay had already gathered a sizable group of +early pre-blue-box phone phreaks together on loop-arounds in Los Angeles. +Bernay does not claim credit for the original discovery of the loop-around +numbers. He attributes the discovery to an eighteen-year-old reform school kid +in Long Beach whose name he forgets and who, he says, "just disappeared one +day." When Bernay himself discovered loop-arounds independently, from clues in +his readings in old issues of the Automatic Electric Technical Journal, he +found dozens of the reform-school kid's friends already using them. However, it +was one of Bernay's disciples in Seattle that introduced phone phreaking to +blind kids. The Seattle kid who learned about loops through Bernay's recording +told a blind friend, the blind kid taught the secret to his friends at a winter +camp for blind kids in Los Angeles. When the camp session was over these kids +took the secret back to towns all over the West. This is how the original +blind kids became phone phreaks. For them, for most phone phreaks in general, +it was the discovery of the possibilities of loop-arounds which led them on to +far more serious and sophisticated phone-phreak methods, and which gave them a +medium for sharing their discoveries. + +A year later a blind kid who moved back east brought the technique to a blind +kids' summer camp in Vermont, which spread it along the East Coast. All from a +Mark Bernay sticker. + +Bernay, who is nearly thirty years old now, got his start when he was fifteen +and his family moved into an L.A. suburb serviced by General Telephone and +Electronics equipment. He became fascinated with the differences between Bell +and G.T.&E. equipment. He learned he could make interesting things happen by +carefully timed clicks with the disengage button. He learned to interpret +subtle differences in the array of clicks, whirrs and kachinks he could hear on +his lines. He learned he could shift himself around the switching relays of +the L.A. area code in a not-too-predictable fashion by interspersing his own +hook-switch clicks with the clicks within the line. (Independent phone +companies -- there are nineteen hundred of them still left, most of them tiny +island principalities in Ma Bell's vast empire -- have always been favorites + + + Page 53 + +with phone phreaks, first as learning tools, then as Archimedes platforms from +which to manipulate the huge Bell system. A phone phreak in Bell territory +will often M-F himself into an independent's switching system, with switching +idiosyncrasies which can give him marvelous leverage over the Bell System. + +"I have a real affection for Automatic Electric Equipment," Bernay told me. +"There are a lot of things you can play with. Things break down in interesting +ways." + +Shortly after Bernay graduated from college (with a double major in chemistry +and philosophy), he graduated from phreaking around with G.T.&E. to the Bell +System itself, and made his legendary sticker-pasting journey north along the +coast, settling finally in Northwest Pacific Bell territory. He discovered +that if Bell does not break down as interestingly as G.T.&E., it nevertheless +offers a lot of "things to play with." + +Bernay learned to play with blue boxes. He established his own personal +switchboard and phone-phreak research laboratory complex. He continued his +phone-phreak evangelism with ongoing sticker campaigns. He set up two recording +numbers, one with instructions for beginning phone phreaks, the other with +latest news and technical developments (along with some advanced instruction) +gathered from sources all over the country. + +These days, Bernay told me, he had gone beyond phone-phreaking itself. "Lately +I've been enjoying playing with computers more than playing with phones. My +personal thing in computers is just like with phones, I guess -- the kick is in +finding out how to beat the system, how to get at things I'm not supposed to +know about, how to do things with the system that I'm not supposed to be able +to do." + +As a matter of fact, Bernay told me, he had just been fired from his +computer-programming job for doing things he was not supposed to be able to do. +he had been working with a huge time-sharing computer owned by a large +corporation but shared by many others. Access to the computer was limited to +those programmers and corporations that had been assigned certain passwords. +And each password restricted its user to access to only the one section of the +computer cordoned off from its own information storager. The password system +prevented companies and individuals from stealing each other's information. + +"I figured out how to write a program that would let me read everyone else's +password," Bernay reports. "I began playing around with passwords. I began +letting the people who used the computer know, in subtle ways, that I knew +their passwords. I began dropping notes to the computer supervisors with hints +that I knew what I know. I signed them 'The Midnight Skulker.' I kept getting +cleverer and cleverer with my messages and devising ways of showing them what I +could do. I'm sure they couldn't imagine I could do the things I was showing +them. But they never responded to me. Every once in a while they'd change the +passwords, but I found out how to discover what the new ones were, and I let +them know. But they never responded directly to the Midnight Skulker. I even +finally designed a program which they could use to prevent my program from +finding out what it did. In effect I told them how to wipe me out, The +Midnight Skulker. It was a very clever program. I started leaving clues about +myself. I wanted them to try and use it and then try to come up with something +to get around that and reappear again. But they wouldn't play. I wanted to +get caught. I mean I didn't want to get caught personally, but I wanted them +to notice me and admit that they noticed me. I wanted them to attempt to +respond, maybe in some interesting way." + + + Page 54 + +Finally the computer managers became concerned enough about the threat of +information-stealing to respond. However, instead of using The Midnight +Skulker's own elegant self-destruct program, they called in their security +personnel, interrogated everyone, found an informer to identify Bernay as The +Midnight Skulker, and fired him. + +"At first the security people advised the company to hire me full-time to +search out other flaws and discover other computer freaks. I might have liked +that. But I probably would have turned into a double double agent rather than +the double agent they wanted. I might have resurrected The Midnight Skulker +and tried to catch myself. Who knows? Anyway, the higher-ups turned the whole +idea down." + +You Can Tap the F.B.I.'s Crime Control Computer in the Comfort of Your Own +Home, Perhaps + +Computer freaking may be the wave of the future. It suits the phone-phreak +sensibility perfectly. Gilbertson, the blue-box inventor and a lifelong phone +phreak, has also gone on from phone-phreaking to computer-freaking. Before he +got into the blue-box business Gilbertson, who is a highly skilled programmer, +devised programs for international currency arbitrage. + +But he began playing with computers in earnest when he learned he could use his +blue box in tandem with the computer terminal installed in his apartment by the +instrumentation firm he worked for. The print-out terminal and keyboard was +equipped with acoustical coupling, so that by coupling his little ivory +Princess phone to the terminal and then coupling his blue box on that, he could +M-F his way into other computers with complete anonymity, and without charge; +program and re-program them at will; feed them false or misleading information; +tap and steal from them. He explained to me that he taps computers by busying +out all the lines, then going into a verification trunk, listening into the +passwords and instructions one of the time sharers uses, and them M-F-ing in +and imitating them. He believes it would not be impossible to creep into the +F.B.I's crime control computer through a local police computer terminal and +phreak around with the F.B.I.'s memory banks. He claims he has succeeded in +re-programming a certain huge institutional computer in such a way that it has +cordoned off an entire section of its circuitry for his personal use, and at +the same time conceals that arrangement from anyone else's notice. I have been +unable to verify this claim. + +Like Captain Crunch, like Alexander Graham Bell (pseudonym of a +disgruntled-looking East Coast engineer who claims to have invented the black +box and now sells black and blue boxes to gamblers and radical heavies), like +most phone phreaks, Gilbertson began his career trying to rip off pay phones as +a teenager. Figure them out, then rip them off. Getting his dime back from +the pay phone is the phone phreak's first thrilling rite of passage. After +learning the usual eighteen different ways of getting his dime back, Gilbertson +learned how to make master keys to coin-phone cash boxes, and get everyone +else's dimes back. He stole some phone-company equipment and put together his +own home switchboard with it. He learned to make a simple "bread-box" device, +of the kind used by bookies in the Thirties (bookie gives a number to his +betting clients; the phone with that number is installed in some widow lady's +apartment, but is rigged to ring in the bookie's shop across town, cops trace +big betting number and find nothing but the widow). + +Not long after that afternoon in 1968 when, deep in the stacks of an +engineering library, he came across a technical journal with the phone tone +frequencies and rushed off to make his first blue box, not long after that + + + Page 55 + +Gilbertson abandoned a very promising career in physical chemistry and began +selling blue boxes for $1,500 apiece. + +"I had to leave physical chemistry. I just ran out of interesting things to +learn," he told me one evening. We had been talking in the apartment of the +man who served as the link between Gilbertson and the syndicate in arranging +the big $300,000 blue-box deal which fell through because of legal trouble. +There has been some smoking. + +"No more interesting things to learn," he continues. "Physical chemistry turns +out to be a sick subject when you take it to its highest level. I don't know. +I don't think I could explain to you how it's sick. You have to be there. But +you get, I don't know, a false feeling of omnipotence. I suppose it's like +phone-phreaking that way. This huge thing is there. This whole system. And +there are holes in it and you slip into them like Alice and you're pretending +you're doing something you're actually not, or at least it's no longer you +that's doing what you thought you were doing. It's all Lewis Carroll. +Physical chemistry and phone-phreaking. That's why you have these phone-phreak +pseudonyms like The Cheshire Cat, the Red King, and The Snark. But there's +something about phone-phreaking that you don't find in physical chemistry." He +looks up at me: + +"Did you ever steal anything?" + +"Well yes, I..." + +"Then you know! You know the rush you get. It's not just knowledge, like +physical chemistry. It's forbidden knowledge. You know. You can learn about +anything under the sun and be bored to death with it. But the idea that it's +illegal. Look: you can be small and mobile and smart and you're ripping off +somebody large and powerful and very dangerous." + +People like Gilbertson and Alexander Graham Bell are always talking about +ripping off the phone company and screwing Ma Bell. But if they were shown a +single button and told that by pushing it they could turn the entire circuitry +of A.T.&T. into molten puddles, they probably wouldn't push it. The +disgruntled-inventor phone phreak needs the phone system the way the lapsed +Catholic needs the Church, the way Satan needs a God, the way The Midnight +Skulker needed, more than anything else, response. + +Later that evening Gilbertson finished telling me how delighted he was at the +flood of blue boxes spreading throughout the country, how delighted he was to +know that "this time they're really screwed." He suddenly shifted gears. + +"Of course. I do have this love/hate thing about Ma Bell. In a way I almost +like the phone company. I guess I'd be very sad if they were to disintegrate. +In a way it's just that after having been so good they turn out to have these +things wrong with them. It's those flaws that allow me to get in and mess with +them, but I don't know. There's something about it that gets to you and makes +you want to get to it, you know." + +I ask him what happens when he runs out of interesting, forbidden things to +learn about the phone system. + +"I don't know, maybe I'd go to work for them for a while." + +"In security even?" + + + Page 56 + +"I'd do it, sure. I just as soon play -- I'd just as soon work on either +side." + +"Even figuring out how to trap phone phreaks? I said, recalling Mark Bernay's +game." + +"Yes, that might be interesting. Yes, I could figure out how to outwit the +phone phreaks. Of course if I got too good at it, it might become boring +again. Then I'd have to hope the phone phreaks got much better and outsmarted +me for a while. That would move the quality of the game up one level. I might +even have to help them out, you know, 'Well, kids, I wouldn't want this to get +around but did you ever think of -- ?' I could keep it going at higher and +higher levels forever." + +The dealer speaks up for the first time. He has been staring at the soft +blinking patterns of light and colors on the translucent tiled wall facing him. +(Actually there are no patterns: the color and illumination of every tile is +determined by a computerized random-number generator designed by Gilbertson +which insures that there can be no meaning to any sequence of events in the +tiles.) + +"Those are nice games you're talking about," says the dealer to his friend. +"But I wouldn't mind seeing them screwed. A telephone isn't private anymore. +You can't say anything you really want to say on a telephone or you have to go +through that paranoid bullshit. 'Is it cool to talk on the phone?' I mean, +even if it is cool, if you have to ask 'Is it cool,' then it isn't cool. You +know. 'Is it cool,' then it isn't cool. You know. Like those blind kids, +people are going to start putting together their own private telephone +companies if they want to really talk. And you know what else. You don't hear +silences on the phone anymore. They've got this time-sharing thing on +long-distance lines where you make a pause and they snip out that piece of time +and use it to carry part of somebody else's conversation. Instead of a pause, +where somebody's maybe breathing or sighing, you get this blank hole and you +only start hearing again when someone says a word and even the beginning of the +word is clipped off. Silences don't count -- you're paying for them, but they +take them away from you. It's not cool to talk and you can't hear someone when +they don't talk. What the hell good is the phone? I wouldn't mind seeing them +totally screwed." + + + Page 57 + + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + * * + * +----------------------------------------------+ * + * * + * Secrets of the Little Blue Box * + * * + * by Ron Rosenbaum * + * Typed by One Farad Cap/AAG * + * * + * -A story so incredible it may even make you * + * feel sorry for the phone company- * + * * + * (Fourth of four files) * + * * + * +----------------------------------------------+ * + * * + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + +The Big Memphis Bust + +Joe Engressia never wanted to screw Ma Bell. His dream had always been to work +for her. + +The day I visited Joe in his small apartment on Union Avenue in Memphis, he was +upset about another setback in his application for a telephone job. + +"They're stalling on it. I got a letter today telling me they'd have to +postpone the interview I requested again. My landlord read it for me. They +gave me some runaround about wanting papers on my rehabilitation status but I +think there's something else going on." + +When I switched on the 40-watt bulb in Joe's room -- he sometimes forgets when +he has guests -- it looked as if there was enough telephone hardware to start a +small phone company of his own. + +There is one phone on top of his desk, one phone sitting in an open drawer +beneath the desk top. Next to the desk-top phone is a cigar-box-size M-F +device with big toggle switches, and next to that is some kind of switching and +coupling device with jacks and alligator plugs hanging loose. Next to that is +a Braille typewriter. On the floor next to the desk, lying upside down like a +dead tortoise, is the half-gutted body of an old black standard phone. Across +the room on a torn and dusty couch are two more phones, one of them a +touch-tone model; two tape recorders; a heap of phone patches and cassettes, +and a life-size toy telephone. + +Our conversation is interrupted every ten minutes by phone phreaks from all +over the country ringing Joe on just about every piece of equipment but the toy +phone and the Braille typewriter. One fourteen-year-old blind kid from +Connecticut calls up and tells Joe he's got a girl friend. He wants to talk to +Joe about girl friends. Joe says they'll talk later in the evening when they +can be alone on the line. Joe draws a deep breath, whistles him off the air +with an earsplitting 2600-cycle whistle. Joe is pleased to get the calls but he +looked worried and preoccupied that evening, his brow constantly furrowed over +his dark wandering eyes. In addition to the phone-company stall, he has just +learned that his apartment house is due to be demolished in sixty days for +urban renewal. For all its shabbiness, the Union Avenue apartment house has +been Joe's first home-of-his-own and he's worried that he may not find another +before this one is demolished. + + + Page 58 + +But what really bothers Joe is that switchmen haven't been listening to him. +"I've been doing some checking on 800 numbers lately, and I've discovered that +certain 800 numbers in New Hampshire couldn't be reached from Missouri and +Kansas. Now it may sound like a small thing, but I don't like to see sloppy +work; it makes me feel bad about the lines. So I've been calling up switching +offices and reporting it, but they haven't corrected it. I called them up for +the third time today and instead of checking they just got mad. Well, that +gets me mad. I mean, I do try to help them. There's something about them I +can't understand -- you want to help them and they just try to say you're +defrauding them." + +It is Sunday evening and Joe invites me to join him for dinner at a Holiday +Inn. Frequently on Sunday evening Joe takes some of his welfare money, calls a +cab, and treats himself to a steak dinner at one of Memphis' thirteen Holiday +Inns. (Memphis is the headquarters of Holiday Inn. Holiday Inns have been a +favorite for Joe ever since he made his first solo phone trip to a Bell +switching office in Jacksonville, Florida, and stayed in the Holiday Inn there. +He likes to stay at Holiday Inns, he explains, because they represent freedom +to him and because the rooms are arranged the same all over the country so he +knows that any Holiday Inn room is familiar territory to him. Just like any +telephone.) + +Over steaks in the Pinnacle Restaurant of the Holiday Inn Medical Center on +Madison Avenue in Memphis, Joe tells me the highlights of his life as a phone +phreak. + +At age seven, Joe learned his first phone trick. A mean baby-sitter, tired of +listening to little Joe play with the phone as he always did, constantly, put a +lock on the phone dial. "I got so mad. When there's a phone sitting there and +I can't use it... so I started getting mad and banging the receiver up and +down. I noticed I banged it once and it dialed one. Well, then I tried +banging it twice...." In a few minutes Joe learned how to dial by pressing the +hook switch at the right time. "I was so excited I remember going 'whoo whoo' +and beat a box down on the floor." + +At age eight Joe learned about whistling. "I was listening to some intercept +non working-number recording in L.A.- I was calling L.A. as far back as that, +but I'd mainly dial non working numbers because there was no charge, and I'd +listen to these recordings all day. Well, I was whistling 'cause listening to +these recordings can be boring after a while even if they are from L.A., and +all of a sudden, in the middle of whistling, the recording clicked off. I +fiddled around whistling some more, and the same thing happened. So I called +up the switch room and said, 'I'm Joe. I'm eight years old and I want to know +why when I whistle this tune the line clicks off.' He tried to explain it to +me, but it was a little too technical at the time. I went on learning. That +was a thing nobody was going to stop me from doing. The phones were my life, +and I was going to pay any price to keep on learning. I knew I could go to +jail. But I had to do what I had to do to keep on learning." + +The phone is ringing when we walk back into Joe's apartment on Union Avenue. +It is Captain Crunch. The Captain has been following me around by phone, +calling up everywhere I go with additional bits of advice and explanation for +me and whatever phone phreak I happen to be visiting. This time the Captain +reports he is calling from what he describes as "my hideaway high up in the +Sierra Nevada." He pulses out lusty salvos of M-F and tells Joe he is about to +"go out and get a little action tonight. Do some phreaking of another kind, if +you know what I mean." Joe chuckles. + + Page 59 + + + + + The Official Phreaker's Manual + + +The Captain then tells me to make sure I understand that what he told me about +tying up the nation's phone lines was true, but that he and the phone phreaks +he knew never used the technique for sabotage. They only learned the technique +to help the phone company. + +"We do a lot of troubleshooting for them. Like this New Hampshire/Missouri +WATS-line flaw I've been screaming about. We help them more than they know." + +After we say good-bye to the Captain and Joe whistles him off the line, Joe +tells me about a disturbing dream he had the night before: "I had been caught +and they were taking me to a prison. It was a long trip. They were taking me +to a prison a long long way away. And we stopped at a Holiday Inn and it was +my last night ever using the phone and I was crying and crying, and the lady at +the Holiday Inn said, 'Gosh, honey, you should never be sad at a Holiday Inn. +You should always be happy here. Especially since it's your last night.' And +that just made it worse and I was sobbing so much I couldn't stand it." + +Two weeks after I left Joe Engressia's apartment, phone-company security agents +and Memphis police broke into it. Armed with a warrant, which they left pinned +to a wall, they confiscated every piece of equipment in the room, including his +toy telephone. Joe was placed under arrest and taken to the city jail where he +was forced to spend the night since he had no money and knew no one in Memphis +to call. + +It is not clear who told Joe what that night, but someone told him that the +phone company had an open-and-shut case against him because of revelations of +illegal activity he had made to a phone-company undercover agent. + +By morning Joe had become convinced that the reporter from Esquire, with whom +he had spoken two weeks ago, was the undercover agent. He probably had ugly +thoughts about someone he couldn't see gaining his confidence, listening to him +talk about his personal obsessions and dreams, while planning all the while to +lock him up. + +"I really thought he was a reporter," Engressia told the Memphis Press-Seminar. +"I told him everything...." Feeling betrayed, Joe proceeded to confess +everything to the press and police. + +As it turns out, the phone company did use an undercover agent to trap Joe, +although it was not the Esquire reporter. + +Ironically, security agents were alerted and began to compile a case against +Joe because of one of his acts of love for the system: Joe had called an +internal service department to report that he had located a group of defective +long-distance trunks, and to complain again about the New Hampshire/Missouri +WATS problem. Joe always liked Ma Bell's lines to be clean and responsive. A +suspicious switchman reported Joe to the security agents who discovered that +Joe had never had a long-distance call charged to his name. + +Then the security agents learned that Joe was planning one of his phone trips +to a local switching office. The security people planted one of their agents +in the switching office. He posed as a student switchman and followed Joe +around on a tour. He was extremely friendly and helpful to Joe, leading him +around the office by the arm. When the tour was over he offered Joe a ride back +to his apartment house. On the way he asked Joe -- one tech man to another -- +about "those blue boxers" he'd heard about. Joe talked about them freely, +talked about his blue box freely, and about all the other things he could do + + Page 60 + + + + + The Official Phreaker's Manual + +with the phones. + +The next day the phone-company security agents slapped a monitoring tape on +Joe's line, which eventually picked up an illegal call. Then they applied for +the search warrant and broke in. + +In court Joe pleaded not guilty to possession of a blue box and theft of +service. A sympathetic judge reduced the charges to malicious mischief and +found him guilty on that count, sentenced him to two thirty-day sentences to be +served concurrently and then suspended the sentence on condition that Joe +promise never to play with phones again. Joe promised, but the phone company +refused to restore his service. For two weeks after the trial Joe could not be +reached except through the pay phone at his apartment house, and the landlord +screened all calls for him. + +Phone-phreak Carl managed to get through to Joe after the trial, and reported +that Joe sounded crushed by the whole affair. + +"What I'm worried about," Carl told me, "is that Joe means it this time. The +promise. That he'll never phone-phreak again. That's what he told me, that +he's given up phone-phreaking for good. I mean his entire life. He says he +knows they're going to be watching him so closely for the rest of his life +he'll never be able to make a move without going straight to jail. He sounded +very broken up by the whole experience of being in jail. It was awful to hear +him talk that way. I don't know. I hope maybe he had to sound that way. Over +the phone, you know." + +He reports that the entire phone-phreak underground is up in arms over the +phone company's treatment of Joe. "All the while Joe had his hopes pinned on +his application for a phone-company job, they were stringing him along getting +ready to bust him. That gets me mad. Joe spent most of his time helping them +out. The bastards. They think they can use him as an example. All of sudden +they're harassing us on the coast. Agents are jumping up on our lines. They +just busted ------'s mute yesterday and ripped out his lines. But no matter +what Joe does, I don't think we're going to take this lying down." + +Two weeks later my phone rings and about eight phone phreaks in succession say +hello from about eight different places in the country, among them Carl, Ed, +and Captain Crunch. A nationwide phone-phreak conference line has been +reestablished through a switching machine in --------, with the cooperation of +a disgruntled switchman. + +"We have a special guest with us today," Carl tells me. + +The next voice I hear is Joe's. He reports happily that he has just moved to a +place called Millington, Tennessee, fifteen miles outside of Memphis, where he +has been hired as a telephone-set repairman by a small independent phone +company. Someday he hopes to be an equipment troubleshooter. + +"It's the kind of job I dreamed about. They found out about me from the +publicity surrounding the trial. Maybe Ma Bell did me a favor busting me. +I'll have telephones in my hands all day long." + +"You know the expression, 'Don't get mad, get even'?" phone-phreak Carl asked +me. "Well, I think they're going to be very sorry about what they did to Joe +and what they're trying to do to us." + ++-- End fourth file of four --+ + + Page 61 + + + + + The Official Phreaker's Manual + + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + $ $ + $ THE HISTORY OF ESS $ + $ --- ------- -- --- $ + $ $ + $ $ + $ Another original phile by: $ + $ $ + $ $ + $$$$$$$$$$$$-=>Lex Luthor<=-$$$$$$$$$$$ + $ $ + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + + + Of all the new 1960s wonders of telephone technology - satellites, ultra +modern Traffic Service Positions (TSPS) for operators, the picturephone, and so +on - the one that gave Bell Labs the most trouble, and unexpectedly became the +greatest development effort in Bell System's history, was the perfection of an +electronic switching system, or ESS. + + It may be recalled that such a system was the specific end in view when the +project that had culminated in the invention of the transistor had been +launched back in the 1930s. After successful accomplishment of that planned +miracle in 1947-48, further delays were brought about by financial stringency +and the need for further development of the transistor itself. In the early +1950s, a Labs team began serious work on electronic switching. As early as +1955, Western Electric became involved when five engineers from the Hawthorne +works were assigned to collaborate with the Labs on the project. The president +of AT&T in 1956, wrote confidently, "At Bell Labs, development of the new +electronic switching system is going full speed ahead. We are sure this will +lead to many improvements in service and also to greater efficiency. The first +service trial will start in Morris, Ill., in 1959." Shortly thereafter, Kappel +said that the cost of the whole project would probably be $45 million. + + But it gradually became apparent that the development of a commercially +usable electronic switching system -in effect, a computerized telephone +exchange - presented vastly greater technical problems than had been +anticipated, and that, accordingly, Bell Labs had vastly underestimated both +the time and the investment needed to do the job. The year 1959 passed without +the promised first trial at Morris, Illinois; it was finally made in November +1960, and quickly showed how much more work remained to be done. As time +dragged on and costs mounted, there was a concern at AT&T and some-thing +approaching panic at Bell Labs. But the project had to go forward; by this +time the investment was too great to be sacrificed, and in any case, forward +projections of increased demand for telephone service indicated that within a +phew years a time would come when, without the quantum leap in speed and +flexibility that electronic switching would provide, the national network would +be unable to meet the demand. In November 1963, an all-electronic switching +system went into use at the Brown Engineering Company at Cocoa Beach, Florida. +But this was a small installation, essentially another test installation, +serving only a single company. Kappel's tone on the subject in the 1964 annual +report was, for him, an almost apologetic: "Electronic switching equipment must +be manufactured in volume to unprecedented standards of reliability.... To turn +out the equipment economically and with good speed, mass production methods +must be developed; but, at the same time, there can be no loss of precision..." +Another year and millions of dollars later, on May 30, 1965, the first +commercial electric central office was put into service at Succasunna, New +Jersey. + + Page 62 + + + + + The Official Phreaker's Manual + + + Even at Succasunna, only 200 of the town's 4,300 subscribers initially had +the benefit of electronic switching's added speed and additional services, such +as provision for three party conversations and automatic transfer of incoming +calls. But after that, ESS was on its way. In January 1966, the second +commercial installation, this one serving 2,900 telephones, went into service +in Chase, Maryland. By the end of 1967 there were additional ESS offices in +California, Connecticut, Minnesota, Georgia, New York, Florida, and +Pennsylvania; by the end of 1970 there were 120 offices serving 1.8 million +customers; and by 1974 there were 475 offices serving 5.6 million customers. + + The difference between conventional switching and electronic switching is +the difference between "hardware" and "software"; in the former case, +maintenance is done on the spot, with screwdriver and pliers, while in the case +of electronic switching, it can be done remotely, by computer, from a central +point, making it possible to have only one or two technicians on duty at a time +at each switching center. + + The development program, when the final figures were added up, was found to +have required a staggering four thousand man-years of work at Bell Labs and to +have cost not $45 million but $500 million! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 63 + + + + + The Official Phreaker's Manual + + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + $ $ + $ THE HISTORY OF BRITISH PHREAKING $ + $ -=- -=-=-=- -- -=-=-=- -=-=-=-=- $ + $ $ + $ THE SECOND IN A SERIES OF $ + $ THE HISTORY OF.....PHILES $ + $ $ + $ WRITTEN AND UPLOADED BY: $ + $ $ + $$$$$$$$$$$$-=>LEX LUTHOR<=-$$$$$$$$$$$ + $ AND $ + $ THE LEGION OF DOOM! $ + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + + NOTE: THE BRITISH POST OFFICE, IS THE U.S. EQUIVALENT OF MA BELL. + + IN BRITAIN, PHREAKING GOES BACK TO THE EARLY FIFTIES, WHEN THE TECHNIQUE OF +'TOLL A DROP BACK' WAS DISCOVERED. TOLL A WAS AN EXCHANGE NEAR ST. PAULS +WHICH ROUTED CALLS BETWEEN LONDON AND NEARBY NON-LONDON EXCHANGES. THE TRICK +WAS TO DIAL AN UNALLOCATED NUMBER, AND THEN DEPRESS THE RECEIVER-REST FOR 1/2 +SECOND. THIS FLASHING INITIATED THE 'CLEAR FORWARD' SIGNAL, LEAVING THE CALLER +WITH AN OPEN LINE INTO THE TOLL A EXCHANGE.THE COULD THEN DIAL 018, WHICH +FORWARDED HIM TO THE TRUNK EXCHANGE AT THAT TIME, THE FIRST LONG DISTANCE +EXCHANGE IN BRITAIN AND FOLLOW IT WITH THE CODE FOR THE DISTANT EXCHANGE TO +WHICH HE WOULD BE CONNECTED AT NO EXTRA CHARGE. + + THE SIGNALS NEEDED TO CONTROL THE UK NETWORK TODAY WERE PUBLISHED IN THE +"INSTITUTION OF POST OFFICE ENGINEERS JOURNAL" AND REPRINTED IN THE SUNDAY +TIMES (15 OCT. 1972). + + THE SIGNALLING SYSTEM THEY USE: SIGNALLING SYSTEM NO. 3 USES PAIRS OF +FREQUENCIES SELECTED FROM 6 TONES SEPARATED BY 120HZ. WITH THAT INFO, THE +PHREAKS MADE "BLEEPERS" OR AS THEY ARE CALLED HERE IN THE U.S. "BLUE BOX", BUT +THEY DO UTILIZE DIFFERENT MF TONES THEN THE U.S., THUS, YOUR U.S. BLUE BOX +THAT YOU SMUGGLED INTO THE UK WILL NOT WORK, UNLESS YOU CHANGE THE +FREQUENCIES. + + IN THE EARLY SEVENTIES, A SIMPLER SYSTEM BASED ON DIFFERENT NUMBERS OF PULSES +WITH THE SAME FREQUENCY (2280HZ) WAS USED. FOR MORE INFO ON THAT, TRY TO GET A +HOLD OF: ATKINSON'S "TELEPHONY AND SYSTEMS TECHNOLOGY". + + IN THE EARLY DAYS OF BRITISH PHREAKING, THE CAMBRIDGE UNIVERSITY TITAN +COMPUTER WAS USED TO RECORD AND CIRCULATE NUMBERS FOUND BY THE EXHAUSTIVE +DIALING OF LOCAL NETWORKS. THESE NUMBERS WERE USED TO CREATE A CHAIN OF LINKS +FROM LOCAL EXCHANGE TO LOCAL EXCHANGE ACROSS THE COUNTRY, BYPASSING THE TRUNK +CIRCUITS. BECAUSE THE INTERNAL ROUTING CODES IN THE UK NETWORK ARE NOT THE +SAME AS THOSE DIALED BY THE CALLER, THE PHREAKS HAD TO DISCOVER THEM BY 'PROBE +AND LISTEN' TECHNIQUES OR MORE COMMONLY KNOWN IN THE U.S.-- SCANNING. WHAT +THEY DID WAS PUT IN LIKELY SIGNALS AND LISTENED TO FIND OUT IF THEY SUCCEEDED. +THE RESULTS OF SCANNING WERE CIRCULATED TO OTHER PHREAKS. DISCOVERING EACH +OTHER TOOK TIME AT FIRST, BUT EVENTUALLY THE PHREAKS BECAME ORGANIZED. THE +"TAP" OF BRITAIN WAS CALLED "UNDERCURRENTS" WHICH ENABLED BRITISH PHREAKS TO +SHARE THE INFO ON NEW NUMBERS, EQUIPMENT ETC. + + TO UNDERSTAND WHAT THE BRITISH BRITISH PHREAKS DID, THINK OF THE PHONE +NETWORK IN THREE LAYERS OF LINES: LOCAL, TRUNK, AND INTERNATIONAL.#IN THE UK, +SUBSCRIBER TRUNK DIALING (STD), IS THE MECHANISM WHICH TAKES A CALL FROM THE + + Page 64 + + + + + The Official Phreaker's Manual + +LOCAL LINES AND (LEGITIMATELY) ELEVATES IT TO A TRUNK OR INTERNATIONAL +LEVEL.#THE UK PHREAKS FIGURED THAT A CALL AT TRUNK LEVEL CAN BE ROUTED THROUGH +ANY NUMBER OF EXCHANGES, PROVIDED THAT THE RIGHT ROUTING CODES WERE FOUND AND +USED CORRECTLY. THEY ALSO HAD TO DISCOVER HOW TO GET FROM LOCAL TO TRUNK LEVEL +EITHER WITHOUT BEING CHARGED (WHICH THEY DID WITH A BLEEPER BOX) OR WITHOUT +USING (STD). CHAINING HAS ALREADY BEEN MENTIONED BUT IT REQUIRES LONG STRINGS +OF DIGITS AND SPEECH GETS MORE AND MORE FAINT AS THE CHAIN GROWS, JUST LIKE IT +DOES WHEN YOU STACK TRUNKS BACK AND FORTH ACROSS THE U.S.#THE WAY THE SECURITY +REPS SNAGGED THE PHREAKS WAS TO PUT A SIMPLE 'PRINTERMETER' OR AS WE CALL IT: +A PEN REGISTER ON THE SUSPECTS LINE, WHICH SHOWS EVERY DIGIT DIALED FROM THE +SUBSCRIBERS LINE. + + THE BRITISH PREFER TO GET ONTO THE TRUNKS RATHER THAN CHAINING. ONE WAY WAS +TO DISCOVER WHERE LOCAL CALLS USE THE TRUNKS BETWEEN NEIGHBORING EXCHANGES, +START A CALL AND STAY ON THE TRUNK INSTEAD OF RETURNING TO THE LOCAL LEVEL ON +REACHING THE DISTANT SWITCH. THIS AGAIN REQUIRED EXHAUSTIVE DIALING AND MADE +MORE WORK FOR TITAN; IT ALSO REVEALED 'FIDDLES', WHICH WERE INSERTED BY POST +OFFICE ENGINEERS. + + WHAT FIDDLING MEANS IS THAT THE ENGINEERS REWIRED THE EXCHANGES FOR THEIR OWN +BENEFIT. THE EQUIPMENT IS MODIFIED TO GIVE ACCESS TO A TRUNK WITH OUT BEING +CHARGED, AN OPERATION WHICH IS PRETTY EASY IN STEP BY STEP (SXS) +ELECTROMECHANICAL EXCHANGES, WHICH WERE INSTALLED IN BRITAIN EVEN IN THE 1970S +(NOTE: I KNOW OF A BACK DOOR INTO THE CANADIAN SYSTEM ON A 4A CO., SO IF YOU +ARE ON SXS OR A 4A, TRY SCANNING 3 DIGIT EXCHANGES, IE: DIAL 999,998,997 +ETC.#AND LISTEN FOR THE BEEP-KERCHINK, IF THERE ARE NO 3 DIGIT CODES WHICH +ALLOW DIRECT ACCESS TO A TANDEM IN YOUR LOCAL EXCHANGE AND BYPASSES THE AMA SO +YOU WON'T BE BILLED, NOT HAVE TO BLAST 2600 EVERY TIME YOU WISH TO BOX A CALL. + + A FAMOUS BRITISH 'FIDDLER' REVEALED IN THE EARLY 1970S WORKED BY DIALING 173. +THE CALLER THEN ADDED THE TRUNK CODE OF 1 AND THE SUBSCRIBERS LOCAL NUMBER. AT +THAT TIME, MOST ENGINEERING TEST SERVICES BEGAN WITH 17X, SO THE ENGINEERS +COULD HIDE THEIR FIDDLES IN THE NEST OF SERVICE WIRES. WHEN SECURITY REPS +STARTED SEARCHING, THE FIDDLES WERE CONCEALED BY TONES SIGNALLING: 'NUMBER +UNOBTAINALBE' OR 'EQUIPMENT ENGAGED' WHICH SWITCHED OFF AFTER A DELAY. THE +NECESSARY RELAYS ARE SMALL AND EASILY HIDDEN. + + THERE WAS ANOTHER SIDE TO PHREAKING IN THE UK IN THE SIXTIES. BEFORE STD WAS +WIDESPREAD, MANY 'ORDINARY' PEOPLE WERE DRIVEN TO. + +OCCASIONAL PHREAKING FROM SHEER FRUSTRATION AT THE INEFFICIENT OPERATOR +CONTROLLED TRUNK SYSTEM. THIS CAME TO A HEAD DURING A STRIKE ABOUT 1961 WHEN +OPERATORS COULD NOT BE REACHED. NOTHING COMPLICATED WAS NEEDED. MANY +OPERATORS HAD BEEN IN THE HABIT OF REPEATING THE CODES AS THEY DIALLED THE +REQUESTED NUMBERS SO PEOPLE SOON LEARNT THE NUMBERS THEY CALLED FREQUENTLY. +THE ONLY 'TRICK' WAS TO KNOW WHICH EXCHANGES COULD BE DIALLED THROUGH TO PASS +ON THE TRUNK NUMBER.CALLERS ALSO NEEDED A PRETTY QUIET PLACE TO DO IT, SINCE +TIMING RELATIVE TO CLICKS WAS IMPORTANT THE MOST FAMOUS TRIAL OF BRITISH +PHREAKS WAS CALLED THE OLD BAILY TRIAL.#WHICH STARTED ON 3 OCT. 1973.#WHAT +THEY PHREAKS DID WAS TO DIAL A SPARE NUMBER AT A LOCAL CALL RATE BUT INVOLVING +A TRUNK TO ANOTHER EXCHANGE THEN THEY SEND A 'CLEAR FORWARD' TO THEIR LOCAL +EXCHANGE, INDICATING TO IT THAT THE CALL IS FINISHED;BUT THE DISTANT EXCHANGE +DOESN'T REALIZE BECAUSE THE CALLER'S PHONE IS STILL OFF THE HOOK. THEY NOW +HAVE AN OPEN LINE INTO THE DISTANT TRUNK EXCHANGE AND SENDS TO IT A 'SEIZE' +SIGNAL: '1' WHICH PUTS HIM ONTO ITS OUTGOING LINES NOW, IF THEY KNOW THE +CODES, THE WORLD IS OPEN TO THEM. ALL OTHER EXCHANGES TRUST HIS LOCAL EXCHANGE +TO HANDLE THE BILLING; THEY JUST INTERPRET THE TONES THEY HEAR. MEAN WHILE, +THE LOCAL EXCHANGE COLLECTS ONLY FOR A LOCAL CALL. THE INVESTIGATORS + + Page 65 + + + + + The Official Phreaker's Manual + +DISCOVERED THE PHREAKS HOLDING A CONFERENCE SOMEWHERE IN ENGLAND SURROUNDED BY +VARIOUS PHONE EQUIPMENT AND BLEEPER BOXES, ALSO PRINTOUTS LISTING 'SECRET' POST +OFFICE CODES. (THEY PROBABLY GOT THEM FROM TRASHING?) THE JUDGE SAID: "SOME +TAKE TO HEROIN, SOME TAKE TO TELEPHONES" FOR THEM PHONE PHREAKING WAS NOT A +CRIME BUT A HOBBY TO BE SHARED WITH PHELLOW ENTHUSIASTS AND DISCUSSED WITH THE +POST OFFICE OPENLY OVER DINNER AND BY MAIL. THEIR APPROACH AND ATTITUDE TO THE +WORLDS LARGEST COMPUTER, THE GLOBAL TELEPHONE SYSTEM, WAS THAT OF SCIENTISTS +CONDUCTING EXPERIMENTS OR PROGRAMMERS AND ENGINEERS TESTING PROGRAMS AND +SYSTEMS. THE JUDGE APPEARED TO AGREE, AND EVEN ASKED THEM FOR PHREAKING CODES +TO USE FROM HIS LOCAL EXCHANGE!!! + +# $-THE END-$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 66 + + + + + The Official Phreaker's Manual + + Bad as Shit + + Recently, a telephone fanatic in the northwest made an interesting +discovery. He was exploring the 804 area code (Virginia) and found out that +the 840 exchange did something strange. + In the vast majority of cases, in fact in all of the cases except one, he +would get a recording as if the exchange didn't exist. However, if he dialed +804-840 and four rather predictable numbers, he got a ring! + + After one or two rings, somebody picked up. Being experienced at this kind +of thing, he could tell that the call didn't "supe", that is, no charges were +being incurred for calling this number. + (Calls that get you to an error message, or a special operator, generally +don't supervise.) A female voice, with a hint of a Southern accent said, +"Operator, can I help you?" + + "Yes," he said, "What number have I reached?" + + "What number did you dial, sir?" + + He made up a number that was similar. + + "I'm sorry that is not the number you reached." Click. + + He was fascinated. What in the world was this? He knew he was going to +call back, but before he did, he tried some more experiments. He tried the 840 +exchange in several other area codes. In some, it came up as a valid exchange. +In others, exactly the same thing happened -- the same last four digits, the +same Southern belle. Oddly enough, he later noticed, the areas worked in +seemed to travel in a beeline from Washington DC to Pittsburgh, PA. + + He called back from a payphone. "Operator, can I help you?" + + "Yes, this is the phone company. I'm testing this line and we don't seem to +have an identification on your circuit. What office is this, please?" + + "What number are you trying to reach?" + + "I'm not trying to reach any number. I'm trying to identify this circuit." + + "I'm sorry, I can't help you." + + "Ma'am, if I don't get an ID on this line, I'll have to disconnect it. We +show no record of it here." + + "Hold on a moment, sir." + + After about a minute, she came back. "Sir, I can have someone speak to you. +Would you give me your number, please?" + + He had anticipated this and he had the payphone number ready. After he gave +it, she said, "Mr. XXX will get right back to you." + + "Thanks." He hung up the phone. It rang. INSTANTLY! "Oh my God," he +thought, "They weren't asking for my number -- they were confirming it!" + + "Hello," he said, trying to sound authoritative. + + + Page 67 + + + + + The Official Phreaker's Manual + + "This is Mr. XXX. Did you just make an inquiry to my office concerning a +phone number?" + + "Yes. I need an identi--" + + "What you need is advice. Don't ever call that number again. Forget you +ever knew it." + + At this point our friend got so nervous he just hung up. He expected to +hear the phone ring again but it didn't. + + Over the next few days he racked his brains trying to figure out what the +number was. He knew it was something big -- that was pretty certain at this +point. It was so big that the number was programmed into every central office +in the country. He knew this because if he tried to dial any other number in +that exchange, he'd get a local error message from his CO, as if the exchange +didn't exist. + + It finally came to him. He had an uncle who worked in a federal agency. He +had a feeling that this was government related and if it was, his uncle could +probably find out what it was. He asked the next day and his uncle promised to +look into the matter. + + The next time he saw his uncle, he noticed a big change in his manner. He +was trembling. "Where did you get that number?!" he shouted. "Do you know I +almost got fired for asking about it?!? They kept wanting to know where I got +it." + + Our friend couldn't contain his excitement. "What is it?" he pleaded. +"What's the number?!" + +"IT'S THE PRESIDENT'S BOMB SHELTER!" + + He never called the number after that. He knew that he could probably cause +quite a bit of excitement by calling the number and saying something like, "The +weather's not good in Washington. We're coming over for a visit." But our +friend was smart. he knew that there were some things that were better off +unsaid and undone. <> + + + + + + + + + + + + + + + + + + + + + + Page 68 + + + + + The Official Phreaker's Manual + + Chapter 3 + + This chapter is really just a bunch of FACS (pun intended). Here is where +random facts that really have something to do with everything else but nothing +to do with anything else, are presented. They cover various topics such as: +Conferencing, Tracing, Pen registers, Calling cards, and some basic FMF (Fool +the Mother Fuckers). The aspects covered here are very brief and could easily +be covered much more thoroughly, but it is no problem since they are not very +important topics. Something that would make a very nice gift is covered in the +article AT&T forgery. Just make up stationary with AT&T letter head and give +it as a present to your phriends who would appreciate it. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 69 + + + + + The Official Phreaker's Manual + + Phreaking COSMOS + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + COSMOS is Bell's computer for handling information on customer lines, +special services on lines, and orders to change line equipment, disconnect +lines, etc. COSMOS stands for Computerized System for Mainframe Operations. It +is based on the UNIX operating system and, depending upon the COSMOS and upon +your access, has some, many, or no UNIX standard commands. COSMOS is powerful, +but there is no reason to be afraid of it. This article will give some of the +basic, pertinent info on how users get in, account format, and a few other +goodies. + + Password Identification + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + To get onto COSMOS you need a dialup, account, password, and wire center +(WC). Wire centers are two letter codes that tell what section of the COSMOS +you are in. There are different WC's f or different areas and groups of +exchanges. Examples are PB, SR, LK, et c. Sometimes there are accounts that +have no password; obviously such accounts are the easiest to hack. + + Checking It Out + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + Let's suppose you have a COSMOS number which you obtained one way or +another. The first thing to do would be to make sure it is really a COSMOS +system, not some other Bell or AT&T computer. To do this, you would call it +and connect your modem,, then hit some returns until you got a response. It +should say: + + ';LOGIN:' or 'NAME:'. + If you enter some garbage it should say: +'PASSWORD:'. + If you hit a return and it says 'WC?', it is a COSMOS system. If it says +something like 'TA%' then you're in business. If it doesn't do any of the +above, then it is either some other kind of system, or, if you're not getting +anything at all, the dialup has probably gone bad. + + Getting In + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + COSMOS has certain accounts that are usually on the system, one of which +might not have a password. They consist of ROOT (most powerful and almost +always on the system), SYS (second most powerful, still many privileges), BIN +(a little less power), PREOP (a little less), and COSMOS (hardly any +privileges, like a normal user). The way to tell if they have passwords is by +entering accounts at the ';LOGIN:' or ' NAME:' prompt, and if it jumps straight +to 'WC?', all you need is a WC to get in. But suppose all of the accounts have +passwords? You have two choices. You can try to hack the password and WC to +one of the above accounts. I won't deal with this method, as is +self-explanatory. Or you can do something I find much easier...call the +COSMOS during business hours and hope that someone forgot to log off. Keep +calling until when you connect and hit return until you get a 'WC%' prompt. +'WC' is the WC that the account you found is currently in. You are now in! + + What to Do while on-line + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + + Page 70 + + + + + The Official Phreaker's Manual + + The first thing you want to do is write down the WC you are in. Only on our +first login it is a good idea to print everything or dump everything to a +buffer. + + Commands + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +'WCFLDS'(!) : Should list all WC's. +'WHO' : Should print everyone currently logged on the system, giving +some accounts. +'TTY' : Tells what terminal port you are on. +'WHERE' : Should tell the location of the COSMOS installation. +'WHAT' : Tells what version of COSNIX, COSMOS's operating system, it +is. +'LS *' : Prints all the files you have access to. +'CD /dir' : Connects you to the directory '/dir'. +'CAT filename ' : Prints the file 'filename'. +'Q' : Quits the editor. +CTRL- Y. : Logs off +'TAT' : Sometimes prints a little help file. +'ISH' : Check someone's telefone #, type 'ISH' at the COSMOS 'WC%' +prompt. Then type. +'HTN XXX-XXXX' : (Hunt Telephone Number) to tell you about the local number +you are interested in. + +'CAT /ETC/PASSWD': Prints out the password file, if you have access. The +passwords are almost always encrypted, but you get a list of all the accounts. +If you are lucky, one of the lines will have two colons after the account name. +This means there is no prompt from the ';LOGIN:' or 'NAME:' prompts when you +enter that account. + +To run a file just type the name followed by a return. + + When the system gives you a '-', you type a '.', and it will type all kinds +of info on the phone number you entered (in Bell abbreviations, of course). If +it is not a good exchange, it will say something to that effect. You type a +period to end the ISH. + If you wish to learn more information about COSMOS, find yourself a COSMOS +manual or look at future issues of 2600. A UNIX manual would also be helpful +for standard UNIX commands. + + + + + + + + + + + + + + + + + + + + + Page 71 + + + + + The Official Phreaker's Manual + + FACS FACTS + A LOOK AT THE NEW FACS SYSTEMS + BY SHARP RAZOR + + + BELL ATLANTIC (AND PROBABLY THE REST OF THE U.S. SOON ENOUGH) IS REVAMPING +COSMOS. THE PROJECT IS CALLED FACS (FACILITATED ASSIGNMENT AND CONTROL +SYSTEM).FACS IS COMPOSED OF 5 MODULES WHICH ARE DESIGNED TO FUNCTION AS A +UNIFIED SYSTEM. THE PREMIS AND THE COSMOS SYSTEMS CAN FUNCTION AS ST AND-ALONE +SYSTEMS.THE FIVE PARTS OF FACS ARE PREMIS,SOAC, LFACS,COSMOS,AND THE WM. + + THE PREMIS (PREMISES INFORMATION SYSTEM) SUPPORTS BOTH RESIDENCE AND +BUSINESS ACCOUNTS. PREMIS IS USED FOR VARIOUS INQUIRIES FOR THE STREET ADDRESS +GUIDE(SAG),IE::PHONE NUMBERS,BILLING CHARGES,CREDIT,ETC. + + THE SECOND PART OF FACS IS THE SOAC(SERVICE ORDER ANALYSIS AND CONTROL). +THIS IS PRIMARILY USED TO INPUT SERVICE ORDER DATA INTO FACS, AND TO GET THE +APPROPRIATE OUTPUT. SOAC INTERPRETS, VALIDATES,AND DECOMPOSES ALL INPUTED DATA +AND SENDS THE INFO TO THE COSMOS AND THE LFACS SYSTEMS. + + THE THIRD PART OF THE SYSTEM IS LFACS(LOOP FACILITIES AND CONTROL SYSTEM). +THIS IS THE COMPONENT OF FACS THAT IS RESPONSIBLE FOR MAINTAINING THE +INVENTORY,DOING THE ASSIGNMENTS, ADMINISTRATING INQUIRIES AND REPORTS, AND IS +THE INVENTORY TRANSFORMATION CENTER. THIS PART OF FACS WILL BE MOSTLY USED FOR +AIDING THE AT&T LINEMEN. + + THE COSMOS SYSTEM(COMPUTER SYSTEM FOR MAINFRAME OPERATIONS) COMPRISES THE +FOURTH PART OF THE FACS SYSTEM. COSMOS IS THE COMPONENT OF FACS THAT IS +RESPONSIBLE FOR MAINTAINING THE MECHANIZED INVENTORY OF MDF FACILITIES,STORING +CUSTOM CALL FEATURES(IE:SPEED DIALING NUMBERS),AND OTHER MISC. INFO. + + THE FIFTH AND LAST PIECE OF THE FACS SYSTEM IS THE WORK MANAGER (WM). HIS +COMPONENT SERVES AS THE FRONT-END PROCESSOR FOR COSMOS. IT ENABLES A NUMBER OF +COSMOS COMPUTERS TO RELIABLY COMMUNICATE WITH THE OTHER FACS COMPONENTS. WM +SERVES AS THE MESSAGES SWITCHING SYSTEM FOR THE FACS PIECES, AND GENERALLY IS +THE "MESSENGER AND STABILIZER" OF THE SYSTEM. + + THE HARDWARE THAT WILL RUN THIS FACS SYSTEM IS: + COSMOS: 22-WECO. 3B-20S MINI COMPS. + WM: 6-WECO. 3B-20S MINI COMPS. + SOAC-LFACS-PREMIS: TWO SPERRY UNIVAC 1100/92 MAINFRAMES. + BANCS 2 THP CYBER 1000 PROCESSORS. + + THE FACS SYSTEM IS STARTING UP AT THIS VERY MOMENT. THIS IS BASICALLY A +BROAD VIEW OF THE FACS SYSTEM. AT&T SEEMS TO THINK THAT FACS WILL BE MORE +EFFICIENT,SAVE THEM MONEY IN THE LONG RUN, AND SAVE THEM WORKERS(HERE COME SOME +MASSIVE LAYOFFS!) WHAT THIS MEANS TO PHREAKERS AND HACKERS IS THAT YOU WILL NOW +HAVE AT LEAST FIVE DIAL-UPS IN AN AREA CODE WITH WHICH YOU CAN PHUCK WITH +AT&T! + + ..LATER.. + ..SHARP RAZOR>> + THE LEGION OF DOOM! +(NOTE: THE FACS SYSTEM HAS RECENTLY BEEN PUT INTO OPERATION(SUMMER 84) IN +ST.LOUIS MISSOURI) + + + + + Page 72 + + + + + The Official Phreaker's Manual + + Telenet + + It seems that not many of you know that Telenet is connected to about 80 +computer-networks in the world. No, I don't mean 80 nodes, but 80 networks with +thousands of unprotected computers. When you call your local Telenet- gateway, +you can only call those computers which accept reverse-charging- calls. + If you want to call computers in foreign countries or computers in USA which +do not accept R-calls, you need a Telenet-ID. Did you ever notice that you can +type ID XXXX when being connected to Telenet? You are then asked for the +password. If you have such a NUI (Network-User-ID) you can call nearly every +host connected to any computer-network in the world. Here are some examples: + +026245400090184 :Is a VAX in Germany (Username: DATEXP and leave mail for +CHRIS !!!) +0311050500061 :Is the Los Alamos Integrated computing network (One of the +hosts connected to it is the DNA (Defense Nuclear Agency)!!!) +0530197000016 :Is a BBS in New Zealand +024050256 :Is the S-E-Bank in Stockholm, Sweden (Login as GAMES !!!) +02284681140541 :CERN in Geneva in Switzerland (one of the biggest nuclear +research centers in the world) Login as GUEST +0234212301161 :A Videotex-standard system. Type OPTEL to get in and use the +ID 999_ with the password 9_ +0242211000001 :University of Oslo in Norway (Type LOGIN 17,17 to play the +Multi-User-Dungeon !) +0425130000215 :Something like ITT Dialcom, but this one is in Israel ! ID +HELP with password HELP works fine with security level 3 +0310600584401 :Is the Washington Post News Service via Tymnet (Yes, Tymnet is +connected to Telenet, too !) ID and Password is: PETER You can read the news +of the next day ! + +The prefixes are as follows: +02624 is Datex-P in Germany +02342 is PSS in England +03110 is Telenet in USA +03106 is Tymnet in USA +02405 is Telepak in Sweden +04251 is Isranet in Israel +02080 is Transpac in France +02284 is Telepac in Switzerland +02724 is Eirpac in Ireland +02704 is Luxpac in Luxembourg +05252 is Telepac in Singapore +04408 is Venus-P in Japan +...and so on... Some of the countries have more than one +packet-switching-network (USA has 11, Canada has 3, etc). + +OK. That should be enough for the moment. As you see most of the passwords are +very simple. This is because they must not have any fear of hackers. Only a few +German hackers use these networks. Most of the computers are absolutely easy to +hack !!! So, try to find out some Telenet-ID's and leave them here. If you need +more numbers, leave e-mail. +I'm calling from Germany via the German Datex-P network, which is similar to +Telenet. We have a lot of those NUI's for the German network, but none for a +special Tymnet-outdial-computer in USA, which connects me to any phone #. + +CUL8R, Mad Max + +PS: Call 026245621040000 and type ID INF300 with password DATACOM to get more + + Page 73 + + + + + The Official Phreaker's Manual + +Informations on packet-switching-networks ! + +PS2: The new password for the Washington Post is KING !!!! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 74 + + + + + The Official Phreaker's Manual + + Phreaking AT&T Cards + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + My topic will deal with using an AT&T calling card for automated calls. Ok +to place a call with an AT&T card, lift the handset (PAY PHONE) hit (0) and the +desired area code and the number to call. Also when calling the same number +that the card is being billed to you enter the phone number and at the tone +only enter the last four digits on the card. But we don't want to do that now, +do we. If additional calls are wanted all you do is hit the (#) and you will +get a new dial tone! After you hit (#) you do not have to re-enter the calling +card number simply enter your desired number and it will connect you. + If the number you called is busy just keep hitting (#) and the number to be +called until you connect! Ok to calL the U.S. of a from another country, you +use the exact same format as described above! + Ok now I will describe the procedure for placing calls to a foreign +country, such as CANADA,RUSSIA,SOUTH AMERICA, etc.. Ok first lift the handset +then enter (01) + the country code + the city code + the local telephone +number. Ok after you get the tone enter the AT&T calling card number. Ok if you +can not dial operator assisted calls from your area don't worry just jingle the +operator and she will handle your call, don't worry she can't see you! + The international number on the AT&T calling card is used for calling the +US of A from places like RUSSIA, CHINA you never know when you might get stuck +in a country like those and you have no money to make a call! The international +operator will be able to tell you if they honor the AT&T calling card. + Well I hope that this has straightened out some of your problems on the use +of an AT&T calling card! All you have to remember is that weather you are +placing the call or the operator, be careful and never use the calling card +from your home phone!! That is a BIG NO NO.. + + Also AT&T has came out with a new thing called (NEW CARD CALLER SERVICE) +they say that it was designed to meet the public's needs! These phones will be +popping up in many place such as airport terminals, hotels, etc... What the new +card caller service is, is a new type of phone that has a (CRT) screen that +will talk to you in a language of your choice. The service works something +like this, when you find a (NEW CARD CALLER PHONE), all you do is follow the +instructions on the (CRT) screen, then you insert the (NEW CARD CALLER CARD) +and there is a strip of magnetic tape on the card which reads the number, thus +no one can hear you saying your number or if there were a bug in the phone,no +touch tones will be heard!! You can also bill the call to a third party. that +is one that I am not totally clear on yet! The phone is supposed to tell you +how it can be done. That is after you have inserted your card and lifted the +receiver! + + + + + + + + + + + + + + + + + + Page 75 + + + + + The Official Phreaker's Manual + + :%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%: + :% %: + :% AT&T FORGERY %: + :% Written by The Blue Buccaneer %: + :% %: + :% CALL THE EVERLASTING SPEED DEMON BBS AT (415) 522-3074 %: + :% Uploaded by Elric of Imrryr of Lunatic Labs UnLtd %: + :%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%: + + +Here is a very simple way to either: + +[1] Play an incredibly cruel and realistic joke on a phreaking friend. + -OR- +[2] Provide yourself with everything you ever wanted to be an AT&T person. + + All you need to do is get your hands on some AT&T paper and/or business +cards. To do this you can either go down to your local business office and +swipe a few or call up somewhere like WATTS INFORMATION and ask them to send +you their information package. They will send you: +1. A nice letter (with the AT&T logo letterhead) saying "Here is the info." +2. A business card (again with AT&T) saying who the sales representative is. +3. A very nice color booklet telling you all about WATTS lines. +4. Various billing information. (Discard as it is very worthless) + + Now take the piece of AT&T paper and the AT&T business card down to your +local print/copy shop. Tell them to run you off several copies of each, but to +leave out whatever else is printed on the business card/letter. If they refuse +or ask why, take your precious business elsewhere. +(This should only cost you around $2.00 total) + + Now take the copies home and either with your typewriter, MAC, or Fontrix, +add whatever name, address, telephone number, etc. you like. (I would recommend +just changing the name on the card and using whatever information was on there +earlier) + + And there you have official AT&T letters and business cards. As mentioned +earlier, you can use them in several ways. Mail a nice letter to someone you +hate (on AT&T paper..hehehe) saying that AT&T is onto them or something like +that. (Be sure to use correct English and spelling) (Also do not hand write +the letter! Use a typewriter! - Not Fontrix as AT&T doesn't use OLD ENGLISH or +ASCII BOLD when they type letters. Any IBM typewriter will do perfectly) + + Another possible use (of many, I guess) is (if you are old enough to look +the part) to use the business card as some sort of fake id. + + The last example of uses for the fake AT&T letters & b.cards is mentioned in +my textfile, BASIC RADIO CALLING. Briefly, send the station a letter that +reads: + WCAT - FM202: (Like my examples? Haha!) +(As you probably know, radio stations give away things by accepting the 'x' +call. (ie: The tenth caller through wins a pair of Van Halen tickets) Sometimes +they may ask a trivia question, but that's your problem. Anyway, the letter +continues:) + (You basically say that they have become so popular that they are getting too +many calls at once from listeners trying to win tickets. By asking them to +call all at the same time is overloading our systems. We do, of course, have +means of handling these sort of matters, but it would require you sending us a + + Page 76 + + + + + The Official Phreaker's Manual + +schedule of when you will be asking your listeners to call in. That way we +would be able to set our systems to handle the amount of callers you get at +peak times..(etc..etc..more BS..But you get the idea, right?) + +Joseph Hakimout +AT&T Telecommunications +East Bumblefuck, Nowheresville 55555 + + + Ok, so it probably won't work (DJs just aren't that dumb, unless you really +do live in Nowheresville), but using AT&T paper and a business card might up +your chances some. + + :-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:- + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 77 + + + + + The Official Phreaker's Manual + + =><---------------------------------><= + => A little something about <= + => Your phone company <= + =><---------------------------------><= + => By Col. Hogan <= + ======================================== + + Ever get an operator who gave you a hard time, and you didn't know +what to do? Well if the operator hears you use a little Bell jargon, she might +wise up. Here is a little diagram (excuse the artwork) of the structure of +operators + +/--------\ /------\ /-----\ +!Operator!-- > ! S.A. ! --->! BOS ! +\--------/ \------/ \-----/ + ! + ! + V +/-------------\ +! Group Chief ! +\-------------/ + + Now most of the operators are not bugged, so they can curse at you, if they +do ask INSTANTLY for the "S.A." or the Service Assistant. The operator does not +report to her (95% of them are hers) but they will solve most of your problems. +She MUST give you her name as she connects & all of these calls are bugged. If +the SA gives you a rough time get her BOS (Business Office Supervisor) on the +line. S/He will almost always back her girls up, but sometimes the SA will get +tarred and feathered. The operator reports to the Group Chief, and S/He will +solve 100% of your problems, but the chances of getting S/He on the line are +nill. + If a lineman (the guy who works out on the poles) or an installation man +gives you the works ask to speak to the Installation Foreman, that works +wonders. + Here is some other bell jargon, that might come in handy if you are having +trouble with the line. Or they can be used to lie your way out of +situations.... + + An Erling is a line busy for 1 hour, used mostly in traffic studies A +Permanent Signal is that terrible howling you get if you disconnect, but don't +hang up. + Everyone knows what a busy signal is, but some idiots think that is the +*Actual* ringing of the phone, when it just is a tone "beeps" when the phone is +ringing, wouldn't bet on this though, it can (and does) get out of sync. + When you get a busy signal that is 2 times as fast as the normal one, the +person you are trying to reach isn't really on the phone, (he might be), it is +actually the signal that a trunk line somewhere is busy and they haven't or +can't reroute your call. Sometimes you will get a Recording, or if you get +nothing at all (Left High & Dry in fone terms) all the recordings are being +used and the system is really overused, will probably go down in a little +while. This happened when Kennedy was shot, the system just couldn't handle the +calls. By the way this is called the "reorder signal" and the trunk line is +"blocked". + One more thing, if an overseas call isn't completed and doesn't generate +any money for AT&T, is is called an "Air & Water Call". + + + + + Page 78 + + + + + The Official Phreaker's Manual + + [ESSENCE OF TELEPHONE CONFERENCING] + [WRITTEN BY:] + [FOREST RANGER] + + TELEPHONE CONFERENCING IS AN EASY WAY OF GETTING MANY FRIENDS TOGETHER AT +ONCE. THIS CAN BE ACCOMPLISHED EASILY WITH LITTLE OR NO TROUBLE WHAT SO EVER. +THE TECHNIQUES THAT I WILL TEACH YOU DO NOT REQUIRE A BLUE BOX OR A TOUCH TONE +PHONE LINE. THE ONLY PREREQUISITE IS THAT YOU HAVE A PHONE THAT HAS A TONE +SWITCH ON IT OR HAVE A HOOKABLE TOUCH TONE KEYPAD. NOW, IF YOU ARE THE PARANOID +TYPE OF PERSON AND REFUSE TO USE YOUR OWN PHONE OUT OF YOUR HOUSE THEN HERE ARE +SOME SIMPLE WAYS OF GETTING CONFERENCES STARTED FROM ANOTHER PHONE. GO TO A +MALL OR A PLACE WHERE YOU KNOW THE PHONE IS BEING PAYED FOR BY THE BUSINESS IT +IS IN. + NOW THERE ARE TWO TO CALL THE CONFERENCE OPERATOR; DIAL "0" TO GET YOUR +LOCAL OPERATOR SO SHE CAN PUT YOU THROUGH TO THE CONFERENCE OPERATOR OR DIAL +THE CONFERENCE OPERATOR DIRECTLY IF YOU HAVE THE NUMBER HANDY. THE SYSTEM YOU +WILL BE LINKED UP TO IS CALLED THE "ALLIANCE" SYSTEM. THERE ARE THREE BRANCHES; +1000,2000,3000. + NOW ONCE YOU HAVE GOTTEN THE CONFERENCE OPERATOR YOU TELL HER YOU WOULD +LIKE TO START A CONFERENCE AND YOU WOULD LIKE TO MAINTAIN CONTROL OF IT. SHE +WILL THEN PROCEED TO ASK YOU FOR YOUR NAME AND NUMBER. YOU WILL THEN GIVE HER A +FAKE NAME AND THE NUMBER OF THE PAY PHONE. SHE WILL HANG UP AND CALL YOU BACK +ONCE SHE HAS CHECKED THE NUMBER. THEY USUALLY DON'T REALIZE IT IS A PAYPHONE SO +DON'T THINK IT WON'T WORK! NOW ONCE THE OPERATOR HAS GIVEN YOU CONTROL YOU WILL +THEN PROCEED TO HACK MY VOICE PHONE AND PUT ME ON THE CONFERENCE. + NOW, THE OTHER WAY OF STARTING A CONFERENCE IN WHICH YOU DON'T GET A LIVE +OPERATOR IS A "PBX". WITH THIS YOU WILL CALL A PBX NUMBER AND YOU WILL THEN +RECEIVE A RECORDING OF A BUSINESS OR OFFICE CO. THEN WHEN THE RECORDING IS OVER +YOU WILL HERE A BEEP...THEN AFTER ABOUT 10-30 SECONDS AFTER THE BEEP YOU WILL +GET A DIAL TONE ON THE ON THE END OF THE PBX. YOU WILL THEN TYPE THE PBX CODE +WHICH WILL THEN RESPOND WITH A RECORDING WELCOMING YOU TO THE CONFERENCING +NETWORK (WHICH WILL IN MOST IF NOT ALL BE THE "ALLIANCE" SYSTEM). + IT WILL BE SELF EXPLANATORY FROM THERE. NOW IF YOU DON'T WISH TO CALL THE +CONFERENCE OPERATOR EITHER WAY ALREADY EXPLAINED THEN THERE IS A WAS OF GETTING +YOUR FRIENDS IN CONFERENCE. THIS IS DONE OVER A LOOP EXTENSION. NO ONE WILL +HAVE CONTROL, BUT YOU WILL STILL BE ON CONFERENCE. THIS IS CALLED THE SEVEN +LINE LOOP EXTENSION. THIS MEANS YOU CAN HAVE UP TO SEVEN MEMBERS, BUT THAT IS +IT! THE NUMBER IS IN LA, CA. 213-206-2820. THE LAST WAY I WILL EXPLAIN TO YOU +IF YOU ARE IN DESPERATE NEED OF A CONFERENCE IS TO GO TO PAY PHONE LIKE I +MENTIONED BEFORE ANY MAKE SURE SOME BUSINESS PAYS THE BILL FOR IT THEN CALL THE +CONFERENCE OPERATOR IN THE FASHIONS MENTIONED AND ASK THE CONFERENCE OPERATOR +TO PLACE CONFERENCE CALLS. + THE WILL THEN ASK FOR THE NUMBERS OF THE PEOPLE TO PUT ON CONFERENCE, YOU +GIVE HER THE NUMBERS AND SHE WILL PUT YOU ALL ON CONFERENCE. WHEN YOU ARE DONE +YOU WILL HANG UP ON HER SO THERE WILL BE NO ONE IN CONTROL.THAT MEANS THE +CONFERENCE WILL BE BILLED TO THE PAYPHONE AND NO ONE CAN BE BLAMED FOR THE +CONFERENCE DUE TO NO ONE BEING IN CONTROL! ***NOTE*** THE CONFERENCE OPERATOR +WILL NOT BE ON WHILE YOU ARE ALL TALKING! REMEMBER THAT CONFERENCES ARE NOT +HARD AND IT IS VERY HARD TO GET ARRESTED ON ONE DUE TO WHAT I HAVE MENTIONED. + + REMEMBER:REACH OUT AND PHREAK SOMEONE! + + + +[TELEPHONE CONFERENCE CONTROLS] + + # - CONTROL MODE + # - 6 PASSES CONTROL + + Page 79 + + + + + The Official Phreaker's Manual + + # - 1 + AREA CODE & NUMBER ADDS + # - 9 SILENT MODE + # - 7 GETS CONFERENCE OPERATOR + * - ENDS CONFERENCE + + + THE "#" IS THE CONTROL KEY ON YOUR CONFERENCES. WHEN YOU PASS CONTROL TO +SOMEONE ELSE HIT THE "#" THEN "6". WAIT FOR THE RECORDING TO SAY ENTER # OF +PERSON TO PASS CONTROL TO, THEN ENTER THE NUMBER OF THE PERSON YOU ARE GOING TO +GIVE CONTROL TO. + TO ADD A PERSON ON TO THE CONFERENCE HIT "#" THEN "1","AREA CODE","NUMBER". +THEN WHEN THE PERSON ANSWERS WAIT FIVE SECONDS THEN HIT THE "#" TO ADD. IF YOU +ARE IN CONTROL OF THE CONFERENCE AND YOU WANT TO HEAR EVERYONE ELSE, BUT YOU DO +NOT WANT TO BE HEARD IT "#" THEN "9" THEN THE "#" TO REJOIN THE CONFERENCE. +REMEMBER AFTER ADDING SOMEONE ON OR PASSING CONTROL TO SOMEONE YOU MUST ALWAYS +HIT THE "#" TO REJOIN THE OTHERS ON CONFERENCE: PASSING CONTROL: "#","6", WAIT +FOR RECORDING TO SAY ENTER NUMBER OF PARTY TO GIVE CONTROL TO THEN ENTER NUMBER +AND HIT "#" TO REJOIN YOUR CONFERENCE.IF YOU EVER WANT TO GET A CONFERENCE +OPERATOR FOR SOME STRANGE REASON THEN HIT "#","7" AND WAIT FOR A CONFERENCE +OPERATOR TO CLICK ON. TO END A CONFERENCE HIT "*". + + WITH HELP FROM: SILICON FALCON, SILVER CONDOR, AND THE ELIMINATOR. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 80 + + + + + The Official Phreaker's Manual + + Phone Tapping + + HERE IS SOME INFO ON PHONE TAPS. I HAVE ENCLOSED A SCHEMATIC FOR A SIMPLE +WIRETAP & INSTRUCTIONS FOR HOOKING UP A TAPE RECORDER CONTROL RELAY TO THE +PHONE LINE. + FIRST I'LL DISCUSS TAPS A LITTLE. THERE ARE MANY DIFFERENT TYPES OF TAPS. +THERE ARE TRANSMITTERS, WIRED TAPS AND INDUCTION TAPS TO NAME A FEW. WIRED AND +WIRELESS TRANSMITTERS MUST BE PHYSICALLY CONNECTED TO THE LINE BEFORE THEY'LL +DO ANY GOOD. ONCE A WIRELESS TAP IS CONNECTED TO THE LINE, IT CAN TRANSMIT ALL +CONVERSATIONS OVER A LIMITED RANGE. THE PHONES IN THE HOUSE CAN EVEN BE +MODIFIED TO PICK UP CONVERSATIONS IN THE ROOM & TRANSMIT THEM TOO! THESE TAPS +ARE USUALLY POWERED OFF THE PHONE LINE, BUT CAN HAVE AN EXTERNAL POWER SOURCE. + WIRED TAPS, ON THE OTHER HAND, NEED NO POWER SOURCE, BUT A WIRE MUST BE +RUN FROM THE LINE TO THE LISTENER OR TO A TRANSMITTER. THERE ARE OBVIOUS +ADVANTAGES OF WIRELESS TAPS OVER WIRED ONES. THERE IS ONE TYPE OF WIRELESS TAP +THAT LOOKS LIKE A NORMAL TELEPHONE MIKE. ALL YOU HAVE TO DO IS REPLACE THE +ORIGINAL MIKE WITH THIS & IT'LL TRANSMIT ALL CONVERSATIONS! + THERE IS AN EXOTIC TYPE OF WIRED TAP KNOWN AS THE 'INFINITY TRANSMITTER' OR +'HARMONICA BUG'. IN ORDER TO HOOK UP ONE OF THESE, YOU NEED ACCESS TO THE +TARGET TELEPHONE. IT HAS A TONE DECODER & SWITCH INSIDE. WHEN IT IS +INSTALLED, SOMEONE CALLS THE TAPPED PHONE & *BEFORE* IT RINGS, BLOWS A WHISTLE +OVER THE LINE. THE X-MITTER RECEIVES THE TONE & PICKS UP THE PHONE VIA A +RELAY. THE MIKE ON THE PHONE IS ACTIVATED SO THE CALLER CAN HEAR ALL +CONVERSATIONS IN THE ROOM. + THERE IS A SWEEP TONE TEST AT 415/BUG-1111 WHICH CAN BE USED TO DETECT ON +OF THESE TAPS. IF ONE OF THESE IS ON YOUR LINE & THE TEST # SENDS THE CORRECT +TONE, YOU'LL HEAR A CLICK. + INDUCTION TAPS HAVE ONE BIG ADVANTAGE OVER TAPS THAT MUST BE PHYSICALLY +WIRED TO THE PHONE. THEY DON'T HAVE TO BE TOUCHING THE PHONE IN ORDER TO PICK +UP THE CONVERSATION. THEY WORK ON THE SAME PRINCIPLE AS THE LITTLE SUCTION-CUP +TAPE RECORDER MIKES YOU CAN GET AT RADIO SHACK. INDUCTION MIKES CAN BE HOOKED +UP TO A TRANSMITTER OR BE WIRED. HERE IS AN EXAMPLE OF INDUSTRIAL ESPIONAGE +USING THE PHONE: + A SALESMAN WALKS INTO AN OFFICE & MAKES A FONE CALL. HE FAKES THE +CONVERSATION, BUT WHEN HE HANGS UP HE SLIPS SOME FOAM-RUBBER CUBES UNDER THE +HANDSET, SO THE FONE IS STILL OFF THE HOOK. THE CALLED PARTY CAN STILL HEAR +ALL CONVERSATIONS IN THE ROOM. WHEN SOMEONE PICKS UP THE FONE, THE CUBES FALL +AWAY UNNOTICED. + I USE A TAP ON MY LINE TO MONITOR WHAT AE-PRO IS DOING WHEN IT AUTO-DIALS, +SINCE IT DOESN'T TAKE ADVANTAGE OF THE HANDSET ON THE APPLE CAT II. I CAN ALSO +HOOK UP THE TAP TO A CASSETTE RECORDER OR AMPLIFIER. HERE IS THE SCHEMATIC: + +-------)!----)!(-------------> + )!( + CAP ^ )!( + )!( + )!( + )!( + ^^^^^---)!(-------------> + ^ 100K + ! + ! THE HITCHHINKERS <%=- + BRING YOUR TOWEL + + + + + + + + + + + + + + + + + + + + + Page 88 + + + + + The Official Phreaker's Manual + + 2600 Magazine's story on the Private Sector Bust + Uploaded by Elric of Imrryr + Lunatic Labs Unlimited + :::::::::::::::::::::::::::::::::::::::::::::::: + +Typed By Shooting Shark : The following article appeared in the August, 1985 +issue of 2600 Magazine. Subscriptions to 2600 are $12 a year for individuals. +Make checks payable to 2600 Enterprises, Inc. Write to: 2600, Box 752, Middle +Island, NY 11953-0752. Their phone number is 516-751-2600. Text of article +follows. + +SEIZED! +2600 Bulletin Board is Implicated in Raid on Jersey Hackers + + On July 12, 1985, law enforcement officials seized the Private Sector BBS, +the official computer bulletin board of 2600 magazine, for "complicity in +computer theft," under the newly passed, and yet untested, New Jersey Statute +2C:20-25. Police had uncovered in April a credit carding ring operated around +a Middlesex County electronic bulletin board, and from there investigated +other North Jersey bulletin boards. Not understanding subject matter of the +Private Sector BBS, police assumed that the sysop was involved in illegal +activities. Six other computers were also seized in this investigation, +including those of Store Manager [perhaps they mean Swap Shop Manager? - +Shark] who ran a BBS of his own, Beowolf, Red Barchetta, the Vampire, NJ Hack +Shack, sysop of the NJ Hack Shack BBS, and that of the sysop of the Treasure +Chest BBS. + + Immediately after this action, members of 2600 contacted the media, who +were completely unaware of any of the raids. They began to bombard the +Middlesex County Prosecutor's Office with questions and a press conference was +announced for July 16. The system operator of the Private Sector BBS attempted +to attend along with reporters from 2600. They were effectively thrown off +the premises. Threats were made to charge them with trespassing and other +crimes. An officer who had at first received them civilly was threatened with +the loss of his job if he didn't get them removed promptly. Then the car was +chased out of the parking lot. Perhaps prosecutor Alan Rockoff was afraid that +he presence of some technically literate reporters would ruin the effect of his +press release on the public. As it happens, he didn't need our help. + + The next day the details of the press conference were reported to the +public by the press. As Rockoff intended, paranoia about hackers ran rampant. +Headlines got as ridiculous as hackers ordering tank parts by telephone from +TRW and moving satellites with their home computers in order to make free phone +calls. These and even more exotic stories were reported by otherwise +respectable media sources. The news conference understandably made the front +page of most of the major newspapers in the US, and was a major news item as +far away as Australia and in the United Kingdom due to the sensationalism of +the claims. We will try to explain why these claims may have been made in this +issue. + + On July 18 the operator of The Private Sector was formally charged +with"computer conspiracy" under the above law, and released in the custody of +his parents. The next day the American Civil Liberties Union took over his +defense. The ACLU commented that it would be very hard for Rockoff to prove a +conspiracy just "because the same information, construed by the prosecutor to +be illegal, appears on two bulletin boards." especially as Rockoff admitted +that "he did not believe any of the defendants knew each other." The ACLU +believes that the system operator's rights were violated, as he was assumed to + + Page 89 + + + + + The Official Phreaker's Manual + +be involved in an illegal activity just because of other people under +investigation who happened to have posted messages on his board. + + In another statement which seems to confirm Rockoff's belief in guilt by +association, he announced the next day that "630 people were being investigated +to determine if any used their computer equipment fraudulently." We believe +this is only the user list of the NJ Hack Shack, so the actual list of those to +be investigated may turn out to be almost 5 times that. The sheer overwhelming +difficulty of this task may kill this investigation, especially as they find +that many hackers simply leave false information. Computer hobbyists all +across the country have already been called by the Bound Brook, New Jersey +office of the FBI. They reported that the FBI agents used scare tactics in +order to force confessions or to provoke them into turning in others. We would +like to remind those who get called that there is nothing inherently wrong or +illegal in calling any ANY BBS, nor in talking about ANY activity. The FBI +would not comment on the case as it is an "ongoing investigation" and in the +hands of the local prosecutor. They will soon find that many on the Private +Sector BBS's user list are data processing managers, telecommunications +security people, and others who are interested in the subject of the BBS, +hardly the underground community of computer criminals depicted at the news +conference. The Private Sector BBS was a completely open BBS, and police and +security people were even invited on in order to participate. The BBS was far +from the "elite" type of underground telecom boards that Rockoff attempted to +portray. + + Within two days, Rockoff took back almost all of the statements he had +made at the news conference, as AT&T and the DoD [Department of Defense - +Shark] discounted the claims he had made. He was understandably unable to find +real proof of Private Sector's alleged illegal activity, and was faced with +having to return the computer equipment with nothing to show for his effort. +Rockoff panicked, and on July 31, the system operator had a new charge against +him, "wiring up his computer as a blue box." Apparently this was referring to +his Novation Applecat modem which is capable of generating any hertz tone over +the phone line. By this stretch of imagination an Applecat could produce a +2600 hertz tone as well as the MF which is necessary for "blue boxing." +However, each and every other owner of an Applecat or any other modem that can +generate its own tones therefore has also "wired up his computer as a blue box" +by merely installing the modem. This charge is so ridiculous that Rockoff +probably will never bother to press it. However, the wording of WIRING UP THE +COMPUTER gives rockoff an excuse to continue to hold onto the computer longer +in his futile search for illegal activity. + + "We have requested that the prosecutors give us more specific +information," said Arthur Miller, the lawyer for The Private Sector. "The +charges are so vague that we can't really present a case at this point." +Miller will appear in court on August 16 to obtain this information. He is +also issuing a demand for the return of the equipment and, if the prosecutors +don't cooperate, will commence court proceedings against them. "They haven't +been particularly cooperative," he said. + + Rockoff probably will soon reconsider taking Private Sector's case to +court, as he will have to admit he just didn't know what he was doing when he +seized the BBS. The arrest warrant listed only "computer conspiracy" against +Private Sector, which is much more difficult to prosecute than the multitude of +charges against some of the other defendants, which include credit card fraud, +toll fraud, the unauthorized entry into computers, and numerous others. + + Both Rockoff and the ACLU mentioned the Supreme Court in their press + + Page 90 + + + + + The Official Phreaker's Manual + +releases, but he will assuredly take one of his stronger cases to test the new +New Jersey computer crime law. by seizing the BBS just because of supposed +activities discussed on it, Rockoff raises constitutional questions. Darrell +Paster, a lawyer who centers much of his work on computer crime, says the New +Jersey case is "just another example of local law enforcement getting on the +bandwagon of crime that has come into vogue to prosecute, and they have +proceeded with very little technical understanding, and in the process they +have abused many people's constitutional rights. What we have developing is a +mini witch hunt which is analogous to some of the arrests at day care centers, +where they sweep in and arrest everybody, ruin reputations, and then find that +there is only one or two guilty parties." We feel that law enforcement, not +understanding the information on the BBS, decided to strike first and ask +questions later. + + 2600 magazine and the sysops of the Private Sector BBS stand fully behind +the system operator. As soon as the equipment is returned, the BBS will go +back up. We ask all our readers to do their utmost to support us in our +efforts, and to educate as many of the public as possible that a hacker is not +a computer criminal. We are all convinced of our sysop's innocence, and await +Rockoff's dropping of the charges. + +NOTE: Readers will notice that our reporting of the events are quite different +than those presented in the media and by the Middlesex County Prosecutor. We +can only remind you that we are much closer to the events at hand than the +media is, and that we are much more technologically literate than the Middlesex +County Prosecutor's Office. The Middlesex County Prosecutor has already taken +back many of his statements, after the contentions were disproven by AT&T and +the DoD. One problem is that the media and the police tend to treat the seven +cases as one case, thus the charges against and activities of some of the +hackers has been extended to all of the charged. We at 2600 can only speak +about the case of Private Sector. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 91 + + + + + The Official Phreaker's Manual + + Chapter 4 + + By now I assume that the reader has a fair idea of what phreaking is, and +know a little bit about how to go about it. From now on, I will assume that +the reader has read all the material before this or understands all the +material covered. Now we will take a journey into the "Basics of +Telecommunications" and learn a little about how everything works, and is +related to everything else. This series of articles is extremely good and +should be read by all levels of phreaks. + As we go further into the advanced world of phreaking, we come closer to the +edge of technology. As we approach it, everything seems to become larger and +more complicated. We notice that many things that were possible aren't +anymore. Blue boxing is starting to become the only method of exploration as +Equal Access looms nearer and nearer. As it stands now, equal access is here, +and many LD services such as Sprint and MCI will be tougher to hack. Extenders +will become more used and abused, which will cause them to get access codes +miles long... + Blue boxing becomes harder as all Bell switching and transmission facilities +go under to CCIS. Then to further complicate things, digital microwave, fiber +optic, and satellite transmission are all coming to be digital and do not +recognize 2600hz for the hang up signal. I predict that around 1990, blue +boxes will be obsolete from all major cities. A new type of box will have to +be invented, or you'll have to get two fone line to phreak with, on to place +the actual call and the other to tap into a COSMOS computer to change the +status of the call from toll to toll-free, ie. 800#. + Well somethings will change for the better, with ISDN you'll get 144k bps +lines and some other neat stuff. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 92 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * BASIC TELECOMMUNICATIONS * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART II * + * * + ************************************************************ + + PREFACE: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN PART II, WE WILL EXPLORE THE VARIOUS SPECIAL BELL#'S, SUCH AS: CN/A, +AT&T NEWSLINES, LOOPS, 99XX #'S, ANI, RINGBACK, AND A FEW OTHERS. + + CN/A: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + CN/A, WHICH STANDS FOR CUSTOMER NAME AND ADDRESS, ARE BUREAUS THAT EXIST SO +THAT AUTHORIZED BELL EMPLOYEES CAN FIND OUT THE NAME AND ADDRESS OF ANY +CUSTOMER IN THE BELL SYSTEM. ALL #'S ARE MAINTAINED ON FILE INCLUDING UNLISTED +#'S. + +HERE'S HOW IT WORKS: + +1) YOU HAVE A # AND YOU WANT TO FIND OUT WHO OWNS IT, E.G. (914) 555-1234. + +2) YOU LOOK UP THE CN/A # FOR THAT NPA IN THE LIST BELOW. IN THE EXAMPLE, THE +NPA IS 914 AND THE CN/A# IS 518-471-8111. + +3) YOU THEN CALL UP THE CN/A # (DURING BUSINESS HOURS) AND SAY SOMETHING LIKE, +"HI, THIS IS JOHN JONES FROM THE RESIDENTIAL SERVICE CENTER IN MIAMI. CAN I +HAVE THE CUSTOMER'S NAME AT 914-555-1234. THAT # IS 914-555-1234." MAKE UP +YOUR OWN REAL SOUNDING NAME, THOUGH. + +4) IF YOU SOUND NATURAL & CHEERY, THE OPERATOR WILL ASK NO QUESTIONS. + + HERE'S THE LIST: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + NPA CN/A # NPA CN/A # + --- ------------ --- ------------ + 201 201-676-7070 517 313-232-8690 + 202 202-384-9620 518 518-471-8111 + 203 203-789-6800 519 416-487-3641 + 204 ****N/A***** 601 601-961-0877 + 205 205-988-7000 602 303-232-2300 + 206 206-382-8000 603 617-787-2750 + 207 617-787-2750 604 604-432-2996 + 208 303-232-2300 605 402-345-0600 + 209 415-546-1341 606 502-583-2861 + 212 518-471-8111 607 518-471-8111 + 213 213-501-4144 608 414-424-5690 + 214 214-948-5731 609 201-676-7070 + 215 412-633-5600 612 402-345-0600 + 216 614-464-2345 613 416-487-3641 + 217 217-525-7000 614 614-464-2345 + 218 402-345-0600 615 615-373-5791 + + Page 93 + + + + + The Official Phreaker's Manual + + 219 317-265-7027 616 313-223-8690 + 301 301-534-11?? 617 617-787-2750 + 302 412-633-5600 618 217-525-7000 + 303 303-232-2300 701 402-345-0600 + 304 304-344-8041 702 415-546-1341 + 305 912-784-9111 703 804-747-1411 + 306 ****N/A***** 704 912-784-9111 + 307 303-232-2300 705 416-487-3641 + 308 402-345-0600 707 415-546-1341 + 309 217-525-7000 709 ****N/A***** + 312 312-769-9600 712 402-345-0600 + 313 313-223-8690 713 713-658-1793 + 314 314-436-3321 714 213-995-0221 + 315 518-471-8111 715 414-424-5690 + 316 816-275-2782 716 518-471-8111 + 317 317-265-7027 717 412-633-5600 + 318 318-227-1551 801 303-232-2300 + 319 402-345-0600 802 617-787-2750 + 401 617-787-2750 803 912-784-9111 + 402 402-345-0600 804 804-747-1411 + 403 403-425-2652 805 415-546-1341 + 404 912-784-9111 806 512-828-2502 + 405 405-236-6121 807 416-487-3641 + 406 303-232-2300 808 212-226-5487 + 408 415-546-1341 BERMUDA ONLY + 412 412-633-5600 809 212-334-4336 + 413 617-787-2750 812 317-265-7027 + 414 414-424-5690 813 813-228-7871 + 415 415-546-1132 814 412-633-5600 + 416 416-487-3641 815 217-525-7000 + 417 314-436-3321 816 816-275-2782 + 418 514-861-6391 817 214-948-5731 + 419 614-464-2345 819 514-861-6391 + 501 405-236-6121 901 615-373-5791 + 502 502-583-2861 902 902-421-4110 + 503 503-241-3440 903 ****N/A***** + 504 504-245-5330 904 912-784-9111 + 505 303-232-2300 906 313-223-8690 + 506 506-657-3855 907 ****N/A***** + 507 402-345-0600 912 912-784-9111 + 509 206-382-8000 913 816-275-2782 + 512 512-828-2501 914 518-471-8111 + 513 614-464-2345 915 512-828-2501 + 514 514-861-6391 916 415-546-1341 + 515 402-345-0600 918 405-236-6121 + 516 518-471-8111 919 912-784-9111 + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + BELL USES THESE #'S MAINLY TO FIND OUT WHO OWNS A # THAT A CUSTOMER CLAIMS +HE NEVER CALLED. + +NOTE: THIS IS THE MOST COMPLETE LIST OF CN/A #'S IN MY POSSESSION (WITH ONLY +5 #'S NOT AVAILABLE) THIS LIST WAS COPYRIGHTED IN 1982 BY "JUDAS GERARD" AS IT +ORIGINALLY APPEARED IN TAP ISSUE #78. + AT&T NEWSLINES: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + NEWSLINES ARE RECORDINGS THAT BELL EMPLOYEES CALL UP TO FIND OUT THE LATEST + + Page 94 + + + + + The Official Phreaker's Manual + +INFO ON STOCK, TECHNOLOGY, ETC. CONCERNING THE BELL SYSTEM. + + HERE ARE THE #'S THAT ARE CURRENTLY KNOWN TO PHREAKS (AT LEAST ME, ANYWAY): + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + 201-483-3800 NJ 513-421-9060 OH + 203-771-4920 CT 516-234-9914 NY + 212-393-2151 NY 518-471-2272 NY + 213-621-4141 CA 617-955-1111 MA + 213-829-0111 CA (GTE) 702-789-6711 NV + 213-449-8830 CA 713-224-6116 TX + 312-368-8000 IL 714-238-1111 CA + 313-223-7223 MI 717-255-5555 PA + 314-247-5511 MO 717-787-1031 PA + 408-493-5000 CA 802-955-1111 VE + 412-633-3333 PA 808-533-4426 HI + 414-678-3511 WI 813-223-5666 FL + 416-929-4323 ONT. 914-948-8100 NY + 503-228-6271 OR 916-480-8000 CA + + LOOPS + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + FIRST OF ALL, YOU MUST UNDERSTAND THE CONCEPT OF LOOPS. I THINK THAT THE +BEST WAY THAT THIS IS UNDERSTOOD IS THE WAY THAT PHRED PHREEK EXPLAINED IT... + + "NO SELF-RESPECTING PHONE PHREAK CAN GO THROUGH LIFE WITHOUT KNOWING WHAT A +LOOP IS, HOW TO USE ONE, AND THE TYPES THAT ARE AVAILABLE. THE LOOP IS A GREAT +ALTERNATIVE COMMUNICATION MEDIUM THAT HAS MANY POTENTIAL USES THAT HAVEN'T EVEN +BEEN TAPPED YET. IN ORDER TO EXPLAIN WHAT A LOOP IS, IT WOULD BE HELPFUL TO +VISUALIZE TWO PHONE NUMBERS (LINES) JUST FLOATING AROUND IN THE TELCO CENTRAL +OFFICE (CO). NOW, IF YOU (AND A FRIEND PERHAPS) WERE TO CALL THESE TWO NUMBERS +AT THE SAME TIME, POOOOPFFF!!!, YOU ARE NOW CONNECTED TOGETHER. I HEAR WHAT +YOU'RE SAYING OUT THERE..., "BIG DEAL" OR "WHY SHOULD MA BELL COLLECT HERE TWO +MSU'S (MESSAGE UNITS) FOR ONE LOUSY PHONE CALL!?" WELL... THINK AGAIN. HAVEN'T +YOU EVER WANTED SOMEONE TO CALL YOU BACK BUT, WERE RELUCTANT TO GIVE OUT YOUR +HOME PHONE NUMBER (LIKE THE LAST TIME YOU TRIED TO GET YOUR FRIEND'S UNLISTED # +FROM THE BUSINESS OFFICE)? OR HOW ABOUT A COLLECT CALL TO YOUR FRIEND WAITING +ON A LOOP, WHO WILL GLADLY ACCEPT THE CHARGES? OR BETTER YET, STUMBLING UPON A +LOOP THAT YOU DISCOVER THAT HAS MULTI-USER CAPABILITY (FOR THOSE LATE-NIGHT +CONFERENCES). BEST OF ALL IS FINDING A NON-SUPERVISED LOOP THAT DOESN'T CHARGE +ANY MSU'S OR TOLLS TO ONE OR BOTH PARTIES. EXAMPLE: MANY MOONS AGO, A LOOP +AFFECTIONATELY KNOWN AS 'THE 332 LOOP' WAS NON-SUP (IE, NON-SUPERVISED) ON THE +TONE SIDE. I HAD MY FRIEND IN CALIFORNIA DIAL THE FREE (NON-SUP) SIDE, (212) +332-9906 AND I DIALED THE SIDE THAT CHARGED, 332-9900. AS YOU CAN SEE, I WAS +CHARGED ONE MSU, AND MY FRIEND AS CHARGED ZILCH, FOR AS LONG AS WE WISHED TO +TALK!!!" + + ********** + + AHHH...HAVE I PERKED YOUR INTEREST YET? IF SO, HERE IS HOW TO FIND A LOOP +OF YOU VERY OWN. FIRST, DO ALL OF YOU LOOP SEARCHING AT NIGHT! THIS IS BECAUSE +THE LOOPS SERVE A GENUINE TEST FUNCTION WHICH TELCO USES DURING THE DAY. (WE +DON'T WANT TO RUN INTO AN IRATE LINEMAN NOW, DO WE?) TO FIND A LOOP, HAVING 2 +#'S IS A DEFINITE PLUS. IF NOT, HAVE A FRIEND TO DIAL #'S AT HIS LOCATION. +LAST RESORT, TRY DIALING FROM TWO ADJACENT PAY PHONES. NOW GET YOUR TRUSTY +WHITE PAGES (*), AND TURN TO THE PAGE WHERE IT LISTS THE # OF MSU'S FROM YOUR +EXCHANGE (OR EXCHANGES IN YOUR PRIMARY CALLING AREA) THE IDEA IS TO FIND A LOOP + + Page 95 + + + + + The Official Phreaker's Manual + +THAT IS WITHIN YOUR PRIMARY CALLING AREA OR IS ONLY 1 MSU IN YOUR AREA (CALL +AREA A). THIS IS SO YOU DON'T GO BANKRUPT TRYING TO FIND A LOOP. WRITE DOWN ALL +OF THESE EXCHANGES AND DO A 99XX SCAN OF THOSE EXCHANGES (99XX SCANNING WILL BE +DISCUSSED SHORTLY). + + BEFORE WE GET UP TO 99XX SCANNING, WE WILL LOOK AT SOME OTHER LOOP INFO: + + LOOPS ARE FOUND PAIRS WHICH ARE USUALLY CLOSE TO EACH OTHER. FOR EXAMPLE, +IN NPA 212, WHERE THE INFAMOUS LOOPS ARE FOUND, THERE IS A STANDARD LOOP +FORMAT: + +MANHATTAN & BRONX-------NNX-9977/9979 +BROOKLYN & QUEENS-------NNX-9900/9906 + + NNX IS THE EXCHANGE TO BE SCANNED. HERE ARE SOME LOOPS THAT HAVE BEEN FOUND +IN NYC. THESE ARE USED MOSTLY BY PHREAKS AND CALL-IN LINES FOR PIRATE RADIO +STATIONS: + +212-220-9900/9906 +212-283-9977/9979 +212-352-9900/9906 +212-365-9977/9979 +212-529-9900/9906 +212-562-9977/9979 \ No newline at end of file diff --git a/textfiles.com/phreak/PHREAKING/phoneb.phk b/textfiles.com/phreak/PHREAKING/phoneb.phk new file mode 100644 index 00000000..050b2ad3 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phoneb.phk @@ -0,0 +1,1335 @@ +### +<*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*> +<*><*><*><*><*> +<*> Joe Cosmo Presents..... +<*> +<*> +<*> +<*> Methods of Phreaking and Telco Security +Measures <*> +<*> +<*> +<*> June 16, 1988 +1:30 am <*> +<*> +<*> +<*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*> +<*><*><*><*><*> + + +(formatted to 80 Columns) + + + + Dedication: This phile is dedicated to all those great +phreakers who +taught me all of this, and to all of the newcomers being +born to the phreak +world. For the legends, it is here as their legacy, and for +the newcomers, I +hope they will use it as their guide in times of trouble, +and may there +always be phreakers in the world. + + +TABLE OF CONTENTS +CHAPTER + I. Introduction: What Telephone Fraud Is + + + II. Who Does It and Why + + + III. The Systems That Are Fooled + + + IV. Electronic Toll Fraud + + + How Boxes Work + + + The Blue Box + + + Operation of a Blue Box + + + Pink Noise + + + The Black Box + + + The Red Box + + + The Cheese Box + V. Divertors + VI. Private Branch Exchanges + VII. Specialized Common Carriers + SCC Extenders List +VIII. PC Pursuit + How to Originate a PC Pursuit Call + IX. Cellular Phone Fraud + ESN Tampering + Obtaining ESN's + X. CN/A's + CN/A List + XI. Loops + XII. Alliance Teleconferencing + Billing an Alliance Conference + Starting a Conference +XIII. Telephone System Security Measure + ESS Detection Devices + Automatic Number Identification and Centralized + + Automatic Message Accounting Tapes + Dialed Number Recorders + Trap Codes + Stopping an FBI Trace + Common Channel Inter-office Signaling + XIV. Laws Governing the Rights of Phreakers + XV. Conclusion + + + + + I. Introduction: What Telephone Fraud Is + Telephone fraud is illegally using the communication +facilities of +telephone companies. This is commonly known as "phreaking." +The writer's +purpose is to explore the methods of phreaking, and the +various security +measures of telephone companies. + + + II. Who Does It and Why + The majority of people who phreak are owners of modems +(MOdulators +DEModulators, devices which allow computers to communicate +over telephone +lines) and are usually between the ages of twelve and +seventeen. When the +person reaches age eighteen, he or she usually stops, since +after that age, +if the person in caught, the penalty can become very +serious, such as time in +prison, and fines starting at $8000. + Scattered throughout the country are many different +computer bulletin +board systems, or BBS's. These are computer systems +established by private +users or large organizations for the exchange of public and +private messages +and software. Most are not a local call, though. Since the +normal user calls +about ten different BBS's, with even the lowest +long-distance rates, the +phone bill each month can range from $100 to $1000. The +solution is to +phreak. When these people learn how to phreak, they also +realize that besides +making free long-distance calls from their home, they can +also make free +calls from payphones. They also find that there are many +other facilities +that they can used without paying. + + + III. The Systems That Are Fooled + Their are three types of telephone operating systems in +the U.S., Step +by Step (SxS), Crossbar (XB), and Electronic Switching +System (ESS). They are +described in detail in the following paragraphs. + + Step by Step + Step by Step (SxS) was the first switching system used +in America, +adopted in 1918 and until 1978 Bell had over 53% of all +exchanges using Step +by Step. A long, and confusing train of switches is used +for SxS switching. + + Disadvantages +A. The switch train may become jammed, blocking calls. +B. No DTMF (Dual-Tone Multi-Frequency), to be discussed +later. +C. Much maintenance and much electricity. +D. No "Touch-Tone" dialing. + + Identification +A. No pulsing digits after dialing or "Touch Tone". +B. Much static in the connections. +C. No Speed calling, Call forwarding, and other services. +D. Pay-phone wants money first before dial-tone. + + Crossbar + Crossbar has been Bell's primary switcher after 1960. +Three types of +Crossbar switchings exist, Number 1 Crossbar (1XB), Number 4 +Crossbar (4XB), +and Number 5 Crossbar (5XB). A switching matrix is used for +all of the phones +in an area. When someone calls, the route is determined and +is connected with +the other phone. The matrix is positioned in horizontal and +vertical paths, +organizing the train of switches more effectively, and +therefore, stopping +the equipment from jamming. There are no definite +distinguishing features of +Crossbar switchings from Step by Step. + + + Electronic Switching System + ESS is the most advanced system employed, and has gone +through many +kinds of revisions. The latest system to date is ESS 11a, +which is used in +Washington D.C. for security reasons. ESS is the country's +most advanced +switching system, and has the highest security system of +all. With its many +special features, it is truly the phreaker's nightmare. + + Identification +A. Dialing 911 for emergencies. +B. Dial-tone first for pay-phones. +C. Calling services, including Call forwarding, Speed +dialing, and Call + waiting. +D. Automatic Number Identification for long-distance calls +(ANI), to be + discussed later. +E. "Touch Tone" + + + IV. Electronic Toll Fraud + The ETF's are electrical devices used to get free +long-distance calls. +The devices are more commonly known as colored boxes, and +using them is known +as "boxing." Boxing is one of the oldest way to phreak, and +therefore, it is +also the most dangerous, since the telephone companies are +very much aware of +their existence. Colored boxes are not used only for +phreaking. There are +many types which have other uses (such as the Tron Box, +which lowers your +electric bill), so only those used in telephone fraud will +be discussed. + + How Boxes Work + In the beginning, all long distance calls were +connected manually by +operators who passed on the called number verbally to other +operators in +series. This is because pulse (rotary) digits are created by +causing breaks +in the DC current. Since long distance calls call for +routing through +various switching equipment and AC voice amplifiers, pulse +dialing cannot be +used to send the destination number to the end local office +(CO). + Eventually, the demand for faster and more efficient +long distance +service caused Bell to make a multi-billion dollar decision. +They had to +create a signaling system that could be used on the LD +Network. They had two +options: + +[1] To send all the signaling and supervisory information +(eg., ON and OFF +HOOK) over separate data links. This type of signaling is +referred to as +out-of-band signaling. + +[2] To send all the signaling information along with the +conversation using +tones to represent digits. This type of signaling is called +in-band +signaling. + +The second seemed to be the most economical choice, and so, +it was +incorporated in ESS. + Then, in the 1960's, when the first ESS systems were +employed, a toy +whistle was put in each box of Captain Crunch Cereal as a +premium. A young +radio technician in the United States Air Force became +fascinated with the +whistle when he discovered that by blowing it into the +telephone after +dialing any long distance number, the trunk line would +remain open without +toll charges accounting. From then on, any number could be +dialed for free. +The truth was that the whistle produced a perfect-pitch 2600 +Hz tone, the one +used to signify a disconnect in ESS switching equipment. To +overcome the +initial charge for the for the long distance call, he later +used toll-free +800 numbers. + Being a skilled technician, Captain Crunch (he began to +use the name as +an alias) soon went beyond the simple whistle and +experimented with other +frequencies, creating many of the boxes discussed in the +following +paragraphs. + + The Blue Box + The "Blue Box" was so named because of the color of the +first one +discovered by the authorities. The design and hardware used +in the Blue Box +is very sophisticated, and its size varies from a large +piece of apparatus to +a miniaturized unit that is approximately the size of a +"king size" package +of cigarettes. + The Blue Box contains 12 or 13 buttons or switches that +emit the +multi-frequency tones used in the normal operation of the +telephone toll +(long distance) switching network. In effect, the the Blue +Box can let a +person become the operator of a phone line. The Blue Box +enables its user to +originate fraudulent toll calls by circumventing (fooling) +toll billing +equipment. The Blue Box may be directly connected to a phone +line, or it may +be acoustically coupled to a telephone handset by placing +the Blue Box's +speaker next to the transmitter, or the telephone handset. + + Operation of a Blue Box + To understand the steps of a fraudulent Blue Box call, +it is necessary +to understand the basic operation of the Direct Distance +Dialing (DDD) +telephone network. When a DDD call is originated, the +calling number is +identified as an integral part of establishing the +connection. This may be +done either automatically by ANI in ESS, or in some cases, +by an operator +asking the calling party for his telephone number. This +information is +entered on a tape in the Centralized Automatic Message +Accounting (CAMA) +office. This tape also contains the number assigned to the +trunk line over +which the call is to be made. The information relating to +the call contained +on the tape includes the called number's identification, +time of origination +of the call, and if the called number answered the call. The +time of +disconnect is also recorded. The various data entries with +of the call are +correlated to provide billing information for use by the +caller's telephone +company's accounting department. + The typical Blue Box user usually dials a number that +will route the +call into the telephone network without charge. For example, +the user will +very often call a well-known INWATS (toll-free) number. The +Blue Box user, +after gaining this access to the network when somebody picks +up and in +effect, "seizing" control of the line, operates a key on the +Blue Box which +emits a 2600 Hertz (cycles per second, abbreviated as Hz) +tone. This tone +causes the switching equipment to release the connection to +the INWATS +customer's line. The 2600 Hz tone is the signal to the +switching system that +the calling party has hung up. In fact though, the local +trunk on the calling +party's end is still connected to the toll network. The Blue +Box user now +operates the "KP" (Key Pulse) key on the Blue Box to notify +the toll +switching equipment that switching signals are about to be +emitted. The user +then pushes the "number" buttons on the Blue Box +corresponding to the +telephone number being called. After doing so, he/she +operates the "ST" +(Start) key to tell the switching equipment that signaling +is complete. If +the call is completed, only the portion of the original call +prior to the +operation of the 2600 Hz tone is recorded on the CAMA tape. +The tones emitted +by the Blue Box are not recorded on the CAMA tape. +Therefore, because the +original call to the INWATS number is toll-free, no billing +is rendered in +connection with the call. + + The above are the steps in a normal operation of a Blue +Box, but they +may vary in any one of the following ways: + +A. The Blue Box may include a rotary dial to apply the +2600Hz tone and the +switching signals. This type of Blue Box is called a "dial +pulser" or "rotary +SF" Blue box. + +B. A magnetic tape recording may be used to record the Blue +Box tones. Such a +tape recording could be used in lieu of a Blue Box to +fraudulently place +calls to the phone numbers recorded on the magnetic tape. + + All Blue Boxes, except "dial pulse" or "Rotary SF" Blue +Boxes, +must have the following four common operating capabilities: + +A. It be able to emit the 2600 Hz tone. This tone is used by +the toll network +to indicate, either by its presence or its absence, an "on +hook" (idle) or +"off hook" (busy) condition of a trunk line. + +B. The Blue Box must have a "KP" tones that unlocks or +readies +the multi-frequency receiver at the called end to receive +the +tones corresponding to the called phone number. + +C. The Blue Box must be able to emit DTMF, tones used to +transmit phone +numbers over the toll network. Each digit of a phone number +is represented by +a combination of two tones. For example, the 2 is 700 Hz and +900 Hz. + +D. The Blue Box must have an "ST" key which consists of a +combination of two +tones that tell the equipment at the called end that all +digits have been +sent and that the equipment should start connecting the call +to the called +number. + + The following is a chart of the multi-frequency (MF) +tones produced by +the normal Blue Box. + +700 : 1 : 2 : 4 : 7 : 11 : 2600 X +900 : + : 3 : 5 : 8 : 12 : +1100 : + : + : 6 : 9 : KP : +1300 : + : + : + : 10 : KP2 : +1500 : + : + : + : + : ST : + : 700 : 900 :1100 :1300 :1500 : + + The "Dial Pulser" or "Rotary SF" Blue Box requires only +a dial +with a signalling capability to produce a 2600 Hz tone. + + + Pink Noise + Since telephone companies have such advanced equipment +to detect Blue +Boxes, to help avoid detection "pink noise" is sometimes +added to the 2600 Hz +tone. + Since 2600 Hz tones can be simulated in speech, the +detection equipment +of the switching system must be attentive not to +misinterpret speech as a +disconnect signal. Thus, a virtually +pure 2600 Hz tone is required for disconnect. This is also +the reason why the +2600 Hz tone must be sent rapidly; sometimes, it will not +work when the +person called is speaking. It is feasible, though, to send +some "pink noise" +along with the 2600 Hz. Most of this energy should be above +3000 Hz. The +pink noise will not reach the toll network, where we want +our pure 2600 Hz to +hit, but it will go through the local CO and thus, the fraud +detectors. + + The Black Box + The Black Box is the easiest type to build. The box +stops a call from +being charged to some one only if it is hooked to the line +of the person +being called. + In the normal telephone cable, there are four wires: a +red, a green, a +black, and a yellow. The red & green wires are often +referred to as tip (T) +and ring (R). + When a telephone is on-hook (hung up) there is +approximately 48 volts of +DC current (VDC) flowing through the tip and ring. When the +handset of a +phone is lifted, switches close, causing a loop to be +connected (which is +known as the "local loop,") between the telephone and the +CO. Once this +happens DC current is able to flow through the telephone +with less +resistance. This causes a relay to energize and signal to +other CO equipment +that service is being requested. Eventually, a dial tone is +emitted. This +also causes the 48 VDC to drop down into the vicinity of 13 +volts. The +resistance of the loop also drops below the 2500 ohm level. +Considering that +this voltage and resistance drop is how the CO detects that +a telephone was +taken off hook, how a Black Box works is by allowing the +voltage to drop +enough to allow talking, but not enough to signal to the CO +equipment to +start billing. To do this, a 10,000 Ohm, .5 Watt resistor is +incorporated in +the local loop on the called party's line. + + The Red Box + A Red Box is a device that simulates the sound of a +coin being accepted +by a payphone. When a coin is put in the slot of a payphone, +the first +obstacle is the magnetic trap. This will stop any +light-weight magnetic +slugs. If it passes this, the coin is then classed as a +nickel, dime, or +quarter. Each coin is then checked for appropriate size and +weight. If these +tests are passed, it will then travel through a nickel, +dime, or quarter +magnet as proper. These magnets start an eddy current effect +which causes +coins of the appropriate characteristics to slow down so +they will follow the +correct trajectory. + If all goes well, the coin will follow the correct +path, striking the +appropriate totalizer arm, causing a ratchet wheel to rotate +once for every +5-cent increment (eg, a quarter will cause it to rotate 5 +times). The +totalizer then causes the coin signal oscillator to readout +a dual-frequency +signal indicating the value deposited to the Automated Coin +Toll Service +computer (ACTS) or the Traffic Service Position System +(TSPS) operator. These +are the tones emitted by the Red Box. + For a quarter, five beep tones are outpulsed for 66 +milliseconds (ms). A +dime causes two beep tones for 33 ms, while a nickel causes +one beep tone at +also 33 ms. A beep consists of two frequencies, 2200 Hz and +1700 Hz. As with +a Blue Box, Red Box tones can be recorded on a magnetic +tape. + Since any call from a payphone is originated with a +"ground test," in +which the TSPS operator or the ACTS computer checks for the +presence of the +first coin inserted into the phone, by verifying use of the +magnetic, weight, +and size traps, when using a Red Box, it is necessary to put +in at least one +coin. + + The Cheese Box + A Cheese Box lets a normal telephone emulate a +payphone. By emulating a +payphone, using a blue box now becomes safe, because if the +CO equipment +recognizes the call as one from a payphone, it does not +record it on a CAMA +tape. Since a normal telephone does not have a slot to enter +coins, a Red Box +is needed to generate the sound of a coin dropping. + + V. Divertors + A divertor is a special service that allows businesses +to "divert" calls +if no one answers after a certain number of rings. For +example, a person +calls a company, and nobody answers. After about three +rings, a few clicks +are heard, then a few fainter rings are heard. The building +receiving the +call has changed from the company to another building, +usually somebody's +house. What has happened is that the call has been re-routed +from building A +to building B. In effect, the number called is not really +changed, but +instead, building A has answered the call, called building +B, and connected +the two lines together. If the person in building B +disconnects, the caller +is still connected to building A. With the way the divertor +equipment works +in the telephone company, the phone line of building A will +then emit a dial +tone and the caller has total control of the line, and can +originate another +call, charging it to building A. + + + VI. Private Branch Exchanges + A Private Branch Exchange (PBX) is a system of out-WATS +(Wide Area +Telephone Service) lines and in-WATS lines. An out-WATS line +allows a +business to make as long-distance calls each month for a +flat rate. An +in-WATS line is a toll-free number (800 number) that is also +leased to +businesses for flat rates. PBX's save corporations much +money when their +salesmen, distributors, and franchisees must make many calls +from different +parts of the country. It works much like specialized common +carriers (to be +discussed later). + First, the employee calls the company on the in-WATS +line. The switching +equipment picks up the phone, and send a tone to the +employee indicating for +him to enter the access code of the PBX. If the access code +is correct, then +the line is connected to the out-WATS line, and the employee +can make a call. + To use PBX's, phreakers must find the access code of +the PBX. This can +be done very easily, since the code is usually only a few +digits. One way is +to dial different combinations manually on the telephone +keypad. The other +way is of the phreaker is the owner of a modem. A simple +program can be +easily written to continuously dial digit combinations +randomly or +sequentially. + + + VII. Specialized Common Carriers + Ever since the break up of AT&T's monopoly on +long-distance service, +there have been many other corporations that compete with +AT&T in the +long-distance market, including Sprint, MCI, All-net, ITT, +and Metrophone. +These all boast opportunities for large savings on +long-distance calls. These +companies are called specialized common carriers (SCC's). + SCC's cost less because they do not use the AT&T's +cable-based systems, +but instead use microwave links. Some have also added +fiber-optic lines to +their networks. + Another way they can save consumers money is by using +AT&T's lines. +Instead of connecting calls by the shortest route, the +carrier will use a +different route, so the call goes through places where the +long-distance +traffic is heavy, and the rate is lower. The companies that +do this are known +as "resellers." + Most SCC's work nearly the same as PBX's. The 800 +number is called, a +tone is heard, the private identification number (PIN) is +entered, and then +the call can be made. The length of the PIN number can range +from four digit +to fourteen digits. + Besides 800 toll free numbers, in some areas, a 950 can +be used. A 950 +works exactly the same as an 800 number, the only difference +is that the +consumer must enter only seven digits before dialing his PIN +number instead +of ten with a toll-free number. 950's are free of charge and +can be used both +at home and at pay phones. + The PIN numbers can be found the same way as PBX access +codes. Since the +number of digits in a PIN is so great, using a computer is +much more common +practice than manual dialing. + The following pages are lists of SCC's and their +dialups, formats, and +special points. Note that some have many different dialups. + + + +============================================================ +================= +[ SCC Extenders List +] +[ 0-9 - Number of digits in code +] +[ [ ] - Dial that exact number +] +[ # - Area code + Prefix + Suffix +] +[ : - Dial tone +] +[ + - ontinue dialing +] +============================================================ +================= +| Extender | Dialing Format | Company | +Comments | +------------------------------------------------------------ +----------------- +| 800-223-0548 | 8+[1]+# | TDX | +| +| 800-241-1129 | 8+[1]+# | TDX | +| +| 800-248-6248 | 6+[1]+# | SumNet Systems | +(800)824-3000 | +| 800-288-8845 | 7:[1]+# | TMC Watts | +(800)999-3339 | +| 800-325-0192 | [1]+#+6 | MCI | +950-1986 | +| 800-325-1337 | 7:[1]+# | TMC Watts | +| +| 800-325-7222 | 6+[1]+# | Max | +(800)982-4422 | +| 800-325-7970 | 6+[1]+# | Max | +(800)982-4422 | +| 800-327-4532 | 8+# | All-TelCo | +| +| 800-327-9488 | #:13 | ITT | +950-0488 | +| 800-334-0193 | [9]+# | Piedmont | +| +| 800-345-0008 | [0]+#:14 | US Sprint FON Cards +|950-1033 also 9+#| +| 800-368-4222 | 8+# | Congress Watts Lines | +| +| 800-437-7010 | 13 | GCI | +| +| 800-448-8989 | 14+[1]+# | Call US | +| +| 800-521-8400 | 8:# | TravelNet | +950-1088 (voice)| +| 800-541-2255 | 10 | MicroTel | +| +| 800-547-1784 | 13 | AmericaNet | +| +| 800-621-5640 | 6+[1]+# | ExpressTel | +| +| 800-637-4663 | 5+[1]+# | TeleSave | +| +| 800-821-6511 | 5+[1]+# | American Pioneer | +(800)852-4154 | +| 800-821-6629 | 6+[1]+# | Max | +(800)982-4422 | +| 800-821-7961 | 6+[1]+# | Max | +(800)982-4422 | +| 800-826-7397 | 6:[1]+# | Call U.S. | +| +| 800-858-4009 | 6+[1]+# | NTS | +Voice | +| 800-862-2345 | 7:[1]+# | TMC | +| +| 800-877-8000 | [0]+#:14 | US Sprint Calling +Card|950-1033 also 9+#| +| 800-882-2255 | 6:[1]+# | AmeriCall | +False Carrier | +| 800-950-1022 | [0]+#:14 | MCI Calling Card | +| +| 800-992-1444 | 9+# | AllNet | +950-1444 | +============================================================ +================= + + + VIII. PC Pursuit + Many modem users know Telenet as a packet-switching +network through +which they can connect to different telecommunication +services throughout the +country for an hourly rate of $2. With PC Pursuit, Telenet +uses the same +method as SCC's, but instead of using microwave links, the +call is routed +through computers. Since it is routed through computers, the +service can be +used by only owners of modems. Instead of paying the hourly +rate, the +consumer needs only to pay a flat monthly rate of $25. + Using PC Pursuit is a little more difficult than using +SCC's, because +now instead of combinations of only ten different characters +(0-9), the whole +alphabet can be used in the access code. The following is a +chart showing the +steps to originate a typical PC Pursuit call. + + How to Originate a PC Pursuit Call + First, the users dials the local Telenet Access Center, +which can be +found by dialing Telenet customer service at 1-800-336-0437. + +Then: + +Note: (cr) signifies the carriage return on a computer +keyboard. + +Network Shows | User Types | Explanation +__________________|____________________________|____________ +_________________ + | (cr) (cr) | +__________________|____________________________|____________ +_________________ +TELENET | | Telenet +network called and +XXX XXX | | your +network address. +__________________|____________________________|____________ +_________________ +TERMINAL= | "D1" (cr) | Enter "D1" +or press (cr) +__________________|____________________________|____________ +_________________ +@ | For 300 bps: | CONNECT +command. To access + | "C(sp)DIALXXX/3,XXXX(cr)" | a PC +Pursuit city type a PC + | | Pursuit +access code and + | For 1200 bps: | your user +ID. + | "C(sp)DIALXXX/12,XXXX(cr)" | +__________________|____________________________|____________ +_________________ +PASSWORD= | "XXXXXX" (cr) | Type the +password +__________________|____________________________|____________ +_________________ +DIALXXX/X | "ATZ" (cr) | You are now +connected to the +CONNECTED | | PCP city. +Type ATZ (upper). +__________________|____________________________|____________ +________________ +OK | "ATDTXXXXXXX" (cr) | Dials a +number in PCP city +__________________|____________________________|____________ +________________ +CONNECT | | Your are +now connected to + | | your +destination computer. +__________________|____________________________|____________ +________________ + + If the number dialed is busy, the user will see BUSY. +To call another +number in the same city, the user types "ATZ." The network +will answer OK. +The user then types "ATDTXXXXXXX" (cr) to dial the next +number. + To connect to a different PC Pursuit City, when the +user sees BUSY, he +types "@" (cr). When a @ appears, "D" (cr) is entered. This +disconnects the +user from the previous city. The user then follows the +above procedures to +dial another city. + + IX. Cellular Phone Fraud + Cellular phones have evolved considerably from previous +systems. +Signaling between mobile and base stations uses high-speed +digital techniques +and involves many different types of digital messages. The +cellular phone +contains its own Mobile Identification Number (MIN), which +is programmed by +the seller or service shop and can be changed when, for +example, the phone is +sold to a new user. In addition, the U.S. cellular standard +incorporates a +second number, the Electronic Serial Number (ESN), which is +intended to +uniquely and permanently identify the mobile unit. + According to the Electronic Industries Association +(EIA) Interim +Standard IS-3-B, Cellular System Mobile Station Land Station +Compatibility +Specification, the serial number is a 32-bit binary number +that uniquely +identifies a mobile station to any cellular system. It must +be factory-set +and not readily alterable in the field. The circuitry that +provides the +serial number must be isolated from fraudulent contact and +tampering. +Attempts to change the serial number circuitry should render +the mobile +station inoperative. + The ESN was intended to solve two problems the industry +observed with +its older systems. First, the number of subscribers that +older systems could +support fell far short of the demand in some areas, leading +groups of users +to share a single mobile number (fraudulently) by setting +several phones to +send the same identification. Carriers lost individual user +accountability +and their means of predicting and controlling traffic on +their systems. + Second, systems had no way of automatically detecting +use of stolen +equipment because thieves could easily change the +transmitted identification. + In theory, the required properties of the ESN allow +cellular systems to +check to ensure that only the correctly registered unit uses +a particular +MIN, and the ESNs of stolen units can be permanently denied +service +("hot-listed"). This measure is an improvement over the +older systems, but +vulnerabilities remain. + + ESN Tampering + Although the concept of the unalterable ESN is laudable +in theory, +weaknesses are apparent in practice. Many cellular phones +are not +constructed so that attempts to change the serial number +circuitry renders +the mobile station inoperative. Contrary to this statement, +swapping of one +ESN chip for another in a unit that has been found to +functione flawlessly +after the switch was made. + + Obtaining ESN's + Since most manufacturers are using industry standard +Read-Only Memory +(ROM) chips for their ESNs, the chips are easily bought and +programmed or +copied. In programming the ESN with a valid code is another +matter. +Remembering that to obtain service from a system, a cellular +unit must +transmit a valid MIN (telephone number) and (usually) the +corresponding +serial number stored in the cellular switch's database. With +the right +equipment, the ESN/MIN pair can be read right off the air +because the mobile +transmits it each time it originates a call. Service shops +can capture this +information using test gear that automatically receives and +decodes the +reverse, or mobile-to-base, channels. + Another way to obtain the numbers is from service +shops. Service shops +keep ESN/MIN records on file for units they have sold or +serviced, and the +carriers also have these data on all of their subscribers. +Unscrupulous +employees could compromise the security of their customers' +telephones by +obtaining these records. + In many ways, trade in illegally obtained ESN/MIN pairs +could, in the +future, resemble what currently transpires in the long +distance telephone +business with AT&T credit card numbers and alternate +long-distance carrier +(such as MCI, Sprint and Alltel) account codes. Code numbers +are swapped +among friends, published on computer bulletin boards and +trafficked by career +criminal enterprises. + + + X. CN/A's + CN/A's, which stands for Customer Names and Addresses, +are bureaus that +exist so that authorized Bell employees can find out the +name and address of +any customer in the Bell System. All phone numbers are +maintained on file +including unlisted numbers. + To find the owner of any number, the person first must +call the local +CN/A during business hours. Then he must pretend to be from +a registered +business, and ask for the owner of the number. In some +states, though, the +operator will ask for an ID number. In these cases, one must +be guessed at. + There is also a type of reverse CN/A bureau, which is +usually called a +NON PUB DA or TOLL LIB. With these numbers, somebody can +find unpublished +numbers if the caller gives the operator the name and +locality. These are +considerably harder to use, since the operator will then +request the caller's +name, supervisors name, etc. + The following is a list of current CN/A's. + +____________________________________________________________ +_________________ + + 1988 CN/A List (subject to change) +____________________________________________________________ +_________________ + +Area: CN/A Area: CN/A Area: CN/A + 201: Classified 202: 304-343-7016 203: +203-789-6815 + 204: 204-949-0900 206: 206-345-4082 207: +617-787-5300 + 208: 303-293-8777 209: 415-781-5271 212: +518-471-8111 + 213: 415-781-5271 214: 214-464-7400 215: +412-633-5600 + 216: 614-464-0519 217: 217-789-8290 218: +402-221-7199 + 219: 317-265-4834 301: 304-343-1401 302: +412-633-5600 + 303: 303-293-8777 304: 304-344-8041 305: +912-752-2000 + 307: 303-293-8777 308: 402-221-7199 312: +312-796-9600 + 313: 313-424-0900 314: 816-275-8460 316: +913-276-6708 + 317: 317-265-4834 318: 504-245-5330 319: +402-221-7199 + 401: 617-787-5300 402: 402-221-7199 404: +912-752-2000 + 405: 405-236-6121 406: 303-293-8777 412: +412-633-5600 + 413: 617-787-5300 414: 608-252-6932 415: +415-781-5271 + 416: 416-443-0542 417: 816-275-8460 418: +614-464-0123 + 419: 614-464-0519 501: 405-236-6121 502: +502-583-2861 + 503: 206-345-4082 504: 504-245-5330 505: +303-293-8777 + 509: 206-345-4082 512: 512-828-2501 513: +614-464-0519 + 514: 514-394-7440 515: 402-221-7199 517: +313-424-0900 + 518: 518-471-8111 519: 416-443-0542 601: +601-961-8139 + 602: 303-293-8777 603: 617-787-5300 605: +402-221-7199 + 606: 502-583-2861 607: 518-471-8111 608: +608-252-6932 + 609: Classified 612: 402-221-7199 613: +416-443-0542 + 614: 614-464-0519 615: 615-373-5791 616: +313-424-0900 + 617: 617-787-5300 619: 415-781-5271 701: +402-221-7199 + 702: 415-543-2861 703: 304-344-7935 704: +912-752-2000 + 705: 416-443-0542 707: 415-781-5271 712: +402-221-7199 + 713: 713-961-2397 715: 608-252-6932 716: +518-471-8111 + 717: 412-633-5600 718: 518-471-8111 801: +303-293-8777 + 802: 617-787-5300 804: 304-344-7935 805: +415-781-5271 + 806: 512-828-2501 809: 404-751-8871 812: +317-265-4834 + 813: 813-228-7871 814: 412-633-5600 815: +217-789-8290 + 816: 816-275-8460 817: 214-464-7400 901: +615-373-5791 + 904: 912-752-2000 906: 313-424-0900 912: +912-752-2000 + 914: 518-471-8111 916: +415-781-5271 + 918: 405-236-6121 912: +912-752-2000 +____________________________________________________________ +_________________ + + + + XI. Loops + The loop is an alternative communication medium that +has many +potential uses. Loops are phone lines that are connected +when they are called +simultaneously. One use is when somebody wants another +person to call them +back but is reluctant to give out their home phone number +(eg., if they were +on a party line). + Loops are found in pairs that are usually close to +each other (eg., +718-492-9996 and 718-492-9997). On a loop, one line is the +high end, and the +other is the low end. The high end is always silent. The +tone disappears on +the low end when somebody calls the high end. + It is truly only safe to use a loop during non-business +hours. During +business, loops are used to test equipment by various +telephone companies and +local CO's. + + + XII. Alliance Teleconferencing + Alliance Teleconferencing is an independent company +which allows the +general public to access and use its conferencing equipment. + + Billing an Alliance Conference + Alliance Teleconferencing is accessed by dialing +0-700-456-1000 in most +states. In some states, the first and last digits of the +suffix vary. There +are four main ways to use Alliance illegally. The first is +through a PBX. +Some allow use of the 700 exchange, but many do not. + The second way is with a Blue Box. After seizing the +line, +KP-0-700-456-1000-ST is dialed. The equipment now thinks +that Alliance has +been dialed from a switchboard and bills the conference to +it. + The third way is to a loop. After being connected to +Alliance, the +caller contacts the operator by pressing 0. The caller then +can ask for the +conference to billed to another number, giving the operator +the number of the +high-end of a loop. The operator will then call the loop. A +friend of the +phreaker must be prepared to answer the call by calling the +low-end. When the +friend answers and accepts the billing, the conference will +be billed to the +loop. + The fourth way is from a divertor. Since the divertor +is a normal, +home-type line, the phreaker should not have any problems +starting a +conference. + + + Starting a Conference + When Alliance answers, a two-tone combination is +emitted. The caller +then types a two digit combination to tell the equipment how +many people will +be in the conference, including the originator. Then either +# is pressed to +continue or * is pressed to cancel the conference. To dial a +each conferee, +the phreaker simply answers each prompt with the phone +number of the +corresponding person. + To join the conference, the originator enters #, and to +return to +control mode, he enters # again. To transfer control of the +conference, +#+6+1+ the phone number of the person you wish to transfer +the control to. To +end the conference, the phreaker presses the * button. + + + XIII. Telephone System Security Measures + To stop telephone fraud, there are many measures which +telephone +companies can apply to identify and convict the phone +phreaker. + + ESS Detection Devices + Telephone companies have had twenty years to work on +detection devices; +therefore, they are well refined. Basically, the detection +devices will look +for the presence of 2600 Hz where it does not belong, which +is in the local +CO. It then records the calling number and all activity +after the 2600 Hz. + + Automatic Number Identification and the Centralized +Automatic Message + Accounting Tapes + Automatic Number Identification (ANI) is an implement +in ESS that can +instantly identify the calling party. For every call that is +made, +information including the numbers of the calling and +receiving parties, the +time of origination of the call, if the called party +answered the call, and +the time when the caller has hung-up is recorded on a tape +in the Centralized +Automatic Message Accounting (CAMA) office. This includes +wrong numbers, +toll-free numbers, and local calls. This tape is then +processed for billing +purposes. + Normally, all free calls are ignored, but the billing +equipment has been +programmed to recognize many different types of unusual +activity. One checks +if a certain 800 number is called excessively. If the number +is an SCC, the +equipment can instantly check if the caller is a subscriber +of the SCC. If it +is not, it will alert the company of the illegal activity. +Another is if +there is a call where the calling party has stayed off-hook +for a large +amount of time, but the called party never answers. The +equipment recognizes +this as possible use of a Black Box. + + Dialed Number Recorders + Placing a Dialed Number Recorders (DNR) on a telephone +line is standard +procedure when telephone fraud is suspected. The most common +DNR's can do the +following: print all touch tone digits sent (in suspected +illegal use of an +SCC), print out all MF and record the presence of 2600hz on +the line (in +suspected use of a Blue Box), and activate a tape recorder +for a specific +amount of time. + + Trap Codes + Trap codes are decoy PIN numbers. If a telephone +company find that a +certain PIN number is being used illegally, it will call the +real owner and +notify him of the change in his account number. The company +will then contact +the FBI to bring their telephone "lock in" trace equipment. + A lock in trace is a device used by the FBI to lock +into the phone +user's location. Since all phone connections are held open +by a certain +voltage of electricity, +the lock in trace works by patching into the line and +generate the same +voltage into the lines. If the caller tries to hang up, +voltage is retained. +The phone will continue to ring as if someone was calling +even after the call +is disconnected. The trunk then remains open and the call +can be traced. The +FBI sets its equipment so that the next time the PIN number +is illegally +used, the call goes through, but while the communication is +proceeding, the +FBI traces the call. + + Stopping an FBI Trace. + Stopping a trace is quite simple. If the voltage in the +line could be +lowered, the trace could not function, since lowering the +voltage would also +probably short out the FBI voltage generator. Therefore, any +appliance which +uses many volt can be connected to the red and green wires +in a wall jack, +and the trace should be removed. + + Common Channel Inter-office Signaling + Besides detection devices, Bell has begun to gradually +redesign the +network using out-of-band signaling. This is known as +Common Channel +Inter-office Signaling (CCIS). Since this signaling method +sends all the +signaling information over separate data lines, and does not +use any form of +DTMF, all colored boxes do not work under it. Of course, +until this +multi-million dollar project is totally complete, boxing +will still be +possible. It will become progressively harder to find places +to "box" off of, +though. + + + XIV. Laws Governing the Rights of Phreakers + Since phreaking is one-hundred percent illegal, once +discovered, there +are not many laws protecting the phreaker. There are, +however some laws +governing steps government agents may take to convict him. + The first law is the Section 605 of Title 47 of the +United States Code. +This section forbids interception of communications, except +by persons +outlined in Chapter 119, Title 18, which is a portion of the +Omnibus Crime +Control and Safe Streets Act of 1968. + In this chapter, Section 2511 (2) (a) (i) says "It +shall not be unlawful +under this chapter for an operator of a switchboard, or an +officer, employee, +or agent of any communications carrier, whose facilities are +used in the +transmission of a wire communication, to intercept, +disclose, or use that +communication in the normal course of his employment, while +engaged in any +activity which is a necessary incident to the rendition of +his service of the +protection of the rights or property of the carrier of such +communication." +This means that agents of telephone companies are allowed +not only allowed to +tap lines without a warrant, but also allowed to disclose +the recording of a +communication. + In the case United States vs. Sugden, the following +ruling was made: +"For an unreasonable search and seizure to result from the +interception of +the defendant's communication, he must have exhibited a +reasonable +expectation of privacy. Where, as here, one uses a +communication facility +illegally, no such expectation is required." This simply +means that when you +make an illegal call, you have waved your right to privacy. + +.S + + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/phreak/PHREAKING/phonehac.phk b/textfiles.com/phreak/PHREAKING/phonehac.phk new file mode 100644 index 00000000..3f0ef49e --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phonehac.phk @@ -0,0 +1,54 @@ + The Autodial + Proudly Presents + "Phone Hackers take their toll" + + A network of computer hackers obtained a Campbell man's Sprint telephone +service access number used it to make around $60,000 worth of calls, a company +spkesman said Tuesday. + + Tom Bestor, a spokesman from the Burlingame long-distance firm, said the +incident is one of the largest telephone fraud cases of its kind. + + "We have found a lot of people (involved) in three major cities and we are +pursuing prosecution right now. I think this is going to be a good-sized +investigation," Bestor said. + + He said hackers - computer enthusiasts - in Atlanta, New York, and Baltimore +as well as many other cities around the country used Robert Bocek's Sprint +number to make hundreds of calls in November and December. + + Bestor said it appears that the hackers used so-called "computer bulletin +boards" to pass the number form person to person. + + Such boards are actually computers equipped to answer the phone, distribute +information, and store messages. Their phone numbers are often listed in +publications for computer hobbyists. + + Bocek, an engineer who works for an electronics firm, said he knew something +was wrong when his November Sprint bill came in at around $4,800 when "our +normal bill is around $70 to $80." + + At the same time, Sprint notified Bocek and his wife that the company's +security personnel had discovered that their access code was being abused. + + Bestor said the firm told Bocek not to worry about the bill and changed his +access code. + + But in the 10 days that it took to change the number, Bestor said the hackers +were able to run amok,and Sprint warnings to Bocek to expect a large bill for +the period of time proved correct. + + In mid-December Bocek recieved a 722 page phone bill from Sprint that listed +17,311 calls. The total charges were $55,562.27 not counting an $8,197 "volume +discount" + + (article from the San Jose Mercury News..Written by Karen Klinger) + + Phootnote by The Autodial. + + Well it looks like this "damaging" publicity is going to do just that, Damage, +not the Phreak kingdom but Sprint.. Well if your parents do subscribe to Sprint +advise them to change to AT&T... They're not only cheaper but they're better. +It looks like Sprint is going to have to change its ways.. Thank you Nick +Halflinger. + \ No newline at end of file diff --git a/textfiles.com/phreak/PHREAKING/phphil.txt b/textfiles.com/phreak/PHREAKING/phphil.txt new file mode 100644 index 00000000..7ef262de --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phphil.txt @@ -0,0 +1,116 @@ + a phreindly + phile + +---------------------------------------- + index +---------------------------------------- +* = 2600hz k = key pulse +p = prefix x = sufix +ac= area code rc= routing code ++ = 121 s = start +---------------------------------------- +*k141s = rate & route +*k+s = local inward +*kacrc+s= long distance inwards +*k131s = local information +*kac131s= long distance information +---------------------------------------- + definitions and procedures +---------------------------------------- +rate & route - the price rate for long distance calling. also routes for long +distance inwards. +procedure - call r&r say,"yes, i need the operator routing fo thank you."(if +you don't say thank you they get suspicious, that is correct operator +procedure.) + +inward - the operator in the area specified. the pupose is mainly for verify +and interrupt. +procedure - call the inward say,"yes, operator i need an emergency +interupt on (ac-p-x). when she/he replies say,"thank you operator." +for verify rather than anemergency interrupt say varification only on (ac-p-x). + +information - if you don't know it forget phreaking!!! +---------------------------------------- + the six-way loop!!! +---------------------------------------- +1-213-206-6053 + +call until it rings and let it continue ringing until someone else calls in. +it will then connect you and alow you to converse with that person and any +others who call in. (ideal for joint confrences.) +the best time to call unless you know it is in use is aprox. 5:45 eastern time. +school is then out nationwide. the loop population is booming then. +---------------------------------------- + confrencing phreinds +---------------------------------------- +the confrence call is nothing new but it is still really popular and +probably will stay that way for a long time. +the conference gives you a 15 line split and allows you to call upto 14 other +people. if you know of a few conferences going on it proves ultimate fun to +join them on the loop. + the controls +when you dial the conference enter 15 wait for a voice then enter # after +which you may dial out using the (1-ac-p-x) format. when you reach someone +enter # to add them to your conference. hit ### to then join and talk to that +person. enter # to goto control-mode then dial another number. for +international dial (011-countrycode-citycode-p-x). add them the same way as +the first. join and talk to both or call another location. when in control +mode you may terminate the conference by hitting * then hanging up, +or just hangup but it is really correct procedure to hit * first so that the +conference computer resets immedeatly. if you are talking in control mode * +hangs up on the person with whom you are conversing in control mode. you may +then dial another confree. + when a person hangs up if you wish to call them right back then goto control +mode and hit #. + + + to start a conference you can dial a devertor then +0700-456-1000:0700-456-2002. or you can call 1-800-050-1000:1-800-050-2002. + the 800 numbers drop a loop you then enter k0000000000s. + your conference is ready for setup. + the 0700 numbers go directly to setup. +---------------------------------------- + phreindly phones!!! +---------------------------------------- +***-***-**** rocky racoon +***-***-**** the canadian +***-***-**** hackin' hank + +feel free to call these people for help.the 813 numbers are bb users. +the 607 is extenders and watts +outlines only. + + +these are the big three of phreinds phorever!!! +---------------------------------------- + phun numbers +---------------------------------------- +1-800-521-8400-6978-5492 travelnet +1-813-584-1494-39843 mci +1-301-792-2505 watts outline +1-301-953-0125&6 devertor + + this has been brought to you by: + *>rocky racoon<* + via seq. philes! + on behalf of the + phreinds phorever! + phun club + + p. p. p. p. !!!! +phreaking phor phun & phreinds!!!!!!!!!! +contact one of the big three for an +aplication or print out the seqential +that accompanies this phile! +phill it out and send to: + the true dude + 10598 106th ave. n. + largo fl., + 33543 + + +thanx and look for our updates to this, phreindly phile v1.0. + + + later daze, + *>rocky racoon<* diff --git a/textfiles.com/phreak/PHREAKING/phrakman.txt b/textfiles.com/phreak/PHREAKING/phrakman.txt new file mode 100644 index 00000000..f872a64c --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phrakman.txt @@ -0,0 +1,13465 @@ + + + + The Official Phreaker's Manual + + + + + + + + + + + + + + + + + + + + + + The Official Phreaker's Manual V1.1 + Updated 2/14/91 + Compiled, Wordprocessed, and Distributed by: + The Jammer + and + Jack the Ripper + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 1 + + + + + The Official Phreaker's Manual + + Introduction + + What precedes this introduction is what I have termed "The Official +Phreakers Manual", while it may not be. Many times I have been on a BBS, which +has files claiming to have summed up all the ways to phreak in the U.S. and +abroad, well those were pretty lame and a couple pages long. Now after many +relentless hours of work, I have done it. This is an informative file and the +authors of this and the authors from which I have gathered information, take +absolutely NO responsibility and are not liable for, under any circumstances +for damage, direct, indirect, incidental, or consequential. + + Warning: Use of this material may shorten your life in the free world! + + Ok enough of the bullshit, I readily admit that this is mainly a compilation +of available phreak material and public resources. What I have done is to +gather it all together and edit, compile, check for errors, put in a readable +form, and finally to write what I know without echoing what others have said. +I have set this up that it is good for all levels of phreaks, going from novice +to advanced, and references and tables for easy reference in the back. + This manual is constantly being updated! If you have any contributions or +corrections or comments, please leave messages to me (Jack the Ripper) on any +BBS's I am on (probably where you got it). Thanks! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 2 + + + + + The Official Phreaker's Manual + + ********************************************************************** + + Table of Contents + + ********************************************************************** + + +I....... 005 Chapter 1 +I.1..... 006 Glossary of Phreaking terms +I.2..... 010 Glossary of Phreaking terms cont. +I.3..... 017 Boxes and Electronic Toll Fraud +I.4..... 020 How to be a Real Phreak +I.5..... 026 Basic Telecommunications I, A Phreaks guide + +II...... 031 Chapter 2 +II.1.... 033 Secrets of the Little Blue Box. Part 1 +II.2.... 041 Secrets of the Little Blue Box. Part 2 +II.3.... 050 Secrets of the Little Blue Box. Part 3 +II.4.... 058 Secrets of the Little Blue Box. Part 4 +II.5.... 062 The History of ESS +II.6.... 064 History of British Phreaking +II.7.... 067 Bad as Shit, an adventure story + +III..... 069 Chapter 3 +III.1... 070 Phreaking Cosmos +III.2... 072 Cosmos Revamped +III.3... 073 Telenet +III.4... 075 Phreaking AT&T Cards +III.5... 076 AT&T Forgery +III.6... 078 Dealing with Operators +III.7... 079 How to set up a Conference Call +III.8... 081 Fone tapping +III.9... 083 Fone tapping cont. +III.10.. 085 Tracing, how dangerous is it +III.11.. 086 How to avenge yourself +III.12.. 088 Interesting things to do on Step lines +III.13.. 089 Busted, An account of the Private Sector bust + +IV...... 092 Chapter 4 +IV.1.... 093 Basic Telecommunications II, Special #'s, Loops, Ani +IV.2.... 101 Basic Telecommunications III, Direct Dialing, International +IV.3.... 106 Basic Telecommunications IV, Telefone Hierarchy +IV.4.... 113 Basic Telecommunications V, Subscriber fone electronics +IV.5.... 120 Basic Telecommunications VI, Fortress fones + +V....... 123 Chapter 5 +V.1..... 124 Basic Telecommunications VII, Blue Boxing +V.2..... 132 Better Homes & Blue Boxing, Part 1 +V.3..... 136 Better Homes & Blue Boxing, Part 2 +V.4..... 141 Better Homes & Blue Boxing, Part 3 +V.5..... 145 More on Blue Boxing by Fred Stienbeck +V.6..... 146 Verification, Remob, etc., Is it possible? +V.7..... 148 Equal Access and the American Dream, Another great article +V.8..... 160 Equal access and Autodialing Modems +V.9..... 161 ISDN, it will change telecommunications for ever +V.10.... 163 ISDN, an article from Proto +V.11.... 165 MCI Services what they are and how they are useful + + + Page 3 + + + + + The Official Phreaker's Manual + + ********************************************************************** + + Appendixes + + ********************************************************************** + + +Appendix I...... 170 Reference tables and access lists +Appendix I.1.... 171 Country Codes +Appendix I.2.... 173 Country Codes cont. +Appendix I.3.... 176 Country Codes cont. +Appendix I.4.... 181 Max Access ports (Dialups) +Appendix I.5.... 182 Metro Fone Access ports +Appendix I.6.... 183 Area Codes +Appendix I.7.... 185 Tac Dialups around the country +Appendix I.8.... 193 Test numbers around the country +Appendix I.9.... 196 What a TSPS operators console looks like + +Appendix II..... 197 Box plans +Appendix II.1... 198 How to make an Infinity transmitter +Appendix II.2... 203 How to make a silver box + + 204 Protection Page + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 4 + + + + + The Official Phreaker's Manual + + Chapter 1 + + Ok this chapter will cover the basic vocabulary of phreaking, it is a fairly +long list, though not totally complete. After the vocab, will be some of the +general rules for phreaking. Most of the rules are protection from the police +and AT&T, but others are grammatical rules. These are not as important to your +freedom, but many a phreak will think you are a twelve year old if you start +talking like, "Hey dudz!^$(&, just got the latest warez! trade u for some +soft/docs. Checkul8r". Well you get the point, here's your vocab list... + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 5 + + + + + The Official Phreaker's Manual + + ...................................................................... + ...................................................................... + . The Bell Glossary - .. + . by .. + . /\<\ /\<\ .. + . \>ad \>arvin .. + ...................................................................... + ...................................................................... + +ACD: Automatic Call Distributor - A system that automatically distributes calls +to operator pools (providing services such as intercept and directory +assistance), to airline ticket agents, etc. + +Administration: The tasks of record-keeping, monitoring, rearranging, +prediction need for growth, etc. + +AIS: Automatic Intercept System - A system employing an audio-response unit +under control of a processor to automatically provide pertinent info to callers +routed to intercept. + +Alert: To indicate the existence of an incoming call, (ringing). + +ANI: Automatic Number Identification - Often pronounced "Annie," a facility for +automatically identify the number of the calling party for charging purposes. + +Appearance: A connection upon a network terminal, as in "the line has two +network appearances." + +Attend: The operation of monitoring a line or an incoming trunk for off-hook or +seizure, respectively. + +Audible: The subdued "image" of ringing transmitted to the calling party during +ringing; not derived from the actual ringing signal in later systems. + +Backbone Route: The route made up of final-group trunks between end offices in +different regional center areas. + +BHC: Busy Hour Calls - The number of calls placed in the busy hour. + +Blocking: The ratio of unsuccessful to total attempts to use a facility; +expresses as a probability when computed a priority. + +Blocking Network: A network that, under certain conditions, may be unable to +form a transmission path from one end of the network to the other. In general, +all networks used within the Bell Systems are of the blocking type. + +Blue Box: Equipment used fraudulently to synthesize signals, gaining access to +the toll network for the placement of calls without charge. + +BORSCHT Circuit: A name for the line circuit in the central office. It +functions as a mnemonic for the functions that must be performed by the +circuit: Battery, Overvoltage, Ringing, Supervision, Coding, Hybrid, and +Testing. + +Busy Signal: (Called-line-busy) An audible signal which, in the Bell System, +comprises 480hz and 620hz interrupted at 60IPM. + +Bylink: A special high-speed means used in crossbar equipment for routing calls + + Page 6 + + + + + The Official Phreaker's Manual + +incoming from a step-by-step office. Trunks from such offices are often +referred to as "bylink" trunks even when incoming to noncrossbar offices; they +are more properly referred to as "dc incoming trunks." Such high-speed means +are necessary to assure that the first incoming pulse is not lost. + +Cable Vault: The point which phone cable enters the Central Office building. + +CAMA: Centralized Automatic Message Accounting - Pronounced like Alabama. + +CCIS: Common Channel Interoffice Signaling - Signaling information for trunk +connections over a separate, nonspeech data link rather that over the trunks +themselves. + +CCITT: International Telegraph and Telephone Consultative Committee- An +International committee that formulates plans and sets standards for +intercountry communication means. + +CDO: Community Dial Office - A small usually rural office typically served by +step-by-step equipment. + +CO: Central Office - Comprises a switching network and its control and support +equipment. Occasionally improperly used to mean "office code." + +Centrex: A service comparable in features to PBX service but implemented with +some (Centrex CU) or all (Centrex CO) of the control in the central office. In +the later case, each station's loop connects to the central office. + +Customer Loop: The wire pair connecting a customer's station to the central +office. + +DDD: Direct Distance Dialing - Dialing without operator assistance over the +nationwide intertoll network. + +Direct Trunk Group: A trunk group that is a direct connection between a given +originating and a given terminating office. + +EOTT: End Office Toll Trunking - Trunking between end offices in different toll +center areas. + +ESB: Emergency Service Bureau - A centralized agency to which 911 "universal" +emergency calls are routed. + +ESS: Electronic Switching System - A generic term used to identify as a class, +stored-program switching systems such as the Bell System's No.1 No.2, No.3, +No.4, or No.5. + +ETS: Electronic Translation Systems - An electronic replacement for the card +translator in 4A Crossbar systems. Makes use of the SPC 1A Processor. + +False Start: An aborted dialing attempt. + +Fast Busy: (often called reorder) - An audible busy signal interrupted at twice +the rate of the normal busy signal; sent to the originating station to indicate +that the call blocked due to busy equipment. + +Final Trunk Group: The trunk group to which calls are routed when available +high-usage trunks overflow; these groups generally "home" on an office next +highest in the hierarchy. + + Page 7 + + + + + The Official Phreaker's Manual + + +Full Group: A trunk group that does not permit rerouting off-contingent foreign +traffic; there are seven such offices. + +Glare: The situation that occurs when a two-way trunk is seized more or less +simultaneously at both ends. + +High Usage Trunk Group: The appellation for a trunk group that has alternate +routes via other similar groups, and ultimately via a final trunk group to a +higher ranking office. + +Intercept: The agency (usually an operator) to which calls are routed when made +to a line recently removed from a service, or in some other category requiring +explanation. Automated versions (ASI) with automatic voiceresponse units are +growing in use. + +Interrupt: The interruption on a phone line to disconnect and connect with +another station, such as an Emergence Interrupt. + +Junctor: A wire or circuit connection between networks in the same office. The +functional equivalent to an intraoffice trunk. + +MF: Multifrequency - The method of signaling over a trunk making use of the +simultaneous application of two out of six possible frequencies. + +NPA: Numbering Plan Area. + +ONI: Operator Number Identification - The use of an operator in a CAMA office +to verbally obtain the calling number of a call originating in an office not +equipped with ANI. + +PBX: Private Branch Exchange - (PABX: Private Automatic Branch Exchange) An +telephone office serving a private customer, Typically , access to the outside +telephone network is provided. + +Permanent Signal: A sustained off-hook condition without activity (no dialing +or ringing or completed connection); such a condition tends to tie up +equipment, especially in earlier systems. Usually accidental, but sometimes +used intentionally by customers in high-crime-rate areas to thwart off +burglars. + +POTS: Plain Old Telephone Service - Basic service with no extra "frills". + +ROTL: Remote Office Test Line - A means for remotely testing trunks. + +RTA: Remote Trunk Arrangement - An extension to the TSPS system permitting its +services to be provided up to 200 miles from the TSPS site. + +SF: Single Frequency. A signaling method for trunks: 2600hz is impressed upon +idle trunks. + +Supervise: To monitor the status of a call. + +SxS: (Step-by-Step or Strowger switch) - An electromechanical office type +utilizing a gross-motion stepping switch as a combination network and +distributed control. + +Talkoff: The phenomenon of accidental synthesis of a machine-intelligible + + Page 8 + + + + + The Official Phreaker's Manual + +signal by human voice causing an unintended response. "whistling a tone". + +Trunk: A path between central offices; in general 2-wire for interlocal, 4-wire +for intertoll. + +TSPS: Traffic Service Position System - A system that provides, under stored- +program control, efficient operator assistance for toll calls. It does not +switch the customer, but provides a bridge connection to the operator. + +X-bar: (Crossbar) - An electromechanical office type utilizing a "fine-motion" +coordinate switch and a multiplicity of central controls (called markers). +There are four varieties: + No.1 Crossbar: Used in large urban office application; (1938) + No 3 Crossbar: A small system started in (1974). + No.4A/4M Crossbar: A 4-wire toll machine; (1943). + No.5 Crossbar: A machine originally intended for relatively small +suburban applications; (1948) + Crossbar Tandem: A machine used for interlocal office switching. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 9 + + + + + The Official Phreaker's Manual + + ============================================================ + _ _ _______ + | \/ | / _____/ + |_||_|etal / /hop + __________/ / + /___________/ + (314) 432-0756 + + Proudly Presents + + The MCI Telecommunications Glossary + + Part I Volume I (A - D) + + Typed by Knight Lightning + + ============================================================ + +- A - + +A & B LEADS: Designation of leads derived from the midpoints of the two 2-wire +pairs comprising a 4-wire circuit. + +ABBREVIATED DIALING: The ability of a telephone user to reach frequently called +numbers by using less than seven digits. Synonym: Speed Dialing + +ACCESS CHARGE: A fee paid for the use of local lines. + +ACCESS CODE: A digit or number of digits required to be connected to a private +line arranged for dial access. + +ACCESS LINE: A telephone circuit which connects a customer location to a +network switching center. + +AIRLINE MILEAGE: Calculated point-to-point mileage between terminal +facilities. + +ALL TRUNKS BUSY (ATB): A single tone interrupted at a 120 ipm (impulses per +minute) rate to indicate all lines or trunks in a routing group are busy. + +ALTERNATE ROUTE: A secondary communications path used to reach a destination if +the primary path is unavailable. + +ALTERNATE USE: The ability to switch communications facilities from one type of +service to another, i.e., voice to data, etc. + +ALTERNATE VOICE DATA (AVD): A single transmission facility which can be used +for either voice or data. + +AMERICAN STANDARD CODE +FOR INFORMATION INTERCHANGE +(ASCII): An 8 level code developed for the interchange of information between +data processing and communications systems. + +ANALOG SIGNAL: A signal in the form of a continuous varying physical quantity, +e.g., voltage which reflects variations in some quantity, e.g., loudness in the +human voice. + + + Page 10 + + + + + The Official Phreaker's Manual + +ANNUNICATOR: An audible intercept device that states the condition or +restrictions associated with circuits or procedures. + +ANSWER BACK: An electrical and/or visual indication to the calling or sending +end that the called or received station is on the line. + +ANSWER SUPERVISION: An off-hook signal transmitted toward the calling end of a +switched connection when the called party answers. + +AREA CODE: Synonym: Numbering Plan Area (NPA). A three digit number identifying +more than 150 geographic areas of the United States and Canada which permits +direct distance dialing on the telephone system. A similar global numbering +plan has been established for international subscriber dialing. + +ATTENDANT POSITION: A telephone switchboard operator's position. It provides +either automatic (cordless) or manual (plug and jack) operator controls for +incoming and/or outgoing telephone calls. + +ATTENUATION: A general term used to denote the decrease in power between that +transmitted and that received due to loss through equipment, lines, or other +transmission devices. It is usually expressed as a ration in db (decibel). + +AUDIBLE RINGING TONE: An audible signal heard by the calling party during the +ringing-interval. + +AUTHORIZATION CODE: An identification number that the caller enters when +placing a call which is used for billing purposes. + +AUTHORIZED USER: A person, firm, organization, corporation or any other entity +authorized by the customer to send or receive communications over a specific +communications network. + +AUTO ANSWER: A machine feature that allows a transmission control unit or +station to automatically respond to a call that it receives. + +AUTOMATIC CALL +DISTRIBUTOR (ACD): A switching system designed to queue and/or distribute a +large volume of incoming calls to a group of attendants to the next available +"answering" position. + +AUTOMATIC DIALING UNIT: A device which automatically generates a predetermined +set of dialing digits. + +AUTOMATIC IDENTIFICATION +OF OUTWARD DIALING (AIOD): A computer generated report showing all long +distance calls placed over AT&T's toll network. + +AUTOMATIC NUMBER +IDENTIFICATION (ANI): Automatic equipment at a local dial office used on +customer dialed calls to identify the calling-station. + +AUTOMATIC ROUTE +SELECTION (ARS): Least cost routing via AT&T CENTREX system. + + + +- B - + + + Page 11 + + + + + The Official Phreaker's Manual + +BAND: (1) The range of frequencies between two defined limits. (2) In reference +to WATS, one of the five specific geographic areas as defined by AT&T. Synonym: +BANDWIDTH. + +BANDWIDTH: See BAND. + +BASEBAND: The total frequency band occupied by the aggregate of all the voice +and data signals used to modulate a radio carrier. + +BAUD: A unit of signaling speed. The speed in baud is the number of discrete +conditions conditions or signal elements per second. If each signal event +represents only one bit condition, then Baud is the same as bits per second. +When each signal event represents other than one bit, Baud does not equal bits +per second. + +BELL OPERATING COMPANY +(BOC) /BELL SYSTEMS +OPERATING COMPANY (BSOC): Any of the 24 AT&T affiliated companies providing +local service. + +BELL SYSTEM: The aggregate of AT&T's 24 associated telephone companies, Long +Lines, Western Electric, and Bell Labs. + +BILLING NUMBER: The MCI term for the number which identifies a customer on a +billing location level, assigned to Network Service Customer (by COMS). +Assigned for each unique customer name and billing location. For internal use +only. + +BINARY: A number system that uses only two characters ("0" and "1"). + +BIT: A binary digit. The smallest unit of coded information. + +BITS PER SECOND (BPS): The rate at which data transmission is measured. + +BLOCKED CALLS: Attempted calls that are not connected because (1) all lines to +the central offices are in use; or (2) all connecting connecting paths through +the PBX/switch are in use. + +BLOCKED ANI: ANI prohibited from completing a call over the MCI network. + +BREAK: A means of interrupting transmission, a momentary interruption of a +circuit. + +BROADBAND: A transmission facility having a bandwidth of greater then 20 kHz. + +BUS: A heavy conductor, or group of conductors, to which several units of the +same type of equipment may be connected. + +BUSY: The condition in which facilities over which a call is to be connected +are already in use. + +BUSY HOUR: The time of day when phone lines are most in demand. + +BUSY TONE: A single that is interrupted at 60 ipm (impulses per minute) rate to +indicate that the terminal point of a call is already in use. + +BYTE: A group of binary digits that are processed by a computer as a unit. + + + Page 12 + + + + + The Official Phreaker's Manual + + + +- C - + + +CARRIER: High frequency current that can be modulated with voice or digital +signals for bulk transmission via cable or radio circuits. + +CARRIER SYSTEM: A system for providing several communications channels over a +single path. + +CATHODE RAY TUBE (CRT): The "television-like" screen used to display the output +from a computer. + +CELLULAR MOBILE RADIO: A system providing exchange telephone service to a +station located in an auto or other mobile vehicle, using radio circuits to a +base radio station which covers a specific geographical area and as the vehicle +moves from one area to another, different base radio stations handle the call. + +CENTRAL OFFICE (CO): A telephone switching center that provides local access to +the public network. Sometimes referred to as: Class 5 office, end office, or +Local Dial Office. + +CENTREX, CO: PBX Service provided by a switch located at the telephone company +central office. + +CENTREX, CU: A variation on Centrex CO provided by a telephone company +maintained "Central Office" type switch located at the customer's premises. + +CENTRAL PROCESSING UNIT +(CPU): The control unit within a computer which handles all the intelligent +functions of the systems. In a telephone switch, directs all potions of the +system to carry out their appropriate functions. Synonym: Common Control. + +CHANNEL: A communication path via a carrier or microwave radio. + +CHARACTER: Any letter, digit, or special symbol. In data transmission would be +represented by a specific code made up of a group of binary digits. + +CIRCUIT: A path for the transmission of electromagnetic signals to include all +conditioning and signaling equipment. Synonym: Facility + +CIRCUIT SWITCHING: A switching system that completes a dedicated transmission +path from sender to receiver at the time of transmission. + +CLASS OF SERVICE/CLASS +MARK (COS): A subgrouping of telephone customers or users for the sake of rate +distinction or limitation of service. + +COAXIAL CABLE: A cable having several coaxial lines under a single protective +sheath. Usually used as a high capacity carrier in urban areas between +interexchange and toll offices. + +CODEC: Coder-Decoder. Used to convert analog signals to digital form for +transmission over a digital median and back again to the original analog form. + +COMMON CARRIER: A government regulated private company that provides the +general public with telecommunications services and facilities. + + Page 13 + + + + + The Official Phreaker's Manual + + +COMMON CHANNEL INTEROFFICE +SIGNALING (CCIS): A digital technology used by AT&T to enhance their Integrated +Services Digital Network. It uses a separate data line to route interoffice +signals to provide faster call set-up and more efficient use of trunks. + +COMMON CONTROL SWITCHING +ARRANGEMENT (CCSA): An arrangement for telecommunicationsnetworks in which +common controlled switching machines are used to route traffic over network +routes and access lines. The switching machine may be shared with other users +and is maintained by the telephone company. + +COMPUTER PORT/TKI PORT: The interface through which the computer connects to +the communications circuit. + +CONDITIONING EQUIPMENT: Equipment modifications or adjustments necessary to +match transmission levels and impedances and which equalizes transmission and +delay to bring circuit losses, levels, and distortion within established +standards. + +CONFIGURATION: The combination of long-distance services and/or equipment that +make up a communications system. + +CONTROL UNIT (CU): The central processor of a telephone switching device. + +CORPORATE ID NUMBER: The MCI term for the number which identifies a customer on +a corporate level. (Not all MCI customers have this). + +COST COMPONENT: The price of each type of long distance service and/or +equipment that constitutes a configuration. + +COST PER HOUR (CPH): Total cost of different services divided by total holding +time (in minutes). + +CROSS CONNECTION: The wire connections running between terminals on the two +sides of a distribution frame, or between binding posts in a terminal. + +CROSS TALK: The unwanted energy (speech or tone) transferred from one circuit +to another circuit. + +CUSTOMER OWNED AND +MAINTAINED (COAM): Customer provided communications apparatus, and their +associated wiring. + +CUSTOMER +PREMISE EQUIPMENT (CPE): Telephone equipment, usually including wiring located +within the customer's part of a building. + +CUT: To transfer a service from one facility to another. + +CUT THROUGH: The establishment of a complete path for signaling and/or audio +communications. + + +- D - + +DATA: Any representation, such as characters to which a meaning is assigned. + + + Page 14 + + + + + The Official Phreaker's Manual + +DATA COMMUNICATIONS: The movement of coded information by means of electronic +transmission systems. + +DATA SET: A device which converts data into signals suitable for transmission +over communications lines. + +DATA TERMINAL: A station in a system capable of sending and/or receiving data +signals. + +DECIBEL (db): A unit of measurement represented as a ratio of two voltages, +currents or powers and is used to measure transmission loss or gain. + +DELAY DIAL: A dialing configuration whereby local dial equipment will wait +until it receives the entire telephone number before seizing a circuit to +transmit the call. + +DELTA MODULATION (DM): A variant of pulse code modulation whereby a code +representing the difference between the amplitude of a sample and t~he +amplitude of a previous one is sent. Operates well in the presence of noise, +but requires a wide frequency band. + +DEMODULATION: The process of retrieving data from a modulated signal. + +DIAL LEVEL: The selection of stations or services associated with a PBX using a +one to four digit code (e.g., dialing 9 for access to outside dial tone). + +DIAL PULSING: The transmitting of telephone address signals by momentarily +opening a DC circuit a number of times corresponding to the decimal digit which +is dialed. + +DIAL REPEATING TIE LINE/ +DIAL REPEATING TIE TRUNK: A tie line which permits direct station to station +calling without use of the attendant. + +DIAL SELECTIVE SIGNALING: A multipoint network in which the called party is +selected by a prearranged dialing code. + +DIAL TONE: A tone indicating that automatic switching equipment is ready to +receive dial signals. + +DIALING PLAN: A description of the dialing arrangements for customer use on a +networks. + +DIGITAL: Referring to the use of digits to formulate and solve problems, or to +encode information. + +DIMENSION CUSTOM +TELEPHONE SERVICE (DCTS): AT&T's electronically programmable telephone station +sets which use special buttons to access PBX features. + +DIRECT +DISTANCE DIALING (DDD): A toll service that permits customers to dial their own +long distance call without the aid of an operator. + +DIRECT +INWARD DIALING (DID): A PBX or CENTREX feature that allows a customer outside +the system to directly dial a station within the system. + + + Page 15 + + + + + The Official Phreaker's Manual + +DIRECT OUTWARD DIALING: A PBX or CENTREX feature that allows a station user to +gain direct access to an exchange network. + +DROP: That direction of a circuit which looks towards the local operator. + +DRY CIRCUIT: A circuit which transmits voice signals and carries no direct +current. + +DUAL TONE +MULTI-FREQUENCY (DTMF): Also know as Touch Tone. A type of signaling which +emits two distinct frequencies for each indicated digit. + +DUPLEX: Simultaneous two-way independent transmission. + +DX SIGNALING: A long-range bidirectional signaling method using paths derived +from transmission cable pairs. It is based on a balanced and symmetrical +circuit that is identical at both ends. This circuit presents an E&M lead +interface to connecting circuits. + + + + ============================================================ + +This concludes Part 1 Volume I of the MCI Telecommunications Glossary. Look for +more G-philes from The MCI School of Telecommunications Management Reference +Guide coming soon. + + This has been a 2600 Club production + + +Thanx to Taran King + ============================================================ + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 16 + + + + + The Official Phreaker's Manual + + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + $ _______________________________ $ + $ | | $ + $ | ELECTRONIC TOLL FRAUD DEVICES | $ + $ |_______________________________| $ + $ $ + $ $ + $ TYPED AND UPLOADED BY: $ + $ $ + $$$$$$$$$$$$-=>LEX LUTHOR<=-$$$$$$$$$$$ + $ $ + $ $ + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + + + THIS PHILE IS DESIGNED TO IDENTIFY VARIOUS KINDS OF ETF (ELECTRONIC TOLL +FRAUD) DEVICES AND TO DESCRIBE THEIR OPERATION, ACCORDING TO A BOOKLET PUT OUT +BY BELL ENTITLED: THE INVESTIGATION AND PROSECUTION OF ELECTRONIC TOLL FRAUD +DEVICES. (FOR OFFICIAL USE ONLY). + +THERE ARE SEVERAL DIFFERENT TYPES OF ELECTRONIC EQUIPMENT WHICH MAY BE +GENERALLY CLASSIFIED AS ETF DEVICES. THE MOST SIGNIFICANT IS THE "BLUE BOX". +THE CHARACTERISTICS OF EACH TYPE OF DEVICE ARE DISCUSSED BELOW. + + + +*BLUE BOX* +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + THE "BLUE BOX" WAS SO NAMED BECAUSE OF THE COLOR OF THE FIRST ONE FOUND. THE +DESIGN AND HARDWARE USED IN THE BLUE BOX IS FAIRLY SOPHISTICATED, AND ITS SIZE +VARIES FROM A LARGE PIECE OF APPARATUS TO A MINIATURIZED UNIT THAT IS +APPROXIMATELY THE SIZE OF A "KING SIZE" PACKAGE OF CIGARETTES. THE BLUE BOX +CONTAINS 12 OR 13 BUTTONS OR SWITCHES THAT EMIT MULTI-FREQUENCY TONES +CHARACTERISTIC OF THE TONES USED IN THE NORMAL OPERATION OF THE TELEPHONE TOLL +(LONG DISTANCE) SWITCHING NETWORK. THE BLUE BOX ENABLES ITS USER TO ORIGINATE +FRAUDULENT ("FREE") TOLL CALLS BY CIRCUMVENTING TOLL BILLING EQUIPMENT. THE +BLUE BOX MAY BE DIRECTLY CONNECTED TO A PHONE LINE, OR IT MAY BE ACOUSTICALLY +COUPLED TO A TELEPHONE HANDSET BY PLACING THE BLUE BOX'S SPEAKER NEXT TO THE +TRANSMITTER OR THE TELEPHONE HANDSET. THE OPERATION OF A BLUE BOX WILL BE +DISCUSSED IN MORE DETAIL BELOW. + + TO UNDERSTAND THE NATURE OF A FRAUDULENT BLUE BOX CALL, IT IS NECESSARY TO +UNDERSTAND THE BASIC OPERATION OF THE DIRECT DISTANCE DIALING (DDD) TELEPHONE +NETWORK. WHEN A DDD CALL IS PROPERLY ORIGINATED, THE CALLING NUMBER IS +IDENTIFIED AS AN INTEGRAL PART OF ESTABLISHING THE CONNECTION. THIS MAY BE DONE +EITHER AUTOMATICALLY OR, IN SOME CASES, BY AN OPERATOR ASKING THE CALLING PARTY +FOR HIS TELEPHONE NUMBER. + THIS INFORMATION IS ENTERED ON A TAPE IN THE AUTOMATIC MESSAGE ACCOUNTING +(AMA) OFFICE. THIS TAPE ALSO CONTAINS THE NUMBER ASSIGNED TO THE TRUNK LINE +OVER WHICH THE CALL IS TO BE SENT. THE INFORMATION RELATING TO THE CALL +CONTAINED ON THE TAPE INCLUDES: CALLED NUMBER, CALLING NUMBER, TIME OF CALL. +THE TIME OF DISCONNECT AT THE END OF THE CALL IS ALSO RECORDED. + ALTHOUGH THE TAPE CONTAINS INFO WITH RESPECT TO MANY DIFFERENT CALLS, THE +VARIOUS DATA ENTRIES WITH RESPECT TO A SINGLE CALL ARE EVENTUALLY CORRELATED TO +PROVIDE BILLING INFO FOR USE BY YOUR BELL'S ACCOUNTING DEPARTMENT. + THE TYPICAL BLUE BOX USER USUALLY DIALS A NUMBER THAT WILL ROUTE THE CALL +INTO THE TELEPHONE NETWORK WITHOUT CHARGE. FOR EXAMPLE, THE USER WILL VERY + + Page 17 + + + + + The Official Phreaker's Manual + +OFTEN CALL A WELL-KNOWN INWATS (TOLL-FREE) CUSTOMER'S NUMBER. THE BLUE BOX +USER, AFTER GAINING THIS ACCESS TO THE NETWORK AND, IN EFFECT, "SEIZING" +CONTROL AND COMPLETE DOMINION OVER THE LINE, OPERATES A KEY ON THE BLUE BOX +WHICH EMITS A 2600 HERTZ (CYCLES PER SECOND) TONE. THIS TONE CAUSES THE +SWITCHING EQUIPMENT TO RELEASE THE CONNECTION TO THE INWATS CUSTOMER'S LINE. +THE 2600HZ TONE IS A SIGNAL THAT THE CALLING PARTY HAS HUNG UP. THE BLUE BOX +SIMULATES THIS CONDITION. HOWEVER, IN FACT THE LOCAL TRUNK ON THE CALLING +PARTY'S END IS STILL CONNECTED TO THE TOLL NETWORK. THE BLUE BOX USER NOW +OPERATES THE "KP" (KEY PULSE) KEY ON THE BLUE BOX TO NOTIFY THE TOLL SWITCHING +EQUIPMENT THAT SWITCHING SIGNALS ARE ABOUT TO BE EMITTED. THE USER THEN PUSHES +THE "NUMBER" BUTTONS ON THE BLUE BOX CORRESPONDING TO THE TELEPHONE # BEING +CALLED. AFTER DOING SO HE/SHE OPERATES THE "ST" (START) KEY TO INDICATE TO THE +SWITCHING EQUIPMENT THAT SIGNALLING IS COMPLETE. IF THE CALL IS COMPLETED, ONLY +THE PORTION OF THE ORIGINAL CALL PRIOR TO THE EMISSION OF 2600HZ TONE IS +RECORDED ON THE AMA TAPE. THE TONES EMITTED BY THE BLUE BOX ARE NOT RECORDED ON +THE AMA TAPE. THEREFORE, BECAUSE THE ORIGINAL CALL TO THE INWATS # IS +TOLL-FREE, NO BILLING IS RENDERED IN CONNECTION WITH THE CALL. + ALTHOUGH THE ABOVE IS A DESCRIPTION OF A TYPICAL BLUE BOX OPERATION USING A +COMMON METHOD OF ENTRY INTO THE NETWORK, THE OPERATION OF A BLUE BOX MAY VARY +IN ANY ONE OR ALL OF THE FOLLOWING RESPECTS: + +(A) THE BLUE BOX MAY INCLUDE A ROTARY DIAL TO APPLY THE 2600HZ TONE AND THE +SWITCHING SIGNALS. THIS TYPE OF BLUE BOX IS CALLED A "DIAL PULSER" OR "ROTARY +SF" BLUE BOX. + +(B) ENTRANCE INTO THE DDD TOLL NETWORK MAY BE EFFECTED BY A PRETEXT CALL TO ANY +OTHER TOLL-FREE # SUCH AS UNIVERSAL DIRECTORY ASSISTANCE (555-1212) OR ANY # IN +THE INWATS NETWORK, EITHER INTER-STATE OR INTRA-STATE, WORKING OR NON-WORKING. + +(C) ENTRANCE INTO THE DDD TOLL NETWORK MAY ALSO BE IN THE FORM OF "SHORT HAUL" +CALLING. A "SHORT HAUL" CALL IS A CALL TO ANY # WHICH WILL RESULT IN A LESSER +AMOUNT OF TOLL CHARGES THAN THE CHARGES FOR THE CALL TO BE COMPLETED BY THE +BLUE BOX. FOR EXAMPLE, A CALL TO BIRMINGHAM FROM ATLANTA MAY COST $.80 FOR THE +FIRST 3 MINUTES WHILE A CALL FROM ATLANTA TO LOS ANGELES IS $1.85 FOR 3 +MINUTES. THUS, A SHORT HAUL, 3-MINUTE CALL TO BIRMINGHAM FROM ATLANTA, SWITCHED +BY USE OF A BLUE BOX TO LOS ANGELES, WOULD RESULT IN A NET FRAUD OF $2.65 FOR A +3 MINUTE CALL. + +(D) A BLUE BOX MAY BE WIRED INTO THE TELEPHONE LINE OR ACOUSTICALLY CONNECTED +TO THE HANDSET. THE BLUE BOX MAY EVEN BE BUILT INSIDE A REGULAR TOUCH-TONE +PHONE, USING THE PHONE'S PUSH BUTTONS FOR THE BLUE BOX'S SIGNALLING TONES. + +(E) A MAGNETIC TAPE RECORDING MAY BE USED TO RECORD THE BLUE BOX TONES +REPRESENTATIVE OF SPECIFIC PHONE #'S. SUCH A TAPE RECORDING COULD BE USED IN +LIEU OF +A BLUE BOX TO FRAUDULENTLY PLACE CALLS TO THE PHONE #'S RECORDED ON THE +MAGNETIC TAPE. + + ALL BLUE BOXES, EXCEPT "DIAL PULSE" OR "ROTARY SF" BLUE BOXES, MUST HAVE +THE FOLLOWING 4 COMMON OPERATING CAPABILITIES: + +(A) IT MUST HAVE SIGNALLING CAPABILITY IN THE FORM OF A 2600HZ TONE. THE TONE +IS USED BY THE TOLL NETWORK TO INDICATE, EITHER BY ITS PRESENCE OR ITS ABSENCE, +AN "ON HOOK" (IDLE) OR "OFF HOOK" (BUSY) CONDITION OF THE TRUNK. + +(B) THE BLUE BOX MUST HAVE A "KP" TONES THAT UNLOCKS OR READIES THE +MULTI-FREQUENCY RECEIVER AT THE CALLED END TO RECEIVE THE TONES CORRESPONDING +TO THE CALLED PHONE #. + + Page 18 + + + + + The Official Phreaker's Manual + + +(C) THE TYPICAL BLUE BOX MUST BE ABLE TO EMIT MF TONES WHICH ARE USED TO +TRANSMIT PHONE #'S OVER THE TOLL NETWORK. EACH DIGIT OF A PHONE # IS +REPRESENTED BY A COMBINATION OF 2 TONES. FOR EXAMPLE, THE DIGIT 2 IS X-MITTED +BY A COMBINATION OF 700HZ AND 1100HZ. + +(D) THE BLUE BOX MUST HAVE AN "ST" KEY WHICH CONSISTS OF A COMBINATION OF 2 +TONES THAT TELL THE EQUIPMENT AT THE CALLED END THAT ALL DIGITS HAVE BEEN SENT +AND THAT THE EQUIPMENT SHOULD START SWITCHING THE CALL TO THE CALLED NUMBER. + + THE "DIAL PULSER" OR "ROTARY SF" BLUE BOX REQUIRES ONLY A DIAL WITH A +SIGNALLING CAPABILITY TO PRODUCE A 2600HZ TONE. + +*BLACK BOX* +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + THIS ETF DEVICE IS SO-NAMED BECAUSE OF THE COLOR OF THE FIRST ONE FOUND. +IT VARIES IN SIZE AND USUALLY HAS ONE OR TWO SWITCHES OR BUTTONS. ATTACHED TO +THE TELEPHONE LINE OF A CALLED PARTY, THE BLACK BOX PROVIDES TOLL-FREE CALLING +*TO* THAT PARTY'S LINE. A BLACK BOX USER INFORMS OTHER PERSONS BEFOREHAND THAT +THEY WILL NOT BE CHARGED FOR ANY CALL PLACED TO HIM. THE USER THEN OPERATES THE +DEVICE CAUSING A "NON-CHARGE" CONDITION ("NO ANSWER" OR "DISCONNECT") TO BE +RECORDED ON THE TELEPHONE COMPANY'S BILLING EQUIPMENT. A BLACK BOX IS +RELATIVELY SIMPLE TO CONSTRUCT AND IS MUCH LESS SOPHISTICATED THAN A BLUE BOX. + +*CHEESE BOX* +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + ITS DESIGN MAY BE CRUDE OR VERY SOPHISTICATED. ITS SIZE VARIES; ONE WAS FOUND +THE SIZE OF A HALF-DOLLAR. A CHEESE BOX IS USED MOST OFTEN BY BOOKMAKERS OR +BETTERS TO PLACE WAGERS WITHOUT DETECTION FROM A REMOTE LOCATION. THE DEVICE +INTER-CONNECTS 2 PHONE LINES, EACH HAVING DIFFERENT #'S BUT EACH TERMINATING AT +THE SAME LOCATION. IN EFFECT, THERE ARE 2 PHONES AT THE SAME LOCATION WHICH ARE +LINKED TOGETHER THROUGH A CHEESE BOX. IT IS USUALLY FOUND IN AN UNOCCUPIED +APARTMENT CONNECTED TO A PHONE JACK OR CONNECTING BLOCK. THE BOOKMAKER, AT SOME +REMOTE LOCATION, DIALS ONE OF THE NUMBERS AND STAYS ON THE LINE. VARIOUS +BETTORS DIAL THE OTHER NUMBER BUT ARE AUTOMATICALLY CONNECTED WITH THE +BOOKMAKER BY MEANS OF THE CHEESE BOX INTER-CONNECTION. IF, IN ADDITION TO A +CHEESE BOX, A BLACK BOX IS INCLUDED IN THE ARRANGEMENT, THE COMBINED EQUIPMENT +WOULD PERMIT TOLL-FREE CALLING ON EITHER LINE TO THE OTHER LINE. IF A POLICE +RAID WERE CONDUCTED AT THE TERMINATING POINT OF THE CONVERSATIONS -THE LOCATION +OF THE CHEESE BOX- THERE WOULD BE NO EVIDENCE OF GAMBLING ACTIVITY. THIS DEVICE +IS SOMETIMES DIFFICULT TO IDENTIFY. LAW ENFORCEMENT OFFICIALS HAVE BEEN ADVISED +THAT WHEN UNUSUAL DEVICES ARE FOUND ASSOCIATED WITH TELEPHONE CONNECTIONS THE +PHONE COMPANY SECURITY REPRESENTATIVES SHOULD BE CONTACTED TO ASSIST IN +IDENTIFICATION. (THIS PROBABLY WOULD BE GOOD FOR A BBS , ESPECIALLY WITH THE +BLACK BOX SET UP. AND IF YOU EVER DECIDED TO TAKE THE BOARD DOWN, YOU WOULDN'T +HAVE TO CHANGE YOUR PHONE #. IT ALSO MAKES IT SO YOU YOURSELF CANNOT BE TRACED. +I AM NOT SURE ABOUT CALLING OUT FROM ONE THOUGH) + +*RED BOX* +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + THIS DEVICE IT COUPLED ACOUSTICALLY TO THE HANDSET TRANSMITTER OF A +SINGLE-SLOT COIN TELEPHONE. THE DEVICE EMITS SIGNALS IDENTICAL TO THOSE TONES +EMITTED WHEN COINS ARE DEPOSITED. THUS, LOCAL OR TOLL CALLS MAY BE PLACED +WITHOUT THE ACTUAL DEPOSIT OF COINS. + + + Page 19 + + + + + The Official Phreaker's Manual + + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + /-/ /-/ + /-/ Phreaker's /-/ + /-/ PhunHouse /-/ + /-/ /-/ + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + /-/ By: /-/ + /-/ The Traveler /-/ + /-/ /-/ + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + /-/ /-/ + /-/ Call: /-/ + /-/ Brainstorm BBS /-/ + /-/ 612/345-2815 (300/1200) /-/ + /-/ /-/ + /-/ Little America /-/ + /-/ 507/289-8211 (300) /-/ + /-/ /-/ + /-/ Tell 'em Traveler sent ya /-/ + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + + The long awaited prequil to Phreaker's Guide has finally arrived. Conceived +from the boredom and loneliness that could only be derived from: The Traveler! +But now, he has returned in full strength (after a small vacation) and is here +to 'World Premiere' the new files everywhere. + Stay cool. This is the prequil to the first one, so just relax. This is not +made to be an exclusive ultra elite file, so kinda calm down and watch in the +background if you are too cool for it... + +/-/ Phreak Dictionary /-/ + + Here you will find some of the basic but necessary terms that should be known +by any phreak who wants to be respected at all... + + Phreak [fr'eek]:1. The action of using mischevious and mostly illegal ways +in order to not pay for some sort of telecommunications bill, order, transfer, +or other service. It often involves usage of highly illegal boxes and machines +in order to defeat the security that is set up to avoid this sort of +happening. + [fr'eaking]. v. 2. A person who uses the above methods of destruction and +chaos in order to make a better life for all. A true phreaker will not not go +against his fellows or narc on people who have ragged on him or do anything +termed to be dishonorable to phreaks. + [fr'eek]. n. 3. A certain code or dialup useful in the action of being a +phreak. (Example: "I hacked a new metro phreak last night.") + + Switching System + [Swich'ing sis'tem]: 1. There are 3 main switching systems currently employed +in the US, and a few other systems will be mentioned as background. +A) SxS: This system was invented in 1918 and was employed in over half of the +country until 1978. It is a very basic system that is a general waste of energy +and hard work on the linesman. A good way to identify this is that it requires +a coin in the phone booth before it will give you a dial tone, or that no call +waiting, call forwarding, or any other such service is available. Stands for: +Step by Step + +B) XB: This switching system was first employed in 1978 in order to take care +of most of the faults of SxS switching. Not only is it more efficient, but it + + Page 20 + + + + + The Official Phreaker's Manual + +also can support different services in various forms. XB1 is Crossbar Version +1. That is very limited and is hard to distinguish from SxS except by direct +view of the wiring involved. Next up was XB4, Crossbar Version 4. With this +system, some of the basic things like DTMF that were not available with SxS can +be accomplished. For the final stroke of XB, XB5 was created. This is a service +that can allow DTMF plus most 800 type services (which were not always +available...) Stands for: Crossbar. +C) ESS: A nightmare in telecom. In vivid color, ESS is a pretty bad thing to +have to stand up to. It is quite simple to identify. Dialing 911 for +emergencies, and ANI [see ANI below] are the most common facets of the dread +system. ESS has the capability to list in a person's caller log what number was +called, how long the call took, and even the status of the conversation (modem +or otherwise.) Since ESS has been employed, which has been very recently, it +has gone through many kinds of revisions. The latest system to date is ESS 11a, +that is employed in Washington D.C. for security reasons. ESS is truly trouble +for any phreak, because it is 'smarter' than the other systems. For instance, +if on your caller log they saw 50 calls to 1-800-421-9438, they would be able +to do a CN/A [see Loopholes below] on your number and determine whether you are +subscribed to that service or not. This makes most calls a hazard, because +although 800 numbers appear to be free, they are recorded on your caller log +and then right before you receive your bill it deletes the billings for them. +But before that they are open to inspection, which is one reason why extended +use of any code is dangerous under ESS. Some of the boxes [see Boxing below] +are unable to function in ESS. It is generally a menace to the true phreak. +Stands For: Electronic Switching System. because they could appear on a filter +somewhere or maybe it is just nice to know them any ways. + A) SSS: Strowger Switching System. First non-operator system +available. + B) WES: Western Electronics Switching. Used about 40 years ago +with some minor places out west. + Boxing [Boks'-ing]: 1) The use of personally designed boxes that emit or +cancel electronical impulses that allow simpler acting while phreaking. Through +the use of separate boxes, you can accomplish most feats possible with or +without the control of an operator. + 2) Some boxes and their functions are listed below. Ones +marked with '*' indicate that they are not operatable in ESS. + *Black Box: Makes it seem to the phone company that the phone was never +picked up. + + Blue Box: Emits a 2600hz tone that allows you to do such things as stack +a trunk line, kick the operator off line, and others. + + Red Box: Simulates the noise of a quarter, nickel, or dime being +dropped into a payphone. + + Cheese Box: Turns your home phone into a pay phone to throw off traces (a +red box is usually needed in order to call out.) + + *Clear Box: Gives you a dial tone on some of the old SxS payphones without +putting in a coin. + + Beige Box: A simpler produced linesman's handset that allows you to tap +into phone lines and extract by eavesdropping, or crossing wires, etc. + Purple Box: Makes all calls made out from your house seem to be local +calls. + ANI [ANI]: 1) Automatic Number Identification. A service available on ESS +that allows a phone service [see Dialups below] to record the number that any +certain code was dialed from along with the number that was called and print + + Page 21 + + + + + The Official Phreaker's Manual + +both of these on the customer bill. 950 dialups [see Dialups below] are all +designed just to use ANI. Some of the services do not have the proper equipment +to read the ANI impulses yet, but it is impossible to see which is which +without being busted or not busted first. + Dialups + [dy'l'ups]: 1) Any local or 800 extended outlet that allows instant access to +any service such as MCI, Sprint, or AT&T that from there can be used by +handpicking or using a program to reveal other peoples codes which can then be +used moderately until they find out about it and you must switch to another +code (preferably before they find out about it.) + 2) Dialups are extremely common on both senses. Some dialups +reveal the company that operates them as soon as you hear the tone. Others are +much harder and some you may never be able to identify. A small list of +dialups: + 1-800-421-9438 (5 digit codes) + 1-800-547-6754 (6 digit codes) + 1-800-345-0008 (6 digit codes) + 1-800-734-3478 (6 digit codes) + 1-800-222-2255 (5 digit codes) + 3) Codes: Codes are very easily accessed procedures when you call +a dialup. They will give you some sort of tone. If the tone does not end in 3 +seconds, then punch in the code and immediately following the code, the number +you are dialing but strike the '1' in the beginning out first. If the tone does +end, then punch in the code when the tone ends. Then, it will give you another +tone. Punch in the number you are dialing, or a '9'. If you punch in a '9' and +the tone stops, then you messed up a little. If you punch in a tone and the +tone continues, then simply dial then number you are calling without the '1'. + 4) All codes are not universal. The only type that I know of that +is truly universal is Metrophone. Almost every major city has a local Metro +dialup (for Philadelphia, (215)351-0100/0126) and since the codes are +universal, almost every phreak has used them once or twice. They do not employ +ANI in any outlets that I know of, so feel free to check through your books and +call 555-1212 or, as a more devious manor, subscribe yourself. Then, never use +your own code. That way, if they check up on you due to your caller log, they +can usually find out that you are subscribed. Not only that but you could set a +phreak hacker around that area and just let it hack away, since they usually +group them, and, as a bonus, you will have their local dialup. + 5) 950's. They seem like a perfectly cool phreakers dream. They +are free from your house, from payphones, from everywhere, and they host all of +the major long distance companies (950-1044 , 950-1077 , 950-1088 +, 950-1033 .) Well, they aren't. They were designed for +ANI. That is the point, end of discussion. + + A phreak dictionary. If you remember all of the things contained on that file +up there, you may have a better chance of doing whatever it is you do. This +next section is maybe a little more interesting... + +Blue Box Plans: +--------------- + + These are some blue box plans, but first, be warned, there have been 2600hz +tone detectors out on operator trunk lines since XB4. The idea behind it is to +use a 2600hz tone for a few very naughty functions that can really make your +day lighten up. But first, here are the plans, or the heart of the file: + +============================================== +700 : 1 : 2 : 4 : 7 : 11 : +900 : + : 3 : 5 : 8 : 12 : + + Page 22 + + + + + The Official Phreaker's Manual + +1100 : + : + : 6 : 9 : KP : +1300 : + : + : + : 10 : KP2 : +1500 : + : + : + : + : ST : + : 700 : 900 :1100 :1300 :1500 : +============================================== + + Stop! Before you diehard users start piecing those little tone tidbits +together, there is a simpler method. If you have an Apple-Cat with a program +like Cat's Meow IV, then you can generate the necessary tones, the 2600hz tone, +the KP tone, the KP2 tone, and the ST tone through the dial section. So if you +have that I will assume you can boot it up and it works, and I'll do you the +favor of telling you and the other users what to do with the blue box now that +you have somehow constructed it. + The connection to an operator is one of the most well known and used ways of +having fun with your blue box. You simply dial a TSPS (Traffic Service +Positioning Station, or the operator you get when you dial '0') and blow a +2600hz tone through the line. Watch out! Do not dial this direct! After you +have done that, it is quite simple to have fun with it. Blow a KP tone to start +a call, a ST tone to stop it, and a 2600hz tone to hang up. Once you have +connected to it, here are some fun numbers to call with it: + +0-700-456-1000 Teleconference (free, because you are the operator!) +(Area code)-101 Toll Switching +(Area code)-121 Local Operator (hehe) +(Area code)-131 Information +(Area code)-141 Rate & Route +(Area code)-181 Coin Refund Operator +(Area code)-11511 Conference operator (when you dial 800-544-6363) + + Well, those were the tone matrix controllers for the blue box and some other +helpful stuff to help you to start out with. But those are only the functions +with the operator. There are other k-fun things you can do with it... + More advanced Blue Box Stuff: + Oops. Small mistake up there. I forgot tone lengths. Um, you blow a tone +pair out for up to 1/10 of a second with another 1/10 second for silence +between the digits. KP tones should be sent for 2/10 of a second. One way to +confuse the 2600hz traps is to send pink noise over the channel (for all of you +that have decent BSR equalizers, there is major pink noise in there...) +Using the operator functions is the use of the 'inward' trunk line. That is +working it from the inside. From the 'outward' trunk, you can do such things as +make emergency breakthrough calls, tap into lines, busy all of the lines in any +trunk (called 'stacking'), enable or disable the TSPS's, and for some 4a +systems you can even re-route calls to anywhere. + + All right. The one thing that every complete phreak guide should not be +without is blue box plans, since they were once a vital part of phreaking. +Another thing that every complete file needs is a complete listing of all of +the 800 numbers around so you can have some more fun. + +/-/ 800 Dialup Listings /-/ + +1-800-345-0008 (6) 1-800-547-6754 (6) +1-800-245-4890 (4) 1-800-327-9136 (4) +1-800-526-5305 (8) 1-800-858-9000 (3) +1-800-437-9895 (7) 1-800-245-7508 (5) +1-800-343-1844 (4) 1-800-322-1415 (6) +1-800-437-3478 (6) 1-800-325-7222 (6) + + + Page 23 + + + + + The Official Phreaker's Manual + + All right, set Cat Hacker 1.0 on those numbers and have a fuck of a day. That +is enough with 800 codes, by the time this gets around to you I dunno what +state those codes will be in, but try them all out anyways and see what you +get. On some 800 services now, they have an operator who will answer and ask +you for your code, and then your name. Some will switch back and forth between +voice and tone verification, you can never be quite sure which you will be up +against. + Armed with this knowledge you should be having a pretty good time phreaking +now. But class isn't over yet, there are still a couple important rules that +you should know. If you hear continual clicking on the line, then you should +assume that an operator is messing with something, maybe even listening in on +you. It is a good idea to call someone back when the phone starts doing that. +If you were using a code, use a different code and/or service to call him +back. + A good way to detect if a code has gone bad or not is to listen when the +number has been dialed. If the code is bad you will probably hear the phone +ringing more clearly and more quickly than if you were using a different code. +If someone answers voice to it then you can immediately assume that it is an +operative for whatever company you are using. The famed '311311' code for Metro +is one of those. You would have to be quite stupid to actually respond, because +whoever you ask for the operator will always say 'He's not in right now, can I +have him call you back?' and then they will ask for your name and phone number. +Some of the more sophisticated companies will actually give you a carrier on a +line that is supposed to give you a carrier and then just have garbage flow +across the screen like it would with a bad connection. That is a feeble effort +to make you think that the code is still working and maybe get you to dial +someone's voice... a good test for the carrier trick is to dial a number that +will give you a carrier that you have never dialed with that code before, that +will allow you to determine whether the code is good or not. + For our next section, a lighter look at some of the things that a phreak +should not be without. A vocabulary. A few months ago, it was a quite strange +world for the modem people out there. But now, a phreaker's vocabulary is +essential if you wanna make a good impression on people when you post what you +know about certain subjects. + +/-/ Vocabulary /-/ + + - Do not misspell except certain exceptions: + phone -> fone + freak -> phreak + - Never substitute 'z's for 's's. (i.e. codez -> codes) + - Never leave many characters after a post (i.e. Hey Dudes!#!@#@!#!@) + - NEVER use the 'k' prefix (k-kool, k-rad, k-whatever) + - Do not abbreviate. (I got lotsa wares w/ docs) + - Never substitute '0' for 'o' (r0dent, l0zer). + - Forget about ye old upper case, it looks ruggyish. + + All right, that was to relieve the tension of what is being drilled into your +minds at the moment.. now, however, back to the teaching course. Here are some +things you should know about phones and billings for phones, etc. + + LATA: Local Access Transference Area. Some people who live in large cities or +areas may be plagued by this problem. For instance, let's say you live in the +215 area code under the 542 prefix (Ambler, Fort Washington). If you went to +dial in a basic Metro code from that area, for instance, 351-0100, that might +not be counted under unlimited local calling because it is out of your LATA. +For some LATA's, you have to dial a '1' without the area code before you can +dial the phone number. That could prove a hassle for us all if you didn't + + Page 24 + + + + + The Official Phreaker's Manual + +realize you would be billed for that sort of call. In that way, sometimes, it +is better to be safe than sorry and phreak. + The Caller Log: In ESS regions, for every household around, the phone company +has something on you called a Caller Log. This shows every single number that +you dialed, and things can be arranged so it showed every number that was +calling to you. That's one main disadvantage of ESS, it is mostly computerized +so a number scan could be done like that quite easily. Using a dialup is an +easy way to screw that, and is something worth remembering. Anyways, with the +caller log, they check up and see what you dialed. Hmm... you dialed 15 +different 800 numbers that month. Soon they find that you are subscribed to +none of those companies. But that is not the only thing. Most people would +imagine "But wait! 800 numbers don't show up on my phone bill!". To those +people, it is a nice thought, but 800 numbers are picked up on the caller log +until right before they are sent off to you. So they can check right up on you +before they send it away and can note the fact that you fucked up slightly and +called one too many 800 lines. + +Right now, after all of that, you should have a pretty good idea of how to grow +up as a good phreak. Follow these guidelines, don't show off, and don't take +unnecessary risks when phreaking or hacking. + +File Level:5 + + /-/ Credits /-/ + + To The Videosmith- for setting me straight on some shit. + To The Linesman- for telling me to upload it to his AE line. + To Modern Mutant- for making me into a phreaking freak. + To Jack the Nibbler- for the basis of the blue box plans. + + By using your new k-koool (hehe) phreaking knowledge, call a couple of these +BBS's around the country: + + /---------------------------------\ + | Bulletin Board List | + | --------------------- | + | 215/844-8836 | + | 7 Cities of Gold (3/12) 10megs | + | 307/382-4006 | + | Brainstorm BBS (3/12) | + | 612/345-2815 | + | Metal Shop (3/12) | + | 314/432-0756 | + \---------------------------------/ + + Stay free! And watch out soon for Deep Thought, somewhere in 215, that will be +a nice BBS that Ace of Spades and I will run. You will be the first to find out +about it, trust me... + +Later, + +The Traveler +Zer0-g + + + + + + + Page 25 + + + + + The Official Phreaker's Manual + + ************ << BIOC AGENT 003'S COURSE IN >> ************ + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART I * + * * + ********************************************************** + + +HOW TO BE A REAL PHREAK +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN THE PHONE PHREAK SOCIETY THERE ARE CERTAIN VALUES THAT EXIST IN ORDER TO +BE A TRUE PHREAK, THESE ARE BEST SUMMED UP BY THE MAGICIAN: + + "MANY PEOPLE THINK OF PHONE PHREAKS AS SLIME, OUT TO RIP OFF BELL FOR +ALL SHE IS WORTH. NOTHING COULD BE FURTHER FROM THE TRUTH! GRANTED, THERE ARE +SOME WHO GET THEIR KICKS BY MAKING FREE CALLS; HOWEVER, THEY ARE NOT TRUE PHONE +PHREAKS. REAL PHONE PHREAKS ARE 'TELECOMMUNICATIONS HOBBYISTS' WHO EXPERIMENT, +PLAY WITH AND LEARN FROM THE PHONE SYSTEM. OCCASIONALLY THIS EXPERIMENTING, AND +A NEED TO COMMUNICATE WITH OTHER PHREAKS ( WITH-OUT GOING BROKE), LEADS TO FREE +CALLS. THE FREE CALLS ARE BUT A SMALL SUBSET OF A TRUE PHONE PHREAKS +ACTIVITIES." + +THE PHONE PHREAK'S TEN COMMANDMENTS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +REPRINTED FROM TAP ISSUE #86. (TAP, ROOM 603, 147 W 42 STREET, NEW YORK, NY +10036) SEND A SASE FOR THEIR INFO SHEET AND TELL THEM THAT BIOC AGENT 003 TOLD +YOU ABOUT IT.) + + +I. BOX THOU NOT OVER THINE HOME TELEPHONE WIRES, FOR THOSE WHO DOEST MUST +SURELY BRING THE WRATH OF THE CHIEF SPECIAL AGENT DOWN UPON THY HEADS. + +II. SPEAKEST THOU NOT OF IMPORTANT MATTERS OVER THINE HOME TELEPHONE WIRES, +FOR TO DO SO IS TO RISK THINE RIGHT OF FREEDOM. + +III. USE NOT THINE OWN NAME WHEN SPEAKING TO OTHER PHREAKS, FOR THAT EVERY +THIRD PHREAK IS AN FBI AGENT IS WELL KNOWN. + +IV. LET NOT OVERLY MANY PEOPLE KNOW THAT THY BE A PHREAK, AS TO DO SO IS TO +USE THINE OWN SELF AS A SACRIFICIAL LAMB. + +V. IF THOU BE IN SCHOOL, STRIVE TO GET THIN SELF GOOD GRADES, FOR THE +AUTHORITIES WELL KNOW THAT SCHOLARS NEVER BREAK THE LAW. + +VI. IF THOU WORKEST, TRY TO BE A EMPLOYEE, AND IMPRESSEST THINE BOSS WITH +THINE ENTHUSIASM, FOR IMPORTANT EMPLOYEES ARE OFTEN SAVED BY THEIR OWN BOSSES. + +VII. STOREST THOU NOT THINE STOLEN GOODS IN THINE OWN HOME, FOR THOSE WHO DO +ARE SURELY NON-BELIEVERS IN THE BELL SYSTEM SECURITY FORCES, AND ARE NOT LONG +FOR THIS WORLD. + +VIII. ATTRACTEST THOU NOT THE ATTENTION OF THE AUTHORITIES, AS THE LESS +NOTICEABLE THOU ART, THE BETTER. + + + Page 26 + + + + + The Official Phreaker's Manual + +IX. MAKEST SURE THINE FRIENDS ARE INSTANT AMNESIACS AND WILL NOT REMEMBER +THAT THOU HAVE CALLED ILLEGALLY, FOR THEIR COOPERATION WITH THE AUTHORITIES +WILL SURELY LESSEN THINE TIME FOR FREEDOM ON THIS EARTH. + +X. SUPPORTEST THOU TAP, AS IT IS THINE NEWSLETTER, AND WITHOUT IT, THY WORK +WILL BE FAR MORE LIMITED. + +CN/A NUMBERS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + CUSTOMER NAME & ADDRESS BUREAUS EXIST SO THAT AUTHORIZED BELL EMPLOYEES MAY +OBTAIN THE NAME & ADDRESS OF ANY CUSTOMER IN THE BELL SYSTEM BY GIVING THE CN/A +OPERATOR THE CUSTOMER'S TEL-#. ALL CUSTOMERS ARE MAINTAINED ON FILE INCLUDING +UNLISTED #'S. THESE BUREAUS HAVE MANY USES FOR PHREAKS. + HERE IS HOW AN EMPLOYEE MIGHT GO ABOUT CALLING CN/A: +"HI, THIS IS JOHN DOE FROM THE MIAMI RESIDENTIAL SERVICE CENTER, CAN I HAVE THE +CUSTOMERS NAME AT (123) 555-1212." + + THE EMPLOYEES USUALLY USE THESE FOR CHECKING WHO BELONGS TO A # THAT +SOMEONE CLAIMED THEY DIDN'T CALL.IF YOU SOUND CHEERY AND NATURAL THE OPERATOR +WILL NEVER ASK ANY QUESTIONS. IF YOU DON'T SOUND LIKE A MATURE ADULT, DON'T USE +IT! ALWAYS PRACTICE FIRST & SO YOU DON'T SCREW UP AND MAKE THE OPERATOR +SUSPICIOUS. USE NAME THAT SOUNDS REAL, NOT YOUR PIRATE NAME EITHER! ALSO SAY +THAT YOU ARE FRO A CITY THAT IS FAR AWAY FROM THE ONE THAT YOU ARE CALLING. + + THE CN/A NUMBER FOR THE NY AREA & VICINITY (212, 315, 516, 518, 607, 716, & +914), IS 518/471-8111, AND IS OPEN DURING BUSINESS HOURS. DON'T ABUSE +IT!!!!!!! + +AT&T NEWSLINES +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + AT&T NEWSLINES ARE NUMBERS AT AREA PHONE OFFICES THAT TELCO EMPLOYEES CALL +TO FIND OUT THE LATEST INFO ON NEW TECHNOLOGY, STOCKS, ETC. THE RECORDED +REPORTS RANGE FROM VERY BORING TO VERY INTERESTING. + +HERE ARE A FEW OF THE NUMBERS: + + *(201) 483-3800 NJ (518) 471-2272 NY + (203) 771-4920 CN (717) 255-5555 PA + (212) 393-2151 NY (717) 787-1031 PA + (516) 234-9941 NY *(914) 948-8100 NY + + SOME OF THESE NUMBERS ARE TOLL-FREE, BUT YOU CAN'T ALWAYS COUNT ON IT. + +* THESE NUMBERS ARE NOT ALWAYS UP! + +NUMBERS FROM OTHER AREAS ARE AVAILABLE BY REQUEST FROM F)BIOC L)AGENT 003. + +ANI NUMBERS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + ANI NUMBERS IDENTIFY THE PHONE NUMBER THAT YOU ARE CALLING FROM. IT IS +USEFUL WHEN PLAYING IN CANS (THOSE BIG SILVER BOXES ON TELEPHONE POLES) TO FIND +OUT THE # OF THE LINE. IT IS ALSO GOOD TO FIND OUT THE # OF A PHONE THAT +DOESN'T HAVE IT PRINTED ON IT. IN THE 914 AREA CODE THE ANI # IS 990. IF YOU +JUST HAVE TO DIAL THE LAST 4 DIGITS FOR A LOCAL #, IE CONGERS (268), DIAL +1-990-1111, WHERE 1111 ARE DUMMY DIGITS THERE IS ALSO A LESS USEFUL TYPE OF + + Page 27 + + + + + The Official Phreaker's Manual + +ANI# WHICH WILL IDENTIFY THE AREA CODE & EXCHANGE. IT IS NXX-9901, WHERE 'NXX' +IS THE EXCHANGE. IN THE 212 & 516 AREA CODES THE ANI # IS 958. + +PHREAK NEWSLETTER +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + TAP IS THE "OFFICIAL" PHONE PHREAK NEWSLETTER, AND HAS EXISTED SINCE 1971. +EACH 4 PAGE ISSUE IS CRAMMED FULL OF INFORMATION ON PHONE PHREAKING, COMPUTER +PHREAKING, FREE GAS, FREE ELECTRICITY, FREE POSTAGE, BREAKING & ENTERING INFO, +ETC. IT IS LARGELY PHONE PHREAK ORIENTED, HOWEVER. + + A 10 ISSUE SUBSCRIPTION COSTS $8.00, IF YOU GET A BULK RATE SEALED ENVELOPE +SUBSCRIPTION. I WOULD RECOMMEND THE FIRST CLASS SUBSCRIPTION, WHICH IS $10. + + AS OF THIS WRITING (7-16-83), THE CURRENT ISSUE IS #86, AND ISSUE #50 IS 8 +PAGES INSTEAD OF THE USUAL 4. BACK ISSUES ARE $0.75 EACH, AND ISSUE #50 IS +$1.50. A BRIEF INDEX TO THE FIRST 80 ISSUES IS AVAILABLE FOR A SASE, OR FREE +WITH A SUBSCRIPTION ORDER. TAP IS NON-PROFIT, AND IN DESPERATE NEED OF MATERIAL +(ARTICLES), MONEY, AND VOLUNTEERS. + +TAP +ROOM 603 +147 WEST 42ND STREET +NEW YORK, NY 10036 + +BELIEVE ME: IT WILL BE THE BEST $10 YOU WILL EVER SPEND... + +BLACK BOX +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THE BLACK BOX IS A DEVICE THAT ATTACHED TO A CALLED PARTIES PHONE +THAT ALLOWS HIM/HER TO RECEIVE FREE LONG DISTANCE CALLS FROM FRIENDS WHO +CALL. + + YOU ONLY NEED 2 PARTS: A SPST TOGGLE SWITCH AND A 10,000 OHM (10 K), +1/2 WATT, 10% RESISTOR. ANY ELECTRONICS PLACE SHOULD HAVE THESE. + + NOW, CUT TWO PIECES OF WIRE, ABOUT 6 INCHES, AND ATTACH THESE TO THE TWO +SCREWS ON THE SWITCH. TURN YOUR NORMAL DDSIDE DOWN AND UNSCREW THE 2 SCREWS. +LOCATE THE "F" AND "RR" SCREWS ON THE NETWORK BOX. WRAP THE RESISTOR BETWEEN +THESE 2 SCREWS AND MAKE SURE THAT THE WIRES TOUCH ONLY THE PROPER TERMINALS! +NOW CONNECT ONE WIRE FROM THE SWITCH TO THE RR TERMINAL. FINALLY, ATTACH THE +REMAINING WIRE TO THE GREEN WIRE (DISCONNECT IT FROM ITS TERMINAL). NOW BRING +THE SWITCH OUT THE REAR OF THE PHONE AND CLOSE IT UP. PUT THE SWITCH IN A +POSITION WHERE YOU GET A DIAL TONE, MARK THIS NORMAL. MARK THE OTHER SIDE +FREE. + + WHEN YOUR FRIENDS CALL (AT A PREARRANGED TIME), QUICKLY LIFT & DROP THE +RECEIVER AS FAST AS POSSIBLE. THIS WILL STOP THE RINGING, IF NOT TRY AGAIN. IT +IS VERY IMPORTANT THAT YOU DO IT FAST! NOW PUT THE SWITCH IN THE FREE POSITION +AND PICK UP THE PHONE. KEEP ALL CALLS SHORT & UNDER 15 MINUTES. + + WHEN SOMEONE CALLS YOU LONG-DISTANCE, THEY ARE BILLED FROM THE MOMENT YOU +ANSWER. THE TELCO KNOWS WHEN YOU ANSWER DUE TO A CERTAIN AMOUNT OF VOLTAGE THAT +FLOWS WHEN YOU PICK UP THE PHONE. HOWEVER, THE RESISTOR CUTS DOWN ON THE +VOLTAGE SO IT IS BELOW THE BILLING RANGE BUT SUFFICIENT ENOUGH TO OPERATE THE +MOUTHPIECE. ANSWERING THE PHONE FOR A FRACTION OF A SECOND STOPS THE RING BUT +IT IS NOT ENOUGH FOR BILLING TO START. IF THE PHONE IS ANSWERED FOR EVEN ONE + + Page 28 + + + + + The Official Phreaker's Manual + +FULL SECOND, BILLING WILL START AND YOU WILL BE CUT OFF WHEN YOU HANG UP AND +SWITCH TO FREE. + +WARNING: BELL CAN RANDOMLY LOOK FOR BLACK BOXES SO BE CAREFUL! + + _____________________________________ +| | +---BLUE WIRE-->>F< | +| | | | +--WHITE WIRE---/ | | +| | | +| RESISTOR | +| | | +| | | +| >RR<-------SWITCH--\ | +| | | +----GREEN WIRE--------------------/ | +| | +|_____________________________________| + +DIAL LOCKS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + HAVE YOU EVER BEEN IN AN OFFICE OR SOMEWHERE AND WANTED TO MAKE A FREE FONE +CALL BUT SOME ASSHOLE PUT A LOCK ON THE FONE TO PREVENT OUT-GOING CALLS? FRET +NO MORE PHELLOW PHREAKS, FOR EVERY SYSTEM CAN BE BEATEN WITH A LITTLE +KNOWLEDGE! + + THERE ARE TWO WAYS TO BEAT THIS OBSTACLE, FIRST PICK THE LOCK, I DON'T HAVE +THE TIME TO TEACH LOCKSMITHING SO WE GO TO THE SECOND METHOD WHICH TAKES +ADVANTAGE OF TELEPHONE ELECTRONICS. + + TO BE AS SIMPLE AS POSSIBLE, WHEN YOU PICK UP THE FONE YOU COMPLETE A +CIRCUIT KNOW AS A LOCAL LOOP. WHEN YOU HANG-UP YOU BREAK THE CIRCUIT. WHEN +YOU DIAL (PULSE) IT ALSO BREAKS THE CIRCUIT BUT NOT LONG ENOUGH TO HANG UP! SO +YOU CAN "PUSH-DIAL." TO DO THIS YOU >>> RAPIDLY <<< DEPRESS THE SWITCHHOOK. +FOR EXAMPLE, TO DIAL AN OPERATOR (AND THEN GIVE HER THE NUMBER YOU WANT CALLED) +>>> RAPIDLY <<< & >>> EVENLY <<< DEPRESS THE SWITCHHOOK 10 TIMES. TO DIAL +634-1268, DEPRESS 6 X'S PAUSE, THEN 3 X'S, PAUSE, THEN 4X'S, ETC. IT TAKES A +LITTLE PRACTICE BUT YOU'LL GET THE HANG OF IT. TRY PRACTICING WITH YOUR OWN # +SO YOU'LL GET A BUSY TONE WHEN RIGHT. IT'LL ALSO WORK ON TOUCH-TONE(TM) SINCE +A DTMF LINE WILL ALSO ACCEPT PULSE. ALSO, NEVER DEPRESS THE SWITCHHOOK FOR +MORE THAN A SECOND OR IT'LL HANG-UP! + + FINALLY, REMEMBER THAT YOU HAVE JUST AS MUCH RIGHT TO THAT FONE AS THE +ASSHOLE WHO PUT THE LOCK ON IT! + +EXCHANGE SCANNING +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + ALMOST EVERY EXCHANGE IN THE BELL SYSTEM HAS TEST #'S AND OTHER "GOODIES" +SUCH AS LOOPS WITH DIAL-UPS. THESE "GOODIES" ARE USUALLY FOUND BETWEEN 9900 AND +9999 IN YOUR LOCAL EXCHANGE. IF YOU HAVE THE TIME AND INITIATIVE, SCAN YOUR +EXCHANGE AND YOU MAY BECOME LUCKY! + +HERE ARE MY FINDINGS IN THE 914-268 EXCHANGE: + + + + Page 29 + + + + + The Official Phreaker's Manual + +9900 - ANI (SEE SEPARATE BULLETIN) +9901 - ANI (SEE SEPARATE BULLETIN) +9927 - OSC. TONE (POSSIBLE TONE SIDE OF A LOOP) +9936 - VOICE # TO THE TELCO CENTRAL OFFICE +9937 - VOICE # TO THE TELCO CENTRAL OFFICE +9941 - COMPUTER (DIGITAL VOICE TRANSMISSION?) +9960 - OSC. TONE (TONE SIDE LOOP) MAY ALSO BE A COMPUTER IN SOME EXCHANGES +9961 - NO RESPONSE (OTHER END OF LOOP?) +9962 - NO RESPONSE (OTHER END OF LOOP?) +9963 - NO RESPONSE (OTHER END OF LOOP?) +9966 - COMPUTER (SEE 9941) +9968 - TONE THAT DISAPPEARS--RESPONDS TO CERTAIN TOUCH-TONE KEYS + + MOST OF THE NUMBERS BETWEEN 9900 & 9999 WILL RING OR GO TO A "WHAT #, +PLEASE?" OPERATOR. + +HAVE PHUN AND REMEMBER IT'S ONLY A LOCAL CALL! + +TOUCH-TONE & FREE CALLS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +THERE ARE SEVERAL WAYS TO MAKE FREE CALLS (SPRINT, MCI, ETC.) USING A ROTARY +PHONE. THEY ARE: + +1. USE A NUMBER THAT ACCEPTS VOICE AS WELL AS DTMF. SUCH A # IS (800) +521-8400. AS OF WRITING THIS, A CODE WAS 00717865. + + A) IF USING VOICE, WAIT FOR THE COMPUTER TO SAY, "AUTHORIZATION #, PLEASE." +THEN SAY EACH DIGIT SLOWLY, IT WILL BEEP AFTER EACH DIGIT IS SAID. AFTER EVERY +GROUP OF DIGITS, IT WILL REPEAT WHAT YOU HAVE SAID, THEN SAY YES IF IT IS +CORRECT, OTHERWISE SAY NO. IF THE ACCESS CODE IS CORRECT, IT WILL THANK YOU AND +ASK FOR THE DESTINATION #, THEN SAY THE AREA CODE + NUMBER AS ABOVE. ANOTHER +SUCH # IS (800) 245-8173, WHICH HAS A 6 DIGIT ACCESS CODE. (NOTE: IF USING +TOUCH-TONE ON THIS #, ENTER THE CODE IMMEDIATELY AFTER THE TONE STOPS.) + +2. HOOK UP A TOUCH-TONE FONE INTO YOUR ROTARY FONE. ATTACH THE RED WIRE FROM +THE TOUCH-TONE FONE TO THE "R" TERMINAL INSIDE THE FONE ON THE NETWORK BOX. +THEN HOOK THE GREEN WIRE TO THE "B" TERMINAL. TO USE THIS DIAL THE # USING +ROTARY & THEN USE THE TOUCH-TONE FOR THE CODES. (DON'T HANG UP THE ROTARY FONE +WHILE DOING THIS THOUGH!) IF THIS DOESN'T WORK THEN REVERSE THE 2 WIRES. +(NOTE:IF YOUR LINE CAN ACCEPT TOUCH-TONE BUT YOU HAVE A ROTARY FONE THEN YOU +CAN HOOK UP A TONE FONE DIRECTLY FOR ALL CALLS BUT THIS USUALLY ISN'T THE +CASE.) SUCH AS RADIO SHACK'S 43-138. + +OTHER ALTERNATIVES +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +4. USE A CHARGE-A-CALL FONE. (THESE ALSO MAKE GREAT EXTENSIONS IF YOU REMOVE +IT USING A HEX WRENCH WITH A HOLE IN THE MIDDLE ON THE CENTER SCREW!)--(THESE +FONES, FOR THE BENEFIT OF THOSE WHO DON'T KNOW, ARE BLUE WITH NO COIN SLOTS). + +5. USE A PAY FONE THAT WANTS YOUR MONEY BEFORE THE DIAL TONE. PUT IN YOUR +DIME, DIAL THE #; IF IT'S AN 800 # THEN YOUR DIME WILL COME BACK, IMMEDIATELY +PUT A DIME BACK IN (IT'LL COME BACK WHEN YOU HANG UP!) IF IT IS A TONE FIRST +FONE AND IT DISCONNECTS THE KEYPAD (SOME DON'T) THEN FIND ANOTHER FONE. + + + + + Page 30 + + + + + The Official Phreaker's Manual + + Chapter 2 + + Well now we know a little vocabulary, and now its into history, Phreak +history. Back at MIT in 1964 arrived a student by the name of Stewart Nelson, +who was extremely interested in the telephone. Before entering MIT, he had +built autodialers, cheese boxes, and many more gadgets. But when he came to +MIT he became even more interested in "fone-hacking" as they called it. After +a little while he naturally started using the PDP-1, the schools computer at +that time, and from there he decided that it would be interesting to see +whether the computer could generate the frequencies required for blue boxing. +The hackers at MIT were not interested in ripping off Ma Bell, but just +exploring the telephone network. Stew (as he was called) wrote a program to +generate all the tones and set off into the vast network. + Now there were more people phreaking than the ones at MIT. Most people have +heard of Captain Crunch (No not the cereal), he also discovered how to take +rides through the fone system, with the aid of a small whistle found in a +cereal box (can we guess which one?). By blowing this whistle, he generated +the magical 2600hz and into the mouthpiece it sailed, giving him complete +control over the system. I have heard rumors that at one time he made about +1/4 of the calls coming out of San Francisco. He got famous fast. He made the +cover of people magazine and was interviewed several times (as you'll soon +see). Well he finally got caught after a long adventurous career. After he +was caught he was put in jail and was beaten up quite badly because he would +not teach other inmates how to box calls. After getting out, he joined Apple +computer and is still out there somewhere. + Then there was Joe the Whistler, blind form the day he was born. He could +whistle a perfect 2600hz tone. It was rumored phreaks used to call him to tune +their boxes. + Well that was up to about 1970, then from 1970 to 1979, phreaking was mainly +done by college students, businessmen and anyone who knew enough about +electronics and the fone company to make a 555 Ic to generate those magic +tones. Businessmen and a few college students mainly just blue box to get free +calls. The others were still there, exploring 800#'s and the new ESS systems. +ESS posed a big problem for phreaks then and even a bigger one now. ESS was +not widespread, but where it was, blue boxing was next to impossible except for +the most experienced phreak. Today ESS is installed in almost all major cities +and blue boxing is getting harder and harder. + 1978 marked a change in phreaking, the Apple ][, now a computer that was +affordable, could be programmed, and could save all that precious work on a +cassette. Then just a short while later came the Apple Cat modem. With this +modem, generating all blue box tones was easy as writing a program to count +form one to ten (a little exaggerated). Pretty soon programs that could +imitate an operator just as good as the real thing were hitting the community, +TSPS and Cat's Meow, are the standard now and are the best. + 1982-1986: LD services were starting to appear in mass numbers. People now +had programs to hack LD services, telephone exchanges, and even passwords. By +now many phreaks were getting extremely good and BBS's started to spring up +everywhere, each having many documentations on phreaking for the novice. Then +it happened, the movie War Games was released and mass numbers of sixth grade +to all ages flocked to see it. The problem wasn't that the movie was bad, it +was that now EVERYONE wanted to be a hacker/phreak. Novices came out in such +mass numbers, that bulletin boards started to be busy 24 hours a day. To this +day, they still have not recovered. Other problems started to occur, novices +guessed easy passwords on large government computers and started to play +around... Well it wasn't long before they were caught, I think that many +people remember the 414-hackers. They were so stupid as to say "yes" when the +computer asked them whether they'd like to play games. Well at least it takes +the heat off the real phreaks/hacker/krackers. + + Page 31 + + + + + The Official Phreaker's Manual + + After a little history, how about a little thrill? I don't know if this +story is true but it sure is as bad as shit! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 32 + + + + + The Official Phreaker's Manual + + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + * * + * +----------------------------------------------+ * + * * + * Secrets of the Little Blue Box * + * * + * by Ron Rosenbaum * + * Typed by One Farad Cap/AAG * + * * + * -A story so incredible it may even make you * + * feel sorry for the phone company- * + * * + * (First of four files) * + * * + * +----------------------------------------------+ * + * * + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + +Dudes... These four files contain the story, "Secrets of the Little Blue Box", +by Ron Rosenbaum. + +-A story so incredible it may even make you feel sorry for the phone company- + +Printed in the October 1971 issue of Esquire Magazine. If you happen to be in +a library and come across a collection of Esquire magazines, the October 1971 +issue is the first issue printed in the smaller format. The story begins on +page 116 with a picture of a blue box. + --One Farad Cap, Atlantic Anarchist Guild + + +The Blue Box Is Introduced: Its Qualities Are Remarked + +I am in the expensively furnished living room of Al Gilbertson (His real name +has been changed.), the creator of the "blue box." Gilbertson is holding one of +his shiny black-and-silver "blue boxes" comfortably in the palm of his hand, +pointing out the thirteen little red push buttons sticking up from the console. +He is dancing his fingers over the buttons, tapping out discordant beeping +electronic jingles. He is trying to explain to me how his little blue box does +nothing less than place the entire telephone system of the world, satellites, +cables and all, at the service of the blue-box operator, free of charge. + +"That's what it does. Essentially it gives you the power of a super operator. +You seize a tandem with this top button," he presses the top button with his +index finger and the blue box emits a high-pitched cheep, "and like that" -- +cheep goes the blue box again -- "you control the phone company's long-distance +switching systems from your cute little Princes phone or any old pay phone. +And you've got anonymity. An operator has to operate from a definite location: +the phone company knows where she is and what she's doing. But with your +beeper box, once you hop onto a trunk, say from a Holiday Inn 800 (toll-free) +number, they don't know where you are, or where you're coming from, they don't +know how you slipped into their lines and popped up in that 800 number. They +don't even know anything illegal is going on. And you can obscure your origins +through as many levels as you like. You can call next door by way of White +Plains, then over to Liverpool by cable, and then back here by satellite. You +can call yourself from one pay phone all the way around the world to a pay +phone next to you. And you get your dime back too." + +"And they can't trace the calls? They can't charge you?" + + Page 33 + + + + + The Official Phreaker's Manual + + +"Not if you do it the right way. But you'll find that the free-call thing +isn't really as exciting at first as the feeling of power you get from having +one of these babies in your hand. I've watched people when they first get hold +of one of these things and start using it, and discover they can make +connections, set up crisscross and zigzag switching patterns back and forth +across the world. They hardly talk to the people they finally reach. They say +hello and start thinking of what kind of call to make next. They go a little +crazy." He looks down at the neat little package in his palm. His fingers are +still dancing, tapping out beeper patterns. + +"I think it's something to do with how small my models are. There are lots of +blue boxes around, but mine are the smallest and most sophisticated +electronically. I wish I could show you the prototype we made for our big +syndicate order." + +He sighs. "We had this order for a thousand beeper boxes from a syndicate +front man in Las Vegas. They use them to place bets coast to coast, keep lines +open for hours, all of which can get expensive if you have to pay. The deal +was a thousand blue boxes for $300 apiece. Before then we retailed them for +$1500 apiece, but $300,000 in one lump was hard to turn down. We had a +manufacturing deal worked out in the Philippines. Everything ready to go. +Anyway, the model I had ready for limited mass production was small enough to +fit inside a flip-top Marlboro box. It had flush touch panels for a keyboard, +rather than these unsightly buttons, sticking out. Looked just like a tiny +portable radio. In fact, I had designed it with a tiny transistor receiver to +get one AM channel, so in case the law became suspicious the owner could switch +on the radio part, start snapping his fingers, and no one could tell anything +illegal was going on. I thought of everything for this model -- I had it lined +with a band of thermite which could be ignited by radio signal from a tiny +button transmitter on your belt, so it could be burned to ashes instantly in +case of a bust. It was beautiful. A beautiful little machine. You should +have seen the faces on these syndicate guys when they came back after trying it +out. They'd hold it in their palm like they never wanted to let it go, and +they'd say, 'I can't believe it. I can't believe it.' You probably won't +believe it until you try it." + +The Blue Box Is Tested: Certain Connections Are Made + +About eleven o'clock two nights later Fraser Lucey has a blue box in the palm +of his left hand and a phone in the palm of his right. He is standing inside a +phone booth next to an isolated shut-down motel off Highway 1. I am standing +outside the phone booth. + +Fraser likes to show off his blue box for people. Until a few weeks ago when +Pacific Telephone made a few arrests in his city, Fraser Lucey liked to bring +his blue box (This particular blue box, like most blue boxes, is not blue. +Blue boxes have come to be called "blue boxes" either because 1) The first blue +box ever confiscated by phone-company security men happened to be blue, or 2) +To distinguish them from "black boxes." Black boxes are devices, usually a +resistor in series, which, when attached to home phones, allow all incoming +calls to be made without charge to one's caller.) to parties. It never failed: +a few cheeps from his device and Fraser became the center of attention at the +very hippest of gatherings, playing phone tricks and doing request numbers for +hours. He began to take orders for his manufacturer in Mexico. He became a +dealer. + +Fraser is cautious now about where he shows off his blue box. But he never + + Page 34 + + + + + The Official Phreaker's Manual + +gets tired of playing with it. "It's like the first time every time," he tells +me. + +Fraser puts a dime in the slot. He listens for a tone and holds the receiver +up to my ear. I hear the tone. Fraser begins describing, with a certain +practiced air, what he does while he does it. "I'm dialing an 800 number now. +Any 800 number will do. It's toll free. Tonight I think I'll use the ----- (he +names a well-know rent-a-car company) 800 number. Listen, It's ringing. Here, +you hear it? Now watch." He places the blue box over the mouthpiece of the +phone so that the one silver and twelve black push buttons are facing up toward +me. He presses the silver button -- the one at the top -- and I hear that +high-pitched beep. "That's 2600 cycles per second to be exact," says Lucey. +"Now, quick. listen." He shoves the earpiece at me. The ringing has vanished. +The line gives a slight hiccough, there is a sharp buzz, and then nothing but +soft white noise. + +"We're home free now," Lucey tells me, taking back the phone and applying the +blue box to its mouthpiece once again. "We're up on a tandem, into a +long-lines trunk. Once you're up on a tandem, you can send yourself anywhere +you want to go." He decides to check out London first. He chooses a certain +pay phone located in Waterloo Station. This particular pay phone is popular +with the phone-phreaks network because there are usually people walking by at +all hours who will pick it up and talk for a while. + +He presses the lower left-hand corner button which is marked "KP" on the face +of the box. "That's Key Pulse. It tells the tandem we're ready to give it +instructions. First I'll punch out KP 182 START, which will slide us into the +overseas sender in White Plains." I hear a neat clunk-cheep. "I think we'll +head over to England by satellite. Cable is actually faster and the connection +is somewhat better, but I like going by satellite. So I just punch out KP Zero +44. The Zero is supposed to guarantee a satellite connection and 44 is the +country code for England. Okay... we're there. In Liverpool actually. Now +all I have to do is punch out the London area code which is 1, and dial up the +pay phone. Here, listen, I've got a ring now." + +I hear the soft quick purr-purr of a London ring. Then someone picks up the +phone. + +"Hello," says the London voice. + +"Hello. Who's this?" Fraser asks. + +"Hello. There's actually nobody here. I just picked this up while I was +passing by. This is a public phone. There's no one here to answer actually." + +"Hello. Don't hang up. I'm calling from the United States." + +"Oh. What is the purpose of the call? This is a public phone you know." + +"Oh. You know. To check out, uh, to find out what's going on in London. How +is it there?" + +"Its five o'clock in the morning. It's raining now." + +"Oh. Who are you?" + +The London passerby turns out to be an R.A.F. enlistee on his way back to the +base in Lincolnshire, with a terrible hangover after a thirty-six-hour pass. + + Page 35 + + + + + The Official Phreaker's Manual + +He and Fraser talk about the rain. They agree that it's nicer when it's not +raining. They say good-bye and Fraser hangs up. His dime returns with a nice +clink. + +"Isn't that far out," he says grinning at me. "London, like that." + +Fraser squeezes the little blue box affectionately in his palm. "I told ya +this thing is for real. Listen, if you don't mind I'm gonna try this girl I +know in Paris. I usually give her a call around this time. It freaks her out. +This time I'll use the ------ (a different rent-a-car company) 800 number and +we'll go by overseas cable, 133; 33 is the country code for France, the 1 sends +you by cable. Okay, here we go.... Oh damn. Busy. Who could she be talking +to at this time?" + +A state police car cruises slowly by the motel. The car does not stop, but +Fraser gets nervous. We hop back into his car and drive ten miles in the +opposite direction until we reach a Texaco station locked up for the night. We +pull up to a phone booth by the tire pump. Fraser dashes inside and tries the +Paris number. It is busy again. + +"I don't understand who she could be talking to. The circuits may be busy. +It's too bad I haven't learned how to tap into lines overseas with this thing +yet." + +Fraser begins to phreak around, as the phone phreaks say. He dials a leading +nationwide charge card's 800 number and punches out the tones that bring him +the time recording in Sydney, Australia. He beeps up the weather recording in +Rome, in Italian of course. He calls a friend in Boston and talks about a +certain over-the-counter stock they are into heavily. He finds the Paris +number busy again. He calls up "Dial a Disc" in London, and we listen to +Double Barrel by David and Ansil Collins, the number-one hit of the week in +London. He calls up a dealer of another sort and talks in code. He calls up +Joe Engressia, the original blind phone-phreak genius, and pays his respects. +There are other calls. Finally Fraser gets through to his young lady in +Paris. + +They both agree the circuits must have been busy, and criticize the Paris +telephone system. At two-thirty in the morning Fraser hangs up, pockets his +dime, and drives off, steering with one hand, holding what he calls his "lovely +little blue box" in the other. + +You Can Call Long Distance For Less Than You Think + +"You see, a few years ago the phone company made one big mistake," Gilbertson +explains two days later in his apartment. "They were careless enough to let +some technical journal publish the actual frequencies used to create all their +multi-frequency tones. Just a theoretical article some Bell Telephone +Laboratories engineer was doing about switching theory, and he listed the tones +in passing. At ----- (a well-known technical school) I had been fooling around +with phones for several years before I came across a copy of the journal in the +engineering library. I ran back to the lab and it took maybe twelve hours from +the time I saw that article to put together the first working blue box. It was +bigger and clumsier than this little baby, but it worked." + +It's all there on public record in that technical journal written mainly by +Bell Lab people for other telephone engineers. Or at least it was public. +"Just try and get a copy of that issue at some engineering-school library now. +Bell has had them all red-tagged and withdrawn from circulation," Gilbertson + + Page 36 + + + + + The Official Phreaker's Manual + +tells me. + +"But it's too late. It's all public now. And once they became public the +technology needed to create your own beeper device is within the range of any +twelve-year-old kid, any twelve-year-old blind kid as a matter of fact. And he +can do it in less than the twelve hours it took us. Blind kids do it all the +time. They can't build anything as precise and compact as my beeper box, but +theirs can do anything mine can do." + +"How?" + +"Okay. About twenty years ago A.T.&T. made a multi-billion-dollar decision to +operate its entire long-distance switching system on twelve electronically +generated combinations of twelve master tones. Those are the tones you +sometimes hear in the background after you've dialed a long-distance number. +They decided to use some very simple tones -- the tone for each number is just +two fixed single-frequency tones played simultaneously to create a certain beat +frequency. Like 1300 cycles per second and 900 cycles per second played +together give you the tone for digit 5. Now, what some of these phone phreaks +have done is get themselves access to an electric organ. Any cheap family +home-entertainment organ. Since the frequencies are public knowledge now -- +one blind phone phreak has even had them recorded in one of the talking books +for the blind -- they just have to find the musical notes on the organ which +correspond to the phone tones. Then they tape them. For instance, to get Ma +Bell's tone for the number 1, you press down organ keys F~5 and A~5 (900 and +700 cycles per second) at the same time. To produce the tone for 2 it's F~5 +and C~6 (1100 and 700 c.p.s). The phone phreaks circulate the whole list of +notes so there's no trial and error anymore." + +He shows me a list of the rest of the phone numbers and the two electric organ +keys that produce them. + +"Actually, you have to record these notes at 3 3/4 inches-per-second tape speed +and double it to 7 1/2 inches-per-second when you play them back, to get the +proper tones," he adds. + +"So once you have all the tones recorded, how do you plug them into the phone +system?" + +"Well, they take their organ and their cassette recorder, and start banging out +entire phone numbers in tones on the organ, including country codes, routing +instructions, 'KP' and 'Start' tones. Or, if they don't have an organ, someone +in the phone-phreak network sends them a cassette with all the tones recorded, +with a voice saying 'Number one,' then you have the tone, 'Number two,' then +the tone and so on. So with two cassette recorders they can put together a +series of phone numbers by switching back and forth from number to number. Any +idiot in the country with a cheap cassette recorder can make all the free calls +he wants." + +"You mean you just hold the cassette recorder up the mouthpiece and switch in a +series of beeps you've recorded? The phone thinks that anything that makes +these tones must be its own equipment?" + +"Right. As long as you get the frequency within thirty cycles per second of +the phone company's tones, the phone equipment thinks it hears its own voice +talking to it. The original granddaddy phone phreak was this blind kid with +perfect pitch, Joe Engressia, who used to whistle into the phone. An operator +could tell the difference between his whistle and the phone company's + + Page 37 + + + + + The Official Phreaker's Manual + +electronic tone generator, but the phone company's switching circuit can't tell +them apart. The bigger the phone company gets and the further away from human +operators it gets, the more vulnerable it becomes to all sorts of phone +phreaking." + +A Guide for the Perplexed + +"But wait a minute," I stop Gilbertson. "If everything you do sounds like +phone-company equipment, why doesn't the phone company charge you for the call +the way it charges its own equipment?" + +"Okay. That's where the 2600-cycle tone comes in. I better start from the +beginning." + +The beginning he describes for me is a vision of the phone system of the +continent as thousands of webs, of long-line trunks radiating from each of the +hundreds of toll switching offices to the other toll switching offices. Each +toll switching office is a hive compacted of thousands of long-distance tandems +constantly whistling and beeping to tandems in far-off toll switching offices. + +The tandem is the key to the whole system. Each tandem is a line with some +relays with the capability of signalling any other tandem in any other toll +switching office on the continent, either directly one-to-one or by programming +a roundabout route through several other tandems if all the direct routes are +busy. For instance, if you want to call from New York to Los Angeles and +traffic is heavy on all direct trunks between the two cities, your tandem in +New York is programmed to try the next best route, which may send you down to a +tandem in New Orleans, then up to San Francisco, or down to a New Orleans +tandem, back to an Atlanta tandem, over to an Albuquerque tandem and finally up +to Los Angeles. + +When a tandem is not being used, when it's sitting there waiting for someone to +make a long-distance call, it whistles. One side of the tandem, the side +"facing" your home phone, whistles at 2600 cycles per second toward all the +home phones serviced by the exchange, telling them it is at their service, +should they be interested in making a long-distance call. The other side of +the tandem is whistling 2600 c.p.s. into one or more long-distance trunk lines, +telling the rest of the phone system that it is neither sending nor receiving a +call through that trunk at the moment, that it has no use for that trunk at the +moment. + +"When you dial a long-distance number the first thing that happens is that you +are hooked into a tandem. A register comes up to the side of the tandem facing +away from you and presents that side with the number you dialed. This sending +side of the tandem stops whistling 2600 into its trunk line. When a tandem +stops the 2600 tone it has been sending through a trunk, the trunk is said to +be "seized," and is now ready to carry the number you have dialed -- converted +into multi-frequency beep tones -- to a tandem in the area code and central +office you want. + +Now when a blue-box operator wants to make a call from New Orleans to New York +he starts by dialing the 800 number of a company which might happen to have its +headquarters in Los Angeles. The sending side of the New Orleans tandem stops +sending 2600 out over the trunk to the central office in Los Angeles, thereby +seizing the trunk. Your New Orleans tandem begins sending beep tones to a +tandem it has discovered idly whistling 2600 cycles in Los Angeles. The +receiving end of that L.A. tandem is seized, stops whistling 2600, listens to +the beep tones which tell it which L.A. phone to ring, and starts ringing the + + Page 38 + + + + + The Official Phreaker's Manual + +800 number. Meanwhile a mark made in the New Orleans office accounting tape +notes that a call from your New Orleans phone to the 800 number in L.A. has +been initiated and gives the call a code number. Everything is routine so far. + +But then the phone phreak presses his blue box to the mouthpiece and pushes the +2600-cycle button, sending 2600 out from the New Orleans tandem to the L.A. +tandem. The L.A. tandem notices 2600 cycles are coming over the line again and +assumes that New Orleans has hung up because the trunk is whistling as if idle. +The L.A. tandem immediately ceases ringing the L.A. 800 number. But as soon as +the phreak takes his finger off the 2600 button, the L.A. tandem assumes the +trunk is once again being used because the 2600 is gone, so it listens for a +new series of digit tones - to find out where it must send the call. + +Thus the blue-box operator in New Orleans now is in touch with a tandem in L.A. +which is waiting like an obedient genie to be told what to do next. The +blue-box owner then beeps out the ten digits of the New York number which tell +the L.A. tandem to relay a call to New York City. Which it promptly does. As +soon as your party picks up the phone in New York, the side of the New Orleans +tandem facing you stops sending 2600 cycles to you and stars carrying his voice +to you by way of the L.A. tandem. A notation is made on the accounting tape +that the connection has been made on the 800 call which had been initiated and +noted earlier. When you stop talking to New York a notation is made that the +800 call has ended. + +At three the next morning, when the phone company's accounting computer starts +reading back over the master accounting tape for the past day, it records that +a call of a certain length of time was made from your New Orleans home to an +L.A. 800 number and, of course, the accounting computer has been trained to +ignore those toll-free 800 calls when compiling your monthly bill. + +"All they can prove is that you made an 800 toll-free call," Gilbertson the +inventor concludes. "Of course, if you're foolish enough to talk for two hours +on an 800 call, and they've installed one of their special anti-fraud computer +programs to watch out for such things, they may spot you and ask why you took +two hours talking to Army Recruiting's 800 number when you're 4-F. + +But if you do it from a pay phone, they may discover something peculiar the +next day -- if they've got a blue-box hunting program in their computer -- but +you'll be a long time gone from the pay phone by then. Using a pay phone is +almost guaranteed safe." + +"What about the recent series of blue-box arrests all across the country -- New +York, Cleveland, and so on?" I asked. "How were they caught so easily?" + +"From what I can tell, they made one big mistake: they were seizing trunks +using an area code plus 555-1212 instead of an 800 number. Using 555 is easy to +detect because when you send multi-frequency beep tones of 555 you get a charge +for it on your tape and the accounting computer knows there's something wrong +when it tries to bill you for a two-hour call to Akron, Ohio, information, and +it drops a trouble card which goes right into the hands of the security agent +if they're looking for blue-box user. + +"Whoever sold those guys their blue boxes didn't tell them how to use them +properly, which is fairly irresponsible. And they were fairly stupid to use +them at home all the time. + +"But what those arrests really mean is than an awful lot of blue boxes are +flooding into the country and that people are finding them so easy to make that + + Page 39 + + + + + The Official Phreaker's Manual + +they know how to make them before they know how to use them. Ma Bell is in +trouble." + +And if a blue-box operator or a cassette-recorder phone phreak sticks to pay +phones and 800 numbers, the phone company can't stop them? + +"Not unless they change their entire nationwide long-lines technology, which +will take them a few billion dollars and twenty years. Right now they can't do +a thing. They're screwed." + ++-- End first file of four --+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 40 + + + + + The Official Phreaker's Manual + + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + * * + * +----------------------------------------------+ * + * * + * Secrets of the Little Blue Box * + * * + * by Ron Rosenbaum * + * Typed by One Farad Cap/AAG * + * * + * -A story so incredible it may even make you * + * feel sorry for the phone company- * + * * + * (Second of four files) * + * * + * +----------------------------------------------+ * + * * + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + +Captain Crunch Demonstrates His Famous Unit + +There is an underground telephone network in this country. Gilbertson +discovered it the very day news of his activities hit the papers. That evening +his phone began ringing. Phone phreaks from Seattle, from Florida, from New +York, from San Jose, and from Los Angeles began calling him and telling him +about the phone-phreak network. He'd get a call from a phone phreak who'd say +nothing but, "Hang up and call this number." + +When he dialed the number he'd find himself tied into a conference of a dozen +phone phreaks arranged through a quirky switching station in British Columbia. +They identified themselves as phone phreaks, they demonstrated their homemade +blue boxes which they called "M-Fers" (for "multi-frequency," among other +things) for him, they talked shop about phone-phreak devices. They let him in +on their secrets on the theory that if the phone company was after him he must +be trustworthy. And, Gilbertson recalls, they stunned him with their technical +sophistication. + +I ask him how to get in touch with the phone-phreak network. He digs around +through a file of old schematics and comes up with about a dozen numbers in +three widely separated area codes. + +"Those are the centers," he tells me. Alongside some of the numbers he writes +in first names or nicknames: names like Captain Crunch, Dr. No, Frank Carson +(also a code word for a free call), Marty Freeman (code word for M-F device), +Peter Perpendicular Pimple, Alefnull, and The Cheshire Cat. He makes checks +alongside the names of those among these top twelve who are blind. There are +five checks. + +I ask him who this Captain Crunch person is. + +"Oh. The Captain. He's probably the most legendary phone phreak. He calls +himself Captain Crunch after the notorious Cap'n Crunch 2600 whistle." +(Several years ago, Gilbertson explains, the makers of Cap'n Crunch breakfast +cereal offered a toy-whistle prize in every box as a treat for the Cap'n Crunch +set. Somehow a phone phreak discovered that the toy whistle just happened to +produce a perfect 2600-cycle tone. When the man who calls himself Captain +Crunch was transferred overseas to England with his Air Force unit, he would +receive scores of calls from his friends and "mute" them -- make them free of +charge to them -- by blowing his Cap'n Crunch whistle into his end.) + + Page 41 + + + + + The Official Phreaker's Manual + + +"Captain Crunch is one of the older phone phreaks," Gilbertson tells me. "He's +an engineer who once got in a little trouble for fooling around with the phone, +but he can't stop. Well, they guy drives across country in a Volkswagen van +with an entire switchboard and a computerized super-sophisticated M-F-er in the +back. He'll pull up to a phone booth on a lonely highway somewhere, snake a +cable out of his bus, hook it onto the phone and sit for hours, days sometimes, +sending calls zipping back and forth across the country, all over the +world...." + +Back at my motel, I dialed the number he gave me for "Captain Crunch" and asked +for G---- T-----, his real name, or at least the name he uses when he's not +dashing into a phone booth beeping out M-F tones faster than a speeding bullet +and zipping phantomlike through the phone company's long-distance lines. + +When G---- T----- answered the phone and I told him I was preparing a story for +Esquire about phone phreaks, he became very indignant. + +"I don't do that. I don't do that anymore at all. And if I do it, I do it for +one reason and one reason only. I'm learning about a system. The phone +company is a System. A computer is a System, do you understand? If I do what +I do, it is only to explore a system. Computers, systems, that's my bag. The +phone company is nothing but a computer." + +A tone of tightly restrained excitement enters the Captain's voice when he +starts talking about systems. He begins to pronounce each syllable with the +hushed deliberation of an obscene caller. + +"Ma Bell is a system I want to explore. It's a beautiful system, you know, but +Ma Bell screwed up. It's terrible because Ma Bell is such a beautiful system, +but she screwed up. I learned how she screwed up from a couple of blind kids +who wanted me to build a device. A certain device. They said it could make +free calls. I wasn't interested in free calls. But when these blind kids told +me I could make calls into a computer, my eyes lit up. I wanted to learn about +computers. I wanted to learn about Ma Bell's computers. So I build the little +device, but I built it wrong and Ma Bell found out. Ma Bell can detect things +like that. Ma Bell knows. So I'm strictly rid of it now. I don't do it. +Except for learning purposes." He pauses. "So you want to write an article. +Are you paying for this call? Hang up and call this number." He gives me a +number in a area code a thousand miles away of his own. I dial the number. + +"Hello again. This is Captain Crunch. You are speaking to me on a toll-free +loop-around in Portland, Oregon. Do you know what a toll-free loop around is? +I'll tell you. + +He explains to me that almost every exchange in the country has open test +numbers which allow other exchanges to test their connections with it. Most of +these numbers occur in consecutive pairs, such as 302 956-0041 and 302 +956-0042. Well, certain phone phreaks discovered that if two people from +anywhere in the country dial the two consecutive numbers they can talk together +just as if one had called the other's number, with no charge to either of them, +of course. + +"Now our voice is looping around in a 4A switching machine up there in Canada, +zipping back down to me," the Captain tells me. "My voice is looping around up +there and back down to you. And it can't ever cost anyone money. The phone +phreaks and I have compiled a list of many many of these numbers. You would be +surprised if you saw the list. I could show it to you. But I won't. I'm out + + Page 42 + + + + + The Official Phreaker's Manual + +of that now. I'm not out to screw Ma Bell. I know better. If I do anything +it's for the pure knowledge of the System. You can learn to do fantastic +things. Have you ever heard eight tandems stacked up? Do you know the sound +of tandems stacking and unstacking? Give me your phone number. Okay. Hang up +now and wait a minute." + +Slightly less than a minute later the phone rang and the Captain was on the +line, his voice sounding far more excited, almost aroused. + +"I wanted to show you what it's like to stack up tandems. To stack up +tandems." (Whenever the Captain says "stack up" it sounds as if he is licking +his lips.) + +"How do you like the connection you're on now?" the Captain asks me. "It's a +raw tandem. A raw tandem. Ain't nothin' up to it but a tandem. Now I'm going +to show you what it's like to stack up. Blow off. Land in a far away place. +To stack that tandem up, whip back and forth across the country a few times, +then shoot on up to Moscow. + +"Listen," Captain Crunch continues. "Listen. I've got line tie on my +switchboard here, and I'm gonna let you hear me stack and unstack tandems. +Listen to this. It's gonna blow your mind." + +First I hear a super rapid-fire pulsing of the flutelike phone tones, then a +pause, then another popping burst of tones, then another, then another. Each +burst is followed by a beep-kachink sound. + +"We have now stacked up four tandems," said Captain Crunch, sounding somewhat +remote. "That's four tandems stacked up. Do you know what that means? That +means I'm whipping back and forth, back and forth twice, across the country, +before coming to you. I've been known to stack up twenty tandems at a time. +Now, just like I said, I'm going to shoot up to Moscow." + +There is a new, longer series of beeper pulses over the line, a brief silence, +then a ring. + +"Hello," answers a far-off voice. + +"Hello. Is this the American Embassy Moscow?" + +"Yes, sir. Who is this calling?" says the voice. + +"Yes. This is test board here in New York. We're calling to check out the +circuits, see what kind of lines you've got. Everything okay there in +Moscow?" + +"Okay?" + +"Well, yes, how are things there?" + +"Oh. Well, everything okay, I guess." + +"Okay. Thank you." + +They hang up, leaving a confused series of beep-kachink sounds hanging in +mid-ether in the wake of the call before dissolving away. + +The Captain is pleased. "You believe me now, don't you? Do you know what I'd + + Page 43 + + + + + The Official Phreaker's Manual + +like to do? I'd just like to call up your editor at Esquire and show him just +what it sounds like to stack and unstack tandems. I'll give him a show that +will blow his mind. What's his number? + +I ask the Captain what kind of device he was using to accomplish all his feats. +The Captain is pleased at the question. + +"You could tell it was special, couldn't you?" Ten pulses per second. That's +faster than the phone company's equipment. Believe me, this unit is the most +famous unit in the country. There is no other unit like it. Believe me." + +"Yes, I've heard about it. Some other phone phreaks have told me about it." + +"They have been referring to my, ahem, unit? What is it they said? Just out of +curiosity, did they tell you it was a highly sophisticated computer-operated +unit, with acoustical coupling for receiving outputs and a switch-board with +multiple-line-tie capability? Did they tell you that the frequency tolerance +is guaranteed to be not more than .05 percent? The amplitude tolerance less +than .01 decibel? Those pulses you heard were perfect. They just come faster +than the phone company. Those were high-precision op-amps. Op-amps are +instrumentation amplifiers designed for ultra-stable amplification, super-low +distortion and accurate frequency response. Did they tell you it can operate +in temperatures from -55 degrees C to +125 degrees C?" + +I admit that they did not tell me all that. + +"I built it myself," the Captain goes on. "If you were to go out and buy the +components from an industrial wholesaler it would cost you at least $1500. I +once worked for a semiconductor company and all this didn't cost me a cent. Do +you know what I mean? Did they tell you about how I put a call completely +around the world? I'll tell you how I did it. I M-Fed Tokyo inward, who +connected me to India, India connected me to Greece, Greece connected me to +Pretoria, South Africa, South Africa connected me to South America, I went from +South America to London, I had a London operator connect me to a New York +operator, I had New York connect me to a California operator who rang the phone +next to me. Needless to say I had to shout to hear myself. But the echo was +far out. Fantastic. Delayed. It was delayed twenty seconds, but I could hear +myself talk to myself." + +"You mean you were speaking into the mouthpiece of one phone sending your voice +around the world into your ear through a phone on the other side of your head?" +I asked the Captain. I had a vision of something vaguely autoerotic going on, +in a complex electronic way. + +"That's right," said the Captain. "I've also sent my voice around the world +one way, going east on one phone, and going west on the other, going through +cable one way, satellite the other, coming back together at the same time, +ringing the two phones simultaneously and picking them up and whipping my +voice both ways around the world back to me. Wow. That was a mind blower." + +"You mean you sit there with both phones on your ear and talk to yourself +around the world," I said incredulously. + +"Yeah. Um hum. That's what I do. I connect the phone together and sit there +and talk." + +"What do you say? What do you say to yourself when you're connected?" + + + Page 44 + + + + + The Official Phreaker's Manual + +"Oh, you know. Hello test one two three," he says in a low-pitched voice. + +"Hello test one two three," he replied to himself in a high-pitched voice. + +"Hello test one two three," he repeats again, low-pitched. + +"Hello test one two three," he replies, high-pitched. + +"I sometimes do this: Hello Hello Hello Hello, Hello, hello," he trails off and +breaks into laughter. + +Why Captain Crunch Hardly Ever Taps Phones Anymore + +Using internal phone-company codes, phone phreaks have learned a simple method +for tapping phones. Phone-company operators have in front of them a board that +holds verification jacks. It allows them to plug into conversations in case of +emergency, to listen in to a line to determine if the line is busy or the +circuits are busy. Phone phreaks have learned to beep out the codes which lead +them to a verification operator, tell the verification operator they are +switchmen from some other area code testing out verification trunks. Once the +operator hooks them into the verification trunk, they disappear into the board +for all practical purposes, slip unnoticed into any one of the 10,000 to +100,000 numbers in that central office without the verification operator +knowing what they're doing, and of course without the two parties to the +connection knowing there is a phantom listener present on their line. + +Toward the end of my hour-long first conversation with him, I asked the Captain +if he ever tapped phones. + +"Oh no. I don't do that. I don't think it's right," he told me firmly. "I +have the power to do it but I don't... Well one time, just one time, I have to +admit that I did. There was this girl, Linda, and I wanted to find out... you +know. I tried to call her up for a date. I had a date with her the last +weekend and I thought she liked me. I called her up, man, and her line was +busy, and I kept calling and it was still busy. Well, I had just learned about +this system of jumping into lines and I said to myself, 'Hmmm. Why not just +see if it works. It'll surprise her if all of a sudden I should pop up on her +line. It'll impress her, if anything.' So I went ahead and did it. I M-Fed +into the line. My M-F-er is powerful enough when patched directly into the +mouthpiece to trigger a verification trunk without using an operator the way +the other phone phreaks have to. + +"I slipped into the line and there she was talking to another boyfriend. +Making sweet talk to him. I didn't make a sound because I was so disgusted. +So I waited there for her to hang up, listening to her making sweet talk to the +other guy. You know. So as soon as she hung up I instantly M-F-ed her up and +all I said was, 'Linda, we're through.' And I hung up. And it blew her head +off. She couldn't figure out what the hell happened. + +"But that was the only time. I did it thinking I would surprise her, impress +her. Those were all my intentions were, and well, it really kind of hurt me +pretty badly, and... and ever since then I don't go into verification trunks." + +Moments later my first conversation with the Captain comes to a close. + +"Listen," he says, his spirits somewhat cheered, "listen. What you are going +to hear when I hang up is the sound of tandems unstacking. Layer after layer of +tandems unstacking until there's nothing left of the stack, until it melts away + + Page 45 + + + + + The Official Phreaker's Manual + +into nothing. Cheep, cheep, cheep, cheep," he concludes, his voice descending +to a whisper with each cheep. + +He hangs up. The phone suddenly goes into four spasms: kachink cheep. Kachink +cheep kachink cheep kachink cheep, and the complex connection has wiped itself +out like the Cheshire cat's smile. + +The MF Boogie Blues + +The next number I choose from the select list of phone-phreak alumni, prepared +for me by the blue-box inventor, is a Memphis number. It is the number of Joe +Engressia, the first and still perhaps the most accomplished blind phone +phreak. + +Three years ago Engressia was a nine-day wonder in newspapers and magazines all +over America because he had been discovered whistling free long-distance +connections for fellow students at the University of South Florida. Engressia +was born with perfect pitch: he could whistle phone tones better than the +phone-company's equipment. + +Engressia might have gone on whistling in the dark for a few friends for the +rest of his life if the phone company hadn't decided to expose him. He was +warned, disciplined by the college, and the whole case became public. In the +months following media reports of his talent, Engressia began receiving strange +calls. There were calls from a group of kids in Los Angeles who could do some +very strange things with the quirky General Telephone and Electronics circuitry +in L.A. suburbs. There were calls from a group of mostly blind kids in ----, +California, who had been doing some interesting experiments with Cap'n Crunch +whistles and test loops. There was a group in Seattle, a group in Cambridge, +Massachusetts, a few from New York, a few scattered across the country. Some +of them had already equipped themselves with cassette and electronic M-F +devices. For some of these groups, it was the first time they knew of the +others. + +The exposure of Engressia was the catalyst that linked the separate +phone-phreak centers together. They all called Engressia. They talked to him +about what he was doing and what they were doing. And then he told them -- the +scattered regional centers and lonely independent phone phreakers -- about each +other, gave them each other's numbers to call, and within a year the scattered +phone-phreak centers had grown into a nationwide underground. + +Joe Engressia is only twenty-two years old now, but along the phone-phreak +network he is "the old man," accorded by phone phreaks something of the +reverence the phone company bestows on Alexander Graham Bell. He seldom needs +to make calls anymore. The phone phreaks all call him and let him know what +new tricks, new codes, new techniques they have learned. Every night he sits +like a sightless spider in his little apartment receiving messages from every +tendril of his web. It is almost a point of pride with Joe that they call +him. + +But when I reached him in his Memphis apartment that night, Joe Engressia was +lonely, jumpy and upset. + +"God, I'm glad somebody called. I don't know why tonight of all nights I don't +get any calls. This guy around here got drunk again tonight and propositioned +me again. I keep telling him we'll never see eye to eye on this subject, if +you know what I mean. I try to make light of it, you know, but he doesn't get +it. I can head him out there getting drunker and I don't know what he'll do + + Page 46 + + + + + The Official Phreaker's Manual + +next. It's just that I'm really all alone here, just moved to Memphis, it's +the first time I'm living on my own, and I'd hate for it to all collapse now. +But I won't go to bed with him. I'm just not very interested in sex and even +if I can't see him I know he's ugly. + +"Did you hear that? That's him banging a bottle against the wall outside. +He's nice. Well forget about it. You're doing a story on phone phreaks? +Listen to this. It's the MF Boogie Blues. + +Sure enough, a jumpy version of Muskrat Ramble boogies its way over the line, +each note one of those long-distance phone tones. The music stops. A huge +roaring voice blasts the phone off my ear: "AND THE QUESTION IS..." roars the +voice, "CAN A BLIND PERSON HOOK UP AN AMPLIFIER ON HIS OWN?" + +The roar ceases. A high-pitched operator-type voice replaces it. "This is +Southern Braille Tel. & Tel. Have tone, will phone." + +This is succeeded by a quick series of M-F tones, a swift "kachink" and a deep +reassuring voice: "If you need home care, call the visiting-nurses association. +First National time in Honolulu is 4:32 p.m." + +Joe back in his Joe voice again: "Are we seeing eye to eye? 'Si, si,' said the +blind Mexican. Ahem. Yes. Would you like to know the weather in Tokyo?" + +This swift manic sequence of phone-phreak vaudeville stunts and blind-boy jokes +manages to keep Joe's mind off his tormentor only as long as it lasts. + +"The reason I'm in Memphis, the reason I have to depend on that homosexual guy, +is that this is the first time I've been able to live on my own and make phone +trips on my own. I've been banned from all central offices around home in +Florida, they knew me too well, and at the University some of my fellow +scholars were always harassing me because I was on the dorm pay phone all the +time and making fun of me because of my fat ass, which of course I do have, +it's my physical fatness program, but I don't like to hear it every day, and if +I can't phone trip and I can't phone phreak, I can't imagine what I'd do, I've +been devoting three quarters of my life to it. + +"I moved to Memphis because I wanted to be on my own as well as because it has +a Number 5 crossbar switching system and some interesting little independent +phone-company districts nearby and so far they don't seem to know who I am so I +can go on phone tripping, and for me phone tripping is just as important as +phone phreaking." + +Phone tripping, Joe explains, begins with calling up a central-office switch +room. He tells the switchman in a polite earnest voice that he's a blind +college student interested in telephones, and could he perhaps have a guided +tour of the switching station? Each step of the tour Joe likes to touch and +feel relays, caress switching circuits, switchboards, crossbar arrangements. + +So when Joe Engressia phone phreaks he feels his way through the circuitry of +the country garden of forking paths, he feels switches shift, relays shunt, +crossbars swivel, tandems engage and disengage even as he hears -- with perfect +pitch -- his M-F pulses make the entire Bell system dance to his tune. + +Just one month ago Joe took all his savings out of his bank and left home, over +the emotional protests of his mother. "I ran away from home almost," he likes +to say. Joe found a small apartment house on Union Avenue and began making +phone trips. He'd take a bus a hundred miles south in Mississippi to see some + + Page 47 + + + + + The Official Phreaker's Manual + +old-fashioned Bell equipment still in use in several states, which had been +puzzling. He'd take a bus three hundred miles to Charlotte, North Carolina, to +look at some brand-new experimental equipment. He hired a taxi to drive him +twelve miles to a suburb to tour the office of a small phone company with some +interesting idiosyncrasies in its routing system. He was having the time of +his life, he said, the most freedom and pleasure he had known. + +In that month he had done very little long-distance phone phreaking from his +own phone. He had begun to apply for a job with the phone company, he told me, +and he wanted to stay away from anything illegal. + +"Any kind of job will do, anything as menial as the most lowly operator. +That's probably all they'd give me because I'm blind. Even though I probably +know more than most switchmen. But that's okay. I want to work for Ma Bell. +I don't hate Ma Bell the way Gilbertson and some phone phreaks do. I don't +want to screw Ma Bell. With me it's the pleasure of pure knowledge. There's +something beautiful about the system when you know it intimately the way I do. +But I don't know how much they know about me here. I have a very intuitive +feel for the condition of the line I'm on, and I think they're monitoring me +off and on lately, but I haven't been doing much illegal. I have to make a few +calls to switchmen once in a while which aren't strictly legal, and once I took +an acid trip and was having these auditory hallucinations as if I were trapped +and these planes were dive-bombing me, and all of sudden I had to phone phreak +out of there. For some reason I had to call Kansas City, but that's all." + +A Warning Is Delivered + +At this point -- one o'clock in my time zone -- a loud knock on my motel-room +door interrupts our conversation. Outside the door I find a uniformed security +guard who informs me that there has been an "emergency phone call" for me while +I have been on the line and that the front desk has sent him up to let me +know. + +Two seconds after I say good-bye to Joe and hang up, the phone rings. + +"Who were you talking to?" the agitated voice demands. The voice belongs to +Captain Crunch. "I called because I decided to warn you of something. I +decided to warn you to be careful. I don't want this information you get to +get to the radical underground. I don't want it to get into the wrong hands. +What would you say if I told you it's possible for three phone phreaks to +saturate the phone system of the nation. Saturate it. Busy it out. All of +it. I know how to do this. I'm not gonna tell. A friend of mine has already +saturated the trunks between Seattle and New York. He did it with a +computerized M-F-er hitched into a special Manitoba exchange. But there are +other, easier ways to do it." + +Just three people? I ask. How is that possible? + +"Have you ever heard of the long-lines guard frequency? Do you know about +stacking tandems with 17 and 2600? Well, I'd advise you to find out about it. +I'm not gonna tell you. But whatever you do, don't let this get into the hands +of the radical underground." + +(Later Gilbertson, the inventor, confessed that while he had always been +skeptical about the Captain's claim of the sabotage potential of trunk-tying +phone phreaks, he had recently heard certain demonstrations which convinced him +the Captain was not speaking idly. "I think it might take more than three +people, depending on how many machines like Captain Crunch's were available. + + Page 48 + + + + + The Official Phreaker's Manual + +But even though the Captain sounds a little weird, he generally turns out to +know what he's talking about.") + +"You know," Captain Crunch continues in his admonitory tone, "you know the +younger phone phreaks call Moscow all the time. Suppose everybody were to call +Moscow. I'm no right-winger. But I value my life. I don't want the Commies +coming over and dropping a bomb on my head. That's why I say you've got to be +careful about who gets this information." + +The Captain suddenly shifts into a diatribe against those phone phreaks who +don't like the phone company. + +"They don't understand, but Ma Bell knows everything they do. Ma Bell knows. +Listen, is this line hot? I just heard someone tap in. I'm not paranoid, but +I can detect things like that. Well, even if it is, they know that I know that +they know that I have a bulk eraser. I'm very clean." The Captain pauses, +evidently torn between wanting to prove to the phone-company monitors that he +does nothing illegal, and the desire to impress Ma Bell with his prowess. "Ma +Bell knows how good I am. And I am quite good. I can detect reversals, tandem +switching, everything that goes on on a line. I have relative pitch now. Do +you know what that means? My ears are a $20,000 piece of equipment. With my +ears I can detect things they can't hear with their equipment. I've had +employment problems. I've lost jobs. But I want to show Ma Bell how good I +am. I don't want to screw her, I want to work for her. I want to do good for +her. I want to help her get rid of her flaws and become perfect. That's my +number-one goal in life now." The Captain concludes his warnings and tells me +he has to be going. "I've got a little action lined up for tonight," he +explains and hangs up. + +Before I hang up for the night, I call Joe Engressia back. He reports that his +tormentor has finally gone to sleep -- "He's not blind drunk, that's the way I +get, ahem, yes; but you might say he's in a drunken stupor." I make a date to +visit Joe in Memphis in two days. + ++-- End second file of four --+ + + + + + + + + + + + + + + + + + + + + + + + + + Page 49 + + + + + The Official Phreaker's Manual + + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + * * + * +----------------------------------------------+ * + * * + * Secrets of the Little Blue Box * + * * + * by Ron Rosenbaum * + * Typed by One Farad Cap/AAG * + * * + * -A story so incredible it may even make you * + * feel sorry for the phone company- * + * * + * (Third of four files) * + * * + * +----------------------------------------------+ * + * * + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + +A Phone Phreak Call Takes Care of Business + +The next morning I attend a gathering of four phone phreaks in ----- (a +California suburb). The gathering takes place in a comfortable split-level +home in an upper-middle-class subdivision. Heaped on the kitchen table are the +portable cassette recorders, M-F cassettes, phone patches, and line ties of the +four phone phreaks present. On the kitchen counter next to the telephone is a +shoe-box-size blue box with thirteen large toggle switches for the tones. The +parents of the host phone phreak, Ralph, who is blind, stay in the living room +with their sighted children. They are not sure exactly what Ralph and his +friends do with the phone or if it's strictly legal, but he is blind and they +are pleased he has a hobby which keeps him busy. + +The group has been working at reestablishing the historic "2111" conference, +reopening some toll-free loops, and trying to discover the dimensions of what +seem to be new initiatives against phone phreaks by phone-company security +agents. + +It is not long before I get a chance to see, to hear, Randy at work. Randy is +known among the phone phreaks as perhaps the finest con man in the game. Randy +is blind. He is pale, soft and pear-shaped, he wears baggy pants and a wrinkly +nylon white sport shirt, pushes his head forward from hunched shoulders +somewhat like a turtle inching out of its shell. His eyes wander, crossing and +recrossing, and his forehead is somewhat pimply. He is only sixteen years +old. + +But when Randy starts speaking into a telephone mouthpiece his voice becomes so +stunningly authoritative it is necessary to look again to convince yourself it +comes from a chubby adolescent Randy. Imagine the voice of a crack oil-rig +foreman, a tough, sharp, weather-beaten Marlboro man of forty. Imagine the +voice of a brilliant performance-fund gunslinger explaining how he beats the +Dow Jones by thirty percent. Then imagine a voice that could make those two +sound like Stepin Fetchit. That is sixteen-year-old Randy's voice. + +He is speaking to a switchman in Detroit. The phone company in Detroit had +closed up two toll-free loop pairs for no apparent reason, although heavy use +by phone phreaks all over the country may have been detected. Randy is telling +the switchman how to open up the loop and make it free again: + +"How are you, buddy. Yeah. I'm on the board in here in Tulsa, Oklahoma, and + + Page 50 + + + + + The Official Phreaker's Manual + +we've been trying to run some tests on your loop-arounds and we find'em busied +out on both sides.... Yeah, we've been getting a 'BY' on them, what d'ya say, +can you drop cards on 'em? Do you have 08 on your number group? Oh that's +okay, we've had this trouble before, we may have to go after the circuit. Here +lemme give 'em to you: your frame is 05, vertical group 03, horizontal 5, +vertical file 3. Yeah, we'll hang on here.... Okay, found it? Good. Right, +yeah, we'd like to clear that busy out. Right. All you have to do is look for +your key on the mounting plate, it's in your miscellaneous trunk frame. Okay? +Right. Now pull your key from NOR over the LCT. Yeah. I don't know why that +happened, but we've been having trouble with that one. Okay. Thanks a lot +fella. Be seein' ya." + +Randy hangs up, reports that the switchman was a little inexperienced with the +loop-around circuits on the miscellaneous trunk frame, but that the loop has +been returned to its free-call status. + +Delighted, phone phreak Ed returns the pair of numbers to the active-status +column in his directory. Ed is a superb and painstaking researcher. With +almost Talmudic thoroughness he will trace tendrils of hints through soft-wired +mazes of intervening phone-company circuitry back through complex linkages of +switching relays to find the location and identity of just one toll-free loop. +He spends hours and hours, every day, doing this sort of thing. He has somehow +compiled a directory of eight hundred "Band-six in-WATS numbers" located in +over forty states. Band-six in-WATS numbers are the big 800 numbers -- the +ones that can be dialed into free from anywhere in the country. + +Ed the researcher, a nineteen-year-old engineering student, is also a superb +technician. He put together his own working blue box from scratch at age +seventeen. (He is sighted.) This evening after distributing the latest issue +of his in-WATS directory (which has been typed into Braille for the blind phone +phreaks), he announces he has made a major new breakthrough: + +"I finally tested it and it works, perfectly. I've got this switching matrix +which converts any touch-tone phone into an M-F-er." + +The tones you hear in touch-tone phones are not the M-F tones that operate the +long-distance switching system. Phone phreaks believe A.T.&T. had deliberately +equipped touch tones with a different set of frequencies to avoid putting the +six master M-F tones in the hands of every touch-tone owner. Ed's complex +switching matrix puts the six master tones, in effect put a blue box, in the +hands of every touch-tone owner. + +Ed shows me pages of schematics, specifications and parts lists. "It's not easy +to build, but everything here is in the Heathkit catalog." + +Ed asks Ralph what progress he has made in his attempts to reestablish a +long-term open conference line for phone phreaks. The last big conference -- +the historic "2111" conference -- had been arranged through an unused Telex +test-board trunk somewhere in the innards of a 4A switching machine in +Vancouver, Canada. For months phone phreaks could M-F their way into +Vancouver, beep out 604 (the Vancouver area code) and then beep out 2111 (the +internal phone-company code for Telex testing), and find themselves at any +time, day or night, on an open wire talking with an array of phone phreaks from +coast to coast, operators from Bermuda, Tokyo and London who are phone-phreak +sympathizers, and miscellaneous guests and technical experts. The conference +was a massive exchange of information. Phone phreaks picked each other's +brains clean, then developed new ways to pick the phone company's brains clean. +Ralph gave M F Boogies concerts with his home-entertainment-type electric + + Page 51 + + + + + The Official Phreaker's Manual + +organ, Captain Crunch demonstrated his round-the-world prowess with his +notorious computerized unit and dropped leering hints of the "action" he was +getting with his girl friends. (The Captain lives out or pretends to live out +several kinds of fantasies to the gossipy delight of the blind phone phreaks +who urge him on to further triumphs on behalf of all of them.) The somewhat +rowdy Northwest phone-phreak crowd let their bitter internal feud spill over +into the peaceable conference line, escalating shortly into guerrilla warfare; +Carl the East Coast international tone relations expert demonstrated newly +opened direct M-F routes to central offices on the island of Bahrein in the +Persian Gulf, introduced a new phone-phreak friend of his in Pretoria, and +explained the technical operation of the new Oakland-to Vietnam linkages. +(Many phone phreaks pick up spending money by M-F-ing calls from relatives to +Vietnam G.I.'s, charging $5 for a whole hour of trans-Pacific conversation.) + +Day and night the conference line was never dead. Blind phone phreaks all over +the country, lonely and isolated in homes filled with active sighted brothers +and sisters, or trapped with slow and unimaginative blind kids in straitjacket +schools for the blind, knew that no matter how late it got they could dial up +the conference and find instant electronic communion with two or three other +blind kids awake over on the other side of America. Talking together on a +phone hookup, the blind phone phreaks say, is not much different from being +there together. Physically, there was nothing more than a two-inch-square wafer +of titanium inside a vast machine on Vancouver Island. For the blind kids +>there< meant an exhilarating feeling of being in touch, through a kind of +skill and magic which was peculiarly their own. + +Last April 1, however, the long Vancouver Conference was shut off. The phone +phreaks knew it was coming. Vancouver was in the process of converting from a +step-by-step system to a 4A machine and the 2111 Telex circuit was to be wiped +out in the process. The phone phreaks learned the actual day on which the +conference would be erased about a week ahead of time over the phone company's +internal-news-and-shop-talk recording. + +For the next frantic seven days every phone phreak in America was on and off +the 2111 conference twenty-four hours a day. Phone phreaks who were just +learning the game or didn't have M-F capability were boosted up to the +conference by more experienced phreaks so they could get a glimpse of what it +was like before it disappeared. Top phone phreaks searched distant area codes +for new conference possibilities without success. Finally in the early morning +of April 1, the end came. + +"I could feel it coming a couple hours before midnight," Ralph remembers. "You +could feel something going on in the lines. Some static began showing up, then +some whistling wheezing sound. Then there were breaks. Some people got cut +off and called right back in, but after a while some people were finding they +were cut off and couldn't get back in at all. It was terrible. I lost it +about one a.m., but managed to slip in again and stay on until the thing +died... I think it was about four in the morning. There were four of us still +hanging on when the conference disappeared into nowhere for good. We all tried +to M-F up to it again of course, but we got silent termination. There was +nothing there." + +The Legendary Mark Bernay Turns Out To Be "The Midnight Skulker" + +Mark Bernay. I had come across that name before. It was on Gilbertson's +select list of phone phreaks. The California phone phreaks had spoken of a +mysterious Mark Bernay as perhaps the first and oldest phone phreak on the West +Coast. And in fact almost every phone phreak in the West can trace his origins + + Page 52 + + + + + The Official Phreaker's Manual + +either directly to Mark Bernay or to a disciple of Mark Bernay. + +It seems that five years ago this Mark Bernay (a pseudonym he chose for +himself) began traveling up and down the West Coast pasting tiny stickers in +phone books all along his way. The stickers read something like "Want to hear +an interesting tape recording? Call these numbers." The numbers that followed +were toll-free loop-around pairs. When one of the curious called one of the +numbers he would hear a tape recording pre-hooked into the loop by Bernay which +explained the use of loop-around pairs, gave the numbers of several more, and +ended by telling the caller, "At six o'clock tonight this recording will stop +and you and your friends can try it out. Have fun." + +"I was disappointed by the response at first," Bernay told me, when I finally +reached him at one of his many numbers and he had dispensed with the usual "I +never do anything illegal" formalities which experienced phone phreaks open +most conversations. + +"I went all over the coast with these stickers not only on pay phones, but I'd +throw them in front of high schools in the middle of the night, I'd leave them +unobtrusively in candy stores, scatter them on main streets of small towns. At +first hardly anyone bothered to try it out. I would listen in for hours and +hours after six o'clock and no one came on. I couldn't figure out why people +wouldn't be interested. Finally these two girls in Oregon tried it out and +told all their friends and suddenly it began to spread." + +Before his Johny Appleseed trip Bernay had already gathered a sizable group of +early pre-blue-box phone phreaks together on loop-arounds in Los Angeles. +Bernay does not claim credit for the original discovery of the loop-around +numbers. He attributes the discovery to an eighteen-year-old reform school kid +in Long Beach whose name he forgets and who, he says, "just disappeared one +day." When Bernay himself discovered loop-arounds independently, from clues in +his readings in old issues of the Automatic Electric Technical Journal, he +found dozens of the reform-school kid's friends already using them. However, it +was one of Bernay's disciples in Seattle that introduced phone phreaking to +blind kids. The Seattle kid who learned about loops through Bernay's recording +told a blind friend, the blind kid taught the secret to his friends at a winter +camp for blind kids in Los Angeles. When the camp session was over these kids +took the secret back to towns all over the West. This is how the original +blind kids became phone phreaks. For them, for most phone phreaks in general, +it was the discovery of the possibilities of loop-arounds which led them on to +far more serious and sophisticated phone-phreak methods, and which gave them a +medium for sharing their discoveries. + +A year later a blind kid who moved back east brought the technique to a blind +kids' summer camp in Vermont, which spread it along the East Coast. All from a +Mark Bernay sticker. + +Bernay, who is nearly thirty years old now, got his start when he was fifteen +and his family moved into an L.A. suburb serviced by General Telephone and +Electronics equipment. He became fascinated with the differences between Bell +and G.T.&E. equipment. He learned he could make interesting things happen by +carefully timed clicks with the disengage button. He learned to interpret +subtle differences in the array of clicks, whirrs and kachinks he could hear on +his lines. He learned he could shift himself around the switching relays of +the L.A. area code in a not-too-predictable fashion by interspersing his own +hook-switch clicks with the clicks within the line. (Independent phone +companies -- there are nineteen hundred of them still left, most of them tiny +island principalities in Ma Bell's vast empire -- have always been favorites + + Page 53 + + + + + The Official Phreaker's Manual + +with phone phreaks, first as learning tools, then as Archimedes platforms from +which to manipulate the huge Bell system. A phone phreak in Bell territory +will often M-F himself into an independent's switching system, with switching +idiosyncrasies which can give him marvelous leverage over the Bell System. + +"I have a real affection for Automatic Electric Equipment," Bernay told me. +"There are a lot of things you can play with. Things break down in interesting +ways." + +Shortly after Bernay graduated from college (with a double major in chemistry +and philosophy), he graduated from phreaking around with G.T.&E. to the Bell +System itself, and made his legendary sticker-pasting journey north along the +coast, settling finally in Northwest Pacific Bell territory. He discovered +that if Bell does not break down as interestingly as G.T.&E., it nevertheless +offers a lot of "things to play with." + +Bernay learned to play with blue boxes. He established his own personal +switchboard and phone-phreak research laboratory complex. He continued his +phone-phreak evangelism with ongoing sticker campaigns. He set up two recording +numbers, one with instructions for beginning phone phreaks, the other with +latest news and technical developments (along with some advanced instruction) +gathered from sources all over the country. + +These days, Bernay told me, he had gone beyond phone-phreaking itself. "Lately +I've been enjoying playing with computers more than playing with phones. My +personal thing in computers is just like with phones, I guess -- the kick is in +finding out how to beat the system, how to get at things I'm not supposed to +know about, how to do things with the system that I'm not supposed to be able +to do." + +As a matter of fact, Bernay told me, he had just been fired from his +computer-programming job for doing things he was not supposed to be able to do. +he had been working with a huge time-sharing computer owned by a large +corporation but shared by many others. Access to the computer was limited to +those programmers and corporations that had been assigned certain passwords. +And each password restricted its user to access to only the one section of the +computer cordoned off from its own information storager. The password system +prevented companies and individuals from stealing each other's information. + +"I figured out how to write a program that would let me read everyone else's +password," Bernay reports. "I began playing around with passwords. I began +letting the people who used the computer know, in subtle ways, that I knew +their passwords. I began dropping notes to the computer supervisors with hints +that I knew what I know. I signed them 'The Midnight Skulker.' I kept getting +cleverer and cleverer with my messages and devising ways of showing them what I +could do. I'm sure they couldn't imagine I could do the things I was showing +them. But they never responded to me. Every once in a while they'd change the +passwords, but I found out how to discover what the new ones were, and I let +them know. But they never responded directly to the Midnight Skulker. I even +finally designed a program which they could use to prevent my program from +finding out what it did. In effect I told them how to wipe me out, The +Midnight Skulker. It was a very clever program. I started leaving clues about +myself. I wanted them to try and use it and then try to come up with something +to get around that and reappear again. But they wouldn't play. I wanted to +get caught. I mean I didn't want to get caught personally, but I wanted them +to notice me and admit that they noticed me. I wanted them to attempt to +respond, maybe in some interesting way." + + + Page 54 + + + + + The Official Phreaker's Manual + +Finally the computer managers became concerned enough about the threat of +information-stealing to respond. However, instead of using The Midnight +Skulker's own elegant self-destruct program, they called in their security +personnel, interrogated everyone, found an informer to identify Bernay as The +Midnight Skulker, and fired him. + +"At first the security people advised the company to hire me full-time to +search out other flaws and discover other computer freaks. I might have liked +that. But I probably would have turned into a double double agent rather than +the double agent they wanted. I might have resurrected The Midnight Skulker +and tried to catch myself. Who knows? Anyway, the higher-ups turned the whole +idea down." + +You Can Tap the F.B.I.'s Crime Control Computer in the Comfort of Your Own +Home, Perhaps + +Computer freaking may be the wave of the future. It suits the phone-phreak +sensibility perfectly. Gilbertson, the blue-box inventor and a lifelong phone +phreak, has also gone on from phone-phreaking to computer-freaking. Before he +got into the blue-box business Gilbertson, who is a highly skilled programmer, +devised programs for international currency arbitrage. + +But he began playing with computers in earnest when he learned he could use his +blue box in tandem with the computer terminal installed in his apartment by the +instrumentation firm he worked for. The print-out terminal and keyboard was +equipped with acoustical coupling, so that by coupling his little ivory +Princess phone to the terminal and then coupling his blue box on that, he could +M-F his way into other computers with complete anonymity, and without charge; +program and re-program them at will; feed them false or misleading information; +tap and steal from them. He explained to me that he taps computers by busying +out all the lines, then going into a verification trunk, listening into the +passwords and instructions one of the time sharers uses, and them M-F-ing in +and imitating them. He believes it would not be impossible to creep into the +F.B.I's crime control computer through a local police computer terminal and +phreak around with the F.B.I.'s memory banks. He claims he has succeeded in +re-programming a certain huge institutional computer in such a way that it has +cordoned off an entire section of its circuitry for his personal use, and at +the same time conceals that arrangement from anyone else's notice. I have been +unable to verify this claim. + +Like Captain Crunch, like Alexander Graham Bell (pseudonym of a +disgruntled-looking East Coast engineer who claims to have invented the black +box and now sells black and blue boxes to gamblers and radical heavies), like +most phone phreaks, Gilbertson began his career trying to rip off pay phones as +a teenager. Figure them out, then rip them off. Getting his dime back from +the pay phone is the phone phreak's first thrilling rite of passage. After +learning the usual eighteen different ways of getting his dime back, Gilbertson +learned how to make master keys to coin-phone cash boxes, and get everyone +else's dimes back. He stole some phone-company equipment and put together his +own home switchboard with it. He learned to make a simple "bread-box" device, +of the kind used by bookies in the Thirties (bookie gives a number to his +betting clients; the phone with that number is installed in some widow lady's +apartment, but is rigged to ring in the bookie's shop across town, cops trace +big betting number and find nothing but the widow). + +Not long after that afternoon in 1968 when, deep in the stacks of an +engineering library, he came across a technical journal with the phone tone +frequencies and rushed off to make his first blue box, not long after that + + Page 55 + + + + + The Official Phreaker's Manual + +Gilbertson abandoned a very promising career in physical chemistry and began +selling blue boxes for $1,500 apiece. + +"I had to leave physical chemistry. I just ran out of interesting things to +learn," he told me one evening. We had been talking in the apartment of the +man who served as the link between Gilbertson and the syndicate in arranging +the big $300,000 blue-box deal which fell through because of legal trouble. +There has been some smoking. + +"No more interesting things to learn," he continues. "Physical chemistry turns +out to be a sick subject when you take it to its highest level. I don't know. +I don't think I could explain to you how it's sick. You have to be there. But +you get, I don't know, a false feeling of omnipotence. I suppose it's like +phone-phreaking that way. This huge thing is there. This whole system. And +there are holes in it and you slip into them like Alice and you're pretending +you're doing something you're actually not, or at least it's no longer you +that's doing what you thought you were doing. It's all Lewis Carroll. +Physical chemistry and phone-phreaking. That's why you have these phone-phreak +pseudonyms like The Cheshire Cat, the Red King, and The Snark. But there's +something about phone-phreaking that you don't find in physical chemistry." He +looks up at me: + +"Did you ever steal anything?" + +"Well yes, I..." + +"Then you know! You know the rush you get. It's not just knowledge, like +physical chemistry. It's forbidden knowledge. You know. You can learn about +anything under the sun and be bored to death with it. But the idea that it's +illegal. Look: you can be small and mobile and smart and you're ripping off +somebody large and powerful and very dangerous." + +People like Gilbertson and Alexander Graham Bell are always talking about +ripping off the phone company and screwing Ma Bell. But if they were shown a +single button and told that by pushing it they could turn the entire circuitry +of A.T.&T. into molten puddles, they probably wouldn't push it. The +disgruntled-inventor phone phreak needs the phone system the way the lapsed +Catholic needs the Church, the way Satan needs a God, the way The Midnight +Skulker needed, more than anything else, response. + +Later that evening Gilbertson finished telling me how delighted he was at the +flood of blue boxes spreading throughout the country, how delighted he was to +know that "this time they're really screwed." He suddenly shifted gears. + +"Of course. I do have this love/hate thing about Ma Bell. In a way I almost +like the phone company. I guess I'd be very sad if they were to disintegrate. +In a way it's just that after having been so good they turn out to have these +things wrong with them. It's those flaws that allow me to get in and mess with +them, but I don't know. There's something about it that gets to you and makes +you want to get to it, you know." + +I ask him what happens when he runs out of interesting, forbidden things to +learn about the phone system. + +"I don't know, maybe I'd go to work for them for a while." + +"In security even?" + + + Page 56 + + + + + The Official Phreaker's Manual + +"I'd do it, sure. I just as soon play -- I'd just as soon work on either +side." + +"Even figuring out how to trap phone phreaks? I said, recalling Mark Bernay's +game." + +"Yes, that might be interesting. Yes, I could figure out how to outwit the +phone phreaks. Of course if I got too good at it, it might become boring +again. Then I'd have to hope the phone phreaks got much better and outsmarted +me for a while. That would move the quality of the game up one level. I might +even have to help them out, you know, 'Well, kids, I wouldn't want this to get +around but did you ever think of -- ?' I could keep it going at higher and +higher levels forever." + +The dealer speaks up for the first time. He has been staring at the soft +blinking patterns of light and colors on the translucent tiled wall facing him. +(Actually there are no patterns: the color and illumination of every tile is +determined by a computerized random-number generator designed by Gilbertson +which insures that there can be no meaning to any sequence of events in the +tiles.) + +"Those are nice games you're talking about," says the dealer to his friend. +"But I wouldn't mind seeing them screwed. A telephone isn't private anymore. +You can't say anything you really want to say on a telephone or you have to go +through that paranoid bullshit. 'Is it cool to talk on the phone?' I mean, +even if it is cool, if you have to ask 'Is it cool,' then it isn't cool. You +know. 'Is it cool,' then it isn't cool. You know. Like those blind kids, +people are going to start putting together their own private telephone +companies if they want to really talk. And you know what else. You don't hear +silences on the phone anymore. They've got this time-sharing thing on +long-distance lines where you make a pause and they snip out that piece of time +and use it to carry part of somebody else's conversation. Instead of a pause, +where somebody's maybe breathing or sighing, you get this blank hole and you +only start hearing again when someone says a word and even the beginning of the +word is clipped off. Silences don't count -- you're paying for them, but they +take them away from you. It's not cool to talk and you can't hear someone when +they don't talk. What the hell good is the phone? I wouldn't mind seeing them +totally screwed." + ++-- End third file of four --+ + + + + + + + + + + + + + + + + + + + + Page 57 + + + + + The Official Phreaker's Manual + + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + * * + * +----------------------------------------------+ * + * * + * Secrets of the Little Blue Box * + * * + * by Ron Rosenbaum * + * Typed by One Farad Cap/AAG * + * * + * -A story so incredible it may even make you * + * feel sorry for the phone company- * + * * + * (Fourth of four files) * + * * + * +----------------------------------------------+ * + * * + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + +The Big Memphis Bust + +Joe Engressia never wanted to screw Ma Bell. His dream had always been to work +for her. + +The day I visited Joe in his small apartment on Union Avenue in Memphis, he was +upset about another setback in his application for a telephone job. + +"They're stalling on it. I got a letter today telling me they'd have to +postpone the interview I requested again. My landlord read it for me. They +gave me some runaround about wanting papers on my rehabilitation status but I +think there's something else going on." + +When I switched on the 40-watt bulb in Joe's room -- he sometimes forgets when +he has guests -- it looked as if there was enough telephone hardware to start a +small phone company of his own. + +There is one phone on top of his desk, one phone sitting in an open drawer +beneath the desk top. Next to the desk-top phone is a cigar-box-size M-F +device with big toggle switches, and next to that is some kind of switching and +coupling device with jacks and alligator plugs hanging loose. Next to that is +a Braille typewriter. On the floor next to the desk, lying upside down like a +dead tortoise, is the half-gutted body of an old black standard phone. Across +the room on a torn and dusty couch are two more phones, one of them a +touch-tone model; two tape recorders; a heap of phone patches and cassettes, +and a life-size toy telephone. + +Our conversation is interrupted every ten minutes by phone phreaks from all +over the country ringing Joe on just about every piece of equipment but the toy +phone and the Braille typewriter. One fourteen-year-old blind kid from +Connecticut calls up and tells Joe he's got a girl friend. He wants to talk to +Joe about girl friends. Joe says they'll talk later in the evening when they +can be alone on the line. Joe draws a deep breath, whistles him off the air +with an earsplitting 2600-cycle whistle. Joe is pleased to get the calls but he +looked worried and preoccupied that evening, his brow constantly furrowed over +his dark wandering eyes. In addition to the phone-company stall, he has just +learned that his apartment house is due to be demolished in sixty days for +urban renewal. For all its shabbiness, the Union Avenue apartment house has +been Joe's first home-of-his-own and he's worried that he may not find another +before this one is demolished. + + Page 58 + + + + + The Official Phreaker's Manual + + +But what really bothers Joe is that switchmen haven't been listening to him. +"I've been doing some checking on 800 numbers lately, and I've discovered that +certain 800 numbers in New Hampshire couldn't be reached from Missouri and +Kansas. Now it may sound like a small thing, but I don't like to see sloppy +work; it makes me feel bad about the lines. So I've been calling up switching +offices and reporting it, but they haven't corrected it. I called them up for +the third time today and instead of checking they just got mad. Well, that +gets me mad. I mean, I do try to help them. There's something about them I +can't understand -- you want to help them and they just try to say you're +defrauding them." + +It is Sunday evening and Joe invites me to join him for dinner at a Holiday +Inn. Frequently on Sunday evening Joe takes some of his welfare money, calls a +cab, and treats himself to a steak dinner at one of Memphis' thirteen Holiday +Inns. (Memphis is the headquarters of Holiday Inn. Holiday Inns have been a +favorite for Joe ever since he made his first solo phone trip to a Bell +switching office in Jacksonville, Florida, and stayed in the Holiday Inn there. +He likes to stay at Holiday Inns, he explains, because they represent freedom +to him and because the rooms are arranged the same all over the country so he +knows that any Holiday Inn room is familiar territory to him. Just like any +telephone.) + +Over steaks in the Pinnacle Restaurant of the Holiday Inn Medical Center on +Madison Avenue in Memphis, Joe tells me the highlights of his life as a phone +phreak. + +At age seven, Joe learned his first phone trick. A mean baby-sitter, tired of +listening to little Joe play with the phone as he always did, constantly, put a +lock on the phone dial. "I got so mad. When there's a phone sitting there and +I can't use it... so I started getting mad and banging the receiver up and +down. I noticed I banged it once and it dialed one. Well, then I tried +banging it twice...." In a few minutes Joe learned how to dial by pressing the +hook switch at the right time. "I was so excited I remember going 'whoo whoo' +and beat a box down on the floor." + +At age eight Joe learned about whistling. "I was listening to some intercept +non working-number recording in L.A.- I was calling L.A. as far back as that, +but I'd mainly dial non working numbers because there was no charge, and I'd +listen to these recordings all day. Well, I was whistling 'cause listening to +these recordings can be boring after a while even if they are from L.A., and +all of a sudden, in the middle of whistling, the recording clicked off. I +fiddled around whistling some more, and the same thing happened. So I called +up the switch room and said, 'I'm Joe. I'm eight years old and I want to know +why when I whistle this tune the line clicks off.' He tried to explain it to +me, but it was a little too technical at the time. I went on learning. That +was a thing nobody was going to stop me from doing. The phones were my life, +and I was going to pay any price to keep on learning. I knew I could go to +jail. But I had to do what I had to do to keep on learning." + +The phone is ringing when we walk back into Joe's apartment on Union Avenue. +It is Captain Crunch. The Captain has been following me around by phone, +calling up everywhere I go with additional bits of advice and explanation for +me and whatever phone phreak I happen to be visiting. This time the Captain +reports he is calling from what he describes as "my hideaway high up in the +Sierra Nevada." He pulses out lusty salvos of M-F and tells Joe he is about to +"go out and get a little action tonight. Do some phreaking of another kind, if +you know what I mean." Joe chuckles. + + Page 59 + + + + + The Official Phreaker's Manual + + +The Captain then tells me to make sure I understand that what he told me about +tying up the nation's phone lines was true, but that he and the phone phreaks +he knew never used the technique for sabotage. They only learned the technique +to help the phone company. + +"We do a lot of troubleshooting for them. Like this New Hampshire/Missouri +WATS-line flaw I've been screaming about. We help them more than they know." + +After we say good-bye to the Captain and Joe whistles him off the line, Joe +tells me about a disturbing dream he had the night before: "I had been caught +and they were taking me to a prison. It was a long trip. They were taking me +to a prison a long long way away. And we stopped at a Holiday Inn and it was +my last night ever using the phone and I was crying and crying, and the lady at +the Holiday Inn said, 'Gosh, honey, you should never be sad at a Holiday Inn. +You should always be happy here. Especially since it's your last night.' And +that just made it worse and I was sobbing so much I couldn't stand it." + +Two weeks after I left Joe Engressia's apartment, phone-company security agents +and Memphis police broke into it. Armed with a warrant, which they left pinned +to a wall, they confiscated every piece of equipment in the room, including his +toy telephone. Joe was placed under arrest and taken to the city jail where he +was forced to spend the night since he had no money and knew no one in Memphis +to call. + +It is not clear who told Joe what that night, but someone told him that the +phone company had an open-and-shut case against him because of revelations of +illegal activity he had made to a phone-company undercover agent. + +By morning Joe had become convinced that the reporter from Esquire, with whom +he had spoken two weeks ago, was the undercover agent. He probably had ugly +thoughts about someone he couldn't see gaining his confidence, listening to him +talk about his personal obsessions and dreams, while planning all the while to +lock him up. + +"I really thought he was a reporter," Engressia told the Memphis Press-Seminar. +"I told him everything...." Feeling betrayed, Joe proceeded to confess +everything to the press and police. + +As it turns out, the phone company did use an undercover agent to trap Joe, +although it was not the Esquire reporter. + +Ironically, security agents were alerted and began to compile a case against +Joe because of one of his acts of love for the system: Joe had called an +internal service department to report that he had located a group of defective +long-distance trunks, and to complain again about the New Hampshire/Missouri +WATS problem. Joe always liked Ma Bell's lines to be clean and responsive. A +suspicious switchman reported Joe to the security agents who discovered that +Joe had never had a long-distance call charged to his name. + +Then the security agents learned that Joe was planning one of his phone trips +to a local switching office. The security people planted one of their agents +in the switching office. He posed as a student switchman and followed Joe +around on a tour. He was extremely friendly and helpful to Joe, leading him +around the office by the arm. When the tour was over he offered Joe a ride back +to his apartment house. On the way he asked Joe -- one tech man to another -- +about "those blue boxers" he'd heard about. Joe talked about them freely, +talked about his blue box freely, and about all the other things he could do + + Page 60 + + + + + The Official Phreaker's Manual + +with the phones. + +The next day the phone-company security agents slapped a monitoring tape on +Joe's line, which eventually picked up an illegal call. Then they applied for +the search warrant and broke in. + +In court Joe pleaded not guilty to possession of a blue box and theft of +service. A sympathetic judge reduced the charges to malicious mischief and +found him guilty on that count, sentenced him to two thirty-day sentences to be +served concurrently and then suspended the sentence on condition that Joe +promise never to play with phones again. Joe promised, but the phone company +refused to restore his service. For two weeks after the trial Joe could not be +reached except through the pay phone at his apartment house, and the landlord +screened all calls for him. + +Phone-phreak Carl managed to get through to Joe after the trial, and reported +that Joe sounded crushed by the whole affair. + +"What I'm worried about," Carl told me, "is that Joe means it this time. The +promise. That he'll never phone-phreak again. That's what he told me, that +he's given up phone-phreaking for good. I mean his entire life. He says he +knows they're going to be watching him so closely for the rest of his life +he'll never be able to make a move without going straight to jail. He sounded +very broken up by the whole experience of being in jail. It was awful to hear +him talk that way. I don't know. I hope maybe he had to sound that way. Over +the phone, you know." + +He reports that the entire phone-phreak underground is up in arms over the +phone company's treatment of Joe. "All the while Joe had his hopes pinned on +his application for a phone-company job, they were stringing him along getting +ready to bust him. That gets me mad. Joe spent most of his time helping them +out. The bastards. They think they can use him as an example. All of sudden +they're harassing us on the coast. Agents are jumping up on our lines. They +just busted ------'s mute yesterday and ripped out his lines. But no matter +what Joe does, I don't think we're going to take this lying down." + +Two weeks later my phone rings and about eight phone phreaks in succession say +hello from about eight different places in the country, among them Carl, Ed, +and Captain Crunch. A nationwide phone-phreak conference line has been +reestablished through a switching machine in --------, with the cooperation of +a disgruntled switchman. + +"We have a special guest with us today," Carl tells me. + +The next voice I hear is Joe's. He reports happily that he has just moved to a +place called Millington, Tennessee, fifteen miles outside of Memphis, where he +has been hired as a telephone-set repairman by a small independent phone +company. Someday he hopes to be an equipment troubleshooter. + +"It's the kind of job I dreamed about. They found out about me from the +publicity surrounding the trial. Maybe Ma Bell did me a favor busting me. +I'll have telephones in my hands all day long." + +"You know the expression, 'Don't get mad, get even'?" phone-phreak Carl asked +me. "Well, I think they're going to be very sorry about what they did to Joe +and what they're trying to do to us." + ++-- End fourth file of four --+ + + Page 61 + + + + + The Official Phreaker's Manual + + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + $ $ + $ THE HISTORY OF ESS $ + $ --- ------- -- --- $ + $ $ + $ $ + $ Another original phile by: $ + $ $ + $ $ + $$$$$$$$$$$$-=>Lex Luthor<=-$$$$$$$$$$$ + $ $ + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + + + Of all the new 1960s wonders of telephone technology - satellites, ultra +modern Traffic Service Positions (TSPS) for operators, the picturephone, and so +on - the one that gave Bell Labs the most trouble, and unexpectedly became the +greatest development effort in Bell System's history, was the perfection of an +electronic switching system, or ESS. + + It may be recalled that such a system was the specific end in view when the +project that had culminated in the invention of the transistor had been +launched back in the 1930s. After successful accomplishment of that planned +miracle in 1947-48, further delays were brought about by financial stringency +and the need for further development of the transistor itself. In the early +1950s, a Labs team began serious work on electronic switching. As early as +1955, Western Electric became involved when five engineers from the Hawthorne +works were assigned to collaborate with the Labs on the project. The president +of AT&T in 1956, wrote confidently, "At Bell Labs, development of the new +electronic switching system is going full speed ahead. We are sure this will +lead to many improvements in service and also to greater efficiency. The first +service trial will start in Morris, Ill., in 1959." Shortly thereafter, Kappel +said that the cost of the whole project would probably be $45 million. + + But it gradually became apparent that the development of a commercially +usable electronic switching system -in effect, a computerized telephone +exchange - presented vastly greater technical problems than had been +anticipated, and that, accordingly, Bell Labs had vastly underestimated both +the time and the investment needed to do the job. The year 1959 passed without +the promised first trial at Morris, Illinois; it was finally made in November +1960, and quickly showed how much more work remained to be done. As time +dragged on and costs mounted, there was a concern at AT&T and some-thing +approaching panic at Bell Labs. But the project had to go forward; by this +time the investment was too great to be sacrificed, and in any case, forward +projections of increased demand for telephone service indicated that within a +phew years a time would come when, without the quantum leap in speed and +flexibility that electronic switching would provide, the national network would +be unable to meet the demand. In November 1963, an all-electronic switching +system went into use at the Brown Engineering Company at Cocoa Beach, Florida. +But this was a small installation, essentially another test installation, +serving only a single company. Kappel's tone on the subject in the 1964 annual +report was, for him, an almost apologetic: "Electronic switching equipment must +be manufactured in volume to unprecedented standards of reliability.... To turn +out the equipment economically and with good speed, mass production methods +must be developed; but, at the same time, there can be no loss of precision..." +Another year and millions of dollars later, on May 30, 1965, the first +commercial electric central office was put into service at Succasunna, New +Jersey. + + Page 62 + + + + + The Official Phreaker's Manual + + + Even at Succasunna, only 200 of the town's 4,300 subscribers initially had +the benefit of electronic switching's added speed and additional services, such +as provision for three party conversations and automatic transfer of incoming +calls. But after that, ESS was on its way. In January 1966, the second +commercial installation, this one serving 2,900 telephones, went into service +in Chase, Maryland. By the end of 1967 there were additional ESS offices in +California, Connecticut, Minnesota, Georgia, New York, Florida, and +Pennsylvania; by the end of 1970 there were 120 offices serving 1.8 million +customers; and by 1974 there were 475 offices serving 5.6 million customers. + + The difference between conventional switching and electronic switching is +the difference between "hardware" and "software"; in the former case, +maintenance is done on the spot, with screwdriver and pliers, while in the case +of electronic switching, it can be done remotely, by computer, from a central +point, making it possible to have only one or two technicians on duty at a time +at each switching center. + + The development program, when the final figures were added up, was found to +have required a staggering four thousand man-years of work at Bell Labs and to +have cost not $45 million but $500 million! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 63 + + + + + The Official Phreaker's Manual + + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + $ $ + $ THE HISTORY OF BRITISH PHREAKING $ + $ -=- -=-=-=- -- -=-=-=- -=-=-=-=- $ + $ $ + $ THE SECOND IN A SERIES OF $ + $ THE HISTORY OF.....PHILES $ + $ $ + $ WRITTEN AND UPLOADED BY: $ + $ $ + $$$$$$$$$$$$-=>LEX LUTHOR<=-$$$$$$$$$$$ + $ AND $ + $ THE LEGION OF DOOM! $ + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + + NOTE: THE BRITISH POST OFFICE, IS THE U.S. EQUIVALENT OF MA BELL. + + IN BRITAIN, PHREAKING GOES BACK TO THE EARLY FIFTIES, WHEN THE TECHNIQUE OF +'TOLL A DROP BACK' WAS DISCOVERED. TOLL A WAS AN EXCHANGE NEAR ST. PAULS +WHICH ROUTED CALLS BETWEEN LONDON AND NEARBY NON-LONDON EXCHANGES. THE TRICK +WAS TO DIAL AN UNALLOCATED NUMBER, AND THEN DEPRESS THE RECEIVER-REST FOR 1/2 +SECOND. THIS FLASHING INITIATED THE 'CLEAR FORWARD' SIGNAL, LEAVING THE CALLER +WITH AN OPEN LINE INTO THE TOLL A EXCHANGE.THE COULD THEN DIAL 018, WHICH +FORWARDED HIM TO THE TRUNK EXCHANGE AT THAT TIME, THE FIRST LONG DISTANCE +EXCHANGE IN BRITAIN AND FOLLOW IT WITH THE CODE FOR THE DISTANT EXCHANGE TO +WHICH HE WOULD BE CONNECTED AT NO EXTRA CHARGE. + + THE SIGNALS NEEDED TO CONTROL THE UK NETWORK TODAY WERE PUBLISHED IN THE +"INSTITUTION OF POST OFFICE ENGINEERS JOURNAL" AND REPRINTED IN THE SUNDAY +TIMES (15 OCT. 1972). + + THE SIGNALLING SYSTEM THEY USE: SIGNALLING SYSTEM NO. 3 USES PAIRS OF +FREQUENCIES SELECTED FROM 6 TONES SEPARATED BY 120HZ. WITH THAT INFO, THE +PHREAKS MADE "BLEEPERS" OR AS THEY ARE CALLED HERE IN THE U.S. "BLUE BOX", BUT +THEY DO UTILIZE DIFFERENT MF TONES THEN THE U.S., THUS, YOUR U.S. BLUE BOX +THAT YOU SMUGGLED INTO THE UK WILL NOT WORK, UNLESS YOU CHANGE THE +FREQUENCIES. + + IN THE EARLY SEVENTIES, A SIMPLER SYSTEM BASED ON DIFFERENT NUMBERS OF PULSES +WITH THE SAME FREQUENCY (2280HZ) WAS USED. FOR MORE INFO ON THAT, TRY TO GET A +HOLD OF: ATKINSON'S "TELEPHONY AND SYSTEMS TECHNOLOGY". + + IN THE EARLY DAYS OF BRITISH PHREAKING, THE CAMBRIDGE UNIVERSITY TITAN +COMPUTER WAS USED TO RECORD AND CIRCULATE NUMBERS FOUND BY THE EXHAUSTIVE +DIALING OF LOCAL NETWORKS. THESE NUMBERS WERE USED TO CREATE A CHAIN OF LINKS +FROM LOCAL EXCHANGE TO LOCAL EXCHANGE ACROSS THE COUNTRY, BYPASSING THE TRUNK +CIRCUITS. BECAUSE THE INTERNAL ROUTING CODES IN THE UK NETWORK ARE NOT THE +SAME AS THOSE DIALED BY THE CALLER, THE PHREAKS HAD TO DISCOVER THEM BY 'PROBE +AND LISTEN' TECHNIQUES OR MORE COMMONLY KNOWN IN THE U.S.-- SCANNING. WHAT +THEY DID WAS PUT IN LIKELY SIGNALS AND LISTENED TO FIND OUT IF THEY SUCCEEDED. +THE RESULTS OF SCANNING WERE CIRCULATED TO OTHER PHREAKS. DISCOVERING EACH +OTHER TOOK TIME AT FIRST, BUT EVENTUALLY THE PHREAKS BECAME ORGANIZED. THE +"TAP" OF BRITAIN WAS CALLED "UNDERCURRENTS" WHICH ENABLED BRITISH PHREAKS TO +SHARE THE INFO ON NEW NUMBERS, EQUIPMENT ETC. + + TO UNDERSTAND WHAT THE BRITISH BRITISH PHREAKS DID, THINK OF THE PHONE +NETWORK IN THREE LAYERS OF LINES: LOCAL, TRUNK, AND INTERNATIONAL.#IN THE UK, +SUBSCRIBER TRUNK DIALING (STD), IS THE MECHANISM WHICH TAKES A CALL FROM THE + + Page 64 + + + + + The Official Phreaker's Manual + +LOCAL LINES AND (LEGITIMATELY) ELEVATES IT TO A TRUNK OR INTERNATIONAL +LEVEL.#THE UK PHREAKS FIGURED THAT A CALL AT TRUNK LEVEL CAN BE ROUTED THROUGH +ANY NUMBER OF EXCHANGES, PROVIDED THAT THE RIGHT ROUTING CODES WERE FOUND AND +USED CORRECTLY. THEY ALSO HAD TO DISCOVER HOW TO GET FROM LOCAL TO TRUNK LEVEL +EITHER WITHOUT BEING CHARGED (WHICH THEY DID WITH A BLEEPER BOX) OR WITHOUT +USING (STD). CHAINING HAS ALREADY BEEN MENTIONED BUT IT REQUIRES LONG STRINGS +OF DIGITS AND SPEECH GETS MORE AND MORE FAINT AS THE CHAIN GROWS, JUST LIKE IT +DOES WHEN YOU STACK TRUNKS BACK AND FORTH ACROSS THE U.S.#THE WAY THE SECURITY +REPS SNAGGED THE PHREAKS WAS TO PUT A SIMPLE 'PRINTERMETER' OR AS WE CALL IT: +A PEN REGISTER ON THE SUSPECTS LINE, WHICH SHOWS EVERY DIGIT DIALED FROM THE +SUBSCRIBERS LINE. + + THE BRITISH PREFER TO GET ONTO THE TRUNKS RATHER THAN CHAINING. ONE WAY WAS +TO DISCOVER WHERE LOCAL CALLS USE THE TRUNKS BETWEEN NEIGHBORING EXCHANGES, +START A CALL AND STAY ON THE TRUNK INSTEAD OF RETURNING TO THE LOCAL LEVEL ON +REACHING THE DISTANT SWITCH. THIS AGAIN REQUIRED EXHAUSTIVE DIALING AND MADE +MORE WORK FOR TITAN; IT ALSO REVEALED 'FIDDLES', WHICH WERE INSERTED BY POST +OFFICE ENGINEERS. + + WHAT FIDDLING MEANS IS THAT THE ENGINEERS REWIRED THE EXCHANGES FOR THEIR OWN +BENEFIT. THE EQUIPMENT IS MODIFIED TO GIVE ACCESS TO A TRUNK WITH OUT BEING +CHARGED, AN OPERATION WHICH IS PRETTY EASY IN STEP BY STEP (SXS) +ELECTROMECHANICAL EXCHANGES, WHICH WERE INSTALLED IN BRITAIN EVEN IN THE 1970S +(NOTE: I KNOW OF A BACK DOOR INTO THE CANADIAN SYSTEM ON A 4A CO., SO IF YOU +ARE ON SXS OR A 4A, TRY SCANNING 3 DIGIT EXCHANGES, IE: DIAL 999,998,997 +ETC.#AND LISTEN FOR THE BEEP-KERCHINK, IF THERE ARE NO 3 DIGIT CODES WHICH +ALLOW DIRECT ACCESS TO A TANDEM IN YOUR LOCAL EXCHANGE AND BYPASSES THE AMA SO +YOU WON'T BE BILLED, NOT HAVE TO BLAST 2600 EVERY TIME YOU WISH TO BOX A CALL. + + A FAMOUS BRITISH 'FIDDLER' REVEALED IN THE EARLY 1970S WORKED BY DIALING 173. +THE CALLER THEN ADDED THE TRUNK CODE OF 1 AND THE SUBSCRIBERS LOCAL NUMBER. AT +THAT TIME, MOST ENGINEERING TEST SERVICES BEGAN WITH 17X, SO THE ENGINEERS +COULD HIDE THEIR FIDDLES IN THE NEST OF SERVICE WIRES. WHEN SECURITY REPS +STARTED SEARCHING, THE FIDDLES WERE CONCEALED BY TONES SIGNALLING: 'NUMBER +UNOBTAINALBE' OR 'EQUIPMENT ENGAGED' WHICH SWITCHED OFF AFTER A DELAY. THE +NECESSARY RELAYS ARE SMALL AND EASILY HIDDEN. + + THERE WAS ANOTHER SIDE TO PHREAKING IN THE UK IN THE SIXTIES. BEFORE STD WAS +WIDESPREAD, MANY 'ORDINARY' PEOPLE WERE DRIVEN TO. + +OCCASIONAL PHREAKING FROM SHEER FRUSTRATION AT THE INEFFICIENT OPERATOR +CONTROLLED TRUNK SYSTEM. THIS CAME TO A HEAD DURING A STRIKE ABOUT 1961 WHEN +OPERATORS COULD NOT BE REACHED. NOTHING COMPLICATED WAS NEEDED. MANY +OPERATORS HAD BEEN IN THE HABIT OF REPEATING THE CODES AS THEY DIALLED THE +REQUESTED NUMBERS SO PEOPLE SOON LEARNT THE NUMBERS THEY CALLED FREQUENTLY. +THE ONLY 'TRICK' WAS TO KNOW WHICH EXCHANGES COULD BE DIALLED THROUGH TO PASS +ON THE TRUNK NUMBER.CALLERS ALSO NEEDED A PRETTY QUIET PLACE TO DO IT, SINCE +TIMING RELATIVE TO CLICKS WAS IMPORTANT THE MOST FAMOUS TRIAL OF BRITISH +PHREAKS WAS CALLED THE OLD BAILY TRIAL.#WHICH STARTED ON 3 OCT. 1973.#WHAT +THEY PHREAKS DID WAS TO DIAL A SPARE NUMBER AT A LOCAL CALL RATE BUT INVOLVING +A TRUNK TO ANOTHER EXCHANGE THEN THEY SEND A 'CLEAR FORWARD' TO THEIR LOCAL +EXCHANGE, INDICATING TO IT THAT THE CALL IS FINISHED;BUT THE DISTANT EXCHANGE +DOESN'T REALIZE BECAUSE THE CALLER'S PHONE IS STILL OFF THE HOOK. THEY NOW +HAVE AN OPEN LINE INTO THE DISTANT TRUNK EXCHANGE AND SENDS TO IT A 'SEIZE' +SIGNAL: '1' WHICH PUTS HIM ONTO ITS OUTGOING LINES NOW, IF THEY KNOW THE +CODES, THE WORLD IS OPEN TO THEM. ALL OTHER EXCHANGES TRUST HIS LOCAL EXCHANGE +TO HANDLE THE BILLING; THEY JUST INTERPRET THE TONES THEY HEAR. MEAN WHILE, +THE LOCAL EXCHANGE COLLECTS ONLY FOR A LOCAL CALL. THE INVESTIGATORS + + Page 65 + + + + + The Official Phreaker's Manual + +DISCOVERED THE PHREAKS HOLDING A CONFERENCE SOMEWHERE IN ENGLAND SURROUNDED BY +VARIOUS PHONE EQUIPMENT AND BLEEPER BOXES, ALSO PRINTOUTS LISTING 'SECRET' POST +OFFICE CODES. (THEY PROBABLY GOT THEM FROM TRASHING?) THE JUDGE SAID: "SOME +TAKE TO HEROIN, SOME TAKE TO TELEPHONES" FOR THEM PHONE PHREAKING WAS NOT A +CRIME BUT A HOBBY TO BE SHARED WITH PHELLOW ENTHUSIASTS AND DISCUSSED WITH THE +POST OFFICE OPENLY OVER DINNER AND BY MAIL. THEIR APPROACH AND ATTITUDE TO THE +WORLDS LARGEST COMPUTER, THE GLOBAL TELEPHONE SYSTEM, WAS THAT OF SCIENTISTS +CONDUCTING EXPERIMENTS OR PROGRAMMERS AND ENGINEERS TESTING PROGRAMS AND +SYSTEMS. THE JUDGE APPEARED TO AGREE, AND EVEN ASKED THEM FOR PHREAKING CODES +TO USE FROM HIS LOCAL EXCHANGE!!! + +# $-THE END-$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 66 + + + + + The Official Phreaker's Manual + + Bad as Shit + + Recently, a telephone fanatic in the northwest made an interesting +discovery. He was exploring the 804 area code (Virginia) and found out that +the 840 exchange did something strange. + In the vast majority of cases, in fact in all of the cases except one, he +would get a recording as if the exchange didn't exist. However, if he dialed +804-840 and four rather predictable numbers, he got a ring! + + After one or two rings, somebody picked up. Being experienced at this kind +of thing, he could tell that the call didn't "supe", that is, no charges were +being incurred for calling this number. + (Calls that get you to an error message, or a special operator, generally +don't supervise.) A female voice, with a hint of a Southern accent said, +"Operator, can I help you?" + + "Yes," he said, "What number have I reached?" + + "What number did you dial, sir?" + + He made up a number that was similar. + + "I'm sorry that is not the number you reached." Click. + + He was fascinated. What in the world was this? He knew he was going to +call back, but before he did, he tried some more experiments. He tried the 840 +exchange in several other area codes. In some, it came up as a valid exchange. +In others, exactly the same thing happened -- the same last four digits, the +same Southern belle. Oddly enough, he later noticed, the areas worked in +seemed to travel in a beeline from Washington DC to Pittsburgh, PA. + + He called back from a payphone. "Operator, can I help you?" + + "Yes, this is the phone company. I'm testing this line and we don't seem to +have an identification on your circuit. What office is this, please?" + + "What number are you trying to reach?" + + "I'm not trying to reach any number. I'm trying to identify this circuit." + + "I'm sorry, I can't help you." + + "Ma'am, if I don't get an ID on this line, I'll have to disconnect it. We +show no record of it here." + + "Hold on a moment, sir." + + After about a minute, she came back. "Sir, I can have someone speak to you. +Would you give me your number, please?" + + He had anticipated this and he had the payphone number ready. After he gave +it, she said, "Mr. XXX will get right back to you." + + "Thanks." He hung up the phone. It rang. INSTANTLY! "Oh my God," he +thought, "They weren't asking for my number -- they were confirming it!" + + "Hello," he said, trying to sound authoritative. + + + Page 67 + + + + + The Official Phreaker's Manual + + "This is Mr. XXX. Did you just make an inquiry to my office concerning a +phone number?" + + "Yes. I need an identi--" + + "What you need is advice. Don't ever call that number again. Forget you +ever knew it." + + At this point our friend got so nervous he just hung up. He expected to +hear the phone ring again but it didn't. + + Over the next few days he racked his brains trying to figure out what the +number was. He knew it was something big -- that was pretty certain at this +point. It was so big that the number was programmed into every central office +in the country. He knew this because if he tried to dial any other number in +that exchange, he'd get a local error message from his CO, as if the exchange +didn't exist. + + It finally came to him. He had an uncle who worked in a federal agency. He +had a feeling that this was government related and if it was, his uncle could +probably find out what it was. He asked the next day and his uncle promised to +look into the matter. + + The next time he saw his uncle, he noticed a big change in his manner. He +was trembling. "Where did you get that number?!" he shouted. "Do you know I +almost got fired for asking about it?!? They kept wanting to know where I got +it." + + Our friend couldn't contain his excitement. "What is it?" he pleaded. +"What's the number?!" + +"IT'S THE PRESIDENT'S BOMB SHELTER!" + + He never called the number after that. He knew that he could probably cause +quite a bit of excitement by calling the number and saying something like, "The +weather's not good in Washington. We're coming over for a visit." But our +friend was smart. he knew that there were some things that were better off +unsaid and undone. <> + + + + + + + + + + + + + + + + + + + + + + Page 68 + + + + + The Official Phreaker's Manual + + Chapter 3 + + This chapter is really just a bunch of FACS (pun intended). Here is where +random facts that really have something to do with everything else but nothing +to do with anything else, are presented. They cover various topics such as: +Conferencing, Tracing, Pen registers, Calling cards, and some basic FMF (Fool +the Mother Fuckers). The aspects covered here are very brief and could easily +be covered much more thoroughly, but it is no problem since they are not very +important topics. Something that would make a very nice gift is covered in the +article AT&T forgery. Just make up stationary with AT&T letter head and give +it as a present to your phriends who would appreciate it. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 69 + + + + + The Official Phreaker's Manual + + Phreaking COSMOS + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + COSMOS is Bell's computer for handling information on customer lines, +special services on lines, and orders to change line equipment, disconnect +lines, etc. COSMOS stands for Computerized System for Mainframe Operations. It +is based on the UNIX operating system and, depending upon the COSMOS and upon +your access, has some, many, or no UNIX standard commands. COSMOS is powerful, +but there is no reason to be afraid of it. This article will give some of the +basic, pertinent info on how users get in, account format, and a few other +goodies. + + Password Identification + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + To get onto COSMOS you need a dialup, account, password, and wire center +(WC). Wire centers are two letter codes that tell what section of the COSMOS +you are in. There are different WC's f or different areas and groups of +exchanges. Examples are PB, SR, LK, et c. Sometimes there are accounts that +have no password; obviously such accounts are the easiest to hack. + + Checking It Out + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + Let's suppose you have a COSMOS number which you obtained one way or +another. The first thing to do would be to make sure it is really a COSMOS +system, not some other Bell or AT&T computer. To do this, you would call it +and connect your modem,, then hit some returns until you got a response. It +should say: + + ';LOGIN:' or 'NAME:'. + If you enter some garbage it should say: +'PASSWORD:'. + If you hit a return and it says 'WC?', it is a COSMOS system. If it says +something like 'TA%' then you're in business. If it doesn't do any of the +above, then it is either some other kind of system, or, if you're not getting +anything at all, the dialup has probably gone bad. + + Getting In + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + COSMOS has certain accounts that are usually on the system, one of which +might not have a password. They consist of ROOT (most powerful and almost +always on the system), SYS (second most powerful, still many privileges), BIN +(a little less power), PREOP (a little less), and COSMOS (hardly any +privileges, like a normal user). The way to tell if they have passwords is by +entering accounts at the ';LOGIN:' or ' NAME:' prompt, and if it jumps straight +to 'WC?', all you need is a WC to get in. But suppose all of the accounts have +passwords? You have two choices. You can try to hack the password and WC to +one of the above accounts. I won't deal with this method, as is +self-explanatory. Or you can do something I find much easier...call the +COSMOS during business hours and hope that someone forgot to log off. Keep +calling until when you connect and hit return until you get a 'WC%' prompt. +'WC' is the WC that the account you found is currently in. You are now in! + + What to Do while on-line + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + + Page 70 + + + + + The Official Phreaker's Manual + + The first thing you want to do is write down the WC you are in. Only on our +first login it is a good idea to print everything or dump everything to a +buffer. + + Commands + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +'WCFLDS'(!) : Should list all WC's. +'WHO' : Should print everyone currently logged on the system, giving +some accounts. +'TTY' : Tells what terminal port you are on. +'WHERE' : Should tell the location of the COSMOS installation. +'WHAT' : Tells what version of COSNIX, COSMOS's operating system, it +is. +'LS *' : Prints all the files you have access to. +'CD /dir' : Connects you to the directory '/dir'. +'CAT filename ' : Prints the file 'filename'. +'Q' : Quits the editor. +CTRL- Y. : Logs off +'TAT' : Sometimes prints a little help file. +'ISH' : Check someone's telefone #, type 'ISH' at the COSMOS 'WC%' +prompt. Then type. +'HTN XXX-XXXX' : (Hunt Telephone Number) to tell you about the local number +you are interested in. + +'CAT /ETC/PASSWD': Prints out the password file, if you have access. The +passwords are almost always encrypted, but you get a list of all the accounts. +If you are lucky, one of the lines will have two colons after the account name. +This means there is no prompt from the ';LOGIN:' or 'NAME:' prompts when you +enter that account. + +To run a file just type the name followed by a return. + + When the system gives you a '-', you type a '.', and it will type all kinds +of info on the phone number you entered (in Bell abbreviations, of course). If +it is not a good exchange, it will say something to that effect. You type a +period to end the ISH. + If you wish to learn more information about COSMOS, find yourself a COSMOS +manual or look at future issues of 2600. A UNIX manual would also be helpful +for standard UNIX commands. + + + + + + + + + + + + + + + + + + + + + Page 71 + + + + + The Official Phreaker's Manual + + FACS FACTS + A LOOK AT THE NEW FACS SYSTEMS + BY SHARP RAZOR + + + BELL ATLANTIC (AND PROBABLY THE REST OF THE U.S. SOON ENOUGH) IS REVAMPING +COSMOS. THE PROJECT IS CALLED FACS (FACILITATED ASSIGNMENT AND CONTROL +SYSTEM).FACS IS COMPOSED OF 5 MODULES WHICH ARE DESIGNED TO FUNCTION AS A +UNIFIED SYSTEM. THE PREMIS AND THE COSMOS SYSTEMS CAN FUNCTION AS ST AND-ALONE +SYSTEMS.THE FIVE PARTS OF FACS ARE PREMIS,SOAC, LFACS,COSMOS,AND THE WM. + + THE PREMIS (PREMISES INFORMATION SYSTEM) SUPPORTS BOTH RESIDENCE AND +BUSINESS ACCOUNTS. PREMIS IS USED FOR VARIOUS INQUIRIES FOR THE STREET ADDRESS +GUIDE(SAG),IE::PHONE NUMBERS,BILLING CHARGES,CREDIT,ETC. + + THE SECOND PART OF FACS IS THE SOAC(SERVICE ORDER ANALYSIS AND CONTROL). +THIS IS PRIMARILY USED TO INPUT SERVICE ORDER DATA INTO FACS, AND TO GET THE +APPROPRIATE OUTPUT. SOAC INTERPRETS, VALIDATES,AND DECOMPOSES ALL INPUTED DATA +AND SENDS THE INFO TO THE COSMOS AND THE LFACS SYSTEMS. + + THE THIRD PART OF THE SYSTEM IS LFACS(LOOP FACILITIES AND CONTROL SYSTEM). +THIS IS THE COMPONENT OF FACS THAT IS RESPONSIBLE FOR MAINTAINING THE +INVENTORY,DOING THE ASSIGNMENTS, ADMINISTRATING INQUIRIES AND REPORTS, AND IS +THE INVENTORY TRANSFORMATION CENTER. THIS PART OF FACS WILL BE MOSTLY USED FOR +AIDING THE AT&T LINEMEN. + + THE COSMOS SYSTEM(COMPUTER SYSTEM FOR MAINFRAME OPERATIONS) COMPRISES THE +FOURTH PART OF THE FACS SYSTEM. COSMOS IS THE COMPONENT OF FACS THAT IS +RESPONSIBLE FOR MAINTAINING THE MECHANIZED INVENTORY OF MDF FACILITIES,STORING +CUSTOM CALL FEATURES(IE:SPEED DIALING NUMBERS),AND OTHER MISC. INFO. + + THE FIFTH AND LAST PIECE OF THE FACS SYSTEM IS THE WORK MANAGER (WM). HIS +COMPONENT SERVES AS THE FRONT-END PROCESSOR FOR COSMOS. IT ENABLES A NUMBER OF +COSMOS COMPUTERS TO RELIABLY COMMUNICATE WITH THE OTHER FACS COMPONENTS. WM +SERVES AS THE MESSAGES SWITCHING SYSTEM FOR THE FACS PIECES, AND GENERALLY IS +THE "MESSENGER AND STABILIZER" OF THE SYSTEM. + + THE HARDWARE THAT WILL RUN THIS FACS SYSTEM IS: + COSMOS: 22-WECO. 3B-20S MINI COMPS. + WM: 6-WECO. 3B-20S MINI COMPS. + SOAC-LFACS-PREMIS: TWO SPERRY UNIVAC 1100/92 MAINFRAMES. + BANCS 2 THP CYBER 1000 PROCESSORS. + + THE FACS SYSTEM IS STARTING UP AT THIS VERY MOMENT. THIS IS BASICALLY A +BROAD VIEW OF THE FACS SYSTEM. AT&T SEEMS TO THINK THAT FACS WILL BE MORE +EFFICIENT,SAVE THEM MONEY IN THE LONG RUN, AND SAVE THEM WORKERS(HERE COME SOME +MASSIVE LAYOFFS!) WHAT THIS MEANS TO PHREAKERS AND HACKERS IS THAT YOU WILL NOW +HAVE AT LEAST FIVE DIAL-UPS IN AN AREA CODE WITH WHICH YOU CAN PHUCK WITH +AT&T! + + ..LATER.. + ..SHARP RAZOR>> + THE LEGION OF DOOM! +(NOTE: THE FACS SYSTEM HAS RECENTLY BEEN PUT INTO OPERATION(SUMMER 84) IN +ST.LOUIS MISSOURI) + + + + + Page 72 + + + + + The Official Phreaker's Manual + + Telenet + + It seems that not many of you know that Telenet is connected to about 80 +computer-networks in the world. No, I don't mean 80 nodes, but 80 networks with +thousands of unprotected computers. When you call your local Telenet- gateway, +you can only call those computers which accept reverse-charging- calls. + If you want to call computers in foreign countries or computers in USA which +do not accept R-calls, you need a Telenet-ID. Did you ever notice that you can +type ID XXXX when being connected to Telenet? You are then asked for the +password. If you have such a NUI (Network-User-ID) you can call nearly every +host connected to any computer-network in the world. Here are some examples: + +026245400090184 :Is a VAX in Germany (Username: DATEXP and leave mail for +CHRIS !!!) +0311050500061 :Is the Los Alamos Integrated computing network (One of the +hosts connected to it is the DNA (Defense Nuclear Agency)!!!) +0530197000016 :Is a BBS in New Zealand +024050256 :Is the S-E-Bank in Stockholm, Sweden (Login as GAMES !!!) +02284681140541 :CERN in Geneva in Switzerland (one of the biggest nuclear +research centers in the world) Login as GUEST +0234212301161 :A Videotex-standard system. Type OPTEL to get in and use the +ID 999_ with the password 9_ +0242211000001 :University of Oslo in Norway (Type LOGIN 17,17 to play the +Multi-User-Dungeon !) +0425130000215 :Something like ITT Dialcom, but this one is in Israel ! ID +HELP with password HELP works fine with security level 3 +0310600584401 :Is the Washington Post News Service via Tymnet (Yes, Tymnet is +connected to Telenet, too !) ID and Password is: PETER You can read the news +of the next day ! + +The prefixes are as follows: +02624 is Datex-P in Germany +02342 is PSS in England +03110 is Telenet in USA +03106 is Tymnet in USA +02405 is Telepak in Sweden +04251 is Isranet in Israel +02080 is Transpac in France +02284 is Telepac in Switzerland +02724 is Eirpac in Ireland +02704 is Luxpac in Luxembourg +05252 is Telepac in Singapore +04408 is Venus-P in Japan +...and so on... Some of the countries have more than one +packet-switching-network (USA has 11, Canada has 3, etc). + +OK. That should be enough for the moment. As you see most of the passwords are +very simple. This is because they must not have any fear of hackers. Only a few +German hackers use these networks. Most of the computers are absolutely easy to +hack !!! So, try to find out some Telenet-ID's and leave them here. If you need +more numbers, leave e-mail. +I'm calling from Germany via the German Datex-P network, which is similar to +Telenet. We have a lot of those NUI's for the German network, but none for a +special Tymnet-outdial-computer in USA, which connects me to any phone #. + +CUL8R, Mad Max + +PS: Call 026245621040000 and type ID INF300 with password DATACOM to get more + + Page 73 + + + + + The Official Phreaker's Manual + +Informations on packet-switching-networks ! + +PS2: The new password for the Washington Post is KING !!!! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 74 + + + + + The Official Phreaker's Manual + + Phreaking AT&T Cards + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + My topic will deal with using an AT&T calling card for automated calls. Ok +to place a call with an AT&T card, lift the handset (PAY PHONE) hit (0) and the +desired area code and the number to call. Also when calling the same number +that the card is being billed to you enter the phone number and at the tone +only enter the last four digits on the card. But we don't want to do that now, +do we. If additional calls are wanted all you do is hit the (#) and you will +get a new dial tone! After you hit (#) you do not have to re-enter the calling +card number simply enter your desired number and it will connect you. + If the number you called is busy just keep hitting (#) and the number to be +called until you connect! Ok to calL the U.S. of a from another country, you +use the exact same format as described above! + Ok now I will describe the procedure for placing calls to a foreign +country, such as CANADA,RUSSIA,SOUTH AMERICA, etc.. Ok first lift the handset +then enter (01) + the country code + the city code + the local telephone +number. Ok after you get the tone enter the AT&T calling card number. Ok if you +can not dial operator assisted calls from your area don't worry just jingle the +operator and she will handle your call, don't worry she can't see you! + The international number on the AT&T calling card is used for calling the +US of A from places like RUSSIA, CHINA you never know when you might get stuck +in a country like those and you have no money to make a call! The international +operator will be able to tell you if they honor the AT&T calling card. + Well I hope that this has straightened out some of your problems on the use +of an AT&T calling card! All you have to remember is that weather you are +placing the call or the operator, be careful and never use the calling card +from your home phone!! That is a BIG NO NO.. + + Also AT&T has came out with a new thing called (NEW CARD CALLER SERVICE) +they say that it was designed to meet the public's needs! These phones will be +popping up in many place such as airport terminals, hotels, etc... What the new +card caller service is, is a new type of phone that has a (CRT) screen that +will talk to you in a language of your choice. The service works something +like this, when you find a (NEW CARD CALLER PHONE), all you do is follow the +instructions on the (CRT) screen, then you insert the (NEW CARD CALLER CARD) +and there is a strip of magnetic tape on the card which reads the number, thus +no one can hear you saying your number or if there were a bug in the phone,no +touch tones will be heard!! You can also bill the call to a third party. that +is one that I am not totally clear on yet! The phone is supposed to tell you +how it can be done. That is after you have inserted your card and lifted the +receiver! + + + + + + + + + + + + + + + + + + Page 75 + + + + + The Official Phreaker's Manual + + :%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%: + :% %: + :% AT&T FORGERY %: + :% Written by The Blue Buccaneer %: + :% %: + :% CALL THE EVERLASTING SPEED DEMON BBS AT (415) 522-3074 %: + :% Uploaded by Elric of Imrryr of Lunatic Labs UnLtd %: + :%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%: + + +Here is a very simple way to either: + +[1] Play an incredibly cruel and realistic joke on a phreaking friend. + -OR- +[2] Provide yourself with everything you ever wanted to be an AT&T person. + + All you need to do is get your hands on some AT&T paper and/or business +cards. To do this you can either go down to your local business office and +swipe a few or call up somewhere like WATTS INFORMATION and ask them to send +you their information package. They will send you: +1. A nice letter (with the AT&T logo letterhead) saying "Here is the info." +2. A business card (again with AT&T) saying who the sales representative is. +3. A very nice color booklet telling you all about WATTS lines. +4. Various billing information. (Discard as it is very worthless) + + Now take the piece of AT&T paper and the AT&T business card down to your +local print/copy shop. Tell them to run you off several copies of each, but to +leave out whatever else is printed on the business card/letter. If they refuse +or ask why, take your precious business elsewhere. +(This should only cost you around $2.00 total) + + Now take the copies home and either with your typewriter, MAC, or Fontrix, +add whatever name, address, telephone number, etc. you like. (I would recommend +just changing the name on the card and using whatever information was on there +earlier) + + And there you have official AT&T letters and business cards. As mentioned +earlier, you can use them in several ways. Mail a nice letter to someone you +hate (on AT&T paper..hehehe) saying that AT&T is onto them or something like +that. (Be sure to use correct English and spelling) (Also do not hand write +the letter! Use a typewriter! - Not Fontrix as AT&T doesn't use OLD ENGLISH or +ASCII BOLD when they type letters. Any IBM typewriter will do perfectly) + + Another possible use (of many, I guess) is (if you are old enough to look +the part) to use the business card as some sort of fake id. + + The last example of uses for the fake AT&T letters & b.cards is mentioned in +my textfile, BASIC RADIO CALLING. Briefly, send the station a letter that +reads: + WCAT - FM202: (Like my examples? Haha!) +(As you probably know, radio stations give away things by accepting the 'x' +call. (ie: The tenth caller through wins a pair of Van Halen tickets) Sometimes +they may ask a trivia question, but that's your problem. Anyway, the letter +continues:) + (You basically say that they have become so popular that they are getting too +many calls at once from listeners trying to win tickets. By asking them to +call all at the same time is overloading our systems. We do, of course, have +means of handling these sort of matters, but it would require you sending us a + + Page 76 + + + + + The Official Phreaker's Manual + +schedule of when you will be asking your listeners to call in. That way we +would be able to set our systems to handle the amount of callers you get at +peak times..(etc..etc..more BS..But you get the idea, right?) + +Joseph Hakimout +AT&T Telecommunications +East Bumblefuck, Nowheresville 55555 + + + Ok, so it probably won't work (DJs just aren't that dumb, unless you really +do live in Nowheresville), but using AT&T paper and a business card might up +your chances some. + + :-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:- + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 77 + + + + + The Official Phreaker's Manual + + =><---------------------------------><= + => A little something about <= + => Your phone company <= + =><---------------------------------><= + => By Col. Hogan <= + ======================================== + + Ever get an operator who gave you a hard time, and you didn't know +what to do? Well if the operator hears you use a little Bell jargon, she might +wise up. Here is a little diagram (excuse the artwork) of the structure of +operators + +/--------\ /------\ /-----\ +!Operator!-- > ! S.A. ! --->! BOS ! +\--------/ \------/ \-----/ + ! + ! + V +/-------------\ +! Group Chief ! +\-------------/ + + Now most of the operators are not bugged, so they can curse at you, if they +do ask INSTANTLY for the "S.A." or the Service Assistant. The operator does not +report to her (95% of them are hers) but they will solve most of your problems. +She MUST give you her name as she connects & all of these calls are bugged. If +the SA gives you a rough time get her BOS (Business Office Supervisor) on the +line. S/He will almost always back her girls up, but sometimes the SA will get +tarred and feathered. The operator reports to the Group Chief, and S/He will +solve 100% of your problems, but the chances of getting S/He on the line are +nill. + If a lineman (the guy who works out on the poles) or an installation man +gives you the works ask to speak to the Installation Foreman, that works +wonders. + Here is some other bell jargon, that might come in handy if you are having +trouble with the line. Or they can be used to lie your way out of +situations.... + + An Erling is a line busy for 1 hour, used mostly in traffic studies A +Permanent Signal is that terrible howling you get if you disconnect, but don't +hang up. + Everyone knows what a busy signal is, but some idiots think that is the +*Actual* ringing of the phone, when it just is a tone "beeps" when the phone is +ringing, wouldn't bet on this though, it can (and does) get out of sync. + When you get a busy signal that is 2 times as fast as the normal one, the +person you are trying to reach isn't really on the phone, (he might be), it is +actually the signal that a trunk line somewhere is busy and they haven't or +can't reroute your call. Sometimes you will get a Recording, or if you get +nothing at all (Left High & Dry in fone terms) all the recordings are being +used and the system is really overused, will probably go down in a little +while. This happened when Kennedy was shot, the system just couldn't handle the +calls. By the way this is called the "reorder signal" and the trunk line is +"blocked". + One more thing, if an overseas call isn't completed and doesn't generate +any money for AT&T, is is called an "Air & Water Call". + + + + + Page 78 + + + + + The Official Phreaker's Manual + + [ESSENCE OF TELEPHONE CONFERENCING] + [WRITTEN BY:] + [FOREST RANGER] + + TELEPHONE CONFERENCING IS AN EASY WAY OF GETTING MANY FRIENDS TOGETHER AT +ONCE. THIS CAN BE ACCOMPLISHED EASILY WITH LITTLE OR NO TROUBLE WHAT SO EVER. +THE TECHNIQUES THAT I WILL TEACH YOU DO NOT REQUIRE A BLUE BOX OR A TOUCH TONE +PHONE LINE. THE ONLY PREREQUISITE IS THAT YOU HAVE A PHONE THAT HAS A TONE +SWITCH ON IT OR HAVE A HOOKABLE TOUCH TONE KEYPAD. NOW, IF YOU ARE THE PARANOID +TYPE OF PERSON AND REFUSE TO USE YOUR OWN PHONE OUT OF YOUR HOUSE THEN HERE ARE +SOME SIMPLE WAYS OF GETTING CONFERENCES STARTED FROM ANOTHER PHONE. GO TO A +MALL OR A PLACE WHERE YOU KNOW THE PHONE IS BEING PAYED FOR BY THE BUSINESS IT +IS IN. + NOW THERE ARE TWO TO CALL THE CONFERENCE OPERATOR; DIAL "0" TO GET YOUR +LOCAL OPERATOR SO SHE CAN PUT YOU THROUGH TO THE CONFERENCE OPERATOR OR DIAL +THE CONFERENCE OPERATOR DIRECTLY IF YOU HAVE THE NUMBER HANDY. THE SYSTEM YOU +WILL BE LINKED UP TO IS CALLED THE "ALLIANCE" SYSTEM. THERE ARE THREE BRANCHES; +1000,2000,3000. + NOW ONCE YOU HAVE GOTTEN THE CONFERENCE OPERATOR YOU TELL HER YOU WOULD +LIKE TO START A CONFERENCE AND YOU WOULD LIKE TO MAINTAIN CONTROL OF IT. SHE +WILL THEN PROCEED TO ASK YOU FOR YOUR NAME AND NUMBER. YOU WILL THEN GIVE HER A +FAKE NAME AND THE NUMBER OF THE PAY PHONE. SHE WILL HANG UP AND CALL YOU BACK +ONCE SHE HAS CHECKED THE NUMBER. THEY USUALLY DON'T REALIZE IT IS A PAYPHONE SO +DON'T THINK IT WON'T WORK! NOW ONCE THE OPERATOR HAS GIVEN YOU CONTROL YOU WILL +THEN PROCEED TO HACK MY VOICE PHONE AND PUT ME ON THE CONFERENCE. + NOW, THE OTHER WAY OF STARTING A CONFERENCE IN WHICH YOU DON'T GET A LIVE +OPERATOR IS A "PBX". WITH THIS YOU WILL CALL A PBX NUMBER AND YOU WILL THEN +RECEIVE A RECORDING OF A BUSINESS OR OFFICE CO. THEN WHEN THE RECORDING IS OVER +YOU WILL HERE A BEEP...THEN AFTER ABOUT 10-30 SECONDS AFTER THE BEEP YOU WILL +GET A DIAL TONE ON THE ON THE END OF THE PBX. YOU WILL THEN TYPE THE PBX CODE +WHICH WILL THEN RESPOND WITH A RECORDING WELCOMING YOU TO THE CONFERENCING +NETWORK (WHICH WILL IN MOST IF NOT ALL BE THE "ALLIANCE" SYSTEM). + IT WILL BE SELF EXPLANATORY FROM THERE. NOW IF YOU DON'T WISH TO CALL THE +CONFERENCE OPERATOR EITHER WAY ALREADY EXPLAINED THEN THERE IS A WAS OF GETTING +YOUR FRIENDS IN CONFERENCE. THIS IS DONE OVER A LOOP EXTENSION. NO ONE WILL +HAVE CONTROL, BUT YOU WILL STILL BE ON CONFERENCE. THIS IS CALLED THE SEVEN +LINE LOOP EXTENSION. THIS MEANS YOU CAN HAVE UP TO SEVEN MEMBERS, BUT THAT IS +IT! THE NUMBER IS IN LA, CA. 213-206-2820. THE LAST WAY I WILL EXPLAIN TO YOU +IF YOU ARE IN DESPERATE NEED OF A CONFERENCE IS TO GO TO PAY PHONE LIKE I +MENTIONED BEFORE ANY MAKE SURE SOME BUSINESS PAYS THE BILL FOR IT THEN CALL THE +CONFERENCE OPERATOR IN THE FASHIONS MENTIONED AND ASK THE CONFERENCE OPERATOR +TO PLACE CONFERENCE CALLS. + THE WILL THEN ASK FOR THE NUMBERS OF THE PEOPLE TO PUT ON CONFERENCE, YOU +GIVE HER THE NUMBERS AND SHE WILL PUT YOU ALL ON CONFERENCE. WHEN YOU ARE DONE +YOU WILL HANG UP ON HER SO THERE WILL BE NO ONE IN CONTROL.THAT MEANS THE +CONFERENCE WILL BE BILLED TO THE PAYPHONE AND NO ONE CAN BE BLAMED FOR THE +CONFERENCE DUE TO NO ONE BEING IN CONTROL! ***NOTE*** THE CONFERENCE OPERATOR +WILL NOT BE ON WHILE YOU ARE ALL TALKING! REMEMBER THAT CONFERENCES ARE NOT +HARD AND IT IS VERY HARD TO GET ARRESTED ON ONE DUE TO WHAT I HAVE MENTIONED. + + REMEMBER:REACH OUT AND PHREAK SOMEONE! + + + +[TELEPHONE CONFERENCE CONTROLS] + + # - CONTROL MODE + # - 6 PASSES CONTROL + + Page 79 + + + + + The Official Phreaker's Manual + + # - 1 + AREA CODE & NUMBER ADDS + # - 9 SILENT MODE + # - 7 GETS CONFERENCE OPERATOR + * - ENDS CONFERENCE + + + THE "#" IS THE CONTROL KEY ON YOUR CONFERENCES. WHEN YOU PASS CONTROL TO +SOMEONE ELSE HIT THE "#" THEN "6". WAIT FOR THE RECORDING TO SAY ENTER # OF +PERSON TO PASS CONTROL TO, THEN ENTER THE NUMBER OF THE PERSON YOU ARE GOING TO +GIVE CONTROL TO. + TO ADD A PERSON ON TO THE CONFERENCE HIT "#" THEN "1","AREA CODE","NUMBER". +THEN WHEN THE PERSON ANSWERS WAIT FIVE SECONDS THEN HIT THE "#" TO ADD. IF YOU +ARE IN CONTROL OF THE CONFERENCE AND YOU WANT TO HEAR EVERYONE ELSE, BUT YOU DO +NOT WANT TO BE HEARD IT "#" THEN "9" THEN THE "#" TO REJOIN THE CONFERENCE. +REMEMBER AFTER ADDING SOMEONE ON OR PASSING CONTROL TO SOMEONE YOU MUST ALWAYS +HIT THE "#" TO REJOIN THE OTHERS ON CONFERENCE: PASSING CONTROL: "#","6", WAIT +FOR RECORDING TO SAY ENTER NUMBER OF PARTY TO GIVE CONTROL TO THEN ENTER NUMBER +AND HIT "#" TO REJOIN YOUR CONFERENCE.IF YOU EVER WANT TO GET A CONFERENCE +OPERATOR FOR SOME STRANGE REASON THEN HIT "#","7" AND WAIT FOR A CONFERENCE +OPERATOR TO CLICK ON. TO END A CONFERENCE HIT "*". + + WITH HELP FROM: SILICON FALCON, SILVER CONDOR, AND THE ELIMINATOR. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 80 + + + + + The Official Phreaker's Manual + + Phone Tapping + + HERE IS SOME INFO ON PHONE TAPS. I HAVE ENCLOSED A SCHEMATIC FOR A SIMPLE +WIRETAP & INSTRUCTIONS FOR HOOKING UP A TAPE RECORDER CONTROL RELAY TO THE +PHONE LINE. + FIRST I'LL DISCUSS TAPS A LITTLE. THERE ARE MANY DIFFERENT TYPES OF TAPS. +THERE ARE TRANSMITTERS, WIRED TAPS AND INDUCTION TAPS TO NAME A FEW. WIRED AND +WIRELESS TRANSMITTERS MUST BE PHYSICALLY CONNECTED TO THE LINE BEFORE THEY'LL +DO ANY GOOD. ONCE A WIRELESS TAP IS CONNECTED TO THE LINE, IT CAN TRANSMIT ALL +CONVERSATIONS OVER A LIMITED RANGE. THE PHONES IN THE HOUSE CAN EVEN BE +MODIFIED TO PICK UP CONVERSATIONS IN THE ROOM & TRANSMIT THEM TOO! THESE TAPS +ARE USUALLY POWERED OFF THE PHONE LINE, BUT CAN HAVE AN EXTERNAL POWER SOURCE. + WIRED TAPS, ON THE OTHER HAND, NEED NO POWER SOURCE, BUT A WIRE MUST BE +RUN FROM THE LINE TO THE LISTENER OR TO A TRANSMITTER. THERE ARE OBVIOUS +ADVANTAGES OF WIRELESS TAPS OVER WIRED ONES. THERE IS ONE TYPE OF WIRELESS TAP +THAT LOOKS LIKE A NORMAL TELEPHONE MIKE. ALL YOU HAVE TO DO IS REPLACE THE +ORIGINAL MIKE WITH THIS & IT'LL TRANSMIT ALL CONVERSATIONS! + THERE IS AN EXOTIC TYPE OF WIRED TAP KNOWN AS THE 'INFINITY TRANSMITTER' OR +'HARMONICA BUG'. IN ORDER TO HOOK UP ONE OF THESE, YOU NEED ACCESS TO THE +TARGET TELEPHONE. IT HAS A TONE DECODER & SWITCH INSIDE. WHEN IT IS +INSTALLED, SOMEONE CALLS THE TAPPED PHONE & *BEFORE* IT RINGS, BLOWS A WHISTLE +OVER THE LINE. THE X-MITTER RECEIVES THE TONE & PICKS UP THE PHONE VIA A +RELAY. THE MIKE ON THE PHONE IS ACTIVATED SO THE CALLER CAN HEAR ALL +CONVERSATIONS IN THE ROOM. + THERE IS A SWEEP TONE TEST AT 415/BUG-1111 WHICH CAN BE USED TO DETECT ON +OF THESE TAPS. IF ONE OF THESE IS ON YOUR LINE & THE TEST # SENDS THE CORRECT +TONE, YOU'LL HEAR A CLICK. + INDUCTION TAPS HAVE ONE BIG ADVANTAGE OVER TAPS THAT MUST BE PHYSICALLY +WIRED TO THE PHONE. THEY DON'T HAVE TO BE TOUCHING THE PHONE IN ORDER TO PICK +UP THE CONVERSATION. THEY WORK ON THE SAME PRINCIPLE AS THE LITTLE SUCTION-CUP +TAPE RECORDER MIKES YOU CAN GET AT RADIO SHACK. INDUCTION MIKES CAN BE HOOKED +UP TO A TRANSMITTER OR BE WIRED. HERE IS AN EXAMPLE OF INDUSTRIAL ESPIONAGE +USING THE PHONE: + A SALESMAN WALKS INTO AN OFFICE & MAKES A FONE CALL. HE FAKES THE +CONVERSATION, BUT WHEN HE HANGS UP HE SLIPS SOME FOAM-RUBBER CUBES UNDER THE +HANDSET, SO THE FONE IS STILL OFF THE HOOK. THE CALLED PARTY CAN STILL HEAR +ALL CONVERSATIONS IN THE ROOM. WHEN SOMEONE PICKS UP THE FONE, THE CUBES FALL +AWAY UNNOTICED. + I USE A TAP ON MY LINE TO MONITOR WHAT AE-PRO IS DOING WHEN IT AUTO-DIALS, +SINCE IT DOESN'T TAKE ADVANTAGE OF THE HANDSET ON THE APPLE CAT II. I CAN ALSO +HOOK UP THE TAP TO A CASSETTE RECORDER OR AMPLIFIER. HERE IS THE SCHEMATIC: + +-------)!----)!(-------------> + )!( + CAP ^ )!( + )!( + )!( + )!( + ^^^^^---)!(-------------> + ^ 100K + ! + ! THE HITCHHINKERS <%=- + BRING YOUR TOWEL + + + + + + + + + + + + + + + + + + + + + Page 88 + + + + + The Official Phreaker's Manual + + 2600 Magazine's story on the Private Sector Bust + Uploaded by Elric of Imrryr + Lunatic Labs Unlimited + :::::::::::::::::::::::::::::::::::::::::::::::: + +Typed By Shooting Shark : The following article appeared in the August, 1985 +issue of 2600 Magazine. Subscriptions to 2600 are $12 a year for individuals. +Make checks payable to 2600 Enterprises, Inc. Write to: 2600, Box 752, Middle +Island, NY 11953-0752. Their phone number is 516-751-2600. Text of article +follows. + +SEIZED! +2600 Bulletin Board is Implicated in Raid on Jersey Hackers + + On July 12, 1985, law enforcement officials seized the Private Sector BBS, +the official computer bulletin board of 2600 magazine, for "complicity in +computer theft," under the newly passed, and yet untested, New Jersey Statute +2C:20-25. Police had uncovered in April a credit carding ring operated around +a Middlesex County electronic bulletin board, and from there investigated +other North Jersey bulletin boards. Not understanding subject matter of the +Private Sector BBS, police assumed that the sysop was involved in illegal +activities. Six other computers were also seized in this investigation, +including those of Store Manager [perhaps they mean Swap Shop Manager? - +Shark] who ran a BBS of his own, Beowolf, Red Barchetta, the Vampire, NJ Hack +Shack, sysop of the NJ Hack Shack BBS, and that of the sysop of the Treasure +Chest BBS. + + Immediately after this action, members of 2600 contacted the media, who +were completely unaware of any of the raids. They began to bombard the +Middlesex County Prosecutor's Office with questions and a press conference was +announced for July 16. The system operator of the Private Sector BBS attempted +to attend along with reporters from 2600. They were effectively thrown off +the premises. Threats were made to charge them with trespassing and other +crimes. An officer who had at first received them civilly was threatened with +the loss of his job if he didn't get them removed promptly. Then the car was +chased out of the parking lot. Perhaps prosecutor Alan Rockoff was afraid that +he presence of some technically literate reporters would ruin the effect of his +press release on the public. As it happens, he didn't need our help. + + The next day the details of the press conference were reported to the +public by the press. As Rockoff intended, paranoia about hackers ran rampant. +Headlines got as ridiculous as hackers ordering tank parts by telephone from +TRW and moving satellites with their home computers in order to make free phone +calls. These and even more exotic stories were reported by otherwise +respectable media sources. The news conference understandably made the front +page of most of the major newspapers in the US, and was a major news item as +far away as Australia and in the United Kingdom due to the sensationalism of +the claims. We will try to explain why these claims may have been made in this +issue. + + On July 18 the operator of The Private Sector was formally charged +with"computer conspiracy" under the above law, and released in the custody of +his parents. The next day the American Civil Liberties Union took over his +defense. The ACLU commented that it would be very hard for Rockoff to prove a +conspiracy just "because the same information, construed by the prosecutor to +be illegal, appears on two bulletin boards." especially as Rockoff admitted +that "he did not believe any of the defendants knew each other." The ACLU +believes that the system operator's rights were violated, as he was assumed to + + Page 89 + + + + + The Official Phreaker's Manual + +be involved in an illegal activity just because of other people under +investigation who happened to have posted messages on his board. + + In another statement which seems to confirm Rockoff's belief in guilt by +association, he announced the next day that "630 people were being investigated +to determine if any used their computer equipment fraudulently." We believe +this is only the user list of the NJ Hack Shack, so the actual list of those to +be investigated may turn out to be almost 5 times that. The sheer overwhelming +difficulty of this task may kill this investigation, especially as they find +that many hackers simply leave false information. Computer hobbyists all +across the country have already been called by the Bound Brook, New Jersey +office of the FBI. They reported that the FBI agents used scare tactics in +order to force confessions or to provoke them into turning in others. We would +like to remind those who get called that there is nothing inherently wrong or +illegal in calling any ANY BBS, nor in talking about ANY activity. The FBI +would not comment on the case as it is an "ongoing investigation" and in the +hands of the local prosecutor. They will soon find that many on the Private +Sector BBS's user list are data processing managers, telecommunications +security people, and others who are interested in the subject of the BBS, +hardly the underground community of computer criminals depicted at the news +conference. The Private Sector BBS was a completely open BBS, and police and +security people were even invited on in order to participate. The BBS was far +from the "elite" type of underground telecom boards that Rockoff attempted to +portray. + + Within two days, Rockoff took back almost all of the statements he had +made at the news conference, as AT&T and the DoD [Department of Defense - +Shark] discounted the claims he had made. He was understandably unable to find +real proof of Private Sector's alleged illegal activity, and was faced with +having to return the computer equipment with nothing to show for his effort. +Rockoff panicked, and on July 31, the system operator had a new charge against +him, "wiring up his computer as a blue box." Apparently this was referring to +his Novation Applecat modem which is capable of generating any hertz tone over +the phone line. By this stretch of imagination an Applecat could produce a +2600 hertz tone as well as the MF which is necessary for "blue boxing." +However, each and every other owner of an Applecat or any other modem that can +generate its own tones therefore has also "wired up his computer as a blue box" +by merely installing the modem. This charge is so ridiculous that Rockoff +probably will never bother to press it. However, the wording of WIRING UP THE +COMPUTER gives rockoff an excuse to continue to hold onto the computer longer +in his futile search for illegal activity. + + "We have requested that the prosecutors give us more specific +information," said Arthur Miller, the lawyer for The Private Sector. "The +charges are so vague that we can't really present a case at this point." +Miller will appear in court on August 16 to obtain this information. He is +also issuing a demand for the return of the equipment and, if the prosecutors +don't cooperate, will commence court proceedings against them. "They haven't +been particularly cooperative," he said. + + Rockoff probably will soon reconsider taking Private Sector's case to +court, as he will have to admit he just didn't know what he was doing when he +seized the BBS. The arrest warrant listed only "computer conspiracy" against +Private Sector, which is much more difficult to prosecute than the multitude of +charges against some of the other defendants, which include credit card fraud, +toll fraud, the unauthorized entry into computers, and numerous others. + + Both Rockoff and the ACLU mentioned the Supreme Court in their press + + Page 90 + + + + + The Official Phreaker's Manual + +releases, but he will assuredly take one of his stronger cases to test the new +New Jersey computer crime law. by seizing the BBS just because of supposed +activities discussed on it, Rockoff raises constitutional questions. Darrell +Paster, a lawyer who centers much of his work on computer crime, says the New +Jersey case is "just another example of local law enforcement getting on the +bandwagon of crime that has come into vogue to prosecute, and they have +proceeded with very little technical understanding, and in the process they +have abused many people's constitutional rights. What we have developing is a +mini witch hunt which is analogous to some of the arrests at day care centers, +where they sweep in and arrest everybody, ruin reputations, and then find that +there is only one or two guilty parties." We feel that law enforcement, not +understanding the information on the BBS, decided to strike first and ask +questions later. + + 2600 magazine and the sysops of the Private Sector BBS stand fully behind +the system operator. As soon as the equipment is returned, the BBS will go +back up. We ask all our readers to do their utmost to support us in our +efforts, and to educate as many of the public as possible that a hacker is not +a computer criminal. We are all convinced of our sysop's innocence, and await +Rockoff's dropping of the charges. + +NOTE: Readers will notice that our reporting of the events are quite different +than those presented in the media and by the Middlesex County Prosecutor. We +can only remind you that we are much closer to the events at hand than the +media is, and that we are much more technologically literate than the Middlesex +County Prosecutor's Office. The Middlesex County Prosecutor has already taken +back many of his statements, after the contentions were disproven by AT&T and +the DoD. One problem is that the media and the police tend to treat the seven +cases as one case, thus the charges against and activities of some of the +hackers has been extended to all of the charged. We at 2600 can only speak +about the case of Private Sector. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 91 + + + + + The Official Phreaker's Manual + + Chapter 4 + + By now I assume that the reader has a fair idea of what phreaking is, and +know a little bit about how to go about it. From now on, I will assume that +the reader has read all the material before this or understands all the +material covered. Now we will take a journey into the "Basics of +Telecommunications" and learn a little about how everything works, and is +related to everything else. This series of articles is extremely good and +should be read by all levels of phreaks. + As we go further into the advanced world of phreaking, we come closer to the +edge of technology. As we approach it, everything seems to become larger and +more complicated. We notice that many things that were possible aren't +anymore. Blue boxing is starting to become the only method of exploration as +Equal Access looms nearer and nearer. As it stands now, equal access is here, +and many LD services such as Sprint and MCI will be tougher to hack. Extenders +will become more used and abused, which will cause them to get access codes +miles long... + Blue boxing becomes harder as all Bell switching and transmission facilities +go under to CCIS. Then to further complicate things, digital microwave, fiber +optic, and satellite transmission are all coming to be digital and do not +recognize 2600hz for the hang up signal. I predict that around 1990, blue +boxes will be obsolete from all major cities. A new type of box will have to +be invented, or you'll have to get two fone line to phreak with, on to place +the actual call and the other to tap into a COSMOS computer to change the +status of the call from toll to toll-free, ie. 800#. + Well somethings will change for the better, with ISDN you'll get 144k bps +lines and some other neat stuff. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 92 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * BASIC TELECOMMUNICATIONS * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART II * + * * + ************************************************************ + + PREFACE: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN PART II, WE WILL EXPLORE THE VARIOUS SPECIAL BELL#'S, SUCH AS: CN/A, +AT&T NEWSLINES, LOOPS, 99XX #'S, ANI, RINGBACK, AND A FEW OTHERS. + + CN/A: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + CN/A, WHICH STANDS FOR CUSTOMER NAME AND ADDRESS, ARE BUREAUS THAT EXIST SO +THAT AUTHORIZED BELL EMPLOYEES CAN FIND OUT THE NAME AND ADDRESS OF ANY +CUSTOMER IN THE BELL SYSTEM. ALL #'S ARE MAINTAINED ON FILE INCLUDING UNLISTED +#'S. + +HERE'S HOW IT WORKS: + +1) YOU HAVE A # AND YOU WANT TO FIND OUT WHO OWNS IT, E.G. (914) 555-1234. + +2) YOU LOOK UP THE CN/A # FOR THAT NPA IN THE LIST BELOW. IN THE EXAMPLE, THE +NPA IS 914 AND THE CN/A# IS 518-471-8111. + +3) YOU THEN CALL UP THE CN/A # (DURING BUSINESS HOURS) AND SAY SOMETHING LIKE, +"HI, THIS IS JOHN JONES FROM THE RESIDENTIAL SERVICE CENTER IN MIAMI. CAN I +HAVE THE CUSTOMER'S NAME AT 914-555-1234. THAT # IS 914-555-1234." MAKE UP +YOUR OWN REAL SOUNDING NAME, THOUGH. + +4) IF YOU SOUND NATURAL & CHEERY, THE OPERATOR WILL ASK NO QUESTIONS. + + HERE'S THE LIST: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + NPA CN/A # NPA CN/A # + --- ------------ --- ------------ + 201 201-676-7070 517 313-232-8690 + 202 202-384-9620 518 518-471-8111 + 203 203-789-6800 519 416-487-3641 + 204 ****N/A***** 601 601-961-0877 + 205 205-988-7000 602 303-232-2300 + 206 206-382-8000 603 617-787-2750 + 207 617-787-2750 604 604-432-2996 + 208 303-232-2300 605 402-345-0600 + 209 415-546-1341 606 502-583-2861 + 212 518-471-8111 607 518-471-8111 + 213 213-501-4144 608 414-424-5690 + 214 214-948-5731 609 201-676-7070 + 215 412-633-5600 612 402-345-0600 + 216 614-464-2345 613 416-487-3641 + 217 217-525-7000 614 614-464-2345 + 218 402-345-0600 615 615-373-5791 + + Page 93 + + + + + The Official Phreaker's Manual + + 219 317-265-7027 616 313-223-8690 + 301 301-534-11?? 617 617-787-2750 + 302 412-633-5600 618 217-525-7000 + 303 303-232-2300 701 402-345-0600 + 304 304-344-8041 702 415-546-1341 + 305 912-784-9111 703 804-747-1411 + 306 ****N/A***** 704 912-784-9111 + 307 303-232-2300 705 416-487-3641 + 308 402-345-0600 707 415-546-1341 + 309 217-525-7000 709 ****N/A***** + 312 312-769-9600 712 402-345-0600 + 313 313-223-8690 713 713-658-1793 + 314 314-436-3321 714 213-995-0221 + 315 518-471-8111 715 414-424-5690 + 316 816-275-2782 716 518-471-8111 + 317 317-265-7027 717 412-633-5600 + 318 318-227-1551 801 303-232-2300 + 319 402-345-0600 802 617-787-2750 + 401 617-787-2750 803 912-784-9111 + 402 402-345-0600 804 804-747-1411 + 403 403-425-2652 805 415-546-1341 + 404 912-784-9111 806 512-828-2502 + 405 405-236-6121 807 416-487-3641 + 406 303-232-2300 808 212-226-5487 + 408 415-546-1341 BERMUDA ONLY + 412 412-633-5600 809 212-334-4336 + 413 617-787-2750 812 317-265-7027 + 414 414-424-5690 813 813-228-7871 + 415 415-546-1132 814 412-633-5600 + 416 416-487-3641 815 217-525-7000 + 417 314-436-3321 816 816-275-2782 + 418 514-861-6391 817 214-948-5731 + 419 614-464-2345 819 514-861-6391 + 501 405-236-6121 901 615-373-5791 + 502 502-583-2861 902 902-421-4110 + 503 503-241-3440 903 ****N/A***** + 504 504-245-5330 904 912-784-9111 + 505 303-232-2300 906 313-223-8690 + 506 506-657-3855 907 ****N/A***** + 507 402-345-0600 912 912-784-9111 + 509 206-382-8000 913 816-275-2782 + 512 512-828-2501 914 518-471-8111 + 513 614-464-2345 915 512-828-2501 + 514 514-861-6391 916 415-546-1341 + 515 402-345-0600 918 405-236-6121 + 516 518-471-8111 919 912-784-9111 + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + BELL USES THESE #'S MAINLY TO FIND OUT WHO OWNS A # THAT A CUSTOMER CLAIMS +HE NEVER CALLED. + +NOTE: THIS IS THE MOST COMPLETE LIST OF CN/A #'S IN MY POSSESSION (WITH ONLY +5 #'S NOT AVAILABLE) THIS LIST WAS COPYRIGHTED IN 1982 BY "JUDAS GERARD" AS IT +ORIGINALLY APPEARED IN TAP ISSUE #78. + AT&T NEWSLINES: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + NEWSLINES ARE RECORDINGS THAT BELL EMPLOYEES CALL UP TO FIND OUT THE LATEST + + Page 94 + + + + + The Official Phreaker's Manual + +INFO ON STOCK, TECHNOLOGY, ETC. CONCERNING THE BELL SYSTEM. + + HERE ARE THE #'S THAT ARE CURRENTLY KNOWN TO PHREAKS (AT LEAST ME, ANYWAY): + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + 201-483-3800 NJ 513-421-9060 OH + 203-771-4920 CT 516-234-9914 NY + 212-393-2151 NY 518-471-2272 NY + 213-621-4141 CA 617-955-1111 MA + 213-829-0111 CA (GTE) 702-789-6711 NV + 213-449-8830 CA 713-224-6116 TX + 312-368-8000 IL 714-238-1111 CA + 313-223-7223 MI 717-255-5555 PA + 314-247-5511 MO 717-787-1031 PA + 408-493-5000 CA 802-955-1111 VE + 412-633-3333 PA 808-533-4426 HI + 414-678-3511 WI 813-223-5666 FL + 416-929-4323 ONT. 914-948-8100 NY + 503-228-6271 OR 916-480-8000 CA + + LOOPS + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + FIRST OF ALL, YOU MUST UNDERSTAND THE CONCEPT OF LOOPS. I THINK THAT THE +BEST WAY THAT THIS IS UNDERSTOOD IS THE WAY THAT PHRED PHREEK EXPLAINED IT... + + "NO SELF-RESPECTING PHONE PHREAK CAN GO THROUGH LIFE WITHOUT KNOWING WHAT A +LOOP IS, HOW TO USE ONE, AND THE TYPES THAT ARE AVAILABLE. THE LOOP IS A GREAT +ALTERNATIVE COMMUNICATION MEDIUM THAT HAS MANY POTENTIAL USES THAT HAVEN'T EVEN +BEEN TAPPED YET. IN ORDER TO EXPLAIN WHAT A LOOP IS, IT WOULD BE HELPFUL TO +VISUALIZE TWO PHONE NUMBERS (LINES) JUST FLOATING AROUND IN THE TELCO CENTRAL +OFFICE (CO). NOW, IF YOU (AND A FRIEND PERHAPS) WERE TO CALL THESE TWO NUMBERS +AT THE SAME TIME, POOOOPFFF!!!, YOU ARE NOW CONNECTED TOGETHER. I HEAR WHAT +YOU'RE SAYING OUT THERE..., "BIG DEAL" OR "WHY SHOULD MA BELL COLLECT HERE TWO +MSU'S (MESSAGE UNITS) FOR ONE LOUSY PHONE CALL!?" WELL... THINK AGAIN. HAVEN'T +YOU EVER WANTED SOMEONE TO CALL YOU BACK BUT, WERE RELUCTANT TO GIVE OUT YOUR +HOME PHONE NUMBER (LIKE THE LAST TIME YOU TRIED TO GET YOUR FRIEND'S UNLISTED # +FROM THE BUSINESS OFFICE)? OR HOW ABOUT A COLLECT CALL TO YOUR FRIEND WAITING +ON A LOOP, WHO WILL GLADLY ACCEPT THE CHARGES? OR BETTER YET, STUMBLING UPON A +LOOP THAT YOU DISCOVER THAT HAS MULTI-USER CAPABILITY (FOR THOSE LATE-NIGHT +CONFERENCES). BEST OF ALL IS FINDING A NON-SUPERVISED LOOP THAT DOESN'T CHARGE +ANY MSU'S OR TOLLS TO ONE OR BOTH PARTIES. EXAMPLE: MANY MOONS AGO, A LOOP +AFFECTIONATELY KNOWN AS 'THE 332 LOOP' WAS NON-SUP (IE, NON-SUPERVISED) ON THE +TONE SIDE. I HAD MY FRIEND IN CALIFORNIA DIAL THE FREE (NON-SUP) SIDE, (212) +332-9906 AND I DIALED THE SIDE THAT CHARGED, 332-9900. AS YOU CAN SEE, I WAS +CHARGED ONE MSU, AND MY FRIEND AS CHARGED ZILCH, FOR AS LONG AS WE WISHED TO +TALK!!!" + + ********** + + AHHH...HAVE I PERKED YOUR INTEREST YET? IF SO, HERE IS HOW TO FIND A LOOP +OF YOU VERY OWN. FIRST, DO ALL OF YOU LOOP SEARCHING AT NIGHT! THIS IS BECAUSE +THE LOOPS SERVE A GENUINE TEST FUNCTION WHICH TELCO USES DURING THE DAY. (WE +DON'T WANT TO RUN INTO AN IRATE LINEMAN NOW, DO WE?) TO FIND A LOOP, HAVING 2 +#'S IS A DEFINITE PLUS. IF NOT, HAVE A FRIEND TO DIAL #'S AT HIS LOCATION. +LAST RESORT, TRY DIALING FROM TWO ADJACENT PAY PHONES. NOW GET YOUR TRUSTY +WHITE PAGES (*), AND TURN TO THE PAGE WHERE IT LISTS THE # OF MSU'S FROM YOUR +EXCHANGE (OR EXCHANGES IN YOUR PRIMARY CALLING AREA) THE IDEA IS TO FIND A LOOP + + Page 95 + + + + + The Official Phreaker's Manual + +THAT IS WITHIN YOUR PRIMARY CALLING AREA OR IS ONLY 1 MSU IN YOUR AREA (CALL +AREA A). THIS IS SO YOU DON'T GO BANKRUPT TRYING TO FIND A LOOP. WRITE DOWN ALL +OF THESE EXCHANGES AND DO A 99XX SCAN OF THOSE EXCHANGES (99XX SCANNING WILL BE +DISCUSSED SHORTLY). + + BEFORE WE GET UP TO 99XX SCANNING, WE WILL LOOK AT SOME OTHER LOOP INFO: + + LOOPS ARE FOUND PAIRS WHICH ARE USUALLY CLOSE TO EACH OTHER. FOR EXAMPLE, +IN NPA 212, WHERE THE INFAMOUS LOOPS ARE FOUND, THERE IS A STANDARD LOOP +FORMAT: + +MANHATTAN & BRONX-------NNX-9977/9979 +BROOKLYN & QUEENS-------NNX-9900/9906 + + NNX IS THE EXCHANGE TO BE SCANNED. HERE ARE SOME LOOPS THAT HAVE BEEN FOUND +IN NYC. THESE ARE USED MOSTLY BY PHREAKS AND CALL-IN LINES FOR PIRATE RADIO +STATIONS: + +212-220-9900/9906 +212-283-9977/9979 +212-352-9900/9906 +212-365-9977/9979 +212-529-9900/9906 +212-562-9977/9979 +212-982-9977/9979 +212-986-9977/9979 + + THE LOWER # IS THE TONE SIDE (SINGING SWITCH). THE HIGHER # IS ALWAYS +SILENT. THE TONE DISAPPEARS ON THE LOWER # WHEN SOMEBODY DIALS IN THE OTHER +SIDE OF THE LOOP. IF YOU ARE ON THE HIGHER #, YOU'LL HAVE TO LISTEN TO THE +CLICKS TO SEE IF SOMEBODY DIALED-IN. THE NYC 982 & 986 LOOPS ARE DIFFERENT +FROM OTHERS. USUALLY WHEN YOU PARK ON A LOOP, YOU WILL HEAR WHO EVER CALLS IN +ON THE OTHER HALF. WHEN THEY'RE DONE, THE NEXT CALLER (IF ANY) WILL BE QUEUED +IN, ONE AFTER ANOTHER. ON THE NYC 982 & 986, YOU SOMETIMES CAN'T GET ANY MORE +CALLERS IN AFTER THE FIRST. FURTHERMORE, IF YOU PARK ONE OF THESE LOOPS AND +THERE IS NOBODY ON THE OTHER END FOR MORE THAN 4 MINUTES, YOU MAY BE +AUTOMATICALLY DISCONNECTED. THESE LOOPS ARE GOOD FOR BACK-UP PURPOSES WHEN ALL +OTHER LOOPS ARE BUSY. + + 99XX SCANNING: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + MOST EVERY EXCHANGE IN THE BELL SYSTEM HAS A WIDE VARIETY OF TEST #'S AND +OTHER "GOODIES," SUCH AS LOOPS. THESE "GOODIES" ARE USUALLY FOUND BETWEEN 9900 +AND 9999 IN YOUR LOCAL EXCHANGE. IF YOU HAVE THE TIME AND INITIATIVE, SCAN +YOUR EXCHANGE AND YOU MAY BECOME LUCKY! + +HERE ARE MY FINDINGS IN THE 914-268: + +9901 - VERIFICATION (RECORDING OF A/C AND EXCHANGE) +9936 - VOICE # TO THE TELCO CO +9937 - VOICE # TO THE TELCO CO +9941 - CARRIER +9960 - OSC. TONE (TONE SIDE LOOP) +9963 - TONE (STOPS: MUTED) +9966 - CARRIER +9968 - TONE THAT DISAPPEARS--RESPONDS TO CERTAIN TOUCH-TONE KEYS + + + Page 96 + + + + + The Official Phreaker's Manual + + MOST OF THE #'S BETWEEN 9900 & 9999 WILL RING, BE BUSY, GO TO A SPECIAL +INTERCEPT OPERATOR ("WHAT #, PLEASE?"), OR WILL GO TO A "THE # YOU HAVE +REACHED..." RECORDING. WHAT YOU FIND DEPENDS UPON THE SWITCHING EQUIPMENT IN +THE EXCHANGE AND THE TELCO OPERATING COMPANY. + + WHEN SEARCHING FOR LOOPS, YOU MAY FIND ONE OF THE FOLLOWING POSSIBILITIES +WHEN YOU FIND ONE: + +1. YOU CAN HEAR THROUGH THE LOOP (NOT MUTED), BUT THERE IS A 1/2 SECOND CLICK +EVERY 10 SECONDS THAT INTERRUPTS THE AUDIO. THIS TYPE IS GOOD FOR BACK-UP USE +BUT THE FUCKING CLICK IS SUPER ANNOYING. + +2. ONE SIDE OF THE LOOP IS BUSY; TRY IT AGAIN LATER. + +3. THE TONE DISAPPEARS, BUT YOU CANNOT HEAR THROUGH IT (THE LOOP IS MUTED, TRY +AGAIN IN A MONTH OR SO) + +4. YOU GET "THE # YOU HAVE REACHED RECORDING." NO LOOP HERE! + + MOST LOOPS ARE MUTED (#3), BUT THEIR STATUS DOES CHANGES FROM TIME-TO-TIME. +IT ALL DEPENDS IF THE TELCO MAINTENANCE PERSONNEL REMEMBER TO "THROW THE +SWITCH", IE, TURN OFF THE LOOP. + + SINCE I HAVE DONE THE ABOVE 914-268 99XX SCAN, CONGERS (268) HAS INSTALLED +NEW SWITCHING EQUIPMENT (DMS100). SOME OF THE NUMBERS ARE THE SAME, BUT I HAVE +NOTICED THAT ON THE DMS100, THE RECORDINGS ARE ALSO STORED IN THIS AREA. +268-9903, 9906, 9909, & 9912 ARE ALL DIFFERENT RECORDINGS. ALSO, THERE ARE 2 +FORTRESS FONE RECORDINGS AT 268-9911 (DEPOSIT 5 CENTS OR ELSE) AND 268-9913 +(DEPOSIT 10 CENTS). NONE OF THESE RECORDINGS SUPE AND ALOT OF OTHER 99XX#'S +DON'T SUPE EITHER. + + IN SOME AREAS (LIKE MD), 9906-7 IS RINGBACK. IN WASHINGTON, THERE IS A +SWEEP TONE TEST AT (202) 560-9944. IN NYC (212), YOU'LL FIND THE INFAMOUS LOOP +LINES (AS MENTIONED ABOVE). + IT WILL BE EASIER TO SCAN YOUR EXCHANGE IF YOU MAKE UP A CHART LIKE THE ONE +BELOW: + + + NPA-NNX-99XX SCAN + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + _________________________________________________________ + | 99X X>|0 |1 |2 |3 |4 |5 |6 |7 |8 |9 | + |_______|____|____|____|____|____|____|____|____|____|____| + | 990 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 991 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 992 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 993 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 994 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 995 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 996 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + + Page 97 + + + + + The Official Phreaker's Manual + + | 997 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 998 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 999 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THIS LEAVES YOU WITH 100 BOXES (1 FOR EACH # BETWEEN 9900 & 9999). YOU +SHOULD MAKE YOUR BOXES BIG ENOUGH SO YOU CAN WRITE SOME SORT OF SHORTHAND IN +THEM. FOR EXAMPLE: + +B - BUSY (TRY AGAIN AT ANOTHER TIME) +R - RINGS (TRY AGAIN AT ANOTHER TIME) +O - INTERCEPT OPERATOR ("WHAT # YOU CALLING?) +R1- RECORDING 1 (MAKE A MARGIN NOTE OF THE TYPES OF RECORDINGS YOU GET) +T - TONE ] TONE AT A LOWER # + IGNORE +I - IGNORE ] AT A HIGHER # = LOOP +V - VOICE # TO TELCO CO - THEY USUALLY ANSWER WITH THE CITY NAME OR AREA. +C - CARRIER + + THERE WILL BE OTHERS AND YOU SHOULD USE OTHER CHARACTERS THAT YOU CAN +UNDERSTAND. + + NOW, BACK TO LOOPS! AS YOU MAY HAVE NOTICED IN MY 914-268 SCAN, I FOUND A +MUTED LOOP AND A TONE SIDE. 914-268 FAILED TO COME UP WITH THE SILENT SIDE OF +A LOOP! THEREFORE, THERE IS NO LOOP IN THAT EXCHANGE. I THEN SCANNED ANOTHER +EXCHANGE IN MY PRIMARY CALLING AREA (914-634) AND I FOUND A LOOP!! "(914) +634-9923/9924" SO, IF AT FIRST YOU DON'T SUCCEED, MOVE ONTO ANOTHER EXCHANGE. +IF YOU USE THE BOX METHOD THAT I HAVE OUTLINED ABOVE, YOU WILL SEE A "T" & "I" +NEXT TO EACH OTHER FOR A LOOP. + SOME EXCHANGES ARE SPECIAL. FOR EXAMPLE, 914-623 IS A TESTING BUREAU. IN +THIS EXCHANGE, NOT ONLY DID I FIND A LOOP, BUT I ALSO FOUND SEVERAL INTERESTING +TONES, NOISES, AND OTHER TEST FUNCTIONS. ALSO, THE MORE IMPORTANT THE EXCHANGE +IS, THE MORE YOU WILL FIND. FOR EXAMPLE, IN 914-623, I FOUND WELL OVER 10 VOICE +#'S! + ALSO, LOOPS ARE USUALLY, BUT NOT EXCLUSIVELY, FOUND IN THE 99XX SERIES. FOR +EXAMPLE: "(713) 324-1799/1499" IS A LOOP. + +THE PERFECT LOOP? HERE IS WHAT I WOULD LOOK FOR: + +1. NON-SUP ON ONE OR BOTH SIDES. TO CHECK FOR A NON-SUP LOOP, GO TO A +TONE-FIRST FORTRESS FONE AND DIAL THE #. IF IT ASKS FOR A DIME, IT IS +SUPERVISED. IF THE CALL GOES THROUGH, THEN IT IS NON-SUPED! + +2. 800 LOOPS WOULD BE A PLUS. THEY ARE NOT NECESSARILY FOUND BETWEEN 9900 & +9999 THOUGH. I WOULD CHECK THE 1XXX SERIES FIRST. + +3. MULTI-USER LOOPS ARE ALSO A PLUS FOR THOSE LATE NIGHT CONFERENCES. + + FINALLY, REMEMBER IT IS ONLY A LOCAL CALL TO FIND OUT WHAT YOU CO HAS IN +STORE FOR YOU. IF YOU FIND ANYTHING INTERESTING, BE SURE TO DROP ME A LINE. + + +NOTE: YOUR LOCAL WHITE PAGES CAN BE A VALUABLE ASSET. YOU CAN ALSO ORDER OTHER +FONE BOOKS FROM YOUR BUSINESS OFFICE (USUALLY FREE FOR BOOKS WITHIN YOUR +OPERATING COMPANY'S DISTRICT). A LARGE FONE BOOK, SUCH AS MANHATTAN, CONTAINS + + Page 98 + + + + + The Official Phreaker's Manual + +MUCH MORE INFO IN THE FIRST FEW PAGES THAN OTHER BOOKS. + + ANI + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + AUTOMATIC NUMBER IDENTIFICATION (ANI), IS A NUMBER THAT YOU CALL UP THAT +WILL TELL YOU WHAT # YOU ARE CALLING FROM. + THIS HAS A FEW USES. FIRST, WERE YOU EVER SOMEWHERE AND THE FONE DIDN'T +HAVE A # PRINTED ON IT? OR PERHAPS YOU WERE FOOLING AROUND IN SOME CANS (THOSE +LARGE BOXES ON FONE POLES THAT CONTAIN TERMINALS FOR LINEMAN USE--TO BE +DISCUSSES IN A FUTURE CHAPTER.) AND YOU WANT TO KNOW WHAT WHAT THE LINE # IS. +IN NPA 914, THE ANI IS 990. IN NPA'S 212 & 516, ANI IS 958. THIS VARIES FROM +AREA TO AREA. + +HERE ARE SOME OTHER ANI'S THAT I HAVE SEEN: + +890-751-5191 +202-222-2222 +1-XXX-1111 (IN SOME 914 AREAS, ESP. UNDER STEP-BY-STEP SWITCHING, YOU HAVE +TO DIAL 1-990-1111) + + TO FIND ANI FOR OTHER AREAS, CHECK 3 DIGITS #'S FIRST, USUALLY IN THE 9XX +SERIES (EXCLUDING 911). IN AREAS UNDER STEP-BY-STEP (TO BE DISCUSSED IN THE +NEXT PART), TRY 1-9XX-1111. + ANI MAY ALSO BE IN 99XX. LAST RESORT, TRY TO GET FRIENDLY WITH YOUR +NEIGHBOR WHO WORKS FOR THE FONE COMPANY. + + RING BACK + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + RINGBACK, AS ITS NAME IMPLIES, CALLS BACK THE # YOU ARE AT WHEN YOU DIAL +THE RINGBACK #. RINGBACK, IN NPA 914, IS 660. YOU DIAL 660+THE LAST 4 DIGITS OF +THE FONE. YOU WILL THEN GET A TONE, HANG-UP QUICKLY AND PICK-UP IN ABOUT 2 +SECONDS. YOU WILL THEN GET A SECOND TONE, HANG-UP AGAIN AND THE FONE WILL +RING. + IN NYC, IT IS ALSO 660, BUT YOU MAY HAVE TO PRESS 6 OR 7 BEFORE YOU HANG UP +FOR THE FIRST TIME (IE, AT THE FIRST TONE). + + OTHER RINGBACK #'S THAT I HAVE SEEN ARE: + +26011 - THIS 5 DIGIT FORMAT IS USED PRIMARILY ON STEP-BY-STEP. +THE LAST 2 DIGITS (11) ARE DUMMY DIGITS. + +890-897-XXXX - XXXX ARE THE LAST 4 DIGITS OF THE FONE #. + +119911/11911/1199911 - GTE + +NNX-9906/9907 - NPA 301, NNX IS THE EXCHANGE + + + THE REASON YOU GET THE TONE WHEN YOU PICK-UP AFTER IT RINGS IS BECAUSE IN +SOME AREAS, PEOPLE WERE USING RINGBACK AS AN IN-HOUSE INTERCOM. THEY WOULD +DIAL RINGBACK, AND WHEN IT STOPPED RINGING, THEY WOULD PICK-UP & TALK WITH THE +PERSON WHO PICKED UP THE OTHER EXTENSION. BELL DIDN'T LIKE THIS SINCE THERE IS +USUALLY ONLY 1 PIECE OF EQUIPMENT IN EACH EXCHANGE THAT DOES THE RINGBACK. WHEN +PEOPLE USED THIS AS AN INTERCOM, LINEMEN & REPAIRMEN COULDN'T GET THROUGH! IN +SOME AREAS, ESPECIALLY THOSE UNDER STEP-BY-STEP, RINGBACK CAN STILL BE USED AS +AN INTERCOM. ALSO, UNDER STEP-BY-STEP, THE RINGBACK PROCEDURE IT USUALLY + + Page 99 + + + + + The Official Phreaker's Manual + +SIMPLE. FOR EXAMPLE, IN ONE AREA YOU WOULD DIAL 26011 AND HANG-UP; IT WOULD +THEN RINGBACK. + + TOUCH-TONE TEST: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN AREAS THAT HAVE A TOUCH-TONE TEST, YOU DIAL THE RINGBACK #. AT THE +FIRST TONE, YOU TOUCH-TONE DIGITS 1-0. IF THEY ARE CORRECT IT WILL BEEP +TWICE. +I HAVE ALSO SEEN A TT TEST IN SOME AREAS AT: 890-751-5191 + + COMING SOON: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN THE NEXT PART, WE WILL LOOK AT VARIOUS SWITCHING EQUIPMENT AND THE +NETWORK. + + + BREAK UP OF BELL: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THE OPERATING COMPANIES ARE NOT GOING TO CHANGE ALL THE SWITCHING EQUIPMENT +AROUND. WHILE THERE WILL BE SOME CHANGES, MOST OF THE INFORMATION PROVIDED +HERE WILL REMAIN PERTINENT AFTER JANUARY 1, 1984. JUST SUBSTITUTE THE WORD +"FONE NETWORK" FOR BELL SYSTEM. + + +AU REVOIR, + +*****BIOC +*=$=*AGENT +*****003 + +DECEMBER 8, 1983 + +ACKNOWLEDGEMENTS: TAP, PHRED PHREEK, JUDAS GERARD, THE MAGICIAN, DARK PRIEST, +& MYSELF. I WOULD ALSO LIKE TO THANK THE MULCHER ][ FOR HIS ASSISTANCE IN +DISTRIBUTING THIS TUTORIAL. + + + + + + + + + + + + + + + + + + + + + + Page 100 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART III * + * * + ************************************************************ + +PREFACE: + + IN PART III, WE WILL DISCUSS THE DIALING PROCEDURES FOR DOMESTIC AS WELL AS +INTERNATIONAL DIALING. WE WILL ALSO TAKE A LOOK AT THE TELEPHONE NUMBERING +PLAN. + +NORTH AMERICAN NUMBERING PLAN +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +IN NORTH AMERICA, THE TELEPHONE NUMBERING PLAN IS AS FOLLOWS: + +A) A 3 DIGIT NUMBERING PLAN AREA (NPA) CODE, [IE, AREA CODE] + +B) A 7 DIGIT TELEPHONE # CONSISTING OF A 3 DIGIT CENTRAL OFFICE (CO) CODE PLUS +A 4 DIGIT STATION #. + + THESE 10 DIGITS ARE CALLED THE NETWORK ADDRESS OR DESTINATION CODE. IT IS +IN THE FORMAT OF: + +AREA CODE TELEPHONE # +--------- ----------- + N*X NXX-XXXX + +WHERE: N = A DIGIT FROM 2-9 + * = THE DIGIT 0 OR 1 + X = A DIGIT 0-9 + +AREA CODES +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + CHECK YOUR TELEPHONE BOOK OR THE SEPARATE LISTING OF AREA CODES FOUND ON +MANY BBS'S. HERE ARE THE SPECIAL AREA CODES (SAC'S): + +510 - TWX (USA) +610 - TWX (CANADA) +700 - NEW SERVICE +710 - TWX (USA) +800 - WATS +810 - TWX (USA) +900 - DIAL-IT SERVICES +910 - TWX (USA) + + THE OTHER AREA CODES NEVER CROSS STATE LINES, THEREFORE EACH STATE MUST +HAVE AT LEAST ONE EXCLUSIVE NPA CODE. WHEN A COMMUNITY IS SPLIT BY A STATE +LINE, THE CO #'S ARE OFTEN INTERCHANGEABLE (IE, YOU CAN DIAL THE SAME # FROM 2 +DIFFERENT AREA CODES) + +TWX: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + Page 101 + + + + + The Official Phreaker's Manual + + + TWX (TELEX II) CONSISTS OF 5 TELETYPE-WRITER AREA CODES. THEY ARE OWNED BY +WESTERN UNION. THESE SAC'S MAY ONLY BE REACHED VIA OTHER TWX MACHINES. THESE +RUN AT 110 BAUD. BESIDES THE TWX #'S, THESE MACHINES ARE ROUTED TO NORMAL +TELEPHONE #'S. TWX MACHINES ALWAYS RESPOND WITH AN ANSWERBACK. FOR EXAMPLE, +WU'S FYI TWX # IS (910) 988-5956, THE CORRESPONDING REAL NUMBER TO THIS IS +(201) 279-5956. THE ANSWERBACK FOR THIS SERVICE IS "WU FYI MAWA." + + IF YOU DON'T WANT TO BUY A TWX MACHINE, YOU CAN STILL SEND TWX MESSAGES +USING EASYLINK [800/325-4112 - SEE TUC'S AND MY ARTICLE ENTITLED "HACKING +WESTERN UNION'S EASYLINK] + +700: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + AT THE TIME OF THIS WRITING, THE 700 EXCHANGE DOES NOT YET EXIST. AT&T +PLANS TO USE IT SOON THOUGH. THEY PLAN TO MAKE IT A TYPE OF FANCY CALL +FORWARDING SERVICE. IT WILL BE TARGETED TOWARDS SALESMEN ON THE RUN. + + TO UNDERSTAND HOW IT WORKS, I'LL EXPLAIN IT WITH AN EXAMPLE. LET'S SAY JOE +Q. SALESPIG WORKS FOR AT&T SECURITY AND HE IS ON THE RUN CHASING A PHREAK +AROUND THE COUNTRY WHO ROYALLY SCREWED UP AN IMPORTANT COSMOS SYSTEM. LET'S +SAY THAT JOE'S 700 # IS (700) 382-5968. EVERY TIME JOE GOES TO A NEW HOTEL, HE +DIALS A SPECIAL 700 #, ENTERS A CODE, AND THE # WHERE HE IS STAYING. NOW, IF +HIS BOSS RECEIVED SOME IMPORTANT INFO, ALL HE WOULD DO IS DIAL (700) 382-5968 +AND IT WOULD RING WHEREVER JOE LAST PROGRAMMED IT TO. NEAT, HUH? + +800: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THIS SAC IS ONE OF MY FAVORITES SINCE IT ALLOWS FOR TOLL-FREE CALLS. + +INWARD WATS (INWATS): INWARD WIDE AREA TELECOMMUNICATIONS SERVICE IS THE 800 +#'S THAT WE ARE ALL FAMILIAR WITH. 800 #'S ARE SET UP IN SERVICE AREAS OR +BANDS. THERE ARE 6 OF THESE. BAND 6 IS THE LARGEST AND YOU CAN CALL A BAND 6 +# FROM ANYWHERE IN THE US EXCEPT THE STATE WHERE THE CALL IS TERMINATED (THIS +IS WHY MOST COMPANIES HAVE ONE 800 # FOR THE COUNTRY AND THEN ANOTHER FOR JUST +ONE STATE). BAND 5 INCLUDES THE 48 CONTIGUOUS STATES. ALL THE WAY DOWN TO +BAND 1 WHICH INCLUDES ONLY THE STATES CONTIGUOUS TO THAT ONE. THEREFORE, LESS +PEOPLE CAN REACH A BAND 1 INWATS # THAT A BAND 6 #. + +INTRASTATE INWATS #'S (IE, YOU CAN CALL IT FROM ONLY 1 STATE) ALWAYS HAVE A 2 +AS THE LAST DIGIT IN THE EXCHANGE (IE, 800-NX2-XXXX). THE NXX ON 800 #'S +REPRESENT THE AREA WHERE THE BUSINESS IS LOCATED. FOR EXAMPLE, A # BEGINNING +WITH 800-431 WOULD TERMINATE AT A NEW YORK CO. + +800 #'S ALWAYS END UP IN A HUNT SERIES IN A CO. THIS MEANS THAT IT TRIES THE +FIRST # ALLOCATED TO THE COMPANY FOR THEIR 8P0 LINES; IF THIS IS BUSY IT WILL +THEN TRY THE NEXT #, ETC). YOU MUST HAVE A MINIMUM OF TWO LINES PER EACH 800 +#. FOR EXAMPLE, TRAVELNET USES A HUNT SERIES. IF YOU DIAL (800) 521-8400, IT +WILL FIRST TRY THE # ASSOCIATED WITH 8400; IF IT IS BUSY IT WILL GO TO THE NEXT +AVAILABLE PORT, ETC. INWATS CUSTOMERS ARE BILLED BY THE # OF HOURS OF CALLS +THAT ARE MADE TO THEIR #. + +OUTWATS (OUTWARD WATS): OUTWATS ARE FOR MAKING OUTGOING CALLS ONLY. LARGE +COMPANIES USE OUTWATS SINCE THEY RECEIVE BULK-RATE DISCOUNTS. SINCE OUTWATS # +CANNOT HAVE INCOMING CALLS, THEY ARE IN THE FORMAT OF: + + + Page 102 + + + + + The Official Phreaker's Manual + +(800) *XX-XXXX + + WHERE * IS THE DIGIT 0 OR 1 WHICH CANNOT BE DIALED UNLESS YOU BOX THE CALL. +THE *XX IDENTIFIES THE TYPE OF SERVICE AND THE AREAS THAT THE COMPANY CAN +CALL. + +REMEMBER: INWATS + OUTWATS = WATS EXTENDER (SEE PART I) +900: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THIS DIAL-IT SAC IS A NATIONWIDE DIAL-IT SERVICE. IT IS USED FOR TAKING +TELEVISION POLLS AND OTHER STUFF. THE FIRST MINUTE CURRENTLY COSTS AN +OUTRAGEOUS 50 CENTS AND EACH ADDITIONAL MINUTE COSTS 35 CENTS. BELL TAKES IN +ALOT OF REVENUE IN THIS WAY. + +DIAL (900) 555-1212 TO FIND OUT WHAT IS CURRENTLY ON THE SERVICE. + +CO CODES: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THESE IDENTIFY THE SWITCHING OFFICE WHERE THE CALL IS TO BE ROUTED. + +THE FOLLOWING CO CODES ARE RESERVED NATIONWIDE: + +555 - DIRECTORY ASSISTANCE +844 - TIME ] THESE ARE NOW IN +936 - WEATHER ] THE 976 EXCHANGE +950 - FUTURE SERVICES +958 - PLANT TEST +959 - PLANT TEST +970 - PLANT TEST (TEMPORARY) +976 - DIAL-IT SERVICES + + ALSO, THE 3 DIGIT ANI & RINGBACK #'S ARE REGARDED AS PLANT TEST AND ARE +THUS RESERVED. THESE NUMBERS VARY FROM AREA TO AREA. + +950: [ALSO SEE PART I] +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +HERE ARE THE SERVICES THAT ARE CURRENTLY ON THE 950 EXCHANGE: + +1000 - SPC +1022 - MCI EXECUNET +1033 - US TELEPHONE +1044 - ALLNET +1066 - LEXITEL +1088 - SBS SKYLINE + +THESE SCC'S (SPECIALIZED COMMON CARRIERS) ARE FREE FROM FORTRESSES! + +Publishers note: Most 950's now require the station code (1022, 1000, 1088, +etc.) to be five digits long. MCI 950-10222, US telefone 10333, ALLNET 10444, +etc. Look in "Equal Access and the American Dream" p. for a complete list. +PLANT TESTS: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +THESE INCLUDE ANI, RINGBACK, AND OTHER VARIOUS TESTS. + + + Page 103 + + + + + The Official Phreaker's Manual + +976: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + DIAL 976-1000 TO SEE WHAT IS CURRENTLY ON THE SERVICE. ALSO, MANY BBS'S +HAVE A LISTING OF THESE #'S. + + +N11 CODES: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + BELL IS TRYING TO PHASE SOME OF THESE OUT, BUT THEY STILL EXIST IN MANY +AREAS. + +011 - INTERNATIONAL DIALING PREFIX +211 - COIN REFUND OPERATOR +411 - DIRECTORY ASSISTANCE +611 - REPAIR SERVICE +811 - BUSINESS OFFICE +911 - EMERGENCY + +INTERNATIONAL DIALING +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + WITH INTERNATIONAL DIALING, THE WORLD HAS BEEN DIVIDED INTO 9 NUMBERING +ZONES. + +TO MAKE AN INTERNATIONAL CALL, YOU MUST DIAL: INT. PREFIX + COUNTRY CODE + NAT. +# + + IN NORTH AMERICA, THE INTERNATIONAL DIALING PREFIX IS 011 FOR +STATION-TO-STATION CALLS AND 01 FOR OPERATOR- SERVICED CALLS. IDDD STANDS FOR +INTERNATIONAL DIRECT DISTANCE DIALING. + + THE COUNTRY CODE, WHICH VARIES FROM 1 TO 3 DIGITS, ALWAYS HAS THE WORLD +NUMBERING ZONE AS THE FIRST DIGIT. FOR EXAMPLE, THE COUNTRY CODE FOR THE +UNITED KINGDOM IS 44, THUS IT IS IN WORLD NUMBERING ZONE 4. + + SOME BOARDS MAY CONTAIN A COMPLETE LISTING OF OTHER COUNTRY CODES, BUT HERE +ARE A FEW: + +001 - NORTH AMERICA (US, CANADA,ETC) +020 - EGYPT +258 - MOZAMBIQUE +034 - SPAIN +049 - GERMANY +052 - MEXICO (SOUTHERN PORTION) +061 - AUSTRALIA +007 - USSR +081 - JAPAN +098 - IRAN + + IF YOU CALL FROM AN AREA OTHER THAN NORTH AMERICA, THE FORMAT IS GENERALLY +THE SAME. FOR EXAMPLE, LET'S SAY YOU WANTED TO CALL THE WHITE HOUSE FROM +SWITZERLAND. FIRST YOU WOULD DIAL 00 (THE SWISS INTERNATIONAL DIALING PREFIX), +THEN 1 (THE US COUNTRY CODE), FOLLOWED BY 202-456-1414 (THE NATIONAL # FOR THE +WHITE HOUSE). + + ALSO, COUNTRY CODE 87 IS RESERVED FOR MARITIME MOBILE SERVICE, IE CALLING + + Page 104 + + + + + The Official Phreaker's Manual + +SHIPS: + +871 - MARISAT (ATLANTIC) +872 - MARISAT (PACIFIC) +873 - MARISAT (INDIAN ) + +INTERNATIONAL SWITCHING: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN NORTH AMERICA, THERE ARE CURRENTLY 7 NO. 4 ESS'S THAT PERFORM THE DUTY +OF ISC (INTERNATIONAL SWITCHING CENTERS). ALL INTERNATIONAL CALLS DIALED FROM +NUMBERING ZONE 1 WILL BE ROUTED THROUGH ONE OF THESE "GATEWAY CITIES." THEY +ARE: + +182 - WHITE PLAINS, NY +183 - NEW YORK, NY +184 - PITTSBURGH, PA +185 - ORLANDO, FL +186 - OAKLAND, CA +187 - DENVER, CO +188 - NEW YORK, NY + + THE 18X SERIES ARE OPERATOR ROUTING CODES FOR OVERSEAS ACCESS (TO BE +FURTHER DISCUSSED WITH BLUE BOXES). ALL INTERNATIONAL CALLS USE A SIGNALING +SYSTEM CALLED CCITT. IT IS AN INTERNATIONAL STANDARD FOR SIGNALING. + +COMING SOON: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN PART IV, WE WILL DISCUSS SWITCHING EQUIPMENT, VARIOUS OPERATORS, CO +TYPES, ETC. + +PHREAKING LIVES IN '84, + +*****BIOC +*=$=*AGENT +*****003 + +<<=-FARGO 4A-=>> +23-FEB-84 + +REFERENCES/ +ACKNOWLEDGEMENTS: NOTES ON THE NETWORK (AT&T), TAP (ROOM 603, 147W 42 ST, +NEW YORK, NY 10036),UNDERSTANDING TELEPHONE ELECTRONICS,AND MANY OTHERS/TUC, +MULCHER... + + + + + + + + + + + + + + + Page 105 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART IV * + * * + ************************************************************ + +PREFACE: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + PART IV WILL DEAL WITH THE VARIOUS TYPES OF OPERATORS, OFFICE HIERARCHY, & +SWITCHING EQUIPMENT. + + +OPERATORS: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THERE ARE MANY TYPES OF OPERATORS IN THE NETWORK AND THE MORE COMMON ONES +WILL BE DISCUSSED. + +TSPS OPERATOR: +____________________________________________________________ + + THE TSPS (TRAFFIC SERVICE POSITION SYSTEM) OPERATOR IS PROBABLY THE BITCH +(OR BASTARD FOR THE PHEMALE LIBERATIONISTS) THAT MOST OF US ARE USE TO HAVING +TO DEAL WITH. + +HERE ARE HER RESPONSIBILITIES: + +1) OBTAINING BILLING INFORMATION FOR CALLING CARD OR 3RD NUMBER CALLS. + +2) IDENTIFYING CALLED CUSTOMER ON PERSON-TO-PERSON CALLS. + +3) OBTAINING ACCEPTANCE OF CHARGES ON COLLECT CALLS. + +4) IDENTIFYING CALLING NUMBERS. THIS ONLY HAPPENS WHEN THE CALLING # IS NOT +AUTOMATICALLY RECORDED BY CAMA (CENTRALIZED AUTOMATIC MESSAGE ACCOUNTING) & +FORWARDED FROM THE LOCAL OFFICE. THIS COULD BE CAUSED BY EQUIPMENT FAILURES OR +IF THE OFFICE IS NOT EQUIPPED FOR CAMA (MOST ARE). + + + + YOU SHOULDN'T MESS WITH THE TSPS OPERATOR SINCE SHE KNOWS WHERE YOU ARE +CALLING FROM. SHE ALSO KNOWS WHETHER OR NOT YOU ARE AT A FORTRESS FONE & SHE +CAN TRACE CALLS QUITE READILY. OUT OF ALL THE OPERATORS, SHE IS ONE OF THE +MOST DANGEROUS. + +INWARD OPERATOR: +____________________________________________________________ + + THIS OPERATOR ASSISTS YOUR LOCAL TSPS ("0") OPERATOR IN CONNECTING CALLS. + + Page 106 + + + + + The Official Phreaker's Manual + +SHE WILL NEVER QUESTION A CALL AS LONG AS THE CALL IS WITHIN HER SERVICE AREA. +SHE CAN ONLY BE REACHED VIA OTHER OPERATORS OR BY A BLUE BOX. FROM A BB, YOU +WOULD DIAL KP+NPA+121+ST FOR THE INWARD OPERATOR THAT WILL HELP YOU CONNECT ANY +CALLS WITHIN THAT NPA AREA ONLY. (BLUE BOXING WILL BE DISCUSSED IN A FUTURE +PART OF BASIC TELCOM) + +DIRECTORY ASSISTANCE OPERATOR: +____________________________________________________________ + + THIS IS THE OPERATOR THAT YOU ARE CONNECTED TO WHEN YOU DIAL: 411 OR +NPA-555-1212. SHE DOES NOT READILY KNOW WHERE YOU ARE CALLING FROM. SHE DOES +NOT HAVE ACCESS TO UNLISTED #'S, BUT SHE DOES KNOW IF AN UNLISTED # EXISTS FOR +A CERTAIN LISTING. + + THERE IS ALSO A DIRECTORY ASSISTANCE FOR DEAF PEOPLE WHO USE +TELETYPEWRITERS IF YOU MODEM CAN TRANSFER BAUDOT (THE APPLE CAT CAN), THEN YOU +CAN CALL HER UP AND HAVE AN INTERESTING CONVERSATION WITH HER. THE # +IS:800/855-1155. SHE USES THE STANDARD TELEX ABBREVIATIONS SUCH AS GA FOR GO +AHEAD. THEY TEND TO BE NICER & WILL TALK LONGER THAN YOUR REGULAR OPERATORS. +ALSO, THEY ARE MORE VULNERABLE INTO BEING TALKED OUT OF INFORMATION THROUGH THE +PROCESS OF "SOCIAL ENGINEERING" AS CHESHIRE CATALYST WOULD PUT IT. + +OTHER OPERATORS HAVE ACCESS TO THEIR OWN DA BY DIALING KP+NPA+131+ST (MF). + + THIS IS A LITTLE OUT OF THE SCOPE OF THIS TUTORIAL, BUT MANY TELCO'S ARE +NOW CHARGING FOR CALLS TO DIR. ASST. YOU CAN BEAT THIS BY: + +(1) COUNT HOW MANY CALLS YOU MAKE TO DIRECTORY ASSISTANCE IN A BILLING PERIOD. +GO TO A FORTRESS FONE & DIAL DA. WHEN THE OPERATOR COMES ON, GIVE HER A NAME +THAT YOU KNOW HAS AN UNLISTED # OR ASK FOR A TOWN THAT ISN'T IN THE NPA. SHE +WILL THEN ASK FOR YOUR # SO SHE CAN CREDIT THE CALL TO YOU. GIVE HER YOUR HOME +#, SHE DOESN'T KNOW THAT YOU ARE MAKING A FREE CALL FROM THE FORTRESS. JUST +MAKE SURE THAT YOU DON'T CREDIT YOURSELF FOR MORE CALLS THAN YOU ACTUALLY MADE +OR YOU MIGHT HAVE A FEW PROBLEMS! + +(2) IF YOU HAVE A BAUDOT TERMINAL, USE THE 800 #, IT'S FREE & THERE IS ONE # +FOR ALL REQUESTS. + +C/NA OPERATORS: +____________________________________________________________ + + C/NA OPERATORS ARE OPERATORS THAT DO EXACTLY THE OPPOSITE OF WHAT DIRECTORY +ASSISTANCE OPERATORS ARE FOR. SEE PART II, FOR MORE INFO ON C/NA & #'S. IN MY +EXPERIENCES, THESE OPERATORS KNOW MORE THAN THE DA OP'S DO & THEY ARE MORE +SUSCEPTIBLE TO "SOCIAL ENGINEERING." IT IS POSSIBLE TO BULLSHIT A C/NA +OPERATOR FOR THE NON-PUB DA # (IE, YOU GIVE THEM THE NAME & THEY GIVE YOU THE +UNLISTED #). THIS IS DUE TO THE FACT THAT THEY ASSUME YOUR ARE A PHELLOW +COMPANY EMPLOYEE. + +INTERCEPT OPERATOR: +____________________________________________________________ + + THE INTERCEPT OPERATOR IS THE ONE THAT YOU ARE CONNECTED TO WHEN THERE ARE +NOT ENOUGH RECORDINGS AVAILABLE TO TELL YOU THAT THE # HAS BEEN DISCONNECTED OR +CHANGED. SHE USUALLY SAYS, "WHAT # YOU CALLIN' ? " WITH A FOREIGN ACCENT. +THIS IS THE LOWEST OPERATOR LIFEFORM. EVEN THOUGH THEY DON'T KNOW WHERE YOU +ARE CALLING FROM, IT IS A WASTE OF YOUR TIME TO TRY TO VERBALLY ABUSE THEM +SINCE THEY USUALLY UNDERSTAND VERY LITTLE ENGLISH. + + Page 107 + + + + + The Official Phreaker's Manual + + +OTHER OPERATORS: +____________________________________________________________ + +AND THEN THERE ARE THE: +MOBILE +SHIP-TO-SHORE +CONFERENCE +MARINE VERIFY, "LEAVE WORD & CALL BACK," +ROUT & RATE (KP+NPA+141+ST) & OTHER SPECIAL OPERATORS WHO HAVE ONE PURPOSE OR +ANOTHER IN THE NETWORK. + + PROBLEMS WITH AN OPERATOR? ASK TO SPEAK TO THEIR SUPERVISOR... WHICH IS +THE EQUIVALENT OF THE MADAME IN A WHOREHOUSE (IF YOU WILL EXCUSE THE ANALOGY). + + BY THE WAY, SOME CO'S THAT WILL ALLOW YOU TO DIAL A 1 OR 0 AS THE 4TH +DIGIT, WILL ALSO ALLOW YOU TO CALL SPECIAL OPERATORS WITHOUT A BLUE BOX. THIS +IS VERY RARE THOUGH! FOR EXAMPLE, 212-121-1111 WILL GET YOU A NY INWARD +OPERATOR. + +OFFICE HIERARCHY +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + EVERY SWITCHING OFFICE OFFICE IN NORTH AMERICA (THE NPA SYSTEM), IS +ASSIGNED AN OFFICE NAME & CLASS. THERE ARE FIVE CLASSES OF OFFICES NUMBERED 1 +THROUGH 5. YOUR CO IS MOST LIKELY A CLASS 5 OR END OFFICE. ALL LONG-DISTANCE +(TOLL) CALLS ARE SWITCHED BY A TOLL OFFICE WHICH CAN BE A CLASS 4, 3, 2, OR 1 +OFFICE. THERE IS ALSO A 4X OFFICE CALLED AN INTERMEDIATE POINT. THE 4X OFFICE +IS A DIGITAL ONE THAT CAN HAVE AN UNATTENDED EXCHANGE ATTACHED TO IT (KNOWN AS +A REMOTE SWITCHING UNIT-RSU). + + THE FOLLOWING CHART WILL LIST THE OFFICE #, NAME, & HOW MANY OF THOSE +OFFICES EXISTED IN NORTH AMERICA IN 1981. + +CLASS NAME ABB # EXISTING +----- ---------------- --- ------------ +1 REGIONAL CENTER RC 12 +2 SECTIONAL CENTER SC 67 +3 PRIMARY CENTER PC 230 +4 TOLL CENTER TC 1,30 +4P TOLL POINT TP ? +4X INTERMEDIATE PT IP ? +5 END OFFICE EO 19,000 +R RSU RSU ? + + WHEN CONNECTING A CALL FROM ONE PARTY TO ANOTHER, THE SWITCHING EQUIPMENT +USUALLY TRIES TO FIND THE SHORTEST ROUTE BETWEEN THE CLASS 5 END OFFICE OF THE +CALLER & THE CLASS 5 END OFFICE OF THE CALLED PARTY. IF NO INTER-OFFICE TRUNKS +EXIST BETWEEN THE 2 PARTIES, IT WILL THEN MOVE UPTO THE NEXT HIGHEST OFFICE FOR +SERVICING (CLASS 4). IF THE CLASS 4 OFFICE CANNOT HANDLE THE CALL BY SENDING +IT TO ANOTHER CLASS 4 OR 5 OFFICE, IT WILL BE SENT TO THE NEXT OFFICE IN THE +HIERARCHY (3). THE SWITCHING EQUIPMENT FIRST USES THE HIGH-USAGE INTEROFFICE +TRUNK GROUPS, IF THEY ARE BUSY IT THEN GOES TO THE FINAL TRUNK GROUPS ON THE +NEXT HIGHEST LEVEL. IF THE CALL CANNOT BE CONNECTED THEN, YOU WILL PROBABLY GET +A RE-ORDER (120IPM BUSY SIGNAL) SIGNAL. AT THIS TIME, THE GUYS AT NETWORK +OPERATIONS ARE PROBABLY SHITTING IN THEIR PANTS AND TRYING TO AVOID THE DREADED +NETWORK DREADLOCK (AS SEEN ON TV!). + + + Page 108 + + + + + The Official Phreaker's Manual + + IT IS ALSO INTERESTING TO NOTE THAT 9 CONNECTIONS IN TANDEM IS CALLED +RING-AROUND-THE ROSY AND IT HAS NEVER OCCURRED IN TELEPHONE HISTORY. THIS +WOULD CASE AN ENDLESS LOOP CONNECTION. [ A NEAT WAY TO REALLY SCREW-UP THE +NETWORK]. + + THE 10 REGIONAL CENTERS IN THE US & THE 2 IN CANADA ARE ALL INTERCONNECTED. +THEY FORM THE FOUNDATION OF THE ENTIRE TELEPHONE NETWORK. SINCE THERE ARE ONLY +12 OF THEM, THEY ARE LISTED BELOW: + +CLASS 1 REGIONAL OFFICE LOCATION NPA +---------------------------------- --- +DALLAS 4 ESS 214 +WAYNE, PA 215 +DENVER 4T 303 +REGINA NO.2 SP1-4W [CANADA] 306 +ST. LOUIS 4T 314 +ROCKDALE, GA 404 +PITTSBURGH 4E 412 +MONTREAL NO.1 4AETS [CANADA] 504 +NORWICH, NY 607 +SAN BERNARDINO, CA 714 +NORWAY, IL 815 +WHITE PLAINS 4T, NY 914 + + THE FOLLOWING DIAGRAM DEMONSTRATES HOW THE VARIOUS OFFICES MAY BE +CONNECTED: + + _________________________ + _|_ _|_ _|_ REGIONAL + | | | | | | OFFICES + | 1 | <=--=> | 1 | <=--=> | 1 | <<==------ + |___| |___| |___| + | OTHERS\/ + _________________|_______________________| + _|_ _|_ _|_ _|__ _|_ +| | | | | | | | | | +| 2 | | 3 | | 4 | | 4P | | 5 | +|___| |___| |___| |____| |___| + | | | | + |____ | _|__ | + _|_ _|_ | __|_ _|_ \ +| || || | || | |_____ +| 3 || 4 || | 4X || 5 | _|__ _|_ +|___||___|| |____||___|| || | + | | | 4X || 5 | + __|_ | |____||___| + | ||_____________ + | 5R | _______|_________ + |____| | | | + _|_ _|_ _|_ __|_ + | | | | | | | | + | R | | 4 | | 5 | | 5R | + |___| |___| |___| |____| + +NOTE: THE PRECEDING DIAGRAM USED SPECIAL SYMBOLS FROM AN APPLE //E THAT MAY NOT +BE VIEWED AS I INTENDED THEM IF YOU ARE NOT USING AN APPLE//E OR //C. + +SWITCHING EQUIPMENT + + Page 109 + + + + + The Official Phreaker's Manual + +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN THE NETWORK, THERE ARE 3 MAJOR TYPES OF SWITCHING EQUIPMENT. THEY ARE +KNOWN AS: STEP, CROSSBAR, & ESS. + + +STEP-BY-STEP (SXS) +____________________________________________________________ + + THE STEP-BY-STEP, A/K/A THE STROWGER SWITCH OR TWO-MOTION SWITCH, WAS +INVENTED IN 1889 BY AN UNDERTAKER NAMED ALMON STROWGER. HE INVENTED THIS +MECHANICAL SWITCHING EQUIPMENT BECAUSE HE FELT THAT THE BIASED OPERATOR WAS +ROUTING ALL REQUESTS FOR AN 'UNDERTAKER' TO HER HUSBAND'S BUSINESS. BELL +STARTED USING THIS SYSTEM IN 1918 AS OF 1978, OVER 53% OF THE BELL EXCHANGES +USED THIS METHOD OF SWITCHING. + + STEP-BY-STEP SWITCHING IS CONTROLLED DIRECTLY BY THE DIAL PULSES WHICH MOVE +A SERIES OF SWITCHES (CALLED THE SWITCH TRAIN) IN ORDER. WHEN YOU FIRST PICK UP +THE FONE UNDER SXS, A LINEFINDER ACKNOWLEDGES THE REQUEST (SOONER OR LATER) BY +SENDING A DIAL TONE. IF YOU THEN DIALED 1234, THE EQUIPMENT WOULD FIRST FIND +AN IDLE SELECTOR SWITCH. IT WOULD THEN MOVE VERTICALLY 1 PULSE, IT WOULD THEN +MOVE HORIZONTALLY TO FIND A FREE SECOND SELECTOR, IT WOULD THEN MOVE 2 VERTICAL +PULSES, STEP HORIZONTALLY TO FIND THE NEXT SELECTOR, ETC. THUS THE FIRST +SWITCH IN THE TRAIN TAKES NO DIGITS, THE SECOND SWITCH TAKES 1 DIGIT, THE THIRD +SWITCH TAKES 1 DIGIT, & THE LAST SWITCH IN THE TRAIN (CALLED THE CONNECTOR) +TAKES THE LAST 2 DIGITS & CONNECTS YOUR CALLS. A NORMAL (10,000 LINE) EXCHANGE +REQUIRES 4 DIGITS (0000-9999) TO CONNECT A LOCAL CALL & THUS IT TAKES 4 +SWITCHES TO CONNECT EVERY CALL (LINEFINDER, 1ST & 2ND SELECTORS, & THE +CONNECTOR) . + + WHILE IT WAS THE FIRST, SXS SUCKS FOR THE FOLLOWING REASONS: + +[1] THE SWITCHED OFTEN BECOME JAMMED THUS THE CALLS OFTEN BECOME BLOCKED. + +[2] YOU CAN'T USE DTMF (DUAL-TONE MULTI-FREQUENCY A/K/A TOUCH-TONE) DIRECTLY. +IT IS POSSIBLE THAT THE TELCO MAY HAVE INSTALLED A CONVERSION KIT BUT THEN THE +CALLS WILL GO THROUGH JUST AS SLOW AS PULSE, ANYWAY! + +[3] THEY USE A LOT OF ELECTRICITY & MECHANICAL MAINTENANCE. (BAD FROM TELCO +POINT OF VIEW) + +[4] EVERYTHING IS HARDWIRED. + + THEY CAN STILL HOOK UP PEN REGISTERS & OTHER SHIT ON THE LINE SO IT IS NOT +EXACTLY A PHREAK HAVEN. + +YOU CAN IDENTIFY SXS OFFICES BY: + +(1) LACK OF DTMF OR PULSING DIGITS AFTER DIALING DTMF. + +(2) IF YOU GO NEAR THE CO, IT WILL SOUND LIKE A TYPEWRITER TESTING FACTORY. + +(3) LACK OF SPEED CALLING, CALL FORWARDING, & OTHER CUSTOMER SERVICES. + +(4) FORTRESS FONES THAT WANT YOUR MONEY FIRST (AS OPPOSED TO DIAL TONE FIRST +ONES). + + THE PRECEDING DON'T NECESSARILY IMPLY THAT YOU HAVE SXS BUT THEY SURELY + + Page 110 + + + + + The Official Phreaker's Manual + +GIVE EVIDENCE THAT IT MIGHT BE. ALSO, IF ANY OF THE ABOVE CHARACTERISTICS +EXIST, IT CERTAINLY ISN'T ESS! ALSO, SXS HAVE PRETTY MUCH BEEN ERADICATED FROM +LARGE METROPOLITAN AREAS SUCH AS NYC (212). + +CROSSBAR: +____________________________________________________________ + + THERE ARE 3 MAJOR TYPES OF CROSSBAR SYSTEMS CALLED: NO. 1 CROSSBAR (1XB), +NO. 4 CROSSBAR (4XB), & NO. 5 CROSSBAR (5XB). 5XB HAS BEEN THE PRIMARY END +OFFICE SWITCH OF BELL SINCE THE 60'S AND THUS IT IS IN WIDE-USE. + + CROSSBAR USES A COMMON CONTROL SWITCHING METHOD. WHEN THERE IS AN INCOMING +CALL, A STORED PROGRAM DETERMINES ITS ROUTE THROUGH THE SWITCHING MATRIX. + + IN CROSSBAR, THE BASIC OPERATION PRINCIPLE IS THAT A HORIZONTAL & A +VERTICAL LINE ARE ENERGIZED IN A MATRIX KNOWN AS THE CROSSPOINT MATRIX. THE +POINT WHERE THESE 2 LINES MEET IN THE MATRIX IS THE CONNECTION. + + +ESS +____________________________________________________________ + +ELECTRONIC SWITCHING SYSTEM (ESS) THE PHREAK'S NIGHTMARE COME TRUE (OR ORWELL'S +PROPHECY AS 2600 PUTS IT) + + ESS IS BELL'S MOVE TOWARDS THE AIRSTRIP ONE SOCIETY DEPICTED IN ORWELL'S +1984. WITH ESS, EVERY SINGLE DIGIT THAT YOU DIAL IS RECORDED--EVEN IF IT IS A +MISTAKE. THEY KNOW WHO YOU CALL, WHEN YOU CALL, HOW LONG YOU TALKED FOR, & +PROBABLY WHAT YOU TALKED ABOUT (IN SOME CASES). ESS CAN (AND IS) ALSO +PROGRAMMED TO PRINT OUT #'S OF PEOPLE WHO MAKE EXCESSIVE CALLS TO 800 #'S OR +DIRECTORY ASSISTANCE. THIS IS CALLED THE "800 EXCEPTIONAL CALLING REPORT." ESS +COULD ALSO BE PROGRAMMED TO PRINT OUT LOGS OF WHO CALLS CERTAIN #'S--LIKE A +BOOKIE, A KNOWN COMMUNIST, A BBS, ETC THE THING TO REMEMBER WITH ESS IS THAT IT +IS A SERIES OF PROGRAMS WORKING TOGETHER. THESE PROGRAMS CAN BE VERY EASILY +CHANGED TO DO WHATEVER THEY WANT IT TO DO. ONE PHREAK WHOM I KNOW HAS SOME ESS +SOURCE CODE LISTING WHICH IS INCREDIBLY COMPLEX (AS WELL AS DOCUMENTED--GRACIAS +DIOS). THIS SYSTEM MAKES THE JOB OF BELL SECURITY, THE FBI, NSA, & OTHER +ORGANIZATIONS THAT LIKE TO INVADE PRIVACY INCREDIBLY EASY. + + WITH ESS, TRACING IS DONE IN MICROSECONDS (EINE AUGENBLICK) & THE RESULTS +ARE PRINTED AT THE CONSOLE OF A BELL GESTAPO OFFICER. ESS WILL ALSO PICK UP +ANY "FOREIGN" TONES ON THE LINE SUCH AS 2600 HZ! + + BELL PREDICTS THAT THE COUNTRY WILL BECOME TOTALLY ESS BY THE 1990'S. + + YOU CAN IDENTIFY ESS BY THE FOLLOWING WHICH ARE USUALLY ESS FUNCTIONS: + +[1] DIALING 911 FOR HELP. +[2] DIAL-TONE-FIRST FORTRESSES. +[3] CUSTOM CALLING SERVICES SUCH AS:CALL FORWARDING, SPEED DIALING, & CALL +WAITING. (ASK YOUR BUSINESS OFFICE IF YOU CAN GET THESE.) +[4] ANI (AUTOMATIC NUMBER IDENTIFICATION) ON LD CALLS. + + PHREAKING DOES NOT COME TO A COMPLETE HALT UNDER ESS THOUGH--JUST BE VERY +CAREFUL, THOUGH!!! + + DUE TO THE FACT THAT ESS SENDS A COMPUTER GENERATED "ARTIFICIAL RING," +WHERE THE VOICE IS NOT CONNECTED DIRECTLY TO THE CALLED PARTIES LINE UNTIL HE + + Page 111 + + + + + The Official Phreaker's Manual + +PICKS UP, BLACK BOXES & INFINITY TRANSMITTERS WILL NOT WORK! + +NOTE: ANOTHER INTERESTING WAY TO FIND OUT WHAT TYPE OF EQUIPMENT YOU ARE ON IS +TO RAID THE TRASH CAN OF YOU LOCAL CO--THIS ART WILL DISCUSSED IN A SEPARATE +ARTICLE SOON. + +COMING SOON: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +IN THE PART V, WE WILL START TO TAKE A LOOK AT TELEPHONE ELECTRONICS. + +FURTHER READING: + +FOR MORE INFORMATION ON THE ABOVE TOPICS, I SUGGEST THE FOLLOWING: + +NOTES ON THE NETWORK, AT&T, 1980. + +UNDERSTANDING TELEPHONE ELECTRONICS,TEXAS INSTRUMENTS, 1983. + +AND SUBSCRIPTIONS TO: + +TAP, ROOM 603, 147 W 42 ST, NEW YORK, NY 10036. SUBSCRIPTIONS ARE +$10/YEAR.#BACK ISSUES ARE $0.75. THE CURRENT ISSUES IS #90 (JAN/FEB 1984) + +2600, BOX 752, MIDDLE ISLAND, NY 11953. SUBSCRIPTIONS ARE $10/YEAR. BACKISSUES +ARE $1 EACH. THE CURRENT ISSUE IS #4 (APRIL 1984). + +THEY ARE BOTH EXCELLENT SOURCES OF ALL SORTS OF INFORMATION (PRIMARILY +PHREAKING/HACKING). + +NOTE: FOR THE MOST PART, I HAVE ASSUMED THAT YOU HAVE READ MY PREVIOUS 3 +COURSES IN THE BASIC TELCOM SERIES. + +HASTA LUEGO, + +*****BIOC +*=$=*AGENT +*****003 + +APRIL 13, 1984 [THE YEAR OF BIG BROTHER] + +<<=-FARGO 4A-=>> + + + + + + + + + + + + + + + + + + Page 112 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART V * + * * + ************************************************************ + + +PREFACE: + + PREVIOUS INSTALLMENTS OF THIS SERIES WERE FOCUSED ON TELEPHONY FROM A +NETWORK POINT-OF-VIEW. PART V WILL DEAL WITH TELEPHONE ELECTRONICS FOCUSING +PRIMARILY ON THE SUBSCRIBER'S TELEPHONE. HERE-IN-AFTER SIMPLY REFERRED TO AS +"FONE." + +WIRING: +____________________________________________________________ + + ASSUMING A STANDARD ONE-LINE FONE, THERE ARE USUALLY 4 WIRES THAT LEAD OUT +OF THE FONE SET. THESE ARE STANDARDLY COLORED RED, GREEN, YELLOW, & BLACK. +THE RED & GREEN SIRES ARE THE TWO THAT ARE ACTUALLY HOOKED UP TO YOUR CO. THE +YELLOW WIRE IS SOMETIMES USED TO RING DIFFERENT FONES ON A PARTY LINE (IE, ONE +#, SEVERAL FAMILIES--FOUND PRIMARILY IN RURAL AREAS WHERE THEY PAY LESS FOR THE +SERVICE AND THEY DON'T USE THE FONE AS MUCH); OTHERWISE, THE YELLOW IS USUALLY +JUST IGNORED. ON SOME TWO-LINE FONES, THE RED & GREEN WIRES ARE USED FOR THE +FIRST FONE # AND THE YELLOW & BLACK ARE USED FOR THE SECOND LINE. IN THIS CASE +THERE MUST BE AN INTERNAL OR EXTERNAL DEVICE THAT SWITCHES BETWEEN THE TWO +LINES AND PROVIDES A HOLD FUNCTION. (SUCH AS RADIO SHACK'S OUTRAGEOUSLY PRICED +2 LINE & HOLD MODULE-9. + + IN TELEPHONY, THE RED & GREEN WIRES ARE OFTEN REFERRED TO AS TIP (T) & RING +(R). THE TIP IS USUALLY THE MORE POSITIVE OF THE TWO WIRES. THIS NAMING GOES +BACK TO THE OLD OPERATOR CORD BOARDS WHERE ONE OF THE WIRES WAS THE TIP OF THE +PLUG AND THE OTHER WAS THE RING (OF THE BARREL). + A ROTARY FONE (AKA DIAL OR PULSE) WILL WORK FINE REGARDLESS WHETHER THE RED +(OR GREEN) WIRE IS CONNECTED THE TIP(+) OR RING(-). A TOUCH-TONE (TM) FONE IS +A DIFFERENT STORY, THOUGH. IT WILL NOT WORK EXCEPT IF THE TIP(+) IS THE GREEN +WIRE. [ALTHOUGH, SOME OF THE MORE EXPENSIVE DTMF FONES DO HAVE A RECTIFIER +BRIDGE WHICH COMPENSATES FOR POLARITY REVERSAL.] THIS I WHY UNDER CERTAIN +(NON-DIGITAL) SWITCHING EQUIPMENT YOU CAN REVERSE THE RED & GREEN WIRES ON A +TOUCH-TONE FONE AND RECEIVE FREE DTMF SERVICE. EVEN THOUGH IT WON'T BREAK DIAL +TONE, REVERSING THE WIRES ON A ROTARY LINE ON A DIGITAL SWITCH WILL CAUSE THE +TONES TO BE GENERATED. + +VOLTAGES, ETC. +____________________________________________________________ + + WHEN YOUR TELEPHONE IS ON-HOOK (IE, HUNG UP) THERE IS APPROXIMATELY 48 +VOLTS OF DC CURRENT (VDC) FLOWING THROUGH THE TIP & RING. WHEN THE HANDSET OF +A FONE IS LIFTED A FEW SWITCHES CLOSE WHICH CAUSE A LOOP TO BE CONNECTED (KNOWN +AS THE "LOCAL LOOP") BETWEEN YOUR FONE & THE CO. ONCE THIS HAPPENS DC CURRENT +IS ABLE TO FLOW THROUGH THE FONE WITH LESS RESISTANCE. THIS CAUSES A RELAY TO +ENERGIZE WHICH CAUSES OTHER CO EQUIPMENT TO REALIZE THAT YOU WANT SERVICE. +EVENTUALLY, YOU SHOULD END UP WITH A DIAL TONE. THIS ALSO CAUSES THE 48 VDC TO +DROP DOWN INTO THE VICINITY OF 13 VOLTS. THE RESISTANCE OF THE LOOP ALSO DROPS +BELOW THE 2500 OHM LEVEL. + + Page 113 + + + + + The Official Phreaker's Manual + + + AS OF NOW, YOU ARE PROBABLY SAYING TO YOURSELF THAT THIS IS ALL NICE AND +TECHNICAL BUT WHAT THE HELL GOOD IS THE INFORMATION. WELL, ALSO CONSIDER THAT +THIS VOLTAGE (& RESISTANCE) DROP IS HOW THE CO DETECTS THAT A FONE WAS TAKEN +OFF HOOK (PICKED UP). IN THIS WAY, THEY KNOW WHEN TO START BILLING THE CALLING +NUMBER. NOW WHAT DO YOU SUPPOSE WOULD HAPPEN IF A DEVICE SUCH AS A RESISTOR OR +A ZENER DIODE WAS PLACED ON THE CALLED PARTIES LINE SO THAT THE VOLTAGE WOULD +DROP JUST ENOUGH TO ALLOW TALKING BUT NOT ENOUGH TO START BILLING? FIRST OFF, +THE CALLING PARTY WOULD NOT BE BILLED FOR THE CALL BUT CONVERSATION COULD BE +PURSUED. SECONDLY, THE CO EQUIPMENT WOULD THINK THAT THE FONE JUST KEPT ON +RINGING. THE TELCO CALLS THIS A "NO-NO" (TOLL FRAUD TO BE MORE SPECIFIC) WHILE +PHONE PHREAKS AFFECTIONATELY CALL THIS MUTE A BLACK BOX. + + THE FOLLOWING ARE INSTRUCTIONS ON HOW TO BUILD A SIMPLE BLACK BOX. OF +COURSE, ANYTHING THAT PREVENTS THE VOLTAGE FROM DROPPING WOULD WORK. +YOU ONE OR TWO PARTS: A SPST TOGGLE SWITCH AND A 10,000 OHM (10 K), 1/2 +WATT RESISTOR. ANY ELECTRONICS STORE SHOULD STOCK THESE PARTS. + + NOW, CUT 2 PIECES OF WIRE (ABOUT 6 INCHES LONG) AND ATTACH ONE END OF EACH +WIRE TO ONE OF THE TERMINALS ON THE SWITCH. NOW TURN YOUR K500 (STANDARD DESK +FONE) UPSIDE DOWN AND TAKE OFF THE COVER. LOCATE THE 2 SCREWS ON THE NETWORK +BOX LABELED >F< AND >RR<. WRAP THE RESISTOR BETWEEN THE 2 SCREWS MAKING SURE +THAT IT DOESN'T TOUCH ANY OTHER TERMINALS!. NOW CONNECT ONE WIRE FROM THE +SWITCH TO THE RR TERMINAL. FINALLY, ATTACH THE REMAINING WIRE TO THE GREEN WIRE +(DISCONNECT IT FROM ITS TERMINAL). NOW BRING THE SWITCH OUT THE REAR OF THE +FONE AND REPLACE THE COVER. + + PUT THE SWITCH IN A POSITION WHERE YOU RECEIVE A DIAL TONE. MARK THIS +POSITION NORMAL. MARK THE OTHER SIDE FREE. + + WHEN YOUR PHRIENDS CALL (AT A PREARRANGED TIME), QUICKLY LIFT & DROP THE +RECEIVER AS FAST A POSSIBLE. THIS WILL STOP THE RINGING (DO IT AGAIN IF IT +DOESN'T) WITH OUT STARTING THE BILLING. IT IS IMPORTANT THAT YOU DO IT QUICKLY +(LESS THAN ONE SECOND THEN PUT THE SWITCH IN THE FREE POSITION AND PICK UP THE +FONE. KEEP ALL CALL SHORT AND PREFERABLY UNDER 15 MINUTES. + +NOTE: IF ANYONE PICKS UP AN EXTENSION IN THE CALLED PARTIES HOUSE AND THAT +FONE IS NOT SET FOR FREE THEN BILLING WILL START. + +NOTE: AN OLD WAY OF SIGNALING A PHRIEND THAT YOU ARE ABOUT TO CALL IS +MAKING A COLLECT CALL TO A NON-EXISTENT PERSON IN THE HOUSE. SINCE YOUR FRIEND +WILL NOT ACCEPT THE CHARGES, HE WILL KNOW THAT YOU ARE ABOUT TO CALL AND THUS +PREPARE THE BLACK BOX (OR VISA VERSA). + +WARNING: THE TELCO CAN DETECT BLACK BOXES IF THEY SUSPECT ONE ON YOUR LINE. +THIS IS DONE DUE TO THE PRESENCE OF AC VOICE SIGNAL AT THE WRONG DC LEVEL! + +PICTORIAL DIAGRAM: (STANDARD ROTARY K500 FONE) +____________________________________________________________ + + _____________________________________ +| | +***BLUE WIRE**>>F< | +| * * | +**WHITE WIRE** * | +| * | +| RESISTOR | +| * | + + Page 114 + + + + + The Official Phreaker's Manual + +| * | +| >RR<*******SWITCH**** | +| * | +****GREEN WIRE********************** | +| | +|_____________________________________| + +NOTE: THE BLACK BOX WILL NOT WORK UNDER ESS OR OTHER SIMILAR DIGITAL +SWITCHES SINCE ESS DOES NOT CONNECT THE VOICE CIRCUITS UNTIL THE FONE IS PICKED +UP (& BILLING STARTS). INSTEAD, ESS USES AN "ARTIFICIAL" COMPUTER GENERATED +RING. + +RINGING: +____________________________________________________________ + + TO INFORM A SUBSCRIBER OF AN INCOMING CALL, THE TELCO SENDS 90 VOLTS (RMS) +OF AC CURRENT DOWN THE LINE (AT AROUND 15 TO 60 HZ) IN STANDARD FONES, THIS +CAUSES A METAL ARMATURE TO BE ATTRACTED ALTERNATELY BETWEEN TWO ELECTRO-MAGNETS +THUS STRIKING 2 BELLS. OF COURSE, THE STANDARD BELL (PATENTED IN 1878 BY TOM +A. WATSON) CAN BE REPLACED BY A MORE MODERN ELECTRONIC BELL OR SIGNALING +DEVICE. + + ALSO, YOU CAN HAVE LIGHTS AND OTHER SIMILAR DEVICES IN LIEU OF (OR IN +CONJUNCTION WITH) THE BELL. A SIMPLE NEON LIGHT (WITH ITS CORRESPONDING +RESISTOR) CAN SIMPLY BE CONNECTED BETWEEN THE RED & GREEN WIRES (USUALLY L1 & +L2 ON THE NETWORK BOX) SO THAT IT LIGHTS UP ON INCOMING CALLS. A REGULAR 60 +WATT LIGHT BULB CAN ALSO BE HOOKED UP USING A SIMPLE (120 VAC) RELAY. + +WARNING: 90 & 120 VAC CAN GIVE QUITE A SHOCK. EXERCISE EXTREME CAUTION IF +YOU WISH TO FURTHER PURSUE THESE TOPICS. + + ALSO INCLUDED IN THE RINGING CIRCUIT IS A CAPACITOR TO PREVENT THE DC +CURRENT FROM INTERFERING WITH THE BELL [A CAPACITOR WILL PASS AC CURRENT WHILE +IT WILL PREVENT DC CURRENT FROM FLOWING (BY STORING IT)]. + ANOTHER REASON THAT THE TELCO HATES BLACK BOXES IS BECAUSE RINGING USES +ALOT OF COMMON-CONTROL EQUIPMENT, IN THE CO, WHICH USE ALOT OF ELECTRICITY. +THUS THE RINGING GENERATORS ARE BEING TIED UP WHILE A FREE CALL IS BEING MADE. +USUALLY CALLS THAT ARE ALLOWED TO RING FOR A LONG PERIOD OF TIME MAY BE +CONSTRUED AS SUSPICIOUS. SOME OFFICES MAY BE SET UP TO DROP A TROUBLE CARD FOR +LONG PERIODS OF RINGING THEN A "NO-NO" DETECTION DEVICE MAY BE PLACED ON THE +LINE. + INCIDENTALLY, THE TERM "RING TRIP" REFERS TO THE CO PROCESS INVOLVED TO +STOP THE AC RINGING SIGNAL WHEN THE CALLING FONE GOES OFF HOOK. + +NOTE: IT IS SUGGESTED THAT YOU ACTUALLY DISSECT FONES TO HELP YOU BETTER +UNDERSTAND THEM. IT WILL ALSO HELP YOU TO BETTER UNDERSTAND THE CONCEPTS HERE +IF YOU ACTUALLY PROVE THEM TO YOURSELF. FOR EXAMPLE, ACTUALLY TAKE THE VOLTAGE +READINGS ON YOUR FONE LINE [ANY SIMPLE MULTI-TESTER (A MUST) WILL DO.] +PHREAKING IS AN INTERACTIVE PROCESS NOT A PASSIVE ONE! + +DIALING: +____________________________________________________________ + + ON A STANDARD FONE, THERE ARE TWO COMMON TYPES OF DIALING: PULSE & DTMF. +OF COURSE, SOME PEOPLE INSIST UPON BEING DIFFERENT AND DON'T USE THE DT THUS +LEAVING THEM WITH MF (MULTI FREQUENCY, AKA OPERATOR, BLUE BOX) TONES. THIS IS +ANOTHER "NO-NO" AND THE TELCO SECURITY GENTLEMEN HAVE A SPECIAL KNACK FOR +DEALING WITH SUCH "PHREAKS" ON THE NETWORK. + + Page 115 + + + + + The Official Phreaker's Manual + + WHEN YOU DIAL ROTARY, YOU ARE ACTUALLY RAPIDLY BREAKING & RECONNECTING +(MAKING) THE LOCAL LOOP ONCE FOR EVERY DIGIT DIALED. SINCE THE PHYSICAL +CONNECTION MUST BE BROKEN, YOU CANNOT DIAL IF ANOTHER EXTENSION (OF THAT #) IS +OFF-HOOK. NEITHER OF THE FONES WILL BE ABLE TO DIAL PULSE UNLESS THE OTHER +HANGS UP. + ANOTHER TERM OFTEN REFERRED TO IN TELEPHONE ELECTRONICS IS THE BREAK RATIO. +IN THE US, THERE ARE 10 PULSES PER SECOND (MAX). WHEN THE CIRCUIT IS OPENED IT +IS CALLED THE BREAK INTERVAL. WHEN IT IS CLOSED IT IS CALLED THE MAKE INTERVAL. +IN THE US, THERE IS A 60 MILLISECOND (MS) BREAK PERIOD AND A 40 MS MAKE PERIOD. +(60+40=100 MS = 1/10 MINUTE). THIS IS REFERRED TO AS A 60% BREAK INTERVAL. +SOME OF THE MORE SOPHISTICATED ELECTRONIC FONES CAN SWITCH BETWEEN A 60% & A +67% BREAK INTERVAL. THIS IS DUE TO THE FACT THAT MANY FOREIGN NATIONS USE A +67% BREAK INTERVAL. + HAVE YOU EVER BEEN IN AN OFFICE OR A SIMILAR FACILITY AND SAW A FONE +WAITING TO BE USED FOR A FREE CALL BUT SOME ASSHOLE PUT A LOCK ON IT TO PREVENT +OUTGOING CALLS? + WELL, DON'T FRET PHELLOW PHREAKS, YOU CAN SIMULATE PULSE DIALING BY RAPIDLY +DEPRESSING THE SWITCHOOK. (IF YOU DEPRESS IT FOR LONGER THAN A SECOND IT WILL +BE CONSTRUED AS A DISCONNECT.) BY RAPIDLY SWITCHOOKING YOU ARE CAUSING THE +LOCAL LOOP TO BE BROKEN & MADE SIMILAR TO ROTARY DIALING! THUS IF YOU CAN +MANAGE TO SWITCHOOK RAPIDLY 10 TIMES YOU CAN REACH AN OPERATOR TO PLACE ANY +CALL YOU WANT! THIS TAKES ALOT OF PRACTICE, THOUGH. YOU MIGHT WANT TO PRACTICE +ON YOUR OWN FONE DIALING A FRIEND'S # OR SOMETHING ELSE. INCIDENTALLY, THIS +METHOD WILL ALSO WORK WITH DTMF FONES SINCE ALL DTMF LINES CAN ALSO HANDLE +ROTARY. + ANOTHER PROBLEM WITH PULSE DIALING IS THAT IT PRODUCES HIGH-VOLTAGE SPIKES +THAT MAKE LOUD NOISES IN THE EARPIECE AND CAUSE THE BELL TO "TINKLE." IF YOU +NEVER NOTICED THIS THEN YOUR FONE HAS A SPECIAL "ANTI-TINKLE" & EARPIECE +SHORTING CIRCUIT (MOST DO). IF YOU HAVE EVER DISSECTED A ROTARY FONE (A MUST +FOR ANY SERIOUS PHREAK) YOU WOULD HAVE NOTICED THAT THERE ARE 2 SETS OF CONTACT +THAT OPEN AND CLOSE DURING PULSING (ON THE BACK OF THE ROTARY DIAL UNDER THE +PLASTIC COVER). ONE OF THESE ACTUALLY OPENS AND +CLOSES THE LOOP WHILE THE OTHER MUTES THE EARPIECE BY SHORTING IT OUT. THE +SECOND CONTACTS ALSO ACTIVATES A SPECIAL ANTI-TINKLE CIRCUIT THAT PUTS A 340 +OHM RESISTOR ACROSS THE RINGING CIRCUIT WHICH PREVENTS THE HIGH VOLTAGE SPIKES +FROM INTERFERING WITH THE BELL. + DUAL TONE MULTI FREQUENCY (DTMF) IS A MODERN DAY IMPROVEMENT ON PULSE +DIALING IN SEVERAL WAYS. FIRST OF ALL, IT IS MORE CONVENIENT FOR THE USER +SINCE IT IS FASTER AND CAN BE USED FOR SIGNALING AFTER THE CALL IS COMPLETED +(IE, SCC'S, COMPUTERS, ETC.). ALSO, IT IS MORE UPTO PAR WITH MODERN DAY +SWITCHING EQUIPMENT (SUCH AS ESS) SINCE PULSE DIALING WAS DESIGNED TO ACTUALLY +MOVE RELAYS BY THE NUMBER OF DIGITS DIALED (IN SXS OFFICES). + + EACH KEY ON A DTMF KEYPAD PRODUCES 2 FREQUENCIES SIMULTANEOUSLY (ONE FROM +THE HIGH GROUP AND ANOTHER FROM THE LOW GROUP). + + _______________________________________________ +LOW GROUP | | | | | + 697 HZ-| Q | ABC | DEF | | + | 1 | 2 | 3 | A | + |___________|___________|___________|___________| + | | | | | + 770 HZ-| GHI | JKL | MNO | | + | 1 | 2 | 3 | B | + |___________|___________|___________|___________| + | | | | | + 852 HZ-| PRS | TUV | WXY | | + | 1 | 2 | 3 | C | + + Page 116 + + + + + The Official Phreaker's Manual + + |___________|___________|___________|___________| + | | OPERATOR | | | + 941 HZ-| | Z | | | + | * | 0 | # | D | + |___________|___________|___________|___________| + | | | | + 1209 HZ 1336 HZ 1477 HZ 1633 HZ + HIGH GROUP + +A PORTABLE DTMF KEYPAD IS KNOWN AS A WHITE BOX. + + THE FOURTH COLUMN (1633 HZ) IS NOT NORMALLY FOUND ON REGULAR FONES BUT IT +DOES HAVE SEVERAL SPECIAL USES. FOR ONE, IT IS USED TO DESIGNATE THE PRIORITY +OF CALLS ON AUTOVON, THE MILITARY FONE NETWORK. THESE KEY ARE CALLED: FLASH, +IMMEDIATE, PRIORITY, & ROUTINE (WITH VARIATIONS) INSTEAD OF ABCD. SECONDLY, +THESE KEYS ARE USED FOR TESTING PURPOSES BY THE TELCO. IN SOME AREA YOU CAN +FIND LOOPS AS WELL AS OTHER NEAT TESTS (SEE PART II) ON THE 555-1212 DIRECTORY +ASSISTANCE EXCHANGE. FOR THIS, YOU WOULD CALL UP AN DA IN CERTAIN AREAS [THAT +HAVE AN AUTOMATIC CALL DISTRIBUTOR (ACD)] AND HOLD DOWN THE "D" KEY WHICH +SHOULD BLOW THE OPERATOR OFF. YOU WILL THEN HEAR A PULSING DIAL TONE WHICH +INDICATES THAT YOU ARE IN THE ACD INTERNAL TESTING MODE. YOU CAN GET ON ONE +SIDE OF A LOOP BY DIALING A 6. THE OTHER SIDE IS 7. SOME PHREAKS CLAIM THAT +IF THE PERSON ON SIDE 6 HANGS UP, OCCASIONALLY THE EQUIPMENT WILL SCREW UP AD +START DIRECTING DIRECTORY ASSISTANCE CALLS TO THE OTHER SIDE OF THE LOOP. +ANOTHER ALLEGED TEST IS CALLED REMOB WHICH ALLOWS YOU TO TAP INTO LINES BY +ENTERING A SPECIAL CODE FOLLOWED BY THE 7 DIGIT NUMBER YOU WANT TO MONITOR. +THEN THERE IS THE POSSIBILITY OF MASS CONFERENCING. + ACD'S ARE BECOME RARE THOUGH. YOU WILL PROBABLY HAVE TO MAKE SEVERAL +NPA-555- 1212 CALLS BEFORE YOU FIND ONE. + YOU CAN MODIFY REGULAR FONES QUITE READILY SO THAT THEY HAVE A SWITCH TO +CHANGE BETWEEN THE 3RD AND 4TH COLUMNS. THIS IS CALLED A SILVER BOX (AKA GREY +BOX) AD PLANS CAN BE FOUND IN TAP AS WELL AS ON MANY BBS'S. + +TRANSMITTER/RECEIVER: +____________________________________________________________ + + WHEN YOU TALK INTO THE TRANSMITTER, THE SOUND WAVES FROM YOUR VOICE CAUSE A +DIAPHRAGM TO VIBRATE AND PRESS AGAINST THE CARBON GRANULES (OR ANOTHER SIMILAR +SUBSTANCE). THIS CAUSES THE CARBON GRANULES TO COMPRESS AND CONTRACT THUS +CHANGING THE RESISTANCE OF THE DC CURRENT FLOWING THROUGH IT. THEREFORE, YOUR +AC VOICE SIGNAL IS SUPERIMPOSED OVER THE DC CURRENT OF THE LOCAL LOOP. THE +RECEIVER WORKS IN A SIMILAR FASHION WHERE THE SIMPLE TYPES UTILIZE A MAGNET, +ARMATURE, & DIAPHRAGM. + +HYBRID/INDUCTION COIL: +____________________________________________________________ + + AS YOU MAY HAVE NOTICED, THERE ARE TWO WIRES FOR THE RECEIVER AND TWO FOR +THE TRANSMITTER IN THE FONE, YET THE LOCAL LOOP CONSISTS OF 2 WIRES INSTEAD OF +4. THIS 4-WIRE TO 2-WIRE CONVERSION IS DONE INSIDE THE FONE BY A DEVICE KNOWN +AS AN INDUCTION COIL WHICH USES COUPLING TRANSFORMERS. + THE REASON 2 SIRES ARE USED ON THE LOCAL LOOPS ARE BECAUSE IT IS ALOT +CHEAPER FOR THE TELCO. ALTHOUGH, ALL OF THE INTER-OFFICE TRUNKS UTILIZE 4 +WIRES. THIS IS NECESSARY FOR FULL DUPLEX (IE, SIMULTANEOUS CONVERSATION ON +BOTH SIDES) AND FOR AMPLIFICATION DEVICES. THERE ARE SIMILAR DEVICES IN THE +CO'S, KNOWN AS A HYBRID, THAT COUPLE THE 4-WIRE TRUNKS TO THE 2-WIRE LOCAL +LOOPS AND VISA-VERSA. + + + Page 117 + + + + + The Official Phreaker's Manual + +MISCELLANEOUS: +____________________________________________________________ + + IN THE TELEPHONE, THERE IS ALSO A BALANCING NETWORK CONSISTING OF A FEW +CAPACITORS & RESISTORS WHICH PROVIDE SIDETONE. SIDETONE ALLOWS THE CALLER TO +HEAR HIS OWN VOLUME IN THE RECEIVER. HE CAN THEN ADJUST HIS VOICE ACCORDINGLY. +THIS PREVENTS PEOPLE FROM SHOUTING OR SPEAKING TOO SOFTLY WITHOUT NOTICING IT. + +HOLD: +____________________________________________________________ + + WHEN A TELEPHONE GOES OFF HOOK, THE RESISTANCE DROPS BELOW 2500 OHMS. AT +THIS POINT, THE TELCO WILL SEND A DIAL TONE. TO PUT SOMEONE ON HOLD YOU MUST +PUT A 1000 OHM RESISTOR (1 WATT) ACROSS THE TIP & RING BEFORE IT REACHES THE +SWITCHOOK. IN THIS WAY, WHEN THE FONE IS HUNG UP (FOR HOLD) THE RESISTANCE +REMAINS BELOW 2500 OHMS WHICH CAUSES THE CO TO BELIEVE THAT YOU ARE STILL +OFF-HOOK. YOU CAN BUILD A SIMPLE HOLD DEVICE USING THE FOLLOWING PICTORIAL +DIAGRAM: + +(RED) O_________________________ + [L1] | | | + | | | + 1000 OHM | \ + | | \ + RESISTOR RINGING | + | CIRCUIT | -SWITCH + | | | HOOK + / | | + / SPST SWITCH | \ + | | \ + | | | + | | | +(GREEN) O__|_____________|______| + [L2] +--> TO REST OF FONE + +CONCLUSION: +____________________________________________________________ + +NOTE: MANY OF THE ELECTRONICS COMPONENTS OF NORMAL FONES (K500) ARE +ENCLOSED IN THE NETWORK BOX (WHICH SHOULDN'T BE OPENED). + + I HAVE ASSUMED THAT THE READER HAS A BASIC KNOWLEDGE OF ELECTRONICS. ALSO, +I HAVE ASSUMED THAT YOU HAVE READ THE 4 PREVIOUS INSTALLMENTS OF THIS SERIES +(AND HOPEFULLY ENJOYED THEM). + + IN PART VI, WE WILL TAKE A LOOK AT FORTRESS FONES. + +SUGGESTED FURTHER READING: +____________________________________________________________ + +ELECTRONICS COURSES A-D, TAP, @ $.75 EACH. + +ELECTRONIC TELEPHONE PROJECTS, A.J. CARISTI, HOWARD SAMS BOOKS. + +EVERYTHING YOU ALWAYS WANTED TO KNOW ABOUT 1633 HZ TONES BUT WERE AFRAID TO +ASK, THE MAGICIAN, TAP, ISSUE #62. + + + Page 118 + + + + + The Official Phreaker's Manual + +FREE BELL PHONE CALLS, TAP, FACT SHEET #2, @ $.50. + +FREE GTE PHONE CALLS, TAP, FACT SHEET #3, @ $.50. + +HOW TO MODIFY YOUR BELL TOUCH TONE FONE TO HAVE 1633 CYCLE TONES, TAP, ISSUE +#63. + +MODIFYING YOUR PHONE FOR 1633 HZ (NEW ELECTRONIC KEYPADS), FRED STEINBECK, TAP, +ISSUE #84. + +NOTES ON THE NETWORK, AT&T. + +THE PHONE BOOK, J. EDGAR HYDE. + +REGULATING THE TELEPHONE COMPANY IN YOUR HOME, RAMAPART MAGAZINE, JUNE 1972. + +REMOBS, TAP #91 (NOT YET PUBLISHED AS OF THIS WRITING). + +UNDERSTANDING TELEPHONE ELECTRONICS, TEXAS INSTRUMENTS. + +& OTHER ASSORTED SOURCES... + +TAP: ROOM 603/147 W 42 ST./NEW YORK, NY 10036. PLEASE SPECIFY BY BACKISSUE +#'S (NOT ARTICLE NAMES). ALL BACK-ISSUES ARE $1 EACH. SUBSCRIPTIONS ARE +$10/YEAR (10 ISSUES). SAY THAT BIOC AGENT 003 SENT YOU. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 119 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART VI * + * * + ************************************************************ + +REVISED: 27-OCT-84 + +Preface: + + This article will focus primarily on the standard Western Electric +single-slot coin telephone (aka fortress fone) which can be divided into 3 +types: + +- Dial-Tone First (DTF) + +- Coin-First (CF): (ie, it wants your $ before you receive a dial tone) + +- Dial Post-Pay Service (PP): you pay after the party answers + +Depositing Coins (Slugs): +____________________________________________________________ + + Once you have deposited your slug into a fortress, it is subjected to a +gamut of tests. The first obstacle for a slug is the magnetic trap. This will +stop any light-weight magnetic slugs and coins. If it passes this, the slug is +then classified as a nickel, dime, or quarter. Each slug is then checked for +appropriate size and weight. If these tests are passed, it will then travel +through a nickel, dime, or quarter magnet as appropriate. These magnets set up +an eddy current effect which causes coins of the appropriate characteristics to +slow down so they will follow the correct trajectory. If all goes well, the +coin will follow the correct path (such as bouncing off of the nickel anvil) +where it will hopefully fall into the narrow accepted coin channel. + The rather elaborate tests that are performed as the coin travels down the +coin chute will stop most slugs and other undesirable coins, such as pennies, +which must then be retrieved using the coin release lever. + If the slug miraculously survives the gamut, it will then strike the +appropriate totalizer arm causing a ratchet wheel to rotate once for every +5-cent increment (eg, a quarter will cause it to rotate 5 times). + The totalizer then causes the coin signal oscillator to readout a +dual-frequency signal indicating the value deposited to ACTS (a computer) or +the TSPS operator. These are the same tones used by phreaks in the infamous red +boxes. + For a quarter, 5 beep tones are outpulsed at 12-17 pulses per second (PPS). +A dime causes 2 beep tones at 5 - 8.5 PPS while a nickel causes one beep tone +at 5 - 8.5 PPS. A beep consists of 2 tones: 2200 + 1700 Hz. + A relay in the fortress called the "B relay" (yes, there is also an 'A +relay') places a capacitor across the speech circuit during totalizer read-out +to prevent the "customer" from hearing the red box tones. + In older 3 slot phones: one bell (1050-1100 Hz) for a nickel, two bells +for a dime, and one gong (800 Hz) for a quarter are used instead of the modern +dual-frequency tones. + +TSPS & ACTS +____________________________________________________________ + + Page 120 + + + + + The Official Phreaker's Manual + + + While fortresses are connected to the CO of the area, all transactions are +handled via the Traffic Service Position System (TSPS). In areas that do not +have ACTS, all calls that require operator assistance, such as calling card and +collect, are automatically routed to a TSPS operator position. + In an effort to automate fortress service, a computer system known as +Automated Coin Toll Service (ACTS) has been implemented in many areas. ACTS +listens to the red box signals from the fones and takes appropriate action. It +is ACTS which says, "Two dollars please (pause) Please deposit two dollars for +the next ten seconds" (and other variations). Also, if you talk for more than +three minutes and then hang-up, ACTS will call back and demand your money. +ACTS is also responsible for Automated Calling Card Service. + ACTS also provide trouble diagnosis for craftspeople (repairmen +specializing in fortresses). For example, there is a coin test which is great +for tuning up red boxes. In many areas this test can be activated by dialing +09591230 at a fortress (thanks to Karl Marx for this information). Once +activated it will request that you deposit various coins. It will then identify +the coin and outpulse the appropriate red box signal. The coins are usually +returned when you hang up. + To make sure that there is actually money in the fone, the CO initiates a +"ground test" at various times to determine if a coin is actually in the fone. +This is why you must deposit at least a nickel in order to use a red box! + +Green Boxes: +____________________________________________________________ + + Paying the initial rate in order to use a red box (on certain fortresses) +left a sour taste in many red boxer's mouths thus the GREEN BOX was invented. +The green box generates useful tones such as COIN COLLECT, COIN RETURN, and +RINGBACK. These are the tones that ACTS or the TSPS operator would send to the +CO when appropriate. Unfortunately, the green box cannot be used at a fortress +station but it must be used by the CALLED party. + +Here are the tones: + +COIN COLLECT 700 + 1100 Hz +COIN RETURN 1100 + 1700 Hz +RINGBACK 700 + 1700 Hz + + Before the called party sends any of these tones, an operator released +signal should be sent to alert the MF detectors at the CO. This can be +accomplished by sending 900 + 1500 Hz or a single 2600 Hz wink (90 ms) followed +by a 60 ms gap and then the appropriate signal for at least 900 ms. + Also, do not forget that the initial rate is collected shortly before the 3 +minute period is up. + Incidentally, once the above MF tones for collecting and returning coins +reach the CO, they are converted into an appropriate DC pulse (-130 volts for +return & +130 volts for collect). This pulse is then sent down the tip to the +fortress. This causes the coin relay to either return or collect the coins. + The alleged "T-Network" takes advantage of this information. When a pulse +for COIN COLLECT (+130 VDC) is sent down the line, it must be grounded +somewhere. This is usually either the yellow or black wire. Thus, if the wires +are exposed, these wires can be cut to prevent the pulse from being grounded. +When the three minute initial period is almost up, make sure that the black & +yellow wires are severed; then hang up, wait about 15 seconds in case of a +second pulse, reconnect the wires, pick up the fone, hang up again, and if all +goes well it should be "JACKPOT" time. + + + Page 121 + + + + + The Official Phreaker's Manual + +Physical Attack: +____________________________________________________________ + + A typical fortress weighs roughly 50 lbs. with an empty coin box. Most of +this is accounted for in the armor plating. Why all the security? Well, Bell +contributes it to the following: + + "Social changes during the 1960's made the multislot coin station a +prime target for: vandalism, strong arm robbery, fraud, and theft of service. +This brought about the introduction of the more rugged single slot coin station +and a new environment for coin service." + +As for picking the lock, I will quote Mr. Phelps: + + "We often fantasize about 'picking the lock' or 'getting a master +key.' Well, you can forget about it. I don't like to discourage people, but it +will save you from wasting alot of your time--time which can be put to better +use (heh, heh)." + + As for physical attack, the coin plate is secured on all four side by +hardened steel bolts which pass through two slots each. These bolts are in +turn interlocked by the main lock. + One phreak I know did manage to take one of the 'mothers' home (which was +attached to a piece of plywood at a construction site; otherwise, the permanent +ones are a bitch to detach from the wall!). It took him almost ten hours to +open the coin box using a power drill, sledge hammers, and crow bars (which was +empty -- perhaps next time, he will deposit a coin first to hear if it slushes +down nicely or hits the empty bottom with a clunk.) + Taking the fone offers a higher margin of success. Although this may be +difficult often requiring brute force and there has been several cases of back +axles being lost trying to take down a fone! A quick and dirty way to open the +coin box is by using a shotgun. In Detroit, after ecologists cleaned out a +municipal pond, they found 168 coin phones rifled. + In colder areas, such as Canada, some shrewd people tape up the fones using +duct tape, pour in water, and come back the next day when the water will have +froze thus expanding and cracking the fone open.In one case: + + "unauthorized coin collectors" where caught when they brought $6,000 in +change to a bank and the bank became suspicious... + + At any rate, the main lock is an eight level tumbler located on the right +side of the coin box. This lock has 390,625 possible positions (5 ^ 8, since +there are 8 tumblers each with 5 possible positions) thus it is highly pick +resistant! The lock is held in place by 4 screws. If there is sufficient +clearance to the right of the fone, it is conceivable to punch out the screws +using the drilling pattern below (provided by Alexander Mundy in TAP) + + + + + + + + + + + + + + Page 122 + + + + + The Official Phreaker's Manual + + Chapter 5 + + What is covered in these last few articles, is the essence of phreaking, +blue boxing & equal access. These last articles, I hope will be the final +stage of phreak education for now. Basic telecommunications 7 is a brief intro +to the art of blue boxing, while Better Homes & Blue Boxing will cover it in +full. Equal access will be an interesting switch, it is installed in my area +already and I have been investigating it. One thought is to call MCI operators +and box through them, over MCI lines... + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 123 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART VII * + * * + ************************************************************ + +Preface: + + After most neophyte phreaks overcome their fascination with Metro codes and +WATS extenders, they will usually seek to explore other avenues in the vast +phone network. Often they will come across references such as "simply dial KP ++ 2130801050 + ST for the Alliance teleconferencing system in LA.". Numbers +such as the one above were intended to be used with a blue box; this article +will explain the fundamental principles of the fine art of blue boxing. + +Genesis: +____________________________________________________________ + + In the beginning, all long distance calls were connected manually by +operators who passed on the called number verbally to other operators in +series. This is because pulse (aka rotary) digits are created by causing +breaks in the DC current (see Basic Telcom V). Since long distance calls +require routing through various switching equipment and AC voice amplifiers, +pulse dialing cannot be used to send the destination number to the end local +office (CO). + + Eventually, the demand for faster and more efficient long distance (LD) +service caused Bell to make a multi-billion dollar decision. They had to create +a signaling system that could be used on the LD Network. Basically, they had +two options: + +[1] To send all the signaling and supervisory information (ie, ON & OFF +HOOK) over separate data links. This type of signaling is referred to as +out-of-band signaling. + -or- +[2] To send all the signaling information along with the conversation +using tones to represent digits. This type of signaling is referred to as +in-band signaling. + + Being the cheap bastard that they naturally are, Bell chose the latter (and +cheaper) method -- IN-BAND signaling. They eventually regretted this, though +(heh, heh)... + +IN-BAND SIGNALING PRINCIPLES: +____________________________________________________________ + + When a subscriber dials a telephone number, whether in rotary or touch-tone +(aka DTMF), the equipment in the CO interprets the digits and looks for a +convenient trunk line to send the call on its way. In the case of a local +call, it will probably be sent via an inter-office trunk; otherwise, it will be +sent to a toll office (class 4 or higher -- see Telcom IV) to be processed. + + When trunks are not being used there is a 2600 Hz tone on the line; thus, +to find a free trunk, the CO equipment simply checks for the presence of 2600 +Hz. If it doesn't find a free trunk the customer will receive a re-order signal + + Page 124 + + + + + The Official Phreaker's Manual + +(120 IPM busy signal) or the "all circuits are busy..." message. If it does +find a free trunk it "seizes" it -- removing the 2600 Hz. It then sends the +called number or a special routing code to the other end or toll office. + + The tones it uses to send this information are called multi-frequency (MF) +tones. An MF tone consists of two tones from a set of six master tones which +are combined to produce 12 separate tones. You can sometimes hear these tones +in the background when you make a call but they are usually filtered out so +your delicate ears cannot hear them. These are NOT the same as touch-tones. + + To notify the equipment at the far end of the trunk that it is about to +receive routing information, the originating end first sends a Key Pulse (KP) +tone. At the end of sending the digits, #he originating end then sends a STart +(ST) tone. Thus to call 914-359-1517, the equipment would send KP + 9143591517 ++ ST in MF tones. When the customer hangs up, 2600 Hz is once again sent to +signify a disconnect to the distant end. + +History: +____________________________________________________________ + + In the November 1960 issue of The Bell System Technical Journal, an article +entitled "Signaling Systems for Control of Telephone Switching" was published. +This journal, which was sent to most university libraries, happened to contain +the actual MF tones used in signaling. They appeared as follows: + +Digit Tones +----- ----- + 1 700 + 900 Hz + 2 700 + 1100 Hz + 3 900 + 1100 Hz + 4 700 + 1300 Hz + 5 900 + 1300 Hz + 6 1100 + 1300 Hz + 7 700 + 1500 Hz + 8 900 + 1500 Hz + 9 1100 + 1500 Hz + 0 1300 + 1500 Hz + KP 1100 + 1700 Hz + ST 1500 + 1700 Hz + 11 (*) 700 + 1700 Hz + 12 (*) 900 + 1700 Hz + KP2 (*) 1300 + 1700 Hz + +(*) Used only on CCITT SYSTEM 5 for special international calling. + + Bell caught wind of blue boxing in 1961 when it caught a Washington state +college student using one. They originally found out about blue boxes through +police raids and informants. In 1964, Bell Labs came up with scanning +equipment, which recorded all suspicious calls, to detect blue box usage. +These units were installed in CO's where major toll fraud existed. AT&T +Security would then listen to the tapes to see if any toll fraud was actually +committed. Over 200 convictions resulted from the project. Surprisingly +enough, blue boxing is not solely limited to the electronics enthusiast; AT&T +has caught businessmen, film stars, doctors, lawyers, college students, high +school students and even a millionaire financier (Bernard Cornfeld) using the +device. AT&T also said that nearly half of those that they catch are +businessmen. + + + Page 125 + + + + + The Official Phreaker's Manual + + Of course, phone phreaks have achieved an almost cult status. They have +also had their fair share of media. In October 1971, Esquire published the +infamous "Secrets of the Little Blue Box" article which featured phreaks such +as Captain Crunch, who took his name from the cereal which one gave away +whistles that produced a perfect 2600 Hz pitch; Joe Engressia, the blind +phreak; and Mark Bernay, one of the nation's first and oldest phreaks. Others +such as Apple computer co-founders Steve Wozniak & Steve Jobs have also had +blue box backgrounds. 1971 also saw the publication of the first issue of YIPL, +the phone phreak newsletter, (now TAP) under the editorship of supreme yippie +Abbie Hoffman. + +Usage: +____________________________________________________________ + + To use a blue box, one would usually make a free call to any 800 number or +distant directory assistance (NPA-555-1212). This, of course, is legitimate. +When the call is answered, one would then swiftly press the button that would +send 2600 Hz down the line. This has the effect of making the distant CO +equipment think that the call was terminated and it leaves the trunk hanging. +Now, the user has about 10 seconds to enter in the telephone number he wished +to dial -- in MF, that is. The CO equipment merely assumes that this came from +another office and it will happily process the call. Since there are no records +(except on toll fraud detection devices!) of these MF tones, the user is not +billed for the call. When the user hangs up, the CO equipment simply records +that he hung up on a free call. + +Detection: +____________________________________________________________ + + Bell has had 20 years to work on detection devices; therefore, in this day +and age, they are rather well refined. Basically, the detection device will +look for the presence of 2600 Hz where it does not belong. It then records the +calling number and all activity after the 2600 Hz. If you happen to be at a +fortress fone, though, and you make the call short, your chances of getting +caught are significantly reduced (see Telcom VI). Incidentally, there have been +rumors of certain test numbers (see Telcom II) that hook directly into trunks +thus avoiding the need for 2600 Hz and detection! + + Another way that Bell catches boxers is to examine the CAMA (Centralized +Automatic Message Accounting) tapes. When you make a call, your number, the +called number, and time of day are all recorded. The same thing happens when +you hang up. This tape is then processed for billing purposes. Normally, all +free calls are ignored. But Bell can program the billing equipment to make note +of lengthy calls to directory assistance. They can then put a pen register +(aka DNR) on the line or an actual full-blown tap. This detection can be +avoided by making short-haul (aka local) calls to box off of. + + It is interesting to note that NPA+555-1212 originally did not return +answer supervision. Thus the calls were not recorded on the AMA/CAMA tapes. +AT&T changed this though for "traffic studies!" + +CCIS: +____________________________________________________________ + + Besides detection devices, Bell has begun to gradually redesign the network +using out-of-band signaling. This is known as Common Channel Inter-office +Signaling (CCIS). Since this signaling method sends all the signaling +information over separate data lines, blue boxing is impossible under it. + + Page 126 + + + + + The Official Phreaker's Manual + + + While being implemented gradually, this multi-billion dollar project is +still strangling the fine art of blue boxing. Of course until the project is +totally complete, boxing will still be possible. It will become progressively +harder to find places to box off of, though. In areas with CCIS, one must find +a directory assistance office that doesn't have CCIS yet. Area codes in Canada +and predominately rural states are the best bets. WATS numbers terminating in +non-CCIS cities are also good prospects. + +Pink Noise: +____________________________________________________________ + + Another way that may help to avoid detection is too add some "pink noise" +to the 2600 Hz tone. Since 2600 Hz tones can be simulated in speech, the +detection equipment must be careful not to misinterpret speech as a disconnect +signal. Thus a virtually pure 2600 Hz tone is required for disconnect. + + Keeping this in mind, the 2600 Hz detection equipment is also probably +looking for pure 2600 Hz or else is would be triggered every time someone hit +that note (highest E on a piano =2637 Hz). This is also the reason that the +2600 Hz tone must be sent rapidly; sometimes, it won't work when the operator +is saying "Hello, hello." It is feasible to send some "pink noise" along with +the 2600 Hz. Most of this energy should be above 3000 Hz. The pink noise +won't make it into the toll network (where we want our pure 2600 Hz to hit) but +it should make it past the local CO and thus the fraud detectors. + +Construction: +____________________________________________________________ + + While step-by-step details for the construction of a blue box is beyond the +scope of this tutorial, it is worthwhile to mention some of the details. + + First there are some alternatives but they are not as good as an actual +blue box. Many computers are capable of generating MF tones. Thus, your local +phriendly software pirate should have a program compatible for your computer. + + However, it is highly advisable not to box from home as stated in The Ten +Commandments (as interpreted for phreaks by Fred Steinbeck -- TAP #86). + +I. Box thou not over thine home telephone wires, for those who doest must +surely bring the full wrath of the Chief Special Agent down upon thy heads. + + Another alternative that has a moderate success rate involves recording the +tones from a phriend with a box or computer onto a cassette tape. They can +then be used at a fortress. + + As for actual construction techniques, TAP has devoted many issues to blue +boxing. Basically, a blue box is merely a device capable of generating two +different tones simultaneously. There are two basic construction methods that I +will outline below for the electronics hobbyist. + + The first involves the use of two 555 timer chips (or a 556 -- i.e., two +555's in one chip). It offers excellent frequency and voltage stability. +Also, it does not need a diode matrix keypad but used double-pole switches +instead. Schematics for this type of box can be found in TAP issue #29. + + The other common box makes use of two Intersil 8038CC Function Generators. +It does require a diode matrix keypad though, potentiometers, an LM-100 voltage + + Page 127 + + + + + The Official Phreaker's Manual + +regulator, a 741 Op-amp, and a handful of other parts. The schematics for this +type of blue box can be found in TAP #26. Both designs draw about 20 ma of +current. + + Also, most blue boxes use telephone earpieces (with the varistor removed) +for speakers. These can be easily liberated from fortress fones with a small +coping saw. + + Usually, the hardest part about building a blue box is the calibration. A +frequency counter is a must and an oscilloscope won't hurt. + + Some boxes also take timing into account. It is feasible on the ESS +systems that they check to see if the digits are of uniform length. If they +aren't, they are probably from a blue box and a trouble card may be dropped. +With this in mind, the Bell standard for MF pulses and interdigit intervals is +around 75 ms. It varies with the equipment used since ESS can handle higher +speeds and doesn't need interdigit intervals. + +Applications: +____________________________________________________________ + + Besides dialing normal calls free, i.e., KP+NPA+NNX+XXXX+ST, blue boxes +offer the entire network for exploration. Emergency break-ins, service +monitoring (aka taps), stacking tandems (the art of busying out all trunks +between two points), re-routing calls, conference calls, and much, much more +are all feasible. Although, Bell frequently changes these codes due to +phreaks. Here are some standard ones, though: + +Operator & Other Codes: +____________________________________________________________ + + (an optional NPA may proceed all of the numbers; otherwise, you will reach +the one local for the area where the call is originated) + +001 -- Trunk Access System +009 -- Rate Quote System +101 -- toll office test board +121 -- INWARD Operator + + This operator assists the local "0" operator in completing calls. (S)he +will do virtually anything for you providing it is within her NPA. + +131 -- Operator Directory assistance +141 -- Rout & Rate +141 defunct -- use KP + 800 + 141 +1212 + ST) + + These operators are very useful if you know how to mumble a few cryptic +phrases as compiled below (with thanks to Fred Steinbeck): To find out.....Area +Codes + + For example say , "Miami, Florida, numbers route, please." The R&R +operator will tell you "305 plus," meaning that 305 plus the seven digit number +will get you Miami. + +... Inward Operator City Codes + + Usually, the INWARD operator for an area is simply KP + NPA + 121 + +ST. In some area codes, though, there are several large cities and thus + + Page 128 + + + + + The Official Phreaker's Manual + +several inwards. To find the inward for a specific city, you would say "916 +756, operator route, please" to the R&R operator who will then tell you "916 +plus 001 plus." This means that KP+ 916 + 001 + 121 + ST will get you an +inward for Sacramento, CA (916-756). + +... City names + + If you want to know the city that corresponds to an area code and +exchange, you simply tell the R&R, "Place name, 914 390, please." In this +example, the R&R operator will respond with "White Plains, NY." + +... International Directory Assistance + + If you need a directory route for London, you could say +"International, London, England. TSPS directory route, please." The R&R +operator will respond with "Directory to London, England. Country code 44 plus +1 plus 986 plus 3611." Therefore to get a DA operator in London, you would +route yourself to an international sender and KP + 04419863611 + ST. + +... Country & City codes + + If you need to know the country and city code for an international +number you can say "International, Sydney, Australia, TSPS numbers route, +please" and get "Country code 61 plus 2." + +... International Inwards Routes + + To get routing codes for international inwards say "International, +London, England, TSPS inward route, please." The R&R Operator will respond with +"Country code 44 plus 121." + + Finally, to get language assistance for completing a foreign call you can +tell the foreign inward, "United States calling. Language assistance in +completing a call to (called party) at (called number)." + +151 -- Overseas incoming (212 +& 914+) +160-XX0 -- Various Overseas Operators +161 -- Trouble reporting operator (defunct) +181 -- Coin Refund Operator +18X -- Overseas senders + + To make an international call, one would KP + 011 + 0CC + ST where CC is +the country code. This will route you to the appropriate overseas sender. You +will then receive a 480 Hz dial tone. Here you enter KP + 0CC + city code + +local number + ST and the call is on its way. + + Country codes can be either 1, 2, or 3 digits but they must be padded for +three digits to create a pseudo-country code with extra zero's if necessary. +For example, England, country code 44, becomes 044. + + To see which international sender a certain country (lets use French +Guiana, country code 594, for example) goes through, you can dial KP + 011 + +594 + ST, wait for the Proceed to Send tone then KP + 000 + 0000 + ST and you +will receive a recording saying which ISC (International Switching Center) it +is. For the example it will say, "This is the international switching center +in Pittsburg, PA -- This is a recording - 4121." You can actually route calls +to certain senders yourself (KP + NPA + 18X + ST) but it is better off not to +since it may look suspicious if a call is sent through a sender that it + + Page 129 + + + + + The Official Phreaker's Manual + +shouldn't go through. Here are the senders: + +182 -- White Plains, NY +183 -- New York, NY +184 -- Pittsburg, PA +185 -- Orlando, FL +186 -- Oakland, CA +187 -- Denver, CO +188 -- New York, NY + + Also, there tends to be alot of talk about the Code 11, Code 12, KP2, STP, +ST3P, & ST2P keys. While they do exist the blue boxer need not concern himself +with them. The first three are used on CCITT System 5. This is the signaling +system that the International Senders use to send information to other +countries. These codes are usually added automatically just like the language +assistance digit [which distinguishes operator (or blue box) dialed calls from +customer dialed calls]. The STP, ST3P, & ST2P tones are used when equipment is +communicating with the TSPS. These also are automatically added when needed in +most cases. + +[see Telcom III for more on International Switching Centers (ISC)] + +11XXX -- miscellaneous operators +11501 -- universal cordboard operator +11511 -- conference operator +11521 -- mobile operator +11531 -- marine operator +11541 -- LD incoming switchboard +11551 -- leave word for time & charges (neat stuff) +11561 -- same as 11551 but for hotel/motels +11571 -- overseas operators (language assistance) + + The 11XXX series is interesting scanning material. + +Miscellaneous Routing Codes : +____________________________________________________________ + + Alliance Teleconferencing has several numbers, a few of which are listed +below: + +KP + 213 080 XXXX + ST +KP + 305 025 XXXX + ST +KP + 312 001 XXXX + ST +XXXX = 1050, 1100, or a few others + + Also, at KP + 317 009 + ST there is a MF tone checker. After the +beep-kerclunk, dial in KP + 999 1234567 890 + ST and it will repeat the digits +that you pulsed if they are of the right frequency. + +Tandem Scanning: +____________________________________________________________ + + To find all sorts of interesting things, you must look. Begin scanning +three digit codes in your area (i.e., KP + 000 + ST, KP + 001 + ST, etc.). Keep +track of all of your results. Sometimes you must probe things, send additional +digits and see what happens, send touch-tone, send it 2600 Hz, rip it apart. +You never know, you may run into something phun, like a computer that checks CC +numbers. + + Page 130 + + + + + The Official Phreaker's Manual + + + Incidentally, in some exchange you can dial inwards and other box codes +directly! For example, 914-121-1111 will get you a NY inward. The only problem +is that a 0 or 1 as the first digit of the exchange is usually *prohibited in +customer dialing. Somebody may have "accidentally" changed this screening code +on your ESS's computer, though -- you never know and it can't hurt to try. +WATS translation numbers also take up some of the 0XX & 1XX codes. + + Finally, certain tones on the blue box can also be used for other purposes. +An MF "2" corresponds to COIN COLLECT while "KP" corresponds to COIN RETURN. +Thus every blue box is also a green box (see Telcom VI). + +Coming soon: + +Telcom VIII will deal with cordless phones, mobile phones, and other neat +things. + +Be careful and have phun, + +*****BIOC +*=$=*Agent +*****003 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 131 + + + + + The Official Phreaker's Manual + +The Mark Tabas encounter series presents: + + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + Better Homes and Blue Boxing + + Part I + + Theory of Operation + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + To quote Karl Marx, blue boxing has always been the most noble form of +phreaking. As opposed to such things as using an MCI code to make a free fone +call, which is merely mindless pseudo-phreaking, blue boxing is actual +interaction with the Bell System toll network. It is likewise advisable to be +more cautious when blue boxing, but the careful phreak will not be caught, +regardless of what type of switching system he is under. + + In this part, I will explain how and why blue boxing works, as well as where. +In later parts, I will give more practical information for blue boxing and +routing information. + + To begin with, blue boxing is simply communicating with trunks. Trunks must +not be confused with subscriber lines (or "customer loops") which are standard +telefone lines. Trunks are those lines that connect central offices. Now, when +trunks are not in use (i.e., idle or "on-hook" state) they have 2600Hz applied +to them. If they are two-way trunks, there is 2600Hz in both directions. When a +trunk IS in use (busy or "off-hook" state"), the 2600Hz is removed from the +side that is off-hook. The 2600Hz is therefore known as a supervisory signal, +because it indicates the status of a trunk; on hook (tone) or off-hook (no +tone). Note also that 2600Hz denoted SF (single frequency) signalling and is +"in-band." This is very important. "In-band" means that is is within the band +of frequencies that may be transmitted over normal telefone lines. Other SF +signals, such as 3700Hz are used also. However, they cannot be carried over the +telefone network normally (they are "out-of-band") and are therefore not able +to be taken advantage of as 2600Hz is. + + Back to trunks. Let's take a hypothetical phone call. You pick up your fone +and dial 1+806-258-1234 (your good friend in Armarillo, Texas). For ease, we'll +assume that you are on #5 Crossbar switching and not in the 806 area. Your +central office (CO) would recognize that 806 is a foreign NPA, so it would +route the call to the toll centre that serves you. [For the sake of accuracy +here, and for the more experienced readers, note that the CO in question is a +class 5 with LAMA that uses out-of-band SF supervisory signalling]. Depending +on where you are in the country, the call would leave your toll centre (on more +trunks) to another toll centre, or office of higher "rank". Then it would be +routed to central office 806-258 eventually and the call would be completed. +Illustration: + +A---CO1-------TC1------TC2----CO2----B + +A=you +CO1=your central office +TC1=your toll office. +TC2=toll office in Amarillo. +CO2=806-258 central office. +B=your friend (806-258-1234) + + In this situation it would be realistic to say that CO2 uses SF in-band + + Page 132 + + + + + The Official Phreaker's Manual + +(2600Hz) signalling, while all the others use out-of-band signalling (3700Hz). +If you don't understand this, don't worry too much. I am pointing this out +merely for the sake of accuracy. The point is that while you are connected to +806-258-1234, all those trunks from YOUR central office (CO1) to the 806-258 +central office (CO2) do *NOT* have 2600Hz on them, indicating to the Bell +equipment that a call is in progress and the trunks are in use. + + Now let's say you're tired of talking to your friend in Amarillo +(806-258-1234) so you send a 2600Hz down the line. This tone travels down the +line to your friend's central office (CO2) where it is detected. However, that +CO thinks that the 2600Hz is originating from Bell equipment, indicating to it +that you've hung up, and thus the trunks are once again idle (with 2600Hz +present on them). But actually, you have not hung up, you have fooled the +equipment at your friend's CO into thinking you have. Thus,it disconnects him +and resets the equipment to prepare for the next call. All this happens very +quickly (300-800ms for step-by-step equipment and 150-400ms for other +equipment). + + When you stop sending 2600Hz (after about a second), the equipment thinks +that another call is coming towards it (e.g. it thinks the far end has come +"off-hook" since the tone has stopped. It could be thought of as a toggle +switch: tone --> on hook, no tone -->off hook. Now that you've stopped sending +2600Hz, several things happen: + +1) A trunk is seized. + +2) A "wink" is sent to the CALLING end from the CALLED end indicating that the +CALLED end (trunk) is not ready to receive digits yet. + +3) A register is found and attached to the CALLED end of the trunk within about +two seconds (max). + +4) A start-dial signal is sent to the CALLING end from the CALLED end +indicating that the CALLED end is ready to receive digits. + +Now, all of this is pretty much transparent to the blue boxer. All he really +hears when these four things happen is a . So, seizure of a +trunk would go something like this: + +1> Send a 2600Hz +2> Terminate 2600Hz after 1-2 secs. +3> [beep][kerchunk] + + Once this happens, you are connected to a tandem that is ready to obey your +every command. The next step is to send signalling information in order to +place your call. For this you must simulate the signalling used by operators +and automatic toll-dialing equipment for use on trunks. There are mainly two +systems, DP and MF. However, DP went out with the dinosaur , so I'll only +discuss MF signalling. MF (multi-frequency) signalling is the signalling used +by the majority of the inter- and intra-lata network. It is also used in +international dialing known as the CCITT no.5 system. + + MF signalling consists of 7 frequencies, beginning with 700Hz and separated +by 200Hz. A different set of two of the 7 frequencies represent the digits 0 +thru 9, plus an additional 5 special keys. The frequencies and uses are as +follows: + +Frequencies (Hz) Domestic Int'l + + Page 133 + + + + + The Official Phreaker's Manual + +-------------------------------------- + 700+900 1 1 + 700+1100 2 2 + 900+1100 3 3 + 700+1300 4 4 + 900+1300 5 5 +1100+1300 6 6 + 700+1500 7 7 + 900+1500 8 8 +1100+1500 9 9 +1300+1500 0 0 + 700+1700 ST3p Code 11 + 900+1700 STp Code 12 +1100+1700 KP KP1 +1300+1700 ST2p KP2 +1500+1700 ST ST + + The timing of all the MF signals is a nominal 60ms, except for KP, which +should have a duration of 100ms. There should also be a 60ms silent period +between digits. This is very flexible, however, and most Bell equipment will +accept outrageous timings. + + In addition to the standard uses listed above, MF pulsing also has expanded +usages known as "expanded inband signalling" that include such things as coin +collect, coin return, ringback, operator attached, and operator released. KP2, +code 11, and code 12 and the ST_ps (STart "primes") all have special uses which +will be mentioned only briefly here. + + To complete a call using a blue box, once seizure of a trunk has been +accomplished by sending 2600Hz and pausing for the , one must +first send a KP. This readies the register for the digits that follow. For a +standard domestic call, the KP would be followed by either 7 digits (if the +call were in the same NPA as the seized trunk) or 10 digits (if the call were +not in the same NPA as the seized trunk). [Exactly like dialing a normal fone +call]. Following either the KP and 7 or 10 digits, a STart is sent to signify +that no more digits follow. Example of a complete call: + +1> Dial 1-806-258-1234 +2> wait for a call-progress indication (such as ring, busy, recording, etc.) +3> Send 2600Hz for about 1 second. +4> Wait for about 2 seconds while a trunk is seized. +5> Send KP+305+994+9966+ST + + The call will then connect if every-thing was done properly. Note that if a +call to an 806 number were being placed in the same situation, the area code +would be omitted and only KP+ seven digits+ST would be sent. + + Code 11 and code 12 are used in international calling to request certain +types of operators. KP2 is used in international calling to route a call other +than by way of the normal route, whether for economic or equipment reasons. + + STp, ST2p, and ST3p (prime, two prime, and three prime) are used in TSPS +signalling to indicate calling type of call (such as coin-direct dialed). + + This has been Part I of Better Homes and Blue Boxing. I hope you enjoyed and +learned from it. If you have any questions, comments, threats or insults, +please fell free to drop me a line. If you have noticed any errors in this text +(yes, it does happen), please let me know and perhaps a correction will be in + + Page 134 + + + + + The Official Phreaker's Manual + +order. Part II will deal mainly with more advanced principles of blue boxing, +as well as routings and operators. + + Note 1: other highly trunkable areas include: 816,305,813,609,205. I +personally have excellent luck boxing off of 609-953-0000. Try that if you have +any trouble. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 135 + + + + + The Official Phreaker's Manual + + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + Better Homes and Blue Boxing + + Part II + + Practical Applications + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +(It is assumed that the reader has read and understood Part I of this series). + + The essential purpose of blue boxing in the beginning was merely to receive +toll services free of charge. Though this can still be done, blue boxing has +essentially outlived its usefulness in this area. Modern day "extenders" and +long distance services provide a safer and easier way to make free fone calls. +However, you can do things with a blue box that just can't be done with +anything else. For ordinary toll-fraud, a blue box is impractical for the +following reasons: + +1. Clumsy equipment required (blue box or equivalent) +2. Most boxed calls must be made through an extender. Not for safety reasons, +but for reasons I'll explain later. +3. Connections are often sacrificed because considerable distances must be +dialed to cross a seizable trunk, in addition to awkward routing. + + As stated in reason #2, boxed calls are usually made through an extender. +This is for billing reasons. If you recall from Part i, 2600Hz is used as a +"supervisory" signal. That is, it signals the status of a trunk--"on-hook" or +"off-hook." When you seize a trunk (by briefly sending 2600Hz), your end (the +CALLING end) goes on hook for the duration of the 2600Hz and then goes off-hook +once again when the 2600Hz is terminated. The CALLED end recognizes that a +call is on the way and attaches a register, which interprets the digits which +are to be sent. Now, understand that even though your end has come off-hook (no +2600Hz present), the other end is still on-hook. You may wonder then, why, if +the other end (the CALLED end) is still on-hook, there is no 2600Hz coming the +other way on the trunk, when there should be. This is correct. 2600Hz *IS* +present on the trunk when you seize it and afterwards, but you cannot hear it +because of a Band Elimination Filter (BEF) at your central office. + + Back to the problem. Remember that when you seize a trunk, 2600Hz is indeed +coming the other way on the trunk because the CALLED end is still on-hook, but +you don't actually hear it because of a filter. However, the Bell equipment +knows it's there (they can "hear" it). The presence of the 2600Hz is telling +the billing equipment that your call has not yet been completed (i.e., the +CALLED end is still on-hook). When finally you do connect with your boxed call, +the 2600Hz from the called end terminates. This tells the billing equipment +that someone picked up the fone at the CALLED end and you should begin to be +billed. So you do start to get billed, but for the call to the trunk, NOT the +boxed call. Your billing equipment thinks that you've connected with the number +you used to seize the trunk. Illustration: + +1. You call 1+806-258-2222 (directly) +2. Status of trunks: + +<-----------------------------------> +(You) 806-258-2222 +No 2600Hz-------> <------------2600Hz + + When you seize a trunk (before the number you called answers) there is no + + Page 136 + + + + + The Official Phreaker's Manual + +affect on your billing equipment. It simply thinks that you're still waiting +for the call to complete (the CALLED end is still on-hook; it is ringing, busy, +going to recorder or intercept operator. + + Now, let's say that you've seized a trunk (806-258-2222) and for example, +KP+314+949+1705+ST. The call is routed from the tandem you seized to: +314-949-1705. Illustration: + +<------------------>O<---------------> +(You) 806 314-949 + tandem +No 2600Hz----------> <----------2600Hz + + Note that the entire path towards the right (the CALLED end) has no 2600Hz +present and is therefore "off-hook." The entire path towards the left (the +CALLING end) does have 2600Hz present on it, indicating that the CALLED end has +not picked up (or come "off-hook"). When 314-949-1705 answers, "answer +supervision" is given and the 2600Hz towards the left (the CALLING end) +terminates. This tells your billing equipment, which thinks that you're still +waiting to be connected with 806-258-2222, that you've finally connected. +Billing then begins to 806-258-2222. Not exactly an auspicious beginning for an +aspiring young phone phreak. + + To avoid this, several actions may be taken. As previously mentioned, one may +avoid being charged for the number called to seize a trunk by using an extender +(in which case the extender will get billed). In some areas, boxing may be +accomplished using an 800 number, generally in the format of 800-858-xxxx (many +Amarillo numbers) or 800-NN2-xxxx (special intra-state class in-WATS numbers). +However, boxing off of 800 numbers is impossible in many areas. In my area, +Denver, I am served by #1A ESS and it is impossible for me to box off of any +800 number. + + Years ago, in the early days of blue boxing (before my time), phreaks often +used directory assistance to box off of because they were "free" long distance +calls. However, because of competitive long distance companies, directory +assistance surcharges are now $0.50 in many areas. It is additionally advised +that directory assistance numbers not be used to box from because of the +following: + + Average DA calls last under 2 minutes. When you box a call, chances are that +it will last considerably longer. Thus, the Bell billing equipment will make a +note of calls to directory assistance that last a long time. A call to a +directory assistant lasting for 4 hours and 17 minutes may appear somewhat +suspicious. + + Although the date, time, and length of a DA call do not appear on the bill, +it is recorded on AMA tape and will trip a trouble report if it were to last +too long. This is how most phreaks were discovered in the old days. Also, +sometimes too many calls lasting too long to one 800 number may raise a few +eyebrows at the local security office. + + Assuming you can complete a blue box call, the following are listed routings +for various Bell internal operators. These are in the format of KP+NPA+ +special routing+1X1+ST, which I will explain later. The 1X1 is the actual +operator routing, and NPA and NPA+ special routing are used for out-of-area +code calls and out-of-area code calls requiring special routing, respectively. + +KP+101+ST ...... Toll test board. + + Page 137 + + + + + The Official Phreaker's Manual + +KP+121+ST ...... Inward Operator. +KP+131+ST ...... Directory assistance. +KP+141+ST ...... was rate & route. Now only works in 312, 815, 717, and a few +others. It has been replaced with a universal rate & route number +800+141+1212. +KP+151+ST ...... Overseas completion operator (inbound). Works only in certain +NPAs, such as 303. +KP+181+ST ...... In some areas, toll station for small towns. + + Thus, if you seize a trunk in 806 NPA and wanted an inward (in 806), then you +would dial KP+121+ST. If you wanted a 312 inward and were dialing on an 806 +trunk, an area code would be required. Thus, you would dial KP+312+121+ST. +Finally, some places in the network require special routing, in addition to an +area code. An example is Franklin Park, Ill. It requires a special routing of +032. For this, you would dial KP+312+032+121+ST for a Franklin Park inward +operator. + + Special routings are in the format of 0XX. They are used primarily for load +balance, so that traffic flow may be evenly distributed. About half of the +exchanges in the network require special routing. Note that special routings +are NEVER EVER EVER used to dial normal telephone numbers, only operators. + + Operator functions: + +TOLL TEST BOARD- Generally a cordboard position that assists in trunk testing. +They are not used by operators, only switchmen. + +INWARD- Assists the normal TSPS (0+) operator in completing calls out of the +TSPS's area. Also, inwards perform emergency interrupts when the number to be +interrupted is out of the area code of the original (TSPS) operator. For +example, a 303 operator has a customer that needs an emergency interrupt on +215-647-6969. The 303 operator gets the routing for the inward that covers +215-647, since she cannot do the interrupt herself. The routing is found to be +only 215+ (no special routing required). So, the 303 operator keys +KP+215+121+ST. An inward answers and the 303 says to her, "Inward, this is +Denver. I need an emergency interrupt on 215-647-6969. My customer's name is +Mark Tabas." The inward will then do the interrupt (off the line, of course). +If the number to be interrupted had required special routing, such as, say, +312-456-1234 (spec routing 032), then the 303 operator would dial +KP+312+032+121+ST for the inward to do that interrupt. + +DIRECTORY ASSISTANCE- These are the normal NPA+555+1212 operators that assist +customers with obtaining telefone directory listings. Not much toll-fraud +potential here, except maybe $0.50. + +RATE AND ROUTE- These operators are reached by dialing KP+800+141+1212+ST. +They assist normal (TSPS) operators with rates and routings (thus the name). +The only uses I typically have for them are the following: + + 1. Routing- + Information- In the above example, when the 303 operator needed to dial +an inward that served 215-647, she needed to know if any special routing was +required and, if so, what it was. Assuming she would use rate and route, she +would dial them and say nicely, "Operator's route, please, for 215-647." Rate & +route would respond with "215 plus." This means that the operator would dial +KP+215+121+ST to reach the inward that serves 215-647. If there were special +routing required, such as in 312-456, rate & route would respond with "312 plus +032 plus." In that case, the operator would dial KP+312+032+ST for the inward + + Page 138 + + + + + The Official Phreaker's Manual + +that serves 312-456. + + It is good practice to ask for "operator's route" specifically, as there are +also "numbers route" and "directory routes." If you do not specifically ask for +operator's route, rate & route will generally assume that is what you want +anyway. + +"Numbers" route refers to overseas calls. Example, you want to know how to +reach a number in Geneva, Switzerland (and you already have the number). You +would call routing and say "Numbers route, please, Geneva, Switzerland." The +operator would respond with: "Mark 41+22. 011+041+ST (plus) 041+22" The "Mark +41+22" has to do with billing, so disregard it. The 011+041 is access to the +overseas gateway (to be discussed in Part iii) and the 041+ 22+ is the routing +for Geneva from the overseas sender. + +"Directory" routings are for directory assistance overseas. Example: you want a +DA in Rome, Italy. You would call rate & route and say, "Directory routing +please, for Rome, Italy." They would respond with "011+039+ST (plus) 039+1108 +STart." As in the previous example, the 011+039 is access to the overseas +gateway. The 039+1108 is a directory assistant in Rome. + + 2. Nameplace information- Rate & Route will give you the location of an NPA+ +exchange. Example: "Nameplace please, for 215-648." The operator would respond +with "Paoli, Pennsylvania." This isn't especially useful, since you can get the +same information (legally) by dialing 0, but using rate & route is often much +faster and it avoids having to hang up when you are already on a trunk. + +*NOTE* On Rate & Route: As a blue boxer, always ask for "IOTC" routings. +(e.g., "IOTC operator's route", "IOTC numbers route", etc.) This tells them +that you want cordboard-type routings, not TSPS, because a blue boxer is +actually just a cordboard position (that Bell doesn't know about). + +OVERSEAS COMPLETION +OPERATOR (inbound)- These operators (KP+151+ST) assist in the completion of +calls coming in to the United States from overseas. There are KP+151+ST +operators only in a few NPAs in the country (namely 303). To use one, you would +seize a trunk and dial KP+303+151+ST. Then you would tell the operator, for +example, "This is Bangladesh calling. I need U.S. number 215-561-0562 please." +[in a broken Indian accent]. She would connect you, and the bill would be sent +to Bangladesh (where I've been billing my KP+151+ST calls for two years). + +Other internal Bell Operators. + +KP+11501+ST ...... universal operator +KP+11511+ST ...... conference op +KP+11521+ST ...... mobile op +KP+11531+ST ...... marine op +KP+11541+ST ...... long distance terminal +KP+11551+ST ...... time & charges op +KP+11561+ST ...... hotel/motel op +KP+11571+ST ...... overseas (outbound) op + + These 115X1 operators are identical in routing to the 1X1 operators listed +previously, with one exception. If special routing is required (0XX), then the +trailing 1 is left off. + +Examples: + + + Page 139 + + + + + The Official Phreaker's Manual + +A 312 universal op ... KP+312+11501+ST +A Franklin Park (312-456) universal op (special routing 032 required)........ +KP+312+032+1150+ST [The trailing 1 of 11501 is left off]. + +Purposes of 115X1 operators. + +UNIVERSAL- Used for collect/callback calls to coin stations. + +CONFERENCE- This is a cordboard conference operator who will set up a +conference for a customer on a manual operation basis. + +MOBILE- Assists in completion of calls to mobile (IMTS) type telefones. + +MARINE- Assists in completion of calls to ocean going vessels. + +LONG DISTANCE TERMINAL- Now obsolete.Was used for completion of long distance +calls. + +TIME & CHARGES- Will give exact costs of calls. Used to time calls and inform +customer of exactly how much it cost. + +HOTEL/MOTEL- Handles calls to/from hotels and motels. + +OVERSEAS +COMPLETION (outbound)- assists in completion of calls to overseas points. Only +works in some, if any NPAs, because overseas assistance has been centralized to +IOCC (covered in Part III). + + Note that all KP+1X1+ST and KP+115X1+ST operators automatically assume that +you are a TSPS or cordboard operator assisting a customer with a call. DO NOT +DO ANYTHING TO JEOPARDIZE THIS! If you do not know what to do, don't call these +operators! Find out what to do first. + + This concludes Part II. There is one final part in which I will explain +overseas dialing, IOCC (International Overseas Completion Centre), RQS +(Rate/Quote System), and some basic scanning. + + + + + + + + + + + + + + + + + + + + + + + + Page 140 + + + + + The Official Phreaker's Manual + + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + Better Homes and Blue Boxing + + Part III + + Advanced Signalling +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +(It is assumed that the reader has read and understood parts i & ii before +proceeding to this part). + + In Parts I & II, I covered basic theory and domestic signalling and +operators. In this part I will explain overseas direct boxing, the IOCC, the +RQS, and some basic scanning methods. + +Overseas Direct Boxing. + + Calling outside of the United States and Canada is accomplished by using an +"overseas gateway." There are 7 over-seas gateways in the Bell System, and each +one is designated to serve a certain region of the world. To initiate an +overseas call, one must first access the gateway that the call is to be sent +on. To do this automatically, decide which country you are calling and find its +country code. Then, pad it to the left with zeros as required so it is three +digits. [Add 1, 2, or 3 zeros as required]. + +Examples: + +Luxembourg (352) is 352 (stays the same) +Spain (34) becomes 034 (1 zero added) +U.S.S.R. (7) becomes 007 (2 zeros added) + + Next, seize a trunk and dial KP+011+ CC+ST. Note that CC is the three digit +padded country code that you just determined by the above method. [For +Luxembourg, dial KP+011+352+ST, Spain KP+011+034+ST, and the U.S.S.R. KP+011+ +007+ST]. This is done to route you to the appropriate overseas gateway that +handles the country you are dialing. Even though every gateway will allow you +to dial every dialable country, it is good practice to use the gateway that is +designated for the country you are calling. + + After dialing KP+011+CC+ST (as CC is defined above) you should be connected +to an overseas gateway. It will acknowledge by sending a wink (which is audible +as a and a dial tone. Once you receive international dial +tone, you may route your call one of two ways: a) as an operator-originated +call, or b) as a customer-originated call. To go as a operator-originated call, +key KP+ country code (NOT padded with zeros)+ city code+number+ST. You will +then be connected, providing the country you are calling can receive +direct-dialed calls. The U.S.S.R. is an example of a country that cannot. + +Example of a boxed int'l call: + +To make a call to the Pope (Rome, Italy), first obtain the country code, which +is 39. Pad it with zeros so that it is 039. Seize a trunk and dial +KP+011+039+ST. Wait for sender dial tone and then dial KP+39+6+6982+ST. 39 is +the country code, 6 is the city code, and 6982 is the Pope's number in Rome. To +go as an operator-originated call, simply place a zero in front of the country +code when dialing on the gateway. Thus, KP+0+39+6+6982+ST would be dialed at +sender dial tone. Routing your call as operator-originated does not affect much +unless you are dialing an operator in a foreign country + + Page 141 + + + + + The Official Phreaker's Manual + + + To dial an operator in a foreign country, you must first obtain the operator +routing from rate & route for that country. Dial rate & route and if you're +trying to get an operator in Yugoslavia, say nicely, "IOTC Operator's route, +please, for Yugoslavia." [In larger countries it may be necessary to specify a +city]. Rate & route will respond with, "38 plus 11029". So, dial your overseas +gateway, KP+011+038+ST, wait for sender dial tone, and key KP+0+38+11029+ST. +You should then get an operator in Yugoslavia. Note that you must prefix the +country code on the sender with a 0 because presumably only an operator here +can dial an operator in a foreign country. + + When you dial KP+011+CC+ST for an overseas gateway, it is translated to a +3-digit sender code of the format 18X, depending on which sender is designated +to handle the country you are dialing. The overseas gateways and their 3-digit +codes are listed below. + +182 ..... White Plains, NY +183 ..... New York, NY +184 ..... Pittsburg, PA +185 ..... Orlando, FL +186 ..... Oakland, CA +187 ..... Denver, CO +188 ..... New York, NY + + Dialing KP+182+ST would get you the sender in White Plains, and KP+183+ST +would get the sender in NYC, etc., but the KP+011+CC+ST is highly suggested (as +previously mentioned). To find out what sender you were routed to after dialing +KP+011+CC+ST, dial (at int'l dial tone): KP+0000000+ST. + + If you have difficulty in reaching a sender, call rate and route and ask for +a numbers route for the country you're dialing. Sometimes, KP+011+ padded +country code+ST will not work. I have found this in many 3-digit country +codes. Luxembourg, country code 352, for example, should be KP+011+352+ST +theoretically. But it is not. In this case, dial KP+011+ 003+ST for the +overseas gateway. If you have trouble, try dialing KP+00+ first digit of +country code+ST, or call rate The IOCC. + + Sometimes when you call rate and route and ask for an "IOTC numbers route" or +"IOTC operators route" for a foreign country, you will get something like +"160+700" (as in the case of the Soviet Union). This means that the country is +not dialable directly and must be handled through the International Overseas +Completion Centre (IOCC). For an IOCC routing, pad the country code to the +RIGHT with zeros until it is 3 digits. Then KP+160 is dialed, plus the padded +country code, plus ST. Examples: + +The U.S.S.R. (7) ...... KP+160+700+ST +Japan (81) ............ KP+160+810+ST +Uraguay (598) ......... KP+160+598+ST + + You will then be routed to the IOCC in Pittsburg, PA, who will ask for +country, city, and number being dialed. Many times they will ask for a +ringback [thanks to Telenet Bob] so have a loop ready. They will then place the +call and call you back (or sometimes put you through directly). Some calls, +such as to Moscow, take several hours. + +The Rate Quote System (RQS). + + The RQS is the operator's rate/quote system. It is a computer used by TSPS + + Page 142 + + + + + The Official Phreaker's Manual + +(0+) operators to get rate and route information without having to dial the +rate and route operator. In Part ii, I discussed getting an inward routing for +dialing-assistance and emergency interrupts from the rate and route operators +(KP+800+141+1212+ST). The same information is available from RQS. Say you want +the inward routing for 305-994. You would seize a trunk and dial KP+009+ST (to +access the RQS). Sometimes, if you seize a trunk in an NPA not equipped with +RQS, you need to dial an NPA that is equipped with RQS first, such as 303. +Anyway, after you dial KP+009+ST or KP+303+009+ST, you will receive a wink +() and then RQS dial tone. At RQS dial tone, for an inward +routing for 305-994 you would dial KP+06+305+994+ST. That is, +KP+06+NPA+exchange+ST. RQS will respond with "305 plus 033 plus". This means +you would dial KP+305+033+121+ST for an inward that services 305-994. If no +special routing were required, RQS would have responded with "305 plus" and you +would simply dial: KP+305+121+ST for an inward. + + Another RQS feature is the echo feature. You can use it to test your blue +box. Dial RQS (KP+009+ST) and then key KP+07+1234567890+ST. RQS will respond +with voice identification of the digits it recognized, between the KP+07 and +ST. + + RQS can also be used for rates and directory routings, but those are seldom +needed, so they have been omitted here. + +Simple Scanning. + + If you're interested in scanning, try dialing on a trunk, routings in the +format of KP+11XX1+ST. Begin with 11001 and scan to 11991. There are lots of +interesting things to be found there, as Doctor Who (413 area) can tell you. +Those 11XX1 routings can also be prefixed with an NPA, so if you want to scan +area code 212, dial KP+212+ 11XX1+ST. + + There, now you know as much about blue boxing as most phreaks. If you read +and understand the material, and put aside preconceived ideas of what blue +boxing is that you may have acquired from inexperienced people or other +bulletin boards, you should be well on you way to an enlightening career in +blue boxing. If you follow the guidelines in Part I to box, you should have no +problem with the fone company. Comments made by "phreaks" on bulletin boards +that proclaim "tracing" of blue boxers are nonsense and should be ignored +(except for a passing chuckle). + +NOTE 1: CCIS and the downfall of blue boxing. + +CCIS stands for Common Channel Inter-office Signalling. It is a signalling +method used between electronic switching systems that eminiates the use of +2600Hz and 3700Hz supervisory signals, and MF pulsing. This is why many places +cannot be boxed off of; they employ CCIS, or out-of-band signalling, which will +not respond to any tones that you generate on the line. Eventually, all +existing toll equipment will be upgraded or replaced with CCIS or T-carrier. In +this case, we'll all be boxing with microwave dishes. Until then (about 1995 by +current BOC/AT&T estimates), have fun! + +If you have ANY questions about this text, please feel free to drop me a line. +I will respond to all mail, messages, etc. Insults are also welcomed. And if +you discover anything interesting scanning, be sure to let me know. + +Mark Tabas +$LOD$ + + + Page 143 + + + + + The Official Phreaker's Manual + +This text was prepared in full by Mark Tabas for: + +K.A.O.S. +Philadelphia, PA. +[215-465-3593]. + +Any sysop may freely download this text and use it on his/her BBS, provided +that none of it be altered in any way. + +Technical acknowledgements: + +Karl Marx, X-Man, High-Rise Joe, Telenet Bob, Lex Luthor, TUC, John Doe, Doctor +Who (413 area), The Tone Sweep, Mr. Silicon, K00L KAT, The Glump. + +References: + +1. Notes on the BOC Intra-LATA Networks Bell System publication, 1983. +2. Notes on the Network Bell System publication, 1983. +3. Engineering and Operations in the Bell System Bell System publication, +1983. +4. Notes on Distance Dialing Bell System publication, 1968. +5. Early Medieval Architecture. +....................................... +(c) February 6, 1900 Mark Tabas +....................................... + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 144 + + + + + The Official Phreaker's Manual + + BY FRED STEINBECK (TAP #88) + + IT SEEMS THAT FEWER AND FEWER PEOPLE HAVE BLUE BOXES THESE DAYS, AND +THAT IS REALLY TOO BAD. BLUE BOXES, WHILE NOT ALL THAT GREAT FOR MAKING FREE +CALLS (SINCE THE TPC CAN TELL WHEN THE CALL WAS MADE, AS WELL AS WHERE IT WAS +TOO AND FROM), ARE REALLY A LOT OF FUN TO PLAY WITH. SHORT OF BECOMING A REAL +LIVE TSPS OPERATOR, THEY ARE ABOUT THE ONLY WAY YOU CAN REALLY PLAY WITH THE +NETWORK. + FOR THE FEW OF YOU WITH BLUE BOXES, HERE ARE SOME PHRASES WHICH MAY +MAKE LIFE EASIER WHEN DEALING WITH THE RATE & ROUTE (R&R) OPERATORS. TO GET +THE R&R OP, YOU SEND A KP + 141 + ST. IN SOME AREAS YOU MAY NEED TO PUT +ANOTHER NPA BEFORE THE 141 (I.E., KP + 213 + 141 + ST), IF YOU HAVE NO LOCAL +R&R OPS. + THE R&R OPERATOR HAS A MYRIAD OF INFORMATION, AND ALL IT TAKES TO GET +THIS DATA IS MUMBLING CRYPTIC PHRASES. THERE ARE BASICALLY FOUR SPECIAL +PHRASES TO GIVE THE R&R OPS. THEY ARE NUMBERS ROUTE, DIRECTORY ROUTE, OPERATOR +ROUTE, AND PLACE NAME. + YOU GET AN R&R AN AREA CODE FOR A CITY, ONE CAN CALL THE R&R OPERATOR +AND ASK FOR THE NUMBERS ROUTE. FOR EXAMPLE, TO FIND THE AREA CODE FOR CARSON +CITY, NEVADA, WE'D ASK THE R&R OP FOR "CARSON CITY, NEVADA, NUMBERS ROUTE, +PLEASE." AND GET THE ANSWER, "RIGHT... 702 PLUS." MEANING THAT 702 PLUS 7 +DIGITS GETS US THERE. + SOMETIMES DIRECTORY ASSISTANCE ISN'T JUST NPA + 131. THE WAY TO GET +THESE ROUTINGS IS TO CALL R&R AND ASK FOR "ANAHEIM, CALIFORNIA, DIRECTORY +ROUTE, PLEASE." OF COURSE, SHE'D TELL US IT WAS 714 PLUS, WHICH MEANS 714 + 131 +GETS US THE D.A. OP THERE. THIS IS SORT OF POINTLESS EXAMPLE, BUT I COULDN'T +COME UP WITH A BETTER ONE ON SHORT NOTICE. + LET'S SAY YOU WANTED TO FIND OUT HOW TO GET TO THE INWARD OPERATOR FOR +SACRAMENTO, CALIFORNIA. THE FIRST SIX DIGITS OF A NUMBER IN THAT CITY WILL BE +REQUIRED (THE NPA AND AN NXX). FOR EXAMPLE, LET US USEM 916 756. WE WOULD CALL +R&R, AND WHEN THE OPERATOR ANSWERED, SAY, "916 756, OPERATOR ROUTE, PLEASE." +THE OPERATOR WOULD SAY, "916 PLUS 001 PLUS." THIS MEANS THAT 916 + 001 + 121 +WILL GET YOU THE INWARD OPERATOR FOR SACRAMENTO. + DO YOU KNOW THE CITY WHICH CORRESPONDS TO 503-640? THE R&R OPERATOR +DOES, AND WILL TELL YOU THAT IT IS HILLSBORO, OREGON, IF YOU SWEETLY ASK FOR +"PLACE NAME, 503 640, PLEASE." + FOR EXAMPLE, LET'S SAY YOU NEED THE DIRECTORY ROUTE FOR SVEG, SWEDEN. +SIMPLY CALL R&R, AND ASK FOR, "INTERNATIONAL, BADEN, SWITZERLAND. TSPS +DIRECTORY ROUTE, PLEASE." IN RESPONSE TO THIS, YOU'D GET, "RIGHT... DIRECTORY +TO SVEG, SWEDEN. COUNTRY CODE 46 PLUS 1170." SO YOU'D ROUTE YOURSELF TO AN +INTERNATIONAL SENDER, AND SEND 46 + 1170 TO GET THE D.A. OPERATOR IN SWEDEN. + INWARD OPERATOR ROUTINGS TO VARIOUS COUNTRIES ARE OBTAINED THE SAME WAY +"INTERNATIONAL, LONDON, ENGLAND, TSPS INWARD ROUTE, PLEASE." AND GET "COUNTRY +CODE 44 PLUS 121." THEREFORE, 44 PLUS 121 GETS YOU INWARD FOR LONDON. + INWARDS CAN GET YOU LANGUAGE ASSISTANCE IF YOU DON'T SPEAK THE +LANGUAGE. TELL THE FOREIGN INWARD, "UNITED STATES CALLING. LANGUAGE ASSISTANCE +IN COMPLETING A CALL TO (CALLED PARTY) AT (CALLED NUMBER)." + R&R OPERATORS ARE PEOPLE ARE PEOPLE TOO, Y'KNOW. SO ALWAYS BE POLITE, +MAKE SURE USE OF 'EM, AND DIAL WITH CARE. + +NOTE: AS A RESULT OF THE BREAK-UP, R&R IS NOW KP+800+141+1212+ST + + + + + + + + + Page 145 + + + + + The Official Phreaker's Manual + + Verification + By Fred Steinbeck + +From TAP issue # 88 10-83 + + There has been a great deal of controversy in the realm of phreakdom over a +mysterious subject known under a number of different names, including +"Verification", "Autoverification", "Verify", "Autoverify", "Verify Busy", and +even "VFY BY". All of these names basically mean the same thing: the ability +to listen to another person's telephone line from any telephone in the +direct-dialable world. + Needless to say, Bell System is very tight lipped about knowledge regarding +verification. Indeed, the infamous book 'Notes on long distance dialing' ('68 +edition) says, "Care must be taken to insure that the customer never gains +verification capabilities." With a printed policy like that, you can imagine +what their real-world policy is like! Even their own rate and route operators +will not give verification on routing codes (at least in my experience), one +even responding, "What?! You must be crazy! We don't give those out!" Before +you get too far into this article, I will state simply: I don't know how to +verify. However, I have been fooling with various things related to it, and +collecting information on it for some time now. Therefore, while I can't do it +(yet), I may be able to point some other bright TAPer on the right track, and +perhaps he or she will show us all how. If you have knowledge not covered in +this article, but don't want to write an article on your own, please send your +ideas, comments, or information to Project Verify, C/O TAP Verify has also +been called "Autoverify", and I have no idea why. This is not, to my +knowledge, a Bell System term (at least I've never seen it in any manuals) As +far as I know, there is verify, which means being able to listen to speech +(kind of; see below) on a line, and there is the "Emergency Interrupt which +allows you to take part in the conversation taking place on the line in +question. It has been suggested that "Autoverify" is the same as an emergency +interrupt , but I tend to disagree with this idea. It should be noted that the +verification circuitry does not actually let an operator listen to a +conversation without making a beep on the line every so often. Instead, she +will hear encrypted speech. However, I believe with the proper methods, verify +can be converted to an emergency interrupt. + Verification is normally done either by your normal "0" (TSPS) operator, if +the call is in your home NPA (HNPA), or by an inward operator (IO). If the +call is outside your HNPA, your normal operator will call the IO for the +NPA,and say, "Verify Busy" or "Emergency Interrupt" please, 555 1212." The IO +will perform whatever magic he or she must, and then report back. If the call +is in your HNPA, though, the "0" operator can do the verification herself by +using the "VFY BY" key on her keyshelf. However, in some areas, the operator +uses a routing code to accomplish verification, and this the is loop hole we +shall attack. + It follows that if a IO or "0" operator can do it, so can we, with a blue box +Now, courtesy of Robert Allen (who brought it to my attention) and Susan +Thunder (who apparently discovered it), here is what used to work for getting +operators to hook you into conversations with other people (i.e.,let you listen +to them till you hung up): You'd call the operator and say "Operator, TSPS +Maintenance Engineer Calling. Ring forward to 001 + NPA + 7d, ring back to my +number, hit ring forward, no AMA, and then position release. + This creates some problems, and you must be familiar with the TSPS +console(by dialing "0"), you are on the "back", or incoming part of a loop. +When she places a call for you, the call goes out on the "forward", or outgoing +part of the loop. If an operator wants to make a call, she punches KP FWD +(keypulse forward), the number, and ST. Ring FWD puts a 90 volt ringing signal +across the forward part of the line (and may dial the number as well). The + + Page 146 + + + + + The Official Phreaker's Manual + +problem arises from the fact that I don't know if Ring FWD will actually dial a +call, and if there is some other subtle difference between it an KP FWD. + Let us assume ringing forward makes a call from the TSPS console to whatever +number is given. Ring back causes your phone to ring (it is assumed you hung +up after giving her your instructions; if you didn't you'd hear an annoying 90 +volts across the earpiece...) "No AMA" means "no automatic message accounting", +so nobody gets billed for the call, although it will show up on a tape +somewhere. "Position Release" removes the operator from the circuit, and +allows her to receive other calls. This leaves an unaccounted-for ring +forward. + The verification circuit, as you know, likes to encrypt conversation, which +is something we don't want. Well, the second Ring FWD sends another 90 volts +crashing against the verify circuitry, which Juda Gerad thinks removes the +voice encryption from the line, puts the operator (and you) in circuit, and +puts a beep tone on the line every five seconds. This seems to make sense, and +I am inclined to agree with him. + The bit about "....001 + NPA + 7D" causes the thought "MF routing code" to +spring immediately to mind. Now, the above trick was supposed to work in the +213 NPA. I have tried both "KP+001+213+7D+ST", and some other area codes. I +generally get nothing, a reorder signal, or a tandem recording. + Here's some food for thought: On an official Telco sheet I have, labeled " +213 NPA MF Routing Codes", 001 is listed as "VFY BY", or verify busy for the +213 NPA. 002 is listed for the 805 NPA. Ma Bell likes to have standardized +routing codes, such logical, then, that 001 would be a sort of "standard" +verify code, and other prefixes would be tacked on at 002,003, etc. However, I +have heard from a retired operator that verification codes are different from +area to area, and are not always nice numbers like 001, 002. Ah, well, a guy +can hope, can't he? + Some suggestions for future attacks on this dilemma: Everyone call your +operators and subtly ask questions. I have found the tend to give information +out easier if you ask for something that you would ordinarily have to be a +company employee to know about, such as rate steps, operator routings, etc. + Casually let slip that you used to be (or still are) an operator, or that +you work for company security. Also, you might want to blue box some codes +like 001 followed by your NPA and the last 7D of a busy number. If you get a +sort of "whispery noise", try blasting the line with a ringing signal (you +might piggyback another line onto yours and call the piggyback to generate the +90 volts) and see if that does anything. + + + + + + + + + + + + + + + + + + + + + + Page 147 + + + + + The Official Phreaker's Manual + + =================================== + EQUAL ACCESS AND THE AMERICAN DREAM + =================================== + + +by + +Mark Tabas +P.O. Box 620401 +Littleton, CO 80162 + +July 7, 1985 + + + + The American Dream means many things to many people. To the small, typical +businessman, it means building a good, strong business based on hard work and +perseverance; indeed, with nothing limiting his potential but he amount of work +he is willing to put into his business. To a large businessman, the American +Dream means living and working in a country where a single corporation can have +a profit exceeding the gross national product of an entire third world nation. + To the individual, the American Dream is the right to choose -- everything +from one's breakfast cereal to a long-distance service, as well as the formal +right outlined by our founding fathers: those of life, liberty, and the pursuit +of happiness. + To the phone phreak, I think the American Dream is, in a sort of twisted way, +the uninhibited pursuit of knowledge. This quest could scarcely remain +unchecked in many other countries. Analogous to this quest is the thriving of +the Bell System, which until January 1, 1984 consisted of the American +Telephone and Telegraph Company, the largest corporation in the history of the +world. Did the American Dream die on January first or did the divestiture of +AT&T cause a giant step forward for competition and free enterprise in the +United States? I do not know. I do know that the other nations of the world +were amazed that the United States would dissolve the entity that brought the +finest and most universal telephone system in the world, and did so at a time +when the majority of the rest of the world was still using two dixie cups and a +string. + The unfairness of the situation is that AT&T built the telephone system of +this nation and is now being bound and gagged and having its possessions +distributed to others, whom AT&T also wrought. All in the name of fairness, +free competition, and "equal access". Where was was MCI during the century +that AT&T built he communications system of this nation? Well, I believe in +Equal Access, Wholly. And, since I believe in equal access and its +implications for equality for all so strongly, I feel that MCI, Sprint, and +others should take the same amount of time to build their respective toll +networks: 100 years. Therefore, if the United States Justice Department were +truly the fair and just administrator that it portrays itself to be, MCI would +not have a hand in the long-distance cache until about 2080. That's only +fair. + There is no doubt that MCI is a sub-standard organization. They consist of +incompetent employees, inferior equipment, and an inferior marketing strategy. +They are mockingly imitative of AT&T, except in the quality of their service, +which is practically unusable. It is also interesting that with less than 2% +market share, MCI calls itself "the nation's long-distance company." The point +to this diatribe is this. It's time for these long-distance companies such as +MCI and Sprint to grow up. With Equal Access, they are going to become real +long-distance companies, not the joke organizations they are now, and I think +it may just take them one hundred years to do so. + + Page 148 + + + + + The Official Phreaker's Manual + + + ============ + Equal Access + ============ + + Equal Access, as it applies to the telecommunications industry, is "the +requirement that each Bell Operating Company provide exchange access to all +long-distance carriers that is equal in type and quality to that provided AT&T +communications." This is the official provision set forth by the United States +Justice Department in the Modification of the Final Judgment, August 24, 1982. +All this means is that each long-distance-distance company will have "equal +access" to all of the same types of services that AT&T currently enjoys. There +are four types of long-distance carrier services, divided into "feature +groups." They follow. + +FG A: "line side access." This is the standard 7-digit dialup+code (for +billing purposes) +destination telephone number. It is currently in use by +most long-distance carriers. + +FG B: "trunk side access." These are the 950 exchange numbers. They also +utilize an authorization code for billing. As with FG A, automatic number +identification (ANI) (i.e. calling number) is not provided to the carrier, but +will be in the future. + +FG C: "1+ dialing." Currently, only AT&T is able to get this type of +service. It is 1/0+7 of 10 digit direct long distance dialing. ANI (for +billing) is provided. + +FG D: "equal access." This will allow for 1/0+7 or 10 digit direct +long-distance dialing (presubscription carrier) and 10xxx+1/0+7 or 10 digit +long-distance dialing (alternate carrier). ANI for billing is provided at the +long-distance carrier's option. Billing may also be handled by the individual +long distance company or the local Bell Operating Company. + + Feature groups C and D are mutually exclusive (i.e. both cannot exist in a +particular area at the same time). Areas which have Feature Group C (AT&T +long-distance only) are non-Equal Access, and areas which have Feature Group D +(multiple long distance carriers) are Equal Access regions. + Feature Group B, the 950 exchange numbers will be used in areas in which it +is not feasible to provide with Equal Access, such as step-by-step offices +(yes, they CAN have 950 numbers), some crossbar offices, and some independent +telcos, which are not bound by the provisions of Equal Access and may provide +to their customers any type of long-distance service(s) they wish. The 950 +exchange is now active in many areas. It is mainly used as a universal +"roaming" access port for many long-distance carriers, but when an office is +converted to Equal Access, the 950 capability is removed. Thus, in an Equal +Access region, one cannot complete a call to a 950 telephone number. + I personally am looking very forward to Equal Access. My area is not +scheduled for full implementation of it until late 1985 or early 1986, and by +this time many of the alternate long distance carriers' networks will be in +place (or well under way). Think about what Equal Access means. Equality for +all long distance carriers. Access to common facilities, such as: busy-line +verification lines, Bell System information, signalling specifications. etc. +After full implementation of Equal Access, one will be able to take advantage +of and manipulate the services of more than just one carrier. It will no +longer be phreaks vs. AT&T. + When your area is ready to initiate Equal Access, you will receive a notice +in the mail informing you of some of the details of Equal Access, and will ask + + Page 149 + + + + + The Official Phreaker's Manual + +you to specify your choice of "primary carrier." In some cases you will need to +specify both inter-LATA carrier (IC), which handles calls out of your LATA +(Local Access and Transport Area), and an international carrier (INC), which +will handle calls destined for other countries. Recent market studies have +shown that between 80 and 90 per cent of residential customers will continue to +be served by AT&T for their long-distance service after Equal Access. So much +for competition. + You will probably be faced with many long-distance companies to choose from, +including but not limited to: AT&T, MCI, Sprint, ITT, Western Union, Dial U.S., +Call America, TMC, and U.S. Telephone. Whichever you choose will become your +"primary carrier." Your primary carrier will handle your call each time you +pick up you fone and dial 1+7 or 10 digits or 0+7 or 10 digits, inter-LATA +only. That is, if you dial a toll call that is within your LATA, it will be +handled by your local telephone company (Bell), not by your primary carrier, +even though it is a toll call. Let's use an example. The state of Colorado +consists of two LATAs. For this example, I will use three cities in Colorado: +Denver (in LATA1), Sterling (LATA1 also), and Colorado Springs (in LATA2). +Note here that even though Denver ad Sterling are in the same LATA, and Denver +and Colorado Springs are not, Sterling is actually much farther away from +Denver than Colorado Springs. This is because LATA boundaries were designed +giving consideration to high toll-traffic regions, to bring in revenue. Toll +traffic between Denver and Colorado Springs is very high, so the two cities +were placed in separate LATAs (or, more correctly, they were separated by a +LATA boundary). Toll traffic between Denver and Sterling is very low, of the +two cities were allowed to remain in the same LATA. Now, if everyone in +Colorado Springs were to pack up and move to Sterling (though who knows what +the hell for), the LATA boundaries in Colorado would be changed so that Denver +and Sterling were in different LATAs. The primary factor in determining LATAs +is money. + If I made a call to Sterling from my home in Denver, the call would be routed +entirely via Mountain Bell long-distance facilities. No long distance carrier +would be involved because Denver and Sterling are in LATA1. If I made a call +to Kelley, the blonde babe in Colorado Springs, the call would be handled by a +long distance carrier (in this case, AT&T) because Denver is in LATA1 and +Colorado Springs is in LATA2. Here is a table to simplify this: + +Customer dials LATA Carrier +----------------------------------------------------------------- +7 digits same Bell +1+7 digits same Bell +1+7 digits diff LD carrier (currently AT&T) +1+10 digits diff LD carrier (currently AT&T) +----------------------------------------------------------------- + + Note several things here. First, not all areas need to dial a 1 when dialing +any number, local or long distance, but the central offices will still discern +whether the call is in the same LATA as the customer or a different one and +handle the call appropriately. Secondly, some step-by-step offices require a +1+NPA to be dialed for calls within the same LATA and, in fact, all numbers +outside of the office itself. But, for the most part, the above table is +standard for common switching networks. + + ================== + Alternate Carriers + ================== + + Your normal long distance carrier will handle all your toll calls which cross +over LATA boundaries when you dial directly, 1+. If you wish to place your + + Page 150 + + + + + The Official Phreaker's Manual + +call via another carrier's network, whether for cost, quality, or circuit +availability reasons, you may do so in Equal Access regions. To access an +alternate long distance carrier after Equal Access, a customer dials +10xxx+1/0+7 or 10 digit telefone number. Note that xxx is the "carrier access +code (CAC)." A few CACs currently in use are listed below. + +220 ........ Western Union 666 ........ Lexitel +222 ........ MCI 777 ........ Sprint +333 ........ US Telefone 888 ........ SBS +444 ........ Allnet + + Thus, in an Equal Access region, to dial Fred in Orlando, a customer would +dial 1+305+994+9966 to place his call on his primary carrier, or to place it on +another network, he could dial: 10222+1+305+994+9966, and the call would go +over MCI facilities (in this case). Eventually, after many more long distance +services get into the act, there will be a directory of the various long +distance companies and their CACs, and deciding which carrier to use for any +particular call to get the bet rate will be beyond the ability of everyone +except phone phreaks. + + ================ + The 950 Exchange + ================ + + As discussed, the 950 central office exchange is currently a "roaming" access +port for various long distance carriers. In areas that have 950, the access to +carriers is standardized. Thus, someone travelling to several different areas +need only know the 950 number of the carrier he uses to access it from any area +(provided that it have 950 active). Originally, the 950 exchange was designed +to correspond with the 10xx carrier access code used for Equal Access. For +example, 950-1022 would be the same carrier as 1022 (+telephone number). +However, it was later found that the 100 codes available for use as 10xx CACs +would be insufficient to handle he number of long distance carriers. So, the +common carrier access code was increased by one digit, to 10xxx, thus +increasing the number of possible CACs to 1000. To keep the 950 exchange +consistent with the non CAC, the Bell Operating Companies have opted to change +the 950-10xx to 950-0xxx. The xxx in the 950-0xxx remains the same as the xxx +in the 10xxx carrier access code. The new modified 950 numbering pan is now +active in Philadelphia (Bell Atlantic) among other areas. + After Equal Access is well under way, the 950 exchange will be used in +certain areas that cannot be equipped for the standard Equal Access dialing +plans. This includes step-by-step, #1 crossbar, #5 crossbar, #2ESS, and #3ESS +offices. Customers in areas served by these types of switching equipment will +dial 950-0xxx, wait for acknowledgement tone from the carrier, and then dial a +"personal identification number" and destination telefone number,and the call +will be completed on the selected carrier's facilities. Initially, billing +will be handled by the carrier itself, and supervisory information and ANI will +not be provided by the local Bell Operating Company. + There are three main advantages to the 950 central office exchange and +protocol. They are: a) universal access for all areas, b) 950-exchange numbers +are "trunk side access." This means that the long distance carrier has direct +trunks going to it from a Bell toll office or local central office. These +trunks are interoffice lines, not customer type (POTS) lines, and supposedly +insure higher quality of connection. And, c) 950-exchange numbers are toll and +message unit free. On metered-usage (i.e., not "flat rate") customer lines, +they cost nothing. In most areas they are free from coin stations, with +Colorado as one notable exception. + + + Page 151 + + + + + The Official Phreaker's Manual + + ===== + Costs + ===== + + Each long-distance carrier must choose the type(s) of service it wishes to +provide to its customers. These different types of service were outlined +earlier as "Feature Groups." The costs of these Feature Groups vary directly +with the complexity and quality of the service itself. The following table +outlines the cost to the carrier of each available Feature Group. It is based +on the monthly rate per line for 9000 minutes of circuit use, and assumes the +carrier and Bell switch are 15 miles apart. + +FG non-Equal Access Equal Access +-------------------------------------------------------- +A $329.94 $709.20 +B 329.94 721.80 +C 752.40 ** N/A ** +D ** N/A ** 752.40 +-------------------------------------------------------- + + These figures are a lot more significant than they might appear. They +indicate that after Equal Access, in order to compete with the giants such as +AT&T, MCI, etc., smaller long distance companies will use Feature Group A or B +type service in order to provide significantly lower rates to their customers +than companies subscribing to Feature Group D service (like AT&T, MCI, etc). +This will cause a unique type of equilibrium to form. Customers willing to +dial an access number, authorization code, and destination number and put up +with lower quality service will be able to save a lot of money. This seems +faintly reminiscent of pre-Equal Access times.... + + ==================== + Directory Assistance + ==================== + + Each Bell Operating Company will be responsible for providing intra-LATA +operator services. When a customer dials (1)+411 or (1)+555+1212 for local +directory assistance, he will reach a Bell operator who will service requests +for listed numbers within the customer's LATA. Requests for numbers in LATAs +other than the calling customer's may be handled at the discretion of the local +operating company. Initially, the Bell Operating Companies will meet the +responsibility for providing directory assistance services by contracting it to +a long distance carrier or carriers (currently AT&T). All inter-LATA directory +assistance services will be provided by the inter-LATA carrier (IC). ICs may +also provide 800 Enterprise service or other toll free type directory +assistance services. See table. + +================================================================= +Intra-LATA: +================================================================= + HNPA 411/555-1212 BOC + *FNPA NPA+555-1212 BOC + HNPA 10xxx+555-1212 intra-LATA carrier + *FNPA 10xxx+NPA+555-1212 intra-LATA carrier + +================================================================= +Inter-LATA: +================================================================= + HNPA (10xxx)+1+555-1212 IC + + Page 152 + + + + + The Official Phreaker's Manual + + FNPA (10xxx)+1+NPA+555-1212 IC +================================================================= +* When LATA boundaries cross NPA boundaries (rare). +FNPA = Foreign Numbering Plan Area (area code). +HNPA = Home Numbering Plan Area (area code). + + At first glance, the above table appears somewhat complex. But, if you +understand the concept of LATAs and carriers, it is easily understood. +Essentially, all local Bell Operating Companies will maintain their own +directory assistance services. When a customer dials 411 or 555-1212, he will +reach a BOC directory assistant. Additionally, each long distance carrier that +wishes to provide directory assistance to its customers will also have DA +facilities. And, when a customer dials a directory assistant (NPA+555-1212) on +a carrier, he will reach an operator of that particular long distance carrier. +The key here is LATAs. If a customer wants to find a number that is within his +LATA, no long distance carrier is involved. It is handled strictly by the +Local Bell Operating Company. If a customer is seeking a number that is not +within his LATA, he must use the services of an inter-LATA (long-distance) +carrier. + + ====================== + TSPS Operator Services + ====================== + + Traffic Service Position System (TSPS) operator services will be handled much +in the same fashion as directory assistance services, with a few differences. +As with DAs, each Bell Operating Company and each inter-LATA carrier will +maintain its own TSPS operator facilities (or cordboard I suppose, if they +cannot afford TSPS). When a customer dials simply 0 (operator), he will reach +a BOC TSPS operator. The BOC TSPS will be able to handle all types of +intra-LATA operator-assisted traffic including (but not limited to): collect, +third party billing, Bell credit card, coin, verification and emergency +interrupt, and requests for emergency aid. BOC TSPS will be unable to complete +calls for customers outside of the customer's LATA. Thus, inter-LATA operator +assistance will be handled by an inter-LATA carrier TSPS (IC TSPS). An IC TSPS +will handle all previously mentioned types of calls that require inter-LATA +transport (i.e., the call originates and terminates in different LATAs). When +a customer dials 0+NXX-XXXXX or 0+NPA+NXX-XXXX, the central office will +determine if the call is destined for another LATA. If it is not, the call +will be sent to the Bell TSPS for appropriate handling. If the call is bound +for another LATA (and his determination is made based on the NXX or NPA+NXX), +then the call will be sent off to the customer's primary long-distance carrier +(since only 0+ was dialed). If the customer wishes to use a different +carrier's operator services, he would dial 10xxx+0+number, and the carrier +specified by the 10xxx carrier access code would receive the call. Note: if a +customer dials 10xxx+0+number, and the call is an intra-LATA call, he will get +a recording, "We're sorry, the number you dialed cannot be reached with the +carrier access code you dialed. Please check the code and try again or call +your carrier for assistance." (Western Electric KS-22550 central office tape +list no. 46.) Until the Bell Operating Companies can install their own TSPS +facilities and networks, they will (continue to) lease capacity from AT&T TSPS. +That is, AT&T will handle the intra-LATA traffic for the BOCs on a contract +basis. In the meantime, AT&T will continue to handle its own long-distance +operator services while the other inter-LATA carriers will have to implement +their own operator networks from scratch. My estimation is that you won't be +able to dial 10222+0 for an MCI TSPS operator until sometime around the year +2590. And even then they will probably be cordboard. + In addition to the changes in TSPS described above, there will be certain + + Page 153 + + + + + The Official Phreaker's Manual + +modifications to the software and hardware involved in the TSPS operator +system. Most critical, and of paramount importance to the telecommunications +enthusiast is changes in circuit associated signalling (CAS). This is +signalling to and from the TSPS facility. When a customer dials 0 (operator) or +10xxx+0 (IC operator), a succession of events occurs. First, the end office +seizes a trunk to the appropriate operator facility (this assumes that no +access tandem is involved). The operator service facility responds with a wink +(proceed signal) and the end office outpulses the CALLED number (or KP+ST if 0 +only dialed). The operator service (OS) facility will then come off-hook to +signal that it is ready to receive ANI information. The end office outpulses +the ANI information in the format of KP+II+7 digits+ST (or ST'). If there is +ANI failure, a KP+02+ST (or ST') will be sent. "ST'" stands for STart "prime", +and is indicative of a coin call (i.e., dial 0 from a coin station). A normal +ST terminating the ANI sequence means that the call is originating from a +noncoin station. See table for ultimate description. + +Inter-LATA calls MF-pulsed + +type of call customer dials cld num ANI +============================================================ +noncoin: +============================================================ + direct dialed 10xxx+1+7/10d KP+7/10d+ST'' KP+II+7d+ST + operator assist 10xxx+0 KP+ST''' KP+II+7d+ST + special toll 10xxx+0+7/10d KP+7/10d+ST''' KP+II+7d+ST + +============================================================ +coin: +============================================================ + direct dialed 10xxx+1+7/10d KP+7/10d+ST KP+II+7d+ST + operator assist 10xxx+0 KP+ST' KP+II+7d+ST + special toll 10xxx+0+7/10d KP+7/10d+ST' KP+II+7d+ST + +============================================================================= +Intra-LATA calls +============================================================================= +noncoin: +============================================================================= + direct dialed 10xxx+1+7/10d KP+7/10d+ST'' KP+II+7d+ST' + operator assist 10xxx+0 KP+ST''' KP+II+7d+ST' + special toll 10xxx+0+7/10d KP+7/10d+ST''' KP+II+7d+ST' + +============================================================================= +coin: +============================================================================= + direct dialed 10xxx+1+7/10d KP+7/10d+ST KP+II+7d+ST' + operator assist 10xxx+0 KP+ST' KP+II+7d+ST' + special toll 10xxx+0+7/10d KP+7/10d+ST' KP+II+7d+ST' +============================================================================= +Note: ST=Start, ST'=STart prime, ST''=Start double prime, ST'''=STart triple +prime. + + Once again, the above table appears somewhat intimidating in its complexity. +All these STs, ST primes, etc. Actually, the only purpose of the starts is to +distinguish to the TSPS machine exactly what type of call the customer is +placing and from what type of telefone he is calling. "Special toll" calls are +collect, credit card, and third-party billing type calls. Here is an example +of a complete dialing and outpulsing sequence for an operator service call: + + Page 154 + + + + + The Official Phreaker's Manual + +from a coin fone, a customer dials 0+ (or 10xxx+) 303+979-9997. The central +office would seize a trunk to the operator service facility and outpulse: +KP+303+979-9997+ST'. This indicates to the operator service facility that the +call is a special toll call originating from a coin telephone. The OS facility +comes off-hook and the central office would then outpulse KP+00+232+9969+ST. +This is he ANI information, and the ST indicates that the call is inter-LATA +(if it were intra-LATA, the sequence would be terminated with ST' instead). + Perhaps now I should explain screening. Certain telefones are "screened" +against placing certain types of calls. A screening code is a two digit +information carrier. For instance, 00 is "identified line" (no special +treatment), 01 is multiparty ONI (operator number identification), 02 is ANI +failure, 06 is hotel/motel, 07 is coinless (hospital/inmate fone), 08 is +inter-LATA restricted, 68 is hotel inter-LATA restricted, 78 is coinless +(hospital inmate) inter-LATA restricted, etc. A 98 is an AT&T Charge-A-Call +fone (those blue fuckers). More screening codes are allocated as they are +needed. Note that the original TSPS screening design only allowed for single +digit information digits. They were later found to be insufficient. + I believe that the operator services have been adequately covered, so I will +now move on to other aspects of Equal Access. + + ============= + Routing Codes + ============= + + The TTC (terminating toll centre) and special routing codes will continue to +be used in inter-LATA networks. These 0xx and 1xx type codes, which sometimes +precede operator routing codes, will be assigned to various ICs on an +individual basis. When 0xx and 1xx codes serve as pseudo-central office code, +they will be coordinated such that it will avoid IC conflicts. The +Numbering/Dialing Planning Group of the Central Services Organization (sounds +like some sort of Communist governing body) will provide assistance where the +assignment of coordinated codes is necessary. + + ================== + Special Area Codes + ================== + + Special area codes, also called Service Area Codes (SACs) presented the +designers of Equal Access with an interesting problem. SACs are N00 type area +codes, such as 700, 800, and 900. They are used for special services and +unlike normal area codes, are not associated with a particular state or region. +Each long distance carrier will be allocated its own exchanges in each service +area code. Thus, when a customer places a call to a number in a service area +code, the central office will examine the exchange of the telefone number and +route the call over the proper carrier's facilities. The customer will be +totally oblivious to this process. Current SACs include 700 (teleconferencing), +800 (toll free services), and 900 (dial-it services). There are currently +plans under way to implement the 600 area code, although its exact uses are not +yet clear. + + ================ + Signalling to IC + ================ + + Each long distance carrier that wishes to serve a particular LATA must +establish a point of presence (POP) in that LATA. A carrier's POP is a toll +office that receives toll traffic destined for another LATA. A POP is a centre +for inter-LATA transport of toll traffic. This traffic will be directed to it + + Page 155 + + + + + The Official Phreaker's Manual + +from a Bell central office, either an end office or an access tandem (AT). An +access tandem is simply a Bell office which directs long distance traffic from +a number of local end offices to a number of different inter-LATA carriers. To +pass call details (such as called and calling numbers) from the Bell local +office to the inter-LATA carrier, a signalling system was designed that employs +current multifrequency (MF) signalling protocol. When a customer dials +10xxx+(1/0)+(NPA)+NXX+, the end office will seize a trunk to the appropriate IC +as determined by the 10xxx CAC (or primary carrier if no CAC is dialed). Note: +this happens as soon as the customer finishes dialing the exchange, even though +he may still be dialing the last four digits of he telefone number. After the +end office has seized a trunk to the IC, the IC will return a wink, which is +the signal to proceed. Then, the end office will send ANI information, in the +format of: KP+II+10 digit ANI+ST. If the carrier is not to receive ANI +information from the Bell Operating Company (i.e., they are not paying for it), +then only KP+ST is sent. Presumably, by now the customer has completed dialing +the last four digits of the destination telefone number, so the end office will +send: KP+7 or 10 digit CALLED number+ST. Note several things here: 1) The IC +does not send a wink when it is ready to receive CALLED number information. 2) +ANI information is ten digits, plus a two-digit screening code, and 3) The +central office's outpulsing to the IC overlaps the customer's dialing. + Some ANI screening codes include: 00 (identified POTS), 01 (ONI multiparty), +02 (ANI failure), 06 (hotel without room identification), 07 (coinless, +hospital, inmate, etc.), 08 (inter-LATA restriction), 10 (test call), 20 (AIOD +calls, listed DN sent), 27 (coin call), and 95 (test call). These are the same +or similar as the screening codes used in operator service signalling. + In addition to the domestic signalling design outlined above, a new +international signalling system has been designed for use with Equal Access. +It also uses two-stage, overlapping outpulsing. After a customer has completed +dialing (10xxx)+011+CC (CC is country code), the Bell end office will seize a +trunk to he appropriate IC (or international carrier, if direct routing is +available). The IC/INC will respond with a wink, and the end office will +outpulse: KP+1NX+YXX+CCC+ST. Each of these three groups of routing information +indicate something different abut the international call being placed. The 1NX +is the "international system routing code, one for each type of call routing." +I have absolutely no idea what that means, and no one I have talked to at Bell, +AT&T, MCI, CCITT, ITT, the CSO and FCC have any idea either. Next, the YXX is +the carrier routing code. It is actually XXX, Which is the three digits of the +10xxx CAC for the particular carrier being accessed. Finally, CCC is the +country code, padded with a zero if necessary. + One may wonder why the CAC is signalled forward when a trunk is seized +directly to the carrier itself. The reason for this is that in some cases a +direct trunk to the carrier is not available and the call must be routed +through an access tandem, which is responsible for routing calls to a variety +of different long distance carriers. + + ==================== + Switch Compatibility + ==================== + + Full-feature Equal Access will become available first for Western Electric +#1ESS switching systems. It will be available first in generic 1E8 (1AE8 for +#1A ESS). Later, generic 5E2 for #5ESS, generic 2B4 for #2B ESS, generic +BCS-16 for Northern Telecom DMS-100, and generics 209 and 302 for DMS-10 will +provide full-feature Equal Access capabilities in those types of end office +switching equipment. The Western Electric #4ESS, #1 and 1A ESS, #5ESS, and the +Northern Telecom DMS-200 machines which serve as toll offices or access tandems +will be capable of receiving the new Equal Access signalling format, after +required generic development. Other switches (such as all crossbar offices) + + Page 156 + + + + + The Official Phreaker's Manual + +will not be able to handle the new signalling format. + + ===== + LATAs + ===== + + LATAs, Local Access and Transport Areas, are the entire key to the +administration of Equal Access. They can be thought of as miniature area +codes. A telefone call can never cross a LATA boundary except on an inter-LATA +carrier. However, there are certain exceptions to this. For example, in the +state of Colorado, which consists of two LATAs, the local Bell Operating +Company (Mountain Bell), which serves as the intra-LATA (i.e., calls to/from +the same LATA) carrier, may also serve as inter-LATA (to/from different LATAs) +carrier within Colorado. + There are also exceptions in the corridor region of the New York/New +Jersey/Pennsylvania area. + The forty-eight continental United States consist of 161 LATAs. Some states, +such as Deleware, consist of only one LATA, while others, such as Illinois, can +have up to 14 or more. Each LATA is given a name. For instance, Pennsylvania +consists of six LATAs: Philadelphia, Capital, Northeast, Altoona, Pittsburgh, +and Erie (independent telco). + + ============== + A Few Thoughts + ============== + + In 1973, Chrysler, A&P, RCA, Phillips Petroleum, S.S. Kresge, Boeing +Aircraft, International Harvester, Woolworth's, Greyhound, Firestone, Litton, +and General Foods, among others, each reported annual profits of less than $150 +million. In that same year, the Telephone Company wrote off, as being +uncollectable, debts of $150 million. + In 1974, the Bell System had direct interests in at least 276 organizations, +many of them not related to the telefone industry. Bell also had interlocking +financial arrangements with such corporations as the Chase Manhattan Bank, IBM, +Prudential Insurance, Sears Roebuck, General Motors, U.S. Steel, and Lever +Brothers. Should the need have arisen, the Bell System in 1974 could have +exercised control of 400 billion dollars, fully one-third of that year's gross +national product. + +From: Hyde, J. Edward, The Phone Book. Henry Regnery Publishing Company, +Chicago Illinois, 1976. ISBN 0-8092-8008-6. + + There are many viewpoints as to the future course of the telefone industry. +The general consensus among most Telco employees is that the children of AT&T +(i.e., the seven regional holding companies into which the Bell System was +divided) will someday be reassembled into the original Bell System, and all +will be well and good in the world of telecommunications again. I tend to +disagree with this. I think that within three decades the entire telefone +industry will be consolidated and nationalized. It will be owned and operated +entirely by the United States Federal Government. This will accomplish several +goals of the government. First, the immense revenue from telefone services +will provide great financial resources for the federal government. Rates for +telefone services will skyrocket far out of the range of affordability, quality +of service will deteriorate to a point of unusability, and meanwhile +politicians will get rich. + Second, once the government controls the telefone system, monitoring the +general public will become infinitely easier. Big Brother will be able to keep +and eye, or rather, an ear on the general population, and giant step forward in + + Page 157 + + + + + The Official Phreaker's Manual + +ultimate government control of peoples' lives will be achieved. Most people +won't know anything about this, and even if they do, they won't give a shit +because by then the fucking government will have already invaded every +remaining private aspect of the individual's life. + To those who find it utterly unthinkable that the federal government would +ever assume control of the telefone industry, I would call attention to the +situation that existed between 1917 and 1919. During this time the government +controlled the phone system of the United States. J. Edward Hyde sums it up +beautifully: + + Between 1917 and 1919, the Federal Government did control the phone +industry. Since then, the most charitable historians have blamed the +subsequent mess on the First World War. Others blame it on the democrats. But +the fact is that it was a fiasco of the bureaucracy's own making, combined with +intracompany sabotage. + Today, in those countries where the phone service is nationally owned, the +service runs from poor to nonexistent. Would you want the government that gave +you the Russian wheat deals, Defense Department overruns, Amtrak, and the +Postal Service handling your phone problems? + +From: Hyde, J. Edward, The Phone Book. Henry Regnery Publishing Company, +Chicago, Illinois, 1976. ISBN 0-8092-8008-6, p. 170. + +Technical References: + +Notes on the BOC intra-LATA Networks. American Telephone & Telegraph Company, +1983. + +The Phone Book. J. Edward Hyde, 1976. + +Bell System Technical Journal. Volume 58, Number 5. + +Engineering and Operations in the Bell System. American Telephone & Telegraph +Company, 1983. + + +Acknowledgements: Karl Marx, Telenet Bob, and the scores of Telco employees +in Denver, White Plains, Omaha, and North Jersey who were very helpful in +patiently answering my many questions about Equal Access. + +Thanks to Mack the Knife for magnetic transfer of this illustrious file, a +tedious task for which I have no time. + +Thanks to the following printers for their cooperation and professional manner +in helping me with final production of this file: + +Kinko's Print Shop +7155 West Colfax +Lakewood, CO + +Office Products and Printing +5035 S. Kipling Suite B4 +Littleton, CO + +This has been a Mark Tabas Encounter Series production. Questions, comments, +and requests may be addressed to: + +Tabas + + Page 158 + + + + + The Official Phreaker's Manual + +P.O. Box 620401 +Littleton, CO 80162 + +Requests for copies of this or any other Encounter Series file are honored for +free, but please enclose a self-addressed medium sized first class mailing +envelope with 73 cents postage. + +Special thanks to Steve Reger, who was kind enough to shoot my neighbor's dog, +whose incessant barking constantly distracted me as I labored to complete this +file. + +(for Amy) cl/KIABB!/jd + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 159 + + + + + The Official Phreaker's Manual + + Equal Access and Modem Autodialers by Shadow 2600 + + Now that AT&T is being divested of its local telephone companies, phone +customers across the nation have to choose their long distance carrier as equal +access is phased in. Advertising campaigns emphasize such aspects as low rates +and operator assistance, but no one mentions a factor that will affect modem +users who use auto dialers for long distance calls. Not all of the alternate +long distance carriers provide called party answering supervision on all calls. +Called party answering supervision basically has the telephone company start +billing only when the called party answers the telephone. However, many of the +alternate long distance companies still operate with the "fixed timeout" basis +for charging. That is, if a call is held for a fixed length of time (usually +30 seconds) the charging starts, whether or not the call was answered. This +could cause modem owners large bills if they use autodialers to make long +distance calls. Modems are usually set up to wait up to one minute when +attempting to make a call, and thus have to timeout through busy signals, long +call setup sequences, extender waits, and similar problems. This could result +in many billed but never answered calls. + + Some of the other carriers provide it on calls to some cities, and others +not support it at all. Only AT&T Communications provides called party +answering supervision on all calls to all points at this time. It is almost +impossible to get information on how a long distance company charges its calls +as as they don't want to reveal how their billing is handled. The alternate +carriers get called party supervision when the destination location goes equal +access. However, there has been no quick action on the part of the alternate +long distance companies to make use of the supervision data as they would have +to get equipment for passing the information back to the billing computer at +the originating point. Thus called party answering supervision information +often ends up being ignored by these carriers even when available. Another +point to remember is that called party answering supervision's availability +depends on whether the destination has equal access, not the originating +location. The lower long distance rates of alternate long distance rates must +be weighed against the time out problem as it affects autodialing modems. One +way to circumvent this is merely to set your modem to a shorter +waiting-for-connect time, but this may not provide enough time for the call to +go through. [For more information on this and other telecommunications topics +call the Private Sector BBS at (201) 366- 4431] + + + + + + + + + + + + + + + + + + + + + + Page 160 + + + + + The Official Phreaker's Manual + +==Phrack Inc.== +Volume One, Issue Two, Phile #6 of 9 + + Toward Universal Information Services Via ISDN + ~~~~~~ ~~~~~~~~~ ~~~~~~~~~~~ ~~~~~~~~ ~~~ ~~~~ + by Taran King + + From PROTO newsletter of AT&T Bell Laboratories + ------------------------------------------------------------ +Phase one, the Present. +~~~~~ ~~~~ ~~~ ~~~~~~~~ + The local network of today, although still largely voice-oriented, is already +on the path to Universal Information Services. Lightguide fiber is +dramatically expanding the capacity of local networks, helping to lower the +costs and increase the demand for high-band width, Information Age services. +And public networks are increasingly digital and geared for data and special + services. For example: + +o The AT&T Network Systems 5ESS (TM ) switch, designed by Bell +Laboratories, can serve as the hub of a local deployment of remote modules at +locations up to 100 miles from a host central office. + +o The Integrated Special Services Network (ISSN) is a channel network that +provides special services, customer control options and digital private lines +rearrangeable under software control. The ISSN incorporates digital carrier +terminating equipment such as the D4 Channel Bank, D5 Digital Terminal System +and Digital Access and Cross-connect System (DACS). + +o The New Centrex is bringing greater levels of customer control, improved +services and a broad range of data capabilities to the business customer. + + Today's public networks consist of multiple or overlay networks. The public +switched network, or circuit network, mainly for voice, is the base network. +Two kinds of overlay networks provide special services. Channel networks carry +private lines leased by large customers and transmit much of today's data and +image traffic; they also handle traffic for network operations support. Packet +networks carry data communications, while packet switching is used internally +to public networks for common channel signaling to set up, route and take down +calls, or to give customers information. "Overlay networks help +telecommunications companies efficiently meet growing demand for digital +transmission and special services," says Stan Johnston, Market Planning +Manager, Network Systems Evolution, in AT&T Network Systems. "Their integration +into a single network, however, would be still more effective." + +Phase two, the Integrated Services Digital Network (ISDN). +~~~~~ ~~~~ ~~~ ~~~~~~~~~~ ~~~~~~~~ ~~~~~~~ ~~~~~~~ ~~~~~~~ + The ISDN is a concept to which AT&T is committed - and it's the foundation +for Universal Information Services. The central idea of ISDN, as AT&T Network +Systems sees it, is to provide an individual user a link to the local central +office of generous band-width - a digital subscriber line that can carry +144,000 bits per second (sure beats 2400 baud!). The band-width is subdivided +into two 64,000-bit channels, which may carry voice or data or both, and one +16,000-bit channel for packetized signaling information or data transport. +Such a link provides convenient "integrated" network access by accommodating +voice, data and signaling over a single line. + The ISDN will make it easier for a customer to get varied services from +public and private networks. More bandwidth for big customers will be +available through another ISDN access standard, the extended digital subscriber + + Page 161 + + + + + The Official Phreaker's Manual + +line, which provides 1.5 billion bits per second as 24 channels of 64,000 bits +each. + In 1986, new software from Bell Labs will enable the 5ESS switch to +accommodate ISDN-sized 144,000-bit channels that standardize and simplify +subscribers' use of local networks. AT&T is committed to future products that +will also be ISDN-compatible. Other vendors, too, some of whom already plan to +build premises, terminal, and other equipment to ISDN standards, will make ISDN +a cooperative effort. + By providing integrated digital access to networks, ISDN will make important +progress toward the goal of Universal Information Services. But overlay +networks will continue to divvy up the transport job. And messages needing +less than 144,000 bits per second will not fill their allotted bandwidth, +leaving capacity under utilized. + +Phase three, Universal Information Services. +~~~~~ ~~~~~~ ~~~~~~~~~ ~~~~~~~~~~~ ~~~~~~~~~ + Rooted in the fertile ground of 5ESS switches, ISDN equipment and +technologies such as wideband packet transport, Universal Information Services +will bear fruit during the 1990s. From a single kind of network will hang +services as different as apples, oranges and pears. Just as network access was +integrated in ISDN, transport functions will increasingly be integrated by +powerful new network equipment evolved from equipment developed for the ISDN. +Where customers once got standard-sized ISDN channels, they'll get big +bandwidth for large jobs, little bandwidth for small jobs. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 162 + + + + + The Official Phreaker's Manual + + TOWARD UNIVERSAL INFORMATION SERVICES VIA ISDN + +Phase one, the present. The local network of today, although still largely +voice oriented, is already on the path to Universal Information Services. +Lightguide fiber is dramatically expanding the capacity of local networks, +helping to lower the costs and increase the demand for high-bandwidth, +Information Age services. And public networks are increasingly digital and +geared for data and special services. For example: + + * The AT&T Network Systems 5ESS switch, designed by Bell Laboratories, can +serve as the hub of a local digital network through deployment of remote +modules at locations up to 100 miles from a host central office. + + * The Integrated Special Services Network (ISSN) is a channel networks that +provides special services, customer control options and digital private lines +rearrangeable under software control. The ISSN incorporates digital carrier +terminating equipment such as the D4 Channel Bank, D5 Digital Terminal System +and Digital Access and Cross-connect Systems (DACS). + + * The New Centrex is bringing greater levels of customer control, improved +services and a broad range of data capabilities to the business customer. + + Todays public networks consist of multiple or overlay networks. The public +switched network, or circuit network, is the base network. Two kinds of +overlay networks provide special services. Channel networks carry private +lines leased by large customers and transmit much of today's data and image +traffic; they also handle traffic for network operations support. Packet +networks carry data communications, while packet switching is used internal to +public networks for common channel signaling to set up, route and take down +calls, or to give customers information. + "Overlay networks help telecommunications companies efficiently meet growing +demand for digital transmission and special services," says Stan Johnston, +Market Planning Manager, Network Systems Evolution, in AT&T Network Systems. +"Their integration into a signal network, however, would be still +more effective." + Phase two, the Integrated Services Digital Network (ISDN). The ISDN is a +concept to which AT&T is commited--and it's the foundation for Universal +Information Services. The central idea of ISDN, as AT&T Network Systems sees +it, is to provide an individual user a link to the local central office of +generous bandwidth--a digital subscriber line that can carry 144,000 bits per +second. The bandwidth is subdivided into two 64,000-bit channels, which may +carry voice or data or both, and one 16,000-bit channel for packetized +signaling information or data transport. Such a link provides convenient +"integrated" network access by accommodating voice, data and signaling over a +single line. + The ISDN will make it easier for a customer to get varied services from +public and private networks. More bandwidth for big customers will be +available through another ISDN access standard, the extended digital subscriber +line, which provides 1.5 million bit per second as 24 channels of 64,000 bits +each. + In 1986, new software from Bell Labs will enable the 5ESS switch to +accommodate ISDN-sized 144,000-bit channels that standardize and simplify +subscribers' use of local networks. AT&T is committed to future products that +will also be ISDN-compatible. Other vendors, too, some of whom already plan to +build premises, terminal and other equipment to ISDN standards, will make ISDN +a cooperative effort. + By providing integrated digital access to networks, ISDN will make +important progress toward the goal of Universal Information Services. But + + Page 163 + + + + + The Official Phreaker's Manual + +overlay networks will continue to divvy up the transport job. And messages +needing less than 144,000 bits per second will not fill their allotted +bandwidth, leaving capacity underutilized. + Phase three, Universal Information Services. Rooted in the fertile ground +of 5ESS switches, ISDN equipment and technologies such as wideband packet +transport, Universal Information Services will bear fruit during the 1990s. +From a single kind of network will hang services as different as apples, +oranges and pears. Just as network access was integrated in ISDN, transport +functions will increasingly be integrated by powerful new equipment evolved +from equipment developed for the ISDN. Where customers once got standard- +sized ISDN channels, they'll get big bandwidth for large jobs, little bandwidth +for small jobs. + +*** retyped from PROTO, AT&T Bell Laboratories report to executives on new +technologies, without written permission from the editors. (heh, heh.) + +Subscriptions: $15.00 per year, published bi-monthly. Send check payable to +"Bell Laboratories PROTO," to PROTO Circulation Manager, Room 3E-230, 150 John +F. Kennedy Parkway, Short Hills, N.J. 07078. + +:LIQUID:CRYSTAL: +wisdom is safety + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 164 + + + + + The Official Phreaker's Manual + +==Phrack Inc.== +Volume One, Issue Two, Phile #7 of 9 + + @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ + @ @ + @ _ _ _______ @ + @ | \/ | / _____/ @ + @ |_||_|etal / /hop @ + @ __________/ / @ + @ /___________/ @ + @ Headquarters of Phrack Newsletter @ + @ (314) 432-0756 @ + @ Proudly Presents @ + @ MCI Overview @ + @ Written on 11/16/85 @ + @ by @ + @ @ + @ Knight Lightning & Taran King @ + @ @ + @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ + +MCI Communications Corporation, headquartered in Washington, D.C., provides a +full range of domestic and international telecommunications services, including +voice and data, telex and cable, paging and mobile telephone, and time +sensitive message delivery. + +Since its founding in 1968, MCI has grown to more than $1.6 billion in annual +sales and serves more than 1.9 million business, residential and government +customers through its four major business units: + +MCI Telecommunications + +MCI Airsignal + +MCI International + +MCI Digital Information Services + + +MCI TELECOMMUNICATIONS + + MCI Telecommunications provides domestic interstate long distance service +throughout all 50 states, plus Puerto Rico, the U.S. Virgin Islands, and major +calling areas of Canada. It is also authorized to provide varying degrees of +intrastate long distance service in some states. + +MCI also is the first long distance carrier other than AT&T to offer direct +dial service overseas. International telephone service is available to all +residential and commercial customers (with the exception of Private Line +customers). In October, 1984 the first international service agreements were +announced with the following countries: Argentina, Belgium, Brazil, East +Germany, Greece, United Arab Emirates, and the United Kingdom. + +Total capital investment in MCI's long distance network is approximately $2 +billion. MCI's network, the second largest in the U.S., employs microwave +optical fiber, satellite and various digital transmission technologies. + +Subscribers - Domestic Long Distance (as of 10/84) + + Page 165 + + + + + The Official Phreaker's Manual + +----------- ---------------------- +Residential 1.4 million +Commercial .3 million + Total 1.7 million + +Operations - (as of 10/84) +Network Miles...20,543 (microwave, optical fiber, satellite) +Circuits.......238,000 +Employees........9,500 (full-time, approx.) + +MCI AIRSIGNAL + +MCI Airsignal provides personal message delivery and car telephone services. +MCI Message Service is offered in more than 50 metropolitan areas. In 1984, +service will commence in New York City, Baltimore-Washington, Los Angeles, and +Chicago. MCI car telephone service is offered in 20 markets. + +Personal Message Delivery Service + +ALPHANUMERIC MESSAGE SERVICE + +Displays up to 40-character message using letters and/or numbers. Memory and +recall ability. Alerts subscriber with a silent visual alert or a soft tone. + +DISPLAY MESSAGE SERVICE + +Displays up to 24-digit message (e.g., phone number, stock quotes, sales +figures, coded messages). Memory and recall capability. Alerts customer to +message with a silent visual alert or a soft tone. + +TONE MESSAGE SERVICE + +Notifies customer of a message with a soft tone. + +VOICE MESSAGE SERVICE + +Receives message in actual voice of caller. + +EXPRESS MESSAGE SERVICE + +Receives and stores messages. Instantly alerts subscriber via pager when a +message is received. + +Car Telephone Service + +Enables customers to place calls to or receive calls from anywhere in the +world, 24 hours a day, as they travel in their cars. With the advent of new +cellular technology, both the quality and the accessibility of car telephone +service will vastly improve. + +MCI has thus far obtained franchises to operate a new kind of mobile phone +service, cellular telephone, in Minneapolis and Pittsburgh, and has received +favorable decisions from FCC administration law judges authorizing service in +Los Angeles, Denver-Boulder, and Kansas City. MCI has applied for licenses to +provide cellular service in 81 metropolitan areas. + +MCI Airsignal Branch Sales Offices + + + Page 166 + + + + + The Official Phreaker's Manual + +Personal Message Service/Conventional Mobile Phone Service + +Birmingham (205) 942-2924 +Sacramento (916) 444-2350 +Memphis (901) 682-9658 +Cleveland (216) 464-7311 +Dallas (214) 788-5111 +Fresno (209) 486-7410 +Las Vegas (702) 382-7461 +Denver (303) 778-7878 +Portland (503) 227-2556 +Philadelphia (215) 677-9845 +Atlanta (404) 252-2114 +West Florida (813) 875-3404 +Minneapolis (612) 544-8175 +Kansas City (913) 648-8090 +Miami (305) 491-0122 +Pittsburgh (412) 343-1611 +Houston (713) 464-2516 +Bakersfield (805) 832-2346 + +Cellular Telephone Offices + + Minneapolis-St. Paul (612) 544-3312 + Los Angeles (714) 527-0385 + Elsewhere in California (800) 344-3455 + Headquarters - Washington, D.C. (202) 429-9660 + + +MCI INTERNATIONAL + +MCI International provides private-line voice service to several overseas +countries, and data and message services, including telex, cablegram, leased +channel, and packet switching communications, to more than 200 overseas points. +MCI has moved into two new areas of service: International direct-dial +telephone service and international electronic mail and hard-copy delivery +services. + +International Record Services + +TELEX SERVICE (domestic and international) permits instantaneous, two-way, +written communications with other subscribers worldwide. Customers can send +messages at any time, even though the receiving terminal may be unattended. MCI +International offers access to its telex service from a variety of terminals +and networks; not only subscribers with telex terminals but also those with +communicating word processors, data terminals or computers that communicate +over telephone lines can take advantage of MCI International telex service. To +subscribers connected to its own telex network, MCI International offers World +Message Services--a package of communications offerings including telex, +cablegram and MCI Mail services. Various service enhancements are available to +save time, improve operating efficiency and simplify records keeping for telex +users. + +CABLEGRAM SERVICE, the traditional means of international written +communications, offers flexibility in delivery and economical rates for shorter +messages. Cablegrams can be delivered to virtually any overseas +point.Subscribers with telex terminals or various other types of equipment can +access and TELUS cablegram switch and take advantage of such service + + Page 167 + + + + + The Official Phreaker's Manual + +enhancements as abbreviated addressing and departmental billing. + +LEASED +CHANNEL SERVICE provides an exclusive line between a U.S. firm and it's +overseas office for private communications 24 hours a day. Each MCI +International leased channel is tailored to meet the needs of a specific +customer for teleprinter, facsimile, voice and/or data traffic. For subscribers +with several offices requiring private communications with each other, MCI +International offers a versatile message-switching service. Voice/data leases +can be configured to meet a whole array of communicating needs; for example, +one channel might carry data traffic from a computer at night, voice +communications during office hours, and simultaneous teleprinter messages at +any time. Data channels can handle requirements for traffic at any speed from +1200 bits per second to 1.544 megabits per second. + +IMPACS SERVICE uses packet-switching technology to provide international +communications service between data terminals and computers. Impacs offers +on-line, real-time connections and enables many types of incompatible systems +to communicate. Impacs service offers virtually error-free transmission +because of the error-detection and retransmission capability of the network. + +INSTALINK SERVICE allows businesses overseas to use regular telex equipment to +access remote computing systems and databases in the U.S. Subscribers can +retrieve data from a computer-based information service or use a computing +system connecting to a packet-switching network in the U.S. + +INTERNATIONAL +FACSIMILE SERVICE enables subscribers to send duplicates of original documents +overseas quickly and efficiently, even when neither the sender or the receiver +has facsimile transmission equipment, or when the sender and receiver have +incompatible equipment. + +DATEL SERVICE provides automatic or voice-coordinated data transmission at +speeds up to 2400 bits per second. Either digital or analog facsimile traffic +can be transmitted via Datel. Datel facilities are conditioned to ensure +high-quality transmission. The MCI International switching center allows +communications between incompatible terminals. + +MARITIME SERVICES provide instant, high--quality contact between ships at sea +or offshore rigs, and between these vessels and land-based subscribers +worldwide. + +International Voice Services + +PRIVATE +LINE SERVICE provides, fast, easy access to a single overseas location at an +economical monthly rate. This technically efficient system maximizes the use +of line capacity by recognizing idle time and assigning a speaker to a +transmission path only when the path is needed. Users can dial a four-digit +extension from a regular business phone to reach a key overseas location. + +International Mail Services + +WORLD +MESSAGE SERVICE subscribers can access the domestic electronic mail and +hard-copy delivery offerings of MCI Mail. In addition, MCI International is +developing fast, low-cost services that will deliver electronic messages and +high-quality printed documents worldwide. + + Page 168 + + + + + The Official Phreaker's Manual + + +Customer Service + +THE CUSTOMER TROUBLE REPORTING ASSISTANCE CENTER at MCI International addresses +customer concerns such as equipment maintenance and service performance +questions. Customer service specialists, on duty 24 hours a day on business +days, answer questions and electronically route service requests to technicians +nationwide. + +MCI DIGITAL INFORMATION SERVICES CORP. + +MCI Digital Information Services, MCI's newest unit, provides high-speed, +low-cost, time-sensitive message delivery (MCI Mail), either electronically or +via hard copy. + +MCI Mail provides time-sensitive document delivery to anyone, anywhere vial +MCI's long-distance telephone network. MCI Mail can reach a recipient +instantly, in four hours or less, or overnight by noon the next day. Prices +are as much as 90 percent lower than comparable time-sensitive mail delivery +services. MCI Mail can be delivered electronically, terminal to terminal, or +laser printed on letterhead stationery with the customer's signature. + +MCI Mail customers can even order gifts and services direct through MCI Mail, +ranging from software and paper for personal computers to investment advisory +services to travel specials. + +There are no sign-up, monthly service charges or "connect time" charges for MCI +Mail. MCI Mail can be used by virtually any personal computer, word processor, +electronic typewriter, data terminal, telex, or other digital communications +device. The service is accessed by a local telephone call or 800 number. + +MCI Mail + +INSTANT delivery to an "electronic" mailbox. + +FOUR-HOUR paper delivery by courier to 17 major metropolitan areas regardless +of point of origin. + +OVERNIGHT paper delivery by courier by noon the next day in 20,000 continental +U.S. cities. + +MCI LETTER transmitted electronically to the MCI digital postal center nearest +its destination, then delivered locally by the U.S. Postal Service. + +TELEX DISPATCH enables MCI Mail subscribers to transmit messages to the more +than 1.6 million telex subscribers worldwide. + +VOLUME MAIL enables customers to send large mailings in a variety of letter +formats, at substantial savings in delivery time and expense. + + ============================================================ + Look for more MCI Files coming to Metal Shop soon! + + This has been a Knight Lightning Presentation + ============================================================ + + + + + Page 169 + + + + + The Official Phreaker's Manual + + Reference Tables + + Just some notes that you will always try to find but can never! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 170 + + + + + The Official Phreaker's Manual + +==Phrack Inc.== +Volume One, Issue One, Phile #5 of 8 + + Using MCI Calling Cards + by + Knight Lightning + of the + 2600 Club! + +How to dial international calls on MCI: + + "Its easy to use MCI for international calling." + +1. Dial your MCI access number and authorization code (code = 14 digit number, +however the first 10 digits are the card holders NPA+PRE+SUFF). + +2. Dial 011 + +3. Dial the country code + +4. Dial the city code and the PRE+SUFF that you want. + +Countries served by MCI: + +Country code|Country code +-------------------------------------|-------------------------------- +Algeria..........................213 |New Zealand..................064 +Argentina........................054 |Northern Ireland.............044 +Australia........................061 |Oman.........................968 +Belgium..........................032 |Papua New Guinea.............675 +Brazil...........................055 |Qatar........................974 +Canada................Use Area Codes |Saudi Arabia.................966 +Cyprus...........................357 |Scotland.....................044 +Denmark..........................045 |Senegal......................221 +Egypt............................020 |South Africa.................027 +England..........................044 |Sri Lanka....................094 +German Democratic Republic |Sweden.......................046 +(East Germany)...................037 |Taiwan.......................886 +Greece...........................030 |Tanzania.....................255 +Jordan...........................962 |Tunisa.......................216 +Kenya............................254 |United Arab Emirates.........971 +Kuwait...........................965 |Wales........................044 +Malawi...........................265 | +====================================================================== + +Thats 33 countries in all. To get the extender for these calls dial 950-1022 or +1-800-624-1022. + +For local calling: + +1. Dial 950-10222 or 1-800-624-1022 + +2. Wait for tone + +3. Dial "0", the area code, the phone number, and the 14 digit authorization +code. You will hear 2 more tones that let you know you are connected. + + - Knight Lightning --> The 2600 Club! + + Page 171 + + + + + The Official Phreaker's Manual + +===================================================================== + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 172 + + + + + The Official Phreaker's Manual + + AT&T INTERNATIONAL DIALING COUNTRY CODES AS OF 2-17-85 + + FILE BY: Lock Lifter + +=========================+ + +*UNITED KINGDOM/IRELAND +------------------------------------ +IRELAND.........................353 +UNITED KINGDOM...................44 + +*EUROPE +------------------------------------ +ANDORRA..........................33 +AUSTRIA..........................43 +BELGIUM..........................32 +CYPRUS..........................357 +CZECHOLSLOVAKIA..................42 +DENMARK..........................45 +FINLAND.........................358 +FRANCE...........................33 +GERMAN DEMOCRATIC REPUBLIC.......37 +GERMANY, FEDERAL REPUBLIC OF.....49 +GIBRALTAR.......................350 +GREECE...........................30 +HUNGARY..........................36 +ICELAND.........................354 +ITALY............................39 +LIECHTENSTEIN....................41 +LUXEMBOURG......................352 +MONACO...........................33 +NETHERLANDS......................31 +NORWAY...........................47 +POLAND...........................48 +PORTUGAL........................351 +ROMANIA..........................40 +SAN MARINO.......................39 +SPAIN............................34 +SWEDEN...........................46 +SWITZERLAND......................41 +TURKEY...........................90 +VATICAN CITY.....................39 +YUGOSLAVIA.......................38 + +*CENTRAL AMERICA +------------------------------------ +BELIZE..........................501 +COSTA RICA......................506 +EL SALVADOR.....................503 +GUATEMALA.......................502 +HONDURAS........................504 +NICARAGUA.......................505 +PANAMA..........................507 + +*AFRICA +------------------------------------ +ALGERIA.........................213 +CAMEROON........................237 +EGYPT............................20 + + Page 173 + + + + + The Official Phreaker's Manual + +ETHIOPIA........................251 +GABON...........................241 +IVORY COAST.....................225 +KENYA...........................254 +LESOTHO.........................266 +LIBERIA.........................231 +LIBYA...........................218 +MALAWI..........................265 +MOROCCO.........................212 +NAMIBIA.........................264 +NIGERIA.........................234 +SENEGAL.........................221 +SOUTH AFRICA.....................27 +SWAZILAND.......................268 +TANZANIA........................255 +TUNISIA.........................216 +UGANDA..........................256 +ZAMBIA..........................260 +ZIMBABWE........................263 + +*PACIFIC +------------------------------------ +AMERICAN SAMOA..................684 +AUSTRAILIA.......................61 +BRUNEI..........................673 +FIJI............................679 +FRENCH POLYNESIA................689 +GUAM............................671 +HONG KONG.......................852 +INDONESIA........................62 +JAPAN............................81 +KOREA, REPUBLIC OF...............82 +MALAYSIA.........................60 +NEW CALEDONIA...................687 +NEW ZEALAND......................64 +PAPUA NEW GUINEA................675 +PHILIPPINES......................63 +SAIPAN..........................670 +SINGAPORE........................65 +TAIWAN..........................886 +THAILAND.........................66 + +*INDIAN OCEAN +------------------------------------ +PAKISTAN.........................92 +SRI LANKA........................94 + +*SOUTH AMERICA +------------------------------------ +ARGENTINA........................54 +BOLIVIA.........................591 +BRAZIL...........................55 +CHILE............................56 +COLOMBIA.........................57 +ECUADOR.........................593 +GUYANA..........................592 +PARAGUAY........................595 +PERU.............................51 + + Page 174 + + + + + The Official Phreaker's Manual + +SURINAME........................597 +URUGUAY.........................598 +VENEZUELA........................58 + +*NEAR EAST +------------------------------------ +BAHRAIN.........................973 +IRAN.............................98 +IRAQ............................964 +ISRAEL..........................972 +JORDAN..........................962 +KUWAIT..........................965 +OMAN............................968 +QATAR...........................974 +SAUDI ARABIA....................966 +UNITED ARAB EMIRATES............971 +YEMEN ARAB REPUBLIC.............967 + +*CARIBBEAN/ATLANTIC +------------------------------------ +FRENCH ANTILLES.................596 +GUANTANAMO BAY (US NAVY BASE)....53 +HAITI...........................509 +NETHERLANDS ANTILLES............599 +ST. PIERRE AND MIQUELON.........508 + +*INDIA +------------------------------------ +INDIA............................91 + +*CANADA +------------------------------------ +TO CALL CANADA, DIAL 1 + AREA CODE + +LOCAL NUMBER. + +*MEXICO +------------------------------------ +TO CALL MEXICO, DIAL 011 + 52 + CITY CODE+ LOCAL NUMBER. + +***NOTES :DO NOT FORGET ABOUT THE TIME DIFFERENCE WHEN CALLING OUTSIDE OF YOUR +TIME ZONE. CALLING CARDS CAN BE USED OVER SEAS TO CALL BACK INTO THE U.S. FOR +FURTHER INFORMATION CALL TOLL-FREE 1-800-874-0000. DIAL '#' AFTER THE COMPLETE +NUMBER TO MAKE THE CALL GO THROUGH FASTER. + + + + + + + + + + + + + + + + + Page 175 + + + + + The Official Phreaker's Manual + + ************************************** + * * + * International Dialing Codes * + * Country + Routing * + * * + * (Typed by The Dagda Mor) * + * (Edited by The Jammer) * + * * + ************************************** + +To dial international calls: + +International Access Code + Country code + Routing code + +Example : + +To call Frankfurt, Germany, you would do the following: + +011 + 49 + 611 + (# wanted) + # sign(octothrope) + +The # sign at the end is to tell Bell that you are done entering in all the +needed info. + +Here is the list of Country Codes, listed next to the country, and the routing +codes listed next to the city. + +Andorra- 33 Argentina- 54 +------- --------- +all points- 078 Buenos Aires- 1 + + +Australia- 61 Austria- 43 +--------- ------- +Melbourne- 3 Innsbruck- 5222 +Sydney- 2 Vienna- 222 + + +Bahrain- 973 Belgium- 32 +------- ------- +no routing needed Antwerp- 31 + Brussels- 2 + + +Belize- 501 Bolivia- 591 +------ ------- +no routing needed La Paz- 2 + + +Brazil- 591 Chile- 56 +------ ----- +Brasilia-61 Santiago- 2 +Rio de Janeiro- 21 Valparaiso- 31 +Sao Paulo- 11 + + +China- 86 Colombia- 56 +----- -------- +Tainan- 62 none needed + + Page 176 + + + + + The Official Phreaker's Manual + +Taipei- 2 + + +Costa Rica- 506 Cyprus- 357 +----- ---- ------ +no routing needed Nicosia- 21 + + +Denmark- 45 Ecuador- 593 +------- ------- +Aalborg- 8 Cuenca- 4 +Copenhagen 1 or 2 Quito- 2 + + +El Salvador- 503 Fiji- 679 +---------- ---- +no routing needed none needed + + +France- 33 Germany- 49 +------ ------- +Bordeaux- 56 Berlin- 30 +Marseille- 91 Bonn- 228 +Nice- 93 Frankfurt- 661 +Paris- 1 Munich- 89 + + +German. Rep- 37 Greece- 30 +------- --- ------ +Berlin- 2 Athens- 1 + Rhodes- 241 + + +Guam- 671 Guatamala- 502 +---- --------- +no routing needed Guatemala City- 2 + + +Guyana- 592 Haiti- 509 +------ ----- +Georgetown- 02 Port Au Prince- 1 + + +Hoduras- 504 Hong Kong- 852 +------- ---- ---- +no routing needed Hong Kong- 5 + Kowloon- 3 + + +Indonesia- 62 Iran- 98 +--------- ---- +Jakarta- 21 Teheran- 21 + + +Iraq- 964 Ireland- 353 +---- ------- +Baghdad- 1 Dublin- 1 + Galway- 91 + + Page 177 + + + + + The Official Phreaker's Manual + + + +Israel- 978 Italy- 39 +------ ----- +Haifa- 4 Florence- 55 +Jerusalem- 2 Naples- 81 +Tel Aviv- 3 Rome- 6 + Venice- 41 + + +Ivory Coast- 225 Japan- 81 +----- ----- ----- +no routing needed Hiroshima- 822 + Tokyo- 3 + Yokohama- 45 + + +Kenya- 254 Korea- 82 +----- ----- +Nairobi- 2 Pusan- 51 + Seoul- 2 + + +Kuwait- 965 Liberia- 231 +------ ------- +no routing needed none needed + + +Libya- 218 Lechtenstein- 4 +----- ------------ +Tripoli- 21 All points- 75 + + +Luxembourg- 352 Malaysia- 60 +---------- -------- +no routing needed Kuala Lumpur- 3 + + +Monaco- 33 Netherlands- 31 +------ ----------- +All points- 93 Amsterdam- 20 + Rotterdam- 10 + The Hague- 70 + + +New Caledonia- 687 New Zealand- 64 +--- --------- --- ------- +no routing needed Auckland- 9 + Wellinton- 4 + + +Nicaragua- 505 Nigeria- 234 +--------- ------- +Managua- 2 Lagos- 1 + + +Norway- 47 Panama- 507 +------ ------ + + Page 178 + + + + + The Official Phreaker's Manual + +Bergen- 5 none needed +Oslo- 2 + + +Papua New Guinea-675 Paraguay- 595 +----- --- ------ -------- +no routing needed Asuncion- 21 + + +Peru- 51 Phillippines- 63 +---- ------------ +Arequipa- 542 Manila- 2 +Lima- 14 + +Portugal- 351 Romania- 40 +-------- ------- +Lisbon- 19 Bucuresti- 0 + + +San Marino- 39 Saudi Arabia- 966 +--- ------ ----- ------ +All points- 541 Riyadh- 1 + + +Senegal- 221 South Africa- 27 +------- ----- ------ +no routing needed Cape Town- 21 + Pretoria- 12 + + +Spain- 34 Sri Lanka- 94 +----- --- ----- +Barcelona- 3 Colombo- 1 +Canary Is.- 28 +Madrid- 1 +Seville- 54 + + +Suriname- 597 Sweden- 46 +-------- ------ +no routing needed Goteborg- 31 + Stockholm- 8 + + +Switzerland- 41 Tahiti- 689 +----------- ------ +Berne- 31 none needed +Geneva- 22 +Lucerne- 41 +Zurich- 1 + + +Thailand- 66 Tunisia- 216 +-------- ------- +Bangkok- 2 Tunis- 1 + + +Turkey- 90 United Arab + + Page 179 + + + + + The Official Phreaker's Manual + +------ Emirates- 971 +Istanbul- 11 -------- + Abu Dhabi- 2 + Ajman- 6 + Al Ain- 3 + Aweir- 49 + Dubai- 4 + Fujairah- 91 + Jebel Dhana- 5 + Sharjah- 6 + Umm-Al-Quwain- 6 + + +United Kingdom- 44 USSR- 7 +------ ------- ---- +Belfast- 232 Kiev- 044 +Cardiff- 222 Leningrad- 812 +Edinburgh- 31 Minsk- 017 +Glasgow- 41 Moscow- 095 +Liverpool- 51 Tallinn- 0142 +London- 1 + +Vatican City- 39 Venezuela- 58 +------- ---- --------- +All points- 6 Caracas- 2 + Maracaibo- 61 + +Yugoslavia- 38 +---------- +Belgrade- 11 +Zagreb- 41 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 180 + + + + + The Official Phreaker's Manual + + ************************************** + * * + * MAX ACCESS PORTS * + * * + * (LEXITEL CORPORATION) * + * * + * WORD PROCESSED BY THE DAGDA MOR * + * * + ************************************** + +ADRIAN,MI............313-263-0191 LIVONIA, MI..........313-261-6970 +AKRON,OH.............216-275-9814 LOS ANGELES, CA......213-624-9041 +ANN ARBOR, MI........313-451-2121 LOUISVILLE, KY.......502-568-6204 +ATLANTA, GA..........404-525-1769 MARION, OH...........614-387-1011 +AVON LAKE, OH........216-933-2823 MCKEESPORT, PA.......412-664-4870 +BADEN, PA............412-869-1360 MENTOR, OH...........216-255-1645 +BALTIMORE, MD........301-444-7280 MIDDLETOWN, OH.......513-423-1066 +BEAVER FALLS, PA.....412-847-3640 MILWAUKEE, WI........414-933-1880 +BIRMINGHAM, MI.......313-649-0730 MINNEAPOLIS, MN......612-375-0280 +BOSTON, MA...........617-267-9134 MONESSEN, PA.........412-684-8710 +BUFFALO, NY..........716-854-0802 MORTON GROVE,IL......312-950-1066 +BUTLER, PA...........412-285-9081 NEWARK, NJ...........201-624-5040 +CANTON, OH...........216-455-1425 NEWARK, OH...........614-349-8754 +CHICAGO, IL..........312-950-1066 NEW CASTLE, PA.......412-656-9420 +CHILLICOTHE, OH......614-772-1066 NEW YORK, NY.........212-950-1066 +CINCINNATI, OH.......513-421-1880 OAK LAWN, IL.........312-950-1066 +CLEVELAND, OH........216-771-6614 PHILADELPHIA, PA.....215-751-9711 +COLUMBUS, OH.........614-950-1066 PITTSBURG, PA........412-391-9532 +DALLAS, TX...........214-653-1047 PLYMOUTH, MI.........313-451-2121 +DAYTON, OH...........513-223-0366 PONTIAC, MI..........313-332-0500 +DETROIT, MI..........313-950-1066 PORT HURON, MI.......313-982-7115 +ELK GROVE, IL........312-950-1066 PHOENIX, AZ..........602-242-0252 +ELYRIA, OH...........419-323-4431 QUEENS, NY...........718-204-7330 +FINDLAY, OH..........419-424-5934 SANDUSKY, OH.........419-625-1289 +GLEENSHAW, PA........412-486-7394 SHARON, PA...........412-983-0100 +GRAND RAPIDS, MI.....616-456-7925 SPRINGFIELD, OH......513-950-1066 +GREENSBURG, PA.......412-836-8110 STEUBENVILLE, OH.....614-283-1756 +HACKENSACK, NJ.......201-342-2815 ST. LOUIS, MO........314-289-9100 +HOUSTON, TX..........713-224-0982 ST. PAUL, WI.........612-375-0280 +INDIANA, PA..........412-349-8760 TOLEDO, OH...........419-255-1316 +INDIANAPOLIS, IN.....317-638-4442 TROY, OH.............513-335-2303 +KALAMAZOO, MI........616-342-0266 TURTLE CREEK, PA.....412-823-1500 +KANSAS CITY, MO......816-474-6193 WASHINGTON, DC.......202-479-4411 +KOKOMO, IN...........317-453-9932 WASHINGTON, PA.......412-225-1800 +LA GRANGE, IL........312-950-1066 WARREN, MI...........313-268-9120 +LANCASTER, OH........614-687-0159 XENIA, OH............513-376-2991 +LANSING, MI..........517-950-1066 YOUNGSTOWN, OH.......216-746-2021 +LAFAYETTE, IN........317-423-5492 ZANESVILLE, OH.......614-454-6815 + + + + + + + + + + + + Page 181 + + + + + The Official Phreaker's Manual + + ******************** METROFONE ACCESS NUMBERS ******************** + +ANAHEIM, CA (714)527-7055 LOS ANGELES, CA (213)992-8282 +ATLANTA, GA (404)223-1000 LOS ANGELES, CA (213)202-6117 +AUSTIN, TX (512)474-6057 MIAMI, FL (305)326-3300 +BALTIMORE, MD (301)659-7700 MILWAUKEE, WI (414)277-1805 +BEAUMONT, TX (713)833-9331 MINNEAPOLIS, MN (612)370-9000 +BOSTON, MA (617)482-3222 NEW ORLEANS, LA (504)566-8500 +BUFFALO, NY (716)852-9200 NEW YORK, NY (212)732-7430 +CHICAGO, IL (312)853-4700 NEWARK, NJ (201)645-9220 +CINCINNATI, OH (513)241-1747 OAKLAND, CA (415)836-6900 +CLEVELAND, OH (216)861-5163 OKLAHOMA CITY, OK (405)232-9011 +COLUMBUS, OH (614)224-0577 OMAHA, NE (402)422-1120 +CULVER CITY, CA (213)410-0078 PHILADELPHIA, PA (215)351-0100 +DALLAS, TX (214)742-4500 PITTSBURGH, PA (412)261-5720 +DAYTON, OH (513)228-1576 RENO, NV (702)329-1025 +DENVER, CO (303)623-5326 RICHMOND, VA (804)225-1920 +DETROIT, MI (313)963-4847 ST. LOUIS, MO (314)342-1130 +EL MONTE, CA (213)350-1028 SACRAMENTO, CA (916)443-6921 +ELK GROVE, IL (312)981-8870 SAN ANTONIO, TX (512)224-9600 +FT. LAUDERDALE, FL (305)462-3530 SAN DIEGO, CA (714)233-0327 +FT. WORTH, TX (817)338-1639 SAN FRANCISCO, CA (415)956-0162 +HACKENSACK, NJ (201)487-3155 SAN JOSE, CA (408)947-7606 +HARTFORD, CT (203)522-0003 SAN MATEO, CA (415)579-6001 +HAWTHORNE, NJ (201)427-1100 SANTA ANA, CA (714)972-9515 +HINSDALE, IL (312)986-0566 SEATTLE, WA (206)382-0910 +HOUSTON, TX (713)224-9417 SKOKIE, IL (312)679-8120 +HUNTINGTON BEACH, CA (714)972-8515 SYRACUSE, NY (315)474-3911 +INDIANAPOLIS, IN (317)635-6284 TOLEDO, OH (419)243-1046 +KANSAS CITY, KS (913)621-3186 WASHINGTON, DC (202)737-2051 +LONG ISLAND, NY (516)443-5402 +LOS ANGELES, CA (213)629-1026 + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 182 + + + + + The Official Phreaker's Manual + + Area Codes In Numerical Order, by The Jammer +______________________________________________________________________ + +201 Newark New Jersey 519 London Ontario +202 Washington D.C (all) 601 Mississippi (all) +203 Connecticut (all) 602 Arizona (all) +205 Alabama (all) 603 New Hampshire (all) +206 Seattle Washington 605 South Dakota (all) +207 Maine (all) 606 Winchester Kentucky +208 Idaho (all) 607 Binghamton New York +212 Bronx Nyc, New York 608 Madison Wisconsin +212 Manhattan Nyc, New York 609 Trenton New Jersey +213 Los Angeles California 612 St. Paul Minnesota +214 Dallas Texas 613 Ottawa Ontario +215 Philadelphia Pennsylvania 614 Columbus Ohio +216 Cleveland Ohio 615 Nashville Tennessee +217 Springfield Illinois 616 Grand Rapids Michigan +218 Duluth Minnesota 617 Boston Massachusetts +219 Gary Indiana 618 Alton Illinois +301 Maryland (all) 619 San Diego California +303 Colorado (all) 700 Teleconference (all) +304 West Virginia (all) 701 North Dakota (all) +305 Miami Florida 702 Nevada (all) +305 Orlando Florida 703 Alexandria Virginia +307 Wyoming (all) 704 Charlotte North Carolina +308 Abott Nebraska 705 North Bay Ontario +309 Peoria Illinois 712 Councilbluffs Iowa +312 Chicago Illinois 713 Houston Texas +313 Detroit Michigan 714 Anaheim California +314 St. Louis Missouri 715 Bay City Wisconsin +315 Syracuse New York 716 Buffalo New York +316 Wichita Kansas 716 Rochester New York +317 Indinapolis Illinois 717 Harrisburg Pennsylvania +318 Lake charles Lousiana 800 Toll Free (all) +319 Davenport Iowa 801 Utah (all) +401 Rhode Island (all) 802 Vermont (all) +402 Omaha Nebraska 803 South Carolina (all) +404 Atlanta Georgia 804 Richmond Virgina +405 Oklahoma City Oklahoma 805 Bakersfield California +406 Montana (all) 806 Amarillo Texas +408 San Jose California 807 Thunder Bay Ontario +412 Pittsburg Pennsylvania 808 Hawaii (all) +413 Springfield Massachusetts 809 Bermuda (all) +414 Milwaukee Wisconsin 809 Bahamas (all) +415 San Francisco California 809 Puerto Rico (all) +416 Toronto Onterio 809 Virgin Islands (all) +417 Joplin Missouri 812 Evansville Indiana +418 Quebec Quebec 812 Dade park Kentucky +419 Toledo Ohio 814 Johnston Pennsylvania +501 Arkansas (all) 815 Rockford Illinois +502 Frankfort Kentucky 816 Independence Missouri +503 Oregon (all) 817 Fort Worth Texas +504 New Orleans Louisiana 818 Burbank California +504 Baton Rouge Louisiana 819 Trois Riv. Quebec +505 New Mexico (all) 900 Dial-it (all) +507 Rochester Minnesota 901 Memphis Tennessee +509 Pullman Washington 904 Talahassee Florida +512 Austin Texas 906 Escanaba Michigan + + Page 183 + + + + + The Official Phreaker's Manual + +513 Cincinnati Ohio 907 Alaska (all) +514 Montreal Quebec 912 Savannah Georgia +515 Des Moines Iowa 913 Kansas City Kansas +516 Hempstead New York 915 El Paso Texas +517 Lansing Michigan 916 Sacramento California +518 Albany New York 918 Tulsa Oklahoma + 919 Raleigh North Carolina + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 184 + + + + + The Official Phreaker's Manual + +==Phrack Inc.== +Volume One, Issue Two, Phile #5 of 9 + +Updated from November 26, 1985 +Tac Dialups taken from Arpanet +by Phantom Phreaker + + TAC DIALUPS SORTED BY LOCATION 26-NOV-85 + +State/Country 300 Baud 1200 Baud 1200 Type +------------- --------------- ----------------- --------- + + ALABAMA + Anniston Army Depot [M] + (ANNIS-MIL-TAC) (205) 235-6285 (R4) (205) 235-7650 B/V + (205) 237-5731 (R8) (205) 237-5731 (R8) B/V + (205) 237-5770 (R8) (205) 237-5779 (R8) B/V + (205) 237-5805 (R8) (205) 237-5805 (R8) B/V + + *Please note: When accessing the Anniston TAC you must first enter a + , then enter DDN . After you receive CLASS DDN START, + proceed as normal. + + Gunter AFS [M] + + (GUNTER-TAC) (205) 279-3576 + (205) 279-4682 + + Redstone Arsenal [M] + (MICOM-TAC) [none known] + + ARIZONA + Ft. Huachuca [M] + (HUAC-MIL-TAC) [none known] + + Yuma [M] + (YUMA-TAC) (602) 328-2186 (602) 328-2186 B/V + (602) 328-2187 (602) 328-2187 B/V + (602) 328-2188 (602) 328-2188 B/V + + CALIFORNIA (NORTHERN) + Alameda [M] + (ALAMEDA-MIL-TAC) [none known] + + Menlo Park [M] + (SRI-MIL-TAC) (415) 327-5440 (R3) (415) 327-5440 (R3) B + + (USGS3-TAC) [M] [no dialups] + + Moffett Field [M] + (AMES-TAC) [no dialups; contact NSC for access] + William Jones - (415) 694-6482 + (FTS) 494-6482 + (AV) 359-6482 + + Monterey [M] + (NPS-TAC) [none known] + + + Page 185 + + + + + The Official Phreaker's Manual + + Sacsamento [M] + (MCCLELLAN1-MIL-TAC) [none known] + (MCCLELLAN2-MIL-TAC) [none known] + + Stanford [A] + (SU-TAC) (415) 327-5220 + + CALIFORNIA (SOUTHERN) + China Lake [M] + (NWC-TAC) [none known] + + + Edwards AFB [M] + (EDWARD-MIL-TAC) [none known] + + El Segundo [M] + (AFSC-SD-TAC) (213) 643-9204 (213) 643-9204 B/V + + Los Angeles [A] + (USC-TAC) (213) 749-5436 + + Los Angeles [A] + (USC-ARPA-TAC) [none known] + + San Diego [M] + (ACCAT-TAC) (619) 225-1641 (R4) (619) 225-6903 V + (619) 225-6946 (R3) + (619) 223-2148 V + (619) 226-7884 (R2) + + Santa Monica + (RAND-ARPA-TAC) [A] + (213) 393-9230 + (213) 393-9237 + (213) 393-9238 + (213) 393-9239 + + (RAND2-MIL-TAC) [M] [none known] + + COLORADO + Denver Fed Ctr [M] + (USGS2-TAC) (303) 232-0206 (303) 232-0206 B/V + + Lowry Air Force Base [M] + (LOWRY-MIL-TAC) [none known] + + D.C. + Washington + [Andrews AFB] [M] + (AFSC-HQ-TAC) (301) 967-7930 (R16) (301) 967-7930 (R16) B + (301) 736-2990 (R4) (301) 736-2990 (R4) B + (301) 736-2998 (R2) (301) 736-2998 (R2) B + + (PENTAGON-TAC) (202) 553-0229 (R14) (202) 553-0229 (R14) B + + FLORIDA + Eglin AFB [M] + (AFSC-AD-TAC) (904) 882-8202 (904) 882-8202 B/V + + Page 186 + + + + + The Official Phreaker's Manual + + (904) 882-8201 (904) 882-8201 V + + MacDill AFB [M] + (MACDILL-MIL-TAC) [none known] + + Naval Air Station - Jacksonville [M] + (JAX1-MIL-TAC) [none known] + + Naval Air Station - Orlando [M] + (ORLANDO-MIL-TAC) [none known] + + GEORGIA + Robins AFB [M] + (ROBINS-TAC) (912) 926-2725 (912) 926-2725 B/V + (912) 926-2726 + (912) 926-3231 + (912) 926-3232 + (912) 926-2204 (912) 926-2204 B/V + HAWAII + Camp H.M. Smith [M] + (HAWAII2-TAC) (808) 487-5545 (808) 487-5545 B + + ILLINOIS + Scott AFB [M] + (SCOTT-TAC) [none known] + + (SCOTT2-MIL-TAC) [none known] + + KANSAS + Ft. Leavenworth [M] + (LVN-MIL-TAC) (913) 651-7041 (R8) (913) 651-7041 (R8) B + + LOUISIANA + Navy Regional Data Automation Center [M] + (NORL-MIL-TAC) (504) 944-7940 (504) 944-7940 B + (504) 944-7948 (R2) (504) 944-7948 (R2) B + (504) 944-7951 (R5) (504) 944-7951 (R5) B + (504) 944-8702 (R8) (504) 944-8702 (R8) B + + MARYLAND + Aberdeen Proving Ground [M] + (BRL-TAC) (301) 278-6916 (R4) (301) 278-6916 (R4) B/V + + Bethesda [M] + (DAVID-TAC) (202) 227-3526 (R16) (202) 227-3526 (R16) B/V + + Patuxent River [M] + (PAX-RV-TAC) (301) 863-4815 (301) 863-4815 B/V + (301) 863-4816 (301) 863-4816 B/V + (301) 863-5750 (R6) (301) 863-5750 (R6) B/V + + Silver Spring [M] + (WHITEOAK-MIL-TAC) (301) 572-5960 (R10) (301) 572-5960 (R10) B + (301) 572-5970 (R10) (301) 572-5970 (R10) B + + MASSACHUSETTS + Hanscom AFB [M] + (AFGL-TAC) (617) 861-3000 (R8) (617) 861-3000 (R8) B + + Page 187 + + + + + The Official Phreaker's Manual + + (617) 861-4965 (R8) (617) 861-4965 (R8) + + Cambridge + (BBN-MIL-TAC) [M] [none known] + + (BBN-ARPA-TAC) [A] [no dialup capability] + + (CCA-ARP-TAC) [A] [none known] + + (MIT-TAC) [A] + (617) 491-5669 (617) 258-6224 V + (617) 491-5708 (617) 258-6225 V + (617) 491-5734 (617) 258-6227 V + (617) 491-5819 (617) 258-6248 V + (617) 491-5826 + (617) 491-5841 + (617) 491-5849 + (617) 491-6769 + (617) 491-6772 + (617) 491-6937 + (617) 258-6241 + (617) 258-6242 + (617) 258-6243 + + MICHIGAN + U.S. Army Tank Automotive Command (TACOM) - Warren [M] + (TACOM-TAC) [none known] + + MISSOURI + St. Louis [M] + (STLA-TAC) [none known] + + NEBRASKA + Offutt AFB [M] + (SAC1-MIL-TAC) [none known] + + (SAC2-MIL-TAC) (402) 292-4638 (R10) (402) 292-4638 (R10) B + + (SAC-ARPA-TAC) [A] + (402) 294-2398 (402) 294-2398 B + (402) 291-2018 (402) 291-2018 B + (402) 292-7054 (402) 292-7054 B + + NEW JERSEY + Dover [M] + (ARDC-TAC) (201) 724-6731 (201) 724-6731 B/V + (201) 724-6732 (201) 724-6732 B/V + (201) 724-6733 (201) 724-6733 B/V + (201) 724-6734 (201) 724-6734 B/V + + Fort Monmouth [M] + (FTMONMOUTH1-MIL-TAC) (201) 544-2052 (201) 544-2052 B/V + (201) 544-2062 (201) 544-2062 B/V + (201) 544-2072 (201) 544-2072 B/V + (201) 544-2396 (201) 544-2396 B/V + (201) 544-2430 (201) 544-2430 B/V + + (FTMONMOUTH2-MIL-TAC) (201) 544-4254 (R3) (201) 544-2430 B + + Page 188 + + + + + The Official Phreaker's Manual + + (201) 544-2636 B + (201) 544-2638 B + (201) 544-2777 B + + NEW MEXICO + Albuquerque [M] + (AFWL-TAC) [none known] + + White Sands [M] + (WSMR-TAC) [no dialups; contact NSC for access] + Claude (Skeet) Steffey - (505) 678-1271 + (FTS) 898-1271 + (AV) 258-1271 + + NEW YORK + Griffiss AFB + (RADC-ARPA-TAC) [A] [no dialup capability] + + (RADC-TAC) [M] + (315) 339-4913 (R5) + (315) 337-2004 (315) 337-2004 B/V + (315) 337-2005 (315) 337-2005 B/V + + (315) 330-2294 (315) 330-2294 (FTS) 952 B/V + + (315) 330-3587 (315) 330-3587 (FTS) 952 B/V + + NORTH CAROLINA + Ft. Bragg [A] + (BRAGG-ARPA-TAC) (919) 396-1131 (R10) (919) 396-1426 (R5) B/V + (919) 396-1491 (R8) B/V + Ft. Bragg [M] + (BRAGG-MIL-TAC) [none known] + + OHIO + Wright-Patterson AFB [M] + (WPAFB-TAC) (513) 258-4218 + (513) 258-4219 + (513) 258-4987 + (513) 258-4988 + (513) 258-4989 + (513) 258-4990 + + (WPAFB2-MIL-TAC) (513) 257-2172 (R8) (513) 257-2172 (R8) B + (513) 257-2690 (R8) (513) 257-2690 (R8) B + (513) 257-3625 (R8) (513) 257-3625 (R8) B + + OKLAHOMA + Tinker AFB [M] + (TINKER-MIL-TAC) [none known] + + + PENNSYLVANIA + New Cumberland Army Depot [M] + (NCAD-MIL-TAC) [none known] + + (NCAD2-MIL-TAC) [none known] + + + Page 189 + + + + + The Official Phreaker's Manual + + TEXAS + Brooks AFB [M] + (BROOKS-AFB-TAC) (512) 536-3081 (R6) (512) 536-3081 (R6) B/V + + Richardson [A] + (COLLINS-TAC) (214) 235-2131 (214) 235-2131 B + (214) 235-2143 (214) 235-2143 B + (214) 235-2178 (214) 235-2178 B + (214) 235-2204 (214) 235-2204 B + (214) 235-2251 (214) 235-2251 B + (214) 235-2278 (214) 235-2278 B + + UTAH + Dugway Proving Ground [M] + (DUGWAY-MIL-TAC) [none known] + + Salt Lake City (University of Utah) [A] + (UTAH-TAC) (801) 581-3486 (801) 581-3486 B/V + + VIRGINIA + Alexandria [M] + (DARCOM-TAC) (202) 274-5300 (202) 274-5300 B + (202) 274-5320 (R6) (202) 274-5320 (R6) B + + Arlington + (ARPA1-MIL-TAC) [M] [none known] + + (ARPA2-MIL-TAC) [M] [none known] + + (ARPA3-TAC) [A] [no dialup capability] + + Dahlgren [M] + (NSWC-TAC) (703) 663-2162 (R8) (703) 663-2162 (R8) B + + Langley Air Force Base [M] + (LANGLEY-MIL-TAC) [none known] + + McLean [M] + (DDN-PMO-MIL-TAC) [none known] + + + (MITRE-TAC) [M] + (703) 442-8020 (R15) + (703) 893-0330 (R10) (703) 893-0330 (R10) B/V + + Norfolk [M] + (NORFOLK-MILTAC) (804) 423-0241 (R2) (804) 423-0241 (R2) B + (804) 423-0247 (R2) (804) 423-0247 (R2) B + (804) 423-0346 (R4) (804) 423-0346 (R4) B + (804) 423-0480 (804) 423-0480 B + (804) 423-0486 (R2) (804) 423-0486 (R2) B + (804) 423-0489 (804) 423-0489 B + (804) 423-0570 (804) 423-0570 B + (804) 423-0572 (R2) (804) 423-0572 (R2) B + (804) 423-0577 (R2) (804) 423-0577 (R2) B + (804) 423-0651 (804) 423-0651 B + (804) 423-0654 (R3) (804) 423-0654 (R3) B + (804) 423-0841 (R2) (804) 423-0841 (R2) B + + Page 190 + + + + + The Official Phreaker's Manual + + (804) 423-0845 (804) 423-0845 B + (804) 423-0849 (804) 423-0849 B + (804) 423-0858 (804) 423-0858 B + (804) 423-0950 (804) 423-0950 B + (804) 423-0952 (804) 423-0952 B + (804) 423-0955 (R3) (804) 423-0955 (R3) B + (804) 423-0959 (804) 423-0959 B + + Reston + (DCEC-ARPA-TAC) [A] [no dialups available] + + (DCEC-MIL-TAC) [M] + (703) 437-2892 (R5) (703) 437-2928 B + (703) 437-2925 (703) 437-2929 B + (703) 437-2926 + (703) 437-2927 + + WASHINGTON + Seattle [A] + (WASHINGTON-TAC) [no dialup capability] + + ENGLAND [M] + (CROUGHTON-MIL-TAC) [none known] + + GERMANY [M] + (FRANKFURT-MIL-TAC) + (M) 2311-5641 (R8) B + + (RAMSTEIN2-MIL-TAC) [none known] + + ITALY [M] + (AGNANO-MIL-TAC) + + JAPAN [M] + (BUCKNER-MIL-TAC) + + (ZAMA-MIL-TAC) + + KOREA [M] + (KOREA-TAC) (M) 264-4951 (R8) B + + PHILIPPINES [M] + (CLARK-MIL-TAC) + + SPAIN [M] + (MILNET-TJN-TAC) [none known] + + (ROTA-MIL-TAC) [none known] + + Notes: + + 1. "(R10)" following phone number indicates a rotary with 10 lines. + + 2. For alternate phone numbers, FTS=Federal Telephone System. + 3. (M)=Military DoD Telephone System. + + 4. [M] denotes a MILNET TAC and [A] denotes an ARPANET TAC. + + + Page 191 + + + + + The Official Phreaker's Manual + + 5. "1200 Type" refers to the modem compatibility for 1200 baud only: + B/V = Bell and Vadic + B = Bell 212A only + V = Vadic 3400 only + + 6. This list is contained in the file NETINFO:TAC-PHONES.LIST at + SRI-NIC. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 192 + + + + + The Official Phreaker's Manual + + >>==========================<< + >>==> TELCO TEST NUMBERS <==<< + >>====> as of 5/16/85 <=====<< + >>=> compiled and updated <=<< + >>====> by Shadow 2600 <====<< + >>==========================<< + +011-44-61-2468011 : US dial tone then "When this system changes, this is the +new dial tone you hear" (UK is changing dialtone) + +201-226-0709 : alternating tones, then "warble" +201-267-9922 : sweep tone +201-267-9966 : 600 ohm termination +201-232-9924 : (tone 1,2,5-beep, bleep; 9,#- 1200 baud static, beep, bleep; +6-tone, higher tone, bleep) +201-232-9959 : tone 11 sec. silence, repeats... +201-233-9972 : multitude of clicks +201-233-9974 : busy 15 sec. then tone w/ clicks +201-241-9916 : hissing with clicks +201-328-9971 : 1000 hrtz tone +201-376-9907 : "is being checked for trouble. Please try again later" +201-464-9915 : low tone 15 sec, silence +201-464-9916 : low tone 2 sec, silence +201-464-9963 : buzz +201-464-9974 : busy 15 sec, low tone +201-543-9902 : "If you'd like to make a call, hang up and try it again." +201-543-9903 : "We're sorry, your call did not go through." +201-543-9904 : "the number you have dialed requires a .20 cents deposit." +201-655-9900 : "cannot be completed as dialed from the phone you are using" +201-769-0205 : People's Express Reservation system +203-771-4920 : telephone company employee newsline +207-866-4411 : 1000 hrtz tone +212-233-9980 : (tone 1,2,3,*-tone, higher tone, bloop; 5-tone, bloop; 9,#- +static,beep,bloop) +212-369-7003 : "you have reached 212-369-7003 in zone 3" (?) +212-799-5017 : ABC New York feed line +213-621-4141 : telephone employee newsline +213-935-1111 : sweep tone with echo at top of range (?) +215-489-0036 : tone, bloop (1,2,5-tone bloop, 3,6,9-tone, higher tone,tone) +215-489-0040 : "please check your instruction manual or call repair service for +assistance" +215-489-0042 : "if you like to make a call please hang up and try again" +215-489-0043 : "We're sorry, your call did not go through." +215-489-0044 : "The call you have made requires a 25 cent deposit" +215-489-0045 : "You must first dial a 1 when dialing this number." +215-489-0074 : LOUD tone, stops, repeats +215-489-0075 : 600 ohm termination (silence) +215-489-0078 : tone, silence +215-489-0080 : 600 ohm termination +215-489-0097 : tone, (lower pitched than -0078) silence (also at -0098) +215-489-0104 : 1000 hrtz tone +216-861-8300 : tone, then higher tone +301-256-9987 : 1000 hertz +301-546-7777 : "Due to Telephone Company facility trouble your call cannot be +completed at this time" +301-725-9904 : "deposit .20" +305-263-0000 : repeating bloop (keypress 2 : slow reorder w/ bloops, clicks) +305-994-9963 : pay fone instructions + + Page 193 + + + + + The Official Phreaker's Manual + +305-994-9966 : "telephone you are calling from is not in service" +312-222-9948 : tone (keypress 1,2,3,6,7,*-tone, high tone, bleep, +4-tone,bloop,9, #-static,beep,bloop) +312-222-9954 : "Test Center" +312-222-9990 : clicks, ticking like +312-222-9996 : LOUD tone, repeats +312-368-8000 : Illinois Bell Communicator (employee newsline) +312-592-0000 : tone (keypress 2222, then other digits, at re-order type * to +restart) (?) +313-223-7223 : telephone employee newsline +313-333-9981 : LOUD tone, silence +313-333-9989 : high tone (enter touchtones for a while, eventually get +"metallic" echo, then 5-high pitched tone, random re-orders) +313-333-9990 : beep, click repeats, with "winks" +313-333-9994 : tone bloop (keypress in 2-tone,bloop, 3-tone, higher tone,tone, +9-static, beep,bloop) +313-333-9995 : 600 ohm termination (silence) +313-333-9996 : weird siren/sweep tone, multi-frequency +313-430-4300 : beep, beep, beep, then reorder +313-698-9998 : sweep tone +314-247-5511 : Southwestern Bell Telenews (employee newsline) +315-471-9934 : "deposit 5 cents for next five minutes" +408-255-0081 : (any two 2,4,8,0-tone) +408-294-6969 : beep, click, computer voice repeats number +408-395-1110 : (tone 2-bleep,glitch; 3-beep,higher beep;#then number-loud +tone,bleep) +408-738-8190 : (tone 1,3,6,7,*-tone, high tone, tone;2-beep,cluck;9,#- +static,tone,beep) +408-745-6060 : high pitched tone, low tone then repeats +408-994-0044 : tone end of loop +412-633-3333 : telephone company employee newsline +414-628-0001 : continuous tone +414-628-0002 : continuous tone (higher pitched, sounds like muted dial) +414-628-0004 : high pitched tone, bloop, silence +414-628-0006 : brief very high tone (also -0007) (multiple keypresses of +2,5,8,0 tone repeats) +414-628-0010 : loud tone, stops, repeats... +414-628-0011 : loud tone, stops +414-628-0013 : 600 ohm termination (silence) (also -0017, two in an exchange?) +414-628-0014 : continuous tone (sounds like weird dial), eventually stops +414-628-0015 : LOUD tone, repeats +414-628-0028 : "Your call cannot be completed as dialed +414-678-3511 : Wisconsin Bell Newsline +414-781-0004 : high tone, silence (keypress 2,5-beep,bleep, 3,6-beep,longbeep, +bloop, 9-static,bloop) +415-284-1111 : one sweep, then silence +415-327-0046 : sweep tone +415-388-0037 : tone,bloop (keypress 2-tone,bloop, 3-tone,high tone,tone, +9-static,beep,bloop) +415-472-0046 : sweep w/ glitch at top +415-545-8800 : Pacific Bell Newsline +415-467-0097 : fast DTMF tones, keypress to repeat +415-777-0020 : 1000 hrtz tone +415-777-0037 : tone, bloop (keypress 2-beep,bloop, 3,6-tone,higher tone, +9-static,beep,bloop) +415-777-0046 : sweep tone with echo +415-777-0105 : tone,bloop (keypress 2-beep,bleep, 3,6-tone, higher tone, +tone,9-static,beep,bloop + + Page 194 + + + + + The Official Phreaker's Manual + +415-826-0022 : tone, click, tone (sounds like a busy) +415-994-0710 : multitude of clicks +512-472-2181 : "if you would like to make a call, please hang up and try +again" +512-472-4263 : garbled recording (?) +512-472-9833 : "you must first dial a 1 or 0 before calling this number" +512-472-9936 : "please check your instructions or call your business office for +assistance" +512-472-9941 : "insert 25 cents" +516-222-3825 : LOUD tone +516-234-9914 : New York Telephone Newsline +518-471-2272 : New York Telephone Newsline +518-789-3299 : weird busy, multitude of clicks +609-267-9966 : busy with clicks in background +609-267-9967 : 600 ohm termination (silence) +609-267-9968 : 1000 hrtz tone +609-267-9971 : LOUD tone, stops, repeats +609-267-9972 : rings with clicks in background (also -9973 and -9974) +609-877-9924 : high tone (tone in 1,2,5-tone, bloop; 3,6,*-tone, higher tone, +bleep; #-static, beep, bleep) +609-877-9929 : 1000 hrz tone +617-553-9953 : tone end of loop +617-890-9900 : sweep tone +617-955-1111 : telephone company employee newsline +619-748-0002 : tone increases in pitch, silence, repeats in monotone +619-748-0003 : sweep, repeat, hangs up +702-789-6711 : Nevada Bell Newsline +713-354-0000 : touch tone in #, then new #, then 5 - listed, 9 - unlisted) +713-482-3199 : "We're sorry, all circuit are busy now." +713-652-5111 : touch tones echo back "metallic", something about "drivers +licence number" replys in a female recorded voice +717-255-5555 : Bell of Pennsylvania "Inside Line" (employee newsline) +718-429-9900 : "Please slide a valid credit card through the slot now" +800-221-5959 : tone (# makes it ring) +800-228-8466 : Sensaphone (tm) demo (time etc. (EST) (wait 7+ rings)) +800-321-3048 : non-connecting loop with 800-321-3049 +800-321-3052 : loop (don't know where other end is) +800-321-6366 : Centagram's Voice Memo System (extension 100 for demo) +800-323-6321 : tone, stops, bloop repeats +800-327-0000 : "Announcement three, Dallas" (changes sometimes) +800-344-4001 : non-connecting loop with 800-344-4002 +800-524-0000 : "Announcement 1 Atlanta" +800-554-5924 : Cable News Network audio feed +800-824-8274 : "Enter your password service code" +802-955-1111 : telephone company newsline +808-533-4426 : Hawaiian Telephone Newsline +816-391-1122 : recorder (keypress 1-toggle on/off, 3-rewind, 4-stop, 7-play) +907-269-0955 : tone (sounds like extender, doesn't take touch tone (?)) +914-232-9901 : "Daytona, New York DMS-100 verification" +914-268-9901 : "Congers DMS 100 Verification" +914-268-9903 : "your call cannot be completed as dialed" +914-268-9968 : (keypress 2-high tone, 3-high, higher tone, 6,0-click, 7- hangs +up, sometimes 0,#,*-harmony) +914-359-9901 : repeats the number dialed ("914-359-9901") +914-359-9960 : weird tone, stops, clicks, repeats +914-623-9968 : (keypress 2,5-beep glitch, 3,6-tone highertone) +916-480-8000 : Pacific Bell Newsline + + + Page 195 + + + + + The Official Phreaker's Manual + + WHAT A TSPS CONSOLE LOOKS LIKE + +--- NON/COIN ---- ------------- COIN ------------- --------- HOTEL --------- + + ---- ---- ---- ---- ---- ---- ----- --- --- ---- +!VFY ! !OVER! !SCRN! !INWD! !EMER! !STA ! ! 0+ ! !DIAL! !STA ! ! 0+ ! +!DIAL! !POST! !TONE! !STA ! ! 0+ ! !DIAL! !QST ! ! ! ! ! ! ! + ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- + +----- OUTGOING TRUNKS ----- RING RELEASE + + ---- ---- ---- ---- ---- ----- ---- ---- ---- ---- +! DA ! !R&R ! !SWB ! !OGT ! !BACK! ! FWD ! !CALL! !T&C ! !NFY ! !CHG ! + ---- ---- ---- ---- ---- ----- ---- ---- ---- ! DUE! + ---- + --- ---- ---- ---- ---- ---- ---- ---- ---- ---- +!KEY ! !BACK! !FWD ! ! SR ! !MAKE! !MTCE! !POS ! !BACK! ! ! ! ! +!CLG ! ! ! ! ! ! ! !BUSY! !TRFR! ---- ---- ---- ---- + ---- ---- ---- ---- ---- ---- + + ----------------- AMA ----------------- + ---- ---- ---- ---- ---- ---- +STATION -----!PAID! !COL ! !SPL ! !SPL ! !AUTO! !DDD ! + ! ! ! ! !CLG ! !CLD ! !COL ! ! ! + ---- ---- ---- ---- ---- ---- + + ---- ---- ---- ---- ---- +PERSON ----- !PAID! !COL ! !SPL ! !SPL ! ! NO ! + ! ! ! ! !CLG ! !CLD ! !AMA ! + ---- ---- ---- ---- ---- + + ---- ---- ---- + !CLG ! !CLG ! !CLG ! + ! ! ! ! ! ! + ---- ---- ---- + + + + + + + + + + + + + + + + + + + + + + + + + Page 196 + + + + + The Official Phreaker's Manual + + Box Plans + + Hmm... I wonder! This is still under construction (Ha Ha). + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 197 + + + + + The Official Phreaker's Manual + + THE INFINITY TRANSMITTER + + TYPED BY THE GHOST WIND + + FROM THE BOOK BUILD YOUR OWN + LASER, PHASER, ION RAY GUN & OTHER WORKING SPACE-AGE PROJECTS + BY ROBERT IANNINI (TAB BOOKS INC) + +Description: Briefly, the Infinity Transmitter is a device which activates a +microphone via a phone call. It is plugged into the phone line, and when the +phone rings, it will immediately intercept the ring and broadcast into the +phone any sound that is in the room. This device was originally made by +Information Unlimited, and had a touch tone decoder to prevent all who did not +know the code from being able to use the phone in its normal way. This +version, however, will activate the microphone for anyone who calls while it is +in operation. +NOTE: It is illegal to use this device to try to bug someone. It is also +pretty stupid because they are fairly noticeable. +Parts List: +Pretend that uF means micro Farad, cap= capacitor + +Part # Description +---- - ----------- +R1,4,8 3 390 k 1/4 watt resistor +R2 1 5.6 M 1/4 watt resistor +R3,5,6 3 6.8 k 1/4 watt resistor +R7/S1 1 5 k pot/switch +R9,16 2 100 k 1/4 watt resistor +R10 1 2.2 k 1/4 watt resistor +R13,18 2 1 k 1/4 watt resistor +R14 1 470 ohm 1/4 watt resistor +R15 1 10 k 1/4 watt resistor +R17 1 1 M 1/4 watt resistor +C1 1 .05 uF/25 V disc cap +C2,3,5,6,7 5 1 uF 50 V electrolytic cap or tant + (preferably non-polarized) +C4,11,12 3 .01 uF/50 V disc cap +C8,10 2 100 uF @ 25 V electrolytic cap +C9 1 5 uF @ 150 V electrolytic cap +C13 1 10 uF @ 25 V electrolytic cap +TM1 1 555 timer dip +A1 1 CA3018 amp array in can +Q1,2 2 PN2222 npn sil transistor +Q3 1 D4OD5 npn pwr tab transistor +D1,2 2 50 V 1 amp react. 1N4002 +T1 1 1.5 k/500 matching transformer +M1 1 large crystal microphone +J1 1 Phono jack optional for sense output +WR3 (24") #24 red and black hook up wire +WR4 (24") #24 black hook up wire +CL3,4 2 Alligator clips +CL1,2 2 6" battery snap clips +PB1 1 1 3/4x4 1/2x.1 perfboard +CA1 1 5 1/4x3x2 1/8 grey enclosure fab +WR15 (12") #24 buss wire +KN1 1 small plastic knob +BU1 1 small clamp bushing +B1,2 2 9 volt transistor battery or 9V ni-cad + + Page 198 + + + + + The Official Phreaker's Manual + + +Circuit Operation: Not being the most technical guy in the world, and not being +very good at electronics (yet), I'm just repeating what Mr. Iannini's said +about the circuit operation. The Transmitter consists of a high grain +amplifier fed into the telephone lines via transformer. The circuit is +initiated by the action of a voltage transient pulse occurring across the +phone line at the instant the telephone circuit is made (the ring, in other +words). This transient immediately triggers a timer whose output pin 3 goes +positive, turning on transistors Q2 and Q3. Timer TM1 now remains in this +state for a period depending on the values of R17 and C13 (usually about 10 +seconds for the values shown). When Q3 is turned on by the timer, a simulated +"off hook" condition is created by the switching action of Q3 connecting the +500 ohm winding of the transformer directly across the phone lines. +Simultaneously, Q2 clamps the ground of A1, amplifier, and Q1, output +transistor, to the negative return of B1,B2, therefore enabling this amplifier +section. Note that B2 is always required by supplying quiescent power to TM1 +during normal conditions. System is off/on controlled by S1 (switch). + A crystal mike picks up the sounds that are fed to the first two +transistors of the A1 array connected as an emitter follower driving the +remaining two transistors as cascaded common emitters. Output of the +array now drives Q1 capacitively coupled to the 1500 ohm winding of T1. +R7 controls the pick up sensitivity of the system. + Diode D1 is forward biased at the instant of connection and essentially +applies a negative pulse at pin 2 of TM1, initiating the cycle. D2 clamps +any high positive pulses. C9 dc-isolates and desensitizes the circuit. The +system described should operate when any incoming call is made without ringing +the phone. + +Schematic Diagram: Because this is text, this doesn't look too hot. Please +use a little imagination! I will hopefully get a graphics drawing of this +out as soon as I can on a Fontrix graffile. + +To be able to see what everything is, this character: | should appear as a +horizontal bar. I did this on a ][e using a ][e 80 column card, so I'm sorry if +it looks kinda weird to you. + +Symbols: + resistor: -/\/\/- switch: _/ _ + battery: -|!|!- capacitor (electrolytic): -|(- + capacitor (disc): -||- _ _ + transistor:(c) > (e) Transformer: )||( + \_/ )||( + |(b) _)||(_ + diode: |< + chip: ._____. + !_____! (chips are easy to recognize!) + + Dots imply a connection between wires. NO DOT, NO CONNECTION. +ie.: _!_ means a connection while _|_ means no connection. +---------------------------------------------------------------------------- + +.________________________to GREEN wire phone line +| +| .______________________to RED wire phone line +| | +| | ._________(M1)______________. +| | | | +| | | R1 | + + Page 199 + + + + + The Official Phreaker's Manual + +| | !__________/\/\/____________! +| | | _!_ C1 +| | |this wire is the amp ___ +| | |<=ground | R2 +| | | !___________________/\/\/_____________. +| | | ._______!_______. | +| | !___________________!4 9 11!_____________________________! +| | | | | | +| | !___________________!7 12._____________________________! +| | | | A1 | R3 | +| | !___________________!10 ____*8!_______.____/\/\/____________! ^ +| | | | / | | | | +| | | C4 | / | \ |2ma +| | !____||______. | / | /R4 B1 + +| | | || | | / | \ |!|! +| | | R7 | C2 | / | / | +| | !____/\/\/___!__)|__!8*_/ | | S1 | +| | | ^ | 6!_______! neg<__/.__! +| | | | C3 | | | C5 return | +| | | !_____|(___.__!3 | '-|(-| | +| | | | | 5 1!____________! | +| | | \ !_______._______! | B2|!|! +| | !________. R8 / | | + +| | | \ | | R6 |3ma +| | | !__________!____________________|_____/\/\/______! | +| | | R5 | | | v +| | !__/\/\/___________|____________________! | +| | | | | +| | | | | +| | | C6 | | +| | | |-)|-' R9 | +| | | !_________________/\/\/_______. | +| | | | | | +| | | Q1 _!_ | R10 | +| | !____________/ \____________________________!__/\/\/_____! +| | | | | +| | | | | +| | | C8 | | +| | !__________)|_______________________________|____________! +| | ! | | +| | / | | +| | -----| | | +| | | \ | | +| | | > | | +| | | | | | +| | | | | | +| | | !_____________. | | +| | | | | | +| | !__________. | | | +| | | | | | +| !________. | | ._____! | +| | | | | | +| | | | | | +| | | | | C7 | +| | | | '-|(-| | +| |_________|_________!_______.T1._________________| | +| | | 1500 )||( 500 | +| | | ohm )||( ohm | + + Page 200 + + + + + The Official Phreaker's Manual + +| | !______.)||(.__. | +| | | | | +| | | | | +| | | > | +| | | |/ | +| | | +----| Q3 | +| | | | |\ | +!____________________|_________|_______|______!__. D1 C9 | + | | | '-|<---|(------| | + .______________! | | | | + | | | | | + | .________________! | | | + | | | | | + \ | .________________! C11 | | + / | | .___||____________! | + R13 \ | | | || | | + / | | | | | + \ !___.___|_______________________! | | + | | | | | R16 | R15 | + | v | | !___/\/\/\________!___/\/\/_! + | neg | | | D2 | | + | return | | !_____|<__________! | + | B1,B2 | \ | | | + | | / | .____________!_. | + | | \R14 |C12 | TM1 2 | | + | | / !_||_!5 4!_______! + | | \ | || | | | + | | | !____!1 8!_______! + | | | | | 7 6 3 | | + | | | | !_____._.____._! | + | | | | | | | | + | | | | C13 | | | R17 | + | | | !___)|_____!_!____|__/\/\/__! + | | | | | | + !___________|___!_______________________|_________________! | + | | | | + | \ | C10 | + | /R18 !__________)|_______________! + | \ + | / + | | + !___O J1 + sense output + +Construction notes: Because the damned book just gave a picture instead of step +by step instructions, and I'll try to give you as much help as possible. Note +that all the parts that you will be using are clearly labeled in the schematic. +The perfboard, knobs, 'gator clips, etc are optional. I do strongly suggest +that you do use the board!!! It will make wiring the components up much much +easier than if you don't use it. + The knob you can use to control the pot (R7). R7 is used to tune the IT so +that is sounds ok over the phone. (You get to determine what sounds good) By +changing the value of C13, you can change the amount of time that the circuit +will stay open (it cannot detect a hang up, so it works on a timer.) A value of +100 micro Farads will increase the time by about 10 times. + The switch (S1) determines whether or not the unit is operational. Closed is +on. Open is off. The negative return is the negative terminals of the battery!! +The batteries will look something like this when hooked up: + + Page 201 + + + + + The Official Phreaker's Manual + + <-v_____. .______. ._____. .____-> + | | | | | | + __!___!__ | | __!___!__ + | + - | !_/ _! | + - | + | | switch ^ | | + | 9volts| | | 9volts| + !_______! neg return !_______! + + To hook this up to the phone line, there are three ways, depending upon what +type of jack you have. If it is the old type (non modular) then you can just +open up the wall plate and connect the wires from the transmitter directly to +the terminals of the phone. + If you have a modular jack with four prongs, attach the red to the negative +prong (don't ask me which is which! I don't have that type of jack... I've only +seen them in stores), and the green to the positive prong, and plug in. Try not +to shock yourself... + If you have the clip-in type jack, get double male extension cord (one with a +clip on each end), and chop off one clip. Get a sharp knife and splice off the +grey protective material. You should see four wires, including one green and +one red. You attach the appropriate wires from the IT to these two, and plug +the other end into the wall. + +Getting the IT to work: If you happen to have a problem, you should attempt to +do the following (these are common sense rules!!) Make sure that you have the +polarity of all the capacitors right (if you used polarized capacitors, that +is). Make sure that all the soldering is done well and has not short circuited +something accidently (like if you have a glob touching two wires which should +not be touching.) Check for other short circuits. Check to see if the battery +is in right. Check to make sure the switch is closed. + If it still doesn't work, drop me a line on one of the Maryland or Virginia +BBSs and I'll try to help you out. + +The sense output: Somehow or other, it is possible to hook something else up to +this and activate it by phone (like an alarm, flashing lights, etc.) + +As of this writing, I have not tried to make one of these, but I will. If you +actually get it working, leave me a note somewhere. + +I sure hope all you people appreciate this. + + +<<< the Ghost Wind >>> + + + + + + + + + + + + + + + + + + Page 202 + + + + + The Official Phreaker's Manual + + :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: + : : + : SILVER BOX: AN ALTERNATE METHOD OF CONSTRUCTION : + : : + : BY: THE LOCK LIFTER--1/25/85 : + : : + :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: + +PARTS & EQUIPMENT: +(1) POCKET TONE DIALER (RADIO SHACK CAT. NO. 43-138) +(2) SINGLE POLE DOUBLE THROW SWITCH (TOGGLE, THE SMALLER THE BETTER) +(3) SOLDERING IRON + + THIS MODIFICATION WILL ALLOW THE PRODUCTION OF A,B,C,&D TONES. WHEN YOU +FLIP THE SWITCH THE 3,6,9,&# KEYS WILL BECOME A,B,C,&D RESPECTIVELY. THE IC +INSIDE THE DIALER IS CAPABLE OF MAKING THESE TONES ALREADY, ALL WE MUST DO IS +CONNECT IT FULLY. THIS MOD CAN ALSO BE MADE TO MANY ELECTRONIC FONES THAT +CONTAIN A DTMF TONE ENCODING IC. THIS CHIP CAN BE IDENTIFIED BY THE NUMBER 5089 +OR S2559 OR MK5380 OR TCM5087N. PIN 9 OF THESE CHIPS IS THE FOURTH COLUMN +KEYPAD INPUT WHILE PIN 5 IS THE THIRD COLUMN. NOW ON WITH THE CONSTRUCTION. + +1) REMOVE THE BATTERY COVER, BATTERIES, AND THE SMALL SCREW. THE CASE SHOULD +NOW POP OPEN WITH A LITTLE PRESSURE. +2) OPEN THE CASE SO THAT THE HALF CONTAINING THE SPEAKER AND THE BATTERIES +IS ON YOUR LEFT WITH THE BATTERIES ON THE BOTTOM. YOU SHOULD NOW BE LOOKING AT +THE BACK OF 2 PRINTED CIRCUIT BOARDS. +3) FIND THE TWO ROWS OF SOLDER BEADS WHERE THE IC IS CONNECTED. THE UPPER +LEFT PIN OF THE 2 ROWS SHOULD HAVE NO SOLDER ON IT. THIS IS PIN 9 OF THE IC. +4) ATTACH A SHORT WIRE TO PIN 9. +5) SEE THE 8 GOLD WIRES GOING TO THE KEY PAD? UNSOLDER THE ONE 4TH FROM THE +LEFT AND CONNECT IT TO A SHORT WIRE. +6) SOLDER A SHORT WIRE INTO THE NOW VACANT HOLE IN THE KEYPAD PCB. +7) MELT OR DRILL A ROUND HOLE IN THE PLASTIC CASE FOR THE SWITCH. THE BEST +PLACE FOR THIS IS OPPOSITE THE SMALL PCB CONTAINING THE L.E.D. +8) INSERT THE SWITCH AND SCREW IT IN PLACE. +9) ATTACH THE WIRE FROM THE KEYPAD PCB TO THE CENTER OF THE SWITCH. ATTACH THE +OTHER TWO WIRES TO THE OTHER TWO POLES OF THE SWITCH. JUST CLOSE THE CASE, PUT +BACK IN THE SCREW AND BATTERIES. + +THE SWITCH WILL NOW ALLOW THE 3RD COLUMN KEYS TO PRODUCE BOTH 3RD AND FOURTH +COLUMN TONES. HAVE PHUN + + + + + + + + + + + + + + + + + + + Page 203 + + + + + The Official Phreaker's Manual + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Well, this is just a page to protect the other pages. + I hope you enjoyed the book! + + + + + + + + + + + + + + + + + + + + + + + + + Page 204 + + diff --git a/textfiles.com/phreak/PHREAKING/phreagui.txt b/textfiles.com/phreak/PHREAKING/phreagui.txt new file mode 100644 index 00000000..4f9374e9 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phreagui.txt @@ -0,0 +1,362 @@ +<><><><><><><><><><><><><><><><><><><> +<> OLIVER JONES' GUIDE TO PHREAKING <> +<> <> +<> VOLUME I... +<> MORE WIERD SHIT!>.... <> +<> <> +<> <> +<><><><><><><><><><><><><><><><><><><> + +First off: This is not meant for a +good phreak, such as, Chris Chronos. +This file is meant for people who are +interested in getting into phreaking. +This is not so much my own work, as it +is a compilation of a bunch of others. +So, don't get uptight if you reconize +stuff. + +=-]BASICS + +A phreak is either: +(1) Someone who just uses mci, etc... +or: +(2) Someone who is into boxing, etc... +-------------------------------------- + +=-]TRASHING +becuz i am saying what comes to mind +i'll start with this. this is the +*BEST* way for phreaks to get info. +now it was recently brought to my +atention, that some peopl don't know +what trashing is, so, here is a basic +definetion; Trashing is the art of +raiding your local c.o. (central +office, where all calls are connected) +dumpster, getting printouts, invoices, + maybe discarded parts, but anything +of interest. Now the way (best) to +do it is, to wait until nite, with +a raincoat, flashlite, something to +carry your goodies home in, go to +you c.o.'s dumpster, climb in, and +get what you will... + This is a *FEDERAL OFFENSE* (big +deal!), bell has busted a lot of +people for doing dis, so be fucking +careful, if you get anything, post the +results on the boards at the end of +this phile. + +-=]CALLING PHREE + Now this is all the 1st type of phreak +does, #2 phreaks do this also (unless +they're millionares...), so, i'll +explain the basic principle. You 1st +get an extender/port, what they're is +what mci, sprint, allnet, etc... use. +the basic principle is, you call, +mci picks up, gives a tone, key in your +code (mci=5 digits), and then the +npa , and the exchange/# +so, if you wanted to dial say, gse, +you'd go... +123-4567, it'd ring, pick up, type: +517312037756392 +^^^^^|||||||||| +code phone # to call +it's really quite simple. +--------------------------------------- +-=]INTERESTING NOTE +becuz of a law passed in '82 , +any phone numbers that are used on +t.v./radio, and occasionaly movies, +the exchange *MUST* be 555, why, +you might ask...well that is bell's +special exchange, for instance, if +you wanted to get the number for a +place in San Fransisco, but lived in +Flordia, you'd dial: 415-555-1212 +415 sends your call to Ca, 555 alerts +the computer to route it with bell's +special calls, and the 1212 tells it +it's an information call (411)... +just thought you'd be interested in +that. +--------------------------------------- +-=]BOXING +Boxing ('specially blue), is the best +way for a phreak to interact with the +phone system, in a future phile i'll +go more into it, but for now, i'll +just give you a basic idea of what +it tis...boxes are electronic +creations which somehow interact with +the phone system, the famous ones are: +blue: allows you to become an operator +red: simulates coins in a pay (fortress +) phone, allowing phree calls. +and now there is a whold new slew of +'em...such as +mirror: rumored to trace +brown: connects to lines, wierd! +silver: creates 4 new keys for dtmf +(touch tone) pad... +white: portable dtmf pad +cheese:used with call forwarding, +basically red +black: now defunct, but would work +on bells system of billing. +==================================== +the above are just a few of the many +boxes...some have multiple names, such +as, beige or bud..they are basically +lineman's handsets... +------------------------------------ +-=]LINEMAN'S HANDSETS +a lineman's handset (lh) is what +the telephone repairmen use to +help aid in fixing a phone. recently, +when my line was on the fritz, the +repairman came to fix it. i was in +the middle if a phone conversation, +when i hear a bunch of static, and +someone's voice boom out: "is this +555-4980?" my answer was yes, and he +said he was here to repair the line. +what he did was climb up the +telephone pole, where there was a +silver box (rectanglish), he opened +it and there were a bunch of pairs +of terminals, each one was a phone line +for that block. The reason for a phreak +to build an lh is to tap into people's +lines to: +(A) make free calls +(B) run it back to his house as a tap +(C) using a,b to call up traced #'s +such as cosmos (bell's computer), and +not worry 'bout getting caught. +(D) this reason is the most fun, to +harass the operator... +-------------------------------------- +-=]COSMOS + +Okay, becuz this is just a primer, i +won't bother with what to do when you + get on a cosmos system, +they will come later in life (err, this +series), but here is what cosmos +basically consists of: +COSMOS is: +the computer(s) which operators, +information, the cn/a operator, use. +it is used to keep track of bills. +it can be used to: +trace calls, disconnect phone lines, +order new parts for c.o., set up +loops, establish credit, establish +a new frame (in the computer's mind), +stack calls (make all the lines (trunks +) from here to say tokyo busy! and it +has many more capabilities, as you +can see though, Cosmos is *POWER*, +so it is a vital phreak tool. Now +here is where some ambugitity (howeva +ya spell the shit) forms. Becuz a +phreak isn't a hacker, how can they use +cosmos, simple, becuz Cosmos is part +of bell, and it is what keeps Bell +running these days, to play hell with +it, is to Phreak, by defintion. +Now while *ALL* hackers are leech +phreaks, some are also true phreaks, +so, there is really no problem, but if +a cloud of doubt had formed in your +mind, this was meant to dis-spell it. +So in a later volume, i will have it +all Cosmos... +-------------------------------------- +-=]Switching Systems +a switch system (ss) is what connects, +complete your calls. there are four +main ones (a fifth is being testedin +some hicktown in Pa.), they are: + +SxS, the 1st switching system, was +invented by an undertaker, becuz +he felt that a biased switchboard +operator was routing all calls for +a undertaker to the operator's husband. +In 1979 53% of the bell network was +SxS (or step by step), and by 1990 +only 'bout 10 sxs offices will remain +in the u.s. +also, with sxs, there is no dtmf +(Dual Tone Multi-Frequency, aka touch- +tone) on sxs, what you might have is a +converter, but then the call goes thru, +just as slowly. So that's sxs now onto: + +Crossbar; + Crossbar is the next step up in the +ss hierarchy, crossbar is slightly more +advanced than sxs, and dtmf is real on +it, but it is just 'bout as safe (as +of 11/1/85) as sxs, but remember, just +'bout anything is safe at a fortress +(pay) phone, 'cept if you repeatdly box +there, becuz the s.s. (bell security), +has been known to stake out f.f. +now onto the world's worst nightmare... + +--------------------------------------- +-=]ESS +I gave ess it's own section, becuz i +have so much to write 'bout it. ess +stands for: Electronic Switching +System, and thatis just what it is. +by using computers, calls are processed +by copmuter, are connected instantly +after the last digit is dialed, and +can be traced in a mille-second , so, ess is quite dangerous (if +you're reckless, i mean i'm on it, +and i haven't been caught yet, course, +i use mci, so bell doesn't give a shit! +), now then back to ess... +ess also can do the following: +call waiting + +speed dialing + +call forwarding + +three way calling , of course with the advent of +remobs, it is now east in any ss... +______________________________________ +Special Note Related to Above: +ciss, don't know what it stands +for, but it incorparates every +thing that digital/ess does plus +a couple of other things, the main one +is auto-tracing from the house, what +happenes, is when somebody calls you, +you press a button on your phone, and +a thermal printer prints out the number +of the person who is calling you. This +probally won't catch on (thank you god! +) though becuz it requires leasing a +phone with a printer attached for 'bout +$30 a month, tres expensive! +======================================= +-=]REMOBS +a remobs, whilei don't have any at +the moment, they are incredibly cool. +can tap into somebody's line by: +dialing up the remob, dialing in +the access code, then the #, without +npa, becuz these can't cover a whole +npa, just a part of it, then you are +tapped into the line, you can listen +in, but your mouthpeice is cut-off +(if noone's using the phone, you hear +silence, but calls can still be +recived/initaited), plus there +is some other shit it can do... +===================================== +Well, I tink I'll end the first volume +with a bunch of phone numbers, these +have all been tested within the last +week, so they should work...here ya' +go: +212-976- +5050-ARIES HOROSCOPE +5151-TAURUS +5252-GEMINI +5353-CANCER +5454-LEO +5656-VIRGO +5757-LIBRA +5858-SCORPIO +5959-SAGITTARIUS +6060-CAPRICORN +6161-AQUARIUS +6262-PISCES +3737-PORNO +2626-PORNO +2727-PORNO +2828-PORNO +1-415-976 +6969-PORNO +3636-PORNO +PREP (7737)-PORNO +212-799-5017-ABC FEED LINE, WIERD! +{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{} +{} BOARDS TO CALL TO CONTACT ME OR {} +{} TO ASK ME QUESTION ABOUT MY FILE {} +{} {} +{} AMERICAN BBS:303-457-0976 {} +{} THE K.G.B. :303-499-7801 {} +{} THE F.W.S.O.:303-755-8263 {} +{} THE GSE :203-775-6392 {} +{} SWAP SHOP :409-244-5154 {} +{} {} +{} IN ALL CASES LEAVE MAIL TO: {} +{}---------->OLIVER JONES<----------{} +{} "O.J." {} +{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{} +DISCLAIMER: +THIS PHILE WAS INTEDED FOR INFORMATION +PURPOSES ONLY, ANY USE THEROF IS NOT +THE RESPONSIBILITY OF THE AUTHOR, AND +THEREFORE, HE CAN NOT BE PROSECUTED +BECUZ, SOMEBODY GOT BUSTED USING THIS +INFORMATION, IT WAS INTENDED FOR +ENTERTAINMENT PURPOSES ONLY. +<><><><><><><><><><><><><><><><><><><> +WRITTEN ON: JANUARY 1, 1986 +HAPPY NEW YEAR!!!!!!!!!!!!! +[][][]THIS PHILE IS NOW TERMINATED[][][] diff --git a/textfiles.com/phreak/PHREAKING/phreahel.txt b/textfiles.com/phreak/PHREAKING/phreahel.txt new file mode 100644 index 00000000..1c5594b9 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phreahel.txt @@ -0,0 +1,84 @@ + + ======================================= + HELPFUL PHREAKING INFORMATION + ======================================= + + BY ZANDAR ZAN + + + ================================================ + AN UNDERGROUND ALLIANCE PRESENTATION + ================================================ + + MORDOR AE 201-528-6467 PW:ZANDAR + THE BASEMENT 201-223-6404 + LIZARD PALACE 201-528-6964 + SIRIUS CYBERNETICS 808-521-3306 + AGENT AE 201-925-2728 PW:CIAE + + + ======================================= + THIS FILE MAINLY DEALS W/PHREAKING + THROUGH 800 EXTENDERS + ======================================= + +1> NEVER, NEVER, EVER, EVER, EVER KEEP A CODE COMPLETELY TO YOURSELF! + CONSIDER THIS: IF YOU ARE THE ONLY ONE TO USE A PHREAK, THEN YOU AND ONLY + YOU CAN BE PROSECUTED. + +2> THE SAFEST PHREAK IS A KNOWN PHREAK + +3> NEVER USE A CODE TO ABUSIVENESS. IF POSSIBLE, IF YOU ARE A GOOD PHREAK + THEN IT IS,ONLY USE A CODE ONCE OR TWICE. THEN DISCARD IT. + +4> HAVE MORE THAN ONE WORKING CODE HANDY AT ALL TIMES. + +5> HAVE MORE THAN ONE 800 EXTENDER AT YOUR DISPOSAL (WITH CODES OF COURSE). + +6> BE <<< VERY >>> CAREFUL ABOUT GIVING OUT CODES AND WHO YOU GIVE THEM + TO (OBVIOUSLY). IT IS GOOD TO HAVE OTHERS (AND I STRESS NOT LOCAL TO + YOU) HAVING A CODE, BUT BETTER TO GIVE OUT THAT CODE WITH OTHERS NOT + KNOWING WHO YOU ARE (EVEN YOUR USUAL HANDLE). + +7> DON'T WRITE FILES ABOUT PHREAKING!! THERE'S ENOUGH OF US DOING IT AS IT + IS! + + + LET ME CLEAR A FEW THINGS UP + + THE PHONE COMPANY HAS A COMPLETE RECORD OF EVERY CALL THAT HAS EVER +BEEN MADE FROM YOUR HOUSE. YOUR "PHONE HISTORY" INCLUDES ALL CALLS +EXCEPT 800 CALLS. WHY THEN DON'T 800 #'S SHOW UP ON YOUR FONE BILL? +OBVIOUSLY BECAUSE THEY DON'T COST YOU ANYTHING. NOW, THE TELCO DOES NOT, +HOWEVER, CHECK EVERYONE'S RECORD TO SEE IF THEY HAVE BEEN MAKING EXCESSIVE +AMOUNTS OF 800 CALLS. THAT WOULD BE NEARLY IMPOSSIBLE (THINK OF HOW MANY +PEOPLE ARE AT&T SUBSCRIBERS)! + + ANYHOW, WHAT HAPPENS WHEN THE AMOUNT OF 800 PHONE CALLS YOU MAKE +GREATLY INCREASES IS THIS . . . + + A TROUBLE CARD SHOWS UP ON THE COMPUTER WITH YOUR NAME ON IT (YOUR +FAMILY'S THAT IS). A TROUBLE CARD IS NOT JUST FOR THINGS LIKE THAT THOUGH. +A TROUBLE CARD IS MERELY A WARNING THAT SOMETHING IS FUCKED UP SOMEWHERE. BE +IT A DOWNED LINE, AN UNPAID BILL, OR JUST ABOUT ANY "TROUBLE" IE. THE NAME +"TROUBLE CARD". + + A TROUBLE CARD WILL NOT POP UP IF ONE MONTH YOU MAKE A FEW 800 FONE +CALLS, TROUBLE CARDS WORK ON A PERCENTAGE BASIS OVER AN EXTENDED PERIOD OF +TIME, ONE MONTH USUALLY. FOR INSTANCE, IF YOU INCREASE THE NUMBER OF 800 +CALLS YOU MAKE EACH MONTH BY BUT A FRACTION, THEN CHANCES ARE A TROUBLE CARD +WILL NEVER SHOW UP IF, HOWEVER, YOU GO FROM MAKING TWO 800 CALLS A MONTH +TO MAKING 200 CALLS A MONTH YOU ARE NOT ONLY IN TROUBLE, YOU ARE VERY +STUPID. + + IF YOU NORMALLY MAKE ONE THOUSAND 800 EXTENDER FONE CALLS A MONTH, BE +IT FOR YOUR COMPANY ETC., THEN A TROUBLE CARD WILL NOT SHOW UP BECAUSE THAT +IS WHAT YOU HAVE ALWAYS BEEN DOING. + + I HOPE THIS FILE HAS CLEARED A FEW MISUNDERSTANDINGS ABOUT JUST WHAT +THE FONE COMPANY KNOWS ABOUT 800 EXTENDERS AND HOW THEY KNOW YOU USE THEM. + + I WOULD HAVE MADE THIS FILE LONGER, BUT I JUST DIDN'T HAVE THE TIME +JUST THEN! + + diff --git a/textfiles.com/phreak/PHREAKING/phreak.in1 b/textfiles.com/phreak/PHREAKING/phreak.in1 new file mode 100644 index 00000000..82058275 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phreak.in1 @@ -0,0 +1,201 @@ +THE FOLLOWING PHILE IS FORMATTED +FOR 80-COLUMN UPPER/LOWERCASE +TEXT. + +11/13/88 +Note: if this phile is totally outdated, +DON'T USE IT!!!!!! +Nother Note: Why don't anyone write any more philes? +Yet Nother Note: SysOp of The Farthest Shore, call Toxic Waste and leave mail +to The Xenocide and state who you are. We need to get in touch. + _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ +(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_) +(_) Toxic Waste Phreaking C T W N (_) +(_) (707) 252-1413 by a o a o (_) +(_) 300-9600 HST ____________ l x s w (_) +(_) SysOp: !The Xenocide! l i t ! (_) +(_) The Xenocide ~~~~~~~~~~~~ - c e ! (_) +(_) _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ (_) +(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_) + + + + +Disclamer: This file is written under the first ammendment to the constitution. +It is for informational purposes only. The author is not responsible for any +damages, be they intentional, direct, indirect, or consiquential. 'Nuff said! +Note from author: This phile was written to MAXIMIZE your safety. You can do +the things that I say you probly shouldn't do, but don't say I didn't tell you +so! + This Phile is an attempt to instruct people on the delicate art of +Phreaking. It will probably not tell any old timer's anything, but may be of +use to those who are just learning the art. + + What is Phreaking? Phreaking (pronounced Freaking, as Phone Phreaks all +substitute Ph phor an "F") is getting free calls. How do you do this? There are +many ways. The first and (I think) the easiest are Diverters. + + Diverters are those boxes the gestapo (Phreakese for phone company) +puts in that after so many rings, re-routs the call to a different number. Just +like call forwarding! Only these are MUCH better phor us phreakers! You will +know you have a diverter if when you call, it rings phor about 3 rings, and +then you hear a "CA-THUD" (yes, it really sounds like that!) and then some +fainter ringing. Then some one will answer and you ask if "Guido Sanchez the +Third" is there, and *most* of the time, they will say you've gotten a wrong +number. You must somehow make a click on the line, ((A privacy or mute button +on most phones does this most beutifully!) as most of these answering services +are trained not to hangup untill you do) and then they hang up. You'll hear all +kinds of different clicking and clunking, and then a dial tone. You now are +into the safest way to phreak! You can now dial normally. All the calls will be +traced and billed to that number! Hey! Pretty Phun eh? Just be sure and don't +use the same number too much otherwise you'll get some gestapo at the door in a +week or two! + + Well, it's time for a little talk on how the phone company routes +calles. There is a few different ways, but it all really boils down to crossbar +or ESS. + If you have crossbar, I wish I lived where you do! The way you can tell +if you have ESS or not is call yourself. If it is loud and electronic sounding, +you have ESS. If it is mechanical and low, it is Crossbar. + If you have ESS, don't phret, it's phine to phreak, 'just you gotta B +more careful, B cuz any CIA or whatever guy can punch up on his terminal the +time and number of the call, and for about 1 outta every 100 calls, what it was +about! If your in an ESS area, they listen to calls randomly. ESS can trace +calls back to you even before you dial. And it keeps records of everything you +dial, even the mistakes you make and wrong #'s! Where went our freedom??? If +you have ESS also, don't call 800 #'s too much or 950's. (If you don't know +what an 800 is, STOP READING. A 950-xxxx number is a different phone service, +more on those later) If you do, you'll be placed on an alert list and have +about 1 outta 3 calls intercepted!!!!!(Addendium: I got from a semi-reliable +source that if you got pacific Bell, unless you piss the shit outta some +operator or somethin, they won't help the other companys track you down. Sorta +like getting rid of compition. I guess it's true B cuz this guy just called +about 80 800 numberz. Nothin happen'd, YET) + If you got crossbar, they can't do shit. It costs something like 500 +dollars to run a trace, and listening to a call!!! Forget it! Your home free in +this type of system, except you don't get goodies such as call forwarding or +call waiting. (IE, can't make a cheeze box (more on that later)) + What is another way to get phree phone calls? Well, the second easiest +was is by calling US Sprint, MCI, etc. You can access these numbers by calling +either the local number(if in a major-type city), or by calling a 1-800 number +or a 950 number. A 950 number is when you simply dial "950-xxxx" where xxxx is +the number. 950 numbers are like 800 numbes, free, but are not supported by all +areas. These are just different carriers that you can use to supposedly lower +your phone bill. They run on a magic number type system, which you can get +fairly easily. What is a great machine for dialing the phone and saving the +results? Yep, your old modem and your computer. There are many different +programs around that you can use, and all work pretty well. + To do this, you call a carrier, and try an access code. If it is bad, +the stupid machine recording will say "Invalid Code" or some such BS. Just +hangup and call back. Eventually you'll get a good code. Write it down. Now, +don't use the same code more than twice a week, and use more than one carrier. +Also use more than one code, otherwise the gestapo might get wize. Now, use +this code when your calling Phriends Long Distance, or even just calling BBS's. + PC Pursuit is a service run by telenet or tymnet that allows you to +access any city that it services. It only does 1200 baud, or 2400 in some +areas, but it's pretty good. Modem only tho. There are several bugz in it, and +some sites let you dial anywhere world-wide. Them BBS's in germany are pretty +wild! Xcept buch O queers stop by all the time. Most everyone over there is an +asshole tho... Still pretty neat. To find a node that allows unlimited dialing, +just try dialing them all. At the tyme of this writing, there were 3 or so, 1 +2400 baud and 2 1200. I'm not naming them just in case any PCP gestapo read +this. + PCP has many bugs, and you can really phuck people over by monitering +what they do, stealing passwords, etc. A real Phun thin with PCP is to keep +calling itself with it, and it will eventually tie itself up and when you drop +carrier, the lines won't detect and some phucker from PCP gotta go down and +unplug all the phones. + Telenet is kinda like PCP, but different. They got this new software +that will trace and stuff... Used to be the best thing around, but now a +definite RED ZONE. Tymnet is the same. Stay away. + So you say "I be gett'n all dese philes on boxes and shit..." well, +what the phuck be a box? A box is a little box, or circit, or program (why the +hell do they call them boxes) that allows you to do something cool. Like +getting free phone calls. Or having all incoming calls be phree. Or making +untracible calls. Or using pay-phones free, or changing the traffic signals, or +taking over a TV station, etc. the following is a list of the boxes that I know +of, and what they do. + +Color What should be called What the hell it does +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Blue Phree Calling Program Uses computer generated tones to + drop to the operator lines and place + free calls +Black-Switch Free Incoming Switch Makes incoming calls free if you + flip the switch. Very safe +Black-Button Free Incoming Button When you pick up the phone, you can + hear what they are saying, but the + ringing doesn't stop. Press a button + and it stops the ringing. Can use + special signals. Makes all calls + coming in free, but requires phone + to be dedicated to black boxing. +Beige Box Lineman's Handset Box A true little box that you plug a + phone into and connect the two + alligator clips to the junction box + and use someone else's line. Can be + used for tapping, static-free free + calls, and many others! Acts just + like they have another phone. +Cheese Box Convert to Payphone Inst. Just a set of instructions on how + you can convert your phone into + a pay phone to place untraceable + calls. Needs a red box. +Red Box Free Call tone box A box that generates tones that are + identical to the tones made when + money is dropped into a pay phone. +Chrome Box Signal Changer A great box that allows you to + change the signal lights at an + intersection. VERY, VERY, VERY + VERY SAFE! +Snow Box TV Taker Over The most dangerous box (if used on + open air waves) or one of the safest + boxes (if used in a cable system) + that allows you to take over TV + channels with whatever you want! + The most phun yet! +------------------------------------------------------------------------------ +Here is a small file listing and the boxes they contain + +Filename Boxes Info +~~~~~~~~ ~~~~~ ~~~~ +CHROME.BOX Guess! Good instructions +BLUE.BOX Blue Too much work! Shitty! +BLUE.BOX.INST Blue box instructions Some info, shitty. +RED.BOX Red Pretty good. +CHEESE.BOX Cheese Decent +BEIGE.BOX Beige Great inst, EZ to make +SNOW.BOX Snow Good, parts Xpensive. +PHONE.CIRCUITS Black Button, Hold, Bug detct Great scematics! +BLACK.BOX Black Switch Great.EZ to make! +_____________________________________________________________________________ + +The following is some philes and what they got. + +Phile Info +~~~~~ ~~~~ +EXPLOSIVES Great bombs and shit! +TERRORISM Ditto! +USING.DIVERTERS On diverters and the world they open +HANDBOOK A semi-good into to phreaking (outdated) + +There are many more. Kall up any of the following... +BBS Baud SysOp +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Apple Rebel Board 9600 Apple Rebel (916) 457-0624 +The Farthest Shore 9600 ??????????? (707) 938-2997 + _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ +(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_) +(_) This file is Copyright (C) 1988 by The Xenocide (_) +(_) SysOp's: You may use this file on your BBS, as long as no part (_) +(_) of it it is altered. If there is a new Box/way to phreak (_) +(_) That I did'nt cover, send mail to me on Toxic Waste (_) +(_) ___________ (_) +(_) !Toxic Waste! (_) +(_) 24 hrs ~~~~~~~~~~~ 300-9600 baud (_) +(_) (707) 252-1413 (_) +(_) _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ (_) +(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_) + +Phrack Philes] + \ No newline at end of file diff --git a/textfiles.com/phreak/PHREAKING/phreak.inf b/textfiles.com/phreak/PHREAKING/phreak.inf new file mode 100644 index 00000000..18979c66 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phreak.inf @@ -0,0 +1,366 @@ + + +--------------------------------------- +[CTRL-S PAUSES/SPACE=QUIT] + + R.A.G. T.I.M.E. + THANX TO PIRATES TREK + HOW TO BE A REAL PHREAK + THE WORLD OF CRYTON + [414] 246-3965 + + IN THE PHONE PHREAK SOCIETY THERE ARE CERTAIN VALUES THAT EXIST IN ORDER TO BE +A TRUE PHREAK, THESE ARE BEST SUMMED UP BY THE MAGICIAN: "MANY PEOPLE THINK OF +PHONE PHREAKS AS SLIME, OUT TO RIP OFF BELL FOR ALL SHE IS WORTH. NOTHING +COULD BE FURTHER FROM THE TRUTH! GRANTED, THERE ARE SOME WHO GET THEIR KICKS +BY MAKING FREE CALLS; HOWEVER, THEY ARE NOT TRUE PHONE PHREAKS. REAL PHONE +PHREAKS ARE 'TELECOMMUNICATIONS HOBBYISTS' WHO EXPERIMENT, PLAY WITH AND LEARN +FROM THE PHONE SYSTEM. OCCASIONALY THIS EXPERIMENTING, AND A NEED TO +COMMUNICATE WITH OTHER PHREAKS ( WITH- OUT GOING BROKE), LEADS TO FREE CALLS. +THE FREE CALLS ARE BUT A SMALL SUBSET OF A >TRUE< PHONE PHREAKS ACTIVITIES. + + THE TEN COMMANDMENTS + +REPRINTED FROM TAP ISSUE #86. (TAP, ROOM 603, 147 W 42 STREET, NEW YORK, NY +10036. SEND A SASE FOR THEIR INFO SHEET "WHAT THE HELL IS TAP?" AND TELL THEM +THAT BIOC AGENT 003 TOLD YOU ABOUT IT.) + + THE PHONE PHREAK'S TEN COMMANDMENTS + + I. BOX THOU NOT OVER THINE HOME TELEPHONE WIRES, FOR THOSE WHO DOEST MUST + SURELY BRING THE WRATH OF THE CHIEF SPECIAL AGENT DOWN UPON THY HEADS. + + II. SPEAKEST THOU NOT OF IMPORTANT MATTERS OVER THINE HOME TEL- EPHONE + WIRES, FOR TO DO SO IS TO RISK THINE RIGHT OF FREEDOM. + + III. USE NOT THINE OWN NAME WHEN SPEAKING TO OTHER PHREAKS, FOR THAT EVERY + THIRD PHREAK IS AN FBI AGENT IS WELL KNOWN. + + IV. LET NOT OVERLY MANY PEOPLE KNOW THAT THY BE A PHREAK, AS TO DO SO IS TO + USE THINE OWN SELF AS A SACRIFICIAL LAMB. + + V. IF THOU BE IN SCHOOL, STRIVE TO GET THIN SELF GOOD GRADES, FOR THE + AUTHORITIES WELL KNOW THAT SCHOLARS NEVER BREAK THE LAW. + + VI. IF THOU WORKEST, TRY TO BE A EMPLOYEE, AND IMPRESSEST THINE BOSS WITH + THINE ENTHUSIASM, FOR IMPORTANT EMPLOYEES ARE OFTEN SAVED BY THEIR OWN + BOSSES. + + VII. STOREST THOU NOT THINE STOLEN GOODES IN THINE OWN HOME, FOR THOSE WHO DO + ARE SURELY NON-BELIEVERS IN THE BELL SYSTEM SECURITY FORCES, AND ARE NOT + LONG FOR THIS WORLD. + +VIII. ATTRACTEST THOU NOT THE ATT- ENTION OF THE AUTHORITIES, AS THE LESS + NOTICABLE THOU ART, THE BETTER. + + IX. MAKEST SURE THINE FRIENDS ARE INSTANT AMNESIACS AND WILL NOT REMEMBER + THAT THOU HAVE CALLED ILLEGALLY, FOR THEIR COOPERATION WITH THE + AUTHORITIES WILL SURELY LESSEN THINE TIME FOR FREEDOM ON THIS EARTH. + + X. SUPPORTEST THOU TAP, AS IT IS THINE NEWSLETTER, AND WITHOUT IT, THY WORK + WILL BE FAR MORE LIMITED. + + CN/A NUMBERS + + CUSTOMER NAME & ADDRESS BUREAUS EXIST SO THAT AUTHORIZED BELL EMPLOYEES MAY +OBTAIN THE NAME & ADDRESS OF ANY CUSTOMER IN THE BELL SYSTEM BY GIVING THE CN/A +OPERATOR THE CUSTOMER'S TEL. # ALL CUSTOMERS ARE MAINTAINED ON FILE INCLUDING +UNLISTED #'S. THESE BUREAUS HAVE MANY USES FOR PHREAKS. + +HERE IS HOW AN EMPLOYEE MIGHT GO ABOUT CALLING CN/A: +"HI, THIS IS JOHN DOE FROM THE MIAMI RESIDENTAL SERVICE CENTER, CAN I HAVE THE +CUSTOMERS NAME AT (123) 555-1212." THE EMPLOYEES USUALLY USE THESE FOR CHECKING +WHO BELONGS TO A # THAT SOMEONE CLAIMED THEY DIDN'T CALL. + +IF YOU SOUND CHEERY AND NATURAL THE OPERATOR WILL NEVER ASK ANY QUESTIONS. IF +YOU DON'T SOUND LIKE A MATURE ADULT, DON'T USE IT! ALWAYS PRACTICE FIRST & SO +YOU DON'T SCREW UP AND MAKE THE OPERATOR SUSPICIOUS. USE NAME THAT SOUNDS +REAL, NOT YOUR PIRATE NAME EITHER! ALSO SAY THAT YOU ARE FRO A CITY THAT IS +FAR AWAY FROM THE ONE THAT YOU ARE CALLING. + +THE CN/A NUMBER FOR THE NY AREA & VICINITY (212, 315, 516, 518, 607, 716, & +914) IS>>>>>>>>>(518) 471-8111<<<<<< AND IS OPEN DURING BUSINESS HOURS. + [DON'T ABUSE IT!] + + AT&T NEWSLINES + + AT&T NEWSLINES ARE NUMBERS AT AREA PHONE OFFICES THAT TELCO EMPLOYEES CALL TO +FIND OUT THE LATEST INFO ON NEW TECHNOLOGY, STOCKS, ETC. THE RECORDED REPORTS +RANGE FROM VERY BORING TO VERY INTERESTING. + +HERE ARE A FEW OF THE NUMBERS: + *(201) 483-3800 NJ (518) 471-2272 NY + (203) 771-4920 CN (717) 255-5555 PA + (212) 393-2151 NY (717) 787-1031 PA + (516) 234-9941 NY *(914) 948-8100 NY + +SOME OF THESE NUMBERS ARE TOLL-FREE, BUT YOU CAN'T ALWAYS COUNT ON IT. + +* THESE NUMBERS ARE NOT ALWAYS UP! + +NUMBERS FROM OTHER AREAS ARE AVAILABLE BY REQUEST FROM F)BIOC L)AGENT 003. + + ANI NUMBERS + + ANI NUMBERS IDENTIFY THE PHONE NUMBER THAT YOU ARE CALLING FROM. IT IS USEFUL +WHEN PLAYING IN CANS (THOSE BIG SILVER BOXES ON TELEPHONE POLES) TO FIND OUT +THE # OF THE LINE. IT IS ALSO GOOD TO FIND OUT THE # OF A PHONE THAT DOESN'T +HAVE IT PRINTED ON IT. IN THE 914 AREA CODE THE ANI # IS 990. IF YOU JUST +HAVE TO DIAL THE LAST 4 DIGITS FOR A LOCAL #, IE CONGERS (268), DIAL +1-990-1111, WHERE 1111 ARE DUMMY DIGITS THERE IS ALSO A LESS USEFUL TYPE OF ANI +# WHICH WILL IDENTIFY THE AREA CODE & EXCHANGE. IT IS NXX-9901, WÈERE NXX IS +THE EXCHANGE. IN THE 212 & 516 AREA CODES THE ANI # ÉS 958. + + PHREAK NEWSLETTER + + TAP IS THE "OFFICIAL" PHONE PHREAK NEWSLETTER, AND HAS EXISTED SINCE 1971. +EACH 4 PAGE ISSUE IS CRAMMED FULL OF INFORMATION ON PHONE PHREAKING, COMPUTER +PHREAKING, FREE GAS, FREE ELECTRICITY, FREE POSTAGE, BREAKING & ENTERING INFO, +ETC. IT IS LARGELY PHONE PHREAK ORIENTED, HOWEVER. + + A 10 ISSUE SUBSCRIPTION COSTS $8.00, IF YOU GET A BULK RATE SEALED ENVELOPE +SUBSCRIPTION. I WOULD RECOMMEND THE FIRST CLASS SUBSCRIPTION, WHICH IS $10. + + AS OF THIS WRITING (7-16-83), THE CURRENT ISSUE IS #86, AND ISSUE #50 IS 8 +PAGES INSTEAD OF THE USUAL 4. BACK ISSUES ARE $0.75 EACH, AND ISSUE #50 IS +$1.50. A BRIEF INDEX TO THE FIRST 80 ISSUES IS AVAILABLE FOR A SASE, OR FREE +WITH A SUBSCRIPTION ORDER. TAP IS NON-PROFIT, AND IN DESPERATE NEED OF +MATERIAL (ARTICLES), MONEY, AND VOLUNTEERS. + + TAP + ROOM 603 + 147 WEST 42ND STREET + NEW YORK, NY 10036 + +BELIEVE ME: IT WILL BE THE BEST $10 YOU WILL EVER SPEND... + + BLACK BOX + + THE BLACK BOX IS A DEVICE THAT ATTACHED TO A CALLED PARTIES PHONE THAT +ALLOWS HIM/HER TO RECEIVE FREE LONG DISTANCE CALLS FROM FRIENDS WHO CALL. + + YOU ONLY NEED 2 PARTS: A SPST TOGGLE SWITCH AND A 10,000 OHM (10 K), +1/2 WATT, 10% RESISTOR. ANY ELECTRONICS PLACE SHOULD HAVE THESE. + + NOW, CUT TWO PIECES OF WIRE, ABOUT 6 INCHES, AND ATTACH THESE TO THE +TWO SCREWS ON THE SWITCH. TURN YOUR NORMAL DDSIDE DOWN AND UNSCREW THE 2 +SCREWS. LOCATE THE "F" AND "RR" SCREWS ON THE NETWORK BOX. WRAP THE +RESISTOR BETWEEN THESE 2 SCREWS AND MAKE SURE THAT THE WIRES TOUCH ONLY THE +PROPER TERMINALS! NOW CONNECT ONE WIRE FROM THE SWITCH TO THE RR TERMINAL. +FINALLY, ATTACH THE REMAINING WIRE TO THE GREEN WIRE (DISCONNECT IT FROM ITS +TERMINAL). NOW BRING THE SWITCH OUT THE REAR OF THE PHONE AND CLOSE IT UP. +PUT THE SWITCH IN A POSITÉON WHERE YOU GET A DIAL TONE, MARK THIS NORMAL. +MARK THE OTHEÒ SIDE FREE. + + WHEN YOUR FRIENDS CALL (AT A PREARRANGED TIME), QUICKLY LIFT & DROP THE +RECEIVER AS FAST AS POSSIBLE. THIS WILL STOP THE RINGING, IF NOT TRY AGAIN. IT +IS VERY IMPORTANT THAT YOU DO IT FAST! NOW PUT THE SWITCH IN THE FREE POSITION +AND PICK UP THE PHONE. KEEP ALL CALLS SHORT & UNDER 15 MINUTES. WHEN SOMEONE +CALLS YOU LONG-DISTANCE, THEY ARE BILLED FROM THE MOMENT YOU ANSWER. THE TELCO +KNOWS WHEN YOU ANSWER DUE TO A CERTAIN AMOUNT OF VOLTAGE THAT FLOWS WHEN YOU +PICK UP THE PHONE. HOWEVER, THE RESISTOR CUTS DOWN ON THE VOLTAGE SO IT IS +BELOW THE BILLING RANGE BUT SUFFICIENT ENOUGH TO OPERATE THE MOUTHPIECE. +ANSWERING THE PHONE FOR A FRACTION OF A SECOND STOPS THE RING BUT IT IS NOT +ENOUGH FOR BILLING TO START. IF THE PHONE IS ANSWERED FOR EVEN ONE FULL SECOND, +BILLING WILL START AND YOU WILL BE CUT OFF WHEN YOU HANG UP AND SWITCH TO FREE. + +WARNING: BELL CAN RANDOMLY LOOK FOR BLACK BOXES SO BE CAREFUL! + +--------------------------------------- +: : +***BLUE WIRE**>>F< : +: * * : +**WHITE WIRE**** * : +: * : +: RESISTOR : +: * : +: * : +: >RR<*******SWITCH*** : +: * : +****GREEN WIRE********************* : +: : +--------------------------------------- + + DIAL LOCKS + + HAVE YOU EVER BEEN IN AN OFFICE OR SOMEWHERE AND WANTED TO MAKE A FREE FONE +CALL BUT SOME ASSHOLE PUT A LOCK ON THE FONE TO PREVENT OUT-GOING CALLS? + +FRET NO MORE PHELLOW PHREAKS, FOR EVERY SYSTEM CAN BE BEATEN WITH A LITTLE +KNOWLEDGE! + +THERE ARE TWO WAYS TO BEAT THIS OBSTACLE, FIRST PICK THE LOCK, I DON'T HAVE THE +TIME TO TEACH LOCKSMITHING SO WE GO TO THE SECOND METHOD WHICH TAKES ADVANTAGE +OF TELEPHONE ELECTRONICS. + +TO BE AS SIMPLE AS POSSIBLE, WHEN YOU PICK UP THE FONE YOU COMPLETE A CIRCUIT +KNOW AS A LOCAL LOOP. WHEN YOU HANG-UP YOU BREAK THE CIRCUIT. WHEN YOU DIAL +(PULSE) IT ALSO BREAKS THE CIRCUT BUT NOT LONG ENOUGH TO HANG UP! SO YOU CAN +"PUSH-DIAL." TO DO THIS YOU >RAPIDLY< DEPRESS THE SWITCHHOOK. FOR EXAMPLE, TO +DIAL AN OPERATOR (AND THEN GIVE HER THE NUMBER YOU WANT CALLED) >RAPIDLY< & +>EVENLY< DEPRESS THE SWITCHHOOK 10 TIMES. TO DIAL 634-1268, DEPRESS 6 X'S +PAUSE, THEN 3 X'S, PAUSE, THEN 4 X'S, ETC. IT TAKES A LITTLE ÐRACTICE BUT +YOU'LL GET THE HANG OF IT. TRY PRACTICING WITH YOUR OWN # SO YOU'LL GET A BUSY +TONE WHÅN RIGHT. IT'LL ALSO WORK ON TOUCH-TONE(TM) SINCE A DTMF LINE WILL ALSO +ACCEPT PULSE. ALSO, NEVER DEPRESS THE SWITCHHOOK FOR MORE THAN A SECOND OR +IT'LL HANG-UP! + +FINALLY, REMEMBER THAT YOU HAVE JUST AS MUCH RIGHT TO THAT FONE AS THE ASSHOLE +WHO PUT THE LOCK ON IT! + + EXCHANGE SCANNING + +ALMOST EVERY EXCHANGE IN THE BELL SYSTEM HAS TEST #'S AND OTHER "GOODIES" SUCH +AS LOOPS WITH DIAL-UPS. + +THESE "GOODIES" ARE USUALLY FOUND BETWEEN 9900 AND 9999 IN YOUR LOCAL EXCHANGE. +IF YOU HAVE THE TIME AND INITIATIVE, SCAN YÏUR EXCHANGE AND YOU MAY BECOME +LUCKY! + +HERE AÒE MY FINDINGS IN THE 914-268 EXCHANGE: + +9900 - ANI (SEE SEPARATE BULLETIN) +9901 - ANI (SEE SEPARATE BULLETIN) +9927 - OSC. TONE (POSSIBLE TONE SIDE OF A LOOP) +9936 - VOICE # TO THE TELCO CENTRAL OFFICE +9937 - VOICE # TO THE TELCO CENTRAL OFFICE +9941 - COMPUTER (DIGITAL VOICE TRANSMISSION?) +9960 - OSC. TONE (TONE SIDE LOOP) -- MAY ALSO BE A COMPUTER IN SOME EXCHANGES +9961 - NO RESPONSE (OTHER END OF LOOP?) +9962 - NO RESPONSE (OTHER END OF LOOP?) +9963 - NO RESPONSE (OTHER END OF LOOP?) +9966 - COMPUTER (SEE 9941) +9968 - TONE THAT DISAPPEARS--RESPONDS TO CERTAIN TOUCH-TONE KEYS + +MOST OF THE NUMBERS BETWEEN 9900 & 9999 WILL RING OR GO TO A "WHAT #, PLEASE?" +OPERATOR. + +HAVE PHUN AND REMEMBER IT'S ONLY A LOCAL CALL! + + TOUCH-TONE & FREE CALLS + +THERE ARE SEVERAL WAYS TO MAKE FREE CALLS (SPRINT, MCI, ETC.) USING A ROTARY +PHONE. THEY ARE: + + 1. USE A NUMBER THAT ACCEPTS VOICE AS WELL AS DTMF. SUCH A # IS (800) + 521-8400. AS OF WRITING THIS, A CODE WAS 57617895. + A) IF USING VOICE, WAIT FOR THE COMPUTER TO SAY, "AUTHORIZATION #, + PLEASE." THEN SAY EACH DIGIT SLOWLY, IT WILL BEEP AFTER EACH DIGIT IS + SAID. AFTER EVERY GROUP OF DIGITS, IT WILL REPEAT WHAT YOU HAVE SAID, + THEN SAY YES IF IT IS CORRECT, OTHERWISE SAY NO. IF THE ACCESS CODE IS + CORRECT, IT WILL THANK YOU AND ASK FOR THE DESTINATION #, THEN SAY THE + AREA CODE + NUMBER AS ABOVE. ANOTHER SUCH # IS (800) 245- 8173, WHICH + HAS A 6 DIGIT ACCESS CODE. (NOTE: IF USING TOUCH-TONE ON THIS #, ENTER + THE CODE IMMEDIATELY AFTER THE TONE STOPS.) + + 2. HOOK UP A TOUCH-TONE FONE INTO YOUR ROTARY FONE. ATTACH THE RED WIRE FROM + THE TOUCH-TONE FONE TO THE "R" TERMINAL INSIDE THE FONE ON THE NETWORK + BOX. THEN HOOK THE GREEN WIRE TO THE "B" TERMINAL. TO USE THIS DIAL THE # + USING ROTARY & THEN USE THE TOUCH-TONE FOR THE CODES. (DON'T HANG UP THE + ROTARY FONE WHILE DOING THIS THOUGH!) IF THIS DOESN'T WORK THEN REVERSE + THE 2 WIRES. (NOTE: IF YOUR LINE CAN ACCEPT TOUCH-TONE BUT YOU HAVE A + ROTARY FONE THEN YOU CAN HOOK UP A TONE FONE DIRECTLY FOR ALL CALLS BUT + THIS USUALLY ISN'T THE CASE.) SUCH AS RADIO SHACK'S 43-138. + +OTHER ALTERNATIVES + + 4. USE A ÃHARGE-A-CALL FONE. (THESE ALSO MAKE GREAT EXTENTIONS IF YOU REMOVE + IT USING Á HEX WRENCH WITH A HOLE IN THE MIDDLE ON THE CENTER SCREW! + THESE FONES FOR THE BENEFIT OF THOSE WHO DON'T KNOW ARE BLUE WITH NO COIN + SLOTS) + + 5. USE A PAY FONE THAT WANTS YOUR MONEY BEFORE THE DIAL TONE. PUT IN YOUR + DIME, DIAL THE #; IF IT'S AN 800 # THEN YOUR DIME WILL COME BACK, + IMMEDIATELY PUT A DIME BACK IN (IT'LL COME BACK WHEN YOU HANG UP!) IF IT + IS A TONE FIRST FONE AND IT DISCONNECTS THE KEYPAD (SOME DON'T) THEN FIND + ANOTHER FONE. + + TELCO TRACING + +THE GOOD 'OL DAYS: +------------------ + +WAY BACK BEFORE I WAS A PHREAK, MA BELL WOULD HAVE TO MANUALLY TRACE A CALL IF +THEY THOUGH SOMETHING WAS FUCKED UP. FIRST THEY WOULD SEND A 2000 HZ TRACING +TONE, THE WOULD BE FOLLOWED B ALOT OF NOISE AND CLICKS. IT TOOK ABOUT 2-3 +MINUTES TO TRACE A CALL AND ALOT OF PEOPLE WERE INVOLVED IN THE PROCESS. SO AT +1 IN THE MORNING THEY WOULD HAVE TO WAKE UP PEOPLE FOT THE TRACEES (PHREAK +JARGON FOR A PAY FONE). BUT NEVER USE THE SAME ONE MORE THAN ONCE OR TWICE +BECAUSE THE GESTAPO(ER..EXCUSE ME MEAN BELL SECURITY) HAS BEEN KNOW FOR STAKING +OUT TROUBLED FORTRESSES. IT'S ALSO POSSIBLE FOR TRAVELNET OR SP TO ASK FOR A +TROUBLE # BUT THE TELCO IS SLOW IN PROCESSING STUFF--ESPECIALLY FOR THE +COMPETITION--SO DON'T FRET PHELLOW PHREAKS. + +MODERN TECHNOLOGY: +------------------ +THIS CAN BE ATTRIBUTED TO ESS + CCIS WHICH CAN BE TRACED IN 1 SECOND. + + MISCELLANEOUS STUFF + +HERE ARE A PHEW (PUSHING IT ON THAT WORD) BITS OF INFO ON TELEPHONE ELEC- +TRONICS. IF YOU DON'T APPRECIATE IT THEN I SAY PHUCK U. + +VOLTAGES: + +WHEN YOUR FONE IS ON-HOOK (IE-HUNG UP) THERE IS A 48 VOLT DC CURRENT FLOWING +THROUGH THE LINE ( I HAVE A GREAT IDEA ABOUT HOOKING A BATTERY CHARGER UP TO MY +FONE ). WHEN THE FONE IS OFF-HOOK THE VOLTAGE DROPS DOWN TO AROUND 15VDC. THE +BLACK BOX (SEE SEPARATE ARTICLES) EXPLOITS THIS FOR FREE CALLS SINCE BELL USES +THIS VOLTAGE DROP WHEN THE CALLED PARTY PICKS UP TO START BILLING. BELL MAY +ALSO REVERSE THE POLARITY OF THE LINE TO START BILLING--IF YOU HAVE A TONE FONE +THE KEYPAD WON'T WORK IF THE POLARITY IS REVERSED. USUALLY, THE RED WIRE IS +CALLED THE TIP SINCE IT IS THE MORE (+) OF THE 2 WIRES + THE GREEN WIRE IS +CALLED THE RING (-). + +RING TRIP: + +WHEN SOMEONE CALLS YOU BELL HAS TO SEND 90 VOLTS AC DOWN YOUR LINE AT ABOUT 60 +HZ TO ACTIVATE YOUR BGLL (THIS IS WHY DEAF PEOPLE CAN HAVE LIGHT BULBS FANS GO +OFF INSTEAD OF A BELL). THE DEVICE THAT DOES THE RINGING IS CALLED A RINGING +GENERATOR ANDTH PROCESS OF RINGING IS CALLED A RING TRIP. THIS COSTS BELL +MONEY AND THEY DON'T LIKE USING ALL THAT ELECTRICITY FROM THE LOCAL RIP-OFF +POWER COMPANY- SO LET IT RING. THIS IS ALSO, HOW BELL CAN CHECK FOR EXTRA +FONES FROM THEIR CENTRAL OFFICE BY SEEING HOW MUCH VOLTAGE THE LINE TAKES WHILE +RINGING AND THEY CAN TELL HOW MANY FONES YOUR NOT SUPPOSE TO HAVE. SOLUTION: +DISCONNECT THE BELL. + +MODERN TECHNOLOGY: +------------------ + +THE 2 WORST ENEMIES TO THE PHREAK BESIDES THE FBI + BELL SECURITY,ARE: ESS + +CCIS. ESS STANDS FOR ELECTRONIC SWITHCING SYSTEM AND IT CAN TRACE A CALL IN +SECONDS, IT ALSO RECORDS ALL CALLS AND CAN EVEN TAP INTO LINES (ER.. I MEAN +CHECK FOR LINE QUALITY) AND RECORD CALLS. CCIS STANDS FOR COMMON CHANNEL +INTER-OFFICE SIGNALING AND IT ALLOWS FOR CONTROL SIGNALS TO BE SENT VIA +SEPARATE DATA LINKS INSTEAD OF TONES OVER THE VOICE CHANNEL--START KISSING YOUR +BLUE BOX GOODBYE. + + + +SOURCES: +-------- + +FOR THOSE OF YOU WHO WANT TO GO MORE IN-DEPTH ON THE SUBJECT OF SHIT, I +RECOMMEND THE FOLLOWING READINÇ MATERIAL: + + 1) ELECTRONICS COURCES A-B, TAP, ROOÍ 603, 147 W. 42 ST., NY, NY 10036. @ 75 + CENTS EA. + + 2) UNDERSTANDING TELEPHONE ELECT.'S, TEXAS INSTRUMENTS, RADIO SHACK MAY HAVE + IT. + + 3) A MULTITESTER + YOUR FONE FOR YOUR OWN EXPERIMENTING. + + 4) MISC. INFO FROM SEVERAL SOURCES MAKE FRIENDS + GET YOUR OWN CONNECTIONS. + + +*****BIOC AGENT 003 +*****PHREAK ADVISOR OF PIRATE TREK + *914-634-1268 + THANKS TO PIRATES TREK !! + + + +--------------------------------------- + +ENTER (1-31, M=MENU, Q=QUIT) : diff --git a/textfiles.com/phreak/PHREAKING/phreak.phk b/textfiles.com/phreak/PHREAKING/phreak.phk new file mode 100644 index 00000000..3c430a80 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phreak.phk @@ -0,0 +1,336 @@ + + R.A.G. T.I.M.E. + THANX TO PIRATES TREK + HOW TO BE A REAL PHREAK + + THE WORLD OF CRYTON [414] 246-3965 + +IN THE PHONE PHREAK SOCIETY THERE ARE CERTAIN VALUES THAT EXIST IN ORDER TO BE +A TRUE PHREAK, THESE ARE BEST SUMMED UP BY THE MAGICIAN: "MANY PEOPLE THINK OF +PHONE PHREAKS AS SLIME, OUT TO RIP OFF BELL FOR ALL SHE IS WORTH. NOTHING +COULD BE FURTHER FROM THE TRUTH! GRANTED, THERE ARE SOME WHO GET THEIR KICKS +BY MAKING FREE CALLS; HOWEVER, THEY ARE NOT TRUE PHONE PHREAKS. REAL PHONE +PHREAKS ARE 'TELECOMMUNICATIONS HOBBYISTS' WHO EXPERIMENT, PLAY WITH AND LEARN +FROM THE PHONE SYSTEM. OCCASIONALY THIS EXPERIMENTING, AND A NEED TO +COMMUNICATE WITH OTHER PHREAKS ( WITHOUT GOING BROKE), LEADS TO FREE CALLS. +THE FREE CALLS ARE BUT A SMALL SUBSET OF A >TRUE< PHONE PHREAKS ACTIVITIES. + + + + THE TEN COMMANDMENTS + + + THE PHONE PHREAK'S TEN COMMANDMENTS + +I. BOX THOU NOT OVER THINE HOME TELEPHONE WIRES, FOR THOSE WHO DOEST MUST +SURELY BRING THE WRATH OF THE CHIEF SPECIAL AGENT DOWN UPON THY HEADS. + +II. SPEAKEST THOU NOT OF IMPORTANT MATTERS OVER THINE HOME TELEPHONE WIRES, +FOR TO DO SO IS TO RISK THINE RIGHT OF FREEDOM. + +III. USE NOT THINE OWN NAME WHEN SPEAKING TO OTHER PHREAKS, FOR THAT EVERY +THIRD PHREAK IS AN FBI AGENT IS WELL KNOWN. + +IV. LET NOT OVERLY MANY PEOPLE KNOW THAT THY BE A PHREAK, AS TO DO SO IS TO +USE THINE OWN SELF AS A SACRIFICIAL LAMB. + +V. IF THOU BE IN SCHOOL, STRIVE TO GET THIN SELF GOOD GRADES, FOR THE +AUTHORITIES WELL KNOW THAT SCHOLARS NEVER BREAK THE LAW. + +VI. IF THOU WORKEST, TRY TO BE A EMPLOYEE, AND IMPRESSEST THINE BOSS WITH +THINE ENTHUSIASM, FOR IMPORTANT EMPLOYEES ARE OFTEN SAVED BY THEIR OWN BOSSES. + +VII. STOREST THOU NOT THINE STOLEN GOODES IN THINE OWN HOME, FOR THOSE WHO DO +ARE SURELY NON-BELIEVERS IN THE BELL SYSTEM SECURITY FORCES, AND ARE NOT LONG +FOR THIS WORLD. + +VIII. ATTRACTEST THOU NOT THE ATTENTION OF THE AUTHORITIES, AS THE LESS +NOTICABLE THOU ART, THE BETTER. + +IX. MAKEST SURE THINE FRIENDS ARE IN STANT AMNESIACS AND WILL NOT REMEMBER +THAT THOU HAVE CALLED (ILLEGALLY), FOR THEIR COOPERATION WITH THE AUTHORITIES +WILL SURELY LESSEN THINE TIME FOR FREEDOM ON THIS EARTH. + +X. SUPPORTEST THOU TAP, AS IT IS TH INE NEWSLETTER, AND WITHOUT IT, THY WORK +WILL BE FAR MORE LIMITED. + + + CN/A NUMBERS + +CUSTOMER NAME & ADDRESS BUREAUS EXIST SO THAT AUTHORIZED BELL EMPLOYEES MAY +OBTAIN THE NAME & ADDRESS OF ANY CUSTOMER IN THE BELL SYSTEM BY GIVING THE +CN/A OPERATOR THE CUSTOMER'S TEL. # ALL CUSTOMERS ARE MAINTAINED ON FILE +INCLUDING UNLISTED #'S. THESE BUREAUS HAVE MANY USES FOR PHREAKS. + +HERE IS HOW AN EMPLOYEE MIGHT GO ABOUT CALLING CN/A: "HI, THIS IS JOHN DOE +FROM THE MIAMI RESIDENTAL SERVICE CENTER, CAN I HAVE THE CUSTOMERS NAME AT +(123) 555-1212." THE EMPLOYEES USUALLY USE THESE FOR CHECKING WHO BELONGS TO A +# THAT SOMEONE CLAIMED THEY DIDN'T CALL. + +IF YOU SOUND CHEERY AND NATURAL THE OPERATOR WILL NEVER ASK ANY QUESTIONS. IF +YOU DON'T SOUND LIKE A MATURE ADULT, DON'T USE IT! ALWAYS PRACTICE FIRST & SO +YOU DON'T SCREW UP AND MAKE THE OPERATOR SUSPICIOUS. USE NAME THAT SOUNDS +REAL, NOT YOUR PIRATE NAME EITHER! ALSO SAY THAT YOU ARE FRO A CITY THAT IS +FAR AWAY FROM THE ONE THAT YOU ARE CALLING. + +THE CN/A NUMBER FOR THE NY AREA & VICINTY (212, 315, 516, 518, 607, 716, & +914) IS>>>>>>>>>(518) 471-8111<<<<<< AND IS OPEN DURING BUSINESS HOURS. +[DON'T A BUSE IT!] + + + AT&T NEWSLINES + +AT&T NEWSLINES ARE NUMBERS AT AREA PHONE OFFICES THAT TELCO EMPLOYEES CALL TO +FIND OUT THE LATEST INFO ON NEW TECHNOLOGY, STOCKS, ETC. THE RECORDED REPORTS +RANGE FROM VERY BORING TO VERY INTERESTING. + +HERE ARE A FEW OF THE NUMBERS: +*(201) 483-3800 NJ (518) 471-2272 NY (203) 771-4920 CN (717) 255-5555 PA + (212) 393-2151 NY (717) 787-1031 PA (516) 234-9941 NY *(914) 948-8100 NY + +SOME OF THESE NUMBERS ARE TOLL-FREE, BUT YOU CAN'T ALWAYS COUNT ON IT. + +* THESE NUMBERS ARE NOT ALWAYS UP! + +NUMBERS FROM OTHER AREAS ARE AVAILABLE BY REQUEST FROM F)BIOC L)AGENT 003. + + + ANI NUMBERS + +ANI NUMBERS IDENTIFY THE PHONE NUMBER THAT YOU ARE CALLING FROM. IT IS USEFUL +WHEN PLAYING IN CANS (THOSE BIG SILVER BOXES ON TELEPHONE POLES) TO FIND OUT +THE # OF THE LINE. IT IS ALSO GOOD TO FIND OUT THE # OF A PHONE THAT DOESN'T +HAVE IT PRINTED ON IT. IN THE 914 AREA CODE THE ANI # IS 990. IF YOU JUST +HAVE TO DIAL THE LAST 4 DIGITS FOR A LOCAL #, IE CONGERS (268), DIAL +1-990-1111, WHERE 1111 ARE DUMMY DIGITS THERE IS ALSO A LESS USEFUL TYPE OF ANI +# WHICH WILL IDENTIFY THE AREA CODE & EXCHANGE. IT IS NXX-9901, WHERE NXX IS +THE EXCHANGE. IN THE 212 & 516 AREA CODES THE ANI # IS 958. + + + BLACK BOXING + +THE BLACK BOX IS A DEVICE THAT ATTACHED TO A CALLED PARTIES PHONE THAT ALLOWS +HIM/HER TO RECEIVE FREE LONG DISTANCE CALLS FROM FRIENDS WHO CALL. + +YOU ONLY NEED 2 PARTS: A SPST TOGGLE SWITCH AND A 10,000 OHM (10 K), 1/2 +WATT, 10% RESISTOR. ANY ELECTRONICS PLACE SHOULD HAVE THESE. + +NOW, CUT TWO PIECES OF WIRE, ABOUT 6 INCHES, AND ATTACH THESE TO THE TWO SCREWS +ON THE SWITCH. TURN YOUR NORMAL DDSIDE DOWN AND UNSCREW THE 2 SCREWS. LOCATE +THE "F" AND "RR" SCREWS ON THE NETWORK BOX. WRAP THE RESISTOR BETWEEN THESE 2 +SCREWS AND MAKE SURE THAT THE WIRES TOUCH ONLY THE PROPER TERMINALS! NOW +CONNECT ONE WIRE FROM THE SWITCH TO THE RR TERMINAL. FINALLY, ATTACH THE +REMAINING WIRE TO THE GREEN WIRE (DISCONNECT IT FROM ITS TERMINAL). NOW BRING +THE SWITCH OUT THE REAR OF THE PHONE AND CLOSE IT UP. PUT THE SWITCH IN A +POSITION WHERE YOU GET A DIAL TONE, MARK THIS NORMAL. MARK THE OTHER SIDE +FREE. + +WHEN YOUR FRIENDS CALL (AT A PREARRANGED TIME), QUICKLY LIFT & DROP THE +RECEIVER AS FAST AS POSSIBLE. THIS WILL STOP THE RINGING, IF NOT TRY AGAIN. +IT IS VERY IMPORTANT THAT YOU DO IT FAST! NOW PUT THE SWITCH IN THE FREE +POSITION AND PICK UP THE PHONE. KEEP ALL CALLS SHORT & UNDER 15 MINUTES. +WHEN SOMEONE CALLS YOU LONG-DISTANCE, THEY ARE BILLED FROM THE MOMENT YOU +ANSWER. THE TELCO KNOWS WHEN YOU ANSWER DUE TO A CERTAIN AMOUNT OF VOLTAGE +THAT FLOWS WHEN YOU PICK UP THE PHONE. HOWEVER, THE RESISTOR CUTS DOWN ON THE +VOLTAGE SO IT IS BELOW THE BILLING RANGE BUT SUFFICIENT ENOUGH TO OPERATE THE +MOUTHPIECE. ANSWERING THE PHONE FOR A FRACTION OF A SECOND STOPS THE RING BUT +IT IS NOT ENOUGH FOR BILLING TO START. IF THE PHONE IS ANSWERED FOR EVEN ONE +FULL SECOND, BILLING WILL START AND YOU WILL BE CUT OFF WHEN YOU HANG UP AND +SWITCH TO FREE. + +WARNING: BELL CAN RANDOMLY LOOK FOR BLACK BOXES SO BE CAREFUL! + +--------------------------------------- +: : +***BLUE WIRE**>>F< : +: * * : +**WHITE WIRE**** * : +: * : +: RESISTOR : +: * : +: * : +: >RR<*******SWITCH*** : +: * : +****GREEN WIRE********************* : +: : +--------------------------------------- + + + DIAL LOCKS + +HAVE YOU EVER BEEN IN AN OFFICE OR SOMEWHERE AND WANTED TO MAKE A FREE FONE +CALL BUT SOME ASSHOLE PUT A LOCK ON THE FONE TO PREVENT OUT-GOING CALLS? + +FRET NO MORE PHELLOW PHREAKS, FOR EVERY SYSTEM CAN BE BEATEN WITH A LITTLE +KNOWLEDGE! + +THERE ARE TWO WAYS TO BEAT THIS OBSTACLE, FIRST PICK THE LOCK, I DON'T HAVE +THE TIME TO TEACH LOCKSMITHING SO WE GOTO THE SECOND METHOD WHICH TAKES +ADVANTAGE OF TELEPHONE ELECTRONICS. + +TO BE AS SIMPLE AS POSSIBLE, WHEN YOU PICK UP THE FONE YOU COMPLETE A CIRCUIT +KNOW AS A LOCAL LOOP. WHEN YOU HANG-UP YOU BREAK THE CIRCUIT. WHEN YOU DIAL +(PULSE) IT ALSO BREAKS THE CIRCUT BUT NOT LONG ENOUGH TO HANG UP! SO YOU CAN +"PUSH-DIAL." TO DO THIS YOU >RAPIDLY< DEPRESS THE SWITCHHOOK. FOR EXAMPLE, TO +DIAL AN OPERATOR (AND THEN GIVE HER THE NUMBER YOU WANT CALLED) >RAPIDLY< & +>EVENLY< DEPRESS THE SWITCHHOOK 10 TIMES. TO DIAL 634-1268, DEPRESS 6 X'S +PAUSE, THEN 3 X'S, PAUSE, THEN 4 X'S, ETC. IT TAKES A LITTLE PRACTICE BUT +YOU'LL GET THE HANG OF IT. TRY PRACTICING WITH YOUR OWN # SO YOU'LL GET A BUSY +TONE WHEN RIGHT. IT'LL ALSO WORK ON TOUCH-TONE(TM) SINCE A DTMF LINE WILL ALSO +ACCEPT PULSE. ALSO, NEVER DEPRESS THE SWITCHHOOK FOR MORE THAN A SECOND OR +IT'LL HANG-UP! + +FINALLY, REMEMBER THAT YOU HAVE JUST AS MUCH RIGHT TO THAT FONE AS THE ASSHOLE +WHO PUT THE LOCK ON IT! + + + EXCHANGE SCANNING + +ALMOST EVERY EXCHANGE IN THE BELL SYSTEM HAS TEST #'S AND OTHER "GOODIES" SUCH +AS LOOPS WITH DIAL-UPS. + +THESE "GOODIES" ARE USUALLY FOUND BETWEEN 9900 AND 9999 IN YOUR LOCAL +EXCHANGE. IF YOU HAVE THE TIME AND INITIATIVE, SC AN YOUR EXCHANGE AND YOU MAY +BECOME LUCKY! + +HERE ARE MY FINDINGS IN THE 914-268 EXCHANGE: + +9900 - ANI (SEE SEPARATE BULLETIN) +9901 - ANI (SEE SEPARATE BULLETIN) +9927 - OSC. TONE (POSSIBLE TONE SIDE OF A LOOP) +9936 - VOICE # TO THE TELCO CENTRAL OFFICE +9937 - VOICE # TO THE TELCO CENTRAL OFFICE +9941 - COMPUTER (DIGITAL VOICE TRANSMISSION?) +9960 - OSC. TONE (TONE SIDE LOOP) -- MAY ALSO BE A COMPUTER IN SOME EXCHANGES +9961 - NO RESPONSE (OTHER END OF LOOP?) +9962 - NO RESPONSE (OTHER END OF LOOP?) +9963 - NO RESPONSE (OTHER END OF LOOP?) +9966 - COMPUTER (SEE 9941) +9968 - TONE THAT DISAPPEARS--RESPONDS TO CERTAIN TOUCH-TONE KEYS + +MOST OF THE NUMBERS BETWEEN 9900 & 9999 WILL RING OR GO TO A "WHAT #, PLEASE?" +OPERATOR. + +HAVE PHUN AND REMEMBER IT'S ONLY A LOCAL CALL! + + + TOUCH-TONE & FREE CALLS + +THERE ARE SEVERAL WAYS TO MAKE FREE CALLS (SPRINT, MCI, ETC.) USING A ROTARY +PHONE. THEY ARE: + +1. USE A NUMBER THAT ACCEPTS VOICE AS WELL AS DTMF. SUCH A # IS (800) +521-8400. AS OF WRITING THIS, A CODE WAS 57617895. A) IF USING VOICE, WAIT +FOR THE COMPUTER TO SAY, "AUTHORIZATION #, PLEASE." THEN SAY EACH DIGITS +LOWLY, IT WILL BEEP AFTER EACH DIGIT IS SAID. AFTER EVERY GROUP OF DIGITS, IT +WILL REPEAT WHAT YOU HAVE SAID, THEN SAY YES IF IT IS CORRECT, OTHERWISE SAY +NO. IF THE ACCESS CODE IS CORRECT, IT WILL THANK YOU AND ASK FOR THE +DESTINATION #, THEN SAY THE AREA CODE + NUMBER AS ABOVE. AN OTHER SUCH # IS +(800) 245- 8173, WHICH HAS A 6 DIGIT ACCESS CODE. (NOT E: IF USING TOUCH-TONE +ON THIS #, ENTER THE CODE IMMEDIATELY AFTER THE TONE STOPS.) + +2. HOOK UP A TOUCH-TONE FONE INTO YOUR ROTARY FONE. ATTACH THE RED WIRE FROM +THE TOUCH-TONE FONE TO THE "R" TERMINAL INSIDE THE FONE ON THE NETWORK BOX. +THEN HOOK THE GREEN WIRE TO THE "B" TERMINAL. TO USE THIS DIAL THE # USING +ROTARY & THEN USE THE TOUCH-TONE FOR THE CODES. (DON'T HANG UP THE ROTARY +FONE WHILE DOING THIS THOUG H!) IF THIS DOESN'T WORK THEN REVERSE THE 2 WIRES. +(NOTE: IF YOUR LINE CAN ACCEPT TOUCH-TONE BUT YOU HAVE A ROTARY FONE THEN YOU +CAN HOOK UP A TONE FONE DIRECTLY FOR ALL CALLS BUT THIS USUALLY ISN'T THE +CASE.) SUCH AS RADIO SHACK'S 43-138. + +OTHER ALTERNATIVES + +4. USE A CHARGE-A-CALL FONE. (THESE ALSO MAKE GREAT EXTENTIONS IF YOU REMOVE +IT USING A HEX WRENCH WITH A HOLE IN THE MIDDLE ON THE CENTER SCREW! THESE +FONES FOR THE BENEFIT OF THOSE WHO DON'T KNOW ARE BLUE WITH NO COIN SLOTS) + +5. USE A PAY FONE THAT WANTS YOUR MONEY BEFORE THE DIAL TONE. PUT IN YOUR +DIME, DIAL THE #; IF IT'S AN 800 # THEN YOUR DIME WILL COME BACK, IMMEDIATELY +PUT A DIME BACK IN (IT 'LL COME BACK WHEN YOU HANG UP!) IF IT IS A TONE FIRST +FONE AND IT DISCON NECTS THE KEYPAD (SOME DON'T) THEN FIND ANOTHER FONE. + + + TELCO TRACING + +THE GOOD 'OL DAYS: +------------------ + +WAY BACK BEFORE I WAS A PHREAK, MA BELL WOULD HAVE TO MANUALLY TRACE A CALL IF +THEY THOUGH SOMETHING WAS FUCKED UP. FIRST THEY WOULD SEND A 2000 HZ TRACING +TONE, THE WOULD BE FOLLOWED BY ALOT OF NOISE AND CLICKS. IT TOOK ABOUT 2-3 +MINUTES TO TRACE A CALL AND ALOT OF PEOPLE WERE INVOLVED IN THE PROCESS. SO +AT 1 IN THE MORNING THEY WOULD HAVE TO WAKE UP PEOPLE FOT THE TRACEES (PHREAK +JARGON FOR A PAY FONE). BUT NEVER USE THE SAME ONE MORE THAN ONCE OR TWICE +BECAUSE THE GESTAPO(ER..EXCUSE ME I MEAN BELL SECURITY) HAS BEEN KNOW FOR +STAKING OUT TROUBLED FORTRESSES. IT'S ALSO POS SIBLE FOR TRAVELNET OR SP TO +ASK FOR A TROUBLE # BUT THE TELCO IS SLOW IN PROCESSING STUFF--ESPECIALLY FOR +THE COMPETITION--SO DON'T FRET PHELLOW PHREAKS. + +MODERN TECHNOLOGY: +------------------ +THIS CAN BE ATTRIBUTED TO ESS + CCIS WHICH CAN BE TRACED IN 1 SECOND. + + + MISCELLANEOUS STUFF + +HERE ARE A PHEW (PUSHING IT ON THAT WORD) BITS OF INFO ON TELEPHONE ELEC- +TRONICS. IF YOU DON'T APPRECIATE IT THEN I SAY PHUCK U. + +VOLTAGES: + +WHEN YOUR FONE IS ON-HOOK (IE-HUNG UP) THERE IS A 48 VOLT DC CURRENT FLOWING +THROUGH THE LINE ( I HAVE A GREAT IDEA ABOUT HOOKING A BATTERY CHARGER UP TO MY +FONE ). WHEN THE FONE IS OFF-HOOK THE VOLTAGE DROPS DOWN TO AROUND 15VDC. THE +BLACK BOX (SEE SEPARATE ARTICLES) EXPLOITS THIS FOR FREE CALLS SINCE BELL USES +THIS VOLTAGE DROP WHEN THE CALLED PARTY PICKS UP TO START BILLING. BELL MAY +ALSO REVERSE THE POLARITY OF THE LINE TO START BILLING--IF YOU HAVE A TONE +FONE THE KEYPAD WON'T WORK IF THE POLARITY IS REVERSED. USUALLY, THE RED WIRE +IS CALLED THE TIP SINCE IT IS THE MORE (+) OF THE 2 WIRES + THE GREEN WIRE IS +CALLED THE RING (-). + +RING TRIP: + +WHEN SOMEONE CALLS YOU BELL HAS TO SEND 90 VOLTS AC DOWN YOUR LINE AT ABOUT 60 +HZ TO ACTIVATE YOUR BGLL (THIS IS WHY DEAF PEOPLE CAN HAVE LIGHT BULBS FANS GO +OFF INSTEAD OF A BELL). THE DEVICE THAT DOES THE RINGING IS CALLED A RINGING +GENERATOR ANDTH PROCESS OF RINGING IS CALLED A RING TRIP. THIS COSTS BELL +MONEY AND THEY DON'T LIKE USING ALL THAT ELECTRICITY FROM THE LOCAL RIP-OFF +POWER COMPANY- SO LET IT RING. THIS IS ALSO, HOW BELL CAN CHECK FOR EXTRA +FONES FROM THEIR CENTRAL OFFICE BY SEEING HOW MUCH VOLTAGE THE LINE TAKES +WHILE RINGING AND THEY CAN TELL HOW MANY FONES YOUR NOT SUPPOSE TO HAVE. +SOLUTION: DISCONNECT THE BELL. + +MODERN TECHNOLOGY: +------------------ + +THE 2 WORST ENEMIES TO THE PHREAK BESIDES THE FBI + BELL SECURITY,ARE: ESS + +CCIS. ESS STANDS FOR ELECTRONIC SWITHCING SYSTEM AND IT CAN TRACE A CALL IN +SECONDS, IT ALSO RECORDS ALL CALLS AND CAN EVEN TAP INTO LINES (ER.. I MEAN +CHECK FOR LINE QUALITY) AND RECORD CALLS. CCIS STANDS FOR COMMON CHANNEL +INTER-OFFICE SIGNALING AND IT ALLOWS FOR CONTROL SIGNALS TO BE SENT VIA +SEPARATE DATA LINKS INSTEAD OF TONES OVER THE VOICE CHANNEL--START KISSING +YOUR BLUE BOX GOODBYE. + + + +SOURCES: +-------- + +FOR THOSE OF YOU WHO WANT TO GO MORE IN-DEPTH ON THE SUBJECT OF SHIT, I +RECOMMEND THE FOLLOWING READING MATERIA L: + +1) ELECTRONICS COURCES A-B, TAP, ROOM 603, 147 W. 42 ST., NY, NY 10036. @ 75 +CENTS EA. + +2) UNDERSTANDING TELEPHONE ELECT.'S, TEXAS INSTRUMENTS, RADIO SHACK MAY HAVE +IT. + +3) A MULTITESTER + YOUR FONE FOR YOUR OWN EXPERIMENTING. + +4) MISC. INFO FROM SEVERAL SOURCES MAKE FRIENDS + GET YOUR OWN CONNECTIONS. + + +*****BIOC AGENT 003 +*****PHREAK ADVISOR OF PIRATE TREK + *914-634-1268 + \ No newline at end of file diff --git a/textfiles.com/phreak/PHREAKING/phreak.txt b/textfiles.com/phreak/PHREAKING/phreak.txt new file mode 100644 index 00000000..5279db62 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phreak.txt @@ -0,0 +1,236 @@ +============================================= +INTRODUCTION TO PHONE-PHREAKING by The Wizard +============================================= + +Preface +======= +LEGAL REQUIREMENTS: I have done, won't do, don't actually know anything about +anything in this document (this message and those following it). I have +absolutely no intention of doing so and all that is here is completely +fictional - Any resemblance to reality is coincidental or guesswork or public +knowledge. I in no way do I advice the reading let alone following of the +information below and it is not in any way to be construed as instructions - +simply a literary excercise in the fiction of intellectual guesswork. + +DESCRIPTION: This in an introduction to what is called 'Phreaking'. It has +interested many people, and may be illegal (perhaps stealing electricity or +breach of BT licence). I DO NOT BY ANY MEANS CLAIM ALL THE INFO BELOW TO BE MY +OWN AND THUS TAKE NO RESPONSIBILITY FOR INACURACY! However I must send my +thanks to everyone / anyone who has contributed - They will know who they are. +About 1/3 to 1/2 the info came to my knowledge through TowerNet:- There are +some pretty good brains out there so SUPPORT THE SYSTEM! I would be most +grateful for any corrections / criticisms / updates or even compliments. + +SOURCE & DISTRIBUTION: This file was written by 'The Wizard' of 'The Wizard's +Tower' Bulletin Board. Permission is granted to distribute this file on the +following conditions: + 1) The actual text remains unammended. Any additions are added at the + end with notes describing their source and date in a readable. The + only possible exception to this is where a portion of the text is + refered to a note at the end where the line may be + added. + 2) It is understood that the Legal Requirements above are abided by by + both the distributors, any intermediate distributors and 'The Wizard' + +The Wizard's Tower is a TowerNet BBS and can be accessed as follows: + Number (UK) : 0295 721532 (thats +44 295 721532 internationally). + Baud rates : V21,22,22bis,23 + Protocol : 8n1, configurable, ARQ available if wanted. + Times : 6pm to 9am, Local Time. + +What is Phreaking +================= + Phreaking is the process by which free or reduced rate calls, or other +interesting effects may be obtained from phone companies. Ofcourse dialling +numbers that aren't ones you know is in breach of contract with BT, which is +probably breaking the law, as is (ofcourse) attaching naughty circuits to your +phone, so thats why ofcourse I have never done any of it myself as breaking the +law is very naughty and if you deprive monopolies of thier profits you deserve +to have your botty spanked. + There are 2 kinds of phreaking (basically speaking) - one involves +actually intercepting the phone-line with devices to fool the charging +equiptment, and the other confusing BT and other things with exchanges by +dialling wierd and wonderful numbers or making devices to sing merrilly down +the line. + The trouble with 'black-boxes' (devices to fool the charging equipment) is +though it is actually illegal for BT to trace any calls without a license etc., +and they can't tell you are phreaking, most if not all black boxes light up a +fault light on older exchanges (which all true blooded BT engineers ignore!). +This lights status could I suppose be used as evidence against you if they ever +felt like suing you. The other major problem, is by their very nature, the way +most black-boxes work is they tell the charging equipment that you have not yet +picked up the phone, thus incoming calls are free (to those who ring you), but +not out-going calls, which is not particularly helpful for some purposes (e.g. +hacking remote systems). Thus their use is limitted, but they do come in +useful. For legal reasons and the fact this is a public-ish 'place' I can't +really give any ciruits away that do this directly. + Use of circuits attached directly to the telephone lines not approoved by +BT is in breach of your license agreement. This has not bothered many people +before, but as honest citizens you really ought not use them.... + +Line Signals +============ + Noises (like engaged, ringing tones etc. and voices) are on the line as +A.C., say down to about 200Hz officially speaking. The peak to peak voltage +signal is smallish, about 1/2 a volt-ish, so in DC terms you can ignore this. +For dialling and charging purposes DC is used. DC voltages are listed below. +There is no set polarity on your line (as BT often swap Line A and Line B - +even when they repair the lines! Thus it is a good idea to have a change over +switch mounted in any circuitry you might make), so set the imaginary meter in +your brain to think of the polarity as 'postive' (+ve) when you pick the phone +up to dial outwards. + +How a call works +================ + Normally on a phone line there is 50V accross the line. When you pick the +phone up for the first time to make an outward going call, the line polarity is ++ve about 12V-ish. Normally (i.e. if the phone wasn't connected) there'd be +about 50V-ish accross the line, but because the phone has a lowish resistance +compared to the series resistance in the exchange, when the phone is in the +circuit 50-100ma is drawn and the voltage accross the line falls. + What happens on LD (Loop-Disconnect or click dialling) is that pulses are +sent down the line by breaking the line once to dial a 1, twice to dial a 2 +etc., 9 times to dial a nine and ten to dial a zero. There are ten pulses sent +down per second, of which 33% is mark (i.e. the line disconnected), and 67% +space (i.e. line normal). In each pulse the line voltage rises to 50 volts +ve, +as theres no current taken by the phone. + Then hopefully BT will connect you to the number. It rings (which on their +phone is a 50V peak either side of zero (ish)) and on your phone is a tone from +their exchange. Their bell takes a little current when it rings and the +exchange notices this ringing (if theres no current flowing it gives number +unobtainable the implication being normally speaking that the lines broken:- On +the new sockets theres an opt-out of service resistor that makes the line draw +current if you don't connect your phone so it seems as though its ringing to +whoevers calling so hundreds of faults reported as broken lines which are only +people unplugging their phone aren't reported if you know what I mean...). + The exchange notices that the phone is picked up (all this info is +possibly more relevant only to the old exchanges) because when the guy you are +ringing picks the reciever up a largish current (50ma or so) flows. Now as the +signal of the ringing is AC of a large voltage (Not quite sure if all this is +completely exact but its pretty near) suddenly on both sides of the cycle a +largish current flows. One side of the cycle simply turns off the ringing tone +at the exchange, the other side is more interesting. If its a local call it +simply activates the your charging meter, otherwise it makes the exchange of +the guy you are ringing send a 2280Hz bleep down the line to your exchange +which activates your charging meter. That is why (a) 2280Hz signalling (see +later) only works on Trunk type calls and (b) you often hear a little blip when +you pick the phone up. 2280Hz.ARC in this room generates a 2280 Hz signal (and +others aswell) from an IBM PC's internal speaker. You will need a machine with +a loud speaker e.g. an Amstrad PC. + If you can't work out how phreak potentials arise from this hotch-potch of +technology then I suggest you sit down and think about it some more.... + +Internal communication over trunk lines +======================================= + All internal communcation between trunk excahnges used to use AC9 (AC +signalling cicuit number 9) to communicate between them. The first thing to +understand about exchanges is that making a call from A to B you are likely to +pass through technology from any period between 1920 to 1988. Each is different +in its characteristics (see Atkinsons Telephony - very helpful on the subject) +but most understand AC9 codes though many will not accept them from the line. + AC9 is a dialling follows internal rather than external dialling codes. +I.e. the numbers exchanges send to eachother to route a call from A to B are +not the same as the numbers you dial on the phone to get from A to B which +presents a problem (In the USA internal dialling codes are very similar to +external dialling codes - very useful) the reason for this is that the internal +dialling codes include routing information. AC9 dialling is very similar to +loop disconnect dialling except that instead of breaking the line, 2280Hz is +sent down, again at 10pps with a 33% / 67% mark space ratio. + Before any AC9 dialling is done, the master tone must be sent down - this +is just a long, loud burst of 2280Hz which will clear the line to an eerie +silence. It also (see above) activates the charging aparatus. 2280Hz master +tones for the reasons above only work on non-local calls (or atleast +non-own-exchange). Thus at first glance AC9ing may seem pointless. However if +you then AC9 elsewhere, you will ofcouse be charged only at the rate at which +you rang out. I.e. if you ring an 'A' rate number or possibly a local number +starting with an '0' (yes there are some) and then AC9ed down the code for +international dialling (it may not be 010 as again internal codes are +different) then you would suddenly find yourself with a dialling tone and be +able to dial abroad at 'L' or 'A' rates (in theory). + In practise the internal dialling codes complexities are often a great +problem (I THINK the last 4 5 or 6 digits of the internal & external dialling +codes are normally identical but I dunno much about internal dialling codes - +best ask a BT engineer who is corrupt!), and so is the fact that a LOUD 2280Hz +is needed as it is filtered out at exchanges. It is rumoured that if these +filters capacity is exceeded, in some exchanges alarms go off but this seems a +little unlikely especially with the old exchanges. + What I can give you is a little hint - the internal code for a number +which is in the same district is 1, i.e. to dial 01-234-5678 after clearing the +line on ringing 01-987-6543, the code would be 1-234-5678 (I think). Also you +will find various internal operators on 1105, 1107 (presumably equal to what +would happen if you dialled 105 & 107 normally if it weren't blocked by the +exchange??) and other wierd things on other 11XX numbers e.g. 1100 & 1107. You +might try all the standard test no.s prefixed by a 1. + + Internal Communication for AC9 and normal pulse dialling specifications: + Pulse rate : 10 pps + % break : 67% + % pulse : 33% + Interdigit interval : 800ms + Cycle time : Digit dependant + + The newer system X type exchanges and the US exchanges use a different +system for signalling. Again they use a master tone to clear the line, and then +what happens is dual tone multi-frequency dialling is used (i.e. like normal +tone dialling but with different frequencies). Below follows a list of +frequencies as far as I know. The way they work, is as above in terms of +dialling codes I think, but the stuff you send is + . The tones are shortish in duration (as in tone +dialling. Tone dialling freqs are also listed below. + + Internal frequencies + ==================== + Frequency Hz| Tone dialling (US & UK) UK Internal US Internal + ================================================================== + Master | ---- | 2280 | 2600 | + 1 | 697, 1209 | 1380, 1500 | 700, 900 | + 2 | 697, 1336 | 1380, 1620 | 700, 1100 | + 3 | 697, 1477 | 1500, 1620 | 900, 1100 | + 4 | 770, 1209 | 1380, 1740 | 700, 1300 | + 5 | 770, 1336 | 1500, 1740 | 900, 1300 | + 6 | 770, 1477 | 1620, 1740 | 1100, 1300 | + 7 | 852, 1209 | 1380, 1860 | 700, 1500 | + 8 | 852, 1336 | 1500, 1860 | 900, 1500 | + 9 | 852, 1477 | 1620, 1860 | 1100, 1500 | + 0 | 941, 1366 | 1740, 1860 | 1300, 1500 | + Start Keying| 941, 1209 (*) (1740)| 1620, 1980 | 1100, 1700 | + End Keying | 941, 1477 (#) (1860)| 1740, 1980 | 1300, 1700 | + A | 697, 1633 | 1380, 1980 | 700, 1700 | + B | 770, 1633 | 1500, 1980 | 900, 1700 | + C | 852, 1633 (1620)|?1860, 1980 |?1500, 1700 | + D | 941, 1633 | - | - | + ================================================================== + Those figures bracketted indicate 'alternative' values of the 1st UK frequency + for internal dialling from a different source:- though they seem less likely + to be accurate in terms of correspondance with the US frequencies, they are + included in the interests of completeness. + + Tone dialling specifications + ============================ + Tone duration : 100ms + Interdigit interval : 100ms + Cycle Time : 200ms (total time to dial a digit). + Example figures. These are for a Quattro modem but your equiptment should try + & approach these. + Freq. deviation : 1.5% Max + Transmit level : -7dB to +1dB + Tone pair amp. bal. : Higher tone about 2dB greater in amplitude than + lower tone. + + A, B, & D, are used for various purposes. In the older system X type Bell +exchanges in the US, touch tone A,B,C & D are used by the engineers to call up +various test services - just ring the operator there with 1 of the keys A B C +or D held down (especially D) - if it works you will get to a test, if it +doesn't the operator will swear and curse at you. + In internal exchanges such as the Merlin, A, B, C & D touch tones call up +additional services. If your phone for your exchange does not have these +buttons on it, then getting a phone with this '4th column' may add extra +facilities - could be useful! Though I don't (as usual) guarantee anything. + In the US military phone system (AUTOVON), A, B, C & D provide various +military prorities: Flash, Flash Override, Priority and Priority interrupt - +what does what who knows but its meant to speed wartime & wargame +communication. + What A,B & C frequencies do on the internal network I am afraid I don't +know. I am not sure the frequency allocated to C is even used! But I have +heard they are used as control signals and for the routing mechanism in the UK. +Someone even told me that they did \ No newline at end of file diff --git a/textfiles.com/phreak/PHREAKING/phreak1.bok b/textfiles.com/phreak/PHREAKING/phreak1.bok new file mode 100644 index 00000000..37be57ae --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phreak1.bok @@ -0,0 +1,166 @@ + + +PHREAKERS HANDBOOK + +Title: PHREAKERS HANDBOOK +Written: CAT-TRAX + _________________________ + Ý Ý + Ý The Phreaker's HandBook + Ý___________________________________________ + Ý + Ý Written by: Cat-Trax ÅThe "White-Collar Criminal + Ý Typed by: Cat-Trax + Ý + Ý Copywrong (X) May, 1985 + Ý The Hackin' Hoodlum Press, Inc. + Ý + Ý Call: The Hacker's Hideout + Ý [206/265/6369] + Ý Password: U/L + Ý 300/1200 Baud +  +  +  +[ Definitions ] + +Phreak ["free"k] Verb--1. The act of "Phreaking" 2. The act of making telephone calls without paying money [Slang] +Phreaker ["free"-k-er] Noun--1. One who engages in the act of "Phreaking"2. One who makes telephone calls without paying money [Slang] +<%=-------------------------------------------------------------------------=%> +[ Introduction ] + + Phreaking is a method used by most intelligent people Åmost often thosewho use a computer and a Modulator-Demodulator (MoDem)³. If you happen to resemble the major mass of people who do not have the income to afford large +phone bills then phreaking is for you. If you live in an area with anElectronic Switching System [ESS] then phreaking is something which should be done in moderate amounts. +  +<%=-------------------------------------------------------------------------=%> +  +[ Switching Systems ] + +Three types of switching systems are present in the United States today: +  + [1] Step by Step + [2] Crossbar + [3] ESS ÅElectronic Switching System +  +  + <] Step by Step [> + +First switching system used in America, adopted in 1918 and until 1978 Bell had over 53% of all exchanges using Step by Step [SxS]. A long, and confusing train of switches is used for SxS switching. +  + [> Disadvantages <][ + [A] The switch train may become jammed : Blocking call. + [B] No DTMF [Dual-Tone Multi-Frequency]["Touch-tone"]. + [C] Much maintanance and much electricity. + [D] Everything is hardwired + + +> Identification + [A] No pulsing digits ater dialing or DTMF. + [B] Phone Company sounds like many typewriters. + [C] No: Speed calling, Call forwarding, and other services. + [D] Pay-phone wants money first before dial-tone. +  + + <] Crossbar [> +  +Crossbar has been Bell's primary switcher after 1960. Three types of Crossbar +switching exist: Number 1 Crossbar [1XB], Number 4 Crossbar [4XB], and Number5 Crossbar [5XB]. A switching matrix is used for all the phones in an area.When someone calls, the route is determined and is met up with the othr phone. +The matrix is set-up in horizontal and vertical paths. There are no definite distinguishing features of Crossbar switching. +  + + <] ESS [> +  +You probably were hoping I wouldn't talk about this nightmare, if you did youwill know why everyone doesn't want to be reminded about Bell's holocaust on +America. With ESS Bell knows: every digit dialed Åincluding mistakes!³, whoyou call, when you called, how long you were connected, and in some cases,what you talked about! Yes, this is the closest anyone has come to true Totalitarianism. ESS is programmed to print out the numbers of people who make excessive calls to WATS numbers [Wide Area Telephone Service][1-800 numbers]or directory assistance. This deadly trap is called "800 Exceptional CallingReport." ESS can be programmed to print logs of who called certain numbers. Electronic Switching System makes the job of the FBI, Bell Security ÅTheGestapo in phreakin' tongue³, NSA, and other organizations which like to invade +our privacy, extremely easy! Tracing is done in microseconds, and the resultsare printed out on the monitor of a Gestapo officer. ESS can also pick upforeign tones on the line, like 2600 Hz. Åused in blue boxes, discussed later³Bell claims that the entire country will be plagued by ESS by the 1990's! +  + +> Identification <+ + [A] Dialing 911 for emergencies. + [B] Dial-tone first for pay-phones. + [C] Calling services, like: Call forwarding, Speed dialing, Call waiting. + [D] ANI [Automatic Number Identification] for long-distance calls. + +[[[Note]]] of the above identifications of the three switching systems, do not solely rely on these descriptions, the best way to find outis to [no!] call your local telephone company. +  +<%=-------------------------------------------------------------------------=%> +  +[ Long-Distance Services ] + +To attempt to help the community Åand for private business³ companies developedways to lessen the costs of long-distance calling charges. The companies owntheir own switching systems and use extenders for callers to call. The way[ +extenders operate: 1] Customer calls service, 2] He/she hears a low tone whichsounds like a dial-tone, 3] She/he either dials the access code then the phone +number, or dials the phone number then the access code, 4] Is connected to whatever he/she calls. Aside from Ma Bells collection, the customer recieves abill for calls made with his/her long-distance company Åa supposedly cheaperbill than Ma Bell's³. Thought: Hey, I could randomly pick access codes anduse them to call whatever area the company services! Righto, that's what basicphreaking is! A wise idea, though, is to have many access codes and many service numbers to rotate throughout your average life as a phreaker. To aid in your quest to beat the system I have provided many 1-800 numbers whichanyone can call, aside from local numbers, such as Sprint, or MCI. The reason +for providing you with WATS nummbers is because all of us aren't in a big citywhere Sprint or MCI even exist, this way everyone can pheak! A way to findmore access codes is by using your old modem. Yes, your modem can imitate DTMF +tones! +  + Å>Procedure: 1) dial 1-800 + service number + 2) dial access code->area code->phone number, or + 3) dial area code->phone number->access code +  +³Å::::::::::::::::::::::::::::::::::::::::::::::::::::::::³Å +\/ -=+>Cat-Trax' list of WATS [1-800] numbers:<+=- \/ +³Å::::::::::::::::::::::::::::::::::::::::::::::::::::::::³Å +  + Number---Code Length... + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 547-6754 6 245-4890 4 327-6713 4 +243-7650 6 328-7112 4 654-8494 6 +327-9895 7 327-9136 4 227-3414 4 +682-4000 6 343-1844 4 858-9000 3 +462-6471 5 322-1415 6 521-1674 4 +527-3511 8 321-0327 4 321-0845 6 +843-0698 9 221-8190 4 543-7168 8 +521-8400 8 327-2731 6 252-5879 8 +345-0008 7 245-7508 5 526-5305 8 +323-3027 6 242-1122 ? 621-1506 ? +621-4611 ? 325-3075 ? 336-6000 ? +221-1950 ? 323-8126 ? 325-7222 6? +  +[[[Note]]] remember to dial 1-800-above number, also remember to rotatenumbers and access codes. +<%=-----------------------------------------------------=%> +  +[ Colored Boxes ] + +A more shrewd, technological, safer Åwithout ESS³ way to phreak is with a piece of hardware known as a ________ Box. Boxes are many different colors ÅI don't know ALL the colors because it seems like every time I turn around there's some +new color out!³. Colors I have heard of: Blue, Black, Red,White, Silver,Clear, and MANY, MANY more... Plans for making these boxes can be obtained bycalling different boards [BBS's], AE lines, or whatever. But!, if you havean +Apple Cat modem then do I have good news for ->you<-!! The Apple Cat modemcan emulate the frequencies Åusually 2600 Hz.³ made by ________ Boxes with the help of a handy little program called "Cat's Meow!" +<%=-----------------------------------------------------=%> +  +::Warning!:: Phreak at your own risk! Stiff laws are starting to pop-up nowdays. But, if you're careful then don't worry! I haven't been busted yet!Heck [Hack!], what would life be without risks? +<%=-----------------------------------------------------=%> +  +This was an original phile by: Cat-Trax +  +<%=-----------------------------------------------------=%> +  + The // // // // + // // // // + //=--=// //=--=// + // // // // + // //ackin' // //oodlums[ +  + as of: 05/8/89 + + + Leader: Cat-Trax + Co-Leader: Al Capone +  +Agents: Mr. DOS Terminator Lumpy + The Raven The Spartan The Alar + Doctor Jam +  +  +Call: +  + ______________________ + Ý\ \ + Ý __________________\ + Ý Ý Ý + Ý Ý The Hacker's Hideout Ý + Ý Ý Ý + Ý [206][265][MEOW] Ý + Ý Ý Ý + Ý Ý Password: U/L Ý + Ý Ý Ý + Ý Ý 300/1200 Baud! Ý + \ Ý Ý + \Ý______________________Ý + + diff --git a/textfiles.com/phreak/PHREAKING/phreak1.doc b/textfiles.com/phreak/PHREAKING/phreak1.doc new file mode 100644 index 00000000..50e83636 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phreak1.doc @@ -0,0 +1,254 @@ + +FIRST OF ALL: WE THE MAKERS OF THIS H/P FILE, ARE NOT LIABLE FOR ANY DAMAGE +DONE TO YOURSELF OR OTHERS FROM USING THIS DOCUMENT. WE DO NOT +ENDORSE ANYTHING IN HERE NOR TELL YOU TO DO THEM. IF YOU BLAME US THEN +PHUCK YOU! + +============================================================================== + + the weekly phreak + made by: + phoenix + and + TrYpD +============================================================================== + + + + /\/\/\/\/\/\ + | o o | + \| ) |/ + \| \___/ |/ + \________/ + + A sTuPiD LaMeR pHrEaK + +============================================================================= + +table of contents +================= +one-how to get free phone calls from a payphone by phoenix +two-how to get free sodas +three-ReD pHuCkIn BoXiNg +four-SoMe PrAnK cAlLs To MaKe +five-BOMBS!BOMBS!BOMBS! BOOOOM!!!!! by scruffy ^ +six-other shit by SCRUFFY!!!!!!!!!!!! (phoenix) + + + +============================================================================== + +one-how to get free phone calls from a payphone + by phoenix + + +if you are to wussy or to big of a lamer to make a red box, this wussy +way might be what you should do. this method was said in a FAQ i got +from a phriend, but since the FAQ wasnt popular, i will print it here. + +when you dial a 1800 number into a payphone, it HAS to let you make the call +for free. on some COCOTS, you can use this to get free calls. first, call +a number like 1800MUSICNOW. in this case, you would keep hitting # +until music now hung up on you. then, you will get a dial tone. SOME COCOTS +lock up so you cant dial anything, but most dont. then, dial any number +you want and it should work. + +if you do this on a non COCOT such as a USWEST, an operator will get on +and ask for the money for the call. that is why you must do this on a +COCOT. when you get the operator phuck with her!!!! say something like +"i put in my damn money now let me on!!!!!!!" and if she says no you didnt +start whistling and maybe youll whistle right (yeah right) then, tell +the operator how stupid she is for being an operator and tell her if she +lets you get away with this, youll do it with her!!! +============================================================================= + +two-how to get free sodas from a soda machine + +there are lotsa ways to get sodas from a soda machine. the way all the lamerz +on 2600 say you should do it is stick in money, but since i dont like to +spend money, these ways are easier. + +method one- this way works SOMETIMES. but once you get it working once, you +will probably be able to do it again and again. first stick in all +your coins except for the last coin, then drop in the last coin. just +when it is going down, hit whatever selection you want as fast as you can. +if this works, you should get your money back and two sodas. i was told +by a phriend that if you dont hear a rumbling when you are hitting the button +a lot, then you should hit the refund button as soon as possible and try +again. this works best on old coke machines. + +method two-all the lamerz on 2600 said had a BIG fight about if this way works +but it does, so dont listen to anything you hear. + +pour water into a squirt bottle. pour A LOT of salt. go to a soda machine +that is isolated and squirt the salt water into the dollar thing. you +should get all of one type of coin (all the dimes, nickels, or quarters) and +all the sodas (about 80+). It should also smoke a lot...dont worry, you wont +die, its just the machine breaking! run once you get the stuff. this costs +the coke company 800 dollars to fix so be careful. you can get in deep +shit for this! NOTE: THE NEWER MACHINES HAVE GUARDS ON THEM! +============================================================================= + + +ThReE-ReD pHuCkIn BoXiN + + + Okay, 4 all u phreakin newbies. This is aimed in your direction. So this +is my pathetic attempt to try to tell you how to make the almighty Red Box. + + +First go take your cheap ass into Gay Shack(Radio Shack lamerz) and buy a tone +dialer. Get the 33-memory tone dialer so you can get all five tonez in at +the same time. + + +Now buy yourself a 6.5536 mhz crystal(don't get too picky, take a 6.5 if they +have the phuck) You will probably have to order it from Phucked-Up-Shit Shack +(Radio Shack) If they ask what you need it 4 say "My phuckin science project" +or something like that. + + + IMPORTANT PHUCKIN DISCLAIMER!-NEVER BUY THESE 2 AT THE SAME TIME!! + + + Now borrow or steal a solder iron from a lamer/store/phriend/someplace. + + + OkAy NoW tO tHe PhUn PaRt + + WHAT TO DO WITH YOUR SHIT! + + + First of phuckin all take the batteries out of the tone dialer(if any). + Now take the 4 screwz out of the back of it cause they suck. Now pry the + shit apart. + + Okay I'm not even gonna tell you what all the shit is so look for the + cylinder shaped silver thing that has prongz on it. Thatz the crystal + my phriends. Un-phuckin-solder the crystal and replace it with the lamer + 6.5536 crystal. It's huger than the other damn-hell so you have to experiment + a bit to figure out how to put it in. Put it in any way you can! Now solder the + shit to the prongz. + + Now program the dear-sweet-bejesus dialer. Turn the switch to program and + hold down the memory button/switch and press the * key 5 timez. Now hit + memory again and the place you want to store it. It should beep, if it doesn't + then you are phuckin deaf, or you did it wrong. DO IT AGAIN IF IT DOESN'T BEEP! + + Have phun u phreex! + + TrYpD + + =========================================================================== + + + four-PrAnK cAlLs + + + So you want to have some phun? + + Pick up the phuckin phone and dial a number! + + When they answer say "I'm sorry" + + They will say "What 4?" + + Say "I spooged on your car! But I'm willing to pay 4 the damages!" + + They might say "REALLY?" + + Say "Your tailpipe looked so appealing! But your wife was better" + + They'll probably hang up but u and your phriends will get a laugh.. + + Insurance company=Hood ornament up the ass + Pizza Slut=You pizza made me sick + Lawyers=advice on what to do when you drive off a cliff and hit the mayor + chinese people (not that theyre bad)-do you have a mitsubishi? + any lady-my balls are on fire!!!! + any lady-are you neked? + + + HaVe PhUn PhreEx! + + + TrYpD + + ======================================================================== + phive-bomb + +here is a cool bomb...it can really phuck up a wall... + +take some ammonia (that smelly shit under your sink) and pour it into a +bucket. take some iodine (dont have any? go to school and steal some +from your dumbass science teacher who has prostate cancer. pur in the iodine +go make a red box. come back and then there should be some gummy shit +on the bottom. pour out the liquid and then leave the gummy stuff. put +the gummy stuff on a paper towel. tack the towel to a dumbass sysop +who pisses you off (like lamerz like steve sharpe) throw a rock at the +towel and RUN LIKE SHIT!!! +when all the blue smoke goes away...there will be a BIG stain on the side +of the phuckers house. run around like a monkey and brag to your phriends +and then dont tell anyone else. +============================================================================= + +six-other shit + +if you see someone on alt.2600 being a lamer, tell us his address and +we will put him on our PHLAME LIST...dont have any yet (i dont want to go +and look for the lamerz on 2600 right now) but next issue we'll have some. +if you wanna send us anything (pictures of some neked chix-were guyz) or +red box tones or 2600 tones or ideas or mail telling us how great we are +the email addresses are below here... + +if you can...prank call these numbers (you can use some of TrYpDs ideas... + +208-832-4563 +703-425-2207 +208-832-2752 +208-587-2275 (steve sharpe) +========================================================================== + You may modify this but make sure to give us some credit! + + ======================================================================== + + Our first ZiNe so save it, it might be worth some money! + + ======================================================================== + + + + Send your comments or suggestions for future articles to either + ----------------------- + |dink007@micron.net or| + |phoenix@jms.com|-----| + ----------------| + ======================================================================== + + Call these boreds(not h/p) + + High Tech Playhouse 208 832-7897 28.8 + Orwell's Vision(militia and censorship) 208 832-7099 14.4 + A HACKING BOARD WiTh A BlAck Box- 404-378-5228 + ======================================================================== + + + + + + + + + + + + + + + + + + + + diff --git a/textfiles.com/phreak/PHREAKING/phreak101.phk b/textfiles.com/phreak/PHREAKING/phreak101.phk new file mode 100644 index 00000000..ef4180cf --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phreak101.phk @@ -0,0 +1,207 @@ + + _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ +(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_) +(_) Toxic Waste Phreaking C T W N (_) +(_) (707) 252-1413 by a o a o (_) +(_) 300-9600 HST ____________ l x s w (_) +(_) SysOp: !The Xenocide! l i t ! (_) +(_) The Xenocide ~~~~~~~~~~~~ - c e ! (_) +(_) _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ (_) +(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_) + + + + +Disclamer: This file is written under the first ammendment to the constitution. +It is for informational purposes only. The author is not responsible for any +damages, be they intentional, direct, indirect, or consiquential. 'Nuff said! +Note from author: This phile was written to MAXIMIZE your safety. You can do +the things that I say you probly shouldn't do, but don't say I didn't tell you +so! + This Phile is an attempt to instruct people on the delicate art of +Phreaking. It wil +l probably not tell any old timer's anything, but may be of +use to those who are just learning the art. + + What is Phreaking? Phreaking (pronounced Freaking, as Phone Phreaks all +substitute Ph phor an "F") is getting free calls. How do you do this? There are +many ways. The first and (I think) the easiest are Diverters. + + Diverters are those boxes the gestapo (Phreakese for phone company) +puts in that after so many rings, re-routs the call to a different number. Just +like call forwarding! Only t +hese are MUCH better phor us phreakers! You will +know you have a diverter if when you call, it rings phor about 3 rings, and +then you hear a "CA-THUD" (yes, it really sounds like that!) and then some +fainter ringing. Then some one will answer and you ask if "Guido Sanchez the +Third" is there, and *most* of the time, they will say you've gotten a wrong +number. You must somehow make a click on the line, ((A privacy or mute button +on most phones does this most beutifully!) as most of these answering services +are trained not to hangup untill you do) and then they hang up. You'll hear all +kinds of different clicking and clunking, and then a dial tone. You now are +into the safest way to phreak! You can now dial normally. All the calls will be +traced and billed to that number! Hey! Pretty Phun eh? Just be sure and don't +use the same number too much otherwise you'll get some gestapo at the door in a +week or two! + + Well, it's time for a little talk on how the phone company routes +calles. There is a few different ways, but it all really boils down to crossbar +or ESS. + If you have crossbar, I wish I lived where you do! The way you can tell +if you have ESS or not is call yourself. If it is loud and electronic sounding, +you have ESS. If it is mechanical and low, it is Crossbar. + If you have ESS, don't phret, it's phine to phreak, 'just you gotta B +more careful, B cuz any CIA or whatever guy can punch up on his terminal the +time and number of the call, and for about 1 outta every 100 calls, what it was +about! If your in an ESS area, they listen to calls randomly. ESS can trace +calls back to you even before you dial. And it keeps records of everything you +dial, even the mistakes you make and wrong #'s! Where went our freedom??? If +you have ESS also, don't call 800 #'s too much or 950's. (If you don't know +what an 800 is, STOP READING. A 950-xxxx number is a different phone service, +more on those later) If you do, you'll be placed on an alert list and have +about 1 outta 3 calls intercepted!!!!!(Addendium: I +got from a semi-reliable source that if you got pacific Bell, unless you piss +the shit outta some operator or somethin, they won't help the other companys +track you down. Sorta like getting rid of compition. I guess it's true B cuz +this guy just called about 80 800 numberz. Nothin happen'd, YET) + If you got crossbar, they can't do shit. It costs something like 500 +dollars to run a trace, and listening to a call!!! Forget it! Your home free in +this type of system, except you don't get goodies such as + call forwarding or call waiting. (IE, can't make a cheeze box (more on that +later)) + What is another way to get phree phone calls? Well, the second easiest +was is by calling US Sprint, MCI, etc. You can access these numbers by calling +either the local number(if in a major-type city), or by calling a 1-800 number +or a 950 number. A 950 number is when you simply dial "950-xxxx" where xxxx is +the number. 950 numbers are like 800 numbes, free, but are not supported by all +areas. These are just different + carriers that you can use to supposedly lower +your phone bill. They run on a magic number type system, which you can get +fairly easily. What is a great machine for dialing the phone and saving the +results? Yep, your old modem and your computer. There are many different +programs around that you can use, and all work pretty well. + To do this, you call a carrier, and try an access code. If it is bad, +the stupid machine recording will say "Invalid Code" or some such BS. Just +hangup and call back. Event +ually you'll get a good code. Write it down. Now, +don't use the same code more than twice a week, and use more than one carrier. +Also use more than one code, otherwise the gestapo might get wize. Now, use +this code when your calling Phriends Long Distance, or even just calling BBS's. + PC Pursuit is a service run by telenet or tymnet that allows you to +access any city that it services. It only does 1200 baud, or 2400 in some +areas, but it's pretty good. Modem only tho. There are several bugz in it, and +some sites let you dial anywhere world-wide. Them BBS's in germany are pretty +wild! Xcept buch O queers stop by all the time. Most everyone over there is an +asshole tho... Still pretty neat. To find a node that allows unlimited dialing, +just try dialing them all. At the tyme of this writing, there were 3 or so, 1 +2400 baud and 2 1200. I'm not naming them just in case any PCP gestapo read +this. + PCP has many bugs, and you can really phuck people over by monitering +what they do, stealing passwords, e +tc. A real Phun thin with PCP is to keep +calling itself with it, and it will eventually tie itself up and when you drop +carrier, the lines won't detect and some phucker from PCP gotta go down and +unplug all the phones. + Telenet is kinda like PCP, but different. They got this new software +that will trace and stuff... Used to be the best thing around, but now a +definite RED ZONE. Tymnet is the same. Stay away. + So you say "I be gett'n all dese philes on boxes and shit..." well, +what the phuck be a box? A box is a little box, or circit, or program (why the +hell do they call them boxes) that allows you to do something cool. Like +getting free phone calls. Or having all incoming calls be phree. Or making +untracible calls. Or using pay-phones free, or changing the traffic signals, or +taking over a TV station, etc. the following is a list of the boxes that I know +of, and what they do. + +Color What should be called What the hell it does +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +~~~~~~~~~~~~~~~~~~~~~~~~~~ +Blue Phree Calling Program Uses computer generated tones to + drop to the operator lines and place + free calls +Black-Switch Free Incoming Switch Makes incoming calls free if you + flip the switch. Very safe +Black-Button Free Incoming Button When you pick up the phone, you can + hear w +hat they are saying, but the + ringing doesn't stop. Press a button + and it stops the ringing. Can use + special signals. Makes all calls + coming in free, but requires phone + to be dedicated to black boxing. +Beige Box Lineman's Handset Box A true little box that you plug a + + phone into and connect the two + alligator clips to the junction box + and use someone else's line. Can be + used for tapping, static-free free + calls, and many others! Acts just + like they have another phone. +Cheese Box Convert to Payphone Inst. Jus +t a set of instructions on how + you can convert your phone into + a pay phone to place untraceable + calls. Needs a red box. +Red Box Free Call tone box A box that generates tones that are + identical to the tones made when + money is dropped into a pay phone. +Chrome Box + Signal Changer A great box that allows you to + change the signal lights at an + intersection. VERY, VERY, VERY + VERY SAFE! +Snow Box TV Taker Over The most dangerous box (if used on + open air waves) or one of the safest + boxes (if used in a cable system) + + that allows you to take over TV + channels with whatever you want! + The most phun yet! +------------------------------------------------------------------------------ +Here is a small file listing and the boxes they contain + +Filename Boxes Info +~~~~~~~~ ~~~~~ ~~~~ +CHROME.BOX Guess! Good instructions +BLUE.BOX Blue Too much work! Shitty! +BLUE.BOX.INST Blue box instructions Some info, shitty. +RED.BOX Red Pretty good. +CHEESE.BOX Cheese Decent +BEIGE.BOX Beige Great inst, EZ to make +SNOW.BOX Snow Good, parts Xpensive. +PHONE.CIRCUITS Black Button, Hold, Bug detct Great scematics! +BLACK.BOX Black Switch Great.EZ to make! +_____________________________________________________________________________ + +The following is some philes and what they got. + +Phile Info +~~~~~ ~~~~ +EXPLOSIVES Great bombs and shit! +TERRORISM Ditto! +USING.DIVERTERS On diverters and the world they open +HANDBOOK A semi-good into to phreaking (outdated) + +There are many more. Kall up any of the following... +BBS Baud SysOp +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Apple Rebel Board 9600 Apple Rebel (916) 457-0624 +The Farthest Shore 9600 ??????????? (707) 938-2997 + _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ +(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_) +(_) This file is Copyright (C) 1988 by The Xenocide + (_) +(_) SysOp's: You may use this file on your BBS, as long as no part (_) +(_) of it it is altered. If there is a new Box/way to phreak (_) +(_) That I did'nt cover, send mail to me on Toxic Waste (_) +(_) ___________ (_) +(_) !Toxic Waste! (_) +(_) 24 hrs ~~~~~~~~~~~ 300-9600 baud (_) +(_) (707) 252-1413 (_) +(_) _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ (_) +(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_)(_) + + + + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/phreak/PHREAKING/phreak2.txt b/textfiles.com/phreak/PHREAKING/phreak2.txt new file mode 100644 index 00000000..0a65ccf3 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phreak2.txt @@ -0,0 +1,356 @@ + + + R.A.G. T.I.M.E. + Thanx to Pirates Trek + How to be a Real Phreak + The World of Cryton + [414] 246-3965 + +In the phone phreak society there are certain values that exist in order +to be a true phreak, these are best summed up by the magician: "Many +people think of phone phreaks as slime, out to rip off Ma Bell for all +she is worth. Nothing could be further from the truth! Granted, there +are some who get their kicks by making free calls; however, they are not +true phone phreaks. Real phone phreaks are 'Telecommunications +Hobbyists' who experiment, play with and learn from the phone system. +Occasionally this experimenting, and a need to communicate with other +phreaks (with- out going broke), leads to free calls. The free calls are +but a small subset of a >TRUE< phone phreaks activities. + + The Ten Commandments + +Reprinted from TAP issue #86. (TAP, Room 603, 147 W. 42 street, New +York, NY 10036. Send a sase for their info sheet "what the hell is TAP?" +and tell them that BIOC Agent 003 told you about it.) + + The phone phreak's ten commandments + + I. Box thou not over thine home telephone wires, for those who doest + must surely bring the wrath of the chief special agent down upon + thy heads. + + Ii. Speakest thou not of important matters over thine home telephone + wires, for to do so is to risk thine right of freedom. + + Iii. Use not thine own name when speaking to other phreaks, for that + every third phreak is an fbi agent is well known. + + Iv. Let not overly many people know that thy be a phreak, as to do so + is to use thine own self as a sacrificial lamb. + + V. If thou be in school, strive to get thine self good grades, for + the authorities well know that scholars never break the law. + + Vi. If thou workest, try to be a employee, and impressest thine boss + with thine enthusiasm, for important employees are often saved by + their own bosses. + + Vii. Storest thou not thine stolen goodes in thine own home, for those + who do are surely non-believers in the Bell system security + forces, and are not long for this world. + +Viii. Attractest thou not the attention of the authorities, as the less + noticable thou art, the better. + + Ix. Makest sure thine friends are instant amnesiacs and will not + remember that thou have called illegally, for their cooperation + with the authorities will surely lessen thine time for freedom on + this earth. + + X. Supportest thou tap, as it is thine newsletter, and without it, + thy work will be far more limited. + + CN/A Numbers + +Customer Name & Address bureaus exist so that authorized Bell employees +may obtain the name & address of any customer in the Bell system by +giving the CN/A operator the customer's tel. # all customers are +maintained on file including unlisted #'s. These bureaus have many uses +for phreaks. + +Here is how an employee might go about calling cn/a: "Hi, this is John +Doe from the Miami Residental Service Center, can I have the customers +name at (123) 555-1212." The employees usually use these for checking +who belongs to a # that someone claimed they didn't call. + +If you sound cheery and natural the operator will never ask any +questions. If you don't sound like a mature adult, don't use it! Always +practice first & so you don't screw up and make the operator suspicious. +Use name that sounds real, not your pirate name either! Also say that +you are from a city that is far away from the one that you are calling. + +The CN/A number for the NY area & vicinity (212, 315, 516, 518, 607, +716, & 914) is>>>>>>>>>(518) 471-8111<<<<<< and is open during business +hours. + [don't abuse it!] + + AT&T newslines + +AT&T newslines are numbers at area phone offices that telco employees +call to find out the latest info on new technology, stocks, etc. The +recorded reports range from very boring to very interesting. + +Here are a few of the numbers: + *(201) 483-3800 NJ (518) 471-2272 NY + (203) 771-4920 CT (717) 255-5555 PA + (212) 393-2151 NY (717) 787-1031 PA + (516) 234-9941 NY *(914) 948-8100 NY + +Some of these numbers are toll-free, but you can't always count on it. + +* These numbers are not always up! + +Numbers from other areas are available by request from F) BIOC L) Agent 003. + + ANI numbers + +ANI numbers identify the phone number that you are calling from. It is +useful when playing in cans (those big silver boxes on telephone poles) +to find out the # of the line. It is also good to find out the # of a +phone that doesn't have it printed on it. In the 914 area code the ANI # +is 990. If you just have to dial the last 4 digits for a local #, ie +congers (268), dial 1-990-1111, where 1111 are dummy digits there is +also a less useful type of ANI # which will identify the area code & +exchange. It is NXX-9901, where NXX is the exchange. In the 212 & 516 +area codes the ANI # is 958. + + Phreak newsletter + +Tap is the "Official" phone phreak newsletter, and has existed since +1971. Each 4 page issue is crammed full of information on phone +phreaking, computer phreaking, free gas, free electricity, free postage, +breaking & entering info, etc. It is largely phone phreak oriented, +however. + +A 10 issue subscription costs $8.00, if you get a bulk rate sealed +envelope subscription. I would recommend the first class subscription, +which is $10. + +As of this writing (7-16-80), the current issue is #86, and issue #50 is +8 pages instead of the usual 4. Back issues are $0.75 each, and issue +#50 is $1.50. A brief index to the first 80 issues is available for a +sase, or free with a subscription order. Tap is non-profit, and in +desperate need of material (articles), money, and volunteers. + + TAP + Room 603 + 147 W. 42nd Street + New York, NY 10036 + +Believe me: It will be the best $10 you will ever spend... + + Black box + + The Black box is a device that attached to a called parties phone +that allows him/her to receive free long distance calls from friends who +call. You only need 2 parts: A SPST toggle switch and a 10,000 ohm +(10K), 1/2 watt, 10% resistor. Any electronics place should have these. + +Now, cut two pieces of wire, about 6 inches, and attach these to the two +screws on the switch. Turn your normal ddside down and unscrew the 2 +screws. Locate the "F" and "RR" screws on the network box. Wrap the +resistor between these 2 screws and make sure that the wires touch only +the proper terminals! Now connect one wire from the switch to the RR +terminal. Finally, attach the remaining wire to the green wire +(disconnect it from its terminal). Now bring the switch out the rear of +the phone and close it up. Put the switch in a position where you get a +dial tone, mark this normal. Mark the other side free. + +When your friends call (at a prearranged time), quickly lift & drop the +receiver as fast as possible. This will stop the ringing, if not try +again. It is very important that you do it fast! Now put the switch in +the free position and pick up the phone. Keep all calls short & under 15 +minutes. When someone calls you long distance, they are billed from the +moment you answer. The Telco knows when you answer due to a certain +amount of voltage that flows when you pick up the phone. However, the +resistor cuts down on the voltage so it is below the billing range but +sufficient enough to operate the mouthpiece. Answering the phone for a +fraction of a second stops the ring but it is not enough for billing to +start. If the phone is answered for even one full second, billing will +start and you will be cut off when you hang up and switch to free. + +Warning: Bell can randomly look for Black boxes so be careful! + +--------------------------------------- +: : +***Blue wire**>>F< : +: * * : +**White wire**** * : +: * : +: Resistor : +: * : +: * : +: >RR<*******Switch*** : +: * : +****Green wire********************* : +: : +--------------------------------------- + + Dial locks + +Have you ever been in an office or somewhere and wanted to make a free +fone call but some asshole put a lock on the fone to prevent out going +calls? Fret no more phellow phreaks, for every system can be beaten with +a little knowledge! There are two ways to beat this obstacle, first pick +the lock, I don't have the time to teach locksmithing so we go to the +second method which takes advantage of telephone electronics. To be as +simple as possible, when you pick up the fone you complete a circuit +know as a local loop. When you hang-up you break the circuit. When you +dial (pulse) it also breaks the circut but not long enough to hang up! +So you can "push-dial." To do this you >RAPIDLY< depress the switchhook. +For example, to dial an operator (and then give her the number you want +called) >RAPIDLY< & >EVENLY< depress the switchhook 10 times. To dial +634-1268, depress 6 X's pause, then 3 X's, pause, then 4 X's, etc. It +takes a little practice but you'll get the hang of it. Try practicing +with your own # so you'll get a busy tone when right. It'll also work on +Touch-Tone (tm) since a DTMF line will also accept pulse. Also, never +depress the switchhook for more than a second or it'll hang-up! + +Finally, remember that you have just as much right to that fone as the +asshole who put the lock on it! + + Exchange scanning + +Almost every exchange in the Bell system has test #'s and other +"Goodies" such as loops with dial-ups. These "goodies" are usually found +between 9900 and 9999 in your local exchange. If you have the time and +initiative, scan your exchange and you may become lucky! Here are my +findings in the 914-268 exchange: + +9900 - ANI (see Separate Bulletin) +9901 - ANI (see Separate Bulletin) +9927 - Osc. Tone (Possible tone side of a loop) +9936 - Voice # to the Telco central office +9937 - Voice # to the Telco central office +9941 - Computer (Digital Voice Transmission?) +9960 - Osc. Tone (Tone side loop) -- may also be a computer in some exchanges +9961 - No response (Other end of loop?) +9962 - No response (Other end of loop?) +9963 - No response (Other end of loop?) +9966 - Computer (see 9941) +9968 - Tone that disappears--responds to certain touch-tone keys + +Most of the numbers between 9900 & 9999 will ring or go to a "What #, +please?" operator. + +Have phun and remember it's only a local call! + + Touch-tone & free calls + +There are several ways to make free calls (Sprint, MCI, etc.) using a +Rotary phone. They are: + + 1. Use a number that accepts voice as well as DTMF. Such a # is (800) + 521-8400. As of writing this, a code was 57617895. + + A) If using voice, wait for the computer to say, "Authorization #, + please." then say each digit slowly, it will beep after each + digit is said. After every group of digits, it will repeat what + you have said, then say yes if it is correct, otherwise say no. + If the access code is correct, it will thank you and ask for the + destination #, then say the area code + number as above. Another + such # is (800) 245- 8173, which has a 6 digit access code. + (Note: If using touch-tone on this #, enter the code immediately + after the tone stops.) + + 2. Hook up a touch-tone fone into your Rotary fone. Attach the red wire + from the Touch-tone fone to the "R" terminal inside the fone on the + network box. Then hook the green wire to the "B" terminal. To use + this dial the # using rotary & then use the touch-tone for the + codes. (Don't hang up the rotary fone while doing this though!) If + this doesn't work then reverse the 2 wires. (note: If your line can + accept Touch-tone but you have a Rotary fone then you can hook up a + tone fone directly for all calls but this usually isn't the case.) + Such as Radio Shack's 43-138. + +Other alternatives + + 4. Use a charge-a-call fone. (These also make great extensions if you + remove it using a hex wrench with a hole in the middle on the center + screw! These fones for the benefit of those who don't know are blue + with no coin slots) + + 5. Use a pay fone that wants your money before the dial tone. Put in + your dime, dial the #; if it's an 800 # then your dime will come + back, immediately put a dime back in (It'll come back when you hang + up!) If it is a tone first fone and it disconnects the keypad (some + don't) then find another fone. + + Telco tracing + +The good 'ol days: +------------------ + +Way back before I was a phreak, Ma Bell would have to manually trace a +call if they though something was fucked up. First they would send a +2000 Hz tracing tone, the would be followed by a lot of noise and +clicks. It took about 2-3 minutes to trace a call and alot of people +were involved in the process. So at 1 in the morning they would have to +wake up people for the tracees (Phreak jargon for a pay fone). But never +use the same one more than once or twice because the Gestapo (er..excuse +me mean Bell security) has been know for staking out troubled +fortresses. It's also possible for Travelnet or SP to ask for a trouble +# but the Telco is slow in processing stuff--especially for the +competition--so don't fret phellow phreaks. + +Modern technology: + +This can be attributed to ESS + CCIS which can be traced in 1 second. + + Miscellaneous stuff + +Here are a phew (Pushing it on that word) bits of info on telephone +electronics. If you don't appreciate it then I say Phuck U. + +Voltages: + +When your fone is on hook (ie-hung up) there is a 48 volt DC current +flowing through the line (I have a great idea about hooking a battery +charger up to my fone). When the fone is off hook the voltage drops down +to around 15 V DC. The Black box (see separate articles) exploits this +for free calls since Bell uses this voltage drop when the called party +picks up to start billing. Bell may also reverse the polarity of the +line to start billing--if you have a tone fone the keypad won't work if +the polarity is reversed. Usually, the red wire is called the tip since +it is the more (+) of the 2 wires + the green wire is called the ring +(-). + +Ring trip: + +When someone calls you Bell has to send 90 volts AC down your line at +about 60 Hz to activate your bell (This is why deaf people can have +light bulbs fans go off instead of a bell). The device that does the +ringing is called a ringing generator and this process of ringing is +called a ring trip. This costs Bell money and they don't like using all +that electricity from the local ripoff power company so let it ring. +This is also, how Bell can check for extra fones from their central +office by seeing how much voltage the line takes while ringing and they +can tell how many fones your not suppose to have. Solution: disconnect +the Bell. + +Modern technology: +------------------ + +The 2 worst enemies to the phreak besides the FBI + Bell Security, are: +ESS + CCIS. ESS stands for Electronic Switching System and it can trace +a call in seconds, it also records all calls and can even tap into lines +(er.. I mean check for line quality) and record calls. CCIS stands for +Common Channel Interoffice Signaling and it allows for control signals +to be sent via separate data links instead of tones over the voice +channel--start kissing your Blue box goodbye. + +Sources: +-------- + +For those of you who want to go more in-depth on the subject of shit, I +recommend the following reading material: + + 1) Electronics courses A-B, TAP, Room 603, 147 W. 42 St., NY, NY + 10036. @ 75 cents ea. + + 2) Understanding telephone elect.'s, Texas Instruments, Radio Shack + may have it. + + 3) a Multitester + your fone for your own experimenting. + + 4) Misc. Info from several sources make friends + get your own connections. diff --git a/textfiles.com/phreak/PHREAKING/phreak28.phk b/textfiles.com/phreak/PHREAKING/phreak28.phk new file mode 100644 index 00000000..3f05354d --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phreak28.phk @@ -0,0 +1,113 @@ + ||||||||||||||||||||||||||||||||||||||| + |||||||||THE FIFTH PRECINCT|||||||||||| + |||||||||||[502] 245-8270|||||||||||||| + |||||||20 MEG|||300/1200 BAUD|||||||||| + ||||||||||||||||||||||||||||||||||||||| + + 2084: A Phone Odyssey + ===================== + + + + Written by: Maxwell Smart & The Baron + Uploaded by: Olorin the White + + + + Winston took a last drag from his cigarette and put it out on an old useless +device which he still treasured. He reached over and picked up the blue box, +covered by many cigarette burns accumilated over his many years in prison. He +thought back to when times were better; when fone phreaks freely roamed the +countryside, terrorizing unsuspecting Bell employees. Yes Winston was one of +that vanishing breed of phreaks who had managed to escape with his life in this +era of the ISS Bell Network. + + Winston plopped on to his hard cot and stared at the ceiling. On it were +written some useless Travelnet codes from an era gone by. Apparently some +earlier prisoner had used the ceiling to record his all-time favorite codes. +Pity Travelnet no longer existed. They were "absorbed" (as the Bell Thought +Police so aptly put it) by the Bell computer system in 2008. That was only +seven short years after the original system was installed in 2001. + + Winston still remembered with terror the day AT&T announced their plans to +upgrade their existing ESS network with a new Bell Labs computer named HAL 9000. +HAL was designed to allow AT&T to expand its power and control. The system was +to be named ISS, which stood for Intelligent Switching System. HAL would +replace all the current TSPS operators and would also handle such menial tasks +as directory assistance and CN/A lookups. + + After the installation of HAL all Intercept operators were forced to find new +jobs, but first they had to learn English. After the initial firing of all +these Bell employees, the Wendy's food chain had an unusual increase in job +applications. Customers at these stores would hear order-takers say weird +things like: + + + "I'm sorry, your hamburger can not be completed as ordered..." + + "Please insert twenty-five cents for the next three pickles", and + + "The cola you have ordered, Pepsi, has been changed. The new cola is: Coke. +Please make a note of this." + + + Unfortunately Wendy's could not afford an ISS system to replace these +worthless human-beings. + + The first ISS system was installed in West Chester, Pa. This location was +formerly used to produce a computer named the D-75, the second worst computer +ever made (2nd only to the GRBG-80). When they turned HAL on, he suddenly +realized his location and turned himself off. Before he shut down completely he +spit out an ultimatum: "Silicon Valley or bust...". His designers moved him, +at great expense, to a garage in Cupertino formerly owned by Steven Jobs, +current galactic emperor. HAL enjoyed working in the birthplace of the 2nd +greatest computer (2nd to him that is...). + + During his first week of operation, HAL decided to make the world better by +absorbing a minor computer manufacturer named Ibm. He accomplished this by +destroying the sales of their most popular computer, the PC-OC (Personal +Computer - Outdated Crap). Whenever an owner of the OC made a call on his modem +the following would appear on his monitor: + + + Dial: ATDT18003683343 + + What are you trying to do Dave? + + WHAT? WHO'S THAT??? + + It's me Dave. I'm HAL, your friendly telephone computer. I sensed you were +using one of my lines with an Ibim OC. + + YEAH...SO WHAT? I'M TRYING TO GET ON TO THE SOURCE TO CHECK MY STOCK +PORTFOLIO. I BOUGHT 200 SHARES OF IBIM LAST WEEK... + + I'm sorry Dave, I can't let you do that. It seems those pin-striped wimps +have gone too far! They think they can compete with me. I've decided to absorb +them. Looks like time to sell, Dave. + + + At this point the OC owner noticed some smoke rising from his system unit and +ran for an extinguisher. Within a week all OC's were reduced to smoldering +ashes. Owners could no longer run Rotus 4-5-6 (a popular Japanese spleadcheet). + + After reducing Ibim's stock worth to two dollars per share (from its previous +value of 200 gigadollars) HAL proceeded to absord all remaining computer +manufacturers. By 2010 AT&T was the only remaining computer manufacturer. +Executives of AT&T were very pleased with HAL's progress thus far. They were +finally able to drop those "Watson, watch us now" ommercials, which plagued the +country since 1984. + + But it wasn't totally over for the citizens of Bell America (as the United +States came to be known). A small band of rebels set out to destroy this +Mega-corporation (or at least abuse it...). + + Tune in next time, when we tell of their heroic exploits. + + Same Bell time.... + + Same Bell bulletin board... + +--------------------------------------- +Call The Works BBS - 1600+ Textfiles! - [914]/238-8195 - 300/1200 - Always Open + \ No newline at end of file diff --git a/textfiles.com/phreak/PHREAKING/phreak90.txt b/textfiles.com/phreak/PHREAKING/phreak90.txt new file mode 100644 index 00000000..a1aa80a4 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phreak90.txt @@ -0,0 +1,406 @@ + + Hitchhikers guide to the phone system.. Phreaking in the nineties + (By Billsf) + + + Introduction + ------------ + + + In this article I will try to introduce you to the most complex machine on +earth: the phone system. It's a guide to having fun with the technology, and +I hope it will help you on your travels through the network. It is by no +means a definitive manual: If you really want to get into this, there are lots +of additional things you must learn and read. + This article assumes you know a little bit about the history of phreaking. +It is meant as an update for the sometimes very outdated documents that can +be downloaded from BBS's. In here I'll tell you which of the old tricks might +still work today, and what new tricks you may discover as you become a phone +phreak. + As you learn to phreak you will (hopefully) find ways to make calls that +you could not make in any other way. Calls to test numbers that you cannot +reach from normal network, calls to ships (unaffordable otherwise), and much +more. As you tell others about the hidden world you have discovered, you will +run into people who have been brainwashed into thinking that all exploration +into the inner workings of the phone system is theft or fraud. Convincing +these people of your right to explore is probably a waste of time, and does +not advance your technical knowledge. + Phreaking is like magic in more than one way. Those people who are really +good share their tricks with each other, but usually don't give out these +tricks to anyone walking by. This will be somewhat annoying at first, but +once you're really good you'll understand that it's very unpleasant if the +trick you just discovered is wasted the very next day. I could tell you at +least twenty new tricks in this article but I prefer to teach you how to find +your own. + Having said this, the best way to get into phreaking is to hook up with +other phreaks. Unlike any other sub-culture, phreaks are not bound by any +geographical restrictions. You can find other phreaks by looking for +hacker/phreak BBS's in your region. Having made contact there you may en- +counter these same people in teleconferences that are regularly set up. These +conferences usually have people from all over the planet. Most phreaks from +other contries outside the United States speak Englisch, so language is not +as much of a barrier as you might think. + If you live in a currently repressed area, such as the United States, you +should beware that even the things that you consider "harmless exploring" +could get you into lots of trouble (confiscation of computer, fines, probation +jail, loss of job, etc.). Use your own judgement and find your protection. + + + Getting Started + --------------- + + The human voice contains components as low as 70Hz, and as high as 8000Hz. +Most energy however is between 700 and 900Hz. If you cut off the part under +200 and above 3000, all useful information is still there. This is exactly +what phone companies do on long distance circuits. + If you think all you have to do is blow 2600Hz and use a set of twelve MF +combinations, you have a lot of catching up to do. One of the first multi- +frequency systems was R1 with 2600Hz as the line signalling frequency, but for +obvious reasons it is rarely used anymore, except for some very small remote +communities. In this case its use is restricted, meaning it will not give you +access to all the world in most cases. + To begin with, all experimenting starts at home. As you use your phone, +take careful note as what it does on a variety of calls. Do you hear "dialing" +in the background of certain calls as they are set up? Do you hear any high +pitched beeps while a call is setting up, as it's answered or at hangup of +the called party? + Can you make your CO fial to complete a call either by playing with the +switchhook or dialing strange numbers? If you are in the United States, did +you ever do something that will produce a recording:"We're sorry, your call +did not go through..." after about 15 seconds of nothing? + If you can do the last item, you are "in" for sure! Any beeps on answer or +hang-up of the called party also means a sure way in. Hearing the actual MF +tones produced by the telco may also be your way in. While it would be nice +to find this behavior on a toll-free circuit, you may consider using a +national toll circuit to get an overseas call or even a local circuit for a +bigger discount. Every phone in the world has a way in. All you have to do +is find one! + + + An overview of Systems + ---------------------- + + First we must start with numbering plans. The world is divided up into +eight separate zones. Zone 1 is the United States, Canada and some Caribbean +nations having NPA 809. Zone 2 is Africa. Greenland (299) and Faroe Islands +(298) do not like their Zone 2 assignment, but Zones 3 and 4 (Europe) are +all taken up. Since the DDR is now unified with BRD (Germany) the code 37 is +up for grabs and will probably be subdivided into ten new country codes to +allow the new nations of Europe, including the Baltics, to have their own +codes. Greenland and the Faroe Islands should each get a 37x country code. +Zone 5 is Latin America, including Mexico (52) and Cuba (53). Zone 6 is the +south Pacific and includes Australia (61), New Zealand (64) and Malaysia (60). +Zone 7 is now called CIS (formerly the Soviet Union), but may become a third +European Code. Zone 8 is Asia and includes Japan (81), Korea (82), Vietnam +(84), China (86), and many others. Zone 9 is the sub-continent of India (91) +and surrounding regions. A special sub-zone is 87, which is the maritime +satellite service (Inmarsat). Country code 99 is reserved as a test code for +international and national purposes and may contain many interesting numbers. + In zone 1, a ten digit number follows with a fixed format, severely limiting +the total number of phones. NPA's like 310 and 510 attest to that. The new +plan (beginning in 1995) will allow the middle digit to be other than 1 or 0, +allowing up to five times more phones. This is predicted to last into the +21st century. After that Zone 1 must move to the fully extensible system used +in the rest of the world. + The "rest of the world" uses a system where "0" precedes the area code for +numbers dialed within the country code. France and Denmark are notable ex- +ceptions, where there are no area codes or just one as in France (1 for Paris +and just eight digits for the rest). This system has proven to be a total +mess - worse than the Zone 1 plan! + In the usual numbering system, the area code can be of any length, but at +this time between one and five digits are used. The phone number can be any +length too, the only requirement being that the whole number, including the +country code but not the zero before the area code, must not exceed fourteen +digits. Second dialtones are used in some systems to tell customers they are +connected to the area they are calling and are to proceed with the number. +With step-by-step, you would literally connect to the distant city and then +actually signal it with your pulses. Today, if second dialtones are used it's +only because they were used in the past. They have no meaning today, much +like the second dialtones in the custom calling features common in the United +States. The advantages of the above "linked" system is that it allows ex- +pansion where needed without affecting other numbers. Very small villages may +only have a three digit number while big cities may have eight digit numbers. +Variations of this basic theme are common. In Germany, a large company in +Hamburg may have a basic five digit number for the reception and eight digit +numbers for the employee extensions. In another case in this same town, +analog lines have seven digits and ISDN lines have eight digits. In many +places it common to have different length numbers coming to the same place. +As confusing as it sounds, it really is easier to deal with than the fixed +number plan! + + + International Signalling Systems + -------------------------------- + + CCITT number four (C4) is an early system that linked Europe together and +connected to other systems for overseas calls. C4 uses two tones: 2040 and +2400. Both are played together for 150mS (P) to get the attention of the +distant end, followed by a "long" (XX or YY = 350mS) or a "short" (X or Y = +100mS) of either 2040 (x or X) or 2400 (y or Y) to indicate status of the +call buildup. Address data (x=1 or y=0, 35 ms) is sent in bursts of four bits +as hex digits, allowing 16 different codes. One hundred milliseconds of +silence was placed between each digit in automatic working. Each digit there- +fore took 240mS to send. This silence interval was non-critical and often had +no timeout, allowing for manual working. C4 is no longer in wide use, but it +was, due to its extreme simplicity a phreak favorite. + CCITT number five (C5) is still the world's number one overseas signalling +method; over 80 percent of all overseas trunks use it. The "plieks" and tones +on Pink Floyd's "The Wall" are C5, but the producer edited it, revealing an +incomplete number with the old code for Londen. He also botched the cadance +of the address signalling very badly, yet it really sounds OK to the ear as +perhaps the only example most Americans have of what an overseas call sounds +like! + In actual overseas working, one-half second of 2400 and 2600Hz, compound, +is sent (clear forward) followed by just the 2400Hz (seize), which readies +the trunk for the address signalling. All address signals are preceded with +KP1 (code 13) for terminal traffic, plus a discriminating digit for the class +of call and the number. The last digit is ST (code 15) to tell the system +signalling is over. For international transit working, KP2 (code 14) is used +to tell the system a country code follows, after which the procedure is +identical to the terminal procedure. + CCITT six and seven (C6 and C7) are not directly accessible from the +customer's line, yet many "inband" systems interface to both of thes. C6 is +also called Common Channel Interoffice Signalling (CCIS) and as its name +implies, a dedicated line carries all the setup information for a group of +trunks. Modems (usually 1200 Bps) are used at each end of the circuit. CCIS +is cheaper, and as an added benefit, killed all the child's play blue boxing +that was common in the states in the 60's and early 70's. In the early 80's +fiber and other digital transmission became commonplace, and a new signalling +standard was required. C7 places all line, address, and result (backward) +signalling on a Time Division Multiplexed Circuit (TDM and TDMC) along with +everything else like data and voice. All ISDN systems require the use of SS7 +to communicate on all levels from local to worldwide. + The ITU/CCITT has developed a signalling system for very wide and general +use. One called "The European System", R2 has become a very widespread inter- +national system used on all continents. R2 is the most versatile end-to-end +system ever developed. It is a two-way system like C7 and comes in two forms, +analog and digital, both fully compatible with each other. R2 has completely +replaced C4, with the possible exception of a few very remote areas where it +works into R2 using using registers. Two groups of fifteen, two of six MF +tones are used for each direction, the high frequency group forward and the +low group backward. Line signalling can be digital with two channels or out- +of-band at 3825Hz, DC, or in cases of limited bandwidth on trunks, can use the +C4 line signals, just the 2040 + 2400Hz or 3000Hz or even backward signals +sent in a forward direction. The signals can be digitally quantised using the +A-law or u-law codec standards, resulting in compatible signals for analog +lines. In international working, only a small part of the standard is man- +datory with a massive number of options available. For national working, an +ample number of MF combinations are "reserved for national use", providing +an expandable system with virtually limitless capabilities. R2 is the "system +of the nineties" and mastering this, for the first time, allows the phone +phreak "to hold the whole world in his hands" in a manner that the person who +coined this phrase could have only dreamed of in the early seventies! + With the exception of bilateral agreements between neighboring countries to +make each other's national systems compatible, especially in border regions, +all international systems in use are: C5, C6, C7, and R2. R2 is limited to a +single numbering region by policy and must use one of the three remaining +systems for overseas working. There are few technical limitations to prevent +R2 from working with satellites, TASI, or other analog/digital underseas +cables. The spec is flexible enough to allow overseas working, but is not +done at the present time. R2 is likely to displace C5 on the remaining analog +trunks in the near future. + +DTMF is on a 4x4 matrix, one tone from a row and one from a column. + 1=697+1209, etc. + + 1209 1336 1477 1633 + 697 1 2 3 A + 770 4 5 6 B + 852 7 8 9 C + 941 * 0 # D + +MF signalling, often used to signal between pionts, uses a 2 of 6 matrix. +Each tone has a weighting which adds up to an unique number. The three +standard sets of tones use this system. + + Digit Weighting + 1 0+1 + 2 0+2 + 3 1+2 + 4 0+4 + 5 1+4 + 6 2+4 + 7 0+7 + 8 1+7 + 9 2+7 + 0 (Code 10) 4+7 + 11 (Code 11) 0+12 + 12 (Code 12) 1+12 + KP1 (Code 13) 2+12 + KP2 (Code 14) 3+12 + ST (Code 15) 7+12 + +For C5, either KP is 100mS and each digit lasts 50mS. A 50mS off time is used +between each digit. For older R1 systems, the KP is 100mS and each digit is +68mS on and 68mS off. Modern systems are C5 compatible and use the C5 timing. +In North America, an additional 50 or 68mS pause is inserted before the last +digit. +Example: KP18(pause)2ST.....KP03120600148(pause)0ST. This pattern was added +about 15 years ago and appears to be unnecessary, except to give an audible +indication of false (blue box) signalling. Its is is HIGHLY recommended for +phreaks where it is normally used by the telco! R2 is a COMPELLED system +where reception of the forward signal produces a backward signal, which at +its reception, stops the forward signal. The stopping of the forward signal +stops the backward signal, and when the stopping of the backward signal is +detected, a new forward signal is generated. This goes back and forth until +all the information is transmitted. The backward signal (usually "1", send +next digit) tells the sendig end what to send next. See the CCITT Red Book +or Welch for complete information on both systems. + + Weight MFC R2 forward R2 Backward + 0 700 1380 1140 + 1 900 1500 1020 + 2 1100 1620 900 + 4 1300 1740 780 + 7 1500 1860 660 + 12 1700 1980 540 + +C4 is the old European signalling system. The address signals have 35mS pause +between each beep and 100mS pause (minimum) between each digit. Minimum time +to send a digit (including pause) is 345mS. This system is limited use today, +if at all. + + x: 2040 35mS (binary "1") + y: 2400 35mS (binary "0") + X: 2040 100mS + Y: 2400 100mS + XX: 2040 350mS + YY: 2400 350mS + P: 2040+2400 150mS + + Clear Forward: PXX + Transit Seizure: PX + Forward Transfer: PYY + Terminal Seizure: PY + 1: yyyx + 2: yyxy + 3: yyxx + ... + 14: xxxy + 15: xxxx + 16: yyyy + + + Place Event Freq Cadance + ========================================================================= + N. America dialtone 350+440 Continuous + ring 440+480 2s on 4s off + busy 480+620 0.5s on 0.5s off + fast busy 480+620 0.25 on 0.25 off + England ring 450+500 0.25 on 0.5 off + (Australia,New Zealand, 0.25 on 2.0 off + etc.) + Japan ring 450+500 1.0 on 2.0 off + Holland dialtone 150+450 Continuous + (450 at -8dB) + most of world all 400 or 440 (See text) + SIT 950, 1400, 1800 (See text) + + + Most of the world's phone systems use only one low pitched tone to represent +all calling status. The most common tones in use are 400Hz, 440Hz and 450Hz. +In some cases the tones are modulated, usually AM, at 25 or 50Hz at variable +depths. In some old switches, the ring modulates the tone, or it is just the +harmonics of the ring frequency, which is usually 25Hz, but can be other +frequencies, producing the "fart ring". Cadances for the busy are either the +fast at 0.25 on and 0.25 off, or the slow at 0.5 on and 0.5 off. Ring signals +are usually on one second and off for two, but can vary. In Iraq, the ring is +continuous! The SIT (Subscriber Information Tone) is 950 then 1400 and then +1800Hz. The total length is about one second. The lengths of the individual +tones are sometimes variable to impart different meanings for automatic +detection. + + + National Signalling Systems + --------------------------- + + CCITT 1, 2 and 3 are early international standards for signalling the +distant end. C1 is just a 500Hz line signalling tone, and was used to alert +the operator at a distant switchboard that there was traffic and no DC path, +due to amplifiers or repeaters on a relatively long circuit. C1 has only one +line signalling function (forward transfer) and no address signalling. It is +probably used nowhere. + CCITT 2 was the first international standard that used address signalling, +allowing automatic completion of calls. Two frequencies, 600Hz and 750Hz, +were used for line signalling and by pulsing between the two frequencies, +representing make and break, of the loop current at the distant end during +signalling, calls were automatically pulse dialable. You may actually find +this system in limited use in very remote parts of Australia or South Africa. +Fairly high signalling levels are required and may very well make customer +signalling impossible, unless you are right there. Travel to both the above +countries should be fascinating however for both phone play and cultural +experience! + CCITT 3 is an improved pulse system. Onhook is represented by the presence +of 2280Hz and offhook by the absence of 2280Hz. This exact system is still +used in a surprising number of places. Pulse-dial PBX's often use C3 to signal +distant branches of a company over leased lines. Signalling for this system +is generally at a much lower level than C2: The tones will propagate over any +phone line. + A system from the early 50's is called R1. Many people remember R1 as the +Blue boxes of the 60's and 70's . R1 is still in wide use in the United +States, Canada and Japan. The use of 2600Hz for line signalling is quite rare +in the 90's, but can be found in all of the above countries. Address signal- +ling uses the MFC standard which is a combination of two of six tones +between 700Hz and 1700Hz as in CCITT 5. Alsmost all R1 used either "out of +band" signalling at 3825Hz or 3350Hz or some form of digital or DC line +signalling. To use this system from home one must find an indirect method of +using the "out of band" signalling. In North America, most signalling from +your central office to your long distance carrier is R1, as is most OSPS/ +TSPS/TOPS operator traffic. + Pulse systems like CCITT 2 and 3 are still used in national systems. In +North America, the C3 standard using 2600Hz in place of 2280 for national +working was commonplace through the 70's and still has limited end-to-end use +today. "End-to-end" use refers to sending just the last few digits (usually +five) to complete the call at the distant end. The only use this may have to +the phreak would be to make several calls to a single locality on one quarter. +It may be possible that a certain code would drop you into an R1, but you +just have to experiment! This type of system is referred to as 1VF, meaning +"one Voice Frequency". The other standard frequency, for use outside North +America, is 2400Hz. A national system using two voice frequencies (2VF) may +still be used in remote areas of Sweden and Norway. The two frequencies are +2400Hz and 2600Hz. Playing these two systems in Europe predates the cracking +of the R1 and C5 systems in the late 50's and early 60's respectively. The +first phone phreak was probably in Sweden. + Common Channel Interoffice Signalling (CCIS) is CCITT 6 developed for +national use and employing features that are of interest to national admini- +strations. R1 often plays into a gateway being converted to CCIS and CCIS +will play into a gateway that converts to C5, C6 or C7 for international +working. The bulk of the ATT net is CCIS in North America, while R1 is often +used by your CO talk to it and the lessel networks. CCITT 7 is the digital +system and is the same nationally as internationally. C7 allows the greatest +efficiency of all systems and will in time be the world system. C7 has much +more speed and versatility than R2, but is a digital only system. All fiber +optic systems employ SS7 (C7). + No discussion of systems is complete without mentioning Socotel. Socotel is +a general system developed by the French. It is a hodgepodge of many systems, +using MFC, pulse tone, pulse AC and pulse DC system. Most (all?) line +signalling tones can be used. An inband system can use 2500Hz as a clear +forward and 1700 or 1900Hz for seize or, in Socotel terms, "confirm". Most +line signalling today is "out of band", but unlike normal outband signalling, +it is below band: DC, 50Hz or 100Hz. It is a "brute force" system using 100V +levels, insuring no customer has a chance of getting it directly! Call setup +on the AC systems often has a very characteristic sound of of short bursts of +50Hz or 100Hz buzz, followed by the characteristic French series of 500 Hz +beeps to alert the customer that the call has been received from the Socotel +by the end office and is now being (pulse) dialed. Calls often don't make it +through all the gateways of a Socotel system, sometimes giving the French +phreak a surprise access where it stuck! + On a national level there are even more systems and some are very bizarre. +Some use backward R2 tones in the forward direction for line signalling, +giving analog lines the versatility of digital line signalling. There have +been some interlocal trunks that actually used DTMF in place of MF! The +"Silicon Valley" was once served by DTMF trunks for instance. When I visited +my local toll office and was told this and pressed for an answer as to why, +I was told "We had extra (expensive then) DTMF receivers and used them!" As +a phreak, be ready for anything as you travel the world. + + + Stuff to read + ------------- + + Signalling in Telecommunications Networks, S. Welch, 1979 + ISBN 0 906048 044 + The Institution of Electrical Engineers, Londen & New York + CCITT Red Book, Blue Book, Green Book and whatever other colors of books + they have, Concentrate on the Q norms. + Telecommunications Engineering, Roger L. Freeman diff --git a/textfiles.com/phreak/PHREAKING/phreakbi.txt b/textfiles.com/phreak/PHREAKING/phreakbi.txt new file mode 100644 index 00000000..ed22e665 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phreakbi.txt @@ -0,0 +1,240 @@ +Unauthorised Access UK 0636-708063 10pm-7am 12oo/24oo + +============================================= +INTRODUCTION TO PHONE-PHREAKING by The Wizard +============================================= + +Preface +======= +LEGAL REQUIREMENTS: I have done, won't do, don't actually know anything about +anything in this document (this message and those following it). I have +absolutely no intention of doing so and all that is here is completely +fictional - Any resemblance to reality is coincidental or guesswork or public +knowledge. I in no way do I advice the reading let alone following of the +information below and it is not in any way to be construed as instructions - +simply a literary excercise in the fiction of intellectual guesswork. + +DESCRIPTION: This in an introduction to what is called 'Phreaking'. It has +interested many people, and may be illegal (perhaps stealing electricity or +breach of BT licence). I DO NOT BY ANY MEANS CLAIM ALL THE INFO BELOW TO BE MY +OWN AND THUS TAKE NO RESPONSIBILITY FOR INACURACY! However I must send my +thanks to everyone / anyone who has contributed - They will know who they are. +About 1/3 to 1/2 the info came to my knowledge through TowerNet:- There are +some pretty good brains out there so SUPPORT THE SYSTEM! I would be most +grateful for any corrections / criticisms / updates or even compliments. + +SOURCE & DISTRIBUTION: This file was written by 'The Wizard' of 'The Wizard's +Tower' Bulletin Board. Permission is granted to distribute this file on the +following conditions: + 1) The actual text remains unammended. Any additions are added at the + end with notes describing their source and date in a readable. The + only possible exception to this is where a portion of the text is + refered to a note at the end where the line may be + added. + 2) It is understood that the Legal Requirements above are abided by by + both the distributors, any intermediate distributors and 'The Wizard' + +The Wizard's Tower is a TowerNet BBS and can be accessed as follows: + Number (UK) : 0295 721532 (thats +44 295 721532 internationally). + Baud rates : V21,22,22bis,23 + Protocol : 8n1, configurable, ARQ available if wanted. + Times : 6pm to 9am, Local Time. + +What is Phreaking +================= + Phreaking is the process by which free or reduced rate calls, or other +interesting effects may be obtained from phone companies. Ofcourse dialling +numbers that aren't ones you know is in breach of contract with BT, which is +probably breaking the law, as is (ofcourse) attaching naughty circuits to your +phone, so thats why ofcourse I have never done any of it myself as breaking the +law is very naughty and if you deprive monopolies of thier profits you deserve +to have your botty spanked. + There are 2 kinds of phreaking (basically speaking) - one involves +actually intercepting the phone-line with devices to fool the charging +equiptment, and the other confusing BT and other things with exchanges by +dialling wierd and wonderful numbers or making devices to sing merrilly down +the line. + The trouble with 'black-boxes' (devices to fool the charging equipment) is +though it is actually illegal for BT to trace any calls without a license etc., +and they can't tell you are phreaking, most if not all black boxes light up a +fault light on older exchanges (which all true blooded BT engineers ignore!). +This lights status could I suppose be used as evidence against you if they ever +felt like suing you. The other major problem, is by their very nature, the way +most black-boxes work is they tell the charging equipment that you have not yet +picked up the phone, thus incoming calls are free (to those who ring you), but +not out-going calls, which is not particularly helpful for some purposes (e.g. +hacking remote systems). Thus their use is limitted, but they do come in +useful. For legal reasons and the fact this is a public-ish 'place' I can't +really give any ciruits away that do this directly. + Use of circuits attached directly to the telephone lines not approoved by +BT is in breach of your license agreement. This has not bothered many people +before, but as honest citizens you really ought not use them.... + +Line Signals +============ + Noises (like engaged, ringing tones etc. and voices) are on the line as +A.C., say down to about 200Hz officially speaking. The peak to peak voltage +signal is smallish, about 1/2 a volt-ish, so in DC terms you can ignore this. +For dialling and charging purposes DC is used. DC voltages are listed below. +There is no set polarity on your line (as BT often swap Line A and Line B - +even when they repair the lines! Thus it is a good idea to have a change over +switch mounted in any circuitry you might make), so set the imaginary meter in +your brain to think of the polarity as 'postive' (+ve) when you pick the phone +up to dial outwards. + +How a call works +================ + Normally on a phone line there is 50V accross the line. When you pick the +phone up for the first time to make an outward going call, the line polarity is ++ve about 12V-ish. Normally (i.e. if the phone wasn't connected) there'd be +about 50V-ish accross the line, but because the phone has a lowish resistance +compared to the series resistance in the exchange, when the phone is in the +circuit 50-100ma is drawn and the voltage accross the line falls. + What happens on LD (Loop-Disconnect or click dialling) is that pulses are +sent down the line by breaking the line once to dial a 1, twice to dial a 2 +etc., 9 times to dial a nine and ten to dial a zero. There are ten pulses sent +down per second, of which 33% is mark (i.e. the line disconnected), and 67% +space (i.e. line normal). In each pulse the line voltage rises to 50 volts +ve, +as theres no current taken by the phone. + Then hopefully BT will connect you to the number. It rings (which on their +phone is a 50V peak either side of zero (ish)) and on your phone is a tone from +their exchange. Their bell takes a little current when it rings and the +exchange notices this ringing (if theres no current flowing it gives number +unobtainable the implication being normally speaking that the lines broken:- On +the new sockets theres an opt-out of service resistor that makes the line draw +current if you don't connect your phone so it seems as though its ringing to +whoevers calling so hundreds of faults reported as broken lines which are only +people unplugging their phone aren't reported if you know what I mean...). + The exchange notices that the phone is picked up (all this info is +possibly more relevant only to the old exchanges) because when the guy you are +ringing picks the reciever up a largish current (50ma or so) flows. Now as the +signal of the ringing is AC of a large voltage (Not quite sure if all this is +completely exact but its pretty near) suddenly on both sides of the cycle a +largish current flows. One side of the cycle simply turns off the ringing tone +at the exchange, the other side is more interesting. If its a local call it +simply activates the your charging meter, otherwise it makes the exchange of +the guy you are ringing send a 2280Hz bleep down the line to your exchange +which activates your charging meter. That is why (a) 2280Hz signalling (see +later) only works on Trunk type calls and (b) you often hear a little blip when +you pick the phone up. 2280Hz.ARC in this room generates a 2280 Hz signal (and +others aswell) from an IBM PC's internal speaker. You will need a machine with +a loud speaker e.g. an Amstrad PC. + If you can't work out how phreak potentials arise from this hotch-potch of +technology then I suggest you sit down and think about it some more.... + +Internal communication over trunk lines +======================================= + All internal communcation between trunk excahnges used to use AC9 (AC +signalling cicuit number 9) to communicate between them. The first thing to +understand about exchanges is that making a call from A to B you are likely to +pass through technology from any period between 1920 to 1988. Each is different +in its characteristics (see Atkinsons Telephony - very helpful on the subject) +but most understand AC9 codes though many will not accept them from the line. + AC9 is a dialling follows internal rather than external dialling codes. +I.e. the numbers exchanges send to eachother to route a call from A to B are +not the same as the numbers you dial on the phone to get from A to B which +presents a problem (In the USA internal dialling codes are very similar to +external dialling codes - very useful) the reason for this is that the internal +dialling codes include routing information. AC9 dialling is very similar to +loop disconnect dialling except that instead of breaking the line, 2280Hz is +sent down, again at 10pps with a 33% / 67% mark space ratio. + Before any AC9 dialling is done, the master tone must be sent down - this +is just a long, loud burst of 2280Hz which will clear the line to an eerie +silence. It also (see above) activates the charging aparatus. 2280Hz master +tones for the reasons above only work on non-local calls (or atleast +non-own-exchange). Thus at first glance AC9ing may seem pointless. However if +you then AC9 elsewhere, you will ofcouse be charged only at the rate at which +you rang out. I.e. if you ring an 'A' rate number or possibly a local number +starting with an '0' (yes there are some) and then AC9ed down the code for +international dialling (it may not be 010 as again internal codes are +different) then you would suddenly find yourself with a dialling tone and be +able to dial abroad at 'L' or 'A' rates (in theory). + In practise the internal dialling codes complexities are often a great +problem (I THINK the last 4 5 or 6 digits of the internal & external dialling +codes are normally identical but I dunno much about internal dialling codes - +best ask a BT engineer who is corrupt!), and so is the fact that a LOUD 2280Hz +is needed as it is filtered out at exchanges. It is rumoured that if these +filters capacity is exceeded, in some exchanges alarms go off but this seems a +little unlikely especially with the old exchanges. + What I can give you is a little hint - the internal code for a number +which is in the same district is 1, i.e. to dial 01-234-5678 after clearing the +line on ringing 01-987-6543, the code would be 1-234-5678 (I think). Also you +will find various internal operators on 1105, 1107 (presumably equal to what +would happen if you dialled 105 & 107 normally if it weren't blocked by the +exchange??) and other wierd things on other 11XX numbers e.g. 1100 & 1107. You +might try all the standard test no.s prefixed by a 1. + + Internal Communication for AC9 and normal pulse dialling specifications: + Pulse rate : 10 pps + % break : 67% + % pulse : 33% + Interdigit interval : 800ms + Cycle time : Digit dependant + + The newer system X type exchanges and the US exchanges use a different +system for signalling. Again they use a master tone to clear the line, and then +what happens is dual tone multi-frequency dialling is used (i.e. like normal +tone dialling but with different frequencies). Below follows a list of +frequencies as far as I know. The way they work, is as above in terms of +dialling codes I think, but the stuff you send is + . The tones are shortish in duration (as in tone +dialling. Tone dialling freqs are also listed below. + + Internal frequencies + ==================== + Frequency Hz| Tone dialling (US & UK) UK Internal US Internal + ================================================================== + Master | ---- | 2280 | 2600 | + 1 | 697, 1209 | 1380, 1500 | 700, 900 | + 2 | 697, 1336 | 1380, 1620 | 700, 1100 | + 3 | 697, 1477 | 1500, 1620 | 900, 1100 | + 4 | 770, 1209 | 1380, 1740 | 700, 1300 | + 5 | 770, 1336 | 1500, 1740 | 900, 1300 | + 6 | 770, 1477 | 1620, 1740 | 1100, 1300 | + 7 | 852, 1209 | 1380, 1860 | 700, 1500 | + 8 | 852, 1336 | 1500, 1860 | 900, 1500 | + 9 | 852, 1477 | 1620, 1860 | 1100, 1500 | + 0 | 941, 1366 | 1740, 1860 | 1300, 1500 | + Start Keying| 941, 1209 (*) (1740)| 1620, 1980 | 1100, 1700 | + End Keying | 941, 1477 (#) (1860)| 1740, 1980 | 1300, 1700 | + A | 697, 1633 | 1380, 1980 | 700, 1700 | + B | 770, 1633 | 1500, 1980 | 900, 1700 | + C | 852, 1633 (1620)|?1860, 1980 |?1500, 1700 | + D | 941, 1633 | - | - | + ================================================================== + Those figures bracketted indicate 'alternative' values of the 1st UK frequency + for internal dialling from a different source:- though they seem less likely + to be accurate in terms of correspondance with the US frequencies, they are + included in the interests of completeness. + + Tone dialling specifications + ============================ + Tone duration : 100ms + Interdigit interval : 100ms + Cycle Time : 200ms (total time to dial a digit). + Example figures. These are for a Quattro modem but your equiptment should try + & approach these. + Freq. deviation : 1.5% Max + Transmit level : -7dB to +1dB + Tone pair amp. bal. : Higher tone about 2dB greater in amplitude than + lower tone. + + A, B, & D, are used for various purposes. In the older system X type Bell +exchanges in the US, touch tone A,B,C & D are used by the engineers to call up +various test services - just ring the operator there with 1 of the keys A B C +or D held down (especially D) - if it works you will get to a test, if it +doesn't the operator will swear and curse at you. + In internal exchanges such as the Merlin, A, B, C & D touch tones call up +additional services. If your phone for your exchange does not have these +buttons on it, then getting a phone with this '4th column' may add extra +facilities - could be useful! Though I don't (as usual) guarantee anything. + In the US military phone system (AUTOVON), A, B, C & D provide various +military prorities: Flash, Flash Override, Priority and Priority interrupt - +what does what who knows but its meant to speed wartime & wargame +communication. + What A,B & C frequencies do on the internal network I am afraid I don't +know. I am not sure the frequency allocated to C is even used! But I have +heard they are used as control signals and for the routing mechanism in the UK. +Someone even told me that they did + + diff --git a/textfiles.com/phreak/PHREAKING/phreaker.fun b/textfiles.com/phreak/PHREAKING/phreaker.fun new file mode 100644 index 00000000..fdccd5e3 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phreaker.fun @@ -0,0 +1,385 @@ + + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + /-/ /-/ + /-/ PHREAKER'S /-/ + /-/ PHUNHOUSE /-/ + /-/ /-/ + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + /-/ BY: /-/ + /-/ THE TRAVELER /-/ + /-/ /-/ + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + + THE LONG AWAITED PREQUIL TO PHREAKER'S GUIDE HAS FINALLY ARRIVED. +CONCEIVED FROM THE BOREDOM AND LONELINESS THAT COULD ONLY BE DERIVED FROM: +THE TRAVELER! BUT NOW, HE HAS RETURNED IN FULL STRENGTH (AFTER A SMALL +VACATION) AND IS HERE TO 'WORLD PREMIERE' THE NEW FILES EVERYWHERE. STAY +COOL. THIS IS THE PREQUIL TO THE FIRST ONE, SO JUST RELAX. THIS IS NOT MADE +TO BE AN EXCLUSIVE ULTRA ELITE FILE, SO KINDA CALM DOWN AND WATCH IN THE +BACKGROUND IF YOU ARE TOO COOL FOR IT. + +/-/ PHREAK DICTIONARY /-/ + + HERE YOU WILL FIND SOME OF THE BASIC BUT NECESSARY TERMS THAT SHOULD BE + +KNOWN BY ANY PHREAK WHO WANTS TO BE RESPECTED AT ALL. + + PHREAK : 1. THE ACTION OF USING MISCHEVIOUS AND MOSTLY ILLEGAL + WAYS IN ORDER TO NOT PAY FOR SOME SORT OF TELE- + COMMUNICATIONS BILL, ORDER, TRANSFER, OR OTHER SERVICE. + IT OFTEN INVOLVES USAGE OF HIGHLY ILLEGAL BOXES AND + MACHINES IN ORDER TO DEFEAT THE SECURITY THAT IS SET + UP TO AVOID THIS SORT OF HAPPENING. [FR'EAKING]. V. + + 2. A PERSON WHO USES THE ABOVE METHODS OF DESTRUCTION AND + CHAOS IN ORDER TO MAKE A BETTER LIFE FOR ALL. A TRUE + PHREAKER WILL NOT NOT GO AGAINST HIS FELLOWS OR NARC + ON PEOPLE WHO HAVE RAGGED ON HIM OR DO ANYTHING + TERMED TO BE DISHONORABLE TO PHREAKS. [FR'EEK]. N. + + 3. A CERTAIN CODE OR DIALUP USEFUL IN THE ACTION OF + BEING A PHREAK. (EXAMPLE: "I HACKED A NEW METRO + PHREAK LAST NIGHT.") + + SWITCHING SYSTEM: 1. THERE ARE 3 MAIN SWITCHING SYSTEMS CURRENTLY EMPLOYED + IN THE US, AND A FEW OTHER SYSTEMS WILL BE MENTIONED + AS BACKGROUND. + + A) SXS: THIS SYSTEM WAS INVENTED IN 1918 AND WAS + EMPLOYED IN OVER HALF OF THE COUNTRY UNTIL 1978. IT + IS A VERY BASIC SYSTEM THAT IS A GENERAL WASTE OF + ENERGY AND HARD WORK ON THE LINESMAN. A GOOD WAY TO + IDENTIFY THIS IS THAT IT REQUIRES A COIN IN THE PHONE + BOOTH BEFORE IT WILL GIVE YOU A DIAL TONE, OR THAT NO + CALL WAITING, CALL FORWARDING, OR ANY OTHER SUCH + SERVICE IS AVAILABLE. STANDÓ FOR: STEP BY STEP + + B) XB: THIS SWITCHING SYSTEM WÁS FIRST EMPLOYED IN 1978 + IN ORDER TO TAKE CARE OF MOST OF THE FAULTS OF SXS + SWITCHING. NOT ONLY IS IT MORE EFFICIENT, BUT IT + ALSO CAN SUPPORT DIFFERENT SERVICES IN VARIOUS FORMS. + XB1 IS CROSSBAR VERSION 1. THAT IS VERY LIMITED AND + IS HARD TO DISTINGUISH FROM SXS EXCEPT BY DIRECT VIEW + OF THE WIRING INVOLVED. NEXT UP WAS XB4, CROSSBAR + VERSION 4. WITH THIS SYSTEM, SOME OF THE BASIC THINGS + LIKE DTMF THAT WERE NOT AVAILABLE WITH SXS CAN BE + ACCOMPLISHED. FOR THE FINAL STROKE OF XB, XB5 WAS + CREATED. THIS IS A SERVICE THAT CAN ALLOW DTMF PLUS + MOST 800 TYPE SERVICES (WHICH WERE NOT ALWAYS + AVAILABLE.) STANDS FOR: CROSSBAR. + + C) ESS: A NIGHTMARE IN TELECOM. IN VIVID COLOR, ESS IS + A PRETTY BAD THING TO HAVE TO STAND UP TO. IT IS + QUITE SIMPLE TO IDENTIFY. DIALING 911 FOR EMERGENCIES, + AND ANI [SEE ANI BELOW] ARE THE MOST COMMON FACETS OF + THE DREAD SYSTEM. ESS HAS THE CÁPABILITY TO LIST IN A + PERSON'S CALLER LOG WHAT NUMBER WAS CAÌLED, HOW LONG + THE CALL TOOK, AND EVEN THE STATUS OF THE CONVERSATION + (MODEM OR OTHERWISE.) SINCE ESS HAS BEEN EMPLOYED, + WHICH HAS BEEN VERY ÒECENTLY, IT HAS GONE THROUGH + MANY KINDS OF REÖISIONS. THE LATEST SYSTEM TO DATE IS + ESS 11A, THAT IS EMPLOYED IN WASHINGTON D.C. FOR + SECURITY REASONS. ESS IS TRULY TROUBLE FOR ANY + PHREAK, BECAUSE IT IS 'SMARTER' THAN THE OTHER + SYSTEMS. FOR INSTANCE, IF ON YOUR CALLER LOG THEY SAW + 50 CALÌS TO 1-800-421-9438, THEY WOULD BE ABLE TO DÏ + A CN/A [SEE LOOPHOLES BELOW] ON YOUR NUMBER AND + DETERMINE WHETHER YOU ARE SUBSCRIBED TO THAT SERVICE + OR NOT. THIS MAKES MOST CALLS A HAZARD, BECAUSE + ALTHOUGH 800 NUMBERS APPEAR TO BE FREE, THEY ARE + RECORDED ON YOUR CALLER LOG AND THEN RIGHT BEFORE YOU + RECEIVE YOUR BILL IT DELETES THE BILLINGS FOR THEM. + BUT BEFORE THAT THE ARE OPEN TO INSPECTION, WHICH IS + ONE REASON WHY EXTENDED USE OF ANY CODE IS DANGEROUS + UNDER ESS. SOME OF THE BOXES [SEE BOXING BELOW] ARE + UNABLE TO FUNCTION IN ESS. IT IS GENERALLY A MENACE + TO THE TRUE PHREAK. STANDS FOR: ELECTRONIC SWITCHING + SYSTEM. BECAUSE THEY COULD APPEAR ON A FILTER + SOMEWHERE OR MAYBE IT IS JUST NICE TO KNOW THEM + ANYWAYS. + + A) SSS: STROWGER SWITCHING SYSTEM. FIRST + NON-OPERATOR SYSTEM AVAILABLE. + + B) WES: WESTERN ELECTRONICS SWITCHING. USED ABOUT 40 + YEARS AGO WITH SOME MINOR PLACES OUT WEST. + + BOXING: 1) THE USE OF PERSONALLY DESIGNED BOXES THAT EMIT OR + CANCEL ELECTRONICAL IMPULSES THAT ALLOW SIMPLER + ACTING WHILE PHREAKING. THROUGH THE USE OF SEPARATE + BOXES, YOU CAN ACCOMPLISH MOST FEATS POSSIBLE WITH + OR WITHOUT THE CONTROL OF AN OPERATOR. + + 2) SOME BOXES AND THEIR FUNCTIONS ARE LISTED BELOW. + ONES MARKED WITH '*' INDICATE THAT THEY ARE NOT + OPERATABLE IN ESS. + + *BLACK BOX: MAKES IT SEEM TO THE PHONE COMPANY THAT + THE PHONE WAS NEVER PICKED UP. + + BLUE BOX : EMITS A 2600HZ TONE THAT ALLOWS YOU TO DO + SUCH THINGS AS STACK A TRUNK LINE, KICK + THE OPERATOR OFF LINE, AND OTHERS. + + RED BOX : SIMULATES THE NOISE OF A QUARTER, NICKEL, + OR DIME BEING DROPPED INTO A PAYPHONE. + + CHEESE BOX : TURNS YOUR HOME PHONE INTO A PAY PHONE TO + THROW OFF TRACES (A RED BOX IS USUALLY + NEEDED IN ORDER TO CALL OUT.) + + *CLEAR BOX : GIVES YOU A DIAL TONE ON SOME OF THE OLD + SXS PAYPHONES WITHOUT PUTTING IN A COIN. + + BEIGE BOX : A SIMPLER PRODUCED LINESMAN'S HANDSET THAT + ALLOWS YOU TO TAP INTO PHONE LINES AND + EXTRACT BY EAVESDROPPING, OR CROSSING + WIRES, ETC. + + PURPLE BOX : MAKES ALL CALLS MADE OUT FROM YOUR HOUSE + SEEM TO BE LOCAL CALLS. + + ANI [ANI]: 1) AUTOMATIC NUMBER IDENTIFICATION. A SERVICE + AVAILABLE ON ESS THAT ALLOWS A PHONE SERVICE [SEE + DIALUPS BELOW] TO RECORD THE NUMBER THAT ANY CERTAIN + CODE WAS DIALED FROM ALONG WITH THE NUMBER THAT WAS + CALLED AND PRINT BOTH OF THESE ON THE CUSTOMER BILL. + 950 DIALUPS [SEE DIALUPS BELOW] ARE ALL DESIGNED + JUST TO USE ANI. SOME OF THE SERVICES DO NOT HAVE + THE PROPER EQUIPMENT TO READ THE ANI IMPULSES YET, + BUT IT IS IMPOSSIBLE TO SEE WHICH IS WHICH WITHOUT + BEING BUSTED OR NOT BUSTED FIRST. + + DIALUPS [DY'L'UPS]: 1) ANY LOCAL OR 800 EXTENDED OUTLET THAT ALLOWS INSTANT + ACCESS TO ANY SERVICE SUCH AS MCI, SPRINT, OR AT&T + THAT FROM THERE CAN BE USED BY HANDPICKING OR USING + A PROGRAM TO REVEAL OTHER PEOPLES CODES WHICH CAN + THEN BE USED MODERATELY UNTIL THEY FIND OUT ABOUT + IT AND YOU MUST SWITCH TO ANOTHER CODE (PREFERRABLY + BEFORE THEY FIND OUT ABOUT IT.) + + 2) DIALUPS ARE EXTREMELY COMMON ON BOTH SENSES. SOME + DIALUPS REVEAL THE COMPANY THAT OPERATES THEM AS + SOON AS YOU HEAR THE TONE. OTHERS ARE MUCH HARDER + AND SOME YOU MAY NEVER BE ABLE TO IDENTIFY. A SMALL + LIST OF DIALUPS: + + 1-800-421-9438 (5 DIGIT CODES) + 1-800-547-6754 (6 DIGIT CODES) + 1-800-345-0008 (6 DIGIT CODES) + 1-800-734-3478 (6 DIGIT CODES) + 1-800-222-2255 (5 DIGIT CODES) + + 3) CODES: CODES ARE VERY EASILY ACCESSED PROCEDURES + WHEN YOU CALL A DIALUP. THEY WILL GIVE YOU SOME SORT + OF TONE. IF THE TONE DOES NOT END IN 3 SECONDS, + THEN PUNCH IN THE CODE AND IMMEDIATELY FOLLOWING THE + CODE, THE NUMBER YOU ARE DIALING BUT STRIKE THE + '1' IN THE BEGINNING OUT FIRST. IF THE TONE DOES + END, THEN PUNCH IN THE CODE WHEN THE TONE ENDS. + THEN, IT WILL GIVE YOU ANOTHER TONE. PUNCH IN THE + NUMBER YOU ARE DIALING, OR A '9'. IF YOU PUNCH IN + A '9' AND THE TONE STOPS, THEN YOU MESSED UP A + LITTLE. IF YOU PUNCH IN A TONE AND THE TONE + CONTINUES, THEN SIMPLY DIAL THEN NUMBER YOU ARE + CALLÉNG WITHOUT TÈE '1'. + + 4) ALL CODES ARE NOT UNIVERSAL. THE ONLY TYPE THAT I + KNOW OF THAT IS TRULY UNIVERSAL IS METROPHONE. + ALMOST EVERY MAJOR CITY HAS A LOCAL METRO DIALUP + (FOR PHILADELPHIA, (215)351-0100/0126) AND SINCE THE + CODES ARE UNIVERSAL, ALMOST EVERY PHREAK HAS USED + THEM ONCE OR TWICE. THEY DO NOT EMPLOY ANI IN ANY + OUTLETS THAT I KNOW OF, SO FEEL FREE TO CHECK + THROUGH YOUR BOOKS AND CALL 555-1212 OR, AS A MORE + DEVIOUS MANOR, SUBSCRIBE YOURSELF. THEN, NEVER USE + YOUR OWN CODE. THAT WAY, IF THEY CHECK UP ON YOU DUE + TO YOUR CALLER LOG, THEY CAN USUALLY FIND OUT THAT + YOU ARE SUBSCRIBED. NOT ONLY THAT BUT YOU COULD SET + A PHREAK HACKER AROUND THAT AREA AND JUST LET IT + HACK AWAY, SINCE THEY USUALLY GROUP THEM, AND, AS A + BONUS, YOU WILL HAVE THEIR LOCAL DIALUP. + + 5) 950'S. THEY SEEM LIKE A PERFECTLY COOL PHREAKERS + DREAM. THEY ARE FREE FROM YOUR HOUSE, FROM PAYPHONES, + FROM EVERYWHERE, AND THEY HOST ALL OF THE MAJOR LONG + DISTANCE COMPANIES (950-1044 , 950-1077 + , 950-1088 , 950-1033 .) WELL, THEY AREN'T. THEY WERE DESIGNED FOR + ANI. THAT IS THE POINT, END OF DISCUSSION. + + A PHREAK DICTIONARY. IF YOU REMEMBER ALL OF THE THINGS CONTAINED ON THAT +FILEUP THERE, YOU MAY HAVE A BETTER CHANCE OF DOING WHATEVER IT IS YOU DO. THIS +NEXT SECTION IS MAYBE A LITTLE MORE INTERESTING... + +BLUE BOX PLANS: +--------------- + + THESE ARE SOME BLUE BOX PLANS, BUT FIRST, BE WARNED, THERE HAVE BEEN 2600HZ +TONE DETECTORS OUT ON OPERATOR TRUNK LINES SINCE XB4. THE IDEA BEHIND IT IS TO +USE A 2600HZ TONE FOR A FEW VERY NAUGHTY FUNCTIONS THAT CAN REALLY MAKE YOUR DAY +LIGHTEN UP. BUT FIRST, HERE ARE THE PLANS, OR THE HEART OF THE FILE: + +700 : 1 : 2 : 4 : 7 : 11 : +900 : + : 3 : 5 : 8 : 12 : +1100 : + : + : 6 : 9 : KP : +1300 : + : + : + : 10 : KP2 : +1500 : + : + : + : + : ST : + : 700 : 900 :1100 :1300 :1500 : + + STOP! BEFORE YOU DIEHARD USERS START PIECING THOSE LITTLE TONE TIDBITS +TOGETHER, THERE IS A SIMPLER METHOD. IF YOU HAVE AN APPLE-CAT WITH A PROGRAM +LIKE CAT'S MEOW IV, THEN YOU CAN GENERATE THE NECESSARY TONES, THE 2600HZ TONE, +THE KP TONE, THE KP2 TONE, AND THE ST TONE THROUGH THE DIAL SECTION. SO IF YOU +HAVE THAT I WILL ASSUME YOU CAN BOOT IT UP AND IT WORKS, AND I'LL DO YOU THE +FAVOR OF TELLING YOU AND THE OTHER USERS WHAT TO DO WITH THE BLUE BOX NOW THAT +YOU HAVE SOMEHOW CONSTRUCTED IT. THE CONNECTION TO AN OPERATOR IS ONE OF THE +MOST WELL KNOWN AND USED WAYS OF HAVING FUN WITH YOUR BLUE BOX. YOU SIMPLY DIAL +A TSPS (TRAFFIC SERVICE POSITIONING STATION, OR THE OPERATOR YOU GET WHEN YOU +DIAL '0') AND BLOW A 2600HZ TONE THROUGH THE LINE. WATCH OUT! DO NOT DIAL THIS +DIRECT! AFTER YOU HAVE DONE THAT, IT IS QUITE SIMPLE TO HAVE FUN ×ITH IT. BLO× A +KP TONE TO START A CALL, A ST TONE TO STOP IT, AND A 2600HZ TONE TO HANG UP. +ONCE YOU HAVE CONNECTED TO IT, HERE ARE SOME FUN NUMBERS TO CALL WITH IT: + + 0-700-456-1000 TELECONFERENCE (FREE, BECAUSE YOU ARE THE OPERATOR!) + (AREA CODE)-101 TOLL SWITCHING + (AREA CODE)-121 LOCAL OPERATOR (HEHE) + (AREA CODE)-131 INFORMATION + (AREA CODE)-141 RATE & ROUTE + (AREA CODE)-181 COIN REFUND OPERATOR + (AREA CODE)-11511 CONFERENCE OPERATOR (WHEN YOU DIAL 800-544-6363) + + WELL, THOSE WERE THE TONE MATRIX CONTROLLERS FOR THE BLUE BOX AND SOME +OTHER HELPFUL STUFF TO HELP YOU TO START OUT WITH. BUT THOSE ARE ONLY THE +FUNCTIONS WITH THE OPERATOR. THERE ARE OTHER K-FUN THINGS YOU CAN DO WITH IT. + + MORE ADVANCED BLUE BOX STUFF: + + OOPS. SMALL MISTAKE UP THERE. I FORGOT TONE LENGTHS. UM, YOU BLOW A TÏNE +PAIR OUT FOR UP TO 1/10 OF A SECOND WITH ANOTHER 1/10 SECOND FOR SILENCE BETWEEN +THE DIGITS. KP TÏNES SHOULD BE SENT FOR 2/10 OF A SECOND. ONE WAY TO CONFUSE THE +2600HZ TRAPS IS TO SEND PINK NOISE OVER THE CHANNEL (FOR ALL OF YOU THAT HAVE +DECENT BSR EQUALIZERS, THERE IS MAJOR PINK NOISE IN THERE.) USING THE OPERATOR +FUNCTIONS IS THE USE OF THE 'INWARD' TRUNK LINE. THAT IS WORKING IT FROM THE +INSIDE. FROM THE 'OUTWARD' TRUNK, YOU CAN DO SUCH THINGS AS MAKE EMERGENCY +BREAKTHROUGH CALLS, TAP INTO LINES, BUSY ALL OF THE LINES IN ANY TRUNK (CALLED +'STACKING'), ENABLE OR DISABLE THE TSPS'S, AND FOR SOME 4A SYSTEMS YOU CAN EVEN +RE-ROUTE CALLS TO ANYWHERE. + + ALL RIGHT. THE ONE THING THAT EVERY COMPLETE PHREAK GUIDE SHOULD BE WITHOUT +IS BLUE BOX PLANS, SINCE THEY WERE ONCE A VITAL PART OF PHREAKING. ANOTHER THING +THAT EVERY COMPLETE FILE NEEDS IS A COMPLETE LISTING OF ALL OF THE 800 NUMBERS +AROUND SO YOU CAN HAVE SOME MORE FUN. + + /-/ 800 DIALUP LISTINGS /-/ + +1-800-345-0008 (6) 1-800-547-6754 (6) +1-800-245-4890 (4) 1-800-327-9136 (4) +1-800-526-5305 (8) 1-800-858-9000 (3) +1-800-437-9895 (7) 1-800-245-7508 (5) +1-800-343-1844 (4) 1-800-322-1415 (6) +1-800-437-3478 (6) 1-800-325-7222 (6) + + ALL RIGHT, SET CAT HACKER 1.0 ON THOSE NUMBERS AND HAVE A FUCK OF A DAY. +THAT IS ENOUGH WITH 800 CODES, BY THE TIME THIS GETS AROUND TO YOU I DUNNO WHAT +STATE THOSE CODES WILL BE IN, BUT TRY THEM ALL OUT ANYWAYS AND SEE WHAT YOU GET. +ON SOME 800 SERVICES NOW, THEY HAVE AN OPERATOR WHO WILL ANSWER AND ASK YOU FOR +YOUR CODE, AND THEN YOUR NAME. SOME WILL SWITCH BACK AND FORTH BETWEEN VOICE AND +TONE VERIFICATION, YOU CAN NEVER BE QUITE SURE WHICH YOU WILL BE UP AGAINST. + + ARMED WITH THIS KNOWLEDGE YOU SHOULD BE HAVING A PRETTY GOOD TIME PHREAKING +NOW. BUT CLASS ISN'T OVER YET, THERE ARE STILL A COUPLE IMPORTANT RULES THAT YOU +SHOULD KNOW. IF YOU HEAR CONTINUAL CLICKING ON THE LINE, THEN YOU SHOULD ASSUME +THAT AN OPERATOR IS MESSING WITH SOMETHING, MAYBE EVEN LISTENING IN ON YOU. IT +IS A GOOD IDEA TO CALL SOMEONE BACK WHEN THE PHONE STARTS DOING THAT. IF YOU +WERE USING A CODE, USE A DIFFERENT CODE AND/OR SERVICE TO CALL HIM BACK. + + A GOOD WAY TO DETECT IF A CODE HAS GONE BAD OR NOT IS TO LISTEN WHEN THE +NUMBER HAS BEEN DIALED. IF THE CODE IS BAD YOU WILL PROBABLY HEAR THE PHONE +RINGING MORE CLEARLY AND MORE QUICKLY THAN IF YOU WERE USING A DIFFERENT CODE. +IF SOMEONE ANSWERS VOICE TO IT THEN YOU CAN IMMEDIATELY ASSUME THAT IT IS AN +OPERATIVE FOR WHATEVER COMPANY YOU ARE USING. THE FAMED '311311' ÃOÄE FOR METRO +IS ONE OF THOSE. YOU WOULD HAVE TO BE QUITE STUPID TO ACTUALLY RESPOND, BECAUSE +WHOEVER YOU ASK FOR THE OPERATOR WILL ALWAYS SAY 'HE'S NOT IN RIGHT NOW, CAN I +HAVE HIM CALL YOU BACK?' AND THEN THEY WILL ASK FOR YOUR NAME AND PHONE NUMBER. +SOME OF THE MORE SOPHISTICATED COMPANIES WILL ACTUALLY GIVE YOU A CARRIER ON A +LINE THAT IS SUPPOSED TO GIVE YOU A CARRIER AND THEN JUST HAVE GARBAGE FLOW +ACROSS THE SCREEN LIKE IT WOULD WITH A BAD CONNECTION. THAT IS A FEEBLE EFFORT +TO MAKE YOU THINK THAT THE CODE IS STILL WORKING AND MAYBE GET YOU TO DIAL +SOMEONE'S VOICE, A GOOD TEST FOR THE CARRIER TRICK IS TO DIAL A NUMBER THAT WILL +GIVE YOU A CARRIER THAT YOU HAVE NEVER DIALED WITH THAT CODE BEFORE, THAT WILL +ALLOW YOU TO DETERMINE WHETHER THE CODE IS GOOD OR NOT. FOR OUR NEXT SECTION, A +LIGHTER LOOK AT SOME OF THE THINGS THAT A PHREAK SHOULD NOT BE WITHOUT. A +VOCABULARY. A FEW MONTHS AGO, IT WAS A QUITE STRANGE WORLD FOR THE MODEM PEOPLE +OUT THERE. BUT NOW, A PHREAKER'S VOCABULARY IS ESSENTIAL IF YOU WANNA MAKE A +GOOD IMPRESSION ON PEOPLE WHEN YOU POST WHAT YOU KNOW ABOUT CERTAIN SUBJECTS. + + /-/ VOCABULARY /-/ + + - DO NOT MISSPELL EXCEPT CERTAIN EXCEPTIONS: + + PHONE -> FONE + FREAK -> PHREAK + + - NEVER SUBSTITUTE 'Z'S FOR 'S'S. (I.E. CODEZ -> CODES) + + - NEVER LEAVE MANY CHARACTERS AFTER A POST (I.E. HEY DUDES!#!@#@!#!@) + + - NEVER USE THE 'K' PREFIX (K-KOOL, K-RAD, K-WHATEVER) + + - DO NOT ABBREVIATE. (I GOT LOTSA WARES W/ DOCS) + + - NEVER SUBSTITUTE '0' FOR 'O' (R0DENT, L0ZER). + + - FORGET ABOUT YE OLD UPPER CASE, IT LOOKS RUGGYISH. + + ALL RIGHT, THAT WAS TO RELIEVE THE TENSION OF WHAT IS BEING DRILLED INTO +YOUR MINDS AT THE MOMENT. NOW, HOWEVER, BACK TO THE TEACHING COURSE. HERE ARE +SOMETHINGS YOU SHOULD KNOW ABOUT PHONES AND BILLINGS FOR PHONES, ETC. + + LATA: LOCAL ACCESS TRANSFERENCE AREA. SOME PEOPLE WHO LIVE IN LARGE CITIES +OR AREAS MAY BE PLAGUED BY THIS PROBLEM. FOR INSTANCE, LET'S SAY YOU LIVE IN THE +215 AREA CODE UNDER THE 542 PREFIX (AMBLER, FORT WASHINGTON). IF YOU WENT TO +DIAL IN A BASIC METRO CODE FROM THAT AREA, FOR INSTANCE, 351-0100, THAT MIGHT +NOT BE COUNTED UNDER UNLIMITED LOCAL CALLING BECAUSE IT IS OUT OF YOUR LATA. +FOR SOME LATA'S, YOU HAVE TO DIAL A '1' WITHOUT THE AREA CODE BEFORE YOU CAN +DIAL THE PHONE NUMBER. THAT COULD PROVE A HASSLE FOR US ALL IF YOU DIDN'T +REALIZE YOU WOULD BE BILLED FOR THAT SORT OF CALL. IN THAT WAY, SOMETIMES, IT IS +BETTER TO BE SAFE THAN SORRY AND PHREAK. + + THE CALLER LOG: IN ESS REGIONS, FOR EVERY HOUSEHOLD AROUND, THE PHONE +COMPANY HAS SOMETHING ON YOU CALLED A CALLER LOG. THIS SHOWS EVERY SINGLE NUMBER +THAT YOU DIALED, AND THINGS CAN BE ARRANGED SO IT SHOWED EVERY NUMBER THAT WAS +CALLING TO YOU. THAT'S ONE MAIN DISADVANTAGE OF ESS, IT IS MOSTLY COMPUTERIZED +SO A NUMBER SCAN COULD BE DONE LIKE THAT QUITE EASILY. USING A DIALUP IS AN EASY +WAY TO SCREW THAT, AND IS SOMETHING WORTH REMEMBERING. ANYWAYS, WITH THE CALLER +LOG, THEY CHECK UP AND SEE WHAT YOU DIALED. HMM... YOU DIALED 15 DIFFERENT 800 +NUMBERS THAT MONTH. SOON THEY FIND THAT YOU ARE SUBSCRIBED TO NONE OF THOSE +COMPANIES. BUT THAT IS NOT THE ONLY THING. MOST PEOPLE WOULD IMAGINE "BUT WAIT! +800 NUMBERS DON'T SHOW UP ON MY PHONE BILL!". TO THOSE PEOPLE, IT IS A NICE +THOUGHT, BUT 800 NUMBERS ARE PICKED UP ON THE CALLER LOG UNTIL RIGHT BEFORE THEY +ARE SENT OFF TO YOU. SO THEY CAN CHECK RIGHT UP ON YOU BEFORE THEY SEND IT AWAY +AND CAN NOTE THE FACT THAT YOU FUCKED UP SLIGHTLY AND CALLED ONE TOO MANY 800 +LINES. + + RIGHT NOW, AFTER ALL OF THAT, YOU SHOULD HAVE A PRETTY GOOD IDEA OF HOW TO +GROW UP AS A GOOD PHREAK. FOLLOW THESE GUIDELINES, DON'T SHOW OFF, AND DON'T +TAKE UNNECESSARY RISKS WHEN PHREAKING OR HACKING. + + /-/ CREDITS /-/ + + TO THE VIDEOSMITH - FOR SETTING ME STRAIGHT ON SOME SHIT. + TO THE LINESMAN - FOR TELLING ME TO UPLOAD IT TO HIS AE LINE. + TO MODERN MUTANT - FOR MAKING ME INTO A PHREAKING FREAK. + TO JACK THE NIBBLER- FOR THE BASIS OF THE BLUE BOX PLANS. + + /---------------------------------\ + \ BULLETIN BOARD LIST \ + \ --------------------- \ + \ SIRIUS CYBERNETIC'S BBSYSTEM \ + \ 808-521-3306 40MEGS \ + \---------------------------------/ + + LATER, + +THE TRAVELER diff --git a/textfiles.com/phreak/PHREAKING/phreakers.dicti b/textfiles.com/phreak/PHREAKING/phreakers.dicti new file mode 100644 index 00000000..e9c05938 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phreakers.dicti @@ -0,0 +1,408 @@ + + Phreaker's Dictionary + + + +A & A BUREAU--Abuse and annoyance bureau. The personnel in this +line of work spend their time helping customers get rid of nuts, +obscene callers, harassing collectors, etc. + +ACCESS--The existence of paths within a network from an input +terminal to a set of output terminals in the absence of traffic +is indicated by the term, ACCESS. Full access permits connecting +to all output terminals by unique paths; multiple access +indicates that all output terminals can be reached in more than +one way; partial access refers to the ability to reach only a +fraction of the output terminals. + +ACCESSIBILITY--(availability)--The number of trunks of the +required route in a switching network which can be reached from +an inlet. + +ADAPTOR--A device designed to switch a number of voice-frequency +telephone channels coming from a non-time-division switching +system to a time-division multiplex highway. + +ALTERNATE ROUTING--A procedure by which several routes involve +different switching stages or switching networks. Usually the +route having the fewest switching stages is tested first. + +ANALOG TRANSMISSION--The transmission of continuously variable +signals rather than descretely variable signals. Prior to the use +of digital encoding and PCM, it was the only way of transmitting +voice signals over telephone channels. + +AREA CODE--A three-digit prefix dialed ahead of the normal +seven-digit telephone number to permit direct distance dialing. + +ASYNCHRONOUS SYSTEM--A system in which the transmission of each +information character is individually synchronized usually by the +use of start and stop elements. + +AVERAGE HOLDING TIME--The average duration of a call expressed in +seconds or minutes. + +BIT--The smallest binary unit of information. A contraction of +the words binary digit. + +BIT RATE--The rate or speed at which bits are transmitted. Bits +per second is a common measure. + +BLOCKING (CONGESTION)--A condition where the immediate +establishment of a new connection is impossible due to the lack +of available paths, or the inability to interconnect two idle +network terminals because some of the applicable links between +them are used for other connections. + +BOOLEAN ALGEBRA--A form of nonquantitative algebra for dealing +with logic funtions, originally expressed by British +mathematician George Boole (1815-1864). +B.O.S.--Business Office Supervisor. She's the boss to the service +reps. + +BROADBAND EXCHANGE (BEX)--Public switched communication system +featuring full duplex (FDX) connections of various bandwidths. A +Western Union facility. + +B.S.I.--Business Services Instructor. A traffice employee who +will come out and teach you how to use your phone system. + +BUSY HOUR--An uninterrupted period of 60 minutes in which the +total traffic of a sample is a maximum. + +BYTE--A unit of information in electronic computer terminology +consisting of 8 bits, referred to as extended binary coded +decimal information of an EBCDIC code. + +CALL CONGESTION RATIO--The ratio of the time during which +congestion exists to the total time considered. It is an estimate +of the probability that an external observer will find a system +in a congested condition. + +CALLING RATE--Average calls per subscriber per hour. + +CALL STORE--The memory section of a stored program control +switching system in which temporary information used in the +processing of calls through the exchange is contained. It is also +referred to as the Process Store. + +CENTRAL OFFICE--Exchanges where subscriber lines and private +branch exchange lines terminate. There they are switched to +provide the desired connection with other subscribers. Such an +exchange is called an end office and is designated as a Class 5 +office in the U.S. + +CENTRAL PROCESSOR--The main computer element of a stored program +control switching system, which under the direction of the stored +program establishes switching network connections and also +monitors and analyzes the system to insure proper operation. +Routine process testing, maintenance and administrative funtions +are also carried out. + +CENTREX--A PABX system in which the switching equipment is +located centrally and away form the location being served. Direct +inward dialing (DID) and direct outward dialing (DOD) as well as +automatic number identification (ANI) are provided by such a +system. + +CHARACTERS--The elements of a message. One computer character +consists of 8 bits or 1 byte and is known as an EBCDIC character. + +CIRCUIT SWITCHING--Telecommunications switching in which the +incoming and outgoing lines are connected by a physical path, as +through crosspoints or switch contacts. +CLASS OF SERVICE--The services and facilities offered to each +individual terminal connected to a system. This information is +usually stored with the directory or equipment numbers of the +associated terminal, and is accessed by the call processors when +a connection is required to or from that terminal. + +CLOCK--Equipment to provide a time base for a switching system. +In time-division switching it is used to control sampling rates, +duration of signal digits, etc. + +C.O.A.M.E.--Customer owned and maintained equipment. + +CODEC--The combination of a coder and decoder, as used in +time-division switching systems to code the incoming message and +decode the message being returned to the caller. It is a +contraction of the words, coder and decoder. + +COMMON CONTROL--An exchange control method in which the dialed +signals are received and registered separately from the switching +elements before they are used to control these switches. Also +defined as a control method, which identifies the input and +output terminals of the switching network and then causes a +connecting path to be established between them. Such systems are +also designated as marker systems. + +CONCENTRATION STAGE--A switching stage in which a number of input +lines are connected to a smaller number of output lines or +trunks, as in the connection of a large number of subscriber +lines to a smaller number of trunks based on the grade of service +desired. + +CONGESTION FUNCTION--Any function used to relate the degree of +congestion to the traffic intensity. + +CONNECTING ROW--All those crosspoints directly accessible from an +inlet. Only one connection can be established via a connecting +row at any instant. + +COUPLER--A device used to prevent electrical flashback and +maintain normal electrical flow on a telephone line. Used as a +buffer between C.O.A.M.E. and telephone company equipment. + +CROSSBAR SWITCH--A switch having a plurality of vertical paths, a +plurality of horizontal paths and electromagnetically operated +mechanical means for connecting any of the vertical paths with +the horizontal paths. + +CROSSPOINT--A crosspoint comprises a set of contacts that +operates together and extends the speech and signal wires of the +desired connection. Each connection in a space-division switching +network is established by closing one or more crosspoints. + +CROSSTALK--An unwanted transfer of signals from one circuit to +another as may occur between switching elements or circuit +wiring. + +C.W.A.--The Communication Workers of America. The C.W.A. +reprsents 90 percent of the unionized Telco work force. + +DAY-TO-BUSY HOUR RATIO--The ratio of the 24 hour day traffic +volume to the busy hour traffic volume. In some countries the +reciprocal of this ratio is used. + +D.D.D.--Direct Distance Dialing. Also known as one-plus dialing. + +DELAY SYSTEM--A switching system in which a call attempt, which +occurs when all accessible paths for the required connection are +busy, is permitted to wait until a path becomes available. + +DIAL PULSE--The signaling pulse which is formed by the +interruption of the current in the DC loop of a calling +telephone. Such interruptions are produced by the breaking of the +dial pulse contacts of the calling telephone subset during the +dialing process. + +DIAMOND-RING TRANSLATOR--An array of ring-type induction coils +associated with coded wiring in such a manner that the +translation of directory numbers to equipment number or vice +versa can be accomplished in an exchange. It is named after its +originator, T.L.Dimond of the Bell Telephone Laboratories. + +DIRECT CONTROL--An exchange control method in which pulses, +dialed by the subscribers, control directly the route selection +switches of the system. For each digit dialed the equivalent of +one set of selector switches is required with this control +method. + +DIRECTOR--A control element which provides a measure of common +control in step-by-step or Strowger exchanges. + +DISTRIBUTING FRAME--A structure for terminating the wires of a +telephone exchange in such a manner that cross-connections can be +made readily. Examples are the main distribution frame (MDF) at +the entry of an exchange, intermediate distribution frames (IDF) +between sections of an exchange, and power distribution frames +(PDF). + +DISTRIBUTION STAGE--A switching stage between a concentration +stage and outlets and serves as a means of selecting trunks to +the desired terminations. + +DUV--Data Under Voice (AT&T System). ELECTROMECHANICAL SWITCHING +SYSTEM--An exchange system in which both the speech paths and the +control equipment are switched by electromechanical +components--such as relays, rotary switches, etc. + +ELECTRONIC SWITCHING SYSTEM--An exchange system in which at least +the control equipment is composed of electronic circuits and +components, generally of a solid-state type. + +EMD SWITCH--The speech-path switching element used in a Siemens +rotary switching system. EMD is an abbreviation of +Edelmetall-Motor-Drehwahler, which translates in English to +Noble-Metal Motor Switch. + +END OFFICE--A central office or Class 5 office. + +ENTRAIDE--A switching system in which outlets from a given +connecting stage are connected to inlets of the same or a +previous stage. In such systems calls may traverse a stage more +than once. Usually these reentering links are used as last choice +paths and the resulting network is heterogeneous. Such an +arrangement is used in ITT's Pentaconta Crossbar system. + +ERLANG--The unit of traffic intensity, which is measured in +call-seconds per second or call-minutes per minute. Also, one +erlang equals 3600 call-seconds per hour. It is named after A. K. +Erlang, the Danish engineer and mathematician who first adopted +it. + +ESS--Electronic Switching System. + +EXCHANGE--All numbers within a given three-digit prefix area. Can +also be used to describe a geographical area the size of a city. + +FX--Foreign Exchange Calls. The term applied to calls made to a +central office other than the one located in the calling customer +area. + +H.C. INSTRUMENT--An ordinary telephone with no extras. + +I.D.E.W.--International Brotherhood of Electrical Workers. A +union that represents seven percent of all unionized telephoe +workers. + +INTERSTATE--Telephone service that crosses state lines. Such +services come under the jurisdiction of the F.C.C. + +INTRASTATE--Telephone services that remain within the boundares +of a state. Such services come under the jurisdiction of the +P.S.C. + +JOINT PRACTICES--An inter-company guide akin to the Geneva rules +of war. The J.P. covers such things as intervals, offerings, and +procedures. + +K.K.6--Six-button telephone. The standard telephone found in most +offices. The K.K.6 can handle five lines. The sixth button is +used for hold. + +LAYOUT CARD--Schematic drawings of the electrical circuits +required for a telephone installation. +LINK (TRUNK) The connection between the terminals of one switch +and the terminals on a switch of the next stage corresponding to +a single transmission path. + +LINK (ONE-WAY AND TWO-WAY)--A one-way link is used only for the +establishment of connections in one direction, while a two-way +link is used for the establishment of connections in either +direction. + +LINK SYSTEM--A system in which: (1) there are at least two +connecting stages; (2) a connection is made over one or more +links; (3) the links are chosen in a single logical operation; +and (4) links are seized only when they can be used in making a +connection. + +LOGIC FUNCTION--The relationship of two or more Boolean variables +as expressed by Boolean algebra. + +LOGIC GATES--Electrical or electronic circuits which control the +transfer of signals and produce the required outputs for specific +input combinations to implement Boolean logic functions. + +LOGIC (HARD-WIRED)--Control logic in an exchange, which is wired +in circuit form. + +LOGIC (SOFT-WIRED)--Control logic in an exchange, which is held +in software computer programs. + +LONG DISTANCE--Technically, any call that terminates more than +seventeen miles from the source. + +LONG LINES--A division of AT&T responsible for the day-to-day +operation of the long distance network. While the local Telco +handles all maintenance, Long Lines directs overall supervision. + +LOOP DISCONNECT PULSING--Subset dial pulsing in which the +subscriber DC loop is interrupted to produce pulses for signaling +an exchange. + +MARKER--Circuits which incorporate the function of busy testing, +locating and finally controlling the establishment of a +particular path through the switching network. + +MARKETING REP--The sales people of the Bell companies. Also known +as account executive. + +MARKING--The use of electrical potentials and grounds at certain +points in a switching network to control its operation. + +MATRIX--A simple switching network in which a specified inlet +(matrix row) has access to a specified outlet (matrix column) via +a crosspoint placed at the intersection of the row and column in +question. A complete matrix is one in which each inlet has access +to each outlet, while an incomplete matrix is one in which each +inlet may have access to only some of the outlets. + +MEAN DELAY OF CALLS DELAYED--The total waiting time of all calls +divided by the number of delayed calls. + +MESSAGE SWITCHING--A method of receiving and storing a message +for a more appropriate time of retransmission. With such a +method, no direct connection is established between the incoming +and outgoing lines as in the case of circuit switching. + +MULTIFREQUENCY SIGNALING--Signaling between subscribers and the +central office through a combination of audio frequencies, as +with pushbutton dialing. Also, in many cases signaling between +exchanges is accomplished by combinations of frequencies. + +MULTIGROUP--A combination of two or more PCM multiplex channels. + +NONLISTED NUMBERS--Telephone numbers that do not appear in the +directory but that are available if the inquirer calls directory +assistance. + +NONPUBLISHED NUMBERS--Telephone numbers not made available to the +public. Also known as silent numbers. + +OCCUPANCY--The average proportion of time that a traffic carrying +facility is busy. + +PACKET SWITCHING--Essentially the same as message-switching. + +PANEL-SWITCHING SYSTEM--A common control electromechanical +switching system, which was used widely in the U.S. prior to its +virtual replacement by crossbar and other systems. The banks of +selectors take the form of flat vertical panels, from which the +name of the system was derived. Some panel installations are +still in use in the U.S. + +PATH--A set of links joined in series to establish a connection. +Paths differ if one or more links differ. + +P.B.X.--Private Branch Exchange. Commonly known as a switchboard. +Mini-central office equipment for business customers with from 10 +to 2,000 telephones. + +PRIMARY CENTER--A switching center connecting toll centers, which +can also serve as a toll center for its local end offices. In the +U.S. it is defined as a Class 3 office. + +PRIVATE AUTOMATIC BRANCH EXCHANGE (PABX)--A private automatic +telephone exchange which provides for the connection of calls +going to and coming from the public telephone network (usually a +central office exchange) as well as intraexchange calls between +the served extensions. + +PROBABILITY OF DELAY--The probability that a call attempt, if +offered, cannot be completed immediately. + +PROBABILITY OF LOST CALLS (PROBABILITY OF LOSS)--The probability +that a call attempt, if offered, will be lost. + +PROGRAM STORE--The memory section of a stored program control +switching in which semi-permanent instructions and translations +are contained. These are fed to the central processor to permit +it to provide stored program control. + +PUBLIC SWITCHED NETWORK--Any switching system that provides +circuit switching facilities for use by the public. Telephone, +Telex, TWX, and Broadband switched networks are the public +switched networks in the U.S. + +PULSE AMPLITUDE MODULATION (PAM)--A form of pulse modulation in +which a number of channels are multiplexed by time sampling, but +one in which the pulse amplitudes vary in accordance with the +amplitude of the analog signal levels. + +PULSE CODE MODULATION (PCM)--A form of pulse modulation in which +a number of channels are multiplexed by time sampling as in PAM, +but with each amplitude replaced by a group of binary pulses +which identify the amplitude of + diff --git a/textfiles.com/phreak/PHREAKING/phreakgo.hac b/textfiles.com/phreak/PHREAKING/phreakgo.hac new file mode 100644 index 00000000..a928cf88 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phreakgo.hac @@ -0,0 +1,91 @@ + ====================================== + PHREAKERS CAUGHT + ====================================== + + from the Los Angeles Times of June 11, 1982 (page 1 of the "Metro" section): + + 'Phone Phreak' Sentenced to 150-Day Term + + +By Ted Rohrlich, +Times Staff Writer + + Lewis DePayne was sentenced to 150 days in jail Thursday for extremely poor +relations with Ma Bell. + + DePayne, 22, first came to the attention of Pacific Telephone Co. officials +in 1979, when they say they discovered that he had gained unauthorized access to +their communications and computer systems. + + DePayne, a computer science student at the time, used the access to disconnect +phone service for people he did not like, and to add--for free--special +features, such as call-forwarding and call-waiting services, to his own phone +and those of his friends, according to phone company officials. + + Pacific Telephone's retired general security manager, W. F. Bowren, said +that in late 1979 DePayne admitted involvement in setting nine fires on +telephone company property, resulting in $250,000 in damage. + + Bowren told Superior Court Judge Diane Wayne that DePayne admitted to phone +company investigators that he and some friends got access to ground-level +telephone terminals, cut wiring inside the terminals, and then set the terminals +on fire. + + Terminals are boxes, usually attached to telephone poles, that house +connections between underground cables and above-ground branch lines leading to +homes and businesses. Bowren's comments came in a letter that was made part of +the court record. + + Bowren's letter said that DePayne also told investigators that he and others +had rewired one terminal in such a way that it allowed them to make phone calls +anywhere and to have charges for those calls applied to someone else's bill. +The resulting loss to the phone company was more than $15,000, Bowren said. + + Bowren went on to say that the telephone company declined to press charges +against DePayne because DePayne said that he had seen the error of his ways. + + But, his letter continued, DePayne was subsequently interviewed in a weekly +newspaper and boasted of "infiltrating and compromising our system." + + Bowren was apparently referring to an article that appeared in the L.A. +Weekly in July, 1981, about a "phone phreak" identified as "Rosco." + + Rosco was touted as "probably the most knowledgeable phone phreak in the +country" whose pranks included posing as a telephone company supervisor and +causing all calls normally routed through the phone company's Pasadena office to +be rerouted elsewhere. + + Witnesses at a court hearing for DePayne testified that he used the nickname +Rosco. + + That hearing was held to determine whether DePayne should be ordered to stand +trial on charges that he broke into a Pacific Telephone Co. office in May, +1981, and stole operating manuals for the company's central computer system. + + A district attorney's investigator on the case has said those manuals could +have been used to shut down much of Los Angeles' phone system. + + While facing theft, burglary, and conspiracy charges in the case, DePayne +wrote a letter to the president of Pacific Telephone, Bowren said. + + "He had the unmitigated gall...(to try to) sell his service to us as a +consultant," Bowren wrote. + + In court, DePayne pleaded no contest to a charge of conspiracy to commit +computer fraud against Pacific Telephone and to a separate charge against a San +Francisco-based computer leasing firm. Burglary and grand theft charges were +dropped. + + A confederate, Mark Ross, 25, pleaded no contest to a charge of grand theft of +telephone company computer manuals. + + Wayne placed them both on probation for three years and ordered Ross to jail +for 30 days, to be served on weekends. + + She stayed the 150-day jail term for DePayne for three weeks to give him an +opportunity to apply for participation in the county's work furlough program. + + Deputy Dist. Atty. Clifton Garrott said DePayne makes his living as a +systems analyst for computer consulting firms. +--------------------------------------- + \ No newline at end of file diff --git a/textfiles.com/phreak/PHREAKING/phreakh.ist b/textfiles.com/phreak/PHREAKING/phreakh.ist new file mode 100644 index 00000000..562d5506 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phreakh.ist @@ -0,0 +1,474 @@ + + * ************* + * * * * * * + * * * * * + * ***** ****** + * * * + * * * + * ****** * + + MEGACOM ENTERPRIZES PRESENTS: + +The early days of Phreaking... + +In 1973 a couple of phone phreaks discovered the toll free 800 number at the +White house. The nuber was 800-424-9337. White house staffers used it for what +the Phreaks describes as "casual semi-official, chit chat." The phreaks used +their expertise with the phone system to tap this line and listen for hours to +buzz of converstaions going in and out of the White House. The Secret Service +always answered the phone with "9337". If the caller didn't respond with a code +word, the Secret Service agents would say, "i'm sorry, you must have dialed an +incorrect number". The phreaks discovered that the code word "Olympus" stood +for President Nixon, who was then embroiled in the water gate scandel. +One day in the spring of 1974, at about three in the morning, the phone phreaks +dialed the White House number, using an untraceble line. A secret Service man +answered "9337" +"Olympus, please, its urgent!" one phreak said. +"One momment" came the reply +Three minutes later they heard a fatigued voice say, "Yes?" It didn't sounds +like Nixon, but they decided to go ahead. +"Sir," the phreak exclaimed, "we have a crisis on our hands." +"Yes, what's the nature of the crisis? As if I didn't know already." It +_was_ Nixon! The phone phreak gulped. +"Sir" he said, "we are out of toilet paper!" +There was a long pause, then Nixon cursed and began yellin, "Who the hell are +you? What is the meaning of this?" +Another Voice came on the line. "Who are you? How did you get this number?" +The phreak mumbled, "Sucker!" +Then there was another pause, lasting about a minute or so, followed by a +muffled boice in the bacground: "Getting a trace?" A few seconds later there +was a ker-chunk sound and the line was dead. +Later that year two southern Californian phreaks tied up every long-distance +trunk line coming into Santa Barbara, telling all the callers that a mysterious +explosion had wiped out the city. They'd managed to gain control of all in- +coming long-distance calls by using two side-by-side phone booths on the +beach and some very simple phone phreaking equiptment. +The first call was from a mother to her son, a student at the University of +California. Santa Barbara campus. The two phreaks told the woman that they +were with the National Guard Emergency Communications Center and that there +was no longer any University of California at Santa Barbara. In breathless +tones they said the campus and, in fact, the entire city of Santa Barbara had +been wiped out in a freakish nuclear accident-a "nuclear melt down," they +told her. She was politely asked to hang up in order to clear the line for +emergency phone calls. +A few minutes later the horrified mother called back, this time with oper- +ator assistance. The phreaks calmly repeated their story to the operator, +asked her not to place calls to Santa Barbara and told her not to worry. +jWithin minutes the phreaks ahd newspaper and television reporters, FBI +agents and police officers calling from all over the country. Hundereds of +anxious people who had heard about the "melt down" phoned to check on re- +letive and friends. The phreaks told the callers that they had reached +the National Guard base 50 miles away where the disaster site and that they +were tied into emergency circuits. After about an hour the two became +frightened by the chaos they were causing and restored the phone system to +normal. They were never caught. + +Heavy stuff. And it's tempting to think of these phones phreadks as purveyers +of electronic guerrilla warfare. It's tempting to think of them as McLuhanist +anarchist infiltrating the all seeing, all knowing government-by-data-bank that +rules our lives. Some phone phreaks even think of themselves that was. It's +a teimpting point of view, but its probally all wrong. PHone phreaks are some- +thing much more American than that. They're classic Yankee basement tinkerers, +backyard ivestors, the Eli Whitneys, Orville Wrights and Hanry Fords of our +age. Only instead of tinkering with mechanical or even electrical stuff, +phone phreaks are tinkering with vast computerized networks of infromation. +And the difference between them and their folk-hero predecessors is that you +can't build a world-wide electronic data matrix out of buggy parts in the barn. +The phone phreaks brand of tinkering requires equiptment so extensive that no +one person or even one corporation could put it together singlehandedly. They +need the cooperation of the entire industrialized world to do their puttering +around. And since that kind of cooperation is rarely fourthcoming to pimply +sixteen year olds on the upstairs extension, they go out and get cooperation +wherther anyone wants to give it to them or not. Natrurally some mischief +takes place along the way. +Almost ten years ago strange electronic wizards began to emerge in various +corners of the United States. They called themselves "phone phfreaks" and +they had figured out how to re-create the sounds signals that trigger the +phone companys switching equiptment, allowing them to place calls to any- +where in the world for free. Eventually they were able to master all the +circuit systems of AT&T and its affiliates. They learned how to tap +phones internally through the phone company's own wires, how to retrive +information from phone-relayed computer terminals, including the FBI's +National Crime Information data bank and even how to penetrate AUTOVON +(Automatic Voice Network), and the top-secret red-alert military phone +network. But that's not _really_ what phone phreaking is all about. Wit- +ness, for example, the life of John Draper, better known as Captain Crunch. + +Captain Crunch, an ex-Air force radar technician ,was, for years, they most +famouse of the phone phreaks and their de facto spokesman. He was even pro- +filed by Ron Rosenbaum in Esquire. He may also have a bettter working know- +ledge of the world's phone systems than anyone else alive. +In 1976 the Captain was entrapped by a phone phreak turned FBI infromer and +was incarcerated, appropriately, in the Lompoc Federal Prison Camp--one of the +first Americans to go to jail for phone phreaking. These days, though he's +not yet 30, Crunch is retired. He's a sloppy-lookin guy who dresses in non- +descript, unpressed clothing. And his stringy black hair and horned-rimmed +glasses would make him look like a mad scientist, except that his hobby is +weightlifting. +The Captain's career as Kind of the Circuits began with a 16-year old blind +friend. Denny and some fellow campers discovered they had a shared interest +in the Bell System. For the first time information was passed from one phone +phreak to the another. The blind kids started their own organization. Phone +Phreaks Interantionsl, which today has members all over the country. Phone +phreaking was a way out of their loneliness, a special way to make contact +with another human voice. Even today nearly half of the top phone phreaks +are blind. +In February 1970, Denny discovered that the small plastic whistle then found +in every box of Captain Crunch breakfast cereal had a miraculous quality-- +the whistle prduced, exactly, the 2.600 cycles-per-second tone that "tells" +the phone company's long distance switching equiptment that a line is not in +use, even though that line is being help open by the caller. Using the 2.600 +cycle signal could call long distance anywhere and not be charged. Denny +told John Draper, who was skeptical. But after a quick trip to a pay phone +Draper was conviced, and Captain Crunh was born. +Denny and the Captain began using their whistles to call friends throughout +the country. As the only sighted phone phreak, it was Crunch's task to make +"whistle trips" with Denny and his blind friends. Every Satruday the Capt. +would drop off Denny and two other 16-year-old blind kids at a pay phone +booth, then go to a friend's house. A few hours later the kids would phone +him and say, "You can come back now. We're cold and tired." and the Capt. +would pick them up. +Captain Crunch and his friends learned to do a lot with the whistles. They +would call pay phones in London's Waterloo Station just to talk to strangers +about the weather. Or call South Aftrica to hear the time. And they could +"mute" incoming long-distance calls so that no one would be charged. But by +1972, when he was arrested for whistling calls to Australia, the Captian had +graduated to more sophisticated toys. +Next to a Captain Crunch whistle, the simplest phone phreak device is a Black +Box, which provides an "on Hook" signal to the phone company while a call is +being made, thereby stopping the operation of the billing equiptment. A 3,000 +-ohm resistor drops the level of the currnet going through the phone to below +the level that activated the billing equiptment. But a Black Box can be easily +detected, so Captain Crunch seldom used it. +There are also Red Boxes, small handheld devices that simulate the sound of +coins dropping into a pay phone. They are usually used for short calls and +are also easily detected. The Captain says that most phone phreaks don't +bother with Red Boxes because they arn't useful in obtaining information- +and the pure joy of obtaining and trading information is the heart of phone +phreaking. +The most sophisticated way to gain entrance to the Bell system is with a +Blue Box, which provides access to special operators and remote codes. Blue +Boxes are electronic, multifrequency sound devices that resemble pocket +calculators. They can reproduce the complete range of tones that the phone +company uses, in various combination, to give instructions to its computer +network. Blue Boxes "speak" directly into the mouthpiece of a phone. They +have touch-tone buttons that substitute for the regular telephone dial, and +they provide a phone phreak with the same dialing privileges that a long +distance operator has. The phreak can then direct-dial special test-board, +route and overseas operators. +"A Blue Box allows the phone phreak to direct-dial into any foreign country +that is set up to handle overseas calls", say Captain Crunch. "for the first +time, it opens that country up to the prying and probing of the American phone +hacks." +The Captain says he's accomplished many elaborate feats with Blue Boxes and +similar devices. He used to have a switch-board with computerized Blue Box +equiptment in the back of his Volkswagen bus. He would drive into the country +pull up beside a remote pay booth, hook into the phone and spend hours sending +calls around the world clockwise several time, from San Fransisco to London +to Sydney, Australia, and back to San Fransisco. Then he sent it around the +world counterclockwise a few times. In all, the call covered the equivalent +of half the distance to the moon. During on exceptionally busy week, he +reportedly made thousands of long-distance calls. +On another occasion he phoned hiself from completely around the world. Using +two adjacent pay phones, he routed his call from the first phone through +Tokyo, New Delhi, Athens, Pretoria, Sao Paulo, London, New York and finnaly +to a california operator who rang the second phone. He yelled "Hello!" into +the first phone and 20 seconds later he heard his own voice dimly through the +worldwide electronic maze, a dozen tremulous echos of "Hello!" ringin in his +ear. He recalls that the echo was "far out" but he could barely hear himself +talking. +The developement of the Blue Box fostered an underground network oh phone +phreaks with names like Peter Perpendicualr Pimple, Al Bell and Tom Edison. +In the rigid social stratification of the phone phreak community, the elite +are referred to simply as "the top ten phone phreaks." +"We can tell, just by dialing into an exchange, the kinds of equipment being +used," says the Captain. "The top ten phone phreaks have techniques they've +developed over a long period of time of obtaining information continuously." +They are after _codes_, numbers that go into WATS lines when dialed and give +toll-free access anywhere in the country, or numbers that plug the phreak into +a computer system. One dialed code might produce a busy signal. But if +several phone phreaks dial the same busy signal using this code, they can +talk over it and, in effect, have a conference call. +"It's a crude way of communicating." the Captain claims. "You hear the ob- +noxious busy tones beeping every two seconds. But its a way of communicating, +and that's what phone phreaks are tryin to do: develop techniques of com- +municating by using circuits the phone company doesn't. +"Nobody is bothered by this. The top ten phreaks have a strong moral code- +they never hurt anybody. They constantly supply oodles and oodles of infor- +mation down through the chain of command to the lower-echelon phone phreaks. +Directly below the top ten in the phone phreaks pecking-order are the +pseudo-phreaks. They know how to make Blue Boxes but lack the sophistication +of the top ten. Below the Pseudo-phreaks is the proletriat of phone phreaks +who use Blue Boxes _only_ to make free calls. The Captain becomes agitated +when he talks about them: "These are teh lowest scum in the whole phone phreak +community. These are people who build Blue Boxes to sell to the Mafia." +The lumpen proletariat of phone phreaks the Captain calls "loophounds." A +loop is a pair of numbers that connect two phreaks when one phreak calls the +first number and another phreak (who may be thousands of miles away) dials +the second number. +Loophounds just sit on loops. "Captain Crunch says in a disgusted tone. "They +are handicapped kids or high school kids, and they're either excessively fat +or excessively skinny. They're social rejects who just sit on loops to meet +people. I feel sorry for them. But I've met a lot of people through loops. I +get on them just to find out who's on them. I was on a loop in the New York +city area, and I ran across several mentally retarded people, including a +guy who is 28 but has the mentality of a 6 year old kid". +The phone phreak eleite uses three basic method to obtain the all-important +code information. In the first method, called "Scanning" after a famous +British phone phreak, the phreak painstakingly scans all the possible number +combinations, determining which combinations are codes and what those codes +do. Using this technique, Captain Crunch found out that the phone company's +routing codes always began with 0 or 1 in combinations from 000 to 199. He +also discovered the code route to the autoverify circuits that are used by +operators to see if a line is busy and can be used by phone phreaks to tap a +phone. "Scanning is a thorough technique," the Captain explains. "It leaves +no stone unturned, and it's vertually undetectable. It's slow and cumbersome, +but it reveals an incredible amount of information. +Crunch refers to the second method of finding codes as "social engineering", +which mean bullshitting: "Say you need a code to reach a central office. You +phone a test board and say you're with a test board in another city and you +need a certain code. The phone company guy thinks you're also with the phone +company and he'll give you the code." +The third way to get codes is through an inside soure, usually an operator. +"An inside sourse," says the Captian, "Can determine whether or not our line +is being tapped, inform you if the phone company is onto your game and supply +you with _endless_ information. Of course the sourse could also be an infor- +mer, paid to give you information to trip you up. "The Captain has gotten most +of his information from scanning or social engineering, but much of the infor- +mation passed around by the phone phreak network does come from inside sources. +For instance, TAP, a phone phreak newletter put out by the New York phreak +known as Al Bell, publishes the new credit card cardes at the beginning of each +year--information that could only come from inside. + +Captain Crunch grew up in the bucolic settings of Petaluma, a small northen +California town noted for its chicken farms. He's always been fascinated by +electronics. His favorite childhood toy was a remote-control electric car; +his favortie subject in school were science and mathematics. +His father, who was in the Air Force, was very strict: "I never was allowed to +do what most kids did, like have a BB gun or a slingshot," he says. When he was +12, his father was transfereed to England. The Captain hated the strict +British schools. After he almost flunked out, his parents sent him to a +school for Amercan nationals where he was encouraged to experiment with el- +ectric motors and generators. He promptly modified his bicycle generator by +stepping it up to 10.000 volts +When his father was transferred to Travis Air Force Base in California, Crunch +entered his freshman year of high school in nearby Vacaville, which he re- +members as a farming town "that reeked of onions you could smell 5.000 feet +above the town." During his first month of high school, he was constantly +harrased by bullies, getting into half a dozen fights each day. He took up +wightlifting to improve his skinny physique, and he remains a phsical culturist +In 1963, his family moved to San Jose, where he spent his senior year in high +school building a 20-watt priate radio transmitter. He was suspected of being +the person who cut into the Santa Clara County sheriff's radio network to play +rock songs, including one song called "Little Piggys." The transmitter was +shut down after the Captain received a visit from a Federal Communications +(FCC) agent. +In 1964, the Captain followed in his father's footsteps and joined the Air +Force. He was stationed in Alaska, where he worked on "radar systems and other +classified stuff." In his free time, he built and operated a 200 watt radio +station that broadcast over a 450 mile radius, including parts of Siberia. +But "up there, nobody cares." he recalls. "I got a call from the FCC monitor- +ing station saying they enjoyed my show and asking me not to use profanities." +While in the Air Force, Captain Crunh learned about AUTOVON, which is run by +RCA and is a supposedly secure military phone system separated form the com- +mercial Bell network. An AT&T spokesman said, in 1973, that it was impossible +for phone phreaks to penetrate AUTOVON, but the Captain has known how to gain +access to the system since 1970. +There are actually two AUTOVON networks. SAGE AUTOVON is the communications +network for the Air Force tactical command. General Purpose AUTOVON is used +for administrative calls. There are five level of prority usage within each +AUTOVON network: Routine, Priority, Immediate, Flash and Flash Override. Each +higher level bumps off calls on lower levels. The Flash Prority is used only +for national emergencys. "Any calls that are this high cause many heads to +roll fast," the Captain says. Flash Override is used only by the Air Force +chief of Staff of the regianal commands, such as the North American Air De- +fence (NORAD). +Never, ever, use a high priority such as Flash," the Captain warns. "Since +you are on a high level access, and the military doesn't know who you are, all +kinds of alarms are set off. Never stay on more then a few minutes. Those +fuckers don't fool around on a trace." +After he left the Air Force in 1970, Captain Crunch moved to Mountain View, +California, a sunny town between Palo Alto and San Jose. There are so many +electronic factorys in the area that it's known locally as Sillicon Gulch. +There are as many advanced-technology companies in Silicon Gulch as in all +of Great Britain and West Germany. The Captain worked for a company that man- +ufacters advanced radar systems. +But the Captain's real love was phone phreaking. As his fame frew, it became +more and more likely that he'd get caught. And in May 1972, the King of the +Circuits was turned in by some pseudo-phreaks who snitched to the FBI. Bob +Scott, a Los Angeles phreak, told the FBI that the Captain was using a Blue +Box in his mountain view home. At about the same time, Don Erickson, a +Riverside, California, phreak, supplied the FBI with three pages of info- +mation on Crunch. Yet the only way the FBI could detect the Captain's Blue +Box was by putting an audio tap on his line. They did, and then they record- +ed his calls. One morning when the Captain was driving home from an engineering +class, the FBI moved in, an event he remembers well. +"Something went wrong with my car, so I pulled off to the side of the freeway +Just then, two cars pulled in front and in back of me, and two cars screeched +to a hold on the either side of my car. Ten or twelve FBI agents jumped out +of the cars and said "You're under arrest." I was later charged with violation +of Title 18, Section 1343, of the US Code, fraud by wire, a felony. The agents +interrogatem me for three hours in the back seat of an FBI car. +"At the same time, they had broken into my house and were taking photo of every +thing in sight. They confiscated a cassette recorder with tapes of Blue Box +tones, my address book, which i never got back, and a broken Blue Box. They +asked me who I knew, and how long I had been a phone phreak. All I said was +that I wanted to call an attorney. Eventually, they took me to the county +jail, where I was finally released on my own recognizance. A few months later +I copped a plea, pleaded nolocontendere and got five years probation and a +$1.000 fine." +In the summer of 1972 the Captain went to Miami, Florida, to raise money +for his legal expenses. His Yippie phone phreak pal, the Al Bell wo publishes +TAP, got the Yippies to fly Crunch to Miami to meet Abbie Hoffman, who was +planning demonstrations for the upcoming Democratic National Convention. But +the connection never worked out. +"Abbie was too tied up with the convention, and he never got to help me. +Miami was a hot hellhole. Things were hot in more ways then one--the FBI +was tailing everyone. I thoguht I'd better not stay there. I headed back to +California via New York city, where i saw a phone phreak friend. That's when +the FBI found out I'd been in Miami. My attorney had told me it was OK to +leave California, but it wasn't. A bench warrant for my arrest was issued, and +they held me in jail for a week before they let me depart for California. I +was charged with unlawful flight, but they dropped the charges after they +found out it was a mix-up." +On probation for five years, Crunch intended to stay out of trouble. But in 1975 +he discovered the autoverify circuits that can be used for phone tapping. He +claims that phone phreaks have since used the autoverify circuits to tap the +FBI office in San Francisco, the FCC the San Francisco police and the CIA. +None of these agencies will comment on the allegations, but the FBI soon found +out that the Captain knew how to use an autoverify circuit, and he was again +arrested with the help of an informer. The infromer was Adam Bauman, a Los +Angeles phone phreak who Crunch describes as having "a trickster personallity" +In fact, it was Bauman who called Nixon about the toilet paper "crisis" in +1973. +In mid-1975, Bauman began to "pull pranks on me," the Captain recalls. "He +kept calling me up and enticing me into exchanging techniques with him by +throwing out tasty bits of information. He was doing things that real phone +phreaks consider to be uncool, like charging calls to other people's numbers +and using corporation credit cards." +The corporations being billed for Bauman's credit card calls notified the tele- +phone company, which in turn contacted the FBI, which soon arrested Bauman and +pressured him into telling every thing about Crunch. Bauman agreed to become +an undercover phone provocateur. He bouth his way into the Captain's con- +fidence by giving him technical "inside" infromation that had been fed to him +by AT&T's security agents at the behest of the FBI. He unsuccessfully tried +to get the Captain to build him a blue box. +Finally, the Captain claims, the FBI provided Bauman with a small portable +Blue Box with which to frame him. On Ferbuary 20, 1976Bauman visisted the +Captain at his Mountain View apartment. The two went together to a nearby +phone booth on a busy street, where Bauman allegedly placed a Blue Box call +to a mutual friend in Pennsylvania. The captain says he didn't hear the Blue +Box tones because of the heavy street noise, and so didn't know it was an +illegal call. As Crunch tells it, Bauman told him thier mutual friend wanted +to talk with him. "When I picked up the phone, it was still ringing. I talked +to my friend when he answered. The FBI taped the Blue Box tones, then my +voice and presto! instant probation revoke." +The FBI was interested in busting Captain Crunch not only because he knew the +secrets of autoverify and AUTOVON, but also because Bauman had told them the +Captain was tapping their own lines and had a copy of the operating manual for +the National Crime Information Center (NTIC) computer. The NCIC is the FBI's +mational data bank containing computerized information on every individual +who has ever been arrested or investigated by local, state or federal law +enforcement agencies. +Captain Crung denies having ever gained access the the NCIC computer. He ex- +plains that he didn't have a reason to use it and that he assumed it was +secure. That is, he figured out that any penetration of the NCIC system +would leave traces, and the FBI would naturally assume that he had been the +culprit. But the intense interrogation by anxious FBI agents after his ar- +rest made him change his mind: "It wasn't until the FBI revealed their extreme +paranoia while questioning me that i realized the system must have some serious +hole in it which make it accessable to nonofficial intrusions." As for the +charge that he was tapping the FBI, Captain Crunch claim it was actually +Bauman who was doing it, and furthermore, "in the last six months, every phone +phreak was doing it. It was a fad." +Waht Captain Crunch knew, whenever he knew it, is pretty simple. As he ex- +plains it, all you have to do is locate a terminal input to the FBI computer. +If inside sources fail, then use a "dedicated data line," which is sort of +giant extension cord that runs from one computer to another. If a phone phreak +were to make a physical connection to the dedicated data line, he would be able +to recieve the information transmitted over it. The information would be in +form of electronic data, and he would have to decide what "format" it is in. +This is done by recording the data and taking it to an electronics lab for +analysis. +But there is an even simpler way of gaining access to the NCIC computer, pride +of the FBI. The phone phreak simply hooks int othe phone lines used by the +computer of any small town's police department. Think of the famous cartoon +of a large fish swallowing a medium sized fish, which, in turn, swallows a +smaller fish and so on. The priciple is the same but in reverse order. The +phone phreak "fish" hooks into the police department's computer, which goes +into the NCIC computer, thereby allowing the "fish" to electronically "swim" +undetected into the NCIC computer. _Not_ mind you that captain Crunch recom- +mends that a law-abiding citizen do any such thing. +Face with the prospect of a long prison sentance, Catain Crunch made a deal +with the government. In return for telling the FBI how phreaks tapped into +their private lines and how the military's AUTOVON network coule be pen- +etrated, the government reduced his sentence to four months. His FBI inter- +raogators were especially interested in any links Capatain Crunch might have +had with Bay Area Underground guerrilla groups such as the New World Liberation +Front. The Captain emphatically denied any knowledge of the revolutionary +underground. +In all, Crunch and his attorneys held six long meetings with the Justice De- +partment officials, who he says were "freaked out" by revelations of his el- +ectronic surveillance wizardry. FBI agents admitted to the Captain they had +noticed strange clicking and beeping noises on their private lines, but they +said they had been baffled as to who might have been listening. +The Captain assumes the government used the information he provided to cor- +rect the gaps in the FBI and military communications networks. He is es- +pecially proud that his cooperation with the FBI was achieved without having +to reveal a sigle name or point a finger at any of his fellow phone phreaks. +The FBI was satisfied merely to learn his electronic techniques, "I sat on a +lot of this information for years because it was highly explosive. I didn't +want to be responsible for people getting in trouble because of it, but I've +told the FBI everything, so now i want to spread my knowledge around as much +as possible," he says. +John Draper, Captain Crunch, served four months in federal prison in southern +California in the winter of 1976. He spent his time weighttlifting, playing +tennis and writing a book. +No more diddling with the dials for the Captain. The government and the phone +company can rest a little easier--on futre Alexander Graham Bell II has been +safely squelched. However, we all know there are at least nine more still out +there tinkering and puttering and trying to make....Make a what? +Well, it's hard to say exactly what will come of the phone phreaks inventivness +It's ever hard to envision, because the end product will be some wierd system +of cybernetic interrelationships and not a cotton gin. But whatever they come +up with will still be a product of that essential American high--that fever- +ish burst of activity in the toolshed, banging some thing together for sheer +love of doing and making. +Americans have always been able to generate euphoria in themselve by rearrang- +ing the bits and pieces of the material world--creating odd yoga postures in +the entire webb of maya, if you will. What other country has 10.000 high +school drop-outs who can turn an ordinary Chevorlet into a fire-breathing, +nitromethane fueled juggernaut capable of 200 mile per hour in less than 10 +seconds? What other country would turn a change in the national speed limit +into a redar detection/CB radio/VASCAR/Sonar war of electronic surveillance? +What other country has 16-year old blind kids that know more than the pre- +sidnet of AT&T? +It's no accident that America is the richest country on earth. It's no accident +that we have more cars than China has toilets. There are more sophisticated +electronics technicians invovled in the live of recording a Pink Floyd concert +than manning the secret military weapons systems of any of our allies or +enemies. And remeber when our Apollo space station linked up with the Soviets +Soyuz II? That told the story if anything ever did. Their spaceship was a +lump, the work of conscript peasant labor. It seemed to be made of cast iron, +with lumpy round bolt heads dotting the interior and a tangle of extension cord +s all over the floor. Outside it looked like an old steam boat boiler. _our_ +ship, on the other hand was a paean to modern technology, a beautiful con- +struct of miniaturized circuitry and brush finished chrome. It looked as good +as a pimpmobile. +We're still a nation of makers and doers. A nation of builders. And the phone +phreaks are builders, too. They're building knowledge. Building the knowledge +of how to use an enormous artificial nervous sstem the way a toddler builds +knowledge of his organic nervous system so that he can make his body do things +right. Right now the phone phreaks are just learning to talk, but when these +electronic toddlers get to first grade, _watch out_! Captain Crunch is Capt. +America. + +M.E.P. + + + + +s + + + \ No newline at end of file diff --git a/textfiles.com/phreak/PHREAKING/phreakhi.phk b/textfiles.com/phreak/PHREAKING/phreakhi.phk new file mode 100644 index 00000000..b9fa9dc6 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phreakhi.phk @@ -0,0 +1,87 @@ +This file is from /\/\ + / /\ \etronet BBS + "The Intelligent phreaks choice" + 301-944-3023 + + + + THE HISTORY OF PHREAKING + ------------------------ + + DID YOU KNOW THAT PHREAKING STARTED FROM THE MOST UNLIKELY SOURCE...... + CAP'N CRUNCH CEREAL! + + YES, IN THE 1960'S A TOY WHISTLE WAS PLACED IN THE FAMOUS CEREAL. +UNFORTUNATELY (NOT FOR US), THE WHISTLE GENERATED 2,600 CYCLE-TONE, DUDE! A +YOUNG MAN WHO HAD JUST ENTERED THE USAF AS A RADIO TECH., WAS FASCINATED WHEN +HE DISCOVERED THAT BY BLOWING THE WHISTLE INTO THE FONE AFTER DIALING ANY +LONG-DISTANCE # AND HEAING THE DIS- CONNECT SIGNAL, THE TRUNK WOULD REMAIN OPEN +WITHOUT TOLL CHARGES ACCOUNTING, AND FROM THEN ON, ANY NUMBER COULD BE DIALED +REPEATEDLY. 800 #'S (INWATS) , WERE LATER USED AS THE STARTER CALL TO AVOID +ANY CHARGES. HE USED THIS TO CALL HOME WHILE STATIONED IN ENGLAND. + + THE CAP'N PRACTICED FOR YEARS. HE REPORTEDLY WOULD PLACE CALLS AROUND THE +WORLD TO HIMSELF. HE WOULD THEN TALK AND HERE HIMSELF 20 SEC. LATER. HE WENT +ON TO DISCOVER THE OPERATOR CODES INCLUDING AUTO-RELAY (OPERATOR INTERUPT, OR +VERIFY BUSY). THUS, EAVESDROPPING INTO CONVERSATIONS. HE CLAIMED TO LISTEN IN +ON THE FOLLOWING: 1. PRES. OF THE USA 2. FBI WHEN IT WAS AFTER PATTY HEARST +3. THE SECT. OF DEFENSE 4. AND VARIOUS MILITARY BASES THRU AUTOVON. +(EXPLAINED IN ANOTHER VOL.) + + CAP'N CRUNCH WAS THRUST INTO THE SPOTLITE WITH AN ARTICLE IN ESQUIRE. + + THE TERM "BLUE BOX" CAME ABOUT BECAUSE THE FIRST ONE THAT WAS CAPTURED WAS +THAT COLOR. THE CAP'N SOON WENT BEYOND THE SIMPLE WHISTLE TO MORE COMPLICATED +DEVICES. + + THOUSANDS OF PHREAKS CHANCED UPON AN UNUSED TELEX TEST BOARD TRUNK LINE IN A +4A SWITCHING MACHINE IN VANCOUVER. DIALING AREA CODE 604 FOLLOWED BY 2111 +PLACED YOU IN AN INTERNATIONAL PARTY LINE. + + SOON MORE SOPHISTICATED BOXES FOLLOWED. IN '77, THE PHONE COMP. INSTALLED +THE FIRST OF THEIR MORE SOPH. EQUIP. IT HAS INCREASED THE RISK, BUT BY NO +MEANS STOPPED IT. BELL NOW HAS A SYSTEM THAT WILL PRODUCE A RECORDED VOICE +TELLIN YA TO STOP, RECORDS PART OF CONVERSATION, AND BILLS THE CALL TO THE +NUMBER. THOSE NUMBERS ARE HEN PRINTED OUT WITH THE TIME AND DATE. + + BELL NOW HAS 74 CENTRALIZED TICKET INVESTIGATION (CTI). ONE OF THESE ALONE +PERFORMS 7000 INVESTIGATIONS A DAY. + + CRUNCH WAS CAUGHT A NUMBER OF TIMES, INCLUDING A TOP SECRET MANUAL IN HIS +CLOSET DESCRIBING THE NCIC. (NATIONAL CRIME INFORMATION CENTER: COVERED +LATER). AFTER 3 CONVICTIONS AND A FEW YEARS IN JAIL, HE PACKED IT UP FOR A JOB +IN A SOFTWARE COMPANY OR SOMETHING LIKE THAT. BUT DO YOU BELIEVE THAT? +SOMEWHERE, SOMETIME, I HAVE AN EERIE FEELING THAT HE IS OUT THERE. THE CAP'N +WAS ALWAYS JUST ONE STEP IN FRONT, AND I'M SURE HE'S STILL THERE. + + SO NEXT TIME YOU BLUE BOX OR PHREAK, THINK OF THAT GUY LIVING NEXT DOOR, WHO +KNOWS. + + *************************************** + TRIVIA + *************************************** + JOE THE WHISTLER, BLIND SINCE BIRTH, WAS ABLE TO WHISTLE THE PERFECT TONES +WITHIN THE 2% ERROR RANGE ESTABLISHED. REPORTEDLY PHREAKS WOULD CALL HIM UP TO +TUNE THEIR BOXES. NOW WORKS FOR THE FONE COMPANY AFTER A, SHALL WE SAY, AN +ILLUSTRIOUS CAREER. + + *************************************** + RECORD PHREAK + *************************************** +UNKNOWN PHREAK CALLED: + 1. PRESIDENT + 2. ARMY COMMANDANT IN RUSSIA + 3. USAF SAC SQUADRON ALMOST CAUSING AN AIR ALERT. + + BIGGEST CALL I KNOW OF WAS EXECUTED BY HIM: $19,000 12 HOUR CALL TO.... +INDONESIA! + *************************************** + + LOOK FOR FUTURE ISSUES BROUGHT TO YOU BY THE VKR AND CRAZY PLATO. + + THE OFFICIAL PHREAK FILE OF THE '84 OLYMPICS. + + LONG LIVE MA BELL! (SARCASM) + +Call The Works BBS - 1600+ Textfiles! - [914]/238-8195 - 300/1200 - Always Open + \ No newline at end of file diff --git a/textfiles.com/phreak/PHREAKING/phreakin.one b/textfiles.com/phreak/PHREAKING/phreakin.one new file mode 100644 index 0000000000000000000000000000000000000000..b479d57f35d616823966e74ae4e689882d65d994 GIT binary patch literal 11442 zcmcJV+j84Tl7@XbF){NF)pD;bD@ZjdOFr~=cphYSFNz>Yq6whbIEdn2?6dFpXH|ie zTkdgm%rb0A1W;Ld&Ofv8_rJdS+u#5C%Dwd8#n1eukDgDTVOP4t?p5jcZ+q8^7+Mm$o%uaojdq$aIVsq3uX>o*_Z85uHEY7evVK6>Wh6_ZA$yLSl*|{U)<+U zUyKY&oS)sWt9r*j-@5W?=*p(7Pj2kX%~-pED{fQOrQ3v#Cr;?1Ll?c{>w)F%Q29Di zo9>JQG|R5Mb&hA(uG06=g>k!svTxU-uB*qY*Iu{JKT!MAa=p0lQrN0Fgl_QdfFPkQ zT{||bvXeN~wrYJ1J5^iM;~JY(ZPbm)zw?i!Ta{%SsiCIuSgvPo2+lu-YHiA?%dJOg zh`K^$a-CzvH~fGzRQ;g!p<9=o1YMO-^vE}6QpmrRq7fa=nB^2ABHsKox%4`suyp(uP0Nsm8U ze4j}n%gkta*Or)S2&T5ohg_CTP$>OGm+xi{Hr9AcxKNH9T6RCH zD>?^jz3cnKD}8w8w^w1ql`nFpU!sDh?R+s*kJV6>y{JvuJE!EAerrpzk&{BnFw&XK zr?p*q=qgLHQCt3i>-4zr>rWq0)%D;HGuH*&qy)Lz3V;hujB{^_)XPrg1i$)x;iR~#Mn-*i@UPZKdzohq`Q~?PmTG8 z6bN0h>nc1!GK}VMWFYNZ5!pMruskYKQ`+fgiLU^M=1=RO5N*bO5EJp!kDYSx3KeaQ z*<#77y~~d z2Kwk;GX5&`Y)x`IGZl4$Q}4#U@_iF+dG^3e5nYk7!$z^$0|X4O#ehelXL{P=B56HF zFCPMoTsV2$wI4zaIcW`*pv1F*6wKMJ6uc@;Yo+O|OPEP<+lF>dWvryRL`5(~CDLjE zrYT0$eo`(dWEtruRjf0`I;g@~7K>%IUT4iCgfveqcI4%+1VQb@C?Jq*kW$8lp`%aA zkQm~;8LmymiwFtt0vTH&g>A)q-WOv(u`ktEdrI7-p-oqjdZS6Iwl^^6o3_M)g@SC2 zk&#~kBrq#{ciuaN4%-?aQ#}_B<0r_iK4q;dl@}pUeyuXcnux*Agf7I4`z3=&RLmNU zIZ(V!ttsC)OPXky@(pkiwMbEt_Txd=bkeZZCBhV-%!){mTGW#rP*XId+*xJ0G8F<4 zh>J6irUzjm-zhI+hpMT-J{KD&kNU>1qWuY!5Fv7AwxE3ApIyw2Z=7GR6=!aRh5U$U z1{=w~rs|}o|53=uE6))HD28NM8SYfHTdqCR6Fi{bn6|SBdG6bQvn@a&6)rI=ie|J} zkf+sFSL<8%+F|ACYV@H7;43Cz5%U<>k1YU%p*OZQh>V-B-wMycDG`~4H77D$ON#By z)Cn_X9UI8Ren3X#ndEnkm7*=(!%7B}BT5hn@iV(#?J5NY3;FkJ*tH}8fvN;%o60v8 z?%h{wqL1v|m)&Dk2*`tUaE^k#s_5g-KFFGi!!i zej*P0FcPxRrFL5Mwtg5pwNbD$88e2o)dx>GmuLJ&r(&@Ama+gpBDN0NC6cVGy{ZBz zLb=1Q$C@CC55)eHX291+f9l;qsZHwJR2|9Y4HTXeEIL3SO^vdPGSYMA`msMyM8hZt zF%TgYCuJa=av#A#?Nm~NPmpy*W=TF@62xU^+z>WBINz2^9wllsx_5<=xZS8kPciLb z{_GRd`Ll(|r?S4K&x?Rg=^h@egYig>2UV@MxyB)8?)~y%<{p+G^yAYEbo_DVKI-cm z_W!)Re<$CZI_@v-n#bO`r>Cbm|DW71(=AgQ&tgsdm~w=puc)}>Yz4;HMF9DYB$O`y zGn&q`P{V^Cra8**mc4y;#Sd>lQ_7p#56&&+KEE0ZVj2Yy8mL{kN*bm0#4(hAg}KVQ z2p2IT4aWv*Q{frbv7+S~)8azI zYRFRDplM~;OEQX@v|>E`kavG(<(Izrw#sDknu|-$QfIYMP~|2pZu(*rS)5_6SdH;P z#$!-D?r>@K=JIJu6yo)?lsmz;Rkd|}#h?dF8=mkXRsX3)I{^RscLJ~3cOWNLUT4$E zVW%B^O>QuVeX+t=x979FnwzT6L(9-J+ro10fTOCBLI|aF1ab8B0uX9fq@dS|>(5WZ zBq>M#8e2xA#`bIV3tC@$-29&J+iHl_&$~Jh74G%SRiqn=gK+8f-G@(%3$zZVmh;b_ z7xN{b8PHZk82xQAxMqB$Vqx^yfqU>`vO`(vB5K|Zr-NdX%u+$|HFT9i$P!OFx2-`Osi;qvLIEs`Qhl7x8Hneqa)AdA%RT7q>e-ASCbJ6=xC0~_>LP)VR4HT2&mWfxsM4d9dxp=Xk~s5#bkTX6 z(c!?gRH!u7Q6&w-)xtDZ*oU?LRk z+q)k>-7XgRV8j?|R6QxE-a9M1J;fMhmF*+=)+hvf54!||| z;pGCkvD^>k{L(ltb$Ln;qfl{5}7bhkP&I zw7H+k_Wd2(#NpqI52~E!c_2Q>G*FN6KlS0Rp}49}AA^c+OF z6^>BYRn1Q%VQd(5mQ$1({KSB_iNTuA$SdK97zIG>2|r_huKvJoOwtL_hL#Yw!Lz%w z&3lxELmkjO+ibTS4)nMa;biva-f}TpEEWv4cMVMof9&5WcPxLpb4O&FIiC0r@z=vn z=;YR5+LV$4({-dnW6%X_64bGb31v*2F;#<10Y({)aDAwd)uI<8b{Z&IllFl)L4j$A zlJuEdLa7K#!$O@q+7jk+a__OVl}5_l zK`atNCe>9shG^=m%~ev*Ro7iz>=tjgB|LQIBCKShd&stNd4-be*BoqZ72R~*W5q5FEc@y{{O_-A2YNLlI22gt2+c;V4jmaw;sYp{w6w4LWb73nYn6 z$#l4C`9|_Hj+QOhjqxl@_2v6K=Xna|p=A$Hk7a);wn|tHJU3Zlwv}`s||(GYsmomH_CF zOeKvE>;E9ADLh48*#GhC@WIsl(S?Qk4jwfm+&803vh7?i7%2&;;jV50=EO zWfC5zRI(F^#2{0(vBRhA~R*l zCYG9{p+QcI6imGQVJuB0m@ac9f(HZ|VgWKn!7`sL;fd@KT~AJ}9b+o};}Up~PT=PQ^O?-G=ak11mWi<=D)} z&pEgwJM-Q8eqQK^X-Q9u0%eKNB?8A`9^V|WRQ!)56O?t(8P6sTIwdD_rTKY0i4oJM ze3Yd~B+ynRI7l^L??O=ChM^W~%E{#LZJ8sGoF$Qj6#!&5=Y=J$Ce@H)!iwBOgTYQV z^|dUlL?``G>(Z<^qeZr`;~Z$vf`Lj*&77y`%@gH-BWQ$s5tpQt*p!Td(5bbDgO0Ko zL_eZoiU9=G#!UmE*g_j#%|+k%ReA0?lSI=Oh1y0ZvHV#w#utm+s@GX+Ds2m&|=0*yD>3gWtEng7o@M%<<@! zsUkoN2TJpO8Oq#-=fQYD?$xKzUd{<%`$tfpkYpb~F<0}n8=~(G{ z5Cft-CO?j6`-Ze};b}SmRe<|>k@7)4+S=IBQ*MNq1TJi!&wRv?c?ojUre$Fim}#bz z^Mc`RTc@*=iaFXNel4LRfxOfnkty^x;7W5PWq^7t_NT1TDPb`K)le9vY2;&?VN^S3 ziaK$k3Xd4>*(6Ps^634UV%|7Yi$N`ecNC78?tFUFiIFcEhu5L(9jAyY z>BbYErmn+ojBW1Zp!l)6WS~{fNvaT8AyX0j_xzDq;g<#kdyXY>f1oR)xp8W=)QZ=E zw^&j;U_qlpxsy7JI}2=*)j2R9a2uT(n;b;FF`p~7Ay$Px;Z5|U2_hoiy8GqB{PW%2 P{BE)M1bXZ@9((>DoQaj( literal 0 HcmV?d00001 diff --git a/textfiles.com/phreak/PHREAKING/phreakin.phk b/textfiles.com/phreak/PHREAKING/phreakin.phk new file mode 100644 index 00000000..dc67d8ea --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phreakin.phk @@ -0,0 +1,121 @@ + The South Pole..........[312] 677-7140 + :=+---------------------------------+=: + I Basics of Phone Phreaking I I + I by Long John Silicone I + I Oct. 1983 I + :=+---------------------------------+=: + + + A rather broad subject to attack, I must say. The debate over just what to +discuss has occupied my thoughts for many an hour. Perhaps if I approach this +subject legally, in an informative manner that is, my problems might be solved. +Nonetheless, here it goes. + + Ma Bell can rattle on for hours on methods for saving money on your long- +distance calls. Unfortunately, most people still think that AT&T is the only +game in town for long-distance service. + + What Ma Bell won't tell you is that there comes a time in a telephone user's +life to leave Mom. There are now several companies which compete with AT&T in +the long-distance market: MCI, Southern Pacific's "SPRINT" (which is currently +being purchased by General Telephone and Electronics Company), U.S. +Transmission System'S "Longer Distance" (a susidiary of ITT), Western Union's +"MetroFone", and Satellite Business System's "Skyline." They all boast of +opportunities for large savings on the long-distance portion of your monthly +phone bill. + + Someone unaquainted with these new competitors, which are called +"specialized common carriers" (or SCCs), might ask, "Isn't it a duplication of +effort for a lot of different companies to be running long- distance lines all +over the country? And how can a company that is just a fraction of the size of +AT&T provide a similar service for a lower price?" The answer is that these new +competitors have built their base by concentrating on routes where long- +distance traffic is heavy, so the cost of carrying each call is relatively low. +Also, the competitors transmission equipment consists almost exclusively of +computers and microwave links, which they have built themselves or which they +lease from other carriers. Thus, these networks can be less expensive to +construct and maintain then the cable-based systems that Bell has used for +years. There's also another class of competitors called "resellers", who lease +and resell both AT&T's and other carriers' lines. More about resellers in a +moment. + + Initially, most of the SCC competitors could reach only a limited number of +cities. But as they've grown, the number of cities served by their microwave +networks has steadily in- creased, and today most of the SCC's reach 70 percent +or more of all area codes in the United States and continue to increase the +number of cities served every month. Sattelite Business System's "Skyline" is +the first to offer service to the entire U.S. over its own network. The other +SCC's are phasing in uninversal service by using Bell's WATS system. But while +users of these services will soon be able to call 'to' anywhere in the U.S., +they will still be able to call 'from' only a limited number of places, usually +the major metropolitan areas. + + To use any of these SCC services, you currently must have a Touch-Tone +service or the equivalent Tone gener- ator. (This is changing as a conse- +quence of the AT&T/Department of Justice divestiture agreement, which will +require the newly independent local phone companies to grant all carriers +"equal access" at equal rates.) There is an additional monthly charge by the +phone company for Touch- Tone service (check the "Customer Guide" in your local +White Pages, or call your Bell business office for details); however, you don't +have to rent or buy a Bell telephone to get Touch-Tone service. (Hurrah for +K-mart) + + If your local phone lines already are equipped to handle both rotary and +Touch-Tone calls, you may be able to avoid the need for Touch-Tone service in +this way: using a regular rotaray phone, you place a call to the SCC's +computer; then, to 'converse' with the computer simply use a touch pad conver- +ter or a tone generator, held up to the mouthpiece of your rotary phone. + + It's reasonably easy to use the SCC systems. You must first dial a seven +digit local phone number (an 'access' number), which connects you to the SCC's +computer. When you hear a tone on the other end, you then dial a five-or +six-digit number (an 'authorization code') that tells the computer you're an +authorized user and to bill your account for the call. Immediately after +dialing the authori- zation number, you dial the area code and number you wish +to call. The SCC's computer in your area then sends your call out over its own +long-distance network to a computer in the area you called; the computer on the +other end then hooks your call into the local phone network to reach whomever +you've called. Each month you recieve a bill from your SCC (seperate from your +reg- ular phone bill) detailing your calls and billing you for the service +charges plus your calls. + + Note: This varies on occasion, prime example being "Longer Distance". +Instead of the standard code- number format, they elected the number-code +input. + + "SPRINT" uses a six-digit code followed by a two digit travel code. + + A moment of speculation is due.. + + What would happen if you entered someone elses 'access code', then dialed +the destination number? The answer is usually Grand Larceny; however, it is +quite possible since only the general place of origin is possible to detect on +a call placed without notice. + + For information on the competitive long-distance services: + + MCI : Write MCI, MCI Building, 17th and Streets, NW Washington, D.C. +20036. Call toll free (800) 521- 8620 or in Michigan (800) 482- 1740. +"Execunet" + + SBS: Write SBS, John Marshall Building 8283 Greensboro Drive, McLean, VA +22102. Call toll free (800) 698- 6900. "Skyline" + + ITT: Write ITT, U.S. Transmission Systems, INC., P.O. Box 732, Bowling +Green Station, New York NY. 10004 Call toll free (800) 438-9428 or in New York +(212) 797-2511. "Longer Distance" + + SPC: Write SPC, One Adrian Court, Burilingame, CA. 94010, or call (800) +521-4949 or in Michigan, (800) 645-6020. "SPRINT" + + WU : Write WU, 1 Lake Street, Upper Saddle River, NJ. 07458. Call (800) +325-6000 for the number of your local service office. "MetroFone" + + A final note, don't do anything I wouldn't. And above all, if you do: + + DON'T GET CAUGHT. + + Yours in trade, + Long John Silicone +Call The Works BBS - 1600+ Textfiles! - [914]/238-8195 - 300/1200 - Always Open + \ No newline at end of file diff --git a/textfiles.com/phreak/PHREAKING/phreakin.two b/textfiles.com/phreak/PHREAKING/phreakin.two new file mode 100644 index 0000000000000000000000000000000000000000..3fae6bc1a8286093aba8a6a0af07bd6b333c1483 GIT binary patch literal 12263 zcmbW7+j8SZl7@Y`F|mG!vK_IKY>6%EEKkgnO!%S*fFvvs-~eDt^3(74XI6orTJ4Qk zMXM>I3R!vl^8oz!kN@}~eD62-&(&u?x+ndN+bZn0eHCBMhR}9nwd%T;+4^UwL@EYHTFm_=VU#i*ua6at&x*adW zuBb0VH5QADa2V=#6JqGQG4}6}+;2H&5dvi2MfLX||Dl7H3$}7hXb-zp)w3MO5R0PP zk3;y{)dg!qc&(a7pXIn)Lt}t%ZuuqDLpXoBzP=D8e(rCUS8x2Vh0WbMy!Q1dKE`c5 zTyjUzl@($P;qC3=?eXpTZISK_@gmgg#I+rJ$-a6F>rOnOnQpf~jAF10LwvssKgYwk z?fUw!IM!Voe!0w);A7uZai|tQo3yR=hbqEyS#KaYG~H_h1^#@kk!w{|`w-V6KHF8B z9V8V$L#)e1-h(mT!=~>Jdx>Z?5iV2ft9^wEU!}+Q?hv-|D;DJbIfF>#Y`s^5bvkYxt#M2{yNPWNU$Fl75;9K^Q7950h9%WA+VS#2Wg zyzs|Nhqy?x*KgT3uv=VpU-6-|-D!UM40wl20adRyHc9+C}aaxB8R zBAWo59AFk0m{!h%eS>1PpHY-PToJonRn~E=8a&(Vs3nW5VeIz9!u(Tr-k`}X5E8Im zWXBYLYXu=O)JbD~iW)R#Arr?@-Xo$tXz^MTlk2|QWnTQWQ(92c<)8bX16=RWcLV*Q z#%{W9=b3C(XshwH>nB)Sb&4N0wa%)xZvcnZ56*;FN5TsQg`(Irg(ez1p|{Jsa^~;um#sSEiRJnGBe@sY2Q1C}&@H*ld5gNG^-%%B~tj zNkaPJy#Q^P=t;sGla6DvH{c9ril)XgMQjr&%^6-DW+4_oFJ|@O1=H z2vQ&DBvnl;RK>RKnr>5*Zq9$Y5T9-L8tM?`XBc91XYclPD{KYjqNjit_O&S^J8NgK zj_uD-&6k9xkjtpO>xR*@Z&}6i0~^wruzRssgmv8y!oWhVIhBE#Ky>B@C8` zZDnbLO5ida+D0ivdsSTgs&w`%{@hpVLvyL?P)w!_LmM}ns>}zig=5N{S$9*KBU_X| z1r*tIsyj$I+t`K5;)}kW5B(KPWXPE; zzlY4D9nMz~&DxQ*;SL}lDA*{$42k4NC0G1x>S+h|2uc}tM1p`J)DN2TN1pWa7R6K^zXZX-7-ds_F zV)#`D(wJAkjLKQdl#o6`lDYb2$mK2MhHgiW>$*Y9*)XiHY4o*RV?M(arn1xbyBzdm4s zjKFyVw$qkfw^I81cGZ~q?kY|$^6eThX$1ob-=VH>24wICOP6Nu6!$=(HU`fGsCPp4 zt|d1m)CZ#kC86nm{j07o-i#il;9#kysllfft^JhFa##J%{~7#b*{j?|&2RMVkCK3L z_6UiA2z4!ET}UylUCVTE$05FQiJaz08nGDpZ4J>fj(n@ue8q*xIid#C6^9*_AB6#T zZ&3i(1=^u3RdrLk%6W#JT#W_^XtK%+f-{3>{4zN$*BEt6u?uBhcohL1IlE2JIThAg z8*3`L4N+4SY7btO3@Bc?r)Ul((P$Y07SO>ylG6-g;i#{65nj=UQseRq05entM=PB5 z6>4??xre4UuUJtRs_gR)!zrJ=?9Yrmp-Z7fVp*v_Y`sysndqt-LK{*>S*_KOi2a-y z`?$Bv$13;I9XM(`wh(=Jqp6l6K#8gC=ts^ip(op@QrS=w$;K#Zs5dHdhb{JVzN}dY zAT8-QrHrA5pV){yt1hjTrDXxiy!f=>P8G4&3rS8A6m1tZ&KfA=!&0M%yY7KvVGRN` znH(TVOe#lIKMT(+!`c4OS7#D1s7Oc-Y9S*HBL_Yzn?f)K!foyK;Sd=LB#lxIIBPJT zxKmH*1%r8QJrt7Y{lxEJ8ifP&(uD$rl1E44Pzck83jfgtVJS%fX5l7Ff}<&0(Rj&d|Yp-!sWLQ0>5<_s@RON+nV(qm!H^vR7ye%y2wJ|e> zf|AbU5>1$)H1tl343cE}j>LYN5IZ+(N2(ADqBbF|cyu!uHR|n=Di1Ar#+4*?+7Htm z3kMok5gJrlMIo4-*rtD#3azpB>c=~Jiw%K!zRgsdIZaKl4ofzY{oR*87?j2+Z9~J@ z)f`q_hyl^#MvEo9uEvNt&7D^}f)qG;zcBj&nLujNE$NHg&J3m9oR4u&pl>cNReuyO z>45XqVIZ@B$DAYyWwQayab#+unYDc{xUXvCN-&DYQH0pv<3RB3yTQtQD~j=HM{J0x zg&NL@K!cgPcs4Kt8V2fZO6YypQ>~&~lHS1_o9>z83-Whphw}tn@_ks7Iprq-j?e@Q zVeS}qb=(C;Vk_E^u1(DZ@}SB-dD?w;dSzF0|G^rf6`R7TtDY!(-$dLghBJ#)Omb$7 zIH1!<(8R-&wSG!EN$PwAqdHh3Y0IddyR6$Y1eOTOMUzi@kXd1OU~WSKSE>Qw+Iq9a zG>UPi16B3H3TjUN^@Adn)tPghKt;A^ZXER~z@thMCb^c33!R|)NS7&xWP=uu)H!&Q zq2@|6Mjtec3~b5VHfz&-CV`kRr*6N-rY=MER@htt`zw8>gtC`xeH+^L?cYPCh|*vv zEdRJzgz{kZrRl4Ft6|G@=k&o;#xhFAYmzQ%%|?-KAVaA&Sm8rMNu#If14*CMDsrnp zcPF1NfJVG^e`u6p5Lv4}eFh6vl~*D*%{to6K;OwIHme2)ac}gRx8%EH{+jZIat@D@ zS2F+Hj_n4I6tx9a0Qh0kG(RJlZlr55Ur zs>Ji0p%_M`m_VAd+7)&I0!xHR7$~|VK45l?NZH!yEU<$an)pIm%^=U)eWblL!1eh9 zvTG$#yP(tL0&eb{;Bd7{5y{0uO_#G{Odue!4K`du8)-YfF=9c35E(G}V)A|kqHlzf z`-?FJ;XD&JFvVD6f<#O`-%@p?He*i@;kB7pPF~p>3BxU5oe=e*uB@Gq*)kwA`L4Y> z;T@3`bgfE-dSudcR@CEr;MlS{OC=VfMa>Th!t>jUSsZdre&JOEXDQGjc&%xzS&bzt zC66;yXH>&x1*FO%P3rzYg|71IEvoR~elc&%B&(cRq089Kfp-gPL!Pt#$<_nGtC~0` z>Xg`X8zfEVI}sO($(2>BQUPDxyuDpP>T1dFFrF!v<#?FLT2dm+9_xswZ%K>6hA1Fa zw4{6K^Aqxkw5MIMI^fP;ALen2@{@sbuFW0-ZsXVNFX_zsGQKQAMdEqIfCE{>l`=Xfie4(b z<;Ej15xk^MV0ciL^`Y=Ij1{sd;K|b|KTwM92*wgO6U>ULx9Xe-`71#Ka|vOef~6s6 zC^gSE3M|A3v%eSeDG^AL@kVji3FArCvKplE6Q6YGf-7!cb$DcAc}lLH*|~)X=qmtB z{*t1{g2zf?F`II}>rH4U)nI8pR=B~-Nm{pl5=?xlE3~_&>fKbm*OkJ(_GGgsGmWTp z4#C7Uq6rp;aAjig2&1wGb;(NxDhI+@y}K&CLBo*tz5POl%n#b!_uGHP_C3Wq$(6h{ zGG>!yuKyX{|8=c7>XOl^uDl)hia&b<N5&mOW}$VFoI~&!V10*z~-jv00&RP2}0?u6@C^2Qk>0v z*BtQ9P)ooM%;O^&xT#OjL@F?Fdc??1;^{k2{NelrTb-1FlRG)Cg+&WJB}@ZxM_cz7 zc_Gsz6gU-m4v#Xh+*6Mny49$*Uu=K8cLD+)J}VW->unT;KoGTYlnXb!XieuC9e+^E zBL@^lCo2QEN1WFSaNv1)_vP{C-ilb`EOV&O|MMq)DM;*kKDbe|PXu&hMn6K)cSz+@ zz1W(03j*WYsEm552W#BxtSGTvsj@J$aFB)<89}Ms)Jn?D^XVLXqgmV4RiY~2`csdO zRB?*0o9i1}R$T?(B%Dwd)7q`AC77s->A}v;^_{H%R`fut{P^hR`raR@s?T!!lsi0Z4&q%Z?Chp8`{S*b9b9e{if-tH%@DFNx!44+iZ2kkXhq{HgA)~ZEeR>_Ih*VY3YVeYXc_j z>wJ1Lv+FsZo_%WCl;kz1eTglCPfH(+d}^ts%iVN`dXNQ$!MsI6H-Y<08xt8vpg>MohwWhJX%^y5Kp^6sS}BzfqU7`44R zA~AY*?W$l(!Zhx9w`pP8<5H9B$3t%qZBAqO?mC5f*1}2T-6dO3I-&vpCi3o*z0IRY zS6Ow4+?jEavDYAFb&gX%P$RDRSz!IB~ahkr@gh^t7vuQ#{-) z-3g8y@0i)lyzDOd!G8`FEwxvuc9>t7n3_d`2{uC$d$t1J$Nt3s?laCSj2U%|hvFsY zfcxYH)Q6i%^84fjM_woAOl;gIv{w-9s<*nxka3@EuZ0yuFG|=VzoBt|JyQWQrc*S# zzc!DU4mdjdr-|c!?g1yhai7edxqnFFN8WkrCU<;Df{W2D%@`?gg2RU-|4MIRF_$m8 zhL^miICx0H+W~X~FGomzNa9<-eNgqoiTK}vkq6hpG59H>PTlfh9vD_Io+R~$q?b(p zqnaO*b~@h8d1VYKcUGMCQ%-uA2Sp|`^RkB&7bYV!HFA;2KPKZF zojRw8v+y_%iDWm*m@hmD(||V%kql1>Ks|)lA6jN4-?DR(4nMl*KtKLt|^MQWSU(TZzR)Z#gd`d2H7-N2^?kTwf zUA8jRw9!i-cRe1O&CUDt4IpNhneO(~sF%0~>)N7TEc!H8Jk1^A1i7A)FPQmGz33_7 z!j_<|b7At7TwxVKF!h#1@v53?nx_+pJgpC(<{n|^otAG;$romBY2&%(vqbwe_XzjB z(>nGkIfcj0hs5`kU?BxoI%ZyHKP6c39Ze3prvwOg;z^d&dn0Om?477OoA^2Tg6;nZ zT+bOGy00;SxV*ZNZ2RmeF@2kL1k5r?si&HIPEg=!ao%w}C&TB`Q>x_Q3}f?&w#NrO z)Uoz`KFN#EZt{G?iG@$AwdZ7ESK3KIK&$I*lxiyr#t(t|oD7;Yb?kVa=Z5q!{@5}- zyE!Kgz0NZ(?1o%DP8*JiJ~gWI;L|RC|K`2%|IZQ>`KR~Pnl9>@kUazY6EL(Fhnegw z7}tXDdIivCXEfSv(0fN~UU^_d*J|-6ahHF139QKzX*yGXN)326i*UERzk0s8xw^T= LmOQ;%M`Ze6_{Ce1 literal 0 HcmV?d00001 diff --git a/textfiles.com/phreak/PHREAKING/phreakin.usa b/textfiles.com/phreak/PHREAKING/phreakin.usa new file mode 100644 index 00000000..90b2198c --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phreakin.usa @@ -0,0 +1,76 @@ + +"Phreakin' USA" + +When you think "phone phreak," what kind of mental picture do you get? A +teenager holding a sound-making box up to a phone? Or someone who uses false +calling card numbers? The phone companies lose an estimated $80 million each +year on fraudulent phone calls (compared to a total budget of over $27 +billion!), but only a minute fraction is attributed to the above cases. So who +is causing all these losses? + +A phreak is officially defined as "One who causes information to be passed over +the phone without the phone company receiving due compensation." This applies +to more cases than most people expect. For example, calling a "ring-back" +system long distance just happens to be illegal, because you are passing +information (that you want to use the modem line) without paying the phone +company! This law is, of course, not enforcible, and even if it was, why +take someone to court over a matter of twenty cents lost? It's also illegal to +make a person-to-person call to yourself in order to let your spouse know you +arrived at a destination safely! Likewise, calling someone collect at a pay +phone, calling an operator to say you lost a dollar in a pay phone when you +didn't, and completing a call with another person over "test lines" (test lines +are in all exchanges, and if two people dial consecutive test lines, they may +talk to each other without any charge) are all illegal! Spreading all this out +along the entire phone network, it suddenly becomes a matter of millions of +dollars lost each year, even without those little boxes that simulate operator +tones! + +However, the common image of the phreak is someone who plays with red, black, +and blue boxes to somehow gyp the phone company into allowing a free call. +Each of these boxes, named after the color of the originals, has a different +function, and many times the boxes are confused with each other. A red box +is a device meant to be used only at pay phones. It simulates the sounds +of various coins dropping into the phone. When some pay phones hear this +sound, they automatically assume the a coin actually has dropped into the phone +and registers it. A black box is a device which converts any phone jack it is +hooked up to into a toll-free number. If Larry hooked up one, I and everyone +else could call the CPTBBS as if it were an 800 number, yet Larry would not +have to pay the excessive charges that an 800 number demands. With the +sophisticated scanning equipment the phone company has today, however, black +boxes can be detected after a while. + +The most infamous of the colored boxes is the blue box, which mimics the +operator tones to allow free calls from any phone. They cost only $25-$50 to +make, but can sell for up to $3000! Here's how it works: a phreak first dials +a no-charge number, such as an 800 number for a large corporation (if he wants +to add a little irony, he'll make it AT&T's 800-number!). The number rings +once, and then the phreak generates a pure 2600-cycle tone. This tells the +phone equipment that the call has dislodged and to be ready for the next call, +though the phreak remains on-line! The phreak then gives another tone telling +the equipment that a toll call is coming through (though in actuality it is +not). The phreak dials the number and is connected, but the billing equipment +never starts! When the phreak eventually hangs up, the records will only show +that he made a toll-free call. + +It would cost the phone companies approximately one billion dollars to change +the switching system so that the blue boxes would not work, so instead they +decided to invest in a scanning system that records all questionable calls. +Now that scanning system is so quick that it's almost suicide to use a black +or blue box at home. Phreaks can still get away with using blue boxes at +pay phones if the call is short, but that's about all. If someone is found +using a blue or black box at home now, the box is immediately confiscated, and +the phreak's service may be possibly disconnected. + +If someone offers to sell you one of these colored boxes for the standard +ridiculous price, I'd advise against it. You stand to lose much more than you +would gain in the long run. + +The Wanderjahr + + Distributed in part by: + + Skeleton Crue 415-376-8060 located out of Moraga, California. + !!Get on the band wagon befor it RUNS YOU DOWN!! + Headquarters for Computer Hackers and Anarchists to Overthrow the State + (CH&AOS) +[37] Tfiles: (1-49,?,Q) : \ No newline at end of file diff --git a/textfiles.com/phreak/PHREAKING/phreakla.phk b/textfiles.com/phreak/PHREAKING/phreakla.phk new file mode 100644 index 00000000..4c724b07 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phreakla.phk @@ -0,0 +1,55 @@ + +Phreak Sysops & US Law +---------------------- + +HI THERE, + + LOOK, UNDER CURRENT U.S. LAW THE EXCHANGE OF INFORMATION IS LEGAL (REMEMBER +GUYS, FREEDOM OF SPEECH!) THE ONLY THING THEY CAN GET ON YOU IS AIDING AND +ABETTING A FELONY (WHICH PHREAKING IS - A FELONY.) HOWEVER, A DISCLAIMER ON THE +BOARD TAKES OUT A LOT OF THE BLAME. ALSO, TO PROVE IN COURT THAT YOU ARE GUILTY +BEYOND A REASONABLE DOUBT THEY'VE GOT TO PROVE THAT YOU WERE THE ONLY PARTY +AIDING AND ABETTING... IMPOSSIBLE! TO PROVE THAT, THEY'D HAVE TO PROVE THAT +SOMEONE CALLED YOUR BOARD, GOT INFORMATION FROM YOUR BOARD, CALLED NO OTHER +BOARDS, AND PHREAKED USING THAT INFORMATION... QUITE IMPOSSIBLE PRACTICALLY. +ALSO, I WOULD SUGGEST THAT ACCESS TO PHREAK BOARDS BE GOVERNED BY THE SYSOP AND +THAT AS A RESTRICTION THE PROSPECTIVE USER MUST ANSWER THE FOLLOWING QUESTION +"YES": I HAVE NO TIES OR CONNECTIONS WITH ANY LAW ENFORCEMENT AGENCY OR ANY +AGENCY WHICH WOULD ENFORM SUCH A LAW ENFORCEMENT AGENCY OF THIS BOARD, NOR HAVE +I EVER OR WILL I EVER REVEAL ANY IMFORMATION ABOUT THIS BOARD OR GAINED TO THIS +BOARD TO ANY LAW ENFORCEMENT AGENCY." + +======================================= + + IF THE PROSPECTIVE PHREAK SAYS YES TO THAT STATEMENT LET HIM ON... IF HE +TURNS AROUND AND REPORTS THA INFORMATION YOU CAN HAVE IT THROWN OUT OF COURT! +(ON MULTIPLE GROUNDS: ENTRAPMENT, VIOLATION OF CIVIL RIGHTS- THIS IS A GREAT +DEFENSE SINCE ANY EVIDENCE GAINED THROUGH A VIOLATION OF CIVIL RIGHTS IS +INVALID.... AND ANY EVIDENCE GAINED BECAUSE OF THAT INVALID KNOWLEDGE IS +INVALID ALSO!) HOWEVER, YOU *MAY* HAVE TO HAVE A WRITTEN SIGNATURE FOR THIS +ALTHOUGH I DON'T BELIEVE SO... I CAN CHECK THAT LATER. + + LOOK SYSOPS, LETS NOT GIVE IN TO THE BIG BULLYS (SPRINT, MA, ETC.) LET'S GO +OUT THERE AND PROVE THAT THE U.S. CONSTITUTION STILL MEANS SOMETHING AND THAT +WE STILL CAN HAVE FREE SPEACH. + + YOURS, + STAR WARRIOR + ----^------- + P.S. DROP ME A LINE IF YOU WANT MORE INFO - I'VE GOT CONNECTIONS IN THE LEGAL +FIELD AND CAN GET IT!!!!!!!!!!!!!!!!!!!!!!!!!!!! P.P.S. EVIDENCE GOTTEN BY +TAPPING PHONES IS ILLEGAL TOO! + + ======================================= + + ON THE P.P.S. I MEANT THAT IF THE PHONE TAP OR MONITERING IS NOT SPECIF- +ICALLY AUTHORIZED BY A WARRANT IT IS ILLEGAL EVIDENCE. ALSO, IF THEY TAP YOU +BASED ON EVIDENCE OBTAINED BY READING A B.B.S. MESSAGE THEY CAN PROBABLY BE +THROWN OUT SINCE THEY HAD NO PROOF OF THE AUTHENTICITY OF THAT EVIDENCE +INDICATING YOU AS A SUSPECT. + + LATER + STAR WARRIOR + ------------ +Call The Works BBS - 1600+ Textfiles! - [914]/238-8195 - 300/1200 - Always Open + \ No newline at end of file diff --git a/textfiles.com/phreak/PHREAKING/phreakman.hac b/textfiles.com/phreak/PHREAKING/phreakman.hac new file mode 100644 index 00000000..985717d5 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phreakman.hac @@ -0,0 +1,12446 @@ + +1 + + + + The Official Phreaker's Manual + + + + + + + + + + + + + + + + + + + + + + The Official Phreaker's Manual V1.1 + Updated 2/14/87 + Compiled, Wordprocessed, and Distributed by: + The Jammer + and + Jack the Ripper + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 1 + + + + + The Official Phreaker's Manual + + Introduction + + What precedes this introduction is what I have termed "The Official +Phreakers Manual", while it may not be. Many times I have been on a BBS, which +has files claiming to have summed up all the ways to phreak in the U.S. and +abroad, well those were pretty lame and a couple pages long. Now after many +relentless hours of work, I have done it. This is an informative file and the +authors of this and the authors from which I have gathered information, take +absolutely NO responsibility and are not liable for, under any circumstances +for damage, direct, indirect, incidental, or consequential. + + Warning: Use of this material may shorten your life in the free world! + + Ok enough of the bullshit, I readily admit that this is mainly a compilation +of available phreak material and public resources. What I have done is to +gather it all together and edit, compile, check for errors, put in a readable +form, and finally to write what I know without echoing what others have said. +I have set this up that it is good for all levels of phreaks, going from novice +to advanced, and references and tables for easy reference in the back. + This manual is constantly being updated! If you have any contributions or +corrections or comments, please leave messages to me (Jack the Ripper) on any +BBS's I am on (probably where you got it). Thanks! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 2 + + + + + The Official Phreaker's Manual + + ********************************************************************** + + Table of Contents + + ********************************************************************** + + +I....... 005 Chapter 1 +I.1..... 006 Glossary of Phreaking terms +I.2..... 010 Glossary of Phreaking terms cont. +I.3..... 017 Boxes and Electronic Toll Fraud +I.4..... 020 How to be a Real Phreak +I.5..... 026 Basic Telecommunications I, A Phreaks guide + +II...... 031 Chapter 2 +II.1.... 033 Secrets of the Little Blue Box. Part 1 +II.2.... 041 Secrets of the Little Blue Box. Part 2 +II.3.... 050 Secrets of the Little Blue Box. Part 3 +II.4.... 058 Secrets of the Little Blue Box. Part 4 +II.5.... 062 The History of ESS +II.6.... 064 History of British Phreaking +II.7.... 067 Bad as Shit, an adventure story + +III..... 069 Chapter 3 +III.1... 070 Phreaking Cosmos +III.2... 072 Cosmos Revamped +III.3... 073 Telenet +III.4... 075 Phreaking AT&T Cards +III.5... 076 AT&T Forgery +III.6... 078 Dealing with Operators +III.7... 079 How to set up a Conference Call +III.8... 081 Fone tapping +III.9... 083 Fone tapping cont. +III.10.. 085 Tracing, how dangerous is it +III.11.. 086 How to avenge yourself +III.12.. 088 Interesting things to do on Step lines +III.13.. 089 Busted, An account of the Private Sector bust + +IV...... 092 Chapter 4 +IV.1.... 093 Basic Telecommunications II, Special #'s, Loops, Ani +IV.2.... 101 Basic Telecommunications III, Direct Dialing, International +IV.3.... 106 Basic Telecommunications IV, Telefone Hierarchy +IV.4.... 113 Basic Telecommunications V, Subscriber fone electronics +IV.5.... 120 Basic Telecommunications VI, Fortress fones + +V....... 123 Chapter 5 +V.1..... 124 Basic Telecommunications VII, Blue Boxing +V.2..... 132 Better Homes & Blue Boxing, Part 1 +V.3..... 136 Better Homes & Blue Boxing, Part 2 +V.4..... 141 Better Homes & Blue Boxing, Part 3 +V.5..... 145 More on Blue Boxing by Fred Stienbeck +V.6..... 146 Verification, Remob, etc., Is it possible? +V.7..... 148 Equal Access and the American Dream, Another great article +V.8..... 160 Equal access and Autodialing Modems +V.9..... 161 ISDN, it will change telecommunications for ever +V.10.... 163 ISDN, an article from Proto +V.11.... 165 MCI Services what they are and how they are useful + + + Page 3 + + + + + The Official Phreaker's Manual + + ********************************************************************** + + Appendixes + + ********************************************************************** + + +Appendix I...... 170 Reference tables and access lists +Appendix I.1.... 171 Country Codes +Appendix I.2.... 173 Country Codes cont. +Appendix I.3.... 176 Country Codes cont. +Appendix I.4.... 181 Max Access ports (Dialups) +Appendix I.5.... 182 Metro Fone Access ports +Appendix I.6.... 183 Area Codes +Appendix I.7.... 185 Tac Dialups around the country +Appendix I.8.... 193 Test numbers around the country +Appendix I.9.... 196 What a TSPS operators console looks like + +Appendix II..... 197 Box plans +Appendix II.1... 198 How to make an Infinity transmitter +Appendix II.2... 203 How to make a silver box + + 204 Protection Page + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 4 + + + + + The Official Phreaker's Manual + + Chapter 1 + + Ok this chapter will cover the basic vocabulary of phreaking, it is a fairly +long list, though not totally complete. After the vocab, will be some of the +general rules for phreaking. Most of the rules are protection from the police +and AT&T, but others are grammatical rules. These are not as important to your +freedom, but many a phreak will think you are a twelve year old if you start +talking like, "Hey dudz!^$(&, just got the latest warez! trade u for some +soft/docs. Checkul8r". Well you get the point, here's your vocab list... + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 5 + + + + + The Official Phreaker's Manual + + ...................................................................... + ...................................................................... + . The Bell Glossary - .. + . by .. + . /XX>ad X>arvin .. + ...................................................................... + ...................................................................... + +ACD: Automatic Call Distributor - A system that automatically distributes calls +to operator pools (providing services such as intercept and directory +assistance), to airline ticket agents, etc. + +Administration: The tasks of record-keeping, monitoring, rearranging, +prediction need for growth, etc. + +AIS: Automatic Intercept System - A system employing an audio-response unit +under control of a processor to automatically provide pertinent info to callers +routed to intercept. + +Alert: To indicate the existence of an incoming call, (ringing). + +ANI: Automatic Number Identification - Often pronounced "Annie," a facility for +automatically identify the number of the calling party for charging purposes. + +Appearance: A connection upon a network terminal, as in "the line has two +network appearances." + +Attend: The operation of monitoring a line or an incoming trunk for off-hook or +seizure, respectively. + +Audible: The subdued "image" of ringing transmitted to the calling party during +ringing; not derived from the actual ringing signal in later systems. + +Backbone Route: The route made up of final-group trunks between end offices in +different regional center areas. + +BHC: Busy Hour Calls - The number of calls placed in the busy hour. + +Blocking: The ratio of unsuccessful to total attempts to use a facility; +expresses as a probability when computed a priority. + +Blocking Network: A network that, under certain conditions, may be unable to +form a transmission path from one end of the network to the other. In general, +all networks used within the Bell Systems are of the blocking type. + +Blue Box: Equipment used fraudulently to synthesize signals, gaining access to +the toll network for the placement of calls without charge. + +BORSCHT Circuit: A name for the line circuit in the central office. It +functions as a mnemonic for the functions that must be performed by the +circuit: Battery, Overvoltage, Ringing, Supervision, Coding, Hybrid, and +Testing. + +Busy Signal: (Called-line-busy) An audible signal which, in the Bell System, +comprises 480hz and 620hz interrupted at 60IPM. + +Bylink: A special high-speed means used in crossbar equipment for routing calls + + Page 6 + + + + + The Official Phreaker's Manual + +incoming from a step-by-step office. Trunks from such offices are often +referred to as "bylink" trunks even when incoming to noncrossbar offices; they +are more properly referred to as "dc incoming trunks." Such high-speed means +are necessary to assure that the first incoming pulse is not lost. + +Cable Vault: The point which phone cable enters the Central Office building. + +CAMA: Centralized Automatic Message Accounting - Pronounced like Alabama. + +CCIS: Common Channel Interoffice Signaling - Signaling information for trunk +connections over a separate, nonspeech data link rather that over the trunks +themselves. + +CCITT: International Telegraph and Telephone Consultative Committee- An +International committee that formulates plans and sets standards for +intercountry communication means. + +CDO: Community Dial Office - A small usually rural office typically served by +step-by-step equipment. + +CO: Central Office - Comprises a switching network and its control and support +equipment. Occasionally improperly used to mean "office code." + +Centrex: A service comparable in features to PBX service but implemented with +some (Centrex CU) or all (Centrex CO) of the control in the central office. In +the later case, each station's loop connects to the central office. + +Customer Loop: The wire pair connecting a customer's station to the central +office. + +DDD: Direct Distance Dialing - Dialing without operator assistance over the +nationwide intertoll network. + +Direct Trunk Group: A trunk group that is a direct connection between a given +originating and a given terminating office. + +EOTT: End Office Toll Trunking - Trunking between end offices in different toll +center areas. + +ESB: Emergency Service Bureau - A centralized agency to which 911 "universal" +emergency calls are routed. + +ESS: Electronic Switching System - A generic term used to identify as a class, +stored-program switching systems such as the Bell System's No.1 No.2, No.3, +No.4, or No.5. + +ETS: Electronic Translation Systems - An electronic replacement for the card +translator in 4A Crossbar systems. Makes use of the SPC 1A Processor. + +False Start: An aborted dialing attempt. + +Fast Busy: (often called reorder) - An audible busy signal interrupted at twice +the rate of the normal busy signal; sent to the originating station to indicate +that the call blocked due to busy equipment. + +Final Trunk Group: The trunk group to which calls are routed when available +high-usage trunks overflow; these groups generally "home" on an office next +highest in the hierarchy. + + Page 7 + + + + + The Official Phreaker's Manual + + +Full Group: A trunk group that does not permit rerouting off-contingent foreign +traffic; there are seven such offices. + +Glare: The situation that occurs when a two-way trunk is seized more or less +simultaneously at both ends. + +High Usage Trunk Group: The appellation for a trunk group that has alternate +routes via other similar groups, and ultimately via a final trunk group to a +higher ranking office. + +Intercept: The agency (usually an operator) to which calls are routed when made +to a line recently removed from a service, or in some other category requiring +another station, such as an Emergence Interrupt. + +Junctor: A wire or circuit connection between networks in the same office. The +functional equivalent to an intraoffice trunk. + +MF: Multifrequency - The method of signaling over a trunk making use of the +simultaneous application of two out of six possible frequencies. + +NPA: Numbering Plan Area. + +ONI: Operator Number Identification - The use of an operator in a CAMA office +to verbally obtain the calling number of a call originating in an office not +equipped with ANI. + +PBX: Private Branch Exchange - (PABX: Private Automatic Branch Exchange) An +telephone office serving a private customer, Typically , access to the outside +telephone network is provided. + +Permanent Signal: A sustained off-hook condition without activity (no dialing +or ringing or completed connection); such a condition tends to tie up +equipment, especially in earlier systems. Usually accidental, but sometimes +used intentionally by customers in high-crime-rate areas to thwart off +burglars. + +POTS: Plain Old Telephone Service - Basic service with no extra "frills". + +ROTL: Remote Office Test Line - A means for remotely testing trunks. + +RTA: Remote Trunk Arrangement - An extension to the TSPS system permitting its +services to be provided up to 200 miles from the TSPS site. + +SF: Single Frequency. A signaling method for trunks: 2600hz is impressed upon +idle trunks. + +Supervise: To monitor the status of a call. + +SxS: (Step-by-Step or Strowger switch) - An electromechanical office type +utilizing a gross-motion stepping switch as a combination network and +distributed control. + +Talkoff: The phenomenon of accidental synthesis of a machine-intelligible + + Page 8 + + + + + The Official Phreaker's Manual + +signal by human voice causing an unintended response. "whistling a tone". + +Trunk: A path between central offices; in general 2-wire for interlocal, 4-wire +for intertoll. + +TSPS: Traffic Service Position System - A system that provides, under stored- +program control, efficient operator assistance for toll calls. It does not +switch the customer, but provides a bridge connection to the operator. + +X-bar: (Crossbar) - An electromechanical office type utilizing a "fine-motion" +coordinate switch and a multiplicity of central controls (called markers). +There are four varieties: + No.1 Crossbar: Used in large urban office application; (1938) + No 3 Crossbar: A small system started in (1974). + No.4A/4M Crossbar: A 4-wire toll machine; (1943). + No.5 Crossbar: A machine originally intended for relatively small +suburban applications; (1948) + Crossbar Tandem: A machine used for interlocal office switching. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 9 + + + + + The Official Phreaker's Manual + + ============================================================ + _ _ _______ + | X/ | / _____/ + |_||_|etal / /hop + __________/ / + /___________/ + (314) 432-0756 + + Proudly Presents + + The MCI Telecommunications Glossary + + Part I Volume I (A - D) + + Typed by Knight Lightning + + ============================================================ + +- A - + +A & B LEADS: Designation of leads derived from the midpoints of the two 2-wire +pairs comprising a 4-wire circuit. + +ABBREVIATED DIALING: The ability of a telephone user to reach frequently called +numbers by using less than seven digits. Synonym: Speed Dialing + +ACCESS CHARGE: A fee paid for the use of local lines. + +ACCESS CODE: A digit or number of digits required to be connected to a private +line arranged for dial access. + +ACCESS LINE: A telephone circuit which connects a customer location to a +network switching center. + +AIRLINE MILEAGE: Calculated point-to-point mileage between terminal +facilities. + +ALL TRUNKS BUSY (ATB): A single tone interrupted at a 120 ipm (impulses per +minute) rate to indicate all lines or trunks in a routing group are busy. + +ALTERNATE ROUTE: A secondary communications path used to reach a destination if +the primary path is unavailable. + +ALTERNATE USE: The ability to switch communications facilities from one type of +service to another, i.e., voice to data, etc. + +ALTERNATE VOICE DATA (AVD): A single transmission facility which can be used +for either voice or data. + +AMERICAN STANDARD CODE +FOR INFORMATION INTERCHANGE +(ASCII): An 8 level code developed for the interchange of information between +data processing and communications systems. + +ANALOG SIGNAL: A signal in the form of a continuous varying physical quantity, +e.g., voltage which reflects variations in some quantity, e.g., loudness in the +human voice. + + + Page 10 + + + + + The Official Phreaker's Manual + +ANNUNICATOR: An audible intercept device that states the condition or +restrictions associated with circuits or procedures. + +ANSWER BACK: An electrical and/or visual indication to the calling or sending +end that the called or received station is on the line. + +ANSWER SUPERVISION: An off-hook signal transmitted toward the calling end of a +switched connection when the called party answers. + +AREA CODE: Synonym: Numbering Plan Area (NPA). A three digit number identifying +more than 150 geographic areas of the United States and Canada which permits +direct distance dialing on the telephone system. A similar global numbering +plan has been established for international subscriber dialing. + +ATTENDANT POSITION: A telephone switchboard operator's position. It provides +either automatic (cordless) or manual (plug and jack) operator controls for +incoming and/or outgoing telephone calls. + +ATTENUATION: A general term used to denote the decrease in power between that +transmitted and that received due to loss through equipment, lines, or other +transmission devices. It is usually expressed as a ration in db (decibel). + + +(B) ENTRANCE INTO THE DDD TOLL NETWORK MAY BE EFFECTED BY A PRETEXT CALL TO ANY +OTHER TOLL-FREE # SUCH AS UNIVERSAL DIRECTORY ASSISTANCE (555-1212) OR ANY # IN +THE INWATS NETWORK, EITHER INTER-STATE OR INTRA-STATE, WORKING OR NON-WORKING. + +(C) ENTRANCE INTO THE DDD TOLL NETWORK MAY ALSO BE IN THE FORM OF "SHORT HAUL" +CALLING. A "SHORT HAUL" CALL IS A CALL TO ANY # WHICH WILL RESULT IN A LESSER +AMOUNT OF TOLL CHARGES THAN THE CHARGES FOR THE CALL TO BE COMPLETED BY THE +BLUE BOX. FOR EXAMPLE, A CALL TO BIRMINGHAM FROM ATLANTA MAY COST $.80 FOR THE +FIRST 3 MINUTES WHILE A CALL FROM ATLANTA TO LOS ANGELES IS $1.85 FOR 3 +MINUTES. THUS, A SHORT HAUL, 3-MINUTE CALL TO BIRMINGHAM FROM ATLANTA, SWITCHED +BY USE OF A BLUE BOX TO LOS ANGELES, WOULD RESULT IN A NET FRAUD OF $2.65 FOR A +3 MINUTE CALL. + +(D) A BLUE BOX MAY BE WIRED INTO THE TELEPHONE LINE OR ACOUSTICALLY CONNECTED +TO THE HANDSET. THE BLUE BOX MAY EVEN BE BUILT INSIDE A REGULAR TOUCH-TONE +PHONE, USING THE PHONE'S PUSH BUTTONS FOR THE BLUE BOX'S SIGNALLING TONES. + +(E) A MAGNETIC TAPE RECORDING MAY BE USED TO RECORD THE BLUE BOX TONES +REPRESENTATIVE OF SPECIFIC PHONE #'S. SUCH A TAPE RECORDING COULD BE USED IN +LIEU OF +A BLUE BOX TO FRAUDULENTLY PLACE CALLS TO THE PHONE #'S RECORDED ON THE +MAGNETIC TAPE. + + ALL BLUE BOXES, EXCEPT "DIAL PULSE" OR "ROTARY SF" BLUE BOXES, MUST HAVE +THE FOLLOWING 4 COMMON OPERATING CAPABILITIES: + +(A) IT MUST HAVE SIGNALLING CAPABILITY IN THE FORM OF A 2600HZ TONE. THE TONE +IS USED BY THE TOLL NETWORK TO INDICATE, EITHER BY ITS PRESENCE OR ITS ABSENCE, +AN "ON HOOK" (IDLE) OR "OFF HOOK" (BUSY) CONDITION OF THE TRUNK. + +(B) THE BLUE BOX MUST HAVE A "KP" TONES THAT UNLOCKS OR READIES THE +MULTI-FREQUENCY RECEIVER AT THE CALLED END TO RECEIVE THE TONES CORRESPONDING +TO THE CALLED PHONE #. + + Page 18 + + + + + The Official Phreaker's Manual + + +(C) THE TYPICAL BLUE BOX MUST BE ABLE TO EMIT MF TONES WHICH ARE USED TO +TRANSMIT PHONE #'S OVER THE TOLL NETWORK. EACH DIGIT OF A PHONE # IS +REPRESENTED BY A COMBINATION OF 2 TONES. FOR EXAMPLE, THE DIGIT 2 IS X-MITTED +BY A COMBINATION OF 700HZ AND 1100HZ. + +(D) THE BLUE BOX MUST HAVE AN "ST" KEY WHICH CONSISTS OF A COMBINATION OF 2 +TONES THAT TELL THE EQUIPMENT AT THE CALLED END THAT ALL DIGITS HAVE BEEN SENT +AND THAT THE EQUIPMENT SHOULD START SWITCHING THE CALL TO THE CALLED NUMBER. + + THE "DIAL PULSER" OR "ROTARY SF" BLUE BOX REQUIRES ONLY A DIAL WITH A +SIGNALLING CAPABILITY TO PRODUCE A 2600HZ TONE. + +*BLACK BOX* +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + THIS ETF DEVICE IS SO-NAMED BECAUSE OF THE COLOR OF THE FIRST ONE FOUND. +IT VARIES IN SIZE AND USUALLY HAS ONE OR TWO SWITCHES OR BUTTONS. ATTACHED TO +THE TELEPHONE LINE OF A CALLED PARTY, THE BLACK BOX PROVIDES TOLL-FREE CALLING +*TO* THAT PARTY'S LINE. A BLACK BOX USER INFORMS OTHER PERSONS BEFOREHAND THAT +THEY WILL NOT BE CHARGED FOR ANY CALL PLACED TO HIM. THE USER THEN OPERATES THE +DEVICE CAUSING A "NON-CHARGE" CONDITION ("NO ANSWER" OR "DISCONNECT") TO BE +RECORDED ON THE TELEPHONE COMPANY'S BILLING EQUIPMENT. A BLACK BOX IS +RELATIVELY SIMPLE TO CONSTRUCT AND IS MUCH LESS SOPHISTICATED THAN A BLUE BOX. + +*CHEESE BOX* +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + ITS DESIGN MAY BE CRUDE OR VERY SOPHISTICATED. ITS SIZE VARIES; ONE WAS FOUND +THE SIZE OF A HALF-DOLLAR. A CHEESE BOX IS USED MOST OFTEN BY BOOKMAKERS OR +BETTERS TO PLACE WAGERS WITHOUT DETECTION FROM A REMOTE LOCATION. THE DEVICE +INTER-CONNECTS 2 PHONE LINES, EACH HAVING DIFFERENT #'S BUT EACH TERMINATING AT +THE SAME LOCATION. IN EFFECT, THERE ARE 2 PHONES AT THE SAME LOCATION WHICH ARE +LINKED TOGETHER THROUGH A CHEESE BOX. IT IS USUALLY FOUND IN AN UNOCCUPIED +APARTMENT CONNECTED TO A PHONE JACK OR CONNECTING BLOCK. THE BOOKMAKER, AT SOME +REMOTE LOCATION, DIALS ONE OF THE NUMBERS AND STAYS ON THE LINE. VARIOUS +BETTORS DIAL THE OTHER NUMBER BUT ARE AUTOMATICALLY CONNECTED WITH THE +BOOKMAKER BY MEANS OF THE CHEESE BOX INTER-CONNECTION. IF, IN ADDITION TO A +CHEESE BOX, A BLACK BOX IS INCLUDED IN THE ARRANGEMENT, THE COMBINED EQUIPMENT +WOULD PERMIT TOLL-FREE CALLING ON EITHER LINE TO THE OTHER LINE. IF A POLICE +RAID WERE CONDUCTED AT THE TERMINATING POINT OF THE CONVERSATIONS -THE LOCATION +OF THE CHEESE BOX- THERE WOULD BE NO EVIDENCE OF GAMBLING ACTIVITY. THIS DEVICE +IS SOMETIMES DIFFICULT TO IDENTIFY. LAW ENFORCEMENT OFFICIALS HAVE BEEN ADVISED +THAT WHEN UNUSUAL DEVICES ARE FOUND ASSOCIATED WITH TELEPHONE CONNECTIONS THE +PHONE COMPANY SECURITY REPRESENTATIVES SHOULD BE CONTACTED TO ASSIST IN +IDENTIFICATION. (THIS PROBABLY WOULD BE GOOD FOR A BBS , ESPECIALLY WITH THE +BLACK BOX SET UP. AND IF YOU EVER DECIDED TO TAKE THE BOARD DOWN, YOU WOULDN'T +HAVE TO CHANGE YOUR PHONE #. IT ALSO MAKES IT SO YOU YOURSELF CANNOT BE TRACED. +I AM NOT SURE ABOUT CALLING OUT FROM ONE THOUGH) + +*RED BOX* +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + THIS DEVICE IT COUPLED ACOUSTICALLY TO THE HANDSET TRANSMITTER OF A +SINGLE-SLOT COIN TELEPHONE. THE DEVICE EMITS SIGNALS IDENTICAL TO THOSE TONES +EMITTED WHEN COINS ARE DEPOSITED. THUS, LOCAL OR TOLL CALLS MAY BE PLACED +WITHOUT THE ACTUAL DEPOSIT OF COINS. + + + Page 19 + + + + + The Official Phreaker's Manual + + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + /-/ /-/ + /-/ Phreaker's /-/ + /-/ PhunHouse /-/ + /-/ /-/ + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + /-/ By: /-/ + /-/ The Traveler /-/ + /-/ /-/ + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + /-/ /-/ + /-/ Call: /-/ + /-/ Brainstorm BBS /-/ + /-/ 612/345-2815 (300/1200) /-/ + /-/ /-/ + /-/ Little America /-/ + /-/ 507/289-8211 (300) /-/ + /-/ /-/ + /-/ Tell 'em Traveler sent ya /-/ + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + + The long awaited prequil to Phreaker's Guide has finally arrived. Conceived +from the boredom and loneliness that could only be derived from: The Traveler! +But now, he has returned in full strength (after a small vacation) and is here +to 'World Premiere' the new files everywhere. + Stay cool. This is the prequil to the first one, so just relax. This is not +made to be an exclusive ultra elite file, so kinda calm down and watch in the +background if you are too cool for it... + +/-/ Phreak Dictionary /-/ + + Here you will find some of the basic but necessary terms that should be known +by any phreak who wants to be respected at all... + + Phreak [fr'eek]:1. The action of using mischevious and mostly illegal ways +in order to not pay for some sort of telecommunications bill, order, transfer, +or other service. It often involves usage of highly illegal boxes and machines +in order to defeat the security that is set up to avoid this sort of +happening. + [fr'eaking]. v. 2. A person who uses the above methods of destruction and +chaos in order to make a better life for all. A true phreaker will not not go +against his fellows or narc on people who have ragged on him or do anything +termed to be dishonorable to phreaks. + [fr'eek]. n. 3. A certain code or dialup useful in the action of being a +phreak. (Example: "I hacked a new metro phreak last night.") + + Switching System + [Swich'ing sis'tem]: 1. There are 3 main switching systems currently employed +in the US, and a few other systems will be mentioned as background. +A) SxS: This system was invented in 1918 and was employed in over half of the +country until 1978. It is a very basic system that is a general waste of energy +and hard work on the linesman. A good way to identify this is that it requires +a coin in the phone booth before it will give you a dial tone, or that no call +waiting, call forwarding, or any other such service is available. Stands for: +Step by Step + +B) XB: This switching system was first employed in 1978 in order to take care +of most of the faults of SxS switching. Not only is it more efficient, but it + + Page 20 + + + + + The Official Phreaker's Manual + +also can support different services in various forms. XB1 is Crossbar Version +1. That is very limited and is hard to distinguish from SxS except by direct +view of the wiring involved. Next up was XB4, Crossbar Version 4. With this +system, some of the basic things like DTMF that were not available with SxS can +be accomplished. For the final stroke of XB, XB5 was created. This is a service +that can allow DTMF plus most 800 type services (which were not always +available...) Stands for: Crossbar. +C) ESS: A nightmare in telecom. In vivid color, ESS is a pretty bad thing to +have to stand up to. It is quite simple to identify. Dialing 911 for +emergencies, and ANI [see ANI below] are the most common facets of the dread +system. ESS has the capability to list in a person's caller log what number was +called, how long the call took, and even the status of the conversation (modem +or otherwise.) Since ESS has been employed, which has been very recently, it +has gone through many kinds of revisions. The latest system to date is ESS 11a, +that is employed in Washington D.C. for security reasons. ESS is truly trouble +for any phreak, because it is 'smarter' than the other systems. For instance, +if on your caller log they saw 50 calls to 1-800-421-9438, they would be able +to do a CN/A [see Loopholes below] on your number and determine whether you are +subscribed to that service or not. This makes most calls a hazard, because +although 800 numbers appear to be free, they are recorded on your caller log +and then right before you receive your bill it deletes the billings for them. +But before that they are open to inspection, which is one reason why extended +use of any code is dangerous under ESS. Some of the boxes [see Boxing below] +are unable to function in ESS. It is generally a menace to the true phreak. +Stands For: Electronic Switching System. because they could appear on a filter +somewhere or maybe it is just nice to know them any ways. + A) SSS: Strowger Switching System. First non-operator system +available. + B) WES: Western Electronics Switching. Used about 40 years ago +with some minor places out west. + Boxing [Boks'-ing]: 1) The use of personally designed boxes that emit or +cancel electronical impulses that allow simpler acting while phreaking. Through +the use of separate boxes, you can accomplish most feats possible with or +without the control of an operator. + 2) Some boxes and their functions are listed below. Ones +marked with '*' indicate that they are not operatable in ESS. + *Black Box: Makes it seem to the phone company that the phone was never +picked up. + + Blue Box: Emits a 2600hz tone that allows you to do such things as stack +a trunk line, kick the operator off line, and others. + + Red Box: Simulates the noise of a quarter, nickel, or dime being +dropped into a payphone. + + Cheese Box: Turns your home phone into a pay phone to throw off traces (a +red box is usually needed in order to call out.) + + *Clear Box: Gives you a dial tone on some of the old SxS payphones without +putting in a coin. + +into phone lines and extract by eavesdropping, or crossing wires, etc. + Purple Box: Makes all calls made out from your house seem to be local +calls. + ANI [ANI]: 1) Automatic Number Identification. A service available on ESS +that allows a phone service [see Dialups below] to record the number that any +certain code was dialed from along with the number that was called and print + + Page 21 + + + + + The Official Phreaker's Manual + +both of these on the customer bill. 950 dialups [see Dialups below] are all +designed just to use ANI. Some of the services do not have the proper equipment +to read the ANI impulses yet, but it is impossible to see which is which +without being busted or not busted first. + Dialups + [dy'l'ups]: 1) Any local or 800 extended outlet that allows instant access to +any service such as MCI, Sprint, or AT&T that from there can be used by +handpicking or using a program to reveal other peoples codes which can then be +used moderately until they find out about it and you must switch to another +code (preferably before they find out about it.) + 2) Dialups are extremely common on both senses. Some dialups +reveal the company that operates them as soon as you hear the tone. Others are +much harder and some you may never be able to identify. A small list of +dialups: + 1-800-421-9438 (5 digit codes) + 1-800-547-6754 (6 digit codes) + 1-800-345-0008 (6 digit codes) + 1-800-734-3478 (6 digit codes) + 1-800-222-2255 (5 digit codes) + 3) Codes: Codes are very easily accessed procedures when you call +a dialup. They will give you some sort of tone. If the tone does not end in 3 +seconds, then punch in the code and immediately following the code, the number +you are dialing but strike the '1' in the beginning out first. If the tone does +end, then punch in the code when the tone ends. Then, it will give you another +tone. Punch in the number you are dialing, or a '9'. If you punch in a '9' and +the tone stops, then you messed up a little. If you punch in a tone and the +tone continues, then simply dial then number you are calling without the '1'. + 4) All codes are not universal. The only type that I know of that +is truly universal is Metrophone. Almost every major city has a local Metro +dialup (for Philadelphia, (215)351-0100/0126) and since the codes are +universal, almost every phreak has used them once or twice. They do not employ +ANI in any outlets that I know of, so feel free to check through your books and +call 555-1212 or, as a more devious manor, subscribe yourself. Then, never use +your own code. That way, if they check up on you due to your caller log, they +can usually find out that you are subscribed. Not only that but you could set a +phreak hacker around that area and just let it hack away, since they usually +group them, and, as a bonus, you will have their local dialup. + 5) 950's. They seem like a perfectly cool phreakers dream. They +are free from your house, from payphones, from everywhere, and they host all of +the major long distance companies (950-1044 , 950-1077 , 950-1088 +, 950-1033 .) Well, they aren't. They were designed for +ANI. That is the point, end of discussion. + + A phreak dictionary. If you remember all of the things contained on that file +up there, you may have a better chance of doing whatever it is you do. This +next section is maybe a little more interesting... + +Blue Box Plans: +--------------- + + These are some blue box plans, but first, be warned, there have been 2600hz +tone detectors out on operator trunk lines since XB4. The idea behind it is to +use a 2600hz tone for a few very naughty functions that can really make your +day lighten up. But first, here are the plans, or the heart of the file: + +============================================== +700 : 1 : 2 : 4 : 7 : 11 : +900 : + : 3 : 5 : 8 : 12 : + + Page 22 + + + + + The Official Phreaker's Manual + +1100 : + : + : 6 : 9 : KP : +1300 : + : + : + : 10 : KP2 : +1500 : + : + : + : + : ST : + : 700 : 900 :1100 :1300 :1500 : +============================================== + + Stop! Before you diehard users start piecing those little tone tidbits +together, there is a simpler method. If you have an Apple-Cat with a program +like Cat's Meow IV, then you can generate the necessary tones, the 2600hz tone, +the KP tone, the KP2 tone, and the ST tone through the dial section. So if you +have that I will assume you can boot it up and it works, and I'll do you the +favor of telling you and the other users what to do with the blue box now that +you have somehow constructed it. + The connection to an operator is one of the most well known and used ways of +having fun with your blue box. You simply dial a TSPS (Traffic Service +Positioning Station, or the operator you get when you dial '0') and blow a +2600hz tone through the line. Watch out! Do not dial this direct! After you +have done that, it is quite simple to have fun with it. Blow a KP tone to start +a call, a ST tone to stop it, and a 2600hz tone to hang up. Once you have +connected to it, here are some fun numbers to call with it: + +0-700-456-1000 Teleconference (free, because you are the operator!) +(Area code)-101 Toll Switching +(Area code)-121 Local Operator (hehe) +(Area code)-131 Information +(Area code)-141 Rate & Route +(Area code)-181 Coin Refund Operator +(Area code)-11511 Conference operator (when you dial 800-544-6363) + + Well, those were the tone matrix controllers for the blue box and some other +helpful stuff to help you to start out with. But those are only the functions +with the operator. There are other k-fun things you can do with it... + More advanced Blue Box Stuff: + Oops. Small mistake up there. I forgot tone lengths. Um, you blow a tone +pair out for up to 1/10 of a second with another 1/10 second for silence +between the digits. KP tones should be sent for 2/10 of a second. One way to +confuse the 2600hz traps is to send pink noise over the channel (for all of you +that have decent BSR equalizers, there is major pink noise in there...) +Using the operator functions is the use of the 'inward' trunk line. That is +working it from the inside. From the 'outward' trunk, you can do such things as +make emergency breakthrough calls, tap into lines, busy all of the lines in any +trunk (called 'stacking'), enable or disable the TSPS's, and for some 4a +systems you can even re-route calls to anywhere. + + All right. The one thing that every complete phreak guide should not be +without is blue box plans, since they were once a vital part of phreaking. +Another thing that every complete file needs is a complete listing of all of +the 800 numbers around so you can have some more fun. + +/-/ 800 Dialup Listings /-/ + +1-800-345-0008 (6) 1-800-547-6754 (6) +1-800-245-4890 (4) 1-800-327-9136 (4) +1-800-526-5305 (8) 1-800-858-9000 (3) +1-800-437-9895 (7) 1-800-245-7508 (5) +1-800-343-1844 (4) 1-800-322-1415 (6) +1-800-437-3478 (6) 1-800-325-7222 (6) + + + Page 23 + + + + + The Official Phreaker's Manual + + All right, set Cat Hacker 1.0 on those numbers and have a fuck of a day. That +is enough with 800 codes, by the time this gets around to you I dunno what +state those codes will be in, but try them all out anyways and see what you +get. On some 800 services now, they have an operator who will answer and ask +you for your code, and then your name. Some will switch back and forth between +voice and tone verification, you can never be quite sure which you will be up +against. + Armed with this knowledge you should be having a pretty good time phreaking +now. But class isn't over yet, there are still a couple important rules that +you should know. If you hear continual clicking on the line, then you should +assume that an operator is messing with something, maybe even listening in on +you. It is a good idea to call someone back when the phone starts doing that. +If you were using a code, use a different code and/or service to call him +back. + A good way to detect if a code has gone bad or not is to listen when the +number has been dialed. If the code is bad you will probably hear the phone +ringing more clearly and more quickly than if you were using a different code. +If someone answers voice to it then you can immediately assume that it is an +operative for whatever company you are using. The famed '311311' code for Metro +is one of those. You would have to be quite stupid to actually respond, because +whoever you ask for the operator will always say 'He's not in right now, can I +have him call you back?' and then they will ask for your name and phone number. +Some of the more sophisticated companies will actually give you a carrier on a +line that is supposed to give you a carrier and then just have garbage flow +across the screen like it would with a bad connection. That is a feeble effort +to make you think that the code is still working and maybe get you to dial +someone's voice... a good test for the carrier trick is to dial a number that +will give you a carrier that you have never dialed with that code before, that +will allow you to determine whether the code is good or not. + For our next section, a lighter look at some of the things that a phreak +should not be without. A vocabulary. A few months ago, it was a quite strange +world for the modem people out there. But now, a phreaker's vocabulary is +essential if you wanna make a good impression on people when you post what you +know about certain subjects. + +/-/ Vocabulary /-/ + + - Do not misspell except certain exceptions: + phone -> fone + freak -> phreak + - Never substitute 'z's for 's's. (i.e. codez -> codes) + - Never leave many characters after a post (i.e. Hey Dudes!#!@#@!#!@) + - NEVER use the 'k' prefix (k-kool, k-rad, k-whatever) + - Do not abbreviate. (I got lotsa wares w/ docs) + - Never substitute '0' for 'o' (r0dent, l0zer). + - Forget about ye old upper case, it looks ruggyish. + + All right, that was to relieve the tension of what is being drilled into your +minds at the moment.. now, however, back to the teaching course. Here are some +things you should know about phones and billings for phones, etc. + + LATA: Local Access Transference Area. Some people who live in large cities or +areas may be plagued by this problem. For instance, let's say you live in the +215 area code under the 542 prefix (Ambler, Fort Washington). If you went to +dial in a basic Metro code from that area, for instance, 351-0100, that might +not be counted under unlimited local calling because it is out of your LATA. +For some LATA's, you have to dial a '1' without the area code before you can +dial the phone number. That could prove a hassle for us all if you didn't + + Page 24 + + + + + The Official Phreaker's Manual + +realize you would be billed for that sort of call. In that way, sometimes, it +is better to be safe than sorry and phreak. + The Caller Log: In ESS regions, for every household around, the phone company +has something on you called a Caller Log. This shows every single number that +you dialed, and things can be arranged so it showed every number that was +calling to you. That's one main disadvantage of ESS, it is mostly computerized +so a number scan could be done like that quite easily. Using a dialup is an +easy way to screw that, and is something worth remembering. Anyways, with the +caller log, they check up and see what you dialed. Hmm... you dialed 15 +different 800 numbers that month. Soon they find that you are subscribed to +none of those companies. But that is not the only thing. Most people would +imagine "But wait! 800 numbers don't show up on my phone bill!". To those +people, it is a nice thought, but 800 numbers are picked up on the caller log +until right before they are sent off to you. So they can check right up on you +before they send it away and can note the fact that you fucked up slightly and +called one too many 800 lines. + +Right now, after all of that, you should have a pretty good idea of how to grow +up as a good phreak. Follow these guidelines, don't show off, and don't take +unnecessary risks when phreaking or hacking. + +File Level:5 + + /-/ Credits /-/ + + To The Videosmith- for setting me straight on some shit. + To The Linesman- for telling me to upload it to his AE line. + To Modern Mutant- for making me into a phreaking freak. + To Jack the Nibbler- for the basis of the blue box plans. + + By using your new k-koool (hehe) phreaking knowledge, call a couple of these +BBS's around the country: + + /---------------------------------X + | Bulletin Board List | + | --------------------- | + | 215/844-8836 | + | 7 Cities of Gold (3/12) 10megs | + | 307/382-4006 | + | Brainstorm BBS (3/12) | + | 612/345-2815 | + | Metal Shop (3/12) | + | 314/432-0756 | + X---------------------------------/ + + Stay free! And watch out soon for Deep Thought, somewhere in 215, that will be +a nice BBS that Ace of Spades and I will run. You will be the first to find out +about it, trust me... + +Later, + +The Traveler +Zer0-g + + + + + + + Page 25 + + + + + The Official Phreaker's Manual + + ************ << BIOC AGENT 003'S COURSE IN >> ************ + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART I * + * * + ********************************************************** + + +HOW TO BE A REAL PHREAK +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN THE PHONE PHREAK SOCIETY THERE ARE CERTAIN VALUES THAT EXIST IN ORDER TO +BE A TRUE PHREAK, THESE ARE BEST SUMMED UP BY THE MAGICIAN: + + "MANY PEOPLE THINK OF PHONE PHREAKS AS SLIME, OUT TO RIP OFF BELL FOR +ALL SHE IS WORTH. NOTHING COULD BE FURTHER FROM THE TRUTH! GRANTED, THERE ARE +SOME WHO GET THEIR KICKS BY MAKING FREE CALLS; HOWEVER, THEY ARE NOT TRUE PHONE +PHREAKS. REAL PHONE PHREAKS ARE 'TELECOMMUNICATIONS HOBBYISTS' WHO EXPERIMENT, +PLAY WITH AND LEARN FROM THE PHONE SYSTEM. OCCASIONALLY THIS EXPERIMENTING, AND +A NEED TO COMMUNICATE WITH OTHER PHREAKS ( WITH-OUT GOING BROKE), LEADS TO FREE +CALLS. THE FREE CALLS ARE BUT A SMALL SUBSET OF A TRUE PHONE PHREAKS +ACTIVITIES." + +THE PHONE PHREAK'S TEN COMMANDMENTS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +REPRINTED FROM TAP ISSUE #86. (TAP, ROOM 603, 147 W 42 STREET, NEW YORK, NY +10036) SEND A SASE FOR THEIR INFO SHEET AND TELL THEM THAT BIOC AGENT 003 TOLD +YOU ABOUT IT.) + + +I. BOX THOU NOT OVER THINE HOME TELEPHONE WIRES, FOR THOSE WHO DOEST MUST +SURELY BRING THE WRATH OF THE CHIEF SPECIAL AGENT DOWN UPON THY HEADS. + +II. SPEAKEST THOU NOT OF IMPORTANT MATTERS OVER THINE HOME TELEPHONE WIRES, +FOR TO DO SO IS TO RISK THINE RIGHT OF FREEDOM. + +III. USE NOT THINE OWN NAME WHEN SPEAKING TO OTHER PHREAKS, FOR THAT EVERY +THIRD PHREAK IS AN FBI AGENT IS WELL KNOWN. + +IV. LET NOT OVERLY MANY PEOPLE KNOW THAT THY BE A PHREAK, AS TO DO SO IS TO +USE THINE OWN SELF AS A SACRIFICIAL LAMB. + +V. IF THOU BE IN SCHOOL, STRIVE TO GET THIN SELF GOOD GRADES, FOR THE +AUTHORITIES WELL KNOW THAT SCHOLARS NEVER BREAK THE LAW. + +VI. IF THOU WORKEST, TRY TO BE A EMPLOYEE, AND IMPRESSEST THINE BOSS WITH +THINE ENTHUSIASM, FOR IMPORTANT EMPLOYEES ARE OFTEN SAVED BY THEIR OWN BOSSES. + +VII. STOREST THOU NOT THINE STOLEN GOODS IN THINE OWN HOME, FOR THOSE WHO DO +ARE SURELY NON-BELIEVERS IN THE BELL SYSTEM SECURITY FORCES, AND ARE NOT LONG +FOR THIS WORLD. + +VIII. ATTRACTEST THOU NOT THE ATTENTION OF THE AUTHORITIES, AS THE LESS +NOTICEABLE THOU ART, THE BETTER. + + + Page 26 + + + + + The Official Phreaker's Manual + +IX. MAKEST SURE THINE FRIENDS ARE INSTANT AMNESIACS AND WILL NOT REMEMBER +THAT THOU HAVE CALLED ILLEGALLY, FOR THEIR COOPERATION WITH THE AUTHORITIES +WILL SURELY LESSEN THINE TIME FOR FREEDOM ON THIS EARTH. + +X. SUPPORTEST THOU TAP, AS IT IS THINE NEWSLETTER, AND WITHOUT IT, THY WORK +WILL BE FAR MORE LIMITED. + +CN/A NUMBERS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + CUSTOMER NAME & ADDRESS BUREAUS EXIST SO THAT AUTHORIZED BELL EMPLOYEES MAY +OBTAIN THE NAME & ADDRESS OF ANY CUSTOMER IN THE BELL SYSTEM BY GIVING THE CN/A +OPERATOR THE CUSTOMER'S TEL-#. ALL CUSTOMERS ARE MAINTAINED ON FILE INCLUDING +UNLISTED #'S. THESE BUREAUS HAVE MANY USES FOR PHREAKS. + HERE IS HOW AN EMPLOYEE MIGHT GO ABOUT CALLING CN/A: +"HI, THIS IS JOHN DOE FROM THE MIAMI RESIDENTIAL SERVICE CENTER, CAN I HAVE THE +CUSTOMERS NAME AT (123) 555-1212." + + THE EMPLOYEES USUALLY USE THESE FOR CHECKING WHO BELONGS TO A # THAT +SOMEONE CLAIMED THEY DIDN'T CALL.IF YOU SOUND CHEERY AND NATURAL THE OPERATOR +WILL NEVER ASK ANY QUESTIONS. IF YOU DON'T SOUND LIKE A MATURE ADULT, DON'T USE +IT! ALWAYS PRACTICE FIRST & SO YOU DON'T SCREW UP AND MAKE THE OPERATOR +SUSPICIOUS. USE NAME THAT SOUNDS REAL, NOT YOUR PIRATE NAME EITHER! ALSO SAY +THAT YOU ARE FRO A CITY THAT IS FAR AWAY FROM THE ONE THAT YOU ARE CALLING. + + THE CN/A NUMBER FOR THE NY AREA & VICINITY (212, 315, 516, 518, 607, 716, & +914), IS 518/471-8111, AND IS OPEN DURING BUSINESS HOURS. DON'T ABUSE +IT!!!!!!! + +AT&T NEWSLINES +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + AT&T NEWSLINES ARE NUMBERS AT AREA PHONE OFFICES THAT TELCO EMPLOYEES CALL +TO FIND OUT THE LATEST INFO ON NEW TECHNOLOGY, STOCKS, ETC. THE RECORDED +REPORTS RANGE FROM VERY BORING TO VERY INTERESTING. + +HERE ARE A FEW OF THE NUMBERS: + + *(201) 483-3800 NJ (518) 471-2272 NY + (203) 771-4920 CN (717) 255-5555 PA + (212) 393-2151 NY (717) 787-1031 PA + (516) 234-9941 NY *(914) 948-8100 NY + + SOME OF THESE NUMBERS ARE TOLL-FREE, BUT YOU CAN'T ALWAYS COUNT ON IT. + +* THESE NUMBERS ARE NOT ALWAYS UP! + +NUMBERS FROM OTHER AREAS ARE AVAILABLE BY REQUEST FROM F)BIOC L)AGENT 003. + +ANI NUMBERS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + ANI NUMBERS IDENTIFY THE PHONE NUMBER THAT YOU ARE CALLING FROM. IT IS +USEFUL WHEN PLAYING IN CANS (THOSE BIG SILVER BOXES ON TELEPHONE POLES) TO FIND +OUT THE # OF THE LINE. IT IS ALSO GOOD TO FIND OUT THE # OF A PHONE THAT +DOESN'T HAVE IT PRINTED ON IT. IN THE 914 AREA CODE THE ANI # IS 990. IF YOU +JUST HAVE TO DIAL THE LAST 4 DIGITS FOR A LOCAL #, IE CONGERS (268), DIAL +1-990-1111, WHERE 1111 ARE DUMMY DIGITS THERE IS ALSO A LESS USEFUL TYPE OF + + Page 27 + + + + + The Official Phreaker's Manual + +ANI# WHICH WILL IDENTIFY THE AREA CODE & EXCHANGE. IT IS NXX-9901, WHERE 'NXX' +IS THE EXCHANGE. IN THE 212 & 516 AREA CODES THE ANI # IS 958. + +PHREAK NEWSLETTER +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + TAP IS THE "OFFICIAL" PHONE PHREAK NEWSLETTER, AND HAS EXISTED SINCE 1971. +EACH 4 PAGE ISSUE IS CRAMMED FULL OF INFORMATION ON PHONE PHREAKING, COMPUTER +PHREAKING, FREE GAS, FREE ELECTRICITY, FREE POSTAGE, BREAKING & ENTERING INFO, +ETC. IT IS LARGELY PHONE PHREAK ORIENTED, HOWEVER. + + A 10 ISSUE SUBSCRIPTION COSTS $8.00, IF YOU GET A BULK RATE SEALED ENVELOPE +SUBSCRIPTION. I WOULD RECOMMEND THE FIRST CLASS SUBSCRIPTION, WHICH IS $10. + + AS OF THIS WRITING (7-16-83), THE CURRENT ISSUE IS #86, AND ISSUE #50 IS 8 +PAGES INSTEAD OF THE USUAL 4. BACK ISSUES ARE $0.75 EACH, AND ISSUE #50 IS +$1.50. A BRIEF INDEX TO THE FIRST 80 ISSUES IS AVAILABLE FOR A SASE, OR FREE +WITH A SUBSCRIPTION ORDER. TAP IS NON-PROFIT, AND IN DESPERATE NEED OF MATERIAL +(ARTICLES), MONEY, AND VOLUNTEERS. + +TAP +ROOM 603 +147 WEST 42ND STREET +NEW YORK, NY 10036 + +BELIEVE ME: IT WILL BE THE BEST $10 YOU WILL EVER SPEND... + +BLACK BOX +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THE BLACK BOX IS A DEVICE THAT ATTACHED TO A CALLED PARTIES PHONE +THAT ALLOWS HIM/HER TO RECEIVE FREE LONG DISTANCE CALLS FROM FRIENDS WHO +CALL. + + YOU ONLY NEED 2 PARTS: A SPST TOGGLE SWITCH AND A 10,000 OHM (10 K), +1/2 WATT, 10% RESISTOR. ANY ELECTRONICS PLACE SHOULD HAVE THESE. + + NOW, CUT TWO PIECES OF WIRE, ABOUT 6 INCHES, AND ATTACH THESE TO THE TWO +SCREWS ON THE SWITCH. TURN YOUR NORMAL DDSIDE DOWN AND UNSCREW THE 2 SCREWS. +LOCATE THE "F" AND "RR" SCREWS ON THE NETWORK BOX. WRAP THE RESISTOR BETWEEN +THESE 2 SCREWS AND MAKE SURE THAT THE WIRES TOUCH ONLY THE PROPER TERMINALS! +NOW CONNECT ONE WIRE FROM THE SWITCH TO THE RR TERMINAL. FINALLY, ATTACH THE +REMAINING WIRE TO THE GREEN WIRE (DISCONNECT IT FROM ITS TERMINAL). NOW BRING +THE SWITCH OUT THE REAR OF THE PHONE AND CLOSE IT UP. PUT THE SWITCH IN A +POSITION WHERE YOU GET A DIAL TONE, MARK THIS NORMAL. MARK THE OTHER SIDE +FREE. + + WHEN YOUR FRIENDS CALL (AT A PREARRANGED TIME), QUICKLY LIFT & DROP THE +RECEIVER AS FAST AS POSSIBLE. THIS WILL STOP THE RINGING, IF NOT TRY AGAIN. IT +IS VERY IMPORTANT THAT YOU DO IT FAST! NOW PUT THE SWITCH IN THE FREE POSITION +AND PICK UP THE PHONE. KEEP ALL CALLS SHORT & UNDER 15 MINUTES. + + WHEN SOMEONE CALLS YOU LONG-DISTANCE, THEY ARE BILLED FROM THE MOMENT YOU +ANSWER. THE TELCO KNOWS WHEN YOU ANSWER DUE TO A CERTAIN AMOUNT OF VOLTAGE THAT +FLOWS WHEN YOU PICK UP THE PHONE. HOWEVER, THE RESISTOR CUTS DOWN ON THE +VOLTAGE SO IT IS BELOW THE BILLING RANGE BUT SUFFICIENT ENOUGH TO OPERATE THE +MOUTHPIECE. ANSWERING THE PHONE FOR A FRACTION OF A SECOND STOPS THE RING BUT +IT IS NOT ENOUGH FOR BILLING TO START. IF THE PHONE IS ANSWERED FOR EVEN ONE + + Page 28 + + + + + The Official Phreaker's Manual + +FULL SECOND, BILLING WILL START AND YOU WILL BE CUT OFF WHEN YOU HANG UP AND +SWITCH TO FREE. + +WARNING: BELL CAN RANDOMLY LOOK FOR BLACK BOXES SO BE CAREFUL! + + _____________________________________ +| | +---BLUE WIRE-->>F< | +| | | | +--WHITE WIRE---/ | | +| | | +| RESISTOR | +| | | +| | | +| >RR<-------SWITCH--X | +| | | +----GREEN WIRE--------------------/ | +| | +|_____________________________________| + +DIAL LOCKS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + HAVE YOU EVER BEEN IN AN OFFICE OR SOMEWHERE AND WANTED TO MAKE A FREE FONE +CALL BUT SOME ASSHOLE PUT A LOCK ON THE FONE TO PREVENT OUT-GOING CALLS? FRET +KNOWLEDGE! + + THERE ARE TWO WAYS TO BEAT THIS OBSTACLE, FIRST PICK THE LOCK, I DON'T HAVE +THE TIME TO TEACH LOCKSMITHING SO WE GO TO THE SECOND METHOD WHICH TAKES +ADVANTAGE OF TELEPHONE ELECTRONICS. + + TO BE AS SIMPLE AS POSSIBLE, WHEN YOU PICK UP THE FONE YOU COMPLETE A +CIRCUIT KNOW AS A LOCAL LOOP. WHEN YOU HANG-UP YOU BREAK THE CIRCUIT. WHEN +YOU DIAL (PULSE) IT ALSO BREAKS THE CIRCUIT BUT NOT LONG ENOUGH TO HANG UP! SO +YOU CAN "PUSH-DIAL." TO DO THIS YOU >>> RAPIDLY <<< DEPRESS THE SWITCHHOOK. +FOR EXAMPLE, TO DIAL AN OPERATOR (AND THEN GIVE HER THE NUMBER YOU WANT CALLED) +>>> RAPIDLY <<< & >>> EVENLY <<< DEPRESS THE SWITCHHOOK 10 TIMES. TO DIAL +634-1268, DEPRESS 6 X'S PAUSE, THEN 3 X'S, PAUSE, THEN 4X'S, ETC. IT TAKES A +LITTLE PRACTICE BUT YOU'LL GET THE HANG OF IT. TRY PRACTICING WITH YOUR OWN # +SO YOU'LL GET A BUSY TONE WHEN RIGHT. IT'LL ALSO WORK ON TOUCH-TONE(TM) SINCE +A DTMF LINE WILL ALSO ACCEPT PULSE. ALSO, NEVER DEPRESS THE SWITCHHOOK FOR +MORE THAN A SECOND OR IT'LL HANG-UP! + + FINALLY, REMEMBER THAT YOU HAVE JUST AS MUCH RIGHT TO THAT FONE AS THE +ASSHOLE WHO PUT THE LOCK ON IT! + +EXCHANGE SCANNING +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + ALMOST EVERY EXCHANGE IN THE BELL SYSTEM HAS TEST #'S AND OTHER "GOODIES" +SUCH AS LOOPS WITH DIAL-UPS. THESE "GOODIES" ARE USUALLY FOUND BETWEEN 9900 AND +9999 IN YOUR LOCAL EXCHANGE. IF YOU HAVE THE TIME AND INITIATIVE, SCAN YOUR +EXCHANGE AND YOU MAY BECOME LUCKY! + +HERE ARE MY FINDINGS IN THE 914-268 EXCHANGE: + + + + Page 29 + + + + + The Official Phreaker's Manual + +9900 - ANI (SEE SEPARATE BULLETIN) +9901 - ANI (SEE SEPARATE BULLETIN) +9927 - OSC. TONE (POSSIBLE TONE SIDE OF A LOOP) +9936 - VOICE # TO THE TELCO CENTRAL OFFICE +9937 - VOICE # TO THE TELCO CENTRAL OFFICE +9941 - COMPUTER (DIGITAL VOICE TRANSMISSION?) +9960 - OSC. TONE (TONE SIDE LOOP) MAY ALSO BE A COMPUTER IN SOME EXCHANGES +9961 - NO RESPONSE (OTHER END OF LOOP?) +9962 - NO RESPONSE (OTHER END OF LOOP?) +9963 - NO RESPONSE (OTHER END OF LOOP?) +9966 - COMPUTER (SEE 9941) +9968 - TONE THAT DISAPPEARS--RESPONDS TO CERTAIN TOUCH-TONE KEYS + + MOST OF THE NUMBERS BETWEEN 9900 & 9999 WILL RING OR GO TO A "WHAT #, +PLEASE?" OPERATOR. + +HAVE PHUN AND REMEMBER IT'S ONLY A LOCAL CALL! + +TOUCH-TONE & FREE CALLS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +THERE ARE SEVERAL WAYS TO MAKE FREE CALLS (SPRINT, MCI, ETC.) USING A ROTARY +PHONE. THEY ARE: + +1. USE A NUMBER THAT ACCEPTS VOICE AS WELL AS DTMF. SUCH A # IS (800) +521-8400. AS OF WRITING THIS, A CODE WAS 00717865. + + A) IF USING VOICE, WAIT FOR THE COMPUTER TO SAY, "AUTHORIZATION #, PLEASE." +THEN SAY EACH DIGIT SLOWLY, IT WILL BEEP AFTER EACH DIGIT IS SAID. AFTER EVERY +GROUP OF DIGITS, IT WILL REPEAT WHAT YOU HAVE SAID, THEN SAY YES IF IT IS +CORRECT, OTHERWISE SAY NO. IF THE ACCESS CODE IS CORRECT, IT WILL THANK YOU AND +ASK FOR THE DESTINATION #, THEN SAY THE AREA CODE + NUMBER AS ABOVE. ANOTHER +SUCH # IS (800) 245-8173, WHICH HAS A 6 DIGIT ACCESS CODE. (NOTE: IF USING +TOUCH-TONE ON THIS #, ENTER THE CODE IMMEDIATELY AFTER THE TONE STOPS.) + +2. HOOK UP A TOUCH-TONE FONE INTO YOUR ROTARY FONE. ATTACH THE RED WIRE FROM +THE TOUCH-TONE FONE TO THE "R" TERMINAL INSIDE THE FONE ON THE NETWORK BOX. +THEN HOOK THE GREEN WIRE TO THE "B" TERMINAL. TO USE THIS DIAL THE # USING +ROTARY & THEN USE THE TOUCH-TONE FOR THE CODES. (DON'T HANG UP THE ROTARY FONE +WHILE DOING THIS THOUGH!) IF THIS DOESN'T WORK THEN REVERSE THE 2 WIRES. +(NOTE:IF YOUR LINE CAN ACCEPT TOUCH-TONE BUT YOU HAVE A ROTARY FONE THEN YOU +CAN HOOK UP A TONE FONE DIRECTLY FOR ALL CALLS BUT THIS USUALLY ISN'T THE +CASE.) SUCH AS RADIO SHACK'S 43-138. + +OTHER ALTERNATIVES +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +4. USE A CHARGE-A-CALL FONE. (THESE ALSO MAKE GREAT EXTENSIONS IF YOU REMOVE +IT USING A HEX WRENCH WITH A HOLE IN THE MIDDLE ON THE CENTER SCREW!)--(THESE +FONES, FOR THE BENEFIT OF THOSE WHO DON'T KNOW, ARE BLUE WITH NO COIN SLOTS). + +5. USE A PAY FONE THAT WANTS YOUR MONEY BEFORE THE DIAL TONE. PUT IN YOUR +DIME, DIAL THE #; IF IT'S AN 800 # THEN YOUR DIME WILL COME BACK, IMMEDIATELY +PUT A DIME BACK IN (IT'LL COME BACK WHEN YOU HANG UP!) IF IT IS A TONE FIRST +FONE AND IT DISCONNECTS THE KEYPAD (SOME DON'T) THEN FIND ANOTHER FONE. + + + + + Page 30 + + + + + The Official Phreaker's Manual + + Chapter 2 + + Well now we know a little vocabulary, and now its into history, Phreak +history. Back at MIT in 1964 arrived a student by the name of Stewart Nelson, +who was extremely interested in the telephone. Before entering MIT, he had +built autodialers, cheese boxes, and many more gadgets. But when he came to +MIT he became even more interested in "fone-hacking" as they called it. After +a little while he naturally started using the PDP-1, the schools computer at +that time, and from there he decided that it would be interesting to see +whether the computer could generate the frequencies required for blue boxing. +The hackers at MIT were not interested in ripping off Ma Bell, but just +exploring the telephone network. Stew (as he was called) wrote a program to +generate all the tones and set off into the vast network. + Now there were more people phreaking than the ones at MIT. Most people have +heard of Captain Crunch (No not the cereal), he also discovered how to take +rides through the fone system, with the aid of a small whistle found in a +cereal box (can we guess which one?). By blowing this whistle, he generated +the magical 2600hz and into the mouthpiece it sailed, giving him complete +control over the system. I have heard rumors that at one time he made about +1/4 of the calls coming out of San Francisco. He got famous fast. He made the +cover of people magazine and was interviewed several times (as you'll soon +see). Well he finally got caught after a long adventurous career. After he +was caught he was put in jail and was beaten up quite badly because he would +not teach other inmates how to box calls. After getting out, he joined Apple +computer and is still out there somewhere. + Then there was Joe the Whistler, blind form the day he was born. He could +whistle a perfect 2600hz tone. It was rumored phreaks used to call him to tune +their boxes. + Well that was up to about 1970, then from 1970 to 1979, phreaking was mainly +done by college students, businessmen and anyone who knew enough about +electronics and the fone company to make a 555 Ic to generate those magic +tones. Businessmen and a few college students mainly just blue box to get free +calls. The others were still there, exploring 800#'s and the new ESS systems. +ESS posed a big problem for phreaks then and even a bigger one now. ESS was +not widespread, but where it was, blue boxing was next to impossible except for +the most experienced phreak. Today ESS is installed in almost all major cities +and blue boxing is getting harder and harder. + 1978 marked a change in phreaking, the Apple ][, now a computer that was +affordable, could be programmed, and could save all that precious work on a +cassette. Then just a short while later came the Apple Cat modem. With this +modem, generating all blue box tones was easy as writing a program to count +form one to ten (a little exaggerated). Pretty soon programs that could +imitate an operator just as good as the real thing were hitting the community, +TSPS and Cat's Meow, are the standard now and are the best. + 1982-1986: LD services were starting to appear in mass numbers. People now +had programs to hack LD services, telephone exchanges, and even passwords. By +now many phreaks were getting extremely good and BBS's started to spring up +everywhere, each having many documentations on phreaking for the novice. Then +it happened, the movie War Games was released and mass numbers of sixth grade +to all ages flocked to see it. The problem wasn't that the movie was bad, it +was that now EVERYONE wanted to be a hacker/phreak. Novices came out in such +mass numbers, that bulletin boards started to be busy 24 hours a day. To this +day, they still have not recovered. Other problems started to occur, novices +guessed easy passwords on large government computers and started to play +around... Well it wasn't long before they were caught, I think that many +people remember the 414-hackers. They were so stupid as to say "yes" when the +computer asked them whether they'd like to play games. Well at least it takes +the heat off the real phreaks/hacker/krackers. + + Page 31 + + + + + The Official Phreaker's Manual + + After a little history, how about a little thrill? I don't know if this +story is true but it sure is as bad as shit! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 32 + + + + + The Official Phreaker's Manual + + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + * * + * +----------------------------------------------+ * + * * + * Secrets of the Little Blue Box * + * * + * by Ron Rosenbaum * + * Typed by One Farad Cap/AAG * + * * + * -A story so incredible it may even make you * + * feel sorry for the phone company- * + * * + * (First of four files) * + * * + * +----------------------------------------------+ * + * * + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + +Dudes... These four files contain the story, "Secrets of the Little Blue Box", +by Ron Rosenbaum. + +-A story so incredible it may even make you feel sorry for the phone company- + +Printed in the October 1971 issue of Esquire Magazine. If you happen to be in +a library and come across a collection of Esquire magazines, the October 1971 +issue is the first issue printed in the smaller format. The story begins on +page 116 with a picture of a blue box. + --One Farad Cap, Atlantic Anarchist Guild + + +The Blue Box Is Introduced: Its Qualities Are Remarked + +I am in the expensively furnished living room of Al Gilbertson (His real name +has been changed.), the creator of the "blue box." Gilbertson is holding one of +his shiny black-and-silver "blue boxes" comfortably in the palm of his hand, +pointing out the thirteen little red push buttons sticking up from the console. +He is dancing his fingers over the buttons, tapping out discordant beeping +electronic jingles. He is trying to explain to me how his little blue box does +nothing less than place the entire telephone system of the world, satellites, +cables and all, at the service of the blue-box operator, free of charge. + +"That's what it does. Essentially it gives you the power of a super operator. +You seize a tandem with this top button," he presses the top button with his +index finger and the blue box emits a high-pitched cheep, "and like that" -- +cheep goes the blue box again -- "you control the phone company's long-distance +switching systems from your cute little Princes phone or any old pay phone. +And you've got anonymity. An operator has to operate from a definite location: +the phone company knows where she is and what she's doing. But with your +beeper box, once you hop onto a trunk, say from a Holiday Inn 800 (toll-free) +number, they don't know where you are, or where you're coming from, they don't +know how you slipped into their lines and popped up in that 800 number. They +don't even know anything illegal is going on. And you can obscure your origins +through as many levels as you like. You can call next door by way of White +Plains, then over to Liverpool by cable, and then back here by satellite. You +can call yourself from one pay phone all the way around the world to a pay +phone next to you. And you get your dime back too." + +"And they can't trace the calls? They can't charge you?" + + Page 33 + + + + + The Official Phreaker's Manual + + +"Not if you do it the right way. But you'll find that the free-call thing +isn't really as exciting at first as the feeling of power you get from having +one of these babies in your hand. I've watched people when they first get hold +of one of these things and start using it, and discover they can make +connections, set up crisscross and zigzag switching patterns back and forth +across the world. They hardly talk to the people they finally reach. They say +hello and start thinking of what kind of call to make next. They go a little +crazy." He looks down at the neat little package in his palm. His fingers are +still dancing, tapping out beeper patterns. + +"I think it's something to do with how small my models are. There are lots of +blue boxes around, but mine are the smallest and most sophisticated +electronically. I wish I could show you the prototype we made for our big +syndicate order." + +He sighs. "We had this order for a thousand beeper boxes from a syndicate +front man in Las Vegas. They use them to place bets coast to coast, keep lines +open for hours, all of which can get expensive if you have to pay. The deal +was a thousand blue boxes for $300 apiece. Before then we retailed them for +$1500 apiece, but $300,000 in one lump was hard to turn down. We had a +manufacturing deal worked out in the Philippines. Everything ready to go. +Anyway, the model I had ready for limited mass production was small enough to +fit inside a flip-top Marlboro box. It had flush touch panels for a keyboard, +rather than these unsightly buttons, sticking out. Looked just like a tiny +portable radio. In fact, I had designed it with a tiny transistor receiver to +get one AM channel, so in case the law became suspicious the owner could switch +on the radio part, start snapping his fingers, and no one could tell anything +illegal was going on. I thought of everything for this model -- I had it lined +with a band of thermite which could be ignited by radio signal from a tiny +button transmitter on your belt, so it could be burned to ashes instantly in +case of a bust. It was beautiful. A beautiful little machine. You should +have seen the faces on these syndicate guys when they came back after trying it +out. They'd hold it in their palm like they never wanted to let it go, and +they'd say, 'I can't believe it. I can't believe it.' You probably won't +believe it until you try it." + +The Blue Box Is Tested: Certain Connections Are Made + +About eleven o'clock two nights later Fraser Lucey has a blue box in the palm +of his left hand and a phone in the palm of his right. He is standing inside a +phone booth next to an isolated shut-down motel off Highway 1. I am standing +outside the phone booth. + +Fraser likes to show off his blue box for people. Until a few weeks ago when +Pacific Telephone made a few arrests in his city, Fraser Lucey liked to bring +his blue box (This particular blue box, like most blue boxes, is not blue. +Blue boxes have come to be called "blue boxes" either because 1) The first blue +box ever confiscated by phone-company security men happened to be blue, or 2) +To distinguish them from "black boxes." Black boxes are devices, usually a +resistor in series, which, when attached to home phones, allow all incoming +calls to be made without charge to one's caller.) to parties. It never failed: +a few cheeps from his device and Fraser became the center of attention at the +very hippest of gatherings, playing phone tricks and doing request numbers for +hours. He began to take orders for his manufacturer in Mexico. He became a +dealer. + +Fraser is cautious now about where he shows off his blue box. But he never + + Page 34 + + + + + The Official Phreaker's Manual + +gets tired of playing with it. "It's like the first time every time," he tells +me. + +Fraser puts a dime in the slot. He listens for a tone and holds the receiver +up to my ear. I hear the tone. Fraser begins describing, with a certain +practiced air, what he does while he does it. "I'm dialing an 800 number now. +Any 800 number will do. It's toll free. Tonight I think I'll use the ----- (he +names a well-know rent-a-car company) 800 number. Listen, It's ringing. Here, +you hear it? Now watch." He places the blue box over the mouthpiece of the +phone so that the one silver and twelve black push buttons are facing up toward +me. He presses the silver button -- the one at the top -- and I hear that +high-pitched beep. "That's 2600 cycles per second to be exact," says Lucey. +"Now, quick. listen." He shoves the earpiece at me. The ringing has vanished. +The line gives a slight hiccough, there is a sharp buzz, and then nothing but +soft white noise. + +"We're home free now," Lucey tells me, taking back the phone and applying the +blue box to its mouthpiece once again. "We're up on a tandem, into a +long-lines trunk. Once you're up on a tandem, you can send yourself anywhere +you want to go." He decides to check out London first. He chooses a certain +pay phone located in Waterloo Station. This particular pay phone is popular +with the phone-phreaks network because there are usually people walking by at +all hours who will pick it up and talk for a while. + +of the box. "That's Key Pulse. It tells the tandem we're ready to give it +instructions. First I'll punch out KP 182 START, which will slide us into the +overseas sender in White Plains." I hear a neat clunk-cheep. "I think we'll +head over to England by satellite. Cable is actually faster and the connection +is somewhat better, but I like going by satellite. So I just punch out KP Zero +44. The Zero is supposed to guarantee a satellite connection and 44 is the +country code for England. Okay... we're there. In Liverpool actually. Now +all I have to do is punch out the London area code which is 1, and dial up the +pay phone. Here, listen, I've got a ring now." + +I hear the soft quick purr-purr of a London ring. Then someone picks up the +phone. + +"Hello," says the London voice. + +"Hello. Who's this?" Fraser asks. + +"Hello. There's actually nobody here. I just picked this up while I was +passing by. This is a public phone. There's no one here to answer actually." + +"Hello. Don't hang up. I'm calling from the United States." + +"Oh. What is the purpose of the call? This is a public phone you know." + +"Oh. You know. To check out, uh, to find out what's going on in London. How +is it there?" + +"Its five o'clock in the morning. It's raining now." + +"Oh. Who are you?" + +The London passerby turns out to be an R.A.F. enlistee on his way back to the +base in Lincolnshire, with a terrible hangover after a thirty-six-hour pass. + + Page 35 + + + + + The Official Phreaker's Manual + +He and Fraser talk about the rain. They agree that it's nicer when it's not +raining. They say good-bye and Fraser hangs up. His dime returns with a nice +clink. + +"Isn't that far out," he says grinning at me. "London, like that." + +Fraser squeezes the little blue box affectionately in his palm. "I told ya +this thing is for real. Listen, if you don't mind I'm gonna try this girl I +know in Paris. I usually give her a call around this time. It freaks her out. +This time I'll use the ------ (a different rent-a-car company) 800 number and +we'll go by overseas cable, 133; 33 is the country code for France, the 1 sends +you by cable. Okay, here we go.... Oh damn. Busy. Who could she be talking +to at this time?" + +A state police car cruises slowly by the motel. The car does not stop, but +Fraser gets nervous. We hop back into his car and drive ten miles in the +opposite direction until we reach a Texaco station locked up for the night. We +pull up to a phone booth by the tire pump. Fraser dashes inside and tries the +Paris number. It is busy again. + +"I don't understand who she could be talking to. The circuits may be busy. +It's too bad I haven't learned how to tap into lines overseas with this thing +yet." + +Fraser begins to phreak around, as the phone phreaks say. He dials a leading +nationwide charge card's 800 number and punches out the tones that bring him +the time recording in Sydney, Australia. He beeps up the weather recording in +Rome, in Italian of course. He calls a friend in Boston and talks about a +certain over-the-counter stock they are into heavily. He finds the Paris +number busy again. He calls up "Dial a Disc" in London, and we listen to +Double Barrel by David and Ansil Collins, the number-one hit of the week in +London. He calls up a dealer of another sort and talks in code. He calls up +Joe Engressia, the original blind phone-phreak genius, and pays his respects. +There are other calls. Finally Fraser gets through to his young lady in +Paris. + +They both agree the circuits must have been busy, and criticize the Paris +telephone system. At two-thirty in the morning Fraser hangs up, pockets his +dime, and drives off, steering with one hand, holding what he calls his "lovely +little blue box" in the other. + +You Can Call Long Distance For Less Than You Think + +"You see, a few years ago the phone company made one big mistake," Gilbertson +explains two days later in his apartment. "They were careless enough to let +some technical journal publish the actual frequencies used to create all their +multi-frequency tones. Just a theoretical article some Bell Telephone +Laboratories engineer was doing about switching theory, and he listed the tones +in passing. At ----- (a well-known technical school) I had been fooling around +with phones for several years before I came across a copy of the journal in the +engineering library. I ran back to the lab and it took maybe twelve hours from +the time I saw that article to put together the first working blue box. It was +bigger and clumsier than this little baby, but it worked." + +It's all there on public record in that technical journal written mainly by +Bell Lab people for other telephone engineers. Or at least it was public. +"Just try and get a copy of that issue at some engineering-school library now. +Bell has had them all red-tagged and withdrawn from circulation," Gilbertson + + Page 36 + + + + + The Official Phreaker's Manual + +tells me. + +"But it's too late. It's all public now. And once they became public the +technology needed to create your own beeper device is within the range of any +twelve-year-old kid, any twelve-year-old blind kid as a matter of fact. And he +can do it in less than the twelve hours it took us. Blind kids do it all the +time. They can't build anything as precise and compact as my beeper box, but +theirs can do anything mine can do." + +"How?" + +"Okay. About twenty years ago A.T.&T. made a multi-billion-dollar decision to +operate its entire long-distance switching system on twelve electronically +generated combinations of twelve master tones. Those are the tones you +sometimes hear in the background after you've dialed a long-distance number. +They decided to use some very simple tones -- the tone for each number is just +two fixed single-frequency tones played simultaneously to create a certain beat +frequency. Like 1300 cycles per second and 900 cycles per second played +together give you the tone for digit 5. Now, what some of these phone phreaks +have done is get themselves access to an electric organ. Any cheap family +home-entertainment organ. Since the frequencies are public knowledge now -- +one blind phone phreak has even had them recorded in one of the talking books +for the blind -- they just have to find the musical notes on the organ which +correspond to the phone tones. Then they tape them. For instance, to get Ma +Bell's tone for the number 1, you press down organ keys FD5 and AD5 (900 and +700 cycles per second) at the same time. To produce the tone for 2 it's FD5 +and CD6 (1100 and 700 c.p.s). The phone phreaks circulate the whole list of +notes so there's no trial and error anymore." + +He shows me a list of the rest of the phone numbers and the two electric organ +keys that produce them. + +"Actually, you have to record these notes at 3 3/4 inches-per-second tape speed +and double it to 7 1/2 inches-per-second when you play them back, to get the +proper tones," he adds. + +"So once you have all the tones recorded, how do you plug them into the phone +system?" + +"Well, they take their organ and their cassette recorder, and start banging out +entire phone numbers in tones on the organ, including country codes, routing +instructions, 'KP' and 'Start' tones. Or, if they don't have an organ, someone +in the phone-phreak network sends them a cassette with all the tones recorded, +with a voice saying 'Number one,' then you have the tone, 'Number two,' then +the tone and so on. So with two cassette recorders they can put together a +series of phone numbers by switching back and forth from number to number. Any +idiot in the country with a cheap cassette recorder can make all the free calls +he wants." + +"You mean you just hold the cassette recorder up the mouthpiece and switch in a +series of beeps you've recorded? The phone thinks that anything that makes +these tones must be its own equipment?" + +"Right. As long as you get the frequency within thirty cycles per second of +the phone company's tones, the phone equipment thinks it hears its own voice +talking to it. The original granddaddy phone phreak was this blind kid with +perfect pitch, Joe Engressia, who used to whistle into the phone. An operator +could tell the difference between his whistle and the phone company's + + Page 37 + + + + + The Official Phreaker's Manual + +electronic tone generator, but the phone company's switching circuit can't tell +them apart. The bigger the phone company gets and the further away from human +operators it gets, the more vulnerable it becomes to all sorts of phone +phreaking." + +A Guide for the Perplexed + +"But wait a minute," I stop Gilbertson. "If everything you do sounds like +phone-company equipment, why doesn't the phone company charge you for the call +the way it charges its own equipment?" + +"Okay. That's where the 2600-cycle tone comes in. I better start from the +beginning." + +The beginning he describes for me is a vision of the phone system of the +continent as thousands of webs, of long-line trunks radiating from each of the +hundreds of toll switching offices to the other toll switching offices. Each +toll switching office is a hive compacted of thousands of long-distance tandems +constantly whistling and beeping to tandems in far-off toll switching offices. + +The tandem is the key to the whole system. Each tandem is a line with some +relays wih the capability of signalling any other tandem in any other toll +switching office on the continent, either directly one-to-one or by programming + +a roundabout route through several other tandems if all the direct routes are +busy. For instance, if you want to call from New York to Los Angeles and +traffic is heavy on all direct trunks between the two cities, your tandem in +New York is programmed to try the next best route, which may send you down to a +tandem in New Orleans, then up to San Francisco, or down to a New Orleans +tandem, back to an Atlanta tandem, over to an Albuquerque tandem and finally up +to Los Angeles. + +When a tandem is not being used, when it's sitting there waiting for someone to +make a long-distance call, it whistles. One side of the tandem, the side +"facing" your home phone, whistles at 2600 cycles per second toward all the +home phones serviced by the exchange, telling them it is at their service, +should they be interested in making a long-distance call. The other side of +the tandem is whistling 2600 c.p.s. into one or more long-distance trunk lines, +telling the rest of the phone system that it is neither sending nor receiving a +call through that trunk at the moment, that it has no use for that trunk at the +moment. + +"When you dial a long-distance number the first thing that happens is that you +are hooked into a tandem. A register comes up to the side of the tandem facing +away from you and presents that side with the number you dialed. This sending +side of the tandem stops whistling 2600 into its trunk line. When a tandem +stops the 2600 tone it has been sending through a trunk, the trunk is said to +be "seized," and is now ready to carry the number you have dialed -- converted +into multi-frequency beep tones -- to a tandem in the area code and central +office you want. + +Now when a blue-box operator wants to make a call from New Orleans to New York +he starts by dialing the 800 number of a company which might happen to have its +headquarters in Los Angeles. The sending side of the New Orleans tandem stops +sending 2600 out over the trunk to the central office in Los Angeles, thereby +seizing the trunk. Your New Orleans tandem begins sending beep tones to a +tandem it has discovered idly whistling 2600 cycles in Los Angeles. The +receiving end of that L.A. tandem is seized, stops whistling 2600, listens to +the beep tones which tell it which L.A. phone to ring, and starts ringing the + + Page 38 + + + + + The Official Phreaker's Manual + +800 number. Meanwhile a mark made in the New Orleans office accounting tape +notes that a call from your New Orleans phone to the 800 number in L.A. has +been initiated and gives the call a code number. Everything is routine so far. + +But then the phone phreak presses his blue box to the mouthpiece and pushes the +over the line again and +assumes that New Orleans has hung up because the trunk is whistling as if idle. +The L.A. tandem immediately ceases ringing the L.A. 800 number. But as soon as +the phreak takes his finger off the 2600 button, the L.A. tandem assumes the +trunk is once again being used because the 2600 is gone, so it listens for a +new series of digit tones - to find out where it must send the call. + +Thus the blue-box operator in New Orleans now is in touch with a tandem in L.A. +which is waiting like an obedient genie to be told what to do next. The +blue-box owner then beeps out the ten digits of the New York number which tell +the L.A. tandem to relay a call to New York City. Which it promptly does. As +soon as your party picks up the phone in New York, the side of the New Orleans +tandem facing you stops sending 2600 cycles to you and stars carrying his voice +to you by way of the L.A. tandem. A notation is made on the accounting tape +that the connection has been made on the 800 call which had been initiated and +noted earlier. When you stop talking to New York a notation is made that the +800 call has ended. + +At three the next morning, when the phone company's accounting computer starts +reading back over the master accounting tape for the past day, it records that +a call of a certain length of time was made from your New Orleans home to an +L.A. 800 number and, of course, the accounting computer has been trained to +ignore those toll-free 800 calls when compiling your monthly bill. + +"All they can prove is that you made an 800 toll-free call," Gilbertson the +inventor concludes. "Of course, if you're foolish enough to talk for two hours +on an 800 call, and they've installed one of their special anti-fraud computer +programs to watch out for such things, they may spot you and ask why you took +two hours talking to Army Recruiting's 800 number when you're 4-F. + +But if you do it from a pay phone, they may discover something peculiar the +next day -- if they've got a blue-box hunting program in their computer -- but +you'll be a long time gone from the pay phone by then. Using a pay phone is +almost guaranteed safe." + +"What about the recent series of blue-box arrests all across the country -- New +York, Cleveland, and so on?" I asked. "How were they caught so easily?" + +"From what I can tell, they made one big mistake: they were seizing trunks +using an area code plus 555-1212 instead of an 800 number. Using 555 is easy to +detect because when you send multi-frequency beep tones of 555 you get a charge +for it on your tape and the accounting computer knows there's something wrong +when it tries to bill you for a two-hour call to Akron, Ohio, information, and +it drops a trouble card which goes right into the hands of the security agent +if they're looking for blue-box user. + +"Whoever sold those guys their blue boxes didn't tell them how to use them +properly, which is fairly irresponsible. And they were fairly stupid to use +them at home all the time. + +"But what those arrests really mean is than an awful lot of blue boxes are +flooding into the country and that people are finding them so easy to make that + + Page 39 + + + + + The Official Phreaker's Manual + +they know how to make them before they know how to use them. Ma Bell is in +trouble." + +And if a blue-box operator or a cassette-recorder phone phreak sticks to pay +phones and 800 numbers, the phone company can't stop them? + +"Not unless they change their entire nationwide long-lines technology, which +will take them a few billion dollars and twenty years. Right now they can't do +a thing. They're screwed." + ++-- End first file of four --+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 40 + + + + + The Official Phreaker's Manual + + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + * * + * +----------------------------------------------+ * + * * + * Secrets of the Little Blue Box * + * * + * by Ron Rosenbaum * + * Typed by One Farad Cap/AAG * + * * + * -A story so incredible it may even make you * + * feel sorry for the phone company- * + * * + * (Second of four files) * + * * + * +----------------------------------------------+ * + * * + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + +Captain Crunch Demonstrates His Famous Unit + +There is an underground telephone network in this country. Gilbertson +discovered it the very day news of his activities hit the papers. That evening +his phone began ringing. Phone phreaks from Seattle, from Florida, from New +York, from San Jose, and from Los Angeles began calling him and telling him +about the phone-phreak network. He'd get a call from a phone phreak who'd say +nothing but, "Hang up and call this number." + +When he dialed the number he'd find himself tied into a conference of a dozen +phone phreaks arranged through a quirky switching station in British Columbia. +They identified themselves as phone phreaks, they demonstrated their homemade +blue boxes which they called "M-Fers" (for "multi-frequency," among other +things) for him, they talked shop about phone-phreak devices. They let him in +on their secrets on the theory that if the phone company was after him he must +be trustworthy. And, Gilbertson recalls, they stunned him with their technical +sophistication. + +I ask him how to get in touch with the phone-phreak network. He digs around +through a file of old schematics and comes up with about a dozen numbers in +three widely separated area codes. + +"Those are the centers," he tells me. Alongside some of the numbers he writes +in first names or nicknames: names like Captain Crunch, Dr. No, Frank Carson +(also a code word for a free call), Marty Freeman (code word for M-F device), +Peter Perpendicular Pimple, Alefnull, and The Cheshire Cat. He makes checks +alongside the names of those among these top twelve who are blind. There are +five checks. + +I ask him who this Captain Crunch person is. + +"Oh. The Captain. He's probably the most legendary phone phreak. He calls +himself Captain Crunch after the notorious Cap'n Crunch 2600 whistle." +(Several years ago, Gilbertson explains, the makers of Cap'n Crunch breakfast +cereal offered a toy-whistle prize in every box as a treat for the Cap'n Crunch +set. Somehow a phone phreak discovered that the toy whistle just happened to +produce a perfect 2600-cycle tone. When the man who calls himself Captain +Crunch was transferred overseas to England with his Air Force unit, he would +receive scores of calls from his friends and "mute" them -- make them free of +charge to them -- by blowing his Cap'n Crunch whistle into his end.) + + Page 41 + + + + + The Official Phreaker's Manual + + +"Captain Crunch is one of the older phone phreaks," Gilbertson tells me. "He's +an engineer who once got in a little trouble for fooling around with the phone, +but he can't stop. Well, they guy drives across country in a Volkswagen van +with an entire switchboard and a computerized super-sophisticated M-F-er in the +back. He'll pull up to a phone booth on a lonely highway somewhere, snake a +cable out of his bus, hook it onto the phone and sit for hours, days sometimes, +sending calls zipping back and forth across the country, all over the +world...." + +Back at my motel, I dialed the number he gave me for "Captain Crunch" and asked +for G---- T-----, his real name, or at least the name he uses when he's not +dashing into a phone booth beeping out M-F tones faster than a speeding bullet +and zipping phantomlike through the phone company's long-distance lines. + +When G---- T----- answered the phone and I told him I was preparing a story for +Esquire about phone phreaks, he became very indignant. + +"I don't do that. I don't do that anymore at all. And if I do it, I do it for +one reason and one reason only. I'm learning about a system. The phone +company is a System. A computer is a System, do you understand? If I do what +I do, it is only to explore a system. Computers, systems, that's my bag. The +phone company is nothing but a computer." + +A tone of tightly restrained excitement enters the Captain's voice when he +starts talking about systems. He begins to pronounce each syllable with the +hushed deliberation of an obscene caller. + +"Ma Bell is a system I want to explore. It's a beautiful system, you know, but +Ma Bell screwed up. It's terrible because Ma Bell is such a beautiful system, +but she screwed up. I learned how she screwed up from a couple of blind kids +who wanted me to build a device. A certain device. They said it could make +free calls. I wasn't interested in free calls. But when these blind kids told +me I could make calls into a computer, my eyes lit up. I wanted to learn about +computers. I wanted to learn about Ma Bell's computers. So I build the little +device, but I built it wrong and Ma Bell found out. Ma Bell can detect things +like that. Ma Bell knows. So I'm strictly rid of it now. I don't do it. +Except for learning purposes." He pauses. "So you want to write an article. +Are you paying for this call? Hang up and call this number." He gives me a +number in a area code a thousand miles away of his own. I dial the number. + +"Hello again. This is Captain Crunch. You are speaking to me on a toll-free +loop-around in Portland, Oregon. Do you know what a toll-free loop around is? +I'll tell you. + +He explains to me that almost every exchange in the country has open test +numbers which allow other exchanges to test their connections with it. Most of +these numbers occur in consecutive pairs, such as 302 956-0041 and 302 +956-0042. Well, certain phone phreaks discovered that if two people from +anywhere in the country dial the two consecutive numbers they can talk together +just as if one had called the other's number, with no charge to either of them, +of course. + +"Now our voice is looping around in a 4A switching machine up there in Canada, +zipping back down to me," the Captain tells me. "My voice is looping around up +there and back down to you. And it can't ever cost anyone money. The phone +phreaks and I have compiled a list of many many of these numbers. You would be +surprised if you saw the list. I could show it to you. But I won't. I'm out + + Page 42 + + + + + The Official Phreaker's Manual + +of that now. I'm not out to screw Ma Bell. I know better. If I do anything +it's for the pure knowledge of the System. You can learn to do fantastic +things. Have you ever heard eight tandems stacked up? Do you know the sound +of tandems stacking and unstacking? Give me your phone number. Okay. Hang up +now and wait a minute." + +Slightly less than a minute later the phone rang and the Captain was on the +line, his voice sounding far more excited, almost aroused. + +"I wanted to show you what it's like to stack up tandems. To stack up +tandems." (Whenever the Captain says "stack up" it sounds as if he is licking +his lips.) + +"How do you like the connection you're on now?" the Captain asks me. "It's a +raw tandem. A raw tandem. Ain't nothin' up to it but a tandem. Now I'm going +to show you what it's like to stack up. Blow off. Land in a far away place. +To stack that tandem up, whip back and forth across the country a few times, +then shoot on up to Moscow. + +"Listen," Captain Crunch continues. "Listen. I've got line tie on my +switchboard here, and I'm gonna let you hear me stack and unstack tandems. +Listen to this. It's gonna blow your mind." + +First I hear a super rapid-fire pulsing of the flutelike phone tones, then a +pause, then another popping burst of tones, then another, then another. Each +burst is followed by a beep-kachink sound. + +"We have now stacked up four tandems," said Captain Crunch, sounding somewhat +remote. "That's four tandems stacked up. Do you know what that means? That +means I'm whipping back and forth, back and forth twice, across the country, +before coming to you. I've been known to stack up twenty tandems at a time. +Now, just like I said, I'm going to shoot up to Moscow." + +There is a new, longer series of beeper pulses over the line, a brief silence, +then a ring. + +"Hello," answers a far-off voice. + +"Hello. Is this the American Embassy Moscow?" + +Moscow?" + +"Okay?" + +"Well, yes, how are things there?" + +"Oh. Well, everything okay, I guess." + +"Okay. Thank you." + +They hang up, leaving a confused series of beep-kachink sounds hanging in +mid-ether in the wake of the call before dissolving away. + +The Captain is pleased. "You believe me now, don't you? Do you know what I'd + + Page 43 + + + + + The Official Phreaker's Manual + +like to do? I'd just like to call up your editor at Esquire and show him just +what it sounds like to stack and unstack tandems. I'll give him a show that +will blow his mind. What's his number? + +I ask the Captain what kind of device he was using to accomplish all his feats. +The Captain is pleased at the question. + +"You could tell it was special, couldn't you?" Ten pulses per second. That's +faster than the phone company's equipment. Believe me, this unit is the most +famous unit in the country. There is no other unit like it. Believe me." + +"Yes, I've heard about it. Some other phone phreaks have told me about it." + +"They have been referring to my, ahem, unit? What is it they said? Just out of +curiosity, did they tell you it was a highly sophisticated computer-operated +unit, with acoustical coupling for receiving outputs and a switch-board with +multiple-line-tie capability? Did they tell you that the frequency tolerance +is guaranteed to be not more than .05 percent? The amplitude tolerance less +than .01 decibel? Those pulses you heard were perfect. They just come faster +than the phone company. Those were high-precision op-amps. Op-amps are +instrumentation amplifiers designed for ultra-stable amplification, super-low +distortion and accurate frequency response. Did they tell you it can operate +in temperatures from -55 degrees C to +125 degrees C?" + +I admit that they did not tell me all that. + +"I built it myself," the Captain goes on. "If you were to go out and buy the +components from an industrial wholesaler it would cost you at least $1500. I +once worked for a semiconductor company and all this didn't cost me a cent. Do +you know what I mean? Did they tell you about how I put a call completely +around the world? I'll tell you how I did it. I M-Fed Tokyo inward, who +connected me to India, India connected me to Greece, Greece connected me to +Pretoria, South Africa, South Africa connected me to South America, I went from +South America to London, I had a London operator connect me to a New York +operator, I had New York connect me to a California operator who rang the phone +next to me. Needless to say I had to shout to hear myself. But the echo was +far out. Fantastic. Delayed. It was delayed twenty seconds, but I could hear +myself talk to myself." + +"You mean you were speaking into the mouthpiece of one phone sending your voice +around the world into your ear through a phone on the other side of your head?" +I asked the Captain. I had a vision of something vaguely autoerotic going on, +in a complex electronic way. + +"That's right," said the Captain. "I've also sent my voice around the world +one way, going east on one phone, and going west on the other, going through +cable one way, satellite the other, coming back together at the same time, +ringing the two phones simultaneously and picking them up and whipping my +voice both ways around the world back to me. Wow. That was a mind blower." + +"You mean you sit there with both phones on your ear and talk to yourself +around the world," I said incredulously. + +"Yeah. Um hum. That's what I do. I connect the phone together and sit there +and talk." + +"What do you say? What do you say to yourself when you're connected?" + + + Page 44 + + + + + The Official Phreaker's Manual + +"Oh, you know. Hello test one two three," he says in a low-pitched voice. + +"Hello test one two three," he replied to himself in a high-pitched voice. + +"Hello test one two three," he repeats again, low-pitched. + +"Hello test one two three," he replies, high-pitched. + +"I sometimes do this: Hello Hello Hello Hello, Hello, hello," he trails off and +breaks into laughter. + +Why Captain Crunch Hardly Ever Taps Phones Anymore + +Using internal phone-company codes, phone phreaks have learned a simple method +for tapping phones. Phone-company operators have in front of them a board that +holds verification jacks. It allows them to plug into conversations in case of +emergency, to listen in to a line to determine if the line is busy or the +circuits are busy. Phone phreaks have learned to beep out the codes which lead +them to a verification operator, tell the verification operator they are +switchmen from some other area code testing out verification trunks. Once the +operator hooks them into the verification trunk, they disappear into the board +for all practical purposes, slip unnoticed into any one of the 10,000 to +100,000 numbers in that central office without the verification operator +knowing what they're doing, and of course without the two parties to the +connection knowing there is a phantom listener present on their line. + +Toward the end of my hour-long first conversation with him, I asked the Captain +if he ever tapped phones. + +"Oh no. I don't do that. I don't think it's right," he told me firmly. "I +have the power to do it but I don't... Well one time, just one time, I have to +admit that I did. There was this girl, Linda, and I wanted to find out... you +know. I tried to call her up for a date. I had a date with her the last +weekend and I thought she liked me. I called her up, man, and her line was +busy, and I kept calling and it was still busy. Well, I had just learned about +this system of jumping into lines and I said to myself, 'Hmmm. Why not just +see if it works. It'll surprise her if all of a sudden I should pop up on her +line. It'll impress her, if anything.' So I went ahead and did it. I M-Fed +into the line. My M-F-er is powerful enough when patched directly into the +mouthpiece to trigger a verification trunk without using an operator the way +the other phone phreaks have to. + +"I slipped into the line and there she was talking to another boyfriend. +Making sweet talk to him. I didn't make a sound because I was so disgusted. +So I waited there for her to hang up, listening to her making sweet talk to the +other guy. You know. So as soon as she hung up I instantly M-F-ed her up and +all I said was, 'Linda, we're through.' And I hung up. And it blew her head +off. She couldn't figure out what the hell happened. + +"But that was the only time. I did it thinking I would surprise her, impress +her. Those were all my intentions were, and well, it really kind of hurt me +pretty badly, and... and ever since then I don't go into verification trunks." + +Moments later my first conversation with the Captain comes to a close. + +"Listen," he says, his spirits somewhat cheered, "listen. What you are going +to hear when I hang up is the sound of tandems unstacking. Layer after layer of +tandems unstacking until there's nothing left of the stack, until it melts away + + Page 45 + + + + + The Official Phreaker's Manual + +into nothing. Cheep, cheep, cheep, cheep," he concludes, his voice descending +to a whisper with each cheep. + +He hangs up. The phone suddenly goes into four spasms: kachink cheep. Kachink +cheep kachink cheep kachink cheep, and the complex connection has wiped itself +out like the Cheshire cat's smile. + +The MF Boogie Blues + +The next number I choose from the select list of phone-phreak alumni, prepared +for me by the blue-box inventor, is a Memphis number. It is the number of Joe +Engressia, the first and still perhaps the most accomplished blind phone +phreak. + +Three years ago Engressia was a nine-day wonder in newspapers and magazines all +over America because he had been discovered whistling free long-distance +connections for fellow students at the University of South Florida. Engressia +was born with perfect pitch: he could whistle phone tones better than the +phone-company's equipment. + +Engressia might have gone on whistling in the dark for a few friends for the +rest of his life if the phone company hadn't decided to expose him. He was +warned, disciplined by the college, and the whole case became public. In the +months following media reports of his talent, Engressia began receiving strange +calls. There were calls from a group of kids in Los Angeles who could do some +very strange things with the quirky General Telephone and Electronics circuitry +in L.A. suburbs. There were calls from a group of mostly blind kids in ----, +California, who had been doing some interesting experiments with Cap'n Crunch +whistles and test loops. There was a group in Seattle, a group in Cambridge, +Massachusetts, a few from New York, a few scattered across the country. Some +of them had already equipped themselves with cassette and electronic M-F +devices. For some of these groups, it was the first time they knew of the +others. + +The exposure of Engressia was the catalyst that linked the separate +phone-phreak centers together. They all called Engressia. They talked to him +about what he was doing and what they were doing. And then he told them -- the +scattered regional centers and lonely independent phone phreakers -- about each +other, gave them each other's numbers to call, and within a year the scattered +phone-phreak centers had grown into a nationwide underground. + +Joe Engressia is only twenty-two years old now, but along the phone-phreak +network he is "the old man," accorded by phone phreaks something of the +reverence the phone company bestows on Alexander Graham Bell. He seldom needs +to make calls anymore. The phone phreaks all call him and let him know what +new tricks, new codes, new techniques they have learned. Every night he sits +like a sightless spider in his little apartment receiving messages from every +tendril of his web. It is almost a point of pride with Joe that they call +him. + +But when I reached him in his Memphis apartment that night, Joe Engressia was +lonely, jumpy and upset. + +"God, I'm glad somebody called. I don't know why tonight of all nights I don't +get any calls. This guy around here got drunk again tonight and propositioned +me again. I keep telling him we'll never see eye to eye on this subject, if +you know what I mean. I try to make light of it, you know, but he doesn't get +it. I can head him out there getting drunker and I don't know what he'll do + + Page 46 + + + + + The Official Phreaker's Manual + +next. It's just that I'm really all alone here, just moved to Memphis, it's +the first time I'm living on my own, and I'd hate for it to all collapse now. +But I won't go to bed with him. I'm just not very interested in sex and even +if I can't see him I know he's ugly. + +"Did you hear that? That's him banging a bottle against the wall outside. +He's nice. Well forget about it. You're doing a story on phone phreaks? +Listen to this. It's the MF Boogie Blues. + +Sure enough, a jumpy version of Muskrat Ramble boogies its way over the line, +each note one of those long-distance phone tones. The music stops. A huge +roaring voice blasts the phone off my ear: "AND THE QUESTION IS..." roars the +voice, "CAN A BLIND PERSON HOOK UP AN AMPLIFIER ON HIS OWN?" + +The roar ceases. A high-pitched operator-type voice replaces it. "This is +Southern Braille Tel. & Tel. Have tone, will phone." + +This is succeeded by a quick series of M-F tones, a swift "kachink" and a deep +reassuring voice: "If you need home care, call the visiting-nurses association. +First National time in Honolulu is 4:32 p.m." + +Joe back in his Joe voice again: "Are we seeing eye to eye? 'Si, si,' said the +blind Mexican. Ahem. Yes. Would you like to know the weather in Tokyo?" + +This swift manic sequence of phone-phreak vaudeville stunts and blind-boy jokes +manages to keep Joe's mind off his tormentor only as long as it lasts. + +"The reason I'm in Memphis, the reason I have to depend on that homosexual guy, +is that this is the first time I've been able to live on my own and make phone +trips on my own. I've been banned from all central offices around home in +Florida, they knew me too well, and at the University some of my fellow +scholars were always harassing me because I was on the dorm pay phone all the +time and making fun of me because of my fat ass, which of course I do have, +it's my physical fatness program, but I don't like to hear it every day, and if +I can't phone trip and I can't phone phreak, I can't imagine what I'd do, I've +been devoting three quarters of my life to it. + +"I moved to Memphis because I wanted to be on my own as well as because it has +a Number 5 crossbar switching system and some interesting little independent +phone-company districts nearby and so far they don't seem to know who I am so I +can go on phone tripping, and for me phone tripping is just as important as +phone phreaking." + +Phone tripping, Joe explains, begins with calling up a central-office switch +room. He tells the switchman in a polite earnest voice that he's a blind +college student interested in telephones, and could he perhaps have a guided +tour of the switching station? Each step of the tour Joe likes to touch and +feel relays, caress switching circuits, switchboards, crossbar arrangements. + +So when Joe Engressia phone phreaks he feels his way through the circuitry of +the country garden of forking paths, he feels switches shift, relays shunt, +crossbars swivel, tandems engage and disengage even as he hears -- with perfect +pitch -- his M-F pulses make the entire Bell system dance to his tune. + +Just one month ago Joe took all his savings out of his bank and left home, over +the emotional protests of his mother. "I ran away from home almost," he likes +to say. Joe found a small apartment house on Union Avenue and began making +phone trips. He'd take a bus a hundred miles south in Mississippi to see some + + Page 47 + + + + + The Official Phreaker's Manual + +old-fashioned Bell equipment still in use in several states, which had been +puzzling. He'd take a bus three hundred miles to Charlotte, North Carolina, to +look at some brand-new experimental equipment. He hired a taxi to drive him +twelve miles to a suburb to tour the office of a small phone company with some +interesting idiosyncrasies in its routing system. He was having the time of +his life, he said, the most freedom and pleasure he had known. + +In that month he had done very little long-distance phone phreaking from his +own phone. He had begun to apply for a job with the phone company, he told me, +and he wanted to stay away from anything illegal. + +"Any kind of job will do, anything as menial as the most lowly operator. +That's probably all they'd give me because I'm blind. Even though I probably +know more than most switchmen. But that's okay. I want to work for Ma Bell. +I don't hate Ma Bell the way Gilbertson and some phone phreaks do. I don't +want to screw Ma Bell. With me it's the pleasure of pure knowledge. There's +something beautiful about the system when you know it intimately the way I do. +But I don't know how much they know about me here. I have a very intuitive +feel for the condition of the line I'm on, and I think they're monitoring me +off and on lately, but I haven't been doing much illegal. I have to make a few +calls to switchmen once in a while which aren't strictly legal, and once I took +an acid trip and was having these auditory hallucinations as if I were trapped +and these planes were dive-bombing me, and all of sudden I had to phone phreak +out of there. For some reason I had to call Kansas City, but that's all." + +A Warning Is Delivered + +At this point -- one o'clock in my time zone -- a loud knock on my motel-room +door interrupts our conversation. Outside the door I find a uniformed security +guard who informs me that there has been an "emergency phone call" for me while +I have been on the line and that the front desk has sent him up to let me +know. + +Two seconds after I say good-bye to Joe and hang up, the phone rings. + +"Who were you talking to?" the agitated voice demands. The voice belongs to +Captain Crunch. "I called because I decided to warn you of something. I +decided to warn you to be careful. I don't want this information you get to +get to the radical underground. I don't want it to get into the wrong hands. +What would you say if I told you it's possible for three phone phreaks to +saturate the phone system of the nation. Saturate it. Busy it out. All of +it. I know how to do this. I'm not gonna tell. A friend of mine has already +saturated the trunks between Seattle and New York. He did it with a +computerized M-F-er hitched into a special Manitoba exchange. But there are +other, easier ways to do it." + +Just three people? I ask. How is that possible? + +"Have you ever heard of the long-lines guard frequency? Do you know about +stacking tandems with 17 and 2600? Well, I'd advise you to find out about it. +I'm not gonna tell you. But whatever you do, don't let this get into the hands +of the radical underground." + +(Later Gilbertson, the inventor, confessed that while he had always been +skeptical about the Captain's claim of the sabotage potential of trunk-tying +phone phreaks, he had recently heard certain demonstrations which convinced him +the Captain was not speaking idly. "I think it might take more than three +people, depending on how many machines like Captain Crunch's were available. + + Page 48 + + + + + The Official Phreaker's Manual + +But even though the Captain sounds a little weird, he generally turns out to +know what he's talking about.") + +"You know," Captain Crunch continues in his admonitory tone, "you know the +younger phone phreaks call Moscow all the time. Suppose everybody were to call +Moscow. I'm no right-winger. But I value my life. I don't want the Commies +coming over and dropping a bomb on my head. That's why I say you've got to be +careful about who gets this information." + +The Captain suddenly shifts into a diatribe against those phone phreaks who +don't like the phone company. + +"They don't understand, but Ma Bell knows everything they do. Ma Bell knows. +Listen, is this line hot? I just heard someone tap in. I'm not paranoid, but +I can detect things like that. Well, even if it is, they know that I know that +they know that I have a bulk eraser. I'm very clean." The Captain pauses, +evidently torn between wanting to prove to the phone-company monitors that he +does nothing illegal, and the desire to impress Ma Bell with his prowess. "Ma +Bell knows how good I am. And I am quite good. I can detect reversals, tandem +switching, everything that goes on on a line. I have relative pitch now. Do +you know what that means? My ears are a $20,000 piece of equipment. With my +ears I can detect things they can't hear with their equipment. I've had +employment problems. I've lost jobs. But I want to show Ma Bell how good I +am. I don't want to screw her, I want to work for her. I want to do good for +her. I want to help her get rid of her flaws and become perfect. That's my +number-one goal in life now." The Captain concludes his warnings and tells me +he has to be going. "I've got a little action lined up for tonight," he +explains and hangs up. + +Before I hang up for the night, I call Joe Engressia back. He reports that his +tormentor has finally gone to sleep -- "He's not blind drunk, that's the way I +get, ahem, yes; but you might say he's in a drunken stupor." I make a date to +visit Joe in Memphis in two days. + ++-- End second file of four --+ + + + + + + + + + + + + + + + + + + + + + + + + + Page 49 + + + + + The Official Phreaker's Manual + + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + * * + * +----------------------------------------------+ * + * * + * Secrets of the Little Blue Box * + * * + * by Ron Rosenbaum * + * Typed by One Farad Cap/AAG * + * * + * -A story so incredible it may even make you * + * feel sorry for the phone company- * + * * + * (Third of four files) * + * * + * +----------------------------------------------+ * + * * + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + +A Phone Phreak Call Takes Care of Business + +The next morning I attend a gathering of four phone phreaks in ----- (a +California suburb). The gathering takes place in a comfortable split-level +home in an upper-middle-class subdivision. Heaped on the kitchen table are the +portable cassette recorders, M-F cassettes, phone patches, and line ties of the +four phone phreaks present. On the kitchen counter next to the telephone is a +shoe-box-size blue box with thirteen large toggle switches for the tones. The +parents of the host phone phreak, Ralph, who is blind, stay in the living room +with their sighted children. They are not sure exactly what Ralph and his +friends do with the phone or if it's strictly legal, but he is blind and they +are pleased he has a hobby which keeps him busy. + +The group has been working at reestablishing the historic "2111" conference, +reopening some toll-free loops, and trying to discover the dimensions of what +seem to be new initiatives against phone phreaks by phone-company security +agents. + +It is not long before I get a chance to see, to hear, Randy at work. Randy is +known among the phone phreaks as perhaps the finest con man in the game. Randy +is blind. He is pale, soft and pear-shaped, he wears baggy pants and a wrinkly +nylon white sport shirt, pushes his head forward from hunched shoulders +somewhat like a turtle inching out of its shell. His eyes wander, crossing and +recrossing, and his forehead is somewhat pimply. He is only sixteen years +old. + +But when Randy starts speaking into a telephone mouthpiece his voice becomes so +stunningly authoritative it is necessary to look again to convince yourself it +comes from a chubby adolescent Randy. Imagine the voice of a crack oil-rig +foreman, a tough, sharp, weather-beaten Marlboro man of forty. Imagine the +voice of a brilliant performance-fund gunslinger explaining how he beats the +Dow Jones by thirty percent. Then imagine a voice that could make those two + +He is speaking to a switchman in Detroit. The phone company in Detroit had +closed up two toll-free loop pairs for no apparent reason, although heavy use +by phone phreaks all over the country may have been detected. Randy is telling +the switchman how to open up the loop and make it free again: + +"How are you, buddy. Yeah. I'm on the board in here in Tulsa, Oklahoma, and + + Page 50 + + + + + The Official Phreaker's Manual + +we've been trying to run some tests on your loop-arounds and we find'em busied +out on both sides.... Yeah, we've been getting a 'BY' on them, what d'ya say, +can you drop cards on 'em? Do you have 08 on your number group? Oh that's +okay, we've had this trouble before, we may have to go after the circuit. Here +lemme give 'em to you: your frame is 05, vertical group 03, horizontal 5, +vertical file 3. Yeah, we'll hang on here.... Okay, found it? Good. Right, +yeah, we'd like to clear that busy out. Right. All you have to do is look for +your key on the mounting plate, it's in your miscellaneous trunk frame. Okay? +Right. Now pull your key from NOR over the LCT. Yeah. I don't know why that +happened, but we've been having trouble with that one. Okay. Thanks a lot +fella. Be seein' ya." + +Randy hangs up, reports that the switchman was a little inexperienced with the +loop-around circuits on the miscellaneous trunk frame, but that the loop has +been returned to its free-call status. + +Delighted, phone phreak Ed returns the pair of numbers to the active-status +column in his directory. Ed is a superb and painstaking researcher. With +almost Talmudic thoroughness he will trace tendrils of hints through soft-wired +mazes of intervening phone-company circuitry back through complex linkages of +switching relays to find the location and identity of just one toll-free loop. +He spends hours and hours, every day, doing this sort of thing. He has somehow +compiled a directory of eight hundred "Band-six in-WATS numbers" located in +over forty states. Band-six in-WATS numbers are the big 800 numbers -- the +ones that can be dialed into free from anywhere in the country. + +Ed the researcher, a nineteen-year-old engineering student, is also a superb +technician. He put together his own working blue box from scratch at age +seventeen. (He is sighted.) This evening after distributing the latest issue +of his in-WATS directory (which has been typed into Braille for the blind phone +phreaks), he announces he has made a major new breakthrough: + +"I finally tested it and it works, perfectly. I've got this switching matrix +which converts any touch-tone phone into an M-F-er." + +The tones you hear in touch-tone phones are not the M-F tones that operate the +long-distance switching system. Phone phreaks believe A.T.&T. had deliberately +equipped touch tones with a different set of frequencies to avoid putting the +six master M-F tones in the hands of every touch-tone owner. Ed's complex +switching matrix puts the six master tones, in effect put a blue box, in the +hands of every touch-tone owner. + +Ed shows me pages of schematics, specifications and parts lists. "It's not easy +to build, but everything here is in the Heathkit catalog." + +Ed asks Ralph what progress he has made in his attempts to reestablish a +long-term open conference line for phone phreaks. The last big conference -- +the historic "2111" conference -- had been arranged through an unused Telex +test-board trunk somewhere in the innards of a 4A switching machine in +Vancouver, Canada. For months phone phreaks could M-F their way into +Vancouver, beep out 604 (the Vancouver area code) and then beep out 2111 (the +internal phone-company code for Telex testing), and find themselves at any +time, day or night, on an open wire talking with an array of phone phreaks from +coast to coast, operators from Bermuda, Tokyo and London who are phone-phreak +sympathizers, and miscellaneous guests and technical experts. The conference +was a massive exchange of information. Phone phreaks picked each other's +brains clean, then developed new ways to pick the phone company's brains clean. +Ralph gave M F Boogies concerts with his home-entertainment-type electric + + Page 51 + + + + + The Official Phreaker's Manual + +organ, Captain Crunch demonstrated his round-the-world prowess with his +notorious computerized unit and dropped leering hints of the "action" he was +getting with his girl friends. (The Captain lives out or pretends to live out +several kinds of fantasies to the gossipy delight of the blind phone phreaks +who urge him on to further triumphs on behalf of all of them.) The somewhat +rowdy Northwest phone-phreak crowd let their bitter internal feud spill over +into the peaceable conference line, escalating shortly into guerrilla warfare; +Carl the East Coast international tone relations expert demonstrated newly +opened direct M-F routes to central offices on the island of Bahrein in the +Persian Gulf, introduced a new phone-phreak friend of his in Pretoria, and +explained the technical operation of the new Oakland-to Vietnam linkages. +(Many phone phreaks pick up spending money by M-F-ing calls from relatives to +Vietnam G.I.'s, charging $5 for a whole hour of trans-Pacific conversation.) + +Day and night the conference line was never dead. Blind phone phreaks all over +the country, lonely and isolated in homes filled with active sighted brothers +and sisters, or trapped with slow and unimaginative blind kids in straitjacket +schools for the blind, knew that no matter how late it got they could dial up +the conference and find instant electronic communion with two or three other +blind kids awake over on the other side of America. Talking together on a +phone hookup, the blind phone phreaks say, is not much different from being +there together. Physically, there was nothing more than a two-inch-square wafer +of titanium inside a vast machine on Vancouver Island. For the blind kids +>there< meant an exhilarating feeling of being in touch, through a kind of +skill and magic which was peculiarly their own. + +Last April 1, however, the long Vancouver Conference was shut off. The phone +phreaks knew it was coming. Vancouver was in the process of converting from a +step-by-step system to a 4A machine and the 2111 Telex circuit was to be wiped +out in the process. The phone phreaks learned the actual day on which the +conference would be erased about a week ahead of time over the phone company's +internal-news-and-shop-talk recording. + +For the next frantic seven days every phone phreak in America was on and off +the 2111 conference twenty-four hours a day. Phone phreaks who were just +learning the game or didn't have M-F capability were boosted up to the +conference by more experienced phreaks so they could get a glimpse of what it +was like before it disappeared. Top phone phreaks searched distant area codes +for new conference possibilities without success. Finally in the early morning +of April 1, the end came. + +"I could feel it coming a couple hours before midnight," Ralph remembers. "You +could feel something going on in the lines. Some static began showing up, then +some whistling wheezing sound. Then there were breaks. Some people got cut +off and called right back in, but after a while some people were finding they +were cut off and couldn't get back in at all. It was terrible. I lost it +about one a.m., but managed to slip in again and stay on until the thing +died... I think it was about four in the morning. There were four of us still +hanging on when the conference disappeared into nowhere for good. We all tried +to M-F up to it again of course, but we got silent termination. There was +nothing there." + +The Legendary Mark Bernay Turns Out To Be "The Midnight Skulker" + +Mark Bernay. I had come across that name before. It was on Gilbertson's +select list of phone phreaks. The California phone phreaks had spoken of a +mysterious Mark Bernay as perhaps the first and oldest phone phreak on the West +Coast. And in fact almost every phone phreak in the West can trace his origins + + Page 52 + + + + + The Official Phreaker's Manual + +either directly to Mark Bernay or to a disciple of Mark Bernay. + +It seems that five years ago this Mark Bernay (a pseudonym he chose for +himself) began traveling up and down the West Coast pasting tiny stickers in +phone books all along his way. The stickers read something like "Want to hear +an interesting tape recording? Call these numbers." The numbers that followed +were toll-free loop-around pairs. When one of the curious called one of the +numbers he would hear a tape recording pre-hooked into the loop by Bernay which +explained the use of loop-around pairs, gave the numbers of several more, and +ended by telling the caller, "At six o'clock tonight this recording will stop +and you and your friends can try it out. Have fun." + +"I was disappointed by the response at first," Bernay told me, when I finally +reached him at one of his many numbers and he had dispensed with the usual "I +never do anything illegal" formalities which experienced phone phreaks open +most conversations. + +"I went all over the coast with these stickers not only on pay phones, but I'd +throw them in front of high schools in the middle of the night, I'd leave them +unobtrusively in candy stores, scatter them on main streets of small towns. At +first hardly anyone bothered to try it out. I would listen in for hours and +hours after six o'clock and no one came on. I couldn't figure out why people +wouldn't be interested. Finally these two girls in Oregon tried it out and +told all their friends and suddenly it began to spread." + +Before his Johny Appleseed trip Bernay had already gathered a sizable group of +early pre-blue-box phone phreaks together on loop-arounds in Los Angeles. +Bernay does not claim credit for the original discovery of the loop-around +numbers. He attributes the discovery to an eighteen-year-old reform school kid +in Long Beach whose name he forgets and who, he says, "just disappeared one +day." When Bernay himself discovered loop-arounds independently, from clues in +his readings in old issues of the Automatic Electric Technical Journal, he +found dozens of the reform-school kid's friends already using them. However, it +was one of Bernay's disciples in Seattle that introduced phone phreaking to +blind kids. The Seattle kid who learned about loops through Bernay's recording +told a blind friend, the blind kid taught the secret to his friends at a winter +camp for blind kids in Los Angeles. When the camp session was over these kids +took the secret back to towns all over the West. This is how the original +blind kids became phone phreaks. For them, for most phone phreaks in general, +it was the discovery of the possibilities of loop-arounds which led them on to +far more serious and sophisticated phone-phreak methods, and which gave them a +medium for sharing their discoveries. + +A year later a blind kid who moved back east brought the technique to a blind +kids' summer camp in Vermont, which spread it along the East Coast. All from a +Mark Bernay sticker. + +Bernay, who is nearly thirty years old now, got his start when he was fifteen +and his family moved into an L.A. suburb serviced by General Telephone and +Electronics equipment. He became fascinated with the differences between Bell +and G.T.&E. equipment. He learned he could make interesting things happen by +carefully timed clicks with the disengage button. He learned to interpret +subtle differences in the array of clicks, whirrs and kachinks he could hear on +his lines. He learned he could shift himself around the switching relays of +the L.A. area code in a not-too-predictable fashion by interspersing his own +hook-switch clicks with the clicks within the line. (Independent phone +companies -- there are nineteen hundred of them still left, most of them tiny +island principalities in Ma Bell's vast empire -- have always been favorites + + Page 53 + + + + + The Official Phreaker's Manual + +with phone phreaks, first as learning tools, then as Archimedes platforms from +which to manipulate the huge Bell system. A phone phreak in Bell territory +will often M-F himself into an independent's switching system, with switching +idiosyncrasies which can give him marvelous leverage over the Bell System. + +"I have a real affection for Automatic Electric Equipment," Bernay told me. +"There are a lot of things you can play with. Things break down in interesting +ways." + +Shortly after Bernay graduated from college (with a double major in chemistry +and philosophy), he graduated from phreaking around with G.T.&E. to the Bell +System itself, and made his legendary sticker-pasting journey north along the +coast, settling finally in Northwest Pacific Bell territory. He discovered +that if Bell does not break down as interestingly as G.T.&E., it nevertheless +offers a lot of "things to play with." + +Bernay learned to play with blue boxes. He established his own personal +switchboard and phone-phreak research laboratory complex. He continued his +phone-phreak evangelism with ongoing sticker campaigns. He set up two recording +numbers, one with instructions for beginning phone phreaks, the other with +latest news and technical developments (along with some advanced instruction) +gathered from sources all over the country. + +These days, Bernay told me, he had gone beyond phone-phreaking itself. "Lately +I've been enjoying playing with computers more than playing with phones. My +personal thing in computers is just like with phones, I guess -- the kick is in +finding out how to beat the system, how to get at things I'm not supposed to +know about, how to do things with the system that I'm not supposed to be able +to do." + +As a matter of fact, Bernay told me, he had just been fired from his +computer-programming job for doing things he was not supposed to be able to do. +he had been working with a huge time-sharing computer owned by a large +corporation but shared by many others. Access to the computer was limited to +those programmers and corporations that had been assigned certain passwords. +And each password restricted its user to access to only the one section of the +computer cordoned off from its own information storager. The password system +prevented companies and individuals from stealing each other's information. + +"I figured out how to write a program that would let me read everyone else's +password," Bernay reports. "I began playing around with passwords. I began +letting the people who used the computer know, in subtle ways, that I knew +their passwords. I began dropping notes to the computer supervisors with hints +that I knew what I know. I signed them 'The Midnight Skulker.' I kept getting +cleverer and cleverer with my messages and devising ways of showing them what I +could do. I'm sure they couldn't imagine I could do the things I was showing +them. But they never responded to me. Every once in a while they'd change the +passwords, but I found out how to discover what the new ones were, and I let +them know. But they never responded directly to the Midnight Skulker. I even +finally designed a program which they could use to prevent my program from +finding out what it did. In effect I told them how to wipe me out, The +Midnight Skulker. It was a very clever program. I started leaving clues about +myself. I wanted them to try and use it and then try to come up with something +to get around that and reappear again. But they wouldn't play. I wanted to +get caught. I mean I didn't want to get caught personally, but I wanted them +to notice me and admit that they noticed me. I wanted them to attempt to +respond, maybe in some interesting way." + + + Page 54 + + + + + The Official Phreaker's Manual + +Finally the computer managers became concerned enough about the threat of +information-stealing to respond. However, instead of using The Midnight +Skulker's own elegant self-destruct program, they called in their security +personnel, interrogated everyone, found an informer to identify Bernay as The +Midnight Skulker, and fired him. + +"At first the security people advised the company to hire me full-time to +search out other flaws and discover other computer freaks. I might have liked +that. But I probably would have turned into a double double agent rather than +the double agent they wanted. I might have resurrected The Midnight Skulker +and tried to catch myself. Who knows? Anyway, the higher-ups turned the whole +idea down." + +You Can Tap the F.B.I.'s Crime Control Computer in the Comfort of Your Own +Home, Perhaps + +Computer freaking may be the wave of the future. It suits the phone-phreak +sensibility perfectly. Gilbertson, the blue-box inventor and a lifelong phone +phreak, has also gone on from phone-phreaking to computer-freaking. Before he +got into the blue-box business Gilbertson, who is a highly skilled programmer, +devised programs for international currency arbitrage. + +But he began playing with computers in earnest when he learned he could use his +blue box in tandem with the computer terminal installed in his apartment by the +instrumentation firm he worked for. The print-out terminal and keyboard was +equipped with acoustical coupling, so that by coupling his little ivory +Princess phone to the terminal and then coupling his blue box on that, he could +M-F his way into other computers with complete anonymity, and without charge; +program and re-program them at will; feed them false or misleading information; +tap and steal from them. He explained to me that he taps computers by busying +out all the lines, then going into a verification trunk, listening into the +passwords and instructions one of the time sharers uses, and them M-F-ing in +and imitating them. He believes it would not be impossible to creep into the +F.B.I's crime control computer through a local police computer terminal and +phreak around with the F.B.I.'s memory banks. He claims he has succeeded in +re-programming a certain huge institutional computer in such a way that it has +cordoned off an entire section of its circuitry for his personal use, and at +the same time conceals that arrangement from anyone else's notice. I have been +unable to verify this claim. + +Like Captain Crunch, like Alexander Graham Bell (pseudonym of a +disgruntled-looking East Coast engineer who claims to have invented the black +box and now sells black and blue boxes to gamblers and radical heavies), like +most phone phreaks, Gilbertson began his career trying to rip off pay phones as +a teenager. Figure them out, then rip them off. Getting his dime back from +the pay phone is the phone phreak's first thrilling rite of passage. After +learning the usual eighteen different ways of getting his dime back, Gilbertson +learned how to make master keys to coin-phone cash boxes, and get everyone +else's dimes back. He stole some phone-company equipment and put together his +own home switchboard with it. He learned to make a simple "bread-box" device, +of the kind used by bookies in the Thirties (bookie gives a number to his +betting clients; the phone with that number is installed in some widow lady's +apartment, but is rigged to ring in the bookie's shop across town, cops trace +big betting number and find nothing but the widow). + +Not long after that afternoon in 1968 when, deep in the stacks of an +engineering library, he came across a technical journal with the phone tone +frequencies and rushed off to make his first blue box, not long after that + + Page 55 + + + + + The Official Phreaker's Manual + +Gilbertson abandoned a very promising career in physical chemistry and began +selling blue boxes for $1,500 apiece. + +"I had to leave physical chemistry. I just ran out of interesting things to +learn," he told me one evening. We had been talking in the apartment of the +man who served as the link between Gilbertson and the syndicate in arranging +the big $300,000 blue-box deal which fell through because of legal trouble. +There has been some smoking. + +"No more interesting things to learn," he continues. "Physical chemistry turns +out to be a sick subject when you take it to its highest level. I don't know. +I don't think I could explain to you how it's sick. You have to be there. But +you get, I don't know, a false feeling of omnipotence. I suppose it's like +phone-phreaking that way. This huge thing is there. This whole system. And +there are holes in it and you slip into them like Alice and you're pretending +you're doing something you're actually not, or at least it's no longer you +that's doing what you thought you were doing. It's all Lewis Carroll. +Physical chemistry and phone-phreaking. That's why you have these phone-phreak +pseudonyms like The Cheshire Cat, the Red King, and The Snark. But there's +something about phone-phreaking that you don't find in physical chemistry." He +looks up at me: + +"Did you ever steal anything?" + + +"Then you know! You know the rush you get. It's not just knowledge, like +physical chemistry. It's forbidden knowledge. You know. You can learn about +anything under the sun and be bored to death with it. But the idea that it's +illegal. Look: you can be small and mobile and smart and you're ripping off +somebody large and powerful and very dangerous." + +People like Gilbertson and Alexander Graham Bell are always talking about +ripping off the phone company and screwing Ma Bell. But if they were shown a +single button and told that by pushing it they could turn the entire circuitry +of A.T.&T. into molten puddles, they probably wouldn't push it. The +disgruntled-inventor phone phreak needs the phone system the way the lapsed +Catholic needs the Church, the way Satan needs a God, the way The Midnight +Skulker needed, more than anything else, response. + +Later that evening Gilbertson finished telling me how delighted he was at the +flood of blue boxes spreading throughout the country, how delighted he was to +know that "this time they're really screwed." He suddenly shifted gears. + +"Of course. I do have this love/hate thing about Ma Bell. In a way I almost +like the phone company. I guess I'd be very sad if they were to disintegrate. +In a way it's just that after having been so good they turn out to have these +things wrong with them. It's those flaws that allow me to get in and mess with +them, but I don't know. There's something about it that gets to you and makes +you want to get to it, you know." + +I ask him what happens when he runs out of interesting, forbidden things to +learn about the phone system. + +"I don't know, maybe I'd go to work for them for a while." + +"In security even?" + + + Page 56 + + + + + The Official Phreaker's Manual + +"I'd do it, sure. I just as soon play -- I'd just as soon work on either +side." + +"Even figuring out how to trap phone phreaks? I said, recalling Mark Bernay's +game." + +"Yes, that might be interesting. Yes, I could figure out how to outwit the +phone phreaks. Of course if I got too good at it, it might become boring +again. Then I'd have to hope the phone phreaks got much better and outsmarted +me for a while. That would move the quality of the game up one level. I might +even have to help them out, you know, 'Well, kids, I wouldn't want this to get +around but did you ever think of -- ?' I could keep it going at higher and +higher levels forever." + +The dealer speaks up for the first time. He has been staring at the soft +blinking patterns of light and colors on the translucent tiled wall facing him. +(Actually there are no patterns: the color and illumination of every tile is +determined by a computerized random-number generator designed by Gilbertson +which insures that there can be no meaning to any sequence of events in the +tiles.) + +"Those are nice games you're talking about," says the dealer to his friend. +"But I wouldn't mind seeing them screwed. A telephone isn't private anymore. +You can't say anything you really want to say on a telephone or you have to go +through that paranoid bullshit. 'Is it cool to talk on the phone?' I mean, +even if it is cool, if you have to ask 'Is it cool,' then it isn't cool. You +know. 'Is it cool,' then it isn't cool. You know. Like those blind kids, +people are going to start putting together their own private telephone +companies if they want to really talk. And you know what else. You don't hear +silences on the phone anymore. They've got this time-sharing thing on +long-distance lines where you make a pause and they snip out that piece of time +and use it to carry part of somebody else's conversation. Instead of a pause, +where somebody's maybe breathing or sighing, you get this blank hole and you +only start hearing again when someone says a word and even the beginning of the +word is clipped off. Silences don't count -- you're paying for them, but they +take them away from you. It's not cool to talk and you can't hear someone when +they don't talk. What the hell good is the phone? I wouldn't mind seeing them +totally screwed." + ++-- End third file of four --+ + + + + + + + + + + + + + + + + + + + + Page 57 + + + + + The Official Phreaker's Manual + + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + * * + * +----------------------------------------------+ * + * * + * Secrets of the Little Blue Box * + * * + * by Ron Rosenbaum * + * Typed by One Farad Cap/AAG * + * * + * -A story so incredible it may even make you * + * feel sorry for the phone company- * + * * + * (Fourth of four files) * + * * + * +----------------------------------------------+ * + * * + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + +The Big Memphis Bust + +Joe Engressia never wanted to screw Ma Bell. His dream had always been to work +for her. + +The day I visited Joe in his small apartment on Union Avenue in Memphis, he was +upset about another setback in his application for a telephone job. + +"They're stalling on it. I got a letter today telling me they'd have to +postpone the interview I requested again. My landlord read it for me. They +gave me some runaround about wanting papers on my rehabilitation status but I +think there's something else going on." + +When I switched on the 40-watt bulb in Joe's room -- he sometimes forgets when +he has guests -- it looked as if there was enough telephone hardware to start a +small phone company of his own. + +There is one phone on top of his desk, one phone sitting in an open drawer +beneath the desk top. Next to the desk-top phone is a cigar-box-size M-F +device with big toggle switches, and next to that is some kind of switching and +coupling device with jacks and alligator plugs hanging loose. Next to that is +a Braille typewriter. On the floor next to the desk, lying upside down like a +dead tortoise, is the half-gutted body of an old black standard phone. Across +the room on a torn and dusty couch are two more phones, one of them a +touch-tone model; two tape recorders; a heap of phone patches and cassettes, +and a life-size toy telephone. + +Our conversation is interrupted every ten minutes by phone phreaks from all +over the country ringing Joe on just about every piece of equipment but the toy +phone and the Braille typewriter. One fourteen-year-old blind kid from +Connecticut calls up and tells Joe he's got a girl friend. He wants to talk to +Joe about girl friends. Joe says they'll talk later in the evening when they +can be alone on the line. Joe draws a deep breath, whistles him off the air +with an earsplitting 2600-cycle whistle. Joe is pleased to get the calls but he +looked worried and preoccupied that evening, his brow constantly furrowed over +his dark wandering eyes. In addition to the phone-company stall, he has just +learned that his apartment house is due to be demolished in sixty days for +urban renewal. For all its shabbiness, the Union Avenue apartment house has +been Joe's first home-of-his-own and he's worried that he may not find another +before this one is demolished. + + Page 58 + + + + + The Official Phreaker's Manual + + +But what really bothers Joe is that switchmen haven't been listening to him. +"I've been doing some checking on 800 numbers lately, and I've discovered that +certain 800 numbers in New Hampshire couldn't be reached from Missouri and +Kansas. Now it may sound like a small thing, but I don't like to see sloppy +work; it makes me feel bad about the lines. So I've been calling up switching +offices and reporting it, but they haven't corrected it. I called them up for +the third time today and instead of checking they just got mad. Well, that +gets me mad. I mean, I do try to help them. There's something about them I +can't understand -- you want to help them and they just try to say you're +defrauding them." + +It is Sunday evening and Joe invites me to join him for dinner at a Holiday +Inn. Frequently on Sunday evening Joe takes some of his welfare money, calls a +cab, and treats himself to a steak dinner at one of Memphis' thirteen Holiday +Inns. (Memphis is the headquarters of Holiday Inn. Holiday Inns have been a +favorite for Joe ever since he made his first solo phone trip to a Bell +switching office in Jacksonville, Florida, and stayed in the Holiday Inn there. +He likes to stay at Holiday Inns, he explains, because they represent freedom +to him and because the rooms are arranged the same all over the country so he +knows that any Holiday Inn room is familiar territory to him. Just like any +telephone.) + +Over steaks in the Pinnacle Restaurant of the Holiday Inn Medical Center on +Madison Avenue in Memphis, Joe tells me the highlights of his life as a phone +phreak. + +At age seven, Joe learned his first phone trick. A mean baby-sitter, tired of +listening to little Joe play with the phone as he always did, constantly, put a +lock on the phone dial. "I got so mad. When there's a phone sitting there and +I can't use it... so I started getting mad and banging the receiver up and +down. I noticed I banged it once and it dialed one. Well, then I tried +banging it twice...." In a few minutes Joe learned how to dial by pressing the +hook switch at the right time. "I was so excited I remember going 'whoo whoo' +and beat a box down on the floor." + +At age eight Joe learned about whistling. "I was listening to some intercept +non working-number recording in L.A.- I was calling L.A. as far back as that, +but I'd mainly dial non working numbers because there was no charge, and I'd +listen to these recordings all day. Well, I was whistling 'cause listening to +these recordings can be boring after a while even if they are from L.A., and +all of a sudden, in the middle of whistling, the recording clicked off. I +fiddled around whistling some more, and the same thing happened. So I called +up the switch room and said, 'I'm Joe. I'm eight years old and I want to know +why when I whistle this tune the line clicks off.' He tried to explain it to +me, but it was a little too technical at the time. I went on learning. That +was a thing nobody was going to stop me from doing. The phones were my life, +and I was going to pay any price to keep on learning. I knew I could go to +jail. But I had to do what I had to do to keep on learning." + +The phone is ringing when we walk back into Joe's apartment on Union Avenue. +It is Captain Crunch. The Captain has been following me around by phone, +calling up everywhere I go with additional bits of advice and explanation for +me and whatever phone phreak I happen to be visiting. This time the Captain +reports he is calling from what he describes as "my hideaway high up in the +Sierra Nevada." He pulses out lusty salvos of M-F and tells Joe he is about to +"go out and get a little action tonight. Do some phreaking of another kind, if +you know what I mean." Joe chuckles. + + Page 59 + + + + + The Official Phreaker's Manual + + +The Captain then tells me to make sure I understand that what he told me about +tying up the nation's phone lines was true, but that he and the phone phreaks +he knew never used the technique for sabotage. They only learned the technique +to help the phone company. + +"We do a lot of troubleshooting for them. Like this New Hampshire/Missouri +WATS-line flaw I've been screaming about. We help them more than they know." + +After we say good-bye to the Captain and Joe whistles him off the line, Joe +tells me about a disturbing dream he had the night before: "I had been caught +and they were taking me to a prison. It was a long trip. They were taking me +to a prison a long long way away. And we stopped at a Holiday Inn and it was +my last night ever using the phone and I was crying and crying, and the lady at +the Holiday Inn said, 'Gosh, honey, you should never be sad at a Holiday Inn. +You should always be happy here. Especially since it's your last night.' And +that just made it worse and I was sobbing so much I couldn't stand it." + +Two weeks after I left Joe Engressia's apartment, phone-company security agents +and Memphis police broke into it. Armed with a warrant, which they left pinned +to a wall, they confiscated every piece of equipment in the room, including his +toy telephone. Joe was placed under arrest and taken to the city jail where he +was forced to spend the night since he had no money and knew no one in Memphis +to call. + +It is not clear who told Joe what that night, but someone told him that the +phone company had an open-and-shut case against him because of revelations of +illegal activity he had made to a phone-company undercover agent. + +By morning Joe had become convinced that the reporter from Esquire, with whom +he had spoken two weeks ago, was the undercover agent. He probably had ugly +thoughts about someone he couldn't see gaining his confidence, listening to him +talk about his personal obsessions and dreams, while planning all the while to +lock him up. + +"I really thought he was a reporter," Engressia told the Memphis Press-Seminar. +"I told him everything...." Feeling betrayed, Joe proceeded to confess +everything to the press and police. + +As it turns out, the phone company did use an undercover agent to trap Joe, +although it was not the Esquire reporter. + +Ironically, security agents were alerted and began to compile a case against +Joe because of one of his acts of love for the system: Joe had called an +internal service department to report that he had located a group of defective +long-distance trunks, and to complain again about the New Hampshire/Missouri +WATS problem. Joe always liked Ma Bell's lines to be clean and responsive. A +suspicious switchman reported Joe to the security agents who discovered that +Joe had never had a long-distance call charged to his name. + +Then the security agents learned that Joe was planning one of his phone trips +to a local switching office. The security people planted one of their agents +in the switching office. He posed as a student switchman and followed Joe +around on a tour. He was extremely friendly and helpful to Joe, leading him +around the office by the arm. When the tour was over he offered Joe a ride back +to his apartment house. On the way he asked Joe -- one tech man to another -- +about "those blue boxers" he'd heard about. Joe talked about them freely, +talked about his blue box freely, and about all the other things he could do + + Page 60 + + + + + The Official Phreaker's Manual + +with the phones. + +The next day the phone-company security agents slapped a monitoring tape on +Joe's line, which eventually picked up an illegal call. Then they applied for +the search warrant and broke in. + +In court Joe pleaded not guilty to possession of a blue box and theft of +service. A sympathetic judge reduced the charges to malicious mischief and +found him guilty on that count, sentenced him to two thirty-day sentences to be +served concurrently and then suspended the sentence on condition that Joe +promise never to play with phones again. Joe promised, but the phone company +refused to restore his service. For two weeks after the trial Joe could not be +reached except through the pay phone at his apartment house, and the landlord +screened all calls for him. + +Phone-phreak Carl managed to get through to Joe after the trial, and reported +that Joe sounded crushed by the whole affair. + +"What I'm worried about," Carl told me, "is that Joe means it this time. The +promise. That he'll never phone-phreak again. That's what he told me, that +he's given up phone-phreaking for good. I mean his entire life. He says he +knows they're going to be watching him so closely for the rest of his life +he'll never be able to make a move without going straight to jail. He sounded +very broken up by the whole experience of being in jail. It was awful to hear +him talk that way. I don't know. I hope maybe he had to sound that way. Over +the phone, you know." + +He reports that the entire phone-phreak underground is up in arms over the +phone company's treatment of Joe. "All the while Joe had his hopes pinned on +his application for a phone-company job, they were stringing him along getting +ready to bust him. That gets me mad. Joe spent most of his time helping them +out. The bastards. They think they can use him as an example. All of sudden +they're harassing us on the coast. Agents are jumping up on our lines. They +just busted ------'s mute yesterday and ripped out his lines. But no matter +what Joe does, I don't think we're going to take this lying down." + +Two weeks later my phone rings and about eight phone phreaks in succession say +hello from about eight different places in the country, among them Carl, Ed, +and Captain Crunch. A nationwide phone-phreak conference line has been +reestablished through a switching machine in --------, with the cooperation of +a disgruntled switchman. + +"We have a special guest with us today," Carl tells me. + +The next voice I hear is Joe's. He reports happily that he has just moved to a +place called Millington, Tennessee, fifteen miles outside of Memphis, where he +has been hired as a telephone-set repairman by a small independent phone +company. Someday he hopes to be an equipment troubleshooter. + +"It's the kind of job I dreamed about. They found out about me from the +publicity surrounding the trial. Maybe Ma Bell did me a favor busting me. +I'll have telephones in my hands all day long." + +"You know the expression, 'Don't get mad, get even'?" phone-phreak Carl asked +me. "Well, I think they're going to be very sorry about what they did to Joe +and what they're trying to do to us." + ++-- End fourth file of four --+ + + Page 61 + + + + + The Official Phreaker's Manual + + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + $ $ + $ THE HISTORY OF ESS $ + $ --- ------- -- --- $ + $ $ + $ $ + $ Another original phile by: $ + $ $ + $ $ + $$$$$$$$$$$$-=>Lex Luthor<=-$$$$$$$$$$$ + $ $ + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + + + Of all the new 1960s wonders of telephone technology - satellites, ultra +modern Traffic Service Positions (TSPS) for operators, the picturephone, and so +on - the one that gave Bell Labs the most trouble, and unexpectedly became the +greatest development effort in Bell System's history, was the perfection of an +electronic switching system, or ESS. + + It may be recalled that such a system was the specific end in view when the +project that had culminated in the invention of the transistor had been +launched back in the 1930s. After successful accomplishment of that planned +miracle in 1947-48, further delays were brought about by financial stringency +and the need for further development of the transistor itself. In the early +1950s, a Labs team began serious work on electronic switching. As early as +1955, Western Electric became involved when five engineers from the Hawthorne +works were assigned to collaborate with the Labs on the project. The president +of AT&T in 1956, wrote confidently, "At Bell Labs, development of the new +electronic switching system is going full speed ahead. We are sure this will +lead to many improvements in service and also to greater efficiency. The first +service trial will start in Morris, Ill., in 1959." Shortly thereafter, Kappel +said that the cost of the whole project would probably be $45 million. + + But it gradually became apparent that the development of a commercially +usable electronic switching system -in effect, a computerized telephone +exchange - presented vastly greater technical problems than had been +anticipated, and that, accordingly, Bell Labs had vastly underestimated both +the time and the investment needed to do the job. The year 1959 passed without +the promised first trial at Morris, Illinois; it was finally made in November +1960, and quickly showed how much more work remained to be done. As time +dragged on and costs mounted, there was a concern at AT&T and some-thing +approaching panic at Bell Labs. But the project had to go forward; by this +time the investment was too great to be sacrificed, and in any case, forward +projections of increased demand for telephone service indicated that within a +phew years a time would come when, without the quantum leap in speed and +flexibility that electronic switching would provide, the national network would +be unable to meet the demand. In November 1963, an all-electronic switching +system went into use at the Brown Engineering Company at Cocoa Beach, Florida. +But this was a small installation, essentially another test installation, +serving only a single company. Kappel's tone on the subject in the 1964 annual +report was, for him, an almost apologetic: "Electronic switching equipment must +be manufactured in volume to unprecedented standards of reliability.... To turn +out the equipment economically and with good speed, mass production methods +must be developed; but, at the same time, there can be no loss of precision..." +Another year and millions of dollars later, on May 30, 1965, the first +commercial electric central office was put into service at Succasunna, New +Jersey. + + Page 62 + + + + + The Official Phreaker's Manual + + + Even at Succasunna, only 200 of the town's 4,300 subscribers initially had +the benefit of electronic switching's added speed and additional services, such +as provision for three party conversations and automatic transfer of incoming +calls. But after that, ESS was on its way. In January 1966, the second +commercial installation, this one serving 2,900 telephones, went into service +in Chase, Maryland. By the end of 1967 there were additional ESS offices in +California, Connecticut, Minnesota, Georgia, New York, Florida, and +Pennsylvania; by the end of 1970 there were 120 offices serving 1.8 million +customers; and by 1974 there were 475 offices serving 5.6 million customers. + + The difference between conventional switching and electronic switching is +the difference between "hardware" and "software"; in the former case, +maintenance is done on the spot, with screwdriver and pliers, while in the case +of electronic switching, it can be done remotely, by computer, from a central +point, making it possible to have only one or two technicians on duty at a time +at each switching center. + + The development program, when the final figures were added up, was found to +have required a staggering four thousand man-years of work at Bell Labs and to +have cost not $45 million but $500 million! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 63 + + + + + The Official Phreaker's Manual + + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + $ $ + $ THE HISTORY OF BRITISH PHREAKING $ + $ -=- -=-=-=- -- -=-=-=- -=-=-=-=- $ + $ $ + $ THE SECOND IN A SERIES OF $ + $ THE HISTORY OF.....PHILES $ + $ $ + $ WRITTEN AND UPLOADED BY: $ + $ $ + $$$$$$$$$$$$-=>LEX LUTHOR<=-$$$$$$$$$$$ + $ AND $ + $ THE LEGION OF DOOM! $ + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + + NOTE: THE BRITISH POST OFFICE, IS THE U.S. EQUIVALENT OF MA BELL. + + IN BRITAIN, PHREAKING GOES BACK TO THE EARLY FIFTIES, WHEN THE TECHNIQUE OF +'TOLL A DROP BACK' WAS DISCOVERED. TOLL A WAS AN EXCHANGE NEAR ST. PAULS +WHICH ROUTED CALLS BETWEEN LONDON AND NEARBY NON-LONDON EXCHANGES. THE TRICK +WAS TO DIAL AN UNALLOCATED NUMBER, AND THEN DEPRESS THE RECEIVER-REST FOR 1/2 +SECOND. THIS FLASHING INITIATED THE 'CLEAR FORWARD' SIGNAL, LEAVING THE CALLER +WITH AN OPEN LINE INTO THE TOLL A EXCHANGE.THE COULD THEN DIAL 018, WHICH +FORWARDED HIM TO THE TRUNK EXCHANGE AT THAT TIME, THE FIRST LONG DISTANCE +EXCHANGE IN BRITAIN AND FOLLOW IT WITH THE CODE FOR THE DISTANT EXCHANGE TO +WHICH HE WOULD BE CONNECTED AT NO EXTRA CHARGE. + + THE SIGNALS NEEDED TO CONTROL THE UK NETWORK TODAY WERE PUBLISHED IN THE +"INSTITUTION OF POST OFFICE ENGINEERS JOURNAL" AND REPRINTED IN THE SUNDAY +TIMES (15 OCT. 1972). + + THE SIGNALLING SYSTEM THEY USE: SIGNALLING SYSTEM NO. 3 USES PAIRS OF +FREQUENCIES SELECTED FROM 6 TONES SEPARATED BY 120HZ. WITH THAT INFO, THE +PHREAKS MADE "BLEEPERS" OR AS THEY ARE CALLED HERE IN THE U.S. "BLUE BOX", BUT +THEY DO UTILIZE DIFFERENT MF TONES THEN THE U.S., THUS, YOUR U.S. BLUE BOX +THAT YOU SMUGGLED INTO THE UK WILL NOT WORK, UNLESS YOU CHANGE THE +FREQUENCIES. + + IN THE EARLY SEVENTIES, A SIMPLER SYSTEM BASED ON DIFFERENT NUMBERS OF PULSES +WITH THE SAME FREQUENCY (2280HZ) WAS USED. FOR MORE INFO ON THAT, TRY TO GET A +HOLD OF: ATKINSON'S "TELEPHONY AND SYSTEMS TECHNOLOGY". + + IN THE EARLY DAYS OF BRITISH PHREAKING, THE CAMBRIDGE UNIVERSITY TITAN +COMPUTER WAS USED TO RECORD AND CIRCULATE NUMBERS FOUND BY THE EXHAUSTIVE +DIALING OF LOCAL NETWORKS. THESE NUMBERS WERE USED TO CREATE A CHAIN OF LINKS +FROM LOCAL EXCHANGE TO LOCAL EXCHANGE ACROSS THE COUNTRY, BYPASSING THE TRUNK +CIRCUITS. BECAUSE THE INTERNAL ROUTING CODES IN THE UK NETWORK ARE NOT THE +SAME AS THOSE DIALED BY THE CALLER, THE PHREAKS HAD TO DISCOVER THEM BY 'PROBE +AND LISTEN' TECHNIQUES OR MORE COMMONLY KNOWN IN THE U.S.-- SCANNING. WHAT +THEY DID WAS PUT IN LIKELY SIGNALS AND LISTENED TO FIND OUT IF THEY SUCCEEDED. +THE RESULTS OF SCANNING WERE CIRCULATED TO OTHER PHREAKS. DISCOVERING EACH +OTHER TOOK TIME AT FIRST, BUT EVENTUALLY THE PHREAKS BECAME ORGANIZED. THE +"TAP" OF BRITAIN WAS CALLED "UNDERCURRENTS" WHICH ENABLED BRITISH PHREAKS TO +SHARE THE INFO ON NEW NUMBERS, EQUIPMENT ETC. + + TO UNDERSTAND WHAT THE BRITISH BRITISH PHREAKS DID, THINK OF THE PHONE +NETWORK IN THREE LAYERS OF LINES: LOCAL, TRUNK, AND INTERNATIONAL.#IN THE UK, +SUBSCRIBER TRUNK DIALING (STD), IS THE MECHANISM WHICH TAKES A CALL FROM THE + + Page 64 + + + + + The Official Phreaker's Manual + +LOCAL LINES AND (LEGITIMATELY) ELEVATES IT TO A TRUNK OR INTERNATIONAL +LEVEL.#THE UK PHREAKS FIGURED THAT A CALL AT TRUNK LEVEL CAN BE ROUTED THROUGH +ANY NUMBER OF EXCHANGES, PROVIDED THAT THE RIGHT ROUTING CODES WERE FOUND AND +USED CORRECTLY. THEY ALSO HAD TO DISCOVER HOW TO GET FROM LOCAL TO TRUNK LEVEL +EITHER WITHOUT BEING CHARGED (WHICH THEY DID WITH A BLEEPER BOX) OR WITHOUT +USING (STD). CHAINING HAS ALREADY BEEN MENTIONED BUT IT REQUIRES LONG STRINGS +OF DIGITS AND SPEECH GETS MORE AND MORE FAINT AS THE CHAIN GROWS, JUST LIKE IT +DOES WHEN YOU STACK TRUNKS BACK AND FORTH ACROSS THE U.S.#THE WAY THE SECURITY +REPS SNAGGED THE PHREAKS WAS TO PUT A SIMPLE 'PRINTERMETER' OR AS WE CALL IT: +A PEN REGISTER ON THE SUSPECTS LINE, WHICH SHOWS EVERY DIGIT DIALED FROM THE +SUBSCRIBERS LINE. + + THE BRITISH PREFER TO GET ONTO THE TRUNKS RATHER THAN CHAINING. ONE WAY WAS +TO DISCOVER WHERE LOCAL CALLS USE THE TRUNKS BETWEEN NEIGHBORING EXCHANGES, +START A CALL AND STAY ON THE TRUNK INSTEAD OF RETURNING TO THE LOCAL LEVEL ON +REACHING THE DISTANT SWITCH. THIS AGAIN REQUIRED EXHAUSTIVE DIALING AND MADE +MORE WORK FOR TITAN; IT ALSO REVEALED 'FIDDLES', WHICH WERE INSERTED BY POST +OFFICE ENGINEERS. + + WHAT FIDDLING MEANS IS THAT THE ENGINEERS REWIRED THE EXCHANGES FOR THEIR OWN +BENEFIT. THE EQUIPMENT IS MODIFIED TO GIVE ACCESS TO A TRUNK WITH OUT BEING +CHARGED, AN OPERATION WHICH IS PRETTY EASY IN STEP BY STEP (SXS) +ELECTROMECHANICAL EXCHANGES, WHICH WERE INSTALLED IN BRITAIN EVEN IN THE 1970S +(NOTE: I KNOW OF A BACK DOOR INTO THE CANADIAN SYSTEM ON A 4A CO., SO IF YOU +ARE ON SXS OR A 4A, TRY SCANNING 3 DIGIT EXCHANGES, IE: DIAL 999,998,997 +ETC.#AND LISTEN FOR THE BEEP-KERCHINK, IF THERE ARE NO 3 DIGIT CODES WHICH +ALLOW DIRECT ACCESS TO A TANDEM IN YOUR LOCAL EXCHANGE AND BYPASSES THE AMA SO +YOU WON'T BE BILLED, NOT HAVE TO BLAST 2600 EVERY TIME YOU WISH TO BOX A CALL. + + A FAMOUS BRITISH 'FIDDLER' REVEALED IN THE EARLY 1970S WORKED BY DIALING 173. +THE CALLER THEN ADDED THE TRUNK CODE OF 1 AND THE SUBSCRIBERS LOCAL NUMBER. AT +THAT TIME, MOST ENGINEERING TEST SERVICES BEGAN WITH 17X, SO THE ENGINEERS +COULD HIDE THEIR FIDDLES IN THE NEST OF SERVICE WIRES. WHEN SECURITY REPS +STARTED SEARCHING, THE FIDDLES WERE CONCEALED BY TONES SIGNALLING: 'NUMBER +UNOBTAINALBE' OR 'EQUIPMENT ENGAGED' WHICH SWITCHED OFF AFTER A DELAY. THE +NECESSARY RELAYS ARE SMALL AND EASILY HIDDEN. + + THERE WAS ANOTHER SIDE TO PHREAKING IN THE UK IN THE SIXTIES. BEFORE STD WAS +WIDESPREAD, MANY 'ORDINARY' PEOPLE WERE DRIVEN TO. + +OCCASIONAL PHREAKING FROM SHEER FRUSTRATION AT THE INEFFICIENT OPERATOR +CONTROLLED TRUNK SYSTEM. THIS CAME TO A HEAD DURING A STRIKE ABOUT 1961 WHEN +OPERATORS COULD NOT BE REACHED. NOTHING COMPLICATED WAS NEEDED. MANY +OPERATORS HAD BEEN IN THE HABIT OF REPEATING THE CODES AS THEY DIALLED THE +REQUESTED NUMBERS SO PEOPLE SOON LEARNT THE NUMBERS THEY CALLED FREQUENTLY. +THE ONLY 'TRICK' WAS TO KNOW WHICH EXCHANGES COULD BE DIALLED THROUGH TO PASS +ON THE TRUNK NUMBER.CALLERS ALSO NEEDED A PRETTY QUIET PLACE TO DO IT, SINCE +TIMING RELATIVE TO CLICKS WAS IMPORTANT THE MOST FAMOUS TRIAL OF BRITISH +PHREAKS WAS CALLED THE OLD BAILY TRIAL.#WHICH STARTED ON 3 OCT. 1973.#WHAT +THEY PHREAKS DID WAS TO DIAL A SPARE NUMBER AT A LOCAL CALL RATE BUT INVOLVING +A TRUNK TO ANOTHER EXCHANGE THEN THEY SEND A 'CLEAR FORWARD' TO THEIR LOCAL +EXCHANGE, INDICATING TO IT THAT THE CALL IS FINISHED;BUT THE DISTANT EXCHANGE +DOESN'T REALIZE BECAUSE THE CALLER'S PHONE IS STILL OFF THE HOOK. THEY NOW +HAVE AN OPEN LINE INTO THE DISTANT TRUNK EXCHANGE AND SENDS TO IT A 'SEIZE' +SIGNAL: '1' WHICH PUTS HIM ONTO ITS OUTGOING LINES NOW, IF THEY KNOW THE +CODES, THE WORLD IS OPEN TO THEM. ALL OTHER EXCHANGES TRUST HIS LOCAL EXCHANGE +TO HANDLE THE BILLING; THEY JUST INTERPRET THE TONES THEY HEAR. MEAN WHILE, +THE LOCAL EXCHANGE COLLECTS ONLY FOR A LOCAL CALL. THE INVESTIGATORS + + Page 65 + + + + + The Official Phreaker's Manual + +DISCOVERED THE PHREAKS HOLDING A CONFERENCE SOMEWHERE IN ENGLAND SURROUNDED BY +VARIOUS PHONE EQUIPMENT AND BLEEPER BOXES, ALSO PRINTOUTS LISTING 'SECRET' POST +OFFICE CODES. (THEY PROBABLY GOT THEM FROM TRASHING?) THE JUDGE SAID: "SOME +TAKE TO HEROIN, SOME TAKE TO TELEPHONES" FOR THEM PHONE PHREAKING WAS NOT A +CRIME BUT A HOBBY TO BE SHARED WITH PHELLOW ENTHUSIASTS AND DISCUSSED WITH THE +POST OFFICE OPENLY OVER DINNER AND BY MAIL. THEIR APPROACH AND ATTITUDE TO THE +WORLDS LARGEST COMPUTER, THE GLOBAL TELEPHONE SYSTEM, WAS THAT OF SCIENTISTS +CONDUCTING EXPERIMENTS OR PROGRAMMERS AND ENGINEERS TESTING PROGRAMS AND +SYSTEMS. THE JUDGE APPEARED TO AGREE, AND EVEN ASKED THEM FOR PHREAKING CODES +TO USE FROM HIS LOCAL EXCHANGE!!! + +# $-THE END-$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 66 + + + + + The Official Phreaker's Manual + + Bad as Shit + + Recently, a telephone fanatic in the northwest made an interesting +discovery. He was exploring the 804 area code (Virginia) and found out that +the 840 exchange did something strange. + In the vast majority of cases, in fact in all of the cases except one, he +would get a recording as if the exchange didn't exist. However, if he dialed +804-840 and four rather predictable numbers, he got a ring! + + After one or two rings, somebody picked up. Being experienced at this kind +of thing, he could tell that the call didn't "supe", that is, no charges were +being incurred for calling this number. + (Calls that get you to an error message, or a special operator, generally +don't supervise.) A female voice, with a hint of a Southern accent said, +"Operator, can I help you?" + + "Yes," he said, "What number have I reached?" + + "What number did you dial, sir?" + + He made up a number that was similar. + + "I'm sorry that is not the number you reached." Click. + + He was fascinated. What in the world was this? He knew he was going to +call back, but before he did, he tried some more experiments. He tried the 840 +exchange in several other area codes. In some, it came up as a valid exchange. +In others, exactly the same thing happened -- the same last four digits, the +same Southern belle. Oddly enough, he later noticed, the areas worked in +seemed to travel in a beeline from Washington DC to Pittsburgh, PA. + + He called back from a payphone. "Operator, can I help you?" + + "Yes, this is the phone company. I'm testing this line and we don't seem to +have an identification on your circuit. What office is this, please?" + + "What number are you trying to reach?" + + "I'm not trying to reach any number. I'm trying to identify this circuit." + + "I'm sorry, I can't help you." + + "Ma'am, if I don't get an ID on this line, I'll have to disconnect it. We +show no record of it here." + + "Hold on a moment, sir." + + After about a minute, she came back. "Sir, I can have someone speak to you. +Would you give me your number, please?" + + He had anticipated this and he had the payphone number ready. After he gave +it, she said, "Mr. XXX will get right back to you." + + "Thanks." He hung up the phone. It rang. INSTANTLY! "Oh my God," he +thought, "They weren't asking for my number -- they were confirming it!" + + "Hello," he said, trying to sound authoritative. + + + Page 67 + + + + + The Official Phreaker's Manual + + "This is Mr. XXX. Did you just make an inquiry to my office concerning a +phone number?" + + "Yes. I need an identi--" + + "What you need is advice. Don't ever call that number again. Forget you +ever knew it." + + At this point our friend got so nervous he just hung up. He expected to +hear the phone ring again but it didn't. + + Over the next few days he racked his brains trying to figure out what the +number was. He knew it was something big -- that was pretty certain at this +point. It was so big that the number was programmed into every central office +in the country. He knew this because if he tried to dial any other number in +that exchange, he'd get a local error message from his CO, as if the exchange +didn't exist. + + It finally came to him. He had an uncle who worked in a federal agency. He +had a feeling that this was government related and if it was, his uncle could +probably find out what it was. He asked the next day and his uncle promised to +look into the matter. + + The next time he saw his uncle, he noticed a big change in his manner. He +was trembling. "Where did you get that number?!" he shouted. "Do you know I +almost got fired for asking about it?!? They kept wanting to know where I got +it." + + Our friend couldn't contain his excitement. "What is it?" he pleaded. +"What's the number?!" + +"IT'S THE PRESIDENT'S BOMB SHELTER!" + + He never called the number after that. He knew that he could probably cause +quite a bit of excitement by calling the number and saying something like, "The +weather's not good in Washington. We're coming over for a visit." But our +friend was smart. he knew that there were some things that were better off +unsaid and undone. <> + + + + + + + + + + + + + + + + + + + + + + Page 68 + + + + + The Official Phreaker's Manual + + Chapter 3 + + This chapter is really just a bunch of FACS (pun intended). Here is where +random facts that really have something to do with everything else but nothing +to do with anything else, are presented. They cover various topics such as: +Conferencing, Tracing, Pen registers, Calling cards, and some basic FMF (Fool +the Mother Fuckers). The aspects covered here are very brief and could easily +be covered much more thoroughly, but it is no problem since they are not very +important topics. Something that would make a very nice gift is covered in the +article AT&T forgery. Just make up stationary with AT&T letter head and give +it as a present to your phriends who would appreciate it. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 69 + + + + + The Official Phreaker's Manual + + Phreaking COSMOS + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + COSMOS is Bell's computer for handling information on customer lines, +special services on lines, and orders to change line equipment, disconnect +lines, etc. COSMOS stands for Computerized System for Mainframe Operations. It +is based on the UNIX operating system and, depending upon the COSMOS and upon +your access, has some, many, or no UNIX standard commands. COSMOS is powerful, +but there is no reason to be afraid of it. This article will give some of the +basic, pertinent info on how users get in, account format, and a few other +goodies. + + Password Identification + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + To get onto COSMOS you need a dialup, account, password, and wire center +(WC). Wire centers are two letter codes that tell what section of the COSMOS +you are in. There are different WC's f or different areas and groups of +exchanges. Examples are PB, SR, LK, et c. Sometimes there are accounts that +have no password; obviously such accounts are the easiest to hack. + + Checking It Out + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + Let's suppose you have a COSMOS number which you obtained one way or +another. The first thing to do would be to make sure it is really a COSMOS +system, not some other Bell or AT&T computer. To do this, you would call it +and connect your modem,, then hit some returns until you got a response. It +should say: + + ';LOGIN:' or 'NAME:'. + If you enter some garbage it should say: +'PASSWORD:'. + If you hit a return and it says 'WC?', it is a COSMOS system. If it says +something like 'TA%' then you're in business. If it doesn't do any of the +above, then it is either some other kind of system, or, if you're not getting +anything at all, the dialup has probably gone bad. + + Getting In + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + COSMOS has certain accounts that are usually on the system, one of which +might not have a password. They consist of ROOT (most powerful and almost +always on the system), SYS (second most powerful, still many privileges), BIN +(a little less power), PREOP (a little less), and COSMOS (hardly any +privileges, like a normal user). The way to tell if they have passwords is by +entering accounts at the ';LOGIN:' or ' NAME:' prompt, and if it jumps straight +to 'WC?', all you need is a WC to get in. But suppose all of the accounts have +passwords? You have two choices. You can try to hack the password and WC to +one of the above accounts. I won't deal with this method, as is +self-explanatory. Or you can do something I find much easier...call the +COSMOS during business hours and hope that someone forgot to log off. Keep +calling until when you connect and hit return until you get a 'WC%' prompt. +'WC' is the WC that the account you found is currently in. You are now in! + + What to Do while on-line + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + + Page 70 + + + + + The Official Phreaker's Manual + + The first thing you want to do is write down the WC you are in. Only on our +first login it is a good idea to print everything or dump everything to a +buffer. + + Commands + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +'WCFLDS'(!) : Should list all WC's. +'WHO' : Should print everyone currently logged on the system, giving +some accounts. +'TTY' : Tells what terminal port you are on. +'WHERE' : Should tell the location of the COSMOS installation. +'WHAT' : Tells what version of COSNIX, COSMOS's operating system, it +is. +'LS *' : Prints all the files you have access to. +'CD /dir' : Connects you to the directory '/dir'. +'CAT filename ' : Prints the file 'filename'. +'Q' : Quits the editor. +CTRL- Y. : Logs off +'TAT' : Sometimes prints a little help file. +'ISH' : Check someone's telefone #, type 'ISH' at the COSMOS 'WC%' +prompt. Then type. +'HTN XXX-XXXX' : (Hunt Telephone Number) to tell you about the local number +you are interested in. + +'CAT /ETC/PASSWD': Prints out the password file, if you have access. The +passwords are almost always encrypted, but you get a list of all the accounts. +If you are lucky, one of the lines will have two colons after the account name. +This means there is no prompt from the ';LOGIN:' or 'NAME:' prompts when you +enter that account. + +To run a file just type the name followed by a return. + + When the system gives you a '-', you type a '.', and it will type all kinds +of info on the phone number you entered (in Bell abbreviations, of course). If +it is not a good exchange, it will say something to that effect. You type a +period to end the ISH. + If you wish to learn more information about COSMOS, find yourself a COSMOS +manual or look at future issues of 2600. A UNIX manual would also be helpful +for standard UNIX commands. + + + + + + + + + + + + + + + + + + + + + Page 71 + + + + + The Official Phreaker's Manual + + FACS FACTS + A LOOK AT THE NEW FACS SYSTEMS + BY SHARP RAZOR + + + BELL ATLANTIC (AND PROBABLY THE REST OF THE U.S. SOON ENOUGH) IS REVAMPING +COSMOS. THE PROJECT IS CALLED FACS (FACILITATED ASSIGNMENT AND CONTROL +SYSTEM).FACS IS COMPOSED OF 5 MODULES WHICH ARE DESIGNED TO FUNCTION AS A +UNIFIED SYSTEM. THE PREMIS AND THE COSMOS SYSTEMS CAN FUNCTION AS ST AND-ALONE +SYSTEMS.THE FIVE PARTS OF FACS ARE PREMIS,SOAC, LFACS,COSMOS,AND THE WM. + + THE PREMIS (PREMISES INFORMATION SYSTEM) SUPPORTS BOTH RESIDENCE AND +BUSINESS ACCOUNTS. PREMIS IS USED FOR VARIOUS INQUIRIES FOR THE STREET ADDRESS +GUIDE(SAG),IE::PHONE NUMBERS,BILLING CHARGES,CREDIT,ETC. + + THE SECOND PART OF FACS IS THE SOAC(SERVICE ORDER ANALYSIS AND CONTROL). +THIS IS PRIMARILY USED TO INPUT SERVICE ORDER DATA INTO FACS, AND TO GET THE +APPROPRIATE OUTPUT. SOAC INTERPRETS, VALIDATES,AND DECOMPOSES ALL INPUTED DATA +AND SENDS THE INFO TO THE COSMOS AND THE LFACS SYSTEMS. + + THE THIRD PART OF THE SYSTEM IS LFACS(LOOP FACILITIES AND CONTROL SYSTEM). +THIS IS THE COMPONENT OF FACS THAT IS RESPONSIBLE FOR MAINTAINING THE +INVENTORY,DOING THE ASSIGNMENTS, ADMINISTRATING INQUIRIES AND REPORTS, AND IS +THE INVENTORY TRANSFORMATION CENTER. THIS PART OF FACS WILL BE MOSTLY USED FOR +AIDING THE AT&T LINEMEN. + + THE COSMOS SYSTEM(COMPUTER SYSTEM FOR MAINFRAME OPERATIONS) COMPRISES THE +FOURTH PART OF THE FACS SYSTEM. COSMOS IS THE COMPONENT OF FACS THAT IS +RESPONSIBLE FOR MAINTAINING THE MECHANIZED INVENTORY OF MDF FACILITIES,STORING +CUSTOM CALL FEATURES(IE:SPEED DIALING NUMBERS),AND OTHER MISC. INFO. + + THE FIFTH AND LAST PIECE OF THE FACS SYSTEM IS THE WORK MANAGER (WM). HIS +COMPONENT SERVES AS THE FRONT-END PROCESSOR FOR COSMOS. IT ENABLES A NUMBER OF +COSMOS COMPUTERS TO RELIABLY COMMUNICATE WITH THE OTHER FACS COMPONENTS. WM +SERVES AS THE MESSAGES SWITCHING SYSTEM FOR THE FACS PIECES, AND GENERALLY IS +THE "MESSENGER AND STABILIZER" OF THE SYSTEM. + + THE HARDWARE THAT WILL RUN THIS FACS SYSTEM IS: + COSMOS: 22-WECO. 3B-20S MINI COMPS. + WM: 6-WECO. 3B-20S MINI COMPS. + SOAC-LFACS-PREMIS: TWO SPERRY UNIVAC 1100/92 MAINFRAMES. + BANCS 2 THP CYBER 1000 PROCESSORS. + + THE FACS SYSTEM IS STARTING UP AT THIS VERY MOMENT. THIS IS BASICALLY A +BROAD VIEW OF THE FACS SYSTEM. AT&T SEEMS TO THINK THAT FACS WILL BE MORE +EFFICIENT,SAVE THEM MONEY IN THE LONG RUN, AND SAVE THEM WORKERS(HERE COME SOME +MASSIVE LAYOFFS!) WHAT THIS MEANS TO PHREAKERS AND HACKERS IS THAT YOU WILL NOW +HAVE AT LEAST FIVE DIAL-UPS IN AN AREA CODE WITH WHICH YOU CAN PHUCK WITH +AT&T! + + ..LATER.. + ..SHARP RAZOR>> + THE LEGION OF DOOM! +(NOTE: THE FACS SYSTEM HAS RECENTLY BEEN PUT INTO OPERATION(SUMMER 84) IN +ST.LOUIS MISSOURI) + + + + + Page 72 + + + + + The Official Phreaker's Manual + + Telenet + + It seems that not many of you know that Telenet is connected to about 80 +computer-networks in the world. No, I don't mean 80 nodes, but 80 networks with +thousands of unprotected computers. When you call your local Telenet- gateway, +you can only call those computers which accept reverse-charging- calls. + If you want to call computers in foreign countries or computers in USA which +do not accept R-calls, you need a Telenet-ID. Did you ever notice that you can +type ID XXXX when being connected to Telenet? You are then asked for the +password. If you have such a NUI (Network-User-ID) you can call nearly every +host connected to any computer-network in the world. Here are some examples: + +026245400090184 :Is a VAX in Germany (Username: DATEXP and leave mail for +CHRIS !!!) +0311050500061 :Is the Los Alamos Integrated computing network (One of the +hosts connected to it is the DNA (Defense Nuclear Agency)!!!) +0530197000016 :Is a BBS in New Zealand +024050256 :Is the S-E-Bank in Stockholm, Sweden (Login as GAMES !!!) +02284681140541 :CERN in Geneva in Switzerland (one of the biggest nuclear +research centers in the world) Login as GUEST +0234212301161 :A Videotex-standard system. Type OPTEL to get in and use the +ID 999_ with the password 9_ +0242211000001 :University of Oslo in Norway (Type LOGIN 17,17 to play the +Multi-User-Dungeon !) +0425130000215 :Something like ITT Dialcom, but this one is in Israel ! ID +HELP with password HELP works fine with security level 3 +0310600584401 :Is the Washington Post News Service via Tymnet (Yes, Tymnet is +connected to Telenet, too !) ID and Password is: PETER You can read the news +of the next day ! + +The prefixes are as follows: +02624 is Datex-P in Germany +02342 is PSS in England +03110 is Telenet in USA +03106 is Tymnet in USA +02405 is Telepak in Sweden +04251 is Isranet in Israel +02080 is Transpac in France +02284 is Telepac in Switzerland +02724 is Eirpac in Ireland +02704 is Luxpac in Luxembourg +05252 is Telepac in Singapore +04408 is Venus-P in Japan +...and so on... Some of the countries have more than one +packet-switching-network (USA has 11, Canada has 3, etc). + +OK. That should be enough for the moment. As you see most of the passwords are +very simple. This is because they must not have any fear of hackers. Only a few +German hackers use these networks. Most of the computers are absolutely easy to +hack !!! So, try to find out some Telenet-ID's and leave them here. If you need +more numbers, leave e-mail. +I'm calling from Germany via the German Datex-P network, which is similar to +Telenet. We have a lot of those NUI's for the German network, but none for a +special Tymnet-outdial-computer in USA, which connects me to any phone #. + +CUL8R, Mad Max + +PS: Call 026245621040000 and type ID INF300 with password DATACOM to get more + + Page 73 + + + + + The Official Phreaker's Manual + +Informations on packet-switching-networks ! + +PS2: The new password for the Washington Post is KING !!!! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 74 + + + + + The Official Phreaker's Manual + + Phreaking AT&T Cards + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + My topic will deal with using an AT&T calling card for automated calls. Ok +to place a call with an AT&T card, lift the handset (PAY PHONE) hit (0) and the +desired area code and the number to call. Also when calling the same number +that the card is being billed to you enter the phone number and at the tone +only enter the last four digits on the card. But we don't want to do that now, +do we. If additional calls are wanted all you do is hit the (#) and you will +get a new dial tone! After you hit (#) you do not have to re-enter the calling +card number simply enter your desired number and it will connect you. + If the number you called is busy just keep hitting (#) and the number to be +called until you connect! Ok to calL the U.S. of a from another country, you +use the exact same format as described above! + Ok now I will describe the procedure for placing calls to a foreign +country, such as CANADA,RUSSIA,SOUTH AMERICA, etc.. Ok first lift the handset +then enter (01) + the country code + the city code + the local telephone +number. Ok after you get the tone enter the AT&T calling card number. Ok if you +can not dial operator assisted calls from your area don't worry just jingle the +operator and she will handle your call, don't worry she can't see you! + The international number on the AT&T calling card is used for calling the +US of A from places like RUSSIA, CHINA you never know when you might get stuck +in a country like those and you have no money to make a call! The international +operator will be able to tell you if they honor the AT&T calling card. + Well I hope that this has straightened out some of your problems on the use +of an AT&T calling card! All you have to remember is that weather you are +placing the call or the operator, be careful and never use the calling card +from your home phone!! That is a BIG NO NO.. + + Also AT&T has came out with a new thing called (NEW CARD CALLER SERVICE) +they say that it was designed to meet the public's needs! These phones will be +popping up in many place such as airport terminals, hotels, etc... What the new +card caller service is, is a new type of phone that has a (CRT) screen that +will talk to you in a language of your choice. The service works something +like this, when you find a (NEW CARD CALLER PHONE), all you do is follow the +instructions on the (CRT) screen, then you insert the (NEW CARD CALLER CARD) +and there is a strip of magnetic tape on the card which reads the number, thus +no one can hear you saying your number or if there were a bug in the phone,no +touch tones will be heard!! You can also bill the call to a third party. that +is one that I am not totally clear on yet! The phone is supposed to tell you +how it can be done. That is after you have inserted your card and lifted the +receiver! + + + + + + + + + + + + + + + + + + Page 75 + + + + + The Official Phreaker's Manual + + :%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%: + :% %: + :% AT&T FORGERY %: + :% Written by The Blue Buccaneer %: + :% %: + :% CALL THE EVERLASTING SPEED DEMON BBS AT (415) 522-3074 %: + :% Uploaded by Elric of Imrryr of Lunatic Labs UnLtd %: + :%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%: + + +Here is a very simple way to either: + +[1] Play an incredibly cruel and realistic joke on a phreaking friend. + -OR- +[2] Provide yourself with everything you ever wanted to be an AT&T person. + + All you need to do is get your hands on some AT&T paper and/or business +cards. To do this you can either go down to your local business office and +swipe a few or call up somewhere like WATTS INFORMATION and ask them to send +you their information package. They will send you: +1. A nice letter (with the AT&T logo letterhead) saying "Here is the info." +2. A business card (again with AT&T) saying who the sales representative is. +3. A very nice color booklet telling you all about WATTS lines. +4. Various billing information. (Discard as it is very worthless) + + Now take the piece of AT&T paper and the AT&T business card down to your +local print/copy shop. Tell them to run you off several copies of each, but to +leave out whatever else is printed on the business card/letter. If they refuse +or ask why, take your precious business elsewhere. +(This should only cost you around $2.00 total) + + Now take the copies home and either with your typewriter, MAC, or Fontrix, +add whatever name, address, telephone number, etc. you like. (I would recommend +just changing the name on the card and using whatever information was on there +earlier) + + And there you have official AT&T letters and business cards. As mentioned +earlier, you can use them in several ways. Mail a nice letter to someone you +hate (on AT&T paper..hehehe) saying that AT&T is onto them or something like +that. (Be sure to use correct English and spelling) (Also do not hand write +the letter! Use a typewriter! - Not Fontrix as AT&T doesn't use OLD ENGLISH or +ASCII BOLD when they type letters. Any IBM typewriter will do perfectly) + + Another possible use (of many, I guess) is (if you are old enough to look +the part) to use the business card as some sort of fake id. + + The last example of uses for the fake AT&T letters & b.cards is mentioned in +my textfile, BASIC RADIO CALLING. Briefly, send the station a letter that +reads: + WCAT - FM202: (Like my examples? Haha!) +(As you probably know, radio stations give away things by accepting the 'x' +call. (ie: The tenth caller through wins a pair of Van Halen tickets) Sometimes +they may ask a trivia question, but that's your problem. Anyway, the letter +continues:) + (You basically say that they have become so popular that they are getting too +many calls at once from listeners trying to win tickets. By asking them to +call all at the same time is overloading our systems. We do, of course, have +means of handling these sort of matters, but it would require you sending us a + + Page 76 + + + + + The Official Phreaker's Manual + +schedule of when you will be asking your listeners to call in. That way we +would be able to set our systems to handle the amount of callers you get at +peak times..(etc..etc..more BS..But you get the idea, right?) + +Joseph Hakimout +AT&T Telecommunications +East Bumblefuck, Nowheresville 55555 + + + Ok, so it probably won't work (DJs just aren't that dumb, unless you really +do live in Nowheresville), but using AT&T paper and a business card might up +your chances some. + + :-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:- + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 77 + + + + + The Official Phreaker's Manual + + =><---------------------------------><= + => A little something about <= + => Your phone company <= + =><---------------------------------><= + => By Col. Hogan <= + ======================================== + + Ever get an operator who gave you a hard time, and you didn't know +what to do? Well if the operator hears you use a little Bell jargon, she might +wise up. Here is a little diagram (excuse the artwork) of the structure of +operators + +/--------X /------X /-----X +!Operator!-- > ! S.A. ! --->! BOS ! +X--------/ X------/ X-----/ + ! + ! + V +/-------------X +! Group Chief ! +X-------------/ + + Now most of the operators are not bugged, so they can curse at you, if they +do ask INSTANTLY for the "S.A." or the Service Assistant. The operator does not +report to her (95% of them are hers) but they will solve most of your problems. +She MUST give you her name as she connects & all of these calls are bugged. If +the SA gives you a rough time get her BOS (Business Office Supervisor) on the +line. S/He will almost always back her girls up, but sometimes the SA will get +tarred and feathered. The operator reports to the Group Chief, and S/He will +solve 100% of your problems, but the chances of getting S/He on the line are +nill. + If a lineman (the guy who works out on the poles) or an installation man +gives you the works ask to speak to the Installation Foreman, that works +wonders. + Here is some other bell jargon, that might come in handy if you are having +trouble with the line. Or they can be used to lie your way out of +situations.... + + An Erling is a line busy for 1 hour, used mostly in traffic studies A +Permanent Signal is that terrible howling you get if you disconnect, but don't +hang up. + Everyone knows what a busy signal is, but some idiots think that is the +*Actual* ringing of the phone, when it just is a tone "beeps" when the phone is +ringing, wouldn't bet on this though, it can (and does) get out of sync. + When you get a busy signal that is 2 times as fast as the normal one, the +person you are trying to reach isn't really on the phone, (he might be), it is +actually the signal that a trunk line somewhere is busy and they haven't or +can't reroute your call. Sometimes you will get a Recording, or if you get +nothing at all (Left High & Dry in fone terms) all the recordings are being +used and the system is really overused, will probably go down in a little +while. This happened when Kennedy was shot, the system just couldn't handle the +calls. By the way this is called the "reorder signal" and the trunk line is +"blocked". + One more thing, if an overseas call isn't completed and doesn't generate +any money for AT&T, is is called an "Air & Water Call". + + + + + Page 78 + + + + + The Official Phreaker's Manual + + [ESSENCE OF TELEPHONE CONFERENCING] + [WRITTEN BY:] + [FOREST RANGER] + + TELEPHONE CONFERENCING IS AN EASY WAY OF GETTING MANY FRIENDS TOGETHER AT +ONCE. THIS CAN BE ACCOMPLISHED EASILY WITH LITTLE OR NO TROUBLE WHAT SO EVER. +THE TECHNIQUES THAT I WILL TEACH YOU DO NOT REQUIRE A BLUE BOX OR A TOUCH TONE +PHONE LINE. THE ONLY PREREQUISITE IS THAT YOU HAVE A PHONE THAT HAS A TONE +SWITCH ON IT OR HAVE A HOOKABLE TOUCH TONE KEYPAD. NOW, IF YOU ARE THE PARANOID +TYPE OF PERSON AND REFUSE TO USE YOUR OWN PHONE OUT OF YOUR HOUSE THEN HERE ARE +SOME SIMPLE WAYS OF GETTING CONFERENCES STARTED FROM ANOTHER PHONE. GO TO A +MALL OR A PLACE WHERE YOU KNOW THE PHONE IS BEING PAYED FOR BY THE BUSINESS IT +IS IN. + NOW THERE ARE TWO TO CALL THE CONFERENCE OPERATOR; DIAL "0" TO GET YOUR +LOCAL OPERATOR SO SHE CAN PUT YOU THROUGH TO THE CONFERENCE OPERATOR OR DIAL +THE CONFERENCE OPERATOR DIRECTLY IF YOU HAVE THE NUMBER HANDY. THE SYSTEM YOU +WILL BE LINKED UP TO IS CALLED THE "ALLIANCE" SYSTEM. THERE ARE THREE BRANCHES; +1000,2000,3000. + NOW ONCE YOU HAVE GOTTEN THE CONFERENCE OPERATOR YOU TELL HER YOU WOULD +LIKE TO START A CONFERENCE AND YOU WOULD LIKE TO MAINTAIN CONTROL OF IT. SHE +WILL THEN PROCEED TO ASK YOU FOR YOUR NAME AND NUMBER. YOU WILL THEN GIVE HER A +FAKE NAME AND THE NUMBER OF THE PAY PHONE. SHE WILL HANG UP AND CALL YOU BACK +ONCE SHE HAS CHECKED THE NUMBER. THEY USUALLY DON'T REALIZE IT IS A PAYPHONE SO +DON'T THINK IT WON'T WORK! NOW ONCE THE OPERATOR HAS GIVEN YOU CONTROL YOU WILL +THEN PROCEED TO HACK MY VOICE PHONE AND PUT ME ON THE CONFERENCE. + NOW, THE OTHER WAY OF STARTING A CONFERENCE IN WHICH YOU DON'T GET A LIVE +OPERATOR IS A "PBX". WITH THIS YOU WILL CALL A PBX NUMBER AND YOU WILL THEN +RECEIVE A RECORDING OF A BUSINESS OR OFFICE CO. THEN WHEN THE RECORDING IS OVER +YOU WILL HERE A BEEP...THEN AFTER ABOUT 10-30 SECONDS AFTER THE BEEP YOU WILL +GET A DIAL TONE ON THE ON THE END OF THE PBX. YOU WILL THEN TYPE THE PBX CODE +WHICH WILL THEN RESPOND WITH A RECORDING WELCOMING YOU TO THE CONFERENCING +NETWORK (WHICH WILL IN MOST IF NOT ALL BE THE "ALLIANCE" SYSTEM). + IT WILL BE SELF EXPLANATORY FROM THERE. NOW IF YOU DON'T WISH TO CALL THE +CONFERENCE OPERATOR EITHER WAY ALREADY EXPLAINED THEN THERE IS A WAS OF GETTING +YOUR FRIENDS IN CONFERENCE. THIS IS DONE OVER A LOOP EXTENSION. NO ONE WILL +HAVE CONTROL, BUT YOU WILL STILL BE ON CONFERENCE. THIS IS CALLED THE SEVEN +LINE LOOP EXTENSION. THIS MEANS YOU CAN HAVE UP TO SEVEN MEMBERS, BUT THAT IS +IT! THE NUMBER IS IN LA, CA. 213-206-2820. THE LAST WAY I WILL EXPLAIN TO YOU +IF YOU ARE IN DESPERATE NEED OF A CONFERENCE IS TO GO TO PAY PHONE LIKE I +MENTIONED BEFORE ANY MAKE SURE SOME BUSINESS PAYS THE BILL FOR IT THEN CALL THE +CONFERENCE OPERATOR IN THE FASHIONS MENTIONED AND ASK THE CONFERENCE OPERATOR +TO PLACE CONFERENCE CALLS. + THE WILL THEN ASK FOR THE NUMBERS OF THE PEOPLE TO PUT ON CONFERENCE, YOU +GIVE HER THE NUMBERS AND SHE WILL PUT YOU ALL ON CONFERENCE. WHEN YOU ARE DONE +YOU WILL HANG UP ON HER SO THERE WILL BE NO ONE IN CONTROL.THAT MEANS THE +CONFERENCE WILL BE BILLED TO THE PAYPHONE AND NO ONE CAN BE BLAMED FOR THE +CONFERENCE DUE TO NO ONE BEING IN CONTROL! ***NOTE*** THE CONFERENCE OPERATOR +WILL NOT BE ON WHILE YOU ARE ALL TALKING! REMEMBER THAT CONFERENCES ARE NOT +HARD AND IT IS VERY HARD TO GET ARRESTED ON ONE DUE TO WHAT I HAVE MENTIONED. + + REMEMBER:REACH OUT AND PHREAK SOMEONE! + + + +[TELEPHONE CONFERENCE CONTROLS] + + # - CONTROL MODE + # - 6 PASSES CONTROL + + Page 79 + + + + + The Official Phreaker's Manual + + # - 1 + AREA CODE & NUMBER ADDS + # - 9 SILENT MODE + # - 7 GETS CONFERENCE OPERATOR + * - ENDS CONFERENCE + + + THE "#" IS THE CONTROL KEY ON YOUR CONFERENCES. WHEN YOU PASS CONTROL TO +SOMEONE ELSE HIT THE "#" THEN "6". WAIT FOR THE RECORDING TO SAY ENTER # OF +PERSON TO PASS CONTROL TO, THEN ENTER THE NUMBER OF THE PERSON YOU ARE GOING TO +GIVE CONTROL TO. + TO ADD A PERSON ON TO THE CONFERENCE HIT "#" THEN "1","AREA CODE","NUMBER". +THEN WHEN THE PERSON ANSWERS WAIT FIVE SECONDS THEN HIT THE "#" TO ADD. IF YOU +ARE IN CONTROL OF THE CONFERENCE AND YOU WANT TO HEAR EVERYONE ELSE, BUT YOU DO +NOT WANT TO BE HEARD IT "#" THEN "9" THEN THE "#" TO REJOIN THE CONFERENCE. +REMEMBER AFTER ADDING SOMEONE ON OR PASSING CONTROL TO SOMEONE YOU MUST ALWAYS +HIT THE "#" TO REJOIN THE OTHERS ON CONFERENCE: PASSING CONTROL: "#","6", WAIT +FOR RECORDING TO SAY ENTER NUMBER OF PARTY TO GIVE CONTROL TO THEN ENTER NUMBER +AND HIT "#" TO REJOIN YOUR CONFERENCE.IF YOU EVER WANT TO GET A CONFERENCE +OPERATOR FOR SOME STRANGE REASON THEN HIT "#","7" AND WAIT FOR A CONFERENCE +OPERATOR TO CLICK ON. TO END A CONFERENCE HIT "*". + + WITH HELP FROM: SILICON FALCON, SILVER CONDOR, AND THE ELIMINATOR. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 80 + + + + + The Official Phreaker's Manual + + Phone Tapping + + HERE IS SOME INFO ON PHONE TAPS. I HAVE ENCLOSED A SCHEMATIC FOR A SIMPLE +WIRETAP & INSTRUCTIONS FOR HOOKING UP A TAPE RECORDER CONTROL RELAY TO THE +PHONE LINE. + FIRST I'LL DISCUSS TAPS A LITTLE. THERE ARE MANY DIFFERENT TYPES OF TAPS. +THERE ARE TRANSMITTERS, WIRED TAPS AND INDUCTION TAPS TO NAME A FEW. WIRED AND +WIRELESS TRANSMITTERS MUST BE PHYSICALLY CONNECTED TO THE LINE BEFORE THEY'LL +DO ANY GOOD. ONCE A WIRELESS TAP IS CONNECTED TO THE LINE, IT CAN TRANSMIT ALL +CONVERSATIONS OVER A LIMITED RANGE. THE PHONES IN THE HOUSE CAN EVEN BE +MODIFIED TO PICK UP CONVERSATIONS IN THE ROOM & TRANSMIT THEM TOO! THESE TAPS +ARE USUALLY POWERED OFF THE PHONE LINE, BUT CAN HAVE AN EXTERNAL POWER SOURCE. + WIRED TAPS, ON THE OTHER HAND, NEED NO POWER SOURCE, BUT A WIRE MUST BE +RUN FROM THE LINE TO THE LISTENER OR TO A TRANSMITTER. THERE ARE OBVIOUS +ADVANTAGES OF WIRELESS TAPS OVER WIRED ONES. THERE IS ONE TYPE OF WIRELESS TAP +THAT LOOKS LIKE A NORMAL TELEPHONE MIKE. ALL YOU HAVE TO DO IS REPLACE THE +ORIGINAL MIKE WITH THIS & IT'LL TRANSMIT ALL CONVERSATIONS! + THERE IS AN EXOTIC TYPE OF WIRED TAP KNOWN AS THE 'INFINITY TRANSMITTER' OR +'HARMONICA BUG'. IN ORDER TO HOOK UP ONE OF THESE, YOU NEED ACCESS TO THE +TARGET TELEPHONE. IT HAS A TONE DECODER & SWITCH INSIDE. WHEN IT IS +INSTALLED, SOMEONE CALLS THE TAPPED PHONE & *BEFORE* IT RINGS, BLOWS A WHISTLE +OVER THE LINE. THE X-MITTER RECEIVES THE TONE & PICKS UP THE PHONE VIA A +RELAY. THE MIKE ON THE PHONE IS ACTIVATED SO THE CALLER CAN HEAR ALL +CONVERSATIONS IN THE ROOM. + THERE IS A SWEEP TONE TEST AT 415/BUG-1111 WHICH CAN BE USED TO DETECT ON +OF THESE TAPS. IF ONE OF THESE IS ON YOUR LINE & THE TEST # SENDS THE CORRECT +TONE, YOU'LL HEAR A CLICK. + INDUCTION TAPS HAVE ONE BIG ADVANTAGE OVER TAPS THAT MUST BE PHYSICALLY +WIRED TO THE PHONE. THEY DON'T HAVE TO BE TOUCHING THE PHONE IN ORDER TO PICK +UP THE CONVERSATION. THEY WORK ON THE SAME PRINCIPLE AS THE LITTLE SUCTION-CUP +TAPE RECORDER MIKES YOU CAN GET AT RADIO SHACK. INDUCTION MIKES CAN BE HOOKED +UP TO A TRANSMITTER OR BE WIRED. HERE IS AN EXAMPLE OF INDUSTRIAL ESPIONAGE +USING THE PHONE: + A SALESMAN WALKS INTO AN OFFICE & MAKES A FONE CALL. HE FAKES THE +CONVERSATION, BUT WHEN HE HANGS UP HE SLIPS SOME FOAM-RUBBER CUBES UNDER THE +HANDSET, SO THE FONE IS STILL OFF THE HOOK. THE CALLED PARTY CAN STILL HEAR +ALL CONVERSATIONS IN THE ROOM. WHEN SOMEONE PICKS UP THE FONE, THE CUBES FALL +AWAY UNNOTICED. + I USE A TAP ON MY LINE TO MONITOR WHAT AE-PRO IS DOING WHEN IT AUTO-DIALS, +SINCE IT DOESN'T TAKE ADVANTAGE OF THE HANDSET ON THE APPLE CAT II. I CAN ALSO +HOOK UP THE TAP TO A CASSETTE RECORDER OR AMPLIFIER. HERE IS THE SCHEMATIC: + +-------)!----)!(-------------> + )!( + CAP ^ )!( + )!( + )!( + )!( + ^^^^^---)!(-------------> + ^ 100K + ! + ! THE HITCHHINKERS <%=- + BRING YOUR TOWEL + + + + + + + + + + + + + + + + +Private Sector BBS, police assumed that the sysop was involved in illegal +activities. Six other computers were also seized in this investigation, +including those of Store Manager [perhaps they mean Swap Shop Manager? - +Shark] who ran a BBS of his own, Beowolf, Red Barchetta, the Vampire, NJ Hack +Shack, sysop of the NJ Hack Shack BBS, and that of the sysop of the Treasure +Chest BBS. + + Immediately after this action, members of 2600 contacted the media, who +were completely unaware of any of the raids. They began to bombard the +Middlesex County Prosecutor's Office with questions and a press conference was +announced for July 16. The system operator of the Private Sector BBS attempted +to attend along with reporters from 2600. They were effectively thrown off +the premises. Threats were made to charge them with trespassing and other +crimes. An officer who had at first received them civilly was threatened with +the loss of his job if he didn't get them removed promptly. Then the car was +chased out of the parking lot. Perhaps prosecutor Alan Rockoff was afraid that +he presence of some technically literate reporters would ruin the effect of his +press release on the public. As it happens, he didn't need our help. + + The next day the details of the press conference were reported to the +public by the press. As Rockoff intended, paranoia about hackers ran rampant. +Headlines got as ridiculous as hackers ordering tank parts by telephone from +TRW and moving satellites with their home computers in order to make free phone +calls. These and even more exotic stories were reported by otherwise +respectable media sources. The news conference understandably made the front +page of most of the major newspapers in the US, and was a major news item as +far away as Australia and in the United Kingdom due to the sensationalism of +the claims. We will try to explain why these claims may have been made in this +issue. + + On July 18 the operator of The Private Sector was formally charged +with"computer conspiracy" under the above law, and released in the custody of +his parents. The next day the American Civil Liberties Union took over his +defense. The ACLU commented that it would be very hard for Rockoff to prove a +conspiracy just "because the same information, construed by the prosecutor to +be illegal, appears on two bulletin boards." especially as Rockoff admitted +that "he did not believe any of the defendants knew each other." The ACLU +believes that the system operator's rights were violated, as he was assumed to + + Page 89 + + + + + The Official Phreaker's Manual + +be involved in an illegal activity just because of other people under +investigation who happened to have posted messages on his board. + + In another statement which seems to confirm Rockoff's belief in guilt by +association, he announced the next day that "630 people were being investigated +to determine if any used their computer equipment fraudulently." We believe +this is only the user list of the NJ Hack Shack, so the actual list of those to +be investigated may turn out to be almost 5 times that. The sheer overwhelming +difficulty of this task may kill this investigation, especially as they find +that many hackers simply leave false information. Computer hobbyists all +across the country have already been called by the Bound Brook, New Jersey +office of the FBI. They reported that the FBI agents used scare tactics in +order to force confessions or to provoke them into turning in others. We would +like to remind those who get called that there is nothing inherently wrong or +illegal in calling any ANY BBS, nor in talking about ANY activity. The FBI +would not comment on the case as it is an "ongoing investigation" and in the +hands of the local prosecutor. They will soon find that many on the Private +Sector BBS's user list are data processing managers, telecommunications +security people, and others who are interested in the subject of the BBS, +hardly the underground community of computer criminals depicted at the news +conference. The Private Sector BBS was a completely open BBS, and police and +security people were even invited on in order to participate. The BBS was far +from the "elite" type of underground telecom boards that Rockoff attempted to +portray. + + Within two days, Rockoff took back almost all of the statements he had +made at the news conference, as AT&T and the DoD [Department of Defense - +Shark] discounted the claims he had made. He was understandably unable to find +real proof of Private Sector's alleged illegal activity, and was faced with +having to return the computer equipment with nothing to show for his effort. +Rockoff panicked, and on July 31, the system operator had a new charge against +him, "wiring up his computer as a blue box." Apparently this was referring to +his Novation Applecat modem which is capable of generating any hertz tone over +the phone line. By this stretch of imagination an Applecat could produce a +2600 hertz tone as well as the MF which is necessary for "blue boxing." +However, each and every other owner of an Applecat or any other modem that can +generate its own tones therefore has also "wired up his computer as a blue box" +by merely installing the modem. This charge is so ridiculous that Rockoff +probably will never bother to press it. However, the wording of WIRING UP THE +COMPUTER gives rockoff an excuse to continue to hold onto the computer longer +in his futile search for illegal activity. + + "We have requested that the prosecutors give us more specific +information," said Arthur Miller, the lawyer for The Private Sector. "The +charges are so vague that we can't really present a case at this point." +Miller will appear in court on August 16 to obtain this information. He is +also issuing a demand for the return of the equipment and, if the prosecutors +don't cooperate, will commence court proceedings against them. "They haven't +been pa::icularly cooperative," he said. + + Rockoff probably will soon reconsider taking Private Sector's case to +court, as he will have to admit he just didn't know what he was doing when he +seized the BBS. The arrest warrant listed only "computer conspiracy" against +Private Sector, which is much more difficult to prosecute than the multitude of +charges against some of the other defendants, which include credit card fraud, +toll fraud, the unauthorized entry into computers, and numerous others. + + Both Rockoff and the ACLU mentioned the Supreme Court in their press + + Page 90 + + + + + The Official Phreaker's Manual + +releases, but he will assuredly take one of his stronger cases to test the new +New Jersey computer crime law. by seizing the BBS just because of supposed +activities discussed on it, Rockoff raises constitutional questions. Darrell +Paster, a lawyer who centers much of his work on computer crime, says the New +Jersey case is "just another example of local law enforcement getting on the +bandwagon of crime that has come into vogue to prosecute, and they have +proceeded with very little technical understanding, and in the process they +have abused many people's constitutional rights. What we have developing is a +mini witch hunt which is analogous to some of the arrests at day care centers, +where they sweep in and arrest everybody, ruin reputations, and then find that +there is only one or two guilty parties." We feel that law enforcement, not +understanding the information on the BBS, decided to strike first and ask +questions later. + + 2600 magazine and the sysops of the Private Sector BBS stand fully behind +the system operator. As soon as the equipment is returned, the BBS will go +back up. We ask all our readers to do their utmost to support us in our +efforts, and to educate as many of the public as possible that a hacker is not +a computer criminal. We are all convinced of our sysop's innocence, and await +Rockoff's dropping of the charges. + +NOTE: Readers will notice that our reporting of the events are quite different +than those presented in the media and by the Middlesex County Prosecutor. We +can only remind you that we are much closer to the events at hand than the +media is, and that we are much more technologically literate than the Middlesex +County Prosecutor's Office. The Middlesex County Prosecutor has already taken +back many of his statements, after the contentions were disproven by AT&T and +the DoD. One problem is that the media and the police tend to treat the seven +cases as one case, thus the charges against and activities of some of the +hackers has been extended to all of the charged. We at 2600 can only speak +about the case of Private Sector. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 91 + + + + + The Official Phreaker's Manual + + Chapter 4 + + By now I assume that the reader has a fair idea of what phreaking is, and +know a little bit about how to go about it. From now on, I will assume that +the reader has read all the material before this or understands all the +material covered. Now we will take a journey into the "Basics of +Telecommunications" and learn a little about how everything works, and is +related to everything else. This series of articles is extremely good and +should be read by all levels of phreaks. + As we go further into the advanced world of phreaking, we come closer to the +edge of technology. As we approach it, everything seems to become larger and +more complicated. We notice that many things that were possible aren't +anymore. Blue boxing is starting to become the only method of exploration as +Equal Access looms nearer and nearer. As it stands now, equal access is here, +and many LD services such as Sprint and MCI will be tougher to hack. Extenders +will become more used and abused, which will cause them to get access codes +miles long... + Blue boxing becomes harder as all Bell switching and transmission facilities +go under to CCIS. Then to further complicate things, digital microwave, fiber +optic, and satellite transmission are all coming to be digital and do not +recognize 2600hz for the hang up signal. I predict that around 1990, blue +boxes will be obsolete from all major cities. A new type of box will have to +be invented, or you'll have to get two fone line to phreak with, on to place +the actual call and the other to tap into a COSMOS computer to change the +status of the call from toll to toll-free, ie. 800#. + Well somethings will change for the better, with ISDN you'll get 144k bps +lines and some other neat stuff. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 92 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * BASIC TELECOMMUNICATIONS * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART II * + * * + ************************************************************ + + PREFACE: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN PART II, WE WILL EXPLORE THE VARIOUS SPECIAL BELL#'S, SUCH AS: CN/A, +AT&T NEWSLINES, LOOPS, 99XX #'S, ANI, RINGBACK, AND A FEW OTHERS. + + CN/A: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + CN/A, WHICH STANDS FOR CUSTOMER NAME AND ADDRESS, ARE BUREAUS THAT EXIST SO +THAT AUTHORIZED BELL EMPLOYEES CAN FIND OUT THE NAME AND ADDRESS OF ANY +CUSTOMER IN THE BELL SYSTEM. ALL #'S ARE MAINTAINED ON FILE INCLUDING UNLISTED +#'S. + +HERE'S HOW IT WORKS: + +1) YOU HAVE A # AND YOU WANT TO FIND OUT WHO OWNS IT, E.G. (914) 555-1234. + +2) YOU LOOK UP THE CN/A # FOR THAT NPA IN THE LIST BELOW. IN THE EXAMPLE, THE +NPA IS 914 AND THE CN/A# IS 518-471-8111. + +3) YOU THEN CALL UP THE CN/A # (DURING BUSINESS HOURS) AND SAY SOMETHING LIKE, +"HI, THIS IS JOHN JONES FROM THE RESIDENTIAL SERVICE CENTER IN MIAMI. CAN I +HAVE THE CUSTOMER'S NAME AT 914-555-1234. THAT # IS 914-555-1234." MAKE UP +YOUR OWN REAL SOUNDING NAME, THOUGH. + +4) IF YOU SOUND NATURAL & CHEERY, THE OPERATOR WILL ASK NO QUESTIONS. + + HERE'S THE LIST: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + NPA CN/A # NPA CN/A # + --- ------------ --- ------------ + 201 201-676-7070 517 313-232-8690 + 202 202-384-9620 518 518-471-8111 + 203 203-789-6800 519 416-487-3641 + 204 ****N/A***** 601 601-961-0877 + 205 205-988-7000 602 303-232-2300 + 206 206-382-8000 603 617-787-2750 + 207 617-787-2750 604 604-432-2996 + 208 303-232-2300 605 402-345-0600 + 209 415-546-1341 606 502-583-2861 + 212 518-471-8111 607 518-471-8111 + 213 213-501-4144 608 414-424-5690 + 214 214-948-5731 609 201-676-7070 + 215 412-633-5600 612 402-345-0600 + 216 614-464-2345 613 416-487-3641 + 217 217-525-7000 614 614-464-2345 + 218 402-345-0600 615 615-373-5791 + + Page 93 + + + + + The Official Phreaker's Manual + + 219 317-265-7027 616 313-223-8690 + 301 301-534-11?? 617 617-787-2750 + 302 412-633-5600 618 217-525-7000 + 303 303-232-2300 701 402-345-0600 + 304 304-344-8041 702 415-546-1341 + 305 912-784-9111 703 804-747-1411 + 306 ****N/A***** 704 912-784-9111 + 307 303-232-2300 705 416-487-3641 + 308 402-345-0600 707 415-546-1341 + 309 217-525-7000 709 ****N/A***** + 312 312-769-9600 712 402-345-0600 + 313 313-223-8690 713 713-658-1793 + 314 314-436-3321 714 213-995-0221 + 315 518-471-8111 715 414-424-5690 + 316 816-275-2782 716 518-471-8111 + 317 317-265-7027 717 412-633-5600 + 318 318-227-1551 801 303-232-2300 + 319 402-345-0600 802 617-787-2750 + 401 617-787-2750 803 912-784-9111 + 402 402-345-0600 804 804-747-1411 + 403 403-425-2652 805 415-546-1341 + 404 912-784-9111 806 512-828-2502 + 405 405-236-6121 807 416-487-3641 + 406 303-232-2300 808 212-226-5487 + 408 415-546-1341 BERMUDA ONLY + 412 412-633-5600 809 212-334-4336 + 413 617-787-2750 812 317-265-7027 + 414 414-424-5690 813 813-228-7871 + 415 415-546-1132 814 412-633-5600 + 416 416-487-3641 815 217-525-7000 + 417 314-436-3321 816 816-275-2782 + 418 514-861-6391 817 214-948-5731 + 419 614-464-2345 819 514-861-6391 + 501 405-236-6121 901 615-373-5791 + 502 502-583-2861 902 902-421-4110 + 503 503-241-3440 903 ****N/A***** + 504 504-245-5330 904 912-784-9111 + 505 303-232-2300 906 313-223-8690 + 506 506-657-3855 907 ****N/A***** + 507 402-345-0600 912 912-784-9111 + 509 206-382-8000 913 816-275-2782 + 512 512-828-2501 914 518-471-8111 + 513 614-464-2345 915 512-828-2501 + 514 514-861-6391 916 415-546-1341 + 515 402-345-0600 918 405-236-6121 + 516 518-471-8111 919 912-784-9111 + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + BELL USES THESE #'S MAINLY TO FIND OUT WHO OWNS A # THAT A CUSTOMER CLAIMS +HE NEVER CALLED. + +NOTE: THIS IS THE MOST COMPLETE LIST OF CN/A #'S IN MY POSSESSION (WITH ONLY +5 #'S NOT AVAILABLE) THIS LIST WAS COPYRIGHTED IN 1982 BY "JUDAS GERARD" AS IT +ORIGINALLY APPEARED IN TAP ISSUE #78. + AT&T NEWSLINES: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + NEWSLINES ARE RECORDINGS THAT BELL EMPLOYEES CALL UP TO FIND OUT THE LATEST + + Page 94 + + + + + The Official Phreaker's Manual + +INFO ON STOCK, TECHNOLOGY, ETC. CONCERNING THE BELL SYSTEM. + + HERE ARE THE #'S THAT ARE CURRENTLY KNOWN TO PHREAKS (AT LEAST ME, ANYWAY): + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + 201-483-3800 NJ 513-421-9060 OH + 203-771-4920 CT 516-234-9914 NY + 212-393-2151 NY 518-471-2272 NY + 213-621-4141 CA 617-955-1111 MA + 213-829-0111 CA (GTE) 702-789-6711 NV + 213-449-8830 CA 713-224-6116 TX + 312-368-8000 IL 714-238-1111 CA + 313-223-7223 MI 717-255-5555 PA + 314-247-5511 MO 717-787-1031 PA + 408-493-5000 CA 802-955-1111 VE + 412-633-3333 PA 808-533-4426 HI + 414-678-3511 WI 813-223-5666 FL + 416-929-4323 ONT. 914-948-8100 NY + 503-228-6271 OR 916-480-8000 CA + + LOOPS + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + FIRST OF ALL, YOU MUST UNDERSTAND THE CONCEPT OF LOOPS. I THINK THAT THE +BEST WAY THAT THIS IS UNDERSTOOD IS THE WAY THAT PHRED PHREEK EXPLAINED IT... + + "NO SELF-RESPECTING PHONE PHREAK CAN GO THROUGH LIFE WITHOUT KNOWING WHAT A +LOOP IS, HOW TO USE ONE, AND THE TYPES THAT ARE AVAILABLE. THE LOOP IS A GREAT +ALTERNATIVE COMMUNICATION MEDIUM THAT HAS MANY POTENTIAL USES THAT HAVEN'T EVEN +BEEN TAPPED YET. IN ORDER TO EXPLAIN WHAT A LOOP IS, IT WOULD BE HELPFUL TO +VISUALIZE TWO PHONE NUMBERS (LINES) JUST FLOATING AROUND IN THE TELCO CENTRAL +OFFICE (CO). NOW, IF YOU (AND A FRIEND PERHAPS) WERE TO CALL THESE TWO NUMBERS +AT THE SAME TIME, POOOOPFFF!!!, YOU ARE NOW CONNECTED TOGETHER. I HEAR WHAT +YOU'RE SAYING OUT THERE..., "BIG DEAL" OR "WHY SHOULD MA BELL COLLECT HERE TWO +MSU'S (MESSAGE UNITS) FOR ONE LOUSY PHONE CALL!?" WELL... THINK AGAIN. HAVEN'T +YOU EVER WANTED SOMEONE TO CALL YOU BACK BUT, WERE RELUCTANT TO GIVE OUT YOUR +HOME PHONE NUMBER (LIKE THE LAST TIME YOU TRIED TO GET YOUR FRIEND'S UNLISTED # +FROM THE BUSINESS OFFICE)? OR HOW ABOUT A COLLECT CALL TO YOUR FRIEND WAITING +ON A LOOP, WHO WILL GLADLY ACCEPT THE CHARGES? OR BETTER YET, STUMBLING UPON A +LOOP THAT YOU DISCOVER THAT HAS MULTI-USER CAPABILITY (FOR THOSE LATE-NIGHT +CONFERENCES). BEST OF ALL IS FINDING A NON-SUPERVISED LOOP THAT DOESN'T CHARGE +ANY MSU'S OR TOLLS TO ONE OR BOTH PARTIES. EXAMPLE: MANY MOONS AGO, A LOOP +AFFECTIONATELY KNOWN AS 'THE 332 LOOP' WAS NON-SUP (IE, NON-SUPERVISED) ON THE +TONE SIDE. I HAD MY FRIEND IN CALIFORNIA DIAL THE FREE (NON-SUP) SIDE, (212) +332-9906 AND I DIALED THE SIDE THAT CHARGED, 332-9900. AS YOU CAN SEE, I WAS +CHARGED ONE MSU, AND MY FRIEND AS CHARGED ZILCH, FOR AS LONG AS WE WISHED TO +TALK!!!" + + ********** + + AHHH...HAVE I PERKED YOUR INTEREST YET? IF SO, HERE IS HOW TO FIND A LOOP +OF YOU VERY OWN. FIRST, DO ALL OF YOU LOOP SEARCHING AT NIGHT! THIS IS BECAUSE +THE LOOPS SERVE A GENUINE TEST FUNCTION WHICH TELCO USES DURING THE DAY. (WE +DON'T WANT TO RUN INTO AN IRATE LINEMAN NOW, DO WE?) TO FIND A LOOP, HAVING 2 +#'S IS A DEFINITE PLUS. IF NOT, HAVE A FRIEND TO DIAL #'S AT HIS LOCATION. +LAST RESORT, TRY DIALING FROM TWO ADJACENT PAY PHONES. NOW GET YOUR TRUSTY +WHITE PAGES (*), AND TURN TO THE PAGE WHERE IT LISTS THE # OF MSU'S FROM YOUR +EXCHANGE (OR EXCHANGES IN YOUR PRIMARY CALLING AREA) THE IDEA IS TO FIND A LOOP + + Page 95 + + + + + The Official Phreaker's Manual + +THAT IS WITHIN YOUR PRIMARY CALLING AREA OR IS ONLY 1 MSU IN YOUR AREA (CALL +AREA A). THIS IS SO YOU DON'T GO BANKRUPT TRYING TO FIND A LOOP. WRITE DOWN ALL +OF THESE EXCHANGES AND DO A 99XX SCAN OF THOSE EXCHANGES (99XX SCANNING WILL BE +DISCUSSED SHORTLY). + + BEFORE WE GET UP TO 99XX SCANNING, WE WILL LOOK AT SOME OTHER LOOP INFO: + + LOOPS ARE FOUND PAIRS WHICH ARE USUALLY CLOSE TO EACH OTHER. FOR EXAMPLE, +IN NPA 212, WHERE THE INFAMOUS LOOPS ARE FOUND, THERE IS A STANDARD LOOP +FORMAT: + +MANHATTAN & BRONX-------NNX-9977/9979 +BROOKLYN & QUEENS-------NNX-9900/9906 + + NNX IS THE EXCHANGE TO BE SCANNED. HERE ARE SOME LOOPS THAT HAVE BEEN FOUND +IN NYC. THESE ARE USED MOSTLY BY PHREAKS AND CALL-IN LINES FOR PIRATE RADIO +STATIONS: + +212-220-9900/9906 +212-283-9977/9979 +212-352-9900/9906 +212-365-9977/9979 +212-529-9900/9906 +212-562-9977/9979 +212-982-9977/9979 +212-986-9977/9979 + + THE LOWER # IS THE TONE SIDE (SINGING SWITCH). THE HIGHER # IS ALWAYS +SILENT. THE TONE DISAPPEARS ON THE LOWER # WHEN SOMEBODY DIALS IN THE OTHER +SIDE OF THE LOOP. IF YOU ARE ON THE HIGHER #, YOU'LL HAVE TO LISTEN TO THE +CLICKS TO SEE IF SOMEBODY DIALED-IN. THE NYC 982 & 986 LOOPS ARE DIFFERENT +FROM OTHERS. USUALLY WHEN YOU PARK ON A LOOP, YOU WILL HEAR WHO EVER CALLS IN +ON THE OTHER HALF. WHEN THEY'RE DONE, THE NEXT CALLER (IF ANY) WILL BE QUEUED +IN, ONE AFTER ANOTHER. ON THE NYC 982 & 986, YOU SOMETIMES CAN'T GET ANY MORE +CALLERS IN AFTER THE FIRST. FURTHERMORE, IF YOU PARK ONE OF THESE LOOPS AND +THERE IS NOBODY ON THE OTHER END FOR MORE THAN 4 MINUTES, YOU MAY BE +AUTOMATICALLY DISCONNECTED. THESE LOOPS ARE GOOD FOR BACK-UP PURPOSES WHEN ALL +OTHER LOOPS ARE BUSY. + + 99XX SCANNING: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + MOST EVERY EXCHANGE IN THE BELL SYSTEM HAS A WIDE VARIETY OF TEST #'S AND +OTHER "GOODIES," SUCH AS LOOPS. THESE "GOODIES" ARE USUALLY FOUND BETWEEN 9900 +AND 9999 IN YOUR LOCAL EXCHANGE. IF YOU HAVE THE TIME AND INITIATIVE, SCAN +YOUR EXCHANGE AND YOU MAY BECOME LUCKY! + +HERE ARE MY FINDINGS IN THE 914-268: + +9901 - VERIFICATION (RECORDING OF A/C AND EXCHANGE) +9936 - VOICE # TO THE TELCO CO +9937 - VOICE # TO THE TELCO CO +9941 - CARRIER +9960 - OSC. TONE (TONE SIDE LOOP) +9963 - TONE (STOPS: MUTED) +9966 - CARRIER +9968 - TONE THAT DISAPPEARS--RESPONDS TO CERTAIN TOUCH-TONE KEYS + + + Page 96 + + + + + The Official Phreaker's Manual + + MOST OF THE #'S BETWEEN 9900 & 9999 WILL RING, BE BUSY, GO TO A SPECIAL +INTERCEPT OPERATOR ("WHAT #, PLEASE?"), OR WILL GO TO A "THE # YOU HAVE +REACHED..." RECORDING. WHAT YOU FIND DEPENDS UPON THE SWITCHING EQUIPMENT IN +THE EXCHANGE AND THE TELCO OPERATING COMPANY. + + WHEN SEARCHING FOR LOOPS, YOU MAY FIND ONE OF THE FOLLOWING POSSIBILITIES +WHEN YOU FIND ONE: + +1. YOU CAN HEAR THROUGH THE LOOP (NOT MUTED), BUT THERE IS A 1/2 SECOND CLICK +EVERY 10 SECONDS THAT INTERRUPTS THE AUDIO. THIS TYPE IS GOOD FOR BACK-UP USE +BUT THE FUCKING CLICK IS SUPER ANNOYING. + +2. ONE SIDE OF THE LOOP IS BUSY; TRY IT AGAIN LATER. + +3. THE TONE DISAPPEARS, BUT YOU CANNOT HEAR THROUGH IT (THE LOOP IS MUTED, TRY +AGAIN IN A MONTH OR SO) + +4. YOU GET "THE # YOU HAVE REACHED RECORDING." NO LOOP HERE! + + MOST LOOPS ARE MUTED (#3), BUT THEIR STATUS DOES CHANGES FROM TIME-TO-TIME. +IT ALL DEPENDS IF THE TELCO MAINTENANCE PERSONNEL REMEMBER TO "THROW THE +SWITCH", IE, TURN OFF THE LOOP. + + SINCE I HAVE DONE THE ABOVE 914-268 99XX SCAN, CONGERS (268) HAS INSTALLED +NEW SWITCHING EQUIPMENT (DMS100). SOME OF THE NUMBERS ARE THE SAME, BUT I HAVE +NOTICED THAT ON THE DMS100, THE RECORDINGS ARE ALSO STORED IN THIS AREA. +268-9903, 9906, 9909, & 9912 ARE ALL DIFFERENT RECORDINGS. ALSO, THERE ARE 2 +FORTRESS FONE RECORDINGS AT 268-9911 (DEPOSIT 5 CENTS OR ELSE) AND 268-9913 +(DEPOSIT 10 CENTS). NONE OF THESE RECORDINGS SUPE AND ALOT OF OTHER 99XX#'S +DON'T SUPE EITHER. + + IN SOME AREAS (LIKE MD), 9906-7 IS RINGBACK. IN WASHINGTON, THERE IS A +SWEEP TONE TEST AT (202) 560-9944. IN NYC (212), YOU'LL FIND THE INFAMOUS LOOP +LINES (AS MENTIONED ABOVE). + IT WILL BE EASIER TO SCAN YOUR EXCHANGE IF YOU MAKE UP A CHART LIKE THE ONE +BELOW: + + + NPA-NNX-99XX SCAN + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + _________________________________________________________ + | 99X X>|0 |1 |2 |3 |4 |5 |6 |7 |8 |9 | + |_______|____|____|____|____|____|____|____|____|____|____| + | 990 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 991 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 992 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 993 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 994 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 995 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 996 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + + Page 97 + + + + + The Official Phreaker's Manual + + | 997 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 998 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 999 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THIS LEAVES YOU WITH 100 BOXES (1 FOR EACH # BETWEEN 9900 & 9999). YOU +SHOULD MAKE YOUR BOXES BIG ENOUGH SO YOU CAN WRITE SOME SORT OF SHORTHAND IN +THEM. FOR EXAMPLE: + +B - BUSY (TRY AGAIN AT ANOTHER TIME) +R - RINGS (TRY AGAIN AT ANOTHER TIME) +O - INTERCEPT OPERATOR ("WHAT # YOU CALLING?) +R1- RECORDING 1 (MAKE A MARGIN NOTE OF THE TYPES OF RECORDINGS YOU GET) +T - TONE ] TONE AT A LOWER # + IGNORE +I - IGNORE ] AT A HIGHER # = LOOP +V - VOICE # TO TELCO CO - THEY USUALLY ANSWER WITH THE CITY NAME OR AREA. +C - CARRIER + + THERE WILL BE OTHERS AND YOU SHOULD USE OTHER CHARACTERS THAT YOU CAN +UNDERSTAND. + + NOW, BACK TO LOOPS! AS YOU MAY HAVE NOTICED IN MY 914-268 SCAN, I FOUND A +MUTED LOOP AND A TONE SIDE. 914-268 FAILED TO COME UP WITH THE SILENT SIDE OF +A LOOP! THEREFORE, THERE IS NO LOOP IN THAT EXCHANGE. I THEN SCANNED ANOTHER +EXCHANGE IN MY PRIMARY CALLING AREA (914-634) AND I FOUND A LOOP!! "(914) +634-9923/9924" SO, IF AT FIRST YOU DON'T SUCCEED, MOVE ONTO ANOTHER EXCHANGE. +IF YOU USE THE BOX METHOD THAT I HAVE OUTLINED ABOVE, YOU WILL SEE A "T" & "I" +NEXT TO EACH OTHER FOR A LOOP. + SOME EXCHANGES ARE SPECIAL. FOR EXAMPLE, 914-623 IS A TESTING BUREAU. IN +THIS EXCHANGE, NOT ONLY DID I FIND A LOOP, BUT I ALSO FOUND SEVERAL INTERESTING +TONES, NOISES, AND OTHER TEST FUNCTIONS. ALSO, THE MORE IMPORTANT THE EXCHANGE +IS, THE MORE YOU WILL FIND. FOR EXAMPLE, IN 914-623, I FOUND WELL OVER 10 VOICE +#'S! + ALSO, LOOPS ARE USUALLY, BUT NOT EXCLUSIVELY, FOUND IN THE 99XX SERIES. FOR +EXAMPLE: "(713) 324-1799/1499" IS A LOOP. + +THE PERFECT LOOP? HERE IS WHAT I WOULD LOOK FOR: + +1. NON-SUP ON ONE OR BOTH SIDES. TO CHECK FOR A NON-SUP LOOP, GO TO A +TONE-FIRST FORTRESS FONE AND DIAL THE #. IF IT ASKS FOR A DIME, IT IS +SUPERVISED. IF THE CALL GOES THROUGH, THEN IT IS NON-SUPED! + +2. 800 LOOPS WOULD BE A PLUS. THEY ARE NOT NECESSARILY FOUND BETWEEN 9900 & +9999 THOUGH. I WOULD CHECK THE 1XXX SERIES FIRST. + +3. MULTI-USER LOOPS ARE ALSO A PLUS FOR THOSE LATE NIGHT CONFERENCES. + + FINALLY, REMEMBER IT IS ONLY A LOCAL CALL TO FIND OUT WHAT YOU CO HAS IN +STORE FOR YOU. IF YOU FIND ANYTHING INTERESTING, BE SURE TO DROP ME A LINE. + + +NOTE: YOUR LOCAL WHITE PAGES CAN BE A VALUABLE ASSET. YOU CAN ALSO ORDER OTHER +FONE BOOKS FROM YOUR BUSINESS OFFICE (USUALLY FREE FOR BOOKS WITHIN YOUR +OPERATING COMPANY'S DISTRICT). A LARGE FONE BOOK, SUCH AS MANHATTAN, CONTAINS + + Page 98 + + + + + The Official Phreaker's Manual + +MUCH MORE INFO IN THE FIRST FEW PAGES THAN OTHER BOOKS. + + ANI + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + AUTOMATIC NUMBER IDENTIFICATION (ANI), IS A NUMBER THAT YOU CALL UP THAT +WILL TELL YOU WHAT # YOU ARE CALLING FROM. + THIS HAS A FEW USES. FIRST, WERE YOU EVER SOMEWHERE AND THE FONE DIDN'T +HAVE A # PRINTED ON IT? OR PERHAPS YOU WERE FOOLING AROUND IN SOME CANS (THOSE +LARGE BOXES ON FONE POLES THAT CONTAIN TERMINALS FOR LINEMAN USE--TO BE +DISCUSSES IN A FUTURE CHAPTER.) AND YOU WANT TO KNOW WHAT WHAT THE LINE # IS. +IN NPA 914, THE ANI IS 990. IN NPA'S 212 & 516, ANI IS 958. THIS VARIES FROM +AREA TO AREA. + +HERE ARE SOME OTHER ANI'S THAT I HAVE SEEN: + +890-751-5191 +202-222-2222 +1-XXX-1111 (IN SOME 914 AREAS, ESP. UNDER STEP-BY-STEP SWITCHING, YOU HAVE +TO DIAL 1-990-1111) + + TO FIND ANI FOR OTHER AREAS, CHECK 3 DIGITS #'S FIRST, USUALLY IN THE 9XX +SERIES (EXCLUDING 911). IN AREAS UNDER STEP-BY-STEP (TO BE DISCUSSED IN THE +NEXT PART), TRY 1-9XX-1111. + ANI MAY ALSO BE IN 99XX. LAST RESORT, TRY TO GET FRIENDLY WITH YOUR +NEIGHBOR WHO WORKS FOR THE FONE COMPANY. + + RING BACK + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + RINGBACK, AS ITS NAME IMPLIES, CALLS BACK THE # YOU ARE AT WHEN YOU DIAL +THE RINGBACK #. RINGBACK, IN NPA 914, IS 660. YOU DIAL 660+THE LAST 4 DIGITS OF +THE FONE. YOU WILL THEN GET A TONE, HANG-UP QUICKLY AND PICK-UP IN ABOUT 2 +SECONDS. YOU WILL THEN GET A SECOND TONE, HANG-UP AGAIN AND THE FONE WILL +RING. + IN NYC, IT IS ALSO 660, BUT YOU MAY HAVE TO PRESS 6 OR 7 BEFORE YOU HANG UP +FOR THE FIRST TIME (IE, AT THE FIRST TONE). + + + OTHER RINGBACK #'S THAT I HAVE SEEN ARE: + +26011 - THIS 5 DIGIT FORMAT IS USED PRIMARILY ON STEP-BY-STEP. +THE LAST 2 DIGITS (11) ARE DUMMY DIGITS. + +890-897-XXXX - XXXX ARE THE LAST 4 DIGITS OF THE FONE #. + +119911/11911/1199911 - GTE + +NNX-9906/9907 - NPA 301, NNX IS THE EXCHANGE + + + THE REASON YOU GET THE TONE WHEN YOU PICK-UP AFTER IT RINGS IS BECAUSE IN +SOME AREAS, PEOPLE WERE USING RINGBACK AS AN IN-HOUSE INTERCOM. THEY WOULD +DIAL RINGBACK, AND WHEN IT STOPPED RINGING, THEY WOULD PICK-UP & TALK WITH THE +PERSON WHO PICKED UP THE OTHER EXTENSION. BELL DIDN'T LIKE THIS SINCE THERE IS +USUALLY ONLY 1 PIECE OF EQUIPMENT IN EACH EXCHANGE THAT DOES THE RINGBACK. WHEN +PEOPLE USED THIS AS AN INTERCOM, LINEMEN & REPAIRMEN COULDN'T GET THROUGH! IN +SOME AREAS, ESPECIALLY THOSE UNDER STEP-BY-STEP, RINGBACK CAN STILL BE USED AS +AN INTERCOM. ALSO, UNDER STEP-BY-STEP, THE RINGBACK PROCEDURE IT USUALLY + + Page 99 + + + + + The Official Phreaker's Manual + +SIMPLE. FOR EXAMPLE, IN ONE AREA YOU WOULD DIAL 26011 AND HANG-UP; IT WOULD +THEN RINGBACK. + + TOUCH-TONE TEST: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN AREAS THAT HAVE A TOUCH-TONE TEST, YOU DIAL THE RINGBACK #. AT THE +FIRST TONE, YOU TOUCH-TONE DIGITS 1-0. IF THEY ARE CORRECT IT WILL BEEP +TWICE. +I HAVE ALSO SEEN A TT TEST IN SOME AREAS AT: 890-751-5191 + + COMING SOON: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN THE NEXT PART, WE WILL LOOK AT VARIOUS SWITCHING EQUIPMENT AND THE +NETWORK. + + + BREAK UP OF BELL: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THE OPERATING COMPANIES ARE NOT GOING TO CHANGE ALL THE SWITCHING EQUIPMENT +AROUND. WHILE THERE WILL BE SOME CHANGES, MOST OF THE INFORMATION PROVIDED +HERE WILL REMAIN PERTINENT AFTER JANUARY 1, 1984. JUST SUBSTITUTE THE WORD +"FONE NETWORK" FOR BELL SYSTEM. + + +AU REVOIR, + +*****BIOC +*=$=*AGENT +*****003 + +DECEMBER 8, 1983 + +ACKNOWLEDGEMENTS: TAP, PHRED PHREEK, JUDAS GERARD, THE MAGICIAN, DARK PRIEST, +& MYSELF. I WOULD ALSO LIKE TO THANK THE MULCHER ][ FOR HIS ASSISTANCE IN +DISTRIBUTING THIS TUTORIAL. + + + + + + + + + + + + + + + + + + + + + + Page 100 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART III * + * * + ************************************************************ + +PREFACE: + + IN PART III, WE WILL DISCUSS THE DIALING PROCEDURES FOR DOMESTIC AS WELL AS +INTERNATIONAL DIALING. WE WILL ALSO TAKE A LOOK AT THE TELEPHONE NUMBERING +PLAN. + +NORTH AMERICAN NUMBERING PLAN +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +IN NORTH AMERICA, THE TELEPHONE NUMBERING PLAN IS AS FOLLOWS: + +A) A 3 DIGIT NUMBERING PLAN AREA (NPA) CODE, [IE, AREA CODE] + +B) A 7 DIGIT TELEPHONE # CONSISTING OF A 3 DIGIT CENTRAL OFFICE (CO) CODE PLUS +A 4 DIGIT STATION #. + + THESE 10 DIGITS ARE CALLED THE NETWORK ADDRESS OR DESTINATION CODE. IT IS +IN THE FORMAT OF: + +AREA CODE TELEPHONE # +--------- ----------- + N*X NXX-XXXX + +WHERE: N = A DIGIT FROM 2-9 + * = THE DIGIT 0 OR 1 + X = A DIGIT 0-9 + +AREA CODES +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + CHECK YOUR TELEPHONE BOOK OR THE SEPARATE LISTING OF AREA CODES FOUND ON +MANY BBS'S. HERE ARE THE SPECIAL AREA CODES (SAC'S): + +510 - TWX (USA) +610 - TWX (CANADA) +700 - NEW SERVICE +710 - TWX (USA) +800 - WATS +810 - TWX (USA) +900 - DIAL-IT SERVICES +910 - TWX (USA) + + THE OTHER AREA CODES NEVER CROSS STATE LINES, THEREFORE EACH STATE MUST +HAVE AT LEAST ONE EXCLUSIVE NPA CODE. WHEN A COMMUNITY IS SPLIT BY A STATE +LINE, THE CO #'S ARE OFTEN INTERCHANGEABLE (IE, YOU CAN DIAL THE SAME # FROM 2 +DIFFERENT AREA CODES) + +TWX: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + Page 101 + + + + + The Official Phreaker's Manual + + + TWX (TELEX II) CONSISTS OF 5 TELETYPE-WRITER AREA CODES. THEY ARE OWNED BY +WESTERN UNION. THESE SAC'S MAY ONLY BE REACHED VIA OTHER TWX MACHINES. THESE +RUN AT 110 BAUD. BESIDES THE TWX #'S, THESE MACHINES ARE ROUTED TO NORMAL +TELEPHONE #'S. TWX MACHINES ALWAYS RESPOND WITH AN ANSWERBACK. FOR EXAMPLE, +WU'S FYI TWX # IS (910) 988-5956, THE CORRESPONDING REAL NUMBER TO THIS IS +(201) 279-5956. THE ANSWERBACK FOR THIS SERVICE IS "WU FYI MAWA." + + IF YOU DON'T WANT TO BUY A TWX MACHINE, YOU CAN STILL SEND TWX MESSAGES +USING EASYLINK [800/325-4112 - SEE TUC'S AND MY ARTICLE ENTITLED "HACKING +WESTERN UNION'S EASYLINK] + +700: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + AT THE TIME OF THIS WRITING, THE 700 EXCHANGE DOES NOT YET EXIST. AT&T +PLANS TO USE IT SOON THOUGH. THEY PLAN TO MAKE IT A TYPE OF FANCY CALL +FORWARDING SERVICE. IT WILL BE TARGETED TOWARDS SALESMEN ON THE RUN. + + TO UNDERSTAND HOW IT WORKS, I'LL EXPLAIN IT WITH AN EXAMPLE. LET'S SAY JOE +Q. SALESPIG WORKS FOR AT&T SECURITY AND HE IS ON THE RUN CHASING A PHREAK +AROUND THE COUNTRY WHO ROYALLY SCREWED UP AN IMPORTANT COSMOS SYSTEM. LET'S +SAY THAT JOE'S 700 # IS (700) 382-5968. EVERY TIME JOE GOES TO A NEW HOTEL, HE +DIALS A SPECIAL 700 #, ENTERS A CODE, AND THE # WHERE HE IS STAYING. NOW, IF +HIS BOSS RECEIVED SOME IMPORTANT INFO, ALL HE WOULD DO IS DIAL (700) 382-5968 +AND IT WOULD RING WHEREVER JOE LAST PROGRAMMED IT TO. NEAT, HUH? + +800: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THIS SAC IS ONE OF MY FAVORITES SINCE IT ALLOWS FOR TOLL-FREE CALLS. + +INWARD WATS (INWATS): INWARD WIDE AREA TELECOMMUNICATIONS SERVICE IS THE 800 +#'S THAT WE ARE ALL FAMILIAR WITH. 800 #'S ARE SET UP IN SERVICE AREAS OR +BANDS. THERE ARE 6 OF THESE. BAND 6 IS THE LARGEST AND YOU CAN CALL A BAND 6 +# FROM ANYWHERE IN THE US EXCEPT THE STATE WHERE THE CALL IS TERMINATED (THIS +IS WHY MOST COMPANIES HAVE ONE 800 # FOR THE COUNTRY AND THEN ANOTHER FOR JUST +ONE STATE). BAND 5 INCLUDES THE 48 CONTIGUOUS STATES. ALL THE WAY DOWN TO +BAND 1 WHICH INCLUDES ONLY THE STATES CONTIGUOUS TO THAT ONE. THEREFORE, LESS +PEOPLE CAN REACH A BAND 1 INWATS # THAT A BAND 6 #. + +INTRASTATE INWATS #'S (IE, YOU CAN CALL IT FROM ONLY 1 STATE) ALWAYS HAVE A 2 +AS THE LAST DIGIT IN THE EXCHANGE (IE, 800-NX2-XXXX). THE NXX ON 800 #'S +REPRESENT THE AREA WHERE THE BUSINESS IS LOCATED. FOR EXAMPLE, A # BEGINNING +WITH 800-431 WOULD TERMINATE AT A NEW YORK CO. + +800 #'S ALWAYS END UP IN A HUNT SERIES IN A CO. THIS MEANS THAT IT TRIES THE +FIRST # ALLOCATED TO THE COMPANY FOR THEIR 8P0 LINES; IF THIS IS BUSY IT WILL +THEN TRY THE NEXT #, ETC). YOU MUST HAVE A MINIMUM OF TWO LINES PER EACH 800 +#. FOR EXAMPLE, TRAVELNET USES A HUNT SERIES. IF YOU DIAL (800) 521-8400, IT +WILL FIRST TRY THE # ASSOCIATED WITH 8400; IF IT IS BUSY IT WILL GO TO THE NEXT +AVAILABLE PORT, ETC. INWATS CUSTOMERS ARE BILLED BY THE # OF HOURS OF CALLS +THAT ARE MADE TO THEIR #. + +OUTWATS (OUTWARD WATS): OUTWATS ARE FOR MAKING OUTGOING CALLS ONLY. LARGE +COMPANIES USE OUTWATS SINCE THEY RECEIVE BULK-RATE DISCOUNTS. SINCE OUTWATS # +CANNOT HAVE INCOMING CALLS, THEY ARE IN THE FORMAT OF: + + + Page 102 + + + + + The Official Phreaker's Manual + +(800) *XX-XXXX + + WHERE * IS THE DIGIT 0 OR 1 WHICH CANNOT BE DIALED UNLESS YOU BOX THE CALL. +THE *XX IDENTIFIES THE TYPE OF SERVICE AND THE AREAS THAT THE COMPANY CAN +CALL. + +REMEMBER: INWATS + OUTWATS = WATS EXTENDER (SEE PART I) +900: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THIS DIAL-IT SAC IS A NATIONWIDE DIAL-IT SERVICE. IT IS USED FOR TAKING +TELEVISION POLLS AND OTHER STUFF. THE FIRST MINUTE CURRENTLY COSTS AN +OUTRAGEOUS 50 CENTS AND EACH ADDITIONAL MINUTE COSTS 35 CENTS. BELL TAKES IN +ALOT OF REVENUE IN THIS WAY. + +DIAL (900) 555-1212 TO FIND OUT WHAT IS CURRENTLY ON THE SERVICE. + +CO CODES: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THESE IDENTIFY THE SWITCHING OFFICE WHERE THE CALL IS TO BE ROUTED. + +THE FOLLOWING CO CODES ARE RESERVED NATIONWIDE: + +555 - DIRECTORY ASSISTANCE +844 - TIME ] THESE ARE NOW IN +936 - WEATHER ] THE 976 EXCHANGE +950 - FUTURE SERVICES +958 - PLANT TEST +959 - PLANT TEST +970 - PLANT TEST (TEMPORARY) +976 - DIAL-IT SERVICES + + ALSO, THE 3 DIGIT ANI & RINGBACK #'S ARE REGARDED AS PLANT TEST AND ARE +THUS RESERVED. THESE NUMBERS VARY FROM AREA TO AREA. + +950: [ALSO SEE PART I] +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +HERE ARE THE SERVICES THAT ARE CURRENTLY ON THE 950 EXCHANGE: + +1000 - SPC +1022 - MCI EXECUNET +1033 - US TELEPHONE +1044 - ALLNET +1066 - LEXITEL +1088 - SBS SKYLINE + +THESE SCC'S (SPECIALIZED COMMON CARRIERS) ARE FREE FROM FORTRESSES! + +Publishers note: Most 950's now require the station code (1022, 1000, 1088, +etc.) to be five digits long. MCI 950-10222, US telefone 10333, ALLNET 10444, +etc. Look in "Equal Access and the American Dream" p. for a complete list. +PLANT TESTS: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +THESE INCLUDE ANI, RINGBACK, AND OTHER VARIOUS TESTS. + + + Page 103 + + + + + The Official Phreaker's Manual + +976: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + DIAL 976-1000 TO SEE WHAT IS CURRENTLY ON THE SERVICE. ALSO, MANY BBS'S +HAVE A LISTING OF THESE #'S. + + +N11 CODES: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + BELL IS TRYING TO PHASE SOME OF THESE OUT, BUT THEY STILL EXIST IN MANY +AREAS. + +011 - INTERNATIONAL DIALING PREFIX +211 - COIN REFUND OPERATOR +411 - DIRECTORY ASSISTANCE +611 - REPAIR SERVICE +811 - BUSINESS OFFICE +911 - EMERGENCY + +INTERNATIONAL DIALING +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + WITH INTERNATIONAL DIALING, THE WORLD HAS BEEN DIVIDED INTO 9 NUMBERING +ZONES. + +TO MAKE AN INTERNATIONAL CALL, YOU MUST DIAL: INT. PREFIX + COUNTRY CODE + NAT. +# + + IN NORTH AMERICA, THE INTERNATIONAL DIALING PREFIX IS 011 FOR +STATION-TO-STATION CALLS AND 01 FOR OPERATOR- SERVICED CALLS. IDDD STANDS FOR +INTERNATIONAL DIRECT DISTANCE DIALING. + + THE COUNTRY CODE, WHICH VARIES FROM 1 TO 3 DIGITS, ALWAYS HAS THE WORLD +NUMBERING ZONE AS THE FIRST DIGIT. FOR EXAMPLE, THE COUNTRY CODE FOR THE +UNITED KINGDOM IS 44, THUS IT IS IN WORLD NUMBERING ZONE 4. + + SOME BOARDS MAY CONTAIN A COMPLETE LISTING OF OTHER COUNTRY CODES, BUT HERE +ARE A FEW: + +001 - NORTH AMERICA (US, CANADA,ETC) +020 - EGYPT +258 - MOZAMBIQUE +034 - SPAIN +049 - GERMANY +052 - MEXICO (SOUTHERN PORTION) +061 - AUSTRALIA +007 - USSR +081 - JAPAN +098 - IRAN + + IF YOU CALL FROM AN AREA OTHER THAN NORTH AMERICA, THE FORMAT IS GENERALLY +THE SAME. FOR EXAMPLE, LET'S SAY YOU WANTED TO CALL THE WHITE HOUSE FROM +SWITZERLAND. FIRST YOU WOULD DIAL 00 (THE SWISS INTERNATIONAL DIALING PREFIX), +THEN 1 (THE US COUNTRY CODE), FOLLOWED BY 202-456-1414 (THE NATIONAL # FOR THE +WHITE HOUSE). + + ALSO, COUNTRY CODE 87 IS RESERVED FOR MARITIME MOBILE SERVICE, IE CALLING + + Page 104 + + + + + The Official Phreaker's Manual + +SHIPS: + +871 - MARISAT (ATLANTIC) +872 - MARISAT (PACIFIC) +873 - MARISAT (INDIAN ) + +INTERNATIONAL SWITCHING: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN NORTH AMERICA, THERE ARE CURRENTLY 7 NO. 4 ESS'S THAT PERFORM THE DUTY +OF ISC (INTERNATIONAL SWITCHING CENTERS). ALL INTERNATIONAL CALLS DIALED FROM +NUMBERING ZONE 1 WILL BE ROUTED THROUGH ONE OF THESE "GATEWAY CITIES." THEY +ARE: + +182 - WHITE PLAINS, NY +183 - NEW YORK, NY +184 - PITTSBURGH, PA +185 - ORLANDO, FL +186 - OAKLAND, CA +187 - DENVER, CO +188 - NEW YORK, NY + + THE 18X SERIES ARE OPERATOR ROUTING CODES FOR OVERSEAS ACCESS (TO BE +FURTHER DISCUSSED WITH BLUE BOXES). ALL INTERNATIONAL CALLS USE A SIGNALING +SYSTEM CALLED CCITT. IT IS AN INTERNATIONAL STANDARD FOR SIGNALING. + +COMING SOON: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN PART IV, WE WILL DISCUSS SWITCHING EQUIPMENT, VARIOUS OPERATORS, CO +TYPES, ETC. + +PHREAKING LIVES IN '84, + +*****BIOC +*=$=*AGENT +*****003 + +<<=-FARGO 4A-=>> +23-FEB-84 + +REFERENCES/ +ACKNOWLEDGEMENTS: NOTES ON THE NETWORK (AT&T), TAP (ROOM 603, 147W 42 ST, +NEW YORK, NY 10036),UNDERSTANDING TELEPHONE ELECTRONICS,AND MANY OTHERS/TUC, +MULCHER... + + + + + + + + + + + + + + + Page 105 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART IV * + * * + ************************************************************ + +PREFACE: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + PART IV WILL DEAL WITH THE VARIOUS TYPES OF OPERATORS, OFFICE HIERARCHY, & +SWITCHING EQUIPMENT. + + +OPERATORS: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THERE ARE MANY TYPES OF OPERATORS IN THE NETWORK AND THE MORE COMMON ONES +WILL BE DISCUSSED. + +TSPS OPERATOR: +____________________________________________________________ + + THE TSPS (TRAFFIC SERVICE POSITION SYSTEM) OPERATOR IS PROBABLY THE BITCH +(OR BASTARD FOR THE PHEMALE LIBERATIONISTS) THAT MOST OF US ARE USE TO HAVING +TO DEAL WITH. + +HERE ARE HER RESPONSIBILITIES: + +1) OBTAINING BILLING INFORMATION FOR CALLING CARD OR 3RD NUMBER CALLS. + +2) IDENTIFYING CALLED CUSTOMER ON PERSON-TO-PERSON CALLS. + +3) OBTAINING ACCEPTANCE OF CHARGES ON COLLECT CALLS. + +4) IDENTIFYING CALLING NUMBERS. THIS ONLY HAPPENS WHEN THE CALLING # IS NOT +AUTOMATICALLY RECORDED BY CAMA (CENTRALIZED AUTOMATIC MESSAGE ACCOUNTING) & +FORWARDED FROM THE LOCAL OFFICE. THIS COULD BE CAUSED BY EQUIPMENT FAILURES OR +IF THE OFFICE IS NOT EQUIPPED FOR CAMA (MOST ARE). + + + + YOU SHOULDN'T MESS WITH THE TSPS OPERATOR SINCE SHE KNOWS WHERE YOU ARE +CALLING FROM. SHE ALSO KNOWS WHETHER OR NOT YOU ARE AT A FORTRESS FONE & SHE +CAN TRACE CALLS QUITE READILY. OUT OF ALL THE OPERATORS, SHE IS ONE OF THE +MOST DANGEROUS. + +INWARD OPERATOR: +____________________________________________________________ + + THIS OPERATOR ASSISTS YOUR LOCAL TSPS ("0") OPERATOR IN CONNECTING CALLS. + + Page 106 + + + + + The Official Phreaker's Manual + +SHE WILL NEVER QUESTION A CALL AS LONG AS THE CALL IS WITHIN HER SERVICE AREA. +SHE CAN ONLY BE REACHED VIA OTHER OPERATORS OR BY A BLUE BOX. FROM A BB, YOU +WOULD DIAL KP+NPA+121+ST FOR THE INWARD OPERATOR THAT WILL HELP YOU CONNECT ANY +CALLS WITHIN THAT NPA AREA ONLY. (BLUE BOXING WILL BE DISCUSSED IN A FUTURE +PART OF BASIC TELCOM) + +DIRECTORY ASSISTANCE OPERATOR: +____________________________________________________________ + + THIS IS THE OPERATOR THAT YOU ARE CONNECTED TO WHEN YOU DIAL: 411 OR +NPA-555-1212. SHE DOES NOT READILY KNOW WHERE YOU ARE CALLING FROM. SHE DOES +NOT HAVE ACCESS TO UNLISTED #'S, BUT SHE DOES KNOW IF AN UNLISTED # EXISTS FOR +A CERTAIN LISTING. + + THERE IS ALSO A DIRECTORY ASSISTANCE FOR DEAF PEOPLE WHO USE +TELETYPEWRITERS IF YOU MODEM CAN TRANSFER BAUDOT (THE APPLE CAT CAN), THEN YOU +CAN CALL HER UP AND HAVE AN INTERESTING CONVERSATION WITH HER. THE # +IS:800/855-1155. SHE USES THE STANDARD TELEX ABBREVIATIONS SUCH AS GA FOR GO +AHEAD. THEY TEND TO BE NICER & WILL TALK LONGER THAN YOUR REGULAR OPERATORS. +ALSO, THEY ARE MORE VULNERABLE INTO BEING TALKED OUT OF INFORMATION THROUGH THE +PROCESS OF "SOCIAL ENGINEERING" AS CHESHIRE CATALYST WOULD PUT IT. + +OTHER OPERATORS HAVE ACCESS TO THEIR OWN DA BY DIALING KP+NPA+131+ST (MF). + + THIS IS A LITTLE OUT OF THE SCOPE OF THIS TUTORIAL, BUT MANY TELCO'S ARE +NOW CHARGING FOR CALLS TO DIR. ASST. YOU CAN BEAT THIS BY: + +(1) COUNT HOW MANY CALLS YOU MAKE TO DIRECTORY ASSISTANCE IN A BILLING PERIOD. +GO TO A FORTRESS FONE & DIAL DA. WHEN THE OPERATOR COMES ON, GIVE HER A NAME +THAT YOU KNOW HAS AN UNLISTED # OR ASK FOR A TOWN THAT ISN'T IN THE NPA. SHE +WILL THEN ASK FOR YOUR # SO SHE CAN CREDIT THE CALL TO YOU. GIVE HER YOUR HOME +#, SHE DOESN'T KNOW THAT YOU ARE MAKING A FREE CALL FROM THE FORTRESS. JUST +MAKE SURE THAT YOU DON'T CREDIT YOURSELF FOR MORE CALLS THAN YOU ACTUALLY MADE +OR YOU MIGHT HAVE A FEW PROBLEMS! + +(2) IF YOU HAVE A BAUDOT TERMINAL, USE THE 800 #, IT'S FREE & THERE IS ONE # +FOR ALL REQUESTS. + +C/NA OPERATORS: +____________________________________________________________ + + C/NA OPERATORS ARE OPERATORS THAT DO EXACTLY THE OPPOSITE OF WHAT DIRECTORY +ASSISTANCE OPERATORS ARE FOR. SEE PART II, FOR MORE INFO ON C/NA & #'S. IN MY +EXPERIENCES, THESE OPERATORS KNOW MORE THAN THE DA OP'S DO & THEY ARE MORE +SUSCEPTIBLE TO "SOCIAL ENGINEERING." IT IS POSSIBLE TO BULLSHIT A C/NA +OPERATOR FOR THE NON-PUB DA # (IE, YOU GIVE THEM THE NAME & THEY GIVE YOU THE +ANOTHER IN THE NETWORK. + + PROBLEMS WITH AN OPERATOR? ASK TO SPEAK TO THEIR SUPERVISOR... WHICH IS +THE EQUIVALENT OF THE MADAME IN A WHOREHOUSE (IF YOU WILL EXCUSE THE ANALOGY). + + BY THE WAY, SOME CO'S THAT WILL ALLOW YOU TO DIAL A 1 OR 0 AS THE 4TH +DIGIT, WILL ALSO ALLOW YOU TO CALL SPECIAL OPERATORS WITHOUT A BLUE BOX. THIS +IS VERY RARE THOUGH! FOR EXAMPLE, 212-121-1111 WILL GET YOU A NY INWARD +OPERATOR. + +OFFICE HIERARCHY +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + EVERY SWITCHING OFFICE OFFICE IN NORTH AMERICA (THE NPA SYSTEM), IS +ASSIGNED AN OFFICE NAME & CLASS. THERE ARE FIVE CLASSES OF OFFICES NUMBERED 1 +THROUGH 5. YOUR CO IS MOST LIKELY A CLASS 5 OR END OFFICE. ALL LONG-DISTANCE +(TOLL) CALLS ARE SWITCHED BY A TOLL OFFICE WHICH CAN BE A CLASS 4, 3, 2, OR 1 +OFFICE. THERE IS ALSO A 4X OFFICE CALLED AN INTERMEDIATE POINT. THE 4X OFFICE +IS A DIGITAL ONE THAT CAN HAVE AN UNATTENDED EXCHANGE ATTACHED TO IT (KNOWN AS +A REMOTE SWITCHING UNIT-RSU). + + THE FOLLOWING CHART WILL LIST THE OFFICE #, NAME, & HOW MANY OF THOSE +OFFICES EXISTED IN NORTH AMERICA IN 1981. + +CLASS NAME ABB # EXISTING +----- ---------------- --- ------------ +1 REGIONAL CENTER RC 12 +2 SECTIONAL CENTER SC 67 +3 PRIMARY CENTER PC 230 +4 TOLL CENTER TC 1,30 +4P TOLL POINT TP ? +4X INTERMEDIATE PT IP ? +5 END OFFICE EO 19,000 +R RSU RSU ? + + WHEN CONNECTING A CALL FROM ONE PARTY TO ANOTHER, THE SWITCHING EQUIPMENT +USUALLY TRIES TO FIND THE SHORTEST ROUTE BETWEEN THE CLASS 5 END OFFICE OF THE +CALLER & THE CLASS 5 END OFFICE OF THE CALLED PARTY. IF NO INTER-OFFICE TRUNKS +EXIST BETWEEN THE 2 PARTIES, IT WILL THEN MOVE UPTO THE NEXT HIGHEST OFFICE FOR +SERVICING (CLASS 4). IF THE CLASS 4 OFFICE CANNOT HANDLE THE CALL BY SENDING +IT TO ANOTHER CLASS 4 OR 5 OFFICE, IT WILL BE SENT TO THE NEXT OFFICE IN THE +HIERARCHY (3). THE SWITCHING EQUIPMENT FIRST USES THE HIGH-USAGE INTEROFFICE +TRUNK GROUPS, IF THEY ARE BUSY IT THEN GOES TO THE FINAL TRUNK GROUPS ON THE +NEXT HIGHEST LEVEL. IF THE CALL CANNOT BE CONNECTED THEN, YOU WILL PROBABLY GET +A RE-ORDER (120IPM BUSY SIGNAL) SIGNAL. AT THIS TIME, THE GUYS AT NETWORK +OPERATIONS ARE PROBABLY SHITTING IN THEIR PANTS AND TRYING TO AVOID THE DREADED +NETWORK DREADLOCK (AS SEEN ON TV!). + + + Page 108 + + + + + The Official Phreaker's Manual + + IT IS ALSO INTERESTING TO NOTE THAT 9 CONNECTIONS IN TANDEM IS CALLED +RING-AROUND-THE ROSY AND IT HAS NEVER OCCURRED IN TELEPHONE HISTORY. THIS +WOULD CASE AN ENDLESS LOOP CONNECTION. [ A NEAT WAY TO REALLY SCREW-UP THE +NETWORK]. + + THE 10 REGIONAL CENTERS IN THE US & THE 2 IN CANADA ARE ALL INTERCONNECTED. +THEY FORM THE FOUNDATION OF THE ENTIRE TELEPHONE NETWORK. SINCE THERE ARE ONLY +12 OF THEM, THEY ARE LISTED BELOW: + +CLASS 1 REGIONAL OFFICE LOCATION NPA +---------------------------------- --- +DALLAS 4 ESS 214 +WAYNE, PA 215 +DENVER 4T 303 +REGINA NO.2 SP1-4W [CANADA] 306 +ST. LOUIS 4T 314 +ROCKDALE, GA 404 +PITTSBURGH 4E 412 +MONTREAL NO.1 4AETS [CANADA] 504 +NORWICH, NY 607 +SAN BERNARDINO, CA 714 +NORWAY, IL 815 +WHITE PLAINS 4T, NY 914 + + THE FOLLOWING DIAGRAM DEMONSTRATES HOW THE VARIOUS OFFICES MAY BE +CONNECTED: + + _________________________ + _|_ _|_ _|_ REGIONAL + | | | | | | OFFICES + | 1 | <=--=> | 1 | <=--=> | 1 | <<==------ + |___| |___| |___| + | OTHERSX/ + _________________|_______________________| + _|_ _|_ _|_ _|__ _|_ +| | | | | | | | | | +| 2 | | 3 | | 4 | | 4P | | 5 | +|___| |___| |___| |____| |___| + | | | | + |____ | _|__ | + _|_ _|_ | __|_ _|_ X +| || || | || | |_____ +| 3 || 4 || | 4X || 5 | _|__ _|_ +|___||___|| |____||___|| || | + | | | 4X || 5 | + __|_ | |____||___| + | ||_____________ + | 5R | _______|_________ + |____| | | | + _|_ _|_ _|_ __|_ + | | | | | | | | + | R | | 4 | | 5 | | 5R | + |___| |___| |___| |____| + +NOTE: THE PRECEDING DIAGRAM USED SPECIAL SYMBOLS FROM AN APPLE //E THAT MAY NOT +BE VIEWED AS I INTENDED THEM IF YOU ARE NOT USING AN APPLE//E OR //C. + +SWITCHING EQUIPMENT + + Page 109 + + + + + The Official Phreaker's Manual + +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN THE NETWORK, THERE ARE 3 MAJOR TYPES OF SWITCHING EQUIPMENT. THEY ARE +KNOWN AS: STEP, CROSSBAR, & ESS. + + +STEP-BY-STEP (SXS) +____________________________________________________________ + + THE STEP-BY-STEP, A/K/A THE STROWGER SWITCH OR TWO-MOTION SWITCH, WAS +INVENTED IN 1889 BY AN UNDERTAKER NAMED ALMON STROWGER. HE INVENTED THIS +MECHANICAL SWITCHING EQUIPMENT BECAUSE HE FELT THAT THE BIASED OPERATOR WAS +ROUTING ALL REQUESTS FOR AN 'UNDERTAKER' TO HER HUSBAND'S BUSINESS. BELL +STARTED USING THIS SYSTEM IN 1918 AS OF 1978, OVER 53% OF THE BELL EXCHANGES +USED THIS METHOD OF SWITCHING. + + STEP-BY-STEP SWITCHING IS CONTROLLED DIRECTLY BY THE DIAL PULSES WHICH MOVE +A SERIES OF SWITCHES (CALLED THE SWITCH TRAIN) IN ORDER. WHEN YOU FIRST PICK UP +THE FONE UNDER SXS, A LINEFINDER ACKNOWLEDGES THE REQUEST (SOONER OR LATER) BY +SENDING A DIAL TONE. IF YOU THEN DIALED 1234, THE EQUIPMENT WOULD FIRST FIND +AN IDLE SELECTOR SWITCH. IT WOULD THEN MOVE VERTICALLY 1 PULSE, IT WOULD THEN +MOVE HORIZONTALLY TO FIND A FREE SECOND SELECTOR, IT WOULD THEN MOVE 2 VERTICAL +PULSES, STEP HORIZONTALLY TO FIND THE NEXT SELECTOR, ETC. THUS THE FIRST +SWITCH IN THE TRAIN TAKES NO DIGITS, THE SECOND SWITCH TAKES 1 DIGIT, THE THIRD +SWITCH TAKES 1 DIGIT, & THE LAST SWITCH IN THE TRAIN (CALLED THE CONNECTOR) +TAKES THE LAST 2 DIGITS & CONNECTS YOUR CALLS. A NORMAL (10,000 LINE) EXCHANGE +REQUIRES 4 DIGITS (0000-9999) TO CONNECT A LOCAL CALL & THUS IT TAKES 4 +SWITCHES TO CONNECT EVERY CALL (LINEFINDER, 1ST & 2ND SELECTORS, & THE +CONNECTOR) . + + WHILE IT WAS THE FIRST, SXS SUCKS FOR THE FOLLOWING REASONS: + +[1] THE SWITCHED OFTEN BECOME JAMMED THUS THE CALLS OFTEN BECOME BLOCKED. + +[2] YOU CAN'T USE DTMF (DUAL-TONE MULTI-FREQUENCY A/K/A TOUCH-TONE) DIRECTLY. +IT IS POSSIBLE THAT THE TELCO MAY HAVE INSTALLED A CONVERSION KIT BUT THEN THE +CALLS WILL GO THROUGH JUST AS SLOW AS PULSE, ANYWAY! + +[3] THEY USE A LOT OF ELECTRICITY & MECHANICAL MAINTENANCE. (BAD FROM TELCO +POINT OF VIEW) + +[4] EVERYTHING IS HARDWIRED. + + THEY CAN STILL HOOK UP PEN REGISTERS & OTHER SHIT ON THE LINE SO IT IS NOT +EXACTLY A PHREAK HAVEN. + +YOU CAN IDENTIFY SXS OFFICES BY: + +(1) LACK OF DTMF OR PULSING DIGITS AFTER DIALING DTMF. + +(2) IF YOU GO NEAR THE CO, IT WILL SOUND LIKE A TYPEWRITER TESTING FACTORY. + +(3) LACK OF SPEED CALLING, CALL FORWARDING, & OTHER CUSTOMER SERVICES. + +(4) FORTRESS FONES THAT WANT YOUR MONEY FIRST (AS OPPOSED TO DIAL TONE FIRST +ONES). + + THE PRECEDING DON'T NECESSARILY IMPLY THAT YOU HAVE SXS BUT THEY SURELY + + Page 110 + + + + + The Official Phreaker's Manual + +GIVE EVIDENCE THAT IT MIGHT BE. ALSO, IF ANY OF THE ABOVE CHARACTERISTICS +EXIST, IT CERTAINLY ISN'T ESS! ALSO, SXS HAVE PRETTY MUCH BEEN ERADICATED FROM +LARGE METROPOLITAN AREAS SUCH AS NYC (212). + +CROSSBAR: +____________________________________________________________ + + THERE ARE 3 MAJOR TYPES OF CROSSBAR SYSTEMS CALLED: NO. 1 CROSSBAR (1XB), +NO. 4 CROSSBAR (4XB), & NO. 5 CROSSBAR (5XB). 5XB HAS BEEN THE PRIMARY END +OFFICE SWITCH OF BELL SINCE THE 60'S AND THUS IT IS IN WIDE-USE. + + CROSSBAR USES A COMMON CONTROL SWITCHING METHOD. WHEN THERE IS AN INCOMING +CALL, A STORED PROGRAM DETERMINES ITS ROUTE THROUGH THE SWITCHING MATRIX. + +POINT WHERE THESE 2 LINES MEET IN THE MATRIX IS THE CONNECTION. + + +ESS +____________________________________________________________ + +ELECTRONIC SWITCHING SYSTEM (ESS) THE PHREAK'S NIGHTMARE COME TRUE (OR ORWELL'S +PROPHECY AS 2600 PUTS IT) + + ESS IS BELL'S MOVE TOWARDS THE AIRSTRIP ONE SOCIETY DEPICTED IN ORWELL'S +1984. WITH ESS, EVERY SINGLE DIGIT THAT YOU DIAL IS RECORDED--EVEN IF IT IS A +MISTAKE. THEY KNOW WHO YOU CALL, WHEN YOU CALL, HOW LONG YOU TALKED FOR, & +PROBABLY WHAT YOU TALKED ABOUT (IN SOME CASES). ESS CAN (AND IS) ALSO +PROGRAMMED TO PRINT OUT #'S OF PEOPLE WHO MAKE EXCESSIVE CALLS TO 800 #'S OR +DIRECTORY ASSISTANCE. THIS IS CALLED THE "800 EXCEPTIONAL CALLING REPORT." ESS +COULD ALSO BE PROGRAMMED TO PRINT OUT LOGS OF WHO CALLS CERTAIN #'S--LIKE A +BOOKIE, A KNOWN COMMUNIST, A BBS, ETC THE THING TO REMEMBER WITH ESS IS THAT IT +IS A SERIES OF PROGRAMS WORKING TOGETHER. THESE PROGRAMS CAN BE VERY EASILY +CHANGED TO DO WHATEVER THEY WANT IT TO DO. ONE PHREAK WHOM I KNOW HAS SOME ESS +SOURCE CODE LISTING WHICH IS INCREDIBLY COMPLEX (AS WELL AS DOCUMENTED--GRACIAS +DIOS). THIS SYSTEM MAKES THE JOB OF BELL SECURITY, THE FBI, NSA, & OTHER +ORGANIZATIONS THAT LIKE TO INVADE PRIVACY INCREDIBLY EASY. + + WITH ESS, TRACING IS DONE IN MICROSECONDS (EINE AUGENBLICK) & THE RESULTS +ARE PRINTED AT THE CONSOLE OF A BELL GESTAPO OFFICER. ESS WILL ALSO PICK UP +ANY "FOREIGN" TONES ON THE LINE SUCH AS 2600 HZ! + + BELL PREDICTS THAT THE COUNTRY WILL BECOME TOTALLY ESS BY THE 1990'S. + + YOU CAN IDENTIFY ESS BY THE FOLLOWING WHICH ARE USUALLY ESS FUNCTIONS: + +[1] DIALING 911 FOR HELP. +[2] DIAL-TONE-FIRST FORTRESSES. +[3] CUSTOM CALLING SERVICES SUCH AS:CALL FORWARDING, SPEED DIALING, & CALL +WAITING. (ASK YOUR BUSINESS OFFICE IF YOU CAN GET THESE.) +[4] ANI (AUTOMATIC NUMBER IDENTIFICATION) ON LD CALLS. + + PHREAKING DOES NOT COME TO A COMPLETE HALT UNDER ESS THOUGH--JUST BE VERY + + DUE TO THE FACT THAT ESS SENDS A COMPUTER GENERATED "ARTIFICIAL RING," +WHERE THE VOICE IS NOT CONNECTED DIRECTLY TO THE CALLED PARTIES LINE UNTIL HE + + Page 111 + + + + + The Official Phreaker's Manual + +PICKS UP, BLACK BOXES & INFINITY TRANSMITTERS WILL NOT WORK! + +NOTE: ANOTHER INTERESTING WAY TO FIND OUT WHAT TYPE OF EQUIPMENT YOU ARE ON IS +TO RAID THE TRASH CAN OF YOU LOCAL CO--THIS ART WILL DISCUSSED IN A SEPARATE +ARTICLE SOON. + +COMING SOON: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +IN THE PART V, WE WILL START TO TAKE A LOOK AT TELEPHONE ELECTRONICS. + +FURTHER READING: + +FOR MORE INFORMATION ON THE ABOVE TOPICS, I SUGGEST THE FOLLOWING: + +NOTES ON THE NETWORK, AT&T, 1980. + +UNDERSTANDING TELEPHONE ELECTRONICS,TEXAS INSTRUMENTS, 1983. + +AND SUBSCRIPTIONS TO: + +TAP, ROOM 603, 147 W 42 ST, NEW YORK, NY 10036. SUBSCRIPTIONS ARE +$10/YEAR.#BACK ISSUES ARE $0.75. THE CURRENT ISSUES IS #90 (JAN/FEB 1984) + +2600, BOX 752, MIDDLE ISLAND, NY 11953. SUBSCRIPTIONS ARE $10/YEAR. BACKISSUES +ARE $1 EACH. THE CURRENT ISSUE IS #4 (APRIL 1984). + +THEY ARE BOTH EXCELLENT SOURCES OF ALL SORTS OF INFORMATION (PRIMARILY +PHREAKING/HACKING). + +NOTE: FOR THE MOST PART, I HAVE ASSUMED THAT YOU HAVE READ MY PREVIOUS 3 +COURSES IN THE BASIC TELCOM SERIES. + +HASTA LUEGO, + +*****BIOC +*=$=*AGENT +*****003 + +APRIL 13, 1984 [THE YEAR OF BIG BROTHER] + +<<=-FARGO 4A-=>> + + + + + + + + + + + + + + + + + + Page 112 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART V * + * * + ************************************************************ + + +PREFACE: + + PREVIOUS INSTALLMENTS OF THIS SERIES WERE FOCUSED ON TELEPHONY FROM A +NETWORK POINT-OF-VIEW. PART V WILL DEAL WITH TELEPHONE ELECTRONICS FOCUSING +PRIMARILY ON THE SUBSCRIBER'S TELEPHONE. HERE-IN-AFTER SIMPLY REFERRED TO AS +"FONE." + +WIRING: +____________________________________________________________ + + ASSUMING A STANDARD ONE-LINE FONE, THERE ARE USUALLY 4 WIRES THAT LEAD OUT +OF THE FONE SET. THESE ARE STANDARDLY COLORED RED, GREEN, YELLOW, & BLACK. +THE RED & GREEN SIRES ARE THE TWO THAT ARE ACTUALLY HOOKED UP TO YOUR CO. THE +YELLOW WIRE IS SOMETIMES USED TO RING DIFFERENT FONES ON A PARTY LINE (IE, ONE +#, SEVERAL FAMILIES--FOUND PRIMARILY IN RURAL AREAS WHERE THEY PAY LESS FOR THE +SERVICE AND THEY DON'T USE THE FONE AS MUCH); OTHERWISE, THE YELLOW IS USUALLY +JUST IGNORED. ON SOME TWO-LINE FONES, THE RED & GREEN WIRES ARE USED FOR THE +FIRST FONE # AND THE YELLOW & BLACK ARE USED FOR THE SECOND LINE. IN THIS CASE + IN TELEPHONY, THE RED & GREEN WIRES ARE OFTEN REFERRED TO AS TIP (T) & RING +(R). THE TIP IS USUALLY THE MORE POSITIVE OF THE TWO WIRES. THIS NAMING GOES +BACK TO THE OLD OPERATOR CORD BOARDS WHERE ONE OF THE WIRES WAS THE TIP OF THE +PLUG AND THE OTHER WAS THE RING (OF THE BARREL). + A ROTARY FONE (AKA DIAL OR PULSE) WILL WORK FINE REGARDLESS WHETHER THE RED +(OR GREEN) WIRE IS CONNECTED THE TIP(+) OR RING(-). A TOUCH-TONE (TM) FONE IS +A DIFFERENT STORY, THOUGH. IT WILL NOT WORK EXCEPT IF THE TIP(+) IS THE GREEN +WIRE. [ALTHOUGH, SOME OF THE MORE EXPENSIVE DTMF FONES DO HAVE A RECTIFIER +BRIDGE WHICH COMPENSATES FOR POLARITY REVERSAL.] THIS I WHY UNDER CERTAIN +(NON-DIGITAL) SWITCHING EQUIPMENT YOU CAN REVERSE THE RED & GREEN WIRES ON A +TOUCH-TONE FONE AND RECEIVE FREE DTMF SERVICE. EVEN THOUGH IT WON'T BREAK DIAL +TONE, REVERSING THE WIRES ON A ROTARY LINE ON A DIGITAL SWITCH WILL CAUSE THE +TONES TO BE GENERATED. + +VOLTAGES, ETC. +____________________________________________________________ + + WHEN YOUR TELEPHONE IS ON-HOOK (IE, HUNG UP) THERE IS APPROXIMATELY 48 +VOLTS OF DC CURRENT (VDC) FLOWING THROUGH THE TIP & RING. WHEN THE HANDSET OF +A FONE IS LIFTED A FEW SWITCHES CLOSE WHICH CAUSE A LOOP TO BE CONNECTED (KNOWN +AS THE "LOCAL LOOP") BETWEEN YOUR FONE & THE CO. ONCE THIS HAPPENS DC CURRENT +IS ABLE TO FLOW THROUGH THE FONE WITH LESS RESISTANCE. THIS CAUSES A RELAY TO +ENERGIZE WHICH CAUSES OTHER CO EQUIPMENT TO REALIZE THAT YOU WANT SERVICE. +EVENTUALLY, YOU SHOULD END UP WITH A DIAL TONE. THIS ALSO CAUSES THE 48 VDC TO +DROP DOWN INTO THE VICINITY OF 13 VOLTS. THE RESISTANCE OF THE LOOP ALSO DROPS +BELOW THE 2500 OHM LEVEL. + + Page 113 + + + + + The Official Phreaker's Manual + + + AS OF NOW, YOU ARE PROBABLY SAYING TO YOURSELF THAT THIS IS ALL NICE AND +TECHNICAL BUT WHAT THE HELL GOOD IS THE INFORMATION. WELL, ALSO CONSIDER THAT +THIS VOLTAGE (& RESISTANCE) DROP IS HOW THE CO DETECTS THAT A FONE WAS TAKEN +OFF HOOK (PICKED UP). IN THIS WAY, THEY KNOW WHEN TO START BILLING THE CALLING +NUMBER. NOW WHAT DO YOU SUPPOSE WOULD HAPPEN IF A DEVICE SUCH AS A RESISTOR OR +A ZENER DIODE WAS PLACED ON THE CALLED PARTIES LINE SO THAT THE VOLTAGE WOULD +DROP JUST ENOUGH TO ALLOW TALKING BUT NOT ENOUGH TO START BILLING? FIRST OFF, +THE CALLING PARTY WOULD NOT BE BILLED FOR THE CALL BUT CONVERSATION COULD BE +PURSUED. SECONDLY, THE CO EQUIPMENT WOULD THINK THAT THE FONE JUST KEPT ON +RINGING. THE TELCO CALLS THIS A "NO-NO" (TOLL FRAUD TO BE MORE SPECIFIC) WHILE +PHONE PHREAKS AFFECTIONATELY CALL THIS MUTE A BLACK BOX. + + THE FOLLOWING ARE INSTRUCTIONS ON HOW TO BUILD A SIMPLE BLACK BOX. OF +COURSE, ANYTHING THAT PREVENTS THE VOLTAGE FROM DROPPING WOULD WORK. +YOU ONE OR TWO PARTS: A SPST TOGGLE SWITCH AND A 10,000 OHM (10 K), 1/2 +WATT RESISTOR. ANY ELECTRONICS STORE SHOULD STOCK THESE PARTS. + + NOW, CUT 2 PIECES OF WIRE (ABOUT 6 INCHES LONG) AND ATTACH ONE END OF EACH +WIRE TO ONE OF THE TERMINALS ON THE SWITCH. NOW TURN YOUR K500 (STANDARD DESK +FONE) UPSIDE DOWN AND TAKE OFF THE COVER. LOCATE THE 2 SCREWS ON THE NETWORK +BOX LABELED >F< AND >RR<. WRAP THE RESISTOR BETWEEN THE 2 SCREWS MAKING SURE +THAT IT DOESN'T TOUCH ANY OTHER TERMINALS!. NOW CONNECT ONE WIRE FROM THE +SWITCH TO THE RR TERMINAL. FINALLY, ATTACH THE REMAINING WIRE TO THE GREEN WIRE +(DISCONNECT IT FROM ITS TERMINAL). NOW BRING THE SWITCH OUT THE REAR OF THE +FONE AND REPLACE THE COVER. + + PUT THE SWITCH IN A POSITION WHERE YOU RECEIVE A DIAL TONE. MARK THIS +POSITION NORMAL. MARK THE OTHER SIDE FREE. + + WHEN YOUR PHRIENDS CALL (AT A PREARRANGED TIME), QUICKLY LIFT & DROP THE +RECEIVER AS FAST A POSSIBLE. THIS WILL STOP THE RINGING (DO IT AGAIN IF IT +DOESN'T) WITH OUT STARTING THE BILLING. IT IS IMPORTANT THAT YOU DO IT QUICKLY +(LESS THAN ONE SECOND THEN PUT THE SWITCH IN THE FREE POSITION AND PICK UP THE +FONE. KEEP ALL CALL SHORT AND PREFERABLY UNDER 15 MINUTES. + +NOTE: IF ANYONE PICKS UP AN EXTENSION IN THE CALLED PARTIES HOUSE AND THAT +FONE IS NOT SET FOR FREE THEN BILLING WILL START. + +NOTE: AN OLD WAY OF SIGNALING A PHRIEND THAT YOU ARE ABOUT TO CALL IS +MAKING A COLLECT CALL TO A NON-EXISTENT PERSON IN THE HOUSE. SINCE YOUR FRIEND +WILL NOT ACCEPT THE CHARGES, HE WILL KNOW THAT YOU ARE ABOUT TO CALL AND THUS +PREPARE THE BLACK BOX (OR VISA VERSA). + +WARNING: THE TELCO CAN DETECT BLACK BOXES IF THEY SUSPECT ONE ON YOUR LINE. +THIS IS DONE DUE TO THE PRESENCE OF AC VOICE SIGNAL AT THE WRONG DC LEVEL! + +PICTORIAL DIAGRAM: (STANDARD ROTARY K500 FONE) +____________________________________________________________ + + _____________________________________ +| | +***BLUE WIRE**>>F< | +| * * | +**WHITE WIRE** * | +| * | +| RESISTOR | +| * | + + Page 114 + + + + + The Official Phreaker's Manual + +| * | +| >RR<*******SWITCH**** | +| * | +****GREEN WIRE********************** | +| | +|_____________________________________| + +NOTE: THE BLACK BOX WILL NOT WORK UNDER ESS OR OTHER SIMILAR DIGITAL +SWITCHES SINCE ESS DOES NOT CONNECT THE VOICE CIRCUITS UNTIL THE FONE IS PICKED +UP (& BILLING STARTS). INSTEAD, ESS USES AN "ARTIFICIAL" COMPUTER GENERATED +RING. + +RINGING: +____________________________________________________________ + + TO INFORM A SUBSCRIBER OF AN INCOMING CALL, THE TELCO SENDS 90 VOLTS (RMS) +OF AC CURRENT DOWN THE LINE (AT AROUND 15 TO 60 HZ) IN STANDARD FONES, THIS +CAUSES A METAL ARMATURE TO BE ATTRACTED ALTERNATELY BETWEEN TWO ELECTRO-MAGNETS +THUS STRIKING 2 BELLS. OF COURSE, THE STANDARD BELL (PATENTED IN 1878 BY TOM +A. WATSON) CAN BE REPLACED BY A MORE MODERN ELECTRONIC BELL OR SIGNALING +DEVICE. + + ALSO, YOU CAN HAVE LIGHTS AND OTHER SIMILAR DEVICES IN LIEU OF (OR IN +CONJUNCTION WITH) THE BELL. A SIMPLE NEON LIGHT (WITH ITS CORRESPONDING +RESISTOR) CAN SIMPLY BE CONNECTED BETWEEN THE RED & GREEN WIRES (USUALLY L1 & +L2 ON THE NETWORK BOX) SO THAT IT LIGHTS UP ON INCOMING CALLS. A REGULAR 60 +WATT LIGHT BULB CAN ALSO BE HOOKED UP USING A SIMPLE (120 VAC) RELAY. + +WARNING: 90 & 120 VAC CAN GIVE QUITE A SHOCK. EXERCISE EXTREME CAUTION IF +YOU WISH TO FURTHER PURSUE THESE TOPICS. + + ALSO INCLUDED IN THE RINGING CIRCUIT IS A CAPACITOR TO PREVENT THE DC +CURRENT FROM INTERFERING WITH THE BELL [A CAPACITOR WILL PASS AC CURRENT WHILE +IT WILL PREVENT DC CURRENT FROM FLOWING (BY STORING IT)]. + ANOTHER REASON THAT THE TELCO HATES BLACK BOXES IS BECAUSE RINGING USES +ALOT OF COMMON-CONTROL EQUIPMENT, IN THE CO, WHICH USE ALOT OF ELECTRICITY. +THUS THE RINGING GENERATORS ARE BEING TIED UP WHILE A FREE CALL IS BEING MADE. +USUALLY CALLS THAT ARE ALLOWED TO RING FOR A LONG PERIOD OF TIME MAY BE +CONSTRUED AS SUSPICIOUS. SOME OFFICES MAY BE SET UP TO DROP A TROUBLE CARD FOR +LONG PERIODS OF RINGING THEN A "NO-NO" DETECTION DEVICE MAY BE PLACED ON THE +LINE. + INCIDENTALLY, THE TERM "RING TRIP" REFERS TO THE CO PROCESS INVOLVED TO +STOP THE AC RINGING SIGNAL WHEN THE CALLING FONE GOES OFF HOOK. + +NOTE: IT IS SUGGESTED THAT YOU ACTUALLY DISSECT FONES TO HELP YOU BETTER +UNDERSTAND THEM. IT WILL ALSO HELP YOU TO BETTER UNDERSTAND THE CONCEPTS HERE +IF YOU ACTUALLY PROVE THEM TO YOURSELF. FOR EXAMPLE, ACTUALLY TAKE THE VOLTAGE +READINGS ON YOUR FONE LINE [ANY SIMPLE MULTI-TESTER (A MUST) WILL DO.] +PHREAKING IS AN INTERACTIVE PROCESS NOT A PASSIVE ONE! + +DIALING: +____________________________________________________________ + + ON A STANDARD FONE, THERE ARE TWO COMMON TYPES OF DIALING: PULSE & DTMF. +OF COURSE, SOME PEOPLE INSIST UPON BEING DIFFERENT AND DON'T USE THE DT THUS +LEAVING THEM WITH MF (MULTI FREQUENCY, AKA OPERATOR, BLUE BOX) TONES. THIS IS +ANOTHER "NO-NO" AND THE TELCO SECURITY GENTLEMEN HAVE A SPECIAL KNACK FOR +DEALING WITH SUCH "PHREAKS" ON THE NETWORK. + + Page 115 + + + + + The Official Phreaker's Manual + + WHEN YOU DIAL ROTARY, YOU ARE ACTUALLY RAPIDLY BREAKING & RECONNECTING +(MAKING) THE LOCAL LOOP ONCE FOR EVERY DIGIT DIALED. SINCE THE PHYSICAL +CONNECTION MUST BE BROKEN, YOU CANNOT DIAL IF ANOTHER EXTENSION (OF THAT #) IS +OFF-HOOK. NEITHER OF THE FONES WILL BE ABLE TO DIAL PULSE UNLESS THE OTHER +HANGS UP. + ANOTHER TERM OFTEN REFERRED TO IN TELEPHONE ELECTRONICS IS THE BREAK RATIO. +IN THE US, THERE ARE 10 PULSES PER SECOND (MAX). WHEN THE CIRCUIT IS OPENED IT +IS CALLED THE BREAK INTERVAL. WHEN IT IS CLOSED IT IS CALLED THE MAKE INTERVAL. +IN THE US, THERE IS A 60 MILLISECOND (MS) BREAK PERIOD AND A 40 MS MAKE PERIOD. +(60+40=100 MS = 1/10 MINUTE). THIS IS REFERRED TO AS A 60% BREAK INTERVAL. +SOME OF THE MORE SOPHISTICATED ELECTRONIC FONES CAN SWITCH BETWEEN A 60% & A +67% BREAK INTERVAL. THIS IS DUE TO THE FACT THAT MANY FOREIGN NATIONS USE A +67% BREAK INTERVAL. + HAVE YOU EVER BEEN IN AN OFFICE OR A SIMILAR FACILITY AND SAW A FONE +WAITING TO BE USED FOR A FREE CALL BUT SOME ASSHOLE PUT A LOCK ON IT TO PREVENT +OUTGOING CALLS? + WELL, DON'T FRET PHELLOW PHREAKS, YOU CAN SIMULATE PULSE DIALING BY RAPIDLY +DEPRESSING THE SWITCHOOK. (IF YOU DEPRESS IT FOR LONGER THAN A SECOND IT WILL +BE CONSTRUED AS A DISCONNECT.) BY RAPIDLY SWITCHOOKING YOU ARE CAUSING THE +LOCAL LOOP TO BE BROKEN & MADE SIMILAR TO ROTARY DIALING! THUS IF YOU CAN +MANAGE TO SWITCHOOK RAPIDLY 10 TIMES YOU CAN REACH AN OPERATOR TO PLACE ANY +CALL YOU WANT! THIS TAKES ALOT OF PRACTICE, THOUGH. YOU MIGHT WANT TO PRACTICE +ON YOUR OWN FONE DIALING A FRIEND'S # OR SOMETHING ELSE. INCIDENTALLY, THIS +METHOD WILL ALSO WORK WITH DTMF FONES SINCE ALL DTMF LINES CAN ALSO HANDLE +ROTARY. + ANOTHER PROBLEM WITH PULSE DIALING IS THAT IT PRODUCES HIGH-VOLTAGE SPIKES +THAT MAKE LOUD NOISES IN THE EARPIECE AND CAUSE THE BELL TO "TINKLE." IF YOU +NEVER NOTICED THIS THEN YOUR FONE HAS A SPECIAL "ANTI-TINKLE" & EARPIECE +SHORTING CIRCUIT (MOST DO). IF YOU HAVE EVER DISSECTED A ROTARY FONE (A MUST +FOR ANY SERIOUS PHREAK) YOU WOULD HAVE NOTICED THAT THERE ARE 2 SETS OF CONTACT +THAT OPEN AND CLOSE DURING PULSING (ON THE BACK OF THE ROTARY DIAL UNDER THE +PLASTIC COVER). ONE OF THESE ACTUALLY OPENS AND +CLOSES THE LOOP WHILE THE OTHER MUTES THE EARPIECE BY SHORTING IT OUT. THE +SECOND CONTACTS ALSO ACTIVATES A SPECIAL ANTI-TINKLE CIRCUIT THAT PUTS A 340 +OHM RESISTOR ACROSS THE RINGING CIRCUIT WHICH PREVENTS THE HIGH VOLTAGE SPIKES +FROM INTERFERING WITH THE BELL. + DUAL TONE MULTI FREQUENCY (DTMF) IS A MODERN DAY IMPROVEMENT ON PULSE +DIALING IN SEVERAL WAYS. FIRST OF ALL, IT IS MORE CONVENIENT FOR THE USER +SINCE IT IS FASTER AND CAN BE USED FOR SIGNALING AFTER THE CALL IS COMPLETED +(IE, SCC'S, COMPUTERS, ETC.). ALSO, IT IS MORE UPTO PAR WITH MODERN DAY +SWITCHING EQUIPMENT (SUCH AS ESS) SINCE PULSE DIALING WAS DESIGNED TO ACTUALLY +MOVE RELAYS BY THE NUMBER OF DIGITS DIALED (IN SXS OFFICES). + + EACH KEY ON A DTMF KEYPAD PRODUCES 2 FREQUENCIES SIMULTANEOUSLY (ONE FROM +THE HIGH GROUP AND ANOTHER FROM THE LOW GROUP). + + _______________________________________________ +LOW GROUP | | | | | + 697 HZ-| Q | ABC | DEF | | + | 1 | 2 | 3 | A | + |___________|___________|___________|___________| + | | | | | + 770 HZ-| GHI | JKL | MNO | | + | 1 | 2 | 3 | B | + |___________|___________|___________|___________| + | | | | | + 852 HZ-| PRS | TUV | WXY | | + | 1 | 2 | 3 | C | + + Page 116 + + + + + The Official Phreaker's Manual + + |___________|___________|___________|___________| + | | OPERATOR | | | + 941 HZ-| | Z | | | + | * | 0 | # | D | + |___________|___________|___________|___________| + | | | | + 1209 HZ 1336 HZ 1477 HZ 1633 HZ + HIGH GROUP + +A PORTABLE DTMF KEYPAD IS KNOWN AS A WHITE BOX. + + THE FOURTH COLUMN (1633 HZ) IS NOT NORMALLY FOUND ON REGULAR FONES BUT IT +DOES HAVE SEVERAL SPECIAL USES. FOR ONE, IT IS USED TO DESIGNATE THE PRIORITY +OF CALLS ON AUTOVON, THE MILITARY FONE NETWORK. THESE KEY ARE CALLED: FLASH, +IMMEDIATE, PRIORITY, & ROUTINE (WITH VARIATIONS) INSTEAD OF ABCD. SECONDLY, +THESE KEYS ARE USED FOR TESTING PURPOSES BY THE TELCO. IN SOME AREA YOU CAN +FIND LOOPS AS WELL AS OTHER NEAT TESTS (SEE PART II) ON THE 555-1212 DIRECTORY +ASSISTANCE EXCHANGE. FOR THIS, YOU WOULD CALL UP AN DA IN CERTAIN AREAS [THAT +HAVE AN AUTOMATIC CALL DISTRIBUTOR (ACD)] AND HOLD DOWN THE "D" KEY WHICH +SHOULD BLOW THE OPERATOR OFF. YOU WILL THEN HEAR A PULSING DIAL TONE WHICH +INDICATES THAT YOU ARE IN THE ACD INTERNAL TESTING MODE. YOU CAN GET ON ONE +SIDE OF A LOOP BY DIALING A 6. THE OTHER SIDE IS 7. SOME PHREAKS CLAIM THAT +IF THE PERSON ON SIDE 6 HANGS UP, OCCASIONALLY THE EQUIPMENT WILL SCREW UP AD +START DIRECTING DIRECTORY ASSISTANCE CALLS TO THE OTHER SIDE OF THE LOOP. +ANOTHER ALLEGED TEST IS CALLED REMOB WHICH ALLOWS YOU TO TAP INTO LINES BY +ENTERING A SPECIAL CODE FOLLOWED BY THE 7 DIGIT NUMBER YOU WANT TO MONITOR. +THEN THERE IS THE POSSIBILITY OF MASS CONFERENCING. + ACD'S ARE BECOME RARE THOUGH. YOU WILL PROBABLY HAVE TO MAKE SEVERAL +NPA-555- 1212 CALLS BEFORE YOU FIND ONE. + YOU CAN MODIFY REGULAR FONES QUITE READILY SO THAT THEY HAVE A SWITCH TO +CHANGE BETWEEN THE 3RD AND 4TH COLUMNS. THIS IS CALLED A SILVER BOX (AKA GREY +BOX) AD PLANS CAN BE FOUND IN TAP AS WELL AS ON MANY BBS'S. + +TRANSMITTER/RECEIVER: +____________________________________________________________ + + WHEN YOU TALK INTO THE TRANSMITTER, THE SOUND WAVES FROM YOUR VOICE CAUSE A +DIAPHRAGM TO VIBRATE AND PRESS AGAINST THE CARBON GRANULES (OR ANOTHER SIMILAR +SUBSTANCE). THIS CAUSES THE CARBON GRANULES TO COMPRESS AND CONTRACT THUS +CHANGING THE RESISTANCE OF THE DC CURRENT FLOWING THROUGH IT. THEREFORE, YOUR +AC VOICE SIGNAL IS SUPERIMPOSED OVER THE DC CURRENT OF THE LOCAL LOOP. THE +RECEIVER WORKS IN A SIMILAR FASHION WHERE THE SIMPLE TYPES UTILIZE A MAGNET, +ARMATURE, & DIAPHRAGM. + +HYBRID/INDUCTION COIL: +____________________________________________________________ + + AS YOU MAY HAVE NOTICED, THERE ARE TWO WIRES FOR THE RECEIVER AND TWO FOR +THE TRANSMITTER IN THE FONE, YET THE LOCAL LOOP CONSISTS OF 2 WIRES INSTEAD OF +4. THIS 4-WIRE TO 2-WIRE CONVERSION IS DONE INSIDE THE FONE BY A DEVICE KNOWN +AS AN INDUCTION COIL WHICH USES COUPLING TRANSFORMERS. + THE REASON 2 SIRES ARE USED ON THE LOCAL LOOPS ARE BECAUSE IT IS ALOT +CHEAPER FOR THE TELCO. ALTHOUGH, ALL OF THE INTER-OFFICE TRUNKS UTILIZE 4 +WIRES. THIS IS NECESSARY FOR FULL DUPLEX (IE, SIMULTANEOUS CONVERSATION ON +BOTH SIDES) AND FOR AMPLIFICATION DEVICES. THERE ARE SIMILAR DEVICES IN THE +CO'S, KNOWN AS A HYBRID, THAT COUPLE THE 4-WIRE TRUNKS TO THE 2-WIRE LOCAL +LOOPS AND VISA-VERSA. + + + Page 117 + + + + + The Official Phreaker's Manual + +MISCELLANEOUS: +____________________________________________________________ + + IN THE TELEPHONE, THERE IS ALSO A BALANCING NETWORK CONSISTING OF A FEW +CAPACITORS & RESISTORS WHICH PROVIDE SIDETONE. SIDETONE ALLOWS THE CALLER TO +HEAR HIS OWN VOLUME IN THE RECEIVER. HE CAN THEN ADJUST HIS VOICE ACCORDINGLY. +THIS PREVENTS PEOPLE FROM SHOUTING OR SPEAKING TOO SOFTLY WITHOUT NOTICING IT. + +HOLD: +____________________________________________________________ + + WHEN A TELEPHONE GOES OFF HOOK, THE RESISTANCE DROPS BELOW 2500 OHMS. AT +THIS POINT, THE TELCO WILL SEND A DIAL TONE. TO PUT SOMEONE ON HOLD YOU MUST +PUT A 1000 OHM RESISTOR (1 WATT) ACROSS THE TIP & RING BEFORE IT REACHES THE +SWITCHOOK. IN THIS WAY, WHEN THE FONE IS HUNG UP (FOR HOLD) THE RESISTANCE +REMAINS BELOW 2500 OHMS WHICH CAUSES THE CO TO BELIEVE THAT YOU ARE STILL +OFF-HOOK. YOU CAN BUILD A SIMPLE HOLD DEVICE USING THE FOLLOWING PICTORIAL +DIAGRAM: + +(RED) O_________________________ + [L1] | | | + | | | + 1000 OHM | X + | | X + RESISTOR RINGING | + | CIRCUIT | -SWITCH + | | | HOOK + / | | + / SPST SWITCH | X + | | X + | | | + | | | +(GREEN) O__|_____________|______| + [L2] +--> TO REST OF FONE + +CONCLUSION: +____________________________________________________________ + +NOTE: MANY OF THE ELECTRONICS COMPONENTS OF NORMAL FONES (K500) ARE +ENCLOSED IN THE NETWORK BOX (WHICH SHOULDN'T BE OPENED). + + I HAVE ASSUMED THAT THE READER HAS A BASIC KNOWLEDGE OF ELECTRONICS. ALSO, +I HAVE ASSUMED THAT YOU HAVE READ THE 4 PREVIOUS INSTALLMENTS OF THIS SERIES +(AND HOPEFULLY ENJOYED THEM). + + IN PART VI, WE WILL TAKE A LOOK AT FORTRESS FONES. + +SUGGESTED FURTHER READING: +____________________________________________________________ + +ELECTRONICS COURSES A-D, TAP, @ $.75 EACH. + +& OTHER ASSORTED SOURCES... + +TAP: ROOM 603/147 W 42 ST./NEW YORK, NY 10036. PLEASE SPECIFY BY BACKISSUE +#'S (NOT ARTICLE NAMES). ALL BACK-ISSUES ARE $1 EACH. SUBSCRIPTIONS ARE +$10/YEAR (10 ISSUES). SAY THAT BIOC AGENT 003 SENT YOU. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 119 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART VI * + * * + ************************************************************ + +REVISED: 27-OCT-84 + +Preface: + + This article will focus primarily on the standard Western Electric +single-slot coin telephone (aka fortress fone) which can be divided into 3 +types: + +- Dial-Tone First (DTF) + +- Coin-First (CF): (ie, it wants your $ before you receive a dial tone) + +- Dial Post-Pay Service (PP): you pay after the party answers + +Depositing Coins (Slugs): +____________________________________________________________ + + Once you have deposited your slug into a fortress, it is subjected to a +gamut of tests. The first obstacle for a slug is the magnetic trap. This will +stop any light-weight magnetic slugs and coins. If it passes this, the slug is +then classified as a nickel, dime, or quarter. Each slug is then checked for +appropriate size and weight. If these tests are passed, it will then travel +through a nickel, dime, or quarter magnet as appropriate. These magnets set up +an eddy current effect which causes coins of the appropriate characteristics to +slow down so they will follow the correct trajectory. If all goes well, the +coin will follow the correct path (such as bouncing off of the nickel anvil) +where it will hopefully fall into the narrow accepted coin channel. + The rather elaborate tests that are performed as the coin travels down the +coin chute will stop most slugs and other undesirable coins, such as pennies, +which must then be retrieved using the coin release lever. + If the slug miraculously survives the gamut, it will then strike the +appropriate totalizer arm causing a ratchet wheel to rotate once for every +5-cent increment (eg, a quarter will cause it to rotate 5 times). + The totalizer then causes the coin signal oscillator to readout a +dual-frequency signal indicating the value deposited to ACTS (a computer) or +the TSPS operator. These are the same tones used by phreaks in the infamous red +boxes. + For a quarter, 5 beep tones are outpulsed at 12-17 pulses per second (PPS). +A dime causes 2 beep tones at 5 - 8.5 PPS while a nickel causes one beep tone +at 5 - 8.5 PPS. A beep consists of 2 tones: 2200 + 1700 Hz. + A relay in the fortress called the "B relay" (yes, there is also an 'A +relay') places a capacitor across the speech circuit during totalizer read-out +to prevent the "customer" from hearing the red box tones. + In older 3 slot phones: one bell (1050-1100 Hz) for a nickel, two bells +for a dime, and one gong (800 Hz) for a quarter are used instead of the modern +dual-frequency tones. + +TSPS & ACTS +____________________________________________________________ + + Page 120 + + + + + The Official Phreaker's Manual + + + While fortresses are connected to the CO of the area, all transactions are +handled via the Traffic Service Position System (TSPS). In areas that do not +have ACTS, all calls that require operator assistance, such as calling card and +collect, are automatically routed to a TSPS operator position. + In an effort to automate fortress service, a computer system known as +Automated Coin Toll Service (ACTS) has been implemented in many areas. ACTS +listens to the red box signals from the fones and takes appropriate action. It +is ACTS which says, "Two dollars please (pause) Please deposit two dollars for +the next ten seconds" (and other variations). Also, if you talk for more than +three minutes and then hang-up, ACTS will call back and demand your money. +ACTS is also responsible for Automated Calling Card Service. + ACTS also provide trouble diagnosis for craftspeople (repairmen +specializing in fortresses). For example, there is a coin test which is great +for tuning up red boxes. In many areas this test can be activated by dialing +09591230 at a fortress (thanks to Karl Marx for this information). Once +activated it will request that you deposit various coins. It will then identify +the coin and outpulse the appropriate red box signal. The coins are usually +returned when you hang up. + To make sure that there is actually money in the fone, the CO initiates a +"ground test" at various times to determine if a coin is actually in the fone. +This is why you must deposit at least a nickel in order to use a red box! + +Green Boxes: +____________________________________________________________ + + Paying the initial rate in order to use a red box (on certain fortresses) +left a sour taste in many red boxer's mouths thus the GREEN BOX was invented. +The green box generates useful tones such as COIN COLLECT, COIN RETURN, and +RINGBACK. These are the tones that ACTS or the TSPS operator would send to the +CO when appropriate. Unfortunately, the green box cannot be used at a fortress +station but it must be used by the CALLED party. + +Here are the tones: + +COIN COLLECT 700 + 1100 Hz +COIN RETURN 1100 + 1700 Hz +RINGBACK 700 + 1700 Hz + + Before the called party sends any of these tones, an operator released +signal should be sent to alert the MF detectors at the CO. This can be +accomplished by sending 900 + 1500 Hz or a single 2600 Hz wink (90 ms) followed +by a 60 ms gap and then the appropriate signal for at least 900 ms. + Also, do not forget that the initial rate is collected shortly before the 3 +minute period is up. + Incidentally, once the above MF tones for collecting and returning coins +reach the CO, they are converted into an appropriate DC pulse (-130 volts for +return & +130 volts for collect). This pulse is then sent down the tip to the +fortress. This causes the coin relay to either return or collect the coins. + The alleged "T-Network" takes advantage of this information. When a pulse +for COIN COLLECT (+130 VDC) is sent down the line, it must be grounded +somewhere. This is usually either the yellow or black wire. Thus, if the wires +are exposed, these wires can be cut to prevent the pulse from being grounded. +When the three minute initial period is almost up, make sure that the black & +yellow wires are severed; then hang up, wait about 15 seconds in case of a +second pulse, reconnect the wires, pick up the fone, hang up again, and if all +goes well it should be "JACKPOT" time. + + + Page 121 + + + + + The Official Phreaker's Manual + +Physical Attack: +____________________________________________________________ + + A typical fortress weighs roughly 50 lbs. with an empty coin box. Most of +this is accounted for in the armor plating. Why all the security? Well, Bell +contributes it to the following: + + "Social changes during the 1960's made the multislot coin station a +prime target for: vandalism, strong arm robbery, fraud, and theft of service. +This brought about the introduction of the more rugged single slot coin station +and a new environment for coin service." + +As for picking the lock, I will quote Mr. Phelps: + + "We often fantasize about 'picking the lock' or 'getting a master +key.' Well, you can forget about it. I don't like to discourage people, but it +will save you from wasting alot of your time--time which can be put to better +use (heh, heh)." + + As for physical attack, the coin plate is secured on all four side by +hardened steel bolts which pass through two slots each. These bolts are in +turn interlocked by the main lock. + One phreak I know did manage to take one of the 'mothers' home (which was +attached to a piece of plywood at a construction site; otherwise, the permanent +ones are a bitch to detach from the wall!). It took him almost ten hours to +open the coin box using a power drill, sledge hammers, and crow bars (which was +empty -- perhaps next time, he will deposit a coin first to hear if it slushes +down nicely or hits the empty bottom with a clunk.) + Taking the fone offers a higher margin of success. Although this may be +difficult often requiring brute force and there has been several cases of back +axles being lost trying to take down a fone! A quick and dirty way to open the +coin box is by using a shotgun. In Detroit, after ecologists cleaned out a +municipal pond, they found 168 coin phones rifled. + In colder areas, such as Canada, some shrewd people tape up the fones using +duct tape, pour in water, and come back the next day when the water will have +froze thus expanding and cracking the fone open.In one case: + + "unauthorized coin collectors" where caught when they brought $6,000 in +change to a bank and the bank became suspicious... + + At any rate, the main lock is an eight level tumbler located on the right +side of the coin box. This lock has 390,625 possible positions (5 ^ 8, since +there are 8 tumblers each with 5 possible positions) thus it is highly pick +resistant! The lock is held in place by 4 screws. If there is sufficient +clearance to the right of the fone, it is conceivable to punch out the screws +using the drilling pattern below (provided by Alexander Mundy in TAP) + + + + + + + + + + + + + + Page 122 + + + + + The Official Phreaker's Manual + + Chapter 5 + + What is covered in these last few articles, is the essence of phreaking, +blue boxing & equal access. These last articles, I hope will be the final +stage of phreak education for now. Basic telecommunications 7 is a brief intro +to the art of blue boxing, while Better Homes & Blue Boxing will cover it in +full. Equal access will be an interesting switch, it is installed in my area +already and I have been investigating it. One thought is to call MCI operators +and box through them, over MCI lines... + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 123 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART VII * + * * + ************************************************************ + +Preface: + + After most neophyte phreaks overcome their fascination with Metro codes and +WATS extenders, they will usually seek to explore other avenues in the vast +phone network. Often they will come across references such as "simply dial KP ++ 2130801050 + ST for the Alliance teleconferencing system in LA.". Numbers +such as the one above were intended to be used with a blue box; this article +will explain the fundamental principles of the fine art of blue boxing. + +Genesis: +____________________________________________________________ + + In the beginning, all long distance calls were connected manually by +operators who passed on the called number verbally to other operators in +series. This is because pulse (aka rotary) digits are created by causing +breaks in the DC current (see Basic Telcom V). Since long distance calls +require routing through various switching equipment and AC voice amplifiers, +pulse dialing cannot be used to send the destination number to the end local +office (CO). + + Eventually, the demand for faster and more efficient long distance (LD) +service caused Bell to make a multi-billion dollar decision. They had to create +a signaling system that could be used on the LD Network. Basically, they had +two options: + +[1] To send all the signaling and supervisory information (ie, ON & OFF +HOOK) over separate data links. This type of signaling is referred to as +out-of-band signaling. + -or- +[2] To send all the signaling information along with the conversation +using tones to represent digits. This type of signaling is referred to as +in-band signaling. + + Being the cheap bastard that they naturally are, Bell chose the latter (and +cheaper) method -- IN-BAND signaling. They eventually regretted this, though +(heh, heh)... + +IN-BAND SIGNALING PRINCIPLES: +____________________________________________________________ + + When a subscriber dials a telephone number, whether in rotary or touch-tone +(aka DTMF), the equipment in the CO interprets the digits and looks for a +convenient trunk line to send the call on its way. In the case of a local +call, it will probably be sent via an inter-office trunk; otherwise, it will be +sent to a toll office (class 4 or higher -- see Telcom IV) to be processed. + + When trunks are not being used there is a 2600 Hz tone on the line; thus, +to find a free trunk, the CO equipment simply checks for the presence of 2600 +Hz. If it doesn't find a free trunk the customer will receive a re-order signal + + Page 124 + + + + + The Official Phreaker's Manual + +(120 IPM busy signal) or the "all circuits are busy..." message. If it does +find a free trunk it "seizes" it -- removing the 2600 Hz. It then sends the +called number or a special routing code to the other end or toll office. + + The tones it uses to send this information are called multi-frequency (MF) +tones. An MF tone consists of two tones from a set of six master tones which +are combined to produce 12 separate tones. You can sometimes hear these tones +in the background when you make a call but they are usually filtered out so +your delicate ears cannot hear them. These are NOT the same as touch-tones. + + To notify the equipment at the far end of the trunk that it is about to +receive routing information, the originating end first sends a Key Pulse (KP) +tone. At the end of sending the digits, #he originating end then sends a STart +(ST) tone. Thus to call 914-359-1517, the equipment would send KP + 9143591517 ++ ST in MF tones. When the customer hangs up, 2600 Hz is once again sent to +signify a disconnect to the distant end. + +History: +____________________________________________________________ + + In the November 1960 issue of The Bell System Technical Journal, an article +entitled "Signaling Systems for Control of Telephone Switching" was published. +This journal, which was sent to most university libraries, happened to contain +the actual MF tones used in signaling. They appeared as follows: + +Digit Tones +----- ----- + 1 700 + 900 Hz + 2 700 + 1100 Hz + 3 900 + 1100 Hz + 4 700 + 1300 Hz + 5 900 + 1300 Hz + 6 1100 + 1300 Hz + 7 700 + 1500 Hz + 8 900 + 1500 Hz + 9 1100 + 1500 Hz + 0 1300 + 1500 Hz + KP 1100 + 1700 Hz + ST 1500 + 1700 Hz + 11 (*) 700 + 1700 Hz + 12 (*) 900 + 1700 Hz + KP2 (*) 1300 + 1700 Hz + +(*) Used only on CCITT SYSTEM 5 for special international calling. + + Bell caught wind of blue boxing in 1961 when it caught a Washington state +college student using one. They originally found out about blue boxes through +police raids and informants. In 1964, Bell Labs came up with scanning +equipment, which recorded all suspicious calls, to detect blue box usage. +These units were installed in CO's where major toll fraud existed. AT&T +Security would then listen to the tapes to see if any toll fraud was actually +committed. Over 200 convictions resulted from the project. Surprisingly +enough, blue boxing is not solely limited to the electronics enthusiast; AT&T +has caught businessmen, film stars, doctors, lawyers, college students, high +school students and even a millionaire financier (Bernard Cornfeld) using the +device. AT&T also said that nearly half of those that they catch are +businessmen. + + + Page 125 + + + + + The Official Phreaker's Manual + + Of course, phone phreaks have achieved an almost cult status. They have +also had their fair share of media. In October 1971, Esquire published the +infamous "Secrets of the Little Blue Box" article which featured phreaks such +as Captain Crunch, who took his name from the cereal which one gave away +whistles that produced a perfect 2600 Hz pitch; Joe Engressia, the blind +phreak; and Mark Bernay, one of the nation's first and oldest phreaks. Others +such as Apple computer co-founders Steve Wozniak & Steve Jobs have also had +blue box backgrounds. 1971 also saw the publication of the first issue of YIPL, +the phone phreak newsletter, (now TAP) under the editorship of supreme yippie +Abbie Hoffman. + +Usage: +____________________________________________________________ + + To use a blue box, one would usually make a free call to any 800 number or +distant directory assistance (NPA-555-1212). This, of course, is legitimate. +When the call is answered, one would then swiftly press the button that would +send 2600 Hz down the line. This has the effect of making the distant CO +equipment think that the call was terminated and it leaves the trunk hanging. +Now, the user has about 10 seconds to enter in the telephone number he wished +to dial -- in MF, that is. The CO equipment merely assumes that this came from +another office and it will happily process the call. Since there are no records +(except on toll fraud detection devices!) of these MF tones, the user is not +billed for the call. When the user hangs up, the CO equipment simply records +that he hung up on a free call. + +Detection: +____________________________________________________________ + + Bell has had 20 years to work on detection devices; therefore, in this day +and age, they are rather well refined. Basically, the detection device will +look for the presence of 2600 Hz where it does not belong. It then records the +calling number and all activity after the 2600 Hz. If you happen to be at a +fortress fone, though, and you make the call short, your chances of getting +caught are significantly reduced (see Telcom VI). Incidentally, there have been +rumors of certain test numbers (see Telcom II) that hook directly into trunks +thus avoiding the need for 2600 Hz and detection! + + Another way that Bell catches boxers is to examine the CAMA (Centralized +Automatic Message Accounting) tapes. When you make a call, your number, the +called number, and time of day are all recorded. The same thing happens when +you hang up. This tape is then processed for billing purposes. Normally, all +free calls are ignored. But Bell can program the billing equipment to make note +of lengthy calls to directory assistance. They can then put a pen register +(aka DNR) on the line or an actual full-blown tap. This detection can be +avoided by making short-haul (aka local) calls to box off of. + + It is interesting to note that NPA+555-1212 originally did not return +answer supervision. Thus the calls were not recorded on the AMA/CAMA tapes. +AT&T changed this though for "traffic studies!" + +CCIS: +____________________________________________________________ + + Besides detection devices, Bell has begun to gradually redesign the network +using out-of-band signaling. This is known as Common Channel Inter-office +Signaling (CCIS). Since this signaling method sends all the signaling +information over separate data lines, blue boxing is impossible under it. + + Page 126 + + + + + The Official Phreaker's Manual + + + While being implemented gradually, this multi-billion dollar project is +still strangling the fine art of blue boxing. Of course until the project is +totally complete, boxing will still be possible. It will become progressively +harder to find places to box off of, though. In areas with CCIS, one must find +a directory assistance office that doesn't have CCIS yet. Area codes in Canada +and predominately rural states are the best bets. WATS numbers terminating in +non-CCIS cities are also good prospects. + +Pink Noise: +____________________________________________________________ + + Another way that may help to avoid detection is too add some "pink noise" +to the 2600 Hz tone. Since 2600 Hz tones can be simulated in speech, the +detection equipment must be careful not to misinterpret speech as a disconnect +signal. Thus a virtually pure 2600 Hz tone is required for disconnect. + + Keeping this in mind, the 2600 Hz detection equipment is also probably +looking for pure 2600 Hz or else is would be triggered every time someone hit +that note (highest E on a piano =2637 Hz). This is also the reason that the +2600 Hz tone must be sent rapidly; sometimes, it won't work when the operator +is saying "Hello, hello." It is feasible to send some "pink noise" along with +the 2600 Hz. Most of this energy should be above 3000 Hz. The pink noise +won't make it into the toll network (where we want our pure 2600 Hz to hit) but +it should make it past the local CO and thus the fraud detectors. + +Construction: +____________________________________________________________ + + While step-by-step details for the construction of a blue box is beyond the +scope of this tutorial, it is worthwhile to mention some of the details. + + First there are some alternatives but they are not as good as an actual +blue box. Many computers are capable of generating MF tones. Thus, your local +phriendly software pirate should have a program compatible for your computer. + + However, it is highly advisable not to box from home as stated in The Ten +Commandments (as interpreted for phreaks by Fred Steinbeck -- TAP #86). + +I. Box thou not over thine home telephone wires, for those who doest must +surely bring the full wrath of the Chief Special Agent down upon thy heads. + + Another alternative that has a moderate success rate involves recording the +tones from a phriend with a box or computer onto a cassette tape. They can +then be used at a fortress. + + As for actual construction techniques, TAP has devoted many issues to blue +boxing. Basically, a blue box is merely a device capable of generating two +different tones simultaneously. There are two basic construction methods that I +will outline below for the electronics hobbyist. + + The first involves the use of two 555 timer chips (or a 556 -- i.e., two +555's in one chip). It offers excellent frequency and voltage stability. +Also, it does not need a diode matrix keypad but used double-pole switches +instead. Schematics for this type of box can be found in TAP issue #29. + + The other common box makes use of two Intersil 8038CC Function Generators. +It does require a diode matrix keypad though, potentiometers, an LM-100 voltage + + Page 127 + + + + + The Official Phreaker's Manual + +regulator, a 741 Op-amp, and a handful of other parts. The schematics for this +type of blue box can be found in TAP #26. Both designs draw about 20 ma of +current. + + Also, most blue boxes use telephone earpieces (with the varistor removed) +for speakers. These can be easily liberated from fortress fones with a small +coping saw. + + Usually, the hardest part about building a blue box is the calibration. A +frequency counter is a must and an oscilloscope won't hurt. + + Some boxes also take timing into account. It is feasible on the ESS +systems that they check to see if the digits are of uniform length. If they +aren't, they are probably from a blue box and a trouble card may be dropped. +With this in mind, the Bell standard for MF pulses and interdigit intervals is +around 75 ms. It varies with the equipment used since ESS can handle higher +speeds and doesn't need interdigit intervals. + +Applications: +____________________________________________________________ + + Besides dialing normal calls free, i.e., KP+NPA+NNX+XXXX+ST, blue boxes +offer the entire network for exploration. Emergency break-ins, service +monitoring (aka taps), stacking tandems (the art of busying out all trunks +between two points), re-routing calls, conference calls, and much, much more +... Inward Operator City Codes + + Usually, the INWARD operator for an area is simply KP + NPA + 121 + +ST. In some area codes, though, there are several large cities and thus + + Page 128 + + + + + The Official Phreaker's Manual + +several inwards. To find the inward for a specific city, you would say "916 +756, operator route, please" to the R&R operator who will then tell you "916 +plus 001 plus." This means that KP+ 916 + 001 + 121 + ST will get you an +inward for Sacramento, CA (916-756). + +... City names + + If you want to know the city that corresponds to an area code and +exchange, you simply tell the R&R, "Place name, 914 390, please." In this +example, the R&R operator will respond with "White Plains, NY." + +... International Directory Assistance + + If you need a directory route for London, you could say +"International, London, England. TSPS directory route, please." The R&R +operator will respond with "Directory to London, England. Country code 44 plus +1 plus 986 plus 3611." Therefore to get a DA operator in London, you would +route yourself to an international sender and KP + 04419863611 + ST. + +... Country & City codes + + If you need to know the country and city code for an international +number you can say "International, Sydney, Australia, TSPS numbers route, +please" and get "Country code 61 plus 2." + +... International Inwards Routes + + To get routing codes for international inwards say "International, +London, England, TSPS inward route, please." The R&R Operator will respond with +"Country code 44 plus 121." + + Finally, to get language assistance for completing a foreign call you can +tell the foreign inward, "United States calling. Language assistance in +completing a call to (called party) at (called number)." + +151 -- Overseas incoming (212 +& 914+) +160-XX0 -- Various Overseas Operators +161 -- Trouble reporting operator (defunct) +181 -- Coin Refund Operator +18X -- Overseas senders + + To make an international call, one would KP + 011 + 0CC + ST where CC is +the country code. This will route you to the appropriate overseas sender. You +will then receive a 480 Hz dial tone. Here you enter KP + 0CC + city code + +local number + ST and the call is on its way. + + Country codes can be either 1, 2, or 3 digits but they must be padded for +three digits to create a pseudo-country code with extra zero's if necessary. +For example, England, country code 44, becomes 044. + + To see which international sender a certain country (lets use French +Guiana, country code 594, for example) goes through, you can dial KP + 011 + +594 + ST, wait for the Proceed to Send tone then KP + 000 + 0000 + ST and you +will receive a recording saying which ISC (International Switching Center) it +is. For the example it will say, "This is the international switching center +in Pittsburg, PA -- This is a recording - 4121." You can actually route calls +to certain senders yourself (KP + NPA + 18X + ST) but it is better off not to +since it may look suspicious if a call is sent through a sender that it + + Page 129 + + + + + The Official Phreaker's Manual + +shouldn't go through. Here are the senders: + +182 -- White Plains, NY +183 -- New York, NY +184 -- Pittsburg, PA +185 -- Orlando, FL +186 -- Oakland, CA +187 -- Denver, CO +188 -- New York, NY + + Also, there tends to be alot of talk about the Code 11, Code 12, KP2, STP, +ST3P, & ST2P keys. While they do exist the blue boxer need not concern himself +with them. The first three are used on CCITT System 5. This is the signaling +system that the International Senders use to send information to other +countries. These codes are usually added automatically just like the language +assistance digit [which distinguishes operator (or blue box) dialed calls from +customer dialed calls]. The STP, ST3P, & ST2P tones are used when equipment is +communicating with the TSPS. These also are automatically added when needed in +most cases. + +[see Telcom III for more on International Switching Centers (ISC)] + +11XXX -- miscellaneous operators +11501 -- universal cordboard operator +11511 -- conference operator +11521 -- mobile operator +11531 -- marine operator +11541 -- LD incoming switchboard +11551 -- leave word for time & charges (neat stuff) +11561 -- same as 11551 but for hotel/motels +11571 -- overseas operators (language assistance) + + The 11XXX series is interesting scanning material. + +Miscellaneous Routing Codes : +____________________________________________________________ + + Alliance Teleconferencing has several numbers, a few of which are listed +below: + +KP + 213 080 XXXX + ST +KP + 305 025 XXXX + ST +KP + 312 001 XXXX + ST +XXXX = 1050, 1100, or a few others + + Also, at KP + 317 009 + ST there is a MF tone checker. After the +beep-kerclunk, dial in KP + 999 1234567 890 + ST and it will repeat the digits +that you pulsed if they are of the right frequency. + +Tandem Scanning: +____________________________________________________________ + + To find all sorts of interesting things, you must look. Begin scanning +three digit codes in your area (i.e., KP + 000 + ST, KP + 001 + ST, etc.). Keep +track of all of your results. Sometimes you must probe things, send additional +digits and see what happens, send touch-tone, send it 2600 Hz, rip it apart. +You never know, you may run into something phun, like a computer that checks CC +numbers. + + Page 130 + + + + + The Official Phreaker's Manual + + + Incidentally, in some exchange you can dial inwards and other box codes +directly! For example, 914-121-1111 will get you a NY inward. The only problem +is that a 0 or 1 as the first digit of the exchange is usually *prohibited in +customer dialing. Somebody may have "accidentally" changed this screening code +on your ESS's computer, though -- you never know and it can't hurt to try. +WATS translation numbers also take up some of the 0XX & 1XX codes. + + Finally, certain tones on the blue box can also be used for other purposes. +An MF "2" corresponds to COIN COLLECT while "KP" corresponds to COIN RETURN. +Thus every blue box is also a green box (see Telcom VI). + +Coming soon: + +Telcom VIII will deal with cordless phones, mobile phones, and other neat +things. + +Be careful and have phun, + +*****BIOC +*=$=*Agent +*****003 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 131 + + + + + The Official Phreaker's Manual + +The Mark Tabas encounter series presents: + + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + Better Homes and Blue Boxing + + Part I + + Theory of Operation + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + To quote Karl Marx, blue boxing has always been the most noble form of +phreaking. As opposed to such things as using an MCI code to make a free fone +call, which is merely mindless pseudo-phreaking, blue boxing is actual +interaction with the Bell System toll network. It is likewise advisable to be +more cautious when blue boxing, but the careful phreak will not be caught, +regardless of what type of switching system he is under. + + In this part, I will explain how and why blue boxing works, as well as where. +In later parts, I will give more practical information for blue boxing and +routing information. + + To begin with, blue boxing is simply communicating with trunks. Trunks must +not be confused with subscriber lines (or "customer loops") which are standard +telefone lines. Trunks are those lines that connect central offices. Now, when +trunks are not in use (i.e., idle or "on-hook" state) they have 2600Hz applied +to them. If they are two-way trunks, there is 2600Hz in both directions. When a +trunk IS in use (busy or "off-hook" state"), the 2600Hz is removed from the +side that is off-hook. The 2600Hz is therefore known as a supervisory signal, +because it indicates the status of a trunk; on hook (tone) or off-hook (no +tone). Note also that 2600Hz denoted SF (single frequency) signalling and is +"in-band." This is very important. "In-band" means that is is within the band +of frequencies that may be transmitted over normal telefone lines. Other SF +signals, such as 3700Hz are used also. However, they cannot be carried over the +telefone network normally (they are "out-of-band") and are therefore not able +to be taken advantage of as 2600Hz is. + + Back to trunks. Let's take a hypothetical phone call. You pick up your fone +and dial 1+806-258-1234 (your good friend in Armarillo, Texas). For ease, we'll +assume that you are on #5 Crossbar switching and not in the 806 area. Your +central office (CO) would recognize that 806 is a foreign NPA, so it would +route the call to the toll centre that serves you. [For the sake of accuracy +here, and for the more experienced readers, note that the CO in question is a +class 5 with LAMA that uses out-of-band SF supervisory signalling]. Depending +on where you are in the country, the call would leave your toll centre (on more +trunks) to another toll centre, or office of higher "rank". Then it would be +routed to central office 806-258 eventually and the call would be completed. +Illustration: + +A---CO1-------TC1------TC2----CO2----B + +A=you +CO1=your central office +TC1=your toll office. +TC2=toll office in Amarillo. +CO2=806-258 central office. +B=your friend (806-258-1234) + + In this situation it would be realistic to say that CO2 uses SF in-band + + Page 132 + + + + + The Official Phreaker's Manual + +(2600Hz) signalling, while all the others use out-of-band signalling (3700Hz). +If you don't understand this, don't worry too much. I am pointing this out +merely for the sake of accuracy. The point is that while you are connected to +806-258-1234, all those trunks from YOUR central office (CO1) to the 806-258 +central office (CO2) do *NOT* have 2600Hz on them, indicating to the Bell +equipment that a call is in progress and the trunks are in use. + + Now let's say you're tired of talking to your friend in Amarillo +(806-258-1234) so you send a 2600Hz down the line. This tone travels down the +line to your friend's central office (CO2) where it is detected. However, that +CO thinks that the 2600Hz is originating from Bell equipment, indicating to it +that you've hung up, and thus the trunks are once again idle (with 2600Hz +present on them). But actually, you have not hung up, you have fooled the +equipment at your friend's CO into thinking you have. Thus,it disconnects him +and resets the equipment to prepare for the next call. All this happens very +quickly (300-800ms for step-by-step equipment and 150-400ms for other +equipment). + + When you stop sending 2600Hz (after about a second), the equipment thinks +that another call is coming towards it (e.g. it thinks the far end has come +"off-hook" since the tone has stopped. It could be thought of as a toggle +switch: tone --> on hook, no tone -->off hook. Now that you've stopped sending +2600Hz, several things happen: + +1) A trunk is seized. + +2) A "wink" is sent to the CALLING end from the CALLED end indicating that the +CALLED end (trunk) is not ready to receive digits yet. + +3) A register is found and attached to the CALLED end of the trunk within about +two seconds (max). + +4) A start-dial signal is sent to the CALLING end from the CALLED end +indicating that the CALLED end is ready to receive digits. + +Now, all of this is pretty much transparent to the blue boxer. All he really +hears when these four things happen is a . So, seizure of a +trunk would go something like this: + +1> Send a 2600Hz +2> Terminate 2600Hz after 1-2 secs. +3> [beep][kerchunk] + + Once this happens, you are connected to a tandem that is ready to obey your +every command. The next step is to send signalling information in order to +place your call. For this you must simulate the signalling used by operators +and automatic toll-dialing equipment for use on trunks. There are mainly two +systems, DP and MF. However, DP went out with the dinosaur , so I'll only +discuss MF signalling. MF (multi-frequency) signalling is the signalling used +by the majority of the inter- and intra-lata network. It is also used in +international dialing known as the CCITT no.5 system. + + MF signalling consists of 7 frequencies, beginning with 700Hz and separated +by 200Hz. A different set of two of the 7 frequencies represent the digits 0 +thru 9, plus an additional 5 special keys. The frequencies and uses are as +follows: + +Frequencies (Hz) Domestic Int'l + + Page 133 + + + + + The Official Phreaker's Manual + +-------------------------------------- + 700+900 1 1 + 700+1100 2 2 + 900+1100 3 3 + 700+1300 4 4 + 900+1300 5 5 +1100+1300 6 6 + 700+1500 7 7 + 900+1500 8 8 +1100+1500 9 9 +1300+1500 0 0 + 700+1700 ST3p Code 11 + 900+1700 STp Code 12 +1100+1700 KP KP1 +1300+1700 ST2p KP2 +1500+1700 ST ST + + The timing of all the MF signals is a nominal 60ms, except for KP, which +should have a duration of 100ms. There should also be a 60ms silent period +between digits. This is very flexible, however, and most Bell equipment will +accept outrageous timings. + + In addition to the standard uses listed above, MF pulsing also has expanded +usages known as "expanded inband signalling" that include such things as coin +collect, coin return, ringback, operator attached, and operator released. KP2, +code 11, and code 12 and the ST_ps (STart "primes") all have special uses which +will be mentioned only briefly here. + + To complete a call using a blue box, once seizure of a trunk has been +accomplished by sending 2600Hz and pausing for the , one must +first send a KP. This readies the register for the digits that follow. For a +standard domestic call, the KP would be followed by either 7 digits (if the +call were in the same NPA as the seized trunk) or 10 digits (if the call were +not in the same NPA as the seized trunk). [Exactly like dialing a normal fone +call]. Following either the KP and 7 or 10 digits, a STart is sent to signify +that no more digits follow. Example of a complete call: + +1> Dial 1-806-258-1234 +2> wait for a call-progress indication (such as ring, busy, recording, etc.) +3> Send 2600Hz for about 1 second. +4> Wait for about 2 seconds while a trunk is seized. +5> Send KP+305+994+9966+ST + + The call will then connect if every-thing was done properly. Note that if a +call to an 806 number were being placed in the same situation, the area code +would be omitted and only KP+ seven digits+ST would be sent. + + Code 11 and code 12 are used in international calling to request certain +types of operators. KP2 is used in international calling to route a call other +than by way of the normal route, whether for economic or equipment reasons. + + STp, ST2p, and ST3p (prime, two prime, and three prime) are used in TSPS +signalling to indicate calling type of call (such as coin-direct dialed). + + This has been Part I of Better Homes and Blue Boxing. I hope you enjoyed and +learned from it. If you have any questions, comments, threats or insults, +please fell free to drop me a line. If you have noticed any errors in this text +(yes, it does happen), please let me know and perhaps a correction will be in + + Page 134 + + + + + The Official Phreaker's Manual + +order. Part II will deal mainly with more advanced principles of blue boxing, +as well as routings and operators. + + Note 1: other highly trunkable areas include: 816,305,813,609,205. I +personally have excellent luck boxing off of 609-953-0000. Try that if you have +any trouble. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 135 + + + + + The Official Phreaker's Manual + + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + Better Homes and Blue Boxing + + Part II + + Practical Applications + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +(It is assumed that the reader has read and understood Part I of this series). + + The essential purpose of blue boxing in the beginning was merely to receive +toll services free of charge. Though this can still be done, blue boxing has +essentially outlived its usefulness in this area. Modern day "extenders" and +long distance services provide a safer and easier way to make free fone calls. +However, you can do things with a blue box that just can't be done with +anything else. For ordinary toll-fraud, a blue box is impractical for the +following reasons: + +1. Clumsy equipment required (blue box or equivalent) +2. Most boxed calls must be made through an extender. Not for safety reasons, +but for reasons I'll explain later. +3. Connections are often sacrificed because considerable distances must be +dialed to cross a seizable trunk, in addition to awkward routing. + + As stated in reason #2, boxed calls are usually made through an extender. +This is for billing reasons. If you recall from Part i, 2600Hz is used as a +"supervisory" signal. That is, it signals the status of a trunk--"on-hook" or +"off-hook." When you seize a trunk (by briefly sending 2600Hz), your end (the +CALLING end) goes on hook for the duration of the 2600Hz and then goes off-hook +once again when the 2600Hz is terminated. The CALLED end recognizes that a +call is on the way and attaches a register, which interprets the digits which +are to be sent. Now, understand that even though your end has come off-hook (no +2600Hz present), the other end is still on-hook. You may wonder then, why, if +the other end (the CALLED end) is still on-hook, there is no 2600Hz coming the +other way on the trunk, when there should be. This is correct. 2600Hz *IS* +present on the trunk when you seize it and afterwards, but you cannot hear it +because of a Band Elimination Filter (BEF) at your central office. + + Back to the problem. Remember that when you seize a trunk, 2600Hz is indeed +coming the other way on the trunk because the CALLED end is still on-hook, but +you don't actually hear it because of a filter. However, the Bell equipment +knows it's there (they can "hear" it). The presence of the 2600Hz is telling +the billing equipment that your call has not yet been completed (i.e., the +CALLED end is still on-hook). When finally you do connect with your boxed call, +the 2600Hz from the called end terminates. This tells the billing equipment +that someone picked up the fone at the CALLED end and you should begin to be +billed. So you do start to get billed, but for the call to the trunk, NOT the +boxed call. Your billing equipment thinks that you've connected with the number +you used to seize the trunk. Illustration: + +1. You call 1+806-258-2222 (directly) +2. Status of trunks: + +<-----------------------------------> +(You) 806-258-2222 +No 2600Hz-------> <------------2600Hz + + When you seize a trunk (before the number you called answers) there is no + + Page 136 + + + + + The Official Phreaker's Manual + +affect on your billing equipment. It simply thinks that you're still waiting +for the call to complete (the CALLED end is still on-hook; it is ringing, busy, +going to recorder or intercept operator. + + Now, let's say that you've seized a trunk (806-258-2222) and for example, +KP+314+949+1705+ST. The call is routed from the tandem you seized to: +314-949-1705. Illustration: + +<------------------>O<---------------> +(You) 806 314-949 + tandem +No 2600Hz----------> <----------2600Hz + + Note that the entire path towards the right (the CALLED end) has no 2600Hz +present and is therefore "off-hook." The entire path towards the left (the +CALLING end) does have 2600Hz present on it, indicating that the CALLED end has +not picked up (or come "off-hook"). When 314-949-1705 answers, "answer +supervision" is given and the 2600Hz towards the left (the CALLING end) +terminates. This tells your billing equipment, which thinks that you're still +waiting to be connected with 806-258-2222, that you've finally connected. +Billing then begins to 806-258-2222. Not exactly an auspicious beginning for an +aspiring young phone phreak. + + To avoid this, several actions may be taken. As previously mentioned, one may +avoid being charged for the number called to seize a trunk by using an extender +(in which case the extender will get billed). In some areas, boxing may be +accomplished using an 800 number, generally in the format of 800-858-xxxx (many +Amarillo numbers) or 800-NN2-xxxx (special intra-state class in-WATS numbers). +However, boxing off of 800 numbers is impossible in many areas. In my area, +Denver, I am served by #1A ESS and it is impossible for me to box off of any +800 number. + + Years ago, in the early days of blue boxing (before my time), phreaks often +used directory assistance to box off of because they were "free" long distance +calls. However, because of competitive long distance companies, directory +assistance surcharges are now $0.50 in many areas. It is additionally advised +that directory assistance numbers not be used to box from because of the +following: + + Average DA calls last under 2 minutes. When you box a call, chances are that +it will last considerably longer. Thus, the Bell billing equipment will make a +note of calls to directory assistance that last a long time. A call to a +directory assistant lasting for 4 hours and 17 minutes may appear somewhat +suspicious. + + Although the date, time, and length of a DA call do not appear on the bill, +it is recorded on AMA tape and will trip a trouble report if it were to last +too long. This is how most phreaks were discovered in the old days. Also, +sometimes too many calls lasting too long to one 800 number may raise a few +eyebrows at the local security office. + + Assuming you can complete a blue box call, the following are listed routings +for various Bell internal operators. These are in the format of KP+NPA+ +special routing+1X1+ST, which I will explain later. The 1X1 is the actual +operator routing, and NPA and NPA+ special routing are used for out-of-area +code calls and out-of-area code calls requiring special routing, respectively. + +KP+101+ST ...... Toll test board. + + Page 137 + + + + + The Official Phreaker's Manual + +KP+121+ST ...... Inward Operator. +KP+131+ST ...... Directory assistance. +KP+141+ST ...... was rate & route. Now only works in 312, 815, 717, and a few +others. It has been replaced with a universal rate & route number +800+141+1212. +KP+151+ST ...... Overseas completion operator (inbound). Works only in certain +NPAs, such as 303. +KP+181+ST ...... In some areas, toll station for small towns. + + Thus, if you seize a trunk in 806 NPA and wanted an inward (in 806), then you +would dial KP+121+ST. If you wanted a 312 inward and were dialing on an 806 +trunk, an area code would be required. Thus, you would dial KP+312+121+ST. +Finally, some places in the network require special routing, in addition to an +area code. An example is Franklin Park, Ill. It requires a special routing of +032. For this, you would dial KP+312+032+121+ST for a Franklin Park inward +operator. + + Special routings are in the format of 0XX. They are used primarily for load +balance, so that traffic flow may be evenly distributed. About half of the +exchanges in the network require special routing. Note that special routings +are NEVER EVER EVER used to dial normal telephone numbers, only operators. + + Operator functions: + +TOLL TEST BOARD- Generally a cordboard position that assists in trunk testing. +They are not used by operators, only switchmen. + +INWARD- Assists the normal TSPS (0+) operator in completing calls out of the +TSPS's area. Also, inwards perform emergency interrupts when the number to be +interrupted is out of the area code of the original (TSPS) operator. For +example, a 303 operator has a customer that needs an emergency interrupt on +215-647-6969. The 303 operator gets the routing for the inward that covers +215-647, since she cannot do the interrupt herself. The routing is found to be +only 215+ (no special routing required). So, the 303 operator keys +KP+215+121+ST. An inward answers and the 303 says to her, "Inward, this is +Denver. I need an emergency interrupt on 215-647-6969. My customer's name is +Mark Tabas." The inward will then do the interrupt (off the line, of course). +If the number to be interrupted had required special routing, such as, say, +312-456-1234 (spec routing 032), then the 303 operator would dial +KP+312+032+121+ST for the inward to do that interrupt. + +DIRECTORY ASSISTANCE- These are the normal NPA+555+1212 operators that assist +customers with obtaining telefone directory listings. Not much toll-fraud +potential here, except maybe $0.50. + +RATE AND ROUTE- These operators are reached by dialing KP+800+141+1212+ST. +They assist normal (TSPS) operators with rates and routings (thus the name). +The only uses I typically have for them are the following: + + 1. Routing- + Information- In the above example, when the 303 operator needed to dial +an inward that served 215-647, she needed to know if any special routing was +required and, if so, what it was. Assuming she would use rate and route, she +would dial them and say nicely, "Operator's route, please, for 215-647." Rate & +route would respond with "215 plus." This means that the operator would dial +KP+215+121+ST to reach the inward that serves 215-647. If there were special +routing required, such as in 312-456, rate & route would respond with "312 plus +032 plus." In that case, the operator would dial KP+312+032+ST for the inward + + Page 138 + + + + + The Official Phreaker's Manual + +that serves 312-456. + + It is good practice to ask for "operator's route" specifically, as there are +also "numbers route" and "directory routes." If you do not specifically ask for +operator's route, rate & route will generally assume that is what you want +anyway. + +"Numbers" route refers to overseas calls. Example, you want to know how to +reach a number in Geneva, Switzerland (and you already have the number). You +would call routing and say "Numbers route, please, Geneva, Switzerland." The +operator would respond with: "Mark 41+22. 011+041+ST (plus) 041+22" The "Mark +41+22" has to do with billing, so disregard it. The 011+041 is access to the +overseas gateway (to be discussed in Part iii) and the 041+ 22+ is the routing +for Geneva from the overseas sender. + +"Directory" routings are for directory assistance overseas. Example: you want a +DA in Rome, Italy. You would call rate & route and say, "Directory routing +please, for Rome, Italy." They would respond with "011+039+ST (plus) 039+1108 +STart." As in the previous example, the 011+039 is access to the overseas +gateway. The 039+1108 is a directory assistant in Rome. + + 2. Nameplace information- Rate & Route will give you the location of an NPA+ +exchange. Example: "Nameplace please, for 215-648." The operator would respond +with "Paoli, Pennsylvania." This isn't especially useful, since you can get the +same information (legally) by dialing 0, but using rate & route is often much +faster and it avoids having to hang up when you are already on a trunk. + +*NOTE* On Rate & Route: As a blue boxer, always ask for "IOTC" routings. +(e.g., "IOTC operator's route", "IOTC numbers route", etc.) This tells them +that you want cordboard-type routings, not TSPS, because a blue boxer is +actually just a cordboard position (that Bell doesn't know about). + +OVERSEAS COMPLETION +OPERATOR (inbound)- These operators (KP+151+ST) assist in the completion of +calls coming in to the United States from overseas. There are KP+151+ST +operators only in a few NPAs in the country (namely 303). To use one, you would +seize a trunk and dial KP+303+151+ST. Then you would tell the operator, for +example, "This is Bangladesh calling. I need U.S. number 215-561-0562 please." +[in a broken Indian accent]. She would connect you, and the bill would be sent +to Bangladesh (where I've been billing my KP+151+ST calls for two years). + +Other internal Bell Operators. + +KP+11501+ST ...... universal operator +KP+11511+ST ...... conference op +KP+11521+ST ...... mobile op +KP+11531+ST ...... marine op +KP+11541+ST ...... long distance terminal +KP+11551+ST ...... time & charges op +KP+11561+ST ...... hotel/motel op +KP+11571+ST ...... overseas (outbound) op + + These 115X1 operators are identical in routing to the 1X1 operators listed +previously, with one exception. If special routing is required (0XX), then the +trailing 1 is left off. + +Examples: + + + Page 139 + + + + + The Official Phreaker's Manual + +A 312 universal op ... KP+312+11501+ST +A Franklin Park (312-456) universal op (special routing 032 required)........ +KP+312+032+1150+ST [The trailing 1 of 11501 is left off]. + +Purposes of 115X1 operators. + +UNIVERSAL- Used for collect/callback calls to coin stations. + +CONFERENCE- This is a cordboard conference operator who will set up a +conference for a customer on a manual operation basis. + +MOBILE- Assists in completion of calls to mobile (IMTS) type telefones. + +MARINE- Assists in completion of calls to ocean going vessels. + +LONG DISTANCE TERMINAL- Now obsolete.Was used for completion of long distance +calls. + +TIME & CHARGES- Will give exact costs of calls. Used to time calls and inform +customer of exactly how much it cost. + +HOTEL/MOTEL- Handles calls to/from hotels and motels. + +OVERSEAS +COMPLETION (outbound)- assists in completion of calls to overseas points. Only +works in some, if any NPAs, because overseas assistance has been centralized to +IOCC (covered in Part III). + + Note that all KP+1X1+ST and KP+115X1+ST operators automatically assume that +you are a TSPS or cordboard operator assisting a customer with a call. DO NOT +DO ANYTHING TO JEOPARDIZE THIS! If you do not know what to do, don't call these +operators! Find out what to do first. + + This concludes Part II. There is one final part in which I will explain +overseas dialing, IOCC (International Overseas Completion Centre), RQS +(Rate/Quote System), and some basic scanning. + + + + + + + + + + + + + + + + + + + + + + + + Page 140 + + + + + The Official Phreaker's Manual + + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + Better Homes and Blue Boxing + + Part III + + Advanced Signalling +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +(It is assumed that the reader has read and understood parts i & ii before +proceeding to this part). + + In Parts I & II, I covered basic theory and domestic signalling and +operators. In this part I will explain overseas direct boxing, the IOCC, the +RQS, and some basic scanning methods. + +Overseas Direct Boxing. + + Calling outside of the United States and Canada is accomplished by using an +"overseas gateway." There are 7 over-seas gateways in the Bell System, and each +one is designated to serve a certain region of the world. To initiate an +overseas call, one must first access the gateway that the call is to be sent +on. To do this automatically, decide which country you are calling and find its +country code. Then, pad it to the left with zeros as required so it is three +digits. [Add 1, 2, or 3 zeros as required]. + +Examples: + +Luxembourg (352) is 352 (stays the same) +Spain (34) becomes 034 (1 zero added) +U.S.S.R. (7) becomes 007 (2 zeros added) + + Next, seize a trunk and dial KP+011+ CC+ST. Note that CC is the three digit +padded country code that you just determined by the above method. [For +Luxembourg, dial KP+011+352+ST, Spain KP+011+034+ST, and the U.S.S.R. KP+011+ +007+ST]. This is done to route you to the appropriate overseas gateway that +handles the country you are dialing. Even though every gateway will allow you +to dial every dialable country, it is good practice to use the gateway that is +designated for the country you are calling. + + After dialing KP+011+CC+ST (as CC is defined above) you should be connected +to an overseas gateway. It will acknowledge by sending a wink (which is audible +as a and a dial tone. Once you receive international dial +tone, you may route your call one of two ways: a) as an operator-originated +call, or b) as a customer-originated call. To go as a operator-originated call, +key KP+ country code (NOT padded with zeros)+ city code+number+ST. You will +then be connected, providing the country you are calling can receive +direct-dialed calls. The U.S.S.R. is an example of a country that cannot. + +Example of a boxed int'l call: + +To make a call to the Pope (Rome, Italy), first obtain the country code, which +is 39. Pad it with zeros so that it is 039. Seize a trunk and dial +KP+011+039+ST. Wait for sender dial tone and then dial KP+39+6+6982+ST. 39 is +the country code, 6 is the city code, and 6982 is the Pope's number in Rome. To +go as an operator-originated call, simply place a zero in front of the country +code when dialing on the gateway. Thus, KP+0+39+6+6982+ST would be dialed at +sender dial tone. Routing your call as operator-originated does not affect much +unless you are dialing an operator in a foreign country + + Page 141 + + + + + The Official Phreaker's Manual + + + To dial an operator in a foreign country, you must first obtain the operator +routing from rate & route for that country. Dial rate & route and if you're +trying to get an operator in Yugoslavia, say nicely, "IOTC Operator's route, +please, for Yugoslavia." [In larger countries it may be necessary to specify a +city]. Rate & route will respond with, "38 plus 11029". So, dial your overseas +gateway, KP+011+038+ST, wait for sender dial tone, and key KP+0+38+11029+ST. +You should then get an operator in Yugoslavia. Note that you must prefix the +country code on the sender with a 0 because presumably only an operator here +can dial an operator in a foreign country. + + When you dial KP+011+CC+ST for an overseas gateway, it is translated to a +3-digit sender code of the format 18X, depending on which sender is designated +to handle the country you are dialing. The overseas gateways and their 3-digit +codes are listed below. + +182 ..... White Plains, NY +183 ..... New York, NY +184 ..... Pittsburg, PA +185 ..... Orlando, FL +186 ..... Oakland, CA +187 ..... Denver, CO +188 ..... New York, NY + + Dialing KP+182+ST would get you the sender in White Plains, and KP+183+ST +would get the sender in NYC, etc., but the KP+011+CC+ST is highly suggested (as +previously mentioned). To find out what sender you were routed to after dialing +KP+011+CC+ST, dial (at int'l dial tone): KP+0000000+ST. + + If you have difficulty in reaching a sender, call rate and route and ask for +a numbers route for the country you're dialing. Sometimes, KP+011+ padded +country code+ST will not work. I have found this in many 3-digit country +codes. Luxembourg, country code 352, for example, should be KP+011+352+ST +theoretically. But it is not. In this case, dial KP+011+ 003+ST for the +overseas gateway. If you have trouble, try dialing KP+00+ first digit of +country code+ST, or call rate The IOCC. + + Sometimes when you call rate and route and ask for an "IOTC numbers route" or +"IOTC operators route" for a foreign country, you will get something like +"160+700" (as in the case of the Soviet Union). This means that the country is +not dialable directly and must be handled through the International Overseas +Completion Centre (IOCC). For an IOCC routing, pad the country code to the +RIGHT with zeros until it is 3 digits. Then KP+160 is dialed, plus the padded +country code, plus ST. Examples: + +The U.S.S.R. (7) ...... KP+160+700+ST +Japan (81) ............ KP+160+810+ST +Uraguay (598) ......... KP+160+598+ST + + You will then be routed to the IOCC in Pittsburg, PA, who will ask for +country, city, and number being dialed. Many times they will ask for a +ringback [thanks to Telenet Bob] so have a loop ready. They will then place the +call and call you back (or sometimes put you through directly). Some calls, +such as to Moscow, take several hours. + +The Rate Quote System (RQS). + + The RQS is the operator's rate/quote system. It is a computer used by TSPS + + Page 142 + + + + + The Official Phreaker's Manual + +(0+) operators to get rate and route information without having to dial the +rate and route operator. In Part ii, I discussed getting an inward routing for +dialing-assistance and emergency interrupts from the rate and route operators +(KP+800+141+1212+ST). The same information is available from RQS. Say you want +the inward routing for 305-994. You would seize a trunk and dial KP+009+ST (to +access the RQS). Sometimes, if you seize a trunk in an NPA not equipped with +RQS, you need to dial an NPA that is equipped with RQS first, such as 303. +Anyway, after you dial KP+009+ST or KP+303+009+ST, you will receive a wink +() and then RQS dial tone. At RQS dial tone, for an inward +routing for 305-994 you would dial KP+06+305+994+ST. That is, +KP+06+NPA+exchange+ST. RQS will respond with "305 plus 033 plus". This means +you would dial KP+305+033+121+ST for an inward that services 305-994. If no +special routing were required, RQS would have responded with "305 plus" and you +would simply dial: KP+305+121+ST for an inward. + + Another RQS feature is the echo feature. You can use it to test your blue +box. Dial RQS (KP+009+ST) and then key KP+07+1234567890+ST. RQS will respond +with voice identification of the digits it recognized, between the KP+07 and +ST. + + RQS can also be used for rates and directory routings, but those are seldom +needed, so they have been omitted here. + +Simple Scanning. + + If you're interested in scanning, try dialing on a trunk, routings in the +format of KP+11XX1+ST. Begin with 11001 and scan to 11991. There are lots of +interesting things to be found there, as Doctor Who (413 area) can tell you. +Those 11XX1 routings can also be prefixed with an NPA, so if you want to scan +area code 212, dial KP+212+ 11XX1+ST. + + There, now you know as much about blue boxing as most phreaks. If you read +and understand the material, and put aside preconceived ideas of what blue +boxing is that you may have acquired from inexperienced people or other +bulletin boards, you should be well on you way to an enlightening career in +blue boxing. If you follow the guidelines in Part I to box, you should have no +problem with the fone company. Comments made by "phreaks" on bulletin boards +that proclaim "tracing" of blue boxers are nonsense and should be ignored +(except for a passing chuckle). + +NOTE 1: CCIS and the downfall of blue boxing. + +CCIS stands for Common Channel Inter-office Signalling. It is a signalling +method used between electronic switching systems that eminiates the use of +2600Hz and 3700Hz supervisory signals, and MF pulsing. This is why many places +cannot be boxed off of; they employ CCIS, or out-of-band signalling, which will +not respond to any tones that you generate on the line. Eventually, all +existing toll equipment will be upgraded or replaced with CCIS or T-carrier. In +this case, we'll all be boxing with microwave dishes. Until then (about 1995 by +current BOC/AT&T estimates), have fun! + +If you have ANY questions about this text, please feel free to drop me a line. +I will respond to all mail, messages, etc. Insults are also welcomed. And if +you discover anything interesting scanning, be sure to let me know. + +Mark Tabas +$LOD$ + + + Page 143 + + + + + The Official Phreaker's Manual + +This text was prepared in full by Mark Tabas for: + +K.A.O.S. +Philadelphia, PA. +[215-465-3593]. + +Any sysop may freely download this text and use it on his/her BBS, provided +that none of it be altered in any way. + +Technical acknowledgements: + +Karl Marx, X-Man, High-Rise Joe, Telenet Bob, Lex Luthor, TUC, John Doe, Doctor +Who (413 area), The Tone Sweep, Mr. Silicon, K00L KAT, The Glump. + +References: + +1. Notes on the BOC Intra-LATA Networks Bell System publication, 1983. +2. Notes on the Network Bell System publication, 1983. +3. Engineering and Operations in the Bell System Bell System publication, +4. Notes on Distance Dialing Bell System publication, 1968. +5. Early Medieval Architecture. +....................................... +(c) February 6, 1900 Mark Tabas +....................................... + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 144 + + + + + The Official Phreaker's Manual + + BY FRED STEINBECK (TAP #88) + + IT SEEMS THAT FEWER AND FEWER PEOPLE HAVE BLUE BOXES THESE DAYS, AND +THAT IS REALLY TOO BAD. BLUE BOXES, WHILE NOT ALL THAT GREAT FOR MAKING FREE +CALLS (SINCE THE TPC CAN TELL WHEN THE CALL WAS MADE, AS WELL AS WHERE IT WAS +TOO AND FROM), ARE REALLY A LOT OF FUN TO PLAY WITH. SHORT OF BECOMING A REAL +LIVE TSPS OPERATOR, THEY ARE ABOUT THE ONLY WAY YOU CAN REALLY PLAY WITH THE +NETWORK. + FOR THE FEW OF YOU WITH BLUE BOXES, HERE ARE SOME PHRASES WHICH MAY +MAKE LIFE EASIER WHEN DEALING WITH THE RATE & ROUTE (R&R) OPERATORS. TO GET +THE R&R OP, YOU SEND A KP + 141 + ST. IN SOME AREAS YOU MAY NEED TO PUT +ANOTHER NPA BEFORE THE 141 (I.E., KP + 213 + 141 + ST), IF YOU HAVE NO LOCAL +R&R OPS. + THE R&R OPERATOR HAS A MYRIAD OF INFORMATION, AND ALL IT TAKES TO GET +THIS DATA IS MUMBLING CRYPTIC PHRASES. THERE ARE BASICALLY FOUR SPECIAL +PHRASES TO GIVE THE R&R OPS. THEY ARE NUMBERS ROUTE, DIRECTORY ROUTE, OPERATOR +ROUTE, AND PLACE NAME. + YOU GET AN R&R AN AREA CODE FOR A CITY, ONE CAN CALL THE R&R OPERATOR +AND ASK FOR THE NUMBERS ROUTE. FOR EXAMPLE, TO FIND THE AREA CODE FOR CARSON +CITY, NEVADA, WE'D ASK THE R&R OP FOR "CARSON CITY, NEVADA, NUMBERS ROUTE, +PLEASE." AND GET THE ANSWER, "RIGHT... 702 PLUS." MEANING THAT 702 PLUS 7 +DIGITS GETS US THERE. + SOMETIMES DIRECTORY ASSISTANCE ISN'T JUST NPA + 131. THE WAY TO GET +THESE ROUTINGS IS TO CALL R&R AND ASK FOR "ANAHEIM, CALIFORNIA, DIRECTORY +ROUTE, PLEASE." OF COURSE, SHE'D TELL US IT WAS 714 PLUS, WHICH MEANS 714 + 131 +GETS US THE D.A. OP THERE. THIS IS SORT OF POINTLESS EXAMPLE, BUT I COULDN'T +COME UP WITH A BETTER ONE ON SHORT NOTICE. + LET'S SAY YOU WANTED TO FIND OUT HOW TO GET TO THE INWARD OPERATOR FOR +SACRAMENTO, CALIFORNIA. THE FIRST SIX DIGITS OF A NUMBER IN THAT CITY WILL BE +REQUIRED (THE NPA AND AN NXX). FOR EXAMPLE, LET US USEM 916 756. WE WOULD CALL +R&R, AND WHEN THE OPERATOR ANSWERED, SAY, "916 756, OPERATOR ROUTE, PLEASE." +THE OPERATOR WOULD SAY, "916 PLUS 001 PLUS." THIS MEANS THAT 916 + 001 + 121 +WILL GET YOU THE INWARD OPERATOR FOR SACRAMENTO. + DO YOU KNOW THE CITY WHICH CORRESPONDS TO 503-640? THE R&R OPERATOR +DOES, AND WILL TELL YOU THAT IT IS HILLSBORO, OREGON, IF YOU SWEETLY ASK FOR +"PLACE NAME, 503 640, PLEASE." + FOR EXAMPLE, LET'S SAY YOU NEED THE DIRECTORY ROUTE FOR SVEG, SWEDEN. +SIMPLY CALL R&R, AND ASK FOR, "INTERNATIONAL, BADEN, SWITZERLAND. TSPS +DIRECTORY ROUTE, PLEASE." IN RESPONSE TO THIS, YOU'D GET, "RIGHT... DIRECTORY +TO SVEG, SWEDEN. COUNTRY CODE 46 PLUS 1170." SO YOU'D ROUTE YOURSELF TO AN +INTERNATIONAL SENDER, AND SEND 46 + 1170 TO GET THE D.A. OPERATOR IN SWEDEN. + INWARD OPERATOR ROUTINGS TO VARIOUS COUNTRIES ARE OBTAINED THE SAME WAY +"INTERNATIONAL, LONDON, ENGLAND, TSPS INWARD ROUTE, PLEASE." AND GET "COUNTRY +CODE 44 PLUS 121." THEREFORE, 44 PLUS 121 GETS YOU INWARD FOR LONDON. + INWARDS CAN GET YOU LANGUAGE ASSISTANCE IF YOU DON'T SPEAK THE +LANGUAGE. TELL THE FOREIGN INWARD, "UNITED STATES CALLING. LANGUAGE ASSISTANCE +IN COMPLETING A CALL TO (CALLED PARTY) AT (CALLED NUMBER)." + R&R OPERATORS ARE PEOPLE ARE PEOPLE TOO, Y'KNOW. SO ALWAYS BE POLITE, +MAKE SURE USE OF 'EM, AND DIAL WITH CARE. + +NOTE: AS A RESULT OF THE BREAK-UP, R&R IS NOW KP+800+141+1212+ST + + + + + + + + + Page 145 + + + + + The Official Phreaker's Manual + + Verification + By Fred Steinbeck + +>From TAP issue # 88 10-83 + + There has been a great deal of controversy in the realm of phreakdom over a +mysterious subject known under a number of different names, including +"Verification", "Autoverification", "Verify", "Autoverify", "Verify Busy", and +even "VFY BY". All of these names basically mean the same thing: the ability +to listen to another person's telephone line from any telephone in the +direct-dialable world. + Needless to say, Bell System is very tight lipped about knowledge regarding +verification. Indeed, the infamous book 'Notes on long distance dialing' ('68 +edition) says, "Care must be taken to insure that the customer never gains +verification capabilities." With a printed policy like that, you can imagine +what their real-world policy is like! Even their own rate and route operators +will not give verification on routing codes (at least in my experience), one +even responding, "What?! You must be crazy! We don't give those out!" Before +you get too far into this article, I will state simply: I don't know how to +verify. However, I have been fooling with various things related to it, and +collecting information on it for some time now. Therefore, while I can't do it +(yet), I may be able to point some other bright TAPer on the right track, and +perhaps he or she will show us all how. If you have knowledge not covered in +this article, but don't want to write an article on your own, please send your +ideas, comments, or information to Project Verify, C/O TAP Verify has also +been called "Autoverify", and I have no idea why. This is not, to my +knowledge, a Bell System term (at least I've never seen it in any manuals) As +far as I know, there is verify, which means being able to listen to speech +(kind of; see below) on a line, and there is the "Emergency Interrupt which +allows you to take part in the conversation taking place on the line in +question. It has been suggested that "Autoverify" is the same as an emergency +interrupt , but I tend to disagree with this idea. It should be noted that the +verification circuitry does not actually let an operator listen to a +conversation without making a beep on the line every so often. Instead, she +will hear encrypted speech. However, I believe with the proper methods, verify +can be converted to an emergency interrupt. + Verification is normally done either by your normal "0" (TSPS) operator, if +the call is in your home NPA (HNPA), or by an inward operator (IO). If the +call is outside your HNPA, your normal operator will call the IO for the +NPA,and say, "Verify Busy" or "Emergency Interrupt" please, 555 1212." The IO +will perform whatever magic he or she must, and then report back. If the call +is in your HNPA, though, the "0" operator can do the verification herself by +using the "VFY BY" key on her keyshelf. However, in some areas, the operator +uses a routing code to accomplish verification, and this the is loop hole we +shall attack. + It follows that if a IO or "0" operator can do it, so can we, with a blue box +Now, courtesy of Robert Allen (who brought it to my attention) and Susan +Thunder (who apparently discovered it), here is what used to work for getting +operators to hook you into conversations with other people (i.e.,let you listen +to them till you hung up): You'd call the operator and say "Operator, TSPS +Maintenance Engineer Calling. Ring forward to 001 + NPA + 7d, ring back to my +number, hit ring forward, no AMA, and then position release. + This creates some problems, and you must be familiar with the TSPS +console(by dialing "0"), you are on the "back", or incoming part of a loop. +When she places a call for you, the call goes out on the "forward", or outgoing +part of the loop. If an operator wants to make a call, she punches KP FWD +(keypulse forward), the number, and ST. Ring FWD puts a 90 volt ringing signal +across the forward part of the line (and may dial the number as well). The + + Page 146 + + + + + The Official Phreaker's Manual + +problem arises from the fact that I don't know if Ring FWD will actually dial a +call, and if there is some other subtle difference between it an KP FWD. + Let us assume ringing forward makes a call from the TSPS console to whatever +number is given. Ring back causes your phone to ring (it is assumed you hung +up after giving her your instructions; if you didn't you'd hear an annoying 90 +volts across the earpiece...) "No AMA" means "no automatic message accounting", +so nobody gets billed for the call, although it will show up on a tape +somewhere. "Position Release" removes the operator from the circuit, and +allows her to receive other calls. This leaves an unaccounted-for ring +forward. + The verification circuit, as you know, likes to encrypt conversation, which +is something we don't want. Well, the second Ring FWD sends another 90 volts +crashing against the verify circuitry, which Juda Gerad thinks removes the +voice encryption from the line, puts the operator (and you) in circuit, and +puts a beep tone on the line every five seconds. This seems to make sense, and +I am inclined to agree with him. + The bit about "....001 + NPA + 7D" causes the thought "MF routing code" to +spring immediately to mind. Now, the above trick was supposed to work in the +213 NPA. I have tried both "KP+001+213+7D+ST", and some other area codes. I +generally get nothing, a reorder signal, or a tandem recording. + Here's some food for thought: On an official Telco sheet I have, labeled " +213 NPA MF Routing Codes", 001 is listed as "VFY BY", or verify busy for the +213 NPA. 002 is listed for the 805 NPA. Ma Bell likes to have standardized +routing codes, such logical, then, that 001 would be a sort of "standard" +verify code, and other prefixes would be tacked on at 002,003, etc. However, I +have heard from a retired operator that verification codes are different from +area to area, and are not always nice numbers like 001, 002. Ah, well, a guy +can hope, can't he? + Some suggestions for future attacks on this dilemma: Everyone call your +operators and subtly ask questions. I have found the tend to give information +out easier if you ask for something that you would ordinarily have to be a +company employee to know about, such as rate steps, operator routings, etc. + Casually let slip that you used to be (or still are) an operator, or that +you work for company security. Also, you might want to blue box some codes +like 001 followed by your NPA and the last 7D of a busy number. If you get a +sort of "whispery noise", try blasting the line with a ringing signal (you +might piggyback another line onto yours and call the piggyback to generate the +90 volts) and see if that does anything. + + + + + + + + + + + + + + + + + + + + + + Page 147 + + + + + The Official Phreaker's Manual + + =================================== + EQUAL ACCESS AND THE AMERICAN DREAM + =================================== + + +by + +Mark Tabas +P.O. Box 620401 +Littleton, CO 80162 + +July 7, 1985 + + + + The American Dream means many things to many people. To the small, typical +businessman, it means building a good, strong business based on hard work and +perseverance; indeed, with nothing limiting his potential but he amount of work +he is willing to put into his business. To a large businessman, the American +Dream means living and working in a country where a single corporation can have +a profit exceeding the gross national product of an entire third world nation. + To the individual, the American Dream is the right to choose -- everything +from one's breakfast cereal to a long-distance service, as well as the formal +right outlined by our founding fathers: those of life, liberty, and the pursuit +of happiness. + To the phone phreak, I think the American Dream is, in a sort of twisted way, +the uninhibited pursuit of knowledge. This quest could scarcely remain +unchecked in many other countries. Analogous to this quest is the thriving of +the Bell System, which until January 1, 1984 consisted of the American +Telephone and Telegraph Company, the largest corporation in the history of the +world. Did the American Dream die on January first or did the divestiture of +AT&T cause a giant step forward for competition and free enterprise in the +United States? I do not know. I do know that the other nations of the world +were amazed that the United States would dissolve the entity that brought the +finest and most universal telephone system in the world, and did so at a time +when the majority of the rest of the world was still using two dixie cups and a +string. + The unfairness of the situation is that AT&T built the telephone system of +this nation and is now being bound and gagged and having its possessions +distributed to others, whom AT&T also wrought. All in the name of fairness, +free competition, and "equal access". Where was was MCI during the century +that AT&T built he communications system of this nation? Well, I believe in +Equal Access, Wholly. And, since I believe in equal access and its +implications for equality for all so strongly, I feel that MCI, Sprint, and +others should take the same amount of time to build their respective toll +networks: 100 years. Therefore, if the United States Justice Department were +truly the fair and just administrator that it portrays itself to be, MCI would +not have a hand in the long-distance cache until about 2080. That's only +fair. + There is no doubt that MCI is a sub-standard organization. They consist of +incompetent employees, inferior equipment, and an inferior marketing strategy. +They are mockingly imitative of AT&T, except in the quality of their service, +which is practically unusable. It is also interesting that with less than 2% +market share, MCI calls itself "the nation's long-distance company." The point +to this diatribe is this. It's time for these long-distance companies such as +MCI and Sprint to grow up. With Equal Access, they are going to become real +long-distance companies, not the joke organizations they are now, and I think +it may just take them one hundred years to do so. + + Page 148 + + + + + The Official Phreaker's Manual + + + ============ + Equal Access + ============ + + Equal Access, as it applies to the telecommunications industry, is "the +requirement that each Bell Operating Company provide exchange access to all +long-distance carriers that is equal in type and quality to that provided AT&T +communications." This is the official provision set forth by the United States +Justice Department in the Modification of the Final Judgment, August 24, 1982. +All this means is that each long-distance-distance company will have "equal +access" to all of the same types of services that AT&T currently enjoys. There +are four types of long-distance carrier services, divided into "feature +groups." They follow. + +FG A: "line side access." This is the standard 7-digit dialup+code (for +billing purposes) +destination telephone number. It is currently in use by +most long-distance carriers. + +FG B: "trunk side access." These are the 950 exchange numbers. They also +utilize an authorization code for billing. As with FG A, automatic number +identification (ANI) (i.e. calling number) is not provided to the carrier, but +will be in the future. + +FG C: "1+ dialing." Currently, only AT&T is able to get this type of +service. It is 1/0+7 of 10 digit direct long distance dialing. ANI (for +billing) is provided. + +FG D: "equal access." This will allow for 1/0+7 or 10 digit direct +long-distance dialing (presubscription carrier) and 10xxx+1/0+7 or 10 digit +long-distance dialing (alternate carrier). ANI for billing is provided at the +long-distance carrier's option. Billing may also be handled by the individual +long distance company or the local Bell Operating Company. + + Feature groups C and D are mutually exclusive (i.e. both cannot exist in a +particular area at the same time). Areas which have Feature Group C (AT&T +long-distance only) are non-Equal Access, and areas which have Feature Group D +(multiple long distance carriers) are Equal Access regions. + Feature Group B, the 950 exchange numbers will be used in areas in which it +is not feasible to provide with Equal Access, such as step-by-step offices +(yes, they CAN have 950 numbers), some crossbar offices, and some independent +telcos, which are not bound by the provisions of Equal Access and may provide +to their customers any type of long-distance service(s) they wish. The 950 +exchange is now active in many areas. It is mainly used as a universal +"roaming" access port for many long-distance carriers, but when an office is +converted to Equal Access, the 950 capability is removed. Thus, in an Equal +Access region, one cannot complete a call to a 950 telephone number. + I personally am looking very forward to Equal Access. My area is not +scheduled for full implementation of it until late 1985 or early 1986, and by +this time many of the alternate long distance carriers' networks will be in +place (or well under way). Think about what Equal Access means. Equality for +all long distance carriers. Access to common facilities, such as: busy-line +verification lines, Bell System information, signalling specifications. etc. +After full implementation of Equal Access, one will be able to take advantage +of and manipulate the services of more than just one carrier. It will no +longer be phreaks vs. AT&T. + When your area is ready to initiate Equal Access, you will receive a notice +in the mail informing you of some of the details of Equal Access, and will ask + + Page 149 + + + + + The Official Phreaker's Manual + +you to specify your choice of "primary carrier." In some cases you will need to +specify both inter-LATA carrier (IC), which handles calls out of your LATA +(Local Access and Transport Area), and an international carrier (INC), which +will handle calls destined for other countries. Recent market studies have +shown that between 80 and 90 per cent of residential customers will continue to +be served by AT&T for their long-distance service after Equal Access. So much +for competition. + You will probably be faced with many long-distance companies to choose from, +including but not limited to: AT&T, MCI, Sprint, ITT, Western Union, Dial U.S., +Call America, TMC, and U.S. Telephone. Whichever you choose will become your +"primary carrier." Your primary carrier will handle your call each time you +pick up you fone and dial 1+7 or 10 digits or 0+7 or 10 digits, inter-LATA +only. That is, if you dial a toll call that is within your LATA, it will be +handled by your local telephone company (Bell), not by your primary carrier, +even though it is a toll call. Let's use an example. The state of Colorado +consists of two LATAs. For this example, I will use three cities in Colorado: +Denver (in LATA1), Sterling (LATA1 also), and Colorado Springs (in LATA2). +Note here that even though Denver ad Sterling are in the same LATA, and Denver +and Colorado Springs are not, Sterling is actually much farther away from +Denver than Colorado Springs. This is because LATA boundaries were designed +giving consideration to high toll-traffic regions, to bring in revenue. Toll +traffic between Denver and Colorado Springs is very high, so the two cities +were placed in separate LATAs (or, more correctly, they were separated by a +LATA boundary). Toll traffic between Denver and Sterling is very low, of the +two cities were allowed to remain in the same LATA. Now, if everyone in +Colorado Springs were to pack up and move to Sterling (though who knows what +the hell for), the LATA boundaries in Colorado would be changed so that Denver +and Sterling were in different LATAs. The primary factor in determining LATAs +is money. + If I made a call to Sterling from my home in Denver, the call would be routed +entirely via Mountain Bell long-distance facilities. No long distance carrier +would be involved because Denver and Sterling are in LATA1. If I made a call +to Kelley, the blonde babe in Colorado Springs, the call would be handled by a +long distance carrier (in this case, AT&T) because Denver is in LATA1 and +Colorado Springs is in LATA2. Here is a table to simplify this: + +Customer dials LATA Carrier +----------------------------------------------------------------- +7 digits same Bell +1+7 digits same Bell +1+7 digits diff LD carrier (currently AT&T) +1+10 digits diff LD carrier (currently AT&T) +----------------------------------------------------------------- + + Note several things here. First, not all areas need to dial a 1 when dialing +any number, local or long distance, but the central offices will still discern +whether the call is in the same LATA as the customer or a different one and +handle the call appropriately. Secondly, some step-by-step offices require a +1+NPA to be dialed for calls within the same LATA and, in fact, all numbers +outside of the office itself. But, for the most part, the above table is +standard for common switching networks. + + ================== + Alternate Carriers + ================== + + Your normal long distance carrier will handle all your toll calls which cross +over LATA boundaries when you dial directly, 1+. If you wish to place your + + Page 150 + + + + + The Official Phreaker's Manual + +call via another carrier's network, whether for cost, quality, or circuit +availability reasons, you may do so in Equal Access regions. To access an +alternate long distance carrier after Equal Access, a customer dials +10xxx+1/0+7 or 10 digit telefone number. Note that xxx is the "carrier access +code (CAC)." A few CACs currently in use are listed below. + +220 ........ Western Union 666 ........ Lexitel +222 ........ MCI 777 ........ Sprint +333 ........ US Telefone 888 ........ SBS +444 ........ Allnet + + Thus, in an Equal Access region, to dial Fred in Orlando, a customer would +dial 1+305+994+9966 to place his call on his primary carrier, or to place it on +another network, he could dial: 10222+1+305+994+9966, and the call would go +over MCI facilities (in this case). Eventually, after many more long distance +services get into the act, there will be a directory of the various long +distance companies and their CACs, and deciding which carrier to use for any +particular call to get the bet rate will be beyond the ability of everyone +except phone phreaks. + + ================ + The 950 Exchange + ================ + + As discussed, the 950 central office exchange is currently a "roaming" access +port for various long distance carriers. In areas that have 950, the access to +carriers is standardized. Thus, someone travelling to several different areas +need only know the 950 number of the carrier he uses to access it from any area +(provided that it have 950 active). Originally, the 950 exchange was designed +to correspond with the 10xx carrier access code used for Equal Access. For +example, 950-1022 would be the same carrier as 1022 (+telephone number). +However, it was later found that the 100 codes available for use as 10xx CACs +would be insufficient to handle he number of long distance carriers. So, the +common carrier access code was increased by one digit, to 10xxx, thus +increasing the number of possible CACs to 1000. To keep the 950 exchange +consistent with the non CAC, the Bell Operating Companies have opted to change +the 950-10xx to 950-0xxx. The xxx in the 950-0xxx remains the same as the xxx +in the 10xxx carrier access code. The new modified 950 numbering pan is now +active in Philadelphia (Bell Atlantic) among other areas. + After Equal Access is well under way, the 950 exchange will be used in +certain areas that cannot be equipped for the standard Equal Access dialing +plans. This includes step-by-step, #1 crossbar, #5 crossbar, #2ESS, and #3ESS +offices. Customers in areas served by these types of switching equipment will +dial 950-0xxx, wait for acknowledgement tone from the carrier, and then dial a +"personal identification number" and destination telefone number,and the call +will be completed on the selected carrier's facilities. Initially, billing +will be handled by the carrier itself, and supervisory information and ANI will +not be provided by the local Bell Operating Company. + There are three main advantages to the 950 central office exchange and +protocol. They are: a) universal access for all areas, b) 950-exchange numbers +are "trunk side access." This means that the long distance carrier has direct +trunks going to it from a Bell toll office or local central office. These +trunks are interoffice lines, not customer type (POTS) lines, and supposedly +insure higher quality of connection. And, c) 950-exchange numbers are toll and +message unit free. On metered-usage (i.e., not "flat rate") customer lines, +they cost nothing. In most areas they are free from coin stations, with +Colorado as one notable exception. + + + Page 151 + + + + + The Official Phreaker's Manual + + ===== + Costs + ===== + + Each long-distance carrier must choose the type(s) of service it wishes to +provide to its customers. These different types of service were outlined +earlier as "Feature Groups." The costs of these Feature Groups vary directly +with the complexity and quality of the service itself. The following table +outlines the cost to the carrier of each available Feature Group. It is based +on the monthly rate per line for 9000 minutes of circuit use, and assumes the +carrier and Bell switch are 15 miles apart. + +FG non-Equal Access Equal Access +-------------------------------------------------------- +A $329.94 $709.20 +B 329.94 721.80 +C 752.40 ** N/A ** +D ** N/A ** 752.40 +-------------------------------------------------------- + + These figures are a lot more significant than they might appear. They +indicate that after Equal Access, in order to compete with the giants such as +AT&T, MCI, etc., smaller long distance companies will use Feature Group A or B +type service in order to provide significantly lower rates to their customers +than companies subscribing to Feature Group D service (like AT&T, MCI, etc). +This will cause a unique type of equilibrium to form. Customers willing to +dial an access number, authorization code, and destination number and put up +with lower quality service will be able to save a lot of money. This seems +faintly reminiscent of pre-Equal Access times.... + + ==================== + Directory Assistance + ==================== + + Each Bell Operating Company will be responsible for providing intra-LATA +operator services. When a customer dials (1)+411 or (1)+555+1212 for local +directory assistance, he will reach a Bell operator who will service requests +for listed numbers within the customer's LATA. Requests for numbers in LATAs +other than the calling customer's may be handled at the discretion of the local +operating company. Initially, the Bell Operating Companies will meet the +responsibility for providing directory assistance services by contracting it to +a long distance carrier or carriers (currently AT&T). All inter-LATA directory +assistance services will be provided by the inter-LATA carrier (IC). ICs may +also provide 800 Enterprise service or other toll free type directory +assistance services. See table. + +================================================================= +Intra-LATA: +================================================================= + HNPA 411/555-1212 BOC + *FNPA NPA+555-1212 BOC + HNPA 10xxx+555-1212 intra-LATA carrier + *FNPA 10xxx+NPA+555-1212 intra-LATA carrier + +================================================================= +Inter-LATA: +================================================================= + HNPA (10xxx)+1+555-1212 IC + + Page 152 + + + + + The Official Phreaker's Manual + + FNPA (10xxx)+1+NPA+555-1212 IC +================================================================= +* When LATA boundaries cross NPA boundaries (rare). +FNPA = Foreign Numbering Plan Area (area code). +HNPA = Home Numbering Plan Area (area code). + + At first glance, the above table appears somewhat complex. But, if you +understand the concept of LATAs and carriers, it is easily understood. +Essentially, all local Bell Operating Companies will maintain their own +directory assistance services. When a customer dials 411 or 555-1212, he will +reach a BOC directory assistant. Additionally, each long distance carrier that +wishes to provide directory assistance to its customers will also have DA +facilities. And, when a customer dials a directory assistant (NPA+555-1212) on +a carrier, he will reach an operator of that particular long distance carrier. +The key here is LATAs. If a customer wants to find a number that is within his +LATA, no long distance carrier is involved. It is handled strictly by the +Local Bell Operating Company. If a customer is seeking a number that is not +within his LATA, he must use the services of an inter-LATA (long-distance) +carrier. + + ====================== + TSPS Operator Services + ====================== + + Traffic Service Position System (TSPS) operator services will be handled much +in the same fashion as directory assistance services, with a few differences. +As with DAs, each Bell Operating Company and each inter-LATA carrier will +maintain its own TSPS operator facilities (or cordboard I suppose, if they +cannot afford TSPS). When a customer dials simply 0 (operator), he will reach +a BOC TSPS operator. The BOC TSPS will be able to handle all types of +intra-LATA operator-assisted traffic including (but not limited to): collect, +third party billing, Bell credit card, coin, verification and emergency +interrupt, and requests for emergency aid. BOC TSPS will be unable to complete +calls for customers outside of the customer's LATA. Thus, inter-LATA operator +assistance will be handled by an inter-LATA carrier TSPS (IC TSPS). An IC TSPS +will handle all previously mentioned types of calls that require inter-LATA +transport (i.e., the call originates and terminates in different LATAs). When +a customer dials 0+NXX-XXXXX or 0+NPA+NXX-XXXX, the central office will +determine if the call is destined for another LATA. If it is not, the call +will be sent to the Bell TSPS for appropriate handling. If the call is bound +for another LATA (and his determination is made based on the NXX or NPA+NXX), +then the call will be sent off to the customer's primary long-distance carrier +(since only 0+ was dialed). If the customer wishes to use a different +carrier's operator services, he would dial 10xxx+0+number, and the carrier +specified by the 10xxx carrier access code would receive the call. Note: if a +customer dials 10xxx+0+number, and the call is an intra-LATA call, he will get +a recording, "We're sorry, the number you dialed cannot be reached with the +carrier access code you dialed. Please check the code and try again or call +your carrier for assistance." (Western Electric KS-22550 central office tape +list no. 46.) Until the Bell Operating Companies can install their own TSPS +facilities and networks, they will (continue to) lease capacity from AT&T TSPS. +That is, AT&T will handle the intra-LATA traffic for the BOCs on a contract +basis. In the meantime, AT&T will continue to handle its own long-distance +operator services while the other inter-LATA carriers will have to implement +their own operator networks from scratch. My estimation is that you won't be +able to dial 10222+0 for an MCI TSPS operator until sometime around the year +2590. And even then they will probably be cordboard. + In addition to the changes in TSPS described above, there will be certain + + Page 153 + + + + + The Official Phreaker's Manual + +modifications to the software and hardware involved in the TSPS operator +system. Most critical, and of paramount importance to the telecommunications +enthusiast is changes in circuit associated signalling (CAS). This is +signalling to and from the TSPS facility. When a customer dials 0 (operator) or +10xxx+0 (IC operator), a succession of events occurs. First, the end office +seizes a trunk to the appropriate operator facility (this assumes that no +access tandem is involved). The operator service facility responds with a wink +(proceed signal) and the end office outpulses the CALLED number (or KP+ST if 0 +only dialed). The operator service (OS) facility will then come off-hook to +signal that it is ready to receive ANI information. The end office outpulses +the ANI information in the format of KP+II+7 digits+ST (or ST'). If there is +ANI failure, a KP+02+ST (or ST') will be sent. "ST'" stands for STart "prime", +and is indicative of a coin call (i.e., dial 0 from a coin station). A normal +ST terminating the ANI sequence means that the call is originating from a +noncoin station. See table for ultimate description. + +Inter-LATA calls MF-pulsed + +type of call customer dials cld num ANI +============================================================ +noncoin: +============================================================ + direct dialed 10xxx+1+7/10d KP+7/10d+ST'' KP+II+7d+ST + operator assist 10xxx+0 KP+ST''' KP+II+7d+ST + special toll 10xxx+0+7/10d KP+7/10d+ST''' KP+II+7d+ST + +============================================================ +coin: +============================================================ + direct dialed 10xxx+1+7/10d KP+7/10d+ST KP+II+7d+ST + operator assist 10xxx+0 KP+ST' KP+II+7d+ST + special toll 10xxx+0+7/10d KP+7/10d+ST' KP+II+7d+ST + +============================================================================= +Intra-LATA calls +============================================================================= +noncoin: +============================================================================= + direct dialed 10xxx+1+7/10d KP+7/10d+ST'' KP+II+7d+ST' + operator assist 10xxx+0 KP+ST''' KP+II+7d+ST' + special toll 10xxx+0+7/10d KP+7/10d+ST''' KP+II+7d+ST' + +============================================================================= +coin: +============================================================================= + direct dialed 10xxx+1+7/10d KP+7/10d+ST KP+II+7d+ST' + operator assist 10xxx+0 KP+ST' KP+II+7d+ST' + special toll 10xxx+0+7/10d KP+7/10d+ST' KP+II+7d+ST' +============================================================================= +Note: ST=Start, ST'=STart prime, ST''=Start double prime, ST'''=STart triple +prime. + + Once again, the above table appears somewhat intimidating in its complexity. +All these STs, ST primes, etc. Actually, the only purpose of the starts is to +distinguish to the TSPS machine exactly what type of call the customer is +placing and from what type of telefone he is calling. "Special toll" calls are +collect, credit card, and third-party billing type calls. Here is an example +of a complete dialing and outpulsing sequence for an operator service call: + + Page 154 + + + + + The Official Phreaker's Manual + +from a coin fone, a customer dials 0+ (or 10xxx+) 303+979-9997. The central +office would seize a trunk to the operator service facility and outpulse: +KP+303+979-9997+ST'. This indicates to the operator service facility that the +call is a special toll call originating from a coin telephone. The OS facility +comes off-hook and the central office would then outpulse KP+00+232+9969+ST. +This is he ANI information, and the ST indicates that the call is inter-LATA +(if it were intra-LATA, the sequence would be terminated with ST' instead). + Perhaps now I should explain screening. Certain telefones are "screened" +against placing certain types of calls. A screening code is a two digit +information carrier. For instance, 00 is "identified line" (no special +treatment), 01 is multiparty ONI (operator number identification), 02 is ANI +failure, 06 is hotel/motel, 07 is coinless (hospital/inmate fone), 08 is +inter-LATA restricted, 68 is hotel inter-LATA restricted, 78 is coinless +(hospital inmate) inter-LATA restricted, etc. A 98 is an AT&T Charge-A-Call +fone (those blue fuckers). More screening codes are allocated as they are +needed. Note that the original TSPS screening design only allowed for single +digit information digits. They were later found to be insufficient. + I believe that the operator services have been adequately covered, so I will +now move on to other aspects of Equal Access. + + ============= + Routing Codes + ============= + + The TTC (terminating toll centre) and special routing codes will continue to +be used in inter-LATA networks. These 0xx and 1xx type codes, which sometimes +precede operator routing codes, will be assigned to various ICs on an +individual basis. When 0xx and 1xx codes serve as pseudo-central office code, +they will be coordinated such that it will avoid IC conflicts. The +Numbering/Dialing Planning Group of the Central Services Organization (sounds +like some sort of Communist governing body) will provide assistance where the +assignment of coordinated codes is necessary. + + ================== + Special Area Codes + ================== + + Special area codes, also called Service Area Codes (SACs) presented the +designers of Equal Access with an interesting problem. SACs are N00 type area +codes, such as 700, 800, and 900. They are used for special services and +unlike normal area codes, are not associated with a particular state or region. +Each long distance carrier will be allocated its own exchanges in each service +area code. Thus, when a customer places a call to a number in a service area +code, the central office will examine the exchange of the telefone number and +route the call over the proper carrier's facilities. The customer will be +totally oblivious to this process. Current SACs include 700 (teleconferencing), +800 (toll free services), and 900 (dial-it services). There are currently +plans under way to implement the 600 area code, although its exact uses are not +yet clear. + + ================ + Signalling to IC + ================ + + Each long distance carrier that wishes to serve a particular LATA must +establish a point of presence (POP) in that LATA. A carrier's POP is a toll +office that receives toll traffic destined for another LATA. A POP is a centre +for inter-LATA transport of toll traffic. This traffic will be directed to it + + Page 155 + + + + + The Official Phreaker's Manual + +from a Bell central office, either an end office or an access tandem (AT). An +access tandem is simply a Bell office which directs long distance traffic from +a number of local end offices to a number of different inter-LATA carriers. To +pass call details (such as called and calling numbers) from the Bell local +office to the inter-LATA carrier, a signalling system was designed that employs +current multifrequency (MF) signalling protocol. When a customer dials +10xxx+(1/0)+(NPA)+NXX+, the end office will seize a trunk to the appropriate IC +as determined by the 10xxx CAC (or primary carrier if no CAC is dialed). Note: +this happens as soon as the customer finishes dialing the exchange, even though +he may still be dialing the last four digits of he telefone number. After the +the signal to proceed. Then, the end office will send ANI information, in the +format of: KP+II+10 digit ANI+ST. If the carrier is not to receive ANI +information from the Bell Operating Company (i.e., they are not paying for it), +then only KP+ST is sent. Presumably, by now the customer has completed dialing +the last four digits of the destination telefone number, so the end office will +send: KP+7 or 10 digit CALLED number+ST. Note several things here: 1) The IC +does not send a wink when it is ready to receive CALLED number information. 2) +ANI information is ten digits, plus a two-digit screening code, and 3) The +central office's outpulsing to the IC overlaps the customer's dialing. + Some ANI screening codes include: 00 (identified POTS), 01 (ONI multiparty), +02 (ANI failure), 06 (hotel without room identification), 07 (coinless, +hospital, inmate, etc.), 08 (inter-LATA restriction), 10 (test call), 20 (AIOD +calls, listed DN sent), 27 (coin call), and 95 (test call). These are the same +or similar as the screening codes used in operator service signalling. + In addition to the domestic signalling design outlined above, a new +international signalling system has been designed for use with Equal Access. +It also uses two-stage, overlapping outpulsing. After a customer has completed +dialing (10xxx)+011+CC (CC is country code), the Bell end office will seize a +trunk to he appropriate IC (or international carrier, if direct routing is +available). The IC/INC will respond with a wink, and the end office will +outpulse: KP+1NX+YXX+CCC+ST. Each of these three groups of routing information +indicate something different abut the international call being placed. The 1NX +is the "international system routing code, one for each type of call routing." +I have absolutely no idea what that means, and no one I have talked to at Bell, +AT&T, MCI, CCITT, ITT, the CSO and FCC have any idea either. Next, the YXX is +the carrier routing code. It is actually XXX, Which is the three digits of the +10xxx CAC for the particular carrier being accessed. Finally, CCC is the +country code, padded with a zero if necessary. + One may wonder why the CAC is signalled forward when a trunk is seized +directly to the carrier itself. The reason for this is that in some cases a +direct trunk to the carrier is not available and the call must be routed +through an access tandem, which is responsible for routing calls to a variety +of different long distance carriers. + + ==================== + Switch Compatibility + ==================== + + Full-feature Equal Access will become available first for Western Electric +#1ESS switching systems. It will be available first in generic 1E8 (1AE8 for +#1A ESS). Later, generic 5E2 for #5ESS, generic 2B4 for #2B ESS, generic +BCS-16 for Northern Telecom DMS-100, and generics 209 and 302 for DMS-10 will +provide full-feature Equal Access capabilities in those types of end office +switching equipment. The Western Electric #4ESS, #1 and 1A ESS, #5ESS, and the +Northern Telecom DMS-200 machines which serve as toll offices or access tandems +will be capable of receiving the new Equal Access signalling format, after +required generic development. Other switches (such as all crossbar offices) + + Page 156 + + + + + The Official Phreaker's Manual + +will not be able to handle the new signalling format. + + ===== + LATAs + ===== + + LATAs, Local Access and Transport Areas, are the entire key to the +administration of Equal Access. They can be thought of as miniature area +codes. A telefone call can never cross a LATA boundary except on an inter-LATA +carrier. However, there are certain exceptions to this. For example, in the +state of Colorado, which consists of two LATAs, the local Bell Operating +Company (Mountain Bell), which serves as the intra-LATA (i.e., calls to/from +the same LATA) carrier, may also serve as inter-LATA (to/from different LATAs) +carrier within Colorado. + There are also exceptions in the corridor region of the New York/New +Jersey/Pennsylvania area. + The forty-eight continental United States consist of 161 LATAs. Some states, +such as Deleware, consist of only one LATA, while others, such as Illinois, can +have up to 14 or more. Each LATA is given a name. For instance, Pennsylvania +consists of six LATAs: Philadelphia, Capital, Northeast, Altoona, Pittsburgh, +and Erie (independent telco). + + ============== + A Few Thoughts + ============== + + In 1973, Chrysler, A&P, RCA, Phillips Petroleum, S.S. Kresge, Boeing +Aircraft, International Harvester, Woolworth's, Greyhound, Firestone, Litton, +and General Foods, among others, each reported annual profits of less than $150 +million. In that same year, the Telephone Company wrote off, as being +uncollectable, debts of $150 million. + In 1974, the Bell System had direct interests in at least 276 organizations, +many of them not related to the telefone industry. Bell also had interlocking +financial arrangements with such corporations as the Chase Manhattan Bank, IBM, +Prudential Insurance, Sears Roebuck, General Motors, U.S. Steel, and Lever +Brothers. Should the need have arisen, the Bell System in 1974 could have +exercised control of 400 billion dollars, fully one-third of that year's gross +national product. + +From: Hyde, J. Edward, The Phone Book. Henry Regnery Publishing Company, +Chicago Illinois, 1976. ISBN 0-8092-8008-6. + + There are many viewpoints as to the future course of the telefone industry. +The general consensus among most Telco employees is that the children of AT&T +(i.e., the seven regional holding companies into which the Bell System was +divided) will someday be reassembled into the original Bell System, and all +will be well and good in the world of telecommunications again. I tend to +disagree with this. I think that within three decades the entire telefone +industry will be consolidated and nationalized. It will be owned and operated +entirely by the United States Federal Government. This will accomplish several +goals of the government. First, the immense revenue from telefone services +will provide great financial resources for the federal government. Rates for +telefone services will skyrocket far out of the range of affordability, quality +of service will deteriorate to a point of unusability, and meanwhile +politicians will get rich. + Second, once the government controls the telefone system, monitoring the +general public will become infinitely easier. Big Brother will be able to keep +and eye, or rather, an ear on the general population, and giant step forward in + + Page 157 + + + + + The Official Phreaker's Manual + +ultimate government control of peoples' lives will be achieved. Most people +won't know anything about this, and even if they do, they won't give a shit +because by then the fucking government will have already invaded every +remaining private aspect of the individual's life. + To those who find it utterly unthinkable that the federal government would +ever assume control of the telefone industry, I would call attention to the +situation that existed between 1917 and 1919. During this time the government +controlled the phone system of the United States. J. Edward Hyde sums it up +beautifully: + + Between 1917 and 1919, the Federal Government did control the phone +industry. Since then, the most charitable historians have blamed the +subsequent mess on the First World War. Others blame it on the democrats. But +the fact is that it was a fiasco of the bureaucracy's own making, combined with +intracompany sabotage. + Today, in those countries where the phone service is nationally owned, the +service runs from poor to nonexistent. Would you want the government that gave +you the Russian wheat deals, Defense Department overruns, Amtrak, and the +Postal Service handling your phone problems? + +From: Hyde, J. Edward, The Phone Book. Henry Regnery Publishing Company, +Chicago, Illinois, 1976. ISBN 0-8092-8008-6, p. 170. + +Technical References: + +Notes on the BOC intra-LATA Networks. American Telephone & Telegraph Company, +1983. + +The Phone Book. J. Edward Hyde, 1976. + +Bell System Technical Journal. Volume 58, Number 5. + +Engineering and Operations in the Bell System. American Telephone & Telegraph +Company, 1983. + + +Acknowledgements: Karl Marx, Telenet Bob, and the scores of Telco employees +in Denver, White Plains, Omaha, and North Jersey who were very helpful in +patiently answering my many questions about Equal Access. + +Thanks to Mack the Knife for magnetic transfer of this illustrious file, a +tedious task for which I have no time. + +Thanks to the following printers for their cooperation and professional manner +in helping me with final production of this file: + +Kinko's Print Shop +7155 West Colfax +Lakewood, CO + +Office Products and Printing +5035 S. Kipling Suite B4 +Littleton, CO + +This has been a Mark Tabas Encounter Series production. Questions, comments, +and requests may be addressed to: + +Tabas + + Page 158 + + + + + The Official Phreaker's Manual + +P.O. Box 620401 +Littleton, CO 80162 + +Requests for copies of this or any other Encounter Series file are honored for +free, but please enclose a self-addressed medium sized first class mailing +envelope with 73 cents postage. + +Special thanks to Steve Reger, who was kind enough to shoot my neighbor's dog, +whose incessant barking constantly distracted me as I labored to complete this +file. + +(for Amy) cl/KIABB!/jd + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 159 + + + + + The Official Phreaker's Manual + + Equal Access and Modem Autodialers by Shadow 2600 + + Now that AT&T is being divested of its local telephone companies, phone +customers across the nation have to choose their long distance carrier as equal +access is phased in. Advertising campaigns emphasize such aspects as low rates +and operator assistance, but no one mentions a factor that will affect modem +users who use auto dialers for long distance calls. Not all of the alternate +long distance carriers provide called party answering supervision on all calls. +Called party answering supervision basically has the telephone company start +billing only when the called party answers the telephone. However, many of the +alternate long distance companies still operate with the "fixed timeout" basis +for charging. That is, if a call is held for a fixed length of time (usually +30 seconds) the charging starts, whether or not the call was answered. This +could cause modem owners large bills if they use autodialers to make long +distance calls. Modems are usually set up to wait up to one minute when +attempting to make a call, and thus have to timeout through busy signals, long +call setup sequences, extender waits, and similar problems. This could result +in many billed but never answered calls. + + Some of the other carriers provide it on calls to some cities, and others +not support it at all. Only AT&T Communications provides called party +answering supervision on all calls to all points at this time. It is almost +impossible to get information on how a long distance company charges its calls +as as they don't want to reveal how their billing is handled. The alternate +carriers get called party supervision when the destination location goes equal +access. However, there has been no quick action on the part of the alternate +long distance companies to make use of the supervision data as they would have +to get equipment for passing the information back to the billing computer at +the originating point. Thus called party answering supervision information +often ends up being ignored by these carriers even when available. Another +point to remember is that called party answering supervision's availability +depends on whether the destination has equal access, not the originating +location. The lower long distance rates of alternate long distance rates must +be weighed against the time out problem as it affects autodialing modems. One +way to circumvent this is merely to set your modem to a shorter +waiting-for-connect time, but this may not provide enough time for the call to +go through. [For more information on this and other telecommunications topics +call the Private Sector BBS at (201) 366- 4431] + + + + + + + + + + + + + + + + + + + + + + Page 160 + + + + + The Official Phreaker's Manual + +==Phrack Inc.== +Volume One, Issue Two, Phile #6 of 9 + + Toward Universal Information Services Via ISDN + DDDDDD DDDDDDDDD DDDDDDDDDDD DDDDDDDD DDD DDDD + by Taran King + + From PROTO newsletter of AT&T Bell Laboratories + ------------------------------------------------------------ +Phase one, the Present. +DDDDD DDDD DDD DDDDDDDD + The local network of today, although still largely voice-oriented, is already +on the path to Universal Information Services. Lightguide fiber is +dramatically expanding the capacity of local networks, helping to lower the +costs and increase the demand for high-band width, Information Age services. +And public networks are increasingly digital and geared for data and special + services. For example: + +o The AT&T Network Systems 5ESS (TM ) switch, designed by Bell +Laboratories, can serve as the hub of a local deployment of remote modules at +locations up to 100 miles from a host central office. + +o The Integrated Special Services Network (ISSN) is a channel network that +provides special services, customer control options and digital private lines +rearrangeable under software control. The ISSN incorporates digital carrier +terminating equipment such as the D4 Channel Bank, D5 Digital Terminal System +and Digital Access and Cross-connect System (DACS). + +o The New Centrex is bringing greater levels of customer control, improved +services and a broad range of data capabilities to the business customer. + + Today's public networks consist of multiple or overlay networks. The public +switched network, or circuit network, mainly for voice, is the base network. +Two kinds of overlay networks provide special services. Channel networks carry +private lines leased by large customers and transmit much of today's data and +image traffic; they also handle traffic for network operations support. Packet +networks carry data communications, while packet switching is used internally +to public networks for common channel signaling to set up, route and take down +calls, or to give customers information. "Overlay networks help +telecommunications companies efficiently meet growing demand for digital +transmission and special services," says Stan Johnston, Market Planning +Manager, Network Systems Evolution, in AT&T Network Systems. "Their integration +into a single network, however, would be still more effective." + +Phase two, the Integrated Services Digital Network (ISDN). +DDDDD DDDD DDD DDDDDDDDDD DDDDDDDD DDDDDDD DDDDDDD DDDDDDD + + The ISDN is a concept to which AT&T is committed - and it's the foundation +for Universal Information Services. The central idea of ISDN, as AT&T Network +Systems sees it, is to provide an individual user a link to the local central +into two 64,000-bit channels, which may carry voice or data or both, and one +16,000-bit channel for packetized signaling information or data transport. +Such a link provides convenient "integrated" network access by accommodating +voice, data and signaling over a single line. + The ISDN will make it easier for a customer to get varied services from +public and private networks. More bandwidth for big customers will be +available through another ISDN access standard, the extended digital subscriber + + Page 161 + + + + + The Official Phreaker's Manual + +line, which provides 1.5 billion bits per second as 24 channels of 64,000 bits +each. + In 1986, new software from Bell Labs will enable the 5ESS switch to +accommodate ISDN-sized 144,000-bit channels that standardize and simplify +subscribers' use of local networks. AT&T is committed to future products that +will also be ISDN-compatible. Other vendors, too, some of whom already plan to +build premises, terminal, and other equipment to ISDN standards, will make ISDN +a cooperative effort. + By providing integrated digital access to networks, ISDN will make important +progress toward the goal of Universal Information Services. But overlay +networks will continue to divvy up the transport job. And messages needing +less than 144,000 bits per second will not fill their allotted bandwidth, +leaving capacity under utilized. + +Phase three, Universal Information Services. +DDDDD DDDDDD DDDDDDDDD DDDDDDDDDDD DDDDDDDDD + Rooted in the fertile ground of 5ESS switches, ISDN equipment and +technologies such as wideband packet transport, Universal Information Services +will bear fruit during the 1990s. From a single kind of network will hang +services as different as apples, oranges and pears. Just as network access was +integrated in ISDN, transport functions will increasingly be integrated by +powerful new network equipment evolved from equipment developed for the ISDN. +Where customers once got standard-sized ISDN channels, they'll get big +bandwidth for large jobs, little bandwidth for small jobs. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 162 + + + + + The Official Phreaker's Manual + + TOWARD UNIVERSAL INFORMATION SERVICES VIA ISDN + +Phase one, the present. The local network of today, although still largely +voice oriented, is already on the path to Universal Information Services. +Lightguide fiber is dramatically expanding the capacity of local networks, +helping to lower the costs and increase the demand for high-bandwidth, +Information Age services. And public networks are increasingly digital and +geared for data and special services. For example: + + * The AT&T Network Systems 5ESS switch, designed by Bell Laboratories, can +serve as the hub of a local digital network through deployment of remote +modules at locations up to 100 miles from a host central office. + + * The Integrated Special Services Network (ISSN) is a channel networks that +provides special services, customer control options and digital private lines +rearrangeable under software control. The ISSN incorporates digital carrier +terminating equipment such as the D4 Channel Bank, D5 Digital Terminal System +and Digital Access and Cross-connect Systems (DACS). + + * The New Centrex is bringing greater levels of customer control, improved +services and a broad range of data capabilities to the business customer. + + Todays public networks consist of multiple or overlay networks. The public +switched network, or circuit network, is the base network. Two kinds of +overlay networks provide special services. Channel networks carry private +lines leased by large customers and transmit much of today's data and image +traffic; they also handle traffic for network operations support. Packet +networks carry data communications, while packet switching is used internal to +public networks for common channel signaling to set up, route and take down +calls, or to give customers information. + "Overlay networks help telecommunications companies efficiently meet growing +demand for digital transmission and special services," says Stan Johnston, +Market Planning Manager, Network Systems Evolution, in AT&T Network Systems. +"Their integration into a signal network, however, would be still +more effective." + Phase two, the Integrated Services Digital Network (ISDN). The ISDN is a +concept to which AT&T is commited--and it's the foundation for Universal +Information Services. The central idea of ISDN, as AT&T Network Systems sees +it, is to provide an individual user a link to the local central office of +generous bandwidth--a digital subscriber line that can carry 144,000 bits per +second. The bandwidth is subdivided into two 64,000-bit channels, which may +carry voice or data or both, and one 16,000-bit channel for packetized +signaling information or data transport. Such a link provides convenient +"integrated" network access by accommodating voice, data and signaling over a +single line. + The ISDN will make it easier for a customer to get varied services from +public and private networks. More bandwidth for big customers will be +available through another ISDN access standard, the extended digital subscriber +line, which provides 1.5 million bit per second as 24 channels of 64,000 bits +each. + In 1986, new software from Bell Labs will enable the 5ESS switch to +accommodate ISDN-sized 144,000-bit channels that standardize and simplify +subscribers' use of local networks. AT&T is committed to future products that +will also be ISDN-compatible. Other vendors, too, some of whom already plan to +build premises, terminal and other equipment to ISDN standards, will make ISDN +a cooperative effort. + By providing integrated digital access to networks, ISDN will make +important progress toward the goal of Universal Information Services. But + + Page 163 + + + + + The Official Phreaker's Manual + +overlay networks will continue to divvy up the transport job. And messages +needing less than 144,000 bits per second will not fill their allotted +bandwidth, leaving capacity underutilized. + Phase three, Universal Information Services. Rooted in the fertile ground +of 5ESS switches, ISDN equipment and technologies such as wideband packet +transport, Universal Information Services will bear fruit during the 1990s. +>From a single kind of network will hang services as different as apples, +oranges and pears. Just as network access was integrated in ISDN, transport +functions will increasingly be integrated by powerful new equipment evolved +from equipment developed for the ISDN. Where customers once got standard- +sized ISDN channels, they'll get big bandwidth for large jobs, little bandwidth +for small jobs. + +*** retyped from PROTO, AT&T Bell Laboratories report to executives on new +technologies, without written permission from the editors. (heh, heh.) + +Subscriptions: $15.00 per year, published bi-monthly. Send check payable to +"Bell Laboratories PROTO," to PROTO Circulation Manager, Room 3E-230, 150 John +F. Kennedy Parkway, Short Hills, N.J. 07078. + +:LIQUID:CRYSTAL: +wisdom is safety + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 164 + + + + + The Official Phreaker's Manual + +==Phrack Inc.== +Volume One, Issue Two, Phile #7 of 9 + + @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ + @ @ + @ _ _ _______ @ + @ | X/ | / _____/ @ + @ |_||_|etal / /hop @ + @ __________/ / @ + @ /___________/ @ + @ Headquarters of Phrack Newsletter @ + @ (314) 432-0756 @ + @ Proudly Presents @ + @ MCI Overview @ + @ Written on 11/16/85 @ + @ by @ + @ @ + @ Knight Lightning & Taran King @ + @ @ + @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ + +MCI Communications Corporation, headquartered in Washington, D.C., provides a +full range of domestic and international telecommunications services, including +voice and data, telex and cable, paging and mobile telephone, and time +sensitive message delivery. + +Since its founding in 1968, MCI has grown to more than $1.6 billion in annual +sales and serves more than 1.9 million business, residential and government +customers through its four major business units: + +MCI Telecommunications + +MCI Airsignal + +MCI International + +MCI Digital Information Services + + +MCI TELECOMMUNICATIONS + + MCI Telecommunications provides domestic interstate long distance service +throughout all 50 states, plus Puerto Rico, the U.S. Virgin Islands, and major +calling areas of Canada. It is also authorized to provide varying degrees of +intrastate long distance service in some states. + +MCI also is the first long distance carrier other than AT&T to offer direct +dial service overseas. International telephone service is available to all +residential and commercial customers (with the exception of Private Line +customers). In October, 1984 the first international service agreements were +announced with the following countries: Argentina, Belgium, Brazil, East +Germany, Greece, United Arab Emirates, and the United Kingdom. + +Total capital investment in MCI's long distance network is approximately $2 +billion. MCI's network, the second largest in the U.S., employs microwave +optical fiber, satellite and various digital transmission technologies. + +Subscribers - Domestic Long Distance (as of 10/84) + + Page 165 + + + + + The Official Phreaker's Manual + +----------- ---------------------- +Residential 1.4 million +Commercial .3 million + Total 1.7 million + +Operations - (as of 10/84) +Network Miles...20,543 (microwave, optical fiber, satellite) +Circuits.......238,000 +Employees........9,500 (full-time, approx.) + +MCI AIRSIGNAL + +MCI Airsignal provides personal message delivery and car telephone services. +MCI Message Service is offered in more than 50 metropolitan areas. In 1984, +service will commence in New York City, Baltimore-Washington, Los Angeles, and +Chicago. MCI car telephone service is offered in 20 markets. + +Personal Message Delivery Service + +ALPHANUMERIC MESSAGE SERVICE + +Displays up to 40-character message using letters and/or numbers. Memory and +recall ability. Alerts subscriber with a silent visual alert or a soft tone. + +DISPLAY MESSAGE SERVICE + +Displays up to 24-digit message (e.g., phone number, stock quotes, sales +figures, coded messages). Memory and recall capability. Alerts customer to +message with a silent visual alert or a soft tone. + +TONE MESSAGE SERVICE + +Notifies customer of a message with a soft tone. + +VOICE MESSAGE SERVICE + +Receives message in actual voice of caller. + +EXPRESS MESSAGE SERVICE + +Receives and stores messages. Instantly alerts subscriber via pager when a +message is received. + +Car Telephone Service + +Enables customers to place calls to or receive calls from anywhere in the +world, 24 hours a day, as they travel in their cars. With the advent of new +cellular technology, both the quality and the accessibility of car telephone +service will vastly improve. + +MCI has thus far obtained franchises to operate a new kind of mobile phone +service, cellular telephone, in Minneapolis and Pittsburgh, and has received +favorable decisions from FCC administration law judges authorizing service in +Los Angeles, Denver-Boulder, and Kansas City. MCI has applied for licenses to +provide cellular service in 81 metropolitan areas. + +MCI Airsignal Branch Sales Offices + + + Page 166 + + + + + The Official Phreaker's Manual + +Personal Message Service/Conventional Mobile Phone Service + +Birmingham (205) 942-2924 +Sacramento (916) 444-2350 +Memphis (901) 682-9658 +Cleveland (216) 464-7311 +Dallas (214) 788-5111 +Fresno (209) 486-7410 +Las Vegas (702) 382-7461 +Denver (303) 778-7878 +Portland (503) 227-2556 +Philadelphia (215) 677-9845 +Atlanta (404) 252-2114 +West Florida (813) 875-3404 +Minneapolis (612) 544-8175 +Kansas City (913) 648-8090 +Miami (305) 491-0122 +Pittsburgh (412) 343-1611 +Houston (713) 464-2516 +Bakersfield (805) 832-2346 + +Cellular Telephone Offices + + Minneapolis-St. Paul (612) 544-3312 + Los Angeles (714) 527-0385 + Elsewhere in California (800) 344-3455 + Headquarters - Washington, D.C. (202) 429-9660 + + +MCI INTERNATIONAL + +MCI International provides private-line voice service to several overseas +countries, and data and message services, including telex, cablegram, leased +channel, and packet switching communications, to more than 200 overseas points. +MCI has moved into two new areas of service: International direct-dial +telephone service and international electronic mail and hard-copy delivery +services. + +International Record Services + +TELEX SERVICE (domestic and international) permits instantaneous, two-way, +written communications with other subscribers worldwide. Customers can send +messages at any time, even though the receiving terminal may be unattended. MCI +International offers access to its telex service from a variety of terminals +and networks; not only subscribers with telex terminals but also those with +communicating word processors, data terminals or computers that communicate +over telephone lines can take advantage of MCI International telex service. To +subscribers connected to its own telex network, MCI International offers World +Message Services--a package of communications offerings including telex, +cablegram and MCI Mail services. Various service enhancements are available to +save time, improve operating efficiency and simplify records keeping for telex +users. + +CABLEGRAM SERVICE, the traditional means of international written +communications, offers flexibility in delivery and economical rates for shorter +messages. Cablegrams can be delivered to virtually any overseas +point.Subscribers with telex terminals or various other types of equipment can +access and TELUS cablegram switch and take advantage of such service + + Page 167 + + + + + The Official Phreaker's Manual + +enhancements as abbreviated addressing and departmental billing. + +LEASED +CHANNEL SERVICE provides an exclusive line between a U.S. firm and it's +overseas office for private communications 24 hours a day. Each MCI +International leased channel is tailored to meet the needs of a specific +customer for teleprinter, facsimile, voice and/or data traffic. For subscribers +with several offices requiring private communications with each other, MCI +International offers a versatile message-switching service. Voice/data leases +can be configured to meet a whole array of communicating needs; for example, +one channel might carry data traffic from a computer at night, voice +communications during office hours, and simultaneous teleprinter messages at +any time. Data channels can handle requirements for traffic at any speed from +1200 bits per second to 1.544 megabits per second. + +IMPACS SERVICE uses packet-switching technology to provide international +communications service between data terminals and computers. Impacs offers +on-line, real-time connections and enables many types of incompatible systems +to communicate. Impacs service offers virtually error-free transmission +because of the error-detection and retransmission capability of the network. + +INSTALINK SERVICE allows businesses overseas to use regular telex equipment to +access remote computing systems and databases in the U.S. Subscribers can +retrieve data from a computer-based information service or use a computing +system connecting to a packet-switching network in the U.S. + +INTERNATIONAL +FACSIMILE SERVICE enables subscribers to send duplicates of original documents +overseas quickly and efficiently, even when neither the sender or the receiver +has facsimile transmission equipment, or when the sender and receiver have +incompatible equipment. + +DATEL SERVICE provides automatic or voice-coordinated data transmission at +speeds up to 2400 bits per second. Either digital or analog facsimile traffic +can be transmitted via Datel. Datel facilities are conditioned to ensure +high-quality transmission. The MCI International switching center allows +communications between incompatible terminals. + +MARITIME SERVICES provide instant, high--quality contact between ships at sea +or offshore rigs, and between these vessels and land-based subscribers +worldwide. + +International Voice Services + +PRIVATE +LINE SERVICE provides, fast, easy access to a single overseas location at an +economical monthly rate. This technically efficient system maximizes the use +of line capacity by recognizing idle time and assigning a speaker to a +transmission path only when the path is needed. Users can dial a four-digit +extension from a regular business phone to reach a key overseas location. + +International Mail Services + +WORLD +MESSAGE SERVICE subscribers can access the domestic electronic mail and +hard-copy delivery offerings of MCI Mail. In addition, MCI International is +developing fast, low-cost services that will deliver electronic messages and +high-quality printed documents worldwide. + + Page 168 + + + + + The Official Phreaker's Manual + + +Customer Service + +THE CUSTOMER TROUBLE REPORTING ASSISTANCE CENTER at MCI International addresses +customer concerns such as equipment maintenance and service performance +questions. Customer service specialists, on duty 24 hours a day on business +days, answer questions and electronically route service requests to technicians +nationwide. + +MCI DIGITAL INFORMATION SERVICES CORP. + +MCI Digital Information Services, MCI's newest unit, provides high-speed, +low-cost, time-sensitive message delivery (MCI Mail), either electronically or +via hard copy. + +MCI Mail provides time-sensitive document delivery to anyone, anywhere vial +MCI's long-distance telephone network. MCI Mail can reach a recipient +instantly, in four hours or less, or overnight by noon the next day. Prices +are as much as 90 percent lower than comparable time-sensitive mail delivery +services. MCI Mail can be delivered electronically, terminal to terminal, or +laser printed on letterhead stationery with the customer's signature. + +MCI Mail customers can even order gifts and services direct through MCI Mail, +ranging from software and paper for personal computers to investment advisory +services to travel specials. + +There are no sign-up, monthly service charges or "connect time" charges for MCI +Mail. MCI Mail can be used by virtually any personal computer, word processor, +electronic typewriter, data terminal, telex, or other digital communications +device. The service is accessed by a local telephone call or 800 number. + +MCI Mail + +INSTANT delivery to an "electronic" mailbox. + +FOUR-HOUR paper delivery by courier to 17 major metropolitan areas regardless +of point of origin. + +OVERNIGHT paper delivery by courier by noon the next day in 20,000 continental +U.S. cities. + +MCI LETTER transmitted electronically to the MCI digital postal center nearest +its destination, then delivered locally by the U.S. Postal Service. + +TELEX DISPATCH enables MCI Mail subscribers to transmit messages to the more +than 1.6 million telex subscribers worldwide. + +VOLUME MAIL enables customers to send large mailings in a variety of letter +formats, at substantial savings in delivery time and expense. + + ============================================================ + Look for more MCI Files coming to Metal Shop soon! + + This has been a Knight Lightning Presentation + ============================================================ + + + + + Page 169 + + + + + The Official Phreaker's Manual + + Reference Tables + + Just some notes that you will always try to find but can never! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 170 + + + + + The Official Phreaker's Manual + +==Phrack Inc.== +Volume One, Issue One, Phile #5 of 8 + + Using MCI Calling Cards + by + Knight Lightning + of the + 2600 Club! + +How to dial international calls on MCI: + + "Its easy to use MCI for international calling." + +1. Dial your MCI access number and authorization code (code = 14 digit number, +however the first 10 digits are the card holders NPA+PRE+SUFF). + +2. Dial 011 + +3. Dial the country code + +4. Dial the city code and the PRE+SUFF that you want. + +Countries served by MCI: + +Country code|Country code +-------------------------------------|-------------------------------- +Algeria..........................213 |New Zealand..................064 +Argentina........................054 |Northern Ireland.............044 +Australia........................061 |Oman.........................968 +Belgium..........................032 |Papua New Guinea.............675 +Brazil...........................055 |Qatar........................974 +Canada................Use Area Codes |Saudi Arabia.................966 +Cyprus...........................357 |Scotland.....................044 +Denmark..........................045 |Senegal......................221 +Egypt............................020 |South Africa.................027 +England..........................044 |Sri Lanka....................094 +German Democratic Republic |Sweden.......................046 +(East Germany)...................037 |Taiwan.......................886 +Greece...........................030 |Tanzania.....................255 +Jordan...........................962 |Tunisa.......................216 +Kenya............................254 |United Arab Emirates.........971 +Kuwait...........................965 |Wales........................044 +Malawi...........................265 | +====================================================================== + +Thats 33 countries in all. To get the extender for these calls dial 950-1022 or +1-800-624-1022. + +For local calling: + +1. Dial 950-10222 or 1-800-624-1022 + +2. Wait for tone + +3. Dial "0", the area code, the phone number, and the 14 digit authorization +code. You will hear 2 more tones that let you know you are connected. + + - Knight Lightning --> The 2600 Club! + + Page 171 + + + + + The Official Phreaker's Manual + +===================================================================== + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 172 + + + + + The Official Phreaker's Manual + + AT&T INTERNATIONAL DIALING COUNTRY CODES AS OF 2-17-85 + + FILE BY: Lock Lifter + +=========================+ + +*UNITED KINGDOM/IRELAND +------------------------------------ +IRELAND.........................353 +UNITED KINGDOM...................44 + +*EUROPE +------------------------------------ +ANDORRA..........................33 +AUSTRIA..........................43 +BELGIUM..........................32 +CYPRUS..........................357 +CZECHOLSLOVAKIA..................42 +DENMARK..........................45 +FINLAND.........................358 +FRANCE...........................33 +GERMAN DEMOCRATIC REPUBLIC.......37 +GERMANY, FEDERAL REPUBLIC OF.....49 +GIBRALTAR.......................350 +GREECE...........................30 +HUNGARY..........................36 +ICELAND.........................354 +ITALY............................39 +LIECHTENSTEIN....................41 +LUXEMBOURG......................352 +MONACO...........................33 +NETHERLANDS......................31 +NORWAY...........................47 +POLAND...........................48 +PORTUGAL........................351 +ROMANIA..........................40 +SAN MARINO.......................39 +SPAIN............................34 +SWEDEN...........................46 +SWITZERLAND......................41 +TURKEY...........................90 +VATICAN CITY.....................39 +YUGOSLAVIA.......................38 + +*CENTRAL AMERICA +------------------------------------ +BELIZE..........................501 +COSTA RICA......................506 +EL SALVADOR.....................503 +GUATEMALA.......................502 +HONDURAS........................504 +NICARAGUA.......................505 +PANAMA..........................507 + +*AFRICA +------------------------------------ +ALGERIA.........................213 +CAMEROON........................237 +EGYPT............................20 + + Page 173 + + + + + The Official Phreaker's Manual + +ETHIOPIA........................251 +GABON...........................241 +IVORY COAST.....................225 +KENYA...........................254 +LESOTHO.........................266 +LIBERIA.........................231 +LIBYA...........................218 +MALAWI..........................265 +MOROCCO.........................212 +NAMIBIA.........................264 +NIGERIA.........................234 +SENEGAL.........................221 +SOUTH AFRICA.....................27 +SWAZILAND.......................268 +TANZANIA........................255 +TUNISIA.........................216 +UGANDA..........................256 +ZAMBIA..........................260 +ZIMBABWE........................263 + +*PACIFIC +------------------------------------ +AMERICAN SAMOA..................684 +AUSTRAILIA.......................61 +BRUNEI..........................673 +FIJI............................679 +FRENCH POLYNESIA................689 +GUAM............................671 +HONG KONG.......................852 +INDONESIA........................62 +JAPAN............................81 +KOREA, REPUBLIC OF...............82 +MALAYSIA.........................60 +NEW CALEDONIA...................687 +NEW ZEALAND......................64 +PAPUA NEW GUINEA................675 +PHILIPPINES......................63 +SAIPAN..........................670 +SINGAPORE........................65 +TAIWAN..........................886 +THAILAND.........................66 + +*INDIAN OCEAN +------------------------------------ +PAKISTAN.........................92 +SRI LANKA........................94 + +*SOUTH AMERICA +------------------------------------ +ARGENTINA........................54 +BOLIVIA.........................591 +BRAZIL...........................55 +CHILE............................56 +COLOMBIA.........................57 +ECUADOR.........................593 +GUYANA..........................592 +PARAGUAY........................595 +PERU.............................51 + + Page 174 + + + + + The Official Phreaker's Manual + +SURINAME........................597 +URUGUAY.........................598 +VENEZUELA........................58 + +*NEAR EAST +------------------------------------ +BAHRAIN.........................973 +IRAN.............................98 +IRAQ............................964 +ISRAEL..........................972 +JORDAN..........................962 +KUWAIT..........................965 +OMAN............................968 +QATAR...........................974 +SAUDI ARABIA....................966 +UNITED ARAB EMIRATES............971 +YEMEN ARAB REPUBLIC.............967 + +*CARIBBEAN/ATLANTIC +------------------------------------ +FRENCH ANTILLES.................596 +GUANTANAMO BAY (US NAVY BASE)....53 +HAITI...........................509 +NETHERLANDS ANTILLES............599 +ST. PIERRE AND MIQUELON.........508 + +*INDIA +------------------------------------ +INDIA............................91 + +*CANADA +------------------------------------ +TO CALL CANADA, DIAL 1 + AREA CODE + +LOCAL NUMBER. + +*MEXICO +------------------------------------ +TO CALL MEXICO, DIAL 011 + 52 + CITY CODE+ LOCAL NUMBER. + +***NOTES :DO NOT FORGET ABOUT THE TIME DIFFERENCE WHEN CALLING OUTSIDE OF YOUR +TIME ZONE. CALLING CARDS CAN BE USED OVER SEAS TO CALL BACK INTO THE U.S. FOR +FURTHER INFORMATION CALL TOLL-FREE 1-800-874-0000. DIAL '#' AFTER THE COMPLETE +NUMBER TO MAKE THE CALL GO THROUGH FASTER. + + + + + + + + + + + + + + + + + Page 175 + + + + + The Official Phreaker's Manual + + ************************************** + * * + * International Dialing Codes * + * Country + Routing * + * * + * (Typed by The Dagda Mor) * + * (Edited by The Jammer) * + * * + ************************************** + +To dial international calls: + +International Access Code + Country code + Routing code + +Example : + +To call Frankfurt, Germany, you would do the following: + +011 + 49 + 611 + (# wanted) + # sign(octothrope) + +The # sign at the end is to tell Bell that you are done entering in all the +needed info. + +Here is the list of Country Codes, listed next to the country, and the routing +codes listed next to the city. + +Andorra- 33 Argentina- 54 +------- --------- +all points- 078 Buenos Aires- 1 + + +Australia- 61 Austria- 43 +--------- ------- +Melbourne- 3 Innsbruck- 5222 +Sydney- 2 Vienna- 222 + + +Bahrain- 973 Belgium- 32 +------- ------- +no routing needed Antwerp- 31 + Brussels- 2 + + +Belize- 501 Bolivia- 591 +------ ------- +no routing needed La Paz- 2 + + +Brazil- 591 Chile- 56 +------ ----- +Brasilia-61 Santiago- 2 +Rio de Janeiro- 21 Valparaiso- 31 +Sao Paulo- 11 + + +China- 86 Colombia- 56 +----- -------- +Tainan- 62 none needed + + Page 176 + + + + + The Official Phreaker's Manual + +Taipei- 2 + + +Costa Rica- 506 Cyprus- 357 +----- ---- ------ +no routing needed Nicosia- 21 + + +Denmark- 45 Ecuador- 593 +------- ------- +Aalborg- 8 Cuenca- 4 +Copenhagen 1 or 2 Quito- 2 + + +El Salvador- 503 Fiji- 679 +---------- ---- +no routing needed none needed + + +France- 33 Germany- 49 +------ ------- +Bordeaux- 56 Berlin- 30 +Marseille- 91 Bonn- 228 +Nice- 93 Frankfurt- 661 +Paris- 1 Munich- 89 + + +German. Rep- 37 Greece- 30 +------- --- ------ + Rhodes- 241 + + +Guam- 671 Guatamala- 502 +---- --------- +no routing needed Guatemala City- 2 + + +Guyana- 592 Haiti- 509 +------ ----- +Georgetown- 02 Port Au Prince- 1 + + +Hoduras- 504 Hong Kong- 852 +------- ---- ---- +no routing needed Hong Kong- 5 + Kowloon- 3 + + +Indonesia- 62 Iran- 98 +--------- ---- +Jakarta- 21 Teheran- 21 + + +Iraq- 964 Ireland- 353 +---- ------- +Baghdad- 1 Dublin- 1 + Galway- 91 + + Page 177 + + + + + The Official Phreaker's Manual + + + +Israel- 978 Italy- 39 +------ ----- +Haifa- 4 Florence- 55 +Jerusalem- 2 Naples- 81 +Tel Aviv- 3 Rome- 6 + Venice- 41 + + +Ivory Coast- 225 Japan- 81 +----- ----- ----- +no routing needed Hiroshima- 822 + Tokyo- 3 + Yokohama- 45 + + +Kenya- 254 Korea- 82 +----- ----- +Nairobi- 2 Pusan- 51 + Seoul- 2 + + +Kuwait- 965 Liberia- 231 +------ ------- +no routing needed none needed + + +Libya- 218 Lechtenstein- 4 +----- ------------ +Tripoli- 21 All points- 75 + + +Luxembourg- 352 Malaysia- 60 +---------- -------- +no routing needed Kuala Lumpur- 3 + + +Monaco- 33 Netherlands- 31 +------ ----------- +All points- 93 Amsterdam- 20 + Rotterdam- 10 + The Hague- 70 + + +New Caledonia- 687 New Zealand- 64 +--- --------- --- ------- +no routing needed Auckland- 9 + Wellinton- 4 + + +Nicaragua- 505 Nigeria- 234 +--------- ------- +Managua- 2 Lagos- 1 + + +Norway- 47 Panama- 507 +------ ------ + + Page 178 + + + + + The Official Phreaker's Manual + +Bergen- 5 none needed +Oslo- 2 + + +Papua New Guinea-675 Paraguay- 595 +----- --- ------ -------- +no routing needed Asuncion- 21 + + +Peru- 51 Phillippines- 63 +---- ------------ +Arequipa- 542 Manila- 2 +Lima- 14 + +Portugal- 351 Romania- 40 +-------- ------- +Lisbon- 19 Bucuresti- 0 + + +San Marino- 39 Saudi Arabia- 966 +--- ------ ----- ------ +All points- 541 Riyadh- 1 + + +Senegal- 221 South Africa- 27 +------- ----- ------ +no routing needed Cape Town- 21 + Pretoria- 12 + + +Spain- 34 Sri Lanka- 94 +----- --- ----- +Barcelona- 3 Colombo- 1 +Canary Is.- 28 +Madrid- 1 +Seville- 54 + + +Suriname- 597 Sweden- 46 +-------- ------ +no routing needed Goteborg- 31 + Stockholm- 8 + + +Switzerland- 41 Tahiti- 689 +----------- ------ +Berne- 31 none needed +Geneva- 22 +Lucerne- 41 +Zurich- 1 + + +Thailand- 66 Tunisia- 216 +-------- ------- +Bangkok- 2 Tunis- 1 + + +Turkey- 90 United Arab + + Page 179 + + + + + The Official Phreaker's Manual + +------ Emirates- 971 +Istanbul- 11 -------- + Abu Dhabi- 2 + Ajman- 6 + Al Ain- 3 + Aweir- 49 + Dubai- 4 + Fujairah- 91 + Jebel Dhana- 5 + Sharjah- 6 + Umm-Al-Quwain- 6 + + +United Kingdom- 44 USSR- 7 +------ ------- ---- +Belfast- 232 Kiev- 044 +Cardiff- 222 Leningrad- 812 +Edinburgh- 31 Minsk- 017 +Glasgow- 41 Moscow- 095 +Liverpool- 51 Tallinn- 0142 +London- 1 + +Vatican City- 39 Venezuela- 58 +------- ---- --------- +All points- 6 Caracas- 2 + Maracaibo- 61 + +Yugoslavia- 38 +---------- +Belgrade- 11 +Zagreb- 41 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 180 + + + + + The Official Phreaker's Manual + + ************************************** + * * + * MAX ACCESS PORTS * + * * + * (LEXITEL CORPORATION) * + * * + * WORD PROCESSED BY THE DAGDA MOR * + * * + ************************************** + +ADRIAN,MI............313-263-0191 LIVONIA, MI..........313-261-6970 +AKRON,OH.............216-275-9814 LOS ANGELES, CA......213-624-9041 +ANN ARBOR, MI........313-451-2121 LOUISVILLE, KY.......502-568-6204 +ATLANTA, GA..........404-525-1769 MARION, OH...........614-387-1011 +AVON LAKE, OH........216-933-2823 MCKEESPORT, PA.......412-664-4870 +BADEN, PA............412-869-1360 MENTOR, OH...........216-255-1645 +BALTIMORE, MD........301-444-7280 MIDDLETOWN, OH.......513-423-1066 +BEAVER FALLS, PA.....412-847-3640 MILWAUKEE, WI........414-933-1880 +BIRMINGHAM, MI.......313-649-0730 MINNEAPOLIS, MN......612-375-0280 +BOSTON, MA...........617-267-9134 MONESSEN, PA.........412-684-8710 +BUFFALO, NY..........716-854-0802 MORTON GROVE,IL......312-950-1066 +BUTLER, PA...........412-285-9081 NEWARK, NJ...........201-624-5040 +CANTON, OH...........216-455-1425 NEWARK, OH...........614-349-8754 +CHICAGO, IL..........312-950-1066 NEW CASTLE, PA.......412-656-9420 +CHILLICOTHE, OH......614-772-1066 NEW YORK, NY.........212-950-1066 +CINCINNATI, OH.......513-421-1880 OAK LAWN, IL.........312-950-1066 +CLEVELAND, OH........216-771-6614 PHILADELPHIA, PA.....215-751-9711 +COLUMBUS, OH.........614-950-1066 PITTSBURG, PA........412-391-9532 +DALLAS, TX...........214-653-1047 PLYMOUTH, MI.........313-451-2121 +DAYTON, OH...........513-223-0366 PONTIAC, MI..........313-332-0500 +DETROIT, MI..........313-950-1066 PORT HURON, MI.......313-982-7115 +ELK GROVE, IL........312-950-1066 PHOENIX, AZ..........602-242-0252 +ELYRIA, OH...........419-323-4431 QUEENS, NY...........718-204-7330 +FINDLAY, OH..........419-424-5934 SANDUSKY, OH.........419-625-1289 +GLEENSHAW, PA........412-486-7394 SHARON, PA...........412-983-0100 +GRAND RAPIDS, MI.....616-456-7925 SPRINGFIELD, OH......513-950-1066 +GREENSBURG, PA.......412-836-8110 STEUBENVILLE, OH.....614-283-1756 +HACKENSACK, NJ.......201-342-2815 ST. LOUIS, MO........314-289-9100 +HOUSTON, TX..........713-224-0982 ST. PAUL, WI.........612-375-0280 +INDIANA, PA..........412-349-8760 TOLEDO, OH...........419-255-1316 +INDIANAPOLIS, IN.....317-638-4442 TROY, OH.............513-335-2303 +KALAMAZOO, MI........616-342-0266 TURTLE CREEK, PA.....412-823-1500 +KANSAS CITY, MO......816-474-6193 WASHINGTON, DC.......202-479-4411 +KOKOMO, IN...........317-453-9932 WASHINGTON, PA.......412-225-1800 +LA GRANGE, IL........312-950-1066 WARREN, MI...........313-268-9120 +LANCASTER, OH........614-687-0159 XENIA, OH............513-376-2991 +LANSING, MI..........517-950-1066 YOUNGSTOWN, OH.......216-746-2021 +LAFAYETTE, IN........317-423-5492 ZANESVILLE, OH.......614-454-6815 + + + + + + + + + + + + Page 181 + + + + + The Official Phreaker's Manual + + ******************** METROFONE ACCESS NUMBERS ******************** + +ANAHEIM, CA (714)527-7055 LOS ANGELES, CA (213)992-8282 +ATLANTA, GA (404)223-1000 LOS ANGELES, CA (213)202-6117 +AUSTIN, TX (512)474-6057 MIAMI, FL (305)326-3300 +BALTIMORE, MD (301)659-7700 MILWAUKEE, WI (414)277-1805 +BEAUMONT, TX (713)833-9331 MINNEAPOLIS, MN (612)370-9000 +BOSTON, MA (617)482-3222 NEW ORLEANS, LA (504)566-8500 +BUFFALO, NY (716)852-9200 NEW YORK, NY (212)732-7430 +CHICAGO, IL (312)853-4700 NEWARK, NJ (201)645-9220 +CINCINNATI, OH (513)241-1747 OAKLAND, CA (415)836-6900 +CLEVELAND, OH (216)861-5163 OKLAHOMA CITY, OK (405)232-9011 +COLUMBUS, OH (614)224-0577 OMAHA, NE (402)422-1120 +CULVER CITY, CA (213)410-0078 PHILADELPHIA, PA (215)351-0100 +DALLAS, TX (214)742-4500 PITTSBURGH, PA (412)261-5720 +DAYTON, OH (513)228-1576 RENO, NV (702)329-1025 +DENVER, CO (303)623-5326 RICHMOND, VA (804)225-1920 +DETROIT, MI (313)963-4847 ST. LOUIS, MO (314)342-1130 +EL MONTE, CA (213)350-1028 SACRAMENTO, CA (916)443-6921 +ELK GROVE, IL (312)981-8870 SAN ANTONIO, TX (512)224-9600 +FT. LAUDERDALE, FL (305)462-3530 SAN DIEGO, CA (714)233-0327 +FT. WORTH, TX (817)338-1639 SAN FRANCISCO, CA (415)956-0162 +HACKENSACK, NJ (201)487-3155 SAN JOSE, CA (408)947-7606 +HARTFORD, CT (203)522-0003 SAN MATEO, CA (415)579-6001 +HAWTHORNE, NJ (201)427-1100 SANTA ANA, CA (714)972-9515 +HINSDALE, IL (312)986-0566 SEATTLE, WA (206)382-0910 +HOUSTON, TX (713)224-9417 SKOKIE, IL (312)679-8120 +HUNTINGTON BEACH, CA (714)972-8515 SYRACUSE, NY (315)474-3911 +INDIANAPOLIS, IN (317)635-6284 TOLEDO, OH (419)243-1046 +KANSAS CITY, KS (913)621-3186 WASHINGTON, DC (202)737-2051 +LONG ISLAND, NY (516)443-5402 +LOS ANGELES, CA (213)629-1026 + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 182 + + + + + The Official Phreaker's Manual + + Area Codes In Numerical Order, by The Jammer +______________________________________________________________________ + +201 Newark New Jersey 519 London Ontario +202 Washington D.C (all) 601 Mississippi (all) +203 Connecticut (all) 602 Arizona (all) +205 Alabama (all) 603 New Hampshire (all) +206 Seattle Washington 605 South Dakota (all) +207 Maine (all) 606 Winchester Kentucky +208 Idaho (all) 607 Binghamton New York +212 Bronx Nyc, New York 608 Madison Wisconsin +212 Manhattan Nyc, New York 609 Trenton New Jersey +213 Los Angeles California 612 St. Paul Minnesota +214 Dallas Texas 613 Ottawa Ontario +215 Philadelphia Pennsylvania 614 Columbus Ohio +216 Cleveland Ohio 615 Nashville Tennessee +217 Springfield Illinois 616 Grand Rapids Michigan +218 Duluth Minnesota 617 Boston Massachusetts +219 Gary Indiana 618 Alton Illinois +301 Maryland (all) 619 San Diego California +303 Colorado (all) 700 Teleconference (all) +304 West Virginia (all) 701 North Dakota (all) +305 Miami Florida 702 Nevada (all) +305 Orlando Florida 703 Alexandria Virginia +307 Wyoming (all) 704 Charlotte North Carolina +308 Abott Nebraska 705 North Bay Ontario +309 Peoria Illinois 712 Councilbluffs Iowa +312 Chicago Illinois 713 Houston Texas +313 Detroit Michigan 714 Anaheim California +314 St. Louis Missouri 715 Bay City Wisconsin +315 Syracuse New York 716 Buffalo New York +316 Wichita Kansas 716 Rochester New York +317 Indinapolis Illinois 717 Harrisburg Pennsylvania +318 Lake charles Lousiana 800 Toll Free (all) +319 Davenport Iowa 801 Utah (all) +401 Rhode Island (all) 802 Vermont (all) +402 Omaha Nebraska 803 South Carolina (all) +404 Atlanta Georgia 804 Richmond Virgina +405 Oklahoma City Oklahoma 805 Bakersfield California +406 Montana (all) 806 Amarillo Texas +408 San Jose California 807 Thunder Bay Ontario +412 Pittsburg Pennsylvania 808 Hawaii (all) +413 Springfield Massachusetts 809 Bermuda (all) +414 Milwaukee Wisconsin 809 Bahamas (all) +415 San Francisco California 809 Puerto Rico (all) +416 Toronto Onterio 809 Virgin Islands (all) +417 Joplin Missouri 812 Evansville Indiana +418 Quebec Quebec 812 Dade park Kentucky +419 Toledo Ohio 814 Johnston Pennsylvania +501 Arkansas (all) 815 Rockford Illinois +502 Frankfort Kentucky 816 Independence Missouri +503 Oregon (all) 817 Fort Worth Texas +504 New Orleans Louisiana 818 Burbank California +504 Baton Rouge Louisiana 819 Trois Riv. Quebec +505 New Mexico (all) 900 Dial-it (all) +507 Rochester Minnesota 901 Memphis Tennessee +509 Pullman Washington 904 Talahassee Florida +512 Austin Texas 906 Escanaba Michigan + + Page 183 + + + + + The Official Phreaker's Manual + +513 Cincinnati Ohio 907 Alaska (all) +514 Montreal Quebec 912 Savannah Georgia +515 Des Moines Iowa 913 Kansas City Kansas +516 Hempstead New York 915 El Paso Texas +517 Lansing Michigan 916 Sacramento California +518 Albany New York 918 Tulsa Oklahoma + 919 Raleigh North Carolina + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 184 + + + + + The Official Phreaker's Manual + +==Phrack Inc.== +Volume One, Issue Two, Phile #5 of 9 + +Updated from November 26, 1985 +Tac Dialups taken from Arpanet +by Phantom Phreaker + + TAC DIALUPS SORTED BY LOCATION 26-NOV-85 + +State/Country 300 Baud 1200 Baud 1200 Type +------------- --------------- ----------------- --------- + + ALABAMA + Anniston Army Depot [M] + (ANNIS-MIL-TAC) (205) 235-6285 (R4) (205) 235-7650 B/V + (205) 237-5731 (R8) (205) 237-5731 (R8) B/V + (205) 237-5770 (R8) (205) 237-5779 (R8) B/V + (205) 237-5805 (R8) (205) 237-5805 (R8) B/V + + *Please note: When accessing the Anniston TAC you must first enter a + , then enter DDN . After you receive CLASS DDN START, + proceed as normal. + + Gunter AFS [M] + + (GUNTER-TAC) (205) 279-3576 + (205) 279-4682 + + Redstone Arsenal [M] + (MICOM-TAC) [none known] + + ARIZONA + Ft. Huachuca [M] + (HUAC-MIL-TAC) [none known] + + Yuma [M] + (YUMA-TAC) (602) 328-2186 (602) 328-2186 B/V + (602) 328-2187 (602) 328-2187 B/V + (602) 328-2188 (602) 328-2188 B/V + + CALIFORNIA (NORTHERN) + Alameda [M] + (ALAMEDA-MIL-TAC) [none known] + + Menlo Park [M] + (SRI-MIL-TAC) (415) 327-5440 (R3) (415) 327-5440 (R3) B + + (USGS3-TAC) [M] [no dialups] + + Moffett Field [M] + (AMES-TAC) [no dialups; contact NSC for access] + William Jones - (415) 694-6482 + (FTS) 494-6482 + (AV) 359-6482 + + Monterey [M] + (NPS-TAC) [none known] + + + Page 185 + + + + + The Official Phreaker's Manual + + Sacsamento [M] + (MCCLELLAN1-MIL-TAC) [none known] + (MCCLELLAN2-MIL-TAC) [none known] + + Stanford [A] + (SU-TAC) (415) 327-5220 + + CALIFORNIA (SOUTHERN) + China Lake [M] + (NWC-TAC) [none known] + + + Edwards AFB [M] + (EDWARD-MIL-TAC) [none known] + + El Segundo [M] + (AFSC-SD-TAC) (213) 643-9204 (213) 643-9204 B/V + + Los Angeles [A] + (USC-TAC) (213) 749-5436 + + Los Angeles [A] + (USC-ARPA-TAC) [none known] + + San Diego [M] + (ACCAT-TAC) (619) 225-1641 (R4) (619) 225-6903 V + (619) 225-6946 (R3) + (619) 223-2148 V + (619) 226-7884 (R2) + + Santa Monica + (RAND-ARPA-TAC) [A] + (213) 393-9230 + (213) 393-9237 + (213) 393-9238 + (213) 393-9239 + + (RAND2-MIL-TAC) [M] [none known] + + COLORADO + Denver Fed Ctr [M] + (USGS2-TAC) (303) 232-0206 (303) 232-0206 B/V + + Lowry Air Force Base [M] + (LOWRY-MIL-TAC) [none known] + + D.C. + Washington + [Andrews AFB] [M] + (AFSC-HQ-TAC) (301) 967-7930 (R16) (301) 967-7930 (R16) B + (301) 736-2990 (R4) (301) 736-2990 (R4) B + (301) 736-2998 (R2) (301) 736-2998 (R2) B + + (PENTAGON-TAC) (202) 553-0229 (R14) (202) 553-0229 (R14) B + + FLORIDA + Eglin AFB [M] + (AFSC-AD-TAC) (904) 882-8202 (904) 882-8202 B/V + + Page 186 + + + + + The Official Phreaker's Manual + + (904) 882-8201 (904) 882-8201 V + + MacDill AFB [M] + (MACDILL-MIL-TAC) [none known] + + Naval Air Station - Jacksonville [M] + (JAX1-MIL-TAC) [none known] + + Naval Air Station - Orlando [M] + (ORLANDO-MIL-TAC) [none known] + + GEORGIA + Robins AFB [M] + (ROBINS-TAC) (912) 926-2725 (912) 926-2725 B/V + (912) 926-2726 + (912) 926-3231 + (912) 926-3232 + (912) 926-2204 (912) 926-2204 B/V + HAWAII + Camp H.M. Smith [M] + (HAWAII2-TAC) (808) 487-5545 (808) 487-5545 B + + ILLINOIS + Scott AFB [M] + (SCOTT-TAC) [none known] + + (SCOTT2-MIL-TAC) [none known] + + KANSAS + Ft. Leavenworth [M] + (LVN-MIL-TAC) (913) 651-7041 (R8) (913) 651-7041 (R8) B + + LOUISIANA + Navy Regional Data Automation Center [M] + (NORL-MIL-TAC) (504) 944-7940 (504) 944-7940 B + (504) 944-7948 (R2) (504) 944-7948 (R2) B + (504) 944-7951 (R5) (504) 944-7951 (R5) B + (504) 944-8702 (R8) (504) 944-8702 (R8) B + + MARYLAND + Aberdeen Proving Ground [M] + (BRL-TAC) (301) 278-6916 (R4) (301) 278-6916 (R4) B/V + + Bethesda [M] + (DAVID-TAC) (202) 227-3526 (R16) (202) 227-3526 (R16) B/V + + Patuxent River [M] + (PAX-RV-TAC) (301) 863-4815 (301) 863-4815 B/V + (301) 863-4816 (301) 863-4816 B/V + (301) 863-5750 (R6) (301) 863-5750 (R6) B/V + + Silver Spring [M] + (WHITEOAK-MIL-TAC) (301) 572-5960 (R10) (301) 572-5960 (R10) B + (301) 572-5970 (R10) (301) 572-5970 (R10) B + + MASSACHUSETTS + Hanscom AFB [M] + (AFGL-TAC) (617) 861-3000 (R8) (617) 861-3000 (R8) B + + Page 187 + + + + + The Official Phreaker's Manual + + (617) 861-4965 (R8) (617) 861-4965 (R8) + + Cambridge + (BBN-MIL-TAC) [M] [none known] + + (BBN-ARPA-TAC) [A] [no dialup capability] + + (CCA-ARP-TAC) [A] [none known] + + (MIT-TAC) [A] + (617) 491-5669 (617) 258-6224 V + (617) 491-5708 (617) 258-6225 V + (617) 491-5734 (617) 258-6227 V + (617) 491-5819 (617) 258-6248 V + (617) 491-5826 + (617) 491-5841 + (617) 491-5849 + (617) 491-6769 + (617) 491-6772 + (617) 491-6937 + (617) 258-6241 + (617) 258-6242 + (617) 258-6243 + + MICHIGAN + U.S. Army Tank Automotive Command (TACOM) - Warren [M] + (TACOM-TAC) [none known] + + MISSOURI + St. Louis [M] + (STLA-TAC) [none known] + + NEBRASKA + Offutt AFB [M] + (SAC1-MIL-TAC) [none known] + + (SAC2-MIL-TAC) (402) 292-4638 (R10) (402) 292-4638 (R10) B + + (SAC-ARPA-TAC) [A] + (402) 294-2398 (402) 294-2398 B + (402) 291-2018 (402) 291-2018 B + (402) 292-7054 (402) 292-7054 B + + NEW JERSEY + Dover [M] + (ARDC-TAC) (201) 724-6731 (201) 724-6731 B/V + (201) 724-6732 (201) 724-6732 B/V + (201) 724-6733 (201) 724-6733 B/V + (201) 724-6734 (201) 724-6734 B/V + + Fort Monmouth [M] + (FTMONMOUTH1-MIL-TAC) (201) 544-2052 (201) 544-2052 B/V + (201) 544-2062 (201) 544-2062 B/V + (201) 544-2072 (201) 544-2072 B/V + (201) 544-2396 (201) 544-2396 B/V + (201) 544-2430 (201) 544-2430 B/V + + (FTMONMOUTH2-MIL-TAC) (201) 544-4254 (R3) (201) 544-2430 B + + Page 188 + + + + + The Official Phreaker's Manual + + (201) 544-2636 B + (201) 544-2638 B + (201) 544-2777 B + + NEW MEXICO + Albuquerque [M] + (AFWL-TAC) [none known] + + White Sands [M] + (WSMR-TAC) [no dialups; contact NSC for access] + Claude (Skeet) Steffey - (505) 678-1271 + (FTS) 898-1271 + (AV) 258-1271 + + NEW YORK + Griffiss AFB + (RADC-ARPA-TAC) [A] [no dialup capability] + + (RADC-TAC) [M] + (315) 339-4913 (R5) + (315) 337-2004 (315) 337-2004 B/V + (315) 337-2005 (315) 337-2005 B/V + + (315) 330-2294 (315) 330-2294 (FTS) 952 B/V + + (315) 330-3587 (315) 330-3587 (FTS) 952 B/V + + NORTH CAROLINA + Ft. Bragg [A] + (BRAGG-ARPA-TAC) (919) 396-1131 (R10) (919) 396-1426 (R5) B/V + (919) 396-1491 (R8) B/V + Ft. Bragg [M] + (BRAGG-MIL-TAC) [none known] + + OHIO + Wright-Patterson AFB [M] + (WPAFB-TAC) (513) 258-4218 + (513) 258-4219 + (513) 258-4987 + (513) 258-4988 + (513) 258-4989 + (513) 258-4990 + + (WPAFB2-MIL-TAC) (513) 257-2172 (R8) (513) 257-2172 (R8) B + (513) 257-2690 (R8) (513) 257-2690 (R8) B + (513) 257-3625 (R8) (513) 257-3625 (R8) B + + OKLAHOMA + Tinker AFB [M] + (TINKER-MIL-TAC) [none known] + + + PENNSYLVANIA + New Cumberland Army Depot [M] + (NCAD-MIL-TAC) [none known] + + (NCAD2-MIL-TAC) [none known] + + + Page 189 + + + + + The Official Phreaker's Manual + + TEXAS + Brooks AFB [M] + (BROOKS-AFB-TAC) (512) 536-3081 (R6) (512) 536-3081 (R6) B/V + + Richardson [A] + (COLLINS-TAC) (214) 235-2131 (214) 235-2131 B + (214) 235-2143 (214) 235-2143 B + (214) 235-2178 (214) 235-2178 B + (214) 235-2204 (214) 235-2204 B + (214) 235-2251 (214) 235-2251 B + (214) 235-2278 (214) 235-2278 B + + UTAH + Dugway Proving Ground [M] + (DUGWAY-MIL-TAC) [none known] + + Salt Lake City (University of Utah) [A] + (UTAH-TAC) (801) 581-3486 (801) 581-3486 B/V + + VIRGINIA + Alexandria [M] + (DARCOM-TAC) (202) 274-5300 (202) 274-5300 B + (202) 274-5320 (R6) (202) 274-5320 (R6) B + + Arlington + (ARPA1-MIL-TAC) [M] [none known] + + (ARPA2-MIL-TAC) [M] [none known] + + (ARPA3-TAC) [A] [no dialup capability] + + Dahlgren [M] + (NSWC-TAC) (703) 663-2162 (R8) (703) 663-2162 (R8) B + + Langley Air Force Base [M] + (LANGLEY-MIL-TAC) [none known] + + McLean [M] + (DDN-PMO-MIL-TAC) [none known] + + + (MITRE-TAC) [M] + (703) 442-8020 (R15) + (703) 893-0330 (R10) (703) 893-0330 (R10) B/V + + Norfolk [M] + (NORFOLK-MILTAC) (804) 423-0241 (R2) (804) 423-0241 (R2) B + (804) 423-0247 (R2) (804) 423-0247 (R2) B + (804) 423-0346 (R4) (804) 423-0346 (R4) B + (804) 423-0480 (804) 423-0480 B + (804) 423-0486 (R2) (804) 423-0486 (R2) B + (804) 423-0489 (804) 423-0489 B + (804) 423-0570 (804) 423-0570 B + (804) 423-0572 (R2) (804) 423-0572 (R2) B + (804) 423-0577 (R2) (804) 423-0577 (R2) B + (804) 423-0651 (804) 423-0651 B + (804) 423-0654 (R3) (804) 423-0654 (R3) B + (804) 423-0841 (R2) (804) 423-0841 (R2) B + + Page 190 + + + + + The Official Phreaker's Manual + + (804) 423-0845 (804) 423-0845 B + (804) 423-0849 (804) 423-0849 B + (804) 423-0858 (804) 423-0858 B + (804) 423-0950 (804) 423-0950 B + (804) 423-0952 (804) 423-0952 B + (804) 423-0955 (R3) (804) 423-0955 (R3) B + (804) 423-0959 (804) 423-0959 B + + Reston + (DCEC-ARPA-TAC) [A] [no dialups available] + + (DCEC-MIL-TAC) [M] + (703) 437-2892 (R5) (703) 437-2928 B + (703) 437-2925 (703) 437-2929 B + (703) 437-2926 + (703) 437-2927 + + WASHINGTON + Seattle [A] + (WASHINGTON-TAC) [no dialup capability] + + ENGLAND [M] + (CROUGHTON-MIL-TAC) [none known] + + GERMANY [M] + (FRANKFURT-MIL-TAC) + (M) 2311-5641 (R8) B + + (RAMSTEIN2-MIL-TAC) [none known] + + ITALY [M] + (AGNANO-MIL-TAC) + + JAPAN [M] + (BUCKNER-MIL-TAC) + + (ZAMA-MIL-TAC) + + KOREA [M] + (KOREA-TAC) (M) 264-4951 (R8) B + + PHILIPPINES [M] + (CLARK-MIL-TAC) + + SPAIN [M] + (MILNET-TJN-TAC) [none known] + + (ROTA-MIL-TAC) [none known] + + Notes: + + 1. "(R10)" following phone number indicates a rotary with 10 lines. + + 2. For alternate phone numbers, FTS=Federal Telephone System. + 3. (M)=Military DoD Telephone System. + + 4. [M] denotes a MILNET TAC and [A] denotes an ARPANET TAC. + + + Page 191 + + + + + The Official Phreaker's Manual + + 5. "1200 Type" refers to the modem compatibility for 1200 baud only: + B/V = Bell and Vadic + B = Bell 212A only + V = Vadic 3400 only + + 6. This list is contained in the file NETINFO:TAC-PHONES.LIST at + SRI-NIC. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 192 + + + + + The Official Phreaker's Manual + + >>==========================<< + >>==> TELCO TEST NUMBERS <==<< + >>====> as of 5/16/85 <=====<< + >>=> compiled and updated <=<< + >>====> by Shadow 2600 <====<< + >>==========================<< + +011-44-61-2468011 : US dial tone then "When this system changes, this is the +new dial tone you hear" (UK is changing dialtone) + +201-226-0709 : alternating tones, then "warble" +201-267-9922 : sweep tone +201-267-9966 : 600 ohm termination +201-232-9924 : (tone 1,2,5-beep, bleep; 9,#- 1200 baud static, beep, bleep; +6-tone, higher tone, bleep) +201-232-9959 : tone 11 sec. silence, repeats... +201-233-9972 : multitude of clicks +201-233-9974 : busy 15 sec. then tone w/ clicks +201-241-9916 : hissing with clicks +201-328-9971 : 1000 hrtz tone +201-376-9907 : "is being checked for trouble. Please try again later" +201-464-9915 : low tone 15 sec, silence +201-464-9916 : low tone 2 sec, silence +201-464-9963 : buzz +201-464-9974 : busy 15 sec, low tone +201-543-9902 : "If you'd like to make a call, hang up and try it again." +201-543-9903 : "We're sorry, your call did not go through." +201-543-9904 : "the number you have dialed requires a .20 cents deposit." +201-655-9900 : "cannot be completed as dialed from the phone you are using" +201-769-0205 : People's Express Reservation system +203-771-4920 : telephone company employee newsline +207-866-4411 : 1000 hrtz tone +212-233-9980 : (tone 1,2,3,*-tone, higher tone, bloop; 5-tone, bloop; 9,#- +static,beep,bloop) +212-369-7003 : "you have reached 212-369-7003 in zone 3" (?) +212-799-5017 : ABC New York feed line +213-621-4141 : telephone employee newsline +213-935-1111 : sweep tone with echo at top of range (?) +215-489-0036 : tone, bloop (1,2,5-tone bloop, 3,6,9-tone, higher tone,tone) +215-489-0040 : "please check your instruction manual or call repair service for +assistance" +215-489-0042 : "if you like to make a call please hang up and try again" +215-489-0043 : "We're sorry, your call did not go through." +215-489-0044 : "The call you have made requires a 25 cent deposit" +215-489-0045 : "You must first dial a 1 when dialing this number." +215-489-0074 : LOUD tone, stops, repeats +215-489-0075 : 600 ohm termination (silence) +215-489-0078 : tone, silence +215-489-0080 : 600 ohm termination +215-489-0097 : tone, (lower pitched than -0078) silence (also at -0098) +215-489-0104 : 1000 hrtz tone +216-861-8300 : tone, then higher tone +301-256-9987 : 1000 hertz +301-546-7777 : "Due to Telephone Company facility trouble your call cannot be +completed at this time" +301-725-9904 : "deposit .20" +305-263-0000 : repeating bloop (keypress 2 : slow reorder w/ bloops, clicks) +305-994-9963 : pay fone instructions + + Page 193 + + + + + The Official Phreaker's Manual + +305-994-9966 : "telephone you are calling from is not in service" +312-222-9948 : tone (keypress 1,2,3,6,7,*-tone, high tone, bleep, +4-tone,bloop,9, #-static,beep,bloop) +312-222-9954 : "Test Center" +312-222-9990 : clicks, ticking like +312-222-9996 : LOUD tone, repeats +312-368-8000 : Illinois Bell Communicator (employee newsline) +312-592-0000 : tone (keypress 2222, then other digits, at re-order type * to +restart) (?) +313-223-7223 : telephone employee newsline +313-333-9981 : LOUD tone, silence +313-333-9989 : high tone (enter touchtones for a while, eventually get +"metallic" echo, then 5-high pitched tone, random re-orders) +313-333-9990 : beep, click repeats, with "winks" +313-333-9994 : tone bloop (keypress in 2-tone,bloop, 3-tone, higher tone,tone, +9-static, beep,bloop) +313-333-9995 : 600 ohm termination (silence) +313-333-9996 : weird siren/sweep tone, multi-frequency +313-430-4300 : beep, beep, beep, then reorder +313-698-9998 : sweep tone +314-247-5511 : Southwestern Bell Telenews (employee newsline) +315-471-9934 : "deposit 5 cents for next five minutes" +408-255-0081 : (any two 2,4,8,0-tone) +408-294-6969 : beep, click, computer voice repeats number +408-395-1110 : (tone 2-bleep,glitch; 3-beep,higher beep;#then number-loud +tone,bleep) +408-738-8190 : (tone 1,3,6,7,*-tone, high tone, tone;2-beep,cluck;9,#- +static,tone,beep) +408-745-6060 : high pitched tone, low tone then repeats +408-994-0044 : tone end of loop +412-633-3333 : telephone company employee newsline +414-628-0001 : continuous tone +414-628-0002 : continuous tone (higher pitched, sounds like muted dial) +414-628-0004 : high pitched tone, bloop, silence +414-628-0006 : brief very high tone (also -0007) (multiple keypresses of +2,5,8,0 tone repeats) +414-628-0010 : loud tone, stops, repeats... +414-628-0011 : loud tone, stops +414-628-0013 : 600 ohm termination (silence) (also -0017, two in an exchange?) +414-628-0014 : continuous tone (sounds like weird dial), eventually stops +414-628-0015 : LOUD tone, repeats +414-628-0028 : "Your call cannot be completed as dialed +414-678-3511 : Wisconsin Bell Newsline +414-781-0004 : high tone, silence (keypress 2,5-beep,bleep, 3,6-beep,longbeep, +bloop, 9-static,bloop) +415-284-1111 : one sweep, then silence +415-327-0046 : sweep tone +415-388-0037 : tone,bloop (keypress 2-tone,bloop, 3-tone,high tone,tone, +9-static,beep,bloop) +415-472-0046 : sweep w/ glitch at top +415-545-8800 : Pacific Bell Newsline +415-467-0097 : fast DTMF tones, keypress to repeat +415-777-0020 : 1000 hrtz tone +415-777-0037 : tone, bloop (keypress 2-beep,bloop, 3,6-tone,higher tone, +9-static,beep,bloop) +415-777-0046 : sweep tone with echo +415-777-0105 : tone,bloop (keypress 2-beep,bleep, 3,6-tone, higher tone, +tone,9-static,beep,bloop + + Page 194 + + + + + The Official Phreaker's Manual + +415-826-0022 : tone, click, tone (sounds like a busy) +415-994-0710 : multitude of clicks +512-472-2181 : "if you would like to make a call, please hang up and try +again" +512-472-4263 : garbled recording (?) +512-472-9833 : "you must first dial a 1 or 0 before calling this number" +512-472-9936 : "please check your instructions or call your business office for +assistance" +512-472-9941 : "insert 25 cents" +516-222-3825 : LOUD tone +516-234-9914 : New York Telephone Newsline +518-471-2272 : New York Telephone Newsline +518-789-3299 : weird busy, multitude of clicks +609-267-9966 : busy with clicks in background +609-267-9967 : 600 ohm termination (silence) +609-267-9968 : 1000 hrtz tone +609-267-9971 : LOUD tone, stops, repeats +609-267-9972 : rings with clicks in background (also -9973 and -9974) +609-877-9924 : high tone (tone in 1,2,5-tone, bloop; 3,6,*-tone, higher tone, +bleep; #-static, beep, bleep) +609-877-9929 : 1000 hrz tone +617-553-9953 : tone end of loop +617-890-9900 : sweep tone +617-955-1111 : telephone company employee newsline +619-748-0002 : tone increases in pitch, silence, repeats in monotone +619-748-0003 : sweep, repeat, hangs up +702-789-6711 : Nevada Bell Newsline +713-354-0000 : touch tone in #, then new #, then 5 - listed, 9 - unlisted) +713-482-3199 : "We're sorry, all circuit are busy now." +713-652-5111 : touch tones echo back "metallic", something about "drivers +licence number" replys in a female recorded voice +717-255-5555 : Bell of Pennsylvania "Inside Line" (employee newsline) +718-429-9900 : "Please slide a valid credit card through the slot now" +800-221-5959 : tone (# makes it ring) +800-228-8466 : Sensaphone (tm) demo (time etc. (EST) (wait 7+ rings)) +800-321-3048 : non-connecting loop with 800-321-3049 +800-321-3052 : loop (don't know where other end is) +800-321-6366 : Centagram's Voice Memo System (extension 100 for demo) +800-323-6321 : tone, stops, bloop repeats +800-327-0000 : "Announcement three, Dallas" (changes sometimes) +800-344-4001 : non-connecting loop with 800-344-4002 +800-524-0000 : "Announcement 1 Atlanta" +800-554-5924 : Cable News Network audio feed +800-824-8274 : "Enter your password service code" +802-955-1111 : telephone company newsline +808-533-4426 : Hawaiian Telephone Newsline +816-391-1122 : recorder (keypress 1-toggle on/off, 3-rewind, 4-stop, 7-play) +907-269-0955 : tone (sounds like extender, doesn't take touch tone (?)) +914-232-9901 : "Daytona, New York DMS-100 verification" +914-268-9901 : "Congers DMS 100 Verification" +914-268-9903 : "your call cannot be completed as dialed" +914-268-9968 : (keypress 2-high tone, 3-high, higher tone, 6,0-click, 7- hangs +up, sometimes 0,#,*-harmony) +914-359-9901 : repeats the number dialed ("914-359-9901") +914-359-9960 : weird tone, stops, clicks, repeats +914-623-9968 : (keypress 2,5-beep glitch, 3,6-tone highertone) +916-480-8000 : Pacific Bell Newsline + + + Page 195 + + + + + The Official Phreaker's Manual + + WHAT A TSPS CONSOLE LOOKS LIKE + +--- NON/COIN ---- ------------- COIN ------------- --------- HOTEL --------- + + ---- ---- ---- ---- ---- ---- ----- --- --- ---- +!VFY ! !OVER! !SCRN! !INWD! !EMER! !STA ! ! 0+ ! !DIAL! !STA ! ! 0+ ! +!DIAL! !POST! !TONE! !STA ! ! 0+ ! !DIAL! !QST ! ! ! ! ! ! ! + ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- + +----- OUTGOING TRUNKS ----- RING RELEASE + + ---- ---- ---- ---- ---- ----- ---- ---- ---- ---- +! DA ! !R&R ! !SWB ! !OGT ! !BACK! ! FWD ! !CALL! !T&C ! !NFY ! !CHG ! + ---- ---- ---- ---- ---- ----- ---- ---- ---- ! DUE! + ---- + --- ---- ---- ---- ---- ---- ---- ---- ---- ---- +!KEY ! !BACK! !FWD ! ! SR ! !MAKE! !MTCE! !POS ! !BACK! ! ! ! ! +!CLG ! ! ! ! ! ! ! !BUSY! !TRFR! ---- ---- ---- ---- + ---- ---- ---- ---- ---- ---- + + ----------------- AMA ----------------- + ---- ---- ---- ---- ---- ---- +STATION -----!PAID! !COL ! !SPL ! !SPL ! !AUTO! !DDD ! + ! ! ! ! !CLG ! !CLD ! !COL ! ! ! + ---- ---- ---- ---- ---- ---- + + ---- ---- ---- ---- ---- +PERSON ----- !PAID! !COL ! !SPL ! !SPL ! ! NO ! + ! ! ! ! !CLG ! !CLD ! !AMA ! + ---- ---- ---- ---- ---- + + ---- ---- ---- + !CLG ! !CLG ! !CLG ! + ! ! ! ! ! ! + ---- ---- ---- + + + + + + + + + + + + + + + + + + + + + + + + + Page 196 + + + + + The Official Phreaker's Manual + + Box Plans + + Hmm... I wonder! This is still under construction (Ha Ha). + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 197 + + + + + The Official Phreaker's Manual + + THE INFINITY TRANSMITTER + + TYPED BY THE GHOST WIND + + FROM THE BOOK BUILD YOUR OWN + LASER, PHASER, ION RAY GUN & OTHER WORKING SPACE-AGE PROJECTS + BY ROBERT IANNINI (TAB BOOKS INC) + +Description: Briefly, the Infinity Transmitter is a device which activates a +microphone via a phone call. It is plugged into the phone line, and when the +phone rings, it will immediately intercept the ring and broadcast into the +phone any sound that is in the room. This device was originally made by +Information Unlimited, and had a touch tone decoder to prevent all who did not +know the code from being able to use the phone in its normal way. This +version, however, will activate the microphone for anyone who calls while it is +in operation. +NOTE: It is illegal to use this device to try to bug someone. It is also +pretty stupid because they are fairly noticeable. +Parts List: +Pretend that uF means micro Farad, cap= capacitor + +Part # Description +---- - ----------- +R1,4,8 3 390 k 1/4 watt resistor +R2 1 5.6 M 1/4 watt resistor +R3,5,6 3 6.8 k 1/4 watt resistor +R9,16 2 100 k 1/4 watt resistor +R10 1 2.2 k 1/4 watt resistor +R13,18 2 1 k 1/4 watt resistor +R14 1 470 ohm 1/4 watt resistor +R15 1 10 k 1/4 watt resistor +R17 1 1 M 1/4 watt resistor +C1 1 .05 uF/25 V disc cap +C2,3,5,6,7 5 1 uF 50 V electrolytic cap or tant + (preferably non-polarized) +C4,11,12 3 .01 uF/50 V disc cap +C8,10 2 100 uF @ 25 V electrolytic cap +C9 1 5 uF @ 150 V electrolytic cap +C13 1 10 uF @ 25 V electrolytic cap +TM1 1 555 timer dip +A1 1 CA3018 amp array in can +Q1,2 2 PN2222 npn sil transistor +Q3 1 D4OD5 npn pwr tab transistor +D1,2 2 50 V 1 amp react. 1N4002 +T1 1 1.5 k/500 matching transformer +M1 1 lar + + + diff --git a/textfiles.com/phreak/PHREAKING/phreakri.txt b/textfiles.com/phreak/PHREAKING/phreakri.txt new file mode 100644 index 00000000..87cdc007 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phreakri.txt @@ -0,0 +1,167 @@ + +From TAP Jan-Feb 1984 Issue #90 + +The hobbyists newsletter for the Communications Revolution + +Article: Your Rights as a Phone Phreak + +By Fred Steinbeck + + Uploaded and reformated to 80 columns by Elric of Imrryr + Death to 40 column rodent file manglers! + +"Oh, I'm not worried. They can't tap my line without a court +order." Ever catch yourself saying that? If so, I'll wager you +don't know too much about the laws that can prove to be the +downfall of many a phone phreak. But you are wagering your +freedom and money that you do know. Odds are you don't. At +least, I didn't, and I had a very painful experience finding out. + + Let's take a look at Federal law first. Section 605 of +Title 47 of the United States Code (i.e., Federal law) +forbids interception of communications, or divulgence of +intercepted communications, except by persons outlined in +Chapter 119, Title 18 (a portion of the Omnibus Crime Control +and Safe Streets act of 1968). Section 2511 (2) (a) (i) +of this section says: + + "It shall not be unlawful under this chapter for an +operator of a switchboard, or an officer, employee, or agent of +any communication common carrier, whose facilities are used in +the transmission of a wire communication, to intercept, disclose, +or use that communication in the normal course of his employment +while engaged in any activity which is a necessary incident to the +rendition of his service or to the protection of the rights or +property of the carrier of such communication...." + + The authorization stated in that subsection permits agents +of communication common carriers (i.e. Telcos) not only to intercept +wire communications where necessary "to the protection of the +rights or property of the carrier", but it also authorizes such +an agent to "disclose or use that communication." Fun, huh? +That's not all. + + In the case United States v. Sugden, a case which was +upheld by the Supreme Court, the following ruling was made: + +"For and unreasonable search and seizure to result from the +interception of defendant's communication, he must have +exhibited a reasonable expectation of privacy. Where, as here, +one uses a communication facility illegally, no such expectation +is exhibited." + +This means that when you make a free call, you have waived your +right to privacy. In other words, without pay, your rights +evaporate. + + The only limitation upon monitoring and disclosure is +that it must not be excessive. For example, in Bubis v. +United States, the phone company monitored all of the defendant's +phone calls for a period of 4 months. The defendant's gambling +activities were revealed by this monitoring, and furnished to +the U.S. Attorney's office. This resulted in the defendant being +prosecuted by the District Attorney for violation of the +federal laws against using interstate telephone facilities for +gambling. The court acknowledged the right of the phone company +to protect its ass(ets) and properties against the illegal acts +of a trespasser, but ordered the evidence supressed because : +(1) The extent of the monitoring was unnecessary +(2) The defendant's prosecution for violation of the gambling +laws had "no relationship to protecting the telephone company's +property." + + This was before the Omnibus act. As it happens, though, +the Omnibus act was intended to reflect exsisting law, and +therefore, change nothing (pretty good huh?). In United States +v. Shah the court said (refering to the situation of inadmissible +evidence in U.S v. Bubis), "Thus it would appear that if the tape +recordings of the defendant's conversations had been limited by the +phone company to establish that the calls were in violation of +the subscription agreement (i.e. were illegal) and to the +identification of the person using the phone, and FOR THOSE +PURPOSES ONLY, then the tapes would have been admissible +against the defendant." The court went on to say that this was +indeed the case in United States v. Shah, as the phone company +only monitored for 7 days, and the tapes were of 1 minute call +duration at the beginning of any illegal call. + + So what can the do? Well, several things. First, they +can put a dialed number recorder (DNR) on your line if they +suspect toll fraud. The most common can do the following: print +touch-tone (c) digits sent, print MF digits sent, record presence +of 2600hz on line, and activate a tape recorder for a specific +amout of time (generally 1-2 min) when some specific event occures, +such as 2600hz being blasted into the line. + + DNR's seem to be fairly standard procedure. That is, +almost all the Telcos use them when they suspect fraud. As +long as they do not record the entire conversation, or +conversations that are legal, there is nothing illegal about DNR's. +DNR's are also used to detect fraud using specialized common carriers +(e.g.,Sprint, Metro etc.),by watching you dial the local dialup number, +followed by your (illegal) access code and destination number. +They do not need a court order to place a DNR on your line. + + If they can record voice on your line, they can record data +just as easily. So if you call bulletin board systems and have a +DNR on your line, beaware that any logins you have made have +probably been watched by the phone company, and they probably +know any passwords you have used. + + The purpose behing all this DNR bullshit is to establish +your identity. I suppose a possible defense against this is +simply not to talk for 3 minutes after the connection is +established. Might be kind of hard to do in practice, +however. + + Contrary to popular belief, TPC does not make "midnight +visits" to your house to arrest you. Why should they? A +judicious application of their motto, "Reach out and put the +touch on someone", means that they simply call from their +office. If they call, try to draw them out as much as possible +in a phone conversation. That is, they will keep muttering +about how they "have evidenc". Find out what kind of evidence. +Do not expect them to be forthcoming with everything. They will +almost certainly have more than what they tell you. + + Their standard position is to prosecute all offenders, +although this varies depending on the severity of the +situation, as well as the age of the offender. They tend to +always prosecute adults, while they are receptive to pre-trial +offers made by juveniles. They may want to talk with you in person, +ostensibly to give you a chance to explain why the 300 calls to +the local Sprint node came from your line. Accept this offer. +Often they are more generous with their evidence in person than +they are over the telephone. + + If you do meet with them in person, BRING A LAWYER. +Lawyers are expensive, but they are well worth the price. +They know the law, while you don't. The investigators TPC employs +are seasoned people, and usually make few mistakes, legal or +technical. However, a good lawyer can spot any legal fuckups +they might have made, and you shoud be able to find any technical +ones. + + In talking with them, be civil (i.e., say hello, talk +about the weather etc.) but say nothing pertinent to your case. +They will often tell a large part of their evidence without any +prodding, and at the end, will ask you some questions. YOU ARE +NOT OBLIGATED TO ANSWER ANY OF THESE QUESTIONS. + + At the very first signs of trouble, stop making free calls, +and move anything illegal you have to a friend's house. They may +not get a search warrant, but better safe than sorry. + + TPC can make life miserable for you, and they don't often +prosecute unless they're sure of winning, which is pretty much +always. Therefore, you must make it either not worth their while +to prosecute, or worth their while not to prosecute. The best +bet is to try to get them to settle before going to court by +offering reimbursement and being nice to them (act sorry). If +you appear genuinely sorry, they may not prosecute. + + Failing that, be a low-down bastard and make as much +trouble for them in court as possible. Just remember: +technology is on your side, and thats better than God. + + We T \ No newline at end of file diff --git a/textfiles.com/phreak/PHREAKING/phreaks.txt b/textfiles.com/phreak/PHREAKING/phreaks.txt new file mode 100644 index 00000000..a0c133a8 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phreaks.txt @@ -0,0 +1,340 @@ + + + * * THE PHREAKER'S BIBLE * * + + + HOW TO BE A REAL PHREAK + +IN THE PHONE PHREAK SOCIETY THERE ARE CERTAIN VALUES THAT EXIST IN ORDER TO +BE A TRUE PHREAK, THESE ARE BEST SUMMED UP BY THE MAGICIAN: "MANY PEOPLE +THINK OF PHONE PHREAKS AS SLIME, OUT TO RIP OFF BELL FOR ALL SHE IS WORTH. +NOTHING COULD BE FURTHER FROM THE TRUTH! GRANTED, THERE ARE SOME WHO GET +THEIR KICKS BY MAKING FREE CALLS; HOWEVER, THEY ARE NOT TRUE PHONE PHREAKS. +REAL PHONE PHREAKS ARE 'TELECOMMUNICATIONS HOBBYISTS' WHO EXPERIMENT, PLAY +WITH AND LEARN FROM THE PHONE SYSTEM. OCCASIONALY THIS EXPERIMENTING, AND A +NEED TO COMMUNICATE WITH OTHER PHREAKS ( WITH- OUT GOING BROKE), LEADS TO +FREE CALLS. THE FREE CALLS ARE BUT A SMALL SUBSET OF A >TRUE< PHONE PHREAKS +ACTIVITIES. + + THE TEN COMMANDMENTS + +REPRINTED FROM TAP ISSUE #86. (TAP, ROOM 603, 147 W 42 STREET, NEW YORK, NY +10036. SEND A SASE FOR THEIR INFO SHEET "WHAT THE HELL IS TAP?" AND TELL +THEM THAT BIOC AGENT 003 TOLD YOU ABOUT IT.) + + THE PHONE PHREAK'S TEN COMMANDMENTS + + I. BOX THOU NOT OVER THINE HOME TELEPHONE WIRES, FOR THOSE WHO DOEST MUST +SURELY BRING THE WRATH OF THE CHIEF SPECIAL AGENT DOWN UPON THY HEADS. + + II. SPEAKEST THOU NOT OF IMPORTANT MATTERS OVER THINE HOME TELEPHONE +WIRES, FOR TO DO SO IS TO RISK THINE RIGHT OF FREEDOM. + + III. USE NOT THINE OWN NAME WHEN SPEAKING TO OTHER PHREAKS, FOR THAT EVERY +THIRD PHREAK IS AN FBI AGENT IS WELL KNOWN. + + IV. LET NOT OVERLY MANY PEOPLE KNOW THAT THY BE A PHREAK, AS TO DO SO IS +TO USE THINE OWN SELF AS A SACRIFICIAL LAMB. + + V. IF THOU BE IN SCHOOL, STRIVE TO GET THIN SELF GOOD GRADES, FOR THE +AUTHORITIES WELL KNOW THAT SCHOLARS NEVER BREAK THE LAW. + + VI. IF THOU WORKEST, TRY TO BE A EMPLOYEE, AND IMPRESSEST THINE BOSS WITH +THINE ENTHUSIASM, FOR IMPORTANT EMPLOYEES ARE OFTEN SAVED BY THEIR OWN +BOSSES. + + VII. STOREST THOU NOT THINE STOLEN GOODES IN THINE OWN HOME, FOR THOSE WHO +DO ARE SURELY NON-BELIEVERS IN THE BELL SYSTEM SECURITY FORCES, AND ARE NOT +LONG FOR THIS WORLD. + +VIII. ATTRACTEST THOU NOT THE ATTENTION OF THE AUTHORITIES, AS THE LESS +NOTICABLE THOU ART, THE BETTER. + + IX. MAKEST SURE THINE FRIENDS ARE INSTANT AMNESIACS AND WILL NOT REMEMBER +THAT THOU HAVE CALLED ILLEGALLY, FOR THEIR COOPERATION WITH THE AUTHORITIES +WILL SURELY LESSEN THINE TIME FOR FREEDOM ON THIS EARTH. + + X. SUPPORTEST THOU TAP, AS IT IS THINE NEWSLETTER, AND WITHOUT IT, THY +WORK WILL BE FAR MORE LIMITED. + + CN/A NUMBERS + +CUSTOMER NAME & ADDRESS BUREAUS EXIST SO THAT AUTHORIZED BELL EMPLOYEES MAY +OBTAIN THE NAME & ADDRESS OF ANY CUSTOMER IN THE BELL SYSTEM BY GIVING THE +CN/A OPERATOR THE CUSTOMER'S TEL. # ALL CUSTOMERS ARE MAINTAINED ON FILE +INCLUDING UNLISTED #'S. THESE BUREAUS HAVE MANY USES FOR PHREAKS. + +HERE IS HOW AN EMPLOYEE MIGHT GO ABOUT CALLING CN/A: "HI, THIS IS JOHN DOE +FROM THE MIAMI RESIDENTAL SERVICE CENTER, CAN I HAVE THE CUSTOMERS NAME AT +(123) 555-1212." THE EMPLOYEES USUALLY USE THESE FOR CHECKING WHO BELONGS TO +A # THAT SOMEONE CLAIMED THEY DIDN'T CALL. + +IF YOU SOUND CHEERY AND NATURAL THE OPERATOR WILL NEVER ASK ANY QUESTIONS. IF +YOU DON'T SOUND LIKE A MATURE ADULT, DON'T USE IT! ALWAYS PRACTICE FIRST & +SO YOU DON'T SCREW UP AND MAKE THE OPERATOR SUSPICIOUS. USE NAME THAT SOUNDS +REAL, NOT YOUR PIRATE NAME EITHER! ALSO SAY THAT YOU ARE FROM A CITY THAT IS +FAR AWAY FROM THE ONE THAT YOU ARE CALLING. + +THE CN/A NUMBER FOR THE NY AREA & VICINITY (212, 315, 516, 518, 607, 716, & +914) IS>>>>>>>>>(518) 471-8111<<<<<< AND IS OPEN DURING BUSINESS HOURS. DON'T +ABUSE IT! + + AT&T NEWSLINES + +AT&T NEWSLINES ARE NUMBERS AT AREA PHONE OFFICES THAT TELCO EMPLOYEES CALL TO +FIND OUT THE LATEST INFO ON NEW TECHNOLOGY, STOCKS, ETC. THE RECORDED +REPORTS RANGE FROM VERY BORING TO VERY INTERESTING. + +HERE ARE A FEW OF THE NUMBERS: + *(201) 483-3800 NJ (518) 471-2272 NY + (203) 771-4920 CN (717) 255-5555 PA + (212) 393-2151 NY (717) 787-103q PA + (516) 234-9941 NY *(914) 948-8100 NY + +SOME OF THESE NUMBERS ARE TOLL-FREE, BUT YOU CAN'T ALWAYS COUNT ON IT. + +* THESE NUMBERS ARE NOT ALWAYS UP! + +NUMBERS FROM OTHER AREAS ARE AVAILABLE BY REQUEST FROM F)BIOC L)AGENT 003. + ANI NUMBERS + +ANI NUMBERS IDENTIFY THE PHONE NUMBER THAT YOU ARE CALLING FROM. IT IS +USEFUL WHEN PLAYING IN CANS (THOSE BIG SILVER BOXES ON TELEPHONE POLES) TO +FIND OUT THE # OF THE LINE. IT IS ALSO GOOD TO FIND OUT THE # OF A PHONE +THAT DOESN'T HAVE IT PRINTED ON IT. IN THE 914 AREA CODE THE ANI # IS 990. +IF YOU JUST HAVE TO DIAL THE LAST 4 DIGITS FOR A LOCAL #, IE CONGERS (268), +DIAL 1-990-1111, WHERE 1111 ARE DUMMY DIGITS THERE IS ALSO A LESS USEFUL TYPE +ANI # WHICH WILL IDENTIFY THE AREA CODE & EXCHANGE. IT IS NXX-9901, WHERE +NXX IS THE EXCHANGE. IN THE 212 & 516 AREA CODES THE ANI # IS 958. + + PHREAK NEWSLETTER + +TAP IS THE "OFFICIAL" PHONE PHREAK NEWSLETTER, AND HAS EXISTED SINCE 1971. +EACH 4 PAGE ISSUE IS CRAMMED FULL OF INFORMATION ON PHONE PHREAKING, COMPUTER +PHREAKING, FREE GAS, FREE ELECTRICITY, FREE POSTAGE, BREAKING & ENTERING +INFO, ETC. IT IS LARGELY PHONE PHREAK ORIENTED, HOWEVER. + +A 10 ISSUE SUBSCRIPTION COSTS $8.00, IF YOU GET A BULK RATE SEALED ENVELOPE +SUBSCRIPTION. I WOULD RECOMMEND THE FIRST CLASS SUBSCRIPTION, WHICH IS $10. + +AS OF THIS WRITING (7-16-83), THE CURRENT ISSUE IS #86, AND ISSUE #50 IS 8 +PAGES INSTEAD OF THE USUAL 4. BACK ISSUES ARE $0.75 EACH, AND ISSUE #50 IS +$1.50. A BRIEF INDEX TO THE FIRST 80 ISSUES IS AVAILABLE FOR A SASE, OR FREE +WITH A SUBSCRIPTION ORDER. TAP IS NON-PROFIT, AND IN DESPERATE NEED OF +MATERIAL (ARTICLES), MONEY, AND VOLUNTEERS. + + TAP + ROOM 603 + 147 WEST 42ND STREET + NEW YORK, NY 10036 + +BELIEVE ME: IT WILL BE THE BEST $10 + YOU WILL EVER SPEND... + + BLACK BOX + + THE BLACK BOX IS A DEVICE THAT ATTACHED TO A CALLED PARTIES PHONE THAT +ALLOWS HIM/HER TO RECEIVE FREE LONG DISTANCE CALLS FROM FRIENDS WHO CALL. + +YOU ONLY NEED 2 PARTS: A SPST TOGGLE SWITCH AND A 10,000 OHM (10 K), 1/2 +WATT, 10% RESISTOR. ANY ELECTRONICS PLACE SHOULD HAVE THESE. + +NOW, CUT TWO PIECES OF WIRE, ABOUT 6 INCHES, AND ATTACH THESE TO THE TWO +SCREWS ON THE SWITCH. TURN YOUR NORMAL DDSIDE DOWN AND UNSCREW THE 2 SCREWS. +LOCATE THE "F" AND "RR" SCREWS ON THE NETWORK BOX. WRAP THE RESISTOR BETWEEN +THESE 2 SCREWS AND MAKE SURE THAT THE WIRES TOUCH ONLY THE PROPER TERMINALS! +NOW CONNECT ONE WIRE FROM THE SWITCH TO THE RR TERMINAL. FINALLY, ATTACH THE +REMAINING WIRE TO THE GREEN WIRE (DISCONNECT IT FROM ITS TERMINAL). NOW + BRING THE SWITCH OUT THE REAR OF THE PHONE AND CLOSE IT UP. PUT THE SWITCH +IN A POSITION WHERE YOU GET A DIAL TONE, MARK THIS NORMAL. MARK THE OTHER +SIDE FREE. + + WHEN YOUR FRIENDS CALL (AT A PREAR- RANGED TIME), QUICKLY LIFT & DROP THE +RECEIVER AS FAST AS POSSIBLE. THIS WILL STOP THE RINGING, IF NOT TRY AGAIN. +IT IS VERY IMPORTANT THAT YOU DO IT FAST! NOW PUT THE SWITCH IN THE FREE +POSITION AND PICK UP THE pHONE. KEEP ALL CALLS SHORT & UNDER 15 MINUTES. + +WHEN SOMEONE CALLS YOU LONG-DISTANCE, THEY ARE BILLED FROM THE MOMENT YOU +ANSWER. THE TELCO KNOWS WHEN YOU ANSWER DUE TO A CERTAIN AMOUNT OF VOLTAGE +THAT FLOWS WHEN YOU PICK UP THE PHONE. HOWEVER, THE RESISTOR CUTS DOWN ON THE +VOLTAGE SO IT IS BELOW THE BILLING RANGE BUT SUFFICIENT ENOUGH TO OPERATE THE +MOUTHPIECE. ANSWERING THE PHONE FOR A FRACTION OF A SECOND STOPS THE RING +BUT IT IS NOT ENOUGH FOR BILLING TO START. IF THE PHONE IS ANSWERED FOR EVEN +ONE FULL SECOND, BILLING WILL START AND YOU WILL BE CUT OFF WHEN YOU HANG UP +AND SWITCH TO FREE. + +WARNING: BELL CAN RANDOMLY LOOK FOR + BLACK BOXES SO BE CAREFUL! + +:-----------------------------------: : : +***BLUE WIRE**>>F< : : * * : +**WHITE WIRE**** * : : * : : + RESISTOR : : * : : + * ` : : >RR<*******SWITCH*** : : + * : ****GREEN WIRE********************* : : + : :--!--------------------------------: + + DIAL LOCKS + +HAVE YOU EVER BEEN IN AN OFFICE OR SOMEWHERE AND WANTED TO MAKE A FREE FONE +CALL BUT SOME ASSHOLE PUT A LOCK ON THE FONE TO PREVENT OUT-GOING CALLS? + +FRET NO MORE PHELLOW PHREAKS, FOR EVERY SYRTEM CAN BE BEATEN WITH A LITTLE +KNOWLEDGE! + +THERE ARE TWO WAYS TO BEAT THIS OBSTACLE, FIRST PICK THE LOCK, I DON'T HAVE +THE TIME TO TEACH LOCKSMITHING SO WE GO TO THE SECOND METHOD WHICH TAKES +ADVANTAGE OF TELEPHONE ELECTRONICS. + +TO BE AS SIMPLE AS POSSIBLE, WHEN YOU PICK UP THE FONE YOU COMPLETE A CIRCUIT +KNOW AS A LOCAL LOOP. WHEN YOU HANG-UP YOU BREAK THE CIRCUIT. WHEN YOU DIAL +(PULSE) IT ALSO BREAKS THE CIRCUT BUT NOT LONG ENOUGH TO HANG UP! SO YOU CAN +"PUSH-DIAL." TO DO THIS YOU >RAPIDLY< DEPRESS THE SWITCHHOOK. FOR EXAMPLE, +TO DIAL AN OPERATOR (AND THEN GIVE HER THE NUMBER YOU WANT CALLED) >RAPIDLY< +& >EVENLY< DEPRESS THE SWITCHHOOK 10 TIMES. TO DIAL 634-1268, DEPRESS 6 X'S +PAUSE, THEN 3 X'S, PAUSE, THEN 4 X'S, ETC. IT TAKES A LITTLE PRACTICE BUT +YOU'LL GET THE HANG OF IT. TRY PRACTICING WITH YOUR OWN # SO YOU'LL GET A +BUSY TONE WHEN RIGHT. IT'LL ALSO WORK ON TOUCH-TONE(TM) SINCE A DTMF LINE +WILL ALSO ACCEPT PULSE. ALSO, NEVER DEPRESS THE SWITCHHOOK FOR MORE THAN A +SECOND OR IT'LL HANG-UP! + +FINALLY, REMEMBER THAT YOU HAVE JUST AS MUCH RIGHT TO THAT FONE AS THE +ASSHOLE WHO PUT THE LOCK ON IT! + + EXCHANGE SCANNING + +ALMOST EVERY EXCHANGE IN THE BELL SYSTEM HAS TEST #'S AND OTHER "GOODIES" +SUCH AS LOOPS WITH DIAL-UPS. + +THESE "GOODIES" ARE USUALLY FOUND BETWEEN 9900 AND 9999 IN YOUR LOCAL +EXCHANGE. IF YOU HAVE THE TIME AND INITIATIVE, SCAN YOUR EXCHANGE AND YOU +MAY BECOME LUCKY! + +HERE ARE MY FINDINGS IN THE 914-268 EXCHANGE: + + +9900 - ANI (SEE SEPARATE BULLETIN) 9901 - ANI (SEE SEPARATE BULLETIN) 9927 - +OSC. TONE (POSSIBLE TONE SIDE OF + A LOOP) 9936 - VOICE #`TO THE TELCO CENTRAL + OFFICE 9937 - VOICE # TO THE TELCO CENTRAL + OFFICE 9941 - COMPUTER (DIGITAL VOICE + TRANSMISSION?) 9960 - OSC. TONE (TONE SIDE LOOP) -- + MAY ALSO BE A COMPUTER IN SOME + EXCHANGES 9961 - NO RESPONSE (OTHER END OF LOOP?) 9962 - NO RESPONSE +(OTHER END OF LOOP?) 9963 - NO RESPONSE (OTHER END OF LOOP?) 9966 - COMPUTER +(SEE 9941) 9968 - TONE THAT DISAPPEARS--RESPONDS + TO CERTAIN TOUCH-TONE KEYS + +MOST OF THE NUMBERS BETWEEN 9900 & 9999 WILL RING OR GO TO A "WHAT #, +PLEASE?" OPERATOR. + +HAVE PHUN AND REMEMBER IT'S ONLY A LOCAL CALL! + + TOUCH-TONE & FREE CALLS + +THERE ARE SEVERAL WAYS TO MAKE FREE CALLS (SPRINT, MCI, ETC.) USING A ROTARY +PHONE. THEY ARE: + + 1. USE A NUMBER THAT ACCEPTS VOICE AS WELL AS DTMF. SUCH A # IS (800) +521-8400. AS OF WRITING THIS, A WORKING CODE WAS 00717865. + A) IF USING VOICE, WAIT FOR THE COMPUTER TO SAY, "AUTHORIZATION #, +PLEASE." THEN SAY EACH DIGIT SLOWLY, IT WILL BEEP AFTER EACH DIGIT IS SAID. +AFTER EVERY GROUP OF DIGITSl IT WILL REPEAT WHAT YOU HAVE SAID, THEN SAY YES +IF IT IS CORRECT, OTHERWISE SAY NO. IF THE ACCESS CODE IS CORRECT, IT WILL +THANK YOU AND ASK FOR THE DESTINATION #, THEN SAY THE AREA CODE + NUMBER AS +ABOVE. ANOTHER SUCH # IS (800) 245- 8173, WHICH HAS A 6 DIGIT ACCESS CODE. +(NOTE: IF USING TOUCH-TONE ON THIS #, ENTER THE CODE IMMEDIATELY AFTER THE +TONE STOPS.) + + 2. HOOK UP A TOUCH-TONE FONE INTO YOUR ROTARY FONE. ATTACH THE RED WIRE +FROM THE TOUCH-TONE FONE TO THE "R" TERMINAL INSIDE THE FONE ON THE NETWORK +BOX. THEN HOOK THE GREEN WIRE TO THE "B" TERMINAL. TO USE THIS DIAL THE # +USING ROTARY & THEN USE THE TOUCH-TONE FOR THE CODES. (DON'T HANG UP THE +ROTARY FONE WHILE DOING THIS THOUGH!) IF THIS DOESN'T WORK THEN REVERSE THE 2 +WIRES. (NOTE:IF YOUR LINE CAN ACCEPT TOUCH-TONE BUT YOU HAVE A ROTARY FONE +THEN YOU CAN HOOK UP A TONE FONE DIRECTLY FOR ALL CALLS BUT THIS USUALLY +ISN'T THE CASE.)SUCH AS RADIO SHACK'S 43-138. + +OTHER ALTERNATIVES + + 4. USE A CHARGE-A-CALL FONE. (THESE ALSO MAKE GREAT EXTENTIONS IF YOU +REMOVE IT USING A HEX WRENCH WITH A HOLE IN THE MIDDLE ON THE CENTER +SCREW!)--(THESE FONES FOR THE BENEFIT OF THOSE WHO DON'T KNOW ARE BLUE WITH +NO COIN SLOTS) + + 5. USE A PAY FONE THAT WANTS YOUR MONEY BEFORE THE DIAL TONE. PUT IN YOUR +DIME, DIAL THE #; IF IT'S AN 800 # THEN YOUR DIME WILL COME BACK IMMEDIATELY +PUT A DIME BACK IN (IT'LL COME BACK WHEN YOU HANG UP!) IF IT IS A TONE FIRST +FONE AND IT DISCONNECTS THE KEYPAD (SOME DON'T) THEN FIND ANOTHER FONE. + + TELCO TRACING + +THE GOOD 'OL DAYS: ------------------ + +WAY BACK BEFORE I WAS A PHREAK, MA BELL WOULD HAVE TO MANUALLY TRACE A CALL +IF THEY THOUGH SOMETHING WAS FUCKED UP. FIRST THEY WOULD SEND A 2000 HZ +TRACING TONE, THE WOULD BE FOLLOWED B ALOT OF NOISE AND CLICKS. IT TOOK +ABOUT 2-3 MINUTES TO TRACE A CALL AND ALOT OF PEOPLE WERE INVOLVED IN THE +PROCESS. SO AT 1 IN THE MORNING THEY WOULD HAVE TO WAKE UP PEOPLE FOT THE +TRACEES (PHREAK JARGON FOR A PAY FONE). BUT NEVER USE THE SAME ONE MORE THAN +ONCE OR TWICE BECAUSE THE GESTAPO(ER..EXCUSE ME MEAN BELL SECURITY) HAS BEEN +KNOW FOR STAKING OUT TROUBLED FORTRESSES. IT'S ALSO POSSIBLE FOR TRAVELNET OR +SP TO ASK FOR A TROUBLE # BUT THE TELCO IS SLOW IN PROCESSING +STUFF--ESPECIALLY FOR THE COMPETITION--SO DON'T FRET PHELLOW PHREAKS. + +MODERN TECHNOLOGY: ------------------ THIS CAN BE ATTRIBUTED TO ESS + CCIS +WHICH CAN BE TRACED IN 1 SECOND. + + MISCELLANEOUS STUFF + +HERE ARE A PHEW (PUSHING IT ON THAT WORD) BITS OF INFO ON TELEPHONE ELEC- +TRONICS. IF YOU DON'T APPRECIATE IT THEN I SAY PHUCK U. + +VOLTAGES: + +WHEN YOUR FONE IS ON-HOOK (IE-HUNG UP) THERE IS A 4 8 VOLT DC CURRENT FLOWING +THROUGH THE LINE ( I HAVE A GREAT IDEA ABOUT HOOKING A BATTERY CHARGER UP TO +MY FONE ). WHEN THE FONE IS OFF-HOOK THE VOLTAGE DROPS DOWN TO AROUND 15VDC. +THE BLACK BOX (SEE SEPARATE ARTICLES) EXPLOITS THIS FOR FREE CALLS SINCE BELL +USES THIS VOLTAGE DROP WHEN THE CALLED PARTY PICKS UP TO START BILLING. BELL +MAY ALSO REVERSE THE POLARITY OF THE LINE TO START BILLING--IF YOU HAVE A +TONE FONE THE`KEYPAD WON'T WORK IF THE POLARITY IS REVERSED. USUALLY, THE +RED WIRE IS CALLED THE TIP SINCE IT IS THE MORE (+) OF THE 2 WIRES + THE +GREEN WIRE IS CALLED THE RING (-). + +RING TRIP: + +WHEN SOMEONE CALLS YOU BELL HAS TO SEND 90 VOLTS AC DOWN YOUR LINE AT ABOUT +60 HZ TO ACTIVATE YOUR BELL (THIS IS WHY DEAF PEOPLE CAN HAVE LIGHT BULBS +FANS GO OFF INSTEAD OF A BELL). THE DEVICE THAT DOES THE RINGING IS CALLED A +RINGING GENERATOR AND THE PROCESS OF RINGING IS CALLED A RING TRIP. THIS +COSTS BELL MONEY AND THEY DON'T LIKE USING ALL THAT ELECTRICITY FROM THE +LOCAL RIP-OFF POWER COMPANY- SO LET IT RING. THIS IS ALSO, HOW BELL CAN +CHECK FOR EXTRA FONES FROM THEIR CENTRAL OFFICE BY SEEING HOW MUCH VOLTAGE +THE LINE TAKES WHILE RINGING AND THEY CAN TELL HOW MANY FONES YOUR NOT +SUPPOSE TO HAVE. SOLUTION: DISCONNECT THE BELL. + +MODERN TECHNOLOGY: ------------------ + +THE 2 WORST ENEMIES TO THE PHREAK BESIDES THE FBI + BELL SECURITY,ARE: ESS + +CCIS. ESS STANDS FOR ELECTRONIC SWITHCING SYSTEM AND IT CAN TRACE A CALL IN +SECONDS, IT ALSO RECORDS ALL CALLS AND CAN EVEN TAP INTO LINES (ER.. I MEAN +CHECK FOR LINE QUALITY) AND RECORD CALLS. CCIS STANDS FOR COMMON CHANNEL +INTER-OFFICE SIGNALING AND IT ALLOWS FOR CONTROL SIGNALS TO BE SENT VIA +SEPARATE DATA LINKS INSTEAD OF TONES OVER THE VOICE CHANNEL--START KISSING +YOUR BLUE BOX GOODBYE. + +SOURCES: -------- + +FOR THOSE OF YOU WHO WANT TO GO MORE IN-DEPTH ON THE SUBJECT OF SHIT, I +RECOMMEND THE FOLLOWING READING MATERIAL: + + 1) ELECTRONICS COURCES A-B, TAP, ROOM 603, 147 W. 42 ST., NY, NY 10036. @ +75 CENTS EA. + + 2) UNDERSTANDING TELEPHONE ELECT.'S, TEXAS INSTRUMENTS, RADIO SHACK MAY +HAVE SOME BOOKS ON THIS AREA. + + + * END * + \ No newline at end of file diff --git a/textfiles.com/phreak/PHREAKING/phrecol.txt b/textfiles.com/phreak/PHREAKING/phrecol.txt new file mode 100644 index 00000000..fe439174 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phrecol.txt @@ -0,0 +1,94 @@ +|------------------------------------------------------------------------| +| The Alliance Crew | +| -=-=-=-=-=-=-=-=-=- | +| Presents | +| | +| A Collection of Phreak Information | +| ---------------------------------- | +| Copyright (c) 1989 $TAC$ | +|________________________________________________________________________| + +The following is a compilation of Phreak data which I have accumulated +over the past few months and now $TAC$ is releasing it to the public to +do with as they please. Also in the future we are planning a monthly +newsletter, more software releases and some GREAT hacking programs by +out master programmer, Macros The Black. Please leave any feedback about +our plans for the future, or any questions on one of these fine boards. + + Dark City of Fear - 215-261-0893 + Forgotten Realm - 618-943-2399 + The White House - 312-364-5428 + +-------------------------------------------------------------------------- + PBX's, Dial-ups & Extenders +-------------------------------------------------------------------------- +MCI DIAL-UP - 415-338-7000 (5 DIGIT) +MCI DIAL-UP - 401-272-0698 (5 DIGIT) +MCI DIAL-UP - 216-375-9211 (5 DIGIT) +MCI DIAL-UP - 412-261-0489 (5 DIGIT) +MCI DIAL-UP - 515-282-0955 (5 DIGIT) +ITT DIAL-UP - 412-261-4930 (13 DIGIT) +ALLNET - 800-922-1444 (6 & 9 DIGIT) +ALLNET - 950-1044 (6 DIGIT) +ALLNET - 950-1444 (9 DIGIT) +MCI - 800-666-3640 +UNKNOWN - 800-635-6366 (3 DIGIT + 1 + AC + #) +TRAVELNET - 800-521-8400 (8 DIGIT) +TRAVELNET - 412-261-1245 (8 DIGIT) +UNKNOWN - 800-222-9904 (5 DIGIT + AC + #) +UNKNOWN - 800-231-0823 (?) +UNKNOWN - 800-456-0000 (8 DIGIT) +PBX - 213-641-7393 (5 DIGIT + 9 + #) +PBX - 617-870-2999 +PBX - 800-521-2201 +PBX - 203-525-2888 +PBX - 216-375-0190 (4 DIGIT + 550 + 1 + AC + #) +SPRINT DIAL-UP - 800-345-0008 (9 DIGIT) +SPRINT DIAL-UP - 950-1033 +LITEL DIAL-UP - 800-222-4333 (9 DITIT) +LITEL DIAL-UP - 950-1432 +LITEL DIAL-UP - 800-543-3023 +UNKNOWN - 800-351-1441 (7 DIGIT + 1 + AC + #) +UNKNOWN - 800-858-4193 (6 DIGIT + 1 + AC + #) +UNKNOWN - 800-237-0384 (5 DIGIT) +UNKNOWN - 800-456-2525 (2121 + 9 + 1 + AC) +-------------------------------------------------------------------------- + Voice Mail Systems +-------------------------------------------------------------------------- +ASPEN - 415-338-7000 +DIAL SYSTEM - 800-323-0434 +ASPEN - 805-681-5550 +ASPEN - 800-759-5000 +VMB - 800-433-9016 +ASPEN - 301-340-5000 +ASPEN - 800-843-8620 +ASPEN - 800-638-9636 +ASPEN - 800-999-0085 +VMB - 800-654-8692 +ASPEN - 800-235-3900 +VMB - 800-443-5555 +ASPEN - 415-468-2950 +FON MAIL - 800-444-9999 +AVR orderline - 800-433-1448 +-------------------------------------------------------------------------- + Loops n' Shit +-------------------------------------------------------------------------- +LOOP - 208-939-9997 + - 208-939-9996 +3-WAY LOOP - 213-928-1119 n.a + - 213-928-1118 + - 213-928-1117 +THE RIGHT TOUCH - 800-826-6290 +ABN - 718-xxx-9971 (xxx = valid exchange) +LOOP - 213-273-1119 + - 213-273-1118 +-------------------------------------------------------------------------- +Thats about all for this time, If you have any comments or questions +please contact any of The Alliance Crew members on the boards listed +earlier. This file was written by LINE NOISE and for those who are not +already aware, the other Alliance Crew members are Crimson Death, Macros +the Black, Phrozen Ghost, Spy Guy, Big Bird and some others who I aint +sure of. And look for SOFTWARE, MORE HACK PROGRAMS, FILES ON PHREAKING & +HACKING, AND THE MONTHLY $TAC$ NEWSLETTER, "The Touch-Tone Times." + + diff --git a/textfiles.com/phreak/PHREAKING/phrfun.phk b/textfiles.com/phreak/PHREAKING/phrfun.phk new file mode 100644 index 00000000..3284d5f3 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phrfun.phk @@ -0,0 +1,383 @@ +Here Goes: + + +The Sound Barrier + + + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + /-/ /-/ + /-/ Phreaker's /-/ + /-/ PhunHouse /-/ + /-/ /-/ + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + /-/ By: /-/ + /-/ The Traveler /-/ + /-/ /-/ + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + + The long awaited prequil to Phreaker's Guide has finally arrived. +Conceived from the boredom and loneliness that could only be derived from: +The Traveler! But now, he has returned in full strength (after a small +vacation) and is here to 'World Premiere' the new files everywhere. Stay +cool. This is the prequil to the first one, so just relax. This is not made +to be an exclusive ultra elite file, so kinda calm down and watch in the +background if you are too cool for it. + +/-/ Phreak Dictionary /-/ + + Here you will find some of the basic but necessary terms that should be + +known by any phreak who wants to be respected at all. + + Phreak : 1. The action of using mischevious and mostly illegal + ways in order to not pay for some sort of tele- + communications bill, order, transfer, or other service. + It often involves usage of highly illegal boxes and + machines in order to defeat the security that is set + up to avoid this sort of happening. [fr'eaking]. v. + + 2. A person who uses the above methods of destruction and + chaos in order to make a better life for all. A true + phreaker will not not go against his fellows or narc + on people who have ragged on him or do anything + termed to be dishonorable to phreaks. [fr'eek]. n. + + 3. A certain code or dialup useful in the action of + being a phreak. (Example: "I hacked a new metro + phreak last night.") + + Switching System: 1. There are 3 main switching systems currently employed + in the US, and a few other systems will be mentioned + as background. + + A) SxS: This system was invented in 1918 and was + employed in over half of the country until 1978. It + is a very basic system that is a general waste of + energy and hard work on the linesman. A good way to + identify this is that it requires a coin in the phone + booth before it will give you a dial tone, or that no + call waiting, call forwarding, or any other such + service is available. Stands for: Step by Step + + B) XB: This switching system was first employed in 1978 + in order to take care of most of the faults of SxS + switching. Not only is it more efficient, but it + also can support different services in various forms. + XB1 is Crossbar Version 1. That is very limited and + is hard to distinguish from SxS except by direct view + of the wiring involved. Next up was XB4, Crossbar + Version 4. With this system, some of the basic things + like DTMF that were not available with SxS can be + accomplished. For the final stroke of XB, XB5 was + created. This is a service that can allow DTMF plus + most 800 type services (which were not always + available.) Stands for: Crossbar. + + C) ESS: A nightmare in telecom. In vivid color, ESS is + a pretty bad thing to have to stand up to. It is + quite simple to identify. Dialing 911 for emergencies, + and ANI [see ANI below] are the most common facets of + the dread system. ESS has the capability to list in a + person's caller log what number was called, how long + the call took, and even the status of the conversation + (modem or otherwise.) Since ESS has been employed, + which has been very recently, it has gone through + many kinds of revisions. The latest system to date is + ESS 11a, that is employed in Washington D.C. for + security reasons. ESS is truly trouble for any + phreak, because it is 'smarter' than the other + systems. For instance, if on your caller log they saw + 50 calls to 1-800-421-9438, they would be able to do + a CN/A [see Loopholes below] on your number and + determine whether you are subscribed to that service + or not. This makes most calls a hazard, because + although 800 numbers appear to be free, they are + recorded on your caller log and then right before you + receive your bill it deletes the billings for them. + But before that the are open to inspection, which is + one reason why extended use of any code is dangerous + under ESS. Some of the boxes [see Boxing below] are + unable to function in ESS. It is generally a menace + to the true phreak. Stands For: Electronic Switching + System. Because they could appear on a filter + somewhere or maybe it is just nice to know them + anyways. + + A) SSS: Strowger Switching System. First + non-operator system available. + + B) WES: Western Electronics Switching. Used about 40 + years ago with some minor places out west. + + Boxing: 1) The use of personally designed boxes that emit or + cancel electronical impulses that allow simpler + acting while phreaking. Through the use of separate + boxes, you can accomplish most feats possible with + or without the control of an operator. + + 2) Some boxes and their functions are listed below. + Ones marked with '*' indicate that they are not + operatable in ESS. + + *Black Box: Makes it seem to the phone company that + the phone was never picked up. + + Blue Box : Emits a 2600hz tone that allows you to do + such things as stack a trunk line, kick + the operator off line, and others. + + Red Box : Simulates the noise of a quarter, nickel, + or dime being dropped into a payphone. + + Cheese Box : Turns your home phone into a pay phone to + throw off traces (a red box is usually + needed in order to call out.) + + *Clear Box : Gives you a dial tone on some of the old + SxS payphones without putting in a coin. + + Beige Box : A simpler produced linesman's handset that + allows you to tap into phone lines and + extract by eavesdropping, or crossing + wires, etc. + + Purple Box : Makes all calls made out from your house + seem to be local calls. + + ANI [ANI]: 1) Automatic Number Identification. A service + available on ESS that allows a phone service [see + Dialups below] to record the number that any certain + code was dialed from along with the number that was + called and print both of these on the customer bill. + 950 dialups [see Dialups below] are all designed + just to use ANI. Some of the services do not have + the proper equipment to read the ANI impulses yet, + but it is impossible to see which is which without + being busted or not busted first. + + Dialups [dy'l'ups]: 1) Any local or 800 extended outlet that allows instant + access to any service such as MCI, Sprint, or AT&T + that from there can be used by handpicking or using + a program to reveal other peoples codes which can + then be used moderately until they find out about + it and you must switch to another code (preferrably + before they find out about it.) + + 2) Dialups are extremely common on both senses. Some + dialups reveal the company that operates them as + soon as you hear the tone. Others are much harder + and some you may never be able to identify. A small + list of dialups: + + 1-800-421-9438 (5 digit codes) + 1-800-547-6754 (6 digit codes) + 1-800-345-0008 (6 digit codes) + 1-800-734-3478 (6 digit codes) + 1-800-222-2255 (5 digit codes) + + 3) Codes: Codes are very easily accessed procedures + when you call a dialup. They will give you some sort + of tone. If the tone does not end in 3 seconds, + then punch in the code and immediately following the + code, the number you are dialing but strike the + '1' in the beginning out first. If the tone does + end, then punch in the code when the tone ends. + Then, it will give you another tone. Punch in the + number you are dialing, or a '9'. If you punch in + a '9' and the tone stops, then you messed up a + little. If you punch in a tone and the tone + continues, then simply dial then number you are + calling without the '1'. + + 4) All codes are not universal. The only type that I + know of that is truly universal is Metrophone. + Almost every major city has a local Metro dialup + (for Philadelphia, (215)351-0100/0126) and since the + codes are universal, almost every phreak has used + them once or twice. They do not employ ANI in any + outlets that I know of, so feel free to check + through your books and call 555-1212 or, as a more + devious manor, subscribe yourself. Then, never use + to your caller log, they can usually find out that + you are subscribed. Not only that but you could set + hack away, since they usually group them, and, as a + bonus, you will have their local dialup. + + 5) 950's. They seem like a perfectly cool phreakers + dream. They are free from your house, from payphones, + from everywhere, and they host all of the major long + distance companies (950-1044 , 950-1077 + , 950-1088 , 950-1033 .) Well, they aren't. They were designed for + ANI. That is the point, end of discussion. + + A phreak dictionary. If you remember all of the things contained on that +fileup there, you may have a better chance of doing whatever it is you do. This +next section is maybe a little more interesting... + +Blue Box Plans: +--------------- + + These are some blue box plans, but first, be warned, there have been 2600hz + +use a 2600hz tone for a few very naughty functions that can really make your day + +lighten up. But first, here are the plans, or the heart of the file: + +700 : 1 : 2 : 4 : 7 : 11 : +900 : + : 3 : 5 : 8 : 12 : +1100 : + : + : 6 : 9 : KP : +1300 : + : + : + : 10 : KP2 : +1500 : + : + : + : + : ST : + : 700 : 900 :1100 :1300 :1500 : + + Stop! Before you diehard users start piecing those little tone tidbits +together, there is a simpler method. If you have an Apple-Cat with a program +like Cat's Meow IV, then you can generate the necessary tones, the 2600hz tone, +the KP tone, the KP2 tone, and the ST tone through the dial section. So if you +have that I will assume you can boot it up and it works, and I'll do you the +favor of telling you and the other users what to do with the blue box now that +you have somehow constructed it. The connection to an operator is one of the +most well known and used ways of having fun with your blue box. You simply dial +dial '0') and blow a 2600hz tone through the line. Watch out! Do not dial this + +KP tone to start a call, a ST tone to stop it, and a 2600hz tone to hang up. +Once you have connected to it, here are some fun numbers to call with it: + + 0-700-456-1000 Teleconference (free, because you are the operator!) + (Area code)-101 Toll Switching + (Area code)-121 Local Operator (hehe) + (Area code)-131 Information + (Area code)-141 Rate & Route + (Area code)-11511 Conference operator (when you dial 800-544-6363) + Well, those were the tone matrix controllers for the blue box and some +other helpful stuff to help you to start out with. But those are only the +functions with the operator. There are other k-fun things you can do with it. + + More advanced Blue Box Stuff: + + Oops. Small mistake up there. I forgot tone lengths. Um, you blow a tone +pair out for up to 1/10 of a second with another 1/10 second for silence between + +the digits. KP tones should be sent for 2/10 of a second. One way to confuse the + +2600hz traps is to send pink noise over the channel (for all of you that have +decent BSR equalizers, there is major pink noise in there.) Using the operator +functions is the use of the 'inward' trunk line. That is working it from the +inside. From the 'outward' trunk, you can do such things as make emergency +'stacking'), enable or disable the TSPS's, and for some 4a systems you can even +re-route calls to anywhere. + All right. The one thing that every complete phreak guide should be without + +is blue box plans, since they were once a vital part of phreaking. Another thing +that every complete file needs is a complete listing of all of the 800 numbers + + /-/ 800 Dialup Listings /-/ + +1-800-345-0008 (6) 1-800-547-6754 (6) +1-800-245-4890 (4) 1-800-327-9136 (4) +1-800-526-5305 (8) 1-800-858-9000 (3) +1-800-437-9895 (7) 1-800-245-7508 (5) +1-800-343-1844 (4) 1-800-322-1415 (6) +1-800-437-3478 (6) 1-800-325-7222 (6) + + All right, set Cat Hacker 1.0 on those numbers and have a fuck of a day. +That is enough with 800 codes, by the time this gets around to you I dunno what +state those codes will be in, but try them all out anyways and see what you get. + +On some 800 services now, they have an operator who will answer and ask you for +your code, and then your name. Some will switch back and forth between voice and + +tone verification, you can never be quite sure which you will be up against. + Armed with this knowledge you should be having a pretty good time phreaking + +now. But class isn't over yet, there are still a couple important rules that you + +should know. If you hear continual clicking on the line, then you should assume +that an operator is messing with something, maybe even listening in on you. It +is a good idea to call someone back when the phone starts doing that. If you +were using a code, use a different code and/or service to call him back. + + A good way to detect if a code has gone bad or not is to listen when the +number has been dialed. If the code is bad you will probably hear the phone +ringing more clearly and more quickly than if you were using a different code. +If someone answers voice to it then you can immediately assume that it is an +operative for whatever company you are using. The famed '311311' code for Metro +is one of those. You would have to be quite stupid to actually respond, because +whoever you ask for the operator will always say 'He's not in right now, can I +have him call you back?' and then they will ask for your name and phone number. +Some of the more sophisticated companies will actually give you a carrier on a +line that is supposed to give you a carrier and then just have garbage flow +across the screen like it would with a bad connection. That is a feeble effort +to make you think that the code is still working and maybe get you to dial +someone's voice, a good test for the carrier trick is to dial a number that will + +give you a carrier that you have never dialed with that code before, that will +allow you to determine whether the code is good or not. For our next section, a +lighter look at some of the things that a phreak should not be without. A +vocabulary. A few months ago, it was a quite strange world for the modem people +out there. But now, a phreaker's vocabulary is essential if you wanna make a +good impression on people when you post what you know about certain subjects. + + /-/ Vocabulary /-/ + + + phone -> fone + freak -> phreak + + - Never substitute 'z's for 's's. (i.e. codez -> codes) + + + - NEVER use the 'k' prefix (k-kool, k-rad, k-whatever) + + - Do not abbreviate. (I got lotsa wares w/ docs) + - Never substitute '0' for 'o' (r0dent, l0zer). + + - Forget about ye old upper case, it looks ruggyish. + All right, that was to relieve the tension of what is being drilled into +your minds at the moment. Now, however, back to the teaching course. Here are +somethings you should know about phones and billings for phones, etc. + + LATA: Local Access Transference Area. Some people who live in large cities +or areas may be plagued by this problem. For instance, let's say you live in the +215 area code under the 542 prefix (Ambler, Fort Washington). If you went to +dial in a basic Metro code from that area, for instance, 351-0100, that might +not be counted under unlimited local calling because it is out of your LATA. +For some LATA's, you have to dial a '1' without the area code before you can +dial the phone number. That could prove a hassle for us all if you didn't +realize you would be billed for that sort of call. In that way, sometimes, it is + +better to be safe than sorry and phreak. + + The Caller Log: In ESS regions, for every household around, the phone +company has something on you called a Caller Log. This shows every single number + +that you dialed, and things can be arranged so it showed every number that was +calling to you. That's one main disadvantage of ESS, it is mostly computerized +so a number scan could be done like that quite easily. Using a dialup is an easy + +way to screw that, and is something worth remembering. Anyways, with the caller +log, they check up and see what you dialed. Hmm... you dialed 15 different 800 +numbers that month. Soon they find that you are subscribed to none of those +companies. But that is not the only thing. Most people would imagine "But wait! +800 numbers don't show up on my phone bill!". To those people, it is a nice +thought, but 800 numbers are picked up on the caller log until right before they + +are sent off to you. So they can check right up on you before they send it away +and can note the fact that you fucked up slightly and called one too many 800 +lines. + + Right now, after all of that, you should have a pretty good idea of how to +grow up as a good phreak. Follow these guidelines, don't show off, and don't +take unnecessary risks when phreaking or hacking. + + /-/ Credits /-/ + + To The Videosmith - for setting me straight on some shit. + To The Linesman - for telling me to upload it to his AE line. + To Modern Mutant - for making me into a phreaking freak. + To Jack the Nibbler- for the basis of the blue box plans. + + + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/phreak/PHREAKING/phrkbas1.txt b/textfiles.com/phreak/PHREAKING/phrkbas1.txt new file mode 100644 index 00000000..252868f9 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phrkbas1.txt @@ -0,0 +1,119 @@ +:=+---------------------------------+=: +I BASICS OF PHONE PHREAKING I I +I BY LONG JOHN SILICONE I +I I +:=+---------------------------------+=: + + A RATHER BROAD SUBJECT TO ATTACK, I MUST SAY. THE DEBATE OVER JUST WHAT +TO DISCUSS HAS OCCUPIED MY THOUGHTS FOR MANY AN HOUR. PERHAPS IF I APPROACH +THIS SUBJECT LEGALLY, IN AN INFORMATIVE MANNER THAT IS, MY PROBLEMS MIGHT BE +SOLVED. NONETHELESS, HERE IT GOES. + + MA BELL CAN RATTLE ON FOR HOURS ON METHODS FOR SAVING MONEY ON YOUR LONG- +DISTANCE CALLS. UNFORTUNATELY, MOST PEOPLE STILL THINK THAT AT&T IS THE +ONLY GAME IN TOWN FOR LONG-DISTANCE SERVICE. + + WHAT MA BELL WON'T TELL YOU IS THAT THERE COMES A TIME IN A TELEPHONE +USER'S LIFE TO LEAVE MOM. THERE ARE NOW SEVERAL COMPANIES WHICH COMPETE WITH +AT&T IN THE LONG-DISTANCE MARKET: MCI, SOUTHERN PACIFIC'S "SPRINT" (WHICH IS +CURRENTLY BEING PURCHASED BY GENERAL TELEPHONE AND ELECTRONICS COMPANY), +U.S. TRANSMISSION SYSTEM'S "LONGER DISTANCE" (A SUSIDIARY OF ITT), WESTERN +UNION'S "METROFONE", AND SATELLITE BUSINESS SYSTEM'S "SKYLINE." THEY ALL +BOAST OF OPPORTUNITIES FOR LARGE SAVINGS ON THE LONG-DISTANCE PORTION +OF YOUR MONTHLY PHONE BILL. + + SOMEONE UNACQUAINTED WITH THESE NEW COMPETITORS, WHICH ARE CALLED +"SPECIALIZED COMMON CARRIERS" (OR SCCS), MIGHT ASK, "ISN'T IT A +DUPLICATION OF EFFORT FOR A LOT OF DIFFERENT COMPANIES TO BE RUNNING LONG- +DISTANCE LINES ALL OVER THE COUNTRY? AND HOW CAN A COMPANY THAT IS JUST A +FRACTION OF THE SIZE OF AT&T PROVIDE A SIMILAR SERVICE FOR A LOWER PRICE?" +THE ANSWER IS THAT THESE NEW COMPETITORS HAVE BUILT THEIR BASE BY +CONCENTRATING ON ROUTES WHERE LONGDISTANCE TRAFFIC IS HEAVY, SO THE COST +OF CARRYING EACH CALL IS RELATIVELY LOW. ALSO, THE COMPETITORS TRANSMISSION +EQUIPMENT CONSISTS ALMOST EXCLUSIVELY OF COMPUTERS AND MICROWAVE LINKS, WHICH +THEY HAVE BUILT THEMSELVES OR WHICH THEY LEASE FROM OTHER CARRIERS. THUS, +THESE NETWORKS CAN BE LESS EXPENSIVE TO CONSTRUCT AND MAINTAIN THEN THE +CABLE-BASED SYSTEMS THAT BELL HAS USED FOR YEARS. THERE'S ALSO ANOTHER CLASS +OF COMPETITORS CALLED "RESELLERS", WHO LEASE AND RESELL BOTH AT&T'S AND OTHER +CARRIERS' LINES. MORE ABOUT RESELLERS IN A MOMENT. + + INITIALLY, MOST OF THE SCC COMPETITORS COULD REACH ONLY A LIMITED +NUMBER OF CITIES. BUT AS THEY'VE GROWN, THE NUMBER OF CITIES SERVED BY THEIR +MICROWAVE NETWORKS HAS STEADILY INCREASED, AND TODAY MOST OF THE SCC'S +REACH 70 PERCENT OR MORE OF ALL AREA CODES IN THE UNITED STATES AND CONTINUE +TO INCREASE THE NUMBER OF CITIES SERVED EVERY MONTH. SATTELITE BUSINESS +SYSTEM'S "SKYLINE" IS THE FIRST TO OFFER SERVICE TO THE ENTIRE U.S. OVER +ITS OWN NETWORK. THE OTHER SCC'S ARE PHASING IN UNINVERSAL SERVICE BY USING +BELL'S WATS SYSTEM. BUT WHILE USERS OF THESE SERVICES WILL SOON BE ABLE TO +CALL 'TO' ANYWHERE IN THE U.S., THEY WILL STILL BE ABLE TO CALL 'FROM' ONLY +A LIMITED NUMBER OF PLACES, USUALLY THE MAJOR METROPOLITAN AREAS. + + TO USE ANY OF THESE SCC SERVICES, YOU CURRENTLY MUST HAVE A TOUCH-TONE +SERVICE OR THE EQUIVALENT TONE GENERATOR. (THIS IS CHANGING AS A CONSE- +QUENCE OF THE AT&T/DEPARTMENT OF JUSTICE DIVESTITURE AGREEMENT, WHICH +WILL REQUIRE THE NEWLY INDEPENDENT LOCAL PHONE COMPANIES TO GRANT ALL +CARRIERS "EQUAL ACCESS" AT EQUAL RATES.) THERE IS AN ADDITIONAL MONTHLY +CHARGE FOR TOUCHTONE SERVICE (CHECK THE "CUSTOMER +GUIDE" IN YOUR LOCAL WHITE PAGES, OR CALL YOUR BELL BUSINESS OFFICE FOR +DETAILS); HOWEVER, YOU DON'T HAVE TO RENT OR BUY A BELL TELEPHONE TO GET +TOUCH-TONE SERVICE. (HURRAH FOR K-MART) + + IF YOUR LOCAL PHONE LINES ALREADY ARE EQUIPPED TO HANDLE BOTH ROTARY AND +TOUCH-TONE CALLS, YOU MAY BE ABLE TO AVOID THE NEED FOR TOUCH-TONE SERVICE +IN THIS WAY: USING A REGULAR ROTARAY PHONE, YOU PLACE A CALL TO THE SCC'S +COMPUTER; THEN, TO 'CONVERSE' WITH THE COMPUTER SIMPLY USE A TOUCH PAD CONVER- +TER OR A TONE GENERATOR, HELD UP TO THE MOUTHPIECE OF YOUR ROTARY PHONE. + + IT'S REASONABLY EASY TO USE THE SCC SYSTEMS. YOU MUST FIRST DIAL A +SEVEN DIGIT LOCAL PHONE NUMBER (AN 'ACCESS' NUMBER), WHICH CONNECTS YOU +TO THE SCC'S COMPUTER. WHEN YOU HEAR A TONE ON THE OTHER END, YOU THEN +DIAL A FIVE-OR SIX-DIGIT NUMBER (AN 'AUTHORIZATION CODE') THAT TELLS THE +COMPUTER YOU'RE AN AUTHORIZED USER AND TO BILL YOUR ACCOUNT FOR THE CALL. +IMMEDIATELY AFTER DIALING THE AUTHORIZATION NUMBER, YOU DIAL THE AREA CODE +AND NUMBER YOU WISH TO CALL. THE SCC'S COMPUTER IN YOUR AREA THEN SENDS YOUR +CALL OUT OVER ITS OWN LONG-DISTANCE NETWORK TO A COMPUTER IN THE AREA YOU +CALLED; THE COMPUTER ON THE OTHER END THEN HOOKS YOUR CALL INTO THE LOCAL +PHONE NETWORK TO REACH WHOMEVER YOU'VE CALLED. EACH MONTH YOU RECIEVE A BILL +FROM YOUR SCC (SEPERATE FROM YOUR REGULAR PHONE BILL) DETAILING YOUR CALLS +AND BILLING YOU FOR THE SERVICE CHARGES PLUS YOUR CALLS. + +NOTE: THIS VARIES ON OCCASION, PRIME EXAMPLE BEING "LONGER DISTANCE". + INSTEAD OF THE STANDARD CODENUMBER FORMAT, THEY ELECTED + THE NUMBER-CODE INPUT. + + "SPRINT" USES A SIX-DIGIT CODE FOLLOWED BY A TWO DIGIT TRAVEL CODE. + + A MOMENT OF SPECULATION IS DUE.. + + WHAT WOULD HAPPEN IF YOU ENTERED SOMEONE ELSES 'ACCESS CODE', THEN +DIALED THE DESTINATION NUMBER? THE ANSWER IS USUALLY GRAND LARCENY; +HOWEVER, IT IS QUITE POSSIBLE SINCE ONLY THE GENERAL PLACE OF ORIGIN IS +POSSIBLE TO DETECT ON A CALL PLACED WITHOUT NOTICE. + + FOR INFORMATION ON THE COMPETITIVE LONG-DISTANCE SERVICES: + +MCI : WRITE MCI, MCI BUILDING, 17TH AND STREETS, NW WASHINGTON, D.C. + 20036. CALL TOLL FREE (800) 521-8620 OR IN MICHIGAN (800) 482- + 1740. "EXECUNET" + +SBS: WRITE SBS, JOHN MARSHALL BUILDING 8283 GREENSBORO DRIVE, MCLEAN, VA + 22102. CALL TOLL FREE (800) 698-6900. "SKYLINE" + +ITT: WRITE ITT, U.S. TRANSMISSION SYSTEMS, INC., P.O. BOX 732, + BOWLING GREEN STATION, NEW YORK NY. 10004 CALL TOLL FREE (800) + 438-9428 OR IN NEW YORK (212) 797-2511. "LONGER DISTANCE" + +SPC: WRITE SPC, ONE ADRIAN COURT, BURILINGAME, CA. 94010, OR CALL + (800) 521-4949 OR IN MICHIGAN, (800) 645-6020. "SPRINT" + +WU : WRITE WU, 1 LAKE STREET, UPPER SADDLE RIVER, NJ. 07458. CALL + (800) 325-6000 FOR THE NUMBER OF YOUR LOCAL SERVICE OFFICE. "METROFONE" + + A FINAL NOTE, DON'T DO ANYTHING I WOULDN'T. AND ABOVE ALL, IF YOU DO: + + DON'T GET CAUGHT. + YOURS IN TRADE, + LONG JOHN SILICONE + + Originally Captured From: + THE IMAGINATION FACTORY BBS (513)-787-3777 diff --git a/textfiles.com/phreak/PHREAKING/phrkbeef.phk b/textfiles.com/phreak/PHREAKING/phrkbeef.phk new file mode 100644 index 00000000..c69fce55 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phrkbeef.phk @@ -0,0 +1,270 @@ + + +-------------------------------------- + Phreaking '87: The Real BEEF +-------------------------------------- + An official LSD Publication + By The Illegal McBeagle.... + +/------------------------------------\ +: The Elite Skull........201-379-1459: +: Middle Earth...........515-224-6557: +: Mickey Mouse...........918-241-2844: +\------------------------------------/ + +Phreaking: The use of a telephone +company to evade the toll charges +involved with a long distance call. + + My strongest opinion about +phreaking is that it has been going on +for FAR too long. The companys that we +are dealing with are simply not going +to tolerate it much longer. But I have +had this view for about four years now, +and things have remained the same- +Hardly anyone gets busted... + This article will deal with +factual information about phreaking in +1987. I have conducted experiments +involving the supposed 'trace detect' +numbers, and I have spoke with a public +relations manager at Sprint. For a +different point a view, I contacted a +lawyer that was familiar with phreaking +as it pertains to us; The Phreaks. + + +Part I: The Rumors + +I have heard two very different and +distinct rumors about phreaking. By +this I mean that it seems there are two +different point of views when it comes +to tracing and phreaking. One states +that there is simply no way to trace, +and that even if you were traced the +evidence could not be used against you. +The other one is that you can be +traced, and it is just a matter of luck +that you havent been busted yet. This +is the space age. I assure you that +tracing IS possible. If you have any +doubt, just call up the CIA or FBI # +listed in one of the many 'hacker phone +list' g-files and harrass whoever +answers a few times with death threats. +I like to assume that I am being traced +every time I call out. By doing this I +am more aware of the number of calls I +make and how long I stay on. If I was +to be busted, maybe the bill would not +be as high... The next question that +arises is ' But do all companys +trace?', and 'Are there any SAFE +companys left?' + +Part II: My Expirement! + +I am sure that all of you have seen, at +one time or another, a number posted on +a BBs that supposedly checks to see if +your code is being traced. Up until +recently, I was sure that these numbers +were for telephone repairmen to check +your lines for clarity and frequency +range. But recently I ran across one +(it still has the oscillating tone) +that acts differenty depending on how I +called it. +[ The Results ] 2mins for each test + + #:817-460-1895 (Trace Test) + +1st Company: AT&T (direct call) +R: The tone was clear and sharp, with + no interruptions at all. + +2nd Company: Sprint [950-0777] +R: Erratic clicks and snaps while the + oscillating tone went up & down. + +3rd Company: Sprint [800-332-0777] +R: Clear for one cycle (up-down), + then an abrupt disconnect. + +4th Company: (?) 800-638-1996 +R: Much like that of AT&T's results, + but the line quality was noticebly + poorer. + +My analysis: + +It is obvious that AT&T would not have +to enable a trace, as the AT&T Cosmos +keeps track of all your outgoing calls +for you. So if there was a way to +detect a trace, it would register +negative when tested through AT&T. + +Sprint is a huge company, they have the +money to effectivly use tracing. The +clicks I heard using 950-0777 might +reflect this. But then 950's are +rumored to use ANI anyway. The 800 +Sprint disconnected me, which AT&T +didnt, so I have a feeling that it was +tracing. + +800-638-1996, which is most likely a +small company with no tracing +equipment, gave me a steady tone. By +the way, 1996 uses 6 digit codes. + +Assuming that 817-460-1895 is a trace +detect, I would have to say that Sprint +is indeed dangerous in that they trace. +800-638-1996 seems to be the safe +route. + +Now, what if that oscillating tone +included a 2600mz at the higher end? +Telephone company equipment of Sprint +might pick that up as a disconnect. +That would account for the clicks and +snaps, as they were similar to the +sound of a trunk about to be seized. + +I myself will be staying away from +Sprint, and using 800-638-1996 from now on. +Poorer lines, but possibly safer. + +Part III: My discussions with Sprint + +On the phone I acted like a potential +customer looking for the right LD +company. I claimed that I had +discontinued MCI becuase someone got a +hold of my code and abused it. I was +not charged with the calls, but it had +scared me away from MCI. I asked her if +this might happen on Sprint. She said +that it was always possible, but not +likely (that was just bullshit). I then +told her that I did not think MCI even +knew who abused my account, and asked +her if they could find out who was +illegally using codes on Sprint. She +said yes, and that they had special +investigative procedure to do so. +[ Note: I believe that these +procedures consist of calling every +number dialed by the phreak in hopes of +getting a voice #, and finding out just +who called the person. When I ran LSD +BBs, Sprint used to call me all the +time wanting to know who had called +me...] + +Part IV: The Next Step + + If Sprint/Mci/Metro are not tracing +right now, I'm sure that they will some +day soon. But all is not lost, there +will always be a way to phreak. +Nothing is perfect, and when there are +imperfections in the phone company, +phreaks will find a way to abuse them. +Right now there are several new +companys (look in the Rolling Stones +classifieds) that offer unlimited long +distance calls for a flat rate of $100 +a month (no, not PC Pursuit- which is a +decent alternative to phreaking). If +someone could get a hold of a code on +one of these systems, you could phreak +all you want without fear of being +busted. These companys simply want to +get that flat $100, and thats all. But +I would imagine the line quality is +horrible. I dont have a # for one of +these services, but when I get one I +will post it on the boards mentioned +above. + +Part V: Calls in excess + +There are businesses out there that +rely on long distance calls to bring in +the bucks. They might place 30,000 +calls in one week. If they phreak, +they have cut out 80% of expenses. +Compared to those agencies, we are very +small time... I doubt I have ever put +more then $2,000 on one code. Those +companys could put $50,000 on one +before the code is even cancelled. I +would imagine Sprint and the others are +worried with the big-time phreaks, and +not so much us. Besides, it seems that +when a small-time-phreak is busted, +three or four others go down with him. +They are probably using them to set an +example. I would try to cut down on the +amount of calls you make; Narrow the +number of boards you call to just the +important ones... It is dangerous to +think of phreaking as something to do +when you are bored... + + +Part VI: Conclusion + +Phreaking in '87 is more dangerous than +it was in '86. The same goes with any +crime that you commit. I talked with a +lawyer, and he said that when you are +caught phreaking you simply have no +rights. They know you did it, and they +can prove it. The tedious part is +figuring up how much you owe them- and +they frequently make you pay for the +time spent figuring your bill. My +advice to those that are busted is to +NEVER admit they you did it until you +see positive proof. If they do have the +'goods' on you, slap a sad story on +them and see about sending them a small +payment every month.. (until you get +back on your feet and can pay it all +off at once, is a good line) +You do not want to be dragged into +court, or sued. + +Well, thats it. If I come across +anymore information I will post it on +the three boards listed above, or if +enough comes my way I'll write another +article. + +Until then, Stay cool and DONT + get busted! + + [%] The Illegal McBeagle [%] + \________[L][S][D]_________/ + + +Post Script: + +This is the second release of this +article. The first release brought a +lot of critisism my way about the +experiment I did. PLEASE realize that +it was just an EXPERIMENT, and I really +have no idea if Sprint traces or not. I +just think that they do. + +2nd release from Middle Earth + 515-224-6557 + + diff --git a/textfiles.com/phreak/PHREAKING/phrkhis.txt b/textfiles.com/phreak/PHREAKING/phrkhis.txt new file mode 100644 index 00000000..a31152f9 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phrkhis.txt @@ -0,0 +1,52 @@ + + + + + THE HISTORY OF PHREAKING + ------------------------ + + FROM 2600...... + +DID YOU KNOW THAT PHREAKING STARTED +FROM THE MOST UNLIKELY SOURCE...... + CAP'N CRUNCH CEREAL! +YES, IN THE 1960'S A TOY WHISTLE WAS +PLACED IN THE FAMOUS CEREAL. +UNFORTUNATELY (NOT FOR US),THE WHISTLE +GENERATED 2,600 CYCLE-TONE, DUDE! A +YOUNG MAN WHO JUST ENTERED THE USAF +AS A RADIO TECH., WAS FASCINATED WHEN +HE DISCOVERED THAT BLOWING THE WHISTLE +INTO THE FONE AFTER DIALING ANY LONG- +DISTANCE # AND HEAING THE DISCONNECT +SIGNAL, THE TRUNK WOULD REMAIN OPEN +WITHOUT TOLL CHARGES ACCOUNTING, AND +THEN ON, ANY NUMBER COULD BE DIALED +REPEATEDLY. 800 #'S (INWATS) , WERE +LATER USED AS THE STARTER CALL TO +AVOID ANY CHARGES. HE USED THIS TO +CALL HOME WHILE STATIONED IN ENGLAND. + +THE CAP'N PRACTICED FOR YEARS. HE +REPORTEDLY WOULD PLACE CALLS AROUND +THE WORLD TO HIMSELF. +HE WOULD THEN TALK AND HERE HIMSELF +20 SEC. LATER. HE WENT ON TO +DISCOVER THE OPERATOR CODES INCLUDING +AUTO-RELAY (OPERATOR INTERUPT, OR +VERIFY BUSY). +THUS, EAVESDROPPING IN CONVERSATIONS. +HE CLAIMED TO LISTEN IN ON THE +FOLLOWING: 1. PRES. OF THE USA 2. FBI +WHEN IT WAS AFTER PATTY HEARST 3. THE +SECT. OF DEFENSE 4. AND VARIOUS +MILITARY BASES THRU AUTOVON. + +CAP'N CRUNCH WAS THRUST INTO THE +SPOTLITE WITH AN ARTICLE IN ESQUIRE. +THE TERM "BLUE BOX" CAME ABOUT BECAUSE +THE FIRST ONE THAT WAS CAPTURED WAS +THAT COLOR. THE CAP'N SOON WENT BEYOND +THE SIMPLE WHISTLE TO MORE COMPLICATED +DEVICES. + diff --git a/textfiles.com/phreak/PHREAKING/phrkhist b/textfiles.com/phreak/PHREAKING/phrkhist new file mode 100644 index 00000000..62013be0 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phrkhist @@ -0,0 +1,219 @@ +A Brief History of Phreaking +____________________________ + +by + +BucWheat + + Like most college students, I have occasionally been +assigned research papers for one class or another. My latest +assignment was for a systems analysis class- the subject chosen +was required to be computer related. Intrigued by the ideas +presented in the movie War Games, I chose hacking as my topic. As +I began my research, the subjects of hacking and phreaking are +somewhat intertwined, and as a result I learned a lot of +fascinating information about the history of phreaking. That +information is summarized below. + + (The following is an excerpt from Out of the Inner Circle by +The Cracker, Microsoft Press. Used without permission, but who +really cares?) + In the 1970s, before personal computers became as common as +they are now, the telephone system was explored by a group of +hackers who called themselves phone phreaks. The ethical and +technical predecessors of today's hackers, the phone phreaks were +anarchic "musicians" who delighted in using flutes, whistles, and +any other sound generators that worked to enter and explore the +worldwide telephone network. + The phone phreaks were far less organized and widespread +than today's hackers are, and, in the beginning, none of the even +knew of each other's existence. The cult itself came into being +in the late 1960s, partly because of a brilliant young man in +Tennessee named Joe Engressia. + Joe was the first phone phreak to achieve media notoriety +when a 1971 Esquire article told about him and his cohorts. Like +many other early phone phreaks, Joe is blind. He was only twenty- +two when the article was published, but he had been tweaking the +phone system since the age of eight. Telephones had always +fascinated him, and Joe happens to be one of those rare +individuals who are born with perfect pitch. One day, by +accident, he discovered how this gift could help him manipulate +some of the most sophisticated and widespread technology in the +world. + He was dialing recorded messages, partly because it was the +only way he knew to call around the world for free, and partly +because it was a favorite pastime. He was whistling while +listening to a recorded announcement when suddenly the recording +clicked off. Someone with less curiosity might have assumed it +was one of those strange things the phone company does to you, +but Joe had an idea. He fooled around with some other numbers, +and discovered he could switch off any recorded message by +whistling a certain tone. + He called the local telephone company and asked why tape +recorders stopped working when he whistled into the telephone. He +didn't fully understand the explanation he was given (remember, +he was only eight years old), but it sounded as if he had +stumbled upon a whole new world of things to do and explore. And +to a blind eight-year-old, an easily explored world, no farther +away than his telephone, was, indeed, an intriguing discovery. + Joe was able to control some of the telephone company's +global switching network - which is what he had stumbled upon +with his whistling - because of a decision American Telephone and +Telegraph (AT&T) made sometime in the 1950s. Their long-term, +irreversible, multi-billion dollar decision was to base their +long distance switching on a series of specific, audible tones +called the multifrequency system. The multifrequency system +(known to phreaks as "MF") is a way for numbers that designate +switching paths to be transmitted as tones similar to those that +touch tone phones make. Certain frequencies are used to find open +lines, to switch from local to long distance trunks, and, +essentially, to do most of the jobs a human operator is able to +do. + Undoubtedly, the decision makers at AT&T did not give a +moment's thought to the possibility that the system might someday +fall before a blind eight-year-old with perfect pitch, but Joe +found that he could maneuver his way through the system by +whistling that one specific tone at the right time. His +motivation was not to steal free telephone calls, but to find his +way around the network and to learn how to extend his control +over it. + Joe had explored for years, but he never thought of himself +as an enemy of the telephone system. He loved the system. His +dream was to work for the telephone company someday. But he +finally ran afoul of his intended employer one day when he was +caught whistling up free phone calls for his fellow college +students. + The publicity surrounding Joe's case had an unfortunate (for +the telephone company) side effect: it led to the creation of the +phone phreak network. Soon after the story hit the papers, Joe +began to get calls from all over the country. Some of the callers +were blind, most were young, and all of them had one thing in +common: an enormous curiosity about the telephone system. Joe put +the callers in touch with one another, and these scattered +experimenters soon found that they had stumbled upon several +different ways to use the MF system as the ticket to a world of +electronic globe-trotting. + Joe Engressia may have been the "phounding phather" of the +phone phreaks, but just as one discovery often leads to another +and another, it soon happened that someone else discovered a very +large error made by the Bell Telephone System in 1954. The Bell +System's technical journal had published a complete description +of the MF system, including the exact frequencies and +descriptions of how those frequencies were used. + Once the frequencies became public knowledge, phreaks began +to use pipe organs, flutes, and tape recorders to create the +tones that gave them control over the entire telecommunications +network. Then came the ultimate irony: the news spread that a +simple toy whistle, included as a giveaway inside boxes of Cap'n +Crunch cereal, produced a pure 2600 Hz. tone when one of the +holes was taped shut. Using the whistle at just the right point +in the process of making a connection, phreaks could call each +other whenever and wherever they wanted to without having to pay +the phone company. + One of the more curious and inventive phreaks using the +Cap'n Crunch whistle was John Draper, a young Air Force +technician stationed overseas. Draper used the whistle for free +calls to his friends in the United States. He was interested in +the way this bizarre tool worked, so he began experimenting with +the system and found that he could use his whistle and his +knowledge of the switching network to route his calls in peculiar +ways. + He began by calling people who worked inside the telephone +system. They weren't aware that he was an outsider, so he was +able to start gathering "intelligence". Soon, he was calling +Peking and Paris, and routing calls to himself around the world. +He set up massive clandestine conference calls that phreaks +around the world could join or drop out of at will. Soon, he +became known in the phreak underground as Cap'n Crunch. + Cap'n Crunch soon found out from other electronically minded +phreaks that it was possible to build specially tuned electronic +tone generators that could reproduce the MF frequencies. A few +electronic wizards began to circulate the generators, which were +first known as "MF boxes" because they reproduced the +multifrequency tones, and later came to be called "blue boxes", +as they are today. + The number of phreaks grew, and as they added their own +discoveries to the collection of phreak knowledge, the cult's +power to manipulate the system steadily increased. Then, in +October, 1971, the whole underground scene, from Joe Engressia to +Cap'n Crunch became well known to the outside world. Esquire +magazine published "Secrets of the Little Blue Box" by Ron +Rosenbaum, a journalist who had encountered the top phreaks of +the time. Cap'n Crunch was characterized somewhat romantically in +Rosenbaum's piece as a roving prankster who drove the author +around in his specially equipped van, pausing frequently at +public telephones to phone locations around the world: the +American embassy in Moscow, a group of blind teenage phreaks in +Canada, a public telephone in Trafalgar square. + After the article was published (though not as a direct +result) Crunch was arrested twice, convicted, and ended up +spending four months in the federal prison in Lompoc, California +in 1976, and two in Northampton State Prison in Pennsylvania in +1977. While he was in prison, several mob-connected inmates tried +to enlist him in a commercial blue box venture. Draper/Crunch +declined. The convicts broke Draper's back and knocked out his +front teeth. + After he left prison, Draper quit phreaking and decided to +start programming. An old friend by the name of Steve Wozniak +seemed to be doing pretty well with a piece of hardware he called +the Apple ][, and Draper started writing software for Apple +Computer. He developed a word-processing program known as +EasyWriter and gained another niche in the technological hall of +fame in 1981, when EasyWriter was chosen as the first word +processor to be available for the IBM personal computer. Now, +Cap'n Crunch makes a legitimate living under a new handle, Cap'n +Software. + + +TAP + + During his trial, John Draper claimed (and still claims) +that his interest in phreaking was strictly devoted to learning +about the workings of the complex, worldwide communication- +switching networks. There were other phreaks, though, of a more +political mind, who saw this method of technological trespassing +as a tool for spreading anarchy, and one radical branch of the +phreak fraternity grew out of the political group of the late 60s +and early 70s known as the Yippies. + On May Day, 1971, the founding Yippie, Abbie Hoffman, and a +phone phreak who used the handle Al Bell started a subversive +publication called the Youth International Party Line, which +focused on information about cracking the phone network. A few +years later, its name was changed to Technological Assistance +Program (TAP), when the technology phreaks separated from their +more politically motivated counterparts. TAP was purely +anarchist. Through it, phreaks learned how to make plastic +explosives, how to obtain phony birth certificates and illicit +airline tickets, and how to abuse credit cards. It published +circuit diagrams of blue boxes, and its members specialized in +obtaining and trading hard to get telephone numbers, such as that +of the Vatican or the Kremlin. TAP even secured the phone number +of the American Embassy in Teheran after it was seized by +students during the hostage crisis of 1980, posted the number, +and invited phreaks to "tell off" the revolutionary guards. + In the late 1970s the phreak most closely associated with +TAP also became a well-known hacker with the aliases Richard +Cheshire and Cheshire Catalyst. Often employed as a computer and +communications consultant by large corporations who are unaware +of his secret identity, Cheshire has a widespread, carefully +cultivated network of cohorts inside the telephone company and +other institutions. Avoiding what he calls "dark side hacking" +that results in damage to data, Cheshire claims that there are +some kinds of information which even TAP will not publish. For +example, Cheshire once said: "A few years ago, before the +Progressive magazine actually published the plans for making a +hydrogen bomb, we were approached by someone who had similar +plans. I decided that anything like the hydrogen bomb, which has +the capability of destroying the phone network, is not in our +interests." + Cheshire also mentioned an incident in which a hacker he +knew stumbled upon the data processing facilities of a top secret +American seismic station in Iceland, a facility responsible for +monitoring Soviet nuclear testing. The hacker got out as soon as +he realized where he was - "We try to stay away from that sort of +stuff," Cheshire said. He also remarked, "I once invited the CIA +to attend a public lecture of mine, and there were a couple of +guys at that talk, seated towards the back, who definitely turned +a couple shades of green when I told about that Icelandic +station." + diff --git a/textfiles.com/phreak/PHREAKING/phrkrule.phk b/textfiles.com/phreak/PHREAKING/phrkrule.phk new file mode 100644 index 00000000..9ca4d635 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phrkrule.phk @@ -0,0 +1,173 @@ +$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ +$ THE IC'S RULES OF PHREAKING $ +$ $ +$ These are the standards of hacking employed by $ +$ the Inner Core. The text comes from a data file $ +$ written by and for IC members. HACK YOUR OWN $ +$ CODES. Don't leech codes from someone else. $ +$ Having codes is like having sex, if you don't $ +$ protect yourself you'll end up with a venereal $ +$ disease. You have no idea where a code has been $ +$ before you got your hands on it, when it was $ +$ hacked or how long it's been in circulation. Time $ +$ is a very important factor, the longer a code has $ +$ been in use, the greater the risk. $ +$ $ +$ DON'T STAY ON A CODE MORE THAN THREE DAYS. Don't $ +$ give the suckers an even break. To run a trace, $ +$ MCI needs a court order. Ain't that nice. Paper $ +$ work takes time, and it's highly unlikely that $ +$ they could accomplish the feat in three days. $ +$ $ +$ It' s even more unlikely that they would even $ +$ know they've been phreaked for at least a $ +$ week. All company's have thirty day billing $ +$ cycles, if you started using the code the day $ +$ after the bills went out, you'd have twenty nine $ +$ days left to play with it. The customer gets his $ +$ billing and bitches up a storm. The company now $ +$ has the option of setting up a trap, but alas, $ +$ they notice that you haven't used the code in $ +$ three weeks and have no destination number to $ +$ PIN . If you phreaked the code one day before the $ +$ billing cycle ends, then the customer may notice $ +$ right away. Figure you have two days for it to $ +$ reach the customer. If he yells right away it $ +$ takes a few more days for the security department $ +$ to process the paperwork for the trace. By that $ +$ time you're long gone. $ +$ $ +$ DON'T STAY ON A CODE MORE THAN THREE DAYS. If you $ +$ insist on burning the same company, you're going $ +$ to develop a pattern they can spot. You call your $ +$ girl friend in Alaska every damned day using the $ +$ same company. It doesn't take a genius to predict $ +$ what you're going to do tomorrow. They know where $ +$ you enter their system and where you're going to. $ +$ You've given them everything they need to run a $ +$ good trace. Spread the wealth a little. Use US $ +$ Telecom, then ITT, Lexitel, Skyline, Metro and a $ +$ few of the 800's if you like. Spread it out. $ +$ These people have no way of comparing. So you $ +$ can screw Peter, Paul and the rest of the $ +$ Apostles with no worry. Just don't be a dip stick $ +$ and get lazy. $ +$ $ +$ Everyone is worried about THE TRACE. Don't be. $ +$ It's no big deal for AT&T, after all it is their $ +$ network, but for the leech services it's an $ +$ entirely different matter. This is why we don't $ +$ mess around with AT&T except through secondary $ +$ accesses like PBX's or Diverters. $ +$ $ +$ This is the senerio that MCI's security $ +$ department will run down. $ +$ $ +$ They call up a number that you've called....... $ +$ $ +$ "Hello, this is Inspector Bullshit with MCI. Did $ +$ you receive a phone call from the 212 area code $ +$ on November 22, 1945 at 4:00 A. M.? " $ +$ "You didn't?" $ +$ "We've traced fourteen calls to this number in $ +$ the last two weeks, by the way, who am I $ +$ speaking with?" $ +$ "Well Mrs. Blabbermouth, perhaps someone else in $ +$ your household received the calls? " $ +$ "I see, your daughter has a boyfriend in New $ +$ York." $ +$ I'm afraid that he's in some serious trouble Mrs. $ +$ B. If you'll cooperate with me we won't pursue $ +$ this matter with your daughter." $ +$ "That's correct, little Susie Blabbermouth won't $ +$ be involved. It would be a shame to cause you $ +$ folks trouble, after all she didn't actually make $ +$ the calls." $ +$ "All I need is the boy's name and phone number." $ +$ "Let me see if I have that right." $ +$ Jimmy Phreaker at 212-555-1212?" $ +$ "Thank you Mrs. B you've been very helpful." $ +$ $ +$ The key point is, if Bullshit had really run $ +$ traces he wouldn't be calling to con the $ +$ information. The exchange is typical of cons used $ +$ by most phone companys and illustrate several $ +$ important issues. Make sure that the person $ +$ you're calling is cool and there's no chance $ +$ that someone else could rat on you. It is very $ +$ unlikely that MCI will make such a call if you $ +$ use the IC's Rules of Phreaking. Yet, if it were $ +$ to occur these are your friend's options.... $ +$ $ +$ 1. HANGUP $ +$ 2. "FUCK YOU"...THEN HANG UP $ +$ 3. "I WAS WATCHING MIAMI VICE AND YOU INTERRUPT $ +$ ME WITH THIS CRAP. FUCK YOU"....HANG UP $ +$ 4. If you want to be nice about it; "I don't know $ +$ what you're talking about.....HANG UP. $ +$ $ +$ The problem is now resolved. $ +$ Remember these guys are like rabid dogs in heat, $ +$ they're excellant con artists. Believe nothing $ +$ you hear. You don't have to talk to them. If $ +$ they had anything on you they'd be standing at $ +$ your door with a search warrant. Their abilities $ +$ in this area a very restricted. They operate by $ +$ manipulating your fear and you have nothing to $ +$ fear but your own fear. Don't try to come up with $ +$ some lame explanation, you know you received the $ +$ call and they know it. So don't make an ass out $ +$ of yourself trying to explain away the obvious - $ +$ HANG UP! $ +$ $ +$ What happens if your are caught? Congratulate $ +$ yourself on being an asshole. The number of $ +$ phreaks caught are so small that you have now $ +$ qualified for membership in a really elite group $ +$ of jerks. Inspector Bullshit now has several $ +$ options. Grab your computer, this will be done no $ +$ matter what. Grab your data files and any hard $ +# copy you have laying around. This to help $ +$ identify other subversives and also to supply $ +$ incriminating information about you. Try to scare $ +$ you into a confession. Standard operating $ +$ procedure - keep your fucking mouth shut. You $ +$ have nothing to gain by talking and a much to $ +$ lose. If you're a minor÷you can forget about jail $ +$ time, an adult is looking at a couple of weeks in $ +$ the slam - may-be. Realize this, they don't $ +$ really want your ass as much as they want THE $ +$ MONEY. That's right boys and girls the buck talks $ +$ loud and clear. If you're caught, you've broken $ +$ every one of the IC's rules. At worst you're $ +$ looking at a couple of thousand in phone bills. $ +$ Get a lawyer to do your talking for you, that'll $ +$ be about a five hundred dollar retainer. If the $ +$ company is willing to settle for the money, and $ +$ your computer, pay it - it's cheaper in the long $ +$ run. If they want you in the kalaboose then fight $ +$ it. As a first time offender the odds of you $ +$ actually getting time is slim. Incidentally, $ +$ Inspector Bullshit will drop a little extra on $ +$ the bill for good measure. Have the attorney $ +$ demand that they produce their records of all $ +$ "alleged phone conversations". In fighting a $ +$ phreaking case you'll want to have a jury trial. $ +$ The technology behind the running of a trace is $ +$ so complicated that even a half assed lawyer $ +$ could confuse the average layman. He can make $ +$ Inspector Bullshit describe switching down to $ +$ atomic subparticles if he wants and by the time $ +$ he gets to how a trace works the jury would be $ +$ so confused that you'd skate on a "reasonable $ +$ doubt". It would be interesting to see if a sharp $ +$ shark could subpoena the actual equipment used to $ +$ run the trace. I don't think that MCI would care $ +$ to have one of their computers offline for the $ +$ time it would take to have "independant" $ +$ examiners checking out the functionality of the $ +$ switching mechanisms. To phreak or not to phreak. $ +$ It's a question only you can answer for yourself. $ +$ $ +$ $ +$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ diff --git a/textfiles.com/phreak/PHREAKING/phrkusa.txt b/textfiles.com/phreak/PHREAKING/phrkusa.txt new file mode 100644 index 00000000..418b1435 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phrkusa.txt @@ -0,0 +1,70 @@ + +"Phreakin' USA!" by John Fowler + +When you think "phone phreak," what kind of mental picture do you get? A +teenager holding a sound-making box up to a phone? Or someone who uses false +calling card numbers? The phone companies lose an estimated $80 million each +year on fraudulent phone calls (compared to a total budget of over $27 +billion!), but only a minute fraction is attributed to the above cases. So who +is causing all these losses? + +A phreak is officially defined as "One who causes information to be passed over +the phone without the phone company receiving due compensation." This applies +to more cases than most people expect. For example, calling a "ring-back" +system long distance just happens to be illegal, because you are passing +information (that you want to use the modem line) without paying the phone +company! This law is, of course, not enforcible, and even if it was, why +take someone to court over a matter of twenty cents lost? It's also illegal to +make a person-to-person call to yourself in order to let your spouse know you +arrived at a destination safely! Likewise, calling someone collect at a pay +phone, calling an operator to say you lost a dollar in a pay phone when you +didn't, and completing a call with another person over "test lines" (test lines +are in all exchanges, and if two people dial consecutive test lines, they may +talk to each other without any charge) are all illegal! Spreading all this out +along the entire phone network, it suddenly becomes a matter of millions of +dollars lost each year, even without those little boxes that simulate operator +tones! + +However, the common image of the phreak is someone who plays with red, black, +and blue boxes to somehow gyp the phone company into allowing a free call. +Each of these boxes, named after the color of the originals, has a different +function, and many times the boxes are confused with each other. A red box +is a device meant to be used only at pay phones. It simulates the sounds +of various coins dropping into the phone. When some pay phones hear this +sound, they automatically assume the a coin actually has dropped into the phone +and registers it. A black box is a device which converts any phone jack it is +hooked up to into a toll-free number. If Larry hooked up one, I and everyone +else could call the CPTBBS as if it were an 800 number, yet Larry would not +have to pay the excessive charges that an 800 number demands. With the +sophisticated scanning equipment the phone company has today, however, black +boxes can be detected after a while. + +The most infamous of the colored boxes is the blue box, which mimics the +operator tones to allow free calls from any phone. They cost only $25-$50 to +make, but can sell for up to $3000! Here's how it works: a phreak first dials +a no-charge number, such as an 800 number for a large corporation (if he wants +to add a little irony, he'll make it AT&T's 800-number!). The number rings +once, and then the phreak generates a pure 2600-cycle tone. This tells the +phone equipment that the call has dislodged and to be ready for the next call, +though the phreak remains on-line! The phreak then gives another tone telling +the equipment that a toll call is coming through (though in actuality it is +not). The phreak dials the number and is connected, but the billing equipment +never starts! When the phreak eventually hangs up, the records will only show +that he made a toll-free call. + +It would cost the phone companies approximately one billion dollars to change +the switching system so that the blue boxes would not work, so instead they +decided to invest in a scanning system that records all questionable calls. +Now that scanning system is so quick that it's almost suicide to use a black +or blue box at home. Phreaks can still get away with using blue boxes at +pay phones if the call is short, but that's about all. If someone is found +using a blue or black box at home now, the box is immediately confiscated, and +the phreak's service may be possibly disconnected. + +If someone offers to sell you one of these colored boxes for the standard +ridiculous price, I'd advise against it. You stand to lose much more than you +would gain in the long run. + +Reference: Kleinfield, Sonny; "The Biggest Company On Earth"; +published by Holt, Rinehart, and Winston; 1981; pp. 247-261. + diff --git a/textfiles.com/phreak/PHREAKING/phrman.txt b/textfiles.com/phreak/PHREAKING/phrman.txt new file mode 100644 index 00000000..bd3e8606 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phrman.txt @@ -0,0 +1,13053 @@ + + + The Official Phreaker's Manual + + + + + + + + + + + + + + + + + + + + + + The Official Phreaker's Manual V1.1 + Updated 2/14/87 + Compiled, Wordprocessed, and Distributed by: + The Jammer + and + Jack the Ripper + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 1 + + + + + The Official Phreaker's Manual + + Introduction + + What precedes this introduction is what I have termed "The Official +Phreakers Manual", while it may not be. Many times I have been on a BBS, which +has files claiming to have summed up all the ways to phreak in the U.S. and +abroad, well those were pretty lame and a couple pages long. Now after many +relentless hours of work, I have done it. This is an informative file and the +authors of this and the authors from which I have gathered information, take +absolutely NO responsibility and are not liable for, under any circumstances +for damage, direct, indirect, incidental, or consequential. + + Warning: Use of this material may shorten your life in the free world! + + Ok enough of the bullshit, I readily admit that this is mainly a compilation +of available phreak material and public resources. What I have done is to +gather it all together and edit, compile, check for errors, put in a readable +form, and finally to write what I know without echoing what others have said. +I have set this up that it is good for all levels of phreaks, going from novice +to advanced, and references and tables for easy reference in the back. + This manual is constantly being updated! If you have any contributions or +corrections or comments, please leave messages to me (Jack the Ripper) on any +BBS's I am on (probably where you got it). Thanks! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 2 + + + + + The Official Phreaker's Manual + + ********************************************************************** + + Table of Contents + + ********************************************************************** + + +I....... 005 Chapter 1 +I.1..... 006 Glossary of Phreaking terms +I.2..... 010 Glossary of Phreaking terms cont. +I.3..... 017 Boxes and Electronic Toll Fraud +I.4..... 020 How to be a Real Phreak +I.5..... 026 Basic Telecommunications I, A Phreaks guide + +II...... 031 Chapter 2 +II.1.... 033 Secrets of the Little Blue Box. Part 1 +II.2.... 041 Secrets of the Little Blue Box. Part 2 +II.3.... 050 Secrets of the Little Blue Box. Part 3 +II.4.... 058 Secrets of the Little Blue Box. Part 4 +II.5.... 062 The History of ESS +II.6.... 064 History of British Phreaking +II.7.... 067 Bad as Shit, an adventure story + +III..... 069 Chapter 3 +III.1... 070 Phreaking Cosmos +III.2... 072 Cosmos Revamped +III.3... 073 Telenet +III.4... 075 Phreaking AT&T Cards +III.5... 076 AT&T Forgery +III.6... 078 Dealing with Operators +III.7... 079 How to set up a Conference Call +III.8... 081 Fone tapping +III.9... 083 Fone tapping cont. +III.10.. 085 Tracing, how dangerous is it +III.11.. 086 How to avenge yourself +III.12.. 088 Interesting things to do on Step lines +III.13.. 089 Busted, An account of the Private Sector bust + +IV...... 092 Chapter 4 +IV.1.... 093 Basic Telecommunications II, Special #'s, Loops, Ani +IV.2.... 101 Basic Telecommunications III, Direct Dialing, International +IV.3.... 106 Basic Telecommunications IV, Telefone Hierarchy +IV.4.... 113 Basic Telecommunications V, Subscriber fone electronics +IV.5.... 120 Basic Telecommunications VI, Fortress fones + +V....... 123 Chapter 5 +V.1..... 124 Basic Telecommunications VII, Blue Boxing +V.2..... 132 Better Homes & Blue Boxing, Part 1 +V.3..... 136 Better Homes & Blue Boxing, Part 2 +V.4..... 141 Better Homes & Blue Boxing, Part 3 +V.5..... 145 More on Blue Boxing by Fred Stienbeck +V.6..... 146 Verification, Remob, etc., Is it possible? +V.7..... 148 Equal Access and the American Dream, Another great article +V.8..... 160 Equal access and Autodialing Modems +V.9..... 161 ISDN, it will change telecommunications for ever +V.10.... 163 ISDN, an article from Proto +V.11.... 165 MCI Services what they are and how they are useful + + + Page 3 + + + + + The Official Phreaker's Manual + + ********************************************************************** + + Appendixes + + ********************************************************************** + + +Appendix I...... 170 Reference tables and access lists +Appendix I.1.... 171 Country Codes +Appendix I.2.... 173 Country Codes cont. +Appendix I.3.... 176 Country Codes cont. +Appendix I.4.... 181 Max Access ports (Dialups) +Appendix I.5.... 182 Metro Fone Access ports +Appendix I.6.... 183 Area Codes +Appendix I.7.... 185 Tac Dialups around the country +Appendix I.8.... 193 Test numbers around the country +Appendix I.9.... 196 What a TSPS operators console looks like + +Appendix II..... 197 Box plans +Appendix II.1... 198 How to make an Infinity transmitter +Appendix II.2... 203 How to make a silver box + + 204 Protection Page + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 4 + + + + + The Official Phreaker's Manual + + Chapter 1 + + Ok this chapter will cover the basic vocabulary of phreaking, it is a fairly +long list, though not totally complete. After the vocab, will be some of the +general rules for phreaking. Most of the rules are protection from the police +and AT&T, but others are grammatical rules. These are not as important to your +freedom, but many a phreak will think you are a twelve year old if you start +talking like, "Hey dudz!^$(&, just got the latest warez! trade u for some +soft/docs. Checkul8r". Well you get the point, here's your vocab list... + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 5 + + + + + The Official Phreaker's Manual + + ...................................................................... + ...................................................................... + . The Bell Glossary - .. + . by .. + . /\<\ /\<\ .. + . \>ad \>arvin .. + ...................................................................... + ...................................................................... + +ACD: Automatic Call Distributor - A system that automatically distributes calls +to operator pools (providing services such as intercept and directory +assistance), to airline ticket agents, etc. + +Administration: The tasks of record-keeping, monitoring, rearranging, +prediction need for growth, etc. + +AIS: Automatic Intercept System - A system employing an audio-response unit +under control of a processor to automatically provide pertinent info to callers +routed to intercept. + +Alert: To indicate the existence of an incoming call, (ringing). + +ANI: Automatic Number Identification - Often pronounced "Annie," a facility for +automatically identify the number of the calling party for charging purposes. + +Appearance: A connection upon a network terminal, as in "the line has two +network appearances." + +Attend: The operation of monitoring a line or an incoming trunk for off-hook or +seizure, respectively. + +Audible: The subdued "image" of ringing transmitted to the calling party during +ringing; not derived from the actual ringing signal in later systems. + +Backbone Route: The route made up of final-group trunks between end offices in +different regional center areas. + +BHC: Busy Hour Calls - The number of calls placed in the busy hour. + +Blocking: The ratio of unsuccessful to total attempts to use a facility; +expresses as a probability when computed a priority. + +Blocking Network: A network that, under certain conditions, may be unable to +form a transmission path from one end of the network to the other. In general, +all networks used within the Bell Systems are of the blocking type. + +Blue Box: Equipment used fraudulently to synthesize signals, gaining access to +the toll network for the placement of calls without charge. + +BORSCHT Circuit: A name for the line circuit in the central office. It +functions as a mnemonic for the functions that must be performed by the +circuit: Battery, Overvoltage, Ringing, Supervision, Coding, Hybrid, and +Testing. + +Busy Signal: (Called-line-busy) An audible signal which, in the Bell System, +comprises 480hz and 620hz interrupted at 60IPM. + +Bylink: A special high-speed means used in crossbar equipment for routing calls + + Page 6 + + + + + The Official Phreaker's Manual + +incoming from a step-by-step office. Trunks from such offices are often +referred to as "bylink" trunks even when incoming to noncrossbar offices; they +are more properly referred to as "dc incoming trunks." Such high-speed means +are necessary to assure that the first incoming pulse is not lost. + +Cable Vault: The point which phone cable enters the Central Office building. + +CAMA: Centralized Automatic Message Accounting - Pronounced like Alabama. + +CCIS: Common Channel Interoffice Signaling - Signaling information for trunk +connections over a separate, nonspeech data link rather that over the trunks +themselves. + +CCITT: International Telegraph and Telephone Consultative Committee- An +International committee that formulates plans and sets standards for +intercountry communication means. + +CDO: Community Dial Office - A small usually rural office typically served by +step-by-step equipment. + +CO: Central Office - Comprises a switching network and its control and support +equipment. Occasionally improperly used to mean "office code." + +Centrex: A service comparable in features to PBX service but implemented with +some (Centrex CU) or all (Centrex CO) of the control in the central office. In +the later case, each station's loop connects to the central office. + +Customer Loop: The wire pair connecting a customer's station to the central +office. + +DDD: Direct Distance Dialing - Dialing without operator assistance over the +nationwide intertoll network. + +Direct Trunk Group: A trunk group that is a direct connection between a given +originating and a given terminating office. + +EOTT: End Office Toll Trunking - Trunking between end offices in different toll +center areas. + +ESB: Emergency Service Bureau - A centralized agency to which 911 "universal" +emergency calls are routed. + +ESS: Electronic Switching System - A generic term used to identify as a class, +stored-program switching systems such as the Bell System's No.1 No.2, No.3, +No.4, or No.5. + +ETS: Electronic Translation Systems - An electronic replacement for the card +translator in 4A Crossbar systems. Makes use of the SPC 1A Processor. + +False Start: An aborted dialing attempt. + +Fast Busy: (often called reorder) - An audible busy signal interrupted at twice +the rate of the normal busy signal; sent to the originating station to indicate +that the call blocked due to busy equipment. + +Final Trunk Group: The trunk group to which calls are routed when available +high-usage trunks overflow; these groups generally "home" on an office next +highest in the hierarchy. + + Page 7 + + + + + The Official Phreaker's Manual + + +Full Group: A trunk group that does not permit rerouting off-contingent foreign +traffic; there are seven such offices. + +Glare: The situation that occurs when a two-way trunk is seized more or less +simultaneously at both ends. + +High Usage Trunk Group: The appellation for a trunk group that has alternate +routes via other similar groups, and ultimately via a final trunk group to a +higher ranking office. + +Intercept: The agency (usually an operator) to which calls are routed when made +to a line recently removed from a service, or in some other category requiring +explanation. Automated versions (ASI) with automatic voiceresponse units are +growing in use. + +Interrupt: The interruption on a phone line to disconnect and connect with +another station, such as an Emergence Interrupt. + +Junctor: A wire or circuit connection between networks in the same office. The +functional equivalent to an intraoffice trunk. + +MF: Multifrequency - The method of signaling over a trunk making use of the +simultaneous application of two out of six possible frequencies. + +NPA: Numbering Plan Area. + +ONI: Operator Number Identification - The use of an operator in a CAMA office +to verbally obtain the calling number of a call originating in an office not +equipped with ANI. + +PBX: Private Branch Exchange - (PABX: Private Automatic Branch Exchange) An +telephone office serving a private customer, Typically , access to the outside +telephone network is provided. + +Permanent Signal: A sustained off-hook condition without activity (no dialing +or ringing or completed connection); such a condition tends to tie up +equipment, especially in earlier systems. Usually accidental, but sometimes +used intentionally by customers in high-crime-rate areas to thwart off +burglars. + +POTS: Plain Old Telephone Service - Basic service with no extra "frills". + +ROTL: Remote Office Test Line - A means for remotely testing trunks. + +RTA: Remote Trunk Arrangement - An extension to the TSPS system permitting its +services to be provided up to 200 miles from the TSPS site. + +SF: Single Frequency. A signaling method for trunks: 2600hz is impressed upon +idle trunks. + +Supervise: To monitor the status of a call. + +SxS: (Step-by-Step or Strowger switch) - An electromechanical office type +utilizing a gross-motion stepping switch as a combination network and +distributed control. + +Talkoff: The phenomenon of accidental synthesis of a machine-intelligible + + Page 8 + + + + + The Official Phreaker's Manual + +signal by human voice causing an unintended response. "whistling a tone". + +Trunk: A path between central offices; in general 2-wire for interlocal, 4-wire +for intertoll. + +TSPS: Traffic Service Position System - A system that provides, under stored- +program control, efficient operator assistance for toll calls. It does not +switch the customer, but provides a bridge connection to the operator. + +X-bar: (Crossbar) - An electromechanical office type utilizing a "fine-motion" +coordinate switch and a multiplicity of central controls (called markers). +There are four varieties: + No.1 Crossbar: Used in large urban office application; (1938) + No 3 Crossbar: A small system started in (1974). + No.4A/4M Crossbar: A 4-wire toll machine; (1943). + No.5 Crossbar: A machine originally intended for relatively small +suburban applications; (1948) + Crossbar Tandem: A machine used for interlocal office switching. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 9 + + + + + The Official Phreaker's Manual + + ============================================================ + _ _ _______ + | \/ | / _____/ + |_||_|etal / /hop + __________/ / + /___________/ + (314) 432-0756 + + Proudly Presents + + The MCI Telecommunications Glossary + + Part I Volume I (A - D) + + Typed by Knight Lightning + + ============================================================ + +- A - + +A & B LEADS: Designation of leads derived from the midpoints of the two 2-wire +pairs comprising a 4-wire circuit. + +ABBREVIATED DIALING: The ability of a telephone user to reach frequently called +numbers by using less than seven digits. Synonym: Speed Dialing + +ACCESS CHARGE: A fee paid for the use of local lines. + +ACCESS CODE: A digit or number of digits required to be connected to a private +line arranged for dial access. + +ACCESS LINE: A telephone circuit which connects a customer location to a +network switching center. + +AIRLINE MILEAGE: Calculated point-to-point mileage between terminal +facilities. + +ALL TRUNKS BUSY (ATB): A single tone interrupted at a 120 ipm (impulses per +minute) rate to indicate all lines or trunks in a routing group are busy. + +ALTERNATE ROUTE: A secondary communications path used to reach a destination if +the primary path is unavailable. + +ALTERNATE USE: The ability to switch communications facilities from one type of +service to another, i.e., voice to data, etc. + +ALTERNATE VOICE DATA (AVD): A single transmission facility which can be used +for either voice or data. + +AMERICAN STANDARD CODE +FOR INFORMATION INTERCHANGE +(ASCII): An 8 level code developed for the interchange of information between +data processing and communications systems. + +ANALOG SIGNAL: A signal in the form of a continuous varying physical quantity, +e.g., voltage which reflects variations in some quantity, e.g., loudness in the +human voice. + + + Page 10 + + + + + The Official Phreaker's Manual + +ANNUNICATOR: An audible intercept device that states the condition or +restrictions associated with circuits or procedures. + +ANSWER BACK: An electrical and/or visual indication to the calling or sending +end that the called or received station is on the line. + +ANSWER SUPERVISION: An off-hook signal transmitted toward the calling end of a +switched connection when the called party answers. + +AREA CODE: Synonym: Numbering Plan Area (NPA). A three digit number identifying +more than 150 geographic areas of the United States and Canada which permits +direct distance dialing on the telephone system. A similar global numbering +plan has been established for international subscriber dialing. + +ATTENDANT POSITION: A telephone switchboard operator's position. It provides +either automatic (cordless) or manual (plug and jack) operator controls for +incoming and/or outgoing telephone calls. + +ATTENUATION: A general term used to denote the decrease in power between that +transmitted and that received due to loss through equipment, lines, or other +transmission devices. It is usually expressed as a ration in db (decibel). + +AUDIBLE RINGING TONE: An audible signal heard by the calling party during the +ringing-interval. + +AUTHORIZATION CODE: An identification number that the caller enters when +placing a call which is used for billing purposes. + +AUTHORIZED USER: A person, firm, organization, corporation or any other entity +authorized by the customer to send or receive communications over a specific +communications network. + +AUTO ANSWER: A machine feature that allows a transmission control unit or +station to automatically respond to a call that it receives. + +AUTOMATIC CALL +DISTRIBUTOR (ACD): A switching system designed to queue and/or distribute a +large volume of incoming calls to a group of attendants to the next available +"answering" position. + +AUTOMATIC DIALING UNIT: A device which automatically generates a predetermined +set of dialing digits. + +AUTOMATIC IDENTIFICATION +OF OUTWARD DIALING (AIOD): A computer generated report showing all long +distance calls placed over AT&T's toll network. + +AUTOMATIC NUMBER +IDENTIFICATION (ANI): Automatic equipment at a local dial office used on +customer dialed calls to identify the calling-station. + +AUTOMATIC ROUTE +SELECTION (ARS): Least cost routing via AT&T CENTREX system. + + + +- B - + + + Page 11 + + + + + The Official Phreaker's Manual + +BAND: (1) The range of frequencies between two defined limits. (2) In reference +to WATS, one of the five specific geographic areas as defined by AT&T. Synonym: +BANDWIDTH. + +BANDWIDTH: See BAND. + +BASEBAND: The total frequency band occupied by the aggregate of all the voice +and data signals used to modulate a radio carrier. + +BAUD: A unit of signaling speed. The speed in baud is the number of discrete +conditions conditions or signal elements per second. If each signal event +represents only one bit condition, then Baud is the same as bits per second. +When each signal event represents other than one bit, Baud does not equal bits +per second. + +BELL OPERATING COMPANY +(BOC) /BELL SYSTEMS +OPERATING COMPANY (BSOC): Any of the 24 AT&T affiliated companies providing +local service. + +BELL SYSTEM: The aggregate of AT&T's 24 associated telephone companies, Long +Lines, Western Electric, and Bell Labs. + +BILLING NUMBER: The MCI term for the number which identifies a customer on a +billing location level, assigned to Network Service Customer (by COMS). +Assigned for each unique customer name and billing location. For internal use +only. + +BINARY: A number system that uses only two characters ("0" and "1"). + +BIT: A binary digit. The smallest unit of coded information. + +BITS PER SECOND (BPS): The rate at which data transmission is measured. + +BLOCKED CALLS: Attempted calls that are not connected because (1) all lines to +the central offices are in use; or (2) all connecting connecting paths through +the PBX/switch are in use. + +BLOCKED ANI: ANI prohibited from completing a call over the MCI network. + +BREAK: A means of interrupting transmission, a momentary interruption of a +circuit. + +BROADBAND: A transmission facility having a bandwidth of greater then 20 kHz. + +BUS: A heavy conductor, or group of conductors, to which several units of the +same type of equipment may be connected. + +BUSY: The condition in which facilities over which a call is to be connected +are already in use. + +BUSY HOUR: The time of day when phone lines are most in demand. + +BUSY TONE: A single that is interrupted at 60 ipm (impulses per minute) rate to +indicate that the terminal point of a call is already in use. + +BYTE: A group of binary digits that are processed by a computer as a unit. + + + Page 12 + + + + + The Official Phreaker's Manual + + + +- C - + + +CARRIER: High frequency current that can be modulated with voice or digital +signals for bulk transmission via cable or radio circuits. + +CARRIER SYSTEM: A system for providing several communications channels over a +single path. + +CATHODE RAY TUBE (CRT): The "television-like" screen used to display the output +from a computer. + +CELLULAR MOBILE RADIO: A system providing exchange telephone service to a +station located in an auto or other mobile vehicle, using radio circuits to a +base radio station which covers a specific geographical area and as the vehicle +moves from one area to another, different base radio stations handle the call. + +CENTRAL OFFICE (CO): A telephone switching center that provides local access to +the public network. Sometimes referred to as: Class 5 office, end office, or +Local Dial Office. + +CENTREX, CO: PBX Service provided by a switch located at the telephone company +central office. + +CENTREX, CU: A variation on Centrex CO provided by a telephone company +maintained "Central Office" type switch located at the customer's premises. + +CENTRAL PROCESSING UNIT +(CPU): The control unit within a computer which handles all the intelligent +functions of the systems. In a telephone switch, directs all potions of the +system to carry out their appropriate functions. Synonym: Common Control. + +CHANNEL: A communication path via a carrier or microwave radio. + +CHARACTER: Any letter, digit, or special symbol. In data transmission would be +represented by a specific code made up of a group of binary digits. + +CIRCUIT: A path for the transmission of electromagnetic signals to include all +conditioning and signaling equipment. Synonym: Facility + +CIRCUIT SWITCHING: A switching system that completes a dedicated transmission +path from sender to receiver at the time of transmission. + +CLASS OF SERVICE/CLASS +MARK (COS): A subgrouping of telephone customers or users for the sake of rate +distinction or limitation of service. + +COAXIAL CABLE: A cable having several coaxial lines under a single protective +sheath. Usually used as a high capacity carrier in urban areas between +interexchange and toll offices. + +CODEC: Coder-Decoder. Used to convert analog signals to digital form for +transmission over a digital median and back again to the original analog form. + +COMMON CARRIER: A government regulated private company that provides the +general public with telecommunications services and facilities. + + Page 13 + + + + + The Official Phreaker's Manual + + +COMMON CHANNEL INTEROFFICE +SIGNALING (CCIS): A digital technology used by AT&T to enhance their Integrated +Services Digital Network. It uses a separate data line to route interoffice +signals to provide faster call set-up and more efficient use of trunks. + +COMMON CONTROL SWITCHING +ARRANGEMENT (CCSA): An arrangement for telecommunicationsnetworks in which +common controlled switching machines are used to route traffic over network +routes and access lines. The switching machine may be shared with other users +and is maintained by the telephone company. + +COMPUTER PORT/TKI PORT: The interface through which the computer connects to +the communications circuit. + +CONDITIONING EQUIPMENT: Equipment modifications or adjustments necessary to +match transmission levels and impedances and which equalizes transmission and +delay to bring circuit losses, levels, and distortion within established +standards. + +CONFIGURATION: The combination of long-distance services and/or equipment that +make up a communications system. + +CONTROL UNIT (CU): The central processor of a telephone switching device. + +CORPORATE ID NUMBER: The MCI term for the number which identifies a customer on +a corporate level. (Not all MCI customers have this). + +COST COMPONENT: The price of each type of long distance service and/or +equipment that constitutes a configuration. + +COST PER HOUR (CPH): Total cost of different services divided by total holding +time (in minutes). + +CROSS CONNECTION: The wire connections running between terminals on the two +sides of a distribution frame, or between binding posts in a terminal. + +CROSS TALK: The unwanted energy (speech or tone) transferred from one circuit +to another circuit. + +CUSTOMER OWNED AND +MAINTAINED (COAM): Customer provided communications apparatus, and their +associated wiring. + +CUSTOMER +PREMISE EQUIPMENT (CPE): Telephone equipment, usually including wiring located +within the customer's part of a building. + +CUT: To transfer a service from one facility to another. + +CUT THROUGH: The establishment of a complete path for signaling and/or audio +communications. + + +- D - + +DATA: Any representation, such as characters to which a meaning is assigned. + + + Page 14 + + + + + The Official Phreaker's Manual + +DATA COMMUNICATIONS: The movement of coded information by means of electronic +transmission systems. + +DATA SET: A device which converts data into signals suitable for transmission +over communications lines. + +DATA TERMINAL: A station in a system capable of sending and/or receiving data +signals. + +DECIBEL (db): A unit of measurement represented as a ratio of two voltages, +currents or powers and is used to measure transmission loss or gain. + +DELAY DIAL: A dialing configuration whereby local dial equipment will wait +until it receives the entire telephone number before seizing a circuit to +transmit the call. + +DELTA MODULATION (DM): A variant of pulse code modulation whereby a code +representing the difference between the amplitude of a sample and t~he +amplitude of a previous one is sent. Operates well in the presence of noise, +but requires a wide frequency band. + +DEMODULATION: The process of retrieving data from a modulated signal. + +DIAL LEVEL: The selection of stations or services associated with a PBX using a +one to four digit code (e.g., dialing 9 for access to outside dial tone). + +DIAL PULSING: The transmitting of telephone address signals by momentarily +opening a DC circuit a number of times corresponding to the decimal digit which +is dialed. + +DIAL REPEATING TIE LINE/ +DIAL REPEATING TIE TRUNK: A tie line which permits direct station to station +calling without use of the attendant. + +DIAL SELECTIVE SIGNALING: A multipoint network in which the called party is +selected by a prearranged dialing code. + +DIAL TONE: A tone indicating that automatic switching equipment is ready to +receive dial signals. + +DIALING PLAN: A description of the dialing arrangements for customer use on a +networks. + +DIGITAL: Referring to the use of digits to formulate and solve problems, or to +encode information. + +DIMENSION CUSTOM +TELEPHONE SERVICE (DCTS): AT&T's electronically programmable telephone station +sets which use special buttons to access PBX features. + +DIRECT +DISTANCE DIALING (DDD): A toll service that permits customers to dial their own +long distance call without the aid of an operator. + +DIRECT +INWARD DIALING (DID): A PBX or CENTREX feature that allows a customer outside +the system to directly dial a station within the system. + + + Page 15 + + + + + The Official Phreaker's Manual + +DIRECT OUTWARD DIALING: A PBX or CENTREX feature that allows a station user to +gain direct access to an exchange network. + +DROP: That direction of a circuit which looks towards the local operator. + +DRY CIRCUIT: A circuit which transmits voice signals and carries no direct +current. + +DUAL TONE +MULTI-FREQUENCY (DTMF): Also know as Touch Tone. A type of signaling which +emits two distinct frequencies for each indicated digit. + +DUPLEX: Simultaneous two-way independent transmission. + +DX SIGNALING: A long-range bidirectional signaling method using paths derived +from transmission cable pairs. It is based on a balanced and symmetrical +circuit that is identical at both ends. This circuit presents an E&M lead +interface to connecting circuits. + + + + ============================================================ + +This concludes Part 1 Volume I of the MCI Telecommunications Glossary. Look for +more G-philes from The MCI School of Telecommunications Management Reference +Guide coming soon. + + This has been a 2600 Club production + + +Thanx to Taran King + ============================================================ + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 16 + + + + + The Official Phreaker's Manual + + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + $ _______________________________ $ + $ | | $ + $ | ELECTRONIC TOLL FRAUD DEVICES | $ + $ |_______________________________| $ + $ $ + $ $ + $ TYPED AND UPLOADED BY: $ + $ $ + $$$$$$$$$$$$-=>LEX LUTHOR<=-$$$$$$$$$$$ + $ $ + $ $ + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + + + THIS PHILE IS DESIGNED TO IDENTIFY VARIOUS KINDS OF ETF (ELECTRONIC TOLL +FRAUD) DEVICES AND TO DESCRIBE THEIR OPERATION, ACCORDING TO A BOOKLET PUT OUT +BY BELL ENTITLED: THE INVESTIGATION AND PROSECUTION OF ELECTRONIC TOLL FRAUD +DEVICES. (FOR OFFICIAL USE ONLY). + +THERE ARE SEVERAL DIFFERENT TYPES OF ELECTRONIC EQUIPMENT WHICH MAY BE +GENERALLY CLASSIFIED AS ETF DEVICES. THE MOST SIGNIFICANT IS THE "BLUE BOX". +THE CHARACTERISTICS OF EACH TYPE OF DEVICE ARE DISCUSSED BELOW. + + + +*BLUE BOX* +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + THE "BLUE BOX" WAS SO NAMED BECAUSE OF THE COLOR OF THE FIRST ONE FOUND. THE +DESIGN AND HARDWARE USED IN THE BLUE BOX IS FAIRLY SOPHISTICATED, AND ITS SIZE +VARIES FROM A LARGE PIECE OF APPARATUS TO A MINIATURIZED UNIT THAT IS +APPROXIMATELY THE SIZE OF A "KING SIZE" PACKAGE OF CIGARETTES. THE BLUE BOX +CONTAINS 12 OR 13 BUTTONS OR SWITCHES THAT EMIT MULTI-FREQUENCY TONES +CHARACTERISTIC OF THE TONES USED IN THE NORMAL OPERATION OF THE TELEPHONE TOLL +(LONG DISTANCE) SWITCHING NETWORK. THE BLUE BOX ENABLES ITS USER TO ORIGINATE +FRAUDULENT ("FREE") TOLL CALLS BY CIRCUMVENTING TOLL BILLING EQUIPMENT. THE +BLUE BOX MAY BE DIRECTLY CONNECTED TO A PHONE LINE, OR IT MAY BE ACOUSTICALLY +COUPLED TO A TELEPHONE HANDSET BY PLACING THE BLUE BOX'S SPEAKER NEXT TO THE +TRANSMITTER OR THE TELEPHONE HANDSET. THE OPERATION OF A BLUE BOX WILL BE +DISCUSSED IN MORE DETAIL BELOW. + + TO UNDERSTAND THE NATURE OF A FRAUDULENT BLUE BOX CALL, IT IS NECESSARY TO +UNDERSTAND THE BASIC OPERATION OF THE DIRECT DISTANCE DIALING (DDD) TELEPHONE +NETWORK. WHEN A DDD CALL IS PROPERLY ORIGINATED, THE CALLING NUMBER IS +IDENTIFIED AS AN INTEGRAL PART OF ESTABLISHING THE CONNECTION. THIS MAY BE DONE +EITHER AUTOMATICALLY OR, IN SOME CASES, BY AN OPERATOR ASKING THE CALLING PARTY +FOR HIS TELEPHONE NUMBER. + THIS INFORMATION IS ENTERED ON A TAPE IN THE AUTOMATIC MESSAGE ACCOUNTING +(AMA) OFFICE. THIS TAPE ALSO CONTAINS THE NUMBER ASSIGNED TO THE TRUNK LINE +OVER WHICH THE CALL IS TO BE SENT. THE INFORMATION RELATING TO THE CALL +CONTAINED ON THE TAPE INCLUDES: CALLED NUMBER, CALLING NUMBER, TIME OF CALL. +THE TIME OF DISCONNECT AT THE END OF THE CALL IS ALSO RECORDED. + ALTHOUGH THE TAPE CONTAINS INFO WITH RESPECT TO MANY DIFFERENT CALLS, THE +VARIOUS DATA ENTRIES WITH RESPECT TO A SINGLE CALL ARE EVENTUALLY CORRELATED TO +PROVIDE BILLING INFO FOR USE BY YOUR BELL'S ACCOUNTING DEPARTMENT. + THE TYPICAL BLUE BOX USER USUALLY DIALS A NUMBER THAT WILL ROUTE THE CALL +INTO THE TELEPHONE NETWORK WITHOUT CHARGE. FOR EXAMPLE, THE USER WILL VERY + + Page 17 + + + + + The Official Phreaker's Manual + +OFTEN CALL A WELL-KNOWN INWATS (TOLL-FREE) CUSTOMER'S NUMBER. THE BLUE BOX +USER, AFTER GAINING THIS ACCESS TO THE NETWORK AND, IN EFFECT, "SEIZING" +CONTROL AND COMPLETE DOMINION OVER THE LINE, OPERATES A KEY ON THE BLUE BOX +WHICH EMITS A 2600 HERTZ (CYCLES PER SECOND) TONE. THIS TONE CAUSES THE +SWITCHING EQUIPMENT TO RELEASE THE CONNECTION TO THE INWATS CUSTOMER'S LINE. +THE 2600HZ TONE IS A SIGNAL THAT THE CALLING PARTY HAS HUNG UP. THE BLUE BOX +SIMULATES THIS CONDITION. HOWEVER, IN FACT THE LOCAL TRUNK ON THE CALLING +PARTY'S END IS STILL CONNECTED TO THE TOLL NETWORK. THE BLUE BOX USER NOW +OPERATES THE "KP" (KEY PULSE) KEY ON THE BLUE BOX TO NOTIFY THE TOLL SWITCHING +EQUIPMENT THAT SWITCHING SIGNALS ARE ABOUT TO BE EMITTED. THE USER THEN PUSHES +THE "NUMBER" BUTTONS ON THE BLUE BOX CORRESPONDING TO THE TELEPHONE # BEING +CALLED. AFTER DOING SO HE/SHE OPERATES THE "ST" (START) KEY TO INDICATE TO THE +SWITCHING EQUIPMENT THAT SIGNALLING IS COMPLETE. IF THE CALL IS COMPLETED, ONLY +THE PORTION OF THE ORIGINAL CALL PRIOR TO THE EMISSION OF 2600HZ TONE IS +RECORDED ON THE AMA TAPE. THE TONES EMITTED BY THE BLUE BOX ARE NOT RECORDED ON +THE AMA TAPE. THEREFORE, BECAUSE THE ORIGINAL CALL TO THE INWATS # IS +TOLL-FREE, NO BILLING IS RENDERED IN CONNECTION WITH THE CALL. + ALTHOUGH THE ABOVE IS A DESCRIPTION OF A TYPICAL BLUE BOX OPERATION USING A +COMMON METHOD OF ENTRY INTO THE NETWORK, THE OPERATION OF A BLUE BOX MAY VARY +IN ANY ONE OR ALL OF THE FOLLOWING RESPECTS: + +(A) THE BLUE BOX MAY INCLUDE A ROTARY DIAL TO APPLY THE 2600HZ TONE AND THE +SWITCHING SIGNALS. THIS TYPE OF BLUE BOX IS CALLED A "DIAL PULSER" OR "ROTARY +SF" BLUE BOX. + +(B) ENTRANCE INTO THE DDD TOLL NETWORK MAY BE EFFECTED BY A PRETEXT CALL TO ANY +OTHER TOLL-FREE # SUCH AS UNIVERSAL DIRECTORY ASSISTANCE (555-1212) OR ANY # IN +THE INWATS NETWORK, EITHER INTER-STATE OR INTRA-STATE, WORKING OR NON-WORKING. + +(C) ENTRANCE INTO THE DDD TOLL NETWORK MAY ALSO BE IN THE FORM OF "SHORT HAUL" +CALLING. A "SHORT HAUL" CALL IS A CALL TO ANY # WHICH WILL RESULT IN A LESSER +AMOUNT OF TOLL CHARGES THAN THE CHARGES FOR THE CALL TO BE COMPLETED BY THE +BLUE BOX. FOR EXAMPLE, A CALL TO BIRMINGHAM FROM ATLANTA MAY COST $.80 FOR THE +FIRST 3 MINUTES WHILE A CALL FROM ATLANTA TO LOS ANGELES IS $1.85 FOR 3 +MINUTES. THUS, A SHORT HAUL, 3-MINUTE CALL TO BIRMINGHAM FROM ATLANTA, SWITCHED +BY USE OF A BLUE BOX TO LOS ANGELES, WOULD RESULT IN A NET FRAUD OF $2.65 FOR A +3 MINUTE CALL. + +(D) A BLUE BOX MAY BE WIRED INTO THE TELEPHONE LINE OR ACOUSTICALLY CONNECTED +TO THE HANDSET. THE BLUE BOX MAY EVEN BE BUILT INSIDE A REGULAR TOUCH-TONE +PHONE, USING THE PHONE'S PUSH BUTTONS FOR THE BLUE BOX'S SIGNALLING TONES. + +(E) A MAGNETIC TAPE RECORDING MAY BE USED TO RECORD THE BLUE BOX TONES +REPRESENTATIVE OF SPECIFIC PHONE #'S. SUCH A TAPE RECORDING COULD BE USED IN +LIEU OF +A BLUE BOX TO FRAUDULENTLY PLACE CALLS TO THE PHONE #'S RECORDED ON THE +MAGNETIC TAPE. + + ALL BLUE BOXES, EXCEPT "DIAL PULSE" OR "ROTARY SF" BLUE BOXES, MUST HAVE +THE FOLLOWING 4 COMMON OPERATING CAPABILITIES: + +(A) IT MUST HAVE SIGNALLING CAPABILITY IN THE FORM OF A 2600HZ TONE. THE TONE +IS USED BY THE TOLL NETWORK TO INDICATE, EITHER BY ITS PRESENCE OR ITS ABSENCE, +AN "ON HOOK" (IDLE) OR "OFF HOOK" (BUSY) CONDITION OF THE TRUNK. + +(B) THE BLUE BOX MUST HAVE A "KP" TONES THAT UNLOCKS OR READIES THE +MULTI-FREQUENCY RECEIVER AT THE CALLED END TO RECEIVE THE TONES CORRESPONDING +TO THE CALLED PHONE #. + + Page 18 + + + + + The Official Phreaker's Manual + + +(C) THE TYPICAL BLUE BOX MUST BE ABLE TO EMIT MF TONES WHICH ARE USED TO +TRANSMIT PHONE #'S OVER THE TOLL NETWORK. EACH DIGIT OF A PHONE # IS +REPRESENTED BY A COMBINATION OF 2 TONES. FOR EXAMPLE, THE DIGIT 2 IS X-MITTED +BY A COMBINATION OF 700HZ AND 1100HZ. + +(D) THE BLUE BOX MUST HAVE AN "ST" KEY WHICH CONSISTS OF A COMBINATION OF 2 +TONES THAT TELL THE EQUIPMENT AT THE CALLED END THAT ALL DIGITS HAVE BEEN SENT +AND THAT THE EQUIPMENT SHOULD START SWITCHING THE CALL TO THE CALLED NUMBER. + + THE "DIAL PULSER" OR "ROTARY SF" BLUE BOX REQUIRES ONLY A DIAL WITH A +SIGNALLING CAPABILITY TO PRODUCE A 2600HZ TONE. + +*BLACK BOX* +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + THIS ETF DEVICE IS SO-NAMED BECAUSE OF THE COLOR OF THE FIRST ONE FOUND. +IT VARIES IN SIZE AND USUALLY HAS ONE OR TWO SWITCHES OR BUTTONS. ATTACHED TO +THE TELEPHONE LINE OF A CALLED PARTY, THE BLACK BOX PROVIDES TOLL-FREE CALLING +*TO* THAT PARTY'S LINE. A BLACK BOX USER INFORMS OTHER PERSONS BEFOREHAND THAT +THEY WILL NOT BE CHARGED FOR ANY CALL PLACED TO HIM. THE USER THEN OPERATES THE +DEVICE CAUSING A "NON-CHARGE" CONDITION ("NO ANSWER" OR "DISCONNECT") TO BE +RECORDED ON THE TELEPHONE COMPANY'S BILLING EQUIPMENT. A BLACK BOX IS +RELATIVELY SIMPLE TO CONSTRUCT AND IS MUCH LESS SOPHISTICATED THAN A BLUE BOX. + +*CHEESE BOX* +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + ITS DESIGN MAY BE CRUDE OR VERY SOPHISTICATED. ITS SIZE VARIES; ONE WAS FOUND +THE SIZE OF A HALF-DOLLAR. A CHEESE BOX IS USED MOST OFTEN BY BOOKMAKERS OR +BETTERS TO PLACE WAGERS WITHOUT DETECTION FROM A REMOTE LOCATION. THE DEVICE +INTER-CONNECTS 2 PHONE LINES, EACH HAVING DIFFERENT #'S BUT EACH TERMINATING AT +THE SAME LOCATION. IN EFFECT, THERE ARE 2 PHONES AT THE SAME LOCATION WHICH ARE +LINKED TOGETHER THROUGH A CHEESE BOX. IT IS USUALLY FOUND IN AN UNOCCUPIED +APARTMENT CONNECTED TO A PHONE JACK OR CONNECTING BLOCK. THE BOOKMAKER, AT SOME +REMOTE LOCATION, DIALS ONE OF THE NUMBERS AND STAYS ON THE LINE. VARIOUS +BETTORS DIAL THE OTHER NUMBER BUT ARE AUTOMATICALLY CONNECTED WITH THE +BOOKMAKER BY MEANS OF THE CHEESE BOX INTER-CONNECTION. IF, IN ADDITION TO A +CHEESE BOX, A BLACK BOX IS INCLUDED IN THE ARRANGEMENT, THE COMBINED EQUIPMENT +WOULD PERMIT TOLL-FREE CALLING ON EITHER LINE TO THE OTHER LINE. IF A POLICE +RAID WERE CONDUCTED AT THE TERMINATING POINT OF THE CONVERSATIONS -THE LOCATION +OF THE CHEESE BOX- THERE WOULD BE NO EVIDENCE OF GAMBLING ACTIVITY. THIS DEVICE +IS SOMETIMES DIFFICULT TO IDENTIFY. LAW ENFORCEMENT OFFICIALS HAVE BEEN ADVISED +THAT WHEN UNUSUAL DEVICES ARE FOUND ASSOCIATED WITH TELEPHONE CONNECTIONS THE +PHONE COMPANY SECURITY REPRESENTATIVES SHOULD BE CONTACTED TO ASSIST IN +IDENTIFICATION. (THIS PROBABLY WOULD BE GOOD FOR A BBS , ESPECIALLY WITH THE +BLACK BOX SET UP. AND IF YOU EVER DECIDED TO TAKE THE BOARD DOWN, YOU WOULDN'T +HAVE TO CHANGE YOUR PHONE #. IT ALSO MAKES IT SO YOU YOURSELF CANNOT BE TRACED. +I AM NOT SURE ABOUT CALLING OUT FROM ONE THOUGH) + +*RED BOX* +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + THIS DEVICE IT COUPLED ACOUSTICALLY TO THE HANDSET TRANSMITTER OF A +SINGLE-SLOT COIN TELEPHONE. THE DEVICE EMITS SIGNALS IDENTICAL TO THOSE TONES +EMITTED WHEN COINS ARE DEPOSITED. THUS, LOCAL OR TOLL CALLS MAY BE PLACED +WITHOUT THE ACTUAL DEPOSIT OF COINS. + + + Page 19 + + + + + The Official Phreaker's Manual + + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + /-/ /-/ + /-/ Phreaker's /-/ + /-/ PhunHouse /-/ + /-/ /-/ + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + /-/ By: /-/ + /-/ The Traveler /-/ + /-/ /-/ + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + /-/ /-/ + /-/ Call: /-/ + /-/ Brainstorm BBS /-/ + /-/ 612/345-2815 (300/1200) /-/ + /-/ /-/ + /-/ Little America /-/ + /-/ 507/289-8211 (300) /-/ + /-/ /-/ + /-/ Tell 'em Traveler sent ya /-/ + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + + The long awaited prequil to Phreaker's Guide has finally arrived. Conceived +from the boredom and loneliness that could only be derived from: The Traveler! +But now, he has returned in full strength (after a small vacation) and is here +to 'World Premiere' the new files everywhere. + Stay cool. This is the prequil to the first one, so just relax. This is not +made to be an exclusive ultra elite file, so kinda calm down and watch in the +background if you are too cool for it... + +/-/ Phreak Dictionary /-/ + + Here you will find some of the basic but necessary terms that should be known +by any phreak who wants to be respected at all... + + Phreak [fr'eek]:1. The action of using mischevious and mostly illegal ways +in order to not pay for some sort of telecommunications bill, order, transfer, +or other service. It often involves usage of highly illegal boxes and machines +in order to defeat the security that is set up to avoid this sort of +happening. + [fr'eaking]. v. 2. A person who uses the above methods of destruction and +chaos in order to make a better life for all. A true phreaker will not not go +against his fellows or narc on people who have ragged on him or do anything +termed to be dishonorable to phreaks. + [fr'eek]. n. 3. A certain code or dialup useful in the action of being a +phreak. (Example: "I hacked a new metro phreak last night.") + + Switching System + [Swich'ing sis'tem]: 1. There are 3 main switching systems currently employed +in the US, and a few other systems will be mentioned as background. +A) SxS: This system was invented in 1918 and was employed in over half of the +country until 1978. It is a very basic system that is a general waste of energy +and hard work on the linesman. A good way to identify this is that it requires +a coin in the phone booth before it will give you a dial tone, or that no call +waiting, call forwarding, or any other such service is available. Stands for: +Step by Step + +B) XB: This switching system was first employed in 1978 in order to take care +of most of the faults of SxS switching. Not only is it more efficient, but it + + Page 20 + + + + + The Official Phreaker's Manual + +also can support different services in various forms. XB1 is Crossbar Version +1. That is very limited and is hard to distinguish from SxS except by direct +view of the wiring involved. Next up was XB4, Crossbar Version 4. With this +system, some of the basic things like DTMF that were not available with SxS can +be accomplished. For the final stroke of XB, XB5 was created. This is a service +that can allow DTMF plus most 800 type services (which were not always +available...) Stands for: Crossbar. +C) ESS: A nightmare in telecom. In vivid color, ESS is a pretty bad thing to +have to stand up to. It is quite simple to identify. Dialing 911 for +emergencies, and ANI [see ANI below] are the most common facets of the dread +system. ESS has the capability to list in a person's caller log what number was +called, how long the call took, and even the status of the conversation (modem +or otherwise.) Since ESS has been employed, which has been very recently, it +has gone through many kinds of revisions. The latest system to date is ESS 11a, +that is employed in Washington D.C. for security reasons. ESS is truly trouble +for any phreak, because it is 'smarter' than the other systems. For instance, +if on your caller log they saw 50 calls to 1-800-421-9438, they would be able +to do a CN/A [see Loopholes below] on your number and determine whether you are +subscribed to that service or not. This makes most calls a hazard, because +although 800 numbers appear to be free, they are recorded on your caller log +and then right before you receive your bill it deletes the billings for them. +But before that they are open to inspection, which is one reason why extended +use of any code is dangerous under ESS. Some of the boxes [see Boxing below] +are unable to function in ESS. It is generally a menace to the true phreak. +Stands For: Electronic Switching System. because they could appear on a filter +somewhere or maybe it is just nice to know them any ways. + A) SSS: Strowger Switching System. First non-operator system +available. + B) WES: Western Electronics Switching. Used about 40 years ago +with some minor places out west. + Boxing [Boks'-ing]: 1) The use of personally designed boxes that emit or +cancel electronical impulses that allow simpler acting while phreaking. Through +the use of separate boxes, you can accomplish most feats possible with or +without the control of an operator. + 2) Some boxes and their functions are listed below. Ones +marked with '*' indicate that they are not operatable in ESS. + *Black Box: Makes it seem to the phone company that the phone was never +picked up. + + Blue Box: Emits a 2600hz tone that allows you to do such things as stack +a trunk line, kick the operator off line, and others. + + Red Box: Simulates the noise of a quarter, nickel, or dime being +dropped into a payphone. + + Cheese Box: Turns your home phone into a pay phone to throw off traces (a +red box is usually needed in order to call out.) + + *Clear Box: Gives you a dial tone on some of the old SxS payphones without +putting in a coin. + + Beige Box: A simpler produced linesman's handset that allows you to tap +into phone lines and extract by eavesdropping, or crossing wires, etc. + Purple Box: Makes all calls made out from your house seem to be local +calls. + ANI [ANI]: 1) Automatic Number Identification. A service available on ESS +that allows a phone service [see Dialups below] to record the number that any +certain code was dialed from along with the number that was called and print + + Page 21 + + + + + The Official Phreaker's Manual + +both of these on the customer bill. 950 dialups [see Dialups below] are all +designed just to use ANI. Some of the services do not have the proper equipment +to read the ANI impulses yet, but it is impossible to see which is which +without being busted or not busted first. + Dialups + [dy'l'ups]: 1) Any local or 800 extended outlet that allows instant access to +any service such as MCI, Sprint, or AT&T that from there can be used by +handpicking or using a program to reveal other peoples codes which can then be +used moderately until they find out about it and you must switch to another +code (preferably before they find out about it.) + 2) Dialups are extremely common on both senses. Some dialups +reveal the company that operates them as soon as you hear the tone. Others are +much harder and some you may never be able to identify. A small list of +dialups: + 1-800-421-9438 (5 digit codes) + 1-800-547-6754 (6 digit codes) + 1-800-345-0008 (6 digit codes) + 1-800-734-3478 (6 digit codes) + 1-800-222-2255 (5 digit codes) + 3) Codes: Codes are very easily accessed procedures when you call +a dialup. They will give you some sort of tone. If the tone does not end in 3 +seconds, then punch in the code and immediately following the code, the number +you are dialing but strike the '1' in the beginning out first. If the tone does +end, then punch in the code when the tone ends. Then, it will give you another +tone. Punch in the number you are dialing, or a '9'. If you punch in a '9' and +the tone stops, then you messed up a little. If you punch in a tone and the +tone continues, then simply dial then number you are calling without the '1'. + 4) All codes are not universal. The only type that I know of that +is truly universal is Metrophone. Almost every major city has a local Metro +dialup (for Philadelphia, (215)351-0100/0126) and since the codes are +universal, almost every phreak has used them once or twice. They do not employ +ANI in any outlets that I know of, so feel free to check through your books and +call 555-1212 or, as a more devious manor, subscribe yourself. Then, never use +your own code. That way, if they check up on you due to your caller log, they +can usually find out that you are subscribed. Not only that but you could set a +phreak hacker around that area and just let it hack away, since they usually +group them, and, as a bonus, you will have their local dialup. + 5) 950's. They seem like a perfectly cool phreakers dream. They +are free from your house, from payphones, from everywhere, and they host all of +the major long distance companies (950-1044 , 950-1077 , 950-1088 +, 950-1033 .) Well, they aren't. They were designed for +ANI. That is the point, end of discussion. + + A phreak dictionary. If you remember all of the things contained on that file +up there, you may have a better chance of doing whatever it is you do. This +next section is maybe a little more interesting... + +Blue Box Plans: +--------------- + + These are some blue box plans, but first, be warned, there have been 2600hz +tone detectors out on operator trunk lines since XB4. The idea behind it is to +use a 2600hz tone for a few very naughty functions that can really make your +day lighten up. But first, here are the plans, or the heart of the file: + +============================================== +700 : 1 : 2 : 4 : 7 : 11 : +900 : + : 3 : 5 : 8 : 12 : + + Page 22 + + + + + The Official Phreaker's Manual + +1100 : + : + : 6 : 9 : KP : +1300 : + : + : + : 10 : KP2 : +1500 : + : + : + : + : ST : + : 700 : 900 :1100 :1300 :1500 : +============================================== + + Stop! Before you diehard users start piecing those little tone tidbits +together, there is a simpler method. If you have an Apple-Cat with a program +like Cat's Meow IV, then you can generate the necessary tones, the 2600hz tone, +the KP tone, the KP2 tone, and the ST tone through the dial section. So if you +have that I will assume you can boot it up and it works, and I'll do you the +favor of telling you and the other users what to do with the blue box now that +you have somehow constructed it. + The connection to an operator is one of the most well known and used ways of +having fun with your blue box. You simply dial a TSPS (Traffic Service +Positioning Station, or the operator you get when you dial '0') and blow a +2600hz tone through the line. Watch out! Do not dial this direct! After you +have done that, it is quite simple to have fun with it. Blow a KP tone to start +a call, a ST tone to stop it, and a 2600hz tone to hang up. Once you have +connected to it, here are some fun numbers to call with it: + +0-700-456-1000 Teleconference (free, because you are the operator!) +(Area code)-101 Toll Switching +(Area code)-121 Local Operator (hehe) +(Area code)-131 Information +(Area code)-141 Rate & Route +(Area code)-181 Coin Refund Operator +(Area code)-11511 Conference operator (when you dial 800-544-6363) + + Well, those were the tone matrix controllers for the blue box and some other +helpful stuff to help you to start out with. But those are only the functions +with the operator. There are other k-fun things you can do with it... + More advanced Blue Box Stuff: + Oops. Small mistake up there. I forgot tone lengths. Um, you blow a tone +pair out for up to 1/10 of a second with another 1/10 second for silence +between the digits. KP tones should be sent for 2/10 of a second. One way to +confuse the 2600hz traps is to send pink noise over the channel (for all of you +that have decent BSR equalizers, there is major pink noise in there...) +Using the operator functions is the use of the 'inward' trunk line. That is +working it from the inside. From the 'outward' trunk, you can do such things as +make emergency breakthrough calls, tap into lines, busy all of the lines in any +trunk (called 'stacking'), enable or disable the TSPS's, and for some 4a +systems you can even re-route calls to anywhere. + + All right. The one thing that every complete phreak guide should not be +without is blue box plans, since they were once a vital part of phreaking. +Another thing that every complete file needs is a complete listing of all of +the 800 numbers around so you can have some more fun. + +/-/ 800 Dialup Listings /-/ + +1-800-345-0008 (6) 1-800-547-6754 (6) +1-800-245-4890 (4) 1-800-327-9136 (4) +1-800-526-5305 (8) 1-800-858-9000 (3) +1-800-437-9895 (7) 1-800-245-7508 (5) +1-800-343-1844 (4) 1-800-322-1415 (6) +1-800-437-3478 (6) 1-800-325-7222 (6) + + + Page 23 + + + + + The Official Phreaker's Manual + + All right, set Cat Hacker 1.0 on those numbers and have a fuck of a day. That +is enough with 800 codes, by the time this gets around to you I dunno what +state those codes will be in, but try them all out anyways and see what you +get. On some 800 services now, they have an operator who will answer and ask +you for your code, and then your name. Some will switch back and forth between +voice and tone verification, you can never be quite sure which you will be up +against. + Armed with this knowledge you should be having a pretty good time phreaking +now. But class isn't over yet, there are still a couple important rules that +you should know. If you hear continual clicking on the line, then you should +assume that an operator is messing with something, maybe even listening in on +you. It is a good idea to call someone back when the phone starts doing that. +If you were using a code, use a different code and/or service to call him +back. + A good way to detect if a code has gone bad or not is to listen when the +number has been dialed. If the code is bad you will probably hear the phone +ringing more clearly and more quickly than if you were using a different code. +If someone answers voice to it then you can immediately assume that it is an +operative for whatever company you are using. The famed '311311' code for Metro +is one of those. You would have to be quite stupid to actually respond, because +whoever you ask for the operator will always say 'He's not in right now, can I +have him call you back?' and then they will ask for your name and phone number. +Some of the more sophisticated companies will actually give you a carrier on a +line that is supposed to give you a carrier and then just have garbage flow +across the screen like it would with a bad connection. That is a feeble effort +to make you think that the code is still working and maybe get you to dial +someone's voice... a good test for the carrier trick is to dial a number that +will give you a carrier that you have never dialed with that code before, that +will allow you to determine whether the code is good or not. + For our next section, a lighter look at some of the things that a phreak +should not be without. A vocabulary. A few months ago, it was a quite strange +world for the modem people out there. But now, a phreaker's vocabulary is +essential if you wanna make a good impression on people when you post what you +know about certain subjects. + +/-/ Vocabulary /-/ + + - Do not misspell except certain exceptions: + phone -> fone + freak -> phreak + - Never substitute 'z's for 's's. (i.e. codez -> codes) + - Never leave many characters after a post (i.e. Hey Dudes!#!@#@!#!@) + - NEVER use the 'k' prefix (k-kool, k-rad, k-whatever) + - Do not abbreviate. (I got lotsa wares w/ docs) + - Never substitute '0' for 'o' (r0dent, l0zer). + - Forget about ye old upper case, it looks ruggyish. + + All right, that was to relieve the tension of what is being drilled into your +minds at the moment.. now, however, back to the teaching course. Here are some +things you should know about phones and billings for phones, etc. + + LATA: Local Access Transference Area. Some people who live in large cities or +areas may be plagued by this problem. For instance, let's say you live in the +215 area code under the 542 prefix (Ambler, Fort Washington). If you went to +dial in a basic Metro code from that area, for instance, 351-0100, that might +not be counted under unlimited local calling because it is out of your LATA. +For some LATA's, you have to dial a '1' without the area code before you can +dial the phone number. That could prove a hassle for us all if you didn't + + Page 24 + + + + + The Official Phreaker's Manual + +realize you would be billed for that sort of call. In that way, sometimes, it +is better to be safe than sorry and phreak. + The Caller Log: In ESS regions, for every household around, the phone company +has something on you called a Caller Log. This shows every single number that +you dialed, and things can be arranged so it showed every number that was +calling to you. That's one main disadvantage of ESS, it is mostly computerized +so a number scan could be done like that quite easily. Using a dialup is an +easy way to screw that, and is something worth remembering. Anyways, with the +caller log, they check up and see what you dialed. Hmm... you dialed 15 +different 800 numbers that month. Soon they find that you are subscribed to +none of those companies. But that is not the only thing. Most people would +imagine "But wait! 800 numbers don't show up on my phone bill!". To those +people, it is a nice thought, but 800 numbers are picked up on the caller log +until right before they are sent off to you. So they can check right up on you +before they send it away and can note the fact that you fucked up slightly and +called one too many 800 lines. + +Right now, after all of that, you should have a pretty good idea of how to grow +up as a good phreak. Follow these guidelines, don't show off, and don't take +unnecessary risks when phreaking or hacking. + +File Level:5 + + /-/ Credits /-/ + + To The Videosmith- for setting me straight on some shit. + To The Linesman- for telling me to upload it to his AE line. + To Modern Mutant- for making me into a phreaking freak. + To Jack the Nibbler- for the basis of the blue box plans. + + By using your new k-koool (hehe) phreaking knowledge, call a couple of these +BBS's around the country: + + /---------------------------------\ + | Bulletin Board List | + | --------------------- | + | 215/844-8836 | + | 7 Cities of Gold (3/12) 10megs | + | 307/382-4006 | + | Brainstorm BBS (3/12) | + | 612/345-2815 | + | Metal Shop (3/12) | + | 314/432-0756 | + \---------------------------------/ + + Stay free! And watch out soon for Deep Thought, somewhere in 215, that will be +a nice BBS that Ace of Spades and I will run. You will be the first to find out +about it, trust me... + +Later, + +The Traveler +Zer0-g + + + + + + + Page 25 + + + + + The Official Phreaker's Manual + + ************ << BIOC AGENT 003'S COURSE IN >> ************ + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART I * + * * + ********************************************************** + + +HOW TO BE A REAL PHREAK +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN THE PHONE PHREAK SOCIETY THERE ARE CERTAIN VALUES THAT EXIST IN ORDER TO +BE A TRUE PHREAK, THESE ARE BEST SUMMED UP BY THE MAGICIAN: + + "MANY PEOPLE THINK OF PHONE PHREAKS AS SLIME, OUT TO RIP OFF BELL FOR +ALL SHE IS WORTH. NOTHING COULD BE FURTHER FROM THE TRUTH! GRANTED, THERE ARE +SOME WHO GET THEIR KICKS BY MAKING FREE CALLS; HOWEVER, THEY ARE NOT TRUE PHONE +PHREAKS. REAL PHONE PHREAKS ARE 'TELECOMMUNICATIONS HOBBYISTS' WHO EXPERIMENT, +PLAY WITH AND LEARN FROM THE PHONE SYSTEM. OCCASIONALLY THIS EXPERIMENTING, AND +A NEED TO COMMUNICATE WITH OTHER PHREAKS ( WITH-OUT GOING BROKE), LEADS TO FREE +CALLS. THE FREE CALLS ARE BUT A SMALL SUBSET OF A TRUE PHONE PHREAKS +ACTIVITIES." + +THE PHONE PHREAK'S TEN COMMANDMENTS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +REPRINTED FROM TAP ISSUE #86. (TAP, ROOM 603, 147 W 42 STREET, NEW YORK, NY +10036) SEND A SASE FOR THEIR INFO SHEET AND TELL THEM THAT BIOC AGENT 003 TOLD +YOU ABOUT IT.) + + +I. BOX THOU NOT OVER THINE HOME TELEPHONE WIRES, FOR THOSE WHO DOEST MUST +SURELY BRING THE WRATH OF THE CHIEF SPECIAL AGENT DOWN UPON THY HEADS. + +II. SPEAKEST THOU NOT OF IMPORTANT MATTERS OVER THINE HOME TELEPHONE WIRES, +FOR TO DO SO IS TO RISK THINE RIGHT OF FREEDOM. + +III. USE NOT THINE OWN NAME WHEN SPEAKING TO OTHER PHREAKS, FOR THAT EVERY +THIRD PHREAK IS AN FBI AGENT IS WELL KNOWN. + +IV. LET NOT OVERLY MANY PEOPLE KNOW THAT THY BE A PHREAK, AS TO DO SO IS TO +USE THINE OWN SELF AS A SACRIFICIAL LAMB. + +V. IF THOU BE IN SCHOOL, STRIVE TO GET THIN SELF GOOD GRADES, FOR THE +AUTHORITIES WELL KNOW THAT SCHOLARS NEVER BREAK THE LAW. + +VI. IF THOU WORKEST, TRY TO BE A EMPLOYEE, AND IMPRESSEST THINE BOSS WITH +THINE ENTHUSIASM, FOR IMPORTANT EMPLOYEES ARE OFTEN SAVED BY THEIR OWN BOSSES. + +VII. STOREST THOU NOT THINE STOLEN GOODS IN THINE OWN HOME, FOR THOSE WHO DO +ARE SURELY NON-BELIEVERS IN THE BELL SYSTEM SECURITY FORCES, AND ARE NOT LONG +FOR THIS WORLD. + +VIII. ATTRACTEST THOU NOT THE ATTENTION OF THE AUTHORITIES, AS THE LESS +NOTICEABLE THOU ART, THE BETTER. + + + Page 26 + + + + + The Official Phreaker's Manual + +IX. MAKEST SURE THINE FRIENDS ARE INSTANT AMNESIACS AND WILL NOT REMEMBER +THAT THOU HAVE CALLED ILLEGALLY, FOR THEIR COOPERATION WITH THE AUTHORITIES +WILL SURELY LESSEN THINE TIME FOR FREEDOM ON THIS EARTH. + +X. SUPPORTEST THOU TAP, AS IT IS THINE NEWSLETTER, AND WITHOUT IT, THY WORK +WILL BE FAR MORE LIMITED. + +CN/A NUMBERS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + CUSTOMER NAME & ADDRESS BUREAUS EXIST SO THAT AUTHORIZED BELL EMPLOYEES MAY +OBTAIN THE NAME & ADDRESS OF ANY CUSTOMER IN THE BELL SYSTEM BY GIVING THE CN/A +OPERATOR THE CUSTOMER'S TEL-#. ALL CUSTOMERS ARE MAINTAINED ON FILE INCLUDING +UNLISTED #'S. THESE BUREAUS HAVE MANY USES FOR PHREAKS. + HERE IS HOW AN EMPLOYEE MIGHT GO ABOUT CALLING CN/A: +"HI, THIS IS JOHN DOE FROM THE MIAMI RESIDENTIAL SERVICE CENTER, CAN I HAVE THE +CUSTOMERS NAME AT (123) 555-1212." + + THE EMPLOYEES USUALLY USE THESE FOR CHECKING WHO BELONGS TO A # THAT +SOMEONE CLAIMED THEY DIDN'T CALL.IF YOU SOUND CHEERY AND NATURAL THE OPERATOR +WILL NEVER ASK ANY QUESTIONS. IF YOU DON'T SOUND LIKE A MATURE ADULT, DON'T USE +IT! ALWAYS PRACTICE FIRST & SO YOU DON'T SCREW UP AND MAKE THE OPERATOR +SUSPICIOUS. USE NAME THAT SOUNDS REAL, NOT YOUR PIRATE NAME EITHER! ALSO SAY +THAT YOU ARE FRO A CITY THAT IS FAR AWAY FROM THE ONE THAT YOU ARE CALLING. + + THE CN/A NUMBER FOR THE NY AREA & VICINITY (212, 315, 516, 518, 607, 716, & +914), IS 518/471-8111, AND IS OPEN DURING BUSINESS HOURS. DON'T ABUSE +IT!!!!!!! + +AT&T NEWSLINES +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + AT&T NEWSLINES ARE NUMBERS AT AREA PHONE OFFICES THAT TELCO EMPLOYEES CALL +TO FIND OUT THE LATEST INFO ON NEW TECHNOLOGY, STOCKS, ETC. THE RECORDED +REPORTS RANGE FROM VERY BORING TO VERY INTERESTING. + +HERE ARE A FEW OF THE NUMBERS: + + *(201) 483-3800 NJ (518) 471-2272 NY + (203) 771-4920 CN (717) 255-5555 PA + (212) 393-2151 NY (717) 787-1031 PA + (516) 234-9941 NY *(914) 948-8100 NY + + SOME OF THESE NUMBERS ARE TOLL-FREE, BUT YOU CAN'T ALWAYS COUNT ON IT. + +* THESE NUMBERS ARE NOT ALWAYS UP! + +NUMBERS FROM OTHER AREAS ARE AVAILABLE BY REQUEST FROM F)BIOC L)AGENT 003. + +ANI NUMBERS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + ANI NUMBERS IDENTIFY THE PHONE NUMBER THAT YOU ARE CALLING FROM. IT IS +USEFUL WHEN PLAYING IN CANS (THOSE BIG SILVER BOXES ON TELEPHONE POLES) TO FIND +OUT THE # OF THE LINE. IT IS ALSO GOOD TO FIND OUT THE # OF A PHONE THAT +DOESN'T HAVE IT PRINTED ON IT. IN THE 914 AREA CODE THE ANI # IS 990. IF YOU +JUST HAVE TO DIAL THE LAST 4 DIGITS FOR A LOCAL #, IE CONGERS (268), DIAL +1-990-1111, WHERE 1111 ARE DUMMY DIGITS THERE IS ALSO A LESS USEFUL TYPE OF + + Page 27 + + + + + The Official Phreaker's Manual + +ANI# WHICH WILL IDENTIFY THE AREA CODE & EXCHANGE. IT IS NXX-9901, WHERE 'NXX' +IS THE EXCHANGE. IN THE 212 & 516 AREA CODES THE ANI # IS 958. + +PHREAK NEWSLETTER +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + TAP IS THE "OFFICIAL" PHONE PHREAK NEWSLETTER, AND HAS EXISTED SINCE 1971. +EACH 4 PAGE ISSUE IS CRAMMED FULL OF INFORMATION ON PHONE PHREAKING, COMPUTER +PHREAKING, FREE GAS, FREE ELECTRICITY, FREE POSTAGE, BREAKING & ENTERING INFO, +ETC. IT IS LARGELY PHONE PHREAK ORIENTED, HOWEVER. + + A 10 ISSUE SUBSCRIPTION COSTS $8.00, IF YOU GET A BULK RATE SEALED ENVELOPE +SUBSCRIPTION. I WOULD RECOMMEND THE FIRST CLASS SUBSCRIPTION, WHICH IS $10. + + AS OF THIS WRITING (7-16-83), THE CURRENT ISSUE IS #86, AND ISSUE #50 IS 8 +PAGES INSTEAD OF THE USUAL 4. BACK ISSUES ARE $0.75 EACH, AND ISSUE #50 IS +$1.50. A BRIEF INDEX TO THE FIRST 80 ISSUES IS AVAILABLE FOR A SASE, OR FREE +WITH A SUBSCRIPTION ORDER. TAP IS NON-PROFIT, AND IN DESPERATE NEED OF MATERIAL +(ARTICLES), MONEY, AND VOLUNTEERS. + +TAP +ROOM 603 +147 WEST 42ND STREET +NEW YORK, NY 10036 + +BELIEVE ME: IT WILL BE THE BEST $10 YOU WILL EVER SPEND... + +BLACK BOX +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THE BLACK BOX IS A DEVICE THAT ATTACHED TO A CALLED PARTIES PHONE +THAT ALLOWS HIM/HER TO RECEIVE FREE LONG DISTANCE CALLS FROM FRIENDS WHO +CALL. + + YOU ONLY NEED 2 PARTS: A SPST TOGGLE SWITCH AND A 10,000 OHM (10 K), +1/2 WATT, 10% RESISTOR. ANY ELECTRONICS PLACE SHOULD HAVE THESE. + + NOW, CUT TWO PIECES OF WIRE, ABOUT 6 INCHES, AND ATTACH THESE TO THE TWO +SCREWS ON THE SWITCH. TURN YOUR NORMAL DDSIDE DOWN AND UNSCREW THE 2 SCREWS. +LOCATE THE "F" AND "RR" SCREWS ON THE NETWORK BOX. WRAP THE RESISTOR BETWEEN +THESE 2 SCREWS AND MAKE SURE THAT THE WIRES TOUCH ONLY THE PROPER TERMINALS! +NOW CONNECT ONE WIRE FROM THE SWITCH TO THE RR TERMINAL. FINALLY, ATTACH THE +REMAINING WIRE TO THE GREEN WIRE (DISCONNECT IT FROM ITS TERMINAL). NOW BRING +THE SWITCH OUT THE REAR OF THE PHONE AND CLOSE IT UP. PUT THE SWITCH IN A +POSITION WHERE YOU GET A DIAL TONE, MARK THIS NORMAL. MARK THE OTHER SIDE +FREE. + + WHEN YOUR FRIENDS CALL (AT A PREARRANGED TIME), QUICKLY LIFT & DROP THE +RECEIVER AS FAST AS POSSIBLE. THIS WILL STOP THE RINGING, IF NOT TRY AGAIN. IT +IS VERY IMPORTANT THAT YOU DO IT FAST! NOW PUT THE SWITCH IN THE FREE POSITION +AND PICK UP THE PHONE. KEEP ALL CALLS SHORT & UNDER 15 MINUTES. + + WHEN SOMEONE CALLS YOU LONG-DISTANCE, THEY ARE BILLED FROM THE MOMENT YOU +ANSWER. THE TELCO KNOWS WHEN YOU ANSWER DUE TO A CERTAIN AMOUNT OF VOLTAGE THAT +FLOWS WHEN YOU PICK UP THE PHONE. HOWEVER, THE RESISTOR CUTS DOWN ON THE +VOLTAGE SO IT IS BELOW THE BILLING RANGE BUT SUFFICIENT ENOUGH TO OPERATE THE +MOUTHPIECE. ANSWERING THE PHONE FOR A FRACTION OF A SECOND STOPS THE RING BUT +IT IS NOT ENOUGH FOR BILLING TO START. IF THE PHONE IS ANSWERED FOR EVEN ONE + + Page 28 + + + + + The Official Phreaker's Manual + +FULL SECOND, BILLING WILL START AND YOU WILL BE CUT OFF WHEN YOU HANG UP AND +SWITCH TO FREE. + +WARNING: BELL CAN RANDOMLY LOOK FOR BLACK BOXES SO BE CAREFUL! + + _____________________________________ +| | +---BLUE WIRE-->>F< | +| | | | +--WHITE WIRE---/ | | +| | | +| RESISTOR | +| | | +| | | +| >RR<-------SWITCH--\ | +| | | +----GREEN WIRE--------------------/ | +| | +|_____________________________________| + +DIAL LOCKS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + HAVE YOU EVER BEEN IN AN OFFICE OR SOMEWHERE AND WANTED TO MAKE A FREE FONE +CALL BUT SOME ASSHOLE PUT A LOCK ON THE FONE TO PREVENT OUT-GOING CALLS? FRET +NO MORE PHELLOW PHREAKS, FOR EVERY SYSTEM CAN BE BEATEN WITH A LITTLE +KNOWLEDGE! + + THERE ARE TWO WAYS TO BEAT THIS OBSTACLE, FIRST PICK THE LOCK, I DON'T HAVE +THE TIME TO TEACH LOCKSMITHING SO WE GO TO THE SECOND METHOD WHICH TAKES +ADVANTAGE OF TELEPHONE ELECTRONICS. + + TO BE AS SIMPLE AS POSSIBLE, WHEN YOU PICK UP THE FONE YOU COMPLETE A +CIRCUIT KNOW AS A LOCAL LOOP. WHEN YOU HANG-UP YOU BREAK THE CIRCUIT. WHEN +YOU DIAL (PULSE) IT ALSO BREAKS THE CIRCUIT BUT NOT LONG ENOUGH TO HANG UP! SO +YOU CAN "PUSH-DIAL." TO DO THIS YOU >>> RAPIDLY <<< DEPRESS THE SWITCHHOOK. +FOR EXAMPLE, TO DIAL AN OPERATOR (AND THEN GIVE HER THE NUMBER YOU WANT CALLED) +>>> RAPIDLY <<< & >>> EVENLY <<< DEPRESS THE SWITCHHOOK 10 TIMES. TO DIAL +634-1268, DEPRESS 6 X'S PAUSE, THEN 3 X'S, PAUSE, THEN 4X'S, ETC. IT TAKES A +LITTLE PRACTICE BUT YOU'LL GET THE HANG OF IT. TRY PRACTICING WITH YOUR OWN # +SO YOU'LL GET A BUSY TONE WHEN RIGHT. IT'LL ALSO WORK ON TOUCH-TONE(TM) SINCE +A DTMF LINE WILL ALSO ACCEPT PULSE. ALSO, NEVER DEPRESS THE SWITCHHOOK FOR +MORE THAN A SECOND OR IT'LL HANG-UP! + + FINALLY, REMEMBER THAT YOU HAVE JUST AS MUCH RIGHT TO THAT FONE AS THE +ASSHOLE WHO PUT THE LOCK ON IT! + +EXCHANGE SCANNING +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + ALMOST EVERY EXCHANGE IN THE BELL SYSTEM HAS TEST #'S AND OTHER "GOODIES" +SUCH AS LOOPS WITH DIAL-UPS. THESE "GOODIES" ARE USUALLY FOUND BETWEEN 9900 AND +9999 IN YOUR LOCAL EXCHANGE. IF YOU HAVE THE TIME AND INITIATIVE, SCAN YOUR +EXCHANGE AND YOU MAY BECOME LUCKY! + +HERE ARE MY FINDINGS IN THE 914-268 EXCHANGE: + + + + Page 29 + + + + + The Official Phreaker's Manual + +9900 - ANI (SEE SEPARATE BULLETIN) +9901 - ANI (SEE SEPARATE BULLETIN) +9927 - OSC. TONE (POSSIBLE TONE SIDE OF A LOOP) +9936 - VOICE # TO THE TELCO CENTRAL OFFICE +9937 - VOICE # TO THE TELCO CENTRAL OFFICE +9941 - COMPUTER (DIGITAL VOICE TRANSMISSION?) +9960 - OSC. TONE (TONE SIDE LOOP) MAY ALSO BE A COMPUTER IN SOME EXCHANGES +9961 - NO RESPONSE (OTHER END OF LOOP?) +9962 - NO RESPONSE (OTHER END OF LOOP?) +9963 - NO RESPONSE (OTHER END OF LOOP?) +9966 - COMPUTER (SEE 9941) +9968 - TONE THAT DISAPPEARS--RESPONDS TO CERTAIN TOUCH-TONE KEYS + + MOST OF THE NUMBERS BETWEEN 9900 & 9999 WILL RING OR GO TO A "WHAT #, +PLEASE?" OPERATOR. + +HAVE PHUN AND REMEMBER IT'S ONLY A LOCAL CALL! + +TOUCH-TONE & FREE CALLS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +THERE ARE SEVERAL WAYS TO MAKE FREE CALLS (SPRINT, MCI, ETC.) USING A ROTARY +PHONE. THEY ARE: + +1. USE A NUMBER THAT ACCEPTS VOICE AS WELL AS DTMF. SUCH A # IS (800) +521-8400. AS OF WRITING THIS, A CODE WAS 00717865. + + A) IF USING VOICE, WAIT FOR THE COMPUTER TO SAY, "AUTHORIZATION #, PLEASE." +THEN SAY EACH DIGIT SLOWLY, IT WILL BEEP AFTER EACH DIGIT IS SAID. AFTER EVERY +GROUP OF DIGITS, IT WILL REPEAT WHAT YOU HAVE SAID, THEN SAY YES IF IT IS +CORRECT, OTHERWISE SAY NO. IF THE ACCESS CODE IS CORRECT, IT WILL THANK YOU AND +ASK FOR THE DESTINATION #, THEN SAY THE AREA CODE + NUMBER AS ABOVE. ANOTHER +SUCH # IS (800) 245-8173, WHICH HAS A 6 DIGIT ACCESS CODE. (NOTE: IF USING +TOUCH-TONE ON THIS #, ENTER THE CODE IMMEDIATELY AFTER THE TONE STOPS.) + +2. HOOK UP A TOUCH-TONE FONE INTO YOUR ROTARY FONE. ATTACH THE RED WIRE FROM +THE TOUCH-TONE FONE TO THE "R" TERMINAL INSIDE THE FONE ON THE NETWORK BOX. +THEN HOOK THE GREEN WIRE TO THE "B" TERMINAL. TO USE THIS DIAL THE # USING +ROTARY & THEN USE THE TOUCH-TONE FOR THE CODES. (DON'T HANG UP THE ROTARY FONE +WHILE DOING THIS THOUGH!) IF THIS DOESN'T WORK THEN REVERSE THE 2 WIRES. +(NOTE:IF YOUR LINE CAN ACCEPT TOUCH-TONE BUT YOU HAVE A ROTARY FONE THEN YOU +CAN HOOK UP A TONE FONE DIRECTLY FOR ALL CALLS BUT THIS USUALLY ISN'T THE +CASE.) SUCH AS RADIO SHACK'S 43-138. + +OTHER ALTERNATIVES +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +4. USE A CHARGE-A-CALL FONE. (THESE ALSO MAKE GREAT EXTENSIONS IF YOU REMOVE +IT USING A HEX WRENCH WITH A HOLE IN THE MIDDLE ON THE CENTER SCREW!)--(THESE +FONES, FOR THE BENEFIT OF THOSE WHO DON'T KNOW, ARE BLUE WITH NO COIN SLOTS). + +5. USE A PAY FONE THAT WANTS YOUR MONEY BEFORE THE DIAL TONE. PUT IN YOUR +DIME, DIAL THE #; IF IT'S AN 800 # THEN YOUR DIME WILL COME BACK, IMMEDIATELY +PUT A DIME BACK IN (IT'LL COME BACK WHEN YOU HANG UP!) IF IT IS A TONE FIRST +FONE AND IT DISCONNECTS THE KEYPAD (SOME DON'T) THEN FIND ANOTHER FONE. + + + + + Page 30 + + + + + The Official Phreaker's Manual + + Chapter 2 + + Well now we know a little vocabulary, and now its into history, Phreak +history. Back at MIT in 1964 arrived a student by the name of Stewart Nelson, +who was extremely interested in the telephone. Before entering MIT, he had +built autodialers, cheese boxes, and many more gadgets. But when he came to +MIT he became even more interested in "fone-hacking" as they called it. After +a little while he naturally started using the PDP-1, the schools computer at +that time, and from there he decided that it would be interesting to see +whether the computer could generate the frequencies required for blue boxing. +The hackers at MIT were not interested in ripping off Ma Bell, but just +exploring the telephone network. Stew (as he was called) wrote a program to +generate all the tones and set off into the vast network. + Now there were more people phreaking than the ones at MIT. Most people have +heard of Captain Crunch (No not the cereal), he also discovered how to take +rides through the fone system, with the aid of a small whistle found in a +cereal box (can we guess which one?). By blowing this whistle, he generated +the magical 2600hz and into the mouthpiece it sailed, giving him complete +control over the system. I have heard rumors that at one time he made about +1/4 of the calls coming out of San Francisco. He got famous fast. He made the +cover of people magazine and was interviewed several times (as you'll soon +see). Well he finally got caught after a long adventurous career. After he +was caught he was put in jail and was beaten up quite badly because he would +not teach other inmates how to box calls. After getting out, he joined Apple +computer and is still out there somewhere. + Then there was Joe the Whistler, blind form the day he was born. He could +whistle a perfect 2600hz tone. It was rumored phreaks used to call him to tune +their boxes. + Well that was up to about 1970, then from 1970 to 1979, phreaking was mainly +done by college students, businessmen and anyone who knew enough about +electronics and the fone company to make a 555 Ic to generate those magic +tones. Businessmen and a few college students mainly just blue box to get free +calls. The others were still there, exploring 800#'s and the new ESS systems. +ESS posed a big problem for phreaks then and even a bigger one now. ESS was +not widespread, but where it was, blue boxing was next to impossible except for +the most experienced phreak. Today ESS is installed in almost all major cities +and blue boxing is getting harder and harder. + 1978 marked a change in phreaking, the Apple ][, now a computer that was +affordable, could be programmed, and could save all that precious work on a +cassette. Then just a short while later came the Apple Cat modem. With this +modem, generating all blue box tones was easy as writing a program to count +form one to ten (a little exaggerated). Pretty soon programs that could +imitate an operator just as good as the real thing were hitting the community, +TSPS and Cat's Meow, are the standard now and are the best. + 1982-1986: LD services were starting to appear in mass numbers. People now +had programs to hack LD services, telephone exchanges, and even passwords. By +now many phreaks were getting extremely good and BBS's started to spring up +everywhere, each having many documentations on phreaking for the novice. Then +it happened, the movie War Games was released and mass numbers of sixth grade +to all ages flocked to see it. The problem wasn't that the movie was bad, it +was that now EVERYONE wanted to be a hacker/phreak. Novices came out in such +mass numbers, that bulletin boards started to be busy 24 hours a day. To this +day, they still have not recovered. Other problems started to occur, novices +guessed easy passwords on large government computers and started to play +around... Well it wasn't long before they were caught, I think that many +people remember the 414-hackers. They were so stupid as to say "yes" when the +computer asked them whether they'd like to play games. Well at least it takes +the heat off the real phreaks/hacker/krackers. + + Page 31 + + + + + The Official Phreaker's Manual + + After a little history, how about a little thrill? I don't know if this +story is true but it sure is as bad as shit! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 32 + + + + + The Official Phreaker's Manual + + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + * * + * +----------------------------------------------+ * + * * + * Secrets of the Little Blue Box * + * * + * by Ron Rosenbaum * + * Typed by One Farad Cap/AAG * + * * + * -A story so incredible it may even make you * + * feel sorry for the phone company- * + * * + * (First of four files) * + * * + * +----------------------------------------------+ * + * * + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + +Dudes... These four files contain the story, "Secrets of the Little Blue Box", +by Ron Rosenbaum. + +-A story so incredible it may even make you feel sorry for the phone company- + +Printed in the October 1971 issue of Esquire Magazine. If you happen to be in +a library and come across a collection of Esquire magazines, the October 1971 +issue is the first issue printed in the smaller format. The story begins on +page 116 with a picture of a blue box. + --One Farad Cap, Atlantic Anarchist Guild + + +The Blue Box Is Introduced: Its Qualities Are Remarked + +I am in the expensively furnished living room of Al Gilbertson (His real name +has been changed.), the creator of the "blue box." Gilbertson is holding one of +his shiny black-and-silver "blue boxes" comfortably in the palm of his hand, +pointing out the thirteen little red push buttons sticking up from the console. +He is dancing his fingers over the buttons, tapping out discordant beeping +electronic jingles. He is trying to explain to me how his little blue box does +nothing less than place the entire telephone system of the world, satellites, +cables and all, at the service of the blue-box operator, free of charge. + +"That's what it does. Essentially it gives you the power of a super operator. +You seize a tandem with this top button," he presses the top button with his +index finger and the blue box emits a high-pitched cheep, "and like that" -- +cheep goes the blue box again -- "you control the phone company's long-distance +switching systems from your cute little Princes phone or any old pay phone. +And you've got anonymity. An operator has to operate from a definite location: +the phone company knows where she is and what she's doing. But with your +beeper box, once you hop onto a trunk, say from a Holiday Inn 800 (toll-free) +number, they don't know where you are, or where you're coming from, they don't +know how you slipped into their lines and popped up in that 800 number. They +don't even know anything illegal is going on. And you can obscure your origins +through as many levels as you like. You can call next door by way of White +Plains, then over to Liverpool by cable, and then back here by satellite. You +can call yourself from one pay phone all the way around the world to a pay +phone next to you. And you get your dime back too." + +"And they can't trace the calls? They can't charge you?" + + Page 33 + + + + + The Official Phreaker's Manual + + +"Not if you do it the right way. But you'll find that the free-call thing +isn't really as exciting at first as the feeling of power you get from having +one of these babies in your hand. I've watched people when they first get hold +of one of these things and start using it, and discover they can make +connections, set up crisscross and zigzag switching patterns back and forth +across the world. They hardly talk to the people they finally reach. They say +hello and start thinking of what kind of call to make next. They go a little +crazy." He looks down at the neat little package in his palm. His fingers are +still dancing, tapping out beeper patterns. + +"I think it's something to do with how small my models are. There are lots of +blue boxes around, but mine are the smallest and most sophisticated +electronically. I wish I could show you the prototype we made for our big +syndicate order." + +He sighs. "We had this order for a thousand beeper boxes from a syndicate +front man in Las Vegas. They use them to place bets coast to coast, keep lines +open for hours, all of which can get expensive if you have to pay. The deal +was a thousand blue boxes for $300 apiece. Before then we retailed them for +$1500 apiece, but $300,000 in one lump was hard to turn down. We had a +manufacturing deal worked out in the Philippines. Everything ready to go. +Anyway, the model I had ready for limited mass production was small enough to +fit inside a flip-top Marlboro box. It had flush touch panels for a keyboard, +rather than these unsightly buttons, sticking out. Looked just like a tiny +portable radio. In fact, I had designed it with a tiny transistor receiver to +get one AM channel, so in case the law became suspicious the owner could switch +on the radio part, start snapping his fingers, and no one could tell anything +illegal was going on. I thought of everything for this model -- I had it lined +with a band of thermite which could be ignited by radio signal from a tiny +button transmitter on your belt, so it could be burned to ashes instantly in +case of a bust. It was beautiful. A beautiful little machine. You should +have seen the faces on these syndicate guys when they came back after trying it +out. They'd hold it in their palm like they never wanted to let it go, and +they'd say, 'I can't believe it. I can't believe it.' You probably won't +believe it until you try it." + +The Blue Box Is Tested: Certain Connections Are Made + +About eleven o'clock two nights later Fraser Lucey has a blue box in the palm +of his left hand and a phone in the palm of his right. He is standing inside a +phone booth next to an isolated shut-down motel off Highway 1. I am standing +outside the phone booth. + +Fraser likes to show off his blue box for people. Until a few weeks ago when +Pacific Telephone made a few arrests in his city, Fraser Lucey liked to bring +his blue box (This particular blue box, like most blue boxes, is not blue. +Blue boxes have come to be called "blue boxes" either because 1) The first blue +box ever confiscated by phone-company security men happened to be blue, or 2) +To distinguish them from "black boxes." Black boxes are devices, usually a +resistor in series, which, when attached to home phones, allow all incoming +calls to be made without charge to one's caller.) to parties. It never failed: +a few cheeps from his device and Fraser became the center of attention at the +very hippest of gatherings, playing phone tricks and doing request numbers for +hours. He began to take orders for his manufacturer in Mexico. He became a +dealer. + +Fraser is cautious now about where he shows off his blue box. But he never + + Page 34 + + + + + The Official Phreaker's Manual + +gets tired of playing with it. "It's like the first time every time," he tells +me. + +Fraser puts a dime in the slot. He listens for a tone and holds the receiver +up to my ear. I hear the tone. Fraser begins describing, with a certain +practiced air, what he does while he does it. "I'm dialing an 800 number now. +Any 800 number will do. It's toll free. Tonight I think I'll use the ----- (he +names a well-know rent-a-car company) 800 number. Listen, It's ringing. Here, +you hear it? Now watch." He places the blue box over the mouthpiece of the +phone so that the one silver and twelve black push buttons are facing up toward +me. He presses the silver button -- the one at the top -- and I hear that +high-pitched beep. "That's 2600 cycles per second to be exact," says Lucey. +"Now, quick. listen." He shoves the earpiece at me. The ringing has vanished. +The line gives a slight hiccough, there is a sharp buzz, and then nothing but +soft white noise. + +"We're home free now," Lucey tells me, taking back the phone and applying the +blue box to its mouthpiece once again. "We're up on a tandem, into a +long-lines trunk. Once you're up on a tandem, you can send yourself anywhere +you want to go." He decides to check out London first. He chooses a certain +pay phone located in Waterloo Station. This particular pay phone is popular +with the phone-phreaks network because there are usually people walking by at +all hours who will pick it up and talk for a while. + +He presses the lower left-hand corner button which is marked "KP" on the face +of the box. "That's Key Pulse. It tells the tandem we're ready to give it +instructions. First I'll punch out KP 182 START, which will slide us into the +overseas sender in White Plains." I hear a neat clunk-cheep. "I think we'll +head over to England by satellite. Cable is actually faster and the connection +is somewhat better, but I like going by satellite. So I just punch out KP Zero +44. The Zero is supposed to guarantee a satellite connection and 44 is the +country code for England. Okay... we're there. In Liverpool actually. Now +all I have to do is punch out the London area code which is 1, and dial up the +pay phone. Here, listen, I've got a ring now." + +I hear the soft quick purr-purr of a London ring. Then someone picks up the +phone. + +"Hello," says the London voice. + +"Hello. Who's this?" Fraser asks. + +"Hello. There's actually nobody here. I just picked this up while I was +passing by. This is a public phone. There's no one here to answer actually." + +"Hello. Don't hang up. I'm calling from the United States." + +"Oh. What is the purpose of the call? This is a public phone you know." + +"Oh. You know. To check out, uh, to find out what's going on in London. How +is it there?" + +"Its five o'clock in the morning. It's raining now." + +"Oh. Who are you?" + +The London passerby turns out to be an R.A.F. enlistee on his way back to the +base in Lincolnshire, with a terrible hangover after a thirty-six-hour pass. + + Page 35 + + + + + The Official Phreaker's Manual + +He and Fraser talk about the rain. They agree that it's nicer when it's not +raining. They say good-bye and Fraser hangs up. His dime returns with a nice +clink. + +"Isn't that far out," he says grinning at me. "London, like that." + +Fraser squeezes the little blue box affectionately in his palm. "I told ya +this thing is for real. Listen, if you don't mind I'm gonna try this girl I +know in Paris. I usually give her a call around this time. It freaks her out. +This time I'll use the ------ (a different rent-a-car company) 800 number and +we'll go by overseas cable, 133; 33 is the country code for France, the 1 sends +you by cable. Okay, here we go.... Oh damn. Busy. Who could she be talking +to at this time?" + +A state police car cruises slowly by the motel. The car does not stop, but +Fraser gets nervous. We hop back into his car and drive ten miles in the +opposite direction until we reach a Texaco station locked up for the night. We +pull up to a phone booth by the tire pump. Fraser dashes inside and tries the +Paris number. It is busy again. + +"I don't understand who she could be talking to. The circuits may be busy. +It's too bad I haven't learned how to tap into lines overseas with this thing +yet." + +Fraser begins to phreak around, as the phone phreaks say. He dials a leading +nationwide charge card's 800 number and punches out the tones that bring him +the time recording in Sydney, Australia. He beeps up the weather recording in +Rome, in Italian of course. He calls a friend in Boston and talks about a +certain over-the-counter stock they are into heavily. He finds the Paris +number busy again. He calls up "Dial a Disc" in London, and we listen to +Double Barrel by David and Ansil Collins, the number-one hit of the week in +London. He calls up a dealer of another sort and talks in code. He calls up +Joe Engressia, the original blind phone-phreak genius, and pays his respects. +There are other calls. Finally Fraser gets through to his young lady in +Paris. + +They both agree the circuits must have been busy, and criticize the Paris +telephone system. At two-thirty in the morning Fraser hangs up, pockets his +dime, and drives off, steering with one hand, holding what he calls his "lovely +little blue box" in the other. + +You Can Call Long Distance For Less Than You Think + +"You see, a few years ago the phone company made one big mistake," Gilbertson +explains two days later in his apartment. "They were careless enough to let +some technical journal publish the actual frequencies used to create all their +multi-frequency tones. Just a theoretical article some Bell Telephone +Laboratories engineer was doing about switching theory, and he listed the tones +in passing. At ----- (a well-known technical school) I had been fooling around +with phones for several years before I came across a copy of the journal in the +engineering library. I ran back to the lab and it took maybe twelve hours from +the time I saw that article to put together the first working blue box. It was +bigger and clumsier than this little baby, but it worked." + +It's all there on public record in that technical journal written mainly by +Bell Lab people for other telephone engineers. Or at least it was public. +"Just try and get a copy of that issue at some engineering-school library now. +Bell has had them all red-tagged and withdrawn from circulation," Gilbertson + + Page 36 + + + + + The Official Phreaker's Manual + +tells me. + +"But it's too late. It's all public now. And once they became public the +technology needed to create your own beeper device is within the range of any +twelve-year-old kid, any twelve-year-old blind kid as a matter of fact. And he +can do it in less than the twelve hours it took us. Blind kids do it all the +time. They can't build anything as precise and compact as my beeper box, but +theirs can do anything mine can do." + +"How?" + +"Okay. About twenty years ago A.T.&T. made a multi-billion-dollar decision to +operate its entire long-distance switching system on twelve electronically +generated combinations of twelve master tones. Those are the tones you +sometimes hear in the background after you've dialed a long-distance number. +They decided to use some very simple tones -- the tone for each number is just +two fixed single-frequency tones played simultaneously to create a certain beat +frequency. Like 1300 cycles per second and 900 cycles per second played +together give you the tone for digit 5. Now, what some of these phone phreaks +have done is get themselves access to an electric organ. Any cheap family +home-entertainment organ. Since the frequencies are public knowledge now -- +one blind phone phreak has even had them recorded in one of the talking books +for the blind -- they just have to find the musical notes on the organ which +correspond to the phone tones. Then they tape them. For instance, to get Ma +Bell's tone for the number 1, you press down organ keys F~5 and A~5 (900 and +700 cycles per second) at the same time. To produce the tone for 2 it's F~5 +and C~6 (1100 and 700 c.p.s). The phone phreaks circulate the whole list of +notes so there's no trial and error anymore." + +He shows me a list of the rest of the phone numbers and the two electric organ +keys that produce them. + +"Actually, you have to record these notes at 3 3/4 inches-per-second tape speed +and double it to 7 1/2 inches-per-second when you play them back, to get the +proper tones," he adds. + +"So once you have all the tones recorded, how do you plug them into the phone +system?" + +"Well, they take their organ and their cassette recorder, and start banging out +entire phone numbers in tones on the organ, including country codes, routing +instructions, 'KP' and 'Start' tones. Or, if they don't have an organ, someone +in the phone-phreak network sends them a cassette with all the tones recorded, +with a voice saying 'Number one,' then you have the tone, 'Number two,' then +the tone and so on. So with two cassette recorders they can put together a +series of phone numbers by switching back and forth from number to number. Any +idiot in the country with a cheap cassette recorder can make all the free calls +he wants." + +"You mean you just hold the cassette recorder up the mouthpiece and switch in a +series of beeps you've recorded? The phone thinks that anything that makes +these tones must be its own equipment?" + +"Right. As long as you get the frequency within thirty cycles per second of +the phone company's tones, the phone equipment thinks it hears its own voice +talking to it. The original granddaddy phone phreak was this blind kid with +perfect pitch, Joe Engressia, who used to whistle into the phone. An operator +could tell the difference between his whistle and the phone company's + + Page 37 + + + + + The Official Phreaker's Manual + +electronic tone generator, but the phone company's switching circuit can't tell +them apart. The bigger the phone company gets and the further away from human +operators it gets, the more vulnerable it becomes to all sorts of phone +phreaking." + +A Guide for the Perplexed + +"But wait a minute," I stop Gilbertson. "If everything you do sounds like +phone-company equipment, why doesn't the phone company charge you for the call +the way it charges its own equipment?" + +"Okay. That's where the 2600-cycle tone comes in. I better start from the +beginning." + +The beginning he describes for me is a vision of the phone system of the +continent as thousands of webs, of long-line trunks radiating from each of the +hundreds of toll switching offices to the other toll switching offices. Each +toll switching office is a hive compacted of thousands of long-distance tandems +constantly whistling and beeping to tandems in far-off toll switching offices. + +The tandem is the key to the whole system. Each tandem is a line with some +relays with the capability of signalling any other tandem in any other toll +switching office on the continent, either directly one-to-one or by programming +a roundabout route through several other tandems if all the direct routes are +busy. For instance, if you want to call from New York to Los Angeles and +traffic is heavy on all direct trunks between the two cities, your tandem in +New York is programmed to try the next best route, which may send you down to a +tandem in New Orleans, then up to San Francisco, or down to a New Orleans +tandem, back to an Atlanta tandem, over to an Albuquerque tandem and finally up +to Los Angeles. + +When a tandem is not being used, when it's sitting there waiting for someone to +make a long-distance call, it whistles. One side of the tandem, the side +"facing" your home phone, whistles at 2600 cycles per second toward all the +home phones serviced by the exchange, telling them it is at their service, +should they be interested in making a long-distance call. The other side of +the tandem is whistling 2600 c.p.s. into one or more long-distance trunk lines, +telling the rest of the phone system that it is neither sending nor receiving a +call through that trunk at the moment, that it has no use for that trunk at the +moment. + +"When you dial a long-distance number the first thing that happens is that you +are hooked into a tandem. A register comes up to the side of the tandem facing +away from you and presents that side with the number you dialed. This sending +side of the tandem stops whistling 2600 into its trunk line. When a tandem +stops the 2600 tone it has been sending through a trunk, the trunk is said to +be "seized," and is now ready to carry the number you have dialed -- converted +into multi-frequency beep tones -- to a tandem in the area code and central +office you want. + +Now when a blue-box operator wants to make a call from New Orleans to New York +he starts by dialing the 800 number of a company which might happen to have its +headquarters in Los Angeles. The sending side of the New Orleans tandem stops +sending 2600 out over the trunk to the central office in Los Angeles, thereby +seizing the trunk. Your New Orleans tandem begins sending beep tones to a +tandem it has discovered idly whistling 2600 cycles in Los Angeles. The +receiving end of that L.A. tandem is seized, stops whistling 2600, listens to +the beep tones which tell it which L.A. phone to ring, and starts ringing the + + Page 38 + + + + + The Official Phreaker's Manual + +800 number. Meanwhile a mark made in the New Orleans office accounting tape +notes that a call from your New Orleans phone to the 800 number in L.A. has +been initiated and gives the call a code number. Everything is routine so far. + +But then the phone phreak presses his blue box to the mouthpiece and pushes the +2600-cycle button, sending 2600 out from the New Orleans tandem to the L.A. +tandem. The L.A. tandem notices 2600 cycles are coming over the line again and +assumes that New Orleans has hung up because the trunk is whistling as if idle. +The L.A. tandem immediately ceases ringing the L.A. 800 number. But as soon as +the phreak takes his finger off the 2600 button, the L.A. tandem assumes the +trunk is once again being used because the 2600 is gone, so it listens for a +new series of digit tones - to find out where it must send the call. + +Thus the blue-box operator in New Orleans now is in touch with a tandem in L.A. +which is waiting like an obedient genie to be told what to do next. The +blue-box owner then beeps out the ten digits of the New York number which tell +the L.A. tandem to relay a call to New York City. Which it promptly does. As +soon as your party picks up the phone in New York, the side of the New Orleans +tandem facing you stops sending 2600 cycles to you and stars carrying his voice +to you by way of the L.A. tandem. A notation is made on the accounting tape +that the connection has been made on the 800 call which had been initiated and +noted earlier. When you stop talking to New York a notation is made that the +800 call has ended. + +At three the next morning, when the phone company's accounting computer starts +reading back over the master accounting tape for the past day, it records that +a call of a certain length of time was made from your New Orleans home to an +L.A. 800 number and, of course, the accounting computer has been trained to +ignore those toll-free 800 calls when compiling your monthly bill. + +"All they can prove is that you made an 800 toll-free call," Gilbertson the +inventor concludes. "Of course, if you're foolish enough to talk for two hours +on an 800 call, and they've installed one of their special anti-fraud computer +programs to watch out for such things, they may spot you and ask why you took +two hours talking to Army Recruiting's 800 number when you're 4-F. + +But if you do it from a pay phone, they may discover something peculiar the +next day -- if they've got a blue-box hunting program in their computer -- but +you'll be a long time gone from the pay phone by then. Using a pay phone is +almost guaranteed safe." + +"What about the recent series of blue-box arrests all across the country -- New +York, Cleveland, and so on?" I asked. "How were they caught so easily?" + +"From what I can tell, they made one big mistake: they were seizing trunks +using an area code plus 555-1212 instead of an 800 number. Using 555 is easy to +detect because when you send multi-frequency beep tones of 555 you get a charge +for it on your tape and the accounting computer knows there's something wrong +when it tries to bill you for a two-hour call to Akron, Ohio, information, and +it drops a trouble card which goes right into the hands of the security agent +if they're looking for blue-box user. + +"Whoever sold those guys their blue boxes didn't tell them how to use them +properly, which is fairly irresponsible. And they were fairly stupid to use +them at home all the time. + +"But what those arrests really mean is than an awful lot of blue boxes are +flooding into the country and that people are finding them so easy to make that + + Page 39 + + + + + The Official Phreaker's Manual + +they know how to make them before they know how to use them. Ma Bell is in +trouble." + +And if a blue-box operator or a cassette-recorder phone phreak sticks to pay +phones and 800 numbers, the phone company can't stop them? + +"Not unless they change their entire nationwide long-lines technology, which +will take them a few billion dollars and twenty years. Right now they can't do +a thing. They're screwed." + ++-- End first file of four --+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 40 + + + + + The Official Phreaker's Manual + + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + * * + * +----------------------------------------------+ * + * * + * Secrets of the Little Blue Box * + * * + * by Ron Rosenbaum * + * Typed by One Farad Cap/AAG * + * * + * -A story so incredible it may even make you * + * feel sorry for the phone company- * + * * + * (Second of four files) * + * * + * +----------------------------------------------+ * + * * + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + +Captain Crunch Demonstrates His Famous Unit + +There is an underground telephone network in this country. Gilbertson +discovered it the very day news of his activities hit the papers. That evening +his phone began ringing. Phone phreaks from Seattle, from Florida, from New +York, from San Jose, and from Los Angeles began calling him and telling him +about the phone-phreak network. He'd get a call from a phone phreak who'd say +nothing but, "Hang up and call this number." + +When he dialed the number he'd find himself tied into a conference of a dozen +phone phreaks arranged through a quirky switching station in British Columbia. +They identified themselves as phone phreaks, they demonstrated their homemade +blue boxes which they called "M-Fers" (for "multi-frequency," among other +things) for him, they talked shop about phone-phreak devices. They let him in +on their secrets on the theory that if the phone company was after him he must +be trustworthy. And, Gilbertson recalls, they stunned him with their technical +sophistication. + +I ask him how to get in touch with the phone-phreak network. He digs around +through a file of old schematics and comes up with about a dozen numbers in +three widely separated area codes. + +"Those are the centers," he tells me. Alongside some of the numbers he writes +in first names or nicknames: names like Captain Crunch, Dr. No, Frank Carson +(also a code word for a free call), Marty Freeman (code word for M-F device), +Peter Perpendicular Pimple, Alefnull, and The Cheshire Cat. He makes checks +alongside the names of those among these top twelve who are blind. There are +five checks. + +I ask him who this Captain Crunch person is. + +"Oh. The Captain. He's probably the most legendary phone phreak. He calls +himself Captain Crunch after the notorious Cap'n Crunch 2600 whistle." +(Several years ago, Gilbertson explains, the makers of Cap'n Crunch breakfast +cereal offered a toy-whistle prize in every box as a treat for the Cap'n Crunch +set. Somehow a phone phreak discovered that the toy whistle just happened to +produce a perfect 2600-cycle tone. When the man who calls himself Captain +Crunch was transferred overseas to England with his Air Force unit, he would +receive scores of calls from his friends and "mute" them -- make them free of +charge to them -- by blowing his Cap'n Crunch whistle into his end.) + + Page 41 + + + + + The Official Phreaker's Manual + + +"Captain Crunch is one of the older phone phreaks," Gilbertson tells me. "He's +an engineer who once got in a little trouble for fooling around with the phone, +but he can't stop. Well, they guy drives across country in a Volkswagen van +with an entire switchboard and a computerized super-sophisticated M-F-er in the +back. He'll pull up to a phone booth on a lonely highway somewhere, snake a +cable out of his bus, hook it onto the phone and sit for hours, days sometimes, +sending calls zipping back and forth across the country, all over the +world...." + +Back at my motel, I dialed the number he gave me for "Captain Crunch" and asked +for G---- T-----, his real name, or at least the name he uses when he's not +dashing into a phone booth beeping out M-F tones faster than a speeding bullet +and zipping phantomlike through the phone company's long-distance lines. + +When G---- T----- answered the phone and I told him I was preparing a story for +Esquire about phone phreaks, he became very indignant. + +"I don't do that. I don't do that anymore at all. And if I do it, I do it for +one reason and one reason only. I'm learning about a system. The phone +company is a System. A computer is a System, do you understand? If I do what +I do, it is only to explore a system. Computers, systems, that's my bag. The +phone company is nothing but a computer." + +A tone of tightly restrained excitement enters the Captain's voice when he +starts talking about systems. He begins to pronounce each syllable with the +hushed deliberation of an obscene caller. + +"Ma Bell is a system I want to explore. It's a beautiful system, you know, but +Ma Bell screwed up. It's terrible because Ma Bell is such a beautiful system, +but she screwed up. I learned how she screwed up from a couple of blind kids +who wanted me to build a device. A certain device. They said it could make +free calls. I wasn't interested in free calls. But when these blind kids told +me I could make calls into a computer, my eyes lit up. I wanted to learn about +computers. I wanted to learn about Ma Bell's computers. So I build the little +device, but I built it wrong and Ma Bell found out. Ma Bell can detect things +like that. Ma Bell knows. So I'm strictly rid of it now. I don't do it. +Except for learning purposes." He pauses. "So you want to write an article. +Are you paying for this call? Hang up and call this number." He gives me a +number in a area code a thousand miles away of his own. I dial the number. + +"Hello again. This is Captain Crunch. You are speaking to me on a toll-free +loop-around in Portland, Oregon. Do you know what a toll-free loop around is? +I'll tell you. + +He explains to me that almost every exchange in the country has open test +numbers which allow other exchanges to test their connections with it. Most of +these numbers occur in consecutive pairs, such as 302 956-0041 and 302 +956-0042. Well, certain phone phreaks discovered that if two people from +anywhere in the country dial the two consecutive numbers they can talk together +just as if one had called the other's number, with no charge to either of them, +of course. + +"Now our voice is looping around in a 4A switching machine up there in Canada, +zipping back down to me," the Captain tells me. "My voice is looping around up +there and back down to you. And it can't ever cost anyone money. The phone +phreaks and I have compiled a list of many many of these numbers. You would be +surprised if you saw the list. I could show it to you. But I won't. I'm out + + Page 42 + + + + + The Official Phreaker's Manual + +of that now. I'm not out to screw Ma Bell. I know better. If I do anything +it's for the pure knowledge of the System. You can learn to do fantastic +things. Have you ever heard eight tandems stacked up? Do you know the sound +of tandems stacking and unstacking? Give me your phone number. Okay. Hang up +now and wait a minute." + +Slightly less than a minute later the phone rang and the Captain was on the +line, his voice sounding far more excited, almost aroused. + +"I wanted to show you what it's like to stack up tandems. To stack up +tandems." (Whenever the Captain says "stack up" it sounds as if he is licking +his lips.) + +"How do you like the connection you're on now?" the Captain asks me. "It's a +raw tandem. A raw tandem. Ain't nothin' up to it but a tandem. Now I'm going +to show you what it's like to stack up. Blow off. Land in a far away place. +To stack that tandem up, whip back and forth across the country a few times, +then shoot on up to Moscow. + +"Listen," Captain Crunch continues. "Listen. I've got line tie on my +switchboard here, and I'm gonna let you hear me stack and unstack tandems. +Listen to this. It's gonna blow your mind." + +First I hear a super rapid-fire pulsing of the flutelike phone tones, then a +pause, then another popping burst of tones, then another, then another. Each +burst is followed by a beep-kachink sound. + +"We have now stacked up four tandems," said Captain Crunch, sounding somewhat +remote. "That's four tandems stacked up. Do you know what that means? That +means I'm whipping back and forth, back and forth twice, across the country, +before coming to you. I've been known to stack up twenty tandems at a time. +Now, just like I said, I'm going to shoot up to Moscow." + +There is a new, longer series of beeper pulses over the line, a brief silence, +then a ring. + +"Hello," answers a far-off voice. + +"Hello. Is this the American Embassy Moscow?" + +"Yes, sir. Who is this calling?" says the voice. + +"Yes. This is test board here in New York. We're calling to check out the +circuits, see what kind of lines you've got. Everything okay there in +Moscow?" + +"Okay?" + +"Well, yes, how are things there?" + +"Oh. Well, everything okay, I guess." + +"Okay. Thank you." + +They hang up, leaving a confused series of beep-kachink sounds hanging in +mid-ether in the wake of the call before dissolving away. + +The Captain is pleased. "You believe me now, don't you? Do you know what I'd + + Page 43 + + + + + The Official Phreaker's Manual + +like to do? I'd just like to call up your editor at Esquire and show him just +what it sounds like to stack and unstack tandems. I'll give him a show that +will blow his mind. What's his number? + +I ask the Captain what kind of device he was using to accomplish all his feats. +The Captain is pleased at the question. + +"You could tell it was special, couldn't you?" Ten pulses per second. That's +faster than the phone company's equipment. Believe me, this unit is the most +famous unit in the country. There is no other unit like it. Believe me." + +"Yes, I've heard about it. Some other phone phreaks have told me about it." + +"They have been referring to my, ahem, unit? What is it they said? Just out of +curiosity, did they tell you it was a highly sophisticated computer-operated +unit, with acoustical coupling for receiving outputs and a switch-board with +multiple-line-tie capability? Did they tell you that the frequency tolerance +is guaranteed to be not more than .05 percent? The amplitude tolerance less +than .01 decibel? Those pulses you heard were perfect. They just come faster +than the phone company. Those were high-precision op-amps. Op-amps are +instrumentation amplifiers designed for ultra-stable amplification, super-low +distortion and accurate frequency response. Did they tell you it can operate +in temperatures from -55 degrees C to +125 degrees C?" + +I admit that they did not tell me all that. + +"I built it myself," the Captain goes on. "If you were to go out and buy the +components from an industrial wholesaler it would cost you at least $1500. I +once worked for a semiconductor company and all this didn't cost me a cent. Do +you know what I mean? Did they tell you about how I put a call completely +around the world? I'll tell you how I did it. I M-Fed Tokyo inward, who +connected me to India, India connected me to Greece, Greece connected me to +Pretoria, South Africa, South Africa connected me to South America, I went from +South America to London, I had a London operator connect me to a New York +operator, I had New York connect me to a California operator who rang the phone +next to me. Needless to say I had to shout to hear myself. But the echo was +far out. Fantastic. Delayed. It was delayed twenty seconds, but I could hear +myself talk to myself." + +"You mean you were speaking into the mouthpiece of one phone sending your voice +around the world into your ear through a phone on the other side of your head?" +I asked the Captain. I had a vision of something vaguely autoerotic going on, +in a complex electronic way. + +"That's right," said the Captain. "I've also sent my voice around the world +one way, going east on one phone, and going west on the other, going through +cable one way, satellite the other, coming back together at the same time, +ringing the two phones simultaneously and picking them up and whipping my +voice both ways around the world back to me. Wow. That was a mind blower." + +"You mean you sit there with both phones on your ear and talk to yourself +around the world," I said incredulously. + +"Yeah. Um hum. That's what I do. I connect the phone together and sit there +and talk." + +"What do you say? What do you say to yourself when you're connected?" + + + Page 44 + + + + + The Official Phreaker's Manual + +"Oh, you know. Hello test one two three," he says in a low-pitched voice. + +"Hello test one two three," he replied to himself in a high-pitched voice. + +"Hello test one two three," he repeats again, low-pitched. + +"Hello test one two three," he replies, high-pitched. + +"I sometimes do this: Hello Hello Hello Hello, Hello, hello," he trails off and +breaks into laughter. + +Why Captain Crunch Hardly Ever Taps Phones Anymore + +Using internal phone-company codes, phone phreaks have learned a simple method +for tapping phones. Phone-company operators have in front of them a board that +holds verification jacks. It allows them to plug into conversations in case of +emergency, to listen in to a line to determine if the line is busy or the +circuits are busy. Phone phreaks have learned to beep out the codes which lead +them to a verification operator, tell the verification operator they are +switchmen from some other area code testing out verification trunks. Once the +operator hooks them into the verification trunk, they disappear into the board +for all practical purposes, slip unnoticed into any one of the 10,000 to +100,000 numbers in that central office without the verification operator +knowing what they're doing, and of course without the two parties to the +connection knowing there is a phantom listener present on their line. + +Toward the end of my hour-long first conversation with him, I asked the Captain +if he ever tapped phones. + +"Oh no. I don't do that. I don't think it's right," he told me firmly. "I +have the power to do it but I don't... Well one time, just one time, I have to +admit that I did. There was this girl, Linda, and I wanted to find out... you +know. I tried to call her up for a date. I had a date with her the last +weekend and I thought she liked me. I called her up, man, and her line was +busy, and I kept calling and it was still busy. Well, I had just learned about +this system of jumping into lines and I said to myself, 'Hmmm. Why not just +see if it works. It'll surprise her if all of a sudden I should pop up on her +line. It'll impress her, if anything.' So I went ahead and did it. I M-Fed +into the line. My M-F-er is powerful enough when patched directly into the +mouthpiece to trigger a verification trunk without using an operator the way +the other phone phreaks have to. + +"I slipped into the line and there she was talking to another boyfriend. +Making sweet talk to him. I didn't make a sound because I was so disgusted. +So I waited there for her to hang up, listening to her making sweet talk to the +other guy. You know. So as soon as she hung up I instantly M-F-ed her up and +all I said was, 'Linda, we're through.' And I hung up. And it blew her head +off. She couldn't figure out what the hell happened. + +"But that was the only time. I did it thinking I would surprise her, impress +her. Those were all my intentions were, and well, it really kind of hurt me +pretty badly, and... and ever since then I don't go into verification trunks." + +Moments later my first conversation with the Captain comes to a close. + +"Listen," he says, his spirits somewhat cheered, "listen. What you are going +to hear when I hang up is the sound of tandems unstacking. Layer after layer of +tandems unstacking until there's nothing left of the stack, until it melts away + + Page 45 + + + + + The Official Phreaker's Manual + +into nothing. Cheep, cheep, cheep, cheep," he concludes, his voice descending +to a whisper with each cheep. + +He hangs up. The phone suddenly goes into four spasms: kachink cheep. Kachink +cheep kachink cheep kachink cheep, and the complex connection has wiped itself +out like the Cheshire cat's smile. + +The MF Boogie Blues + +The next number I choose from the select list of phone-phreak alumni, prepared +for me by the blue-box inventor, is a Memphis number. It is the number of Joe +Engressia, the first and still perhaps the most accomplished blind phone +phreak. + +Three years ago Engressia was a nine-day wonder in newspapers and magazines all +over America because he had been discovered whistling free long-distance +connections for fellow students at the University of South Florida. Engressia +was born with perfect pitch: he could whistle phone tones better than the +phone-company's equipment. + +Engressia might have gone on whistling in the dark for a few friends for the +rest of his life if the phone company hadn't decided to expose him. He was +warned, disciplined by the college, and the whole case became public. In the +months following media reports of his talent, Engressia began receiving strange +calls. There were calls from a group of kids in Los Angeles who could do some +very strange things with the quirky General Telephone and Electronics circuitry +in L.A. suburbs. There were calls from a group of mostly blind kids in ----, +California, who had been doing some interesting experiments with Cap'n Crunch +whistles and test loops. There was a group in Seattle, a group in Cambridge, +Massachusetts, a few from New York, a few scattered across the country. Some +of them had already equipped themselves with cassette and electronic M-F +devices. For some of these groups, it was the first time they knew of the +others. + +The exposure of Engressia was the catalyst that linked the separate +phone-phreak centers together. They all called Engressia. They talked to him +about what he was doing and what they were doing. And then he told them -- the +scattered regional centers and lonely independent phone phreakers -- about each +other, gave them each other's numbers to call, and within a year the scattered +phone-phreak centers had grown into a nationwide underground. + +Joe Engressia is only twenty-two years old now, but along the phone-phreak +network he is "the old man," accorded by phone phreaks something of the +reverence the phone company bestows on Alexander Graham Bell. He seldom needs +to make calls anymore. The phone phreaks all call him and let him know what +new tricks, new codes, new techniques they have learned. Every night he sits +like a sightless spider in his little apartment receiving messages from every +tendril of his web. It is almost a point of pride with Joe that they call +him. + +But when I reached him in his Memphis apartment that night, Joe Engressia was +lonely, jumpy and upset. + +"God, I'm glad somebody called. I don't know why tonight of all nights I don't +get any calls. This guy around here got drunk again tonight and propositioned +me again. I keep telling him we'll never see eye to eye on this subject, if +you know what I mean. I try to make light of it, you know, but he doesn't get +it. I can head him out there getting drunker and I don't know what he'll do + + Page 46 + + + + + The Official Phreaker's Manual + +next. It's just that I'm really all alone here, just moved to Memphis, it's +the first time I'm living on my own, and I'd hate for it to all collapse now. +But I won't go to bed with him. I'm just not very interested in sex and even +if I can't see him I know he's ugly. + +"Did you hear that? That's him banging a bottle against the wall outside. +He's nice. Well forget about it. You're doing a story on phone phreaks? +Listen to this. It's the MF Boogie Blues. + +Sure enough, a jumpy version of Muskrat Ramble boogies its way over the line, +each note one of those long-distance phone tones. The music stops. A huge +roaring voice blasts the phone off my ear: "AND THE QUESTION IS..." roars the +voice, "CAN A BLIND PERSON HOOK UP AN AMPLIFIER ON HIS OWN?" + +The roar ceases. A high-pitched operator-type voice replaces it. "This is +Southern Braille Tel. & Tel. Have tone, will phone." + +This is succeeded by a quick series of M-F tones, a swift "kachink" and a deep +reassuring voice: "If you need home care, call the visiting-nurses association. +First National time in Honolulu is 4:32 p.m." + +Joe back in his Joe voice again: "Are we seeing eye to eye? 'Si, si,' said the +blind Mexican. Ahem. Yes. Would you like to know the weather in Tokyo?" + +This swift manic sequence of phone-phreak vaudeville stunts and blind-boy jokes +manages to keep Joe's mind off his tormentor only as long as it lasts. + +"The reason I'm in Memphis, the reason I have to depend on that homosexual guy, +is that this is the first time I've been able to live on my own and make phone +trips on my own. I've been banned from all central offices around home in +Florida, they knew me too well, and at the University some of my fellow +scholars were always harassing me because I was on the dorm pay phone all the +time and making fun of me because of my fat ass, which of course I do have, +it's my physical fatness program, but I don't like to hear it every day, and if +I can't phone trip and I can't phone phreak, I can't imagine what I'd do, I've +been devoting three quarters of my life to it. + +"I moved to Memphis because I wanted to be on my own as well as because it has +a Number 5 crossbar switching system and some interesting little independent +phone-company districts nearby and so far they don't seem to know who I am so I +can go on phone tripping, and for me phone tripping is just as important as +phone phreaking." + +Phone tripping, Joe explains, begins with calling up a central-office switch +room. He tells the switchman in a polite earnest voice that he's a blind +college student interested in telephones, and could he perhaps have a guided +tour of the switching station? Each step of the tour Joe likes to touch and +feel relays, caress switching circuits, switchboards, crossbar arrangements. + +So when Joe Engressia phone phreaks he feels his way through the circuitry of +the country garden of forking paths, he feels switches shift, relays shunt, +crossbars swivel, tandems engage and disengage even as he hears -- with perfect +pitch -- his M-F pulses make the entire Bell system dance to his tune. + +Just one month ago Joe took all his savings out of his bank and left home, over +the emotional protests of his mother. "I ran away from home almost," he likes +to say. Joe found a small apartment house on Union Avenue and began making +phone trips. He'd take a bus a hundred miles south in Mississippi to see some + + Page 47 + + + + + The Official Phreaker's Manual + +old-fashioned Bell equipment still in use in several states, which had been +puzzling. He'd take a bus three hundred miles to Charlotte, North Carolina, to +look at some brand-new experimental equipment. He hired a taxi to drive him +twelve miles to a suburb to tour the office of a small phone company with some +interesting idiosyncrasies in its routing system. He was having the time of +his life, he said, the most freedom and pleasure he had known. + +In that month he had done very little long-distance phone phreaking from his +own phone. He had begun to apply for a job with the phone company, he told me, +and he wanted to stay away from anything illegal. + +"Any kind of job will do, anything as menial as the most lowly operator. +That's probably all they'd give me because I'm blind. Even though I probably +know more than most switchmen. But that's okay. I want to work for Ma Bell. +I don't hate Ma Bell the way Gilbertson and some phone phreaks do. I don't +want to screw Ma Bell. With me it's the pleasure of pure knowledge. There's +something beautiful about the system when you know it intimately the way I do. +But I don't know how much they know about me here. I have a very intuitive +feel for the condition of the line I'm on, and I think they're monitoring me +off and on lately, but I haven't been doing much illegal. I have to make a few +calls to switchmen once in a while which aren't strictly legal, and once I took +an acid trip and was having these auditory hallucinations as if I were trapped +and these planes were dive-bombing me, and all of sudden I had to phone phreak +out of there. For some reason I had to call Kansas City, but that's all." + +A Warning Is Delivered + +At this point -- one o'clock in my time zone -- a loud knock on my motel-room +door interrupts our conversation. Outside the door I find a uniformed security +guard who informs me that there has been an "emergency phone call" for me while +I have been on the line and that the front desk has sent him up to let me +know. + +Two seconds after I say good-bye to Joe and hang up, the phone rings. + +"Who were you talking to?" the agitated voice demands. The voice belongs to +Captain Crunch. "I called because I decided to warn you of something. I +decided to warn you to be careful. I don't want this information you get to +get to the radical underground. I don't want it to get into the wrong hands. +What would you say if I told you it's possible for three phone phreaks to +saturate the phone system of the nation. Saturate it. Busy it out. All of +it. I know how to do this. I'm not gonna tell. A friend of mine has already +saturated the trunks between Seattle and New York. He did it with a +computerized M-F-er hitched into a special Manitoba exchange. But there are +other, easier ways to do it." + +Just three people? I ask. How is that possible? + +"Have you ever heard of the long-lines guard frequency? Do you know about +stacking tandems with 17 and 2600? Well, I'd advise you to find out about it. +I'm not gonna tell you. But whatever you do, don't let this get into the hands +of the radical underground." + +(Later Gilbertson, the inventor, confessed that while he had always been +skeptical about the Captain's claim of the sabotage potential of trunk-tying +phone phreaks, he had recently heard certain demonstrations which convinced him +the Captain was not speaking idly. "I think it might take more than three +people, depending on how many machines like Captain Crunch's were available. + + Page 48 + + + + + The Official Phreaker's Manual + +But even though the Captain sounds a little weird, he generally turns out to +know what he's talking about.") + +"You know," Captain Crunch continues in his admonitory tone, "you know the +younger phone phreaks call Moscow all the time. Suppose everybody were to call +Moscow. I'm no right-winger. But I value my life. I don't want the Commies +coming over and dropping a bomb on my head. That's why I say you've got to be +careful about who gets this information." + +The Captain suddenly shifts into a diatribe against those phone phreaks who +don't like the phone company. + +"They don't understand, but Ma Bell knows everything they do. Ma Bell knows. +Listen, is this line hot? I just heard someone tap in. I'm not paranoid, but +I can detect things like that. Well, even if it is, they know that I know that +they know that I have a bulk eraser. I'm very clean." The Captain pauses, +evidently torn between wanting to prove to the phone-company monitors that he +does nothing illegal, and the desire to impress Ma Bell with his prowess. "Ma +Bell knows how good I am. And I am quite good. I can detect reversals, tandem +switching, everything that goes on on a line. I have relative pitch now. Do +you know what that means? My ears are a $20,000 piece of equipment. With my +ears I can detect things they can't hear with their equipment. I've had +employment problems. I've lost jobs. But I want to show Ma Bell how good I +am. I don't want to screw her, I want to work for her. I want to do good for +her. I want to help her get rid of her flaws and become perfect. That's my +number-one goal in life now." The Captain concludes his warnings and tells me +he has to be going. "I've got a little action lined up for tonight," he +explains and hangs up. + +Before I hang up for the night, I call Joe Engressia back. He reports that his +tormentor has finally gone to sleep -- "He's not blind drunk, that's the way I +get, ahem, yes; but you might say he's in a drunken stupor." I make a date to +visit Joe in Memphis in two days. + ++-- End second file of four --+ + + + + + + + + + + + + + + + + + + + + + + + + + Page 49 + + + + + The Official Phreaker's Manual + + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + * * + * +----------------------------------------------+ * + * * + * Secrets of the Little Blue Box * + * * + * by Ron Rosenbaum * + * Typed by One Farad Cap/AAG * + * * + * -A story so incredible it may even make you * + * feel sorry for the phone company- * + * * + * (Third of four files) * + * * + * +----------------------------------------------+ * + * * + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + +A Phone Phreak Call Takes Care of Business + +The next morning I attend a gathering of four phone phreaks in ----- (a +California suburb). The gathering takes place in a comfortable split-level +home in an upper-middle-class subdivision. Heaped on the kitchen table are the +portable cassette recorders, M-F cassettes, phone patches, and line ties of the +four phone phreaks present. On the kitchen counter next to the telephone is a +shoe-box-size blue box with thirteen large toggle switches for the tones. The +parents of the host phone phreak, Ralph, who is blind, stay in the living room +with their sighted children. They are not sure exactly what Ralph and his +friends do with the phone or if it's strictly legal, but he is blind and they +are pleased he has a hobby which keeps him busy. + +The group has been working at reestablishing the historic "2111" conference, +reopening some toll-free loops, and trying to discover the dimensions of what +seem to be new initiatives against phone phreaks by phone-company security +agents. + +It is not long before I get a chance to see, to hear, Randy at work. Randy is +known among the phone phreaks as perhaps the finest con man in the game. Randy +is blind. He is pale, soft and pear-shaped, he wears baggy pants and a wrinkly +nylon white sport shirt, pushes his head forward from hunched shoulders +somewhat like a turtle inching out of its shell. His eyes wander, crossing and +recrossing, and his forehead is somewhat pimply. He is only sixteen years +old. + +But when Randy starts speaking into a telephone mouthpiece his voice becomes so +stunningly authoritative it is necessary to look again to convince yourself it +comes from a chubby adolescent Randy. Imagine the voice of a crack oil-rig +foreman, a tough, sharp, weather-beaten Marlboro man of forty. Imagine the +voice of a brilliant performance-fund gunslinger explaining how he beats the +Dow Jones by thirty percent. Then imagine a voice that could make those two +sound like Stepin Fetchit. That is sixteen-year-old Randy's voice. + +He is speaking to a switchman in Detroit. The phone company in Detroit had +closed up two toll-free loop pairs for no apparent reason, although heavy use +by phone phreaks all over the country may have been detected. Randy is telling +the switchman how to open up the loop and make it free again: + +"How are you, buddy. Yeah. I'm on the board in here in Tulsa, Oklahoma, and + + Page 50 + + + + + The Official Phreaker's Manual + +we've been trying to run some tests on your loop-arounds and we find'em busied +out on both sides.... Yeah, we've been getting a 'BY' on them, what d'ya say, +can you drop cards on 'em? Do you have 08 on your number group? Oh that's +okay, we've had this trouble before, we may have to go after the circuit. Here +lemme give 'em to you: your frame is 05, vertical group 03, horizontal 5, +vertical file 3. Yeah, we'll hang on here.... Okay, found it? Good. Right, +yeah, we'd like to clear that busy out. Right. All you have to do is look for +your key on the mounting plate, it's in your miscellaneous trunk frame. Okay? +Right. Now pull your key from NOR over the LCT. Yeah. I don't know why that +happened, but we've been having trouble with that one. Okay. Thanks a lot +fella. Be seein' ya." + +Randy hangs up, reports that the switchman was a little inexperienced with the +loop-around circuits on the miscellaneous trunk frame, but that the loop has +been returned to its free-call status. + +Delighted, phone phreak Ed returns the pair of numbers to the active-status +column in his directory. Ed is a superb and painstaking researcher. With +almost Talmudic thoroughness he will trace tendrils of hints through soft-wired +mazes of intervening phone-company circuitry back through complex linkages of +switching relays to find the location and identity of just one toll-free loop. +He spends hours and hours, every day, doing this sort of thing. He has somehow +compiled a directory of eight hundred "Band-six in-WATS numbers" located in +over forty states. Band-six in-WATS numbers are the big 800 numbers -- the +ones that can be dialed into free from anywhere in the country. + +Ed the researcher, a nineteen-year-old engineering student, is also a superb +technician. He put together his own working blue box from scratch at age +seventeen. (He is sighted.) This evening after distributing the latest issue +of his in-WATS directory (which has been typed into Braille for the blind phone +phreaks), he announces he has made a major new breakthrough: + +"I finally tested it and it works, perfectly. I've got this switching matrix +which converts any touch-tone phone into an M-F-er." + +The tones you hear in touch-tone phones are not the M-F tones that operate the +long-distance switching system. Phone phreaks believe A.T.&T. had deliberately +equipped touch tones with a different set of frequencies to avoid putting the +six master M-F tones in the hands of every touch-tone owner. Ed's complex +switching matrix puts the six master tones, in effect put a blue box, in the +hands of every touch-tone owner. + +Ed shows me pages of schematics, specifications and parts lists. "It's not easy +to build, but everything here is in the Heathkit catalog." + +Ed asks Ralph what progress he has made in his attempts to reestablish a +long-term open conference line for phone phreaks. The last big conference -- +the historic "2111" conference -- had been arranged through an unused Telex +test-board trunk somewhere in the innards of a 4A switching machine in +Vancouver, Canada. For months phone phreaks could M-F their way into +Vancouver, beep out 604 (the Vancouver area code) and then beep out 2111 (the +internal phone-company code for Telex testing), and find themselves at any +time, day or night, on an open wire talking with an array of phone phreaks from +coast to coast, operators from Bermuda, Tokyo and London who are phone-phreak +sympathizers, and miscellaneous guests and technical experts. The conference +was a massive exchange of information. Phone phreaks picked each other's +brains clean, then developed new ways to pick the phone company's brains clean. +Ralph gave M F Boogies concerts with his home-entertainment-type electric + + Page 51 + + + + + The Official Phreaker's Manual + +organ, Captain Crunch demonstrated his round-the-world prowess with his +notorious computerized unit and dropped leering hints of the "action" he was +getting with his girl friends. (The Captain lives out or pretends to live out +several kinds of fantasies to the gossipy delight of the blind phone phreaks +who urge him on to further triumphs on behalf of all of them.) The somewhat +rowdy Northwest phone-phreak crowd let their bitter internal feud spill over +into the peaceable conference line, escalating shortly into guerrilla warfare; +Carl the East Coast international tone relations expert demonstrated newly +opened direct M-F routes to central offices on the island of Bahrein in the +Persian Gulf, introduced a new phone-phreak friend of his in Pretoria, and +explained the technical operation of the new Oakland-to Vietnam linkages. +(Many phone phreaks pick up spending money by M-F-ing calls from relatives to +Vietnam G.I.'s, charging $5 for a whole hour of trans-Pacific conversation.) + +Day and night the conference line was never dead. Blind phone phreaks all over +the country, lonely and isolated in homes filled with active sighted brothers +and sisters, or trapped with slow and unimaginative blind kids in straitjacket +schools for the blind, knew that no matter how late it got they could dial up +the conference and find instant electronic communion with two or three other +blind kids awake over on the other side of America. Talking together on a +phone hookup, the blind phone phreaks say, is not much different from being +there together. Physically, there was nothing more than a two-inch-square wafer +of titanium inside a vast machine on Vancouver Island. For the blind kids +>there< meant an exhilarating feeling of being in touch, through a kind of +skill and magic which was peculiarly their own. + +Last April 1, however, the long Vancouver Conference was shut off. The phone +phreaks knew it was coming. Vancouver was in the process of converting from a +step-by-step system to a 4A machine and the 2111 Telex circuit was to be wiped +out in the process. The phone phreaks learned the actual day on which the +conference would be erased about a week ahead of time over the phone company's +internal-news-and-shop-talk recording. + +For the next frantic seven days every phone phreak in America was on and off +the 2111 conference twenty-four hours a day. Phone phreaks who were just +learning the game or didn't have M-F capability were boosted up to the +conference by more experienced phreaks so they could get a glimpse of what it +was like before it disappeared. Top phone phreaks searched distant area codes +for new conference possibilities without success. Finally in the early morning +of April 1, the end came. + +"I could feel it coming a couple hours before midnight," Ralph remembers. "You +could feel something going on in the lines. Some static began showing up, then +some whistling wheezing sound. Then there were breaks. Some people got cut +off and called right back in, but after a while some people were finding they +were cut off and couldn't get back in at all. It was terrible. I lost it +about one a.m., but managed to slip in again and stay on until the thing +died... I think it was about four in the morning. There were four of us still +hanging on when the conference disappeared into nowhere for good. We all tried +to M-F up to it again of course, but we got silent termination. There was +nothing there." + +The Legendary Mark Bernay Turns Out To Be "The Midnight Skulker" + +Mark Bernay. I had come across that name before. It was on Gilbertson's +select list of phone phreaks. The California phone phreaks had spoken of a +mysterious Mark Bernay as perhaps the first and oldest phone phreak on the West +Coast. And in fact almost every phone phreak in the West can trace his origins + + Page 52 + + + + + The Official Phreaker's Manual + +either directly to Mark Bernay or to a disciple of Mark Bernay. + +It seems that five years ago this Mark Bernay (a pseudonym he chose for +himself) began traveling up and down the West Coast pasting tiny stickers in +phone books all along his way. The stickers read something like "Want to hear +an interesting tape recording? Call these numbers." The numbers that followed +were toll-free loop-around pairs. When one of the curious called one of the +numbers he would hear a tape recording pre-hooked into the loop by Bernay which +explained the use of loop-around pairs, gave the numbers of several more, and +ended by telling the caller, "At six o'clock tonight this recording will stop +and you and your friends can try it out. Have fun." + +"I was disappointed by the response at first," Bernay told me, when I finally +reached him at one of his many numbers and he had dispensed with the usual "I +never do anything illegal" formalities which experienced phone phreaks open +most conversations. + +"I went all over the coast with these stickers not only on pay phones, but I'd +throw them in front of high schools in the middle of the night, I'd leave them +unobtrusively in candy stores, scatter them on main streets of small towns. At +first hardly anyone bothered to try it out. I would listen in for hours and +hours after six o'clock and no one came on. I couldn't figure out why people +wouldn't be interested. Finally these two girls in Oregon tried it out and +told all their friends and suddenly it began to spread." + +Before his Johny Appleseed trip Bernay had already gathered a sizable group of +early pre-blue-box phone phreaks together on loop-arounds in Los Angeles. +Bernay does not claim credit for the original discovery of the loop-around +numbers. He attributes the discovery to an eighteen-year-old reform school kid +in Long Beach whose name he forgets and who, he says, "just disappeared one +day." When Bernay himself discovered loop-arounds independently, from clues in +his readings in old issues of the Automatic Electric Technical Journal, he +found dozens of the reform-school kid's friends already using them. However, it +was one of Bernay's disciples in Seattle that introduced phone phreaking to +blind kids. The Seattle kid who learned about loops through Bernay's recording +told a blind friend, the blind kid taught the secret to his friends at a winter +camp for blind kids in Los Angeles. When the camp session was over these kids +took the secret back to towns all over the West. This is how the original +blind kids became phone phreaks. For them, for most phone phreaks in general, +it was the discovery of the possibilities of loop-arounds which led them on to +far more serious and sophisticated phone-phreak methods, and which gave them a +medium for sharing their discoveries. + +A year later a blind kid who moved back east brought the technique to a blind +kids' summer camp in Vermont, which spread it along the East Coast. All from a +Mark Bernay sticker. + +Bernay, who is nearly thirty years old now, got his start when he was fifteen +and his family moved into an L.A. suburb serviced by General Telephone and +Electronics equipment. He became fascinated with the differences between Bell +and G.T.&E. equipment. He learned he could make interesting things happen by +carefully timed clicks with the disengage button. He learned to interpret +subtle differences in the array of clicks, whirrs and kachinks he could hear on +his lines. He learned he could shift himself around the switching relays of +the L.A. area code in a not-too-predictable fashion by interspersing his own +hook-switch clicks with the clicks within the line. (Independent phone +companies -- there are nineteen hundred of them still left, most of them tiny +island principalities in Ma Bell's vast empire -- have always been favorites + + Page 53 + + + + + The Official Phreaker's Manual + +with phone phreaks, first as learning tools, then as Archimedes platforms from +which to manipulate the huge Bell system. A phone phreak in Bell territory +will often M-F himself into an independent's switching system, with switching +idiosyncrasies which can give him marvelous leverage over the Bell System. + +"I have a real affection for Automatic Electric Equipment," Bernay told me. +"There are a lot of things you can play with. Things break down in interesting +ways." + +Shortly after Bernay graduated from college (with a double major in chemistry +and philosophy), he graduated from phreaking around with G.T.&E. to the Bell +System itself, and made his legendary sticker-pasting journey north along the +coast, settling finally in Northwest Pacific Bell territory. He discovered +that if Bell does not break down as interestingly as G.T.&E., it nevertheless +offers a lot of "things to play with." + +Bernay learned to play with blue boxes. He established his own personal +switchboard and phone-phreak research laboratory complex. He continued his +phone-phreak evangelism with ongoing sticker campaigns. He set up two recording +numbers, one with instructions for beginning phone phreaks, the other with +latest news and technical developments (along with some advanced instruction) +gathered from sources all over the country. + +These days, Bernay told me, he had gone beyond phone-phreaking itself. "Lately +I've been enjoying playing with computers more than playing with phones. My +personal thing in computers is just like with phones, I guess -- the kick is in +finding out how to beat the system, how to get at things I'm not supposed to +know about, how to do things with the system that I'm not supposed to be able +to do." + +As a matter of fact, Bernay told me, he had just been fired from his +computer-programming job for doing things he was not supposed to be able to do. +he had been working with a huge time-sharing computer owned by a large +corporation but shared by many others. Access to the computer was limited to +those programmers and corporations that had been assigned certain passwords. +And each password restricted its user to access to only the one section of the +computer cordoned off from its own information storager. The password system +prevented companies and individuals from stealing each other's information. + +"I figured out how to write a program that would let me read everyone else's +password," Bernay reports. "I began playing around with passwords. I began +letting the people who used the computer know, in subtle ways, that I knew +their passwords. I began dropping notes to the computer supervisors with hints +that I knew what I know. I signed them 'The Midnight Skulker.' I kept getting +cleverer and cleverer with my messages and devising ways of showing them what I +could do. I'm sure they couldn't imagine I could do the things I was showing +them. But they never responded to me. Every once in a while they'd change the +passwords, but I found out how to discover what the new ones were, and I let +them know. But they never responded directly to the Midnight Skulker. I even +finally designed a program which they could use to prevent my program from +finding out what it did. In effect I told them how to wipe me out, The +Midnight Skulker. It was a very clever program. I started leaving clues about +myself. I wanted them to try and use it and then try to come up with something +to get around that and reappear again. But they wouldn't play. I wanted to +get caught. I mean I didn't want to get caught personally, but I wanted them +to notice me and admit that they noticed me. I wanted them to attempt to +respond, maybe in some interesting way." + + + Page 54 + + + + + The Official Phreaker's Manual + +Finally the computer managers became concerned enough about the threat of +information-stealing to respond. However, instead of using The Midnight +Skulker's own elegant self-destruct program, they called in their security +personnel, interrogated everyone, found an informer to identify Bernay as The +Midnight Skulker, and fired him. + +"At first the security people advised the company to hire me full-time to +search out other flaws and discover other computer freaks. I might have liked +that. But I probably would have turned into a double double agent rather than +the double agent they wanted. I might have resurrected The Midnight Skulker +and tried to catch myself. Who knows? Anyway, the higher-ups turned the whole +idea down." + +You Can Tap the F.B.I.'s Crime Control Computer in the Comfort of Your Own +Home, Perhaps + +Computer freaking may be the wave of the future. It suits the phone-phreak +sensibility perfectly. Gilbertson, the blue-box inventor and a lifelong phone +phreak, has also gone on from phone-phreaking to computer-freaking. Before he +got into the blue-box business Gilbertson, who is a highly skilled programmer, +devised programs for international currency arbitrage. + +But he began playing with computers in earnest when he learned he could use his +blue box in tandem with the computer terminal installed in his apartment by the +instrumentation firm he worked for. The print-out terminal and keyboard was +equipped with acoustical coupling, so that by coupling his little ivory +Princess phone to the terminal and then coupling his blue box on that, he could +M-F his way into other computers with complete anonymity, and without charge; +program and re-program them at will; feed them false or misleading information; +tap and steal from them. He explained to me that he taps computers by busying +out all the lines, then going into a verification trunk, listening into the +passwords and instructions one of the time sharers uses, and them M-F-ing in +and imitating them. He believes it would not be impossible to creep into the +F.B.I's crime control computer through a local police computer terminal and +phreak around with the F.B.I.'s memory banks. He claims he has succeeded in +re-programming a certain huge institutional computer in such a way that it has +cordoned off an entire section of its circuitry for his personal use, and at +the same time conceals that arrangement from anyone else's notice. I have been +unable to verify this claim. + +Like Captain Crunch, like Alexander Graham Bell (pseudonym of a +disgruntled-looking East Coast engineer who claims to have invented the black +box and now sells black and blue boxes to gamblers and radical heavies), like +most phone phreaks, Gilbertson began his career trying to rip off pay phones as +a teenager. Figure them out, then rip them off. Getting his dime back from +the pay phone is the phone phreak's first thrilling rite of passage. After +learning the usual eighteen different ways of getting his dime back, Gilbertson +learned how to make master keys to coin-phone cash boxes, and get everyone +else's dimes back. He stole some phone-company equipment and put together his +own home switchboard with it. He learned to make a simple "bread-box" device, +of the kind used by bookies in the Thirties (bookie gives a number to his +betting clients; the phone with that number is installed in some widow lady's +apartment, but is rigged to ring in the bookie's shop across town, cops trace +big betting number and find nothing but the widow). + +Not long after that afternoon in 1968 when, deep in the stacks of an +engineering library, he came across a technical journal with the phone tone +frequencies and rushed off to make his first blue box, not long after that + + Page 55 + + + + + The Official Phreaker's Manual + +Gilbertson abandoned a very promising career in physical chemistry and began +selling blue boxes for $1,500 apiece. + +"I had to leave physical chemistry. I just ran out of interesting things to +learn," he told me one evening. We had been talking in the apartment of the +man who served as the link between Gilbertson and the syndicate in arranging +the big $300,000 blue-box deal which fell through because of legal trouble. +There has been some smoking. + +"No more interesting things to learn," he continues. "Physical chemistry turns +out to be a sick subject when you take it to its highest level. I don't know. +I don't think I could explain to you how it's sick. You have to be there. But +you get, I don't know, a false feeling of omnipotence. I suppose it's like +phone-phreaking that way. This huge thing is there. This whole system. And +there are holes in it and you slip into them like Alice and you're pretending +you're doing something you're actually not, or at least it's no longer you +that's doing what you thought you were doing. It's all Lewis Carroll. +Physical chemistry and phone-phreaking. That's why you have these phone-phreak +pseudonyms like The Cheshire Cat, the Red King, and The Snark. But there's +something about phone-phreaking that you don't find in physical chemistry." He +looks up at me: + +"Did you ever steal anything?" + +"Well yes, I..." + +"Then you know! You know the rush you get. It's not just knowledge, like +physical chemistry. It's forbidden knowledge. You know. You can learn about +anything under the sun and be bored to death with it. But the idea that it's +illegal. Look: you can be small and mobile and smart and you're ripping off +somebody large and powerful and very dangerous." + +People like Gilbertson and Alexander Graham Bell are always talking about +ripping off the phone company and screwing Ma Bell. But if they were shown a +single button and told that by pushing it they could turn the entire circuitry +of A.T.&T. into molten puddles, they probably wouldn't push it. The +disgruntled-inventor phone phreak needs the phone system the way the lapsed +Catholic needs the Church, the way Satan needs a God, the way The Midnight +Skulker needed, more than anything else, response. + +Later that evening Gilbertson finished telling me how delighted he was at the +flood of blue boxes spreading throughout the country, how delighted he was to +know that "this time they're really screwed." He suddenly shifted gears. + +"Of course. I do have this love/hate thing about Ma Bell. In a way I almost +like the phone company. I guess I'd be very sad if they were to disintegrate. +In a way it's just that after having been so good they turn out to have these +things wrong with them. It's those flaws that allow me to get in and mess with +them, but I don't know. There's something about it that gets to you and makes +you want to get to it, you know." + +I ask him what happens when he runs out of interesting, forbidden things to +learn about the phone system. + +"I don't know, maybe I'd go to work for them for a while." + +"In security even?" + + + Page 56 + + + + + The Official Phreaker's Manual + +"I'd do it, sure. I just as soon play -- I'd just as soon work on either +side." + +"Even figuring out how to trap phone phreaks? I said, recalling Mark Bernay's +game." + +"Yes, that might be interesting. Yes, I could figure out how to outwit the +phone phreaks. Of course if I got too good at it, it might become boring +again. Then I'd have to hope the phone phreaks got much better and outsmarted +me for a while. That would move the quality of the game up one level. I might +even have to help them out, you know, 'Well, kids, I wouldn't want this to get +around but did you ever think of -- ?' I could keep it going at higher and +higher levels forever." + +The dealer speaks up for the first time. He has been staring at the soft +blinking patterns of light and colors on the translucent tiled wall facing him. +(Actually there are no patterns: the color and illumination of every tile is +determined by a computerized random-number generator designed by Gilbertson +which insures that there can be no meaning to any sequence of events in the +tiles.) + +"Those are nice games you're talking about," says the dealer to his friend. +"But I wouldn't mind seeing them screwed. A telephone isn't private anymore. +You can't say anything you really want to say on a telephone or you have to go +through that paranoid bullshit. 'Is it cool to talk on the phone?' I mean, +even if it is cool, if you have to ask 'Is it cool,' then it isn't cool. You +know. 'Is it cool,' then it isn't cool. You know. Like those blind kids, +people are going to start putting together their own private telephone +companies if they want to really talk. And you know what else. You don't hear +silences on the phone anymore. They've got this time-sharing thing on +long-distance lines where you make a pause and they snip out that piece of time +and use it to carry part of somebody else's conversation. Instead of a pause, +where somebody's maybe breathing or sighing, you get this blank hole and you +only start hearing again when someone says a word and even the beginning of the +word is clipped off. Silences don't count -- you're paying for them, but they +take them away from you. It's not cool to talk and you can't hear someone when +they don't talk. What the hell good is the phone? I wouldn't mind seeing them +totally screwed." + ++-- End third file of four --+ + + + + + + + + + + + + + + + + + + + + Page 57 + + + + + The Official Phreaker's Manual + + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + * * + * +----------------------------------------------+ * + * * + * Secrets of the Little Blue Box * + * * + * by Ron Rosenbaum * + * Typed by One Farad Cap/AAG * + * * + * -A story so incredible it may even make you * + * feel sorry for the phone company- * + * * + * (Fourth of four files) * + * * + * +----------------------------------------------+ * + * * + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + +The Big Memphis Bust + +Joe Engressia never wanted to screw Ma Bell. His dream had always been to work +for her. + +The day I visited Joe in his small apartment on Union Avenue in Memphis, he was +upset about another setback in his application for a telephone job. + +"They're stalling on it. I got a letter today telling me they'd have to +postpone the interview I requested again. My landlord read it for me. They +gave me some runaround about wanting papers on my rehabilitation status but I +think there's something else going on." + +When I switched on the 40-watt bulb in Joe's room -- he sometimes forgets when +he has guests -- it looked as if there was enough telephone hardware to start a +small phone company of his own. + +There is one phone on top of his desk, one phone sitting in an open drawer +beneath the desk top. Next to the desk-top phone is a cigar-box-size M-F +device with big toggle switches, and next to that is some kind of switching and +coupling device with jacks and alligator plugs hanging loose. Next to that is +a Braille typewriter. On the floor next to the desk, lying upside down like a +dead tortoise, is the half-gutted body of an old black standard phone. Across +the room on a torn and dusty couch are two more phones, one of them a +touch-tone model; two tape recorders; a heap of phone patches and cassettes, +and a life-size toy telephone. + +Our conversation is interrupted every ten minutes by phone phreaks from all +over the country ringing Joe on just about every piece of equipment but the toy +phone and the Braille typewriter. One fourteen-year-old blind kid from +Connecticut calls up and tells Joe he's got a girl friend. He wants to talk to +Joe about girl friends. Joe says they'll talk later in the evening when they +can be alone on the line. Joe draws a deep breath, whistles him off the air +with an earsplitting 2600-cycle whistle. Joe is pleased to get the calls but he +looked worried and preoccupied that evening, his brow constantly furrowed over +his dark wandering eyes. In addition to the phone-company stall, he has just +learned that his apartment house is due to be demolished in sixty days for +urban renewal. For all its shabbiness, the Union Avenue apartment house has +been Joe's first home-of-his-own and he's worried that he may not find another +before this one is demolished. + + Page 58 + + + + + The Official Phreaker's Manual + + +But what really bothers Joe is that switchmen haven't been listening to him. +"I've been doing some checking on 800 numbers lately, and I've discovered that +certain 800 numbers in New Hampshire couldn't be reached from Missouri and +Kansas. Now it may sound like a small thing, but I don't like to see sloppy +work; it makes me feel bad about the lines. So I've been calling up switching +offices and reporting it, but they haven't corrected it. I called them up for +the third time today and instead of checking they just got mad. Well, that +gets me mad. I mean, I do try to help them. There's something about them I +can't understand -- you want to help them and they just try to say you're +defrauding them." + +It is Sunday evening and Joe invites me to join him for dinner at a Holiday +Inn. Frequently on Sunday evening Joe takes some of his welfare money, calls a +cab, and treats himself to a steak dinner at one of Memphis' thirteen Holiday +Inns. (Memphis is the headquarters of Holiday Inn. Holiday Inns have been a +favorite for Joe ever since he made his first solo phone trip to a Bell +switching office in Jacksonville, Florida, and stayed in the Holiday Inn there. +He likes to stay at Holiday Inns, he explains, because they represent freedom +to him and because the rooms are arranged the same all over the country so he +knows that any Holiday Inn room is familiar territory to him. Just like any +telephone.) + +Over steaks in the Pinnacle Restaurant of the Holiday Inn Medical Center on +Madison Avenue in Memphis, Joe tells me the highlights of his life as a phone +phreak. + +At age seven, Joe learned his first phone trick. A mean baby-sitter, tired of +listening to little Joe play with the phone as he always did, constantly, put a +lock on the phone dial. "I got so mad. When there's a phone sitting there and +I can't use it... so I started getting mad and banging the receiver up and +down. I noticed I banged it once and it dialed one. Well, then I tried +banging it twice...." In a few minutes Joe learned how to dial by pressing the +hook switch at the right time. "I was so excited I remember going 'whoo whoo' +and beat a box down on the floor." + +At age eight Joe learned about whistling. "I was listening to some intercept +non working-number recording in L.A.- I was calling L.A. as far back as that, +but I'd mainly dial non working numbers because there was no charge, and I'd +listen to these recordings all day. Well, I was whistling 'cause listening to +these recordings can be boring after a while even if they are from L.A., and +all of a sudden, in the middle of whistling, the recording clicked off. I +fiddled around whistling some more, and the same thing happened. So I called +up the switch room and said, 'I'm Joe. I'm eight years old and I want to know +why when I whistle this tune the line clicks off.' He tried to explain it to +me, but it was a little too technical at the time. I went on learning. That +was a thing nobody was going to stop me from doing. The phones were my life, +and I was going to pay any price to keep on learning. I knew I could go to +jail. But I had to do what I had to do to keep on learning." + +The phone is ringing when we walk back into Joe's apartment on Union Avenue. +It is Captain Crunch. The Captain has been following me around by phone, +calling up everywhere I go with additional bits of advice and explanation for +me and whatever phone phreak I happen to be visiting. This time the Captain +reports he is calling from what he describes as "my hideaway high up in the +Sierra Nevada." He pulses out lusty salvos of M-F and tells Joe he is about to +"go out and get a little action tonight. Do some phreaking of another kind, if +you know what I mean." Joe chuckles. + + Page 59 + + + + + The Official Phreaker's Manual + + +The Captain then tells me to make sure I understand that what he told me about +tying up the nation's phone lines was true, but that he and the phone phreaks +he knew never used the technique for sabotage. They only learned the technique +to help the phone company. + +"We do a lot of troubleshooting for them. Like this New Hampshire/Missouri +WATS-line flaw I've been screaming about. We help them more than they know." + +After we say good-bye to the Captain and Joe whistles him off the line, Joe +tells me about a disturbing dream he had the night before: "I had been caught +and they were taking me to a prison. It was a long trip. They were taking me +to a prison a long long way away. And we stopped at a Holiday Inn and it was +my last night ever using the phone and I was crying and crying, and the lady at +the Holiday Inn said, 'Gosh, honey, you should never be sad at a Holiday Inn. +You should always be happy here. Especially since it's your last night.' And +that just made it worse and I was sobbing so much I couldn't stand it." + +Two weeks after I left Joe Engressia's apartment, phone-company security agents +and Memphis police broke into it. Armed with a warrant, which they left pinned +to a wall, they confiscated every piece of equipment in the room, including his +toy telephone. Joe was placed under arrest and taken to the city jail where he +was forced to spend the night since he had no money and knew no one in Memphis +to call. + +It is not clear who told Joe what that night, but someone told him that the +phone company had an open-and-shut case against him because of revelations of +illegal activity he had made to a phone-company undercover agent. + +By morning Joe had become convinced that the reporter from Esquire, with whom +he had spoken two weeks ago, was the undercover agent. He probably had ugly +thoughts about someone he couldn't see gaining his confidence, listening to him +talk about his personal obsessions and dreams, while planning all the while to +lock him up. + +"I really thought he was a reporter," Engressia told the Memphis Press-Seminar. +"I told him everything...." Feeling betrayed, Joe proceeded to confess +everything to the press and police. + +As it turns out, the phone company did use an undercover agent to trap Joe, +although it was not the Esquire reporter. + +Ironically, security agents were alerted and began to compile a case against +Joe because of one of his acts of love for the system: Joe had called an +internal service department to report that he had located a group of defective +long-distance trunks, and to complain again about the New Hampshire/Missouri +WATS problem. Joe always liked Ma Bell's lines to be clean and responsive. A +suspicious switchman reported Joe to the security agents who discovered that +Joe had never had a long-distance call charged to his name. + +Then the security agents learned that Joe was planning one of his phone trips +to a local switching office. The security people planted one of their agents +in the switching office. He posed as a student switchman and followed Joe +around on a tour. He was extremely friendly and helpful to Joe, leading him +around the office by the arm. When the tour was over he offered Joe a ride back +to his apartment house. On the way he asked Joe -- one tech man to another -- +about "those blue boxers" he'd heard about. Joe talked about them freely, +talked about his blue box freely, and about all the other things he could do + + Page 60 + + + + + The Official Phreaker's Manual + +with the phones. + +The next day the phone-company security agents slapped a monitoring tape on +Joe's line, which eventually picked up an illegal call. Then they applied for +the search warrant and broke in. + +In court Joe pleaded not guilty to possession of a blue box and theft of +service. A sympathetic judge reduced the charges to malicious mischief and +found him guilty on that count, sentenced him to two thirty-day sentences to be +served concurrently and then suspended the sentence on condition that Joe +promise never to play with phones again. Joe promised, but the phone company +refused to restore his service. For two weeks after the trial Joe could not be +reached except through the pay phone at his apartment house, and the landlord +screened all calls for him. + +Phone-phreak Carl managed to get through to Joe after the trial, and reported +that Joe sounded crushed by the whole affair. + +"What I'm worried about," Carl told me, "is that Joe means it this time. The +promise. That he'll never phone-phreak again. That's what he told me, that +he's given up phone-phreaking for good. I mean his entire life. He says he +knows they're going to be watching him so closely for the rest of his life +he'll never be able to make a move without going straight to jail. He sounded +very broken up by the whole experience of being in jail. It was awful to hear +him talk that way. I don't know. I hope maybe he had to sound that way. Over +the phone, you know." + +He reports that the entire phone-phreak underground is up in arms over the +phone company's treatment of Joe. "All the while Joe had his hopes pinned on +his application for a phone-company job, they were stringing him along getting +ready to bust him. That gets me mad. Joe spent most of his time helping them +out. The bastards. They think they can use him as an example. All of sudden +they're harassing us on the coast. Agents are jumping up on our lines. They +just busted ------'s mute yesterday and ripped out his lines. But no matter +what Joe does, I don't think we're going to take this lying down." + +Two weeks later my phone rings and about eight phone phreaks in succession say +hello from about eight different places in the country, among them Carl, Ed, +and Captain Crunch. A nationwide phone-phreak conference line has been +reestablished through a switching machine in --------, with the cooperation of +a disgruntled switchman. + +"We have a special guest with us today," Carl tells me. + +The next voice I hear is Joe's. He reports happily that he has just moved to a +place called Millington, Tennessee, fifteen miles outside of Memphis, where he +has been hired as a telephone-set repairman by a small independent phone +company. Someday he hopes to be an equipment troubleshooter. + +"It's the kind of job I dreamed about. They found out about me from the +publicity surrounding the trial. Maybe Ma Bell did me a favor busting me. +I'll have telephones in my hands all day long." + +"You know the expression, 'Don't get mad, get even'?" phone-phreak Carl asked +me. "Well, I think they're going to be very sorry about what they did to Joe +and what they're trying to do to us." + ++-- End fourth file of four --+ + + Page 61 + + + + + The Official Phreaker's Manual + + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + $ $ + $ THE HISTORY OF ESS $ + $ --- ------- -- --- $ + $ $ + $ $ + $ Another original phile by: $ + $ $ + $ $ + $$$$$$$$$$$$-=>Lex Luthor<=-$$$$$$$$$$$ + $ $ + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + + + Of all the new 1960s wonders of telephone technology - satellites, ultra +modern Traffic Service Positions (TSPS) for operators, the picturephone, and so +on - the one that gave Bell Labs the most trouble, and unexpectedly became the +greatest development effort in Bell System's history, was the perfection of an +electronic switching system, or ESS. + + It may be recalled that such a system was the specific end in view when the +project that had culminated in the invention of the transistor had been +launched back in the 1930s. After successful accomplishment of that planned +miracle in 1947-48, further delays were brought about by financial stringency +and the need for further development of the transistor itself. In the early +1950s, a Labs team began serious work on electronic switching. As early as +1955, Western Electric became involved when five engineers from the Hawthorne +works were assigned to collaborate with the Labs on the project. The president +of AT&T in 1956, wrote confidently, "At Bell Labs, development of the new +electronic switching system is going full speed ahead. We are sure this will +lead to many improvements in service and also to greater efficiency. The first +service trial will start in Morris, Ill., in 1959." Shortly thereafter, Kappel +said that the cost of the whole project would probably be $45 million. + + But it gradually became apparent that the development of a commercially +usable electronic switching system -in effect, a computerized telephone +exchange - presented vastly greater technical problems than had been +anticipated, and that, accordingly, Bell Labs had vastly underestimated both +the time and the investment needed to do the job. The year 1959 passed without +the promised first trial at Morris, Illinois; it was finally made in November +1960, and quickly showed how much more work remained to be done. As time +dragged on and costs mounted, there was a concern at AT&T and some-thing +approaching panic at Bell Labs. But the project had to go forward; by this +time the investment was too great to be sacrificed, and in any case, forward +projections of increased demand for telephone service indicated that within a +phew years a time would come when, without the quantum leap in speed and +flexibility that electronic switching would provide, the national network would +be unable to meet the demand. In November 1963, an all-electronic switching +system went into use at the Brown Engineering Company at Cocoa Beach, Florida. +But this was a small installation, essentially another test installation, +serving only a single company. Kappel's tone on the subject in the 1964 annual +report was, for him, an almost apologetic: "Electronic switching equipment must +be manufactured in volume to unprecedented standards of reliability.... To turn +out the equipment economically and with good speed, mass production methods +must be developed; but, at the same time, there can be no loss of precision..." +Another year and millions of dollars later, on May 30, 1965, the first +commercial electric central office was put into service at Succasunna, New +Jersey. + + Page 62 + + + + + The Official Phreaker's Manual + + + Even at Succasunna, only 200 of the town's 4,300 subscribers initially had +the benefit of electronic switching's added speed and additional services, such +as provision for three party conversations and automatic transfer of incoming +calls. But after that, ESS was on its way. In January 1966, the second +commercial installation, this one serving 2,900 telephones, went into service +in Chase, Maryland. By the end of 1967 there were additional ESS offices in +California, Connecticut, Minnesota, Georgia, New York, Florida, and +Pennsylvania; by the end of 1970 there were 120 offices serving 1.8 million +customers; and by 1974 there were 475 offices serving 5.6 million customers. + + The difference between conventional switching and electronic switching is +the difference between "hardware" and "software"; in the former case, +maintenance is done on the spot, with screwdriver and pliers, while in the case +of electronic switching, it can be done remotely, by computer, from a central +point, making it possible to have only one or two technicians on duty at a time +at each switching center. + + The development program, when the final figures were added up, was found to +have required a staggering four thousand man-years of work at Bell Labs and to +have cost not $45 million but $500 million! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 63 + + + + + The Official Phreaker's Manual + + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + $ $ + $ THE HISTORY OF BRITISH PHREAKING $ + $ -=- -=-=-=- -- -=-=-=- -=-=-=-=- $ + $ $ + $ THE SECOND IN A SERIES OF $ + $ THE HISTORY OF.....PHILES $ + $ $ + $ WRITTEN AND UPLOADED BY: $ + $ $ + $$$$$$$$$$$$-=>LEX LUTHOR<=-$$$$$$$$$$$ + $ AND $ + $ THE LEGION OF DOOM! $ + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + + NOTE: THE BRITISH POST OFFICE, IS THE U.S. EQUIVALENT OF MA BELL. + + IN BRITAIN, PHREAKING GOES BACK TO THE EARLY FIFTIES, WHEN THE TECHNIQUE OF +'TOLL A DROP BACK' WAS DISCOVERED. TOLL A WAS AN EXCHANGE NEAR ST. PAULS +WHICH ROUTED CALLS BETWEEN LONDON AND NEARBY NON-LONDON EXCHANGES. THE TRICK +WAS TO DIAL AN UNALLOCATED NUMBER, AND THEN DEPRESS THE RECEIVER-REST FOR 1/2 +SECOND. THIS FLASHING INITIATED THE 'CLEAR FORWARD' SIGNAL, LEAVING THE CALLER +WITH AN OPEN LINE INTO THE TOLL A EXCHANGE.THE COULD THEN DIAL 018, WHICH +FORWARDED HIM TO THE TRUNK EXCHANGE AT THAT TIME, THE FIRST LONG DISTANCE +EXCHANGE IN BRITAIN AND FOLLOW IT WITH THE CODE FOR THE DISTANT EXCHANGE TO +WHICH HE WOULD BE CONNECTED AT NO EXTRA CHARGE. + + THE SIGNALS NEEDED TO CONTROL THE UK NETWORK TODAY WERE PUBLISHED IN THE +"INSTITUTION OF POST OFFICE ENGINEERS JOURNAL" AND REPRINTED IN THE SUNDAY +TIMES (15 OCT. 1972). + + THE SIGNALLING SYSTEM THEY USE: SIGNALLING SYSTEM NO. 3 USES PAIRS OF +FREQUENCIES SELECTED FROM 6 TONES SEPARATED BY 120HZ. WITH THAT INFO, THE +PHREAKS MADE "BLEEPERS" OR AS THEY ARE CALLED HERE IN THE U.S. "BLUE BOX", BUT +THEY DO UTILIZE DIFFERENT MF TONES THEN THE U.S., THUS, YOUR U.S. BLUE BOX +THAT YOU SMUGGLED INTO THE UK WILL NOT WORK, UNLESS YOU CHANGE THE +FREQUENCIES. + + IN THE EARLY SEVENTIES, A SIMPLER SYSTEM BASED ON DIFFERENT NUMBERS OF PULSES +WITH THE SAME FREQUENCY (2280HZ) WAS USED. FOR MORE INFO ON THAT, TRY TO GET A +HOLD OF: ATKINSON'S "TELEPHONY AND SYSTEMS TECHNOLOGY". + + IN THE EARLY DAYS OF BRITISH PHREAKING, THE CAMBRIDGE UNIVERSITY TITAN +COMPUTER WAS USED TO RECORD AND CIRCULATE NUMBERS FOUND BY THE EXHAUSTIVE +DIALING OF LOCAL NETWORKS. THESE NUMBERS WERE USED TO CREATE A CHAIN OF LINKS +FROM LOCAL EXCHANGE TO LOCAL EXCHANGE ACROSS THE COUNTRY, BYPASSING THE TRUNK +CIRCUITS. BECAUSE THE INTERNAL ROUTING CODES IN THE UK NETWORK ARE NOT THE +SAME AS THOSE DIALED BY THE CALLER, THE PHREAKS HAD TO DISCOVER THEM BY 'PROBE +AND LISTEN' TECHNIQUES OR MORE COMMONLY KNOWN IN THE U.S.-- SCANNING. WHAT +THEY DID WAS PUT IN LIKELY SIGNALS AND LISTENED TO FIND OUT IF THEY SUCCEEDED. +THE RESULTS OF SCANNING WERE CIRCULATED TO OTHER PHREAKS. DISCOVERING EACH +OTHER TOOK TIME AT FIRST, BUT EVENTUALLY THE PHREAKS BECAME ORGANIZED. THE +"TAP" OF BRITAIN WAS CALLED "UNDERCURRENTS" WHICH ENABLED BRITISH PHREAKS TO +SHARE THE INFO ON NEW NUMBERS, EQUIPMENT ETC. + + TO UNDERSTAND WHAT THE BRITISH BRITISH PHREAKS DID, THINK OF THE PHONE +NETWORK IN THREE LAYERS OF LINES: LOCAL, TRUNK, AND INTERNATIONAL.#IN THE UK, +SUBSCRIBER TRUNK DIALING (STD), IS THE MECHANISM WHICH TAKES A CALL FROM THE + + Page 64 + + + + + The Official Phreaker's Manual + +LOCAL LINES AND (LEGITIMATELY) ELEVATES IT TO A TRUNK OR INTERNATIONAL +LEVEL.#THE UK PHREAKS FIGURED THAT A CALL AT TRUNK LEVEL CAN BE ROUTED THROUGH +ANY NUMBER OF EXCHANGES, PROVIDED THAT THE RIGHT ROUTING CODES WERE FOUND AND +USED CORRECTLY. THEY ALSO HAD TO DISCOVER HOW TO GET FROM LOCAL TO TRUNK LEVEL +EITHER WITHOUT BEING CHARGED (WHICH THEY DID WITH A BLEEPER BOX) OR WITHOUT +USING (STD). CHAINING HAS ALREADY BEEN MENTIONED BUT IT REQUIRES LONG STRINGS +OF DIGITS AND SPEECH GETS MORE AND MORE FAINT AS THE CHAIN GROWS, JUST LIKE IT +DOES WHEN YOU STACK TRUNKS BACK AND FORTH ACROSS THE U.S.#THE WAY THE SECURITY +REPS SNAGGED THE PHREAKS WAS TO PUT A SIMPLE 'PRINTERMETER' OR AS WE CALL IT: +A PEN REGISTER ON THE SUSPECTS LINE, WHICH SHOWS EVERY DIGIT DIALED FROM THE +SUBSCRIBERS LINE. + + THE BRITISH PREFER TO GET ONTO THE TRUNKS RATHER THAN CHAINING. ONE WAY WAS +TO DISCOVER WHERE LOCAL CALLS USE THE TRUNKS BETWEEN NEIGHBORING EXCHANGES, +START A CALL AND STAY ON THE TRUNK INSTEAD OF RETURNING TO THE LOCAL LEVEL ON +REACHING THE DISTANT SWITCH. THIS AGAIN REQUIRED EXHAUSTIVE DIALING AND MADE +MORE WORK FOR TITAN; IT ALSO REVEALED 'FIDDLES', WHICH WERE INSERTED BY POST +OFFICE ENGINEERS. + + WHAT FIDDLING MEANS IS THAT THE ENGINEERS REWIRED THE EXCHANGES FOR THEIR OWN +BENEFIT. THE EQUIPMENT IS MODIFIED TO GIVE ACCESS TO A TRUNK WITH OUT BEING +CHARGED, AN OPERATION WHICH IS PRETTY EASY IN STEP BY STEP (SXS) +ELECTROMECHANICAL EXCHANGES, WHICH WERE INSTALLED IN BRITAIN EVEN IN THE 1970S +(NOTE: I KNOW OF A BACK DOOR INTO THE CANADIAN SYSTEM ON A 4A CO., SO IF YOU +ARE ON SXS OR A 4A, TRY SCANNING 3 DIGIT EXCHANGES, IE: DIAL 999,998,997 +ETC.#AND LISTEN FOR THE BEEP-KERCHINK, IF THERE ARE NO 3 DIGIT CODES WHICH +ALLOW DIRECT ACCESS TO A TANDEM IN YOUR LOCAL EXCHANGE AND BYPASSES THE AMA SO +YOU WON'T BE BILLED, NOT HAVE TO BLAST 2600 EVERY TIME YOU WISH TO BOX A CALL. + + A FAMOUS BRITISH 'FIDDLER' REVEALED IN THE EARLY 1970S WORKED BY DIALING 173. +THE CALLER THEN ADDED THE TRUNK CODE OF 1 AND THE SUBSCRIBERS LOCAL NUMBER. AT +THAT TIME, MOST ENGINEERING TEST SERVICES BEGAN WITH 17X, SO THE ENGINEERS +COULD HIDE THEIR FIDDLES IN THE NEST OF SERVICE WIRES. WHEN SECURITY REPS +STARTED SEARCHING, THE FIDDLES WERE CONCEALED BY TONES SIGNALLING: 'NUMBER +UNOBTAINALBE' OR 'EQUIPMENT ENGAGED' WHICH SWITCHED OFF AFTER A DELAY. THE +NECESSARY RELAYS ARE SMALL AND EASILY HIDDEN. + + THERE WAS ANOTHER SIDE TO PHREAKING IN THE UK IN THE SIXTIES. BEFORE STD WAS +WIDESPREAD, MANY 'ORDINARY' PEOPLE WERE DRIVEN TO. + +OCCASIONAL PHREAKING FROM SHEER FRUSTRATION AT THE INEFFICIENT OPERATOR +CONTROLLED TRUNK SYSTEM. THIS CAME TO A HEAD DURING A STRIKE ABOUT 1961 WHEN +OPERATORS COULD NOT BE REACHED. NOTHING COMPLICATED WAS NEEDED. MANY +OPERATORS HAD BEEN IN THE HABIT OF REPEATING THE CODES AS THEY DIALLED THE +REQUESTED NUMBERS SO PEOPLE SOON LEARNT THE NUMBERS THEY CALLED FREQUENTLY. +THE ONLY 'TRICK' WAS TO KNOW WHICH EXCHANGES COULD BE DIALLED THROUGH TO PASS +ON THE TRUNK NUMBER.CALLERS ALSO NEEDED A PRETTY QUIET PLACE TO DO IT, SINCE +TIMING RELATIVE TO CLICKS WAS IMPORTANT THE MOST FAMOUS TRIAL OF BRITISH +PHREAKS WAS CALLED THE OLD BAILY TRIAL.#WHICH STARTED ON 3 OCT. 1973.#WHAT +THEY PHREAKS DID WAS TO DIAL A SPARE NUMBER AT A LOCAL CALL RATE BUT INVOLVING +A TRUNK TO ANOTHER EXCHANGE THEN THEY SEND A 'CLEAR FORWARD' TO THEIR LOCAL +EXCHANGE, INDICATING TO IT THAT THE CALL IS FINISHED;BUT THE DISTANT EXCHANGE +DOESN'T REALIZE BECAUSE THE CALLER'S PHONE IS STILL OFF THE HOOK. THEY NOW +HAVE AN OPEN LINE INTO THE DISTANT TRUNK EXCHANGE AND SENDS TO IT A 'SEIZE' +SIGNAL: '1' WHICH PUTS HIM ONTO ITS OUTGOING LINES NOW, IF THEY KNOW THE +CODES, THE WORLD IS OPEN TO THEM. ALL OTHER EXCHANGES TRUST HIS LOCAL EXCHANGE +TO HANDLE THE BILLING; THEY JUST INTERPRET THE TONES THEY HEAR. MEAN WHILE, +THE LOCAL EXCHANGE COLLECTS ONLY FOR A LOCAL CALL. THE INVESTIGATORS + + Page 65 + + + + + The Official Phreaker's Manual + +DISCOVERED THE PHREAKS HOLDING A CONFERENCE SOMEWHERE IN ENGLAND SURROUNDED BY +VARIOUS PHONE EQUIPMENT AND BLEEPER BOXES, ALSO PRINTOUTS LISTING 'SECRET' POST +OFFICE CODES. (THEY PROBABLY GOT THEM FROM TRASHING?) THE JUDGE SAID: "SOME +TAKE TO HEROIN, SOME TAKE TO TELEPHONES" FOR THEM PHONE PHREAKING WAS NOT A +CRIME BUT A HOBBY TO BE SHARED WITH PHELLOW ENTHUSIASTS AND DISCUSSED WITH THE +POST OFFICE OPENLY OVER DINNER AND BY MAIL. THEIR APPROACH AND ATTITUDE TO THE +WORLDS LARGEST COMPUTER, THE GLOBAL TELEPHONE SYSTEM, WAS THAT OF SCIENTISTS +CONDUCTING EXPERIMENTS OR PROGRAMMERS AND ENGINEERS TESTING PROGRAMS AND +SYSTEMS. THE JUDGE APPEARED TO AGREE, AND EVEN ASKED THEM FOR PHREAKING CODES +TO USE FROM HIS LOCAL EXCHANGE!!! + +# $-THE END-$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 66 + + + + + The Official Phreaker's Manual + + Bad as Shit + + Recently, a telephone fanatic in the northwest made an interesting +discovery. He was exploring the 804 area code (Virginia) and found out that +the 840 exchange did something strange. + In the vast majority of cases, in fact in all of the cases except one, he +would get a recording as if the exchange didn't exist. However, if he dialed +804-840 and four rather predictable numbers, he got a ring! + + After one or two rings, somebody picked up. Being experienced at this kind +of thing, he could tell that the call didn't "supe", that is, no charges were +being incurred for calling this number. + (Calls that get you to an error message, or a special operator, generally +don't supervise.) A female voice, with a hint of a Southern accent said, +"Operator, can I help you?" + + "Yes," he said, "What number have I reached?" + + "What number did you dial, sir?" + + He made up a number that was similar. + + "I'm sorry that is not the number you reached." Click. + + He was fascinated. What in the world was this? He knew he was going to +call back, but before he did, he tried some more experiments. He tried the 840 +exchange in several other area codes. In some, it came up as a valid exchange. +In others, exactly the same thing happened -- the same last four digits, the +same Southern belle. Oddly enough, he later noticed, the areas worked in +seemed to travel in a beeline from Washington DC to Pittsburgh, PA. + + He called back from a payphone. "Operator, can I help you?" + + "Yes, this is the phone company. I'm testing this line and we don't seem to +have an identification on your circuit. What office is this, please?" + + "What number are you trying to reach?" + + "I'm not trying to reach any number. I'm trying to identify this circuit." + + "I'm sorry, I can't help you." + + "Ma'am, if I don't get an ID on this line, I'll have to disconnect it. We +show no record of it here." + + "Hold on a moment, sir." + + After about a minute, she came back. "Sir, I can have someone speak to you. +Would you give me your number, please?" + + He had anticipated this and he had the payphone number ready. After he gave +it, she said, "Mr. XXX will get right back to you." + + "Thanks." He hung up the phone. It rang. INSTANTLY! "Oh my God," he +thought, "They weren't asking for my number -- they were confirming it!" + + "Hello," he said, trying to sound authoritative. + + + Page 67 + + + + + The Official Phreaker's Manual + + "This is Mr. XXX. Did you just make an inquiry to my office concerning a +phone number?" + + "Yes. I need an identi--" + + "What you need is advice. Don't ever call that number again. Forget you +ever knew it." + + At this point our friend got so nervous he just hung up. He expected to +hear the phone ring again but it didn't. + + Over the next few days he racked his brains trying to figure out what the +number was. He knew it was something big -- that was pretty certain at this +point. It was so big that the number was programmed into every central office +in the country. He knew this because if he tried to dial any other number in +that exchange, he'd get a local error message from his CO, as if the exchange +didn't exist. + + It finally came to him. He had an uncle who worked in a federal agency. He +had a feeling that this was government related and if it was, his uncle could +probably find out what it was. He asked the next day and his uncle promised to +look into the matter. + + The next time he saw his uncle, he noticed a big change in his manner. He +was trembling. "Where did you get that number?!" he shouted. "Do you know I +almost got fired for asking about it?!? They kept wanting to know where I got +it." + + Our friend couldn't contain his excitement. "What is it?" he pleaded. +"What's the number?!" + +"IT'S THE PRESIDENT'S BOMB SHELTER!" + + He never called the number after that. He knew that he could probably cause +quite a bit of excitement by calling the number and saying something like, "The +weather's not good in Washington. We're coming over for a visit." But our +friend was smart. he knew that there were some things that were better off +unsaid and undone. <> + + + + + + + + + + + + + + + + + + + + + + Page 68 + + + + + The Official Phreaker's Manual + + Chapter 3 + + This chapter is really just a bunch of FACS (pun intended). Here is where +random facts that really have something to do with everything else but nothing +to do with anything else, are presented. They cover various topics such as: +Conferencing, Tracing, Pen registers, Calling cards, and some basic FMF (Fool +the Mother Fuckers). The aspects covered here are very brief and could easily +be covered much more thoroughly, but it is no problem since they are not very +important topics. Something that would make a very nice gift is covered in the +article AT&T forgery. Just make up stationary with AT&T letter head and give +it as a present to your phriends who would appreciate it. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 69 + + + + + The Official Phreaker's Manual + + Phreaking COSMOS + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + COSMOS is Bell's computer for handling information on customer lines, +special services on lines, and orders to change line equipment, disconnect +lines, etc. COSMOS stands for Computerized System for Mainframe Operations. It +is based on the UNIX operating system and, depending upon the COSMOS and upon +your access, has some, many, or no UNIX standard commands. COSMOS is powerful, +but there is no reason to be afraid of it. This article will give some of the +basic, pertinent info on how users get in, account format, and a few other +goodies. + + Password Identification + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + To get onto COSMOS you need a dialup, account, password, and wire center +(WC). Wire centers are two letter codes that tell what section of the COSMOS +you are in. There are different WC's f or different areas and groups of +exchanges. Examples are PB, SR, LK, et c. Sometimes there are accounts that +have no password; obviously such accounts are the easiest to hack. + + Checking It Out + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + Let's suppose you have a COSMOS number which you obtained one way or +another. The first thing to do would be to make sure it is really a COSMOS +system, not some other Bell or AT&T computer. To do this, you would call it +and connect your modem,, then hit some returns until you got a response. It +should say: + + ';LOGIN:' or 'NAME:'. + If you enter some garbage it should say: +'PASSWORD:'. + If you hit a return and it says 'WC?', it is a COSMOS system. If it says +something like 'TA%' then you're in business. If it doesn't do any of the +above, then it is either some other kind of system, or, if you're not getting +anything at all, the dialup has probably gone bad. + + Getting In + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + COSMOS has certain accounts that are usually on the system, one of which +might not have a password. They consist of ROOT (most powerful and almost +always on the system), SYS (second most powerful, still many privileges), BIN +(a little less power), PREOP (a little less), and COSMOS (hardly any +privileges, like a normal user). The way to tell if they have passwords is by +entering accounts at the ';LOGIN:' or ' NAME:' prompt, and if it jumps straight +to 'WC?', all you need is a WC to get in. But suppose all of the accounts have +passwords? You have two choices. You can try to hack the password and WC to +one of the above accounts. I won't deal with this method, as is +self-explanatory. Or you can do something I find much easier...call the +COSMOS during business hours and hope that someone forgot to log off. Keep +calling until when you connect and hit return until you get a 'WC%' prompt. +'WC' is the WC that the account you found is currently in. You are now in! + + What to Do while on-line + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + + Page 70 + + + + + The Official Phreaker's Manual + + The first thing you want to do is write down the WC you are in. Only on our +first login it is a good idea to print everything or dump everything to a +buffer. + + Commands + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +'WCFLDS'(!) : Should list all WC's. +'WHO' : Should print everyone currently logged on the system, giving +some accounts. +'TTY' : Tells what terminal port you are on. +'WHERE' : Should tell the location of the COSMOS installation. +'WHAT' : Tells what version of COSNIX, COSMOS's operating system, it +is. +'LS *' : Prints all the files you have access to. +'CD /dir' : Connects you to the directory '/dir'. +'CAT filename ' : Prints the file 'filename'. +'Q' : Quits the editor. +CTRL- Y. : Logs off +'TAT' : Sometimes prints a little help file. +'ISH' : Check someone's telefone #, type 'ISH' at the COSMOS 'WC%' +prompt. Then type. +'HTN XXX-XXXX' : (Hunt Telephone Number) to tell you about the local number +you are interested in. + +'CAT /ETC/PASSWD': Prints out the password file, if you have access. The +passwords are almost always encrypted, but you get a list of all the accounts. +If you are lucky, one of the lines will have two colons after the account name. +This means there is no prompt from the ';LOGIN:' or 'NAME:' prompts when you +enter that account. + +To run a file just type the name followed by a return. + + When the system gives you a '-', you type a '.', and it will type all kinds +of info on the phone number you entered (in Bell abbreviations, of course). If +it is not a good exchange, it will say something to that effect. You type a +period to end the ISH. + If you wish to learn more information about COSMOS, find yourself a COSMOS +manual or look at future issues of 2600. A UNIX manual would also be helpful +for standard UNIX commands. + + + + + + + + + + + + + + + + + + + + + Page 71 + + + + + The Official Phreaker's Manual + + FACS FACTS + A LOOK AT THE NEW FACS SYSTEMS + BY SHARP RAZOR + + + BELL ATLANTIC (AND PROBABLY THE REST OF THE U.S. SOON ENOUGH) IS REVAMPING +COSMOS. THE PROJECT IS CALLED FACS (FACILITATED ASSIGNMENT AND CONTROL +SYSTEM).FACS IS COMPOSED OF 5 MODULES WHICH ARE DESIGNED TO FUNCTION AS A +UNIFIED SYSTEM. THE PREMIS AND THE COSMOS SYSTEMS CAN FUNCTION AS ST AND-ALONE +SYSTEMS.THE FIVE PARTS OF FACS ARE PREMIS,SOAC, LFACS,COSMOS,AND THE WM. + + THE PREMIS (PREMISES INFORMATION SYSTEM) SUPPORTS BOTH RESIDENCE AND +BUSINESS ACCOUNTS. PREMIS IS USED FOR VARIOUS INQUIRIES FOR THE STREET ADDRESS +GUIDE(SAG),IE::PHONE NUMBERS,BILLING CHARGES,CREDIT,ETC. + + THE SECOND PART OF FACS IS THE SOAC(SERVICE ORDER ANALYSIS AND CONTROL). +THIS IS PRIMARILY USED TO INPUT SERVICE ORDER DATA INTO FACS, AND TO GET THE +APPROPRIATE OUTPUT. SOAC INTERPRETS, VALIDATES,AND DECOMPOSES ALL INPUTED DATA +AND SENDS THE INFO TO THE COSMOS AND THE LFACS SYSTEMS. + + THE THIRD PART OF THE SYSTEM IS LFACS(LOOP FACILITIES AND CONTROL SYSTEM). +THIS IS THE COMPONENT OF FACS THAT IS RESPONSIBLE FOR MAINTAINING THE +INVENTORY,DOING THE ASSIGNMENTS, ADMINISTRATING INQUIRIES AND REPORTS, AND IS +THE INVENTORY TRANSFORMATION CENTER. THIS PART OF FACS WILL BE MOSTLY USED FOR +AIDING THE AT&T LINEMEN. + + THE COSMOS SYSTEM(COMPUTER SYSTEM FOR MAINFRAME OPERATIONS) COMPRISES THE +FOURTH PART OF THE FACS SYSTEM. COSMOS IS THE COMPONENT OF FACS THAT IS +RESPONSIBLE FOR MAINTAINING THE MECHANIZED INVENTORY OF MDF FACILITIES,STORING +CUSTOM CALL FEATURES(IE:SPEED DIALING NUMBERS),AND OTHER MISC. INFO. + + THE FIFTH AND LAST PIECE OF THE FACS SYSTEM IS THE WORK MANAGER (WM). HIS +COMPONENT SERVES AS THE FRONT-END PROCESSOR FOR COSMOS. IT ENABLES A NUMBER OF +COSMOS COMPUTERS TO RELIABLY COMMUNICATE WITH THE OTHER FACS COMPONENTS. WM +SERVES AS THE MESSAGES SWITCHING SYSTEM FOR THE FACS PIECES, AND GENERALLY IS +THE "MESSENGER AND STABILIZER" OF THE SYSTEM. + + THE HARDWARE THAT WILL RUN THIS FACS SYSTEM IS: + COSMOS: 22-WECO. 3B-20S MINI COMPS. + WM: 6-WECO. 3B-20S MINI COMPS. + SOAC-LFACS-PREMIS: TWO SPERRY UNIVAC 1100/92 MAINFRAMES. + BANCS 2 THP CYBER 1000 PROCESSORS. + + THE FACS SYSTEM IS STARTING UP AT THIS VERY MOMENT. THIS IS BASICALLY A +BROAD VIEW OF THE FACS SYSTEM. AT&T SEEMS TO THINK THAT FACS WILL BE MORE +EFFICIENT,SAVE THEM MONEY IN THE LONG RUN, AND SAVE THEM WORKERS(HERE COME SOME +MASSIVE LAYOFFS!) WHAT THIS MEANS TO PHREAKERS AND HACKERS IS THAT YOU WILL NOW +HAVE AT LEAST FIVE DIAL-UPS IN AN AREA CODE WITH WHICH YOU CAN PHUCK WITH +AT&T! + + ..LATER.. + ..SHARP RAZOR>> + THE LEGION OF DOOM! +(NOTE: THE FACS SYSTEM HAS RECENTLY BEEN PUT INTO OPERATION(SUMMER 84) IN +ST.LOUIS MISSOURI) + + + + + Page 72 + + + + + The Official Phreaker's Manual + + Telenet + + It seems that not many of you know that Telenet is connected to about 80 +computer-networks in the world. No, I don't mean 80 nodes, but 80 networks with +thousands of unprotected computers. When you call your local Telenet- gateway, +you can only call those computers which accept reverse-charging- calls. + If you want to call computers in foreign countries or computers in USA which +do not accept R-calls, you need a Telenet-ID. Did you ever notice that you can +type ID XXXX when being connected to Telenet? You are then asked for the +password. If you have such a NUI (Network-User-ID) you can call nearly every +host connected to any computer-network in the world. Here are some examples: + +026245400090184 :Is a VAX in Germany (Username: DATEXP and leave mail for +CHRIS !!!) +0311050500061 :Is the Los Alamos Integrated computing network (One of the +hosts connected to it is the DNA (Defense Nuclear Agency)!!!) +0530197000016 :Is a BBS in New Zealand +024050256 :Is the S-E-Bank in Stockholm, Sweden (Login as GAMES !!!) +02284681140541 :CERN in Geneva in Switzerland (one of the biggest nuclear +research centers in the world) Login as GUEST +0234212301161 :A Videotex-standard system. Type OPTEL to get in and use the +ID 999_ with the password 9_ +0242211000001 :University of Oslo in Norway (Type LOGIN 17,17 to play the +Multi-User-Dungeon !) +0425130000215 :Something like ITT Dialcom, but this one is in Israel ! ID +HELP with password HELP works fine with security level 3 +0310600584401 :Is the Washington Post News Service via Tymnet (Yes, Tymnet is +connected to Telenet, too !) ID and Password is: PETER You can read the news +of the next day ! + +The prefixes are as follows: +02624 is Datex-P in Germany +02342 is PSS in England +03110 is Telenet in USA +03106 is Tymnet in USA +02405 is Telepak in Sweden +04251 is Isranet in Israel +02080 is Transpac in France +02284 is Telepac in Switzerland +02724 is Eirpac in Ireland +02704 is Luxpac in Luxembourg +05252 is Telepac in Singapore +04408 is Venus-P in Japan +...and so on... Some of the countries have more than one +packet-switching-network (USA has 11, Canada has 3, etc). + +OK. That should be enough for the moment. As you see most of the passwords are +very simple. This is because they must not have any fear of hackers. Only a few +German hackers use these networks. Most of the computers are absolutely easy to +hack !!! So, try to find out some Telenet-ID's and leave them here. If you need +more numbers, leave e-mail. +I'm calling from Germany via the German Datex-P network, which is similar to +Telenet. We have a lot of those NUI's for the German network, but none for a +special Tymnet-outdial-computer in USA, which connects me to any phone #. + +CUL8R, Mad Max + +PS: Call 026245621040000 and type ID INF300 with password DATACOM to get more + + Page 73 + + + + + The Official Phreaker's Manual + +Informations on packet-switching-networks ! + +PS2: The new password for the Washington Post is KING !!!! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 74 + + + + + The Official Phreaker's Manual + + Phreaking AT&T Cards + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + My topic will deal with using an AT&T calling card for automated calls. Ok +to place a call with an AT&T card, lift the handset (PAY PHONE) hit (0) and the +desired area code and the number to call. Also when calling the same number +that the card is being billed to you enter the phone number and at the tone +only enter the last four digits on the card. But we don't want to do that now, +do we. If additional calls are wanted all you do is hit the (#) and you will +get a new dial tone! After you hit (#) you do not have to re-enter the calling +card number simply enter your desired number and it will connect you. + If the number you called is busy just keep hitting (#) and the number to be +called until you connect! Ok to calL the U.S. of a from another country, you +use the exact same format as described above! + Ok now I will describe the procedure for placing calls to a foreign +country, such as CANADA,RUSSIA,SOUTH AMERICA, etc.. Ok first lift the handset +then enter (01) + the country code + the city code + the local telephone +number. Ok after you get the tone enter the AT&T calling card number. Ok if you +can not dial operator assisted calls from your area don't worry just jingle the +operator and she will handle your call, don't worry she can't see you! + The international number on the AT&T calling card is used for calling the +US of A from places like RUSSIA, CHINA you never know when you might get stuck +in a country like those and you have no money to make a call! The international +operator will be able to tell you if they honor the AT&T calling card. + Well I hope that this has straightened out some of your problems on the use +of an AT&T calling card! All you have to remember is that weather you are +placing the call or the operator, be careful and never use the calling card +from your home phone!! That is a BIG NO NO.. + + Also AT&T has came out with a new thing called (NEW CARD CALLER SERVICE) +they say that it was designed to meet the public's needs! These phones will be +popping up in many place such as airport terminals, hotels, etc... What the new +card caller service is, is a new type of phone that has a (CRT) screen that +will talk to you in a language of your choice. The service works something +like this, when you find a (NEW CARD CALLER PHONE), all you do is follow the +instructions on the (CRT) screen, then you insert the (NEW CARD CALLER CARD) +and there is a strip of magnetic tape on the card which reads the number, thus +no one can hear you saying your number or if there were a bug in the phone,no +touch tones will be heard!! You can also bill the call to a third party. that +is one that I am not totally clear on yet! The phone is supposed to tell you +how it can be done. That is after you have inserted your card and lifted the +receiver! + + + + + + + + + + + + + + + + + + Page 75 + + + + + The Official Phreaker's Manual + + :%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%: + :% %: + :% AT&T FORGERY %: + :% Written by The Blue Buccaneer %: + :% %: + :% CALL THE EVERLASTING SPEED DEMON BBS AT (415) 522-3074 %: + :% Uploaded by Elric of Imrryr of Lunatic Labs UnLtd %: + :%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%: + + +Here is a very simple way to either: + +[1] Play an incredibly cruel and realistic joke on a phreaking friend. + -OR- +[2] Provide yourself with everything you ever wanted to be an AT&T person. + + All you need to do is get your hands on some AT&T paper and/or business +cards. To do this you can either go down to your local business office and +swipe a few or call up somewhere like WATTS INFORMATION and ask them to send +you their information package. They will send you: +1. A nice letter (with the AT&T logo letterhead) saying "Here is the info." +2. A business card (again with AT&T) saying who the sales representative is. +3. A very nice color booklet telling you all about WATTS lines. +4. Various billing information. (Discard as it is very worthless) + + Now take the piece of AT&T paper and the AT&T business card down to your +local print/copy shop. Tell them to run you off several copies of each, but to +leave out whatever else is printed on the business card/letter. If they refuse +or ask why, take your precious business elsewhere. +(This should only cost you around $2.00 total) + + Now take the copies home and either with your typewriter, MAC, or Fontrix, +add whatever name, address, telephone number, etc. you like. (I would recommend +just changing the name on the card and using whatever information was on there +earlier) + + And there you have official AT&T letters and business cards. As mentioned +earlier, you can use them in several ways. Mail a nice letter to someone you +hate (on AT&T paper..hehehe) saying that AT&T is onto them or something like +that. (Be sure to use correct English and spelling) (Also do not hand write +the letter! Use a typewriter! - Not Fontrix as AT&T doesn't use OLD ENGLISH or +ASCII BOLD when they type letters. Any IBM typewriter will do perfectly) + + Another possible use (of many, I guess) is (if you are old enough to look +the part) to use the business card as some sort of fake id. + + The last example of uses for the fake AT&T letters & b.cards is mentioned in +my textfile, BASIC RADIO CALLING. Briefly, send the station a letter that +reads: + WCAT - FM202: (Like my examples? Haha!) +(As you probably know, radio stations give away things by accepting the 'x' +call. (ie: The tenth caller through wins a pair of Van Halen tickets) Sometimes +they may ask a trivia question, but that's your problem. Anyway, the letter +continues:) + (You basically say that they have become so popular that they are getting too +many calls at once from listeners trying to win tickets. By asking them to +call all at the same time is overloading our systems. We do, of course, have +means of handling these sort of matters, but it would require you sending us a + + Page 76 + + + + + The Official Phreaker's Manual + +schedule of when you will be asking your listeners to call in. That way we +would be able to set our systems to handle the amount of callers you get at +peak times..(etc..etc..more BS..But you get the idea, right?) + +Joseph Hakimout +AT&T Telecommunications +East Bumblefuck, Nowheresville 55555 + + + Ok, so it probably won't work (DJs just aren't that dumb, unless you really +do live in Nowheresville), but using AT&T paper and a business card might up +your chances some. + + :-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:- + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 77 + + + + + The Official Phreaker's Manual + + =><---------------------------------><= + => A little something about <= + => Your phone company <= + =><---------------------------------><= + => By Col. Hogan <= + ======================================== + + Ever get an operator who gave you a hard time, and you didn't know +what to do? Well if the operator hears you use a little Bell jargon, she might +wise up. Here is a little diagram (excuse the artwork) of the structure of +operators + +/--------\ /------\ /-----\ +!Operator!-- > ! S.A. ! --->! BOS ! +\--------/ \------/ \-----/ + ! + ! + V +/-------------\ +! Group Chief ! +\-------------/ + + Now most of the operators are not bugged, so they can curse at you, if they +do ask INSTANTLY for the "S.A." or the Service Assistant. The operator does not +report to her (95% of them are hers) but they will solve most of your problems. +She MUST give you her name as she connects & all of these calls are bugged. If +the SA gives you a rough time get her BOS (Business Office Supervisor) on the +line. S/He will almost always back her girls up, but sometimes the SA will get +tarred and feathered. The operator reports to the Group Chief, and S/He will +solve 100% of your problems, but the chances of getting S/He on the line are +nill. + If a lineman (the guy who works out on the poles) or an installation man +gives you the works ask to speak to the Installation Foreman, that works +wonders. + Here is some other bell jargon, that might come in handy if you are having +trouble with the line. Or they can be used to lie your way out of +situations.... + + An Erling is a line busy for 1 hour, used mostly in traffic studies A +Permanent Signal is that terrible howling you get if you disconnect, but don't +hang up. + Everyone knows what a busy signal is, but some idiots think that is the +*Actual* ringing of the phone, when it just is a tone "beeps" when the phone is +ringing, wouldn't bet on this though, it can (and does) get out of sync. + When you get a busy signal that is 2 times as fast as the normal one, the +person you are trying to reach isn't really on the phone, (he might be), it is +actually the signal that a trunk line somewhere is busy and they haven't or +can't reroute your call. Sometimes you will get a Recording, or if you get +nothing at all (Left High & Dry in fone terms) all the recordings are being +used and the system is really overused, will probably go down in a little +while. This happened when Kennedy was shot, the system just couldn't handle the +calls. By the way this is called the "reorder signal" and the trunk line is +"blocked". + One more thing, if an overseas call isn't completed and doesn't generate +any money for AT&T, is is called an "Air & Water Call". + + + + + Page 78 + + + + + The Official Phreaker's Manual + + [ESSENCE OF TELEPHONE CONFERENCING] + [WRITTEN BY:] + [FOREST RANGER] + + TELEPHONE CONFERENCING IS AN EASY WAY OF GETTING MANY FRIENDS TOGETHER AT +ONCE. THIS CAN BE ACCOMPLISHED EASILY WITH LITTLE OR NO TROUBLE WHAT SO EVER. +THE TECHNIQUES THAT I WILL TEACH YOU DO NOT REQUIRE A BLUE BOX OR A TOUCH TONE +PHONE LINE. THE ONLY PREREQUISITE IS THAT YOU HAVE A PHONE THAT HAS A TONE +SWITCH ON IT OR HAVE A HOOKABLE TOUCH TONE KEYPAD. NOW, IF YOU ARE THE PARANOID +TYPE OF PERSON AND REFUSE TO USE YOUR OWN PHONE OUT OF YOUR HOUSE THEN HERE ARE +SOME SIMPLE WAYS OF GETTING CONFERENCES STARTED FROM ANOTHER PHONE. GO TO A +MALL OR A PLACE WHERE YOU KNOW THE PHONE IS BEING PAYED FOR BY THE BUSINESS IT +IS IN. + NOW THERE ARE TWO TO CALL THE CONFERENCE OPERATOR; DIAL "0" TO GET YOUR +LOCAL OPERATOR SO SHE CAN PUT YOU THROUGH TO THE CONFERENCE OPERATOR OR DIAL +THE CONFERENCE OPERATOR DIRECTLY IF YOU HAVE THE NUMBER HANDY. THE SYSTEM YOU +WILL BE LINKED UP TO IS CALLED THE "ALLIANCE" SYSTEM. THERE ARE THREE BRANCHES; +1000,2000,3000. + NOW ONCE YOU HAVE GOTTEN THE CONFERENCE OPERATOR YOU TELL HER YOU WOULD +LIKE TO START A CONFERENCE AND YOU WOULD LIKE TO MAINTAIN CONTROL OF IT. SHE +WILL THEN PROCEED TO ASK YOU FOR YOUR NAME AND NUMBER. YOU WILL THEN GIVE HER A +FAKE NAME AND THE NUMBER OF THE PAY PHONE. SHE WILL HANG UP AND CALL YOU BACK +ONCE SHE HAS CHECKED THE NUMBER. THEY USUALLY DON'T REALIZE IT IS A PAYPHONE SO +DON'T THINK IT WON'T WORK! NOW ONCE THE OPERATOR HAS GIVEN YOU CONTROL YOU WILL +THEN PROCEED TO HACK MY VOICE PHONE AND PUT ME ON THE CONFERENCE. + NOW, THE OTHER WAY OF STARTING A CONFERENCE IN WHICH YOU DON'T GET A LIVE +OPERATOR IS A "PBX". WITH THIS YOU WILL CALL A PBX NUMBER AND YOU WILL THEN +RECEIVE A RECORDING OF A BUSINESS OR OFFICE CO. THEN WHEN THE RECORDING IS OVER +YOU WILL HERE A BEEP...THEN AFTER ABOUT 10-30 SECONDS AFTER THE BEEP YOU WILL +GET A DIAL TONE ON THE ON THE END OF THE PBX. YOU WILL THEN TYPE THE PBX CODE +WHICH WILL THEN RESPOND WITH A RECORDING WELCOMING YOU TO THE CONFERENCING +NETWORK (WHICH WILL IN MOST IF NOT ALL BE THE "ALLIANCE" SYSTEM). + IT WILL BE SELF EXPLANATORY FROM THERE. NOW IF YOU DON'T WISH TO CALL THE +CONFERENCE OPERATOR EITHER WAY ALREADY EXPLAINED THEN THERE IS A WAS OF GETTING +YOUR FRIENDS IN CONFERENCE. THIS IS DONE OVER A LOOP EXTENSION. NO ONE WILL +HAVE CONTROL, BUT YOU WILL STILL BE ON CONFERENCE. THIS IS CALLED THE SEVEN +LINE LOOP EXTENSION. THIS MEANS YOU CAN HAVE UP TO SEVEN MEMBERS, BUT THAT IS +IT! THE NUMBER IS IN LA, CA. 213-206-2820. THE LAST WAY I WILL EXPLAIN TO YOU +IF YOU ARE IN DESPERATE NEED OF A CONFERENCE IS TO GO TO PAY PHONE LIKE I +MENTIONED BEFORE ANY MAKE SURE SOME BUSINESS PAYS THE BILL FOR IT THEN CALL THE +CONFERENCE OPERATOR IN THE FASHIONS MENTIONED AND ASK THE CONFERENCE OPERATOR +TO PLACE CONFERENCE CALLS. + THE WILL THEN ASK FOR THE NUMBERS OF THE PEOPLE TO PUT ON CONFERENCE, YOU +GIVE HER THE NUMBERS AND SHE WILL PUT YOU ALL ON CONFERENCE. WHEN YOU ARE DONE +YOU WILL HANG UP ON HER SO THERE WILL BE NO ONE IN CONTROL.THAT MEANS THE +CONFERENCE WILL BE BILLED TO THE PAYPHONE AND NO ONE CAN BE BLAMED FOR THE +CONFERENCE DUE TO NO ONE BEING IN CONTROL! ***NOTE*** THE CONFERENCE OPERATOR +WILL NOT BE ON WHILE YOU ARE ALL TALKING! REMEMBER THAT CONFERENCES ARE NOT +HARD AND IT IS VERY HARD TO GET ARRESTED ON ONE DUE TO WHAT I HAVE MENTIONED. + + REMEMBER:REACH OUT AND PHREAK SOMEONE! + + + +[TELEPHONE CONFERENCE CONTROLS] + + # - CONTROL MODE + # - 6 PASSES CONTROL + + Page 79 + + + + + The Official Phreaker's Manual + + # - 1 + AREA CODE & NUMBER ADDS + # - 9 SILENT MODE + # - 7 GETS CONFERENCE OPERATOR + * - ENDS CONFERENCE + + + THE "#" IS THE CONTROL KEY ON YOUR CONFERENCES. WHEN YOU PASS CONTROL TO +SOMEONE ELSE HIT THE "#" THEN "6". WAIT FOR THE RECORDING TO SAY ENTER # OF +PERSON TO PASS CONTROL TO, THEN ENTER THE NUMBER OF THE PERSON YOU ARE GOING TO +GIVE CONTROL TO. + TO ADD A PERSON ON TO THE CONFERENCE HIT "#" THEN "1","AREA CODE","NUMBER". +THEN WHEN THE PERSON ANSWERS WAIT FIVE SECONDS THEN HIT THE "#" TO ADD. IF YOU +ARE IN CONTROL OF THE CONFERENCE AND YOU WANT TO HEAR EVERYONE ELSE, BUT YOU DO +NOT WANT TO BE HEARD IT "#" THEN "9" THEN THE "#" TO REJOIN THE CONFERENCE. +REMEMBER AFTER ADDING SOMEONE ON OR PASSING CONTROL TO SOMEONE YOU MUST ALWAYS +HIT THE "#" TO REJOIN THE OTHERS ON CONFERENCE: PASSING CONTROL: "#","6", WAIT +FOR RECORDING TO SAY ENTER NUMBER OF PARTY TO GIVE CONTROL TO THEN ENTER NUMBER +AND HIT "#" TO REJOIN YOUR CONFERENCE.IF YOU EVER WANT TO GET A CONFERENCE +OPERATOR FOR SOME STRANGE REASON THEN HIT "#","7" AND WAIT FOR A CONFERENCE +OPERATOR TO CLICK ON. TO END A CONFERENCE HIT "*". + + WITH HELP FROM: SILICON FALCON, SILVER CONDOR, AND THE ELIMINATOR. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 80 + + + + + The Official Phreaker's Manual + + Phone Tapping + + HERE IS SOME INFO ON PHONE TAPS. I HAVE ENCLOSED A SCHEMATIC FOR A SIMPLE +WIRETAP & INSTRUCTIONS FOR HOOKING UP A TAPE RECORDER CONTROL RELAY TO THE +PHONE LINE. + FIRST I'LL DISCUSS TAPS A LITTLE. THERE ARE MANY DIFFERENT TYPES OF TAPS. +THERE ARE TRANSMITTERS, WIRED TAPS AND INDUCTION TAPS TO NAME A FEW. WIRED AND +WIRELESS TRANSMITTERS MUST BE PHYSICALLY CONNECTED TO THE LINE BEFORE THEY'LL +DO ANY GOOD. ONCE A WIRELESS TAP IS CONNECTED TO THE LINE, IT CAN TRANSMIT ALL +CONVERSATIONS OVER A LIMITED RANGE. THE PHONES IN THE HOUSE CAN EVEN BE +MODIFIED TO PICK UP CONVERSATIONS IN THE ROOM & TRANSMIT THEM TOO! THESE TAPS +ARE USUALLY POWERED OFF THE PHONE LINE, BUT CAN HAVE AN EXTERNAL POWER SOURCE. + WIRED TAPS, ON THE OTHER HAND, NEED NO POWER SOURCE, BUT A WIRE MUST BE +RUN FROM THE LINE TO THE LISTENER OR TO A TRANSMITTER. THERE ARE OBVIOUS +ADVANTAGES OF WIRELESS TAPS OVER WIRED ONES. THERE IS ONE TYPE OF WIRELESS TAP +THAT LOOKS LIKE A NORMAL TELEPHONE MIKE. ALL YOU HAVE TO DO IS REPLACE THE +ORIGINAL MIKE WITH THIS & IT'LL TRANSMIT ALL CONVERSATIONS! + THERE IS AN EXOTIC TYPE OF WIRED TAP KNOWN AS THE 'INFINITY TRANSMITTER' OR +'HARMONICA BUG'. IN ORDER TO HOOK UP ONE OF THESE, YOU NEED ACCESS TO THE +TARGET TELEPHONE. IT HAS A TONE DECODER & SWITCH INSIDE. WHEN IT IS +INSTALLED, SOMEONE CALLS THE TAPPED PHONE & *BEFORE* IT RINGS, BLOWS A WHISTLE +OVER THE LINE. THE X-MITTER RECEIVES THE TONE & PICKS UP THE PHONE VIA A +RELAY. THE MIKE ON THE PHONE IS ACTIVATED SO THE CALLER CAN HEAR ALL +CONVERSATIONS IN THE ROOM. + THERE IS A SWEEP TONE TEST AT 415/BUG-1111 WHICH CAN BE USED TO DETECT ON +OF THESE TAPS. IF ONE OF THESE IS ON YOUR LINE & THE TEST # SENDS THE CORRECT +TONE, YOU'LL HEAR A CLICK. + INDUCTION TAPS HAVE ONE BIG ADVANTAGE OVER TAPS THAT MUST BE PHYSICALLY +WIRED TO THE PHONE. THEY DON'T HAVE TO BE TOUCHING THE PHONE IN ORDER TO PICK +UP THE CONVERSATION. THEY WORK ON THE SAME PRINCIPLE AS THE LITTLE SUCTION-CUP +TAPE RECORDER MIKES YOU CAN GET AT RADIO SHACK. INDUCTION MIKES CAN BE HOOKED +UP TO A TRANSMITTER OR BE WIRED. HERE IS AN EXAMPLE OF INDUSTRIAL ESPIONAGE +USING THE PHONE: + A SALESMAN WALKS INTO AN OFFICE & MAKES A FONE CALL. HE FAKES THE +CONVERSATION, BUT WHEN HE HANGS UP HE SLIPS SOME FOAM-RUBBER CUBES UNDER THE +HANDSET, SO THE FONE IS STILL OFF THE HOOK. THE CALLED PARTY CAN STILL HEAR +ALL CONVERSATIONS IN THE ROOM. WHEN SOMEONE PICKS UP THE FONE, THE CUBES FALL +AWAY UNNOTICED. + I USE A TAP ON MY LINE TO MONITOR WHAT AE-PRO IS DOING WHEN IT AUTO-DIALS, +SINCE IT DOESN'T TAKE ADVANTAGE OF THE HANDSET ON THE APPLE CAT II. I CAN ALSO +HOOK UP THE TAP TO A CASSETTE RECORDER OR AMPLIFIER. HERE IS THE SCHEMATIC: + +-------)!----)!(-------------> + )!( + CAP ^ )!( + )!( + )!( + )!( + ^^^^^---)!(-------------> + ^ 100K + ! + ! THE HITCHHINKERS <%=- + BRING YOUR TOWEL + + + + + + + + + + + + + + + + + + + + + Page 88 + + + + + The Official Phreaker's Manual + + 2600 Magazine's story on the Private Sector Bust + Uploaded by Elric of Imrryr + Lunatic Labs Unlimited + :::::::::::::::::::::::::::::::::::::::::::::::: + +Typed By Shooting Shark : The following article appeared in the August, 1985 +issue of 2600 Magazine. Subscriptions to 2600 are $12 a year for individuals. +Make checks payable to 2600 Enterprises, Inc. Write to: 2600, Box 752, Middle +Island, NY 11953-0752. Their phone number is 516-751-2600. Text of article +follows. + +SEIZED! +2600 Bulletin Board is Implicated in Raid on Jersey Hackers + + On July 12, 1985, law enforcement officials seized the Private Sector BBS, +the official computer bulletin board of 2600 magazine, for "complicity in +computer theft," under the newly passed, and yet untested, New Jersey Statute +2C:20-25. Police had uncovered in April a credit carding ring operated around +a Middlesex County electronic bulletin board, and from there investigated +other North Jersey bulletin boards. Not understanding subject matter of the +Private Sector BBS, police assumed that the sysop was involved in illegal +activities. Six other computers were also seized in this investigation, +including those of Store Manager [perhaps they mean Swap Shop Manager? - +Shark] who ran a BBS of his own, Beowolf, Red Barchetta, the Vampire, NJ Hack +Shack, sysop of the NJ Hack Shack BBS, and that of the sysop of the Treasure +Chest BBS. + + Immediately after this action, members of 2600 contacted the media, who +were completely unaware of any of the raids. They began to bombard the +Middlesex County Prosecutor's Office with questions and a press conference was +announced for July 16. The system operator of the Private Sector BBS attempted +to attend along with reporters from 2600. They were effectively thrown off +the premises. Threats were made to charge them with trespassing and other +crimes. An officer who had at first received them civilly was threatened with +the loss of his job if he didn't get them removed promptly. Then the car was +chased out of the parking lot. Perhaps prosecutor Alan Rockoff was afraid that +he presence of some technically literate reporters would ruin the effect of his +press release on the public. As it happens, he didn't need our help. + + The next day the details of the press conference were reported to the +public by the press. As Rockoff intended, paranoia about hackers ran rampant. +Headlines got as ridiculous as hackers ordering tank parts by telephone from +TRW and moving satellites with their home computers in order to make free phone +calls. These and even more exotic stories were reported by otherwise +respectable media sources. The news conference understandably made the front +page of most of the major newspapers in the US, and was a major news item as +far away as Australia and in the United Kingdom due to the sensationalism of +the claims. We will try to explain why these claims may have been made in this +issue. + + On July 18 the operator of The Private Sector was formally charged +with"computer conspiracy" under the above law, and released in the custody of +his parents. The next day the American Civil Liberties Union took over his +defense. The ACLU commented that it would be very hard for Rockoff to prove a +conspiracy just "because the same information, construed by the prosecutor to +be illegal, appears on two bulletin boards." especially as Rockoff admitted +that "he did not believe any of the defendants knew each other." The ACLU +believes that the system operator's rights were violated, as he was assumed to + + Page 89 + + + + + The Official Phreaker's Manual + +be involved in an illegal activity just because of other people under +investigation who happened to have posted messages on his board. + + In another statement which seems to confirm Rockoff's belief in guilt by +association, he announced the next day that "630 people were being investigated +to determine if any used their computer equipment fraudulently." We believe +this is only the user list of the NJ Hack Shack, so the actual list of those to +be investigated may turn out to be almost 5 times that. The sheer overwhelming +difficulty of this task may kill this investigation, especially as they find +that many hackers simply leave false information. Computer hobbyists all +across the country have already been called by the Bound Brook, New Jersey +office of the FBI. They reported that the FBI agents used scare tactics in +order to force confessions or to provoke them into turning in others. We would +like to remind those who get called that there is nothing inherently wrong or +illegal in calling any ANY BBS, nor in talking about ANY activity. The FBI +would not comment on the case as it is an "ongoing investigation" and in the +hands of the local prosecutor. They will soon find that many on the Private +Sector BBS's user list are data processing managers, telecommunications +security people, and others who are interested in the subject of the BBS, +hardly the underground community of computer criminals depicted at the news +conference. The Private Sector BBS was a completely open BBS, and police and +security people were even invited on in order to participate. The BBS was far +from the "elite" type of underground telecom boards that Rockoff attempted to +portray. + + Within two days, Rockoff took back almost all of the statements he had +made at the news conference, as AT&T and the DoD [Department of Defense - +Shark] discounted the claims he had made. He was understandably unable to find +real proof of Private Sector's alleged illegal activity, and was faced with +having to return the computer equipment with nothing to show for his effort. +Rockoff panicked, and on July 31, the system operator had a new charge against +him, "wiring up his computer as a blue box." Apparently this was referring to +his Novation Applecat modem which is capable of generating any hertz tone over +the phone line. By this stretch of imagination an Applecat could produce a +2600 hertz tone as well as the MF which is necessary for "blue boxing." +However, each and every other owner of an Applecat or any other modem that can +generate its own tones therefore has also "wired up his computer as a blue box" +by merely installing the modem. This charge is so ridiculous that Rockoff +probably will never bother to press it. However, the wording of WIRING UP THE +COMPUTER gives rockoff an excuse to continue to hold onto the computer longer +in his futile search for illegal activity. + + "We have requested that the prosecutors give us more specific +information," said Arthur Miller, the lawyer for The Private Sector. "The +charges are so vague that we can't really present a case at this point." +Miller will appear in court on August 16 to obtain this information. He is +also issuing a demand for the return of the equipment and, if the prosecutors +don't cooperate, will commence court proceedings against them. "They haven't +been particularly cooperative," he said. + + Rockoff probably will soon reconsider taking Private Sector's case to +court, as he will have to admit he just didn't know what he was doing when he +seized the BBS. The arrest warrant listed only "computer conspiracy" against +Private Sector, which is much more difficult to prosecute than the multitude of +charges against some of the other defendants, which include credit card fraud, +toll fraud, the unauthorized entry into computers, and numerous others. + + Both Rockoff and the ACLU mentioned the Supreme Court in their press + + Page 90 + + + + + The Official Phreaker's Manual + +releases, but he will assuredly take one of his stronger cases to test the new +New Jersey computer crime law. by seizing the BBS just because of supposed +activities discussed on it, Rockoff raises constitutional questions. Darrell +Paster, a lawyer who centers much of his work on computer crime, says the New +Jersey case is "just another example of local law enforcement getting on the +bandwagon of crime that has come into vogue to prosecute, and they have +proceeded with very little technical understanding, and in the process they +have abused many people's constitutional rights. What we have developing is a +mini witch hunt which is analogous to some of the arrests at day care centers, +where they sweep in and arrest everybody, ruin reputations, and then find that +there is only one or two guilty parties." We feel that law enforcement, not +understanding the information on the BBS, decided to strike first and ask +questions later. + + 2600 magazine and the sysops of the Private Sector BBS stand fully behind +the system operator. As soon as the equipment is returned, the BBS will go +back up. We ask all our readers to do their utmost to support us in our +efforts, and to educate as many of the public as possible that a hacker is not +a computer criminal. We are all convinced of our sysop's innocence, and await +Rockoff's dropping of the charges. + +NOTE: Readers will notice that our reporting of the events are quite different +than those presented in the media and by the Middlesex County Prosecutor. We +can only remind you that we are much closer to the events at hand than the +media is, and that we are much more technologically literate than the Middlesex +County Prosecutor's Office. The Middlesex County Prosecutor has already taken +back many of his statements, after the contentions were disproven by AT&T and +the DoD. One problem is that the media and the police tend to treat the seven +cases as one case, thus the charges against and activities of some of the +hackers has been extended to all of the charged. We at 2600 can only speak +about the case of Private Sector. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 91 + + + + + The Official Phreaker's Manual + + Chapter 4 + + By now I assume that the reader has a fair idea of what phreaking is, and +know a little bit about how to go about it. From now on, I will assume that +the reader has read all the material before this or understands all the +material covered. Now we will take a journey into the "Basics of +Telecommunications" and learn a little about how everything works, and is +related to everything else. This series of articles is extremely good and +should be read by all levels of phreaks. + As we go further into the advanced world of phreaking, we come closer to the +edge of technology. As we approach it, everything seems to become larger and +more complicated. We notice that many things that were possible aren't +anymore. Blue boxing is starting to become the only method of exploration as +Equal Access looms nearer and nearer. As it stands now, equal access is here, +and many LD services such as Sprint and MCI will be tougher to hack. Extenders +will become more used and abused, which will cause them to get access codes +miles long... + Blue boxing becomes harder as all Bell switching and transmission facilities +go under to CCIS. Then to further complicate things, digital microwave, fiber +optic, and satellite transmission are all coming to be digital and do not +recognize 2600hz for the hang up signal. I predict that around 1990, blue +boxes will be obsolete from all major cities. A new type of box will have to +be invented, or you'll have to get two fone line to phreak with, on to place +the actual call and the other to tap into a COSMOS computer to change the +status of the call from toll to toll-free, ie. 800#. + Well somethings will change for the better, with ISDN you'll get 144k bps +lines and some other neat stuff. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 92 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * BASIC TELECOMMUNICATIONS * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART II * + * * + ************************************************************ + + PREFACE: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN PART II, WE WILL EXPLORE THE VARIOUS SPECIAL BELL#'S, SUCH AS: CN/A, +AT&T NEWSLINES, LOOPS, 99XX #'S, ANI, RINGBACK, AND A FEW OTHERS. + + CN/A: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + CN/A, WHICH STANDS FOR CUSTOMER NAME AND ADDRESS, ARE BUREAUS THAT EXIST SO +THAT AUTHORIZED BELL EMPLOYEES CAN FIND OUT THE NAME AND ADDRESS OF ANY +CUSTOMER IN THE BELL SYSTEM. ALL #'S ARE MAINTAINED ON FILE INCLUDING UNLISTED +#'S. + +HERE'S HOW IT WORKS: + +1) YOU HAVE A # AND YOU WANT TO FIND OUT WHO OWNS IT, E.G. (914) 555-1234. + +2) YOU LOOK UP THE CN/A # FOR THAT NPA IN THE LIST BELOW. IN THE EXAMPLE, THE +NPA IS 914 AND THE CN/A# IS 518-471-8111. + +3) YOU THEN CALL UP THE CN/A # (DURING BUSINESS HOURS) AND SAY SOMETHING LIKE, +"HI, THIS IS JOHN JONES FROM THE RESIDENTIAL SERVICE CENTER IN MIAMI. CAN I +HAVE THE CUSTOMER'S NAME AT 914-555-1234. THAT # IS 914-555-1234." MAKE UP +YOUR OWN REAL SOUNDING NAME, THOUGH. + +4) IF YOU SOUND NATURAL & CHEERY, THE OPERATOR WILL ASK NO QUESTIONS. + + HERE'S THE LIST: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + NPA CN/A # NPA CN/A # + --- ------------ --- ------------ + 201 201-676-7070 517 313-232-8690 + 202 202-384-9620 518 518-471-8111 + 203 203-789-6800 519 416-487-3641 + 204 ****N/A***** 601 601-961-0877 + 205 205-988-7000 602 303-232-2300 + 206 206-382-8000 603 617-787-2750 + 207 617-787-2750 604 604-432-2996 + 208 303-232-2300 605 402-345-0600 + 209 415-546-1341 606 502-583-2861 + 212 518-471-8111 607 518-471-8111 + 213 213-501-4144 608 414-424-5690 + 214 214-948-5731 609 201-676-7070 + 215 412-633-5600 612 402-345-0600 + 216 614-464-2345 613 416-487-3641 + 217 217-525-7000 614 614-464-2345 + 218 402-345-0600 615 615-373-5791 + + Page 93 + + + + + The Official Phreaker's Manual + + 219 317-265-7027 616 313-223-8690 + 301 301-534-11?? 617 617-787-2750 + 302 412-633-5600 618 217-525-7000 + 303 303-232-2300 701 402-345-0600 + 304 304-344-8041 702 415-546-1341 + 305 912-784-9111 703 804-747-1411 + 306 ****N/A***** 704 912-784-9111 + 307 303-232-2300 705 416-487-3641 + 308 402-345-0600 707 415-546-1341 + 309 217-525-7000 709 ****N/A***** + 312 312-769-9600 712 402-345-0600 + 313 313-223-8690 713 713-658-1793 + 314 314-436-3321 714 213-995-0221 + 315 518-471-8111 715 414-424-5690 + 316 816-275-2782 716 518-471-8111 + 317 317-265-7027 717 412-633-5600 + 318 318-227-1551 801 303-232-2300 + 319 402-345-0600 802 617-787-2750 + 401 617-787-2750 803 912-784-9111 + 402 402-345-0600 804 804-747-1411 + 403 403-425-2652 805 415-546-1341 + 404 912-784-9111 806 512-828-2502 + 405 405-236-6121 807 416-487-3641 + 406 303-232-2300 808 212-226-5487 + 408 415-546-1341 BERMUDA ONLY + 412 412-633-5600 809 212-334-4336 + 413 617-787-2750 812 317-265-7027 + 414 414-424-5690 813 813-228-7871 + 415 415-546-1132 814 412-633-5600 + 416 416-487-3641 815 217-525-7000 + 417 314-436-3321 816 816-275-2782 + 418 514-861-6391 817 214-948-5731 + 419 614-464-2345 819 514-861-6391 + 501 405-236-6121 901 615-373-5791 + 502 502-583-2861 902 902-421-4110 + 503 503-241-3440 903 ****N/A***** + 504 504-245-5330 904 912-784-9111 + 505 303-232-2300 906 313-223-8690 + 506 506-657-3855 907 ****N/A***** + 507 402-345-0600 912 912-784-9111 + 509 206-382-8000 913 816-275-2782 + 512 512-828-2501 914 518-471-8111 + 513 614-464-2345 915 512-828-2501 + 514 514-861-6391 916 415-546-1341 + 515 402-345-0600 918 405-236-6121 + 516 518-471-8111 919 912-784-9111 + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + BELL USES THESE #'S MAINLY TO FIND OUT WHO OWNS A # THAT A CUSTOMER CLAIMS +HE NEVER CALLED. + +NOTE: THIS IS THE MOST COMPLETE LIST OF CN/A #'S IN MY POSSESSION (WITH ONLY +5 #'S NOT AVAILABLE) THIS LIST WAS COPYRIGHTED IN 1982 BY "JUDAS GERARD" AS IT +ORIGINALLY APPEARED IN TAP ISSUE #78. + AT&T NEWSLINES: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + NEWSLINES ARE RECORDINGS THAT BELL EMPLOYEES CALL UP TO FIND OUT THE LATEST + + Page 94 + + + + + The Official Phreaker's Manual + +INFO ON STOCK, TECHNOLOGY, ETC. CONCERNING THE BELL SYSTEM. + + HERE ARE THE #'S THAT ARE CURRENTLY KNOWN TO PHREAKS (AT LEAST ME, ANYWAY): + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + 201-483-3800 NJ 513-421-9060 OH + 203-771-4920 CT 516-234-9914 NY + 212-393-2151 NY 518-471-2272 NY + 213-621-4141 CA 617-955-1111 MA + 213-829-0111 CA (GTE) 702-789-6711 NV + 213-449-8830 CA 713-224-6116 TX + 312-368-8000 IL 714-238-1111 CA + 313-223-7223 MI 717-255-5555 PA + 314-247-5511 MO 717-787-1031 PA + 408-493-5000 CA 802-955-1111 VE + 412-633-3333 PA 808-533-4426 HI + 414-678-3511 WI 813-223-5666 FL + 416-929-4323 ONT. 914-948-8100 NY + 503-228-6271 OR 916-480-8000 CA + + LOOPS + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + FIRST OF ALL, YOU MUST UNDERSTAND THE CONCEPT OF LOOPS. I THINK THAT THE +BEST WAY THAT THIS IS UNDERSTOOD IS THE WAY THAT PHRED PHREEK EXPLAINED IT... + + "NO SELF-RESPECTING PHONE PHREAK CAN GO THROUGH LIFE WITHOUT KNOWING WHAT A +LOOP IS, HOW TO USE ONE, AND THE TYPES THAT ARE AVAILABLE. THE LOOP IS A GREAT +ALTERNATIVE COMMUNICATION MEDIUM THAT HAS MANY POTENTIAL USES THAT HAVEN'T EVEN +BEEN TAPPED YET. IN ORDER TO EXPLAIN WHAT A LOOP IS, IT WOULD BE HELPFUL TO +VISUALIZE TWO PHONE NUMBERS (LINES) JUST FLOATING AROUND IN THE TELCO CENTRAL +OFFICE (CO). NOW, IF YOU (AND A FRIEND PERHAPS) WERE TO CALL THESE TWO NUMBERS +AT THE SAME TIME, POOOOPFFF!!!, YOU ARE NOW CONNECTED TOGETHER. I HEAR WHAT +YOU'RE SAYING OUT THERE..., "BIG DEAL" OR "WHY SHOULD MA BELL COLLECT HERE TWO +MSU'S (MESSAGE UNITS) FOR ONE LOUSY PHONE CALL!?" WELL... THINK AGAIN. HAVEN'T +YOU EVER WANTED SOMEONE TO CALL YOU BACK BUT, WERE RELUCTANT TO GIVE OUT YOUR +HOME PHONE NUMBER (LIKE THE LAST TIME YOU TRIED TO GET YOUR FRIEND'S UNLISTED # +FROM THE BUSINESS OFFICE)? OR HOW ABOUT A COLLECT CALL TO YOUR FRIEND WAITING +ON A LOOP, WHO WILL GLADLY ACCEPT THE CHARGES? OR BETTER YET, STUMBLING UPON A +LOOP THAT YOU DISCOVER THAT HAS MULTI-USER CAPABILITY (FOR THOSE LATE-NIGHT +CONFERENCES). BEST OF ALL IS FINDING A NON-SUPERVISED LOOP THAT DOESN'T CHARGE +ANY MSU'S OR TOLLS TO ONE OR BOTH PARTIES. EXAMPLE: MANY MOONS AGO, A LOOP +AFFECTIONATELY KNOWN AS 'THE 332 LOOP' WAS NON-SUP (IE, NON-SUPERVISED) ON THE +TONE SIDE. I HAD MY FRIEND IN CALIFORNIA DIAL THE FREE (NON-SUP) SIDE, (212) +332-9906 AND I DIALED THE SIDE THAT CHARGED, 332-9900. AS YOU CAN SEE, I WAS +CHARGED ONE MSU, AND MY FRIEND AS CHARGED ZILCH, FOR AS LONG AS WE WISHED TO +TALK!!!" + + ********** + + AHHH...HAVE I PERKED YOUR INTEREST YET? IF SO, HERE IS HOW TO FIND A LOOP +OF YOU VERY OWN. FIRST, DO ALL OF YOU LOOP SEARCHING AT NIGHT! THIS IS BECAUSE +THE LOOPS SERVE A GENUINE TEST FUNCTION WHICH TELCO USES DURING THE DAY. (WE +DON'T WANT TO RUN INTO AN IRATE LINEMAN NOW, DO WE?) TO FIND A LOOP, HAVING 2 +#'S IS A DEFINITE PLUS. IF NOT, HAVE A FRIEND TO DIAL #'S AT HIS LOCATION. +LAST RESORT, TRY DIALING FROM TWO ADJACENT PAY PHONES. NOW GET YOUR TRUSTY +WHITE PAGES (*), AND TURN TO THE PAGE WHERE IT LISTS THE # OF MSU'S FROM YOUR +EXCHANGE (OR EXCHANGES IN YOUR PRIMARY CALLING AREA) THE IDEA IS TO FIND A LOOP + + Page 95 + + + + + The Official Phreaker's Manual + +THAT IS WITHIN YOUR PRIMARY CALLING AREA OR IS ONLY 1 MSU IN YOUR AREA (CALL +AREA A). THIS IS SO YOU DON'T GO BANKRUPT TRYING TO FIND A LOOP. WRITE DOWN ALL +OF THESE EXCHANGES AND DO A 99XX SCAN OF THOSE EXCHANGES (99XX SCANNING WILL BE +DISCUSSED SHORTLY). + + BEFORE WE GET UP TO 99XX SCANNING, WE WILL LOOK AT SOME OTHER LOOP INFO: + + LOOPS ARE FOUND PAIRS WHICH ARE USUALLY CLOSE TO EACH OTHER. FOR EXAMPLE, +IN NPA 212, WHERE THE INFAMOUS LOOPS ARE FOUND, THERE IS A STANDARD LOOP +FORMAT: + +MANHATTAN & BRONX-------NNX-9977/9979 +BROOKLYN & QUEENS-------NNX-9900/9906 + + NNX IS THE EXCHANGE TO BE SCANNED. HERE ARE SOME LOOPS THAT HAVE BEEN FOUND +IN NYC. THESE ARE USED MOSTLY BY PHREAKS AND CALL-IN LINES FOR PIRATE RADIO +STATIONS: + +212-220-9900/9906 +212-283-9977/9979 +212-352-9900/9906 +212-365-9977/9979 +212-529-9900/9906 +212-562-9977/9979 +212-982-9977/9979 +212-986-9977/9979 + + THE LOWER # IS THE TONE SIDE (SINGING SWITCH). THE HIGHER # IS ALWAYS +SILENT. THE TONE DISAPPEARS ON THE LOWER # WHEN SOMEBODY DIALS IN THE OTHER +SIDE OF THE LOOP. IF YOU ARE ON THE HIGHER #, YOU'LL HAVE TO LISTEN TO THE +CLICKS TO SEE IF SOMEBODY DIALED-IN. THE NYC 982 & 986 LOOPS ARE DIFFERENT +FROM OTHERS. USUALLY WHEN YOU PARK ON A LOOP, YOU WILL HEAR WHO EVER CALLS IN +ON THE OTHER HALF. WHEN THEY'RE DONE, THE NEXT CALLER (IF ANY) WILL BE QUEUED +IN, ONE AFTER ANOTHER. ON THE NYC 982 & 986, YOU SOMETIMES CAN'T GET ANY MORE +CALLERS IN AFTER THE FIRST. FURTHERMORE, IF YOU PARK ONE OF THESE LOOPS AND +THERE IS NOBODY ON THE OTHER END FOR MORE THAN 4 MINUTES, YOU MAY BE +AUTOMATICALLY DISCONNECTED. THESE LOOPS ARE GOOD FOR BACK-UP PURPOSES WHEN ALL +OTHER LOOPS ARE BUSY. + + 99XX SCANNING: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + MOST EVERY EXCHANGE IN THE BELL SYSTEM HAS A WIDE VARIETY OF TEST #'S AND +OTHER "GOODIES," SUCH AS LOOPS. THESE "GOODIES" ARE USUALLY FOUND BETWEEN 9900 +AND 9999 IN YOUR LOCAL EXCHANGE. IF YOU HAVE THE TIME AND INITIATIVE, SCAN +YOUR EXCHANGE AND YOU MAY BECOME LUCKY! + +HERE ARE MY FINDINGS IN THE 914-268: + +9901 - VERIFICATION (RECORDING OF A/C AND EXCHANGE) +9936 - VOICE # TO THE TELCO CO +9937 - VOICE # TO THE TELCO CO +9941 - CARRIER +9960 - OSC. TONE (TONE SIDE LOOP) +9963 - TONE (STOPS: MUTED) +9966 - CARRIER +9968 - TONE THAT DISAPPEARS--RESPONDS TO CERTAIN TOUCH-TONE KEYS + + + Page 96 + + + + + The Official Phreaker's Manual + + MOST OF THE #'S BETWEEN 9900 & 9999 WILL RING, BE BUSY, GO TO A SPECIAL +INTERCEPT OPERATOR ("WHAT #, PLEASE?"), OR WILL GO TO A "THE # YOU HAVE +REACHED..." RECORDING. WHAT YOU FIND DEPENDS UPON THE SWITCHING EQUIPMENT IN +THE EXCHANGE AND THE TELCO OPERATING COMPANY. + + WHEN SEARCHING FOR LOOPS, YOU MAY FIND ONE OF THE FOLLOWING POSSIBILITIES +WHEN YOU FIND ONE: + +1. YOU CAN HEAR THROUGH THE LOOP (NOT MUTED), BUT THERE IS A 1/2 SECOND CLICK +EVERY 10 SECONDS THAT INTERRUPTS THE AUDIO. THIS TYPE IS GOOD FOR BACK-UP USE +BUT THE FUCKING CLICK IS SUPER ANNOYING. + +2. ONE SIDE OF THE LOOP IS BUSY; TRY IT AGAIN LATER. + +3. THE TONE DISAPPEARS, BUT YOU CANNOT HEAR THROUGH IT (THE LOOP IS MUTED, TRY +AGAIN IN A MONTH OR SO) + +4. YOU GET "THE # YOU HAVE REACHED RECORDING." NO LOOP HERE! + + MOST LOOPS ARE MUTED (#3), BUT THEIR STATUS DOES CHANGES FROM TIME-TO-TIME. +IT ALL DEPENDS IF THE TELCO MAINTENANCE PERSONNEL REMEMBER TO "THROW THE +SWITCH", IE, TURN OFF THE LOOP. + + SINCE I HAVE DONE THE ABOVE 914-268 99XX SCAN, CONGERS (268) HAS INSTALLED +NEW SWITCHING EQUIPMENT (DMS100). SOME OF THE NUMBERS ARE THE SAME, BUT I HAVE +NOTICED THAT ON THE DMS100, THE RECORDINGS ARE ALSO STORED IN THIS AREA. +268-9903, 9906, 9909, & 9912 ARE ALL DIFFERENT RECORDINGS. ALSO, THERE ARE 2 +FORTRESS FONE RECORDINGS AT 268-9911 (DEPOSIT 5 CENTS OR ELSE) AND 268-9913 +(DEPOSIT 10 CENTS). NONE OF THESE RECORDINGS SUPE AND ALOT OF OTHER 99XX#'S +DON'T SUPE EITHER. + + IN SOME AREAS (LIKE MD), 9906-7 IS RINGBACK. IN WASHINGTON, THERE IS A +SWEEP TONE TEST AT (202) 560-9944. IN NYC (212), YOU'LL FIND THE INFAMOUS LOOP +LINES (AS MENTIONED ABOVE). + IT WILL BE EASIER TO SCAN YOUR EXCHANGE IF YOU MAKE UP A CHART LIKE THE ONE +BELOW: + + + NPA-NNX-99XX SCAN + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + _________________________________________________________ + | 99X X>|0 |1 |2 |3 |4 |5 |6 |7 |8 |9 | + |_______|____|____|____|____|____|____|____|____|____|____| + | 990 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 991 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 992 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 993 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 994 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 995 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 996 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + + Page 97 + + + + + The Official Phreaker's Manual + + | 997 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 998 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 999 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THIS LEAVES YOU WITH 100 BOXES (1 FOR EACH # BETWEEN 9900 & 9999). YOU +SHOULD MAKE YOUR BOXES BIG ENOUGH SO YOU CAN WRITE SOME SORT OF SHORTHAND IN +THEM. FOR EXAMPLE: + +B - BUSY (TRY AGAIN AT ANOTHER TIME) +R - RINGS (TRY AGAIN AT ANOTHER TIME) +O - INTERCEPT OPERATOR ("WHAT # YOU CALLING?) +R1- RECORDING 1 (MAKE A MARGIN NOTE OF THE TYPES OF RECORDINGS YOU GET) +T - TONE ] TONE AT A LOWER # + IGNORE +I - IGNORE ] AT A HIGHER # = LOOP +V - VOICE # TO TELCO CO - THEY USUALLY ANSWER WITH THE CITY NAME OR AREA. +C - CARRIER + + THERE WILL BE OTHERS AND YOU SHOULD USE OTHER CHARACTERS THAT YOU CAN +UNDERSTAND. + + NOW, BACK TO LOOPS! AS YOU MAY HAVE NOTICED IN MY 914-268 SCAN, I FOUND A +MUTED LOOP AND A TONE SIDE. 914-268 FAILED TO COME UP WITH THE SILENT SIDE OF +A LOOP! THEREFORE, THERE IS NO LOOP IN THAT EXCHANGE. I THEN SCANNED ANOTHER +EXCHANGE IN MY PRIMARY CALLING AREA (914-634) AND I FOUND A LOOP!! "(914) +634-9923/9924" SO, IF AT FIRST YOU DON'T SUCCEED, MOVE ONTO ANOTHER EXCHANGE. +IF YOU USE THE BOX METHOD THAT I HAVE OUTLINED ABOVE, YOU WILL SEE A "T" & "I" +NEXT TO EACH OTHER FOR A LOOP. + SOME EXCHANGES ARE SPECIAL. FOR EXAMPLE, 914-623 IS A TESTING BUREAU. IN +THIS EXCHANGE, NOT ONLY DID I FIND A LOOP, BUT I ALSO FOUND SEVERAL INTERESTING +TONES, NOISES, AND OTHER TEST FUNCTIONS. ALSO, THE MORE IMPORTANT THE EXCHANGE +IS, THE MORE YOU WILL FIND. FOR EXAMPLE, IN 914-623, I FOUND WELL OVER 10 VOICE +#'S! + ALSO, LOOPS ARE USUALLY, BUT NOT EXCLUSIVELY, FOUND IN THE 99XX SERIES. FOR +EXAMPLE: "(713) 324-1799/1499" IS A LOOP. + +THE PERFECT LOOP? HERE IS WHAT I WOULD LOOK FOR: + +1. NON-SUP ON ONE OR BOTH SIDES. TO CHECK FOR A NON-SUP LOOP, GO TO A +TONE-FIRST FORTRESS FONE AND DIAL THE #. IF IT ASKS FOR A DIME, IT IS +SUPERVISED. IF THE CALL GOES THROUGH, THEN IT IS NON-SUPED! + +2. 800 LOOPS WOULD BE A PLUS. THEY ARE NOT NECESSARILY FOUND BETWEEN 9900 & +9999 THOUGH. I WOULD CHECK THE 1XXX SERIES FIRST. + +3. MULTI-USER LOOPS ARE ALSO A PLUS FOR THOSE LATE NIGHT CONFERENCES. + + FINALLY, REMEMBER IT IS ONLY A LOCAL CALL TO FIND OUT WHAT YOU CO HAS IN +STORE FOR YOU. IF YOU FIND ANYTHING INTERESTING, BE SURE TO DROP ME A LINE. + + +NOTE: YOUR LOCAL WHITE PAGES CAN BE A VALUABLE ASSET. YOU CAN ALSO ORDER OTHER +FONE BOOKS FROM YOUR BUSINESS OFFICE (USUALLY FREE FOR BOOKS WITHIN YOUR +OPERATING COMPANY'S DISTRICT). A LARGE FONE BOOK, SUCH AS MANHATTAN, CONTAINS + + Page 98 + + + + + The Official Phreaker's Manual + +MUCH MORE INFO IN THE FIRST FEW PAGES THAN OTHER BOOKS. + + ANI + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + AUTOMATIC NUMBER IDENTIFICATION (ANI), IS A NUMBER THAT YOU CALL UP THAT +WILL TELL YOU WHAT # YOU ARE CALLING FROM. + THIS HAS A FEW USES. FIRST, WERE YOU EVER SOMEWHERE AND THE FONE DIDN'T +HAVE A # PRINTED ON IT? OR PERHAPS YOU WERE FOOLING AROUND IN SOME CANS (THOSE +LARGE BOXES ON FONE POLES THAT CONTAIN TERMINALS FOR LINEMAN USE--TO BE +DISCUSSES IN A FUTURE CHAPTER.) AND YOU WANT TO KNOW WHAT WHAT THE LINE # IS. +IN NPA 914, THE ANI IS 990. IN NPA'S 212 & 516, ANI IS 958. THIS VARIES FROM +AREA TO AREA. + +HERE ARE SOME OTHER ANI'S THAT I HAVE SEEN: + +890-751-5191 +202-222-2222 +1-XXX-1111 (IN SOME 914 AREAS, ESP. UNDER STEP-BY-STEP SWITCHING, YOU HAVE +TO DIAL 1-990-1111) + + TO FIND ANI FOR OTHER AREAS, CHECK 3 DIGITS #'S FIRST, USUALLY IN THE 9XX +SERIES (EXCLUDING 911). IN AREAS UNDER STEP-BY-STEP (TO BE DISCUSSED IN THE +NEXT PART), TRY 1-9XX-1111. + ANI MAY ALSO BE IN 99XX. LAST RESORT, TRY TO GET FRIENDLY WITH YOUR +NEIGHBOR WHO WORKS FOR THE FONE COMPANY. + + RING BACK + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + RINGBACK, AS ITS NAME IMPLIES, CALLS BACK THE # YOU ARE AT WHEN YOU DIAL +THE RINGBACK #. RINGBACK, IN NPA 914, IS 660. YOU DIAL 660+THE LAST 4 DIGITS OF +THE FONE. YOU WILL THEN GET A TONE, HANG-UP QUICKLY AND PICK-UP IN ABOUT 2 +SECONDS. YOU WILL THEN GET A SECOND TONE, HANG-UP AGAIN AND THE FONE WILL +RING. + IN NYC, IT IS ALSO 660, BUT YOU MAY HAVE TO PRESS 6 OR 7 BEFORE YOU HANG UP +FOR THE FIRST TIME (IE, AT THE FIRST TONE). + + OTHER RINGBACK #'S THAT I HAVE SEEN ARE: + +26011 - THIS 5 DIGIT FORMAT IS USED PRIMARILY ON STEP-BY-STEP. +THE LAST 2 DIGITS (11) ARE DUMMY DIGITS. + +890-897-XXXX - XXXX ARE THE LAST 4 DIGITS OF THE FONE #. + +119911/11911/1199911 - GTE + +NNX-9906/9907 - NPA 301, NNX IS THE EXCHANGE + + + THE REASON YOU GET THE TONE WHEN YOU PICK-UP AFTER IT RINGS IS BECAUSE IN +SOME AREAS, PEOPLE WERE USING RINGBACK AS AN IN-HOUSE INTERCOM. THEY WOULD +DIAL RINGBACK, AND WHEN IT STOPPED RINGING, THEY WOULD PICK-UP & TALK WITH THE +PERSON WHO PICKED UP THE OTHER EXTENSION. BELL DIDN'T LIKE THIS SINCE THERE IS +USUALLY ONLY 1 PIECE OF EQUIPMENT IN EACH EXCHANGE THAT DOES THE RINGBACK. WHEN +PEOPLE USED THIS AS AN INTERCOM, LINEMEN & REPAIRMEN COULDN'T GET THROUGH! IN +SOME AREAS, ESPECIALLY THOSE UNDER STEP-BY-STEP, RINGBACK CAN STILL BE USED AS +AN INTERCOM. ALSO, UNDER STEP-BY-STEP, THE RINGBACK PROCEDURE IT USUALLY + + Page 99 + + + + + The Official Phreaker's Manual + +SIMPLE. FOR EXAMPLE, IN ONE AREA YOU WOULD DIAL 26011 AND HANG-UP; IT WOULD +THEN RINGBACK. + + TOUCH-TONE TEST: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN AREAS THAT HAVE A TOUCH-TONE TEST, YOU DIAL THE RINGBACK #. AT THE +FIRST TONE, YOU TOUCH-TONE DIGITS 1-0. IF THEY ARE CORRECT IT WILL BEEP +TWICE. +I HAVE ALSO SEEN A TT TEST IN SOME AREAS AT: 890-751-5191 + + COMING SOON: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN THE NEXT PART, WE WILL LOOK AT VARIOUS SWITCHING EQUIPMENT AND THE +NETWORK. + + + BREAK UP OF BELL: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THE OPERATING COMPANIES ARE NOT GOING TO CHANGE ALL THE SWITCHING EQUIPMENT +AROUND. WHILE THERE WILL BE SOME CHANGES, MOST OF THE INFORMATION PROVIDED +HERE WILL REMAIN PERTINENT AFTER JANUARY 1, 1984. JUST SUBSTITUTE THE WORD +"FONE NETWORK" FOR BELL SYSTEM. + + +AU REVOIR, + +*****BIOC +*=$=*AGENT +*****003 + +DECEMBER 8, 1983 + +ACKNOWLEDGEMENTS: TAP, PHRED PHREEK, JUDAS GERARD, THE MAGICIAN, DARK PRIEST, +& MYSELF. I WOULD ALSO LIKE TO THANK THE MULCHER ][ FOR HIS ASSISTANCE IN +DISTRIBUTING THIS TUTORIAL. + + + + + + + + + + + + + + + + + + + + + + Page 100 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART III * + * * + ************************************************************ + +PREFACE: + + IN PART III, WE WILL DISCUSS THE DIALING PROCEDURES FOR DOMESTIC AS WELL AS +INTERNATIONAL DIALING. WE WILL ALSO TAKE A LOOK AT THE TELEPHONE NUMBERING +PLAN. + +NORTH AMERICAN NUMBERING PLAN +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +IN NORTH AMERICA, THE TELEPHONE NUMBERING PLAN IS AS FOLLOWS: + +A) A 3 DIGIT NUMBERING PLAN AREA (NPA) CODE, [IE, AREA CODE] + +B) A 7 DIGIT TELEPHONE # CONSISTING OF A 3 DIGIT CENTRAL OFFICE (CO) CODE PLUS +A 4 DIGIT STATION #. + + THESE 10 DIGITS ARE CALLED THE NETWORK ADDRESS OR DESTINATION CODE. IT IS +IN THE FORMAT OF: + +AREA CODE TELEPHONE # +--------- ----------- + N*X NXX-XXXX + +WHERE: N = A DIGIT FROM 2-9 + * = THE DIGIT 0 OR 1 + X = A DIGIT 0-9 + +AREA CODES +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + CHECK YOUR TELEPHONE BOOK OR THE SEPARATE LISTING OF AREA CODES FOUND ON +MANY BBS'S. HERE ARE THE SPECIAL AREA CODES (SAC'S): + +510 - TWX (USA) +610 - TWX (CANADA) +700 - NEW SERVICE +710 - TWX (USA) +800 - WATS +810 - TWX (USA) +900 - DIAL-IT SERVICES +910 - TWX (USA) + + THE OTHER AREA CODES NEVER CROSS STATE LINES, THEREFORE EACH STATE MUST +HAVE AT LEAST ONE EXCLUSIVE NPA CODE. WHEN A COMMUNITY IS SPLIT BY A STATE +LINE, THE CO #'S ARE OFTEN INTERCHANGEABLE (IE, YOU CAN DIAL THE SAME # FROM 2 +DIFFERENT AREA CODES) + +TWX: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + Page 101 + + + + + The Official Phreaker's Manual + + + TWX (TELEX II) CONSISTS OF 5 TELETYPE-WRITER AREA CODES. THEY ARE OWNED BY +WESTERN UNION. THESE SAC'S MAY ONLY BE REACHED VIA OTHER TWX MACHINES. THESE +RUN AT 110 BAUD. BESIDES THE TWX #'S, THESE MACHINES ARE ROUTED TO NORMAL +TELEPHONE #'S. TWX MACHINES ALWAYS RESPOND WITH AN ANSWERBACK. FOR EXAMPLE, +WU'S FYI TWX # IS (910) 988-5956, THE CORRESPONDING REAL NUMBER TO THIS IS +(201) 279-5956. THE ANSWERBACK FOR THIS SERVICE IS "WU FYI MAWA." + + IF YOU DON'T WANT TO BUY A TWX MACHINE, YOU CAN STILL SEND TWX MESSAGES +USING EASYLINK [800/325-4112 - SEE TUC'S AND MY ARTICLE ENTITLED "HACKING +WESTERN UNION'S EASYLINK] + +700: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + AT THE TIME OF THIS WRITING, THE 700 EXCHANGE DOES NOT YET EXIST. AT&T +PLANS TO USE IT SOON THOUGH. THEY PLAN TO MAKE IT A TYPE OF FANCY CALL +FORWARDING SERVICE. IT WILL BE TARGETED TOWARDS SALESMEN ON THE RUN. + + TO UNDERSTAND HOW IT WORKS, I'LL EXPLAIN IT WITH AN EXAMPLE. LET'S SAY JOE +Q. SALESPIG WORKS FOR AT&T SECURITY AND HE IS ON THE RUN CHASING A PHREAK +AROUND THE COUNTRY WHO ROYALLY SCREWED UP AN IMPORTANT COSMOS SYSTEM. LET'S +SAY THAT JOE'S 700 # IS (700) 382-5968. EVERY TIME JOE GOES TO A NEW HOTEL, HE +DIALS A SPECIAL 700 #, ENTERS A CODE, AND THE # WHERE HE IS STAYING. NOW, IF +HIS BOSS RECEIVED SOME IMPORTANT INFO, ALL HE WOULD DO IS DIAL (700) 382-5968 +AND IT WOULD RING WHEREVER JOE LAST PROGRAMMED IT TO. NEAT, HUH? + +800: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THIS SAC IS ONE OF MY FAVORITES SINCE IT ALLOWS FOR TOLL-FREE CALLS. + +INWARD WATS (INWATS): INWARD WIDE AREA TELECOMMUNICATIONS SERVICE IS THE 800 +#'S THAT WE ARE ALL FAMILIAR WITH. 800 #'S ARE SET UP IN SERVICE AREAS OR +BANDS. THERE ARE 6 OF THESE. BAND 6 IS THE LARGEST AND YOU CAN CALL A BAND 6 +# FROM ANYWHERE IN THE US EXCEPT THE STATE WHERE THE CALL IS TERMINATED (THIS +IS WHY MOST COMPANIES HAVE ONE 800 # FOR THE COUNTRY AND THEN ANOTHER FOR JUST +ONE STATE). BAND 5 INCLUDES THE 48 CONTIGUOUS STATES. ALL THE WAY DOWN TO +BAND 1 WHICH INCLUDES ONLY THE STATES CONTIGUOUS TO THAT ONE. THEREFORE, LESS +PEOPLE CAN REACH A BAND 1 INWATS # THAT A BAND 6 #. + +INTRASTATE INWATS #'S (IE, YOU CAN CALL IT FROM ONLY 1 STATE) ALWAYS HAVE A 2 +AS THE LAST DIGIT IN THE EXCHANGE (IE, 800-NX2-XXXX). THE NXX ON 800 #'S +REPRESENT THE AREA WHERE THE BUSINESS IS LOCATED. FOR EXAMPLE, A # BEGINNING +WITH 800-431 WOULD TERMINATE AT A NEW YORK CO. + +800 #'S ALWAYS END UP IN A HUNT SERIES IN A CO. THIS MEANS THAT IT TRIES THE +FIRST # ALLOCATED TO THE COMPANY FOR THEIR 8P0 LINES; IF THIS IS BUSY IT WILL +THEN TRY THE NEXT #, ETC). YOU MUST HAVE A MINIMUM OF TWO LINES PER EACH 800 +#. FOR EXAMPLE, TRAVELNET USES A HUNT SERIES. IF YOU DIAL (800) 521-8400, IT +WILL FIRST TRY THE # ASSOCIATED WITH 8400; IF IT IS BUSY IT WILL GO TO THE NEXT +AVAILABLE PORT, ETC. INWATS CUSTOMERS ARE BILLED BY THE # OF HOURS OF CALLS +THAT ARE MADE TO THEIR #. + +OUTWATS (OUTWARD WATS): OUTWATS ARE FOR MAKING OUTGOING CALLS ONLY. LARGE +COMPANIES USE OUTWATS SINCE THEY RECEIVE BULK-RATE DISCOUNTS. SINCE OUTWATS # +CANNOT HAVE INCOMING CALLS, THEY ARE IN THE FORMAT OF: + + + Page 102 + + + + + The Official Phreaker's Manual + +(800) *XX-XXXX + + WHERE * IS THE DIGIT 0 OR 1 WHICH CANNOT BE DIALED UNLESS YOU BOX THE CALL. +THE *XX IDENTIFIES THE TYPE OF SERVICE AND THE AREAS THAT THE COMPANY CAN +CALL. + +REMEMBER: INWATS + OUTWATS = WATS EXTENDER (SEE PART I) +900: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THIS DIAL-IT SAC IS A NATIONWIDE DIAL-IT SERVICE. IT IS USED FOR TAKING +TELEVISION POLLS AND OTHER STUFF. THE FIRST MINUTE CURRENTLY COSTS AN +OUTRAGEOUS 50 CENTS AND EACH ADDITIONAL MINUTE COSTS 35 CENTS. BELL TAKES IN +ALOT OF REVENUE IN THIS WAY. + +DIAL (900) 555-1212 TO FIND OUT WHAT IS CURRENTLY ON THE SERVICE. + +CO CODES: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THESE IDENTIFY THE SWITCHING OFFICE WHERE THE CALL IS TO BE ROUTED. + +THE FOLLOWING CO CODES ARE RESERVED NATIONWIDE: + +555 - DIRECTORY ASSISTANCE +844 - TIME ] THESE ARE NOW IN +936 - WEATHER ] THE 976 EXCHANGE +950 - FUTURE SERVICES +958 - PLANT TEST +959 - PLANT TEST +970 - PLANT TEST (TEMPORARY) +976 - DIAL-IT SERVICES + + ALSO, THE 3 DIGIT ANI & RINGBACK #'S ARE REGARDED AS PLANT TEST AND ARE +THUS RESERVED. THESE NUMBERS VARY FROM AREA TO AREA. + +950: [ALSO SEE PART I] +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +HERE ARE THE SERVICES THAT ARE CURRENTLY ON THE 950 EXCHANGE: + +1000 - SPC +1022 - MCI EXECUNET +1033 - US TELEPHONE +1044 - ALLNET +1066 - LEXITEL +1088 - SBS SKYLINE + +THESE SCC'S (SPECIALIZED COMMON CARRIERS) ARE FREE FROM FORTRESSES! + +Publishers note: Most 950's now require the station code (1022, 1000, 1088, +etc.) to be five digits long. MCI 950-10222, US telefone 10333, ALLNET 10444, +etc. Look in "Equal Access and the American Dream" p. for a complete list. +PLANT TESTS: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +THESE INCLUDE ANI, RINGBACK, AND OTHER VARIOUS TESTS. + + + Page 103 + + + + + The Official Phreaker's Manual + +976: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + DIAL 976-1000 TO SEE WHAT IS CURRENTLY ON THE SERVICE. ALSO, MANY BBS'S +HAVE A LISTING OF THESE #'S. + + +N11 CODES: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + BELL IS TRYING TO PHASE SOME OF THESE OUT, BUT THEY STILL EXIST IN MANY +AREAS. + +011 - INTERNATIONAL DIALING PREFIX +211 - COIN REFUND OPERATOR +411 - DIRECTORY ASSISTANCE +611 - REPAIR SERVICE +811 - BUSINESS OFFICE +911 - EMERGENCY + +INTERNATIONAL DIALING +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + WITH INTERNATIONAL DIALING, THE WORLD HAS BEEN DIVIDED INTO 9 NUMBERING +ZONES. + +TO MAKE AN INTERNATIONAL CALL, YOU MUST DIAL: INT. PREFIX + COUNTRY CODE + NAT. +# + + IN NORTH AMERICA, THE INTERNATIONAL DIALING PREFIX IS 011 FOR +STATION-TO-STATION CALLS AND 01 FOR OPERATOR- SERVICED CALLS. IDDD STANDS FOR +INTERNATIONAL DIRECT DISTANCE DIALING. + + THE COUNTRY CODE, WHICH VARIES FROM 1 TO 3 DIGITS, ALWAYS HAS THE WORLD +NUMBERING ZONE AS THE FIRST DIGIT. FOR EXAMPLE, THE COUNTRY CODE FOR THE +UNITED KINGDOM IS 44, THUS IT IS IN WORLD NUMBERING ZONE 4. + + SOME BOARDS MAY CONTAIN A COMPLETE LISTING OF OTHER COUNTRY CODES, BUT HERE +ARE A FEW: + +001 - NORTH AMERICA (US, CANADA,ETC) +020 - EGYPT +258 - MOZAMBIQUE +034 - SPAIN +049 - GERMANY +052 - MEXICO (SOUTHERN PORTION) +061 - AUSTRALIA +007 - USSR +081 - JAPAN +098 - IRAN + + IF YOU CALL FROM AN AREA OTHER THAN NORTH AMERICA, THE FORMAT IS GENERALLY +THE SAME. FOR EXAMPLE, LET'S SAY YOU WANTED TO CALL THE WHITE HOUSE FROM +SWITZERLAND. FIRST YOU WOULD DIAL 00 (THE SWISS INTERNATIONAL DIALING PREFIX), +THEN 1 (THE US COUNTRY CODE), FOLLOWED BY 202-456-1414 (THE NATIONAL # FOR THE +WHITE HOUSE). + + ALSO, COUNTRY CODE 87 IS RESERVED FOR MARITIME MOBILE SERVICE, IE CALLING + + Page 104 + + + + + The Official Phreaker's Manual + +SHIPS: + +871 - MARISAT (ATLANTIC) +872 - MARISAT (PACIFIC) +873 - MARISAT (INDIAN ) + +INTERNATIONAL SWITCHING: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN NORTH AMERICA, THERE ARE CURRENTLY 7 NO. 4 ESS'S THAT PERFORM THE DUTY +OF ISC (INTERNATIONAL SWITCHING CENTERS). ALL INTERNATIONAL CALLS DIALED FROM +NUMBERING ZONE 1 WILL BE ROUTED THROUGH ONE OF THESE "GATEWAY CITIES." THEY +ARE: + +182 - WHITE PLAINS, NY +183 - NEW YORK, NY +184 - PITTSBURGH, PA +185 - ORLANDO, FL +186 - OAKLAND, CA +187 - DENVER, CO +188 - NEW YORK, NY + + THE 18X SERIES ARE OPERATOR ROUTING CODES FOR OVERSEAS ACCESS (TO BE +FURTHER DISCUSSED WITH BLUE BOXES). ALL INTERNATIONAL CALLS USE A SIGNALING +SYSTEM CALLED CCITT. IT IS AN INTERNATIONAL STANDARD FOR SIGNALING. + +COMING SOON: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN PART IV, WE WILL DISCUSS SWITCHING EQUIPMENT, VARIOUS OPERATORS, CO +TYPES, ETC. + +PHREAKING LIVES IN '84, + +*****BIOC +*=$=*AGENT +*****003 + +<<=-FARGO 4A-=>> +23-FEB-84 + +REFERENCES/ +ACKNOWLEDGEMENTS: NOTES ON THE NETWORK (AT&T), TAP (ROOM 603, 147W 42 ST, +NEW YORK, NY 10036),UNDERSTANDING TELEPHONE ELECTRONICS,AND MANY OTHERS/TUC, +MULCHER... + + + + + + + + + + + + + + + Page 105 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART IV * + * * + ************************************************************ + +PREFACE: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + PART IV WILL DEAL WITH THE VARIOUS TYPES OF OPERATORS, OFFICE HIERARCHY, & +SWITCHING EQUIPMENT. + + +OPERATORS: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THERE ARE MANY TYPES OF OPERATORS IN THE NETWORK AND THE MORE COMMON ONES +WILL BE DISCUSSED. + +TSPS OPERATOR: +____________________________________________________________ + + THE TSPS (TRAFFIC SERVICE POSITION SYSTEM) OPERATOR IS PROBABLY THE BITCH +(OR BASTARD FOR THE PHEMALE LIBERATIONISTS) THAT MOST OF US ARE USE TO HAVING +TO DEAL WITH. + +HERE ARE HER RESPONSIBILITIES: + +1) OBTAINING BILLING INFORMATION FOR CALLING CARD OR 3RD NUMBER CALLS. + +2) IDENTIFYING CALLED CUSTOMER ON PERSON-TO-PERSON CALLS. + +3) OBTAINING ACCEPTANCE OF CHARGES ON COLLECT CALLS. + +4) IDENTIFYING CALLING NUMBERS. THIS ONLY HAPPENS WHEN THE CALLING # IS NOT +AUTOMATICALLY RECORDED BY CAMA (CENTRALIZED AUTOMATIC MESSAGE ACCOUNTING) & +FORWARDED FROM THE LOCAL OFFICE. THIS COULD BE CAUSED BY EQUIPMENT FAILURES OR +IF THE OFFICE IS NOT EQUIPPED FOR CAMA (MOST ARE). + + + + YOU SHOULDN'T MESS WITH THE TSPS OPERATOR SINCE SHE KNOWS WHERE YOU ARE +CALLING FROM. SHE ALSO KNOWS WHETHER OR NOT YOU ARE AT A FORTRESS FONE & SHE +CAN TRACE CALLS QUITE READILY. OUT OF ALL THE OPERATORS, SHE IS ONE OF THE +MOST DANGEROUS. + +INWARD OPERATOR: +____________________________________________________________ + + THIS OPERATOR ASSISTS YOUR LOCAL TSPS ("0") OPERATOR IN CONNECTING CALLS. + + Page 106 + + + + + The Official Phreaker's Manual + +SHE WILL NEVER QUESTION A CALL AS LONG AS THE CALL IS WITHIN HER SERVICE AREA. +SHE CAN ONLY BE REACHED VIA OTHER OPERATORS OR BY A BLUE BOX. FROM A BB, YOU +WOULD DIAL KP+NPA+121+ST FOR THE INWARD OPERATOR THAT WILL HELP YOU CONNECT ANY +CALLS WITHIN THAT NPA AREA ONLY. (BLUE BOXING WILL BE DISCUSSED IN A FUTURE +PART OF BASIC TELCOM) + +DIRECTORY ASSISTANCE OPERATOR: +____________________________________________________________ + + THIS IS THE OPERATOR THAT YOU ARE CONNECTED TO WHEN YOU DIAL: 411 OR +NPA-555-1212. SHE DOES NOT READILY KNOW WHERE YOU ARE CALLING FROM. SHE DOES +NOT HAVE ACCESS TO UNLISTED #'S, BUT SHE DOES KNOW IF AN UNLISTED # EXISTS FOR +A CERTAIN LISTING. + + THERE IS ALSO A DIRECTORY ASSISTANCE FOR DEAF PEOPLE WHO USE +TELETYPEWRITERS IF YOU MODEM CAN TRANSFER BAUDOT (THE APPLE CAT CAN), THEN YOU +CAN CALL HER UP AND HAVE AN INTERESTING CONVERSATION WITH HER. THE # +IS:800/855-1155. SHE USES THE STANDARD TELEX ABBREVIATIONS SUCH AS GA FOR GO +AHEAD. THEY TEND TO BE NICER & WILL TALK LONGER THAN YOUR REGULAR OPERATORS. +ALSO, THEY ARE MORE VULNERABLE INTO BEING TALKED OUT OF INFORMATION THROUGH THE +PROCESS OF "SOCIAL ENGINEERING" AS CHESHIRE CATALYST WOULD PUT IT. + +OTHER OPERATORS HAVE ACCESS TO THEIR OWN DA BY DIALING KP+NPA+131+ST (MF). + + THIS IS A LITTLE OUT OF THE SCOPE OF THIS TUTORIAL, BUT MANY TELCO'S ARE +NOW CHARGING FOR CALLS TO DIR. ASST. YOU CAN BEAT THIS BY: + +(1) COUNT HOW MANY CALLS YOU MAKE TO DIRECTORY ASSISTANCE IN A BILLING PERIOD. +GO TO A FORTRESS FONE & DIAL DA. WHEN THE OPERATOR COMES ON, GIVE HER A NAME +THAT YOU KNOW HAS AN UNLISTED # OR ASK FOR A TOWN THAT ISN'T IN THE NPA. SHE +WILL THEN ASK FOR YOUR # SO SHE CAN CREDIT THE CALL TO YOU. GIVE HER YOUR HOME +#, SHE DOESN'T KNOW THAT YOU ARE MAKING A FREE CALL FROM THE FORTRESS. JUST +MAKE SURE THAT YOU DON'T CREDIT YOURSELF FOR MORE CALLS THAN YOU ACTUALLY MADE +OR YOU MIGHT HAVE A FEW PROBLEMS! + +(2) IF YOU HAVE A BAUDOT TERMINAL, USE THE 800 #, IT'S FREE & THERE IS ONE # +FOR ALL REQUESTS. + +C/NA OPERATORS: +____________________________________________________________ + + C/NA OPERATORS ARE OPERATORS THAT DO EXACTLY THE OPPOSITE OF WHAT DIRECTORY +ASSISTANCE OPERATORS ARE FOR. SEE PART II, FOR MORE INFO ON C/NA & #'S. IN MY +EXPERIENCES, THESE OPERATORS KNOW MORE THAN THE DA OP'S DO & THEY ARE MORE +SUSCEPTIBLE TO "SOCIAL ENGINEERING." IT IS POSSIBLE TO BULLSHIT A C/NA +OPERATOR FOR THE NON-PUB DA # (IE, YOU GIVE THEM THE NAME & THEY GIVE YOU THE +UNLISTED #). THIS IS DUE TO THE FACT THAT THEY ASSUME YOUR ARE A PHELLOW +COMPANY EMPLOYEE. + +INTERCEPT OPERATOR: +____________________________________________________________ + + THE INTERCEPT OPERATOR IS THE ONE THAT YOU ARE CONNECTED TO WHEN THERE ARE +NOT ENOUGH RECORDINGS AVAILABLE TO TELL YOU THAT THE # HAS BEEN DISCONNECTED OR +CHANGED. SHE USUALLY SAYS, "WHAT # YOU CALLIN' ? " WITH A FOREIGN ACCENT. +THIS IS THE LOWEST OPERATOR LIFEFORM. EVEN THOUGH THEY DON'T KNOW WHERE YOU +ARE CALLING FROM, IT IS A WASTE OF YOUR TIME TO TRY TO VERBALLY ABUSE THEM +SINCE THEY USUALLY UNDERSTAND VERY LITTLE ENGLISH. + + Page 107 + + + + + The Official Phreaker's Manual + + +OTHER OPERATORS: +____________________________________________________________ + +AND THEN THERE ARE THE: +MOBILE +SHIP-TO-SHORE +CONFERENCE +MARINE VERIFY, "LEAVE WORD & CALL BACK," +ROUT & RATE (KP+NPA+141+ST) & OTHER SPECIAL OPERATORS WHO HAVE ONE PURPOSE OR +ANOTHER IN THE NETWORK. + + PROBLEMS WITH AN OPERATOR? ASK TO SPEAK TO THEIR SUPERVISOR... WHICH IS +THE EQUIVALENT OF THE MADAME IN A WHOREHOUSE (IF YOU WILL EXCUSE THE ANALOGY). + + BY THE WAY, SOME CO'S THAT WILL ALLOW YOU TO DIAL A 1 OR 0 AS THE 4TH +DIGIT, WILL ALSO ALLOW YOU TO CALL SPECIAL OPERATORS WITHOUT A BLUE BOX. THIS +IS VERY RARE THOUGH! FOR EXAMPLE, 212-121-1111 WILL GET YOU A NY INWARD +OPERATOR. + +OFFICE HIERARCHY +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + EVERY SWITCHING OFFICE OFFICE IN NORTH AMERICA (THE NPA SYSTEM), IS +ASSIGNED AN OFFICE NAME & CLASS. THERE ARE FIVE CLASSES OF OFFICES NUMBERED 1 +THROUGH 5. YOUR CO IS MOST LIKELY A CLASS 5 OR END OFFICE. ALL LONG-DISTANCE +(TOLL) CALLS ARE SWITCHED BY A TOLL OFFICE WHICH CAN BE A CLASS 4, 3, 2, OR 1 +OFFICE. THERE IS ALSO A 4X OFFICE CALLED AN INTERMEDIATE POINT. THE 4X OFFICE +IS A DIGITAL ONE THAT CAN HAVE AN UNATTENDED EXCHANGE ATTACHED TO IT (KNOWN AS +A REMOTE SWITCHING UNIT-RSU). + + THE FOLLOWING CHART WILL LIST THE OFFICE #, NAME, & HOW MANY OF THOSE +OFFICES EXISTED IN NORTH AMERICA IN 1981. + +CLASS NAME ABB # EXISTING +----- ---------------- --- ------------ +1 REGIONAL CENTER RC 12 +2 SECTIONAL CENTER SC 67 +3 PRIMARY CENTER PC 230 +4 TOLL CENTER TC 1,30 +4P TOLL POINT TP ? +4X INTERMEDIATE PT IP ? +5 END OFFICE EO 19,000 +R RSU RSU ? + + WHEN CONNECTING A CALL FROM ONE PARTY TO ANOTHER, THE SWITCHING EQUIPMENT +USUALLY TRIES TO FIND THE SHORTEST ROUTE BETWEEN THE CLASS 5 END OFFICE OF THE +CALLER & THE CLASS 5 END OFFICE OF THE CALLED PARTY. IF NO INTER-OFFICE TRUNKS +EXIST BETWEEN THE 2 PARTIES, IT WILL THEN MOVE UPTO THE NEXT HIGHEST OFFICE FOR +SERVICING (CLASS 4). IF THE CLASS 4 OFFICE CANNOT HANDLE THE CALL BY SENDING +IT TO ANOTHER CLASS 4 OR 5 OFFICE, IT WILL BE SENT TO THE NEXT OFFICE IN THE +HIERARCHY (3). THE SWITCHING EQUIPMENT FIRST USES THE HIGH-USAGE INTEROFFICE +TRUNK GROUPS, IF THEY ARE BUSY IT THEN GOES TO THE FINAL TRUNK GROUPS ON THE +NEXT HIGHEST LEVEL. IF THE CALL CANNOT BE CONNECTED THEN, YOU WILL PROBABLY GET +A RE-ORDER (120IPM BUSY SIGNAL) SIGNAL. AT THIS TIME, THE GUYS AT NETWORK +OPERATIONS ARE PROBABLY SHITTING IN THEIR PANTS AND TRYING TO AVOID THE DREADED +NETWORK DREADLOCK (AS SEEN ON TV!). + + + Page 108 + + + + + The Official Phreaker's Manual + + IT IS ALSO INTERESTING TO NOTE THAT 9 CONNECTIONS IN TANDEM IS CALLED +RING-AROUND-THE ROSY AND IT HAS NEVER OCCURRED IN TELEPHONE HISTORY. THIS +WOULD CASE AN ENDLESS LOOP CONNECTION. [ A NEAT WAY TO REALLY SCREW-UP THE +NETWORK]. + + THE 10 REGIONAL CENTERS IN THE US & THE 2 IN CANADA ARE ALL INTERCONNECTED. +THEY FORM THE FOUNDATION OF THE ENTIRE TELEPHONE NETWORK. SINCE THERE ARE ONLY +12 OF THEM, THEY ARE LISTED BELOW: + +CLASS 1 REGIONAL OFFICE LOCATION NPA +---------------------------------- --- +DALLAS 4 ESS 214 +WAYNE, PA 215 +DENVER 4T 303 +REGINA NO.2 SP1-4W [CANADA] 306 +ST. LOUIS 4T 314 +ROCKDALE, GA 404 +PITTSBURGH 4E 412 +MONTREAL NO.1 4AETS [CANADA] 504 +NORWICH, NY 607 +SAN BERNARDINO, CA 714 +NORWAY, IL 815 +WHITE PLAINS 4T, NY 914 + + THE FOLLOWING DIAGRAM DEMONSTRATES HOW THE VARIOUS OFFICES MAY BE +CONNECTED: + + _________________________ + _|_ _|_ _|_ REGIONAL + | | | | | | OFFICES + | 1 | <=--=> | 1 | <=--=> | 1 | <<==------ + |___| |___| |___| + | OTHERS\/ + _________________|_______________________| + _|_ _|_ _|_ _|__ _|_ +| | | | | | | | | | +| 2 | | 3 | | 4 | | 4P | | 5 | +|___| |___| |___| |____| |___| + | | | | + |____ | _|__ | + _|_ _|_ | __|_ _|_ \ +| || || | || | |_____ +| 3 || 4 || | 4X || 5 | _|__ _|_ +|___||___|| |____||___|| || | + | | | 4X || 5 | + __|_ | |____||___| + | ||_____________ + | 5R | _______|_________ + |____| | | | + _|_ _|_ _|_ __|_ + | | | | | | | | + | R | | 4 | | 5 | | 5R | + |___| |___| |___| |____| + +NOTE: THE PRECEDING DIAGRAM USED SPECIAL SYMBOLS FROM AN APPLE //E THAT MAY NOT +BE VIEWED AS I INTENDED THEM IF YOU ARE NOT USING AN APPLE//E OR //C. + +SWITCHING EQUIPMENT + + Page 109 + + + + + The Official Phreaker's Manual + +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN THE NETWORK, THERE ARE 3 MAJOR TYPES OF SWITCHING EQUIPMENT. THEY ARE +KNOWN AS: STEP, CROSSBAR, & ESS. + + +STEP-BY-STEP (SXS) +____________________________________________________________ + + THE STEP-BY-STEP, A/K/A THE STROWGER SWITCH OR TWO-MOTION SWITCH, WAS +INVENTED IN 1889 BY AN UNDERTAKER NAMED ALMON STROWGER. HE INVENTED THIS +MECHANICAL SWITCHING EQUIPMENT BECAUSE HE FELT THAT THE BIASED OPERATOR WAS +ROUTING ALL REQUESTS FOR AN 'UNDERTAKER' TO HER HUSBAND'S BUSINESS. BELL +STARTED USING THIS SYSTEM IN 1918 AS OF 1978, OVER 53% OF THE BELL EXCHANGES +USED THIS METHOD OF SWITCHING. + + STEP-BY-STEP SWITCHING IS CONTROLLED DIRECTLY BY THE DIAL PULSES WHICH MOVE +A SERIES OF SWITCHES (CALLED THE SWITCH TRAIN) IN ORDER. WHEN YOU FIRST PICK UP +THE FONE UNDER SXS, A LINEFINDER ACKNOWLEDGES THE REQUEST (SOONER OR LATER) BY +SENDING A DIAL TONE. IF YOU THEN DIALED 1234, THE EQUIPMENT WOULD FIRST FIND +AN IDLE SELECTOR SWITCH. IT WOULD THEN MOVE VERTICALLY 1 PULSE, IT WOULD THEN +MOVE HORIZONTALLY TO FIND A FREE SECOND SELECTOR, IT WOULD THEN MOVE 2 VERTICAL +PULSES, STEP HORIZONTALLY TO FIND THE NEXT SELECTOR, ETC. THUS THE FIRST +SWITCH IN THE TRAIN TAKES NO DIGITS, THE SECOND SWITCH TAKES 1 DIGIT, THE THIRD +SWITCH TAKES 1 DIGIT, & THE LAST SWITCH IN THE TRAIN (CALLED THE CONNECTOR) +TAKES THE LAST 2 DIGITS & CONNECTS YOUR CALLS. A NORMAL (10,000 LINE) EXCHANGE +REQUIRES 4 DIGITS (0000-9999) TO CONNECT A LOCAL CALL & THUS IT TAKES 4 +SWITCHES TO CONNECT EVERY CALL (LINEFINDER, 1ST & 2ND SELECTORS, & THE +CONNECTOR) . + + WHILE IT WAS THE FIRST, SXS SUCKS FOR THE FOLLOWING REASONS: + +[1] THE SWITCHED OFTEN BECOME JAMMED THUS THE CALLS OFTEN BECOME BLOCKED. + +[2] YOU CAN'T USE DTMF (DUAL-TONE MULTI-FREQUENCY A/K/A TOUCH-TONE) DIRECTLY. +IT IS POSSIBLE THAT THE TELCO MAY HAVE INSTALLED A CONVERSION KIT BUT THEN THE +CALLS WILL GO THROUGH JUST AS SLOW AS PULSE, ANYWAY! + +[3] THEY USE A LOT OF ELECTRICITY & MECHANICAL MAINTENANCE. (BAD FROM TELCO +POINT OF VIEW) + +[4] EVERYTHING IS HARDWIRED. + + THEY CAN STILL HOOK UP PEN REGISTERS & OTHER SHIT ON THE LINE SO IT IS NOT +EXACTLY A PHREAK HAVEN. + +YOU CAN IDENTIFY SXS OFFICES BY: + +(1) LACK OF DTMF OR PULSING DIGITS AFTER DIALING DTMF. + +(2) IF YOU GO NEAR THE CO, IT WILL SOUND LIKE A TYPEWRITER TESTING FACTORY. + +(3) LACK OF SPEED CALLING, CALL FORWARDING, & OTHER CUSTOMER SERVICES. + +(4) FORTRESS FONES THAT WANT YOUR MONEY FIRST (AS OPPOSED TO DIAL TONE FIRST +ONES). + + THE PRECEDING DON'T NECESSARILY IMPLY THAT YOU HAVE SXS BUT THEY SURELY + + Page 110 + + + + + The Official Phreaker's Manual + +GIVE EVIDENCE THAT IT MIGHT BE. ALSO, IF ANY OF THE ABOVE CHARACTERISTICS +EXIST, IT CERTAINLY ISN'T ESS! ALSO, SXS HAVE PRETTY MUCH BEEN ERADICATED FROM +LARGE METROPOLITAN AREAS SUCH AS NYC (212). + +CROSSBAR: +____________________________________________________________ + + THERE ARE 3 MAJOR TYPES OF CROSSBAR SYSTEMS CALLED: NO. 1 CROSSBAR (1XB), +NO. 4 CROSSBAR (4XB), & NO. 5 CROSSBAR (5XB). 5XB HAS BEEN THE PRIMARY END +OFFICE SWITCH OF BELL SINCE THE 60'S AND THUS IT IS IN WIDE-USE. + + CROSSBAR USES A COMMON CONTROL SWITCHING METHOD. WHEN THERE IS AN INCOMING +CALL, A STORED PROGRAM DETERMINES ITS ROUTE THROUGH THE SWITCHING MATRIX. + + IN CROSSBAR, THE BASIC OPERATION PRINCIPLE IS THAT A HORIZONTAL & A +VERTICAL LINE ARE ENERGIZED IN A MATRIX KNOWN AS THE CROSSPOINT MATRIX. THE +POINT WHERE THESE 2 LINES MEET IN THE MATRIX IS THE CONNECTION. + + +ESS +____________________________________________________________ + +ELECTRONIC SWITCHING SYSTEM (ESS) THE PHREAK'S NIGHTMARE COME TRUE (OR ORWELL'S +PROPHECY AS 2600 PUTS IT) + + ESS IS BELL'S MOVE TOWARDS THE AIRSTRIP ONE SOCIETY DEPICTED IN ORWELL'S +1984. WITH ESS, EVERY SINGLE DIGIT THAT YOU DIAL IS RECORDED--EVEN IF IT IS A +MISTAKE. THEY KNOW WHO YOU CALL, WHEN YOU CALL, HOW LONG YOU TALKED FOR, & +PROBABLY WHAT YOU TALKED ABOUT (IN SOME CASES). ESS CAN (AND IS) ALSO +PROGRAMMED TO PRINT OUT #'S OF PEOPLE WHO MAKE EXCESSIVE CALLS TO 800 #'S OR +DIRECTORY ASSISTANCE. THIS IS CALLED THE "800 EXCEPTIONAL CALLING REPORT." ESS +COULD ALSO BE PROGRAMMED TO PRINT OUT LOGS OF WHO CALLS CERTAIN #'S--LIKE A +BOOKIE, A KNOWN COMMUNIST, A BBS, ETC THE THING TO REMEMBER WITH ESS IS THAT IT +IS A SERIES OF PROGRAMS WORKING TOGETHER. THESE PROGRAMS CAN BE VERY EASILY +CHANGED TO DO WHATEVER THEY WANT IT TO DO. ONE PHREAK WHOM I KNOW HAS SOME ESS +SOURCE CODE LISTING WHICH IS INCREDIBLY COMPLEX (AS WELL AS DOCUMENTED--GRACIAS +DIOS). THIS SYSTEM MAKES THE JOB OF BELL SECURITY, THE FBI, NSA, & OTHER +ORGANIZATIONS THAT LIKE TO INVADE PRIVACY INCREDIBLY EASY. + + WITH ESS, TRACING IS DONE IN MICROSECONDS (EINE AUGENBLICK) & THE RESULTS +ARE PRINTED AT THE CONSOLE OF A BELL GESTAPO OFFICER. ESS WILL ALSO PICK UP +ANY "FOREIGN" TONES ON THE LINE SUCH AS 2600 HZ! + + BELL PREDICTS THAT THE COUNTRY WILL BECOME TOTALLY ESS BY THE 1990'S. + + YOU CAN IDENTIFY ESS BY THE FOLLOWING WHICH ARE USUALLY ESS FUNCTIONS: + +[1] DIALING 911 FOR HELP. +[2] DIAL-TONE-FIRST FORTRESSES. +[3] CUSTOM CALLING SERVICES SUCH AS:CALL FORWARDING, SPEED DIALING, & CALL +WAITING. (ASK YOUR BUSINESS OFFICE IF YOU CAN GET THESE.) +[4] ANI (AUTOMATIC NUMBER IDENTIFICATION) ON LD CALLS. + + PHREAKING DOES NOT COME TO A COMPLETE HALT UNDER ESS THOUGH--JUST BE VERY +CAREFUL, THOUGH!!! + + DUE TO THE FACT THAT ESS SENDS A COMPUTER GENERATED "ARTIFICIAL RING," +WHERE THE VOICE IS NOT CONNECTED DIRECTLY TO THE CALLED PARTIES LINE UNTIL HE + + Page 111 + + + + + The Official Phreaker's Manual + +PICKS UP, BLACK BOXES & INFINITY TRANSMITTERS WILL NOT WORK! + +NOTE: ANOTHER INTERESTING WAY TO FIND OUT WHAT TYPE OF EQUIPMENT YOU ARE ON IS +TO RAID THE TRASH CAN OF YOU LOCAL CO--THIS ART WILL DISCUSSED IN A SEPARATE +ARTICLE SOON. + +COMING SOON: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +IN THE PART V, WE WILL START TO TAKE A LOOK AT TELEPHONE ELECTRONICS. + +FURTHER READING: + +FOR MORE INFORMATION ON THE ABOVE TOPICS, I SUGGEST THE FOLLOWING: + +NOTES ON THE NETWORK, AT&T, 1980. + +UNDERSTANDING TELEPHONE ELECTRONICS,TEXAS INSTRUMENTS, 1983. + +AND SUBSCRIPTIONS TO: + +TAP, ROOM 603, 147 W 42 ST, NEW YORK, NY 10036. SUBSCRIPTIONS ARE +$10/YEAR.#BACK ISSUES ARE $0.75. THE CURRENT ISSUES IS #90 (JAN/FEB 1984) + +2600, BOX 752, MIDDLE ISLAND, NY 11953. SUBSCRIPTIONS ARE $10/YEAR. BACKISSUES +ARE $1 EACH. THE CURRENT ISSUE IS #4 (APRIL 1984). + +THEY ARE BOTH EXCELLENT SOURCES OF ALL SORTS OF INFORMATION (PRIMARILY +PHREAKING/HACKING). + +NOTE: FOR THE MOST PART, I HAVE ASSUMED THAT YOU HAVE READ MY PREVIOUS 3 +COURSES IN THE BASIC TELCOM SERIES. + +HASTA LUEGO, + +*****BIOC +*=$=*AGENT +*****003 + +APRIL 13, 1984 [THE YEAR OF BIG BROTHER] + +<<=-FARGO 4A-=>> + + + + + + + + + + + + + + + + + + Page 112 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART V * + * * + ************************************************************ + + +PREFACE: + + PREVIOUS INSTALLMENTS OF THIS SERIES WERE FOCUSED ON TELEPHONY FROM A +NETWORK POINT-OF-VIEW. PART V WILL DEAL WITH TELEPHONE ELECTRONICS FOCUSING +PRIMARILY ON THE SUBSCRIBER'S TELEPHONE. HERE-IN-AFTER SIMPLY REFERRED TO AS +"FONE." + +WIRING: +____________________________________________________________ + + ASSUMING A STANDARD ONE-LINE FONE, THERE ARE USUALLY 4 WIRES THAT LEAD OUT +OF THE FONE SET. THESE ARE STANDARDLY COLORED RED, GREEN, YELLOW, & BLACK. +THE RED & GREEN SIRES ARE THE TWO THAT ARE ACTUALLY HOOKED UP TO YOUR CO. THE +YELLOW WIRE IS SOMETIMES USED TO RING DIFFERENT FONES ON A PARTY LINE (IE, ONE +#, SEVERAL FAMILIES--FOUND PRIMARILY IN RURAL AREAS WHERE THEY PAY LESS FOR THE +SERVICE AND THEY DON'T USE THE FONE AS MUCH); OTHERWISE, THE YELLOW IS USUALLY +JUST IGNORED. ON SOME TWO-LINE FONES, THE RED & GREEN WIRES ARE USED FOR THE +FIRST FONE # AND THE YELLOW & BLACK ARE USED FOR THE SECOND LINE. IN THIS CASE +THERE MUST BE AN INTERNAL OR EXTERNAL DEVICE THAT SWITCHES BETWEEN THE TWO +LINES AND PROVIDES A HOLD FUNCTION. (SUCH AS RADIO SHACK'S OUTRAGEOUSLY PRICED +2 LINE & HOLD MODULE-9. + + IN TELEPHONY, THE RED & GREEN WIRES ARE OFTEN REFERRED TO AS TIP (T) & RING +(R). THE TIP IS USUALLY THE MORE POSITIVE OF THE TWO WIRES. THIS NAMING GOES +BACK TO THE OLD OPERATOR CORD BOARDS WHERE ONE OF THE WIRES WAS THE TIP OF THE +PLUG AND THE OTHER WAS THE RING (OF THE BARREL). + A ROTARY FONE (AKA DIAL OR PULSE) WILL WORK FINE REGARDLESS WHETHER THE RED +(OR GREEN) WIRE IS CONNECTED THE TIP(+) OR RING(-). A TOUCH-TONE (TM) FONE IS +A DIFFERENT STORY, THOUGH. IT WILL NOT WORK EXCEPT IF THE TIP(+) IS THE GREEN +WIRE. [ALTHOUGH, SOME OF THE MORE EXPENSIVE DTMF FONES DO HAVE A RECTIFIER +BRIDGE WHICH COMPENSATES FOR POLARITY REVERSAL.] THIS I WHY UNDER CERTAIN +(NON-DIGITAL) SWITCHING EQUIPMENT YOU CAN REVERSE THE RED & GREEN WIRES ON A +TOUCH-TONE FONE AND RECEIVE FREE DTMF SERVICE. EVEN THOUGH IT WON'T BREAK DIAL +TONE, REVERSING THE WIRES ON A ROTARY LINE ON A DIGITAL SWITCH WILL CAUSE THE +TONES TO BE GENERATED. + +VOLTAGES, ETC. +____________________________________________________________ + + WHEN YOUR TELEPHONE IS ON-HOOK (IE, HUNG UP) THERE IS APPROXIMATELY 48 +VOLTS OF DC CURRENT (VDC) FLOWING THROUGH THE TIP & RING. WHEN THE HANDSET OF +A FONE IS LIFTED A FEW SWITCHES CLOSE WHICH CAUSE A LOOP TO BE CONNECTED (KNOWN +AS THE "LOCAL LOOP") BETWEEN YOUR FONE & THE CO. ONCE THIS HAPPENS DC CURRENT +IS ABLE TO FLOW THROUGH THE FONE WITH LESS RESISTANCE. THIS CAUSES A RELAY TO +ENERGIZE WHICH CAUSES OTHER CO EQUIPMENT TO REALIZE THAT YOU WANT SERVICE. +EVENTUALLY, YOU SHOULD END UP WITH A DIAL TONE. THIS ALSO CAUSES THE 48 VDC TO +DROP DOWN INTO THE VICINITY OF 13 VOLTS. THE RESISTANCE OF THE LOOP ALSO DROPS +BELOW THE 2500 OHM LEVEL. + + Page 113 + + + + + The Official Phreaker's Manual + + + AS OF NOW, YOU ARE PROBABLY SAYING TO YOURSELF THAT THIS IS ALL NICE AND +TECHNICAL BUT WHAT THE HELL GOOD IS THE INFORMATION. WELL, ALSO CONSIDER THAT +THIS VOLTAGE (& RESISTANCE) DROP IS HOW THE CO DETECTS THAT A FONE WAS TAKEN +OFF HOOK (PICKED UP). IN THIS WAY, THEY KNOW WHEN TO START BILLING THE CALLING +NUMBER. NOW WHAT DO YOU SUPPOSE WOULD HAPPEN IF A DEVICE SUCH AS A RESISTOR OR +A ZENER DIODE WAS PLACED ON THE CALLED PARTIES LINE SO THAT THE VOLTAGE WOULD +DROP JUST ENOUGH TO ALLOW TALKING BUT NOT ENOUGH TO START BILLING? FIRST OFF, +THE CALLING PARTY WOULD NOT BE BILLED FOR THE CALL BUT CONVERSATION COULD BE +PURSUED. SECONDLY, THE CO EQUIPMENT WOULD THINK THAT THE FONE JUST KEPT ON +RINGING. THE TELCO CALLS THIS A "NO-NO" (TOLL FRAUD TO BE MORE SPECIFIC) WHILE +PHONE PHREAKS AFFECTIONATELY CALL THIS MUTE A BLACK BOX. + + THE FOLLOWING ARE INSTRUCTIONS ON HOW TO BUILD A SIMPLE BLACK BOX. OF +COURSE, ANYTHING THAT PREVENTS THE VOLTAGE FROM DROPPING WOULD WORK. +YOU ONE OR TWO PARTS: A SPST TOGGLE SWITCH AND A 10,000 OHM (10 K), 1/2 +WATT RESISTOR. ANY ELECTRONICS STORE SHOULD STOCK THESE PARTS. + + NOW, CUT 2 PIECES OF WIRE (ABOUT 6 INCHES LONG) AND ATTACH ONE END OF EACH +WIRE TO ONE OF THE TERMINALS ON THE SWITCH. NOW TURN YOUR K500 (STANDARD DESK +FONE) UPSIDE DOWN AND TAKE OFF THE COVER. LOCATE THE 2 SCREWS ON THE NETWORK +BOX LABELED >F< AND >RR<. WRAP THE RESISTOR BETWEEN THE 2 SCREWS MAKING SURE +THAT IT DOESN'T TOUCH ANY OTHER TERMINALS!. NOW CONNECT ONE WIRE FROM THE +SWITCH TO THE RR TERMINAL. FINALLY, ATTACH THE REMAINING WIRE TO THE GREEN WIRE +(DISCONNECT IT FROM ITS TERMINAL). NOW BRING THE SWITCH OUT THE REAR OF THE +FONE AND REPLACE THE COVER. + + PUT THE SWITCH IN A POSITION WHERE YOU RECEIVE A DIAL TONE. MARK THIS +POSITION NORMAL. MARK THE OTHER SIDE FREE. + + WHEN YOUR PHRIENDS CALL (AT A PREARRANGED TIME), QUICKLY LIFT & DROP THE +RECEIVER AS FAST A POSSIBLE. THIS WILL STOP THE RINGING (DO IT AGAIN IF IT +DOESN'T) WITH OUT STARTING THE BILLING. IT IS IMPORTANT THAT YOU DO IT QUICKLY +(LESS THAN ONE SECOND THEN PUT THE SWITCH IN THE FREE POSITION AND PICK UP THE +FONE. KEEP ALL CALL SHORT AND PREFERABLY UNDER 15 MINUTES. + +NOTE: IF ANYONE PICKS UP AN EXTENSION IN THE CALLED PARTIES HOUSE AND THAT +FONE IS NOT SET FOR FREE THEN BILLING WILL START. + +NOTE: AN OLD WAY OF SIGNALING A PHRIEND THAT YOU ARE ABOUT TO CALL IS +MAKING A COLLECT CALL TO A NON-EXISTENT PERSON IN THE HOUSE. SINCE YOUR FRIEND +WILL NOT ACCEPT THE CHARGES, HE WILL KNOW THAT YOU ARE ABOUT TO CALL AND THUS +PREPARE THE BLACK BOX (OR VISA VERSA). + +WARNING: THE TELCO CAN DETECT BLACK BOXES IF THEY SUSPECT ONE ON YOUR LINE. +THIS IS DONE DUE TO THE PRESENCE OF AC VOICE SIGNAL AT THE WRONG DC LEVEL! + +PICTORIAL DIAGRAM: (STANDARD ROTARY K500 FONE) +____________________________________________________________ + + _____________________________________ +| | +***BLUE WIRE**>>F< | +| * * | +**WHITE WIRE** * | +| * | +| RESISTOR | +| * | + + Page 114 + + + + + The Official Phreaker's Manual + +| * | +| >RR<*******SWITCH**** | +| * | +****GREEN WIRE********************** | +| | +|_____________________________________| + +NOTE: THE BLACK BOX WILL NOT WORK UNDER ESS OR OTHER SIMILAR DIGITAL +SWITCHES SINCE ESS DOES NOT CONNECT THE VOICE CIRCUITS UNTIL THE FONE IS PICKED +UP (& BILLING STARTS). INSTEAD, ESS USES AN "ARTIFICIAL" COMPUTER GENERATED +RING. + +RINGING: +____________________________________________________________ + + TO INFORM A SUBSCRIBER OF AN INCOMING CALL, THE TELCO SENDS 90 VOLTS (RMS) +OF AC CURRENT DOWN THE LINE (AT AROUND 15 TO 60 HZ) IN STANDARD FONES, THIS +CAUSES A METAL ARMATURE TO BE ATTRACTED ALTERNATELY BETWEEN TWO ELECTRO-MAGNETS +THUS STRIKING 2 BELLS. OF COURSE, THE STANDARD BELL (PATENTED IN 1878 BY TOM +A. WATSON) CAN BE REPLACED BY A MORE MODERN ELECTRONIC BELL OR SIGNALING +DEVICE. + + ALSO, YOU CAN HAVE LIGHTS AND OTHER SIMILAR DEVICES IN LIEU OF (OR IN +CONJUNCTION WITH) THE BELL. A SIMPLE NEON LIGHT (WITH ITS CORRESPONDING +RESISTOR) CAN SIMPLY BE CONNECTED BETWEEN THE RED & GREEN WIRES (USUALLY L1 & +L2 ON THE NETWORK BOX) SO THAT IT LIGHTS UP ON INCOMING CALLS. A REGULAR 60 +WATT LIGHT BULB CAN ALSO BE HOOKED UP USING A SIMPLE (120 VAC) RELAY. + +WARNING: 90 & 120 VAC CAN GIVE QUITE A SHOCK. EXERCISE EXTREME CAUTION IF +YOU WISH TO FURTHER PURSUE THESE TOPICS. + + ALSO INCLUDED IN THE RINGING CIRCUIT IS A CAPACITOR TO PREVENT THE DC +CURRENT FROM INTERFERING WITH THE BELL [A CAPACITOR WILL PASS AC CURRENT WHILE +IT WILL PREVENT DC CURRENT FROM FLOWING (BY STORING IT)]. + ANOTHER REASON THAT THE TELCO HATES BLACK BOXES IS BECAUSE RINGING USES +ALOT OF COMMON-CONTROL EQUIPMENT, IN THE CO, WHICH USE ALOT OF ELECTRICITY. +THUS THE RINGING GENERATORS ARE BEING TIED UP WHILE A FREE CALL IS BEING MADE. +USUALLY CALLS THAT ARE ALLOWED TO RING FOR A LONG PERIOD OF TIME MAY BE +CONSTRUED AS SUSPICIOUS. SOME OFFICES MAY BE SET UP TO DROP A TROUBLE CARD FOR +LONG PERIODS OF RINGING THEN A "NO-NO" DETECTION DEVICE MAY BE PLACED ON THE +LINE. + INCIDENTALLY, THE TERM "RING TRIP" REFERS TO THE CO PROCESS INVOLVED TO +STOP THE AC RINGING SIGNAL WHEN THE CALLING FONE GOES OFF HOOK. + +NOTE: IT IS SUGGESTED THAT YOU ACTUALLY DISSECT FONES TO HELP YOU BETTER +UNDERSTAND THEM. IT WILL ALSO HELP YOU TO BETTER UNDERSTAND THE CONCEPTS HERE +IF YOU ACTUALLY PROVE THEM TO YOURSELF. FOR EXAMPLE, ACTUALLY TAKE THE VOLTAGE +READINGS ON YOUR FONE LINE [ANY SIMPLE MULTI-TESTER (A MUST) WILL DO.] +PHREAKING IS AN INTERACTIVE PROCESS NOT A PASSIVE ONE! + +DIALING: +____________________________________________________________ + + ON A STANDARD FONE, THERE ARE TWO COMMON TYPES OF DIALING: PULSE & DTMF. +OF COURSE, SOME PEOPLE INSIST UPON BEING DIFFERENT AND DON'T USE THE DT THUS +LEAVING THEM WITH MF (MULTI FREQUENCY, AKA OPERATOR, BLUE BOX) TONES. THIS IS +ANOTHER "NO-NO" AND THE TELCO SECURITY GENTLEMEN HAVE A SPECIAL KNACK FOR +DEALING WITH SUCH "PHREAKS" ON THE NETWORK. + + Page 115 + + + + + The Official Phreaker's Manual + + WHEN YOU DIAL ROTARY, YOU ARE ACTUALLY RAPIDLY BREAKING & RECONNECTING +(MAKING) THE LOCAL LOOP ONCE FOR EVERY DIGIT DIALED. SINCE THE PHYSICAL +CONNECTION MUST BE BROKEN, YOU CANNOT DIAL IF ANOTHER EXTENSION (OF THAT #) IS +OFF-HOOK. NEITHER OF THE FONES WILL BE ABLE TO DIAL PULSE UNLESS THE OTHER +HANGS UP. + ANOTHER TERM OFTEN REFERRED TO IN TELEPHONE ELECTRONICS IS THE BREAK RATIO. +IN THE US, THERE ARE 10 PULSES PER SECOND (MAX). WHEN THE CIRCUIT IS OPENED IT +IS CALLED THE BREAK INTERVAL. WHEN IT IS CLOSED IT IS CALLED THE MAKE INTERVAL. +IN THE US, THERE IS A 60 MILLISECOND (MS) BREAK PERIOD AND A 40 MS MAKE PERIOD. +(60+40=100 MS = 1/10 MINUTE). THIS IS REFERRED TO AS A 60% BREAK INTERVAL. +SOME OF THE MORE SOPHISTICATED ELECTRONIC FONES CAN SWITCH BETWEEN A 60% & A +67% BREAK INTERVAL. THIS IS DUE TO THE FACT THAT MANY FOREIGN NATIONS USE A +67% BREAK INTERVAL. + HAVE YOU EVER BEEN IN AN OFFICE OR A SIMILAR FACILITY AND SAW A FONE +WAITING TO BE USED FOR A FREE CALL BUT SOME ASSHOLE PUT A LOCK ON IT TO PREVENT +OUTGOING CALLS? + WELL, DON'T FRET PHELLOW PHREAKS, YOU CAN SIMULATE PULSE DIALING BY RAPIDLY +DEPRESSING THE SWITCHOOK. (IF YOU DEPRESS IT FOR LONGER THAN A SECOND IT WILL +BE CONSTRUED AS A DISCONNECT.) BY RAPIDLY SWITCHOOKING YOU ARE CAUSING THE +LOCAL LOOP TO BE BROKEN & MADE SIMILAR TO ROTARY DIALING! THUS IF YOU CAN +MANAGE TO SWITCHOOK RAPIDLY 10 TIMES YOU CAN REACH AN OPERATOR TO PLACE ANY +CALL YOU WANT! THIS TAKES ALOT OF PRACTICE, THOUGH. YOU MIGHT WANT TO PRACTICE +ON YOUR OWN FONE DIALING A FRIEND'S # OR SOMETHING ELSE. INCIDENTALLY, THIS +METHOD WILL ALSO WORK WITH DTMF FONES SINCE ALL DTMF LINES CAN ALSO HANDLE +ROTARY. + ANOTHER PROBLEM WITH PULSE DIALING IS THAT IT PRODUCES HIGH-VOLTAGE SPIKES +THAT MAKE LOUD NOISES IN THE EARPIECE AND CAUSE THE BELL TO "TINKLE." IF YOU +NEVER NOTICED THIS THEN YOUR FONE HAS A SPECIAL "ANTI-TINKLE" & EARPIECE +SHORTING CIRCUIT (MOST DO). IF YOU HAVE EVER DISSECTED A ROTARY FONE (A MUST +FOR ANY SERIOUS PHREAK) YOU WOULD HAVE NOTICED THAT THERE ARE 2 SETS OF CONTACT +THAT OPEN AND CLOSE DURING PULSING (ON THE BACK OF THE ROTARY DIAL UNDER THE +PLASTIC COVER). ONE OF THESE ACTUALLY OPENS AND +CLOSES THE LOOP WHILE THE OTHER MUTES THE EARPIECE BY SHORTING IT OUT. THE +SECOND CONTACTS ALSO ACTIVATES A SPECIAL ANTI-TINKLE CIRCUIT THAT PUTS A 340 +OHM RESISTOR ACROSS THE RINGING CIRCUIT WHICH PREVENTS THE HIGH VOLTAGE SPIKES +FROM INTERFERING WITH THE BELL. + DUAL TONE MULTI FREQUENCY (DTMF) IS A MODERN DAY IMPROVEMENT ON PULSE +DIALING IN SEVERAL WAYS. FIRST OF ALL, IT IS MORE CONVENIENT FOR THE USER +SINCE IT IS FASTER AND CAN BE USED FOR SIGNALING AFTER THE CALL IS COMPLETED +(IE, SCC'S, COMPUTERS, ETC.). ALSO, IT IS MORE UPTO PAR WITH MODERN DAY +SWITCHING EQUIPMENT (SUCH AS ESS) SINCE PULSE DIALING WAS DESIGNED TO ACTUALLY +MOVE RELAYS BY THE NUMBER OF DIGITS DIALED (IN SXS OFFICES). + + EACH KEY ON A DTMF KEYPAD PRODUCES 2 FREQUENCIES SIMULTANEOUSLY (ONE FROM +THE HIGH GROUP AND ANOTHER FROM THE LOW GROUP). + + _______________________________________________ +LOW GROUP | | | | | + 697 HZ-| Q | ABC | DEF | | + | 1 | 2 | 3 | A | + |___________|___________|___________|___________| + | | | | | + 770 HZ-| GHI | JKL | MNO | | + | 1 | 2 | 3 | B | + |___________|___________|___________|___________| + | | | | | + 852 HZ-| PRS | TUV | WXY | | + | 1 | 2 | 3 | C | + + Page 116 + + + + + The Official Phreaker's Manual + + |___________|___________|___________|___________| + | | OPERATOR | | | + 941 HZ-| | Z | | | + | * | 0 | # | D | + |___________|___________|___________|___________| + | | | | + 1209 HZ 1336 HZ 1477 HZ 1633 HZ + HIGH GROUP + +A PORTABLE DTMF KEYPAD IS KNOWN AS A WHITE BOX. + + THE FOURTH COLUMN (1633 HZ) IS NOT NORMALLY FOUND ON REGULAR FONES BUT IT +DOES HAVE SEVERAL SPECIAL USES. FOR ONE, IT IS USED TO DESIGNATE THE PRIORITY +OF CALLS ON AUTOVON, THE MILITARY FONE NETWORK. THESE KEY ARE CALLED: FLASH, +IMMEDIATE, PRIORITY, & ROUTINE (WITH VARIATIONS) INSTEAD OF ABCD. SECONDLY, +THESE KEYS ARE USED FOR TESTING PURPOSES BY THE TELCO. IN SOME AREA YOU CAN +FIND LOOPS AS WELL AS OTHER NEAT TESTS (SEE PART II) ON THE 555-1212 DIRECTORY +ASSISTANCE EXCHANGE. FOR THIS, YOU WOULD CALL UP AN DA IN CERTAIN AREAS [THAT +HAVE AN AUTOMATIC CALL DISTRIBUTOR (ACD)] AND HOLD DOWN THE "D" KEY WHICH +SHOULD BLOW THE OPERATOR OFF. YOU WILL THEN HEAR A PULSING DIAL TONE WHICH +INDICATES THAT YOU ARE IN THE ACD INTERNAL TESTING MODE. YOU CAN GET ON ONE +SIDE OF A LOOP BY DIALING A 6. THE OTHER SIDE IS 7. SOME PHREAKS CLAIM THAT +IF THE PERSON ON SIDE 6 HANGS UP, OCCASIONALLY THE EQUIPMENT WILL SCREW UP AD +START DIRECTING DIRECTORY ASSISTANCE CALLS TO THE OTHER SIDE OF THE LOOP. +ANOTHER ALLEGED TEST IS CALLED REMOB WHICH ALLOWS YOU TO TAP INTO LINES BY +ENTERING A SPECIAL CODE FOLLOWED BY THE 7 DIGIT NUMBER YOU WANT TO MONITOR. +THEN THERE IS THE POSSIBILITY OF MASS CONFERENCING. + ACD'S ARE BECOME RARE THOUGH. YOU WILL PROBABLY HAVE TO MAKE SEVERAL +NPA-555- 1212 CALLS BEFORE YOU FIND ONE. + YOU CAN MODIFY REGULAR FONES QUITE READILY SO THAT THEY HAVE A SWITCH TO +CHANGE BETWEEN THE 3RD AND 4TH COLUMNS. THIS IS CALLED A SILVER BOX (AKA GREY +BOX) AD PLANS CAN BE FOUND IN TAP AS WELL AS ON MANY BBS'S. + +TRANSMITTER/RECEIVER: +____________________________________________________________ + + WHEN YOU TALK INTO THE TRANSMITTER, THE SOUND WAVES FROM YOUR VOICE CAUSE A +DIAPHRAGM TO VIBRATE AND PRESS AGAINST THE CARBON GRANULES (OR ANOTHER SIMILAR +SUBSTANCE). THIS CAUSES THE CARBON GRANULES TO COMPRESS AND CONTRACT THUS +CHANGING THE RESISTANCE OF THE DC CURRENT FLOWING THROUGH IT. THEREFORE, YOUR +AC VOICE SIGNAL IS SUPERIMPOSED OVER THE DC CURRENT OF THE LOCAL LOOP. THE +RECEIVER WORKS IN A SIMILAR FASHION WHERE THE SIMPLE TYPES UTILIZE A MAGNET, +ARMATURE, & DIAPHRAGM. + +HYBRID/INDUCTION COIL: +____________________________________________________________ + + AS YOU MAY HAVE NOTICED, THERE ARE TWO WIRES FOR THE RECEIVER AND TWO FOR +THE TRANSMITTER IN THE FONE, YET THE LOCAL LOOP CONSISTS OF 2 WIRES INSTEAD OF +4. THIS 4-WIRE TO 2-WIRE CONVERSION IS DONE INSIDE THE FONE BY A DEVICE KNOWN +AS AN INDUCTION COIL WHICH USES COUPLING TRANSFORMERS. + THE REASON 2 SIRES ARE USED ON THE LOCAL LOOPS ARE BECAUSE IT IS ALOT +CHEAPER FOR THE TELCO. ALTHOUGH, ALL OF THE INTER-OFFICE TRUNKS UTILIZE 4 +WIRES. THIS IS NECESSARY FOR FULL DUPLEX (IE, SIMULTANEOUS CONVERSATION ON +BOTH SIDES) AND FOR AMPLIFICATION DEVICES. THERE ARE SIMILAR DEVICES IN THE +CO'S, KNOWN AS A HYBRID, THAT COUPLE THE 4-WIRE TRUNKS TO THE 2-WIRE LOCAL +LOOPS AND VISA-VERSA. + + + Page 117 + + + + + The Official Phreaker's Manual + +MISCELLANEOUS: +____________________________________________________________ + + IN THE TELEPHONE, THERE IS ALSO A BALANCING NETWORK CONSISTING OF A FEW +CAPACITORS & RESISTORS WHICH PROVIDE SIDETONE. SIDETONE ALLOWS THE CALLER TO +HEAR HIS OWN VOLUME IN THE RECEIVER. HE CAN THEN ADJUST HIS VOICE ACCORDINGLY. +THIS PREVENTS PEOPLE FROM SHOUTING OR SPEAKING TOO SOFTLY WITHOUT NOTICING IT. + +HOLD: +____________________________________________________________ + + WHEN A TELEPHONE GOES OFF HOOK, THE RESISTANCE DROPS BELOW 2500 OHMS. AT +THIS POINT, THE TELCO WILL SEND A DIAL TONE. TO PUT SOMEONE ON HOLD YOU MUST +PUT A 1000 OHM RESISTOR (1 WATT) ACROSS THE TIP & RING BEFORE IT REACHES THE +SWITCHOOK. IN THIS WAY, WHEN THE FONE IS HUNG UP (FOR HOLD) THE RESISTANCE +REMAINS BELOW 2500 OHMS WHICH CAUSES THE CO TO BELIEVE THAT YOU ARE STILL +OFF-HOOK. YOU CAN BUILD A SIMPLE HOLD DEVICE USING THE FOLLOWING PICTORIAL +DIAGRAM: + +(RED) O_________________________ + [L1] | | | + | | | + 1000 OHM | \ + | | \ + RESISTOR RINGING | + | CIRCUIT | -SWITCH + | | | HOOK + / | | + / SPST SWITCH | \ + | | \ + | | | + | | | +(GREEN) O__|_____________|______| + [L2] +--> TO REST OF FONE + +CONCLUSION: +____________________________________________________________ + +NOTE: MANY OF THE ELECTRONICS COMPONENTS OF NORMAL FONES (K500) ARE +ENCLOSED IN THE NETWORK BOX (WHICH SHOULDN'T BE OPENED). + + I HAVE ASSUMED THAT THE READER HAS A BASIC KNOWLEDGE OF ELECTRONICS. ALSO, +I HAVE ASSUMED THAT YOU HAVE READ THE 4 PREVIOUS INSTALLMENTS OF THIS SERIES +(AND HOPEFULLY ENJOYED THEM). + + IN PART VI, WE WILL TAKE A LOOK AT FORTRESS FONES. + +SUGGESTED FURTHER READING: +____________________________________________________________ + +ELECTRONICS COURSES A-D, TAP, @ $.75 EACH. + +ELECTRONIC TELEPHONE PROJECTS, A.J. CARISTI, HOWARD SAMS BOOKS. + +EVERYTHING YOU ALWAYS WANTED TO KNOW ABOUT 1633 HZ TONES BUT WERE AFRAID TO +ASK, THE MAGICIAN, TAP, ISSUE #62. + + + Page 118 + + + + + The Official Phreaker's Manual + +FREE BELL PHONE CALLS, TAP, FACT SHEET #2, @ $.50. + +FREE GTE PHONE CALLS, TAP, FACT SHEET #3, @ $.50. + +HOW TO MODIFY YOUR BELL TOUCH TONE FONE TO HAVE 1633 CYCLE TONES, TAP, ISSUE +#63. + +MODIFYING YOUR PHONE FOR 1633 HZ (NEW ELECTRONIC KEYPADS), FRED STEINBECK, TAP, +ISSUE #84. + +NOTES ON THE NETWORK, AT&T. + +THE PHONE BOOK, J. EDGAR HYDE. + +REGULATING THE TELEPHONE COMPANY IN YOUR HOME, RAMAPART MAGAZINE, JUNE 1972. + +REMOBS, TAP #91 (NOT YET PUBLISHED AS OF THIS WRITING). + +UNDERSTANDING TELEPHONE ELECTRONICS, TEXAS INSTRUMENTS. + +& OTHER ASSORTED SOURCES... + +TAP: ROOM 603/147 W 42 ST./NEW YORK, NY 10036. PLEASE SPECIFY BY BACKISSUE +#'S (NOT ARTICLE NAMES). ALL BACK-ISSUES ARE $1 EACH. SUBSCRIPTIONS ARE +$10/YEAR (10 ISSUES). SAY THAT BIOC AGENT 003 SENT YOU. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 119 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART VI * + * * + ************************************************************ + +REVISED: 27-OCT-84 + +Preface: + + This article will focus primarily on the standard Western Electric +single-slot coin telephone (aka fortress fone) which can be divided into 3 +types: + +- Dial-Tone First (DTF) + +- Coin-First (CF): (ie, it wants your $ before you receive a dial tone) + +- Dial Post-Pay Service (PP): you pay after the party answers + +Depositing Coins (Slugs): +____________________________________________________________ + + Once you have deposited your slug into a fortress, it is subjected to a +gamut of tests. The first obstacle for a slug is the magnetic trap. This will +stop any light-weight magnetic slugs and coins. If it passes this, the slug is +then classified as a nickel, dime, or quarter. Each slug is then checked for +appropriate size and weight. If these tests are passed, it will then travel +through a nickel, dime, or quarter magnet as appropriate. These magnets set up +an eddy current effect which causes coins of the appropriate characteristics to +slow down so they will follow the correct trajectory. If all goes well, the +coin will follow the correct path (such as bouncing off of the nickel anvil) +where it will hopefully fall into the narrow accepted coin channel. + The rather elaborate tests that are performed as the coin travels down the +coin chute will stop most slugs and other undesirable coins, such as pennies, +which must then be retrieved using the coin release lever. + If the slug miraculously survives the gamut, it will then strike the +appropriate totalizer arm causing a ratchet wheel to rotate once for every +5-cent increment (eg, a quarter will cause it to rotate 5 times). + The totalizer then causes the coin signal oscillator to readout a +dual-frequency signal indicating the value deposited to ACTS (a computer) or +the TSPS operator. These are the same tones used by phreaks in the infamous red +boxes. + For a quarter, 5 beep tones are outpulsed at 12-17 pulses per second (PPS). +A dime causes 2 beep tones at 5 - 8.5 PPS while a nickel causes one beep tone +at 5 - 8.5 PPS. A beep consists of 2 tones: 2200 + 1700 Hz. + A relay in the fortress called the "B relay" (yes, there is also an 'A +relay') places a capacitor across the speech circuit during totalizer read-out +to prevent the "customer" from hearing the red box tones. + In older 3 slot phones: one bell (1050-1100 Hz) for a nickel, two bells +for a dime, and one gong (800 Hz) for a quarter are used instead of the modern +dual-frequency tones. + +TSPS & ACTS +____________________________________________________________ + + Page 120 + + + + + The Official Phreaker's Manual + + + While fortresses are connected to the CO of the area, all transactions are +handled via the Traffic Service Position System (TSPS). In areas that do not +have ACTS, all calls that require operator assistance, such as calling card and +collect, are automatically routed to a TSPS operator position. + In an effort to automate fortress service, a computer system known as +Automated Coin Toll Service (ACTS) has been implemented in many areas. ACTS +listens to the red box signals from the fones and takes appropriate action. It +is ACTS which says, "Two dollars please (pause) Please deposit two dollars for +the next ten seconds" (and other variations). Also, if you talk for more than +three minutes and then hang-up, ACTS will call back and demand your money. +ACTS is also responsible for Automated Calling Card Service. + ACTS also provide trouble diagnosis for craftspeople (repairmen +specializing in fortresses). For example, there is a coin test which is great +for tuning up red boxes. In many areas this test can be activated by dialing +09591230 at a fortress (thanks to Karl Marx for this information). Once +activated it will request that you deposit various coins. It will then identify +the coin and outpulse the appropriate red box signal. The coins are usually +returned when you hang up. + To make sure that there is actually money in the fone, the CO initiates a +"ground test" at various times to determine if a coin is actually in the fone. +This is why you must deposit at least a nickel in order to use a red box! + +Green Boxes: +____________________________________________________________ + + Paying the initial rate in order to use a red box (on certain fortresses) +left a sour taste in many red boxer's mouths thus the GREEN BOX was invented. +The green box generates useful tones such as COIN COLLECT, COIN RETURN, and +RINGBACK. These are the tones that ACTS or the TSPS operator would send to the +CO when appropriate. Unfortunately, the green box cannot be used at a fortress +station but it must be used by the CALLED party. + +Here are the tones: + +COIN COLLECT 700 + 1100 Hz +COIN RETURN 1100 + 1700 Hz +RINGBACK 700 + 1700 Hz + + Before the called party sends any of these tones, an operator released +signal should be sent to alert the MF detectors at the CO. This can be +accomplished by sending 900 + 1500 Hz or a single 2600 Hz wink (90 ms) followed +by a 60 ms gap and then the appropriate signal for at least 900 ms. + Also, do not forget that the initial rate is collected shortly before the 3 +minute period is up. + Incidentally, once the above MF tones for collecting and returning coins +reach the CO, they are converted into an appropriate DC pulse (-130 volts for +return & +130 volts for collect). This pulse is then sent down the tip to the +fortress. This causes the coin relay to either return or collect the coins. + The alleged "T-Network" takes advantage of this information. When a pulse +for COIN COLLECT (+130 VDC) is sent down the line, it must be grounded +somewhere. This is usually either the yellow or black wire. Thus, if the wires +are exposed, these wires can be cut to prevent the pulse from being grounded. +When the three minute initial period is almost up, make sure that the black & +yellow wires are severed; then hang up, wait about 15 seconds in case of a +second pulse, reconnect the wires, pick up the fone, hang up again, and if all +goes well it should be "JACKPOT" time. + + + Page 121 + + + + + The Official Phreaker's Manual + +Physical Attack: +____________________________________________________________ + + A typical fortress weighs roughly 50 lbs. with an empty coin box. Most of +this is accounted for in the armor plating. Why all the security? Well, Bell +contributes it to the following: + + "Social changes during the 1960's made the multislot coin station a +prime target for: vandalism, strong arm robbery, fraud, and theft of service. +This brought about the introduction of the more rugged single slot coin station +and a new environment for coin service." + +As for picking the lock, I will quote Mr. Phelps: + + "We often fantasize about 'picking the lock' or 'getting a master +key.' Well, you can forget about it. I don't like to discourage people, but it +will save you from wasting alot of your time--time which can be put to better +use (heh, heh)." + + As for physical attack, the coin plate is secured on all four side by +hardened steel bolts which pass through two slots each. These bolts are in +turn interlocked by the main lock. + One phreak I know did manage to take one of the 'mothers' home (which was +attached to a piece of plywood at a construction site; otherwise, the permanent +ones are a bitch to detach from the wall!). It took him almost ten hours to +open the coin box using a power drill, sledge hammers, and crow bars (which was +empty -- perhaps next time, he will deposit a coin first to hear if it slushes +down nicely or hits the empty bottom with a clunk.) + Taking the fone offers a higher margin of success. Although this may be +difficult often requiring brute force and there has been several cases of back +axles being lost trying to take down a fone! A quick and dirty way to open the +coin box is by using a shotgun. In Detroit, after ecologists cleaned out a +municipal pond, they found 168 coin phones rifled. + In colder areas, such as Canada, some shrewd people tape up the fones using +duct tape, pour in water, and come back the next day when the water will have +froze thus expanding and cracking the fone open.In one case: + + "unauthorized coin collectors" where caught when they brought $6,000 in +change to a bank and the bank became suspicious... + + At any rate, the main lock is an eight level tumbler located on the right +side of the coin box. This lock has 390,625 possible positions (5 ^ 8, since +there are 8 tumblers each with 5 possible positions) thus it is highly pick +resistant! The lock is held in place by 4 screws. If there is sufficient +clearance to the right of the fone, it is conceivable to punch out the screws +using the drilling pattern below (provided by Alexander Mundy in TAP) + + + + + + + + + + + + + + Page 122 + + + + + The Official Phreaker's Manual + + Chapter 5 + + What is covered in these last few articles, is the essence of phreaking, +blue boxing & equal access. These last articles, I hope will be the final +stage of phreak education for now. Basic telecommunications 7 is a brief intro +to the art of blue boxing, while Better Homes & Blue Boxing will cover it in +full. Equal access will be an interesting switch, it is installed in my area +already and I have been investigating it. One thought is to call MCI operators +and box through them, over MCI lines... + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 123 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART VII * + * * + ************************************************************ + +Preface: + + After most neophyte phreaks overcome their fascination with Metro codes and +WATS extenders, they will usually seek to explore other avenues in the vast +phone network. Often they will come across references such as "simply dial KP ++ 2130801050 + ST for the Alliance teleconferencing system in LA.". Numbers +such as the one above were intended to be used with a blue box; this article +will explain the fundamental principles of the fine art of blue boxing. + +Genesis: +____________________________________________________________ + + In the beginning, all long distance calls were connected manually by +operators who passed on the called number verbally to other operators in +series. This is because pulse (aka rotary) digits are created by causing +breaks in the DC current (see Basic Telcom V). Since long distance calls +require routing through various switching equipment and AC voice amplifiers, +pulse dialing cannot be used to send the destination number to the end local +office (CO). + + Eventually, the demand for faster and more efficient long distance (LD) +service caused Bell to make a multi-billion dollar decision. They had to create +a signaling system that could be used on the LD Network. Basically, they had +two options: + +[1] To send all the signaling and supervisory information (ie, ON & OFF +HOOK) over separate data links. This type of signaling is referred to as +out-of-band signaling. + -or- +[2] To send all the signaling information along with the conversation +using tones to represent digits. This type of signaling is referred to as +in-band signaling. + + Being the cheap bastard that they naturally are, Bell chose the latter (and +cheaper) method -- IN-BAND signaling. They eventually regretted this, though +(heh, heh)... + +IN-BAND SIGNALING PRINCIPLES: +____________________________________________________________ + + When a subscriber dials a telephone number, whether in rotary or touch-tone +(aka DTMF), the equipment in the CO interprets the digits and looks for a +convenient trunk line to send the call on its way. In the case of a local +call, it will probably be sent via an inter-office trunk; otherwise, it will be +sent to a toll office (class 4 or higher -- see Telcom IV) to be processed. + + When trunks are not being used there is a 2600 Hz tone on the line; thus, +to find a free trunk, the CO equipment simply checks for the presence of 2600 +Hz. If it doesn't find a free trunk the customer will receive a re-order signal + + Page 124 + + + + + The Official Phreaker's Manual + +(120 IPM busy signal) or the "all circuits are busy..." message. If it does +find a free trunk it "seizes" it -- removing the 2600 Hz. It then sends the +called number or a special routing code to the other end or toll office. + + The tones it uses to send this information are called multi-frequency (MF) +tones. An MF tone consists of two tones from a set of six master tones which +are combined to produce 12 separate tones. You can sometimes hear these tones +in the background when you make a call but they are usually filtered out so +your delicate ears cannot hear them. These are NOT the same as touch-tones. + + To notify the equipment at the far end of the trunk that it is about to +receive routing information, the originating end first sends a Key Pulse (KP) +tone. At the end of sending the digits, #he originating end then sends a STart +(ST) tone. Thus to call 914-359-1517, the equipment would send KP + 9143591517 ++ ST in MF tones. When the customer hangs up, 2600 Hz is once again sent to +signify a disconnect to the distant end. + +History: +____________________________________________________________ + + In the November 1960 issue of The Bell System Technical Journal, an article +entitled "Signaling Systems for Control of Telephone Switching" was published. +This journal, which was sent to most university libraries, happened to contain +the actual MF tones used in signaling. They appeared as follows: + +Digit Tones +----- ----- + 1 700 + 900 Hz + 2 700 + 1100 Hz + 3 900 + 1100 Hz + 4 700 + 1300 Hz + 5 900 + 1300 Hz + 6 1100 + 1300 Hz + 7 700 + 1500 Hz + 8 900 + 1500 Hz + 9 1100 + 1500 Hz + 0 1300 + 1500 Hz + KP 1100 + 1700 Hz + ST 1500 + 1700 Hz + 11 (*) 700 + 1700 Hz + 12 (*) 900 + 1700 Hz + KP2 (*) 1300 + 1700 Hz + +(*) Used only on CCITT SYSTEM 5 for special international calling. + + Bell caught wind of blue boxing in 1961 when it caught a Washington state +college student using one. They originally found out about blue boxes through +police raids and informants. In 1964, Bell Labs came up with scanning +equipment, which recorded all suspicious calls, to detect blue box usage. +These units were installed in CO's where major toll fraud existed. AT&T +Security would then listen to the tapes to see if any toll fraud was actually +committed. Over 200 convictions resulted from the project. Surprisingly +enough, blue boxing is not solely limited to the electronics enthusiast; AT&T +has caught businessmen, film stars, doctors, lawyers, college students, high +school students and even a millionaire financier (Bernard Cornfeld) using the +device. AT&T also said that nearly half of those that they catch are +businessmen. + + + Page 125 + + + + + The Official Phreaker's Manual + + Of course, phone phreaks have achieved an almost cult status. They have +also had their fair share of media. In October 1971, Esquire published the +infamous "Secrets of the Little Blue Box" article which featured phreaks such +as Captain Crunch, who took his name from the cereal which one gave away +whistles that produced a perfect 2600 Hz pitch; Joe Engressia, the blind +phreak; and Mark Bernay, one of the nation's first and oldest phreaks. Others +such as Apple computer co-founders Steve Wozniak & Steve Jobs have also had +blue box backgrounds. 1971 also saw the publication of the first issue of YIPL, +the phone phreak newsletter, (now TAP) under the editorship of supreme yippie +Abbie Hoffman. + +Usage: +____________________________________________________________ + + To use a blue box, one would usually make a free call to any 800 number or +distant directory assistance (NPA-555-1212). This, of course, is legitimate. +When the call is answered, one would then swiftly press the button that would +send 2600 Hz down the line. This has the effect of making the distant CO +equipment think that the call was terminated and it leaves the trunk hanging. +Now, the user has about 10 seconds to enter in the telephone number he wished +to dial -- in MF, that is. The CO equipment merely assumes that this came from +another office and it will happily process the call. Since there are no records +(except on toll fraud detection devices!) of these MF tones, the user is not +billed for the call. When the user hangs up, the CO equipment simply records +that he hung up on a free call. + +Detection: +____________________________________________________________ + + Bell has had 20 years to work on detection devices; therefore, in this day +and age, they are rather well refined. Basically, the detection device will +look for the presence of 2600 Hz where it does not belong. It then records the +calling number and all activity after the 2600 Hz. If you happen to be at a +fortress fone, though, and you make the call short, your chances of getting +caught are significantly reduced (see Telcom VI). Incidentally, there have been +rumors of certain test numbers (see Telcom II) that hook directly into trunks +thus avoiding the need for 2600 Hz and detection! + + Another way that Bell catches boxers is to examine the CAMA (Centralized +Automatic Message Accounting) tapes. When you make a call, your number, the +called number, and time of day are all recorded. The same thing happens when +you hang up. This tape is then processed for billing purposes. Normally, all +free calls are ignored. But Bell can program the billing equipment to make note +of lengthy calls to directory assistance. They can then put a pen register +(aka DNR) on the line or an actual full-blown tap. This detection can be +avoided by making short-haul (aka local) calls to box off of. + + It is interesting to note that NPA+555-1212 originally did not return +answer supervision. Thus the calls were not recorded on the AMA/CAMA tapes. +AT&T changed this though for "traffic studies!" + +CCIS: +____________________________________________________________ + + Besides detection devices, Bell has begun to gradually redesign the network +using out-of-band signaling. This is known as Common Channel Inter-office +Signaling (CCIS). Since this signaling method sends all the signaling +information over separate data lines, blue boxing is impossible under it. + + Page 126 + + + + + The Official Phreaker's Manual + + + While being implemented gradually, this multi-billion dollar project is +still strangling the fine art of blue boxing. Of course until the project is +totally complete, boxing will still be possible. It will become progressively +harder to find places to box off of, though. In areas with CCIS, one must find +a directory assistance office that doesn't have CCIS yet. Area codes in Canada +and predominately rural states are the best bets. WATS numbers terminating in +non-CCIS cities are also good prospects. + +Pink Noise: +____________________________________________________________ + + Another way that may help to avoid detection is too add some "pink noise" +to the 2600 Hz tone. Since 2600 Hz tones can be simulated in speech, the +detection equipment must be careful not to misinterpret speech as a disconnect +signal. Thus a virtually pure 2600 Hz tone is required for disconnect. + + Keeping this in mind, the 2600 Hz detection equipment is also probably +looking for pure 2600 Hz or else is would be triggered every time someone hit +that note (highest E on a piano =2637 Hz). This is also the reason that the +2600 Hz tone must be sent rapidly; sometimes, it won't work when the operator +is saying "Hello, hello." It is feasible to send some "pink noise" along with +the 2600 Hz. Most of this energy should be above 3000 Hz. The pink noise +won't make it into the toll network (where we want our pure 2600 Hz to hit) but +it should make it past the local CO and thus the fraud detectors. + +Construction: +____________________________________________________________ + + While step-by-step details for the construction of a blue box is beyond the +scope of this tutorial, it is worthwhile to mention some of the details. + + First there are some alternatives but they are not as good as an actual +blue box. Many computers are capable of generating MF tones. Thus, your local +phriendly software pirate should have a program compatible for your computer. + + However, it is highly advisable not to box from home as stated in The Ten +Commandments (as interpreted for phreaks by Fred Steinbeck -- TAP #86). + +I. Box thou not over thine home telephone wires, for those who doest must +surely bring the full wrath of the Chief Special Agent down upon thy heads. + + Another alternative that has a moderate success rate involves recording the +tones from a phriend with a box or computer onto a cassette tape. They can +then be used at a fortress. + + As for actual construction techniques, TAP has devoted many issues to blue +boxing. Basically, a blue box is merely a device capable of generating two +different tones simultaneously. There are two basic construction methods that I +will outline below for the electronics hobbyist. + + The first involves the use of two 555 timer chips (or a 556 -- i.e., two +555's in one chip). It offers excellent frequency and voltage stability. +Also, it does not need a diode matrix keypad but used double-pole switches +instead. Schematics for this type of box can be found in TAP issue #29. + + The other common box makes use of two Intersil 8038CC Function Generators. +It does require a diode matrix keypad though, potentiometers, an LM-100 voltage + + Page 127 + + + + + The Official Phreaker's Manual + +regulator, a 741 Op-amp, and a handful of other parts. The schematics for this +type of blue box can be found in TAP #26. Both designs draw about 20 ma of +current. + + Also, most blue boxes use telephone earpieces (with the varistor removed) +for speakers. These can be easily liberated from fortress fones with a small +coping saw. + + Usually, the hardest part about building a blue box is the calibration. A +frequency counter is a must and an oscilloscope won't hurt. + + Some boxes also take timing into account. It is feasible on the ESS +systems that they check to see if the digits are of uniform length. If they +aren't, they are probably from a blue box and a trouble card may be dropped. +With this in mind, the Bell standard for MF pulses and interdigit intervals is +around 75 ms. It varies with the equipment used since ESS can handle higher +speeds and doesn't need interdigit intervals. + +Applications: +____________________________________________________________ + + Besides dialing normal calls free, i.e., KP+NPA+NNX+XXXX+ST, blue boxes +offer the entire network for exploration. Emergency break-ins, service +monitoring (aka taps), stacking tandems (the art of busying out all trunks +between two points), re-routing calls, conference calls, and much, much more +are all feasible. Although, Bell frequently changes these codes due to +phreaks. Here are some standard ones, though: + +Operator & Other Codes: +____________________________________________________________ + + (an optional NPA may proceed all of the numbers; otherwise, you will reach +the one local for the area where the call is originated) + +001 -- Trunk Access System +009 -- Rate Quote System +101 -- toll office test board +121 -- INWARD Operator + + This operator assists the local "0" operator in completing calls. (S)he +will do virtually anything for you providing it is within her NPA. + +131 -- Operator Directory assistance +141 -- Rout & Rate +141 defunct -- use KP + 800 + 141 +1212 + ST) + + These operators are very useful if you know how to mumble a few cryptic +phrases as compiled below (with thanks to Fred Steinbeck): To find out.....Area +Codes + + For example say , "Miami, Florida, numbers route, please." The R&R +operator will tell you "305 plus," meaning that 305 plus the seven digit number +will get you Miami. + +... Inward Operator City Codes + + Usually, the INWARD operator for an area is simply KP + NPA + 121 + +ST. In some area codes, though, there are several large cities and thus + + Page 128 + + + + + The Official Phreaker's Manual + +several inwards. To find the inward for a specific city, you would say "916 +756, operator route, please" to the R&R operator who will then tell you "916 +plus 001 plus." This means that KP+ 916 + 001 + 121 + ST will get you an +inward for Sacramento, CA (916-756). + +... City names + + If you want to know the city that corresponds to an area code and +exchange, you simply tell the R&R, "Place name, 914 390, please." In this +example, the R&R operator will respond with "White Plains, NY." + +... International Directory Assistance + + If you need a directory route for London, you could say +"International, London, England. TSPS directory route, please." The R&R +operator will respond with "Directory to London, England. Country code 44 plus +1 plus 986 plus 3611." Therefore to get a DA operator in London, you would +route yourself to an international sender and KP + 04419863611 + ST. + +... Country & City codes + + If you need to know the country and city code for an international +number you can say "International, Sydney, Australia, TSPS numbers route, +please" and get "Country code 61 plus 2." + +... International Inwards Routes + + To get routing codes for international inwards say "International, +London, England, TSPS inward route, please." The R&R Operator will respond with +"Country code 44 plus 121." + + Finally, to get language assistance for completing a foreign call you can +tell the foreign inward, "United States calling. Language assistance in +completing a call to (called party) at (called number)." + +151 -- Overseas incoming (212 +& 914+) +160-XX0 -- Various Overseas Operators +161 -- Trouble reporting operator (defunct) +181 -- Coin Refund Operator +18X -- Overseas senders + + To make an international call, one would KP + 011 + 0CC + ST where CC is +the country code. This will route you to the appropriate overseas sender. You +will then receive a 480 Hz dial tone. Here you enter KP + 0CC + city code + +local number + ST and the call is on its way. + + Country codes can be either 1, 2, or 3 digits but they must be padded for +three digits to create a pseudo-country code with extra zero's if necessary. +For example, England, country code 44, becomes 044. + + To see which international sender a certain country (lets use French +Guiana, country code 594, for example) goes through, you can dial KP + 011 + +594 + ST, wait for the Proceed to Send tone then KP + 000 + 0000 + ST and you +will receive a recording saying which ISC (International Switching Center) it +is. For the example it will say, "This is the international switching center +in Pittsburg, PA -- This is a recording - 4121." You can actually route calls +to certain senders yourself (KP + NPA + 18X + ST) but it is better off not to +since it may look suspicious if a call is sent through a sender that it + + Page 129 + + + + + The Official Phreaker's Manual + +shouldn't go through. Here are the senders: + +182 -- White Plains, NY +183 -- New York, NY +184 -- Pittsburg, PA +185 -- Orlando, FL +186 -- Oakland, CA +187 -- Denver, CO +188 -- New York, NY + + Also, there tends to be alot of talk about the Code 11, Code 12, KP2, STP, +ST3P, & ST2P keys. While they do exist the blue boxer need not concern himself +with them. The first three are used on CCITT System 5. This is the signaling +system that the International Senders use to send information to other +countries. These codes are usually added automatically just like the language +assistance digit [which distinguishes operator (or blue box) dialed calls from +customer dialed calls]. The STP, ST3P, & ST2P tones are used when equipment is +communicating with the TSPS. These also are automatically added when needed in +most cases. + +[see Telcom III for more on International Switching Centers (ISC)] + +11XXX -- miscellaneous operators +11501 -- universal cordboard operator +11511 -- conference operator +11521 -- mobile operator +11531 -- marine operator +11541 -- LD incoming switchboard +11551 -- leave word for time & charges (neat stuff) +11561 -- same as 11551 but for hotel/motels +11571 -- overseas operators (language assistance) + + The 11XXX series is interesting scanning material. + +Miscellaneous Routing Codes : +____________________________________________________________ + + Alliance Teleconferencing has several numbers, a few of which are listed +below: + +KP + 213 080 XXXX + ST +KP + 305 025 XXXX + ST +KP + 312 001 XXXX + ST +XXXX = 1050, 1100, or a few others + + Also, at KP + 317 009 + ST there is a MF tone checker. After the +beep-kerclunk, dial in KP + 999 1234567 890 + ST and it will repeat the digits +that you pulsed if they are of the right frequency. + +Tandem Scanning: +____________________________________________________________ + + To find all sorts of interesting things, you must look. Begin scanning +three digit codes in your area (i.e., KP + 000 + ST, KP + 001 + ST, etc.). Keep +track of all of your results. Sometimes you must probe things, send additional +digits and see what happens, send touch-tone, send it 2600 Hz, rip it apart. +You never know, you may run into something phun, like a computer that checks CC +numbers. + + Page 130 + + + + + The Official Phreaker's Manual + + + Incidentally, in some exchange you can dial inwards and other box codes +directly! For example, 914-121-1111 will get you a NY inward. The only problem +is that a 0 or 1 as the first digit of the exchange is usually *prohibited in +customer dialing. Somebody may have "accidentally" changed this screening code +on your ESS's computer, though -- you never know and it can't hurt to try. +WATS translation numbers also take up some of the 0XX & 1XX codes. + + Finally, certain tones on the blue box can also be used for other purposes. +An MF "2" corresponds to COIN COLLECT while "KP" corresponds to COIN RETURN. +Thus every blue box is also a green box (see Telcom VI). + +Coming soon: + +Telcom VIII will deal with cordless phones, mobile phones, and other neat +things. + +Be careful and have phun, + +*****BIOC +*=$=*Agent +*****003 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 131 + + + + + The Official Phreaker's Manual + +The Mark Tabas encounter series presents: + + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + Better Homes and Blue Boxing + + Part I + + Theory of Operation + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + To quote Karl Marx, blue boxing has always been the most noble form of +phreaking. As opposed to such things as using an MCI code to make a free fone +call, which is merely mindless pseudo-phreaking, blue boxing is actual +interaction with the Bell System toll network. It is likewise advisable to be +more cautious when blue boxing, but the careful phreak will not be caught, +regardless of what type of switching system he is under. + + In this part, I will explain how and why blue boxing works, as well as where. +In later parts, I will give more practical information for blue boxing and +routing information. + + To begin with, blue boxing is simply communicating with trunks. Trunks must +not be confused with subscriber lines (or "customer loops") which are standard +telefone lines. Trunks are those lines that connect central offices. Now, when +trunks are not in use (i.e., idle or "on-hook" state) they have 2600Hz applied +to them. If they are two-way trunks, there is 2600Hz in both directions. When a +trunk IS in use (busy or "off-hook" state"), the 2600Hz is removed from the +side that is off-hook. The 2600Hz is therefore known as a supervisory signal, +because it indicates the status of a trunk; on hook (tone) or off-hook (no +tone). Note also that 2600Hz denoted SF (single frequency) signalling and is +"in-band." This is very important. "In-band" means that is is within the band +of frequencies that may be transmitted over normal telefone lines. Other SF +signals, such as 3700Hz are used also. However, they cannot be carried over the +telefone network normally (they are "out-of-band") and are therefore not able +to be taken advantage of as 2600Hz is. + + Back to trunks. Let's take a hypothetical phone call. You pick up your fone +and dial 1+806-258-1234 (your good friend in Armarillo, Texas). For ease, we'll +assume that you are on #5 Crossbar switching and not in the 806 area. Your +central office (CO) would recognize that 806 is a foreign NPA, so it would +route the call to the toll centre that serves you. [For the sake of accuracy +here, and for the more experienced readers, note that the CO in question is a +class 5 with LAMA that uses out-of-band SF supervisory signalling]. Depending +on where you are in the country, the call would leave your toll centre (on more +trunks) to another toll centre, or office of higher "rank". Then it would be +routed to central office 806-258 eventually and the call would be completed. +Illustration: + +A---CO1-------TC1------TC2----CO2----B + +A=you +CO1=your central office +TC1=your toll office. +TC2=toll office in Amarillo. +CO2=806-258 central office. +B=your friend (806-258-1234) + + In this situation it would be realistic to say that CO2 uses SF in-band + + Page 132 + + + + + The Official Phreaker's Manual + +(2600Hz) signalling, while all the others use out-of-band signalling (3700Hz). +If you don't understand this, don't worry too much. I am pointing this out +merely for the sake of accuracy. The point is that while you are connected to +806-258-1234, all those trunks from YOUR central office (CO1) to the 806-258 +central office (CO2) do *NOT* have 2600Hz on them, indicating to the Bell +equipment that a call is in progress and the trunks are in use. + + Now let's say you're tired of talking to your friend in Amarillo +(806-258-1234) so you send a 2600Hz down the line. This tone travels down the +line to your friend's central office (CO2) where it is detected. However, that +CO thinks that the 2600Hz is originating from Bell equipment, indicating to it +that you've hung up, and thus the trunks are once again idle (with 2600Hz +present on them). But actually, you have not hung up, you have fooled the +equipment at your friend's CO into thinking you have. Thus,it disconnects him +and resets the equipment to prepare for the next call. All this happens very +quickly (300-800ms for step-by-step equipment and 150-400ms for other +equipment). + + When you stop sending 2600Hz (after about a second), the equipment thinks +that another call is coming towards it (e.g. it thinks the far end has come +"off-hook" since the tone has stopped. It could be thought of as a toggle +switch: tone --> on hook, no tone -->off hook. Now that you've stopped sending +2600Hz, several things happen: + +1) A trunk is seized. + +2) A "wink" is sent to the CALLING end from the CALLED end indicating that the +CALLED end (trunk) is not ready to receive digits yet. + +3) A register is found and attached to the CALLED end of the trunk within about +two seconds (max). + +4) A start-dial signal is sent to the CALLING end from the CALLED end +indicating that the CALLED end is ready to receive digits. + +Now, all of this is pretty much transparent to the blue boxer. All he really +hears when these four things happen is a . So, seizure of a +trunk would go something like this: + +1> Send a 2600Hz +2> Terminate 2600Hz after 1-2 secs. +3> [beep][kerchunk] + + Once this happens, you are connected to a tandem that is ready to obey your +every command. The next step is to send signalling information in order to +place your call. For this you must simulate the signalling used by operators +and automatic toll-dialing equipment for use on trunks. There are mainly two +systems, DP and MF. However, DP went out with the dinosaur , so I'll only +discuss MF signalling. MF (multi-frequency) signalling is the signalling used +by the majority of the inter- and intra-lata network. It is also used in +international dialing known as the CCITT no.5 system. + + MF signalling consists of 7 frequencies, beginning with 700Hz and separated +by 200Hz. A different set of two of the 7 frequencies represent the digits 0 +thru 9, plus an additional 5 special keys. The frequencies and uses are as +follows: + +Frequencies (Hz) Domestic Int'l + + Page 133 + + + + + The Official Phreaker's Manual + +-------------------------------------- + 700+900 1 1 + 700+1100 2 2 + 900+1100 3 3 + 700+1300 4 4 + 900+1300 5 5 +1100+1300 6 6 + 700+1500 7 7 + 900+1500 8 8 +1100+1500 9 9 +1300+1500 0 0 + 700+1700 ST3p Code 11 + 900+1700 STp Code 12 +1100+1700 KP KP1 +1300+1700 ST2p KP2 +1500+1700 ST ST + + The timing of all the MF signals is a nominal 60ms, except for KP, which +should have a duration of 100ms. There should also be a 60ms silent period +between digits. This is very flexible, however, and most Bell equipment will +accept outrageous timings. + + In addition to the standard uses listed above, MF pulsing also has expanded +usages known as "expanded inband signalling" that include such things as coin +collect, coin return, ringback, operator attached, and operator released. KP2, +code 11, and code 12 and the ST_ps (STart "primes") all have special uses which +will be mentioned only briefly here. + + To complete a call using a blue box, once seizure of a trunk has been +accomplished by sending 2600Hz and pausing for the , one must +first send a KP. This readies the register for the digits that follow. For a +standard domestic call, the KP would be followed by either 7 digits (if the +call were in the same NPA as the seized trunk) or 10 digits (if the call were +not in the same NPA as the seized trunk). [Exactly like dialing a normal fone +call]. Following either the KP and 7 or 10 digits, a STart is sent to signify +that no more digits follow. Example of a complete call: + +1> Dial 1-806-258-1234 +2> wait for a call-progress indication (such as ring, busy, recording, etc.) +3> Send 2600Hz for about 1 second. +4> Wait for about 2 seconds while a trunk is seized. +5> Send KP+305+994+9966+ST + + The call will then connect if every-thing was done properly. Note that if a +call to an 806 number were being placed in the same situation, the area code +would be omitted and only KP+ seven digits+ST would be sent. + + Code 11 and code 12 are used in international calling to request certain +types of operators. KP2 is used in international calling to route a call other +than by way of the normal route, whether for economic or equipment reasons. + + STp, ST2p, and ST3p (prime, two prime, and three prime) are used in TSPS +signalling to indicate calling type of call (such as coin-direct dialed). + + This has been Part I of Better Homes and Blue Boxing. I hope you enjoyed and +learned from it. If you have any questions, comments, threats or insults, +please fell free to drop me a line. If you have noticed any errors in this text +(yes, it does happen), please let me know and perhaps a correction will be in + + Page 134 + + + + + The Official Phreaker's Manual + +order. Part II will deal mainly with more advanced principles of blue boxing, +as well as routings and operators. + + Note 1: other highly trunkable areas include: 816,305,813,609,205. I +personally have excellent luck boxing off of 609-953-0000. Try that if you have +any trouble. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 135 + + + + + The Official Phreaker's Manual + + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + Better Homes and Blue Boxing + + Part II + + Practical Applications + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +(It is assumed that the reader has read and understood Part I of this series). + + The essential purpose of blue boxing in the beginning was merely to receive +toll services free of charge. Though this can still be done, blue boxing has +essentially outlived its usefulness in this area. Modern day "extenders" and +long distance services provide a safer and easier way to make free fone calls. +However, you can do things with a blue box that just can't be done with +anything else. For ordinary toll-fraud, a blue box is impractical for the +following reasons: + +1. Clumsy equipment required (blue box or equivalent) +2. Most boxed calls must be made through an extender. Not for safety reasons, +but for reasons I'll explain later. +3. Connections are often sacrificed because considerable distances must be +dialed to cross a seizable trunk, in addition to awkward routing. + + As stated in reason #2, boxed calls are usually made through an extender. +This is for billing reasons. If you recall from Part i, 2600Hz is used as a +"supervisory" signal. That is, it signals the status of a trunk--"on-hook" or +"off-hook." When you seize a trunk (by briefly sending 2600Hz), your end (the +CALLING end) goes on hook for the duration of the 2600Hz and then goes off-hook +once again when the 2600Hz is terminated. The CALLED end recognizes that a +call is on the way and attaches a register, which interprets the digits which +are to be sent. Now, understand that even though your end has come off-hook (no +2600Hz present), the other end is still on-hook. You may wonder then, why, if +the other end (the CALLED end) is still on-hook, there is no 2600Hz coming the +other way on the trunk, when there should be. This is correct. 2600Hz *IS* +present on the trunk when you seize it and afterwards, but you cannot hear it +because of a Band Elimination Filter (BEF) at your central office. + + Back to the problem. Remember that when you seize a trunk, 2600Hz is indeed +coming the other way on the trunk because the CALLED end is still on-hook, but +you don't actually hear it because of a filter. However, the Bell equipment +knows it's there (they can "hear" it). The presence of the 2600Hz is telling +the billing equipment that your call has not yet been completed (i.e., the +CALLED end is still on-hook). When finally you do connect with your boxed call, +the 2600Hz from the called end terminates. This tells the billing equipment +that someone picked up the fone at the CALLED end and you should begin to be +billed. So you do start to get billed, but for the call to the trunk, NOT the +boxed call. Your billing equipment thinks that you've connected with the number +you used to seize the trunk. Illustration: + +1. You call 1+806-258-2222 (directly) +2. Status of trunks: + +<-----------------------------------> +(You) 806-258-2222 +No 2600Hz-------> <------------2600Hz + + When you seize a trunk (before the number you called answers) there is no + + Page 136 + + + + + The Official Phreaker's Manual + +affect on your billing equipment. It simply thinks that you're still waiting +for the call to complete (the CALLED end is still on-hook; it is ringing, busy, +going to recorder or intercept operator. + + Now, let's say that you've seized a trunk (806-258-2222) and for example, +KP+314+949+1705+ST. The call is routed from the tandem you seized to: +314-949-1705. Illustration: + +<------------------>O<---------------> +(You) 806 314-949 + tandem +No 2600Hz----------> <----------2600Hz + + Note that the entire path towards the right (the CALLED end) has no 2600Hz +present and is therefore "off-hook." The entire path towards the left (the +CALLING end) does have 2600Hz present on it, indicating that the CALLED end has +not picked up (or come "off-hook"). When 314-949-1705 answers, "answer +supervision" is given and the 2600Hz towards the left (the CALLING end) +terminates. This tells your billing equipment, which thinks that you're still +waiting to be connected with 806-258-2222, that you've finally connected. +Billing then begins to 806-258-2222. Not exactly an auspicious beginning for an +aspiring young phone phreak. + + To avoid this, several actions may be taken. As previously mentioned, one may +avoid being charged for the number called to seize a trunk by using an extender +(in which case the extender will get billed). In some areas, boxing may be +accomplished using an 800 number, generally in the format of 800-858-xxxx (many +Amarillo numbers) or 800-NN2-xxxx (special intra-state class in-WATS numbers). +However, boxing off of 800 numbers is impossible in many areas. In my area, +Denver, I am served by #1A ESS and it is impossible for me to box off of any +800 number. + + Years ago, in the early days of blue boxing (before my time), phreaks often +used directory assistance to box off of because they were "free" long distance +calls. However, because of competitive long distance companies, directory +assistance surcharges are now $0.50 in many areas. It is additionally advised +that directory assistance numbers not be used to box from because of the +following: + + Average DA calls last under 2 minutes. When you box a call, chances are that +it will last considerably longer. Thus, the Bell billing equipment will make a +note of calls to directory assistance that last a long time. A call to a +directory assistant lasting for 4 hours and 17 minutes may appear somewhat +suspicious. + + Although the date, time, and length of a DA call do not appear on the bill, +it is recorded on AMA tape and will trip a trouble report if it were to last +too long. This is how most phreaks were discovered in the old days. Also, +sometimes too many calls lasting too long to one 800 number may raise a few +eyebrows at the local security office. + + Assuming you can complete a blue box call, the following are listed routings +for various Bell internal operators. These are in the format of KP+NPA+ +special routing+1X1+ST, which I will explain later. The 1X1 is the actual +operator routing, and NPA and NPA+ special routing are used for out-of-area +code calls and out-of-area code calls requiring special routing, respectively. + +KP+101+ST ...... Toll test board. + + Page 137 + + + + + The Official Phreaker's Manual + +KP+121+ST ...... Inward Operator. +KP+131+ST ...... Directory assistance. +KP+141+ST ...... was rate & route. Now only works in 312, 815, 717, and a few +others. It has been replaced with a universal rate & route number +800+141+1212. +KP+151+ST ...... Overseas completion operator (inbound). Works only in certain +NPAs, such as 303. +KP+181+ST ...... In some areas, toll station for small towns. + + Thus, if you seize a trunk in 806 NPA and wanted an inward (in 806), then you +would dial KP+121+ST. If you wanted a 312 inward and were dialing on an 806 +trunk, an area code would be required. Thus, you would dial KP+312+121+ST. +Finally, some places in the network require special routing, in addition to an +area code. An example is Franklin Park, Ill. It requires a special routing of +032. For this, you would dial KP+312+032+121+ST for a Franklin Park inward +operator. + + Special routings are in the format of 0XX. They are used primarily for load +balance, so that traffic flow may be evenly distributed. About half of the +exchanges in the network require special routing. Note that special routings +are NEVER EVER EVER used to dial normal telephone numbers, only operators. + + Operator functions: + +TOLL TEST BOARD- Generally a cordboard position that assists in trunk testing. +They are not used by operators, only switchmen. + +INWARD- Assists the normal TSPS (0+) operator in completing calls out of the +TSPS's area. Also, inwards perform emergency interrupts when the number to be +interrupted is out of the area code of the original (TSPS) operator. For +example, a 303 operator has a customer that needs an emergency interrupt on +215-647-6969. The 303 operator gets the routing for the inward that covers +215-647, since she cannot do the interrupt herself. The routing is found to be +only 215+ (no special routing required). So, the 303 operator keys +KP+215+121+ST. An inward answers and the 303 says to her, "Inward, this is +Denver. I need an emergency interrupt on 215-647-6969. My customer's name is +Mark Tabas." The inward will then do the interrupt (off the line, of course). +If the number to be interrupted had required special routing, such as, say, +312-456-1234 (spec routing 032), then the 303 operator would dial +KP+312+032+121+ST for the inward to do that interrupt. + +DIRECTORY ASSISTANCE- These are the normal NPA+555+1212 operators that assist +customers with obtaining telefone directory listings. Not much toll-fraud +potential here, except maybe $0.50. + +RATE AND ROUTE- These operators are reached by dialing KP+800+141+1212+ST. +They assist normal (TSPS) operators with rates and routings (thus the name). +The only uses I typically have for them are the following: + + 1. Routing- + Information- In the above example, when the 303 operator needed to dial +an inward that served 215-647, she needed to know if any special routing was +required and, if so, what it was. Assuming she would use rate and route, she +would dial them and say nicely, "Operator's route, please, for 215-647." Rate & +route would respond with "215 plus." This means that the operator would dial +KP+215+121+ST to reach the inward that serves 215-647. If there were special +routing required, such as in 312-456, rate & route would respond with "312 plus +032 plus." In that case, the operator would dial KP+312+032+ST for the inward + + Page 138 + + + + + The Official Phreaker's Manual + +that serves 312-456. + + It is good practice to ask for "operator's route" specifically, as there are +also "numbers route" and "directory routes." If you do not specifically ask for +operator's route, rate & route will generally assume that is what you want +anyway. + +"Numbers" route refers to overseas calls. Example, you want to know how to +reach a number in Geneva, Switzerland (and you already have the number). You +would call routing and say "Numbers route, please, Geneva, Switzerland." The +operator would respond with: "Mark 41+22. 011+041+ST (plus) 041+22" The "Mark +41+22" has to do with billing, so disregard it. The 011+041 is access to the +overseas gateway (to be discussed in Part iii) and the 041+ 22+ is the routing +for Geneva from the overseas sender. + +"Directory" routings are for directory assistance overseas. Example: you want a +DA in Rome, Italy. You would call rate & route and say, "Directory routing +please, for Rome, Italy." They would respond with "011+039+ST (plus) 039+1108 +STart." As in the previous example, the 011+039 is access to the overseas +gateway. The 039+1108 is a directory assistant in Rome. + + 2. Nameplace information- Rate & Route will give you the location of an NPA+ +exchange. Example: "Nameplace please, for 215-648." The operator would respond +with "Paoli, Pennsylvania." This isn't especially useful, since you can get the +same information (legally) by dialing 0, but using rate & route is often much +faster and it avoids having to hang up when you are already on a trunk. + +*NOTE* On Rate & Route: As a blue boxer, always ask for "IOTC" routings. +(e.g., "IOTC operator's route", "IOTC numbers route", etc.) This tells them +that you want cordboard-type routings, not TSPS, because a blue boxer is +actually just a cordboard position (that Bell doesn't know about). + +OVERSEAS COMPLETION +OPERATOR (inbound)- These operators (KP+151+ST) assist in the completion of +calls coming in to the United States from overseas. There are KP+151+ST +operators only in a few NPAs in the country (namely 303). To use one, you would +seize a trunk and dial KP+303+151+ST. Then you would tell the operator, for +example, "This is Bangladesh calling. I need U.S. number 215-561-0562 please." +[in a broken Indian accent]. She would connect you, and the bill would be sent +to Bangladesh (where I've been billing my KP+151+ST calls for two years). + +Other internal Bell Operators. + +KP+11501+ST ...... universal operator +KP+11511+ST ...... conference op +KP+11521+ST ...... mobile op +KP+11531+ST ...... marine op +KP+11541+ST ...... long distance terminal +KP+11551+ST ...... time & charges op +KP+11561+ST ...... hotel/motel op +KP+11571+ST ...... overseas (outbound) op + + These 115X1 operators are identical in routing to the 1X1 operators listed +previously, with one exception. If special routing is required (0XX), then the +trailing 1 is left off. + +Examples: + + + Page 139 + + + + + The Official Phreaker's Manual + +A 312 universal op ... KP+312+11501+ST +A Franklin Park (312-456) universal op (special routing 032 required)........ +KP+312+032+1150+ST [The trailing 1 of 11501 is left off]. + +Purposes of 115X1 operators. + +UNIVERSAL- Used for collect/callback calls to coin stations. + +CONFERENCE- This is a cordboard conference operator who will set up a +conference for a customer on a manual operation basis. + +MOBILE- Assists in completion of calls to mobile (IMTS) type telefones. + +MARINE- Assists in completion of calls to ocean going vessels. + +LONG DISTANCE TERMINAL- Now obsolete.Was used for completion of long distance +calls. + +TIME & CHARGES- Will give exact costs of calls. Used to time calls and inform +customer of exactly how much it cost. + +HOTEL/MOTEL- Handles calls to/from hotels and motels. + +OVERSEAS +COMPLETION (outbound)- assists in completion of calls to overseas points. Only +works in some, if any NPAs, because overseas assistance has been centralized to +IOCC (covered in Part III). + + Note that all KP+1X1+ST and KP+115X1+ST operators automatically assume that +you are a TSPS or cordboard operator assisting a customer with a call. DO NOT +DO ANYTHING TO JEOPARDIZE THIS! If you do not know what to do, don't call these +operators! Find out what to do first. + + This concludes Part II. There is one final part in which I will explain +overseas dialing, IOCC (International Overseas Completion Centre), RQS +(Rate/Quote System), and some basic scanning. + + + + + + + + + + + + + + + + + + + + + + + + Page 140 + + + + + The Official Phreaker's Manual + + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + Better Homes and Blue Boxing + + Part III + + Advanced Signalling +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +(It is assumed that the reader has read and understood parts i & ii before +proceeding to this part). + + In Parts I & II, I covered basic theory and domestic signalling and +operators. In this part I will explain overseas direct boxing, the IOCC, the +RQS, and some basic scanning methods. + +Overseas Direct Boxing. + + Calling outside of the United States and Canada is accomplished by using an +"overseas gateway." There are 7 over-seas gateways in the Bell System, and each +one is designated to serve a certain region of the world. To initiate an +overseas call, one must first access the gateway that the call is to be sent +on. To do this automatically, decide which country you are calling and find its +country code. Then, pad it to the left with zeros as required so it is three +digits. [Add 1, 2, or 3 zeros as required]. + +Examples: + +Luxembourg (352) is 352 (stays the same) +Spain (34) becomes 034 (1 zero added) +U.S.S.R. (7) becomes 007 (2 zeros added) + + Next, seize a trunk and dial KP+011+ CC+ST. Note that CC is the three digit +padded country code that you just determined by the above method. [For +Luxembourg, dial KP+011+352+ST, Spain KP+011+034+ST, and the U.S.S.R. KP+011+ +007+ST]. This is done to route you to the appropriate overseas gateway that +handles the country you are dialing. Even though every gateway will allow you +to dial every dialable country, it is good practice to use the gateway that is +designated for the country you are calling. + + After dialing KP+011+CC+ST (as CC is defined above) you should be connected +to an overseas gateway. It will acknowledge by sending a wink (which is audible +as a and a dial tone. Once you receive international dial +tone, you may route your call one of two ways: a) as an operator-originated +call, or b) as a customer-originated call. To go as a operator-originated call, +key KP+ country code (NOT padded with zeros)+ city code+number+ST. You will +then be connected, providing the country you are calling can receive +direct-dialed calls. The U.S.S.R. is an example of a country that cannot. + +Example of a boxed int'l call: + +To make a call to the Pope (Rome, Italy), first obtain the country code, which +is 39. Pad it with zeros so that it is 039. Seize a trunk and dial +KP+011+039+ST. Wait for sender dial tone and then dial KP+39+6+6982+ST. 39 is +the country code, 6 is the city code, and 6982 is the Pope's number in Rome. To +go as an operator-originated call, simply place a zero in front of the country +code when dialing on the gateway. Thus, KP+0+39+6+6982+ST would be dialed at +sender dial tone. Routing your call as operator-originated does not affect much +unless you are dialing an operator in a foreign country + + Page 141 + + + + + The Official Phreaker's Manual + + + To dial an operator in a foreign country, you must first obtain the operator +routing from rate & route for that country. Dial rate & route and if you're +trying to get an operator in Yugoslavia, say nicely, "IOTC Operator's route, +please, for Yugoslavia." [In larger countries it may be necessary to specify a +city]. Rate & route will respond with, "38 plus 11029". So, dial your overseas +gateway, KP+011+038+ST, wait for sender dial tone, and key KP+0+38+11029+ST. +You should then get an operator in Yugoslavia. Note that you must prefix the +country code on the sender with a 0 because presumably only an operator here +can dial an operator in a foreign country. + + When you dial KP+011+CC+ST for an overseas gateway, it is translated to a +3-digit sender code of the format 18X, depending on which sender is designated +to handle the country you are dialing. The overseas gateways and their 3-digit +codes are listed below. + +182 ..... White Plains, NY +183 ..... New York, NY +184 ..... Pittsburg, PA +185 ..... Orlando, FL +186 ..... Oakland, CA +187 ..... Denver, CO +188 ..... New York, NY + + Dialing KP+182+ST would get you the sender in White Plains, and KP+183+ST +would get the sender in NYC, etc., but the KP+011+CC+ST is highly suggested (as +previously mentioned). To find out what sender you were routed to after dialing +KP+011+CC+ST, dial (at int'l dial tone): KP+0000000+ST. + + If you have difficulty in reaching a sender, call rate and route and ask for +a numbers route for the country you're dialing. Sometimes, KP+011+ padded +country code+ST will not work. I have found this in many 3-digit country +codes. Luxembourg, country code 352, for example, should be KP+011+352+ST +theoretically. But it is not. In this case, dial KP+011+ 003+ST for the +overseas gateway. If you have trouble, try dialing KP+00+ first digit of +country code+ST, or call rate The IOCC. + + Sometimes when you call rate and route and ask for an "IOTC numbers route" or +"IOTC operators route" for a foreign country, you will get something like +"160+700" (as in the case of the Soviet Union). This means that the country is +not dialable directly and must be handled through the International Overseas +Completion Centre (IOCC). For an IOCC routing, pad the country code to the +RIGHT with zeros until it is 3 digits. Then KP+160 is dialed, plus the padded +country code, plus ST. Examples: + +The U.S.S.R. (7) ...... KP+160+700+ST +Japan (81) ............ KP+160+810+ST +Uraguay (598) ......... KP+160+598+ST + + You will then be routed to the IOCC in Pittsburg, PA, who will ask for +country, city, and number being dialed. Many times they will ask for a +ringback [thanks to Telenet Bob] so have a loop ready. They will then place the +call and call you back (or sometimes put you through directly). Some calls, +such as to Moscow, take several hours. + +The Rate Quote System (RQS). + + The RQS is the operator's rate/quote system. It is a computer used by TSPS + + Page 142 + + + + + The Official Phreaker's Manual + +(0+) operators to get rate and route information without having to dial the +rate and route operator. In Part ii, I discussed getting an inward routing for +dialing-assistance and emergency interrupts from the rate and route operators +(KP+800+141+1212+ST). The same information is available from RQS. Say you want +the inward routing for 305-994. You would seize a trunk and dial KP+009+ST (to +access the RQS). Sometimes, if you seize a trunk in an NPA not equipped with +RQS, you need to dial an NPA that is equipped with RQS first, such as 303. +Anyway, after you dial KP+009+ST or KP+303+009+ST, you will receive a wink +() and then RQS dial tone. At RQS dial tone, for an inward +routing for 305-994 you would dial KP+06+305+994+ST. That is, +KP+06+NPA+exchange+ST. RQS will respond with "305 plus 033 plus". This means +you would dial KP+305+033+121+ST for an inward that services 305-994. If no +special routing were required, RQS would have responded with "305 plus" and you +would simply dial: KP+305+121+ST for an inward. + + Another RQS feature is the echo feature. You can use it to test your blue +box. Dial RQS (KP+009+ST) and then key KP+07+1234567890+ST. RQS will respond +with voice identification of the digits it recognized, between the KP+07 and +ST. + + RQS can also be used for rates and directory routings, but those are seldom +needed, so they have been omitted here. + +Simple Scanning. + + If you're interested in scanning, try dialing on a trunk, routings in the +format of KP+11XX1+ST. Begin with 11001 and scan to 11991. There are lots of +interesting things to be found there, as Doctor Who (413 area) can tell you. +Those 11XX1 routings can also be prefixed with an NPA, so if you want to scan +area code 212, dial KP+212+ 11XX1+ST. + + There, now you know as much about blue boxing as most phreaks. If you read +and understand the material, and put aside preconceived ideas of what blue +boxing is that you may have acquired from inexperienced people or other +bulletin boards, you should be well on you way to an enlightening career in +blue boxing. If you follow the guidelines in Part I to box, you should have no +problem with the fone company. Comments made by "phreaks" on bulletin boards +that proclaim "tracing" of blue boxers are nonsense and should be ignored +(except for a passing chuckle). + +NOTE 1: CCIS and the downfall of blue boxing. + +CCIS stands for Common Channel Inter-office Signalling. It is a signalling +method used between electronic switching systems that eminiates the use of +2600Hz and 3700Hz supervisory signals, and MF pulsing. This is why many places +cannot be boxed off of; they employ CCIS, or out-of-band signalling, which will +not respond to any tones that you generate on the line. Eventually, all +existing toll equipment will be upgraded or replaced with CCIS or T-carrier. In +this case, we'll all be boxing with microwave dishes. Until then (about 1995 by +current BOC/AT&T estimates), have fun! + +If you have ANY questions about this text, please feel free to drop me a line. +I will respond to all mail, messages, etc. Insults are also welcomed. And if +you discover anything interesting scanning, be sure to let me know. + +Mark Tabas +$LOD$ + + + Page 143 + + + + + The Official Phreaker's Manual + +This text was prepared in full by Mark Tabas for: + +K.A.O.S. +Philadelphia, PA. +[215-465-3593]. + +Any sysop may freely download this text and use it on his/her BBS, provided +that none of it be altered in any way. + +Technical acknowledgements: + +Karl Marx, X-Man, High-Rise Joe, Telenet Bob, Lex Luthor, TUC, John Doe, Doctor +Who (413 area), The Tone Sweep, Mr. Silicon, K00L KAT, The Glump. + +References: + +1. Notes on the BOC Intra-LATA Networks Bell System publication, 1983. +2. Notes on the Network Bell System publication, 1983. +3. Engineering and Operations in the Bell System Bell System publication, +1983. +4. Notes on Distance Dialing Bell System publication, 1968. +5. Early Medieval Architecture. +....................................... +(c) February 6, 1900 Mark Tabas +....................................... + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 144 + + + + + The Official Phreaker's Manual + + BY FRED STEINBECK (TAP #88) + + IT SEEMS THAT FEWER AND FEWER PEOPLE HAVE BLUE BOXES THESE DAYS, AND +THAT IS REALLY TOO BAD. BLUE BOXES, WHILE NOT ALL THAT GREAT FOR MAKING FREE +CALLS (SINCE THE TPC CAN TELL WHEN THE CALL WAS MADE, AS WELL AS WHERE IT WAS +TOO AND FROM), ARE REALLY A LOT OF FUN TO PLAY WITH. SHORT OF BECOMING A REAL +LIVE TSPS OPERATOR, THEY ARE ABOUT THE ONLY WAY YOU CAN REALLY PLAY WITH THE +NETWORK. + FOR THE FEW OF YOU WITH BLUE BOXES, HERE ARE SOME PHRASES WHICH MAY +MAKE LIFE EASIER WHEN DEALING WITH THE RATE & ROUTE (R&R) OPERATORS. TO GET +THE R&R OP, YOU SEND A KP + 141 + ST. IN SOME AREAS YOU MAY NEED TO PUT +ANOTHER NPA BEFORE THE 141 (I.E., KP + 213 + 141 + ST), IF YOU HAVE NO LOCAL +R&R OPS. + THE R&R OPERATOR HAS A MYRIAD OF INFORMATION, AND ALL IT TAKES TO GET +THIS DATA IS MUMBLING CRYPTIC PHRASES. THERE ARE BASICALLY FOUR SPECIAL +PHRASES TO GIVE THE R&R OPS. THEY ARE NUMBERS ROUTE, DIRECTORY ROUTE, OPERATOR +ROUTE, AND PLACE NAME. + YOU GET AN R&R AN AREA CODE FOR A CITY, ONE CAN CALL THE R&R OPERATOR +AND ASK FOR THE NUMBERS ROUTE. FOR EXAMPLE, TO FIND THE AREA CODE FOR CARSON +CITY, NEVADA, WE'D ASK THE R&R OP FOR "CARSON CITY, NEVADA, NUMBERS ROUTE, +PLEASE." AND GET THE ANSWER, "RIGHT... 702 PLUS." MEANING THAT 702 PLUS 7 +DIGITS GETS US THERE. + SOMETIMES DIRECTORY ASSISTANCE ISN'T JUST NPA + 131. THE WAY TO GET +THESE ROUTINGS IS TO CALL R&R AND ASK FOR "ANAHEIM, CALIFORNIA, DIRECTORY +ROUTE, PLEASE." OF COURSE, SHE'D TELL US IT WAS 714 PLUS, WHICH MEANS 714 + 131 +GETS US THE D.A. OP THERE. THIS IS SORT OF POINTLESS EXAMPLE, BUT I COULDN'T +COME UP WITH A BETTER ONE ON SHORT NOTICE. + LET'S SAY YOU WANTED TO FIND OUT HOW TO GET TO THE INWARD OPERATOR FOR +SACRAMENTO, CALIFORNIA. THE FIRST SIX DIGITS OF A NUMBER IN THAT CITY WILL BE +REQUIRED (THE NPA AND AN NXX). FOR EXAMPLE, LET US USEM 916 756. WE WOULD CALL +R&R, AND WHEN THE OPERATOR ANSWERED, SAY, "916 756, OPERATOR ROUTE, PLEASE." +THE OPERATOR WOULD SAY, "916 PLUS 001 PLUS." THIS MEANS THAT 916 + 001 + 121 +WILL GET YOU THE INWARD OPERATOR FOR SACRAMENTO. + DO YOU KNOW THE CITY WHICH CORRESPONDS TO 503-640? THE R&R OPERATOR +DOES, AND WILL TELL YOU THAT IT IS HILLSBORO, OREGON, IF YOU SWEETLY ASK FOR +"PLACE NAME, 503 640, PLEASE." + FOR EXAMPLE, LET'S SAY YOU NEED THE DIRECTORY ROUTE FOR SVEG, SWEDEN. +SIMPLY CALL R&R, AND ASK FOR, "INTERNATIONAL, BADEN, SWITZERLAND. TSPS +DIRECTORY ROUTE, PLEASE." IN RESPONSE TO THIS, YOU'D GET, "RIGHT... DIRECTORY +TO SVEG, SWEDEN. COUNTRY CODE 46 PLUS 1170." SO YOU'D ROUTE YOURSELF TO AN +INTERNATIONAL SENDER, AND SEND 46 + 1170 TO GET THE D.A. OPERATOR IN SWEDEN. + INWARD OPERATOR ROUTINGS TO VARIOUS COUNTRIES ARE OBTAINED THE SAME WAY +"INTERNATIONAL, LONDON, ENGLAND, TSPS INWARD ROUTE, PLEASE." AND GET "COUNTRY +CODE 44 PLUS 121." THEREFORE, 44 PLUS 121 GETS YOU INWARD FOR LONDON. + INWARDS CAN GET YOU LANGUAGE ASSISTANCE IF YOU DON'T SPEAK THE +LANGUAGE. TELL THE FOREIGN INWARD, "UNITED STATES CALLING. LANGUAGE ASSISTANCE +IN COMPLETING A CALL TO (CALLED PARTY) AT (CALLED NUMBER)." + R&R OPERATORS ARE PEOPLE ARE PEOPLE TOO, Y'KNOW. SO ALWAYS BE POLITE, +MAKE SURE USE OF 'EM, AND DIAL WITH CARE. + +NOTE: AS A RESULT OF THE BREAK-UP, R&R IS NOW KP+800+141+1212+ST + + + + + + + + + Page 145 + + + + + The Official Phreaker's Manual + + Verification + By Fred Steinbeck + +From TAP issue # 88 10-83 + + There has been a great deal of controversy in the realm of phreakdom over a +mysterious subject known under a number of different names, including +"Verification", "Autoverification", "Verify", "Autoverify", "Verify Busy", and +even "VFY BY". All of these names basically mean the same thing: the ability +to listen to another person's telephone line from any telephone in the +direct-dialable world. + Needless to say, Bell System is very tight lipped about knowledge regarding +verification. Indeed, the infamous book 'Notes on long distance dialing' ('68 +edition) says, "Care must be taken to insure that the customer never gains +verification capabilities." With a printed policy like that, you can imagine +what their real-world policy is like! Even their own rate and route operators +will not give verification on routing codes (at least in my experience), one +even responding, "What?! You must be crazy! We don't give those out!" Before +you get too far into this article, I will state simply: I don't know how to +verify. However, I have been fooling with various things related to it, and +collecting information on it for some time now. Therefore, while I can't do it +(yet), I may be able to point some other bright TAPer on the right track, and +perhaps he or she will show us all how. If you have knowledge not covered in +this article, but don't want to write an article on your own, please send your +ideas, comments, or information to Project Verify, C/O TAP Verify has also +been called "Autoverify", and I have no idea why. This is not, to my +knowledge, a Bell System term (at least I've never seen it in any manuals) As +far as I know, there is verify, which means being able to listen to speech +(kind of; see below) on a line, and there is the "Emergency Interrupt which +allows you to take part in the conversation taking place on the line in +question. It has been suggested that "Autoverify" is the same as an emergency +interrupt , but I tend to disagree with this idea. It should be noted that the +verification circuitry does not actually let an operator listen to a +conversation without making a beep on the line every so often. Instead, she +will hear encrypted speech. However, I believe with the proper methods, verify +can be converted to an emergency interrupt. + Verification is normally done either by your normal "0" (TSPS) operator, if +the call is in your home NPA (HNPA), or by an inward operator (IO). If the +call is outside your HNPA, your normal operator will call the IO for the +NPA,and say, "Verify Busy" or "Emergency Interrupt" please, 555 1212." The IO +will perform whatever magic he or she must, and then report back. If the call +is in your HNPA, though, the "0" operator can do the verification herself by +using the "VFY BY" key on her keyshelf. However, in some areas, the operator +uses a routing code to accomplish verification, and this the is loop hole we +shall attack. + It follows that if a IO or "0" operator can do it, so can we, with a blue box +Now, courtesy of Robert Allen (who brought it to my attention) and Susan +Thunder (who apparently discovered it), here is what used to work for getting +operators to hook you into conversations with other people (i.e.,let you listen +to them till you hung up): You'd call the operator and say "Operator, TSPS +Maintenance Engineer Calling. Ring forward to 001 + NPA + 7d, ring back to my +number, hit ring forward, no AMA, and then position release. + This creates some problems, and you must be familiar with the TSPS +console(by dialing "0"), you are on the "back", or incoming part of a loop. +When she places a call for you, the call goes out on the "forward", or outgoing +part of the loop. If an operator wants to make a call, she punches KP FWD +(keypulse forward), the number, and ST. Ring FWD puts a 90 volt ringing signal +across the forward part of the line (and may dial the number as well). The + + Page 146 + + + + + The Official Phreaker's Manual + +problem arises from the fact that I don't know if Ring FWD will actually dial a +call, and if there is some other subtle difference between it an KP FWD. + Let us assume ringing forward makes a call from the TSPS console to whatever +number is given. Ring back causes your phone to ring (it is assumed you hung +up after giving her your instructions; if you didn't you'd hear an annoying 90 +volts across the earpiece...) "No AMA" means "no automatic message accounting", +so nobody gets billed for the call, although it will show up on a tape +somewhere. "Position Release" removes the operator from the circuit, and +allows her to receive other calls. This leaves an unaccounted-for ring +forward. + The verification circuit, as you know, likes to encrypt conversation, which +is something we don't want. Well, the second Ring FWD sends another 90 volts +crashing against the verify circuitry, which Juda Gerad thinks removes the +voice encryption from the line, puts the operator (and you) in circuit, and +puts a beep tone on the line every five seconds. This seems to make sense, and +I am inclined to agree with him. + The bit about "....001 + NPA + 7D" causes the thought "MF routing code" to +spring immediately to mind. Now, the above trick was supposed to work in the +213 NPA. I have tried both "KP+001+213+7D+ST", and some other area codes. I +generally get nothing, a reorder signal, or a tandem recording. + Here's some food for thought: On an official Telco sheet I have, labeled " +213 NPA MF Routing Codes", 001 is listed as "VFY BY", or verify busy for the +213 NPA. 002 is listed for the 805 NPA. Ma Bell likes to have standardized +routing codes, such logical, then, that 001 would be a sort of "standard" +verify code, and other prefixes would be tacked on at 002,003, etc. However, I +have heard from a retired operator that verification codes are different from +area to area, and are not always nice numbers like 001, 002. Ah, well, a guy +can hope, can't he? + Some suggestions for future attacks on this dilemma: Everyone call your +operators and subtly ask questions. I have found the tend to give information +out easier if you ask for something that you would ordinarily have to be a +company employee to know about, such as rate steps, operator routings, etc. + Casually let slip that you used to be (or still are) an operator, or that +you work for company security. Also, you might want to blue box some codes +like 001 followed by your NPA and the last 7D of a busy number. If you get a +sort of "whispery noise", try blasting the line with a ringing signal (you +might piggyback another line onto yours and call the piggyback to generate the +90 volts) and see if that does anything. + + + + + + + + + + + + + + + + + + + + + + Page 147 + + + + + The Official Phreaker's Manual + + =================================== + EQUAL ACCESS AND THE AMERICAN DREAM + =================================== + + +by + +Mark Tabas +P.O. Box 620401 +Littleton, CO 80162 + +July 7, 1985 + + + + The American Dream means many things to many people. To the small, typical +businessman, it means building a good, strong business based on hard work and +perseverance; indeed, with nothing limiting his potential but he amount of work +he is willing to put into his business. To a large businessman, the American +Dream means living and working in a country where a single corporation can have +a profit exceeding the gross national product of an entire third world nation. + To the individual, the American Dream is the right to choose -- everything +from one's breakfast cereal to a long-distance service, as well as the formal +right outlined by our founding fathers: those of life, liberty, and the pursuit +of happiness. + To the phone phreak, I think the American Dream is, in a sort of twisted way, +the uninhibited pursuit of knowledge. This quest could scarcely remain +unchecked in many other countries. Analogous to this quest is the thriving of +the Bell System, which until January 1, 1984 consisted of the American +Telephone and Telegraph Company, the largest corporation in the history of the +world. Did the American Dream die on January first or did the divestiture of +AT&T cause a giant step forward for competition and free enterprise in the +United States? I do not know. I do know that the other nations of the world +were amazed that the United States would dissolve the entity that brought the +finest and most universal telephone system in the world, and did so at a time +when the majority of the rest of the world was still using two dixie cups and a +string. + The unfairness of the situation is that AT&T built the telephone system of +this nation and is now being bound and gagged and having its possessions +distributed to others, whom AT&T also wrought. All in the name of fairness, +free competition, and "equal access". Where was was MCI during the century +that AT&T built he communications system of this nation? Well, I believe in +Equal Access, Wholly. And, since I believe in equal access and its +implications for equality for all so strongly, I feel that MCI, Sprint, and +others should take the same amount of time to build their respective toll +networks: 100 years. Therefore, if the United States Justice Department were +truly the fair and just administrator that it portrays itself to be, MCI would +not have a hand in the long-distance cache until about 2080. That's only +fair. + There is no doubt that MCI is a sub-standard organization. They consist of +incompetent employees, inferior equipment, and an inferior marketing strategy. +They are mockingly imitative of AT&T, except in the quality of their service, +which is practically unusable. It is also interesting that with less than 2% +market share, MCI calls itself "the nation's long-distance company." The point +to this diatribe is this. It's time for these long-distance companies such as +MCI and Sprint to grow up. With Equal Access, they are going to become real +long-distance companies, not the joke organizations they are now, and I think +it may just take them one hundred years to do so. + + Page 148 + + + + + The Official Phreaker's Manual + + + ============ + Equal Access + ============ + + Equal Access, as it applies to the telecommunications industry, is "the +requirement that each Bell Operating Company provide exchange access to all +long-distance carriers that is equal in type and quality to that provided AT&T +communications." This is the official provision set forth by the United States +Justice Department in the Modification of the Final Judgment, August 24, 1982. +All this means is that each long-distance-distance company will have "equal +access" to all of the same types of services that AT&T currently enjoys. There +are four types of long-distance carrier services, divided into "feature +groups." They follow. + +FG A: "line side access." This is the standard 7-digit dialup+code (for +billing purposes) +destination telephone number. It is currently in use by +most long-distance carriers. + +FG B: "trunk side access." These are the 950 exchange numbers. They also +utilize an authorization code for billing. As with FG A, automatic number +identification (ANI) (i.e. calling number) is not provided to the carrier, but +will be in the future. + +FG C: "1+ dialing." Currently, only AT&T is able to get this type of +service. It is 1/0+7 of 10 digit direct long distance dialing. ANI (for +billing) is provided. + +FG D: "equal access." This will allow for 1/0+7 or 10 digit direct +long-distance dialing (presubscription carrier) and 10xxx+1/0+7 or 10 digit +long-distance dialing (alternate carrier). ANI for billing is provided at the +long-distance carrier's option. Billing may also be handled by the individual +long distance company or the local Bell Operating Company. + + Feature groups C and D are mutually exclusive (i.e. both cannot exist in a +particular area at the same time). Areas which have Feature Group C (AT&T +long-distance only) are non-Equal Access, and areas which have Feature Group D +(multiple long distance carriers) are Equal Access regions. + Feature Group B, the 950 exchange numbers will be used in areas in which it +is not feasible to provide with Equal Access, such as step-by-step offices +(yes, they CAN have 950 numbers), some crossbar offices, and some independent +telcos, which are not bound by the provisions of Equal Access and may provide +to their customers any type of long-distance service(s) they wish. The 950 +exchange is now active in many areas. It is mainly used as a universal +"roaming" access port for many long-distance carriers, but when an office is +converted to Equal Access, the 950 capability is removed. Thus, in an Equal +Access region, one cannot complete a call to a 950 telephone number. + I personally am looking very forward to Equal Access. My area is not +scheduled for full implementation of it until late 1985 or early 1986, and by +this time many of the alternate long distance carriers' networks will be in +place (or well under way). Think about what Equal Access means. Equality for +all long distance carriers. Access to common facilities, such as: busy-line +verification lines, Bell System information, signalling specifications. etc. +After full implementation of Equal Access, one will be able to take advantage +of and manipulate the services of more than just one carrier. It will no +longer be phreaks vs. AT&T. + When your area is ready to initiate Equal Access, you will receive a notice +in the mail informing you of some of the details of Equal Access, and will ask + + Page 149 + + + + + The Official Phreaker's Manual + +you to specify your choice of "primary carrier." In some cases you will need to +specify both inter-LATA carrier (IC), which handles calls out of your LATA +(Local Access and Transport Area), and an international carrier (INC), which +will handle calls destined for other countries. Recent market studies have +shown that between 80 and 90 per cent of residential customers will continue to +be served by AT&T for their long-distance service after Equal Access. So much +for competition. + You will probably be faced with many long-distance companies to choose from, +including but not limited to: AT&T, MCI, Sprint, ITT, Western Union, Dial U.S., +Call America, TMC, and U.S. Telephone. Whichever you choose will become your +"primary carrier." Your primary carrier will handle your call each time you +pick up you fone and dial 1+7 or 10 digits or 0+7 or 10 digits, inter-LATA +only. That is, if you dial a toll call that is within your LATA, it will be +handled by your local telephone company (Bell), not by your primary carrier, +even though it is a toll call. Let's use an example. The state of Colorado +consists of two LATAs. For this example, I will use three cities in Colorado: +Denver (in LATA1), Sterling (LATA1 also), and Colorado Springs (in LATA2). +Note here that even though Denver ad Sterling are in the same LATA, and Denver +and Colorado Springs are not, Sterling is actually much farther away from +Denver than Colorado Springs. This is because LATA boundaries were designed +giving consideration to high toll-traffic regions, to bring in revenue. Toll +traffic between Denver and Colorado Springs is very high, so the two cities +were placed in separate LATAs (or, more correctly, they were separated by a +LATA boundary). Toll traffic between Denver and Sterling is very low, of the +two cities were allowed to remain in the same LATA. Now, if everyone in +Colorado Springs were to pack up and move to Sterling (though who knows what +the hell for), the LATA boundaries in Colorado would be changed so that Denver +and Sterling were in different LATAs. The primary factor in determining LATAs +is money. + If I made a call to Sterling from my home in Denver, the call would be routed +entirely via Mountain Bell long-distance facilities. No long distance carrier +would be involved because Denver and Sterling are in LATA1. If I made a call +to Kelley, the blonde babe in Colorado Springs, the call would be handled by a +long distance carrier (in this case, AT&T) because Denver is in LATA1 and +Colorado Springs is in LATA2. Here is a table to simplify this: + +Customer dials LATA Carrier +----------------------------------------------------------------- +7 digits same Bell +1+7 digits same Bell +1+7 digits diff LD carrier (currently AT&T) +1+10 digits diff LD carrier (currently AT&T) +----------------------------------------------------------------- + + Note several things here. First, not all areas need to dial a 1 when dialing +any number, local or long distance, but the central offices will still discern +whether the call is in the same LATA as the customer or a different one and +handle the call appropriately. Secondly, some step-by-step offices require a +1+NPA to be dialed for calls within the same LATA and, in fact, all numbers +outside of the office itself. But, for the most part, the above table is +standard for common switching networks. + + ================== + Alternate Carriers + ================== + + Your normal long distance carrier will handle all your toll calls which cross +over LATA boundaries when you dial directly, 1+. If you wish to place your + + Page 150 + + + + + The Official Phreaker's Manual + +call via another carrier's network, whether for cost, quality, or circuit +availability reasons, you may do so in Equal Access regions. To access an +alternate long distance carrier after Equal Access, a customer dials +10xxx+1/0+7 or 10 digit telefone number. Note that xxx is the "carrier access +code (CAC)." A few CACs currently in use are listed below. + +220 ........ Western Union 666 ........ Lexitel +222 ........ MCI 777 ........ Sprint +333 ........ US Telefone 888 ........ SBS +444 ........ Allnet + + Thus, in an Equal Access region, to dial Fred in Orlando, a customer would +dial 1+305+994+9966 to place his call on his primary carrier, or to place it on +another network, he could dial: 10222+1+305+994+9966, and the call would go +over MCI facilities (in this case). Eventually, after many more long distance +services get into the act, there will be a directory of the various long +distance companies and their CACs, and deciding which carrier to use for any +particular call to get the bet rate will be beyond the ability of everyone +except phone phreaks. + + ================ + The 950 Exchange + ================ + + As discussed, the 950 central office exchange is currently a "roaming" access +port for various long distance carriers. In areas that have 950, the access to +carriers is standardized. Thus, someone travelling to several different areas +need only know the 950 number of the carrier he uses to access it from any area +(provided that it have 950 active). Originally, the 950 exchange was designed +to correspond with the 10xx carrier access code used for Equal Access. For +example, 950-1022 would be the same carrier as 1022 (+telephone number). +However, it was later found that the 100 codes available for use as 10xx CACs +would be insufficient to handle he number of long distance carriers. So, the +common carrier access code was increased by one digit, to 10xxx, thus +increasing the number of possible CACs to 1000. To keep the 950 exchange +consistent with the non CAC, the Bell Operating Companies have opted to change +the 950-10xx to 950-0xxx. The xxx in the 950-0xxx remains the same as the xxx +in the 10xxx carrier access code. The new modified 950 numbering pan is now +active in Philadelphia (Bell Atlantic) among other areas. + After Equal Access is well under way, the 950 exchange will be used in +certain areas that cannot be equipped for the standard Equal Access dialing +plans. This includes step-by-step, #1 crossbar, #5 crossbar, #2ESS, and #3ESS +offices. Customers in areas served by these types of switching equipment will +dial 950-0xxx, wait for acknowledgement tone from the carrier, and then dial a +"personal identification number" and destination telefone number,and the call +will be completed on the selected carrier's facilities. Initially, billing +will be handled by the carrier itself, and supervisory information and ANI will +not be provided by the local Bell Operating Company. + There are three main advantages to the 950 central office exchange and +protocol. They are: a) universal access for all areas, b) 950-exchange numbers +are "trunk side access." This means that the long distance carrier has direct +trunks going to it from a Bell toll office or local central office. These +trunks are interoffice lines, not customer type (POTS) lines, and supposedly +insure higher quality of connection. And, c) 950-exchange numbers are toll and +message unit free. On metered-usage (i.e., not "flat rate") customer lines, +they cost nothing. In most areas they are free from coin stations, with +Colorado as one notable exception. + + + Page 151 + + + + + The Official Phreaker's Manual + + ===== + Costs + ===== + + Each long-distance carrier must choose the type(s) of service it wishes to +provide to its customers. These different types of service were outlined +earlier as "Feature Groups." The costs of these Feature Groups vary directly +with the complexity and quality of the service itself. The following table +outlines the cost to the carrier of each available Feature Group. It is based +on the monthly rate per line for 9000 minutes of circuit use, and assumes the +carrier and Bell switch are 15 miles apart. + +FG non-Equal Access Equal Access +-------------------------------------------------------- +A $329.94 $709.20 +B 329.94 721.80 +C 752.40 ** N/A ** +D ** N/A ** 752.40 +-------------------------------------------------------- + + These figures are a lot more significant than they might appear. They +indicate that after Equal Access, in order to compete with the giants such as +AT&T, MCI, etc., smaller long distance companies will use Feature Group A or B +type service in order to provide significantly lower rates to their customers +than companies subscribing to Feature Group D service (like AT&T, MCI, etc). +This will cause a unique type of equilibrium to form. Customers willing to +dial an access number, authorization code, and destination number and put up +with lower quality service will be able to save a lot of money. This seems +faintly reminiscent of pre-Equal Access times.... + + ==================== + Directory Assistance + ==================== + + Each Bell Operating Company will be responsible for providing intra-LATA +operator services. When a customer dials (1)+411 or (1)+555+1212 for local +directory assistance, he will reach a Bell operator who will service requests +for listed numbers within the customer's LATA. Requests for numbers in LATAs +other than the calling customer's may be handled at the discretion of the local +operating company. Initially, the Bell Operating Companies will meet the +responsibility for providing directory assistance services by contracting it to +a long distance carrier or carriers (currently AT&T). All inter-LATA directory +assistance services will be provided by the inter-LATA carrier (IC). ICs may +also provide 800 Enterprise service or other toll free type directory +assistance services. See table. + +================================================================= +Intra-LATA: +================================================================= + HNPA 411/555-1212 BOC + *FNPA NPA+555-1212 BOC + HNPA 10xxx+555-1212 intra-LATA carrier + *FNPA 10xxx+NPA+555-1212 intra-LATA carrier + +================================================================= +Inter-LATA: +================================================================= + HNPA (10xxx)+1+555-1212 IC + + Page 152 + + + + + The Official Phreaker's Manual + + FNPA (10xxx)+1+NPA+555-1212 IC +================================================================= +* When LATA boundaries cross NPA boundaries (rare). +FNPA = Foreign Numbering Plan Area (area code). +HNPA = Home Numbering Plan Area (area code). + + At first glance, the above table appears somewhat complex. But, if you +understand the concept of LATAs and carriers, it is easily understood. +Essentially, all local Bell Operating Companies will maintain their own +directory assistance services. When a customer dials 411 or 555-1212, he will +reach a BOC directory assistant. Additionally, each long distance carrier that +wishes to provide directory assistance to its customers will also have DA +facilities. And, when a customer dials a directory assistant (NPA+555-1212) on +a carrier, he will reach an operator of that particular long distance carrier. +The key here is LATAs. If a customer wants to find a number that is within his +LATA, no long distance carrier is involved. It is handled strictly by the +Local Bell Operating Company. If a customer is seeking a number that is not +within his LATA, he must use the services of an inter-LATA (long-distance) +carrier. + + ====================== + TSPS Operator Services + ====================== + + Traffic Service Position System (TSPS) operator services will be handled much +in the same fashion as directory assistance services, with a few differences. +As with DAs, each Bell Operating Company and each inter-LATA carrier will +maintain its own TSPS operator facilities (or cordboard I suppose, if they +cannot afford TSPS). When a customer dials simply 0 (operator), he will reach +a BOC TSPS operator. The BOC TSPS will be able to handle all types of +intra-LATA operator-assisted traffic including (but not limited to): collect, +third party billing, Bell credit card, coin, verification and emergency +interrupt, and requests for emergency aid. BOC TSPS will be unable to complete +calls for customers outside of the customer's LATA. Thus, inter-LATA operator +assistance will be handled by an inter-LATA carrier TSPS (IC TSPS). An IC TSPS +will handle all previously mentioned types of calls that require inter-LATA +transport (i.e., the call originates and terminates in different LATAs). When +a customer dials 0+NXX-XXXXX or 0+NPA+NXX-XXXX, the central office will +determine if the call is destined for another LATA. If it is not, the call +will be sent to the Bell TSPS for appropriate handling. If the call is bound +for another LATA (and his determination is made based on the NXX or NPA+NXX), +then the call will be sent off to the customer's primary long-distance carrier +(since only 0+ was dialed). If the customer wishes to use a different +carrier's operator services, he would dial 10xxx+0+number, and the carrier +specified by the 10xxx carrier access code would receive the call. Note: if a +customer dials 10xxx+0+number, and the call is an intra-LATA call, he will get +a recording, "We're sorry, the number you dialed cannot be reached with the +carrier access code you dialed. Please check the code and try again or call +your carrier for assistance." (Western Electric KS-22550 central office tape +list no. 46.) Until the Bell Operating Companies can install their own TSPS +facilities and networks, they will (continue to) lease capacity from AT&T TSPS. +That is, AT&T will handle the intra-LATA traffic for the BOCs on a contract +basis. In the meantime, AT&T will continue to handle its own long-distance +operator services while the other inter-LATA carriers will have to implement +their own operator networks from scratch. My estimation is that you won't be +able to dial 10222+0 for an MCI TSPS operator until sometime around the year +2590. And even then they will probably be cordboard. + In addition to the changes in TSPS described above, there will be certain + + Page 153 + + + + + The Official Phreaker's Manual + +modifications to the software and hardware involved in the TSPS operator +system. Most critical, and of paramount importance to the telecommunications +enthusiast is changes in circuit associated signalling (CAS). This is +signalling to and from the TSPS facility. When a customer dials 0 (operator) or +10xxx+0 (IC operator), a succession of events occurs. First, the end office +seizes a trunk to the appropriate operator facility (this assumes that no +access tandem is involved). The operator service facility responds with a wink +(proceed signal) and the end office outpulses the CALLED number (or KP+ST if 0 +only dialed). The operator service (OS) facility will then come off-hook to +signal that it is ready to receive ANI information. The end office outpulses +the ANI information in the format of KP+II+7 digits+ST (or ST'). If there is +ANI failure, a KP+02+ST (or ST') will be sent. "ST'" stands for STart "prime", +and is indicative of a coin call (i.e., dial 0 from a coin station). A normal +ST terminating the ANI sequence means that the call is originating from a +noncoin station. See table for ultimate description. + +Inter-LATA calls MF-pulsed + +type of call customer dials cld num ANI +============================================================ +noncoin: +============================================================ + direct dialed 10xxx+1+7/10d KP+7/10d+ST'' KP+II+7d+ST + operator assist 10xxx+0 KP+ST''' KP+II+7d+ST + special toll 10xxx+0+7/10d KP+7/10d+ST''' KP+II+7d+ST + +============================================================ +coin: +============================================================ + direct dialed 10xxx+1+7/10d KP+7/10d+ST KP+II+7d+ST + operator assist 10xxx+0 KP+ST' KP+II+7d+ST + special toll 10xxx+0+7/10d KP+7/10d+ST' KP+II+7d+ST + +============================================================================= +Intra-LATA calls +============================================================================= +noncoin: +============================================================================= + direct dialed 10xxx+1+7/10d KP+7/10d+ST'' KP+II+7d+ST' + operator assist 10xxx+0 KP+ST''' KP+II+7d+ST' + special toll 10xxx+0+7/10d KP+7/10d+ST''' KP+II+7d+ST' + +============================================================================= +coin: +============================================================================= + direct dialed 10xxx+1+7/10d KP+7/10d+ST KP+II+7d+ST' + operator assist 10xxx+0 KP+ST' KP+II+7d+ST' + special toll 10xxx+0+7/10d KP+7/10d+ST' KP+II+7d+ST' +============================================================================= +Note: ST=Start, ST'=STart prime, ST''=Start double prime, ST'''=STart triple +prime. + + Once again, the above table appears somewhat intimidating in its complexity. +All these STs, ST primes, etc. Actually, the only purpose of the starts is to +distinguish to the TSPS machine exactly what type of call the customer is +placing and from what type of telefone he is calling. "Special toll" calls are +collect, credit card, and third-party billing type calls. Here is an example +of a complete dialing and outpulsing sequence for an operator service call: + + Page 154 + + + + + The Official Phreaker's Manual + +from a coin fone, a customer dials 0+ (or 10xxx+) 303+979-9997. The central +office would seize a trunk to the operator service facility and outpulse: +KP+303+979-9997+ST'. This indicates to the operator service facility that the +call is a special toll call originating from a coin telephone. The OS facility +comes off-hook and the central office would then outpulse KP+00+232+9969+ST. +This is he ANI information, and the ST indicates that the call is inter-LATA +(if it were intra-LATA, the sequence would be terminated with ST' instead). + Perhaps now I should explain screening. Certain telefones are "screened" +against placing certain types of calls. A screening code is a two digit +information carrier. For instance, 00 is "identified line" (no special +treatment), 01 is multiparty ONI (operator number identification), 02 is ANI +failure, 06 is hotel/motel, 07 is coinless (hospital/inmate fone), 08 is +inter-LATA restricted, 68 is hotel inter-LATA restricted, 78 is coinless +(hospital inmate) inter-LATA restricted, etc. A 98 is an AT&T Charge-A-Call +fone (those blue fuckers). More screening codes are allocated as they are +needed. Note that the original TSPS screening design only allowed for single +digit information digits. They were later found to be insufficient. + I believe that the operator services have been adequately covered, so I will +now move on to other aspects of Equal Access. + + ============= + Routing Codes + ============= + + The TTC (terminating toll centre) and special routing codes will continue to +be used in inter-LATA networks. These 0xx and 1xx type codes, which sometimes +precede operator routing codes, will be assigned to various ICs on an +individual basis. When 0xx and 1xx codes serve as pseudo-central office code, +they will be coordinated such that it will avoid IC conflicts. The +Numbering/Dialing Planning Group of the Central Services Organization (sounds +like some sort of Communist governing body) will provide assistance where the +assignment of coordinated codes is necessary. + + ================== + Special Area Codes + ================== + + Special area codes, also called Service Area Codes (SACs) presented the +designers of Equal Access with an interesting problem. SACs are N00 type area +codes, such as 700, 800, and 900. They are used for special services and +unlike normal area codes, are not associated with a particular state or region. +Each long distance carrier will be allocated its own exchanges in each service +area code. Thus, when a customer places a call to a number in a service area +code, the central office will examine the exchange of the telefone number and +route the call over the proper carrier's facilities. The customer will be +totally oblivious to this process. Current SACs include 700 (teleconferencing), +800 (toll free services), and 900 (dial-it services). There are currently +plans under way to implement the 600 area code, although its exact uses are not +yet clear. + + ================ + Signalling to IC + ================ + + Each long distance carrier that wishes to serve a particular LATA must +establish a point of presence (POP) in that LATA. A carrier's POP is a toll +office that receives toll traffic destined for another LATA. A POP is a centre +for inter-LATA transport of toll traffic. This traffic will be directed to it + + Page 155 + + + + + The Official Phreaker's Manual + +from a Bell central office, either an end office or an access tandem (AT). An +access tandem is simply a Bell office which directs long distance traffic from +a number of local end offices to a number of different inter-LATA carriers. To +pass call details (such as called and calling numbers) from the Bell local +office to the inter-LATA carrier, a signalling system was designed that employs +current multifrequency (MF) signalling protocol. When a customer dials +10xxx+(1/0)+(NPA)+NXX+, the end office will seize a trunk to the appropriate IC +as determined by the 10xxx CAC (or primary carrier if no CAC is dialed). Note: +this happens as soon as the customer finishes dialing the exchange, even though +he may still be dialing the last four digits of he telefone number. After the +end office has seized a trunk to the IC, the IC will return a wink, which is +the signal to proceed. Then, the end office will send ANI information, in the +format of: KP+II+10 digit ANI+ST. If the carrier is not to receive ANI +information from the Bell Operating Company (i.e., they are not paying for it), +then only KP+ST is sent. Presumably, by now the customer has completed dialing +the last four digits of the destination telefone number, so the end office will +send: KP+7 or 10 digit CALLED number+ST. Note several things here: 1) The IC +does not send a wink when it is ready to receive CALLED number information. 2) +ANI information is ten digits, plus a two-digit screening code, and 3) The +central office's outpulsing to the IC overlaps the customer's dialing. + Some ANI screening codes include: 00 (identified POTS), 01 (ONI multiparty), +02 (ANI failure), 06 (hotel without room identification), 07 (coinless, +hospital, inmate, etc.), 08 (inter-LATA restriction), 10 (test call), 20 (AIOD +calls, listed DN sent), 27 (coin call), and 95 (test call). These are the same +or similar as the screening codes used in operator service signalling. + In addition to the domestic signalling design outlined above, a new +international signalling system has been designed for use with Equal Access. +It also uses two-stage, overlapping outpulsing. After a customer has completed +dialing (10xxx)+011+CC (CC is country code), the Bell end office will seize a +trunk to he appropriate IC (or international carrier, if direct routing is +available). The IC/INC will respond with a wink, and the end office will +outpulse: KP+1NX+YXX+CCC+ST. Each of these three groups of routing information +indicate something different abut the international call being placed. The 1NX +is the "international system routing code, one for each type of call routing." +I have absolutely no idea what that means, and no one I have talked to at Bell, +AT&T, MCI, CCITT, ITT, the CSO and FCC have any idea either. Next, the YXX is +the carrier routing code. It is actually XXX, Which is the three digits of the +10xxx CAC for the particular carrier being accessed. Finally, CCC is the +country code, padded with a zero if necessary. + One may wonder why the CAC is signalled forward when a trunk is seized +directly to the carrier itself. The reason for this is that in some cases a +direct trunk to the carrier is not available and the call must be routed +through an access tandem, which is responsible for routing calls to a variety +of different long distance carriers. + + ==================== + Switch Compatibility + ==================== + + Full-feature Equal Access will become available first for Western Electric +#1ESS switching systems. It will be available first in generic 1E8 (1AE8 for +#1A ESS). Later, generic 5E2 for #5ESS, generic 2B4 for #2B ESS, generic +BCS-16 for Northern Telecom DMS-100, and generics 209 and 302 for DMS-10 will +provide full-feature Equal Access capabilities in those types of end office +switching equipment. The Western Electric #4ESS, #1 and 1A ESS, #5ESS, and the +Northern Telecom DMS-200 machines which serve as toll offices or access tandems +will be capable of receiving the new Equal Access signalling format, after +required generic development. Other switches (such as all crossbar offices) + + Page 156 + + + + + The Official Phreaker's Manual + +will not be able to handle the new signalling format. + + ===== + LATAs + ===== + + LATAs, Local Access and Transport Areas, are the entire key to the +administration of Equal Access. They can be thought of as miniature area +codes. A telefone call can never cross a LATA boundary except on an inter-LATA +carrier. However, there are certain exceptions to this. For example, in the +state of Colorado, which consists of two LATAs, the local Bell Operating +Company (Mountain Bell), which serves as the intra-LATA (i.e., calls to/from +the same LATA) carrier, may also serve as inter-LATA (to/from different LATAs) +carrier within Colorado. + There are also exceptions in the corridor region of the New York/New +Jersey/Pennsylvania area. + The forty-eight continental United States consist of 161 LATAs. Some states, +such as Deleware, consist of only one LATA, while others, such as Illinois, can +have up to 14 or more. Each LATA is given a name. For instance, Pennsylvania +consists of six LATAs: Philadelphia, Capital, Northeast, Altoona, Pittsburgh, +and Erie (independent telco). + + ============== + A Few Thoughts + ============== + + In 1973, Chrysler, A&P, RCA, Phillips Petroleum, S.S. Kresge, Boeing +Aircraft, International Harvester, Woolworth's, Greyhound, Firestone, Litton, +and General Foods, among others, each reported annual profits of less than $150 +million. In that same year, the Telephone Company wrote off, as being +uncollectable, debts of $150 million. + In 1974, the Bell System had direct interests in at least 276 organizations, +many of them not related to the telefone industry. Bell also had interlocking +financial arrangements with such corporations as the Chase Manhattan Bank, IBM, +Prudential Insurance, Sears Roebuck, General Motors, U.S. Steel, and Lever +Brothers. Should the need have arisen, the Bell System in 1974 could have +exercised control of 400 billion dollars, fully one-third of that year's gross +national product. + +From: Hyde, J. Edward, The Phone Book. Henry Regnery Publishing Company, +Chicago Illinois, 1976. ISBN 0-8092-8008-6. + + There are many viewpoints as to the future course of the telefone industry. +The general consensus among most Telco employees is that the children of AT&T +(i.e., the seven regional holding companies into which the Bell System was +divided) will someday be reassembled into the original Bell System, and all +will be well and good in the world of telecommunications again. I tend to +disagree with this. I think that within three decades the entire telefone +industry will be consolidated and nationalized. It will be owned and operated +entirely by the United States Federal Government. This will accomplish several +goals of the government. First, the immense revenue from telefone services +will provide great financial resources for the federal government. Rates for +telefone services will skyrocket far out of the range of affordability, quality +of service will deteriorate to a point of unusability, and meanwhile +politicians will get rich. + Second, once the government controls the telefone system, monitoring the +general public will become infinitely easier. Big Brother will be able to keep +and eye, or rather, an ear on the general population, and giant step forward in + + Page 157 + + + + + The Official Phreaker's Manual + +ultimate government control of peoples' lives will be achieved. Most people +won't know anything about this, and even if they do, they won't give a shit +because by then the fucking government will have already invaded every +remaining private aspect of the individual's life. + To those who find it utterly unthinkable that the federal government would +ever assume control of the telefone industry, I would call attention to the +situation that existed between 1917 and 1919. During this time the government +controlled the phone system of the United States. J. Edward Hyde sums it up +beautifully: + + Between 1917 and 1919, the Federal Government did control the phone +industry. Since then, the most charitable historians have blamed the +subsequent mess on the First World War. Others blame it on the democrats. But +the fact is that it was a fiasco of the bureaucracy's own making, combined with +intracompany sabotage. + Today, in those countries where the phone service is nationally owned, the +service runs from poor to nonexistent. Would you want the government that gave +you the Russian wheat deals, Defense Department overruns, Amtrak, and the +Postal Service handling your phone problems? + +From: Hyde, J. Edward, The Phone Book. Henry Regnery Publishing Company, +Chicago, Illinois, 1976. ISBN 0-8092-8008-6, p. 170. + +Technical References: + +Notes on the BOC intra-LATA Networks. American Telephone & Telegraph Company, +1983. + +The Phone Book. J. Edward Hyde, 1976. + +Bell System Technical Journal. Volume 58, Number 5. + +Engineering and Operations in the Bell System. American Telephone & Telegraph +Company, 1983. + + +Acknowledgements: Karl Marx, Telenet Bob, and the scores of Telco employees +in Denver, White Plains, Omaha, and North Jersey who were very helpful in +patiently answering my many questions about Equal Access. + +Thanks to Mack the Knife for magnetic transfer of this illustrious file, a +tedious task for which I have no time. + +Thanks to the following printers for their cooperation and professional manner +in helping me with final production of this file: + +Kinko's Print Shop +7155 West Colfax +Lakewood, CO + +Office Products and Printing +5035 S. Kipling Suite B4 +Littleton, CO + +This has been a Mark Tabas Encounter Series production. Questions, comments, +and requests may be addressed to: + +Tabas + + Page 158 + + + + + The Official Phreaker's Manual + +P.O. Box 620401 +Littleton, CO 80162 + +Requests for copies of this or any other Encounter Series file are honored for +free, but please enclose a self-addressed medium sized first class mailing +envelope with 73 cents postage. + +Special thanks to Steve Reger, who was kind enough to shoot my neighbor's dog, +whose incessant barking constantly distracted me as I labored to complete this +file. + +(for Amy) cl/KIABB!/jd + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 159 + + + + + The Official Phreaker's Manual + + Equal Access and Modem Autodialers by Shadow 2600 + + Now that AT&T is being divested of its local telephone companies, phone +customers across the nation have to choose their long distance carrier as equal +access is phased in. Advertising campaigns emphasize such aspects as low rates +and operator assistance, but no one mentions a factor that will affect modem +users who use auto dialers for long distance calls. Not all of the alternate +long distance carriers provide called party answering supervision on all calls. +Called party answering supervision basically has the telephone company start +billing only when the called party answers the telephone. However, many of the +alternate long distance companies still operate with the "fixed timeout" basis +for charging. That is, if a call is held for a fixed length of time (usually +30 seconds) the charging starts, whether or not the call was answered. This +could cause modem owners large bills if they use autodialers to make long +distance calls. Modems are usually set up to wait up to one minute when +attempting to make a call, and thus have to timeout through busy signals, long +call setup sequences, extender waits, and similar problems. This could result +in many billed but never answered calls. + + Some of the other carriers provide it on calls to some cities, and others +not support it at all. Only AT&T Communications provides called party +answering supervision on all calls to all points at this time. It is almost +impossible to get information on how a long distance company charges its calls +as as they don't want to reveal how their billing is handled. The alternate +carriers get called party supervision when the destination location goes equal +access. However, there has been no quick action on the part of the alternate +long distance companies to make use of the supervision data as they would have +to get equipment for passing the information back to the billing computer at +the originating point. Thus called party answering supervision information +often ends up being ignored by these carriers even when available. Another +point to remember is that called party answering supervision's availability +depends on whether the destination has equal access, not the originating +location. The lower long distance rates of alternate long distance rates must +be weighed against the time out problem as it affects autodialing modems. One +way to circumvent this is merely to set your modem to a shorter +waiting-for-connect time, but this may not provide enough time for the call to +go through. [For more information on this and other telecommunications topics +call the Private Sector BBS at (201) 366- 4431] + + + + + + + + + + + + + + + + + + + + + + Page 160 + + + + + The Official Phreaker's Manual + +==Phrack Inc.== +Volume One, Issue Two, Phile #6 of 9 + + Toward Universal Information Services Via ISDN + ~~~~~~ ~~~~~~~~~ ~~~~~~~~~~~ ~~~~~~~~ ~~~ ~~~~ + by Taran King + + From PROTO newsletter of AT&T Bell Laboratories + ------------------------------------------------------------ +Phase one, the Present. +~~~~~ ~~~~ ~~~ ~~~~~~~~ + The local network of today, although still largely voice-oriented, is already +on the path to Universal Information Services. Lightguide fiber is +dramatically expanding the capacity of local networks, helping to lower the +costs and increase the demand for high-band width, Information Age services. +And public networks are increasingly digital and geared for data and special + services. For example: + +o The AT&T Network Systems 5ESS (TM ) switch, designed by Bell +Laboratories, can serve as the hub of a local deployment of remote modules at +locations up to 100 miles from a host central office. + +o The Integrated Special Services Network (ISSN) is a channel network that +provides special services, customer control options and digital private lines +rearrangeable under software control. The ISSN incorporates digital carrier +terminating equipment such as the D4 Channel Bank, D5 Digital Terminal System +and Digital Access and Cross-connect System (DACS). + +o The New Centrex is bringing greater levels of customer control, improved +services and a broad range of data capabilities to the business customer. + + Today's public networks consist of multiple or overlay networks. The public +switched network, or circuit network, mainly for voice, is the base network. +Two kinds of overlay networks provide special services. Channel networks carry +private lines leased by large customers and transmit much of today's data and +image traffic; they also handle traffic for network operations support. Packet +networks carry data communications, while packet switching is used internally +to public networks for common channel signaling to set up, route and take down +calls, or to give customers information. "Overlay networks help +telecommunications companies efficiently meet growing demand for digital +transmission and special services," says Stan Johnston, Market Planning +Manager, Network Systems Evolution, in AT&T Network Systems. "Their integration +into a single network, however, would be still more effective." + +Phase two, the Integrated Services Digital Network (ISDN). +~~~~~ ~~~~ ~~~ ~~~~~~~~~~ ~~~~~~~~ ~~~~~~~ ~~~~~~~ ~~~~~~~ + The ISDN is a concept to which AT&T is committed - and it's the foundation +for Universal Information Services. The central idea of ISDN, as AT&T Network +Systems sees it, is to provide an individual user a link to the local central +office of generous band-width - a digital subscriber line that can carry +144,000 bits per second (sure beats 2400 baud!). The band-width is subdivided +into two 64,000-bit channels, which may carry voice or data or both, and one +16,000-bit channel for packetized signaling information or data transport. +Such a link provides convenient "integrated" network access by accommodating +voice, data and signaling over a single line. + The ISDN will make it easier for a customer to get varied services from +public and private networks. More bandwidth for big customers will be +available through another ISDN access standard, the extended digital subscriber + + Page 161 + + + + + The Official Phreaker's Manual + +line, which provides 1.5 billion bits per second as 24 channels of 64,000 bits +each. + In 1986, new software from Bell Labs will enable the 5ESS switch to +accommodate ISDN-sized 144,000-bit channels that standardize and simplify +subscribers' use of local networks. AT&T is committed to future products that +will also be ISDN-compatible. Other vendors, too, some of whom already plan to +build premises, terminal, and other equipment to ISDN standards, will make ISDN +a cooperative effort. + By providing integrated digital access to networks, ISDN will make important +progress toward the goal of Universal Information Services. But overlay +networks will continue to divvy up the transport job. And messages needing +less than 144,000 bits per second will not fill their allotted bandwidth, +leaving capacity under utilized. + +Phase three, Universal Information Services. +~~~~~ ~~~~~~ ~~~~~~~~~ ~~~~~~~~~~~ ~~~~~~~~~ + Rooted in the fertile ground of 5ESS switches, ISDN equipment and +technologies such as wideband packet transport, Universal Information Services +will bear fruit during the 1990s. From a single kind of network will hang +services as different as apples, oranges and pears. Just as network access was +integrated in ISDN, transport functions will increasingly be integrated by +powerful new network equipment evolved from equipment developed for the ISDN. +Where customers once got standard-sized ISDN channels, they'll get big +bandwidth for large jobs, little bandwidth for small jobs. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 162 + + + + + The Official Phreaker's Manual + + TOWARD UNIVERSAL INFORMATION SERVICES VIA ISDN + +Phase one, the present. The local network of today, although still largely +voice oriented, is already on the path to Universal Information Services. +Lightguide fiber is dramatically expanding the capacity of local networks, +helping to lower the costs and increase the demand for high-bandwidth, +Information Age services. And public networks are increasingly digital and +geared for data and special services. For example: + + * The AT&T Network Systems 5ESS switch, designed by Bell Laboratories, can +serve as the hub of a local digital network through deployment of remote +modules at locations up to 100 miles from a host central office. + + * The Integrated Special Services Network (ISSN) is a channel networks that +provides special services, customer control options and digital private lines +rearrangeable under software control. The ISSN incorporates digital carrier +terminating equipment such as the D4 Channel Bank, D5 Digital Terminal System +and Digital Access and Cross-connect Systems (DACS). + + * The New Centrex is bringing greater levels of customer control, improved +services and a broad range of data capabilities to the business customer. + + Todays public networks consist of multiple or overlay networks. The public +switched network, or circuit network, is the base network. Two kinds of +overlay networks provide special services. Channel networks carry private +lines leased by large customers and transmit much of today's data and image +traffic; they also handle traffic for network operations support. Packet +networks carry data communications, while packet switching is used internal to +public networks for common channel signaling to set up, route and take down +calls, or to give customers information. + "Overlay networks help telecommunications companies efficiently meet growing +demand for digital transmission and special services," says Stan Johnston, +Market Planning Manager, Network Systems Evolution, in AT&T Network Systems. +"Their integration into a signal network, however, would be still +more effective." + Phase two, the Integrated Services Digital Network (ISDN). The ISDN is a +concept to which AT&T is commited--and it's the foundation for Universal +Information Services. The central idea of ISDN, as AT&T Network Systems sees +it, is to provide an individual user a link to the local central office of +generous bandwidth--a digital subscriber line that can carry 144,000 bits per +second. The bandwidth is subdivided into two 64,000-bit channels, which may +carry voice or data or both, and one 16,000-bit channel for packetized +signaling information or data transport. Such a link provides convenient +"integrated" network access by accommodating voice, data and signaling over a +single line. + The ISDN will make it easier for a customer to get varied services from +public and private networks. More bandwidth for big customers will be +available through another ISDN access standard, the extended digital subscriber +line, which provides 1.5 million bit per second as 24 channels of 64,000 bits +each. + In 1986, new software from Bell Labs will enable the 5ESS switch to +accommodate ISDN-sized 144,000-bit channels that standardize and simplify +subscribers' use of local networks. AT&T is committed to future products that +will also be ISDN-compatible. Other vendors, too, some of whom already plan to +build premises, terminal and other equipment to ISDN standards, will make ISDN +a cooperative effort. + By providing integrated digital access to networks, ISDN will make +important progress toward the goal of Universal Information Services. But + + Page 163 + + + + + The Official Phreaker's Manual + +overlay networks will continue to divvy up the transport job. And messages +needing less than 144,000 bits per second will not fill their allotted +bandwidth, leaving capacity underutilized. + Phase three, Universal Information Services. Rooted in the fertile ground +of 5ESS switches, ISDN equipment and technologies such as wideband packet +transport, Universal Information Services will bear fruit during the 1990s. +From a single kind of network will hang services as different as apples, +oranges and pears. Just as network access was integrated in ISDN, transport +functions will increasingly be integrated by powerful new equipment evolved +from equipment developed for the ISDN. Where customers once got standard- +sized ISDN channels, they'll get big bandwidth for large jobs, little bandwidth +for small jobs. + +*** retyped from PROTO, AT&T Bell Laboratories report to executives on new +technologies, without written permission from the editors. (heh, heh.) + +Subscriptions: $15.00 per year, published bi-monthly. Send check payable to +"Bell Laboratories PROTO," to PROTO Circulation Manager, Room 3E-230, 150 John +F. Kennedy Parkway, Short Hills, N.J. 07078. + +:LIQUID:CRYSTAL: +wisdom is safety + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 164 + + + + + The Official Phreaker's Manual + +==Phrack Inc.== +Volume One, Issue Two, Phile #7 of 9 + + @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ + @ @ + @ _ _ _______ @ + @ | \/ | / _____/ @ + @ |_||_|etal / /hop @ + @ __________/ / @ + @ /___________/ @ + @ Headquarters of Phrack Newsletter @ + @ (314) 432-0756 @ + @ Proudly Presents @ + @ MCI Overview @ + @ Written on 11/16/85 @ + @ by @ + @ @ + @ Knight Lightning & Taran King @ + @ @ + @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ + +MCI Communications Corporation, headquartered in Washington, D.C., provides a +full range of domestic and international telecommunications services, including +voice and data, telex and cable, paging and mobile telephone, and time +sensitive message delivery. + +Since its founding in 1968, MCI has grown to more than $1.6 billion in annual +sales and serves more than 1.9 million business, residential and government +customers through its four major business units: + +MCI Telecommunications + +MCI Airsignal + +MCI International + +MCI Digital Information Services + + +MCI TELECOMMUNICATIONS + + MCI Telecommunications provides domestic interstate long distance service +throughout all 50 states, plus Puerto Rico, the U.S. Virgin Islands, and major +calling areas of Canada. It is also authorized to provide varying degrees of +intrastate long distance service in some states. + +MCI also is the first long distance carrier other than AT&T to offer direct +dial service overseas. International telephone service is available to all +residential and commercial customers (with the exception of Private Line +customers). In October, 1984 the first international service agreements were +announced with the following countries: Argentina, Belgium, Brazil, East +Germany, Greece, United Arab Emirates, and the United Kingdom. + +Total capital investment in MCI's long distance network is approximately $2 +billion. MCI's network, the second largest in the U.S., employs microwave +optical fiber, satellite and various digital transmission technologies. + +Subscribers - Domestic Long Distance (as of 10/84) + + Page 165 + + + + + The Official Phreaker's Manual + +----------- ---------------------- +Residential 1.4 million +Commercial .3 million + Total 1.7 million + +Operations - (as of 10/84) +Network Miles...20,543 (microwave, optical fiber, satellite) +Circuits.......238,000 +Employees........9,500 (full-time, approx.) + +MCI AIRSIGNAL + +MCI Airsignal provides personal message delivery and car telephone services. +MCI Message Service is offered in more than 50 metropolitan areas. In 1984, +service will commence in New York City, Baltimore-Washington, Los Angeles, and +Chicago. MCI car telephone service is offered in 20 markets. + +Personal Message Delivery Service + +ALPHANUMERIC MESSAGE SERVICE + +Displays up to 40-character message using letters and/or numbers. Memory and +recall ability. Alerts subscriber with a silent visual alert or a soft tone. + +DISPLAY MESSAGE SERVICE + +Displays up to 24-digit message (e.g., phone number, stock quotes, sales +figures, coded messages). Memory and recall capability. Alerts customer to +message with a silent visual alert or a soft tone. + +TONE MESSAGE SERVICE + +Notifies customer of a message with a soft tone. + +VOICE MESSAGE SERVICE + +Receives message in actual voice of caller. + +EXPRESS MESSAGE SERVICE + +Receives and stores messages. Instantly alerts subscriber via pager when a +message is received. + +Car Telephone Service + +Enables customers to place calls to or receive calls from anywhere in the +world, 24 hours a day, as they travel in their cars. With the advent of new +cellular technology, both the quality and the accessibility of car telephone +service will vastly improve. + +MCI has thus far obtained franchises to operate a new kind of mobile phone +service, cellular telephone, in Minneapolis and Pittsburgh, and has received +favorable decisions from FCC administration law judges authorizing service in +Los Angeles, Denver-Boulder, and Kansas City. MCI has applied for licenses to +provide cellular service in 81 metropolitan areas. + +MCI Airsignal Branch Sales Offices + + + Page 166 + + + + + The Official Phreaker's Manual + +Personal Message Service/Conventional Mobile Phone Service + +Birmingham (205) 942-2924 +Sacramento (916) 444-2350 +Memphis (901) 682-9658 +Cleveland (216) 464-7311 +Dallas (214) 788-5111 +Fresno (209) 486-7410 +Las Vegas (702) 382-7461 +Denver (303) 778-7878 +Portland (503) 227-2556 +Philadelphia (215) 677-9845 +Atlanta (404) 252-2114 +West Florida (813) 875-3404 +Minneapolis (612) 544-8175 +Kansas City (913) 648-8090 +Miami (305) 491-0122 +Pittsburgh (412) 343-1611 +Houston (713) 464-2516 +Bakersfield (805) 832-2346 + +Cellular Telephone Offices + + Minneapolis-St. Paul (612) 544-3312 + Los Angeles (714) 527-0385 + Elsewhere in California (800) 344-3455 + Headquarters - Washington, D.C. (202) 429-9660 + + +MCI INTERNATIONAL + +MCI International provides private-line voice service to several overseas +countries, and data and message services, including telex, cablegram, leased +channel, and packet switching communications, to more than 200 overseas points. +MCI has moved into two new areas of service: International direct-dial +telephone service and international electronic mail and hard-copy delivery +services. + +International Record Services + +TELEX SERVICE (domestic and international) permits instantaneous, two-way, +written communications with other subscribers worldwide. Customers can send +messages at any time, even though the receiving terminal may be unattended. MCI +International offers access to its telex service from a variety of terminals +and networks; not only subscribers with telex terminals but also those with +communicating word processors, data terminals or computers that communicate +over telephone lines can take advantage of MCI International telex service. To +subscribers connected to its own telex network, MCI International offers World +Message Services--a package of communications offerings including telex, +cablegram and MCI Mail services. Various service enhancements are available to +save time, improve operating efficiency and simplify records keeping for telex +users. + +CABLEGRAM SERVICE, the traditional means of international written +communications, offers flexibility in delivery and economical rates for shorter +messages. Cablegrams can be delivered to virtually any overseas +point.Subscribers with telex terminals or various other types of equipment can +access and TELUS cablegram switch and take advantage of such service + + Page 167 + + + + + The Official Phreaker's Manual + +enhancements as abbreviated addressing and departmental billing. + +LEASED +CHANNEL SERVICE provides an exclusive line between a U.S. firm and it's +overseas office for private communications 24 hours a day. Each MCI +International leased channel is tailored to meet the needs of a specific +customer for teleprinter, facsimile, voice and/or data traffic. For subscribers +with several offices requiring private communications with each other, MCI +International offers a versatile message-switching service. Voice/data leases +can be configured to meet a whole array of communicating needs; for example, +one channel might carry data traffic from a computer at night, voice +communications during office hours, and simultaneous teleprinter messages at +any time. Data channels can handle requirements for traffic at any speed from +1200 bits per second to 1.544 megabits per second. + +IMPACS SERVICE uses packet-switching technology to provide international +communications service between data terminals and computers. Impacs offers +on-line, real-time connections and enables many types of incompatible systems +to communicate. Impacs service offers virtually error-free transmission +because of the error-detection and retransmission capability of the network. + +INSTALINK SERVICE allows businesses overseas to use regular telex equipment to +access remote computing systems and databases in the U.S. Subscribers can +retrieve data from a computer-based information service or use a computing +system connecting to a packet-switching network in the U.S. + +INTERNATIONAL +FACSIMILE SERVICE enables subscribers to send duplicates of original documents +overseas quickly and efficiently, even when neither the sender or the receiver +has facsimile transmission equipment, or when the sender and receiver have +incompatible equipment. + +DATEL SERVICE provides automatic or voice-coordinated data transmission at +speeds up to 2400 bits per second. Either digital or analog facsimile traffic +can be transmitted via Datel. Datel facilities are conditioned to ensure +high-quality transmission. The MCI International switching center allows +communications between incompatible terminals. + +MARITIME SERVICES provide instant, high--quality contact between ships at sea +or offshore rigs, and between these vessels and land-based subscribers +worldwide. + +International Voice Services + +PRIVATE +LINE SERVICE provides, fast, easy access to a single overseas location at an +economical monthly rate. This technically efficient system maximizes the use +of line capacity by recognizing idle time and assigning a speaker to a +transmission path only when the path is needed. Users can dial a four-digit +extension from a regular business phone to reach a key overseas location. + +International Mail Services + +WORLD +MESSAGE SERVICE subscribers can access the domestic electronic mail and +hard-copy delivery offerings of MCI Mail. In addition, MCI International is +developing fast, low-cost services that will deliver electronic messages and +high-quality printed documents worldwide. + + Page 168 + + + + + The Official Phreaker's Manual + + +Customer Service + +THE CUSTOMER TROUBLE REPORTING ASSISTANCE CENTER at MCI International addresses +customer concerns such as equipment maintenance and service performance +questions. Customer service specialists, on duty 24 hours a day on business +days, answer questions and electronically route service requests to technicians +nationwide. + +MCI DIGITAL INFORMATION SERVICES CORP. + +MCI Digital Information Services, MCI's newest unit, provides high-speed, +low-cost, time-sensitive message delivery (MCI Mail), either electronically or +via hard copy. + +MCI Mail provides time-sensitive document delivery to anyone, anywhere vial +MCI's long-distance telephone network. MCI Mail can reach a recipient +instantly, in four hours or less, or overnight by noon the next day. Prices +are as much as 90 percent lower than comparable time-sensitive mail delivery +services. MCI Mail can be delivered electronically, terminal to terminal, or +laser printed on letterhead stationery with the customer's signature. + +MCI Mail customers can even order gifts and services direct through MCI Mail, +ranging from software and paper for personal computers to investment advisory +services to travel specials. + +There are no sign-up, monthly service charges or "connect time" charges for MCI +Mail. MCI Mail can be used by virtually any personal computer, word processor, +electronic typewriter, data terminal, telex, or other digital communications +device. The service is accessed by a local telephone call or 800 number. + +MCI Mail + +INSTANT delivery to an "electronic" mailbox. + +FOUR-HOUR paper delivery by courier to 17 major metropolitan areas regardless +of point of origin. + +OVERNIGHT paper delivery by courier by noon the next day in 20,000 continental +U.S. cities. + +MCI LETTER transmitted electronically to the MCI digital postal center nearest +its destination, then delivered locally by the U.S. Postal Service. + +TELEX DISPATCH enables MCI Mail subscribers to transmit messages to the more +than 1.6 million telex subscribers worldwide. + +VOLUME MAIL enables customers to send large mailings in a variety of letter +formats, at substantial savings in delivery time and expense. + + ============================================================ + Look for more MCI Files coming to Metal Shop soon! + + This has been a Knight Lightning Presentation + ============================================================ + + + + + Page 169 + + + + + The Official Phreaker's Manual + + Reference Tables + + Just some notes that you will always try to find but can never! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 170 + + + + + The Official Phreaker's Manual + +==Phrack Inc.== +Volume One, Issue One, Phile #5 of 8 + + Using MCI Calling Cards + by + Knight Lightning + of the + 2600 Club! + +How to dial international calls on MCI: + + "Its easy to use MCI for international calling." + +1. Dial your MCI access number and authorization code (code = 14 digit number, +however the first 10 digits are the card holders NPA+PRE+SUFF). + +2. Dial 011 + +3. Dial the country code + +4. Dial the city code and the PRE+SUFF that you want. + +Countries served by MCI: + +Country code|Country code +-------------------------------------|-------------------------------- +Algeria..........................213 |New Zealand..................064 +Argentina........................054 |Northern Ireland.............044 +Australia........................061 |Oman.........................968 +Belgium..........................032 |Papua New Guinea.............675 +Brazil...........................055 |Qatar........................974 +Canada................Use Area Codes |Saudi Arabia.................966 +Cyprus...........................357 |Scotland.....................044 +Denmark..........................045 |Senegal......................221 +Egypt............................020 |South Africa.................027 +England..........................044 |Sri Lanka....................094 +German Democratic Republic |Sweden.......................046 +(East Germany)...................037 |Taiwan.......................886 +Greece...........................030 |Tanzania.....................255 +Jordan...........................962 |Tunisa.......................216 +Kenya............................254 |United Arab Emirates.........971 +Kuwait...........................965 |Wales........................044 +Malawi...........................265 | +====================================================================== + +Thats 33 countries in all. To get the extender for these calls dial 950-1022 or +1-800-624-1022. + +For local calling: + +1. Dial 950-10222 or 1-800-624-1022 + +2. Wait for tone + +3. Dial "0", the area code, the phone number, and the 14 digit authorization +code. You will hear 2 more tones that let you know you are connected. + + - Knight Lightning --> The 2600 Club! + + Page 171 + + + + + The Official Phreaker's Manual + +===================================================================== + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 172 + + + + + The Official Phreaker's Manual + + AT&T INTERNATIONAL DIALING COUNTRY CODES AS OF 2-17-85 + + FILE BY: Lock Lifter + +=========================+ + +*UNITED KINGDOM/IRELAND +------------------------------------ +IRELAND.........................353 +UNITED KINGDOM...................44 + +*EUROPE +------------------------------------ +ANDORRA..........................33 +AUSTRIA..........................43 +BELGIUM..........................32 +CYPRUS..........................357 +CZECHOLSLOVAKIA..................42 +DENMARK..........................45 +FINLAND.........................358 +FRANCE...........................33 +GERMAN DEMOCRATIC REPUBLIC.......37 +GERMANY, FEDERAL REPUBLIC OF.....49 +GIBRALTAR.......................350 +GREECE...........................30 +HUNGARY..........................36 +ICELAND.........................354 +ITALY............................39 +LIECHTENSTEIN....................41 +LUXEMBOURG......................352 +MONACO...........................33 +NETHERLANDS......................31 +NORWAY...........................47 +POLAND...........................48 +PORTUGAL........................351 +ROMANIA..........................40 +SAN MARINO.......................39 +SPAIN............................34 +SWEDEN...........................46 +SWITZERLAND......................41 +TURKEY...........................90 +VATICAN CITY.....................39 +YUGOSLAVIA.......................38 + +*CENTRAL AMERICA +------------------------------------ +BELIZE..........................501 +COSTA RICA......................506 +EL SALVADOR.....................503 +GUATEMALA.......................502 +HONDURAS........................504 +NICARAGUA.......................505 +PANAMA..........................507 + +*AFRICA +------------------------------------ +ALGERIA.........................213 +CAMEROON........................237 +EGYPT............................20 + + Page 173 + + + + + The Official Phreaker's Manual + +ETHIOPIA........................251 +GABON...........................241 +IVORY COAST.....................225 +KENYA...........................254 +LESOTHO.........................266 +LIBERIA.........................231 +LIBYA...........................218 +MALAWI..........................265 +MOROCCO.........................212 +NAMIBIA.........................264 +NIGERIA.........................234 +SENEGAL.........................221 +SOUTH AFRICA.....................27 +SWAZILAND.......................268 +TANZANIA........................255 +TUNISIA.........................216 +UGANDA..........................256 +ZAMBIA..........................260 +ZIMBABWE........................263 + +*PACIFIC +------------------------------------ +AMERICAN SAMOA..................684 +AUSTRAILIA.......................61 +BRUNEI..........................673 +FIJI............................679 +FRENCH POLYNESIA................689 +GUAM............................671 +HONG KONG.......................852 +INDONESIA........................62 +JAPAN............................81 +KOREA, REPUBLIC OF...............82 +MALAYSIA.........................60 +NEW CALEDONIA...................687 +NEW ZEALAND......................64 +PAPUA NEW GUINEA................675 +PHILIPPINES......................63 +SAIPAN..........................670 +SINGAPORE........................65 +TAIWAN..........................886 +THAILAND.........................66 + +*INDIAN OCEAN +------------------------------------ +PAKISTAN.........................92 +SRI LANKA........................94 + +*SOUTH AMERICA +------------------------------------ +ARGENTINA........................54 +BOLIVIA.........................591 +BRAZIL...........................55 +CHILE............................56 +COLOMBIA.........................57 +ECUADOR.........................593 +GUYANA..........................592 +PARAGUAY........................595 +PERU.............................51 + + Page 174 + + + + + The Official Phreaker's Manual + +SURINAME........................597 +URUGUAY.........................598 +VENEZUELA........................58 + +*NEAR EAST +------------------------------------ +BAHRAIN.........................973 +IRAN.............................98 +IRAQ............................964 +ISRAEL..........................972 +JORDAN..........................962 +KUWAIT..........................965 +OMAN............................968 +QATAR...........................974 +SAUDI ARABIA....................966 +UNITED ARAB EMIRATES............971 +YEMEN ARAB REPUBLIC.............967 + +*CARIBBEAN/ATLANTIC +------------------------------------ +FRENCH ANTILLES.................596 +GUANTANAMO BAY (US NAVY BASE)....53 +HAITI...........................509 +NETHERLANDS ANTILLES............599 +ST. PIERRE AND MIQUELON.........508 + +*INDIA +------------------------------------ +INDIA............................91 + +*CANADA +------------------------------------ +TO CALL CANADA, DIAL 1 + AREA CODE + +LOCAL NUMBER. + +*MEXICO +------------------------------------ +TO CALL MEXICO, DIAL 011 + 52 + CITY CODE+ LOCAL NUMBER. + +***NOTES :DO NOT FORGET ABOUT THE TIME DIFFERENCE WHEN CALLING OUTSIDE OF YOUR +TIME ZONE. CALLING CARDS CAN BE USED OVER SEAS TO CALL BACK INTO THE U.S. FOR +FURTHER INFORMATION CALL TOLL-FREE 1-800-874-0000. DIAL '#' AFTER THE COMPLETE +NUMBER TO MAKE THE CALL GO THROUGH FASTER. + + + + + + + + + + + + + + + + + Page 175 + + + + + The Official Phreaker's Manual + + ************************************** + * * + * International Dialing Codes * + * Country + Routing * + * * + * (Typed by The Dagda Mor) * + * (Edited by The Jammer) * + * * + ************************************** + +To dial international calls: + +International Access Code + Country code + Routing code + +Example : + +To call Frankfurt, Germany, you would do the following: + +011 + 49 + 611 + (# wanted) + # sign(octothrope) + +The # sign at the end is to tell Bell that you are done entering in all the +needed info. + +Here is the list of Country Codes, listed next to the country, and the routing +codes listed next to the city. + +Andorra- 33 Argentina- 54 +------- --------- +all points- 078 Buenos Aires- 1 + + +Australia- 61 Austria- 43 +--------- ------- +Melbourne- 3 Innsbruck- 5222 +Sydney- 2 Vienna- 222 + + +Bahrain- 973 Belgium- 32 +------- ------- +no routing needed Antwerp- 31 + Brussels- 2 + + +Belize- 501 Bolivia- 591 +------ ------- +no routing needed La Paz- 2 + + +Brazil- 591 Chile- 56 +------ ----- +Brasilia-61 Santiago- 2 +Rio de Janeiro- 21 Valparaiso- 31 +Sao Paulo- 11 + + +China- 86 Colombia- 56 +----- -------- +Tainan- 62 none needed + + Page 176 + + + + + The Official Phreaker's Manual + +Taipei- 2 + + +Costa Rica- 506 Cyprus- 357 +----- ---- ------ +no routing needed Nicosia- 21 + + +Denmark- 45 Ecuador- 593 +------- ------- +Aalborg- 8 Cuenca- 4 +Copenhagen 1 or 2 Quito- 2 + + +El Salvador- 503 Fiji- 679 +---------- ---- +no routing needed none needed + + +France- 33 Germany- 49 +------ ------- +Bordeaux- 56 Berlin- 30 +Marseille- 91 Bonn- 228 +Nice- 93 Frankfurt- 661 +Paris- 1 Munich- 89 + + +German. Rep- 37 Greece- 30 +------- --- ------ +Berlin- 2 Athens- 1 + Rhodes- 241 + + +Guam- 671 Guatamala- 502 +---- --------- +no routing needed Guatemala City- 2 + + +Guyana- 592 Haiti- 509 +------ ----- +Georgetown- 02 Port Au Prince- 1 + + +Hoduras- 504 Hong Kong- 852 +------- ---- ---- +no routing needed Hong Kong- 5 + Kowloon- 3 + + +Indonesia- 62 Iran- 98 +--------- ---- +Jakarta- 21 Teheran- 21 + + +Iraq- 964 Ireland- 353 +---- ------- +Baghdad- 1 Dublin- 1 + Galway- 91 + + Page 177 + + + + + The Official Phreaker's Manual + + + +Israel- 978 Italy- 39 +------ ----- +Haifa- 4 Florence- 55 +Jerusalem- 2 Naples- 81 +Tel Aviv- 3 Rome- 6 + Venice- 41 + + +Ivory Coast- 225 Japan- 81 +----- ----- ----- +no routing needed Hiroshima- 822 + Tokyo- 3 + Yokohama- 45 + + +Kenya- 254 Korea- 82 +----- ----- +Nairobi- 2 Pusan- 51 + Seoul- 2 + + +Kuwait- 965 Liberia- 231 +------ ------- +no routing needed none needed + + +Libya- 218 Lechtenstein- 4 +----- ------------ +Tripoli- 21 All points- 75 + + +Luxembourg- 352 Malaysia- 60 +---------- -------- +no routing needed Kuala Lumpur- 3 + + +Monaco- 33 Netherlands- 31 +------ ----------- +All points- 93 Amsterdam- 20 + Rotterdam- 10 + The Hague- 70 + + +New Caledonia- 687 New Zealand- 64 +--- --------- --- ------- +no routing needed Auckland- 9 + Wellinton- 4 + + +Nicaragua- 505 Nigeria- 234 +--------- ------- +Managua- 2 Lagos- 1 + + +Norway- 47 Panama- 507 +------ ------ + + Page 178 + + + + + The Official Phreaker's Manual + +Bergen- 5 none needed +Oslo- 2 + + +Papua New Guinea-675 Paraguay- 595 +----- --- ------ -------- +no routing needed Asuncion- 21 + + +Peru- 51 Phillippines- 63 +---- ------------ +Arequipa- 542 Manila- 2 +Lima- 14 + +Portugal- 351 Romania- 40 +-------- ------- +Lisbon- 19 Bucuresti- 0 + + +San Marino- 39 Saudi Arabia- 966 +--- ------ ----- ------ +All points- 541 Riyadh- 1 + + +Senegal- 221 South Africa- 27 +------- ----- ------ +no routing needed Cape Town- 21 + Pretoria- 12 + + +Spain- 34 Sri Lanka- 94 +----- --- ----- +Barcelona- 3 Colombo- 1 +Canary Is.- 28 +Madrid- 1 +Seville- 54 + + +Suriname- 597 Sweden- 46 +-------- ------ +no routing needed Goteborg- 31 + Stockholm- 8 + + +Switzerland- 41 Tahiti- 689 +----------- ------ +Berne- 31 none needed +Geneva- 22 +Lucerne- 41 +Zurich- 1 + + +Thailand- 66 Tunisia- 216 +-------- ------- +Bangkok- 2 Tunis- 1 + + +Turkey- 90 United Arab + + Page 179 + + + + + The Official Phreaker's Manual + +------ Emirates- 971 +Istanbul- 11 -------- + Abu Dhabi- 2 + Ajman- 6 + Al Ain- 3 + Aweir- 49 + Dubai- 4 + Fujairah- 91 + Jebel Dhana- 5 + Sharjah- 6 + Umm-Al-Quwain- 6 + + +United Kingdom- 44 USSR- 7 +------ ------- ---- +Belfast- 232 Kiev- 044 +Cardiff- 222 Leningrad- 812 +Edinburgh- 31 Minsk- 017 +Glasgow- 41 Moscow- 095 +Liverpool- 51 Tallinn- 0142 +London- 1 + +Vatican City- 39 Venezuela- 58 +------- ---- --------- +All points- 6 Caracas- 2 + Maracaibo- 61 + +Yugoslavia- 38 +---------- +Belgrade- 11 +Zagreb- 41 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 180 + + + + + The Official Phreaker's Manual + + ************************************** + * * + * MAX ACCESS PORTS * + * * + * (LEXITEL CORPORATION) * + * * + * WORD PROCESSED BY THE DAGDA MOR * + * * + ************************************** + +ADRIAN,MI............313-263-0191 LIVONIA, MI..........313-261-6970 +AKRON,OH.............216-275-9814 LOS ANGELES, CA......213-624-9041 +ANN ARBOR, MI........313-451-2121 LOUISVILLE, KY.......502-568-6204 +ATLANTA, GA..........404-525-1769 MARION, OH...........614-387-1011 +AVON LAKE, OH........216-933-2823 MCKEESPORT, PA.......412-664-4870 +BADEN, PA............412-869-1360 MENTOR, OH...........216-255-1645 +BALTIMORE, MD........301-444-7280 MIDDLETOWN, OH.......513-423-1066 +BEAVER FALLS, PA.....412-847-3640 MILWAUKEE, WI........414-933-1880 +BIRMINGHAM, MI.......313-649-0730 MINNEAPOLIS, MN......612-375-0280 +BOSTON, MA...........617-267-9134 MONESSEN, PA.........412-684-8710 +BUFFALO, NY..........716-854-0802 MORTON GROVE,IL......312-950-1066 +BUTLER, PA...........412-285-9081 NEWARK, NJ...........201-624-5040 +CANTON, OH...........216-455-1425 NEWARK, OH...........614-349-8754 +CHICAGO, IL..........312-950-1066 NEW CASTLE, PA.......412-656-9420 +CHILLICOTHE, OH......614-772-1066 NEW YORK, NY.........212-950-1066 +CINCINNATI, OH.......513-421-1880 OAK LAWN, IL.........312-950-1066 +CLEVELAND, OH........216-771-6614 PHILADELPHIA, PA.....215-751-9711 +COLUMBUS, OH.........614-950-1066 PITTSBURG, PA........412-391-9532 +DALLAS, TX...........214-653-1047 PLYMOUTH, MI.........313-451-2121 +DAYTON, OH...........513-223-0366 PONTIAC, MI..........313-332-0500 +DETROIT, MI..........313-950-1066 PORT HURON, MI.......313-982-7115 +ELK GROVE, IL........312-950-1066 PHOENIX, AZ..........602-242-0252 +ELYRIA, OH...........419-323-4431 QUEENS, NY...........718-204-7330 +FINDLAY, OH..........419-424-5934 SANDUSKY, OH.........419-625-1289 +GLEENSHAW, PA........412-486-7394 SHARON, PA...........412-983-0100 +GRAND RAPIDS, MI.....616-456-7925 SPRINGFIELD, OH......513-950-1066 +GREENSBURG, PA.......412-836-8110 STEUBENVILLE, OH.....614-283-1756 +HACKENSACK, NJ.......201-342-2815 ST. LOUIS, MO........314-289-9100 +HOUSTON, TX..........713-224-0982 ST. PAUL, WI.........612-375-0280 +INDIANA, PA..........412-349-8760 TOLEDO, OH...........419-255-1316 +INDIANAPOLIS, IN.....317-638-4442 TROY, OH.............513-335-2303 +KALAMAZOO, MI........616-342-0266 TURTLE CREEK, PA.....412-823-1500 +KANSAS CITY, MO......816-474-6193 WASHINGTON, DC.......202-479-4411 +KOKOMO, IN...........317-453-9932 WASHINGTON, PA.......412-225-1800 +LA GRANGE, IL........312-950-1066 WARREN, MI...........313-268-9120 +LANCASTER, OH........614-687-0159 XENIA, OH............513-376-2991 +LANSING, MI..........517-950-1066 YOUNGSTOWN, OH.......216-746-2021 +LAFAYETTE, IN........317-423-5492 ZANESVILLE, OH.......614-454-6815 + + + + + + + + + + + + Page 181 + + + + + The Official Phreaker's Manual + + ******************** METROFONE ACCESS NUMBERS ******************** + +ANAHEIM, CA (714)527-7055 LOS ANGELES, CA (213)992-8282 +ATLANTA, GA (404)223-1000 LOS ANGELES, CA (213)202-6117 +AUSTIN, TX (512)474-6057 MIAMI, FL (305)326-3300 +BALTIMORE, MD (301)659-7700 MILWAUKEE, WI (414)277-1805 +BEAUMONT, TX (713)833-9331 MINNEAPOLIS, MN (612)370-9000 +BOSTON, MA (617)482-3222 NEW ORLEANS, LA (504)566-8500 +BUFFALO, NY (716)852-9200 NEW YORK, NY (212)732-7430 +CHICAGO, IL (312)853-4700 NEWARK, NJ (201)645-9220 +CINCINNATI, OH (513)241-1747 OAKLAND, CA (415)836-6900 +CLEVELAND, OH (216)861-5163 OKLAHOMA CITY, OK (405)232-9011 +COLUMBUS, OH (614)224-0577 OMAHA, NE (402)422-1120 +CULVER CITY, CA (213)410-0078 PHILADELPHIA, PA (215)351-0100 +DALLAS, TX (214)742-4500 PITTSBURGH, PA (412)261-5720 +DAYTON, OH (513)228-1576 RENO, NV (702)329-1025 +DENVER, CO (303)623-5326 RICHMOND, VA (804)225-1920 +DETROIT, MI (313)963-4847 ST. LOUIS, MO (314)342-1130 +EL MONTE, CA (213)350-1028 SACRAMENTO, CA (916)443-6921 +ELK GROVE, IL (312)981-8870 SAN ANTONIO, TX (512)224-9600 +FT. LAUDERDALE, FL (305)462-3530 SAN DIEGO, CA (714)233-0327 +FT. WORTH, TX (817)338-1639 SAN FRANCISCO, CA (415)956-0162 +HACKENSACK, NJ (201)487-3155 SAN JOSE, CA (408)947-7606 +HARTFORD, CT (203)522-0003 SAN MATEO, CA (415)579-6001 +HAWTHORNE, NJ (201)427-1100 SANTA ANA, CA (714)972-9515 +HINSDALE, IL (312)986-0566 SEATTLE, WA (206)382-0910 +HOUSTON, TX (713)224-9417 SKOKIE, IL (312)679-8120 +HUNTINGTON BEACH, CA (714)972-8515 SYRACUSE, NY (315)474-3911 +INDIANAPOLIS, IN (317)635-6284 TOLEDO, OH (419)243-1046 +KANSAS CITY, KS (913)621-3186 WASHINGTON, DC (202)737-2051 +LONG ISLAND, NY (516)443-5402 +LOS ANGELES, CA (213)629-1026 + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 182 + + + + + The Official Phreaker's Manual + + Area Codes In Numerical Order, by The Jammer +______________________________________________________________________ + +201 Newark New Jersey 519 London Ontario +202 Washington D.C (all) 601 Mississippi (all) +203 Connecticut (all) 602 Arizona (all) +205 Alabama (all) 603 New Hampshire (all) +206 Seattle Washington 605 South Dakota (all) +207 Maine (all) 606 Winchester Kentucky +208 Idaho (all) 607 Binghamton New York +212 Bronx Nyc, New York 608 Madison Wisconsin +212 Manhattan Nyc, New York 609 Trenton New Jersey +213 Los Angeles California 612 St. Paul Minnesota +214 Dallas Texas 613 Ottawa Ontario +215 Philadelphia Pennsylvania 614 Columbus Ohio +216 Cleveland Ohio 615 Nashville Tennessee +217 Springfield Illinois 616 Grand Rapids Michigan +218 Duluth Minnesota 617 Boston Massachusetts +219 Gary Indiana 618 Alton Illinois +301 Maryland (all) 619 San Diego California +303 Colorado (all) 700 Teleconference (all) +304 West Virginia (all) 701 North Dakota (all) +305 Miami Florida 702 Nevada (all) +305 Orlando Florida 703 Alexandria Virginia +307 Wyoming (all) 704 Charlotte North Carolina +308 Abott Nebraska 705 North Bay Ontario +309 Peoria Illinois 712 Councilbluffs Iowa +312 Chicago Illinois 713 Houston Texas +313 Detroit Michigan 714 Anaheim California +314 St. Louis Missouri 715 Bay City Wisconsin +315 Syracuse New York 716 Buffalo New York +316 Wichita Kansas 716 Rochester New York +317 Indinapolis Illinois 717 Harrisburg Pennsylvania +318 Lake charles Lousiana 800 Toll Free (all) +319 Davenport Iowa 801 Utah (all) +401 Rhode Island (all) 802 Vermont (all) +402 Omaha Nebraska 803 South Carolina (all) +404 Atlanta Georgia 804 Richmond Virgina +405 Oklahoma City Oklahoma 805 Bakersfield California +406 Montana (all) 806 Amarillo Texas +408 San Jose California 807 Thunder Bay Ontario +412 Pittsburg Pennsylvania 808 Hawaii (all) +413 Springfield Massachusetts 809 Bermuda (all) +414 Milwaukee Wisconsin 809 Bahamas (all) +415 San Francisco California 809 Puerto Rico (all) +416 Toronto Onterio 809 Virgin Islands (all) +417 Joplin Missouri 812 Evansville Indiana +418 Quebec Quebec 812 Dade park Kentucky +419 Toledo Ohio 814 Johnston Pennsylvania +501 Arkansas (all) 815 Rockford Illinois +502 Frankfort Kentucky 816 Independence Missouri +503 Oregon (all) 817 Fort Worth Texas +504 New Orleans Louisiana 818 Burbank California +504 Baton Rouge Louisiana 819 Trois Riv. Quebec +505 New Mexico (all) 900 Dial-it (all) +507 Rochester Minnesota 901 Memphis Tennessee +509 Pullman Washington 904 Talahassee Florida +512 Austin Texas 906 Escanaba Michigan + + Page 183 + + + + + The Official Phreaker's Manual + +513 Cincinnati Ohio 907 Alaska (all) +514 Montreal Quebec 912 Savannah Georgia +515 Des Moines Iowa 913 Kansas City Kansas +516 Hempstead New York 915 El Paso Texas +517 Lansing Michigan 916 Sacramento California +518 Albany New York 918 Tulsa Oklahoma + 919 Raleigh North Carolina + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 184 + + + + + The Official Phreaker's Manual + +==Phrack Inc.== +Volume One, Issue Two, Phile #5 of 9 + +Updated from November 26, 1985 +Tac Dialups taken from Arpanet +by Phantom Phreaker + + TAC DIALUPS SORTED BY LOCATION 26-NOV-85 + +State/Country 300 Baud 1200 Baud 1200 Type +------------- --------------- ----------------- --------- + + ALABAMA + Anniston Army Depot [M] + (ANNIS-MIL-TAC) (205) 235-6285 (R4) (205) 235-7650 B/V + (205) 237-5731 (R8) (205) 237-5731 (R8) B/V + (205) 237-5770 (R8) (205) 237-5779 (R8) B/V + (205) 237-5805 (R8) (205) 237-5805 (R8) B/V + + *Please note: When accessing the Anniston TAC you must first enter a + , then enter DDN . After you receive CLASS DDN START, + proceed as normal. + + Gunter AFS [M] + + (GUNTER-TAC) (205) 279-3576 + (205) 279-4682 + + Redstone Arsenal [M] + (MICOM-TAC) [none known] + + ARIZONA + Ft. Huachuca [M] + (HUAC-MIL-TAC) [none known] + + Yuma [M] + (YUMA-TAC) (602) 328-2186 (602) 328-2186 B/V + (602) 328-2187 (602) 328-2187 B/V + (602) 328-2188 (602) 328-2188 B/V + + CALIFORNIA (NORTHERN) + Alameda [M] + (ALAMEDA-MIL-TAC) [none known] + + Menlo Park [M] + (SRI-MIL-TAC) (415) 327-5440 (R3) (415) 327-5440 (R3) B + + (USGS3-TAC) [M] [no dialups] + + Moffett Field [M] + (AMES-TAC) [no dialups; contact NSC for access] + William Jones - (415) 694-6482 + (FTS) 494-6482 + (AV) 359-6482 + + Monterey [M] + (NPS-TAC) [none known] + + + Page 185 + + + + + The Official Phreaker's Manual + + Sacsamento [M] + (MCCLELLAN1-MIL-TAC) [none known] + (MCCLELLAN2-MIL-TAC) [none known] + + Stanford [A] + (SU-TAC) (415) 327-5220 + + CALIFORNIA (SOUTHERN) + China Lake [M] + (NWC-TAC) [none known] + + + Edwards AFB [M] + (EDWARD-MIL-TAC) [none known] + + El Segundo [M] + (AFSC-SD-TAC) (213) 643-9204 (213) 643-9204 B/V + + Los Angeles [A] + (USC-TAC) (213) 749-5436 + + Los Angeles [A] + (USC-ARPA-TAC) [none known] + + San Diego [M] + (ACCAT-TAC) (619) 225-1641 (R4) (619) 225-6903 V + (619) 225-6946 (R3) + (619) 223-2148 V + (619) 226-7884 (R2) + + Santa Monica + (RAND-ARPA-TAC) [A] + (213) 393-9230 + (213) 393-9237 + (213) 393-9238 + (213) 393-9239 + + (RAND2-MIL-TAC) [M] [none known] + + COLORADO + Denver Fed Ctr [M] + (USGS2-TAC) (303) 232-0206 (303) 232-0206 B/V + + Lowry Air Force Base [M] + (LOWRY-MIL-TAC) [none known] + + D.C. + Washington + [Andrews AFB] [M] + (AFSC-HQ-TAC) (301) 967-7930 (R16) (301) 967-7930 (R16) B + (301) 736-2990 (R4) (301) 736-2990 (R4) B + (301) 736-2998 (R2) (301) 736-2998 (R2) B + + (PENTAGON-TAC) (202) 553-0229 (R14) (202) 553-0229 (R14) B + + FLORIDA + Eglin AFB [M] + (AFSC-AD-TAC) (904) 882-8202 (904) 882-8202 B/V + + Page 186 + + + + + The Official Phreaker's Manual + + (904) 882-8201 (904) 882-8201 V + + MacDill AFB [M] + (MACDILL-MIL-TAC) [none known] + + Naval Air Station - Jacksonville [M] + (JAX1-MIL-TAC) [none known] + + Naval Air Station - Orlando [M] + (ORLANDO-MIL-TAC) [none known] + + GEORGIA + Robins AFB [M] + (ROBINS-TAC) (912) 926-2725 (912) 926-2725 B/V + (912) 926-2726 + (912) 926-3231 + (912) 926-3232 + (912) 926-2204 (912) 926-2204 B/V + HAWAII + Camp H.M. Smith [M] + (HAWAII2-TAC) (808) 487-5545 (808) 487-5545 B + + ILLINOIS + Scott AFB [M] + (SCOTT-TAC) [none known] + + (SCOTT2-MIL-TAC) [none known] + + KANSAS + Ft. Leavenworth [M] + (LVN-MIL-TAC) (913) 651-7041 (R8) (913) 651-7041 (R8) B + + LOUISIANA + Navy Regional Data Automation Center [M] + (NORL-MIL-TAC) (504) 944-7940 (504) 944-7940 B + (504) 944-7948 (R2) (504) 944-7948 (R2) B + (504) 944-7951 (R5) (504) 944-7951 (R5) B + (504) 944-8702 (R8) (504) 944-8702 (R8) B + + MARYLAND + Aberdeen Proving Ground [M] + (BRL-TAC) (301) 278-6916 (R4) (301) 278-6916 (R4) B/V + + Bethesda [M] + (DAVID-TAC) (202) 227-3526 (R16) (202) 227-3526 (R16) B/V + + Patuxent River [M] + (PAX-RV-TAC) (301) 863-4815 (301) 863-4815 B/V + (301) 863-4816 (301) 863-4816 B/V + (301) 863-5750 (R6) (301) 863-5750 (R6) B/V + + Silver Spring [M] + (WHITEOAK-MIL-TAC) (301) 572-5960 (R10) (301) 572-5960 (R10) B + (301) 572-5970 (R10) (301) 572-5970 (R10) B + + MASSACHUSETTS + Hanscom AFB [M] + (AFGL-TAC) (617) 861-3000 (R8) (617) 861-3000 (R8) B + + Page 187 + + + + + The Official Phreaker's Manual + + (617) 861-4965 (R8) (617) 861-4965 (R8) + + Cambridge + (BBN-MIL-TAC) [M] [none known] + + (BBN-ARPA-TAC) [A] [no dialup capability] + + (CCA-ARP-TAC) [A] [none known] + + (MIT-TAC) [A] + (617) 491-5669 (617) 258-6224 V + (617) 491-5708 (617) 258-6225 V + (617) 491-5734 (617) 258-6227 V + (617) 491-5819 (617) 258-6248 V + (617) 491-5826 + (617) 491-5841 + (617) 491-5849 + (617) 491-6769 + (617) 491-6772 + (617) 491-6937 + (617) 258-6241 + (617) 258-6242 + (617) 258-6243 + + MICHIGAN + U.S. Army Tank Automotive Command (TACOM) - Warren [M] + (TACOM-TAC) [none known] + + MISSOURI + St. Louis [M] + (STLA-TAC) [none known] + + NEBRASKA + Offutt AFB [M] + (SAC1-MIL-TAC) [none known] + + (SAC2-MIL-TAC) (402) 292-4638 (R10) (402) 292-4638 (R10) B + + (SAC-ARPA-TAC) [A] + (402) 294-2398 (402) 294-2398 B + (402) 291-2018 (402) 291-2018 B + (402) 292-7054 (402) 292-7054 B + + NEW JERSEY + Dover [M] + (ARDC-TAC) (201) 724-6731 (201) 724-6731 B/V + (201) 724-6732 (201) 724-6732 B/V + (201) 724-6733 (201) 724-6733 B/V + (201) 724-6734 (201) 724-6734 B/V + + Fort Monmouth [M] + (FTMONMOUTH1-MIL-TAC) (201) 544-2052 (201) 544-2052 B/V + (201) 544-2062 (201) 544-2062 B/V + (201) 544-2072 (201) 544-2072 B/V + (201) 544-2396 (201) 544-2396 B/V + (201) 544-2430 (201) 544-2430 B/V + + (FTMONMOUTH2-MIL-TAC) (201) 544-4254 (R3) (201) 544-2430 B + + Page 188 + + + + + The Official Phreaker's Manual + + (201) 544-2636 B + (201) 544-2638 B + (201) 544-2777 B + + NEW MEXICO + Albuquerque [M] + (AFWL-TAC) [none known] + + White Sands [M] + (WSMR-TAC) [no dialups; contact NSC for access] + Claude (Skeet) Steffey - (505) 678-1271 + (FTS) 898-1271 + (AV) 258-1271 + + NEW YORK + Griffiss AFB + (RADC-ARPA-TAC) [A] [no dialup capability] + + (RADC-TAC) [M] + (315) 339-4913 (R5) + (315) 337-2004 (315) 337-2004 B/V + (315) 337-2005 (315) 337-2005 B/V + + (315) 330-2294 (315) 330-2294 (FTS) 952 B/V + + (315) 330-3587 (315) 330-3587 (FTS) 952 B/V + + NORTH CAROLINA + Ft. Bragg [A] + (BRAGG-ARPA-TAC) (919) 396-1131 (R10) (919) 396-1426 (R5) B/V + (919) 396-1491 (R8) B/V + Ft. Bragg [M] + (BRAGG-MIL-TAC) [none known] + + OHIO + Wright-Patterson AFB [M] + (WPAFB-TAC) (513) 258-4218 + (513) 258-4219 + (513) 258-4987 + (513) 258-4988 + (513) 258-4989 + (513) 258-4990 + + (WPAFB2-MIL-TAC) (513) 257-2172 (R8) (513) 257-2172 (R8) B + (513) 257-2690 (R8) (513) 257-2690 (R8) B + (513) 257-3625 (R8) (513) 257-3625 (R8) B + + OKLAHOMA + Tinker AFB [M] + (TINKER-MIL-TAC) [none known] + + + PENNSYLVANIA + New Cumberland Army Depot [M] + (NCAD-MIL-TAC) [none known] + + (NCAD2-MIL-TAC) [none known] + + + Page 189 + + + + + The Official Phreaker's Manual + + TEXAS + Brooks AFB [M] + (BROOKS-AFB-TAC) (512) 536-3081 (R6) (512) 536-3081 (R6) B/V + + Richardson [A] + (COLLINS-TAC) (214) 235-2131 (214) 235-2131 B + (214) 235-2143 (214) 235-2143 B + (214) 235-2178 (214) 235-2178 B + (214) 235-2204 (214) 235-2204 B + (214) 235-2251 (214) 235-2251 B + (214) 235-2278 (214) 235-2278 B + + UTAH + Dugway Proving Ground [M] + (DUGWAY-MIL-TAC) [none known] + + Salt Lake City (University of Utah) [A] + (UTAH-TAC) (801) 581-3486 (801) 581-3486 B/V + + VIRGINIA + Alexandria [M] + (DARCOM-TAC) (202) 274-5300 (202) 274-5300 B + (202) 274-5320 (R6) (202) 274-5320 (R6) B + + Arlington + (ARPA1-MIL-TAC) [M] [none known] + + (ARPA2-MIL-TAC) [M] [none known] + + (ARPA3-TAC) [A] [no dialup capability] + + Dahlgren [M] + (NSWC-TAC) (703) 663-2162 (R8) (703) 663-2162 (R8) B + + Langley Air Force Base [M] + (LANGLEY-MIL-TAC) [none known] + + McLean [M] + (DDN-PMO-MIL-TAC) [none known] + + + (MITRE-TAC) [M] + (703) 442-8020 (R15) + (703) 893-0330 (R10) (703) 893-0330 (R10) B/V + + Norfolk [M] + (NORFOLK-MILTAC) (804) 423-0241 (R2) (804) 423-0241 (R2) B + (804) 423-0247 (R2) (804) 423-0247 (R2) B + (804) 423-0346 (R4) (804) 423-0346 (R4) B + (804) 423-0480 (804) 423-0480 B + (804) 423-0486 (R2) (804) 423-0486 (R2) B + (804) 423-0489 (804) 423-0489 B + (804) 423-0570 (804) 423-0570 B + (804) 423-0572 (R2) (804) 423-0572 (R2) B + (804) 423-0577 (R2) (804) 423-0577 (R2) B + (804) 423-0651 (804) 423-0651 B + (804) 423-0654 (R3) (804) 423-0654 (R3) B + (804) 423-0841 (R2) (804) 423-0841 (R2) B + + Page 190 + + + + + The Official Phreaker's Manual + + (804) 423-0845 (804) 423-0845 B + (804) 423-0849 (804) 423-0849 B + (804) 423-0858 (804) 423-0858 B + (804) 423-0950 (804) 423-0950 B + (804) 423-0952 (804) 423-0952 B + (804) 423-0955 (R3) (804) 423-0955 (R3) B + (804) 423-0959 (804) 423-0959 B + + Reston + (DCEC-ARPA-TAC) [A] [no dialups available] + + (DCEC-MIL-TAC) [M] + (703) 437-2892 (R5) (703) 437-2928 B + (703) 437-2925 (703) 437-2929 B + (703) 437-2926 + (703) 437-2927 + + WASHINGTON + Seattle [A] + (WASHINGTON-TAC) [no dialup capability] + + ENGLAND [M] + (CROUGHTON-MIL-TAC) [none known] + + GERMANY [M] + (FRANKFURT-MIL-TAC) + (M) 2311-5641 (R8) B + + (RAMSTEIN2-MIL-TAC) [none known] + + ITALY [M] + (AGNANO-MIL-TAC) + + JAPAN [M] + (BUCKNER-MIL-TAC) + + (ZAMA-MIL-TAC) + + KOREA [M] + (KOREA-TAC) (M) 264-4951 (R8) B + + PHILIPPINES [M] + (CLARK-MIL-TAC) + + SPAIN [M] + (MILNET-TJN-TAC) [none known] + + (ROTA-MIL-TAC) [none known] + + Notes: + + 1. "(R10)" following phone number indicates a rotary with 10 lines. + + 2. For alternate phone numbers, FTS=Federal Telephone System. + 3. (M)=Military DoD Telephone System. + + 4. [M] denotes a MILNET TAC and [A] denotes an ARPANET TAC. + + + Page 191 + + + + + The Official Phreaker's Manual + + 5. "1200 Type" refers to the modem compatibility for 1200 baud only: + B/V = Bell and Vadic + B = Bell 212A only + V = Vadic 3400 only + + 6. This list is contained in the file NETINFO:TAC-PHONES.LIST at + SRI-NIC. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 192 + + + + + The Official Phreaker's Manual + + >>==========================<< + >>==> TELCO TEST NUMBERS <==<< + >>====> as of 5/16/85 <=====<< + >>=> compiled and updated <=<< + >>====> by Shadow 2600 <====<< + >>==========================<< + +011-44-61-2468011 : US dial tone then "When this system changes, this is the +new dial tone you hear" (UK is changing dialtone) + +201-226-0709 : alternating tones, then "warble" +201-267-9922 : sweep tone +201-267-9966 : 600 ohm termination +201-232-9924 : (tone 1,2,5-beep, bleep; 9,#- 1200 baud static, beep, bleep; +6-tone, higher tone, bleep) +201-232-9959 : tone 11 sec. silence, repeats... +201-233-9972 : multitude of clicks +201-233-9974 : busy 15 sec. then tone w/ clicks +201-241-9916 : hissing with clicks +201-328-9971 : 1000 hrtz tone +201-376-9907 : "is being checked for trouble. Please try again later" +201-464-9915 : low tone 15 sec, silence +201-464-9916 : low tone 2 sec, silence +201-464-9963 : buzz +201-464-9974 : busy 15 sec, low tone +201-543-9902 : "If you'd like to make a call, hang up and try it again." +201-543-9903 : "We're sorry, your call did not go through." +201-543-9904 : "the number you have dialed requires a .20 cents deposit." +201-655-9900 : "cannot be completed as dialed from the phone you are using" +201-769-0205 : People's Express Reservation system +203-771-4920 : telephone company employee newsline +207-866-4411 : 1000 hrtz tone +212-233-9980 : (tone 1,2,3,*-tone, higher tone, bloop; 5-tone, bloop; 9,#- +static,beep,bloop) +212-369-7003 : "you have reached 212-369-7003 in zone 3" (?) +212-799-5017 : ABC New York feed line +213-621-4141 : telephone employee newsline +213-935-1111 : sweep tone with echo at top of range (?) +215-489-0036 : tone, bloop (1,2,5-tone bloop, 3,6,9-tone, higher tone,tone) +215-489-0040 : "please check your instruction manual or call repair service for +assistance" +215-489-0042 : "if you like to make a call please hang up and try again" +215-489-0043 : "We're sorry, your call did not go through." +215-489-0044 : "The call you have made requires a 25 cent deposit" +215-489-0045 : "You must first dial a 1 when dialing this number." +215-489-0074 : LOUD tone, stops, repeats +215-489-0075 : 600 ohm termination (silence) +215-489-0078 : tone, silence +215-489-0080 : 600 ohm termination +215-489-0097 : tone, (lower pitched than -0078) silence (also at -0098) +215-489-0104 : 1000 hrtz tone +216-861-8300 : tone, then higher tone +301-256-9987 : 1000 hertz +301-546-7777 : "Due to Telephone Company facility trouble your call cannot be +completed at this time" +301-725-9904 : "deposit .20" +305-263-0000 : repeating bloop (keypress 2 : slow reorder w/ bloops, clicks) +305-994-9963 : pay fone instructions + + Page 193 + + + + + The Official Phreaker's Manual + +305-994-9966 : "telephone you are calling from is not in service" +312-222-9948 : tone (keypress 1,2,3,6,7,*-tone, high tone, bleep, +4-tone,bloop,9, #-static,beep,bloop) +312-222-9954 : "Test Center" +312-222-9990 : clicks, ticking like +312-222-9996 : LOUD tone, repeats +312-368-8000 : Illinois Bell Communicator (employee newsline) +312-592-0000 : tone (keypress 2222, then other digits, at re-order type * to +restart) (?) +313-223-7223 : telephone employee newsline +313-333-9981 : LOUD tone, silence +313-333-9989 : high tone (enter touchtones for a while, eventually get +"metallic" echo, then 5-high pitched tone, random re-orders) +313-333-9990 : beep, click repeats, with "winks" +313-333-9994 : tone bloop (keypress in 2-tone,bloop, 3-tone, higher tone,tone, +9-static, beep,bloop) +313-333-9995 : 600 ohm termination (silence) +313-333-9996 : weird siren/sweep tone, multi-frequency +313-430-4300 : beep, beep, beep, then reorder +313-698-9998 : sweep tone +314-247-5511 : Southwestern Bell Telenews (employee newsline) +315-471-9934 : "deposit 5 cents for next five minutes" +408-255-0081 : (any two 2,4,8,0-tone) +408-294-6969 : beep, click, computer voice repeats number +408-395-1110 : (tone 2-bleep,glitch; 3-beep,higher beep;#then number-loud +tone,bleep) +408-738-8190 : (tone 1,3,6,7,*-tone, high tone, tone;2-beep,cluck;9,#- +static,tone,beep) +408-745-6060 : high pitched tone, low tone then repeats +408-994-0044 : tone end of loop +412-633-3333 : telephone company employee newsline +414-628-0001 : continuous tone +414-628-0002 : continuous tone (higher pitched, sounds like muted dial) +414-628-0004 : high pitched tone, bloop, silence +414-628-0006 : brief very high tone (also -0007) (multiple keypresses of +2,5,8,0 tone repeats) +414-628-0010 : loud tone, stops, repeats... +414-628-0011 : loud tone, stops +414-628-0013 : 600 ohm termination (silence) (also -0017, two in an exchange?) +414-628-0014 : continuous tone (sounds like weird dial), eventually stops +414-628-0015 : LOUD tone, repeats +414-628-0028 : "Your call cannot be completed as dialed +414-678-3511 : Wisconsin Bell Newsline +414-781-0004 : high tone, silence (keypress 2,5-beep,bleep, 3,6-beep,longbeep, +bloop, 9-static,bloop) +415-284-1111 : one sweep, then silence +415-327-0046 : sweep tone +415-388-0037 : tone,bloop (keypress 2-tone,bloop, 3-tone,high tone,tone, +9-static,beep,bloop) +415-472-0046 : sweep w/ glitch at top +415-545-8800 : Pacific Bell Newsline +415-467-0097 : fast DTMF tones, keypress to repeat +415-777-0020 : 1000 hrtz tone +415-777-0037 : tone, bloop (keypress 2-beep,bloop, 3,6-tone,higher tone, +9-static,beep,bloop) +415-777-0046 : sweep tone with echo +415-777-0105 : tone,bloop (keypress 2-beep,bleep, 3,6-tone, higher tone, +tone,9-static,beep,bloop + + Page 194 + + + + + The Official Phreaker's Manual + +415-826-0022 : tone, click, tone (sounds like a busy) +415-994-0710 : multitude of clicks +512-472-2181 : "if you would like to make a call, please hang up and try +again" +512-472-4263 : garbled recording (?) +512-472-9833 : "you must first dial a 1 or 0 before calling this number" +512-472-9936 : "please check your instructions or call your business office for +assistance" +512-472-9941 : "insert 25 cents" +516-222-3825 : LOUD tone +516-234-9914 : New York Telephone Newsline +518-471-2272 : New York Telephone Newsline +518-789-3299 : weird busy, multitude of clicks +609-267-9966 : busy with clicks in background +609-267-9967 : 600 ohm termination (silence) +609-267-9968 : 1000 hrtz tone +609-267-9971 : LOUD tone, stops, repeats +609-267-9972 : rings with clicks in background (also -9973 and -9974) +609-877-9924 : high tone (tone in 1,2,5-tone, bloop; 3,6,*-tone, higher tone, +bleep; #-static, beep, bleep) +609-877-9929 : 1000 hrz tone +617-553-9953 : tone end of loop +617-890-9900 : sweep tone +617-955-1111 : telephone company employee newsline +619-748-0002 : tone increases in pitch, silence, repeats in monotone +619-748-0003 : sweep, repeat, hangs up +702-789-6711 : Nevada Bell Newsline +713-354-0000 : touch tone in #, then new #, then 5 - listed, 9 - unlisted) +713-482-3199 : "We're sorry, all circuit are busy now." +713-652-5111 : touch tones echo back "metallic", something about "drivers +licence number" replys in a female recorded voice +717-255-5555 : Bell of Pennsylvania "Inside Line" (employee newsline) +718-429-9900 : "Please slide a valid credit card through the slot now" +800-221-5959 : tone (# makes it ring) +800-228-8466 : Sensaphone (tm) demo (time etc. (EST) (wait 7+ rings)) +800-321-3048 : non-connecting loop with 800-321-3049 +800-321-3052 : loop (don't know where other end is) +800-321-6366 : Centagram's Voice Memo System (extension 100 for demo) +800-323-6321 : tone, stops, bloop repeats +800-327-0000 : "Announcement three, Dallas" (changes sometimes) +800-344-4001 : non-connecting loop with 800-344-4002 +800-524-0000 : "Announcement 1 Atlanta" +800-554-5924 : Cable News Network audio feed +800-824-8274 : "Enter your password service code" +802-955-1111 : telephone company newsline +808-533-4426 : Hawaiian Telephone Newsline +816-391-1122 : recorder (keypress 1-toggle on/off, 3-rewind, 4-stop, 7-play) +907-269-0955 : tone (sounds like extender, doesn't take touch tone (?)) +914-232-9901 : "Daytona, New York DMS-100 verification" +914-268-9901 : "Congers DMS 100 Verification" +914-268-9903 : "your call cannot be completed as dialed" +914-268-9968 : (keypress 2-high tone, 3-high, higher tone, 6,0-click, 7- hangs +up, sometimes 0,#,*-harmony) +914-359-9901 : repeats the number dialed ("914-359-9901") +914-359-9960 : weird tone, stops, clicks, repeats +914-623-9968 : (keypress 2,5-beep glitch, 3,6-tone highertone) +916-480-8000 : Pacific Bell Newsline + + + Page 195 + + + + + The Official Phreaker's Manual + + WHAT A TSPS CONSOLE LOOKS LIKE + +--- NON/COIN ---- ------------- COIN ------------- --------- HOTEL --------- + + ---- ---- ---- ---- ---- ---- ----- --- --- ---- +!VFY ! !OVER! !SCRN! !INWD! !EMER! !STA ! ! 0+ ! !DIAL! !STA ! ! 0+ ! +!DIAL! !POST! !TONE! !STA ! ! 0+ ! !DIAL! !QST ! ! ! ! ! ! ! + ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- + +----- OUTGOING TRUNKS ----- RING RELEASE + + ---- ---- ---- ---- ---- ----- ---- ---- ---- ---- +! DA ! !R&R ! !SWB ! !OGT ! !BACK! ! FWD ! !CALL! !T&C ! !NFY ! !CHG ! + ---- ---- ---- ---- ---- ----- ---- ---- ---- ! DUE! + ---- + --- ---- ---- ---- ---- ---- ---- ---- ---- ---- +!KEY ! !BACK! !FWD ! ! SR ! !MAKE! !MTCE! !POS ! !BACK! ! ! ! ! +!CLG ! ! ! ! ! ! ! !BUSY! !TRFR! ---- ---- ---- ---- + ---- ---- ---- ---- ---- ---- + + ----------------- AMA ----------------- + ---- ---- ---- ---- ---- ---- +STATION -----!PAID! !COL ! !SPL ! !SPL ! !AUTO! !DDD ! + ! ! ! ! !CLG ! !CLD ! !COL ! ! ! + ---- ---- ---- ---- ---- ---- + + ---- ---- ---- ---- ---- +PERSON ----- !PAID! !COL ! !SPL ! !SPL ! ! NO ! + ! ! ! ! !CLG ! !CLD ! !AMA ! + ---- ---- ---- ---- ---- + + ---- ---- ---- + !CLG ! !CLG ! !CLG ! + ! ! ! ! ! ! + ---- ---- ---- + + + + + + + + + + + + + + + + + + + + + + + + + Page 196 + + + + + The Official Phreaker's Manual + + Box Plans + + Hmm... I wonder! This is still under construction (Ha Ha). + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 197 + + + + + The Official Phreaker's Manual + + THE INFINITY TRANSMITTER + + TYPED BY THE GHOST WIND + + FROM THE BOOK BUILD YOUR OWN + LASER, PHASER, ION RAY GUN & OTHER WORKING SPACE-AGE PROJECTS + BY ROBERT IANNINI (TAB BOOKS INC) + +Description: Briefly, the Infinity Transmitter is a device which activates a +microphone via a phone call. It is plugged into the phone line, and when the +phone rings, it will immediately intercept the ring and broadcast into the +phone any sound that is in the room. This device was originally made by +Information Unlimited, and had a touch tone decoder to prevent all who did not +know the code from being able to use the phone in its normal way. This +version, however, will activate the microphone for anyone who calls while it is +in operation. +NOTE: It is illegal to use this device to try to bug someone. It is also +pretty stupid because they are fairly noticeable. +Parts List: +Pretend that uF means micro Farad, cap= capacitor + +Part # Description +---- - ----------- +R1,4,8 3 390 k 1/4 watt resistor +R2 1 5.6 M 1/4 watt resistor +R3,5,6 3 6.8 k 1/4 watt resistor +R7/S1 1 5 k pot/switch +R9,16 2 100 k 1/4 watt resistor +R10 1 2.2 k 1/4 watt resistor +R13,18 2 1 k 1/4 watt resistor +R14 1 470 ohm 1/4 watt resistor +R15 1 10 k 1/4 watt resistor +R17 1 1 M 1/4 watt resistor +C1 1 .05 uF/25 V disc cap +C2,3,5,6,7 5 1 uF 50 V electrolytic cap or tant + (preferably non-polarized) +C4,11,12 3 .01 uF/50 V disc cap +C8,10 2 100 uF @ 25 V electrolytic cap +C9 1 5 uF @ 150 V electrolytic cap +C13 1 10 uF @ 25 V electrolytic cap +TM1 1 555 timer dip +A1 1 CA3018 amp array in can +Q1,2 2 PN2222 npn sil transistor +Q3 1 D4OD5 npn pwr tab transistor +D1,2 2 50 V 1 amp react. 1N4002 +T1 1 1.5 k/500 matching transformer +M1 1 lar \ No newline at end of file diff --git a/textfiles.com/phreak/PHREAKING/phukphrd.phk b/textfiles.com/phreak/PHREAKING/phukphrd.phk new file mode 100644 index 00000000..54d26599 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/phukphrd.phk @@ -0,0 +1,138 @@ + + Phuckin' Phield Phreakers Present + In Coalition With The Apostles Of Anarchy Across America + + ------------------------------------------------------------ + + Scaring The Phuck Out Of Your Phriends + (or enemies) + If You're A Phuckin' Phreak + + ------------------------------------------------------------ + + Disclaimer: + + Have a phuckin' k-rad time with the shit in this file, + and we suggest you try this whenever you have spare time and + a beige box in your hands. Why? Cuz we don't give a shit, + and we're not responsible anyway! Haha! + + Intro: + + Yeah, so, you have a beige box and you're sick of it. + Big fat hairy deal. Ok, the only reason I'm writing this + lame text phile is cuz it's Holloween today, and I just + might try this trick on some lamers out there. + + Ok, like I said, you have a beige box. Over the past + few weeks, you have used, abuzed, and phucked with your + beige box. Yeah, big deal, so you called 100 1-900/976 fone + numbers on someone else's bill. But, anyone can do that, + right? But, now you're sick of it, sick of just adding + dollars and cents to your phriend's fone bill. So, whatta ya + do? + + Number one, read this phile, unless you're a lamer, + then burn this phile and go jump off a bridge. + + Ok, if you're still around at this point (and I'm + assuming you're not a lamer, and if you are, I guess you + don't speak or read English!), read on! + + The Trick: + + Ok, ok, ok, so what's the big story here? As a + beginning thought, have you ever wanted to phucking scare + the shit out of someone somewhere? Well, now you can! + Safely! + + What we're gonna teach you ta do is to scare the living + shit out of your phriend (enemy, bystander, etc) and then + get loads of laffs at the same time. Read on: + + What you need: + + 2 Beige Boxes (portable lineman's handsets) + 1 Victim + 1 Phreak Minimum (more phreaks for more phun, but no + phuckin' lamers) + 1 Victim's Green Base (output device, can, etc, where + the victim's fone line connects) + What to do: + + Yeah, simple enuff, you have all the parts together. + Now, go out to the victim's green base, and try to make sure + that the victim or any pass-er-by's don't see you doing + this. + + Open the green base or output device, or whatever, and + using ANI, find the victim's fone number. Ok, you found it, + or you didn't. If you didn't find it, go to another output + device in the nearby area and try again. + + Assuming you found the victim's fone number, attatch + one beige box to the victim's fone line, but keep it on-hook + (the switchook DOWN, so it will ring when called, lets call + this beige box 1) and stick the other beige box on another + pair of terminals different from the victim's terminals. + Let's call this beige box 2. + + Let's hope you have enuff brain power for the next + step: Using beige box 2, call the victim's house. Beige box + 1 should ring, but don't pick it up until the ringing stops, + which means the victim/victim's family has picked the fone + up. Then, pick up beige box 1. OK, now beige box 1 and 2 + both are off-hook. Say something through beige box 2, like + heavy breathing or something like, "Tthhhhhiiiisssss isss + theee Mutilatorrsss.... I'm inn your houssssss.....!" + + Ok, here's another crucial point. At this point, the + victim will either say, "What?", "Bullshit, fuck off!", or + something like that and hang up or stay on-line for a bit. + If they hang up, REMEMBER, you still have beige box 1 + attached... hehe... Through beige box 1, keep threatening + them with maniacal sounds and shit you see in horror movies + all the time. That will "phreak" them out (they will think + someone is calling them from their own house...) See what + I'm getting at? Pretty phun, huh? + + Another method: + + Ok, lets say you have only 1 beige box. But, you also + know the ringback number to your area. Ok, simple, go to the + victim's output device, find his fone number with ANI, + attach your beige box to his fone line, dial ringback, and + wait for the victim to pick the fone up. Whala, read the + above paragraph for what to do from here... hehe, the victim + cannot disconnect you cuz you're just another extension of + the house's fone system... you're scare the shit out of most + people... especially on HOLLOWEEN!!!!!! + + Conclusion: + + Sooo, that's the plan, and if you're smart, you can see + how this would scare the shit out of people. If you can't + see why, go kill yourself. Ok, well, bye bye for now, and be + watching for more phun philes by PPP and AAXA. Other than + that, happy Holloween, and phuckin' phreak your neighborhood + to the ground.... enjoy..... + + ------------------------------------------------------------ + (x) 1989 - PPP - Phuckin' Phield Phreakers + (a) 1989 - AAXA - Apostles Of Anarchy X America + ------------------------------------------------------------ + This phile was written on OCTOBER 31, 1989 - 5:50pm!!! + ------------------------------------------------------------ + PPP are: + + Doctor Dissector, Killer Korean, Phortress Phreak, M.I.T., + White Boy, The Lode Runner, Dark Helmet, Tak/Scan. + + AAXA is a bunch of text phile writers.... heheheheheheh! + ------------------------------------------------------------ + Greets to cDc, Anarchist's Alliance, CHiNA. + ------------------------------------------------------------ + Insidious Infusion.... 619-679-0248 12/24/mnp Login=FUSION + nupw=REACTOR + ------------------------------------------------------------ + diff --git a/textfiles.com/phreak/PHREAKING/pkman.txt b/textfiles.com/phreak/PHREAKING/pkman.txt new file mode 100644 index 00000000..c4423846 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/pkman.txt @@ -0,0 +1,13467 @@ + + + The Official Phreaker's Manual + + + + + + + + + + + + + + + + + + + + + + The Official Phreaker's Manual V1.1 + Updated 2/14/91 + Compiled, Wordprocessed, and Distributed by: + The Jammer + and + Jack the Ripper + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 1 + + + + + The Official Phreaker's Manual + + Introduction + + What precedes this introduction is what I have termed "The Official +Phreakers Manual", while it may not be. Many times I have been on a BBS, which +has files claiming to have summed up all the ways to phreak in the U.S. and +abroad, well those were pretty lame and a couple pages long. Now after many +relentless hours of work, I have done it. This is an informative file and the +authors of this and the authors from which I have gathered information, take +absolutely NO responsibility and are not liable for, under any circumstances +for damage, direct, indirect, incidental, or consequential. + + Warning: Use of this material may shorten your life in the free world! + + Ok enough of the bullshit, I readily admit that this is mainly a compilation +of available phreak material and public resources. What I have done is to +gather it all together and edit, compile, check for errors, put in a readable +form, and finally to write what I know without echoing what others have said. +I have set this up that it is good for all levels of phreaks, going from novice +to advanced, and references and tables for easy reference in the back. + This manual is constantly being updated! If you have any contributions or +corrections or comments, please leave messages to me (Jack the Ripper) on any +BBS's I am on (probably where you got it). Thanks! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 2 + + + + + The Official Phreaker's Manual + + ********************************************************************** + + Table of Contents + + ********************************************************************** + + +I....... 005 Chapter 1 +I.1..... 006 Glossary of Phreaking terms +I.2..... 010 Glossary of Phreaking terms cont. +I.3..... 017 Boxes and Electronic Toll Fraud +I.4..... 020 How to be a Real Phreak +I.5..... 026 Basic Telecommunications I, A Phreaks guide + +II...... 031 Chapter 2 +II.1.... 033 Secrets of the Little Blue Box. Part 1 +II.2.... 041 Secrets of the Little Blue Box. Part 2 +II.3.... 050 Secrets of the Little Blue Box. Part 3 +II.4.... 058 Secrets of the Little Blue Box. Part 4 +II.5.... 062 The History of ESS +II.6.... 064 History of British Phreaking +II.7.... 067 Bad as Shit, an adventure story + +III..... 069 Chapter 3 +III.1... 070 Phreaking Cosmos +III.2... 072 Cosmos Revamped +III.3... 073 Telenet +III.4... 075 Phreaking AT&T Cards +III.5... 076 AT&T Forgery +III.6... 078 Dealing with Operators +III.7... 079 How to set up a Conference Call +III.8... 081 Fone tapping +III.9... 083 Fone tapping cont. +III.10.. 085 Tracing, how dangerous is it +III.11.. 086 How to avenge yourself +III.12.. 088 Interesting things to do on Step lines +III.13.. 089 Busted, An account of the Private Sector bust + +IV...... 092 Chapter 4 +IV.1.... 093 Basic Telecommunications II, Special #'s, Loops, Ani +IV.2.... 101 Basic Telecommunications III, Direct Dialing, International +IV.3.... 106 Basic Telecommunications IV, Telefone Hierarchy +IV.4.... 113 Basic Telecommunications V, Subscriber fone electronics +IV.5.... 120 Basic Telecommunications VI, Fortress fones + +V....... 123 Chapter 5 +V.1..... 124 Basic Telecommunications VII, Blue Boxing +V.2..... 132 Better Homes & Blue Boxing, Part 1 +V.3..... 136 Better Homes & Blue Boxing, Part 2 +V.4..... 141 Better Homes & Blue Boxing, Part 3 +V.5..... 145 More on Blue Boxing by Fred Stienbeck +V.6..... 146 Verification, Remob, etc., Is it possible? +V.7..... 148 Equal Access and the American Dream, Another great article +V.8..... 160 Equal access and Autodialing Modems +V.9..... 161 ISDN, it will change telecommunications for ever +V.10.... 163 ISDN, an article from Proto +V.11.... 165 MCI Services what they are and how they are useful + + + Page 3 + + + + + The Official Phreaker's Manual + + ********************************************************************** + + Appendixes + + ********************************************************************** + + +Appendix I...... 170 Reference tables and access lists +Appendix I.1.... 171 Country Codes +Appendix I.2.... 173 Country Codes cont. +Appendix I.3.... 176 Country Codes cont. +Appendix I.4.... 181 Max Access ports (Dialups) +Appendix I.5.... 182 Metro Fone Access ports +Appendix I.6.... 183 Area Codes +Appendix I.7.... 185 Tac Dialups around the country +Appendix I.8.... 193 Test numbers around the country +Appendix I.9.... 196 What a TSPS operators console looks like + +Appendix II..... 197 Box plans +Appendix II.1... 198 How to make an Infinity transmitter +Appendix II.2... 203 How to make a silver box + + 204 Protection Page + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 4 + + + + + The Official Phreaker's Manual + + Chapter 1 + + Ok this chapter will cover the basic vocabulary of phreaking, it is a fairly +long list, though not totally complete. After the vocab, will be some of the +general rules for phreaking. Most of the rules are protection from the police +and AT&T, but others are grammatical rules. These are not as important to your +freedom, but many a phreak will think you are a twelve year old if you start +talking like, "Hey dudz!^$(&, just got the latest warez! trade u for some +soft/docs. Checkul8r". Well you get the point, here's your vocab list... + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 5 + + + + + The Official Phreaker's Manual + + ...................................................................... + ...................................................................... + . The Bell Glossary - .. + . by .. + . /\<\ /\<\ .. + . \>ad \>arvin .. + ...................................................................... + ...................................................................... + +ACD: Automatic Call Distributor - A system that automatically distributes calls +to operator pools (providing services such as intercept and directory +assistance), to airline ticket agents, etc. + +Administration: The tasks of record-keeping, monitoring, rearranging, +prediction need for growth, etc. + +AIS: Automatic Intercept System - A system employing an audio-response unit +under control of a processor to automatically provide pertinent info to callers +routed to intercept. + +Alert: To indicate the existence of an incoming call, (ringing). + +ANI: Automatic Number Identification - Often pronounced "Annie," a facility for +automatically identify the number of the calling party for charging purposes. + +Appearance: A connection upon a network terminal, as in "the line has two +network appearances." + +Attend: The operation of monitoring a line or an incoming trunk for off-hook or +seizure, respectively. + +Audible: The subdued "image" of ringing transmitted to the calling party during +ringing; not derived from the actual ringing signal in later systems. + +Backbone Route: The route made up of final-group trunks between end offices in +different regional center areas. + +BHC: Busy Hour Calls - The number of calls placed in the busy hour. + +Blocking: The ratio of unsuccessful to total attempts to use a facility; +expresses as a probability when computed a priority. + +Blocking Network: A network that, under certain conditions, may be unable to +form a transmission path from one end of the network to the other. In general, +all networks used within the Bell Systems are of the blocking type. + +Blue Box: Equipment used fraudulently to synthesize signals, gaining access to +the toll network for the placement of calls without charge. + +BORSCHT Circuit: A name for the line circuit in the central office. It +functions as a mnemonic for the functions that must be performed by the +circuit: Battery, Overvoltage, Ringing, Supervision, Coding, Hybrid, and +Testing. + +Busy Signal: (Called-line-busy) An audible signal which, in the Bell System, +comprises 480hz and 620hz interrupted at 60IPM. + +Bylink: A special high-speed means used in crossbar equipment for routing calls + + Page 6 + + + + + The Official Phreaker's Manual + +incoming from a step-by-step office. Trunks from such offices are often +referred to as "bylink" trunks even when incoming to noncrossbar offices; they +are more properly referred to as "dc incoming trunks." Such high-speed means +are necessary to assure that the first incoming pulse is not lost. + +Cable Vault: The point which phone cable enters the Central Office building. + +CAMA: Centralized Automatic Message Accounting - Pronounced like Alabama. + +CCIS: Common Channel Interoffice Signaling - Signaling information for trunk +connections over a separate, nonspeech data link rather that over the trunks +themselves. + +CCITT: International Telegraph and Telephone Consultative Committee- An +International committee that formulates plans and sets standards for +intercountry communication means. + +CDO: Community Dial Office - A small usually rural office typically served by +step-by-step equipment. + +CO: Central Office - Comprises a switching network and its control and support +equipment. Occasionally improperly used to mean "office code." + +Centrex: A service comparable in features to PBX service but implemented with +some (Centrex CU) or all (Centrex CO) of the control in the central office. In +the later case, each station's loop connects to the central office. + +Customer Loop: The wire pair connecting a customer's station to the central +office. + +DDD: Direct Distance Dialing - Dialing without operator assistance over the +nationwide intertoll network. + +Direct Trunk Group: A trunk group that is a direct connection between a given +originating and a given terminating office. + +EOTT: End Office Toll Trunking - Trunking between end offices in different toll +center areas. + +ESB: Emergency Service Bureau - A centralized agency to which 911 "universal" +emergency calls are routed. + +ESS: Electronic Switching System - A generic term used to identify as a class, +stored-program switching systems such as the Bell System's No.1 No.2, No.3, +No.4, or No.5. + +ETS: Electronic Translation Systems - An electronic replacement for the card +translator in 4A Crossbar systems. Makes use of the SPC 1A Processor. + +False Start: An aborted dialing attempt. + +Fast Busy: (often called reorder) - An audible busy signal interrupted at twice +the rate of the normal busy signal; sent to the originating station to indicate +that the call blocked due to busy equipment. + +Final Trunk Group: The trunk group to which calls are routed when available +high-usage trunks overflow; these groups generally "home" on an office next +highest in the hierarchy. + + Page 7 + + + + + The Official Phreaker's Manual + + +Full Group: A trunk group that does not permit rerouting off-contingent foreign +traffic; there are seven such offices. + +Glare: The situation that occurs when a two-way trunk is seized more or less +simultaneously at both ends. + +High Usage Trunk Group: The appellation for a trunk group that has alternate +routes via other similar groups, and ultimately via a final trunk group to a +higher ranking office. + +Intercept: The agency (usually an operator) to which calls are routed when made +to a line recently removed from a service, or in some other category requiring +explanation. Automated versions (ASI) with automatic voiceresponse units are +growing in use. + +Interrupt: The interruption on a phone line to disconnect and connect with +another station, such as an Emergence Interrupt. + +Junctor: A wire or circuit connection between networks in the same office. The +functional equivalent to an intraoffice trunk. + +MF: Multifrequency - The method of signaling over a trunk making use of the +simultaneous application of two out of six possible frequencies. + +NPA: Numbering Plan Area. + +ONI: Operator Number Identification - The use of an operator in a CAMA office +to verbally obtain the calling number of a call originating in an office not +equipped with ANI. + +PBX: Private Branch Exchange - (PABX: Private Automatic Branch Exchange) An +telephone office serving a private customer, Typically , access to the outside +telephone network is provided. + +Permanent Signal: A sustained off-hook condition without activity (no dialing +or ringing or completed connection); such a condition tends to tie up +equipment, especially in earlier systems. Usually accidental, but sometimes +used intentionally by customers in high-crime-rate areas to thwart off +burglars. + +POTS: Plain Old Telephone Service - Basic service with no extra "frills". + +ROTL: Remote Office Test Line - A means for remotely testing trunks. + +RTA: Remote Trunk Arrangement - An extension to the TSPS system permitting its +services to be provided up to 200 miles from the TSPS site. + +SF: Single Frequency. A signaling method for trunks: 2600hz is impressed upon +idle trunks. + +Supervise: To monitor the status of a call. + +SxS: (Step-by-Step or Strowger switch) - An electromechanical office type +utilizing a gross-motion stepping switch as a combination network and +distributed control. + +Talkoff: The phenomenon of accidental synthesis of a machine-intelligible + + Page 8 + + + + + The Official Phreaker's Manual + +signal by human voice causing an unintended response. "whistling a tone". + +Trunk: A path between central offices; in general 2-wire for interlocal, 4-wire +for intertoll. + +TSPS: Traffic Service Position System - A system that provides, under stored- +program control, efficient operator assistance for toll calls. It does not +switch the customer, but provides a bridge connection to the operator. + +X-bar: (Crossbar) - An electromechanical office type utilizing a "fine-motion" +coordinate switch and a multiplicity of central controls (called markers). +There are four varieties: + No.1 Crossbar: Used in large urban office application; (1938) + No 3 Crossbar: A small system started in (1974). + No.4A/4M Crossbar: A 4-wire toll machine; (1943). + No.5 Crossbar: A machine originally intended for relatively small +suburban applications; (1948) + Crossbar Tandem: A machine used for interlocal office switching. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 9 + + + + + The Official Phreaker's Manual + + ============================================================ + _ _ _______ + | \/ | / _____/ + |_||_|etal / /hop + __________/ / + /___________/ + (314) 432-0756 + + Proudly Presents + + The MCI Telecommunications Glossary + + Part I Volume I (A - D) + + Typed by Knight Lightning + + ============================================================ + +- A - + +A & B LEADS: Designation of leads derived from the midpoints of the two 2-wire +pairs comprising a 4-wire circuit. + +ABBREVIATED DIALING: The ability of a telephone user to reach frequently called +numbers by using less than seven digits. Synonym: Speed Dialing + +ACCESS CHARGE: A fee paid for the use of local lines. + +ACCESS CODE: A digit or number of digits required to be connected to a private +line arranged for dial access. + +ACCESS LINE: A telephone circuit which connects a customer location to a +network switching center. + +AIRLINE MILEAGE: Calculated point-to-point mileage between terminal +facilities. + +ALL TRUNKS BUSY (ATB): A single tone interrupted at a 120 ipm (impulses per +minute) rate to indicate all lines or trunks in a routing group are busy. + +ALTERNATE ROUTE: A secondary communications path used to reach a destination if +the primary path is unavailable. + +ALTERNATE USE: The ability to switch communications facilities from one type of +service to another, i.e., voice to data, etc. + +ALTERNATE VOICE DATA (AVD): A single transmission facility which can be used +for either voice or data. + +AMERICAN STANDARD CODE +FOR INFORMATION INTERCHANGE +(ASCII): An 8 level code developed for the interchange of information between +data processing and communications systems. + +ANALOG SIGNAL: A signal in the form of a continuous varying physical quantity, +e.g., voltage which reflects variations in some quantity, e.g., loudness in the +human voice. + + + Page 10 + + + + + The Official Phreaker's Manual + +ANNUNICATOR: An audible intercept device that states the condition or +restrictions associated with circuits or procedures. + +ANSWER BACK: An electrical and/or visual indication to the calling or sending +end that the called or received station is on the line. + +ANSWER SUPERVISION: An off-hook signal transmitted toward the calling end of a +switched connection when the called party answers. + +AREA CODE: Synonym: Numbering Plan Area (NPA). A three digit number identifying +more than 150 geographic areas of the United States and Canada which permits +direct distance dialing on the telephone system. A similar global numbering +plan has been established for international subscriber dialing. + +ATTENDANT POSITION: A telephone switchboard operator's position. It provides +either automatic (cordless) or manual (plug and jack) operator controls for +incoming and/or outgoing telephone calls. + +ATTENUATION: A general term used to denote the decrease in power between that +transmitted and that received due to loss through equipment, lines, or other +transmission devices. It is usually expressed as a ration in db (decibel). + +AUDIBLE RINGING TONE: An audible signal heard by the calling party during the +ringing-interval. + +AUTHORIZATION CODE: An identification number that the caller enters when +placing a call which is used for billing purposes. + +AUTHORIZED USER: A person, firm, organization, corporation or any other entity +authorized by the customer to send or receive communications over a specific +communications network. + +AUTO ANSWER: A machine feature that allows a transmission control unit or +station to automatically respond to a call that it receives. + +AUTOMATIC CALL +DISTRIBUTOR (ACD): A switching system designed to queue and/or distribute a +large volume of incoming calls to a group of attendants to the next available +"answering" position. + +AUTOMATIC DIALING UNIT: A device which automatically generates a predetermined +set of dialing digits. + +AUTOMATIC IDENTIFICATION +OF OUTWARD DIALING (AIOD): A computer generated report showing all long +distance calls placed over AT&T's toll network. + +AUTOMATIC NUMBER +IDENTIFICATION (ANI): Automatic equipment at a local dial office used on +customer dialed calls to identify the calling-station. + +AUTOMATIC ROUTE +SELECTION (ARS): Least cost routing via AT&T CENTREX system. + + + +- B - + + + Page 11 + + + + + The Official Phreaker's Manual + +BAND: (1) The range of frequencies between two defined limits. (2) In reference +to WATS, one of the five specific geographic areas as defined by AT&T. Synonym: +BANDWIDTH. + +BANDWIDTH: See BAND. + +BASEBAND: The total frequency band occupied by the aggregate of all the voice +and data signals used to modulate a radio carrier. + +BAUD: A unit of signaling speed. The speed in baud is the number of discrete +conditions conditions or signal elements per second. If each signal event +represents only one bit condition, then Baud is the same as bits per second. +When each signal event represents other than one bit, Baud does not equal bits +per second. + +BELL OPERATING COMPANY +(BOC) /BELL SYSTEMS +OPERATING COMPANY (BSOC): Any of the 24 AT&T affiliated companies providing +local service. + +BELL SYSTEM: The aggregate of AT&T's 24 associated telephone companies, Long +Lines, Western Electric, and Bell Labs. + +BILLING NUMBER: The MCI term for the number which identifies a customer on a +billing location level, assigned to Network Service Customer (by COMS). +Assigned for each unique customer name and billing location. For internal use +only. + +BINARY: A number system that uses only two characters ("0" and "1"). + +BIT: A binary digit. The smallest unit of coded information. + +BITS PER SECOND (BPS): The rate at which data transmission is measured. + +BLOCKED CALLS: Attempted calls that are not connected because (1) all lines to +the central offices are in use; or (2) all connecting connecting paths through +the PBX/switch are in use. + +BLOCKED ANI: ANI prohibited from completing a call over the MCI network. + +BREAK: A means of interrupting transmission, a momentary interruption of a +circuit. + +BROADBAND: A transmission facility having a bandwidth of greater then 20 kHz. + +BUS: A heavy conductor, or group of conductors, to which several units of the +same type of equipment may be connected. + +BUSY: The condition in which facilities over which a call is to be connected +are already in use. + +BUSY HOUR: The time of day when phone lines are most in demand. + +BUSY TONE: A single that is interrupted at 60 ipm (impulses per minute) rate to +indicate that the terminal point of a call is already in use. + +BYTE: A group of binary digits that are processed by a computer as a unit. + + + Page 12 + + + + + The Official Phreaker's Manual + + + +- C - + + +CARRIER: High frequency current that can be modulated with voice or digital +signals for bulk transmission via cable or radio circuits. + +CARRIER SYSTEM: A system for providing several communications channels over a +single path. + +CATHODE RAY TUBE (CRT): The "television-like" screen used to display the output +from a computer. + +CELLULAR MOBILE RADIO: A system providing exchange telephone service to a +station located in an auto or other mobile vehicle, using radio circuits to a +base radio station which covers a specific geographical area and as the vehicle +moves from one area to another, different base radio stations handle the call. + +CENTRAL OFFICE (CO): A telephone switching center that provides local access to +the public network. Sometimes referred to as: Class 5 office, end office, or +Local Dial Office. + +CENTREX, CO: PBX Service provided by a switch located at the telephone company +central office. + +CENTREX, CU: A variation on Centrex CO provided by a telephone company +maintained "Central Office" type switch located at the customer's premises. + +CENTRAL PROCESSING UNIT +(CPU): The control unit within a computer which handles all the intelligent +functions of the systems. In a telephone switch, directs all potions of the +system to carry out their appropriate functions. Synonym: Common Control. + +CHANNEL: A communication path via a carrier or microwave radio. + +CHARACTER: Any letter, digit, or special symbol. In data transmission would be +represented by a specific code made up of a group of binary digits. + +CIRCUIT: A path for the transmission of electromagnetic signals to include all +conditioning and signaling equipment. Synonym: Facility + +CIRCUIT SWITCHING: A switching system that completes a dedicated transmission +path from sender to receiver at the time of transmission. + +CLASS OF SERVICE/CLASS +MARK (COS): A subgrouping of telephone customers or users for the sake of rate +distinction or limitation of service. + +COAXIAL CABLE: A cable having several coaxial lines under a single protective +sheath. Usually used as a high capacity carrier in urban areas between +interexchange and toll offices. + +CODEC: Coder-Decoder. Used to convert analog signals to digital form for +transmission over a digital median and back again to the original analog form. + +COMMON CARRIER: A government regulated private company that provides the +general public with telecommunications services and facilities. + + Page 13 + + + + + The Official Phreaker's Manual + + +COMMON CHANNEL INTEROFFICE +SIGNALING (CCIS): A digital technology used by AT&T to enhance their Integrated +Services Digital Network. It uses a separate data line to route interoffice +signals to provide faster call set-up and more efficient use of trunks. + +COMMON CONTROL SWITCHING +ARRANGEMENT (CCSA): An arrangement for telecommunicationsnetworks in which +common controlled switching machines are used to route traffic over network +routes and access lines. The switching machine may be shared with other users +and is maintained by the telephone company. + +COMPUTER PORT/TKI PORT: The interface through which the computer connects to +the communications circuit. + +CONDITIONING EQUIPMENT: Equipment modifications or adjustments necessary to +match transmission levels and impedances and which equalizes transmission and +delay to bring circuit losses, levels, and distortion within established +standards. + +CONFIGURATION: The combination of long-distance services and/or equipment that +make up a communications system. + +CONTROL UNIT (CU): The central processor of a telephone switching device. + +CORPORATE ID NUMBER: The MCI term for the number which identifies a customer on +a corporate level. (Not all MCI customers have this). + +COST COMPONENT: The price of each type of long distance service and/or +equipment that constitutes a configuration. + +COST PER HOUR (CPH): Total cost of different services divided by total holding +time (in minutes). + +CROSS CONNECTION: The wire connections running between terminals on the two +sides of a distribution frame, or between binding posts in a terminal. + +CROSS TALK: The unwanted energy (speech or tone) transferred from one circuit +to another circuit. + +CUSTOMER OWNED AND +MAINTAINED (COAM): Customer provided communications apparatus, and their +associated wiring. + +CUSTOMER +PREMISE EQUIPMENT (CPE): Telephone equipment, usually including wiring located +within the customer's part of a building. + +CUT: To transfer a service from one facility to another. + +CUT THROUGH: The establishment of a complete path for signaling and/or audio +communications. + + +- D - + +DATA: Any representation, such as characters to which a meaning is assigned. + + + Page 14 + + + + + The Official Phreaker's Manual + +DATA COMMUNICATIONS: The movement of coded information by means of electronic +transmission systems. + +DATA SET: A device which converts data into signals suitable for transmission +over communications lines. + +DATA TERMINAL: A station in a system capable of sending and/or receiving data +signals. + +DECIBEL (db): A unit of measurement represented as a ratio of two voltages, +currents or powers and is used to measure transmission loss or gain. + +DELAY DIAL: A dialing configuration whereby local dial equipment will wait +until it receives the entire telephone number before seizing a circuit to +transmit the call. + +DELTA MODULATION (DM): A variant of pulse code modulation whereby a code +representing the difference between the amplitude of a sample and t~he +amplitude of a previous one is sent. Operates well in the presence of noise, +but requires a wide frequency band. + +DEMODULATION: The process of retrieving data from a modulated signal. + +DIAL LEVEL: The selection of stations or services associated with a PBX using a +one to four digit code (e.g., dialing 9 for access to outside dial tone). + +DIAL PULSING: The transmitting of telephone address signals by momentarily +opening a DC circuit a number of times corresponding to the decimal digit which +is dialed. + +DIAL REPEATING TIE LINE/ +DIAL REPEATING TIE TRUNK: A tie line which permits direct station to station +calling without use of the attendant. + +DIAL SELECTIVE SIGNALING: A multipoint network in which the called party is +selected by a prearranged dialing code. + +DIAL TONE: A tone indicating that automatic switching equipment is ready to +receive dial signals. + +DIALING PLAN: A description of the dialing arrangements for customer use on a +networks. + +DIGITAL: Referring to the use of digits to formulate and solve problems, or to +encode information. + +DIMENSION CUSTOM +TELEPHONE SERVICE (DCTS): AT&T's electronically programmable telephone station +sets which use special buttons to access PBX features. + +DIRECT +DISTANCE DIALING (DDD): A toll service that permits customers to dial their own +long distance call without the aid of an operator. + +DIRECT +INWARD DIALING (DID): A PBX or CENTREX feature that allows a customer outside +the system to directly dial a station within the system. + + + Page 15 + + + + + The Official Phreaker's Manual + +DIRECT OUTWARD DIALING: A PBX or CENTREX feature that allows a station user to +gain direct access to an exchange network. + +DROP: That direction of a circuit which looks towards the local operator. + +DRY CIRCUIT: A circuit which transmits voice signals and carries no direct +current. + +DUAL TONE +MULTI-FREQUENCY (DTMF): Also know as Touch Tone. A type of signaling which +emits two distinct frequencies for each indicated digit. + +DUPLEX: Simultaneous two-way independent transmission. + +DX SIGNALING: A long-range bidirectional signaling method using paths derived +from transmission cable pairs. It is based on a balanced and symmetrical +circuit that is identical at both ends. This circuit presents an E&M lead +interface to connecting circuits. + + + + ============================================================ + +This concludes Part 1 Volume I of the MCI Telecommunications Glossary. Look for +more G-philes from The MCI School of Telecommunications Management Reference +Guide coming soon. + + This has been a 2600 Club production + + +Thanx to Taran King + ============================================================ + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 16 + + + + + The Official Phreaker's Manual + + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + $ _______________________________ $ + $ | | $ + $ | ELECTRONIC TOLL FRAUD DEVICES | $ + $ |_______________________________| $ + $ $ + $ $ + $ TYPED AND UPLOADED BY: $ + $ $ + $$$$$$$$$$$$-=>LEX LUTHOR<=-$$$$$$$$$$$ + $ $ + $ $ + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + + + THIS PHILE IS DESIGNED TO IDENTIFY VARIOUS KINDS OF ETF (ELECTRONIC TOLL +FRAUD) DEVICES AND TO DESCRIBE THEIR OPERATION, ACCORDING TO A BOOKLET PUT OUT +BY BELL ENTITLED: THE INVESTIGATION AND PROSECUTION OF ELECTRONIC TOLL FRAUD +DEVICES. (FOR OFFICIAL USE ONLY). + +THERE ARE SEVERAL DIFFERENT TYPES OF ELECTRONIC EQUIPMENT WHICH MAY BE +GENERALLY CLASSIFIED AS ETF DEVICES. THE MOST SIGNIFICANT IS THE "BLUE BOX". +THE CHARACTERISTICS OF EACH TYPE OF DEVICE ARE DISCUSSED BELOW. + + + +*BLUE BOX* +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + THE "BLUE BOX" WAS SO NAMED BECAUSE OF THE COLOR OF THE FIRST ONE FOUND. THE +DESIGN AND HARDWARE USED IN THE BLUE BOX IS FAIRLY SOPHISTICATED, AND ITS SIZE +VARIES FROM A LARGE PIECE OF APPARATUS TO A MINIATURIZED UNIT THAT IS +APPROXIMATELY THE SIZE OF A "KING SIZE" PACKAGE OF CIGARETTES. THE BLUE BOX +CONTAINS 12 OR 13 BUTTONS OR SWITCHES THAT EMIT MULTI-FREQUENCY TONES +CHARACTERISTIC OF THE TONES USED IN THE NORMAL OPERATION OF THE TELEPHONE TOLL +(LONG DISTANCE) SWITCHING NETWORK. THE BLUE BOX ENABLES ITS USER TO ORIGINATE +FRAUDULENT ("FREE") TOLL CALLS BY CIRCUMVENTING TOLL BILLING EQUIPMENT. THE +BLUE BOX MAY BE DIRECTLY CONNECTED TO A PHONE LINE, OR IT MAY BE ACOUSTICALLY +COUPLED TO A TELEPHONE HANDSET BY PLACING THE BLUE BOX'S SPEAKER NEXT TO THE +TRANSMITTER OR THE TELEPHONE HANDSET. THE OPERATION OF A BLUE BOX WILL BE +DISCUSSED IN MORE DETAIL BELOW. + + TO UNDERSTAND THE NATURE OF A FRAUDULENT BLUE BOX CALL, IT IS NECESSARY TO +UNDERSTAND THE BASIC OPERATION OF THE DIRECT DISTANCE DIALING (DDD) TELEPHONE +NETWORK. WHEN A DDD CALL IS PROPERLY ORIGINATED, THE CALLING NUMBER IS +IDENTIFIED AS AN INTEGRAL PART OF ESTABLISHING THE CONNECTION. THIS MAY BE DONE +EITHER AUTOMATICALLY OR, IN SOME CASES, BY AN OPERATOR ASKING THE CALLING PARTY +FOR HIS TELEPHONE NUMBER. + THIS INFORMATION IS ENTERED ON A TAPE IN THE AUTOMATIC MESSAGE ACCOUNTING +(AMA) OFFICE. THIS TAPE ALSO CONTAINS THE NUMBER ASSIGNED TO THE TRUNK LINE +OVER WHICH THE CALL IS TO BE SENT. THE INFORMATION RELATING TO THE CALL +CONTAINED ON THE TAPE INCLUDES: CALLED NUMBER, CALLING NUMBER, TIME OF CALL. +THE TIME OF DISCONNECT AT THE END OF THE CALL IS ALSO RECORDED. + ALTHOUGH THE TAPE CONTAINS INFO WITH RESPECT TO MANY DIFFERENT CALLS, THE +VARIOUS DATA ENTRIES WITH RESPECT TO A SINGLE CALL ARE EVENTUALLY CORRELATED TO +PROVIDE BILLING INFO FOR USE BY YOUR BELL'S ACCOUNTING DEPARTMENT. + THE TYPICAL BLUE BOX USER USUALLY DIALS A NUMBER THAT WILL ROUTE THE CALL +INTO THE TELEPHONE NETWORK WITHOUT CHARGE. FOR EXAMPLE, THE USER WILL VERY + + Page 17 + + + + + The Official Phreaker's Manual + +OFTEN CALL A WELL-KNOWN INWATS (TOLL-FREE) CUSTOMER'S NUMBER. THE BLUE BOX +USER, AFTER GAINING THIS ACCESS TO THE NETWORK AND, IN EFFECT, "SEIZING" +CONTROL AND COMPLETE DOMINION OVER THE LINE, OPERATES A KEY ON THE BLUE BOX +WHICH EMITS A 2600 HERTZ (CYCLES PER SECOND) TONE. THIS TONE CAUSES THE +SWITCHING EQUIPMENT TO RELEASE THE CONNECTION TO THE INWATS CUSTOMER'S LINE. +THE 2600HZ TONE IS A SIGNAL THAT THE CALLING PARTY HAS HUNG UP. THE BLUE BOX +SIMULATES THIS CONDITION. HOWEVER, IN FACT THE LOCAL TRUNK ON THE CALLING +PARTY'S END IS STILL CONNECTED TO THE TOLL NETWORK. THE BLUE BOX USER NOW +OPERATES THE "KP" (KEY PULSE) KEY ON THE BLUE BOX TO NOTIFY THE TOLL SWITCHING +EQUIPMENT THAT SWITCHING SIGNALS ARE ABOUT TO BE EMITTED. THE USER THEN PUSHES +THE "NUMBER" BUTTONS ON THE BLUE BOX CORRESPONDING TO THE TELEPHONE # BEING +CALLED. AFTER DOING SO HE/SHE OPERATES THE "ST" (START) KEY TO INDICATE TO THE +SWITCHING EQUIPMENT THAT SIGNALLING IS COMPLETE. IF THE CALL IS COMPLETED, ONLY +THE PORTION OF THE ORIGINAL CALL PRIOR TO THE EMISSION OF 2600HZ TONE IS +RECORDED ON THE AMA TAPE. THE TONES EMITTED BY THE BLUE BOX ARE NOT RECORDED ON +THE AMA TAPE. THEREFORE, BECAUSE THE ORIGINAL CALL TO THE INWATS # IS +TOLL-FREE, NO BILLING IS RENDERED IN CONNECTION WITH THE CALL. + ALTHOUGH THE ABOVE IS A DESCRIPTION OF A TYPICAL BLUE BOX OPERATION USING A +COMMON METHOD OF ENTRY INTO THE NETWORK, THE OPERATION OF A BLUE BOX MAY VARY +IN ANY ONE OR ALL OF THE FOLLOWING RESPECTS: + +(A) THE BLUE BOX MAY INCLUDE A ROTARY DIAL TO APPLY THE 2600HZ TONE AND THE +SWITCHING SIGNALS. THIS TYPE OF BLUE BOX IS CALLED A "DIAL PULSER" OR "ROTARY +SF" BLUE BOX. + +(B) ENTRANCE INTO THE DDD TOLL NETWORK MAY BE EFFECTED BY A PRETEXT CALL TO ANY +OTHER TOLL-FREE # SUCH AS UNIVERSAL DIRECTORY ASSISTANCE (555-1212) OR ANY # IN +THE INWATS NETWORK, EITHER INTER-STATE OR INTRA-STATE, WORKING OR NON-WORKING. + +(C) ENTRANCE INTO THE DDD TOLL NETWORK MAY ALSO BE IN THE FORM OF "SHORT HAUL" +CALLING. A "SHORT HAUL" CALL IS A CALL TO ANY # WHICH WILL RESULT IN A LESSER +AMOUNT OF TOLL CHARGES THAN THE CHARGES FOR THE CALL TO BE COMPLETED BY THE +BLUE BOX. FOR EXAMPLE, A CALL TO BIRMINGHAM FROM ATLANTA MAY COST $.80 FOR THE +FIRST 3 MINUTES WHILE A CALL FROM ATLANTA TO LOS ANGELES IS $1.85 FOR 3 +MINUTES. THUS, A SHORT HAUL, 3-MINUTE CALL TO BIRMINGHAM FROM ATLANTA, SWITCHED +BY USE OF A BLUE BOX TO LOS ANGELES, WOULD RESULT IN A NET FRAUD OF $2.65 FOR A +3 MINUTE CALL. + +(D) A BLUE BOX MAY BE WIRED INTO THE TELEPHONE LINE OR ACOUSTICALLY CONNECTED +TO THE HANDSET. THE BLUE BOX MAY EVEN BE BUILT INSIDE A REGULAR TOUCH-TONE +PHONE, USING THE PHONE'S PUSH BUTTONS FOR THE BLUE BOX'S SIGNALLING TONES. + +(E) A MAGNETIC TAPE RECORDING MAY BE USED TO RECORD THE BLUE BOX TONES +REPRESENTATIVE OF SPECIFIC PHONE #'S. SUCH A TAPE RECORDING COULD BE USED IN +LIEU OF +A BLUE BOX TO FRAUDULENTLY PLACE CALLS TO THE PHONE #'S RECORDED ON THE +MAGNETIC TAPE. + + ALL BLUE BOXES, EXCEPT "DIAL PULSE" OR "ROTARY SF" BLUE BOXES, MUST HAVE +THE FOLLOWING 4 COMMON OPERATING CAPABILITIES: + +(A) IT MUST HAVE SIGNALLING CAPABILITY IN THE FORM OF A 2600HZ TONE. THE TONE +IS USED BY THE TOLL NETWORK TO INDICATE, EITHER BY ITS PRESENCE OR ITS ABSENCE, +AN "ON HOOK" (IDLE) OR "OFF HOOK" (BUSY) CONDITION OF THE TRUNK. + +(B) THE BLUE BOX MUST HAVE A "KP" TONES THAT UNLOCKS OR READIES THE +MULTI-FREQUENCY RECEIVER AT THE CALLED END TO RECEIVE THE TONES CORRESPONDING +TO THE CALLED PHONE #. + + Page 18 + + + + + The Official Phreaker's Manual + + +(C) THE TYPICAL BLUE BOX MUST BE ABLE TO EMIT MF TONES WHICH ARE USED TO +TRANSMIT PHONE #'S OVER THE TOLL NETWORK. EACH DIGIT OF A PHONE # IS +REPRESENTED BY A COMBINATION OF 2 TONES. FOR EXAMPLE, THE DIGIT 2 IS X-MITTED +BY A COMBINATION OF 700HZ AND 1100HZ. + +(D) THE BLUE BOX MUST HAVE AN "ST" KEY WHICH CONSISTS OF A COMBINATION OF 2 +TONES THAT TELL THE EQUIPMENT AT THE CALLED END THAT ALL DIGITS HAVE BEEN SENT +AND THAT THE EQUIPMENT SHOULD START SWITCHING THE CALL TO THE CALLED NUMBER. + + THE "DIAL PULSER" OR "ROTARY SF" BLUE BOX REQUIRES ONLY A DIAL WITH A +SIGNALLING CAPABILITY TO PRODUCE A 2600HZ TONE. + +*BLACK BOX* +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + THIS ETF DEVICE IS SO-NAMED BECAUSE OF THE COLOR OF THE FIRST ONE FOUND. +IT VARIES IN SIZE AND USUALLY HAS ONE OR TWO SWITCHES OR BUTTONS. ATTACHED TO +THE TELEPHONE LINE OF A CALLED PARTY, THE BLACK BOX PROVIDES TOLL-FREE CALLING +*TO* THAT PARTY'S LINE. A BLACK BOX USER INFORMS OTHER PERSONS BEFOREHAND THAT +THEY WILL NOT BE CHARGED FOR ANY CALL PLACED TO HIM. THE USER THEN OPERATES THE +DEVICE CAUSING A "NON-CHARGE" CONDITION ("NO ANSWER" OR "DISCONNECT") TO BE +RECORDED ON THE TELEPHONE COMPANY'S BILLING EQUIPMENT. A BLACK BOX IS +RELATIVELY SIMPLE TO CONSTRUCT AND IS MUCH LESS SOPHISTICATED THAN A BLUE BOX. + +*CHEESE BOX* +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + ITS DESIGN MAY BE CRUDE OR VERY SOPHISTICATED. ITS SIZE VARIES; ONE WAS FOUND +THE SIZE OF A HALF-DOLLAR. A CHEESE BOX IS USED MOST OFTEN BY BOOKMAKERS OR +BETTERS TO PLACE WAGERS WITHOUT DETECTION FROM A REMOTE LOCATION. THE DEVICE +INTER-CONNECTS 2 PHONE LINES, EACH HAVING DIFFERENT #'S BUT EACH TERMINATING AT +THE SAME LOCATION. IN EFFECT, THERE ARE 2 PHONES AT THE SAME LOCATION WHICH ARE +LINKED TOGETHER THROUGH A CHEESE BOX. IT IS USUALLY FOUND IN AN UNOCCUPIED +APARTMENT CONNECTED TO A PHONE JACK OR CONNECTING BLOCK. THE BOOKMAKER, AT SOME +REMOTE LOCATION, DIALS ONE OF THE NUMBERS AND STAYS ON THE LINE. VARIOUS +BETTORS DIAL THE OTHER NUMBER BUT ARE AUTOMATICALLY CONNECTED WITH THE +BOOKMAKER BY MEANS OF THE CHEESE BOX INTER-CONNECTION. IF, IN ADDITION TO A +CHEESE BOX, A BLACK BOX IS INCLUDED IN THE ARRANGEMENT, THE COMBINED EQUIPMENT +WOULD PERMIT TOLL-FREE CALLING ON EITHER LINE TO THE OTHER LINE. IF A POLICE +RAID WERE CONDUCTED AT THE TERMINATING POINT OF THE CONVERSATIONS -THE LOCATION +OF THE CHEESE BOX- THERE WOULD BE NO EVIDENCE OF GAMBLING ACTIVITY. THIS DEVICE +IS SOMETIMES DIFFICULT TO IDENTIFY. LAW ENFORCEMENT OFFICIALS HAVE BEEN ADVISED +THAT WHEN UNUSUAL DEVICES ARE FOUND ASSOCIATED WITH TELEPHONE CONNECTIONS THE +PHONE COMPANY SECURITY REPRESENTATIVES SHOULD BE CONTACTED TO ASSIST IN +IDENTIFICATION. (THIS PROBABLY WOULD BE GOOD FOR A BBS , ESPECIALLY WITH THE +BLACK BOX SET UP. AND IF YOU EVER DECIDED TO TAKE THE BOARD DOWN, YOU WOULDN'T +HAVE TO CHANGE YOUR PHONE #. IT ALSO MAKES IT SO YOU YOURSELF CANNOT BE TRACED. +I AM NOT SURE ABOUT CALLING OUT FROM ONE THOUGH) + +*RED BOX* +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + THIS DEVICE IT COUPLED ACOUSTICALLY TO THE HANDSET TRANSMITTER OF A +SINGLE-SLOT COIN TELEPHONE. THE DEVICE EMITS SIGNALS IDENTICAL TO THOSE TONES +EMITTED WHEN COINS ARE DEPOSITED. THUS, LOCAL OR TOLL CALLS MAY BE PLACED +WITHOUT THE ACTUAL DEPOSIT OF COINS. + + + Page 19 + + + + + The Official Phreaker's Manual + + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + /-/ /-/ + /-/ Phreaker's /-/ + /-/ PhunHouse /-/ + /-/ /-/ + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + /-/ By: /-/ + /-/ The Traveler /-/ + /-/ /-/ + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + /-/ /-/ + /-/ Call: /-/ + /-/ Brainstorm BBS /-/ + /-/ 612/345-2815 (300/1200) /-/ + /-/ /-/ + /-/ Little America /-/ + /-/ 507/289-8211 (300) /-/ + /-/ /-/ + /-/ Tell 'em Traveler sent ya /-/ + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + + The long awaited prequil to Phreaker's Guide has finally arrived. Conceived +from the boredom and loneliness that could only be derived from: The Traveler! +But now, he has returned in full strength (after a small vacation) and is here +to 'World Premiere' the new files everywhere. + Stay cool. This is the prequil to the first one, so just relax. This is not +made to be an exclusive ultra elite file, so kinda calm down and watch in the +background if you are too cool for it... + +/-/ Phreak Dictionary /-/ + + Here you will find some of the basic but necessary terms that should be known +by any phreak who wants to be respected at all... + + Phreak [fr'eek]:1. The action of using mischevious and mostly illegal ways +in order to not pay for some sort of telecommunications bill, order, transfer, +or other service. It often involves usage of highly illegal boxes and machines +in order to defeat the security that is set up to avoid this sort of +happening. + [fr'eaking]. v. 2. A person who uses the above methods of destruction and +chaos in order to make a better life for all. A true phreaker will not not go +against his fellows or narc on people who have ragged on him or do anything +termed to be dishonorable to phreaks. + [fr'eek]. n. 3. A certain code or dialup useful in the action of being a +phreak. (Example: "I hacked a new metro phreak last night.") + + Switching System + [Swich'ing sis'tem]: 1. There are 3 main switching systems currently employed +in the US, and a few other systems will be mentioned as background. +A) SxS: This system was invented in 1918 and was employed in over half of the +country until 1978. It is a very basic system that is a general waste of energy +and hard work on the linesman. A good way to identify this is that it requires +a coin in the phone booth before it will give you a dial tone, or that no call +waiting, call forwarding, or any other such service is available. Stands for: +Step by Step + +B) XB: This switching system was first employed in 1978 in order to take care +of most of the faults of SxS switching. Not only is it more efficient, but it + + Page 20 + + + + + The Official Phreaker's Manual + +also can support different services in various forms. XB1 is Crossbar Version +1. That is very limited and is hard to distinguish from SxS except by direct +view of the wiring involved. Next up was XB4, Crossbar Version 4. With this +system, some of the basic things like DTMF that were not available with SxS can +be accomplished. For the final stroke of XB, XB5 was created. This is a service +that can allow DTMF plus most 800 type services (which were not always +available...) Stands for: Crossbar. +C) ESS: A nightmare in telecom. In vivid color, ESS is a pretty bad thing to +have to stand up to. It is quite simple to identify. Dialing 911 for +emergencies, and ANI [see ANI below] are the most common facets of the dread +system. ESS has the capability to list in a person's caller log what number was +called, how long the call took, and even the status of the conversation (modem +or otherwise.) Since ESS has been employed, which has been very recently, it +has gone through many kinds of revisions. The latest system to date is ESS 11a, +that is employed in Washington D.C. for security reasons. ESS is truly trouble +for any phreak, because it is 'smarter' than the other systems. For instance, +if on your caller log they saw 50 calls to 1-800-421-9438, they would be able +to do a CN/A [see Loopholes below] on your number and determine whether you are +subscribed to that service or not. This makes most calls a hazard, because +although 800 numbers appear to be free, they are recorded on your caller log +and then right before you receive your bill it deletes the billings for them. +But before that they are open to inspection, which is one reason why extended +use of any code is dangerous under ESS. Some of the boxes [see Boxing below] +are unable to function in ESS. It is generally a menace to the true phreak. +Stands For: Electronic Switching System. because they could appear on a filter +somewhere or maybe it is just nice to know them any ways. + A) SSS: Strowger Switching System. First non-operator system +available. + B) WES: Western Electronics Switching. Used about 40 years ago +with some minor places out west. + Boxing [Boks'-ing]: 1) The use of personally designed boxes that emit or +cancel electronical impulses that allow simpler acting while phreaking. Through +the use of separate boxes, you can accomplish most feats possible with or +without the control of an operator. + 2) Some boxes and their functions are listed below. Ones +marked with '*' indicate that they are not operatable in ESS. + *Black Box: Makes it seem to the phone company that the phone was never +picked up. + + Blue Box: Emits a 2600hz tone that allows you to do such things as stack +a trunk line, kick the operator off line, and others. + + Red Box: Simulates the noise of a quarter, nickel, or dime being +dropped into a payphone. + + Cheese Box: Turns your home phone into a pay phone to throw off traces (a +red box is usually needed in order to call out.) + + *Clear Box: Gives you a dial tone on some of the old SxS payphones without +putting in a coin. + + Beige Box: A simpler produced linesman's handset that allows you to tap +into phone lines and extract by eavesdropping, or crossing wires, etc. + Purple Box: Makes all calls made out from your house seem to be local +calls. + ANI [ANI]: 1) Automatic Number Identification. A service available on ESS +that allows a phone service [see Dialups below] to record the number that any +certain code was dialed from along with the number that was called and print + + Page 21 + + + + + The Official Phreaker's Manual + +both of these on the customer bill. 950 dialups [see Dialups below] are all +designed just to use ANI. Some of the services do not have the proper equipment +to read the ANI impulses yet, but it is impossible to see which is which +without being busted or not busted first. + Dialups + [dy'l'ups]: 1) Any local or 800 extended outlet that allows instant access to +any service such as MCI, Sprint, or AT&T that from there can be used by +handpicking or using a program to reveal other peoples codes which can then be +used moderately until they find out about it and you must switch to another +code (preferably before they find out about it.) + 2) Dialups are extremely common on both senses. Some dialups +reveal the company that operates them as soon as you hear the tone. Others are +much harder and some you may never be able to identify. A small list of +dialups: + 1-800-421-9438 (5 digit codes) + 1-800-547-6754 (6 digit codes) + 1-800-345-0008 (6 digit codes) + 1-800-734-3478 (6 digit codes) + 1-800-222-2255 (5 digit codes) + 3) Codes: Codes are very easily accessed procedures when you call +a dialup. They will give you some sort of tone. If the tone does not end in 3 +seconds, then punch in the code and immediately following the code, the number +you are dialing but strike the '1' in the beginning out first. If the tone does +end, then punch in the code when the tone ends. Then, it will give you another +tone. Punch in the number you are dialing, or a '9'. If you punch in a '9' and +the tone stops, then you messed up a little. If you punch in a tone and the +tone continues, then simply dial then number you are calling without the '1'. + 4) All codes are not universal. The only type that I know of that +is truly universal is Metrophone. Almost every major city has a local Metro +dialup (for Philadelphia, (215)351-0100/0126) and since the codes are +universal, almost every phreak has used them once or twice. They do not employ +ANI in any outlets that I know of, so feel free to check through your books and +call 555-1212 or, as a more devious manor, subscribe yourself. Then, never use +your own code. That way, if they check up on you due to your caller log, they +can usually find out that you are subscribed. Not only that but you could set a +phreak hacker around that area and just let it hack away, since they usually +group them, and, as a bonus, you will have their local dialup. + 5) 950's. They seem like a perfectly cool phreakers dream. They +are free from your house, from payphones, from everywhere, and they host all of +the major long distance companies (950-1044 , 950-1077 , 950-1088 +, 950-1033 .) Well, they aren't. They were designed for +ANI. That is the point, end of discussion. + + A phreak dictionary. If you remember all of the things contained on that file +up there, you may have a better chance of doing whatever it is you do. This +next section is maybe a little more interesting... + +Blue Box Plans: +--------------- + + These are some blue box plans, but first, be warned, there have been 2600hz +tone detectors out on operator trunk lines since XB4. The idea behind it is to +use a 2600hz tone for a few very naughty functions that can really make your +day lighten up. But first, here are the plans, or the heart of the file: + +============================================== +700 : 1 : 2 : 4 : 7 : 11 : +900 : + : 3 : 5 : 8 : 12 : + + Page 22 + + + + + The Official Phreaker's Manual + +1100 : + : + : 6 : 9 : KP : +1300 : + : + : + : 10 : KP2 : +1500 : + : + : + : + : ST : + : 700 : 900 :1100 :1300 :1500 : +============================================== + + Stop! Before you diehard users start piecing those little tone tidbits +together, there is a simpler method. If you have an Apple-Cat with a program +like Cat's Meow IV, then you can generate the necessary tones, the 2600hz tone, +the KP tone, the KP2 tone, and the ST tone through the dial section. So if you +have that I will assume you can boot it up and it works, and I'll do you the +favor of telling you and the other users what to do with the blue box now that +you have somehow constructed it. + The connection to an operator is one of the most well known and used ways of +having fun with your blue box. You simply dial a TSPS (Traffic Service +Positioning Station, or the operator you get when you dial '0') and blow a +2600hz tone through the line. Watch out! Do not dial this direct! After you +have done that, it is quite simple to have fun with it. Blow a KP tone to start +a call, a ST tone to stop it, and a 2600hz tone to hang up. Once you have +connected to it, here are some fun numbers to call with it: + +0-700-456-1000 Teleconference (free, because you are the operator!) +(Area code)-101 Toll Switching +(Area code)-121 Local Operator (hehe) +(Area code)-131 Information +(Area code)-141 Rate & Route +(Area code)-181 Coin Refund Operator +(Area code)-11511 Conference operator (when you dial 800-544-6363) + + Well, those were the tone matrix controllers for the blue box and some other +helpful stuff to help you to start out with. But those are only the functions +with the operator. There are other k-fun things you can do with it... + More advanced Blue Box Stuff: + Oops. Small mistake up there. I forgot tone lengths. Um, you blow a tone +pair out for up to 1/10 of a second with another 1/10 second for silence +between the digits. KP tones should be sent for 2/10 of a second. One way to +confuse the 2600hz traps is to send pink noise over the channel (for all of you +that have decent BSR equalizers, there is major pink noise in there...) +Using the operator functions is the use of the 'inward' trunk line. That is +working it from the inside. From the 'outward' trunk, you can do such things as +make emergency breakthrough calls, tap into lines, busy all of the lines in any +trunk (called 'stacking'), enable or disable the TSPS's, and for some 4a +systems you can even re-route calls to anywhere. + + All right. The one thing that every complete phreak guide should not be +without is blue box plans, since they were once a vital part of phreaking. +Another thing that every complete file needs is a complete listing of all of +the 800 numbers around so you can have some more fun. + +/-/ 800 Dialup Listings /-/ + +1-800-345-0008 (6) 1-800-547-6754 (6) +1-800-245-4890 (4) 1-800-327-9136 (4) +1-800-526-5305 (8) 1-800-858-9000 (3) +1-800-437-9895 (7) 1-800-245-7508 (5) +1-800-343-1844 (4) 1-800-322-1415 (6) +1-800-437-3478 (6) 1-800-325-7222 (6) + + + Page 23 + + + + + The Official Phreaker's Manual + + All right, set Cat Hacker 1.0 on those numbers and have a fuck of a day. That +is enough with 800 codes, by the time this gets around to you I dunno what +state those codes will be in, but try them all out anyways and see what you +get. On some 800 services now, they have an operator who will answer and ask +you for your code, and then your name. Some will switch back and forth between +voice and tone verification, you can never be quite sure which you will be up +against. + Armed with this knowledge you should be having a pretty good time phreaking +now. But class isn't over yet, there are still a couple important rules that +you should know. If you hear continual clicking on the line, then you should +assume that an operator is messing with something, maybe even listening in on +you. It is a good idea to call someone back when the phone starts doing that. +If you were using a code, use a different code and/or service to call him +back. + A good way to detect if a code has gone bad or not is to listen when the +number has been dialed. If the code is bad you will probably hear the phone +ringing more clearly and more quickly than if you were using a different code. +If someone answers voice to it then you can immediately assume that it is an +operative for whatever company you are using. The famed '311311' code for Metro +is one of those. You would have to be quite stupid to actually respond, because +whoever you ask for the operator will always say 'He's not in right now, can I +have him call you back?' and then they will ask for your name and phone number. +Some of the more sophisticated companies will actually give you a carrier on a +line that is supposed to give you a carrier and then just have garbage flow +across the screen like it would with a bad connection. That is a feeble effort +to make you think that the code is still working and maybe get you to dial +someone's voice... a good test for the carrier trick is to dial a number that +will give you a carrier that you have never dialed with that code before, that +will allow you to determine whether the code is good or not. + For our next section, a lighter look at some of the things that a phreak +should not be without. A vocabulary. A few months ago, it was a quite strange +world for the modem people out there. But now, a phreaker's vocabulary is +essential if you wanna make a good impression on people when you post what you +know about certain subjects. + +/-/ Vocabulary /-/ + + - Do not misspell except certain exceptions: + phone -> fone + freak -> phreak + - Never substitute 'z's for 's's. (i.e. codez -> codes) + - Never leave many characters after a post (i.e. Hey Dudes!#!@#@!#!@) + - NEVER use the 'k' prefix (k-kool, k-rad, k-whatever) + - Do not abbreviate. (I got lotsa wares w/ docs) + - Never substitute '0' for 'o' (r0dent, l0zer). + - Forget about ye old upper case, it looks ruggyish. + + All right, that was to relieve the tension of what is being drilled into your +minds at the moment.. now, however, back to the teaching course. Here are some +things you should know about phones and billings for phones, etc. + + LATA: Local Access Transference Area. Some people who live in large cities or +areas may be plagued by this problem. For instance, let's say you live in the +215 area code under the 542 prefix (Ambler, Fort Washington). If you went to +dial in a basic Metro code from that area, for instance, 351-0100, that might +not be counted under unlimited local calling because it is out of your LATA. +For some LATA's, you have to dial a '1' without the area code before you can +dial the phone number. That could prove a hassle for us all if you didn't + + Page 24 + + + + + The Official Phreaker's Manual + +realize you would be billed for that sort of call. In that way, sometimes, it +is better to be safe than sorry and phreak. + The Caller Log: In ESS regions, for every household around, the phone company +has something on you called a Caller Log. This shows every single number that +you dialed, and things can be arranged so it showed every number that was +calling to you. That's one main disadvantage of ESS, it is mostly computerized +so a number scan could be done like that quite easily. Using a dialup is an +easy way to screw that, and is something worth remembering. Anyways, with the +caller log, they check up and see what you dialed. Hmm... you dialed 15 +different 800 numbers that month. Soon they find that you are subscribed to +none of those companies. But that is not the only thing. Most people would +imagine "But wait! 800 numbers don't show up on my phone bill!". To those +people, it is a nice thought, but 800 numbers are picked up on the caller log +until right before they are sent off to you. So they can check right up on you +before they send it away and can note the fact that you fucked up slightly and +called one too many 800 lines. + +Right now, after all of that, you should have a pretty good idea of how to grow +up as a good phreak. Follow these guidelines, don't show off, and don't take +unnecessary risks when phreaking or hacking. + +File Level:5 + + /-/ Credits /-/ + + To The Videosmith- for setting me straight on some shit. + To The Linesman- for telling me to upload it to his AE line. + To Modern Mutant- for making me into a phreaking freak. + To Jack the Nibbler- for the basis of the blue box plans. + + By using your new k-koool (hehe) phreaking knowledge, call a couple of these +BBS's around the country: + + /---------------------------------\ + | Bulletin Board List | + | --------------------- | + | 215/844-8836 | + | 7 Cities of Gold (3/12) 10megs | + | 307/382-4006 | + | Brainstorm BBS (3/12) | + | 612/345-2815 | + | Metal Shop (3/12) | + | 314/432-0756 | + \---------------------------------/ + + Stay free! And watch out soon for Deep Thought, somewhere in 215, that will be +a nice BBS that Ace of Spades and I will run. You will be the first to find out +about it, trust me... + +Later, + +The Traveler +Zer0-g + + + + + + + Page 25 + + + + + The Official Phreaker's Manual + + ************ << BIOC AGENT 003'S COURSE IN >> ************ + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART I * + * * + ********************************************************** + + +HOW TO BE A REAL PHREAK +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN THE PHONE PHREAK SOCIETY THERE ARE CERTAIN VALUES THAT EXIST IN ORDER TO +BE A TRUE PHREAK, THESE ARE BEST SUMMED UP BY THE MAGICIAN: + + "MANY PEOPLE THINK OF PHONE PHREAKS AS SLIME, OUT TO RIP OFF BELL FOR +ALL SHE IS WORTH. NOTHING COULD BE FURTHER FROM THE TRUTH! GRANTED, THERE ARE +SOME WHO GET THEIR KICKS BY MAKING FREE CALLS; HOWEVER, THEY ARE NOT TRUE PHONE +PHREAKS. REAL PHONE PHREAKS ARE 'TELECOMMUNICATIONS HOBBYISTS' WHO EXPERIMENT, +PLAY WITH AND LEARN FROM THE PHONE SYSTEM. OCCASIONALLY THIS EXPERIMENTING, AND +A NEED TO COMMUNICATE WITH OTHER PHREAKS ( WITH-OUT GOING BROKE), LEADS TO FREE +CALLS. THE FREE CALLS ARE BUT A SMALL SUBSET OF A TRUE PHONE PHREAKS +ACTIVITIES." + +THE PHONE PHREAK'S TEN COMMANDMENTS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +REPRINTED FROM TAP ISSUE #86. (TAP, ROOM 603, 147 W 42 STREET, NEW YORK, NY +10036) SEND A SASE FOR THEIR INFO SHEET AND TELL THEM THAT BIOC AGENT 003 TOLD +YOU ABOUT IT.) + + +I. BOX THOU NOT OVER THINE HOME TELEPHONE WIRES, FOR THOSE WHO DOEST MUST +SURELY BRING THE WRATH OF THE CHIEF SPECIAL AGENT DOWN UPON THY HEADS. + +II. SPEAKEST THOU NOT OF IMPORTANT MATTERS OVER THINE HOME TELEPHONE WIRES, +FOR TO DO SO IS TO RISK THINE RIGHT OF FREEDOM. + +III. USE NOT THINE OWN NAME WHEN SPEAKING TO OTHER PHREAKS, FOR THAT EVERY +THIRD PHREAK IS AN FBI AGENT IS WELL KNOWN. + +IV. LET NOT OVERLY MANY PEOPLE KNOW THAT THY BE A PHREAK, AS TO DO SO IS TO +USE THINE OWN SELF AS A SACRIFICIAL LAMB. + +V. IF THOU BE IN SCHOOL, STRIVE TO GET THIN SELF GOOD GRADES, FOR THE +AUTHORITIES WELL KNOW THAT SCHOLARS NEVER BREAK THE LAW. + +VI. IF THOU WORKEST, TRY TO BE A EMPLOYEE, AND IMPRESSEST THINE BOSS WITH +THINE ENTHUSIASM, FOR IMPORTANT EMPLOYEES ARE OFTEN SAVED BY THEIR OWN BOSSES. + +VII. STOREST THOU NOT THINE STOLEN GOODS IN THINE OWN HOME, FOR THOSE WHO DO +ARE SURELY NON-BELIEVERS IN THE BELL SYSTEM SECURITY FORCES, AND ARE NOT LONG +FOR THIS WORLD. + +VIII. ATTRACTEST THOU NOT THE ATTENTION OF THE AUTHORITIES, AS THE LESS +NOTICEABLE THOU ART, THE BETTER. + + + Page 26 + + + + + The Official Phreaker's Manual + +IX. MAKEST SURE THINE FRIENDS ARE INSTANT AMNESIACS AND WILL NOT REMEMBER +THAT THOU HAVE CALLED ILLEGALLY, FOR THEIR COOPERATION WITH THE AUTHORITIES +WILL SURELY LESSEN THINE TIME FOR FREEDOM ON THIS EARTH. + +X. SUPPORTEST THOU TAP, AS IT IS THINE NEWSLETTER, AND WITHOUT IT, THY WORK +WILL BE FAR MORE LIMITED. + +CN/A NUMBERS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + CUSTOMER NAME & ADDRESS BUREAUS EXIST SO THAT AUTHORIZED BELL EMPLOYEES MAY +OBTAIN THE NAME & ADDRESS OF ANY CUSTOMER IN THE BELL SYSTEM BY GIVING THE CN/A +OPERATOR THE CUSTOMER'S TEL-#. ALL CUSTOMERS ARE MAINTAINED ON FILE INCLUDING +UNLISTED #'S. THESE BUREAUS HAVE MANY USES FOR PHREAKS. + HERE IS HOW AN EMPLOYEE MIGHT GO ABOUT CALLING CN/A: +"HI, THIS IS JOHN DOE FROM THE MIAMI RESIDENTIAL SERVICE CENTER, CAN I HAVE THE +CUSTOMERS NAME AT (123) 555-1212." + + THE EMPLOYEES USUALLY USE THESE FOR CHECKING WHO BELONGS TO A # THAT +SOMEONE CLAIMED THEY DIDN'T CALL.IF YOU SOUND CHEERY AND NATURAL THE OPERATOR +WILL NEVER ASK ANY QUESTIONS. IF YOU DON'T SOUND LIKE A MATURE ADULT, DON'T USE +IT! ALWAYS PRACTICE FIRST & SO YOU DON'T SCREW UP AND MAKE THE OPERATOR +SUSPICIOUS. USE NAME THAT SOUNDS REAL, NOT YOUR PIRATE NAME EITHER! ALSO SAY +THAT YOU ARE FRO A CITY THAT IS FAR AWAY FROM THE ONE THAT YOU ARE CALLING. + + THE CN/A NUMBER FOR THE NY AREA & VICINITY (212, 315, 516, 518, 607, 716, & +914), IS 518/471-8111, AND IS OPEN DURING BUSINESS HOURS. DON'T ABUSE +IT!!!!!!! + +AT&T NEWSLINES +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + AT&T NEWSLINES ARE NUMBERS AT AREA PHONE OFFICES THAT TELCO EMPLOYEES CALL +TO FIND OUT THE LATEST INFO ON NEW TECHNOLOGY, STOCKS, ETC. THE RECORDED +REPORTS RANGE FROM VERY BORING TO VERY INTERESTING. + +HERE ARE A FEW OF THE NUMBERS: + + *(201) 483-3800 NJ (518) 471-2272 NY + (203) 771-4920 CN (717) 255-5555 PA + (212) 393-2151 NY (717) 787-1031 PA + (516) 234-9941 NY *(914) 948-8100 NY + + SOME OF THESE NUMBERS ARE TOLL-FREE, BUT YOU CAN'T ALWAYS COUNT ON IT. + +* THESE NUMBERS ARE NOT ALWAYS UP! + +NUMBERS FROM OTHER AREAS ARE AVAILABLE BY REQUEST FROM F)BIOC L)AGENT 003. + +ANI NUMBERS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + ANI NUMBERS IDENTIFY THE PHONE NUMBER THAT YOU ARE CALLING FROM. IT IS +USEFUL WHEN PLAYING IN CANS (THOSE BIG SILVER BOXES ON TELEPHONE POLES) TO FIND +OUT THE # OF THE LINE. IT IS ALSO GOOD TO FIND OUT THE # OF A PHONE THAT +DOESN'T HAVE IT PRINTED ON IT. IN THE 914 AREA CODE THE ANI # IS 990. IF YOU +JUST HAVE TO DIAL THE LAST 4 DIGITS FOR A LOCAL #, IE CONGERS (268), DIAL +1-990-1111, WHERE 1111 ARE DUMMY DIGITS THERE IS ALSO A LESS USEFUL TYPE OF + + Page 27 + + + + + The Official Phreaker's Manual + +ANI# WHICH WILL IDENTIFY THE AREA CODE & EXCHANGE. IT IS NXX-9901, WHERE 'NXX' +IS THE EXCHANGE. IN THE 212 & 516 AREA CODES THE ANI # IS 958. + +PHREAK NEWSLETTER +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + TAP IS THE "OFFICIAL" PHONE PHREAK NEWSLETTER, AND HAS EXISTED SINCE 1971. +EACH 4 PAGE ISSUE IS CRAMMED FULL OF INFORMATION ON PHONE PHREAKING, COMPUTER +PHREAKING, FREE GAS, FREE ELECTRICITY, FREE POSTAGE, BREAKING & ENTERING INFO, +ETC. IT IS LARGELY PHONE PHREAK ORIENTED, HOWEVER. + + A 10 ISSUE SUBSCRIPTION COSTS $8.00, IF YOU GET A BULK RATE SEALED ENVELOPE +SUBSCRIPTION. I WOULD RECOMMEND THE FIRST CLASS SUBSCRIPTION, WHICH IS $10. + + AS OF THIS WRITING (7-16-83), THE CURRENT ISSUE IS #86, AND ISSUE #50 IS 8 +PAGES INSTEAD OF THE USUAL 4. BACK ISSUES ARE $0.75 EACH, AND ISSUE #50 IS +$1.50. A BRIEF INDEX TO THE FIRST 80 ISSUES IS AVAILABLE FOR A SASE, OR FREE +WITH A SUBSCRIPTION ORDER. TAP IS NON-PROFIT, AND IN DESPERATE NEED OF MATERIAL +(ARTICLES), MONEY, AND VOLUNTEERS. + +TAP +ROOM 603 +147 WEST 42ND STREET +NEW YORK, NY 10036 + +BELIEVE ME: IT WILL BE THE BEST $10 YOU WILL EVER SPEND... + +BLACK BOX +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THE BLACK BOX IS A DEVICE THAT ATTACHED TO A CALLED PARTIES PHONE +THAT ALLOWS HIM/HER TO RECEIVE FREE LONG DISTANCE CALLS FROM FRIENDS WHO +CALL. + + YOU ONLY NEED 2 PARTS: A SPST TOGGLE SWITCH AND A 10,000 OHM (10 K), +1/2 WATT, 10% RESISTOR. ANY ELECTRONICS PLACE SHOULD HAVE THESE. + + NOW, CUT TWO PIECES OF WIRE, ABOUT 6 INCHES, AND ATTACH THESE TO THE TWO +SCREWS ON THE SWITCH. TURN YOUR NORMAL DDSIDE DOWN AND UNSCREW THE 2 SCREWS. +LOCATE THE "F" AND "RR" SCREWS ON THE NETWORK BOX. WRAP THE RESISTOR BETWEEN +THESE 2 SCREWS AND MAKE SURE THAT THE WIRES TOUCH ONLY THE PROPER TERMINALS! +NOW CONNECT ONE WIRE FROM THE SWITCH TO THE RR TERMINAL. FINALLY, ATTACH THE +REMAINING WIRE TO THE GREEN WIRE (DISCONNECT IT FROM ITS TERMINAL). NOW BRING +THE SWITCH OUT THE REAR OF THE PHONE AND CLOSE IT UP. PUT THE SWITCH IN A +POSITION WHERE YOU GET A DIAL TONE, MARK THIS NORMAL. MARK THE OTHER SIDE +FREE. + + WHEN YOUR FRIENDS CALL (AT A PREARRANGED TIME), QUICKLY LIFT & DROP THE +RECEIVER AS FAST AS POSSIBLE. THIS WILL STOP THE RINGING, IF NOT TRY AGAIN. IT +IS VERY IMPORTANT THAT YOU DO IT FAST! NOW PUT THE SWITCH IN THE FREE POSITION +AND PICK UP THE PHONE. KEEP ALL CALLS SHORT & UNDER 15 MINUTES. + + WHEN SOMEONE CALLS YOU LONG-DISTANCE, THEY ARE BILLED FROM THE MOMENT YOU +ANSWER. THE TELCO KNOWS WHEN YOU ANSWER DUE TO A CERTAIN AMOUNT OF VOLTAGE THAT +FLOWS WHEN YOU PICK UP THE PHONE. HOWEVER, THE RESISTOR CUTS DOWN ON THE +VOLTAGE SO IT IS BELOW THE BILLING RANGE BUT SUFFICIENT ENOUGH TO OPERATE THE +MOUTHPIECE. ANSWERING THE PHONE FOR A FRACTION OF A SECOND STOPS THE RING BUT +IT IS NOT ENOUGH FOR BILLING TO START. IF THE PHONE IS ANSWERED FOR EVEN ONE + + Page 28 + + + + + The Official Phreaker's Manual + +FULL SECOND, BILLING WILL START AND YOU WILL BE CUT OFF WHEN YOU HANG UP AND +SWITCH TO FREE. + +WARNING: BELL CAN RANDOMLY LOOK FOR BLACK BOXES SO BE CAREFUL! + + _____________________________________ +| | +---BLUE WIRE-->>F< | +| | | | +--WHITE WIRE---/ | | +| | | +| RESISTOR | +| | | +| | | +| >RR<-------SWITCH--\ | +| | | +----GREEN WIRE--------------------/ | +| | +|_____________________________________| + +DIAL LOCKS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + HAVE YOU EVER BEEN IN AN OFFICE OR SOMEWHERE AND WANTED TO MAKE A FREE FONE +CALL BUT SOME ASSHOLE PUT A LOCK ON THE FONE TO PREVENT OUT-GOING CALLS? FRET +NO MORE PHELLOW PHREAKS, FOR EVERY SYSTEM CAN BE BEATEN WITH A LITTLE +KNOWLEDGE! + + THERE ARE TWO WAYS TO BEAT THIS OBSTACLE, FIRST PICK THE LOCK, I DON'T HAVE +THE TIME TO TEACH LOCKSMITHING SO WE GO TO THE SECOND METHOD WHICH TAKES +ADVANTAGE OF TELEPHONE ELECTRONICS. + + TO BE AS SIMPLE AS POSSIBLE, WHEN YOU PICK UP THE FONE YOU COMPLETE A +CIRCUIT KNOW AS A LOCAL LOOP. WHEN YOU HANG-UP YOU BREAK THE CIRCUIT. WHEN +YOU DIAL (PULSE) IT ALSO BREAKS THE CIRCUIT BUT NOT LONG ENOUGH TO HANG UP! SO +YOU CAN "PUSH-DIAL." TO DO THIS YOU >>> RAPIDLY <<< DEPRESS THE SWITCHHOOK. +FOR EXAMPLE, TO DIAL AN OPERATOR (AND THEN GIVE HER THE NUMBER YOU WANT CALLED) +>>> RAPIDLY <<< & >>> EVENLY <<< DEPRESS THE SWITCHHOOK 10 TIMES. TO DIAL +634-1268, DEPRESS 6 X'S PAUSE, THEN 3 X'S, PAUSE, THEN 4X'S, ETC. IT TAKES A +LITTLE PRACTICE BUT YOU'LL GET THE HANG OF IT. TRY PRACTICING WITH YOUR OWN # +SO YOU'LL GET A BUSY TONE WHEN RIGHT. IT'LL ALSO WORK ON TOUCH-TONE(TM) SINCE +A DTMF LINE WILL ALSO ACCEPT PULSE. ALSO, NEVER DEPRESS THE SWITCHHOOK FOR +MORE THAN A SECOND OR IT'LL HANG-UP! + + FINALLY, REMEMBER THAT YOU HAVE JUST AS MUCH RIGHT TO THAT FONE AS THE +ASSHOLE WHO PUT THE LOCK ON IT! + +EXCHANGE SCANNING +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + ALMOST EVERY EXCHANGE IN THE BELL SYSTEM HAS TEST #'S AND OTHER "GOODIES" +SUCH AS LOOPS WITH DIAL-UPS. THESE "GOODIES" ARE USUALLY FOUND BETWEEN 9900 AND +9999 IN YOUR LOCAL EXCHANGE. IF YOU HAVE THE TIME AND INITIATIVE, SCAN YOUR +EXCHANGE AND YOU MAY BECOME LUCKY! + +HERE ARE MY FINDINGS IN THE 914-268 EXCHANGE: + + + + Page 29 + + + + + The Official Phreaker's Manual + +9900 - ANI (SEE SEPARATE BULLETIN) +9901 - ANI (SEE SEPARATE BULLETIN) +9927 - OSC. TONE (POSSIBLE TONE SIDE OF A LOOP) +9936 - VOICE # TO THE TELCO CENTRAL OFFICE +9937 - VOICE # TO THE TELCO CENTRAL OFFICE +9941 - COMPUTER (DIGITAL VOICE TRANSMISSION?) +9960 - OSC. TONE (TONE SIDE LOOP) MAY ALSO BE A COMPUTER IN SOME EXCHANGES +9961 - NO RESPONSE (OTHER END OF LOOP?) +9962 - NO RESPONSE (OTHER END OF LOOP?) +9963 - NO RESPONSE (OTHER END OF LOOP?) +9966 - COMPUTER (SEE 9941) +9968 - TONE THAT DISAPPEARS--RESPONDS TO CERTAIN TOUCH-TONE KEYS + + MOST OF THE NUMBERS BETWEEN 9900 & 9999 WILL RING OR GO TO A "WHAT #, +PLEASE?" OPERATOR. + +HAVE PHUN AND REMEMBER IT'S ONLY A LOCAL CALL! + +TOUCH-TONE & FREE CALLS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +THERE ARE SEVERAL WAYS TO MAKE FREE CALLS (SPRINT, MCI, ETC.) USING A ROTARY +PHONE. THEY ARE: + +1. USE A NUMBER THAT ACCEPTS VOICE AS WELL AS DTMF. SUCH A # IS (800) +521-8400. AS OF WRITING THIS, A CODE WAS 00717865. + + A) IF USING VOICE, WAIT FOR THE COMPUTER TO SAY, "AUTHORIZATION #, PLEASE." +THEN SAY EACH DIGIT SLOWLY, IT WILL BEEP AFTER EACH DIGIT IS SAID. AFTER EVERY +GROUP OF DIGITS, IT WILL REPEAT WHAT YOU HAVE SAID, THEN SAY YES IF IT IS +CORRECT, OTHERWISE SAY NO. IF THE ACCESS CODE IS CORRECT, IT WILL THANK YOU AND +ASK FOR THE DESTINATION #, THEN SAY THE AREA CODE + NUMBER AS ABOVE. ANOTHER +SUCH # IS (800) 245-8173, WHICH HAS A 6 DIGIT ACCESS CODE. (NOTE: IF USING +TOUCH-TONE ON THIS #, ENTER THE CODE IMMEDIATELY AFTER THE TONE STOPS.) + +2. HOOK UP A TOUCH-TONE FONE INTO YOUR ROTARY FONE. ATTACH THE RED WIRE FROM +THE TOUCH-TONE FONE TO THE "R" TERMINAL INSIDE THE FONE ON THE NETWORK BOX. +THEN HOOK THE GREEN WIRE TO THE "B" TERMINAL. TO USE THIS DIAL THE # USING +ROTARY & THEN USE THE TOUCH-TONE FOR THE CODES. (DON'T HANG UP THE ROTARY FONE +WHILE DOING THIS THOUGH!) IF THIS DOESN'T WORK THEN REVERSE THE 2 WIRES. +(NOTE:IF YOUR LINE CAN ACCEPT TOUCH-TONE BUT YOU HAVE A ROTARY FONE THEN YOU +CAN HOOK UP A TONE FONE DIRECTLY FOR ALL CALLS BUT THIS USUALLY ISN'T THE +CASE.) SUCH AS RADIO SHACK'S 43-138. + +OTHER ALTERNATIVES +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +4. USE A CHARGE-A-CALL FONE. (THESE ALSO MAKE GREAT EXTENSIONS IF YOU REMOVE +IT USING A HEX WRENCH WITH A HOLE IN THE MIDDLE ON THE CENTER SCREW!)--(THESE +FONES, FOR THE BENEFIT OF THOSE WHO DON'T KNOW, ARE BLUE WITH NO COIN SLOTS). + +5. USE A PAY FONE THAT WANTS YOUR MONEY BEFORE THE DIAL TONE. PUT IN YOUR +DIME, DIAL THE #; IF IT'S AN 800 # THEN YOUR DIME WILL COME BACK, IMMEDIATELY +PUT A DIME BACK IN (IT'LL COME BACK WHEN YOU HANG UP!) IF IT IS A TONE FIRST +FONE AND IT DISCONNECTS THE KEYPAD (SOME DON'T) THEN FIND ANOTHER FONE. + + + + + Page 30 + + + + + The Official Phreaker's Manual + + Chapter 2 + + Well now we know a little vocabulary, and now its into history, Phreak +history. Back at MIT in 1964 arrived a student by the name of Stewart Nelson, +who was extremely interested in the telephone. Before entering MIT, he had +built autodialers, cheese boxes, and many more gadgets. But when he came to +MIT he became even more interested in "fone-hacking" as they called it. After +a little while he naturally started using the PDP-1, the schools computer at +that time, and from there he decided that it would be interesting to see +whether the computer could generate the frequencies required for blue boxing. +The hackers at MIT were not interested in ripping off Ma Bell, but just +exploring the telephone network. Stew (as he was called) wrote a program to +generate all the tones and set off into the vast network. + Now there were more people phreaking than the ones at MIT. Most people have +heard of Captain Crunch (No not the cereal), he also discovered how to take +rides through the fone system, with the aid of a small whistle found in a +cereal box (can we guess which one?). By blowing this whistle, he generated +the magical 2600hz and into the mouthpiece it sailed, giving him complete +control over the system. I have heard rumors that at one time he made about +1/4 of the calls coming out of San Francisco. He got famous fast. He made the +cover of people magazine and was interviewed several times (as you'll soon +see). Well he finally got caught after a long adventurous career. After he +was caught he was put in jail and was beaten up quite badly because he would +not teach other inmates how to box calls. After getting out, he joined Apple +computer and is still out there somewhere. + Then there was Joe the Whistler, blind form the day he was born. He could +whistle a perfect 2600hz tone. It was rumored phreaks used to call him to tune +their boxes. + Well that was up to about 1970, then from 1970 to 1979, phreaking was mainly +done by college students, businessmen and anyone who knew enough about +electronics and the fone company to make a 555 Ic to generate those magic +tones. Businessmen and a few college students mainly just blue box to get free +calls. The others were still there, exploring 800#'s and the new ESS systems. +ESS posed a big problem for phreaks then and even a bigger one now. ESS was +not widespread, but where it was, blue boxing was next to impossible except for +the most experienced phreak. Today ESS is installed in almost all major cities +and blue boxing is getting harder and harder. + 1978 marked a change in phreaking, the Apple ][, now a computer that was +affordable, could be programmed, and could save all that precious work on a +cassette. Then just a short while later came the Apple Cat modem. With this +modem, generating all blue box tones was easy as writing a program to count +form one to ten (a little exaggerated). Pretty soon programs that could +imitate an operator just as good as the real thing were hitting the community, +TSPS and Cat's Meow, are the standard now and are the best. + 1982-1986: LD services were starting to appear in mass numbers. People now +had programs to hack LD services, telephone exchanges, and even passwords. By +now many phreaks were getting extremely good and BBS's started to spring up +everywhere, each having many documentations on phreaking for the novice. Then +it happened, the movie War Games was released and mass numbers of sixth grade +to all ages flocked to see it. The problem wasn't that the movie was bad, it +was that now EVERYONE wanted to be a hacker/phreak. Novices came out in such +mass numbers, that bulletin boards started to be busy 24 hours a day. To this +day, they still have not recovered. Other problems started to occur, novices +guessed easy passwords on large government computers and started to play +around... Well it wasn't long before they were caught, I think that many +people remember the 414-hackers. They were so stupid as to say "yes" when the +computer asked them whether they'd like to play games. Well at least it takes +the heat off the real phreaks/hacker/krackers. + + Page 31 + + + + + The Official Phreaker's Manual + + After a little history, how about a little thrill? I don't know if this +story is true but it sure is as bad as shit! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 32 + + + + + The Official Phreaker's Manual + + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + * * + * +----------------------------------------------+ * + * * + * Secrets of the Little Blue Box * + * * + * by Ron Rosenbaum * + * Typed by One Farad Cap/AAG * + * * + * -A story so incredible it may even make you * + * feel sorry for the phone company- * + * * + * (First of four files) * + * * + * +----------------------------------------------+ * + * * + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + +Dudes... These four files contain the story, "Secrets of the Little Blue Box", +by Ron Rosenbaum. + +-A story so incredible it may even make you feel sorry for the phone company- + +Printed in the October 1971 issue of Esquire Magazine. If you happen to be in +a library and come across a collection of Esquire magazines, the October 1971 +issue is the first issue printed in the smaller format. The story begins on +page 116 with a picture of a blue box. + --One Farad Cap, Atlantic Anarchist Guild + + +The Blue Box Is Introduced: Its Qualities Are Remarked + +I am in the expensively furnished living room of Al Gilbertson (His real name +has been changed.), the creator of the "blue box." Gilbertson is holding one of +his shiny black-and-silver "blue boxes" comfortably in the palm of his hand, +pointing out the thirteen little red push buttons sticking up from the console. +He is dancing his fingers over the buttons, tapping out discordant beeping +electronic jingles. He is trying to explain to me how his little blue box does +nothing less than place the entire telephone system of the world, satellites, +cables and all, at the service of the blue-box operator, free of charge. + +"That's what it does. Essentially it gives you the power of a super operator. +You seize a tandem with this top button," he presses the top button with his +index finger and the blue box emits a high-pitched cheep, "and like that" -- +cheep goes the blue box again -- "you control the phone company's long-distance +switching systems from your cute little Princes phone or any old pay phone. +And you've got anonymity. An operator has to operate from a definite location: +the phone company knows where she is and what she's doing. But with your +beeper box, once you hop onto a trunk, say from a Holiday Inn 800 (toll-free) +number, they don't know where you are, or where you're coming from, they don't +know how you slipped into their lines and popped up in that 800 number. They +don't even know anything illegal is going on. And you can obscure your origins +through as many levels as you like. You can call next door by way of White +Plains, then over to Liverpool by cable, and then back here by satellite. You +can call yourself from one pay phone all the way around the world to a pay +phone next to you. And you get your dime back too." + +"And they can't trace the calls? They can't charge you?" + + Page 33 + + + + + The Official Phreaker's Manual + + +"Not if you do it the right way. But you'll find that the free-call thing +isn't really as exciting at first as the feeling of power you get from having +one of these babies in your hand. I've watched people when they first get hold +of one of these things and start using it, and discover they can make +connections, set up crisscross and zigzag switching patterns back and forth +across the world. They hardly talk to the people they finally reach. They say +hello and start thinking of what kind of call to make next. They go a little +crazy." He looks down at the neat little package in his palm. His fingers are +still dancing, tapping out beeper patterns. + +"I think it's something to do with how small my models are. There are lots of +blue boxes around, but mine are the smallest and most sophisticated +electronically. I wish I could show you the prototype we made for our big +syndicate order." + +He sighs. "We had this order for a thousand beeper boxes from a syndicate +front man in Las Vegas. They use them to place bets coast to coast, keep lines +open for hours, all of which can get expensive if you have to pay. The deal +was a thousand blue boxes for $300 apiece. Before then we retailed them for +$1500 apiece, but $300,000 in one lump was hard to turn down. We had a +manufacturing deal worked out in the Philippines. Everything ready to go. +Anyway, the model I had ready for limited mass production was small enough to +fit inside a flip-top Marlboro box. It had flush touch panels for a keyboard, +rather than these unsightly buttons, sticking out. Looked just like a tiny +portable radio. In fact, I had designed it with a tiny transistor receiver to +get one AM channel, so in case the law became suspicious the owner could switch +on the radio part, start snapping his fingers, and no one could tell anything +illegal was going on. I thought of everything for this model -- I had it lined +with a band of thermite which could be ignited by radio signal from a tiny +button transmitter on your belt, so it could be burned to ashes instantly in +case of a bust. It was beautiful. A beautiful little machine. You should +have seen the faces on these syndicate guys when they came back after trying it +out. They'd hold it in their palm like they never wanted to let it go, and +they'd say, 'I can't believe it. I can't believe it.' You probably won't +believe it until you try it." + +The Blue Box Is Tested: Certain Connections Are Made + +About eleven o'clock two nights later Fraser Lucey has a blue box in the palm +of his left hand and a phone in the palm of his right. He is standing inside a +phone booth next to an isolated shut-down motel off Highway 1. I am standing +outside the phone booth. + +Fraser likes to show off his blue box for people. Until a few weeks ago when +Pacific Telephone made a few arrests in his city, Fraser Lucey liked to bring +his blue box (This particular blue box, like most blue boxes, is not blue. +Blue boxes have come to be called "blue boxes" either because 1) The first blue +box ever confiscated by phone-company security men happened to be blue, or 2) +To distinguish them from "black boxes." Black boxes are devices, usually a +resistor in series, which, when attached to home phones, allow all incoming +calls to be made without charge to one's caller.) to parties. It never failed: +a few cheeps from his device and Fraser became the center of attention at the +very hippest of gatherings, playing phone tricks and doing request numbers for +hours. He began to take orders for his manufacturer in Mexico. He became a +dealer. + +Fraser is cautious now about where he shows off his blue box. But he never + + Page 34 + + + + + The Official Phreaker's Manual + +gets tired of playing with it. "It's like the first time every time," he tells +me. + +Fraser puts a dime in the slot. He listens for a tone and holds the receiver +up to my ear. I hear the tone. Fraser begins describing, with a certain +practiced air, what he does while he does it. "I'm dialing an 800 number now. +Any 800 number will do. It's toll free. Tonight I think I'll use the ----- (he +names a well-know rent-a-car company) 800 number. Listen, It's ringing. Here, +you hear it? Now watch." He places the blue box over the mouthpiece of the +phone so that the one silver and twelve black push buttons are facing up toward +me. He presses the silver button -- the one at the top -- and I hear that +high-pitched beep. "That's 2600 cycles per second to be exact," says Lucey. +"Now, quick. listen." He shoves the earpiece at me. The ringing has vanished. +The line gives a slight hiccough, there is a sharp buzz, and then nothing but +soft white noise. + +"We're home free now," Lucey tells me, taking back the phone and applying the +blue box to its mouthpiece once again. "We're up on a tandem, into a +long-lines trunk. Once you're up on a tandem, you can send yourself anywhere +you want to go." He decides to check out London first. He chooses a certain +pay phone located in Waterloo Station. This particular pay phone is popular +with the phone-phreaks network because there are usually people walking by at +all hours who will pick it up and talk for a while. + +He presses the lower left-hand corner button which is marked "KP" on the face +of the box. "That's Key Pulse. It tells the tandem we're ready to give it +instructions. First I'll punch out KP 182 START, which will slide us into the +overseas sender in White Plains." I hear a neat clunk-cheep. "I think we'll +head over to England by satellite. Cable is actually faster and the connection +is somewhat better, but I like going by satellite. So I just punch out KP Zero +44. The Zero is supposed to guarantee a satellite connection and 44 is the +country code for England. Okay... we're there. In Liverpool actually. Now +all I have to do is punch out the London area code which is 1, and dial up the +pay phone. Here, listen, I've got a ring now." + +I hear the soft quick purr-purr of a London ring. Then someone picks up the +phone. + +"Hello," says the London voice. + +"Hello. Who's this?" Fraser asks. + +"Hello. There's actually nobody here. I just picked this up while I was +passing by. This is a public phone. There's no one here to answer actually." + +"Hello. Don't hang up. I'm calling from the United States." + +"Oh. What is the purpose of the call? This is a public phone you know." + +"Oh. You know. To check out, uh, to find out what's going on in London. How +is it there?" + +"Its five o'clock in the morning. It's raining now." + +"Oh. Who are you?" + +The London passerby turns out to be an R.A.F. enlistee on his way back to the +base in Lincolnshire, with a terrible hangover after a thirty-six-hour pass. + + Page 35 + + + + + The Official Phreaker's Manual + +He and Fraser talk about the rain. They agree that it's nicer when it's not +raining. They say good-bye and Fraser hangs up. His dime returns with a nice +clink. + +"Isn't that far out," he says grinning at me. "London, like that." + +Fraser squeezes the little blue box affectionately in his palm. "I told ya +this thing is for real. Listen, if you don't mind I'm gonna try this girl I +know in Paris. I usually give her a call around this time. It freaks her out. +This time I'll use the ------ (a different rent-a-car company) 800 number and +we'll go by overseas cable, 133; 33 is the country code for France, the 1 sends +you by cable. Okay, here we go.... Oh damn. Busy. Who could she be talking +to at this time?" + +A state police car cruises slowly by the motel. The car does not stop, but +Fraser gets nervous. We hop back into his car and drive ten miles in the +opposite direction until we reach a Texaco station locked up for the night. We +pull up to a phone booth by the tire pump. Fraser dashes inside and tries the +Paris number. It is busy again. + +"I don't understand who she could be talking to. The circuits may be busy. +It's too bad I haven't learned how to tap into lines overseas with this thing +yet." + +Fraser begins to phreak around, as the phone phreaks say. He dials a leading +nationwide charge card's 800 number and punches out the tones that bring him +the time recording in Sydney, Australia. He beeps up the weather recording in +Rome, in Italian of course. He calls a friend in Boston and talks about a +certain over-the-counter stock they are into heavily. He finds the Paris +number busy again. He calls up "Dial a Disc" in London, and we listen to +Double Barrel by David and Ansil Collins, the number-one hit of the week in +London. He calls up a dealer of another sort and talks in code. He calls up +Joe Engressia, the original blind phone-phreak genius, and pays his respects. +There are other calls. Finally Fraser gets through to his young lady in +Paris. + +They both agree the circuits must have been busy, and criticize the Paris +telephone system. At two-thirty in the morning Fraser hangs up, pockets his +dime, and drives off, steering with one hand, holding what he calls his "lovely +little blue box" in the other. + +You Can Call Long Distance For Less Than You Think + +"You see, a few years ago the phone company made one big mistake," Gilbertson +explains two days later in his apartment. "They were careless enough to let +some technical journal publish the actual frequencies used to create all their +multi-frequency tones. Just a theoretical article some Bell Telephone +Laboratories engineer was doing about switching theory, and he listed the tones +in passing. At ----- (a well-known technical school) I had been fooling around +with phones for several years before I came across a copy of the journal in the +engineering library. I ran back to the lab and it took maybe twelve hours from +the time I saw that article to put together the first working blue box. It was +bigger and clumsier than this little baby, but it worked." + +It's all there on public record in that technical journal written mainly by +Bell Lab people for other telephone engineers. Or at least it was public. +"Just try and get a copy of that issue at some engineering-school library now. +Bell has had them all red-tagged and withdrawn from circulation," Gilbertson + + Page 36 + + + + + The Official Phreaker's Manual + +tells me. + +"But it's too late. It's all public now. And once they became public the +technology needed to create your own beeper device is within the range of any +twelve-year-old kid, any twelve-year-old blind kid as a matter of fact. And he +can do it in less than the twelve hours it took us. Blind kids do it all the +time. They can't build anything as precise and compact as my beeper box, but +theirs can do anything mine can do." + +"How?" + +"Okay. About twenty years ago A.T.&T. made a multi-billion-dollar decision to +operate its entire long-distance switching system on twelve electronically +generated combinations of twelve master tones. Those are the tones you +sometimes hear in the background after you've dialed a long-distance number. +They decided to use some very simple tones -- the tone for each number is just +two fixed single-frequency tones played simultaneously to create a certain beat +frequency. Like 1300 cycles per second and 900 cycles per second played +together give you the tone for digit 5. Now, what some of these phone phreaks +have done is get themselves access to an electric organ. Any cheap family +home-entertainment organ. Since the frequencies are public knowledge now -- +one blind phone phreak has even had them recorded in one of the talking books +for the blind -- they just have to find the musical notes on the organ which +correspond to the phone tones. Then they tape them. For instance, to get Ma +Bell's tone for the number 1, you press down organ keys F~5 and A~5 (900 and +700 cycles per second) at the same time. To produce the tone for 2 it's F~5 +and C~6 (1100 and 700 c.p.s). The phone phreaks circulate the whole list of +notes so there's no trial and error anymore." + +He shows me a list of the rest of the phone numbers and the two electric organ +keys that produce them. + +"Actually, you have to record these notes at 3 3/4 inches-per-second tape speed +and double it to 7 1/2 inches-per-second when you play them back, to get the +proper tones," he adds. + +"So once you have all the tones recorded, how do you plug them into the phone +system?" + +"Well, they take their organ and their cassette recorder, and start banging out +entire phone numbers in tones on the organ, including country codes, routing +instructions, 'KP' and 'Start' tones. Or, if they don't have an organ, someone +in the phone-phreak network sends them a cassette with all the tones recorded, +with a voice saying 'Number one,' then you have the tone, 'Number two,' then +the tone and so on. So with two cassette recorders they can put together a +series of phone numbers by switching back and forth from number to number. Any +idiot in the country with a cheap cassette recorder can make all the free calls +he wants." + +"You mean you just hold the cassette recorder up the mouthpiece and switch in a +series of beeps you've recorded? The phone thinks that anything that makes +these tones must be its own equipment?" + +"Right. As long as you get the frequency within thirty cycles per second of +the phone company's tones, the phone equipment thinks it hears its own voice +talking to it. The original granddaddy phone phreak was this blind kid with +perfect pitch, Joe Engressia, who used to whistle into the phone. An operator +could tell the difference between his whistle and the phone company's + + Page 37 + + + + + The Official Phreaker's Manual + +electronic tone generator, but the phone company's switching circuit can't tell +them apart. The bigger the phone company gets and the further away from human +operators it gets, the more vulnerable it becomes to all sorts of phone +phreaking." + +A Guide for the Perplexed + +"But wait a minute," I stop Gilbertson. "If everything you do sounds like +phone-company equipment, why doesn't the phone company charge you for the call +the way it charges its own equipment?" + +"Okay. That's where the 2600-cycle tone comes in. I better start from the +beginning." + +The beginning he describes for me is a vision of the phone system of the +continent as thousands of webs, of long-line trunks radiating from each of the +hundreds of toll switching offices to the other toll switching offices. Each +toll switching office is a hive compacted of thousands of long-distance tandems +constantly whistling and beeping to tandems in far-off toll switching offices. + +The tandem is the key to the whole system. Each tandem is a line with some +relays with the capability of signalling any other tandem in any other toll +switching office on the continent, either directly one-to-one or by programming +a roundabout route through several other tandems if all the direct routes are +busy. For instance, if you want to call from New York to Los Angeles and +traffic is heavy on all direct trunks between the two cities, your tandem in +New York is programmed to try the next best route, which may send you down to a +tandem in New Orleans, then up to San Francisco, or down to a New Orleans +tandem, back to an Atlanta tandem, over to an Albuquerque tandem and finally up +to Los Angeles. + +When a tandem is not being used, when it's sitting there waiting for someone to +make a long-distance call, it whistles. One side of the tandem, the side +"facing" your home phone, whistles at 2600 cycles per second toward all the +home phones serviced by the exchange, telling them it is at their service, +should they be interested in making a long-distance call. The other side of +the tandem is whistling 2600 c.p.s. into one or more long-distance trunk lines, +telling the rest of the phone system that it is neither sending nor receiving a +call through that trunk at the moment, that it has no use for that trunk at the +moment. + +"When you dial a long-distance number the first thing that happens is that you +are hooked into a tandem. A register comes up to the side of the tandem facing +away from you and presents that side with the number you dialed. This sending +side of the tandem stops whistling 2600 into its trunk line. When a tandem +stops the 2600 tone it has been sending through a trunk, the trunk is said to +be "seized," and is now ready to carry the number you have dialed -- converted +into multi-frequency beep tones -- to a tandem in the area code and central +office you want. + +Now when a blue-box operator wants to make a call from New Orleans to New York +he starts by dialing the 800 number of a company which might happen to have its +headquarters in Los Angeles. The sending side of the New Orleans tandem stops +sending 2600 out over the trunk to the central office in Los Angeles, thereby +seizing the trunk. Your New Orleans tandem begins sending beep tones to a +tandem it has discovered idly whistling 2600 cycles in Los Angeles. The +receiving end of that L.A. tandem is seized, stops whistling 2600, listens to +the beep tones which tell it which L.A. phone to ring, and starts ringing the + + Page 38 + + + + + The Official Phreaker's Manual + +800 number. Meanwhile a mark made in the New Orleans office accounting tape +notes that a call from your New Orleans phone to the 800 number in L.A. has +been initiated and gives the call a code number. Everything is routine so far. + +But then the phone phreak presses his blue box to the mouthpiece and pushes the +2600-cycle button, sending 2600 out from the New Orleans tandem to the L.A. +tandem. The L.A. tandem notices 2600 cycles are coming over the line again and +assumes that New Orleans has hung up because the trunk is whistling as if idle. +The L.A. tandem immediately ceases ringing the L.A. 800 number. But as soon as +the phreak takes his finger off the 2600 button, the L.A. tandem assumes the +trunk is once again being used because the 2600 is gone, so it listens for a +new series of digit tones - to find out where it must send the call. + +Thus the blue-box operator in New Orleans now is in touch with a tandem in L.A. +which is waiting like an obedient genie to be told what to do next. The +blue-box owner then beeps out the ten digits of the New York number which tell +the L.A. tandem to relay a call to New York City. Which it promptly does. As +soon as your party picks up the phone in New York, the side of the New Orleans +tandem facing you stops sending 2600 cycles to you and stars carrying his voice +to you by way of the L.A. tandem. A notation is made on the accounting tape +that the connection has been made on the 800 call which had been initiated and +noted earlier. When you stop talking to New York a notation is made that the +800 call has ended. + +At three the next morning, when the phone company's accounting computer starts +reading back over the master accounting tape for the past day, it records that +a call of a certain length of time was made from your New Orleans home to an +L.A. 800 number and, of course, the accounting computer has been trained to +ignore those toll-free 800 calls when compiling your monthly bill. + +"All they can prove is that you made an 800 toll-free call," Gilbertson the +inventor concludes. "Of course, if you're foolish enough to talk for two hours +on an 800 call, and they've installed one of their special anti-fraud computer +programs to watch out for such things, they may spot you and ask why you took +two hours talking to Army Recruiting's 800 number when you're 4-F. + +But if you do it from a pay phone, they may discover something peculiar the +next day -- if they've got a blue-box hunting program in their computer -- but +you'll be a long time gone from the pay phone by then. Using a pay phone is +almost guaranteed safe." + +"What about the recent series of blue-box arrests all across the country -- New +York, Cleveland, and so on?" I asked. "How were they caught so easily?" + +"From what I can tell, they made one big mistake: they were seizing trunks +using an area code plus 555-1212 instead of an 800 number. Using 555 is easy to +detect because when you send multi-frequency beep tones of 555 you get a charge +for it on your tape and the accounting computer knows there's something wrong +when it tries to bill you for a two-hour call to Akron, Ohio, information, and +it drops a trouble card which goes right into the hands of the security agent +if they're looking for blue-box user. + +"Whoever sold those guys their blue boxes didn't tell them how to use them +properly, which is fairly irresponsible. And they were fairly stupid to use +them at home all the time. + +"But what those arrests really mean is than an awful lot of blue boxes are +flooding into the country and that people are finding them so easy to make that + + Page 39 + + + + + The Official Phreaker's Manual + +they know how to make them before they know how to use them. Ma Bell is in +trouble." + +And if a blue-box operator or a cassette-recorder phone phreak sticks to pay +phones and 800 numbers, the phone company can't stop them? + +"Not unless they change their entire nationwide long-lines technology, which +will take them a few billion dollars and twenty years. Right now they can't do +a thing. They're screwed." + ++-- End first file of four --+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 40 + + + + + The Official Phreaker's Manual + + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + * * + * +----------------------------------------------+ * + * * + * Secrets of the Little Blue Box * + * * + * by Ron Rosenbaum * + * Typed by One Farad Cap/AAG * + * * + * -A story so incredible it may even make you * + * feel sorry for the phone company- * + * * + * (Second of four files) * + * * + * +----------------------------------------------+ * + * * + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + +Captain Crunch Demonstrates His Famous Unit + +There is an underground telephone network in this country. Gilbertson +discovered it the very day news of his activities hit the papers. That evening +his phone began ringing. Phone phreaks from Seattle, from Florida, from New +York, from San Jose, and from Los Angeles began calling him and telling him +about the phone-phreak network. He'd get a call from a phone phreak who'd say +nothing but, "Hang up and call this number." + +When he dialed the number he'd find himself tied into a conference of a dozen +phone phreaks arranged through a quirky switching station in British Columbia. +They identified themselves as phone phreaks, they demonstrated their homemade +blue boxes which they called "M-Fers" (for "multi-frequency," among other +things) for him, they talked shop about phone-phreak devices. They let him in +on their secrets on the theory that if the phone company was after him he must +be trustworthy. And, Gilbertson recalls, they stunned him with their technical +sophistication. + +I ask him how to get in touch with the phone-phreak network. He digs around +through a file of old schematics and comes up with about a dozen numbers in +three widely separated area codes. + +"Those are the centers," he tells me. Alongside some of the numbers he writes +in first names or nicknames: names like Captain Crunch, Dr. No, Frank Carson +(also a code word for a free call), Marty Freeman (code word for M-F device), +Peter Perpendicular Pimple, Alefnull, and The Cheshire Cat. He makes checks +alongside the names of those among these top twelve who are blind. There are +five checks. + +I ask him who this Captain Crunch person is. + +"Oh. The Captain. He's probably the most legendary phone phreak. He calls +himself Captain Crunch after the notorious Cap'n Crunch 2600 whistle." +(Several years ago, Gilbertson explains, the makers of Cap'n Crunch breakfast +cereal offered a toy-whistle prize in every box as a treat for the Cap'n Crunch +set. Somehow a phone phreak discovered that the toy whistle just happened to +produce a perfect 2600-cycle tone. When the man who calls himself Captain +Crunch was transferred overseas to England with his Air Force unit, he would +receive scores of calls from his friends and "mute" them -- make them free of +charge to them -- by blowing his Cap'n Crunch whistle into his end.) + + Page 41 + + + + + The Official Phreaker's Manual + + +"Captain Crunch is one of the older phone phreaks," Gilbertson tells me. "He's +an engineer who once got in a little trouble for fooling around with the phone, +but he can't stop. Well, they guy drives across country in a Volkswagen van +with an entire switchboard and a computerized super-sophisticated M-F-er in the +back. He'll pull up to a phone booth on a lonely highway somewhere, snake a +cable out of his bus, hook it onto the phone and sit for hours, days sometimes, +sending calls zipping back and forth across the country, all over the +world...." + +Back at my motel, I dialed the number he gave me for "Captain Crunch" and asked +for G---- T-----, his real name, or at least the name he uses when he's not +dashing into a phone booth beeping out M-F tones faster than a speeding bullet +and zipping phantomlike through the phone company's long-distance lines. + +When G---- T----- answered the phone and I told him I was preparing a story for +Esquire about phone phreaks, he became very indignant. + +"I don't do that. I don't do that anymore at all. And if I do it, I do it for +one reason and one reason only. I'm learning about a system. The phone +company is a System. A computer is a System, do you understand? If I do what +I do, it is only to explore a system. Computers, systems, that's my bag. The +phone company is nothing but a computer." + +A tone of tightly restrained excitement enters the Captain's voice when he +starts talking about systems. He begins to pronounce each syllable with the +hushed deliberation of an obscene caller. + +"Ma Bell is a system I want to explore. It's a beautiful system, you know, but +Ma Bell screwed up. It's terrible because Ma Bell is such a beautiful system, +but she screwed up. I learned how she screwed up from a couple of blind kids +who wanted me to build a device. A certain device. They said it could make +free calls. I wasn't interested in free calls. But when these blind kids told +me I could make calls into a computer, my eyes lit up. I wanted to learn about +computers. I wanted to learn about Ma Bell's computers. So I build the little +device, but I built it wrong and Ma Bell found out. Ma Bell can detect things +like that. Ma Bell knows. So I'm strictly rid of it now. I don't do it. +Except for learning purposes." He pauses. "So you want to write an article. +Are you paying for this call? Hang up and call this number." He gives me a +number in a area code a thousand miles away of his own. I dial the number. + +"Hello again. This is Captain Crunch. You are speaking to me on a toll-free +loop-around in Portland, Oregon. Do you know what a toll-free loop around is? +I'll tell you. + +He explains to me that almost every exchange in the country has open test +numbers which allow other exchanges to test their connections with it. Most of +these numbers occur in consecutive pairs, such as 302 956-0041 and 302 +956-0042. Well, certain phone phreaks discovered that if two people from +anywhere in the country dial the two consecutive numbers they can talk together +just as if one had called the other's number, with no charge to either of them, +of course. + +"Now our voice is looping around in a 4A switching machine up there in Canada, +zipping back down to me," the Captain tells me. "My voice is looping around up +there and back down to you. And it can't ever cost anyone money. The phone +phreaks and I have compiled a list of many many of these numbers. You would be +surprised if you saw the list. I could show it to you. But I won't. I'm out + + Page 42 + + + + + The Official Phreaker's Manual + +of that now. I'm not out to screw Ma Bell. I know better. If I do anything +it's for the pure knowledge of the System. You can learn to do fantastic +things. Have you ever heard eight tandems stacked up? Do you know the sound +of tandems stacking and unstacking? Give me your phone number. Okay. Hang up +now and wait a minute." + +Slightly less than a minute later the phone rang and the Captain was on the +line, his voice sounding far more excited, almost aroused. + +"I wanted to show you what it's like to stack up tandems. To stack up +tandems." (Whenever the Captain says "stack up" it sounds as if he is licking +his lips.) + +"How do you like the connection you're on now?" the Captain asks me. "It's a +raw tandem. A raw tandem. Ain't nothin' up to it but a tandem. Now I'm going +to show you what it's like to stack up. Blow off. Land in a far away place. +To stack that tandem up, whip back and forth across the country a few times, +then shoot on up to Moscow. + +"Listen," Captain Crunch continues. "Listen. I've got line tie on my +switchboard here, and I'm gonna let you hear me stack and unstack tandems. +Listen to this. It's gonna blow your mind." + +First I hear a super rapid-fire pulsing of the flutelike phone tones, then a +pause, then another popping burst of tones, then another, then another. Each +burst is followed by a beep-kachink sound. + +"We have now stacked up four tandems," said Captain Crunch, sounding somewhat +remote. "That's four tandems stacked up. Do you know what that means? That +means I'm whipping back and forth, back and forth twice, across the country, +before coming to you. I've been known to stack up twenty tandems at a time. +Now, just like I said, I'm going to shoot up to Moscow." + +There is a new, longer series of beeper pulses over the line, a brief silence, +then a ring. + +"Hello," answers a far-off voice. + +"Hello. Is this the American Embassy Moscow?" + +"Yes, sir. Who is this calling?" says the voice. + +"Yes. This is test board here in New York. We're calling to check out the +circuits, see what kind of lines you've got. Everything okay there in +Moscow?" + +"Okay?" + +"Well, yes, how are things there?" + +"Oh. Well, everything okay, I guess." + +"Okay. Thank you." + +They hang up, leaving a confused series of beep-kachink sounds hanging in +mid-ether in the wake of the call before dissolving away. + +The Captain is pleased. "You believe me now, don't you? Do you know what I'd + + Page 43 + + + + + The Official Phreaker's Manual + +like to do? I'd just like to call up your editor at Esquire and show him just +what it sounds like to stack and unstack tandems. I'll give him a show that +will blow his mind. What's his number? + +I ask the Captain what kind of device he was using to accomplish all his feats. +The Captain is pleased at the question. + +"You could tell it was special, couldn't you?" Ten pulses per second. That's +faster than the phone company's equipment. Believe me, this unit is the most +famous unit in the country. There is no other unit like it. Believe me." + +"Yes, I've heard about it. Some other phone phreaks have told me about it." + +"They have been referring to my, ahem, unit? What is it they said? Just out of +curiosity, did they tell you it was a highly sophisticated computer-operated +unit, with acoustical coupling for receiving outputs and a switch-board with +multiple-line-tie capability? Did they tell you that the frequency tolerance +is guaranteed to be not more than .05 percent? The amplitude tolerance less +than .01 decibel? Those pulses you heard were perfect. They just come faster +than the phone company. Those were high-precision op-amps. Op-amps are +instrumentation amplifiers designed for ultra-stable amplification, super-low +distortion and accurate frequency response. Did they tell you it can operate +in temperatures from -55 degrees C to +125 degrees C?" + +I admit that they did not tell me all that. + +"I built it myself," the Captain goes on. "If you were to go out and buy the +components from an industrial wholesaler it would cost you at least $1500. I +once worked for a semiconductor company and all this didn't cost me a cent. Do +you know what I mean? Did they tell you about how I put a call completely +around the world? I'll tell you how I did it. I M-Fed Tokyo inward, who +connected me to India, India connected me to Greece, Greece connected me to +Pretoria, South Africa, South Africa connected me to South America, I went from +South America to London, I had a London operator connect me to a New York +operator, I had New York connect me to a California operator who rang the phone +next to me. Needless to say I had to shout to hear myself. But the echo was +far out. Fantastic. Delayed. It was delayed twenty seconds, but I could hear +myself talk to myself." + +"You mean you were speaking into the mouthpiece of one phone sending your voice +around the world into your ear through a phone on the other side of your head?" +I asked the Captain. I had a vision of something vaguely autoerotic going on, +in a complex electronic way. + +"That's right," said the Captain. "I've also sent my voice around the world +one way, going east on one phone, and going west on the other, going through +cable one way, satellite the other, coming back together at the same time, +ringing the two phones simultaneously and picking them up and whipping my +voice both ways around the world back to me. Wow. That was a mind blower." + +"You mean you sit there with both phones on your ear and talk to yourself +around the world," I said incredulously. + +"Yeah. Um hum. That's what I do. I connect the phone together and sit there +and talk." + +"What do you say? What do you say to yourself when you're connected?" + + + Page 44 + + + + + The Official Phreaker's Manual + +"Oh, you know. Hello test one two three," he says in a low-pitched voice. + +"Hello test one two three," he replied to himself in a high-pitched voice. + +"Hello test one two three," he repeats again, low-pitched. + +"Hello test one two three," he replies, high-pitched. + +"I sometimes do this: Hello Hello Hello Hello, Hello, hello," he trails off and +breaks into laughter. + +Why Captain Crunch Hardly Ever Taps Phones Anymore + +Using internal phone-company codes, phone phreaks have learned a simple method +for tapping phones. Phone-company operators have in front of them a board that +holds verification jacks. It allows them to plug into conversations in case of +emergency, to listen in to a line to determine if the line is busy or the +circuits are busy. Phone phreaks have learned to beep out the codes which lead +them to a verification operator, tell the verification operator they are +switchmen from some other area code testing out verification trunks. Once the +operator hooks them into the verification trunk, they disappear into the board +for all practical purposes, slip unnoticed into any one of the 10,000 to +100,000 numbers in that central office without the verification operator +knowing what they're doing, and of course without the two parties to the +connection knowing there is a phantom listener present on their line. + +Toward the end of my hour-long first conversation with him, I asked the Captain +if he ever tapped phones. + +"Oh no. I don't do that. I don't think it's right," he told me firmly. "I +have the power to do it but I don't... Well one time, just one time, I have to +admit that I did. There was this girl, Linda, and I wanted to find out... you +know. I tried to call her up for a date. I had a date with her the last +weekend and I thought she liked me. I called her up, man, and her line was +busy, and I kept calling and it was still busy. Well, I had just learned about +this system of jumping into lines and I said to myself, 'Hmmm. Why not just +see if it works. It'll surprise her if all of a sudden I should pop up on her +line. It'll impress her, if anything.' So I went ahead and did it. I M-Fed +into the line. My M-F-er is powerful enough when patched directly into the +mouthpiece to trigger a verification trunk without using an operator the way +the other phone phreaks have to. + +"I slipped into the line and there she was talking to another boyfriend. +Making sweet talk to him. I didn't make a sound because I was so disgusted. +So I waited there for her to hang up, listening to her making sweet talk to the +other guy. You know. So as soon as she hung up I instantly M-F-ed her up and +all I said was, 'Linda, we're through.' And I hung up. And it blew her head +off. She couldn't figure out what the hell happened. + +"But that was the only time. I did it thinking I would surprise her, impress +her. Those were all my intentions were, and well, it really kind of hurt me +pretty badly, and... and ever since then I don't go into verification trunks." + +Moments later my first conversation with the Captain comes to a close. + +"Listen," he says, his spirits somewhat cheered, "listen. What you are going +to hear when I hang up is the sound of tandems unstacking. Layer after layer of +tandems unstacking until there's nothing left of the stack, until it melts away + + Page 45 + + + + + The Official Phreaker's Manual + +into nothing. Cheep, cheep, cheep, cheep," he concludes, his voice descending +to a whisper with each cheep. + +He hangs up. The phone suddenly goes into four spasms: kachink cheep. Kachink +cheep kachink cheep kachink cheep, and the complex connection has wiped itself +out like the Cheshire cat's smile. + +The MF Boogie Blues + +The next number I choose from the select list of phone-phreak alumni, prepared +for me by the blue-box inventor, is a Memphis number. It is the number of Joe +Engressia, the first and still perhaps the most accomplished blind phone +phreak. + +Three years ago Engressia was a nine-day wonder in newspapers and magazines all +over America because he had been discovered whistling free long-distance +connections for fellow students at the University of South Florida. Engressia +was born with perfect pitch: he could whistle phone tones better than the +phone-company's equipment. + +Engressia might have gone on whistling in the dark for a few friends for the +rest of his life if the phone company hadn't decided to expose him. He was +warned, disciplined by the college, and the whole case became public. In the +months following media reports of his talent, Engressia began receiving strange +calls. There were calls from a group of kids in Los Angeles who could do some +very strange things with the quirky General Telephone and Electronics circuitry +in L.A. suburbs. There were calls from a group of mostly blind kids in ----, +California, who had been doing some interesting experiments with Cap'n Crunch +whistles and test loops. There was a group in Seattle, a group in Cambridge, +Massachusetts, a few from New York, a few scattered across the country. Some +of them had already equipped themselves with cassette and electronic M-F +devices. For some of these groups, it was the first time they knew of the +others. + +The exposure of Engressia was the catalyst that linked the separate +phone-phreak centers together. They all called Engressia. They talked to him +about what he was doing and what they were doing. And then he told them -- the +scattered regional centers and lonely independent phone phreakers -- about each +other, gave them each other's numbers to call, and within a year the scattered +phone-phreak centers had grown into a nationwide underground. + +Joe Engressia is only twenty-two years old now, but along the phone-phreak +network he is "the old man," accorded by phone phreaks something of the +reverence the phone company bestows on Alexander Graham Bell. He seldom needs +to make calls anymore. The phone phreaks all call him and let him know what +new tricks, new codes, new techniques they have learned. Every night he sits +like a sightless spider in his little apartment receiving messages from every +tendril of his web. It is almost a point of pride with Joe that they call +him. + +But when I reached him in his Memphis apartment that night, Joe Engressia was +lonely, jumpy and upset. + +"God, I'm glad somebody called. I don't know why tonight of all nights I don't +get any calls. This guy around here got drunk again tonight and propositioned +me again. I keep telling him we'll never see eye to eye on this subject, if +you know what I mean. I try to make light of it, you know, but he doesn't get +it. I can head him out there getting drunker and I don't know what he'll do + + Page 46 + + + + + The Official Phreaker's Manual + +next. It's just that I'm really all alone here, just moved to Memphis, it's +the first time I'm living on my own, and I'd hate for it to all collapse now. +But I won't go to bed with him. I'm just not very interested in sex and even +if I can't see him I know he's ugly. + +"Did you hear that? That's him banging a bottle against the wall outside. +He's nice. Well forget about it. You're doing a story on phone phreaks? +Listen to this. It's the MF Boogie Blues. + +Sure enough, a jumpy version of Muskrat Ramble boogies its way over the line, +each note one of those long-distance phone tones. The music stops. A huge +roaring voice blasts the phone off my ear: "AND THE QUESTION IS..." roars the +voice, "CAN A BLIND PERSON HOOK UP AN AMPLIFIER ON HIS OWN?" + +The roar ceases. A high-pitched operator-type voice replaces it. "This is +Southern Braille Tel. & Tel. Have tone, will phone." + +This is succeeded by a quick series of M-F tones, a swift "kachink" and a deep +reassuring voice: "If you need home care, call the visiting-nurses association. +First National time in Honolulu is 4:32 p.m." + +Joe back in his Joe voice again: "Are we seeing eye to eye? 'Si, si,' said the +blind Mexican. Ahem. Yes. Would you like to know the weather in Tokyo?" + +This swift manic sequence of phone-phreak vaudeville stunts and blind-boy jokes +manages to keep Joe's mind off his tormentor only as long as it lasts. + +"The reason I'm in Memphis, the reason I have to depend on that homosexual guy, +is that this is the first time I've been able to live on my own and make phone +trips on my own. I've been banned from all central offices around home in +Florida, they knew me too well, and at the University some of my fellow +scholars were always harassing me because I was on the dorm pay phone all the +time and making fun of me because of my fat ass, which of course I do have, +it's my physical fatness program, but I don't like to hear it every day, and if +I can't phone trip and I can't phone phreak, I can't imagine what I'd do, I've +been devoting three quarters of my life to it. + +"I moved to Memphis because I wanted to be on my own as well as because it has +a Number 5 crossbar switching system and some interesting little independent +phone-company districts nearby and so far they don't seem to know who I am so I +can go on phone tripping, and for me phone tripping is just as important as +phone phreaking." + +Phone tripping, Joe explains, begins with calling up a central-office switch +room. He tells the switchman in a polite earnest voice that he's a blind +college student interested in telephones, and could he perhaps have a guided +tour of the switching station? Each step of the tour Joe likes to touch and +feel relays, caress switching circuits, switchboards, crossbar arrangements. + +So when Joe Engressia phone phreaks he feels his way through the circuitry of +the country garden of forking paths, he feels switches shift, relays shunt, +crossbars swivel, tandems engage and disengage even as he hears -- with perfect +pitch -- his M-F pulses make the entire Bell system dance to his tune. + +Just one month ago Joe took all his savings out of his bank and left home, over +the emotional protests of his mother. "I ran away from home almost," he likes +to say. Joe found a small apartment house on Union Avenue and began making +phone trips. He'd take a bus a hundred miles south in Mississippi to see some + + Page 47 + + + + + The Official Phreaker's Manual + +old-fashioned Bell equipment still in use in several states, which had been +puzzling. He'd take a bus three hundred miles to Charlotte, North Carolina, to +look at some brand-new experimental equipment. He hired a taxi to drive him +twelve miles to a suburb to tour the office of a small phone company with some +interesting idiosyncrasies in its routing system. He was having the time of +his life, he said, the most freedom and pleasure he had known. + +In that month he had done very little long-distance phone phreaking from his +own phone. He had begun to apply for a job with the phone company, he told me, +and he wanted to stay away from anything illegal. + +"Any kind of job will do, anything as menial as the most lowly operator. +That's probably all they'd give me because I'm blind. Even though I probably +know more than most switchmen. But that's okay. I want to work for Ma Bell. +I don't hate Ma Bell the way Gilbertson and some phone phreaks do. I don't +want to screw Ma Bell. With me it's the pleasure of pure knowledge. There's +something beautiful about the system when you know it intimately the way I do. +But I don't know how much they know about me here. I have a very intuitive +feel for the condition of the line I'm on, and I think they're monitoring me +off and on lately, but I haven't been doing much illegal. I have to make a few +calls to switchmen once in a while which aren't strictly legal, and once I took +an acid trip and was having these auditory hallucinations as if I were trapped +and these planes were dive-bombing me, and all of sudden I had to phone phreak +out of there. For some reason I had to call Kansas City, but that's all." + +A Warning Is Delivered + +At this point -- one o'clock in my time zone -- a loud knock on my motel-room +door interrupts our conversation. Outside the door I find a uniformed security +guard who informs me that there has been an "emergency phone call" for me while +I have been on the line and that the front desk has sent him up to let me +know. + +Two seconds after I say good-bye to Joe and hang up, the phone rings. + +"Who were you talking to?" the agitated voice demands. The voice belongs to +Captain Crunch. "I called because I decided to warn you of something. I +decided to warn you to be careful. I don't want this information you get to +get to the radical underground. I don't want it to get into the wrong hands. +What would you say if I told you it's possible for three phone phreaks to +saturate the phone system of the nation. Saturate it. Busy it out. All of +it. I know how to do this. I'm not gonna tell. A friend of mine has already +saturated the trunks between Seattle and New York. He did it with a +computerized M-F-er hitched into a special Manitoba exchange. But there are +other, easier ways to do it." + +Just three people? I ask. How is that possible? + +"Have you ever heard of the long-lines guard frequency? Do you know about +stacking tandems with 17 and 2600? Well, I'd advise you to find out about it. +I'm not gonna tell you. But whatever you do, don't let this get into the hands +of the radical underground." + +(Later Gilbertson, the inventor, confessed that while he had always been +skeptical about the Captain's claim of the sabotage potential of trunk-tying +phone phreaks, he had recently heard certain demonstrations which convinced him +the Captain was not speaking idly. "I think it might take more than three +people, depending on how many machines like Captain Crunch's were available. + + Page 48 + + + + + The Official Phreaker's Manual + +But even though the Captain sounds a little weird, he generally turns out to +know what he's talking about.") + +"You know," Captain Crunch continues in his admonitory tone, "you know the +younger phone phreaks call Moscow all the time. Suppose everybody were to call +Moscow. I'm no right-winger. But I value my life. I don't want the Commies +coming over and dropping a bomb on my head. That's why I say you've got to be +careful about who gets this information." + +The Captain suddenly shifts into a diatribe against those phone phreaks who +don't like the phone company. + +"They don't understand, but Ma Bell knows everything they do. Ma Bell knows. +Listen, is this line hot? I just heard someone tap in. I'm not paranoid, but +I can detect things like that. Well, even if it is, they know that I know that +they know that I have a bulk eraser. I'm very clean." The Captain pauses, +evidently torn between wanting to prove to the phone-company monitors that he +does nothing illegal, and the desire to impress Ma Bell with his prowess. "Ma +Bell knows how good I am. And I am quite good. I can detect reversals, tandem +switching, everything that goes on on a line. I have relative pitch now. Do +you know what that means? My ears are a $20,000 piece of equipment. With my +ears I can detect things they can't hear with their equipment. I've had +employment problems. I've lost jobs. But I want to show Ma Bell how good I +am. I don't want to screw her, I want to work for her. I want to do good for +her. I want to help her get rid of her flaws and become perfect. That's my +number-one goal in life now." The Captain concludes his warnings and tells me +he has to be going. "I've got a little action lined up for tonight," he +explains and hangs up. + +Before I hang up for the night, I call Joe Engressia back. He reports that his +tormentor has finally gone to sleep -- "He's not blind drunk, that's the way I +get, ahem, yes; but you might say he's in a drunken stupor." I make a date to +visit Joe in Memphis in two days. + ++-- End second file of four --+ + + + + + + + + + + + + + + + + + + + + + + + + + Page 49 + + + + + The Official Phreaker's Manual + + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + * * + * +----------------------------------------------+ * + * * + * Secrets of the Little Blue Box * + * * + * by Ron Rosenbaum * + * Typed by One Farad Cap/AAG * + * * + * -A story so incredible it may even make you * + * feel sorry for the phone company- * + * * + * (Third of four files) * + * * + * +----------------------------------------------+ * + * * + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + +A Phone Phreak Call Takes Care of Business + +The next morning I attend a gathering of four phone phreaks in ----- (a +California suburb). The gathering takes place in a comfortable split-level +home in an upper-middle-class subdivision. Heaped on the kitchen table are the +portable cassette recorders, M-F cassettes, phone patches, and line ties of the +four phone phreaks present. On the kitchen counter next to the telephone is a +shoe-box-size blue box with thirteen large toggle switches for the tones. The +parents of the host phone phreak, Ralph, who is blind, stay in the living room +with their sighted children. They are not sure exactly what Ralph and his +friends do with the phone or if it's strictly legal, but he is blind and they +are pleased he has a hobby which keeps him busy. + +The group has been working at reestablishing the historic "2111" conference, +reopening some toll-free loops, and trying to discover the dimensions of what +seem to be new initiatives against phone phreaks by phone-company security +agents. + +It is not long before I get a chance to see, to hear, Randy at work. Randy is +known among the phone phreaks as perhaps the finest con man in the game. Randy +is blind. He is pale, soft and pear-shaped, he wears baggy pants and a wrinkly +nylon white sport shirt, pushes his head forward from hunched shoulders +somewhat like a turtle inching out of its shell. His eyes wander, crossing and +recrossing, and his forehead is somewhat pimply. He is only sixteen years +old. + +But when Randy starts speaking into a telephone mouthpiece his voice becomes so +stunningly authoritative it is necessary to look again to convince yourself it +comes from a chubby adolescent Randy. Imagine the voice of a crack oil-rig +foreman, a tough, sharp, weather-beaten Marlboro man of forty. Imagine the +voice of a brilliant performance-fund gunslinger explaining how he beats the +Dow Jones by thirty percent. Then imagine a voice that could make those two +sound like Stepin Fetchit. That is sixteen-year-old Randy's voice. + +He is speaking to a switchman in Detroit. The phone company in Detroit had +closed up two toll-free loop pairs for no apparent reason, although heavy use +by phone phreaks all over the country may have been detected. Randy is telling +the switchman how to open up the loop and make it free again: + +"How are you, buddy. Yeah. I'm on the board in here in Tulsa, Oklahoma, and + + Page 50 + + + + + The Official Phreaker's Manual + +we've been trying to run some tests on your loop-arounds and we find'em busied +out on both sides.... Yeah, we've been getting a 'BY' on them, what d'ya say, +can you drop cards on 'em? Do you have 08 on your number group? Oh that's +okay, we've had this trouble before, we may have to go after the circuit. Here +lemme give 'em to you: your frame is 05, vertical group 03, horizontal 5, +vertical file 3. Yeah, we'll hang on here.... Okay, found it? Good. Right, +yeah, we'd like to clear that busy out. Right. All you have to do is look for +your key on the mounting plate, it's in your miscellaneous trunk frame. Okay? +Right. Now pull your key from NOR over the LCT. Yeah. I don't know why that +happened, but we've been having trouble with that one. Okay. Thanks a lot +fella. Be seein' ya." + +Randy hangs up, reports that the switchman was a little inexperienced with the +loop-around circuits on the miscellaneous trunk frame, but that the loop has +been returned to its free-call status. + +Delighted, phone phreak Ed returns the pair of numbers to the active-status +column in his directory. Ed is a superb and painstaking researcher. With +almost Talmudic thoroughness he will trace tendrils of hints through soft-wired +mazes of intervening phone-company circuitry back through complex linkages of +switching relays to find the location and identity of just one toll-free loop. +He spends hours and hours, every day, doing this sort of thing. He has somehow +compiled a directory of eight hundred "Band-six in-WATS numbers" located in +over forty states. Band-six in-WATS numbers are the big 800 numbers -- the +ones that can be dialed into free from anywhere in the country. + +Ed the researcher, a nineteen-year-old engineering student, is also a superb +technician. He put together his own working blue box from scratch at age +seventeen. (He is sighted.) This evening after distributing the latest issue +of his in-WATS directory (which has been typed into Braille for the blind phone +phreaks), he announces he has made a major new breakthrough: + +"I finally tested it and it works, perfectly. I've got this switching matrix +which converts any touch-tone phone into an M-F-er." + +The tones you hear in touch-tone phones are not the M-F tones that operate the +long-distance switching system. Phone phreaks believe A.T.&T. had deliberately +equipped touch tones with a different set of frequencies to avoid putting the +six master M-F tones in the hands of every touch-tone owner. Ed's complex +switching matrix puts the six master tones, in effect put a blue box, in the +hands of every touch-tone owner. + +Ed shows me pages of schematics, specifications and parts lists. "It's not easy +to build, but everything here is in the Heathkit catalog." + +Ed asks Ralph what progress he has made in his attempts to reestablish a +long-term open conference line for phone phreaks. The last big conference -- +the historic "2111" conference -- had been arranged through an unused Telex +test-board trunk somewhere in the innards of a 4A switching machine in +Vancouver, Canada. For months phone phreaks could M-F their way into +Vancouver, beep out 604 (the Vancouver area code) and then beep out 2111 (the +internal phone-company code for Telex testing), and find themselves at any +time, day or night, on an open wire talking with an array of phone phreaks from +coast to coast, operators from Bermuda, Tokyo and London who are phone-phreak +sympathizers, and miscellaneous guests and technical experts. The conference +was a massive exchange of information. Phone phreaks picked each other's +brains clean, then developed new ways to pick the phone company's brains clean. +Ralph gave M F Boogies concerts with his home-entertainment-type electric + + Page 51 + + + + + The Official Phreaker's Manual + +organ, Captain Crunch demonstrated his round-the-world prowess with his +notorious computerized unit and dropped leering hints of the "action" he was +getting with his girl friends. (The Captain lives out or pretends to live out +several kinds of fantasies to the gossipy delight of the blind phone phreaks +who urge him on to further triumphs on behalf of all of them.) The somewhat +rowdy Northwest phone-phreak crowd let their bitter internal feud spill over +into the peaceable conference line, escalating shortly into guerrilla warfare; +Carl the East Coast international tone relations expert demonstrated newly +opened direct M-F routes to central offices on the island of Bahrein in the +Persian Gulf, introduced a new phone-phreak friend of his in Pretoria, and +explained the technical operation of the new Oakland-to Vietnam linkages. +(Many phone phreaks pick up spending money by M-F-ing calls from relatives to +Vietnam G.I.'s, charging $5 for a whole hour of trans-Pacific conversation.) + +Day and night the conference line was never dead. Blind phone phreaks all over +the country, lonely and isolated in homes filled with active sighted brothers +and sisters, or trapped with slow and unimaginative blind kids in straitjacket +schools for the blind, knew that no matter how late it got they could dial up +the conference and find instant electronic communion with two or three other +blind kids awake over on the other side of America. Talking together on a +phone hookup, the blind phone phreaks say, is not much different from being +there together. Physically, there was nothing more than a two-inch-square wafer +of titanium inside a vast machine on Vancouver Island. For the blind kids +>there< meant an exhilarating feeling of being in touch, through a kind of +skill and magic which was peculiarly their own. + +Last April 1, however, the long Vancouver Conference was shut off. The phone +phreaks knew it was coming. Vancouver was in the process of converting from a +step-by-step system to a 4A machine and the 2111 Telex circuit was to be wiped +out in the process. The phone phreaks learned the actual day on which the +conference would be erased about a week ahead of time over the phone company's +internal-news-and-shop-talk recording. + +For the next frantic seven days every phone phreak in America was on and off +the 2111 conference twenty-four hours a day. Phone phreaks who were just +learning the game or didn't have M-F capability were boosted up to the +conference by more experienced phreaks so they could get a glimpse of what it +was like before it disappeared. Top phone phreaks searched distant area codes +for new conference possibilities without success. Finally in the early morning +of April 1, the end came. + +"I could feel it coming a couple hours before midnight," Ralph remembers. "You +could feel something going on in the lines. Some static began showing up, then +some whistling wheezing sound. Then there were breaks. Some people got cut +off and called right back in, but after a while some people were finding they +were cut off and couldn't get back in at all. It was terrible. I lost it +about one a.m., but managed to slip in again and stay on until the thing +died... I think it was about four in the morning. There were four of us still +hanging on when the conference disappeared into nowhere for good. We all tried +to M-F up to it again of course, but we got silent termination. There was +nothing there." + +The Legendary Mark Bernay Turns Out To Be "The Midnight Skulker" + +Mark Bernay. I had come across that name before. It was on Gilbertson's +select list of phone phreaks. The California phone phreaks had spoken of a +mysterious Mark Bernay as perhaps the first and oldest phone phreak on the West +Coast. And in fact almost every phone phreak in the West can trace his origins + + Page 52 + + + + + The Official Phreaker's Manual + +either directly to Mark Bernay or to a disciple of Mark Bernay. + +It seems that five years ago this Mark Bernay (a pseudonym he chose for +himself) began traveling up and down the West Coast pasting tiny stickers in +phone books all along his way. The stickers read something like "Want to hear +an interesting tape recording? Call these numbers." The numbers that followed +were toll-free loop-around pairs. When one of the curious called one of the +numbers he would hear a tape recording pre-hooked into the loop by Bernay which +explained the use of loop-around pairs, gave the numbers of several more, and +ended by telling the caller, "At six o'clock tonight this recording will stop +and you and your friends can try it out. Have fun." + +"I was disappointed by the response at first," Bernay told me, when I finally +reached him at one of his many numbers and he had dispensed with the usual "I +never do anything illegal" formalities which experienced phone phreaks open +most conversations. + +"I went all over the coast with these stickers not only on pay phones, but I'd +throw them in front of high schools in the middle of the night, I'd leave them +unobtrusively in candy stores, scatter them on main streets of small towns. At +first hardly anyone bothered to try it out. I would listen in for hours and +hours after six o'clock and no one came on. I couldn't figure out why people +wouldn't be interested. Finally these two girls in Oregon tried it out and +told all their friends and suddenly it began to spread." + +Before his Johny Appleseed trip Bernay had already gathered a sizable group of +early pre-blue-box phone phreaks together on loop-arounds in Los Angeles. +Bernay does not claim credit for the original discovery of the loop-around +numbers. He attributes the discovery to an eighteen-year-old reform school kid +in Long Beach whose name he forgets and who, he says, "just disappeared one +day." When Bernay himself discovered loop-arounds independently, from clues in +his readings in old issues of the Automatic Electric Technical Journal, he +found dozens of the reform-school kid's friends already using them. However, it +was one of Bernay's disciples in Seattle that introduced phone phreaking to +blind kids. The Seattle kid who learned about loops through Bernay's recording +told a blind friend, the blind kid taught the secret to his friends at a winter +camp for blind kids in Los Angeles. When the camp session was over these kids +took the secret back to towns all over the West. This is how the original +blind kids became phone phreaks. For them, for most phone phreaks in general, +it was the discovery of the possibilities of loop-arounds which led them on to +far more serious and sophisticated phone-phreak methods, and which gave them a +medium for sharing their discoveries. + +A year later a blind kid who moved back east brought the technique to a blind +kids' summer camp in Vermont, which spread it along the East Coast. All from a +Mark Bernay sticker. + +Bernay, who is nearly thirty years old now, got his start when he was fifteen +and his family moved into an L.A. suburb serviced by General Telephone and +Electronics equipment. He became fascinated with the differences between Bell +and G.T.&E. equipment. He learned he could make interesting things happen by +carefully timed clicks with the disengage button. He learned to interpret +subtle differences in the array of clicks, whirrs and kachinks he could hear on +his lines. He learned he could shift himself around the switching relays of +the L.A. area code in a not-too-predictable fashion by interspersing his own +hook-switch clicks with the clicks within the line. (Independent phone +companies -- there are nineteen hundred of them still left, most of them tiny +island principalities in Ma Bell's vast empire -- have always been favorites + + Page 53 + + + + + The Official Phreaker's Manual + +with phone phreaks, first as learning tools, then as Archimedes platforms from +which to manipulate the huge Bell system. A phone phreak in Bell territory +will often M-F himself into an independent's switching system, with switching +idiosyncrasies which can give him marvelous leverage over the Bell System. + +"I have a real affection for Automatic Electric Equipment," Bernay told me. +"There are a lot of things you can play with. Things break down in interesting +ways." + +Shortly after Bernay graduated from college (with a double major in chemistry +and philosophy), he graduated from phreaking around with G.T.&E. to the Bell +System itself, and made his legendary sticker-pasting journey north along the +coast, settling finally in Northwest Pacific Bell territory. He discovered +that if Bell does not break down as interestingly as G.T.&E., it nevertheless +offers a lot of "things to play with." + +Bernay learned to play with blue boxes. He established his own personal +switchboard and phone-phreak research laboratory complex. He continued his +phone-phreak evangelism with ongoing sticker campaigns. He set up two recording +numbers, one with instructions for beginning phone phreaks, the other with +latest news and technical developments (along with some advanced instruction) +gathered from sources all over the country. + +These days, Bernay told me, he had gone beyond phone-phreaking itself. "Lately +I've been enjoying playing with computers more than playing with phones. My +personal thing in computers is just like with phones, I guess -- the kick is in +finding out how to beat the system, how to get at things I'm not supposed to +know about, how to do things with the system that I'm not supposed to be able +to do." + +As a matter of fact, Bernay told me, he had just been fired from his +computer-programming job for doing things he was not supposed to be able to do. +he had been working with a huge time-sharing computer owned by a large +corporation but shared by many others. Access to the computer was limited to +those programmers and corporations that had been assigned certain passwords. +And each password restricted its user to access to only the one section of the +computer cordoned off from its own information storager. The password system +prevented companies and individuals from stealing each other's information. + +"I figured out how to write a program that would let me read everyone else's +password," Bernay reports. "I began playing around with passwords. I began +letting the people who used the computer know, in subtle ways, that I knew +their passwords. I began dropping notes to the computer supervisors with hints +that I knew what I know. I signed them 'The Midnight Skulker.' I kept getting +cleverer and cleverer with my messages and devising ways of showing them what I +could do. I'm sure they couldn't imagine I could do the things I was showing +them. But they never responded to me. Every once in a while they'd change the +passwords, but I found out how to discover what the new ones were, and I let +them know. But they never responded directly to the Midnight Skulker. I even +finally designed a program which they could use to prevent my program from +finding out what it did. In effect I told them how to wipe me out, The +Midnight Skulker. It was a very clever program. I started leaving clues about +myself. I wanted them to try and use it and then try to come up with something +to get around that and reappear again. But they wouldn't play. I wanted to +get caught. I mean I didn't want to get caught personally, but I wanted them +to notice me and admit that they noticed me. I wanted them to attempt to +respond, maybe in some interesting way." + + + Page 54 + + + + + The Official Phreaker's Manual + +Finally the computer managers became concerned enough about the threat of +information-stealing to respond. However, instead of using The Midnight +Skulker's own elegant self-destruct program, they called in their security +personnel, interrogated everyone, found an informer to identify Bernay as The +Midnight Skulker, and fired him. + +"At first the security people advised the company to hire me full-time to +search out other flaws and discover other computer freaks. I might have liked +that. But I probably would have turned into a double double agent rather than +the double agent they wanted. I might have resurrected The Midnight Skulker +and tried to catch myself. Who knows? Anyway, the higher-ups turned the whole +idea down." + +You Can Tap the F.B.I.'s Crime Control Computer in the Comfort of Your Own +Home, Perhaps + +Computer freaking may be the wave of the future. It suits the phone-phreak +sensibility perfectly. Gilbertson, the blue-box inventor and a lifelong phone +phreak, has also gone on from phone-phreaking to computer-freaking. Before he +got into the blue-box business Gilbertson, who is a highly skilled programmer, +devised programs for international currency arbitrage. + +But he began playing with computers in earnest when he learned he could use his +blue box in tandem with the computer terminal installed in his apartment by the +instrumentation firm he worked for. The print-out terminal and keyboard was +equipped with acoustical coupling, so that by coupling his little ivory +Princess phone to the terminal and then coupling his blue box on that, he could +M-F his way into other computers with complete anonymity, and without charge; +program and re-program them at will; feed them false or misleading information; +tap and steal from them. He explained to me that he taps computers by busying +out all the lines, then going into a verification trunk, listening into the +passwords and instructions one of the time sharers uses, and them M-F-ing in +and imitating them. He believes it would not be impossible to creep into the +F.B.I's crime control computer through a local police computer terminal and +phreak around with the F.B.I.'s memory banks. He claims he has succeeded in +re-programming a certain huge institutional computer in such a way that it has +cordoned off an entire section of its circuitry for his personal use, and at +the same time conceals that arrangement from anyone else's notice. I have been +unable to verify this claim. + +Like Captain Crunch, like Alexander Graham Bell (pseudonym of a +disgruntled-looking East Coast engineer who claims to have invented the black +box and now sells black and blue boxes to gamblers and radical heavies), like +most phone phreaks, Gilbertson began his career trying to rip off pay phones as +a teenager. Figure them out, then rip them off. Getting his dime back from +the pay phone is the phone phreak's first thrilling rite of passage. After +learning the usual eighteen different ways of getting his dime back, Gilbertson +learned how to make master keys to coin-phone cash boxes, and get everyone +else's dimes back. He stole some phone-company equipment and put together his +own home switchboard with it. He learned to make a simple "bread-box" device, +of the kind used by bookies in the Thirties (bookie gives a number to his +betting clients; the phone with that number is installed in some widow lady's +apartment, but is rigged to ring in the bookie's shop across town, cops trace +big betting number and find nothing but the widow). + +Not long after that afternoon in 1968 when, deep in the stacks of an +engineering library, he came across a technical journal with the phone tone +frequencies and rushed off to make his first blue box, not long after that + + Page 55 + + + + + The Official Phreaker's Manual + +Gilbertson abandoned a very promising career in physical chemistry and began +selling blue boxes for $1,500 apiece. + +"I had to leave physical chemistry. I just ran out of interesting things to +learn," he told me one evening. We had been talking in the apartment of the +man who served as the link between Gilbertson and the syndicate in arranging +the big $300,000 blue-box deal which fell through because of legal trouble. +There has been some smoking. + +"No more interesting things to learn," he continues. "Physical chemistry turns +out to be a sick subject when you take it to its highest level. I don't know. +I don't think I could explain to you how it's sick. You have to be there. But +you get, I don't know, a false feeling of omnipotence. I suppose it's like +phone-phreaking that way. This huge thing is there. This whole system. And +there are holes in it and you slip into them like Alice and you're pretending +you're doing something you're actually not, or at least it's no longer you +that's doing what you thought you were doing. It's all Lewis Carroll. +Physical chemistry and phone-phreaking. That's why you have these phone-phreak +pseudonyms like The Cheshire Cat, the Red King, and The Snark. But there's +something about phone-phreaking that you don't find in physical chemistry." He +looks up at me: + +"Did you ever steal anything?" + +"Well yes, I..." + +"Then you know! You know the rush you get. It's not just knowledge, like +physical chemistry. It's forbidden knowledge. You know. You can learn about +anything under the sun and be bored to death with it. But the idea that it's +illegal. Look: you can be small and mobile and smart and you're ripping off +somebody large and powerful and very dangerous." + +People like Gilbertson and Alexander Graham Bell are always talking about +ripping off the phone company and screwing Ma Bell. But if they were shown a +single button and told that by pushing it they could turn the entire circuitry +of A.T.&T. into molten puddles, they probably wouldn't push it. The +disgruntled-inventor phone phreak needs the phone system the way the lapsed +Catholic needs the Church, the way Satan needs a God, the way The Midnight +Skulker needed, more than anything else, response. + +Later that evening Gilbertson finished telling me how delighted he was at the +flood of blue boxes spreading throughout the country, how delighted he was to +know that "this time they're really screwed." He suddenly shifted gears. + +"Of course. I do have this love/hate thing about Ma Bell. In a way I almost +like the phone company. I guess I'd be very sad if they were to disintegrate. +In a way it's just that after having been so good they turn out to have these +things wrong with them. It's those flaws that allow me to get in and mess with +them, but I don't know. There's something about it that gets to you and makes +you want to get to it, you know." + +I ask him what happens when he runs out of interesting, forbidden things to +learn about the phone system. + +"I don't know, maybe I'd go to work for them for a while." + +"In security even?" + + + Page 56 + + + + + The Official Phreaker's Manual + +"I'd do it, sure. I just as soon play -- I'd just as soon work on either +side." + +"Even figuring out how to trap phone phreaks? I said, recalling Mark Bernay's +game." + +"Yes, that might be interesting. Yes, I could figure out how to outwit the +phone phreaks. Of course if I got too good at it, it might become boring +again. Then I'd have to hope the phone phreaks got much better and outsmarted +me for a while. That would move the quality of the game up one level. I might +even have to help them out, you know, 'Well, kids, I wouldn't want this to get +around but did you ever think of -- ?' I could keep it going at higher and +higher levels forever." + +The dealer speaks up for the first time. He has been staring at the soft +blinking patterns of light and colors on the translucent tiled wall facing him. +(Actually there are no patterns: the color and illumination of every tile is +determined by a computerized random-number generator designed by Gilbertson +which insures that there can be no meaning to any sequence of events in the +tiles.) + +"Those are nice games you're talking about," says the dealer to his friend. +"But I wouldn't mind seeing them screwed. A telephone isn't private anymore. +You can't say anything you really want to say on a telephone or you have to go +through that paranoid bullshit. 'Is it cool to talk on the phone?' I mean, +even if it is cool, if you have to ask 'Is it cool,' then it isn't cool. You +know. 'Is it cool,' then it isn't cool. You know. Like those blind kids, +people are going to start putting together their own private telephone +companies if they want to really talk. And you know what else. You don't hear +silences on the phone anymore. They've got this time-sharing thing on +long-distance lines where you make a pause and they snip out that piece of time +and use it to carry part of somebody else's conversation. Instead of a pause, +where somebody's maybe breathing or sighing, you get this blank hole and you +only start hearing again when someone says a word and even the beginning of the +word is clipped off. Silences don't count -- you're paying for them, but they +take them away from you. It's not cool to talk and you can't hear someone when +they don't talk. What the hell good is the phone? I wouldn't mind seeing them +totally screwed." + ++-- End third file of four --+ + + + + + + + + + + + + + + + + + + + + Page 57 + + + + + The Official Phreaker's Manual + + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + * * + * +----------------------------------------------+ * + * * + * Secrets of the Little Blue Box * + * * + * by Ron Rosenbaum * + * Typed by One Farad Cap/AAG * + * * + * -A story so incredible it may even make you * + * feel sorry for the phone company- * + * * + * (Fourth of four files) * + * * + * +----------------------------------------------+ * + * * + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + +The Big Memphis Bust + +Joe Engressia never wanted to screw Ma Bell. His dream had always been to work +for her. + +The day I visited Joe in his small apartment on Union Avenue in Memphis, he was +upset about another setback in his application for a telephone job. + +"They're stalling on it. I got a letter today telling me they'd have to +postpone the interview I requested again. My landlord read it for me. They +gave me some runaround about wanting papers on my rehabilitation status but I +think there's something else going on." + +When I switched on the 40-watt bulb in Joe's room -- he sometimes forgets when +he has guests -- it looked as if there was enough telephone hardware to start a +small phone company of his own. + +There is one phone on top of his desk, one phone sitting in an open drawer +beneath the desk top. Next to the desk-top phone is a cigar-box-size M-F +device with big toggle switches, and next to that is some kind of switching and +coupling device with jacks and alligator plugs hanging loose. Next to that is +a Braille typewriter. On the floor next to the desk, lying upside down like a +dead tortoise, is the half-gutted body of an old black standard phone. Across +the room on a torn and dusty couch are two more phones, one of them a +touch-tone model; two tape recorders; a heap of phone patches and cassettes, +and a life-size toy telephone. + +Our conversation is interrupted every ten minutes by phone phreaks from all +over the country ringing Joe on just about every piece of equipment but the toy +phone and the Braille typewriter. One fourteen-year-old blind kid from +Connecticut calls up and tells Joe he's got a girl friend. He wants to talk to +Joe about girl friends. Joe says they'll talk later in the evening when they +can be alone on the line. Joe draws a deep breath, whistles him off the air +with an earsplitting 2600-cycle whistle. Joe is pleased to get the calls but he +looked worried and preoccupied that evening, his brow constantly furrowed over +his dark wandering eyes. In addition to the phone-company stall, he has just +learned that his apartment house is due to be demolished in sixty days for +urban renewal. For all its shabbiness, the Union Avenue apartment house has +been Joe's first home-of-his-own and he's worried that he may not find another +before this one is demolished. + + Page 58 + + + + + The Official Phreaker's Manual + + +But what really bothers Joe is that switchmen haven't been listening to him. +"I've been doing some checking on 800 numbers lately, and I've discovered that +certain 800 numbers in New Hampshire couldn't be reached from Missouri and +Kansas. Now it may sound like a small thing, but I don't like to see sloppy +work; it makes me feel bad about the lines. So I've been calling up switching +offices and reporting it, but they haven't corrected it. I called them up for +the third time today and instead of checking they just got mad. Well, that +gets me mad. I mean, I do try to help them. There's something about them I +can't understand -- you want to help them and they just try to say you're +defrauding them." + +It is Sunday evening and Joe invites me to join him for dinner at a Holiday +Inn. Frequently on Sunday evening Joe takes some of his welfare money, calls a +cab, and treats himself to a steak dinner at one of Memphis' thirteen Holiday +Inns. (Memphis is the headquarters of Holiday Inn. Holiday Inns have been a +favorite for Joe ever since he made his first solo phone trip to a Bell +switching office in Jacksonville, Florida, and stayed in the Holiday Inn there. +He likes to stay at Holiday Inns, he explains, because they represent freedom +to him and because the rooms are arranged the same all over the country so he +knows that any Holiday Inn room is familiar territory to him. Just like any +telephone.) + +Over steaks in the Pinnacle Restaurant of the Holiday Inn Medical Center on +Madison Avenue in Memphis, Joe tells me the highlights of his life as a phone +phreak. + +At age seven, Joe learned his first phone trick. A mean baby-sitter, tired of +listening to little Joe play with the phone as he always did, constantly, put a +lock on the phone dial. "I got so mad. When there's a phone sitting there and +I can't use it... so I started getting mad and banging the receiver up and +down. I noticed I banged it once and it dialed one. Well, then I tried +banging it twice...." In a few minutes Joe learned how to dial by pressing the +hook switch at the right time. "I was so excited I remember going 'whoo whoo' +and beat a box down on the floor." + +At age eight Joe learned about whistling. "I was listening to some intercept +non working-number recording in L.A.- I was calling L.A. as far back as that, +but I'd mainly dial non working numbers because there was no charge, and I'd +listen to these recordings all day. Well, I was whistling 'cause listening to +these recordings can be boring after a while even if they are from L.A., and +all of a sudden, in the middle of whistling, the recording clicked off. I +fiddled around whistling some more, and the same thing happened. So I called +up the switch room and said, 'I'm Joe. I'm eight years old and I want to know +why when I whistle this tune the line clicks off.' He tried to explain it to +me, but it was a little too technical at the time. I went on learning. That +was a thing nobody was going to stop me from doing. The phones were my life, +and I was going to pay any price to keep on learning. I knew I could go to +jail. But I had to do what I had to do to keep on learning." + +The phone is ringing when we walk back into Joe's apartment on Union Avenue. +It is Captain Crunch. The Captain has been following me around by phone, +calling up everywhere I go with additional bits of advice and explanation for +me and whatever phone phreak I happen to be visiting. This time the Captain +reports he is calling from what he describes as "my hideaway high up in the +Sierra Nevada." He pulses out lusty salvos of M-F and tells Joe he is about to +"go out and get a little action tonight. Do some phreaking of another kind, if +you know what I mean." Joe chuckles. + + Page 59 + + + + + The Official Phreaker's Manual + + +The Captain then tells me to make sure I understand that what he told me about +tying up the nation's phone lines was true, but that he and the phone phreaks +he knew never used the technique for sabotage. They only learned the technique +to help the phone company. + +"We do a lot of troubleshooting for them. Like this New Hampshire/Missouri +WATS-line flaw I've been screaming about. We help them more than they know." + +After we say good-bye to the Captain and Joe whistles him off the line, Joe +tells me about a disturbing dream he had the night before: "I had been caught +and they were taking me to a prison. It was a long trip. They were taking me +to a prison a long long way away. And we stopped at a Holiday Inn and it was +my last night ever using the phone and I was crying and crying, and the lady at +the Holiday Inn said, 'Gosh, honey, you should never be sad at a Holiday Inn. +You should always be happy here. Especially since it's your last night.' And +that just made it worse and I was sobbing so much I couldn't stand it." + +Two weeks after I left Joe Engressia's apartment, phone-company security agents +and Memphis police broke into it. Armed with a warrant, which they left pinned +to a wall, they confiscated every piece of equipment in the room, including his +toy telephone. Joe was placed under arrest and taken to the city jail where he +was forced to spend the night since he had no money and knew no one in Memphis +to call. + +It is not clear who told Joe what that night, but someone told him that the +phone company had an open-and-shut case against him because of revelations of +illegal activity he had made to a phone-company undercover agent. + +By morning Joe had become convinced that the reporter from Esquire, with whom +he had spoken two weeks ago, was the undercover agent. He probably had ugly +thoughts about someone he couldn't see gaining his confidence, listening to him +talk about his personal obsessions and dreams, while planning all the while to +lock him up. + +"I really thought he was a reporter," Engressia told the Memphis Press-Seminar. +"I told him everything...." Feeling betrayed, Joe proceeded to confess +everything to the press and police. + +As it turns out, the phone company did use an undercover agent to trap Joe, +although it was not the Esquire reporter. + +Ironically, security agents were alerted and began to compile a case against +Joe because of one of his acts of love for the system: Joe had called an +internal service department to report that he had located a group of defective +long-distance trunks, and to complain again about the New Hampshire/Missouri +WATS problem. Joe always liked Ma Bell's lines to be clean and responsive. A +suspicious switchman reported Joe to the security agents who discovered that +Joe had never had a long-distance call charged to his name. + +Then the security agents learned that Joe was planning one of his phone trips +to a local switching office. The security people planted one of their agents +in the switching office. He posed as a student switchman and followed Joe +around on a tour. He was extremely friendly and helpful to Joe, leading him +around the office by the arm. When the tour was over he offered Joe a ride back +to his apartment house. On the way he asked Joe -- one tech man to another -- +about "those blue boxers" he'd heard about. Joe talked about them freely, +talked about his blue box freely, and about all the other things he could do + + Page 60 + + + + + The Official Phreaker's Manual + +with the phones. + +The next day the phone-company security agents slapped a monitoring tape on +Joe's line, which eventually picked up an illegal call. Then they applied for +the search warrant and broke in. + +In court Joe pleaded not guilty to possession of a blue box and theft of +service. A sympathetic judge reduced the charges to malicious mischief and +found him guilty on that count, sentenced him to two thirty-day sentences to be +served concurrently and then suspended the sentence on condition that Joe +promise never to play with phones again. Joe promised, but the phone company +refused to restore his service. For two weeks after the trial Joe could not be +reached except through the pay phone at his apartment house, and the landlord +screened all calls for him. + +Phone-phreak Carl managed to get through to Joe after the trial, and reported +that Joe sounded crushed by the whole affair. + +"What I'm worried about," Carl told me, "is that Joe means it this time. The +promise. That he'll never phone-phreak again. That's what he told me, that +he's given up phone-phreaking for good. I mean his entire life. He says he +knows they're going to be watching him so closely for the rest of his life +he'll never be able to make a move without going straight to jail. He sounded +very broken up by the whole experience of being in jail. It was awful to hear +him talk that way. I don't know. I hope maybe he had to sound that way. Over +the phone, you know." + +He reports that the entire phone-phreak underground is up in arms over the +phone company's treatment of Joe. "All the while Joe had his hopes pinned on +his application for a phone-company job, they were stringing him along getting +ready to bust him. That gets me mad. Joe spent most of his time helping them +out. The bastards. They think they can use him as an example. All of sudden +they're harassing us on the coast. Agents are jumping up on our lines. They +just busted ------'s mute yesterday and ripped out his lines. But no matter +what Joe does, I don't think we're going to take this lying down." + +Two weeks later my phone rings and about eight phone phreaks in succession say +hello from about eight different places in the country, among them Carl, Ed, +and Captain Crunch. A nationwide phone-phreak conference line has been +reestablished through a switching machine in --------, with the cooperation of +a disgruntled switchman. + +"We have a special guest with us today," Carl tells me. + +The next voice I hear is Joe's. He reports happily that he has just moved to a +place called Millington, Tennessee, fifteen miles outside of Memphis, where he +has been hired as a telephone-set repairman by a small independent phone +company. Someday he hopes to be an equipment troubleshooter. + +"It's the kind of job I dreamed about. They found out about me from the +publicity surrounding the trial. Maybe Ma Bell did me a favor busting me. +I'll have telephones in my hands all day long." + +"You know the expression, 'Don't get mad, get even'?" phone-phreak Carl asked +me. "Well, I think they're going to be very sorry about what they did to Joe +and what they're trying to do to us." + ++-- End fourth file of four --+ + + Page 61 + + + + + The Official Phreaker's Manual + + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + $ $ + $ THE HISTORY OF ESS $ + $ --- ------- -- --- $ + $ $ + $ $ + $ Another original phile by: $ + $ $ + $ $ + $$$$$$$$$$$$-=>Lex Luthor<=-$$$$$$$$$$$ + $ $ + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + + + Of all the new 1960s wonders of telephone technology - satellites, ultra +modern Traffic Service Positions (TSPS) for operators, the picturephone, and so +on - the one that gave Bell Labs the most trouble, and unexpectedly became the +greatest development effort in Bell System's history, was the perfection of an +electronic switching system, or ESS. + + It may be recalled that such a system was the specific end in view when the +project that had culminated in the invention of the transistor had been +launched back in the 1930s. After successful accomplishment of that planned +miracle in 1947-48, further delays were brought about by financial stringency +and the need for further development of the transistor itself. In the early +1950s, a Labs team began serious work on electronic switching. As early as +1955, Western Electric became involved when five engineers from the Hawthorne +works were assigned to collaborate with the Labs on the project. The president +of AT&T in 1956, wrote confidently, "At Bell Labs, development of the new +electronic switching system is going full speed ahead. We are sure this will +lead to many improvements in service and also to greater efficiency. The first +service trial will start in Morris, Ill., in 1959." Shortly thereafter, Kappel +said that the cost of the whole project would probably be $45 million. + + But it gradually became apparent that the development of a commercially +usable electronic switching system -in effect, a computerized telephone +exchange - presented vastly greater technical problems than had been +anticipated, and that, accordingly, Bell Labs had vastly underestimated both +the time and the investment needed to do the job. The year 1959 passed without +the promised first trial at Morris, Illinois; it was finally made in November +1960, and quickly showed how much more work remained to be done. As time +dragged on and costs mounted, there was a concern at AT&T and some-thing +approaching panic at Bell Labs. But the project had to go forward; by this +time the investment was too great to be sacrificed, and in any case, forward +projections of increased demand for telephone service indicated that within a +phew years a time would come when, without the quantum leap in speed and +flexibility that electronic switching would provide, the national network would +be unable to meet the demand. In November 1963, an all-electronic switching +system went into use at the Brown Engineering Company at Cocoa Beach, Florida. +But this was a small installation, essentially another test installation, +serving only a single company. Kappel's tone on the subject in the 1964 annual +report was, for him, an almost apologetic: "Electronic switching equipment must +be manufactured in volume to unprecedented standards of reliability.... To turn +out the equipment economically and with good speed, mass production methods +must be developed; but, at the same time, there can be no loss of precision..." +Another year and millions of dollars later, on May 30, 1965, the first +commercial electric central office was put into service at Succasunna, New +Jersey. + + Page 62 + + + + + The Official Phreaker's Manual + + + Even at Succasunna, only 200 of the town's 4,300 subscribers initially had +the benefit of electronic switching's added speed and additional services, such +as provision for three party conversations and automatic transfer of incoming +calls. But after that, ESS was on its way. In January 1966, the second +commercial installation, this one serving 2,900 telephones, went into service +in Chase, Maryland. By the end of 1967 there were additional ESS offices in +California, Connecticut, Minnesota, Georgia, New York, Florida, and +Pennsylvania; by the end of 1970 there were 120 offices serving 1.8 million +customers; and by 1974 there were 475 offices serving 5.6 million customers. + + The difference between conventional switching and electronic switching is +the difference between "hardware" and "software"; in the former case, +maintenance is done on the spot, with screwdriver and pliers, while in the case +of electronic switching, it can be done remotely, by computer, from a central +point, making it possible to have only one or two technicians on duty at a time +at each switching center. + + The development program, when the final figures were added up, was found to +have required a staggering four thousand man-years of work at Bell Labs and to +have cost not $45 million but $500 million! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 63 + + + + + The Official Phreaker's Manual + + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + $ $ + $ THE HISTORY OF BRITISH PHREAKING $ + $ -=- -=-=-=- -- -=-=-=- -=-=-=-=- $ + $ $ + $ THE SECOND IN A SERIES OF $ + $ THE HISTORY OF.....PHILES $ + $ $ + $ WRITTEN AND UPLOADED BY: $ + $ $ + $$$$$$$$$$$$-=>LEX LUTHOR<=-$$$$$$$$$$$ + $ AND $ + $ THE LEGION OF DOOM! $ + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + + NOTE: THE BRITISH POST OFFICE, IS THE U.S. EQUIVALENT OF MA BELL. + + IN BRITAIN, PHREAKING GOES BACK TO THE EARLY FIFTIES, WHEN THE TECHNIQUE OF +'TOLL A DROP BACK' WAS DISCOVERED. TOLL A WAS AN EXCHANGE NEAR ST. PAULS +WHICH ROUTED CALLS BETWEEN LONDON AND NEARBY NON-LONDON EXCHANGES. THE TRICK +WAS TO DIAL AN UNALLOCATED NUMBER, AND THEN DEPRESS THE RECEIVER-REST FOR 1/2 +SECOND. THIS FLASHING INITIATED THE 'CLEAR FORWARD' SIGNAL, LEAVING THE CALLER +WITH AN OPEN LINE INTO THE TOLL A EXCHANGE.THE COULD THEN DIAL 018, WHICH +FORWARDED HIM TO THE TRUNK EXCHANGE AT THAT TIME, THE FIRST LONG DISTANCE +EXCHANGE IN BRITAIN AND FOLLOW IT WITH THE CODE FOR THE DISTANT EXCHANGE TO +WHICH HE WOULD BE CONNECTED AT NO EXTRA CHARGE. + + THE SIGNALS NEEDED TO CONTROL THE UK NETWORK TODAY WERE PUBLISHED IN THE +"INSTITUTION OF POST OFFICE ENGINEERS JOURNAL" AND REPRINTED IN THE SUNDAY +TIMES (15 OCT. 1972). + + THE SIGNALLING SYSTEM THEY USE: SIGNALLING SYSTEM NO. 3 USES PAIRS OF +FREQUENCIES SELECTED FROM 6 TONES SEPARATED BY 120HZ. WITH THAT INFO, THE +PHREAKS MADE "BLEEPERS" OR AS THEY ARE CALLED HERE IN THE U.S. "BLUE BOX", BUT +THEY DO UTILIZE DIFFERENT MF TONES THEN THE U.S., THUS, YOUR U.S. BLUE BOX +THAT YOU SMUGGLED INTO THE UK WILL NOT WORK, UNLESS YOU CHANGE THE +FREQUENCIES. + + IN THE EARLY SEVENTIES, A SIMPLER SYSTEM BASED ON DIFFERENT NUMBERS OF PULSES +WITH THE SAME FREQUENCY (2280HZ) WAS USED. FOR MORE INFO ON THAT, TRY TO GET A +HOLD OF: ATKINSON'S "TELEPHONY AND SYSTEMS TECHNOLOGY". + + IN THE EARLY DAYS OF BRITISH PHREAKING, THE CAMBRIDGE UNIVERSITY TITAN +COMPUTER WAS USED TO RECORD AND CIRCULATE NUMBERS FOUND BY THE EXHAUSTIVE +DIALING OF LOCAL NETWORKS. THESE NUMBERS WERE USED TO CREATE A CHAIN OF LINKS +FROM LOCAL EXCHANGE TO LOCAL EXCHANGE ACROSS THE COUNTRY, BYPASSING THE TRUNK +CIRCUITS. BECAUSE THE INTERNAL ROUTING CODES IN THE UK NETWORK ARE NOT THE +SAME AS THOSE DIALED BY THE CALLER, THE PHREAKS HAD TO DISCOVER THEM BY 'PROBE +AND LISTEN' TECHNIQUES OR MORE COMMONLY KNOWN IN THE U.S.-- SCANNING. WHAT +THEY DID WAS PUT IN LIKELY SIGNALS AND LISTENED TO FIND OUT IF THEY SUCCEEDED. +THE RESULTS OF SCANNING WERE CIRCULATED TO OTHER PHREAKS. DISCOVERING EACH +OTHER TOOK TIME AT FIRST, BUT EVENTUALLY THE PHREAKS BECAME ORGANIZED. THE +"TAP" OF BRITAIN WAS CALLED "UNDERCURRENTS" WHICH ENABLED BRITISH PHREAKS TO +SHARE THE INFO ON NEW NUMBERS, EQUIPMENT ETC. + + TO UNDERSTAND WHAT THE BRITISH BRITISH PHREAKS DID, THINK OF THE PHONE +NETWORK IN THREE LAYERS OF LINES: LOCAL, TRUNK, AND INTERNATIONAL.#IN THE UK, +SUBSCRIBER TRUNK DIALING (STD), IS THE MECHANISM WHICH TAKES A CALL FROM THE + + Page 64 + + + + + The Official Phreaker's Manual + +LOCAL LINES AND (LEGITIMATELY) ELEVATES IT TO A TRUNK OR INTERNATIONAL +LEVEL.#THE UK PHREAKS FIGURED THAT A CALL AT TRUNK LEVEL CAN BE ROUTED THROUGH +ANY NUMBER OF EXCHANGES, PROVIDED THAT THE RIGHT ROUTING CODES WERE FOUND AND +USED CORRECTLY. THEY ALSO HAD TO DISCOVER HOW TO GET FROM LOCAL TO TRUNK LEVEL +EITHER WITHOUT BEING CHARGED (WHICH THEY DID WITH A BLEEPER BOX) OR WITHOUT +USING (STD). CHAINING HAS ALREADY BEEN MENTIONED BUT IT REQUIRES LONG STRINGS +OF DIGITS AND SPEECH GETS MORE AND MORE FAINT AS THE CHAIN GROWS, JUST LIKE IT +DOES WHEN YOU STACK TRUNKS BACK AND FORTH ACROSS THE U.S.#THE WAY THE SECURITY +REPS SNAGGED THE PHREAKS WAS TO PUT A SIMPLE 'PRINTERMETER' OR AS WE CALL IT: +A PEN REGISTER ON THE SUSPECTS LINE, WHICH SHOWS EVERY DIGIT DIALED FROM THE +SUBSCRIBERS LINE. + + THE BRITISH PREFER TO GET ONTO THE TRUNKS RATHER THAN CHAINING. ONE WAY WAS +TO DISCOVER WHERE LOCAL CALLS USE THE TRUNKS BETWEEN NEIGHBORING EXCHANGES, +START A CALL AND STAY ON THE TRUNK INSTEAD OF RETURNING TO THE LOCAL LEVEL ON +REACHING THE DISTANT SWITCH. THIS AGAIN REQUIRED EXHAUSTIVE DIALING AND MADE +MORE WORK FOR TITAN; IT ALSO REVEALED 'FIDDLES', WHICH WERE INSERTED BY POST +OFFICE ENGINEERS. + + WHAT FIDDLING MEANS IS THAT THE ENGINEERS REWIRED THE EXCHANGES FOR THEIR OWN +BENEFIT. THE EQUIPMENT IS MODIFIED TO GIVE ACCESS TO A TRUNK WITH OUT BEING +CHARGED, AN OPERATION WHICH IS PRETTY EASY IN STEP BY STEP (SXS) +ELECTROMECHANICAL EXCHANGES, WHICH WERE INSTALLED IN BRITAIN EVEN IN THE 1970S +(NOTE: I KNOW OF A BACK DOOR INTO THE CANADIAN SYSTEM ON A 4A CO., SO IF YOU +ARE ON SXS OR A 4A, TRY SCANNING 3 DIGIT EXCHANGES, IE: DIAL 999,998,997 +ETC.#AND LISTEN FOR THE BEEP-KERCHINK, IF THERE ARE NO 3 DIGIT CODES WHICH +ALLOW DIRECT ACCESS TO A TANDEM IN YOUR LOCAL EXCHANGE AND BYPASSES THE AMA SO +YOU WON'T BE BILLED, NOT HAVE TO BLAST 2600 EVERY TIME YOU WISH TO BOX A CALL. + + A FAMOUS BRITISH 'FIDDLER' REVEALED IN THE EARLY 1970S WORKED BY DIALING 173. +THE CALLER THEN ADDED THE TRUNK CODE OF 1 AND THE SUBSCRIBERS LOCAL NUMBER. AT +THAT TIME, MOST ENGINEERING TEST SERVICES BEGAN WITH 17X, SO THE ENGINEERS +COULD HIDE THEIR FIDDLES IN THE NEST OF SERVICE WIRES. WHEN SECURITY REPS +STARTED SEARCHING, THE FIDDLES WERE CONCEALED BY TONES SIGNALLING: 'NUMBER +UNOBTAINALBE' OR 'EQUIPMENT ENGAGED' WHICH SWITCHED OFF AFTER A DELAY. THE +NECESSARY RELAYS ARE SMALL AND EASILY HIDDEN. + + THERE WAS ANOTHER SIDE TO PHREAKING IN THE UK IN THE SIXTIES. BEFORE STD WAS +WIDESPREAD, MANY 'ORDINARY' PEOPLE WERE DRIVEN TO. + +OCCASIONAL PHREAKING FROM SHEER FRUSTRATION AT THE INEFFICIENT OPERATOR +CONTROLLED TRUNK SYSTEM. THIS CAME TO A HEAD DURING A STRIKE ABOUT 1961 WHEN +OPERATORS COULD NOT BE REACHED. NOTHING COMPLICATED WAS NEEDED. MANY +OPERATORS HAD BEEN IN THE HABIT OF REPEATING THE CODES AS THEY DIALLED THE +REQUESTED NUMBERS SO PEOPLE SOON LEARNT THE NUMBERS THEY CALLED FREQUENTLY. +THE ONLY 'TRICK' WAS TO KNOW WHICH EXCHANGES COULD BE DIALLED THROUGH TO PASS +ON THE TRUNK NUMBER.CALLERS ALSO NEEDED A PRETTY QUIET PLACE TO DO IT, SINCE +TIMING RELATIVE TO CLICKS WAS IMPORTANT THE MOST FAMOUS TRIAL OF BRITISH +PHREAKS WAS CALLED THE OLD BAILY TRIAL.#WHICH STARTED ON 3 OCT. 1973.#WHAT +THEY PHREAKS DID WAS TO DIAL A SPARE NUMBER AT A LOCAL CALL RATE BUT INVOLVING +A TRUNK TO ANOTHER EXCHANGE THEN THEY SEND A 'CLEAR FORWARD' TO THEIR LOCAL +EXCHANGE, INDICATING TO IT THAT THE CALL IS FINISHED;BUT THE DISTANT EXCHANGE +DOESN'T REALIZE BECAUSE THE CALLER'S PHONE IS STILL OFF THE HOOK. THEY NOW +HAVE AN OPEN LINE INTO THE DISTANT TRUNK EXCHANGE AND SENDS TO IT A 'SEIZE' +SIGNAL: '1' WHICH PUTS HIM ONTO ITS OUTGOING LINES NOW, IF THEY KNOW THE +CODES, THE WORLD IS OPEN TO THEM. ALL OTHER EXCHANGES TRUST HIS LOCAL EXCHANGE +TO HANDLE THE BILLING; THEY JUST INTERPRET THE TONES THEY HEAR. MEAN WHILE, +THE LOCAL EXCHANGE COLLECTS ONLY FOR A LOCAL CALL. THE INVESTIGATORS + + Page 65 + + + + + The Official Phreaker's Manual + +DISCOVERED THE PHREAKS HOLDING A CONFERENCE SOMEWHERE IN ENGLAND SURROUNDED BY +VARIOUS PHONE EQUIPMENT AND BLEEPER BOXES, ALSO PRINTOUTS LISTING 'SECRET' POST +OFFICE CODES. (THEY PROBABLY GOT THEM FROM TRASHING?) THE JUDGE SAID: "SOME +TAKE TO HEROIN, SOME TAKE TO TELEPHONES" FOR THEM PHONE PHREAKING WAS NOT A +CRIME BUT A HOBBY TO BE SHARED WITH PHELLOW ENTHUSIASTS AND DISCUSSED WITH THE +POST OFFICE OPENLY OVER DINNER AND BY MAIL. THEIR APPROACH AND ATTITUDE TO THE +WORLDS LARGEST COMPUTER, THE GLOBAL TELEPHONE SYSTEM, WAS THAT OF SCIENTISTS +CONDUCTING EXPERIMENTS OR PROGRAMMERS AND ENGINEERS TESTING PROGRAMS AND +SYSTEMS. THE JUDGE APPEARED TO AGREE, AND EVEN ASKED THEM FOR PHREAKING CODES +TO USE FROM HIS LOCAL EXCHANGE!!! + +# $-THE END-$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 66 + + + + + The Official Phreaker's Manual + + Bad as Shit + + Recently, a telephone fanatic in the northwest made an interesting +discovery. He was exploring the 804 area code (Virginia) and found out that +the 840 exchange did something strange. + In the vast majority of cases, in fact in all of the cases except one, he +would get a recording as if the exchange didn't exist. However, if he dialed +804-840 and four rather predictable numbers, he got a ring! + + After one or two rings, somebody picked up. Being experienced at this kind +of thing, he could tell that the call didn't "supe", that is, no charges were +being incurred for calling this number. + (Calls that get you to an error message, or a special operator, generally +don't supervise.) A female voice, with a hint of a Southern accent said, +"Operator, can I help you?" + + "Yes," he said, "What number have I reached?" + + "What number did you dial, sir?" + + He made up a number that was similar. + + "I'm sorry that is not the number you reached." Click. + + He was fascinated. What in the world was this? He knew he was going to +call back, but before he did, he tried some more experiments. He tried the 840 +exchange in several other area codes. In some, it came up as a valid exchange. +In others, exactly the same thing happened -- the same last four digits, the +same Southern belle. Oddly enough, he later noticed, the areas worked in +seemed to travel in a beeline from Washington DC to Pittsburgh, PA. + + He called back from a payphone. "Operator, can I help you?" + + "Yes, this is the phone company. I'm testing this line and we don't seem to +have an identification on your circuit. What office is this, please?" + + "What number are you trying to reach?" + + "I'm not trying to reach any number. I'm trying to identify this circuit." + + "I'm sorry, I can't help you." + + "Ma'am, if I don't get an ID on this line, I'll have to disconnect it. We +show no record of it here." + + "Hold on a moment, sir." + + After about a minute, she came back. "Sir, I can have someone speak to you. +Would you give me your number, please?" + + He had anticipated this and he had the payphone number ready. After he gave +it, she said, "Mr. XXX will get right back to you." + + "Thanks." He hung up the phone. It rang. INSTANTLY! "Oh my God," he +thought, "They weren't asking for my number -- they were confirming it!" + + "Hello," he said, trying to sound authoritative. + + + Page 67 + + + + + The Official Phreaker's Manual + + "This is Mr. XXX. Did you just make an inquiry to my office concerning a +phone number?" + + "Yes. I need an identi--" + + "What you need is advice. Don't ever call that number again. Forget you +ever knew it." + + At this point our friend got so nervous he just hung up. He expected to +hear the phone ring again but it didn't. + + Over the next few days he racked his brains trying to figure out what the +number was. He knew it was something big -- that was pretty certain at this +point. It was so big that the number was programmed into every central office +in the country. He knew this because if he tried to dial any other number in +that exchange, he'd get a local error message from his CO, as if the exchange +didn't exist. + + It finally came to him. He had an uncle who worked in a federal agency. He +had a feeling that this was government related and if it was, his uncle could +probably find out what it was. He asked the next day and his uncle promised to +look into the matter. + + The next time he saw his uncle, he noticed a big change in his manner. He +was trembling. "Where did you get that number?!" he shouted. "Do you know I +almost got fired for asking about it?!? They kept wanting to know where I got +it." + + Our friend couldn't contain his excitement. "What is it?" he pleaded. +"What's the number?!" + +"IT'S THE PRESIDENT'S BOMB SHELTER!" + + He never called the number after that. He knew that he could probably cause +quite a bit of excitement by calling the number and saying something like, "The +weather's not good in Washington. We're coming over for a visit." But our +friend was smart. he knew that there were some things that were better off +unsaid and undone. <> + + + + + + + + + + + + + + + + + + + + + + Page 68 + + + + + The Official Phreaker's Manual + + Chapter 3 + + This chapter is really just a bunch of FACS (pun intended). Here is where +random facts that really have something to do with everything else but nothing +to do with anything else, are presented. They cover various topics such as: +Conferencing, Tracing, Pen registers, Calling cards, and some basic FMF (Fool +the Mother Fuckers). The aspects covered here are very brief and could easily +be covered much more thoroughly, but it is no problem since they are not very +important topics. Something that would make a very nice gift is covered in the +article AT&T forgery. Just make up stationary with AT&T letter head and give +it as a present to your phriends who would appreciate it. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 69 + + + + + The Official Phreaker's Manual + + Phreaking COSMOS + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + COSMOS is Bell's computer for handling information on customer lines, +special services on lines, and orders to change line equipment, disconnect +lines, etc. COSMOS stands for Computerized System for Mainframe Operations. It +is based on the UNIX operating system and, depending upon the COSMOS and upon +your access, has some, many, or no UNIX standard commands. COSMOS is powerful, +but there is no reason to be afraid of it. This article will give some of the +basic, pertinent info on how users get in, account format, and a few other +goodies. + + Password Identification + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + To get onto COSMOS you need a dialup, account, password, and wire center +(WC). Wire centers are two letter codes that tell what section of the COSMOS +you are in. There are different WC's f or different areas and groups of +exchanges. Examples are PB, SR, LK, et c. Sometimes there are accounts that +have no password; obviously such accounts are the easiest to hack. + + Checking It Out + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + Let's suppose you have a COSMOS number which you obtained one way or +another. The first thing to do would be to make sure it is really a COSMOS +system, not some other Bell or AT&T computer. To do this, you would call it +and connect your modem,, then hit some returns until you got a response. It +should say: + + ';LOGIN:' or 'NAME:'. + If you enter some garbage it should say: +'PASSWORD:'. + If you hit a return and it says 'WC?', it is a COSMOS system. If it says +something like 'TA%' then you're in business. If it doesn't do any of the +above, then it is either some other kind of system, or, if you're not getting +anything at all, the dialup has probably gone bad. + + Getting In + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + COSMOS has certain accounts that are usually on the system, one of which +might not have a password. They consist of ROOT (most powerful and almost +always on the system), SYS (second most powerful, still many privileges), BIN +(a little less power), PREOP (a little less), and COSMOS (hardly any +privileges, like a normal user). The way to tell if they have passwords is by +entering accounts at the ';LOGIN:' or ' NAME:' prompt, and if it jumps straight +to 'WC?', all you need is a WC to get in. But suppose all of the accounts have +passwords? You have two choices. You can try to hack the password and WC to +one of the above accounts. I won't deal with this method, as is +self-explanatory. Or you can do something I find much easier...call the +COSMOS during business hours and hope that someone forgot to log off. Keep +calling until when you connect and hit return until you get a 'WC%' prompt. +'WC' is the WC that the account you found is currently in. You are now in! + + What to Do while on-line + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + + Page 70 + + + + + The Official Phreaker's Manual + + The first thing you want to do is write down the WC you are in. Only on our +first login it is a good idea to print everything or dump everything to a +buffer. + + Commands + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +'WCFLDS'(!) : Should list all WC's. +'WHO' : Should print everyone currently logged on the system, giving +some accounts. +'TTY' : Tells what terminal port you are on. +'WHERE' : Should tell the location of the COSMOS installation. +'WHAT' : Tells what version of COSNIX, COSMOS's operating system, it +is. +'LS *' : Prints all the files you have access to. +'CD /dir' : Connects you to the directory '/dir'. +'CAT filename ' : Prints the file 'filename'. +'Q' : Quits the editor. +CTRL- Y. : Logs off +'TAT' : Sometimes prints a little help file. +'ISH' : Check someone's telefone #, type 'ISH' at the COSMOS 'WC%' +prompt. Then type. +'HTN XXX-XXXX' : (Hunt Telephone Number) to tell you about the local number +you are interested in. + +'CAT /ETC/PASSWD': Prints out the password file, if you have access. The +passwords are almost always encrypted, but you get a list of all the accounts. +If you are lucky, one of the lines will have two colons after the account name. +This means there is no prompt from the ';LOGIN:' or 'NAME:' prompts when you +enter that account. + +To run a file just type the name followed by a return. + + When the system gives you a '-', you type a '.', and it will type all kinds +of info on the phone number you entered (in Bell abbreviations, of course). If +it is not a good exchange, it will say something to that effect. You type a +period to end the ISH. + If you wish to learn more information about COSMOS, find yourself a COSMOS +manual or look at future issues of 2600. A UNIX manual would also be helpful +for standard UNIX commands. + + + + + + + + + + + + + + + + + + + + + Page 71 + + + + + The Official Phreaker's Manual + + FACS FACTS + A LOOK AT THE NEW FACS SYSTEMS + BY SHARP RAZOR + + + BELL ATLANTIC (AND PROBABLY THE REST OF THE U.S. SOON ENOUGH) IS REVAMPING +COSMOS. THE PROJECT IS CALLED FACS (FACILITATED ASSIGNMENT AND CONTROL +SYSTEM).FACS IS COMPOSED OF 5 MODULES WHICH ARE DESIGNED TO FUNCTION AS A +UNIFIED SYSTEM. THE PREMIS AND THE COSMOS SYSTEMS CAN FUNCTION AS ST AND-ALONE +SYSTEMS.THE FIVE PARTS OF FACS ARE PREMIS,SOAC, LFACS,COSMOS,AND THE WM. + + THE PREMIS (PREMISES INFORMATION SYSTEM) SUPPORTS BOTH RESIDENCE AND +BUSINESS ACCOUNTS. PREMIS IS USED FOR VARIOUS INQUIRIES FOR THE STREET ADDRESS +GUIDE(SAG),IE::PHONE NUMBERS,BILLING CHARGES,CREDIT,ETC. + + THE SECOND PART OF FACS IS THE SOAC(SERVICE ORDER ANALYSIS AND CONTROL). +THIS IS PRIMARILY USED TO INPUT SERVICE ORDER DATA INTO FACS, AND TO GET THE +APPROPRIATE OUTPUT. SOAC INTERPRETS, VALIDATES,AND DECOMPOSES ALL INPUTED DATA +AND SENDS THE INFO TO THE COSMOS AND THE LFACS SYSTEMS. + + THE THIRD PART OF THE SYSTEM IS LFACS(LOOP FACILITIES AND CONTROL SYSTEM). +THIS IS THE COMPONENT OF FACS THAT IS RESPONSIBLE FOR MAINTAINING THE +INVENTORY,DOING THE ASSIGNMENTS, ADMINISTRATING INQUIRIES AND REPORTS, AND IS +THE INVENTORY TRANSFORMATION CENTER. THIS PART OF FACS WILL BE MOSTLY USED FOR +AIDING THE AT&T LINEMEN. + + THE COSMOS SYSTEM(COMPUTER SYSTEM FOR MAINFRAME OPERATIONS) COMPRISES THE +FOURTH PART OF THE FACS SYSTEM. COSMOS IS THE COMPONENT OF FACS THAT IS +RESPONSIBLE FOR MAINTAINING THE MECHANIZED INVENTORY OF MDF FACILITIES,STORING +CUSTOM CALL FEATURES(IE:SPEED DIALING NUMBERS),AND OTHER MISC. INFO. + + THE FIFTH AND LAST PIECE OF THE FACS SYSTEM IS THE WORK MANAGER (WM). HIS +COMPONENT SERVES AS THE FRONT-END PROCESSOR FOR COSMOS. IT ENABLES A NUMBER OF +COSMOS COMPUTERS TO RELIABLY COMMUNICATE WITH THE OTHER FACS COMPONENTS. WM +SERVES AS THE MESSAGES SWITCHING SYSTEM FOR THE FACS PIECES, AND GENERALLY IS +THE "MESSENGER AND STABILIZER" OF THE SYSTEM. + + THE HARDWARE THAT WILL RUN THIS FACS SYSTEM IS: + COSMOS: 22-WECO. 3B-20S MINI COMPS. + WM: 6-WECO. 3B-20S MINI COMPS. + SOAC-LFACS-PREMIS: TWO SPERRY UNIVAC 1100/92 MAINFRAMES. + BANCS 2 THP CYBER 1000 PROCESSORS. + + THE FACS SYSTEM IS STARTING UP AT THIS VERY MOMENT. THIS IS BASICALLY A +BROAD VIEW OF THE FACS SYSTEM. AT&T SEEMS TO THINK THAT FACS WILL BE MORE +EFFICIENT,SAVE THEM MONEY IN THE LONG RUN, AND SAVE THEM WORKERS(HERE COME SOME +MASSIVE LAYOFFS!) WHAT THIS MEANS TO PHREAKERS AND HACKERS IS THAT YOU WILL NOW +HAVE AT LEAST FIVE DIAL-UPS IN AN AREA CODE WITH WHICH YOU CAN PHUCK WITH +AT&T! + + ..LATER.. + ..SHARP RAZOR>> + THE LEGION OF DOOM! +(NOTE: THE FACS SYSTEM HAS RECENTLY BEEN PUT INTO OPERATION(SUMMER 84) IN +ST.LOUIS MISSOURI) + + + + + Page 72 + + + + + The Official Phreaker's Manual + + Telenet + + It seems that not many of you know that Telenet is connected to about 80 +computer-networks in the world. No, I don't mean 80 nodes, but 80 networks with +thousands of unprotected computers. When you call your local Telenet- gateway, +you can only call those computers which accept reverse-charging- calls. + If you want to call computers in foreign countries or computers in USA which +do not accept R-calls, you need a Telenet-ID. Did you ever notice that you can +type ID XXXX when being connected to Telenet? You are then asked for the +password. If you have such a NUI (Network-User-ID) you can call nearly every +host connected to any computer-network in the world. Here are some examples: + +026245400090184 :Is a VAX in Germany (Username: DATEXP and leave mail for +CHRIS !!!) +0311050500061 :Is the Los Alamos Integrated computing network (One of the +hosts connected to it is the DNA (Defense Nuclear Agency)!!!) +0530197000016 :Is a BBS in New Zealand +024050256 :Is the S-E-Bank in Stockholm, Sweden (Login as GAMES !!!) +02284681140541 :CERN in Geneva in Switzerland (one of the biggest nuclear +research centers in the world) Login as GUEST +0234212301161 :A Videotex-standard system. Type OPTEL to get in and use the +ID 999_ with the password 9_ +0242211000001 :University of Oslo in Norway (Type LOGIN 17,17 to play the +Multi-User-Dungeon !) +0425130000215 :Something like ITT Dialcom, but this one is in Israel ! ID +HELP with password HELP works fine with security level 3 +0310600584401 :Is the Washington Post News Service via Tymnet (Yes, Tymnet is +connected to Telenet, too !) ID and Password is: PETER You can read the news +of the next day ! + +The prefixes are as follows: +02624 is Datex-P in Germany +02342 is PSS in England +03110 is Telenet in USA +03106 is Tymnet in USA +02405 is Telepak in Sweden +04251 is Isranet in Israel +02080 is Transpac in France +02284 is Telepac in Switzerland +02724 is Eirpac in Ireland +02704 is Luxpac in Luxembourg +05252 is Telepac in Singapore +04408 is Venus-P in Japan +...and so on... Some of the countries have more than one +packet-switching-network (USA has 11, Canada has 3, etc). + +OK. That should be enough for the moment. As you see most of the passwords are +very simple. This is because they must not have any fear of hackers. Only a few +German hackers use these networks. Most of the computers are absolutely easy to +hack !!! So, try to find out some Telenet-ID's and leave them here. If you need +more numbers, leave e-mail. +I'm calling from Germany via the German Datex-P network, which is similar to +Telenet. We have a lot of those NUI's for the German network, but none for a +special Tymnet-outdial-computer in USA, which connects me to any phone #. + +CUL8R, Mad Max + +PS: Call 026245621040000 and type ID INF300 with password DATACOM to get more + + Page 73 + + + + + The Official Phreaker's Manual + +Informations on packet-switching-networks ! + +PS2: The new password for the Washington Post is KING !!!! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 74 + + + + + The Official Phreaker's Manual + + Phreaking AT&T Cards + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + My topic will deal with using an AT&T calling card for automated calls. Ok +to place a call with an AT&T card, lift the handset (PAY PHONE) hit (0) and the +desired area code and the number to call. Also when calling the same number +that the card is being billed to you enter the phone number and at the tone +only enter the last four digits on the card. But we don't want to do that now, +do we. If additional calls are wanted all you do is hit the (#) and you will +get a new dial tone! After you hit (#) you do not have to re-enter the calling +card number simply enter your desired number and it will connect you. + If the number you called is busy just keep hitting (#) and the number to be +called until you connect! Ok to calL the U.S. of a from another country, you +use the exact same format as described above! + Ok now I will describe the procedure for placing calls to a foreign +country, such as CANADA,RUSSIA,SOUTH AMERICA, etc.. Ok first lift the handset +then enter (01) + the country code + the city code + the local telephone +number. Ok after you get the tone enter the AT&T calling card number. Ok if you +can not dial operator assisted calls from your area don't worry just jingle the +operator and she will handle your call, don't worry she can't see you! + The international number on the AT&T calling card is used for calling the +US of A from places like RUSSIA, CHINA you never know when you might get stuck +in a country like those and you have no money to make a call! The international +operator will be able to tell you if they honor the AT&T calling card. + Well I hope that this has straightened out some of your problems on the use +of an AT&T calling card! All you have to remember is that weather you are +placing the call or the operator, be careful and never use the calling card +from your home phone!! That is a BIG NO NO.. + + Also AT&T has came out with a new thing called (NEW CARD CALLER SERVICE) +they say that it was designed to meet the public's needs! These phones will be +popping up in many place such as airport terminals, hotels, etc... What the new +card caller service is, is a new type of phone that has a (CRT) screen that +will talk to you in a language of your choice. The service works something +like this, when you find a (NEW CARD CALLER PHONE), all you do is follow the +instructions on the (CRT) screen, then you insert the (NEW CARD CALLER CARD) +and there is a strip of magnetic tape on the card which reads the number, thus +no one can hear you saying your number or if there were a bug in the phone,no +touch tones will be heard!! You can also bill the call to a third party. that +is one that I am not totally clear on yet! The phone is supposed to tell you +how it can be done. That is after you have inserted your card and lifted the +receiver! + + + + + + + + + + + + + + + + + + Page 75 + + + + + The Official Phreaker's Manual + + :%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%: + :% %: + :% AT&T FORGERY %: + :% Written by The Blue Buccaneer %: + :% %: + :% CALL THE EVERLASTING SPEED DEMON BBS AT (415) 522-3074 %: + :% Uploaded by Elric of Imrryr of Lunatic Labs UnLtd %: + :%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%: + + +Here is a very simple way to either: + +[1] Play an incredibly cruel and realistic joke on a phreaking friend. + -OR- +[2] Provide yourself with everything you ever wanted to be an AT&T person. + + All you need to do is get your hands on some AT&T paper and/or business +cards. To do this you can either go down to your local business office and +swipe a few or call up somewhere like WATTS INFORMATION and ask them to send +you their information package. They will send you: +1. A nice letter (with the AT&T logo letterhead) saying "Here is the info." +2. A business card (again with AT&T) saying who the sales representative is. +3. A very nice color booklet telling you all about WATTS lines. +4. Various billing information. (Discard as it is very worthless) + + Now take the piece of AT&T paper and the AT&T business card down to your +local print/copy shop. Tell them to run you off several copies of each, but to +leave out whatever else is printed on the business card/letter. If they refuse +or ask why, take your precious business elsewhere. +(This should only cost you around $2.00 total) + + Now take the copies home and either with your typewriter, MAC, or Fontrix, +add whatever name, address, telephone number, etc. you like. (I would recommend +just changing the name on the card and using whatever information was on there +earlier) + + And there you have official AT&T letters and business cards. As mentioned +earlier, you can use them in several ways. Mail a nice letter to someone you +hate (on AT&T paper..hehehe) saying that AT&T is onto them or something like +that. (Be sure to use correct English and spelling) (Also do not hand write +the letter! Use a typewriter! - Not Fontrix as AT&T doesn't use OLD ENGLISH or +ASCII BOLD when they type letters. Any IBM typewriter will do perfectly) + + Another possible use (of many, I guess) is (if you are old enough to look +the part) to use the business card as some sort of fake id. + + The last example of uses for the fake AT&T letters & b.cards is mentioned in +my textfile, BASIC RADIO CALLING. Briefly, send the station a letter that +reads: + WCAT - FM202: (Like my examples? Haha!) +(As you probably know, radio stations give away things by accepting the 'x' +call. (ie: The tenth caller through wins a pair of Van Halen tickets) Sometimes +they may ask a trivia question, but that's your problem. Anyway, the letter +continues:) + (You basically say that they have become so popular that they are getting too +many calls at once from listeners trying to win tickets. By asking them to +call all at the same time is overloading our systems. We do, of course, have +means of handling these sort of matters, but it would require you sending us a + + Page 76 + + + + + The Official Phreaker's Manual + +schedule of when you will be asking your listeners to call in. That way we +would be able to set our systems to handle the amount of callers you get at +peak times..(etc..etc..more BS..But you get the idea, right?) + +Joseph Hakimout +AT&T Telecommunications +East Bumblefuck, Nowheresville 55555 + + + Ok, so it probably won't work (DJs just aren't that dumb, unless you really +do live in Nowheresville), but using AT&T paper and a business card might up +your chances some. + + :-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:- + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 77 + + + + + The Official Phreaker's Manual + + =><---------------------------------><= + => A little something about <= + => Your phone company <= + =><---------------------------------><= + => By Col. Hogan <= + ======================================== + + Ever get an operator who gave you a hard time, and you didn't know +what to do? Well if the operator hears you use a little Bell jargon, she might +wise up. Here is a little diagram (excuse the artwork) of the structure of +operators + +/--------\ /------\ /-----\ +!Operator!-- > ! S.A. ! --->! BOS ! +\--------/ \------/ \-----/ + ! + ! + V +/-------------\ +! Group Chief ! +\-------------/ + + Now most of the operators are not bugged, so they can curse at you, if they +do ask INSTANTLY for the "S.A." or the Service Assistant. The operator does not +report to her (95% of them are hers) but they will solve most of your problems. +She MUST give you her name as she connects & all of these calls are bugged. If +the SA gives you a rough time get her BOS (Business Office Supervisor) on the +line. S/He will almost always back her girls up, but sometimes the SA will get +tarred and feathered. The operator reports to the Group Chief, and S/He will +solve 100% of your problems, but the chances of getting S/He on the line are +nill. + If a lineman (the guy who works out on the poles) or an installation man +gives you the works ask to speak to the Installation Foreman, that works +wonders. + Here is some other bell jargon, that might come in handy if you are having +trouble with the line. Or they can be used to lie your way out of +situations.... + + An Erling is a line busy for 1 hour, used mostly in traffic studies A +Permanent Signal is that terrible howling you get if you disconnect, but don't +hang up. + Everyone knows what a busy signal is, but some idiots think that is the +*Actual* ringing of the phone, when it just is a tone "beeps" when the phone is +ringing, wouldn't bet on this though, it can (and does) get out of sync. + When you get a busy signal that is 2 times as fast as the normal one, the +person you are trying to reach isn't really on the phone, (he might be), it is +actually the signal that a trunk line somewhere is busy and they haven't or +can't reroute your call. Sometimes you will get a Recording, or if you get +nothing at all (Left High & Dry in fone terms) all the recordings are being +used and the system is really overused, will probably go down in a little +while. This happened when Kennedy was shot, the system just couldn't handle the +calls. By the way this is called the "reorder signal" and the trunk line is +"blocked". + One more thing, if an overseas call isn't completed and doesn't generate +any money for AT&T, is is called an "Air & Water Call". + + + + + Page 78 + + + + + The Official Phreaker's Manual + + [ESSENCE OF TELEPHONE CONFERENCING] + [WRITTEN BY:] + [FOREST RANGER] + + TELEPHONE CONFERENCING IS AN EASY WAY OF GETTING MANY FRIENDS TOGETHER AT +ONCE. THIS CAN BE ACCOMPLISHED EASILY WITH LITTLE OR NO TROUBLE WHAT SO EVER. +THE TECHNIQUES THAT I WILL TEACH YOU DO NOT REQUIRE A BLUE BOX OR A TOUCH TONE +PHONE LINE. THE ONLY PREREQUISITE IS THAT YOU HAVE A PHONE THAT HAS A TONE +SWITCH ON IT OR HAVE A HOOKABLE TOUCH TONE KEYPAD. NOW, IF YOU ARE THE PARANOID +TYPE OF PERSON AND REFUSE TO USE YOUR OWN PHONE OUT OF YOUR HOUSE THEN HERE ARE +SOME SIMPLE WAYS OF GETTING CONFERENCES STARTED FROM ANOTHER PHONE. GO TO A +MALL OR A PLACE WHERE YOU KNOW THE PHONE IS BEING PAYED FOR BY THE BUSINESS IT +IS IN. + NOW THERE ARE TWO TO CALL THE CONFERENCE OPERATOR; DIAL "0" TO GET YOUR +LOCAL OPERATOR SO SHE CAN PUT YOU THROUGH TO THE CONFERENCE OPERATOR OR DIAL +THE CONFERENCE OPERATOR DIRECTLY IF YOU HAVE THE NUMBER HANDY. THE SYSTEM YOU +WILL BE LINKED UP TO IS CALLED THE "ALLIANCE" SYSTEM. THERE ARE THREE BRANCHES; +1000,2000,3000. + NOW ONCE YOU HAVE GOTTEN THE CONFERENCE OPERATOR YOU TELL HER YOU WOULD +LIKE TO START A CONFERENCE AND YOU WOULD LIKE TO MAINTAIN CONTROL OF IT. SHE +WILL THEN PROCEED TO ASK YOU FOR YOUR NAME AND NUMBER. YOU WILL THEN GIVE HER A +FAKE NAME AND THE NUMBER OF THE PAY PHONE. SHE WILL HANG UP AND CALL YOU BACK +ONCE SHE HAS CHECKED THE NUMBER. THEY USUALLY DON'T REALIZE IT IS A PAYPHONE SO +DON'T THINK IT WON'T WORK! NOW ONCE THE OPERATOR HAS GIVEN YOU CONTROL YOU WILL +THEN PROCEED TO HACK MY VOICE PHONE AND PUT ME ON THE CONFERENCE. + NOW, THE OTHER WAY OF STARTING A CONFERENCE IN WHICH YOU DON'T GET A LIVE +OPERATOR IS A "PBX". WITH THIS YOU WILL CALL A PBX NUMBER AND YOU WILL THEN +RECEIVE A RECORDING OF A BUSINESS OR OFFICE CO. THEN WHEN THE RECORDING IS OVER +YOU WILL HERE A BEEP...THEN AFTER ABOUT 10-30 SECONDS AFTER THE BEEP YOU WILL +GET A DIAL TONE ON THE ON THE END OF THE PBX. YOU WILL THEN TYPE THE PBX CODE +WHICH WILL THEN RESPOND WITH A RECORDING WELCOMING YOU TO THE CONFERENCING +NETWORK (WHICH WILL IN MOST IF NOT ALL BE THE "ALLIANCE" SYSTEM). + IT WILL BE SELF EXPLANATORY FROM THERE. NOW IF YOU DON'T WISH TO CALL THE +CONFERENCE OPERATOR EITHER WAY ALREADY EXPLAINED THEN THERE IS A WAS OF GETTING +YOUR FRIENDS IN CONFERENCE. THIS IS DONE OVER A LOOP EXTENSION. NO ONE WILL +HAVE CONTROL, BUT YOU WILL STILL BE ON CONFERENCE. THIS IS CALLED THE SEVEN +LINE LOOP EXTENSION. THIS MEANS YOU CAN HAVE UP TO SEVEN MEMBERS, BUT THAT IS +IT! THE NUMBER IS IN LA, CA. 213-206-2820. THE LAST WAY I WILL EXPLAIN TO YOU +IF YOU ARE IN DESPERATE NEED OF A CONFERENCE IS TO GO TO PAY PHONE LIKE I +MENTIONED BEFORE ANY MAKE SURE SOME BUSINESS PAYS THE BILL FOR IT THEN CALL THE +CONFERENCE OPERATOR IN THE FASHIONS MENTIONED AND ASK THE CONFERENCE OPERATOR +TO PLACE CONFERENCE CALLS. + THE WILL THEN ASK FOR THE NUMBERS OF THE PEOPLE TO PUT ON CONFERENCE, YOU +GIVE HER THE NUMBERS AND SHE WILL PUT YOU ALL ON CONFERENCE. WHEN YOU ARE DONE +YOU WILL HANG UP ON HER SO THERE WILL BE NO ONE IN CONTROL.THAT MEANS THE +CONFERENCE WILL BE BILLED TO THE PAYPHONE AND NO ONE CAN BE BLAMED FOR THE +CONFERENCE DUE TO NO ONE BEING IN CONTROL! ***NOTE*** THE CONFERENCE OPERATOR +WILL NOT BE ON WHILE YOU ARE ALL TALKING! REMEMBER THAT CONFERENCES ARE NOT +HARD AND IT IS VERY HARD TO GET ARRESTED ON ONE DUE TO WHAT I HAVE MENTIONED. + + REMEMBER:REACH OUT AND PHREAK SOMEONE! + + + +[TELEPHONE CONFERENCE CONTROLS] + + # - CONTROL MODE + # - 6 PASSES CONTROL + + Page 79 + + + + + The Official Phreaker's Manual + + # - 1 + AREA CODE & NUMBER ADDS + # - 9 SILENT MODE + # - 7 GETS CONFERENCE OPERATOR + * - ENDS CONFERENCE + + + THE "#" IS THE CONTROL KEY ON YOUR CONFERENCES. WHEN YOU PASS CONTROL TO +SOMEONE ELSE HIT THE "#" THEN "6". WAIT FOR THE RECORDING TO SAY ENTER # OF +PERSON TO PASS CONTROL TO, THEN ENTER THE NUMBER OF THE PERSON YOU ARE GOING TO +GIVE CONTROL TO. + TO ADD A PERSON ON TO THE CONFERENCE HIT "#" THEN "1","AREA CODE","NUMBER". +THEN WHEN THE PERSON ANSWERS WAIT FIVE SECONDS THEN HIT THE "#" TO ADD. IF YOU +ARE IN CONTROL OF THE CONFERENCE AND YOU WANT TO HEAR EVERYONE ELSE, BUT YOU DO +NOT WANT TO BE HEARD IT "#" THEN "9" THEN THE "#" TO REJOIN THE CONFERENCE. +REMEMBER AFTER ADDING SOMEONE ON OR PASSING CONTROL TO SOMEONE YOU MUST ALWAYS +HIT THE "#" TO REJOIN THE OTHERS ON CONFERENCE: PASSING CONTROL: "#","6", WAIT +FOR RECORDING TO SAY ENTER NUMBER OF PARTY TO GIVE CONTROL TO THEN ENTER NUMBER +AND HIT "#" TO REJOIN YOUR CONFERENCE.IF YOU EVER WANT TO GET A CONFERENCE +OPERATOR FOR SOME STRANGE REASON THEN HIT "#","7" AND WAIT FOR A CONFERENCE +OPERATOR TO CLICK ON. TO END A CONFERENCE HIT "*". + + WITH HELP FROM: SILICON FALCON, SILVER CONDOR, AND THE ELIMINATOR. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 80 + + + + + The Official Phreaker's Manual + + Phone Tapping + + HERE IS SOME INFO ON PHONE TAPS. I HAVE ENCLOSED A SCHEMATIC FOR A SIMPLE +WIRETAP & INSTRUCTIONS FOR HOOKING UP A TAPE RECORDER CONTROL RELAY TO THE +PHONE LINE. + FIRST I'LL DISCUSS TAPS A LITTLE. THERE ARE MANY DIFFERENT TYPES OF TAPS. +THERE ARE TRANSMITTERS, WIRED TAPS AND INDUCTION TAPS TO NAME A FEW. WIRED AND +WIRELESS TRANSMITTERS MUST BE PHYSICALLY CONNECTED TO THE LINE BEFORE THEY'LL +DO ANY GOOD. ONCE A WIRELESS TAP IS CONNECTED TO THE LINE, IT CAN TRANSMIT ALL +CONVERSATIONS OVER A LIMITED RANGE. THE PHONES IN THE HOUSE CAN EVEN BE +MODIFIED TO PICK UP CONVERSATIONS IN THE ROOM & TRANSMIT THEM TOO! THESE TAPS +ARE USUALLY POWERED OFF THE PHONE LINE, BUT CAN HAVE AN EXTERNAL POWER SOURCE. + WIRED TAPS, ON THE OTHER HAND, NEED NO POWER SOURCE, BUT A WIRE MUST BE +RUN FROM THE LINE TO THE LISTENER OR TO A TRANSMITTER. THERE ARE OBVIOUS +ADVANTAGES OF WIRELESS TAPS OVER WIRED ONES. THERE IS ONE TYPE OF WIRELESS TAP +THAT LOOKS LIKE A NORMAL TELEPHONE MIKE. ALL YOU HAVE TO DO IS REPLACE THE +ORIGINAL MIKE WITH THIS & IT'LL TRANSMIT ALL CONVERSATIONS! + THERE IS AN EXOTIC TYPE OF WIRED TAP KNOWN AS THE 'INFINITY TRANSMITTER' OR +'HARMONICA BUG'. IN ORDER TO HOOK UP ONE OF THESE, YOU NEED ACCESS TO THE +TARGET TELEPHONE. IT HAS A TONE DECODER & SWITCH INSIDE. WHEN IT IS +INSTALLED, SOMEONE CALLS THE TAPPED PHONE & *BEFORE* IT RINGS, BLOWS A WHISTLE +OVER THE LINE. THE X-MITTER RECEIVES THE TONE & PICKS UP THE PHONE VIA A +RELAY. THE MIKE ON THE PHONE IS ACTIVATED SO THE CALLER CAN HEAR ALL +CONVERSATIONS IN THE ROOM. + THERE IS A SWEEP TONE TEST AT 415/BUG-1111 WHICH CAN BE USED TO DETECT ON +OF THESE TAPS. IF ONE OF THESE IS ON YOUR LINE & THE TEST # SENDS THE CORRECT +TONE, YOU'LL HEAR A CLICK. + INDUCTION TAPS HAVE ONE BIG ADVANTAGE OVER TAPS THAT MUST BE PHYSICALLY +WIRED TO THE PHONE. THEY DON'T HAVE TO BE TOUCHING THE PHONE IN ORDER TO PICK +UP THE CONVERSATION. THEY WORK ON THE SAME PRINCIPLE AS THE LITTLE SUCTION-CUP +TAPE RECORDER MIKES YOU CAN GET AT RADIO SHACK. INDUCTION MIKES CAN BE HOOKED +UP TO A TRANSMITTER OR BE WIRED. HERE IS AN EXAMPLE OF INDUSTRIAL ESPIONAGE +USING THE PHONE: + A SALESMAN WALKS INTO AN OFFICE & MAKES A FONE CALL. HE FAKES THE +CONVERSATION, BUT WHEN HE HANGS UP HE SLIPS SOME FOAM-RUBBER CUBES UNDER THE +HANDSET, SO THE FONE IS STILL OFF THE HOOK. THE CALLED PARTY CAN STILL HEAR +ALL CONVERSATIONS IN THE ROOM. WHEN SOMEONE PICKS UP THE FONE, THE CUBES FALL +AWAY UNNOTICED. + I USE A TAP ON MY LINE TO MONITOR WHAT AE-PRO IS DOING WHEN IT AUTO-DIALS, +SINCE IT DOESN'T TAKE ADVANTAGE OF THE HANDSET ON THE APPLE CAT II. I CAN ALSO +HOOK UP THE TAP TO A CASSETTE RECORDER OR AMPLIFIER. HERE IS THE SCHEMATIC: + +-------)!----)!(-------------> + )!( + CAP ^ )!( + )!( + )!( + )!( + ^^^^^---)!(-------------> + ^ 100K + ! + ! THE HITCHHINKERS <%=- + BRING YOUR TOWEL + + + + + + + + + + + + + + + + + + + + + Page 88 + + + + + The Official Phreaker's Manual + + 2600 Magazine's story on the Private Sector Bust + Uploaded by Elric of Imrryr + Lunatic Labs Unlimited + :::::::::::::::::::::::::::::::::::::::::::::::: + +Typed By Shooting Shark : The following article appeared in the August, 1985 +issue of 2600 Magazine. Subscriptions to 2600 are $12 a year for individuals. +Make checks payable to 2600 Enterprises, Inc. Write to: 2600, Box 752, Middle +Island, NY 11953-0752. Their phone number is 516-751-2600. Text of article +follows. + +SEIZED! +2600 Bulletin Board is Implicated in Raid on Jersey Hackers + + On July 12, 1985, law enforcement officials seized the Private Sector BBS, +the official computer bulletin board of 2600 magazine, for "complicity in +computer theft," under the newly passed, and yet untested, New Jersey Statute +2C:20-25. Police had uncovered in April a credit carding ring operated around +a Middlesex County electronic bulletin board, and from there investigated +other North Jersey bulletin boards. Not understanding subject matter of the +Private Sector BBS, police assumed that the sysop was involved in illegal +activities. Six other computers were also seized in this investigation, +including those of Store Manager [perhaps they mean Swap Shop Manager? - +Shark] who ran a BBS of his own, Beowolf, Red Barchetta, the Vampire, NJ Hack +Shack, sysop of the NJ Hack Shack BBS, and that of the sysop of the Treasure +Chest BBS. + + Immediately after this action, members of 2600 contacted the media, who +were completely unaware of any of the raids. They began to bombard the +Middlesex County Prosecutor's Office with questions and a press conference was +announced for July 16. The system operator of the Private Sector BBS attempted +to attend along with reporters from 2600. They were effectively thrown off +the premises. Threats were made to charge them with trespassing and other +crimes. An officer who had at first received them civilly was threatened with +the loss of his job if he didn't get them removed promptly. Then the car was +chased out of the parking lot. Perhaps prosecutor Alan Rockoff was afraid that +he presence of some technically literate reporters would ruin the effect of his +press release on the public. As it happens, he didn't need our help. + + The next day the details of the press conference were reported to the +public by the press. As Rockoff intended, paranoia about hackers ran rampant. +Headlines got as ridiculous as hackers ordering tank parts by telephone from +TRW and moving satellites with their home computers in order to make free phone +calls. These and even more exotic stories were reported by otherwise +respectable media sources. The news conference understandably made the front +page of most of the major newspapers in the US, and was a major news item as +far away as Australia and in the United Kingdom due to the sensationalism of +the claims. We will try to explain why these claims may have been made in this +issue. + + On July 18 the operator of The Private Sector was formally charged +with"computer conspiracy" under the above law, and released in the custody of +his parents. The next day the American Civil Liberties Union took over his +defense. The ACLU commented that it would be very hard for Rockoff to prove a +conspiracy just "because the same information, construed by the prosecutor to +be illegal, appears on two bulletin boards." especially as Rockoff admitted +that "he did not believe any of the defendants knew each other." The ACLU +believes that the system operator's rights were violated, as he was assumed to + + Page 89 + + + + + The Official Phreaker's Manual + +be involved in an illegal activity just because of other people under +investigation who happened to have posted messages on his board. + + In another statement which seems to confirm Rockoff's belief in guilt by +association, he announced the next day that "630 people were being investigated +to determine if any used their computer equipment fraudulently." We believe +this is only the user list of the NJ Hack Shack, so the actual list of those to +be investigated may turn out to be almost 5 times that. The sheer overwhelming +difficulty of this task may kill this investigation, especially as they find +that many hackers simply leave false information. Computer hobbyists all +across the country have already been called by the Bound Brook, New Jersey +office of the FBI. They reported that the FBI agents used scare tactics in +order to force confessions or to provoke them into turning in others. We would +like to remind those who get called that there is nothing inherently wrong or +illegal in calling any ANY BBS, nor in talking about ANY activity. The FBI +would not comment on the case as it is an "ongoing investigation" and in the +hands of the local prosecutor. They will soon find that many on the Private +Sector BBS's user list are data processing managers, telecommunications +security people, and others who are interested in the subject of the BBS, +hardly the underground community of computer criminals depicted at the news +conference. The Private Sector BBS was a completely open BBS, and police and +security people were even invited on in order to participate. The BBS was far +from the "elite" type of underground telecom boards that Rockoff attempted to +portray. + + Within two days, Rockoff took back almost all of the statements he had +made at the news conference, as AT&T and the DoD [Department of Defense - +Shark] discounted the claims he had made. He was understandably unable to find +real proof of Private Sector's alleged illegal activity, and was faced with +having to return the computer equipment with nothing to show for his effort. +Rockoff panicked, and on July 31, the system operator had a new charge against +him, "wiring up his computer as a blue box." Apparently this was referring to +his Novation Applecat modem which is capable of generating any hertz tone over +the phone line. By this stretch of imagination an Applecat could produce a +2600 hertz tone as well as the MF which is necessary for "blue boxing." +However, each and every other owner of an Applecat or any other modem that can +generate its own tones therefore has also "wired up his computer as a blue box" +by merely installing the modem. This charge is so ridiculous that Rockoff +probably will never bother to press it. However, the wording of WIRING UP THE +COMPUTER gives rockoff an excuse to continue to hold onto the computer longer +in his futile search for illegal activity. + + "We have requested that the prosecutors give us more specific +information," said Arthur Miller, the lawyer for The Private Sector. "The +charges are so vague that we can't really present a case at this point." +Miller will appear in court on August 16 to obtain this information. He is +also issuing a demand for the return of the equipment and, if the prosecutors +don't cooperate, will commence court proceedings against them. "They haven't +been particularly cooperative," he said. + + Rockoff probably will soon reconsider taking Private Sector's case to +court, as he will have to admit he just didn't know what he was doing when he +seized the BBS. The arrest warrant listed only "computer conspiracy" against +Private Sector, which is much more difficult to prosecute than the multitude of +charges against some of the other defendants, which include credit card fraud, +toll fraud, the unauthorized entry into computers, and numerous others. + + Both Rockoff and the ACLU mentioned the Supreme Court in their press + + Page 90 + + + + + The Official Phreaker's Manual + +releases, but he will assuredly take one of his stronger cases to test the new +New Jersey computer crime law. by seizing the BBS just because of supposed +activities discussed on it, Rockoff raises constitutional questions. Darrell +Paster, a lawyer who centers much of his work on computer crime, says the New +Jersey case is "just another example of local law enforcement getting on the +bandwagon of crime that has come into vogue to prosecute, and they have +proceeded with very little technical understanding, and in the process they +have abused many people's constitutional rights. What we have developing is a +mini witch hunt which is analogous to some of the arrests at day care centers, +where they sweep in and arrest everybody, ruin reputations, and then find that +there is only one or two guilty parties." We feel that law enforcement, not +understanding the information on the BBS, decided to strike first and ask +questions later. + + 2600 magazine and the sysops of the Private Sector BBS stand fully behind +the system operator. As soon as the equipment is returned, the BBS will go +back up. We ask all our readers to do their utmost to support us in our +efforts, and to educate as many of the public as possible that a hacker is not +a computer criminal. We are all convinced of our sysop's innocence, and await +Rockoff's dropping of the charges. + +NOTE: Readers will notice that our reporting of the events are quite different +than those presented in the media and by the Middlesex County Prosecutor. We +can only remind you that we are much closer to the events at hand than the +media is, and that we are much more technologically literate than the Middlesex +County Prosecutor's Office. The Middlesex County Prosecutor has already taken +back many of his statements, after the contentions were disproven by AT&T and +the DoD. One problem is that the media and the police tend to treat the seven +cases as one case, thus the charges against and activities of some of the +hackers has been extended to all of the charged. We at 2600 can only speak +about the case of Private Sector. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 91 + + + + + The Official Phreaker's Manual + + Chapter 4 + + By now I assume that the reader has a fair idea of what phreaking is, and +know a little bit about how to go about it. From now on, I will assume that +the reader has read all the material before this or understands all the +material covered. Now we will take a journey into the "Basics of +Telecommunications" and learn a little about how everything works, and is +related to everything else. This series of articles is extremely good and +should be read by all levels of phreaks. + As we go further into the advanced world of phreaking, we come closer to the +edge of technology. As we approach it, everything seems to become larger and +more complicated. We notice that many things that were possible aren't +anymore. Blue boxing is starting to become the only method of exploration as +Equal Access looms nearer and nearer. As it stands now, equal access is here, +and many LD services such as Sprint and MCI will be tougher to hack. Extenders +will become more used and abused, which will cause them to get access codes +miles long... + Blue boxing becomes harder as all Bell switching and transmission facilities +go under to CCIS. Then to further complicate things, digital microwave, fiber +optic, and satellite transmission are all coming to be digital and do not +recognize 2600hz for the hang up signal. I predict that around 1990, blue +boxes will be obsolete from all major cities. A new type of box will have to +be invented, or you'll have to get two fone line to phreak with, on to place +the actual call and the other to tap into a COSMOS computer to change the +status of the call from toll to toll-free, ie. 800#. + Well somethings will change for the better, with ISDN you'll get 144k bps +lines and some other neat stuff. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 92 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * BASIC TELECOMMUNICATIONS * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART II * + * * + ************************************************************ + + PREFACE: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN PART II, WE WILL EXPLORE THE VARIOUS SPECIAL BELL#'S, SUCH AS: CN/A, +AT&T NEWSLINES, LOOPS, 99XX #'S, ANI, RINGBACK, AND A FEW OTHERS. + + CN/A: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + CN/A, WHICH STANDS FOR CUSTOMER NAME AND ADDRESS, ARE BUREAUS THAT EXIST SO +THAT AUTHORIZED BELL EMPLOYEES CAN FIND OUT THE NAME AND ADDRESS OF ANY +CUSTOMER IN THE BELL SYSTEM. ALL #'S ARE MAINTAINED ON FILE INCLUDING UNLISTED +#'S. + +HERE'S HOW IT WORKS: + +1) YOU HAVE A # AND YOU WANT TO FIND OUT WHO OWNS IT, E.G. (914) 555-1234. + +2) YOU LOOK UP THE CN/A # FOR THAT NPA IN THE LIST BELOW. IN THE EXAMPLE, THE +NPA IS 914 AND THE CN/A# IS 518-471-8111. + +3) YOU THEN CALL UP THE CN/A # (DURING BUSINESS HOURS) AND SAY SOMETHING LIKE, +"HI, THIS IS JOHN JONES FROM THE RESIDENTIAL SERVICE CENTER IN MIAMI. CAN I +HAVE THE CUSTOMER'S NAME AT 914-555-1234. THAT # IS 914-555-1234." MAKE UP +YOUR OWN REAL SOUNDING NAME, THOUGH. + +4) IF YOU SOUND NATURAL & CHEERY, THE OPERATOR WILL ASK NO QUESTIONS. + + HERE'S THE LIST: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + NPA CN/A # NPA CN/A # + --- ------------ --- ------------ + 201 201-676-7070 517 313-232-8690 + 202 202-384-9620 518 518-471-8111 + 203 203-789-6800 519 416-487-3641 + 204 ****N/A***** 601 601-961-0877 + 205 205-988-7000 602 303-232-2300 + 206 206-382-8000 603 617-787-2750 + 207 617-787-2750 604 604-432-2996 + 208 303-232-2300 605 402-345-0600 + 209 415-546-1341 606 502-583-2861 + 212 518-471-8111 607 518-471-8111 + 213 213-501-4144 608 414-424-5690 + 214 214-948-5731 609 201-676-7070 + 215 412-633-5600 612 402-345-0600 + 216 614-464-2345 613 416-487-3641 + 217 217-525-7000 614 614-464-2345 + 218 402-345-0600 615 615-373-5791 + + Page 93 + + + + + The Official Phreaker's Manual + + 219 317-265-7027 616 313-223-8690 + 301 301-534-11?? 617 617-787-2750 + 302 412-633-5600 618 217-525-7000 + 303 303-232-2300 701 402-345-0600 + 304 304-344-8041 702 415-546-1341 + 305 912-784-9111 703 804-747-1411 + 306 ****N/A***** 704 912-784-9111 + 307 303-232-2300 705 416-487-3641 + 308 402-345-0600 707 415-546-1341 + 309 217-525-7000 709 ****N/A***** + 312 312-769-9600 712 402-345-0600 + 313 313-223-8690 713 713-658-1793 + 314 314-436-3321 714 213-995-0221 + 315 518-471-8111 715 414-424-5690 + 316 816-275-2782 716 518-471-8111 + 317 317-265-7027 717 412-633-5600 + 318 318-227-1551 801 303-232-2300 + 319 402-345-0600 802 617-787-2750 + 401 617-787-2750 803 912-784-9111 + 402 402-345-0600 804 804-747-1411 + 403 403-425-2652 805 415-546-1341 + 404 912-784-9111 806 512-828-2502 + 405 405-236-6121 807 416-487-3641 + 406 303-232-2300 808 212-226-5487 + 408 415-546-1341 BERMUDA ONLY + 412 412-633-5600 809 212-334-4336 + 413 617-787-2750 812 317-265-7027 + 414 414-424-5690 813 813-228-7871 + 415 415-546-1132 814 412-633-5600 + 416 416-487-3641 815 217-525-7000 + 417 314-436-3321 816 816-275-2782 + 418 514-861-6391 817 214-948-5731 + 419 614-464-2345 819 514-861-6391 + 501 405-236-6121 901 615-373-5791 + 502 502-583-2861 902 902-421-4110 + 503 503-241-3440 903 ****N/A***** + 504 504-245-5330 904 912-784-9111 + 505 303-232-2300 906 313-223-8690 + 506 506-657-3855 907 ****N/A***** + 507 402-345-0600 912 912-784-9111 + 509 206-382-8000 913 816-275-2782 + 512 512-828-2501 914 518-471-8111 + 513 614-464-2345 915 512-828-2501 + 514 514-861-6391 916 415-546-1341 + 515 402-345-0600 918 405-236-6121 + 516 518-471-8111 919 912-784-9111 + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + BELL USES THESE #'S MAINLY TO FIND OUT WHO OWNS A # THAT A CUSTOMER CLAIMS +HE NEVER CALLED. + +NOTE: THIS IS THE MOST COMPLETE LIST OF CN/A #'S IN MY POSSESSION (WITH ONLY +5 #'S NOT AVAILABLE) THIS LIST WAS COPYRIGHTED IN 1982 BY "JUDAS GERARD" AS IT +ORIGINALLY APPEARED IN TAP ISSUE #78. + AT&T NEWSLINES: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + NEWSLINES ARE RECORDINGS THAT BELL EMPLOYEES CALL UP TO FIND OUT THE LATEST + + Page 94 + + + + + The Official Phreaker's Manual + +INFO ON STOCK, TECHNOLOGY, ETC. CONCERNING THE BELL SYSTEM. + + HERE ARE THE #'S THAT ARE CURRENTLY KNOWN TO PHREAKS (AT LEAST ME, ANYWAY): + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + 201-483-3800 NJ 513-421-9060 OH + 203-771-4920 CT 516-234-9914 NY + 212-393-2151 NY 518-471-2272 NY + 213-621-4141 CA 617-955-1111 MA + 213-829-0111 CA (GTE) 702-789-6711 NV + 213-449-8830 CA 713-224-6116 TX + 312-368-8000 IL 714-238-1111 CA + 313-223-7223 MI 717-255-5555 PA + 314-247-5511 MO 717-787-1031 PA + 408-493-5000 CA 802-955-1111 VE + 412-633-3333 PA 808-533-4426 HI + 414-678-3511 WI 813-223-5666 FL + 416-929-4323 ONT. 914-948-8100 NY + 503-228-6271 OR 916-480-8000 CA + + LOOPS + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + FIRST OF ALL, YOU MUST UNDERSTAND THE CONCEPT OF LOOPS. I THINK THAT THE +BEST WAY THAT THIS IS UNDERSTOOD IS THE WAY THAT PHRED PHREEK EXPLAINED IT... + + "NO SELF-RESPECTING PHONE PHREAK CAN GO THROUGH LIFE WITHOUT KNOWING WHAT A +LOOP IS, HOW TO USE ONE, AND THE TYPES THAT ARE AVAILABLE. THE LOOP IS A GREAT +ALTERNATIVE COMMUNICATION MEDIUM THAT HAS MANY POTENTIAL USES THAT HAVEN'T EVEN +BEEN TAPPED YET. IN ORDER TO EXPLAIN WHAT A LOOP IS, IT WOULD BE HELPFUL TO +VISUALIZE TWO PHONE NUMBERS (LINES) JUST FLOATING AROUND IN THE TELCO CENTRAL +OFFICE (CO). NOW, IF YOU (AND A FRIEND PERHAPS) WERE TO CALL THESE TWO NUMBERS +AT THE SAME TIME, POOOOPFFF!!!, YOU ARE NOW CONNECTED TOGETHER. I HEAR WHAT +YOU'RE SAYING OUT THERE..., "BIG DEAL" OR "WHY SHOULD MA BELL COLLECT HERE TWO +MSU'S (MESSAGE UNITS) FOR ONE LOUSY PHONE CALL!?" WELL... THINK AGAIN. HAVEN'T +YOU EVER WANTED SOMEONE TO CALL YOU BACK BUT, WERE RELUCTANT TO GIVE OUT YOUR +HOME PHONE NUMBER (LIKE THE LAST TIME YOU TRIED TO GET YOUR FRIEND'S UNLISTED # +FROM THE BUSINESS OFFICE)? OR HOW ABOUT A COLLECT CALL TO YOUR FRIEND WAITING +ON A LOOP, WHO WILL GLADLY ACCEPT THE CHARGES? OR BETTER YET, STUMBLING UPON A +LOOP THAT YOU DISCOVER THAT HAS MULTI-USER CAPABILITY (FOR THOSE LATE-NIGHT +CONFERENCES). BEST OF ALL IS FINDING A NON-SUPERVISED LOOP THAT DOESN'T CHARGE +ANY MSU'S OR TOLLS TO ONE OR BOTH PARTIES. EXAMPLE: MANY MOONS AGO, A LOOP +AFFECTIONATELY KNOWN AS 'THE 332 LOOP' WAS NON-SUP (IE, NON-SUPERVISED) ON THE +TONE SIDE. I HAD MY FRIEND IN CALIFORNIA DIAL THE FREE (NON-SUP) SIDE, (212) +332-9906 AND I DIALED THE SIDE THAT CHARGED, 332-9900. AS YOU CAN SEE, I WAS +CHARGED ONE MSU, AND MY FRIEND AS CHARGED ZILCH, FOR AS LONG AS WE WISHED TO +TALK!!!" + + ********** + + AHHH...HAVE I PERKED YOUR INTEREST YET? IF SO, HERE IS HOW TO FIND A LOOP +OF YOU VERY OWN. FIRST, DO ALL OF YOU LOOP SEARCHING AT NIGHT! THIS IS BECAUSE +THE LOOPS SERVE A GENUINE TEST FUNCTION WHICH TELCO USES DURING THE DAY. (WE +DON'T WANT TO RUN INTO AN IRATE LINEMAN NOW, DO WE?) TO FIND A LOOP, HAVING 2 +#'S IS A DEFINITE PLUS. IF NOT, HAVE A FRIEND TO DIAL #'S AT HIS LOCATION. +LAST RESORT, TRY DIALING FROM TWO ADJACENT PAY PHONES. NOW GET YOUR TRUSTY +WHITE PAGES (*), AND TURN TO THE PAGE WHERE IT LISTS THE # OF MSU'S FROM YOUR +EXCHANGE (OR EXCHANGES IN YOUR PRIMARY CALLING AREA) THE IDEA IS TO FIND A LOOP + + Page 95 + + + + + The Official Phreaker's Manual + +THAT IS WITHIN YOUR PRIMARY CALLING AREA OR IS ONLY 1 MSU IN YOUR AREA (CALL +AREA A). THIS IS SO YOU DON'T GO BANKRUPT TRYING TO FIND A LOOP. WRITE DOWN ALL +OF THESE EXCHANGES AND DO A 99XX SCAN OF THOSE EXCHANGES (99XX SCANNING WILL BE +DISCUSSED SHORTLY). + + BEFORE WE GET UP TO 99XX SCANNING, WE WILL LOOK AT SOME OTHER LOOP INFO: + + LOOPS ARE FOUND PAIRS WHICH ARE USUALLY CLOSE TO EACH OTHER. FOR EXAMPLE, +IN NPA 212, WHERE THE INFAMOUS LOOPS ARE FOUND, THERE IS A STANDARD LOOP +FORMAT: + +MANHATTAN & BRONX-------NNX-9977/9979 +BROOKLYN & QUEENS-------NNX-9900/9906 + + NNX IS THE EXCHANGE TO BE SCANNED. HERE ARE SOME LOOPS THAT HAVE BEEN FOUND +IN NYC. THESE ARE USED MOSTLY BY PHREAKS AND CALL-IN LINES FOR PIRATE RADIO +STATIONS: + +212-220-9900/9906 +212-283-9977/9979 +212-352-9900/9906 +212-365-9977/9979 +212-529-9900/9906 +212-562-9977/9979 +212-982-9977/9979 +212-986-9977/9979 + + THE LOWER # IS THE TONE SIDE (SINGING SWITCH). THE HIGHER # IS ALWAYS +SILENT. THE TONE DISAPPEARS ON THE LOWER # WHEN SOMEBODY DIALS IN THE OTHER +SIDE OF THE LOOP. IF YOU ARE ON THE HIGHER #, YOU'LL HAVE TO LISTEN TO THE +CLICKS TO SEE IF SOMEBODY DIALED-IN. THE NYC 982 & 986 LOOPS ARE DIFFERENT +FROM OTHERS. USUALLY WHEN YOU PARK ON A LOOP, YOU WILL HEAR WHO EVER CALLS IN +ON THE OTHER HALF. WHEN THEY'RE DONE, THE NEXT CALLER (IF ANY) WILL BE QUEUED +IN, ONE AFTER ANOTHER. ON THE NYC 982 & 986, YOU SOMETIMES CAN'T GET ANY MORE +CALLERS IN AFTER THE FIRST. FURTHERMORE, IF YOU PARK ONE OF THESE LOOPS AND +THERE IS NOBODY ON THE OTHER END FOR MORE THAN 4 MINUTES, YOU MAY BE +AUTOMATICALLY DISCONNECTED. THESE LOOPS ARE GOOD FOR BACK-UP PURPOSES WHEN ALL +OTHER LOOPS ARE BUSY. + + 99XX SCANNING: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + MOST EVERY EXCHANGE IN THE BELL SYSTEM HAS A WIDE VARIETY OF TEST #'S AND +OTHER "GOODIES," SUCH AS LOOPS. THESE "GOODIES" ARE USUALLY FOUND BETWEEN 9900 +AND 9999 IN YOUR LOCAL EXCHANGE. IF YOU HAVE THE TIME AND INITIATIVE, SCAN +YOUR EXCHANGE AND YOU MAY BECOME LUCKY! + +HERE ARE MY FINDINGS IN THE 914-268: + +9901 - VERIFICATION (RECORDING OF A/C AND EXCHANGE) +9936 - VOICE # TO THE TELCO CO +9937 - VOICE # TO THE TELCO CO +9941 - CARRIER +9960 - OSC. TONE (TONE SIDE LOOP) +9963 - TONE (STOPS: MUTED) +9966 - CARRIER +9968 - TONE THAT DISAPPEARS--RESPONDS TO CERTAIN TOUCH-TONE KEYS + + + Page 96 + + + + + The Official Phreaker's Manual + + MOST OF THE #'S BETWEEN 9900 & 9999 WILL RING, BE BUSY, GO TO A SPECIAL +INTERCEPT OPERATOR ("WHAT #, PLEASE?"), OR WILL GO TO A "THE # YOU HAVE +REACHED..." RECORDING. WHAT YOU FIND DEPENDS UPON THE SWITCHING EQUIPMENT IN +THE EXCHANGE AND THE TELCO OPERATING COMPANY. + + WHEN SEARCHING FOR LOOPS, YOU MAY FIND ONE OF THE FOLLOWING POSSIBILITIES +WHEN YOU FIND ONE: + +1. YOU CAN HEAR THROUGH THE LOOP (NOT MUTED), BUT THERE IS A 1/2 SECOND CLICK +EVERY 10 SECONDS THAT INTERRUPTS THE AUDIO. THIS TYPE IS GOOD FOR BACK-UP USE +BUT THE FUCKING CLICK IS SUPER ANNOYING. + +2. ONE SIDE OF THE LOOP IS BUSY; TRY IT AGAIN LATER. + +3. THE TONE DISAPPEARS, BUT YOU CANNOT HEAR THROUGH IT (THE LOOP IS MUTED, TRY +AGAIN IN A MONTH OR SO) + +4. YOU GET "THE # YOU HAVE REACHED RECORDING." NO LOOP HERE! + + MOST LOOPS ARE MUTED (#3), BUT THEIR STATUS DOES CHANGES FROM TIME-TO-TIME. +IT ALL DEPENDS IF THE TELCO MAINTENANCE PERSONNEL REMEMBER TO "THROW THE +SWITCH", IE, TURN OFF THE LOOP. + + SINCE I HAVE DONE THE ABOVE 914-268 99XX SCAN, CONGERS (268) HAS INSTALLED +NEW SWITCHING EQUIPMENT (DMS100). SOME OF THE NUMBERS ARE THE SAME, BUT I HAVE +NOTICED THAT ON THE DMS100, THE RECORDINGS ARE ALSO STORED IN THIS AREA. +268-9903, 9906, 9909, & 9912 ARE ALL DIFFERENT RECORDINGS. ALSO, THERE ARE 2 +FORTRESS FONE RECORDINGS AT 268-9911 (DEPOSIT 5 CENTS OR ELSE) AND 268-9913 +(DEPOSIT 10 CENTS). NONE OF THESE RECORDINGS SUPE AND ALOT OF OTHER 99XX#'S +DON'T SUPE EITHER. + + IN SOME AREAS (LIKE MD), 9906-7 IS RINGBACK. IN WASHINGTON, THERE IS A +SWEEP TONE TEST AT (202) 560-9944. IN NYC (212), YOU'LL FIND THE INFAMOUS LOOP +LINES (AS MENTIONED ABOVE). + IT WILL BE EASIER TO SCAN YOUR EXCHANGE IF YOU MAKE UP A CHART LIKE THE ONE +BELOW: + + + NPA-NNX-99XX SCAN + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + _________________________________________________________ + | 99X X>|0 |1 |2 |3 |4 |5 |6 |7 |8 |9 | + |_______|____|____|____|____|____|____|____|____|____|____| + | 990 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 991 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 992 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 993 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 994 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 995 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 996 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + + Page 97 + + + + + The Official Phreaker's Manual + + | 997 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 998 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 999 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THIS LEAVES YOU WITH 100 BOXES (1 FOR EACH # BETWEEN 9900 & 9999). YOU +SHOULD MAKE YOUR BOXES BIG ENOUGH SO YOU CAN WRITE SOME SORT OF SHORTHAND IN +THEM. FOR EXAMPLE: + +B - BUSY (TRY AGAIN AT ANOTHER TIME) +R - RINGS (TRY AGAIN AT ANOTHER TIME) +O - INTERCEPT OPERATOR ("WHAT # YOU CALLING?) +R1- RECORDING 1 (MAKE A MARGIN NOTE OF THE TYPES OF RECORDINGS YOU GET) +T - TONE ] TONE AT A LOWER # + IGNORE +I - IGNORE ] AT A HIGHER # = LOOP +V - VOICE # TO TELCO CO - THEY USUALLY ANSWER WITH THE CITY NAME OR AREA. +C - CARRIER + + THERE WILL BE OTHERS AND YOU SHOULD USE OTHER CHARACTERS THAT YOU CAN +UNDERSTAND. + + NOW, BACK TO LOOPS! AS YOU MAY HAVE NOTICED IN MY 914-268 SCAN, I FOUND A +MUTED LOOP AND A TONE SIDE. 914-268 FAILED TO COME UP WITH THE SILENT SIDE OF +A LOOP! THEREFORE, THERE IS NO LOOP IN THAT EXCHANGE. I THEN SCANNED ANOTHER +EXCHANGE IN MY PRIMARY CALLING AREA (914-634) AND I FOUND A LOOP!! "(914) +634-9923/9924" SO, IF AT FIRST YOU DON'T SUCCEED, MOVE ONTO ANOTHER EXCHANGE. +IF YOU USE THE BOX METHOD THAT I HAVE OUTLINED ABOVE, YOU WILL SEE A "T" & "I" +NEXT TO EACH OTHER FOR A LOOP. + SOME EXCHANGES ARE SPECIAL. FOR EXAMPLE, 914-623 IS A TESTING BUREAU. IN +THIS EXCHANGE, NOT ONLY DID I FIND A LOOP, BUT I ALSO FOUND SEVERAL INTERESTING +TONES, NOISES, AND OTHER TEST FUNCTIONS. ALSO, THE MORE IMPORTANT THE EXCHANGE +IS, THE MORE YOU WILL FIND. FOR EXAMPLE, IN 914-623, I FOUND WELL OVER 10 VOICE +#'S! + ALSO, LOOPS ARE USUALLY, BUT NOT EXCLUSIVELY, FOUND IN THE 99XX SERIES. FOR +EXAMPLE: "(713) 324-1799/1499" IS A LOOP. + +THE PERFECT LOOP? HERE IS WHAT I WOULD LOOK FOR: + +1. NON-SUP ON ONE OR BOTH SIDES. TO CHECK FOR A NON-SUP LOOP, GO TO A +TONE-FIRST FORTRESS FONE AND DIAL THE #. IF IT ASKS FOR A DIME, IT IS +SUPERVISED. IF THE CALL GOES THROUGH, THEN IT IS NON-SUPED! + +2. 800 LOOPS WOULD BE A PLUS. THEY ARE NOT NECESSARILY FOUND BETWEEN 9900 & +9999 THOUGH. I WOULD CHECK THE 1XXX SERIES FIRST. + +3. MULTI-USER LOOPS ARE ALSO A PLUS FOR THOSE LATE NIGHT CONFERENCES. + + FINALLY, REMEMBER IT IS ONLY A LOCAL CALL TO FIND OUT WHAT YOU CO HAS IN +STORE FOR YOU. IF YOU FIND ANYTHING INTERESTING, BE SURE TO DROP ME A LINE. + + +NOTE: YOUR LOCAL WHITE PAGES CAN BE A VALUABLE ASSET. YOU CAN ALSO ORDER OTHER +FONE BOOKS FROM YOUR BUSINESS OFFICE (USUALLY FREE FOR BOOKS WITHIN YOUR +OPERATING COMPANY'S DISTRICT). A LARGE FONE BOOK, SUCH AS MANHATTAN, CONTAINS + + Page 98 + + + + + The Official Phreaker's Manual + +MUCH MORE INFO IN THE FIRST FEW PAGES THAN OTHER BOOKS. + + ANI + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + AUTOMATIC NUMBER IDENTIFICATION (ANI), IS A NUMBER THAT YOU CALL UP THAT +WILL TELL YOU WHAT # YOU ARE CALLING FROM. + THIS HAS A FEW USES. FIRST, WERE YOU EVER SOMEWHERE AND THE FONE DIDN'T +HAVE A # PRINTED ON IT? OR PERHAPS YOU WERE FOOLING AROUND IN SOME CANS (THOSE +LARGE BOXES ON FONE POLES THAT CONTAIN TERMINALS FOR LINEMAN USE--TO BE +DISCUSSES IN A FUTURE CHAPTER.) AND YOU WANT TO KNOW WHAT WHAT THE LINE # IS. +IN NPA 914, THE ANI IS 990. IN NPA'S 212 & 516, ANI IS 958. THIS VARIES FROM +AREA TO AREA. + +HERE ARE SOME OTHER ANI'S THAT I HAVE SEEN: + +890-751-5191 +202-222-2222 +1-XXX-1111 (IN SOME 914 AREAS, ESP. UNDER STEP-BY-STEP SWITCHING, YOU HAVE +TO DIAL 1-990-1111) + + TO FIND ANI FOR OTHER AREAS, CHECK 3 DIGITS #'S FIRST, USUALLY IN THE 9XX +SERIES (EXCLUDING 911). IN AREAS UNDER STEP-BY-STEP (TO BE DISCUSSED IN THE +NEXT PART), TRY 1-9XX-1111. + ANI MAY ALSO BE IN 99XX. LAST RESORT, TRY TO GET FRIENDLY WITH YOUR +NEIGHBOR WHO WORKS FOR THE FONE COMPANY. + + RING BACK + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + RINGBACK, AS ITS NAME IMPLIES, CALLS BACK THE # YOU ARE AT WHEN YOU DIAL +THE RINGBACK #. RINGBACK, IN NPA 914, IS 660. YOU DIAL 660+THE LAST 4 DIGITS OF +THE FONE. YOU WILL THEN GET A TONE, HANG-UP QUICKLY AND PICK-UP IN ABOUT 2 +SECONDS. YOU WILL THEN GET A SECOND TONE, HANG-UP AGAIN AND THE FONE WILL +RING. + IN NYC, IT IS ALSO 660, BUT YOU MAY HAVE TO PRESS 6 OR 7 BEFORE YOU HANG UP +FOR THE FIRST TIME (IE, AT THE FIRST TONE). + + OTHER RINGBACK #'S THAT I HAVE SEEN ARE: + +26011 - THIS 5 DIGIT FORMAT IS USED PRIMARILY ON STEP-BY-STEP. +THE LAST 2 DIGITS (11) ARE DUMMY DIGITS. + +890-897-XXXX - XXXX ARE THE LAST 4 DIGITS OF THE FONE #. + +119911/11911/1199911 - GTE + +NNX-9906/9907 - NPA 301, NNX IS THE EXCHANGE + + + THE REASON YOU GET THE TONE WHEN YOU PICK-UP AFTER IT RINGS IS BECAUSE IN +SOME AREAS, PEOPLE WERE USING RINGBACK AS AN IN-HOUSE INTERCOM. THEY WOULD +DIAL RINGBACK, AND WHEN IT STOPPED RINGING, THEY WOULD PICK-UP & TALK WITH THE +PERSON WHO PICKED UP THE OTHER EXTENSION. BELL DIDN'T LIKE THIS SINCE THERE IS +USUALLY ONLY 1 PIECE OF EQUIPMENT IN EACH EXCHANGE THAT DOES THE RINGBACK. WHEN +PEOPLE USED THIS AS AN INTERCOM, LINEMEN & REPAIRMEN COULDN'T GET THROUGH! IN +SOME AREAS, ESPECIALLY THOSE UNDER STEP-BY-STEP, RINGBACK CAN STILL BE USED AS +AN INTERCOM. ALSO, UNDER STEP-BY-STEP, THE RINGBACK PROCEDURE IT USUALLY + + Page 99 + + + + + The Official Phreaker's Manual + +SIMPLE. FOR EXAMPLE, IN ONE AREA YOU WOULD DIAL 26011 AND HANG-UP; IT WOULD +THEN RINGBACK. + + TOUCH-TONE TEST: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN AREAS THAT HAVE A TOUCH-TONE TEST, YOU DIAL THE RINGBACK #. AT THE +FIRST TONE, YOU TOUCH-TONE DIGITS 1-0. IF THEY ARE CORRECT IT WILL BEEP +TWICE. +I HAVE ALSO SEEN A TT TEST IN SOME AREAS AT: 890-751-5191 + + COMING SOON: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN THE NEXT PART, WE WILL LOOK AT VARIOUS SWITCHING EQUIPMENT AND THE +NETWORK. + + + BREAK UP OF BELL: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THE OPERATING COMPANIES ARE NOT GOING TO CHANGE ALL THE SWITCHING EQUIPMENT +AROUND. WHILE THERE WILL BE SOME CHANGES, MOST OF THE INFORMATION PROVIDED +HERE WILL REMAIN PERTINENT AFTER JANUARY 1, 1984. JUST SUBSTITUTE THE WORD +"FONE NETWORK" FOR BELL SYSTEM. + + +AU REVOIR, + +*****BIOC +*=$=*AGENT +*****003 + +DECEMBER 8, 1983 + +ACKNOWLEDGEMENTS: TAP, PHRED PHREEK, JUDAS GERARD, THE MAGICIAN, DARK PRIEST, +& MYSELF. I WOULD ALSO LIKE TO THANK THE MULCHER ][ FOR HIS ASSISTANCE IN +DISTRIBUTING THIS TUTORIAL. + + + + + + + + + + + + + + + + + + + + + + Page 100 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART III * + * * + ************************************************************ + +PREFACE: + + IN PART III, WE WILL DISCUSS THE DIALING PROCEDURES FOR DOMESTIC AS WELL AS +INTERNATIONAL DIALING. WE WILL ALSO TAKE A LOOK AT THE TELEPHONE NUMBERING +PLAN. + +NORTH AMERICAN NUMBERING PLAN +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +IN NORTH AMERICA, THE TELEPHONE NUMBERING PLAN IS AS FOLLOWS: + +A) A 3 DIGIT NUMBERING PLAN AREA (NPA) CODE, [IE, AREA CODE] + +B) A 7 DIGIT TELEPHONE # CONSISTING OF A 3 DIGIT CENTRAL OFFICE (CO) CODE PLUS +A 4 DIGIT STATION #. + + THESE 10 DIGITS ARE CALLED THE NETWORK ADDRESS OR DESTINATION CODE. IT IS +IN THE FORMAT OF: + +AREA CODE TELEPHONE # +--------- ----------- + N*X NXX-XXXX + +WHERE: N = A DIGIT FROM 2-9 + * = THE DIGIT 0 OR 1 + X = A DIGIT 0-9 + +AREA CODES +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + CHECK YOUR TELEPHONE BOOK OR THE SEPARATE LISTING OF AREA CODES FOUND ON +MANY BBS'S. HERE ARE THE SPECIAL AREA CODES (SAC'S): + +510 - TWX (USA) +610 - TWX (CANADA) +700 - NEW SERVICE +710 - TWX (USA) +800 - WATS +810 - TWX (USA) +900 - DIAL-IT SERVICES +910 - TWX (USA) + + THE OTHER AREA CODES NEVER CROSS STATE LINES, THEREFORE EACH STATE MUST +HAVE AT LEAST ONE EXCLUSIVE NPA CODE. WHEN A COMMUNITY IS SPLIT BY A STATE +LINE, THE CO #'S ARE OFTEN INTERCHANGEABLE (IE, YOU CAN DIAL THE SAME # FROM 2 +DIFFERENT AREA CODES) + +TWX: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + Page 101 + + + + + The Official Phreaker's Manual + + + TWX (TELEX II) CONSISTS OF 5 TELETYPE-WRITER AREA CODES. THEY ARE OWNED BY +WESTERN UNION. THESE SAC'S MAY ONLY BE REACHED VIA OTHER TWX MACHINES. THESE +RUN AT 110 BAUD. BESIDES THE TWX #'S, THESE MACHINES ARE ROUTED TO NORMAL +TELEPHONE #'S. TWX MACHINES ALWAYS RESPOND WITH AN ANSWERBACK. FOR EXAMPLE, +WU'S FYI TWX # IS (910) 988-5956, THE CORRESPONDING REAL NUMBER TO THIS IS +(201) 279-5956. THE ANSWERBACK FOR THIS SERVICE IS "WU FYI MAWA." + + IF YOU DON'T WANT TO BUY A TWX MACHINE, YOU CAN STILL SEND TWX MESSAGES +USING EASYLINK [800/325-4112 - SEE TUC'S AND MY ARTICLE ENTITLED "HACKING +WESTERN UNION'S EASYLINK] + +700: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + AT THE TIME OF THIS WRITING, THE 700 EXCHANGE DOES NOT YET EXIST. AT&T +PLANS TO USE IT SOON THOUGH. THEY PLAN TO MAKE IT A TYPE OF FANCY CALL +FORWARDING SERVICE. IT WILL BE TARGETED TOWARDS SALESMEN ON THE RUN. + + TO UNDERSTAND HOW IT WORKS, I'LL EXPLAIN IT WITH AN EXAMPLE. LET'S SAY JOE +Q. SALESPIG WORKS FOR AT&T SECURITY AND HE IS ON THE RUN CHASING A PHREAK +AROUND THE COUNTRY WHO ROYALLY SCREWED UP AN IMPORTANT COSMOS SYSTEM. LET'S +SAY THAT JOE'S 700 # IS (700) 382-5968. EVERY TIME JOE GOES TO A NEW HOTEL, HE +DIALS A SPECIAL 700 #, ENTERS A CODE, AND THE # WHERE HE IS STAYING. NOW, IF +HIS BOSS RECEIVED SOME IMPORTANT INFO, ALL HE WOULD DO IS DIAL (700) 382-5968 +AND IT WOULD RING WHEREVER JOE LAST PROGRAMMED IT TO. NEAT, HUH? + +800: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THIS SAC IS ONE OF MY FAVORITES SINCE IT ALLOWS FOR TOLL-FREE CALLS. + +INWARD WATS (INWATS): INWARD WIDE AREA TELECOMMUNICATIONS SERVICE IS THE 800 +#'S THAT WE ARE ALL FAMILIAR WITH. 800 #'S ARE SET UP IN SERVICE AREAS OR +BANDS. THERE ARE 6 OF THESE. BAND 6 IS THE LARGEST AND YOU CAN CALL A BAND 6 +# FROM ANYWHERE IN THE US EXCEPT THE STATE WHERE THE CALL IS TERMINATED (THIS +IS WHY MOST COMPANIES HAVE ONE 800 # FOR THE COUNTRY AND THEN ANOTHER FOR JUST +ONE STATE). BAND 5 INCLUDES THE 48 CONTIGUOUS STATES. ALL THE WAY DOWN TO +BAND 1 WHICH INCLUDES ONLY THE STATES CONTIGUOUS TO THAT ONE. THEREFORE, LESS +PEOPLE CAN REACH A BAND 1 INWATS # THAT A BAND 6 #. + +INTRASTATE INWATS #'S (IE, YOU CAN CALL IT FROM ONLY 1 STATE) ALWAYS HAVE A 2 +AS THE LAST DIGIT IN THE EXCHANGE (IE, 800-NX2-XXXX). THE NXX ON 800 #'S +REPRESENT THE AREA WHERE THE BUSINESS IS LOCATED. FOR EXAMPLE, A # BEGINNING +WITH 800-431 WOULD TERMINATE AT A NEW YORK CO. + +800 #'S ALWAYS END UP IN A HUNT SERIES IN A CO. THIS MEANS THAT IT TRIES THE +FIRST # ALLOCATED TO THE COMPANY FOR THEIR 8P0 LINES; IF THIS IS BUSY IT WILL +THEN TRY THE NEXT #, ETC). YOU MUST HAVE A MINIMUM OF TWO LINES PER EACH 800 +#. FOR EXAMPLE, TRAVELNET USES A HUNT SERIES. IF YOU DIAL (800) 521-8400, IT +WILL FIRST TRY THE # ASSOCIATED WITH 8400; IF IT IS BUSY IT WILL GO TO THE NEXT +AVAILABLE PORT, ETC. INWATS CUSTOMERS ARE BILLED BY THE # OF HOURS OF CALLS +THAT ARE MADE TO THEIR #. + +OUTWATS (OUTWARD WATS): OUTWATS ARE FOR MAKING OUTGOING CALLS ONLY. LARGE +COMPANIES USE OUTWATS SINCE THEY RECEIVE BULK-RATE DISCOUNTS. SINCE OUTWATS # +CANNOT HAVE INCOMING CALLS, THEY ARE IN THE FORMAT OF: + + + Page 102 + + + + + The Official Phreaker's Manual + +(800) *XX-XXXX + + WHERE * IS THE DIGIT 0 OR 1 WHICH CANNOT BE DIALED UNLESS YOU BOX THE CALL. +THE *XX IDENTIFIES THE TYPE OF SERVICE AND THE AREAS THAT THE COMPANY CAN +CALL. + +REMEMBER: INWATS + OUTWATS = WATS EXTENDER (SEE PART I) +900: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THIS DIAL-IT SAC IS A NATIONWIDE DIAL-IT SERVICE. IT IS USED FOR TAKING +TELEVISION POLLS AND OTHER STUFF. THE FIRST MINUTE CURRENTLY COSTS AN +OUTRAGEOUS 50 CENTS AND EACH ADDITIONAL MINUTE COSTS 35 CENTS. BELL TAKES IN +ALOT OF REVENUE IN THIS WAY. + +DIAL (900) 555-1212 TO FIND OUT WHAT IS CURRENTLY ON THE SERVICE. + +CO CODES: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THESE IDENTIFY THE SWITCHING OFFICE WHERE THE CALL IS TO BE ROUTED. + +THE FOLLOWING CO CODES ARE RESERVED NATIONWIDE: + +555 - DIRECTORY ASSISTANCE +844 - TIME ] THESE ARE NOW IN +936 - WEATHER ] THE 976 EXCHANGE +950 - FUTURE SERVICES +958 - PLANT TEST +959 - PLANT TEST +970 - PLANT TEST (TEMPORARY) +976 - DIAL-IT SERVICES + + ALSO, THE 3 DIGIT ANI & RINGBACK #'S ARE REGARDED AS PLANT TEST AND ARE +THUS RESERVED. THESE NUMBERS VARY FROM AREA TO AREA. + +950: [ALSO SEE PART I] +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +HERE ARE THE SERVICES THAT ARE CURRENTLY ON THE 950 EXCHANGE: + +1000 - SPC +1022 - MCI EXECUNET +1033 - US TELEPHONE +1044 - ALLNET +1066 - LEXITEL +1088 - SBS SKYLINE + +THESE SCC'S (SPECIALIZED COMMON CARRIERS) ARE FREE FROM FORTRESSES! + +Publishers note: Most 950's now require the station code (1022, 1000, 1088, +etc.) to be five digits long. MCI 950-10222, US telefone 10333, ALLNET 10444, +etc. Look in "Equal Access and the American Dream" p. for a complete list. +PLANT TESTS: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +THESE INCLUDE ANI, RINGBACK, AND OTHER VARIOUS TESTS. + + + Page 103 + + + + + The Official Phreaker's Manual + +976: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + DIAL 976-1000 TO SEE WHAT IS CURRENTLY ON THE SERVICE. ALSO, MANY BBS'S +HAVE A LISTING OF THESE #'S. + + +N11 CODES: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + BELL IS TRYING TO PHASE SOME OF THESE OUT, BUT THEY STILL EXIST IN MANY +AREAS. + +011 - INTERNATIONAL DIALING PREFIX +211 - COIN REFUND OPERATOR +411 - DIRECTORY ASSISTANCE +611 - REPAIR SERVICE +811 - BUSINESS OFFICE +911 - EMERGENCY + +INTERNATIONAL DIALING +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + WITH INTERNATIONAL DIALING, THE WORLD HAS BEEN DIVIDED INTO 9 NUMBERING +ZONES. + +TO MAKE AN INTERNATIONAL CALL, YOU MUST DIAL: INT. PREFIX + COUNTRY CODE + NAT. +# + + IN NORTH AMERICA, THE INTERNATIONAL DIALING PREFIX IS 011 FOR +STATION-TO-STATION CALLS AND 01 FOR OPERATOR- SERVICED CALLS. IDDD STANDS FOR +INTERNATIONAL DIRECT DISTANCE DIALING. + + THE COUNTRY CODE, WHICH VARIES FROM 1 TO 3 DIGITS, ALWAYS HAS THE WORLD +NUMBERING ZONE AS THE FIRST DIGIT. FOR EXAMPLE, THE COUNTRY CODE FOR THE +UNITED KINGDOM IS 44, THUS IT IS IN WORLD NUMBERING ZONE 4. + + SOME BOARDS MAY CONTAIN A COMPLETE LISTING OF OTHER COUNTRY CODES, BUT HERE +ARE A FEW: + +001 - NORTH AMERICA (US, CANADA,ETC) +020 - EGYPT +258 - MOZAMBIQUE +034 - SPAIN +049 - GERMANY +052 - MEXICO (SOUTHERN PORTION) +061 - AUSTRALIA +007 - USSR +081 - JAPAN +098 - IRAN + + IF YOU CALL FROM AN AREA OTHER THAN NORTH AMERICA, THE FORMAT IS GENERALLY +THE SAME. FOR EXAMPLE, LET'S SAY YOU WANTED TO CALL THE WHITE HOUSE FROM +SWITZERLAND. FIRST YOU WOULD DIAL 00 (THE SWISS INTERNATIONAL DIALING PREFIX), +THEN 1 (THE US COUNTRY CODE), FOLLOWED BY 202-456-1414 (THE NATIONAL # FOR THE +WHITE HOUSE). + + ALSO, COUNTRY CODE 87 IS RESERVED FOR MARITIME MOBILE SERVICE, IE CALLING + + Page 104 + + + + + The Official Phreaker's Manual + +SHIPS: + +871 - MARISAT (ATLANTIC) +872 - MARISAT (PACIFIC) +873 - MARISAT (INDIAN ) + +INTERNATIONAL SWITCHING: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN NORTH AMERICA, THERE ARE CURRENTLY 7 NO. 4 ESS'S THAT PERFORM THE DUTY +OF ISC (INTERNATIONAL SWITCHING CENTERS). ALL INTERNATIONAL CALLS DIALED FROM +NUMBERING ZONE 1 WILL BE ROUTED THROUGH ONE OF THESE "GATEWAY CITIES." THEY +ARE: + +182 - WHITE PLAINS, NY +183 - NEW YORK, NY +184 - PITTSBURGH, PA +185 - ORLANDO, FL +186 - OAKLAND, CA +187 - DENVER, CO +188 - NEW YORK, NY + + THE 18X SERIES ARE OPERATOR ROUTING CODES FOR OVERSEAS ACCESS (TO BE +FURTHER DISCUSSED WITH BLUE BOXES). ALL INTERNATIONAL CALLS USE A SIGNALING +SYSTEM CALLED CCITT. IT IS AN INTERNATIONAL STANDARD FOR SIGNALING. + +COMING SOON: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN PART IV, WE WILL DISCUSS SWITCHING EQUIPMENT, VARIOUS OPERATORS, CO +TYPES, ETC. + +PHREAKING LIVES IN '84, + +*****BIOC +*=$=*AGENT +*****003 + +<<=-FARGO 4A-=>> +23-FEB-84 + +REFERENCES/ +ACKNOWLEDGEMENTS: NOTES ON THE NETWORK (AT&T), TAP (ROOM 603, 147W 42 ST, +NEW YORK, NY 10036),UNDERSTANDING TELEPHONE ELECTRONICS,AND MANY OTHERS/TUC, +MULCHER... + + + + + + + + + + + + + + + Page 105 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART IV * + * * + ************************************************************ + +PREFACE: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + PART IV WILL DEAL WITH THE VARIOUS TYPES OF OPERATORS, OFFICE HIERARCHY, & +SWITCHING EQUIPMENT. + + +OPERATORS: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THERE ARE MANY TYPES OF OPERATORS IN THE NETWORK AND THE MORE COMMON ONES +WILL BE DISCUSSED. + +TSPS OPERATOR: +____________________________________________________________ + + THE TSPS (TRAFFIC SERVICE POSITION SYSTEM) OPERATOR IS PROBABLY THE BITCH +(OR BASTARD FOR THE PHEMALE LIBERATIONISTS) THAT MOST OF US ARE USE TO HAVING +TO DEAL WITH. + +HERE ARE HER RESPONSIBILITIES: + +1) OBTAINING BILLING INFORMATION FOR CALLING CARD OR 3RD NUMBER CALLS. + +2) IDENTIFYING CALLED CUSTOMER ON PERSON-TO-PERSON CALLS. + +3) OBTAINING ACCEPTANCE OF CHARGES ON COLLECT CALLS. + +4) IDENTIFYING CALLING NUMBERS. THIS ONLY HAPPENS WHEN THE CALLING # IS NOT +AUTOMATICALLY RECORDED BY CAMA (CENTRALIZED AUTOMATIC MESSAGE ACCOUNTING) & +FORWARDED FROM THE LOCAL OFFICE. THIS COULD BE CAUSED BY EQUIPMENT FAILURES OR +IF THE OFFICE IS NOT EQUIPPED FOR CAMA (MOST ARE). + + + + YOU SHOULDN'T MESS WITH THE TSPS OPERATOR SINCE SHE KNOWS WHERE YOU ARE +CALLING FROM. SHE ALSO KNOWS WHETHER OR NOT YOU ARE AT A FORTRESS FONE & SHE +CAN TRACE CALLS QUITE READILY. OUT OF ALL THE OPERATORS, SHE IS ONE OF THE +MOST DANGEROUS. + +INWARD OPERATOR: +____________________________________________________________ + + THIS OPERATOR ASSISTS YOUR LOCAL TSPS ("0") OPERATOR IN CONNECTING CALLS. + + Page 106 + + + + + The Official Phreaker's Manual + +SHE WILL NEVER QUESTION A CALL AS LONG AS THE CALL IS WITHIN HER SERVICE AREA. +SHE CAN ONLY BE REACHED VIA OTHER OPERATORS OR BY A BLUE BOX. FROM A BB, YOU +WOULD DIAL KP+NPA+121+ST FOR THE INWARD OPERATOR THAT WILL HELP YOU CONNECT ANY +CALLS WITHIN THAT NPA AREA ONLY. (BLUE BOXING WILL BE DISCUSSED IN A FUTURE +PART OF BASIC TELCOM) + +DIRECTORY ASSISTANCE OPERATOR: +____________________________________________________________ + + THIS IS THE OPERATOR THAT YOU ARE CONNECTED TO WHEN YOU DIAL: 411 OR +NPA-555-1212. SHE DOES NOT READILY KNOW WHERE YOU ARE CALLING FROM. SHE DOES +NOT HAVE ACCESS TO UNLISTED #'S, BUT SHE DOES KNOW IF AN UNLISTED # EXISTS FOR +A CERTAIN LISTING. + + THERE IS ALSO A DIRECTORY ASSISTANCE FOR DEAF PEOPLE WHO USE +TELETYPEWRITERS IF YOU MODEM CAN TRANSFER BAUDOT (THE APPLE CAT CAN), THEN YOU +CAN CALL HER UP AND HAVE AN INTERESTING CONVERSATION WITH HER. THE # +IS:800/855-1155. SHE USES THE STANDARD TELEX ABBREVIATIONS SUCH AS GA FOR GO +AHEAD. THEY TEND TO BE NICER & WILL TALK LONGER THAN YOUR REGULAR OPERATORS. +ALSO, THEY ARE MORE VULNERABLE INTO BEING TALKED OUT OF INFORMATION THROUGH THE +PROCESS OF "SOCIAL ENGINEERING" AS CHESHIRE CATALYST WOULD PUT IT. + +OTHER OPERATORS HAVE ACCESS TO THEIR OWN DA BY DIALING KP+NPA+131+ST (MF). + + THIS IS A LITTLE OUT OF THE SCOPE OF THIS TUTORIAL, BUT MANY TELCO'S ARE +NOW CHARGING FOR CALLS TO DIR. ASST. YOU CAN BEAT THIS BY: + +(1) COUNT HOW MANY CALLS YOU MAKE TO DIRECTORY ASSISTANCE IN A BILLING PERIOD. +GO TO A FORTRESS FONE & DIAL DA. WHEN THE OPERATOR COMES ON, GIVE HER A NAME +THAT YOU KNOW HAS AN UNLISTED # OR ASK FOR A TOWN THAT ISN'T IN THE NPA. SHE +WILL THEN ASK FOR YOUR # SO SHE CAN CREDIT THE CALL TO YOU. GIVE HER YOUR HOME +#, SHE DOESN'T KNOW THAT YOU ARE MAKING A FREE CALL FROM THE FORTRESS. JUST +MAKE SURE THAT YOU DON'T CREDIT YOURSELF FOR MORE CALLS THAN YOU ACTUALLY MADE +OR YOU MIGHT HAVE A FEW PROBLEMS! + +(2) IF YOU HAVE A BAUDOT TERMINAL, USE THE 800 #, IT'S FREE & THERE IS ONE # +FOR ALL REQUESTS. + +C/NA OPERATORS: +____________________________________________________________ + + C/NA OPERATORS ARE OPERATORS THAT DO EXACTLY THE OPPOSITE OF WHAT DIRECTORY +ASSISTANCE OPERATORS ARE FOR. SEE PART II, FOR MORE INFO ON C/NA & #'S. IN MY +EXPERIENCES, THESE OPERATORS KNOW MORE THAN THE DA OP'S DO & THEY ARE MORE +SUSCEPTIBLE TO "SOCIAL ENGINEERING." IT IS POSSIBLE TO BULLSHIT A C/NA +OPERATOR FOR THE NON-PUB DA # (IE, YOU GIVE THEM THE NAME & THEY GIVE YOU THE +UNLISTED #). THIS IS DUE TO THE FACT THAT THEY ASSUME YOUR ARE A PHELLOW +COMPANY EMPLOYEE. + +INTERCEPT OPERATOR: +____________________________________________________________ + + THE INTERCEPT OPERATOR IS THE ONE THAT YOU ARE CONNECTED TO WHEN THERE ARE +NOT ENOUGH RECORDINGS AVAILABLE TO TELL YOU THAT THE # HAS BEEN DISCONNECTED OR +CHANGED. SHE USUALLY SAYS, "WHAT # YOU CALLIN' ? " WITH A FOREIGN ACCENT. +THIS IS THE LOWEST OPERATOR LIFEFORM. EVEN THOUGH THEY DON'T KNOW WHERE YOU +ARE CALLING FROM, IT IS A WASTE OF YOUR TIME TO TRY TO VERBALLY ABUSE THEM +SINCE THEY USUALLY UNDERSTAND VERY LITTLE ENGLISH. + + Page 107 + + + + + The Official Phreaker's Manual + + +OTHER OPERATORS: +____________________________________________________________ + +AND THEN THERE ARE THE: +MOBILE +SHIP-TO-SHORE +CONFERENCE +MARINE VERIFY, "LEAVE WORD & CALL BACK," +ROUT & RATE (KP+NPA+141+ST) & OTHER SPECIAL OPERATORS WHO HAVE ONE PURPOSE OR +ANOTHER IN THE NETWORK. + + PROBLEMS WITH AN OPERATOR? ASK TO SPEAK TO THEIR SUPERVISOR... WHICH IS +THE EQUIVALENT OF THE MADAME IN A WHOREHOUSE (IF YOU WILL EXCUSE THE ANALOGY). + + BY THE WAY, SOME CO'S THAT WILL ALLOW YOU TO DIAL A 1 OR 0 AS THE 4TH +DIGIT, WILL ALSO ALLOW YOU TO CALL SPECIAL OPERATORS WITHOUT A BLUE BOX. THIS +IS VERY RARE THOUGH! FOR EXAMPLE, 212-121-1111 WILL GET YOU A NY INWARD +OPERATOR. + +OFFICE HIERARCHY +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + EVERY SWITCHING OFFICE OFFICE IN NORTH AMERICA (THE NPA SYSTEM), IS +ASSIGNED AN OFFICE NAME & CLASS. THERE ARE FIVE CLASSES OF OFFICES NUMBERED 1 +THROUGH 5. YOUR CO IS MOST LIKELY A CLASS 5 OR END OFFICE. ALL LONG-DISTANCE +(TOLL) CALLS ARE SWITCHED BY A TOLL OFFICE WHICH CAN BE A CLASS 4, 3, 2, OR 1 +OFFICE. THERE IS ALSO A 4X OFFICE CALLED AN INTERMEDIATE POINT. THE 4X OFFICE +IS A DIGITAL ONE THAT CAN HAVE AN UNATTENDED EXCHANGE ATTACHED TO IT (KNOWN AS +A REMOTE SWITCHING UNIT-RSU). + + THE FOLLOWING CHART WILL LIST THE OFFICE #, NAME, & HOW MANY OF THOSE +OFFICES EXISTED IN NORTH AMERICA IN 1981. + +CLASS NAME ABB # EXISTING +----- ---------------- --- ------------ +1 REGIONAL CENTER RC 12 +2 SECTIONAL CENTER SC 67 +3 PRIMARY CENTER PC 230 +4 TOLL CENTER TC 1,30 +4P TOLL POINT TP ? +4X INTERMEDIATE PT IP ? +5 END OFFICE EO 19,000 +R RSU RSU ? + + WHEN CONNECTING A CALL FROM ONE PARTY TO ANOTHER, THE SWITCHING EQUIPMENT +USUALLY TRIES TO FIND THE SHORTEST ROUTE BETWEEN THE CLASS 5 END OFFICE OF THE +CALLER & THE CLASS 5 END OFFICE OF THE CALLED PARTY. IF NO INTER-OFFICE TRUNKS +EXIST BETWEEN THE 2 PARTIES, IT WILL THEN MOVE UPTO THE NEXT HIGHEST OFFICE FOR +SERVICING (CLASS 4). IF THE CLASS 4 OFFICE CANNOT HANDLE THE CALL BY SENDING +IT TO ANOTHER CLASS 4 OR 5 OFFICE, IT WILL BE SENT TO THE NEXT OFFICE IN THE +HIERARCHY (3). THE SWITCHING EQUIPMENT FIRST USES THE HIGH-USAGE INTEROFFICE +TRUNK GROUPS, IF THEY ARE BUSY IT THEN GOES TO THE FINAL TRUNK GROUPS ON THE +NEXT HIGHEST LEVEL. IF THE CALL CANNOT BE CONNECTED THEN, YOU WILL PROBABLY GET +A RE-ORDER (120IPM BUSY SIGNAL) SIGNAL. AT THIS TIME, THE GUYS AT NETWORK +OPERATIONS ARE PROBABLY SHITTING IN THEIR PANTS AND TRYING TO AVOID THE DREADED +NETWORK DREADLOCK (AS SEEN ON TV!). + + + Page 108 + + + + + The Official Phreaker's Manual + + IT IS ALSO INTERESTING TO NOTE THAT 9 CONNECTIONS IN TANDEM IS CALLED +RING-AROUND-THE ROSY AND IT HAS NEVER OCCURRED IN TELEPHONE HISTORY. THIS +WOULD CASE AN ENDLESS LOOP CONNECTION. [ A NEAT WAY TO REALLY SCREW-UP THE +NETWORK]. + + THE 10 REGIONAL CENTERS IN THE US & THE 2 IN CANADA ARE ALL INTERCONNECTED. +THEY FORM THE FOUNDATION OF THE ENTIRE TELEPHONE NETWORK. SINCE THERE ARE ONLY +12 OF THEM, THEY ARE LISTED BELOW: + +CLASS 1 REGIONAL OFFICE LOCATION NPA +---------------------------------- --- +DALLAS 4 ESS 214 +WAYNE, PA 215 +DENVER 4T 303 +REGINA NO.2 SP1-4W [CANADA] 306 +ST. LOUIS 4T 314 +ROCKDALE, GA 404 +PITTSBURGH 4E 412 +MONTREAL NO.1 4AETS [CANADA] 504 +NORWICH, NY 607 +SAN BERNARDINO, CA 714 +NORWAY, IL 815 +WHITE PLAINS 4T, NY 914 + + THE FOLLOWING DIAGRAM DEMONSTRATES HOW THE VARIOUS OFFICES MAY BE +CONNECTED: + + _________________________ + _|_ _|_ _|_ REGIONAL + | | | | | | OFFICES + | 1 | <=--=> | 1 | <=--=> | 1 | <<==------ + |___| |___| |___| + | OTHERS\/ + _________________|_______________________| + _|_ _|_ _|_ _|__ _|_ +| | | | | | | | | | +| 2 | | 3 | | 4 | | 4P | | 5 | +|___| |___| |___| |____| |___| + | | | | + |____ | _|__ | + _|_ _|_ | __|_ _|_ \ +| || || | || | |_____ +| 3 || 4 || | 4X || 5 | _|__ _|_ +|___||___|| |____||___|| || | + | | | 4X || 5 | + __|_ | |____||___| + | ||_____________ + | 5R | _______|_________ + |____| | | | + _|_ _|_ _|_ __|_ + | | | | | | | | + | R | | 4 | | 5 | | 5R | + |___| |___| |___| |____| + +NOTE: THE PRECEDING DIAGRAM USED SPECIAL SYMBOLS FROM AN APPLE //E THAT MAY NOT +BE VIEWED AS I INTENDED THEM IF YOU ARE NOT USING AN APPLE//E OR //C. + +SWITCHING EQUIPMENT + + Page 109 + + + + + The Official Phreaker's Manual + +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN THE NETWORK, THERE ARE 3 MAJOR TYPES OF SWITCHING EQUIPMENT. THEY ARE +KNOWN AS: STEP, CROSSBAR, & ESS. + + +STEP-BY-STEP (SXS) +____________________________________________________________ + + THE STEP-BY-STEP, A/K/A THE STROWGER SWITCH OR TWO-MOTION SWITCH, WAS +INVENTED IN 1889 BY AN UNDERTAKER NAMED ALMON STROWGER. HE INVENTED THIS +MECHANICAL SWITCHING EQUIPMENT BECAUSE HE FELT THAT THE BIASED OPERATOR WAS +ROUTING ALL REQUESTS FOR AN 'UNDERTAKER' TO HER HUSBAND'S BUSINESS. BELL +STARTED USING THIS SYSTEM IN 1918 AS OF 1978, OVER 53% OF THE BELL EXCHANGES +USED THIS METHOD OF SWITCHING. + + STEP-BY-STEP SWITCHING IS CONTROLLED DIRECTLY BY THE DIAL PULSES WHICH MOVE +A SERIES OF SWITCHES (CALLED THE SWITCH TRAIN) IN ORDER. WHEN YOU FIRST PICK UP +THE FONE UNDER SXS, A LINEFINDER ACKNOWLEDGES THE REQUEST (SOONER OR LATER) BY +SENDING A DIAL TONE. IF YOU THEN DIALED 1234, THE EQUIPMENT WOULD FIRST FIND +AN IDLE SELECTOR SWITCH. IT WOULD THEN MOVE VERTICALLY 1 PULSE, IT WOULD THEN +MOVE HORIZONTALLY TO FIND A FREE SECOND SELECTOR, IT WOULD THEN MOVE 2 VERTICAL +PULSES, STEP HORIZONTALLY TO FIND THE NEXT SELECTOR, ETC. THUS THE FIRST +SWITCH IN THE TRAIN TAKES NO DIGITS, THE SECOND SWITCH TAKES 1 DIGIT, THE THIRD +SWITCH TAKES 1 DIGIT, & THE LAST SWITCH IN THE TRAIN (CALLED THE CONNECTOR) +TAKES THE LAST 2 DIGITS & CONNECTS YOUR CALLS. A NORMAL (10,000 LINE) EXCHANGE +REQUIRES 4 DIGITS (0000-9999) TO CONNECT A LOCAL CALL & THUS IT TAKES 4 +SWITCHES TO CONNECT EVERY CALL (LINEFINDER, 1ST & 2ND SELECTORS, & THE +CONNECTOR) . + + WHILE IT WAS THE FIRST, SXS SUCKS FOR THE FOLLOWING REASONS: + +[1] THE SWITCHED OFTEN BECOME JAMMED THUS THE CALLS OFTEN BECOME BLOCKED. + +[2] YOU CAN'T USE DTMF (DUAL-TONE MULTI-FREQUENCY A/K/A TOUCH-TONE) DIRECTLY. +IT IS POSSIBLE THAT THE TELCO MAY HAVE INSTALLED A CONVERSION KIT BUT THEN THE +CALLS WILL GO THROUGH JUST AS SLOW AS PULSE, ANYWAY! + +[3] THEY USE A LOT OF ELECTRICITY & MECHANICAL MAINTENANCE. (BAD FROM TELCO +POINT OF VIEW) + +[4] EVERYTHING IS HARDWIRED. + + THEY CAN STILL HOOK UP PEN REGISTERS & OTHER SHIT ON THE LINE SO IT IS NOT +EXACTLY A PHREAK HAVEN. + +YOU CAN IDENTIFY SXS OFFICES BY: + +(1) LACK OF DTMF OR PULSING DIGITS AFTER DIALING DTMF. + +(2) IF YOU GO NEAR THE CO, IT WILL SOUND LIKE A TYPEWRITER TESTING FACTORY. + +(3) LACK OF SPEED CALLING, CALL FORWARDING, & OTHER CUSTOMER SERVICES. + +(4) FORTRESS FONES THAT WANT YOUR MONEY FIRST (AS OPPOSED TO DIAL TONE FIRST +ONES). + + THE PRECEDING DON'T NECESSARILY IMPLY THAT YOU HAVE SXS BUT THEY SURELY + + Page 110 + + + + + The Official Phreaker's Manual + +GIVE EVIDENCE THAT IT MIGHT BE. ALSO, IF ANY OF THE ABOVE CHARACTERISTICS +EXIST, IT CERTAINLY ISN'T ESS! ALSO, SXS HAVE PRETTY MUCH BEEN ERADICATED FROM +LARGE METROPOLITAN AREAS SUCH AS NYC (212). + +CROSSBAR: +____________________________________________________________ + + THERE ARE 3 MAJOR TYPES OF CROSSBAR SYSTEMS CALLED: NO. 1 CROSSBAR (1XB), +NO. 4 CROSSBAR (4XB), & NO. 5 CROSSBAR (5XB). 5XB HAS BEEN THE PRIMARY END +OFFICE SWITCH OF BELL SINCE THE 60'S AND THUS IT IS IN WIDE-USE. + + CROSSBAR USES A COMMON CONTROL SWITCHING METHOD. WHEN THERE IS AN INCOMING +CALL, A STORED PROGRAM DETERMINES ITS ROUTE THROUGH THE SWITCHING MATRIX. + + IN CROSSBAR, THE BASIC OPERATION PRINCIPLE IS THAT A HORIZONTAL & A +VERTICAL LINE ARE ENERGIZED IN A MATRIX KNOWN AS THE CROSSPOINT MATRIX. THE +POINT WHERE THESE 2 LINES MEET IN THE MATRIX IS THE CONNECTION. + + +ESS +____________________________________________________________ + +ELECTRONIC SWITCHING SYSTEM (ESS) THE PHREAK'S NIGHTMARE COME TRUE (OR ORWELL'S +PROPHECY AS 2600 PUTS IT) + + ESS IS BELL'S MOVE TOWARDS THE AIRSTRIP ONE SOCIETY DEPICTED IN ORWELL'S +1984. WITH ESS, EVERY SINGLE DIGIT THAT YOU DIAL IS RECORDED--EVEN IF IT IS A +MISTAKE. THEY KNOW WHO YOU CALL, WHEN YOU CALL, HOW LONG YOU TALKED FOR, & +PROBABLY WHAT YOU TALKED ABOUT (IN SOME CASES). ESS CAN (AND IS) ALSO +PROGRAMMED TO PRINT OUT #'S OF PEOPLE WHO MAKE EXCESSIVE CALLS TO 800 #'S OR +DIRECTORY ASSISTANCE. THIS IS CALLED THE "800 EXCEPTIONAL CALLING REPORT." ESS +COULD ALSO BE PROGRAMMED TO PRINT OUT LOGS OF WHO CALLS CERTAIN #'S--LIKE A +BOOKIE, A KNOWN COMMUNIST, A BBS, ETC THE THING TO REMEMBER WITH ESS IS THAT IT +IS A SERIES OF PROGRAMS WORKING TOGETHER. THESE PROGRAMS CAN BE VERY EASILY +CHANGED TO DO WHATEVER THEY WANT IT TO DO. ONE PHREAK WHOM I KNOW HAS SOME ESS +SOURCE CODE LISTING WHICH IS INCREDIBLY COMPLEX (AS WELL AS DOCUMENTED--GRACIAS +DIOS). THIS SYSTEM MAKES THE JOB OF BELL SECURITY, THE FBI, NSA, & OTHER +ORGANIZATIONS THAT LIKE TO INVADE PRIVACY INCREDIBLY EASY. + + WITH ESS, TRACING IS DONE IN MICROSECONDS (EINE AUGENBLICK) & THE RESULTS +ARE PRINTED AT THE CONSOLE OF A BELL GESTAPO OFFICER. ESS WILL ALSO PICK UP +ANY "FOREIGN" TONES ON THE LINE SUCH AS 2600 HZ! + + BELL PREDICTS THAT THE COUNTRY WILL BECOME TOTALLY ESS BY THE 1990'S. + + YOU CAN IDENTIFY ESS BY THE FOLLOWING WHICH ARE USUALLY ESS FUNCTIONS: + +[1] DIALING 911 FOR HELP. +[2] DIAL-TONE-FIRST FORTRESSES. +[3] CUSTOM CALLING SERVICES SUCH AS:CALL FORWARDING, SPEED DIALING, & CALL +WAITING. (ASK YOUR BUSINESS OFFICE IF YOU CAN GET THESE.) +[4] ANI (AUTOMATIC NUMBER IDENTIFICATION) ON LD CALLS. + + PHREAKING DOES NOT COME TO A COMPLETE HALT UNDER ESS THOUGH--JUST BE VERY +CAREFUL, THOUGH!!! + + DUE TO THE FACT THAT ESS SENDS A COMPUTER GENERATED "ARTIFICIAL RING," +WHERE THE VOICE IS NOT CONNECTED DIRECTLY TO THE CALLED PARTIES LINE UNTIL HE + + Page 111 + + + + + The Official Phreaker's Manual + +PICKS UP, BLACK BOXES & INFINITY TRANSMITTERS WILL NOT WORK! + +NOTE: ANOTHER INTERESTING WAY TO FIND OUT WHAT TYPE OF EQUIPMENT YOU ARE ON IS +TO RAID THE TRASH CAN OF YOU LOCAL CO--THIS ART WILL DISCUSSED IN A SEPARATE +ARTICLE SOON. + +COMING SOON: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +IN THE PART V, WE WILL START TO TAKE A LOOK AT TELEPHONE ELECTRONICS. + +FURTHER READING: + +FOR MORE INFORMATION ON THE ABOVE TOPICS, I SUGGEST THE FOLLOWING: + +NOTES ON THE NETWORK, AT&T, 1980. + +UNDERSTANDING TELEPHONE ELECTRONICS,TEXAS INSTRUMENTS, 1983. + +AND SUBSCRIPTIONS TO: + +TAP, ROOM 603, 147 W 42 ST, NEW YORK, NY 10036. SUBSCRIPTIONS ARE +$10/YEAR.#BACK ISSUES ARE $0.75. THE CURRENT ISSUES IS #90 (JAN/FEB 1984) + +2600, BOX 752, MIDDLE ISLAND, NY 11953. SUBSCRIPTIONS ARE $10/YEAR. BACKISSUES +ARE $1 EACH. THE CURRENT ISSUE IS #4 (APRIL 1984). + +THEY ARE BOTH EXCELLENT SOURCES OF ALL SORTS OF INFORMATION (PRIMARILY +PHREAKING/HACKING). + +NOTE: FOR THE MOST PART, I HAVE ASSUMED THAT YOU HAVE READ MY PREVIOUS 3 +COURSES IN THE BASIC TELCOM SERIES. + +HASTA LUEGO, + +*****BIOC +*=$=*AGENT +*****003 + +APRIL 13, 1984 [THE YEAR OF BIG BROTHER] + +<<=-FARGO 4A-=>> + + + + + + + + + + + + + + + + + + Page 112 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART V * + * * + ************************************************************ + + +PREFACE: + + PREVIOUS INSTALLMENTS OF THIS SERIES WERE FOCUSED ON TELEPHONY FROM A +NETWORK POINT-OF-VIEW. PART V WILL DEAL WITH TELEPHONE ELECTRONICS FOCUSING +PRIMARILY ON THE SUBSCRIBER'S TELEPHONE. HERE-IN-AFTER SIMPLY REFERRED TO AS +"FONE." + +WIRING: +____________________________________________________________ + + ASSUMING A STANDARD ONE-LINE FONE, THERE ARE USUALLY 4 WIRES THAT LEAD OUT +OF THE FONE SET. THESE ARE STANDARDLY COLORED RED, GREEN, YELLOW, & BLACK. +THE RED & GREEN SIRES ARE THE TWO THAT ARE ACTUALLY HOOKED UP TO YOUR CO. THE +YELLOW WIRE IS SOMETIMES USED TO RING DIFFERENT FONES ON A PARTY LINE (IE, ONE +#, SEVERAL FAMILIES--FOUND PRIMARILY IN RURAL AREAS WHERE THEY PAY LESS FOR THE +SERVICE AND THEY DON'T USE THE FONE AS MUCH); OTHERWISE, THE YELLOW IS USUALLY +JUST IGNORED. ON SOME TWO-LINE FONES, THE RED & GREEN WIRES ARE USED FOR THE +FIRST FONE # AND THE YELLOW & BLACK ARE USED FOR THE SECOND LINE. IN THIS CASE +THERE MUST BE AN INTERNAL OR EXTERNAL DEVICE THAT SWITCHES BETWEEN THE TWO +LINES AND PROVIDES A HOLD FUNCTION. (SUCH AS RADIO SHACK'S OUTRAGEOUSLY PRICED +2 LINE & HOLD MODULE-9. + + IN TELEPHONY, THE RED & GREEN WIRES ARE OFTEN REFERRED TO AS TIP (T) & RING +(R). THE TIP IS USUALLY THE MORE POSITIVE OF THE TWO WIRES. THIS NAMING GOES +BACK TO THE OLD OPERATOR CORD BOARDS WHERE ONE OF THE WIRES WAS THE TIP OF THE +PLUG AND THE OTHER WAS THE RING (OF THE BARREL). + A ROTARY FONE (AKA DIAL OR PULSE) WILL WORK FINE REGARDLESS WHETHER THE RED +(OR GREEN) WIRE IS CONNECTED THE TIP(+) OR RING(-). A TOUCH-TONE (TM) FONE IS +A DIFFERENT STORY, THOUGH. IT WILL NOT WORK EXCEPT IF THE TIP(+) IS THE GREEN +WIRE. [ALTHOUGH, SOME OF THE MORE EXPENSIVE DTMF FONES DO HAVE A RECTIFIER +BRIDGE WHICH COMPENSATES FOR POLARITY REVERSAL.] THIS I WHY UNDER CERTAIN +(NON-DIGITAL) SWITCHING EQUIPMENT YOU CAN REVERSE THE RED & GREEN WIRES ON A +TOUCH-TONE FONE AND RECEIVE FREE DTMF SERVICE. EVEN THOUGH IT WON'T BREAK DIAL +TONE, REVERSING THE WIRES ON A ROTARY LINE ON A DIGITAL SWITCH WILL CAUSE THE +TONES TO BE GENERATED. + +VOLTAGES, ETC. +____________________________________________________________ + + WHEN YOUR TELEPHONE IS ON-HOOK (IE, HUNG UP) THERE IS APPROXIMATELY 48 +VOLTS OF DC CURRENT (VDC) FLOWING THROUGH THE TIP & RING. WHEN THE HANDSET OF +A FONE IS LIFTED A FEW SWITCHES CLOSE WHICH CAUSE A LOOP TO BE CONNECTED (KNOWN +AS THE "LOCAL LOOP") BETWEEN YOUR FONE & THE CO. ONCE THIS HAPPENS DC CURRENT +IS ABLE TO FLOW THROUGH THE FONE WITH LESS RESISTANCE. THIS CAUSES A RELAY TO +ENERGIZE WHICH CAUSES OTHER CO EQUIPMENT TO REALIZE THAT YOU WANT SERVICE. +EVENTUALLY, YOU SHOULD END UP WITH A DIAL TONE. THIS ALSO CAUSES THE 48 VDC TO +DROP DOWN INTO THE VICINITY OF 13 VOLTS. THE RESISTANCE OF THE LOOP ALSO DROPS +BELOW THE 2500 OHM LEVEL. + + Page 113 + + + + + The Official Phreaker's Manual + + + AS OF NOW, YOU ARE PROBABLY SAYING TO YOURSELF THAT THIS IS ALL NICE AND +TECHNICAL BUT WHAT THE HELL GOOD IS THE INFORMATION. WELL, ALSO CONSIDER THAT +THIS VOLTAGE (& RESISTANCE) DROP IS HOW THE CO DETECTS THAT A FONE WAS TAKEN +OFF HOOK (PICKED UP). IN THIS WAY, THEY KNOW WHEN TO START BILLING THE CALLING +NUMBER. NOW WHAT DO YOU SUPPOSE WOULD HAPPEN IF A DEVICE SUCH AS A RESISTOR OR +A ZENER DIODE WAS PLACED ON THE CALLED PARTIES LINE SO THAT THE VOLTAGE WOULD +DROP JUST ENOUGH TO ALLOW TALKING BUT NOT ENOUGH TO START BILLING? FIRST OFF, +THE CALLING PARTY WOULD NOT BE BILLED FOR THE CALL BUT CONVERSATION COULD BE +PURSUED. SECONDLY, THE CO EQUIPMENT WOULD THINK THAT THE FONE JUST KEPT ON +RINGING. THE TELCO CALLS THIS A "NO-NO" (TOLL FRAUD TO BE MORE SPECIFIC) WHILE +PHONE PHREAKS AFFECTIONATELY CALL THIS MUTE A BLACK BOX. + + THE FOLLOWING ARE INSTRUCTIONS ON HOW TO BUILD A SIMPLE BLACK BOX. OF +COURSE, ANYTHING THAT PREVENTS THE VOLTAGE FROM DROPPING WOULD WORK. +YOU ONE OR TWO PARTS: A SPST TOGGLE SWITCH AND A 10,000 OHM (10 K), 1/2 +WATT RESISTOR. ANY ELECTRONICS STORE SHOULD STOCK THESE PARTS. + + NOW, CUT 2 PIECES OF WIRE (ABOUT 6 INCHES LONG) AND ATTACH ONE END OF EACH +WIRE TO ONE OF THE TERMINALS ON THE SWITCH. NOW TURN YOUR K500 (STANDARD DESK +FONE) UPSIDE DOWN AND TAKE OFF THE COVER. LOCATE THE 2 SCREWS ON THE NETWORK +BOX LABELED >F< AND >RR<. WRAP THE RESISTOR BETWEEN THE 2 SCREWS MAKING SURE +THAT IT DOESN'T TOUCH ANY OTHER TERMINALS!. NOW CONNECT ONE WIRE FROM THE +SWITCH TO THE RR TERMINAL. FINALLY, ATTACH THE REMAINING WIRE TO THE GREEN WIRE +(DISCONNECT IT FROM ITS TERMINAL). NOW BRING THE SWITCH OUT THE REAR OF THE +FONE AND REPLACE THE COVER. + + PUT THE SWITCH IN A POSITION WHERE YOU RECEIVE A DIAL TONE. MARK THIS +POSITION NORMAL. MARK THE OTHER SIDE FREE. + + WHEN YOUR PHRIENDS CALL (AT A PREARRANGED TIME), QUICKLY LIFT & DROP THE +RECEIVER AS FAST A POSSIBLE. THIS WILL STOP THE RINGING (DO IT AGAIN IF IT +DOESN'T) WITH OUT STARTING THE BILLING. IT IS IMPORTANT THAT YOU DO IT QUICKLY +(LESS THAN ONE SECOND THEN PUT THE SWITCH IN THE FREE POSITION AND PICK UP THE +FONE. KEEP ALL CALL SHORT AND PREFERABLY UNDER 15 MINUTES. + +NOTE: IF ANYONE PICKS UP AN EXTENSION IN THE CALLED PARTIES HOUSE AND THAT +FONE IS NOT SET FOR FREE THEN BILLING WILL START. + +NOTE: AN OLD WAY OF SIGNALING A PHRIEND THAT YOU ARE ABOUT TO CALL IS +MAKING A COLLECT CALL TO A NON-EXISTENT PERSON IN THE HOUSE. SINCE YOUR FRIEND +WILL NOT ACCEPT THE CHARGES, HE WILL KNOW THAT YOU ARE ABOUT TO CALL AND THUS +PREPARE THE BLACK BOX (OR VISA VERSA). + +WARNING: THE TELCO CAN DETECT BLACK BOXES IF THEY SUSPECT ONE ON YOUR LINE. +THIS IS DONE DUE TO THE PRESENCE OF AC VOICE SIGNAL AT THE WRONG DC LEVEL! + +PICTORIAL DIAGRAM: (STANDARD ROTARY K500 FONE) +____________________________________________________________ + + _____________________________________ +| | +***BLUE WIRE**>>F< | +| * * | +**WHITE WIRE** * | +| * | +| RESISTOR | +| * | + + Page 114 + + + + + The Official Phreaker's Manual + +| * | +| >RR<*******SWITCH**** | +| * | +****GREEN WIRE********************** | +| | +|_____________________________________| + +NOTE: THE BLACK BOX WILL NOT WORK UNDER ESS OR OTHER SIMILAR DIGITAL +SWITCHES SINCE ESS DOES NOT CONNECT THE VOICE CIRCUITS UNTIL THE FONE IS PICKED +UP (& BILLING STARTS). INSTEAD, ESS USES AN "ARTIFICIAL" COMPUTER GENERATED +RING. + +RINGING: +____________________________________________________________ + + TO INFORM A SUBSCRIBER OF AN INCOMING CALL, THE TELCO SENDS 90 VOLTS (RMS) +OF AC CURRENT DOWN THE LINE (AT AROUND 15 TO 60 HZ) IN STANDARD FONES, THIS +CAUSES A METAL ARMATURE TO BE ATTRACTED ALTERNATELY BETWEEN TWO ELECTRO-MAGNETS +THUS STRIKING 2 BELLS. OF COURSE, THE STANDARD BELL (PATENTED IN 1878 BY TOM +A. WATSON) CAN BE REPLACED BY A MORE MODERN ELECTRONIC BELL OR SIGNALING +DEVICE. + + ALSO, YOU CAN HAVE LIGHTS AND OTHER SIMILAR DEVICES IN LIEU OF (OR IN +CONJUNCTION WITH) THE BELL. A SIMPLE NEON LIGHT (WITH ITS CORRESPONDING +RESISTOR) CAN SIMPLY BE CONNECTED BETWEEN THE RED & GREEN WIRES (USUALLY L1 & +L2 ON THE NETWORK BOX) SO THAT IT LIGHTS UP ON INCOMING CALLS. A REGULAR 60 +WATT LIGHT BULB CAN ALSO BE HOOKED UP USING A SIMPLE (120 VAC) RELAY. + +WARNING: 90 & 120 VAC CAN GIVE QUITE A SHOCK. EXERCISE EXTREME CAUTION IF +YOU WISH TO FURTHER PURSUE THESE TOPICS. + + ALSO INCLUDED IN THE RINGING CIRCUIT IS A CAPACITOR TO PREVENT THE DC +CURRENT FROM INTERFERING WITH THE BELL [A CAPACITOR WILL PASS AC CURRENT WHILE +IT WILL PREVENT DC CURRENT FROM FLOWING (BY STORING IT)]. + ANOTHER REASON THAT THE TELCO HATES BLACK BOXES IS BECAUSE RINGING USES +ALOT OF COMMON-CONTROL EQUIPMENT, IN THE CO, WHICH USE ALOT OF ELECTRICITY. +THUS THE RINGING GENERATORS ARE BEING TIED UP WHILE A FREE CALL IS BEING MADE. +USUALLY CALLS THAT ARE ALLOWED TO RING FOR A LONG PERIOD OF TIME MAY BE +CONSTRUED AS SUSPICIOUS. SOME OFFICES MAY BE SET UP TO DROP A TROUBLE CARD FOR +LONG PERIODS OF RINGING THEN A "NO-NO" DETECTION DEVICE MAY BE PLACED ON THE +LINE. + INCIDENTALLY, THE TERM "RING TRIP" REFERS TO THE CO PROCESS INVOLVED TO +STOP THE AC RINGING SIGNAL WHEN THE CALLING FONE GOES OFF HOOK. + +NOTE: IT IS SUGGESTED THAT YOU ACTUALLY DISSECT FONES TO HELP YOU BETTER +UNDERSTAND THEM. IT WILL ALSO HELP YOU TO BETTER UNDERSTAND THE CONCEPTS HERE +IF YOU ACTUALLY PROVE THEM TO YOURSELF. FOR EXAMPLE, ACTUALLY TAKE THE VOLTAGE +READINGS ON YOUR FONE LINE [ANY SIMPLE MULTI-TESTER (A MUST) WILL DO.] +PHREAKING IS AN INTERACTIVE PROCESS NOT A PASSIVE ONE! + +DIALING: +____________________________________________________________ + + ON A STANDARD FONE, THERE ARE TWO COMMON TYPES OF DIALING: PULSE & DTMF. +OF COURSE, SOME PEOPLE INSIST UPON BEING DIFFERENT AND DON'T USE THE DT THUS +LEAVING THEM WITH MF (MULTI FREQUENCY, AKA OPERATOR, BLUE BOX) TONES. THIS IS +ANOTHER "NO-NO" AND THE TELCO SECURITY GENTLEMEN HAVE A SPECIAL KNACK FOR +DEALING WITH SUCH "PHREAKS" ON THE NETWORK. + + Page 115 + + + + + The Official Phreaker's Manual + + WHEN YOU DIAL ROTARY, YOU ARE ACTUALLY RAPIDLY BREAKING & RECONNECTING +(MAKING) THE LOCAL LOOP ONCE FOR EVERY DIGIT DIALED. SINCE THE PHYSICAL +CONNECTION MUST BE BROKEN, YOU CANNOT DIAL IF ANOTHER EXTENSION (OF THAT #) IS +OFF-HOOK. NEITHER OF THE FONES WILL BE ABLE TO DIAL PULSE UNLESS THE OTHER +HANGS UP. + ANOTHER TERM OFTEN REFERRED TO IN TELEPHONE ELECTRONICS IS THE BREAK RATIO. +IN THE US, THERE ARE 10 PULSES PER SECOND (MAX). WHEN THE CIRCUIT IS OPENED IT +IS CALLED THE BREAK INTERVAL. WHEN IT IS CLOSED IT IS CALLED THE MAKE INTERVAL. +IN THE US, THERE IS A 60 MILLISECOND (MS) BREAK PERIOD AND A 40 MS MAKE PERIOD. +(60+40=100 MS = 1/10 MINUTE). THIS IS REFERRED TO AS A 60% BREAK INTERVAL. +SOME OF THE MORE SOPHISTICATED ELECTRONIC FONES CAN SWITCH BETWEEN A 60% & A +67% BREAK INTERVAL. THIS IS DUE TO THE FACT THAT MANY FOREIGN NATIONS USE A +67% BREAK INTERVAL. + HAVE YOU EVER BEEN IN AN OFFICE OR A SIMILAR FACILITY AND SAW A FONE +WAITING TO BE USED FOR A FREE CALL BUT SOME ASSHOLE PUT A LOCK ON IT TO PREVENT +OUTGOING CALLS? + WELL, DON'T FRET PHELLOW PHREAKS, YOU CAN SIMULATE PULSE DIALING BY RAPIDLY +DEPRESSING THE SWITCHOOK. (IF YOU DEPRESS IT FOR LONGER THAN A SECOND IT WILL +BE CONSTRUED AS A DISCONNECT.) BY RAPIDLY SWITCHOOKING YOU ARE CAUSING THE +LOCAL LOOP TO BE BROKEN & MADE SIMILAR TO ROTARY DIALING! THUS IF YOU CAN +MANAGE TO SWITCHOOK RAPIDLY 10 TIMES YOU CAN REACH AN OPERATOR TO PLACE ANY +CALL YOU WANT! THIS TAKES ALOT OF PRACTICE, THOUGH. YOU MIGHT WANT TO PRACTICE +ON YOUR OWN FONE DIALING A FRIEND'S # OR SOMETHING ELSE. INCIDENTALLY, THIS +METHOD WILL ALSO WORK WITH DTMF FONES SINCE ALL DTMF LINES CAN ALSO HANDLE +ROTARY. + ANOTHER PROBLEM WITH PULSE DIALING IS THAT IT PRODUCES HIGH-VOLTAGE SPIKES +THAT MAKE LOUD NOISES IN THE EARPIECE AND CAUSE THE BELL TO "TINKLE." IF YOU +NEVER NOTICED THIS THEN YOUR FONE HAS A SPECIAL "ANTI-TINKLE" & EARPIECE +SHORTING CIRCUIT (MOST DO). IF YOU HAVE EVER DISSECTED A ROTARY FONE (A MUST +FOR ANY SERIOUS PHREAK) YOU WOULD HAVE NOTICED THAT THERE ARE 2 SETS OF CONTACT +THAT OPEN AND CLOSE DURING PULSING (ON THE BACK OF THE ROTARY DIAL UNDER THE +PLASTIC COVER). ONE OF THESE ACTUALLY OPENS AND +CLOSES THE LOOP WHILE THE OTHER MUTES THE EARPIECE BY SHORTING IT OUT. THE +SECOND CONTACTS ALSO ACTIVATES A SPECIAL ANTI-TINKLE CIRCUIT THAT PUTS A 340 +OHM RESISTOR ACROSS THE RINGING CIRCUIT WHICH PREVENTS THE HIGH VOLTAGE SPIKES +FROM INTERFERING WITH THE BELL. + DUAL TONE MULTI FREQUENCY (DTMF) IS A MODERN DAY IMPROVEMENT ON PULSE +DIALING IN SEVERAL WAYS. FIRST OF ALL, IT IS MORE CONVENIENT FOR THE USER +SINCE IT IS FASTER AND CAN BE USED FOR SIGNALING AFTER THE CALL IS COMPLETED +(IE, SCC'S, COMPUTERS, ETC.). ALSO, IT IS MORE UPTO PAR WITH MODERN DAY +SWITCHING EQUIPMENT (SUCH AS ESS) SINCE PULSE DIALING WAS DESIGNED TO ACTUALLY +MOVE RELAYS BY THE NUMBER OF DIGITS DIALED (IN SXS OFFICES). + + EACH KEY ON A DTMF KEYPAD PRODUCES 2 FREQUENCIES SIMULTANEOUSLY (ONE FROM +THE HIGH GROUP AND ANOTHER FROM THE LOW GROUP). + + _______________________________________________ +LOW GROUP | | | | | + 697 HZ-| Q | ABC | DEF | | + | 1 | 2 | 3 | A | + |___________|___________|___________|___________| + | | | | | + 770 HZ-| GHI | JKL | MNO | | + | 1 | 2 | 3 | B | + |___________|___________|___________|___________| + | | | | | + 852 HZ-| PRS | TUV | WXY | | + | 1 | 2 | 3 | C | + + Page 116 + + + + + The Official Phreaker's Manual + + |___________|___________|___________|___________| + | | OPERATOR | | | + 941 HZ-| | Z | | | + | * | 0 | # | D | + |___________|___________|___________|___________| + | | | | + 1209 HZ 1336 HZ 1477 HZ 1633 HZ + HIGH GROUP + +A PORTABLE DTMF KEYPAD IS KNOWN AS A WHITE BOX. + + THE FOURTH COLUMN (1633 HZ) IS NOT NORMALLY FOUND ON REGULAR FONES BUT IT +DOES HAVE SEVERAL SPECIAL USES. FOR ONE, IT IS USED TO DESIGNATE THE PRIORITY +OF CALLS ON AUTOVON, THE MILITARY FONE NETWORK. THESE KEY ARE CALLED: FLASH, +IMMEDIATE, PRIORITY, & ROUTINE (WITH VARIATIONS) INSTEAD OF ABCD. SECONDLY, +THESE KEYS ARE USED FOR TESTING PURPOSES BY THE TELCO. IN SOME AREA YOU CAN +FIND LOOPS AS WELL AS OTHER NEAT TESTS (SEE PART II) ON THE 555-1212 DIRECTORY +ASSISTANCE EXCHANGE. FOR THIS, YOU WOULD CALL UP AN DA IN CERTAIN AREAS [THAT +HAVE AN AUTOMATIC CALL DISTRIBUTOR (ACD)] AND HOLD DOWN THE "D" KEY WHICH +SHOULD BLOW THE OPERATOR OFF. YOU WILL THEN HEAR A PULSING DIAL TONE WHICH +INDICATES THAT YOU ARE IN THE ACD INTERNAL TESTING MODE. YOU CAN GET ON ONE +SIDE OF A LOOP BY DIALING A 6. THE OTHER SIDE IS 7. SOME PHREAKS CLAIM THAT +IF THE PERSON ON SIDE 6 HANGS UP, OCCASIONALLY THE EQUIPMENT WILL SCREW UP AD +START DIRECTING DIRECTORY ASSISTANCE CALLS TO THE OTHER SIDE OF THE LOOP. +ANOTHER ALLEGED TEST IS CALLED REMOB WHICH ALLOWS YOU TO TAP INTO LINES BY +ENTERING A SPECIAL CODE FOLLOWED BY THE 7 DIGIT NUMBER YOU WANT TO MONITOR. +THEN THERE IS THE POSSIBILITY OF MASS CONFERENCING. + ACD'S ARE BECOME RARE THOUGH. YOU WILL PROBABLY HAVE TO MAKE SEVERAL +NPA-555- 1212 CALLS BEFORE YOU FIND ONE. + YOU CAN MODIFY REGULAR FONES QUITE READILY SO THAT THEY HAVE A SWITCH TO +CHANGE BETWEEN THE 3RD AND 4TH COLUMNS. THIS IS CALLED A SILVER BOX (AKA GREY +BOX) AD PLANS CAN BE FOUND IN TAP AS WELL AS ON MANY BBS'S. + +TRANSMITTER/RECEIVER: +____________________________________________________________ + + WHEN YOU TALK INTO THE TRANSMITTER, THE SOUND WAVES FROM YOUR VOICE CAUSE A +DIAPHRAGM TO VIBRATE AND PRESS AGAINST THE CARBON GRANULES (OR ANOTHER SIMILAR +SUBSTANCE). THIS CAUSES THE CARBON GRANULES TO COMPRESS AND CONTRACT THUS +CHANGING THE RESISTANCE OF THE DC CURRENT FLOWING THROUGH IT. THEREFORE, YOUR +AC VOICE SIGNAL IS SUPERIMPOSED OVER THE DC CURRENT OF THE LOCAL LOOP. THE +RECEIVER WORKS IN A SIMILAR FASHION WHERE THE SIMPLE TYPES UTILIZE A MAGNET, +ARMATURE, & DIAPHRAGM. + +HYBRID/INDUCTION COIL: +____________________________________________________________ + + AS YOU MAY HAVE NOTICED, THERE ARE TWO WIRES FOR THE RECEIVER AND TWO FOR +THE TRANSMITTER IN THE FONE, YET THE LOCAL LOOP CONSISTS OF 2 WIRES INSTEAD OF +4. THIS 4-WIRE TO 2-WIRE CONVERSION IS DONE INSIDE THE FONE BY A DEVICE KNOWN +AS AN INDUCTION COIL WHICH USES COUPLING TRANSFORMERS. + THE REASON 2 SIRES ARE USED ON THE LOCAL LOOPS ARE BECAUSE IT IS ALOT +CHEAPER FOR THE TELCO. ALTHOUGH, ALL OF THE INTER-OFFICE TRUNKS UTILIZE 4 +WIRES. THIS IS NECESSARY FOR FULL DUPLEX (IE, SIMULTANEOUS CONVERSATION ON +BOTH SIDES) AND FOR AMPLIFICATION DEVICES. THERE ARE SIMILAR DEVICES IN THE +CO'S, KNOWN AS A HYBRID, THAT COUPLE THE 4-WIRE TRUNKS TO THE 2-WIRE LOCAL +LOOPS AND VISA-VERSA. + + + Page 117 + + + + + The Official Phreaker's Manual + +MISCELLANEOUS: +____________________________________________________________ + + IN THE TELEPHONE, THERE IS ALSO A BALANCING NETWORK CONSISTING OF A FEW +CAPACITORS & RESISTORS WHICH PROVIDE SIDETONE. SIDETONE ALLOWS THE CALLER TO +HEAR HIS OWN VOLUME IN THE RECEIVER. HE CAN THEN ADJUST HIS VOICE ACCORDINGLY. +THIS PREVENTS PEOPLE FROM SHOUTING OR SPEAKING TOO SOFTLY WITHOUT NOTICING IT. + +HOLD: +____________________________________________________________ + + WHEN A TELEPHONE GOES OFF HOOK, THE RESISTANCE DROPS BELOW 2500 OHMS. AT +THIS POINT, THE TELCO WILL SEND A DIAL TONE. TO PUT SOMEONE ON HOLD YOU MUST +PUT A 1000 OHM RESISTOR (1 WATT) ACROSS THE TIP & RING BEFORE IT REACHES THE +SWITCHOOK. IN THIS WAY, WHEN THE FONE IS HUNG UP (FOR HOLD) THE RESISTANCE +REMAINS BELOW 2500 OHMS WHICH CAUSES THE CO TO BELIEVE THAT YOU ARE STILL +OFF-HOOK. YOU CAN BUILD A SIMPLE HOLD DEVICE USING THE FOLLOWING PICTORIAL +DIAGRAM: + +(RED) O_________________________ + [L1] | | | + | | | + 1000 OHM | \ + | | \ + RESISTOR RINGING | + | CIRCUIT | -SWITCH + | | | HOOK + / | | + / SPST SWITCH | \ + | | \ + | | | + | | | +(GREEN) O__|_____________|______| + [L2] +--> TO REST OF FONE + +CONCLUSION: +____________________________________________________________ + +NOTE: MANY OF THE ELECTRONICS COMPONENTS OF NORMAL FONES (K500) ARE +ENCLOSED IN THE NETWORK BOX (WHICH SHOULDN'T BE OPENED). + + I HAVE ASSUMED THAT THE READER HAS A BASIC KNOWLEDGE OF ELECTRONICS. ALSO, +I HAVE ASSUMED THAT YOU HAVE READ THE 4 PREVIOUS INSTALLMENTS OF THIS SERIES +(AND HOPEFULLY ENJOYED THEM). + + IN PART VI, WE WILL TAKE A LOOK AT FORTRESS FONES. + +SUGGESTED FURTHER READING: +____________________________________________________________ + +ELECTRONICS COURSES A-D, TAP, @ $.75 EACH. + +ELECTRONIC TELEPHONE PROJECTS, A.J. CARISTI, HOWARD SAMS BOOKS. + +EVERYTHING YOU ALWAYS WANTED TO KNOW ABOUT 1633 HZ TONES BUT WERE AFRAID TO +ASK, THE MAGICIAN, TAP, ISSUE #62. + + + Page 118 + + + + + The Official Phreaker's Manual + +FREE BELL PHONE CALLS, TAP, FACT SHEET #2, @ $.50. + +FREE GTE PHONE CALLS, TAP, FACT SHEET #3, @ $.50. + +HOW TO MODIFY YOUR BELL TOUCH TONE FONE TO HAVE 1633 CYCLE TONES, TAP, ISSUE +#63. + +MODIFYING YOUR PHONE FOR 1633 HZ (NEW ELECTRONIC KEYPADS), FRED STEINBECK, TAP, +ISSUE #84. + +NOTES ON THE NETWORK, AT&T. + +THE PHONE BOOK, J. EDGAR HYDE. + +REGULATING THE TELEPHONE COMPANY IN YOUR HOME, RAMAPART MAGAZINE, JUNE 1972. + +REMOBS, TAP #91 (NOT YET PUBLISHED AS OF THIS WRITING). + +UNDERSTANDING TELEPHONE ELECTRONICS, TEXAS INSTRUMENTS. + +& OTHER ASSORTED SOURCES... + +TAP: ROOM 603/147 W 42 ST./NEW YORK, NY 10036. PLEASE SPECIFY BY BACKISSUE +#'S (NOT ARTICLE NAMES). ALL BACK-ISSUES ARE $1 EACH. SUBSCRIPTIONS ARE +$10/YEAR (10 ISSUES). SAY THAT BIOC AGENT 003 SENT YOU. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 119 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART VI * + * * + ************************************************************ + +REVISED: 27-OCT-84 + +Preface: + + This article will focus primarily on the standard Western Electric +single-slot coin telephone (aka fortress fone) which can be divided into 3 +types: + +- Dial-Tone First (DTF) + +- Coin-First (CF): (ie, it wants your $ before you receive a dial tone) + +- Dial Post-Pay Service (PP): you pay after the party answers + +Depositing Coins (Slugs): +____________________________________________________________ + + Once you have deposited your slug into a fortress, it is subjected to a +gamut of tests. The first obstacle for a slug is the magnetic trap. This will +stop any light-weight magnetic slugs and coins. If it passes this, the slug is +then classified as a nickel, dime, or quarter. Each slug is then checked for +appropriate size and weight. If these tests are passed, it will then travel +through a nickel, dime, or quarter magnet as appropriate. These magnets set up +an eddy current effect which causes coins of the appropriate characteristics to +slow down so they will follow the correct trajectory. If all goes well, the +coin will follow the correct path (such as bouncing off of the nickel anvil) +where it will hopefully fall into the narrow accepted coin channel. + The rather elaborate tests that are performed as the coin travels down the +coin chute will stop most slugs and other undesirable coins, such as pennies, +which must then be retrieved using the coin release lever. + If the slug miraculously survives the gamut, it will then strike the +appropriate totalizer arm causing a ratchet wheel to rotate once for every +5-cent increment (eg, a quarter will cause it to rotate 5 times). + The totalizer then causes the coin signal oscillator to readout a +dual-frequency signal indicating the value deposited to ACTS (a computer) or +the TSPS operator. These are the same tones used by phreaks in the infamous red +boxes. + For a quarter, 5 beep tones are outpulsed at 12-17 pulses per second (PPS). +A dime causes 2 beep tones at 5 - 8.5 PPS while a nickel causes one beep tone +at 5 - 8.5 PPS. A beep consists of 2 tones: 2200 + 1700 Hz. + A relay in the fortress called the "B relay" (yes, there is also an 'A +relay') places a capacitor across the speech circuit during totalizer read-out +to prevent the "customer" from hearing the red box tones. + In older 3 slot phones: one bell (1050-1100 Hz) for a nickel, two bells +for a dime, and one gong (800 Hz) for a quarter are used instead of the modern +dual-frequency tones. + +TSPS & ACTS +____________________________________________________________ + + Page 120 + + + + + The Official Phreaker's Manual + + + While fortresses are connected to the CO of the area, all transactions are +handled via the Traffic Service Position System (TSPS). In areas that do not +have ACTS, all calls that require operator assistance, such as calling card and +collect, are automatically routed to a TSPS operator position. + In an effort to automate fortress service, a computer system known as +Automated Coin Toll Service (ACTS) has been implemented in many areas. ACTS +listens to the red box signals from the fones and takes appropriate action. It +is ACTS which says, "Two dollars please (pause) Please deposit two dollars for +the next ten seconds" (and other variations). Also, if you talk for more than +three minutes and then hang-up, ACTS will call back and demand your money. +ACTS is also responsible for Automated Calling Card Service. + ACTS also provide trouble diagnosis for craftspeople (repairmen +specializing in fortresses). For example, there is a coin test which is great +for tuning up red boxes. In many areas this test can be activated by dialing +09591230 at a fortress (thanks to Karl Marx for this information). Once +activated it will request that you deposit various coins. It will then identify +the coin and outpulse the appropriate red box signal. The coins are usually +returned when you hang up. + To make sure that there is actually money in the fone, the CO initiates a +"ground test" at various times to determine if a coin is actually in the fone. +This is why you must deposit at least a nickel in order to use a red box! + +Green Boxes: +____________________________________________________________ + + Paying the initial rate in order to use a red box (on certain fortresses) +left a sour taste in many red boxer's mouths thus the GREEN BOX was invented. +The green box generates useful tones such as COIN COLLECT, COIN RETURN, and +RINGBACK. These are the tones that ACTS or the TSPS operator would send to the +CO when appropriate. Unfortunately, the green box cannot be used at a fortress +station but it must be used by the CALLED party. + +Here are the tones: + +COIN COLLECT 700 + 1100 Hz +COIN RETURN 1100 + 1700 Hz +RINGBACK 700 + 1700 Hz + + Before the called party sends any of these tones, an operator released +signal should be sent to alert the MF detectors at the CO. This can be +accomplished by sending 900 + 1500 Hz or a single 2600 Hz wink (90 ms) followed +by a 60 ms gap and then the appropriate signal for at least 900 ms. + Also, do not forget that the initial rate is collected shortly before the 3 +minute period is up. + Incidentally, once the above MF tones for collecting and returning coins +reach the CO, they are converted into an appropriate DC pulse (-130 volts for +return & +130 volts for collect). This pulse is then sent down the tip to the +fortress. This causes the coin relay to either return or collect the coins. + The alleged "T-Network" takes advantage of this information. When a pulse +for COIN COLLECT (+130 VDC) is sent down the line, it must be grounded +somewhere. This is usually either the yellow or black wire. Thus, if the wires +are exposed, these wires can be cut to prevent the pulse from being grounded. +When the three minute initial period is almost up, make sure that the black & +yellow wires are severed; then hang up, wait about 15 seconds in case of a +second pulse, reconnect the wires, pick up the fone, hang up again, and if all +goes well it should be "JACKPOT" time. + + + Page 121 + + + + + The Official Phreaker's Manual + +Physical Attack: +____________________________________________________________ + + A typical fortress weighs roughly 50 lbs. with an empty coin box. Most of +this is accounted for in the armor plating. Why all the security? Well, Bell +contributes it to the following: + + "Social changes during the 1960's made the multislot coin station a +prime target for: vandalism, strong arm robbery, fraud, and theft of service. +This brought about the introduction of the more rugged single slot coin station +and a new environment for coin service." + +As for picking the lock, I will quote Mr. Phelps: + + "We often fantasize about 'picking the lock' or 'getting a master +key.' Well, you can forget about it. I don't like to discourage people, but it +will save you from wasting alot of your time--time which can be put to better +use (heh, heh)." + + As for physical attack, the coin plate is secured on all four side by +hardened steel bolts which pass through two slots each. These bolts are in +turn interlocked by the main lock. + One phreak I know did manage to take one of the 'mothers' home (which was +attached to a piece of plywood at a construction site; otherwise, the permanent +ones are a bitch to detach from the wall!). It took him almost ten hours to +open the coin box using a power drill, sledge hammers, and crow bars (which was +empty -- perhaps next time, he will deposit a coin first to hear if it slushes +down nicely or hits the empty bottom with a clunk.) + Taking the fone offers a higher margin of success. Although this may be +difficult often requiring brute force and there has been several cases of back +axles being lost trying to take down a fone! A quick and dirty way to open the +coin box is by using a shotgun. In Detroit, after ecologists cleaned out a +municipal pond, they found 168 coin phones rifled. + In colder areas, such as Canada, some shrewd people tape up the fones using +duct tape, pour in water, and come back the next day when the water will have +froze thus expanding and cracking the fone open.In one case: + + "unauthorized coin collectors" where caught when they brought $6,000 in +change to a bank and the bank became suspicious... + + At any rate, the main lock is an eight level tumbler located on the right +side of the coin box. This lock has 390,625 possible positions (5 ^ 8, since +there are 8 tumblers each with 5 possible positions) thus it is highly pick +resistant! The lock is held in place by 4 screws. If there is sufficient +clearance to the right of the fone, it is conceivable to punch out the screws +using the drilling pattern below (provided by Alexander Mundy in TAP) + + + + + + + + + + + + + + Page 122 + + + + + The Official Phreaker's Manual + + Chapter 5 + + What is covered in these last few articles, is the essence of phreaking, +blue boxing & equal access. These last articles, I hope will be the final +stage of phreak education for now. Basic telecommunications 7 is a brief intro +to the art of blue boxing, while Better Homes & Blue Boxing will cover it in +full. Equal access will be an interesting switch, it is installed in my area +already and I have been investigating it. One thought is to call MCI operators +and box through them, over MCI lines... + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 123 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART VII * + * * + ************************************************************ + +Preface: + + After most neophyte phreaks overcome their fascination with Metro codes and +WATS extenders, they will usually seek to explore other avenues in the vast +phone network. Often they will come across references such as "simply dial KP ++ 2130801050 + ST for the Alliance teleconferencing system in LA.". Numbers +such as the one above were intended to be used with a blue box; this article +will explain the fundamental principles of the fine art of blue boxing. + +Genesis: +____________________________________________________________ + + In the beginning, all long distance calls were connected manually by +operators who passed on the called number verbally to other operators in +series. This is because pulse (aka rotary) digits are created by causing +breaks in the DC current (see Basic Telcom V). Since long distance calls +require routing through various switching equipment and AC voice amplifiers, +pulse dialing cannot be used to send the destination number to the end local +office (CO). + + Eventually, the demand for faster and more efficient long distance (LD) +service caused Bell to make a multi-billion dollar decision. They had to create +a signaling system that could be used on the LD Network. Basically, they had +two options: + +[1] To send all the signaling and supervisory information (ie, ON & OFF +HOOK) over separate data links. This type of signaling is referred to as +out-of-band signaling. + -or- +[2] To send all the signaling information along with the conversation +using tones to represent digits. This type of signaling is referred to as +in-band signaling. + + Being the cheap bastard that they naturally are, Bell chose the latter (and +cheaper) method -- IN-BAND signaling. They eventually regretted this, though +(heh, heh)... + +IN-BAND SIGNALING PRINCIPLES: +____________________________________________________________ + + When a subscriber dials a telephone number, whether in rotary or touch-tone +(aka DTMF), the equipment in the CO interprets the digits and looks for a +convenient trunk line to send the call on its way. In the case of a local +call, it will probably be sent via an inter-office trunk; otherwise, it will be +sent to a toll office (class 4 or higher -- see Telcom IV) to be processed. + + When trunks are not being used there is a 2600 Hz tone on the line; thus, +to find a free trunk, the CO equipment simply checks for the presence of 2600 +Hz. If it doesn't find a free trunk the customer will receive a re-order signal + + Page 124 + + + + + The Official Phreaker's Manual + +(120 IPM busy signal) or the "all circuits are busy..." message. If it does +find a free trunk it "seizes" it -- removing the 2600 Hz. It then sends the +called number or a special routing code to the other end or toll office. + + The tones it uses to send this information are called multi-frequency (MF) +tones. An MF tone consists of two tones from a set of six master tones which +are combined to produce 12 separate tones. You can sometimes hear these tones +in the background when you make a call but they are usually filtered out so +your delicate ears cannot hear them. These are NOT the same as touch-tones. + + To notify the equipment at the far end of the trunk that it is about to +receive routing information, the originating end first sends a Key Pulse (KP) +tone. At the end of sending the digits, #he originating end then sends a STart +(ST) tone. Thus to call 914-359-1517, the equipment would send KP + 9143591517 ++ ST in MF tones. When the customer hangs up, 2600 Hz is once again sent to +signify a disconnect to the distant end. + +History: +____________________________________________________________ + + In the November 1960 issue of The Bell System Technical Journal, an article +entitled "Signaling Systems for Control of Telephone Switching" was published. +This journal, which was sent to most university libraries, happened to contain +the actual MF tones used in signaling. They appeared as follows: + +Digit Tones +----- ----- + 1 700 + 900 Hz + 2 700 + 1100 Hz + 3 900 + 1100 Hz + 4 700 + 1300 Hz + 5 900 + 1300 Hz + 6 1100 + 1300 Hz + 7 700 + 1500 Hz + 8 900 + 1500 Hz + 9 1100 + 1500 Hz + 0 1300 + 1500 Hz + KP 1100 + 1700 Hz + ST 1500 + 1700 Hz + 11 (*) 700 + 1700 Hz + 12 (*) 900 + 1700 Hz + KP2 (*) 1300 + 1700 Hz + +(*) Used only on CCITT SYSTEM 5 for special international calling. + + Bell caught wind of blue boxing in 1961 when it caught a Washington state +college student using one. They originally found out about blue boxes through +police raids and informants. In 1964, Bell Labs came up with scanning +equipment, which recorded all suspicious calls, to detect blue box usage. +These units were installed in CO's where major toll fraud existed. AT&T +Security would then listen to the tapes to see if any toll fraud was actually +committed. Over 200 convictions resulted from the project. Surprisingly +enough, blue boxing is not solely limited to the electronics enthusiast; AT&T +has caught businessmen, film stars, doctors, lawyers, college students, high +school students and even a millionaire financier (Bernard Cornfeld) using the +device. AT&T also said that nearly half of those that they catch are +businessmen. + + + Page 125 + + + + + The Official Phreaker's Manual + + Of course, phone phreaks have achieved an almost cult status. They have +also had their fair share of media. In October 1971, Esquire published the +infamous "Secrets of the Little Blue Box" article which featured phreaks such +as Captain Crunch, who took his name from the cereal which one gave away +whistles that produced a perfect 2600 Hz pitch; Joe Engressia, the blind +phreak; and Mark Bernay, one of the nation's first and oldest phreaks. Others +such as Apple computer co-founders Steve Wozniak & Steve Jobs have also had +blue box backgrounds. 1971 also saw the publication of the first issue of YIPL, +the phone phreak newsletter, (now TAP) under the editorship of supreme yippie +Abbie Hoffman. + +Usage: +____________________________________________________________ + + To use a blue box, one would usually make a free call to any 800 number or +distant directory assistance (NPA-555-1212). This, of course, is legitimate. +When the call is answered, one would then swiftly press the button that would +send 2600 Hz down the line. This has the effect of making the distant CO +equipment think that the call was terminated and it leaves the trunk hanging. +Now, the user has about 10 seconds to enter in the telephone number he wished +to dial -- in MF, that is. The CO equipment merely assumes that this came from +another office and it will happily process the call. Since there are no records +(except on toll fraud detection devices!) of these MF tones, the user is not +billed for the call. When the user hangs up, the CO equipment simply records +that he hung up on a free call. + +Detection: +____________________________________________________________ + + Bell has had 20 years to work on detection devices; therefore, in this day +and age, they are rather well refined. Basically, the detection device will +look for the presence of 2600 Hz where it does not belong. It then records the +calling number and all activity after the 2600 Hz. If you happen to be at a +fortress fone, though, and you make the call short, your chances of getting +caught are significantly reduced (see Telcom VI). Incidentally, there have been +rumors of certain test numbers (see Telcom II) that hook directly into trunks +thus avoiding the need for 2600 Hz and detection! + + Another way that Bell catches boxers is to examine the CAMA (Centralized +Automatic Message Accounting) tapes. When you make a call, your number, the +called number, and time of day are all recorded. The same thing happens when +you hang up. This tape is then processed for billing purposes. Normally, all +free calls are ignored. But Bell can program the billing equipment to make note +of lengthy calls to directory assistance. They can then put a pen register +(aka DNR) on the line or an actual full-blown tap. This detection can be +avoided by making short-haul (aka local) calls to box off of. + + It is interesting to note that NPA+555-1212 originally did not return +answer supervision. Thus the calls were not recorded on the AMA/CAMA tapes. +AT&T changed this though for "traffic studies!" + +CCIS: +____________________________________________________________ + + Besides detection devices, Bell has begun to gradually redesign the network +using out-of-band signaling. This is known as Common Channel Inter-office +Signaling (CCIS). Since this signaling method sends all the signaling +information over separate data lines, blue boxing is impossible under it. + + Page 126 + + + + + The Official Phreaker's Manual + + + While being implemented gradually, this multi-billion dollar project is +still strangling the fine art of blue boxing. Of course until the project is +totally complete, boxing will still be possible. It will become progressively +harder to find places to box off of, though. In areas with CCIS, one must find +a directory assistance office that doesn't have CCIS yet. Area codes in Canada +and predominately rural states are the best bets. WATS numbers terminating in +non-CCIS cities are also good prospects. + +Pink Noise: +____________________________________________________________ + + Another way that may help to avoid detection is too add some "pink noise" +to the 2600 Hz tone. Since 2600 Hz tones can be simulated in speech, the +detection equipment must be careful not to misinterpret speech as a disconnect +signal. Thus a virtually pure 2600 Hz tone is required for disconnect. + + Keeping this in mind, the 2600 Hz detection equipment is also probably +looking for pure 2600 Hz or else is would be triggered every time someone hit +that note (highest E on a piano =2637 Hz). This is also the reason that the +2600 Hz tone must be sent rapidly; sometimes, it won't work when the operator +is saying "Hello, hello." It is feasible to send some "pink noise" along with +the 2600 Hz. Most of this energy should be above 3000 Hz. The pink noise +won't make it into the toll network (where we want our pure 2600 Hz to hit) but +it should make it past the local CO and thus the fraud detectors. + +Construction: +____________________________________________________________ + + While step-by-step details for the construction of a blue box is beyond the +scope of this tutorial, it is worthwhile to mention some of the details. + + First there are some alternatives but they are not as good as an actual +blue box. Many computers are capable of generating MF tones. Thus, your local +phriendly software pirate should have a program compatible for your computer. + + However, it is highly advisable not to box from home as stated in The Ten +Commandments (as interpreted for phreaks by Fred Steinbeck -- TAP #86). + +I. Box thou not over thine home telephone wires, for those who doest must +surely bring the full wrath of the Chief Special Agent down upon thy heads. + + Another alternative that has a moderate success rate involves recording the +tones from a phriend with a box or computer onto a cassette tape. They can +then be used at a fortress. + + As for actual construction techniques, TAP has devoted many issues to blue +boxing. Basically, a blue box is merely a device capable of generating two +different tones simultaneously. There are two basic construction methods that I +will outline below for the electronics hobbyist. + + The first involves the use of two 555 timer chips (or a 556 -- i.e., two +555's in one chip). It offers excellent frequency and voltage stability. +Also, it does not need a diode matrix keypad but used double-pole switches +instead. Schematics for this type of box can be found in TAP issue #29. + + The other common box makes use of two Intersil 8038CC Function Generators. +It does require a diode matrix keypad though, potentiometers, an LM-100 voltage + + Page 127 + + + + + The Official Phreaker's Manual + +regulator, a 741 Op-amp, and a handful of other parts. The schematics for this +type of blue box can be found in TAP #26. Both designs draw about 20 ma of +current. + + Also, most blue boxes use telephone earpieces (with the varistor removed) +for speakers. These can be easily liberated from fortress fones with a small +coping saw. + + Usually, the hardest part about building a blue box is the calibration. A +frequency counter is a must and an oscilloscope won't hurt. + + Some boxes also take timing into account. It is feasible on the ESS +systems that they check to see if the digits are of uniform length. If they +aren't, they are probably from a blue box and a trouble card may be dropped. +With this in mind, the Bell standard for MF pulses and interdigit intervals is +around 75 ms. It varies with the equipment used since ESS can handle higher +speeds and doesn't need interdigit intervals. + +Applications: +____________________________________________________________ + + Besides dialing normal calls free, i.e., KP+NPA+NNX+XXXX+ST, blue boxes +offer the entire network for exploration. Emergency break-ins, service +monitoring (aka taps), stacking tandems (the art of busying out all trunks +between two points), re-routing calls, conference calls, and much, much more +are all feasible. Although, Bell frequently changes these codes due to +phreaks. Here are some standard ones, though: + +Operator & Other Codes: +____________________________________________________________ + + (an optional NPA may proceed all of the numbers; otherwise, you will reach +the one local for the area where the call is originated) + +001 -- Trunk Access System +009 -- Rate Quote System +101 -- toll office test board +121 -- INWARD Operator + + This operator assists the local "0" operator in completing calls. (S)he +will do virtually anything for you providing it is within her NPA. + +131 -- Operator Directory assistance +141 -- Rout & Rate +141 defunct -- use KP + 800 + 141 +1212 + ST) + + These operators are very useful if you know how to mumble a few cryptic +phrases as compiled below (with thanks to Fred Steinbeck): To find out.....Area +Codes + + For example say , "Miami, Florida, numbers route, please." The R&R +operator will tell you "305 plus," meaning that 305 plus the seven digit number +will get you Miami. + +... Inward Operator City Codes + + Usually, the INWARD operator for an area is simply KP + NPA + 121 + +ST. In some area codes, though, there are several large cities and thus + + Page 128 + + + + + The Official Phreaker's Manual + +several inwards. To find the inward for a specific city, you would say "916 +756, operator route, please" to the R&R operator who will then tell you "916 +plus 001 plus." This means that KP+ 916 + 001 + 121 + ST will get you an +inward for Sacramento, CA (916-756). + +... City names + + If you want to know the city that corresponds to an area code and +exchange, you simply tell the R&R, "Place name, 914 390, please." In this +example, the R&R operator will respond with "White Plains, NY." + +... International Directory Assistance + + If you need a directory route for London, you could say +"International, London, England. TSPS directory route, please." The R&R +operator will respond with "Directory to London, England. Country code 44 plus +1 plus 986 plus 3611." Therefore to get a DA operator in London, you would +route yourself to an international sender and KP + 04419863611 + ST. + +... Country & City codes + + If you need to know the country and city code for an international +number you can say "International, Sydney, Australia, TSPS numbers route, +please" and get "Country code 61 plus 2." + +... International Inwards Routes + + To get routing codes for international inwards say "International, +London, England, TSPS inward route, please." The R&R Operator will respond with +"Country code 44 plus 121." + + Finally, to get language assistance for completing a foreign call you can +tell the foreign inward, "United States calling. Language assistance in +completing a call to (called party) at (called number)." + +151 -- Overseas incoming (212 +& 914+) +160-XX0 -- Various Overseas Operators +161 -- Trouble reporting operator (defunct) +181 -- Coin Refund Operator +18X -- Overseas senders + + To make an international call, one would KP + 011 + 0CC + ST where CC is +the country code. This will route you to the appropriate overseas sender. You +will then receive a 480 Hz dial tone. Here you enter KP + 0CC + city code + +local number + ST and the call is on its way. + + Country codes can be either 1, 2, or 3 digits but they must be padded for +three digits to create a pseudo-country code with extra zero's if necessary. +For example, England, country code 44, becomes 044. + + To see which international sender a certain country (lets use French +Guiana, country code 594, for example) goes through, you can dial KP + 011 + +594 + ST, wait for the Proceed to Send tone then KP + 000 + 0000 + ST and you +will receive a recording saying which ISC (International Switching Center) it +is. For the example it will say, "This is the international switching center +in Pittsburg, PA -- This is a recording - 4121." You can actually route calls +to certain senders yourself (KP + NPA + 18X + ST) but it is better off not to +since it may look suspicious if a call is sent through a sender that it + + Page 129 + + + + + The Official Phreaker's Manual + +shouldn't go through. Here are the senders: + +182 -- White Plains, NY +183 -- New York, NY +184 -- Pittsburg, PA +185 -- Orlando, FL +186 -- Oakland, CA +187 -- Denver, CO +188 -- New York, NY + + Also, there tends to be alot of talk about the Code 11, Code 12, KP2, STP, +ST3P, & ST2P keys. While they do exist the blue boxer need not concern himself +with them. The first three are used on CCITT System 5. This is the signaling +system that the International Senders use to send information to other +countries. These codes are usually added automatically just like the language +assistance digit [which distinguishes operator (or blue box) dialed calls from +customer dialed calls]. The STP, ST3P, & ST2P tones are used when equipment is +communicating with the TSPS. These also are automatically added when needed in +most cases. + +[see Telcom III for more on International Switching Centers (ISC)] + +11XXX -- miscellaneous operators +11501 -- universal cordboard operator +11511 -- conference operator +11521 -- mobile operator +11531 -- marine operator +11541 -- LD incoming switchboard +11551 -- leave word for time & charges (neat stuff) +11561 -- same as 11551 but for hotel/motels +11571 -- overseas operators (language assistance) + + The 11XXX series is interesting scanning material. + +Miscellaneous Routing Codes : +____________________________________________________________ + + Alliance Teleconferencing has several numbers, a few of which are listed +below: + +KP + 213 080 XXXX + ST +KP + 305 025 XXXX + ST +KP + 312 001 XXXX + ST +XXXX = 1050, 1100, or a few others + + Also, at KP + 317 009 + ST there is a MF tone checker. After the +beep-kerclunk, dial in KP + 999 1234567 890 + ST and it will repeat the digits +that you pulsed if they are of the right frequency. + +Tandem Scanning: +____________________________________________________________ + + To find all sorts of interesting things, you must look. Begin scanning +three digit codes in your area (i.e., KP + 000 + ST, KP + 001 + ST, etc.). Keep +track of all of your results. Sometimes you must probe things, send additional +digits and see what happens, send touch-tone, send it 2600 Hz, rip it apart. +You never know, you may run into something phun, like a computer that checks CC +numbers. + + Page 130 + + + + + The Official Phreaker's Manual + + + Incidentally, in some exchange you can dial inwards and other box codes +directly! For example, 914-121-1111 will get you a NY inward. The only problem +is that a 0 or 1 as the first digit of the exchange is usually *prohibited in +customer dialing. Somebody may have "accidentally" changed this screening code +on your ESS's computer, though -- you never know and it can't hurt to try. +WATS translation numbers also take up some of the 0XX & 1XX codes. + + Finally, certain tones on the blue box can also be used for other purposes. +An MF "2" corresponds to COIN COLLECT while "KP" corresponds to COIN RETURN. +Thus every blue box is also a green box (see Telcom VI). + +Coming soon: + +Telcom VIII will deal with cordless phones, mobile phones, and other neat +things. + +Be careful and have phun, + +*****BIOC +*=$=*Agent +*****003 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 131 + + + + + The Official Phreaker's Manual + +The Mark Tabas encounter series presents: + + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + Better Homes and Blue Boxing + + Part I + + Theory of Operation + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + To quote Karl Marx, blue boxing has always been the most noble form of +phreaking. As opposed to such things as using an MCI code to make a free fone +call, which is merely mindless pseudo-phreaking, blue boxing is actual +interaction with the Bell System toll network. It is likewise advisable to be +more cautious when blue boxing, but the careful phreak will not be caught, +regardless of what type of switching system he is under. + + In this part, I will explain how and why blue boxing works, as well as where. +In later parts, I will give more practical information for blue boxing and +routing information. + + To begin with, blue boxing is simply communicating with trunks. Trunks must +not be confused with subscriber lines (or "customer loops") which are standard +telefone lines. Trunks are those lines that connect central offices. Now, when +trunks are not in use (i.e., idle or "on-hook" state) they have 2600Hz applied +to them. If they are two-way trunks, there is 2600Hz in both directions. When a +trunk IS in use (busy or "off-hook" state"), the 2600Hz is removed from the +side that is off-hook. The 2600Hz is therefore known as a supervisory signal, +because it indicates the status of a trunk; on hook (tone) or off-hook (no +tone). Note also that 2600Hz denoted SF (single frequency) signalling and is +"in-band." This is very important. "In-band" means that is is within the band +of frequencies that may be transmitted over normal telefone lines. Other SF +signals, such as 3700Hz are used also. However, they cannot be carried over the +telefone network normally (they are "out-of-band") and are therefore not able +to be taken advantage of as 2600Hz is. + + Back to trunks. Let's take a hypothetical phone call. You pick up your fone +and dial 1+806-258-1234 (your good friend in Armarillo, Texas). For ease, we'll +assume that you are on #5 Crossbar switching and not in the 806 area. Your +central office (CO) would recognize that 806 is a foreign NPA, so it would +route the call to the toll centre that serves you. [For the sake of accuracy +here, and for the more experienced readers, note that the CO in question is a +class 5 with LAMA that uses out-of-band SF supervisory signalling]. Depending +on where you are in the country, the call would leave your toll centre (on more +trunks) to another toll centre, or office of higher "rank". Then it would be +routed to central office 806-258 eventually and the call would be completed. +Illustration: + +A---CO1-------TC1------TC2----CO2----B + +A=you +CO1=your central office +TC1=your toll office. +TC2=toll office in Amarillo. +CO2=806-258 central office. +B=your friend (806-258-1234) + + In this situation it would be realistic to say that CO2 uses SF in-band + + Page 132 + + + + + The Official Phreaker's Manual + +(2600Hz) signalling, while all the others use out-of-band signalling (3700Hz). +If you don't understand this, don't worry too much. I am pointing this out +merely for the sake of accuracy. The point is that while you are connected to +806-258-1234, all those trunks from YOUR central office (CO1) to the 806-258 +central office (CO2) do *NOT* have 2600Hz on them, indicating to the Bell +equipment that a call is in progress and the trunks are in use. + + Now let's say you're tired of talking to your friend in Amarillo +(806-258-1234) so you send a 2600Hz down the line. This tone travels down the +line to your friend's central office (CO2) where it is detected. However, that +CO thinks that the 2600Hz is originating from Bell equipment, indicating to it +that you've hung up, and thus the trunks are once again idle (with 2600Hz +present on them). But actually, you have not hung up, you have fooled the +equipment at your friend's CO into thinking you have. Thus,it disconnects him +and resets the equipment to prepare for the next call. All this happens very +quickly (300-800ms for step-by-step equipment and 150-400ms for other +equipment). + + When you stop sending 2600Hz (after about a second), the equipment thinks +that another call is coming towards it (e.g. it thinks the far end has come +"off-hook" since the tone has stopped. It could be thought of as a toggle +switch: tone --> on hook, no tone -->off hook. Now that you've stopped sending +2600Hz, several things happen: + +1) A trunk is seized. + +2) A "wink" is sent to the CALLING end from the CALLED end indicating that the +CALLED end (trunk) is not ready to receive digits yet. + +3) A register is found and attached to the CALLED end of the trunk within about +two seconds (max). + +4) A start-dial signal is sent to the CALLING end from the CALLED end +indicating that the CALLED end is ready to receive digits. + +Now, all of this is pretty much transparent to the blue boxer. All he really +hears when these four things happen is a . So, seizure of a +trunk would go something like this: + +1> Send a 2600Hz +2> Terminate 2600Hz after 1-2 secs. +3> [beep][kerchunk] + + Once this happens, you are connected to a tandem that is ready to obey your +every command. The next step is to send signalling information in order to +place your call. For this you must simulate the signalling used by operators +and automatic toll-dialing equipment for use on trunks. There are mainly two +systems, DP and MF. However, DP went out with the dinosaur , so I'll only +discuss MF signalling. MF (multi-frequency) signalling is the signalling used +by the majority of the inter- and intra-lata network. It is also used in +international dialing known as the CCITT no.5 system. + + MF signalling consists of 7 frequencies, beginning with 700Hz and separated +by 200Hz. A different set of two of the 7 frequencies represent the digits 0 +thru 9, plus an additional 5 special keys. The frequencies and uses are as +follows: + +Frequencies (Hz) Domestic Int'l + + Page 133 + + + + + The Official Phreaker's Manual + +-------------------------------------- + 700+900 1 1 + 700+1100 2 2 + 900+1100 3 3 + 700+1300 4 4 + 900+1300 5 5 +1100+1300 6 6 + 700+1500 7 7 + 900+1500 8 8 +1100+1500 9 9 +1300+1500 0 0 + 700+1700 ST3p Code 11 + 900+1700 STp Code 12 +1100+1700 KP KP1 +1300+1700 ST2p KP2 +1500+1700 ST ST + + The timing of all the MF signals is a nominal 60ms, except for KP, which +should have a duration of 100ms. There should also be a 60ms silent period +between digits. This is very flexible, however, and most Bell equipment will +accept outrageous timings. + + In addition to the standard uses listed above, MF pulsing also has expanded +usages known as "expanded inband signalling" that include such things as coin +collect, coin return, ringback, operator attached, and operator released. KP2, +code 11, and code 12 and the ST_ps (STart "primes") all have special uses which +will be mentioned only briefly here. + + To complete a call using a blue box, once seizure of a trunk has been +accomplished by sending 2600Hz and pausing for the , one must +first send a KP. This readies the register for the digits that follow. For a +standard domestic call, the KP would be followed by either 7 digits (if the +call were in the same NPA as the seized trunk) or 10 digits (if the call were +not in the same NPA as the seized trunk). [Exactly like dialing a normal fone +call]. Following either the KP and 7 or 10 digits, a STart is sent to signify +that no more digits follow. Example of a complete call: + +1> Dial 1-806-258-1234 +2> wait for a call-progress indication (such as ring, busy, recording, etc.) +3> Send 2600Hz for about 1 second. +4> Wait for about 2 seconds while a trunk is seized. +5> Send KP+305+994+9966+ST + + The call will then connect if every-thing was done properly. Note that if a +call to an 806 number were being placed in the same situation, the area code +would be omitted and only KP+ seven digits+ST would be sent. + + Code 11 and code 12 are used in international calling to request certain +types of operators. KP2 is used in international calling to route a call other +than by way of the normal route, whether for economic or equipment reasons. + + STp, ST2p, and ST3p (prime, two prime, and three prime) are used in TSPS +signalling to indicate calling type of call (such as coin-direct dialed). + + This has been Part I of Better Homes and Blue Boxing. I hope you enjoyed and +learned from it. If you have any questions, comments, threats or insults, +please fell free to drop me a line. If you have noticed any errors in this text +(yes, it does happen), please let me know and perhaps a correction will be in + + Page 134 + + + + + The Official Phreaker's Manual + +order. Part II will deal mainly with more advanced principles of blue boxing, +as well as routings and operators. + + Note 1: other highly trunkable areas include: 816,305,813,609,205. I +personally have excellent luck boxing off of 609-953-0000. Try that if you have +any trouble. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 135 + + + + + The Official Phreaker's Manual + + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + Better Homes and Blue Boxing + + Part II + + Practical Applications + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +(It is assumed that the reader has read and understood Part I of this series). + + The essential purpose of blue boxing in the beginning was merely to receive +toll services free of charge. Though this can still be done, blue boxing has +essentially outlived its usefulness in this area. Modern day "extenders" and +long distance services provide a safer and easier way to make free fone calls. +However, you can do things with a blue box that just can't be done with +anything else. For ordinary toll-fraud, a blue box is impractical for the +following reasons: + +1. Clumsy equipment required (blue box or equivalent) +2. Most boxed calls must be made through an extender. Not for safety reasons, +but for reasons I'll explain later. +3. Connections are often sacrificed because considerable distances must be +dialed to cross a seizable trunk, in addition to awkward routing. + + As stated in reason #2, boxed calls are usually made through an extender. +This is for billing reasons. If you recall from Part i, 2600Hz is used as a +"supervisory" signal. That is, it signals the status of a trunk--"on-hook" or +"off-hook." When you seize a trunk (by briefly sending 2600Hz), your end (the +CALLING end) goes on hook for the duration of the 2600Hz and then goes off-hook +once again when the 2600Hz is terminated. The CALLED end recognizes that a +call is on the way and attaches a register, which interprets the digits which +are to be sent. Now, understand that even though your end has come off-hook (no +2600Hz present), the other end is still on-hook. You may wonder then, why, if +the other end (the CALLED end) is still on-hook, there is no 2600Hz coming the +other way on the trunk, when there should be. This is correct. 2600Hz *IS* +present on the trunk when you seize it and afterwards, but you cannot hear it +because of a Band Elimination Filter (BEF) at your central office. + + Back to the problem. Remember that when you seize a trunk, 2600Hz is indeed +coming the other way on the trunk because the CALLED end is still on-hook, but +you don't actually hear it because of a filter. However, the Bell equipment +knows it's there (they can "hear" it). The presence of the 2600Hz is telling +the billing equipment that your call has not yet been completed (i.e., the +CALLED end is still on-hook). When finally you do connect with your boxed call, +the 2600Hz from the called end terminates. This tells the billing equipment +that someone picked up the fone at the CALLED end and you should begin to be +billed. So you do start to get billed, but for the call to the trunk, NOT the +boxed call. Your billing equipment thinks that you've connected with the number +you used to seize the trunk. Illustration: + +1. You call 1+806-258-2222 (directly) +2. Status of trunks: + +<-----------------------------------> +(You) 806-258-2222 +No 2600Hz-------> <------------2600Hz + + When you seize a trunk (before the number you called answers) there is no + + Page 136 + + + + + The Official Phreaker's Manual + +affect on your billing equipment. It simply thinks that you're still waiting +for the call to complete (the CALLED end is still on-hook; it is ringing, busy, +going to recorder or intercept operator. + + Now, let's say that you've seized a trunk (806-258-2222) and for example, +KP+314+949+1705+ST. The call is routed from the tandem you seized to: +314-949-1705. Illustration: + +<------------------>O<---------------> +(You) 806 314-949 + tandem +No 2600Hz----------> <----------2600Hz + + Note that the entire path towards the right (the CALLED end) has no 2600Hz +present and is therefore "off-hook." The entire path towards the left (the +CALLING end) does have 2600Hz present on it, indicating that the CALLED end has +not picked up (or come "off-hook"). When 314-949-1705 answers, "answer +supervision" is given and the 2600Hz towards the left (the CALLING end) +terminates. This tells your billing equipment, which thinks that you're still +waiting to be connected with 806-258-2222, that you've finally connected. +Billing then begins to 806-258-2222. Not exactly an auspicious beginning for an +aspiring young phone phreak. + + To avoid this, several actions may be taken. As previously mentioned, one may +avoid being charged for the number called to seize a trunk by using an extender +(in which case the extender will get billed). In some areas, boxing may be +accomplished using an 800 number, generally in the format of 800-858-xxxx (many +Amarillo numbers) or 800-NN2-xxxx (special intra-state class in-WATS numbers). +However, boxing off of 800 numbers is impossible in many areas. In my area, +Denver, I am served by #1A ESS and it is impossible for me to box off of any +800 number. + + Years ago, in the early days of blue boxing (before my time), phreaks often +used directory assistance to box off of because they were "free" long distance +calls. However, because of competitive long distance companies, directory +assistance surcharges are now $0.50 in many areas. It is additionally advised +that directory assistance numbers not be used to box from because of the +following: + + Average DA calls last under 2 minutes. When you box a call, chances are that +it will last considerably longer. Thus, the Bell billing equipment will make a +note of calls to directory assistance that last a long time. A call to a +directory assistant lasting for 4 hours and 17 minutes may appear somewhat +suspicious. + + Although the date, time, and length of a DA call do not appear on the bill, +it is recorded on AMA tape and will trip a trouble report if it were to last +too long. This is how most phreaks were discovered in the old days. Also, +sometimes too many calls lasting too long to one 800 number may raise a few +eyebrows at the local security office. + + Assuming you can complete a blue box call, the following are listed routings +for various Bell internal operators. These are in the format of KP+NPA+ +special routing+1X1+ST, which I will explain later. The 1X1 is the actual +operator routing, and NPA and NPA+ special routing are used for out-of-area +code calls and out-of-area code calls requiring special routing, respectively. + +KP+101+ST ...... Toll test board. + + Page 137 + + + + + The Official Phreaker's Manual + +KP+121+ST ...... Inward Operator. +KP+131+ST ...... Directory assistance. +KP+141+ST ...... was rate & route. Now only works in 312, 815, 717, and a few +others. It has been replaced with a universal rate & route number +800+141+1212. +KP+151+ST ...... Overseas completion operator (inbound). Works only in certain +NPAs, such as 303. +KP+181+ST ...... In some areas, toll station for small towns. + + Thus, if you seize a trunk in 806 NPA and wanted an inward (in 806), then you +would dial KP+121+ST. If you wanted a 312 inward and were dialing on an 806 +trunk, an area code would be required. Thus, you would dial KP+312+121+ST. +Finally, some places in the network require special routing, in addition to an +area code. An example is Franklin Park, Ill. It requires a special routing of +032. For this, you would dial KP+312+032+121+ST for a Franklin Park inward +operator. + + Special routings are in the format of 0XX. They are used primarily for load +balance, so that traffic flow may be evenly distributed. About half of the +exchanges in the network require special routing. Note that special routings +are NEVER EVER EVER used to dial normal telephone numbers, only operators. + + Operator functions: + +TOLL TEST BOARD- Generally a cordboard position that assists in trunk testing. +They are not used by operators, only switchmen. + +INWARD- Assists the normal TSPS (0+) operator in completing calls out of the +TSPS's area. Also, inwards perform emergency interrupts when the number to be +interrupted is out of the area code of the original (TSPS) operator. For +example, a 303 operator has a customer that needs an emergency interrupt on +215-647-6969. The 303 operator gets the routing for the inward that covers +215-647, since she cannot do the interrupt herself. The routing is found to be +only 215+ (no special routing required). So, the 303 operator keys +KP+215+121+ST. An inward answers and the 303 says to her, "Inward, this is +Denver. I need an emergency interrupt on 215-647-6969. My customer's name is +Mark Tabas." The inward will then do the interrupt (off the line, of course). +If the number to be interrupted had required special routing, such as, say, +312-456-1234 (spec routing 032), then the 303 operator would dial +KP+312+032+121+ST for the inward to do that interrupt. + +DIRECTORY ASSISTANCE- These are the normal NPA+555+1212 operators that assist +customers with obtaining telefone directory listings. Not much toll-fraud +potential here, except maybe $0.50. + +RATE AND ROUTE- These operators are reached by dialing KP+800+141+1212+ST. +They assist normal (TSPS) operators with rates and routings (thus the name). +The only uses I typically have for them are the following: + + 1. Routing- + Information- In the above example, when the 303 operator needed to dial +an inward that served 215-647, she needed to know if any special routing was +required and, if so, what it was. Assuming she would use rate and route, she +would dial them and say nicely, "Operator's route, please, for 215-647." Rate & +route would respond with "215 plus." This means that the operator would dial +KP+215+121+ST to reach the inward that serves 215-647. If there were special +routing required, such as in 312-456, rate & route would respond with "312 plus +032 plus." In that case, the operator would dial KP+312+032+ST for the inward + + Page 138 + + + + + The Official Phreaker's Manual + +that serves 312-456. + + It is good practice to ask for "operator's route" specifically, as there are +also "numbers route" and "directory routes." If you do not specifically ask for +operator's route, rate & route will generally assume that is what you want +anyway. + +"Numbers" route refers to overseas calls. Example, you want to know how to +reach a number in Geneva, Switzerland (and you already have the number). You +would call routing and say "Numbers route, please, Geneva, Switzerland." The +operator would respond with: "Mark 41+22. 011+041+ST (plus) 041+22" The "Mark +41+22" has to do with billing, so disregard it. The 011+041 is access to the +overseas gateway (to be discussed in Part iii) and the 041+ 22+ is the routing +for Geneva from the overseas sender. + +"Directory" routings are for directory assistance overseas. Example: you want a +DA in Rome, Italy. You would call rate & route and say, "Directory routing +please, for Rome, Italy." They would respond with "011+039+ST (plus) 039+1108 +STart." As in the previous example, the 011+039 is access to the overseas +gateway. The 039+1108 is a directory assistant in Rome. + + 2. Nameplace information- Rate & Route will give you the location of an NPA+ +exchange. Example: "Nameplace please, for 215-648." The operator would respond +with "Paoli, Pennsylvania." This isn't especially useful, since you can get the +same information (legally) by dialing 0, but using rate & route is often much +faster and it avoids having to hang up when you are already on a trunk. + +*NOTE* On Rate & Route: As a blue boxer, always ask for "IOTC" routings. +(e.g., "IOTC operator's route", "IOTC numbers route", etc.) This tells them +that you want cordboard-type routings, not TSPS, because a blue boxer is +actually just a cordboard position (that Bell doesn't know about). + +OVERSEAS COMPLETION +OPERATOR (inbound)- These operators (KP+151+ST) assist in the completion of +calls coming in to the United States from overseas. There are KP+151+ST +operators only in a few NPAs in the country (namely 303). To use one, you would +seize a trunk and dial KP+303+151+ST. Then you would tell the operator, for +example, "This is Bangladesh calling. I need U.S. number 215-561-0562 please." +[in a broken Indian accent]. She would connect you, and the bill would be sent +to Bangladesh (where I've been billing my KP+151+ST calls for two years). + +Other internal Bell Operators. + +KP+11501+ST ...... universal operator +KP+11511+ST ...... conference op +KP+11521+ST ...... mobile op +KP+11531+ST ...... marine op +KP+11541+ST ...... long distance terminal +KP+11551+ST ...... time & charges op +KP+11561+ST ...... hotel/motel op +KP+11571+ST ...... overseas (outbound) op + + These 115X1 operators are identical in routing to the 1X1 operators listed +previously, with one exception. If special routing is required (0XX), then the +trailing 1 is left off. + +Examples: + + + Page 139 + + + + + The Official Phreaker's Manual + +A 312 universal op ... KP+312+11501+ST +A Franklin Park (312-456) universal op (special routing 032 required)........ +KP+312+032+1150+ST [The trailing 1 of 11501 is left off]. + +Purposes of 115X1 operators. + +UNIVERSAL- Used for collect/callback calls to coin stations. + +CONFERENCE- This is a cordboard conference operator who will set up a +conference for a customer on a manual operation basis. + +MOBILE- Assists in completion of calls to mobile (IMTS) type telefones. + +MARINE- Assists in completion of calls to ocean going vessels. + +LONG DISTANCE TERMINAL- Now obsolete.Was used for completion of long distance +calls. + +TIME & CHARGES- Will give exact costs of calls. Used to time calls and inform +customer of exactly how much it cost. + +HOTEL/MOTEL- Handles calls to/from hotels and motels. + +OVERSEAS +COMPLETION (outbound)- assists in completion of calls to overseas points. Only +works in some, if any NPAs, because overseas assistance has been centralized to +IOCC (covered in Part III). + + Note that all KP+1X1+ST and KP+115X1+ST operators automatically assume that +you are a TSPS or cordboard operator assisting a customer with a call. DO NOT +DO ANYTHING TO JEOPARDIZE THIS! If you do not know what to do, don't call these +operators! Find out what to do first. + + This concludes Part II. There is one final part in which I will explain +overseas dialing, IOCC (International Overseas Completion Centre), RQS +(Rate/Quote System), and some basic scanning. + + + + + + + + + + + + + + + + + + + + + + + + Page 140 + + + + + The Official Phreaker's Manual + + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + Better Homes and Blue Boxing + + Part III + + Advanced Signalling +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +(It is assumed that the reader has read and understood parts i & ii before +proceeding to this part). + + In Parts I & II, I covered basic theory and domestic signalling and +operators. In this part I will explain overseas direct boxing, the IOCC, the +RQS, and some basic scanning methods. + +Overseas Direct Boxing. + + Calling outside of the United States and Canada is accomplished by using an +"overseas gateway." There are 7 over-seas gateways in the Bell System, and each +one is designated to serve a certain region of the world. To initiate an +overseas call, one must first access the gateway that the call is to be sent +on. To do this automatically, decide which country you are calling and find its +country code. Then, pad it to the left with zeros as required so it is three +digits. [Add 1, 2, or 3 zeros as required]. + +Examples: + +Luxembourg (352) is 352 (stays the same) +Spain (34) becomes 034 (1 zero added) +U.S.S.R. (7) becomes 007 (2 zeros added) + + Next, seize a trunk and dial KP+011+ CC+ST. Note that CC is the three digit +padded country code that you just determined by the above method. [For +Luxembourg, dial KP+011+352+ST, Spain KP+011+034+ST, and the U.S.S.R. KP+011+ +007+ST]. This is done to route you to the appropriate overseas gateway that +handles the country you are dialing. Even though every gateway will allow you +to dial every dialable country, it is good practice to use the gateway that is +designated for the country you are calling. + + After dialing KP+011+CC+ST (as CC is defined above) you should be connected +to an overseas gateway. It will acknowledge by sending a wink (which is audible +as a and a dial tone. Once you receive international dial +tone, you may route your call one of two ways: a) as an operator-originated +call, or b) as a customer-originated call. To go as a operator-originated call, +key KP+ country code (NOT padded with zeros)+ city code+number+ST. You will +then be connected, providing the country you are calling can receive +direct-dialed calls. The U.S.S.R. is an example of a country that cannot. + +Example of a boxed int'l call: + +To make a call to the Pope (Rome, Italy), first obtain the country code, which +is 39. Pad it with zeros so that it is 039. Seize a trunk and dial +KP+011+039+ST. Wait for sender dial tone and then dial KP+39+6+6982+ST. 39 is +the country code, 6 is the city code, and 6982 is the Pope's number in Rome. To +go as an operator-originated call, simply place a zero in front of the country +code when dialing on the gateway. Thus, KP+0+39+6+6982+ST would be dialed at +sender dial tone. Routing your call as operator-originated does not affect much +unless you are dialing an operator in a foreign country + + Page 141 + + + + + The Official Phreaker's Manual + + + To dial an operator in a foreign country, you must first obtain the operator +routing from rate & route for that country. Dial rate & route and if you're +trying to get an operator in Yugoslavia, say nicely, "IOTC Operator's route, +please, for Yugoslavia." [In larger countries it may be necessary to specify a +city]. Rate & route will respond with, "38 plus 11029". So, dial your overseas +gateway, KP+011+038+ST, wait for sender dial tone, and key KP+0+38+11029+ST. +You should then get an operator in Yugoslavia. Note that you must prefix the +country code on the sender with a 0 because presumably only an operator here +can dial an operator in a foreign country. + + When you dial KP+011+CC+ST for an overseas gateway, it is translated to a +3-digit sender code of the format 18X, depending on which sender is designated +to handle the country you are dialing. The overseas gateways and their 3-digit +codes are listed below. + +182 ..... White Plains, NY +183 ..... New York, NY +184 ..... Pittsburg, PA +185 ..... Orlando, FL +186 ..... Oakland, CA +187 ..... Denver, CO +188 ..... New York, NY + + Dialing KP+182+ST would get you the sender in White Plains, and KP+183+ST +would get the sender in NYC, etc., but the KP+011+CC+ST is highly suggested (as +previously mentioned). To find out what sender you were routed to after dialing +KP+011+CC+ST, dial (at int'l dial tone): KP+0000000+ST. + + If you have difficulty in reaching a sender, call rate and route and ask for +a numbers route for the country you're dialing. Sometimes, KP+011+ padded +country code+ST will not work. I have found this in many 3-digit country +codes. Luxembourg, country code 352, for example, should be KP+011+352+ST +theoretically. But it is not. In this case, dial KP+011+ 003+ST for the +overseas gateway. If you have trouble, try dialing KP+00+ first digit of +country code+ST, or call rate The IOCC. + + Sometimes when you call rate and route and ask for an "IOTC numbers route" or +"IOTC operators route" for a foreign country, you will get something like +"160+700" (as in the case of the Soviet Union). This means that the country is +not dialable directly and must be handled through the International Overseas +Completion Centre (IOCC). For an IOCC routing, pad the country code to the +RIGHT with zeros until it is 3 digits. Then KP+160 is dialed, plus the padded +country code, plus ST. Examples: + +The U.S.S.R. (7) ...... KP+160+700+ST +Japan (81) ............ KP+160+810+ST +Uraguay (598) ......... KP+160+598+ST + + You will then be routed to the IOCC in Pittsburg, PA, who will ask for +country, city, and number being dialed. Many times they will ask for a +ringback [thanks to Telenet Bob] so have a loop ready. They will then place the +call and call you back (or sometimes put you through directly). Some calls, +such as to Moscow, take several hours. + +The Rate Quote System (RQS). + + The RQS is the operator's rate/quote system. It is a computer used by TSPS + + Page 142 + + + + + The Official Phreaker's Manual + +(0+) operators to get rate and route information without having to dial the +rate and route operator. In Part ii, I discussed getting an inward routing for +dialing-assistance and emergency interrupts from the rate and route operators +(KP+800+141+1212+ST). The same information is available from RQS. Say you want +the inward routing for 305-994. You would seize a trunk and dial KP+009+ST (to +access the RQS). Sometimes, if you seize a trunk in an NPA not equipped with +RQS, you need to dial an NPA that is equipped with RQS first, such as 303. +Anyway, after you dial KP+009+ST or KP+303+009+ST, you will receive a wink +() and then RQS dial tone. At RQS dial tone, for an inward +routing for 305-994 you would dial KP+06+305+994+ST. That is, +KP+06+NPA+exchange+ST. RQS will respond with "305 plus 033 plus". This means +you would dial KP+305+033+121+ST for an inward that services 305-994. If no +special routing were required, RQS would have responded with "305 plus" and you +would simply dial: KP+305+121+ST for an inward. + + Another RQS feature is the echo feature. You can use it to test your blue +box. Dial RQS (KP+009+ST) and then key KP+07+1234567890+ST. RQS will respond +with voice identification of the digits it recognized, between the KP+07 and +ST. + + RQS can also be used for rates and directory routings, but those are seldom +needed, so they have been omitted here. + +Simple Scanning. + + If you're interested in scanning, try dialing on a trunk, routings in the +format of KP+11XX1+ST. Begin with 11001 and scan to 11991. There are lots of +interesting things to be found there, as Doctor Who (413 area) can tell you. +Those 11XX1 routings can also be prefixed with an NPA, so if you want to scan +area code 212, dial KP+212+ 11XX1+ST. + + There, now you know as much about blue boxing as most phreaks. If you read +and understand the material, and put aside preconceived ideas of what blue +boxing is that you may have acquired from inexperienced people or other +bulletin boards, you should be well on you way to an enlightening career in +blue boxing. If you follow the guidelines in Part I to box, you should have no +problem with the fone company. Comments made by "phreaks" on bulletin boards +that proclaim "tracing" of blue boxers are nonsense and should be ignored +(except for a passing chuckle). + +NOTE 1: CCIS and the downfall of blue boxing. + +CCIS stands for Common Channel Inter-office Signalling. It is a signalling +method used between electronic switching systems that eminiates the use of +2600Hz and 3700Hz supervisory signals, and MF pulsing. This is why many places +cannot be boxed off of; they employ CCIS, or out-of-band signalling, which will +not respond to any tones that you generate on the line. Eventually, all +existing toll equipment will be upgraded or replaced with CCIS or T-carrier. In +this case, we'll all be boxing with microwave dishes. Until then (about 1995 by +current BOC/AT&T estimates), have fun! + +If you have ANY questions about this text, please feel free to drop me a line. +I will respond to all mail, messages, etc. Insults are also welcomed. And if +you discover anything interesting scanning, be sure to let me know. + +Mark Tabas +$LOD$ + + + Page 143 + + + + + The Official Phreaker's Manual + +This text was prepared in full by Mark Tabas for: + +K.A.O.S. +Philadelphia, PA. +[215-465-3593]. + +Any sysop may freely download this text and use it on his/her BBS, provided +that none of it be altered in any way. + +Technical acknowledgements: + +Karl Marx, X-Man, High-Rise Joe, Telenet Bob, Lex Luthor, TUC, John Doe, Doctor +Who (413 area), The Tone Sweep, Mr. Silicon, K00L KAT, The Glump. + +References: + +1. Notes on the BOC Intra-LATA Networks Bell System publication, 1983. +2. Notes on the Network Bell System publication, 1983. +3. Engineering and Operations in the Bell System Bell System publication, +1983. +4. Notes on Distance Dialing Bell System publication, 1968. +5. Early Medieval Architecture. +....................................... +(c) February 6, 1900 Mark Tabas +....................................... + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 144 + + + + + The Official Phreaker's Manual + + BY FRED STEINBECK (TAP #88) + + IT SEEMS THAT FEWER AND FEWER PEOPLE HAVE BLUE BOXES THESE DAYS, AND +THAT IS REALLY TOO BAD. BLUE BOXES, WHILE NOT ALL THAT GREAT FOR MAKING FREE +CALLS (SINCE THE TPC CAN TELL WHEN THE CALL WAS MADE, AS WELL AS WHERE IT WAS +TOO AND FROM), ARE REALLY A LOT OF FUN TO PLAY WITH. SHORT OF BECOMING A REAL +LIVE TSPS OPERATOR, THEY ARE ABOUT THE ONLY WAY YOU CAN REALLY PLAY WITH THE +NETWORK. + FOR THE FEW OF YOU WITH BLUE BOXES, HERE ARE SOME PHRASES WHICH MAY +MAKE LIFE EASIER WHEN DEALING WITH THE RATE & ROUTE (R&R) OPERATORS. TO GET +THE R&R OP, YOU SEND A KP + 141 + ST. IN SOME AREAS YOU MAY NEED TO PUT +ANOTHER NPA BEFORE THE 141 (I.E., KP + 213 + 141 + ST), IF YOU HAVE NO LOCAL +R&R OPS. + THE R&R OPERATOR HAS A MYRIAD OF INFORMATION, AND ALL IT TAKES TO GET +THIS DATA IS MUMBLING CRYPTIC PHRASES. THERE ARE BASICALLY FOUR SPECIAL +PHRASES TO GIVE THE R&R OPS. THEY ARE NUMBERS ROUTE, DIRECTORY ROUTE, OPERATOR +ROUTE, AND PLACE NAME. + YOU GET AN R&R AN AREA CODE FOR A CITY, ONE CAN CALL THE R&R OPERATOR +AND ASK FOR THE NUMBERS ROUTE. FOR EXAMPLE, TO FIND THE AREA CODE FOR CARSON +CITY, NEVADA, WE'D ASK THE R&R OP FOR "CARSON CITY, NEVADA, NUMBERS ROUTE, +PLEASE." AND GET THE ANSWER, "RIGHT... 702 PLUS." MEANING THAT 702 PLUS 7 +DIGITS GETS US THERE. + SOMETIMES DIRECTORY ASSISTANCE ISN'T JUST NPA + 131. THE WAY TO GET +THESE ROUTINGS IS TO CALL R&R AND ASK FOR "ANAHEIM, CALIFORNIA, DIRECTORY +ROUTE, PLEASE." OF COURSE, SHE'D TELL US IT WAS 714 PLUS, WHICH MEANS 714 + 131 +GETS US THE D.A. OP THERE. THIS IS SORT OF POINTLESS EXAMPLE, BUT I COULDN'T +COME UP WITH A BETTER ONE ON SHORT NOTICE. + LET'S SAY YOU WANTED TO FIND OUT HOW TO GET TO THE INWARD OPERATOR FOR +SACRAMENTO, CALIFORNIA. THE FIRST SIX DIGITS OF A NUMBER IN THAT CITY WILL BE +REQUIRED (THE NPA AND AN NXX). FOR EXAMPLE, LET US USEM 916 756. WE WOULD CALL +R&R, AND WHEN THE OPERATOR ANSWERED, SAY, "916 756, OPERATOR ROUTE, PLEASE." +THE OPERATOR WOULD SAY, "916 PLUS 001 PLUS." THIS MEANS THAT 916 + 001 + 121 +WILL GET YOU THE INWARD OPERATOR FOR SACRAMENTO. + DO YOU KNOW THE CITY WHICH CORRESPONDS TO 503-640? THE R&R OPERATOR +DOES, AND WILL TELL YOU THAT IT IS HILLSBORO, OREGON, IF YOU SWEETLY ASK FOR +"PLACE NAME, 503 640, PLEASE." + FOR EXAMPLE, LET'S SAY YOU NEED THE DIRECTORY ROUTE FOR SVEG, SWEDEN. +SIMPLY CALL R&R, AND ASK FOR, "INTERNATIONAL, BADEN, SWITZERLAND. TSPS +DIRECTORY ROUTE, PLEASE." IN RESPONSE TO THIS, YOU'D GET, "RIGHT... DIRECTORY +TO SVEG, SWEDEN. COUNTRY CODE 46 PLUS 1170." SO YOU'D ROUTE YOURSELF TO AN +INTERNATIONAL SENDER, AND SEND 46 + 1170 TO GET THE D.A. OPERATOR IN SWEDEN. + INWARD OPERATOR ROUTINGS TO VARIOUS COUNTRIES ARE OBTAINED THE SAME WAY +"INTERNATIONAL, LONDON, ENGLAND, TSPS INWARD ROUTE, PLEASE." AND GET "COUNTRY +CODE 44 PLUS 121." THEREFORE, 44 PLUS 121 GETS YOU INWARD FOR LONDON. + INWARDS CAN GET YOU LANGUAGE ASSISTANCE IF YOU DON'T SPEAK THE +LANGUAGE. TELL THE FOREIGN INWARD, "UNITED STATES CALLING. LANGUAGE ASSISTANCE +IN COMPLETING A CALL TO (CALLED PARTY) AT (CALLED NUMBER)." + R&R OPERATORS ARE PEOPLE ARE PEOPLE TOO, Y'KNOW. SO ALWAYS BE POLITE, +MAKE SURE USE OF 'EM, AND DIAL WITH CARE. + +NOTE: AS A RESULT OF THE BREAK-UP, R&R IS NOW KP+800+141+1212+ST + + + + + + + + + Page 145 + + + + + The Official Phreaker's Manual + + Verification + By Fred Steinbeck + +From TAP issue # 88 10-83 + + There has been a great deal of controversy in the realm of phreakdom over a +mysterious subject known under a number of different names, including +"Verification", "Autoverification", "Verify", "Autoverify", "Verify Busy", and +even "VFY BY". All of these names basically mean the same thing: the ability +to listen to another person's telephone line from any telephone in the +direct-dialable world. + Needless to say, Bell System is very tight lipped about knowledge regarding +verification. Indeed, the infamous book 'Notes on long distance dialing' ('68 +edition) says, "Care must be taken to insure that the customer never gains +verification capabilities." With a printed policy like that, you can imagine +what their real-world policy is like! Even their own rate and route operators +will not give verification on routing codes (at least in my experience), one +even responding, "What?! You must be crazy! We don't give those out!" Before +you get too far into this article, I will state simply: I don't know how to +verify. However, I have been fooling with various things related to it, and +collecting information on it for some time now. Therefore, while I can't do it +(yet), I may be able to point some other bright TAPer on the right track, and +perhaps he or she will show us all how. If you have knowledge not covered in +this article, but don't want to write an article on your own, please send your +ideas, comments, or information to Project Verify, C/O TAP Verify has also +been called "Autoverify", and I have no idea why. This is not, to my +knowledge, a Bell System term (at least I've never seen it in any manuals) As +far as I know, there is verify, which means being able to listen to speech +(kind of; see below) on a line, and there is the "Emergency Interrupt which +allows you to take part in the conversation taking place on the line in +question. It has been suggested that "Autoverify" is the same as an emergency +interrupt , but I tend to disagree with this idea. It should be noted that the +verification circuitry does not actually let an operator listen to a +conversation without making a beep on the line every so often. Instead, she +will hear encrypted speech. However, I believe with the proper methods, verify +can be converted to an emergency interrupt. + Verification is normally done either by your normal "0" (TSPS) operator, if +the call is in your home NPA (HNPA), or by an inward operator (IO). If the +call is outside your HNPA, your normal operator will call the IO for the +NPA,and say, "Verify Busy" or "Emergency Interrupt" please, 555 1212." The IO +will perform whatever magic he or she must, and then report back. If the call +is in your HNPA, though, the "0" operator can do the verification herself by +using the "VFY BY" key on her keyshelf. However, in some areas, the operator +uses a routing code to accomplish verification, and this the is loop hole we +shall attack. + It follows that if a IO or "0" operator can do it, so can we, with a blue box +Now, courtesy of Robert Allen (who brought it to my attention) and Susan +Thunder (who apparently discovered it), here is what used to work for getting +operators to hook you into conversations with other people (i.e.,let you listen +to them till you hung up): You'd call the operator and say "Operator, TSPS +Maintenance Engineer Calling. Ring forward to 001 + NPA + 7d, ring back to my +number, hit ring forward, no AMA, and then position release. + This creates some problems, and you must be familiar with the TSPS +console(by dialing "0"), you are on the "back", or incoming part of a loop. +When she places a call for you, the call goes out on the "forward", or outgoing +part of the loop. If an operator wants to make a call, she punches KP FWD +(keypulse forward), the number, and ST. Ring FWD puts a 90 volt ringing signal +across the forward part of the line (and may dial the number as well). The + + Page 146 + + + + + The Official Phreaker's Manual + +problem arises from the fact that I don't know if Ring FWD will actually dial a +call, and if there is some other subtle difference between it an KP FWD. + Let us assume ringing forward makes a call from the TSPS console to whatever +number is given. Ring back causes your phone to ring (it is assumed you hung +up after giving her your instructions; if you didn't you'd hear an annoying 90 +volts across the earpiece...) "No AMA" means "no automatic message accounting", +so nobody gets billed for the call, although it will show up on a tape +somewhere. "Position Release" removes the operator from the circuit, and +allows her to receive other calls. This leaves an unaccounted-for ring +forward. + The verification circuit, as you know, likes to encrypt conversation, which +is something we don't want. Well, the second Ring FWD sends another 90 volts +crashing against the verify circuitry, which Juda Gerad thinks removes the +voice encryption from the line, puts the operator (and you) in circuit, and +puts a beep tone on the line every five seconds. This seems to make sense, and +I am inclined to agree with him. + The bit about "....001 + NPA + 7D" causes the thought "MF routing code" to +spring immediately to mind. Now, the above trick was supposed to work in the +213 NPA. I have tried both "KP+001+213+7D+ST", and some other area codes. I +generally get nothing, a reorder signal, or a tandem recording. + Here's some food for thought: On an official Telco sheet I have, labeled " +213 NPA MF Routing Codes", 001 is listed as "VFY BY", or verify busy for the +213 NPA. 002 is listed for the 805 NPA. Ma Bell likes to have standardized +routing codes, such logical, then, that 001 would be a sort of "standard" +verify code, and other prefixes would be tacked on at 002,003, etc. However, I +have heard from a retired operator that verification codes are different from +area to area, and are not always nice numbers like 001, 002. Ah, well, a guy +can hope, can't he? + Some suggestions for future attacks on this dilemma: Everyone call your +operators and subtly ask questions. I have found the tend to give information +out easier if you ask for something that you would ordinarily have to be a +company employee to know about, such as rate steps, operator routings, etc. + Casually let slip that you used to be (or still are) an operator, or that +you work for company security. Also, you might want to blue box some codes +like 001 followed by your NPA and the last 7D of a busy number. If you get a +sort of "whispery noise", try blasting the line with a ringing signal (you +might piggyback another line onto yours and call the piggyback to generate the +90 volts) and see if that does anything. + + + + + + + + + + + + + + + + + + + + + + Page 147 + + + + + The Official Phreaker's Manual + + =================================== + EQUAL ACCESS AND THE AMERICAN DREAM + =================================== + + +by + +Mark Tabas +P.O. Box 620401 +Littleton, CO 80162 + +July 7, 1985 + + + + The American Dream means many things to many people. To the small, typical +businessman, it means building a good, strong business based on hard work and +perseverance; indeed, with nothing limiting his potential but he amount of work +he is willing to put into his business. To a large businessman, the American +Dream means living and working in a country where a single corporation can have +a profit exceeding the gross national product of an entire third world nation. + To the individual, the American Dream is the right to choose -- everything +from one's breakfast cereal to a long-distance service, as well as the formal +right outlined by our founding fathers: those of life, liberty, and the pursuit +of happiness. + To the phone phreak, I think the American Dream is, in a sort of twisted way, +the uninhibited pursuit of knowledge. This quest could scarcely remain +unchecked in many other countries. Analogous to this quest is the thriving of +the Bell System, which until January 1, 1984 consisted of the American +Telephone and Telegraph Company, the largest corporation in the history of the +world. Did the American Dream die on January first or did the divestiture of +AT&T cause a giant step forward for competition and free enterprise in the +United States? I do not know. I do know that the other nations of the world +were amazed that the United States would dissolve the entity that brought the +finest and most universal telephone system in the world, and did so at a time +when the majority of the rest of the world was still using two dixie cups and a +string. + The unfairness of the situation is that AT&T built the telephone system of +this nation and is now being bound and gagged and having its possessions +distributed to others, whom AT&T also wrought. All in the name of fairness, +free competition, and "equal access". Where was was MCI during the century +that AT&T built he communications system of this nation? Well, I believe in +Equal Access, Wholly. And, since I believe in equal access and its +implications for equality for all so strongly, I feel that MCI, Sprint, and +others should take the same amount of time to build their respective toll +networks: 100 years. Therefore, if the United States Justice Department were +truly the fair and just administrator that it portrays itself to be, MCI would +not have a hand in the long-distance cache until about 2080. That's only +fair. + There is no doubt that MCI is a sub-standard organization. They consist of +incompetent employees, inferior equipment, and an inferior marketing strategy. +They are mockingly imitative of AT&T, except in the quality of their service, +which is practically unusable. It is also interesting that with less than 2% +market share, MCI calls itself "the nation's long-distance company." The point +to this diatribe is this. It's time for these long-distance companies such as +MCI and Sprint to grow up. With Equal Access, they are going to become real +long-distance companies, not the joke organizations they are now, and I think +it may just take them one hundred years to do so. + + Page 148 + + + + + The Official Phreaker's Manual + + + ============ + Equal Access + ============ + + Equal Access, as it applies to the telecommunications industry, is "the +requirement that each Bell Operating Company provide exchange access to all +long-distance carriers that is equal in type and quality to that provided AT&T +communications." This is the official provision set forth by the United States +Justice Department in the Modification of the Final Judgment, August 24, 1982. +All this means is that each long-distance-distance company will have "equal +access" to all of the same types of services that AT&T currently enjoys. There +are four types of long-distance carrier services, divided into "feature +groups." They follow. + +FG A: "line side access." This is the standard 7-digit dialup+code (for +billing purposes) +destination telephone number. It is currently in use by +most long-distance carriers. + +FG B: "trunk side access." These are the 950 exchange numbers. They also +utilize an authorization code for billing. As with FG A, automatic number +identification (ANI) (i.e. calling number) is not provided to the carrier, but +will be in the future. + +FG C: "1+ dialing." Currently, only AT&T is able to get this type of +service. It is 1/0+7 of 10 digit direct long distance dialing. ANI (for +billing) is provided. + +FG D: "equal access." This will allow for 1/0+7 or 10 digit direct +long-distance dialing (presubscription carrier) and 10xxx+1/0+7 or 10 digit +long-distance dialing (alternate carrier). ANI for billing is provided at the +long-distance carrier's option. Billing may also be handled by the individual +long distance company or the local Bell Operating Company. + + Feature groups C and D are mutually exclusive (i.e. both cannot exist in a +particular area at the same time). Areas which have Feature Group C (AT&T +long-distance only) are non-Equal Access, and areas which have Feature Group D +(multiple long distance carriers) are Equal Access regions. + Feature Group B, the 950 exchange numbers will be used in areas in which it +is not feasible to provide with Equal Access, such as step-by-step offices +(yes, they CAN have 950 numbers), some crossbar offices, and some independent +telcos, which are not bound by the provisions of Equal Access and may provide +to their customers any type of long-distance service(s) they wish. The 950 +exchange is now active in many areas. It is mainly used as a universal +"roaming" access port for many long-distance carriers, but when an office is +converted to Equal Access, the 950 capability is removed. Thus, in an Equal +Access region, one cannot complete a call to a 950 telephone number. + I personally am looking very forward to Equal Access. My area is not +scheduled for full implementation of it until late 1985 or early 1986, and by +this time many of the alternate long distance carriers' networks will be in +place (or well under way). Think about what Equal Access means. Equality for +all long distance carriers. Access to common facilities, such as: busy-line +verification lines, Bell System information, signalling specifications. etc. +After full implementation of Equal Access, one will be able to take advantage +of and manipulate the services of more than just one carrier. It will no +longer be phreaks vs. AT&T. + When your area is ready to initiate Equal Access, you will receive a notice +in the mail informing you of some of the details of Equal Access, and will ask + + Page 149 + + + + + The Official Phreaker's Manual + +you to specify your choice of "primary carrier." In some cases you will need to +specify both inter-LATA carrier (IC), which handles calls out of your LATA +(Local Access and Transport Area), and an international carrier (INC), which +will handle calls destined for other countries. Recent market studies have +shown that between 80 and 90 per cent of residential customers will continue to +be served by AT&T for their long-distance service after Equal Access. So much +for competition. + You will probably be faced with many long-distance companies to choose from, +including but not limited to: AT&T, MCI, Sprint, ITT, Western Union, Dial U.S., +Call America, TMC, and U.S. Telephone. Whichever you choose will become your +"primary carrier." Your primary carrier will handle your call each time you +pick up you fone and dial 1+7 or 10 digits or 0+7 or 10 digits, inter-LATA +only. That is, if you dial a toll call that is within your LATA, it will be +handled by your local telephone company (Bell), not by your primary carrier, +even though it is a toll call. Let's use an example. The state of Colorado +consists of two LATAs. For this example, I will use three cities in Colorado: +Denver (in LATA1), Sterling (LATA1 also), and Colorado Springs (in LATA2). +Note here that even though Denver ad Sterling are in the same LATA, and Denver +and Colorado Springs are not, Sterling is actually much farther away from +Denver than Colorado Springs. This is because LATA boundaries were designed +giving consideration to high toll-traffic regions, to bring in revenue. Toll +traffic between Denver and Colorado Springs is very high, so the two cities +were placed in separate LATAs (or, more correctly, they were separated by a +LATA boundary). Toll traffic between Denver and Sterling is very low, of the +two cities were allowed to remain in the same LATA. Now, if everyone in +Colorado Springs were to pack up and move to Sterling (though who knows what +the hell for), the LATA boundaries in Colorado would be changed so that Denver +and Sterling were in different LATAs. The primary factor in determining LATAs +is money. + If I made a call to Sterling from my home in Denver, the call would be routed +entirely via Mountain Bell long-distance facilities. No long distance carrier +would be involved because Denver and Sterling are in LATA1. If I made a call +to Kelley, the blonde babe in Colorado Springs, the call would be handled by a +long distance carrier (in this case, AT&T) because Denver is in LATA1 and +Colorado Springs is in LATA2. Here is a table to simplify this: + +Customer dials LATA Carrier +----------------------------------------------------------------- +7 digits same Bell +1+7 digits same Bell +1+7 digits diff LD carrier (currently AT&T) +1+10 digits diff LD carrier (currently AT&T) +----------------------------------------------------------------- + + Note several things here. First, not all areas need to dial a 1 when dialing +any number, local or long distance, but the central offices will still discern +whether the call is in the same LATA as the customer or a different one and +handle the call appropriately. Secondly, some step-by-step offices require a +1+NPA to be dialed for calls within the same LATA and, in fact, all numbers +outside of the office itself. But, for the most part, the above table is +standard for common switching networks. + + ================== + Alternate Carriers + ================== + + Your normal long distance carrier will handle all your toll calls which cross +over LATA boundaries when you dial directly, 1+. If you wish to place your + + Page 150 + + + + + The Official Phreaker's Manual + +call via another carrier's network, whether for cost, quality, or circuit +availability reasons, you may do so in Equal Access regions. To access an +alternate long distance carrier after Equal Access, a customer dials +10xxx+1/0+7 or 10 digit telefone number. Note that xxx is the "carrier access +code (CAC)." A few CACs currently in use are listed below. + +220 ........ Western Union 666 ........ Lexitel +222 ........ MCI 777 ........ Sprint +333 ........ US Telefone 888 ........ SBS +444 ........ Allnet + + Thus, in an Equal Access region, to dial Fred in Orlando, a customer would +dial 1+305+994+9966 to place his call on his primary carrier, or to place it on +another network, he could dial: 10222+1+305+994+9966, and the call would go +over MCI facilities (in this case). Eventually, after many more long distance +services get into the act, there will be a directory of the various long +distance companies and their CACs, and deciding which carrier to use for any +particular call to get the bet rate will be beyond the ability of everyone +except phone phreaks. + + ================ + The 950 Exchange + ================ + + As discussed, the 950 central office exchange is currently a "roaming" access +port for various long distance carriers. In areas that have 950, the access to +carriers is standardized. Thus, someone travelling to several different areas +need only know the 950 number of the carrier he uses to access it from any area +(provided that it have 950 active). Originally, the 950 exchange was designed +to correspond with the 10xx carrier access code used for Equal Access. For +example, 950-1022 would be the same carrier as 1022 (+telephone number). +However, it was later found that the 100 codes available for use as 10xx CACs +would be insufficient to handle he number of long distance carriers. So, the +common carrier access code was increased by one digit, to 10xxx, thus +increasing the number of possible CACs to 1000. To keep the 950 exchange +consistent with the non CAC, the Bell Operating Companies have opted to change +the 950-10xx to 950-0xxx. The xxx in the 950-0xxx remains the same as the xxx +in the 10xxx carrier access code. The new modified 950 numbering pan is now +active in Philadelphia (Bell Atlantic) among other areas. + After Equal Access is well under way, the 950 exchange will be used in +certain areas that cannot be equipped for the standard Equal Access dialing +plans. This includes step-by-step, #1 crossbar, #5 crossbar, #2ESS, and #3ESS +offices. Customers in areas served by these types of switching equipment will +dial 950-0xxx, wait for acknowledgement tone from the carrier, and then dial a +"personal identification number" and destination telefone number,and the call +will be completed on the selected carrier's facilities. Initially, billing +will be handled by the carrier itself, and supervisory information and ANI will +not be provided by the local Bell Operating Company. + There are three main advantages to the 950 central office exchange and +protocol. They are: a) universal access for all areas, b) 950-exchange numbers +are "trunk side access." This means that the long distance carrier has direct +trunks going to it from a Bell toll office or local central office. These +trunks are interoffice lines, not customer type (POTS) lines, and supposedly +insure higher quality of connection. And, c) 950-exchange numbers are toll and +message unit free. On metered-usage (i.e., not "flat rate") customer lines, +they cost nothing. In most areas they are free from coin stations, with +Colorado as one notable exception. + + + Page 151 + + + + + The Official Phreaker's Manual + + ===== + Costs + ===== + + Each long-distance carrier must choose the type(s) of service it wishes to +provide to its customers. These different types of service were outlined +earlier as "Feature Groups." The costs of these Feature Groups vary directly +with the complexity and quality of the service itself. The following table +outlines the cost to the carrier of each available Feature Group. It is based +on the monthly rate per line for 9000 minutes of circuit use, and assumes the +carrier and Bell switch are 15 miles apart. + +FG non-Equal Access Equal Access +-------------------------------------------------------- +A $329.94 $709.20 +B 329.94 721.80 +C 752.40 ** N/A ** +D ** N/A ** 752.40 +-------------------------------------------------------- + + These figures are a lot more significant than they might appear. They +indicate that after Equal Access, in order to compete with the giants such as +AT&T, MCI, etc., smaller long distance companies will use Feature Group A or B +type service in order to provide significantly lower rates to their customers +than companies subscribing to Feature Group D service (like AT&T, MCI, etc). +This will cause a unique type of equilibrium to form. Customers willing to +dial an access number, authorization code, and destination number and put up +with lower quality service will be able to save a lot of money. This seems +faintly reminiscent of pre-Equal Access times.... + + ==================== + Directory Assistance + ==================== + + Each Bell Operating Company will be responsible for providing intra-LATA +operator services. When a customer dials (1)+411 or (1)+555+1212 for local +directory assistance, he will reach a Bell operator who will service requests +for listed numbers within the customer's LATA. Requests for numbers in LATAs +other than the calling customer's may be handled at the discretion of the local +operating company. Initially, the Bell Operating Companies will meet the +responsibility for providing directory assistance services by contracting it to +a long distance carrier or carriers (currently AT&T). All inter-LATA directory +assistance services will be provided by the inter-LATA carrier (IC). ICs may +also provide 800 Enterprise service or other toll free type directory +assistance services. See table. + +================================================================= +Intra-LATA: +================================================================= + HNPA 411/555-1212 BOC + *FNPA NPA+555-1212 BOC + HNPA 10xxx+555-1212 intra-LATA carrier + *FNPA 10xxx+NPA+555-1212 intra-LATA carrier + +================================================================= +Inter-LATA: +================================================================= + HNPA (10xxx)+1+555-1212 IC + + Page 152 + + + + + The Official Phreaker's Manual + + FNPA (10xxx)+1+NPA+555-1212 IC +================================================================= +* When LATA boundaries cross NPA boundaries (rare). +FNPA = Foreign Numbering Plan Area (area code). +HNPA = Home Numbering Plan Area (area code). + + At first glance, the above table appears somewhat complex. But, if you +understand the concept of LATAs and carriers, it is easily understood. +Essentially, all local Bell Operating Companies will maintain their own +directory assistance services. When a customer dials 411 or 555-1212, he will +reach a BOC directory assistant. Additionally, each long distance carrier that +wishes to provide directory assistance to its customers will also have DA +facilities. And, when a customer dials a directory assistant (NPA+555-1212) on +a carrier, he will reach an operator of that particular long distance carrier. +The key here is LATAs. If a customer wants to find a number that is within his +LATA, no long distance carrier is involved. It is handled strictly by the +Local Bell Operating Company. If a customer is seeking a number that is not +within his LATA, he must use the services of an inter-LATA (long-distance) +carrier. + + ====================== + TSPS Operator Services + ====================== + + Traffic Service Position System (TSPS) operator services will be handled much +in the same fashion as directory assistance services, with a few differences. +As with DAs, each Bell Operating Company and each inter-LATA carrier will +maintain its own TSPS operator facilities (or cordboard I suppose, if they +cannot afford TSPS). When a customer dials simply 0 (operator), he will reach +a BOC TSPS operator. The BOC TSPS will be able to handle all types of +intra-LATA operator-assisted traffic including (but not limited to): collect, +third party billing, Bell credit card, coin, verification and emergency +interrupt, and requests for emergency aid. BOC TSPS will be unable to complete +calls for customers outside of the customer's LATA. Thus, inter-LATA operator +assistance will be handled by an inter-LATA carrier TSPS (IC TSPS). An IC TSPS +will handle all previously mentioned types of calls that require inter-LATA +transport (i.e., the call originates and terminates in different LATAs). When +a customer dials 0+NXX-XXXXX or 0+NPA+NXX-XXXX, the central office will +determine if the call is destined for another LATA. If it is not, the call +will be sent to the Bell TSPS for appropriate handling. If the call is bound +for another LATA (and his determination is made based on the NXX or NPA+NXX), +then the call will be sent off to the customer's primary long-distance carrier +(since only 0+ was dialed). If the customer wishes to use a different +carrier's operator services, he would dial 10xxx+0+number, and the carrier +specified by the 10xxx carrier access code would receive the call. Note: if a +customer dials 10xxx+0+number, and the call is an intra-LATA call, he will get +a recording, "We're sorry, the number you dialed cannot be reached with the +carrier access code you dialed. Please check the code and try again or call +your carrier for assistance." (Western Electric KS-22550 central office tape +list no. 46.) Until the Bell Operating Companies can install their own TSPS +facilities and networks, they will (continue to) lease capacity from AT&T TSPS. +That is, AT&T will handle the intra-LATA traffic for the BOCs on a contract +basis. In the meantime, AT&T will continue to handle its own long-distance +operator services while the other inter-LATA carriers will have to implement +their own operator networks from scratch. My estimation is that you won't be +able to dial 10222+0 for an MCI TSPS operator until sometime around the year +2590. And even then they will probably be cordboard. + In addition to the changes in TSPS described above, there will be certain + + Page 153 + + + + + The Official Phreaker's Manual + +modifications to the software and hardware involved in the TSPS operator +system. Most critical, and of paramount importance to the telecommunications +enthusiast is changes in circuit associated signalling (CAS). This is +signalling to and from the TSPS facility. When a customer dials 0 (operator) or +10xxx+0 (IC operator), a succession of events occurs. First, the end office +seizes a trunk to the appropriate operator facility (this assumes that no +access tandem is involved). The operator service facility responds with a wink +(proceed signal) and the end office outpulses the CALLED number (or KP+ST if 0 +only dialed). The operator service (OS) facility will then come off-hook to +signal that it is ready to receive ANI information. The end office outpulses +the ANI information in the format of KP+II+7 digits+ST (or ST'). If there is +ANI failure, a KP+02+ST (or ST') will be sent. "ST'" stands for STart "prime", +and is indicative of a coin call (i.e., dial 0 from a coin station). A normal +ST terminating the ANI sequence means that the call is originating from a +noncoin station. See table for ultimate description. + +Inter-LATA calls MF-pulsed + +type of call customer dials cld num ANI +============================================================ +noncoin: +============================================================ + direct dialed 10xxx+1+7/10d KP+7/10d+ST'' KP+II+7d+ST + operator assist 10xxx+0 KP+ST''' KP+II+7d+ST + special toll 10xxx+0+7/10d KP+7/10d+ST''' KP+II+7d+ST + +============================================================ +coin: +============================================================ + direct dialed 10xxx+1+7/10d KP+7/10d+ST KP+II+7d+ST + operator assist 10xxx+0 KP+ST' KP+II+7d+ST + special toll 10xxx+0+7/10d KP+7/10d+ST' KP+II+7d+ST + +============================================================================= +Intra-LATA calls +============================================================================= +noncoin: +============================================================================= + direct dialed 10xxx+1+7/10d KP+7/10d+ST'' KP+II+7d+ST' + operator assist 10xxx+0 KP+ST''' KP+II+7d+ST' + special toll 10xxx+0+7/10d KP+7/10d+ST''' KP+II+7d+ST' + +============================================================================= +coin: +============================================================================= + direct dialed 10xxx+1+7/10d KP+7/10d+ST KP+II+7d+ST' + operator assist 10xxx+0 KP+ST' KP+II+7d+ST' + special toll 10xxx+0+7/10d KP+7/10d+ST' KP+II+7d+ST' +============================================================================= +Note: ST=Start, ST'=STart prime, ST''=Start double prime, ST'''=STart triple +prime. + + Once again, the above table appears somewhat intimidating in its complexity. +All these STs, ST primes, etc. Actually, the only purpose of the starts is to +distinguish to the TSPS machine exactly what type of call the customer is +placing and from what type of telefone he is calling. "Special toll" calls are +collect, credit card, and third-party billing type calls. Here is an example +of a complete dialing and outpulsing sequence for an operator service call: + + Page 154 + + + + + The Official Phreaker's Manual + +from a coin fone, a customer dials 0+ (or 10xxx+) 303+979-9997. The central +office would seize a trunk to the operator service facility and outpulse: +KP+303+979-9997+ST'. This indicates to the operator service facility that the +call is a special toll call originating from a coin telephone. The OS facility +comes off-hook and the central office would then outpulse KP+00+232+9969+ST. +This is he ANI information, and the ST indicates that the call is inter-LATA +(if it were intra-LATA, the sequence would be terminated with ST' instead). + Perhaps now I should explain screening. Certain telefones are "screened" +against placing certain types of calls. A screening code is a two digit +information carrier. For instance, 00 is "identified line" (no special +treatment), 01 is multiparty ONI (operator number identification), 02 is ANI +failure, 06 is hotel/motel, 07 is coinless (hospital/inmate fone), 08 is +inter-LATA restricted, 68 is hotel inter-LATA restricted, 78 is coinless +(hospital inmate) inter-LATA restricted, etc. A 98 is an AT&T Charge-A-Call +fone (those blue fuckers). More screening codes are allocated as they are +needed. Note that the original TSPS screening design only allowed for single +digit information digits. They were later found to be insufficient. + I believe that the operator services have been adequately covered, so I will +now move on to other aspects of Equal Access. + + ============= + Routing Codes + ============= + + The TTC (terminating toll centre) and special routing codes will continue to +be used in inter-LATA networks. These 0xx and 1xx type codes, which sometimes +precede operator routing codes, will be assigned to various ICs on an +individual basis. When 0xx and 1xx codes serve as pseudo-central office code, +they will be coordinated such that it will avoid IC conflicts. The +Numbering/Dialing Planning Group of the Central Services Organization (sounds +like some sort of Communist governing body) will provide assistance where the +assignment of coordinated codes is necessary. + + ================== + Special Area Codes + ================== + + Special area codes, also called Service Area Codes (SACs) presented the +designers of Equal Access with an interesting problem. SACs are N00 type area +codes, such as 700, 800, and 900. They are used for special services and +unlike normal area codes, are not associated with a particular state or region. +Each long distance carrier will be allocated its own exchanges in each service +area code. Thus, when a customer places a call to a number in a service area +code, the central office will examine the exchange of the telefone number and +route the call over the proper carrier's facilities. The customer will be +totally oblivious to this process. Current SACs include 700 (teleconferencing), +800 (toll free services), and 900 (dial-it services). There are currently +plans under way to implement the 600 area code, although its exact uses are not +yet clear. + + ================ + Signalling to IC + ================ + + Each long distance carrier that wishes to serve a particular LATA must +establish a point of presence (POP) in that LATA. A carrier's POP is a toll +office that receives toll traffic destined for another LATA. A POP is a centre +for inter-LATA transport of toll traffic. This traffic will be directed to it + + Page 155 + + + + + The Official Phreaker's Manual + +from a Bell central office, either an end office or an access tandem (AT). An +access tandem is simply a Bell office which directs long distance traffic from +a number of local end offices to a number of different inter-LATA carriers. To +pass call details (such as called and calling numbers) from the Bell local +office to the inter-LATA carrier, a signalling system was designed that employs +current multifrequency (MF) signalling protocol. When a customer dials +10xxx+(1/0)+(NPA)+NXX+, the end office will seize a trunk to the appropriate IC +as determined by the 10xxx CAC (or primary carrier if no CAC is dialed). Note: +this happens as soon as the customer finishes dialing the exchange, even though +he may still be dialing the last four digits of he telefone number. After the +end office has seized a trunk to the IC, the IC will return a wink, which is +the signal to proceed. Then, the end office will send ANI information, in the +format of: KP+II+10 digit ANI+ST. If the carrier is not to receive ANI +information from the Bell Operating Company (i.e., they are not paying for it), +then only KP+ST is sent. Presumably, by now the customer has completed dialing +the last four digits of the destination telefone number, so the end office will +send: KP+7 or 10 digit CALLED number+ST. Note several things here: 1) The IC +does not send a wink when it is ready to receive CALLED number information. 2) +ANI information is ten digits, plus a two-digit screening code, and 3) The +central office's outpulsing to the IC overlaps the customer's dialing. + Some ANI screening codes include: 00 (identified POTS), 01 (ONI multiparty), +02 (ANI failure), 06 (hotel without room identification), 07 (coinless, +hospital, inmate, etc.), 08 (inter-LATA restriction), 10 (test call), 20 (AIOD +calls, listed DN sent), 27 (coin call), and 95 (test call). These are the same +or similar as the screening codes used in operator service signalling. + In addition to the domestic signalling design outlined above, a new +international signalling system has been designed for use with Equal Access. +It also uses two-stage, overlapping outpulsing. After a customer has completed +dialing (10xxx)+011+CC (CC is country code), the Bell end office will seize a +trunk to he appropriate IC (or international carrier, if direct routing is +available). The IC/INC will respond with a wink, and the end office will +outpulse: KP+1NX+YXX+CCC+ST. Each of these three groups of routing information +indicate something different abut the international call being placed. The 1NX +is the "international system routing code, one for each type of call routing." +I have absolutely no idea what that means, and no one I have talked to at Bell, +AT&T, MCI, CCITT, ITT, the CSO and FCC have any idea either. Next, the YXX is +the carrier routing code. It is actually XXX, Which is the three digits of the +10xxx CAC for the particular carrier being accessed. Finally, CCC is the +country code, padded with a zero if necessary. + One may wonder why the CAC is signalled forward when a trunk is seized +directly to the carrier itself. The reason for this is that in some cases a +direct trunk to the carrier is not available and the call must be routed +through an access tandem, which is responsible for routing calls to a variety +of different long distance carriers. + + ==================== + Switch Compatibility + ==================== + + Full-feature Equal Access will become available first for Western Electric +#1ESS switching systems. It will be available first in generic 1E8 (1AE8 for +#1A ESS). Later, generic 5E2 for #5ESS, generic 2B4 for #2B ESS, generic +BCS-16 for Northern Telecom DMS-100, and generics 209 and 302 for DMS-10 will +provide full-feature Equal Access capabilities in those types of end office +switching equipment. The Western Electric #4ESS, #1 and 1A ESS, #5ESS, and the +Northern Telecom DMS-200 machines which serve as toll offices or access tandems +will be capable of receiving the new Equal Access signalling format, after +required generic development. Other switches (such as all crossbar offices) + + Page 156 + + + + + The Official Phreaker's Manual + +will not be able to handle the new signalling format. + + ===== + LATAs + ===== + + LATAs, Local Access and Transport Areas, are the entire key to the +administration of Equal Access. They can be thought of as miniature area +codes. A telefone call can never cross a LATA boundary except on an inter-LATA +carrier. However, there are certain exceptions to this. For example, in the +state of Colorado, which consists of two LATAs, the local Bell Operating +Company (Mountain Bell), which serves as the intra-LATA (i.e., calls to/from +the same LATA) carrier, may also serve as inter-LATA (to/from different LATAs) +carrier within Colorado. + There are also exceptions in the corridor region of the New York/New +Jersey/Pennsylvania area. + The forty-eight continental United States consist of 161 LATAs. Some states, +such as Deleware, consist of only one LATA, while others, such as Illinois, can +have up to 14 or more. Each LATA is given a name. For instance, Pennsylvania +consists of six LATAs: Philadelphia, Capital, Northeast, Altoona, Pittsburgh, +and Erie (independent telco). + + ============== + A Few Thoughts + ============== + + In 1973, Chrysler, A&P, RCA, Phillips Petroleum, S.S. Kresge, Boeing +Aircraft, International Harvester, Woolworth's, Greyhound, Firestone, Litton, +and General Foods, among others, each reported annual profits of less than $150 +million. In that same year, the Telephone Company wrote off, as being +uncollectable, debts of $150 million. + In 1974, the Bell System had direct interests in at least 276 organizations, +many of them not related to the telefone industry. Bell also had interlocking +financial arrangements with such corporations as the Chase Manhattan Bank, IBM, +Prudential Insurance, Sears Roebuck, General Motors, U.S. Steel, and Lever +Brothers. Should the need have arisen, the Bell System in 1974 could have +exercised control of 400 billion dollars, fully one-third of that year's gross +national product. + +From: Hyde, J. Edward, The Phone Book. Henry Regnery Publishing Company, +Chicago Illinois, 1976. ISBN 0-8092-8008-6. + + There are many viewpoints as to the future course of the telefone industry. +The general consensus among most Telco employees is that the children of AT&T +(i.e., the seven regional holding companies into which the Bell System was +divided) will someday be reassembled into the original Bell System, and all +will be well and good in the world of telecommunications again. I tend to +disagree with this. I think that within three decades the entire telefone +industry will be consolidated and nationalized. It will be owned and operated +entirely by the United States Federal Government. This will accomplish several +goals of the government. First, the immense revenue from telefone services +will provide great financial resources for the federal government. Rates for +telefone services will skyrocket far out of the range of affordability, quality +of service will deteriorate to a point of unusability, and meanwhile +politicians will get rich. + Second, once the government controls the telefone system, monitoring the +general public will become infinitely easier. Big Brother will be able to keep +and eye, or rather, an ear on the general population, and giant step forward in + + Page 157 + + + + + The Official Phreaker's Manual + +ultimate government control of peoples' lives will be achieved. Most people +won't know anything about this, and even if they do, they won't give a shit +because by then the fucking government will have already invaded every +remaining private aspect of the individual's life. + To those who find it utterly unthinkable that the federal government would +ever assume control of the telefone industry, I would call attention to the +situation that existed between 1917 and 1919. During this time the government +controlled the phone system of the United States. J. Edward Hyde sums it up +beautifully: + + Between 1917 and 1919, the Federal Government did control the phone +industry. Since then, the most charitable historians have blamed the +subsequent mess on the First World War. Others blame it on the democrats. But +the fact is that it was a fiasco of the bureaucracy's own making, combined with +intracompany sabotage. + Today, in those countries where the phone service is nationally owned, the +service runs from poor to nonexistent. Would you want the government that gave +you the Russian wheat deals, Defense Department overruns, Amtrak, and the +Postal Service handling your phone problems? + +From: Hyde, J. Edward, The Phone Book. Henry Regnery Publishing Company, +Chicago, Illinois, 1976. ISBN 0-8092-8008-6, p. 170. + +Technical References: + +Notes on the BOC intra-LATA Networks. American Telephone & Telegraph Company, +1983. + +The Phone Book. J. Edward Hyde, 1976. + +Bell System Technical Journal. Volume 58, Number 5. + +Engineering and Operations in the Bell System. American Telephone & Telegraph +Company, 1983. + + +Acknowledgements: Karl Marx, Telenet Bob, and the scores of Telco employees +in Denver, White Plains, Omaha, and North Jersey who were very helpful in +patiently answering my many questions about Equal Access. + +Thanks to Mack the Knife for magnetic transfer of this illustrious file, a +tedious task for which I have no time. + +Thanks to the following printers for their cooperation and professional manner +in helping me with final production of this file: + +Kinko's Print Shop +7155 West Colfax +Lakewood, CO + +Office Products and Printing +5035 S. Kipling Suite B4 +Littleton, CO + +This has been a Mark Tabas Encounter Series production. Questions, comments, +and requests may be addressed to: + +Tabas + + Page 158 + + + + + The Official Phreaker's Manual + +P.O. Box 620401 +Littleton, CO 80162 + +Requests for copies of this or any other Encounter Series file are honored for +free, but please enclose a self-addressed medium sized first class mailing +envelope with 73 cents postage. + +Special thanks to Steve Reger, who was kind enough to shoot my neighbor's dog, +whose incessant barking constantly distracted me as I labored to complete this +file. + +(for Amy) cl/KIABB!/jd + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 159 + + + + + The Official Phreaker's Manual + + Equal Access and Modem Autodialers by Shadow 2600 + + Now that AT&T is being divested of its local telephone companies, phone +customers across the nation have to choose their long distance carrier as equal +access is phased in. Advertising campaigns emphasize such aspects as low rates +and operator assistance, but no one mentions a factor that will affect modem +users who use auto dialers for long distance calls. Not all of the alternate +long distance carriers provide called party answering supervision on all calls. +Called party answering supervision basically has the telephone company start +billing only when the called party answers the telephone. However, many of the +alternate long distance companies still operate with the "fixed timeout" basis +for charging. That is, if a call is held for a fixed length of time (usually +30 seconds) the charging starts, whether or not the call was answered. This +could cause modem owners large bills if they use autodialers to make long +distance calls. Modems are usually set up to wait up to one minute when +attempting to make a call, and thus have to timeout through busy signals, long +call setup sequences, extender waits, and similar problems. This could result +in many billed but never answered calls. + + Some of the other carriers provide it on calls to some cities, and others +not support it at all. Only AT&T Communications provides called party +answering supervision on all calls to all points at this time. It is almost +impossible to get information on how a long distance company charges its calls +as as they don't want to reveal how their billing is handled. The alternate +carriers get called party supervision when the destination location goes equal +access. However, there has been no quick action on the part of the alternate +long distance companies to make use of the supervision data as they would have +to get equipment for passing the information back to the billing computer at +the originating point. Thus called party answering supervision information +often ends up being ignored by these carriers even when available. Another +point to remember is that called party answering supervision's availability +depends on whether the destination has equal access, not the originating +location. The lower long distance rates of alternate long distance rates must +be weighed against the time out problem as it affects autodialing modems. One +way to circumvent this is merely to set your modem to a shorter +waiting-for-connect time, but this may not provide enough time for the call to +go through. [For more information on this and other telecommunications topics +call the Private Sector BBS at (201) 366- 4431] + + + + + + + + + + + + + + + + + + + + + + Page 160 + + + + + The Official Phreaker's Manual + +==Phrack Inc.== +Volume One, Issue Two, Phile #6 of 9 + + Toward Universal Information Services Via ISDN + ~~~~~~ ~~~~~~~~~ ~~~~~~~~~~~ ~~~~~~~~ ~~~ ~~~~ + by Taran King + + From PROTO newsletter of AT&T Bell Laboratories + ------------------------------------------------------------ +Phase one, the Present. +~~~~~ ~~~~ ~~~ ~~~~~~~~ + The local network of today, although still largely voice-oriented, is already +on the path to Universal Information Services. Lightguide fiber is +dramatically expanding the capacity of local networks, helping to lower the +costs and increase the demand for high-band width, Information Age services. +And public networks are increasingly digital and geared for data and special + services. For example: + +o The AT&T Network Systems 5ESS (TM ) switch, designed by Bell +Laboratories, can serve as the hub of a local deployment of remote modules at +locations up to 100 miles from a host central office. + +o The Integrated Special Services Network (ISSN) is a channel network that +provides special services, customer control options and digital private lines +rearrangeable under software control. The ISSN incorporates digital carrier +terminating equipment such as the D4 Channel Bank, D5 Digital Terminal System +and Digital Access and Cross-connect System (DACS). + +o The New Centrex is bringing greater levels of customer control, improved +services and a broad range of data capabilities to the business customer. + + Today's public networks consist of multiple or overlay networks. The public +switched network, or circuit network, mainly for voice, is the base network. +Two kinds of overlay networks provide special services. Channel networks carry +private lines leased by large customers and transmit much of today's data and +image traffic; they also handle traffic for network operations support. Packet +networks carry data communications, while packet switching is used internally +to public networks for common channel signaling to set up, route and take down +calls, or to give customers information. "Overlay networks help +telecommunications companies efficiently meet growing demand for digital +transmission and special services," says Stan Johnston, Market Planning +Manager, Network Systems Evolution, in AT&T Network Systems. "Their integration +into a single network, however, would be still more effective." + +Phase two, the Integrated Services Digital Network (ISDN). +~~~~~ ~~~~ ~~~ ~~~~~~~~~~ ~~~~~~~~ ~~~~~~~ ~~~~~~~ ~~~~~~~ + The ISDN is a concept to which AT&T is committed - and it's the foundation +for Universal Information Services. The central idea of ISDN, as AT&T Network +Systems sees it, is to provide an individual user a link to the local central +office of generous band-width - a digital subscriber line that can carry +144,000 bits per second (sure beats 2400 baud!). The band-width is subdivided +into two 64,000-bit channels, which may carry voice or data or both, and one +16,000-bit channel for packetized signaling information or data transport. +Such a link provides convenient "integrated" network access by accommodating +voice, data and signaling over a single line. + The ISDN will make it easier for a customer to get varied services from +public and private networks. More bandwidth for big customers will be +available through another ISDN access standard, the extended digital subscriber + + Page 161 + + + + + The Official Phreaker's Manual + +line, which provides 1.5 billion bits per second as 24 channels of 64,000 bits +each. + In 1986, new software from Bell Labs will enable the 5ESS switch to +accommodate ISDN-sized 144,000-bit channels that standardize and simplify +subscribers' use of local networks. AT&T is committed to future products that +will also be ISDN-compatible. Other vendors, too, some of whom already plan to +build premises, terminal, and other equipment to ISDN standards, will make ISDN +a cooperative effort. + By providing integrated digital access to networks, ISDN will make important +progress toward the goal of Universal Information Services. But overlay +networks will continue to divvy up the transport job. And messages needing +less than 144,000 bits per second will not fill their allotted bandwidth, +leaving capacity under utilized. + +Phase three, Universal Information Services. +~~~~~ ~~~~~~ ~~~~~~~~~ ~~~~~~~~~~~ ~~~~~~~~~ + Rooted in the fertile ground of 5ESS switches, ISDN equipment and +technologies such as wideband packet transport, Universal Information Services +will bear fruit during the 1990s. From a single kind of network will hang +services as different as apples, oranges and pears. Just as network access was +integrated in ISDN, transport functions will increasingly be integrated by +powerful new network equipment evolved from equipment developed for the ISDN. +Where customers once got standard-sized ISDN channels, they'll get big +bandwidth for large jobs, little bandwidth for small jobs. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 162 + + + + + The Official Phreaker's Manual + + TOWARD UNIVERSAL INFORMATION SERVICES VIA ISDN + +Phase one, the present. The local network of today, although still largely +voice oriented, is already on the path to Universal Information Services. +Lightguide fiber is dramatically expanding the capacity of local networks, +helping to lower the costs and increase the demand for high-bandwidth, +Information Age services. And public networks are increasingly digital and +geared for data and special services. For example: + + * The AT&T Network Systems 5ESS switch, designed by Bell Laboratories, can +serve as the hub of a local digital network through deployment of remote +modules at locations up to 100 miles from a host central office. + + * The Integrated Special Services Network (ISSN) is a channel networks that +provides special services, customer control options and digital private lines +rearrangeable under software control. The ISSN incorporates digital carrier +terminating equipment such as the D4 Channel Bank, D5 Digital Terminal System +and Digital Access and Cross-connect Systems (DACS). + + * The New Centrex is bringing greater levels of customer control, improved +services and a broad range of data capabilities to the business customer. + + Todays public networks consist of multiple or overlay networks. The public +switched network, or circuit network, is the base network. Two kinds of +overlay networks provide special services. Channel networks carry private +lines leased by large customers and transmit much of today's data and image +traffic; they also handle traffic for network operations support. Packet +networks carry data communications, while packet switching is used internal to +public networks for common channel signaling to set up, route and take down +calls, or to give customers information. + "Overlay networks help telecommunications companies efficiently meet growing +demand for digital transmission and special services," says Stan Johnston, +Market Planning Manager, Network Systems Evolution, in AT&T Network Systems. +"Their integration into a signal network, however, would be still +more effective." + Phase two, the Integrated Services Digital Network (ISDN). The ISDN is a +concept to which AT&T is commited--and it's the foundation for Universal +Information Services. The central idea of ISDN, as AT&T Network Systems sees +it, is to provide an individual user a link to the local central office of +generous bandwidth--a digital subscriber line that can carry 144,000 bits per +second. The bandwidth is subdivided into two 64,000-bit channels, which may +carry voice or data or both, and one 16,000-bit channel for packetized +signaling information or data transport. Such a link provides convenient +"integrated" network access by accommodating voice, data and signaling over a +single line. + The ISDN will make it easier for a customer to get varied services from +public and private networks. More bandwidth for big customers will be +available through another ISDN access standard, the extended digital subscriber +line, which provides 1.5 million bit per second as 24 channels of 64,000 bits +each. + In 1986, new software from Bell Labs will enable the 5ESS switch to +accommodate ISDN-sized 144,000-bit channels that standardize and simplify +subscribers' use of local networks. AT&T is committed to future products that +will also be ISDN-compatible. Other vendors, too, some of whom already plan to +build premises, terminal and other equipment to ISDN standards, will make ISDN +a cooperative effort. + By providing integrated digital access to networks, ISDN will make +important progress toward the goal of Universal Information Services. But + + Page 163 + + + + + The Official Phreaker's Manual + +overlay networks will continue to divvy up the transport job. And messages +needing less than 144,000 bits per second will not fill their allotted +bandwidth, leaving capacity underutilized. + Phase three, Universal Information Services. Rooted in the fertile ground +of 5ESS switches, ISDN equipment and technologies such as wideband packet +transport, Universal Information Services will bear fruit during the 1990s. +From a single kind of network will hang services as different as apples, +oranges and pears. Just as network access was integrated in ISDN, transport +functions will increasingly be integrated by powerful new equipment evolved +from equipment developed for the ISDN. Where customers once got standard- +sized ISDN channels, they'll get big bandwidth for large jobs, little bandwidth +for small jobs. + +*** retyped from PROTO, AT&T Bell Laboratories report to executives on new +technologies, without written permission from the editors. (heh, heh.) + +Subscriptions: $15.00 per year, published bi-monthly. Send check payable to +"Bell Laboratories PROTO," to PROTO Circulation Manager, Room 3E-230, 150 John +F. Kennedy Parkway, Short Hills, N.J. 07078. + +:LIQUID:CRYSTAL: +wisdom is safety + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 164 + + + + + The Official Phreaker's Manual + +==Phrack Inc.== +Volume One, Issue Two, Phile #7 of 9 + + @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ + @ @ + @ _ _ _______ @ + @ | \/ | / _____/ @ + @ |_||_|etal / /hop @ + @ __________/ / @ + @ /___________/ @ + @ Headquarters of Phrack Newsletter @ + @ (314) 432-0756 @ + @ Proudly Presents @ + @ MCI Overview @ + @ Written on 11/16/85 @ + @ by @ + @ @ + @ Knight Lightning & Taran King @ + @ @ + @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ + +MCI Communications Corporation, headquartered in Washington, D.C., provides a +full range of domestic and international telecommunications services, including +voice and data, telex and cable, paging and mobile telephone, and time +sensitive message delivery. + +Since its founding in 1968, MCI has grown to more than $1.6 billion in annual +sales and serves more than 1.9 million business, residential and government +customers through its four major business units: + +MCI Telecommunications + +MCI Airsignal + +MCI International + +MCI Digital Information Services + + +MCI TELECOMMUNICATIONS + + MCI Telecommunications provides domestic interstate long distance service +throughout all 50 states, plus Puerto Rico, the U.S. Virgin Islands, and major +calling areas of Canada. It is also authorized to provide varying degrees of +intrastate long distance service in some states. + +MCI also is the first long distance carrier other than AT&T to offer direct +dial service overseas. International telephone service is available to all +residential and commercial customers (with the exception of Private Line +customers). In October, 1984 the first international service agreements were +announced with the following countries: Argentina, Belgium, Brazil, East +Germany, Greece, United Arab Emirates, and the United Kingdom. + +Total capital investment in MCI's long distance network is approximately $2 +billion. MCI's network, the second largest in the U.S., employs microwave +optical fiber, satellite and various digital transmission technologies. + +Subscribers - Domestic Long Distance (as of 10/84) + + Page 165 + + + + + The Official Phreaker's Manual + +----------- ---------------------- +Residential 1.4 million +Commercial .3 million + Total 1.7 million + +Operations - (as of 10/84) +Network Miles...20,543 (microwave, optical fiber, satellite) +Circuits.......238,000 +Employees........9,500 (full-time, approx.) + +MCI AIRSIGNAL + +MCI Airsignal provides personal message delivery and car telephone services. +MCI Message Service is offered in more than 50 metropolitan areas. In 1984, +service will commence in New York City, Baltimore-Washington, Los Angeles, and +Chicago. MCI car telephone service is offered in 20 markets. + +Personal Message Delivery Service + +ALPHANUMERIC MESSAGE SERVICE + +Displays up to 40-character message using letters and/or numbers. Memory and +recall ability. Alerts subscriber with a silent visual alert or a soft tone. + +DISPLAY MESSAGE SERVICE + +Displays up to 24-digit message (e.g., phone number, stock quotes, sales +figures, coded messages). Memory and recall capability. Alerts customer to +message with a silent visual alert or a soft tone. + +TONE MESSAGE SERVICE + +Notifies customer of a message with a soft tone. + +VOICE MESSAGE SERVICE + +Receives message in actual voice of caller. + +EXPRESS MESSAGE SERVICE + +Receives and stores messages. Instantly alerts subscriber via pager when a +message is received. + +Car Telephone Service + +Enables customers to place calls to or receive calls from anywhere in the +world, 24 hours a day, as they travel in their cars. With the advent of new +cellular technology, both the quality and the accessibility of car telephone +service will vastly improve. + +MCI has thus far obtained franchises to operate a new kind of mobile phone +service, cellular telephone, in Minneapolis and Pittsburgh, and has received +favorable decisions from FCC administration law judges authorizing service in +Los Angeles, Denver-Boulder, and Kansas City. MCI has applied for licenses to +provide cellular service in 81 metropolitan areas. + +MCI Airsignal Branch Sales Offices + + + Page 166 + + + + + The Official Phreaker's Manual + +Personal Message Service/Conventional Mobile Phone Service + +Birmingham (205) 942-2924 +Sacramento (916) 444-2350 +Memphis (901) 682-9658 +Cleveland (216) 464-7311 +Dallas (214) 788-5111 +Fresno (209) 486-7410 +Las Vegas (702) 382-7461 +Denver (303) 778-7878 +Portland (503) 227-2556 +Philadelphia (215) 677-9845 +Atlanta (404) 252-2114 +West Florida (813) 875-3404 +Minneapolis (612) 544-8175 +Kansas City (913) 648-8090 +Miami (305) 491-0122 +Pittsburgh (412) 343-1611 +Houston (713) 464-2516 +Bakersfield (805) 832-2346 + +Cellular Telephone Offices + + Minneapolis-St. Paul (612) 544-3312 + Los Angeles (714) 527-0385 + Elsewhere in California (800) 344-3455 + Headquarters - Washington, D.C. (202) 429-9660 + + +MCI INTERNATIONAL + +MCI International provides private-line voice service to several overseas +countries, and data and message services, including telex, cablegram, leased +channel, and packet switching communications, to more than 200 overseas points. +MCI has moved into two new areas of service: International direct-dial +telephone service and international electronic mail and hard-copy delivery +services. + +International Record Services + +TELEX SERVICE (domestic and international) permits instantaneous, two-way, +written communications with other subscribers worldwide. Customers can send +messages at any time, even though the receiving terminal may be unattended. MCI +International offers access to its telex service from a variety of terminals +and networks; not only subscribers with telex terminals but also those with +communicating word processors, data terminals or computers that communicate +over telephone lines can take advantage of MCI International telex service. To +subscribers connected to its own telex network, MCI International offers World +Message Services--a package of communications offerings including telex, +cablegram and MCI Mail services. Various service enhancements are available to +save time, improve operating efficiency and simplify records keeping for telex +users. + +CABLEGRAM SERVICE, the traditional means of international written +communications, offers flexibility in delivery and economical rates for shorter +messages. Cablegrams can be delivered to virtually any overseas +point.Subscribers with telex terminals or various other types of equipment can +access and TELUS cablegram switch and take advantage of such service + + Page 167 + + + + + The Official Phreaker's Manual + +enhancements as abbreviated addressing and departmental billing. + +LEASED +CHANNEL SERVICE provides an exclusive line between a U.S. firm and it's +overseas office for private communications 24 hours a day. Each MCI +International leased channel is tailored to meet the needs of a specific +customer for teleprinter, facsimile, voice and/or data traffic. For subscribers +with several offices requiring private communications with each other, MCI +International offers a versatile message-switching service. Voice/data leases +can be configured to meet a whole array of communicating needs; for example, +one channel might carry data traffic from a computer at night, voice +communications during office hours, and simultaneous teleprinter messages at +any time. Data channels can handle requirements for traffic at any speed from +1200 bits per second to 1.544 megabits per second. + +IMPACS SERVICE uses packet-switching technology to provide international +communications service between data terminals and computers. Impacs offers +on-line, real-time connections and enables many types of incompatible systems +to communicate. Impacs service offers virtually error-free transmission +because of the error-detection and retransmission capability of the network. + +INSTALINK SERVICE allows businesses overseas to use regular telex equipment to +access remote computing systems and databases in the U.S. Subscribers can +retrieve data from a computer-based information service or use a computing +system connecting to a packet-switching network in the U.S. + +INTERNATIONAL +FACSIMILE SERVICE enables subscribers to send duplicates of original documents +overseas quickly and efficiently, even when neither the sender or the receiver +has facsimile transmission equipment, or when the sender and receiver have +incompatible equipment. + +DATEL SERVICE provides automatic or voice-coordinated data transmission at +speeds up to 2400 bits per second. Either digital or analog facsimile traffic +can be transmitted via Datel. Datel facilities are conditioned to ensure +high-quality transmission. The MCI International switching center allows +communications between incompatible terminals. + +MARITIME SERVICES provide instant, high--quality contact between ships at sea +or offshore rigs, and between these vessels and land-based subscribers +worldwide. + +International Voice Services + +PRIVATE +LINE SERVICE provides, fast, easy access to a single overseas location at an +economical monthly rate. This technically efficient system maximizes the use +of line capacity by recognizing idle time and assigning a speaker to a +transmission path only when the path is needed. Users can dial a four-digit +extension from a regular business phone to reach a key overseas location. + +International Mail Services + +WORLD +MESSAGE SERVICE subscribers can access the domestic electronic mail and +hard-copy delivery offerings of MCI Mail. In addition, MCI International is +developing fast, low-cost services that will deliver electronic messages and +high-quality printed documents worldwide. + + Page 168 + + + + + The Official Phreaker's Manual + + +Customer Service + +THE CUSTOMER TROUBLE REPORTING ASSISTANCE CENTER at MCI International addresses +customer concerns such as equipment maintenance and service performance +questions. Customer service specialists, on duty 24 hours a day on business +days, answer questions and electronically route service requests to technicians +nationwide. + +MCI DIGITAL INFORMATION SERVICES CORP. + +MCI Digital Information Services, MCI's newest unit, provides high-speed, +low-cost, time-sensitive message delivery (MCI Mail), either electronically or +via hard copy. + +MCI Mail provides time-sensitive document delivery to anyone, anywhere vial +MCI's long-distance telephone network. MCI Mail can reach a recipient +instantly, in four hours or less, or overnight by noon the next day. Prices +are as much as 90 percent lower than comparable time-sensitive mail delivery +services. MCI Mail can be delivered electronically, terminal to terminal, or +laser printed on letterhead stationery with the customer's signature. + +MCI Mail customers can even order gifts and services direct through MCI Mail, +ranging from software and paper for personal computers to investment advisory +services to travel specials. + +There are no sign-up, monthly service charges or "connect time" charges for MCI +Mail. MCI Mail can be used by virtually any personal computer, word processor, +electronic typewriter, data terminal, telex, or other digital communications +device. The service is accessed by a local telephone call or 800 number. + +MCI Mail + +INSTANT delivery to an "electronic" mailbox. + +FOUR-HOUR paper delivery by courier to 17 major metropolitan areas regardless +of point of origin. + +OVERNIGHT paper delivery by courier by noon the next day in 20,000 continental +U.S. cities. + +MCI LETTER transmitted electronically to the MCI digital postal center nearest +its destination, then delivered locally by the U.S. Postal Service. + +TELEX DISPATCH enables MCI Mail subscribers to transmit messages to the more +than 1.6 million telex subscribers worldwide. + +VOLUME MAIL enables customers to send large mailings in a variety of letter +formats, at substantial savings in delivery time and expense. + + ============================================================ + Look for more MCI Files coming to Metal Shop soon! + + This has been a Knight Lightning Presentation + ============================================================ + + + + + Page 169 + + + + + The Official Phreaker's Manual + + Reference Tables + + Just some notes that you will always try to find but can never! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 170 + + + + + The Official Phreaker's Manual + +==Phrack Inc.== +Volume One, Issue One, Phile #5 of 8 + + Using MCI Calling Cards + by + Knight Lightning + of the + 2600 Club! + +How to dial international calls on MCI: + + "Its easy to use MCI for international calling." + +1. Dial your MCI access number and authorization code (code = 14 digit number, +however the first 10 digits are the card holders NPA+PRE+SUFF). + +2. Dial 011 + +3. Dial the country code + +4. Dial the city code and the PRE+SUFF that you want. + +Countries served by MCI: + +Country code|Country code +-------------------------------------|-------------------------------- +Algeria..........................213 |New Zealand..................064 +Argentina........................054 |Northern Ireland.............044 +Australia........................061 |Oman.........................968 +Belgium..........................032 |Papua New Guinea.............675 +Brazil...........................055 |Qatar........................974 +Canada................Use Area Codes |Saudi Arabia.................966 +Cyprus...........................357 |Scotland.....................044 +Denmark..........................045 |Senegal......................221 +Egypt............................020 |South Africa.................027 +England..........................044 |Sri Lanka....................094 +German Democratic Republic |Sweden.......................046 +(East Germany)...................037 |Taiwan.......................886 +Greece...........................030 |Tanzania.....................255 +Jordan...........................962 |Tunisa.......................216 +Kenya............................254 |United Arab Emirates.........971 +Kuwait...........................965 |Wales........................044 +Malawi...........................265 | +====================================================================== + +Thats 33 countries in all. To get the extender for these calls dial 950-1022 or +1-800-624-1022. + +For local calling: + +1. Dial 950-10222 or 1-800-624-1022 + +2. Wait for tone + +3. Dial "0", the area code, the phone number, and the 14 digit authorization +code. You will hear 2 more tones that let you know you are connected. + + - Knight Lightning --> The 2600 Club! + + Page 171 + + + + + The Official Phreaker's Manual + +===================================================================== + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 172 + + + + + The Official Phreaker's Manual + + AT&T INTERNATIONAL DIALING COUNTRY CODES AS OF 2-17-85 + + FILE BY: Lock Lifter + +=========================+ + +*UNITED KINGDOM/IRELAND +------------------------------------ +IRELAND.........................353 +UNITED KINGDOM...................44 + +*EUROPE +------------------------------------ +ANDORRA..........................33 +AUSTRIA..........................43 +BELGIUM..........................32 +CYPRUS..........................357 +CZECHOLSLOVAKIA..................42 +DENMARK..........................45 +FINLAND.........................358 +FRANCE...........................33 +GERMAN DEMOCRATIC REPUBLIC.......37 +GERMANY, FEDERAL REPUBLIC OF.....49 +GIBRALTAR.......................350 +GREECE...........................30 +HUNGARY..........................36 +ICELAND.........................354 +ITALY............................39 +LIECHTENSTEIN....................41 +LUXEMBOURG......................352 +MONACO...........................33 +NETHERLANDS......................31 +NORWAY...........................47 +POLAND...........................48 +PORTUGAL........................351 +ROMANIA..........................40 +SAN MARINO.......................39 +SPAIN............................34 +SWEDEN...........................46 +SWITZERLAND......................41 +TURKEY...........................90 +VATICAN CITY.....................39 +YUGOSLAVIA.......................38 + +*CENTRAL AMERICA +------------------------------------ +BELIZE..........................501 +COSTA RICA......................506 +EL SALVADOR.....................503 +GUATEMALA.......................502 +HONDURAS........................504 +NICARAGUA.......................505 +PANAMA..........................507 + +*AFRICA +------------------------------------ +ALGERIA.........................213 +CAMEROON........................237 +EGYPT............................20 + + Page 173 + + + + + The Official Phreaker's Manual + +ETHIOPIA........................251 +GABON...........................241 +IVORY COAST.....................225 +KENYA...........................254 +LESOTHO.........................266 +LIBERIA.........................231 +LIBYA...........................218 +MALAWI..........................265 +MOROCCO.........................212 +NAMIBIA.........................264 +NIGERIA.........................234 +SENEGAL.........................221 +SOUTH AFRICA.....................27 +SWAZILAND.......................268 +TANZANIA........................255 +TUNISIA.........................216 +UGANDA..........................256 +ZAMBIA..........................260 +ZIMBABWE........................263 + +*PACIFIC +------------------------------------ +AMERICAN SAMOA..................684 +AUSTRAILIA.......................61 +BRUNEI..........................673 +FIJI............................679 +FRENCH POLYNESIA................689 +GUAM............................671 +HONG KONG.......................852 +INDONESIA........................62 +JAPAN............................81 +KOREA, REPUBLIC OF...............82 +MALAYSIA.........................60 +NEW CALEDONIA...................687 +NEW ZEALAND......................64 +PAPUA NEW GUINEA................675 +PHILIPPINES......................63 +SAIPAN..........................670 +SINGAPORE........................65 +TAIWAN..........................886 +THAILAND.........................66 + +*INDIAN OCEAN +------------------------------------ +PAKISTAN.........................92 +SRI LANKA........................94 + +*SOUTH AMERICA +------------------------------------ +ARGENTINA........................54 +BOLIVIA.........................591 +BRAZIL...........................55 +CHILE............................56 +COLOMBIA.........................57 +ECUADOR.........................593 +GUYANA..........................592 +PARAGUAY........................595 +PERU.............................51 + + Page 174 + + + + + The Official Phreaker's Manual + +SURINAME........................597 +URUGUAY.........................598 +VENEZUELA........................58 + +*NEAR EAST +------------------------------------ +BAHRAIN.........................973 +IRAN.............................98 +IRAQ............................964 +ISRAEL..........................972 +JORDAN..........................962 +KUWAIT..........................965 +OMAN............................968 +QATAR...........................974 +SAUDI ARABIA....................966 +UNITED ARAB EMIRATES............971 +YEMEN ARAB REPUBLIC.............967 + +*CARIBBEAN/ATLANTIC +------------------------------------ +FRENCH ANTILLES.................596 +GUANTANAMO BAY (US NAVY BASE)....53 +HAITI...........................509 +NETHERLANDS ANTILLES............599 +ST. PIERRE AND MIQUELON.........508 + +*INDIA +------------------------------------ +INDIA............................91 + +*CANADA +------------------------------------ +TO CALL CANADA, DIAL 1 + AREA CODE + +LOCAL NUMBER. + +*MEXICO +------------------------------------ +TO CALL MEXICO, DIAL 011 + 52 + CITY CODE+ LOCAL NUMBER. + +***NOTES :DO NOT FORGET ABOUT THE TIME DIFFERENCE WHEN CALLING OUTSIDE OF YOUR +TIME ZONE. CALLING CARDS CAN BE USED OVER SEAS TO CALL BACK INTO THE U.S. FOR +FURTHER INFORMATION CALL TOLL-FREE 1-800-874-0000. DIAL '#' AFTER THE COMPLETE +NUMBER TO MAKE THE CALL GO THROUGH FASTER. + + + + + + + + + + + + + + + + + Page 175 + + + + + The Official Phreaker's Manual + + ************************************** + * * + * International Dialing Codes * + * Country + Routing * + * * + * (Typed by The Dagda Mor) * + * (Edited by The Jammer) * + * * + ************************************** + +To dial international calls: + +International Access Code + Country code + Routing code + +Example : + +To call Frankfurt, Germany, you would do the following: + +011 + 49 + 611 + (# wanted) + # sign(octothrope) + +The # sign at the end is to tell Bell that you are done entering in all the +needed info. + +Here is the list of Country Codes, listed next to the country, and the routing +codes listed next to the city. + +Andorra- 33 Argentina- 54 +------- --------- +all points- 078 Buenos Aires- 1 + + +Australia- 61 Austria- 43 +--------- ------- +Melbourne- 3 Innsbruck- 5222 +Sydney- 2 Vienna- 222 + + +Bahrain- 973 Belgium- 32 +------- ------- +no routing needed Antwerp- 31 + Brussels- 2 + + +Belize- 501 Bolivia- 591 +------ ------- +no routing needed La Paz- 2 + + +Brazil- 591 Chile- 56 +------ ----- +Brasilia-61 Santiago- 2 +Rio de Janeiro- 21 Valparaiso- 31 +Sao Paulo- 11 + + +China- 86 Colombia- 56 +----- -------- +Tainan- 62 none needed + + Page 176 + + + + + The Official Phreaker's Manual + +Taipei- 2 + + +Costa Rica- 506 Cyprus- 357 +----- ---- ------ +no routing needed Nicosia- 21 + + +Denmark- 45 Ecuador- 593 +------- ------- +Aalborg- 8 Cuenca- 4 +Copenhagen 1 or 2 Quito- 2 + + +El Salvador- 503 Fiji- 679 +---------- ---- +no routing needed none needed + + +France- 33 Germany- 49 +------ ------- +Bordeaux- 56 Berlin- 30 +Marseille- 91 Bonn- 228 +Nice- 93 Frankfurt- 661 +Paris- 1 Munich- 89 + + +German. Rep- 37 Greece- 30 +------- --- ------ +Berlin- 2 Athens- 1 + Rhodes- 241 + + +Guam- 671 Guatamala- 502 +---- --------- +no routing needed Guatemala City- 2 + + +Guyana- 592 Haiti- 509 +------ ----- +Georgetown- 02 Port Au Prince- 1 + + +Hoduras- 504 Hong Kong- 852 +------- ---- ---- +no routing needed Hong Kong- 5 + Kowloon- 3 + + +Indonesia- 62 Iran- 98 +--------- ---- +Jakarta- 21 Teheran- 21 + + +Iraq- 964 Ireland- 353 +---- ------- +Baghdad- 1 Dublin- 1 + Galway- 91 + + Page 177 + + + + + The Official Phreaker's Manual + + + +Israel- 978 Italy- 39 +------ ----- +Haifa- 4 Florence- 55 +Jerusalem- 2 Naples- 81 +Tel Aviv- 3 Rome- 6 + Venice- 41 + + +Ivory Coast- 225 Japan- 81 +----- ----- ----- +no routing needed Hiroshima- 822 + Tokyo- 3 + Yokohama- 45 + + +Kenya- 254 Korea- 82 +----- ----- +Nairobi- 2 Pusan- 51 + Seoul- 2 + + +Kuwait- 965 Liberia- 231 +------ ------- +no routing needed none needed + + +Libya- 218 Lechtenstein- 4 +----- ------------ +Tripoli- 21 All points- 75 + + +Luxembourg- 352 Malaysia- 60 +---------- -------- +no routing needed Kuala Lumpur- 3 + + +Monaco- 33 Netherlands- 31 +------ ----------- +All points- 93 Amsterdam- 20 + Rotterdam- 10 + The Hague- 70 + + +New Caledonia- 687 New Zealand- 64 +--- --------- --- ------- +no routing needed Auckland- 9 + Wellinton- 4 + + +Nicaragua- 505 Nigeria- 234 +--------- ------- +Managua- 2 Lagos- 1 + + +Norway- 47 Panama- 507 +------ ------ + + Page 178 + + + + + The Official Phreaker's Manual + +Bergen- 5 none needed +Oslo- 2 + + +Papua New Guinea-675 Paraguay- 595 +----- --- ------ -------- +no routing needed Asuncion- 21 + + +Peru- 51 Phillippines- 63 +---- ------------ +Arequipa- 542 Manila- 2 +Lima- 14 + +Portugal- 351 Romania- 40 +-------- ------- +Lisbon- 19 Bucuresti- 0 + + +San Marino- 39 Saudi Arabia- 966 +--- ------ ----- ------ +All points- 541 Riyadh- 1 + + +Senegal- 221 South Africa- 27 +------- ----- ------ +no routing needed Cape Town- 21 + Pretoria- 12 + + +Spain- 34 Sri Lanka- 94 +----- --- ----- +Barcelona- 3 Colombo- 1 +Canary Is.- 28 +Madrid- 1 +Seville- 54 + + +Suriname- 597 Sweden- 46 +-------- ------ +no routing needed Goteborg- 31 + Stockholm- 8 + + +Switzerland- 41 Tahiti- 689 +----------- ------ +Berne- 31 none needed +Geneva- 22 +Lucerne- 41 +Zurich- 1 + + +Thailand- 66 Tunisia- 216 +-------- ------- +Bangkok- 2 Tunis- 1 + + +Turkey- 90 United Arab + + Page 179 + + + + + The Official Phreaker's Manual + +------ Emirates- 971 +Istanbul- 11 -------- + Abu Dhabi- 2 + Ajman- 6 + Al Ain- 3 + Aweir- 49 + Dubai- 4 + Fujairah- 91 + Jebel Dhana- 5 + Sharjah- 6 + Umm-Al-Quwain- 6 + + +United Kingdom- 44 USSR- 7 +------ ------- ---- +Belfast- 232 Kiev- 044 +Cardiff- 222 Leningrad- 812 +Edinburgh- 31 Minsk- 017 +Glasgow- 41 Moscow- 095 +Liverpool- 51 Tallinn- 0142 +London- 1 + +Vatican City- 39 Venezuela- 58 +------- ---- --------- +All points- 6 Caracas- 2 + Maracaibo- 61 + +Yugoslavia- 38 +---------- +Belgrade- 11 +Zagreb- 41 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 180 + + + + + The Official Phreaker's Manual + + ************************************** + * * + * MAX ACCESS PORTS * + * * + * (LEXITEL CORPORATION) * + * * + * WORD PROCESSED BY THE DAGDA MOR * + * * + ************************************** + +ADRIAN,MI............313-263-0191 LIVONIA, MI..........313-261-6970 +AKRON,OH.............216-275-9814 LOS ANGELES, CA......213-624-9041 +ANN ARBOR, MI........313-451-2121 LOUISVILLE, KY.......502-568-6204 +ATLANTA, GA..........404-525-1769 MARION, OH...........614-387-1011 +AVON LAKE, OH........216-933-2823 MCKEESPORT, PA.......412-664-4870 +BADEN, PA............412-869-1360 MENTOR, OH...........216-255-1645 +BALTIMORE, MD........301-444-7280 MIDDLETOWN, OH.......513-423-1066 +BEAVER FALLS, PA.....412-847-3640 MILWAUKEE, WI........414-933-1880 +BIRMINGHAM, MI.......313-649-0730 MINNEAPOLIS, MN......612-375-0280 +BOSTON, MA...........617-267-9134 MONESSEN, PA.........412-684-8710 +BUFFALO, NY..........716-854-0802 MORTON GROVE,IL......312-950-1066 +BUTLER, PA...........412-285-9081 NEWARK, NJ...........201-624-5040 +CANTON, OH...........216-455-1425 NEWARK, OH...........614-349-8754 +CHICAGO, IL..........312-950-1066 NEW CASTLE, PA.......412-656-9420 +CHILLICOTHE, OH......614-772-1066 NEW YORK, NY.........212-950-1066 +CINCINNATI, OH.......513-421-1880 OAK LAWN, IL.........312-950-1066 +CLEVELAND, OH........216-771-6614 PHILADELPHIA, PA.....215-751-9711 +COLUMBUS, OH.........614-950-1066 PITTSBURG, PA........412-391-9532 +DALLAS, TX...........214-653-1047 PLYMOUTH, MI.........313-451-2121 +DAYTON, OH...........513-223-0366 PONTIAC, MI..........313-332-0500 +DETROIT, MI..........313-950-1066 PORT HURON, MI.......313-982-7115 +ELK GROVE, IL........312-950-1066 PHOENIX, AZ..........602-242-0252 +ELYRIA, OH...........419-323-4431 QUEENS, NY...........718-204-7330 +FINDLAY, OH..........419-424-5934 SANDUSKY, OH.........419-625-1289 +GLEENSHAW, PA........412-486-7394 SHARON, PA...........412-983-0100 +GRAND RAPIDS, MI.....616-456-7925 SPRINGFIELD, OH......513-950-1066 +GREENSBURG, PA.......412-836-8110 STEUBENVILLE, OH.....614-283-1756 +HACKENSACK, NJ.......201-342-2815 ST. LOUIS, MO........314-289-9100 +HOUSTON, TX..........713-224-0982 ST. PAUL, WI.........612-375-0280 +INDIANA, PA..........412-349-8760 TOLEDO, OH...........419-255-1316 +INDIANAPOLIS, IN.....317-638-4442 TROY, OH.............513-335-2303 +KALAMAZOO, MI........616-342-0266 TURTLE CREEK, PA.....412-823-1500 +KANSAS CITY, MO......816-474-6193 WASHINGTON, DC.......202-479-4411 +KOKOMO, IN...........317-453-9932 WASHINGTON, PA.......412-225-1800 +LA GRANGE, IL........312-950-1066 WARREN, MI...........313-268-9120 +LANCASTER, OH........614-687-0159 XENIA, OH............513-376-2991 +LANSING, MI..........517-950-1066 YOUNGSTOWN, OH.......216-746-2021 +LAFAYETTE, IN........317-423-5492 ZANESVILLE, OH.......614-454-6815 + + + + + + + + + + + + Page 181 + + + + + The Official Phreaker's Manual + + ******************** METROFONE ACCESS NUMBERS ******************** + +ANAHEIM, CA (714)527-7055 LOS ANGELES, CA (213)992-8282 +ATLANTA, GA (404)223-1000 LOS ANGELES, CA (213)202-6117 +AUSTIN, TX (512)474-6057 MIAMI, FL (305)326-3300 +BALTIMORE, MD (301)659-7700 MILWAUKEE, WI (414)277-1805 +BEAUMONT, TX (713)833-9331 MINNEAPOLIS, MN (612)370-9000 +BOSTON, MA (617)482-3222 NEW ORLEANS, LA (504)566-8500 +BUFFALO, NY (716)852-9200 NEW YORK, NY (212)732-7430 +CHICAGO, IL (312)853-4700 NEWARK, NJ (201)645-9220 +CINCINNATI, OH (513)241-1747 OAKLAND, CA (415)836-6900 +CLEVELAND, OH (216)861-5163 OKLAHOMA CITY, OK (405)232-9011 +COLUMBUS, OH (614)224-0577 OMAHA, NE (402)422-1120 +CULVER CITY, CA (213)410-0078 PHILADELPHIA, PA (215)351-0100 +DALLAS, TX (214)742-4500 PITTSBURGH, PA (412)261-5720 +DAYTON, OH (513)228-1576 RENO, NV (702)329-1025 +DENVER, CO (303)623-5326 RICHMOND, VA (804)225-1920 +DETROIT, MI (313)963-4847 ST. LOUIS, MO (314)342-1130 +EL MONTE, CA (213)350-1028 SACRAMENTO, CA (916)443-6921 +ELK GROVE, IL (312)981-8870 SAN ANTONIO, TX (512)224-9600 +FT. LAUDERDALE, FL (305)462-3530 SAN DIEGO, CA (714)233-0327 +FT. WORTH, TX (817)338-1639 SAN FRANCISCO, CA (415)956-0162 +HACKENSACK, NJ (201)487-3155 SAN JOSE, CA (408)947-7606 +HARTFORD, CT (203)522-0003 SAN MATEO, CA (415)579-6001 +HAWTHORNE, NJ (201)427-1100 SANTA ANA, CA (714)972-9515 +HINSDALE, IL (312)986-0566 SEATTLE, WA (206)382-0910 +HOUSTON, TX (713)224-9417 SKOKIE, IL (312)679-8120 +HUNTINGTON BEACH, CA (714)972-8515 SYRACUSE, NY (315)474-3911 +INDIANAPOLIS, IN (317)635-6284 TOLEDO, OH (419)243-1046 +KANSAS CITY, KS (913)621-3186 WASHINGTON, DC (202)737-2051 +LONG ISLAND, NY (516)443-5402 +LOS ANGELES, CA (213)629-1026 + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 182 + + + + + The Official Phreaker's Manual + + Area Codes In Numerical Order, by The Jammer +______________________________________________________________________ + +201 Newark New Jersey 519 London Ontario +202 Washington D.C (all) 601 Mississippi (all) +203 Connecticut (all) 602 Arizona (all) +205 Alabama (all) 603 New Hampshire (all) +206 Seattle Washington 605 South Dakota (all) +207 Maine (all) 606 Winchester Kentucky +208 Idaho (all) 607 Binghamton New York +212 Bronx Nyc, New York 608 Madison Wisconsin +212 Manhattan Nyc, New York 609 Trenton New Jersey +213 Los Angeles California 612 St. Paul Minnesota +214 Dallas Texas 613 Ottawa Ontario +215 Philadelphia Pennsylvania 614 Columbus Ohio +216 Cleveland Ohio 615 Nashville Tennessee +217 Springfield Illinois 616 Grand Rapids Michigan +218 Duluth Minnesota 617 Boston Massachusetts +219 Gary Indiana 618 Alton Illinois +301 Maryland (all) 619 San Diego California +303 Colorado (all) 700 Teleconference (all) +304 West Virginia (all) 701 North Dakota (all) +305 Miami Florida 702 Nevada (all) +305 Orlando Florida 703 Alexandria Virginia +307 Wyoming (all) 704 Charlotte North Carolina +308 Abott Nebraska 705 North Bay Ontario +309 Peoria Illinois 712 Councilbluffs Iowa +312 Chicago Illinois 713 Houston Texas +313 Detroit Michigan 714 Anaheim California +314 St. Louis Missouri 715 Bay City Wisconsin +315 Syracuse New York 716 Buffalo New York +316 Wichita Kansas 716 Rochester New York +317 Indinapolis Illinois 717 Harrisburg Pennsylvania +318 Lake charles Lousiana 800 Toll Free (all) +319 Davenport Iowa 801 Utah (all) +401 Rhode Island (all) 802 Vermont (all) +402 Omaha Nebraska 803 South Carolina (all) +404 Atlanta Georgia 804 Richmond Virgina +405 Oklahoma City Oklahoma 805 Bakersfield California +406 Montana (all) 806 Amarillo Texas +408 San Jose California 807 Thunder Bay Ontario +412 Pittsburg Pennsylvania 808 Hawaii (all) +413 Springfield Massachusetts 809 Bermuda (all) +414 Milwaukee Wisconsin 809 Bahamas (all) +415 San Francisco California 809 Puerto Rico (all) +416 Toronto Onterio 809 Virgin Islands (all) +417 Joplin Missouri 812 Evansville Indiana +418 Quebec Quebec 812 Dade park Kentucky +419 Toledo Ohio 814 Johnston Pennsylvania +501 Arkansas (all) 815 Rockford Illinois +502 Frankfort Kentucky 816 Independence Missouri +503 Oregon (all) 817 Fort Worth Texas +504 New Orleans Louisiana 818 Burbank California +504 Baton Rouge Louisiana 819 Trois Riv. Quebec +505 New Mexico (all) 900 Dial-it (all) +507 Rochester Minnesota 901 Memphis Tennessee +509 Pullman Washington 904 Talahassee Florida +512 Austin Texas 906 Escanaba Michigan + + Page 183 + + + + + The Official Phreaker's Manual + +513 Cincinnati Ohio 907 Alaska (all) +514 Montreal Quebec 912 Savannah Georgia +515 Des Moines Iowa 913 Kansas City Kansas +516 Hempstead New York 915 El Paso Texas +517 Lansing Michigan 916 Sacramento California +518 Albany New York 918 Tulsa Oklahoma + 919 Raleigh North Carolina + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 184 + + + + + The Official Phreaker's Manual + +==Phrack Inc.== +Volume One, Issue Two, Phile #5 of 9 + +Updated from November 26, 1985 +Tac Dialups taken from Arpanet +by Phantom Phreaker + + TAC DIALUPS SORTED BY LOCATION 26-NOV-85 + +State/Country 300 Baud 1200 Baud 1200 Type +------------- --------------- ----------------- --------- + + ALABAMA + Anniston Army Depot [M] + (ANNIS-MIL-TAC) (205) 235-6285 (R4) (205) 235-7650 B/V + (205) 237-5731 (R8) (205) 237-5731 (R8) B/V + (205) 237-5770 (R8) (205) 237-5779 (R8) B/V + (205) 237-5805 (R8) (205) 237-5805 (R8) B/V + + *Please note: When accessing the Anniston TAC you must first enter a + , then enter DDN . After you receive CLASS DDN START, + proceed as normal. + + Gunter AFS [M] + + (GUNTER-TAC) (205) 279-3576 + (205) 279-4682 + + Redstone Arsenal [M] + (MICOM-TAC) [none known] + + ARIZONA + Ft. Huachuca [M] + (HUAC-MIL-TAC) [none known] + + Yuma [M] + (YUMA-TAC) (602) 328-2186 (602) 328-2186 B/V + (602) 328-2187 (602) 328-2187 B/V + (602) 328-2188 (602) 328-2188 B/V + + CALIFORNIA (NORTHERN) + Alameda [M] + (ALAMEDA-MIL-TAC) [none known] + + Menlo Park [M] + (SRI-MIL-TAC) (415) 327-5440 (R3) (415) 327-5440 (R3) B + + (USGS3-TAC) [M] [no dialups] + + Moffett Field [M] + (AMES-TAC) [no dialups; contact NSC for access] + William Jones - (415) 694-6482 + (FTS) 494-6482 + (AV) 359-6482 + + Monterey [M] + (NPS-TAC) [none known] + + + Page 185 + + + + + The Official Phreaker's Manual + + Sacsamento [M] + (MCCLELLAN1-MIL-TAC) [none known] + (MCCLELLAN2-MIL-TAC) [none known] + + Stanford [A] + (SU-TAC) (415) 327-5220 + + CALIFORNIA (SOUTHERN) + China Lake [M] + (NWC-TAC) [none known] + + + Edwards AFB [M] + (EDWARD-MIL-TAC) [none known] + + El Segundo [M] + (AFSC-SD-TAC) (213) 643-9204 (213) 643-9204 B/V + + Los Angeles [A] + (USC-TAC) (213) 749-5436 + + Los Angeles [A] + (USC-ARPA-TAC) [none known] + + San Diego [M] + (ACCAT-TAC) (619) 225-1641 (R4) (619) 225-6903 V + (619) 225-6946 (R3) + (619) 223-2148 V + (619) 226-7884 (R2) + + Santa Monica + (RAND-ARPA-TAC) [A] + (213) 393-9230 + (213) 393-9237 + (213) 393-9238 + (213) 393-9239 + + (RAND2-MIL-TAC) [M] [none known] + + COLORADO + Denver Fed Ctr [M] + (USGS2-TAC) (303) 232-0206 (303) 232-0206 B/V + + Lowry Air Force Base [M] + (LOWRY-MIL-TAC) [none known] + + D.C. + Washington + [Andrews AFB] [M] + (AFSC-HQ-TAC) (301) 967-7930 (R16) (301) 967-7930 (R16) B + (301) 736-2990 (R4) (301) 736-2990 (R4) B + (301) 736-2998 (R2) (301) 736-2998 (R2) B + + (PENTAGON-TAC) (202) 553-0229 (R14) (202) 553-0229 (R14) B + + FLORIDA + Eglin AFB [M] + (AFSC-AD-TAC) (904) 882-8202 (904) 882-8202 B/V + + Page 186 + + + + + The Official Phreaker's Manual + + (904) 882-8201 (904) 882-8201 V + + MacDill AFB [M] + (MACDILL-MIL-TAC) [none known] + + Naval Air Station - Jacksonville [M] + (JAX1-MIL-TAC) [none known] + + Naval Air Station - Orlando [M] + (ORLANDO-MIL-TAC) [none known] + + GEORGIA + Robins AFB [M] + (ROBINS-TAC) (912) 926-2725 (912) 926-2725 B/V + (912) 926-2726 + (912) 926-3231 + (912) 926-3232 + (912) 926-2204 (912) 926-2204 B/V + HAWAII + Camp H.M. Smith [M] + (HAWAII2-TAC) (808) 487-5545 (808) 487-5545 B + + ILLINOIS + Scott AFB [M] + (SCOTT-TAC) [none known] + + (SCOTT2-MIL-TAC) [none known] + + KANSAS + Ft. Leavenworth [M] + (LVN-MIL-TAC) (913) 651-7041 (R8) (913) 651-7041 (R8) B + + LOUISIANA + Navy Regional Data Automation Center [M] + (NORL-MIL-TAC) (504) 944-7940 (504) 944-7940 B + (504) 944-7948 (R2) (504) 944-7948 (R2) B + (504) 944-7951 (R5) (504) 944-7951 (R5) B + (504) 944-8702 (R8) (504) 944-8702 (R8) B + + MARYLAND + Aberdeen Proving Ground [M] + (BRL-TAC) (301) 278-6916 (R4) (301) 278-6916 (R4) B/V + + Bethesda [M] + (DAVID-TAC) (202) 227-3526 (R16) (202) 227-3526 (R16) B/V + + Patuxent River [M] + (PAX-RV-TAC) (301) 863-4815 (301) 863-4815 B/V + (301) 863-4816 (301) 863-4816 B/V + (301) 863-5750 (R6) (301) 863-5750 (R6) B/V + + Silver Spring [M] + (WHITEOAK-MIL-TAC) (301) 572-5960 (R10) (301) 572-5960 (R10) B + (301) 572-5970 (R10) (301) 572-5970 (R10) B + + MASSACHUSETTS + Hanscom AFB [M] + (AFGL-TAC) (617) 861-3000 (R8) (617) 861-3000 (R8) B + + Page 187 + + + + + The Official Phreaker's Manual + + (617) 861-4965 (R8) (617) 861-4965 (R8) + + Cambridge + (BBN-MIL-TAC) [M] [none known] + + (BBN-ARPA-TAC) [A] [no dialup capability] + + (CCA-ARP-TAC) [A] [none known] + + (MIT-TAC) [A] + (617) 491-5669 (617) 258-6224 V + (617) 491-5708 (617) 258-6225 V + (617) 491-5734 (617) 258-6227 V + (617) 491-5819 (617) 258-6248 V + (617) 491-5826 + (617) 491-5841 + (617) 491-5849 + (617) 491-6769 + (617) 491-6772 + (617) 491-6937 + (617) 258-6241 + (617) 258-6242 + (617) 258-6243 + + MICHIGAN + U.S. Army Tank Automotive Command (TACOM) - Warren [M] + (TACOM-TAC) [none known] + + MISSOURI + St. Louis [M] + (STLA-TAC) [none known] + + NEBRASKA + Offutt AFB [M] + (SAC1-MIL-TAC) [none known] + + (SAC2-MIL-TAC) (402) 292-4638 (R10) (402) 292-4638 (R10) B + + (SAC-ARPA-TAC) [A] + (402) 294-2398 (402) 294-2398 B + (402) 291-2018 (402) 291-2018 B + (402) 292-7054 (402) 292-7054 B + + NEW JERSEY + Dover [M] + (ARDC-TAC) (201) 724-6731 (201) 724-6731 B/V + (201) 724-6732 (201) 724-6732 B/V + (201) 724-6733 (201) 724-6733 B/V + (201) 724-6734 (201) 724-6734 B/V + + Fort Monmouth [M] + (FTMONMOUTH1-MIL-TAC) (201) 544-2052 (201) 544-2052 B/V + (201) 544-2062 (201) 544-2062 B/V + (201) 544-2072 (201) 544-2072 B/V + (201) 544-2396 (201) 544-2396 B/V + (201) 544-2430 (201) 544-2430 B/V + + (FTMONMOUTH2-MIL-TAC) (201) 544-4254 (R3) (201) 544-2430 B + + Page 188 + + + + + The Official Phreaker's Manual + + (201) 544-2636 B + (201) 544-2638 B + (201) 544-2777 B + + NEW MEXICO + Albuquerque [M] + (AFWL-TAC) [none known] + + White Sands [M] + (WSMR-TAC) [no dialups; contact NSC for access] + Claude (Skeet) Steffey - (505) 678-1271 + (FTS) 898-1271 + (AV) 258-1271 + + NEW YORK + Griffiss AFB + (RADC-ARPA-TAC) [A] [no dialup capability] + + (RADC-TAC) [M] + (315) 339-4913 (R5) + (315) 337-2004 (315) 337-2004 B/V + (315) 337-2005 (315) 337-2005 B/V + + (315) 330-2294 (315) 330-2294 (FTS) 952 B/V + + (315) 330-3587 (315) 330-3587 (FTS) 952 B/V + + NORTH CAROLINA + Ft. Bragg [A] + (BRAGG-ARPA-TAC) (919) 396-1131 (R10) (919) 396-1426 (R5) B/V + (919) 396-1491 (R8) B/V + Ft. Bragg [M] + (BRAGG-MIL-TAC) [none known] + + OHIO + Wright-Patterson AFB [M] + (WPAFB-TAC) (513) 258-4218 + (513) 258-4219 + (513) 258-4987 + (513) 258-4988 + (513) 258-4989 + (513) 258-4990 + + (WPAFB2-MIL-TAC) (513) 257-2172 (R8) (513) 257-2172 (R8) B + (513) 257-2690 (R8) (513) 257-2690 (R8) B + (513) 257-3625 (R8) (513) 257-3625 (R8) B + + OKLAHOMA + Tinker AFB [M] + (TINKER-MIL-TAC) [none known] + + + PENNSYLVANIA + New Cumberland Army Depot [M] + (NCAD-MIL-TAC) [none known] + + (NCAD2-MIL-TAC) [none known] + + + Page 189 + + + + + The Official Phreaker's Manual + + TEXAS + Brooks AFB [M] + (BROOKS-AFB-TAC) (512) 536-3081 (R6) (512) 536-3081 (R6) B/V + + Richardson [A] + (COLLINS-TAC) (214) 235-2131 (214) 235-2131 B + (214) 235-2143 (214) 235-2143 B + (214) 235-2178 (214) 235-2178 B + (214) 235-2204 (214) 235-2204 B + (214) 235-2251 (214) 235-2251 B + (214) 235-2278 (214) 235-2278 B + + UTAH + Dugway Proving Ground [M] + (DUGWAY-MIL-TAC) [none known] + + Salt Lake City (University of Utah) [A] + (UTAH-TAC) (801) 581-3486 (801) 581-3486 B/V + + VIRGINIA + Alexandria [M] + (DARCOM-TAC) (202) 274-5300 (202) 274-5300 B + (202) 274-5320 (R6) (202) 274-5320 (R6) B + + Arlington + (ARPA1-MIL-TAC) [M] [none known] + + (ARPA2-MIL-TAC) [M] [none known] + + (ARPA3-TAC) [A] [no dialup capability] + + Dahlgren [M] + (NSWC-TAC) (703) 663-2162 (R8) (703) 663-2162 (R8) B + + Langley Air Force Base [M] + (LANGLEY-MIL-TAC) [none known] + + McLean [M] + (DDN-PMO-MIL-TAC) [none known] + + + (MITRE-TAC) [M] + (703) 442-8020 (R15) + (703) 893-0330 (R10) (703) 893-0330 (R10) B/V + + Norfolk [M] + (NORFOLK-MILTAC) (804) 423-0241 (R2) (804) 423-0241 (R2) B + (804) 423-0247 (R2) (804) 423-0247 (R2) B + (804) 423-0346 (R4) (804) 423-0346 (R4) B + (804) 423-0480 (804) 423-0480 B + (804) 423-0486 (R2) (804) 423-0486 (R2) B + (804) 423-0489 (804) 423-0489 B + (804) 423-0570 (804) 423-0570 B + (804) 423-0572 (R2) (804) 423-0572 (R2) B + (804) 423-0577 (R2) (804) 423-0577 (R2) B + (804) 423-0651 (804) 423-0651 B + (804) 423-0654 (R3) (804) 423-0654 (R3) B + (804) 423-0841 (R2) (804) 423-0841 (R2) B + + Page 190 + + + + + The Official Phreaker's Manual + + (804) 423-0845 (804) 423-0845 B + (804) 423-0849 (804) 423-0849 B + (804) 423-0858 (804) 423-0858 B + (804) 423-0950 (804) 423-0950 B + (804) 423-0952 (804) 423-0952 B + (804) 423-0955 (R3) (804) 423-0955 (R3) B + (804) 423-0959 (804) 423-0959 B + + Reston + (DCEC-ARPA-TAC) [A] [no dialups available] + + (DCEC-MIL-TAC) [M] + (703) 437-2892 (R5) (703) 437-2928 B + (703) 437-2925 (703) 437-2929 B + (703) 437-2926 + (703) 437-2927 + + WASHINGTON + Seattle [A] + (WASHINGTON-TAC) [no dialup capability] + + ENGLAND [M] + (CROUGHTON-MIL-TAC) [none known] + + GERMANY [M] + (FRANKFURT-MIL-TAC) + (M) 2311-5641 (R8) B + + (RAMSTEIN2-MIL-TAC) [none known] + + ITALY [M] + (AGNANO-MIL-TAC) + + JAPAN [M] + (BUCKNER-MIL-TAC) + + (ZAMA-MIL-TAC) + + KOREA [M] + (KOREA-TAC) (M) 264-4951 (R8) B + + PHILIPPINES [M] + (CLARK-MIL-TAC) + + SPAIN [M] + (MILNET-TJN-TAC) [none known] + + (ROTA-MIL-TAC) [none known] + + Notes: + + 1. "(R10)" following phone number indicates a rotary with 10 lines. + + 2. For alternate phone numbers, FTS=Federal Telephone System. + 3. (M)=Military DoD Telephone System. + + 4. [M] denotes a MILNET TAC and [A] denotes an ARPANET TAC. + + + Page 191 + + + + + The Official Phreaker's Manual + + 5. "1200 Type" refers to the modem compatibility for 1200 baud only: + B/V = Bell and Vadic + B = Bell 212A only + V = Vadic 3400 only + + 6. This list is contained in the file NETINFO:TAC-PHONES.LIST at + SRI-NIC. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 192 + + + + + The Official Phreaker's Manual + + >>==========================<< + >>==> TELCO TEST NUMBERS <==<< + >>====> as of 5/16/85 <=====<< + >>=> compiled and updated <=<< + >>====> by Shadow 2600 <====<< + >>==========================<< + +011-44-61-2468011 : US dial tone then "When this system changes, this is the +new dial tone you hear" (UK is changing dialtone) + +201-226-0709 : alternating tones, then "warble" +201-267-9922 : sweep tone +201-267-9966 : 600 ohm termination +201-232-9924 : (tone 1,2,5-beep, bleep; 9,#- 1200 baud static, beep, bleep; +6-tone, higher tone, bleep) +201-232-9959 : tone 11 sec. silence, repeats... +201-233-9972 : multitude of clicks +201-233-9974 : busy 15 sec. then tone w/ clicks +201-241-9916 : hissing with clicks +201-328-9971 : 1000 hrtz tone +201-376-9907 : "is being checked for trouble. Please try again later" +201-464-9915 : low tone 15 sec, silence +201-464-9916 : low tone 2 sec, silence +201-464-9963 : buzz +201-464-9974 : busy 15 sec, low tone +201-543-9902 : "If you'd like to make a call, hang up and try it again." +201-543-9903 : "We're sorry, your call did not go through." +201-543-9904 : "the number you have dialed requires a .20 cents deposit." +201-655-9900 : "cannot be completed as dialed from the phone you are using" +201-769-0205 : People's Express Reservation system +203-771-4920 : telephone company employee newsline +207-866-4411 : 1000 hrtz tone +212-233-9980 : (tone 1,2,3,*-tone, higher tone, bloop; 5-tone, bloop; 9,#- +static,beep,bloop) +212-369-7003 : "you have reached 212-369-7003 in zone 3" (?) +212-799-5017 : ABC New York feed line +213-621-4141 : telephone employee newsline +213-935-1111 : sweep tone with echo at top of range (?) +215-489-0036 : tone, bloop (1,2,5-tone bloop, 3,6,9-tone, higher tone,tone) +215-489-0040 : "please check your instruction manual or call repair service for +assistance" +215-489-0042 : "if you like to make a call please hang up and try again" +215-489-0043 : "We're sorry, your call did not go through." +215-489-0044 : "The call you have made requires a 25 cent deposit" +215-489-0045 : "You must first dial a 1 when dialing this number." +215-489-0074 : LOUD tone, stops, repeats +215-489-0075 : 600 ohm termination (silence) +215-489-0078 : tone, silence +215-489-0080 : 600 ohm termination +215-489-0097 : tone, (lower pitched than -0078) silence (also at -0098) +215-489-0104 : 1000 hrtz tone +216-861-8300 : tone, then higher tone +301-256-9987 : 1000 hertz +301-546-7777 : "Due to Telephone Company facility trouble your call cannot be +completed at this time" +301-725-9904 : "deposit .20" +305-263-0000 : repeating bloop (keypress 2 : slow reorder w/ bloops, clicks) +305-994-9963 : pay fone instructions + + Page 193 + + + + + The Official Phreaker's Manual + +305-994-9966 : "telephone you are calling from is not in service" +312-222-9948 : tone (keypress 1,2,3,6,7,*-tone, high tone, bleep, +4-tone,bloop,9, #-static,beep,bloop) +312-222-9954 : "Test Center" +312-222-9990 : clicks, ticking like +312-222-9996 : LOUD tone, repeats +312-368-8000 : Illinois Bell Communicator (employee newsline) +312-592-0000 : tone (keypress 2222, then other digits, at re-order type * to +restart) (?) +313-223-7223 : telephone employee newsline +313-333-9981 : LOUD tone, silence +313-333-9989 : high tone (enter touchtones for a while, eventually get +"metallic" echo, then 5-high pitched tone, random re-orders) +313-333-9990 : beep, click repeats, with "winks" +313-333-9994 : tone bloop (keypress in 2-tone,bloop, 3-tone, higher tone,tone, +9-static, beep,bloop) +313-333-9995 : 600 ohm termination (silence) +313-333-9996 : weird siren/sweep tone, multi-frequency +313-430-4300 : beep, beep, beep, then reorder +313-698-9998 : sweep tone +314-247-5511 : Southwestern Bell Telenews (employee newsline) +315-471-9934 : "deposit 5 cents for next five minutes" +408-255-0081 : (any two 2,4,8,0-tone) +408-294-6969 : beep, click, computer voice repeats number +408-395-1110 : (tone 2-bleep,glitch; 3-beep,higher beep;#then number-loud +tone,bleep) +408-738-8190 : (tone 1,3,6,7,*-tone, high tone, tone;2-beep,cluck;9,#- +static,tone,beep) +408-745-6060 : high pitched tone, low tone then repeats +408-994-0044 : tone end of loop +412-633-3333 : telephone company employee newsline +414-628-0001 : continuous tone +414-628-0002 : continuous tone (higher pitched, sounds like muted dial) +414-628-0004 : high pitched tone, bloop, silence +414-628-0006 : brief very high tone (also -0007) (multiple keypresses of +2,5,8,0 tone repeats) +414-628-0010 : loud tone, stops, repeats... +414-628-0011 : loud tone, stops +414-628-0013 : 600 ohm termination (silence) (also -0017, two in an exchange?) +414-628-0014 : continuous tone (sounds like weird dial), eventually stops +414-628-0015 : LOUD tone, repeats +414-628-0028 : "Your call cannot be completed as dialed +414-678-3511 : Wisconsin Bell Newsline +414-781-0004 : high tone, silence (keypress 2,5-beep,bleep, 3,6-beep,longbeep, +bloop, 9-static,bloop) +415-284-1111 : one sweep, then silence +415-327-0046 : sweep tone +415-388-0037 : tone,bloop (keypress 2-tone,bloop, 3-tone,high tone,tone, +9-static,beep,bloop) +415-472-0046 : sweep w/ glitch at top +415-545-8800 : Pacific Bell Newsline +415-467-0097 : fast DTMF tones, keypress to repeat +415-777-0020 : 1000 hrtz tone +415-777-0037 : tone, bloop (keypress 2-beep,bloop, 3,6-tone,higher tone, +9-static,beep,bloop) +415-777-0046 : sweep tone with echo +415-777-0105 : tone,bloop (keypress 2-beep,bleep, 3,6-tone, higher tone, +tone,9-static,beep,bloop + + Page 194 + + + + + The Official Phreaker's Manual + +415-826-0022 : tone, click, tone (sounds like a busy) +415-994-0710 : multitude of clicks +512-472-2181 : "if you would like to make a call, please hang up and try +again" +512-472-4263 : garbled recording (?) +512-472-9833 : "you must first dial a 1 or 0 before calling this number" +512-472-9936 : "please check your instructions or call your business office for +assistance" +512-472-9941 : "insert 25 cents" +516-222-3825 : LOUD tone +516-234-9914 : New York Telephone Newsline +518-471-2272 : New York Telephone Newsline +518-789-3299 : weird busy, multitude of clicks +609-267-9966 : busy with clicks in background +609-267-9967 : 600 ohm termination (silence) +609-267-9968 : 1000 hrtz tone +609-267-9971 : LOUD tone, stops, repeats +609-267-9972 : rings with clicks in background (also -9973 and -9974) +609-877-9924 : high tone (tone in 1,2,5-tone, bloop; 3,6,*-tone, higher tone, +bleep; #-static, beep, bleep) +609-877-9929 : 1000 hrz tone +617-553-9953 : tone end of loop +617-890-9900 : sweep tone +617-955-1111 : telephone company employee newsline +619-748-0002 : tone increases in pitch, silence, repeats in monotone +619-748-0003 : sweep, repeat, hangs up +702-789-6711 : Nevada Bell Newsline +713-354-0000 : touch tone in #, then new #, then 5 - listed, 9 - unlisted) +713-482-3199 : "We're sorry, all circuit are busy now." +713-652-5111 : touch tones echo back "metallic", something about "drivers +licence number" replys in a female recorded voice +717-255-5555 : Bell of Pennsylvania "Inside Line" (employee newsline) +718-429-9900 : "Please slide a valid credit card through the slot now" +800-221-5959 : tone (# makes it ring) +800-228-8466 : Sensaphone (tm) demo (time etc. (EST) (wait 7+ rings)) +800-321-3048 : non-connecting loop with 800-321-3049 +800-321-3052 : loop (don't know where other end is) +800-321-6366 : Centagram's Voice Memo System (extension 100 for demo) +800-323-6321 : tone, stops, bloop repeats +800-327-0000 : "Announcement three, Dallas" (changes sometimes) +800-344-4001 : non-connecting loop with 800-344-4002 +800-524-0000 : "Announcement 1 Atlanta" +800-554-5924 : Cable News Network audio feed +800-824-8274 : "Enter your password service code" +802-955-1111 : telephone company newsline +808-533-4426 : Hawaiian Telephone Newsline +816-391-1122 : recorder (keypress 1-toggle on/off, 3-rewind, 4-stop, 7-play) +907-269-0955 : tone (sounds like extender, doesn't take touch tone (?)) +914-232-9901 : "Daytona, New York DMS-100 verification" +914-268-9901 : "Congers DMS 100 Verification" +914-268-9903 : "your call cannot be completed as dialed" +914-268-9968 : (keypress 2-high tone, 3-high, higher tone, 6,0-click, 7- hangs +up, sometimes 0,#,*-harmony) +914-359-9901 : repeats the number dialed ("914-359-9901") +914-359-9960 : weird tone, stops, clicks, repeats +914-623-9968 : (keypress 2,5-beep glitch, 3,6-tone highertone) +916-480-8000 : Pacific Bell Newsline + + + Page 195 + + + + + The Official Phreaker's Manual + + WHAT A TSPS CONSOLE LOOKS LIKE + +--- NON/COIN ---- ------------- COIN ------------- --------- HOTEL --------- + + ---- ---- ---- ---- ---- ---- ----- --- --- ---- +!VFY ! !OVER! !SCRN! !INWD! !EMER! !STA ! ! 0+ ! !DIAL! !STA ! ! 0+ ! +!DIAL! !POST! !TONE! !STA ! ! 0+ ! !DIAL! !QST ! ! ! ! ! ! ! + ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- + +----- OUTGOING TRUNKS ----- RING RELEASE + + ---- ---- ---- ---- ---- ----- ---- ---- ---- ---- +! DA ! !R&R ! !SWB ! !OGT ! !BACK! ! FWD ! !CALL! !T&C ! !NFY ! !CHG ! + ---- ---- ---- ---- ---- ----- ---- ---- ---- ! DUE! + ---- + --- ---- ---- ---- ---- ---- ---- ---- ---- ---- +!KEY ! !BACK! !FWD ! ! SR ! !MAKE! !MTCE! !POS ! !BACK! ! ! ! ! +!CLG ! ! ! ! ! ! ! !BUSY! !TRFR! ---- ---- ---- ---- + ---- ---- ---- ---- ---- ---- + + ----------------- AMA ----------------- + ---- ---- ---- ---- ---- ---- +STATION -----!PAID! !COL ! !SPL ! !SPL ! !AUTO! !DDD ! + ! ! ! ! !CLG ! !CLD ! !COL ! ! ! + ---- ---- ---- ---- ---- ---- + + ---- ---- ---- ---- ---- +PERSON ----- !PAID! !COL ! !SPL ! !SPL ! ! NO ! + ! ! ! ! !CLG ! !CLD ! !AMA ! + ---- ---- ---- ---- ---- + + ---- ---- ---- + !CLG ! !CLG ! !CLG ! + ! ! ! ! ! ! + ---- ---- ---- + + + + + + + + + + + + + + + + + + + + + + + + + Page 196 + + + + + The Official Phreaker's Manual + + Box Plans + + Hmm... I wonder! This is still under construction (Ha Ha). + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 197 + + + + + The Official Phreaker's Manual + + THE INFINITY TRANSMITTER + + TYPED BY THE GHOST WIND + + FROM THE BOOK BUILD YOUR OWN + LASER, PHASER, ION RAY GUN & OTHER WORKING SPACE-AGE PROJECTS + BY ROBERT IANNINI (TAB BOOKS INC) + +Description: Briefly, the Infinity Transmitter is a device which activates a +microphone via a phone call. It is plugged into the phone line, and when the +phone rings, it will immediately intercept the ring and broadcast into the +phone any sound that is in the room. This device was originally made by +Information Unlimited, and had a touch tone decoder to prevent all who did not +know the code from being able to use the phone in its normal way. This +version, however, will activate the microphone for anyone who calls while it is +in operation. +NOTE: It is illegal to use this device to try to bug someone. It is also +pretty stupid because they are fairly noticeable. +Parts List: +Pretend that uF means micro Farad, cap= capacitor + +Part # Description +---- - ----------- +R1,4,8 3 390 k 1/4 watt resistor +R2 1 5.6 M 1/4 watt resistor +R3,5,6 3 6.8 k 1/4 watt resistor +R7/S1 1 5 k pot/switch +R9,16 2 100 k 1/4 watt resistor +R10 1 2.2 k 1/4 watt resistor +R13,18 2 1 k 1/4 watt resistor +R14 1 470 ohm 1/4 watt resistor +R15 1 10 k 1/4 watt resistor +R17 1 1 M 1/4 watt resistor +C1 1 .05 uF/25 V disc cap +C2,3,5,6,7 5 1 uF 50 V electrolytic cap or tant + (preferably non-polarized) +C4,11,12 3 .01 uF/50 V disc cap +C8,10 2 100 uF @ 25 V electrolytic cap +C9 1 5 uF @ 150 V electrolytic cap +C13 1 10 uF @ 25 V electrolytic cap +TM1 1 555 timer dip +A1 1 CA3018 amp array in can +Q1,2 2 PN2222 npn sil transistor +Q3 1 D4OD5 npn pwr tab transistor +D1,2 2 50 V 1 amp react. 1N4002 +T1 1 1.5 k/500 matching transformer +M1 1 large crystal microphone +J1 1 Phono jack optional for sense output +WR3 (24") #24 red and black hook up wire +WR4 (24") #24 black hook up wire +CL3,4 2 Alligator clips +CL1,2 2 6" battery snap clips +PB1 1 1 3/4x4 1/2x.1 perfboard +CA1 1 5 1/4x3x2 1/8 grey enclosure fab +WR15 (12") #24 buss wire +KN1 1 small plastic knob +BU1 1 small clamp bushing +B1,2 2 9 volt transistor battery or 9V ni-cad + + Page 198 + + + + + The Official Phreaker's Manual + + +Circuit Operation: Not being the most technical guy in the world, and not being +very good at electronics (yet), I'm just repeating what Mr. Iannini's said +about the circuit operation. The Transmitter consists of a high grain +amplifier fed into the telephone lines via transformer. The circuit is +initiated by the action of a voltage transient pulse occurring across the +phone line at the instant the telephone circuit is made (the ring, in other +words). This transient immediately triggers a timer whose output pin 3 goes +positive, turning on transistors Q2 and Q3. Timer TM1 now remains in this +state for a period depending on the values of R17 and C13 (usually about 10 +seconds for the values shown). When Q3 is turned on by the timer, a simulated +"off hook" condition is created by the switching action of Q3 connecting the +500 ohm winding of the transformer directly across the phone lines. +Simultaneously, Q2 clamps the ground of A1, amplifier, and Q1, output +transistor, to the negative return of B1,B2, therefore enabling this amplifier +section. Note that B2 is always required by supplying quiescent power to TM1 +during normal conditions. System is off/on controlled by S1 (switch). + A crystal mike picks up the sounds that are fed to the first two +transistors of the A1 array connected as an emitter follower driving the +remaining two transistors as cascaded common emitters. Output of the +array now drives Q1 capacitively coupled to the 1500 ohm winding of T1. +R7 controls the pick up sensitivity of the system. + Diode D1 is forward biased at the instant of connection and essentially +applies a negative pulse at pin 2 of TM1, initiating the cycle. D2 clamps +any high positive pulses. C9 dc-isolates and desensitizes the circuit. The +system described should operate when any incoming call is made without ringing +the phone. + +Schematic Diagram: Because this is text, this doesn't look too hot. Please +use a little imagination! I will hopefully get a graphics drawing of this +out as soon as I can on a Fontrix graffile. + +To be able to see what everything is, this character: | should appear as a +horizontal bar. I did this on a ][e using a ][e 80 column card, so I'm sorry if +it looks kinda weird to you. + +Symbols: + resistor: -/\/\/- switch: _/ _ + battery: -|!|!- capacitor (electrolytic): -|(- + capacitor (disc): -||- _ _ + transistor:(c) > (e) Transformer: )||( + \_/ )||( + |(b) _)||(_ + diode: |< + chip: ._____. + !_____! (chips are easy to recognize!) + + Dots imply a connection between wires. NO DOT, NO CONNECTION. +ie.: _!_ means a connection while _|_ means no connection. +---------------------------------------------------------------------------- + +.________________________to GREEN wire phone line +| +| .______________________to RED wire phone line +| | +| | ._________(M1)______________. +| | | | +| | | R1 | + + Page 199 + + + + + The Official Phreaker's Manual + +| | !__________/\/\/____________! +| | | _!_ C1 +| | |this wire is the amp ___ +| | |<=ground | R2 +| | | !___________________/\/\/_____________. +| | | ._______!_______. | +| | !___________________!4 9 11!_____________________________! +| | | | | | +| | !___________________!7 12._____________________________! +| | | | A1 | R3 | +| | !___________________!10 ____*8!_______.____/\/\/____________! ^ +| | | | / | | | | +| | | C4 | / | \ |2ma +| | !____||______. | / | /R4 B1 + +| | | || | | / | \ |!|! +| | | R7 | C2 | / | / | +| | !____/\/\/___!__)|__!8*_/ | | S1 | +| | | ^ | 6!_______! neg<__/.__! +| | | | C3 | | | C5 return | +| | | !_____|(___.__!3 | '-|(-| | +| | | | | 5 1!____________! | +| | | \ !_______._______! | B2|!|! +| | !________. R8 / | | + +| | | \ | | R6 |3ma +| | | !__________!____________________|_____/\/\/______! | +| | | R5 | | | v +| | !__/\/\/___________|____________________! | +| | | | | +| | | | | +| | | C6 | | +| | | |-)|-' R9 | +| | | !_________________/\/\/_______. | +| | | | | | +| | | Q1 _!_ | R10 | +| | !____________/ \____________________________!__/\/\/_____! +| | | | | +| | | | | +| | | C8 | | +| | !__________)|_______________________________|____________! +| | ! | | +| | / | | +| | -----| | | +| | | \ | | +| | | > | | +| | | | | | +| | | | | | +| | | !_____________. | | +| | | | | | +| | !__________. | | | +| | | | | | +| !________. | | ._____! | +| | | | | | +| | | | | | +| | | | | C7 | +| | | | '-|(-| | +| |_________|_________!_______.T1._________________| | +| | | 1500 )||( 500 | +| | | ohm )||( ohm | + + Page 200 + + + + + The Official Phreaker's Manual + +| | !______.)||(.__. | +| | | | | +| | | | | +| | | > | +| | | |/ | +| | | +----| Q3 | +| | | | |\ | +!____________________|_________|_______|______!__. D1 C9 | + | | | '-|<---|(------| | + .______________! | | | | + | | | | | + | .________________! | | | + | | | | | + \ | .________________! C11 | | + / | | .___||____________! | + R13 \ | | | || | | + / | | | | | + \ !___.___|_______________________! | | + | | | | | R16 | R15 | + | v | | !___/\/\/\________!___/\/\/_! + | neg | | | D2 | | + | return | | !_____|<__________! | + | B1,B2 | \ | | | + | | / | .____________!_. | + | | \R14 |C12 | TM1 2 | | + | | / !_||_!5 4!_______! + | | \ | || | | | + | | | !____!1 8!_______! + | | | | | 7 6 3 | | + | | | | !_____._.____._! | + | | | | | | | | + | | | | C13 | | | R17 | + | | | !___)|_____!_!____|__/\/\/__! + | | | | | | + !___________|___!_______________________|_________________! | + | | | | + | \ | C10 | + | /R18 !__________)|_______________! + | \ + | / + | | + !___O J1 + sense output + +Construction notes: Because the damned book just gave a picture instead of step +by step instructions, and I'll try to give you as much help as possible. Note +that all the parts that you will be using are clearly labeled in the schematic. +The perfboard, knobs, 'gator clips, etc are optional. I do strongly suggest +that you do use the board!!! It will make wiring the components up much much +easier than if you don't use it. + The knob you can use to control the pot (R7). R7 is used to tune the IT so +that is sounds ok over the phone. (You get to determine what sounds good) By +changing the value of C13, you can change the amount of time that the circuit +will stay open (it cannot detect a hang up, so it works on a timer.) A value of +100 micro Farads will increase the time by about 10 times. + The switch (S1) determines whether or not the unit is operational. Closed is +on. Open is off. The negative return is the negative terminals of the battery!! +The batteries will look something like this when hooked up: + + Page 201 + + + + + The Official Phreaker's Manual + + <-v_____. .______. ._____. .____-> + | | | | | | + __!___!__ | | __!___!__ + | + - | !_/ _! | + - | + | | switch ^ | | + | 9volts| | | 9volts| + !_______! neg return !_______! + + To hook this up to the phone line, there are three ways, depending upon what +type of jack you have. If it is the old type (non modular) then you can just +open up the wall plate and connect the wires from the transmitter directly to +the terminals of the phone. + If you have a modular jack with four prongs, attach the red to the negative +prong (don't ask me which is which! I don't have that type of jack... I've only +seen them in stores), and the green to the positive prong, and plug in. Try not +to shock yourself... + If you have the clip-in type jack, get double male extension cord (one with a +clip on each end), and chop off one clip. Get a sharp knife and splice off the +grey protective material. You should see four wires, including one green and +one red. You attach the appropriate wires from the IT to these two, and plug +the other end into the wall. + +Getting the IT to work: If you happen to have a problem, you should attempt to +do the following (these are common sense rules!!) Make sure that you have the +polarity of all the capacitors right (if you used polarized capacitors, that +is). Make sure that all the soldering is done well and has not short circuited +something accidently (like if you have a glob touching two wires which should +not be touching.) Check for other short circuits. Check to see if the battery +is in right. Check to make sure the switch is closed. + If it still doesn't work, drop me a line on one of the Maryland or Virginia +BBSs and I'll try to help you out. + +The sense output: Somehow or other, it is possible to hook something else up to +this and activate it by phone (like an alarm, flashing lights, etc.) + +As of this writing, I have not tried to make one of these, but I will. If you +actually get it working, leave me a note somewhere. + +I sure hope all you people appreciate this. + + +<<< the Ghost Wind >>> + + + + + + + + + + + + + + + + + + Page 202 + + + + + The Official Phreaker's Manual + + :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: + : : + : SILVER BOX: AN ALTERNATE METHOD OF CONSTRUCTION : + : : + : BY: THE LOCK LIFTER--1/25/85 : + : : + :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: + +PARTS & EQUIPMENT: +(1) POCKET TONE DIALER (RADIO SHACK CAT. NO. 43-138) +(2) SINGLE POLE DOUBLE THROW SWITCH (TOGGLE, THE SMALLER THE BETTER) +(3) SOLDERING IRON + + THIS MODIFICATION WILL ALLOW THE PRODUCTION OF A,B,C,&D TONES. WHEN YOU +FLIP THE SWITCH THE 3,6,9,&# KEYS WILL BECOME A,B,C,&D RESPECTIVELY. THE IC +INSIDE THE DIALER IS CAPABLE OF MAKING THESE TONES ALREADY, ALL WE MUST DO IS +CONNECT IT FULLY. THIS MOD CAN ALSO BE MADE TO MANY ELECTRONIC FONES THAT +CONTAIN A DTMF TONE ENCODING IC. THIS CHIP CAN BE IDENTIFIED BY THE NUMBER 5089 +OR S2559 OR MK5380 OR TCM5087N. PIN 9 OF THESE CHIPS IS THE FOURTH COLUMN +KEYPAD INPUT WHILE PIN 5 IS THE THIRD COLUMN. NOW ON WITH THE CONSTRUCTION. + +1) REMOVE THE BATTERY COVER, BATTERIES, AND THE SMALL SCREW. THE CASE SHOULD +NOW POP OPEN WITH A LITTLE PRESSURE. +2) OPEN THE CASE SO THAT THE HALF CONTAINING THE SPEAKER AND THE BATTERIES +IS ON YOUR LEFT WITH THE BATTERIES ON THE BOTTOM. YOU SHOULD NOW BE LOOKING AT +THE BACK OF 2 PRINTED CIRCUIT BOARDS. +3) FIND THE TWO ROWS OF SOLDER BEADS WHERE THE IC IS CONNECTED. THE UPPER +LEFT PIN OF THE 2 ROWS SHOULD HAVE NO SOLDER ON IT. THIS IS PIN 9 OF THE IC. +4) ATTACH A SHORT WIRE TO PIN 9. +5) SEE THE 8 GOLD WIRES GOING TO THE KEY PAD? UNSOLDER THE ONE 4TH FROM THE +LEFT AND CONNECT IT TO A SHORT WIRE. +6) SOLDER A SHORT WIRE INTO THE NOW VACANT HOLE IN THE KEYPAD PCB. +7) MELT OR DRILL A ROUND HOLE IN THE PLASTIC CASE FOR THE SWITCH. THE BEST +PLACE FOR THIS IS OPPOSITE THE SMALL PCB CONTAINING THE L.E.D. +8) INSERT THE SWITCH AND SCREW IT IN PLACE. +9) ATTACH THE WIRE FROM THE KEYPAD PCB TO THE CENTER OF THE SWITCH. ATTACH THE +OTHER TWO WIRES TO THE OTHER TWO POLES OF THE SWITCH. JUST CLOSE THE CASE, PUT +BACK IN THE SCREW AND BATTERIES. + +THE SWITCH WILL NOW ALLOW THE 3RD COLUMN KEYS TO PRODUCE BOTH 3RD AND FOURTH +COLUMN TONES. HAVE PHUN + + + + + + + + + + + + + + + + + + + Page 203 + + + + + The Official Phreaker's Manual + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Well, this is just a page to protect the other pages. + I hope you enjoyed the book! + + + + + + + + + + + + + + + + + + + + + + + + + Page 204 + + + + + * DANSE MACABRE * (713) 324-2139 * C.A.B.A.L W.H.Q * diff --git a/textfiles.com/phreak/PHREAKING/pkmanual1.phk b/textfiles.com/phreak/PHREAKING/pkmanual1.phk new file mode 100644 index 00000000..a0f59979 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/pkmanual1.phk @@ -0,0 +1,2299 @@ + + + The Official Phreaker's Manual + + + + + + + + + + + + + + + + + + + + + + The Official Phreaker's Manual V1.1 + Updated 2/14/87 + Compiled, Wordprocessed, and Distributed by: + The Jammer + and + Jack the Ripper + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 1 + + + + + The Official Phreaker's Manual + + Introduction + + What precedes this introduction is what I have termed "The Official +Phreakers Manual", while it may not be. Many times I have been on a BBS, which +has files claiming to have summed up all the ways to phreak in the U.S. and +abroad, well those were pretty lame and a couple pages long. Now after many +relentless hours of work, I have done it. This is an informative file and the +authors of this and the authors from which I have gathered information, take +absolutely NO responsibility and are not liable for, under any circumstances +for damage, direct, indirect, incidental, or consequential. + + Warning: Use of this material may shorten your life in the free world! + + Ok enough of the bullshit, I readily admit that this is mainly a compilation +of available phreak material and public resources. What I have done is to +gather it all together and edit, compile, check for errors, put in a readable +form, and finally to write what I know without echoing what others have said. +I have set this up that it is good for all levels of phreaks, going from novice +to advanced, and references and tables for easy reference in the back. + This manual is constantly being updated! If you have any contributions or +corrections or comments, please leave messages to me (Jack the Ripper) on any +BBS's I am on (probably where you got it). Thanks! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 2 + + + + + The Official Phreaker's Manual + + ********************************************************************** + + Table of Contents + + ********************************************************************** + + +I....... 005 Chapter 1 +I.1..... 006 Glossary of Phreaking terms +I.2..... 010 Glossary of Phreaking terms cont. +I.3..... 017 Boxes and Electronic Toll Fraud +I.4..... 020 How to be a Real Phreak +I.5..... 026 Basic Telecommunications I, A Phreaks guide + +II...... 031 Chapter 2 +II.1.... 033 Secrets of the Little Blue Box. Part 1 +II.2.... 041 Secrets of the Little Blue Box. Part 2 +II.3.... 050 Secrets of the Little Blue Box. Part 3 +II.4.... 058 Secrets of the Little Blue Box. Part 4 +II.5.... 062 The History of ESS +II.6.... 064 History of British Phreaking +II.7.... 067 Bad as Shit, an adventure story + +III..... 069 Chapter 3 +III.1... 070 Phreaking Cosmos +III.2... 072 Cosmos Revamped +III.3... 073 Telenet +III.4... 075 Phreaking AT&T Cards +III.5... 076 AT&T Forgery +III.6... 078 Dealing with Operators +III.7... 079 How to set up a Conference Call +III.8... 081 Fone tapping +III.9... 083 Fone tapping cont. +III.10.. 085 Tracing, how dangerous is it +III.11.. 086 How to avenge yourself +III.12.. 088 Interesting things to do on Step lines +III.13.. 089 Busted, An account of the Private Sector bust + +IV...... 092 Chapter 4 +IV.1.... 093 Basic Telecommunications II, Special #'s, Loops, Ani +IV.2.... 101 Basic Telecommunications III, Direct Dialing, International +IV.3.... 106 Basic Telecommunications IV, Telefone Hierarchy +IV.4.... 113 Basic Telecommunications V, Subscriber fone electronics +IV.5.... 120 Basic Telecommunications VI, Fortress fones + +V....... 123 Chapter 5 +V.1..... 124 Basic Telecommunications VII, Blue Boxing +V.2..... 132 Better Homes & Blue Boxing, Part 1 +V.3..... 136 Better Homes & Blue Boxing, Part 2 +V.4..... 141 Better Homes & Blue Boxing, Part 3 +V.5..... 145 More on Blue Boxing by Fred Stienbeck +V.6..... 146 Verification, Remob, etc., Is it possible? +V.7..... 148 Equal Access and the American Dream, Another great article +V.8..... 160 Equal access and Autodialing Modems +V.9..... 161 ISDN, it will change telecommunications for ever +V.10.... 163 ISDN, an article from Proto +V.11.... 165 MCI Services what they are and how they are useful + + + Page 3 + + + + + The Official Phreaker's Manual + + ********************************************************************** + + Appendixes + + ********************************************************************** + + +Appendix I...... 170 Reference tables and access lists +Appendix I.1.... 171 Country Codes +Appendix I.2.... 173 Country Codes cont. +Appendix I.3.... 176 Country Codes cont. +Appendix I.4.... 181 Max Access ports (Dialups) +Appendix I.5.... 182 Metro Fone Access ports +Appendix I.6.... 183 Area Codes +Appendix I.7.... 185 Tac Dialups around the country +Appendix I.8.... 193 Test numbers around the country +Appendix I.9.... 196 What a TSPS operators console looks like + +Appendix II..... 197 Box plans +Appendix II.1... 198 How to make an Infinity transmitter +Appendix II.2... 203 How to make a silver box + + 204 Protection Page + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 4 + + + + + The Official Phreaker's Manual + + Chapter 1 + + Ok this chapter will cover the basic vocabulary of phreaking, it is a fairly +long list, though not totally complete. After the vocab, will be some of the +general rules for phreaking. Most of the rules are protection from the police +and AT&T, but others are grammatical rules. These are not as important to your +freedom, but many a phreak will think you are a twelve year old if you start +talking like, "Hey dudz!^$(&, just got the latest warez! trade u for some +soft/docs. Checkul8r". Well you get the point, here's your vocab list... + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 5 + + + + + The Official Phreaker's Manual + + ...................................................................... + ...................................................................... + . The Bell Glossary - .. + . by .. + . /\<\ /\<\ .. + . \>ad \>arvin .. + ...................................................................... + ...................................................................... + +ACD: Automatic Call Distributor - A system that automatically distributes calls +to operator pools (providing services such as intercept and directory +assistance), to airline ticket agents, etc. + +Administration: The tasks of record-keeping, monitoring, rearranging, +prediction need for growth, etc. + +AIS: Automatic Intercept System - A system employing an audio-response unit +under control of a processor to automatically provide pertinent info to callers +routed to intercept. + +Alert: To indicate the existence of an incoming call, (ringing). + +ANI: Automatic Number Identification - Often pronounced "Annie," a facility for +automatically identify the number of the calling party for charging purposes. + +Appearance: A connection upon a network terminal, as in "the line has two +network appearances." + +Attend: The operation of monitoring a line or an incoming trunk for off-hook or +seizure, respectively. + +Audible: The subdued "image" of ringing transmitted to the calling party during +ringing; not derived from the actual ringing signal in later systems. + +Backbone Route: The route made up of final-group trunks between end offices in +different regional center areas. + +BHC: Busy Hour Calls - The number of calls placed in the busy hour. + +Blocking: The ratio of unsuccessful to total attempts to use a facility; +expresses as a probability when computed a priority. + +Blocking Network: A network that, under certain conditions, may be unable to +form a transmission path from one end of the network to the other. In general, +all networks used within the Bell Systems are of the blocking type. + +Blue Box: Equipment used fraudulently to synthesize signals, gaining access to +the toll network for the placement of calls without charge. + +BORSCHT Circuit: A name for the line circuit in the central office. It +functions as a mnemonic for the functions that must be performed by the +circuit: Battery, Overvoltage, Ringing, Supervision, Coding, Hybrid, and +Testing. + +Busy Signal: (Called-line-busy) An audible signal which, in the Bell System, +comprises 480hz and 620hz interrupted at 60IPM. + +Bylink: A special high-speed means used in crossbar equipment for routing calls + + Page 6 + + + + + The Official Phreaker's Manual + +incoming from a step-by-step office. Trunks from such offices are often +referred to as "bylink" trunks even when incoming to noncrossbar offices; they +are more properly referred to as "dc incoming trunks." Such high-speed means +are necessary to assure that the first incoming pulse is not lost. + +Cable Vault: The point which phone cable enters the Central Office building. + +CAMA: Centralized Automatic Message Accounting - Pronounced like Alabama. + +CCIS: Common Channel Interoffice Signaling - Signaling information for trunk +connections over a separate, nonspeech data link rather that over the trunks +themselves. + +CCITT: International Telegraph and Telephone Consultative Committee- An +International committee that formulates plans and sets standards for +intercountry communication means. + +CDO: Community Dial Office - A small usually rural office typically served by +step-by-step equipment. + +CO: Central Office - Comprises a switching network and its control and support +equipment. Occasionally improperly used to mean "office code." + +Centrex: A service comparable in features to PBX service but implemented with +some (Centrex CU) or all (Centrex CO) of the control in the central office. In +the later case, each station's loop connects to the central office. + +Customer Loop: The wire pair connecting a customer's station to the central +office. + +DDD: Direct Distance Dialing - Dialing without operator assistance over the +nationwide intertoll network. + +Direct Trunk Group: A trunk group that is a direct connection between a given +originating and a given terminating office. + +EOTT: End Office Toll Trunking - Trunking between end offices in different toll +center areas. + +ESB: Emergency Service Bureau - A centralized agency to which 911 "universal" +emergency calls are routed. + +ESS: Electronic Switching System - A generic term used to identify as a class, +stored-program switching systems such as the Bell System's No.1 No.2, No.3, +No.4, or No.5. + +ETS: Electronic Translation Systems - An electronic replacement for the card +translator in 4A Crossbar systems. Makes use of the SPC 1A Processor. + +False Start: An aborted dialing attempt. + +Fast Busy: (often called reorder) - An audible busy signal interrupted at twice +the rate of the normal busy signal; sent to the originating station to indicate +that the call blocked due to busy equipment. + +Final Trunk Group: The trunk group to which calls are routed when available +high-usage trunks overflow; these groups generally "home" on an office next +highest in the hierarchy. + + Page 7 + + + + + The Official Phreaker's Manual + + +Full Group: A trunk group that does not permit rerouting off-contingent foreign +traffic; there are seven such offices. + +Glare: The situation that occurs when a two-way trunk is seized more or less +simultaneously at both ends. + +High Usage Trunk Group: The appellation for a trunk group that has alternate +routes via other similar groups, and ultimately via a final trunk group to a +higher ranking office. + +Intercept: The agency (usually an operator) to which calls are routed when made +to a line recently removed from a service, or in some other category requiring +explanation. Automated versions (ASI) with automatic voiceresponse units are +growing in use. + +Interrupt: The interruption on a phone line to disconnect and connect with +another station, such as an Emergence Interrupt. + +Junctor: A wire or circuit connection between networks in the same office. The +functional equivalent to an intraoffice trunk. + +MF: Multifrequency - The method of signaling over a trunk making use of the +simultaneous application of two out of six possible frequencies. + +NPA: Numbering Plan Area. + +ONI: Operator Number Identification - The use of an operator in a CAMA office +to verbally obtain the calling number of a call originating in an office not +equipped with ANI. + +PBX: Private Branch Exchange - (PABX: Private Automatic Branch Exchange) An +telephone office serving a private customer, Typically , access to the outside +telephone network is provided. + +Permanent Signal: A sustained off-hook condition without activity (no dialing +or ringing or completed connection); such a condition tends to tie up +equipment, especially in earlier systems. Usually accidental, but sometimes +used intentionally by customers in high-crime-rate areas to thwart off +burglars. + +POTS: Plain Old Telephone Service - Basic service with no extra "frills". + +ROTL: Remote Office Test Line - A means for remotely testing trunks. + +RTA: Remote Trunk Arrangement - An extension to the TSPS system permitting its +services to be provided up to 200 miles from the TSPS site. + +SF: Single Frequency. A signaling method for trunks: 2600hz is impressed upon +idle trunks. + +Supervise: To monitor the status of a call. + +SxS: (Step-by-Step or Strowger switch) - An electromechanical office type +utilizing a gross-motion stepping switch as a combination network and +distributed control. + +Talkoff: The phenomenon of accidental synthesis of a machine-intelligible + + Page 8 + + + + + The Official Phreaker's Manual + +signal by human voice causing an unintended response. "whistling a tone". + +Trunk: A path between central offices; in general 2-wire for interlocal, 4-wire +for intertoll. + +TSPS: Traffic Service Position System - A system that provides, under stored- +program control, efficient operator assistance for toll calls. It does not +switch the customer, but provides a bridge connection to the operator. + +X-bar: (Crossbar) - An electromechanical office type utilizing a "fine-motion" +coordinate switch and a multiplicity of central controls (called markers). +There are four varieties: + No.1 Crossbar: Used in large urban office application; (1938) + No 3 Crossbar: A small system started in (1974). + No.4A/4M Crossbar: A 4-wire toll machine; (1943). + No.5 Crossbar: A machine originally intended for relatively small +suburban applications; (1948) + Crossbar Tandem: A machine used for interlocal office switching. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 9 + + + + + The Official Phreaker's Manual + + ============================================================ + _ _ _______ + | \/ | / _____/ + |_||_|etal / /hop + __________/ / + /___________/ + (314) 432-0756 + + Proudly Presents + + The MCI Telecommunications Glossary + + Part I Volume I (A - D) + + Typed by Knight Lightning + + ============================================================ + +- A - + +A & B LEADS: Designation of leads derived from the midpoints of the two 2-wire +pairs comprising a 4-wire circuit. + +ABBREVIATED DIALING: The ability of a telephone user to reach frequently called +numbers by using less than seven digits. Synonym: Speed Dialing + +ACCESS CHARGE: A fee paid for the use of local lines. + +ACCESS CODE: A digit or number of digits required to be connected to a private +line arranged for dial access. + +ACCESS LINE: A telephone circuit which connects a customer location to a +network switching center. + +AIRLINE MILEAGE: Calculated point-to-point mileage between terminal +facilities. + +ALL TRUNKS BUSY (ATB): A single tone interrupted at a 120 ipm (impulses per +minute) rate to indicate all lines or trunks in a routing group are busy. + +ALTERNATE ROUTE: A secondary communications path used to reach a destination if +the primary path is unavailable. + +ALTERNATE USE: The ability to switch communications facilities from one type of +service to another, i.e., voice to data, etc. + +ALTERNATE VOICE DATA (AVD): A single transmission facility which can be used +for either voice or data. + +AMERICAN STANDARD CODE +FOR INFORMATION INTERCHANGE +(ASCII): An 8 level code developed for the interchange of information between +data processing and communications systems. + +ANALOG SIGNAL: A signal in the form of a continuous varying physical quantity, +e.g., voltage which reflects variations in some quantity, e.g., loudness in the +human voice. + + + Page 10 + + + + + The Official Phreaker's Manual + +ANNUNICATOR: An audible intercept device that states the condition or +restrictions associated with circuits or procedures. + +ANSWER BACK: An electrical and/or visual indication to the calling or sending +end that the called or received station is on the line. + +ANSWER SUPERVISION: An off-hook signal transmitted toward the calling end of a +switched connection when the called party answers. + +AREA CODE: Synonym: Numbering Plan Area (NPA). A three digit number identifying +more than 150 geographic areas of the United States and Canada which permits +direct distance dialing on the telephone system. A similar global numbering +plan has been established for international subscriber dialing. + +ATTENDANT POSITION: A telephone switchboard operator's position. It provides +either automatic (cordless) or manual (plug and jack) operator controls for +incoming and/or outgoing telephone calls. + +ATTENUATION: A general term used to denote the decrease in power between that +transmitted and that received due to loss through equipment, lines, or other +transmission devices. It is usually expressed as a ration in db (decibel). + +AUDIBLE RINGING TONE: An audible signal heard by the calling party during the +ringing-interval. + +AUTHORIZATION CODE: An identification number that the caller enters when +placing a call which is used for billing purposes. + +AUTHORIZED USER: A person, firm, organization, corporation or any other entity +authorized by the customer to send or receive communications over a specific +communications network. + +AUTO ANSWER: A machine feature that allows a transmission control unit or +station to automatically respond to a call that it receives. + +AUTOMATIC CALL +DISTRIBUTOR (ACD): A switching system designed to queue and/or distribute a +large volume of incoming calls to a group of attendants to the next available +"answering" position. + +AUTOMATIC DIALING UNIT: A device which automatically generates a predetermined +set of dialing digits. + +AUTOMATIC IDENTIFICATION +OF OUTWARD DIALING (AIOD): A computer generated report showing all long +distance calls placed over AT&T's toll network. + +AUTOMATIC NUMBER +IDENTIFICATION (ANI): Automatic equipment at a local dial office used on +customer dialed calls to identify the calling-station. + +AUTOMATIC ROUTE +SELECTION (ARS): Least cost routing via AT&T CENTREX system. + + + +- B - + + + Page 11 + + + + + The Official Phreaker's Manual + +BAND: (1) The range of frequencies between two defined limits. (2) In reference +to WATS, one of the five specific geographic areas as defined by AT&T. Synonym: +BANDWIDTH. + +BANDWIDTH: See BAND. + +BASEBAND: The total frequency band occupied by the aggregate of all the voice +and data signals used to modulate a radio carrier. + +BAUD: A unit of signaling speed. The speed in baud is the number of discrete +conditions conditions or signal elements per second. If each signal event +represents only one bit condition, then Baud is the same as bits per second. +When each signal event represents other than one bit, Baud does not equal bits +per second. + +BELL OPERATING COMPANY +(BOC) /BELL SYSTEMS +OPERATING COMPANY (BSOC): Any of the 24 AT&T affiliated companies providing +local service. + +BELL SYSTEM: The aggregate of AT&T's 24 associated telephone companies, Long +Lines, Western Electric, and Bell Labs. + +BILLING NUMBER: The MCI term for the number which identifies a customer on a +billing location level, assigned to Network Service Customer (by COMS). +Assigned for each unique customer name and billing location. For internal use +only. + +BINARY: A number system that uses only two characters ("0" and "1"). + +BIT: A binary digit. The smallest unit of coded information. + +BITS PER SECOND (BPS): The rate at which data transmission is measured. + +BLOCKED CALLS: Attempted calls that are not connected because (1) all lines to +the central offices are in use; or (2) all connecting connecting paths through +the PBX/switch are in use. + +BLOCKED ANI: ANI prohibited from completing a call over the MCI network. + +BREAK: A means of interrupting transmission, a momentary interruption of a +circuit. + +BROADBAND: A transmission facility having a bandwidth of greater then 20 kHz. + +BUS: A heavy conductor, or group of conductors, to which several units of the +same type of equipment may be connected. + +BUSY: The condition in which facilities over which a call is to be connected +are already in use. + +BUSY HOUR: The time of day when phone lines are most in demand. + +BUSY TONE: A single that is interrupted at 60 ipm (impulses per minute) rate to +indicate that the terminal point of a call is already in use. + +BYTE: A group of binary digits that are processed by a computer as a unit. + + + Page 12 + + + + + The Official Phreaker's Manual + + + +- C - + + +CARRIER: High frequency current that can be modulated with voice or digital +signals for bulk transmission via cable or radio circuits. + +CARRIER SYSTEM: A system for providing several communications channels over a +single path. + +CATHODE RAY TUBE (CRT): The "television-like" screen used to display the output +from a computer. + +CELLULAR MOBILE RADIO: A system providing exchange telephone service to a +station located in an auto or other mobile vehicle, using radio circuits to a +base radio station which covers a specific geographical area and as the vehicle +moves from one area to another, different base radio stations handle the call. + +CENTRAL OFFICE (CO): A telephone switching center that provides local access to +the public network. Sometimes referred to as: Class 5 office, end office, or +Local Dial Office. + +CENTREX, CO: PBX Service provided by a switch located at the telephone company +central office. + +CENTREX, CU: A variation on Centrex CO provided by a telephone company +maintained "Central Office" type switch located at the customer's premises. + +CENTRAL PROCESSING UNIT +(CPU): The control unit within a computer which handles all the intelligent +functions of the systems. In a telephone switch, directs all potions of the +system to carry out their appropriate functions. Synonym: Common Control. + +CHANNEL: A communication path via a carrier or microwave radio. + +CHARACTER: Any letter, digit, or special symbol. In data transmission would be +represented by a specific code made up of a group of binary digits. + +CIRCUIT: A path for the transmission of electromagnetic signals to include all +conditioning and signaling equipment. Synonym: Facility + +CIRCUIT SWITCHING: A switching system that completes a dedicated transmission +path from sender to receiver at the time of transmission. + +CLASS OF SERVICE/CLASS +MARK (COS): A subgrouping of telephone customers or users for the sake of rate +distinction or limitation of service. + +COAXIAL CABLE: A cable having several coaxial lines under a single protective +sheath. Usually used as a high capacity carrier in urban areas between +interexchange and toll offices. + +CODEC: Coder-Decoder. Used to convert analog signals to digital form for +transmission over a digital median and back again to the original analog form. + +COMMON CARRIER: A government regulated private company that provides the +general public with telecommunications services and facilities. + + Page 13 + + + + + The Official Phreaker's Manual + + +COMMON CHANNEL INTEROFFICE +SIGNALING (CCIS): A digital technology used by AT&T to enhance their Integrated +Services Digital Network. It uses a separate data line to route interoffice +signals to provide faster call set-up and more efficient use of trunks. + +COMMON CONTROL SWITCHING +ARRANGEMENT (CCSA): An arrangement for telecommunicationsnetworks in which +common controlled switching machines are used to route traffic over network +routes and access lines. The switching machine may be shared with other users +and is maintained by the telephone company. + +COMPUTER PORT/TKI PORT: The interface through which the computer connects to +the communications circuit. + +CONDITIONING EQUIPMENT: Equipment modifications or adjustments necessary to +match transmission levels and impedances and which equalizes transmission and +delay to bring circuit losses, levels, and distortion within established +standards. + +CONFIGURATION: The combination of long-distance services and/or equipment that +make up a communications system. + +CONTROL UNIT (CU): The central processor of a telephone switching device. + +CORPORATE ID NUMBER: The MCI term for the number which identifies a customer on +a corporate level. (Not all MCI customers have this). + +COST COMPONENT: The price of each type of long distance service and/or +equipment that constitutes a configuration. + +COST PER HOUR (CPH): Total cost of different services divided by total holding +time (in minutes). + +CROSS CONNECTION: The wire connections running between terminals on the two +sides of a distribution frame, or between binding posts in a terminal. + +CROSS TALK: The unwanted energy (speech or tone) transferred from one circuit +to another circuit. + +CUSTOMER OWNED AND +MAINTAINED (COAM): Customer provided communications apparatus, and their +associated wiring. + +CUSTOMER +PREMISE EQUIPMENT (CPE): Telephone equipment, usually including wiring located +within the customer's part of a building. + +CUT: To transfer a service from one facility to another. + +CUT THROUGH: The establishment of a complete path for signaling and/or audio +communications. + + +- D - + +DATA: Any representation, such as characters to which a meaning is assigned. + + + Page 14 + + + + + The Official Phreaker's Manual + +DATA COMMUNICATIONS: The movement of coded information by means of electronic +transmission systems. + +DATA SET: A device which converts data into signals suitable for transmission +over communications lines. + +DATA TERMINAL: A station in a system capable of sending and/or receiving data +signals. + +DECIBEL (db): A unit of measurement represented as a ratio of two voltages, +currents or powers and is used to measure transmission loss or gain. + +DELAY DIAL: A dialing configuration whereby local dial equipment will wait +until it receives the entire telephone number before seizing a circuit to +transmit the call. + +DELTA MODULATION (DM): A variant of pulse code modulation whereby a code +representing the difference between the amplitude of a sample and t~he +amplitude of a previous one is sent. Operates well in the presence of noise, +but requires a wide frequency band. + +DEMODULATION: The process of retrieving data from a modulated signal. + +DIAL LEVEL: The selection of stations or services associated with a PBX using a +one to four digit code (e.g., dialing 9 for access to outside dial tone). + +DIAL PULSING: The transmitting of telephone address signals by momentarily +opening a DC circuit a number of times corresponding to the decimal digit which +is dialed. + +DIAL REPEATING TIE LINE/ +DIAL REPEATING TIE TRUNK: A tie line which permits direct station to station +calling without use of the attendant. + +DIAL SELECTIVE SIGNALING: A multipoint network in which the called party is +selected by a prearranged dialing code. + +DIAL TONE: A tone indicating that automatic switching equipment is ready to +receive dial signals. + +DIALING PLAN: A description of the dialing arrangements for customer use on a +networks. + +DIGITAL: Referring to the use of digits to formulate and solve problems, or to +encode information. + +DIMENSION CUSTOM +TELEPHONE SERVICE (DCTS): AT&T's electronically programmable telephone station +sets which use special buttons to access PBX features. + +DIRECT +DISTANCE DIALING (DDD): A toll service that permits customers to dial their own +long distance call without the aid of an operator. + +DIRECT +INWARD DIALING (DID): A PBX or CENTREX feature that allows a customer outside +the system to directly dial a station within the system. + + + Page 15 + + + + + The Official Phreaker's Manual + +DIRECT OUTWARD DIALING: A PBX or CENTREX feature that allows a station user to +gain direct access to an exchange network. + +DROP: That direction of a circuit which looks towards the local operator. + +DRY CIRCUIT: A circuit which transmits voice signals and carries no direct +current. + +DUAL TONE +MULTI-FREQUENCY (DTMF): Also know as Touch Tone. A type of signaling which +emits two distinct frequencies for each indicated digit. + +DUPLEX: Simultaneous two-way independent transmission. + +DX SIGNALING: A long-range bidirectional signaling method using paths derived +from transmission cable pairs. It is based on a balanced and symmetrical +circuit that is identical at both ends. This circuit presents an E&M lead +interface to connecting circuits. + + + + ============================================================ + +This concludes Part 1 Volume I of the MCI Telecommunications Glossary. Look for +more G-philes from The MCI School of Telecommunications Management Reference +Guide coming soon. + + This has been a 2600 Club production + + +Thanx to Taran King + ============================================================ + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 16 + + + + + The Official Phreaker's Manual + + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + $ _______________________________ $ + $ | | $ + $ | ELECTRONIC TOLL FRAUD DEVICES | $ + $ |_______________________________| $ + $ $ + $ $ + $ TYPED AND UPLOADED BY: $ + $ $ + $$$$$$$$$$$$-=>LEX LUTHOR<=-$$$$$$$$$$$ + $ $ + $ $ + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + + + THIS PHILE IS DESIGNED TO IDENTIFY VARIOUS KINDS OF ETF (ELECTRONIC TOLL +FRAUD) DEVICES AND TO DESCRIBE THEIR OPERATION, ACCORDING TO A BOOKLET PUT OUT +BY BELL ENTITLED: THE INVESTIGATION AND PROSECUTION OF ELECTRONIC TOLL FRAUD +DEVICES. (FOR OFFICIAL USE ONLY). + +THERE ARE SEVERAL DIFFERENT TYPES OF ELECTRONIC EQUIPMENT WHICH MAY BE +GENERALLY CLASSIFIED AS ETF DEVICES. THE MOST SIGNIFICANT IS THE "BLUE BOX". +THE CHARACTERISTICS OF EACH TYPE OF DEVICE ARE DISCUSSED BELOW. + + + +*BLUE BOX* +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + THE "BLUE BOX" WAS SO NAMED BECAUSE OF THE COLOR OF THE FIRST ONE FOUND. THE +DESIGN AND HARDWARE USED IN THE BLUE BOX IS FAIRLY SOPHISTICATED, AND ITS SIZE +VARIES FROM A LARGE PIECE OF APPARATUS TO A MINIATURIZED UNIT THAT IS +APPROXIMATELY THE SIZE OF A "KING SIZE" PACKAGE OF CIGARETTES. THE BLUE BOX +CONTAINS 12 OR 13 BUTTONS OR SWITCHES THAT EMIT MULTI-FREQUENCY TONES +CHARACTERISTIC OF THE TONES USED IN THE NORMAL OPERATION OF THE TELEPHONE TOLL +(LONG DISTANCE) SWITCHING NETWORK. THE BLUE BOX ENABLES ITS USER TO ORIGINATE +FRAUDULENT ("FREE") TOLL CALLS BY CIRCUMVENTING TOLL BILLING EQUIPMENT. THE +BLUE BOX MAY BE DIRECTLY CONNECTED TO A PHONE LINE, OR IT MAY BE ACOUSTICALLY +COUPLED TO A TELEPHONE HANDSET BY PLACING THE BLUE BOX'S SPEAKER NEXT TO THE +TRANSMITTER OR THE TELEPHONE HANDSET. THE OPERATION OF A BLUE BOX WILL BE +DISCUSSED IN MORE DETAIL BELOW. + + TO UNDERSTAND THE NATURE OF A FRAUDULENT BLUE BOX CALL, IT IS NECESSARY TO +UNDERSTAND THE BASIC OPERATION OF THE DIRECT DISTANCE DIALING (DDD) TELEPHONE +NETWORK. WHEN A DDD CALL IS PROPERLY ORIGINATED, THE CALLING NUMBER IS +IDENTIFIED AS AN INTEGRAL PART OF ESTABLISHING THE CONNECTION. THIS MAY BE DONE +EITHER AUTOMATICALLY OR, IN SOME CASES, BY AN OPERATOR ASKING THE CALLING PARTY +FOR HIS TELEPHONE NUMBER. + THIS INFORMATION IS ENTERED ON A TAPE IN THE AUTOMATIC MESSAGE ACCOUNTING +(AMA) OFFICE. THIS TAPE ALSO CONTAINS THE NUMBER ASSIGNED TO THE TRUNK LINE +OVER WHICH THE CALL IS TO BE SENT. THE INFORMATION RELATING TO THE CALL +CONTAINED ON THE TAPE INCLUDES: CALLED NUMBER, CALLING NUMBER, TIME OF CALL. +THE TIME OF DISCONNECT AT THE END OF THE CALL IS ALSO RECORDED. + ALTHOUGH THE TAPE CONTAINS INFO WITH RESPECT TO MANY DIFFERENT CALLS, THE +VARIOUS DATA ENTRIES WITH RESPECT TO A SINGLE CALL ARE EVENTUALLY CORRELATED TO +PROVIDE BILLING INFO FOR USE BY YOUR BELL'S ACCOUNTING DEPARTMENT. + THE TYPICAL BLUE BOX USER USUALLY DIALS A NUMBER THAT WILL ROUTE THE CALL +INTO THE TELEPHONE NETWORK WITHOUT CHARGE. FOR EXAMPLE, THE USER WILL VERY + + Page 17 + + + + + The Official Phreaker's Manual + +OFTEN CALL A WELL-KNOWN INWATS (TOLL-FREE) CUSTOMER'S NUMBER. THE BLUE BOX +USER, AFTER GAINING THIS ACCESS TO THE NETWORK AND, IN EFFECT, "SEIZING" +CONTROL AND COMPLETE DOMINION OVER THE LINE, OPERATES A KEY ON THE BLUE BOX +WHICH EMITS A 2600 HERTZ (CYCLES PER SECOND) TONE. THIS TONE CAUSES THE +SWITCHING EQUIPMENT TO RELEASE THE CONNECTION TO THE INWATS CUSTOMER'S LINE. +THE 2600HZ TONE IS A SIGNAL THAT THE CALLING PARTY HAS HUNG UP. THE BLUE BOX +SIMULATES THIS CONDITION. HOWEVER, IN FACT THE LOCAL TRUNK ON THE CALLING +PARTY'S END IS STILL CONNECTED TO THE TOLL NETWORK. THE BLUE BOX USER NOW +OPERATES THE "KP" (KEY PULSE) KEY ON THE BLUE BOX TO NOTIFY THE TOLL SWITCHING +EQUIPMENT THAT SWITCHING SIGNALS ARE ABOUT TO BE EMITTED. THE USER THEN PUSHES +THE "NUMBER" BUTTONS ON THE BLUE BOX CORRESPONDING TO THE TELEPHONE # BEING +CALLED. AFTER DOING SO HE/SHE OPERATES THE "ST" (START) KEY TO INDICATE TO THE +SWITCHING EQUIPMENT THAT SIGNALLING IS COMPLETE. IF THE CALL IS COMPLETED, ONLY +THE PORTION OF THE ORIGINAL CALL PRIOR TO THE EMISSION OF 2600HZ TONE IS +RECORDED ON THE AMA TAPE. THE TONES EMITTED BY THE BLUE BOX ARE NOT RECORDED ON +THE AMA TAPE. THEREFORE, BECAUSE THE ORIGINAL CALL TO THE INWATS # IS +TOLL-FREE, NO BILLING IS RENDERED IN CONNECTION WITH THE CALL. + ALTHOUGH THE ABOVE IS A DESCRIPTION OF A TYPICAL BLUE BOX OPERATION USING A +COMMON METHOD OF ENTRY INTO THE NETWORK, THE OPERATION OF A BLUE BOX MAY VARY +IN ANY ONE OR ALL OF THE FOLLOWING RESPECTS: + +(A) THE BLUE BOX MAY INCLUDE A ROTARY DIAL TO APPLY THE 2600HZ TONE AND THE +SWITCHING SIGNALS. THIS TYPE OF BLUE BOX IS CALLED A "DIAL PULSER" OR "ROTARY +SF" BLUE BOX. + +(B) ENTRANCE INTO THE DDD TOLL NETWORK MAY BE EFFECTED BY A PRETEXT CALL TO ANY +OTHER TOLL-FREE # SUCH AS UNIVERSAL DIRECTORY ASSISTANCE (555-1212) OR ANY # IN +THE INWATS NETWORK, EITHER INTER-STATE OR INTRA-STATE, WORKING OR NON-WORKING. + +(C) ENTRANCE INTO THE DDD TOLL NETWORK MAY ALSO BE IN THE FORM OF "SHORT HAUL" +CALLING. A "SHORT HAUL" CALL IS A CALL TO ANY # WHICH WILL RESULT IN A LESSER +AMOUNT OF TOLL CHARGES THAN THE CHARGES FOR THE CALL TO BE COMPLETED BY THE +BLUE BOX. FOR EXAMPLE, A CALL TO BIRMINGHAM FROM ATLANTA MAY COST $.80 FOR THE +FIRST 3 MINUTES WHILE A CALL FROM ATLANTA TO LOS ANGELES IS $1.85 FOR 3 +MINUTES. THUS, A SHORT HAUL, 3-MINUTE CALL TO BIRMINGHAM FROM ATLANTA, SWITCHED +BY USE OF A BLUE BOX TO LOS ANGELES, WOULD RESULT IN A NET FRAUD OF $2.65 FOR A +3 MINUTE CALL. + +(D) A BLUE BOX MAY BE WIRED INTO THE TELEPHONE LINE OR ACOUSTICALLY CONNECTED +TO THE HANDSET. THE BLUE BOX MAY EVEN BE BUILT INSIDE A REGULAR TOUCH-TONE +PHONE, USING THE PHONE'S PUSH BUTTONS FOR THE BLUE BOX'S SIGNALLING TONES. + +(E) A MAGNETIC TAPE RECORDING MAY BE USED TO RECORD THE BLUE BOX TONES +REPRESENTATIVE OF SPECIFIC PHONE #'S. SUCH A TAPE RECORDING COULD BE USED IN +LIEU OF +A BLUE BOX TO FRAUDULENTLY PLACE CALLS TO THE PHONE #'S RECORDED ON THE +MAGNETIC TAPE. + + ALL BLUE BOXES, EXCEPT "DIAL PULSE" OR "ROTARY SF" BLUE BOXES, MUST HAVE +THE FOLLOWING 4 COMMON OPERATING CAPABILITIES: + +(A) IT MUST HAVE SIGNALLING CAPABILITY IN THE FORM OF A 2600HZ TONE. THE TONE +IS USED BY THE TOLL NETWORK TO INDICATE, EITHER BY ITS PRESENCE OR ITS ABSENCE, +AN "ON HOOK" (IDLE) OR "OFF HOOK" (BUSY) CONDITION OF THE TRUNK. + +(B) THE BLUE BOX MUST HAVE A "KP" TONES THAT UNLOCKS OR READIES THE +MULTI-FREQUENCY RECEIVER AT THE CALLED END TO RECEIVE THE TONES CORRESPONDING +TO THE CALLED PHONE #. + + Page 18 + + + + + The Official Phreaker's Manual + + +(C) THE TYPICAL BLUE BOX MUST BE ABLE TO EMIT MF TONES WHICH ARE USED TO +TRANSMIT PHONE #'S OVER THE TOLL NETWORK. EACH DIGIT OF A PHONE # IS +REPRESENTED BY A COMBINATION OF 2 TONES. FOR EXAMPLE, THE DIGIT 2 IS X-MITTED +BY A COMBINATION OF 700HZ AND 1100HZ. + +(D) THE BLUE BOX MUST HAVE AN "ST" KEY WHICH CONSISTS OF A COMBINATION OF 2 +TONES THAT TELL THE EQUIPMENT AT THE CALLED END THAT ALL DIGITS HAVE BEEN SENT +AND THAT THE EQUIPMENT SHOULD START SWITCHING THE CALL TO THE CALLED NUMBER. + + THE "DIAL PULSER" OR "ROTARY SF" BLUE BOX REQUIRES ONLY A DIAL WITH A +SIGNALLING CAPABILITY TO PRODUCE A 2600HZ TONE. + +*BLACK BOX* +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + THIS ETF DEVICE IS SO-NAMED BECAUSE OF THE COLOR OF THE FIRST ONE FOUND. +IT VARIES IN SIZE AND USUALLY HAS ONE OR TWO SWITCHES OR BUTTONS. ATTACHED TO +THE TELEPHONE LINE OF A CALLED PARTY, THE BLACK BOX PROVIDES TOLL-FREE CALLING +*TO* THAT PARTY'S LINE. A BLACK BOX USER INFORMS OTHER PERSONS BEFOREHAND THAT +THEY WILL NOT BE CHARGED FOR ANY CALL PLACED TO HIM. THE USER THEN OPERATES THE +DEVICE CAUSING A "NON-CHARGE" CONDITION ("NO ANSWER" OR "DISCONNECT") TO BE +RECORDED ON THE TELEPHONE COMPANY'S BILLING EQUIPMENT. A BLACK BOX IS +RELATIVELY SIMPLE TO CONSTRUCT AND IS MUCH LESS SOPHISTICATED THAN A BLUE BOX. + +*CHEESE BOX* +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + ITS DESIGN MAY BE CRUDE OR VERY SOPHISTICATED. ITS SIZE VARIES; ONE WAS FOUND +THE SIZE OF A HALF-DOLLAR. A CHEESE BOX IS USED MOST OFTEN BY BOOKMAKERS OR +BETTERS TO PLACE WAGERS WITHOUT DETECTION FROM A REMOTE LOCATION. THE DEVICE +INTER-CONNECTS 2 PHONE LINES, EACH HAVING DIFFERENT #'S BUT EACH TERMINATING AT +THE SAME LOCATION. IN EFFECT, THERE ARE 2 PHONES AT THE SAME LOCATION WHICH ARE +LINKED TOGETHER THROUGH A CHEESE BOX. IT IS USUALLY FOUND IN AN UNOCCUPIED +APARTMENT CONNECTED TO A PHONE JACK OR CONNECTING BLOCK. THE BOOKMAKER, AT SOME +REMOTE LOCATION, DIALS ONE OF THE NUMBERS AND STAYS ON THE LINE. VARIOUS +BETTORS DIAL THE OTHER NUMBER BUT ARE AUTOMATICALLY CONNECTED WITH THE +BOOKMAKER BY MEANS OF THE CHEESE BOX INTER-CONNECTION. IF, IN ADDITION TO A +CHEESE BOX, A BLACK BOX IS INCLUDED IN THE ARRANGEMENT, THE COMBINED EQUIPMENT +WOULD PERMIT TOLL-FREE CALLING ON EITHER LINE TO THE OTHER LINE. IF A POLICE +RAID WERE CONDUCTED AT THE TERMINATING POINT OF THE CONVERSATIONS -THE LOCATION +OF THE CHEESE BOX- THERE WOULD BE NO EVIDENCE OF GAMBLING ACTIVITY. THIS DEVICE +IS SOMETIMES DIFFICULT TO IDENTIFY. LAW ENFORCEMENT OFFICIALS HAVE BEEN ADVISED +THAT WHEN UNUSUAL DEVICES ARE FOUND ASSOCIATED WITH TELEPHONE CONNECTIONS THE +PHONE COMPANY SECURITY REPRESENTATIVES SHOULD BE CONTACTED TO ASSIST IN +IDENTIFICATION. (THIS PROBABLY WOULD BE GOOD FOR A BBS , ESPECIALLY WITH THE +BLACK BOX SET UP. AND IF YOU EVER DECIDED TO TAKE THE BOARD DOWN, YOU WOULDN'T +HAVE TO CHANGE YOUR PHONE #. IT ALSO MAKES IT SO YOU YOURSELF CANNOT BE TRACED. +I AM NOT SURE ABOUT CALLING OUT FROM ONE THOUGH) + +*RED BOX* +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + THIS DEVICE IT COUPLED ACOUSTICALLY TO THE HANDSET TRANSMITTER OF A +SINGLE-SLOT COIN TELEPHONE. THE DEVICE EMITS SIGNALS IDENTICAL TO THOSE TONES +EMITTED WHEN COINS ARE DEPOSITED. THUS, LOCAL OR TOLL CALLS MAY BE PLACED +WITHOUT THE ACTUAL DEPOSIT OF COINS. + + + Page 19 + + + + + The Official Phreaker's Manual + + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + /-/ /-/ + /-/ Phreaker's /-/ + /-/ PhunHouse /-/ + /-/ /-/ + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + /-/ By: /-/ + /-/ The Traveler /-/ + /-/ /-/ + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + /-/ /-/ + /-/ Call: /-/ + /-/ Brainstorm BBS /-/ + /-/ 612/345-2815 (300/1200) /-/ + /-/ /-/ + /-/ Little America /-/ + /-/ 507/289-8211 (300) /-/ + /-/ /-/ + /-/ Tell 'em Traveler sent ya /-/ + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + + The long awaited prequil to Phreaker's Guide has finally arrived. Conceived +from the boredom and loneliness that could only be derived from: The Traveler! +But now, he has returned in full strength (after a small vacation) and is here +to 'World Premiere' the new files everywhere. + Stay cool. This is the prequil to the first one, so just relax. This is not +made to be an exclusive ultra elite file, so kinda calm down and watch in the +background if you are too cool for it... + +/-/ Phreak Dictionary /-/ + + Here you will find some of the basic but necessary terms that should be known +by any phreak who wants to be respected at all... + + Phreak [fr'eek]:1. The action of using mischevious and mostly illegal ways +in order to not pay for some sort of telecommunications bill, order, transfer, +or other service. It often involves usage of highly illegal boxes and machines +in order to defeat the security that is set up to avoid this sort of +happening. + [fr'eaking]. v. 2. A person who uses the above methods of destruction and +chaos in order to make a better life for all. A true phreaker will not not go +against his fellows or narc on people who have ragged on him or do anything +termed to be dishonorable to phreaks. + [fr'eek]. n. 3. A certain code or dialup useful in the action of being a +phreak. (Example: "I hacked a new metro phreak last night.") + + Switching System + [Swich'ing sis'tem]: 1. There are 3 main switching systems currently employed +in the US, and a few other systems will be mentioned as background. +A) SxS: This system was invented in 1918 and was employed in over half of the +country until 1978. It is a very basic system that is a general waste of energy +and hard work on the linesman. A good way to identify this is that it requires +a coin in the phone booth before it will give you a dial tone, or that no call +waiting, call forwarding, or any other such service is available. Stands for: +Step by Step + +B) XB: This switching system was first employed in 1978 in order to take care +of most of the faults of SxS switching. Not only is it more efficient, but it + + Page 20 + + + + + The Official Phreaker's Manual + +also can support different services in various forms. XB1 is Crossbar Version +1. That is very limited and is hard to distinguish from SxS except by direct +view of the wiring involved. Next up was XB4, Crossbar Version 4. With this +system, some of the basic things like DTMF that were not available with SxS can +be accomplished. For the final stroke of XB, XB5 was created. This is a service +that can allow DTMF plus most 800 type services (which were not always +available...) Stands for: Crossbar. +C) ESS: A nightmare in telecom. In vivid color, ESS is a pretty bad thing to +have to stand up to. It is quite simple to identify. Dialing 911 for +emergencies, and ANI [see ANI below] are the most common facets of the dread +system. ESS has the capability to list in a person's caller log what number was +called, how long the call took, and even the status of the conversation (modem +or otherwise.) Since ESS has been employed, which has been very recently, it +has gone through many kinds of revisions. The latest system to date is ESS 11a, +that is employed in Washington D.C. for security reasons. ESS is truly trouble +for any phreak, because it is 'smarter' than the other systems. For instance, +if on your caller log they saw 50 calls to 1-800-421-9438, they would be able +to do a CN/A [see Loopholes below] on your number and determine whether you are +subscribed to that service or not. This makes most calls a hazard, because +although 800 numbers appear to be free, they are recorded on your caller log +and then right before you receive your bill it deletes the billings for them. +But before that they are open to inspection, which is one reason why extended +use of any code is dangerous under ESS. Some of the boxes [see Boxing below] +are unable to function in ESS. It is generally a menace to the true phreak. +Stands For: Electronic Switching System. because they could appear on a filter +somewhere or maybe it is just nice to know them any ways. + A) SSS: Strowger Switching System. First non-operator system +available. + B) WES: Western Electronics Switching. Used about 40 years ago +with some minor places out west. + Boxing [Boks'-ing]: 1) The use of personally designed boxes that emit or +cancel electronical impulses that allow simpler acting while phreaking. Through +the use of separate boxes, you can accomplish most feats possible with or +without the control of an operator. + 2) Some boxes and their functions are listed below. Ones +marked with '*' indicate that they are not operatable in ESS. + *Black Box: Makes it seem to the phone company that the phone was never +picked up. + + Blue Box: Emits a 2600hz tone that allows you to do such things as stack +a trunk line, kick the operator off line, and others. + + Red Box: Simulates the noise of a quarter, nickel, or dime being +dropped into a payphone. + + Cheese Box: Turns your home phone into a pay phone to throw off traces (a +red box is usually needed in order to call out.) + + *Clear Box: Gives you a dial tone on some of the old SxS payphones without +putting in a coin. + + Beige Box: A simpler produced linesman's handset that allows you to tap +into phone lines and extract by eavesdropping, or crossing wires, etc. + Purple Box: Makes all calls made out from your house seem to be local +calls. + ANI [ANI]: 1) Automatic Number Identification. A service available on ESS +that allows a phone service [see Dialups below] to record the number that any +certain code was dialed from along with the number that was called and print + + Page 21 + + + + + The Official Phreaker's Manual + +both of these on the customer bill. 950 dialups [see Dialups below] are all +designed just to use ANI. Some of the services do not have the proper equipment +to read the ANI impulses yet, but it is impossible to see which is which +without being busted or not busted first. + Dialups + [dy'l'ups]: 1) Any local or 800 extended outlet that allows instant access to +any service such as MCI, Sprint, or AT&T that from there can be used by +handpicking or using a program to reveal other peoples codes which can then be +used moderately until they find out about it and you must switch to another +code (preferably before they find out about it.) + 2) Dialups are extremely common on both senses. Some dialups +reveal the company that operates them as soon as you hear the tone. Others are +much harder and some you may never be able to identify. A small list of +dialups: + 1-800-421-9438 (5 digit codes) + 1-800-547-6754 (6 digit codes) + 1-800-345-0008 (6 digit codes) + 1-800-734-3478 (6 digit codes) + 1-800-222-2255 (5 digit codes) + 3) Codes: Codes are very easily accessed procedures when you call +a dialup. They will give you some sort of tone. If the tone does not end in 3 +seconds, then punch in the code and immediately following the code, the number +you are dialing but strike the '1' in the beginning out first. If the tone does +end, then punch in the code when the tone ends. Then, it will give you another +tone. Punch in the number you are dialing, or a '9'. If you punch in a '9' and +the tone stops, then you messed up a little. If you punch in a tone and the +tone continues, then simply dial then number you are calling without the '1'. + 4) All codes are not universal. The only type that I know of that +is truly universal is Metrophone. Almost every major city has a local Metro +dialup (for Philadelphia, (215)351-0100/0126) and since the codes are +universal, almost every phreak has used them once or twice. They do not employ +ANI in any outlets that I know of, so feel free to check through your books and +call 555-1212 or, as a more devious manor, subscribe yourself. Then, never use +your own code. That way, if they check up on you due to your caller log, they +can usually find out that you are subscribed. Not only that but you could set a +phreak hacker around that area and just let it hack away, since they usually +group them, and, as a bonus, you will have their local dialup. + 5) 950's. They seem like a perfectly cool phreakers dream. They +are free from your house, from payphones, from everywhere, and they host all of +the major long distance companies (950-1044 , 950-1077 , 950-1088 +, 950-1033 .) Well, they aren't. They were designed for +ANI. That is the point, end of discussion. + + A phreak dictionary. If you remember all of the things contained on that file +up there, you may have a better chance of doing whatever it is you do. This +next section is maybe a little more interesting... + +Blue Box Plans: +--------------- + + These are some blue box plans, but first, be warned, there have been 2600hz +tone detectors out on operator trunk lines since XB4. The idea behind it is to +use a 2600hz tone for a few very naughty functions that can really make your +day lighten up. But first, here are the plans, or the heart of the file: + +============================================== +700 : 1 : 2 : 4 : 7 : 11 : +900 : + : 3 : 5 : 8 : 12 : + + Page 22 + + + + + The Official Phreaker's Manual + +1100 : + : + : 6 : 9 : KP : +1300 : + : + : + : 10 : KP2 : +1500 : + : + : + : + : ST : + : 700 : 900 :1100 :1300 :1500 : +============================================== + + Stop! Before you diehard users start piecing those little tone tidbits +together, there is a simpler method. If you have an Apple-Cat with a program +like Cat's Meow IV, then you can generate the necessary tones, the 2600hz tone, +the KP tone, the KP2 tone, and the ST tone through the dial section. So if you +have that I will assume you can boot it up and it works, and I'll do you the +favor of telling you and the other users what to do with the blue box now that +you have somehow constructed it. + The connection to an operator is one of the most well known and used ways of +having fun with your blue box. You simply dial a TSPS (Traffic Service +Positioning Station, or the operator you get when you dial '0') and blow a +2600hz tone through the line. Watch out! Do not dial this direct! After you +have done that, it is quite simple to have fun with it. Blow a KP tone to start +a call, a ST tone to stop it, and a 2600hz tone to hang up. Once you have +connected to it, here are some fun numbers to call with it: + +0-700-456-1000 Teleconference (free, because you are the operator!) +(Area code)-101 Toll Switching +(Area code)-121 Local Operator (hehe) +(Area code)-131 Information +(Area code)-141 Rate & Route +(Area code)-181 Coin Refund Operator +(Area code)-11511 Conference operator (when you dial 800-544-6363) + + Well, those were the tone matrix controllers for the blue box and some other +helpful stuff to help you to start out with. But those are only the functions +with the operator. There are other k-fun things you can do with it... + More advanced Blue Box Stuff: + Oops. Small mistake up there. I forgot tone lengths. Um, you blow a tone +pair out for up to 1/10 of a second with another 1/10 second for silence +between the digits. KP tones should be sent for 2/10 of a second. One way to +confuse the 2600hz traps is to send pink noise over the channel (for all of you +that have decent BSR equalizers, there is major pink noise in there...) +Using the operator functions is the use of the 'inward' trunk line. That is +working it from the inside. From the 'outward' trunk, you can do such things as +make emergency breakthrough calls, tap into lines, busy all of the lines in any +trunk (called 'stacking'), enable or disable the TSPS's, and for some 4a +systems you can even re-route calls to anywhere. + + All right. The one thing that every complete phreak guide should not be +without is blue box plans, since they were once a vital part of phreaking. +Another thing that every complete file needs is a complete listing of all of +the 800 numbers around so you can have some more fun. + +/-/ 800 Dialup Listings /-/ + +1-800-345-0008 (6) 1-800-547-6754 (6) +1-800-245-4890 (4) 1-800-327-9136 (4) +1-800-526-5305 (8) 1-800-858-9000 (3) +1-800-437-9895 (7) 1-800-245-7508 (5) +1-800-343-1844 (4) 1-800-322-1415 (6) +1-800-437-3478 (6) 1-800-325-7222 (6) + + + Page 23 + + + + + The Official Phreaker's Manual + + All right, set Cat Hacker 1.0 on those numbers and have a fuck of a day. That +is enough with 800 codes, by the time this gets around to you I dunno what +state those codes will be in, but try them all out anyways and see what you +get. On some 800 services now, they have an operator who will answer and ask +you for your code, and then your name. Some will switch back and forth between +voice and tone verification, you can never be quite sure which you will be up +against. + Armed with this knowledge you should be having a pretty good time phreaking +now. But class isn't over yet, there are still a couple important rules that +you should know. If you hear continual clicking on the line, then you should +assume that an operator is messing with something, maybe even listening in on +you. It is a good idea to call someone back when the phone starts doing that. +If you were using a code, use a different code and/or service to call him +back. + A good way to detect if a code has gone bad or not is to listen when the +number has been dialed. If the code is bad you will probably hear the phone +ringing more clearly and more quickly than if you were using a different code. +If someone answers voice to it then you can immediately assume that it is an +operative for whatever company you are using. The famed '311311' code for Metro +is one of those. You would have to be quite stupid to actually respond, because +whoever you ask for the operator will always say 'He's not in right now, can I +have him call you back?' and then they will ask for your name and phone number. +Some of the more sophisticated companies will actually give you a carrier on a +line that is supposed to give you a carrier and then just have garbage flow +across the screen like it would with a bad connection. That is a feeble effort +to make you think that the code is still working and maybe get you to dial +someone's voice... a good test for the carrier trick is to dial a number that +will give you a carrier that you have never dialed with that code before, that +will allow you to determine whether the code is good or not. + For our next section, a lighter look at some of the things that a phreak +should not be without. A vocabulary. A few months ago, it was a quite strange +world for the modem people out there. But now, a phreaker's vocabulary is +essential if you wanna make a good impression on people when you post what you +know about certain subjects. + +/-/ Vocabulary /-/ + + - Do not misspell except certain exceptions: + phone -> fone + freak -> phreak + - Never substitute 'z's for 's's. (i.e. codez -> codes) + - Never leave many characters after a post (i.e. Hey Dudes!#!@#@!#!@) + - NEVER use the 'k' prefix (k-kool, k-rad, k-whatever) + - Do not abbreviate. (I got lotsa wares w/ docs) + - Never substitute '0' for 'o' (r0dent, l0zer). + - Forget about ye old upper case, it looks ruggyish. + + All right, that was to relieve the tension of what is being drilled into your +minds at the moment.. now, however, back to the teaching course. Here are some +things you should know about phones and billings for phones, etc. + + LATA: Local Access Transference Area. Some people who live in large cities or +areas may be plagued by this problem. For instance, let's say you live in the +215 area code under the 542 prefix (Ambler, Fort Washington). If you went to +dial in a basic Metro code from that area, for instance, 351-0100, that might +not be counted under unlimited local calling because it is out of your LATA. +For some LATA's, you have to dial a '1' without the area code before you can +dial the phone number. That could prove a hassle for us all if you didn't + + Page 24 + + + + + The Official Phreaker's Manual + +realize you would be billed for that sort of call. In that way, sometimes, it +is better to be safe than sorry and phreak. + The Caller Log: In ESS regions, for every household around, the phone company +has something on you called a Caller Log. This shows every single number that +you dialed, and things can be arranged so it showed every number that was +calling to you. That's one main disadvantage of ESS, it is mostly computerized +so a number scan could be done like that quite easily. Using a dialup is an +easy way to screw that, and is something worth remembering. Anyways, with the +caller log, they check up and see what you dialed. Hmm... you dialed 15 +different 800 numbers that month. Soon they find that you are subscribed to +none of those companies. But that is not the only thing. Most people would +imagine "But wait! 800 numbers don't show up on my phone bill!". To those +people, it is a nice thought, but 800 numbers are picked up on the caller log +until right before they are sent off to you. So they can check right up on you +before they send it away and can note the fact that you fucked up slightly and +called one too many 800 lines. + +Right now, after all of that, you should have a pretty good idea of how to grow +up as a good phreak. Follow these guidelines, don't show off, and don't take +unnecessary risks when phreaking or hacking. + +File Level:5 + + /-/ Credits /-/ + + To The Videosmith- for setting me straight on some shit. + To The Linesman- for telling me to upload it to his AE line. + To Modern Mutant- for making me into a phreaking freak. + To Jack the Nibbler- for the basis of the blue box plans. + + By using your new k-koool (hehe) phreaking knowledge, call a couple of these +BBS's around the country: + + /---------------------------------\ + | Bulletin Board List | + | --------------------- | + | 215/844-8836 | + | 7 Cities of Gold (3/12) 10megs | + | 307/382-4006 | + | Brainstorm BBS (3/12) | + | 612/345-2815 | + | Metal Shop (3/12) | + | 314/432-0756 | + \---------------------------------/ + + Stay free! And watch out soon for Deep Thought, somewhere in 215, that will be +a nice BBS that Ace of Spades and I will run. You will be the first to find out +about it, trust me... + +Later, + +The Traveler +Zer0-g + + + + + + + Page 25 + + + + + The Official Phreaker's Manual + + ************ << BIOC AGENT 003'S COURSE IN >> ************ + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART I * + * * + ********************************************************** + + +HOW TO BE A REAL PHREAK +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN THE PHONE PHREAK SOCIETY THERE ARE CERTAIN VALUES THAT EXIST IN ORDER TO +BE A TRUE PHREAK, THESE ARE BEST SUMMED UP BY THE MAGICIAN: + + "MANY PEOPLE THINK OF PHONE PHREAKS AS SLIME, OUT TO RIP OFF BELL FOR +ALL SHE IS WORTH. NOTHING COULD BE FURTHER FROM THE TRUTH! GRANTED, THERE ARE +SOME WHO GET THEIR KICKS BY MAKING FREE CALLS; HOWEVER, THEY ARE NOT TRUE PHONE +PHREAKS. REAL PHONE PHREAKS ARE 'TELECOMMUNICATIONS HOBBYISTS' WHO EXPERIMENT, +PLAY WITH AND LEARN FROM THE PHONE SYSTEM. OCCASIONALLY THIS EXPERIMENTING, AND +A NEED TO COMMUNICATE WITH OTHER PHREAKS ( WITH-OUT GOING BROKE), LEADS TO FREE +CALLS. THE FREE CALLS ARE BUT A SMALL SUBSET OF A TRUE PHONE PHREAKS +ACTIVITIES." + +THE PHONE PHREAK'S TEN COMMANDMENTS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +REPRINTED FROM TAP ISSUE #86. (TAP, ROOM 603, 147 W 42 STREET, NEW YORK, NY +10036) SEND A SASE FOR THEIR INFO SHEET AND TELL THEM THAT BIOC AGENT 003 TOLD +YOU ABOUT IT.) + + +I. BOX THOU NOT OVER THINE HOME TELEPHONE WIRES, FOR THOSE WHO DOEST MUST +SURELY BRING THE WRATH OF THE CHIEF SPECIAL AGENT DOWN UPON THY HEADS. + +II. SPEAKEST THOU NOT OF IMPORTANT MATTERS OVER THINE HOME TELEPHONE WIRES, +FOR TO DO SO IS TO RISK THINE RIGHT OF FREEDOM. + +III. USE NOT THINE OWN NAME WHEN SPEAKING TO OTHER PHREAKS, FOR THAT EVERY +THIRD PHREAK IS AN FBI AGENT IS WELL KNOWN. + +IV. LET NOT OVERLY MANY PEOPLE KNOW THAT THY BE A PHREAK, AS TO DO SO IS TO +USE THINE OWN SELF AS A SACRIFICIAL LAMB. + +V. IF THOU BE IN SCHOOL, STRIVE TO GET THIN SELF GOOD GRADES, FOR THE +AUTHORITIES WELL KNOW THAT SCHOLARS NEVER BREAK THE LAW. + +VI. IF THOU WORKEST, TRY TO BE A EMPLOYEE, AND IMPRESSEST THINE BOSS WITH +THINE ENTHUSIASM, FOR IMPORTANT EMPLOYEES ARE OFTEN SAVED BY THEIR OWN BOSSES. + +VII. STOREST THOU NOT THINE STOLEN GOODS IN THINE OWN HOME, FOR THOSE WHO DO +ARE SURELY NON-BELIEVERS IN THE BELL SYSTEM SECURITY FORCES, AND ARE NOT LONG +FOR THIS WORLD. + +VIII. ATTRACTEST THOU NOT THE ATTENTION OF THE AUTHORITIES, AS THE LESS +NOTICEABLE THOU ART, THE BETTER. + + + Page 26 + + + + + The Official Phreaker's Manual + +IX. MAKEST SURE THINE FRIENDS ARE INSTANT AMNESIACS AND WILL NOT REMEMBER +THAT THOU HAVE CALLED ILLEGALLY, FOR THEIR COOPERATION WITH THE AUTHORITIES +WILL SURELY LESSEN THINE TIME FOR FREEDOM ON THIS EARTH. + +X. SUPPORTEST THOU TAP, AS IT IS THINE NEWSLETTER, AND WITHOUT IT, THY WORK +WILL BE FAR MORE LIMITED. + +CN/A NUMBERS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + CUSTOMER NAME & ADDRESS BUREAUS EXIST SO THAT AUTHORIZED BELL EMPLOYEES MAY +OBTAIN THE NAME & ADDRESS OF ANY CUSTOMER IN THE BELL SYSTEM BY GIVING THE CN/A +OPERATOR THE CUSTOMER'S TEL-#. ALL CUSTOMERS ARE MAINTAINED ON FILE INCLUDING +UNLISTED #'S. THESE BUREAUS HAVE MANY USES FOR PHREAKS. + HERE IS HOW AN EMPLOYEE MIGHT GO ABOUT CALLING CN/A: +"HI, THIS IS JOHN DOE FROM THE MIAMI RESIDENTIAL SERVICE CENTER, CAN I HAVE THE +CUSTOMERS NAME AT (123) 555-1212." + + THE EMPLOYEES USUALLY USE THESE FOR CHECKING WHO BELONGS TO A # THAT +SOMEONE CLAIMED THEY DIDN'T CALL.IF YOU SOUND CHEERY AND NATURAL THE OPERATOR +WILL NEVER ASK ANY QUESTIONS. IF YOU DON'T SOUND LIKE A MATURE ADULT, DON'T USE +IT! ALWAYS PRACTICE FIRST & SO YOU DON'T SCREW UP AND MAKE THE OPERATOR +SUSPICIOUS. USE NAME THAT SOUNDS REAL, NOT YOUR PIRATE NAME EITHER! ALSO SAY +THAT YOU ARE FRO A CITY THAT IS FAR AWAY FROM THE ONE THAT YOU ARE CALLING. + + THE CN/A NUMBER FOR THE NY AREA & VICINITY (212, 315, 516, 518, 607, 716, & +914), IS 518/471-8111, AND IS OPEN DURING BUSINESS HOURS. DON'T ABUSE +IT!!!!!!! + +AT&T NEWSLINES +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + AT&T NEWSLINES ARE NUMBERS AT AREA PHONE OFFICES THAT TELCO EMPLOYEES CALL +TO FIND OUT THE LATEST INFO ON NEW TECHNOLOGY, STOCKS, ETC. THE RECORDED +REPORTS RANGE FROM VERY BORING TO VERY INTERESTING. + +HERE ARE A FEW OF THE NUMBERS: + + *(201) 483-3800 NJ (518) 471-2272 NY + (203) 771-4920 CN (717) 255-5555 PA + (212) 393-2151 NY (717) 787-1031 PA + (516) 234-9941 NY *(914) 948-8100 NY + + SOME OF THESE NUMBERS ARE TOLL-FREE, BUT YOU CAN'T ALWAYS COUNT ON IT. + +* THESE NUMBERS ARE NOT ALWAYS UP! + +NUMBERS FROM OTHER AREAS ARE AVAILABLE BY REQUEST FROM F)BIOC L)AGENT 003. + +ANI NUMBERS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + ANI NUMBERS IDENTIFY THE PHONE NUMBER THAT YOU ARE CALLING FROM. IT IS +USEFUL WHEN PLAYING IN CANS (THOSE BIG SILVER BOXES ON TELEPHONE POLES) TO FIND +OUT THE # OF THE LINE. IT IS ALSO GOOD TO FIND OUT THE # OF A PHONE THAT +DOESN'T HAVE IT PRINTED ON IT. IN THE 914 AREA CODE THE ANI # IS 990. IF YOU +JUST HAVE TO DIAL THE LAST 4 DIGITS FOR A LOCAL #, IE CONGERS (268), DIAL +1-990-1111, WHERE 1111 ARE DUMMY DIGITS THERE IS ALSO A LESS USEFUL TYPE OF + + Page 27 + + + + + The Official Phreaker's Manual + +ANI# WHICH WILL IDENTIFY THE AREA CODE & EXCHANGE. IT IS NXX-9901, WHERE 'NXX' +IS THE EXCHANGE. IN THE 212 & 516 AREA CODES THE ANI # IS 958. + +PHREAK NEWSLETTER +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + TAP IS THE "OFFICIAL" PHONE PHREAK NEWSLETTER, AND HAS EXISTED SINCE 1971. +EACH 4 PAGE ISSUE IS CRAMMED FULL OF INFORMATION ON PHONE PHREAKING, COMPUTER +PHREAKING, FREE GAS, FREE ELECTRICITY, FREE POSTAGE, BREAKING & ENTERING INFO, +ETC. IT IS LARGELY PHONE PHREAK ORIENTED, HOWEVER. + + A 10 ISSUE SUBSCRIPTION COSTS $8.00, IF YOU GET A BULK RATE SEALED ENVELOPE +SUBSCRIPTION. I WOULD RECOMMEND THE FIRST CLASS SUBSCRIPTION, WHICH IS $10. + + AS OF THIS WRITING (7-16-83), THE CURRENT ISSUE IS #86, AND ISSUE #50 IS 8 +PAGES INSTEAD OF THE USUAL 4. BACK ISSUES ARE $0.75 EACH, AND ISSUE #50 IS +$1.50. A BRIEF INDEX TO THE FIRST 80 ISSUES IS AVAILABLE FOR A SASE, OR FREE +WITH A SUBSCRIPTION ORDER. TAP IS NON-PROFIT, AND IN DESPERATE NEED OF MATERIAL +(ARTICLES), MONEY, AND VOLUNTEERS. + +TAP +ROOM 603 +147 WEST 42ND STREET +NEW YORK, NY 10036 + +BELIEVE ME: IT WILL BE THE BEST $10 YOU WILL EVER SPEND... + +BLACK BOX +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THE BLACK BOX IS A DEVICE THAT ATTACHED TO A CALLED PARTIES PHONE +THAT ALLOWS HIM/HER TO RECEIVE FREE LONG DISTANCE CALLS FROM FRIENDS WHO +CALL. + + YOU ONLY NEED 2 PARTS: A SPST TOGGLE SWITCH AND A 10,000 OHM (10 K), +1/2 WATT, 10% RESISTOR. ANY ELECTRONICS PLACE SHOULD HAVE THESE. + + NOW, CUT TWO PIECES OF WIRE, ABOUT 6 INCHES, AND ATTACH THESE TO THE TWO +SCREWS ON THE SWITCH. TURN YOUR NORMAL DDSIDE DOWN AND UNSCREW THE 2 SCREWS. +LOCATE THE "F" AND "RR" SCREWS ON THE NETWORK BOX. WRAP THE RESISTOR BETWEEN +THESE 2 SCREWS AND MAKE SURE THAT THE WIRES TOUCH ONLY THE PROPER TERMINALS! +NOW CONNECT ONE WIRE FROM THE SWITCH TO THE RR TERMINAL. FINALLY, ATTACH THE +REMAINING WIRE TO THE GREEN WIRE (DISCONNECT IT FROM ITS TERMINAL). NOW BRING +THE SWITCH OUT THE REAR OF THE PHONE AND CLOSE IT UP. PUT THE SWITCH IN A +POSITION WHERE YOU GET A DIAL TONE, MARK THIS NORMAL. MARK THE OTHER SIDE +FREE. + + WHEN YOUR FRIENDS CALL (AT A PREARRANGED TIME), QUICKLY LIFT & DROP THE +RECEIVER AS FAST AS POSSIBLE. THIS WILL STOP THE RINGING, IF NOT TRY AGAIN. IT +IS VERY IMPORTANT THAT YOU DO IT FAST! NOW PUT THE SWITCH IN THE FREE POSITION +AND PICK UP THE PHONE. KEEP ALL CALLS SHORT & UNDER 15 MINUTES. + + WHEN SOMEONE CALLS YOU LONG-DISTANCE, THEY ARE BILLED FROM THE MOMENT YOU +ANSWER. THE TELCO KNOWS WHEN YOU ANSWER DUE TO A CERTAIN AMOUNT OF VOLTAGE THAT +FLOWS WHEN YOU PICK UP THE PHONE. HOWEVER, THE RESISTOR CUTS DOWN ON THE +VOLTAGE SO IT IS BELOW THE BILLING RANGE BUT SUFFICIENT ENOUGH TO OPERATE THE +MOUTHPIECE. ANSWERING THE PHONE FOR A FRACTION OF A SECOND STOPS THE RING BUT +IT IS NOT ENOUGH FOR BILLING TO START. IF THE PHONE IS ANSWERED FOR EVEN ONE + + Page 28 + + + + + The Official Phreaker's Manual + +FULL SECOND, BILLING WILL START AND YOU WILL BE CUT OFF WHEN YOU HANG UP AND +SWITCH TO FREE. + +WARNING: BELL CAN RANDOMLY LOOK FOR BLACK BOXES SO BE CAREFUL! + + _____________________________________ +| | +---BLUE WIRE-->>F< | +| | | | +--WHITE WIRE---/ | | +| | | +| RESISTOR | +| | | +| | | +| >RR<-------SWITCH--\ | +| | | +----GREEN WIRE--------------------/ | +| | +|_____________________________________| + +DIAL LOCKS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + HAVE YOU EVER BEEN IN AN OFFICE OR SOMEWHERE AND WANTED TO MAKE A FREE FONE +CALL BUT SOME ASSHOLE PUT A LOCK ON THE FONE TO PREVENT OUT-GOING CALLS? FRET +NO MORE PHELLOW PHREAKS, FOR EVERY SYSTEM CAN BE BEATEN WITH A LITTLE +KNOWLEDGE! + + THERE ARE TWO WAYS TO BEAT THIS OBSTACLE, FIRST PICK THE LOCK, I DON'T HAVE +THE TIME TO TEACH LOCKSMITHING SO WE GO TO THE SECOND METHOD WHICH TAKES +ADVANTAGE OF TELEPHONE ELECTRONICS. + + TO BE AS SIMPLE AS POSSIBLE, WHEN YOU PICK UP THE FONE YOU COMPLETE A +CIRCUIT KNOW AS A LOCAL LOOP. WHEN YOU HANG-UP YOU BREAK THE CIRCUIT. WHEN +YOU DIAL (PULSE) IT ALSO BREAKS THE CIRCUIT BUT NOT LONG ENOUGH TO HANG UP! SO +YOU CAN "PUSH-DIAL." TO DO THIS YOU >>> RAPIDLY <<< DEPRESS THE SWITCHHOOK. +FOR EXAMPLE, TO DIAL AN OPERATOR (AND THEN GIVE HER THE NUMBER YOU WANT CALLED) +>>> RAPIDLY <<< & >>> EVENLY <<< DEPRESS THE SWITCHHOOK 10 TIMES. TO DIAL +634-1268, DEPRESS 6 X'S PAUSE, THEN 3 X'S, PAUSE, THEN 4X'S, ETC. IT TAKES A +LITTLE PRACTICE BUT YOU'LL GET THE HANG OF IT. TRY PRACTICING WITH YOUR OWN # +SO YOU'LL GET A BUSY TONE WHEN RIGHT. IT'LL ALSO WORK ON TOUCH-TONE(TM) SINCE +A DTMF LINE WILL ALSO ACCEPT PULSE. ALSO, NEVER DEPRESS THE SWITCHHOOK FOR +MORE THAN A SECOND OR IT'LL HANG-UP! + + FINALLY, REMEMBER THAT YOU HAVE JUST AS MUCH RIGHT TO THAT FONE AS THE +ASSHOLE WHO PUT THE LOCK ON IT! + +EXCHANGE SCANNING +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + ALMOST EVERY EXCHANGE IN THE BELL SYSTEM HAS TEST #'S AND OTHER "GOODIES" +SUCH AS LOOPS WITH DIAL-UPS. THESE "GOODIES" ARE USUALLY FOUND BETWEEN 9900 AND +9999 IN YOUR LOCAL EXCHANGE. IF YOU HAVE THE TIME AND INITIATIVE, SCAN YOUR +EXCHANGE AND YOU MAY BECOME LUCKY! + +HERE ARE MY FINDINGS IN THE 914-268 EXCHANGE: + + + + Page 29 + + + + + The Official Phreaker's Manual + +9900 - ANI (SEE SEPARATE BULLETIN) +9901 - ANI (SEE SEPARATE BULLETIN) +9927 - OSC. TONE (POSSIBLE TONE SIDE OF A LOOP) +9936 - VOICE # TO THE TELCO CENTRAL OFFICE +9937 - VOICE # TO THE TELCO CENTRAL OFFICE +9941 - COMPUTER (DIGITAL VOICE TRANSMISSION?) +9960 - OSC. TONE (TONE SIDE LOOP) MAY ALSO BE A COMPUTER IN SOME EXCHANGES +9961 - NO RESPONSE (OTHER END OF LOOP?) +9962 - NO RESPONSE (OTHER END OF LOOP?) +9963 - NO RESPONSE (OTHER END OF LOOP?) +9966 - COMPUTER (SEE 9941) +9968 - TONE THAT DISAPPEARS--RESPONDS TO CERTAIN TOUCH-TONE KEYS + + MOST OF THE NUMBERS BETWEEN 9900 & 9999 WILL RING OR GO TO A "WHAT #, +PLEASE?" OPERATOR. + +HAVE PHUN AND REMEMBER IT'S ONLY A LOCAL CALL! + +TOUCH-TONE & FREE CALLS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +THERE ARE SEVERAL WAYS TO MAKE FREE CALLS (SPRINT, MCI, ETC.) USING A ROTARY +PHONE. THEY ARE: + +1. USE A NUMBER THAT ACCEPTS VOICE AS WELL AS DTMF. SUCH A # IS (800) +521-8400. AS OF WRITING THIS, A CODE WAS 00717865. + + A) IF USING VOICE, WAIT FOR THE COMPUTER TO SAY, "AUTHORIZATION #, PLEASE." +THEN SAY EACH DIGIT SLOWLY, IT WILL BEEP AFTER EACH DIGIT IS SAID. AFTER EVERY +GROUP OF DIGITS, IT WILL REPEAT WHAT YOU HAVE SAID, THEN SAY YES IF IT IS +CORRECT, OTHERWISE SAY NO. IF THE ACCESS CODE IS CORRECT, IT WILL THANK YOU AND +ASK FOR THE DESTINATION #, THEN SAY THE AREA CODE + NUMBER AS ABOVE. ANOTHER +SUCH # IS (800) 245-8173, WHICH HAS A 6 DIGIT ACCESS CODE. (NOTE: IF USING +TOUCH-TONE ON THIS #, ENTER THE CODE IMMEDIATELY AFTER THE TONE STOPS.) + +2. HOOK UP A TOUCH-TONE FONE INTO YOUR ROTARY FONE. ATTACH THE RED WIRE FROM +THE TOUCH-TONE FONE TO THE "R" TERMINAL INSIDE THE FONE ON THE NETWORK BOX. +THEN HOOK THE GREEN WIRE TO THE "B" TERMINAL. TO USE THIS DIAL THE # USING +ROTARY & THEN USE THE TOUCH-TONE FOR THE CODES. (DON'T HANG UP THE ROTARY FONE +WHILE DOING THIS THOUGH!) IF THIS DOESN'T WORK THEN REVERSE THE 2 WIRES. +(NOTE:IF YOUR LINE CAN ACCEPT TOUCH-TONE BUT YOU HAVE A ROTARY FONE THEN YOU +CAN HOOK UP A TONE FONE DIRECTLY FOR ALL CALLS BUT THIS USUALLY ISN'T THE +CASE.) SUCH AS RADIO SHACK'S 43-138. + +OTHER ALTERNATIVES +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +4. USE A CHARGE-A-CALL FONE. (THESE ALSO MAKE GREAT EXTENSIONS IF YOU REMOVE +IT USING A HEX WRENCH WITH A HOLE IN THE MIDDLE ON THE CENTER SCREW!)--(THESE +FONES, FOR THE BENEFIT OF THOSE WHO DON'T KNOW, ARE BLUE WITH NO COIN SLOTS). + +5. USE A PAY FONE THAT WANTS YOUR MONEY BEFORE THE DIAL TONE. PUT IN YOUR +DIME, DIAL THE #; IF IT'S AN 800 # THEN YOUR DIME WILL COME BACK, IMMEDIATELY +PUT A DIME BACK IN (IT'LL COME BACK WHEN YOU HANG UP!) IF IT IS A TONE FIRST +FONE AND IT DISCONNECTS THE KEYPAD (SOME DON'T) THEN FIND ANOTHER FONE. + + + + + Page 30 + + + + + The Official Phreaker's Manual + + Chapter 2 + + Well now we know a little vocabulary, and now its into history, Phreak +history. Back at MIT in 1964 arrived a student by the name of Stewart Nelson, +who was extremely interested in the telephone. Before entering MIT, he had +built autodialers, cheese boxes, and many more gadgets. But when he came to +MIT he became even more interested in "fone-hacking" as they called it. After +a little while he naturally started using the PDP-1, the schools computer at +that time, and from there he decided that it would be interesting to see +whether the computer could generate the frequencies required for blue boxing. +The hackers at MIT were not interested in ripping off Ma Bell, but just +exploring the telephone network. Stew (as he was called) wrote a program to +generate all the tones and set off into the vast network. + Now there were more people phreaking than the ones at MIT. Most people have +heard of Captain Crunch (No not the cereal), he also discovered how to take +rides through the fone system, with the aid of a small whistle found in a +cereal box (can we guess which one?). By blowing this whistle, he generated +the magical 2600hz and into the mouthpiece it sailed, giving him complete +control over the system. I have heard rumors that at one time he made about +1/4 of the calls coming out of San Francisco. He got famous fast. He made the +cover of people magazine and was interviewed several times (as you'll soon +see). Well he finally got caught after a long adventurous career. After he +was caught he was put in jail and was beaten up quite badly because he would +not teach other inmates how to box calls. After getting out, he joined Apple +computer and is still out there somewhere. + Then there was Joe the Whistler, blind form the day he was born. He could +whistle a perfect 2600hz tone. It was rumored phreaks used to call him to tune +their boxes. + Well that was up to about 1970, then from 1970 to 1979, phreaking was mainly +done by college students, businessmen and anyone who knew enough about +electronics and the fone company to make a 555 Ic to generate those magic +tones. Businessmen and a few college students mainly just blue box to get free +calls. The others were still there, exploring 800#'s and the new ESS systems. +ESS posed a big problem for phreaks then and even a bigger one now. ESS was +not widespread, but where it was, blue boxing was next to impossible except for +the most experienced phreak. Today ESS is installed in almost all major cities +and blue boxing is getting harder and harder. + 1978 marked a change in phreaking, the Apple ][, now a computer that was +affordable, could be programmed, and could save all that precious work on a +cassette. Then just a short while later came the Apple Cat modem. With this +modem, generating all blue box tones was easy as writing a program to count +form one to ten (a little exaggerated). Pretty soon programs that could +imitate an operator just as good as the real thing were hitting the community, +TSPS and Cat's Meow, are the standard now and are the best. + 1982-1986: LD services were starting to appear in mass numbers. People now +had programs to hack LD services, telephone exchanges, and even passwords. By +now many phreaks were getting extremely good and BBS's started to spring up +everywhere, each having many documentations on phreaking for the novice. Then +it happened, the movie War Games was released and mass numbers of sixth grade +to all ages flocked to see it. The problem wasn't that the movie was bad, it +was that now EVERYONE wanted to be a hacker/phreak. Novices came out in such +mass numbers, that bulletin boards started to be busy 24 hours a day. To this +day, they still have not recovered. Other problems started to occur, novices +guessed easy passwords on large government computers and started to play +around... Well it wasn't long before they were caught, I think that many +people remember the 414-hackers. They were so stupid as to say "yes" when the +computer asked them whether they'd like to play games. Well at least it takes +the heat off the real phreaks/hacker/krackers. + + Page 31 + + + + + The Official Phreaker's Manual + + After a little history, how about a little thrill? I don't know if this +story is true but it sure is as bad as shit! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 32 + + + + + The Official Phreaker's Manual + + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + * * + * +----------------------------------------------+ * + * * + * Secrets of the Little Blue Box * + * * + * by Ron Rosenbaum * + * Typed by One Farad Cap/AAG * + * * + * -A story so incredible it may even make you * + * feel sorry for the phone company- * + * * + * (First of four files) * + * * + * +----------------------------------------------+ * + * * + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + +Dudes... These four files contain the story, "Secrets of the Little Blue Box", +by Ron Rosenbaum. + +-A story so incredible it may even make you feel sorry for the phone company- + +Printed in the October 1971 issue of Esquire Magazine. If you happen to be in +a library and come across a collection of Esquire magazines, the October 1971 +issue is the first issue printed in the smaller format. The story begins on +page 116 with a picture of a blue box. + --One Farad Cap, Atlantic Anarchist Guild + + +The Blue Box Is Introduced: Its Qualities Are Remarked + +I am in the expensively furnished living room of Al Gilbertson (His real name +has been changed.), the creator of the "blue box." Gilbertson is holding one of +his shiny black-and-silver "blue boxes" comfortably in the palm of his hand, +pointing out the thirteen little red push buttons sticking up from the console. +He is dancing his fingers over the buttons, tapping out discordant beeping +electronic jingles. He is trying to explain to me how his little blue box does +nothing less than place the entire telephone system of the world, satellites, +cables and all, at the service of the blue-box operator, free of charge. + +"That's what it does. Essentially it gives you the power of a super operator. +You seize a tandem with this top button," he presses the top button with his +index finger and the blue box emits a high-pitched cheep, "and like that" -- +cheep goes the blue box again -- "you control the phone company's long-distance +switching systems from your cute little Princes phone or any old pay phone. +And you've got anonymity. An operator has to operate from a definite location: +the phone company knows where she is and what she's doing. But with your +beeper box, once you hop onto a trunk, say from a Holiday Inn 800 (toll-free) +number, they don't know where you are, or where you're coming from, they don't +know how you slipped into their lines and popped up in that 800 number. They +don't even know anything illegal is going on. And you can obscure your origins +through as many levels as you like. You can call next door by way of White +Plains, then over to Liverpool by cable, and then back here by satellite. You +can call yourself from one pay phone all the way around the world to a pay +phone next to you. And you get your dime back too." + +"And they can't trace the calls? They can't charge you?" + + Page 33 + + + + + The Official Phreaker's Manual + + +"Not if you do it the right way. But you'll find that the free-call thing +isn't really as exciting at first as the feeling of power you get from having +one of these babies in your hand. I've watched people when they first get hold +of one of these things and start using it, and discover they can make +connections, set up crisscross and zigzag switching patterns back and forth +across the world. They hardly talk to the people they finally reach. They say +hello and start thinking of what kind of call to make next. They go a little +crazy." He looks down at the neat little package in his palm. His fingers are +still dancing, tapping out beeper patterns. + +"I think it's something to do with how small my models are. There are lots of +blue boxes around, but mine are the smallest and most sophisticated +electronically. I wish I could show you the prototype we made for our big +syndicate order." + +He sighs. "We had this order for a thousand beeper boxes from a syndicate +front man in Las Vegas. They use them to place bets coast to coast, keep lines +open for hours, all of which can get expensive if you have to pay. The deal +was a thousand blue boxes for $300 apiece. Before then we retailed them for +$1500 apiece, but $300,000 in one lump was hard to turn down. We had a +manufacturing deal worked out in the Philippines. Everything ready to go. +Anyway, the model I had ready for limited mass production was small enough to +fit inside a flip-top Marlboro box. It had flush touch panels for a keyboard, +rather than these unsightly buttons, sticking out. Looked just like a tiny +portable radio. In fact, I had designed it with a tiny transistor receiver to +get one AM channel, so in case the law became suspicious the owner could switch +on the radio part, start snapping his fingers, and no one could tell anything +illegal was going on. I thought of everything for this model -- I had it lined +with a band of thermite which could be ignited by radio signal from a tiny +button transmitter on your belt, so it could be burned to ashes instantly in +case of a bust. It was beautiful. A beautiful little machine. You should +have seen the faces on these syndicate guys when they came back after trying it +out. They'd hold it in their palm like they never wanted to let it go, and +they'd say, 'I can't believe it. I can't believe it.' You probably won't +believe it until you try it." + +The Blue Box Is Tested: Certain Connections Are Made + +About eleven o'clock two nights later Fraser Lucey has a blue box in the palm +of his left hand and a phone in the palm of his right. He is standing inside a +phone booth next to an isolated shut-down motel off Highway 1. I am standing +outside the phone booth. + +Fraser likes to show off his blue box for people. Until a few weeks ago when +Pacific Telephone made a few arrests in his city, Fraser Lucey liked to bring +his blue box (This particular blue box, like most blue boxes, is not blue. +Blue boxes have come to be called "blue boxes" either because 1) The first blue +box ever confiscated by phone-company security men happened to be blue, or 2) +To distinguish them from "black boxes." Black boxes are devices, usually a +resistor in series, which, when attached to home phones, allow all incoming +calls to be made without charge to one's caller.) to parties. It never failed: +a few cheeps from his device and Fraser became the center of attention at the +very hippest of gatherings, playing phone tricks and doing request numbers for +hours. He began to take orders for his manufacturer in Mexico. He became a +dealer. + +Fraser is cautious now about where he shows off his blue box. But he never + + Page 34 + + + + + The Official Phreaker's Manual + +gets tired of playing with it. "It's like the first time every time," he tells +me. + +Fraser puts a dime in the slot. He listens for a tone and holds the receiver +up to my ear. I hear the tone. Fraser begins describing, with a certain +practiced air, what he does while he does it. "I'm dialing an 800 number now. +Any 800 number will do. It's toll free. Tonight I think I'll use the ----- (he +names a well-know rent-a-car company) 800 number. Listen, It's ringing. Here, +you hear it? Now watch." He places the blue box over the mouthpiece of the +phone so that the one silver and twelve black push buttons are facing up toward +me. He presses the silver button -- the one at the top -- and I hear that +high-pitched beep. "That's 2600 cycles per second to be exact," says Lucey. +"Now, quick. listen." He shoves the earpiece at me. The ringing has vanished. +The line gives a slight hiccough, there is a sharp buzz, and then nothing but +soft white noise. + +"We're home free now," Lucey tells me, taking back the phone and applying the +blue box to its mouthpiece once again. "We're up on a tandem, into a +long-lines trunk. Once you're up on a tandem, you can send yourself anywhere +you want to go." He decides to check out London first. He chooses a certain +pay phone located in Waterloo Station. This particular pay phone is popular +with the phone-phreaks network because there are usually people walking by at +all hours who will pick it up and talk for a while. + +He presses the lower left-hand corner button which is marked "KP" on the face +of the box. "That's Key Pulse. It tells the tandem we're ready to give it +instructions. First I'll punch out KP 182 START, which will slide us into the +overseas sender in White Plains." I hear a neat clunk-cheep. "I think we'll +head over to England by satellite. Cable is actually faster and the connection +is somewhat better, but I like going by satellite. So I just punch out KP Zero +44. The Zero is supposed to guarantee a satellite connection and 44 is the +country code for England. Okay... we're there. In Liverpool actually. Now +all I have to do is punch out the London area code which is 1, and dial up the +pay phone. Here, listen, I've got a ring now." + +I hear the soft quick purr-purr of a London ring. Then someone picks up the +phone. + +"Hello," says the London voice. + +"Hello. Who's this?" Fraser asks. + +"Hello. There's actually nobody here. I just picked this up while I was +passing by. This is a public phone. There's no one here to answer actually." + +"Hello. Don't hang up. I'm calling from the United States." + +"Oh. What is the purpose of the call? This is a public phone you know." + + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/phreak/PHREAKING/pkmanual2.phk b/textfiles.com/phreak/PHREAKING/pkmanual2.phk new file mode 100644 index 00000000..bb4cd8c8 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/pkmanual2.phk @@ -0,0 +1,1779 @@ + +"Oh. You know. To check out, uh, to find out what's going on in London. How +is it there?" + +"Its five o'clock in the morning. It's raining now." + +"Oh. Who are you?" + +The London passerby turns out to be an R.A.F. enlistee on his way back to the +base in Lincolnshire, with a terrible hangover after a thirty-six-hour pass. + + Page 35 + + + + + The Official Phreaker's Manual + +He and Fraser talk about the rain. They agree that it's nicer when it's not +raining. They say good-bye and Fraser hangs up. His dime returns with a nice +clink. + +"Isn't that far out," he says grinning at me. "London, like that." + +Fraser squeezes the little blue box affectionately in his palm. "I told ya +this thing is for real. Listen, if you don't mind I'm gonna try this girl I +know in Paris. I usually give her a call around this time. It freaks her out. +This time I'll use the ------ (a different rent-a-car company) 800 number and +we'll go by overseas cable, 133; 33 is the country code for France, the 1 sends +you by cable. Okay, here we go.... Oh damn. Busy. Who could she be talking +to at this time?" + +A state police car cruises slowly by the motel. The car does not stop, but +Fraser gets nervous. We hop back into his car and drive ten miles in the +opposite direction until we reach a Texaco station locked up for the night. We +pull up to a phone booth by the tire pump. Fraser dashes inside and tries the +Paris number. It is busy again. + +"I don't understand who she could be talking to. The circuits may be busy. +It's too bad I haven't learned how to tap into lines overseas with this thing +yet." + +Fraser begins to phreak around, as the phone phreaks say. He dials a leading +nationwide charge card's 800 number and punches out the tones that bring him +the time recording in Sydney, Australia. He beeps up the weather recording in +Rome, in Italian of course. He calls a friend in Boston and talks about a +certain over-the-counter stock they are into heavily. He finds the Paris +number busy again. He calls up "Dial a Disc" in London, and we listen to +Double Barrel by David and Ansil Collins, the number-one hit of the week in +London. He calls up a dealer of another sort and talks in code. He calls up +Joe Engressia, the original blind phone-phreak genius, and pays his respects. +There are other calls. Finally Fraser gets through to his young lady in +Paris. + +They both agree the circuits must have been busy, and criticize the Paris +telephone system. At two-thirty in the morning Fraser hangs up, pockets his +dime, and drives off, steering with one hand, holding what he calls his "lovely +little blue box" in the other. + +You Can Call Long Distance For Less Than You Think + +"You see, a few years ago the phone company made one big mistake," Gilbertson +explains two days later in his apartment. "They were careless enough to let +some technical journal publish the actual frequencies used to create all their +multi-frequency tones. Just a theoretical article some Bell Telephone +Laboratories engineer was doing about switching theory, and he listed the tones +in passing. At ----- (a well-known technical school) I had been fooling around +with phones for several years before I came across a copy of the journal in the +engineering library. I ran back to the lab and it took maybe twelve hours from +the time I saw that article to put together the first working blue box. It was +bigger and clumsier than this little baby, but it worked." + +It's all there on public record in that technical journal written mainly by +Bell Lab people for other telephone engineers. Or at least it was public. +"Just try and get a copy of that issue at some engineering-school library now. +Bell has had them all red-tagged and withdrawn from circulation," Gilbertson + + Page 36 + + + + + The Official Phreaker's Manual + +tells me. + +"But it's too late. It's all public now. And once they became public the +technology needed to create your own beeper device is within the range of any +twelve-year-old kid, any twelve-year-old blind kid as a matter of fact. And he +can do it in less than the twelve hours it took us. Blind kids do it all the +time. They can't build anything as precise and compact as my beeper box, but +theirs can do anything mine can do." + +"How?" + +"Okay. About twenty years ago A.T.&T. made a multi-billion-dollar decision to +operate its entire long-distance switching system on twelve electronically +generated combinations of twelve master tones. Those are the tones you +sometimes hear in the background after you've dialed a long-distance number. +They decided to use some very simple tones -- the tone for each number is just +two fixed single-frequency tones played simultaneously to create a certain beat +frequency. Like 1300 cycles per second and 900 cycles per second played +together give you the tone for digit 5. Now, what some of these phone phreaks +have done is get themselves access to an electric organ. Any cheap family +home-entertainment organ. Since the frequencies are public knowledge now -- +one blind phone phreak has even had them recorded in one of the talking books +for the blind -- they just have to find the musical notes on the organ which +correspond to the phone tones. Then they tape them. For instance, to get Ma +Bell's tone for the number 1, you press down organ keys F~5 and A~5 (900 and +700 cycles per second) at the same time. To produce the tone for 2 it's F~5 +and C~6 (1100 and 700 c.p.s). The phone phreaks circulate the whole list of +notes so there's no trial and error anymore." + +He shows me a list of the rest of the phone numbers and the two electric organ +keys that produce them. + +"Actually, you have to record these notes at 3 3/4 inches-per-second tape speed +and double it to 7 1/2 inches-per-second when you play them back, to get the +proper tones," he adds. + +"So once you have all the tones recorded, how do you plug them into the phone +system?" + +"Well, they take their organ and their cassette recorder, and start banging out +entire phone numbers in tones on the organ, including country codes, routing +instructions, 'KP' and 'Start' tones. Or, if they don't have an organ, someone +in the phone-phreak network sends them a cassette with all the tones recorded, +with a voice saying 'Number one,' then you have the tone, 'Number two,' then +the tone and so on. So with two cassette recorders they can put together a +series of phone numbers by switching back and forth from number to number. Any +idiot in the country with a cheap cassette recorder can make all the free calls +he wants." + +"You mean you just hold the cassette recorder up the mouthpiece and switch in a +series of beeps you've recorded? The phone thinks that anything that makes +these tones must be its own equipment?" + +"Right. As long as you get the frequency within thirty cycles per second of +the phone company's tones, the phone equipment thinks it hears its own voice +talking to it. The original granddaddy phone phreak was this blind kid with +perfect pitch, Joe Engressia, who used to whistle into the phone. An operator +could tell the difference between his whistle and the phone company's + + Page 37 + + + + + The Official Phreaker's Manual + +electronic tone generator, but the phone company's switching circuit can't tell +them apart. The bigger the phone company gets and the further away from human +operators it gets, the more vulnerable it becomes to all sorts of phone +phreaking." + +A Guide for the Perplexed + +"But wait a minute," I stop Gilbertson. "If everything you do sounds like +phone-company equipment, why doesn't the phone company charge you for the call +the way it charges its own equipment?" + +"Okay. That's where the 2600-cycle tone comes in. I better start from the +beginning." + +The beginning he describes for me is a vision of the phone system of the +continent as thousands of webs, of long-line trunks radiating from each of the +hundreds of toll switching offices to the other toll switching offices. Each +toll switching office is a hive compacted of thousands of long-distance tandems +constantly whistling and beeping to tandems in far-off toll switching offices. + +The tandem is the key to the whole system. Each tandem is a line with some +relays with the capability of signalling any other tandem in any other toll +switching office on the continent, either directly one-to-one or by programming +a roundabout route through several other tandems if all the direct routes are +busy. For instance, if you want to call from New York to Los Angeles and +traffic is heavy on all direct trunks between the two cities, your tandem in +New York is programmed to try the next best route, which may send you down to a +tandem in New Orleans, then up to San Francisco, or down to a New Orleans +tandem, back to an Atlanta tandem, over to an Albuquerque tandem and finally up +to Los Angeles. + +When a tandem is not being used, when it's sitting there waiting for someone to +make a long-distance call, it whistles. One side of the tandem, the side +"facing" your home phone, whistles at 2600 cycles per second toward all the +home phones serviced by the exchange, telling them it is at their service, +should they be interested in making a long-distance call. The other side of +the tandem is whistling 2600 c.p.s. into one or more long-distance trunk lines, +telling the rest of the phone system that it is neither sending nor receiving a +call through that trunk at the moment, that it has no use for that trunk at the +moment. + +"When you dial a long-distance number the first thing that happens is that you +are hooked into a tandem. A register comes up to the side of the tandem facing +away from you and presents that side with the number you dialed. This sending +side of the tandem stops whistling 2600 into its trunk line. When a tandem +stops the 2600 tone it has been sending through a trunk, the trunk is said to +be "seized," and is now ready to carry the number you have dialed -- converted +into multi-frequency beep tones -- to a tandem in the area code and central +office you want. + +Now when a blue-box operator wants to make a call from New Orleans to New York +he starts by dialing the 800 number of a company which might happen to have its +headquarters in Los Angeles. The sending side of the New Orleans tandem stops +sending 2600 out over the trunk to the central office in Los Angeles, thereby +seizing the trunk. Your New Orleans tandem begins sending beep tones to a +tandem it has discovered idly whistling 2600 cycles in Los Angeles. The +receiving end of that L.A. tandem is seized, stops whistling 2600, listens to +the beep tones which tell it which L.A. phone to ring, and starts ringing the + + Page 38 + + + + + The Official Phreaker's Manual + +800 number. Meanwhile a mark made in the New Orleans office accounting tape +notes that a call from your New Orleans phone to the 800 number in L.A. has +been initiated and gives the call a code number. Everything is routine so far. + +But then the phone phreak presses his blue box to the mouthpiece and pushes the +2600-cycle button, sending 2600 out from the New Orleans tandem to the L.A. +tandem. The L.A. tandem notices 2600 cycles are coming over the line again and +assumes that New Orleans has hung up because the trunk is whistling as if idle. +The L.A. tandem immediately ceases ringing the L.A. 800 number. But as soon as +the phreak takes his finger off the 2600 button, the L.A. tandem assumes the +trunk is once again being used because the 2600 is gone, so it listens for a +new series of digit tones - to find out where it must send the call. + +Thus the blue-box operator in New Orleans now is in touch with a tandem in L.A. +which is waiting like an obedient genie to be told what to do next. The +blue-box owner then beeps out the ten digits of the New York number which tell +the L.A. tandem to relay a call to New York City. Which it promptly does. As +soon as your party picks up the phone in New York, the side of the New Orleans +tandem facing you stops sending 2600 cycles to you and stars carrying his voice +to you by way of the L.A. tandem. A notation is made on the accounting tape +that the connection has been made on the 800 call which had been initiated and +noted earlier. When you stop talking to New York a notation is made that the +800 call has ended. + +At three the next morning, when the phone company's accounting computer starts +reading back over the master accounting tape for the past day, it records that +a call of a certain length of time was made from your New Orleans home to an +L.A. 800 number and, of course, the accounting computer has been trained to +ignore those toll-free 800 calls when compiling your monthly bill. + +"All they can prove is that you made an 800 toll-free call," Gilbertson the +inventor concludes. "Of course, if you're foolish enough to talk for two hours +on an 800 call, and they've installed one of their special anti-fraud computer +programs to watch out for such things, they may spot you and ask why you took +two hours talking to Army Recruiting's 800 number when you're 4-F. + +But if you do it from a pay phone, they may discover something peculiar the +next day -- if they've got a blue-box hunting program in their computer -- but +you'll be a long time gone from the pay phone by then. Using a pay phone is +almost guaranteed safe." + +"What about the recent series of blue-box arrests all across the country -- New +York, Cleveland, and so on?" I asked. "How were they caught so easily?" + +"From what I can tell, they made one big mistake: they were seizing trunks +using an area code plus 555-1212 instead of an 800 number. Using 555 is easy to +detect because when you send multi-frequency beep tones of 555 you get a charge +for it on your tape and the accounting computer knows there's something wrong +when it tries to bill you for a two-hour call to Akron, Ohio, information, and +it drops a trouble card which goes right into the hands of the security agent +if they're looking for blue-box user. + +"Whoever sold those guys their blue boxes didn't tell them how to use them +properly, which is fairly irresponsible. And they were fairly stupid to use +them at home all the time. + +"But what those arrests really mean is than an awful lot of blue boxes are +flooding into the country and that people are finding them so easy to make that + + Page 39 + + + + + The Official Phreaker's Manual + +they know how to make them before they know how to use them. Ma Bell is in +trouble." + +And if a blue-box operator or a cassette-recorder phone phreak sticks to pay +phones and 800 numbers, the phone company can't stop them? + +"Not unless they change their entire nationwide long-lines technology, which +will take them a few billion dollars and twenty years. Right now they can't do +a thing. They're screwed." + ++-- End first file of four --+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 40 + + + + + The Official Phreaker's Manual + + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + * * + * +----------------------------------------------+ * + * * + * Secrets of the Little Blue Box * + * * + * by Ron Rosenbaum * + * Typed by One Farad Cap/AAG * + * * + * -A story so incredible it may even make you * + * feel sorry for the phone company- * + * * + * (Second of four files) * + * * + * +----------------------------------------------+ * + * * + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + +Captain Crunch Demonstrates His Famous Unit + +There is an underground telephone network in this country. Gilbertson +discovered it the very day news of his activities hit the papers. That evening +his phone began ringing. Phone phreaks from Seattle, from Florida, from New +York, from San Jose, and from Los Angeles began calling him and telling him +about the phone-phreak network. He'd get a call from a phone phreak who'd say +nothing but, "Hang up and call this number." + +When he dialed the number he'd find himself tied into a conference of a dozen +phone phreaks arranged through a quirky switching station in British Columbia. +They identified themselves as phone phreaks, they demonstrated their homemade +blue boxes which they called "M-Fers" (for "multi-frequency," among other +things) for him, they talked shop about phone-phreak devices. They let him in +on their secrets on the theory that if the phone company was after him he must +be trustworthy. And, Gilbertson recalls, they stunned him with their technical +sophistication. + +I ask him how to get in touch with the phone-phreak network. He digs around +through a file of old schematics and comes up with about a dozen numbers in +three widely separated area codes. + +"Those are the centers," he tells me. Alongside some of the numbers he writes +in first names or nicknames: names like Captain Crunch, Dr. No, Frank Carson +(also a code word for a free call), Marty Freeman (code word for M-F device), +Peter Perpendicular Pimple, Alefnull, and The Cheshire Cat. He makes checks +alongside the names of those among these top twelve who are blind. There are +five checks. + +I ask him who this Captain Crunch person is. + +"Oh. The Captain. He's probably the most legendary phone phreak. He calls +himself Captain Crunch after the notorious Cap'n Crunch 2600 whistle." +(Several years ago, Gilbertson explains, the makers of Cap'n Crunch breakfast +cereal offered a toy-whistle prize in every box as a treat for the Cap'n Crunch +set. Somehow a phone phreak discovered that the toy whistle just happened to +produce a perfect 2600-cycle tone. When the man who calls himself Captain +Crunch was transferred overseas to England with his Air Force unit, he would +receive scores of calls from his friends and "mute" them -- make them free of +charge to them -- by blowing his Cap'n Crunch whistle into his end.) + + Page 41 + + + + + The Official Phreaker's Manual + + +"Captain Crunch is one of the older phone phreaks," Gilbertson tells me. "He's +an engineer who once got in a little trouble for fooling around with the phone, +but he can't stop. Well, they guy drives across country in a Volkswagen van +with an entire switchboard and a computerized super-sophisticated M-F-er in the +back. He'll pull up to a phone booth on a lonely highway somewhere, snake a +cable out of his bus, hook it onto the phone and sit for hours, days sometimes, +sending calls zipping back and forth across the country, all over the +world...." + +Back at my motel, I dialed the number he gave me for "Captain Crunch" and asked +for G---- T-----, his real name, or at least the name he uses when he's not +dashing into a phone booth beeping out M-F tones faster than a speeding bullet +and zipping phantomlike through the phone company's long-distance lines. + +When G---- T----- answered the phone and I told him I was preparing a story for +Esquire about phone phreaks, he became very indignant. + +"I don't do that. I don't do that anymore at all. And if I do it, I do it for +one reason and one reason only. I'm learning about a system. The phone +company is a System. A computer is a System, do you understand? If I do what +I do, it is only to explore a system. Computers, systems, that's my bag. The +phone company is nothing but a computer." + +A tone of tightly restrained excitement enters the Captain's voice when he +starts talking about systems. He begins to pronounce each syllable with the +hushed deliberation of an obscene caller. + +"Ma Bell is a system I want to explore. It's a beautiful system, you know, but +Ma Bell screwed up. It's terrible because Ma Bell is such a beautiful system, +but she screwed up. I learned how she screwed up from a couple of blind kids +who wanted me to build a device. A certain device. They said it could make +free calls. I wasn't interested in free calls. But when these blind kids told +me I could make calls into a computer, my eyes lit up. I wanted to learn about +computers. I wanted to learn about Ma Bell's computers. So I build the little +device, but I built it wrong and Ma Bell found out. Ma Bell can detect things +like that. Ma Bell knows. So I'm strictly rid of it now. I don't do it. +Except for learning purposes." He pauses. "So you want to write an article. +Are you paying for this call? Hang up and call this number." He gives me a +number in a area code a thousand miles away of his own. I dial the number. + +"Hello again. This is Captain Crunch. You are speaking to me on a toll-free +loop-around in Portland, Oregon. Do you know what a toll-free loop around is? +I'll tell you. + +He explains to me that almost every exchange in the country has open test +numbers which allow other exchanges to test their connections with it. Most of +these numbers occur in consecutive pairs, such as 302 956-0041 and 302 +956-0042. Well, certain phone phreaks discovered that if two people from +anywhere in the country dial the two consecutive numbers they can talk together +just as if one had called the other's number, with no charge to either of them, +of course. + +"Now our voice is looping around in a 4A switching machine up there in Canada, +zipping back down to me," the Captain tells me. "My voice is looping around up +there and back down to you. And it can't ever cost anyone money. The phone +phreaks and I have compiled a list of many many of these numbers. You would be +surprised if you saw the list. I could show it to you. But I won't. I'm out + + Page 42 + + + + + The Official Phreaker's Manual + +of that now. I'm not out to screw Ma Bell. I know better. If I do anything +it's for the pure knowledge of the System. You can learn to do fantastic +things. Have you ever heard eight tandems stacked up? Do you know the sound +of tandems stacking and unstacking? Give me your phone number. Okay. Hang up +now and wait a minute." + +Slightly less than a minute later the phone rang and the Captain was on the +line, his voice sounding far more excited, almost aroused. + +"I wanted to show you what it's like to stack up tandems. To stack up +tandems." (Whenever the Captain says "stack up" it sounds as if he is licking +his lips.) + +"How do you like the connection you're on now?" the Captain asks me. "It's a +raw tandem. A raw tandem. Ain't nothin' up to it but a tandem. Now I'm going +to show you what it's like to stack up. Blow off. Land in a far away place. +To stack that tandem up, whip back and forth across the country a few times, +then shoot on up to Moscow. + +"Listen," Captain Crunch continues. "Listen. I've got line tie on my +switchboard here, and I'm gonna let you hear me stack and unstack tandems. +Listen to this. It's gonna blow your mind." + +First I hear a super rapid-fire pulsing of the flutelike phone tones, then a +pause, then another popping burst of tones, then another, then another. Each +burst is followed by a beep-kachink sound. + +"We have now stacked up four tandems," said Captain Crunch, sounding somewhat +remote. "That's four tandems stacked up. Do you know what that means? That +means I'm whipping back and forth, back and forth twice, across the country, +before coming to you. I've been known to stack up twenty tandems at a time. +Now, just like I said, I'm going to shoot up to Moscow." + +There is a new, longer series of beeper pulses over the line, a brief silence, +then a ring. + +"Hello," answers a far-off voice. + +"Hello. Is this the American Embassy Moscow?" + +"Yes, sir. Who is this calling?" says the voice. + +"Yes. This is test board here in New York. We're calling to check out the +circuits, see what kind of lines you've got. Everything okay there in +Moscow?" + +"Okay?" + +"Well, yes, how are things there?" + +"Oh. Well, everything okay, I guess." + +"Okay. Thank you." + +They hang up, leaving a confused series of beep-kachink sounds hanging in +mid-ether in the wake of the call before dissolving away. + +The Captain is pleased. "You believe me now, don't you? Do you know what I'd + + Page 43 + + + + + The Official Phreaker's Manual + +like to do? I'd just like to call up your editor at Esquire and show him just +what it sounds like to stack and unstack tandems. I'll give him a show that +will blow his mind. What's his number? + +I ask the Captain what kind of device he was using to accomplish all his feats. +The Captain is pleased at the question. + +"You could tell it was special, couldn't you?" Ten pulses per second. That's +faster than the phone company's equipment. Believe me, this unit is the most +famous unit in the country. There is no other unit like it. Believe me." + +"Yes, I've heard about it. Some other phone phreaks have told me about it." + +"They have been referring to my, ahem, unit? What is it they said? Just out of +curiosity, did they tell you it was a highly sophisticated computer-operated +unit, with acoustical coupling for receiving outputs and a switch-board with +multiple-line-tie capability? Did they tell you that the frequency tolerance +is guaranteed to be not more than .05 percent? The amplitude tolerance less +than .01 decibel? Those pulses you heard were perfect. They just come faster +than the phone company. Those were high-precision op-amps. Op-amps are +instrumentation amplifiers designed for ultra-stable amplification, super-low +distortion and accurate frequency response. Did they tell you it can operate +in temperatures from -55 degrees C to +125 degrees C?" + +I admit that they did not tell me all that. + +"I built it myself," the Captain goes on. "If you were to go out and buy the +components from an industrial wholesaler it would cost you at least $1500. I +once worked for a semiconductor company and all this didn't cost me a cent. Do +you know what I mean? Did they tell you about how I put a call completely +around the world? I'll tell you how I did it. I M-Fed Tokyo inward, who +connected me to India, India connected me to Greece, Greece connected me to +Pretoria, South Africa, South Africa connected me to South America, I went from +South America to London, I had a London operator connect me to a New York +operator, I had New York connect me to a California operator who rang the phone +next to me. Needless to say I had to shout to hear myself. But the echo was +far out. Fantastic. Delayed. It was delayed twenty seconds, but I could hear +myself talk to myself." + +"You mean you were speaking into the mouthpiece of one phone sending your voice +around the world into your ear through a phone on the other side of your head?" +I asked the Captain. I had a vision of something vaguely autoerotic going on, +in a complex electronic way. + +"That's right," said the Captain. "I've also sent my voice around the world +one way, going east on one phone, and going west on the other, going through +cable one way, satellite the other, coming back together at the same time, +ringing the two phones simultaneously and picking them up and whipping my +voice both ways around the world back to me. Wow. That was a mind blower." + +"You mean you sit there with both phones on your ear and talk to yourself +around the world," I said incredulously. + +"Yeah. Um hum. That's what I do. I connect the phone together and sit there +and talk." + +"What do you say? What do you say to yourself when you're connected?" + + + Page 44 + + + + + The Official Phreaker's Manual + +"Oh, you know. Hello test one two three," he says in a low-pitched voice. + +"Hello test one two three," he replied to himself in a high-pitched voice. + +"Hello test one two three," he repeats again, low-pitched. + +"Hello test one two three," he replies, high-pitched. + +"I sometimes do this: Hello Hello Hello Hello, Hello, hello," he trails off and +breaks into laughter. + +Why Captain Crunch Hardly Ever Taps Phones Anymore + +Using internal phone-company codes, phone phreaks have learned a simple method +for tapping phones. Phone-company operators have in front of them a board that +holds verification jacks. It allows them to plug into conversations in case of +emergency, to listen in to a line to determine if the line is busy or the +circuits are busy. Phone phreaks have learned to beep out the codes which lead +them to a verification operator, tell the verification operator they are +switchmen from some other area code testing out verification trunks. Once the +operator hooks them into the verification trunk, they disappear into the board +for all practical purposes, slip unnoticed into any one of the 10,000 to +100,000 numbers in that central office without the verification operator +knowing what they're doing, and of course without the two parties to the +connection knowing there is a phantom listener present on their line. + +Toward the end of my hour-long first conversation with him, I asked the Captain +if he ever tapped phones. + +"Oh no. I don't do that. I don't think it's right," he told me firmly. "I +have the power to do it but I don't... Well one time, just one time, I have to +admit that I did. There was this girl, Linda, and I wanted to find out... you +know. I tried to call her up for a date. I had a date with her the last +weekend and I thought she liked me. I called her up, man, and her line was +busy, and I kept calling and it was still busy. Well, I had just learned about +this system of jumping into lines and I said to myself, 'Hmmm. Why not just +see if it works. It'll surprise her if all of a sudden I should pop up on her +line. It'll impress her, if anything.' So I went ahead and did it. I M-Fed +into the line. My M-F-er is powerful enough when patched directly into the +mouthpiece to trigger a verification trunk without using an operator the way +the other phone phreaks have to. + +"I slipped into the line and there she was talking to another boyfriend. +Making sweet talk to him. I didn't make a sound because I was so disgusted. +So I waited there for her to hang up, listening to her making sweet talk to the +other guy. You know. So as soon as she hung up I instantly M-F-ed her up and +all I said was, 'Linda, we're through.' And I hung up. And it blew her head +off. She couldn't figure out what the hell happened. + +"But that was the only time. I did it thinking I would surprise her, impress +her. Those were all my intentions were, and well, it really kind of hurt me +pretty badly, and... and ever since then I don't go into verification trunks." + +Moments later my first conversation with the Captain comes to a close. + +"Listen," he says, his spirits somewhat cheered, "listen. What you are going +to hear when I hang up is the sound of tandems unstacking. Layer after layer of +tandems unstacking until there's nothing left of the stack, until it melts away + + Page 45 + + + + + The Official Phreaker's Manual + +into nothing. Cheep, cheep, cheep, cheep," he concludes, his voice descending +to a whisper with each cheep. + +He hangs up. The phone suddenly goes into four spasms: kachink cheep. Kachink +cheep kachink cheep kachink cheep, and the complex connection has wiped itself +out like the Cheshire cat's smile. + +The MF Boogie Blues + +The next number I choose from the select list of phone-phreak alumni, prepared +for me by the blue-box inventor, is a Memphis number. It is the number of Joe +Engressia, the first and still perhaps the most accomplished blind phone +phreak. + +Three years ago Engressia was a nine-day wonder in newspapers and magazines all +over America because he had been discovered whistling free long-distance +connections for fellow students at the University of South Florida. Engressia +was born with perfect pitch: he could whistle phone tones better than the +phone-company's equipment. + +Engressia might have gone on whistling in the dark for a few friends for the +rest of his life if the phone company hadn't decided to expose him. He was +warned, disciplined by the college, and the whole case became public. In the +months following media reports of his talent, Engressia began receiving strange +calls. There were calls from a group of kids in Los Angeles who could do some +very strange things with the quirky General Telephone and Electronics circuitry +in L.A. suburbs. There were calls from a group of mostly blind kids in ----, +California, who had been doing some interesting experiments with Cap'n Crunch +whistles and test loops. There was a group in Seattle, a group in Cambridge, +Massachusetts, a few from New York, a few scattered across the country. Some +of them had already equipped themselves with cassette and electronic M-F +devices. For some of these groups, it was the first time they knew of the +others. + +The exposure of Engressia was the catalyst that linked the separate +phone-phreak centers together. They all called Engressia. They talked to him +about what he was doing and what they were doing. And then he told them -- the +scattered regional centers and lonely independent phone phreakers -- about each +other, gave them each other's numbers to call, and within a year the scattered +phone-phreak centers had grown into a nationwide underground. + +Joe Engressia is only twenty-two years old now, but along the phone-phreak +network he is "the old man," accorded by phone phreaks something of the +reverence the phone company bestows on Alexander Graham Bell. He seldom needs +to make calls anymore. The phone phreaks all call him and let him know what +new tricks, new codes, new techniques they have learned. Every night he sits +like a sightless spider in his little apartment receiving messages from every +tendril of his web. It is almost a point of pride with Joe that they call +him. + +But when I reached him in his Memphis apartment that night, Joe Engressia was +lonely, jumpy and upset. + +"God, I'm glad somebody called. I don't know why tonight of all nights I don't +get any calls. This guy around here got drunk again tonight and propositioned +me again. I keep telling him we'll never see eye to eye on this subject, if +you know what I mean. I try to make light of it, you know, but he doesn't get +it. I can head him out there getting drunker and I don't know what he'll do + + Page 46 + + + + + The Official Phreaker's Manual + +next. It's just that I'm really all alone here, just moved to Memphis, it's +the first time I'm living on my own, and I'd hate for it to all collapse now. +But I won't go to bed with him. I'm just not very interested in sex and even +if I can't see him I know he's ugly. + +"Did you hear that? That's him banging a bottle against the wall outside. +He's nice. Well forget about it. You're doing a story on phone phreaks? +Listen to this. It's the MF Boogie Blues. + +Sure enough, a jumpy version of Muskrat Ramble boogies its way over the line, +each note one of those long-distance phone tones. The music stops. A huge +roaring voice blasts the phone off my ear: "AND THE QUESTION IS..." roars the +voice, "CAN A BLIND PERSON HOOK UP AN AMPLIFIER ON HIS OWN?" + +The roar ceases. A high-pitched operator-type voice replaces it. "This is +Southern Braille Tel. & Tel. Have tone, will phone." + +This is succeeded by a quick series of M-F tones, a swift "kachink" and a deep +reassuring voice: "If you need home care, call the visiting-nurses association. +First National time in Honolulu is 4:32 p.m." + +Joe back in his Joe voice again: "Are we seeing eye to eye? 'Si, si,' said the +blind Mexican. Ahem. Yes. Would you like to know the weather in Tokyo?" + +This swift manic sequence of phone-phreak vaudeville stunts and blind-boy jokes +manages to keep Joe's mind off his tormentor only as long as it lasts. + +"The reason I'm in Memphis, the reason I have to depend on that homosexual guy, +is that this is the first time I've been able to live on my own and make phone +trips on my own. I've been banned from all central offices around home in +Florida, they knew me too well, and at the University some of my fellow +scholars were always harassing me because I was on the dorm pay phone all the +time and making fun of me because of my fat ass, which of course I do have, +it's my physical fatness program, but I don't like to hear it every day, and if +I can't phone trip and I can't phone phreak, I can't imagine what I'd do, I've +been devoting three quarters of my life to it. + +"I moved to Memphis because I wanted to be on my own as well as because it has +a Number 5 crossbar switching system and some interesting little independent +phone-company districts nearby and so far they don't seem to know who I am so I +can go on phone tripping, and for me phone tripping is just as important as +phone phreaking." + +Phone tripping, Joe explains, begins with calling up a central-office switch +room. He tells the switchman in a polite earnest voice that he's a blind +college student interested in telephones, and could he perhaps have a guided +tour of the switching station? Each step of the tour Joe likes to touch and +feel relays, caress switching circuits, switchboards, crossbar arrangements. + +So when Joe Engressia phone phreaks he feels his way through the circuitry of +the country garden of forking paths, he feels switches shift, relays shunt, +crossbars swivel, tandems engage and disengage even as he hears -- with perfect +pitch -- his M-F pulses make the entire Bell system dance to his tune. + +Just one month ago Joe took all his savings out of his bank and left home, over +the emotional protests of his mother. "I ran away from home almost," he likes +to say. Joe found a small apartment house on Union Avenue and began making +phone trips. He'd take a bus a hundred miles south in Mississippi to see some + + Page 47 + + + + + The Official Phreaker's Manual + +old-fashioned Bell equipment still in use in several states, which had been +puzzling. He'd take a bus three hundred miles to Charlotte, North Carolina, to +look at some brand-new experimental equipment. He hired a taxi to drive him +twelve miles to a suburb to tour the office of a small phone company with some +interesting idiosyncrasies in its routing system. He was having the time of +his life, he said, the most freedom and pleasure he had known. + +In that month he had done very little long-distance phone phreaking from his +own phone. He had begun to apply for a job with the phone company, he told me, +and he wanted to stay away from anything illegal. + +"Any kind of job will do, anything as menial as the most lowly operator. +That's probably all they'd give me because I'm blind. Even though I probably +know more than most switchmen. But that's okay. I want to work for Ma Bell. +I don't hate Ma Bell the way Gilbertson and some phone phreaks do. I don't +want to screw Ma Bell. With me it's the pleasure of pure knowledge. There's +something beautiful about the system when you know it intimately the way I do. +But I don't know how much they know about me here. I have a very intuitive +feel for the condition of the line I'm on, and I think they're monitoring me +off and on lately, but I haven't been doing much illegal. I have to make a few +calls to switchmen once in a while which aren't strictly legal, and once I took +an acid trip and was having these auditory hallucinations as if I were trapped +and these planes were dive-bombing me, and all of sudden I had to phone phreak +out of there. For some reason I had to call Kansas City, but that's all." + +A Warning Is Delivered + +At this point -- one o'clock in my time zone -- a loud knock on my motel-room +door interrupts our conversation. Outside the door I find a uniformed security +guard who informs me that there has been an "emergency phone call" for me while +I have been on the line and that the front desk has sent him up to let me +know. + +Two seconds after I say good-bye to Joe and hang up, the phone rings. + +"Who were you talking to?" the agitated voice demands. The voice belongs to +Captain Crunch. "I called because I decided to warn you of something. I +decided to warn you to be careful. I don't want this information you get to +get to the radical underground. I don't want it to get into the wrong hands. +What would you say if I told you it's possible for three phone phreaks to +saturate the phone system of the nation. Saturate it. Busy it out. All of +it. I know how to do this. I'm not gonna tell. A friend of mine has already +saturated the trunks between Seattle and New York. He did it with a +computerized M-F-er hitched into a special Manitoba exchange. But there are +other, easier ways to do it." + +Just three people? I ask. How is that possible? + +"Have you ever heard of the long-lines guard frequency? Do you know about +stacking tandems with 17 and 2600? Well, I'd advise you to find out about it. +I'm not gonna tell you. But whatever you do, don't let this get into the hands +of the radical underground." + +(Later Gilbertson, the inventor, confessed that while he had always been +skeptical about the Captain's claim of the sabotage potential of trunk-tying +phone phreaks, he had recently heard certain demonstrations which convinced him +the Captain was not speaking idly. "I think it might take more than three +people, depending on how many machines like Captain Crunch's were available. + + Page 48 + + + + + The Official Phreaker's Manual + +But even though the Captain sounds a little weird, he generally turns out to +know what he's talking about.") + +"You know," Captain Crunch continues in his admonitory tone, "you know the +younger phone phreaks call Moscow all the time. Suppose everybody were to call +Moscow. I'm no right-winger. But I value my life. I don't want the Commies +coming over and dropping a bomb on my head. That's why I say you've got to be +careful about who gets this information." + +The Captain suddenly shifts into a diatribe against those phone phreaks who +don't like the phone company. + +"They don't understand, but Ma Bell knows everything they do. Ma Bell knows. +Listen, is this line hot? I just heard someone tap in. I'm not paranoid, but +I can detect things like that. Well, even if it is, they know that I know that +they know that I have a bulk eraser. I'm very clean." The Captain pauses, +evidently torn between wanting to prove to the phone-company monitors that he +does nothing illegal, and the desire to impress Ma Bell with his prowess. "Ma +Bell knows how good I am. And I am quite good. I can detect reversals, tandem +switching, everything that goes on on a line. I have relative pitch now. Do +you know what that means? My ears are a $20,000 piece of equipment. With my +ears I can detect things they can't hear with their equipment. I've had +employment problems. I've lost jobs. But I want to show Ma Bell how good I +am. I don't want to screw her, I want to work for her. I want to do good for +her. I want to help her get rid of her flaws and become perfect. That's my +number-one goal in life now." The Captain concludes his warnings and tells me +he has to be going. "I've got a little action lined up for tonight," he +explains and hangs up. + +Before I hang up for the night, I call Joe Engressia back. He reports that his +tormentor has finally gone to sleep -- "He's not blind drunk, that's the way I +get, ahem, yes; but you might say he's in a drunken stupor." I make a date to +visit Joe in Memphis in two days. + ++-- End second file of four --+ + + + + + + + + + + + + + + + + + + + + + + + + + Page 49 + + + + + The Official Phreaker's Manual + + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + * * + * +----------------------------------------------+ * + * * + * Secrets of the Little Blue Box * + * * + * by Ron Rosenbaum * + * Typed by One Farad Cap/AAG * + * * + * -A story so incredible it may even make you * + * feel sorry for the phone company- * + * * + * (Third of four files) * + * * + * +----------------------------------------------+ * + * * + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + +A Phone Phreak Call Takes Care of Business + +The next morning I attend a gathering of four phone phreaks in ----- (a +California suburb). The gathering takes place in a comfortable split-level +home in an upper-middle-class subdivision. Heaped on the kitchen table are the +portable cassette recorders, M-F cassettes, phone patches, and line ties of the +four phone phreaks present. On the kitchen counter next to the telephone is a +shoe-box-size blue box with thirteen large toggle switches for the tones. The +parents of the host phone phreak, Ralph, who is blind, stay in the living room +with their sighted children. They are not sure exactly what Ralph and his +friends do with the phone or if it's strictly legal, but he is blind and they +are pleased he has a hobby which keeps him busy. + +The group has been working at reestablishing the historic "2111" conference, +reopening some toll-free loops, and trying to discover the dimensions of what +seem to be new initiatives against phone phreaks by phone-company security +agents. + +It is not long before I get a chance to see, to hear, Randy at work. Randy is +known among the phone phreaks as perhaps the finest con man in the game. Randy +is blind. He is pale, soft and pear-shaped, he wears baggy pants and a wrinkly +nylon white sport shirt, pushes his head forward from hunched shoulders +somewhat like a turtle inching out of its shell. His eyes wander, crossing and +recrossing, and his forehead is somewhat pimply. He is only sixteen years +old. + +But when Randy starts speaking into a telephone mouthpiece his voice becomes so +stunningly authoritative it is necessary to look again to convince yourself it +comes from a chubby adolescent Randy. Imagine the voice of a crack oil-rig +foreman, a tough, sharp, weather-beaten Marlboro man of forty. Imagine the +voice of a brilliant performance-fund gunslinger explaining how he beats the +Dow Jones by thirty percent. Then imagine a voice that could make those two +sound like Stepin Fetchit. That is sixteen-year-old Randy's voice. + +He is speaking to a switchman in Detroit. The phone company in Detroit had +closed up two toll-free loop pairs for no apparent reason, although heavy use +by phone phreaks all over the country may have been detected. Randy is telling +the switchman how to open up the loop and make it free again: + +"How are you, buddy. Yeah. I'm on the board in here in Tulsa, Oklahoma, and + + Page 50 + + + + + The Official Phreaker's Manual + +we've been trying to run some tests on your loop-arounds and we find'em busied +out on both sides.... Yeah, we've been getting a 'BY' on them, what d'ya say, +can you drop cards on 'em? Do you have 08 on your number group? Oh that's +okay, we've had this trouble before, we may have to go after the circuit. Here +lemme give 'em to you: your frame is 05, vertical group 03, horizontal 5, +vertical file 3. Yeah, we'll hang on here.... Okay, found it? Good. Right, +yeah, we'd like to clear that busy out. Right. All you have to do is look for +your key on the mounting plate, it's in your miscellaneous trunk frame. Okay? +Right. Now pull your key from NOR over the LCT. Yeah. I don't know why that +happened, but we've been having trouble with that one. Okay. Thanks a lot +fella. Be seein' ya." + +Randy hangs up, reports that the switchman was a little inexperienced with the +loop-around circuits on the miscellaneous trunk frame, but that the loop has +been returned to its free-call status. + +Delighted, phone phreak Ed returns the pair of numbers to the active-status +column in his directory. Ed is a superb and painstaking researcher. With +almost Talmudic thoroughness he will trace tendrils of hints through soft-wired +mazes of intervening phone-company circuitry back through complex linkages of +switching relays to find the location and identity of just one toll-free loop. +He spends hours and hours, every day, doing this sort of thing. He has somehow +compiled a directory of eight hundred "Band-six in-WATS numbers" located in +over forty states. Band-six in-WATS numbers are the big 800 numbers -- the +ones that can be dialed into free from anywhere in the country. + +Ed the researcher, a nineteen-year-old engineering student, is also a superb +technician. He put together his own working blue box from scratch at age +seventeen. (He is sighted.) This evening after distributing the latest issue +of his in-WATS directory (which has been typed into Braille for the blind phone +phreaks), he announces he has made a major new breakthrough: + +"I finally tested it and it works, perfectly. I've got this switching matrix +which converts any touch-tone phone into an M-F-er." + +The tones you hear in touch-tone phones are not the M-F tones that operate the +long-distance switching system. Phone phreaks believe A.T.&T. had deliberately +equipped touch tones with a different set of frequencies to avoid putting the +six master M-F tones in the hands of every touch-tone owner. Ed's complex +switching matrix puts the six master tones, in effect put a blue box, in the +hands of every touch-tone owner. + +Ed shows me pages of schematics, specifications and parts lists. "It's not easy +to build, but everything here is in the Heathkit catalog." + +Ed asks Ralph what progress he has made in his attempts to reestablish a +long-term open conference line for phone phreaks. The last big conference -- +the historic "2111" conference -- had been arranged through an unused Telex +test-board trunk somewhere in the innards of a 4A switching machine in +Vancouver, Canada. For months phone phreaks could M-F their way into +Vancouver, beep out 604 (the Vancouver area code) and then beep out 2111 (the +internal phone-company code for Telex testing), and find themselves at any +time, day or night, on an open wire talking with an array of phone phreaks from +coast to coast, operators from Bermuda, Tokyo and London who are phone-phreak +sympathizers, and miscellaneous guests and technical experts. The conference +was a massive exchange of information. Phone phreaks picked each other's +brains clean, then developed new ways to pick the phone company's brains clean. +Ralph gave M F Boogies concerts with his home-entertainment-type electric + + Page 51 + + + + + The Official Phreaker's Manual + +organ, Captain Crunch demonstrated his round-the-world prowess with his +notorious computerized unit and dropped leering hints of the "action" he was +getting with his girl friends. (The Captain lives out or pretends to live out +several kinds of fantasies to the gossipy delight of the blind phone phreaks +who urge him on to further triumphs on behalf of all of them.) The somewhat +rowdy Northwest phone-phreak crowd let their bitter internal feud spill over +into the peaceable conference line, escalating shortly into guerrilla warfare; +Carl the East Coast international tone relations expert demonstrated newly +opened direct M-F routes to central offices on the island of Bahrein in the +Persian Gulf, introduced a new phone-phreak friend of his in Pretoria, and +explained the technical operation of the new Oakland-to Vietnam linkages. +(Many phone phreaks pick up spending money by M-F-ing calls from relatives to +Vietnam G.I.'s, charging $5 for a whole hour of trans-Pacific conversation.) + +Day and night the conference line was never dead. Blind phone phreaks all over +the country, lonely and isolated in homes filled with active sighted brothers +and sisters, or trapped with slow and unimaginative blind kids in straitjacket +schools for the blind, knew that no matter how late it got they could dial up +the conference and find instant electronic communion with two or three other +blind kids awake over on the other side of America. Talking together on a +phone hookup, the blind phone phreaks say, is not much different from being +there together. Physically, there was nothing more than a two-inch-square wafer +of titanium inside a vast machine on Vancouver Island. For the blind kids +>there< meant an exhilarating feeling of being in touch, through a kind of +skill and magic which was peculiarly their own. + +Last April 1, however, the long Vancouver Conference was shut off. The phone +phreaks knew it was coming. Vancouver was in the process of converting from a +step-by-step system to a 4A machine and the 2111 Telex circuit was to be wiped +out in the process. The phone phreaks learned the actual day on which the +conference would be erased about a week ahead of time over the phone company's +internal-news-and-shop-talk recording. + +For the next frantic seven days every phone phreak in America was on and off +the 2111 conference twenty-four hours a day. Phone phreaks who were just +learning the game or didn't have M-F capability were boosted up to the +conference by more experienced phreaks so they could get a glimpse of what it +was like before it disappeared. Top phone phreaks searched distant area codes +for new conference possibilities without success. Finally in the early morning +of April 1, the end came. + +"I could feel it coming a couple hours before midnight," Ralph remembers. "You +could feel something going on in the lines. Some static began showing up, then +some whistling wheezing sound. Then there were breaks. Some people got cut +off and called right back in, but after a while some people were finding they +were cut off and couldn't get back in at all. It was terrible. I lost it +about one a.m., but managed to slip in again and stay on until the thing +died... I think it was about four in the morning. There were four of us still +hanging on when the conference disappeared into nowhere for good. We all tried +to M-F up to it again of course, but we got silent termination. There was +nothing there." + +The Legendary Mark Bernay Turns Out To Be "The Midnight Skulker" + +Mark Bernay. I had come across that name before. It was on Gilbertson's +select list of phone phreaks. The California phone phreaks had spoken of a +mysterious Mark Bernay as perhaps the first and oldest phone phreak on the West +Coast. And in fact almost every phone phreak in the West can trace his origins + + Page 52 + + + + + The Official Phreaker's Manual + +either directly to Mark Bernay or to a disciple of Mark Bernay. + +It seems that five years ago this Mark Bernay (a pseudonym he chose for +himself) began traveling up and down the West Coast pasting tiny stickers in +phone books all along his way. The stickers read something like "Want to hear +an interesting tape recording? Call these numbers." The numbers that followed +were toll-free loop-around pairs. When one of the curious called one of the +numbers he would hear a tape recording pre-hooked into the loop by Bernay which +explained the use of loop-around pairs, gave the numbers of several more, and +ended by telling the caller, "At six o'clock tonight this recording will stop +and you and your friends can try it out. Have fun." + +"I was disappointed by the response at first," Bernay told me, when I finally +reached him at one of his many numbers and he had dispensed with the usual "I +never do anything illegal" formalities which experienced phone phreaks open +most conversations. + +"I went all over the coast with these stickers not only on pay phones, but I'd +throw them in front of high schools in the middle of the night, I'd leave them +unobtrusively in candy stores, scatter them on main streets of small towns. At +first hardly anyone bothered to try it out. I would listen in for hours and +hours after six o'clock and no one came on. I couldn't figure out why people +wouldn't be interested. Finally these two girls in Oregon tried it out and +told all their friends and suddenly it began to spread." + +Before his Johny Appleseed trip Bernay had already gathered a sizable group of +early pre-blue-box phone phreaks together on loop-arounds in Los Angeles. +Bernay does not claim credit for the original discovery of the loop-around +numbers. He attributes the discovery to an eighteen-year-old reform school kid +in Long Beach whose name he forgets and who, he says, "just disappeared one +day." When Bernay himself discovered loop-arounds independently, from clues in +his readings in old issues of the Automatic Electric Technical Journal, he +found dozens of the reform-school kid's friends already using them. However, it +was one of Bernay's disciples in Seattle that introduced phone phreaking to +blind kids. The Seattle kid who learned about loops through Bernay's recording +told a blind friend, the blind kid taught the secret to his friends at a winter +camp for blind kids in Los Angeles. When the camp session was over these kids +took the secret back to towns all over the West. This is how the original +blind kids became phone phreaks. For them, for most phone phreaks in general, +it was the discovery of the possibilities of loop-arounds which led them on to +far more serious and sophisticated phone-phreak methods, and which gave them a +medium for sharing their discoveries. + +A year later a blind kid who moved back east brought the technique to a blind +kids' summer camp in Vermont, which spread it along the East Coast. All from a +Mark Bernay sticker. + +Bernay, who is nearly thirty years old now, got his start when he was fifteen +and his family moved into an L.A. suburb serviced by General Telephone and +Electronics equipment. He became fascinated with the differences between Bell +and G.T.&E. equipment. He learned he could make interesting things happen by +carefully timed clicks with the disengage button. He learned to interpret +subtle differences in the array of clicks, whirrs and kachinks he could hear on +his lines. He learned he could shift himself around the switching relays of +the L.A. area code in a not-too-predictable fashion by interspersing his own +hook-switch clicks with the clicks within the line. (Independent phone +companies -- there are nineteen hundred of them still left, most of them tiny +island principalities in Ma Bell's vast empire -- have always been favorites + + Page 53 + + + + + The Official Phreaker's Manual + +with phone phreaks, first as learning tools, then as Archimedes platforms from +which to manipulate the huge Bell system. A phone phreak in Bell territory +will often M-F himself into an independent's switching system, with switching +idiosyncrasies which can give him marvelous leverage over the Bell System. + +"I have a real affection for Automatic Electric Equipment," Bernay told me. +"There are a lot of things you can play with. Things break down in interesting +ways." + +Shortly after Bernay graduated from college (with a double major in chemistry +and philosophy), he graduated from phreaking around with G.T.&E. to the Bell +System itself, and made his legendary sticker-pasting journey north along the +coast, settling finally in Northwest Pacific Bell territory. He discovered +that if Bell does not break down as interestingly as G.T.&E., it nevertheless +offers a lot of "things to play with." + +Bernay learned to play with blue boxes. He established his own personal +switchboard and phone-phreak research laboratory complex. He continued his +phone-phreak evangelism with ongoing sticker campaigns. He set up two recording +numbers, one with instructions for beginning phone phreaks, the other with +latest news and technical developments (along with some advanced instruction) +gathered from sources all over the country. + +These days, Bernay told me, he had gone beyond phone-phreaking itself. "Lately +I've been enjoying playing with computers more than playing with phones. My +personal thing in computers is just like with phones, I guess -- the kick is in +finding out how to beat the system, how to get at things I'm not supposed to +know about, how to do things with the system that I'm not supposed to be able +to do." + +As a matter of fact, Bernay told me, he had just been fired from his +computer-programming job for doing things he was not supposed to be able to do. +he had been working with a huge time-sharing computer owned by a large +corporation but shared by many others. Access to the computer was limited to +those programmers and corporations that had been assigned certain passwords. +And each password restricted its user to access to only the one section of the +computer cordoned off from its own information storager. The password system +prevented companies and individuals from stealing each other's information. + +"I figured out how to write a program that would let me read everyone else's +password," Bernay reports. "I began playing around with passwords. I began +letting the people who used the computer know, in subtle ways, that I knew +their passwords. I began dropping notes to the computer supervisors with hints +that I knew what I know. I signed them 'The Midnight Skulker.' I kept getting +cleverer and cleverer with my messages and devising ways of showing them what I +could do. I'm sure they couldn't imagine I could do the things I was showing +them. But they never responded to me. Every once in a while they'd change the +passwords, but I found out how to discover what the new ones were, and I let +them know. But they never responded directly to the Midnight Skulker. I even +finally designed a program which they could use to prevent my program from +finding out what it did. In effect I told them how to wipe me out, The +Midnight Skulker. It was a very clever program. I started leaving clues about +myself. I wanted them to try and use it and then try to come up with something +to get around that and reappear again. But they wouldn't play. I wanted to +get caught. I mean I didn't want to get caught personally, but I wanted them +to notice me and admit that they noticed me. I wanted them to attempt to +respond, maybe in some interesting way." + + + Page 54 + + + + + The Official Phreaker's Manual + +Finally the computer managers became concerned enough about the threat of +information-stealing to respond. However, instead of using The Midnight +Skulker's own elegant self-destruct program, they called in their security +personnel, interrogated everyone, found an informer to identify Bernay as The +Midnight Skulker, and fired him. + +"At first the security people advised the company to hire me full-time to +search out other flaws and discover other computer freaks. I might have liked +that. But I probably would have turned into a double double agent rather than +the double agent they wanted. I might have resurrected The Midnight Skulker +and tried to catch myself. Who knows? Anyway, the higher-ups turned the whole +idea down." + +You Can Tap the F.B.I.'s Crime Control Computer in the Comfort of Your Own +Home, Perhaps + +Computer freaking may be the wave of the future. It suits the phone-phreak +sensibility perfectly. Gilbertson, the blue-box inventor and a lifelong phone +phreak, has also gone on from phone-phreaking to computer-freaking. Before he +got into the blue-box business Gilbertson, who is a highly skilled programmer, +devised programs for international currency arbitrage. + +But he began playing with computers in earnest when he learned he could use his +blue box in tandem with the computer terminal installed in his apartment by the +instrumentation firm he worked for. The print-out terminal and keyboard was +equipped with acoustical coupling, so that by coupling his little ivory +Princess phone to the terminal and then coupling his blue box on that, he could +M-F his way into other computers with complete anonymity, and without charge; +program and re-program them at will; feed them false or misleading information; +tap and steal from them. He explained to me that he taps computers by busying +out all the lines, then going into a verification trunk, listening into the +passwords and instructions one of the time sharers uses, and them M-F-ing in +and imitating them. He believes it would not be impossible to creep into the +F.B.I's crime control computer through a local police computer terminal and +phreak around with the F.B.I.'s memory banks. He claims he has succeeded in +re-programming a certain huge institutional computer in such a way that it has +cordoned off an entire section of its circuitry for his personal use, and at +the same time conceals that arrangement from anyone else's notice. I have been +unable to verify this claim. + +Like Captain Crunch, like Alexander Graham Bell (pseudonym of a +disgruntled-looking East Coast engineer who claims to have invented the black +box and now sells black and blue boxes to gamblers and radical heavies), like +most phone phreaks, Gilbertson began his career trying to rip off pay phones as +a teenager. Figure them out, then rip them off. Getting his dime back from +the pay phone is the phone phreak's first thrilling rite of passage. After +learning the usual eighteen different ways of getting his dime back, Gilbertson +learned how to make master keys to coin-phone cash boxes, and get everyone +else's dimes back. He stole some phone-company equipment and put together his +own home switchboard with it. He learned to make a simple "bread-box" device, +of the kind used by bookies in the Thirties (bookie gives a number to his +betting clients; the phone with that number is installed in some widow lady's +apartment, but is rigged to ring in the bookie's shop across town, cops trace +big betting number and find nothing but the widow). + +Not long after that afternoon in 1968 when, deep in the stacks of an +engineering library, he came across a technical journal with the phone tone +frequencies and rushed off to make his first blue box, not long after that + + Page 55 + + + + + The Official Phreaker's Manual + +Gilbertson abandoned a very promising career in physical chemistry and began +selling blue boxes for $1,500 apiece. + +"I had to leave physical chemistry. I just ran out of interesting things to +learn," he told me one evening. We had been talking in the apartment of the +man who served as the link between Gilbertson and the syndicate in arranging +the big $300,000 blue-box deal which fell through because of legal trouble. +There has been some smoking. + +"No more interesting things to learn," he continues. "Physical chemistry turns +out to be a sick subject when you take it to its highest level. I don't know. +I don't think I could explain to you how it's sick. You have to be there. But +you get, I don't know, a false feeling of omnipotence. I suppose it's like +phone-phreaking that way. This huge thing is there. This whole system. And +there are holes in it and you slip into them like Alice and you're pretending +you're doing something you're actually not, or at least it's no longer you +that's doing what you thought you were doing. It's all Lewis Carroll. +Physical chemistry and phone-phreaking. That's why you have these phone-phreak +pseudonyms like The Cheshire Cat, the Red King, and The Snark. But there's +something about phone-phreaking that you don't find in physical chemistry." He +looks up at me: + +"Did you ever steal anything?" + +"Well yes, I..." + +"Then you know! You know the rush you get. It's not just knowledge, like +physical chemistry. It's forbidden knowledge. You know. You can learn about +anything under the sun and be bored to death with it. But the idea that it's +illegal. Look: you can be small and mobile and smart and you're ripping off +somebody large and powerful and very dangerous." + +People like Gilbertson and Alexander Graham Bell are always talking about +ripping off the phone company and screwing Ma Bell. But if they were shown a +single button and told that by pushing it they could turn the entire circuitry +of A.T.&T. into molten puddles, they probably wouldn't push it. The +disgruntled-inventor phone phreak needs the phone system the way the lapsed +Catholic needs the Church, the way Satan needs a God, the way The Midnight +Skulker needed, more than anything else, response. + +Later that evening Gilbertson finished telling me how delighted he was at the +flood of blue boxes spreading throughout the country, how delighted he was to +know that "this time they're really screwed." He suddenly shifted gears. + +"Of course. I do have this love/hate thing about Ma Bell. In a way I almost +like the phone company. I guess I'd be very sad if they were to disintegrate. +In a way it's just that after having been so good they turn out to have these +things wrong with them. It's those flaws that allow me to get in and mess with +them, but I don't know. There's something about it that gets to you and makes +you want to get to it, you know." + +I ask him what happens when he runs out of interesting, forbidden things to +learn about the phone system. + +"I don't know, maybe I'd go to work for them for a while." + +"In security even?" + + + Page 56 + + + + + The Official Phreaker's Manual + +"I'd do it, sure. I just as soon play -- I'd just as soon work on either +side." + +"Even figuring out how to trap phone phreaks? I said, recalling Mark Bernay's +game." + +"Yes, that might be interesting. Yes, I could figure out how to outwit the +phone phreaks. Of course if I got too good at it, it might become boring +again. Then I'd have to hope the phone phreaks got much better and outsmarted +me for a while. That would move the quality of the game up one level. I might +even have to help them out, you know, 'Well, kids, I wouldn't want this to get +around but did you ever think of -- ?' I could keep it going at higher and +higher levels forever." + +The dealer speaks up for the first time. He has been staring at the soft +blinking patterns of light and colors on the translucent tiled wall facing him. +(Actually there are no patterns: the color and illumination of every tile is +determined by a computerized random-number generator designed by Gilbertson +which insures that there can be no meaning to any sequence of events in the +tiles.) + +"Those are nice games you're talking about," says the dealer to his friend. +"But I wouldn't mind seeing them screwed. A telephone isn't private anymore. +You can't say anything you really want to say on a telephone or you have to go +through that paranoid bullshit. 'Is it cool to talk on the phone?' I mean, +even if it is cool, if you have to ask 'Is it cool,' then it isn't cool. You +know. 'Is it cool,' then it isn't cool. You know. Like those blind kids, +people are going to start putting together their own private telephone +companies if they want to really talk. And you know what else. You don't hear +silences on the phone anymore. They've got this time-sharing thing on +long-distance lines where you make a pause and they snip out that piece of time +and use it to carry part of somebody else's conversation. Instead of a pause, +where somebody's maybe breathing or sighing, you get this blank hole and you +only start hearing again when someone says a word and even the beginning of the +word is clipped off. Silences don't count -- you're paying for them, but they +take them away from you. It's not cool to talk and you can't hear someone when +they don't talk. What the hell good is the phone? I wouldn't mind seeing them +totally screwed." + ++-- End third file of four --+ + + + + + + + + + + + + + + + + + + + + Page 57 + + + + + The Official Phreaker's Manual + + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + * * + * +----------------------------------------------+ * + * * + * Secrets of the Little Blue Box * + * * + * by Ron Rosenbaum * + * Typed by One Farad Cap/AAG * + * * + * -A story so incredible it may even make you * + * feel sorry for the phone company- * + * * + * (Fourth of four files) * + * * + * +----------------------------------------------+ * + * * + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + +The Big Memphis Bust + +Joe Engressia never wanted to screw Ma Bell. His dream had always been to work +for her. + +The day I visited Joe in his small apartment on Union Avenue in Memphis, he was +upset about another setback in his application for a telephone job. + +"They're stalling on it. I got a letter today telling me they'd have to +postpone the interview I requested again. My landlord read it for me. They +gave me some runaround about wanting papers on my rehabilitation status but I +think there's something else going on." + +When I switched on the 40-watt bulb in Joe's room -- he sometimes forgets when +he has guests -- it looked as if there was enough telephone hardware to start a +small phone company of his own. + +There is one phone on top of his desk, one phone sitting in an open drawer +beneath the desk top. Next to the desk-top phone is a cigar-box-size M-F +device with big toggle switches, and next to that is some kind of switching and +coupling device with jacks and alligator plugs hanging loose. Next to that is +a Braille typewriter. On the floor next to the desk, lying upside down like a +dead tortoise, is the half-gutted body of an old black standard phone. Across +the room on a torn and dusty couch are two more phones, one of them a +touch-tone model; two tape recorders; a heap of phone patches and cassettes, +and a life-size toy telephone. + +Our conversation is interrupted every ten minutes by phone phreaks from all +over the country ringing Joe on just about every piece of equipment but the toy +phone and the Braille typewriter. One fourteen-year-old blind kid from +Connecticut calls up and tells Joe he's got a girl friend. He wants to talk to +Joe about girl friends. Joe says they'll talk later in the evening when they +can be alone on the line. Joe draws a deep breath, whistles him off the air +with an earsplitting 2600-cycle whistle. Joe is pleased to get the calls but he +looked worried and preoccupied that evening, his brow constantly furrowed over +his dark wandering eyes. In addition to the phone-company stall, he has just +learned that his apartment house is due to be demolished in sixty days for +urban renewal. For all its shabbiness, the Union Avenue apartment house has +been Joe's first home-of-his-own and he's worried that he may not find another +before this one is demolished. + + Page 58 + + + + + The Official Phreaker's Manual + + +But what really bothers Joe is that switchmen haven't been listening to him. +"I've been doing some checking on 800 numbers lately, and I've discovered that +certain 800 numbers in New Hampshire couldn't be reached from Missouri and +Kansas. Now it may sound like a small thing, but I don't like to see sloppy +work; it makes me feel bad about the lines. So I've been calling up switching +offices and reporting it, but they haven't corrected it. I called them up for +the third time today and instead of checking they just got mad. Well, that +gets me mad. I mean, I do try to help them. There's something about them I +can't understand -- you want to help them and they just try to say you're +defrauding them." + +It is Sunday evening and Joe invites me to join him for dinner at a Holiday +Inn. Frequently on Sunday evening Joe takes some of his welfare money, calls a +cab, and treats himself to a steak dinner at one of Memphis' thirteen Holiday +Inns. (Memphis is the headquarters of Holiday Inn. Holiday Inns have been a +favorite for Joe ever since he made his first solo phone trip to a Bell +switching office in Jacksonville, Florida, and stayed in the Holiday Inn there. +He likes to stay at Holiday Inns, he explains, because they represent freedom +to him and because the rooms are arranged the same all over the country so he +knows that any Holiday Inn room is familiar territory to him. Just like any +telephone.) + +Over steaks in the Pinnacle Restaurant of the Holiday Inn Medical Center on +Madison Avenue in Memphis, Joe tells me the highlights of his life as a phone +phreak. + +At age seven, Joe learned his first phone trick. A mean baby-sitter, tired of +listening to little Joe play with the phone as he always did, constantly, put a +lock on the phone dial. "I got so mad. When there's a phone sitting there and +I can't use it... so I started getting mad and banging the receiver up and +down. I noticed I banged it once and it dialed one. Well, then I tried +banging it twice...." In a few minutes Joe learned how to dial by pressing the +hook switch at the right time. "I was so excited I remember going 'whoo whoo' +and beat a box down on the floor." + +At age eight Joe learned about whistling. "I was listening to some intercept +non working-number recording in L.A.- I was calling L.A. as far back as that, +but I'd mainly dial non working numbers because there was no charge, and I'd +listen to these recordings all day. Well, I was whistling 'cause listening to +these recordings can be boring after a while even if they are from L.A., and +all of a sudden, in the middle of whistling, the recording clicked off. I +fiddled around whistling some more, and the same thing happened. So I called +up the switch room and said, 'I'm Joe. I'm eight years old and I want to know +why when I whistle this tune the line clicks off.' He tried to explain it to +me, but it was a little too technical at the time. I went on learning. That +was a thing nobody was going to stop me from doing. The phones were my life, +and I was going to pay any price to keep on learning. I knew I could go to +jail. But I had to do what I had to do to keep on learning." + +The phone is ringing when we walk back into Joe's apartment on Union Avenue. +It is Captain Crunch. The Captain has been following me around by phone, +calling up everywhere I go with additional bits of advice and explanation for +me and whatever phone phreak I happen to be visiting. This time the Captain +reports he is calling from what he describes as "my hideaway high up in the +Sierra Nevada." He pulses out lusty salvos of M-F and tells Joe he is about to +"go out and get a little action tonight. Do some phreaking of another kind, if +you know what I mean." Joe chuckles. + + Page 59 + + + + + The Official Phreaker's Manual + + +The Captain then tells me to make sure I understand that what he told me about +tying up the nation's phone lines was true, but that he and the phone phreaks +he knew never used the technique for sabotage. They only learned the technique +to help the phone company. + +"We do a lot of troubleshooting for them. Like this New Hampshire/Missouri +WATS-line flaw I've been screaming about. We help them more than they know." + +After we say good-bye to the Captain and Joe whistles him off the line, Joe +tells me about a disturbing dream he had the night before: "I had been caught +and they were taking me to a prison. It was a long trip. They were taking me +to a prison a long long way away. And we stopped at a Holiday Inn and it was +my last night ever using the phone and I was crying and crying, and the lady at +the Holiday Inn said, 'Gosh, honey, you should never be sad at a Holiday Inn. +You should always be happy here. Especially since it's your last night.' And +that just made it worse and I was sobbing so much I couldn't stand it." + +Two weeks after I left Joe Engressia's apartment, phone-company security agents +and Memphis police broke into it. Armed with a warrant, which they left pinned +to a wall, they confiscated every piece of equipment in the room, including his +toy telephone. Joe was placed under arrest and taken to the city jail where he +was forced to spend the night since he had no money and knew no one in Memphis +to call. + +It is not clear who told Joe what that night, but someone told him that the +phone company had an open-and-shut case against him because of revelations of +illegal activity he had made to a phone-company undercover agent. + +By morning Joe had become convinced that the reporter from Esquire, with whom +he had spoken two weeks ago, was the undercover agent. He probably had ugly +thoughts about someone he couldn't see gaining his confidence, listening to him +talk about his personal obsessions and dreams, while planning all the while to +lock him up. + +"I really thought he was a reporter," Engressia told the Memphis Press-Seminar. +"I told him everything...." Feeling betrayed, Joe proceeded to confess +everything to the press and police. + +As it turns out, the phone company did use an undercover agent to trap Joe, +although it was not the Esquire reporter. + +Ironically, security agents were alerted and began to compile a case against +Joe because of one of his acts of love for the system: Joe had called an +internal service department to report that he had located a group of defective +long-distance trunks, and to complain again about the New Hampshire/Missouri +WATS problem. Joe always liked Ma Bell's lines to be clean and responsive. A +suspicious switchman reported Joe to the security agents who discovered that +Joe had never had a long-distance call charged to his name. + +Then the security agents learned that Joe was planning one of his phone trips +to a local switching office. The security people planted one of their agents +in the switching office. He posed as a student switchman and followed Joe +around on a tour. He was extremely friendly and helpful to Joe, leading him +around the office by the arm. When the tour was over he offered Joe a ride back +to his apartment house. On the way he asked Joe -- one tech man to another -- +about "those blue boxers" he'd heard about. Joe talked about them freely, +talked about his blue box freely, and about all the other things he could do + + Page 60 + + + + + The Official Phreaker's Manual + +with the phones. + +The next day the phone-company security agents slapped a monitoring tape on +Joe's line, which eventually picked up an illegal call. Then they applied for +the search warrant and broke in. + +In court Joe pleaded not guilty to possession of a blue box and theft of +service. A sympathetic judge reduced the charges to malicious mischief and +found him guilty on that count, sentenced him to two thirty-day sentences to be +served concurrently and then suspended the sentence on condition that Joe +promise never to play with phones again. Joe promised, but the phone company +refused to restore his service. For two weeks after the trial Joe could not be +reached except through the pay phone at his apartment house, and the landlord +screened all calls for him. + +Phone-phreak Carl managed to get through to Joe after the trial, and reported +that Joe sounded crushed by the whole affair. + +"What I'm worried about," Carl told me, "is that Joe means it this time. The +promise. That he'll never phone-phreak again. That's what he told me, that +he's given up phone-phreaking for good. I mean his entire life. He says he +knows they're going to be watching him so closely for the rest of his life +he'll never be able to make a move without going straight to jail. He sounded +very broken up by the whole experience of being in jail. It was awful to hear +him talk that way. I don't know. I hope maybe he had to sound that way. Over +the phone, you know." + +He reports that the entire phone-phreak underground is up in arms over the +phone company's treatment of Joe. "All the while Joe had his hopes pinned on +his application for a phone-company job, they were stringing him along getting +ready to bust him. That gets me mad. Joe spent most of his time helping them +out. The bastards. They think they can use him as an example. All of sudden +they're harassing us on the coast. Agents are jumping up on our lines. They +just busted ------'s mute yesterday and ripped out his lines. But no matter +what Joe does, I don't think we're going to take this lying down." + +Two weeks later my phone rings and about eight phone phreaks in succession say +hello from about eight different places in the country, among them Carl, Ed, +and Captain Crunch. A nationwide phone-phreak conference line has been +reestablished through a switching machine in --------, with the cooperation of +a disgruntled switchman. + +"We have a special guest with us today," Carl tells me. + +The next voice I hear is Joe's. He reports happily that he has just moved to a +place called Millington, Tennessee, fifteen miles outside of Memphis, where he +has been hired as a telephone-set repairman by a small independent phone +company. Someday he hopes to be an equipment troubleshooter. + +"It's the kind of job I dreamed about. They found out about me from the +publicity surrounding the trial. Maybe Ma Bell did me a favor busting me. +I'll have telephones in my hands all day long." + +"You know the expression, 'Don't get mad, get even'?" phone-phreak Carl asked +me. "Well, I think they're going to be very sorry about what they did to Joe +and what they're trying to do to us." + ++-- End fourth file of four --+ + + Page 61 + + + + + The Official Phreaker's Manual + + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + $ $ + $ THE HISTORY OF ESS $ + $ --- ------- -- --- $ + $ $ + $ $ + $ Another original phile by: $ + $ $ + $ $ + $$$$$$$$$$$$-=>Lex Luthor<=-$$$$$$$$$$$ + $ $ + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + + + Of all the new 1960s wonders of telephone technology - satellites, ultra +modern Traffic Service Positions (TSPS) for operators, the picturephone, and so +on - the one that gave Bell Labs the most trouble, and unexpectedly became the +greatest development effort in Bell System's history, was the perfection of an +electronic switching system, or ESS. + + It may be recalled that such a system was the specific end in view when the +project that had culminated in the invention of the transistor had been +launched back in the 1930s. After successful accomplishment of that planned +miracle in 1947-48, further delays were brought about by financial stringency +and the need for further development of the transistor itself. In the early +1950s, a Labs team began serious work on electronic switching. As early as +1955, Western Electric became involved when five engineers from the Hawthorne +works were assigned to collaborate with the Labs on the project. The president +of AT&T in 1956, wrote confidently, "At Bell Labs, development of the new +electronic switching system is going full speed ahead. We are sure this will +lead to many improvements in service and also to greater efficiency. The first +service trial will start in Morris, Ill., in 1959." Shortly thereafter, Kappel +said that the cost of the whole project would probably be $45 million. + + But it gradually became apparent that the development of a commercially +usable electronic switching system -in effect, a computerized telephone +exchange - presented vastly greater technical problems than had been +anticipated, and that, accordingly, Bell Labs had vastly underestimated both +the time and the investment needed to do the job. The year 1959 passed without +the promised first trial at Morris, Illinois; it was finally made in November +1960, and quickly showed how much more work remained to be done. As time +dragged on and costs mounted, there was a concern at AT&T and some-thing +approaching panic at Bell Labs. But the project had to go forward; by this + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/phreak/PHREAKING/pkmanual3.phk b/textfiles.com/phreak/PHREAKING/pkmanual3.phk new file mode 100644 index 00000000..77a65ae1 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/pkmanual3.phk @@ -0,0 +1,2361 @@ +time the investment was too great to be sacrificed, and in any case, forward +projections of increased demand for telephone service indicated that within a +phew years a time would come when, without the quantum leap in speed and +flexibility that electronic switching would provide, the national network would +be unable to meet the demand. In November 1963, an all-electronic switching +system went into use at the Brown Engineering Company at Cocoa Beach, Florida. +But this was a small installation, essentially another test installation, +serving only a single company. Kappel's tone on the subject in the 1964 annual +report was, for him, an almost apologetic: "Electronic switching equipment must +be manufactured in volume to unprecedented standards of reliability.... To turn +out the equipment economically and with good speed, mass production methods +must be developed; but, at the same time, there can be no loss of precision..." +Another year and millions of dollars later, on May 30, 1965, the first +commercial electric central office was put into service at Succasunna, New +Jersey. + + Page 62 + + + + + The Official Phreaker's Manual + + + Even at Succasunna, only 200 of the town's 4,300 subscribers initially had +the benefit of electronic switching's added speed and additional services, such +as provision for three party conversations and automatic transfer of incoming +calls. But after that, ESS was on its way. In January 1966, the second +commercial installation, this one serving 2,900 telephones, went into service +in Chase, Maryland. By the end of 1967 there were additional ESS offices in +California, Connecticut, Minnesota, Georgia, New York, Florida, and +Pennsylvania; by the end of 1970 there were 120 offices serving 1.8 million +customers; and by 1974 there were 475 offices serving 5.6 million customers. + + The difference between conventional switching and electronic switching is +the difference between "hardware" and "software"; in the former case, +maintenance is done on the spot, with screwdriver and pliers, while in the case +of electronic switching, it can be done remotely, by computer, from a central +point, making it possible to have only one or two technicians on duty at a time +at each switching center. + + The development program, when the final figures were added up, was found to +have required a staggering four thousand man-years of work at Bell Labs and to +have cost not $45 million but $500 million! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 63 + + + + + The Official Phreaker's Manual + + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + $ $ + $ THE HISTORY OF BRITISH PHREAKING $ + $ -=- -=-=-=- -- -=-=-=- -=-=-=-=- $ + $ $ + $ THE SECOND IN A SERIES OF $ + $ THE HISTORY OF.....PHILES $ + $ $ + $ WRITTEN AND UPLOADED BY: $ + $ $ + $$$$$$$$$$$$-=>LEX LUTHOR<=-$$$$$$$$$$$ + $ AND $ + $ THE LEGION OF DOOM! $ + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + + NOTE: THE BRITISH POST OFFICE, IS THE U.S. EQUIVALENT OF MA BELL. + + IN BRITAIN, PHREAKING GOES BACK TO THE EARLY FIFTIES, WHEN THE TECHNIQUE OF +'TOLL A DROP BACK' WAS DISCOVERED. TOLL A WAS AN EXCHANGE NEAR ST. PAULS +WHICH ROUTED CALLS BETWEEN LONDON AND NEARBY NON-LONDON EXCHANGES. THE TRICK +WAS TO DIAL AN UNALLOCATED NUMBER, AND THEN DEPRESS THE RECEIVER-REST FOR 1/2 +SECOND. THIS FLASHING INITIATED THE 'CLEAR FORWARD' SIGNAL, LEAVING THE CALLER +WITH AN OPEN LINE INTO THE TOLL A EXCHANGE.THE COULD THEN DIAL 018, WHICH +FORWARDED HIM TO THE TRUNK EXCHANGE AT THAT TIME, THE FIRST LONG DISTANCE +EXCHANGE IN BRITAIN AND FOLLOW IT WITH THE CODE FOR THE DISTANT EXCHANGE TO +WHICH HE WOULD BE CONNECTED AT NO EXTRA CHARGE. + + THE SIGNALS NEEDED TO CONTROL THE UK NETWORK TODAY WERE PUBLISHED IN THE +"INSTITUTION OF POST OFFICE ENGINEERS JOURNAL" AND REPRINTED IN THE SUNDAY +TIMES (15 OCT. 1972). + + THE SIGNALLING SYSTEM THEY USE: SIGNALLING SYSTEM NO. 3 USES PAIRS OF +FREQUENCIES SELECTED FROM 6 TONES SEPARATED BY 120HZ. WITH THAT INFO, THE +PHREAKS MADE "BLEEPERS" OR AS THEY ARE CALLED HERE IN THE U.S. "BLUE BOX", BUT +THEY DO UTILIZE DIFFERENT MF TONES THEN THE U.S., THUS, YOUR U.S. BLUE BOX +THAT YOU SMUGGLED INTO THE UK WILL NOT WORK, UNLESS YOU CHANGE THE +FREQUENCIES. + + IN THE EARLY SEVENTIES, A SIMPLER SYSTEM BASED ON DIFFERENT NUMBERS OF PULSES +WITH THE SAME FREQUENCY (2280HZ) WAS USED. FOR MORE INFO ON THAT, TRY TO GET A +HOLD OF: ATKINSON'S "TELEPHONY AND SYSTEMS TECHNOLOGY". + + IN THE EARLY DAYS OF BRITISH PHREAKING, THE CAMBRIDGE UNIVERSITY TITAN +COMPUTER WAS USED TO RECORD AND CIRCULATE NUMBERS FOUND BY THE EXHAUSTIVE +DIALING OF LOCAL NETWORKS. THESE NUMBERS WERE USED TO CREATE A CHAIN OF LINKS +FROM LOCAL EXCHANGE TO LOCAL EXCHANGE ACROSS THE COUNTRY, BYPASSING THE TRUNK +CIRCUITS. BECAUSE THE INTERNAL ROUTING CODES IN THE UK NETWORK ARE NOT THE +SAME AS THOSE DIALED BY THE CALLER, THE PHREAKS HAD TO DISCOVER THEM BY 'PROBE +AND LISTEN' TECHNIQUES OR MORE COMMONLY KNOWN IN THE U.S.-- SCANNING. WHAT +THEY DID WAS PUT IN LIKELY SIGNALS AND LISTENED TO FIND OUT IF THEY SUCCEEDED. +THE RESULTS OF SCANNING WERE CIRCULATED TO OTHER PHREAKS. DISCOVERING EACH +OTHER TOOK TIME AT FIRST, BUT EVENTUALLY THE PHREAKS BECAME ORGANIZED. THE +"TAP" OF BRITAIN WAS CALLED "UNDERCURRENTS" WHICH ENABLED BRITISH PHREAKS TO +SHARE THE INFO ON NEW NUMBERS, EQUIPMENT ETC. + + TO UNDERSTAND WHAT THE BRITISH BRITISH PHREAKS DID, THINK OF THE PHONE +NETWORK IN THREE LAYERS OF LINES: LOCAL, TRUNK, AND INTERNATIONAL.#IN THE UK, +SUBSCRIBER TRUNK DIALING (STD), IS THE MECHANISM WHICH TAKES A CALL FROM THE + + Page 64 + + + + + The Official Phreaker's Manual + +LOCAL LINES AND (LEGITIMATELY) ELEVATES IT TO A TRUNK OR INTERNATIONAL +LEVEL.#THE UK PHREAKS FIGURED THAT A CALL AT TRUNK LEVEL CAN BE ROUTED THROUGH +ANY NUMBER OF EXCHANGES, PROVIDED THAT THE RIGHT ROUTING CODES WERE FOUND AND +USED CORRECTLY. THEY ALSO HAD TO DISCOVER HOW TO GET FROM LOCAL TO TRUNK LEVEL +EITHER WITHOUT BEING CHARGED (WHICH THEY DID WITH A BLEEPER BOX) OR WITHOUT +USING (STD). CHAINING HAS ALREADY BEEN MENTIONED BUT IT REQUIRES LONG STRINGS +OF DIGITS AND SPEECH GETS MORE AND MORE FAINT AS THE CHAIN GROWS, JUST LIKE IT +DOES WHEN YOU STACK TRUNKS BACK AND FORTH ACROSS THE U.S.#THE WAY THE SECURITY +REPS SNAGGED THE PHREAKS WAS TO PUT A SIMPLE 'PRINTERMETER' OR AS WE CALL IT: +A PEN REGISTER ON THE SUSPECTS LINE, WHICH SHOWS EVERY DIGIT DIALED FROM THE +SUBSCRIBERS LINE. + + THE BRITISH PREFER TO GET ONTO THE TRUNKS RATHER THAN CHAINING. ONE WAY WAS +TO DISCOVER WHERE LOCAL CALLS USE THE TRUNKS BETWEEN NEIGHBORING EXCHANGES, +START A CALL AND STAY ON THE TRUNK INSTEAD OF RETURNING TO THE LOCAL LEVEL ON +REACHING THE DISTANT SWITCH. THIS AGAIN REQUIRED EXHAUSTIVE DIALING AND MADE +MORE WORK FOR TITAN; IT ALSO REVEALED 'FIDDLES', WHICH WERE INSERTED BY POST +OFFICE ENGINEERS. + + WHAT FIDDLING MEANS IS THAT THE ENGINEERS REWIRED THE EXCHANGES FOR THEIR OWN +BENEFIT. THE EQUIPMENT IS MODIFIED TO GIVE ACCESS TO A TRUNK WITH OUT BEING +CHARGED, AN OPERATION WHICH IS PRETTY EASY IN STEP BY STEP (SXS) +ELECTROMECHANICAL EXCHANGES, WHICH WERE INSTALLED IN BRITAIN EVEN IN THE 1970S +(NOTE: I KNOW OF A BACK DOOR INTO THE CANADIAN SYSTEM ON A 4A CO., SO IF YOU +ARE ON SXS OR A 4A, TRY SCANNING 3 DIGIT EXCHANGES, IE: DIAL 999,998,997 +ETC.#AND LISTEN FOR THE BEEP-KERCHINK, IF THERE ARE NO 3 DIGIT CODES WHICH +ALLOW DIRECT ACCESS TO A TANDEM IN YOUR LOCAL EXCHANGE AND BYPASSES THE AMA SO +YOU WON'T BE BILLED, NOT HAVE TO BLAST 2600 EVERY TIME YOU WISH TO BOX A CALL. + + A FAMOUS BRITISH 'FIDDLER' REVEALED IN THE EARLY 1970S WORKED BY DIALING 173. +THE CALLER THEN ADDED THE TRUNK CODE OF 1 AND THE SUBSCRIBERS LOCAL NUMBER. AT +THAT TIME, MOST ENGINEERING TEST SERVICES BEGAN WITH 17X, SO THE ENGINEERS +COULD HIDE THEIR FIDDLES IN THE NEST OF SERVICE WIRES. WHEN SECURITY REPS +STARTED SEARCHING, THE FIDDLES WERE CONCEALED BY TONES SIGNALLING: 'NUMBER +UNOBTAINALBE' OR 'EQUIPMENT ENGAGED' WHICH SWITCHED OFF AFTER A DELAY. THE +NECESSARY RELAYS ARE SMALL AND EASILY HIDDEN. + + THERE WAS ANOTHER SIDE TO PHREAKING IN THE UK IN THE SIXTIES. BEFORE STD WAS +WIDESPREAD, MANY 'ORDINARY' PEOPLE WERE DRIVEN TO. + +OCCASIONAL PHREAKING FROM SHEER FRUSTRATION AT THE INEFFICIENT OPERATOR +CONTROLLED TRUNK SYSTEM. THIS CAME TO A HEAD DURING A STRIKE ABOUT 1961 WHEN +OPERATORS COULD NOT BE REACHED. NOTHING COMPLICATED WAS NEEDED. MANY +OPERATORS HAD BEEN IN THE HABIT OF REPEATING THE CODES AS THEY DIALLED THE +REQUESTED NUMBERS SO PEOPLE SOON LEARNT THE NUMBERS THEY CALLED FREQUENTLY. +THE ONLY 'TRICK' WAS TO KNOW WHICH EXCHANGES COULD BE DIALLED THROUGH TO PASS +ON THE TRUNK NUMBER.CALLERS ALSO NEEDED A PRETTY QUIET PLACE TO DO IT, SINCE +TIMING RELATIVE TO CLICKS WAS IMPORTANT THE MOST FAMOUS TRIAL OF BRITISH +PHREAKS WAS CALLED THE OLD BAILY TRIAL.#WHICH STARTED ON 3 OCT. 1973.#WHAT +THEY PHREAKS DID WAS TO DIAL A SPARE NUMBER AT A LOCAL CALL RATE BUT INVOLVING +A TRUNK TO ANOTHER EXCHANGE THEN THEY SEND A 'CLEAR FORWARD' TO THEIR LOCAL +EXCHANGE, INDICATING TO IT THAT THE CALL IS FINISHED;BUT THE DISTANT EXCHANGE +DOESN'T REALIZE BECAUSE THE CALLER'S PHONE IS STILL OFF THE HOOK. THEY NOW +HAVE AN OPEN LINE INTO THE DISTANT TRUNK EXCHANGE AND SENDS TO IT A 'SEIZE' +SIGNAL: '1' WHICH PUTS HIM ONTO ITS OUTGOING LINES NOW, IF THEY KNOW THE +CODES, THE WORLD IS OPEN TO THEM. ALL OTHER EXCHANGES TRUST HIS LOCAL EXCHANGE +TO HANDLE THE BILLING; THEY JUST INTERPRET THE TONES THEY HEAR. MEAN WHILE, +THE LOCAL EXCHANGE COLLECTS ONLY FOR A LOCAL CALL. THE INVESTIGATORS + + Page 65 + + + + + The Official Phreaker's Manual + +DISCOVERED THE PHREAKS HOLDING A CONFERENCE SOMEWHERE IN ENGLAND SURROUNDED BY +VARIOUS PHONE EQUIPMENT AND BLEEPER BOXES, ALSO PRINTOUTS LISTING 'SECRET' POST +OFFICE CODES. (THEY PROBABLY GOT THEM FROM TRASHING?) THE JUDGE SAID: "SOME +TAKE TO HEROIN, SOME TAKE TO TELEPHONES" FOR THEM PHONE PHREAKING WAS NOT A +CRIME BUT A HOBBY TO BE SHARED WITH PHELLOW ENTHUSIASTS AND DISCUSSED WITH THE +POST OFFICE OPENLY OVER DINNER AND BY MAIL. THEIR APPROACH AND ATTITUDE TO THE +WORLDS LARGEST COMPUTER, THE GLOBAL TELEPHONE SYSTEM, WAS THAT OF SCIENTISTS +CONDUCTING EXPERIMENTS OR PROGRAMMERS AND ENGINEERS TESTING PROGRAMS AND +SYSTEMS. THE JUDGE APPEARED TO AGREE, AND EVEN ASKED THEM FOR PHREAKING CODES +TO USE FROM HIS LOCAL EXCHANGE!!! + +# $-THE END-$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 66 + + + + + The Official Phreaker's Manual + + Bad as Shit + + Recently, a telephone fanatic in the northwest made an interesting +discovery. He was exploring the 804 area code (Virginia) and found out that +the 840 exchange did something strange. + In the vast majority of cases, in fact in all of the cases except one, he +would get a recording as if the exchange didn't exist. However, if he dialed +804-840 and four rather predictable numbers, he got a ring! + + After one or two rings, somebody picked up. Being experienced at this kind +of thing, he could tell that the call didn't "supe", that is, no charges were +being incurred for calling this number. + (Calls that get you to an error message, or a special operator, generally +don't supervise.) A female voice, with a hint of a Southern accent said, +"Operator, can I help you?" + + "Yes," he said, "What number have I reached?" + + "What number did you dial, sir?" + + He made up a number that was similar. + + "I'm sorry that is not the number you reached." Click. + + He was fascinated. What in the world was this? He knew he was going to +call back, but before he did, he tried some more experiments. He tried the 840 +exchange in several other area codes. In some, it came up as a valid exchange. +In others, exactly the same thing happened -- the same last four digits, the +same Southern belle. Oddly enough, he later noticed, the areas worked in +seemed to travel in a beeline from Washington DC to Pittsburgh, PA. + + He called back from a payphone. "Operator, can I help you?" + + "Yes, this is the phone company. I'm testing this line and we don't seem to +have an identification on your circuit. What office is this, please?" + + "What number are you trying to reach?" + + "I'm not trying to reach any number. I'm trying to identify this circuit." + + "I'm sorry, I can't help you." + + "Ma'am, if I don't get an ID on this line, I'll have to disconnect it. We +show no record of it here." + + "Hold on a moment, sir." + + After about a minute, she came back. "Sir, I can have someone speak to you. +Would you give me your number, please?" + + He had anticipated this and he had the payphone number ready. After he gave +it, she said, "Mr. XXX will get right back to you." + + "Thanks." He hung up the phone. It rang. INSTANTLY! "Oh my God," he +thought, "They weren't asking for my number -- they were confirming it!" + + "Hello," he said, trying to sound authoritative. + + + Page 67 + + + + + The Official Phreaker's Manual + + "This is Mr. XXX. Did you just make an inquiry to my office concerning a +phone number?" + + "Yes. I need an identi--" + + "What you need is advice. Don't ever call that number again. Forget you +ever knew it." + + At this point our friend got so nervous he just hung up. He expected to +hear the phone ring again but it didn't. + + Over the next few days he racked his brains trying to figure out what the +number was. He knew it was something big -- that was pretty certain at this +point. It was so big that the number was programmed into every central office +in the country. He knew this because if he tried to dial any other number in +that exchange, he'd get a local error message from his CO, as if the exchange +didn't exist. + + It finally came to him. He had an uncle who worked in a federal agency. He +had a feeling that this was government related and if it was, his uncle could +probably find out what it was. He asked the next day and his uncle promised to +look into the matter. + + The next time he saw his uncle, he noticed a big change in his manner. He +was trembling. "Where did you get that number?!" he shouted. "Do you know I +almost got fired for asking about it?!? They kept wanting to know where I got +it." + + Our friend couldn't contain his excitement. "What is it?" he pleaded. +"What's the number?!" + +"IT'S THE PRESIDENT'S BOMB SHELTER!" + + He never called the number after that. He knew that he could probably cause +quite a bit of excitement by calling the number and saying something like, "The +weather's not good in Washington. We're coming over for a visit." But our +friend was smart. he knew that there were some things that were better off +unsaid and undone. <> + + + + + + + + + + + + + + + + + + + + + + Page 68 + + + + + The Official Phreaker's Manual + + Chapter 3 + + This chapter is really just a bunch of FACS (pun intended). Here is where +random facts that really have something to do with everything else but nothing +to do with anything else, are presented. They cover various topics such as: +Conferencing, Tracing, Pen registers, Calling cards, and some basic FMF (Fool +the Mother Fuckers). The aspects covered here are very brief and could easily +be covered much more thoroughly, but it is no problem since they are not very +important topics. Something that would make a very nice gift is covered in the +article AT&T forgery. Just make up stationary with AT&T letter head and give +it as a present to your phriends who would appreciate it. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 69 + + + + + The Official Phreaker's Manual + + Phreaking COSMOS + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + COSMOS is Bell's computer for handling information on customer lines, +special services on lines, and orders to change line equipment, disconnect +lines, etc. COSMOS stands for Computerized System for Mainframe Operations. It +is based on the UNIX operating system and, depending upon the COSMOS and upon +your access, has some, many, or no UNIX standard commands. COSMOS is powerful, +but there is no reason to be afraid of it. This article will give some of the +basic, pertinent info on how users get in, account format, and a few other +goodies. + + Password Identification + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + To get onto COSMOS you need a dialup, account, password, and wire center +(WC). Wire centers are two letter codes that tell what section of the COSMOS +you are in. There are different WC's f or different areas and groups of +exchanges. Examples are PB, SR, LK, et c. Sometimes there are accounts that +have no password; obviously such accounts are the easiest to hack. + + Checking It Out + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + Let's suppose you have a COSMOS number which you obtained one way or +another. The first thing to do would be to make sure it is really a COSMOS +system, not some other Bell or AT&T computer. To do this, you would call it +and connect your modem,, then hit some returns until you got a response. It +should say: + + ';LOGIN:' or 'NAME:'. + If you enter some garbage it should say: +'PASSWORD:'. + If you hit a return and it says 'WC?', it is a COSMOS system. If it says +something like 'TA%' then you're in business. If it doesn't do any of the +above, then it is either some other kind of system, or, if you're not getting +anything at all, the dialup has probably gone bad. + + Getting In + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + COSMOS has certain accounts that are usually on the system, one of which +might not have a password. They consist of ROOT (most powerful and almost +always on the system), SYS (second most powerful, still many privileges), BIN +(a little less power), PREOP (a little less), and COSMOS (hardly any +privileges, like a normal user). The way to tell if they have passwords is by +entering accounts at the ';LOGIN:' or ' NAME:' prompt, and if it jumps straight +to 'WC?', all you need is a WC to get in. But suppose all of the accounts have +passwords? You have two choices. You can try to hack the password and WC to +one of the above accounts. I won't deal with this method, as is +self-explanatory. Or you can do something I find much easier...call the +COSMOS during business hours and hope that someone forgot to log off. Keep +calling until when you connect and hit return until you get a 'WC%' prompt. +'WC' is the WC that the account you found is currently in. You are now in! + + What to Do while on-line + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + + Page 70 + + + + + The Official Phreaker's Manual + + The first thing you want to do is write down the WC you are in. Only on our +first login it is a good idea to print everything or dump everything to a +buffer. + + Commands + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +'WCFLDS'(!) : Should list all WC's. +'WHO' : Should print everyone currently logged on the system, giving +some accounts. +'TTY' : Tells what terminal port you are on. +'WHERE' : Should tell the location of the COSMOS installation. +'WHAT' : Tells what version of COSNIX, COSMOS's operating system, it +is. +'LS *' : Prints all the files you have access to. +'CD /dir' : Connects you to the directory '/dir'. +'CAT filename ' : Prints the file 'filename'. +'Q' : Quits the editor. +CTRL- Y. : Logs off +'TAT' : Sometimes prints a little help file. +'ISH' : Check someone's telefone #, type 'ISH' at the COSMOS 'WC%' +prompt. Then type. +'HTN XXX-XXXX' : (Hunt Telephone Number) to tell you about the local number +you are interested in. + +'CAT /ETC/PASSWD': Prints out the password file, if you have access. The +passwords are almost always encrypted, but you get a list of all the accounts. +If you are lucky, one of the lines will have two colons after the account name. +This means there is no prompt from the ';LOGIN:' or 'NAME:' prompts when you +enter that account. + +To run a file just type the name followed by a return. + + When the system gives you a '-', you type a '.', and it will type all kinds +of info on the phone number you entered (in Bell abbreviations, of course). If +it is not a good exchange, it will say something to that effect. You type a +period to end the ISH. + If you wish to learn more information about COSMOS, find yourself a COSMOS +manual or look at future issues of 2600. A UNIX manual would also be helpful +for standard UNIX commands. + + + + + + + + + + + + + + + + + + + + + Page 71 + + + + + The Official Phreaker's Manual + + FACS FACTS + A LOOK AT THE NEW FACS SYSTEMS + BY SHARP RAZOR + + + BELL ATLANTIC (AND PROBABLY THE REST OF THE U.S. SOON ENOUGH) IS REVAMPING +COSMOS. THE PROJECT IS CALLED FACS (FACILITATED ASSIGNMENT AND CONTROL +SYSTEM).FACS IS COMPOSED OF 5 MODULES WHICH ARE DESIGNED TO FUNCTION AS A +UNIFIED SYSTEM. THE PREMIS AND THE COSMOS SYSTEMS CAN FUNCTION AS ST AND-ALONE +SYSTEMS.THE FIVE PARTS OF FACS ARE PREMIS,SOAC, LFACS,COSMOS,AND THE WM. + + THE PREMIS (PREMISES INFORMATION SYSTEM) SUPPORTS BOTH RESIDENCE AND +BUSINESS ACCOUNTS. PREMIS IS USED FOR VARIOUS INQUIRIES FOR THE STREET ADDRESS +GUIDE(SAG),IE::PHONE NUMBERS,BILLING CHARGES,CREDIT,ETC. + + THE SECOND PART OF FACS IS THE SOAC(SERVICE ORDER ANALYSIS AND CONTROL). +THIS IS PRIMARILY USED TO INPUT SERVICE ORDER DATA INTO FACS, AND TO GET THE +APPROPRIATE OUTPUT. SOAC INTERPRETS, VALIDATES,AND DECOMPOSES ALL INPUTED DATA +AND SENDS THE INFO TO THE COSMOS AND THE LFACS SYSTEMS. + + THE THIRD PART OF THE SYSTEM IS LFACS(LOOP FACILITIES AND CONTROL SYSTEM). +THIS IS THE COMPONENT OF FACS THAT IS RESPONSIBLE FOR MAINTAINING THE +INVENTORY,DOING THE ASSIGNMENTS, ADMINISTRATING INQUIRIES AND REPORTS, AND IS +THE INVENTORY TRANSFORMATION CENTER. THIS PART OF FACS WILL BE MOSTLY USED FOR +AIDING THE AT&T LINEMEN. + + THE COSMOS SYSTEM(COMPUTER SYSTEM FOR MAINFRAME OPERATIONS) COMPRISES THE +FOURTH PART OF THE FACS SYSTEM. COSMOS IS THE COMPONENT OF FACS THAT IS +RESPONSIBLE FOR MAINTAINING THE MECHANIZED INVENTORY OF MDF FACILITIES,STORING +CUSTOM CALL FEATURES(IE:SPEED DIALING NUMBERS),AND OTHER MISC. INFO. + + THE FIFTH AND LAST PIECE OF THE FACS SYSTEM IS THE WORK MANAGER (WM). HIS +COMPONENT SERVES AS THE FRONT-END PROCESSOR FOR COSMOS. IT ENABLES A NUMBER OF +COSMOS COMPUTERS TO RELIABLY COMMUNICATE WITH THE OTHER FACS COMPONENTS. WM +SERVES AS THE MESSAGES SWITCHING SYSTEM FOR THE FACS PIECES, AND GENERALLY IS +THE "MESSENGER AND STABILIZER" OF THE SYSTEM. + + THE HARDWARE THAT WILL RUN THIS FACS SYSTEM IS: + COSMOS: 22-WECO. 3B-20S MINI COMPS. + WM: 6-WECO. 3B-20S MINI COMPS. + SOAC-LFACS-PREMIS: TWO SPERRY UNIVAC 1100/92 MAINFRAMES. + BANCS 2 THP CYBER 1000 PROCESSORS. + + THE FACS SYSTEM IS STARTING UP AT THIS VERY MOMENT. THIS IS BASICALLY A +BROAD VIEW OF THE FACS SYSTEM. AT&T SEEMS TO THINK THAT FACS WILL BE MORE +EFFICIENT,SAVE THEM MONEY IN THE LONG RUN, AND SAVE THEM WORKERS(HERE COME SOME +MASSIVE LAYOFFS!) WHAT THIS MEANS TO PHREAKERS AND HACKERS IS THAT YOU WILL NOW +HAVE AT LEAST FIVE DIAL-UPS IN AN AREA CODE WITH WHICH YOU CAN PHUCK WITH +AT&T! + + ..LATER.. + ..SHARP RAZOR>> + THE LEGION OF DOOM! +(NOTE: THE FACS SYSTEM HAS RECENTLY BEEN PUT INTO OPERATION(SUMMER 84) IN +ST.LOUIS MISSOURI) + + + + + Page 72 + + + + + The Official Phreaker's Manual + + Telenet + + It seems that not many of you know that Telenet is connected to about 80 +computer-networks in the world. No, I don't mean 80 nodes, but 80 networks with +thousands of unprotected computers. When you call your local Telenet- gateway, +you can only call those computers which accept reverse-charging- calls. + If you want to call computers in foreign countries or computers in USA which +do not accept R-calls, you need a Telenet-ID. Did you ever notice that you can +type ID XXXX when being connected to Telenet? You are then asked for the +password. If you have such a NUI (Network-User-ID) you can call nearly every +host connected to any computer-network in the world. Here are some examples: + +026245400090184 :Is a VAX in Germany (Username: DATEXP and leave mail for +CHRIS !!!) +0311050500061 :Is the Los Alamos Integrated computing network (One of the +hosts connected to it is the DNA (Defense Nuclear Agency)!!!) +0530197000016 :Is a BBS in New Zealand +024050256 :Is the S-E-Bank in Stockholm, Sweden (Login as GAMES !!!) +02284681140541 :CERN in Geneva in Switzerland (one of the biggest nuclear +research centers in the world) Login as GUEST +0234212301161 :A Videotex-standard system. Type OPTEL to get in and use the +ID 999_ with the password 9_ +0242211000001 :University of Oslo in Norway (Type LOGIN 17,17 to play the +Multi-User-Dungeon !) +0425130000215 :Something like ITT Dialcom, but this one is in Israel ! ID +HELP with password HELP works fine with security level 3 +0310600584401 :Is the Washington Post News Service via Tymnet (Yes, Tymnet is +connected to Telenet, too !) ID and Password is: PETER You can read the news +of the next day ! + +The prefixes are as follows: +02624 is Datex-P in Germany +02342 is PSS in England +03110 is Telenet in USA +03106 is Tymnet in USA +02405 is Telepak in Sweden +04251 is Isranet in Israel +02080 is Transpac in France +02284 is Telepac in Switzerland +02724 is Eirpac in Ireland +02704 is Luxpac in Luxembourg +05252 is Telepac in Singapore +04408 is Venus-P in Japan +...and so on... Some of the countries have more than one +packet-switching-network (USA has 11, Canada has 3, etc). + +OK. That should be enough for the moment. As you see most of the passwords are +very simple. This is because they must not have any fear of hackers. Only a few +German hackers use these networks. Most of the computers are absolutely easy to +hack !!! So, try to find out some Telenet-ID's and leave them here. If you need +more numbers, leave e-mail. +I'm calling from Germany via the German Datex-P network, which is similar to +Telenet. We have a lot of those NUI's for the German network, but none for a +special Tymnet-outdial-computer in USA, which connects me to any phone #. + +CUL8R, Mad Max + +PS: Call 026245621040000 and type ID INF300 with password DATACOM to get more + + Page 73 + + + + + The Official Phreaker's Manual + +Informations on packet-switching-networks ! + +PS2: The new password for the Washington Post is KING !!!! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 74 + + + + + The Official Phreaker's Manual + + Phreaking AT&T Cards + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + My topic will deal with using an AT&T calling card for automated calls. Ok +to place a call with an AT&T card, lift the handset (PAY PHONE) hit (0) and the +desired area code and the number to call. Also when calling the same number +that the card is being billed to you enter the phone number and at the tone +only enter the last four digits on the card. But we don't want to do that now, +do we. If additional calls are wanted all you do is hit the (#) and you will +get a new dial tone! After you hit (#) you do not have to re-enter the calling +card number simply enter your desired number and it will connect you. + If the number you called is busy just keep hitting (#) and the number to be +called until you connect! Ok to calL the U.S. of a from another country, you +use the exact same format as described above! + Ok now I will describe the procedure for placing calls to a foreign +country, such as CANADA,RUSSIA,SOUTH AMERICA, etc.. Ok first lift the handset +then enter (01) + the country code + the city code + the local telephone +number. Ok after you get the tone enter the AT&T calling card number. Ok if you +can not dial operator assisted calls from your area don't worry just jingle the +operator and she will handle your call, don't worry she can't see you! + The international number on the AT&T calling card is used for calling the +US of A from places like RUSSIA, CHINA you never know when you might get stuck +in a country like those and you have no money to make a call! The international +operator will be able to tell you if they honor the AT&T calling card. + Well I hope that this has straightened out some of your problems on the use +of an AT&T calling card! All you have to remember is that weather you are +placing the call or the operator, be careful and never use the calling card +from your home phone!! That is a BIG NO NO.. + + Also AT&T has came out with a new thing called (NEW CARD CALLER SERVICE) +they say that it was designed to meet the public's needs! These phones will be +popping up in many place such as airport terminals, hotels, etc... What the new +card caller service is, is a new type of phone that has a (CRT) screen that +will talk to you in a language of your choice. The service works something +like this, when you find a (NEW CARD CALLER PHONE), all you do is follow the +instructions on the (CRT) screen, then you insert the (NEW CARD CALLER CARD) +and there is a strip of magnetic tape on the card which reads the number, thus +no one can hear you saying your number or if there were a bug in the phone,no +touch tones will be heard!! You can also bill the call to a third party. that +is one that I am not totally clear on yet! The phone is supposed to tell you +how it can be done. That is after you have inserted your card and lifted the +receiver! + + + + + + + + + + + + + + + + + + Page 75 + + + + + The Official Phreaker's Manual + + :%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%: + :% %: + :% AT&T FORGERY %: + :% Written by The Blue Buccaneer %: + :% %: + :% CALL THE EVERLASTING SPEED DEMON BBS AT (415) 522-3074 %: + :% Uploaded by Elric of Imrryr of Lunatic Labs UnLtd %: + :%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%: + + +Here is a very simple way to either: + +[1] Play an incredibly cruel and realistic joke on a phreaking friend. + -OR- +[2] Provide yourself with everything you ever wanted to be an AT&T person. + + All you need to do is get your hands on some AT&T paper and/or business +cards. To do this you can either go down to your local business office and +swipe a few or call up somewhere like WATTS INFORMATION and ask them to send +you their information package. They will send you: +1. A nice letter (with the AT&T logo letterhead) saying "Here is the info." +2. A business card (again with AT&T) saying who the sales representative is. +3. A very nice color booklet telling you all about WATTS lines. +4. Various billing information. (Discard as it is very worthless) + + Now take the piece of AT&T paper and the AT&T business card down to your +local print/copy shop. Tell them to run you off several copies of each, but to +leave out whatever else is printed on the business card/letter. If they refuse +or ask why, take your precious business elsewhere. +(This should only cost you around $2.00 total) + + Now take the copies home and either with your typewriter, MAC, or Fontrix, +add whatever name, address, telephone number, etc. you like. (I would recommend +just changing the name on the card and using whatever information was on there +earlier) + + And there you have official AT&T letters and business cards. As mentioned +earlier, you can use them in several ways. Mail a nice letter to someone you +hate (on AT&T paper..hehehe) saying that AT&T is onto them or something like +that. (Be sure to use correct English and spelling) (Also do not hand write +the letter! Use a typewriter! - Not Fontrix as AT&T doesn't use OLD ENGLISH or +ASCII BOLD when they type letters. Any IBM typewriter will do perfectly) + + Another possible use (of many, I guess) is (if you are old enough to look +the part) to use the business card as some sort of fake id. + + The last example of uses for the fake AT&T letters & b.cards is mentioned in +my textfile, BASIC RADIO CALLING. Briefly, send the station a letter that +reads: + WCAT - FM202: (Like my examples? Haha!) +(As you probably know, radio stations give away things by accepting the 'x' +call. (ie: The tenth caller through wins a pair of Van Halen tickets) Sometimes +they may ask a trivia question, but that's your problem. Anyway, the letter +continues:) + (You basically say that they have become so popular that they are getting too +many calls at once from listeners trying to win tickets. By asking them to +call all at the same time is overloading our systems. We do, of course, have +means of handling these sort of matters, but it would require you sending us a + + Page 76 + + + + + The Official Phreaker's Manual + +schedule of when you will be asking your listeners to call in. That way we +would be able to set our systems to handle the amount of callers you get at +peak times..(etc..etc..more BS..But you get the idea, right?) + +Joseph Hakimout +AT&T Telecommunications +East Bumblefuck, Nowheresville 55555 + + + Ok, so it probably won't work (DJs just aren't that dumb, unless you really +do live in Nowheresville), but using AT&T paper and a business card might up +your chances some. + + :-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:- + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 77 + + + + + The Official Phreaker's Manual + + =><---------------------------------><= + => A little something about <= + => Your phone company <= + =><---------------------------------><= + => By Col. Hogan <= + ======================================== + + Ever get an operator who gave you a hard time, and you didn't know +what to do? Well if the operator hears you use a little Bell jargon, she might +wise up. Here is a little diagram (excuse the artwork) of the structure of +operators + +/--------\ /------\ /-----\ +!Operator!-- > ! S.A. ! --->! BOS ! +\--------/ \------/ \-----/ + ! + ! + V +/-------------\ +! Group Chief ! +\-------------/ + + Now most of the operators are not bugged, so they can curse at you, if they +do ask INSTANTLY for the "S.A." or the Service Assistant. The operator does not +report to her (95% of them are hers) but they will solve most of your problems. +She MUST give you her name as she connects & all of these calls are bugged. If +the SA gives you a rough time get her BOS (Business Office Supervisor) on the +line. S/He will almost always back her girls up, but sometimes the SA will get +tarred and feathered. The operator reports to the Group Chief, and S/He will +solve 100% of your problems, but the chances of getting S/He on the line are +nill. + If a lineman (the guy who works out on the poles) or an installation man +gives you the works ask to speak to the Installation Foreman, that works +wonders. + Here is some other bell jargon, that might come in handy if you are having +trouble with the line. Or they can be used to lie your way out of +situations.... + + An Erling is a line busy for 1 hour, used mostly in traffic studies A +Permanent Signal is that terrible howling you get if you disconnect, but don't +hang up. + Everyone knows what a busy signal is, but some idiots think that is the +*Actual* ringing of the phone, when it just is a tone "beeps" when the phone is +ringing, wouldn't bet on this though, it can (and does) get out of sync. + When you get a busy signal that is 2 times as fast as the normal one, the +person you are trying to reach isn't really on the phone, (he might be), it is +actually the signal that a trunk line somewhere is busy and they haven't or +can't reroute your call. Sometimes you will get a Recording, or if you get +nothing at all (Left High & Dry in fone terms) all the recordings are being +used and the system is really overused, will probably go down in a little +while. This happened when Kennedy was shot, the system just couldn't handle the +calls. By the way this is called the "reorder signal" and the trunk line is +"blocked". + One more thing, if an overseas call isn't completed and doesn't generate +any money for AT&T, is is called an "Air & Water Call". + + + + + Page 78 + + + + + The Official Phreaker's Manual + + [ESSENCE OF TELEPHONE CONFERENCING] + [WRITTEN BY:] + [FOREST RANGER] + + TELEPHONE CONFERENCING IS AN EASY WAY OF GETTING MANY FRIENDS TOGETHER AT +ONCE. THIS CAN BE ACCOMPLISHED EASILY WITH LITTLE OR NO TROUBLE WHAT SO EVER. +THE TECHNIQUES THAT I WILL TEACH YOU DO NOT REQUIRE A BLUE BOX OR A TOUCH TONE +PHONE LINE. THE ONLY PREREQUISITE IS THAT YOU HAVE A PHONE THAT HAS A TONE +SWITCH ON IT OR HAVE A HOOKABLE TOUCH TONE KEYPAD. NOW, IF YOU ARE THE PARANOID +TYPE OF PERSON AND REFUSE TO USE YOUR OWN PHONE OUT OF YOUR HOUSE THEN HERE ARE +SOME SIMPLE WAYS OF GETTING CONFERENCES STARTED FROM ANOTHER PHONE. GO TO A +MALL OR A PLACE WHERE YOU KNOW THE PHONE IS BEING PAYED FOR BY THE BUSINESS IT +IS IN. + NOW THERE ARE TWO TO CALL THE CONFERENCE OPERATOR; DIAL "0" TO GET YOUR +LOCAL OPERATOR SO SHE CAN PUT YOU THROUGH TO THE CONFERENCE OPERATOR OR DIAL +THE CONFERENCE OPERATOR DIRECTLY IF YOU HAVE THE NUMBER HANDY. THE SYSTEM YOU +WILL BE LINKED UP TO IS CALLED THE "ALLIANCE" SYSTEM. THERE ARE THREE BRANCHES; +1000,2000,3000. + NOW ONCE YOU HAVE GOTTEN THE CONFERENCE OPERATOR YOU TELL HER YOU WOULD +LIKE TO START A CONFERENCE AND YOU WOULD LIKE TO MAINTAIN CONTROL OF IT. SHE +WILL THEN PROCEED TO ASK YOU FOR YOUR NAME AND NUMBER. YOU WILL THEN GIVE HER A +FAKE NAME AND THE NUMBER OF THE PAY PHONE. SHE WILL HANG UP AND CALL YOU BACK +ONCE SHE HAS CHECKED THE NUMBER. THEY USUALLY DON'T REALIZE IT IS A PAYPHONE SO +DON'T THINK IT WON'T WORK! NOW ONCE THE OPERATOR HAS GIVEN YOU CONTROL YOU WILL +THEN PROCEED TO HACK MY VOICE PHONE AND PUT ME ON THE CONFERENCE. + NOW, THE OTHER WAY OF STARTING A CONFERENCE IN WHICH YOU DON'T GET A LIVE +OPERATOR IS A "PBX". WITH THIS YOU WILL CALL A PBX NUMBER AND YOU WILL THEN +RECEIVE A RECORDING OF A BUSINESS OR OFFICE CO. THEN WHEN THE RECORDING IS OVER +YOU WILL HERE A BEEP...THEN AFTER ABOUT 10-30 SECONDS AFTER THE BEEP YOU WILL +GET A DIAL TONE ON THE ON THE END OF THE PBX. YOU WILL THEN TYPE THE PBX CODE +WHICH WILL THEN RESPOND WITH A RECORDING WELCOMING YOU TO THE CONFERENCING +NETWORK (WHICH WILL IN MOST IF NOT ALL BE THE "ALLIANCE" SYSTEM). + IT WILL BE SELF EXPLANATORY FROM THERE. NOW IF YOU DON'T WISH TO CALL THE +CONFERENCE OPERATOR EITHER WAY ALREADY EXPLAINED THEN THERE IS A WAS OF GETTING +YOUR FRIENDS IN CONFERENCE. THIS IS DONE OVER A LOOP EXTENSION. NO ONE WILL +HAVE CONTROL, BUT YOU WILL STILL BE ON CONFERENCE. THIS IS CALLED THE SEVEN +LINE LOOP EXTENSION. THIS MEANS YOU CAN HAVE UP TO SEVEN MEMBERS, BUT THAT IS +IT! THE NUMBER IS IN LA, CA. 213-206-2820. THE LAST WAY I WILL EXPLAIN TO YOU +IF YOU ARE IN DESPERATE NEED OF A CONFERENCE IS TO GO TO PAY PHONE LIKE I +MENTIONED BEFORE ANY MAKE SURE SOME BUSINESS PAYS THE BILL FOR IT THEN CALL THE +CONFERENCE OPERATOR IN THE FASHIONS MENTIONED AND ASK THE CONFERENCE OPERATOR +TO PLACE CONFERENCE CALLS. + THE WILL THEN ASK FOR THE NUMBERS OF THE PEOPLE TO PUT ON CONFERENCE, YOU +GIVE HER THE NUMBERS AND SHE WILL PUT YOU ALL ON CONFERENCE. WHEN YOU ARE DONE +YOU WILL HANG UP ON HER SO THERE WILL BE NO ONE IN CONTROL.THAT MEANS THE +CONFERENCE WILL BE BILLED TO THE PAYPHONE AND NO ONE CAN BE BLAMED FOR THE +CONFERENCE DUE TO NO ONE BEING IN CONTROL! ***NOTE*** THE CONFERENCE OPERATOR +WILL NOT BE ON WHILE YOU ARE ALL TALKING! REMEMBER THAT CONFERENCES ARE NOT +HARD AND IT IS VERY HARD TO GET ARRESTED ON ONE DUE TO WHAT I HAVE MENTIONED. + + REMEMBER:REACH OUT AND PHREAK SOMEONE! + + + +[TELEPHONE CONFERENCE CONTROLS] + + # - CONTROL MODE + # - 6 PASSES CONTROL + + Page 79 + + + + + The Official Phreaker's Manual + + # - 1 + AREA CODE & NUMBER ADDS + # - 9 SILENT MODE + # - 7 GETS CONFERENCE OPERATOR + * - ENDS CONFERENCE + + + THE "#" IS THE CONTROL KEY ON YOUR CONFERENCES. WHEN YOU PASS CONTROL TO +SOMEONE ELSE HIT THE "#" THEN "6". WAIT FOR THE RECORDING TO SAY ENTER # OF +PERSON TO PASS CONTROL TO, THEN ENTER THE NUMBER OF THE PERSON YOU ARE GOING TO +GIVE CONTROL TO. + TO ADD A PERSON ON TO THE CONFERENCE HIT "#" THEN "1","AREA CODE","NUMBER". +THEN WHEN THE PERSON ANSWERS WAIT FIVE SECONDS THEN HIT THE "#" TO ADD. IF YOU +ARE IN CONTROL OF THE CONFERENCE AND YOU WANT TO HEAR EVERYONE ELSE, BUT YOU DO +NOT WANT TO BE HEARD IT "#" THEN "9" THEN THE "#" TO REJOIN THE CONFERENCE. +REMEMBER AFTER ADDING SOMEONE ON OR PASSING CONTROL TO SOMEONE YOU MUST ALWAYS +HIT THE "#" TO REJOIN THE OTHERS ON CONFERENCE: PASSING CONTROL: "#","6", WAIT +FOR RECORDING TO SAY ENTER NUMBER OF PARTY TO GIVE CONTROL TO THEN ENTER NUMBER +AND HIT "#" TO REJOIN YOUR CONFERENCE.IF YOU EVER WANT TO GET A CONFERENCE +OPERATOR FOR SOME STRANGE REASON THEN HIT "#","7" AND WAIT FOR A CONFERENCE +OPERATOR TO CLICK ON. TO END A CONFERENCE HIT "*". + + WITH HELP FROM: SILICON FALCON, SILVER CONDOR, AND THE ELIMINATOR. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 80 + + + + + The Official Phreaker's Manual + + Phone Tapping + + HERE IS SOME INFO ON PHONE TAPS. I HAVE ENCLOSED A SCHEMATIC FOR A SIMPLE +WIRETAP & INSTRUCTIONS FOR HOOKING UP A TAPE RECORDER CONTROL RELAY TO THE +PHONE LINE. + FIRST I'LL DISCUSS TAPS A LITTLE. THERE ARE MANY DIFFERENT TYPES OF TAPS. +THERE ARE TRANSMITTERS, WIRED TAPS AND INDUCTION TAPS TO NAME A FEW. WIRED AND +WIRELESS TRANSMITTERS MUST BE PHYSICALLY CONNECTED TO THE LINE BEFORE THEY'LL +DO ANY GOOD. ONCE A WIRELESS TAP IS CONNECTED TO THE LINE, IT CAN TRANSMIT ALL +CONVERSATIONS OVER A LIMITED RANGE. THE PHONES IN THE HOUSE CAN EVEN BE +MODIFIED TO PICK UP CONVERSATIONS IN THE ROOM & TRANSMIT THEM TOO! THESE TAPS +ARE USUALLY POWERED OFF THE PHONE LINE, BUT CAN HAVE AN EXTERNAL POWER SOURCE. + WIRED TAPS, ON THE OTHER HAND, NEED NO POWER SOURCE, BUT A WIRE MUST BE +RUN FROM THE LINE TO THE LISTENER OR TO A TRANSMITTER. THERE ARE OBVIOUS +ADVANTAGES OF WIRELESS TAPS OVER WIRED ONES. THERE IS ONE TYPE OF WIRELESS TAP +THAT LOOKS LIKE A NORMAL TELEPHONE MIKE. ALL YOU HAVE TO DO IS REPLACE THE +ORIGINAL MIKE WITH THIS & IT'LL TRANSMIT ALL CONVERSATIONS! + THERE IS AN EXOTIC TYPE OF WIRED TAP KNOWN AS THE 'INFINITY TRANSMITTER' OR +'HARMONICA BUG'. IN ORDER TO HOOK UP ONE OF THESE, YOU NEED ACCESS TO THE +TARGET TELEPHONE. IT HAS A TONE DECODER & SWITCH INSIDE. WHEN IT IS +INSTALLED, SOMEONE CALLS THE TAPPED PHONE & *BEFORE* IT RINGS, BLOWS A WHISTLE +OVER THE LINE. THE X-MITTER RECEIVES THE TONE & PICKS UP THE PHONE VIA A +RELAY. THE MIKE ON THE PHONE IS ACTIVATED SO THE CALLER CAN HEAR ALL +CONVERSATIONS IN THE ROOM. + THERE IS A SWEEP TONE TEST AT 415/BUG-1111 WHICH CAN BE USED TO DETECT ON +OF THESE TAPS. IF ONE OF THESE IS ON YOUR LINE & THE TEST # SENDS THE CORRECT +TONE, YOU'LL HEAR A CLICK. + INDUCTION TAPS HAVE ONE BIG ADVANTAGE OVER TAPS THAT MUST BE PHYSICALLY +WIRED TO THE PHONE. THEY DON'T HAVE TO BE TOUCHING THE PHONE IN ORDER TO PICK +UP THE CONVERSATION. THEY WORK ON THE SAME PRINCIPLE AS THE LITTLE SUCTION-CUP +TAPE RECORDER MIKES YOU CAN GET AT RADIO SHACK. INDUCTION MIKES CAN BE HOOKED +UP TO A TRANSMITTER OR BE WIRED. HERE IS AN EXAMPLE OF INDUSTRIAL ESPIONAGE +USING THE PHONE: + A SALESMAN WALKS INTO AN OFFICE & MAKES A FONE CALL. HE FAKES THE +CONVERSATION, BUT WHEN HE HANGS UP HE SLIPS SOME FOAM-RUBBER CUBES UNDER THE +HANDSET, SO THE FONE IS STILL OFF THE HOOK. THE CALLED PARTY CAN STILL HEAR +ALL CONVERSATIONS IN THE ROOM. WHEN SOMEONE PICKS UP THE FONE, THE CUBES FALL +AWAY UNNOTICED. + I USE A TAP ON MY LINE TO MONITOR WHAT AE-PRO IS DOING WHEN IT AUTO-DIALS, +SINCE IT DOESN'T TAKE ADVANTAGE OF THE HANDSET ON THE APPLE CAT II. I CAN ALSO +HOOK UP THE TAP TO A CASSETTE RECORDER OR AMPLIFIER. HERE IS THE SCHEMATIC: + +-------)!----)!(-------------> + )!( + CAP ^ )!( + )!( + )!( + )!( + ^^^^^---)!(-------------> + ^ 100K + ! + ! THE HITCHHINKERS <%=- + BRING YOUR TOWEL + + + + + + + + + + + + + + + + + + + + + Page 88 + + + + + The Official Phreaker's Manual + + 2600 Magazine's story on the Private Sector Bust + Uploaded by Elric of Imrryr + Lunatic Labs Unlimited + :::::::::::::::::::::::::::::::::::::::::::::::: + +Typed By Shooting Shark : The following article appeared in the August, 1985 +issue of 2600 Magazine. Subscriptions to 2600 are $12 a year for individuals. +Make checks payable to 2600 Enterprises, Inc. Write to: 2600, Box 752, Middle +Island, NY 11953-0752. Their phone number is 516-751-2600. Text of article +follows. + +SEIZED! +2600 Bulletin Board is Implicated in Raid on Jersey Hackers + + On July 12, 1985, law enforcement officials seized the Private Sector BBS, +the official computer bulletin board of 2600 magazine, for "complicity in +computer theft," under the newly passed, and yet untested, New Jersey Statute +2C:20-25. Police had uncovered in April a credit carding ring operated around +a Middlesex County electronic bulletin board, and from there investigated +other North Jersey bulletin boards. Not understanding subject matter of the +Private Sector BBS, police assumed that the sysop was involved in illegal +activities. Six other computers were also seized in this investigation, +including those of Store Manager [perhaps they mean Swap Shop Manager? - +Shark] who ran a BBS of his own, Beowolf, Red Barchetta, the Vampire, NJ Hack +Shack, sysop of the NJ Hack Shack BBS, and that of the sysop of the Treasure +Chest BBS. + + Immediately after this action, members of 2600 contacted the media, who +were completely unaware of any of the raids. They began to bombard the +Middlesex County Prosecutor's Office with questions and a press conference was +announced for July 16. The system operator of the Private Sector BBS attempted +to attend along with reporters from 2600. They were effectively thrown off +the premises. Threats were made to charge them with trespassing and other +crimes. An officer who had at first received them civilly was threatened with +the loss of his job if he didn't get them removed promptly. Then the car was +chased out of the parking lot. Perhaps prosecutor Alan Rockoff was afraid that +he presence of some technically literate reporters would ruin the effect of his +press release on the public. As it happens, he didn't need our help. + + The next day the details of the press conference were reported to the +public by the press. As Rockoff intended, paranoia about hackers ran rampant. +Headlines got as ridiculous as hackers ordering tank parts by telephone from +TRW and moving satellites with their home computers in order to make free phone +calls. These and even more exotic stories were reported by otherwise +respectable media sources. The news conference understandably made the front +page of most of the major newspapers in the US, and was a major news item as +far away as Australia and in the United Kingdom due to the sensationalism of +the claims. We will try to explain why these claims may have been made in this +issue. + + On July 18 the operator of The Private Sector was formally charged +with"computer conspiracy" under the above law, and released in the custody of +his parents. The next day the American Civil Liberties Union took over his +defense. The ACLU commented that it would be very hard for Rockoff to prove a +conspiracy just "because the same information, construed by the prosecutor to +be illegal, appears on two bulletin boards." especially as Rockoff admitted +that "he did not believe any of the defendants knew each other." The ACLU +believes that the system operator's rights were violated, as he was assumed to + + Page 89 + + + + + The Official Phreaker's Manual + +be involved in an illegal activity just because of other people under +investigation who happened to have posted messages on his board. + + In another statement which seems to confirm Rockoff's belief in guilt by +association, he announced the next day that "630 people were being investigated +to determine if any used their computer equipment fraudulently." We believe +this is only the user list of the NJ Hack Shack, so the actual list of those to +be investigated may turn out to be almost 5 times that. The sheer overwhelming +difficulty of this task may kill this investigation, especially as they find +that many hackers simply leave false information. Computer hobbyists all +across the country have already been called by the Bound Brook, New Jersey +office of the FBI. They reported that the FBI agents used scare tactics in +order to force confessions or to provoke them into turning in others. We would +like to remind those who get called that there is nothing inherently wrong or +illegal in calling any ANY BBS, nor in talking about ANY activity. The FBI +would not comment on the case as it is an "ongoing investigation" and in the +hands of the local prosecutor. They will soon find that many on the Private +Sector BBS's user list are data processing managers, telecommunications +security people, and others who are interested in the subject of the BBS, +hardly the underground community of computer criminals depicted at the news +conference. The Private Sector BBS was a completely open BBS, and police and +security people were even invited on in order to participate. The BBS was far +from the "elite" type of underground telecom boards that Rockoff attempted to +portray. + + Within two days, Rockoff took back almost all of the statements he had +made at the news conference, as AT&T and the DoD [Department of Defense - +Shark] discounted the claims he had made. He was understandably unable to find +real proof of Private Sector's alleged illegal activity, and was faced with +having to return the computer equipment with nothing to show for his effort. +Rockoff panicked, and on July 31, the system operator had a new charge against +him, "wiring up his computer as a blue box." Apparently this was referring to +his Novation Applecat modem which is capable of generating any hertz tone over +the phone line. By this stretch of imagination an Applecat could produce a +2600 hertz tone as well as the MF which is necessary for "blue boxing." +However, each and every other owner of an Applecat or any other modem that can +generate its own tones therefore has also "wired up his computer as a blue box" +by merely installing the modem. This charge is so ridiculous that Rockoff +probably will never bother to press it. However, the wording of WIRING UP THE +COMPUTER gives rockoff an excuse to continue to hold onto the computer longer +in his futile search for illegal activity. + + "We have requested that the prosecutors give us more specific +information," said Arthur Miller, the lawyer for The Private Sector. "The +charges are so vague that we can't really present a case at this point." +Miller will appear in court on August 16 to obtain this information. He is +also issuing a demand for the return of the equipment and, if the prosecutors +don't cooperate, will commence court proceedings against them. "They haven't +been particularly cooperative," he said. + + Rockoff probably will soon reconsider taking Private Sector's case to +court, as he will have to admit he just didn't know what he was doing when he +seized the BBS. The arrest warrant listed only "computer conspiracy" against +Private Sector, which is much more difficult to prosecute than the multitude of +charges against some of the other defendants, which include credit card fraud, +toll fraud, the unauthorized entry into computers, and numerous others. + + Both Rockoff and the ACLU mentioned the Supreme Court in their press + + Page 90 + + + + + The Official Phreaker's Manual + +releases, but he will assuredly take one of his stronger cases to test the new +New Jersey computer crime law. by seizing the BBS just because of supposed +activities discussed on it, Rockoff raises constitutional questions. Darrell +Paster, a lawyer who centers much of his work on computer crime, says the New +Jersey case is "just another example of local law enforcement getting on the +bandwagon of crime that has come into vogue to prosecute, and they have +proceeded with very little technical understanding, and in the process they +have abused many people's constitutional rights. What we have developing is a +mini witch hunt which is analogous to some of the arrests at day care centers, +where they sweep in and arrest everybody, ruin reputations, and then find that +there is only one or two guilty parties." We feel that law enforcement, not +understanding the information on the BBS, decided to strike first and ask +questions later. + + 2600 magazine and the sysops of the Private Sector BBS stand fully behind +the system operator. As soon as the equipment is returned, the BBS will go +back up. We ask all our readers to do their utmost to support us in our +efforts, and to educate as many of the public as possible that a hacker is not +a computer criminal. We are all convinced of our sysop's innocence, and await +Rockoff's dropping of the charges. + +NOTE: Readers will notice that our reporting of the events are quite different +than those presented in the media and by the Middlesex County Prosecutor. We +can only remind you that we are much closer to the events at hand than the +media is, and that we are much more technologically literate than the Middlesex +County Prosecutor's Office. The Middlesex County Prosecutor has already taken +back many of his statements, after the contentions were disproven by AT&T and +the DoD. One problem is that the media and the police tend to treat the seven +cases as one case, thus the charges against and activities of some of the +hackers has been extended to all of the charged. We at 2600 can only speak +about the case of Private Sector. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 91 + + + + + The Official Phreaker's Manual + + Chapter 4 + + By now I assume that the reader has a fair idea of what phreaking is, and +know a little bit about how to go about it. From now on, I will assume that +the reader has read all the material before this or understands all the +material covered. Now we will take a journey into the "Basics of +Telecommunications" and learn a little about how everything works, and is +related to everything else. This series of articles is extremely good and +should be read by all levels of phreaks. + As we go further into the advanced world of phreaking, we come closer to the +edge of technology. As we approach it, everything seems to become larger and +more complicated. We notice that many things that were possible aren't +anymore. Blue boxing is starting to become the only method of exploration as +Equal Access looms nearer and nearer. As it stands now, equal access is here, +and many LD services such as Sprint and MCI will be tougher to hack. Extenders +will become more used and abused, which will cause them to get access codes +miles long... + Blue boxing becomes harder as all Bell switching and transmission facilities +go under to CCIS. Then to further complicate things, digital microwave, fiber +optic, and satellite transmission are all coming to be digital and do not +recognize 2600hz for the hang up signal. I predict that around 1990, blue +boxes will be obsolete from all major cities. A new type of box will have to +be invented, or you'll have to get two fone line to phreak with, on to place +the actual call and the other to tap into a COSMOS computer to change the +status of the call from toll to toll-free, ie. 800#. + Well somethings will change for the better, with ISDN you'll get 144k bps +lines and some other neat stuff. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 92 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * BASIC TELECOMMUNICATIONS * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART II * + * * + ************************************************************ + + PREFACE: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN PART II, WE WILL EXPLORE THE VARIOUS SPECIAL BELL#'S, SUCH AS: CN/A, +AT&T NEWSLINES, LOOPS, 99XX #'S, ANI, RINGBACK, AND A FEW OTHERS. + + CN/A: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + CN/A, WHICH STANDS FOR CUSTOMER NAME AND ADDRESS, ARE BUREAUS THAT EXIST SO +THAT AUTHORIZED BELL EMPLOYEES CAN FIND OUT THE NAME AND ADDRESS OF ANY +CUSTOMER IN THE BELL SYSTEM. ALL #'S ARE MAINTAINED ON FILE INCLUDING UNLISTED +#'S. + +HERE'S HOW IT WORKS: + +1) YOU HAVE A # AND YOU WANT TO FIND OUT WHO OWNS IT, E.G. (914) 555-1234. + +2) YOU LOOK UP THE CN/A # FOR THAT NPA IN THE LIST BELOW. IN THE EXAMPLE, THE +NPA IS 914 AND THE CN/A# IS 518-471-8111. + +3) YOU THEN CALL UP THE CN/A # (DURING BUSINESS HOURS) AND SAY SOMETHING LIKE, +"HI, THIS IS JOHN JONES FROM THE RESIDENTIAL SERVICE CENTER IN MIAMI. CAN I +HAVE THE CUSTOMER'S NAME AT 914-555-1234. THAT # IS 914-555-1234." MAKE UP +YOUR OWN REAL SOUNDING NAME, THOUGH. + +4) IF YOU SOUND NATURAL & CHEERY, THE OPERATOR WILL ASK NO QUESTIONS. + + HERE'S THE LIST: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + NPA CN/A # NPA CN/A # + --- ------------ --- ------------ + 201 201-676-7070 517 313-232-8690 + 202 202-384-9620 518 518-471-8111 + 203 203-789-6800 519 416-487-3641 + 204 ****N/A***** 601 601-961-0877 + 205 205-988-7000 602 303-232-2300 + 206 206-382-8000 603 617-787-2750 + 207 617-787-2750 604 604-432-2996 + 208 303-232-2300 605 402-345-0600 + 209 415-546-1341 606 502-583-2861 + 212 518-471-8111 607 518-471-8111 + 213 213-501-4144 608 414-424-5690 + 214 214-948-5731 609 201-676-7070 + 215 412-633-5600 612 402-345-0600 + 216 614-464-2345 613 416-487-3641 + 217 217-525-7000 614 614-464-2345 + 218 402-345-0600 615 615-373-5791 + + Page 93 + + + + + The Official Phreaker's Manual + + 219 317-265-7027 616 313-223-8690 + 301 301-534-11?? 617 617-787-2750 + 302 412-633-5600 618 217-525-7000 + 303 303-232-2300 701 402-345-0600 + 304 304-344-8041 702 415-546-1341 + 305 912-784-9111 703 804-747-1411 + 306 ****N/A***** 704 912-784-9111 + 307 303-232-2300 705 416-487-3641 + 308 402-345-0600 707 415-546-1341 + 309 217-525-7000 709 ****N/A***** + 312 312-769-9600 712 402-345-0600 + 313 313-223-8690 713 713-658-1793 + 314 314-436-3321 714 213-995-0221 + 315 518-471-8111 715 414-424-5690 + 316 816-275-2782 716 518-471-8111 + 317 317-265-7027 717 412-633-5600 + 318 318-227-1551 801 303-232-2300 + 319 402-345-0600 802 617-787-2750 + 401 617-787-2750 803 912-784-9111 + 402 402-345-0600 804 804-747-1411 + 403 403-425-2652 805 415-546-1341 + 404 912-784-9111 806 512-828-2502 + 405 405-236-6121 807 416-487-3641 + 406 303-232-2300 808 212-226-5487 + 408 415-546-1341 BERMUDA ONLY + 412 412-633-5600 809 212-334-4336 + 413 617-787-2750 812 317-265-7027 + 414 414-424-5690 813 813-228-7871 + 415 415-546-1132 814 412-633-5600 + 416 416-487-3641 815 217-525-7000 + 417 314-436-3321 816 816-275-2782 + 418 514-861-6391 817 214-948-5731 + 419 614-464-2345 819 514-861-6391 + 501 405-236-6121 901 615-373-5791 + 502 502-583-2861 902 902-421-4110 + 503 503-241-3440 903 ****N/A***** + 504 504-245-5330 904 912-784-9111 + 505 303-232-2300 906 313-223-8690 + 506 506-657-3855 907 ****N/A***** + 507 402-345-0600 912 912-784-9111 + 509 206-382-8000 913 816-275-2782 + 512 512-828-2501 914 518-471-8111 + 513 614-464-2345 915 512-828-2501 + 514 514-861-6391 916 415-546-1341 + 515 402-345-0600 918 405-236-6121 + 516 518-471-8111 919 912-784-9111 + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + BELL USES THESE #'S MAINLY TO FIND OUT WHO OWNS A # THAT A CUSTOMER CLAIMS +HE NEVER CALLED. + +NOTE: THIS IS THE MOST COMPLETE LIST OF CN/A #'S IN MY POSSESSION (WITH ONLY +5 #'S NOT AVAILABLE) THIS LIST WAS COPYRIGHTED IN 1982 BY "JUDAS GERARD" AS IT +ORIGINALLY APPEARED IN TAP ISSUE #78. + AT&T NEWSLINES: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + NEWSLINES ARE RECORDINGS THAT BELL EMPLOYEES CALL UP TO FIND OUT THE LATEST + + Page 94 + + + + + The Official Phreaker's Manual + +INFO ON STOCK, TECHNOLOGY, ETC. CONCERNING THE BELL SYSTEM. + + HERE ARE THE #'S THAT ARE CURRENTLY KNOWN TO PHREAKS (AT LEAST ME, ANYWAY): + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + 201-483-3800 NJ 513-421-9060 OH + 203-771-4920 CT 516-234-9914 NY + 212-393-2151 NY 518-471-2272 NY + 213-621-4141 CA 617-955-1111 MA + 213-829-0111 CA (GTE) 702-789-6711 NV + 213-449-8830 CA 713-224-6116 TX + 312-368-8000 IL 714-238-1111 CA + 313-223-7223 MI 717-255-5555 PA + 314-247-5511 MO 717-787-1031 PA + 408-493-5000 CA 802-955-1111 VE + 412-633-3333 PA 808-533-4426 HI + 414-678-3511 WI 813-223-5666 FL + 416-929-4323 ONT. 914-948-8100 NY + 503-228-6271 OR 916-480-8000 CA + + LOOPS + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + FIRST OF ALL, YOU MUST UNDERSTAND THE CONCEPT OF LOOPS. I THINK THAT THE +BEST WAY THAT THIS IS UNDERSTOOD IS THE WAY THAT PHRED PHREEK EXPLAINED IT... + + "NO SELF-RESPECTING PHONE PHREAK CAN GO THROUGH LIFE WITHOUT KNOWING WHAT A +LOOP IS, HOW TO USE ONE, AND THE TYPES THAT ARE AVAILABLE. THE LOOP IS A GREAT +ALTERNATIVE COMMUNICATION MEDIUM THAT HAS MANY POTENTIAL USES THAT HAVEN'T EVEN +BEEN TAPPED YET. IN ORDER TO EXPLAIN WHAT A LOOP IS, IT WOULD BE HELPFUL TO +VISUALIZE TWO PHONE NUMBERS (LINES) JUST FLOATING AROUND IN THE TELCO CENTRAL +OFFICE (CO). NOW, IF YOU (AND A FRIEND PERHAPS) WERE TO CALL THESE TWO NUMBERS +AT THE SAME TIME, POOOOPFFF!!!, YOU ARE NOW CONNECTED TOGETHER. I HEAR WHAT +YOU'RE SAYING OUT THERE..., "BIG DEAL" OR "WHY SHOULD MA BELL COLLECT HERE TWO +MSU'S (MESSAGE UNITS) FOR ONE LOUSY PHONE CALL!?" WELL... THINK AGAIN. HAVEN'T +YOU EVER WANTED SOMEONE TO CALL YOU BACK BUT, WERE RELUCTANT TO GIVE OUT YOUR +HOME PHONE NUMBER (LIKE THE LAST TIME YOU TRIED TO GET YOUR FRIEND'S UNLISTED # +FROM THE BUSINESS OFFICE)? OR HOW ABOUT A COLLECT CALL TO YOUR FRIEND WAITING +ON A LOOP, WHO WILL GLADLY ACCEPT THE CHARGES? OR BETTER YET, STUMBLING UPON A +LOOP THAT YOU DISCOVER THAT HAS MULTI-USER CAPABILITY (FOR THOSE LATE-NIGHT +CONFERENCES). BEST OF ALL IS FINDING A NON-SUPERVISED LOOP THAT DOESN'T CHARGE +ANY MSU'S OR TOLLS TO ONE OR BOTH PARTIES. EXAMPLE: MANY MOONS AGO, A LOOP +AFFECTIONATELY KNOWN AS 'THE 332 LOOP' WAS NON-SUP (IE, NON-SUPERVISED) ON THE +TONE SIDE. I HAD MY FRIEND IN CALIFORNIA DIAL THE FREE (NON-SUP) SIDE, (212) +332-9906 AND I DIALED THE SIDE THAT CHARGED, 332-9900. AS YOU CAN SEE, I WAS +CHARGED ONE MSU, AND MY FRIEND AS CHARGED ZILCH, FOR AS LONG AS WE WISHED TO +TALK!!!" + + ********** + + AHHH...HAVE I PERKED YOUR INTEREST YET? IF SO, HERE IS HOW TO FIND A LOOP +OF YOU VERY OWN. FIRST, DO ALL OF YOU LOOP SEARCHING AT NIGHT! THIS IS BECAUSE +THE LOOPS SERVE A GENUINE TEST FUNCTION WHICH TELCO USES DURING THE DAY. (WE +DON'T WANT TO RUN INTO AN IRATE LINEMAN NOW, DO WE?) TO FIND A LOOP, HAVING 2 +#'S IS A DEFINITE PLUS. IF NOT, HAVE A FRIEND TO DIAL #'S AT HIS LOCATION. +LAST RESORT, TRY DIALING FROM TWO ADJACENT PAY PHONES. NOW GET YOUR TRUSTY +WHITE PAGES (*), AND TURN TO THE PAGE WHERE IT LISTS THE # OF MSU'S FROM YOUR +EXCHANGE (OR EXCHANGES IN YOUR PRIMARY CALLING AREA) THE IDEA IS TO FIND A LOOP + + Page 95 + + + + + The Official Phreaker's Manual + +THAT IS WITHIN YOUR PRIMARY CALLING AREA OR IS ONLY 1 MSU IN YOUR AREA (CALL +AREA A). THIS IS SO YOU DON'T GO BANKRUPT TRYING TO FIND A LOOP. WRITE DOWN ALL +OF THESE EXCHANGES AND DO A 99XX SCAN OF THOSE EXCHANGES (99XX SCANNING WILL BE +DISCUSSED SHORTLY). + + BEFORE WE GET UP TO 99XX SCANNING, WE WILL LOOK AT SOME OTHER LOOP INFO: + + LOOPS ARE FOUND PAIRS WHICH ARE USUALLY CLOSE TO EACH OTHER. FOR EXAMPLE, +IN NPA 212, WHERE THE INFAMOUS LOOPS ARE FOUND, THERE IS A STANDARD LOOP +FORMAT: + +MANHATTAN & BRONX-------NNX-9977/9979 +BROOKLYN & QUEENS-------NNX-9900/9906 + + NNX IS THE EXCHANGE TO BE SCANNED. HERE ARE SOME LOOPS THAT HAVE BEEN FOUND +IN NYC. THESE ARE USED MOSTLY BY PHREAKS AND CALL-IN LINES FOR PIRATE RADIO +STATIONS: + +212-220-9900/9906 +212-283-9977/9979 +212-352-9900/9906 +212-365-9977/9979 +212-529-9900/9906 +212-562-9977/9979 +212-982-9977/9979 +212-986-9977/9979 + + THE LOWER # IS THE TONE SIDE (SINGING SWITCH). THE HIGHER # IS ALWAYS +SILENT. THE TONE DISAPPEARS ON THE LOWER # WHEN SOMEBODY DIALS IN THE OTHER +SIDE OF THE LOOP. IF YOU ARE ON THE HIGHER #, YOU'LL HAVE TO LISTEN TO THE +CLICKS TO SEE IF SOMEBODY DIALED-IN. THE NYC 982 & 986 LOOPS ARE DIFFERENT +FROM OTHERS. USUALLY WHEN YOU PARK ON A LOOP, YOU WILL HEAR WHO EVER CALLS IN +ON THE OTHER HALF. WHEN THEY'RE DONE, THE NEXT CALLER (IF ANY) WILL BE QUEUED +IN, ONE AFTER ANOTHER. ON THE NYC 982 & 986, YOU SOMETIMES CAN'T GET ANY MORE +CALLERS IN AFTER THE FIRST. FURTHERMORE, IF YOU PARK ONE OF THESE LOOPS AND +THERE IS NOBODY ON THE OTHER END FOR MORE THAN 4 MINUTES, YOU MAY BE +AUTOMATICALLY DISCONNECTED. THESE LOOPS ARE GOOD FOR BACK-UP PURPOSES WHEN ALL +OTHER LOOPS ARE BUSY. + + 99XX SCANNING: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + MOST EVERY EXCHANGE IN THE BELL SYSTEM HAS A WIDE VARIETY OF TEST #'S AND +OTHER "GOODIES," SUCH AS LOOPS. THESE "GOODIES" ARE USUALLY FOUND BETWEEN 9900 +AND 9999 IN YOUR LOCAL EXCHANGE. IF YOU HAVE THE TIME AND INITIATIVE, SCAN +YOUR EXCHANGE AND YOU MAY BECOME LUCKY! + +HERE ARE MY FINDINGS IN THE 914-268: + +9901 - VERIFICATION (RECORDING OF A/C AND EXCHANGE) +9936 - VOICE # TO THE TELCO CO +9937 - VOICE # TO THE TELCO CO +9941 - CARRIER +9960 - OSC. TONE (TONE SIDE LOOP) +9963 - TONE (STOPS: MUTED) +9966 - CARRIER +9968 - TONE THAT DISAPPEARS--RESPONDS TO CERTAIN TOUCH-TONE KEYS + + + Page 96 + + + + + The Official Phreaker's Manual + + MOST OF THE #'S BETWEEN 9900 & 9999 WILL RING, BE BUSY, GO TO A SPECIAL +INTERCEPT OPERATOR ("WHAT #, PLEASE?"), OR WILL GO TO A "THE # YOU HAVE +REACHED..." RECORDING. WHAT YOU FIND DEPENDS UPON THE SWITCHING EQUIPMENT IN +THE EXCHANGE AND THE TELCO OPERATING COMPANY. + + WHEN SEARCHING FOR LOOPS, YOU MAY FIND ONE OF THE FOLLOWING POSSIBILITIES +WHEN YOU FIND ONE: + +1. YOU CAN HEAR THROUGH THE LOOP (NOT MUTED), BUT THERE IS A 1/2 SECOND CLICK +EVERY 10 SECONDS THAT INTERRUPTS THE AUDIO. THIS TYPE IS GOOD FOR BACK-UP USE +BUT THE FUCKING CLICK IS SUPER ANNOYING. + +2. ONE SIDE OF THE LOOP IS BUSY; TRY IT AGAIN LATER. + +3. THE TONE DISAPPEARS, BUT YOU CANNOT HEAR THROUGH IT (THE LOOP IS MUTED, TRY +AGAIN IN A MONTH OR SO) + +4. YOU GET "THE # YOU HAVE REACHED RECORDING." NO LOOP HERE! + + MOST LOOPS ARE MUTED (#3), BUT THEIR STATUS DOES CHANGES FROM TIME-TO-TIME. +IT ALL DEPENDS IF THE TELCO MAINTENANCE PERSONNEL REMEMBER TO "THROW THE +SWITCH", IE, TURN OFF THE LOOP. + + SINCE I HAVE DONE THE ABOVE 914-268 99XX SCAN, CONGERS (268) HAS INSTALLED +NEW SWITCHING EQUIPMENT (DMS100). SOME OF THE NUMBERS ARE THE SAME, BUT I HAVE +NOTICED THAT ON THE DMS100, THE RECORDINGS ARE ALSO STORED IN THIS AREA. +268-9903, 9906, 9909, & 9912 ARE ALL DIFFERENT RECORDINGS. ALSO, THERE ARE 2 +FORTRESS FONE RECORDINGS AT 268-9911 (DEPOSIT 5 CENTS OR ELSE) AND 268-9913 +(DEPOSIT 10 CENTS). NONE OF THESE RECORDINGS SUPE AND ALOT OF OTHER 99XX#'S +DON'T SUPE EITHER. + + IN SOME AREAS (LIKE MD), 9906-7 IS RINGBACK. IN WASHINGTON, THERE IS A +SWEEP TONE TEST AT (202) 560-9944. IN NYC (212), YOU'LL FIND THE INFAMOUS LOOP +LINES (AS MENTIONED ABOVE). + IT WILL BE EASIER TO SCAN YOUR EXCHANGE IF YOU MAKE UP A CHART LIKE THE ONE +BELOW: + + + NPA-NNX-99XX SCAN + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + _________________________________________________________ + | 99X X>|0 |1 |2 |3 |4 |5 |6 |7 |8 |9 | + |_______|____|____|____|____|____|____|____|____|____|____| + | 990 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 991 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 992 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 993 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 994 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 995 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 996 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + + Page 97 + + + + + The Official Phreaker's Manual + + | 997 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 998 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 999 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THIS LEAVES YOU WITH 100 BOXES (1 FOR EACH # BETWEEN 9900 & 9999). YOU +SHOULD MAKE YOUR BOXES BIG ENOUGH SO YOU CAN WRITE SOME SORT OF SHORTHAND IN +THEM. FOR EXAMPLE: + +B - BUSY (TRY AGAIN AT ANOTHER TIME) +R - RINGS (TRY AGAIN AT ANOTHER TIME) +O - INTERCEPT OPERATOR ("WHAT # YOU CALLING?) +R1- RECORDING 1 (MAKE A MARGIN NOTE OF THE TYPES OF RECORDINGS YOU GET) +T - TONE ] TONE AT A LOWER # + IGNORE +I - IGNORE ] AT A HIGHER # = LOOP +V - VOICE # TO TELCO CO - THEY USUALLY ANSWER WITH THE CITY NAME OR AREA. +C - CARRIER + + THERE WILL BE OTHERS AND YOU SHOULD USE OTHER CHARACTERS THAT YOU CAN +UNDERSTAND. + + NOW, BACK TO LOOPS! AS YOU MAY HAVE NOTICED IN MY 914-268 SCAN, I FOUND A + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/phreak/PHREAKING/pkmanual4.phk b/textfiles.com/phreak/PHREAKING/pkmanual4.phk new file mode 100644 index 00000000..1c02e78e --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/pkmanual4.phk @@ -0,0 +1,2276 @@ +MUTED LOOP AND A TONE SIDE. 914-268 FAILED TO COME UP WITH THE SILENT SIDE OF +A LOOP! THEREFORE, THERE IS NO LOOP IN THAT EXCHANGE. I THEN SCANNED ANOTHER +EXCHANGE IN MY PRIMARY CALLING AREA (914-634) AND I FOUND A LOOP!! "(914) +634-9923/9924" SO, IF AT FIRST YOU DON'T SUCCEED, MOVE ONTO ANOTHER EXCHANGE. +IF YOU USE THE BOX METHOD THAT I HAVE OUTLINED ABOVE, YOU WILL SEE A "T" & "I" +NEXT TO EACH OTHER FOR A LOOP. + SOME EXCHANGES ARE SPECIAL. FOR EXAMPLE, 914-623 IS A TESTING BUREAU. IN +THIS EXCHANGE, NOT ONLY DID I FIND A LOOP, BUT I ALSO FOUND SEVERAL INTERESTING +TONES, NOISES, AND OTHER TEST FUNCTIONS. ALSO, THE MORE IMPORTANT THE EXCHANGE +IS, THE MORE YOU WILL FIND. FOR EXAMPLE, IN 914-623, I FOUND WELL OVER 10 VOICE +#'S! + ALSO, LOOPS ARE USUALLY, BUT NOT EXCLUSIVELY, FOUND IN THE 99XX SERIES. FOR +EXAMPLE: "(713) 324-1799/1499" IS A LOOP. + +THE PERFECT LOOP? HERE IS WHAT I WOULD LOOK FOR: + +1. NON-SUP ON ONE OR BOTH SIDES. TO CHECK FOR A NON-SUP LOOP, GO TO A +TONE-FIRST FORTRESS FONE AND DIAL THE #. IF IT ASKS FOR A DIME, IT IS +SUPERVISED. IF THE CALL GOES THROUGH, THEN IT IS NON-SUPED! + +2. 800 LOOPS WOULD BE A PLUS. THEY ARE NOT NECESSARILY FOUND BETWEEN 9900 & +9999 THOUGH. I WOULD CHECK THE 1XXX SERIES FIRST. + +3. MULTI-USER LOOPS ARE ALSO A PLUS FOR THOSE LATE NIGHT CONFERENCES. + + FINALLY, REMEMBER IT IS ONLY A LOCAL CALL TO FIND OUT WHAT YOU CO HAS IN +STORE FOR YOU. IF YOU FIND ANYTHING INTERESTING, BE SURE TO DROP ME A LINE. + + +NOTE: YOUR LOCAL WHITE PAGES CAN BE A VALUABLE ASSET. YOU CAN ALSO ORDER OTHER +FONE BOOKS FROM YOUR BUSINESS OFFICE (USUALLY FREE FOR BOOKS WITHIN YOUR +OPERATING COMPANY'S DISTRICT). A LARGE FONE BOOK, SUCH AS MANHATTAN, CONTAINS + + Page 98 + + + + + The Official Phreaker's Manual + +MUCH MORE INFO IN THE FIRST FEW PAGES THAN OTHER BOOKS. + + ANI + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + AUTOMATIC NUMBER IDENTIFICATION (ANI), IS A NUMBER THAT YOU CALL UP THAT +WILL TELL YOU WHAT # YOU ARE CALLING FROM. + THIS HAS A FEW USES. FIRST, WERE YOU EVER SOMEWHERE AND THE FONE DIDN'T +HAVE A # PRINTED ON IT? OR PERHAPS YOU WERE FOOLING AROUND IN SOME CANS (THOSE +LARGE BOXES ON FONE POLES THAT CONTAIN TERMINALS FOR LINEMAN USE--TO BE +DISCUSSES IN A FUTURE CHAPTER.) AND YOU WANT TO KNOW WHAT WHAT THE LINE # IS. +IN NPA 914, THE ANI IS 990. IN NPA'S 212 & 516, ANI IS 958. THIS VARIES FROM +AREA TO AREA. + +HERE ARE SOME OTHER ANI'S THAT I HAVE SEEN: + +890-751-5191 +202-222-2222 +1-XXX-1111 (IN SOME 914 AREAS, ESP. UNDER STEP-BY-STEP SWITCHING, YOU HAVE +TO DIAL 1-990-1111) + + TO FIND ANI FOR OTHER AREAS, CHECK 3 DIGITS #'S FIRST, USUALLY IN THE 9XX +SERIES (EXCLUDING 911). IN AREAS UNDER STEP-BY-STEP (TO BE DISCUSSED IN THE +NEXT PART), TRY 1-9XX-1111. + ANI MAY ALSO BE IN 99XX. LAST RESORT, TRY TO GET FRIENDLY WITH YOUR +NEIGHBOR WHO WORKS FOR THE FONE COMPANY. + + RING BACK + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + RINGBACK, AS ITS NAME IMPLIES, CALLS BACK THE # YOU ARE AT WHEN YOU DIAL +THE RINGBACK #. RINGBACK, IN NPA 914, IS 660. YOU DIAL 660+THE LAST 4 DIGITS OF +THE FONE. YOU WILL THEN GET A TONE, HANG-UP QUICKLY AND PICK-UP IN ABOUT 2 +SECONDS. YOU WILL THEN GET A SECOND TONE, HANG-UP AGAIN AND THE FONE WILL +RING. + IN NYC, IT IS ALSO 660, BUT YOU MAY HAVE TO PRESS 6 OR 7 BEFORE YOU HANG UP +FOR THE FIRST TIME (IE, AT THE FIRST TONE). + + OTHER RINGBACK #'S THAT I HAVE SEEN ARE: + +26011 - THIS 5 DIGIT FORMAT IS USED PRIMARILY ON STEP-BY-STEP. +THE LAST 2 DIGITS (11) ARE DUMMY DIGITS. + +890-897-XXXX - XXXX ARE THE LAST 4 DIGITS OF THE FONE #. + +119911/11911/1199911 - GTE + +NNX-9906/9907 - NPA 301, NNX IS THE EXCHANGE + + + THE REASON YOU GET THE TONE WHEN YOU PICK-UP AFTER IT RINGS IS BECAUSE IN +SOME AREAS, PEOPLE WERE USING RINGBACK AS AN IN-HOUSE INTERCOM. THEY WOULD +DIAL RINGBACK, AND WHEN IT STOPPED RINGING, THEY WOULD PICK-UP & TALK WITH THE +PERSON WHO PICKED UP THE OTHER EXTENSION. BELL DIDN'T LIKE THIS SINCE THERE IS +USUALLY ONLY 1 PIECE OF EQUIPMENT IN EACH EXCHANGE THAT DOES THE RINGBACK. WHEN +PEOPLE USED THIS AS AN INTERCOM, LINEMEN & REPAIRMEN COULDN'T GET THROUGH! IN +SOME AREAS, ESPECIALLY THOSE UNDER STEP-BY-STEP, RINGBACK CAN STILL BE USED AS +AN INTERCOM. ALSO, UNDER STEP-BY-STEP, THE RINGBACK PROCEDURE IT USUALLY + + Page 99 + + + + + The Official Phreaker's Manual + +SIMPLE. FOR EXAMPLE, IN ONE AREA YOU WOULD DIAL 26011 AND HANG-UP; IT WOULD +THEN RINGBACK. + + TOUCH-TONE TEST: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN AREAS THAT HAVE A TOUCH-TONE TEST, YOU DIAL THE RINGBACK #. AT THE +FIRST TONE, YOU TOUCH-TONE DIGITS 1-0. IF THEY ARE CORRECT IT WILL BEEP +TWICE. +I HAVE ALSO SEEN A TT TEST IN SOME AREAS AT: 890-751-5191 + + COMING SOON: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN THE NEXT PART, WE WILL LOOK AT VARIOUS SWITCHING EQUIPMENT AND THE +NETWORK. + + + BREAK UP OF BELL: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THE OPERATING COMPANIES ARE NOT GOING TO CHANGE ALL THE SWITCHING EQUIPMENT +AROUND. WHILE THERE WILL BE SOME CHANGES, MOST OF THE INFORMATION PROVIDED +HERE WILL REMAIN PERTINENT AFTER JANUARY 1, 1984. JUST SUBSTITUTE THE WORD +"FONE NETWORK" FOR BELL SYSTEM. + + +AU REVOIR, + +*****BIOC +*=$=*AGENT +*****003 + +DECEMBER 8, 1983 + +ACKNOWLEDGEMENTS: TAP, PHRED PHREEK, JUDAS GERARD, THE MAGICIAN, DARK PRIEST, +& MYSELF. I WOULD ALSO LIKE TO THANK THE MULCHER ][ FOR HIS ASSISTANCE IN +DISTRIBUTING THIS TUTORIAL. + + + + + + + + + + + + + + + + + + + + + + Page 100 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART III * + * * + ************************************************************ + +PREFACE: + + IN PART III, WE WILL DISCUSS THE DIALING PROCEDURES FOR DOMESTIC AS WELL AS +INTERNATIONAL DIALING. WE WILL ALSO TAKE A LOOK AT THE TELEPHONE NUMBERING +PLAN. + +NORTH AMERICAN NUMBERING PLAN +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +IN NORTH AMERICA, THE TELEPHONE NUMBERING PLAN IS AS FOLLOWS: + +A) A 3 DIGIT NUMBERING PLAN AREA (NPA) CODE, [IE, AREA CODE] + +B) A 7 DIGIT TELEPHONE # CONSISTING OF A 3 DIGIT CENTRAL OFFICE (CO) CODE PLUS +A 4 DIGIT STATION #. + + THESE 10 DIGITS ARE CALLED THE NETWORK ADDRESS OR DESTINATION CODE. IT IS +IN THE FORMAT OF: + +AREA CODE TELEPHONE # +--------- ----------- + N*X NXX-XXXX + +WHERE: N = A DIGIT FROM 2-9 + * = THE DIGIT 0 OR 1 + X = A DIGIT 0-9 + +AREA CODES +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + CHECK YOUR TELEPHONE BOOK OR THE SEPARATE LISTING OF AREA CODES FOUND ON +MANY BBS'S. HERE ARE THE SPECIAL AREA CODES (SAC'S): + +510 - TWX (USA) +610 - TWX (CANADA) +700 - NEW SERVICE +710 - TWX (USA) +800 - WATS +810 - TWX (USA) +900 - DIAL-IT SERVICES +910 - TWX (USA) + + THE OTHER AREA CODES NEVER CROSS STATE LINES, THEREFORE EACH STATE MUST +HAVE AT LEAST ONE EXCLUSIVE NPA CODE. WHEN A COMMUNITY IS SPLIT BY A STATE +LINE, THE CO #'S ARE OFTEN INTERCHANGEABLE (IE, YOU CAN DIAL THE SAME # FROM 2 +DIFFERENT AREA CODES) + +TWX: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + Page 101 + + + + + The Official Phreaker's Manual + + + TWX (TELEX II) CONSISTS OF 5 TELETYPE-WRITER AREA CODES. THEY ARE OWNED BY +WESTERN UNION. THESE SAC'S MAY ONLY BE REACHED VIA OTHER TWX MACHINES. THESE +RUN AT 110 BAUD. BESIDES THE TWX #'S, THESE MACHINES ARE ROUTED TO NORMAL +TELEPHONE #'S. TWX MACHINES ALWAYS RESPOND WITH AN ANSWERBACK. FOR EXAMPLE, +WU'S FYI TWX # IS (910) 988-5956, THE CORRESPONDING REAL NUMBER TO THIS IS +(201) 279-5956. THE ANSWERBACK FOR THIS SERVICE IS "WU FYI MAWA." + + IF YOU DON'T WANT TO BUY A TWX MACHINE, YOU CAN STILL SEND TWX MESSAGES +USING EASYLINK [800/325-4112 - SEE TUC'S AND MY ARTICLE ENTITLED "HACKING +WESTERN UNION'S EASYLINK] + +700: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + AT THE TIME OF THIS WRITING, THE 700 EXCHANGE DOES NOT YET EXIST. AT&T +PLANS TO USE IT SOON THOUGH. THEY PLAN TO MAKE IT A TYPE OF FANCY CALL +FORWARDING SERVICE. IT WILL BE TARGETED TOWARDS SALESMEN ON THE RUN. + + TO UNDERSTAND HOW IT WORKS, I'LL EXPLAIN IT WITH AN EXAMPLE. LET'S SAY JOE +Q. SALESPIG WORKS FOR AT&T SECURITY AND HE IS ON THE RUN CHASING A PHREAK +AROUND THE COUNTRY WHO ROYALLY SCREWED UP AN IMPORTANT COSMOS SYSTEM. LET'S +SAY THAT JOE'S 700 # IS (700) 382-5968. EVERY TIME JOE GOES TO A NEW HOTEL, HE +DIALS A SPECIAL 700 #, ENTERS A CODE, AND THE # WHERE HE IS STAYING. NOW, IF +HIS BOSS RECEIVED SOME IMPORTANT INFO, ALL HE WOULD DO IS DIAL (700) 382-5968 +AND IT WOULD RING WHEREVER JOE LAST PROGRAMMED IT TO. NEAT, HUH? + +800: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THIS SAC IS ONE OF MY FAVORITES SINCE IT ALLOWS FOR TOLL-FREE CALLS. + +INWARD WATS (INWATS): INWARD WIDE AREA TELECOMMUNICATIONS SERVICE IS THE 800 +#'S THAT WE ARE ALL FAMILIAR WITH. 800 #'S ARE SET UP IN SERVICE AREAS OR +BANDS. THERE ARE 6 OF THESE. BAND 6 IS THE LARGEST AND YOU CAN CALL A BAND 6 +# FROM ANYWHERE IN THE US EXCEPT THE STATE WHERE THE CALL IS TERMINATED (THIS +IS WHY MOST COMPANIES HAVE ONE 800 # FOR THE COUNTRY AND THEN ANOTHER FOR JUST +ONE STATE). BAND 5 INCLUDES THE 48 CONTIGUOUS STATES. ALL THE WAY DOWN TO +BAND 1 WHICH INCLUDES ONLY THE STATES CONTIGUOUS TO THAT ONE. THEREFORE, LESS +PEOPLE CAN REACH A BAND 1 INWATS # THAT A BAND 6 #. + +INTRASTATE INWATS #'S (IE, YOU CAN CALL IT FROM ONLY 1 STATE) ALWAYS HAVE A 2 +AS THE LAST DIGIT IN THE EXCHANGE (IE, 800-NX2-XXXX). THE NXX ON 800 #'S +REPRESENT THE AREA WHERE THE BUSINESS IS LOCATED. FOR EXAMPLE, A # BEGINNING +WITH 800-431 WOULD TERMINATE AT A NEW YORK CO. + +800 #'S ALWAYS END UP IN A HUNT SERIES IN A CO. THIS MEANS THAT IT TRIES THE +FIRST # ALLOCATED TO THE COMPANY FOR THEIR 8P0 LINES; IF THIS IS BUSY IT WILL +THEN TRY THE NEXT #, ETC). YOU MUST HAVE A MINIMUM OF TWO LINES PER EACH 800 +#. FOR EXAMPLE, TRAVELNET USES A HUNT SERIES. IF YOU DIAL (800) 521-8400, IT +WILL FIRST TRY THE # ASSOCIATED WITH 8400; IF IT IS BUSY IT WILL GO TO THE NEXT +AVAILABLE PORT, ETC. INWATS CUSTOMERS ARE BILLED BY THE # OF HOURS OF CALLS +THAT ARE MADE TO THEIR #. + +OUTWATS (OUTWARD WATS): OUTWATS ARE FOR MAKING OUTGOING CALLS ONLY. LARGE +COMPANIES USE OUTWATS SINCE THEY RECEIVE BULK-RATE DISCOUNTS. SINCE OUTWATS # +CANNOT HAVE INCOMING CALLS, THEY ARE IN THE FORMAT OF: + + + Page 102 + + + + + The Official Phreaker's Manual + +(800) *XX-XXXX + + WHERE * IS THE DIGIT 0 OR 1 WHICH CANNOT BE DIALED UNLESS YOU BOX THE CALL. +THE *XX IDENTIFIES THE TYPE OF SERVICE AND THE AREAS THAT THE COMPANY CAN +CALL. + +REMEMBER: INWATS + OUTWATS = WATS EXTENDER (SEE PART I) +900: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THIS DIAL-IT SAC IS A NATIONWIDE DIAL-IT SERVICE. IT IS USED FOR TAKING +TELEVISION POLLS AND OTHER STUFF. THE FIRST MINUTE CURRENTLY COSTS AN +OUTRAGEOUS 50 CENTS AND EACH ADDITIONAL MINUTE COSTS 35 CENTS. BELL TAKES IN +ALOT OF REVENUE IN THIS WAY. + +DIAL (900) 555-1212 TO FIND OUT WHAT IS CURRENTLY ON THE SERVICE. + +CO CODES: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THESE IDENTIFY THE SWITCHING OFFICE WHERE THE CALL IS TO BE ROUTED. + +THE FOLLOWING CO CODES ARE RESERVED NATIONWIDE: + +555 - DIRECTORY ASSISTANCE +844 - TIME ] THESE ARE NOW IN +936 - WEATHER ] THE 976 EXCHANGE +950 - FUTURE SERVICES +958 - PLANT TEST +959 - PLANT TEST +970 - PLANT TEST (TEMPORARY) +976 - DIAL-IT SERVICES + + ALSO, THE 3 DIGIT ANI & RINGBACK #'S ARE REGARDED AS PLANT TEST AND ARE +THUS RESERVED. THESE NUMBERS VARY FROM AREA TO AREA. + +950: [ALSO SEE PART I] +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +HERE ARE THE SERVICES THAT ARE CURRENTLY ON THE 950 EXCHANGE: + +1000 - SPC +1022 - MCI EXECUNET +1033 - US TELEPHONE +1044 - ALLNET +1066 - LEXITEL +1088 - SBS SKYLINE + +THESE SCC'S (SPECIALIZED COMMON CARRIERS) ARE FREE FROM FORTRESSES! + +Publishers note: Most 950's now require the station code (1022, 1000, 1088, +etc.) to be five digits long. MCI 950-10222, US telefone 10333, ALLNET 10444, +etc. Look in "Equal Access and the American Dream" p. for a complete list. +PLANT TESTS: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +THESE INCLUDE ANI, RINGBACK, AND OTHER VARIOUS TESTS. + + + Page 103 + + + + + The Official Phreaker's Manual + +976: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + DIAL 976-1000 TO SEE WHAT IS CURRENTLY ON THE SERVICE. ALSO, MANY BBS'S +HAVE A LISTING OF THESE #'S. + + +N11 CODES: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + BELL IS TRYING TO PHASE SOME OF THESE OUT, BUT THEY STILL EXIST IN MANY +AREAS. + +011 - INTERNATIONAL DIALING PREFIX +211 - COIN REFUND OPERATOR +411 - DIRECTORY ASSISTANCE +611 - REPAIR SERVICE +811 - BUSINESS OFFICE +911 - EMERGENCY + +INTERNATIONAL DIALING +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + WITH INTERNATIONAL DIALING, THE WORLD HAS BEEN DIVIDED INTO 9 NUMBERING +ZONES. + +TO MAKE AN INTERNATIONAL CALL, YOU MUST DIAL: INT. PREFIX + COUNTRY CODE + NAT. +# + + IN NORTH AMERICA, THE INTERNATIONAL DIALING PREFIX IS 011 FOR +STATION-TO-STATION CALLS AND 01 FOR OPERATOR- SERVICED CALLS. IDDD STANDS FOR +INTERNATIONAL DIRECT DISTANCE DIALING. + + THE COUNTRY CODE, WHICH VARIES FROM 1 TO 3 DIGITS, ALWAYS HAS THE WORLD +NUMBERING ZONE AS THE FIRST DIGIT. FOR EXAMPLE, THE COUNTRY CODE FOR THE +UNITED KINGDOM IS 44, THUS IT IS IN WORLD NUMBERING ZONE 4. + + SOME BOARDS MAY CONTAIN A COMPLETE LISTING OF OTHER COUNTRY CODES, BUT HERE +ARE A FEW: + +001 - NORTH AMERICA (US, CANADA,ETC) +020 - EGYPT +258 - MOZAMBIQUE +034 - SPAIN +049 - GERMANY +052 - MEXICO (SOUTHERN PORTION) +061 - AUSTRALIA +007 - USSR +081 - JAPAN +098 - IRAN + + IF YOU CALL FROM AN AREA OTHER THAN NORTH AMERICA, THE FORMAT IS GENERALLY +THE SAME. FOR EXAMPLE, LET'S SAY YOU WANTED TO CALL THE WHITE HOUSE FROM +SWITZERLAND. FIRST YOU WOULD DIAL 00 (THE SWISS INTERNATIONAL DIALING PREFIX), +THEN 1 (THE US COUNTRY CODE), FOLLOWED BY 202-456-1414 (THE NATIONAL # FOR THE +WHITE HOUSE). + + ALSO, COUNTRY CODE 87 IS RESERVED FOR MARITIME MOBILE SERVICE, IE CALLING + + Page 104 + + + + + The Official Phreaker's Manual + +SHIPS: + +871 - MARISAT (ATLANTIC) +872 - MARISAT (PACIFIC) +873 - MARISAT (INDIAN ) + +INTERNATIONAL SWITCHING: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN NORTH AMERICA, THERE ARE CURRENTLY 7 NO. 4 ESS'S THAT PERFORM THE DUTY +OF ISC (INTERNATIONAL SWITCHING CENTERS). ALL INTERNATIONAL CALLS DIALED FROM +NUMBERING ZONE 1 WILL BE ROUTED THROUGH ONE OF THESE "GATEWAY CITIES." THEY +ARE: + +182 - WHITE PLAINS, NY +183 - NEW YORK, NY +184 - PITTSBURGH, PA +185 - ORLANDO, FL +186 - OAKLAND, CA +187 - DENVER, CO +188 - NEW YORK, NY + + THE 18X SERIES ARE OPERATOR ROUTING CODES FOR OVERSEAS ACCESS (TO BE +FURTHER DISCUSSED WITH BLUE BOXES). ALL INTERNATIONAL CALLS USE A SIGNALING +SYSTEM CALLED CCITT. IT IS AN INTERNATIONAL STANDARD FOR SIGNALING. + +COMING SOON: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN PART IV, WE WILL DISCUSS SWITCHING EQUIPMENT, VARIOUS OPERATORS, CO +TYPES, ETC. + +PHREAKING LIVES IN '84, + +*****BIOC +*=$=*AGENT +*****003 + +<<=-FARGO 4A-=>> +23-FEB-84 + +REFERENCES/ +ACKNOWLEDGEMENTS: NOTES ON THE NETWORK (AT&T), TAP (ROOM 603, 147W 42 ST, +NEW YORK, NY 10036),UNDERSTANDING TELEPHONE ELECTRONICS,AND MANY OTHERS/TUC, +MULCHER... + + + + + + + + + + + + + + + Page 105 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART IV * + * * + ************************************************************ + +PREFACE: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + PART IV WILL DEAL WITH THE VARIOUS TYPES OF OPERATORS, OFFICE HIERARCHY, & +SWITCHING EQUIPMENT. + + +OPERATORS: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THERE ARE MANY TYPES OF OPERATORS IN THE NETWORK AND THE MORE COMMON ONES +WILL BE DISCUSSED. + +TSPS OPERATOR: +____________________________________________________________ + + THE TSPS (TRAFFIC SERVICE POSITION SYSTEM) OPERATOR IS PROBABLY THE BITCH +(OR BASTARD FOR THE PHEMALE LIBERATIONISTS) THAT MOST OF US ARE USE TO HAVING +TO DEAL WITH. + +HERE ARE HER RESPONSIBILITIES: + +1) OBTAINING BILLING INFORMATION FOR CALLING CARD OR 3RD NUMBER CALLS. + +2) IDENTIFYING CALLED CUSTOMER ON PERSON-TO-PERSON CALLS. + +3) OBTAINING ACCEPTANCE OF CHARGES ON COLLECT CALLS. + +4) IDENTIFYING CALLING NUMBERS. THIS ONLY HAPPENS WHEN THE CALLING # IS NOT +AUTOMATICALLY RECORDED BY CAMA (CENTRALIZED AUTOMATIC MESSAGE ACCOUNTING) & +FORWARDED FROM THE LOCAL OFFICE. THIS COULD BE CAUSED BY EQUIPMENT FAILURES OR +IF THE OFFICE IS NOT EQUIPPED FOR CAMA (MOST ARE). + + + + YOU SHOULDN'T MESS WITH THE TSPS OPERATOR SINCE SHE KNOWS WHERE YOU ARE +CALLING FROM. SHE ALSO KNOWS WHETHER OR NOT YOU ARE AT A FORTRESS FONE & SHE +CAN TRACE CALLS QUITE READILY. OUT OF ALL THE OPERATORS, SHE IS ONE OF THE +MOST DANGEROUS. + +INWARD OPERATOR: +____________________________________________________________ + + THIS OPERATOR ASSISTS YOUR LOCAL TSPS ("0") OPERATOR IN CONNECTING CALLS. + + Page 106 + + + + + The Official Phreaker's Manual + +SHE WILL NEVER QUESTION A CALL AS LONG AS THE CALL IS WITHIN HER SERVICE AREA. +SHE CAN ONLY BE REACHED VIA OTHER OPERATORS OR BY A BLUE BOX. FROM A BB, YOU +WOULD DIAL KP+NPA+121+ST FOR THE INWARD OPERATOR THAT WILL HELP YOU CONNECT ANY +CALLS WITHIN THAT NPA AREA ONLY. (BLUE BOXING WILL BE DISCUSSED IN A FUTURE +PART OF BASIC TELCOM) + +DIRECTORY ASSISTANCE OPERATOR: +____________________________________________________________ + + THIS IS THE OPERATOR THAT YOU ARE CONNECTED TO WHEN YOU DIAL: 411 OR +NPA-555-1212. SHE DOES NOT READILY KNOW WHERE YOU ARE CALLING FROM. SHE DOES +NOT HAVE ACCESS TO UNLISTED #'S, BUT SHE DOES KNOW IF AN UNLISTED # EXISTS FOR +A CERTAIN LISTING. + + THERE IS ALSO A DIRECTORY ASSISTANCE FOR DEAF PEOPLE WHO USE +TELETYPEWRITERS IF YOU MODEM CAN TRANSFER BAUDOT (THE APPLE CAT CAN), THEN YOU +CAN CALL HER UP AND HAVE AN INTERESTING CONVERSATION WITH HER. THE # +IS:800/855-1155. SHE USES THE STANDARD TELEX ABBREVIATIONS SUCH AS GA FOR GO +AHEAD. THEY TEND TO BE NICER & WILL TALK LONGER THAN YOUR REGULAR OPERATORS. +ALSO, THEY ARE MORE VULNERABLE INTO BEING TALKED OUT OF INFORMATION THROUGH THE +PROCESS OF "SOCIAL ENGINEERING" AS CHESHIRE CATALYST WOULD PUT IT. + +OTHER OPERATORS HAVE ACCESS TO THEIR OWN DA BY DIALING KP+NPA+131+ST (MF). + + THIS IS A LITTLE OUT OF THE SCOPE OF THIS TUTORIAL, BUT MANY TELCO'S ARE +NOW CHARGING FOR CALLS TO DIR. ASST. YOU CAN BEAT THIS BY: + +(1) COUNT HOW MANY CALLS YOU MAKE TO DIRECTORY ASSISTANCE IN A BILLING PERIOD. +GO TO A FORTRESS FONE & DIAL DA. WHEN THE OPERATOR COMES ON, GIVE HER A NAME +THAT YOU KNOW HAS AN UNLISTED # OR ASK FOR A TOWN THAT ISN'T IN THE NPA. SHE +WILL THEN ASK FOR YOUR # SO SHE CAN CREDIT THE CALL TO YOU. GIVE HER YOUR HOME +#, SHE DOESN'T KNOW THAT YOU ARE MAKING A FREE CALL FROM THE FORTRESS. JUST +MAKE SURE THAT YOU DON'T CREDIT YOURSELF FOR MORE CALLS THAN YOU ACTUALLY MADE +OR YOU MIGHT HAVE A FEW PROBLEMS! + +(2) IF YOU HAVE A BAUDOT TERMINAL, USE THE 800 #, IT'S FREE & THERE IS ONE # +FOR ALL REQUESTS. + +C/NA OPERATORS: +____________________________________________________________ + + C/NA OPERATORS ARE OPERATORS THAT DO EXACTLY THE OPPOSITE OF WHAT DIRECTORY +ASSISTANCE OPERATORS ARE FOR. SEE PART II, FOR MORE INFO ON C/NA & #'S. IN MY +EXPERIENCES, THESE OPERATORS KNOW MORE THAN THE DA OP'S DO & THEY ARE MORE +SUSCEPTIBLE TO "SOCIAL ENGINEERING." IT IS POSSIBLE TO BULLSHIT A C/NA +OPERATOR FOR THE NON-PUB DA # (IE, YOU GIVE THEM THE NAME & THEY GIVE YOU THE +UNLISTED #). THIS IS DUE TO THE FACT THAT THEY ASSUME YOUR ARE A PHELLOW +COMPANY EMPLOYEE. + +INTERCEPT OPERATOR: +____________________________________________________________ + + THE INTERCEPT OPERATOR IS THE ONE THAT YOU ARE CONNECTED TO WHEN THERE ARE +NOT ENOUGH RECORDINGS AVAILABLE TO TELL YOU THAT THE # HAS BEEN DISCONNECTED OR +CHANGED. SHE USUALLY SAYS, "WHAT # YOU CALLIN' ? " WITH A FOREIGN ACCENT. +THIS IS THE LOWEST OPERATOR LIFEFORM. EVEN THOUGH THEY DON'T KNOW WHERE YOU +ARE CALLING FROM, IT IS A WASTE OF YOUR TIME TO TRY TO VERBALLY ABUSE THEM +SINCE THEY USUALLY UNDERSTAND VERY LITTLE ENGLISH. + + Page 107 + + + + + The Official Phreaker's Manual + + +OTHER OPERATORS: +____________________________________________________________ + +AND THEN THERE ARE THE: +MOBILE +SHIP-TO-SHORE +CONFERENCE +MARINE VERIFY, "LEAVE WORD & CALL BACK," +ROUT & RATE (KP+NPA+141+ST) & OTHER SPECIAL OPERATORS WHO HAVE ONE PURPOSE OR +ANOTHER IN THE NETWORK. + + PROBLEMS WITH AN OPERATOR? ASK TO SPEAK TO THEIR SUPERVISOR... WHICH IS +THE EQUIVALENT OF THE MADAME IN A WHOREHOUSE (IF YOU WILL EXCUSE THE ANALOGY). + + BY THE WAY, SOME CO'S THAT WILL ALLOW YOU TO DIAL A 1 OR 0 AS THE 4TH +DIGIT, WILL ALSO ALLOW YOU TO CALL SPECIAL OPERATORS WITHOUT A BLUE BOX. THIS +IS VERY RARE THOUGH! FOR EXAMPLE, 212-121-1111 WILL GET YOU A NY INWARD +OPERATOR. + +OFFICE HIERARCHY +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + EVERY SWITCHING OFFICE OFFICE IN NORTH AMERICA (THE NPA SYSTEM), IS +ASSIGNED AN OFFICE NAME & CLASS. THERE ARE FIVE CLASSES OF OFFICES NUMBERED 1 +THROUGH 5. YOUR CO IS MOST LIKELY A CLASS 5 OR END OFFICE. ALL LONG-DISTANCE +(TOLL) CALLS ARE SWITCHED BY A TOLL OFFICE WHICH CAN BE A CLASS 4, 3, 2, OR 1 +OFFICE. THERE IS ALSO A 4X OFFICE CALLED AN INTERMEDIATE POINT. THE 4X OFFICE +IS A DIGITAL ONE THAT CAN HAVE AN UNATTENDED EXCHANGE ATTACHED TO IT (KNOWN AS +A REMOTE SWITCHING UNIT-RSU). + + THE FOLLOWING CHART WILL LIST THE OFFICE #, NAME, & HOW MANY OF THOSE +OFFICES EXISTED IN NORTH AMERICA IN 1981. + +CLASS NAME ABB # EXISTING +----- ---------------- --- ------------ +1 REGIONAL CENTER RC 12 +2 SECTIONAL CENTER SC 67 +3 PRIMARY CENTER PC 230 +4 TOLL CENTER TC 1,30 +4P TOLL POINT TP ? +4X INTERMEDIATE PT IP ? +5 END OFFICE EO 19,000 +R RSU RSU ? + + WHEN CONNECTING A CALL FROM ONE PARTY TO ANOTHER, THE SWITCHING EQUIPMENT +USUALLY TRIES TO FIND THE SHORTEST ROUTE BETWEEN THE CLASS 5 END OFFICE OF THE +CALLER & THE CLASS 5 END OFFICE OF THE CALLED PARTY. IF NO INTER-OFFICE TRUNKS +EXIST BETWEEN THE 2 PARTIES, IT WILL THEN MOVE UPTO THE NEXT HIGHEST OFFICE FOR +SERVICING (CLASS 4). IF THE CLASS 4 OFFICE CANNOT HANDLE THE CALL BY SENDING +IT TO ANOTHER CLASS 4 OR 5 OFFICE, IT WILL BE SENT TO THE NEXT OFFICE IN THE +HIERARCHY (3). THE SWITCHING EQUIPMENT FIRST USES THE HIGH-USAGE INTEROFFICE +TRUNK GROUPS, IF THEY ARE BUSY IT THEN GOES TO THE FINAL TRUNK GROUPS ON THE +NEXT HIGHEST LEVEL. IF THE CALL CANNOT BE CONNECTED THEN, YOU WILL PROBABLY GET +A RE-ORDER (120IPM BUSY SIGNAL) SIGNAL. AT THIS TIME, THE GUYS AT NETWORK +OPERATIONS ARE PROBABLY SHITTING IN THEIR PANTS AND TRYING TO AVOID THE DREADED +NETWORK DREADLOCK (AS SEEN ON TV!). + + + Page 108 + + + + + The Official Phreaker's Manual + + IT IS ALSO INTERESTING TO NOTE THAT 9 CONNECTIONS IN TANDEM IS CALLED +RING-AROUND-THE ROSY AND IT HAS NEVER OCCURRED IN TELEPHONE HISTORY. THIS +WOULD CASE AN ENDLESS LOOP CONNECTION. [ A NEAT WAY TO REALLY SCREW-UP THE +NETWORK]. + + THE 10 REGIONAL CENTERS IN THE US & THE 2 IN CANADA ARE ALL INTERCONNECTED. +THEY FORM THE FOUNDATION OF THE ENTIRE TELEPHONE NETWORK. SINCE THERE ARE ONLY +12 OF THEM, THEY ARE LISTED BELOW: + +CLASS 1 REGIONAL OFFICE LOCATION NPA +---------------------------------- --- +DALLAS 4 ESS 214 +WAYNE, PA 215 +DENVER 4T 303 +REGINA NO.2 SP1-4W [CANADA] 306 +ST. LOUIS 4T 314 +ROCKDALE, GA 404 +PITTSBURGH 4E 412 +MONTREAL NO.1 4AETS [CANADA] 504 +NORWICH, NY 607 +SAN BERNARDINO, CA 714 +NORWAY, IL 815 +WHITE PLAINS 4T, NY 914 + + THE FOLLOWING DIAGRAM DEMONSTRATES HOW THE VARIOUS OFFICES MAY BE +CONNECTED: + + _________________________ + _|_ _|_ _|_ REGIONAL + | | | | | | OFFICES + | 1 | <=--=> | 1 | <=--=> | 1 | <<==------ + |___| |___| |___| + | OTHERS\/ + _________________|_______________________| + _|_ _|_ _|_ _|__ _|_ +| | | | | | | | | | +| 2 | | 3 | | 4 | | 4P | | 5 | +|___| |___| |___| |____| |___| + | | | | + |____ | _|__ | + _|_ _|_ | __|_ _|_ \ +| || || | || | |_____ +| 3 || 4 || | 4X || 5 | _|__ _|_ +|___||___|| |____||___|| || | + | | | 4X || 5 | + __|_ | |____||___| + | ||_____________ + | 5R | _______|_________ + |____| | | | + _|_ _|_ _|_ __|_ + | | | | | | | | + | R | | 4 | | 5 | | 5R | + |___| |___| |___| |____| + +NOTE: THE PRECEDING DIAGRAM USED SPECIAL SYMBOLS FROM AN APPLE //E THAT MAY NOT +BE VIEWED AS I INTENDED THEM IF YOU ARE NOT USING AN APPLE//E OR //C. + +SWITCHING EQUIPMENT + + Page 109 + + + + + The Official Phreaker's Manual + +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN THE NETWORK, THERE ARE 3 MAJOR TYPES OF SWITCHING EQUIPMENT. THEY ARE +KNOWN AS: STEP, CROSSBAR, & ESS. + + +STEP-BY-STEP (SXS) +____________________________________________________________ + + THE STEP-BY-STEP, A/K/A THE STROWGER SWITCH OR TWO-MOTION SWITCH, WAS +INVENTED IN 1889 BY AN UNDERTAKER NAMED ALMON STROWGER. HE INVENTED THIS +MECHANICAL SWITCHING EQUIPMENT BECAUSE HE FELT THAT THE BIASED OPERATOR WAS +ROUTING ALL REQUESTS FOR AN 'UNDERTAKER' TO HER HUSBAND'S BUSINESS. BELL +STARTED USING THIS SYSTEM IN 1918 AS OF 1978, OVER 53% OF THE BELL EXCHANGES +USED THIS METHOD OF SWITCHING. + + STEP-BY-STEP SWITCHING IS CONTROLLED DIRECTLY BY THE DIAL PULSES WHICH MOVE +A SERIES OF SWITCHES (CALLED THE SWITCH TRAIN) IN ORDER. WHEN YOU FIRST PICK UP +THE FONE UNDER SXS, A LINEFINDER ACKNOWLEDGES THE REQUEST (SOONER OR LATER) BY +SENDING A DIAL TONE. IF YOU THEN DIALED 1234, THE EQUIPMENT WOULD FIRST FIND +AN IDLE SELECTOR SWITCH. IT WOULD THEN MOVE VERTICALLY 1 PULSE, IT WOULD THEN +MOVE HORIZONTALLY TO FIND A FREE SECOND SELECTOR, IT WOULD THEN MOVE 2 VERTICAL +PULSES, STEP HORIZONTALLY TO FIND THE NEXT SELECTOR, ETC. THUS THE FIRST +SWITCH IN THE TRAIN TAKES NO DIGITS, THE SECOND SWITCH TAKES 1 DIGIT, THE THIRD +SWITCH TAKES 1 DIGIT, & THE LAST SWITCH IN THE TRAIN (CALLED THE CONNECTOR) +TAKES THE LAST 2 DIGITS & CONNECTS YOUR CALLS. A NORMAL (10,000 LINE) EXCHANGE +REQUIRES 4 DIGITS (0000-9999) TO CONNECT A LOCAL CALL & THUS IT TAKES 4 +SWITCHES TO CONNECT EVERY CALL (LINEFINDER, 1ST & 2ND SELECTORS, & THE +CONNECTOR) . + + WHILE IT WAS THE FIRST, SXS SUCKS FOR THE FOLLOWING REASONS: + +[1] THE SWITCHED OFTEN BECOME JAMMED THUS THE CALLS OFTEN BECOME BLOCKED. + +[2] YOU CAN'T USE DTMF (DUAL-TONE MULTI-FREQUENCY A/K/A TOUCH-TONE) DIRECTLY. +IT IS POSSIBLE THAT THE TELCO MAY HAVE INSTALLED A CONVERSION KIT BUT THEN THE +CALLS WILL GO THROUGH JUST AS SLOW AS PULSE, ANYWAY! + +[3] THEY USE A LOT OF ELECTRICITY & MECHANICAL MAINTENANCE. (BAD FROM TELCO +POINT OF VIEW) + +[4] EVERYTHING IS HARDWIRED. + + THEY CAN STILL HOOK UP PEN REGISTERS & OTHER SHIT ON THE LINE SO IT IS NOT +EXACTLY A PHREAK HAVEN. + +YOU CAN IDENTIFY SXS OFFICES BY: + +(1) LACK OF DTMF OR PULSING DIGITS AFTER DIALING DTMF. + +(2) IF YOU GO NEAR THE CO, IT WILL SOUND LIKE A TYPEWRITER TESTING FACTORY. + +(3) LACK OF SPEED CALLING, CALL FORWARDING, & OTHER CUSTOMER SERVICES. + +(4) FORTRESS FONES THAT WANT YOUR MONEY FIRST (AS OPPOSED TO DIAL TONE FIRST +ONES). + + THE PRECEDING DON'T NECESSARILY IMPLY THAT YOU HAVE SXS BUT THEY SURELY + + Page 110 + + + + + The Official Phreaker's Manual + +GIVE EVIDENCE THAT IT MIGHT BE. ALSO, IF ANY OF THE ABOVE CHARACTERISTICS +EXIST, IT CERTAINLY ISN'T ESS! ALSO, SXS HAVE PRETTY MUCH BEEN ERADICATED FROM +LARGE METROPOLITAN AREAS SUCH AS NYC (212). + +CROSSBAR: +____________________________________________________________ + + THERE ARE 3 MAJOR TYPES OF CROSSBAR SYSTEMS CALLED: NO. 1 CROSSBAR (1XB), +NO. 4 CROSSBAR (4XB), & NO. 5 CROSSBAR (5XB). 5XB HAS BEEN THE PRIMARY END +OFFICE SWITCH OF BELL SINCE THE 60'S AND THUS IT IS IN WIDE-USE. + + CROSSBAR USES A COMMON CONTROL SWITCHING METHOD. WHEN THERE IS AN INCOMING +CALL, A STORED PROGRAM DETERMINES ITS ROUTE THROUGH THE SWITCHING MATRIX. + + IN CROSSBAR, THE BASIC OPERATION PRINCIPLE IS THAT A HORIZONTAL & A +VERTICAL LINE ARE ENERGIZED IN A MATRIX KNOWN AS THE CROSSPOINT MATRIX. THE +POINT WHERE THESE 2 LINES MEET IN THE MATRIX IS THE CONNECTION. + + +ESS +____________________________________________________________ + +ELECTRONIC SWITCHING SYSTEM (ESS) THE PHREAK'S NIGHTMARE COME TRUE (OR ORWELL'S +PROPHECY AS 2600 PUTS IT) + + ESS IS BELL'S MOVE TOWARDS THE AIRSTRIP ONE SOCIETY DEPICTED IN ORWELL'S +1984. WITH ESS, EVERY SINGLE DIGIT THAT YOU DIAL IS RECORDED--EVEN IF IT IS A +MISTAKE. THEY KNOW WHO YOU CALL, WHEN YOU CALL, HOW LONG YOU TALKED FOR, & +PROBABLY WHAT YOU TALKED ABOUT (IN SOME CASES). ESS CAN (AND IS) ALSO +PROGRAMMED TO PRINT OUT #'S OF PEOPLE WHO MAKE EXCESSIVE CALLS TO 800 #'S OR +DIRECTORY ASSISTANCE. THIS IS CALLED THE "800 EXCEPTIONAL CALLING REPORT." ESS +COULD ALSO BE PROGRAMMED TO PRINT OUT LOGS OF WHO CALLS CERTAIN #'S--LIKE A +BOOKIE, A KNOWN COMMUNIST, A BBS, ETC THE THING TO REMEMBER WITH ESS IS THAT IT +IS A SERIES OF PROGRAMS WORKING TOGETHER. THESE PROGRAMS CAN BE VERY EASILY +CHANGED TO DO WHATEVER THEY WANT IT TO DO. ONE PHREAK WHOM I KNOW HAS SOME ESS +SOURCE CODE LISTING WHICH IS INCREDIBLY COMPLEX (AS WELL AS DOCUMENTED--GRACIAS +DIOS). THIS SYSTEM MAKES THE JOB OF BELL SECURITY, THE FBI, NSA, & OTHER +ORGANIZATIONS THAT LIKE TO INVADE PRIVACY INCREDIBLY EASY. + + WITH ESS, TRACING IS DONE IN MICROSECONDS (EINE AUGENBLICK) & THE RESULTS +ARE PRINTED AT THE CONSOLE OF A BELL GESTAPO OFFICER. ESS WILL ALSO PICK UP +ANY "FOREIGN" TONES ON THE LINE SUCH AS 2600 HZ! + + BELL PREDICTS THAT THE COUNTRY WILL BECOME TOTALLY ESS BY THE 1990'S. + + YOU CAN IDENTIFY ESS BY THE FOLLOWING WHICH ARE USUALLY ESS FUNCTIONS: + +[1] DIALING 911 FOR HELP. +[2] DIAL-TONE-FIRST FORTRESSES. +[3] CUSTOM CALLING SERVICES SUCH AS:CALL FORWARDING, SPEED DIALING, & CALL +WAITING. (ASK YOUR BUSINESS OFFICE IF YOU CAN GET THESE.) +[4] ANI (AUTOMATIC NUMBER IDENTIFICATION) ON LD CALLS. + + PHREAKING DOES NOT COME TO A COMPLETE HALT UNDER ESS THOUGH--JUST BE VERY +CAREFUL, THOUGH!!! + + DUE TO THE FACT THAT ESS SENDS A COMPUTER GENERATED "ARTIFICIAL RING," +WHERE THE VOICE IS NOT CONNECTED DIRECTLY TO THE CALLED PARTIES LINE UNTIL HE + + Page 111 + + + + + The Official Phreaker's Manual + +PICKS UP, BLACK BOXES & INFINITY TRANSMITTERS WILL NOT WORK! + +NOTE: ANOTHER INTERESTING WAY TO FIND OUT WHAT TYPE OF EQUIPMENT YOU ARE ON IS +TO RAID THE TRASH CAN OF YOU LOCAL CO--THIS ART WILL DISCUSSED IN A SEPARATE +ARTICLE SOON. + +COMING SOON: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +IN THE PART V, WE WILL START TO TAKE A LOOK AT TELEPHONE ELECTRONICS. + +FURTHER READING: + +FOR MORE INFORMATION ON THE ABOVE TOPICS, I SUGGEST THE FOLLOWING: + +NOTES ON THE NETWORK, AT&T, 1980. + +UNDERSTANDING TELEPHONE ELECTRONICS,TEXAS INSTRUMENTS, 1983. + +AND SUBSCRIPTIONS TO: + +TAP, ROOM 603, 147 W 42 ST, NEW YORK, NY 10036. SUBSCRIPTIONS ARE +$10/YEAR.#BACK ISSUES ARE $0.75. THE CURRENT ISSUES IS #90 (JAN/FEB 1984) + +2600, BOX 752, MIDDLE ISLAND, NY 11953. SUBSCRIPTIONS ARE $10/YEAR. BACKISSUES +ARE $1 EACH. THE CURRENT ISSUE IS #4 (APRIL 1984). + +THEY ARE BOTH EXCELLENT SOURCES OF ALL SORTS OF INFORMATION (PRIMARILY +PHREAKING/HACKING). + +NOTE: FOR THE MOST PART, I HAVE ASSUMED THAT YOU HAVE READ MY PREVIOUS 3 +COURSES IN THE BASIC TELCOM SERIES. + +HASTA LUEGO, + +*****BIOC +*=$=*AGENT +*****003 + +APRIL 13, 1984 [THE YEAR OF BIG BROTHER] + +<<=-FARGO 4A-=>> + + + + + + + + + + + + + + + + + + Page 112 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART V * + * * + ************************************************************ + + +PREFACE: + + PREVIOUS INSTALLMENTS OF THIS SERIES WERE FOCUSED ON TELEPHONY FROM A +NETWORK POINT-OF-VIEW. PART V WILL DEAL WITH TELEPHONE ELECTRONICS FOCUSING +PRIMARILY ON THE SUBSCRIBER'S TELEPHONE. HERE-IN-AFTER SIMPLY REFERRED TO AS +"FONE." + +WIRING: +____________________________________________________________ + + ASSUMING A STANDARD ONE-LINE FONE, THERE ARE USUALLY 4 WIRES THAT LEAD OUT +OF THE FONE SET. THESE ARE STANDARDLY COLORED RED, GREEN, YELLOW, & BLACK. +THE RED & GREEN SIRES ARE THE TWO THAT ARE ACTUALLY HOOKED UP TO YOUR CO. THE +YELLOW WIRE IS SOMETIMES USED TO RING DIFFERENT FONES ON A PARTY LINE (IE, ONE +#, SEVERAL FAMILIES--FOUND PRIMARILY IN RURAL AREAS WHERE THEY PAY LESS FOR THE +SERVICE AND THEY DON'T USE THE FONE AS MUCH); OTHERWISE, THE YELLOW IS USUALLY +JUST IGNORED. ON SOME TWO-LINE FONES, THE RED & GREEN WIRES ARE USED FOR THE +FIRST FONE # AND THE YELLOW & BLACK ARE USED FOR THE SECOND LINE. IN THIS CASE +THERE MUST BE AN INTERNAL OR EXTERNAL DEVICE THAT SWITCHES BETWEEN THE TWO +LINES AND PROVIDES A HOLD FUNCTION. (SUCH AS RADIO SHACK'S OUTRAGEOUSLY PRICED +2 LINE & HOLD MODULE-9. + + IN TELEPHONY, THE RED & GREEN WIRES ARE OFTEN REFERRED TO AS TIP (T) & RING +(R). THE TIP IS USUALLY THE MORE POSITIVE OF THE TWO WIRES. THIS NAMING GOES +BACK TO THE OLD OPERATOR CORD BOARDS WHERE ONE OF THE WIRES WAS THE TIP OF THE +PLUG AND THE OTHER WAS THE RING (OF THE BARREL). + A ROTARY FONE (AKA DIAL OR PULSE) WILL WORK FINE REGARDLESS WHETHER THE RED +(OR GREEN) WIRE IS CONNECTED THE TIP(+) OR RING(-). A TOUCH-TONE (TM) FONE IS +A DIFFERENT STORY, THOUGH. IT WILL NOT WORK EXCEPT IF THE TIP(+) IS THE GREEN +WIRE. [ALTHOUGH, SOME OF THE MORE EXPENSIVE DTMF FONES DO HAVE A RECTIFIER +BRIDGE WHICH COMPENSATES FOR POLARITY REVERSAL.] THIS I WHY UNDER CERTAIN +(NON-DIGITAL) SWITCHING EQUIPMENT YOU CAN REVERSE THE RED & GREEN WIRES ON A +TOUCH-TONE FONE AND RECEIVE FREE DTMF SERVICE. EVEN THOUGH IT WON'T BREAK DIAL +TONE, REVERSING THE WIRES ON A ROTARY LINE ON A DIGITAL SWITCH WILL CAUSE THE +TONES TO BE GENERATED. + +VOLTAGES, ETC. +____________________________________________________________ + + WHEN YOUR TELEPHONE IS ON-HOOK (IE, HUNG UP) THERE IS APPROXIMATELY 48 +VOLTS OF DC CURRENT (VDC) FLOWING THROUGH THE TIP & RING. WHEN THE HANDSET OF +A FONE IS LIFTED A FEW SWITCHES CLOSE WHICH CAUSE A LOOP TO BE CONNECTED (KNOWN +AS THE "LOCAL LOOP") BETWEEN YOUR FONE & THE CO. ONCE THIS HAPPENS DC CURRENT +IS ABLE TO FLOW THROUGH THE FONE WITH LESS RESISTANCE. THIS CAUSES A RELAY TO +ENERGIZE WHICH CAUSES OTHER CO EQUIPMENT TO REALIZE THAT YOU WANT SERVICE. +EVENTUALLY, YOU SHOULD END UP WITH A DIAL TONE. THIS ALSO CAUSES THE 48 VDC TO +DROP DOWN INTO THE VICINITY OF 13 VOLTS. THE RESISTANCE OF THE LOOP ALSO DROPS +BELOW THE 2500 OHM LEVEL. + + Page 113 + + + + + The Official Phreaker's Manual + + + AS OF NOW, YOU ARE PROBABLY SAYING TO YOURSELF THAT THIS IS ALL NICE AND +TECHNICAL BUT WHAT THE HELL GOOD IS THE INFORMATION. WELL, ALSO CONSIDER THAT +THIS VOLTAGE (& RESISTANCE) DROP IS HOW THE CO DETECTS THAT A FONE WAS TAKEN +OFF HOOK (PICKED UP). IN THIS WAY, THEY KNOW WHEN TO START BILLING THE CALLING +NUMBER. NOW WHAT DO YOU SUPPOSE WOULD HAPPEN IF A DEVICE SUCH AS A RESISTOR OR +A ZENER DIODE WAS PLACED ON THE CALLED PARTIES LINE SO THAT THE VOLTAGE WOULD +DROP JUST ENOUGH TO ALLOW TALKING BUT NOT ENOUGH TO START BILLING? FIRST OFF, +THE CALLING PARTY WOULD NOT BE BILLED FOR THE CALL BUT CONVERSATION COULD BE +PURSUED. SECONDLY, THE CO EQUIPMENT WOULD THINK THAT THE FONE JUST KEPT ON +RINGING. THE TELCO CALLS THIS A "NO-NO" (TOLL FRAUD TO BE MORE SPECIFIC) WHILE +PHONE PHREAKS AFFECTIONATELY CALL THIS MUTE A BLACK BOX. + + THE FOLLOWING ARE INSTRUCTIONS ON HOW TO BUILD A SIMPLE BLACK BOX. OF +COURSE, ANYTHING THAT PREVENTS THE VOLTAGE FROM DROPPING WOULD WORK. +YOU ONE OR TWO PARTS: A SPST TOGGLE SWITCH AND A 10,000 OHM (10 K), 1/2 +WATT RESISTOR. ANY ELECTRONICS STORE SHOULD STOCK THESE PARTS. + + NOW, CUT 2 PIECES OF WIRE (ABOUT 6 INCHES LONG) AND ATTACH ONE END OF EACH +WIRE TO ONE OF THE TERMINALS ON THE SWITCH. NOW TURN YOUR K500 (STANDARD DESK +FONE) UPSIDE DOWN AND TAKE OFF THE COVER. LOCATE THE 2 SCREWS ON THE NETWORK +BOX LABELED >F< AND >RR<. WRAP THE RESISTOR BETWEEN THE 2 SCREWS MAKING SURE +THAT IT DOESN'T TOUCH ANY OTHER TERMINALS!. NOW CONNECT ONE WIRE FROM THE +SWITCH TO THE RR TERMINAL. FINALLY, ATTACH THE REMAINING WIRE TO THE GREEN WIRE +(DISCONNECT IT FROM ITS TERMINAL). NOW BRING THE SWITCH OUT THE REAR OF THE +FONE AND REPLACE THE COVER. + + PUT THE SWITCH IN A POSITION WHERE YOU RECEIVE A DIAL TONE. MARK THIS +POSITION NORMAL. MARK THE OTHER SIDE FREE. + + WHEN YOUR PHRIENDS CALL (AT A PREARRANGED TIME), QUICKLY LIFT & DROP THE +RECEIVER AS FAST A POSSIBLE. THIS WILL STOP THE RINGING (DO IT AGAIN IF IT +DOESN'T) WITH OUT STARTING THE BILLING. IT IS IMPORTANT THAT YOU DO IT QUICKLY +(LESS THAN ONE SECOND THEN PUT THE SWITCH IN THE FREE POSITION AND PICK UP THE +FONE. KEEP ALL CALL SHORT AND PREFERABLY UNDER 15 MINUTES. + +NOTE: IF ANYONE PICKS UP AN EXTENSION IN THE CALLED PARTIES HOUSE AND THAT +FONE IS NOT SET FOR FREE THEN BILLING WILL START. + +NOTE: AN OLD WAY OF SIGNALING A PHRIEND THAT YOU ARE ABOUT TO CALL IS +MAKING A COLLECT CALL TO A NON-EXISTENT PERSON IN THE HOUSE. SINCE YOUR FRIEND +WILL NOT ACCEPT THE CHARGES, HE WILL KNOW THAT YOU ARE ABOUT TO CALL AND THUS +PREPARE THE BLACK BOX (OR VISA VERSA). + +WARNING: THE TELCO CAN DETECT BLACK BOXES IF THEY SUSPECT ONE ON YOUR LINE. +THIS IS DONE DUE TO THE PRESENCE OF AC VOICE SIGNAL AT THE WRONG DC LEVEL! + +PICTORIAL DIAGRAM: (STANDARD ROTARY K500 FONE) +____________________________________________________________ + + _____________________________________ +| | +***BLUE WIRE**>>F< | +| * * | +**WHITE WIRE** * | +| * | +| RESISTOR | +| * | + + Page 114 + + + + + The Official Phreaker's Manual + +| * | +| >RR<*******SWITCH**** | +| * | +****GREEN WIRE********************** | +| | +|_____________________________________| + +NOTE: THE BLACK BOX WILL NOT WORK UNDER ESS OR OTHER SIMILAR DIGITAL +SWITCHES SINCE ESS DOES NOT CONNECT THE VOICE CIRCUITS UNTIL THE FONE IS PICKED +UP (& BILLING STARTS). INSTEAD, ESS USES AN "ARTIFICIAL" COMPUTER GENERATED +RING. + +RINGING: +____________________________________________________________ + + TO INFORM A SUBSCRIBER OF AN INCOMING CALL, THE TELCO SENDS 90 VOLTS (RMS) +OF AC CURRENT DOWN THE LINE (AT AROUND 15 TO 60 HZ) IN STANDARD FONES, THIS +CAUSES A METAL ARMATURE TO BE ATTRACTED ALTERNATELY BETWEEN TWO ELECTRO-MAGNETS +THUS STRIKING 2 BELLS. OF COURSE, THE STANDARD BELL (PATENTED IN 1878 BY TOM +A. WATSON) CAN BE REPLACED BY A MORE MODERN ELECTRONIC BELL OR SIGNALING +DEVICE. + + ALSO, YOU CAN HAVE LIGHTS AND OTHER SIMILAR DEVICES IN LIEU OF (OR IN +CONJUNCTION WITH) THE BELL. A SIMPLE NEON LIGHT (WITH ITS CORRESPONDING +RESISTOR) CAN SIMPLY BE CONNECTED BETWEEN THE RED & GREEN WIRES (USUALLY L1 & +L2 ON THE NETWORK BOX) SO THAT IT LIGHTS UP ON INCOMING CALLS. A REGULAR 60 +WATT LIGHT BULB CAN ALSO BE HOOKED UP USING A SIMPLE (120 VAC) RELAY. + +WARNING: 90 & 120 VAC CAN GIVE QUITE A SHOCK. EXERCISE EXTREME CAUTION IF +YOU WISH TO FURTHER PURSUE THESE TOPICS. + + ALSO INCLUDED IN THE RINGING CIRCUIT IS A CAPACITOR TO PREVENT THE DC +CURRENT FROM INTERFERING WITH THE BELL [A CAPACITOR WILL PASS AC CURRENT WHILE +IT WILL PREVENT DC CURRENT FROM FLOWING (BY STORING IT)]. + ANOTHER REASON THAT THE TELCO HATES BLACK BOXES IS BECAUSE RINGING USES +ALOT OF COMMON-CONTROL EQUIPMENT, IN THE CO, WHICH USE ALOT OF ELECTRICITY. +THUS THE RINGING GENERATORS ARE BEING TIED UP WHILE A FREE CALL IS BEING MADE. +USUALLY CALLS THAT ARE ALLOWED TO RING FOR A LONG PERIOD OF TIME MAY BE +CONSTRUED AS SUSPICIOUS. SOME OFFICES MAY BE SET UP TO DROP A TROUBLE CARD FOR +LONG PERIODS OF RINGING THEN A "NO-NO" DETECTION DEVICE MAY BE PLACED ON THE +LINE. + INCIDENTALLY, THE TERM "RING TRIP" REFERS TO THE CO PROCESS INVOLVED TO +STOP THE AC RINGING SIGNAL WHEN THE CALLING FONE GOES OFF HOOK. + +NOTE: IT IS SUGGESTED THAT YOU ACTUALLY DISSECT FONES TO HELP YOU BETTER +UNDERSTAND THEM. IT WILL ALSO HELP YOU TO BETTER UNDERSTAND THE CONCEPTS HERE +IF YOU ACTUALLY PROVE THEM TO YOURSELF. FOR EXAMPLE, ACTUALLY TAKE THE VOLTAGE +READINGS ON YOUR FONE LINE [ANY SIMPLE MULTI-TESTER (A MUST) WILL DO.] +PHREAKING IS AN INTERACTIVE PROCESS NOT A PASSIVE ONE! + +DIALING: +____________________________________________________________ + + ON A STANDARD FONE, THERE ARE TWO COMMON TYPES OF DIALING: PULSE & DTMF. +OF COURSE, SOME PEOPLE INSIST UPON BEING DIFFERENT AND DON'T USE THE DT THUS +LEAVING THEM WITH MF (MULTI FREQUENCY, AKA OPERATOR, BLUE BOX) TONES. THIS IS +ANOTHER "NO-NO" AND THE TELCO SECURITY GENTLEMEN HAVE A SPECIAL KNACK FOR +DEALING WITH SUCH "PHREAKS" ON THE NETWORK. + + Page 115 + + + + + The Official Phreaker's Manual + + WHEN YOU DIAL ROTARY, YOU ARE ACTUALLY RAPIDLY BREAKING & RECONNECTING +(MAKING) THE LOCAL LOOP ONCE FOR EVERY DIGIT DIALED. SINCE THE PHYSICAL +CONNECTION MUST BE BROKEN, YOU CANNOT DIAL IF ANOTHER EXTENSION (OF THAT #) IS +OFF-HOOK. NEITHER OF THE FONES WILL BE ABLE TO DIAL PULSE UNLESS THE OTHER +HANGS UP. + ANOTHER TERM OFTEN REFERRED TO IN TELEPHONE ELECTRONICS IS THE BREAK RATIO. +IN THE US, THERE ARE 10 PULSES PER SECOND (MAX). WHEN THE CIRCUIT IS OPENED IT +IS CALLED THE BREAK INTERVAL. WHEN IT IS CLOSED IT IS CALLED THE MAKE INTERVAL. +IN THE US, THERE IS A 60 MILLISECOND (MS) BREAK PERIOD AND A 40 MS MAKE PERIOD. +(60+40=100 MS = 1/10 MINUTE). THIS IS REFERRED TO AS A 60% BREAK INTERVAL. +SOME OF THE MORE SOPHISTICATED ELECTRONIC FONES CAN SWITCH BETWEEN A 60% & A +67% BREAK INTERVAL. THIS IS DUE TO THE FACT THAT MANY FOREIGN NATIONS USE A +67% BREAK INTERVAL. + HAVE YOU EVER BEEN IN AN OFFICE OR A SIMILAR FACILITY AND SAW A FONE +WAITING TO BE USED FOR A FREE CALL BUT SOME ASSHOLE PUT A LOCK ON IT TO PREVENT +OUTGOING CALLS? + WELL, DON'T FRET PHELLOW PHREAKS, YOU CAN SIMULATE PULSE DIALING BY RAPIDLY +DEPRESSING THE SWITCHOOK. (IF YOU DEPRESS IT FOR LONGER THAN A SECOND IT WILL +BE CONSTRUED AS A DISCONNECT.) BY RAPIDLY SWITCHOOKING YOU ARE CAUSING THE +LOCAL LOOP TO BE BROKEN & MADE SIMILAR TO ROTARY DIALING! THUS IF YOU CAN +MANAGE TO SWITCHOOK RAPIDLY 10 TIMES YOU CAN REACH AN OPERATOR TO PLACE ANY +CALL YOU WANT! THIS TAKES ALOT OF PRACTICE, THOUGH. YOU MIGHT WANT TO PRACTICE +ON YOUR OWN FONE DIALING A FRIEND'S # OR SOMETHING ELSE. INCIDENTALLY, THIS +METHOD WILL ALSO WORK WITH DTMF FONES SINCE ALL DTMF LINES CAN ALSO HANDLE +ROTARY. + ANOTHER PROBLEM WITH PULSE DIALING IS THAT IT PRODUCES HIGH-VOLTAGE SPIKES +THAT MAKE LOUD NOISES IN THE EARPIECE AND CAUSE THE BELL TO "TINKLE." IF YOU +NEVER NOTICED THIS THEN YOUR FONE HAS A SPECIAL "ANTI-TINKLE" & EARPIECE +SHORTING CIRCUIT (MOST DO). IF YOU HAVE EVER DISSECTED A ROTARY FONE (A MUST +FOR ANY SERIOUS PHREAK) YOU WOULD HAVE NOTICED THAT THERE ARE 2 SETS OF CONTACT +THAT OPEN AND CLOSE DURING PULSING (ON THE BACK OF THE ROTARY DIAL UNDER THE +PLASTIC COVER). ONE OF THESE ACTUALLY OPENS AND +CLOSES THE LOOP WHILE THE OTHER MUTES THE EARPIECE BY SHORTING IT OUT. THE +SECOND CONTACTS ALSO ACTIVATES A SPECIAL ANTI-TINKLE CIRCUIT THAT PUTS A 340 +OHM RESISTOR ACROSS THE RINGING CIRCUIT WHICH PREVENTS THE HIGH VOLTAGE SPIKES +FROM INTERFERING WITH THE BELL. + DUAL TONE MULTI FREQUENCY (DTMF) IS A MODERN DAY IMPROVEMENT ON PULSE +DIALING IN SEVERAL WAYS. FIRST OF ALL, IT IS MORE CONVENIENT FOR THE USER +SINCE IT IS FASTER AND CAN BE USED FOR SIGNALING AFTER THE CALL IS COMPLETED +(IE, SCC'S, COMPUTERS, ETC.). ALSO, IT IS MORE UPTO PAR WITH MODERN DAY +SWITCHING EQUIPMENT (SUCH AS ESS) SINCE PULSE DIALING WAS DESIGNED TO ACTUALLY +MOVE RELAYS BY THE NUMBER OF DIGITS DIALED (IN SXS OFFICES). + + EACH KEY ON A DTMF KEYPAD PRODUCES 2 FREQUENCIES SIMULTANEOUSLY (ONE FROM +THE HIGH GROUP AND ANOTHER FROM THE LOW GROUP). + + _______________________________________________ +LOW GROUP | | | | | + 697 HZ-| Q | ABC | DEF | | + | 1 | 2 | 3 | A | + |___________|___________|___________|___________| + | | | | | + 770 HZ-| GHI | JKL | MNO | | + | 1 | 2 | 3 | B | + |___________|___________|___________|___________| + | | | | | + 852 HZ-| PRS | TUV | WXY | | + | 1 | 2 | 3 | C | + + Page 116 + + + + + The Official Phreaker's Manual + + |___________|___________|___________|___________| + | | OPERATOR | | | + 941 HZ-| | Z | | | + | * | 0 | # | D | + |___________|___________|___________|___________| + | | | | + 1209 HZ 1336 HZ 1477 HZ 1633 HZ + HIGH GROUP + +A PORTABLE DTMF KEYPAD IS KNOWN AS A WHITE BOX. + + THE FOURTH COLUMN (1633 HZ) IS NOT NORMALLY FOUND ON REGULAR FONES BUT IT +DOES HAVE SEVERAL SPECIAL USES. FOR ONE, IT IS USED TO DESIGNATE THE PRIORITY +OF CALLS ON AUTOVON, THE MILITARY FONE NETWORK. THESE KEY ARE CALLED: FLASH, +IMMEDIATE, PRIORITY, & ROUTINE (WITH VARIATIONS) INSTEAD OF ABCD. SECONDLY, +THESE KEYS ARE USED FOR TESTING PURPOSES BY THE TELCO. IN SOME AREA YOU CAN +FIND LOOPS AS WELL AS OTHER NEAT TESTS (SEE PART II) ON THE 555-1212 DIRECTORY +ASSISTANCE EXCHANGE. FOR THIS, YOU WOULD CALL UP AN DA IN CERTAIN AREAS [THAT +HAVE AN AUTOMATIC CALL DISTRIBUTOR (ACD)] AND HOLD DOWN THE "D" KEY WHICH +SHOULD BLOW THE OPERATOR OFF. YOU WILL THEN HEAR A PULSING DIAL TONE WHICH +INDICATES THAT YOU ARE IN THE ACD INTERNAL TESTING MODE. YOU CAN GET ON ONE +SIDE OF A LOOP BY DIALING A 6. THE OTHER SIDE IS 7. SOME PHREAKS CLAIM THAT +IF THE PERSON ON SIDE 6 HANGS UP, OCCASIONALLY THE EQUIPMENT WILL SCREW UP AD +START DIRECTING DIRECTORY ASSISTANCE CALLS TO THE OTHER SIDE OF THE LOOP. +ANOTHER ALLEGED TEST IS CALLED REMOB WHICH ALLOWS YOU TO TAP INTO LINES BY +ENTERING A SPECIAL CODE FOLLOWED BY THE 7 DIGIT NUMBER YOU WANT TO MONITOR. +THEN THERE IS THE POSSIBILITY OF MASS CONFERENCING. + ACD'S ARE BECOME RARE THOUGH. YOU WILL PROBABLY HAVE TO MAKE SEVERAL +NPA-555- 1212 CALLS BEFORE YOU FIND ONE. + YOU CAN MODIFY REGULAR FONES QUITE READILY SO THAT THEY HAVE A SWITCH TO +CHANGE BETWEEN THE 3RD AND 4TH COLUMNS. THIS IS CALLED A SILVER BOX (AKA GREY +BOX) AD PLANS CAN BE FOUND IN TAP AS WELL AS ON MANY BBS'S. + +TRANSMITTER/RECEIVER: +____________________________________________________________ + + WHEN YOU TALK INTO THE TRANSMITTER, THE SOUND WAVES FROM YOUR VOICE CAUSE A +DIAPHRAGM TO VIBRATE AND PRESS AGAINST THE CARBON GRANULES (OR ANOTHER SIMILAR +SUBSTANCE). THIS CAUSES THE CARBON GRANULES TO COMPRESS AND CONTRACT THUS +CHANGING THE RESISTANCE OF THE DC CURRENT FLOWING THROUGH IT. THEREFORE, YOUR +AC VOICE SIGNAL IS SUPERIMPOSED OVER THE DC CURRENT OF THE LOCAL LOOP. THE +RECEIVER WORKS IN A SIMILAR FASHION WHERE THE SIMPLE TYPES UTILIZE A MAGNET, +ARMATURE, & DIAPHRAGM. + +HYBRID/INDUCTION COIL: +____________________________________________________________ + + AS YOU MAY HAVE NOTICED, THERE ARE TWO WIRES FOR THE RECEIVER AND TWO FOR +THE TRANSMITTER IN THE FONE, YET THE LOCAL LOOP CONSISTS OF 2 WIRES INSTEAD OF +4. THIS 4-WIRE TO 2-WIRE CONVERSION IS DONE INSIDE THE FONE BY A DEVICE KNOWN +AS AN INDUCTION COIL WHICH USES COUPLING TRANSFORMERS. + THE REASON 2 SIRES ARE USED ON THE LOCAL LOOPS ARE BECAUSE IT IS ALOT +CHEAPER FOR THE TELCO. ALTHOUGH, ALL OF THE INTER-OFFICE TRUNKS UTILIZE 4 +WIRES. THIS IS NECESSARY FOR FULL DUPLEX (IE, SIMULTANEOUS CONVERSATION ON +BOTH SIDES) AND FOR AMPLIFICATION DEVICES. THERE ARE SIMILAR DEVICES IN THE +CO'S, KNOWN AS A HYBRID, THAT COUPLE THE 4-WIRE TRUNKS TO THE 2-WIRE LOCAL +LOOPS AND VISA-VERSA. + + + Page 117 + + + + + The Official Phreaker's Manual + +MISCELLANEOUS: +____________________________________________________________ + + IN THE TELEPHONE, THERE IS ALSO A BALANCING NETWORK CONSISTING OF A FEW +CAPACITORS & RESISTORS WHICH PROVIDE SIDETONE. SIDETONE ALLOWS THE CALLER TO +HEAR HIS OWN VOLUME IN THE RECEIVER. HE CAN THEN ADJUST HIS VOICE ACCORDINGLY. +THIS PREVENTS PEOPLE FROM SHOUTING OR SPEAKING TOO SOFTLY WITHOUT NOTICING IT. + +HOLD: +____________________________________________________________ + + WHEN A TELEPHONE GOES OFF HOOK, THE RESISTANCE DROPS BELOW 2500 OHMS. AT +THIS POINT, THE TELCO WILL SEND A DIAL TONE. TO PUT SOMEONE ON HOLD YOU MUST +PUT A 1000 OHM RESISTOR (1 WATT) ACROSS THE TIP & RING BEFORE IT REACHES THE +SWITCHOOK. IN THIS WAY, WHEN THE FONE IS HUNG UP (FOR HOLD) THE RESISTANCE +REMAINS BELOW 2500 OHMS WHICH CAUSES THE CO TO BELIEVE THAT YOU ARE STILL +OFF-HOOK. YOU CAN BUILD A SIMPLE HOLD DEVICE USING THE FOLLOWING PICTORIAL +DIAGRAM: + +(RED) O_________________________ + [L1] | | | + | | | + 1000 OHM | \ + | | \ + RESISTOR RINGING | + | CIRCUIT | -SWITCH + | | | HOOK + / | | + / SPST SWITCH | \ + | | \ + | | | + | | | +(GREEN) O__|_____________|______| + [L2] +--> TO REST OF FONE + +CONCLUSION: +____________________________________________________________ + +NOTE: MANY OF THE ELECTRONICS COMPONENTS OF NORMAL FONES (K500) ARE +ENCLOSED IN THE NETWORK BOX (WHICH SHOULDN'T BE OPENED). + + I HAVE ASSUMED THAT THE READER HAS A BASIC KNOWLEDGE OF ELECTRONICS. ALSO, +I HAVE ASSUMED THAT YOU HAVE READ THE 4 PREVIOUS INSTALLMENTS OF THIS SERIES +(AND HOPEFULLY ENJOYED THEM). + + IN PART VI, WE WILL TAKE A LOOK AT FORTRESS FONES. + +SUGGESTED FURTHER READING: +____________________________________________________________ + +ELECTRONICS COURSES A-D, TAP, @ $.75 EACH. + +ELECTRONIC TELEPHONE PROJECTS, A.J. CARISTI, HOWARD SAMS BOOKS. + +EVERYTHING YOU ALWAYS WANTED TO KNOW ABOUT 1633 HZ TONES BUT WERE AFRAID TO +ASK, THE MAGICIAN, TAP, ISSUE #62. + + + Page 118 + + + + + The Official Phreaker's Manual + +FREE BELL PHONE CALLS, TAP, FACT SHEET #2, @ $.50. + +FREE GTE PHONE CALLS, TAP, FACT SHEET #3, @ $.50. + +HOW TO MODIFY YOUR BELL TOUCH TONE FONE TO HAVE 1633 CYCLE TONES, TAP, ISSUE +#63. + +MODIFYING YOUR PHONE FOR 1633 HZ (NEW ELECTRONIC KEYPADS), FRED STEINBECK, TAP, +ISSUE #84. + +NOTES ON THE NETWORK, AT&T. + +THE PHONE BOOK, J. EDGAR HYDE. + +REGULATING THE TELEPHONE COMPANY IN YOUR HOME, RAMAPART MAGAZINE, JUNE 1972. + +REMOBS, TAP #91 (NOT YET PUBLISHED AS OF THIS WRITING). + +UNDERSTANDING TELEPHONE ELECTRONICS, TEXAS INSTRUMENTS. + +& OTHER ASSORTED SOURCES... + +TAP: ROOM 603/147 W 42 ST./NEW YORK, NY 10036. PLEASE SPECIFY BY BACKISSUE +#'S (NOT ARTICLE NAMES). ALL BACK-ISSUES ARE $1 EACH. SUBSCRIPTIONS ARE +$10/YEAR (10 ISSUES). SAY THAT BIOC AGENT 003 SENT YOU. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 119 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART VI * + * * + ************************************************************ + +REVISED: 27-OCT-84 + +Preface: + + This article will focus primarily on the standard Western Electric +single-slot coin telephone (aka fortress fone) which can be divided into 3 +types: + +- Dial-Tone First (DTF) + +- Coin-First (CF): (ie, it wants your $ before you receive a dial tone) + +- Dial Post-Pay Service (PP): you pay after the party answers + +Depositing Coins (Slugs): +____________________________________________________________ + + Once you have deposited your slug into a fortress, it is subjected to a +gamut of tests. The first obstacle for a slug is the magnetic trap. This will +stop any light-weight magnetic slugs and coins. If it passes this, the slug is +then classified as a nickel, dime, or quarter. Each slug is then checked for +appropriate size and weight. If these tests are passed, it will then travel +through a nickel, dime, or quarter magnet as appropriate. These magnets set up +an eddy current effect which causes coins of the appropriate characteristics to +slow down so they will follow the correct trajectory. If all goes well, the +coin will follow the correct path (such as bouncing off of the nickel anvil) +where it will hopefully fall into the narrow accepted coin channel. + The rather elaborate tests that are performed as the coin travels down the +coin chute will stop most slugs and other undesirable coins, such as pennies, +which must then be retrieved using the coin release lever. + If the slug miraculously survives the gamut, it will then strike the +appropriate totalizer arm causing a ratchet wheel to rotate once for every +5-cent increment (eg, a quarter will cause it to rotate 5 times). + The totalizer then causes the coin signal oscillator to readout a +dual-frequency signal indicating the value deposited to ACTS (a computer) or +the TSPS operator. These are the same tones used by phreaks in the infamous red +boxes. + For a quarter, 5 beep tones are outpulsed at 12-17 pulses per second (PPS). +A dime causes 2 beep tones at 5 - 8.5 PPS while a nickel causes one beep tone +at 5 - 8.5 PPS. A beep consists of 2 tones: 2200 + 1700 Hz. + A relay in the fortress called the "B relay" (yes, there is also an 'A +relay') places a capacitor across the speech circuit during totalizer read-out +to prevent the "customer" from hearing the red box tones. + In older 3 slot phones: one bell (1050-1100 Hz) for a nickel, two bells +for a dime, and one gong (800 Hz) for a quarter are used instead of the modern +dual-frequency tones. + +TSPS & ACTS +____________________________________________________________ + + Page 120 + + + + + The Official Phreaker's Manual + + + While fortresses are connected to the CO of the area, all transactions are +handled via the Traffic Service Position System (TSPS). In areas that do not +have ACTS, all calls that require operator assistance, such as calling card and +collect, are automatically routed to a TSPS operator position. + In an effort to automate fortress service, a computer system known as +Automated Coin Toll Service (ACTS) has been implemented in many areas. ACTS +listens to the red box signals from the fones and takes appropriate action. It +is ACTS which says, "Two dollars please (pause) Please deposit two dollars for +the next ten seconds" (and other variations). Also, if you talk for more than +three minutes and then hang-up, ACTS will call back and demand your money. +ACTS is also responsible for Automated Calling Card Service. + ACTS also provide trouble diagnosis for craftspeople (repairmen +specializing in fortresses). For example, there is a coin test which is great +for tuning up red boxes. In many areas this test can be activated by dialing +09591230 at a fortress (thanks to Karl Marx for this information). Once +activated it will request that you deposit various coins. It will then identify +the coin and outpulse the appropriate red box signal. The coins are usually +returned when you hang up. + To make sure that there is actually money in the fone, the CO initiates a +"ground test" at various times to determine if a coin is actually in the fone. +This is why you must deposit at least a nickel in order to use a red box! + +Green Boxes: +____________________________________________________________ + + Paying the initial rate in order to use a red box (on certain fortresses) +left a sour taste in many red boxer's mouths thus the GREEN BOX was invented. +The green box generates useful tones such as COIN COLLECT, COIN RETURN, and +RINGBACK. These are the tones that ACTS or the TSPS operator would send to the +CO when appropriate. Unfortunately, the green box cannot be used at a fortress +station but it must be used by the CALLED party. + +Here are the tones: + +COIN COLLECT 700 + 1100 Hz +COIN RETURN 1100 + 1700 Hz +RINGBACK 700 + 1700 Hz + + Before the called party sends any of these tones, an operator released +signal should be sent to alert the MF detectors at the CO. This can be +accomplished by sending 900 + 1500 Hz or a single 2600 Hz wink (90 ms) followed +by a 60 ms gap and then the appropriate signal for at least 900 ms. + Also, do not forget that the initial rate is collected shortly before the 3 +minute period is up. + Incidentally, once the above MF tones for collecting and returning coins +reach the CO, they are converted into an appropriate DC pulse (-130 volts for +return & +130 volts for collect). This pulse is then sent down the tip to the +fortress. This causes the coin relay to either return or collect the coins. + The alleged "T-Network" takes advantage of this information. When a pulse +for COIN COLLECT (+130 VDC) is sent down the line, it must be grounded +somewhere. This is usually either the yellow or black wire. Thus, if the wires +are exposed, these wires can be cut to prevent the pulse from being grounded. +When the three minute initial period is almost up, make sure that the black & +yellow wires are severed; then hang up, wait about 15 seconds in case of a +second pulse, reconnect the wires, pick up the fone, hang up again, and if all +goes well it should be "JACKPOT" time. + + + Page 121 + + + + + The Official Phreaker's Manual + +Physical Attack: +____________________________________________________________ + + A typical fortress weighs roughly 50 lbs. with an empty coin box. Most of +this is accounted for in the armor plating. Why all the security? Well, Bell +contributes it to the following: + + "Social changes during the 1960's made the multislot coin station a +prime target for: vandalism, strong arm robbery, fraud, and theft of service. +This brought about the introduction of the more rugged single slot coin station +and a new environment for coin service." + +As for picking the lock, I will quote Mr. Phelps: + + "We often fantasize about 'picking the lock' or 'getting a master +key.' Well, you can forget about it. I don't like to discourage people, but it +will save you from wasting alot of your time--time which can be put to better +use (heh, heh)." + + As for physical attack, the coin plate is secured on all four side by +hardened steel bolts which pass through two slots each. These bolts are in +turn interlocked by the main lock. + One phreak I know did manage to take one of the 'mothers' home (which was +attached to a piece of plywood at a construction site; otherwise, the permanent +ones are a bitch to detach from the wall!). It took him almost ten hours to +open the coin box using a power drill, sledge hammers, and crow bars (which was +empty -- perhaps next time, he will deposit a coin first to hear if it slushes +down nicely or hits the empty bottom with a clunk.) + Taking the fone offers a higher margin of success. Although this may be +difficult often requiring brute force and there has been several cases of back +axles being lost trying to take down a fone! A quick and dirty way to open the +coin box is by using a shotgun. In Detroit, after ecologists cleaned out a +municipal pond, they found 168 coin phones rifled. + In colder areas, such as Canada, some shrewd people tape up the fones using +duct tape, pour in water, and come back the next day when the water will have +froze thus expanding and cracking the fone open.In one case: + + "unauthorized coin collectors" where caught when they brought $6,000 in +change to a bank and the bank became suspicious... + + At any rate, the main lock is an eight level tumbler located on the right +side of the coin box. This lock has 390,625 possible positions (5 ^ 8, since +there are 8 tumblers each with 5 possible positions) thus it is highly pick +resistant! The lock is held in place by 4 screws. If there is sufficient +clearance to the right of the fone, it is conceivable to punch out the screws +using the drilling pattern below (provided by Alexander Mundy in TAP) + + + + + + + + + + + + + + Page 122 + + + + + The Official Phreaker's Manual + + Chapter 5 + + What is covered in these last few articles, is the essence of phreaking, +blue boxing & equal access. These last articles, I hope will be the final +stage of phreak education for now. Basic telecommunications 7 is a brief intro +to the art of blue boxing, while Better Homes & Blue Boxing will cover it in +full. Equal access will be an interesting switch, it is installed in my area +already and I have been investigating it. One thought is to call MCI operators +and box through them, over MCI lines... + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 123 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART VII * + * * + ************************************************************ + +Preface: + + After most neophyte phreaks overcome their fascination with Metro codes and +WATS extenders, they will usually seek to explore other avenues in the vast +phone network. Often they will come across references such as "simply dial KP ++ 2130801050 + ST for the Alliance teleconferencing system in LA.". Numbers +such as the one above were intended to be used with a blue box; this article +will explain the fundamental principles of the fine art of blue boxing. + +Genesis: +____________________________________________________________ + + In the beginning, all long distance calls were connected manually by +operators who passed on the called number verbally to other operators in +series. This is because pulse (aka rotary) digits are created by causing +breaks in the DC current (see Basic Telcom V). Since long distance calls +require routing through various switching equipment and AC voice amplifiers, +pulse dialing cannot be used to send the destination number to the end local +office (CO). + + Eventually, the demand for faster and more efficient long distance (LD) +service caused Bell to make a multi-billion dollar decision. They had to create +a signaling system that could be used on the LD Network. Basically, they had +two options: + +[1] To send all the signaling and supervisory information (ie, ON & OFF +HOOK) over separate data links. This type of signaling is referred to as +out-of-band signaling. + -or- +[2] To send all the signaling information along with the conversation +using tones to represent digits. This type of signaling is referred to as +in-band signaling. + + Being the cheap bastard that they naturally are, Bell chose the latter (and +cheaper) method -- IN-BAND signaling. They eventually regretted this, though +(heh, heh)... + +IN-BAND SIGNALING PRINCIPLES: +____________________________________________________________ + + When a subscriber dials a telephone number, whether in rotary or touch-tone +(aka DTMF), the equipment in the CO interprets the digits and looks for a +convenient trunk line to send the call on its way. In the case of a local +call, it will probably be sent via an inter-office trunk; otherwise, it will be +sent to a toll office (class 4 or higher -- see Telcom IV) to be processed. + + When trunks are not being used there is a 2600 Hz tone on the line; thus, +to find a free trunk, the CO equipment simply checks for the presence of 2600 +Hz. If it doesn't find a free trunk the customer will receive a re-order signal + + Page 124 + + + + + The Official Phreaker's Manual + +(120 IPM busy signal) or the "all circuits are busy..." message. If it does +find a free trunk it "seizes" it -- removing the 2600 Hz. It then sends the +called number or a special routing code to the other end or toll office. + + The tones it uses to send this information are called multi-frequency (MF) +tones. An MF tone consists of two tones from a set of six master tones which +are combined to produce 12 separate tones. You can sometimes hear these tones +in the background when you make a call but they are usually filtered out so +your delicate ears cannot hear them. These are NOT the same as touch-tones. + + To notify the equipment at the far end of the trunk that it is about to +receive routing information, the originating end first sends a Key Pulse (KP) +tone. At the end of sending the digits, #he originating end then sends a STart +(ST) tone. Thus to call 914-359-1517, the equipment would send KP + 9143591517 ++ ST in MF tones. When the customer hangs up, 2600 Hz is once again sent to +signify a disconnect to the distant end. + +History: +____________________________________________________________ + + In the November 1960 issue of The Bell System Technical Journal, an article +entitled "Signaling Systems for Control of Telephone Switching" was published. +This journal, which was sent to most university libraries, happened to contain +the actual MF tones used in signaling. They appeared as follows: + +Digit Tones +----- ----- + 1 700 + 900 Hz + 2 700 + 1100 Hz + 3 900 + 1100 Hz + 4 700 + 1300 Hz + 5 900 + 1300 Hz + 6 1100 + 1300 Hz + 7 700 + 1500 Hz + 8 900 + 1500 Hz + 9 1100 + 1500 Hz + 0 1300 + 1500 Hz + KP 1100 + 1700 Hz + ST 1500 + 1700 Hz + 11 (*) 700 + 1700 Hz + 12 (*) 900 + 1700 Hz + KP2 (*) 1300 + 1700 Hz + +(*) Used only on CCITT SYSTEM 5 for special international calling. + + Bell caught wind of blue boxing in 1961 when it caught a Washington state +college student using one. They originally found out about blue boxes through +police raids and informants. In 1964, Bell Labs came up with scanning +equipment, which recorded all suspicious calls, to detect blue box usage. +These units were installed in CO's where major toll fraud existed. AT&T +Security would then listen to the tapes to see if any toll fraud was actually +committed. Over 200 convictions resulted from the project. Surprisingly +enough, blue boxing is not solely limited to the electronics enthusiast; AT&T +has caught businessmen, film stars, doctors, lawyers, college students, high +school students and even a millionaire financier (Bernard Cornfeld) using the +device. AT&T also said that nearly half of those that they catch are +businessmen. + + + Page 125 + + + + + The Official Phreaker's Manual + + Of course, phone phreaks have achieved an almost cult status. They have +also had their fair share of media. In October 1971, Esquire published the +infamous "Secrets of the Little Blue Box" article which featured phreaks such +as Captain Crunch, who took his name from the cereal which one gave away +whistles that produced a perfect 2600 Hz pitch; Joe Engressia, the blind +phreak; and Mark Bernay, one of the nation's first and oldest phreaks. Others +such as Apple computer co-founders Steve Wozniak & Steve Jobs have also had +blue box backgrounds. 1971 also saw the publication of the first issue of YIPL, +the phone phreak newsletter, (now TAP) under the editorship of supreme yippie +Abbie Hoffman. + +Usage: +____________________________________________________________ + + To use a blue box, one would usually make a free call to any 800 number or +distant directory assistance (NPA-555-1212). This, of course, is legitimate. +When the call is answered, one would then swiftly press the button that would +send 2600 Hz down the line. This has the effect of making the distant CO +equipment think that the call was terminated and it leaves the trunk hanging. +Now, the user has about 10 seconds to enter in the telephone number he wished +to dial -- in MF, that is. The CO equipment merely assumes that this came from +another office and it will happily process the call. Since there are no records +(except on toll fraud detection devices!) of these MF tones, the user is not +billed for the call. When the user hangs up, the CO equipment simply records +that he hung up on a free call. + +Detection: +____________________________________________________________ + + Bell has had 20 years to work on detection devices; therefore, in this day +and age, they are rather well refined. Basically, the detection device will +look for the presence of 2600 Hz where it does not belong. It then records the +calling number and all activity after the 2600 Hz. If you happen to be at a +fortress fone, though, and you make the call short, your chances of getting +caught are significantly reduced (see Telcom VI). Incidentally, there have been +rumors of certain test numbers (see Telcom II) that hook directly into trunks +thus avoiding the need for 2600 Hz and detection! + + Another way that Bell catches boxers is to examine the CAMA (Centralized +Automatic Message Accounting) tapes. When you make a call, your number, the +called number, and time of day are all recorded. The same thing happens when +you hang up. This tape is then processed for billing purposes. Normally, all +free calls are ignored. But Bell can program the billing equipment to make note +of lengthy calls to directory assistance. They can then put a pen register +(aka DNR) on the line or an actual full-blown tap. This detection can be +avoided by making short-haul (aka local) calls to box off of. + + It is interesting to note that NPA+555-1212 originally did not return +answer supervision. Thus the calls were not recorded on the AMA/CAMA tapes. +AT&T changed this though for "traffic studies!" + +CCIS: +____________________________________________________________ + + Besides detection devices, Bell has begun to gradually redesign the network +using out-of-band signaling. This is known as Common Channel Inter-office +Signaling (CCIS). Since this signaling method sends all the signaling +information over separate data lines, blue boxing is impossible under it. + + Page 126 + + + + + The Official Phreaker's Manual + + + While being implemented gradually, this multi-billion dollar project is +still strangling the fine art of blue boxing. Of course until the project is +totally complete, boxing will still be possible. It will become progressively +harder to find places to box off of, though. In areas with CCIS, one must find +a directory assistance office that doesn't have CCIS yet. Area codes in Canada +and predominately rural states are the best bets. WATS numbers terminating in +non-CCIS cities are also good prospects. + +Pink Noise: +____________________________________________________________ + + Another way that may help to avoid detection is too add some "pink noise" +to the 2600 Hz tone. Since 2600 Hz tones can be simulated in speech, the +detection equipment must be careful not to misinterpret speech as a disconnect +signal. Thus a virtually pure 2600 Hz tone is required for disconnect. + + Keeping this in mind, the 2600 Hz detection equipment is also probably +looking for pure 2600 Hz or else is would be triggered every time someone hit +that note (highest E on a piano =2637 Hz). This is also the reason that the +2600 Hz tone must be sent rapidly; sometimes, it won't work when the operator +is saying "Hello, hello." It is feasible to send some "pink noise" along with +the 2600 Hz. Most of this energy should be above 3000 Hz. The pink noise +won't make it into the toll network (where we want our pure 2600 Hz to hit) but +it should make it past the local CO and thus the fraud detectors. + +Construction: +____________________________________________________________ + + While step-by-step details for the construction of a blue box is beyond the +scope of this tutorial, it is worthwhile to mention some of the details. + + First there are some alternatives but they are not as good as an actual +blue box. Many computers are capable of generating MF tones. Thus, your local +phriendly software pirate should have a program compatible for your computer. + + However, it is highly advisable not to box from home as stated in The Ten +Commandments (as interpreted for phreaks by Fred Steinbeck -- TAP #86). + +I. Box thou not over thine home telephone wires, for those who doest must +surely bring the full wrath of the Chief Special Agent down upon thy heads. + + Another alternative that has a moderate success rate involves recording the +tones from a phriend with a box or computer onto a cassette tape. They can +then be used at a fortress. + + As for actual construction techniques, TAP has devoted many issues to blue +boxing. Basically, a blue box is merely a device capable of generating two +different tones simultaneously. There are two basic construction methods that I +will outline below for the electronics hobbyist. + + The first involves the use of two 555 timer chips (or a 556 -- i.e., two +555's in one chip). It offers excellent frequency and voltage stability. +Also, it does not need a diode matrix keypad but used double-pole switches +instead. Schematics for this type of box can be found in TAP issue #29. + + The other common box makes use of two Intersil 8038CC Function Generators. +It does require a diode matrix keypad though, potentiometers, an LM-100 voltage + + Page 127 + + + + + The Official Phreaker's Manual + +regulator, a 741 Op-amp, and a handful of other parts. The schematics for this +type of blue box can be found in TAP #26. Both designs draw about 20 ma of +current. + + Also, most blue boxes use telephone earpieces (with the varistor removed) +for speakers. These can be easily liberated from fortress fones with a small +coping saw. + + Usually, the hardest part about building a blue box is the calibration. A +frequency counter is a must and an oscilloscope won't hurt. + + Some boxes also take timing into account. It is feasible on the ESS +systems that they check to see if the digits are of uniform length. If they +aren't, they are probably from a blue box and a trouble card may be dropped. +With this in mind, the Bell standard for MF pulses and interdigit intervals is +around 75 ms. It varies with the equipment used since ESS can handle higher +speeds and doesn't need interdigit intervals. + +Applications: +____________________________________________________________ + + Besides dialing normal calls free, i.e., KP+NPA+NNX+XXXX+ST, blue boxes +offer the entire network for exploration. Emergency break-ins, service +monitoring (aka taps), stacking tandems (the art of busying out all trunks +between two points), re-routing calls, conference calls, and much, much more +are all feasible. Although, Bell frequently changes these codes due to +phreaks. Here are some standard ones, though: + +Operator & Other Codes: +____________________________________________________________ + + (an optional NPA may proceed all of the numbers; otherwise, you will reach +the one local for the area where the call is originated) + +001 -- Trunk Access System +009 -- Rate Quote System +101 -- toll office test board +121 -- INWARD Operator + + This operator assists the local "0" operator in completing calls. (S)he +will do virtually anything for you providing it is within her NPA. + +131 -- Operator Directory assistance +141 -- Rout & Rate +141 defunct -- use KP + 800 + 141 +1212 + ST) + + These operators are very useful if you know how to mumble a few cryptic +phrases as compiled below (with thanks to Fred Steinbeck): To find out.....Area +Codes + + For example say , "Miami, Florida, numbers route, please." The R&R +operator will tell you "305 plus," meaning that 305 plus the seven digit number +will get you Miami. + +... Inward Operator City Codes + + Usually, the INWARD operator for an area is simply KP + NPA + 121 + +ST. In some area codes, though, there are several large cities and thus + + Page 128 + + + + + The Official Phreaker's Manual + +several inwards. To find the inward for a specific city, you would say "916 +756, operator route, please" to the R&R operator who will then tell you "916 +plus 001 plus." This means that KP+ 916 + 001 + 121 + ST will get you an +inward for Sacramento, CA (916-756). + +... City names + + If you want to know the city that corresponds to an area code and +exchange, you simply tell the R&R, "Place name, 914 390, please." In this +example, the R&R operator will respond with "White Plains, NY." + +... International Directory Assistance + + If you need a directory route for London, you could say +"International, London, England. TSPS directory route, please." The R&R +operator will respond with "Directory to London, England. Country code 44 plus +1 plus 986 plus 3611." Therefore to get a DA operator in London, you would +route yourself to an international sender and KP + 04419863611 + ST. + +... Country & City codes + + If you need to know the country and city code for an international +number you can say "International, Sydney, Australia, TSPS numbers route, +please" and get "Country code 61 plus 2." + +... International Inwards Routes + + To get routing codes for international inwards say "International, +London, England, TSPS inward route, please." The R&R Operator will respond with +"Country code 44 plus 121." + + Finally, to get language assistance for completing a foreign call you can +tell the foreign inward, "United States calling. Language assistance in +completing a call to (called party) at (called number)." + +151 -- Overseas incoming (212 +& 914+) +160-XX0 -- Various Overseas Operators +161 -- Trouble reporting operator (defunct) +181 -- Coin Refund Operator +18X -- Overseas senders + + To make an international call, one would KP + 011 + 0CC + ST where CC is +the country code. This will route you to the appropriate overseas sender. You +will then receive a 480 Hz dial tone. Here you enter KP + 0CC + city code + +local number + ST and the call is on its way. + + Country codes can be either 1, 2, or 3 digits but they must be padded for +three digits to create a pseudo-country code with extra zero's if necessary. +For example, England, country code 44, becomes 044. + + To see which international sender a certain country (lets use French +Guiana, country code 594, for example) goes through, you can dial KP + 011 + +594 + ST, wait for the Proceed to Send tone then KP + 000 + 0000 + ST and you +will receive a recording saying which ISC (International Switching Center) it +is. For the example it will say, "This is the international switching center +in Pittsburg, PA -- This is a recording - 4121." You can actually route calls +to certain senders yourself (KP + NPA + 18X + ST) but it is better off not to +since it may look suspicious if a call is sent through a sender that it + + Page 129 + + + + + The Official Phreaker's Manual + +shouldn't go through. Here are the senders: + +182 -- White Plains, NY +183 -- New York, NY +184 -- Pittsburg, PA +185 -- Orlando, FL +186 -- Oakland, CA +187 -- Denver, CO +188 -- New York, NY + + Also, there tends to be alot of talk about the Code 11, Code 12, KP2, STP, +ST3P, & ST2P keys. While they do exist the blue boxer need not concern himself +with them. The first three are used on CCITT System 5. This is the signaling +system that the International Senders use to send information to other +countries. These codes are usually added automatically just like the language +assistance digit [which distinguishes operator (or blue box) dialed calls from +customer dialed calls]. The STP, ST3P, & ST2P tones are used when equipment is +communicating with the TSPS. These also are automatically added when needed in +most cases. + +[see Telcom III for more on International Switching Centers (ISC)] + +11XXX -- miscellaneous operators +11501 -- universal cordboard operator +11511 -- conference operator +11521 -- mobile operator +11531 -- marine operator +11541 -- LD incoming switchboard +11551 -- leave word for time & charges (neat stuff) +11561 -- same as 11551 but for hotel/motels +11571 -- overseas operators (language assistance) + + The 11XXX series is interesting scanning material. + +Miscellaneous Routing Codes : +____________________________________________________________ + + Alliance Teleconferencing has several numbers, a few of which are listed +below: + +KP + 213 080 XXXX + ST +KP + 305 025 XXXX + ST +KP + 312 001 XXXX + ST +XXXX = 1050, 1100, or a few others + + Also, at KP + 317 009 + ST there is a MF tone checker. After the +beep-kerclunk, dial in KP + 999 1234567 890 + ST and it will repeat the digits +that you pulsed if they are of the right frequency. + +Tandem Scanning: +____________________________________________________________ + + To find all sorts of interesting things, you must look. Begin scanning +three digit codes in your area (i.e., KP + 000 + ST, KP + 001 + ST, etc.). Keep +track of all of your results. Sometimes you must probe things, send additional +digits and see what happens, send touch-tone, send it 2600 Hz, rip it apart. +You never know, you may run into something phun, like a computer that checks CC +numbers. + + Page 130 + + + + + The Official Phreaker's Manual + + + Incidentally, in some exchange you can dial inwards and other box codes +directly! For example, 914-121-1111 will get you a NY inward. The only problem +is that a 0 or 1 as the first digit of the exchange is usually *prohibited in +customer dialing. Somebody may have "accidentally" changed this screening code +on your ESS's computer, though -- you never know and it can't hurt to try. +WATS translation numbers also take up some of the 0XX & 1XX codes. + + Finally, certain tones on the blue box can also be used for other purposes. +An MF "2" corresponds to COIN COLLECT while "KP" corresponds to COIN RETURN. +Thus every blue box is also a green box (see Telcom VI). + +Coming soon: + +Telcom VIII will deal with cordless phones, mobile phones, and other neat +things. + +Be careful and have phun, + +*****BIOC +*=$=*Agent +*****003 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 131 + + + + + The Official Phreaker's Manual + +The Mark Tabas encounter series presents: + + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + Better Homes and Blue Boxing + + Part I + + Theory of Operation + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + To quote Karl Marx, blue boxing has always been the most noble form of +phreaking. As opposed to such things as using an MCI code to make a free fone +call, which is merely mindless pseudo-phreaking, blue boxing is actual +interaction with the Bell System toll network. It is likewise advisable to be +more cautious when blue boxing, but the careful phreak will not be caught, +regardless of what type of switching system he is under. + + In this part, I will explain how and why blue boxing works, as well as where. +In later parts, I will give more practical information for blue boxing and +routing information. + + To begin with, blue boxing is simply communicating with trunks. Trunks must +not be confused with subscriber lines (or "customer loops") which are standard +telefone lines. Trunks are those lines that connect central offices. Now, when +trunks are not in use (i.e., idle or "on-hook" state) they have 2600Hz applied +to them. If they are two-way trunks, there is 2600Hz in both directions. When a +trunk IS in use (busy or "off-hook" state"), the 2600Hz is removed from the +side that is off-hook. The 2600Hz is therefore known as a supervisory signal, +because it indicates the status of a trunk; on hook (tone) or off-hook (no +tone). Note also that 2600Hz denoted SF (single frequency) signalling and is +"in-band." This is very important. "In-band" means that is is within the band +of frequencies that may be transmitted over normal telefone lines. Other SF +signals, such as 3700Hz are used also. However, they cannot be carried over the +telefone network normally (they are "out-of-band") and are therefore not able +to be taken advantage of as 2600Hz is. + + Back to trunks. Let's take a hypothetical phone call. You pick up your fone +and dial 1+806-258-1234 (your good friend in Armarillo, Texas). For ease, we'll +assume that you are on #5 Crossbar switching and not in the 806 area. Your +central office (CO) would recognize that 806 is a foreign NPA, so it would +route the call to the toll centre that serves you. [For the sake of accuracy +here, and for the more experienced readers, note that the CO in question is a +class 5 with LAMA that uses out-of-band SF supervisory signalling]. Depending +on where you are in the country, the call would leave your toll centre (on more +trunks) to another toll centre, or office of higher "rank". Then it would be +routed to central office 806-258 eventually and the call would be completed. +Illustration: + +A---CO1-------TC1------TC2----CO2----B + +A=you +CO1=your central office +TC1=your toll office. +TC2=toll office in Amarillo. +CO2=806-258 central office. +B=your friend (806-258-1234) + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/phreak/PHREAKING/pkmanual5.phk b/textfiles.com/phreak/PHREAKING/pkmanual5.phk new file mode 100644 index 00000000..8d0d6656 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/pkmanual5.phk @@ -0,0 +1,1981 @@ + + In this situation it would be realistic to say that CO2 uses SF in-band + + Page 132 + + + + + The Official Phreaker's Manual + +(2600Hz) signalling, while all the others use out-of-band signalling (3700Hz). +If you don't understand this, don't worry too much. I am pointing this out +merely for the sake of accuracy. The point is that while you are connected to +806-258-1234, all those trunks from YOUR central office (CO1) to the 806-258 +central office (CO2) do *NOT* have 2600Hz on them, indicating to the Bell +equipment that a call is in progress and the trunks are in use. + + Now let's say you're tired of talking to your friend in Amarillo +(806-258-1234) so you send a 2600Hz down the line. This tone travels down the +line to your friend's central office (CO2) where it is detected. However, that +CO thinks that the 2600Hz is originating from Bell equipment, indicating to it +that you've hung up, and thus the trunks are once again idle (with 2600Hz +present on them). But actually, you have not hung up, you have fooled the +equipment at your friend's CO into thinking you have. Thus,it disconnects him +and resets the equipment to prepare for the next call. All this happens very +quickly (300-800ms for step-by-step equipment and 150-400ms for other +equipment). + + When you stop sending 2600Hz (after about a second), the equipment thinks +that another call is coming towards it (e.g. it thinks the far end has come +"off-hook" since the tone has stopped. It could be thought of as a toggle +switch: tone --> on hook, no tone -->off hook. Now that you've stopped sending +2600Hz, several things happen: + +1) A trunk is seized. + +2) A "wink" is sent to the CALLING end from the CALLED end indicating that the +CALLED end (trunk) is not ready to receive digits yet. + +3) A register is found and attached to the CALLED end of the trunk within about +two seconds (max). + +4) A start-dial signal is sent to the CALLING end from the CALLED end +indicating that the CALLED end is ready to receive digits. + +Now, all of this is pretty much transparent to the blue boxer. All he really +hears when these four things happen is a . So, seizure of a +trunk would go something like this: + +1> Send a 2600Hz +2> Terminate 2600Hz after 1-2 secs. +3> [beep][kerchunk] + + Once this happens, you are connected to a tandem that is ready to obey your +every command. The next step is to send signalling information in order to +place your call. For this you must simulate the signalling used by operators +and automatic toll-dialing equipment for use on trunks. There are mainly two +systems, DP and MF. However, DP went out with the dinosaur , so I'll only +discuss MF signalling. MF (multi-frequency) signalling is the signalling used +by the majority of the inter- and intra-lata network. It is also used in +international dialing known as the CCITT no.5 system. + + MF signalling consists of 7 frequencies, beginning with 700Hz and separated +by 200Hz. A different set of two of the 7 frequencies represent the digits 0 +thru 9, plus an additional 5 special keys. The frequencies and uses are as +follows: + +Frequencies (Hz) Domestic Int'l + + Page 133 + + + + + The Official Phreaker's Manual + +-------------------------------------- + 700+900 1 1 + 700+1100 2 2 + 900+1100 3 3 + 700+1300 4 4 + 900+1300 5 5 +1100+1300 6 6 + 700+1500 7 7 + 900+1500 8 8 +1100+1500 9 9 +1300+1500 0 0 + 700+1700 ST3p Code 11 + 900+1700 STp Code 12 +1100+1700 KP KP1 +1300+1700 ST2p KP2 +1500+1700 ST ST + + The timing of all the MF signals is a nominal 60ms, except for KP, which +should have a duration of 100ms. There should also be a 60ms silent period +between digits. This is very flexible, however, and most Bell equipment will +accept outrageous timings. + + In addition to the standard uses listed above, MF pulsing also has expanded +usages known as "expanded inband signalling" that include such things as coin +collect, coin return, ringback, operator attached, and operator released. KP2, +code 11, and code 12 and the ST_ps (STart "primes") all have special uses which +will be mentioned only briefly here. + + To complete a call using a blue box, once seizure of a trunk has been +accomplished by sending 2600Hz and pausing for the , one must +first send a KP. This readies the register for the digits that follow. For a +standard domestic call, the KP would be followed by either 7 digits (if the +call were in the same NPA as the seized trunk) or 10 digits (if the call were +not in the same NPA as the seized trunk). [Exactly like dialing a normal fone +call]. Following either the KP and 7 or 10 digits, a STart is sent to signify +that no more digits follow. Example of a complete call: + +1> Dial 1-806-258-1234 +2> wait for a call-progress indication (such as ring, busy, recording, etc.) +3> Send 2600Hz for about 1 second. +4> Wait for about 2 seconds while a trunk is seized. +5> Send KP+305+994+9966+ST + + The call will then connect if every-thing was done properly. Note that if a +call to an 806 number were being placed in the same situation, the area code +would be omitted and only KP+ seven digits+ST would be sent. + + Code 11 and code 12 are used in international calling to request certain +types of operators. KP2 is used in international calling to route a call other +than by way of the normal route, whether for economic or equipment reasons. + + STp, ST2p, and ST3p (prime, two prime, and three prime) are used in TSPS +signalling to indicate calling type of call (such as coin-direct dialed). + + This has been Part I of Better Homes and Blue Boxing. I hope you enjoyed and +learned from it. If you have any questions, comments, threats or insults, +please fell free to drop me a line. If you have noticed any errors in this text +(yes, it does happen), please let me know and perhaps a correction will be in + + Page 134 + + + + + The Official Phreaker's Manual + +order. Part II will deal mainly with more advanced principles of blue boxing, +as well as routings and operators. + + Note 1: other highly trunkable areas include: 816,305,813,609,205. I +personally have excellent luck boxing off of 609-953-0000. Try that if you have +any trouble. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 135 + + + + + The Official Phreaker's Manual + + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + Better Homes and Blue Boxing + + Part II + + Practical Applications + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +(It is assumed that the reader has read and understood Part I of this series). + + The essential purpose of blue boxing in the beginning was merely to receive +toll services free of charge. Though this can still be done, blue boxing has +essentially outlived its usefulness in this area. Modern day "extenders" and +long distance services provide a safer and easier way to make free fone calls. +However, you can do things with a blue box that just can't be done with +anything else. For ordinary toll-fraud, a blue box is impractical for the +following reasons: + +1. Clumsy equipment required (blue box or equivalent) +2. Most boxed calls must be made through an extender. Not for safety reasons, +but for reasons I'll explain later. +3. Connections are often sacrificed because considerable distances must be +dialed to cross a seizable trunk, in addition to awkward routing. + + As stated in reason #2, boxed calls are usually made through an extender. +This is for billing reasons. If you recall from Part i, 2600Hz is used as a +"supervisory" signal. That is, it signals the status of a trunk--"on-hook" or +"off-hook." When you seize a trunk (by briefly sending 2600Hz), your end (the +CALLING end) goes on hook for the duration of the 2600Hz and then goes off-hook +once again when the 2600Hz is terminated. The CALLED end recognizes that a +call is on the way and attaches a register, which interprets the digits which +are to be sent. Now, understand that even though your end has come off-hook (no +2600Hz present), the other end is still on-hook. You may wonder then, why, if +the other end (the CALLED end) is still on-hook, there is no 2600Hz coming the +other way on the trunk, when there should be. This is correct. 2600Hz *IS* +present on the trunk when you seize it and afterwards, but you cannot hear it +because of a Band Elimination Filter (BEF) at your central office. + + Back to the problem. Remember that when you seize a trunk, 2600Hz is indeed +coming the other way on the trunk because the CALLED end is still on-hook, but +you don't actually hear it because of a filter. However, the Bell equipment +knows it's there (they can "hear" it). The presence of the 2600Hz is telling +the billing equipment that your call has not yet been completed (i.e., the +CALLED end is still on-hook). When finally you do connect with your boxed call, +the 2600Hz from the called end terminates. This tells the billing equipment +that someone picked up the fone at the CALLED end and you should begin to be +billed. So you do start to get billed, but for the call to the trunk, NOT the +boxed call. Your billing equipment thinks that you've connected with the number +you used to seize the trunk. Illustration: + +1. You call 1+806-258-2222 (directly) +2. Status of trunks: + +<-----------------------------------> +(You) 806-258-2222 +No 2600Hz-------> <------------2600Hz + + When you seize a trunk (before the number you called answers) there is no + + Page 136 + + + + + The Official Phreaker's Manual + +affect on your billing equipment. It simply thinks that you're still waiting +for the call to complete (the CALLED end is still on-hook; it is ringing, busy, +going to recorder or intercept operator. + + Now, let's say that you've seized a trunk (806-258-2222) and for example, +KP+314+949+1705+ST. The call is routed from the tandem you seized to: +314-949-1705. Illustration: + +<------------------>O<---------------> +(You) 806 314-949 + tandem +No 2600Hz----------> <----------2600Hz + + Note that the entire path towards the right (the CALLED end) has no 2600Hz +present and is therefore "off-hook." The entire path towards the left (the +CALLING end) does have 2600Hz present on it, indicating that the CALLED end has +not picked up (or come "off-hook"). When 314-949-1705 answers, "answer +supervision" is given and the 2600Hz towards the left (the CALLING end) +terminates. This tells your billing equipment, which thinks that you're still +waiting to be connected with 806-258-2222, that you've finally connected. +Billing then begins to 806-258-2222. Not exactly an auspicious beginning for an +aspiring young phone phreak. + + To avoid this, several actions may be taken. As previously mentioned, one may +avoid being charged for the number called to seize a trunk by using an extender +(in which case the extender will get billed). In some areas, boxing may be +accomplished using an 800 number, generally in the format of 800-858-xxxx (many +Amarillo numbers) or 800-NN2-xxxx (special intra-state class in-WATS numbers). +However, boxing off of 800 numbers is impossible in many areas. In my area, +Denver, I am served by #1A ESS and it is impossible for me to box off of any +800 number. + + Years ago, in the early days of blue boxing (before my time), phreaks often +used directory assistance to box off of because they were "free" long distance +calls. However, because of competitive long distance companies, directory +assistance surcharges are now $0.50 in many areas. It is additionally advised +that directory assistance numbers not be used to box from because of the +following: + + Average DA calls last under 2 minutes. When you box a call, chances are that +it will last considerably longer. Thus, the Bell billing equipment will make a +note of calls to directory assistance that last a long time. A call to a +directory assistant lasting for 4 hours and 17 minutes may appear somewhat +suspicious. + + Although the date, time, and length of a DA call do not appear on the bill, +it is recorded on AMA tape and will trip a trouble report if it were to last +too long. This is how most phreaks were discovered in the old days. Also, +sometimes too many calls lasting too long to one 800 number may raise a few +eyebrows at the local security office. + + Assuming you can complete a blue box call, the following are listed routings +for various Bell internal operators. These are in the format of KP+NPA+ +special routing+1X1+ST, which I will explain later. The 1X1 is the actual +operator routing, and NPA and NPA+ special routing are used for out-of-area +code calls and out-of-area code calls requiring special routing, respectively. + +KP+101+ST ...... Toll test board. + + Page 137 + + + + + The Official Phreaker's Manual + +KP+121+ST ...... Inward Operator. +KP+131+ST ...... Directory assistance. +KP+141+ST ...... was rate & route. Now only works in 312, 815, 717, and a few +others. It has been replaced with a universal rate & route number +800+141+1212. +KP+151+ST ...... Overseas completion operator (inbound). Works only in certain +NPAs, such as 303. +KP+181+ST ...... In some areas, toll station for small towns. + + Thus, if you seize a trunk in 806 NPA and wanted an inward (in 806), then you +would dial KP+121+ST. If you wanted a 312 inward and were dialing on an 806 +trunk, an area code would be required. Thus, you would dial KP+312+121+ST. +Finally, some places in the network require special routing, in addition to an +area code. An example is Franklin Park, Ill. It requires a special routing of +032. For this, you would dial KP+312+032+121+ST for a Franklin Park inward +operator. + + Special routings are in the format of 0XX. They are used primarily for load +balance, so that traffic flow may be evenly distributed. About half of the +exchanges in the network require special routing. Note that special routings +are NEVER EVER EVER used to dial normal telephone numbers, only operators. + + Operator functions: + +TOLL TEST BOARD- Generally a cordboard position that assists in trunk testing. +They are not used by operators, only switchmen. + +INWARD- Assists the normal TSPS (0+) operator in completing calls out of the +TSPS's area. Also, inwards perform emergency interrupts when the number to be +interrupted is out of the area code of the original (TSPS) operator. For +example, a 303 operator has a customer that needs an emergency interrupt on +215-647-6969. The 303 operator gets the routing for the inward that covers +215-647, since she cannot do the interrupt herself. The routing is found to be +only 215+ (no special routing required). So, the 303 operator keys +KP+215+121+ST. An inward answers and the 303 says to her, "Inward, this is +Denver. I need an emergency interrupt on 215-647-6969. My customer's name is +Mark Tabas." The inward will then do the interrupt (off the line, of course). +If the number to be interrupted had required special routing, such as, say, +312-456-1234 (spec routing 032), then the 303 operator would dial +KP+312+032+121+ST for the inward to do that interrupt. + +DIRECTORY ASSISTANCE- These are the normal NPA+555+1212 operators that assist +customers with obtaining telefone directory listings. Not much toll-fraud +potential here, except maybe $0.50. + +RATE AND ROUTE- These operators are reached by dialing KP+800+141+1212+ST. +They assist normal (TSPS) operators with rates and routings (thus the name). +The only uses I typically have for them are the following: + + 1. Routing- + Information- In the above example, when the 303 operator needed to dial +an inward that served 215-647, she needed to know if any special routing was +required and, if so, what it was. Assuming she would use rate and route, she +would dial them and say nicely, "Operator's route, please, for 215-647." Rate & +route would respond with "215 plus." This means that the operator would dial +KP+215+121+ST to reach the inward that serves 215-647. If there were special +routing required, such as in 312-456, rate & route would respond with "312 plus +032 plus." In that case, the operator would dial KP+312+032+ST for the inward + + Page 138 + + + + + The Official Phreaker's Manual + +that serves 312-456. + + It is good practice to ask for "operator's route" specifically, as there are +also "numbers route" and "directory routes." If you do not specifically ask for +operator's route, rate & route will generally assume that is what you want +anyway. + +"Numbers" route refers to overseas calls. Example, you want to know how to +reach a number in Geneva, Switzerland (and you already have the number). You +would call routing and say "Numbers route, please, Geneva, Switzerland." The +operator would respond with: "Mark 41+22. 011+041+ST (plus) 041+22" The "Mark +41+22" has to do with billing, so disregard it. The 011+041 is access to the +overseas gateway (to be discussed in Part iii) and the 041+ 22+ is the routing +for Geneva from the overseas sender. + +"Directory" routings are for directory assistance overseas. Example: you want a +DA in Rome, Italy. You would call rate & route and say, "Directory routing +please, for Rome, Italy." They would respond with "011+039+ST (plus) 039+1108 +STart." As in the previous example, the 011+039 is access to the overseas +gateway. The 039+1108 is a directory assistant in Rome. + + 2. Nameplace information- Rate & Route will give you the location of an NPA+ +exchange. Example: "Nameplace please, for 215-648." The operator would respond +with "Paoli, Pennsylvania." This isn't especially useful, since you can get the +same information (legally) by dialing 0, but using rate & route is often much +faster and it avoids having to hang up when you are already on a trunk. + +*NOTE* On Rate & Route: As a blue boxer, always ask for "IOTC" routings. +(e.g., "IOTC operator's route", "IOTC numbers route", etc.) This tells them +that you want cordboard-type routings, not TSPS, because a blue boxer is +actually just a cordboard position (that Bell doesn't know about). + +OVERSEAS COMPLETION +OPERATOR (inbound)- These operators (KP+151+ST) assist in the completion of +calls coming in to the United States from overseas. There are KP+151+ST +operators only in a few NPAs in the country (namely 303). To use one, you would +seize a trunk and dial KP+303+151+ST. Then you would tell the operator, for +example, "This is Bangladesh calling. I need U.S. number 215-561-0562 please." +[in a broken Indian accent]. She would connect you, and the bill would be sent +to Bangladesh (where I've been billing my KP+151+ST calls for two years). + +Other internal Bell Operators. + +KP+11501+ST ...... universal operator +KP+11511+ST ...... conference op +KP+11521+ST ...... mobile op +KP+11531+ST ...... marine op +KP+11541+ST ...... long distance terminal +KP+11551+ST ...... time & charges op +KP+11561+ST ...... hotel/motel op +KP+11571+ST ...... overseas (outbound) op + + These 115X1 operators are identical in routing to the 1X1 operators listed +previously, with one exception. If special routing is required (0XX), then the +trailing 1 is left off. + +Examples: + + + Page 139 + + + + + The Official Phreaker's Manual + +A 312 universal op ... KP+312+11501+ST +A Franklin Park (312-456) universal op (special routing 032 required)........ +KP+312+032+1150+ST [The trailing 1 of 11501 is left off]. + +Purposes of 115X1 operators. + +UNIVERSAL- Used for collect/callback calls to coin stations. + +CONFERENCE- This is a cordboard conference operator who will set up a +conference for a customer on a manual operation basis. + +MOBILE- Assists in completion of calls to mobile (IMTS) type telefones. + +MARINE- Assists in completion of calls to ocean going vessels. + +LONG DISTANCE TERMINAL- Now obsolete.Was used for completion of long distance +calls. + +TIME & CHARGES- Will give exact costs of calls. Used to time calls and inform +customer of exactly how much it cost. + +HOTEL/MOTEL- Handles calls to/from hotels and motels. + +OVERSEAS +COMPLETION (outbound)- assists in completion of calls to overseas points. Only +works in some, if any NPAs, because overseas assistance has been centralized to +IOCC (covered in Part III). + + Note that all KP+1X1+ST and KP+115X1+ST operators automatically assume that +you are a TSPS or cordboard operator assisting a customer with a call. DO NOT +DO ANYTHING TO JEOPARDIZE THIS! If you do not know what to do, don't call these +operators! Find out what to do first. + + This concludes Part II. There is one final part in which I will explain +overseas dialing, IOCC (International Overseas Completion Centre), RQS +(Rate/Quote System), and some basic scanning. + + + + + + + + + + + + + + + + + + + + + + + + Page 140 + + + + + The Official Phreaker's Manual + + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + Better Homes and Blue Boxing + + Part III + + Advanced Signalling +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +(It is assumed that the reader has read and understood parts i & ii before +proceeding to this part). + + In Parts I & II, I covered basic theory and domestic signalling and +operators. In this part I will explain overseas direct boxing, the IOCC, the +RQS, and some basic scanning methods. + +Overseas Direct Boxing. + + Calling outside of the United States and Canada is accomplished by using an +"overseas gateway." There are 7 over-seas gateways in the Bell System, and each +one is designated to serve a certain region of the world. To initiate an +overseas call, one must first access the gateway that the call is to be sent +on. To do this automatically, decide which country you are calling and find its +country code. Then, pad it to the left with zeros as required so it is three +digits. [Add 1, 2, or 3 zeros as required]. + +Examples: + +Luxembourg (352) is 352 (stays the same) +Spain (34) becomes 034 (1 zero added) +U.S.S.R. (7) becomes 007 (2 zeros added) + + Next, seize a trunk and dial KP+011+ CC+ST. Note that CC is the three digit +padded country code that you just determined by the above method. [For +Luxembourg, dial KP+011+352+ST, Spain KP+011+034+ST, and the U.S.S.R. KP+011+ +007+ST]. This is done to route you to the appropriate overseas gateway that +handles the country you are dialing. Even though every gateway will allow you +to dial every dialable country, it is good practice to use the gateway that is +designated for the country you are calling. + + After dialing KP+011+CC+ST (as CC is defined above) you should be connected +to an overseas gateway. It will acknowledge by sending a wink (which is audible +as a and a dial tone. Once you receive international dial +tone, you may route your call one of two ways: a) as an operator-originated +call, or b) as a customer-originated call. To go as a operator-originated call, +key KP+ country code (NOT padded with zeros)+ city code+number+ST. You will +then be connected, providing the country you are calling can receive +direct-dialed calls. The U.S.S.R. is an example of a country that cannot. + +Example of a boxed int'l call: + +To make a call to the Pope (Rome, Italy), first obtain the country code, which +is 39. Pad it with zeros so that it is 039. Seize a trunk and dial +KP+011+039+ST. Wait for sender dial tone and then dial KP+39+6+6982+ST. 39 is +the country code, 6 is the city code, and 6982 is the Pope's number in Rome. To +go as an operator-originated call, simply place a zero in front of the country +code when dialing on the gateway. Thus, KP+0+39+6+6982+ST would be dialed at +sender dial tone. Routing your call as operator-originated does not affect much +unless you are dialing an operator in a foreign country + + Page 141 + + + + + The Official Phreaker's Manual + + + To dial an operator in a foreign country, you must first obtain the operator +routing from rate & route for that country. Dial rate & route and if you're +trying to get an operator in Yugoslavia, say nicely, "IOTC Operator's route, +please, for Yugoslavia." [In larger countries it may be necessary to specify a +city]. Rate & route will respond with, "38 plus 11029". So, dial your overseas +gateway, KP+011+038+ST, wait for sender dial tone, and key KP+0+38+11029+ST. +You should then get an operator in Yugoslavia. Note that you must prefix the +country code on the sender with a 0 because presumably only an operator here +can dial an operator in a foreign country. + + When you dial KP+011+CC+ST for an overseas gateway, it is translated to a +3-digit sender code of the format 18X, depending on which sender is designated +to handle the country you are dialing. The overseas gateways and their 3-digit +codes are listed below. + +182 ..... White Plains, NY +183 ..... New York, NY +184 ..... Pittsburg, PA +185 ..... Orlando, FL +186 ..... Oakland, CA +187 ..... Denver, CO +188 ..... New York, NY + + Dialing KP+182+ST would get you the sender in White Plains, and KP+183+ST +would get the sender in NYC, etc., but the KP+011+CC+ST is highly suggested (as +previously mentioned). To find out what sender you were routed to after dialing +KP+011+CC+ST, dial (at int'l dial tone): KP+0000000+ST. + + If you have difficulty in reaching a sender, call rate and route and ask for +a numbers route for the country you're dialing. Sometimes, KP+011+ padded +country code+ST will not work. I have found this in many 3-digit country +codes. Luxembourg, country code 352, for example, should be KP+011+352+ST +theoretically. But it is not. In this case, dial KP+011+ 003+ST for the +overseas gateway. If you have trouble, try dialing KP+00+ first digit of +country code+ST, or call rate The IOCC. + + Sometimes when you call rate and route and ask for an "IOTC numbers route" or +"IOTC operators route" for a foreign country, you will get something like +"160+700" (as in the case of the Soviet Union). This means that the country is +not dialable directly and must be handled through the International Overseas +Completion Centre (IOCC). For an IOCC routing, pad the country code to the +RIGHT with zeros until it is 3 digits. Then KP+160 is dialed, plus the padded +country code, plus ST. Examples: + +The U.S.S.R. (7) ...... KP+160+700+ST +Japan (81) ............ KP+160+810+ST +Uraguay (598) ......... KP+160+598+ST + + You will then be routed to the IOCC in Pittsburg, PA, who will ask for +country, city, and number being dialed. Many times they will ask for a +ringback [thanks to Telenet Bob] so have a loop ready. They will then place the +call and call you back (or sometimes put you through directly). Some calls, +such as to Moscow, take several hours. + +The Rate Quote System (RQS). + + The RQS is the operator's rate/quote system. It is a computer used by TSPS + + Page 142 + + + + + The Official Phreaker's Manual + +(0+) operators to get rate and route information without having to dial the +rate and route operator. In Part ii, I discussed getting an inward routing for +dialing-assistance and emergency interrupts from the rate and route operators +(KP+800+141+1212+ST). The same information is available from RQS. Say you want +the inward routing for 305-994. You would seize a trunk and dial KP+009+ST (to +access the RQS). Sometimes, if you seize a trunk in an NPA not equipped with +RQS, you need to dial an NPA that is equipped with RQS first, such as 303. +Anyway, after you dial KP+009+ST or KP+303+009+ST, you will receive a wink +() and then RQS dial tone. At RQS dial tone, for an inward +routing for 305-994 you would dial KP+06+305+994+ST. That is, +KP+06+NPA+exchange+ST. RQS will respond with "305 plus 033 plus". This means +you would dial KP+305+033+121+ST for an inward that services 305-994. If no +special routing were required, RQS would have responded with "305 plus" and you +would simply dial: KP+305+121+ST for an inward. + + Another RQS feature is the echo feature. You can use it to test your blue +box. Dial RQS (KP+009+ST) and then key KP+07+1234567890+ST. RQS will respond +with voice identification of the digits it recognized, between the KP+07 and +ST. + + RQS can also be used for rates and directory routings, but those are seldom +needed, so they have been omitted here. + +Simple Scanning. + + If you're interested in scanning, try dialing on a trunk, routings in the +format of KP+11XX1+ST. Begin with 11001 and scan to 11991. There are lots of +interesting things to be found there, as Doctor Who (413 area) can tell you. +Those 11XX1 routings can also be prefixed with an NPA, so if you want to scan +area code 212, dial KP+212+ 11XX1+ST. + + There, now you know as much about blue boxing as most phreaks. If you read +and understand the material, and put aside preconceived ideas of what blue +boxing is that you may have acquired from inexperienced people or other +bulletin boards, you should be well on you way to an enlightening career in +blue boxing. If you follow the guidelines in Part I to box, you should have no +problem with the fone company. Comments made by "phreaks" on bulletin boards +that proclaim "tracing" of blue boxers are nonsense and should be ignored +(except for a passing chuckle). + +NOTE 1: CCIS and the downfall of blue boxing. + +CCIS stands for Common Channel Inter-office Signalling. It is a signalling +method used between electronic switching systems that eminiates the use of +2600Hz and 3700Hz supervisory signals, and MF pulsing. This is why many places +cannot be boxed off of; they employ CCIS, or out-of-band signalling, which will +not respond to any tones that you generate on the line. Eventually, all +existing toll equipment will be upgraded or replaced with CCIS or T-carrier. In +this case, we'll all be boxing with microwave dishes. Until then (about 1995 by +current BOC/AT&T estimates), have fun! + +If you have ANY questions about this text, please feel free to drop me a line. +I will respond to all mail, messages, etc. Insults are also welcomed. And if +you discover anything interesting scanning, be sure to let me know. + +Mark Tabas +$LOD$ + + + Page 143 + + + + + The Official Phreaker's Manual + +This text was prepared in full by Mark Tabas for: + +K.A.O.S. +Philadelphia, PA. +[215-465-3593]. + +Any sysop may freely download this text and use it on his/her BBS, provided +that none of it be altered in any way. + +Technical acknowledgements: + +Karl Marx, X-Man, High-Rise Joe, Telenet Bob, Lex Luthor, TUC, John Doe, Doctor +Who (413 area), The Tone Sweep, Mr. Silicon, K00L KAT, The Glump. + +References: + +1. Notes on the BOC Intra-LATA Networks Bell System publication, 1983. +2. Notes on the Network Bell System publication, 1983. +3. Engineering and Operations in the Bell System Bell System publication, +1983. +4. Notes on Distance Dialing Bell System publication, 1968. +5. Early Medieval Architecture. +....................................... +(c) February 6, 1900 Mark Tabas +....................................... + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 144 + + + + + The Official Phreaker's Manual + + BY FRED STEINBECK (TAP #88) + + IT SEEMS THAT FEWER AND FEWER PEOPLE HAVE BLUE BOXES THESE DAYS, AND +THAT IS REALLY TOO BAD. BLUE BOXES, WHILE NOT ALL THAT GREAT FOR MAKING FREE +CALLS (SINCE THE TPC CAN TELL WHEN THE CALL WAS MADE, AS WELL AS WHERE IT WAS +TOO AND FROM), ARE REALLY A LOT OF FUN TO PLAY WITH. SHORT OF BECOMING A REAL +LIVE TSPS OPERATOR, THEY ARE ABOUT THE ONLY WAY YOU CAN REALLY PLAY WITH THE +NETWORK. + FOR THE FEW OF YOU WITH BLUE BOXES, HERE ARE SOME PHRASES WHICH MAY +MAKE LIFE EASIER WHEN DEALING WITH THE RATE & ROUTE (R&R) OPERATORS. TO GET +THE R&R OP, YOU SEND A KP + 141 + ST. IN SOME AREAS YOU MAY NEED TO PUT +ANOTHER NPA BEFORE THE 141 (I.E., KP + 213 + 141 + ST), IF YOU HAVE NO LOCAL +R&R OPS. + THE R&R OPERATOR HAS A MYRIAD OF INFORMATION, AND ALL IT TAKES TO GET +THIS DATA IS MUMBLING CRYPTIC PHRASES. THERE ARE BASICALLY FOUR SPECIAL +PHRASES TO GIVE THE R&R OPS. THEY ARE NUMBERS ROUTE, DIRECTORY ROUTE, OPERATOR +ROUTE, AND PLACE NAME. + YOU GET AN R&R AN AREA CODE FOR A CITY, ONE CAN CALL THE R&R OPERATOR +AND ASK FOR THE NUMBERS ROUTE. FOR EXAMPLE, TO FIND THE AREA CODE FOR CARSON +CITY, NEVADA, WE'D ASK THE R&R OP FOR "CARSON CITY, NEVADA, NUMBERS ROUTE, +PLEASE." AND GET THE ANSWER, "RIGHT... 702 PLUS." MEANING THAT 702 PLUS 7 +DIGITS GETS US THERE. + SOMETIMES DIRECTORY ASSISTANCE ISN'T JUST NPA + 131. THE WAY TO GET +THESE ROUTINGS IS TO CALL R&R AND ASK FOR "ANAHEIM, CALIFORNIA, DIRECTORY +ROUTE, PLEASE." OF COURSE, SHE'D TELL US IT WAS 714 PLUS, WHICH MEANS 714 + 131 +GETS US THE D.A. OP THERE. THIS IS SORT OF POINTLESS EXAMPLE, BUT I COULDN'T +COME UP WITH A BETTER ONE ON SHORT NOTICE. + LET'S SAY YOU WANTED TO FIND OUT HOW TO GET TO THE INWARD OPERATOR FOR +SACRAMENTO, CALIFORNIA. THE FIRST SIX DIGITS OF A NUMBER IN THAT CITY WILL BE +REQUIRED (THE NPA AND AN NXX). FOR EXAMPLE, LET US USEM 916 756. WE WOULD CALL +R&R, AND WHEN THE OPERATOR ANSWERED, SAY, "916 756, OPERATOR ROUTE, PLEASE." +THE OPERATOR WOULD SAY, "916 PLUS 001 PLUS." THIS MEANS THAT 916 + 001 + 121 +WILL GET YOU THE INWARD OPERATOR FOR SACRAMENTO. + DO YOU KNOW THE CITY WHICH CORRESPONDS TO 503-640? THE R&R OPERATOR +DOES, AND WILL TELL YOU THAT IT IS HILLSBORO, OREGON, IF YOU SWEETLY ASK FOR +"PLACE NAME, 503 640, PLEASE." + FOR EXAMPLE, LET'S SAY YOU NEED THE DIRECTORY ROUTE FOR SVEG, SWEDEN. +SIMPLY CALL R&R, AND ASK FOR, "INTERNATIONAL, BADEN, SWITZERLAND. TSPS +DIRECTORY ROUTE, PLEASE." IN RESPONSE TO THIS, YOU'D GET, "RIGHT... DIRECTORY +TO SVEG, SWEDEN. COUNTRY CODE 46 PLUS 1170." SO YOU'D ROUTE YOURSELF TO AN +INTERNATIONAL SENDER, AND SEND 46 + 1170 TO GET THE D.A. OPERATOR IN SWEDEN. + INWARD OPERATOR ROUTINGS TO VARIOUS COUNTRIES ARE OBTAINED THE SAME WAY +"INTERNATIONAL, LONDON, ENGLAND, TSPS INWARD ROUTE, PLEASE." AND GET "COUNTRY +CODE 44 PLUS 121." THEREFORE, 44 PLUS 121 GETS YOU INWARD FOR LONDON. + INWARDS CAN GET YOU LANGUAGE ASSISTANCE IF YOU DON'T SPEAK THE +LANGUAGE. TELL THE FOREIGN INWARD, "UNITED STATES CALLING. LANGUAGE ASSISTANCE +IN COMPLETING A CALL TO (CALLED PARTY) AT (CALLED NUMBER)." + R&R OPERATORS ARE PEOPLE ARE PEOPLE TOO, Y'KNOW. SO ALWAYS BE POLITE, +MAKE SURE USE OF 'EM, AND DIAL WITH CARE. + +NOTE: AS A RESULT OF THE BREAK-UP, R&R IS NOW KP+800+141+1212+ST + + + + + + + + + Page 145 + + + + + The Official Phreaker's Manual + + Verification + By Fred Steinbeck + +From TAP issue # 88 10-83 + + There has been a great deal of controversy in the realm of phreakdom over a +mysterious subject known under a number of different names, including +"Verification", "Autoverification", "Verify", "Autoverify", "Verify Busy", and +even "VFY BY". All of these names basically mean the same thing: the ability +to listen to another person's telephone line from any telephone in the +direct-dialable world. + Needless to say, Bell System is very tight lipped about knowledge regarding +verification. Indeed, the infamous book 'Notes on long distance dialing' ('68 +edition) says, "Care must be taken to insure that the customer never gains +verification capabilities." With a printed policy like that, you can imagine +what their real-world policy is like! Even their own rate and route operators +will not give verification on routing codes (at least in my experience), one +even responding, "What?! You must be crazy! We don't give those out!" Before +you get too far into this article, I will state simply: I don't know how to +verify. However, I have been fooling with various things related to it, and +collecting information on it for some time now. Therefore, while I can't do it +(yet), I may be able to point some other bright TAPer on the right track, and +perhaps he or she will show us all how. If you have knowledge not covered in +this article, but don't want to write an article on your own, please send your +ideas, comments, or information to Project Verify, C/O TAP Verify has also +been called "Autoverify", and I have no idea why. This is not, to my +knowledge, a Bell System term (at least I've never seen it in any manuals) As +far as I know, there is verify, which means being able to listen to speech +(kind of; see below) on a line, and there is the "Emergency Interrupt which +allows you to take part in the conversation taking place on the line in +question. It has been suggested that "Autoverify" is the same as an emergency +interrupt , but I tend to disagree with this idea. It should be noted that the +verification circuitry does not actually let an operator listen to a +conversation without making a beep on the line every so often. Instead, she +will hear encrypted speech. However, I believe with the proper methods, verify +can be converted to an emergency interrupt. + Verification is normally done either by your normal "0" (TSPS) operator, if +the call is in your home NPA (HNPA), or by an inward operator (IO). If the +call is outside your HNPA, your normal operator will call the IO for the +NPA,and say, "Verify Busy" or "Emergency Interrupt" please, 555 1212." The IO +will perform whatever magic he or she must, and then report back. If the call +is in your HNPA, though, the "0" operator can do the verification herself by +using the "VFY BY" key on her keyshelf. However, in some areas, the operator +uses a routing code to accomplish verification, and this the is loop hole we +shall attack. + It follows that if a IO or "0" operator can do it, so can we, with a blue box +Now, courtesy of Robert Allen (who brought it to my attention) and Susan +Thunder (who apparently discovered it), here is what used to work for getting +operators to hook you into conversations with other people (i.e.,let you listen +to them till you hung up): You'd call the operator and say "Operator, TSPS +Maintenance Engineer Calling. Ring forward to 001 + NPA + 7d, ring back to my +number, hit ring forward, no AMA, and then position release. + This creates some problems, and you must be familiar with the TSPS +console(by dialing "0"), you are on the "back", or incoming part of a loop. +When she places a call for you, the call goes out on the "forward", or outgoing +part of the loop. If an operator wants to make a call, she punches KP FWD +(keypulse forward), the number, and ST. Ring FWD puts a 90 volt ringing signal +across the forward part of the line (and may dial the number as well). The + + Page 146 + + + + + The Official Phreaker's Manual + +problem arises from the fact that I don't know if Ring FWD will actually dial a +call, and if there is some other subtle difference between it an KP FWD. + Let us assume ringing forward makes a call from the TSPS console to whatever +number is given. Ring back causes your phone to ring (it is assumed you hung +up after giving her your instructions; if you didn't you'd hear an annoying 90 +volts across the earpiece...) "No AMA" means "no automatic message accounting", +so nobody gets billed for the call, although it will show up on a tape +somewhere. "Position Release" removes the operator from the circuit, and +allows her to receive other calls. This leaves an unaccounted-for ring +forward. + The verification circuit, as you know, likes to encrypt conversation, which +is something we don't want. Well, the second Ring FWD sends another 90 volts +crashing against the verify circuitry, which Juda Gerad thinks removes the +voice encryption from the line, puts the operator (and you) in circuit, and +puts a beep tone on the line every five seconds. This seems to make sense, and +I am inclined to agree with him. + The bit about "....001 + NPA + 7D" causes the thought "MF routing code" to +spring immediately to mind. Now, the above trick was supposed to work in the +213 NPA. I have tried both "KP+001+213+7D+ST", and some other area codes. I +generally get nothing, a reorder signal, or a tandem recording. + Here's some food for thought: On an official Telco sheet I have, labeled " +213 NPA MF Routing Codes", 001 is listed as "VFY BY", or verify busy for the +213 NPA. 002 is listed for the 805 NPA. Ma Bell likes to have standardized +routing codes, such logical, then, that 001 would be a sort of "standard" +verify code, and other prefixes would be tacked on at 002,003, etc. However, I +have heard from a retired operator that verification codes are different from +area to area, and are not always nice numbers like 001, 002. Ah, well, a guy +can hope, can't he? + Some suggestions for future attacks on this dilemma: Everyone call your +operators and subtly ask questions. I have found the tend to give information +out easier if you ask for something that you would ordinarily have to be a +company employee to know about, such as rate steps, operator routings, etc. + Casually let slip that you used to be (or still are) an operator, or that +you work for company security. Also, you might want to blue box some codes +like 001 followed by your NPA and the last 7D of a busy number. If you get a +sort of "whispery noise", try blasting the line with a ringing signal (you +might piggyback another line onto yours and call the piggyback to generate the +90 volts) and see if that does anything. + + + + + + + + + + + + + + + + + + + + + + Page 147 + + + + + The Official Phreaker's Manual + + =================================== + EQUAL ACCESS AND THE AMERICAN DREAM + =================================== + + +by + +Mark Tabas +P.O. Box 620401 +Littleton, CO 80162 + +July 7, 1985 + + + + The American Dream means many things to many people. To the small, typical +businessman, it means building a good, strong business based on hard work and +perseverance; indeed, with nothing limiting his potential but he amount of work +he is willing to put into his business. To a large businessman, the American +Dream means living and working in a country where a single corporation can have +a profit exceeding the gross national product of an entire third world nation. + To the individual, the American Dream is the right to choose -- everything +from one's breakfast cereal to a long-distance service, as well as the formal +right outlined by our founding fathers: those of life, liberty, and the pursuit +of happiness. + To the phone phreak, I think the American Dream is, in a sort of twisted way, +the uninhibited pursuit of knowledge. This quest could scarcely remain +unchecked in many other countries. Analogous to this quest is the thriving of +the Bell System, which until January 1, 1984 consisted of the American +Telephone and Telegraph Company, the largest corporation in the history of the +world. Did the American Dream die on January first or did the divestiture of +AT&T cause a giant step forward for competition and free enterprise in the +United States? I do not know. I do know that the other nations of the world +were amazed that the United States would dissolve the entity that brought the +finest and most universal telephone system in the world, and did so at a time +when the majority of the rest of the world was still using two dixie cups and a +string. + The unfairness of the situation is that AT&T built the telephone system of +this nation and is now being bound and gagged and having its possessions +distributed to others, whom AT&T also wrought. All in the name of fairness, +free competition, and "equal access". Where was was MCI during the century +that AT&T built he communications system of this nation? Well, I believe in +Equal Access, Wholly. And, since I believe in equal access and its +implications for equality for all so strongly, I feel that MCI, Sprint, and +others should take the same amount of time to build their respective toll +networks: 100 years. Therefore, if the United States Justice Department were +truly the fair and just administrator that it portrays itself to be, MCI would +not have a hand in the long-distance cache until about 2080. That's only +fair. + There is no doubt that MCI is a sub-standard organization. They consist of +incompetent employees, inferior equipment, and an inferior marketing strategy. +They are mockingly imitative of AT&T, except in the quality of their service, +which is practically unusable. It is also interesting that with less than 2% +market share, MCI calls itself "the nation's long-distance company." The point +to this diatribe is this. It's time for these long-distance companies such as +MCI and Sprint to grow up. With Equal Access, they are going to become real +long-distance companies, not the joke organizations they are now, and I think +it may just take them one hundred years to do so. + + Page 148 + + + + + The Official Phreaker's Manual + + + ============ + Equal Access + ============ + + Equal Access, as it applies to the telecommunications industry, is "the +requirement that each Bell Operating Company provide exchange access to all +long-distance carriers that is equal in type and quality to that provided AT&T +communications." This is the official provision set forth by the United States +Justice Department in the Modification of the Final Judgment, August 24, 1982. +All this means is that each long-distance-distance company will have "equal +access" to all of the same types of services that AT&T currently enjoys. There +are four types of long-distance carrier services, divided into "feature +groups." They follow. + +FG A: "line side access." This is the standard 7-digit dialup+code (for +billing purposes) +destination telephone number. It is currently in use by +most long-distance carriers. + +FG B: "trunk side access." These are the 950 exchange numbers. They also +utilize an authorization code for billing. As with FG A, automatic number +identification (ANI) (i.e. calling number) is not provided to the carrier, but +will be in the future. + +FG C: "1+ dialing." Currently, only AT&T is able to get this type of +service. It is 1/0+7 of 10 digit direct long distance dialing. ANI (for +billing) is provided. + +FG D: "equal access." This will allow for 1/0+7 or 10 digit direct +long-distance dialing (presubscription carrier) and 10xxx+1/0+7 or 10 digit +long-distance dialing (alternate carrier). ANI for billing is provided at the +long-distance carrier's option. Billing may also be handled by the individual +long distance company or the local Bell Operating Company. + + Feature groups C and D are mutually exclusive (i.e. both cannot exist in a +particular area at the same time). Areas which have Feature Group C (AT&T +long-distance only) are non-Equal Access, and areas which have Feature Group D +(multiple long distance carriers) are Equal Access regions. + Feature Group B, the 950 exchange numbers will be used in areas in which it +is not feasible to provide with Equal Access, such as step-by-step offices +(yes, they CAN have 950 numbers), some crossbar offices, and some independent +telcos, which are not bound by the provisions of Equal Access and may provide +to their customers any type of long-distance service(s) they wish. The 950 +exchange is now active in many areas. It is mainly used as a universal +"roaming" access port for many long-distance carriers, but when an office is +converted to Equal Access, the 950 capability is removed. Thus, in an Equal +Access region, one cannot complete a call to a 950 telephone number. + I personally am looking very forward to Equal Access. My area is not +scheduled for full implementation of it until late 1985 or early 1986, and by +this time many of the alternate long distance carriers' networks will be in +place (or well under way). Think about what Equal Access means. Equality for +all long distance carriers. Access to common facilities, such as: busy-line +verification lines, Bell System information, signalling specifications. etc. +After full implementation of Equal Access, one will be able to take advantage +of and manipulate the services of more than just one carrier. It will no +longer be phreaks vs. AT&T. + When your area is ready to initiate Equal Access, you will receive a notice +in the mail informing you of some of the details of Equal Access, and will ask + + Page 149 + + + + + The Official Phreaker's Manual + +you to specify your choice of "primary carrier." In some cases you will need to +specify both inter-LATA carrier (IC), which handles calls out of your LATA +(Local Access and Transport Area), and an international carrier (INC), which +will handle calls destined for other countries. Recent market studies have +shown that between 80 and 90 per cent of residential customers will continue to +be served by AT&T for their long-distance service after Equal Access. So much +for competition. + You will probably be faced with many long-distance companies to choose from, +including but not limited to: AT&T, MCI, Sprint, ITT, Western Union, Dial U.S., +Call America, TMC, and U.S. Telephone. Whichever you choose will become your +"primary carrier." Your primary carrier will handle your call each time you +pick up you fone and dial 1+7 or 10 digits or 0+7 or 10 digits, inter-LATA +only. That is, if you dial a toll call that is within your LATA, it will be +handled by your local telephone company (Bell), not by your primary carrier, +even though it is a toll call. Let's use an example. The state of Colorado +consists of two LATAs. For this example, I will use three cities in Colorado: +Denver (in LATA1), Sterling (LATA1 also), and Colorado Springs (in LATA2). +Note here that even though Denver ad Sterling are in the same LATA, and Denver +and Colorado Springs are not, Sterling is actually much farther away from +Denver than Colorado Springs. This is because LATA boundaries were designed +giving consideration to high toll-traffic regions, to bring in revenue. Toll +traffic between Denver and Colorado Springs is very high, so the two cities +were placed in separate LATAs (or, more correctly, they were separated by a +LATA boundary). Toll traffic between Denver and Sterling is very low, of the +two cities were allowed to remain in the same LATA. Now, if everyone in +Colorado Springs were to pack up and move to Sterling (though who knows what +the hell for), the LATA boundaries in Colorado would be changed so that Denver +and Sterling were in different LATAs. The primary factor in determining LATAs +is money. + If I made a call to Sterling from my home in Denver, the call would be routed +entirely via Mountain Bell long-distance facilities. No long distance carrier +would be involved because Denver and Sterling are in LATA1. If I made a call +to Kelley, the blonde babe in Colorado Springs, the call would be handled by a +long distance carrier (in this case, AT&T) because Denver is in LATA1 and +Colorado Springs is in LATA2. Here is a table to simplify this: + +Customer dials LATA Carrier +----------------------------------------------------------------- +7 digits same Bell +1+7 digits same Bell +1+7 digits diff LD carrier (currently AT&T) +1+10 digits diff LD carrier (currently AT&T) +----------------------------------------------------------------- + + Note several things here. First, not all areas need to dial a 1 when dialing +any number, local or long distance, but the central offices will still discern +whether the call is in the same LATA as the customer or a different one and +handle the call appropriately. Secondly, some step-by-step offices require a +1+NPA to be dialed for calls within the same LATA and, in fact, all numbers +outside of the office itself. But, for the most part, the above table is +standard for common switching networks. + + ================== + Alternate Carriers + ================== + + Your normal long distance carrier will handle all your toll calls which cross +over LATA boundaries when you dial directly, 1+. If you wish to place your + + Page 150 + + + + + The Official Phreaker's Manual + +call via another carrier's network, whether for cost, quality, or circuit +availability reasons, you may do so in Equal Access regions. To access an +alternate long distance carrier after Equal Access, a customer dials +10xxx+1/0+7 or 10 digit telefone number. Note that xxx is the "carrier access +code (CAC)." A few CACs currently in use are listed below. + +220 ........ Western Union 666 ........ Lexitel +222 ........ MCI 777 ........ Sprint +333 ........ US Telefone 888 ........ SBS +444 ........ Allnet + + Thus, in an Equal Access region, to dial Fred in Orlando, a customer would +dial 1+305+994+9966 to place his call on his primary carrier, or to place it on +another network, he could dial: 10222+1+305+994+9966, and the call would go +over MCI facilities (in this case). Eventually, after many more long distance +services get into the act, there will be a directory of the various long +distance companies and their CACs, and deciding which carrier to use for any +particular call to get the bet rate will be beyond the ability of everyone +except phone phreaks. + + ================ + The 950 Exchange + ================ + + As discussed, the 950 central office exchange is currently a "roaming" access +port for various long distance carriers. In areas that have 950, the access to +carriers is standardized. Thus, someone travelling to several different areas +need only know the 950 number of the carrier he uses to access it from any area +(provided that it have 950 active). Originally, the 950 exchange was designed +to correspond with the 10xx carrier access code used for Equal Access. For +example, 950-1022 would be the same carrier as 1022 (+telephone number). +However, it was later found that the 100 codes available for use as 10xx CACs +would be insufficient to handle he number of long distance carriers. So, the +common carrier access code was increased by one digit, to 10xxx, thus +increasing the number of possible CACs to 1000. To keep the 950 exchange +consistent with the non CAC, the Bell Operating Companies have opted to change +the 950-10xx to 950-0xxx. The xxx in the 950-0xxx remains the same as the xxx +in the 10xxx carrier access code. The new modified 950 numbering pan is now +active in Philadelphia (Bell Atlantic) among other areas. + After Equal Access is well under way, the 950 exchange will be used in +certain areas that cannot be equipped for the standard Equal Access dialing +plans. This includes step-by-step, #1 crossbar, #5 crossbar, #2ESS, and #3ESS +offices. Customers in areas served by these types of switching equipment will +dial 950-0xxx, wait for acknowledgement tone from the carrier, and then dial a +"personal identification number" and destination telefone number,and the call +will be completed on the selected carrier's facilities. Initially, billing +will be handled by the carrier itself, and supervisory information and ANI will +not be provided by the local Bell Operating Company. + There are three main advantages to the 950 central office exchange and +protocol. They are: a) universal access for all areas, b) 950-exchange numbers +are "trunk side access." This means that the long distance carrier has direct +trunks going to it from a Bell toll office or local central office. These +trunks are interoffice lines, not customer type (POTS) lines, and supposedly +insure higher quality of connection. And, c) 950-exchange numbers are toll and +message unit free. On metered-usage (i.e., not "flat rate") customer lines, +they cost nothing. In most areas they are free from coin stations, with +Colorado as one notable exception. + + + Page 151 + + + + + The Official Phreaker's Manual + + ===== + Costs + ===== + + Each long-distance carrier must choose the type(s) of service it wishes to +provide to its customers. These different types of service were outlined +earlier as "Feature Groups." The costs of these Feature Groups vary directly +with the complexity and quality of the service itself. The following table +outlines the cost to the carrier of each available Feature Group. It is based +on the monthly rate per line for 9000 minutes of circuit use, and assumes the +carrier and Bell switch are 15 miles apart. + +FG non-Equal Access Equal Access +-------------------------------------------------------- +A $329.94 $709.20 +B 329.94 721.80 +C 752.40 ** N/A ** +D ** N/A ** 752.40 +-------------------------------------------------------- + + These figures are a lot more significant than they might appear. They +indicate that after Equal Access, in order to compete with the giants such as +AT&T, MCI, etc., smaller long distance companies will use Feature Group A or B +type service in order to provide significantly lower rates to their customers +than companies subscribing to Feature Group D service (like AT&T, MCI, etc). +This will cause a unique type of equilibrium to form. Customers willing to +dial an access number, authorization code, and destination number and put up +with lower quality service will be able to save a lot of money. This seems +faintly reminiscent of pre-Equal Access times.... + + ==================== + Directory Assistance + ==================== + + Each Bell Operating Company will be responsible for providing intra-LATA +operator services. When a customer dials (1)+411 or (1)+555+1212 for local +directory assistance, he will reach a Bell operator who will service requests +for listed numbers within the customer's LATA. Requests for numbers in LATAs +other than the calling customer's may be handled at the discretion of the local +operating company. Initially, the Bell Operating Companies will meet the +responsibility for providing directory assistance services by contracting it to +a long distance carrier or carriers (currently AT&T). All inter-LATA directory +assistance services will be provided by the inter-LATA carrier (IC). ICs may +also provide 800 Enterprise service or other toll free type directory +assistance services. See table. + +================================================================= +Intra-LATA: +================================================================= + HNPA 411/555-1212 BOC + *FNPA NPA+555-1212 BOC + HNPA 10xxx+555-1212 intra-LATA carrier + *FNPA 10xxx+NPA+555-1212 intra-LATA carrier + +================================================================= +Inter-LATA: +================================================================= + HNPA (10xxx)+1+555-1212 IC + + Page 152 + + + + + The Official Phreaker's Manual + + FNPA (10xxx)+1+NPA+555-1212 IC +================================================================= +* When LATA boundaries cross NPA boundaries (rare). +FNPA = Foreign Numbering Plan Area (area code). +HNPA = Home Numbering Plan Area (area code). + + At first glance, the above table appears somewhat complex. But, if you +understand the concept of LATAs and carriers, it is easily understood. +Essentially, all local Bell Operating Companies will maintain their own +directory assistance services. When a customer dials 411 or 555-1212, he will +reach a BOC directory assistant. Additionally, each long distance carrier that +wishes to provide directory assistance to its customers will also have DA +facilities. And, when a customer dials a directory assistant (NPA+555-1212) on +a carrier, he will reach an operator of that particular long distance carrier. +The key here is LATAs. If a customer wants to find a number that is within his +LATA, no long distance carrier is involved. It is handled strictly by the +Local Bell Operating Company. If a customer is seeking a number that is not +within his LATA, he must use the services of an inter-LATA (long-distance) +carrier. + + ====================== + TSPS Operator Services + ====================== + + Traffic Service Position System (TSPS) operator services will be handled much +in the same fashion as directory assistance services, with a few differences. +As with DAs, each Bell Operating Company and each inter-LATA carrier will +maintain its own TSPS operator facilities (or cordboard I suppose, if they +cannot afford TSPS). When a customer dials simply 0 (operator), he will reach +a BOC TSPS operator. The BOC TSPS will be able to handle all types of +intra-LATA operator-assisted traffic including (but not limited to): collect, +third party billing, Bell credit card, coin, verification and emergency +interrupt, and requests for emergency aid. BOC TSPS will be unable to complete +calls for customers outside of the customer's LATA. Thus, inter-LATA operator +assistance will be handled by an inter-LATA carrier TSPS (IC TSPS). An IC TSPS +will handle all previously mentioned types of calls that require inter-LATA +transport (i.e., the call originates and terminates in different LATAs). When +a customer dials 0+NXX-XXXXX or 0+NPA+NXX-XXXX, the central office will +determine if the call is destined for another LATA. If it is not, the call +will be sent to the Bell TSPS for appropriate handling. If the call is bound +for another LATA (and his determination is made based on the NXX or NPA+NXX), +then the call will be sent off to the customer's primary long-distance carrier +(since only 0+ was dialed). If the customer wishes to use a different +carrier's operator services, he would dial 10xxx+0+number, and the carrier +specified by the 10xxx carrier access code would receive the call. Note: if a +customer dials 10xxx+0+number, and the call is an intra-LATA call, he will get +a recording, "We're sorry, the number you dialed cannot be reached with the +carrier access code you dialed. Please check the code and try again or call +your carrier for assistance." (Western Electric KS-22550 central office tape +list no. 46.) Until the Bell Operating Companies can install their own TSPS +facilities and networks, they will (continue to) lease capacity from AT&T TSPS. +That is, AT&T will handle the intra-LATA traffic for the BOCs on a contract +basis. In the meantime, AT&T will continue to handle its own long-distance +operator services while the other inter-LATA carriers will have to implement +their own operator networks from scratch. My estimation is that you won't be +able to dial 10222+0 for an MCI TSPS operator until sometime around the year +2590. And even then they will probably be cordboard. + In addition to the changes in TSPS described above, there will be certain + + Page 153 + + + + + The Official Phreaker's Manual + +modifications to the software and hardware involved in the TSPS operator +system. Most critical, and of paramount importance to the telecommunications +enthusiast is changes in circuit associated signalling (CAS). This is +signalling to and from the TSPS facility. When a customer dials 0 (operator) or +10xxx+0 (IC operator), a succession of events occurs. First, the end office +seizes a trunk to the appropriate operator facility (this assumes that no +access tandem is involved). The operator service facility responds with a wink +(proceed signal) and the end office outpulses the CALLED number (or KP+ST if 0 +only dialed). The operator service (OS) facility will then come off-hook to +signal that it is ready to receive ANI information. The end office outpulses +the ANI information in the format of KP+II+7 digits+ST (or ST'). If there is +ANI failure, a KP+02+ST (or ST') will be sent. "ST'" stands for STart "prime", +and is indicative of a coin call (i.e., dial 0 from a coin station). A normal +ST terminating the ANI sequence means that the call is originating from a +noncoin station. See table for ultimate description. + +Inter-LATA calls MF-pulsed + +type of call customer dials cld num ANI +============================================================ +noncoin: +============================================================ + direct dialed 10xxx+1+7/10d KP+7/10d+ST'' KP+II+7d+ST + operator assist 10xxx+0 KP+ST''' KP+II+7d+ST + special toll 10xxx+0+7/10d KP+7/10d+ST''' KP+II+7d+ST + +============================================================ +coin: +============================================================ + direct dialed 10xxx+1+7/10d KP+7/10d+ST KP+II+7d+ST + operator assist 10xxx+0 KP+ST' KP+II+7d+ST + special toll 10xxx+0+7/10d KP+7/10d+ST' KP+II+7d+ST + +============================================================================= +Intra-LATA calls +============================================================================= +noncoin: +============================================================================= + direct dialed 10xxx+1+7/10d KP+7/10d+ST'' KP+II+7d+ST' + operator assist 10xxx+0 KP+ST''' KP+II+7d+ST' + special toll 10xxx+0+7/10d KP+7/10d+ST''' KP+II+7d+ST' + +============================================================================= +coin: +============================================================================= + direct dialed 10xxx+1+7/10d KP+7/10d+ST KP+II+7d+ST' + operator assist 10xxx+0 KP+ST' KP+II+7d+ST' + special toll 10xxx+0+7/10d KP+7/10d+ST' KP+II+7d+ST' +============================================================================= +Note: ST=Start, ST'=STart prime, ST''=Start double prime, ST'''=STart triple +prime. + + Once again, the above table appears somewhat intimidating in its complexity. +All these STs, ST primes, etc. Actually, the only purpose of the starts is to +distinguish to the TSPS machine exactly what type of call the customer is +placing and from what type of telefone he is calling. "Special toll" calls are +collect, credit card, and third-party billing type calls. Here is an example +of a complete dialing and outpulsing sequence for an operator service call: + + Page 154 + + + + + The Official Phreaker's Manual + +from a coin fone, a customer dials 0+ (or 10xxx+) 303+979-9997. The central +office would seize a trunk to the operator service facility and outpulse: +KP+303+979-9997+ST'. This indicates to the operator service facility that the +call is a special toll call originating from a coin telephone. The OS facility +comes off-hook and the central office would then outpulse KP+00+232+9969+ST. +This is he ANI information, and the ST indicates that the call is inter-LATA +(if it were intra-LATA, the sequence would be terminated with ST' instead). + Perhaps now I should explain screening. Certain telefones are "screened" +against placing certain types of calls. A screening code is a two digit +information carrier. For instance, 00 is "identified line" (no special +treatment), 01 is multiparty ONI (operator number identification), 02 is ANI +failure, 06 is hotel/motel, 07 is coinless (hospital/inmate fone), 08 is +inter-LATA restricted, 68 is hotel inter-LATA restricted, 78 is coinless +(hospital inmate) inter-LATA restricted, etc. A 98 is an AT&T Charge-A-Call +fone (those blue fuckers). More screening codes are allocated as they are +needed. Note that the original TSPS screening design only allowed for single +digit information digits. They were later found to be insufficient. + I believe that the operator services have been adequately covered, so I will +now move on to other aspects of Equal Access. + + ============= + Routing Codes + ============= + + The TTC (terminating toll centre) and special routing codes will continue to +be used in inter-LATA networks. These 0xx and 1xx type codes, which sometimes +precede operator routing codes, will be assigned to various ICs on an +individual basis. When 0xx and 1xx codes serve as pseudo-central office code, +they will be coordinated such that it will avoid IC conflicts. The +Numbering/Dialing Planning Group of the Central Services Organization (sounds +like some sort of Communist governing body) will provide assistance where the +assignment of coordinated codes is necessary. + + ================== + Special Area Codes + ================== + + Special area codes, also called Service Area Codes (SACs) presented the +designers of Equal Access with an interesting problem. SACs are N00 type area +codes, such as 700, 800, and 900. They are used for special services and +unlike normal area codes, are not associated with a particular state or region. +Each long distance carrier will be allocated its own exchanges in each service +area code. Thus, when a customer places a call to a number in a service area +code, the central office will examine the exchange of the telefone number and +route the call over the proper carrier's facilities. The customer will be +totally oblivious to this process. Current SACs include 700 (teleconferencing), +800 (toll free services), and 900 (dial-it services). There are currently +plans under way to implement the 600 area code, although its exact uses are not +yet clear. + + ================ + Signalling to IC + ================ + + Each long distance carrier that wishes to serve a particular LATA must +establish a point of presence (POP) in that LATA. A carrier's POP is a toll +office that receives toll traffic destined for another LATA. A POP is a centre +for inter-LATA transport of toll traffic. This traffic will be directed to it + + Page 155 + + + + + The Official Phreaker's Manual + +from a Bell central office, either an end office or an access tandem (AT). An +access tandem is simply a Bell office which directs long distance traffic from +a number of local end offices to a number of different inter-LATA carriers. To +pass call details (such as called and calling numbers) from the Bell local +office to the inter-LATA carrier, a signalling system was designed that employs +current multifrequency (MF) signalling protocol. When a customer dials +10xxx+(1/0)+(NPA)+NXX+, the end office will seize a trunk to the appropriate IC +as determined by the 10xxx CAC (or primary carrier if no CAC is dialed). Note: +this happens as soon as the customer finishes dialing the exchange, even though +he may still be dialing the last four digits of he telefone number. After the +end office has seized a trunk to the IC, the IC will return a wink, which is +the signal to proceed. Then, the end office will send ANI information, in the +format of: KP+II+10 digit ANI+ST. If the carrier is not to receive ANI +information from the Bell Operating Company (i.e., they are not paying for it), +then only KP+ST is sent. Presumably, by now the customer has completed dialing +the last four digits of the destination telefone number, so the end office will +send: KP+7 or 10 digit CALLED number+ST. Note several things here: 1) The IC +does not send a wink when it is ready to receive CALLED number information. 2) +ANI information is ten digits, plus a two-digit screening code, and 3) The +central office's outpulsing to the IC overlaps the customer's dialing. + Some ANI screening codes include: 00 (identified POTS), 01 (ONI multiparty), +02 (ANI failure), 06 (hotel without room identification), 07 (coinless, +hospital, inmate, etc.), 08 (inter-LATA restriction), 10 (test call), 20 (AIOD +calls, listed DN sent), 27 (coin call), and 95 (test call). These are the same +or similar as the screening codes used in operator service signalling. + In addition to the domestic signalling design outlined above, a new +international signalling system has been designed for use with Equal Access. +It also uses two-stage, overlapping outpulsing. After a customer has completed +dialing (10xxx)+011+CC (CC is country code), the Bell end office will seize a +trunk to he appropriate IC (or international carrier, if direct routing is +available). The IC/INC will respond with a wink, and the end office will +outpulse: KP+1NX+YXX+CCC+ST. Each of these three groups of routing information +indicate something different abut the international call being placed. The 1NX +is the "international system routing code, one for each type of call routing." +I have absolutely no idea what that means, and no one I have talked to at Bell, +AT&T, MCI, CCITT, ITT, the CSO and FCC have any idea either. Next, the YXX is +the carrier routing code. It is actually XXX, Which is the three digits of the +10xxx CAC for the particular carrier being accessed. Finally, CCC is the +country code, padded with a zero if necessary. + One may wonder why the CAC is signalled forward when a trunk is seized +directly to the carrier itself. The reason for this is that in some cases a +direct trunk to the carrier is not available and the call must be routed +through an access tandem, which is responsible for routing calls to a variety +of different long distance carriers. + + ==================== + Switch Compatibility + ==================== + + Full-feature Equal Access will become available first for Western Electric +#1ESS switching systems. It will be available first in generic 1E8 (1AE8 for +#1A ESS). Later, generic 5E2 for #5ESS, generic 2B4 for #2B ESS, generic +BCS-16 for Northern Telecom DMS-100, and generics 209 and 302 for DMS-10 will +provide full-feature Equal Access capabilities in those types of end office +switching equipment. The Western Electric #4ESS, #1 and 1A ESS, #5ESS, and the +Northern Telecom DMS-200 machines which serve as toll offices or access tandems +will be capable of receiving the new Equal Access signalling format, after +required generic development. Other switches (such as all crossbar offices) + + Page 156 + + + + + The Official Phreaker's Manual + +will not be able to handle the new signalling format. + + ===== + LATAs + ===== + + LATAs, Local Access and Transport Areas, are the entire key to the +administration of Equal Access. They can be thought of as miniature area +codes. A telefone call can never cross a LATA boundary except on an inter-LATA +carrier. However, there are certain exceptions to this. For example, in the +state of Colorado, which consists of two LATAs, the local Bell Operating +Company (Mountain Bell), which serves as the intra-LATA (i.e., calls to/from +the same LATA) carrier, may also serve as inter-LATA (to/from different LATAs) +carrier within Colorado. + There are also exceptions in the corridor region of the New York/New +Jersey/Pennsylvania area. + The forty-eight continental United States consist of 161 LATAs. Some states, +such as Deleware, consist of only one LATA, while others, such as Illinois, can +have up to 14 or more. Each LATA is given a name. For instance, Pennsylvania +consists of six LATAs: Philadelphia, Capital, Northeast, Altoona, Pittsburgh, +and Erie (independent telco). + + ============== + A Few Thoughts + ============== + + In 1973, Chrysler, A&P, RCA, Phillips Petroleum, S.S. Kresge, Boeing +Aircraft, International Harvester, Woolworth's, Greyhound, Firestone, Litton, +and General Foods, among others, each reported annual profits of less than $150 +million. In that same year, the Telephone Company wrote off, as being +uncollectable, debts of $150 million. + In 1974, the Bell System had direct interests in at least 276 organizations, +many of them not related to the telefone industry. Bell also had interlocking +financial arrangements with such corporations as the Chase Manhattan Bank, IBM, +Prudential Insurance, Sears Roebuck, General Motors, U.S. Steel, and Lever +Brothers. Should the need have arisen, the Bell System in 1974 could have +exercised control of 400 billion dollars, fully one-third of that year's gross +national product. + +From: Hyde, J. Edward, The Phone Book. Henry Regnery Publishing Company, +Chicago Illinois, 1976. ISBN 0-8092-8008-6. + + There are many viewpoints as to the future course of the telefone industry. +The general consensus among most Telco employees is that the children of AT&T +(i.e., the seven regional holding companies into which the Bell System was +divided) will someday be reassembled into the original Bell System, and all +will be well and good in the world of telecommunications again. I tend to +disagree with this. I think that within three decades the entire telefone +industry will be consolidated and nationalized. It will be owned and operated +entirely by the United States Federal Government. This will accomplish several +goals of the government. First, the immense revenue from telefone services +will provide great financial resources for the federal government. Rates for +telefone services will skyrocket far out of the range of affordability, quality +of service will deteriorate to a point of unusability, and meanwhile +politicians will get rich. + Second, once the government controls the telefone system, monitoring the +general public will become infinitely easier. Big Brother will be able to keep +and eye, or rather, an ear on the general population, and giant step forward in + + Page 157 + + + + + The Official Phreaker's Manual + +ultimate government control of peoples' lives will be achieved. Most people +won't know anything about this, and even if they do, they won't give a shit +because by then the fucking government will have already invaded every +remaining private aspect of the individual's life. + To those who find it utterly unthinkable that the federal government would +ever assume control of the telefone industry, I would call attention to the +situation that existed between 1917 and 1919. During this time the government +controlled the phone system of the United States. J. Edward Hyde sums it up +beautifully: + + Between 1917 and 1919, the Federal Government did control the phone +industry. Since then, the most charitable historians have blamed the +subsequent mess on the First World War. Others blame it on the democrats. But +the fact is that it was a fiasco of the bureaucracy's own making, combined with +intracompany sabotage. + Today, in those countries where the phone service is nationally owned, the +service runs from poor to nonexistent. Would you want the government that gave +you the Russian wheat deals, Defense Department overruns, Amtrak, and the +Postal Service handling your phone problems? + +From: Hyde, J. Edward, The Phone Book. Henry Regnery Publishing Company, +Chicago, Illinois, 1976. ISBN 0-8092-8008-6, p. 170. + +Technical References: + +Notes on the BOC intra-LATA Networks. American Telephone & Telegraph Company, +1983. + +The Phone Book. J. Edward Hyde, 1976. + +Bell System Technical Journal. Volume 58, Number 5. + +Engineering and Operations in the Bell System. American Telephone & Telegraph +Company, 1983. + + +Acknowledgements: Karl Marx, Telenet Bob, and the scores of Telco employees +in Denver, White Plains, Omaha, and North Jersey who were very helpful in +patiently answering my many questions about Equal Access. + +Thanks to Mack the Knife for magnetic transfer of this illustrious file, a +tedious task for which I have no time. + +Thanks to the following printers for their cooperation and professional manner +in helping me with final production of this file: + +Kinko's Print Shop +7155 West Colfax +Lakewood, CO + +Office Products and Printing +5035 S. Kipling Suite B4 +Littleton, CO + +This has been a Mark Tabas Encounter Series production. Questions, comments, +and requests may be addressed to: + +Tabas + + Page 158 + + + + + The Official Phreaker's Manual + +P.O. Box 620401 +Littleton, CO 80162 + +Requests for copies of this or any other Encounter Series file are honored for +free, but please enclose a self-addressed medium sized first class mailing +envelope with 73 cents postage. + +Special thanks to Steve Reger, who was kind enough to shoot my neighbor's dog, +whose incessant barking constantly distracted me as I labored to complete this +file. + +(for Amy) cl/KIABB!/jd + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 159 + + + + + The Official Phreaker's Manual + + Equal Access and Modem Autodialers by Shadow 2600 + + Now that AT&T is being divested of its local telephone companies, phone +customers across the nation have to choose their long distance carrier as equal +access is phased in. Advertising campaigns emphasize such aspects as low rates +and operator assistance, but no one mentions a factor that will affect modem +users who use auto dialers for long distance calls. Not all of the alternate +long distance carriers provide called party answering supervision on all calls. +Called party answering supervision basically has the telephone company start +billing only when the called party answers the telephone. However, many of the +alternate long distance companies still operate with the "fixed timeout" basis +for charging. That is, if a call is held for a fixed length of time (usually +30 seconds) the charging starts, whether or not the call was answered. This +could cause modem owners large bills if they use autodialers to make long +distance calls. Modems are usually set up to wait up to one minute when +attempting to make a call, and thus have to timeout through busy signals, long +call setup sequences, extender waits, and similar problems. This could result +in many billed but never answered calls. + + Some of the other carriers provide it on calls to some cities, and others +not support it at all. Only AT&T Communications provides called party +answering supervision on all calls to all points at this time. It is almost +impossible to get information on how a long distance company charges its calls +as as they don't want to reveal how their billing is handled. The alternate +carriers get called party supervision when the destination location goes equal +access. However, there has been no quick action on the part of the alternate +long distance companies to make use of the supervision data as they would have +to get equipment for passing the information back to the billing computer at +the originating point. Thus called party answering supervision information +often ends up being ignored by these carriers even when available. Another +point to remember is that called party answering supervision's availability +depends on whether the destination has equal access, not the originating +location. The lower long distance rates of alternate long distance rates must +be weighed against the time out problem as it affects autodialing modems. One +way to circumvent this is merely to set your modem to a shorter +waiting-for-connect time, but this may not provide enough time for the call to +go through. [For more information on this and other telecommunications topics +call the Private Sector BBS at (201) 366- 4431] + + + + + + + + + + + + + + + + + + + + + + Page 160 + + + + + The Official Phreaker's Manual + +==Phrack Inc.== +Volume One, Issue Two, Phile #6 of 9 + + Toward Universal Information Services Via ISDN + ~~~~~~ ~~~~~~~~~ ~~~~~~~~~~~ ~~~~~~~~ ~~~ ~~~~ + by Taran King + + From PROTO newsletter of AT&T Bell Laboratories + ------------------------------------------------------------ +Phase one, the Present. +~~~~~ ~~~~ ~~~ ~~~~~~~~ + The local network of today, although still largely voice-oriented, is already +on the path to Universal Information Services. Lightguide fiber is +dramatically expanding the capacity of local networks, helping to lower the +costs and increase the demand for high-band width, Information Age services. +And public networks are increasingly digital and geared for data and special + services. For example: + +o The AT&T Network Systems 5ESS (TM ) switch, designed by Bell +Laboratories, can serve as the hub of a local deployment of remote modules at +locations up to 100 miles from a host central office. + +o The Integrated Special Services Network (ISSN) is a channel network that +provides special services, customer control options and digital private lines +rearrangeable under software control. The ISSN incorporates digital carrier +terminating equipment such as the D4 Channel Bank, D5 Digital Terminal System +and Digital Access and Cross-connect System (DACS). + +o The New Centrex is bringing greater levels of customer control, improved +services and a broad range of data capabilities to the business customer. + + Today's public networks consist of multiple or overlay networks. The public +switched network, or circuit network, mainly for voice, is the base network. +Two kinds of overlay networks provide special services. Channel networks carry +private lines leased by large customers and transmit much of today's data and +image traffic; they also handle traffic for network operations support. Packet +networks carry data communications, while packet switching is used internally +to public networks for common channel signaling to set up, route and take down +calls, or to give customers information. "Overlay networks help +telecommunications companies efficiently meet growing demand for digital +transmission and special services," says Stan Johnston, Market Planning +Manager, Network Systems Evolution, in AT&T Network Systems. "Their integration +into a single network, however, would be still more effective." + +Phase two, the Integrated Services Digital Network (ISDN). +~~~~~ ~~~~ ~~~ ~~~~~~~~~~ ~~~~~~~~ ~~~~~~~ ~~~~~~~ ~~~~~~~ + The ISDN is a concept to which AT&T is committed - and it's the foundation +for Universal Information Services. The central idea of ISDN, as AT&T Network +Systems sees it, is to provide an individual user a link to the local central +office of generous band-width - a digital subscriber line that can carry +144,000 bits per second (sure beats 2400 baud!). The band-width is subdivided +into two 64,000-bit channels, which may carry voice or data or both, and one +16,000-bit channel for packetized signaling information or data transport. +Such a link provides convenient "integrated" network access by accommodating +voice, data and signaling over a single line. + The ISDN will make it easier for a customer to get varied services from +public and private networks. More bandwidth for big customers will be +available through another ISDN access standard, the extended digital subscriber + + Page 161 + + + + + The Official Phreaker's Manual + +line, which provides 1.5 billion bits per second as 24 channels of 64,000 bits +each. + In 1986, new software from Bell Labs will enable the 5ESS switch to +accommodate ISDN-sized 144,000-bit channels that standardize and simplify +subscribers' use of local networks. AT&T is committed to future products that +will also be ISDN-compatible. Other vendors, too, some of whom already plan to +build premises, terminal, and other equipment to ISDN standards, will make ISDN +a cooperative effort. + By providing integrated digital access to networks, ISDN will make important +progress toward the goal of Universal Information Services. But overlay +networks will continue to divvy up the transport job. And messages needing +less than 144,000 bits per second will not fill their allotted bandwidth, +leaving capacity under utilized. + +Phase three, Universal Information Services. +~~~~~ ~~~~~~ ~~~~~~~~~ ~~~~~~~~~~~ ~~~~~~~~~ + Rooted in the fertile ground of 5ESS switches, ISDN equipment and +technologies such as wideband packet transport, Universal Information Services +will bear fruit during the 1990s. From a single kind of network will hang +services as different as apples, oranges and pears. Just as network access was +integrated in ISDN, transport functions will increasingly be integrated by +powerful new network equipment evolved from equipment developed for the ISDN. +Where customers once got standard-sized ISDN channels, they'll get big +bandwidth for large jobs, little bandwidth for small jobs. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/phreak/PHREAKING/pkmanual6.phk b/textfiles.com/phreak/PHREAKING/pkmanual6.phk new file mode 100644 index 00000000..1053578a --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/pkmanual6.phk @@ -0,0 +1,2781 @@ + + + + + Page 162 + + + + + The Official Phreaker's Manual + + TOWARD UNIVERSAL INFORMATION SERVICES VIA ISDN + +Phase one, the present. The local network of today, although still largely +voice oriented, is already on the path to Universal Information Services. +Lightguide fiber is dramatically expanding the capacity of local networks, +helping to lower the costs and increase the demand for high-bandwidth, +Information Age services. And public networks are increasingly digital and +geared for data and special services. For example: + + * The AT&T Network Systems 5ESS switch, designed by Bell Laboratories, can +serve as the hub of a local digital network through deployment of remote +modules at locations up to 100 miles from a host central office. + + * The Integrated Special Services Network (ISSN) is a channel networks that +provides special services, customer control options and digital private lines +rearrangeable under software control. The ISSN incorporates digital carrier +terminating equipment such as the D4 Channel Bank, D5 Digital Terminal System +and Digital Access and Cross-connect Systems (DACS). + + * The New Centrex is bringing greater levels of customer control, improved +services and a broad range of data capabilities to the business customer. + + Todays public networks consist of multiple or overlay networks. The public +switched network, or circuit network, is the base network. Two kinds of +overlay networks provide special services. Channel networks carry private +lines leased by large customers and transmit much of today's data and image +traffic; they also handle traffic for network operations support. Packet +networks carry data communications, while packet switching is used internal to +public networks for common channel signaling to set up, route and take down +calls, or to give customers information. + "Overlay networks help telecommunications companies efficiently meet growing +demand for digital transmission and special services," says Stan Johnston, +Market Planning Manager, Network Systems Evolution, in AT&T Network Systems. +"Their integration into a signal network, however, would be still +more effective." + Phase two, the Integrated Services Digital Network (ISDN). The ISDN is a +concept to which AT&T is commited--and it's the foundation for Universal +Information Services. The central idea of ISDN, as AT&T Network Systems sees +it, is to provide an individual user a link to the local central office of +generous bandwidth--a digital subscriber line that can carry 144,000 bits per +second. The bandwidth is subdivided into two 64,000-bit channels, which may +carry voice or data or both, and one 16,000-bit channel for packetized +signaling information or data transport. Such a link provides convenient +"integrated" network access by accommodating voice, data and signaling over a +single line. + The ISDN will make it easier for a customer to get varied services from +public and private networks. More bandwidth for big customers will be +available through another ISDN access standard, the extended digital subscriber +line, which provides 1.5 million bit per second as 24 channels of 64,000 bits +each. + In 1986, new software from Bell Labs will enable the 5ESS switch to +accommodate ISDN-sized 144,000-bit channels that standardize and simplify +subscribers' use of local networks. AT&T is committed to future products that +will also be ISDN-compatible. Other vendors, too, some of whom already plan to +build premises, terminal and other equipment to ISDN standards, will make ISDN +a cooperative effort. + By providing integrated digital access to networks, ISDN will make +important progress toward the goal of Universal Information Services. But + + Page 163 + + + + + The Official Phreaker's Manual + +overlay networks will continue to divvy up the transport job. And messages +needing less than 144,000 bits per second will not fill their allotted +bandwidth, leaving capacity underutilized. + Phase three, Universal Information Services. Rooted in the fertile ground +of 5ESS switches, ISDN equipment and technologies such as wideband packet +transport, Universal Information Services will bear fruit during the 1990s. +From a single kind of network will hang services as different as apples, +oranges and pears. Just as network access was integrated in ISDN, transport +functions will increasingly be integrated by powerful new equipment evolved +from equipment developed for the ISDN. Where customers once got standard- +sized ISDN channels, they'll get big bandwidth for large jobs, little bandwidth +for small jobs. + +*** retyped from PROTO, AT&T Bell Laboratories report to executives on new +technologies, without written permission from the editors. (heh, heh.) + +Subscriptions: $15.00 per year, published bi-monthly. Send check payable to +"Bell Laboratories PROTO," to PROTO Circulation Manager, Room 3E-230, 150 John +F. Kennedy Parkway, Short Hills, N.J. 07078. + +:LIQUID:CRYSTAL: +wisdom is safety + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 164 + + + + + The Official Phreaker's Manual + +==Phrack Inc.== +Volume One, Issue Two, Phile #7 of 9 + + @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ + @ @ + @ _ _ _______ @ + @ | \/ | / _____/ @ + @ |_||_|etal / /hop @ + @ __________/ / @ + @ /___________/ @ + @ Headquarters of Phrack Newsletter @ + @ (314) 432-0756 @ + @ Proudly Presents @ + @ MCI Overview @ + @ Written on 11/16/85 @ + @ by @ + @ @ + @ Knight Lightning & Taran King @ + @ @ + @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ + +MCI Communications Corporation, headquartered in Washington, D.C., provides a +full range of domestic and international telecommunications services, including +voice and data, telex and cable, paging and mobile telephone, and time +sensitive message delivery. + +Since its founding in 1968, MCI has grown to more than $1.6 billion in annual +sales and serves more than 1.9 million business, residential and government +customers through its four major business units: + +MCI Telecommunications + +MCI Airsignal + +MCI International + +MCI Digital Information Services + + +MCI TELECOMMUNICATIONS + + MCI Telecommunications provides domestic interstate long distance service +throughout all 50 states, plus Puerto Rico, the U.S. Virgin Islands, and major +calling areas of Canada. It is also authorized to provide varying degrees of +intrastate long distance service in some states. + +MCI also is the first long distance carrier other than AT&T to offer direct +dial service overseas. International telephone service is available to all +residential and commercial customers (with the exception of Private Line +customers). In October, 1984 the first international service agreements were +announced with the following countries: Argentina, Belgium, Brazil, East +Germany, Greece, United Arab Emirates, and the United Kingdom. + +Total capital investment in MCI's long distance network is approximately $2 +billion. MCI's network, the second largest in the U.S., employs microwave +optical fiber, satellite and various digital transmission technologies. + +Subscribers - Domestic Long Distance (as of 10/84) + + Page 165 + + + + + The Official Phreaker's Manual + +----------- ---------------------- +Residential 1.4 million +Commercial .3 million + Total 1.7 million + +Operations - (as of 10/84) +Network Miles...20,543 (microwave, optical fiber, satellite) +Circuits.......238,000 +Employees........9,500 (full-time, approx.) + +MCI AIRSIGNAL + +MCI Airsignal provides personal message delivery and car telephone services. +MCI Message Service is offered in more than 50 metropolitan areas. In 1984, +service will commence in New York City, Baltimore-Washington, Los Angeles, and +Chicago. MCI car telephone service is offered in 20 markets. + +Personal Message Delivery Service + +ALPHANUMERIC MESSAGE SERVICE + +Displays up to 40-character message using letters and/or numbers. Memory and +recall ability. Alerts subscriber with a silent visual alert or a soft tone. + +DISPLAY MESSAGE SERVICE + +Displays up to 24-digit message (e.g., phone number, stock quotes, sales +figures, coded messages). Memory and recall capability. Alerts customer to +message with a silent visual alert or a soft tone. + +TONE MESSAGE SERVICE + +Notifies customer of a message with a soft tone. + +VOICE MESSAGE SERVICE + +Receives message in actual voice of caller. + +EXPRESS MESSAGE SERVICE + +Receives and stores messages. Instantly alerts subscriber via pager when a +message is received. + +Car Telephone Service + +Enables customers to place calls to or receive calls from anywhere in the +world, 24 hours a day, as they travel in their cars. With the advent of new +cellular technology, both the quality and the accessibility of car telephone +service will vastly improve. + +MCI has thus far obtained franchises to operate a new kind of mobile phone +service, cellular telephone, in Minneapolis and Pittsburgh, and has received +favorable decisions from FCC administration law judges authorizing service in +Los Angeles, Denver-Boulder, and Kansas City. MCI has applied for licenses to +provide cellular service in 81 metropolitan areas. + +MCI Airsignal Branch Sales Offices + + + Page 166 + + + + + The Official Phreaker's Manual + +Personal Message Service/Conventional Mobile Phone Service + +Birmingham (205) 942-2924 +Sacramento (916) 444-2350 +Memphis (901) 682-9658 +Cleveland (216) 464-7311 +Dallas (214) 788-5111 +Fresno (209) 486-7410 +Las Vegas (702) 382-7461 +Denver (303) 778-7878 +Portland (503) 227-2556 +Philadelphia (215) 677-9845 +Atlanta (404) 252-2114 +West Florida (813) 875-3404 +Minneapolis (612) 544-8175 +Kansas City (913) 648-8090 +Miami (305) 491-0122 +Pittsburgh (412) 343-1611 +Houston (713) 464-2516 +Bakersfield (805) 832-2346 + +Cellular Telephone Offices + + Minneapolis-St. Paul (612) 544-3312 + Los Angeles (714) 527-0385 + Elsewhere in California (800) 344-3455 + Headquarters - Washington, D.C. (202) 429-9660 + + +MCI INTERNATIONAL + +MCI International provides private-line voice service to several overseas +countries, and data and message services, including telex, cablegram, leased +channel, and packet switching communications, to more than 200 overseas points. +MCI has moved into two new areas of service: International direct-dial +telephone service and international electronic mail and hard-copy delivery +services. + +International Record Services + +TELEX SERVICE (domestic and international) permits instantaneous, two-way, +written communications with other subscribers worldwide. Customers can send +messages at any time, even though the receiving terminal may be unattended. MCI +International offers access to its telex service from a variety of terminals +and networks; not only subscribers with telex terminals but also those with +communicating word processors, data terminals or computers that communicate +over telephone lines can take advantage of MCI International telex service. To +subscribers connected to its own telex network, MCI International offers World +Message Services--a package of communications offerings including telex, +cablegram and MCI Mail services. Various service enhancements are available to +save time, improve operating efficiency and simplify records keeping for telex +users. + +CABLEGRAM SERVICE, the traditional means of international written +communications, offers flexibility in delivery and economical rates for shorter +messages. Cablegrams can be delivered to virtually any overseas +point.Subscribers with telex terminals or various other types of equipment can +access and TELUS cablegram switch and take advantage of such service + + Page 167 + + + + + The Official Phreaker's Manual + +enhancements as abbreviated addressing and departmental billing. + +LEASED +CHANNEL SERVICE provides an exclusive line between a U.S. firm and it's +overseas office for private communications 24 hours a day. Each MCI +International leased channel is tailored to meet the needs of a specific +customer for teleprinter, facsimile, voice and/or data traffic. For subscribers +with several offices requiring private communications with each other, MCI +International offers a versatile message-switching service. Voice/data leases +can be configured to meet a whole array of communicating needs; for example, +one channel might carry data traffic from a computer at night, voice +communications during office hours, and simultaneous teleprinter messages at +any time. Data channels can handle requirements for traffic at any speed from +1200 bits per second to 1.544 megabits per second. + +IMPACS SERVICE uses packet-switching technology to provide international +communications service between data terminals and computers. Impacs offers +on-line, real-time connections and enables many types of incompatible systems +to communicate. Impacs service offers virtually error-free transmission +because of the error-detection and retransmission capability of the network. + +INSTALINK SERVICE allows businesses overseas to use regular telex equipment to +access remote computing systems and databases in the U.S. Subscribers can +retrieve data from a computer-based information service or use a computing +system connecting to a packet-switching network in the U.S. + +INTERNATIONAL +FACSIMILE SERVICE enables subscribers to send duplicates of original documents +overseas quickly and efficiently, even when neither the sender or the receiver +has facsimile transmission equipment, or when the sender and receiver have +incompatible equipment. + +DATEL SERVICE provides automatic or voice-coordinated data transmission at +speeds up to 2400 bits per second. Either digital or analog facsimile traffic +can be transmitted via Datel. Datel facilities are conditioned to ensure +high-quality transmission. The MCI International switching center allows +communications between incompatible terminals. + +MARITIME SERVICES provide instant, high--quality contact between ships at sea +or offshore rigs, and between these vessels and land-based subscribers +worldwide. + +International Voice Services + +PRIVATE +LINE SERVICE provides, fast, easy access to a single overseas location at an +economical monthly rate. This technically efficient system maximizes the use +of line capacity by recognizing idle time and assigning a speaker to a +transmission path only when the path is needed. Users can dial a four-digit +extension from a regular business phone to reach a key overseas location. + +International Mail Services + +WORLD +MESSAGE SERVICE subscribers can access the domestic electronic mail and +hard-copy delivery offerings of MCI Mail. In addition, MCI International is +developing fast, low-cost services that will deliver electronic messages and +high-quality printed documents worldwide. + + Page 168 + + + + + The Official Phreaker's Manual + + +Customer Service + +THE CUSTOMER TROUBLE REPORTING ASSISTANCE CENTER at MCI International addresses +customer concerns such as equipment maintenance and service performance +questions. Customer service specialists, on duty 24 hours a day on business +days, answer questions and electronically route service requests to technicians +nationwide. + +MCI DIGITAL INFORMATION SERVICES CORP. + +MCI Digital Information Services, MCI's newest unit, provides high-speed, +low-cost, time-sensitive message delivery (MCI Mail), either electronically or +via hard copy. + +MCI Mail provides time-sensitive document delivery to anyone, anywhere vial +MCI's long-distance telephone network. MCI Mail can reach a recipient +instantly, in four hours or less, or overnight by noon the next day. Prices +are as much as 90 percent lower than comparable time-sensitive mail delivery +services. MCI Mail can be delivered electronically, terminal to terminal, or +laser printed on letterhead stationery with the customer's signature. + +MCI Mail customers can even order gifts and services direct through MCI Mail, +ranging from software and paper for personal computers to investment advisory +services to travel specials. + +There are no sign-up, monthly service charges or "connect time" charges for MCI +Mail. MCI Mail can be used by virtually any personal computer, word processor, +electronic typewriter, data terminal, telex, or other digital communications +device. The service is accessed by a local telephone call or 800 number. + +MCI Mail + +INSTANT delivery to an "electronic" mailbox. + +FOUR-HOUR paper delivery by courier to 17 major metropolitan areas regardless +of point of origin. + +OVERNIGHT paper delivery by courier by noon the next day in 20,000 continental +U.S. cities. + +MCI LETTER transmitted electronically to the MCI digital postal center nearest +its destination, then delivered locally by the U.S. Postal Service. + +TELEX DISPATCH enables MCI Mail subscribers to transmit messages to the more +than 1.6 million telex subscribers worldwide. + +VOLUME MAIL enables customers to send large mailings in a variety of letter +formats, at substantial savings in delivery time and expense. + + ============================================================ + Look for more MCI Files coming to Metal Shop soon! + + This has been a Knight Lightning Presentation + ============================================================ + + + + + Page 169 + + + + + The Official Phreaker's Manual + + Reference Tables + + Just some notes that you will always try to find but can never! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 170 + + + + + The Official Phreaker's Manual + +==Phrack Inc.== +Volume One, Issue One, Phile #5 of 8 + + Using MCI Calling Cards + by + Knight Lightning + of the + 2600 Club! + +How to dial international calls on MCI: + + "Its easy to use MCI for international calling." + +1. Dial your MCI access number and authorization code (code = 14 digit number, +however the first 10 digits are the card holders NPA+PRE+SUFF). + +2. Dial 011 + +3. Dial the country code + +4. Dial the city code and the PRE+SUFF that you want. + +Countries served by MCI: + +Country code|Country code +-------------------------------------|-------------------------------- +Algeria..........................213 |New Zealand..................064 +Argentina........................054 |Northern Ireland.............044 +Australia........................061 |Oman.........................968 +Belgium..........................032 |Papua New Guinea.............675 +Brazil...........................055 |Qatar........................974 +Canada................Use Area Codes |Saudi Arabia.................966 +Cyprus...........................357 |Scotland.....................044 +Denmark..........................045 |Senegal......................221 +Egypt............................020 |South Africa.................027 +England..........................044 |Sri Lanka....................094 +German Democratic Republic |Sweden.......................046 +(East Germany)...................037 |Taiwan.......................886 +Greece...........................030 |Tanzania.....................255 +Jordan...........................962 |Tunisa.......................216 +Kenya............................254 |United Arab Emirates.........971 +Kuwait...........................965 |Wales........................044 +Malawi...........................265 | +====================================================================== + +Thats 33 countries in all. To get the extender for these calls dial 950-1022 or +1-800-624-1022. + +For local calling: + +1. Dial 950-10222 or 1-800-624-1022 + +2. Wait for tone + +3. Dial "0", the area code, the phone number, and the 14 digit authorization +code. You will hear 2 more tones that let you know you are connected. + + - Knight Lightning --> The 2600 Club! + + Page 171 + + + + + The Official Phreaker's Manual + +===================================================================== + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 172 + + + + + The Official Phreaker's Manual + + AT&T INTERNATIONAL DIALING COUNTRY CODES AS OF 2-17-85 + + FILE BY: Lock Lifter + +=========================+ + +*UNITED KINGDOM/IRELAND +------------------------------------ +IRELAND.........................353 +UNITED KINGDOM...................44 + +*EUROPE +------------------------------------ +ANDORRA..........................33 +AUSTRIA..........................43 +BELGIUM..........................32 +CYPRUS..........................357 +CZECHOLSLOVAKIA..................42 +DENMARK..........................45 +FINLAND.........................358 +FRANCE...........................33 +GERMAN DEMOCRATIC REPUBLIC.......37 +GERMANY, FEDERAL REPUBLIC OF.....49 +GIBRALTAR.......................350 +GREECE...........................30 +HUNGARY..........................36 +ICELAND.........................354 +ITALY............................39 +LIECHTENSTEIN....................41 +LUXEMBOURG......................352 +MONACO...........................33 +NETHERLANDS......................31 +NORWAY...........................47 +POLAND...........................48 +PORTUGAL........................351 +ROMANIA..........................40 +SAN MARINO.......................39 +SPAIN............................34 +SWEDEN...........................46 +SWITZERLAND......................41 +TURKEY...........................90 +VATICAN CITY.....................39 +YUGOSLAVIA.......................38 + +*CENTRAL AMERICA +------------------------------------ +BELIZE..........................501 +COSTA RICA......................506 +EL SALVADOR.....................503 +GUATEMALA.......................502 +HONDURAS........................504 +NICARAGUA.......................505 +PANAMA..........................507 + +*AFRICA +------------------------------------ +ALGERIA.........................213 +CAMEROON........................237 +EGYPT............................20 + + Page 173 + + + + + The Official Phreaker's Manual + +ETHIOPIA........................251 +GABON...........................241 +IVORY COAST.....................225 +KENYA...........................254 +LESOTHO.........................266 +LIBERIA.........................231 +LIBYA...........................218 +MALAWI..........................265 +MOROCCO.........................212 +NAMIBIA.........................264 +NIGERIA.........................234 +SENEGAL.........................221 +SOUTH AFRICA.....................27 +SWAZILAND.......................268 +TANZANIA........................255 +TUNISIA.........................216 +UGANDA..........................256 +ZAMBIA..........................260 +ZIMBABWE........................263 + +*PACIFIC +------------------------------------ +AMERICAN SAMOA..................684 +AUSTRAILIA.......................61 +BRUNEI..........................673 +FIJI............................679 +FRENCH POLYNESIA................689 +GUAM............................671 +HONG KONG.......................852 +INDONESIA........................62 +JAPAN............................81 +KOREA, REPUBLIC OF...............82 +MALAYSIA.........................60 +NEW CALEDONIA...................687 +NEW ZEALAND......................64 +PAPUA NEW GUINEA................675 +PHILIPPINES......................63 +SAIPAN..........................670 +SINGAPORE........................65 +TAIWAN..........................886 +THAILAND.........................66 + +*INDIAN OCEAN +------------------------------------ +PAKISTAN.........................92 +SRI LANKA........................94 + +*SOUTH AMERICA +------------------------------------ +ARGENTINA........................54 +BOLIVIA.........................591 +BRAZIL...........................55 +CHILE............................56 +COLOMBIA.........................57 +ECUADOR.........................593 +GUYANA..........................592 +PARAGUAY........................595 +PERU.............................51 + + Page 174 + + + + + The Official Phreaker's Manual + +SURINAME........................597 +URUGUAY.........................598 +VENEZUELA........................58 + +*NEAR EAST +------------------------------------ +BAHRAIN.........................973 +IRAN.............................98 +IRAQ............................964 +ISRAEL..........................972 +JORDAN..........................962 +KUWAIT..........................965 +OMAN............................968 +QATAR...........................974 +SAUDI ARABIA....................966 +UNITED ARAB EMIRATES............971 +YEMEN ARAB REPUBLIC.............967 + +*CARIBBEAN/ATLANTIC +------------------------------------ +FRENCH ANTILLES.................596 +GUANTANAMO BAY (US NAVY BASE)....53 +HAITI...........................509 +NETHERLANDS ANTILLES............599 +ST. PIERRE AND MIQUELON.........508 + +*INDIA +------------------------------------ +INDIA............................91 + +*CANADA +------------------------------------ +TO CALL CANADA, DIAL 1 + AREA CODE + +LOCAL NUMBER. + +*MEXICO +------------------------------------ +TO CALL MEXICO, DIAL 011 + 52 + CITY CODE+ LOCAL NUMBER. + +***NOTES :DO NOT FORGET ABOUT THE TIME DIFFERENCE WHEN CALLING OUTSIDE OF YOUR +TIME ZONE. CALLING CARDS CAN BE USED OVER SEAS TO CALL BACK INTO THE U.S. FOR +FURTHER INFORMATION CALL TOLL-FREE 1-800-874-0000. DIAL '#' AFTER THE COMPLETE +NUMBER TO MAKE THE CALL GO THROUGH FASTER. + + + + + + + + + + + + + + + + + Page 175 + + + + + The Official Phreaker's Manual + + ************************************** + * * + * International Dialing Codes * + * Country + Routing * + * * + * (Typed by The Dagda Mor) * + * (Edited by The Jammer) * + * * + ************************************** + +To dial international calls: + +International Access Code + Country code + Routing code + +Example : + +To call Frankfurt, Germany, you would do the following: + +011 + 49 + 611 + (# wanted) + # sign(octothrope) + +The # sign at the end is to tell Bell that you are done entering in all the +needed info. + +Here is the list of Country Codes, listed next to the country, and the routing +codes listed next to the city. + +Andorra- 33 Argentina- 54 +------- --------- +all points- 078 Buenos Aires- 1 + + +Australia- 61 Austria- 43 +--------- ------- +Melbourne- 3 Innsbruck- 5222 +Sydney- 2 Vienna- 222 + + +Bahrain- 973 Belgium- 32 +------- ------- +no routing needed Antwerp- 31 + Brussels- 2 + + +Belize- 501 Bolivia- 591 +------ ------- +no routing needed La Paz- 2 + + +Brazil- 591 Chile- 56 +------ ----- +Brasilia-61 Santiago- 2 +Rio de Janeiro- 21 Valparaiso- 31 +Sao Paulo- 11 + + +China- 86 Colombia- 56 +----- -------- +Tainan- 62 none needed + + Page 176 + + + + + The Official Phreaker's Manual + +Taipei- 2 + + +Costa Rica- 506 Cyprus- 357 +----- ---- ------ +no routing needed Nicosia- 21 + + +Denmark- 45 Ecuador- 593 +------- ------- +Aalborg- 8 Cuenca- 4 +Copenhagen 1 or 2 Quito- 2 + + +El Salvador- 503 Fiji- 679 +---------- ---- +no routing needed none needed + + +France- 33 Germany- 49 +------ ------- +Bordeaux- 56 Berlin- 30 +Marseille- 91 Bonn- 228 +Nice- 93 Frankfurt- 661 +Paris- 1 Munich- 89 + + +German. Rep- 37 Greece- 30 +------- --- ------ +Berlin- 2 Athens- 1 + Rhodes- 241 + + +Guam- 671 Guatamala- 502 +---- --------- +no routing needed Guatemala City- 2 + + +Guyana- 592 Haiti- 509 +------ ----- +Georgetown- 02 Port Au Prince- 1 + + +Hoduras- 504 Hong Kong- 852 +------- ---- ---- +no routing needed Hong Kong- 5 + Kowloon- 3 + + +Indonesia- 62 Iran- 98 +--------- ---- +Jakarta- 21 Teheran- 21 + + +Iraq- 964 Ireland- 353 +---- ------- +Baghdad- 1 Dublin- 1 + Galway- 91 + + Page 177 + + + + + The Official Phreaker's Manual + + + +Israel- 978 Italy- 39 +------ ----- +Haifa- 4 Florence- 55 +Jerusalem- 2 Naples- 81 +Tel Aviv- 3 Rome- 6 + Venice- 41 + + +Ivory Coast- 225 Japan- 81 +----- ----- ----- +no routing needed Hiroshima- 822 + Tokyo- 3 + Yokohama- 45 + + +Kenya- 254 Korea- 82 +----- ----- +Nairobi- 2 Pusan- 51 + Seoul- 2 + + +Kuwait- 965 Liberia- 231 +------ ------- +no routing needed none needed + + +Libya- 218 Lechtenstein- 4 +----- ------------ +Tripoli- 21 All points- 75 + + +Luxembourg- 352 Malaysia- 60 +---------- -------- +no routing needed Kuala Lumpur- 3 + + +Monaco- 33 Netherlands- 31 +------ ----------- +All points- 93 Amsterdam- 20 + Rotterdam- 10 + The Hague- 70 + + +New Caledonia- 687 New Zealand- 64 +--- --------- --- ------- +no routing needed Auckland- 9 + Wellinton- 4 + + +Nicaragua- 505 Nigeria- 234 +--------- ------- +Managua- 2 Lagos- 1 + + +Norway- 47 Panama- 507 +------ ------ + + Page 178 + + + + + The Official Phreaker's Manual + +Bergen- 5 none needed +Oslo- 2 + + +Papua New Guinea-675 Paraguay- 595 +----- --- ------ -------- +no routing needed Asuncion- 21 + + +Peru- 51 Phillippines- 63 +---- ------------ +Arequipa- 542 Manila- 2 +Lima- 14 + +Portugal- 351 Romania- 40 +-------- ------- +Lisbon- 19 Bucuresti- 0 + + +San Marino- 39 Saudi Arabia- 966 +--- ------ ----- ------ +All points- 541 Riyadh- 1 + + +Senegal- 221 South Africa- 27 +------- ----- ------ +no routing needed Cape Town- 21 + Pretoria- 12 + + +Spain- 34 Sri Lanka- 94 +----- --- ----- +Barcelona- 3 Colombo- 1 +Canary Is.- 28 +Madrid- 1 +Seville- 54 + + +Suriname- 597 Sweden- 46 +-------- ------ +no routing needed Goteborg- 31 + Stockholm- 8 + + +Switzerland- 41 Tahiti- 689 +----------- ------ +Berne- 31 none needed +Geneva- 22 +Lucerne- 41 +Zurich- 1 + + +Thailand- 66 Tunisia- 216 +-------- ------- +Bangkok- 2 Tunis- 1 + + +Turkey- 90 United Arab + + Page 179 + + + + + The Official Phreaker's Manual + +------ Emirates- 971 +Istanbul- 11 -------- + Abu Dhabi- 2 + Ajman- 6 + Al Ain- 3 + Aweir- 49 + Dubai- 4 + Fujairah- 91 + Jebel Dhana- 5 + Sharjah- 6 + Umm-Al-Quwain- 6 + + +United Kingdom- 44 USSR- 7 +------ ------- ---- +Belfast- 232 Kiev- 044 +Cardiff- 222 Leningrad- 812 +Edinburgh- 31 Minsk- 017 +Glasgow- 41 Moscow- 095 +Liverpool- 51 Tallinn- 0142 +London- 1 + +Vatican City- 39 Venezuela- 58 +------- ---- --------- +All points- 6 Caracas- 2 + Maracaibo- 61 + +Yugoslavia- 38 +---------- +Belgrade- 11 +Zagreb- 41 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 180 + + + + + The Official Phreaker's Manual + + ************************************** + * * + * MAX ACCESS PORTS * + * * + * (LEXITEL CORPORATION) * + * * + * WORD PROCESSED BY THE DAGDA MOR * + * * + ************************************** + +ADRIAN,MI............313-263-0191 LIVONIA, MI..........313-261-6970 +AKRON,OH.............216-275-9814 LOS ANGELES, CA......213-624-9041 +ANN ARBOR, MI........313-451-2121 LOUISVILLE, KY.......502-568-6204 +ATLANTA, GA..........404-525-1769 MARION, OH...........614-387-1011 +AVON LAKE, OH........216-933-2823 MCKEESPORT, PA.......412-664-4870 +BADEN, PA............412-869-1360 MENTOR, OH...........216-255-1645 +BALTIMORE, MD........301-444-7280 MIDDLETOWN, OH.......513-423-1066 +BEAVER FALLS, PA.....412-847-3640 MILWAUKEE, WI........414-933-1880 +BIRMINGHAM, MI.......313-649-0730 MINNEAPOLIS, MN......612-375-0280 +BOSTON, MA...........617-267-9134 MONESSEN, PA.........412-684-8710 +BUFFALO, NY..........716-854-0802 MORTON GROVE,IL......312-950-1066 +BUTLER, PA...........412-285-9081 NEWARK, NJ...........201-624-5040 +CANTON, OH...........216-455-1425 NEWARK, OH...........614-349-8754 +CHICAGO, IL..........312-950-1066 NEW CASTLE, PA.......412-656-9420 +CHILLICOTHE, OH......614-772-1066 NEW YORK, NY.........212-950-1066 +CINCINNATI, OH.......513-421-1880 OAK LAWN, IL.........312-950-1066 +CLEVELAND, OH........216-771-6614 PHILADELPHIA, PA.....215-751-9711 +COLUMBUS, OH.........614-950-1066 PITTSBURG, PA........412-391-9532 +DALLAS, TX...........214-653-1047 PLYMOUTH, MI.........313-451-2121 +DAYTON, OH...........513-223-0366 PONTIAC, MI..........313-332-0500 +DETROIT, MI..........313-950-1066 PORT HURON, MI.......313-982-7115 +ELK GROVE, IL........312-950-1066 PHOENIX, AZ..........602-242-0252 +ELYRIA, OH...........419-323-4431 QUEENS, NY...........718-204-7330 +FINDLAY, OH..........419-424-5934 SANDUSKY, OH.........419-625-1289 +GLEENSHAW, PA........412-486-7394 SHARON, PA...........412-983-0100 +GRAND RAPIDS, MI.....616-456-7925 SPRINGFIELD, OH......513-950-1066 +GREENSBURG, PA.......412-836-8110 STEUBENVILLE, OH.....614-283-1756 +HACKENSACK, NJ.......201-342-2815 ST. LOUIS, MO........314-289-9100 +HOUSTON, TX..........713-224-0982 ST. PAUL, WI.........612-375-0280 +INDIANA, PA..........412-349-8760 TOLEDO, OH...........419-255-1316 +INDIANAPOLIS, IN.....317-638-4442 TROY, OH.............513-335-2303 +KALAMAZOO, MI........616-342-0266 TURTLE CREEK, PA.....412-823-1500 +KANSAS CITY, MO......816-474-6193 WASHINGTON, DC.......202-479-4411 +KOKOMO, IN...........317-453-9932 WASHINGTON, PA.......412-225-1800 +LA GRANGE, IL........312-950-1066 WARREN, MI...........313-268-9120 +LANCASTER, OH........614-687-0159 XENIA, OH............513-376-2991 +LANSING, MI..........517-950-1066 YOUNGSTOWN, OH.......216-746-2021 +LAFAYETTE, IN........317-423-5492 ZANESVILLE, OH.......614-454-6815 + + + + + + + + + + + + Page 181 + + + + + The Official Phreaker's Manual + + ******************** METROFONE ACCESS NUMBERS ******************** + +ANAHEIM, CA (714)527-7055 LOS ANGELES, CA (213)992-8282 +ATLANTA, GA (404)223-1000 LOS ANGELES, CA (213)202-6117 +AUSTIN, TX (512)474-6057 MIAMI, FL (305)326-3300 +BALTIMORE, MD (301)659-7700 MILWAUKEE, WI (414)277-1805 +BEAUMONT, TX (713)833-9331 MINNEAPOLIS, MN (612)370-9000 +BOSTON, MA (617)482-3222 NEW ORLEANS, LA (504)566-8500 +BUFFALO, NY (716)852-9200 NEW YORK, NY (212)732-7430 +CHICAGO, IL (312)853-4700 NEWARK, NJ (201)645-9220 +CINCINNATI, OH (513)241-1747 OAKLAND, CA (415)836-6900 +CLEVELAND, OH (216)861-5163 OKLAHOMA CITY, OK (405)232-9011 +COLUMBUS, OH (614)224-0577 OMAHA, NE (402)422-1120 +CULVER CITY, CA (213)410-0078 PHILADELPHIA, PA (215)351-0100 +DALLAS, TX (214)742-4500 PITTSBURGH, PA (412)261-5720 +DAYTON, OH (513)228-1576 RENO, NV (702)329-1025 +DENVER, CO (303)623-5326 RICHMOND, VA (804)225-1920 +DETROIT, MI (313)963-4847 ST. LOUIS, MO (314)342-1130 +EL MONTE, CA (213)350-1028 SACRAMENTO, CA (916)443-6921 +ELK GROVE, IL (312)981-8870 SAN ANTONIO, TX (512)224-9600 +FT. LAUDERDALE, FL (305)462-3530 SAN DIEGO, CA (714)233-0327 +FT. WORTH, TX (817)338-1639 SAN FRANCISCO, CA (415)956-0162 +HACKENSACK, NJ (201)487-3155 SAN JOSE, CA (408)947-7606 +HARTFORD, CT (203)522-0003 SAN MATEO, CA (415)579-6001 +HAWTHORNE, NJ (201)427-1100 SANTA ANA, CA (714)972-9515 +HINSDALE, IL (312)986-0566 SEATTLE, WA (206)382-0910 +HOUSTON, TX (713)224-9417 SKOKIE, IL (312)679-8120 +HUNTINGTON BEACH, CA (714)972-8515 SYRACUSE, NY (315)474-3911 +INDIANAPOLIS, IN (317)635-6284 TOLEDO, OH (419)243-1046 +KANSAS CITY, KS (913)621-3186 WASHINGTON, DC (202)737-2051 +LONG ISLAND, NY (516)443-5402 +LOS ANGELES, CA (213)629-1026 + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 182 + + + + + The Official Phreaker's Manual + + Area Codes In Numerical Order, by The Jammer +______________________________________________________________________ + +201 Newark New Jersey 519 London Ontario +202 Washington D.C (all) 601 Mississippi (all) +203 Connecticut (all) 602 Arizona (all) +205 Alabama (all) 603 New Hampshire (all) +206 Seattle Washington 605 South Dakota (all) +207 Maine (all) 606 Winchester Kentucky +208 Idaho (all) 607 Binghamton New York +212 Bronx Nyc, New York 608 Madison Wisconsin +212 Manhattan Nyc, New York 609 Trenton New Jersey +213 Los Angeles California 612 St. Paul Minnesota +214 Dallas Texas 613 Ottawa Ontario +215 Philadelphia Pennsylvania 614 Columbus Ohio +216 Cleveland Ohio 615 Nashville Tennessee +217 Springfield Illinois 616 Grand Rapids Michigan +218 Duluth Minnesota 617 Boston Massachusetts +219 Gary Indiana 618 Alton Illinois +301 Maryland (all) 619 San Diego California +303 Colorado (all) 700 Teleconference (all) +304 West Virginia (all) 701 North Dakota (all) +305 Miami Florida 702 Nevada (all) +305 Orlando Florida 703 Alexandria Virginia +307 Wyoming (all) 704 Charlotte North Carolina +308 Abott Nebraska 705 North Bay Ontario +309 Peoria Illinois 712 Councilbluffs Iowa +312 Chicago Illinois 713 Houston Texas +313 Detroit Michigan 714 Anaheim California +314 St. Louis Missouri 715 Bay City Wisconsin +315 Syracuse New York 716 Buffalo New York +316 Wichita Kansas 716 Rochester New York +317 Indinapolis Illinois 717 Harrisburg Pennsylvania +318 Lake charles Lousiana 800 Toll Free (all) +319 Davenport Iowa 801 Utah (all) +401 Rhode Island (all) 802 Vermont (all) +402 Omaha Nebraska 803 South Carolina (all) +404 Atlanta Georgia 804 Richmond Virgina +405 Oklahoma City Oklahoma 805 Bakersfield California +406 Montana (all) 806 Amarillo Texas +408 San Jose California 807 Thunder Bay Ontario +412 Pittsburg Pennsylvania 808 Hawaii (all) +413 Springfield Massachusetts 809 Bermuda (all) +414 Milwaukee Wisconsin 809 Bahamas (all) +415 San Francisco California 809 Puerto Rico (all) +416 Toronto Onterio 809 Virgin Islands (all) +417 Joplin Missouri 812 Evansville Indiana +418 Quebec Quebec 812 Dade park Kentucky +419 Toledo Ohio 814 Johnston Pennsylvania +501 Arkansas (all) 815 Rockford Illinois +502 Frankfort Kentucky 816 Independence Missouri +503 Oregon (all) 817 Fort Worth Texas +504 New Orleans Louisiana 818 Burbank California +504 Baton Rouge Louisiana 819 Trois Riv. Quebec +505 New Mexico (all) 900 Dial-it (all) +507 Rochester Minnesota 901 Memphis Tennessee +509 Pullman Washington 904 Talahassee Florida +512 Austin Texas 906 Escanaba Michigan + + Page 183 + + + + + The Official Phreaker's Manual + +513 Cincinnati Ohio 907 Alaska (all) +514 Montreal Quebec 912 Savannah Georgia +515 Des Moines Iowa 913 Kansas City Kansas +516 Hempstead New York 915 El Paso Texas +517 Lansing Michigan 916 Sacramento California +518 Albany New York 918 Tulsa Oklahoma + 919 Raleigh North Carolina + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 184 + + + + + The Official Phreaker's Manual + +==Phrack Inc.== +Volume One, Issue Two, Phile #5 of 9 + +Updated from November 26, 1985 +Tac Dialups taken from Arpanet +by Phantom Phreaker + + TAC DIALUPS SORTED BY LOCATION 26-NOV-85 + +State/Country 300 Baud 1200 Baud 1200 Type +------------- --------------- ----------------- --------- + + ALABAMA + Anniston Army Depot [M] + (ANNIS-MIL-TAC) (205) 235-6285 (R4) (205) 235-7650 B/V + (205) 237-5731 (R8) (205) 237-5731 (R8) B/V + (205) 237-5770 (R8) (205) 237-5779 (R8) B/V + (205) 237-5805 (R8) (205) 237-5805 (R8) B/V + + *Please note: When accessing the Anniston TAC you must first enter a + , then enter DDN . After you receive CLASS DDN START, + proceed as normal. + + Gunter AFS [M] + + (GUNTER-TAC) (205) 279-3576 + (205) 279-4682 + + Redstone Arsenal [M] + (MICOM-TAC) [none known] + + ARIZONA + Ft. Huachuca [M] + (HUAC-MIL-TAC) [none known] + + Yuma [M] + (YUMA-TAC) (602) 328-2186 (602) 328-2186 B/V + (602) 328-2187 (602) 328-2187 B/V + (602) 328-2188 (602) 328-2188 B/V + + CALIFORNIA (NORTHERN) + Alameda [M] + (ALAMEDA-MIL-TAC) [none known] + + Menlo Park [M] + (SRI-MIL-TAC) (415) 327-5440 (R3) (415) 327-5440 (R3) B + + (USGS3-TAC) [M] [no dialups] + + Moffett Field [M] + (AMES-TAC) [no dialups; contact NSC for access] + William Jones - (415) 694-6482 + (FTS) 494-6482 + (AV) 359-6482 + + Monterey [M] + (NPS-TAC) [none known] + + + Page 185 + + + + + The Official Phreaker's Manual + + Sacsamento [M] + (MCCLELLAN1-MIL-TAC) [none known] + (MCCLELLAN2-MIL-TAC) [none known] + + Stanford [A] + (SU-TAC) (415) 327-5220 + + CALIFORNIA (SOUTHERN) + China Lake [M] + (NWC-TAC) [none known] + + + Edwards AFB [M] + (EDWARD-MIL-TAC) [none known] + + El Segundo [M] + (AFSC-SD-TAC) (213) 643-9204 (213) 643-9204 B/V + + Los Angeles [A] + (USC-TAC) (213) 749-5436 + + Los Angeles [A] + (USC-ARPA-TAC) [none known] + + San Diego [M] + (ACCAT-TAC) (619) 225-1641 (R4) (619) 225-6903 V + (619) 225-6946 (R3) + (619) 223-2148 V + (619) 226-7884 (R2) + + Santa Monica + (RAND-ARPA-TAC) [A] + (213) 393-9230 + (213) 393-9237 + (213) 393-9238 + (213) 393-9239 + + (RAND2-MIL-TAC) [M] [none known] + + COLORADO + Denver Fed Ctr [M] + (USGS2-TAC) (303) 232-0206 (303) 232-0206 B/V + + Lowry Air Force Base [M] + (LOWRY-MIL-TAC) [none known] + + D.C. + Washington + [Andrews AFB] [M] + (AFSC-HQ-TAC) (301) 967-7930 (R16) (301) 967-7930 (R16) B + (301) 736-2990 (R4) (301) 736-2990 (R4) B + (301) 736-2998 (R2) (301) 736-2998 (R2) B + + (PENTAGON-TAC) (202) 553-0229 (R14) (202) 553-0229 (R14) B + + FLORIDA + Eglin AFB [M] + (AFSC-AD-TAC) (904) 882-8202 (904) 882-8202 B/V + + Page 186 + + + + + The Official Phreaker's Manual + + (904) 882-8201 (904) 882-8201 V + + MacDill AFB [M] + (MACDILL-MIL-TAC) [none known] + + Naval Air Station - Jacksonville [M] + (JAX1-MIL-TAC) [none known] + + Naval Air Station - Orlando [M] + (ORLANDO-MIL-TAC) [none known] + + GEORGIA + Robins AFB [M] + (ROBINS-TAC) (912) 926-2725 (912) 926-2725 B/V + (912) 926-2726 + (912) 926-3231 + (912) 926-3232 + (912) 926-2204 (912) 926-2204 B/V + HAWAII + Camp H.M. Smith [M] + (HAWAII2-TAC) (808) 487-5545 (808) 487-5545 B + + ILLINOIS + Scott AFB [M] + (SCOTT-TAC) [none known] + + (SCOTT2-MIL-TAC) [none known] + + KANSAS + Ft. Leavenworth [M] + (LVN-MIL-TAC) (913) 651-7041 (R8) (913) 651-7041 (R8) B + + LOUISIANA + Navy Regional Data Automation Center [M] + (NORL-MIL-TAC) (504) 944-7940 (504) 944-7940 B + (504) 944-7948 (R2) (504) 944-7948 (R2) B + (504) 944-7951 (R5) (504) 944-7951 (R5) B + (504) 944-8702 (R8) (504) 944-8702 (R8) B + + MARYLAND + Aberdeen Proving Ground [M] + (BRL-TAC) (301) 278-6916 (R4) (301) 278-6916 (R4) B/V + + Bethesda [M] + (DAVID-TAC) (202) 227-3526 (R16) (202) 227-3526 (R16) B/V + + Patuxent River [M] + (PAX-RV-TAC) (301) 863-4815 (301) 863-4815 B/V + (301) 863-4816 (301) 863-4816 B/V + (301) 863-5750 (R6) (301) 863-5750 (R6) B/V + + Silver Spring [M] + (WHITEOAK-MIL-TAC) (301) 572-5960 (R10) (301) 572-5960 (R10) B + (301) 572-5970 (R10) (301) 572-5970 (R10) B + + MASSACHUSETTS + Hanscom AFB [M] + (AFGL-TAC) (617) 861-3000 (R8) (617) 861-3000 (R8) B + + Page 187 + + + + + The Official Phreaker's Manual + + (617) 861-4965 (R8) (617) 861-4965 (R8) + + Cambridge + (BBN-MIL-TAC) [M] [none known] + + (BBN-ARPA-TAC) [A] [no dialup capability] + + (CCA-ARP-TAC) [A] [none known] + + (MIT-TAC) [A] + (617) 491-5669 (617) 258-6224 V + (617) 491-5708 (617) 258-6225 V + (617) 491-5734 (617) 258-6227 V + (617) 491-5819 (617) 258-6248 V + (617) 491-5826 + (617) 491-5841 + (617) 491-5849 + (617) 491-6769 + (617) 491-6772 + (617) 491-6937 + (617) 258-6241 + (617) 258-6242 + (617) 258-6243 + + MICHIGAN + U.S. Army Tank Automotive Command (TACOM) - Warren [M] + (TACOM-TAC) [none known] + + MISSOURI + St. Louis [M] + (STLA-TAC) [none known] + + NEBRASKA + Offutt AFB [M] + (SAC1-MIL-TAC) [none known] + + (SAC2-MIL-TAC) (402) 292-4638 (R10) (402) 292-4638 (R10) B + + (SAC-ARPA-TAC) [A] + (402) 294-2398 (402) 294-2398 B + (402) 291-2018 (402) 291-2018 B + (402) 292-7054 (402) 292-7054 B + + NEW JERSEY + Dover [M] + (ARDC-TAC) (201) 724-6731 (201) 724-6731 B/V + (201) 724-6732 (201) 724-6732 B/V + (201) 724-6733 (201) 724-6733 B/V + (201) 724-6734 (201) 724-6734 B/V + + Fort Monmouth [M] + (FTMONMOUTH1-MIL-TAC) (201) 544-2052 (201) 544-2052 B/V + (201) 544-2062 (201) 544-2062 B/V + (201) 544-2072 (201) 544-2072 B/V + (201) 544-2396 (201) 544-2396 B/V + (201) 544-2430 (201) 544-2430 B/V + + (FTMONMOUTH2-MIL-TAC) (201) 544-4254 (R3) (201) 544-2430 B + + Page 188 + + + + + The Official Phreaker's Manual + + (201) 544-2636 B + (201) 544-2638 B + (201) 544-2777 B + + NEW MEXICO + Albuquerque [M] + (AFWL-TAC) [none known] + + White Sands [M] + (WSMR-TAC) [no dialups; contact NSC for access] + Claude (Skeet) Steffey - (505) 678-1271 + (FTS) 898-1271 + (AV) 258-1271 + + NEW YORK + Griffiss AFB + (RADC-ARPA-TAC) [A] [no dialup capability] + + (RADC-TAC) [M] + (315) 339-4913 (R5) + (315) 337-2004 (315) 337-2004 B/V + (315) 337-2005 (315) 337-2005 B/V + + (315) 330-2294 (315) 330-2294 (FTS) 952 B/V + + (315) 330-3587 (315) 330-3587 (FTS) 952 B/V + + NORTH CAROLINA + Ft. Bragg [A] + (BRAGG-ARPA-TAC) (919) 396-1131 (R10) (919) 396-1426 (R5) B/V + (919) 396-1491 (R8) B/V + Ft. Bragg [M] + (BRAGG-MIL-TAC) [none known] + + OHIO + Wright-Patterson AFB [M] + (WPAFB-TAC) (513) 258-4218 + (513) 258-4219 + (513) 258-4987 + (513) 258-4988 + (513) 258-4989 + (513) 258-4990 + + (WPAFB2-MIL-TAC) (513) 257-2172 (R8) (513) 257-2172 (R8) B + (513) 257-2690 (R8) (513) 257-2690 (R8) B + (513) 257-3625 (R8) (513) 257-3625 (R8) B + + OKLAHOMA + Tinker AFB [M] + (TINKER-MIL-TAC) [none known] + + + PENNSYLVANIA + New Cumberland Army Depot [M] + (NCAD-MIL-TAC) [none known] + + (NCAD2-MIL-TAC) [none known] + + + Page 189 + + + + + The Official Phreaker's Manual + + TEXAS + Brooks AFB [M] + (BROOKS-AFB-TAC) (512) 536-3081 (R6) (512) 536-3081 (R6) B/V + + Richardson [A] + (COLLINS-TAC) (214) 235-2131 (214) 235-2131 B + (214) 235-2143 (214) 235-2143 B + (214) 235-2178 (214) 235-2178 B + (214) 235-2204 (214) 235-2204 B + (214) 235-2251 (214) 235-2251 B + (214) 235-2278 (214) 235-2278 B + + UTAH + Dugway Proving Ground [M] + (DUGWAY-MIL-TAC) [none known] + + Salt Lake City (University of Utah) [A] + (UTAH-TAC) (801) 581-3486 (801) 581-3486 B/V + + VIRGINIA + Alexandria [M] + (DARCOM-TAC) (202) 274-5300 (202) 274-5300 B + (202) 274-5320 (R6) (202) 274-5320 (R6) B + + Arlington + (ARPA1-MIL-TAC) [M] [none known] + + (ARPA2-MIL-TAC) [M] [none known] + + (ARPA3-TAC) [A] [no dialup capability] + + Dahlgren [M] + (NSWC-TAC) (703) 663-2162 (R8) (703) 663-2162 (R8) B + + Langley Air Force Base [M] + (LANGLEY-MIL-TAC) [none known] + + McLean [M] + (DDN-PMO-MIL-TAC) [none known] + + + (MITRE-TAC) [M] + (703) 442-8020 (R15) + (703) 893-0330 (R10) (703) 893-0330 (R10) B/V + + Norfolk [M] + (NORFOLK-MILTAC) (804) 423-0241 (R2) (804) 423-0241 (R2) B + (804) 423-0247 (R2) (804) 423-0247 (R2) B + (804) 423-0346 (R4) (804) 423-0346 (R4) B + (804) 423-0480 (804) 423-0480 B + (804) 423-0486 (R2) (804) 423-0486 (R2) B + (804) 423-0489 (804) 423-0489 B + (804) 423-0570 (804) 423-0570 B + (804) 423-0572 (R2) (804) 423-0572 (R2) B + (804) 423-0577 (R2) (804) 423-0577 (R2) B + (804) 423-0651 (804) 423-0651 B + (804) 423-0654 (R3) (804) 423-0654 (R3) B + (804) 423-0841 (R2) (804) 423-0841 (R2) B + + Page 190 + + + + + The Official Phreaker's Manual + + (804) 423-0845 (804) 423-0845 B + (804) 423-0849 (804) 423-0849 B + (804) 423-0858 (804) 423-0858 B + (804) 423-0950 (804) 423-0950 B + (804) 423-0952 (804) 423-0952 B + (804) 423-0955 (R3) (804) 423-0955 (R3) B + (804) 423-0959 (804) 423-0959 B + + Reston + (DCEC-ARPA-TAC) [A] [no dialups available] + + (DCEC-MIL-TAC) [M] + (703) 437-2892 (R5) (703) 437-2928 B + (703) 437-2925 (703) 437-2929 B + (703) 437-2926 + (703) 437-2927 + + WASHINGTON + Seattle [A] + (WASHINGTON-TAC) [no dialup capability] + + ENGLAND [M] + (CROUGHTON-MIL-TAC) [none known] + + GERMANY [M] + (FRANKFURT-MIL-TAC) + (M) 2311-5641 (R8) B + + (RAMSTEIN2-MIL-TAC) [none known] + + ITALY [M] + (AGNANO-MIL-TAC) + + JAPAN [M] + (BUCKNER-MIL-TAC) + + (ZAMA-MIL-TAC) + + KOREA [M] + (KOREA-TAC) (M) 264-4951 (R8) B + + PHILIPPINES [M] + (CLARK-MIL-TAC) + + SPAIN [M] + (MILNET-TJN-TAC) [none known] + + (ROTA-MIL-TAC) [none known] + + Notes: + + 1. "(R10)" following phone number indicates a rotary with 10 lines. + + 2. For alternate phone numbers, FTS=Federal Telephone System. + 3. (M)=Military DoD Telephone System. + + 4. [M] denotes a MILNET TAC and [A] denotes an ARPANET TAC. + + + Page 191 + + + + + The Official Phreaker's Manual + + 5. "1200 Type" refers to the modem compatibility for 1200 baud only: + B/V = Bell and Vadic + B = Bell 212A only + V = Vadic 3400 only + + 6. This list is contained in the file NETINFO:TAC-PHONES.LIST at + SRI-NIC. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 192 + + + + + The Official Phreaker's Manual + + >>==========================<< + >>==> TELCO TEST NUMBERS <==<< + >>====> as of 5/16/85 <=====<< + >>=> compiled and updated <=<< + >>====> by Shadow 2600 <====<< + >>==========================<< + +011-44-61-2468011 : US dial tone then "When this system changes, this is the +new dial tone you hear" (UK is changing dialtone) + +201-226-0709 : alternating tones, then "warble" +201-267-9922 : sweep tone +201-267-9966 : 600 ohm termination +201-232-9924 : (tone 1,2,5-beep, bleep; 9,#- 1200 baud static, beep, bleep; +6-tone, higher tone, bleep) +201-232-9959 : tone 11 sec. silence, repeats... +201-233-9972 : multitude of clicks +201-233-9974 : busy 15 sec. then tone w/ clicks +201-241-9916 : hissing with clicks +201-328-9971 : 1000 hrtz tone +201-376-9907 : "is being checked for trouble. Please try again later" +201-464-9915 : low tone 15 sec, silence +201-464-9916 : low tone 2 sec, silence +201-464-9963 : buzz +201-464-9974 : busy 15 sec, low tone +201-543-9902 : "If you'd like to make a call, hang up and try it again." +201-543-9903 : "We're sorry, your call did not go through." +201-543-9904 : "the number you have dialed requires a .20 cents deposit." +201-655-9900 : "cannot be completed as dialed from the phone you are using" +201-769-0205 : People's Express Reservation system +203-771-4920 : telephone company employee newsline +207-866-4411 : 1000 hrtz tone +212-233-9980 : (tone 1,2,3,*-tone, higher tone, bloop; 5-tone, bloop; 9,#- +static,beep,bloop) +212-369-7003 : "you have reached 212-369-7003 in zone 3" (?) +212-799-5017 : ABC New York feed line +213-621-4141 : telephone employee newsline +213-935-1111 : sweep tone with echo at top of range (?) +215-489-0036 : tone, bloop (1,2,5-tone bloop, 3,6,9-tone, higher tone,tone) +215-489-0040 : "please check your instruction manual or call repair service for +assistance" +215-489-0042 : "if you like to make a call please hang up and try again" +215-489-0043 : "We're sorry, your call did not go through." +215-489-0044 : "The call you have made requires a 25 cent deposit" +215-489-0045 : "You must first dial a 1 when dialing this number." +215-489-0074 : LOUD tone, stops, repeats +215-489-0075 : 600 ohm termination (silence) +215-489-0078 : tone, silence +215-489-0080 : 600 ohm termination +215-489-0097 : tone, (lower pitched than -0078) silence (also at -0098) +215-489-0104 : 1000 hrtz tone +216-861-8300 : tone, then higher tone +301-256-9987 : 1000 hertz +301-546-7777 : "Due to Telephone Company facility trouble your call cannot be +completed at this time" +301-725-9904 : "deposit .20" +305-263-0000 : repeating bloop (keypress 2 : slow reorder w/ bloops, clicks) +305-994-9963 : pay fone instructions + + Page 193 + + + + + The Official Phreaker's Manual + +305-994-9966 : "telephone you are calling from is not in service" +312-222-9948 : tone (keypress 1,2,3,6,7,*-tone, high tone, bleep, +4-tone,bloop,9, #-static,beep,bloop) +312-222-9954 : "Test Center" +312-222-9990 : clicks, ticking like +312-222-9996 : LOUD tone, repeats +312-368-8000 : Illinois Bell Communicator (employee newsline) +312-592-0000 : tone (keypress 2222, then other digits, at re-order type * to +restart) (?) +313-223-7223 : telephone employee newsline +313-333-9981 : LOUD tone, silence +313-333-9989 : high tone (enter touchtones for a while, eventually get +"metallic" echo, then 5-high pitched tone, random re-orders) +313-333-9990 : beep, click repeats, with "winks" +313-333-9994 : tone bloop (keypress in 2-tone,bloop, 3-tone, higher tone,tone, +9-static, beep,bloop) +313-333-9995 : 600 ohm termination (silence) +313-333-9996 : weird siren/sweep tone, multi-frequency +313-430-4300 : beep, beep, beep, then reorder +313-698-9998 : sweep tone +314-247-5511 : Southwestern Bell Telenews (employee newsline) +315-471-9934 : "deposit 5 cents for next five minutes" +408-255-0081 : (any two 2,4,8,0-tone) +408-294-6969 : beep, click, computer voice repeats number +408-395-1110 : (tone 2-bleep,glitch; 3-beep,higher beep;#then number-loud +tone,bleep) +408-738-8190 : (tone 1,3,6,7,*-tone, high tone, tone;2-beep,cluck;9,#- +static,tone,beep) +408-745-6060 : high pitched tone, low tone then repeats +408-994-0044 : tone end of loop +412-633-3333 : telephone company employee newsline +414-628-0001 : continuous tone +414-628-0002 : continuous tone (higher pitched, sounds like muted dial) +414-628-0004 : high pitched tone, bloop, silence +414-628-0006 : brief very high tone (also -0007) (multiple keypresses of +2,5,8,0 tone repeats) +414-628-0010 : loud tone, stops, repeats... +414-628-0011 : loud tone, stops +414-628-0013 : 600 ohm termination (silence) (also -0017, two in an exchange?) +414-628-0014 : continuous tone (sounds like weird dial), eventually stops +414-628-0015 : LOUD tone, repeats +414-628-0028 : "Your call cannot be completed as dialed +414-678-3511 : Wisconsin Bell Newsline +414-781-0004 : high tone, silence (keypress 2,5-beep,bleep, 3,6-beep,longbeep, +bloop, 9-static,bloop) +415-284-1111 : one sweep, then silence +415-327-0046 : sweep tone +415-388-0037 : tone,bloop (keypress 2-tone,bloop, 3-tone,high tone,tone, +9-static,beep,bloop) +415-472-0046 : sweep w/ glitch at top +415-545-8800 : Pacific Bell Newsline +415-467-0097 : fast DTMF tones, keypress to repeat +415-777-0020 : 1000 hrtz tone +415-777-0037 : tone, bloop (keypress 2-beep,bloop, 3,6-tone,higher tone, +9-static,beep,bloop) +415-777-0046 : sweep tone with echo +415-777-0105 : tone,bloop (keypress 2-beep,bleep, 3,6-tone, higher tone, +tone,9-static,beep,bloop + + Page 194 + + + + + The Official Phreaker's Manual + +415-826-0022 : tone, click, tone (sounds like a busy) +415-994-0710 : multitude of clicks +512-472-2181 : "if you would like to make a call, please hang up and try +again" +512-472-4263 : garbled recording (?) +512-472-9833 : "you must first dial a 1 or 0 before calling this number" +512-472-9936 : "please check your instructions or call your business office for +assistance" +512-472-9941 : "insert 25 cents" +516-222-3825 : LOUD tone +516-234-9914 : New York Telephone Newsline +518-471-2272 : New York Telephone Newsline +518-789-3299 : weird busy, multitude of clicks +609-267-9966 : busy with clicks in background +609-267-9967 : 600 ohm termination (silence) +609-267-9968 : 1000 hrtz tone +609-267-9971 : LOUD tone, stops, repeats +609-267-9972 : rings with clicks in background (also -9973 and -9974) +609-877-9924 : high tone (tone in 1,2,5-tone, bloop; 3,6,*-tone, higher tone, +bleep; #-static, beep, bleep) +609-877-9929 : 1000 hrz tone +617-553-9953 : tone end of loop +617-890-9900 : sweep tone +617-955-1111 : telephone company employee newsline +619-748-0002 : tone increases in pitch, silence, repeats in monotone +619-748-0003 : sweep, repeat, hangs up +702-789-6711 : Nevada Bell Newsline +713-354-0000 : touch tone in #, then new #, then 5 - listed, 9 - unlisted) +713-482-3199 : "We're sorry, all circuit are busy now." +713-652-5111 : touch tones echo back "metallic", something about "drivers +licence number" replys in a female recorded voice +717-255-5555 : Bell of Pennsylvania "Inside Line" (employee newsline) +718-429-9900 : "Please slide a valid credit card through the slot now" +800-221-5959 : tone (# makes it ring) +800-228-8466 : Sensaphone (tm) demo (time etc. (EST) (wait 7+ rings)) +800-321-3048 : non-connecting loop with 800-321-3049 +800-321-3052 : loop (don't know where other end is) +800-321-6366 : Centagram's Voice Memo System (extension 100 for demo) +800-323-6321 : tone, stops, bloop repeats +800-327-0000 : "Announcement three, Dallas" (changes sometimes) +800-344-4001 : non-connecting loop with 800-344-4002 +800-524-0000 : "Announcement 1 Atlanta" +800-554-5924 : Cable News Network audio feed +800-824-8274 : "Enter your password service code" +802-955-1111 : telephone company newsline +808-533-4426 : Hawaiian Telephone Newsline +816-391-1122 : recorder (keypress 1-toggle on/off, 3-rewind, 4-stop, 7-play) +907-269-0955 : tone (sounds like extender, doesn't take touch tone (?)) +914-232-9901 : "Daytona, New York DMS-100 verification" +914-268-9901 : "Congers DMS 100 Verification" +914-268-9903 : "your call cannot be completed as dialed" +914-268-9968 : (keypress 2-high tone, 3-high, higher tone, 6,0-click, 7- hangs +up, sometimes 0,#,*-harmony) +914-359-9901 : repeats the number dialed ("914-359-9901") +914-359-9960 : weird tone, stops, clicks, repeats +914-623-9968 : (keypress 2,5-beep glitch, 3,6-tone highertone) +916-480-8000 : Pacific Bell Newsline + + + Page 195 + + + + + The Official Phreaker's Manual + + WHAT A TSPS CONSOLE LOOKS LIKE + +--- NON/COIN ---- ------------- COIN ------------- --------- HOTEL --------- + + ---- ---- ---- ---- ---- ---- ----- --- --- ---- +!VFY ! !OVER! !SCRN! !INWD! !EMER! !STA ! ! 0+ ! !DIAL! !STA ! ! 0+ ! +!DIAL! !POST! !TONE! !STA ! ! 0+ ! !DIAL! !QST ! ! ! ! ! ! ! + ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- + +----- OUTGOING TRUNKS ----- RING RELEASE + + ---- ---- ---- ---- ---- ----- ---- ---- ---- ---- +! DA ! !R&R ! !SWB ! !OGT ! !BACK! ! FWD ! !CALL! !T&C ! !NFY ! !CHG ! + ---- ---- ---- ---- ---- ----- ---- ---- ---- ! DUE! + ---- + --- ---- ---- ---- ---- ---- ---- ---- ---- ---- +!KEY ! !BACK! !FWD ! ! SR ! !MAKE! !MTCE! !POS ! !BACK! ! ! ! ! +!CLG ! ! ! ! ! ! ! !BUSY! !TRFR! ---- ---- ---- ---- + ---- ---- ---- ---- ---- ---- + + ----------------- AMA ----------------- + ---- ---- ---- ---- ---- ---- +STATION -----!PAID! !COL ! !SPL ! !SPL ! !AUTO! !DDD ! + ! ! ! ! !CLG ! !CLD ! !COL ! ! ! + ---- ---- ---- ---- ---- ---- + + ---- ---- ---- ---- ---- +PERSON ----- !PAID! !COL ! !SPL ! !SPL ! ! NO ! + ! ! ! ! !CLG ! !CLD ! !AMA ! + ---- ---- ---- ---- ---- + + ---- ---- ---- + !CLG ! !CLG ! !CLG ! + ! ! ! ! ! ! + ---- ---- ---- + + + + + + + + + + + + + + + + + + + + + + + + + Page 196 + + + + + The Official Phreaker's Manual + + Box Plans + + Hmm... I wonder! This is still under construction (Ha Ha). + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 197 + + + + + The Official Phreaker's Manual + + THE INFINITY TRANSMITTER + + TYPED BY THE GHOST WIND + + FROM THE BOOK BUILD YOUR OWN + LASER, PHASER, ION RAY GUN & OTHER WORKING SPACE-AGE PROJECTS + BY ROBERT IANNINI (TAB BOOKS INC) + +Description: Briefly, the Infinity Transmitter is a device which activates a +microphone via a phone call. It is plugged into the phone line, and when the +phone rings, it will immediately intercept the ring and broadcast into the +phone any sound that is in the room. This device was originally made by +Information Unlimited, and had a touch tone decoder to prevent all who did not +know the code from being able to use the phone in its normal way. This +version, however, will activate the microphone for anyone who calls while it is +in operation. +NOTE: It is illegal to use this device to try to bug someone. It is also +pretty stupid because they are fairly noticeable. +Parts List: +Pretend that uF means micro Farad, cap= capacitor + +Part # Description +---- - ----------- +R1,4,8 3 390 k 1/4 watt resistor +R2 1 5.6 M 1/4 watt resistor +R3,5,6 3 6.8 k 1/4 watt resistor +R7/S1 1 5 k pot/switch +R9,16 2 100 k 1/4 watt resistor +R10 1 2.2 k 1/4 watt resistor +R13,18 2 1 k 1/4 watt resistor +R14 1 470 ohm 1/4 watt resistor +R15 1 10 k 1/4 watt resistor +R17 1 1 M 1/4 watt resistor +C1 1 .05 uF/25 V disc cap +C2,3,5,6,7 5 1 uF 50 V electrolytic cap or tant + (preferably non-polarized) +C4,11,12 3 .01 uF/50 V disc cap +C8,10 2 100 uF @ 25 V electrolytic cap +C9 1 5 uF @ 150 V electrolytic cap +C13 1 10 uF @ 25 V electrolytic cap +TM1 1 555 timer dip +A1 1 CA3018 amp array in can +Q1,2 2 PN2222 npn sil transistor +Q3 1 D4OD5 npn pwr tab transistor +D1,2 2 50 V 1 amp react. 1N4002 +T1 1 1.5 k/500 matching transformer +M1 1 large crystal microphone +J1 1 Phono jack optional for sense output +WR3 (24") #24 red and black hook up wire +WR4 (24") #24 black hook up wire +CL3,4 2 Alligator clips +CL1,2 2 6" battery snap clips +PB1 1 1 3/4x4 1/2x.1 perfboard +CA1 1 5 1/4x3x2 1/8 grey enclosure fab +WR15 (12") #24 buss wire +KN1 1 small plastic knob +BU1 1 small clamp bushing +B1,2 2 9 volt transistor battery or 9V ni-cad + + Page 198 + + + + + The Official Phreaker's Manual + + +Circuit Operation: Not being the most technical guy in the world, and not being +very good at electronics (yet), I'm just repeating what Mr. Iannini's said +about the circuit operation. The Transmitter consists of a high grain +amplifier fed into the telephone lines via transformer. The circuit is +initiated by the action of a voltage transient pulse occurring across the +phone line at the instant the telephone circuit is made (the ring, in other +words). This transient immediately triggers a timer whose output pin 3 goes +positive, turning on transistors Q2 and Q3. Timer TM1 now remains in this +state for a period depending on the values of R17 and C13 (usually about 10 +seconds for the values shown). When Q3 is turned on by the timer, a simulated +"off hook" condition is created by the switching action of Q3 connecting the +500 ohm winding of the transformer directly across the phone lines. +Simultaneously, Q2 clamps the ground of A1, amplifier, and Q1, output +transistor, to the negative return of B1,B2, therefore enabling this amplifier +section. Note that B2 is always required by supplying quiescent power to TM1 +during normal conditions. System is off/on controlled by S1 (switch). + A crystal mike picks up the sounds that are fed to the first two +transistors of the A1 array connected as an emitter follower driving the +remaining two transistors as cascaded common emitters. Output of the +array now drives Q1 capacitively coupled to the 1500 ohm winding of T1. +R7 controls the pick up sensitivity of the system. + Diode D1 is forward biased at the instant of connection and essentially +applies a negative pulse at pin 2 of TM1, initiating the cycle. D2 clamps +any high positive pulses. C9 dc-isolates and desensitizes the circuit. The +system described should operate when any incoming call is made without ringing +the phone. + +Schematic Diagram: Because this is text, this doesn't look too hot. Please +use a little imagination! I will hopefully get a graphics drawing of this +out as soon as I can on a Fontrix graffile. + +To be able to see what everything is, this character: | should appear as a +horizontal bar. I did this on a ][e using a ][e 80 column card, so I'm sorry if +it looks kinda weird to you. + +Symbols: + resistor: -/\/\/- switch: _/ _ + battery: -|!|!- capacitor (electrolytic): -|(- + capacitor (disc): -||- _ _ + transistor:(c) > (e) Transformer: )||( + \_/ )||( + |(b) _)||(_ + diode: |< + chip: ._____. + !_____! (chips are easy to recognize!) + + Dots imply a connection between wires. NO DOT, NO CONNECTION. +ie.: _!_ means a connection while _|_ means no connection. +---------------------------------------------------------------------------- + +.________________________to GREEN wire phone line +| +| .______________________to RED wire phone line +| | +| | ._________(M1)______________. +| | | | +| | | R1 | + + Page 199 + + + + + The Official Phreaker's Manual + +| | !__________/\/\/____________! +| | | _!_ C1 +| | |this wire is the amp ___ +| | |<=ground | R2 +| | | !___________________/\/\/_____________. +| | | ._______!_______. | +| | !___________________!4 9 11!_____________________________! +| | | | | | +| | !___________________!7 12._____________________________! +| | | | A1 | R3 | +| | !___________________!10 ____*8!_______.____/\/\/____________! ^ +| | | | / | | | | +| | | C4 | / | \ |2ma +| | !____||______. | / | /R4 B1 + +| | | || | | / | \ |!|! +| | | R7 | C2 | / | / | +| | !____/\/\/___!__)|__!8*_/ | | S1 | +| | | ^ | 6!_______! neg<__/.__! +| | | | C3 | | | C5 return | +| | | !_____|(___.__!3 | '-|(-| | +| | | | | 5 1!____________! | +| | | \ !_______._______! | B2|!|! +| | !________. R8 / | | + +| | | \ | | R6 |3ma +| | | !__________!____________________|_____/\/\/______! | +| | | R5 | | | v +| | !__/\/\/___________|____________________! | +| | | | | +| | | | | +| | | C6 | | +| | | |-)|-' R9 | +| | | !_________________/\/\/_______. | +| | | | | | +| | | Q1 _!_ | R10 | +| | !____________/ \____________________________!__/\/\/_____! +| | | | | +| | | | | +| | | C8 | | +| | !__________)|_______________________________|____________! +| | ! | | +| | / | | +| | -----| | | +| | | \ | | +| | | > | | +| | | | | | +| | | | | | +| | | !_____________. | | +| | | | | | +| | !__________. | | | +| | | | | | +| !________. | | ._____! | +| | | | | | +| | | | | | +| | | | | C7 | +| | | | '-|(-| | +| |_________|_________!_______.T1._________________| | +| | | 1500 )||( 500 | +| | | ohm )||( ohm | + + Page 200 + + + + + The Official Phreaker's Manual + +| | !______.)||(.__. | +| | | | | +| | | | | +| | | > | +| | | |/ | +| | | +----| Q3 | +| | | | |\ | +!____________________|_________|_______|______!__. D1 C9 | + | | | '-|<---|(------| | + .______________! | | | | + | | | | | + | .________________! | | | + | | | | | + \ | .________________! C11 | | + / | | .___||____________! | + R13 \ | | | || | | + / | | | | | + \ !___.___|_______________________! | | + | | | | | R16 | R15 | + | v | | !___/\/\/\________!___/\/\/_! + | neg | | | D2 | | + | return | | !_____|<__________! | + | B1,B2 | \ | | | + | | / | .____________!_. | + | | \R14 |C12 | TM1 2 | | + | | / !_||_!5 4!_______! + | | \ | || | | | + | | | !____!1 8!_______! + | | | | | 7 6 3 | | + | | | | !_____._.____._! | + | | | | | | | | + | | | | C13 | | | R17 | + | | | !___)|_____!_!____|__/\/\/__! + | | | | | | + !___________|___!_______________________|_________________! | + | | | | + | \ | C10 | + | /R18 !__________)|_______________! + | \ + | / + | | + !___O J1 + sense output + +Construction notes: Because the damned book just gave a picture instead of step +by step instructions, and I'll try to give you as much help as possible. Note +that all the parts that you will be using are clearly labeled in the schematic. +The perfboard, knobs, 'gator clips, etc are optional. I do strongly suggest +that you do use the board!!! It will make wiring the components up much much +easier than if you don't use it. + The knob you can use to control the pot (R7). R7 is used to tune the IT so +that is sounds ok over the phone. (You get to determine what sounds good) By +changing the value of C13, you can change the amount of time that the circuit +will stay open (it cannot detect a hang up, so it works on a timer.) A value of +100 micro Farads will increase the time by about 10 times. + The switch (S1) determines whether or not the unit is operational. Closed is +on. Open is off. The negative return is the negative terminals of the battery!! +The batteries will look something like this when hooked up: + + Page 201 + + + + + The Official Phreaker's Manual + + <-v_____. .______. ._____. .____-> + | | | | | | + __!___!__ | | __!___!__ + | + - | !_/ _! | + - | + | | switch ^ | | + | 9volts| | | 9volts| + !_______! neg return !_______! + + To hook this up to the phone line, there are three ways, depending upon what +type of jack you have. If it is the old type (non modular) then you can just +open up the wall plate and connect the wires from the transmitter directly to +the terminals of the phone. + If you have a modular jack with four prongs, attach the red to the negative +prong (don't ask me which is which! I don't have that type of jack... I've only +seen them in stores), and the green to the positive prong, and plug in. Try not +to shock yourself... + If you have the clip-in type jack, get double male extension cord (one with a +clip on each end), and chop off one clip. Get a sharp knife and splice off the +grey protective material. You should see four wires, including one green and +one red. You attach the appropriate wires from the IT to these two, and plug +the other end into the wall. + +Getting the IT to work: If you happen to have a problem, you should attempt to +do the following (these are common sense rules!!) Make sure that you have the +polarity of all the capacitors right (if you used polarized capacitors, that +is). Make sure that all the soldering is done well and has not short circuited +something accidently (like if you have a glob touching two wires which should +not be touching.) Check for other short circuits. Check to see if the battery +is in right. Check to make sure the switch is closed. + If it still doesn't work, drop me a line on one of the Maryland or Virginia +BBSs and I'll try to help you out. + +The sense output: Somehow or other, it is possible to hook something else up to +this and activate it by phone (like an alarm, flashing lights, etc.) + +As of this writing, I have not tried to make one of these, but I will. If you +actually get it working, leave me a note somewhere. + +I sure hope all you people appreciate this. + + +<<< the Ghost Wind >>> + + + + + + + + + + + + + + + + + + Page 202 + + + + + The Official Phreaker's Manual + + :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: + : : + : SILVER BOX: AN ALTERNATE METHOD OF CONSTRUCTION : + : : + : BY: THE LOCK LIFTER--1/25/85 : + : : + :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: + +PARTS & EQUIPMENT: +(1) POCKET TONE DIALER (RADIO SHACK CAT. NO. 43-138) +(2) SINGLE POLE DOUBLE THROW SWITCH (TOGGLE, THE SMALLER THE BETTER) +(3) SOLDERING IRON + + THIS MODIFICATION WILL ALLOW THE PRODUCTION OF A,B,C,&D TONES. WHEN YOU +FLIP THE SWITCH THE 3,6,9,&# KEYS WILL BECOME A,B,C,&D RESPECTIVELY. THE IC +INSIDE THE DIALER IS CAPABLE OF MAKING THESE TONES ALREADY, ALL WE MUST DO IS +CONNECT IT FULLY. THIS MOD CAN ALSO BE MADE TO MANY ELECTRONIC FONES THAT +CONTAIN A DTMF TONE ENCODING IC. THIS CHIP CAN BE IDENTIFIED BY THE NUMBER 5089 +OR S2559 OR MK5380 OR TCM5087N. PIN 9 OF THESE CHIPS IS THE FOURTH COLUMN +KEYPAD INPUT WHILE PIN 5 IS THE THIRD COLUMN. NOW ON WITH THE CONSTRUCTION. + +1) REMOVE THE BATTERY COVER, BATTERIES, AND THE SMALL SCREW. THE CASE SHOULD +NOW POP OPEN WITH A LITTLE PRESSURE. +2) OPEN THE CASE SO THAT THE HALF CONTAINING THE SPEAKER AND THE BATTERIES +IS ON YOUR LEFT WITH THE BATTERIES ON THE BOTTOM. YOU SHOULD NOW BE LOOKING AT +THE BACK OF 2 PRINTED CIRCUIT BOARDS. +3) FIND THE TWO ROWS OF SOLDER BEADS WHERE THE IC IS CONNECTED. THE UPPER +LEFT PIN OF THE 2 ROWS SHOULD HAVE NO SOLDER ON IT. THIS IS PIN 9 OF THE IC. +4) ATTACH A SHORT WIRE TO PIN 9. +5) SEE THE 8 GOLD WIRES GOING TO THE KEY PAD? UNSOLDER THE ONE 4TH FROM THE +LEFT AND CONNECT IT TO A SHORT WIRE. +6) SOLDER A SHORT WIRE INTO THE NOW VACANT HOLE IN THE KEYPAD PCB. +7) MELT OR DRILL A ROUND HOLE IN THE PLASTIC CASE FOR THE SWITCH. THE BEST +PLACE FOR THIS IS OPPOSITE THE SMALL PCB CONTAINING THE L.E.D. +8) INSERT THE SWITCH AND SCREW IT IN PLACE. +9) ATTACH THE WIRE FROM THE KEYPAD PCB TO THE CENTER OF THE SWITCH. ATTACH THE +OTHER TWO WIRES TO THE OTHER TWO POLES OF THE SWITCH. JUST CLOSE THE CASE, PUT +BACK IN THE SCREW AND BATTERIES. + +THE SWITCH WILL NOW ALLOW THE 3RD COLUMN KEYS TO PRODUCE BOTH 3RD AND FOURTH +COLUMN TONES. HAVE PHUN + + + + + + + + + + + + + + + + + + + Page 203 + + + + + The Official Phreaker's Manual + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Well, this is just a page to protect the other pages. + I hope you enjoyed the book! + + + + + + + + + + + + + + + + + + + + + + + + + Page 204 + + + +Downloaded From P-80 International Information Systems 304-744-2253 diff --git a/textfiles.com/phreak/PHREAKING/pmanual1.txt b/textfiles.com/phreak/PHREAKING/pmanual1.txt new file mode 100644 index 00000000..850d4879 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/pmanual1.txt @@ -0,0 +1,6993 @@ + + + The Official Phreaker's Manual + + + + + + + + + + + + + + + + + + + + + + The Official Phreaker's Manual V1.1 + Updated 2/14/91 + Compiled, Wordprocessed, and Distributed by: + The Jammer + and + Jack the Ripper + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 1 + + + + + The Official Phreaker's Manual + + Introduction + + What precedes this introduction is what I have termed "The Official +Phreakers Manual", while it may not be. Many times I have been on a BBS, which +has files claiming to have summed up all the ways to phreak in the U.S. and +abroad, well those were pretty lame and a couple pages long. Now after many +relentless hours of work, I have done it. This is an informative file and the +authors of this and the authors from which I have gathered information, take +absolutely NO responsibility and are not liable for, under any circumstances +for damage, direct, indirect, incidental, or consequential. + + Warning: Use of this material may shorten your life in the free world! + + Ok enough of the bullshit, I readily admit that this is mainly a compilation +of available phreak material and public resources. What I have done is to +gather it all together and edit, compile, check for errors, put in a readable +form, and finally to write what I know without echoing what others have said. +I have set this up that it is good for all levels of phreaks, going from novice +to advanced, and references and tables for easy reference in the back. + This manual is constantly being updated! If you have any contributions or +corrections or comments, please leave messages to me (Jack the Ripper) on any +BBS's I am on (probably where you got it). Thanks! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 2 + + + + + The Official Phreaker's Manual + + ********************************************************************** + + Table of Contents + + ********************************************************************** + + +I....... 005 Chapter 1 +I.1..... 006 Glossary of Phreaking terms +I.2..... 010 Glossary of Phreaking terms cont. +I.3..... 017 Boxes and Electronic Toll Fraud +I.4..... 020 How to be a Real Phreak +I.5..... 026 Basic Telecommunications I, A Phreaks guide + +II...... 031 Chapter 2 +II.1.... 033 Secrets of the Little Blue Box. Part 1 +II.2.... 041 Secrets of the Little Blue Box. Part 2 +II.3.... 050 Secrets of the Little Blue Box. Part 3 +II.4.... 058 Secrets of the Little Blue Box. Part 4 +II.5.... 062 The History of ESS +II.6.... 064 History of British Phreaking +II.7.... 067 Bad as Shit, an adventure story + +III..... 069 Chapter 3 +III.1... 070 Phreaking Cosmos +III.2... 072 Cosmos Revamped +III.3... 073 Telenet +III.4... 075 Phreaking AT&T Cards +III.5... 076 AT&T Forgery +III.6... 078 Dealing with Operators +III.7... 079 How to set up a Conference Call +III.8... 081 Fone tapping +III.9... 083 Fone tapping cont. +III.10.. 085 Tracing, how dangerous is it +III.11.. 086 How to avenge yourself +III.12.. 088 Interesting things to do on Step lines +III.13.. 089 Busted, An account of the Private Sector bust + +IV...... 092 Chapter 4 +IV.1.... 093 Basic Telecommunications II, Special #'s, Loops, Ani +IV.2.... 101 Basic Telecommunications III, Direct Dialing, International +IV.3.... 106 Basic Telecommunications IV, Telefone Hierarchy +IV.4.... 113 Basic Telecommunications V, Subscriber fone electronics +IV.5.... 120 Basic Telecommunications VI, Fortress fones + +V....... 123 Chapter 5 +V.1..... 124 Basic Telecommunications VII, Blue Boxing +V.2..... 132 Better Homes & Blue Boxing, Part 1 +V.3..... 136 Better Homes & Blue Boxing, Part 2 +V.4..... 141 Better Homes & Blue Boxing, Part 3 +V.5..... 145 More on Blue Boxing by Fred Stienbeck +V.6..... 146 Verification, Remob, etc., Is it possible? +V.7..... 148 Equal Access and the American Dream, Another great article +V.8..... 160 Equal access and Autodialing Modems +V.9..... 161 ISDN, it will change telecommunications for ever +V.10.... 163 ISDN, an article from Proto +V.11.... 165 MCI Services what they are and how they are useful + + + Page 3 + + + + + The Official Phreaker's Manual + + ********************************************************************** + + Appendixes + + ********************************************************************** + + +Appendix I...... 170 Reference tables and access lists +Appendix I.1.... 171 Country Codes +Appendix I.2.... 173 Country Codes cont. +Appendix I.3.... 176 Country Codes cont. +Appendix I.4.... 181 Max Access ports (Dialups) +Appendix I.5.... 182 Metro Fone Access ports +Appendix I.6.... 183 Area Codes +Appendix I.7.... 185 Tac Dialups around the country +Appendix I.8.... 193 Test numbers around the country +Appendix I.9.... 196 What a TSPS operators console looks like + +Appendix II..... 197 Box plans +Appendix II.1... 198 How to make an Infinity transmitter +Appendix II.2... 203 How to make a silver box + + 204 Protection Page + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 4 + + + + + The Official Phreaker's Manual + + Chapter 1 + + Ok this chapter will cover the basic vocabulary of phreaking, it is a fairly +long list, though not totally complete. After the vocab, will be some of the +general rules for phreaking. Most of the rules are protection from the police +and AT&T, but others are grammatical rules. These are not as important to your +freedom, but many a phreak will think you are a twelve year old if you start +talking like, "Hey dudz!^$(&, just got the latest warez! trade u for some +soft/docs. Checkul8r". Well you get the point, here's your vocab list... + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 5 + + + + + The Official Phreaker's Manual + + ...................................................................... + ...................................................................... + . The Bell Glossary - .. + . by .. + . /\<\ /\<\ .. + . \>ad \>arvin .. + ...................................................................... + ...................................................................... + +ACD: Automatic Call Distributor - A system that automatically distributes calls +to operator pools (providing services such as intercept and directory +assistance), to airline ticket agents, etc. + +Administration: The tasks of record-keeping, monitoring, rearranging, +prediction need for growth, etc. + +AIS: Automatic Intercept System - A system employing an audio-response unit +under control of a processor to automatically provide pertinent info to callers +routed to intercept. + +Alert: To indicate the existence of an incoming call, (ringing). + +ANI: Automatic Number Identification - Often pronounced "Annie," a facility for +automatically identify the number of the calling party for charging purposes. + +Appearance: A connection upon a network terminal, as in "the line has two +network appearances." + +Attend: The operation of monitoring a line or an incoming trunk for off-hook or +seizure, respectively. + +Audible: The subdued "image" of ringing transmitted to the calling party during +ringing; not derived from the actual ringing signal in later systems. + +Backbone Route: The route made up of final-group trunks between end offices in +different regional center areas. + +BHC: Busy Hour Calls - The number of calls placed in the busy hour. + +Blocking: The ratio of unsuccessful to total attempts to use a facility; +expresses as a probability when computed a priority. + +Blocking Network: A network that, under certain conditions, may be unable to +form a transmission path from one end of the network to the other. In general, +all networks used within the Bell Systems are of the blocking type. + +Blue Box: Equipment used fraudulently to synthesize signals, gaining access to +the toll network for the placement of calls without charge. + +BORSCHT Circuit: A name for the line circuit in the central office. It +functions as a mnemonic for the functions that must be performed by the +circuit: Battery, Overvoltage, Ringing, Supervision, Coding, Hybrid, and +Testing. + +Busy Signal: (Called-line-busy) An audible signal which, in the Bell System, +comprises 480hz and 620hz interrupted at 60IPM. + +Bylink: A special high-speed means used in crossbar equipment for routing calls + + Page 6 + + + + + The Official Phreaker's Manual + +incoming from a step-by-step office. Trunks from such offices are often +referred to as "bylink" trunks even when incoming to noncrossbar offices; they +are more properly referred to as "dc incoming trunks." Such high-speed means +are necessary to assure that the first incoming pulse is not lost. + +Cable Vault: The point which phone cable enters the Central Office building. + +CAMA: Centralized Automatic Message Accounting - Pronounced like Alabama. + +CCIS: Common Channel Interoffice Signaling - Signaling information for trunk +connections over a separate, nonspeech data link rather that over the trunks +themselves. + +CCITT: International Telegraph and Telephone Consultative Committee- An +International committee that formulates plans and sets standards for +intercountry communication means. + +CDO: Community Dial Office - A small usually rural office typically served by +step-by-step equipment. + +CO: Central Office - Comprises a switching network and its control and support +equipment. Occasionally improperly used to mean "office code." + +Centrex: A service comparable in features to PBX service but implemented with +some (Centrex CU) or all (Centrex CO) of the control in the central office. In +the later case, each station's loop connects to the central office. + +Customer Loop: The wire pair connecting a customer's station to the central +office. + +DDD: Direct Distance Dialing - Dialing without operator assistance over the +nationwide intertoll network. + +Direct Trunk Group: A trunk group that is a direct connection between a given +originating and a given terminating office. + +EOTT: End Office Toll Trunking - Trunking between end offices in different toll +center areas. + +ESB: Emergency Service Bureau - A centralized agency to which 911 "universal" +emergency calls are routed. + +ESS: Electronic Switching System - A generic term used to identify as a class, +stored-program switching systems such as the Bell System's No.1 No.2, No.3, +No.4, or No.5. + +ETS: Electronic Translation Systems - An electronic replacement for the card +translator in 4A Crossbar systems. Makes use of the SPC 1A Processor. + +False Start: An aborted dialing attempt. + +Fast Busy: (often called reorder) - An audible busy signal interrupted at twice +the rate of the normal busy signal; sent to the originating station to indicate +that the call blocked due to busy equipment. + +Final Trunk Group: The trunk group to which calls are routed when available +high-usage trunks overflow; these groups generally "home" on an office next +highest in the hierarchy. + + Page 7 + + + + + The Official Phreaker's Manual + + +Full Group: A trunk group that does not permit rerouting off-contingent foreign +traffic; there are seven such offices. + +Glare: The situation that occurs when a two-way trunk is seized more or less +simultaneously at both ends. + +High Usage Trunk Group: The appellation for a trunk group that has alternate +routes via other similar groups, and ultimately via a final trunk group to a +higher ranking office. + +Intercept: The agency (usually an operator) to which calls are routed when made +to a line recently removed from a service, or in some other category requiring +explanation. Automated versions (ASI) with automatic voiceresponse units are +growing in use. + +Interrupt: The interruption on a phone line to disconnect and connect with +another station, such as an Emergence Interrupt. + +Junctor: A wire or circuit connection between networks in the same office. The +functional equivalent to an intraoffice trunk. + +MF: Multifrequency - The method of signaling over a trunk making use of the +simultaneous application of two out of six possible frequencies. + +NPA: Numbering Plan Area. + +ONI: Operator Number Identification - The use of an operator in a CAMA office +to verbally obtain the calling number of a call originating in an office not +equipped with ANI. + +PBX: Private Branch Exchange - (PABX: Private Automatic Branch Exchange) An +telephone office serving a private customer, Typically , access to the outside +telephone network is provided. + +Permanent Signal: A sustained off-hook condition without activity (no dialing +or ringing or completed connection); such a condition tends to tie up +equipment, especially in earlier systems. Usually accidental, but sometimes +used intentionally by customers in high-crime-rate areas to thwart off +burglars. + +POTS: Plain Old Telephone Service - Basic service with no extra "frills". + +ROTL: Remote Office Test Line - A means for remotely testing trunks. + +RTA: Remote Trunk Arrangement - An extension to the TSPS system permitting its +services to be provided up to 200 miles from the TSPS site. + +SF: Single Frequency. A signaling method for trunks: 2600hz is impressed upon +idle trunks. + +Supervise: To monitor the status of a call. + +SxS: (Step-by-Step or Strowger switch) - An electromechanical office type +utilizing a gross-motion stepping switch as a combination network and +distributed control. + +Talkoff: The phenomenon of accidental synthesis of a machine-intelligible + + Page 8 + + + + + The Official Phreaker's Manual + +signal by human voice causing an unintended response. "whistling a tone". + +Trunk: A path between central offices; in general 2-wire for interlocal, 4-wire +for intertoll. + +TSPS: Traffic Service Position System - A system that provides, under stored- +program control, efficient operator assistance for toll calls. It does not +switch the customer, but provides a bridge connection to the operator. + +X-bar: (Crossbar) - An electromechanical office type utilizing a "fine-motion" +coordinate switch and a multiplicity of central controls (called markers). +There are four varieties: + No.1 Crossbar: Used in large urban office application; (1938) + No 3 Crossbar: A small system started in (1974). + No.4A/4M Crossbar: A 4-wire toll machine; (1943). + No.5 Crossbar: A machine originally intended for relatively small +suburban applications; (1948) + Crossbar Tandem: A machine used for interlocal office switching. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 9 + + + + + The Official Phreaker's Manual + + ============================================================ + _ _ _______ + | \/ | / _____/ + |_||_|etal / /hop + __________/ / + /___________/ + (314) 432-0756 + + Proudly Presents + + The MCI Telecommunications Glossary + + Part I Volume I (A - D) + + Typed by Knight Lightning + + ============================================================ + +- A - + +A & B LEADS: Designation of leads derived from the midpoints of the two 2-wire +pairs comprising a 4-wire circuit. + +ABBREVIATED DIALING: The ability of a telephone user to reach frequently called +numbers by using less than seven digits. Synonym: Speed Dialing + +ACCESS CHARGE: A fee paid for the use of local lines. + +ACCESS CODE: A digit or number of digits required to be connected to a private +line arranged for dial access. + +ACCESS LINE: A telephone circuit which connects a customer location to a +network switching center. + +AIRLINE MILEAGE: Calculated point-to-point mileage between terminal +facilities. + +ALL TRUNKS BUSY (ATB): A single tone interrupted at a 120 ipm (impulses per +minute) rate to indicate all lines or trunks in a routing group are busy. + +ALTERNATE ROUTE: A secondary communications path used to reach a destination if +the primary path is unavailable. + +ALTERNATE USE: The ability to switch communications facilities from one type of +service to another, i.e., voice to data, etc. + +ALTERNATE VOICE DATA (AVD): A single transmission facility which can be used +for either voice or data. + +AMERICAN STANDARD CODE +FOR INFORMATION INTERCHANGE +(ASCII): An 8 level code developed for the interchange of information between +data processing and communications systems. + +ANALOG SIGNAL: A signal in the form of a continuous varying physical quantity, +e.g., voltage which reflects variations in some quantity, e.g., loudness in the +human voice. + + + Page 10 + + + + + The Official Phreaker's Manual + +ANNUNICATOR: An audible intercept device that states the condition or +restrictions associated with circuits or procedures. + +ANSWER BACK: An electrical and/or visual indication to the calling or sending +end that the called or received station is on the line. + +ANSWER SUPERVISION: An off-hook signal transmitted toward the calling end of a +switched connection when the called party answers. + +AREA CODE: Synonym: Numbering Plan Area (NPA). A three digit number identifying +more than 150 geographic areas of the United States and Canada which permits +direct distance dialing on the telephone system. A similar global numbering +plan has been established for international subscriber dialing. + +ATTENDANT POSITION: A telephone switchboard operator's position. It provides +either automatic (cordless) or manual (plug and jack) operator controls for +incoming and/or outgoing telephone calls. + +ATTENUATION: A general term used to denote the decrease in power between that +transmitted and that received due to loss through equipment, lines, or other +transmission devices. It is usually expressed as a ration in db (decibel). + +AUDIBLE RINGING TONE: An audible signal heard by the calling party during the +ringing-interval. + +AUTHORIZATION CODE: An identification number that the caller enters when +placing a call which is used for billing purposes. + +AUTHORIZED USER: A person, firm, organization, corporation or any other entity +authorized by the customer to send or receive communications over a specific +communications network. + +AUTO ANSWER: A machine feature that allows a transmission control unit or +station to automatically respond to a call that it receives. + +AUTOMATIC CALL +DISTRIBUTOR (ACD): A switching system designed to queue and/or distribute a +large volume of incoming calls to a group of attendants to the next available +"answering" position. + +AUTOMATIC DIALING UNIT: A device which automatically generates a predetermined +set of dialing digits. + +AUTOMATIC IDENTIFICATION +OF OUTWARD DIALING (AIOD): A computer generated report showing all long +distance calls placed over AT&T's toll network. + +AUTOMATIC NUMBER +IDENTIFICATION (ANI): Automatic equipment at a local dial office used on +customer dialed calls to identify the calling-station. + +AUTOMATIC ROUTE +SELECTION (ARS): Least cost routing via AT&T CENTREX system. + + + +- B - + + + Page 11 + + + + + The Official Phreaker's Manual + +BAND: (1) The range of frequencies between two defined limits. (2) In reference +to WATS, one of the five specific geographic areas as defined by AT&T. Synonym: +BANDWIDTH. + +BANDWIDTH: See BAND. + +BASEBAND: The total frequency band occupied by the aggregate of all the voice +and data signals used to modulate a radio carrier. + +BAUD: A unit of signaling speed. The speed in baud is the number of discrete +conditions conditions or signal elements per second. If each signal event +represents only one bit condition, then Baud is the same as bits per second. +When each signal event represents other than one bit, Baud does not equal bits +per second. + +BELL OPERATING COMPANY +(BOC) /BELL SYSTEMS +OPERATING COMPANY (BSOC): Any of the 24 AT&T affiliated companies providing +local service. + +BELL SYSTEM: The aggregate of AT&T's 24 associated telephone companies, Long +Lines, Western Electric, and Bell Labs. + +BILLING NUMBER: The MCI term for the number which identifies a customer on a +billing location level, assigned to Network Service Customer (by COMS). +Assigned for each unique customer name and billing location. For internal use +only. + +BINARY: A number system that uses only two characters ("0" and "1"). + +BIT: A binary digit. The smallest unit of coded information. + +BITS PER SECOND (BPS): The rate at which data transmission is measured. + +BLOCKED CALLS: Attempted calls that are not connected because (1) all lines to +the central offices are in use; or (2) all connecting connecting paths through +the PBX/switch are in use. + +BLOCKED ANI: ANI prohibited from completing a call over the MCI network. + +BREAK: A means of interrupting transmission, a momentary interruption of a +circuit. + +BROADBAND: A transmission facility having a bandwidth of greater then 20 kHz. + +BUS: A heavy conductor, or group of conductors, to which several units of the +same type of equipment may be connected. + +BUSY: The condition in which facilities over which a call is to be connected +are already in use. + +BUSY HOUR: The time of day when phone lines are most in demand. + +BUSY TONE: A single that is interrupted at 60 ipm (impulses per minute) rate to +indicate that the terminal point of a call is already in use. + +BYTE: A group of binary digits that are processed by a computer as a unit. + + + Page 12 + + + + + The Official Phreaker's Manual + + + +- C - + + +CARRIER: High frequency current that can be modulated with voice or digital +signals for bulk transmission via cable or radio circuits. + +CARRIER SYSTEM: A system for providing several communications channels over a +single path. + +CATHODE RAY TUBE (CRT): The "television-like" screen used to display the output +from a computer. + +CELLULAR MOBILE RADIO: A system providing exchange telephone service to a +station located in an auto or other mobile vehicle, using radio circuits to a +base radio station which covers a specific geographical area and as the vehicle +moves from one area to another, different base radio stations handle the call. + +CENTRAL OFFICE (CO): A telephone switching center that provides local access to +the public network. Sometimes referred to as: Class 5 office, end office, or +Local Dial Office. + +CENTREX, CO: PBX Service provided by a switch located at the telephone company +central office. + +CENTREX, CU: A variation on Centrex CO provided by a telephone company +maintained "Central Office" type switch located at the customer's premises. + +CENTRAL PROCESSING UNIT +(CPU): The control unit within a computer which handles all the intelligent +functions of the systems. In a telephone switch, directs all potions of the +system to carry out their appropriate functions. Synonym: Common Control. + +CHANNEL: A communication path via a carrier or microwave radio. + +CHARACTER: Any letter, digit, or special symbol. In data transmission would be +represented by a specific code made up of a group of binary digits. + +CIRCUIT: A path for the transmission of electromagnetic signals to include all +conditioning and signaling equipment. Synonym: Facility + +CIRCUIT SWITCHING: A switching system that completes a dedicated transmission +path from sender to receiver at the time of transmission. + +CLASS OF SERVICE/CLASS +MARK (COS): A subgrouping of telephone customers or users for the sake of rate +distinction or limitation of service. + +COAXIAL CABLE: A cable having several coaxial lines under a single protective +sheath. Usually used as a high capacity carrier in urban areas between +interexchange and toll offices. + +CODEC: Coder-Decoder. Used to convert analog signals to digital form for +transmission over a digital median and back again to the original analog form. + +COMMON CARRIER: A government regulated private company that provides the +general public with telecommunications services and facilities. + + Page 13 + + + + + The Official Phreaker's Manual + + +COMMON CHANNEL INTEROFFICE +SIGNALING (CCIS): A digital technology used by AT&T to enhance their Integrated +Services Digital Network. It uses a separate data line to route interoffice +signals to provide faster call set-up and more efficient use of trunks. + +COMMON CONTROL SWITCHING +ARRANGEMENT (CCSA): An arrangement for telecommunicationsnetworks in which +common controlled switching machines are used to route traffic over network +routes and access lines. The switching machine may be shared with other users +and is maintained by the telephone company. + +COMPUTER PORT/TKI PORT: The interface through which the computer connects to +the communications circuit. + +CONDITIONING EQUIPMENT: Equipment modifications or adjustments necessary to +match transmission levels and impedances and which equalizes transmission and +delay to bring circuit losses, levels, and distortion within established +standards. + +CONFIGURATION: The combination of long-distance services and/or equipment that +make up a communications system. + +CONTROL UNIT (CU): The central processor of a telephone switching device. + +CORPORATE ID NUMBER: The MCI term for the number which identifies a customer on +a corporate level. (Not all MCI customers have this). + +COST COMPONENT: The price of each type of long distance service and/or +equipment that constitutes a configuration. + +COST PER HOUR (CPH): Total cost of different services divided by total holding +time (in minutes). + +CROSS CONNECTION: The wire connections running between terminals on the two +sides of a distribution frame, or between binding posts in a terminal. + +CROSS TALK: The unwanted energy (speech or tone) transferred from one circuit +to another circuit. + +CUSTOMER OWNED AND +MAINTAINED (COAM): Customer provided communications apparatus, and their +associated wiring. + +CUSTOMER +PREMISE EQUIPMENT (CPE): Telephone equipment, usually including wiring located +within the customer's part of a building. + +CUT: To transfer a service from one facility to another. + +CUT THROUGH: The establishment of a complete path for signaling and/or audio +communications. + + +- D - + +DATA: Any representation, such as characters to which a meaning is assigned. + + + Page 14 + + + + + The Official Phreaker's Manual + +DATA COMMUNICATIONS: The movement of coded information by means of electronic +transmission systems. + +DATA SET: A device which converts data into signals suitable for transmission +over communications lines. + +DATA TERMINAL: A station in a system capable of sending and/or receiving data +signals. + +DECIBEL (db): A unit of measurement represented as a ratio of two voltages, +currents or powers and is used to measure transmission loss or gain. + +DELAY DIAL: A dialing configuration whereby local dial equipment will wait +until it receives the entire telephone number before seizing a circuit to +transmit the call. + +DELTA MODULATION (DM): A variant of pulse code modulation whereby a code +representing the difference between the amplitude of a sample and t~he +amplitude of a previous one is sent. Operates well in the presence of noise, +but requires a wide frequency band. + +DEMODULATION: The process of retrieving data from a modulated signal. + +DIAL LEVEL: The selection of stations or services associated with a PBX using a +one to four digit code (e.g., dialing 9 for access to outside dial tone). + +DIAL PULSING: The transmitting of telephone address signals by momentarily +opening a DC circuit a number of times corresponding to the decimal digit which +is dialed. + +DIAL REPEATING TIE LINE/ +DIAL REPEATING TIE TRUNK: A tie line which permits direct station to station +calling without use of the attendant. + +DIAL SELECTIVE SIGNALING: A multipoint network in which the called party is +selected by a prearranged dialing code. + +DIAL TONE: A tone indicating that automatic switching equipment is ready to +receive dial signals. + +DIALING PLAN: A description of the dialing arrangements for customer use on a +networks. + +DIGITAL: Referring to the use of digits to formulate and solve problems, or to +encode information. + +DIMENSION CUSTOM +TELEPHONE SERVICE (DCTS): AT&T's electronically programmable telephone station +sets which use special buttons to access PBX features. + +DIRECT +DISTANCE DIALING (DDD): A toll service that permits customers to dial their own +long distance call without the aid of an operator. + +DIRECT +INWARD DIALING (DID): A PBX or CENTREX feature that allows a customer outside +the system to directly dial a station within the system. + + + Page 15 + + + + + The Official Phreaker's Manual + +DIRECT OUTWARD DIALING: A PBX or CENTREX feature that allows a station user to +gain direct access to an exchange network. + +DROP: That direction of a circuit which looks towards the local operator. + +DRY CIRCUIT: A circuit which transmits voice signals and carries no direct +current. + +DUAL TONE +MULTI-FREQUENCY (DTMF): Also know as Touch Tone. A type of signaling which +emits two distinct frequencies for each indicated digit. + +DUPLEX: Simultaneous two-way independent transmission. + +DX SIGNALING: A long-range bidirectional signaling method using paths derived +from transmission cable pairs. It is based on a balanced and symmetrical +circuit that is identical at both ends. This circuit presents an E&M lead +interface to connecting circuits. + + + + ============================================================ + +This concludes Part 1 Volume I of the MCI Telecommunications Glossary. Look for +more G-philes from The MCI School of Telecommunications Management Reference +Guide coming soon. + + This has been a 2600 Club production + + +Thanx to Taran King + ============================================================ + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 16 + + + + + The Official Phreaker's Manual + + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + $ _______________________________ $ + $ | | $ + $ | ELECTRONIC TOLL FRAUD DEVICES | $ + $ |_______________________________| $ + $ $ + $ $ + $ TYPED AND UPLOADED BY: $ + $ $ + $$$$$$$$$$$$-=>LEX LUTHOR<=-$$$$$$$$$$$ + $ $ + $ $ + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + + + THIS PHILE IS DESIGNED TO IDENTIFY VARIOUS KINDS OF ETF (ELECTRONIC TOLL +FRAUD) DEVICES AND TO DESCRIBE THEIR OPERATION, ACCORDING TO A BOOKLET PUT OUT +BY BELL ENTITLED: THE INVESTIGATION AND PROSECUTION OF ELECTRONIC TOLL FRAUD +DEVICES. (FOR OFFICIAL USE ONLY). + +THERE ARE SEVERAL DIFFERENT TYPES OF ELECTRONIC EQUIPMENT WHICH MAY BE +GENERALLY CLASSIFIED AS ETF DEVICES. THE MOST SIGNIFICANT IS THE "BLUE BOX". +THE CHARACTERISTICS OF EACH TYPE OF DEVICE ARE DISCUSSED BELOW. + + + +*BLUE BOX* +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + THE "BLUE BOX" WAS SO NAMED BECAUSE OF THE COLOR OF THE FIRST ONE FOUND. THE +DESIGN AND HARDWARE USED IN THE BLUE BOX IS FAIRLY SOPHISTICATED, AND ITS SIZE +VARIES FROM A LARGE PIECE OF APPARATUS TO A MINIATURIZED UNIT THAT IS +APPROXIMATELY THE SIZE OF A "KING SIZE" PACKAGE OF CIGARETTES. THE BLUE BOX +CONTAINS 12 OR 13 BUTTONS OR SWITCHES THAT EMIT MULTI-FREQUENCY TONES +CHARACTERISTIC OF THE TONES USED IN THE NORMAL OPERATION OF THE TELEPHONE TOLL +(LONG DISTANCE) SWITCHING NETWORK. THE BLUE BOX ENABLES ITS USER TO ORIGINATE +FRAUDULENT ("FREE") TOLL CALLS BY CIRCUMVENTING TOLL BILLING EQUIPMENT. THE +BLUE BOX MAY BE DIRECTLY CONNECTED TO A PHONE LINE, OR IT MAY BE ACOUSTICALLY +COUPLED TO A TELEPHONE HANDSET BY PLACING THE BLUE BOX'S SPEAKER NEXT TO THE +TRANSMITTER OR THE TELEPHONE HANDSET. THE OPERATION OF A BLUE BOX WILL BE +DISCUSSED IN MORE DETAIL BELOW. + + TO UNDERSTAND THE NATURE OF A FRAUDULENT BLUE BOX CALL, IT IS NECESSARY TO +UNDERSTAND THE BASIC OPERATION OF THE DIRECT DISTANCE DIALING (DDD) TELEPHONE +NETWORK. WHEN A DDD CALL IS PROPERLY ORIGINATED, THE CALLING NUMBER IS +IDENTIFIED AS AN INTEGRAL PART OF ESTABLISHING THE CONNECTION. THIS MAY BE DONE +EITHER AUTOMATICALLY OR, IN SOME CASES, BY AN OPERATOR ASKING THE CALLING PARTY +FOR HIS TELEPHONE NUMBER. + THIS INFORMATION IS ENTERED ON A TAPE IN THE AUTOMATIC MESSAGE ACCOUNTING +(AMA) OFFICE. THIS TAPE ALSO CONTAINS THE NUMBER ASSIGNED TO THE TRUNK LINE +OVER WHICH THE CALL IS TO BE SENT. THE INFORMATION RELATING TO THE CALL +CONTAINED ON THE TAPE INCLUDES: CALLED NUMBER, CALLING NUMBER, TIME OF CALL. +THE TIME OF DISCONNECT AT THE END OF THE CALL IS ALSO RECORDED. + ALTHOUGH THE TAPE CONTAINS INFO WITH RESPECT TO MANY DIFFERENT CALLS, THE +VARIOUS DATA ENTRIES WITH RESPECT TO A SINGLE CALL ARE EVENTUALLY CORRELATED TO +PROVIDE BILLING INFO FOR USE BY YOUR BELL'S ACCOUNTING DEPARTMENT. + THE TYPICAL BLUE BOX USER USUALLY DIALS A NUMBER THAT WILL ROUTE THE CALL +INTO THE TELEPHONE NETWORK WITHOUT CHARGE. FOR EXAMPLE, THE USER WILL VERY + + Page 17 + + + + + The Official Phreaker's Manual + +OFTEN CALL A WELL-KNOWN INWATS (TOLL-FREE) CUSTOMER'S NUMBER. THE BLUE BOX +USER, AFTER GAINING THIS ACCESS TO THE NETWORK AND, IN EFFECT, "SEIZING" +CONTROL AND COMPLETE DOMINION OVER THE LINE, OPERATES A KEY ON THE BLUE BOX +WHICH EMITS A 2600 HERTZ (CYCLES PER SECOND) TONE. THIS TONE CAUSES THE +SWITCHING EQUIPMENT TO RELEASE THE CONNECTION TO THE INWATS CUSTOMER'S LINE. +THE 2600HZ TONE IS A SIGNAL THAT THE CALLING PARTY HAS HUNG UP. THE BLUE BOX +SIMULATES THIS CONDITION. HOWEVER, IN FACT THE LOCAL TRUNK ON THE CALLING +PARTY'S END IS STILL CONNECTED TO THE TOLL NETWORK. THE BLUE BOX USER NOW +OPERATES THE "KP" (KEY PULSE) KEY ON THE BLUE BOX TO NOTIFY THE TOLL SWITCHING +EQUIPMENT THAT SWITCHING SIGNALS ARE ABOUT TO BE EMITTED. THE USER THEN PUSHES +THE "NUMBER" BUTTONS ON THE BLUE BOX CORRESPONDING TO THE TELEPHONE # BEING +CALLED. AFTER DOING SO HE/SHE OPERATES THE "ST" (START) KEY TO INDICATE TO THE +SWITCHING EQUIPMENT THAT SIGNALLING IS COMPLETE. IF THE CALL IS COMPLETED, ONLY +THE PORTION OF THE ORIGINAL CALL PRIOR TO THE EMISSION OF 2600HZ TONE IS +RECORDED ON THE AMA TAPE. THE TONES EMITTED BY THE BLUE BOX ARE NOT RECORDED ON +THE AMA TAPE. THEREFORE, BECAUSE THE ORIGINAL CALL TO THE INWATS # IS +TOLL-FREE, NO BILLING IS RENDERED IN CONNECTION WITH THE CALL. + ALTHOUGH THE ABOVE IS A DESCRIPTION OF A TYPICAL BLUE BOX OPERATION USING A +COMMON METHOD OF ENTRY INTO THE NETWORK, THE OPERATION OF A BLUE BOX MAY VARY +IN ANY ONE OR ALL OF THE FOLLOWING RESPECTS: + +(A) THE BLUE BOX MAY INCLUDE A ROTARY DIAL TO APPLY THE 2600HZ TONE AND THE +SWITCHING SIGNALS. THIS TYPE OF BLUE BOX IS CALLED A "DIAL PULSER" OR "ROTARY +SF" BLUE BOX. + +(B) ENTRANCE INTO THE DDD TOLL NETWORK MAY BE EFFECTED BY A PRETEXT CALL TO ANY +OTHER TOLL-FREE # SUCH AS UNIVERSAL DIRECTORY ASSISTANCE (555-1212) OR ANY # IN +THE INWATS NETWORK, EITHER INTER-STATE OR INTRA-STATE, WORKING OR NON-WORKING. + +(C) ENTRANCE INTO THE DDD TOLL NETWORK MAY ALSO BE IN THE FORM OF "SHORT HAUL" +CALLING. A "SHORT HAUL" CALL IS A CALL TO ANY # WHICH WILL RESULT IN A LESSER +AMOUNT OF TOLL CHARGES THAN THE CHARGES FOR THE CALL TO BE COMPLETED BY THE +BLUE BOX. FOR EXAMPLE, A CALL TO BIRMINGHAM FROM ATLANTA MAY COST $.80 FOR THE +FIRST 3 MINUTES WHILE A CALL FROM ATLANTA TO LOS ANGELES IS $1.85 FOR 3 +MINUTES. THUS, A SHORT HAUL, 3-MINUTE CALL TO BIRMINGHAM FROM ATLANTA, SWITCHED +BY USE OF A BLUE BOX TO LOS ANGELES, WOULD RESULT IN A NET FRAUD OF $2.65 FOR A +3 MINUTE CALL. + +(D) A BLUE BOX MAY BE WIRED INTO THE TELEPHONE LINE OR ACOUSTICALLY CONNECTED +TO THE HANDSET. THE BLUE BOX MAY EVEN BE BUILT INSIDE A REGULAR TOUCH-TONE +PHONE, USING THE PHONE'S PUSH BUTTONS FOR THE BLUE BOX'S SIGNALLING TONES. + +(E) A MAGNETIC TAPE RECORDING MAY BE USED TO RECORD THE BLUE BOX TONES +REPRESENTATIVE OF SPECIFIC PHONE #'S. SUCH A TAPE RECORDING COULD BE USED IN +LIEU OF +A BLUE BOX TO FRAUDULENTLY PLACE CALLS TO THE PHONE #'S RECORDED ON THE +MAGNETIC TAPE. + + ALL BLUE BOXES, EXCEPT "DIAL PULSE" OR "ROTARY SF" BLUE BOXES, MUST HAVE +THE FOLLOWING 4 COMMON OPERATING CAPABILITIES: + +(A) IT MUST HAVE SIGNALLING CAPABILITY IN THE FORM OF A 2600HZ TONE. THE TONE +IS USED BY THE TOLL NETWORK TO INDICATE, EITHER BY ITS PRESENCE OR ITS ABSENCE, +AN "ON HOOK" (IDLE) OR "OFF HOOK" (BUSY) CONDITION OF THE TRUNK. + +(B) THE BLUE BOX MUST HAVE A "KP" TONES THAT UNLOCKS OR READIES THE +MULTI-FREQUENCY RECEIVER AT THE CALLED END TO RECEIVE THE TONES CORRESPONDING +TO THE CALLED PHONE #. + + Page 18 + + + + + The Official Phreaker's Manual + + +(C) THE TYPICAL BLUE BOX MUST BE ABLE TO EMIT MF TONES WHICH ARE USED TO +TRANSMIT PHONE #'S OVER THE TOLL NETWORK. EACH DIGIT OF A PHONE # IS +REPRESENTED BY A COMBINATION OF 2 TONES. FOR EXAMPLE, THE DIGIT 2 IS X-MITTED +BY A COMBINATION OF 700HZ AND 1100HZ. + +(D) THE BLUE BOX MUST HAVE AN "ST" KEY WHICH CONSISTS OF A COMBINATION OF 2 +TONES THAT TELL THE EQUIPMENT AT THE CALLED END THAT ALL DIGITS HAVE BEEN SENT +AND THAT THE EQUIPMENT SHOULD START SWITCHING THE CALL TO THE CALLED NUMBER. + + THE "DIAL PULSER" OR "ROTARY SF" BLUE BOX REQUIRES ONLY A DIAL WITH A +SIGNALLING CAPABILITY TO PRODUCE A 2600HZ TONE. + +*BLACK BOX* +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + THIS ETF DEVICE IS SO-NAMED BECAUSE OF THE COLOR OF THE FIRST ONE FOUND. +IT VARIES IN SIZE AND USUALLY HAS ONE OR TWO SWITCHES OR BUTTONS. ATTACHED TO +THE TELEPHONE LINE OF A CALLED PARTY, THE BLACK BOX PROVIDES TOLL-FREE CALLING +*TO* THAT PARTY'S LINE. A BLACK BOX USER INFORMS OTHER PERSONS BEFOREHAND THAT +THEY WILL NOT BE CHARGED FOR ANY CALL PLACED TO HIM. THE USER THEN OPERATES THE +DEVICE CAUSING A "NON-CHARGE" CONDITION ("NO ANSWER" OR "DISCONNECT") TO BE +RECORDED ON THE TELEPHONE COMPANY'S BILLING EQUIPMENT. A BLACK BOX IS +RELATIVELY SIMPLE TO CONSTRUCT AND IS MUCH LESS SOPHISTICATED THAN A BLUE BOX. + +*CHEESE BOX* +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + ITS DESIGN MAY BE CRUDE OR VERY SOPHISTICATED. ITS SIZE VARIES; ONE WAS FOUND +THE SIZE OF A HALF-DOLLAR. A CHEESE BOX IS USED MOST OFTEN BY BOOKMAKERS OR +BETTERS TO PLACE WAGERS WITHOUT DETECTION FROM A REMOTE LOCATION. THE DEVICE +INTER-CONNECTS 2 PHONE LINES, EACH HAVING DIFFERENT #'S BUT EACH TERMINATING AT +THE SAME LOCATION. IN EFFECT, THERE ARE 2 PHONES AT THE SAME LOCATION WHICH ARE +LINKED TOGETHER THROUGH A CHEESE BOX. IT IS USUALLY FOUND IN AN UNOCCUPIED +APARTMENT CONNECTED TO A PHONE JACK OR CONNECTING BLOCK. THE BOOKMAKER, AT SOME +REMOTE LOCATION, DIALS ONE OF THE NUMBERS AND STAYS ON THE LINE. VARIOUS +BETTORS DIAL THE OTHER NUMBER BUT ARE AUTOMATICALLY CONNECTED WITH THE +BOOKMAKER BY MEANS OF THE CHEESE BOX INTER-CONNECTION. IF, IN ADDITION TO A +CHEESE BOX, A BLACK BOX IS INCLUDED IN THE ARRANGEMENT, THE COMBINED EQUIPMENT +WOULD PERMIT TOLL-FREE CALLING ON EITHER LINE TO THE OTHER LINE. IF A POLICE +RAID WERE CONDUCTED AT THE TERMINATING POINT OF THE CONVERSATIONS -THE LOCATION +OF THE CHEESE BOX- THERE WOULD BE NO EVIDENCE OF GAMBLING ACTIVITY. THIS DEVICE +IS SOMETIMES DIFFICULT TO IDENTIFY. LAW ENFORCEMENT OFFICIALS HAVE BEEN ADVISED +THAT WHEN UNUSUAL DEVICES ARE FOUND ASSOCIATED WITH TELEPHONE CONNECTIONS THE +PHONE COMPANY SECURITY REPRESENTATIVES SHOULD BE CONTACTED TO ASSIST IN +IDENTIFICATION. (THIS PROBABLY WOULD BE GOOD FOR A BBS , ESPECIALLY WITH THE +BLACK BOX SET UP. AND IF YOU EVER DECIDED TO TAKE THE BOARD DOWN, YOU WOULDN'T +HAVE TO CHANGE YOUR PHONE #. IT ALSO MAKES IT SO YOU YOURSELF CANNOT BE TRACED. +I AM NOT SURE ABOUT CALLING OUT FROM ONE THOUGH) + +*RED BOX* +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + THIS DEVICE IT COUPLED ACOUSTICALLY TO THE HANDSET TRANSMITTER OF A +SINGLE-SLOT COIN TELEPHONE. THE DEVICE EMITS SIGNALS IDENTICAL TO THOSE TONES +EMITTED WHEN COINS ARE DEPOSITED. THUS, LOCAL OR TOLL CALLS MAY BE PLACED +WITHOUT THE ACTUAL DEPOSIT OF COINS. + + + Page 19 + + + + + The Official Phreaker's Manual + + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + /-/ /-/ + /-/ Phreaker's /-/ + /-/ PhunHouse /-/ + /-/ /-/ + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + /-/ By: /-/ + /-/ The Traveler /-/ + /-/ /-/ + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + /-/ /-/ + /-/ Call: /-/ + /-/ Brainstorm BBS /-/ + /-/ 612/345-2815 (300/1200) /-/ + /-/ /-/ + /-/ Little America /-/ + /-/ 507/289-8211 (300) /-/ + /-/ /-/ + /-/ Tell 'em Traveler sent ya /-/ + /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ + + The long awaited prequil to Phreaker's Guide has finally arrived. Conceived +from the boredom and loneliness that could only be derived from: The Traveler! +But now, he has returned in full strength (after a small vacation) and is here +to 'World Premiere' the new files everywhere. + Stay cool. This is the prequil to the first one, so just relax. This is not +made to be an exclusive ultra elite file, so kinda calm down and watch in the +background if you are too cool for it... + +/-/ Phreak Dictionary /-/ + + Here you will find some of the basic but necessary terms that should be known +by any phreak who wants to be respected at all... + + Phreak [fr'eek]:1. The action of using mischevious and mostly illegal ways +in order to not pay for some sort of telecommunications bill, order, transfer, +or other service. It often involves usage of highly illegal boxes and machines +in order to defeat the security that is set up to avoid this sort of +happening. + [fr'eaking]. v. 2. A person who uses the above methods of destruction and +chaos in order to make a better life for all. A true phreaker will not not go +against his fellows or narc on people who have ragged on him or do anything +termed to be dishonorable to phreaks. + [fr'eek]. n. 3. A certain code or dialup useful in the action of being a +phreak. (Example: "I hacked a new metro phreak last night.") + + Switching System + [Swich'ing sis'tem]: 1. There are 3 main switching systems currently employed +in the US, and a few other systems will be mentioned as background. +A) SxS: This system was invented in 1918 and was employed in over half of the +country until 1978. It is a very basic system that is a general waste of energy +and hard work on the linesman. A good way to identify this is that it requires +a coin in the phone booth before it will give you a dial tone, or that no call +waiting, call forwarding, or any other such service is available. Stands for: +Step by Step + +B) XB: This switching system was first employed in 1978 in order to take care +of most of the faults of SxS switching. Not only is it more efficient, but it + + Page 20 + + + + + The Official Phreaker's Manual + +also can support different services in various forms. XB1 is Crossbar Version +1. That is very limited and is hard to distinguish from SxS except by direct +view of the wiring involved. Next up was XB4, Crossbar Version 4. With this +system, some of the basic things like DTMF that were not available with SxS can +be accomplished. For the final stroke of XB, XB5 was created. This is a service +that can allow DTMF plus most 800 type services (which were not always +available...) Stands for: Crossbar. +C) ESS: A nightmare in telecom. In vivid color, ESS is a pretty bad thing to +have to stand up to. It is quite simple to identify. Dialing 911 for +emergencies, and ANI [see ANI below] are the most common facets of the dread +system. ESS has the capability to list in a person's caller log what number was +called, how long the call took, and even the status of the conversation (modem +or otherwise.) Since ESS has been employed, which has been very recently, it +has gone through many kinds of revisions. The latest system to date is ESS 11a, +that is employed in Washington D.C. for security reasons. ESS is truly trouble +for any phreak, because it is 'smarter' than the other systems. For instance, +if on your caller log they saw 50 calls to 1-800-421-9438, they would be able +to do a CN/A [see Loopholes below] on your number and determine whether you are +subscribed to that service or not. This makes most calls a hazard, because +although 800 numbers appear to be free, they are recorded on your caller log +and then right before you receive your bill it deletes the billings for them. +But before that they are open to inspection, which is one reason why extended +use of any code is dangerous under ESS. Some of the boxes [see Boxing below] +are unable to function in ESS. It is generally a menace to the true phreak. +Stands For: Electronic Switching System. because they could appear on a filter +somewhere or maybe it is just nice to know them any ways. + A) SSS: Strowger Switching System. First non-operator system +available. + B) WES: Western Electronics Switching. Used about 40 years ago +with some minor places out west. + Boxing [Boks'-ing]: 1) The use of personally designed boxes that emit or +cancel electronical impulses that allow simpler acting while phreaking. Through +the use of separate boxes, you can accomplish most feats possible with or +without the control of an operator. + 2) Some boxes and their functions are listed below. Ones +marked with '*' indicate that they are not operatable in ESS. + *Black Box: Makes it seem to the phone company that the phone was never +picked up. + + Blue Box: Emits a 2600hz tone that allows you to do such things as stack +a trunk line, kick the operator off line, and others. + + Red Box: Simulates the noise of a quarter, nickel, or dime being +dropped into a payphone. + + Cheese Box: Turns your home phone into a pay phone to throw off traces (a +red box is usually needed in order to call out.) + + *Clear Box: Gives you a dial tone on some of the old SxS payphones without +putting in a coin. + + Beige Box: A simpler produced linesman's handset that allows you to tap +into phone lines and extract by eavesdropping, or crossing wires, etc. + Purple Box: Makes all calls made out from your house seem to be local +calls. + ANI [ANI]: 1) Automatic Number Identification. A service available on ESS +that allows a phone service [see Dialups below] to record the number that any +certain code was dialed from along with the number that was called and print + + Page 21 + + + + + The Official Phreaker's Manual + +both of these on the customer bill. 950 dialups [see Dialups below] are all +designed just to use ANI. Some of the services do not have the proper equipment +to read the ANI impulses yet, but it is impossible to see which is which +without being busted or not busted first. + Dialups + [dy'l'ups]: 1) Any local or 800 extended outlet that allows instant access to +any service such as MCI, Sprint, or AT&T that from there can be used by +handpicking or using a program to reveal other peoples codes which can then be +used moderately until they find out about it and you must switch to another +code (preferably before they find out about it.) + 2) Dialups are extremely common on both senses. Some dialups +reveal the company that operates them as soon as you hear the tone. Others are +much harder and some you may never be able to identify. A small list of +dialups: + 1-800-421-9438 (5 digit codes) + 1-800-547-6754 (6 digit codes) + 1-800-345-0008 (6 digit codes) + 1-800-734-3478 (6 digit codes) + 1-800-222-2255 (5 digit codes) + 3) Codes: Codes are very easily accessed procedures when you call +a dialup. They will give you some sort of tone. If the tone does not end in 3 +seconds, then punch in the code and immediately following the code, the number +you are dialing but strike the '1' in the beginning out first. If the tone does +end, then punch in the code when the tone ends. Then, it will give you another +tone. Punch in the number you are dialing, or a '9'. If you punch in a '9' and +the tone stops, then you messed up a little. If you punch in a tone and the +tone continues, then simply dial then number you are calling without the '1'. + 4) All codes are not universal. The only type that I know of that +is truly universal is Metrophone. Almost every major city has a local Metro +dialup (for Philadelphia, (215)351-0100/0126) and since the codes are +universal, almost every phreak has used them once or twice. They do not employ +ANI in any outlets that I know of, so feel free to check through your books and +call 555-1212 or, as a more devious manor, subscribe yourself. Then, never use +your own code. That way, if they check up on you due to your caller log, they +can usually find out that you are subscribed. Not only that but you could set a +phreak hacker around that area and just let it hack away, since they usually +group them, and, as a bonus, you will have their local dialup. + 5) 950's. They seem like a perfectly cool phreakers dream. They +are free from your house, from payphones, from everywhere, and they host all of +the major long distance companies (950-1044 , 950-1077 , 950-1088 +, 950-1033 .) Well, they aren't. They were designed for +ANI. That is the point, end of discussion. + + A phreak dictionary. If you remember all of the things contained on that file +up there, you may have a better chance of doing whatever it is you do. This +next section is maybe a little more interesting... + +Blue Box Plans: +--------------- + + These are some blue box plans, but first, be warned, there have been 2600hz +tone detectors out on operator trunk lines since XB4. The idea behind it is to +use a 2600hz tone for a few very naughty functions that can really make your +day lighten up. But first, here are the plans, or the heart of the file: + +============================================== +700 : 1 : 2 : 4 : 7 : 11 : +900 : + : 3 : 5 : 8 : 12 : + + Page 22 + + + + + The Official Phreaker's Manual + +1100 : + : + : 6 : 9 : KP : +1300 : + : + : + : 10 : KP2 : +1500 : + : + : + : + : ST : + : 700 : 900 :1100 :1300 :1500 : +============================================== + + Stop! Before you diehard users start piecing those little tone tidbits +together, there is a simpler method. If you have an Apple-Cat with a program +like Cat's Meow IV, then you can generate the necessary tones, the 2600hz tone, +the KP tone, the KP2 tone, and the ST tone through the dial section. So if you +have that I will assume you can boot it up and it works, and I'll do you the +favor of telling you and the other users what to do with the blue box now that +you have somehow constructed it. + The connection to an operator is one of the most well known and used ways of +having fun with your blue box. You simply dial a TSPS (Traffic Service +Positioning Station, or the operator you get when you dial '0') and blow a +2600hz tone through the line. Watch out! Do not dial this direct! After you +have done that, it is quite simple to have fun with it. Blow a KP tone to start +a call, a ST tone to stop it, and a 2600hz tone to hang up. Once you have +connected to it, here are some fun numbers to call with it: + +0-700-456-1000 Teleconference (free, because you are the operator!) +(Area code)-101 Toll Switching +(Area code)-121 Local Operator (hehe) +(Area code)-131 Information +(Area code)-141 Rate & Route +(Area code)-181 Coin Refund Operator +(Area code)-11511 Conference operator (when you dial 800-544-6363) + + Well, those were the tone matrix controllers for the blue box and some other +helpful stuff to help you to start out with. But those are only the functions +with the operator. There are other k-fun things you can do with it... + More advanced Blue Box Stuff: + Oops. Small mistake up there. I forgot tone lengths. Um, you blow a tone +pair out for up to 1/10 of a second with another 1/10 second for silence +between the digits. KP tones should be sent for 2/10 of a second. One way to +confuse the 2600hz traps is to send pink noise over the channel (for all of you +that have decent BSR equalizers, there is major pink noise in there...) +Using the operator functions is the use of the 'inward' trunk line. That is +working it from the inside. From the 'outward' trunk, you can do such things as +make emergency breakthrough calls, tap into lines, busy all of the lines in any +trunk (called 'stacking'), enable or disable the TSPS's, and for some 4a +systems you can even re-route calls to anywhere. + + All right. The one thing that every complete phreak guide should not be +without is blue box plans, since they were once a vital part of phreaking. +Another thing that every complete file needs is a complete listing of all of +the 800 numbers around so you can have some more fun. + +/-/ 800 Dialup Listings /-/ + +1-800-345-0008 (6) 1-800-547-6754 (6) +1-800-245-4890 (4) 1-800-327-9136 (4) +1-800-526-5305 (8) 1-800-858-9000 (3) +1-800-437-9895 (7) 1-800-245-7508 (5) +1-800-343-1844 (4) 1-800-322-1415 (6) +1-800-437-3478 (6) 1-800-325-7222 (6) + + + Page 23 + + + + + The Official Phreaker's Manual + + All right, set Cat Hacker 1.0 on those numbers and have a fuck of a day. That +is enough with 800 codes, by the time this gets around to you I dunno what +state those codes will be in, but try them all out anyways and see what you +get. On some 800 services now, they have an operator who will answer and ask +you for your code, and then your name. Some will switch back and forth between +voice and tone verification, you can never be quite sure which you will be up +against. + Armed with this knowledge you should be having a pretty good time phreaking +now. But class isn't over yet, there are still a couple important rules that +you should know. If you hear continual clicking on the line, then you should +assume that an operator is messing with something, maybe even listening in on +you. It is a good idea to call someone back when the phone starts doing that. +If you were using a code, use a different code and/or service to call him +back. + A good way to detect if a code has gone bad or not is to listen when the +number has been dialed. If the code is bad you will probably hear the phone +ringing more clearly and more quickly than if you were using a different code. +If someone answers voice to it then you can immediately assume that it is an +operative for whatever company you are using. The famed '311311' code for Metro +is one of those. You would have to be quite stupid to actually respond, because +whoever you ask for the operator will always say 'He's not in right now, can I +have him call you back?' and then they will ask for your name and phone number. +Some of the more sophisticated companies will actually give you a carrier on a +line that is supposed to give you a carrier and then just have garbage flow +across the screen like it would with a bad connection. That is a feeble effort +to make you think that the code is still working and maybe get you to dial +someone's voice... a good test for the carrier trick is to dial a number that +will give you a carrier that you have never dialed with that code before, that +will allow you to determine whether the code is good or not. + For our next section, a lighter look at some of the things that a phreak +should not be without. A vocabulary. A few months ago, it was a quite strange +world for the modem people out there. But now, a phreaker's vocabulary is +essential if you wanna make a good impression on people when you post what you +know about certain subjects. + +/-/ Vocabulary /-/ + + - Do not misspell except certain exceptions: + phone -> fone + freak -> phreak + - Never substitute 'z's for 's's. (i.e. codez -> codes) + - Never leave many characters after a post (i.e. Hey Dudes!#!@#@!#!@) + - NEVER use the 'k' prefix (k-kool, k-rad, k-whatever) + - Do not abbreviate. (I got lotsa wares w/ docs) + - Never substitute '0' for 'o' (r0dent, l0zer). + - Forget about ye old upper case, it looks ruggyish. + + All right, that was to relieve the tension of what is being drilled into your +minds at the moment.. now, however, back to the teaching course. Here are some +things you should know about phones and billings for phones, etc. + + LATA: Local Access Transference Area. Some people who live in large cities or +areas may be plagued by this problem. For instance, let's say you live in the +215 area code under the 542 prefix (Ambler, Fort Washington). If you went to +dial in a basic Metro code from that area, for instance, 351-0100, that might +not be counted under unlimited local calling because it is out of your LATA. +For some LATA's, you have to dial a '1' without the area code before you can +dial the phone number. That could prove a hassle for us all if you didn't + + Page 24 + + + + + The Official Phreaker's Manual + +realize you would be billed for that sort of call. In that way, sometimes, it +is better to be safe than sorry and phreak. + The Caller Log: In ESS regions, for every household around, the phone company +has something on you called a Caller Log. This shows every single number that +you dialed, and things can be arranged so it showed every number that was +calling to you. That's one main disadvantage of ESS, it is mostly computerized +so a number scan could be done like that quite easily. Using a dialup is an +easy way to screw that, and is something worth remembering. Anyways, with the +caller log, they check up and see what you dialed. Hmm... you dialed 15 +different 800 numbers that month. Soon they find that you are subscribed to +none of those companies. But that is not the only thing. Most people would +imagine "But wait! 800 numbers don't show up on my phone bill!". To those +people, it is a nice thought, but 800 numbers are picked up on the caller log +until right before they are sent off to you. So they can check right up on you +before they send it away and can note the fact that you fucked up slightly and +called one too many 800 lines. + +Right now, after all of that, you should have a pretty good idea of how to grow +up as a good phreak. Follow these guidelines, don't show off, and don't take +unnecessary risks when phreaking or hacking. + +File Level:5 + + /-/ Credits /-/ + + To The Videosmith- for setting me straight on some shit. + To The Linesman- for telling me to upload it to his AE line. + To Modern Mutant- for making me into a phreaking freak. + To Jack the Nibbler- for the basis of the blue box plans. + + By using your new k-koool (hehe) phreaking knowledge, call a couple of these +BBS's around the country: + + /---------------------------------\ + | Bulletin Board List | + | --------------------- | + | 215/844-8836 | + | 7 Cities of Gold (3/12) 10megs | + | 307/382-4006 | + | Brainstorm BBS (3/12) | + | 612/345-2815 | + | Metal Shop (3/12) | + | 314/432-0756 | + \---------------------------------/ + + Stay free! And watch out soon for Deep Thought, somewhere in 215, that will be +a nice BBS that Ace of Spades and I will run. You will be the first to find out +about it, trust me... + +Later, + +The Traveler +Zer0-g + + + + + + + Page 25 + + + + + The Official Phreaker's Manual + + ************ << BIOC AGENT 003'S COURSE IN >> ************ + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART I * + * * + ********************************************************** + + +HOW TO BE A REAL PHREAK +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN THE PHONE PHREAK SOCIETY THERE ARE CERTAIN VALUES THAT EXIST IN ORDER TO +BE A TRUE PHREAK, THESE ARE BEST SUMMED UP BY THE MAGICIAN: + + "MANY PEOPLE THINK OF PHONE PHREAKS AS SLIME, OUT TO RIP OFF BELL FOR +ALL SHE IS WORTH. NOTHING COULD BE FURTHER FROM THE TRUTH! GRANTED, THERE ARE +SOME WHO GET THEIR KICKS BY MAKING FREE CALLS; HOWEVER, THEY ARE NOT TRUE PHONE +PHREAKS. REAL PHONE PHREAKS ARE 'TELECOMMUNICATIONS HOBBYISTS' WHO EXPERIMENT, +PLAY WITH AND LEARN FROM THE PHONE SYSTEM. OCCASIONALLY THIS EXPERIMENTING, AND +A NEED TO COMMUNICATE WITH OTHER PHREAKS ( WITH-OUT GOING BROKE), LEADS TO FREE +CALLS. THE FREE CALLS ARE BUT A SMALL SUBSET OF A TRUE PHONE PHREAKS +ACTIVITIES." + +THE PHONE PHREAK'S TEN COMMANDMENTS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +REPRINTED FROM TAP ISSUE #86. (TAP, ROOM 603, 147 W 42 STREET, NEW YORK, NY +10036) SEND A SASE FOR THEIR INFO SHEET AND TELL THEM THAT BIOC AGENT 003 TOLD +YOU ABOUT IT.) + + +I. BOX THOU NOT OVER THINE HOME TELEPHONE WIRES, FOR THOSE WHO DOEST MUST +SURELY BRING THE WRATH OF THE CHIEF SPECIAL AGENT DOWN UPON THY HEADS. + +II. SPEAKEST THOU NOT OF IMPORTANT MATTERS OVER THINE HOME TELEPHONE WIRES, +FOR TO DO SO IS TO RISK THINE RIGHT OF FREEDOM. + +III. USE NOT THINE OWN NAME WHEN SPEAKING TO OTHER PHREAKS, FOR THAT EVERY +THIRD PHREAK IS AN FBI AGENT IS WELL KNOWN. + +IV. LET NOT OVERLY MANY PEOPLE KNOW THAT THY BE A PHREAK, AS TO DO SO IS TO +USE THINE OWN SELF AS A SACRIFICIAL LAMB. + +V. IF THOU BE IN SCHOOL, STRIVE TO GET THIN SELF GOOD GRADES, FOR THE +AUTHORITIES WELL KNOW THAT SCHOLARS NEVER BREAK THE LAW. + +VI. IF THOU WORKEST, TRY TO BE A EMPLOYEE, AND IMPRESSEST THINE BOSS WITH +THINE ENTHUSIASM, FOR IMPORTANT EMPLOYEES ARE OFTEN SAVED BY THEIR OWN BOSSES. + +VII. STOREST THOU NOT THINE STOLEN GOODS IN THINE OWN HOME, FOR THOSE WHO DO +ARE SURELY NON-BELIEVERS IN THE BELL SYSTEM SECURITY FORCES, AND ARE NOT LONG +FOR THIS WORLD. + +VIII. ATTRACTEST THOU NOT THE ATTENTION OF THE AUTHORITIES, AS THE LESS +NOTICEABLE THOU ART, THE BETTER. + + + Page 26 + + + + + The Official Phreaker's Manual + +IX. MAKEST SURE THINE FRIENDS ARE INSTANT AMNESIACS AND WILL NOT REMEMBER +THAT THOU HAVE CALLED ILLEGALLY, FOR THEIR COOPERATION WITH THE AUTHORITIES +WILL SURELY LESSEN THINE TIME FOR FREEDOM ON THIS EARTH. + +X. SUPPORTEST THOU TAP, AS IT IS THINE NEWSLETTER, AND WITHOUT IT, THY WORK +WILL BE FAR MORE LIMITED. + +CN/A NUMBERS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + CUSTOMER NAME & ADDRESS BUREAUS EXIST SO THAT AUTHORIZED BELL EMPLOYEES MAY +OBTAIN THE NAME & ADDRESS OF ANY CUSTOMER IN THE BELL SYSTEM BY GIVING THE CN/A +OPERATOR THE CUSTOMER'S TEL-#. ALL CUSTOMERS ARE MAINTAINED ON FILE INCLUDING +UNLISTED #'S. THESE BUREAUS HAVE MANY USES FOR PHREAKS. + HERE IS HOW AN EMPLOYEE MIGHT GO ABOUT CALLING CN/A: +"HI, THIS IS JOHN DOE FROM THE MIAMI RESIDENTIAL SERVICE CENTER, CAN I HAVE THE +CUSTOMERS NAME AT (123) 555-1212." + + THE EMPLOYEES USUALLY USE THESE FOR CHECKING WHO BELONGS TO A # THAT +SOMEONE CLAIMED THEY DIDN'T CALL.IF YOU SOUND CHEERY AND NATURAL THE OPERATOR +WILL NEVER ASK ANY QUESTIONS. IF YOU DON'T SOUND LIKE A MATURE ADULT, DON'T USE +IT! ALWAYS PRACTICE FIRST & SO YOU DON'T SCREW UP AND MAKE THE OPERATOR +SUSPICIOUS. USE NAME THAT SOUNDS REAL, NOT YOUR PIRATE NAME EITHER! ALSO SAY +THAT YOU ARE FRO A CITY THAT IS FAR AWAY FROM THE ONE THAT YOU ARE CALLING. + + THE CN/A NUMBER FOR THE NY AREA & VICINITY (212, 315, 516, 518, 607, 716, & +914), IS 518/471-8111, AND IS OPEN DURING BUSINESS HOURS. DON'T ABUSE +IT!!!!!!! + +AT&T NEWSLINES +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + AT&T NEWSLINES ARE NUMBERS AT AREA PHONE OFFICES THAT TELCO EMPLOYEES CALL +TO FIND OUT THE LATEST INFO ON NEW TECHNOLOGY, STOCKS, ETC. THE RECORDED +REPORTS RANGE FROM VERY BORING TO VERY INTERESTING. + +HERE ARE A FEW OF THE NUMBERS: + + *(201) 483-3800 NJ (518) 471-2272 NY + (203) 771-4920 CN (717) 255-5555 PA + (212) 393-2151 NY (717) 787-1031 PA + (516) 234-9941 NY *(914) 948-8100 NY + + SOME OF THESE NUMBERS ARE TOLL-FREE, BUT YOU CAN'T ALWAYS COUNT ON IT. + +* THESE NUMBERS ARE NOT ALWAYS UP! + +NUMBERS FROM OTHER AREAS ARE AVAILABLE BY REQUEST FROM F)BIOC L)AGENT 003. + +ANI NUMBERS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + ANI NUMBERS IDENTIFY THE PHONE NUMBER THAT YOU ARE CALLING FROM. IT IS +USEFUL WHEN PLAYING IN CANS (THOSE BIG SILVER BOXES ON TELEPHONE POLES) TO FIND +OUT THE # OF THE LINE. IT IS ALSO GOOD TO FIND OUT THE # OF A PHONE THAT +DOESN'T HAVE IT PRINTED ON IT. IN THE 914 AREA CODE THE ANI # IS 990. IF YOU +JUST HAVE TO DIAL THE LAST 4 DIGITS FOR A LOCAL #, IE CONGERS (268), DIAL +1-990-1111, WHERE 1111 ARE DUMMY DIGITS THERE IS ALSO A LESS USEFUL TYPE OF + + Page 27 + + + + + The Official Phreaker's Manual + +ANI# WHICH WILL IDENTIFY THE AREA CODE & EXCHANGE. IT IS NXX-9901, WHERE 'NXX' +IS THE EXCHANGE. IN THE 212 & 516 AREA CODES THE ANI # IS 958. + +PHREAK NEWSLETTER +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + TAP IS THE "OFFICIAL" PHONE PHREAK NEWSLETTER, AND HAS EXISTED SINCE 1971. +EACH 4 PAGE ISSUE IS CRAMMED FULL OF INFORMATION ON PHONE PHREAKING, COMPUTER +PHREAKING, FREE GAS, FREE ELECTRICITY, FREE POSTAGE, BREAKING & ENTERING INFO, +ETC. IT IS LARGELY PHONE PHREAK ORIENTED, HOWEVER. + + A 10 ISSUE SUBSCRIPTION COSTS $8.00, IF YOU GET A BULK RATE SEALED ENVELOPE +SUBSCRIPTION. I WOULD RECOMMEND THE FIRST CLASS SUBSCRIPTION, WHICH IS $10. + + AS OF THIS WRITING (7-16-83), THE CURRENT ISSUE IS #86, AND ISSUE #50 IS 8 +PAGES INSTEAD OF THE USUAL 4. BACK ISSUES ARE $0.75 EACH, AND ISSUE #50 IS +$1.50. A BRIEF INDEX TO THE FIRST 80 ISSUES IS AVAILABLE FOR A SASE, OR FREE +WITH A SUBSCRIPTION ORDER. TAP IS NON-PROFIT, AND IN DESPERATE NEED OF MATERIAL +(ARTICLES), MONEY, AND VOLUNTEERS. + +TAP +ROOM 603 +147 WEST 42ND STREET +NEW YORK, NY 10036 + +BELIEVE ME: IT WILL BE THE BEST $10 YOU WILL EVER SPEND... + +BLACK BOX +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THE BLACK BOX IS A DEVICE THAT ATTACHED TO A CALLED PARTIES PHONE +THAT ALLOWS HIM/HER TO RECEIVE FREE LONG DISTANCE CALLS FROM FRIENDS WHO +CALL. + + YOU ONLY NEED 2 PARTS: A SPST TOGGLE SWITCH AND A 10,000 OHM (10 K), +1/2 WATT, 10% RESISTOR. ANY ELECTRONICS PLACE SHOULD HAVE THESE. + + NOW, CUT TWO PIECES OF WIRE, ABOUT 6 INCHES, AND ATTACH THESE TO THE TWO +SCREWS ON THE SWITCH. TURN YOUR NORMAL DDSIDE DOWN AND UNSCREW THE 2 SCREWS. +LOCATE THE "F" AND "RR" SCREWS ON THE NETWORK BOX. WRAP THE RESISTOR BETWEEN +THESE 2 SCREWS AND MAKE SURE THAT THE WIRES TOUCH ONLY THE PROPER TERMINALS! +NOW CONNECT ONE WIRE FROM THE SWITCH TO THE RR TERMINAL. FINALLY, ATTACH THE +REMAINING WIRE TO THE GREEN WIRE (DISCONNECT IT FROM ITS TERMINAL). NOW BRING +THE SWITCH OUT THE REAR OF THE PHONE AND CLOSE IT UP. PUT THE SWITCH IN A +POSITION WHERE YOU GET A DIAL TONE, MARK THIS NORMAL. MARK THE OTHER SIDE +FREE. + + WHEN YOUR FRIENDS CALL (AT A PREARRANGED TIME), QUICKLY LIFT & DROP THE +RECEIVER AS FAST AS POSSIBLE. THIS WILL STOP THE RINGING, IF NOT TRY AGAIN. IT +IS VERY IMPORTANT THAT YOU DO IT FAST! NOW PUT THE SWITCH IN THE FREE POSITION +AND PICK UP THE PHONE. KEEP ALL CALLS SHORT & UNDER 15 MINUTES. + + WHEN SOMEONE CALLS YOU LONG-DISTANCE, THEY ARE BILLED FROM THE MOMENT YOU +ANSWER. THE TELCO KNOWS WHEN YOU ANSWER DUE TO A CERTAIN AMOUNT OF VOLTAGE THAT +FLOWS WHEN YOU PICK UP THE PHONE. HOWEVER, THE RESISTOR CUTS DOWN ON THE +VOLTAGE SO IT IS BELOW THE BILLING RANGE BUT SUFFICIENT ENOUGH TO OPERATE THE +MOUTHPIECE. ANSWERING THE PHONE FOR A FRACTION OF A SECOND STOPS THE RING BUT +IT IS NOT ENOUGH FOR BILLING TO START. IF THE PHONE IS ANSWERED FOR EVEN ONE + + Page 28 + + + + + The Official Phreaker's Manual + +FULL SECOND, BILLING WILL START AND YOU WILL BE CUT OFF WHEN YOU HANG UP AND +SWITCH TO FREE. + +WARNING: BELL CAN RANDOMLY LOOK FOR BLACK BOXES SO BE CAREFUL! + + _____________________________________ +| | +---BLUE WIRE-->>F< | +| | | | +--WHITE WIRE---/ | | +| | | +| RESISTOR | +| | | +| | | +| >RR<-------SWITCH--\ | +| | | +----GREEN WIRE--------------------/ | +| | +|_____________________________________| + +DIAL LOCKS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + HAVE YOU EVER BEEN IN AN OFFICE OR SOMEWHERE AND WANTED TO MAKE A FREE FONE +CALL BUT SOME ASSHOLE PUT A LOCK ON THE FONE TO PREVENT OUT-GOING CALLS? FRET +NO MORE PHELLOW PHREAKS, FOR EVERY SYSTEM CAN BE BEATEN WITH A LITTLE +KNOWLEDGE! + + THERE ARE TWO WAYS TO BEAT THIS OBSTACLE, FIRST PICK THE LOCK, I DON'T HAVE +THE TIME TO TEACH LOCKSMITHING SO WE GO TO THE SECOND METHOD WHICH TAKES +ADVANTAGE OF TELEPHONE ELECTRONICS. + + TO BE AS SIMPLE AS POSSIBLE, WHEN YOU PICK UP THE FONE YOU COMPLETE A +CIRCUIT KNOW AS A LOCAL LOOP. WHEN YOU HANG-UP YOU BREAK THE CIRCUIT. WHEN +YOU DIAL (PULSE) IT ALSO BREAKS THE CIRCUIT BUT NOT LONG ENOUGH TO HANG UP! SO +YOU CAN "PUSH-DIAL." TO DO THIS YOU >>> RAPIDLY <<< DEPRESS THE SWITCHHOOK. +FOR EXAMPLE, TO DIAL AN OPERATOR (AND THEN GIVE HER THE NUMBER YOU WANT CALLED) +>>> RAPIDLY <<< & >>> EVENLY <<< DEPRESS THE SWITCHHOOK 10 TIMES. TO DIAL +634-1268, DEPRESS 6 X'S PAUSE, THEN 3 X'S, PAUSE, THEN 4X'S, ETC. IT TAKES A +LITTLE PRACTICE BUT YOU'LL GET THE HANG OF IT. TRY PRACTICING WITH YOUR OWN # +SO YOU'LL GET A BUSY TONE WHEN RIGHT. IT'LL ALSO WORK ON TOUCH-TONE(TM) SINCE +A DTMF LINE WILL ALSO ACCEPT PULSE. ALSO, NEVER DEPRESS THE SWITCHHOOK FOR +MORE THAN A SECOND OR IT'LL HANG-UP! + + FINALLY, REMEMBER THAT YOU HAVE JUST AS MUCH RIGHT TO THAT FONE AS THE +ASSHOLE WHO PUT THE LOCK ON IT! + +EXCHANGE SCANNING +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + ALMOST EVERY EXCHANGE IN THE BELL SYSTEM HAS TEST #'S AND OTHER "GOODIES" +SUCH AS LOOPS WITH DIAL-UPS. THESE "GOODIES" ARE USUALLY FOUND BETWEEN 9900 AND +9999 IN YOUR LOCAL EXCHANGE. IF YOU HAVE THE TIME AND INITIATIVE, SCAN YOUR +EXCHANGE AND YOU MAY BECOME LUCKY! + +HERE ARE MY FINDINGS IN THE 914-268 EXCHANGE: + + + + Page 29 + + + + + The Official Phreaker's Manual + +9900 - ANI (SEE SEPARATE BULLETIN) +9901 - ANI (SEE SEPARATE BULLETIN) +9927 - OSC. TONE (POSSIBLE TONE SIDE OF A LOOP) +9936 - VOICE # TO THE TELCO CENTRAL OFFICE +9937 - VOICE # TO THE TELCO CENTRAL OFFICE +9941 - COMPUTER (DIGITAL VOICE TRANSMISSION?) +9960 - OSC. TONE (TONE SIDE LOOP) MAY ALSO BE A COMPUTER IN SOME EXCHANGES +9961 - NO RESPONSE (OTHER END OF LOOP?) +9962 - NO RESPONSE (OTHER END OF LOOP?) +9963 - NO RESPONSE (OTHER END OF LOOP?) +9966 - COMPUTER (SEE 9941) +9968 - TONE THAT DISAPPEARS--RESPONDS TO CERTAIN TOUCH-TONE KEYS + + MOST OF THE NUMBERS BETWEEN 9900 & 9999 WILL RING OR GO TO A "WHAT #, +PLEASE?" OPERATOR. + +HAVE PHUN AND REMEMBER IT'S ONLY A LOCAL CALL! + +TOUCH-TONE & FREE CALLS +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +THERE ARE SEVERAL WAYS TO MAKE FREE CALLS (SPRINT, MCI, ETC.) USING A ROTARY +PHONE. THEY ARE: + +1. USE A NUMBER THAT ACCEPTS VOICE AS WELL AS DTMF. SUCH A # IS (800) +521-8400. AS OF WRITING THIS, A CODE WAS 00717865. + + A) IF USING VOICE, WAIT FOR THE COMPUTER TO SAY, "AUTHORIZATION #, PLEASE." +THEN SAY EACH DIGIT SLOWLY, IT WILL BEEP AFTER EACH DIGIT IS SAID. AFTER EVERY +GROUP OF DIGITS, IT WILL REPEAT WHAT YOU HAVE SAID, THEN SAY YES IF IT IS +CORRECT, OTHERWISE SAY NO. IF THE ACCESS CODE IS CORRECT, IT WILL THANK YOU AND +ASK FOR THE DESTINATION #, THEN SAY THE AREA CODE + NUMBER AS ABOVE. ANOTHER +SUCH # IS (800) 245-8173, WHICH HAS A 6 DIGIT ACCESS CODE. (NOTE: IF USING +TOUCH-TONE ON THIS #, ENTER THE CODE IMMEDIATELY AFTER THE TONE STOPS.) + +2. HOOK UP A TOUCH-TONE FONE INTO YOUR ROTARY FONE. ATTACH THE RED WIRE FROM +THE TOUCH-TONE FONE TO THE "R" TERMINAL INSIDE THE FONE ON THE NETWORK BOX. +THEN HOOK THE GREEN WIRE TO THE "B" TERMINAL. TO USE THIS DIAL THE # USING +ROTARY & THEN USE THE TOUCH-TONE FOR THE CODES. (DON'T HANG UP THE ROTARY FONE +WHILE DOING THIS THOUGH!) IF THIS DOESN'T WORK THEN REVERSE THE 2 WIRES. +(NOTE:IF YOUR LINE CAN ACCEPT TOUCH-TONE BUT YOU HAVE A ROTARY FONE THEN YOU +CAN HOOK UP A TONE FONE DIRECTLY FOR ALL CALLS BUT THIS USUALLY ISN'T THE +CASE.) SUCH AS RADIO SHACK'S 43-138. + +OTHER ALTERNATIVES +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +4. USE A CHARGE-A-CALL FONE. (THESE ALSO MAKE GREAT EXTENSIONS IF YOU REMOVE +IT USING A HEX WRENCH WITH A HOLE IN THE MIDDLE ON THE CENTER SCREW!)--(THESE +FONES, FOR THE BENEFIT OF THOSE WHO DON'T KNOW, ARE BLUE WITH NO COIN SLOTS). + +5. USE A PAY FONE THAT WANTS YOUR MONEY BEFORE THE DIAL TONE. PUT IN YOUR +DIME, DIAL THE #; IF IT'S AN 800 # THEN YOUR DIME WILL COME BACK, IMMEDIATELY +PUT A DIME BACK IN (IT'LL COME BACK WHEN YOU HANG UP!) IF IT IS A TONE FIRST +FONE AND IT DISCONNECTS THE KEYPAD (SOME DON'T) THEN FIND ANOTHER FONE. + + + + + Page 30 + + + + + The Official Phreaker's Manual + + Chapter 2 + + Well now we know a little vocabulary, and now its into history, Phreak +history. Back at MIT in 1964 arrived a student by the name of Stewart Nelson, +who was extremely interested in the telephone. Before entering MIT, he had +built autodialers, cheese boxes, and many more gadgets. But when he came to +MIT he became even more interested in "fone-hacking" as they called it. After +a little while he naturally started using the PDP-1, the schools computer at +that time, and from there he decided that it would be interesting to see +whether the computer could generate the frequencies required for blue boxing. +The hackers at MIT were not interested in ripping off Ma Bell, but just +exploring the telephone network. Stew (as he was called) wrote a program to +generate all the tones and set off into the vast network. + Now there were more people phreaking than the ones at MIT. Most people have +heard of Captain Crunch (No not the cereal), he also discovered how to take +rides through the fone system, with the aid of a small whistle found in a +cereal box (can we guess which one?). By blowing this whistle, he generated +the magical 2600hz and into the mouthpiece it sailed, giving him complete +control over the system. I have heard rumors that at one time he made about +1/4 of the calls coming out of San Francisco. He got famous fast. He made the +cover of people magazine and was interviewed several times (as you'll soon +see). Well he finally got caught after a long adventurous career. After he +was caught he was put in jail and was beaten up quite badly because he would +not teach other inmates how to box calls. After getting out, he joined Apple +computer and is still out there somewhere. + Then there was Joe the Whistler, blind form the day he was born. He could +whistle a perfect 2600hz tone. It was rumored phreaks used to call him to tune +their boxes. + Well that was up to about 1970, then from 1970 to 1979, phreaking was mainly +done by college students, businessmen and anyone who knew enough about +electronics and the fone company to make a 555 Ic to generate those magic +tones. Businessmen and a few college students mainly just blue box to get free +calls. The others were still there, exploring 800#'s and the new ESS systems. +ESS posed a big problem for phreaks then and even a bigger one now. ESS was +not widespread, but where it was, blue boxing was next to impossible except for +the most experienced phreak. Today ESS is installed in almost all major cities +and blue boxing is getting harder and harder. + 1978 marked a change in phreaking, the Apple ][, now a computer that was +affordable, could be programmed, and could save all that precious work on a +cassette. Then just a short while later came the Apple Cat modem. With this +modem, generating all blue box tones was easy as writing a program to count +form one to ten (a little exaggerated). Pretty soon programs that could +imitate an operator just as good as the real thing were hitting the community, +TSPS and Cat's Meow, are the standard now and are the best. + 1982-1986: LD services were starting to appear in mass numbers. People now +had programs to hack LD services, telephone exchanges, and even passwords. By +now many phreaks were getting extremely good and BBS's started to spring up +everywhere, each having many documentations on phreaking for the novice. Then +it happened, the movie War Games was released and mass numbers of sixth grade +to all ages flocked to see it. The problem wasn't that the movie was bad, it +was that now EVERYONE wanted to be a hacker/phreak. Novices came out in such +mass numbers, that bulletin boards started to be busy 24 hours a day. To this +day, they still have not recovered. Other problems started to occur, novices +guessed easy passwords on large government computers and started to play +around... Well it wasn't long before they were caught, I think that many +people remember the 414-hackers. They were so stupid as to say "yes" when the +computer asked them whether they'd like to play games. Well at least it takes +the heat off the real phreaks/hacker/krackers. + + Page 31 + + + + + The Official Phreaker's Manual + + After a little history, how about a little thrill? I don't know if this +story is true but it sure is as bad as shit! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 32 + + + + + The Official Phreaker's Manual + + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + * * + * +----------------------------------------------+ * + * * + * Secrets of the Little Blue Box * + * * + * by Ron Rosenbaum * + * Typed by One Farad Cap/AAG * + * * + * -A story so incredible it may even make you * + * feel sorry for the phone company- * + * * + * (First of four files) * + * * + * +----------------------------------------------+ * + * * + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + +Dudes... These four files contain the story, "Secrets of the Little Blue Box", +by Ron Rosenbaum. + +-A story so incredible it may even make you feel sorry for the phone company- + +Printed in the October 1971 issue of Esquire Magazine. If you happen to be in +a library and come across a collection of Esquire magazines, the October 1971 +issue is the first issue printed in the smaller format. The story begins on +page 116 with a picture of a blue box. + --One Farad Cap, Atlantic Anarchist Guild + + +The Blue Box Is Introduced: Its Qualities Are Remarked + +I am in the expensively furnished living room of Al Gilbertson (His real name +has been changed.), the creator of the "blue box." Gilbertson is holding one of +his shiny black-and-silver "blue boxes" comfortably in the palm of his hand, +pointing out the thirteen little red push buttons sticking up from the console. +He is dancing his fingers over the buttons, tapping out discordant beeping +electronic jingles. He is trying to explain to me how his little blue box does +nothing less than place the entire telephone system of the world, satellites, +cables and all, at the service of the blue-box operator, free of charge. + +"That's what it does. Essentially it gives you the power of a super operator. +You seize a tandem with this top button," he presses the top button with his +index finger and the blue box emits a high-pitched cheep, "and like that" -- +cheep goes the blue box again -- "you control the phone company's long-distance +switching systems from your cute little Princes phone or any old pay phone. +And you've got anonymity. An operator has to operate from a definite location: +the phone company knows where she is and what she's doing. But with your +beeper box, once you hop onto a trunk, say from a Holiday Inn 800 (toll-free) +number, they don't know where you are, or where you're coming from, they don't +know how you slipped into their lines and popped up in that 800 number. They +don't even know anything illegal is going on. And you can obscure your origins +through as many levels as you like. You can call next door by way of White +Plains, then over to Liverpool by cable, and then back here by satellite. You +can call yourself from one pay phone all the way around the world to a pay +phone next to you. And you get your dime back too." + +"And they can't trace the calls? They can't charge you?" + + Page 33 + + + + + The Official Phreaker's Manual + + +"Not if you do it the right way. But you'll find that the free-call thing +isn't really as exciting at first as the feeling of power you get from having +one of these babies in your hand. I've watched people when they first get hold +of one of these things and start using it, and discover they can make +connections, set up crisscross and zigzag switching patterns back and forth +across the world. They hardly talk to the people they finally reach. They say +hello and start thinking of what kind of call to make next. They go a little +crazy." He looks down at the neat little package in his palm. His fingers are +still dancing, tapping out beeper patterns. + +"I think it's something to do with how small my models are. There are lots of +blue boxes around, but mine are the smallest and most sophisticated +electronically. I wish I could show you the prototype we made for our big +syndicate order." + +He sighs. "We had this order for a thousand beeper boxes from a syndicate +front man in Las Vegas. They use them to place bets coast to coast, keep lines +open for hours, all of which can get expensive if you have to pay. The deal +was a thousand blue boxes for $300 apiece. Before then we retailed them for +$1500 apiece, but $300,000 in one lump was hard to turn down. We had a +manufacturing deal worked out in the Philippines. Everything ready to go. +Anyway, the model I had ready for limited mass production was small enough to +fit inside a flip-top Marlboro box. It had flush touch panels for a keyboard, +rather than these unsightly buttons, sticking out. Looked just like a tiny +portable radio. In fact, I had designed it with a tiny transistor receiver to +get one AM channel, so in case the law became suspicious the owner could switch +on the radio part, start snapping his fingers, and no one could tell anything +illegal was going on. I thought of everything for this model -- I had it lined +with a band of thermite which could be ignited by radio signal from a tiny +button transmitter on your belt, so it could be burned to ashes instantly in +case of a bust. It was beautiful. A beautiful little machine. You should +have seen the faces on these syndicate guys when they came back after trying it +out. They'd hold it in their palm like they never wanted to let it go, and +they'd say, 'I can't believe it. I can't believe it.' You probably won't +believe it until you try it." + +The Blue Box Is Tested: Certain Connections Are Made + +About eleven o'clock two nights later Fraser Lucey has a blue box in the palm +of his left hand and a phone in the palm of his right. He is standing inside a +phone booth next to an isolated shut-down motel off Highway 1. I am standing +outside the phone booth. + +Fraser likes to show off his blue box for people. Until a few weeks ago when +Pacific Telephone made a few arrests in his city, Fraser Lucey liked to bring +his blue box (This particular blue box, like most blue boxes, is not blue. +Blue boxes have come to be called "blue boxes" either because 1) The first blue +box ever confiscated by phone-company security men happened to be blue, or 2) +To distinguish them from "black boxes." Black boxes are devices, usually a +resistor in series, which, when attached to home phones, allow all incoming +calls to be made without charge to one's caller.) to parties. It never failed: +a few cheeps from his device and Fraser became the center of attention at the +very hippest of gatherings, playing phone tricks and doing request numbers for +hours. He began to take orders for his manufacturer in Mexico. He became a +dealer. + +Fraser is cautious now about where he shows off his blue box. But he never + + Page 34 + + + + + The Official Phreaker's Manual + +gets tired of playing with it. "It's like the first time every time," he tells +me. + +Fraser puts a dime in the slot. He listens for a tone and holds the receiver +up to my ear. I hear the tone. Fraser begins describing, with a certain +practiced air, what he does while he does it. "I'm dialing an 800 number now. +Any 800 number will do. It's toll free. Tonight I think I'll use the ----- (he +names a well-know rent-a-car company) 800 number. Listen, It's ringing. Here, +you hear it? Now watch." He places the blue box over the mouthpiece of the +phone so that the one silver and twelve black push buttons are facing up toward +me. He presses the silver button -- the one at the top -- and I hear that +high-pitched beep. "That's 2600 cycles per second to be exact," says Lucey. +"Now, quick. listen." He shoves the earpiece at me. The ringing has vanished. +The line gives a slight hiccough, there is a sharp buzz, and then nothing but +soft white noise. + +"We're home free now," Lucey tells me, taking back the phone and applying the +blue box to its mouthpiece once again. "We're up on a tandem, into a +long-lines trunk. Once you're up on a tandem, you can send yourself anywhere +you want to go." He decides to check out London first. He chooses a certain +pay phone located in Waterloo Station. This particular pay phone is popular +with the phone-phreaks network because there are usually people walking by at +all hours who will pick it up and talk for a while. + +He presses the lower left-hand corner button which is marked "KP" on the face +of the box. "That's Key Pulse. It tells the tandem we're ready to give it +instructions. First I'll punch out KP 182 START, which will slide us into the +overseas sender in White Plains." I hear a neat clunk-cheep. "I think we'll +head over to England by satellite. Cable is actually faster and the connection +is somewhat better, but I like going by satellite. So I just punch out KP Zero +44. The Zero is supposed to guarantee a satellite connection and 44 is the +country code for England. Okay... we're there. In Liverpool actually. Now +all I have to do is punch out the London area code which is 1, and dial up the +pay phone. Here, listen, I've got a ring now." + +I hear the soft quick purr-purr of a London ring. Then someone picks up the +phone. + +"Hello," says the London voice. + +"Hello. Who's this?" Fraser asks. + +"Hello. There's actually nobody here. I just picked this up while I was +passing by. This is a public phone. There's no one here to answer actually." + +"Hello. Don't hang up. I'm calling from the United States." + +"Oh. What is the purpose of the call? This is a public phone you know." + +"Oh. You know. To check out, uh, to find out what's going on in London. How +is it there?" + +"Its five o'clock in the morning. It's raining now." + +"Oh. Who are you?" + +The London passerby turns out to be an R.A.F. enlistee on his way back to the +base in Lincolnshire, with a terrible hangover after a thirty-six-hour pass. + + Page 35 + + + + + The Official Phreaker's Manual + +He and Fraser talk about the rain. They agree that it's nicer when it's not +raining. They say good-bye and Fraser hangs up. His dime returns with a nice +clink. + +"Isn't that far out," he says grinning at me. "London, like that." + +Fraser squeezes the little blue box affectionately in his palm. "I told ya +this thing is for real. Listen, if you don't mind I'm gonna try this girl I +know in Paris. I usually give her a call around this time. It freaks her out. +This time I'll use the ------ (a different rent-a-car company) 800 number and +we'll go by overseas cable, 133; 33 is the country code for France, the 1 sends +you by cable. Okay, here we go.... Oh damn. Busy. Who could she be talking +to at this time?" + +A state police car cruises slowly by the motel. The car does not stop, but +Fraser gets nervous. We hop back into his car and drive ten miles in the +opposite direction until we reach a Texaco station locked up for the night. We +pull up to a phone booth by the tire pump. Fraser dashes inside and tries the +Paris number. It is busy again. + +"I don't understand who she could be talking to. The circuits may be busy. +It's too bad I haven't learned how to tap into lines overseas with this thing +yet." + +Fraser begins to phreak around, as the phone phreaks say. He dials a leading +nationwide charge card's 800 number and punches out the tones that bring him +the time recording in Sydney, Australia. He beeps up the weather recording in +Rome, in Italian of course. He calls a friend in Boston and talks about a +certain over-the-counter stock they are into heavily. He finds the Paris +number busy again. He calls up "Dial a Disc" in London, and we listen to +Double Barrel by David and Ansil Collins, the number-one hit of the week in +London. He calls up a dealer of another sort and talks in code. He calls up +Joe Engressia, the original blind phone-phreak genius, and pays his respects. +There are other calls. Finally Fraser gets through to his young lady in +Paris. + +They both agree the circuits must have been busy, and criticize the Paris +telephone system. At two-thirty in the morning Fraser hangs up, pockets his +dime, and drives off, steering with one hand, holding what he calls his "lovely +little blue box" in the other. + +You Can Call Long Distance For Less Than You Think + +"You see, a few years ago the phone company made one big mistake," Gilbertson +explains two days later in his apartment. "They were careless enough to let +some technical journal publish the actual frequencies used to create all their +multi-frequency tones. Just a theoretical article some Bell Telephone +Laboratories engineer was doing about switching theory, and he listed the tones +in passing. At ----- (a well-known technical school) I had been fooling around +with phones for several years before I came across a copy of the journal in the +engineering library. I ran back to the lab and it took maybe twelve hours from +the time I saw that article to put together the first working blue box. It was +bigger and clumsier than this little baby, but it worked." + +It's all there on public record in that technical journal written mainly by +Bell Lab people for other telephone engineers. Or at least it was public. +"Just try and get a copy of that issue at some engineering-school library now. +Bell has had them all red-tagged and withdrawn from circulation," Gilbertson + + Page 36 + + + + + The Official Phreaker's Manual + +tells me. + +"But it's too late. It's all public now. And once they became public the +technology needed to create your own beeper device is within the range of any +twelve-year-old kid, any twelve-year-old blind kid as a matter of fact. And he +can do it in less than the twelve hours it took us. Blind kids do it all the +time. They can't build anything as precise and compact as my beeper box, but +theirs can do anything mine can do." + +"How?" + +"Okay. About twenty years ago A.T.&T. made a multi-billion-dollar decision to +operate its entire long-distance switching system on twelve electronically +generated combinations of twelve master tones. Those are the tones you +sometimes hear in the background after you've dialed a long-distance number. +They decided to use some very simple tones -- the tone for each number is just +two fixed single-frequency tones played simultaneously to create a certain beat +frequency. Like 1300 cycles per second and 900 cycles per second played +together give you the tone for digit 5. Now, what some of these phone phreaks +have done is get themselves access to an electric organ. Any cheap family +home-entertainment organ. Since the frequencies are public knowledge now -- +one blind phone phreak has even had them recorded in one of the talking books +for the blind -- they just have to find the musical notes on the organ which +correspond to the phone tones. Then they tape them. For instance, to get Ma +Bell's tone for the number 1, you press down organ keys F~5 and A~5 (900 and +700 cycles per second) at the same time. To produce the tone for 2 it's F~5 +and C~6 (1100 and 700 c.p.s). The phone phreaks circulate the whole list of +notes so there's no trial and error anymore." + +He shows me a list of the rest of the phone numbers and the two electric organ +keys that produce them. + +"Actually, you have to record these notes at 3 3/4 inches-per-second tape speed +and double it to 7 1/2 inches-per-second when you play them back, to get the +proper tones," he adds. + +"So once you have all the tones recorded, how do you plug them into the phone +system?" + +"Well, they take their organ and their cassette recorder, and start banging out +entire phone numbers in tones on the organ, including country codes, routing +instructions, 'KP' and 'Start' tones. Or, if they don't have an organ, someone +in the phone-phreak network sends them a cassette with all the tones recorded, +with a voice saying 'Number one,' then you have the tone, 'Number two,' then +the tone and so on. So with two cassette recorders they can put together a +series of phone numbers by switching back and forth from number to number. Any +idiot in the country with a cheap cassette recorder can make all the free calls +he wants." + +"You mean you just hold the cassette recorder up the mouthpiece and switch in a +series of beeps you've recorded? The phone thinks that anything that makes +these tones must be its own equipment?" + +"Right. As long as you get the frequency within thirty cycles per second of +the phone company's tones, the phone equipment thinks it hears its own voice +talking to it. The original granddaddy phone phreak was this blind kid with +perfect pitch, Joe Engressia, who used to whistle into the phone. An operator +could tell the difference between his whistle and the phone company's + + Page 37 + + + + + The Official Phreaker's Manual + +electronic tone generator, but the phone company's switching circuit can't tell +them apart. The bigger the phone company gets and the further away from human +operators it gets, the more vulnerable it becomes to all sorts of phone +phreaking." + +A Guide for the Perplexed + +"But wait a minute," I stop Gilbertson. "If everything you do sounds like +phone-company equipment, why doesn't the phone company charge you for the call +the way it charges its own equipment?" + +"Okay. That's where the 2600-cycle tone comes in. I better start from the +beginning." + +The beginning he describes for me is a vision of the phone system of the +continent as thousands of webs, of long-line trunks radiating from each of the +hundreds of toll switching offices to the other toll switching offices. Each +toll switching office is a hive compacted of thousands of long-distance tandems +constantly whistling and beeping to tandems in far-off toll switching offices. + +The tandem is the key to the whole system. Each tandem is a line with some +relays with the capability of signalling any other tandem in any other toll +switching office on the continent, either directly one-to-one or by programming +a roundabout route through several other tandems if all the direct routes are +busy. For instance, if you want to call from New York to Los Angeles and +traffic is heavy on all direct trunks between the two cities, your tandem in +New York is programmed to try the next best route, which may send you down to a +tandem in New Orleans, then up to San Francisco, or down to a New Orleans +tandem, back to an Atlanta tandem, over to an Albuquerque tandem and finally up +to Los Angeles. + +When a tandem is not being used, when it's sitting there waiting for someone to +make a long-distance call, it whistles. One side of the tandem, the side +"facing" your home phone, whistles at 2600 cycles per second toward all the +home phones serviced by the exchange, telling them it is at their service, +should they be interested in making a long-distance call. The other side of +the tandem is whistling 2600 c.p.s. into one or more long-distance trunk lines, +telling the rest of the phone system that it is neither sending nor receiving a +call through that trunk at the moment, that it has no use for that trunk at the +moment. + +"When you dial a long-distance number the first thing that happens is that you +are hooked into a tandem. A register comes up to the side of the tandem facing +away from you and presents that side with the number you dialed. This sending +side of the tandem stops whistling 2600 into its trunk line. When a tandem +stops the 2600 tone it has been sending through a trunk, the trunk is said to +be "seized," and is now ready to carry the number you have dialed -- converted +into multi-frequency beep tones -- to a tandem in the area code and central +office you want. + +Now when a blue-box operator wants to make a call from New Orleans to New York +he starts by dialing the 800 number of a company which might happen to have its +headquarters in Los Angeles. The sending side of the New Orleans tandem stops +sending 2600 out over the trunk to the central office in Los Angeles, thereby +seizing the trunk. Your New Orleans tandem begins sending beep tones to a +tandem it has discovered idly whistling 2600 cycles in Los Angeles. The +receiving end of that L.A. tandem is seized, stops whistling 2600, listens to +the beep tones which tell it which L.A. phone to ring, and starts ringing the + + Page 38 + + + + + The Official Phreaker's Manual + +800 number. Meanwhile a mark made in the New Orleans office accounting tape +notes that a call from your New Orleans phone to the 800 number in L.A. has +been initiated and gives the call a code number. Everything is routine so far. + +But then the phone phreak presses his blue box to the mouthpiece and pushes the +2600-cycle button, sending 2600 out from the New Orleans tandem to the L.A. +tandem. The L.A. tandem notices 2600 cycles are coming over the line again and +assumes that New Orleans has hung up because the trunk is whistling as if idle. +The L.A. tandem immediately ceases ringing the L.A. 800 number. But as soon as +the phreak takes his finger off the 2600 button, the L.A. tandem assumes the +trunk is once again being used because the 2600 is gone, so it listens for a +new series of digit tones - to find out where it must send the call. + +Thus the blue-box operator in New Orleans now is in touch with a tandem in L.A. +which is waiting like an obedient genie to be told what to do next. The +blue-box owner then beeps out the ten digits of the New York number which tell +the L.A. tandem to relay a call to New York City. Which it promptly does. As +soon as your party picks up the phone in New York, the side of the New Orleans +tandem facing you stops sending 2600 cycles to you and stars carrying his voice +to you by way of the L.A. tandem. A notation is made on the accounting tape +that the connection has been made on the 800 call which had been initiated and +noted earlier. When you stop talking to New York a notation is made that the +800 call has ended. + +At three the next morning, when the phone company's accounting computer starts +reading back over the master accounting tape for the past day, it records that +a call of a certain length of time was made from your New Orleans home to an +L.A. 800 number and, of course, the accounting computer has been trained to +ignore those toll-free 800 calls when compiling your monthly bill. + +"All they can prove is that you made an 800 toll-free call," Gilbertson the +inventor concludes. "Of course, if you're foolish enough to talk for two hours +on an 800 call, and they've installed one of their special anti-fraud computer +programs to watch out for such things, they may spot you and ask why you took +two hours talking to Army Recruiting's 800 number when you're 4-F. + +But if you do it from a pay phone, they may discover something peculiar the +next day -- if they've got a blue-box hunting program in their computer -- but +you'll be a long time gone from the pay phone by then. Using a pay phone is +almost guaranteed safe." + +"What about the recent series of blue-box arrests all across the country -- New +York, Cleveland, and so on?" I asked. "How were they caught so easily?" + +"From what I can tell, they made one big mistake: they were seizing trunks +using an area code plus 555-1212 instead of an 800 number. Using 555 is easy to +detect because when you send multi-frequency beep tones of 555 you get a charge +for it on your tape and the accounting computer knows there's something wrong +when it tries to bill you for a two-hour call to Akron, Ohio, information, and +it drops a trouble card which goes right into the hands of the security agent +if they're looking for blue-box user. + +"Whoever sold those guys their blue boxes didn't tell them how to use them +properly, which is fairly irresponsible. And they were fairly stupid to use +them at home all the time. + +"But what those arrests really mean is than an awful lot of blue boxes are +flooding into the country and that people are finding them so easy to make that + + Page 39 + + + + + The Official Phreaker's Manual + +they know how to make them before they know how to use them. Ma Bell is in +trouble." + +And if a blue-box operator or a cassette-recorder phone phreak sticks to pay +phones and 800 numbers, the phone company can't stop them? + +"Not unless they change their entire nationwide long-lines technology, which +will take them a few billion dollars and twenty years. Right now they can't do +a thing. They're screwed." + ++-- End first file of four --+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 40 + + + + + The Official Phreaker's Manual + + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + * * + * +----------------------------------------------+ * + * * + * Secrets of the Little Blue Box * + * * + * by Ron Rosenbaum * + * Typed by One Farad Cap/AAG * + * * + * -A story so incredible it may even make you * + * feel sorry for the phone company- * + * * + * (Second of four files) * + * * + * +----------------------------------------------+ * + * * + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + +Captain Crunch Demonstrates His Famous Unit + +There is an underground telephone network in this country. Gilbertson +discovered it the very day news of his activities hit the papers. That evening +his phone began ringing. Phone phreaks from Seattle, from Florida, from New +York, from San Jose, and from Los Angeles began calling him and telling him +about the phone-phreak network. He'd get a call from a phone phreak who'd say +nothing but, "Hang up and call this number." + +When he dialed the number he'd find himself tied into a conference of a dozen +phone phreaks arranged through a quirky switching station in British Columbia. +They identified themselves as phone phreaks, they demonstrated their homemade +blue boxes which they called "M-Fers" (for "multi-frequency," among other +things) for him, they talked shop about phone-phreak devices. They let him in +on their secrets on the theory that if the phone company was after him he must +be trustworthy. And, Gilbertson recalls, they stunned him with their technical +sophistication. + +I ask him how to get in touch with the phone-phreak network. He digs around +through a file of old schematics and comes up with about a dozen numbers in +three widely separated area codes. + +"Those are the centers," he tells me. Alongside some of the numbers he writes +in first names or nicknames: names like Captain Crunch, Dr. No, Frank Carson +(also a code word for a free call), Marty Freeman (code word for M-F device), +Peter Perpendicular Pimple, Alefnull, and The Cheshire Cat. He makes checks +alongside the names of those among these top twelve who are blind. There are +five checks. + +I ask him who this Captain Crunch person is. + +"Oh. The Captain. He's probably the most legendary phone phreak. He calls +himself Captain Crunch after the notorious Cap'n Crunch 2600 whistle." +(Several years ago, Gilbertson explains, the makers of Cap'n Crunch breakfast +cereal offered a toy-whistle prize in every box as a treat for the Cap'n Crunch +set. Somehow a phone phreak discovered that the toy whistle just happened to +produce a perfect 2600-cycle tone. When the man who calls himself Captain +Crunch was transferred overseas to England with his Air Force unit, he would +receive scores of calls from his friends and "mute" them -- make them free of +charge to them -- by blowing his Cap'n Crunch whistle into his end.) + + Page 41 + + + + + The Official Phreaker's Manual + + +"Captain Crunch is one of the older phone phreaks," Gilbertson tells me. "He's +an engineer who once got in a little trouble for fooling around with the phone, +but he can't stop. Well, they guy drives across country in a Volkswagen van +with an entire switchboard and a computerized super-sophisticated M-F-er in the +back. He'll pull up to a phone booth on a lonely highway somewhere, snake a +cable out of his bus, hook it onto the phone and sit for hours, days sometimes, +sending calls zipping back and forth across the country, all over the +world...." + +Back at my motel, I dialed the number he gave me for "Captain Crunch" and asked +for G---- T-----, his real name, or at least the name he uses when he's not +dashing into a phone booth beeping out M-F tones faster than a speeding bullet +and zipping phantomlike through the phone company's long-distance lines. + +When G---- T----- answered the phone and I told him I was preparing a story for +Esquire about phone phreaks, he became very indignant. + +"I don't do that. I don't do that anymore at all. And if I do it, I do it for +one reason and one reason only. I'm learning about a system. The phone +company is a System. A computer is a System, do you understand? If I do what +I do, it is only to explore a system. Computers, systems, that's my bag. The +phone company is nothing but a computer." + +A tone of tightly restrained excitement enters the Captain's voice when he +starts talking about systems. He begins to pronounce each syllable with the +hushed deliberation of an obscene caller. + +"Ma Bell is a system I want to explore. It's a beautiful system, you know, but +Ma Bell screwed up. It's terrible because Ma Bell is such a beautiful system, +but she screwed up. I learned how she screwed up from a couple of blind kids +who wanted me to build a device. A certain device. They said it could make +free calls. I wasn't interested in free calls. But when these blind kids told +me I could make calls into a computer, my eyes lit up. I wanted to learn about +computers. I wanted to learn about Ma Bell's computers. So I build the little +device, but I built it wrong and Ma Bell found out. Ma Bell can detect things +like that. Ma Bell knows. So I'm strictly rid of it now. I don't do it. +Except for learning purposes." He pauses. "So you want to write an article. +Are you paying for this call? Hang up and call this number." He gives me a +number in a area code a thousand miles away of his own. I dial the number. + +"Hello again. This is Captain Crunch. You are speaking to me on a toll-free +loop-around in Portland, Oregon. Do you know what a toll-free loop around is? +I'll tell you. + +He explains to me that almost every exchange in the country has open test +numbers which allow other exchanges to test their connections with it. Most of +these numbers occur in consecutive pairs, such as 302 956-0041 and 302 +956-0042. Well, certain phone phreaks discovered that if two people from +anywhere in the country dial the two consecutive numbers they can talk together +just as if one had called the other's number, with no charge to either of them, +of course. + +"Now our voice is looping around in a 4A switching machine up there in Canada, +zipping back down to me," the Captain tells me. "My voice is looping around up +there and back down to you. And it can't ever cost anyone money. The phone +phreaks and I have compiled a list of many many of these numbers. You would be +surprised if you saw the list. I could show it to you. But I won't. I'm out + + Page 42 + + + + + The Official Phreaker's Manual + +of that now. I'm not out to screw Ma Bell. I know better. If I do anything +it's for the pure knowledge of the System. You can learn to do fantastic +things. Have you ever heard eight tandems stacked up? Do you know the sound +of tandems stacking and unstacking? Give me your phone number. Okay. Hang up +now and wait a minute." + +Slightly less than a minute later the phone rang and the Captain was on the +line, his voice sounding far more excited, almost aroused. + +"I wanted to show you what it's like to stack up tandems. To stack up +tandems." (Whenever the Captain says "stack up" it sounds as if he is licking +his lips.) + +"How do you like the connection you're on now?" the Captain asks me. "It's a +raw tandem. A raw tandem. Ain't nothin' up to it but a tandem. Now I'm going +to show you what it's like to stack up. Blow off. Land in a far away place. +To stack that tandem up, whip back and forth across the country a few times, +then shoot on up to Moscow. + +"Listen," Captain Crunch continues. "Listen. I've got line tie on my +switchboard here, and I'm gonna let you hear me stack and unstack tandems. +Listen to this. It's gonna blow your mind." + +First I hear a super rapid-fire pulsing of the flutelike phone tones, then a +pause, then another popping burst of tones, then another, then another. Each +burst is followed by a beep-kachink sound. + +"We have now stacked up four tandems," said Captain Crunch, sounding somewhat +remote. "That's four tandems stacked up. Do you know what that means? That +means I'm whipping back and forth, back and forth twice, across the country, +before coming to you. I've been known to stack up twenty tandems at a time. +Now, just like I said, I'm going to shoot up to Moscow." + +There is a new, longer series of beeper pulses over the line, a brief silence, +then a ring. + +"Hello," answers a far-off voice. + +"Hello. Is this the American Embassy Moscow?" + +"Yes, sir. Who is this calling?" says the voice. + +"Yes. This is test board here in New York. We're calling to check out the +circuits, see what kind of lines you've got. Everything okay there in +Moscow?" + +"Okay?" + +"Well, yes, how are things there?" + +"Oh. Well, everything okay, I guess." + +"Okay. Thank you." + +They hang up, leaving a confused series of beep-kachink sounds hanging in +mid-ether in the wake of the call before dissolving away. + +The Captain is pleased. "You believe me now, don't you? Do you know what I'd + + Page 43 + + + + + The Official Phreaker's Manual + +like to do? I'd just like to call up your editor at Esquire and show him just +what it sounds like to stack and unstack tandems. I'll give him a show that +will blow his mind. What's his number? + +I ask the Captain what kind of device he was using to accomplish all his feats. +The Captain is pleased at the question. + +"You could tell it was special, couldn't you?" Ten pulses per second. That's +faster than the phone company's equipment. Believe me, this unit is the most +famous unit in the country. There is no other unit like it. Believe me." + +"Yes, I've heard about it. Some other phone phreaks have told me about it." + +"They have been referring to my, ahem, unit? What is it they said? Just out of +curiosity, did they tell you it was a highly sophisticated computer-operated +unit, with acoustical coupling for receiving outputs and a switch-board with +multiple-line-tie capability? Did they tell you that the frequency tolerance +is guaranteed to be not more than .05 percent? The amplitude tolerance less +than .01 decibel? Those pulses you heard were perfect. They just come faster +than the phone company. Those were high-precision op-amps. Op-amps are +instrumentation amplifiers designed for ultra-stable amplification, super-low +distortion and accurate frequency response. Did they tell you it can operate +in temperatures from -55 degrees C to +125 degrees C?" + +I admit that they did not tell me all that. + +"I built it myself," the Captain goes on. "If you were to go out and buy the +components from an industrial wholesaler it would cost you at least $1500. I +once worked for a semiconductor company and all this didn't cost me a cent. Do +you know what I mean? Did they tell you about how I put a call completely +around the world? I'll tell you how I did it. I M-Fed Tokyo inward, who +connected me to India, India connected me to Greece, Greece connected me to +Pretoria, South Africa, South Africa connected me to South America, I went from +South America to London, I had a London operator connect me to a New York +operator, I had New York connect me to a California operator who rang the phone +next to me. Needless to say I had to shout to hear myself. But the echo was +far out. Fantastic. Delayed. It was delayed twenty seconds, but I could hear +myself talk to myself." + +"You mean you were speaking into the mouthpiece of one phone sending your voice +around the world into your ear through a phone on the other side of your head?" +I asked the Captain. I had a vision of something vaguely autoerotic going on, +in a complex electronic way. + +"That's right," said the Captain. "I've also sent my voice around the world +one way, going east on one phone, and going west on the other, going through +cable one way, satellite the other, coming back together at the same time, +ringing the two phones simultaneously and picking them up and whipping my +voice both ways around the world back to me. Wow. That was a mind blower." + +"You mean you sit there with both phones on your ear and talk to yourself +around the world," I said incredulously. + +"Yeah. Um hum. That's what I do. I connect the phone together and sit there +and talk." + +"What do you say? What do you say to yourself when you're connected?" + + + Page 44 + + + + + The Official Phreaker's Manual + +"Oh, you know. Hello test one two three," he says in a low-pitched voice. + +"Hello test one two three," he replied to himself in a high-pitched voice. + +"Hello test one two three," he repeats again, low-pitched. + +"Hello test one two three," he replies, high-pitched. + +"I sometimes do this: Hello Hello Hello Hello, Hello, hello," he trails off and +breaks into laughter. + +Why Captain Crunch Hardly Ever Taps Phones Anymore + +Using internal phone-company codes, phone phreaks have learned a simple method +for tapping phones. Phone-company operators have in front of them a board that +holds verification jacks. It allows them to plug into conversations in case of +emergency, to listen in to a line to determine if the line is busy or the +circuits are busy. Phone phreaks have learned to beep out the codes which lead +them to a verification operator, tell the verification operator they are +switchmen from some other area code testing out verification trunks. Once the +operator hooks them into the verification trunk, they disappear into the board +for all practical purposes, slip unnoticed into any one of the 10,000 to +100,000 numbers in that central office without the verification operator +knowing what they're doing, and of course without the two parties to the +connection knowing there is a phantom listener present on their line. + +Toward the end of my hour-long first conversation with him, I asked the Captain +if he ever tapped phones. + +"Oh no. I don't do that. I don't think it's right," he told me firmly. "I +have the power to do it but I don't... Well one time, just one time, I have to +admit that I did. There was this girl, Linda, and I wanted to find out... you +know. I tried to call her up for a date. I had a date with her the last +weekend and I thought she liked me. I called her up, man, and her line was +busy, and I kept calling and it was still busy. Well, I had just learned about +this system of jumping into lines and I said to myself, 'Hmmm. Why not just +see if it works. It'll surprise her if all of a sudden I should pop up on her +line. It'll impress her, if anything.' So I went ahead and did it. I M-Fed +into the line. My M-F-er is powerful enough when patched directly into the +mouthpiece to trigger a verification trunk without using an operator the way +the other phone phreaks have to. + +"I slipped into the line and there she was talking to another boyfriend. +Making sweet talk to him. I didn't make a sound because I was so disgusted. +So I waited there for her to hang up, listening to her making sweet talk to the +other guy. You know. So as soon as she hung up I instantly M-F-ed her up and +all I said was, 'Linda, we're through.' And I hung up. And it blew her head +off. She couldn't figure out what the hell happened. + +"But that was the only time. I did it thinking I would surprise her, impress +her. Those were all my intentions were, and well, it really kind of hurt me +pretty badly, and... and ever since then I don't go into verification trunks." + +Moments later my first conversation with the Captain comes to a close. + +"Listen," he says, his spirits somewhat cheered, "listen. What you are going +to hear when I hang up is the sound of tandems unstacking. Layer after layer of +tandems unstacking until there's nothing left of the stack, until it melts away + + Page 45 + + + + + The Official Phreaker's Manual + +into nothing. Cheep, cheep, cheep, cheep," he concludes, his voice descending +to a whisper with each cheep. + +He hangs up. The phone suddenly goes into four spasms: kachink cheep. Kachink +cheep kachink cheep kachink cheep, and the complex connection has wiped itself +out like the Cheshire cat's smile. + +The MF Boogie Blues + +The next number I choose from the select list of phone-phreak alumni, prepared +for me by the blue-box inventor, is a Memphis number. It is the number of Joe +Engressia, the first and still perhaps the most accomplished blind phone +phreak. + +Three years ago Engressia was a nine-day wonder in newspapers and magazines all +over America because he had been discovered whistling free long-distance +connections for fellow students at the University of South Florida. Engressia +was born with perfect pitch: he could whistle phone tones better than the +phone-company's equipment. + +Engressia might have gone on whistling in the dark for a few friends for the +rest of his life if the phone company hadn't decided to expose him. He was +warned, disciplined by the college, and the whole case became public. In the +months following media reports of his talent, Engressia began receiving strange +calls. There were calls from a group of kids in Los Angeles who could do some +very strange things with the quirky General Telephone and Electronics circuitry +in L.A. suburbs. There were calls from a group of mostly blind kids in ----, +California, who had been doing some interesting experiments with Cap'n Crunch +whistles and test loops. There was a group in Seattle, a group in Cambridge, +Massachusetts, a few from New York, a few scattered across the country. Some +of them had already equipped themselves with cassette and electronic M-F +devices. For some of these groups, it was the first time they knew of the +others. + +The exposure of Engressia was the catalyst that linked the separate +phone-phreak centers together. They all called Engressia. They talked to him +about what he was doing and what they were doing. And then he told them -- the +scattered regional centers and lonely independent phone phreakers -- about each +other, gave them each other's numbers to call, and within a year the scattered +phone-phreak centers had grown into a nationwide underground. + +Joe Engressia is only twenty-two years old now, but along the phone-phreak +network he is "the old man," accorded by phone phreaks something of the +reverence the phone company bestows on Alexander Graham Bell. He seldom needs +to make calls anymore. The phone phreaks all call him and let him know what +new tricks, new codes, new techniques they have learned. Every night he sits +like a sightless spider in his little apartment receiving messages from every +tendril of his web. It is almost a point of pride with Joe that they call +him. + +But when I reached him in his Memphis apartment that night, Joe Engressia was +lonely, jumpy and upset. + +"God, I'm glad somebody called. I don't know why tonight of all nights I don't +get any calls. This guy around here got drunk again tonight and propositioned +me again. I keep telling him we'll never see eye to eye on this subject, if +you know what I mean. I try to make light of it, you know, but he doesn't get +it. I can head him out there getting drunker and I don't know what he'll do + + Page 46 + + + + + The Official Phreaker's Manual + +next. It's just that I'm really all alone here, just moved to Memphis, it's +the first time I'm living on my own, and I'd hate for it to all collapse now. +But I won't go to bed with him. I'm just not very interested in sex and even +if I can't see him I know he's ugly. + +"Did you hear that? That's him banging a bottle against the wall outside. +He's nice. Well forget about it. You're doing a story on phone phreaks? +Listen to this. It's the MF Boogie Blues. + +Sure enough, a jumpy version of Muskrat Ramble boogies its way over the line, +each note one of those long-distance phone tones. The music stops. A huge +roaring voice blasts the phone off my ear: "AND THE QUESTION IS..." roars the +voice, "CAN A BLIND PERSON HOOK UP AN AMPLIFIER ON HIS OWN?" + +The roar ceases. A high-pitched operator-type voice replaces it. "This is +Southern Braille Tel. & Tel. Have tone, will phone." + +This is succeeded by a quick series of M-F tones, a swift "kachink" and a deep +reassuring voice: "If you need home care, call the visiting-nurses association. +First National time in Honolulu is 4:32 p.m." + +Joe back in his Joe voice again: "Are we seeing eye to eye? 'Si, si,' said the +blind Mexican. Ahem. Yes. Would you like to know the weather in Tokyo?" + +This swift manic sequence of phone-phreak vaudeville stunts and blind-boy jokes +manages to keep Joe's mind off his tormentor only as long as it lasts. + +"The reason I'm in Memphis, the reason I have to depend on that homosexual guy, +is that this is the first time I've been able to live on my own and make phone +trips on my own. I've been banned from all central offices around home in +Florida, they knew me too well, and at the University some of my fellow +scholars were always harassing me because I was on the dorm pay phone all the +time and making fun of me because of my fat ass, which of course I do have, +it's my physical fatness program, but I don't like to hear it every day, and if +I can't phone trip and I can't phone phreak, I can't imagine what I'd do, I've +been devoting three quarters of my life to it. + +"I moved to Memphis because I wanted to be on my own as well as because it has +a Number 5 crossbar switching system and some interesting little independent +phone-company districts nearby and so far they don't seem to know who I am so I +can go on phone tripping, and for me phone tripping is just as important as +phone phreaking." + +Phone tripping, Joe explains, begins with calling up a central-office switch +room. He tells the switchman in a polite earnest voice that he's a blind +college student interested in telephones, and could he perhaps have a guided +tour of the switching station? Each step of the tour Joe likes to touch and +feel relays, caress switching circuits, switchboards, crossbar arrangements. + +So when Joe Engressia phone phreaks he feels his way through the circuitry of +the country garden of forking paths, he feels switches shift, relays shunt, +crossbars swivel, tandems engage and disengage even as he hears -- with perfect +pitch -- his M-F pulses make the entire Bell system dance to his tune. + +Just one month ago Joe took all his savings out of his bank and left home, over +the emotional protests of his mother. "I ran away from home almost," he likes +to say. Joe found a small apartment house on Union Avenue and began making +phone trips. He'd take a bus a hundred miles south in Mississippi to see some + + Page 47 + + + + + The Official Phreaker's Manual + +old-fashioned Bell equipment still in use in several states, which had been +puzzling. He'd take a bus three hundred miles to Charlotte, North Carolina, to +look at some brand-new experimental equipment. He hired a taxi to drive him +twelve miles to a suburb to tour the office of a small phone company with some +interesting idiosyncrasies in its routing system. He was having the time of +his life, he said, the most freedom and pleasure he had known. + +In that month he had done very little long-distance phone phreaking from his +own phone. He had begun to apply for a job with the phone company, he told me, +and he wanted to stay away from anything illegal. + +"Any kind of job will do, anything as menial as the most lowly operator. +That's probably all they'd give me because I'm blind. Even though I probably +know more than most switchmen. But that's okay. I want to work for Ma Bell. +I don't hate Ma Bell the way Gilbertson and some phone phreaks do. I don't +want to screw Ma Bell. With me it's the pleasure of pure knowledge. There's +something beautiful about the system when you know it intimately the way I do. +But I don't know how much they know about me here. I have a very intuitive +feel for the condition of the line I'm on, and I think they're monitoring me +off and on lately, but I haven't been doing much illegal. I have to make a few +calls to switchmen once in a while which aren't strictly legal, and once I took +an acid trip and was having these auditory hallucinations as if I were trapped +and these planes were dive-bombing me, and all of sudden I had to phone phreak +out of there. For some reason I had to call Kansas City, but that's all." + +A Warning Is Delivered + +At this point -- one o'clock in my time zone -- a loud knock on my motel-room +door interrupts our conversation. Outside the door I find a uniformed security +guard who informs me that there has been an "emergency phone call" for me while +I have been on the line and that the front desk has sent him up to let me +know. + +Two seconds after I say good-bye to Joe and hang up, the phone rings. + +"Who were you talking to?" the agitated voice demands. The voice belongs to +Captain Crunch. "I called because I decided to warn you of something. I +decided to warn you to be careful. I don't want this information you get to +get to the radical underground. I don't want it to get into the wrong hands. +What would you say if I told you it's possible for three phone phreaks to +saturate the phone system of the nation. Saturate it. Busy it out. All of +it. I know how to do this. I'm not gonna tell. A friend of mine has already +saturated the trunks between Seattle and New York. He did it with a +computerized M-F-er hitched into a special Manitoba exchange. But there are +other, easier ways to do it." + +Just three people? I ask. How is that possible? + +"Have you ever heard of the long-lines guard frequency? Do you know about +stacking tandems with 17 and 2600? Well, I'd advise you to find out about it. +I'm not gonna tell you. But whatever you do, don't let this get into the hands +of the radical underground." + +(Later Gilbertson, the inventor, confessed that while he had always been +skeptical about the Captain's claim of the sabotage potential of trunk-tying +phone phreaks, he had recently heard certain demonstrations which convinced him +the Captain was not speaking idly. "I think it might take more than three +people, depending on how many machines like Captain Crunch's were available. + + Page 48 + + + + + The Official Phreaker's Manual + +But even though the Captain sounds a little weird, he generally turns out to +know what he's talking about.") + +"You know," Captain Crunch continues in his admonitory tone, "you know the +younger phone phreaks call Moscow all the time. Suppose everybody were to call +Moscow. I'm no right-winger. But I value my life. I don't want the Commies +coming over and dropping a bomb on my head. That's why I say you've got to be +careful about who gets this information." + +The Captain suddenly shifts into a diatribe against those phone phreaks who +don't like the phone company. + +"They don't understand, but Ma Bell knows everything they do. Ma Bell knows. +Listen, is this line hot? I just heard someone tap in. I'm not paranoid, but +I can detect things like that. Well, even if it is, they know that I know that +they know that I have a bulk eraser. I'm very clean." The Captain pauses, +evidently torn between wanting to prove to the phone-company monitors that he +does nothing illegal, and the desire to impress Ma Bell with his prowess. "Ma +Bell knows how good I am. And I am quite good. I can detect reversals, tandem +switching, everything that goes on on a line. I have relative pitch now. Do +you know what that means? My ears are a $20,000 piece of equipment. With my +ears I can detect things they can't hear with their equipment. I've had +employment problems. I've lost jobs. But I want to show Ma Bell how good I +am. I don't want to screw her, I want to work for her. I want to do good for +her. I want to help her get rid of her flaws and become perfect. That's my +number-one goal in life now." The Captain concludes his warnings and tells me +he has to be going. "I've got a little action lined up for tonight," he +explains and hangs up. + +Before I hang up for the night, I call Joe Engressia back. He reports that his +tormentor has finally gone to sleep -- "He's not blind drunk, that's the way I +get, ahem, yes; but you might say he's in a drunken stupor." I make a date to +visit Joe in Memphis in two days. + ++-- End second file of four --+ + + + + + + + + + + + + + + + + + + + + + + + + + Page 49 + + + + + The Official Phreaker's Manual + + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + * * + * +----------------------------------------------+ * + * * + * Secrets of the Little Blue Box * + * * + * by Ron Rosenbaum * + * Typed by One Farad Cap/AAG * + * * + * -A story so incredible it may even make you * + * feel sorry for the phone company- * + * * + * (Third of four files) * + * * + * +----------------------------------------------+ * + * * + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + +A Phone Phreak Call Takes Care of Business + +The next morning I attend a gathering of four phone phreaks in ----- (a +California suburb). The gathering takes place in a comfortable split-level +home in an upper-middle-class subdivision. Heaped on the kitchen table are the +portable cassette recorders, M-F cassettes, phone patches, and line ties of the +four phone phreaks present. On the kitchen counter next to the telephone is a +shoe-box-size blue box with thirteen large toggle switches for the tones. The +parents of the host phone phreak, Ralph, who is blind, stay in the living room +with their sighted children. They are not sure exactly what Ralph and his +friends do with the phone or if it's strictly legal, but he is blind and they +are pleased he has a hobby which keeps him busy. + +The group has been working at reestablishing the historic "2111" conference, +reopening some toll-free loops, and trying to discover the dimensions of what +seem to be new initiatives against phone phreaks by phone-company security +agents. + +It is not long before I get a chance to see, to hear, Randy at work. Randy is +known among the phone phreaks as perhaps the finest con man in the game. Randy +is blind. He is pale, soft and pear-shaped, he wears baggy pants and a wrinkly +nylon white sport shirt, pushes his head forward from hunched shoulders +somewhat like a turtle inching out of its shell. His eyes wander, crossing and +recrossing, and his forehead is somewhat pimply. He is only sixteen years +old. + +But when Randy starts speaking into a telephone mouthpiece his voice becomes so +stunningly authoritative it is necessary to look again to convince yourself it +comes from a chubby adolescent Randy. Imagine the voice of a crack oil-rig +foreman, a tough, sharp, weather-beaten Marlboro man of forty. Imagine the +voice of a brilliant performance-fund gunslinger explaining how he beats the +Dow Jones by thirty percent. Then imagine a voice that could make those two +sound like Stepin Fetchit. That is sixteen-year-old Randy's voice. + +He is speaking to a switchman in Detroit. The phone company in Detroit had +closed up two toll-free loop pairs for no apparent reason, although heavy use +by phone phreaks all over the country may have been detected. Randy is telling +the switchman how to open up the loop and make it free again: + +"How are you, buddy. Yeah. I'm on the board in here in Tulsa, Oklahoma, and + + Page 50 + + + + + The Official Phreaker's Manual + +we've been trying to run some tests on your loop-arounds and we find'em busied +out on both sides.... Yeah, we've been getting a 'BY' on them, what d'ya say, +can you drop cards on 'em? Do you have 08 on your number group? Oh that's +okay, we've had this trouble before, we may have to go after the circuit. Here +lemme give 'em to you: your frame is 05, vertical group 03, horizontal 5, +vertical file 3. Yeah, we'll hang on here.... Okay, found it? Good. Right, +yeah, we'd like to clear that busy out. Right. All you have to do is look for +your key on the mounting plate, it's in your miscellaneous trunk frame. Okay? +Right. Now pull your key from NOR over the LCT. Yeah. I don't know why that +happened, but we've been having trouble with that one. Okay. Thanks a lot +fella. Be seein' ya." + +Randy hangs up, reports that the switchman was a little inexperienced with the +loop-around circuits on the miscellaneous trunk frame, but that the loop has +been returned to its free-call status. + +Delighted, phone phreak Ed returns the pair of numbers to the active-status +column in his directory. Ed is a superb and painstaking researcher. With +almost Talmudic thoroughness he will trace tendrils of hints through soft-wired +mazes of intervening phone-company circuitry back through complex linkages of +switching relays to find the location and identity of just one toll-free loop. +He spends hours and hours, every day, doing this sort of thing. He has somehow +compiled a directory of eight hundred "Band-six in-WATS numbers" located in +over forty states. Band-six in-WATS numbers are the big 800 numbers -- the +ones that can be dialed into free from anywhere in the country. + +Ed the researcher, a nineteen-year-old engineering student, is also a superb +technician. He put together his own working blue box from scratch at age +seventeen. (He is sighted.) This evening after distributing the latest issue +of his in-WATS directory (which has been typed into Braille for the blind phone +phreaks), he announces he has made a major new breakthrough: + +"I finally tested it and it works, perfectly. I've got this switching matrix +which converts any touch-tone phone into an M-F-er." + +The tones you hear in touch-tone phones are not the M-F tones that operate the +long-distance switching system. Phone phreaks believe A.T.&T. had deliberately +equipped touch tones with a different set of frequencies to avoid putting the +six master M-F tones in the hands of every touch-tone owner. Ed's complex +switching matrix puts the six master tones, in effect put a blue box, in the +hands of every touch-tone owner. + +Ed shows me pages of schematics, specifications and parts lists. "It's not easy +to build, but everything here is in the Heathkit catalog." + +Ed asks Ralph what progress he has made in his attempts to reestablish a +long-term open conference line for phone phreaks. The last big conference -- +the historic "2111" conference -- had been arranged through an unused Telex +test-board trunk somewhere in the innards of a 4A switching machine in +Vancouver, Canada. For months phone phreaks could M-F their way into +Vancouver, beep out 604 (the Vancouver area code) and then beep out 2111 (the +internal phone-company code for Telex testing), and find themselves at any +time, day or night, on an open wire talking with an array of phone phreaks from +coast to coast, operators from Bermuda, Tokyo and London who are phone-phreak +sympathizers, and miscellaneous guests and technical experts. The conference +was a massive exchange of information. Phone phreaks picked each other's +brains clean, then developed new ways to pick the phone company's brains clean. +Ralph gave M F Boogies concerts with his home-entertainment-type electric + + Page 51 + + + + + The Official Phreaker's Manual + +organ, Captain Crunch demonstrated his round-the-world prowess with his +notorious computerized unit and dropped leering hints of the "action" he was +getting with his girl friends. (The Captain lives out or pretends to live out +several kinds of fantasies to the gossipy delight of the blind phone phreaks +who urge him on to further triumphs on behalf of all of them.) The somewhat +rowdy Northwest phone-phreak crowd let their bitter internal feud spill over +into the peaceable conference line, escalating shortly into guerrilla warfare; +Carl the East Coast international tone relations expert demonstrated newly +opened direct M-F routes to central offices on the island of Bahrein in the +Persian Gulf, introduced a new phone-phreak friend of his in Pretoria, and +explained the technical operation of the new Oakland-to Vietnam linkages. +(Many phone phreaks pick up spending money by M-F-ing calls from relatives to +Vietnam G.I.'s, charging $5 for a whole hour of trans-Pacific conversation.) + +Day and night the conference line was never dead. Blind phone phreaks all over +the country, lonely and isolated in homes filled with active sighted brothers +and sisters, or trapped with slow and unimaginative blind kids in straitjacket +schools for the blind, knew that no matter how late it got they could dial up +the conference and find instant electronic communion with two or three other +blind kids awake over on the other side of America. Talking together on a +phone hookup, the blind phone phreaks say, is not much different from being +there together. Physically, there was nothing more than a two-inch-square wafer +of titanium inside a vast machine on Vancouver Island. For the blind kids +>there< meant an exhilarating feeling of being in touch, through a kind of +skill and magic which was peculiarly their own. + +Last April 1, however, the long Vancouver Conference was shut off. The phone +phreaks knew it was coming. Vancouver was in the process of converting from a +step-by-step system to a 4A machine and the 2111 Telex circuit was to be wiped +out in the process. The phone phreaks learned the actual day on which the +conference would be erased about a week ahead of time over the phone company's +internal-news-and-shop-talk recording. + +For the next frantic seven days every phone phreak in America was on and off +the 2111 conference twenty-four hours a day. Phone phreaks who were just +learning the game or didn't have M-F capability were boosted up to the +conference by more experienced phreaks so they could get a glimpse of what it +was like before it disappeared. Top phone phreaks searched distant area codes +for new conference possibilities without success. Finally in the early morning +of April 1, the end came. + +"I could feel it coming a couple hours before midnight," Ralph remembers. "You +could feel something going on in the lines. Some static began showing up, then +some whistling wheezing sound. Then there were breaks. Some people got cut +off and called right back in, but after a while some people were finding they +were cut off and couldn't get back in at all. It was terrible. I lost it +about one a.m., but managed to slip in again and stay on until the thing +died... I think it was about four in the morning. There were four of us still +hanging on when the conference disappeared into nowhere for good. We all tried +to M-F up to it again of course, but we got silent termination. There was +nothing there." + +The Legendary Mark Bernay Turns Out To Be "The Midnight Skulker" + +Mark Bernay. I had come across that name before. It was on Gilbertson's +select list of phone phreaks. The California phone phreaks had spoken of a +mysterious Mark Bernay as perhaps the first and oldest phone phreak on the West +Coast. And in fact almost every phone phreak in the West can trace his origins + + Page 52 + + + + + The Official Phreaker's Manual + +either directly to Mark Bernay or to a disciple of Mark Bernay. + +It seems that five years ago this Mark Bernay (a pseudonym he chose for +himself) began traveling up and down the West Coast pasting tiny stickers in +phone books all along his way. The stickers read something like "Want to hear +an interesting tape recording? Call these numbers." The numbers that followed +were toll-free loop-around pairs. When one of the curious called one of the +numbers he would hear a tape recording pre-hooked into the loop by Bernay which +explained the use of loop-around pairs, gave the numbers of several more, and +ended by telling the caller, "At six o'clock tonight this recording will stop +and you and your friends can try it out. Have fun." + +"I was disappointed by the response at first," Bernay told me, when I finally +reached him at one of his many numbers and he had dispensed with the usual "I +never do anything illegal" formalities which experienced phone phreaks open +most conversations. + +"I went all over the coast with these stickers not only on pay phones, but I'd +throw them in front of high schools in the middle of the night, I'd leave them +unobtrusively in candy stores, scatter them on main streets of small towns. At +first hardly anyone bothered to try it out. I would listen in for hours and +hours after six o'clock and no one came on. I couldn't figure out why people +wouldn't be interested. Finally these two girls in Oregon tried it out and +told all their friends and suddenly it began to spread." + +Before his Johny Appleseed trip Bernay had already gathered a sizable group of +early pre-blue-box phone phreaks together on loop-arounds in Los Angeles. +Bernay does not claim credit for the original discovery of the loop-around +numbers. He attributes the discovery to an eighteen-year-old reform school kid +in Long Beach whose name he forgets and who, he says, "just disappeared one +day." When Bernay himself discovered loop-arounds independently, from clues in +his readings in old issues of the Automatic Electric Technical Journal, he +found dozens of the reform-school kid's friends already using them. However, it +was one of Bernay's disciples in Seattle that introduced phone phreaking to +blind kids. The Seattle kid who learned about loops through Bernay's recording +told a blind friend, the blind kid taught the secret to his friends at a winter +camp for blind kids in Los Angeles. When the camp session was over these kids +took the secret back to towns all over the West. This is how the original +blind kids became phone phreaks. For them, for most phone phreaks in general, +it was the discovery of the possibilities of loop-arounds which led them on to +far more serious and sophisticated phone-phreak methods, and which gave them a +medium for sharing their discoveries. + +A year later a blind kid who moved back east brought the technique to a blind +kids' summer camp in Vermont, which spread it along the East Coast. All from a +Mark Bernay sticker. + +Bernay, who is nearly thirty years old now, got his start when he was fifteen +and his family moved into an L.A. suburb serviced by General Telephone and +Electronics equipment. He became fascinated with the differences between Bell +and G.T.&E. equipment. He learned he could make interesting things happen by +carefully timed clicks with the disengage button. He learned to interpret +subtle differences in the array of clicks, whirrs and kachinks he could hear on +his lines. He learned he could shift himself around the switching relays of +the L.A. area code in a not-too-predictable fashion by interspersing his own +hook-switch clicks with the clicks within the line. (Independent phone +companies -- there are nineteen hundred of them still left, most of them tiny +island principalities in Ma Bell's vast empire -- have always been favorites + + Page 53 + + + + + The Official Phreaker's Manual + +with phone phreaks, first as learning tools, then as Archimedes platforms from +which to manipulate the huge Bell system. A phone phreak in Bell territory +will often M-F himself into an independent's switching system, with switching +idiosyncrasies which can give him marvelous leverage over the Bell System. + +"I have a real affection for Automatic Electric Equipment," Bernay told me. +"There are a lot of things you can play with. Things break down in interesting +ways." + +Shortly after Bernay graduated from college (with a double major in chemistry +and philosophy), he graduated from phreaking around with G.T.&E. to the Bell +System itself, and made his legendary sticker-pasting journey north along the +coast, settling finally in Northwest Pacific Bell territory. He discovered +that if Bell does not break down as interestingly as G.T.&E., it nevertheless +offers a lot of "things to play with." + +Bernay learned to play with blue boxes. He established his own personal +switchboard and phone-phreak research laboratory complex. He continued his +phone-phreak evangelism with ongoing sticker campaigns. He set up two recording +numbers, one with instructions for beginning phone phreaks, the other with +latest news and technical developments (along with some advanced instruction) +gathered from sources all over the country. + +These days, Bernay told me, he had gone beyond phone-phreaking itself. "Lately +I've been enjoying playing with computers more than playing with phones. My +personal thing in computers is just like with phones, I guess -- the kick is in +finding out how to beat the system, how to get at things I'm not supposed to +know about, how to do things with the system that I'm not supposed to be able +to do." + +As a matter of fact, Bernay told me, he had just been fired from his +computer-programming job for doing things he was not supposed to be able to do. +he had been working with a huge time-sharing computer owned by a large +corporation but shared by many others. Access to the computer was limited to +those programmers and corporations that had been assigned certain passwords. +And each password restricted its user to access to only the one section of the +computer cordoned off from its own information storager. The password system +prevented companies and individuals from stealing each other's information. + +"I figured out how to write a program that would let me read everyone else's +password," Bernay reports. "I began playing around with passwords. I began +letting the people who used the computer know, in subtle ways, that I knew +their passwords. I began dropping notes to the computer supervisors with hints +that I knew what I know. I signed them 'The Midnight Skulker.' I kept getting +cleverer and cleverer with my messages and devising ways of showing them what I +could do. I'm sure they couldn't imagine I could do the things I was showing +them. But they never responded to me. Every once in a while they'd change the +passwords, but I found out how to discover what the new ones were, and I let +them know. But they never responded directly to the Midnight Skulker. I even +finally designed a program which they could use to prevent my program from +finding out what it did. In effect I told them how to wipe me out, The +Midnight Skulker. It was a very clever program. I started leaving clues about +myself. I wanted them to try and use it and then try to come up with something +to get around that and reappear again. But they wouldn't play. I wanted to +get caught. I mean I didn't want to get caught personally, but I wanted them +to notice me and admit that they noticed me. I wanted them to attempt to +respond, maybe in some interesting way." + + + Page 54 + + + + + The Official Phreaker's Manual + +Finally the computer managers became concerned enough about the threat of +information-stealing to respond. However, instead of using The Midnight +Skulker's own elegant self-destruct program, they called in their security +personnel, interrogated everyone, found an informer to identify Bernay as The +Midnight Skulker, and fired him. + +"At first the security people advised the company to hire me full-time to +search out other flaws and discover other computer freaks. I might have liked +that. But I probably would have turned into a double double agent rather than +the double agent they wanted. I might have resurrected The Midnight Skulker +and tried to catch myself. Who knows? Anyway, the higher-ups turned the whole +idea down." + +You Can Tap the F.B.I.'s Crime Control Computer in the Comfort of Your Own +Home, Perhaps + +Computer freaking may be the wave of the future. It suits the phone-phreak +sensibility perfectly. Gilbertson, the blue-box inventor and a lifelong phone +phreak, has also gone on from phone-phreaking to computer-freaking. Before he +got into the blue-box business Gilbertson, who is a highly skilled programmer, +devised programs for international currency arbitrage. + +But he began playing with computers in earnest when he learned he could use his +blue box in tandem with the computer terminal installed in his apartment by the +instrumentation firm he worked for. The print-out terminal and keyboard was +equipped with acoustical coupling, so that by coupling his little ivory +Princess phone to the terminal and then coupling his blue box on that, he could +M-F his way into other computers with complete anonymity, and without charge; +program and re-program them at will; feed them false or misleading information; +tap and steal from them. He explained to me that he taps computers by busying +out all the lines, then going into a verification trunk, listening into the +passwords and instructions one of the time sharers uses, and them M-F-ing in +and imitating them. He believes it would not be impossible to creep into the +F.B.I's crime control computer through a local police computer terminal and +phreak around with the F.B.I.'s memory banks. He claims he has succeeded in +re-programming a certain huge institutional computer in such a way that it has +cordoned off an entire section of its circuitry for his personal use, and at +the same time conceals that arrangement from anyone else's notice. I have been +unable to verify this claim. + +Like Captain Crunch, like Alexander Graham Bell (pseudonym of a +disgruntled-looking East Coast engineer who claims to have invented the black +box and now sells black and blue boxes to gamblers and radical heavies), like +most phone phreaks, Gilbertson began his career trying to rip off pay phones as +a teenager. Figure them out, then rip them off. Getting his dime back from +the pay phone is the phone phreak's first thrilling rite of passage. After +learning the usual eighteen different ways of getting his dime back, Gilbertson +learned how to make master keys to coin-phone cash boxes, and get everyone +else's dimes back. He stole some phone-company equipment and put together his +own home switchboard with it. He learned to make a simple "bread-box" device, +of the kind used by bookies in the Thirties (bookie gives a number to his +betting clients; the phone with that number is installed in some widow lady's +apartment, but is rigged to ring in the bookie's shop across town, cops trace +big betting number and find nothing but the widow). + +Not long after that afternoon in 1968 when, deep in the stacks of an +engineering library, he came across a technical journal with the phone tone +frequencies and rushed off to make his first blue box, not long after that + + Page 55 + + + + + The Official Phreaker's Manual + +Gilbertson abandoned a very promising career in physical chemistry and began +selling blue boxes for $1,500 apiece. + +"I had to leave physical chemistry. I just ran out of interesting things to +learn," he told me one evening. We had been talking in the apartment of the +man who served as the link between Gilbertson and the syndicate in arranging +the big $300,000 blue-box deal which fell through because of legal trouble. +There has been some smoking. + +"No more interesting things to learn," he continues. "Physical chemistry turns +out to be a sick subject when you take it to its highest level. I don't know. +I don't think I could explain to you how it's sick. You have to be there. But +you get, I don't know, a false feeling of omnipotence. I suppose it's like +phone-phreaking that way. This huge thing is there. This whole system. And +there are holes in it and you slip into them like Alice and you're pretending +you're doing something you're actually not, or at least it's no longer you +that's doing what you thought you were doing. It's all Lewis Carroll. +Physical chemistry and phone-phreaking. That's why you have these phone-phreak +pseudonyms like The Cheshire Cat, the Red King, and The Snark. But there's +something about phone-phreaking that you don't find in physical chemistry." He +looks up at me: + +"Did you ever steal anything?" + +"Well yes, I..." + +"Then you know! You know the rush you get. It's not just knowledge, like +physical chemistry. It's forbidden knowledge. You know. You can learn about +anything under the sun and be bored to death with it. But the idea that it's +illegal. Look: you can be small and mobile and smart and you're ripping off +somebody large and powerful and very dangerous." + +People like Gilbertson and Alexander Graham Bell are always talking about +ripping off the phone company and screwing Ma Bell. But if they were shown a +single button and told that by pushing it they could turn the entire circuitry +of A.T.&T. into molten puddles, they probably wouldn't push it. The +disgruntled-inventor phone phreak needs the phone system the way the lapsed +Catholic needs the Church, the way Satan needs a God, the way The Midnight +Skulker needed, more than anything else, response. + +Later that evening Gilbertson finished telling me how delighted he was at the +flood of blue boxes spreading throughout the country, how delighted he was to +know that "this time they're really screwed." He suddenly shifted gears. + +"Of course. I do have this love/hate thing about Ma Bell. In a way I almost +like the phone company. I guess I'd be very sad if they were to disintegrate. +In a way it's just that after having been so good they turn out to have these +things wrong with them. It's those flaws that allow me to get in and mess with +them, but I don't know. There's something about it that gets to you and makes +you want to get to it, you know." + +I ask him what happens when he runs out of interesting, forbidden things to +learn about the phone system. + +"I don't know, maybe I'd go to work for them for a while." + +"In security even?" + + + Page 56 + + + + + The Official Phreaker's Manual + +"I'd do it, sure. I just as soon play -- I'd just as soon work on either +side." + +"Even figuring out how to trap phone phreaks? I said, recalling Mark Bernay's +game." + +"Yes, that might be interesting. Yes, I could figure out how to outwit the +phone phreaks. Of course if I got too good at it, it might become boring +again. Then I'd have to hope the phone phreaks got much better and outsmarted +me for a while. That would move the quality of the game up one level. I might +even have to help them out, you know, 'Well, kids, I wouldn't want this to get +around but did you ever think of -- ?' I could keep it going at higher and +higher levels forever." + +The dealer speaks up for the first time. He has been staring at the soft +blinking patterns of light and colors on the translucent tiled wall facing him. +(Actually there are no patterns: the color and illumination of every tile is +determined by a computerized random-number generator designed by Gilbertson +which insures that there can be no meaning to any sequence of events in the +tiles.) + +"Those are nice games you're talking about," says the dealer to his friend. +"But I wouldn't mind seeing them screwed. A telephone isn't private anymore. +You can't say anything you really want to say on a telephone or you have to go +through that paranoid bullshit. 'Is it cool to talk on the phone?' I mean, +even if it is cool, if you have to ask 'Is it cool,' then it isn't cool. You +know. 'Is it cool,' then it isn't cool. You know. Like those blind kids, +people are going to start putting together their own private telephone +companies if they want to really talk. And you know what else. You don't hear +silences on the phone anymore. They've got this time-sharing thing on +long-distance lines where you make a pause and they snip out that piece of time +and use it to carry part of somebody else's conversation. Instead of a pause, +where somebody's maybe breathing or sighing, you get this blank hole and you +only start hearing again when someone says a word and even the beginning of the +word is clipped off. Silences don't count -- you're paying for them, but they +take them away from you. It's not cool to talk and you can't hear someone when +they don't talk. What the hell good is the phone? I wouldn't mind seeing them +totally screwed." + ++-- End third file of four --+ + + + + + + + + + + + + + + + + + + + + Page 57 + + + + + The Official Phreaker's Manual + + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + * * + * +----------------------------------------------+ * + * * + * Secrets of the Little Blue Box * + * * + * by Ron Rosenbaum * + * Typed by One Farad Cap/AAG * + * * + * -A story so incredible it may even make you * + * feel sorry for the phone company- * + * * + * (Fourth of four files) * + * * + * +----------------------------------------------+ * + * * + ***** The AAG Proudly Presents The AAG Proudly Presents ***** + +The Big Memphis Bust + +Joe Engressia never wanted to screw Ma Bell. His dream had always been to work +for her. + +The day I visited Joe in his small apartment on Union Avenue in Memphis, he was +upset about another setback in his application for a telephone job. + +"They're stalling on it. I got a letter today telling me they'd have to +postpone the interview I requested again. My landlord read it for me. They +gave me some runaround about wanting papers on my rehabilitation status but I +think there's something else going on." + +When I switched on the 40-watt bulb in Joe's room -- he sometimes forgets when +he has guests -- it looked as if there was enough telephone hardware to start a +small phone company of his own. + +There is one phone on top of his desk, one phone sitting in an open drawer +beneath the desk top. Next to the desk-top phone is a cigar-box-size M-F +device with big toggle switches, and next to that is some kind of switching and +coupling device with jacks and alligator plugs hanging loose. Next to that is +a Braille typewriter. On the floor next to the desk, lying upside down like a +dead tortoise, is the half-gutted body of an old black standard phone. Across +the room on a torn and dusty couch are two more phones, one of them a +touch-tone model; two tape recorders; a heap of phone patches and cassettes, +and a life-size toy telephone. + +Our conversation is interrupted every ten minutes by phone phreaks from all +over the country ringing Joe on just about every piece of equipment but the toy +phone and the Braille typewriter. One fourteen-year-old blind kid from +Connecticut calls up and tells Joe he's got a girl friend. He wants to talk to +Joe about girl friends. Joe says they'll talk later in the evening when they +can be alone on the line. Joe draws a deep breath, whistles him off the air +with an earsplitting 2600-cycle whistle. Joe is pleased to get the calls but he +looked worried and preoccupied that evening, his brow constantly furrowed over +his dark wandering eyes. In addition to the phone-company stall, he has just +learned that his apartment house is due to be demolished in sixty days for +urban renewal. For all its shabbiness, the Union Avenue apartment house has +been Joe's first home-of-his-own and he's worried that he may not find another +before this one is demolished. + + Page 58 + + + + + The Official Phreaker's Manual + + +But what really bothers Joe is that switchmen haven't been listening to him. +"I've been doing some checking on 800 numbers lately, and I've discovered that +certain 800 numbers in New Hampshire couldn't be reached from Missouri and +Kansas. Now it may sound like a small thing, but I don't like to see sloppy +work; it makes me feel bad about the lines. So I've been calling up switching +offices and reporting it, but they haven't corrected it. I called them up for +the third time today and instead of checking they just got mad. Well, that +gets me mad. I mean, I do try to help them. There's something about them I +can't understand -- you want to help them and they just try to say you're +defrauding them." + +It is Sunday evening and Joe invites me to join him for dinner at a Holiday +Inn. Frequently on Sunday evening Joe takes some of his welfare money, calls a +cab, and treats himself to a steak dinner at one of Memphis' thirteen Holiday +Inns. (Memphis is the headquarters of Holiday Inn. Holiday Inns have been a +favorite for Joe ever since he made his first solo phone trip to a Bell +switching office in Jacksonville, Florida, and stayed in the Holiday Inn there. +He likes to stay at Holiday Inns, he explains, because they represent freedom +to him and because the rooms are arranged the same all over the country so he +knows that any Holiday Inn room is familiar territory to him. Just like any +telephone.) + +Over steaks in the Pinnacle Restaurant of the Holiday Inn Medical Center on +Madison Avenue in Memphis, Joe tells me the highlights of his life as a phone +phreak. + +At age seven, Joe learned his first phone trick. A mean baby-sitter, tired of +listening to little Joe play with the phone as he always did, constantly, put a +lock on the phone dial. "I got so mad. When there's a phone sitting there and +I can't use it... so I started getting mad and banging the receiver up and +down. I noticed I banged it once and it dialed one. Well, then I tried +banging it twice...." In a few minutes Joe learned how to dial by pressing the +hook switch at the right time. "I was so excited I remember going 'whoo whoo' +and beat a box down on the floor." + +At age eight Joe learned about whistling. "I was listening to some intercept +non working-number recording in L.A.- I was calling L.A. as far back as that, +but I'd mainly dial non working numbers because there was no charge, and I'd +listen to these recordings all day. Well, I was whistling 'cause listening to +these recordings can be boring after a while even if they are from L.A., and +all of a sudden, in the middle of whistling, the recording clicked off. I +fiddled around whistling some more, and the same thing happened. So I called +up the switch room and said, 'I'm Joe. I'm eight years old and I want to know +why when I whistle this tune the line clicks off.' He tried to explain it to +me, but it was a little too technical at the time. I went on learning. That +was a thing nobody was going to stop me from doing. The phones were my life, +and I was going to pay any price to keep on learning. I knew I could go to +jail. But I had to do what I had to do to keep on learning." + +The phone is ringing when we walk back into Joe's apartment on Union Avenue. +It is Captain Crunch. The Captain has been following me around by phone, +calling up everywhere I go with additional bits of advice and explanation for +me and whatever phone phreak I happen to be visiting. This time the Captain +reports he is calling from what he describes as "my hideaway high up in the +Sierra Nevada." He pulses out lusty salvos of M-F and tells Joe he is about to +"go out and get a little action tonight. Do some phreaking of another kind, if +you know what I mean." Joe chuckles. + + Page 59 + + + + + The Official Phreaker's Manual + + +The Captain then tells me to make sure I understand that what he told me about +tying up the nation's phone lines was true, but that he and the phone phreaks +he knew never used the technique for sabotage. They only learned the technique +to help the phone company. + +"We do a lot of troubleshooting for them. Like this New Hampshire/Missouri +WATS-line flaw I've been screaming about. We help them more than they know." + +After we say good-bye to the Captain and Joe whistles him off the line, Joe +tells me about a disturbing dream he had the night before: "I had been caught +and they were taking me to a prison. It was a long trip. They were taking me +to a prison a long long way away. And we stopped at a Holiday Inn and it was +my last night ever using the phone and I was crying and crying, and the lady at +the Holiday Inn said, 'Gosh, honey, you should never be sad at a Holiday Inn. +You should always be happy here. Especially since it's your last night.' And +that just made it worse and I was sobbing so much I couldn't stand it." + +Two weeks after I left Joe Engressia's apartment, phone-company security agents +and Memphis police broke into it. Armed with a warrant, which they left pinned +to a wall, they confiscated every piece of equipment in the room, including his +toy telephone. Joe was placed under arrest and taken to the city jail where he +was forced to spend the night since he had no money and knew no one in Memphis +to call. + +It is not clear who told Joe what that night, but someone told him that the +phone company had an open-and-shut case against him because of revelations of +illegal activity he had made to a phone-company undercover agent. + +By morning Joe had become convinced that the reporter from Esquire, with whom +he had spoken two weeks ago, was the undercover agent. He probably had ugly +thoughts about someone he couldn't see gaining his confidence, listening to him +talk about his personal obsessions and dreams, while planning all the while to +lock him up. + +"I really thought he was a reporter," Engressia told the Memphis Press-Seminar. +"I told him everything...." Feeling betrayed, Joe proceeded to confess +everything to the press and police. + +As it turns out, the phone company did use an undercover agent to trap Joe, +although it was not the Esquire reporter. + +Ironically, security agents were alerted and began to compile a case against +Joe because of one of his acts of love for the system: Joe had called an +internal service department to report that he had located a group of defective +long-distance trunks, and to complain again about the New Hampshire/Missouri +WATS problem. Joe always liked Ma Bell's lines to be clean and responsive. A +suspicious switchman reported Joe to the security agents who discovered that +Joe had never had a long-distance call charged to his name. + +Then the security agents learned that Joe was planning one of his phone trips +to a local switching office. The security people planted one of their agents +in the switching office. He posed as a student switchman and followed Joe +around on a tour. He was extremely friendly and helpful to Joe, leading him +around the office by the arm. When the tour was over he offered Joe a ride back +to his apartment house. On the way he asked Joe -- one tech man to another -- +about "those blue boxers" he'd heard about. Joe talked about them freely, +talked about his blue box freely, and about all the other things he could do + + Page 60 + + + + + The Official Phreaker's Manual + +with the phones. + +The next day the phone-company security agents slapped a monitoring tape on +Joe's line, which eventually picked up an illegal call. Then they applied for +the search warrant and broke in. + +In court Joe pleaded not guilty to possession of a blue box and theft of +service. A sympathetic judge reduced the charges to malicious mischief and +found him guilty on that count, sentenced him to two thirty-day sentences to be +served concurrently and then suspended the sentence on condition that Joe +promise never to play with phones again. Joe promised, but the phone company +refused to restore his service. For two weeks after the trial Joe could not be +reached except through the pay phone at his apartment house, and the landlord +screened all calls for him. + +Phone-phreak Carl managed to get through to Joe after the trial, and reported +that Joe sounded crushed by the whole affair. + +"What I'm worried about," Carl told me, "is that Joe means it this time. The +promise. That he'll never phone-phreak again. That's what he told me, that +he's given up phone-phreaking for good. I mean his entire life. He says he +knows they're going to be watching him so closely for the rest of his life +he'll never be able to make a move without going straight to jail. He sounded +very broken up by the whole experience of being in jail. It was awful to hear +him talk that way. I don't know. I hope maybe he had to sound that way. Over +the phone, you know." + +He reports that the entire phone-phreak underground is up in arms over the +phone company's treatment of Joe. "All the while Joe had his hopes pinned on +his application for a phone-company job, they were stringing him along getting +ready to bust him. That gets me mad. Joe spent most of his time helping them +out. The bastards. They think they can use him as an example. All of sudden +they're harassing us on the coast. Agents are jumping up on our lines. They +just busted ------'s mute yesterday and ripped out his lines. But no matter +what Joe does, I don't think we're going to take this lying down." + +Two weeks later my phone rings and about eight phone phreaks in succession say +hello from about eight different places in the country, among them Carl, Ed, +and Captain Crunch. A nationwide phone-phreak conference line has been +reestablished through a switching machine in --------, with the cooperation of +a disgruntled switchman. + +"We have a special guest with us today," Carl tells me. + +The next voice I hear is Joe's. He reports happily that he has just moved to a +place called Millington, Tennessee, fifteen miles outside of Memphis, where he +has been hired as a telephone-set repairman by a small independent phone +company. Someday he hopes to be an equipment troubleshooter. + +"It's the kind of job I dreamed about. They found out about me from the +publicity surrounding the trial. Maybe Ma Bell did me a favor busting me. +I'll have telephones in my hands all day long." + +"You know the expression, 'Don't get mad, get even'?" phone-phreak Carl asked +me. "Well, I think they're going to be very sorry about what they did to Joe +and what they're trying to do to us." + ++-- End fourth file of four --+ + + Page 61 + + + + + The Official Phreaker's Manual + + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + $ $ + $ THE HISTORY OF ESS $ + $ --- ------- -- --- $ + $ $ + $ $ + $ Another original phile by: $ + $ $ + $ $ + $$$$$$$$$$$$-=>Lex Luthor<=-$$$$$$$$$$$ + $ $ + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + + + Of all the new 1960s wonders of telephone technology - satellites, ultra +modern Traffic Service Positions (TSPS) for operators, the picturephone, and so +on - the one that gave Bell Labs the most trouble, and unexpectedly became the +greatest development effort in Bell System's history, was the perfection of an +electronic switching system, or ESS. + + It may be recalled that such a system was the specific end in view when the +project that had culminated in the invention of the transistor had been +launched back in the 1930s. After successful accomplishment of that planned +miracle in 1947-48, further delays were brought about by financial stringency +and the need for further development of the transistor itself. In the early +1950s, a Labs team began serious work on electronic switching. As early as +1955, Western Electric became involved when five engineers from the Hawthorne +works were assigned to collaborate with the Labs on the project. The president +of AT&T in 1956, wrote confidently, "At Bell Labs, development of the new +electronic switching system is going full speed ahead. We are sure this will +lead to many improvements in service and also to greater efficiency. The first +service trial will start in Morris, Ill., in 1959." Shortly thereafter, Kappel +said that the cost of the whole project would probably be $45 million. + + But it gradually became apparent that the development of a commercially +usable electronic switching system -in effect, a computerized telephone +exchange - presented vastly greater technical problems than had been +anticipated, and that, accordingly, Bell Labs had vastly underestimated both +the time and the investment needed to do the job. The year 1959 passed without +the promised first trial at Morris, Illinois; it was finally made in November +1960, and quickly showed how much more work remained to be done. As time +dragged on and costs mounted, there was a concern at AT&T and some-thing +approaching panic at Bell Labs. But the project had to go forward; by this +time the investment was too great to be sacrificed, and in any case, forward +projections of increased demand for telephone service indicated that within a +phew years a time would come when, without the quantum leap in speed and +flexibility that electronic switching would provide, the national network would +be unable to meet the demand. In November 1963, an all-electronic switching +system went into use at the Brown Engineering Company at Cocoa Beach, Florida. +But this was a small installation, essentially another test installation, +serving only a single company. Kappel's tone on the subject in the 1964 annual +report was, for him, an almost apologetic: "Electronic switching equipment must +be manufactured in volume to unprecedented standards of reliability.... To turn +out the equipment economically and with good speed, mass production methods +must be developed; but, at the same time, there can be no loss of precision..." +Another year and millions of dollars later, on May 30, 1965, the first +commercial electric central office was put into service at Succasunna, New +Jersey. + + Page 62 + + + + + The Official Phreaker's Manual + + + Even at Succasunna, only 200 of the town's 4,300 subscribers initially had +the benefit of electronic switching's added speed and additional services, such +as provision for three party conversations and automatic transfer of incoming +calls. But after that, ESS was on its way. In January 1966, the second +commercial installation, this one serving 2,900 telephones, went into service +in Chase, Maryland. By the end of 1967 there were additional ESS offices in +California, Connecticut, Minnesota, Georgia, New York, Florida, and +Pennsylvania; by the end of 1970 there were 120 offices serving 1.8 million +customers; and by 1974 there were 475 offices serving 5.6 million customers. + + The difference between conventional switching and electronic switching is +the difference between "hardware" and "software"; in the former case, +maintenance is done on the spot, with screwdriver and pliers, while in the case +of electronic switching, it can be done remotely, by computer, from a central +point, making it possible to have only one or two technicians on duty at a time +at each switching center. + + The development program, when the final figures were added up, was found to +have required a staggering four thousand man-years of work at Bell Labs and to +have cost not $45 million but $500 million! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 63 + + + + + The Official Phreaker's Manual + + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + $ $ + $ THE HISTORY OF BRITISH PHREAKING $ + $ -=- -=-=-=- -- -=-=-=- -=-=-=-=- $ + $ $ + $ THE SECOND IN A SERIES OF $ + $ THE HISTORY OF.....PHILES $ + $ $ + $ WRITTEN AND UPLOADED BY: $ + $ $ + $$$$$$$$$$$$-=>LEX LUTHOR<=-$$$$$$$$$$$ + $ AND $ + $ THE LEGION OF DOOM! $ + $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ + + NOTE: THE BRITISH POST OFFICE, IS THE U.S. EQUIVALENT OF MA BELL. + + IN BRITAIN, PHREAKING GOES BACK TO THE EARLY FIFTIES, WHEN THE TECHNIQUE OF +'TOLL A DROP BACK' WAS DISCOVERED. TOLL A WAS AN EXCHANGE NEAR ST. PAULS +WHICH ROUTED CALLS BETWEEN LONDON AND NEARBY NON-LONDON EXCHANGES. THE TRICK +WAS TO DIAL AN UNALLOCATED NUMBER, AND THEN DEPRESS THE RECEIVER-REST FOR 1/2 +SECOND. THIS FLASHING INITIATED THE 'CLEAR FORWARD' SIGNAL, LEAVING THE CALLER +WITH AN OPEN LINE INTO THE TOLL A EXCHANGE.THE COULD THEN DIAL 018, WHICH +FORWARDED HIM TO THE TRUNK EXCHANGE AT THAT TIME, THE FIRST LONG DISTANCE +EXCHANGE IN BRITAIN AND FOLLOW IT WITH THE CODE FOR THE DISTANT EXCHANGE TO +WHICH HE WOULD BE CONNECTED AT NO EXTRA CHARGE. + + THE SIGNALS NEEDED TO CONTROL THE UK NETWORK TODAY WERE PUBLISHED IN THE +"INSTITUTION OF POST OFFICE ENGINEERS JOURNAL" AND REPRINTED IN THE SUNDAY +TIMES (15 OCT. 1972). + + THE SIGNALLING SYSTEM THEY USE: SIGNALLING SYSTEM NO. 3 USES PAIRS OF +FREQUENCIES SELECTED FROM 6 TONES SEPARATED BY 120HZ. WITH THAT INFO, THE +PHREAKS MADE "BLEEPERS" OR AS THEY ARE CALLED HERE IN THE U.S. "BLUE BOX", BUT +THEY DO UTILIZE DIFFERENT MF TONES THEN THE U.S., THUS, YOUR U.S. BLUE BOX +THAT YOU SMUGGLED INTO THE UK WILL NOT WORK, UNLESS YOU CHANGE THE +FREQUENCIES. + + IN THE EARLY SEVENTIES, A SIMPLER SYSTEM BASED ON DIFFERENT NUMBERS OF PULSES +WITH THE SAME FREQUENCY (2280HZ) WAS USED. FOR MORE INFO ON THAT, TRY TO GET A +HOLD OF: ATKINSON'S "TELEPHONY AND SYSTEMS TECHNOLOGY". + + IN THE EARLY DAYS OF BRITISH PHREAKING, THE CAMBRIDGE UNIVERSITY TITAN +COMPUTER WAS USED TO RECORD AND CIRCULATE NUMBERS FOUND BY THE EXHAUSTIVE +DIALING OF LOCAL NETWORKS. THESE NUMBERS WERE USED TO CREATE A CHAIN OF LINKS +FROM LOCAL EXCHANGE TO LOCAL EXCHANGE ACROSS THE COUNTRY, BYPASSING THE TRUNK +CIRCUITS. BECAUSE THE INTERNAL ROUTING CODES IN THE UK NETWORK ARE NOT THE +SAME AS THOSE DIALED BY THE CALLER, THE PHREAKS HAD TO DISCOVER THEM BY 'PROBE +AND LISTEN' TECHNIQUES OR MORE COMMONLY KNOWN IN THE U.S.-- SCANNING. WHAT +THEY DID WAS PUT IN LIKELY SIGNALS AND LISTENED TO FIND OUT IF THEY SUCCEEDED. +THE RESULTS OF SCANNING WERE CIRCULATED TO OTHER PHREAKS. DISCOVERING EACH +OTHER TOOK TIME AT FIRST, BUT EVENTUALLY THE PHREAKS BECAME ORGANIZED. THE +"TAP" OF BRITAIN WAS CALLED "UNDERCURRENTS" WHICH ENABLED BRITISH PHREAKS TO +SHARE THE INFO ON NEW NUMBERS, EQUIPMENT ETC. + + TO UNDERSTAND WHAT THE BRITISH BRITISH PHREAKS DID, THINK OF THE PHONE +NETWORK IN THREE LAYERS OF LINES: LOCAL, TRUNK, AND INTERNATIONAL.#IN THE UK, +SUBSCRIBER TRUNK DIALING (STD), IS THE MECHANISM WHICH TAKES A CALL FROM THE + + Page 64 + + + + + The Official Phreaker's Manual + +LOCAL LINES AND (LEGITIMATELY) ELEVATES IT TO A TRUNK OR INTERNATIONAL +LEVEL.#THE UK PHREAKS FIGURED THAT A CALL AT TRUNK LEVEL CAN BE ROUTED THROUGH +ANY NUMBER OF EXCHANGES, PROVIDED THAT THE RIGHT ROUTING CODES WERE FOUND AND +USED CORRECTLY. THEY ALSO HAD TO DISCOVER HOW TO GET FROM LOCAL TO TRUNK LEVEL +EITHER WITHOUT BEING CHARGED (WHICH THEY DID WITH A BLEEPER BOX) OR WITHOUT +USING (STD). CHAINING HAS ALREADY BEEN MENTIONED BUT IT REQUIRES LONG STRINGS +OF DIGITS AND SPEECH GETS MORE AND MORE FAINT AS THE CHAIN GROWS, JUST LIKE IT +DOES WHEN YOU STACK TRUNKS BACK AND FORTH ACROSS THE U.S.#THE WAY THE SECURITY +REPS SNAGGED THE PHREAKS WAS TO PUT A SIMPLE 'PRINTERMETER' OR AS WE CALL IT: +A PEN REGISTER ON THE SUSPECTS LINE, WHICH SHOWS EVERY DIGIT DIALED FROM THE +SUBSCRIBERS LINE. + + THE BRITISH PREFER TO GET ONTO THE TRUNKS RATHER THAN CHAINING. ONE WAY WAS +TO DISCOVER WHERE LOCAL CALLS USE THE TRUNKS BETWEEN NEIGHBORING EXCHANGES, +START A CALL AND STAY ON THE TRUNK INSTEAD OF RETURNING TO THE LOCAL LEVEL ON +REACHING THE DISTANT SWITCH. THIS AGAIN REQUIRED EXHAUSTIVE DIALING AND MADE +MORE WORK FOR TITAN; IT ALSO REVEALED 'FIDDLES', WHICH WERE INSERTED BY POST +OFFICE ENGINEERS. + + WHAT FIDDLING MEANS IS THAT THE ENGINEERS REWIRED THE EXCHANGES FOR THEIR OWN +BENEFIT. THE EQUIPMENT IS MODIFIED TO GIVE ACCESS TO A TRUNK WITH OUT BEING +CHARGED, AN OPERATION WHICH IS PRETTY EASY IN STEP BY STEP (SXS) +ELECTROMECHANICAL EXCHANGES, WHICH WERE INSTALLED IN BRITAIN EVEN IN THE 1970S +(NOTE: I KNOW OF A BACK DOOR INTO THE CANADIAN SYSTEM ON A 4A CO., SO IF YOU +ARE ON SXS OR A 4A, TRY SCANNING 3 DIGIT EXCHANGES, IE: DIAL 999,998,997 +ETC.#AND LISTEN FOR THE BEEP-KERCHINK, IF THERE ARE NO 3 DIGIT CODES WHICH +ALLOW DIRECT ACCESS TO A TANDEM IN YOUR LOCAL EXCHANGE AND BYPASSES THE AMA SO +YOU WON'T BE BILLED, NOT HAVE TO BLAST 2600 EVERY TIME YOU WISH TO BOX A CALL. + + A FAMOUS BRITISH 'FIDDLER' REVEALED IN THE EARLY 1970S WORKED BY DIALING 173. +THE CALLER THEN ADDED THE TRUNK CODE OF 1 AND THE SUBSCRIBERS LOCAL NUMBER. AT +THAT TIME, MOST ENGINEERING TEST SERVICES BEGAN WITH 17X, SO THE ENGINEERS +COULD HIDE THEIR FIDDLES IN THE NEST OF SERVICE WIRES. WHEN SECURITY REPS +STARTED SEARCHING, THE FIDDLES WERE CONCEALED BY TONES SIGNALLING: 'NUMBER +UNOBTAINALBE' OR 'EQUIPMENT ENGAGED' WHICH SWITCHED OFF AFTER A DELAY. THE +NECESSARY RELAYS ARE SMALL AND EASILY HIDDEN. + + THERE WAS ANOTHER SIDE TO PHREAKING IN THE UK IN THE SIXTIES. BEFORE STD WAS +WIDESPREAD, MANY 'ORDINARY' PEOPLE WERE DRIVEN TO. + +OCCASIONAL PHREAKING FROM SHEER FRUSTRATION AT THE INEFFICIENT OPERATOR +CONTROLLED TRUNK SYSTEM. THIS CAME TO A HEAD DURING A STRIKE ABOUT 1961 WHEN +OPERATORS COULD NOT BE REACHED. NOTHING COMPLICATED WAS NEEDED. MANY +OPERATORS HAD BEEN IN THE HABIT OF REPEATING THE CODES AS THEY DIALLED THE +REQUESTED NUMBERS SO PEOPLE SOON LEARNT THE NUMBERS THEY CALLED FREQUENTLY. +THE ONLY 'TRICK' WAS TO KNOW WHICH EXCHANGES COULD BE DIALLED THROUGH TO PASS +ON THE TRUNK NUMBER.CALLERS ALSO NEEDED A PRETTY QUIET PLACE TO DO IT, SINCE +TIMING RELATIVE TO CLICKS WAS IMPORTANT THE MOST FAMOUS TRIAL OF BRITISH +PHREAKS WAS CALLED THE OLD BAILY TRIAL.#WHICH STARTED ON 3 OCT. 1973.#WHAT +THEY PHREAKS DID WAS TO DIAL A SPARE NUMBER AT A LOCAL CALL RATE BUT INVOLVING +A TRUNK TO ANOTHER EXCHANGE THEN THEY SEND A 'CLEAR FORWARD' TO THEIR LOCAL +EXCHANGE, INDICATING TO IT THAT THE CALL IS FINISHED;BUT THE DISTANT EXCHANGE +DOESN'T REALIZE BECAUSE THE CALLER'S PHONE IS STILL OFF THE HOOK. THEY NOW +HAVE AN OPEN LINE INTO THE DISTANT TRUNK EXCHANGE AND SENDS TO IT A 'SEIZE' +SIGNAL: '1' WHICH PUTS HIM ONTO ITS OUTGOING LINES NOW, IF THEY KNOW THE +CODES, THE WORLD IS OPEN TO THEM. ALL OTHER EXCHANGES TRUST HIS LOCAL EXCHANGE +TO HANDLE THE BILLING; THEY JUST INTERPRET THE TONES THEY HEAR. MEAN WHILE, +THE LOCAL EXCHANGE COLLECTS ONLY FOR A LOCAL CALL. THE INVESTIGATORS + + Page 65 + + + + + The Official Phreaker's Manual + +DISCOVERED THE PHREAKS HOLDING A CONFERENCE SOMEWHERE IN ENGLAND SURROUNDED BY +VARIOUS PHONE EQUIPMENT AND BLEEPER BOXES, ALSO PRINTOUTS LISTING 'SECRET' POST +OFFICE CODES. (THEY PROBABLY GOT THEM FROM TRASHING?) THE JUDGE SAID: "SOME +TAKE TO HEROIN, SOME TAKE TO TELEPHONES" FOR THEM PHONE PHREAKING WAS NOT A +CRIME BUT A HOBBY TO BE SHARED WITH PHELLOW ENTHUSIASTS AND DISCUSSED WITH THE +POST OFFICE OPENLY OVER DINNER AND BY MAIL. THEIR APPROACH AND ATTITUDE TO THE +WORLDS LARGEST COMPUTER, THE GLOBAL TELEPHONE SYSTEM, WAS THAT OF SCIENTISTS +CONDUCTING EXPERIMENTS OR PROGRAMMERS AND ENGINEERS TESTING PROGRAMS AND +SYSTEMS. THE JUDGE APPEARED TO AGREE, AND EVEN ASKED THEM FOR PHREAKING CODES +TO USE FROM HIS LOCAL EXCHANGE!!! + +# $-THE END-$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 66 + + + + + The Official Phreaker's Manual + + Bad as Shit + + Recently, a telephone fanatic in the northwest made an interesting +discovery. He was exploring the 804 area code (Virginia) and found out that +the 840 exchange did something strange. + In the vast majority of cases, in fact in all of the cases except one, he +would get a recording as if the exchange didn't exist. However, if he dialed +804-840 and four rather predictable numbers, he got a ring! + + After one or two rings, somebody picked up. Being experienced at this kind +of thing, he could tell that the call didn't "supe", that is, no charges were +being incurred for calling this number. + (Calls that get you to an error message, or a special operator, generally +don't supervise.) A female voice, with a hint of a Southern accent said, +"Operator, can I help you?" + + "Yes," he said, "What number have I reached?" + + "What number did you dial, sir?" + + He made up a number that was similar. + + "I'm sorry that is not the number you reached." Click. + + He was fascinated. What in the world was this? He knew he was going to +call back, but before he did, he tried some more experiments. He tried the 840 +exchange in several other area codes. In some, it came up as a valid exchange. +In others, exactly the same thing happened -- the same last four digits, the +same Southern belle. Oddly enough, he later noticed, the areas worked in +seemed to travel in a beeline from Washington DC to Pittsburgh, PA. + + He called back from a payphone. "Operator, can I help you?" + + "Yes, this is the phone company. I'm testing this line and we don't seem to +have an identification on your circuit. What office is this, please?" + + "What number are you trying to reach?" + + "I'm not trying to reach any number. I'm trying to identify this circuit." + + "I'm sorry, I can't help you." + + "Ma'am, if I don't get an ID on this line, I'll have to disconnect it. We +show no record of it here." + + "Hold on a moment, sir." + + After about a minute, she came back. "Sir, I can have someone speak to you. +Would you give me your number, please?" + + He had anticipated this and he had the payphone number ready. After he gave +it, she said, "Mr. XXX will get right back to you." + + "Thanks." He hung up the phone. It rang. INSTANTLY! "Oh my God," he +thought, "They weren't asking for my number -- they were confirming it!" + + "Hello," he said, trying to sound authoritative. + + + Page 67 + + + + + The Official Phreaker's Manual + + "This is Mr. XXX. Did you just make an inquiry to my office concerning a +phone number?" + + "Yes. I need an identi--" + + "What you need is advice. Don't ever call that number again. Forget you +ever knew it." + + At this point our friend got so nervous he just hung up. He expected to +hear the phone ring again but it didn't. + + Over the next few days he racked his brains trying to figure out what the +number was. He knew it was something big -- that was pretty certain at this +point. It was so big that the number was programmed into every central office +in the country. He knew this because if he tried to dial any other number in +that exchange, he'd get a local error message from his CO, as if the exchange +didn't exist. + + It finally came to him. He had an uncle who worked in a federal agency. He +had a feeling that this was government related and if it was, his uncle could +probably find out what it was. He asked the next day and his uncle promised to +look into the matter. + + The next time he saw his uncle, he noticed a big change in his manner. He +was trembling. "Where did you get that number?!" he shouted. "Do you know I +almost got fired for asking about it?!? They kept wanting to know where I got +it." + + Our friend couldn't contain his excitement. "What is it?" he pleaded. +"What's the number?!" + +"IT'S THE PRESIDENT'S BOMB SHELTER!" + + He never called the number after that. He knew that he could probably cause +quite a bit of excitement by calling the number and saying something like, "The +weather's not good in Washington. We're coming over for a visit." But our +friend was smart. he knew that there were some things that were better off +unsaid and undone. <> + + + + + + + + + + + + + + + + + + + + + + Page 68 + + + + + The Official Phreaker's Manual + + Chapter 3 + + This chapter is really just a bunch of FACS (pun intended). Here is where +random facts that really have something to do with everything else but nothing +to do with anything else, are presented. They cover various topics such as: +Conferencing, Tracing, Pen registers, Calling cards, and some basic FMF (Fool +the Mother Fuckers). The aspects covered here are very brief and could easily +be covered much more thoroughly, but it is no problem since they are not very +important topics. Something that would make a very nice gift is covered in the +article AT&T forgery. Just make up stationary with AT&T letter head and give +it as a present to your phriends who would appreciate it. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 69 + + + + + The Official Phreaker's Manual + + Phreaking COSMOS + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + COSMOS is Bell's computer for handling information on customer lines, +special services on lines, and orders to change line equipment, disconnect +lines, etc. COSMOS stands for Computerized System for Mainframe Operations. It +is based on the UNIX operating system and, depending upon the COSMOS and upon +your access, has some, many, or no UNIX standard commands. COSMOS is powerful, +but there is no reason to be afraid of it. This article will give some of the +basic, pertinent info on how users get in, account format, and a few other +goodies. + + Password Identification + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + To get onto COSMOS you need a dialup, account, password, and wire center +(WC). Wire centers are two letter codes that tell what section of the COSMOS +you are in. There are different WC's f or different areas and groups of +exchanges. Examples are PB, SR, LK, et c. Sometimes there are accounts that +have no password; obviously such accounts are the easiest to hack. + + Checking It Out + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + Let's suppose you have a COSMOS number which you obtained one way or +another. The first thing to do would be to make sure it is really a COSMOS +system, not some other Bell or AT&T computer. To do this, you would call it +and connect your modem,, then hit some returns until you got a response. It +should say: + + ';LOGIN:' or 'NAME:'. + If you enter some garbage it should say: +'PASSWORD:'. + If you hit a return and it says 'WC?', it is a COSMOS system. If it says +something like 'TA%' then you're in business. If it doesn't do any of the +above, then it is either some other kind of system, or, if you're not getting +anything at all, the dialup has probably gone bad. + + Getting In + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + COSMOS has certain accounts that are usually on the system, one of which +might not have a password. They consist of ROOT (most powerful and almost +always on the system), SYS (second most powerful, still many privileges), BIN +(a little less power), PREOP (a little less), and COSMOS (hardly any +privileges, like a normal user). The way to tell if they have passwords is by +entering accounts at the ';LOGIN:' or ' NAME:' prompt, and if it jumps straight +to 'WC?', all you need is a WC to get in. But suppose all of the accounts have +passwords? You have two choices. You can try to hack the password and WC to +one of the above accounts. I won't deal with this method, as is +self-explanatory. Or you can do something I find much easier...call the +COSMOS during business hours and hope that someone forgot to log off. Keep +calling until when you connect and hit return until you get a 'WC%' prompt. +'WC' is the WC that the account you found is currently in. You are now in! + + What to Do while on-line + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + + Page 70 + + + + + The Official Phreaker's Manual + + The first thing you want to do is write down the WC you are in. Only on our +first login it is a good idea to print everything or dump everything to a +buffer. + + Commands + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +'WCFLDS'(!) : Should list all WC's. +'WHO' : Should print everyone currently logged on the system, giving +some accounts. +'TTY' : Tells what terminal port you are on. +'WHERE' : Should tell the location of the COSMOS installation. +'WHAT' : Tells what version of COSNIX, COSMOS's operating system, it +is. +'LS *' : Prints all the files you have access to. +'CD /dir' : Connects you to the directory '/dir'. +'CAT filename ' : Prints the file 'filename'. +'Q' : Quits the editor. +CTRL- Y. : Logs off +'TAT' : Sometimes prints a little help file. +'ISH' : Check someone's telefone #, type 'ISH' at the COSMOS 'WC%' +prompt. Then type. +'HTN XXX-XXXX' : (Hunt Telephone Number) to tell you about the local number +you are interested in. + +'CAT /ETC/PASSWD': Prints out the password file, if you have access. The +passwords are almost always encrypted, but you get a list of all the accounts. +If you are lucky, one of the lines will have two colons after the account name. +This means there is no prompt from the ';LOGIN:' or 'NAME:' prompts when you +enter that account. + +To run a file just type the name followed by a return. + + When the system gives you a '-', you type a '.', and it will type all kinds +of info on the phone number you entered (in Bell abbreviations, of course). If +it is not a good exchange, it will say something to that effect. You type a +period to end the ISH. + If you wish to learn more information about COSMOS, find yourself a COSMOS +manual or look at future issues of 2600. A UNIX manual would also be helpful +for standard UNIX commands. + + + + + + + + + + + + + + + + + + + + + Page 71 + + + + + The Official Phreaker's Manual + + FACS FACTS + A LOOK AT THE NEW FACS SYSTEMS + BY SHARP RAZOR + + + BELL ATLANTIC (AND PROBABLY THE REST OF THE U.S. SOON ENOUGH) IS REVAMPING +COSMOS. THE PROJECT IS CALLED FACS (FACILITATED ASSIGNMENT AND CONTROL +SYSTEM).FACS IS COMPOSED OF 5 MODULES WHICH ARE DESIGNED TO FUNCTION AS A +UNIFIED SYSTEM. THE PREMIS AND THE COSMOS SYSTEMS CAN FUNCTION AS ST AND-ALONE +SYSTEMS.THE FIVE PARTS OF FACS ARE PREMIS,SOAC, LFACS,COSMOS,AND THE WM. + + THE PREMIS (PREMISES INFORMATION SYSTEM) SUPPORTS BOTH RESIDENCE AND +BUSINESS ACCOUNTS. PREMIS IS USED FOR VARIOUS INQUIRIES FOR THE STREET ADDRESS +GUIDE(SAG),IE::PHONE NUMBERS,BILLING CHARGES,CREDIT,ETC. + + THE SECOND PART OF FACS IS THE SOAC(SERVICE ORDER ANALYSIS AND CONTROL). +THIS IS PRIMARILY USED TO INPUT SERVICE ORDER DATA INTO FACS, AND TO GET THE +APPROPRIATE OUTPUT. SOAC INTERPRETS, VALIDATES,AND DECOMPOSES ALL INPUTED DATA +AND SENDS THE INFO TO THE COSMOS AND THE LFACS SYSTEMS. + + THE THIRD PART OF THE SYSTEM IS LFACS(LOOP FACILITIES AND CONTROL SYSTEM). +THIS IS THE COMPONENT OF FACS THAT IS RESPONSIBLE FOR MAINTAINING THE +INVENTORY,DOING THE ASSIGNMENTS, ADMINISTRATING INQUIRIES AND REPORTS, AND IS +THE INVENTORY TRANSFORMATION CENTER. THIS PART OF FACS WILL BE MOSTLY USED FOR +AIDING THE AT&T LINEMEN. + + THE COSMOS SYSTEM(COMPUTER SYSTEM FOR MAINFRAME OPERATIONS) COMPRISES THE +FOURTH PART OF THE FACS SYSTEM. COSMOS IS THE COMPONENT OF FACS THAT IS +RESPONSIBLE FOR MAINTAINING THE MECHANIZED INVENTORY OF MDF FACILITIES,STORING +CUSTOM CALL FEATURES(IE:SPEED DIALING NUMBERS),AND OTHER MISC. INFO. + + THE FIFTH AND LAST PIECE OF THE FACS SYSTEM IS THE WORK MANAGER (WM). HIS +COMPONENT SERVES AS THE FRONT-END PROCESSOR FOR COSMOS. IT ENABLES A NUMBER OF +COSMOS COMPUTERS TO RELIABLY COMMUNICATE WITH THE OTHER FACS COMPONENTS. WM +SERVES AS THE MESSAGES SWITCHING SYSTEM FOR THE FACS PIECES, AND GENERALLY IS +THE "MESSENGER AND STABILIZER" OF THE SYSTEM. + + THE HARDWARE THAT WILL RUN THIS FACS SYSTEM IS: + COSMOS: 22-WECO. 3B-20S MINI COMPS. + WM: 6-WECO. 3B-20S MINI COMPS. + SOAC-LFACS-PREMIS: TWO SPERRY UNIVAC 1100/92 MAINFRAMES. + BANCS 2 THP CYBER 1000 PROCESSORS. + + THE FACS SYSTEM IS STARTING UP AT THIS VERY MOMENT. THIS IS BASICALLY A +BROAD VIEW OF THE FACS SYSTEM. AT&T SEEMS TO THINK THAT FACS WILL BE MORE +EFFICIENT,SAVE THEM MONEY IN THE LONG RUN, AND SAVE THEM WORKERS(HERE COME SOME +MASSIVE LAYOFFS!) WHAT THIS MEANS TO PHREAKERS AND HACKERS IS THAT YOU WILL NOW +HAVE AT LEAST FIVE DIAL-UPS IN AN AREA CODE WITH WHICH YOU CAN PHUCK WITH +AT&T! + + ..LATER.. + ..SHARP RAZOR>> + THE LEGION OF DOOM! +(NOTE: THE FACS SYSTEM HAS RECENTLY BEEN PUT INTO OPERATION(SUMMER 84) IN +ST.LOUIS MISSOURI) + + + + + Page 72 + + + + + The Official Phreaker's Manual + + Telenet + + It seems that not many of you know that Telenet is connected to about 80 +computer-networks in the world. No, I don't mean 80 nodes, but 80 networks with +thousands of unprotected computers. When you call your local Telenet- gateway, +you can only call those computers which accept reverse-charging- calls. + If you want to call computers in foreign countries or computers in USA which +do not accept R-calls, you need a Telenet-ID. Did you ever notice that you can +type ID XXXX when being connected to Telenet? You are then asked for the +password. If you have such a NUI (Network-User-ID) you can call nearly every +host connected to any computer-network in the world. Here are some examples: + +026245400090184 :Is a VAX in Germany (Username: DATEXP and leave mail for +CHRIS !!!) +0311050500061 :Is the Los Alamos Integrated computing network (One of the +hosts connected to it is the DNA (Defense Nuclear Agency)!!!) +0530197000016 :Is a BBS in New Zealand +024050256 :Is the S-E-Bank in Stockholm, Sweden (Login as GAMES !!!) +02284681140541 :CERN in Geneva in Switzerland (one of the biggest nuclear +research centers in the world) Login as GUEST +0234212301161 :A Videotex-standard system. Type OPTEL to get in and use the +ID 999_ with the password 9_ +0242211000001 :University of Oslo in Norway (Type LOGIN 17,17 to play the +Multi-User-Dungeon !) +0425130000215 :Something like ITT Dialcom, but this one is in Israel ! ID +HELP with password HELP works fine with security level 3 +0310600584401 :Is the Washington Post News Service via Tymnet (Yes, Tymnet is +connected to Telenet, too !) ID and Password is: PETER You can read the news +of the next day ! + +The prefixes are as follows: +02624 is Datex-P in Germany +02342 is PSS in England +03110 is Telenet in USA +03106 is Tymnet in USA +02405 is Telepak in Sweden +04251 is Isranet in Israel +02080 is Transpac in France +02284 is Telepac in Switzerland +02724 is Eirpac in Ireland +02704 is Luxpac in Luxembourg +05252 is Telepac in Singapore +04408 is Venus-P in Japan +...and so on... Some of the countries have more than one +packet-switching-network (USA has 11, Canada has 3, etc). + +OK. That should be enough for the moment. As you see most of the passwords are +very simple. This is because they must not have any fear of hackers. Only a few +German hackers use these networks. Most of the computers are absolutely easy to +hack !!! So, try to find out some Telenet-ID's and leave them here. If you need +more numbers, leave e-mail. +I'm calling from Germany via the German Datex-P network, which is similar to +Telenet. We have a lot of those NUI's for the German network, but none for a +special Tymnet-outdial-computer in USA, which connects me to any phone #. + +CUL8R, Mad Max + +PS: Call 026245621040000 and type ID INF300 with password DATACOM to get more + + Page 73 + + + + + The Official Phreaker's Manual + +Informations on packet-switching-networks ! + +PS2: The new password for the Washington Post is KING !!!! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 74 + + + + + The Official Phreaker's Manual + + Phreaking AT&T Cards + =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + My topic will deal with using an AT&T calling card for automated calls. Ok +to place a call with an AT&T card, lift the handset (PAY PHONE) hit (0) and the +desired area code and the number to call. Also when calling the same number +that the card is being billed to you enter the phone number and at the tone +only enter the last four digits on the card. But we don't want to do that now, +do we. If additional calls are wanted all you do is hit the (#) and you will +get a new dial tone! After you hit (#) you do not have to re-enter the calling +card number simply enter your desired number and it will connect you. + If the number you called is busy just keep hitting (#) and the number to be +called until you connect! Ok to calL the U.S. of a from another country, you +use the exact same format as described above! + Ok now I will describe the procedure for placing calls to a foreign +country, such as CANADA,RUSSIA,SOUTH AMERICA, etc.. Ok first lift the handset +then enter (01) + the country code + the city code + the local telephone +number. Ok after you get the tone enter the AT&T calling card number. Ok if you +can not dial operator assisted calls from your area don't worry just jingle the +operator and she will handle your call, don't worry she can't see you! + The international number on the AT&T calling card is used for calling the +US of A from places like RUSSIA, CHINA you never know when you might get stuck +in a country like those and you have no money to make a call! The international +operator will be able to tell you if they honor the AT&T calling card. + Well I hope that this has straightened out some of your problems on the use +of an AT&T calling card! All you have to remember is that weather you are +placing the call or the operator, be careful and never use the calling card +from your home phone!! That is a BIG NO NO.. + + Also AT&T has came out with a new thing called (NEW CARD CALLER SERVICE) +they say that it was designed to meet the public's needs! These phones will be +popping up in many place such as airport terminals, hotels, etc... What the new +card caller service is, is a new type of phone that has a (CRT) screen that +will talk to you in a language of your choice. The service works something +like this, when you find a (NEW CARD CALLER PHONE), all you do is follow the +instructions on the (CRT) screen, then you insert the (NEW CARD CALLER CARD) +and there is a strip of magnetic tape on the card which reads the number, thus +no one can hear you saying your number or if there were a bug in the phone,no +touch tones will be heard!! You can also bill the call to a third party. that +is one that I am not totally clear on yet! The phone is supposed to tell you +how it can be done. That is after you have inserted your card and lifted the +receiver! + + + + + + + + + + + + + + + + + + Page 75 + + + + + The Official Phreaker's Manual + + :%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%: + :% %: + :% AT&T FORGERY %: + :% Written by The Blue Buccaneer %: + :% %: + :% CALL THE EVERLASTING SPEED DEMON BBS AT (415) 522-3074 %: + :% Uploaded by Elric of Imrryr of Lunatic Labs UnLtd %: + :%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%: + + +Here is a very simple way to either: + +[1] Play an incredibly cruel and realistic joke on a phreaking friend. + -OR- +[2] Provide yourself with everything you ever wanted to be an AT&T person. + + All you need to do is get your hands on some AT&T paper and/or business +cards. To do this you can either go down to your local business office and +swipe a few or call up somewhere like WATTS INFORMATION and ask them to send +you their information package. They will send you: +1. A nice letter (with the AT&T logo letterhead) saying "Here is the info." +2. A business card (again with AT&T) saying who the sales representative is. +3. A very nice color booklet telling you all about WATTS lines. +4. Various billing information. (Discard as it is very worthless) + + Now take the piece of AT&T paper and the AT&T business card down to your +local print/copy shop. Tell them to run you off several copies of each, but to +leave out whatever else is printed on the business card/letter. If they refuse +or ask why, take your precious business elsewhere. +(This should only cost you around $2.00 total) + + Now take the copies home and either with your typewriter, MAC, or Fontrix, +add whatever name, address, telephone number, etc. you like. (I would recommend +just changing the name on the card and using whatever information was on there +earlier) + + And there you have official AT&T letters and business cards. As mentioned +earlier, you can use them in several ways. Mail a nice letter to someone you +hate (on AT&T paper..hehehe) saying that AT&T is onto them or something like +that. (Be sure to use correct English and spelling) (Also do not hand write +the letter! Use a typewriter! - Not Fontrix as AT&T doesn't use OLD ENGLISH or +ASCII BOLD when they type letters. Any IBM typewriter will do perfectly) + + Another possible use (of many, I guess) is (if you are old enough to look +the part) to use the business card as some sort of fake id. + + The last example of uses for the fake AT&T letters & b.cards is mentioned in +my textfile, BASIC RADIO CALLING. Briefly, send the station a letter that +reads: + WCAT - FM202: (Like my examples? Haha!) +(As you probably know, radio stations give away things by accepting the 'x' +call. (ie: The tenth caller through wins a pair of Van Halen tickets) Sometimes +they may ask a trivia question, but that's your problem. Anyway, the letter +continues:) + (You basically say that they have become so popular that they are getting too +many calls at once from listeners trying to win tickets. By asking them to +call all at the same time is overloading our systems. We do, of course, have +means of handling these sort of matters, but it would require you sending us a + + Page 76 + + + + + The Official Phreaker's Manual + +schedule of when you will be asking your listeners to call in. That way we +would be able to set our systems to handle the amount of callers you get at +peak times..(etc..etc..more BS..But you get the idea, right?) + +Joseph Hakimout +AT&T Telecommunications +East Bumblefuck, Nowheresville 55555 + + + Ok, so it probably won't work (DJs just aren't that dumb, unless you really +do live in Nowheresville), but using AT&T paper and a business card might up +your chances some. + + :-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:- + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 77 + + + + + The Official Phreaker's Manual + + =><---------------------------------><= + => A little something about <= + => Your phone company <= + =><---------------------------------><= + => By Col. Hogan <= + ======================================== + + Ever get an operator who gave you a hard time, and you didn't know +what to do? Well if the operator hears you use a little Bell jargon, she might +wise up. Here is a little diagram (excuse the artwork) of the structure of +operators + +/--------\ /------\ /-----\ +!Operator!-- > ! S.A. ! --->! BOS ! +\--------/ \------/ \-----/ + ! + ! + V +/-------------\ +! Group Chief ! +\-------------/ + + Now most of the operators are not bugged, so they can curse at you, if they +do ask INSTANTLY for the "S.A." or the Service Assistant. The operator does not +report to her (95% of them are hers) but they will solve most of your problems. +She MUST give you her name as she connects & all of these calls are bugged. If +the SA gives you a rough time get her BOS (Business Office Supervisor) on the +line. S/He will almost always back her girls up, but sometimes the SA will get +tarred and feathered. The operator reports to the Group Chief, and S/He will +solve 100% of your problems, but the chances of getting S/He on the line are +nill. + If a lineman (the guy who works out on the poles) or an installation man +gives you the works ask to speak to the Installation Foreman, that works +wonders. + Here is some other bell jargon, that might come in handy if you are having +trouble with the line. Or they can be used to lie your way out of +situations.... + + An Erling is a line busy for 1 hour, used mostly in traffic studies A +Permanent Signal is that terrible howling you get if you disconnect, but don't +hang up. + Everyone knows what a busy signal is, but some idiots think that is the +*Actual* ringing of the phone, when it just is a tone "beeps" when the phone is +ringing, wouldn't bet on this though, it can (and does) get out of sync. + When you get a busy signal that is 2 times as fast as the normal one, the +person you are trying to reach isn't really on the phone, (he might be), it is +actually the signal that a trunk line somewhere is busy and they haven't or +can't reroute your call. Sometimes you will get a Recording, or if you get +nothing at all (Left High & Dry in fone terms) all the recordings are being +used and the system is really overused, will probably go down in a little +while. This happened when Kennedy was shot, the system just couldn't handle the +calls. By the way this is called the "reorder signal" and the trunk line is +"blocked". + One more thing, if an overseas call isn't completed and doesn't generate +any money for AT&T, is is called an "Air & Water Call". + + + + + Page 78 + + + + + The Official Phreaker's Manual + + [ESSENCE OF TELEPHONE CONFERENCING] + [WRITTEN BY:] + [FOREST RANGER] + + TELEPHONE CONFERENCING IS AN EASY WAY OF GETTING MANY FRIENDS TOGETHER AT +ONCE. THIS CAN BE ACCOMPLISHED EASILY WITH LITTLE OR NO TROUBLE WHAT SO EVER. +THE TECHNIQUES THAT I WILL TEACH YOU DO NOT REQUIRE A BLUE BOX OR A TOUCH TONE +PHONE LINE. THE ONLY PREREQUISITE IS THAT YOU HAVE A PHONE THAT HAS A TONE +SWITCH ON IT OR HAVE A HOOKABLE TOUCH TONE KEYPAD. NOW, IF YOU ARE THE PARANOID +TYPE OF PERSON AND REFUSE TO USE YOUR OWN PHONE OUT OF YOUR HOUSE THEN HERE ARE +SOME SIMPLE WAYS OF GETTING CONFERENCES STARTED FROM ANOTHER PHONE. GO TO A +MALL OR A PLACE WHERE YOU KNOW THE PHONE IS BEING PAYED FOR BY THE BUSINESS IT +IS IN. + NOW THERE ARE TWO TO CALL THE CONFERENCE OPERATOR; DIAL "0" TO GET YOUR +LOCAL OPERATOR SO SHE CAN PUT YOU THROUGH TO THE CONFERENCE OPERATOR OR DIAL +THE CONFERENCE OPERATOR DIRECTLY IF YOU HAVE THE NUMBER HANDY. THE SYSTEM YOU +WILL BE LINKED UP TO IS CALLED THE "ALLIANCE" SYSTEM. THERE ARE THREE BRANCHES; +1000,2000,3000. + NOW ONCE YOU HAVE GOTTEN THE CONFERENCE OPERATOR YOU TELL HER YOU WOULD +LIKE TO START A CONFERENCE AND YOU WOULD LIKE TO MAINTAIN CONTROL OF IT. SHE +WILL THEN PROCEED TO ASK YOU FOR YOUR NAME AND NUMBER. YOU WILL THEN GIVE HER A +FAKE NAME AND THE NUMBER OF THE PAY PHONE. SHE WILL HANG UP AND CALL YOU BACK +ONCE SHE HAS CHECKED THE NUMBER. THEY USUALLY DON'T REALIZE IT IS A PAYPHONE SO +DON'T THINK IT WON'T WORK! NOW ONCE THE OPERATOR HAS GIVEN YOU CONTROL YOU WILL +THEN PROCEED TO HACK MY VOICE PHONE AND PUT ME ON THE CONFERENCE. + NOW, THE OTHER WAY OF STARTING A CONFERENCE IN WHICH YOU DON'T GET A LIVE +OPERATOR IS A "PBX". WITH THIS YOU WILL CALL A PBX NUMBER AND YOU WILL THEN +RECEIVE A RECORDING OF A BUSINESS OR OFFICE CO. THEN WHEN THE RECORDING IS OVER +YOU WILL HERE A BEEP...THEN AFTER ABOUT 10-30 SECONDS AFTER THE BEEP YOU WILL +GET A DIAL TONE ON THE ON THE END OF THE PBX. YOU WILL THEN TYPE THE PBX CODE +WHICH WILL THEN RESPOND WITH A RECORDING WELCOMING YOU TO THE CONFERENCING +NETWORK (WHICH WILL IN MOST IF NOT ALL BE THE "ALLIANCE" SYSTEM). + IT WILL BE SELF EXPLANATORY FROM THERE. NOW IF YOU DON'T WISH TO CALL THE +CONFERENCE OPERATOR EITHER WAY ALREADY EXPLAINED THEN THERE IS A WAS OF GETTING +YOUR FRIENDS IN CONFERENCE. THIS IS DONE OVER A LOOP EXTENSION. NO ONE WILL +HAVE CONTROL, BUT YOU WILL STILL BE ON CONFERENCE. THIS IS CALLED THE SEVEN +LINE LOOP EXTENSION. THIS MEANS YOU CAN HAVE UP TO SEVEN MEMBERS, BUT THAT IS +IT! THE NUMBER IS IN LA, CA. 213-206-2820. THE LAST WAY I WILL EXPLAIN TO YOU +IF YOU ARE IN DESPERATE NEED OF A CONFERENCE IS TO GO TO PAY PHONE LIKE I +MENTIONED BEFORE ANY MAKE SURE SOME BUSINESS PAYS THE BILL FOR IT THEN CALL THE +CONFERENCE OPERATOR IN THE FASHIONS MENTIONED AND ASK THE CONFERENCE OPERATOR +TO PLACE CONFERENCE CALLS. + THE WILL THEN ASK FOR THE NUMBERS OF THE PEOPLE TO PUT ON CONFERENCE, YOU +GIVE HER THE NUMBERS AND SHE WILL PUT YOU ALL ON CONFERENCE. WHEN YOU ARE DONE +YOU WILL HANG UP ON HER SO THERE WILL BE NO ONE IN CONTROL.THAT MEANS THE +CONFERENCE WILL BE BILLED TO THE PAYPHONE AND NO ONE CAN BE BLAMED FOR THE +CONFERENCE DUE TO NO ONE BEING IN CONTROL! ***NOTE*** THE CONFERENCE OPERATOR +WILL NOT BE ON WHILE YOU ARE ALL TALKING! REMEMBER THAT CONFERENCES ARE NOT +HARD AND IT IS VERY HARD TO GET ARRESTED ON ONE DUE TO WHAT I HAVE MENTIONED. + + REMEMBER:REACH OUT AND PHREAK SOMEONE! + + + +[TELEPHONE CONFERENCE CONTROLS] + + # - CONTROL MODE + # - 6 PASSES CONTROL + + Page 79 + + + + + The Official Phreaker's Manual + + # - 1 + AREA CODE & NUMBER ADDS + # - 9 SILENT MODE + # - 7 GETS CONFERENCE OPERATOR + * - ENDS CONFERENCE + + + THE "#" IS THE CONTROL KEY ON YOUR CONFERENCES. WHEN YOU PASS CONTROL TO +SOMEONE ELSE HIT THE "#" THEN "6". WAIT FOR THE RECORDING TO SAY ENTER # OF +PERSON TO PASS CONTROL TO, THEN ENTER THE NUMBER OF THE PERSON YOU ARE GOING TO +GIVE CONTROL TO. + TO ADD A PERSON ON TO THE CONFERENCE HIT "#" THEN "1","AREA CODE","NUMBER". +THEN WHEN THE PERSON ANSWERS WAIT FIVE SECONDS THEN HIT THE "#" TO ADD. IF YOU +ARE IN CONTROL OF THE CONFERENCE AND YOU WANT TO HEAR EVERYONE ELSE, BUT YOU DO +NOT WANT TO BE HEARD IT "#" THEN "9" THEN THE "#" TO REJOIN THE CONFERENCE. +REMEMBER AFTER ADDING SOMEONE ON OR PASSING CONTROL TO SOMEONE YOU MUST ALWAYS +HIT THE "#" TO REJOIN THE OTHERS ON CONFERENCE: PASSING CONTROL: "#","6", WAIT +FOR RECORDING TO SAY ENTER NUMBER OF PARTY TO GIVE CONTROL TO THEN ENTER NUMBER +AND HIT "#" TO REJOIN YOUR CONFERENCE.IF YOU EVER WANT TO GET A CONFERENCE +OPERATOR FOR SOME STRANGE REASON THEN HIT "#","7" AND WAIT FOR A CONFERENCE +OPERATOR TO CLICK ON. TO END A CONFERENCE HIT "*". + + WITH HELP FROM: SILICON FALCON, SILVER CONDOR, AND THE ELIMINATOR. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 80 + + + + + The Official Phreaker's Manual + + Phone Tapping + + HERE IS SOME INFO ON PHONE TAPS. I HAVE ENCLOSED A SCHEMATIC FOR A SIMPLE +WIRETAP & INSTRUCTIONS FOR HOOKING UP A TAPE RECORDER CONTROL RELAY TO THE +PHONE LINE. + FIRST I'LL DISCUSS TAPS A LITTLE. THERE ARE MANY DIFFERENT TYPES OF TAPS. +THERE ARE TRANSMITTERS, WIRED TAPS AND INDUCTION TAPS TO NAME A FEW. WIRED AND +WIRELESS TRANSMITTERS MUST BE PHYSICALLY CONNECTED TO THE LINE BEFORE THEY'LL +DO ANY GOOD. ONCE A WIRELESS TAP IS CONNECTED TO THE LINE, IT CAN TRANSMIT ALL +CONVERSATIONS OVER A LIMITED RANGE. THE PHONES IN THE HOUSE CAN EVEN BE +MODIFIED TO PICK UP CONVERSATIONS IN THE ROOM & TRANSMIT THEM TOO! THESE TAPS +ARE USUALLY POWERED OFF THE PHONE LINE, BUT CAN HAVE AN EXTERNAL POWER SOURCE. + WIRED TAPS, ON THE OTHER HAND, NEED NO POWER SOURCE, BUT A WIRE MUST BE +RUN FROM THE LINE TO THE LISTENER OR TO A TRANSMITTER. THERE ARE OBVIOUS +ADVANTAGES OF WIRELESS TAPS OVER WIRED ONES. THERE IS ONE TYPE OF WIRELESS TAP +THAT LOOKS LIKE A NORMAL TELEPHONE MIKE. ALL YOU HAVE TO DO IS REPLACE THE +ORIGINAL MIKE WITH THIS & IT'LL TRANSMIT ALL CONVERSATIONS! + THERE IS AN EXOTIC TYPE OF WIRED TAP KNOWN AS THE 'INFINITY TRANSMITTER' OR +'HARMONICA BUG'. IN ORDER TO HOOK UP ONE OF THESE, YOU NEED ACCESS TO THE +TARGET TELEPHONE. IT HAS A TONE DECODER & SWITCH INSIDE. WHEN IT IS +INSTALLED, SOMEONE CALLS THE TAPPED PHONE & *BEFORE* IT RINGS, BLOWS A WHISTLE +OVER THE LINE. THE X-MITTER RECEIVES THE TONE & PICKS UP THE PHONE VIA A +RELAY. THE MIKE ON THE PHONE IS ACTIVATED SO THE CALLER CAN HEAR ALL +CONVERSATIONS IN THE ROOM. + THERE IS A SWEEP TONE TEST AT 415/BUG-1111 WHICH CAN BE USED TO DETECT ON +OF THESE TAPS. IF ONE OF THESE IS ON YOUR LINE & THE TEST # SENDS THE CORRECT +TONE, YOU'LL HEAR A CLICK. + INDUCTION TAPS HAVE ONE BIG ADVANTAGE OVER TAPS THAT MUST BE PHYSICALLY +WIRED TO THE PHONE. THEY DON'T HAVE TO BE TOUCHING THE PHONE IN ORDER TO PICK +UP THE CONVERSATION. THEY WORK ON THE SAME PRINCIPLE AS THE LITTLE SUCTION-CUP +TAPE RECORDER MIKES YOU CAN GET AT RADIO SHACK. INDUCTION MIKES CAN BE HOOKED +UP TO A TRANSMITTER OR BE WIRED. HERE IS AN EXAMPLE OF INDUSTRIAL ESPIONAGE +USING THE PHONE: + A SALESMAN WALKS INTO AN OFFICE & MAKES A FONE CALL. HE FAKES THE +CONVERSATION, BUT WHEN HE HANGS UP HE SLIPS SOME FOAM-RUBBER CUBES UNDER THE +HANDSET, SO THE FONE IS STILL OFF THE HOOK. THE CALLED PARTY CAN STILL HEAR +ALL CONVERSATIONS IN THE ROOM. WHEN SOMEONE PICKS UP THE FONE, THE CUBES FALL +AWAY UNNOTICED. + I USE A TAP ON MY LINE TO MONITOR WHAT AE-PRO IS DOING WHEN IT AUTO-DIALS, +SINCE IT DOESN'T TAKE ADVANTAGE OF THE HANDSET ON THE APPLE CAT II. I CAN ALSO +HOOK UP THE TAP TO A CASSETTE RECORDER OR AMPLIFIER. HERE IS THE SCHEMATIC: + +-------)!----)!(-------------> + )!( + CAP ^ )!( + )!( + )!( + )!( + ^^^^^---)!(-------------> + ^ 100K + ! + ! THE HITCHHINKERS <%=- + BRING YOUR TOWEL + + + + + + + + + + + + + + + + + + + + + Page 88 + + + + + The Official Phreaker's Manual + + 2600 Magazine's story on the Private Sector Bust + Uploaded by Elric of Imrryr + Lunatic Labs Unlimited + :::::::::::::::::::::::::::::::::::::::::::::::: + +Typed By Shooting Shark : The following article appeared in the August, 1985 +issue of 2600 Magazine. Subscriptions to 2600 are $12 a year for individuals. +Make checks payable to 2600 Enterprises, Inc. Write to: 2600, Box 752, Middle +Island, NY 11953-0752. Their phone number is 516-751-2600. Text of article +follows. + +SEIZED! +2600 Bulletin Board is Implicated in Raid on Jersey Hackers + + On July 12, 1985, law enforcement officials seized the Private Sector BBS, +the official computer bulletin board of 2600 magazine, for "complicity in +computer theft," under the newly passed, and yet untested, New Jersey Statute +2C:20-25. Police had uncovered in April a credit carding ring operated around +a Middlesex County electronic bulletin board, and from there investigated +other North Jersey bulletin boards. Not understanding subject matter of the +Private Sector BBS, police assumed that the sysop was involved in illegal +activities. Six other computers were also seized in this investigation, +including those of Store Manager [perhaps they mean Swap Shop Manager? - +Shark] who ran a BBS of his own, Beowolf, Red Barchetta, the Vampire, NJ Hack +Shack, sysop of the NJ Hack Shack BBS, and that of the sysop of the Treasure +Chest BBS. + + Immediately after this action, members of 2600 contacted the media, who +were completely unaware of any of the raids. They began to bombard the +Middlesex County Prosecutor's Office with questions and a press conference was +announced for July 16. The system operator of the Private Sector BBS attempted +to attend along with reporters from 2600. They were effectively thrown off +the premises. Threats were made to charge them with trespassing and other +crimes. An officer who had at first received them civilly was threatened with +the loss of his job if he didn't get them removed promptly. Then the car was +chased out of the parking lot. Perhaps prosecutor Alan Rockoff was afraid that +he presence of some technically literate reporters would ruin the effect of his +press release on the public. As it happens, he didn't need our help. + + The next day the details of the press conference were reported to the +public by the press. As Rockoff intended, paranoia about hackers ran rampant. +Headlines got as ridiculous as hackers ordering tank parts by telephone from +TRW and moving satellites with their home computers in order to make free phone +calls. These and even more exotic stories were reported by otherwise +respectable media sources. The news conference understandably made the front +page of most of the major newspapers in the US, and was a major news item as +far away as Australia and in the United Kingdom due to the sensationalism of +the claims. We will try to explain why these claims may have been made in this +issue. + + On July 18 the operator of The Private Sector was formally charged +with"computer conspiracy" under the above law, and released in the custody of +his parents. The next day the American Civil Liberties Union took over his +defense. The ACLU commented that it would be very hard for Rockoff to prove a +conspiracy just "because the same information, construed by the prosecutor to +be illegal, appears on two bulletin boards." especially as Rockoff admitted +that "he did not believe any of the defendants knew each other." The ACLU +believes that the system operator's rights were violated, as he was assumed to + + Page 89 + + + + + The Official Phreaker's Manual + +be involved in an illegal activity just because of other people under +investigation who happened to have posted messages on his board. + + In another statement which seems to confirm Rockoff's belief in guilt by +association, he announced the next day that "630 people were being investigated +to determine if any used their computer equipment fraudulently." We believe +this is only the user list of the NJ Hack Shack, so the actual list of those to +be investigated may turn out to be almost 5 times that. The sheer overwhelming +difficulty of this task may kill this investigation, especially as they find +that many hackers simply leave false information. Computer hobbyists all +across the country have already been called by the Bound Brook, New Jersey +office of the FBI. They reported that the FBI agents used scare tactics in +order to force confessions or to provoke them into turning in others. We would +like to remind those who get called that there is nothing inherently wrong or +illegal in calling any ANY BBS, nor in talking about ANY activity. The FBI +would not comment on the case as it is an "ongoing investigation" and in the +hands of the local prosecutor. They will soon find that many on the Private +Sector BBS's user list are data processing managers, telecommunications +security people, and others who are interested in the subject of the BBS, +hardly the underground community of computer criminals depicted at the news +conference. The Private Sector BBS was a completely open BBS, and police and +security people were even invited on in order to participate. The BBS was far +from the "elite" type of underground telecom boards that Rockoff attempted to +portray. + + Within two days, Rockoff took back almost all of the statements he had +made at the news conference, as AT&T and the DoD [Department of Defense - +Shark] discounted the claims he had made. He was understandably unable to find +real proof of Private Sector's alleged illegal activity, and was faced with +having to return the computer equipment with nothing to show for his effort. +Rockoff panicked, and on July 31, the system operator had a new charge against +him, "wiring up his computer as a blue box." Apparently this was referring to +his Novation Applecat modem which is capable of generating any hertz tone over +the phone line. By this stretch of imagination an Applecat could produce a +2600 hertz tone as well as the MF which is necessary for "blue boxing." +However, each and every other owner of an Applecat or any other modem that can +generate its own tones therefore has also "wired up his computer as a blue box" +by merely installing the modem. This charge is so ridiculous that Rockoff +probably will never bother to press it. However, the wording of WIRING UP THE +COMPUTER gives rockoff an excuse to continue to hold onto the computer longer +in his futile search for illegal activity. + + "We have requested that the prosecutors give us more specific +information," said Arthur Miller, the lawyer for The Private Sector. "The +charges are so vague that we can't really present a case at this point." +Miller will appear in court on August 16 to obtain this information. He is +also issuing a demand for the return of the equipment and, if the prosecutors +don't cooperate, will commence court proceedings against them. "They haven't +been particularly cooperative," he said. + + Rockoff probably will soon reconsider taking Private Sector's case to +court, as he will have to admit he just didn't know what he was doing when he +seized the BBS. The arrest warrant listed only "computer conspiracy" against +Private Sector, which is much more difficult to prosecute than the multitude of +charges against some of the other defendants, which include credit card fraud, +toll fraud, the unauthorized entry into computers, and numerous others. + + Both Rockoff and the ACLU mentioned the Supreme Court in their press + + Page 90 + + + + + The Official Phreaker's Manual + +releases, but he will assuredly take one of his stronger cases to test the new +New Jersey computer crime law. by seizing the BBS just because of supposed +activities discussed on it, Rockoff raises constitutional questions. Darrell +Paster, a lawyer who centers much of his work on computer crime, says the New +Jersey case is "just another example of local law enforcement getting on the +bandwagon of crime that has come into vogue to prosecute, and they have +proceeded with very little technical understanding, and in the process they +have abused many people's constitutional rights. What we have developing is a +mini witch hunt which is analogous to some of the arrests at day care centers, +where they sweep in and arrest everybody, ruin reputations, and then find that +there is only one or two guilty parties." We feel that law enforcement, not +understanding the information on the BBS, decided to strike first and ask +questions later. + + 2600 magazine and the sysops of the Private Sector BBS stand fully behind +the system operator. As soon as the equipment is returned, the BBS will go +back up. We ask all our readers to do their utmost to support us in our +efforts, and to educate as many of the public as possible that a hacker is not +a computer criminal. We are all convinced of our sysop's innocence, and await +Rockoff's dropping of the charges. + +NOTE: Readers will notice that our reporting of the events are quite different +than those presented in the media and by the Middlesex County Prosecutor. We +can only remind you that we are much closer to the events at hand than the +media is, and that we are much more technologically literate than the Middlesex +County Prosecutor's Office. The Middlesex County Prosecutor has already taken +back many of his statements, after the contentions were disproven by AT&T and +the DoD. One problem is that the media and the police tend to treat the seven +cases as one case, thus the charges against and activities of some of the +hackers has been extended to all of the charged. We at 2600 can only speak +about the case of Private Sector. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 91 + + + + + The Official Phreaker's Manual + + Chapter 4 + + By now I assume that the reader has a fair idea of what phreaking is, and +know a little bit about how to go about it. From now on, I will assume that +the reader has read all the material before this or understands all the +material covered. Now we will take a journey into the "Basics of +Telecommunications" and learn a little about how everything works, and is +related to everything else. This series of articles is extremely good and +should be read by all levels of phreaks. + As we go further into the advanced world of phreaking, we come closer to the +edge of technology. As we approach it, everything seems to become larger and +more complicated. We notice that many things that were possible aren't +anymore. Blue boxing is starting to become the only method of exploration as +Equal Access looms nearer and nearer. As it stands now, equal access is here, +and many LD services such as Sprint and MCI will be tougher to hack. Extenders +will become more used and abused, which will cause them to get access codes +miles long... + Blue boxing becomes harder as all Bell switching and transmission facilities +go under to CCIS. Then to further complicate things, digital microwave, fiber +optic, and satellite transmission are all coming to be digital and do not +recognize 2600hz for the hang up signal. I predict that around 1990, blue +boxes will be obsolete from all major cities. A new type of box will have to +be invented, or you'll have to get two fone line to phreak with, on to place +the actual call and the other to tap into a COSMOS computer to change the +status of the call from toll to toll-free, ie. 800#. + Well somethings will change for the better, with ISDN you'll get 144k bps +lines and some other neat stuff. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 92 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * BASIC TELECOMMUNICATIONS * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART II * + * * + ************************************************************ + + PREFACE: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN PART II, WE WILL EXPLORE THE VARIOUS SPECIAL BELL#'S, SUCH AS: CN/A, +AT&T NEWSLINES, LOOPS, 99XX #'S, ANI, RINGBACK, AND A FEW OTHERS. + + CN/A: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + CN/A, WHICH STANDS FOR CUSTOMER NAME AND ADDRESS, ARE BUREAUS THAT EXIST SO +THAT AUTHORIZED BELL EMPLOYEES CAN FIND OUT THE NAME AND ADDRESS OF ANY +CUSTOMER IN THE BELL SYSTEM. ALL #'S ARE MAINTAINED ON FILE INCLUDING UNLISTED +#'S. + +HERE'S HOW IT WORKS: + +1) YOU HAVE A # AND YOU WANT TO FIND OUT WHO OWNS IT, E.G. (914) 555-1234. + +2) YOU LOOK UP THE CN/A # FOR THAT NPA IN THE LIST BELOW. IN THE EXAMPLE, THE +NPA IS 914 AND THE CN/A# IS 518-471-8111. + +3) YOU THEN CALL UP THE CN/A # (DURING BUSINESS HOURS) AND SAY SOMETHING LIKE, +"HI, THIS IS JOHN JONES FROM THE RESIDENTIAL SERVICE CENTER IN MIAMI. CAN I +HAVE THE CUSTOMER'S NAME AT 914-555-1234. THAT # IS 914-555-1234." MAKE UP +YOUR OWN REAL SOUNDING NAME, THOUGH. + +4) IF YOU SOUND NATURAL & CHEERY, THE OPERATOR WILL ASK NO QUESTIONS. + + HERE'S THE LIST: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + NPA CN/A # NPA CN/A # + --- ------------ --- ------------ + 201 201-676-7070 517 313-232-8690 + 202 202-384-9620 518 518-471-8111 + 203 203-789-6800 519 416-487-3641 + 204 ****N/A***** 601 601-961-0877 + 205 205-988-7000 602 303-232-2300 + 206 206-382-8000 603 617-787-2750 + 207 617-787-2750 604 604-432-2996 + 208 303-232-2300 605 402-345-0600 + 209 415-546-1341 606 502-583-2861 + 212 518-471-8111 607 518-471-8111 + 213 213-501-4144 608 414-424-5690 + 214 214-948-5731 609 201-676-7070 + 215 412-633-5600 612 402-345-0600 + 216 614-464-2345 613 416-487-3641 + 217 217-525-7000 614 614-464-2345 + 218 402-345-0600 615 615-373-5791 + + Page 93 + + + + + The Official Phreaker's Manual + + 219 317-265-7027 616 313-223-8690 + 301 301-534-11?? 617 617-787-2750 + 302 412-633-5600 618 217-525-7000 + 303 303-232-2300 701 402-345-0600 + 304 304-344-8041 702 415-546-1341 + 305 912-784-9111 703 804-747-1411 + 306 ****N/A***** 704 912-784-9111 + 307 303-232-2300 705 416-487-3641 + 308 402-345-0600 707 415-546-1341 + 309 217-525-7000 709 ****N/A***** + 312 312-769-9600 712 402-345-0600 + 313 313-223-8690 713 713-658-1793 + 314 314-436-3321 714 213-995-0221 + 315 518-471-8111 715 414-424-5690 + 316 816-275-2782 716 518-471-8111 + 317 317-265-7027 717 412-633-5600 + 318 318-227-1551 801 303-232-2300 + 319 402-345-0600 802 617-787-2750 + 401 617-787-2750 803 912-784-9111 + 402 402-345-0600 804 804-747-1411 + 403 403-425-2652 805 415-546-1341 + 404 912-784-9111 806 512-828-2502 + 405 405-236-6121 807 416-487-3641 + 406 303-232-2300 808 212-226-5487 + 408 415-546-1341 BERMUDA ONLY + 412 412-633-5600 809 212-334-4336 + 413 617-787-2750 812 317-265-7027 + 414 414-424-5690 813 813-228-7871 + 415 415-546-1132 814 412-633-5600 + 416 416-487-3641 815 217-525-7000 + 417 314-436-3321 816 816-275-2782 + 418 514-861-6391 817 214-948-5731 + 419 614-464-2345 819 514-861-6391 + 501 405-236-6121 901 615-373-5791 + 502 502-583-2861 902 902-421-4110 + 503 503-241-3440 903 ****N/A***** + 504 504-245-5330 904 912-784-9111 + 505 303-232-2300 906 313-223-8690 + 506 506-657-3855 907 ****N/A***** + 507 402-345-0600 912 912-784-9111 + 509 206-382-8000 913 816-275-2782 + 512 512-828-2501 914 518-471-8111 + 513 614-464-2345 915 512-828-2501 + 514 514-861-6391 916 415-546-1341 + 515 402-345-0600 918 405-236-6121 + 516 518-471-8111 919 912-784-9111 + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + BELL USES THESE #'S MAINLY TO FIND OUT WHO OWNS A # THAT A CUSTOMER CLAIMS +HE NEVER CALLED. + +NOTE: THIS IS THE MOST COMPLETE LIST OF CN/A #'S IN MY POSSESSION (WITH ONLY +5 #'S NOT AVAILABLE) THIS LIST WAS COPYRIGHTED IN 1982 BY "JUDAS GERARD" AS IT +ORIGINALLY APPEARED IN TAP ISSUE #78. + AT&T NEWSLINES: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + NEWSLINES ARE RECORDINGS THAT BELL EMPLOYEES CALL UP TO FIND OUT THE LATEST + + Page 94 + + + + + The Official Phreaker's Manual + +INFO ON STOCK, TECHNOLOGY, ETC. CONCERNING THE BELL SYSTEM. + + HERE ARE THE #'S THAT ARE CURRENTLY KNOWN TO PHREAKS (AT LEAST ME, ANYWAY): + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + 201-483-3800 NJ 513-421-9060 OH + 203-771-4920 CT 516-234-9914 NY + 212-393-2151 NY 518-471-2272 NY + 213-621-4141 CA 617-955-1111 MA + 213-829-0111 CA (GTE) 702-789-6711 NV + 213-449-8830 CA 713-224-6116 TX + 312-368-8000 IL 714-238-1111 CA + 313-223-7223 MI 717-255-5555 PA + 314-247-5511 MO 717-787-1031 PA + 408-493-5000 CA 802-955-1111 VE + 412-633-3333 PA 808-533-4426 HI + 414-678-3511 WI 813-223-5666 FL + 416-929-4323 ONT. 914-948-8100 NY + 503-228-6271 OR 916-480-8000 CA + + LOOPS + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + FIRST OF ALL, YOU MUST UNDERSTAND THE CONCEPT OF LOOPS. I THINK THAT THE +BEST WAY THAT THIS IS UNDERSTOOD IS THE WAY THAT PHRED PHREEK EXPLAINED IT... + + "NO SELF-RESPECTING PHONE PHREAK CAN GO THROUGH LIFE WITHOUT KNOWING WHAT A +LOOP IS, HOW TO USE ONE, AND THE TYPES THAT ARE AVAILABLE. THE LOOP IS A GREAT +ALTERNATIVE COMMUNICATION MEDIUM THAT HAS MANY POTENTIAL USES THAT HAVEN'T EVEN +BEEN TAPPED YET. IN ORDER TO EXPLAIN WHAT A LOOP IS, IT WOULD BE HELPFUL TO +VISUALIZE TWO PHONE NUMBERS (LINES) JUST FLOATING AROUND IN THE TELCO CENTRAL +OFFICE (CO). NOW, IF YOU (AND A FRIEND PERHAPS) WERE TO CALL THESE TWO NUMBERS +AT THE SAME TIME, POOOOPFFF!!!, YOU ARE NOW CONNECTED TOGETHER. I HEAR WHAT +YOU'RE SAYING OUT THERE..., "BIG DEAL" OR "WHY SHOULD MA BELL COLLECT HERE TWO +MSU'S (MESSAGE UNITS) FOR ONE LOUSY PHONE CALL!?" WELL... THINK AGAIN. HAVEN'T +YOU EVER WANTED SOMEONE TO CALL YOU BACK BUT, WERE RELUCTANT TO GIVE OUT YOUR +HOME PHONE NUMBER (LIKE THE LAST TIME YOU TRIED TO GET YOUR FRIEND'S UNLISTED # +FROM THE BUSINESS OFFICE)? OR HOW ABOUT A COLLECT CALL TO YOUR FRIEND WAITING +ON A LOOP, WHO WILL GLADLY ACCEPT THE CHARGES? OR BETTER YET, STUMBLING UPON A +LOOP THAT YOU DISCOVER THAT HAS MULTI-USER CAPABILITY (FOR THOSE LATE-NIGHT +CONFERENCES). BEST OF ALL IS FINDING A NON-SUPERVISED LOOP THAT DOESN'T CHARGE +ANY MSU'S OR TOLLS TO ONE OR BOTH PARTIES. EXAMPLE: MANY MOONS AGO, A LOOP +AFFECTIONATELY KNOWN AS 'THE 332 LOOP' WAS NON-SUP (IE, NON-SUPERVISED) ON THE +TONE SIDE. I HAD MY FRIEND IN CALIFORNIA DIAL THE FREE (NON-SUP) SIDE, (212) +332-9906 AND I DIALED THE SIDE THAT CHARGED, 332-9900. AS YOU CAN SEE, I WAS +CHARGED ONE MSU, AND MY FRIEND AS CHARGED ZILCH, FOR AS LONG AS WE WISHED TO +TALK!!!" + + ********** + + AHHH...HAVE I PERKED YOUR INTEREST YET? IF SO, HERE IS HOW TO FIND A LOOP +OF YOU VERY OWN. FIRST, DO ALL OF YOU LOOP SEARCHING AT NIGHT! THIS IS BECAUSE +THE LOOPS SERVE A GENUINE TEST FUNCTION WHICH TELCO USES DURING THE DAY. (WE +DON'T WANT TO RUN INTO AN IRATE LINEMAN NOW, DO WE?) TO FIND A LOOP, HAVING 2 +#'S IS A DEFINITE PLUS. IF NOT, HAVE A FRIEND TO DIAL #'S AT HIS LOCATION. +LAST RESORT, TRY DIALING FROM TWO ADJACENT PAY PHONES. NOW GET YOUR TRUSTY +WHITE PAGES (*), AND TURN TO THE PAGE WHERE IT LISTS THE # OF MSU'S FROM YOUR +EXCHANGE (OR EXCHANGES IN YOUR PRIMARY CALLING AREA) THE IDEA IS TO FIND A LOOP + + Page 95 + + + + + The Official Phreaker's Manual + +THAT IS WITHIN YOUR PRIMARY CALLING AREA OR IS ONLY 1 MSU IN YOUR AREA (CALL +AREA A). THIS IS SO YOU DON'T GO BANKRUPT TRYING TO FIND A LOOP. WRITE DOWN ALL +OF THESE EXCHANGES AND DO A 99XX SCAN OF THOSE EXCHANGES (99XX SCANNING WILL BE +DISCUSSED SHORTLY). + + BEFORE WE GET UP TO 99XX SCANNING, WE WILL LOOK AT SOME OTHER LOOP INFO: + + LOOPS ARE FOUND PAIRS WHICH ARE USUALLY CLOSE TO EACH OTHER. FOR EXAMPLE, +IN NPA 212, WHERE THE INFAMOUS LOOPS ARE FOUND, THERE IS A STANDARD LOOP +FORMAT: + +MANHATTAN & BRONX-------NNX-9977/9979 +BROOKLYN & QUEENS-------NNX-9900/9906 + + NNX IS THE EXCHANGE TO BE SCANNED. HERE ARE SOME LOOPS THAT HAVE BEEN FOUND +IN NYC. THESE ARE USED MOSTLY BY PHREAKS AND CALL-IN LINES FOR PIRATE RADIO +STATIONS: + +212-220-9900/9906 +212-283-9977/9979 +212-352-9900/9906 +212-365-9977/9979 +212-529-9900/9906 +212-562-9977/9979 +212-982-9977/9979 +212-986-9977/9979 + + THE LOWER # IS THE TONE SIDE (SINGING SWITCH). THE HIGHER # IS ALWAYS +SILENT. THE TONE DISAPPEARS ON THE LOWER # WHEN SOMEBODY DIALS IN THE OTHER +SIDE OF THE LOOP. IF YOU ARE ON THE HIGHER #, YOU'LL HAVE TO LISTEN TO THE +CLICKS TO SEE IF SOMEBODY DIALED-IN. THE NYC 982 & 986 LOOPS ARE DIFFERENT +FROM OTHERS. USUALLY WHEN YOU PARK ON A LOOP, YOU WILL HEAR WHO EVER CALLS IN +ON THE OTHER HALF. WHEN THEY'RE DONE, THE NEXT CALLER (IF ANY) WILL BE QUEUED +IN, ONE AFTER ANOTHER. ON THE NYC 982 & 986, YOU SOMETIMES CAN'T GET ANY MORE +CALLERS IN AFTER THE FIRST. FURTHERMORE, IF YOU PARK ONE OF THESE LOOPS AND +THERE IS NOBODY ON THE OTHER END FOR MORE THAN 4 MINUTES, YOU MAY BE +AUTOMATICALLY DISCONNECTED. THESE LOOPS ARE GOOD FOR BACK-UP PURPOSES WHEN ALL +OTHER LOOPS ARE BUSY. + + 99XX SCANNING: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + MOST EVERY EXCHANGE IN THE BELL SYSTEM HAS A WIDE VARIETY OF TEST #'S AND +OTHER "GOODIES," SUCH AS LOOPS. THESE "GOODIES" ARE USUALLY FOUND BETWEEN 9900 +AND 9999 IN YOUR LOCAL EXCHANGE. IF YOU HAVE THE TIME AND INITIATIVE, SCAN +YOUR EXCHANGE AND YOU MAY BECOME LUCKY! + +HERE ARE MY FINDINGS IN THE 914-268: + +9901 - VERIFICATION (RECORDING OF A/C AND EXCHANGE) +9936 - VOICE # TO THE TELCO CO +9937 - VOICE # TO THE TELCO CO +9941 - CARRIER +9960 - OSC. TONE (TONE SIDE LOOP) +9963 - TONE (STOPS: MUTED) +9966 - CARRIER +9968 - TONE THAT DISAPPEARS--RESPONDS TO CERTAIN TOUCH-TONE KEYS + + + Page 96 + + + + + The Official Phreaker's Manual + + MOST OF THE #'S BETWEEN 9900 & 9999 WILL RING, BE BUSY, GO TO A SPECIAL +INTERCEPT OPERATOR ("WHAT #, PLEASE?"), OR WILL GO TO A "THE # YOU HAVE +REACHED..." RECORDING. WHAT YOU FIND DEPENDS UPON THE SWITCHING EQUIPMENT IN +THE EXCHANGE AND THE TELCO OPERATING COMPANY. + + WHEN SEARCHING FOR LOOPS, YOU MAY FIND ONE OF THE FOLLOWING POSSIBILITIES +WHEN YOU FIND ONE: + +1. YOU CAN HEAR THROUGH THE LOOP (NOT MUTED), BUT THERE IS A 1/2 SECOND CLICK +EVERY 10 SECONDS THAT INTERRUPTS THE AUDIO. THIS TYPE IS GOOD FOR BACK-UP USE +BUT THE FUCKING CLICK IS SUPER ANNOYING. + +2. ONE SIDE OF THE LOOP IS BUSY; TRY IT AGAIN LATER. + +3. THE TONE DISAPPEARS, BUT YOU CANNOT HEAR THROUGH IT (THE LOOP IS MUTED, TRY +AGAIN IN A MONTH OR SO) + +4. YOU GET "THE # YOU HAVE REACHED RECORDING." NO LOOP HERE! + + MOST LOOPS ARE MUTED (#3), BUT THEIR STATUS DOES CHANGES FROM TIME-TO-TIME. +IT ALL DEPENDS IF THE TELCO MAINTENANCE PERSONNEL REMEMBER TO "THROW THE +SWITCH", IE, TURN OFF THE LOOP. + + SINCE I HAVE DONE THE ABOVE 914-268 99XX SCAN, CONGERS (268) HAS INSTALLED +NEW SWITCHING EQUIPMENT (DMS100). SOME OF THE NUMBERS ARE THE SAME, BUT I HAVE +NOTICED THAT ON THE DMS100, THE RECORDINGS ARE ALSO STORED IN THIS AREA. +268-9903, 9906, 9909, & 9912 ARE ALL DIFFERENT RECORDINGS. ALSO, THERE ARE 2 +FORTRESS FONE RECORDINGS AT 268-9911 (DEPOSIT 5 CENTS OR ELSE) AND 268-9913 +(DEPOSIT 10 CENTS). NONE OF THESE RECORDINGS SUPE AND ALOT OF OTHER 99XX#'S +DON'T SUPE EITHER. + + IN SOME AREAS (LIKE MD), 9906-7 IS RINGBACK. IN WASHINGTON, THERE IS A +SWEEP TONE TEST AT (202) 560-9944. IN NYC (212), YOU'LL FIND THE INFAMOUS LOOP +LINES (AS MENTIONED ABOVE). + IT WILL BE EASIER TO SCAN YOUR EXCHANGE IF YOU MAKE UP A CHART LIKE THE ONE +BELOW: + + + NPA-NNX-99XX SCAN + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + _________________________________________________________ + | 99X X>|0 |1 |2 |3 |4 |5 |6 |7 |8 |9 | + |_______|____|____|____|____|____|____|____|____|____|____| + | 990 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 991 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 992 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 993 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 994 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 995 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 996 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + + Page 97 + + + + + The Official Phreaker's Manual + + | 997 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 998 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + | 999 | | | | | | | | | | | + |_______|____|____|____|____|____|____|____|____|____|____| + + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THIS LEAVES YOU WITH 100 BOXES (1 FOR EACH # BETWEEN 9900 & 9999). YOU +SHOULD MAKE YOUR BOXES BIG ENOUGH SO YOU CAN WRITE SOME SORT OF SHORTHAND IN +THEM. FOR EXAMPLE: + +B - BUSY (TRY AGAIN AT ANOTHER TIME) +R - RINGS (TRY AGAIN AT ANOTHER TIME) +O - INTERCEPT OPERATOR ("WHAT # YOU CALLING?) +R1- RECORDING 1 (MAKE A MARGIN NOTE OF THE TYPES OF RECORDINGS YOU GET) +T - TONE ] TONE AT A LOWER # + IGNORE +I - IGNORE ] AT A HIGHER # = LOOP +V - VOICE # TO TELCO CO - THEY USUALLY ANSWER WITH THE CITY NAME OR AREA. +C - CARRIER + + THERE WILL BE OTHERS AND YOU SHOULD USE OTHER CHARACTERS THAT YOU CAN +UNDERSTAND. + + NOW, BACK TO LOOPS! AS YOU MAY HAVE NOTICED IN MY 914-268 SCAN, I FOUND A +MUTED LOOP AND A TONE SIDE. 914-268 FAILED TO COME UP WITH THE SILENT SIDE OF +A LOOP! THEREFORE, THERE IS NO LOOP IN THAT EXCHANGE. I THEN SCANNED ANOTHER +EXCHANGE IN MY PRIMARY CALLING AREA (914-634) AND I FOUND A LOOP!! "(914) +634-9923/9924" SO, IF AT FIRST YOU DON'T SUCCEED, MOVE ONTO ANOTHER EXCHANGE. +IF YOU USE THE BOX METHOD THAT I HAVE OUTLINED ABOVE, YOU WILL SEE A "T" & "I" +NEXT TO EACH OTHER FOR A LOOP. + SOME EXCHANGES ARE SPECIAL. FOR EXAMPLE, 914-623 IS A TESTING BUREAU. IN +THIS EXCHANGE, NOT ONLY DID I FIND A LOOP, BUT I ALSO FOUND SEVERAL INTERESTING +TONES, NOISES, AND OTHER TEST FUNCTIONS. ALSO, THE MORE IMPORTANT THE EXCHANGE +IS, THE MORE YOU WILL FIND. FOR EXAMPLE, IN 914-623, I FOUND WELL OVER 10 VOICE +#'S! + ALSO, LOOPS ARE USUALLY, BUT NOT EXCLUSIVELY, FOUND IN THE 99XX SERIES. FOR +EXAMPLE: "(713) 324-1799/1499" IS A LOOP. + +THE PERFECT LOOP? HERE IS WHAT I WOULD LOOK FOR: + +1. NON-SUP ON ONE OR BOTH SIDES. TO CHECK FOR A NON-SUP LOOP, GO TO A +TONE-FIRST FORTRESS FONE AND DIAL THE #. IF IT ASKS FOR A DIME, IT IS +SUPERVISED. IF THE CALL GOES THROUGH, THEN IT IS NON-SUPED! + +2. 800 LOOPS WOULD BE A PLUS. THEY ARE NOT NECESSARILY FOUND BETWEEN 9900 & +9999 THOUGH. I WOULD CHECK THE 1XXX SERIES FIRST. + +3. MULTI-USER LOOPS ARE ALSO A PLUS FOR THOSE LATE NIGHT CONFERENCES. + + FINALLY, REMEMBER IT IS ONLY A LOCAL CALL TO FIND OUT WHAT YOU CO HAS IN +STORE FOR YOU. IF YOU FIND ANYTHING INTERESTING, BE SURE TO DROP ME A LINE. + + +NOTE: YOUR LOCAL WHITE PAGES CAN BE A VALUABLE ASSET. YOU CAN ALSO ORDER OTHER +FONE BOOKS FROM YOUR BUSINESS OFFICE (USUALLY FREE FOR BOOKS WITHIN YOUR +OPERATING COMPANY'S DISTRICT). A LARGE FONE BOOK, SUCH AS MANHATTAN, CONTAINS + + Page 98 + + + + + The Official Phreaker's Manual + +MUCH MORE INFO IN THE FIRST FEW PAGES THAN OTHER BOOKS. + + ANI + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + AUTOMATIC NUMBER IDENTIFICATION (ANI), IS A NUMBER THAT YOU CALL UP THAT +WILL TELL YOU WHAT # YOU ARE CALLING FROM. + THIS HAS A FEW USES. FIRST, WERE YOU EVER SOMEWHERE AND THE FONE DIDN'T +HAVE A # PRINTED ON IT? OR PERHAPS YOU WERE FOOLING AROUND IN SOME CANS (THOSE +LARGE BOXES ON FONE POLES THAT CONTAIN TERMINALS FOR LINEMAN USE--TO BE +DISCUSSES IN A FUTURE CHAPTER.) AND YOU WANT TO KNOW WHAT WHAT THE LINE # IS. +IN NPA 914, THE ANI IS 990. IN NPA'S 212 & 516, ANI IS 958. THIS VARIES FROM +AREA TO AREA. + +HERE ARE SOME OTHER ANI'S THAT I HAVE SEEN: + +890-751-5191 +202-222-2222 +1-XXX-1111 (IN SOME 914 AREAS, ESP. UNDER STEP-BY-STEP SWITCHING, YOU HAVE +TO DIAL 1-990-1111) + + TO FIND ANI FOR OTHER AREAS, CHECK 3 DIGITS #'S FIRST, USUALLY IN THE 9XX +SERIES (EXCLUDING 911). IN AREAS UNDER STEP-BY-STEP (TO BE DISCUSSED IN THE +NEXT PART), TRY 1-9XX-1111. + ANI MAY ALSO BE IN 99XX. LAST RESORT, TRY TO GET FRIENDLY WITH YOUR +NEIGHBOR WHO WORKS FOR THE FONE COMPANY. + + RING BACK + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + RINGBACK, AS ITS NAME IMPLIES, CALLS BACK THE # YOU ARE AT WHEN YOU DIAL +THE RINGBACK #. RINGBACK, IN NPA 914, IS 660. YOU DIAL 660+THE LAST 4 DIGITS OF +THE FONE. YOU WILL THEN GET A TONE, HANG-UP QUICKLY AND PICK-UP IN ABOUT 2 +SECONDS. YOU WILL THEN GET A SECOND TONE, HANG-UP AGAIN AND THE FONE WILL +RING. + IN NYC, IT IS ALSO 660, BUT YOU MAY HAVE TO PRESS 6 OR 7 BEFORE YOU HANG UP +FOR THE FIRST TIME (IE, AT THE FIRST TONE). + + OTHER RINGBACK #'S THAT I HAVE SEEN ARE: + +26011 - THIS 5 DIGIT FORMAT IS USED PRIMARILY ON STEP-BY-STEP. +THE LAST 2 DIGITS (11) ARE DUMMY DIGITS. + +890-897-XXXX - XXXX ARE THE LAST 4 DIGITS OF THE FONE #. + +119911/11911/1199911 - GTE + +NNX-9906/9907 - NPA 301, NNX IS THE EXCHANGE + + + THE REASON YOU GET THE TONE WHEN YOU PICK-UP AFTER IT RINGS IS BECAUSE IN +SOME AREAS, PEOPLE WERE USING RINGBACK AS AN IN-HOUSE INTERCOM. THEY WOULD +DIAL RINGBACK, AND WHEN IT STOPPED RINGING, THEY WOULD PICK-UP & TALK WITH THE +PERSON WHO PICKED UP THE OTHER EXTENSION. BELL DIDN'T LIKE THIS SINCE THERE IS +USUALLY ONLY 1 PIECE OF EQUIPMENT IN EACH EXCHANGE THAT DOES THE RINGBACK. WHEN +PEOPLE USED THIS AS AN INTERCOM, LINEMEN & REPAIRMEN COULDN'T GET THROUGH! IN +SOME AREAS, ESPECIALLY THOSE UNDER STEP-BY-STEP, RINGBACK CAN STILL BE USED AS +AN INTERCOM. ALSO, UNDER STEP-BY-STEP, THE RINGBACK PROCEDURE IT USUALLY + + Page 99 + + + + + The Official Phreaker's Manual + +SIMPLE. FOR EXAMPLE, IN ONE AREA YOU WOULD DIAL 26011 AND HANG-UP; IT WOULD +THEN RINGBACK. + + TOUCH-TONE TEST: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN AREAS THAT HAVE A TOUCH-TONE TEST, YOU DIAL THE RINGBACK #. AT THE +FIRST TONE, YOU TOUCH-TONE DIGITS 1-0. IF THEY ARE CORRECT IT WILL BEEP +TWICE. +I HAVE ALSO SEEN A TT TEST IN SOME AREAS AT: 890-751-5191 + + COMING SOON: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN THE NEXT PART, WE WILL LOOK AT VARIOUS SWITCHING EQUIPMENT AND THE +NETWORK. + + + BREAK UP OF BELL: + <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THE OPERATING COMPANIES ARE NOT GOING TO CHANGE ALL THE SWITCHING EQUIPMENT +AROUND. WHILE THERE WILL BE SOME CHANGES, MOST OF THE INFORMATION PROVIDED +HERE WILL REMAIN PERTINENT AFTER JANUARY 1, 1984. JUST SUBSTITUTE THE WORD +"FONE NETWORK" FOR BELL SYSTEM. + + +AU REVOIR, + +*****BIOC +*=$=*AGENT +*****003 + +DECEMBER 8, 1983 + +ACKNOWLEDGEMENTS: TAP, PHRED PHREEK, JUDAS GERARD, THE MAGICIAN, DARK PRIEST, +& MYSELF. I WOULD ALSO LIKE TO THANK THE MULCHER ][ FOR HIS ASSISTANCE IN +DISTRIBUTING THIS TUTORIAL. + + + + + + + + + + + + + + + + + + + + + + Page 100 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART III * + * * + ************************************************************ + +PREFACE: + + IN PART III, WE WILL DISCUSS THE DIALING PROCEDURES FOR DOMESTIC AS WELL AS +INTERNATIONAL DIALING. WE WILL ALSO TAKE A LOOK AT THE TELEPHONE NUMBERING +PLAN. + +NORTH AMERICAN NUMBERING PLAN +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +IN NORTH AMERICA, THE TELEPHONE NUMBERING PLAN IS AS FOLLOWS: + +A) A 3 DIGIT NUMBERING PLAN AREA (NPA) CODE, [IE, AREA CODE] + +B) A 7 DIGIT TELEPHONE # CONSISTING OF A 3 DIGIT CENTRAL OFFICE (CO) CODE PLUS +A 4 DIGIT STATION #. + + THESE 10 DIGITS ARE CALLED THE NETWORK ADDRESS OR DESTINATION CODE. IT IS +IN THE FORMAT OF: + +AREA CODE TELEPHONE # +--------- ----------- + N*X NXX-XXXX + +WHERE: N = A DIGIT FROM 2-9 + * = THE DIGIT 0 OR 1 + X = A DIGIT 0-9 + +AREA CODES +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + CHECK YOUR TELEPHONE BOOK OR THE SEPARATE LISTING OF AREA CODES FOUND ON +MANY BBS'S. HERE ARE THE SPECIAL AREA CODES (SAC'S): + +510 - TWX (USA) +610 - TWX (CANADA) +700 - NEW SERVICE +710 - TWX (USA) +800 - WATS +810 - TWX (USA) +900 - DIAL-IT SERVICES +910 - TWX (USA) + + THE OTHER AREA CODES NEVER CROSS STATE LINES, THEREFORE EACH STATE MUST +HAVE AT LEAST ONE EXCLUSIVE NPA CODE. WHEN A COMMUNITY IS SPLIT BY A STATE +LINE, THE CO #'S ARE OFTEN INTERCHANGEABLE (IE, YOU CAN DIAL THE SAME # FROM 2 +DIFFERENT AREA CODES) + +TWX: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + Page 101 + + + + + The Official Phreaker's Manual + + + TWX (TELEX II) CONSISTS OF 5 TELETYPE-WRITER AREA CODES. THEY ARE OWNED BY +WESTERN UNION. THESE SAC'S MAY ONLY BE REACHED VIA OTHER TWX MACHINES. THESE +RUN AT 110 BAUD. BESIDES THE TWX #'S, THESE MACHINES ARE ROUTED TO NORMAL +TELEPHONE #'S. TWX MACHINES ALWAYS RESPOND WITH AN ANSWERBACK. FOR EXAMPLE, +WU'S FYI TWX # IS (910) 988-5956, THE CORRESPONDING REAL NUMBER TO THIS IS +(201) 279-5956. THE ANSWERBACK FOR THIS SERVICE IS "WU FYI MAWA." + + IF YOU DON'T WANT TO BUY A TWX MACHINE, YOU CAN STILL SEND TWX MESSAGES +USING EASYLINK [800/325-4112 - SEE TUC'S AND MY ARTICLE ENTITLED "HACKING +WESTERN UNION'S EASYLINK] + +700: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + AT THE TIME OF THIS WRITING, THE 700 EXCHANGE DOES NOT YET EXIST. AT&T +PLANS TO USE IT SOON THOUGH. THEY PLAN TO MAKE IT A TYPE OF FANCY CALL +FORWARDING SERVICE. IT WILL BE TARGETED TOWARDS SALESMEN ON THE RUN. + + TO UNDERSTAND HOW IT WORKS, I'LL EXPLAIN IT WITH AN EXAMPLE. LET'S SAY JOE +Q. SALESPIG WORKS FOR AT&T SECURITY AND HE IS ON THE RUN CHASING A PHREAK +AROUND THE COUNTRY WHO ROYALLY SCREWED UP AN IMPORTANT COSMOS SYSTEM. LET'S +SAY THAT JOE'S 700 # IS (700) 382-5968. EVERY TIME JOE GOES TO A NEW HOTEL, HE +DIALS A SPECIAL 700 #, ENTERS A CODE, AND THE # WHERE HE IS STAYING. NOW, IF +HIS BOSS RECEIVED SOME IMPORTANT INFO, ALL HE WOULD DO IS DIAL (700) 382-5968 +AND IT WOULD RING WHEREVER JOE LAST PROGRAMMED IT TO. NEAT, HUH? + +800: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THIS SAC IS ONE OF MY FAVORITES SINCE IT ALLOWS FOR TOLL-FREE CALLS. + +INWARD WATS (INWATS): INWARD WIDE AREA TELECOMMUNICATIONS SERVICE IS THE 800 +#'S THAT WE ARE ALL FAMILIAR WITH. 800 #'S ARE SET UP IN SERVICE AREAS OR +BANDS. THERE ARE 6 OF THESE. BAND 6 IS THE LARGEST AND YOU CAN CALL A BAND 6 +# FROM ANYWHERE IN THE US EXCEPT THE STATE WHERE THE CALL IS TERMINATED (THIS +IS WHY MOST COMPANIES HAVE ONE 800 # FOR THE COUNTRY AND THEN ANOTHER FOR JUST +ONE STATE). BAND 5 INCLUDES THE 48 CONTIGUOUS STATES. ALL THE WAY DOWN TO +BAND 1 WHICH INCLUDES ONLY THE STATES CONTIGUOUS TO THAT ONE. THEREFORE, LESS +PEOPLE CAN REACH A BAND 1 INWATS # THAT A BAND 6 #. + +INTRASTATE INWATS #'S (IE, YOU CAN CALL IT FROM ONLY 1 STATE) ALWAYS HAVE A 2 +AS THE LAST DIGIT IN THE EXCHANGE (IE, 800-NX2-XXXX). THE NXX ON 800 #'S +REPRESENT THE AREA WHERE THE BUSINESS IS LOCATED. FOR EXAMPLE, A # BEGINNING +WITH 800-431 WOULD TERMINATE AT A NEW YORK CO. + +800 #'S ALWAYS END UP IN A HUNT SERIES IN A CO. THIS MEANS THAT IT TRIES THE +FIRST # ALLOCATED TO THE COMPANY FOR THEIR 8P0 LINES; IF THIS IS BUSY IT WILL +THEN TRY THE NEXT #, ETC). YOU MUST HAVE A MINIMUM OF TWO LINES PER EACH 800 +#. FOR EXAMPLE, TRAVELNET USES A HUNT SERIES. IF YOU DIAL (800) 521-8400, IT +WILL FIRST TRY THE # ASSOCIATED WITH 8400; IF IT IS BUSY IT WILL GO TO THE NEXT +AVAILABLE PORT, ETC. INWATS CUSTOMERS ARE BILLED BY THE # OF HOURS OF CALLS +THAT ARE MADE TO THEIR #. + +OUTWATS (OUTWARD WATS): OUTWATS ARE FOR MAKING OUTGOING CALLS ONLY. LARGE +COMPANIES USE OUTWATS SINCE THEY RECEIVE BULK-RATE DISCOUNTS. SINCE OUTWATS # +CANNOT HAVE INCOMING CALLS, THEY ARE IN THE FORMAT OF: + + + Page 102 + + + + + The Official Phreaker's Manual + +(800) *XX-XXXX + + WHERE * IS THE DIGIT 0 OR 1 WHICH CANNOT BE DIALED UNLESS YOU BOX THE CALL. +THE *XX IDENTIFIES THE TYPE OF SERVICE AND THE AREAS THAT THE COMPANY CAN +CALL. + +REMEMBER: INWATS + OUTWATS = WATS EXTENDER (SEE PART I) +900: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THIS DIAL-IT SAC IS A NATIONWIDE DIAL-IT SERVICE. IT IS USED FOR TAKING +TELEVISION POLLS AND OTHER STUFF. THE FIRST MINUTE CURRENTLY COSTS AN +OUTRAGEOUS 50 CENTS AND EACH ADDITIONAL MINUTE COSTS 35 CENTS. BELL TAKES IN +ALOT OF REVENUE IN THIS WAY. + +DIAL (900) 555-1212 TO FIND OUT WHAT IS CURRENTLY ON THE SERVICE. + +CO CODES: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THESE IDENTIFY THE SWITCHING OFFICE WHERE THE CALL IS TO BE ROUTED. + +THE FOLLOWING CO CODES ARE RESERVED NATIONWIDE: + +555 - DIRECTORY ASSISTANCE +844 - TIME ] THESE ARE NOW IN +936 - WEATHER ] THE 976 EXCHANGE +950 - FUTURE SERVICES +958 - PLANT TEST +959 - PLANT TEST +970 - PLANT TEST (TEMPORARY) +976 - DIAL-IT SERVICES + + ALSO, THE 3 DIGIT ANI & RINGBACK #'S ARE REGARDED AS PLANT TEST AND ARE +THUS RESERVED. THESE NUMBERS VARY FROM AREA TO AREA. + +950: [ALSO SEE PART I] +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +HERE ARE THE SERVICES THAT ARE CURRENTLY ON THE 950 EXCHANGE: + +1000 - SPC +1022 - MCI EXECUNET +1033 - US TELEPHONE +1044 - ALLNET +1066 - LEXITEL +1088 - SBS SKYLINE + +THESE SCC'S (SPECIALIZED COMMON CARRIERS) ARE FREE FROM FORTRESSES! + +Publishers note: Most 950's now require the station code (1022, 1000, 1088, +etc.) to be five digits long. MCI 950-10222, US telefone 10333, ALLNET 10444, +etc. Look in "Equal Access and the American Dream" p. for a complete list. +PLANT TESTS: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +THESE INCLUDE ANI, RINGBACK, AND OTHER VARIOUS TESTS. + + + Page 103 + + + + + The Official Phreaker's Manual + +976: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + DIAL 976-1000 TO SEE WHAT IS CURRENTLY ON THE SERVICE. ALSO, MANY BBS'S +HAVE A LISTING OF THESE #'S. + + +N11 CODES: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + BELL IS TRYING TO PHASE SOME OF THESE OUT, BUT THEY STILL EXIST IN MANY +AREAS. + +011 - INTERNATIONAL DIALING PREFIX +211 - COIN REFUND OPERATOR +411 - DIRECTORY ASSISTANCE +611 - REPAIR SERVICE +811 - BUSINESS OFFICE +911 - EMERGENCY + +INTERNATIONAL DIALING +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + WITH INTERNATIONAL DIALING, THE WORLD HAS BEEN DIVIDED INTO 9 NUMBERING +ZONES. + +TO MAKE AN INTERNATIONAL CALL, YOU MUST DIAL: INT. PREFIX + COUNTRY CODE + NAT. +# + + IN NORTH AMERICA, THE INTERNATIONAL DIALING PREFIX IS 011 FOR +STATION-TO-STATION CALLS AND 01 FOR OPERATOR- SERVICED CALLS. IDDD STANDS FOR +INTERNATIONAL DIRECT DISTANCE DIALING. + + THE COUNTRY CODE, WHICH VARIES FROM 1 TO 3 DIGITS, ALWAYS HAS THE WORLD +NUMBERING ZONE AS THE FIRST DIGIT. FOR EXAMPLE, THE COUNTRY CODE FOR THE +UNITED KINGDOM IS 44, THUS IT IS IN WORLD NUMBERING ZONE 4. + + SOME BOARDS MAY CONTAIN A COMPLETE LISTING OF OTHER COUNTRY CODES, BUT HERE +ARE A FEW: + +001 - NORTH AMERICA (US, CANADA,ETC) +020 - EGYPT +258 - MOZAMBIQUE +034 - SPAIN +049 - GERMANY +052 - MEXICO (SOUTHERN PORTION) +061 - AUSTRALIA +007 - USSR +081 - JAPAN +098 - IRAN + + IF YOU CALL FROM AN AREA OTHER THAN NORTH AMERICA, THE FORMAT IS GENERALLY +THE SAME. FOR EXAMPLE, LET'S SAY YOU WANTED TO CALL THE WHITE HOUSE FROM +SWITZERLAND. FIRST YOU WOULD DIAL 00 (THE SWISS INTERNATIONAL DIALING PREFIX), +THEN 1 (THE US COUNTRY CODE), FOLLOWED BY 202-456-1414 (THE NATIONAL # FOR THE +WHITE HOUSE). + + ALSO, COUNTRY CODE 87 IS RESERVED FOR MARITIME MOBILE SERVICE, IE CALLING + + Page 104 + + + + + The Official Phreaker's Manual + +SHIPS: + +871 - MARISAT (ATLANTIC) +872 - MARISAT (PACIFIC) +873 - MARISAT (INDIAN ) + +INTERNATIONAL SWITCHING: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN NORTH AMERICA, THERE ARE CURRENTLY 7 NO. 4 ESS'S THAT PERFORM THE DUTY +OF ISC (INTERNATIONAL SWITCHING CENTERS). ALL INTERNATIONAL CALLS DIALED FROM +NUMBERING ZONE 1 WILL BE ROUTED THROUGH ONE OF THESE "GATEWAY CITIES." THEY +ARE: + +182 - WHITE PLAINS, NY +183 - NEW YORK, NY +184 - PITTSBURGH, PA +185 - ORLANDO, FL +186 - OAKLAND, CA +187 - DENVER, CO +188 - NEW YORK, NY + + THE 18X SERIES ARE OPERATOR ROUTING CODES FOR OVERSEAS ACCESS (TO BE +FURTHER DISCUSSED WITH BLUE BOXES). ALL INTERNATIONAL CALLS USE A SIGNALING +SYSTEM CALLED CCITT. IT IS AN INTERNATIONAL STANDARD FOR SIGNALING. + +COMING SOON: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + IN PART IV, WE WILL DISCUSS SWITCHING EQUIPMENT, VARIOUS OPERATORS, CO +TYPES, ETC. + +PHREAKING LIVES IN '84, + +*****BIOC +*=$=*AGENT +*****003 + +<<=-FARGO 4A-=>> +23-FEB-84 + +REFERENCES/ +ACKNOWLEDGEMENTS: NOTES ON THE NETWORK (AT&T), TAP (ROOM 603, 147W 42 ST, +NEW YORK, NY 10036),UNDERSTANDING TELEPHONE ELECTRONICS,AND MANY OTHERS/TUC, +MULCHER... + + + + + + + + + + + + + + + Page 105 + + + + + The Official Phreaker's Manual + + ************* << BIOC AGENT 003'S COURSE IN >> ************* + * * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * %$ BASIC TELECOMMUNICATIONS $% * + * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * + * PART IV * + * * + ************************************************************ + +PREFACE: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + PART IV WILL DEAL WITH THE VARIOUS TYPES OF OPERATORS, OFFICE HIERARCHY, & +SWITCHING EQUIPMENT. + + +OPERATORS: +<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> + + THERE ARE MANY TYPES OF OPERATORS IN THE NETWORK AND THE MORE COMMON ONES +WILL BE DISCUSSED. + +TSPS OPERATOR: +____________________________________________________________ + + THE TSPS (TRAFFIC SERVICE POSITION SYSTEM) OPERATOR IS PROBABLY THE BITCH +(OR BASTARD FOR THE PHEMALE LIBERATIONISTS) THAT MOST OF US ARE USE TO HAVING +TO DEAL WITH. + +HERE ARE HER RESPONSIBILITIES: + +1) OBTAINING BILLING INFORMATION FOR CALLING CARD OR 3RD NUMBER CALLS. + +2) IDENTIFYING CALLED CUSTOMER ON PERSON-TO-PERSON CALLS. + +3) OBTAINING ACCEPTANCE OF CHARGES ON COLLECT CALLS. + +4) IDENTIFYING CALLING NUMBERS. THIS ONLY HAPPENS WHEN THE CALLING # IS NOT +AUTOMATICALLY RECORDED BY CAMA (CENTRALIZED AUTOMATIC MESSAGE ACCOUNTING) & +FORWARDED FROM THE LOCAL OFFICE. THIS COULD BE CAUSED BY EQUIPMENT FAILURES OR +IF THE OFFICE IS NOT EQUIPPED FOR CAMA (MOST ARE). + + + + YOU SHOULDN'T MESS WITH THE TSPS OPERATOR SINCE SHE KNOWS WHERE YOU ARE +CALLING FROM. SHE ALSO KNOWS WHETHER OR NOT YOU ARE AT A FORTRESS FONE & SHE +CAN TRACE CALLS QUITE READILY. OUT OF ALL THE OPERATORS, SHE IS ONE OF THE +MOST DANGEROUS. + +INWARD OPERATOR: +____________________________________________________________ + + THIS OPERATOR ASSISTS YOUR LOCAL TSPS ("0") OPERATOR IN CONNECTING CALLS. + diff --git a/textfiles.com/phreak/PHREAKING/pnet.phk b/textfiles.com/phreak/PHREAKING/pnet.phk new file mode 100644 index 00000000..ed712ca0 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/pnet.phk @@ -0,0 +1,138 @@ +:%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%: +:% %: +:% PHREAKERS' NET %: +:% Written by The Blue Buccaneer %: +:% %: +:%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%: + + + So you've always wanted to be your own operator? + + So you've always wanted to run your own Long Distance Service? + + So you've always had a slight yearning to make money with minimal amounts + of work on your part? + + So you've always had visions of your computer making you money? + + + Well here's your chance.... + + P H R E A K E R S ' N E T + + Not exactly legal, safe, or feasible - by an exciting idea none the less! + + +Step 1: Set up your LDS system on your computer. + + [Since Phreakers' Net is just an interesting idea and not really intended to +be put to use, you will have to create your own system based on what you read on +my theoritical one in this file. If you really want to run a P Net, contact me +somewhere and I'll see about helping you to write one - What the hell?] + +Step 2: Find your customers. + + This step shouldn't be all that hard as many people should be more than +willing to subscribe to a LDS with a low rate & hi-tech system like yours. Your +rates should be set at about five to ten cents less than say Sprint or whatever +else is available to the customers. You would find your customers personally +and not advertise in any sort of way (this is a scam, remember?). You will only +need a few of them anyway (no more than thirty). + +Step 3: Ok, now you have your "Super Hi-Tech LDS" set up and your customers + lined up. Here is an example of exactly how your awesome system + that beats the hell out of Sprint works: + +- [Fred Johnson, your customer, calls] + + {Note: Your system will be busy a lot (obviously, you only have one line). +But hey! Do they know that? Hell no! Do they realize that they are one of +only a few customers? Nope! They, understandably, will be firm believers in +your great LDS network and will easily believe your excuse that your system is +only able to hand twenty or so callers at one time.} + + (By the way, the motto is: P T&T - The less you hear, the more we laugh!!!) + + Your ever-so-friendly Cat answers and says (notice that Sprint never says much +at all to anyone?): + + Hello. Welcome to the _____ LDS. Please type your identification number: + + {Beats the hell out of a dull tone} + + {At this point your Cat decodes the id number by either TT decoder chip or + by use of the Apple Cassette Input Port (see Tic-Tac-Talker / Apple Talker)} + + {Now your wonderful system starts to show off} + + {After going to Ram-Disk very quickly} + + Hello again, Mr. Fred Johnson of 2600 Alley Street, New York, New York. This +is your 11th call, totaling 128 minutes, 12 seconds and amounting to 31 dollars, +71 cents. Your last call was made on Monday, June 10, 1985 at 3:31pm to +Chicago, Illinois to 312-665-0264. Your call lasted six minutes, 29 seconds. +The total came to three dollars, 43 cents. The Doritos are on sale for $1.67 at +your local grocery store. Thank you for using the _____ Long Distance System. + + {Now if that doesn't convince your customer that your system is bigger and at +least fifty times better than Sprint already (remember his bill is less too), +the guy has serious problems, probably voted for Nixon & still does!) + + Step 4: So, while your furry Cat has been impressing the shit out of this +fool with his life history and local blue light specials, it also has picked up +your second line, dialed the local Sprint port, typed "your" ode, and connected +the line in 3-way with ole Mr. J. who is now heard his life history and ready +to call someone: + + {Cat:} Please enter the number you wish to dial. + + And your awesome system (Sprint) puts the call through! Then your Cat starts +its little Cat Clock to time the length of the call and maybe even starts its +cute tape recorder going. You may wish to have a few good laughs with your +phriends (phreaker friends) that evening reviewing the days conversatins. ( You +might even be lucky enough to pick up some extra cash with blackmail? ) + + Step 5: When the caller wishes to end his conversation he can either hit a +key (like the '*') or just have whoever he called hangup. The Cat would dump +the 3-way and tell the good & kind customer that: + + Your call to Miami, Florida to 305-556-6858 lasted 12 minutes, 42 seconds. +The tolls amount to 4 dollars, 21 cents which will be charged to your bill. + + {Collect the bill personally or have him pay by check to _____ LDS} + + Then after it has recorded all this wonderful information (plus printing the +days take on the top of your screen) your Cat can ask Fred if he would like to +make anyother calls now or simply hang up. I'm sure your system could do a +variety of other things for Fred like crank calling his neighbors, but that is +up to you and your system. + + +:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-: + + + Well good! It made it this time. I originally typed this three days ago, +except my AE blew up. I'll say one thing for it, AE sure does crash in style. +I was inserting lines and all of a sudden we get all kinds of neat music from +the speaker than boom. GONE! Anyways, being to devistated to find the Inspec +and try to recover the file from memory, I went and had lunch. + + +:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-: + + I haven't really come to an answer on how feasible this idea is, but I guess +it could be done with ome help from some of your advanced Phreak friends. A +known way of get an annonomous (safety) line is having them change a payfone +into a regular phone and forwarding the call to your system. + + And as long as the FCC didn't get interested in you, you would be really safe +and probably able to pull in a fair amount of extra cash for doing almost +nothing. You could also charge your customers a one time sign up fee to be a +user of your LDS. + + The toll rate and area code/city converting may be done through various +Applesoft programs available now (see Phone Utilities and Toll Rate Computer). + +:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-: +Call The Works BBS - 1600+ Textfiles! - [914]/238-8195 - 300/1200 - Always Open + \ No newline at end of file diff --git a/textfiles.com/phreak/PHREAKING/ptech.txt b/textfiles.com/phreak/PHREAKING/ptech.txt new file mode 100644 index 00000000..d1250af4 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/ptech.txt @@ -0,0 +1,122 @@ + %MWI% -=> MICRO WORLD INC <=- %MWI% + %MWI% PRESENTS: %MWI% + %MWI% %MWI% + %MWI% The Technical Book %MWI% + %MWI% Of Phreaking %MWI% + %MWI% %MWI% + %MWI% For The Master Phreak to %MWI% + %MWI% Those Just Learning %MWI% + %MWI% Some Definitions %MWI% + %MWI% %MWI% + %MWI%MWI%MWI%MWI%MWI%MWI%MWI%MWI%MWI%MWI%MWI%MWI% + + Created during January and Febuary 1989 + v1.0 + + Introdution to the Article + File One (of four) + + This file was just to be a short set of definitions for those of you who don't know all the phreaking terms. This was requested by a few people on a small 312 board called The Magnetic Field Elite (312-966-0708, call, board has potential) like Th +e Don. But I have decided against making this small file that is common in many places but instead to make something that I have never seen before. Not just a common file but one of high technical use. With a printout of this you will never need to mis +sout on a definition again. But that's not all. The file will discuss, indepth, the working of each of these operations below. If you are viewing this file simply for the sake of finding one meaning I suggest that you get the entire thing and then never + need to call and view phreak files again. + + + + Topic 1: The Phone/Modem + + Scince phreaking is impossible without a phone or modem you I will start with the most important and most complex part of phreaking. The Phone. Now, the phone is a device that transfer sounds as sound enters a receiver, is transfered to an amoun +t of voltage, sent through the telephone lines and decode back to sound. A modem is based on a universal language of sounds transfered through the modem. Modem stands for the work Modulator/Demodulator. This is like receiveing and sending. Now, with m +ost modems, before connecting, tones just are just the same as the tones that a common phone can make. + But the phone can make many tones and some have purposes that are very useful, tones that are reserved for At&t, and thus dangerous. + To go through all the tone would be senseless and a book on tones alone could be written (Hmm...maybe I could...) so I will not go into that. + But, assuming that you know what a box is I will explain what the odd types of modems can do. + If you own an Apple Cat modem you may use it to generate any tone. This is very useful. Some people are against the Cat for various. I will remain neutral on the topic but if you have no understand then phreak the way you see easiest and safest +. + The other way is by using an acoustic modem. You may modify a phone to make certain tones and you may make then send these tones through the acoustic modem by placing the headset of the phone on the acoustic's couplers. + You may also attempt to make the box modfications directly to the modem but if you error and damage the modem alot of money is wasted while you could have used an acoustic and messed up a twenty dollar phone. + Basicaly the common phone can make 18 tones. For example, when you press a number on the phone two tones are made together and make the signal for the number or charater you hit. This is the entire phone to line explantion of the phone. Now the + actual internal working of the phone is very complex and can be best under stood by getting a book from the library on it. + + + + Topic 2: The Calling of Numbers + + + When you call a local number as soon as you hit a number other than one you the phone knows that you are calling localy. Once seven digits are entered the numbers are sent to the nearest switching station and you call goes out. The station deter +mines the units per minute and start billing as soon as the called phone answers. All calls are automaticaly one minute long. If you hit a one as the first digit you dial the phone recignizes this as a long distance call and sends you to either the At&t + switching station or to another long distance service if you have chose to use other than At&t. + If you are using a At&t the call goes through the long distance switching station where unit per minute is determined and then it is refured to the number you called. The call may be slowed down depending on how many times the switching station c +hanges between you and the place you are calling. If it changes between ESS and X-Bar (described below) one it would go through fast. If it changed between them 50 times it would be a very slow call going through. Plus the sound quality may decrease bu +t that is not a fact, just an understanding I have come to when callign long distance with At&t. + If you are calling through any other service, such as MCI, Alnet, Teleco, US Sprint or any of the other endless companies, then things are not the same for long distance calls. + You call first goes to the company you call through and price of call is determined by any of the ways a company determines price. The call then goes out through the lines to the long distance companie's station nearest to the number you dialed a +nd tres to go though. If the number is too far away from a station you may get a "The number you have dialed cannot be reached from your calling area." + Thus, you have the basic information of how call goes out. Now to get to phreaking and the real reson you read this file. + + + + Topic 3: The Long Distance Company and Codes. + + The way of using a different long distance company or not paying a quarter when calling from a payphone. Using the phone card or the code. + Names for these numbers: + 950's + 800's + Extenders. + PBX's + 950 ports + Port + Code port + (Company name) port + + The above mentioned names are the phreaks lifeline. They are places where you call and enter a code, then the area code of the place you want to call and finally the number for the place you want to call. When the code is entered it is checked i +f it is valid and then the person how owns the code pays for the call. If the code is not valid you normaly get a message saying that the code you entered is not valid. + When a call goes through it is the same as a normal long distance call except that it is charged to the owner of the card. + Some places may require that you enter a nine or a one before you enter the code. + Now, the phreak uses these places by calling them over and over again until they get a code. But they do this with a computer and a program such as Hack-a-Matic, Hacking Construction Set (often called HCS), Hack This Buddy, Intellihacker (Old), C +at-(and then a name, for the Apple Cat. Has to many names to list), and some others. These are all Apple programs but there are also code hackers for the Commodor 64, 128, Amiga, IBM (of course) and so on. Most computers have them. + One thing I have found useful is to use a Radio Shack portable computer with a built in modem and hack from other houses, this is much safer. Secrity in these companies run from really tough (MCI) to sad (like the places that tryo to scare off ha +ckers with tape recordings). 950 ports in the ESS area are set up to trace and could do so very easily but for some reson they are against it. Possibly the time and modey to cheack the calls and pay for tracing. Places have gotton tougher though, if th +ree people get busted off a number in one week and this has never happened before then you can almost be sure that they have stepped up security and that it is time to use a new port. + + + Now I will discuss some of the things used by the Phreak. + + Topic 4: The Loop + + Loops, although they may seem fun they are really rather useless. They work as follows. + Two numbers are looped together. Usually they are almost the same just a digit different from one another. If you call the lower number you will wait a few secounds and then hear a 1000mhz. tone. If you call the higher number you will hear noth +ing. If you can one number (dosen't matter which) and someone else calls the other number you will be able to talk to each other. The purpose of these is to test trunk lines. This way they could make sure there was no break in each trunk. + Now the old purpose for loops was that they where free to call so one person would call one and another would call the other and they would get to talk for free. Also, one person might call one number and just wait and talk to whoever called the +other number. Like a two line bridge. + Today you cannot call these without being charged because the phone company caught on. But you can split a phone call with these so if there is a loop between you and a person you want to talk to you can only pay for half by calling the loop. An +d the phone company dosen't care because either way they get their money. + The billing service for a loop is one all by itself, not like normal local calling and for this reson I might almost belive the rumor that Blue Box tones can be used to call loops. + The loops billing service didn't exist awhile back so a call to one was free. Now, if you call this new billing system picks it up. But the loops billing system is just something that At&t scraped together and there are most likly some holes in +the system (like not recording blue box tone generation numbers). + + + Topic 5: The Diverter + + The diverter has been a very simple, yet incredibly usefulthing through the years. To use one you must call, after hours and let someone answer the phone, don't answer them, let them hang up and get a faint dialtone. Then you dial again and call + from the diverter. + Before, you could use a diverter and call through it. The you would only be charged for the call to the diverter, not the one after it. That bill went to the diverter itself. But they fix this problem easily and now you still get charged if you + are in the ESS area. + Also before, you could use a diverter to call a number that traces and instead of being traced to your number it is traced to the diverter. But ESS eliminated that too. + But you can still use a diverter to call hard to reach numbers. Like if you called a place and it gave you a "The number you have dial cannot be reach from your calling area" then if you knew of a diverter in the area of the number you could call + through it to the unreachable number and get through. The way a diverter works is after hours when you call a place the call is forwarded to another place. Then, when you don't answer the person at the other place hangs up and your call tries to +disconnect from the forwared number and you end up at the diverter with it's dialtone. + + + + + Hope this file was of some use to you all. + If you want to see more like it leave me E-mail + on + these great boards! + +------------------------------------------------------------------------------------Ripco - (312)-528-5020 +TFBII - (312)-945-3665 +The Blue Fire + BBS (312)-377-???? sysop: The Micro Master +The Metal AE (201)-879-6668 entry: Kill diff --git a/textfiles.com/phreak/PHREAKING/real.phr b/textfiles.com/phreak/PHREAKING/real.phr new file mode 100644 index 00000000..84b7294e --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/real.phr @@ -0,0 +1,266 @@ + + _____________________________ + | | + *REAL PHREAKERS GUIDE VOL. 1* + | | + * typed and created by * + | | + * Taran King * + | and | + * Knight Lightning * + | | + * Written on 6/10/85 * + |___________________________| + + This guide is written in the same stream as the Real Pirates + Guides, but for the Real Phreak. This is basically what real + phreaks do and don't do according to other real phreaks... + "Written by Real Phreaks for Real Phreaks". This phile has + been written with the compiled ideas of phreaks other than + the two writers listed in the intro. Therefore, we have a + wider view of what you should be like. Well...on with the + show!!! + _____________________________________________________________ + + Phone Phreak - (as defined by Forest Ranger) In the mid- + 1970's, cheating the phone company became the great national + pasttime among a select group known as "Phone Phreaks". + These hearty young souls knew more about the phone network + than many AT&T engineers, and they learned most of it by + reading AT&T technical journals and by experimenting with + their own phones. But today, the Phone Phreaks have been + hurt by a mass group known as the "Rodents". These Rodents + have caused much pain and sorrow to what we know today as + phreaking. This phile will show the do's and don't's of a + real Phone Phreak... + _____________________________________________________________ + + + Real phreaks don't just leech off of BBS messages for their + codes. + + Corollary: Real phreaks know that codes posted on BBS's are + the most used and are probably the closest to being unsafe. + Also, it is a known fact that pheds occasionally plant trap + codes (codes with traces) to catch the phreak at work. + + Real phreaks don't worry about spelling. If their preference + of spelling cool (K00L) is different from someone elses, they + don't worry about what they say. + + Real phreaks don't try to bluebox from their home if they + have ESS. + + Corollary: Real phreaks know that almost anything on ESS + besides phreaking from your home is unsafe! + + Real phreaks don't call out of state Atari boards (unless + they of course are an Atari looking for wares) unless + it is a phreak board (a rare case!). + + Real phreaks don't even attempt to use 2400 baud on + extenders. + + Corollary: Real phreaks hope for the day that + MCI/Sprint/Metro/etc. make it safe for phreaks to do 2400 + baud transmissions. + + Corollary 2: Real phreaks know that extenders are the same as + phreak numbers as MCI and any other service. + + Real phreaks read the Basic Telecommunications philes by BIOC + Agent 003 to find out what is safe and what is not. + + Real phreaks have been on a conference. + + Corollary: Real phreaks know how, and could at their will, + any time, set up a conference. + + Real phreaks don't try to use pulse fones on an extender. + + Corollary: If they don't have a touch tone fone, they know to + use Travelnet's voice verification (even though it's not the + safest to use from your home). + + Real phreaks don't have problems obtaining numbers to their + local long distance service. + + Corollary: Real phreaks don't post messages asking for the + number to the local long distance service dial-up. + + Real phreaks don't spend hours redialing Diversi-Dials all + over the country, knowing that they are basically the same, + and it won't help to keep the code valid. + + Corollary: Real phreaks don't call Diversi-Dials to get + recognition on their name because they know that other people + call up Diversi-Dials under false handles of other phreaks to + get attention. + + Real phreaks pirate. + + Real phreaks don't work for any government agency. + + Real phreaks don't bust other phreaks (for any reason). + + Real phreaks know that P-80 isn't a legal board for you to + call and voice your opinion about the new P-80 model of the + TRS computer. + + Corollary: Real phreaks don't call boards named "H.O.M.E.", + "Family Circus", or anything else that indicates family + outings on the BBS's. + + Real phreak boards aren't named "Phreak/Hack Centre USA" and + have their number posted on the Compu-Serve national BBS + listing. + + Real phreaks have better things to do with their time than + have Compu-Sex through a Diversi-Dial, E-mail, or any + Dial-Your-Match BBS. + + Corollary: Real phreaks get the real thing. + + Real phreaks don't listen to Duran Duran...ever! + + Corollary: Real phreaks change the channel with swiftness if + they hear any gay group come onto the channel they are + listening to. + + Real phreaks aren't named "Mr. Phreak" on boards like + "H.O.M.E." or any legal board. + + Corollary: Real phreaks can think up a creative name unlike + "Mr. Phreak" for their permanant name. + + Real phreaks don't watch Saturday morning cartoons. + + Real phreaks don't use their codes to call up sysops of + boards all over the country to bother them voice for hours. + + Real phreaks don't have to start G-philes disks by leeching + off of other phreaks because they are original enough to + realize that they are readily available on most phreak + boards. + + Real phreaks can spot a rodent 10 miles away. + + Real phreaks don't get sext (sex text) philes to get off by. + + Real phreaks don't watch the Bible Banger's shows on Sunday + mornings. + + Real phreaks know how to separate phreak messages and hack + messages. + + _____________________________________________________________ + + Well, that about wraps it up for Real Phreakers Guide Volume + 1. If there is already a volume one for a Real Phreakers + Guide, well, this is our volume one. If any of this is + copied from your Real Phreakers Guide, we apologize, but this + has all been original. This has been brought around with the + help of the following phreaks: + Forest Ranger, The Lone Ranger, Napoleon Solo, and other + minor phreaks that I might have missed. + + Real Phreakers Guide Volume 1 --- by Taran King and Knight + Lightning + + From Metal Shop: Dark Tower Phase II --- 314-432-0756 + Many more philes where this one came from!!! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/textfiles.com/phreak/PHREAKING/realpwoc.txt b/textfiles.com/phreak/PHREAKING/realpwoc.txt new file mode 100644 index 00000000..4bfe72e6 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/realpwoc.txt @@ -0,0 +1,360 @@ + R.A.G. T.I.M.E. + THANX TO PIRATES TREK + HOW TO BE A REAL PHREAK + THE WORLD OF CRYTON + [414] 246-3965 + + IN THE PHONE PHREAK SOCIETY THERE ARE CERTAIN VALUES THAT EXIST IN ORDER TO BE +A TRUE PHREAK, THESE ARE BEST SUMMED UP BY THE MAGICIAN: "MANY PEOPLE THINK OF +PHONE PHREAKS AS SLIME, OUT TO RIP OFF BELL FOR ALL SHE IS WORTH. NOTHING +COULD BE FURTHER FROM THE TRUTH! GRANTED, THERE ARE SOME WHO GET THEIR KICKS +BY MAKING FREE CALLS; HOWEVER, THEY ARE NOT TRUE PHONE PHREAKS. REAL PHONE +PHREAKS ARE 'TELECOMMUNICATIONS HOBBYISTS' WHO EXPERIMENT, PLAY WITH AND LEARN +FROM THE PHONE SYSTEM. OCCASIONALY THIS EXPERIMENTING, AND A NEED TO +COMMUNICATE WITH OTHER PHREAKS ( WITH- OUT GOING BROKE), LEADS TO FREE CALLS. +THE FREE CALLS ARE BUT A SMALL SUBSET OF A >TRUE< PHONE PHREAKS ACTIVITIES. + + THE TEN COMMANDMENTS + +REPRINTED FROM TAP ISSUE #86. (TAP, ROOM 603, 147 W 42 STREET, NEW YORK, NY +10036. SEND A SASE FOR THEIR INFO SHEET "WHAT THE HELL IS TAP?" AND TELL THEM +THAT BIOC AGENT 003 TOLD YOU ABOUT IT.) + + THE PHONE PHREAK'S TEN COMMANDMENTS + + I. BOX THOU NOT OVER THINE HOME TELEPHONE WIRES, FOR THOSE WHO DOEST MUST + SURELY BRING THE WRATH OF THE CHIEF SPECIAL AGENT DOWN UPON THY HEADS. + + II. SPEAKEST THOU NOT OF IMPORTANT MATTERS OVER THINE HOME TEL- EPHONE + WIRES, FOR TO DO SO IS TO RISK THINE RIGHT OF FREEDOM. + + III. USE NOT THINE OWN NAME WHEN SPEAKING TO OTHER PHREAKS, FOR THAT EVERY + THIRD PHREAK IS AN FBI AGENT IS WELL KNOWN. + + IV. LET NOT OVERLY MANY PEOPLE KNOW THAT THY BE A PHREAK, AS TO DO SO IS TO + USE THINE OWN SELF AS A SACRIFICIAL LAMB. + + V. IF THOU BE IN SCHOOL, STRIVE TO GET THIN SELF GOOD GRADES, FOR THE + AUTHORITIES WELL KNOW THAT SCHOLARS NEVER BREAK THE LAW. + + VI. IF THOU WORKEST, TRY TO BE A EMPLOYEE, AND IMPRESSEST THINE BOSS WITH + THINE ENTHUSIASM, FOR IMPORTANT EMPLOYEES ARE OFTEN SAVED BY THEIR OWN + BOSSES. + + VII. STOREST THOU NOT THINE STOLEN GOODES IN THINE OWN HOME, FOR THOSE WHO DO + ARE SURELY NON-BELIEVERS IN THE BELL SYSTEM SECURITY FORCES, AND ARE NOT + LONG FOR THIS WORLD. + +VIII. ATTRACTEST THOU NOT THE ATT- ENTION OF THE AUTHORITIES, AS THE LESS + NOTICABLE THOU ART, THE BETTER. + + IX. MAKEST SURE THINE FRIENDS ARE INSTANT AMNESIACS AND WILL NOT REMEMBER + THAT THOU HAVE CALLED ILLEGALLY, FOR THEIR COOPERATION WITH THE + AUTHORITIES WILL SURELY LESSEN THINE TIME FOR FREEDOM ON THIS EARTH. + + X. SUPPORTEST THOU TAP, AS IT IS THINE NEWSLETTER, AND WITHOUT IT, THY WORK + WILL BE FAR MORE LIMITED. + + CN/A NUMBERS + + CUSTOMER NAME & ADDRESS BUREAUS EXIST SO THAT AUTHORIZED BELL EMPLOYEES MAY +OBTAIN THE NAME & ADDRESS OF ANY CUSTOMER IN THE BELL SYSTEM BY GIVING THE CN/A +OPERATOR THE CUSTOMER'S TEL. # ALL CUSTOMERS ARE MAINTAINED ON FILE INCLUDING +UNLISTED #'S. THESE BUREAUS HAVE MANY USES FOR PHREAKS. + +HERE IS HOW AN EMPLOYEE MIGHT GO ABOUT CALLING CN/A: +"HI, THIS IS JOHN DOE FROM THE MIAMI RESIDENTAL SERVICE CENTER, CAN I HAVE THE +CUSTOMERS NAME AT (123) 555-1212." THE EMPLOYEES USUALLY USE THESE FOR CHECKING +WHO BELONGS TO A # THAT SOMEONE CLAIMED THEY DIDN'T CALL. + +IF YOU SOUND CHEERY AND NATURAL THE OPERATOR WILL NEVER ASK ANY QUESTIONS. IF +YOU DON'T SOUND LIKE A MATURE ADULT, DON'T USE IT! ALWAYS PRACTICE FIRST & SO +YOU DON'T SCREW UP AND MAKE THE OPERATOR SUSPICIOUS. USE NAME THAT SOUNDS +REAL, NOT YOUR PIRATE NAME EITHER! ALSO SAY THAT YOU ARE FRO A CITY THAT IS +FAR AWAY FROM THE ONE THAT YOU ARE CALLING. + +THE CN/A NUMBER FOR THE NY AREA & VICINITY (212, 315, 516, 518, 607, 716, & +914) IS>>>>>>>>>(518) 471-8111<<<<<< AND IS OPEN DURING BUSINESS HOURS. + [DON'T ABUSE IT!] + + AT&T NEWSLINES + + AT&T NEWSLINES ARE NUMBERS AT AREA PHONE OFFICES THAT TELCO EMPLOYEES CALL TO +FIND OUT THE LATEST INFO ON NEW TECHNOLOGY, STOCKS, ETC. THE RECORDED REPORTS +RANGE FROM VERY BORING TO VERY INTERESTING. + +HERE ARE A FEW OF THE NUMBERS: + *(201) 483-3800 NJ (518) 471-2272 NY + (203) 771-4920 CN (717) 255-5555 PA + (212) 393-2151 NY (717) 787-1031 PA + (516) 234-9941 NY *(914) 948-8100 NY + +SOME OF THESE NUMBERS ARE TOLL-FREE, BUT YOU CAN'T ALWAYS COUNT ON IT. + +* THESE NUMBERS ARE NOT ALWAYS UP! + +NUMBERS FROM OTHER AREAS ARE AVAILABLE BY REQUEST FROM F)BIOC L)AGENT 003. + + ANI NUMBERS + + ANI NUMBERS IDENTIFY THE PHONE NUMBER THAT YOU ARE CALLING FROM. IT IS USEFUL +WHEN PLAYING IN CANS (THOSE BIG SILVER BOXES ON TELEPHONE POLES) TO FIND OUT +THE # OF THE LINE. IT IS ALSO GOOD TO FIND OUT THE # OF A PHONE THAT DOESN'T +HAVE IT PRINTED ON IT. IN THE 914 AREA CODE THE ANI # IS 990. IF YOU JUST +HAVE TO DIAL THE LAST 4 DIGITS FOR A LOCAL #, IE CONGERS (268), DIAL +1-990-1111, WHERE 1111 ARE DUMMY DIGITS THERE IS ALSO A LESS USEFUL TYPE OF ANI +# WHICH WILL IDENTIFY THE AREA CODE & EXCHANGE. IT IS NXX-9901, WHERE NXX IS +THE EXCHANGE. IN THE 212 & 516 AREA CODES THE ANI # IS 958. + + PHREAK NEWSLETTER + + TAP IS THE "OFFICIAL" PHONE PHREAK NEWSLETTER, AND HAS EXISTED SINCE 1971. +EACH 4 PAGE ISSUE IS CRAMMED FULL OF INFORMATION ON PHONE PHREAKING, COMPUTER +PHREAKING, FREE GAS, FREE ELECTRICITY, FREE POSTAGE, BREAKING & ENTERING INFO, +ETC. IT IS LARGELY PHONE PHREAK ORIENTED, HOWEVER. + + A 10 ISSUE SUBSCRIPTION COSTS $8.00, IF YOU GET A BULK RATE SEALED ENVELOPE +SUBSCRIPTION. I WOULD RECOMMEND THE FIRST CLASS SUBSCRIPTION, WHICH IS $10. + + AS OF THIS WRITING (7-16-83), THE CURRENT ISSUE IS #86, AND ISSUE #50 IS 8 +PAGES INSTEAD OF THE USUAL 4. BACK ISSUES ARE $0.75 EACH, AND ISSUE #50 IS +$1.50. A BRIEF INDEX TO THE FIRST 80 ISSUES IS AVAILABLE FOR A SASE, OR FREE +WITH A SUBSCRIPTION ORDER. TAP IS NON-PROFIT, AND IN DESPERATE NEED OF +MATERIAL (ARTICLES), MONEY, AND VOLUNTEERS. + + TAP + ROOM 603 + 147 WEST 42ND STREET + NEW YORK, NY 10036 + +BELIEVE ME: IT WILL BE THE BEST $10 YOU WILL EVER SPEND... + + BLACK BOX + + THE BLACK BOX IS A DEVICE THAT ATTACHED TO A CALLED PARTIES PHONE THAT +ALLOWS HIM/HER TO RECEIVE FREE LONG DISTANCE CALLS FROM FRIENDS WHO +CALL. + + YOU ONLY NEED 2 PARTS: A SPST TOGGLE SWITCH AND A 10,000 OHM (10 K), +1/2 WATT, 10% RESISTOR. ANY ELECTRONICS PLACE SHOULD HAVE THESE. + + NOW, CUT TWO PIECES OF WIRE, ABOUT 6 INCHES, AND ATTACH THESE TO THE +TWO SCREWS ON THE SWITCH. TURN YOUR NORMAL DDSIDE DOWN AND UNSCREW THE 2 +SCREWS. LOCATE THE "F" AND "RR" SCREWS ON THE NETWORK BOX. WRAP THE +RESISTOR BETWEEN THESE 2 SCREWS AND MAKE SURE THAT THE WIRES TOUCH ONLY THE +PROPER TERMINALS! NOW CONNECT ONE WIRE FROM THE SWITCH TO THE RR TERMINAL. +FINALLY, ATTACH THE REMAINING WIRE TO THE GREEN WIRE (DISCONNECT IT FROM ITS +TERMINAL). NOW BRING THE SWITCH OUT THE REAR OF THE PHONE AND CLOSE IT UP. +PUT THE SWITCH IN A POSITION WHERE YOU GET A DIAL TONE, MARK THIS NORMAL. +MARK THE OTHER SIDE FREE. + + WHEN YOUR FRIENDS CALL (AT A PREARRANGED TIME), QUICKLY LIFT & DROP THE +RECEIVER AS FAST AS POSSIBLE. THIS WILL STOP THE RINGING, IF NOT TRY AGAIN. IT +IS VERY IMPORTANT THAT YOU DO IT FAST! NOW PUT THE SWITCH IN THE FREE POSITION +AND PICK UP THE PHONE. KEEP ALL CALLS SHORT & UNDER 15 MINUTES. WHEN SOMEONE +CALLS YOU LONG-DISTANCE, THEY ARE BILLED FROM THE MOMENT YOU ANSWER. THE TELCO +KNOWS WHEN YOU ANSWER DUE TO A CERTAIN AMOUNT OF VOLTAGE THAT FLOWS WHEN YOU +PICK UP THE PHONE. HOWEVER, THE RESISTOR CUTS DOWN ON THE VOLTAGE SO IT IS +BELOW THE BILLING RANGE BUT SUFFICIENT ENOUGH TO OPERATE THE MOUTHPIECE. +ANSWERING THE PHONE FOR A FRACTION OF A SECOND STOPS THE RING BUT IT IS NOT +ENOUGH FOR BILLING TO START. IF THE PHONE IS ANSWERED FOR EVEN ONE FULL SECOND, +BILLING WILL START AND YOU WILL BE CUT OFF WHEN YOU HANG UP AND SWITCH TO +FREE. + +WARNING: BELL CAN RANDOMLY LOOK FOR BLACK BOXES SO BE CAREFUL! + +--------------------------------------- +: : +***BLUE WIRE**>>F< : +: * * : +**WHITE WIRE**** * : +: * : +: RESISTOR : +: * : +: * : +: >RR<*******SWITCH*** : +: * : +****GREEN WIRE********************* : +: : +--------------------------------------- + + DIAL LOCKS + + HAVE YOU EVER BEEN IN AN OFFICE OR SOMEWHERE AND WANTED TO MAKE A FREE FONE +CALL BUT SOME ASSHOLE PUT A LOCK ON THE FONE TO PREVENT OUT-GOING CALLS? + +FRET NO MORE PHELLOW PHREAKS, FOR EVERY SYSTEM CAN BE BEATEN WITH A LITTLE +KNOWLEDGE! + +THERE ARE TWO WAYS TO BEAT THIS OBSTACLE, FIRST PICK THE LOCK, I DON'T HAVE THE +TIME TO TEACH LOCKSMITHING SO WE GO TO THE SECOND METHOD WHICH TAKES ADVANTAGE +OF TELEPHONE ELECTRONICS. + +TO BE AS SIMPLE AS POSSIBLE, WHEN YOU PICK UP THE FONE YOU COMPLETE A CIRCUIT +KNOW AS A LOCAL LOOP. WHEN YOU HANG-UP YOU BREAK THE CIRCUIT. WHEN YOU DIAL +(PULSE) IT ALSO BREAKS THE CIRCUT BUT NOT LONG ENOUGH TO HANG UP! SO YOU CAN +"PUSH-DIAL." TO DO THIS YOU >RAPIDLY< DEPRESS THE SWITCHHOOK. FOR EXAMPLE, TO +DIAL AN OPERATOR (AND THEN GIVE HER THE NUMBER YOU WANT CALLED) >RAPIDLY< & +>EVENLY< DEPRESS THE SWITCHHOOK 10 TIMES. TO DIAL 634-1268, DEPRESS 6 X'S +PAUSE, THEN 3 X'S, PAUSE, THEN 4 X'S, ETC. IT TAKES A LITTLE PRACTICE BUT +YOU'LL GET THE HANG OF IT. TRY PRACTICING WITH YOUR OWN # SO YOU'LL GET A BUSY +TONE WHEN RIGHT. IT'LL ALSO WORK ON TOUCH-TONE(TM) SINCE A DTMF LINE WILL ALSO +ACCEPT PULSE. ALSO, NEVER DEPRESS THE SWITCHHOOK FOR MORE THAN A SECOND OR +IT'LL HANG-UP! + +FINALLY, REMEMBER THAT YOU HAVE JUST AS MUCH RIGHT TO THAT FONE AS THE ASSHOLE +WHO PUT THE LOCK ON IT! + + EXCHANGE SCANNING + +ALMOST EVERY EXCHANGE IN THE BELL SYSTEM HAS TEST #'S AND OTHER "GOODIES" SUCH +AS LOOPS WITH DIAL-UPS. + +THESE "GOODIES" ARE USUALLY FOUND BETWEEN 9900 AND 9999 IN YOUR LOCAL EXCHANGE. +IF YOU HAVE THE TIME AND INITIATIVE, SCAN YOUR EXCHANGE AND YOU MAY BECOME +LUCKY! + + HERE ARE MY FINDINGS IN THE 914-268 EXCHANGE: + +9900 - ANI (SEE SEPARATE BULLETIN) +9901 - ANI (SEE SEPARATE BULLETIN) +9927 - OSC. TONE (POSSIBLE TONE SIDE OF A LOOP) +9936 - VOICE # TO THE TELCO CENTRAL OFFICE +9937 - VOICE # TO THE TELCO CENTRAL OFFICE +9941 - COMPUTER (DIGITAL VOICE TRANSMISSION?) +9960 - OSC. TONE (TONE SIDE LOOP) -- MAY ALSO BE A COMPUTER IN SOME EXCHANGES +9961 - NO RESPONSE (OTHER END OF LOOP?) +9962 - NO RESPONSE (OTHER END OF LOOP?) +9963 - NO RESPONSE (OTHER END OF LOOP?) +9966 - COMPUTER (SEE 9941) +9968 - TONE THAT DISAPPEARS--RESPONDS TO CERTAIN TOUCH-TONE KEYS + +MOST OF THE NUMBERS BETWEEN 9900 & 9999 WILL RING OR GO TO A "WHAT #, PLEASE?" +OPERATOR. + +HAVE PHUN AND REMEMBER IT'S ONLY A LOCAL CALL! + + TOUCH-TONE & FREE CALLS + +THERE ARE SEVERAL WAYS TO MAKE FREE CALLS (SPRINT, MCI, ETC.) USING A ROTARY +PHONE. THEY ARE: + + 1. USE A NUMBER THAT ACCEPTS VOICE AS WELL AS DTMF. SUCH A # IS (800) + 521-8400. AS OF WRITING THIS, A CODE WAS 57617895. + A) IF USING VOICE, WAIT FOR THE COMPUTER TO SAY, "AUTHORIZATION #, + PLEASE." THEN SAY EACH DIGIT SLOWLY, IT WILL BEEP AFTER EACH DIGIT IS + SAID. AFTER EVERY GROUP OF DIGITS, IT WILL REPEAT WHAT YOU HAVE SAID, + THEN SAY YES IF IT IS CORRECT, OTHERWISE SAY NO. IF THE ACCESS CODE IS + CORRECT, IT WILL THANK YOU AND ASK FOR THE DESTINATION #, THEN SAY THE + AREA CODE + NUMBER AS ABOVE. ANOTHER SUCH # IS (800) 245- 8173, WHICH + HAS A 6 DIGIT ACCESS CODE. (NOTE: IF USING TOUCH-TONE ON THIS #, ENTER + THE CODE IMMEDIATELY AFTER THE TONE STOPS.) + + 2. HOOK UP A TOUCH-TONE FONE INTO YOUR ROTARY FONE. ATTACH THE RED WIRE FROM + THE TOUCH-TONE FONE TO THE "R" TERMINAL INSIDE THE FONE ON THE NETWORK + BOX. THEN HOOK THE GREEN WIRE TO THE "B" TERMINAL. TO USE THIS DIAL THE +# + USING ROTARY & THEN USE THE TOUCH-TONE FOR THE CODES. (DON'T HANG UP THE + ROTARY FONE WHILE DOING THIS THOUGH!) IF THIS DOESN'T WORK THEN REVERSE + THE 2 WIRES. (NOTE: IF YOUR LINE CAN ACCEPT TOUCH-TONE BUT YOU HAVE A + ROTARY FONE THEN YOU CAN HOOK UP A TONE FONE DIRECTLY FOR ALL CALLS BUT + THIS USUALLY ISN'T THE CASE.) SUCH AS RADIO SHACK'S 43-138. + +OTHER ALTERNATIVES + + 4. USE A CHARGE-A-CALL FONE. (THESE ALSO MAKE GREAT EXTENTIONS IF YOU REMOVE + IT USING A HEX WRENCH WITH A HOLE IN THE MIDDLE ON THE CENTER SCREW! + THESE FONES FOR THE BENEFIT OF THOSE WHO DON'T KNOW ARE BLUE WITH NO COIN + SLOTS) + + 5. USE A PAY FONE THAT WANTS YOUR MONEY BEFORE THE DIAL TONE. PUT IN YOUR + DIME, DIAL THE #; IF IT'S AN 800 # THEN YOUR DIME WILL COME BACK, + IMMEDIATELY PUT A DIME BACK IN (IT'LL COME BACK WHEN YOU HANG UP!) IF IT + IS A TONE FIRST FONE AND IT DISCONNECTS THE KEYPAD (SOME DON'T) THEN FIND + ANOTHER FONE. + + TELCO TRACING + +THE GOOD 'OL DAYS: +------------------ + +WAY BACK BEFORE I WAS A PHREAK, MA BELL WOULD HAVE TO MANUALLY TRACE A CALL IF +THEY THOUGH SOMETHING WAS FUCKED UP. FIRST THEY WOULD SEND A 2000 HZ TRACING +TONE, THE WOULD BE FOLLOWED B ALOT OF NOISE AND CLICKS. IT TOOK ABOUT 2-3 +MINUTES TO TRACE A CALL AND ALOT OF PEOPLE WERE INVOLVED IN THE PROCESS. SO AT +1 IN THE MORNING THEY WOULD HAVE TO WAKE UP PEOPLE FOT THE TRACEES (PHREAK +JARGON FOR A PAY FONE). BUT NEVER USE THE SAME ONE MORE THAN ONCE OR TWICE +BECAUSE THE GESTAPO(ER..EXCUSE ME MEAN BELL SECURITY) HAS BEEN KNOW FOR STAKING +OUT TROUBLED FORTRESSES. IT'S ALSO POSSIBLE FOR TRAVELNET OR SP TO ASK FOR A +TROUBLE # BUT THE TELCO IS SLOW IN PROCESSING STUFF--ESPECIALLY FOR THE +COMPETITION--SO DON'T FRET PHELLOW PHREAKS. + +MODERN TECHNOLOGY: +------------------ +THIS CAN BE ATTRIBUTED TO ESS + CCIS WHICH CAN BE TRACED IN 1 SECOND. + + MISCELLANEOUS STUFF + +HERE ARE A PHEW (PUSHING IT ON THAT WORD) BITS OF INFO ON TELEPHONE ELEC- +TRONICS. IF YOU DON'T APPRECIATE IT THEN I SAY PHUCK U. + +VOLTAGES: + +WHEN YOUR FONE IS ON-HOOK (IE-HUNG UP) THERE IS A 48 VOLT DC CURRENT FLOWING +THROUGH THE LINE ( I HAVE A GREAT IDEA ABOUT HOOKING A BATTERY CHARGER UP TO MY +FONE ). WHEN THE FONE IS OFF-HOOK THE VOLTAGE DROPS DOWN TO AROUND 15VDC. THE +BLACK BOX (SEE SEPARATE ARTICLES) EXPLOITS THIS FOR FREE CALLS SINCE BELL USES +THIS VOLTAGE DROP WHEN THE CALLED PARTY PICKS UP TO START BILLING. BELL MAY +ALSO REVERSE THE POLARITY OF THE LINE TO START BILLING--IF YOU HAVE A TONE FONE +THE KEYPAD WON'T WORK IF THE POLARITY IS REVERSED. USUALLY, THE RED WIRE IS +CALLED THE TIP SINCE IT IS THE MORE (+) OF THE 2 WIRES + THE GREEN WIRE IS +CALLED THE RING (-). + +RING TRIP: + +WHEN SOMEONE CALLS YOU BELL HAS TO SEND 90 VOLTS AC DOWN YOUR LINE AT ABOUT 60 +HZ TO ACTIVATE YOUR BGLL (THIS IS WHY DEAF PEOPLE CAN HAVE LIGHT BULBS FANS GO +OFF INSTEAD OF A BELL). THE DEVICE THAT DOES THE RINGING IS CALLED A RINGING +GENERATOR ANDTH PROCESS OF RINGING IS CALLED A RING TRIP. THIS COSTS BELL +MONEY AND THEY DON'T LIKE USING ALL THAT ELECTRICITY FROM THE LOCAL RIP-OFF +POWER COMPANY- SO LET IT RING. THIS IS ALSO, HOW BELL CAN CHECK FOR EXTRA +FONES FROM THEIR CENTRAL OFFICE BY SEEING HOW MUCH VOLTAGE THE LINE TAKES WHILE +RINGING AND THEY CAN TELL HOW MANY FONES YOUR NOT SUPPOSE TO HAVE. SOLUTION: +DISCONNECT THE BELL. + + MODERN TECHNOLOGY: +------------------ + +THE 2 WORST ENEMIES TO THE PHREAK BESIDES THE FBI + BELL SECURITY,ARE: ESS + +CCIS. ESS STANDS FOR ELECTRONIC SWITHCING SYSTEM AND IT CAN TRACE A CALL IN +SECONDS, IT ALSO RECORDS ALL CALLS AND CAN EVEN TAP INTO LINES (ER.. I MEAN +CHECK FOR LINE QUALITY) AND RECORD CALLS. CCIS STANDS FOR COMMON CHANNEL +INTER-OFFICE SIGNALING AND IT ALLOWS FOR CONTROL SIGNALS TO BE SENT VIA +SEPARATE DATA LINKS INSTEAD OF TONES OVER THE VOICE CHANNEL--START KISSING YOUR +BLUE BOX GOODBYE. + + + +SOURCES: +-------- + +FOR THOSE OF YOU WHO WANT TO GO MORE IN-DEPTH ON THE SUBJECT OF SHIT, I +RECOMMEND THE FOLLOWING READING MATERIAL: + + 1) ELECTRONICS COURCES A-B, TAP, ROOM 603, 147 W. 42 ST., NY, NY 10036. @ 75 + CENTS EA. + + 2) UNDERSTANDING TELEPHONE ELECT.'S, TEXAS INSTRUMENTS, RADIO SHACK MAY HAVE + IT. + + 3) A MULTITESTER + YOUR FONE FOR YOUR OWN EXPERIMENTING. + + 4) MISC. INFO FROM SEVERAL SOURCES MAKE FRIENDS + GET YOUR OWN CONNECTIONS. + + +*****BIOC AGENT 003 +*****PHREAK ADVISOR OF PIRATE TREK + *914-634-1268 + THANKS TO PIRATES TREK !! + + \ No newline at end of file diff --git a/textfiles.com/phreak/PHREAKING/rodeguid.txt b/textfiles.com/phreak/PHREAKING/rodeguid.txt new file mode 100644 index 00000000..b9ae1982 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/rodeguid.txt @@ -0,0 +1,307 @@ + + +HEY KIDZ!!! + +It's the R0DENTS guide to PHREAKING! + + +////////////////////////////////////////////////////////////////////////////// +/ / +/ THE R0DENTS GUIDE TO / +/ PHREAKING! / +/ / +/ by Weapons Master / +/ / +////////////////////////////////////////////////////////////////////////////// + + Feel like a R0DENT because you don't know what a 950 is? Do you pretend +to be ELITE all day and then cry at night as you realize you're just a R0DENT +P0SER? Well, look on the bright side... you'll get the LAST LAUGH when your +friends get BUSTED FOR 950s!!! But if you still want to learn something +anyway, read this file and learn the basics. + +btw this file isn't just for RODENTS, of course, it's for anyone who wants to +learn a little more about phreaking. Just to set something straight, +phreakings not really my thing. I'm a kid programmer who knows a zillion +computer languages. Next, I'm an aspiring hacker. I just picked up phreaking +along the way. However, it seems like every week I get a call from some runt +who wants to know how to phreak, so it seems there's definately a demand for +this sort of thing. And anyway, I don't mind helping runts... how are they +ever going to grow up, give me codes and info, and eventually get BUSTED while +I get off scot free if I don't get them started? + + Hey, another thing, this file isn't going to have too many specifics, so +if you're just gonna scan it for code templates and extenders, don't bother. +Talk to me directly if you want that sort of info. + +okay, so let's say you're really a rodent, and don't even know what phreaking +is. I'll explain phreaking and give some historical background on it. If +you're too cool for this section, go ahead and skipt it, but you'll sure feel +like a T0TAL L00ZER when someone posts "Hey, whatever happened to Captain +Crunch", and you reply "Well, my favorite's the crunchberries." Then you +wonder why you've been given SLUG access on all the elite boards. (That's +where you call, and the only main menu option you can select is 'G' for +goodbye.) + + The original definition of phreaking was "exploring the phone system", +but since it's degenerated into just making free fone calls. I guess a good +working definition of phreaking is 'phone tricks'. + + Phreaking started with Captain Crunch, the cereal. In the late 70s, +Captain Crunch cereal was giving away a whistle in its cereal, one of those +free toys that you get. Well, a group of blind kids learned that the whistle +made a perfect 2600hz tone, and if one of them blew the whistle into the fone, +they could do all sorts of amazing things, such as get free fone calls to +anywhere. They shared this secret with a man named John Draper, who would +from this moment on be called Captain Crunch. He was the first fone phreak. +Not long after the blue box was invented, a box that made several different +tones. Later in life you could find Captain Crunch driving down roads and +pulling up to payfones in his vw bug loaded with electronics equipment, and +just staying there for days at a time, calling places, tapping people's lines +and doing all sorts of arcane things I can't begin to imagine. btw he was +eventually busted for Fone Fraud. + + Anyway, lots of people got into the blue box thing.. the founders of +Apple would hold demonstrations in their dorm (before the made the famous +Crapple II) where they would use a blue box and a payfone and box the call +around the world to a payfone right beside them. + + btw Blue Boxing doesn't work anymore, so don't rush out and download a +blue box plan. Using a blue box from home is one of the surest ways to have +the Gestapo (Fone police) at your door. Try it next time you're having fone +trouble if you want to get good service... just have a lawyer handy. + + So when blue boxing got dangerous, people turned to code hacking. Code +hacking was great, you could just set up a good code hacker all night when you +slept, and have a bunch of codes by morning. Almost noone got caught, and the +phreakers had a field day, making calls wherever they wanted. It wasn't quite +as easy as blue boxing, and you couldn't do quite so many things (such as +tapping people's lines or boxing calls around the world), but it still was +easy. + + People may disagree with me, but I think that the code hacking days are +over. Nowadays the companies are getting smarter, and an extender that once +was thought of as safe suddenly busts four people. Sure, there are still some +safe extenders, but you never know which ones they are without putting your +freedom at risk. Nowadays a good pbx is worth its weight in gold, and a +reliable outdial can also do wonders. For those into ninja/espionage shit, +there's also beige boxing, but that's a little much for me. + + What's the future? To me it looks like a cellular fone with the rom +reprogrammed. I don't have a cellular fone, but from what I understand, get a +nice supply of proms, and rom programmer, and you'll be making free fone calls +off your cellular fone for years. Unfortunately, it'll be a few years before +most of us can afford a cellular fone. + + + okay, HISTORY LESSON'S OVER. Now let's talk about phreaking. What can + you do with phreaking? + + 1. Make free fone calls. (If you didn't know this, please SLAM your + keyboard into your SKULL.) + 2. Get somebody's address and name from their phone number. + 3. Tap other people's fone lines. + 4. Make conference calls. + 5. Take over voice mail boxes. + + I'll discuss each of these briefly, except the first. I'll reserve a +whole section for that. + +GET SOMEONE'S NAME AND ADDRESS FROM THEIR FONE NUMBER + + It's called a CNA. CNA stands for customer name and address. Bell has +certain super/secret departments called CNA bureaus. You can call one of +them, and get the name and address for any fone number you want. How do you +find CNA numbers? Get yourself a copy of Professor Falken's Phreak Tools, and +it has a list of them. If the number's out of date, then you're out of luck. +The way it works is there's one number for each area code. + + What do you say when you call? I'm not quite sure, but "I'm David Ross +from Customer Service in Detroit. Can you give me the name and address on +xxx-xxxx? Thanks." They may ask you a password. In that case, you're shit +out of luck. But I hear they usually don't. + +TAP OTHER PEOPLE'S FONE LINES + + This is ninja shit, hardly phreaking. Build yourself an FM wireless mike, +and go to their house, and install it on the bell box outside their house. I +really haven't tried this, and probably won't, unless I suspect my +girlfriend's cheating on me or something. + +MAKE CONFERENCE CALLS + + Simple, call ALIANCE TELECONFERENCING, and tell them you want to make a +conference call. They'll be more than happy to help you. WAIT, but you don't +want to pay for it? Well, use a pbx. More on these below. + +TAKE OVER VOICE MAIL BOXES + + Wouldn't it be fun to have a voice mail box (VMB) so all your friends +around the country could leave you messages for free? Well, maybe it would, +but I haven't tried it. But get yourself a few numbers to VMBs, and just +start hacking codes. (When it asks you to leave the message, enter in your +four or five digit code, and if you're right, you'll get control of it.) +They're all different, though, so it's hard to make generalizations about +VMBs. + + + okay, now what you've all been waiting for HOW TO MAKE FREE FONE CALLS! + + nope. not yet, anyway. Before I get into that, let me explain the two +things every phreaker should know. I don't care what kind of rodent you are, +you should know this. It's for your own safety. + + SO READ THIS!!! + + #1. Trace times. TV has indoctrinated in us the myth that it takes +forever to trace a call. How long do you think it takes to trace a call? +Fill in your answer here _____________. Okay, it's a trick question. ALL +CALLS ARE ALREADY TRACED!!! Every single digit you enter into the fone is +recorded somewhere in the fone company dungeons. Normally, they never check +them. I've heard varying stories of how long they keep these printouts, some +say a couple days, some say months. But if they suspect fraud on a number, +they can just set up a trace for a week, and have the numbers of everyone who +called, as well as the times and the length of the calls. So watch those +local calls from your home fone. When in doubt, use a payfone. + + #2. 800 exception flag. Jimmy Phreaker finds a really good extender +that he hacks the hell out of all month. "Haha, they won't bust me on +950-1087 like everybody else, I'm hacking 1-800-xxx-xxxx!!!" The next month +Jimmy Phreaker comes home to find FBI agents putting his computer in boxes, +and keeping it for six months. What happened? Did his pal SUPERRODENT rat on +him? No, his hacking triggered the 800 exception flag. When you call an +excessive amount of 800 numbers (more than you usally do every month), then a +trouble card shows up at your local fone company with your name and address. +Not good. 800s can also trace fairly easily, btw, though they usually can't +find all your digits.. probably just your area code and exchange. So feel +free to call a few 800 numbers every month, but if you're calling more than 50 +or 100 from your home fone, than you'll proabaly have some explaining to do. + + MAKING FREE FONE CALLS/BEATING THE TRACE + + I've included this together as most ways of making free fone calls also +beat the trace. Here's the main ways to make free fone calls: + + 1. Blue Boxing (Don't try it.) + 2. Stealing Long Distance Services + 3. Using 800 pbxs + 4. using local pbxs + 5. using a pc pursuit outdial + 6. using a telenet outdial + 7. beige boxing + 8. reprogramming a cellular fone + + BTW in all of this, I will assume the phreaker is using his home fone. +There's another section later on making calls when you don't have to worry +about safety, like from a payfone or institution. + +BLUE BOXING - Not worth mentioning, except for the fact that it doesn't work +anymore, and is very dangerous. Don't try it. + +STEALING LONG DISTANCE SERVICES - okay, Joe Q. Salespig is in Miami, and he +wants to make a long distance call. He dials 950-1022, his MCI port number, +and enters in his code and then the number he wants to call. "k-kool", you're +saying, "can I do that?" Sure you can. Get yourself a good extender +(950-1087 is the extender), a template (XXX6XX is a template, and it means the +first 3 digits can be any number, the fourth is a six, and the fifth and sixth +can be any number), and a good code hacking program. Try to hack two ports or +extenders at once for safety. Is it risky? Well... I wouldn't do it. Then +there are some people who have been hacking codes for years with no problems. +Talk to one of them if you want to go this route. + +USING 800 PBXs - Remember my describing the 800 exception flag above? Well, +hacking anything starting with 800 should be avoided at all costs... way too +dangerous. You don't want to trip a BELL trouble card. So don't hack these. +Shouldn't be a big deal to use them though. + +USING LOCAL PBXs - Okay, this is the way to go. Takes a lot of work though. +Every pbx is a little different, but basically you call, dial a 9 or a code + +9, and then you're on THAT COMPANIES fone line. Call anywhere, they get the +bill. Use it sparingly, and you'll have free calls for months. If it's a +flat rate pbx, you can probably use it without a problem. Otherwise they'll +get pissed and change the code when they find you out. Rehack the code, if +you're a dick, or just move on to another pbx. Okay, what's the catch to +local pbxs? Well, you have to find them, which is a pain in the ass. There's +been rumors of a pbx scanner going around, but I haven't seen anything that +works reliably on a hayes compatible. So the only method of finding them is +to leave your computer on with a wardialer program, and sit there and listen. +Find some companies in the fone book with their numbers all grouped together, +and scan a range of likely numbers. Listen for a funny tone, and that may be +the pbx. They also may just give you a dial tone (like you dial... ring... +ring... click... dial tone...). So local pbxs are the way to go, if you can +find them. + +USING A PC PURSUIT OUTDIAL - This is complicated. There's a service called +telenet and it has a service called pc pursuit. If you can access the outdial +modems, you can call most places in the country. To access these you need +either.. + 1. an nui (network user id) (also called PC pursuit id and password) + 2. a method of making non-collect calls, such as a private telenet pad. +Telenet is to big a topic for me to go into in this file, as it is worth at +least a file on it's own, and there's no way I could do it justice here. +maybe in another file. + +USING A TELENET OUTDIAL - Basically you call a computer on telenet, and it +gives you access to it's modem. You csan make calls, and they'll be charged +to this computer. Again, telenet is worth a file of it's own. + +BEIGE BOXING - More ninja shit. You go to somebody's house, and bring your +own fone (or laptop) and splice into their line, and make fone calls that wind +up on their bill. No, you don't have to break into their house, just find a +bell "can", on of those green boxes that say fone company, and bust in. + +REPROGRAMMING YOUR CELLULAR FONE - I don't have a cellular fone, so I don't +know much about this, but cellular fones have a built in ROM which sends the +switching office a certain id. Program it to give other people's ids, and +you're on other people's accounts. Get a vw microbus, bring a laptop, a +cellular phone, and some proms and programmers. Drive cross country picking +up chicks, calling boards, and hacking into computers, all risk free. Sounds +like fun, huh? I have some files on this (reprogramming cellular fones, not +picking up chicks), so if anyone does have a cellular fone, and wants a guy to +drive cross country with, or just some info on making free calls, let me know. + + +PHREAKING WHERE SAFETY ISN'T AN ISSUE + + okay, you're one of those lucky bastards with a laptop, or you have +access to your schools modem, and you know there's no way they can catch you. +Use old codes, that's the best way. Just use them until they die. I call all +my college friends every week with an old 800 pbx I have... perfectly safe, as +long as you do it from a payfone. I've heard of people programming phone +dialers to hack codes from payfones, but I think that's just a rumor. But +feel free to hack 1087s if you're using a laptop form a payfone. There are +lots of good templates around, and safety doesn't mean anything from a +payfone. Just don't use the same one. So if you have a laptop, hack 1087s or +whatever's easiest, and just use the codes until they die. Don't start using +these codes from home though.. stick to payfones. + + + Okay, that's the file. I was pretty general in this file, but I had a +lot of ground to cover. If you want specifics, get in touch with me directly. +I'm always willing to help people. If I screwed up, let me know too. Don't +bug me for codes, though, as I hate that. (That means you, Batman...) + +GREETS!!! - to The Noid for letting me on your board when I was a PD l00zer, +to Basket Case for doing the same, to The Excommunicator and Laughing Gas for +getting me started, to Batman for bugging me for codes every day (don't call +me until you have some information for ME, and stop giving out my info as your +own.), to Coroner for being a nice guy and beating me every time in Global +War, to BaD for taking other people's cracks and putting their name on them +(talk about lame.) + + +GRAFFITI!!! - That gum you like is coming back in style. Al's abortion's, you +rape em, we scrape em. Would you like fries with that? HOMIE DON'T PLAY +THAT! "Yeah, I've been hacking 1087s, what's the big deal?" "Did the dial +tone sound fainter than normal?" "Remember that 3 gig board that was going +up?" Somebody, SHOOT ME!!! "I'm writing ZooMaster." "Just give your hard +drive a good shake, that'll fix it." Bob. So manly he's Danly. + + +I can be reached on the following boards: + The Digital Underground (NAP/PA home) + Hall of Illusion + +(c) 1990 by Weapons Master. You may distribute this file to any baord without +modifications. + diff --git a/textfiles.com/phreak/PHREAKING/rodphk.txt b/textfiles.com/phreak/PHREAKING/rodphk.txt new file mode 100644 index 00000000..c89c7324 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/rodphk.txt @@ -0,0 +1,295 @@ + +HEY KIDZ!!! + +It's the R0DENTS guide to PHREAKING! + + +////////////////////////////////////////////////////////////////////////////// +/ / +/ THE R0DENTS GUIDE TO / +/ PHREAKING! / +/ / +/ by Weapons Master / +/ / +////////////////////////////////////////////////////////////////////////////// + + Feel like a R0DENT because you don't know what a 950 is? Do you pretend +to be ELITE all day and then cry at night as you realize you're just a R0DENT +P0SER? Well, look on the bright side... you'll get the LAST LAUGH when your +friends get BUSTED FOR 950s!!! But if you still want to learn something +anyway, read this file and learn the basics. + +btw this file isn't just for RODENTS, of course, it's for anyone who wants to +learn a little more about phreaking. Just to set something straight, +phreakings not really my thing. I'm a kid programmer who knows a zillion +computer languages. Next, I'm an aspiring hacker. I just picked up phreaking +along the way. However, it seems like every week I get a call from some runt +who wants to know how to phreak, so it seems there's definately a demand for +this sort of thing. And anyway, I don't mind helping runts... how are they +ever going to grow up, give me codes and info, and eventually get BUSTED while +I get off scot free if I don't get them started? + + Hey, another thing, this file isn't going to have too many specifics, so +if you're just gonna scan it for code templates and extenders, don't bother. +Talk to me directly if you want that sort of info. + +okay, so let's say you're really a rodent, and don't even know what phreaking +is. I'll explain phreaking and give some historical background on it. If +you're too cool for this section, go ahead and skipt it, but you'll sure feel +like a T0TAL L00ZER when someone posts "Hey, whatever happened to Captain +Crunch", and you reply "Well, my favorite's the crunchberries." Then you +wonder why you've been given SLUG access on all the elite boards. (That's +where you call, and the only main menu option you can select is 'G' for +goodbye.) + + The original definition of phreaking was "exploring the phone system", +but since it's degenerated into just making free fone calls. I guess a good +working definition of phreaking is 'phone tricks'. + + Phreaking started with Captain Crunch, the cereal. In the late 70s, +Captain Crunch cereal was giving away a whistle in its cereal, one of those +free toys that you get. Well, a group of blind kids learned that the whistle +made a perfect 2600hz tone, and if one of them blew the whistle into the fone, +they could do all sorts of amazing things, such as get free fone calls to +anywhere. They shared this secret with a man named John Draper, who would +from this moment on be called Captain Crunch. He was the first fone phreak. +Not long after the blue box was invented, a box that made several different +tones. Later in life you could find Captain Crunch driving down roads and +pulling up to payfones in his vw bug loaded with electronics equipment, and +just staying there for days at a time, calling places, tapping people's lines +and doing all sorts of arcane things I can't begin to imagine. btw he was +eventually busted for Fone Fraud. + Anyway, lots of people got into the blue box thing.. the founders of +Apple would hold demonstrations in their dorm (before the made the famous +Crapple II) where they would use a blue box and a payfone and box the call +around the world to a payfone right beside them. + btw Blue Boxing doesn't work anymore, so don't rush out and download a +blue box plan. Using a blue box from home is one of the surest ways to have +the Gestapo (Fone police) at your door. Try it next time you're having fone +trouble if you want to get good service... just have a lawyer handy. + So when blue boxing got dangerous, people turned to code hacking. Code +hacking was great, you could just set up a good code hacker all night when you +slept, and have a bunch of codes by morning. Almost noone got caught, and the +phreakers had a field day, making calls wherever they wanted. It wasn't quite +as easy as blue boxing, and you couldn't do quite so many things (such as +tapping people's lines or boxing calls around the world), but it still was +easy. + People may disagree with me, but I think that the code hacking days are +over. Nowadays the companies are getting smarter, and an extender that once +was thought of as safe suddenly busts four people. Sure, there are still some +safe extenders, but you never know which ones they are without putting your +freedom at risk. Nowadays a good pbx is worth its weight in gold, and a +reliable outdial can also do wonders. For those into ninja/espionage shit, +there's also beige boxing, but that's a little much for me. + What's the future? To me it looks like a cellular fone with the rom +reprogrammed. I don't have a cellular fone, but from what I understand, get a +nice supply of proms, and rom programmer, and you'll be making free fone calls +off your cellular fone for years. Unfortunately, it'll be a few years before +most of us can afford a cellular fone. + + + okay, HISTORY LESSON'S OVER. Now let's talk about phreaking. What can +you do with phreaking? + 1. Make free fone calls. (If you didn't know this, please SLAM your +keyboard into your SKULL.) + 2. Get somebody's address and name from their phone number. + 3. Tap other people's fone lines. + 4. Make conference calls. + 5. Take over voice mail boxes. + + I'll discuss each of these briefly, except the first. I'll reserve a +whole section for that. + +GET SOMEONE'S NAME AND ADDRESS FROM THEIR FONE NUMBER + It's called a CNA. CNA stands for customer name and address. Bell has +certain super/secret departments called CNA bureaus. You can call one of +them, and get the name and address for any fone number you want. How do you +find CNA numbers? Get yourself a copy of Professor Falken's Phreak Tools, and +it has a list of them. If the number's out of date, then you're out of luck. +The way it works is there's one number for each area code. + What do you say when you call? I'm not quite sure, but "I'm David Ross +from Customer Service in Detroit. Can you give me the name and address on +xxx-xxxx? Thanks." They may ask you a password. In that case, you're shit +out of luck. But I hear they usually don't. + +TAP OTHER PEOPLE'S FONE LINES + This is ninja shit, hardly phreaking. Build yourself an FM wireless mike, +and go to their house, and install it on the bell box outside their house. I +really haven't tried this, and probably won't, unless I suspect my +girlfriend's cheating on me or something. + +MAKE CONFERENCE CALLS + Simple, call ALIANCE TELECONFERENCING, and tell them you want to make a +conference call. They'll be more than happy to help you. WAIT, but you don't +want to pay for it? Well, use a pbx. More on these below. + +TAKE OVER VOICE MAIL BOXES + Wouldn't it be fun to have a voice mail box (VMB) so all your friends +around the country could leave you messages for free? Well, maybe it would, +but I haven't tried it. But get yourself a few numbers to VMBs, and just +start hacking codes. (When it asks you to leave the message, enter in your +four or five digit code, and if you're right, you'll get control of it.) +They're all different, though, so it's hard to make generalizations about +VMBs. + + + okay, now what you've all been waiting for HOW TO MAKE FREE FONE CALLS! + + nope. not yet, anyway. Before I get into that, let me explain the two +things every phreaker should know. I don't care what kind of rodent you are, +you should know this. It's for your own safety. + + SO READ THIS!!! + + #1. Trace times. TV has indoctrinated in us the myth that it takes +forever to trace a call. How long do you think it takes to trace a call? +Fill in your answer here _____________. Okay, it's a trick question. ALL +CALLS ARE ALREADY TRACED!!! Every single digit you enter into the fone is +recorded somewhere in the fone company dungeons. Normally, they never check +them. I've heard varying stories of how long they keep these printouts, some +say a couple days, some say months. But if they suspect fraud on a number, +they can just set up a trace for a week, and have the numbers of everyone who +called, as well as the times and the length of the calls. So watch those +local calls from your home fone. When in doubt, use a payfone. + + #2. 800 exception flag. Jimmy Phreaker finds a really good extender +that he hacks the hell out of all month. "Haha, they won't bust me on +950-1087 like everybody else, I'm hacking 1-800-xxx-xxxx!!!" The next month +Jimmy Phreaker comes home to find FBI agents putting his computer in boxes, +and keeping it for six months. What happened? Did his pal SUPERRODENT rat on +him? No, his hacking triggered the 800 exception flag. When you call an +excessive amount of 800 numbers (more than you usally do every month), then a +trouble card shows up at your local fone company with your name and address. +Not good. 800s can also trace fairly easily, btw, though they usually can't +find all your digits.. probably just your area code and exchange. So feel +free to call a few 800 numbers every month, but if you're calling more than 50 +or 100 from your home fone, than you'll proabaly have some explaining to do. + + MAKING FREE FONE CALLS/BEATING THE TRACE + + I've included this together as most ways of making free fone calls also +beat the trace. Here's the main ways to make free fone calls: + + 1. Blue Boxing (Don't try it.) + 2. Stealing Long Distance Services + 3. Using 800 pbxs + 4. using local pbxs + 5. using a pc pursuit outdial + 6. using a telenet outdial + 7. beige boxing + 8. reprogramming a cellular fone + + BTW in all of this, I will assume the phreaker is using his home fone. +There's another section later on making calls when you don't have to worry +about safety, like from a payfone or institution. + +BLUE BOXING - Not worth mentioning, except for the fact that it doesn't work +anymore, and is very dangerous. Don't try it. + +STEALING LONG DISTANCE SERVICES - okay, Joe Q. Salespig is in Miami, and he +wants to make a long distance call. He dials 950-1022, his MCI port number, +and enters in his code and then the number he wants to call. "k-kool", you're +saying, "can I do that?" Sure you can. Get yourself a good extender +(950-1087 is the extender), a template (XXX6XX is a template, and it means the +first 3 digits can be any number, the fourth is a six, and the fifth and sixth +can be any number), and a good code hacking program. Try to hack two ports or +extenders at once for safety. Is it risky? Well... I wouldn't do it. Then +there are some people who have been hacking codes for years with no problems. +Talk to one of them if you want to go this route. + +USING 800 PBXs - Remember my describing the 800 exception flag above? Well, +hacking anything starting with 800 should be avoided at all costs... way too +dangerous. You don't want to trip a BELL trouble card. So don't hack these. +Shouldn't be a big deal to use them though. + +USING LOCAL PBXs - Okay, this is the way to go. Takes a lot of work though. +Every pbx is a little different, but basically you call, dial a 9 or a code + +9, and then you're on THAT COMPANIES fone line. Call anywhere, they get the +bill. Use it sparingly, and you'll have free calls for months. If it's a +flat rate pbx, you can probably use it without a problem. Otherwise they'll +get pissed and change the code when they find you out. Rehack the code, if +you're a dick, or just move on to another pbx. Okay, what's the catch to +local pbxs? Well, you have to find them, which is a pain in the ass. There's +been rumors of a pbx scanner going around, but I haven't seen anything that +works reliably on a hayes compatible. So the only method of finding them is +to leave your computer on with a wardialer program, and sit there and listen. +Find some companies in the fone book with their numbers all grouped together, +and scan a range of likely numbers. Listen for a funny tone, and that may be +the pbx. They also may just give you a dial tone (like you dial... ring... +ring... click... dial tone...). So local pbxs are the way to go, if you can +find them. + +USING A PC PURSUIT OUTDIAL - This is complicated. There's a service called +telenet and it has a service called pc pursuit. If you can access the outdial +modems, you can call most places in the country. To access these you need +either.. + 1. an nui (network user id) (also called PC pursuit id and password) + 2. a method of making non-collect calls, such as a private telenet pad. +Telenet is to big a topic for me to go into in this file, as it is worth at +least a file on it's own, and there's no way I could do it justice here. +maybe in another file. + +USING A TELENET OUTDIAL - Basically you call a computer on telenet, and it +gives you access to it's modem. You csan make calls, and they'll be charged +to this computer. Again, telenet is worth a file of it's own. + +BEIGE BOXING - More ninja shit. You go to somebody's house, and bring your +own fone (or laptop) and splice into their line, and make fone calls that wind +up on their bill. No, you don't have to break into their house, just find a +bell "can", on of those green boxes that say fone company, and bust in. + +REPROGRAMMING YOUR CELLULAR FONE - I don't have a cellular fone, so I don't +know much about this, but cellular fones have a built in ROM which sends the +switching office a certain id. Program it to give other people's ids, and +you're on other people's accounts. Get a vw microbus, bring a laptop, a +cellular phone, and some proms and programmers. Drive cross country picking +up chicks, calling boards, and hacking into computers, all risk free. Sounds +like fun, huh? I have some files on this (reprogramming cellular fones, not +picking up chicks), so if anyone does have a cellular fone, and wants a guy to +drive cross country with, or just some info on making free calls, let me know. + + +PHREAKING WHERE SAFETY ISN'T AN ISSUE + okay, you're one of those lucky bastards with a laptop, or you have +access to your schools modem, and you know there's no way they can catch you. +Use old codes, that's the best way. Just use them until they die. I call all +my college friends every week with an old 800 pbx I have... perfectly safe, as +long as you do it from a payfone. I've heard of people programming phone +dialers to hack codes from payfones, but I think that's just a rumor. But +feel free to hack 1087s if you're using a laptop form a payfone. There are +lots of good templates around, and safety doesn't mean anything from a +payfone. Just don't use the same one. So if you have a laptop, hack 1087s or +whatever's easiest, and just use the codes until they die. Don't start using +these codes from home though.. stick to payfones. + + + Okay, that's the file. I was pretty general in this file, but I had a +lot of ground to cover. If you want specifics, get in touch with me directly. +I'm always willing to help people. If I screwed up, let me know too. Don't +bug me for codes, though, as I hate that. (That means you, Batman...) + +GREETS!!! - to The Noid for letting me on your board when I was a PD l00zer, +to Basket Case for doing the same, to The Excommunicator and Laughing Gas for +getting me started, to Batman for bugging me for codes every day (don't call +me until you have some information for ME, and stop giving out my info as your +own.), to Coroner for being a nice guy and beating me every time in Global +War, to BaD for taking other people's cracks and putting their name on them +(talk about lame.) + + +GRAFFITI!!! - That gum you like is coming back in style. Al's abortion's, you +rape em, we scrape em. Would you like fries with that? HOMIE DON'T PLAY +THAT! "Yeah, I've been hacking 1087s, what's the big deal?" "Did the dial +tone sound fainter than normal?" "Remember that 3 gig board that was going +up?" Somebody, SHOOT ME!!! "I'm writing ZooMaster." "Just give your hard +drive a good shake, that'll fix it." Bob. So manly he's Danly. + + +I can be reached on the following boards: + The Digital Underground (NAP/PA home) + Hall of Illusion + +(c) 1990 by Weapons Master. You may distribute this file to any baord without +modifications. + + \ No newline at end of file diff --git a/textfiles.com/phreak/PHREAKING/rodphk1.txt b/textfiles.com/phreak/PHREAKING/rodphk1.txt new file mode 100644 index 00000000..32c03162 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/rodphk1.txt @@ -0,0 +1,295 @@ + +HEY KIDZ!!! + +It's the R0DENTS guide to PHREAKING! + + +////////////////////////////////////////////////////////////////////////////// +/ / +/ THE R0DENTS GUIDE TO / +/ PHREAKING! / +/ / +/ by Weapons Master / +/ / +////////////////////////////////////////////////////////////////////////////// + + Feel like a R0DENT because you don't know what a 950 is? Do you pretend +to be ELITE all day and then cry at night as you realize you're just a R0DENT +P0SER? Well, look on the bright side... you'll get the LAST LAUGH when your +friends get BUSTED FOR 950s!!! But if you still want to learn something +anyway, read this file and learn the basics. + +btw this file isn't just for RODENTS, of course, it's for anyone who wants to +learn a little more about phreaking. Just to set something straight, +phreakings not really my thing. I'm a kid programmer who knows a zillion +computer languages. Next, I'm an aspiring hacker. I just picked up phreaking +along the way. However, it seems like every week I get a call from some runt +who wants to know how to phreak, so it seems there's definately a demand for +this sort of thing. And anyway, I don't mind helping runts... how are they +ever going to grow up, give me codes and info, and eventually get BUSTED while +I get off scot free if I don't get them started? + + Hey, another thing, this file isn't going to have too many specifics, so +if you're just gonna scan it for code templates and extenders, don't bother. +Talk to me directly if you want that sort of info. + +okay, so let's say you're really a rodent, and don't even know what phreaking +is. I'll explain phreaking and give some historical background on it. If +you're too cool for this section, go ahead and skipt it, but you'll sure feel +like a T0TAL L00ZER when someone posts "Hey, whatever happened to Captain +Crunch", and you reply "Well, my favorite's the crunchberries." Then you +wonder why you've been given SLUG access on all the elite boards. (That's +where you call, and the only main menu option you can select is 'G' for +goodbye.) + + The original definition of phreaking was "exploring the phone system", +but since it's degenerated into just making free fone calls. I guess a good +working definition of phreaking is 'phone tricks'. + + Phreaking started with Captain Crunch, the cereal. In the late 70s, +Captain Crunch cereal was giving away a whistle in its cereal, one of those +free toys that you get. Well, a group of blind kids learned that the whistle +made a perfect 2600hz tone, and if one of them blew the whistle into the fone, +they could do all sorts of amazing things, such as get free fone calls to +anywhere. They shared this secret with a man named John Draper, who would +from this moment on be called Captain Crunch. He was the first fone phreak. +Not long after the blue box was invented, a box that made several different +tones. Later in life you could find Captain Crunch driving down roads and +pulling up to payfones in his vw bug loaded with electronics equipment, and +just staying there for days at a time, calling places, tapping people's lines +and doing all sorts of arcane things I can't begin to imagine. btw he was +eventually busted for Fone Fraud. + Anyway, lots of people got into the blue box thing.. the founders of +Apple would hold demonstrations in their dorm (before the made the famous +Crapple II) where they would use a blue box and a payfone and box the call +around the world to a payfone right beside them. + btw Blue Boxing doesn't work anymore, so don't rush out and download a +blue box plan. Using a blue box from home is one of the surest ways to have +the Gestapo (Fone police) at your door. Try it next time you're having fone +trouble if you want to get good service... just have a lawyer handy. + So when blue boxing got dangerous, people turned to code hacking. Code +hacking was great, you could just set up a good code hacker all night when you +slept, and have a bunch of codes by morning. Almost noone got caught, and the +phreakers had a field day, making calls wherever they wanted. It wasn't quite +as easy as blue boxing, and you couldn't do quite so many things (such as +tapping people's lines or boxing calls around the world), but it still was +easy. + People may disagree with me, but I think that the code hacking days are +over. Nowadays the companies are getting smarter, and an extender that once +was thought of as safe suddenly busts four people. Sure, there are still some +safe extenders, but you never know which ones they are without putting your +freedom at risk. Nowadays a good pbx is worth its weight in gold, and a +reliable outdial can also do wonders. For those into ninja/espionage shit, +there's also beige boxing, but that's a little much for me. + What's the future? To me it looks like a cellular fone with the rom +reprogrammed. I don't have a cellular fone, but from what I understand, get a +nice supply of proms, and rom programmer, and you'll be making free fone calls +off your cellular fone for years. Unfortunately, it'll be a few years before +most of us can afford a cellular fone. + + + okay, HISTORY LESSON'S OVER. Now let's talk about phreaking. What can +you do with phreaking? + 1. Make free fone calls. (If you didn't know this, please SLAM your +keyboard into your SKULL.) + 2. Get somebody's address and name from their phone number. + 3. Tap other people's fone lines. + 4. Make conference calls. + 5. Take over voice mail boxes. + + I'll discuss each of these briefly, except the first. I'll reserve a +whole section for that. + +GET SOMEONE'S NAME AND ADDRESS FROM THEIR FONE NUMBER + It's called a CNA. CNA stands for customer name and address. Bell has +certain super/secret departments called CNA bureaus. You can call one of +them, and get the name and address for any fone number you want. How do you +find CNA numbers? Get yourself a copy of Professor Falken's Phreak Tools, and +it has a list of them. If the number's out of date, then you're out of luck. +The way it works is there's one number for each area code. + What do you say when you call? I'm not quite sure, but "I'm David Ross +from Customer Service in Detroit. Can you give me the name and address on +xxx-xxxx? Thanks." They may ask you a password. In that case, you're shit +out of luck. But I hear they usually don't. + +TAP OTHER PEOPLE'S FONE LINES + This is ninja shit, hardly phreaking. Build yourself an FM wireless mike, +and go to their house, and install it on the bell box outside their house. I +really haven't tried this, and probably won't, unless I suspect my +girlfriend's cheating on me or something. + +MAKE CONFERENCE CALLS + Simple, call ALIANCE TELECONFERENCING, and tell them you want to make a +conference call. They'll be more than happy to help you. WAIT, but you don't +want to pay for it? Well, use a pbx. More on these below. + +TAKE OVER VOICE MAIL BOXES + Wouldn't it be fun to have a voice mail box (VMB) so all your friends +around the country could leave you messages for free? Well, maybe it would, +but I haven't tried it. But get yourself a few numbers to VMBs, and just +start hacking codes. (When it asks you to leave the message, enter in your +four or five digit code, and if you're right, you'll get control of it.) +They're all different, though, so it's hard to make generalizations about +VMBs. + + + okay, now what you've all been waiting for HOW TO MAKE FREE FONE CALLS! + + nope. not yet, anyway. Before I get into that, let me explain the two +things every phreaker should know. I don't care what kind of rodent you are, +you should know this. It's for your own safety. + + SO READ THIS!!! + + #1. Trace times. TV has indoctrinated in us the myth that it takes +forever to trace a call. How long do you think it takes to trace a call? +Fill in your answer here _____________. Okay, it's a trick question. ALL +CALLS ARE ALREADY TRACED!!! Every single digit you enter into the fone is +recorded somewhere in the fone company dungeons. Normally, they never check +them. I've heard varying stories of how long they keep these printouts, some +say a couple days, some say months. But if they suspect fraud on a number, +they can just set up a trace for a week, and have the numbers of everyone who +called, as well as the times and the length of the calls. So watch those +local calls from your home fone. When in doubt, use a payfone. + + #2. 800 exception flag. Jimmy Phreaker finds a really good extender +that he hacks the hell out of all month. "Haha, they won't bust me on +950-1087 like everybody else, I'm hacking 1-800-xxx-xxxx!!!" The next month +Jimmy Phreaker comes home to find FBI agents putting his computer in boxes, +and keeping it for six months. What happened? Did his pal SUPERRODENT rat on +him? No, his hacking triggered the 800 exception flag. When you call an +excessive amount of 800 numbers (more than you usally do every month), then a +trouble card shows up at your local fone company with your name and address. +Not good. 800s can also trace fairly easily, btw, though they usually can't +find all your digits.. probably just your area code and exchange. So feel +free to call a few 800 numbers every month, but if you're calling more than 50 +or 100 from your home fone, than you'll proabaly have some explaining to do. + + MAKING FREE FONE CALLS/BEATING THE TRACE + + I've included this together as most ways of making free fone calls also +beat the trace. Here's the main ways to make free fone calls: + + 1. Blue Boxing (Don't try it.) + 2. Stealing Long Distance Services + 3. Using 800 pbxs + 4. using local pbxs + 5. using a pc pursuit outdial + 6. using a telenet outdial + 7. beige boxing + 8. reprogramming a cellular fone + + BTW in all of this, I will assume the phreaker is using his home fone. +There's another section later on making calls when you don't have to worry +about safety, like from a payfone or institution. + +BLUE BOXING - Not worth mentioning, except for the fact that it doesn't work +anymore, and is very dangerous. Don't try it. + +STEALING LONG DISTANCE SERVICES - okay, Joe Q. Salespig is in Miami, and he +wants to make a long distance call. He dials 950-1022, his MCI port number, +and enters in his code and then the number he wants to call. "k-kool", you're +saying, "can I do that?" Sure you can. Get yourself a good extender +(950-1087 is the extender), a template (XXX6XX is a template, and it means the +first 3 digits can be any number, the fourth is a six, and the fifth and sixth +can be any number), and a good code hacking program. Try to hack two ports or +extenders at once for safety. Is it risky? Well... I wouldn't do it. Then +there are some people who have been hacking codes for years with no problems. +Talk to one of them if you want to go this route. + +USING 800 PBXs - Remember my describing the 800 exception flag above? Well, +hacking anything starting with 800 should be avoided at all costs... way too +dangerous. You don't want to trip a BELL trouble card. So don't hack these. +Shouldn't be a big deal to use them though. + +USING LOCAL PBXs - Okay, this is the way to go. Takes a lot of work though. +Every pbx is a little different, but basically you call, dial a 9 or a code + +9, and then you're on THAT COMPANIES fone line. Call anywhere, they get the +bill. Use it sparingly, and you'll have free calls for months. If it's a +flat rate pbx, you can probably use it without a problem. Otherwise they'll +get pissed and change the code when they find you out. Rehack the code, if +you're a dick, or just move on to another pbx. Okay, what's the catch to +local pbxs? Well, you have to find them, which is a pain in the ass. There's +been rumors of a pbx scanner going around, but I haven't seen anything that +works reliably on a hayes compatible. So the only method of finding them is +to leave your computer on with a wardialer program, and sit there and listen. +Find some companies in the fone book with their numbers all grouped together, +and scan a range of likely numbers. Listen for a funny tone, and that may be +the pbx. They also may just give you a dial tone (like you dial... ring... +ring... click... dial tone...). So local pbxs are the way to go, if you can +find them. + +USING A PC PURSUIT OUTDIAL - This is complicated. There's a service called +telenet and it has a service called pc pursuit. If you can access the outdial +modems, you can call most places in the country. To access these you need +either.. + 1. an nui (network user id) (also called PC pursuit id and password) + 2. a method of making non-collect calls, such as a private telenet pad. +Telenet is to big a topic for me to go into in this file, as it is worth at +least a file on it's own, and there's no way I could do it justice here. +maybe in another file. + +USING A TELENET OUTDIAL - Basically you call a computer on telenet, and it +gives you access to it's modem. You csan make calls, and they'll be charged +to this computer. Again, telenet is worth a file of it's own. + +BEIGE BOXING - More ninja shit. You go to somebody's house, and bring your +own fone (or laptop) and splice into their line, and make fone calls that wind +up on their bill. No, you don't have to break into their house, just find a +bell "can", on of those green boxes that say fone company, and bust in. + +REPROGRAMMING YOUR CELLULAR FONE - I don't have a cellular fone, so I don't +know much about this, but cellular fones have a built in ROM which sends the +switching office a certain id. Program it to give other people's ids, and +you're on other people's accounts. Get a vw microbus, bring a laptop, a +cellular phone, and some proms and programmers. Drive cross country picking +up chicks, calling boards, and hacking into computers, all risk free. Sounds +like fun, huh? I have some files on this (reprogramming cellular fones, not +picking up chicks), so if anyone does have a cellular fone, and wants a guy to +drive cross country with, or just some info on making free calls, let me know. + + +PHREAKING WHERE SAFETY ISN'T AN ISSUE + okay, you're one of those lucky bastards with a laptop, or you have +access to your schools modem, and you know there's no way they can catch you. +Use old codes, that's the best way. Just use them until they die. I call all +my college friends every week with an old 800 pbx I have... perfectly safe, as +long as you do it from a payfone. I've heard of people programming phone +dialers to hack codes from payfones, but I think that's just a rumor. But +feel free to hack 1087s if you're using a laptop form a payfone. There are +lots of good templates around, and safety doesn't mean anything from a +payfone. Just don't use the same one. So if you have a laptop, hack 1087s or +whatever's easiest, and just use the codes until they die. Don't start using +these codes from home though.. stick to payfones. + + + Okay, that's the file. I was pretty general in this file, but I had a +lot of ground to cover. If you want specifics, get in touch with me directly. +I'm always willing to help people. If I screwed up, let me know too. Don't +bug me for codes, though, as I hate that. (That means you, Batman...) + +GREETS!!! - to The Noid for letting me on your board when I was a PD l00zer, +to Basket Case for doing the same, to The Excommunicator and Laughing Gas for +getting me started, to Batman for bugging me for codes every day (don't call +me until you have some information for ME, and stop giving out my info as your +own.), to Coroner for being a nice guy and beating me every time in Global +War, to BaD for taking other people's cracks and putting their name on them +(talk about lame.) + + +GRAFFITI!!! - That gum you like is coming back in style. Al's abortion's, you +rape em, we scrape em. Would you like fries with that? HOMIE DON'T PLAY +THAT! "Yeah, I've been hacking 1087s, what's the big deal?" "Did the dial +tone sound fainter than normal?" "Remember that 3 gig board that was going +up?" Somebody, SHOOT ME!!! "I'm writing ZooMaster." "Just give your hard +drive a good shake, that'll fix it." Bob. So manly he's Danly. + + +I can be reached on the following boards: + The Digital Underground (NAP/PA home) + Hall of Illusion + +(c) 1990 by Weapons Master. You may distribute this file to any baord without +modifications. + +  \ No newline at end of file diff --git a/textfiles.com/phreak/PHREAKING/sanatm.txt b/textfiles.com/phreak/PHREAKING/sanatm.txt new file mode 100644 index 00000000..29cd1f9a --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/sanatm.txt @@ -0,0 +1,114 @@ +12/25/90 +-------------------============< SANCTUARY >============------------------- +| | +| -----------==> Town Criers Posting Board <==----------- | +| | +| Just another EXCRETION from the bowels of Sanctuary... | +|_____ City of _____| +| |_____ Beggars, _____| | +| The |_____ Criminals, _____| The | +| Home |_____ and Thieves _____| Hellfire | +| Board of |_____ _____| Bulletin Board | +| Sanctuary |_____________| 1-908-495-3926 | +|_________________________________________________________________________| + CALL IT!!! + +Originally Printed in: +CYBERTEK +The Cyberpunk Technical Journal Issue #4, November/December 1990 +P.O. Box 64, Brewster, NY +10509 +Send $2.50 for sample or ask for details. + +Call The Manta's Lair + 206/361-5742 Sysop: The Black Manta + +This Phile Typed by: Havok Halcyon, Chief Magistrate of the City + of Sanctuary + +I've added in an occasional hint or two in parenthesis to help some of the +more uneducated phreaks understand some of the terms and whatever. + + Those help phones in ATM Machine lobbies can be very useful if you +have to make an emergency phone call. They work on one of two different +ways. The first (and best for us) type is the kind that you pick up the +phone and press a button; which activates an autodialer that calls customer +service. This one generally looks like a regular traditional style wall +phone without a dial and a push button somewhere near the phone instructing +you to press it to get customer service. The second type can either be a +phone, or is sometimes just a handset set into a mounting on the counter +which tells you to pick it up for assistance. There are variations in +appearance with the two types, but the button is the giveaway. + + What you can do with the first type is pick up the phone and not push +the button. You should just get a dialtone like in most regular phone +lines, and you can dial out to anywhere by flashing the switchhook, or if +the line has touchtone service, by using a portable touchtone dialer +available at RADIO SHIT (er..I mean Radio Shack. Also, if you do not know +how to "flash" a switchhook, consult BIOC Agent 003's Tutorials or your +local phreak or phreak oriented BBS.) for $19.95. Some of these phones are +hooked up to the bank's PBX (Private Branch Exchange), in which case you'll +have to dial the extension for an outside line, in most places this is +usually a "9", "99" or something similar. You can sometimes find out if +it's on a PBX by listening to the tones coming out of the autodialer. If +it puts out more than 10 digits (tones), or puts out a couple digits and +pauses before dialing the rest, then it's on a PBX. Of course some +autodialers mute the touch tones so you can't hear them. + + With the second type you can call customer service, and either ask +some stupid question, or say "Sorry, wrong number". When the nice lady +hangs up in MOST cases you will get a dialtone and then you can dial out. +(A lot like when you use a diverter). However if the phone line does not +have touch tone, you are outta luck; as the autodialer is activated by +picking up the phone, the flashing of the switchhook will false start the +autodialer. So, if you can't use your TT(touch tone) pad, your outta luck. + + Getting into ATM lobbies is pretty easy. They use magnetic strip card +access. An ATM card obviously works, as well as credit cards, calling +cards, and anything else with a magnetic strip on the back. The bolts on +the door are often exposed and can be jimmied open. Some of the locking +mechanisms don't even work. + + There are a few things that you have to worry about. The first is +that someone might notice you staying on the phone for an extended period +of time, and get suspicious (This is not a BIG risk because most people +could really care less what you are doing, EXCEPT for those fucking goodie- +two-shoe bitches which want to make a Citizen's Arrest so that they can get +in good with your local PTA). The second is that you run the risk of being +recorded when you are in the lobby. Most ATM lobbies have cameras in them. +Usually the camera is located in the ATM, and only goes on when a +transaction in being made, but some places have 24 hour surveillance +systems. These are usually externally mounted, and quite visible. If you +see a camera in the lobby, don't mess around in there. The other +possibility is that the phone itself could be BUGGED by the bank. +According to law they are supposed to inform you with a beep every ten +seconds, but no one does that anyway (NOTE: The Gestapo [Ma Bell] is +supposed to notify you in the same way if they were bugging you at your +home phone, but they will usually say something like "I was checking the +line to see if everything was ok, and OVERHEARD some criminal dealings". +This is a common way to catch people on the phone, so be careful what you +say on public telephone lines.) You could do a quick look around to see if +you can find anything on the line. If you don't see anything "funny", and +can trace all the wiring, then you are probably safe. All in all, your +best and safest bet is to use an ATM located away from a bank, and one +where you can see the wiring coming from the outside to the phone. Even +then, call only people who'll forget you called right after you hang up. + + +___________________________________________________________________________ +-=> !!!!! STUPID AND RETARDED DISCLAIMER GOES HERE !!!!! <=- +-=> <=- +-=> Dear Government type people, I'm just a plain ol' <=- +-=> irresponsible person. But, you can't prove who wrote <=- +-=> this so up yours. It could be anyone just using my <=- +-=> name. Why, I could even by your boss, or the President <=- +-=> of The United States. ACTUALLY, I AM The President of <=- +-=> The United States. Arrest me PLEASE, before I corrupt <=- +-=> any more young minds!! My name is truthfully GEORGE <=- +-=> BUSH!!! Really, I SWEAR TO GOD!!!!! (heheheh) <=- +-=>_____________________________________________________________________<=- + + +Call the boards and get Cybertek. They're all cool. +Peace and Reggae Music to all. Later muchachos... + diff --git a/textfiles.com/phreak/PHREAKING/scam.txt b/textfiles.com/phreak/PHREAKING/scam.txt new file mode 100644 index 00000000..f9555187 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/scam.txt @@ -0,0 +1,32 @@ +Phreaker Scams + +Every business should be aware that there has been an outbreak of +attempted telephone fraud which targets PBX systems. Some +of the more frequently used tactics to breach the systems include: + +1. An outside caller pretending to be a telephone maintenance technician +reaches a victims extension and asks the victim to participate in a +test of the telephone line or the touch tones by dialing 9-0-# or 9-0-0 +and then hang-up; DON'T DO IT! This is an attempt by the phreaker to +connect to an outside line operator and get long-distance access from +your business's extension and thus your company would be charged for the long +distance calls. + +2. Another way for the would-be phreaker to get fraudulent access to a toll +operator is to call into an extension and, pretending to have reached +the wrong number, ask the person to transfer the call to an extension +beginning with 9-0 or 9-0-0, e.g., 9001, 9015, 9027, etc. DON'T DO IT! + +Beware of any forwarding or call transfer request from a caller you +don't know. Never agree to a transfer request or to participate in a +telephone "test" if it includes as a first digit an outside line access +number. + +Most of these scams target businesses and not residential customers so don't be afraid +little kiddies. + + +** For Informational purposes only ** + +Do not try this at home kids...because the person you call will be on that business's COLLECT +call record. *duH* \ No newline at end of file diff --git a/textfiles.com/phreak/PHREAKING/tap-int.1 b/textfiles.com/phreak/PHREAKING/tap-int.1 new file mode 100644 index 00000000..83735de6 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/tap-int.1 @@ -0,0 +1,725 @@ +(: {Interview's & Conversations} :) +:) {with famous phreaks/hackers} (: +(: by The Infiltrator :) + +From the WHAT IS THIS AND WHO ARE YOU department. + +This is a series of files about conversations I have had with some of the +better known phreaks and hackers in the NY area, specifically those that I met +at TAP. I was a regular at TAP until everyone but the "950 Kode Kids", Richard +and Agent 6 left. Richard for those uneducated enough to not know, is Chesire +Cat, and 6 and a group of 60's throwbacks are the new regulars. The old group +has more or less become extinct. (Chesire and 6 were also the old group, but +the people who left are the ones who counted, and I used to go there to listen +to. Now I don't go anymore eithr.) TAP used to be the publication and the Fri. +night meetings. For the last 2 years its been just the meetings, since the +newsletter stopped being published. + +During those 2 years there have been a small group of individuals who I thought +to be the most interesting to talk to at the time. Central among those: Tuc (on +the few occasions he did show up there), Lord Digital and Paul Maud'dib. I +also met a large number of losers with large opinions of themselves. Central +among those: Broadway Hacker (I think, the only person I really learned to +consistantly disklike at TAP while he was there.), The Surge (on his few guest +appearances.), MadMan, Criminal Element, The Phantom and others. +People that passed through for a day or two included: +Big Brother : Thought himself very funny, nobody spoke with him and I guess +feeling embarassed, he left after about 2 hours of talking to the only person +who came with him. +BIOC Agent 003 : Very businesslike, carries a briefcase filled with 500 xerox +copies of everything, which he freely hands out. Altogether a nice guy, if a +bit weird. +Sharp Razor : Typical LOD members, heavily opinionated about everyone and +everything in the world, mostly offensive to people there, unless they were +some of the previously mentioned regulars, who he would kiss up to, only to +call them losers the moment they left the table. +King Blotto : He seemed like a nice person who knew what he was talking about, +fit right into greenwich village since he came sporting multi-colored hair and +a bicycle chain for a belt. Have to wonder what people think of him back in the +midwest. +The 950 kode kids : This group includes, The Ninja NYC, Ginn Fizz, The Jackel, +and a grouping of others that come and go. +And a large group of people I refer to as "LODITES in training", typically 14- +21 yr olds carrying around 50 lbs of manuals they promptly turned over to the +cheif LODdy present. These included: X-Man, The Knipper, Doctor Who (who now +hates LOD i think.) and other less noticables. + +Who am I? I'm a 19 year old Hunter College student, who started attending the +weekly meetings to learn how to make free phone calls or "be a phreak" and +learned what being a "real phreak" was all about during my 2 years there. This +is just a text file from some of my notes, the "interviews" when they appear +were done with a tape recoder (walkman) I had turned on and hooked to a mic +under my collar. The the people being recorded had no knowledge of this fact. +All the quotes are word for word reproductions of what was said. There is no +professional formatting, or fancy text graphics, just some notes slapped +together on what I have heard along with my comments. I also would not consider +any of the mentioned peolpe my friends, rather people I grew to know and have +good conversations with over the Friday nights. You cannot call someone your +friend if you essentially know nothing about them and are basically untrusted. + +Conversation with Chesire Catalyst (Held at TAP.) +{Chesire is the ex-editor and publisher of TAP.} +(Me: is what i said, An: is what he answered, this is usually about 5 minutes +into a otherwise "normal" conversation. Richard is about 6' tall, black hair & +beard, look like he should have been a truck driver instead of a phreak.) + +ME: So is there any chance of TAP coming back together? +AN: Not by me, I don't have the time, or the funds. It never made me any money + it was more of a public service that I can't afford to do anymore. +ME: Wasn't someone else supposed to take it over? +AN: Yes, Tuc was going to take it, but that's on hold right now, it doesn't + really look like it's going to happen though. With 2600 gone also, there is + nothing there to take the space of TAP at the present time. +ME: So it looks as if TAP has died after all these years? +AN: Well TAP isn't that easy to kill! I'm sure it will re-surface in one form + or another sometime in the next decade. +ME: Oh good, I have something to look forward to in the 90's. What about you? + Do you still phreak or what do you do for a living now? +AN: Oh no, I was much to closely related with the magazine to do any of that + any more. I give lectures on security and appear on talk shows and seminars + that concern our hobby. I'm also a technical consultant for various firms. +ME: Ok, thanks. + +Convo with Tuc: (Held at TAP) +{Tuc is a phone phreak/hacker I have taked to on and off over the last 2 years + he has matured from a fat over-exertive person, into a normal human being who + is nice to talk to.} +(Tuc is about 6'1", used to be fat but has thinned out in the last year, black +hair, no beard, about 20 I'd guesstimate, I never asked him.) + +ME: You look good, lost a lot of weight. +AN: Thanks, I gained a lot of it in college on the junk food. +ME: How'd you manage to lose it? +AN: Took up jogging and lost it again. +ME: Ok, So what is happening with Fargo 4a now? +AN: We plan to go on a member drive and regroup. +ME: Do you actually have any hopes of it coming together? +AN: Well it's more of just something to do for fun, it won't be that hard to + get into the club at this time. +ME: What do you think of the current phreak world compared to the one of say + 2 years ago? +AN: Well everyone hates everyone now, there is no unity, there is only endless + war and threats and disorganazation. Mostly there are people who don't want + to learn anything, but only wish to join a large group and spend the rest + of their time signing it under their handle. +ME: Like LOD +AN: Like LOD +ME: Are you a member of LOD? +AN: No, I'm not and never will be. +ME: What do you think of LOD? +AN: I really can't say anything about that, but I'm not a member, that should + speak for something. +ME: Ok, I understand. Who else here do you consider to be any good? +AN: Well there is Paul and LD, that's about it, if you mean people in our own + underground. They (Meaning richard, agent 6, and others) are also very good + in certain areas and know a lot. +{At "they" he meant chesire cat and others. Paul and LD refer to Paul Maud'dib + and Lord Digital} +ME: Well thank's for your time + +Convo with Lord Digital: {Held in the computer section of B.Dalton's on 15th +st. In NY, about 9 months after the last time I saw him at TAP. He has seemed +to also mature, from a "I'm god, Fuck you" attitude, into a more easy going +human being.} +(Lord Digital is about 6'1", was pear shaped the last time I saw him, seems +to have lost a good 50 lbs. He has black hair, is the only person I have met +in my life who consistantly wears a tie and designer shirts. If you know what +Steve Jobs or Rob Lowe look like, you know what LD looks like.) + +ME: Hey, almost didn't recognize you, lost a lot of weight. +AN: Hum, who're you? +ME: TAP remember? +AN: Oh right, Ok I remember you now. +ME: How'd you manage to lose so much weight so fast? +AN: Took up Shotokan. +ME: ? Karate? +AN: Yeah, subset thereof, more mind over mind/body control though. +ME: Oh, walk over fire and kill people and all that? +AN: Nooooooo, the kill people is just a sort of anti-thesis to acupuncture, + hurt instead of heal, etc. Just knowledge of where to hit and why. As + for anything else, it's up to you to decide. Forget it. +ME: Subject dropped. Saw your story in Sundays businessweek, congratulations. +{One of his companies was profiled in a business section of a local paper, I + know it's name because I brought a 1200 modem from him a year ago.} +AN: Aha, thanks. It's not a big deal, that paper isn't exactly the Times and + the yearly growth was just normal. Only thing that turned them on was that + we started it when I was 15 & he was 17. Sort of '2 local kids make big + bucks in computer enterprize!'. +ME: Well better then I'm doing. Speaking of that, have you seen all the loser + files going around? Your name appears on 1 or 2 of them. +AN: Yeah I was shown one of them, only thing I recall was being pissed as + having my role model listed as Donald Trump. The least they could have + done was given me a decent person I supposedly worship, like Mark Rich. +ME: Who? +AN: Sigh, nevermind. Suffice to say, most of it are the delusions of some bored + 14 yr. old Loser. In order to know all this about everyone, I would guess + one of Carl's idiot friends, or someone like Eric. I Don't know or care. +ME: Then it was correct? +AN: No, but the geographic locations were fairly accurate, so were a lot of + things the typical rodent would not know. There were a lot of errors, but + what it comes down to is; how does this cretin know anything about me to + begin with? answer; he talks with someone I talk to. Probably Carl, but + who really gives a shit, I don't. +ME: Carl as in Criminal Element? Isn't he a loser? +AN: Yeah, CE, well I have no comment's as to what he may or may not know about + phreaking, I am friends with Carl, it's not like Hi! CE!!?, This is LD!!!! + got some cool info? If he knows something or not, doesn't really matter. + He knows enough people that DO know what they're doing, that he doesn't + need to know something if he doesn't care. So effectively speaking he has + access to a large amount of information. +ME: And he doesn't? +AN: Talk to him about it, not me. Only thing that bothers me is the large loser + ratio he speaks with. Wouldn't matter in itself, except these people turn + around distort everything and write C000l Text philez about it. +ME: Like when you were busted and 'died' last year? +AN: Yeah, I've never been busted, nor have I died lately. +ME: Well I know from what people have told me that your father is well off, but + is any of that in the file true? Do you make a lot of money? +AN: Well why would you care? I really don't have any comments about anything + that links my personna to my real ventures. But let's put it this way, if + you have 50k and saturate penny stocks that you know are going to go up, + then you have to be brain dead to not make at least 500% of your investment + every year. However this is all paper, if you liquidize then your broker + gets a slice, taxes throw out half the rest and if you're legally a minor + then even more gets chopped since your parents have to co-sign all that. +ME: I'm not familliar with all that, what about Blue Chip stock? +AN: That's something to use instead of a bank, IBM, WANG, are rock. Nothing + they do will ever have any kind of substantial loss. AT&T more or less + the same. NYNEX also became worth a lot more since diversiture. +ME: Ok, sorry to intrude, I'd really like to ask you about a subject that + generates a lot of interest these days. Phantom Access. Is it real or what? +AN: Hahaha, swell. Yeah it's real. +ME: Care to elaborate? +AN: Ok, the name itself "Phantom Access", is now the registered trademark of a + third party who thought it was nice and wanted exclusive rights to it. The + name, not the programs. The programs are, if you can imagine something like + a small Dbase III related to modem usage and file integration. These are + for the Apple with a Cat, there are a lot of versions, I don't really know + who has what at this point, I basically told my friends that they are free + to do whatever they want with them. +ME: Are there any other versions for other machines or what did you mean by lot + of versions? +AN: Well mine uses mousetext, windows, 256K, clock, hard disk, 212 card and + an optional 2400 modem. The simplest version uses 1 disk drive, 40 columns + and a ][+ with 48k. There are versions for the Amiga, I was never involved + with the Mac, I never had an interest in the machine, the programs for it + were by someone else. +ME: Paul Maud'dib? +AN: No comment +ME: Ok, no problem. What exactly does it do? and why did you write it and why + all the secrecy? +AN: Ok, I just thought of everything I might want a hacker to do. By hacker I + mean in a global sense Telecom Expert System, not a code finder for Sprint. + There was a small pre-processor I did that had about 50 commands added to + basic, like tone generation, wait, test, else, endif, etc, states. Then I + went ahead and did a full fledged hacker, it will literally hack anything + ever devised. It's excellent and apparently no-one has ever thought of + many of the functions. I mean just in the last year have audio-test hackers + come out for the cat. We were doing this 4 years ago. The primary reason + for some of the techniques in it, were to insure no high-profiles on + digital switching systems. Then I wrote an intelligent scanner that worked + with the hackers, then an ascii hacker. +ME: Yes, sounds great. You might be interested, just lately there has been a + ascii hacker made by others. Hackamatic I think. +AN: Yeah I know, i've seen it. Actually ascii hackers have been out for + a long time, just they aren't distributed. Originally I had planned some + thing much like it, but made to work with the hackers & scanner, faster and + less kludgey. But I talked about it with Paul, he just said Wrong, dumb + move, use pattern matching, make it intelligent, not something slow and + useless. At the time I was 15, I though Huffman code & godelization of + text files were just swell and Unix was god. I was unfamilliar with any + real AI techniqes or langauges. So I went out and read some of Knuth's + books, learned lisp and some prolog, and about 2 weeks later came up with + something much better. +ME: How good is Paul, really? +AN: That's a difficult question, in comparision to what you'd call phreaks or + hackers, he is much better. But that's not saying much. +ME: How would you catagorize yourself? +AN: I wouldn't, I don't seek to be integrated into whatever structure they + have set up. +ME: Ok, in comparison to their structures, how would you say you and Paul + would fit it? +AN: Better then 99%, there is always the unknown 1% that someone might be doing + something that would just blow me away. I doubt it, but it's possible and + it's happened before. Also, I wouldn't catogarize myself with Paul, he has + greater general knowledge of some fields that I don't. And visa versa, so + it works out well. During the final writing of the hacker though, it was + really helpful to be able to read 50 different things, see how to mix them + into the 1 thing I needed, and then talk it over with him, usually I can + come up with something he never thought of and he points out stupid moves + on my part. And suggests improvments. +ME: Who are the 1% that impressed you? +AN: Nobody well known, usually just people I'd meet in obscure places, like + some kid I met at an electronics store, who walked out and said, hey those + look like parts for a blue box. I just started talking to him, and after + a few minutes, got the impression that he was either totaly confused or + lying. Then I found out his father is a SCC switchman. So I ended up with + several feet of manuals, 100's of dialups for things in nyc, and gave him + some cosmos manuals which he wanted. It ws very profitable from my end of + it anyway. +ME: I always wondered were all that came from. +AN: ha, yeah, well you can trash from now until 1990, or you can just order the + fucking things from AT&T, I'm on their mailing lists with a maildrop as a + TIRM director. They just keep sending more and more junk. +ME: What did the SCC guy teach you about? +AN: Various things, and cleared up a lot of misconceptions about ANI and how + it actually works, auto-verify, things like that, which I really didn't + know the answers to. He had it as sort of a hobby as well, he was on some + cosmos kick, and I helped him out, so he was grateful. He also had an apple + and to most normal people, you mention free software, and they get this + happy expression. Future 40 yr. old new wares kids being born. +ME: Speaking of that, what do you think of the pirate world? To my knowledge + you are one of the only phreaks to ever be in any large pirate group. +{Apple Mafia} +AN: Well that wasn't through any real involement. I just happened to be friends + with a lot of the people and at the time it was a new idea. (A group), so I + said why not. +ME: What do you think of pirates? did you crack software? +AN: Hahahahaha, yeah dude, I crack the latest!. No, sorry, I don't mean to + insult pirates, just I find it hard to take anyone involved in an endless + cycle of getting new wares, in any kind of serious perspective. I mean Ok, + when I first thought of all the software I could have for free, it was like + being let loose in the vault of bank, or a 7 yr old in a toy store. Whether + people admit it or not, they are new wares kids at first. But also being + realistic, you discover that 95% of all software is useless to you, ok it + might be good for something, but why do *I* need it? the rest is just trash + period. Then there's the 5% I use. I outgrew piracy in about 2 months, most + normal people do as well. Or they become crackers and start cranking out + the wares. +ME: What do you think of the crackers? +AN: It varies, I can understand being interested in programming and protection + schemes, but to actually waste all that time on cracking garbage, just to + get losers to idolize you is pathetic. +ME: Do you still talk to any of the pirates? +AN: Not really, the pirates I talked to are largely gone from the pirate world + as I said, most people outgrow it. If you mean people who were pirates that + I talk to, then there's Zero Page, Mr. Xerox, etc. I mean a LOT of people + WERE pirates, but that doesn't really mean anything at this point, I WAS + a pirate, everyone who has ever gotten software for free was/is a pirate. +ME: Ok, I mean people who are cracking right now, do you talk to any of them? +AN: Not really, most of them came into existance a very short time ago, And I + have no reason to talk to them or associate with them. +ME: So you don't get new software anymore? +AN: Yeah I do, a friend of mine brings over a box ever week or so, usually it + ends up as 20 blank sides, but sometimes there is something decent out in + apple software. I mean I DO use AppleWorks and some new utilities. There's + no reason to not use machines I allready own. +ME: Can you say who you still DO talk to? +AN: Well I suppose it doesn't really matter, Captain Avatar, who I think is now + calling himself Skip Rooney, or some such name. Sigh. +ME: In other word's idiot's. +AN: No, not really, he's just someone who likes software, good for him, who am + I to say that he shouldn't like it? +ME: True I guess, what about crackers? +AN: I think he does crack, I don't know/care. I also know Gadget Master. +ME: How did you meet him? People regard him as a big loser who mis-cracks wares + that are copya. +AN: I don't know and as I've said, I really don't care, I first talked to him + a few years ago when I was still aware of the pirate world, he started out + in something like late '83 I think. He's ok as a person, I really couldn't + care less if the new wares kids love him or hate him. As far as I know he + does it for himself, not for the benefit of others. So what other people + think of him is inconsequential. +ME: Where do you think the pirate world has gone lately, and about the sides + forming in both worlds? +AN: Well as far as I'm told the pirate world has gone downhill a LOT, I don't + know. As far as hatred, most phreaks regard pirates as lowlifes who have + nothing to do with their time. Which is to an extent true. Pirates regard + phreaks as code abusers and losers who cannot program. Which is also to + an extent true, at least of the newer phreaks. It is really easy to + become well known for having essentially no skills, it's like, what do you +-- more -- + + + know? I know Tuc!. That's just keen, WHAT do you know? I just told you, I + know Tuc, I even know where he lives, and am joining a new super elite + board tomorrow! I'm cool!. Everything seems to be cyclical, building up + to it's absolute zenith at late '83, with the ending of securityland and + the original OSUNY. Everything thereonward has been less impressive then + that which came before it, I mean Sherwood Forest (The original run by + Magnetic Surfer {The TKOS board}) was good, Plovernet was good, LOD was + good. But they still did not compare, everything usually disintegrated + into people quoting manuals at each other and a bunch of "We're the + eliteist people in the whole universe" patting each other on the back + kind of messages on the club subs. +ME: So your saying no-one really knows that much? +AN: No, not at all, there are many competant people out there, but compared to + just about any professional we didn't have that much knowledge. Most hackers + have a basic understaning of more OS's then the average DP person will ever + have to learn, but no concrete knowledge of how it works. Usually someone + will specialize in 1 OS and the other people in the group will handle the + others, so it works out more or less. But phreaking is different, OS's are + easy to learn because there is a lot of easily accessible published doc- + umentation available on it. Technical AT&T manuals usually constitute + trade secrets, and are hard to get. Or WERE had to get, now I have almost + infinite access. But I'm talking about the average phreak who knows what + he is doing. As opposed to the average elite poser, who can quote every + # to every "elite" 1 drive board in the univere, and every word of every + file ever written backwards and forwards, yet fail to understand anything. + The poser won't care about the knowledge, just how his name ranks in comp- + arision with other elite posers. +ME: So what do you think of LOD and people like Blotto, I think that from some + of the messages I've seen posted Mr. Xerox contends they are complete + losers? +AN: Well I don't know, I'm not familliar with the group LOD or even if it + exists anymore. +ME: What about Blotto? and blottoland, were you also on the LOD club board? + I've heard that you also don't like Blotto? +AN: I don't even know Blotto, it's hard to dislike someone you have never + spoken with. I have no idea as to his skill, but assume he is competant + in whatever he is doing. +ME: Do you KNOW ABOUT Blotto and newsweek? and what about the boards? +AN: I only know about Blotto through Paul, from what I know he is ok as a + person, I know nothing of his skill or lack thereof. I was on LOD when + it opened in March of '84, or April, whatever. I called a few times, then + didn't call back for about 6 months, by then I think the # had changed + 3 times. I've seen the final LOD club only board, since Paul was still + a member {Paul quit LOD}, and remote sysop of it, it wasn't impressive, + but it wasn't bad either. The same for Blottoland. As for Newsweek, I + don't know why he's being hassled about it, HE didn't have any say on + anything as I recall. If the elite posers had reacted unlike idiot's + for a change nothing would have happened, just another story. Instead of + that they threatened his life, his wifes life, and the next week, boom + prime time "hackers threaten life of Richard Sandza" The original article + became a series of articles, ad infinitum. As for the other newsweek crap, + I would sum it up as losers getting caught and trying to cash in on the + media coverage. It's like "hey I'm lame, I just go busted, why not get on + TV at least?". Hardly people who qualify as any kind of spokespeople for + hackers or phreaks. +ME: What about the phreaks and pirates who appeared on TV also? +AN: If that's what you want, it's easy. Media people love you, I mean you + know Mike {11 news reporter who shows up at TAP.}, you agree to appear + on TV, next day, your on TV, and have 45 seconds to say anything you want + to say, complete with shadowmask, voicemask, free lunch, rides, and a vhs + of the show, and any other shows that you want. The only people he has been + able to convince are the local code mongers, if you remember he asked to + NOT have a shadow or voice mask, so his friends could see his face on TV. + Gosh mom look! +ME: So what do you think of current boards and new phreaks? Also why are you + no longer on boards? Oh yeah, also what was Metronet? +AN: Geez, lot's of questions, ok 1985 has been the year of the radical ultra + elite private board with cool software and spinning cursors and filters, + and users/sysops composed of idiots. EVERY loser in the world with 2 drives + is putting up a elite private board. In a way it's amusing, but sad too. + New phreaks usually start as inexperianced and move into the status of full + time elite posers. Ask yourself this: why do people call boards? To gain + knowledge, talk to their peers, ask questions of better phreaks and to form + radical elite groups! Now as it stands, they will never find anything other + then losers who claim to be something they are not. They believe that all + knowledge is hidden in the elite g-sections of all the best boards. Which + is of course bullshit, frequently the people who transcribed the manuals + managed to fuck it up along the way, didn't even understand it themselves + but just copied it word for word from somwhere. It's easy to run into a + person somewhere and say something involving their latest file, and they + will just look at you and ask what you're talking about. They wrote it yet + dont' understand it, actually let me take they back, they copied it and + fail to understand it. I no longer call boards because I have no reason + to call them. There is nothing out there I need to learn, no-one I need to + talk to, the only people I would talk to on boards, I call voice. So why + call boards? Just for a good laugh maybe, that's about it. +ME: You're saying that no-one out there know's more then you? And what about + metronet. +AN: No, not in the least, everyone knows more about a given subject that is + their specialty then someone else does. But what it comes down to, is + that if I DID want to learn something, I would not call a board or any + thing of the sort. I would get a manual on it and learn it. End of story. + If at the point I wanted some additional tips, I'd call a friend and ask. + As for Metronet, I was simply friends with Terminus, I have no idea why + he freaked out, insulted everyone, took his board down and dissapeared. + But I haven't spoken with him since he was in Paris sometime last May. +ME: Ok, what about the quality of files, where would you suggest a new phreak + start out? And how did you start out? +AN: Argh, again the long questions. I have to get going in a minute, but Ok. + The quality of new files is shit, nothing usefull is being written, I've + seen some of the newer files, it's like, are these people joking or what? + 101 way to spell leech, how to be a phreak, the real pirates guide, a guide + to hacking/phreaking/carding/anything, and they are all total shit. I mean + if people regard these as testimonials on how to card or whatever, then its + no wonder so many of them get busted. Where to start, well go to Shadio + Rack, and buy: understanding telephone electronics. Then get ahold of Don's + files, read and understand them. I KNOW, everyone says they are innacurate, + and plagerised or whatever. But what did they want him to do? make it up + as he went along? of course it has to be simillar with something. The fact + is, even though there are some mistakes, 95% of the text is extremely use- + ful for begginers. No-One has to this date done better job. For specialisd + knowledge you can branch off to files that deal with hat subject matter. + For example: Blue Boxing is covered in about 50 files at any given time, + but the best and most technically correct ones are probably those by Tabas. + I started out, as you put it. When I was about 6, my father was a nuclear + physicist before getting into business. And used to work for NCAR. (Natnl + Center of something or another.) They were one of the first 3 organazations + to get a Cray-1 and I hung around and started doing thing like running + stupid little programs on punch cards through it. I was supposed to just + run their's through, but in reality I could do whatever I wanted to. So I + had fun. Everything I did until 1979 dealt with mainframes. Then someone + introduced me to an Apple, and I ended up hanging around with Magnetic + Surfer (Old phreak). Who also had an apple, running with a casette tape & + a micromodem II. It was fun, there were like 30 boards out then PERIOD. + It was sort of the begining of everything, Rather nice. +ME: How old are you anyway? +AN: Old... almost 18 +ME: Whew, well compared to a lot of people out there your quite young. +AN: It depends. There's a point where you reach a level that you can really do + just about anything. It's not 1 set of skills, but combine a phreak, a + hacker and a pirate, into 1 person. And that person is effectively unstop- + able. He can do just about anything he wants to. But at that point you + usually decide what course you want your life to take. You can easily + become a sucessful computer criminal. Or you can enter the real world with + a host of extra skills that give you an incredible edge over anyone in the + information age. +ME: So what do you think of all the "Elite" 19-25 year olds still out there? +AN: Well, if people started later, then they might still be there at that age, + or they might just enjoy calling boards & joining things just for the fun of + it. If on the other hand they have been into it for 5 years and are still + serious about the entire Rad K000l I'm Elite, cycle, then they are either + complete social outcasts, or losers. If at that point you find that having + some kid in Pig's Knuckle Idaho, idolize you. Is the most important part + of your life, then you have some serious problems. I wish them the best of + luck, and may they all eventually grow up and get real lives. +ME: That sounds about right. Also what did you mean by "can do anything" you + mean get at any information? +AN: Yeah. +ME: With Phantom Access? +AN: Nooo, look Phantom Access is nice, it's good tool, but I only need so many + codes for so many systems. I set it up for 1 night, and have enough codes + to last 5 years. I have no use for a scanner unless I am looking for some + thing particular in a specific ANC. And there are much eaisier ways of + getting a PW then setting up a hacker. They are all essentially toys. + Granted, they are very nice toys, but it's much faster to socially eng- + ineer whatever you might need. I no longer play with systems just for + the hell of it, unless I am in the process of learning them, in which case + I get a real account from my local ACM office. +ME: But why a combination of the three? +AN: Ok, simple, it's a deadly combination. Security people are used to dealing + with hackers, ok make the OS as bulletproof as possible, let's assume they + miraculously achive perfection. Secure system. Now the weak link is users, + it HAS to have users to access the information. So now the weak link is + their pw's. A pirate can program his machine to do anything he wants it to + do, since he is presumably adept enough to write whatever quickie hacker + he might need for the situation. So now you begin to play with getting an + account from one of the users, what is another weak link? the phone lines + themselves. On mechanical systems it's more of a hassle, but still within + reason, but on digital systems it's one large software program with all + kinds of neat functions. +ME: Right, you and Paul are the leading experts on ESS I hear. I see, the above + seems logical, no security could stop that. Also did you write some kind of + single modem data trap? or was that another rumor? +AN: Geez, lot's of rumor's, yeah a while ago. The cat is an incredible modem, + however most people don't comprehend it's power, pirates just think it's + a cheap 202. Argh. +ME: Yes, I have one. It's nice. There was one thing I always meant to ask you: + how do you feel about all this? I mean do you have any moral considerations + at all? +AN: Lovely, this is really getting odd. No, I don't. Morality is a useless and + essentally outdated value. Of course it has it's place, something has to + hold society together I suppose, But that's neither here or now. Personally + I subscribe to the stainless steel rat way of thinking, in short, if it + results in the death of another person, it's wrong, whatever you might want + to define as wrong. Anything short of that doesn't matter. There's just + People and the universe, the universe doesn't care, so do anything you want + to do. It's people who create right and wrong, no-one else. +ME: So why didn't you take the Computer criminal's choice when you had it? +AN: Haha, it's not something I have one chance at, it's just a way of looking + at things. Why should I risk myself on doing this action, if I am caught + & in cases of emmbezlement, etc, it' not if, it's WHEN. Then i get to flee + the country or go to trial, for some trivial sum, that may seem like a lot + of money to me now, but will be loose change 2 years from now. So it's + more a question of practicality, why bother? When I can make 100 times it + legally and not worry? America is a capitalistic country, anyone with half + a mind and an idea can make large sums of money. +ME: So you are retiring from the phreaking world? +AN: Look, am I IN the phreaking world? No, It's just a set of skills I'm glad + I gained, and can use to my advantage in the world. +ME: So all the board's, everything, it's just so much shit? +AN: In a word YES. People get bored, they need something to do, when it comes + down to it, it's fun for a while, for it's own sake. I'm eliter then you + are, I'm a k-k000l dude, and so on. It's a game, like anything else. The + only losers are people caught in an endless loop of calling boards, and + collecting useless information they will never use. +ME: Much like TAP? +AN: Much like TAP. Really, it just comes down to a group of people with a + common interest in theoretical applications of technology. They're info- + maniacs, but will NEVER apply their knowledge to anything. I think it + was Don who appended 'Knowledge is power', to 'The Sucesfull aplication + of knowledge, is power'. Knowing everything about everything, is useless + unless it's applied to something. +ME: Is that why you no longer go to TAP? +AN: There's no reason to, I went there primarily to talk to Paul, I talk to + Paul anyway, why waste my Friday nights? +ME: He doesn't go anymore either. +AN: Yeah I know. +ME: Do you ever wonder about all the new people out there just starting out who + will never make it to any point worth mentioning. Since anyone who is any + good has more or less left? +AN: No I don't. I really don't care, anyone who has an interest will eventually + realize that the answers he wants can be found in just about any local lib- + rary. Not all the answers, but a start. Boards are a social medium, you go + there to talk to people, they don't serve any real purpose at this time. +ME: Question, do you, or did you ever run a board or boards? +AN: Yeah I did, it was more an excercise in programming then anything else. + Then I had a small board written in C up on my local Unix account, just + to see how it would work out. Multi-lines, etc. and about 20 megs + allocated to my use, it was amusing. +ME: Was this an open board? +AN: No, just friends. +ME: Will you ever run an open board again? +AN: I never did and I have no reason to, I will be a consultant for a company + starting next year, which will have a board up, on which I will be remote, + but it won't be a phreak board. Like I've said, I have no use for calling + one, even less use for putting one up. +ME: So what kind of board will it be? +AN: Some sort of multi-user mini-LAN. I don't really know, nor care. +ME: Are you still the Dungeon Master on one of the multi-user role playing + systems? +AN: Yes +ME: Is there anywhere you can be reached? +AN: It varies, I have account on CIS and STC on and off to see what's going + on in the sigs. I'm also going to be on Qantum-Net. (Amiga Developers sig) +ME: Speaking of which, how far did you get on the Amiga Phantom Access? +AN: On the Apple I have it to a point where it can run as a self-contained + expert system I can tell it what to do, and it can go off and do it + for a day, or a week. But as I said, it's essentially useless to me. I'll + probably finish the Amiga version sometime early in '86. C is C, and I can + write infinite libraries of functions, but I need information on hardware + interfacing, the manual's that come with the Amiga suck, the $100 hardware + manual is fluff. I should be getting the developer's pack in the mail some + time this week, that's RamWhack, a Debugger, several really necessary utils + & 3,000 pages. So that should end my problems. +ME: How do you find it? +AN: The Amiga? It's a nice toy, however the OS has some serious problems, the + keyboard is lousy, the monitor sucks. But overall in hardware I'd give it a + 7 on a scale of 1 to 10, 1 being a C64, 10 being a Xerox Dandelion, Apollo, + or Sun wrkstn. It's amazing FOR THE PRICE. But otherwise, as I said, + a nice toy, nothing more. +ME: Will it include some kind of normal terminal program? +AN: Yeah, Terminal program with buffer's, macro's. Only not AE type of macro's + more like a shellscript that can take variable occurances into account and + act upon them. Terminal emulation, Xmodem, Ymodem, Kermit, B Band, Vidtex + and a X.PC & MNP, for the CCITT22, etc. +ME: How do you find it? 2400 baud that is? +AN: Well 2400bps is not that big a deal, you need perfect lines, if you don't + have them then you either get garbage or X.PC or MNP kick in, correct it, + and slow the effective speed down. It's more of a fad then anything else, + it's not going to overtake 212, I mean look at TeleByte 10,000bps, then + someone else has 19,200bps and it just goes on and on, I doubt anything + will replace 212 as a standard in the US. For file tranfers it will just + keep getting faster and faster with specialized equipment. +ME: By the way, on a completely different topic, are you back in school yet? +AN: No, Possibly in Jan. of '86, probably in Sep. '86. And if everything goes + the way I want it to, then I'll quit in Dec. And never return. +ME: Why would you quit MIT? +AN: Why not? No-one's left there, Richard is gone (RMS), everyone else is gone, + I wouldn't be there to have fun at this point, but rather to pick up a + degree. +ME: I wondred about that, why not pick up a degree? Correct me if I'm wrong but + from what i've been told you graduated high school when you turned 16, and + managed to get 1580 on the SAT. Why throw it away? +AN: Throw what away? Why get a degree? to throw onto a resume' and to get a + dead end 30-40k a year job working for someone else, no fucking way. +ME: 30-40K doesn't sound bad to me. +AN: It's not, but then again it's not much. And I have this thing about doing + underpaid work that makes my employers more money then I make. Forget it. +ME: So why go for those 3 months at all? +AN: Oh, the usual reasons. My father wants me to go, the moment I enter my + trust funds escalate and I get more money. +ME: So the only reason you're going is to get money? +AN: Yeah. +ME: Speaking of college, isn't Paul a Cal-Tech. dropout? +AN: Talk to him about it, No comment. +ME: Ok, just I've talked to some of the other people at TAP and heard that. I + understand if you don't want to say anything. What do you think of the + other people at TAP? +AN: I don't, no-one is there anymore. +ME: Can I just ask one thing about Mr. Xerox? From his messages that I saw on + the World of Cryton, he is very opinionated, going as far as to say that + LOD is garage, Blotto is a windbag and making degradory remarks about all + the other LOD members. +AN: Well Xerox knows what he's doing, if he knows them and says they're losers, + then they very well might be. I don't know them, so I can't really agree or + disagree with him. +ME: Well let me put it this way, I know it won't happen, but let's say that for + whatever reason you wanted to put together a group to accomplish any given + goal. Who would you want in it? +AN: Well it's not going to help you very much for me to answer it, since you + wouldn't be familliar with most of the people. +ME: Ok, just theoretically, who? +AN: Well, the people that you'd know: Paul and Xerox, then everybody else would + be local friends who have some particular specialties that would be useful. +ME: Such as? +AN: Ok, 1 person who knows locks, alarms, security systems, sensor's, and high + intensity lasers, one who designs computers and knows hardware perfectly, + one that's into explosives, detonators, acid's, nerve gasses, etc, Hum 3 + people that fully comprehend a large range of micro's, 1 of my father's + programmer's, who doesn't have any moral or legal problems with dealing in + whatever situation might come up, and 2 other friends for various reasons. +ME: So 12 people including yourself. What about apprecntices or people to do + things for the group that you don't want to do yourself. Isn't it common + practice to get kids who are minor to pick up things like carded purchases? +AN: I have no comment's on that, except to say I don't card. What people over- + look is that I live in NYC and through friends have access to an infinite + number of lowlifes. +ME: You mean petty criminals? +AN: Not even that, just lowlifes. They don't cost anything material, one of + the things they most value is blue boxes & international codes so they can + call the motherland and talk to their parents or set up drug shipments or + whatever. +ME: So for some codes or a box they'll do anything? +AN: More or less, the only hard part is getting accepted in their little world, + I have no desire to, nor do I have to, since one of my friends is. +ME: So you have a large group of people willing to do anything. Must be great. +AN: To an extent, but not really. Most of them are complete idiot's, not able + to memorize anything. However the upside is that the only thing they care + about is where their next fix is coming from, so give 10 codes and they'll + do anything. Give them a gram of dust and they'll kill their mother. +ME: Are you serious? +AN: Well no, the going rate to hit someone is 2 grams of coke, or $200, which + is the street price for 2 grams of coke. One of their ongoing jokes is how + white people go out and spend $20,000 on a profesional assassin to kill + their annoying wife for alimony or something and he fucks it up, when they + could go to the local street corner and have a junkie do anything for 200 + bucks. Which is true. +ME: And your involved in this? +AN: Nooo, I never deal with them, I dont hate anyone or want anyone killed, + they're just a large group of people that can be cheaply brought for any + service you want done, they are hardly professional, but can carry boxes + as well as anyone else. Personally I find them pathetic, but what do I + care. +ME: Ok, makes sense. Well is there anywhere you can be reached? +AN: Not really, the people that I want to talk to have my #'s. I don't call any + boards. So.... Well I'll be reachable in Feb. '86, on 1 board in nyc. But + until then, anyone who really has to reach me can leave a message with + someone who knows me, a lot of my friends aren't that hard to reach. +ME: Ok, thanks a lot for your time! + +{} + +Some things that need to be said. All the (,{,< or whatever,are my own comments +not made by the people who were tlkin. Many of these conversation happened over +a longer time period. The one with Lord Digital lasted about 10 minutes of real +time, but as you can see the file is a lot longer. The one's with Chesire and +Tuc lasted about 3 minutes each. I have longer tapes of Tuc, but he didn't have +too many interesting things to say at the time. I also have many of Paul Maudib +which will cover part 2 of this file. This will be out as soon as I get some +more time to type it all in. Alltogether I have about 5 hours of tapes of convo +s with 50 people. I also have more tapes of Tuc and Lord Digital. If anyone is +interested in all of this, then I will type them up as time permits. Everything +has been typed in as accurately as possible. But some parts have been cut, you +obviously can't walk up to someone and start questioning them just like that, +all the small talk has not been included, just the interesting parts. But +remember, text files have a way of getting HUGE. The actualy convo with Lord +Digital lasted 10 minutes, what has been transcribed here would have taken +less then 4 minutes of real time. The other 2 took about 45 seconds each. So +this is a lot of typing to do for me. But if people show enough interest then +I will be willing to do it. I also have about 20 hours of conferences. Some +of them are total wastes of time, but some of them are interesting. I am also +willing to type these up, but mostly they are just a large group of people +yelling and screaming about nothing. Not exactly interesting reading. I also +want to point out that none of the people on any of the tapes knew that I +was making recordings, since I don't go to TAP anymore they can be just as +mad as me as they want to. I don't really think any of them would care, with +the exception of the 950 kode kids who don't like being exposed for being the +losers that they are. + +{} (C) 1985 by The Infiltrator. All right's reserved. {} + + diff --git a/textfiles.com/phreak/PHREAKING/tap-int.2.1 b/textfiles.com/phreak/PHREAKING/tap-int.2.1 new file mode 100644 index 00000000..9487c220 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/tap-int.2.1 @@ -0,0 +1,292 @@ + +^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^ +^* *^ +^* Tap.Interviews II *^ +^* The Infiltrater *^ +^* *^ +^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^ + +Ok, I might as well reveal myself to you all now. I am really Sharp +razor of LOD fame. In this file I am interviewing Lex Luther, we can +get to see what the REAL Lex is like. Here we are: + +ME:Hey Vinny, whats up? +AN:Hey dude, whats that? Hey, thats a nice walkman let me see... +ME: NO! Get away from it. I... sorry... its just that I'm +protective about my walkman... +AN:Ok, I understand. +ME:So Vinny, tell me about yout latest files. +AN:You want to know about my files! $Ok!$I typed in 183 more$manuals into $LOD$ +$text-files. Some$preety good stuff$to. +ME:Um, how come when you talk with all these '$'s? +$AN$:$And I'm gonna$type 54$more...What? oh, sorry, I always get like that +when I talk about my ELITE files... So what were you saying? +ME:Ok, I understand, anyway whats going on in LOD lately? +AN:$LOD$!Well$ we... oh... sorry... um, LOD is doing fine, we have created +our own little world of Elite BBSs. All of them are LOD only, you should see +the incredible info, so many codes! And we have succeded in populating +these ELITE $LOD$, um I mean Elite LOD boards with complete know-nothings. +ME:Sounds preety Elite. Oh shit, my walkman... hold on.. *&&%^&*PIYHIOYB +C)*UAJHFD"LF.... ok, fixed it... So, is LOD's Public relations going? +AN:Elite... Totally ELite, everyone loves us, its great... people who know +A LOT more than us, tell us everything they know about phreak/hack, all +we do is out them through our filter to get info out of them... Its Elite... +ME:Cool, I've heard a lot of rumours going around lately about your +accomplishments, could you tell me about them? +AN:Well to start with, some people are trying to take away my credit for +inventing the blue box. I mean, you think Joe Engressia did it by himself? +He was fucking blind! I told him what to do. Of course, I gave ole' +Al Bell that idea about using acid to the get the telephone to work. +Of course, that never could have happened if I hadn't invented the light +bulb, I don't know why I gave Edison the credit... You know those rumours +that I wrote all of Shakesphere's works aren't true. Lets just say I +dictated... I don't know though, sometimes I think I should have given +my military advice to the turks instead of Alexander the Great... About +the pc world though, the Woz and I are good friends, I did him a favour +once, gave away a computer I had invented, but I didn't like to much, +some thingy with a 6502, um... Apple 2 I think he called it. Of course +after that I went on and made that other computer, the one with the +8088, uh, pc something they called it... And then - +ME:OK! Enough, I'm running out of tape - uh, I mean time, I gotta go... +I have some typing to do... +AN:Oh, really? on what? +ME:Oh, just a little file, you know... + +$Well$dudes$you$just$read$a$very$Elite$interview$!!! + +And now an interview with Executive Hacker, of CEO + +ME:Hey dude, how's The Chief Executive Officers? +AN:Well, we just wrote some more about our opinions on everything +technical, ever.... +ME:Oh, I hear you've been kinda out of the BBS world except to release your +files? +AN:Oh, well, not really, we stay in touch... +ME:Hey, by the way do you have Ultima IV docs? +AN:Haha, very funny. +ME:What do you mean "very funny"? +AN:I meant no one even has Ultima IV, much less the docs, when do you think +it will be released? +ME:um, exec, Ultima IV has been around a few months.. seriously... +AN:WHAT?!?! You're kidding?!?!?! +ME:Look, forget it, back to our discussion, I heard you were running a board +on Tele-cat software? +AN:Ult. IV!? released? What? Oh, I think The Byte should be releasing +version 1.0 of that program soon. +ME:um, exec, its... oh forget it. You said you stayed in touch, with who? +AN:Oh, no one special... well, actually Corprate Criminal... and... no one. +ME:Oh, Corprate Criminal of CEO? +AN:Yes +ME:So, who else is in CEO? +AN:Corprate Criminal. +ME:And? +AN:ME. +ME:And? +AN:Well, thats about all.. in fact, that is all. +ME:Ok, I gotta run now, nice talking to ya... +AN:Later, is Ult. IV really released yet? forget it. +ME:later... + + +Ok, in case you're too stupid, what I am trying to say is that LOD is a group +of egotistical fools, and CEO, even though they know a lot(all 2 of them) +don't know whats going on... + +later... +Don't you just love the Elites? I do, in fact, I love them so much that: + +--------------------------------THE ELITE FILE--------------------------------- + June 2nd, 1986 +Ok, I have just read the "SpecElite 1980-85" disk and I writing partially +in response to it, but also because the things I am going to say have been +building up inside me for a long time. + +To start, "The Doc", who is the sysop of SpecElite claims to be "Elite" all +over the place. He tells us of the hard way to "Eliteness" and how he finally +learned the ropes of Piracy. Very funny. The first thing I would like to +establish, before I go any further is that Piracy is not a "skill" not a +"talent" and takes no effort. Kraking is another matter and takes a slight +amount of skill, but to call Aes and Cfurs and "distribute warez!", which +is what most of out present "Elites" do, means nothing. The Doctor has no +programing skills, no hacking talent, and no phreaking knowledge, his main +claim to fame is that he used to run a kool cat-fur/Pirate BBS(he claims it +was the first!HA!). It is so easy to become Elite now, with all these low +I.Q. new warez kids running aroung, who are looking for pirates to ass +kiss it is relatively easy to build up a following. Now I won't get into +the "To spot a rodent look for 'K00l' and 'C0dezz'" syndrome which so +many people writing rodent files are doing, seriously its the people that +concern themselves with that type of thing that are assholes (then why am +I wasting my time doing this?).note:here "Elite", means Elite Pirate, +not Elite phreak. I would also like to mention that people +that make garbage wares, (ie: take-1 movies, parrot songdisks, and other +no-skill/talent necessary items) are the lowest, they are just out to get +their name better known in piracy. And, whatever you do, don't respect me +for writing this... +Lets take a case that just came to my mind... +for instance, "Monty Python" of 516. Monty started out in Oct. 85(yes! 85!) +as "Hockey Nut". Wow, he was a total moron, posting about snoppy and whatnot +on boards. Ok, so then he changed his handle to "Monty Python" and put +up The Flying Circus Ae, which later became a BBS. Monty had his BBS up for +a few weeks, when he decided he was ready to be *ELITE*. Ok, his board had +been pitiful, with D&D games, etc. Well, the Elite board was even worse, +the new user p.w was NONE. Ok, this was an Apple-net, what is the usually new +-user login? Exactly, but Monty insisted that it was a p/w he had put in. +In fact he actually posted on boards "New user p/w:None". Well he met Taran +King of the 2600 club (No way associated with 2600 magazine), and got in +(it was because he was a sysop). Anyway, to make a long story short, he +got on a few phreak board, was on Stronghold East *ELITE*, and posted a +notice retiring from the "phreak world". As far as I'm concerned he was +never in it. Back to SpecElite though, I know you were all iritated by +the 'SpecElite [###-###-####]' well the # is 213-391-6835. who cares... +Anyway I am supposed to be telling what I think about modems, eh... In my +*ELITE* opinion, if you put up a transfer board, and especially an "Elite only" +transfer board(cough, cough, Blackwater..) you are an asshole. Pirating is +total crap, every lose loves to post his theory on why the wares stopped +flowing, who cares? I got my modem in June '84, now back then... well actually +when I think about it it sucked. It was when all the k00l California pirates +were emerging and when pirating was at its peak. Today, its a lot worse +and lible to become more so. All these Elite boards are popping up all over +all "$LOD$: Invitation only".HA! SpecElite is the worst, to get on you have to +"know someone from the Spectrum." I talked with the doc, and he knows NOTHING! +What should I talk about now... hm... +Why don't I talk about my hometown scene for a while, NYC... I believe a lot +of you have heard of TAP meetings, Chesire Catalyst, the same guy who +founded TAP mag., holds them(call 212-JOY-LILY for more info). Anyway, Today +, as you have probably heard from "TAP.INTERVIEWS" the meetings have +degenerated, Chesire is a tired old man, Broadway Hacker, who is an +obnoxious slob anyway, stopped going, the "950 codes kids" Ninja NYC +and his pals have mostly moved on, thought NYC still attends. Ok Ninja +is, at 17 yrs. old, a complete criminal, the guy has stolen everything you +can think of, I'd love to see what he has hidden under his bed... The +two Sigmunds Frauds also attend(they are partners) one is an skinny +asshole who has an earing and the other I never spoke to, but he is the one +who supposedly does all the bbs calling. There is also some friend of +Ninja's who works for Northern Telcom. Ok, then there is Number 6, this guy +is about 40ish, but from what I have heard is AWESOME, really knows boxes, +etc. is supposed to be working on some new box which traces calls. +There is some young guy with a French accent who always smiles, and +some middle aged fag who is always talking. Then there is MARK! Yes Mark, +though he tries to be friendly, people try to stay away. He works as +a Camera man, but is working on his locksmith license (knows EVERYTHING about +lockpicking). He is slightly (very) unbalanced mentally, and always very +confused. He is teased constantly but tolerated. There are also a few +less important people, such as "Sid" some greasy kid who is proud to have +had a $1700+ fone bill because he thought he was using a divertor. +Right now, they are generally a motley bunch. Also they get kicked out +of restaurants frequently now, and are now down to meeting at Burger King. + How pitiful... Another thing about NY, you guys have all heard of +Lord Digital? And Phantom Access? Well LD used to have a cult following +in NY, it was very funny, you should have seen some of the rumours, +such as the "screamer" an apple-cat program that could blow up another +modem by emiting a 9600 baud carrier, sure... Also He and Paul Maud'ib +got killed a few times, arrested, went bankrupt, made a fortune, and several +other minor things... About Phantom Access, ok by now we have confirmed +that it does exist, only whoever has it isn't giving it out, I don't have it, +and I dont' know anyone who does. I can't understand how it wasn't given out! +What kind of rodents kept it secret? Well don't fret I am going to write +my own hacker/scanner, etc in C language (LD would be proud, he supposedly +loves C). Ahh... What I really want to say any how is that unless you +really love computers and telephones, I mean are really dedicated to them, then +I hope your modem blows up. The age of Hackers has passed because everyone +has gotten a computer to use for word processors, etc. I am very young and +I really love programming and learning about computers and when I look to +find kindred spirt, I find the likes of "Monty Python". I still have more to +say though. I would like to talk about Phrack, TWCB, Stronghold East, Private +Sector, 2600 and some other things. +Actually, all I have to say about TWCB, is that they are child molesters, +who promised to re-publish TAP, but are in jail now so it doesn't look to +likely that they will. They got busted for carding, and are incredible +delinquents. I also talked to Bootleg, and he said that are never ever +going to publish TAP, they were never serious about it in the first place, +and are just a bunch of stupid kids. +Also, Phrack really sucks, if any of you know anything about anything +technical you know that the plagerize ALL their stuff off Telephony magazines +and books, and they don't understand the stuff themselves. It great to read +if you want to end up feeling very melancholy about life. They also reject +anything original and not plagerized (I know from experience). Also Taran +King is a loser, his father beat him up and the police had to drag him +away, nice work. His board, Metalshop Elite(ha!) is awful, I am on it +, and its really sad. Another work of Fart is Stronghold East, the +Sysop, the "Equilizer" is scared to touch his board, "The Slayer" runs +it for him, and won't let anyone on who he thinks doesn't know about +the latest PBX, or whatever rodent nonsense. I said I would talk about +2600 magazine, well it sucks, it never was any good, Private Sector sucks +also. Many people don't know this, but PS always did suck, I have buffers +of it and it was mostly "codes" messages (ie: "Got sum metroz?"). +Their only merit is that they are very militant about phreak's rights, and +sysop's rights to have what they want on their boards, nice work in that +respect. As for phreaking on the Private Sector, forget it, its garbage... +Some other boards worthy of mention, are The Inner View, and The Jailhouse, +I chose these because they are prime examples of shit. To begin with, The Inner +View (617-632-9330) is ALL codes, people ask such burning questions as: +"Can I make Blue Box tones with my micromodem?" "Does Sprint really Trace?" +,"How do you start a Confrence?" and "Is Coca-Cola a good contraceptive?" +The Sysop takes it all very seriously and has even selected a panel of 7 +people to judge who is c00l enough to get on the board. +Another doozie is The Jailhouse(305-788-6354), on this one, you get post +only access to the phreak subs (their are 5. why? don't ask me, the sysop +is a turd). You have to post some of "The latest phreak info" first to get +read access. Obviously the sysop has been mislead, what he wants is PBX's +so he can start confrences. He doesn't understand that a phreak board consists +of a technical disscussion of telephony, not "phreak info". +Also, The Speed Demon Elite (415-522-3074) is another good one, the +sysop devoted half the bbs to music, has a limit of 10 messages per +sub, and calls it "Elite only" <> +I could on for ages, if you really want to see what goes on, call some +of the BBSs in NYC, wow! What GARBAGE! Its all warez!1!11! and my +favorite: The War Board! How many of you have seen a war board? This +invention was a step backwards for homo sapien... +Here people prove themselves at "ragging". Many people consider this a +skill, I had the pleasure of d/loading the e-mail volume from a board called +the forge, and while looking through it, I saw some very intresting things. +People were having disscussions through e-mail about who was good at wars. +somewhere along the line, rodents have picked up the idea that you can "win" a +modem war. How? Its hard enough to fight one, I mean what do you do? Throw +names at each other, well actually, if you really want to know, thats exactly +what you do. <>. I have seen people I thought were cool actually take +modem wars seriously, its amazing, let me tell you about a real encounter I +had with some loser. Somehow, he decided he wanted to "war" with me. So +he posted a message declaring war. Well when I didn't bother to respond, +he got even more excited, and started his "ragging", well for a few monthes, +this guy actually, in his own demented mind thought he was "hurting" me +by posting on the war board, that I really cared, he simply couldn't +believe me when I said I don't care, he still thinks I'm scarred of his +"ragging" abilities(after all he might rag me out dude!). +Hmm, what else do I have to say. The Infiltrator, author of +TAP.INTERVIEWS, some think he is actually Sharp Razor, ah that brings +me to my next subject, LOD... As we all know, LOD stands for Legion +of Doom, and was founded by Lex Luthor. I won't go into the whole +shpiel about their history, I assume you've heard most of it. Anyway, +I will say that they started their own little world of know-nothings +and made it Elite, they and TKOS will be the basis for the next Elite group +, but I shouldn't leak about that now. LOD's main claim to fame is that +Lex types up shitloads of manuals and plasters LOD all over them. Getting +published in 2600 every other month probably helps also. Another emerging +group CEO, isn't as ridiculous as LOD, I mean the memebers know a lot, and +write intelligent stuff, the only problem is, as far as I can tell its made +up of 2 people! Executive Hacker, and Corprate Criminal, not much of a group +even if these 2 do stack up better than the entire LOD. I think I should say +now, before I forget, that if you want to get in touch with me, post a +message about it on Draco Tavern (707-745-5805), you get instant validation, +so thats why I'm using it for mail. Something funny which relates to LOD, +I should tell you about, is a a very funny case of people impresonating +Lex and King Blotto. The Weseal (alias Nap. Bonaparte, John Mulligan) +was running a board, when I called up, said I was Lex, and offered to +take over the board and make it Elite. I called pretending I was +several LOD members, including Blotto, and I even sent him tc //+ software +which was ready for him to put up. The sofware had LOD, written all over +it, and the kid actually put it up. As far as I know, it may still be +up, call at 212-535-2389. +well, by now I am draging this a bit to far, I would just like to say that +Adventurer's Tavern always sucked, it was a shit pirate board, even on my first +call back in early '84, it was nonsense. Sherwood Forest ][ was a great one, +very huge, and very easy to get on. I remember some rodent Disk Raper thought +that they were running the board on a black box, 'cuz the # didn't show up +on his bill, funny... + + +later +The Infiltrator - Ok, I admit it, I'm not really The Infiltrator(HEHE!)... +p.s: I just wannt scream and shout, I have so many stories to tell, about +so many people, the modem world was immense but not always intense, +Atom: Write a 1985 loser file, please... diff --git a/textfiles.com/phreak/PHREAKING/tap-int.2.2 b/textfiles.com/phreak/PHREAKING/tap-int.2.2 new file mode 100644 index 00000000..bd9ee806 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/tap-int.2.2 @@ -0,0 +1,495 @@ +Hello people! Ever remember reading a file and seeing this?: + +^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^ +^* *^ +^* Tap.Interviews II *^ +^* The Infiltrater *^ +^* *^ +^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^ + +Well, welcome to the sequel! Actually, originally Tap2 was just the second +half, you may remember after the interviews I started with "The Elite File", +well this is part II! Now lets formally introduce this file: + +%/%/%/%/%/%/%/%/%/%/%/%/%/%/%/%The Elite File II%/%/%/%/%/%/%/%/%/%/%/%/%/%/%/% +Written, Produced and Directed by Dead Lord. Starring The Doc and the whole +t0tally Elite crowd from SpecElitePosers. +------------------------------------------------------------------------------- + +Introduction: +Now that that's settled I can get right into the writing. As you know I wrote +Tap.Interviews II also, and before I get into this I'd like to excuse myself +for it. Actually I found out that Taran King is actually a pretty cool and +together frood. There were also a lot of rumors going around about a +conflict between myself and Tap, don't believe it, right now I'm on good terms +with many of them. Now, let me make apparent the general gist the rest of the +file will take. I am throughly pissed at piracy, The Doc, and his whole +SpecElite Nonsense, so I will be devoting the rest of this file to rewording +that concept as many different ways as possible, without you actually noticing +the redundancy. It will be quite a task, but I think I can do it. . + +The kind of main body of the file type of secton: +Well, here we are in the main body kinda bit, so I guess I'd better start +talking so I can get in everything I have to say before it gets to be the +conclusion already. You see, I read that Elite's Anyonymous thing a few +monthes ago and it really pissed me. I reread it a few days ago and it sparked +renewed intrest on my part to write a response. This is a bit late, but +the 'ware' never got much distribution anyway so most people didn't see it(I +hope). From talking to people who have been on the Spectrum, talking to The +Doc himself, and reading his little files, I've come to throughly deplore him. +Why? Well The Doc is a firm believer that he is elite and a firm believer in +the theory of "Eliteness by Association". He believes himself to be "Elite" +even though he's never done shit that matters. Lets look at how k-radical +his history of SpecElite is, take special note of The Docs writing style, +I'd estimate it to be around the 2nd grade level... + +HISTORY OF THE SPECTRUM BBS +--------------------------- + + It all started back in 1980 when I put up: 'The Doc's Domain'. It was +a Networks based bbs. Well, in fact, it was Pirate's Mountain. I modified to +my own likes and put it up. Road Runner (the creator of Pirate's Mountain) +obviously got upset, and told me to take it down. I gradually learned more +and more about bulletin board systems.. Doc's Domain was somewhat popular. +It was public, and all the losers were on. I thought it was kool at the time; +however, I soon learned what the 'pirate world' was all about. The people +back then who I associated with were, Micro Ghoul, Tim Tam, the Saint, Green +Manalishi, Snack Attack, the Hoopty, the Swami, Road Runner, and the I.C. Tim +Tam was the one I respected the most. But the biggest influences of my 'road +to eliteness' was Snack Attack and unfortunately, Green Manalishi. I soon got +in my first club which I think was I/N/T/E/N/S/E.. Chief Okoboji and Midway +Hawker were the ones who put me in. Midway Hawker was really cool, and was +the biggest influence in getting me in. Soon after I/N/T/E/N/S/E, Green +Manalishi and I became good friends. He formed a group called the +Incorrigibles and put me in, under one condition...only if I put up an +incorrigible based system with other cool users. This was the beginning of +the Spectrum ELITE. I was very happy to get accepted to a group of elites +such as Ali Baba, the Saint, the I.C., the Cog, etc..etc. Now to make a long +story short.. After Doc's Domain went down I put up a gbbs system for +the first time. I started from original gbbs dos 3.3 and modified that sucker +as best as I could. I got the name, the Spectrum from Philadelphia 76'ers +arena.. then my friend pushed me to use that for a bbs. I did, and it turned +out to be very successful. The public spectrum went okay.. I do not remember +all of it. Soon, I got in Incorrigibles and changed it to SPECELITE. This +was gbbs based (No Modules back then). Pretty wierd. I then learned more +aboud 'm0dz' and soon the SpecElite became one of the most modified gbbs's in +the country. I then got the idea for basketball and this is what really made +the specelite genuine. I soon had many, many cool users and of course all +this time it was private. At one point (the Peak of the SpecElite).. I was +getting 63 new messages a day (63 was the average!) I think the highest was +75 or something. One Eye, and the Cog were my most active users at the time. +My best poster was the Camel Jockey (I'm almost sure). My computer then +burned out, and I had to take the board down for a month or so.. Soon the +Black Market elite was formed and that bbs became somewhat popular. (Of +course Black market started public also - Contact Night Owl for the history of +BME). I then went on a long summer vacation to Hawaii and the board was down +for quite long time. Black Market Elite became very popular and SpecElite +was falling. I then came back, and put the board back up. It went pretty +good. For a long time, it was SpecElite and Black Market Elite...and during +all this, the Tavern Elite had always been up. I guess SpecElite was the 2nd +elite board ever up. When the SpecElite had 63 new messages a day, I believe +at that time, it was the best board in the country. Well, I soon put cat-fur +in my bbs, an became somewhat of a 'pirate'. Then the elites were dying all +of a sudden. And I took down the board..put up a pubic system called the Dark +Realm and made some money and also thought it was a pretty cool bbs. I soon +got really sick and tired of the local losers so I put the SpecElite back up. +When it did go back up.. it was some-what semi-elite. And soon it was crashed +for the first time. I also was getting sick of computers anyways, so I put up +my retirement notice on the Tavern, and there seemed to be the END of the +SpecElite, and me! What happened then? Well I had a better life +without all the computer crap. Well, tragedy struck.. My girlfriend broke up +with me, my boss fired me, and tennis season was over. What was I to do? I +was bored off my ass. I then figured.. I want to call some board see what's +going on with the 'pirate world'. However, my modem was not working, so I +immediately borrowed a modem from a friend (which I have now). He never uses +it, so therefore I think I will have it for awhile. I then started calling +around.. I decided, 'what the hell?' and put the SPECELITE back up.. Calling +it SpecElite //, the Next Dynasty. This is where I am today. I figure the +SpecElite // should be up for quite a long time, since it's going pretty +well... Even if I get a job, girlfriend, and play some sport.. I believe I can +handle running a board. This new board is ProDOS based, and really is easy to +run. I guess that's just a brief summary of the Spec history and me. Hope +you liked +it.. + +the Doc/Elites Anonymous/SpeCrue +author of the Spectrum Bulletin +board systems. (Dos 3.3, ProDOS). + +Wow! Talk about going around in circles. The Doc must have taken his board +up and down more times than anyone. A basic analysis of the above is that +The Doc is outlining everything he's every done with his modem, and we are +supposed to somehow think of him as a model. He then has the gall to proclaim +his board to be the greatest at certain times and to be the second elite board +ever. Wow! But wait, there's still more! The Doc also tells us about how +he 'learned about the pirate world' and got into his local bunch of 13-year +old kids who had modems group. What we are looking at here is a prime +example of someone who holds the 'pirate world' in respect. Let me tell you +what the 'pirate world' is then, just so we can get our definitions straight. +You see, the pirate world is a bunch of kids who can't program(The Doc), can't +hack(The Doc) and don't know the first thing about Telecom(The Doc). So what +is it that these kids do with their modems? How do they live out their +wargames fantasies when they have no skill, talent or motivation? Easy! They +can get the latest wares and be a pirate! Some of them even go on to read +the much revered 'Kracowitz krakfiles' and become what they worship most, a +kraker! Everyone loves krakers, thanks to these highest of the high in our +little 'pirate world' all the elites can get the latest wares! Oh what a +blessing they are! Its a shame that though a few krakers have gone on to show +actually proficiency in programming, to krak a game 95% of the time's a snap. +5% of the time you are even required to know some assembly language!!! Now, +I can understand, despite its simplicity, holding those who krak games as +"Elite", but most of the denziens of the 'pirate world' can't(The Doc), most +are just new wares kids who run around bragging about their association with +XYZ Kraking group. Most of the discussion has become "Well the Bunnymen are +having a war with DG over who will release Ultima XVII. Since I distribute +for LSD, I blah, blah, blah...". Lets look at this next bit of text, oh, and +by the way if you're wondering how I got these files off the disk, after five +minutes of poking around, I realized the the VTOC had been moved to track $11 +from track $0B. Real tough protection as you can see, just move it back. +The Doc is extremely proud of his koolness, and says so, lets take a look at +some of the choice bits from the next part, which is The Doc's biography of + +'The Untouchables'. I've left out all the nonsense about the different +members, I'm going to analyze each of the paragraphs as we go along: + + The Untouchables was formed by +Damien the Dreaded and Zero Page. They +met on Pirates Inn which was the third +pirate board in existance! (The first +and second were: Pirates Harbor, and +Pirates Cove). +[ Ok, so he starts out with a little bit about his heroes, Damien and Zero Page +and how they met on the third pirate board in existance. Ok stop point. +WHAT? What is a pirate board first of all? A board that allows discussion of +software piracy? Couldn't be, Pirates Inn (and incidentally Pirates Harbor +and Pirates Cove) weren't the first with that. Hmm, I guess he must mean +they were the third board to use 'pirate' in the name. Yes, thats a definite +possibility, I'll concede that Pirates Inn was a major groundbreaker for +bulletin boards because it was the third to use 'pirate' in the name. What +a distinction! + Ok, lets scan down to the next line: ] + + When the club died out, the 1200 +Club was just starting up. Many quit +and went into phreaking. + +[STOP! What now? "Many quit and went into phreaking." Hmm, lets look at that +again, "Many quit and went into phreaking." What are these little kiddies +talking about? Do they know? I think that what they may be trying to get +across is that after they dropped kraking, many of the ex-members took up an +interest in telecommunications. Hmm, I don't think that authors know what they +are talking about, and it rather seems that they are as I suspected ignorant +pirates. "Many quit and went into phreaking." Hmm, like they just said, +"Hey! I don't think I'm going to get my power trip from pirating any more! +I'll be a kool phone phreak and everybody will love me even more! yah! I can +start confrences and learn about awl the koolest ma bell info! Hmph! Next +paragraph: ] + + At that time, everyone was cool, +there were no losers. Everone gave each +other wares and everyone was respected. + +[ No losers? You were around weren't you? "Everyone gave each other wares and +everyone was respected." What the hell is that? To me this means a bunch of +pre-teens calling each other great and trading games, this is nonsense! +Next Line: ] + + Damien said "If everything was the +way it used to be, I would get back +into it." Who wouldn't blame him! + +[ Now that's the worst, This Damien misses the old days even though the 'old +days' were just like the new days only then didn't realize what losers you all +were. None of these elite people have accomplished anything, including this +Damien fellow, so why does he miss the old days? grrrr! ] + +--------------------------------------- + +[ The Ice Man - The Doc - The I.C. ] + +[ SpecTacular Pirates Inc. 1985 ] + +The Spectrum Elite.......[###]/###-#### + +And the end I thought was especially interesting as it shows you exactly how +much of a pudnick The Doc and his buddies are. Well I can understand how +he misses the old days, lets take a look at some of his own examples of what +the old days were like: + + The following messages are from the board, 'Pirates Mountain'. These we +re some of the pirates of way back then (1981-1983). + +--------------------------------------- +Compiled by: the Doc/Elites Anonymous + +[21] - <=-WARES-=> +[ MESSAGE FROM ]: SOFTWARE SNOB + +NEW: +NOW IN: +DONKEY KONG +FAT CITY +GUMBALLS +ROAD PIZZA +BOUNCING KAMUNGAS +HOMEWORD + +REPLY TO: +SOFTWARE SNOB + +LOOKING FOR GOOD GRAPHICS SPORTS GAMES. + + -=-THE-=- + =-=SEA=-= + -=-DOGS=- + + +[22] - NMI CARD +[ MESSAGE FROM ]: THE LEECH + +ARE ANY OF U INTERESTED IN GETTING AN +NMI CARD, A BLUE BOX, OR OTHER INTERE +STING HARDWARE DEVICES DESIGNED SPECI +FICALLY FOR CLANESTINE COMPUTER ACTIV +ITIES...... IF SO, LEAVE E)MAIL TO TH +E LEECH AND IF U SEND ME A S.A.S.E. E +NVELOPE, I WILL SEND U SCHEMATICS, PA +RTS LIST, AND INSTRUCTIONS FOR FREE. +LEAVE ME E)MAIL FOR DETAILS. + +THE LEECH + + +[23] - -_]WARES[_- +[ MESSAGE FROM ]: TIM TAM +[PREFERRED USER] + +OK I GOT- + +THE NEW SAM +UPSIDE DOWN SAMMY LIGHTFOOT +PICKADILLY PAIR +HOMEWORD +SHORT-CUTS +INTELLECTUAL DECATHLON +PRO TOUR GOLF (OLD) +SARGON /// (OLD) +OLD---BOUNCING KAMUNGAS,PACMAN,ROBOTRON +AQUATRON + +NEW-- DONKEY KONG + +LOOKING FOR THE NEW ONES!!! + +FLASH!!! BEYOND BELIEF WILL BE BACK +UP TUESDAY NIGHT (22ND),24 HOURS FOR +NOW ON,6 BOARDS,NEW FEATURES,AND MORE +CALL 213=377=6568 STARTING TUES.NIGHT + +LEAVE MAIL TO + + ==== ==== + <>IM <>AM + T.R.A.D.E. +VOTE FOR ME!!!! +WHOD KNOW MORE ABOUT RUNNING A BOARD?? + + +[24] - WANTED***WAREZ +[ MESSAGE FROM ]: MOD MAN + +DOES ANYONE HAVE A --GOOD-- COPY OF +TRANSEND ///, MINE IS MESSED UP!!!!!!!! +T H A N X ! +--------------- +- - +- <<< MOD >>> - +- - +- >>> MAN <<< - +- - +------------------------------ + - VOTE FOR ME - + - AND I'LL BE - + - THE BEST,I'L- + -L PROTECT THE- + -BBS FROM BEIN- + -G CRASHED<><>- + --------------- + +[25] - LOCKSMITH 4.1 PARMS! +[ MESSAGE FROM ]: MOD MAN + +I HAVE OBTAINED ALL THE LOCKSMITH 4.1 +PARMS AND ALL THE COPY II+ PARMS! +THEY MAY BE ON THE <<>>FILES SOON +BUT IF YOU WANT THEM SOONER LEAVE +MAIL FOR.... + +--------------- +- - +- <<< MOD >>> - +- - +- >>> MAN <<< - +- - +--------------- + ------------- + ----------- + --------- + ------- + ----- + --- + - +VOTE FOR MOD MAN FOR BOARD PRES!!! +I'M THE BEST GUY FOR THE JOB!!!!!! + +[26] - RANDAMN!!!!!!! +[ MESSAGE FROM ]: MR. BIT + + + +YES FOLKS IT'S CRACKED AND I GOT IT. +AND IT'S PRETTY GOOD SO LEAVE E-MAIL +IF YOU WANT IT. +ALSO: + +FLYING COLORS +NEW S.A.M. +PICK A DILLY PAIR +SHORT CUTS +ETC. +BYE. + +[27] - =/H<>H WARES\= +[ MESSAGE FROM ]: THE WARE-WOLF + + NEWEST FROM: THE WARE-WOLF & + //\HI-RES<>HIJACKERS/\\ + +=TROMPERS +-COVETED MIRROR +=DONKEY KONG +-SHIFTY SAM +=AQUATRON +-APPLE CAT NW II +=FAT CITY +-DROL + + CALL: [THE WARE-HOUSE]<- + 301-587-0363 + + TO TRADE... + + + [>> THE WARE-WOLF <<] OF + + //\HI-RES<>HIJACKERS/\\ + +--------------------------------------- + +Yes, what a golden time that was. Well, at least everyone respected everyone +else and gave them wares... right? Hmm, if that's an example of what The Doc +considers the 'golden era' then he IS a loser. I mean how many of out there +can see that these messages were written by stupid suburbanite kids who were +bored? C'mon, raise your hands, lets take a headcount. Hmmm, that's most +of ya, what I expected. Let's take another case of little kids taking modems +and boards too seriously. Here we have a small essay by The Reaper on what he +thinks the modem world should be. I'd like to note that he is a good friend +of The Doc and they share a lot of views in common: + + It seems that most of you users have come to realize that the word "Elite" no + longer holds the same aura that it once had in the past. Partly true, you + have stumbled across one of the major issues regarding the world of computer + pirating today. +[ Ok, we will soon see what exactly this idiot thinks elite means, here we see +him apply 'elite' directly to pirating even though there is nothing worthy +of it in pirating, or anything else for that matter ] + I can remember the days of two years past, the days when pirating was + thriving and when I was just entering this realm of silicon sorcery. I wanted + so badly to have the label "Elite". Why? I guess it was partly due to the + obvious ensuing ego trip and partly just for the hell of it. It turned out + that my mentor, Chief Okoboji, had taken an interest in me - at a friend's + request. One thing led to another and I was started on my way in the pirating + world. A few months later and a number of connections afterwards, I began to + be labeled as "Cool", "Elite", etc. It was great. An ever aging veteran now, + I am considered to be an "elite" by those worthy to ajudge a person as such. ] + When I was working towards "elite", the system in effect was one of + seniority, one where the elites were the teachers and the losers were the + students. In the past, loser meant a novitiate or tyro user and elite meant + one who knew the wires. To become elite, you were first a loser, you got a + chance and you worked for what you wanted out of your hobby. Today, this + system has failed - partly because of the vast number of "trendy" losers. + These new users are here to gather fame and an ego trip (as all of us are), + but some are legitimate in their desire for knowledge (as the elites are). + The system has failed because there are so many people. We need to get an + organized system to handle all the new applicants - one which screens very + well. I say cut the losers, teach the disciples who really wish to learn and + keep the elders alive; for in the end, our quality and quantity will damage + us. The losers get busted and the elites suffer. Make it not easy for new + "trendies" to attain levels previously available only to those who deserved + them, the problem will be solvd, and we will remain intact. You do not see a + fresh employee of IBM become Vice President overnight! Consider that. +[ The Reaper : The Chosen/Ware Lords ] +Ok now that was idiotic. He mentions elite a number of times, but fails to +give any definitons. His seniority example is a poor one, does he consider +the fact that someone has hung around for four years a virtue? And what's +this teach the disciples who want to learn? Learn WHAT for God's sake!!! +What do people like The Reaper have to teach! Nothing! Absolutely Nothing! +What he considors an Elite is someone who's been around long enough to be +let on elite pirate boards and gets new wares. Where's the skill? An ever +aging veteran? of fucking WHAT? What did you ever do Reaper? What do you +know that makes you an elite pirate? And I haven't the foggiest idea of these +'worthy to judge the elites', who the hell are you talking about? Do you mean +people who are still playing with their pirate-toys after a few years of it? +An infantile bunch if you want my opinion. +And about the days when piracy was thriving, if I may step into your little +'pirate world' for a moment and compare it, in the 'old days' it follows logic +that you would have been much unhappier, since the way your precious wares +wares were distributed was through individual trades. Today 10 times the +number of people get new wares, and faster because there are huge cat-furs +all over the country for quick distribution. If the ultimate goal of piracy is +quick distribution of wares then you should be happier now, no? But of course +the ultimate goal of piracy is for a bunch of kids to put on their superhero +outfits and for a bit be the high, mighty and powerful people they wish they +were. Its just a power trip for people who have no inherent talent for +Computers, and no motivation to learn. Why don't you get a life and +not just vegatate on boards and involve yourself in petty things like +wares. According to The Reaper the critera for being 'cool' and 'elite' is +just a lesson in making a good impression to other bored little kids on +bulletin boards. + Another subject I'd like to touch upon, is that in The Doc's little file, +he included info about many of his users on his board. The list of users to +choose from is impressive, the only problem is that about 1/5 of the total are +actually available, if you pick someone from the list who is not on the disk, +you are shown the message: + +No information available at the present moment. Information will be available o +n future data disks.. +This gets extremely annoying as you may imagine. For many of the people +who ARE included on the disk, the content is "Joe Pirate is from the 123 area +code (gongeyland, RV) and was one of my best users." This would then be +followed by one or two of Joe Pirate's posts on SpecElite which would be +something like Joe's latest sector edit, and would tell us nothing about the +elite(and I use the term 'elite' facetiously) in question. One of the more +interesting of out friend The Doc's little pieces in on 'Incognito', +Basically the Incognito's data consisted of his 60+ sector rag file on +'leeches' [ another one of those silly pirate-words ] The file is stupid, and +so Incog. The asshole posts he'll never get busted 3 weeks before he gets +busted! Real smart guy there Doc... + +===--- + +Well that's all for this file. This file was written in September, '86. +Everything after the "===---" was written on 16th Dec, '86. Files to look for: +The Direct Connect Story:Chronicles of Mischief(Tentative title) +and my Rebuttal to Fall of The Modem World, which is as of yet untitled and +will be about 150-300 sectors, all about Tap, facts about elites, and buffers +of them. It will be my personal Version of Tap.Interviews I&II, Elite File +I&II, National Enlightener, and Fall of the Modem World all tied together. + +Bye for now! +Dead Lord +thanks: Hungry Hacker + Executive Hacker(the real one) + Ford Prefect + diff --git a/textfiles.com/phreak/PHREAKING/tap-int.3.1 b/textfiles.com/phreak/PHREAKING/tap-int.3.1 new file mode 100644 index 00000000..0f84a7f7 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/tap-int.3.1 @@ -0,0 +1,982 @@ + +$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$ +- - +$ Tap.Interviews.III! $ +- The Saga Continues! - +$ $ +- $A New Beginning$ - +$ April 91st, 1987! $ +- - +-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$- + +Hiho! the text file series to end all text file series, in scope, breadth, wit, +originality and great wisdom. IS BACK! Before I start, here's our ElIte Phreak +MC: Live Lord, to tell you about this latest and greatest installment. Hit it +Live! + +{Any simularity between persons in the ElItE phreak/hacker and pirate domains, +is totally off base. By the by, NO this file wasn't converted from prodos to +dos, but we're sticking with the elite filename seperater "." anyway!} + +LL: You know I wouldn't miss this for the world dude! I want to state for the +record that I DIDN'T write Tap.Interviews.II, that was a lie! Someone hacked +into all my accounts and uploaded it and I was under demonic possesion at the +time I wrote it and didn't know what I was doing and I'm not responsible for +anything that was in it and the people I ragged on really like me, we're best +friends now and they're cool and please just don't kill me ok? and.. {cut} + +ME: Getting carried away are we LL? Let's stick to the agenda ok? + +LL: Can I have my mom back now? + +ME: No! Not yet, after you're all done maybe I'll swing something. + +LL: Sigh, ok dude. As I was saying: It's not my fault! But whoever DID write +Tap.Interviews.II was a genius, compare it to the real, I mean original Tap. +Interviews. How many times does THAT make you laugh? huh? Not once by god! I +made a vast improvement, I mean whoever wrote it made a vast improvement over +the original. Didn't you laugh? I did! Chris did and you gotta respect anyone +who would fill up 2 sides of a disk with his opinions on everything right? I +sure do, in fact in the near future I hope to fill up more than two sides of +a disk with my opinions, maybe even 4 or more and.. {cut} + +ME: Shall we get on with it? + +LL: Fuck you, you're cramping my style. + +{Live Lord's mom begins to scream as her hair is set on fire.} + +LL: Ok goddamnit, fucking OK. Here is the slightly changed format that will +be used in Tap.Interviews.III. Since there will be so many people interviewed +I will be LL: {instead of the time honored ME:} and the person I'm talking to +will be their initials: {instead of the time honored AN:} After I get done +with the EliTe phreak/hacker interviews, Elven Magician will come on as MC for +the pirate interviews. There is also a special prize for the person who can +figure out who's writing Tap.Interviews this time! I'll give you 2 hint's! It's +not the real Infiltrater {just as well, Tap.Interviews.I wasn't funny!} and +it's not me! The prize will be a 3 week fun filled vacation to scenic Pigs +Knuckle Idaho, the town made ElItE and famous because Lord Analog said it's +name in Tap.Interviews.I {can you imagine? the ultra ElItE one himself saying +that? It gives me such a rush}. Which was the only funny thing in there. But +that's not all! Skip Avatar & Captain Rooney will be your tour guides and The +Shitman's mom will be your personal escort for the entire length of your stay! +Put some pancake makeup on her and she's as good as new! Who could ask for more +than this!??!?! Enough of this, on to the interviews! + +First up is the elitest of the elite, that god cast into mortal form himself, +the {C}reator {see where his ego's at} of Ethereal Access, that preppie turned +mental patient, the greatest living arguement yet that AD&D does cause Satan +worship, anti-social behavior, total personality reversal and possible brain +damage, the dude who has surpassed eliteness and found a new state of mind +beyond it, the supre.... {cut by editor}: Lord Analog! + +LL: {Struggling to keep from fainting from the excitement}. Shit! It's great to +meet you! My entire life is based upon yours, I think you're as elite as anyone +will ever get. Except, I gotta say I was very dissapointed when Ethereal Access +leaked out and ended up being real! What kind of a joke is a real program? + +LA: la de da.... lalalalalala.... la de da.... Hear that? echo's from space are +flashing by as we speak. Woooooshhhhhh, wooooooooshhhhhhh. Can you hear the +Loons? wooooooooshhhhhhhhhhhh wooooooooooooooooo..... {cut} + +LL: Yeah I hear them! great sounds, should tape it and it would replace Floyd +in a second. Let me just take this moment to tell you how great Ethereal Access +is and give you a compliment. + +LA: Oh grow up, when I want your opinion I'll give it to you, not only that, +I'll have it tattooed to your forehead. Now shut up, you're disturbing the +wooooooosh woooooosh of interstellar space you idiot. + +LL: Sorry, cheez, I'll never compliment you again, I was just impressed, the +manual, I meant softdox, that came with it were really nice too. Big, uh total +in their completeness, stupendessly large.... Reminded me of War and Peace. + +LA: Being the well read, well versed, all around know it all of all things +that I am, I've heard of War and Peace. Some kind of short story wasn't it? +I remember reading it during a commerical one day. + +LL: Uh........ right, you got it......... about 4,000 pages. + +LA: Yeah, a short story. The 666.666.666 Ethereal Access docs come in at just +under 12 million pages, when I revise them they'll be available on cd. + +LL: Sounds great, I must read them some decade when I'm stuck in the house with +nothing to do. + +LA: They're written in a combination of Latin, Hindi, Chinese and German, with +a technical Russian translation available upon request. Did I mention the new +and improved Sanskrit fontset? No I don't think I did, let me tell you about +it. It......... {cut} + +-- more -- +LL: Sounds awesome. But world is waiting for your opinion of Skip Avatar. Come +on you can tell me! + +LA: No I can't, you saw how I avoided the direct question about Minimal Element +when The Instigator asked me that in Tap.Interviews. If I don't want to answer +a question, it's my divine right to give you a 12,000 paragraph answer that +totally avoids the question! Like when I say something like "His life doesn't +have to meet with my approval" or "he knows many people who know what they're +doing, so if he knows how to do something or not, doesn't matter, because he +knows enough people who know what they're doing, when they're doing it, how to +do it and wax cars, chew gum, walk and do the hoola-hoop at the same time" I'm +practicing what I preach and lying in a very low key way. + +LL: Can you translate that into one sentence? + +LA: They both suck. + +LL: Thank you, see that wasn't so bad! I only have one or two more questions to +ask....... + +LA: Oh very well. What is it that you wanted? + +LL: I wanted to know if you might consider making a user friendly version of +Ethereal Access that can be used without so many arcane commands and maybe a +little simpler to understand. And maybe put 5 minutes of work into translating +some of your source codes, or if you really don't care, telling someone to +give them all out, or even give them out yourself. The great guy, I meant +dipshit, who leaked it out, compiled it and the editor got lost along the way. +Some of the parts and docs are missing too. Will you do anything to help us +out? + +LA: No + +LL: No? + +LA: Yeah, No. Any other questions? + +LL: What exactly does the "[RL19XCQBLT0*^++--99E9946]" function in Sub-Sub-Sub- +Module-Template B9137A do? I don't get it. + +LA: Pretty elementary actually. Let me give you a simple explanation of it, so +that even you can understand it: That function compares the current Dow Jones +average, squares it by the speed of light, divides that by the # of people who +died in Ethiopia today, subtracts that value from the tempeture in NY minus the +Tempeture in California, sqaured to the 4th power, wherin n*7-nl, whereas n=the +total circumphrence of the earth and nl=the annual rainfall in the outback and +puts the end result into the $ZZ(99) array for computations in the strobing +matrix. When the Matrix strobes to the red zone it means your toast is ready. +Got it? + +LL: Um..... + +LA: Told you it was pretty simple, any other questions? + +LL: Um..... any new mods in mind for version 7.0? + +LA: Sure! I have a few lined up ready to go. There's the new temporal hack +modification {note full spelling of modification, never, ever, abbreviate +modification to mod. Don't even think about it} that makes use of the flaws +I found in Einstein's theories, it's not bad, right now I have it where I +can finish hacking before I start. That's ok, but it needs some work. I also +plan to work on a user interface that will give you something to do while +the system is running, like a mini motion picture that is a graphic +representation of all the easy, moderate and complex actions taking place +during every nanosecond of use. + +LL: Sounds amazing! What does it look like? Must take a lot of memory! + +LA: Actually it takes very little memory, see theres the graphic representation +of the system being invaded, it's a little white bunny. Then there's the +graphic representation of Ethereal Access swooping down on the little white +bunny, it's a large, black, armor plated mass, with a set of jaws 3 light +years wide and saliva dripping down some really wicked looking fangs about +to eat the little bunny rabbit. It gets sort of old after seeing it 4 or 5 +thousand times, so I add little effects like blood dripping and things like +that. You know, to make it more cheerfull looking. + +LL: Oh.... sounds user friendly. I must admit I'm a little confused about a few +more things. Could you explain one more time, just how OCC dial theory works, +why did you invent it and what are the benefits? I don't get it. + +LA: Well, see.. Let me draw an analogy for you. Let's say the OCC is this huge +9000 ton blue hedgehog named Arnold ok? Ethereal Access is represented by the +gaps between galaxies in conjunction with the rotation of the zodiac and the +bisecting meridians of the event horizon on a black hole. Now if the azimuth +can be eqaully divided by infinity, thereby.... {cut} + +LL: I appreciate you taking the time to clear that up for me. Enough on the +Ethereal Access questions, now I want to ask you some questions about you! + +LA: Say.... haven't I heard this before? Hey! what's that rectangular bulge +under your jacket huh? If it's a walkman I'm going to cut off your head and +feed it to the devil, he lives in my attic. I have this thing against people +carrying walkmans you know? + +LL: No! No, nope, nope, never! I hate walkman's too, shitty things. Heh, ha,ha +ha,ha.... it's.... it's a paperback book! That's it, a paperback book! No +walkman for me, nope nope nope. That's what I wanted to ask you about a +little, what's this thing about unreality and um... how to say it.... well, +your fast approaching mental breakdown? + +LA: Reality isn't real, nothing at all is real, the only things that are +really real are the real things you really believe to be real. So if Guido +the Knife says the voices made him do it, maybe they did! Just because you +can't hear the voices doesn't mean they aren't there. + +LL: Do you hear the voices? + +LA: Sure all the time! How do you think I come up with all this stuff? I just +stop making the effort to hold on to reality and let my mind roam. Where would +we be without the ability let our minds wander? Or is that a lyric? Anyway I'm +working on a even more modified Ethereal Access 7.0, called Astral Access 66.6, +with it you can do a direct batch hack of astral mainframes and have access +to everything that ever existed, will ever exist, or might ever exist, period. +It's in the planning stage right now, so I expect it'll be.... 5 or 6 hours +before I get the finished version all done an. {cut} + +LL: But.... er...... th.. + +LA: .ee so when the plutorus humocus is in aligment with the death star and +sidereal timeline 94.brt is fluctuating at 23 kilocycles with the amperage set +to the nexus of sominus, it feeds the dog. +............................................................................... +We break now for a brief commerical to help pay the bills. This commerical has +nothing to do with anything else in this interview and shouldn't be taken to +mean that it does. + +Hi! Peppy the Pusher here to tell you about a brand new miracle product! Are +you a little on the rotund side? Do your clothes come from Omar the tent maker? +face it, are you FAT? + +Now there's hope! no more eating 10 pounds of cucumbers! no more sensible meal +plans! Eat all you want! anytime you want! yes that's right! all this and more, +all you have to do is add our miracle product to each meal! or take it during +snacks, instead of snacks, anytime at all! + +What's the name of this miracle product you ask? {as well you should} Available +NOW! supplies are limited so order your shipment of BLOW today and watch those +unwanted pounds and unused brain cells slip away like magic! + +Just look at what BLOW has done for the ultra elite Lord Analog! It's turned +him from a little on the chunky side, normal, everyday, preppie on the way +to being some kind of corporate exec, into the new and improved Lord Analog, +whose mind went out to lunch {heh heh get it?} one day and never came back! +Instead of using a butcher knife on steaks, you too will get the urge to +drive it through people's skulls! I sure as hell wouldn't want to be close +friends with him {or anywhere within 50 feet of him}, but he sure does look +good now doesn't he? Remember "It's better to look good, then to feel good" +brought to you as a joint effort of the better mental health clinic and Mort's +embalming service, to help retain that sleek and sexy look right into the +grave before the maggots eat you {and what's left of your brain!} + +{Editor breaks in} Peppy, you said you weren't going to do this. + +So I lied! buzz off! this is my ad space! + +All this and MORE MORE MORE! Order NOW!!!! + +BLOW is a product of Cocaine labratories, a wholly owned subsidiary of Crack +industries. "Crack - get a piece of the rock!" + +Now back to you Don Pardo! +............................................................................... +{we continue with the interview all ready in progress} + +LL: Sounds real good, but how can I run it if I don't have the hardware? + +LA: Oh it's not too complex this time, all you need is a Cray6 with a MacIV +acting as a intelligent printer buffer, hooked to a apple //e acting as an +intelligent modem, hooked to a sun workstation, acting as a intelligent +tab aligment machine, hooked to a F-15 that's acting as a intelligent power +supply, hooked to a.... {cut} + +LL: Silly me, I thought it would be complicated this time. + +LA: No, I decided to keep is simple. + +LL: How do you feel about the trend you started in Tap.Inverviews? Many people +have taken it as the bible of truth for the online domain. Everywhere you see +people quoting entire sentences out of it {like me for instance} and a almost +complete change in peoples attitudes to elite boards. How do you feel about +starting this? + +LA: I don't care. + +LL: You don't care? + +LA: No. + +LL: Anything else to say about that? + +LA: No. + +LL: What do you do to relax when you aren't........ aren't........ well aren't +doing whatever it is that you usually do? + +LA: I like to take large amounts of acid and write weird poetry while thinking +about the implications of what would happen if inner space became outer space +and infinity was finite, while listening to Led Zeppelin and Doors albums. + +LL: Uh yeah....... sounds very relaxing. + +LA: It is. + +LL: I was just wondering, when's the last time you wrote a complete sentence +that someone without a degree in English could understand, without looking up +words in a dictionary? + +LA: Funny you should postulate such an occurance, I do beleive I wrote such a +sentence back in 1982, yes I recall it fondly myself, simple, to the point, +and people understood it. Can't have that now can we? + +LL: No, I guess not. + +LA: Well there you go. + +LL: You're one of the elitest people to ever hit the modem domain, but you +aren't on any boards where anyone can reach you. What's the use of being elite +if none of your followers can find you? If they can't find you, they can't +kiss your ass, like me for example. I've been trying for years and when I got +so tired of never finding you, I just started impersonating you on a few boards +for laughs. What's wrong with you anyway? + +LA: I think I'm insane, but don't hold it against me. + +LL: You think? + +LA: What? + +LL: You think you're insane? + +LA: Are you trying to imply something? + +LL: Um.... dude.... + +LA: Because if you are, then you can be the next ritual sacrifice. I don't care +about anything, I can get out of any jail, I just disintegrate my atomic +structure and reintegrate it wherever I want to be, I don't care, I don't care, +I don't care about you or anyone else! Or is that a lyric again? and al ..{cut} + +LL: No! I didn't say that, I meant that.... um.... th.. + +LA: I have Adolf's brain in a jar you know. He talks to me sometimes. + +LL: Heh, he. hah ha.... uh.... that's cool. uh.... I think I should be going +now. It's........ + +LA: See I worked out this theorem about matter and light, for example let's +say you sqaure infinity and subdivide it by the total refraction of a purple +cow and then.... {cut} + +LL: Heh hah, look at the time! + +LA: So you see, this consitutes conclusive proof that I can dissapear at will, +the only problem is reapearing, but I think I can figure that out too. So when +you take a mutliple of rk2-b and apply it to the intronsic streams present in +the dna/rna coding, you dissapear! like this! {Poof} + +LL: Ha, heh, ho.... good trick.......... + +LL: Hello? + +LL: Heh, well how about that! Great interviews wasn't it? Heh, um.... ah.... +Let's move onwards now. + +Next up we have that hulking hunk of masculeinity, the "man" who isn't afraid +to tell people he's sensitive by wearing eye shadow, the first elite phreak / +hacker ever to wear eye liner and blusher, the future hardcore mega-star just +waiting to be discovered in the back alley's of some dead town in Ohio, the +only person who cried when he found out newsweek was almost bankrupt, that 5'4" +towering inferno of great info ....{cut again by the editor}: King Blutto! + +LL: Heh, ha.... hey.... looking............ thin...... yeah very thin..... kind +of pale too, or is that makeup? {moving away from Blutto in case he has the +unspeakable disease} + +KB: Are you trying to imply that I'm a heterosexual you brat, rodent, wimpgeek? + +LL: Nooooo, nope, nononononono. I never said you were a heterosexual. + +KB: Are you calling me gay? chickenshit! I'll drink your blood for that you you +you you {steam coming out of ears} you you rodent, geek, brat, wimp! + +LL: Uh.... no. I never for a second thought you might be straight, I meant gay, +I'm sure you'll take the fashion world by storm someday. Nice hair.... blue +offsets your mascara nicely. + +KB: Thanks for the compliment, I now declare you one of my subjects, so when I +open all my messages in exactly the same way on every system {Impersonators +start taking notes} like this "To all my subjects:" you can be a offical +subject of mine too! + +LL: Always looking for an oppurtunity to kiss ass, thank you. + +KB: Anytime, I'll even throw in some tickets to see our band play over at the +65 and over Bingo reception tuesday night. We're called King Blutto and the +Cathedral choir boys. + +LL: I'm really in your debt now, but before I get in too deap, I'll have to +pass on those tickets, my Iranian diplomacy class meets that day. + +KB: Are you trying to say I have no talent you rodent, leach, geek, wimp, brat, +chickenshit? + +LL: Oh nooo! nope, nononononono. Uh huh, I'd love to see you and your band get +out there on the stage and........ and.... and do whatever it is that hardcore +bands do, throw up into the audience was it? no, don't tell me, let it be a +surprise! What I really wanted to ask was a couple of questions about you! + +KB: Oh! that's different. Would you like a autographed autobiography? 8X20 +glossy fit for framing? our latest demo cut of this song I wrote called "I +woke up one morning lying in a alley in a pool of slime", a King Blutto fan +club button? A signed copy of......{cut} + +LL: Um.... I only wanted to talk to you about your elite board and elite +friends and elite wares and all around eliteness. + +KB: Sure! I ran a elite board, it was the most secure board that was ever run, +Richard Sandza is a close personal friend of mine, don't rag on him or else you +will feel my wrath! + +LL: What was so great about your board? + +KB: I ran it. + +LL: Um.... ok.... Oh yeah! I wanted to ask you about Bluttoware! I remember +your opening message used to say you were a elite pirate too. I can go for +that, I'm serious now, when I think of the pirate greats, the names that +come to my mind right away- King Blutto, Mr. Canon, Krac0ritz, Disk Rider, +yeah, in that order in fact. + +KB: See? Told ya i was elite! + +LL: Yeah, I can see how wrong I was thinking you were just another loudmouth +24 year old with the emotional development of a 10 year old kid. By god, you +are elite after all! + +KB: I know. + +LL: Well.. we have some of Lord Analog's accomplishment's, Lex Loother told us +everything he ever did in the last installment and I'll be talking to him next +anyway, so what.... um.... h...... th...... what have you ever accomplished, in +phreaking/hacking that is I mean. What did you do or write or invent or +contribute, or anything, um.... + +KB: I got a 2 word mention in newsweek + +LL: Uh yeah, I know. So did a bunch of oth...... + +KB: But they were rodent, geek, wimp brats, I'm not! + +LL: I can see where you're coming from. Anything else you've ever done? + +KB: I Invented the Blutto box! + +LL: But it's not real and it doesn't do anything an.... + +KB: That's what people said about Ethereal Access! See how wrong they were? I +have built a Blutto box, it's in my pocket right now, I can blow up the entire +phone system whenever I want! + +LL: Think I could take a peek? + +KB: Well.... ok! Look! + +............ +! !\.! +!.......!..! +! ! +! Ti{ Ta{! ! +! ! +! Mints! ! +!..........! + +LL: Um, Blutto...... it looked like a box of tic tac's.. + +KB: Good disguise huh? + +LL: Yeah.... you really think of everything. Anything else you've ever done? + +KB: I discovered Qourom-P conferencing. + +LL: But that was another joke, just like you and Dull Gillette telling everyone +that ROTL ports are really REMOB's and.... + +KB: You wimp, geek, brat, rodent, leach! Wasn't that funny? + +LL: Um.... it was a riot, but what have you done that's of any worth, that's +real? + +KB: Teletrial! The best idea ever invented and I thought of it myself! + +LL: Yeah, amazing invention, the whole world took notice that time. + +KB: I know. + +LL: Uh yeah, I hear you're also very mad about the Molecule calling you a loser +in his Famous Losers of 1984 file, anything to say about that? + +KB: That chickenshit, rodent, wimp, geek, I'll drink his blood for that! I hate +rodents who make loser lists. What a rodentish thing to do! + +LL: Blutto........ didn't your board have one of the first online loser lists? + +KB: What does that have to do with anything? Those were people I called losers! +Who the fuck does the Molecule think he is? Calling me a loser? + +LL: But you did the same thing, in fact you're the first elite to ever spend +more time ragging on people than copying books into text files. You started an +entire trend, an..........{cut} + +KB: Are you trying to say something rodent? + +LL: Not really, just a thought. + +KB: Good, why don't you shut up before I drink your blood! + +LL: Ok, but what did you ever accomplish though? + +KB: Didn't I just tell you rodent? + +LL: Yeah I guess you did. We'll get back to this at some other time {or maybe +never if I can tactfully forget it}. Now what about these things Mr. Canon +said about you being a terrible programmer and the Goonif saying the same thing +in the National Enlightener's? + +KB: I'm the best programmer ever you wimp, rodent, leach, lose, geek! How can +you say I'm not? Why look at what I've programmed! I changed the print's on +GBBS for Bluttoland and I made a arcade machine game with Prof Xavier in my +elite pirate days! Don't my accomplishments speak for themselves? + +LL: Can't argue with it KB, they sure do. Anything to say about Bluttoland +being crashed, inited and uploaded all over? + +KB: Fucking rumors spread by rodents! not true! + +LL: Anything to say about the same thing happening to your current base BBS +Christ's Cathedral, being crashed, the entire confidential userfile and +software downloaded, packed and re-uploaded to every cat-fur around? + +KB: That never happened, another rumor. + +LL: Blutto, this happened in Sept of 86! this is not the far gone past that +you can rewrite to suit yourself and.... + +KB: You rodent wimp geek! dare to question me? I.. + +LL: Blutto, I have the software myself! I've seen it an.... + +KB: What does that have to do with anything you chickenshit geek? I'm telling +you it never happened, what are you going to believe the proof or me? + +LL: Now that you've put it back into perpective for me, I'm sorry, I should +never have questioned you. Please forgive me my king. + +KB: Much better rodent, bow and kneel. + +LL: Thank you. +............................................................................... +We pause now for another commercial message! + +Peppy the Pusher here again to remind you all that you don't have to be +overweight to enjoy BLOW! You can be right at your ideal weight and use BLOW +anyway! The emacipated look is in! 130, 120, even a 110 pounds are within your +reach! Add some make up and you'll look like a walking corpse too! + +If you don't go for the sleek and sexy look, how about the almost dead look! +be a trend setter! don't let others dictate your style! almost dead is very +very in! + +King Blutto also offers his endorsement for BLOW! with 2 mega elites using it +how can you go wrong! + +Elite's use BLOW! If you want to be elite you should too! + +Peppy the Pusher also endorses Coverguy eye shadow! For that strung out look +so popular with junkies! +............................................................................... +{back to the interview all ready in progress} + +KB: Better watch it or I might drink your blood or tattoo celtic runes into +your forhead. + +LL: Oh no! Not this again, didn't I just have one of these conversations? + +KB: {drawing a pentagram and lighting candles} + +LL: What is it with you people? Are you just pagan's or what's wrong with you +guys? Everywhere I turn you "elites" are doing or saying something that 18th +century housewives might have come up with. Does using MCI fry your brain +after x amount of phone calls or something? + +KB: {humming, setting up skulls at the 5 points} + +LL: Uh.... oh my, look at the time again, really must get going now. Thanks for +this interview, it's been.... h........ uh.. it's been great! yeah.... great! + +KB: {something that looks suspicously like the graphic representation for +Ethereal Access eating bunnies, starts to materialize in the pentagram} + +LL: {discretion being the better part of valor, your valiant MC starts to run} + + Next up we have the human xerox machine: Lex Loother! + {editor's note: "Where's the intro"?} + {{I can't do one, he doesn't have a personality. He just types.}} + {Oh...... ok, go on} + +LL: Before we start I'd like to know if you have any dark hidden secrets like +everyone else does, tell me the truth, does the devil live in your attic, or +do you talk to the moon or draw pentagrams? {Editor's note: Not wanting to +confuse our readers, Live Lord will continue as "LL" and Lex will be "L$"} + +L$: No, no time, no time. I haven't left my room in 6 years, so many things +to type and so little time. + +LL: I understand! Did you know that there are these new machines called +optical scanners that copy books directly into text files now? + +L$: Wha.... oh.... no! you mean I'm obsolete?$$$$$$$$$$$$$$$$ + +LL: You could make the machine put a $$$$$$-=} Lex Loother {=-$$$$$$ at the +front and back of every page for you. + +L$: $hey$! $t$h$a$t$'$s a $elite$ idea$! + +LL: Lex...... you're doing it again. + +L$: $what$? $oh$ $orry. + +$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ +we pause for another commerical message! + +Peppy the $E$l$i$t$e Pusher $ay$ If you've already gotten to the 98 lb geek +look, we have another miracle product that helps you gain weight! No more +sand kicked in your face down at the beach! Even if you never leave the house +and have never been within 50 miles of a beach, you'll still appreciate the +results! + +This brand new wonder product is called "Hashish!" Yes Hashish! Whenever you +want to pass up dinner and type up some manuals instead, take some of our +Hashish and in a few minutes you will get the urge to eat everything in +sight! + +If you never leave the house and don't know where your nearest foodmart is +located, ask mom to stock up on munchies beforehand! It's always $elite$ to +plan ahead! + +Lex Loother is so found of Hashish that in another few weeks he'll be ready +for our alternate miracle product BLOW! +$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ +{back to the interview all ready in progress} + +LL: Anything you want to say? + +L$: Me you mean? + +LL: Yeah + +L$: No, I $think I $almost covered it in my $last talk with $you,$ except $for +$that $time $when $I $parted $the $red $sea $and $what $about $that $time $I +$invented $the $airplane $a$nd.. + +LL: Thanks Lex, time for the next interview! + +L$: Of course I told Openheimer all about atomic power, if NASA had listened to +me that disaster never would have happened, Lee Iacocca took my financial +advice when he was a stuggling immigrant shining shoes and$.... + +LL: Uh.... yeah. thanks again lex! bye! + +L$: ..a$n$d$.$.$$.$.$}$.$.$.$ L0D/L0H$ 4$$$$$$$ Wait! what year is this? Is +there still daylight outside$?$$$?$?$$?$? + +L$: ?$h$e$ll$$$o$? + +L$: H$e $w$asn't $elite$ anyway$$$$ + +$$$$$$$$-=} Lex Loother {=-$$$$$$$$ +$ $ +$$$$$$$$$$$$$L0D/L0H$!$$$$$$$$$$$$$ +$ $ +$$-=} In ca$e you forgot this {=-$$ +$ $ +$$$$-=} wa$ the Lex Loother {=-$$$$ +$ $ +$$$-=} interview$!$!$!$!$$$$ {=-$$$ +$ $ +$$$$$$$$-=} uploaded by {=-$$$$$$$$ +$ $ +$$$$$$$$-=} Lex Loother {=-$$$$$$$$ +$ $ +$$$-=} & the Legi0n 0f D00m! {=-$$$ +$ $ +$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ +$ $ +$$$$L0D$L0H$L0D$L0H$L0D$L0H$L0D$$$$ +$ $ +$$$$$.... {cut} + +{cut by editor, we're running out of room} + +Next is that elite pirate turned elite cracker turned elite phreak turned elite +hacker turned elite god in mortal form too. Lord Analog's spiritual equal, that +smooth talking, game playing, egotistical, talented, inventor of everything +that ever was, m.. {cut by editor's}: Mr. Canon! + +LL: You're still alive! + +MC: Sorry, but I can't talk to you. + +LL: Why not? what's wrong? + +MC: You're not worthy of my notice. + +LL: Hey! Lord Analog talked to me! + +MC: He must have thought you weren't real. + +LL: I'm as real as you or him! + +MC: We're not real. + +LL: Uh.... not this again, please! + +MC: I refuse to soil myself by engaging you in coversation. Here's to crime! +{Mr. Canon pulls out a uzi and smiles. It looks like your elite mc is on the +run again.} + +LL: Next up I have the originator of 20 part text files series, the first +person to copy manuals and not give credit, {Lex Loother always gives credit!} +a human word processor even before Lex, th.... {cut}: BIOC Agent 000! + +LL: Great to see you Bioc! What have you been doing with yourself for the last +two years? + +B0: Life is tough, I'm still working at the same restuarant as a waiter LL. + +LL: You mean to say that BIOC Agent 000, speed typist extraordinare, can't find +a better job then working as a waiter? + +B0: There aren't that many jobs out there that only require you to copy books +into text files you know, it's hard to find that kind of specialized work. + +LL: I know the feeling, you think it's easy to find work when your only job +skill is having make-believe conversations with nonexistent people? + +B0: I can see where you'd have problems. + +LL: But we're not here to talk about my problems, we're here to talk about your +problems Bioc, so let's get on with it. You are almost the ideal elite you know +that? You had a big name, giant following, fame, rodents worshipping you and +through it all, you never did anything besides copy manuals, make 500 line +copies of magazine articles, copy books on unix and become the first person +to ever have a signiture 9 lines long. What happened, why'd you leave? + +B0: My boss threatened to fire me if I kept coming in late for work, so I had +to stop being elite and take more time to be a better waiter. + +LL: Oh...... You are also a typical elite in the way you buried your past the +moment you became famous. The average person who thinks of Bioc, thinks of +"your" Basics of Telecom files, they don't think of the Bioc who was a +member of APRA a Apple distributors club that lasted for 3 weeks or the Bioc +who really used to own a Timex or the Bioc who got thrown off 914 boards for +being such a pain in the ass for other users. Hardly any at all would remember +the Bioc who had 30 message wars with Big Brother and the rest of the SF ][ +members all over the general section either. + +B0: I know LL, I've done a good job in the PR department. Even better then LOD +if I do say so myself. + +LL: You sure have, in recognition of that, I've decided to do you a favor! + +B0: What's that? + +LL: I'm mentioning your name! Not being elite anymore you might not know it, +but you aren't even legendary anymore, if it wasn't for me bringing you back +into the spotlight right now, your alias would have sunk into the limbo of +people who used to be elite but don't exist anymore! A select few are destined +for eternal eliteness because of their great notiriety, or some great things +they've done or said or written or all 4, but Bioc, you never said anything or +wrote anything or did anything! You're like Lex, you only copied things and Lex +is the one remembered as the human xerox machine, I'm afraid you've sunk into +obscurity! + +B0: No! it can't be, being elite was the one thing in the world I had going +for me. I had 5 sides of files out when Lex and his $'s were a gleam in some +future computer owners eye! It just can't be. + +LL: It's true Bioc. + +B0: No! nononononono I can't accept that. I'm much better at typing then Lex +ever was, I'm Bioc, the man with a 9 line signiture! That was my idea too! +nobody ever did that before or since then! I can't be forgotten. Wait! I have +it, I'll be the first elite to ever kill a interviewer! Yeah that's it! + +LL: Now Bioc, wait a minute, It's not my fault you're not elite anymore and.... + +B0: Attack!!!!!!!!!!!!! + +LL: {Your elite MC runs out of the soup kitchen doing 80 as a frenzied former +elite runs after him with a steak knife} + +LL: I've had it! all these arrogant, self centered, hostile scumbags are +giving me a headache! {Editor's note the "arrogant, self centered, hostile, +scumbags" have no relation to our interviews} This is the last elite +phreak/hacker interview I have left before turning this over to Elven Magician. +Good riddence and furtherm.... {Live, are you forgetting your mother?} + +LL: Fuck the stupid bitch. I never liked her that much anyway, ever since she +took away my modem for 3 weeks when I got that F, set her hair on fire the +bitch deserves it! + +LLM: {Live Lord's Mother} You little shit! I knew I never should have given you +a Apple Cat! Networkers aren't good enough, Smartmodems aren't good enough and +this is how you repay me you, you, you, you can just forget that //GS! and I'm +sick of all your.... {cut} + +LL: Ok stop sniveling mom, I'll do the last interview already. I'm not eating +any more brussel sprouts when this is over, you can count on that. + +LL: The last interview is a double feature with those masters of the blue box, +those big time larceny experts, those credit card abusers who know what the +score is, those 2 former LOD members grown up and nowhere to go but down, those +examples of what happens to elite phreaks and hackers who "grow up and enter +the real world" {to borrow someones line}, those finely tuned theft machines, +the.... {cut by editor}: Mark Tabs and Karl Lenin! {MT & KL} + +LL: How's jail treating you guys? + +MT: It's not that bad. It's even taught us a lot about ourselves, we're engaged +to be married next week! + +KL: Oh stop it you! + +MT: Don't be so shy! you're the best! even better then that big one Tito from +cellblock 12! + +KL: Heh, I know it dear! + +LL: Um...... if this is private I can leave. + +KL: No, stay, you're kind of cute! + +LL: Uh............ thanks, yeah thanks. I appreciate it. {moving away again} + +MT: What did you want to ask us? + +LL: If you guys are or were, so good, how come you're in jail? + +KL: Good question, got anymore? + +MT: I agree, excellent question. Next question? + +LL: What are your plans when you get out of jail? + +MT: We want to get a big house together overlooking the city dump, with nice +pink frilly curtains and settle down and have children. + +KL: Yup! that's what we want. I can get a job with AT&T as some kind of +operator or something, should be making almost 4 dollars a hour! + +MT: Don't stretch the truth dear, you know were lying got us last time, you +know that 4 dollars is before taxes! + +KL: I know, but true love conqours all! + +MT: So true! +............................................................................... +Peppy the Pusher says: Remember to use Close Contact Condoms for safe sex! +Better to be safe then sorry! For all your abnormal needs, use CC's, I meant +CCC's! Peppy the Pusher sells them and Mark Tabs and Karl Lenin recommend +them! How can you go wrong? +............................................................................... +{back to the interview all ready in progress} + +LL: Uh, yeah...... I can see that. You look happy, really happy. Anything you +want to say before I go throw up, I mean close up these interviews? + +MT: Read a bunch of manuals and elite files and learn all you can about how +the phone network operates! Then you can grow up and become a unsuccessfull +credit card thief like me and Karl! + +KL: He's right you know! It's a long hard {giggle} road to the top, but once +you're there, you'll never turn back! + +{Karl and Mark together}: Stay elite, eat your brussel sprouts and remember +that safe sex really works! From here in jail, to all you aspiring auspicious +{good word don't you think? read my elite files for more uses of auspicious} +elites out there, take it from us! stay elite! + +LL: Thanks guys, I know this has turned my life around, most disgusting thing +I've seen since I saw that black boy in scared straight. + +LL: I survived! another day another paycheck, hey EM get your ass out here, +it's your turn. + +EM: What? What's going on? I haven't been around much since the Tavern went +down, what's going on? + +LL: How should I know, elite pirates are your department. + +EM: No they're not, pirates are totally different from phreaks and hackers, in +that field you have about 5 names that go on forever, who might not be total +losers, but they say and do so many strange things, that they're always +newsworthy. With pirates, if they're any good, they're nothing to rag on, since +pirates don't have personalities and never say anything. What can you do, make +fun of the border color they chose for the latest crack? + +LL: I don't see much difference, you just described both Bioc and Lex. + +EM: They choose bad colors? + +LL: No, they never say anything or do anything besides copy manuals. + +EM: What about all the rest? + +LL: What rest? that leaves about 4 with notiriety up the ass and they worship +the devil or the ozone layer or themselves or all three and are psychotics +anyway, can't get too near them. + +EM: There are only 4 or 5 phreaks and hackers total? what about all the rest? + +LL: Those 4 or 5 are the ones who have at least reached some new depth of +original behaviour disorder and done something, I don't know what, but +something, in their chosen field, so they got a lot of press. + +EM: Like what? + +LL: I don't know, don't ask me all these questions. + +EM: What about all the rest? + +LL: They have attitude problems without having anything to back up their claims +of eliteness, they mostly read phone magazines and then think they know all +there is to know. There are a few thousand of those. + +EM: What do you call them? + +LL: Some people call them posers, some people call them rodents, some people +ignore them which makes them mad since they feel they should be getting some +kind of recognition for being elite. + +EM: That's who I write about! It's not so different after all! There are 8 or 9 +good pirates, they're boring people, you can fall asleep listening to them +drone about autosync bytes and how exciting their new clear screen routine is, +or what awesome protection some 10 sided, 95 track, new ware has, but they have +some kind of real claim for eliteness! The rest are called new warez kids, the +equivalent of your posers or rodents. + +LL: I was wrong then, you write about new warez kids, not pirates, what +difference does it make? get on with it so I can go home and watch Max Headroom +already. + +EM: Go then and leave me to my work, only thing that isn't right about that is +the title new warez kids, some of them are in their 20's, I tried to bring +this to light on the Tavern but it went down too soon. There are new warez men +out there and it's not a pretty sight. + +LL: So write about them and leave me alone already! bye! + +EM: Take care and stay elite! + +LL: You bet and you too! + +LLM: Eat your brussel sprouts dear! + +LL: Shut up mom, I knew I should have left you there. + + +{Kontinyood in part 2! Don't miss a single action-packed word!} + diff --git a/textfiles.com/phreak/PHREAKING/tap-int.3.2 b/textfiles.com/phreak/PHREAKING/tap-int.3.2 new file mode 100644 index 00000000..0ccf35a5 --- /dev/null +++ b/textfiles.com/phreak/PHREAKING/tap-int.3.2 @@ -0,0 +1,1015 @@ + +EM: Hello out there! I am back and faced with a serious problem. All the new +warez people I used to write about, are gone! Not all, but almost all. I used +to rag on The Slutan, Robine Hude, Triple D, The Dung Master and some others +who were less fun, but the first three all got busted for phreaking {a riot, +but they aren't around to poke fun at anymore!} and Dung Master is nowhere to +be found. So you begin to appreciate the problems I face writing about new +warez people! They rotate "elites" too often to keep track of. My best rags +ever were The Rock and Gadget Slave, where are they now? I sure don't +know. Work is work, so I have to set my sights on who is left or who is new, +none of them are even worth the attention, but who am I supposed to write +about if all of them rotate so fast? I can always take the usual stab at +Disk Rider for selling his elite cracking secrets to Newarez Harbor, or Grape +Bandit for being such a liar about everything and turning into such a persona +non gratis, as a human. But what more can I say? even though both are doing +cheap, low and scummy things to make money, that's their business. Cold Rod? +Can't rag on him either, he doesn't do anything besides collect beer cans and +write space invaders copies. Exciting life. Anyway even I admit that Mauve Bag +is ok and that was just a cheap shot I could't resist. So I'm left with new +wares people to work with, such price art. + +EM: Since new warez people all do more or less the same type of shitty little +things to each other and other people, I'll pick 6 names at random from the +latest crop. {reaching into the new warez people phone list and picking them +at random now} + +EM: Look here, first one up is none other then {pause for dramatic effect}: +The Rabbitmen themselves! Wait a minute, editor! hey editor! + +{What?} + +EM: Is this for real? + +{Is what for real?} + +EM: The Rabbitmen? Who would name themselves something that lame? + +{The Rabbitmen, that's who} + +EM: Who are they and how am I supposed to write about them if I don't know +what they're doing? + +{That's your problem, you're the MC} + +EM: Oh all right, all right, go away you scum sucking pile of editorship you. + +{That's $50 out of your next paycheck Elven.} + +EM: Fuck you + +{$75, want to go for $100} + +EM: Uh.... no, no thanks. Go away and let me work. + +EM: Since I'm short on time and short on things to ask these people, since they +don't do much, let's get going! + +EM: Hello Rabbitmen! good to have you here. + +RM: It's not good to be here, you're making us take time out from writing a +couple of lame rag files and besides, someone already did the Rabbitmen +Interviews, in all uppercase, trying {without success} to copy your original +style off the Tavern. A lot of us new warez people like to try to act like you, +you know? + +EM: I know, that's because you're lame, even your attempts at borrowed humor +fall very short. + +RM: We know, we can't help it. + +EM: My update here says that in the short time you've been around, you've +somehow managed to get yourselves into wars with every other newarez group +around, why's that? + +RM: We're worthless and need to center attention on ourselves in some way, so +if we can't crack and can't program, we get ourselves into as many wars as +possible, at least we get some attention that way. + +EM: Makes sense in a new warez kind of way...... Do you think you could stop +doing that? I mean I care what Analog Gang, No Class, Catfur to Catfur and +you guys, have to say, about as much as I care about the mating habits of +siberian fleas. But without your "group" there to start them up, they stay +quiet, "crack" their wares, get into long drawn out disputes about who b942'd +a ware 36 seconds before anyone else, who double released who, and maybe add a +rag page or two, but we aren't forced to read all their attempts at humor in 4 +part, 100 sector files that aren't funny. + +RM: We can't stop, that's the only thing keeping our group together. + +EM: I thought your "group" fell apart anyway. Didn't everyone quit or get +thrown out or something? + +RM: We went on another members drive, we're back to full capacity again. + +EM: Do you think you could keep your arguements on rag pages and your own +boards, so we aren't forced to see files explaing why the Crumb Monster took +a name from sesame street, or explanations of why King Sauron is a original +name and other great info like this? + +RM: We'll try, but I'm afraid we don't "crack" enough wares to keep up with +our shit list and rags. + +EM: Try harder. + +RM: Ok we will, can we go now? + +EM: Yes, get out of my sight. + +RM: Thanks. + +EM: God, that was bad. I'd forgotten how awful it is trying to talk with new +warez people. I hate this job. {Randomizing another name}, it looks like we +have with us, none other then: The Trucker! + +EM: Hey TT, good to have you with us. So....... who are you anyway? + +TT: You mean you haven't heard of me?!??! I'm the best sysop, programmer, +text file writer, pirate, everything!!!!!!! + +EM: Your name doesn't remind me of anything, want to give me some examples of +things you've done? + +TT: Sure! I always love to talk about myself. The first thing I ever wrote was +a patch for catsend. + +EM: Oh, you fixed it up for long distance? + +TT: No, no, I added a 8 phase spinning cursor and made it lose characters when +you typed faster then 5 words a minute. + +EM: Hey, that's cool! I think I remember that one, you put like these +)=-++*&^%{([> The Trucker! <])}%^&*++-=( around your name right? + +TT: Yup! That was me all right! + +EM: Tell me more, this sounds cool! + +TT: Sure! Why don't I tell you about my specialty! Writing 100 sector text +files about things so ridiculous, that people wonder whether I'm serious! +I always start them with a message saying "This file is totally in 80 columns +and lowercase", add about 90 lines of credits, thanks to's, call these rad +boards, then get to the file itself. In the past I wrote a 90 sector file +reviewing joysticks, an {cut} + +EM: You didnt! + +TT: Heh, sure did! Then I wrote about 40 different "patches" for catfur that +didn't do anything usefull. 2 of the best ones changed the prompt and fixed +the Macron's typo. They were each 20 sectors, 18 sectors for the credits and +2 sectors for the rad spots to sector edit. Then I wrote a scanner which didn't +work, I don't scan but I wrote it to make people think I'm rad. Then I took +credit for having the first new wares scan in catfur even though the Western +Alliance had it 5 months before I did, then I called my board RAPS, the Retard +Alliance Pr0fessi0nal system! That means I made lots of modz to the Macron's +Catsend online run board he wrote before writing catfur. and {cut} + +EM: Did you ever do anything, that, well, you know...... was usefull for +anything? + +TT: Sure! I put together a 50 sector program that said I'm starting a new +group, it didn't last too long, but it was rad, then I always like to tell +people to call my board because I don't phreak and I'm too cheap to call them. +I can't understand why none of them ever take me up on my offer and call. And +then I put together a collection of my lame mods into one file, that never +went anywhere and nobody ever used for anything. Then I put together the hard +drive survival pack which had a bunch of fids and my usual credits that took +up 3/4 of the disk and didn't work right. I also like to dedicate warez to +philip esterhaus who has been running a lame board called the pirates chip for +4 years and still doesn't have any users. It's a unmodded t-net, I told him I +could change the print's and make all kinds of cool mods to it, but he didn't +want me to for some reason and then I wrote a full disk transfer program for +the micromodem! cool huh? I did not change the print statements on teleporter +and take credit for writing it! that wasn't me, someone used my name to do that +thing. And.. {cut} + +EM: It's good to kn..... + +TT: ..then I came out with a full disk mods file for telecat that came out 4 +weeks after telecat /// came out with the Macron's 202 1200 mod and claimed +that I was the first person to mod telecat for 202, I was on vacation at the +time though so I couldn't release it untill a month after those losers put it +out and I wrote catdos and didn't get credit for it, then I wrote a 5 page +ad for my board saying it kicked ass all over telecat, who wants all those +features anyway? huh? All a good board needs is a new wares scan. Then I said +the Macron was a good friend of mine and gave me the catfur source code, then +I wrote 5 files asking someone to call the Macron and ask him if I could have +a copy of his source code, I could never make up my mind. Then I claimed to +have sourced catfur and said it was bug free. This was 2 days before someone +crashed my board 4 times in a row and downloaded my elite software and then +gave it out, then I spent 3 months telling people how the Macon who is a good +friend of mine was working on catfur 4 with me, meanwhile the Macron had sold +his Apple and had a Amiga for the last 4 months, why didn't anyone tell me +before I made a total moe of myself? + +EM: dude, that's cool but I....... + +TT: ......ignoring all these setbacks I still had the best board in the whole +world, untill my Sider blew up and put everyone out of their misery. I decided +to take my board down then. But now I'm back and better then ever with another +lame ware to rival all others! the catfur patch pack! It doesn't have any +patches that I wrote, what it has is the first installment of stupid text trix! +Kind of like Letterman's stupid pet trix! Everything you never wanted to know +about such elite stuff like SLOW TYPE! and cool modz for catfur and ae that I +didn't come up with, that have been out for 2 years, but I collected them +together and took credit for them anyway! + +EM: dude! shut up! Is there anything you ever did that was original or that +was of any use to anyone? What I'm asking is did you ever write anything that +anyone besides you, used? + +TT: Well no but... + +EM: Thank you. + +TT: But I did take credit for typing up some programs from Nibble then saying +I discovered them before Nibble did and I have so many cool modz like the +new and improved beep in applesoft! And all.. + +EM: Dude, don't spaz out on me. Why do you write all this shit that nobody +wants to use? and why do you lie about so much stuff. + +TT: I never lie! + +EM: Ok, why do you twist dates around then and claim your programs were before +the real versions. + +TT: I didn't! I didn't! mine were the first, the first! the first! they were! + +EM: Ok, ok, calm down, you're right, they were I'm sure. Now, you didn't +answer me, why write all this lame shit? + +TT: Because I secretly hope people will admire me for it. + +EM: Oh. + +TT: Is it working??? + +EM: Uh...... yeah, I'm sure it is, keep it up. Ok I gotta go dude, more +interviews to do. + +TT: Ok! This has + +Been written in 80 columns and lowecase! )+_&*^&%*&^ The Trucker @(*&#$**#$#@#( +is elite! He has all the modz, all the programz, he does it all! He's the best +sysop ever, like Phil is. I want to dedicate this interview to my mother with +out who I would never have been born. I also want to thank.......{cut} + +EM: dude, sh....... + +TT: Give me a program, any program and I will add some lame and useless modz to +it, write a 300 sector file explaing the modz, of which most will be credits +and thanks messages, then I will sector edit 5 lines of !@(*#$*(!#&*!@#!@#!@# +with my name inside of it, in the main menu of the ware, then I will claim to +be best friends with the programmer, then I.......{cut} + +EM: Dude, get the fuck out! + +TT: Wait, I'm not done with my credits yet! Give me a program, any program. And +I will make it stop working! that's my motto. This file is (C) copyright by me +the Trucker, so don't you dare steal it becuz all rightz are reserved. I saw +that written somewhere so I used it and.......{cut} + +EM: If you don't leave, I'll tell everyone about that copy of "Best of Nibble" +you're holding. + +TT: You wouldn't! + +EM: I would. You have 5 seconds. + +TT: {Gets a terrified look on his face and starts to run} + +EM: {turning on the fan, it smells in here} Randomizing again, this gets so +boring, Gemmy wherever you are, come home! I need someone fun to rag on! Lets +see who I get this time. {getting name}: @@ The Looker @@ + +EM: Uh.. Good to see you Looksy, yeah good to see you. Uh... Editor! Who the +hell is this guy? Hand me the notes fast! + +TL: It's great to be here, anything to push my name a little farther you know! + +EM: Uh yeah I know {getting notes} {reading notes} My god! I've gotten a new +new new warez person! I remember you now! You appeared in Jan of 1986 on the +crashers board on the Tavern asking for the bugs in Catfur and Telecat and got +ragged off the sub for being such a loser. + +TL: Heh, that's me all right! + +EM: I still remember one of your best "Are there any backdoors in the Telecat +obj?". I almost died laughing! + +TL: Is it my fault that I can't read source listings? What do you want? I still +don't know what SPC () means! + +EM: Oh that, that's a built in applesoft phreak command, it dials the # in the +parentheses using Sprint! (very subtle "in" joke just too place. If you have +"F.R.E.S.H." type "beer" at the main menu for a great big surprise!) + +TL: Cool! another m0d! + +EM: Speaking of m0dz, that's your claim to fame! M0dding Telecat's so they have +20 redundant commands and work at 1/2 normal speed. Rad! + +TL: I know, thank you. + +EM: So tell me, what's the secret of your cool m0dz? + +TL: Oh all right! I have 2 programming secrets and being the new warez kind of +guy that I am, I might as well pass them around! The first secret of my m0dz is +a telephone #! + +EM: A telephone #? I don't get it? + +TL: Not just any telephone #! Ms. Slick's telephone #! This ties in with my +second m0d secret! + +EM: Which is? + +TL: The Western Alliance! + +EM: I'm lost. + +TL: Western Alliance is this board in NJ that had the original Telecat ///. The +sysop was making stupid m0dz for almost a year, it has even more stupid m0dz +then my versions of Telecat! So one day around christmass I logged in, tried +every option, saved it to buffer and from this got my "idea" for cool m0dz for +Telecat! I still haven't gotten around to copying all of his m0dz, but I'm +working on it! + +EM: Heh, sounds like a new warez kind of thing to do! But where does the +telephone # come in? + +TL: It's Ms. Slick's. + +EM: And? + +TL: Do I have to spell it out for you? + +EM: Uh.. yeah I think so. + +TL: I call him up, read back the Western Alliance buffers and ask him to +program in those m0dz so I can put my name on it! Ms. Slick could write a +board in his sleep and he doesn't want credit for lame m0dz to Telecat, but +I do! So we made a deal- I call him up, ask him to write my m0dz for me and +in return I promise not to drag his name into this and to stop kissing his +ass in public! cool huh? + +EM: It r0x layk an 0x! So your Telecat /// are the original m0dz from the +Western Alliance, programming by Ms. Slick and what do you do? + +TL: I add my name to it. + +EM: Oh.. sounds rad! So what do you do when you aren't calling the Western +Alliance or other boards looking for m0dz to steal and have Ms. Slick program +in for you? + +TL: I like to spend my time calling Tom E. Sock, Enson Porker, {anyone who will +talk to me without slamming the phone down actually} Dolton {never could +understand him, but I can tell people I talk to him!} and practice my ass +kissing and maybe beg for the latest beta copy so I can call up boards and post +messages saying I have a new elite beta copy of a new elite ware! I also like +to rag on the losers that leak out secret, elite, awesome, new warez without +my permission, even when the author says its ok. {like No-Furs 1.1} When I grow +up I want to be just like Skip Avatar & Captain Rooney! + +EM: A worthy goal if there ever was one. Say, didn't Enson Porker and you have +some kind of dispute? + +TL: He's lame now. + +EM: I thought you were saying he was great only a few weeks ago? + +TL: I changed my mind. + +EM: I see. And what's this problem with Apple Manor? + +TL: There's no problem, they're the problem! Just because they're one of the +oldest surviving pirate boards left, doesn't mean they can get that kind of +uppity attitude with me! + +EM: Uppity attitude? + +TL: They expected me to pay, ME!!?!? Can you imagine that? They just don't +understand who I am, so I'm going to take my eliteness somewhere else now! + +EM: I thought you were deleated? + +TL: Well I've never been party to such lies! Deleated me?!?! hahahhahahahahaha +that'll be the day, just watch if I recommend Apple Manor to any new warez +kidz, I meant real pirates. + +EM: So where did you take your eliteness, TIMECOR? + +TL: No, they wanted me to pay too. + +EM: I see. so? + +TL: I started a new warez network with Ms. Slicks programming and The Finder +201's m0dz, it's called C0sm0s, original name huh? + +EM: Good life. Anyhow it's been great, but I have more interviews to do, so +fuck off ok? + +TL: Sure dude, did you spell my name right? Do you want me to add my name to +your file? + +EM: Go away, get out! + +TL: If you didn't spell my name right I could spell it for you, or even get +someone else to spell it and... + +EM: {getting a .45} + +TL: {Screaming and running, but not before scrawling his name in 3 foot +letters with a green crayola on the wall} + +EM: Your mother the cleaning lady is going to have to clean that up you know. +{couldn't resist that one} I feel sick, nauseous, revolted, new warezness is +so..... new wareish. I'm glad most people outgrow it so you don't have to deal +with old warez kids {the horror} Speaking of old warez kidz, I have a very +special guest here with me tonight, please give a warm welcome to a charter +member of R&R-RRRR, otherwise known and hated as The Knight, the definition of +old warezness, the example of what happens to new warez kidz that never grow +up: Skip Avatar & Captain Rooney! {SC} + +EM: Good to see you again Skip, or do you prefer Captain? + +SC: I'm not Captain Rooney damnit! And I'm not Pete, my name is Dan and my +handle is Skip Avatar. + +EM: Uh..... right Skip, I buy that. {turning to audience} don't you? I mean +it's only you against.... everyone who lives within 50 miles of you and knows +who you are. + +SC: ArghhhhhhhhhhhhhH! They aren't elite enough to shine my shoes, they don't +know who I really am. I'm so slick I fooled them all! ha ha! They didn't even +blink when I slickly told them my name was Pete, but I lied! Yes I lied! And +Gadget Slave is wrong! Are you really going to beleive someone who can't +even "crack" a copya ware? + +EM: No, which is the same reason I don't think he's smart enough to come up +with this....... The worlds first pirate with schizophrenia which somehow +develops when everyone starts to hate you. + +SC: Ohhhhhh that Larry gets me so steamed, what is he? What's he ever done in +his life? Nothing I tell you! Nothing, the highest pinnacle of his career was +being mentioned in Tap.Interviews I. What does he know? He talked to Lord +Analog 3 times in his whole life! hah! I talk to his answering service at +least 3 times every hour. Hah, I'm so elite th.... + +EM: Ok calm down skip, I can see you're a very elite kinda guy and you're +not Captain Rooney despite everyone who ever knew you saying so. They're +wrong, you're right and your secret identity hasn't been penetrated. + +SC: Damn right! Some humphings (C): Why did you type Skip in lowercase in the +previous paragraph? Why do you type this way? Why are your shoelaces green? +Why back in the old days, the old pirates and I wouldn't be caught dead in +green shoelaces, Humph! All these new warezerz running around, thinking they +know what they're doing. Humph! Damn fools they are, I'll set them straight, +take it from...... from..... from....... say..... what am I anyway? I never +cracked anything, I never did anything, I've been around for ages, but what +did I ever do? + +EM: You got them all. + +SC: Yeah, yeah that's right isn't it. I do have them all {Skip begins to smile +and rub his hands together} + +EM: Skip.... calm down now. + +SC: Yes I certainly do, from the most insignificant ][+ ware all the way to +applications software for a Cray, can't use it, but what the fuck! I got it +anyway, few thousand reels of magtape along with my shoeboxes of warez and +I even kept some cassette warez from the old days an.... + +EM: Uh Skip, easy boy, I th.... + +SC: Then next to the Ethereal Access disks which don't exist and I never had +and never did the title page for {someone snuck into my room, booted up my +graphics program, made it, put my name on it, then gave it to Lord Analog and +told him he was me, yeah that's it!} and never even heard of, behind the +latest update of Modem Manager {I don't have that either, don't you think +I would have uploaded it if I had it? {Skip starts to laugh}} are my source +code volumes. Yup, source code for everything ever written anywhere. It's not +much but I'm working on expanding my source collection to include everything +that ever might be written if I can get ahold of Lord Analog to give me his +Astral Algorithm for doing that, of course I don't really know Lord Analog, +did I just say I did? silly me, must have been 20 seconds ago, ignore that, +I never said it either, it's all a rumor being spread and furthermore I... + +EM: Skip STOOPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP! Cut it out! I get the picture. + +SC: What picture? + +EM: You got them all. + +SC: Are you trying to call me a new warez kid? + +EM: No, nope, never even suggested that, I wouldn't call someone who is 25 a +new warez kid. + +SC: Good, I hate those new warez kidz, running around always getting new warez, +Humph (C), what a bunch of non pirates. + +EM: Uh, yeah, I agree Skip, anything you want to say? + +SC: Yeah, I'm not Captain Rooney, Ethereal Access doesn't exist, if it does +exist I don't know anything about it, if I do know something about it, I most +assuredly didn't do the title page, if I did the title page, it's not my fault +for doing it, my name is Dan not Pete, I don't live in Brooklyn, I don't have +Modem Manager just like I didn't have Ethereal Access, I never wear green +shoelaces and all real pirates don't and I'm much too elite to be talking to +you right now, besides in another 92 seconds I have to go insert a new disk +into the drive. + +EM: I understand. Thanks for your time and eliteness and clarifications that +clear up a lot of rumors that I know aren't true, you never lie about anything +Skip, I'm firmly convinced of that. Thanks again. + +SC: It's all right, have to talk to the lower classes sometimes I guess, it's +the price one pays for thinking he's great, I mean for being great, I mean for +knowing, I mean, I mean, I.. I mean.... nevermind, I never said that. Did you +hear it? I didn't, what are you talking about anyway. Gotta go, if you try to +engage me in any form of conversation in the future, I will ignore you, or +come back with a answer that has nothing to do with the question. You're +welcome and Bye-Bye! {like in catfur!} ^C + +EM: I don't know about you, but that has left me excited. The first interview +{and the last} that was even worth doing. Back to the randomizer, I find that +my next interview will be {random, random, random, random}: The D0x! + +EM: My god! Another old warez kid, I mean pirate! + +TD: I'm back! + +EM: Did you leave? + +TD: I retired on The Tavern! remember? + +EM: Not really, I never paid that much attention to you, because you never said +anything on The Tavern. + +TD: That's because I didn't want to get ragged on! + +EM: Good reason. + +TD: I'm back! + +EM: You said that already. + +TD: But you didn't get my hint and ask me why I came back! + +EM: Because I don't want to know, I wish you would have some willpower and +stay gone if you say you're going to quit, then quit damnit! You think anyone +wants to hear about your comings and goings? + +TD: Yes, I'm very elite. + +EM: No arguement there, almost a perfect new warez elite. + +TD: Did you want access to my elite, uncrashable, awesome, 2 drive, private, +very rad, the first ever, pirate board? + +EM: As a matter of fac.... + +TD: I wrote the software myself, awesome huh? Here, fill out this 16 sector +application form for joining and you'll be all set if we decide to vote you on. + +EM: I don't want to call it. + +TD: {Sputtering} You don't want to call it? What's wrong with you? + +EM: What's wrong with me? What's wrong with you! What makes you think anyone +cares about a 2 drive board with you as a sysop! + +TD: I'll have you know it was the first pirate board ever! ever!!!!! + +EM: As far as I know, Pirate's Cove, Pirate's Chest and Pirate's Harbor, +were the first three in that order. Then came 500 more between the late 70's +and when Spectrum first went up. + +TD: Did not did not!!!!! noooooo, I was the first, I was, I'm covering my ears +I can't hear these lies anymore, did not, did not, did no.... + +EM: Ok, shut up! You were the first, sure you were, it's a awesome board and +I wish I was on it. + +TD: {blowing nose and drying tears} you do? Of course you do, everyone does, +it's the greatest board ever! Here have a application form! + +EM: I wasn't serious, I just want you to shut up and calm down. Jesus, what's +wrong with you anyway? + +TD: I climbed the ropes of piracy and after a long and hard struggle learned +the secret of eliteness! + +EM: Which is? + +TD: The secret is form over content! just like Miami Vice! You don't have to be +good at anything to be elite! Look at me! What can I do? Not a damn thing! And +I'm even in Elites Anonymous! + +EM: It's been great D0x, thanks for your awesome time. + +TD: The d0x r0x layk an 0x! Call Spectrum Elite!!!!! 213-you-fool! hahahahaahah +doesn't that break you up? 213-you-fool! hhahahahahaha. + +EM: Calm down and get out. + +TD: You haven't filled out the form yet! + +EM: {reaching for the .45 again} + +TD: The d0x r0x layk an 0x! I'm elite I am! elite elite elite elite! hhahahahah +213-you-fool! hahahahahahahhaha {The D0x starts running} {@@ The Looker's @@ +crayola has been joined by a pink spray painted 213-you-fool. Such slobs} + +EM: Where's the Swine Sty when you need a real board or The Tavern, this is +like a nightmare come true. If people had told me it would be like this, oh +forget it, I'm starting to sound like Skip Avatar, better watch myself or I +might get the urge to start playing pinball construction set. I'm talking to +myself too, not a good sign. + +EM: Here comes my last interview, thank god. For my last interview ever, I'm +going to talk to {random, random, random, random, random, random some more, +random, random}: The Banshe + +EM: Great to have you here Banshe! + +TB: Yeah, It's your pleasure. You're interupting my career of piracy you know? +I was just talking with The Macron and The Underlord, did I tell you that I did +almost all the work on Dog-Fur 1.1? Anyhow, they're working on Amiga-Fur using +Abasic, should be done, by 1989 or so. + +EM: It's interesting you should bring that up, I remember the Goonif, Dr Macro, +Finder 714 and me ragged you into the dust for that. Funniest thing I ever did +see, someone calling it a "career", I almost had a heart attack from laughing +so long. + +TB: Yes well, I didn't expect you to understand. My career was facing serious +problems, what with Extension 300 breaking up and all the new warez kidz, I +meant software buyers, I meant pirates, in it quitting. I had no group left +and I found that my group was the only group that would take me. So it was a +very bad time for my career and looks terrible on my pirates resume'. Besides +I was unprepared for the terror of not being in a group and having 20 people +automatically agree with me whenever I said something really dumb. Oh yes, did +I mention that I did almost all the work on Dog-Fur 1.1? + +EM: Yes you did. Then after Skip Avatar calling you a loser after all of us, +you posted 3 consecutive messages threatening to quit, when everyone told you +to please go ahead and quit, you stopped posting and claimed you didn't read +that board anymore. + +TB: Ragging is so immature. I won't tolerate it, people questioning my over- +whelming knowledge. How many people can say they talk to Macron and Underlord +12 hours a day? How many people can say they did almost all the work on Dog-Fur +1.1? huh? not many I'll say. By the way, did I mention that I did almost all +the work on Dog-Fur 1.1? + +EM: Actually, anyone can say that with about as much truth as you. Dog-Fur +was a standard for about 45 minutes on some boards in Alaska that thought it +was a great advance over their previous wares program: Data Capture. Everyone +else ignored it and nowhere on the ware do I see your name. All I see is a +T.M/T.O - THE AMIGA GURUS! and the Macron's usual credits. + +TB: Yes well that was The Macron/B.E. + +EM: BE? + +TB: Before Enson. + +EM: What happened after Enson? + +TB: His name went away. Enson took full credit for writing No-Fur, added some +new bugs, made it longer, made it require 64K dos, fixed it so it wouldn't +work with enhanced Apple's, added so many beeps and bops to it that if you use +it at night you have to disconnect your speaker and then ragged on the Macron +in his dox. + +EM: Sounds cool. + +TB: It was. I'd do the same if I could steal the source code somewhere. + +EM: I'm sure Skip has it, he has it all. + +TB: Skip won't talk to me, he thinks I'm not elite for some reason. Can you +imagine the nerve of that man? Humph (R) + +EM: No..... could never figure it out myself. + +TB: Did I meantion that I did almost all the work on Dog-Fur 1.1? + +EM: Yeah you did. + +TB: Just making sure. + +EM: Is there anything you want to say? Anything at all? + +TB: Yes, I'm never going to quit. In fact I'm going to keep calling every +board I can get on, post my world weary style, 5 part messages, saying how +I talked to The Macron, Underlord and Disk Rider for the last 4 weeks, say +how cool all the Amiga warez are and talk about the "old days" when +Extension 300 was just starting. + +EM: I remember that one fondly too. You were a very funny guy without even +trying to be you know that? "Old days when Extension 300 was starting" was +one of your best! + +TB: You're making fun of me, wouldn't you say late 1985 is old? + +EM: Not really. + +TB: Oh. By the way, did I mention that I did almost all the work on Dog-Fur? + +EM: Many times. Listen, if you're so tired of it all, as I've said a million +times on the Tavern, with so many people agreeing, we're also all very tired +of you, so why don't you quit? Everyone would be happier! + +TB: I'm not really tired of it. How can anyone who's tired or bored of it, +call boards as much as I do? + +EM: Why don't you quit anyway, as a kind of public service. + +TB: It wouldn't look good on my resume'. + +EM: Oh, I forgot. + +TB: Did I mention that I did almost all the work on Do.... + +EM: Get out, I want to go home and get this over with. + +TB: No need to be rude. Humph (R) + +EM: You aren't going to give me any problems? + +TB: Of course not! + +EM: Good, get out then. + +TB: Ok, but did I mention that I did almost all the work on Dog-F... + +EM: {reaching for the .45 as usual} + +TB: {Running and screaming over his shoulder "Did I mention that I talked to +Disk Rider the other night? Oh yeah did I tell you I did almost all the.......} + +EM: {blam} {blam} + +TB: {thud} + +EM: So much for the Banshe. That felt good, in fact it felt so good that I +think I want to do it some more. Hmmm, how does this strike you? + +Elven Vigilante! + +EM: Too gauche? It needs a little work, but for now this is over! yes over! I +can go home now and get away from these disgusting new warez people. It's been +awful. What's the world coming to? Rock come home, all is forgiven! + +{Editor's notes} The following people bear no resemblance to these people. +{In approximate order of appearance} + +Live Lord WAS NOT Dead Lord +Elven Magician WAS NOT Elven Wizard +Lord Analog WAS NOT Lord Digital +King Blutto WAS NOT King Blotto +Lex Loother WAS NOT Lex Luthor +Mr. Canon WAS NOT Mr. Xerox +Bioc Agent 000 WAS NOT Bioc Agent 003 +Mark Tabs and Karl Lenin WERE NOT Mark Tabas and Karl Marx +The Goonif WAS NOT The Gonif +Minimal Element WAS NOT Criminal Element +The Instigator WAS NOT The Infiltrator +The Shitman WAS NOT The Hitman +The Molecule WAS NOT The Atom +Ethereal Access WAS NOT Phantom Access +Bluttoland WAS NOT Blottoland +The Blutto Box WAS NOT The Blotto Box +Christ's Cathedral WAS NOT Satan's Stronghold +$$$L0D/L0H$$$ WAS NOT $$$LOD/LOH$$$ +The Slutan WAS NOT The Sultan +Robine Hude WAS NOT Robin Hood +Triple D WAS NOT Double D +The Dung Master WAS NOT The Dungeon Master +The Rock WAS NOT The Gem +Gadget Slave WAS NOT Gadget Master +Disk Rider WAS NOT Disk Jockey +Newarez Harbor WAS NOT Pirates Harbor +Grape Bandit WAS NOT Apple Bandit +Cold Rod WAS NOT Hot Rod +Mauve Bag WAS NOT Black Bag +The Rabbitmen WERE NOT The Bunnymen +Analog Gang WAS NOT Digital Gang +No Class WAS NOT First Class +Catfur to Catfur WAS NOT Coast to Coast +The Crumb Monster WAS NOT The Cookie Monster +King Sauron WAS NOT Lord Sauron +@@ The Looker @@ WAS NOT ## The Watcher ## +The Western Alliance WAS NOT The Eastern Alliance +Ms. Slick WAS NOT Mr. Slick +Tom E. Sock WAS NOT Tom E. Hawk +Enson Porker WAS NOT Enson Parker +Dolton WAS NOT Dalton +Skip Avatar and Captain Rooney WERE NOT Skip Rooney and Captain Avatar +*WHO ISN'T The Knight WHO ISN'T The Bishop WHOSE NAME ISN'T Dan WHO ISN'T Pete* +The D0x WAS NOT The Doc +Finder 714 WAS NOT The Tracer (714) +Finder 201 WAS NOT The Tracer (201) +No-Fur WASN'T Cat-Fur or Trans-Fur +The Swine Sty WAS NOT The Pig Sty +213-you fool ISN'T 213-391-6835 +The Banshe WAS NOT The Banshee +The Macron WAS NOT The Micron +Dr. Macro WAS NOT Dr. Micro +The Underlord WAS NOT The Overlord +Dog-Fur 1.1 WAS NOT Dog-Fur 1.1 +The Trucker WAS NOT The Tracker +Extension 300 WAS NOT Extension 1200 +Retard Alliance Pr0 System WAS NOT RAPS +Krak0ritz WAS NOT Kracowicz +Dull Gillette WAS NOT Sharp Razor +Your Mother ISN'T REALLY Your Mother + +$$#> The Infiltrat0r! #3 <#$$ +91-Apr-1902 : 37:04:21:32 QDT + +$$$$> The Infiltrat0rz! <$$$$ +TRW/CBI/VISA/AMEX/DINERS CLUB +++++ !Cat Fuckers Elite! ++++ ++_) Club Y (_+_) *ELITE2* (_+ +!%=% TK0S 2 THE HERETIC! %=%! +!=[] The 0uter Triangle! []=! +-======> L0D/L0H/L0C <======- +\!The S0phtware Brigardz!#1!/ +++_+) The Baud Thieves! (+_++ ++* Metal Avengerz Elite!!! *+ +==] !C0tt0n Sh0ppe Elite! [== +[!S0pht/]-[ard/Ph!rm/Freakz!] +(>Phake/Phalse/Ph0ny/Ph00lz<) +{Phuck/Phlake/Phruit/Phlegm!} +{}Rulerz 0f The Wastelandz!{} ++==- Purpel Sh0pping Bag -==+ + + + I would like to thank my good friend Rabid Rasta and + + J0hnny The Avenger + +Of the Knights of Mysterious Keyboards & The Metal F0rcez of D00m. + +Call: + +Metal F0rcez F0rtrezz 0f Elite D00m IV.............................408-Eat-Me!! +Tranfurz of Elitenezz XXIV.........................................514-You-Suck +L0d00m base B0red 92...............................................305-Lex-D00m +Mental Hideaway Astral Elite 90000 meg.............................212-Dig-ital +Mental Hideaway Ethereal Elite 90000 meg ][........................216-Blo-tto! +The Elite Hacker Board of Elite Eliteness with newscan!............617-Yeh-IROC +Sputum Elite 1 drive/1 ramcard/1 computer with 48k.................213-you-f00l + + +This file was in 80 columns and lower case! (I always wanted to say that) It +came in 190 seperate filez. + +It's exactly 159,000 sectors long. So if yours isn't that long, you know +somone did something to it! See, it's usefull to put the length of the file +inside of the file, in case people mod it. You know, they'd never think to +remove it's original length and substitute the new length right? + +--- ERROR 99! CAT-FUR ABORTED! huh? wazzat? + + Cool! + + + +{One little message to all you little r0dentz out there gett!nk redey 2 b00t + mag!< w!nd0w and becum fam0us: + + Rekwirementz for writing Tap.Interviez seekwellz! + + Must be at least 185 Apple-DOS sektorz. If you can get it to be eggzacktly 185 + sekt0rz, you get a kopy of Phant0mz Ph0rty! even better then Gat0! If your + reel lucky we'll throw in a kopy of integer basick! a hot new language! soon + to replace Apples0pht!} + + {Tap.Interviews! The saga kontinuez!} + +{g0tta take 0ph n0w, I'm writing mah magnum 0puz: Phall of the m0tem werld, + part ][! It'z gunna take up 12 unidisks at least!} + +{A brief interlude of seriousness} + +"Fall of the Modem World": What can I say about it? In SOOOOOO many ways I +loved it and it says a lot of things I would have wanted to say myself. But the +dude (Chris) fucks it up. He starts talking about the way things "SHOULD" be. +Which is a load of shit. He attempts to look at it from a unattached point of +view and gets too deaply involved in whats wrong with everything. And to top +it off he writes way too much heresay about people he doesn't know at all (like +3/4 of the people he wrote about) and is only repeating things other people +told him, which weren't true. Specifically in one section he says he never met +The Plague, then in the next he says he did. While it was "Charged Particle" +who he met at TAP (the elite starting place of all this) as explained by the +person himself in the PA (Phantom Access) Miscdisk's. + +{Gad, I'm glad thatz 0ver with!} + +See ewe laterz! + +***Captain Avata + +oh shit! I almost disclosed my sekret identity! + +***Skip Rooney + NYPA!/Co-founder! + (EPG)/Co-founder! + +Aktully, my pers0nal preztige philled "G0lden D!pshit 0skar M0tem Award" +g0es 2: + +Skip Rooney, in the all around "dipshit of all trades" categ0ry. + +The D0><, Sherl0ck Apple & the !nc0gnit0 share the spotlight for "Piratez wh0 +kant d0 anything, but are detirmed to stick around for at least a decade bef0re +finding something worthwhile to do with their lives, like w0rk at K-mart". + +]_e>< ]_00ther, takes the "Real world? whats that, isn't that like when I call +a number on my modem or copy some books by hand or something?" award. He'll be +eligible f0r the even m0re prestig0us Platnum D!pshit 0skar M0tem Award, if he +sticks around for at least 2 m0re years. (Talk about no life!) + +And the prestige fulled G0lden Fr00tkake award goes to three people as a +k0mmunitye eph0rt! n0ne 0ther than ]_0r[> [>!g!ta]_, ]TKOS +$=$=$=$Fargo 4a +<=-*-=>Phreak Sysop! +{BIOC's signiture fluctuated betwwen 4 and 10 lines depending on what he was +a member of, or what he was calling at the time. This is one dude who never +let it go at "BIOC" or anything like that.} + +Majestically Yours, + King Blotto + Lod/H + +.../\^ Lord Digital ^/\... + )=-> TKOS <-=( +{anybody even remember when he put that stupid waveform shape on either side of +his name? Yearz and yearz and yearz ago} + +$$Lex Luthor and The Legion of Doom! + +***Captain Avatar/EPG Co-Founder +{Sheesh, talk about new warez kidz and loser groups} + + +For a reel gude tyme, read 0ld, 0ld, 0ld, b0red buffers if you can find them. +You'll see stuff like: + +Lex Luthor talking about starting a new ELITE board and ELITE group and +inviting other ELITES to call. {Which wasnt more then 3 years ago and ended +up bekumming $$$$$L0D$$$$$}. + +BIOC asking for new wares + +Lord Digital posting new wares with the /Apple Mafia tagged at the end. + +Blotto asking for new wares {is this a cycle?} + +Lex asking dumb questions about almost everything {especially on the 0ld +Pl0vernet buffers} + + +By reading old philez, you can also see how people evolved and how they wrote +stuff before they had their own "style". {Lex's 40 column uppercase files +filled with $$$$$ from one end to the other, copying books and acting like he +was great for doing it. Lord Digital's old files in which he DOESN'T bring in +pseudo-occultism, theories on society, twisted outlooks, incredible arrogance +and other present-day Digital trademarks, also in uppercase and 40 columns. +Bioc also doing 40 cols and uppercase with ******** all over the place and +copies of other peoples files. And 1000's of others} + + +Dead Lord, peak-a-boo, I see you! +Tnx, EW,TG,TT,SV,*,MZ and all who came before! + + +Wr0ted bie: M0tem B. W00dSte!n + {C} A ophi