|
2600260026002600260026002600260026002600260026002600260026002600260026002600 2600 2600 2600 Excerpts from Various Issues of 2600 Magazine 2600 2600 2600 2600 Brought to you by: The Fixer 2600 2600 2600 2600 Call: The Private Sector 201-366-4431 2600 2600 The Metal AE 201-879-6668 2600 2600 BC Tel Phone Mart 604-658-1586 2600 2600 Tommy's Holiday Camp 604-595-0085 2600 2600 The Neutral Zone BBS/AE (it's BACK!!) 604-478-1363 2600 2600 2600 2600260026002600260026002600260026002600260026002600260026002600260026002600 A note before I get on with it: This file is for those of you who, for whatever reason, do not or have not read 2600 magazine. This issue of this file covers the best short articles from September 1985 to August 1986. Anyways, why bother waiting for me to type this stuff up? Why not do as I do and get a subscription? All you have to do is send $12 to 2600, Box 752, Middle Island NY 11953-0752. Call them voice at 516-751-2600 or call the 2600 BBS, THE PRIVATE SECTOR, at 201-366-4431. The things they need most are money and articles, they can get money by more subscribers but they need YOU to write GOOD articles on hacking, phreaking, etcetera in order to keep going. 2600260026002600260026002600260026002600260026002600260026002600260026002600 ::::August 1985:::: ------------------------------------------------------------------------------- 2600 A Hacking Victim... When we received our June SBS Skyline bill, we were a bit surprised. Over six hundred dollars of it came from calls we never made. But what's really interesting is the way that the Skyline people handled it. In early June, we got a call telling us that their sophisticated equipment detected hackers trying to guess a code by scanning numerically. They said our code would soon be discovered, so they were going to give us a new one, with two extra digits added. They did this and that very day our old code was inactivated. The illegal calls had occurred BEFORE that day, and we figure Skyline must have known this. Maybe they thought that 2600, in our corporate clumsiness, would pay a huge bill without investigation. Many big companies would. Gotta give them credit for trying. When we called up about it, they didn't want to handleit over the phone! "Send the bill through the mail," they said. Mark the calls you made and we'll deduct the rest." Why are phone companies so afraid to do things over the phone? As long as Skyline decided to give the "perpetrators" some extra time before the investigation starts, we figure we might as well lend a hand too. Our old code was 880099. We loved that code and are very upset at losing it. Our new eight digit one is very difficult to remember and nowhere near as fun. And one last note about those new eight digit numbers. Phone phreaks have ALREADY figured out a way around them. If you dial the first six digits of an eight digit code, then the ten digit phone number and hit a # key, you'll get your tone back! That means there are only a hundred possible codes since there are only two more digits to figure out and one of them DEFINITELY works! If you enter six digits that are not part of an eight digit code, and then a ten digit phone number, you'll get an error message immediately or that fake carrier tone Skyline loves to send out. That tone, incidentally, is for you hackers with Apples and Commodores that scan all night long looking for the code that will get you through to a number that responds with a carrier tone. In the morning, you see how many carrier detects you got and which codes got them for you. Skyline's idea is that if EVERY invalid code gives a hacker a carrier tone, there is no way for a computer to separate the good codes from the bad ones. Come on! How about setting your computer to dial a NON-carrier and telling it to print out only those codes that DIDN'T get a carrier tone? And there are probably a hundred more ways. Big corporations can be SO much fun. ------------------------------------------------------------------------------- ::::September 1985:::: Reaching Out On Your Own by Forest Ranger Verification is a very touchy subject. The telephone company wants to keep verification secret from anyone beyond telco employees. But as phone phreaks should know that is quite impossible. There are two types of operators that do verifications. "0" (TSPS) for local verifications and IO (INWARD) operators for verifications beyond your NPA. They use their operator console, but other people use blue boxes. KP:NPA+0+XX+NPA+XXX+XXXX:ST The first NPA (area code) is yours and the 0 will get you on your TSPS operator lines. The next XX part is an area identifier. They are 00,11,22, 33,44,55,66,77,88,99. There are ten possible choices depending on which area you are in. For example, blue box verification for Michigan would be KP:313+0+66+NPA+XXX+XXXX:ST. The second NPA is the NPA of the number you are going to verify. The XXX+XXXX part is the rest of the number you are going to verify. Once you have routed your verification you will receive a series of clicks (tandems stacking), the you will hear a beep and you will be on the line. You won't understand what anyone is saying because everything is scrambled. The verification will last about thirty seconds. Then you will be beeped out and finally disconnected. Federal laws regarding line listening have become much stronger - especially after 1974 when a subcommittee of the House of Representatives held a public hearing called "Telephone Monitoring Practices by Federal Agencies". At this hearing it was discovered that Bell had listened in to lines of their employees and had the power to listen in on anyone. This shocked many people and made federal laws concerning such activity much stronger. My point is don't abuse this verification, because all you need is a simple descrambler from Radio Shack to descramble the conversation on the line. ------------------------------------------------------------------------------- ::::November 1985:::: The History of ESS by Lex Luthor Of all the new 1960's wonders of telephone technology - satellites, ultra-modern Traffic Service Positions (TSPS) for operators, the picturephone, and so on - the one that gave Bell Labs the most trouble was, and unexpectedly became the greatest development effort in Bell System's history, was the perfection of an electronic switching system, or ESS. ESS should be well known to many a technical enthusiast. It is known as the big brother of the phone system, capable of controlling almost all aspects of any phone call and keeping track of calling patterns. How ESS works and what it is capable of has been covered previously in 2600 (February, 1984) and will be covered in future issues. It may be recalled that such a system was the specific end in view when the project that had culminated in the invention of the transistor had been launched back in the 1930's. After successful accomplishment of that planned miracle in 1947-48, further delays were brought about by financial strategy and the need for further development of the transistor itself. In the early 1950's, a Labs team began serious work on electronic switching. As early as 1955, Western Electric became involved when five engineers from the Hawthorne works were assigned to collaborate with the Labs on the project. The president of AT&T in 1956 wrote confidently, "At Bell Labs, development of the new electronic switching system is going full speed ahead. We are sure this will lead to many improvements in service and also to greater efficiency. The first trial will start in Morris, Illinois in 1959.". Shortly thereafter, Kappel said that the cost of the whole project would probably be $45 million. But it gradually became apparent that the development of a commercially usable electronic switching system - in effect, a computerized telephone exchange - presented vastly greater technical problems than had been anticipated, and that, accordingly, Bell Labs had vastly underestimated both the time and the investment needed to do the job. The year 1959 passed without the promised first trial at Morris, Illinois; it was finally made in November 1960, and quickly showed how much more work remained to be done. As time dragged on and costs mounted, there was concern at AT&T and something approaching panic at Bell Labs. But the project had to go forward; by this time the investment was too great to be sacrificed, and in any case, forward projections of increased demand for telephone service indicated that within a few years a time would come when, without the quantum leap in speed and flexibility that electronic switching would provide, the national network would be unable to meet the demand. In November 1963, an all-electronic switching system went into use at the Brown Engineering Company at Cocoa Beach, Florida. But this was a small installation, essentially another test installation, serving only a single company. Kappel's tone on the subject in the 1964 annual report was almost apologetic: "Electronic switching equipment must be manufactured in volume to unprecedented standards of reliability...To turn out the equipment economically and with good speed, mass production methods must be developed; but, at the same time, there can be no loss in precision...." Another year and millions of dollars later, on May 30, 1965, the first commercial electronic central office was put into service at Succasunna, New Jersey. Even at Succasunna, only 200 of the town's 4300 subscribers initially had the benefit of electronic switching's added speed and additional services, such as provision for three party conversations and automatic trasnfer of incoming calls. But after that, ESS was on its way. In January 1966, the second commercial installation, this one serving 2900 telephones, went into service in Chase, Maryland. By the end of 1967 there were additional ESS offices in California, Connecticut, Minnesota, Georgia, New York, Florida, and Pennsylvania; by the end of 1970 there were 120 offices serving 1.8 million customers; and by 1974 there were 475 offices serving 5.6 million customers. The difference between conventional switching and electronic switching is the difference between "Hardware" and "Software"; in the former case, maintenance is done on the spot, with screwdriver and pliers, while in the case of electronic switching, it can be done remotely, by computer, from a central point, making it possible to have only one or two technicians on duty at a time at each switching center. The development program, when the final figures were added up, was found to have required a staggering four thousand man-years of work at Bell Labs and to have cost not $45 million but $500 million! Dear 2600: Is it true that Blue Boxing is on the way out? I hear it has something to do with CCIS. What exactly is this and why is it so troublesome to phreaks? Worried Phreak Dear Worried: Blue Boxes are indeed a dwindling resource. But there's no need to throw them out yet. They aren't going to be totally useless for quite some time. Basically, AT&T is converting to CCIS trunks. These don't allow boxing. In-band signaling is the only kind of trunk sugnaling that supports boxing. It is by far the most prevalent at the moment. Basically, in-band uses a 2600 hertz tone to indicate that a trunk is idle, and thus can accept routing instructions from an "outsider". To box a call, the criminal blasts 2600 down the line after making a long distance call. The line thinks it's idle and waits for routing instructions. Now the criminal puts a KP tone and a ST tone around the number that he's trying to get through to. These comprise the routing instructions. Thus, the line thinks it's idle, then it receives the routing instructions, and routes the call to whereever the person sent it. Now, his central office (CO) which does all the billing still thinks he is making the call to wherever, so it keeps billing him at that rate. If it happens to think he was making a toll-free call, it won't bill him at all! Another form of signaling is out of band. This uses control tones out of the normal band of telephoone transmission (approximately 800 hertz to 3000 hertz). The idle tone is 3200, others shifted upward as well. So why couldn't you make a new box? Don't forget, it's out of band. These tones aren't in normal transmission, so the local CO and customer interface loop just don't bother to transmit them. You can blast all the 3200 you want - it won't go through the CO to the trunk. But this is not the "death of boxing" as it has several disadvantages to the telco too numerous to mention. The real death of boxing lies in Common Channel Interoffice Signaling (CCIS). This is a direct connect data line going from one ESS switcher to another at speeds up to 4.8 kB (usually 1.2) - incredible speeds. All routing instructions are sent through these lines. It isn't looking for control tones on the trunk; it's getting them elsewhere. This means that you can blast 2600 hertz tones all you like. It won't make a difference because the equipment is no longer listening for them. This kind of signaling is being phased in all over the country. Look for one in your neighborhood. Since CCIS has benefits for really high volume trunks, you can try looking for long distance trunks to Canada, or rural states. These probably won't be phased in for a long time, if at all. (Remember, very few companies just invest in new technology for new tech's sake; even AT&T won't be able to do this for long). The Early Phreak Days by Jim Wood When I decided to get married back in 1962, I traded my DJ and broadcasting odd jobs for one at the phone company; employment which, at the time, was ultimately secure though my take-home pay was about $300 a month. Assigned to the Palo Alto, California central office as a Toll Transmissionman, my duties included maintenance of toll traffic circuits and related short-haul N and ON carrier equipment. Circuit testing was initiated at a black bakelite Type 17B Toll Testboard. A field of several hundred jacks gave access to as many inter-office trunks, many to the San Jose 4A and Oakland 4M 4-wire switching centers. Though it was strictly forbidden, one could easily and safely "deadhead" toll calls for one's self, family, or friends from the testboard. Around Christmastime our office could easily have been confused with the Operator room on the floor below. The 17B testboard had a 0-9, DTMF keypad arranged in two rows of 5 buttons wired to the central office "multifreq" supply. A rack of vacuum tube L/C oscillators comprised the MF supply and was buried somewhere in the bowels of the building. Long days with too much (mostly union) staff and not enough to do precipitated a lot of screwing around on the job. Some of these guys would just daydream out the windows, others would hassle and torment the Operators downstairs. One favorite trick was to sneak into the access space behind the bank of 3C switchboards and push the cords slowly up towards the Operators. The screams and commotion caused by a tip, ring, and sleeve "snake" was worth the risk of getting chewed out by the old battleaxe who ran the place. Myself, I just played with the Bell System; never with any intent to defraud, merely to increase my understanding of how the whole thing worked. It was a singularly dull day that I hit on the idea of "deadheading" calls through one of the local subscriber loop jacks which rang into the testboard. Sure enough, I could rotary-dial through the step office to Sacramento (the shortest hop on L carrier with inband signalling), "dump" the call in Sacramento with a blast of 2600 fromthe 19c oscillator mounted overhead, then multifreq out of Sacramento anywhere I wanted to go. Wow! I could hardly wait to demonstrate this potential source of lost revenues to my first-line supervisor. Both he and his boss were mildly impressed, but assigned minimal importance to the event, since, in their words, "no one has a multifreq supply at home." Ma Bell invented the transistor but was among the last to put it into service. One of the few places a transistor was used was used in our office was in the alarm circuit of the ON carrier system. The 13H was a wretched little "top hat" PNP with just enough beta to work in a bridged-T oscillator configuration. A half-dozen of these, some Olson Radio pushbuttons, and a handful of resistors and caps made a dandy MF supply. The next demonstration was from the Chief's own desk and did finally raise some concern. I was asked to "donate" the box and told to keep the findings strictly to myself. I have done so for 20 years now. ------------------------------------------------------------------------------- ::::February 1986:::: It Could Happen To You! A bizarre story is unfolding in New York City, one which typifies both hacker ingenuity and corporate indifference to the average customer. It all started when Hacker A met Hacker B on a loop somewhere. At first, they got along quite well, exchanging all kinds of information. Over time, however, Hacker B got more and more obsessed, while Hacker A wanted to get on with a normal life. B would not stop calling A, which led A to tell B that if he didn't stop bothering him, he would get the authorities on his case. Well, B didn't and A did. And that's where the trouble really started. For the last couple of years, almost every few minutes, A's phone has been ringing. At the other end is B or someone or something that B has programmed. Sometimes nothing is said; sometimes a threat is uttered; sometimes the caller just laughs. A and his family have been trying, literally for years, to put an end to this. At first they simply changed the number to an unlisted one. Within an hour, B had found the new one. So they tried to change it again. New York Telephone refused. Either they would have to pay an exorbitant fee this time, or the number would not be changed. They said it was impossible for somebody to find out their number so fast - he must have been told by somebody in the family. This scene was repeated a number of times, with A's family changing their number practically a dozen times and having to pay the fee for most of them. It reached the point where B would call them BEFORE they received their new number to tell them what the new number would be. This wasn't all. B had also managed to charge outrageous amounts to the family's phone bill. He would call their answering machine collect on a long distance trunk and make it sound to the operator as though he'd said "yes". then he'd leave the connection open for hours. He also managed to place third party calls, using their number as the billing number. Their bill was outrageous and the phone company insisted that they were responsible for it. Their service was disconnected and today they are slowly paying back the huge debt. Meanwhile, A has tried to get the authorities to look at B (whose address and phone number he has), with only lukewarm interest. The FBI says it has an eye on him, but won't help A deal with the phone company. To this day it continues. The calls keep coming and A is powerless to do anything. B knows the phone system like the back of his hand and he can make it do almost anything. The phone company does not want to admit this and, on many levels, isincapable of understanding it themselves. The result: an innocent victim gets it from both ends. ------------------------------------------------------------------------------- ::::May 1986:::: The SBS/Skyline Algorythm by Nynex Phreak SBS Skyline has one of the easiest methods of finding codes of all of the long distance companies. It's very similar to the old Sprint bug which allowed people to find codes very quickly, even without the use of a computer. To see how this methodd works, access SBS Skyline at their equal access number (950-1088). Enter six digits. These are the six digits you are "betting" on to be part of a valid code. After the six digits, enter five other numbers (it's not important what numbers they are). If you hear a ring immediately after the last number, followed by "Message MS2", the six digits are part of a valid code. If you don't hear a ring, hit the pound sign (#) key. If you get your tone back, the six digits were not part of a valid code. You can try a new six digit series without having to hang up and redial. This is what makes this method so fantastically easy. (If you don't get your tone back after hitting the pound sign and also don't get "Message MS2", chances are you've stumbled across one of those SBS toll-free numbers. This might also be the case if you get "Message MS2" before entering five additional numbers.) After finding a working set of six digits, all that must be done is to find the next one or two numbers of the code. Enter the six digit code, followed by an additional one number to guess, followed by four random digits. If it rings and gives "Message MS2", this is not the right guess. You must hang up and redial Skyline for each unsuccessful attempt at this point. If it doesn't ring, and you can get the tone back by hitting the pound sign, you have found a seven digit code. If you try all the numbers from zero to nine and they all give "Message MS2", then you have two digits to guess--your six digits are actually part of an eight digit code. The same method must be used, except your range is now from 00 to 99. ------------------------------------------------------------------------------- (>View:101 BCTEL TOLL SECURITY BUGS (just kidding folks, I wish there WAS such a file...) -=( The FIXER )=-