2600260026002600260026002600260026002600260026002600260026002600260026002600
2600 2600
2600 Excerpts from Various Issues of 2600 Magazine 2600
2600 2600
2600 Brought to you by: The Fixer 2600
2600 2600
2600 Call: The Private Sector 201-366-4431 2600
2600 The Metal AE 201-879-6668 2600
2600 BC Tel Phone Mart 604-658-1586 2600
2600 Tommy's Holiday Camp 604-595-0085 2600
2600 The Neutral Zone BBS/AE (it's BACK!!) 604-478-1363 2600
2600 2600
2600260026002600260026002600260026002600260026002600260026002600260026002600
A note before I get on with it: This file is for those of you who, for whatever
reason, do not or have not read 2600 magazine. This issue of this file covers
the best short articles from September 1985 to August 1986.
Anyways, why bother waiting for me to type this stuff up? Why not do as I do
and get a subscription? All you have to do is send $12 to 2600, Box 752,
Middle Island NY 11953-0752. Call them voice at 516-751-2600 or call the 2600
BBS, THE PRIVATE SECTOR, at 201-366-4431. The things they need most are money
and articles, they can get money by more subscribers but they need YOU to write
GOOD articles on hacking, phreaking, etcetera in order to keep going.
2600260026002600260026002600260026002600260026002600260026002600260026002600
::::August 1985::::
-------------------------------------------------------------------------------
2600 A Hacking Victim...
When we received our June SBS Skyline bill, we were a bit surprised. Over six
hundred dollars of it came from calls we never made. But what's really
interesting is the way that the Skyline people handled it. In early June, we
got a call telling us that their sophisticated equipment detected hackers
trying to guess a code by scanning numerically. They said our code would soon
be discovered, so they were going to give us a new one, with two extra digits
added. They did this and that very day our old code was inactivated. The
illegal calls had occurred BEFORE that day, and we figure Skyline must have
known this. Maybe they thought that 2600, in our corporate clumsiness, would
pay a huge bill without investigation. Many big companies would. Gotta give
them credit for trying.
When we called up about it, they didn't want to handleit over the phone! "Send
the bill through the mail," they said. Mark the calls you made and we'll
deduct the rest." Why are phone companies so afraid to do things over the
phone?
As long as Skyline decided to give the "perpetrators" some extra time before
the investigation starts, we figure we might as well lend a hand too. Our old
code was 880099. We loved that code and are very upset at losing it. Our new
eight digit one is very difficult to remember and nowhere near as fun.
And one last note about those new eight digit numbers. Phone phreaks have
ALREADY figured out a way around them. If you dial the first six digits of an
eight digit code, then the ten digit phone number and hit a # key, you'll get
your tone back! That means there are only a hundred possible codes since there
are only two more digits to figure out and one of them DEFINITELY works! If
you enter six digits that are not part of an eight digit code, and then a ten
digit phone number, you'll get an error message immediately or that fake
carrier tone Skyline loves to send out. That tone, incidentally, is for you
hackers with Apples and Commodores that scan all night long looking for the
code that will get you through to a number that responds with a carrier tone.
In the morning, you see how many carrier detects you got and which codes got
them for you. Skyline's idea is that if EVERY invalid code gives a hacker a
carrier tone, there is no way for a computer to separate the good codes from
the bad ones. Come on! How about setting your computer to dial a NON-carrier
and telling it to print out only those codes that DIDN'T get a carrier tone?
And there are probably a hundred more ways. Big corporations can be SO much
fun.
-------------------------------------------------------------------------------
::::September 1985::::
Reaching Out On Your Own
by Forest Ranger
Verification is a very touchy subject. The telephone company wants to keep
verification secret from anyone beyond telco employees. But as phone phreaks
should know that is quite impossible. There are two types of operators that do
verifications. "0" (TSPS) for local verifications and IO (INWARD) operators
for verifications beyond your NPA. They use their operator console, but other
people use blue boxes.
KP:NPA+0+XX+NPA+XXX+XXXX:ST
The first NPA (area code) is yours and the 0 will get you on your TSPS
operator lines. The next XX part is an area identifier. They are 00,11,22,
33,44,55,66,77,88,99. There are ten possible choices depending on which area
you are in. For example, blue box verification for Michigan would be
KP:313+0+66+NPA+XXX+XXXX:ST. The second NPA is the NPA of the number you are
going to verify. The XXX+XXXX part is the rest of the number you are going to
verify.
Once you have routed your verification you will receive a series of clicks
(tandems stacking), the you will hear a beep and you will be on the line.
You won't understand what anyone is saying because everything is scrambled.
The verification will last about thirty seconds. Then you will be beeped out
and finally disconnected.
Federal laws regarding line listening have become much stronger - especially
after 1974 when a subcommittee of the House of Representatives held a public
hearing called "Telephone Monitoring Practices by Federal Agencies". At this
hearing it was discovered that Bell had listened in to lines of their employees
and had the power to listen in on anyone. This shocked many people and made
federal laws concerning such activity much stronger. My point is don't abuse
this verification, because all you need is a simple descrambler from Radio
Shack to descramble the conversation on the line.
-------------------------------------------------------------------------------
::::November 1985::::
The History of ESS
by Lex Luthor
Of all the new 1960's wonders of telephone technology - satellites,
ultra-modern Traffic Service Positions (TSPS) for operators, the picturephone,
and so on - the one that gave Bell Labs the most trouble was, and unexpectedly
became the greatest development effort in Bell System's history, was the
perfection of an electronic switching system, or ESS. ESS should be well known
to many a technical enthusiast. It is known as the big brother of the phone
system, capable of controlling almost all aspects of any phone call and keeping
track of calling patterns. How ESS works and what it is capable of has been
covered previously in 2600 (February, 1984) and will be covered in future
issues.
It may be recalled that such a system was the specific end in view when the
project that had culminated in the invention of the transistor had been
launched back in the 1930's. After successful accomplishment of that planned
miracle in 1947-48, further delays were brought about by financial strategy and
the need for further development of the transistor itself. In the early
1950's, a Labs team began serious work on electronic switching. As early as
1955, Western Electric became involved when five engineers from the Hawthorne
works were assigned to collaborate with the Labs on the project. The
president of AT&T in 1956 wrote confidently, "At Bell Labs, development of the
new electronic switching system is going full speed ahead. We are sure this
will lead to many improvements in service and also to greater efficiency. The
first trial will start in Morris, Illinois in 1959.". Shortly thereafter,
Kappel said that the cost of the whole project would probably be $45 million.
But it gradually became apparent that the development of a commercially usable
electronic switching system - in effect, a computerized telephone
exchange - presented vastly greater technical problems than had been
anticipated, and that, accordingly, Bell Labs had vastly underestimated both
the time and the investment needed to do the job. The year 1959 passed without
the promised first trial at Morris, Illinois; it was finally made in November
1960, and quickly showed how much more work remained to be done. As time
dragged on and costs mounted, there was concern at AT&T and something
approaching panic at Bell Labs. But the project had to go forward; by this
time the investment was too great to be sacrificed, and in any case, forward
projections of increased demand for telephone service indicated that within a
few years a time would come when, without the quantum leap in speed and
flexibility that electronic switching would provide, the national network would
be unable to meet the demand. In November 1963, an all-electronic switching
system went into use at the Brown Engineering Company at Cocoa Beach, Florida.
But this was a small installation, essentially another test installation,
serving only a single company. Kappel's tone on the subject in the 1964 annual
report was almost apologetic: "Electronic switching equipment must be
manufactured in volume to unprecedented standards of reliability...To turn out
the equipment economically and with good speed, mass production methods must
be developed; but, at the same time, there can be no loss in precision...."
Another year and millions of dollars later, on May 30, 1965, the first
commercial electronic central office was put into service at Succasunna, New
Jersey.
Even at Succasunna, only 200 of the town's 4300 subscribers initially had the
benefit of electronic switching's added speed and additional services, such as
provision for three party conversations and automatic trasnfer of incoming
calls. But after that, ESS was on its way. In January 1966, the second
commercial installation, this one serving 2900 telephones, went into service in
Chase, Maryland. By the end of 1967 there were additional ESS offices in
California, Connecticut, Minnesota, Georgia, New York, Florida, and
Pennsylvania; by the end of 1970 there were 120 offices serving 1.8 million
customers; and by 1974 there were 475 offices serving 5.6 million customers.
The difference between conventional switching and electronic switching is the
difference between "Hardware" and "Software"; in the former case, maintenance
is done on the spot, with screwdriver and pliers, while in the case of
electronic switching, it can be done remotely, by computer, from a central
point, making it possible to have only one or two technicians on duty at a time
at each switching center.
The development program, when the final figures were added up, was found to
have required a staggering four thousand man-years of work at Bell Labs and to
have cost not $45 million but $500 million!
Dear 2600:
Is it true that Blue Boxing is on the way out? I hear it has something to
do with CCIS. What exactly is this and why is it so troublesome to phreaks?
Worried Phreak
Dear Worried:
Blue Boxes are indeed a dwindling resource. But there's no need to throw
them out yet. They aren't going to be totally useless for quite some time.
Basically, AT&T is converting to CCIS trunks. These don't allow boxing.
In-band signaling is the only kind of trunk sugnaling that supports boxing.
It is by far the most prevalent at the moment. Basically, in-band uses a 2600
hertz tone to indicate that a trunk is idle, and thus can accept routing
instructions from an "outsider".
To box a call, the criminal blasts 2600 down the line after making a long
distance call. The line thinks it's idle and waits for routing instructions.
Now the criminal puts a KP tone and a ST tone around the number that he's
trying to get through to. These comprise the routing instructions. Thus, the
line thinks it's idle, then it receives the routing instructions, and routes
the call to whereever the person sent it. Now, his central office (CO) which
does all the billing still thinks he is making the call to wherever, so it
keeps billing him at that rate. If it happens to think he was making a
toll-free call, it won't bill him at all!
Another form of signaling is out of band. This uses control tones out of
the normal band of telephoone transmission (approximately 800 hertz to 3000
hertz). The idle tone is 3200, others shifted upward as well. So why couldn't
you make a new box? Don't forget, it's out of band. These tones aren't in
normal transmission, so the local CO and customer interface loop just don't
bother to transmit them. You can blast all the 3200 you want - it won't go
through the CO to the trunk. But this is not the "death of boxing" as it has
several disadvantages to the telco too numerous to mention.
The real death of boxing lies in Common Channel Interoffice Signaling
(CCIS). This is a direct connect data line going from one ESS switcher to
another at speeds up to 4.8 kB (usually 1.2) - incredible speeds. All
routing instructions are sent through these lines. It isn't looking for
control tones on the trunk; it's getting them elsewhere. This means that you
can blast 2600 hertz tones all you like. It won't make a difference because
the equipment is no longer listening for them. This kind of signaling is being
phased in all over the country. Look for one in your neighborhood.
Since CCIS has benefits for really high volume trunks, you can try looking
for long distance trunks to Canada, or rural states. These probably won't be
phased in for a long time, if at all. (Remember, very few companies just
invest in new technology for new tech's sake; even AT&T won't be able to do
this for long).
The Early Phreak Days
by Jim Wood
When I decided to get married back in 1962, I traded my DJ and broadcasting
odd jobs for one at the phone company; employment which, at the time, was
ultimately secure though my take-home pay was about $300 a month.
Assigned to the Palo Alto, California central office as a Toll
Transmissionman, my duties included maintenance of toll traffic circuits and
related short-haul N and ON carrier equipment. Circuit testing was initiated
at a black bakelite Type 17B Toll Testboard. A field of several hundred jacks
gave access to as many inter-office trunks, many to the San Jose 4A and
Oakland 4M 4-wire switching centers.
Though it was strictly forbidden, one could easily and safely "deadhead"
toll calls for one's self, family, or friends from the testboard. Around
Christmastime our office could easily have been confused with the Operator room
on the floor below.
The 17B testboard had a 0-9, DTMF keypad arranged in two rows of 5 buttons
wired to the central office "multifreq" supply. A rack of vacuum tube L/C
oscillators comprised the MF supply and was buried somewhere in the bowels of
the building.
Long days with too much (mostly union) staff and not enough to do
precipitated a lot of screwing around on the job. Some of these guys would
just daydream out the windows, others would hassle and torment the Operators
downstairs. One favorite trick was to sneak into the access space behind the
bank of 3C switchboards and push the cords slowly up towards the Operators.
The screams and commotion caused by a tip, ring, and sleeve "snake" was worth
the risk of getting chewed out by the old battleaxe who ran the place. Myself,
I just played with the Bell System; never with any intent to defraud, merely
to increase my understanding of how the whole thing worked.
It was a singularly dull day that I hit on the idea of "deadheading" calls
through one of the local subscriber loop jacks which rang into the testboard.
Sure enough, I could rotary-dial through the step office to Sacramento (the
shortest hop on L carrier with inband signalling), "dump" the call in
Sacramento with a blast of 2600 fromthe 19c oscillator mounted overhead, then
multifreq out of Sacramento anywhere I wanted to go. Wow! I could hardly wait
to demonstrate this potential source of lost revenues to my first-line
supervisor. Both he and his boss were mildly impressed, but assigned minimal
importance to the event, since, in their words, "no one has a multifreq supply
at home."
Ma Bell invented the transistor but was among the last to put it into
service. One of the few places a transistor was used was used in our office
was in the alarm circuit of the ON carrier system. The 13H was a wretched
little "top hat" PNP with just enough beta to work in a bridged-T oscillator
configuration. A half-dozen of these, some Olson Radio pushbuttons, and a
handful of resistors and caps made a dandy MF supply.
The next demonstration was from the Chief's own desk and did finally raise
some concern. I was asked to "donate" the box and told to keep the findings
strictly to myself. I have done so for 20 years now.
-------------------------------------------------------------------------------
::::February 1986::::
It Could Happen To You!
A bizarre story is unfolding in New York City, one which typifies both
hacker ingenuity and corporate indifference to the average customer.
It all started when Hacker A met Hacker B on a loop somewhere. At first,
they got along quite well, exchanging all kinds of information. Over time,
however, Hacker B got more and more obsessed, while Hacker A wanted to get on
with a normal life. B would not stop calling A, which led A to tell B that if
he didn't stop bothering him, he would get the authorities on his case. Well,
B didn't and A did. And that's where the trouble really started.
For the last couple of years, almost every few minutes, A's phone has been
ringing. At the other end is B or someone or something that B has programmed.
Sometimes nothing is said; sometimes a threat is uttered; sometimes the caller
just laughs. A and his family have been trying, literally for years, to put an
end to this. At first they simply changed the number to an unlisted one.
Within an hour, B had found the new one. So they tried to change it again.
New York Telephone refused. Either they would have to pay an exorbitant fee
this time, or the number would not be changed. They said it was impossible for
somebody to find out their number so fast - he must have been told by somebody
in the family.
This scene was repeated a number of times, with A's family changing their
number practically a dozen times and having to pay the fee for most of them.
It reached the point where B would call them BEFORE they received their new
number to tell them what the new number would be.
This wasn't all. B had also managed to charge outrageous amounts to the
family's phone bill. He would call their answering machine collect on a long
distance trunk and make it sound to the operator as though he'd said "yes".
then he'd leave the connection open for hours. He also managed to place third
party calls, using their number as the billing number. Their bill was
outrageous and the phone company insisted that they were responsible for it.
Their service was disconnected and today they are slowly paying back the huge
debt.
Meanwhile, A has tried to get the authorities to look at B (whose address
and phone number he has), with only lukewarm interest. The FBI says it has
an eye on him, but won't help A deal with the phone company.
To this day it continues. The calls keep coming and A is powerless to do
anything. B knows the phone system like the back of his hand and he can make
it do almost anything. The phone company does not want to admit this and, on
many levels, isincapable of understanding it themselves. The result: an
innocent victim gets it from both ends.
-------------------------------------------------------------------------------
::::May 1986::::
The SBS/Skyline Algorythm
by Nynex Phreak
SBS Skyline has one of the easiest methods of finding codes of all of the long
distance companies. It's very similar to the old Sprint bug which allowed
people to find codes very quickly, even without the use of a computer.
To see how this methodd works, access SBS Skyline at their equal access number
(950-1088). Enter six digits. These are the six digits you are "betting" on
to be part of a valid code. After the six digits, enter five other numbers
(it's not important what numbers they are). If you hear a ring immediately
after the last number, followed by "Message MS2", the six digits are part of
a valid code. If you don't hear a ring, hit the pound sign (#) key. If you
get your tone back, the six digits were not part of a valid code. You can try
a new six digit series without having to hang up and redial. This is what
makes this method so fantastically easy. (If you don't get your tone back
after hitting the pound sign and also don't get "Message MS2", chances are
you've stumbled across one of those SBS toll-free numbers. This might also be
the case if you get "Message MS2" before entering five additional numbers.)
After finding a working set of six digits, all that must be done is to
find the next one or two numbers of the code. Enter the six digit code,
followed by an additional one number to guess, followed by four random
digits. If it rings and gives "Message MS2", this is not the right guess.
You must hang up and redial Skyline for each unsuccessful attempt at this
point. If it doesn't ring, and you can get the tone back by hitting the pound
sign, you have found a seven digit code. If you try all the numbers from zero
to nine and they all give "Message MS2", then you have two digits to
guess--your six digits are actually part of an eight digit code. The same
method must be used, except your range is now from 00 to 99.
-------------------------------------------------------------------------------
(>View:101 BCTEL TOLL SECURITY BUGS
(just kidding folks, I wish there WAS such a file...)
-=( The FIXER )=-
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
