The LOD/H Technical Journal: File #1 of 12
Volume 1, Issue 1 Released: Jan. 1, 1987
THE
LOD/H TECHNICAL JOURNAL
-----------------------
INTRODUCTION:
Welcome to the premiere issue of the LOD/H TJ!
The LOD/H TJ is a soft-copy free newsletter whose primary purpose is to
further the knowledge of those who are interested in topics such as:
Telecommunications, Datacommunications, Computer & Physical Security/Insecurity
and the various technical aspects of the phone system.
The articles contained herein are totally original unless otherwise
stated. All sources of information for a specific article are listed in the
introduction or conclusion of the article. We will not accept any articles that
are unoriginal, plagiarized, or contain invalid or false information. Articles
will be accepted from anyone who meets those criteria. We are not dependent
upon readers for articles, since members of LOD/H and a select group of others
will be the primary contributors, but anyone can submit articles.
Readers are encouraged to download all files for each issue, not just the
ones they are interested in. The reason for this is twofold: The newsletter
was designed to be a group effort, and the files herein were not intended for
individual distribution, and secondly, keeping the issue intact allows you to
distribute it to other BBS's and phriends who are interested in it.
There is no set date for releasing issues, as we have no monetary or legal
obligation to the readers, but we predict subsequent issues will be released
between 2 and 3 months from the previous one. Thus, expect 4 to 6 issues a year
assuming we continue to produce them, which we intend to do.
Newsletter sponsors are boards which will get the newsletter directly from
the staff as soon as it is released, and have added our 'staff account' to the
userlist in order for the readers to respond directly to us about the content
of the newsletter. If your board would like to become a sponsor, leave us mail
on any of the following sponsor boards:
Atlantis
Metal Shop Private
Digital Logic
Hell Phrozen Over
An LOD/H TJ staff account is on all our sponsor BBS's. This allows readers
to get in contact with us for the following reasons:
- If you have questions about any article, or question the validity of the
material, you are welcome to contact us through the staff account and leave
a way for the author to contact you. This ensures a better understanding of
the topic by the readers and also ensures the integrity of the author as far
as knowledge and originality of the topic is concerned.
- You may leave questions for the staff which will be answered in our 'Ask the
Staff' section of the newsletter. The questions selected will be of general
interest to others. We will try to answer any questions not published via
E-Mail. We don't know everything, but anything we do know will be shared
with those who ask.
Various features of the newsletter include:
Editorials: These will feature short articles on topics which affect the
telecom world in general.
Network News & Notes: News articles and other things of interest pertaining to
the things this newsletter specializes in.
Reader Mail: Questions and comments about previous issues from readers who
contact us through our staff account on sponsor boards.
Special Features: These will pop up from time to time and can be anything which
does not fit in the general format of the newsletter.
-------------------------------------------------------------------------------
TABLE OF CONTENTS:
01 Introduction to the LOD/H Technical Journal       Staff              05 K
   and Table Of Contents for Volume 1, Issue 1
02 Custom Local Area Signalling Services (CLASS)     The Videosmith     17 K
03 Identifying and Defeating Physical Security and   Lex Luthor         23 K
   Intrusion Detection Systems Part I: The Perimeter
04 The Traffic Service Position System (TSPS)        The Marauder       23 K
05 Hacking DEC's TOPS-20: Intro                      Blue Archer        19 K
06 Building your own Blue Box (Includes Schematic)   Jester Sluggo      16 K
07 Intelligence and Interrogation Processes          Master Of Impact   18 K
08 The Outside Loop Distribution Plant: Part A       Phucked Agent 04   25 K
09 The Outside Loop Distribution Plant: Part B       Phucked Agent 04   23 K
10 LOH Telenet Directory: Update #4 (1-1-87) Part A  LOH                25 K
11 LOH Telenet Directory: Update #4 (1-1-87) Part B  LOH                18 K
12 Network News & Notes                              Staff              10 K

   Total: 12 files                                                      223 K
-------------------------------------------------------------------------------
That wraps it up for the introduction, hope you like it and we will look
forward to hearing from you.
The LOD/H Technical Journal: File #2 of 13
Custom Local Area Signalling Services
Written by: The Videosmith
Version - 1.1
----------------------------(c) Copyright 1994---------------------------
This article will explain the newly developed LASS system (AT&T Bell Labs),
and how it may affect us in the near future. Note that the service as it
appears for customers is called "CLASS", the C standing for Custom. I
assume this is just for looks.
LASS
----
The telephone was destined to become a well used and powerful tool for
otherwise tedious tasks. Gas meters and other metered services would be
surveyed through the use of automatic data retrieval employing telephone
communications. All in all, some have big plans for the uses one could put
the telephone system up to, and CLASS is one plan that is going to drop
an innovative bombshell on the telecommunicating world.
At this moment, a local CCIS network feature is being developed by
Bell Laboratories. This feature will change the way people use fones, and
will also change the attitude in which they use them. It will give far
more control of the telephone to the user than ever before. This feature
is called CLASS (Custom Local Area Signalling Services).
Everyone will find something useful in this newly developed telephone
feature. Pizza parlours will no longer have to worry about fraudulent Italian
food mongers, and little old ladies won't have to worry about prank calls
by certain dubious characters.
What are all these fantastic features? These features will
include call back of the last caller, regardless of whether you have their
telephone number or not. Another will be distinct call waiting tones, and
preselected call forwarding (only those people whom you wish to speak to
will be forwarded). This is a rudimentary list of CLASS features to come.
It is a very powerful system, and it all relies on LCCIS (Local Common
Channel Interoffice Signalling), an intra-LATA version of the ever-popular
CCIS.
CCIS Background
---------------
CCIS was originally introduced in 1976 as, basically, the signalling
system to end all signalling systems. Instead of using the voice grade
trunks to carry signalling information on, a data network would be used. This
network is comprised of data links from each TO [involved with CCIS] to
the appropriate STP (signal transfer point). Signalling information is sent
through these links at 4800 bps to the STPs (Note that baud rates may increase
due to the economic availability of faster data communications hardware),
where stored program control routes the signalling information to the needed
offices in order to open and complete the call path. SPC checks automatically
for on-hook/off-hook status before opening the path, and if the status is
off-hook (in this case the customer does not have the call waiting custom
calling feature), returns information to the originating CO to apply a busy
signal to the customer. This is but one of many features toll CCIS provides
the network with.
Since this text is not centered on the topic of toll CCIS, technical
aspects aren't as important (except for the comparison between the local
and toll networks for observational purposes): yet it is important to
notice how automated and flexible this type of signalling method is, as well
as its speed and efficiency. All the software control involved with local
and toll networks is called, fittingly, the "stored program control network,"
or ISDN (Integrated Services Digital Network). LCCIS will be addressed in a
future article.
CLASS/LCCIS Features
--------------------
LCCIS would look like this:
                    /--\
                    CO-2
                    ESS#
     /----I-T-G-----1A-----I-T-G----\
     |              \--/            |
     |               |              |
     |             LCCIS            |
     |               |              |
     |           ----------         |
    /--\--LCCIS--|CCIS/SPC|--LCCIS--/--\
    CO-1         ----------         CO-3
    ESS#                            ESS#
    -1A----interoffice trunk group---1A-
SPC = Stored Program Control (Network control and Signal Transfer Point)
ITG = Interoffice Trunk Group
Using a high-speed data link between local offices creates a much more
flexible and more efficient way for intra-LATA central offices to
communicate. Instead of using per-trunk signalling (using the same trunk used
for voice transmission to send routing and billing information), such data
would be sent thru a 2400 bps dedicated data link, which interacts with a local
signal processing and transfer point. From that point, signalling information
is distributed to appropriate central offices or tandem switches.
At the time this article was being initially researched, CLASS was
only being developed for the #1A ESS switch due to the flexibility of its
memory handling, its speed and what Bell Labs called 'cost efficiency'. At
the end of the research involved with this article, CLASS was already
implemented in data stage on ESS#5.
LCCIS will work with the local switches using stored program
control, keeping track of call data. The 1A switches will use what
is called "scratch pad" memory (also known as call store), in conjunction
with LCCIS's database, to accomplish all the features that LASS provides.
This memory will hold such data as "line history", and a "screening list".
That information will make possible autoredial, selective call
forwarding, nuisance call rejection, and distinctive call waiting tones.
Selective CF
------------
Selective call forwarding is defined by the subscriber (the
subscriber must have conventional call forwarding to request this service).
Using call store, or more specifically the screening list, one will
be able to selectively forward a call to another directory number by
executing a few simple commands on the friendly home-bound telephone
(unlike migrating telephones most frequently found in hotel rooms). An
access code (a list will appear at the end of the file) will be entered,
and a special tone will be issued from the subscriber's CO. The
customer will then dial in the numbers he wants forwarded to the particular
number. After each number, a tone will sound indicating the acceptance
of the number. Individual BOC's (Bell Operating Companies) will be
able to define the amount of numbers which may be screened. Once this is
done, the customer hangs up and the ESS takes over. Now, whenever
someone calls this particular customer, the customer's switch will compare
the calling line's directory number with those stored in scratch pad
memory. If the CLID matches one of the numbers in 1A memory associated with
the called directory number, the call is forwarded. If not, the phone will
ring at the original destination. This in particular could make it very
difficult on system hackers, as you could probably imagine. A company can
subscribe to this CLASS feature, and enter only the numbers of authorized
users to be forwarded to a computer. Bureaus inside the various telephone
companies and other sensitive operations can screen calls to particular
numbers by using this service.
This is a security that's hard to beat, but of course there is a way
(simple law of nature: nothing is fail-safe). There will always be the
obvious way of finding numbers which are being forwarded to, like
autodialing entire exchanges (one after the other). Unfortunately, CLASS will
be providing other services which might make "scanning" seem less
attractive.
Distinctive Ringing
-------------------
Distinctive ringing is handled in the same fashion as selective call
forwarding is: the screen list in scratch pad memory. The customer may
enter numbers which the ESS should give special precedence to, and when-
ever a call is placed to this particular customer's number, ESS checks
to see whether the CLID matches a directory number listed in the
switch's memory. If a match is made, the subscriber's CO gives the off-hook
line a special call waiting tone, or the on-hook phone a distinctive ring
(possibly using abnormally timed ringing voltage... some readers may picture
a British Telecom ring as an example, although many foreign audible rings
tend to be different).
Call Rejection
--------------
Nuisance call rejection, a feature making it possible to block certain
idiots from ringing your fone (a feature we can all benefit from at
one time or another... or all the time), uses the information retrieved
from LCCIS (CLID). Let's say customer A calls customer B:
        ----LCCIS----
A ---> CO<           >CO ---> B
        ----trunk----
Customer B happens to despise customer A, and keys in a special *##
code. ESS again takes over and looks at the CLID information, and stores
the calling line directory number in a special screen list associated
with customer B. The next time customer A tries calling customer B, the
terminating office will reroute the call to a local (the originating CO)
digitized recording telling customer A that the call he made cannot be
completed due to customer B's request ("I'm sorry, but the customer you
have tried to reach wishes you were eaten by a rabid cannibal on drugs").
Dial Back
---------
To create such a feature as "dial back" (for called or calling party),
the ESS scratch pad memory is used again. The same principles are
used as are employed in the already established custom calling feature,
auto-redial. CLID will be used in this way:
                      (received from CLID)
last-called-mem       last-caller-mem
----------            ----------
|###-####|            |###-####|
----------            ----------
Your ESS switch will keep track of who you called last, and who called
you last, thru the retrieval of calling line information provided by
LCCIS in conjunction with your switch (Your switch will know what number
you called last by directly storing the digits you dialed previously. Local
signalling will provide calling line information via LCCIS call
information forwarding using the data link mentioned). This way, with your
access code (*##), you will have total re-dial service.
Customer Trace
--------------
This type of memory handling and signalling method will also allow the
feature that everyone was afraid would abolish "phreaking". Subscriber
initiated tracing, using the last caller directory number stored at your CO,
will be available as far as Bell Laboratories is concerned. There seem to be
two types of "customer originated trace". One will forward the number to local
authorities, where it will be handled through the police. The other
feature AT&T/Bell Labs is working on will be a display module that will sit by
your fone, and will display calling directory numbers. All other CLASS
features that use the calling line information are used at the discretion of
the caller. The customer originated trace, however, using the individual or
bulk calling line identification features ("trace") allow the customer to view
the calling number. The world is not ending... yet, in any case. Individual
customers will be able to employ a special "privacy code", which when dialed,
tells the far-end switch not to forward the calling number to a desk display.
Whether there will be a way to override this or not is obvious: of course.
The police, the military and government agencies are all likely to have a
higher priority level than your privacy. It seems that long distance
carriers could benefit greatly from CLASS. Why Bell/AT&T should give any type
of special services to OCCs not given to other non-telephone companies,
especially after equal access is fully implemented, I don't know (but then
again, it is EQUAL access). It's always possible. It is also possible that
there will be no desk display. There are those phone phreaks who feel that
BOC's will never give the end party the privilege of retrieving the calling
party's number directly, if not due to plain old Bell policy on the issue of
privacy. We'll have to wait and see about that point: the desk display is, in
fact, operational and is being used in test stage. Whether Bell Labs feels
that this feature can and will be used in a full scale non-beta stage BOC
situation is a different story. The economic feasibility is questionable.
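The call-store logic described in the sections above (screening lists, last-caller memory, the privacy code) can be modelled in a few lines. This is an added example, not code from the article or from any switch: the class, method and field names and the 555 numbers are hypothetical, and it assumes the switch keeps the CLID for its own features even when the privacy code blanks the desk display.

```python
from dataclasses import dataclass, field
from typing import Optional

# Test-stage DTMF access codes from the table at the end of the article.
RECONNECT, SELECTIVE_CF, NUISANCE_BLOCK, TRACE = "*66", "*63", "*60", "*57"


@dataclass
class CallStore:
    """Per-line "scratch pad" memory: line history plus screening lists."""
    last_caller: Optional[str] = None   # CLID delivered over LCCIS
    last_called: Optional[str] = None   # digits the subscriber dialed
    forward_to: Optional[str] = None
    forward_list: set = field(default_factory=set)
    reject_list: set = field(default_factory=set)
    priority_list: set = field(default_factory=set)


class TerminatingOffice:
    """Hypothetical switch model; all names here are illustrative."""

    def __init__(self, max_screened=3):
        self.max_screened = max_screened  # BOC-defined list size (value assumed)
        self.store = {}
        self.trace_reports = []           # (subscriber, caller) sent to authorities

    def line(self, number):
        return self.store.setdefault(number, CallStore())

    def program_forwarding(self, subscriber, target, numbers):
        """Selective CF (*63): return the numbers the switch accepted."""
        ls = self.line(subscriber)
        ls.forward_to = target
        accepted = []
        for n in numbers:
            if len(ls.forward_list) >= self.max_screened:
                break                     # list is full, no acceptance tone
            ls.forward_list.add(n)
            accepted.append(n)
        return accepted

    def outgoing(self, subscriber, digits):
        self.line(subscriber).last_called = digits

    def incoming(self, clid, called, privacy=False):
        """Return (action, desk_display) for one call arriving with its CLID."""
        ls = self.line(called)
        if clid in ls.reject_list:
            return ("recording", None)        # never rings; history untouched
        ls.last_caller = clid                 # assumption: kept even with privacy
        display = None if privacy else clid   # privacy code only blanks the display
        if ls.forward_to and clid in ls.forward_list:
            return ("forward:" + ls.forward_to, display)
        if clid in ls.priority_list:
            return ("distinctive-ring", display)
        return ("ring", display)

    def access_code(self, subscriber, code):
        """Handle the codes that act on the stored last-caller number."""
        ls = self.line(subscriber)
        if ls.last_caller is None:
            return None
        if code == RECONNECT:
            return ("dial", ls.last_caller)
        if code == NUISANCE_BLOCK:
            ls.reject_list.add(ls.last_caller)
            return ("blocked", ls.last_caller)
        if code == TRACE:
            self.trace_reports.append((subscriber, ls.last_caller))
            return ("trace-filed", None)      # number goes to authorities only
        raise ValueError("unsupported code: " + code)


def demo():
    """Constructed numbers: a company line that forwards only listed callers."""
    co = TerminatingOffice(max_screened=2)
    accepted = co.program_forwarding("555-0100", "555-0199",
                                     ["555-0111", "555-0112", "555-0113"])
    results = {
        "accepted": accepted,
        "authorized": co.incoming("555-0111", "555-0100"),
        "unlisted": co.incoming("555-0150", "555-0100", privacy=True),
    }
    results["reconnect"] = co.access_code("555-0100", RECONNECT)
    results["block"] = co.access_code("555-0100", NUISANCE_BLOCK)
    results["after_block"] = co.incoming("555-0150", "555-0100")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```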
End Notes
---------
CLASS, using local CCIS, will not function on inter-LATA calls. The
local CCIS network is exactly that: local, and does not extend into the
realm of "toll network". This will eventually be corrected (allowing toll
CCIS to interact with LCCIS as far as CLID information is concerned). How
the various long distance networks will exchange information with the local
BOC network has not been determined [by the writer of this article]. It
would seem like a monumental task to try to integrate the emerging long
distance companies into the AT&T/BOC ISDN, be it because of equipment
inconsistencies or lack of cooperation on the part of the OCC, etc. This
will be discussed in an upcoming article dealing with toll CCIS.
Although CLASS has been built around the ESS #1A switch, it has, as has been
mentioned, been co-developed for use with the ESS #5 switching machine.
CLASS is going to cause problems, as well as create a new environment
for telephone users. Of course, those problems are only problems to people
who will generally be reading this article, but the more you know about CLASS
the more comfortable you'll feel about the service. It can be used to
one's advantage, even as a telecommunications hobbyist. Just as a
corporation will be able to set up a complete history of who is calling their
system, and eventually keep people off the system using the screen list in
memory, the same features can be applied to bulletin board systems and the
like. Imagine being able to keep all the local bozos off your board, or
being able to screen all but your private local users (making your system
completely inaccessible through the PSTN network from any telephone but
that of one of your users). It would seem to be a useful feature, if nothing
else but an easy feature, to implement.
It is a little difficult, if not plain awkward, to write an article about
a topic which is subject to change at the researcher's ignorance. I think
that CLASS is enough of a momentous issue that at least some text by a
hobbyist should be released for public knowledge purposes. Yet my awareness
of the fact that some of this text may be outdated, or inaccurate, by the
time CLASS is released as a BOC service, is in itself the explanation of why
there is a version number at the head of this article. Most likely, when CLASS
becomes public, the second version will be released with update notes
(if need be...most probably so). I hope you enjoyed it,
The Videosmith.
LOD/LOH!
---------------------------------------
Test stage defaults for some features:
DTMF ! Pulse ! Description of Service
---------------------------------------
*66 ! 1166 ! Reconnect last caller
---------------------------------------
*63 ! 1163 ! Selective Call Forward
---------------------------------------
*60 ! 1160 ! Nuisance Call Blocking
---------------------------------------
*57 ! 1157 ! Customer "Trace"
---------------------------------------
Note: These command codes may vary from BOC to BOC. The codes listed above
were found in a general description of CLASS and did not specify a particular
implementation of these services.
Acknowledgements:
Mark Tabas for his views on various included topics... for example, subscriber
tracing ("FUCK NO").
Doctor <413> Who
Mr. DNA
The LOD/H Technical Journal: File #3 of 12
Lex Luthor and The Legion Of Doom/Hackers Present:
Identifying, Attacking, Defeating, and Bypassing
Physical Security and Intrusion Detection Systems
PART I: THE PERIMETER
The reasons for writing this article are twofold:
1) To prevent the detection and/or capture of various phreaks, hackers and
others, who attempt to gain access to: phone company central offices, phone
closets, corporate offices, trash dumpsters, and the like.
2) To create an awareness and prove to various security managers, guards, and
consultants how easy it is to defeat their security systems due to their
lack of planning, ignorance, and just plain stupidity.
In the past, I have written articles on "Attacking, Defeating, and Bypassing"
Computer Security. Now I take those techniques and apply them to Physical
Security. The information contained herein, has been obtained from research
on the different devices used in physical security, and in practical "tests"
which I and others have performed on these devices.
INTRODUCTION:
-------------
Physical Security relies on the following ideas to protect a facility:
Deterrence, Prevention, Detection, and Response. Deterrents are used to 'scare'
the intruder out of trying to gain access. Prevention tries to stop the
intruder from gaining access. Detection 'sees' the intruder while attempting to
gain access. Response tries to stop and/or prevent as much damage or access to
a facility as possible after detection. There are 3 security levels used in
this article and in industry to designate a facility's need. They are: Low,
Medium, and High. The amount, and types of security devices used by a facility
are directly proportional to the level of security the facility 'thinks' it
needs. When I use 'facility' I am referring to the people in charge of
security, and the actual building and assets they are trying to protect. This
article will be primarily concerned with the protection of the perimeter. I
have 2 other articles planned in this series. The second is the security
concerning the exterior of a facility: cipher locks, window breakage detectors,
magnetic contact switches, etc. The third part will deal with security systems
inside a facility: Passive Infra-Red detectors, ultrasonic detectors, interior
microwave systems, and the various card access control systems.
THE PERIMETER:
--------------
A facility's first line of defense against intrusion is its perimeter. The
perimeter may have any or all of the following:
- An interior fence coupled with an exterior fence
- Various fence mounted noise or vibration sensors
- Security lighting and CCTV
- Buried seismic sensors and different photoelectric and microwave systems
Fences:
-------
Fences are commonly used to protect the perimeter. The most common fence in use
today is the cyclone fence, better known as the chain link fence. Fences are
used as a deterrent and to prevent passage through the perimeter. Common ways
of defeating fences are by cutting, climbing, and lifting. Cutting is not
usually recommended for surreptitious entry, since it is easily noticeable. In
this article, we will be taking the 'Stealth' approach. Climbing is most
commonly done, but if the fence is in plain view, it may not be advisable since
you can be seen easily. The higher the fence, the longer it takes to climb. The
longer it takes to climb, the longer security has to detect and respond to your
actions. Lifting is better since you are closer to the ground, and not as
easily spotted, but the fence must be very flexible, or the sand very soft so
you can get under the fence quickly and easily. Whenever you see a somewhat
'unclimbable' fence (or one that you just don't want to climb) you should check
the perimeter for large trees with uncut branches hanging over the fence or
other objects which will enable you to bypass the fence without ever touching
it. You could use a ladder but you don't want to leave anything behind,
especially with your fingerprints on it, not that you plan on doing anything
illegal of course.
Electric fences are not used for security purposes as much as they were in the
past. Today, their main use is to keep cattle or other animals away from the
perimeter (either from the inside or outside). There are devices which send
a low voltage current through a fence and can detect a drop in the voltage when
someone grabs onto the fence. Again, not too common so I will not go into it.
For high security installations, there may be 2 fences. An outer fence, and an
inner fence which are 5-10 yards apart. It isn't often that you see this type
of setup, it is mainly used by government agencies and the military. You can
be very sure that there are various intrusion detection devices mounted on the
fence, buried underground between them, and/or line-of-sight microwave or
photoelectric devices used. These will be mentioned later. If you insist on
penetrating the perimeter, then you should try to measure how far it is between
fences. Now find a 2 foot by X foot board where X is the distance between the 2
fences. Very slowly place the board on top of both fences. If there are no
fence vibration sensors you can just climb the fence and step onto the board to
walk across the top. If there are fence sensors, you will need a ladder which
cannot touch the fence to get you on top of the board. You can then walk on the
board, over the ground in between, and jump down, being careful not to disturb
the fences. This will work if there are no sensors after the 2 fences. Identi-
fying sensors will be mentioned later. Obviously the method of using a long
board to put on top of the two fences will not work if the fences are spaced
too far apart. Also, you and the board can be seen very easily.
Barbed Wire:
------------
There are two common types of barbed wire in use today. The more common and
less secure is the type that is strung horizontally across the fence with three
or more rows. The 'barbs' are spaced about 6" apart, enough for you to put your
hand in between while climbing over. Also, it is thin enough to be cut very
easily. If you think you will need to leave in a hurry or plan on problem free
surreptitious entry and the only way out will be to climb over the fence again
you can cut the wire from one post to another, assuming the wire is tied or
soldered to each post, and replace it with a plastic wire which looks like the
wire you just cut. Tie it to each post, and come back anytime after that. You
can then climb over it without being cut. The other type of wire, which is more
secure or harmful, depending on how you look at it, is a rolled, circular wire
commonly called Razor Ribbon. One manufacturer of this is the American Fence
Co. which calls it 'the mean stuff'. And it is. The barbs are as sharp as
razors. Of course this can be cut, but you will need very long bolt cutters and
once you cut it, jump as far back as you can to avoid the wire from springing
into your face. As mentioned earlier, cutting is irreparable, and obvious. If
the wire is loosely looped, there may be sufficient room in between to get
through without getting stitches and losing lots of blood. If the wire is more
tightly looped you may be able to cover the wire with some tough material
such as a leather sheet so you can climb over without getting hurt. This method
is not easy to accomplish however. You may want to see if you can get under the
fence or jump over rather than climb it.
Fence mounted noise or vibration sensors:
-----------------------------------------
Let's assume you have found a way to get past the fence. Of course you have not
tried this yet, since you should always plan before you act. OK, you have
planned how you would theoretically get over or past the fence. You are now
past the deterrent and prevention stages. Before you put the plan into action
you had better check for the things mentioned earlier. If a fence is the first
step in security defense, then fence mounted sensors are the second step.
The types of detection equipment that can be mounted on the fence are:
Fence shock sensors: These mount on fence posts at intervals of 10 to 20 feet,
or on every post. They are small boxes clamped about 2/3 up from ground level.
There is a cable, either twisted pair or coax running horizontally across the
fence connecting these boxes. The cable can be concealed in conduits or inside
the fence itself, thus, making it hard to visually detect. Each fence sensor
consists of a seismic shock sensor that detects climbing over, lifting up or
cutting through the fence. So if the fence is climbable, it would not be wise
to do so since you may be detected. Of course it doesn't matter if you're
detected if there is no security force to respond and deter you.
Another type is called the E-Flex cable. It's simply a coax cable running
horizontally across the fence. This cable can not only be used on chain link
fences, but can also be used on concrete block, brick, or other solid barriers.
It may be on the outside, or mounted inside the fence, thus, making detection
of the device harder. Of course detection of this and other similar devices
which cannot be seen, doesn't make it impossible. A way to detect this, is by
simply repeatedly hitting the wall with a blunt object or by throwing rocks at
it. If nothing out of the ordinary happens, then you can be reasonably sure it
is not in place. This is basically a vibration sensor.
Low frequency microphones: This is essentially a coax cable that responds to
noise transmitted within the fence itself.
Vibration sensors: These are based on mercury switches, a ring or ball on a
pin, or a ball on a rail. Movement of the fence disturbs the switches and
signals alarms. A hint that this is in use is that it can only be used on a
securely constructed and tightly mounted fence, with no play or movement in it.
Otherwise, they will be getting false alarms like crazy.
OK, you know all about these types, how the hell do you get around it? Well,
don't touch the fence. But if there is no alternative, and you must climb it,
then climb the fence where it makes a 90 degree turn (the corner) or at the
gate. Climb it very slowly and carefully, and you should be able to get over
without being detected by these sensors! Make sure you climb on the largest
pipe and don't fall.
Security lighting and CCTV:
---------------------------
Sometimes, fences may be backed up by Closed Circuit TV (CCTV) systems to make
visual monitoring of the perimeter easier and quicker. By installing an
adequate lighting system and conventional CCTV cameras, or by using special
low light sensitive cameras, the perimeter can be monitored from a central
point. Security personnel can then be dispatched when an intruder is detected
on the monitors.
Some systems are stationary, and others can be moved to view different areas of
the perimeter from within the central station. It would be in your best
interest to determine if the camera is stationary or not. If so, you may be
able to plan a path which will be out of the view range of the camera. If it is
movable, you will have to take your chances.
Light control sensor: This utilizes a Passive InfraRed (PIR) sensor to detect
the body heat emitted from someone entering the detection area, and can
activate a light or other alarm. PIR's will be discussed in Part II of this
series. The sensor has an option called: 'night only mode' in which a light
will flash when a person enters the area, but only during night hours. It can
tell if it's dark by either a photoelectric sensor, or by a clock. Of course if
it's daylight savings time, the clock may not be totally accurate, which can be
used to your advantage. If it is photoelectric, you can simply place a
flashlight pointing directly into the sensor during daylight hours. When it
gets dark, the photoelectric sensor will still 'think' it's day since there is
sufficient light, thus, not activating the unit to detect alarm conditions.
This should enable you to move within the area at will.
Buried Seismic Sensors:
-----------------------
Seismic detectors are designed to identify an intruder by picking up the sound
of your footsteps or other noises related to passing through the protected
area. These sensors have a range of about 20 feet and are buried underground
and linked by a cable, which carries their signals to a processor. There, the
signals are amplified and equalized to eliminate frequencies that are unrelated
to intruder motion. The signals are converted to pulses that are compared with
a standard signal threshold. Each pulse that crosses this threshold is tested
on count and frequency. If it meets all the criteria for a footstep, an alarm
is triggered. These sensors can even be installed under asphalt or concrete by
cutting a trench through the hard surface. They are also immune to weather and can
follow any type of terrain. The only restriction is that the area of detection
must be free of any type of obstruction such as a tree or a bush.
Electronic field sensor:
------------------------
These detect an intruder by measuring a change in an electric field. The field
sensors use a set of two cables, one with holes cut into the cable shielding to
allow the electromagnetic field to 'leak' into the surrounding area. The other
cable is a receiver to detect the field and any changes in it. Objects passing
through the field distort it, triggering an alarm. This sensor can either be
buried or free standing, and can follow any type of terrain. But it's very
sensitive to animals, birds, or wind blown debris, thus, if it is very windy
out, and you know this is being used, you can get some paper and throw it so
the wind takes it and sets off the alarm repeatedly. If it is done enough, they
may temporarily turn it off, or ignore it due to excessive false alarms.
It is not hard to tell if these devices are in use. You cannot see them, but
you don't have to. Simply get 3-4 medium sized stones. Throw them into the
place where you think the protected area is. Repeat this several times. This
works on the lesser advanced systems that have trouble distinguishing this type
of seismic activity from human walking/running. If nothing happens, you can be
reasonably sure this is not in use. Now that you can detect it, how do you
defeat it? Well as far as the electronic field sensor is concerned, you should
wait for a windy night and cause excessive false alarms and hope they will turn
it off. As far as the seismic sensors, you can take it one step at a time, very
softly, maybe one step every 30-60 seconds. These sensors have a threshold,
say, two or more consecutive footsteps in a 30 second time interval will
trigger the alarm. Simply take in one step at a time, slowly, and wait, then
take another step, wait, until you reach your destination. These detectors work
on the assumption that the intruder has no knowledge of the device, and will
walk/run across the protected area normally, thus, causing considerable seismic
vibrations. The problem with this method is that it will take you some time to
pass through the protected area. This means there is more of a chance that you
will be seen. If there are a lot of people going in and out of the facility,
you may not want to use this method. Another way would be to run across the
protected area, right next to the door, (assuming that is where the response
team will come out) and drop a large cat or a dog there. When they come out,
they will hopefully blame the alarm on the animal. The sensor shouldn't really
pick up a smaller animal, but odds are the security force are contract guards
who wouldn't know the capabilities of the device and the blame would fall on
the animal and not you, assuming there were no cameras watching...
Microwave systems:
------------------
In an outdoor microwave system, a beam of microwave energy is sent from a
transmitter to a receiver in a conical pattern. Unlike indoor microwave
detectors, which detect an intruder's movement in the microwave field, the
outdoor system reacts to an intruder's presence by detecting the decrease in
energy in the beam. The beams can protect an area up to 1500 feet long and 40
feet wide. All transmission is line-of-sight and the area between transmitter
and receiver should be kept clear of trees and other objects that can block the
beam. Microwave systems can operate in bad weather, and won't signal an alarm
due to birds or flying debris.
These systems work on the Doppler effect, in which they detect motion that
changes the energy, and sets off an alarm. These devices will usually be placed
inside a fence to avoid false alarms. These devices are very easy to visually
detect. They are posts from 1-2 yards high, about 6 inches by 6 inches and
there are 2 of them, one receiver and one transmitter. In some cases there will
be more, which enables them to protect a larger area.
To defeat this, you can enter the field, very slowly, taking one step at a time
but each step should be like you are in slow motion. It doesn't matter how hard
you hit the ground, since it doesn't detect seismic activity, only how fast
you approach the field. If you take it very slowly you may be able to get past.
Detectors of this type get more and more sensitive as you approach the posts.
Ergo, choose a path which will lead you furthest away from the posts.
Photoelectric systems:
----------------------
These systems rely on an invisible barrier created by beams of infrared light
sent from a light source to a receiver. When the beam is interrupted, the alarm
sounds. The beam can have an effective range of up to 500 feet. Multiple beams
can be used to increase the effectiveness of the system, making it harder for
you to climb over or crawl under the beams. Photoelectric systems can be prone
to false alarms as a result of birds or wind-blown debris passing through the
beam. The problem can be corrected by the installation of a circuit that
requires the beam to be broken for a specified amount of time before an alarm
is sounded. Weather conditions like heavy fog, can also interrupt the beam and
cause an alarm. This can also be corrected by a circuit that reacts to gradual
signal loss. These systems should not face directly into the rising or setting
sun since this also cuts off the signal beam.
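The two corrective circuits described above (a minimum break time, and a reaction to gradual signal loss) can be sketched as receiver-side logic. This is an added example, not part of the original article; the thresholds, the sample counts and the choice to report a slow fade as a supervisory TROUBLE event instead of an intrusion ALARM are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BeamMonitor:
    # All values are assumptions for this sketch. Levels are percent of the
    # normal received beam strength; times are counted in samples.
    break_level: int = 20    # below this the beam counts as interrupted
    dwell_samples: int = 5   # interruption must last this long before reacting
    fade_samples: int = 20   # history inspected to decide whether loss was gradual
    max_step: int = 5        # largest per-sample drop still considered gradual


def classify(samples, mon=None):
    """Return [(sample_index, "ALARM" | "TROUBLE"), ...] for a level trace."""
    mon = mon or BeamMonitor()
    events = []
    lost_run = 0        # consecutive samples below break_level
    reported = False    # report each loss episode only once
    for i, level in enumerate(samples):
        if level >= mon.break_level:
            lost_run, reported = 0, False
            continue
        lost_run += 1
        if reported or lost_run < mon.dwell_samples:
            continue    # too short so far (bird, debris) or already reported
        first_lost = i - lost_run + 1
        gradual = False
        if first_lost >= mon.fade_samples:
            # Look at the descent into the loss: every step must be small.
            window = samples[first_lost - mon.fade_samples:first_lost + 1]
            steps = [a - b for a, b in zip(window, window[1:])]
            gradual = max(steps) <= mon.max_step
        # Too little history, or any abrupt drop, fails toward ALARM.
        events.append((i, "TROUBLE" if gradual else "ALARM"))
        reported = True
    return events


# Constructed traces (not measurements).
BIRD = [100] * 30 + [0] * 2 + [100] * 10            # brief interruption
INTRUDER = [100] * 30 + [5] * 8 + [100] * 5         # abrupt, sustained loss
FOG = [100 - 2 * k for k in range(50)] + [0] * 10   # slow fade to nothing
DARK_AT_START = [0] * 6                             # no history available
DEGRADED_THEN_CUT = [100] * 5 + [50] * 30 + [0] * 8 # weak beam, then abrupt loss

if __name__ == "__main__":
    for name, trace in [("bird", BIRD), ("intruder", INTRUDER), ("fog", FOG),
                        ("dark at start", DARK_AT_START),
                        ("degraded then cut", DEGRADED_THEN_CUT)]:
        print(name, classify(trace))
```

A TROUBLE event still needs a response, since the beam is not providing coverage while it is faded.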
As you can see this system has many problems which you can take advantage of to
bypass this system. As with any system and method, surveillance of the facility
should be accomplished in various weather conditions to help verify the
existence of a particular detection device, and to see how they react to false
alarms. Many times, you will be able to take advantage of various conditions
to accomplish your mission. If there is only one set of devices (transmitter
and receiver), try to estimate the distance of the sensors from the ground. You
can then either crawl under or jump over the beam. This also works on the
assumption that the intruder will not recognize that the device is in use.
MISCELLANEOUS:
--------------
Guards: There are two types, in-house or company paid guards and contract
guards. Contract guards are less secure since they do not work for the facility
and if they make a mistake they simply get transferred to another facility no
big deal. In-house guards know the facility better and have more to lose, thus,
they are probably more security conscious. Be aware of any paths around the
perimeter in which guards can/will walk/ride to visually inspect the exterior
of the facility.
Central monitoring: Monitoring of the devices mentioned in this article is
usually accomplished at a 'Central Station' within the facility. Usually,
guards *SHOULD* be monitoring these. If you have planned well enough, you may
find that the guard leaves his/her post to do various things at the same time
every night. This would be an ideal time to do anything that may be seen by
cameras. Unfortunately, there will probably be more than one guard making this
nearly impossible.
Gates: Probably the easiest way to pass through the perimeter is to go through
the gate. Whether in a car, or by walking. This may not be too easy if it is
guarded, or if there is a card reading device used for entry.
Exterior card readers: An in-depth look at the types of cards used will be in
part 3 of this series. But for now, if the card used is magnetic (not Wiegand)
it is quite possible to attack this. If you have an ATM card, Visa, or other
magnetic card, slide the card thru, jiggle & wiggle it, etc. and quite possibly
the gate will open. Reasons for this are that since it is outside, the reader
is subjected to extreme weather conditions day in and day out, thus, the
detecting heads may not be in the best of shape, or since it is outside it may
be a cheap reader. In either case, it may not work as well as it should and
can make 'mistakes' to allow you access.
Combinations: The devices listed in this article do not have to be used alone.
They can and are used in conjunction with each other for greater security.
Diversions: In some cases, a diversion could better ensure your passage through
the perimeter. Keep this in mind.
Extreme weather conditions: All devices have an effective operating range of
temperatures. On the low end of the scale, most devices will not operate if it
is -30 degrees Fahrenheit or lower. Though, quite a few will not operate
effectively under the following temperatures: -13 f, -4 f, +10 f, +32 f. On
the other side of the scale, they will not operate in excess of: +120 f, +130 f
and +150 f. It is unlikely that the outside temperature will be above 120
degrees, but in many places, it may be below freezing. Take this into
consideration if a facility has these devices, and you cannot bypass them any
other way.
I could not have possibly mentioned everything used in perimeter protection in
this article. I have tried to inform you of the more common devices used. Some
things were intentionally left out, some were not. I welcome any corrections,
suggestions, and methods, for this article and the future articles planned. I
can be contacted on a few boards or through the LOD/H TJ Staff Account.
CONCLUSION:
-----------
This article primarily dealt with the identification of various 'tools' used in
physical security for the deterrence, prevention, detection, and response to an
intruder. There also were some methods which have been used to attack, defeat,
and bypass these 'tools'. None of the methods mentioned in this article work
100% of the time in all circumstances, but ALL have worked, some were under
controlled circumstances, some were not. But all have worked. Some methods are
somewhat crude, but they get the job done. Some methods were intentionally left
out for obvious reasons. Even though this article was written in a tutorial
fashion, in no way am I advising you to go out and break the law. I am merely
showing you how to identify devices that you may not have known were in place
to keep you from making a stupid mistake and getting caught. The Establishment
doesn't always play fair, so why should we?
ACKNOWLEDGEMENTS:
-----------------
Gary Seven (LOH)
The LOD/H Technical Journal: File #4 of 12
Understanding the Traffic Services Position System (TSPS)
Part I - The Console
By The Marauder
&
The Legion of Doom!
/ Revision 1.0-02 X
Written Sometime in 1986...
- Special thanks to Bill from RNOC, Phucked Agent 04, and The (602) Scorpion
for their help in acquiring & compiling this information.
In this article I will discuss the basic layout description, and use of
the keys, found on the standard AT&T 100-B TSPS Console. Possible uses for the
information contained herein (besides for just wanting to know about the TSPS
Console) are primarily for social engineering purposes. The more you know about
operators and their jobs, the more you can get them to do things for you...
I. Basic Console layout
====================
+---------------------------------------------------------------------------+
! +---------------------+ +-------------------------------------+ !
! ! (Ticket Box) ! ! ( Display ) ! !
! +---------------------+ +-------------------------------------+ !
! !
! (NonCoin) (--- Coin 1-----) (-- Hotel --) !
! VFY OVR SCN INW EMR Sta 0+ 0- Sta 0+ 0- Pst Tne Sta 0+ 0- Gst !
! SES INT Pay !
! !
! (Outgoing trunk) (--- Ring Designation --- ) (Release) !
! DA R&R SWB OGT BAK FWD CAL T&C Nfy Chg Key BAK FWD SR MB Mt PT !
! BAK due clg !
! !
! +-----+ Cw (Station) PA CL SP SP AT DDD !
! ! M B ! CG CD CT !
! ! u u ! !
! ! l l ! (Person ) PA CL SP SP NO !
! ! t l ! CG CD AMA !
! ! i e ! !
! ! t ! (Coin 2) (AMA Timing) (Loop Ctl) !
! ! L i ! COL RET CA ST Cg Cg Cg !
! ! e n ! TMG TMG (Kpls key) (Num pad) !
! ! a ! Cd Cd Cd KP KP KP 1 2 3 !
! ! f T ! CA REC TB RT HO !
! ! r ! CAL MSG HD HD HD 4 5 6 ST !
! ! a ! KP KP !
! ! ! RLS !
! ! ! (Display Ctrl) KP KP 0 !
! +-----+ tim chg CLG CLD SPL BK FD +--------!
! min NUM NUM NUM ! Number !
! ! Plate !
+---------------------------------------------------------------------------+
Figure 1. 100-B TSPS Console layout
(Due to 80 col width, picture is a little distorted vertically)
Legend:
o Abbreviations in all capital letters are ILLUMINATED KEYS
o Abbreviations in all lower case letters are NON-ILLUMINATED KEYS
o Abbreviations in upper & lower case letters are LAMPS ONLY
ie: VFY = Lighted VERIFY key, tim = Unlighted TIME key, Cg = CALLING Lamp
-- Above is the standard AT&T 100-B console layout, while there may be
additional or different keys on the various consoles, they will generally
resemble the above layout closely. In the lower right hand corner you will
notice the numbers 0-9 laid out into what resembles a keypad, this is exactly
what it appears to be. The TSPS Operator uses this keypad for keying in not
only routing information (Phone numbers, Inward routings, etc..) but as a multi
purpose tool for entering various numeric codes recognized by the TSPS software
itself. Routing information applied onto the trunks from the TSPS position is
of course in MF (Multi-Frequency). When a TSO keys in a number or routing, the
console buffers the KP+INFORMATION DIGITS until the ST key is pressed, at which
time it plays the buffered KP+INFO DIGITS+ST onto the trunk in a uniformly
spaced sequence. So if you were somehow able to listen in on a TSO actually
routing a call, it would not sound like someone placing a call on a standard
Touch-Tone telephone (or homemade blue box), but more like someone pressing a
"Redial key" on a Touch-Tone (TT) phone. The duration of the tone and space
between the tones are a network-wide standard, although the network in most
cases is quite tolerant to deviations of this standard. (This "loose" tolerance
is what allows us to simulate In-band signalling with our blue boxes).
-- At the upper left hand side of the diagram you will see the Ticket box.
This box has 4 slots marked New, Cancel, Scratch and Completed. I believe this
is used for manually filled out trouble and/or time tickets. As far as I know
manually filled time tickets are a thing of the past, however in case of
equipment failure the tickets are available I assume. A TSO would manually fill
out a trouble ticket to report trouble reaching a number out of her LAN (Local
Area Network - or, The area directly served by her particular TSPS position),
whereas to report trouble with a number in her LAN she would simply key in a
trouble code (utilizing the KP-TRBL (Trouble) key) to automatically place a
trouble report.
-- To the right of the Ticket box you will see the DISPLAY. The display works
in conjunction with certain keys on the console, and is used to display timing
information (hours, mins, sec's), Cost per minute, Calling number
identification (what most people refer to as TSPS ANI), numbers called, and
various special codes. The console display can be in one of two states, either
1) displaying digits, or 2) displaying nothing (dark), both of which have
different meanings when resulting from certain procedures attempted by a TSO.
LIGHTED KEYS, and LAMPS on the console can be in one of three states: either 1)
NOT ILLUMINATED (dark), 2) ILLUMINATED, or 3) FLASHING. Again, the state of a
lamp/lamp-key means different things under different conditions.
II. KEY DESCRIPTIONS & USES
=======================
-- Below the Ticket box you will see a row of 5 keys starting with the key
labeled "VFY" (Verify), these are various special purpose keys used by TSPS
that have no real "grouping" unlike the other "Key groups". These are:
(VFY) - Verify, Illuminated key. Used in conjunction with the keypad, allows
the TSO to verify (listen in) on a telephone call that is in progress, although
any conversation taking place on that call is scrambled to the TSO, and despite
popular belief THE SCRAMBLING PROCESS IS DONE AT THE CONSOLE LEVEL, AND NOT ON
THE TRUNK LEVEL, SO FOR THOSE OF YOU WHO HAVE SEEN REFERENCE TO THE "BLV SCRAMBLING
SHUT OFF TONE" PLEASE IGNORE IT, IF YOU WERE TO SOMEHOW GAIN ACCESS TO A
VERIFICATION TRUNK FROM A NON-TSPS POSITION, THE CONVERSATION WOULD NOT BE
SCRAMBLED.
(OVR SES) - Over Seas, Illuminated key. Used in overseas call completion
through an Overseas Toll Completion Center/Server (IOCC). I believe it also
allows the TSO to key in more than 10 digits (standard POTS) for IDDD call
completion.
(SCN) - Screen, Illuminated key - Lights to notify TSO that incoming call has
an associated screening code, (ie: 74=collect calls only, 93=special billing).
Depressing this key causes the code to show on display, and it's up to the TSO
to decipher the code and explain its meaning to the customer if he/she is
attempting something forbidden by his associated screening code. (ie: Prison
phones have a screening code of 74, allowing them to place collect calls only.)
(INW) - Inward, Illuminated key - Lights to notify the TSO that the incoming
call is "Operator to Operator", therefore she answers by pressing the key and
answering "Inward!". In most cases Inward Operators are actually TSPS, with
their INWARD lamps lit.
(EMR INT) - Emergency Interrupt, Illuminated key. Used in conjunction with
the VFY key, to interrupt a call in progress while a line Verification is being
done, pressing this key causes an audible "beep" to be applied to the line, and
de-activates the console scrambling (for roughly 30 seconds) , allowing the TSO
to talk to the parties being verified/interrupted. Use of this key & the VFY
key, is constantly kept track of via various security & maintenance TTY's and
any abuse/misuse will set off alarms.
-- To the right of the above set of keys you will see three groups of
LAMPS/Keys labeled "Non-coin", "Coin 1", and "Hotel". The TSO utilizes the
condition of these lamps to identify the status of incoming calls. There are
three lamps that are common to each of the three groups, these are: "Sta",
"0+", and "0-" their meaning is identical in each case as you will see below.
(Sta) - Lamp, NON-COIN STA lamp lights when a non-coin caller requires TSPS
assistance in placing an otherwise direct-dialable call (in some rural areas
that have limited DDD features). COIN STA lamp lights on direct dialed coin
calls that are sent to TSPS for payment collection. HOTEL STA lights on Hotel
originated DDD calls; TSPS also receives the room number the call is being
originated from.
(0+) - Lamp, Lights to signify that the incoming call was originated by a
customer dialing a "0+telephone number" for an operator assisted call in each
of the three groups (coin, non-coin, hotel/motel). (ie. if a customer were to
place a "person to person" (op assisted) call from a payphone, this would cause
the "0+" lamp in the "coin" group to light, one placed from a residential phone
would cause the "0+" lamp in the "non-coin" group to light, etc..)
(0-) - aka "Dial Zero", Lamp. Lights to signify that the incoming call was
originated by a customer simply dialing 0 (zero), in each of the three
categories (non-coin, coin, hotel/motel).
(PST PAY) - Post Pay, Illuminated key. Coin group only, Depressed by TSPS when
a customer requests a "post pay" call from a payphone, allowing him to deposit
the full charge at the completion of the call.
(Tne) - Tone, Lamp. I believe this lamp lights to inform the TSO that a coin
customer has flashed his/her switchhook during a call in progress, requesting
operator assistance, although I'm not positive of this.
(GST) - Guest, Illuminated key lights on all hotel originated calls.
-- Below the above rows of keys and to the far left you will see a row of
keys labeled "Outgoing Trunks". TSPS utilizes this group of keys to select
various outgoing trunk groups. The keys are used as follows:
(DA) - Directory Assistance, Illuminated key. Used by TSO to place calls to the
directory assistance group.
(R&R) - Rate & Route, Illuminated key. Used to place calls to rate and route, I
believe TSPS now goes to the Universal Rate and Route position known to all you
boxers to be found at KP+800+141+1212+ST.
(SWB) - Switchboard, Illuminated key. I believe this key is used to reach a
cord-board position, although I have no evidence of this.
(OGT) - Outgoing Trunk, Illuminated key. Depressed by TSO to select an outgoing
trunk to be used to place operator assisted calls, special purpose calls (ie.
Inward), etc..
-- To the right of this row of keys you will find the group labeled "Ring",
these keys are utilized by TSPS to activate special purpose ring features and
line handling.
(BAK) - Ring Back, Illuminated key. Used by TSO to ring the originating party's
line while holding the forward line in the event that the originating party
loses his connection.
(FWD) - Ring Forward, Illuminated Key. Exactly the opposite of ring back.
(CAL BAK) - Call Back, Illuminated key. Used in special operator call back
situations on person to person calls where the called party is not available
but a message is left anyway, I really don't understand its full potential and
most positions I have spoken with don't either.
(T&C) - Time and Charges, Illuminated key.
(Nfy) - Lamp. Used in Non-ACTS (Automatic Coin Toll Service) originated calls,
lights to inform TSPS to notify caller of expiration of initial n minute period
(n = number of minutes entered via the KP NFY key at the origination of the
call).
(Chg Due) - Lamp. Lights to inform TSO that more money is needed at the
completion of a TSO assisted coin call, the usual procedure is to ring the coin
station back and attempt to frighten the customer into making the proper
deposit ("If you don't pay we'll bill the called party...").
(Key Clg) - Key Calling, Lamp. This lamp is used by TSPS to determine the
status of an incoming "Operator Number Identification" (ONI) marked caller or
an incoming caller that was routed to TSPS due to an "ANI Failure" (ANIF). Both
call conditions come in as a "0+" call (hotel, non-coin, coin - see above), if
the calling party is marked as "ONI Required" the appropriate "0+" lamp will
light, and the "Key Calling" lamp will be LIT STEADY. If the incoming call was
due to an ANIF, the "0+" lamp will be lit, and the "Key Calling" lamp will be
LIT & FLASHING.
-- Directly to the right of the "Ring" group of keys you will find the
RELEASE set of keys, these two Illuminated keys allow the TSO to selectively
release (disconnect from) either the calling, or called parties by pressing
either the "Release Back" (BAK), or "Release Forward" (FWD) key respectively.
-- To the right of the release set, you will see a group of four keys with
no particular "group designation", these again are various multi-purpose keys
that serve the following:
(SR) - Service (assistance) Required, Illuminated Key. Pressed by TSO to
Forward calling party to a supervisory console (ie. Irate Customers demanding
supervisor), can also be used if she is confused and needs assistance.
(MB) - Make Busy, Illuminated key. Used to "Busy out" her console, lights when
pressed, console will not take any incoming calls until it is pressed again.
(ie: Useful when gabbing, doing nails, or filling out time/trouble tickets).
(Mt) - Maintenance, Lamp. This lamp Illuminates to warn the TSO that her
console has been placed into remote maintenance/testing mode. A flashing MTNC
lamp indicates a faulty console.
(PT) - Position Transfer, Illuminated Key. A TSO depresses this key to transfer
the call in progress from her console (position) to another console.
-- Below the "Outgoing Trunk" keygroup, you will see a Lamp marked "Cw" Call
Waiting - This lamp lights on every active console to inform a TSO that there
are incoming calls waiting.
-- To the far right of the "Cw" lamp, you will find the AMA group of keys,
broken into two sub-groups, which are "Station" and "Person", a complete
description of each key in this group would require more room than I have
available here, so if there's sufficient interest I will devote another article
to the use of these keys. Basically these keys are used in conjunction with
the "KP" and "AMA Timing" groups of keys (see below), for attaching the
appropriate class of charge to the call being originated. The keys in the
"Station" sub-class from left to right are "Paid" (PA), which is used to attach
a "Station to Station" originating caller paid class of charge, "Collect" (COL)
to attach "Station to Station" Collect Call, "Special Calling" (SP CG) and
"Special Called" (SP CD), which are both used in "Special" Station to Station
billing procedures, such as third party, or credit card calls, "Auto Collect"
(AT CT), used in coin billing procedures, and "Direct Distance Dialing" (DDD),
which attaches a DDD class of charge in cases where you have trouble dialing a
number and require operator assistance in completing a call. Below this row of
keys you will find the "Person" sub-group of AMA keys, their uses are identical
to those in the "Station to Station" group only they attach a "Person to
Person" rate of charge. The "No AMA" (NO AMA) key is pressed to eliminate a
charge for a person to person call where the called party is unavailable.
Although all the keys in this group can take on different meanings under
different conditions, the above definitions are suitable for the sake of this
article. All keys in this group are Illuminated keys.
-- Below the "Cw" lamp you will find two keys under the heading "Coin 2",
their uses on "Coin originated (payphone)" calls are: "Coin Collect" (COL) -
which causes the payphone to collect coin, and the "Coin Return" (RET), causes
it to return a coin. Both are Illuminated Keys.
-- To the right of the "Coin 2" group, you will find the "AMA Timing" group.
These keys are used in conjunction with the "AMA", and "KP" groups for:
(CA TMG) - Cancel Timing, Illuminated Key. Cancels AMA timing charges and also
allows TSO to change the class of charge on a call.
(ST TMG) - Start Timing, Illuminated Key. Used to start AMA timing after
appropriate class of charge has been entered, and the calling party has reached
the called party in person to person calls (or in station to station DDD calls,
destination ring has been established).
(CA CAL) - Cancel Call, Illuminated Key. Used in conjunction with the Cancel
Timing key to Cancel a call and mark a "NON-COMPLETED" call on the AMA tapes
(ie. A person to person call where the called party is not available).
(REC MSG) - Record (AMA) Message, Illuminated Key. Used at the completion of a
call (completion meaning calling & called party are done talking), to record
the time of the call and the appropriate class of charge onto the AMA tapes and
release their forward connection.
-- To the right of the AMA timing group you will see three columns of four
buttons under the heading of Loop Control. These allow the TSO to access any of
the three loops available to her for placing calls. The keys have identical
meaning in each set; they are used in the following manner:
(CLG) - Calling Party, Lamp. Lights to signify person on said loop is a calling
party.
(CLD) - Called Party, Lamp. Lights to signify that person on loop is a called
party.
(HLD) - Hold, Illuminated key. Places a loop into a hold state, the calling and
called party can talk to each other, and AMA timing can be started. The call is
held at the console.
(ACS) - Access, Illuminated key. Used by TSO to initially access a loop.
Pressing this key selects an outgoing loop, and readies the console for placing
a call onto it. It is also used to allow TSO back into a loop(s) in a HOLD
state.
-- To the right of the loop control group you will see the "Keypulse Key"
group, these keys are pressed by the TSO to initialize the keypad parser into
the proper mode for entering information, which is completed/entered by
pressing the ST (START) key (to right of keypad). Their uses are as follows:
(KP TB) - KP Trouble, Illuminated key. Used to enter various TSO encountered
trouble codes such as noisy line, customer(s) were cut off, couldn't complete
call, etc. I believe the format for entering a trouble code is as follows: "KP
TBL + TC + NTE + CN + ST" where KP TBL = KP Trouble Key, TC = 2 Digit Trouble
code, NTE = Number of times Trouble was encountered (1 Digit), CN = Callers
(phone) Number, and ST = the START key. A record of the trouble is made on the
AMA tapes and the calling party is usually given credit.
(KP RT) - KP Rate, Illuminated. Used to enter and display Rate (Charge)
information. Can also be used to display rate information at a customer
request.
(KP HO) - KP Hotel, Illuminated Key. Used for manually entering a verbally
requested room number on Hotel/Motel originated calls.
(KP NY) - KP Notify, Illuminated key. Used for entering time in Minutes on a
NON-ACTS originated Coin call, when entered time duration is up, it causes the
NFY Lamp (See above) to Flash.
(KP SP) - KP Special, Illuminated Key. Used for entering Special numbers such
as credit card id's and third party billing numbers, causes TSPS software to
automatically query the BVA (Billing Validation) database to check validity of
number/CC, will flash if billing to an illegal card or number is attempted.
(KP BK) - KP Back, Illuminated Key. Used in entering the calling number in ANI
failures (ANIF), and ONI (Operator Number Identification) required situations.
(KP FD) - KP Forward, Illuminated. Most commonly used KP Key. Used to enter
called party's number on all TSO assisted calls. Pressing the ST (START) key
causes the entered number to be applied onto the accessed trunks in MF.
(ST) - Start, Illuminated Key (Found to the right of the keypad). Used in
completing all KP+number sequences listed above.
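The buffering behaviour described for the Keypulse keys (a KP key selects the mode, digits accumulate, nothing is acted on until ST) can be modelled as a small state machine. This is an added example, not code from the article or from any AT&T system; the trouble entry layout is the one the author tentatively gives above, and the 10-digit caller number, the rule that a new KP key discards the open buffer, and the sample numbers are assumptions.

```python
KP_KEYS = {"KP TB", "KP RT", "KP HO", "KP NY", "KP SP", "KP BK", "KP FD"}
DIGITS = set("0123456789")
CALLER_DIGITS = 10   # assumption: CN in a trouble entry is a 10-digit number


class KeypadParser:
    """Model of the console keypad buffer: KP key, digits, then ST."""

    def __init__(self):
        self.mode = None     # KP key that opened the current sequence
        self.digits = []     # digits buffered so far

    def press(self, key):
        """Feed one key. Returns None until ST completes a sequence."""
        if key in KP_KEYS:
            # Assumption: a KP key (re)initialises the parser and drops
            # anything buffered under a previous mode.
            self.mode, self.digits = key, []
            return None
        if key in DIGITS:
            if self.mode is None:
                raise ValueError("digit pressed before a KP key")
            self.digits.append(key)
            return None
        if key == "ST":
            if self.mode is None:
                raise ValueError("ST pressed with no KP sequence open")
            mode, number = self.mode, "".join(self.digits)
            self.mode, self.digits = None, []
            return complete(mode, number)
        raise ValueError("unknown key: %r" % (key,))


def complete(mode, number):
    """Interpret the buffered digits according to the KP mode."""
    if mode == "KP TB":
        # KP TBL + TC (2 digits) + NTE (1 digit) + CN + ST
        if len(number) != 3 + CALLER_DIGITS:
            raise ValueError("trouble entry must be TC(2) + NTE(1) + CN(10)")
        return {"entry": "trouble",
                "trouble_code": number[:2],
                "times_encountered": int(number[2]),
                "caller_number": number[3:]}
    if mode == "KP NY":
        if not number:
            raise ValueError("notify entry needs a minute count")
        return {"entry": "notify", "minutes": int(number)}
    if mode == "KP FD":
        if not number:
            raise ValueError("forward entry needs a called number")
        # Only now is the whole buffered sequence applied to the trunk.
        return {"entry": "forward", "outpulse": ["KP"] + list(number) + ["ST"]}
    return {"entry": mode, "digits": number}


def run(keys):
    """Feed a key sequence and collect the completed entries."""
    parser = KeypadParser()
    return [r for r in (parser.press(k) for k in keys) if r is not None]


# Constructed key sequences (the phone numbers are made up).
TROUBLE_KEYS = ["KP TB"] + list("12") + ["3"] + list("2125550100") + ["ST"]
FORWARD_KEYS = ["KP FD"] + list("2125550199") + ["ST"]
REKEYED = ["KP TB", "1", "2", "KP FD", "5", "5", "5", "ST"]

if __name__ == "__main__":
    for seq in (TROUBLE_KEYS, FORWARD_KEYS, REKEYED):
        print(run(seq))
```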
-- Below the "Coin 2" set of keys you will see the (POS RLS) - Position
Release key, this key is used by the TSO to release her position from the call.
She would hit POS RLS after completing a call, and also to release a person
calling to ask her questions and not actually requesting a call be placed (ie.
Name/place requests, etc..)
-- Below the Position Release key you will see a set of 5 keys labeled
"Display Control", these keys are used to make the console display show
various information. Their use is as follows:
(TIM) - Time, Unlighted Key. Displays time of day in Military format.
(CHG MIN) - Charge per Minute, Unlighted Key. Displays the $ charge per minute
on a call in progress.
(CLG NUM) - Calling Number, Illuminated Key. Displays the number of the calling
party.
(CLD NUM) - Called number, Illuminated Key. Displays the number of the called
party.
(SPL NUM) - Special Number, Illuminated Key. Displays various special numbers
such as Calling Card numbers, and third party billed numbers. Use of this key
in displaying Calling Card numbers is as follows: Press it once you get first
10 digits of 16 digit Calling Card, press it a second time and get the second 6
digits of the Calling Card, press it again and it darkens the display.
-- That's it for the keys on the console, on the left hand side of the diagram
you will see the "Multi Leaf Bulletin Tray", this is an all purpose holder for
information leaflets that contain information on special numbers, Rate & Route
information, special non-standard assistance routes, and various other TSPS
related information. At the lower right hand side of the console is the "Number
Plate", this is simply the console's Position number and ID number. It is a
stamped metal plate, I haven't figured out any way to abuse it yet, other than
scaring a TSO by knowing of it's existence.
- * That's about it for this article. If there is sufficient interest in TSPS I
will write further articles with more detail on the actual procedures used by
the TSPS operator in call handling and such. I will also be writing an article
on the BOC TOPS (Toll Operator Position Service) operators that have begun to
pop up since the divestiture, when I get some better information on the position
itself. It seems that AT&T inwards no longer handle only long distance
assistance in TOPS service areas and the TOPS ops handle all local area
assistance.
Until then, Dial with Care.
The
Marauder
Legion of Doom!
------------------------------------------------------------------------------
Any questions, comments or clarifications can be made directly to me, or via
the TJ's Staff account.
The LOD/H Technical Journal: File #5 of 12
An Introduction to Hacking TOPS-20s
by
The Blue Archer
To begin with, I would like to introduce this article and clarify a few things.
Firstly, this article was written to familiarize interested hackers with DEC's
TOPS-20 (Total OPerating System-20) and give them knowledge of how to
properly utilize its resources. This article will generally be limited to the
basics, with an advanced article forthcoming. Secondly, you may have seen
other articles I have written on the Tops-20 a while back. Well, this is simply
a better organized and updated article with primarily the same information.
And finally, I would like to say that I welcome any and all questions about
the article or the operating system and would be glad to help out with any
problems. I may be reached on certain boards or through the LOD/H TJ Staff
Account on sponsor BBS's. Anyway, have a good time hacking your local TOPS!
Starting Notes
--------------
o Capital letters in the beginning of a command indicate that those letters
alone may be typed for the whole command.
o <>: Brackets around any element(s) are required.
o (): Parentheses are not required unless otherwise stated.
o D: This symbol refers to control (ex: DA= Control-A).
o @: Is the general system prompt and is not considered to be typed by the
user when shown in examples.
o $: This is the enabled state system prompt (explained hereafter).
----------------
/EXTERNAL USAGE/
----------------
SECTION I: ACCESS
The commands for entering and leaving a Tops-20 are LOGin and LOGOut
respectively. The correct usage of these commands is as follows:
@LOGin USERNAME
@LOGOut USERNAME
Where username is a variable for the account name. Account names may be
virtually anything, depending upon the system. I employ two methods for
attaining usernames. The first, and most commonly known and used is checking
the system status. This is done thusly:
@SYstat
This will cause the computer to list out various information about the
assorted users logged in and their status and the status of the system as a
whole. This command does not work on all Tops-20 computers from a non-logged-in
state, namely versions 6.1 and higher. A second and immensely more effective
method is superior use of the escape character. The complete use of this
character will be discussed later. For use in logging in, one types LOGin and
then a letter or series of letters and then the escape key. Depending on the
number of usernames beginning with the same letter(s), the computer will fill
in the rest of the username. Once the letters typed are such that only one
valid username could result from continuing to type, the escape key will fill
in the rest if pressed. Here is an example:
@LOGin S(escape)
(the computer responds with a beep because there is more than one username
starting with the letter S, so I type another letter)
@LOGin SM(escape)
(beep once more)
@LOGin SMI(escape)
@LOGin SMIth (PASSWORD)
          ^^
(The computer fills in the 'th' part of the username for me and asks for the
password with the parentheses and all).
One note: If the computer fills in an account name and then when a password is
tried it responds with a 'not valid account' message, it simply means that it
is a non-loginable files-only account which will be discussed later.
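The escape-key recognition and the 'not valid account' reply described above both act as username oracles for an unauthenticated caller. The Python model below is an added illustration, not part of the original article and not TOPS-20 code; it sets that behaviour beside a hardened prompt, and the account names, the handling of unknown names and the generic failure text are assumptions.

```python
# Added illustration: a toy model of a pre-login prompt, not TOPS-20 code.
# Account names and every reply except 'not valid account' are constructed.
ACCOUNTS = {"SMITH": True, "SMYTHE": True,   # True  = may log in
            "SYSLIB": False}                 # False = files-only account
BEEP = "\a"
GENERIC_FAILURE = "login incorrect"          # constructed uniform reply

def recognize_leaky(prefix):
    """Beep while the prefix is ambiguous; fill in the rest once one name fits."""
    matches = [name for name in ACCOUNTS if name.startswith(prefix.upper())]
    if len(matches) == 1:
        return matches[0][len(prefix):] + " (PASSWORD)"
    return BEEP   # assumption: a prefix with no match also just beeps

def recognize_hardened(prefix):
    """No recognition before authentication: every prefix gets the same reply."""
    return " (PASSWORD)"

def login_leaky(name, password_ok):
    """Failure text differs by account state, so it confirms which names exist."""
    state = ACCOUNTS.get(name.upper())
    if state is None:
        return GENERIC_FAILURE
    if not state:
        return "not valid account"
    return "ok" if password_ok else GENERIC_FAILURE

def login_hardened(name, password_ok):
    """Unknown, files-only and wrong-password attempts are indistinguishable."""
    if ACCOUNTS.get(name.upper()) and password_ok:
        return "ok"
    return GENERIC_FAILURE

def distinct_replies(handler, inputs):
    """Number of different replies an unauthenticated caller can tell apart."""
    return len({handler(*args) for args in inputs})

# Constructed inputs: the article's S / SM / SMI sequence plus two more prefixes.
PREFIXES = [("S",), ("SM",), ("SMI",), ("SY",), ("Q",)]
ATTEMPTS = [("SMITH", False), ("SYSLIB", False), ("NOBODY", False)]

if __name__ == "__main__":
    for label, rec, log in [("leaky", recognize_leaky, login_leaky),
                            ("hardened", recognize_hardened, login_hardened)]:
        print(label, "recognition replies:", distinct_replies(rec, PREFIXES),
              "login replies:", distinct_replies(log, ATTEMPTS))
```

A prompt is safe against this kind of disclosure only when both counts are 1, which is the same test applied today to login and password-reset forms.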
While trying to gain access to a system, it is wise to use all the pre-login
resources available. On versions 6.x these resources are virtually nil but on
the older versions, one may sometimes find an incredible amount of help. To
see what actual help is available, type:
@HELP ?
Look for certain things like SECURITY and LOGINHELP. If the system in use is
on a net, or for some reason the dialup number is not known but wanted, it can
sometimes be found in help files most commonly named DIAL, DIALUP(S), and
PHONES. So, to view them, simply type:
@HELP DIALUPS
Or the name of whatever help file is desired.
The Information command is also a useful command, more fully discussed
later. The most useful Information commands are as follows:
@Information VERSion
This will display the banner. If the computer, for security reasons, did
not display the banner upon connection, then this may prove useful in
identifying the target computer.
@Information DEC
lists the various Decnet nodes available. On 6.x versions
@I DEC NODENAME
will tell if a path is open to the node or if the object node is currently
up and running.
@I ARPA
will tell the status of ARPANET with respect to this particular computer,
meaning whether or not the software is up and running and the status of
connections.
Networking will be explained in the advanced Tops hacking file.
----------------
/INTERNAL USAGE/
----------------
SECTION II: SYSTEM FUNCTIONS
Under normal circumstances, with the exception of currently running programs,
the exec level (command level) prompt will be either @' or