[ D4RKCYDE ]

[ F41TH ISSUE NINE: AUGUST 1999 ]

-o[ D4RKCYDE ]o- L0RDZ 0F THE BAUD

-o[ hybrid ]o- http://darkcyde.phunc.com
-o[ zomba ]o- #darkcyde efnet.
-o[ downtime ]o- http://hybrid.dtmf.org/files/faith/faith(x).zip/txt.
-o[ digiphreq ]o-
-o[ lowtek ]o- ' technology has turned reality into a paradox,
-o[ shadowx ]o- forms are not always as they seem. '
-o[ jasun ]o- - fear factory. remanufacture (demanufacture)
-o[ microwire ]o-
-o[ bodie ]o- ' 0WNED ' - ?
-o[ shylock ]o-
-o[ force ]o- " Hi, I'm Helen firth " -hellfire
-o[ sintax ]o-

-o[ sh0utz ]o-

Shouts to all that went to DNScon, the organisers, john, savy, darkcyde, psyclone, abattis, coldfire, b00ger, hellfire, cyborg, crashd, backardi. Also shouts to 9x, b4b0, substance, oclet, knight, phunc, ch1ckie, gr1p, epoc, kryptus, simmeth, dgtlfokus, voltage, tip, phix, siezer, oeb, infidel, phace, katkilla, aktiver, typeo, essgurl, port, euk, 5O5, #darkcyde.

-o[ contents ]o-

-o[ editorial ]o- -o[ hybrid ]o-
-o[ E911 news/update II ]o- -o[ digiphreq ]o-
-o[ D4RKCYDE at secondary DNScon, Blackpool'99 ]o- -o[ h,j,z,b,s ]o-
-o[ overview of meridian hacking ninja style ]o- -o[ hybrid ]o-
-o[ review of.. ANTISOCIAL magazine... ]o- -o[ hybrid ]o-
-o[ a short guide to the evolution of switching ]o- -o[ hybrid ]o-
-o[ f41th CNID advisory/bug ]o- -o[ f41thless ]o-
-o[ digiphreq's trip to a 5ESS CentralOffice ]o- -o[ digiphreq ]o-
-o[ BTs lite ADSL technology/proposed test area ]o- -o[ sonicborg ]o-
-o[ xDSL local loop access technology ]o- -o[ exphunged ]o-
-o[ introduction to the workings of a cellphone ]o- -o[ downtime ]o-
-o[ underground BellAtlantic secure vaults ]o- -o[ degauss ]o-
-o[ .gov radio frequency listing/info ]o- -o[ digiphreq ]o-
-o[ defeating CLI with simple but effective stealth ]o- -o[ hybrid ]o-
-o[ outness/general imph0 ]o- -o[ hybrid ]o-

ARTICLES: hybrid@dtmf.org zomba@phunc.com digiphreq@webcrunchers.com
MAILTO: hybrid@dtmf.org zomba@phunc.com digiphreq@webcrunchers.com
US/PHONE: 1-877-873-7454 (toll-free) comments/suggestions/questions/phonebone
US/FAX: 1-877-873-7454 (toll-free) comments/suggestions/questions/faxbone

-o[ editorial ]o- -o[ D4RKCYDE ]o- -o[ by hybrid ]o-------------------------------------------

Welcome to f41th issue 9, this time edited/hosted by yours truly :> f41th 8 was like huge, well over 3OOk of text, so don't expect us to pull something like that off for a while. When I started f41th, back at christmas 98, the idea was mainly to give D4RKCYDE a kind of purpose, or something to focus on. Now f41th has grown into a modest sized zine, with loads of 'modern' info. We never even thought that we would manage to get f41th past issue 4, but it seems the zine is just getting better all the time. We've also noticed a massive increase in the amount of people that read the zine; for example when f41th 7 was released, at one point it was being downloaded more than 15 times a minute for a steady period of over 24 hours. That may not sound like much, but to us that's great. I'd like to say thanks to everyone who takes the time to read f41th each time we release it.
This issue we have decided to take extra care with the content of the zine because we have received various comments through the mail that f41th is getting a little bit ascii packed and the irc logs etc take up too much space. Personally I think the irc logs are hilarious, but that's my opinion, and after all this is a public zine designed for public readers, so the customer is always right, so to speak. So from now on, expect f41th to be more interesting to read, and packed full with more technical/contemporary info than ever before.

As I was saying before, we have noticed a colossal increase in the f41th issue downloads from the servers that host f41th. When we release a new issue, it is only uploaded to one server, so we can get an idea of who and how many people are reading it. That is why we ask that people who wish to host f41th on their own box/server contact us in advance before doing so. In other words, please do not host f41th unless you have emailed us and asked us first. We will then be able to send distributors of f41th the new issues within 2 hours of it actually being released. I'd like to state that the [C] at the end of each issue means something, just ask before you decide to distro, thanks.

Again, it seems f41th is being read/monitored by certain organisations, for what purpose is a mystery to us. Perhaps they want skooling or something. For example, here are some of the shady looking hosts that downloaded f41th8.

scully.mugu.navy.mil - - [14/Jul/1999:12:30:34 -0500] "GET /faith8.txt
shiva-isp144.nctsw.navy.mil - - [21/Jul/1999:10:02:32 -0500] "GET /faith8.txt
puck.pnl.gov - - [08/Jul/1999:14:56:34 -0500] "GET /faith8.txt
firewall.camcnty.gov.uk - - [17/Jul/1999:08:14:33 -0500] "GET /faith8.txt
mailhost.dera.gov.uk - - [18/Jul/1999:16:10:05 -0500] "GET /faith8.txt
security.mi5.gov.uk - - [24/Jul/1999:15:04:01 -0500] "GET /faith8.txt

Looks like someone out there has DNS 0wning technique, lol, dera.gov.uk and mi5.gov.uk.. Somehow I don't think they would be that obvious about their intelligence gathering; if they are, it would be obvious that the UK .gov have no stealth. ;> WTF are the navy doing reading f41th? - beats me, maybe they get bored in the middle of the ocean and need something to read, heh.

There is just one thing I'd like to add to my editorial. Lately we've had so many comments from people saying things like, 'you guys think you're leet', and things like 'you won't get any respect from people if you flame them all the time in f41th'. The fact is, we don't care what people think of f41th! It's merely a product from D4RKCYDE, all we are doing is writing a zine based on our knowledge as a h/p group. Also, we only flame people we think deserve it, for example.. PhoneLOOSERS-uk/england, they rip other people's stuff off, so we don't like them, big deal, take a look for yourselves, goto: http://www.ple.8m.com.. heh, we even put a little advertising in there for them, we're not all that bad, heh.

Anywayz, enough from me. We hope you enjoy this issue of f41th, take it easy.

hybrid

-o[ News - Regarding Wireless E911 ]o- -o[ D4RKCYDE ]o- -o[ Digiphreq ]o--------------------------------

I was cruising around and came across this. I wrote an article a while back regarding Wireless E911 so I figured I might update things. Anyway I found this so I'll republish it here. I take no credit for writing this and so on and so on.

Bell Labs Geolocation Technology Pinpoints Wireless 911 Calls Within 15 Feet.

WHIPPANY, NJ (June 30, 1999)-- Researchers at Lucent Technologies' (NYSE: LU) Bell Labs have developed the most sensitive technology yet for pinpointing the location of wireless 911 emergency calls. The approach is accurate within 15 feet when users are outdoors and 100 feet when they are indoors.

The Bell Labs geolocation technology offers marked improvements over currently deployed systems for locating wireless 911 emergency calls.
Moreover, it provides network operators the double benefit of meeting a 2001 federal mandate while opening opportunities for new service revenues. For example, pinpointing a customer's location could yield such services as detailed driving directions and local traffic information, especially when combined with improved data services expected two years from now.

"We intend to pursue standardization of this geolocation technology so that it can be widely and inexpensively deployed," said John Freidenfelds, director of wireless technology applications at Lucent's Wireless Networks Group.

The Bell Labs technology works with all of today's global digital networks and also will be compatible with next-generation (3G) broadband wireless networks, which will provide a broad assortment of location-based services, as well as high-speed, Internet-based multimedia services.

The driving force for the Bell Labs research has been a U.S. Federal Communications Commission mandate stating that by October 2001, all wireless 911 calls must be pinpointed within 410 feet. Currently, wireless 911 calls can be pinpointed within only a three- to six-square mile service area on average. The Bell Labs geolocation technology would provide more precise location information to police, which is especially helpful when callers are unfamiliar with their whereabouts, and also would allow 911 calls to be routed more quickly to the appropriate rescue squad.

The Bell Labs approach involves both the wireless handset and network infrastructure. Global positioning system (GPS) units are placed throughout a wireless network. As the units keep track of GPS satellites orbiting the Earth, they pass along key satellite information - including estimated time of the signal's arrival - to nearby wireless handsets, which are equipped with scaled-down GPS units. Then, based on time differences between when the network's GPS units and the handsets receive signals from the satellites, it's possible to precisely pinpoint the handset's location.

"With the information boost that the network gives the handset, our approach is 100 times more sensitive than the handset approach for wireless geolocation that involves putting an entire conventional GPS unit into each handset," said Bell Labs researcher Giovanni Vannucci. Besides providing very poor performance indoors, those handsets are costly, bulky and are a drain on portable batteries. Another common wireless geolocation technology is solely network-based, but that approach requires expensive base-station equipment, is imprecise, and does not perform well in hilly areas.

The Bell Labs researchers also have enhanced their geolocation approach by developing a method to estimate handset location, which shortens the handset's initial search for a satellite signal. A software program, based on the wireless signals that a handset receives from several base station antennas, helps to estimate a handset's location.

Other researchers working on the Bell Labs geolocation technology include Bob Richton, T.C. Chiang, Richard Leung, Ren Da, and others in Whippany and Naperville, Ill.

This information is based on a press release written by Sam Gronner and Steve Eisenberg of Bell Labs Media Relations.

-o[ D4RKCYDE at DNScon Blackpool UK ]o- -o[ D4RKCYDE ]o- -o[ by hybrid zomba bodie jasun & sonicborg ]o-------------------------------------------

On Friday 13th August a few of us decided to take a trip to the computer security/hacker convention D-N-S in Blackpool (www.dnscon.org). The con was split into 2 sections: various things such as 'hack the flag' and 'hacker jeopardy' arranged by Manchester 26OO & AntiSocial Magazine, and a second half that was a series of lectures related to computer security, mostly from a defense perspective.
We arrived in Blackpool on Friday night, and joined the other DNScon ppl in a pub, then later proceeded to blackpool pleasure beach (where hybrid got lost), then later to a bar where we departed from the DNS crowd and went off to do our own thing. We spent most of the night in some club where we got sonicborg drunx0red on 3 pints of finest blackpool watered down beer. The next morning we went to the actual DNScon...

The con was littered with advertisement flyers for AntiSocial magazine, one of which made us laugh.. " STILL PAYING FOR YOUR PHONE CALLS - read A-S mag "... Like, they must be giving out free calling cards or something. HEH.

Hack the flag competition:

This was the fun part.. a 'network' set up by AntiSocial magazine where the goal of the competition was to own the AntiSocial suse 6.1 box at the other end of the network. To prove that you had done so, you had to take a keyfile from the root directory of the target box. Participants of the game also had to have a keyfile in the root directory of their own boxes which other participants of the game had to try and claim as well. We configured our laptop ready to connect to the AS mag network, but were unable to connect to the 'network' because the AS team were unable to network 3 or 4 486 boxes to an ethernet hub in the space of 6 hours. So...

Q. how can you root a box if you can't get a network connection to it?
A. wait until AS magazine attend a unix security lecture (to be skooled), walk over to the target box (which was left un-attended, logged in as ROOT for over 1 hour at a hacker convention).

O dear o dear o dear... AS mag have obviously never heard of physical access security before, and decided to leave the target box in a root shell, running multiple screens.. why? -beats us.. it's common sense, you don't leave an un-attended box logged in as root slap bang in the middle of a hacker convention@%^! (but they did)

So we walked into the room and decided to go take a look at the box we were supposed to be 0wning (if AS mag ever managed to set the network up).. so hybrid sat down in front of the target terminal..

" OMG!, SHIET!, .. its fuckin logged in as root! " -hybrid

About 10 minutes later (after all 5 of us managed to stop rolling round on the floor in sheer hysterics at AS magazine's unix security teqn1q) a few un-savoury things 'happened' to the AS mag box... we copied the keyfile/flag-file to the /floppy drive, changed its access permissions and made multiple copies of the file in hidden publicly-accessible directories, added multiple users with root shells, etc etc, then finally backdoored it (in case the really knowledgeable AS mag team managed to get the 'network' up). They didn't even notice that the box had a distinct lack of bash history. As expected, AS mag blatantly denied that they were 0WNED, and re-installed the entire OS and said "no-one touched it". Obviously ASmag were in fear of our 0day walking over to an un-attended logged in root console teqniq. If the ASmag team had actually managed to connect the box to the network we would have played fair, but the fact is, ASmag couldn't network 2 gameboys together if they tried. Anyways, we did have fun, so thanks ASmag for providing us with the entertainment, although we were expecting a little more of a challenge :>

Saturday evening:

We foolishly entered ourselves for the 'hacker jeopardy' competition.. first up was bodie who managed to score a grand total of -700 points on starwars questions, next up was hybrid and helfire in 'team drunk' against a single american dude 'team yank' -we got 0wned.

Q. its a strange sounding Scottish ISP..
A. AOL.
Q. its a black and white american h/p publication the same size as 2600 mag..
A. blacklisted.. SHIET i mean what is bla..
A. what is blacklisted 411..

Our excuse for l00zing: We were too busy admiring the hostess that was keeping the scores. :P~ :)

The aftermath....

A room full of drunkx0red hax0rz (and computer security professionals).. We had a picture taken of us all in our D4RKCYDE t-shirts (which we are sure will appear on certain websites - pic taken by armageddon)..

Well that's our extremely short account of DNS blackpool. Big shouts to John the organiser, as well as Crashd from ASmag (the only ASmag member that spoke to us) werd, shouts to BRITISH RAIL for providing us with the free transport, shoutz to MCDONALDS for the free food... shoutz to the pub for the free beer. shoutz to the chick that winked at hybrid at the station, shouts to the dude we saw laying in his own vomit at a blackpool kebab stand. Shouts to the GBH dudez.. not so big shouts to.. the old woman who shouted at bodie for doing a pipe on the train, the loud mouth slappers that wouldn't shut up while we tried to conf on a train.. the dude that had his pint knocked over by zomba (when he brought you another pint the content was slightly altered), the rain, the wind, the ugly chicks, the cab drivers.

WERD to EVERYONE that attended the D-N-S Convention, Blackpool 1999. See you next year. :>

hybr1d z0mba j4sun bodie sonicborg

EYE 0F THE T1GER (private joke)

www.dnscon.org

-o[ hacking meridian mail - an overview ]o- -o[ D4RKCYDE ]o- -o[ by hybrid ]o-----------------------------------

I think I have read about 6 guides to hacking meridian mail, and they get worse all the time. Every meridian text I have read concentrates on the features and architecture of the meridian mail system; however I am surprised at the lack of information available that concentrates on the actual hacking of meridian mail. This article will concentrate on various techniques that can be used when hacking meridian mail. For those of you who are unaware, meridian mail is a voice messaging system designed by Nortel technologies and has many advanced features. A lot of people seem to think that hacking voicemail networks is lame; bullshit.
I would argue that meridian mail is the most advanced voice platform there is when it comes to voicemail and voicemail networking. Meridian is way more advanced than any other voicemail system out there; it puts Octel, Audix, Aspen, Phonemail and other network leaders such as Infostar to shame. Meridian is designed to be fairly secure, but like most networks it can be very vulnerable if you know the weak points. The only voicemail system that I believe offers a respectable level of security is the Audix voicemail platform, but that's another article. Unlike the other meridian mail guides out there, I'm not going to rant on and on about meridian mail features and network architecture, I've written several files on that already, so I'm going to get straight to the point; here is how you hack meridian mail (the effective way).

Before you do anything, you need to be able to identify a meridian mail system properly. There are many different ways to identify a meridian mail system; most of the time people only pick up on the real obvious meridian mail systems, where you get a login prompt after you have dialed the number (" meridian mail, mailbox?.. "). However, there are many different ways of identifying a meridian mail system. The voice prompts on meridian mail are all in a female voice, and can adopt a multitude of forms from different accents to different languages, depending on where you are. The majority of the time the voice prompts will be American-English in accent, and quite monotone in nature. There are several different prompts you can come across when dialing a meridian system. As I said before, the most obvious one would be.. 18OOxxx xxxx.. " meridian mail, mailbox? ". Here are the different types of meridian mail dialin prompts, with what each one gives you.

[ " meridian mail, mailbox? " ]

Here you are confronted with the meridian user login prompt; your only option here is to guess a box number and password. Here is where meridian mail can be a real bitch: there is no way of telling if you have dialed a valid box on the system, you could hit any number of digits and still get a password prompt. Either way, you will usually have 3 login attempts before you will hear something like: " login incorrect, please contact your system administrator for assistance, goodbye. " Because there is no way of telling what prefix the mailbox/extension numbers are in from this dialin prompt, you are dialing blind, so your only hope with this type of dialin prompt is simple guess work, or if you read this, an educated guess. Most systems will have 4 digit boxes, which will usually have a default passcode set to be the same as the box number. The login convention is like this: you dial your mailbox number xxxx suffixed by [ # ], you then receive the password prompt which will ask you to enter your password followed by the # key. Like I said before, there is no way of telling if you have found a valid box because you will be asked for a passcode whatever you enter. So, for this type of login prompt we simply guess. The box ranges could be 3 to 5 digits long or more depending on the size of the voice network; 4 digit boxes are the most common though. Just try random boxes like this.. 5463 [ # ] 5463 [ # ], 3788 [ # ] 3788 [ # ] etc etc, until you successfully login to a valid box. (more on this later)

note: if someone tries to incorrectly login to a valid box too many times, the system will disable the box so even the legitimate user can't access it; they would subsequently have to go to the sysadmin in order to get the box reactivated.

[ " express messaging, to mailbox? " ]

Here is another common meridian prompt that you are likely to come across. It is simply a meridian prompt for an external user to leave a message for someone on that system, if they know the person's extension/mailbox number.
Here you can't really go wrong, because you are able to find out what prefix the mailbox/extension numbers are likely to be in. You will get one of these 2 system messages after entering an extension/mailbox number + [ # ].

a) " There is no mailbox at, xxxx "
b) " mailbox xxxx, please leave a message at the tone. " (or the person's recorded name - if they bothered to set one).

If you guessed an invalid mailbox number, just keep trying until you find a valid mailbox and you should receive system recording [ b ]. When you have successfully managed to find a valid box, note the prefix down as there is bound to be a nice cluster of mailboxes in that area as well. You now have the option to do a few things. Once you get system recording [ b ] you could hit * and you will hear " there is no recorded message, to record a.... ", or if you waited for the tone prompt to record your message for that mailbox, hit [ # ] and you will get " recording stopped ". (Wherever you get lost with the commands of meridian mail, simply hit [ * ] to hear a limited set of help on message/mailbox commands.) Now, you could hit [ 81 ] and you will receive the standard meridian mail login prompt as described above, but all you can do here is try to login as the box number you successfully guessed, which should work most of the time; but if it doesn't you need to find more boxes, which can be achieved by dialing various extensions on the internal pbx system. I will discuss this in a little while.

[ " the person at extension xxxx is not available to take your call, please leave your message at the tone. " ]

Again, here you can hit * to get your list of options, such as [ 81 ] to login, 0 xxxx [ # ] to dial an extension etc.

[ " mailbox xxxx, please leave your message at the tone " ]

Again, hit [ 81 ] to login, * to get message options.

[ " the person at extension xxxx is not a subscriber to this service, call answering cannot be completed at this time, transferring to an attendant, one moment please.. " or: " please try again later, goodbye. " ]

Here there is not a lot you can really do, unless you have dialed the number after business hours and it transfers you to the attendant/operator, who is not likely to be there, so a recorded greeting would be in place, where you would be able to login and dial around the system as normal.

[ " please dial the number of the person you are calling. " (hit * and you will hear: " you have reached an automated service which will connect you to the phone number you enter.. " you also have an option to dial by name.) ]

Here is meridian's biggest vulnerability: you are able to dial extensions on the system. Big deal I hear you say. The fact is, if you are going to hack a meridian mail system effectively, you need to get to this prompt so you can explore the entire system. You can get to this prompt through many ways as discussed before, or by dialing 0 number # at a recording prompt, but this prompt can usually be found by direct dial. You are looking for a number of things here, such as modems on extensions (meridian remote administration), valid extensions (valid mailboxes) and meridian goodies such as the MICB built in meridian conference bridge. Other things to look out for on meridian extensions are prompt maintenance extensions, PA extensions (where you control the company's PA system) and external lines. (more on external lines in a while)

Guessing valid extensions is fairly self explanatory, but sitting there for ages getting " that number cannot be reached from this service " over and over again can be a little off-putting, so we employ our own ways of guessing an extension number. Here is a vulnerability that exists on most meridian mail systems where you are able to get an extension prompt. I give a guy called 'public_nuisance' credit for this, as he was the person who originally found this meridian vulnerability. This is what you do if you can't seem to guess a valid extension.
First start at the higher numbers and work your way up, for example, hit 8 then [ # ]. You will get either " beep, that number cannot be reached from this service, please try again.. " or " pause.. your call cannot be completed at this time, transferring to an attendant, one moment please.. ". If this is the case, and you get " transferring to an attendant ", quickly hit [ * ] a couple of times and it will drop you back to the dial extension prompt. Now, here is where the vulnerability lies: if you receive that system recording, it means that the system is expecting more digits to be dialed after [ 8 ] or whatever number you chose to start with. So next you try dialing 89[#]; if you get the same system recording it means it wants more digits, so just hit ** again to get back to the dial extension prompt, or you may get " that number cannot be reached... " which means you need to try 8 then something else like 87[#]. See where I'm going?.. Basically you are stepping up the digits and looking for the system announcement that says " transferring to an attendant ", where you hit [ * ] a few times and keep dialing, adding more digits to the sequence each time, until eventually you find the prefix of box/extension numbers.

Working example (each ( ** ) is where you hit [ * ] twice to return to the dial extension prompt):

8[ # ]      " your call cannot be completed at this time " ( ** )
87[ # ]     " that number cannot be reached from this service "
89[ # ]     " your call cannot be completed at this time " ( ** )
896[ # ]    " your call cannot be completed at this time " ( ** )
8965[ # ]   " your call cannot be completed at this time " ( ** )
89654[ # ]  " that number cannot be reached from this service "
89652[ # ]  --> [ ring ring ring ring ]

So, in the above working example, we see that the valid extension number was [ 89652 ]; this was found by a process of elimination with the help of the extension vulnerability. This way you do not have to sit there for ages guessing valid extensions, you just step up and up through the trunk selection. This method can also be used if the system is configured for through-dialing but has a passcode protecting the outdial service, in which case you can get the passcode by using the above vulnerability, because meridian outdialing passcode protection is based on trunk selection on the pbx system.. way-to-go Nortel ;]

One of the reasons people hack meridian is because of its nice outdialing feature. Usually once inside a box, you can sometimes get an outside line by dialing 9 before the number. So for example, if inside a box, you dial 0, 1234 [ # ] that will put you through to extension 1234. But if system outdialing is enabled you can simply dial like this, 0,9,number [ # ] and this will select an external trunk and route your call to the outside. On a poorly configured system (which most are) you may be able to dial externally without even logging into a mailbox. For example, if you get to the dial an extension prompt, you could simply prefix the number with a [ 9 ] and your call would be processed as normal.

Word of warning though. Meridian logs all routing activity, so for example, say you called your g/f via meridian outdialing, the system administration part (MAT - meridian administration tool) would log the following: you dialed 0,9,npa-blahblah[ # ].. meridian will log the extension (or originating location) from where the call attempt is coming from, it will then log the number, the time of the call, length of the call, and even how long it took you to dial the digits. (very handy for the 'law') There are several ways around this though. For starters, don't even think about calling a meridian direct from your home if you are going to use one for outdialing; if you do, route your call.
Or, if you managed to find the remote administration dialin modem on one of the extensions, you can configure your own trunks for through-dialing, ie; with no originating point or call tracking features enabled. Now, that's enough of the extensions and call routing etc, now for the rest of the article.

If you dial a number and you get something like " press 1 for blah-blah, hit 2 for yack-yack " etc etc, don't just pass it off as some IVR system whatever, because meridian can be configured to act as a dialin menu as well. In fact, this is the most popular type of meridian dialin that you are likely to come across. To identify the menu system as meridian, you can use the following: if you hit an invalid key that is not in the menu options you may get:

[ " that command is not recognised " ]

Again, this is a dead giveaway that the system is likely to be meridian based. If this is the case, it is likely that in the dialin menu you may have an option to dial an extension number, leave a message (express messaging), login to meridian mail etc. If none of those options exist, call the number back after business hours, and try out all of the options until you eventually get routed to an un-attended extension where the extension owner's voicemail greeting should come on, where you will be able to do what was discussed before. If all else fails, simply hit [ 0 ] for the operator; if they are not attending the switchboard, the general voicemail box for that company should come on, and you can do your stuff.

Now, you know how to identify a meridian mail system, and have managed to login to a box. Here's what to do next.. When you have logged into a box you will hear something like " you have no new messages " or " you have x new messages " or " your mailbox is full, to delete a message you no longer require press 76 " or " your password has expired, to change your password press 84 " etc etc. Now, you know the default password for the system, so you need your own box.
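The conditions this article keeps coming back to (the default passcode being the box number, boxes that were never personalised, boxes whose owner has stopped checking them, and the three-attempt lockout) are exactly what a voicemail administrator should be auditing for on a regular basis. The following is an added example, not Nortel code and not from the original article: a Python audit over a constructed mailbox export. The CSV layout, its column names, the 60-day dormancy threshold and the sample rows are all assumptions made for the example.

```python
"""Audit a voicemail mailbox export for takeover-prone boxes.

Added example (not Nortel code). The export format is an assumption:
  box, passcode, passcode_changed (Y/N), last_login (ISO date or empty),
  oldest_unread (ISO date or empty), failed_logins
"""
import csv
import io
from datetime import date

# Constructed sample export, not real data.
SAMPLE_EXPORT = """box,passcode,passcode_changed,last_login,oldest_unread,failed_logins
5400,5400,N,,,0
5401,2718,Y,1999-08-10,1999-08-11,0
5402,5402,Y,1999-05-02,1999-03-30,0
5403,9031,Y,1999-08-12,,4
5404,1234,N,1999-02-01,1999-01-15,0
"""

DORMANT_DAYS = 60        # unread mail older than this: nobody is checking the box (assumed)
LOCKOUT_THRESHOLD = 3    # the article's "3 login attempts" before a box is disabled


def parse_export(text):
    """Read the export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_box(row, today):
    """Return the list of findings for one mailbox row (empty if clean)."""
    findings = []
    # Default passcode: the passcode is still the box number.
    if row["passcode"] == row["box"]:
        findings.append("default-passcode")
    # Box was never personalised: owner never set their own passcode.
    if row["passcode_changed"] == "N":
        findings.append("never-personalised")
    # Box has never been logged into at all.
    if not row["last_login"]:
        findings.append("never-logged-in")
    # Dormant box: backdated unread messages mean the owner is not listening.
    if row["oldest_unread"]:
        age = (today - date.fromisoformat(row["oldest_unread"])).days
        if age > DORMANT_DAYS:
            findings.append(f"dormant({age}d unread)")
    # Lockout hit: someone has been guessing this box's passcode.
    if int(row["failed_logins"]) >= LOCKOUT_THRESHOLD:
        findings.append("lockout-hit")
    return findings


def audit(text, today=date(1999, 8, 15)):
    """Return {box: [findings]} containing only boxes with at least one finding."""
    report = {}
    for row in parse_export(text):
        findings = audit_box(row, today)
        if findings:
            report[row["box"]] = findings
    return report


if __name__ == "__main__":
    for box, findings in audit(SAMPLE_EXPORT).items():
        print(box, ", ".join(findings))
```

Boxes flagged "default-passcode" or "never-personalised" should have a fresh passcode forced at next login, and "dormant" boxes are candidates for deactivation rather than leaving them around for someone else to claim.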
The mistake a lot of people make when hacking meridian is they take over a box that they think is not being used because it has no messages in it; the fact is, if a box has no messages in it, it's likely that the legitimate owner checks their messages on a regular basis. What you are looking for is a box that either asks you to change your password, or a box with backdated new messages from like months ago. To scan for more valid boxes, login to the one that you have access to, and hit 75. You will then be asked to enter the mailbox of the recipient, where you have the option to address the message to multiple boxes, ie: 5400#, 5401#, 5402# etc etc. Keep addressing the message to sequential boxes, so you are scanning the system internally. Eventually, when you have written down a list of valid boxes, hit [ # ], then 76 to erase/cancel the message. You will then be returned to the mailbox main menu, where you can hit 81 to re-login to meridian mail. Try 2 boxes from your list; if they don't have the default passcode, log back into a box that you know the passcode to, then 81 again to go through the next 2 boxes on your list. This way you can avoid being logged off from the system, and keep going until your fingers fall off. Eventually you will find a box as described before that is not in use (either loads of backdated messages, or a passcode change prompt). You can then hit 84 to change your passcode, and then you can call the box 'yours'.

I'm not going to list all the functions/options available on meridian mail user boxes, simply because all you need to do is hit [ * ] to have them read out to you by the automated system help. All you need to know really is that [ 2 ] will play any messages you have, 76 will erase it, 71 will reply, 79 will send, 75 to compose a message, etc.

A few notes on meridian mail:

If outdialing is enabled, you may find that certain numbers are blocked, for example ld numbers, numbers prefixed with a 1, or 01 for UK.
This can be overcome in most cases. If you can call the external operator [ 09,00# ], go through the usual bullshit with him/her/it to get them to dial/place the call for you. Or you can find a telco service provider that offers 800 numbers that bill back to the line you are calling from. Or, if you are in the UK, you can sometimes trick the outdial barring by prefixing your call with things like 9,[141] or 9,[1470] etc. You can sometimes set the operator assistance number for your voicemail box to dial an external number: when inside the box hit 82, then follow the prompts. The number you set would usually be prefixed with a 9, then suffixed with a # to end the string of entered digits. So when someone calls your extension/mailbox and hits [ 0 ] at your personal greeting, they get routed to a number of your choice instead of the internal operator. This feature can be useful for simple diverters, but again, not very safe.

Meridian Integrated Conference Bridge (MICB) is a fully integrated, all-digital audio conference bridge from Nortel (Northern Telecom) designed to improve and simplify enterprise conferencing capabilities. MICB provides fast and reliable access to an in-house conference bridge, eliminating the need to frequently contact conference service bureaus or accommodate complex third-party conference bridge equipment. Offering simple plug-and-play installation within a Meridian 1 Intelligent Peripheral Equipment (IPE) shelf, software keycode activated upgrades, and a variety of flexible features for increased conference control, MICB is for organizations requiring frequent audio collaboration to keep multiple dispersed parties connected with critical communication. As an integrated solution, a single MICB card supports up to 32 ports and up to 10 simultaneous conference calls. There are four MICB card capacity options available: 12, 16, 24 and 32 ports.
If the conferencing requirements increase, software keycodes activate additional ports on the MICB card to support the larger port capacities. In addition, multiple MICB cards can be supported within the Meridian 1 Communications System.

Excerpted from one of my previous Meridian files, an extract from a Nortel technical document explaining how Meridian call logging is implemented etc.

"Detect and Alarm Toll Fraud"

Day by day, your Meridian 1 operates, routing calls to and from your company. Ever wonder what your traffic calling patterns look like on a real-time basis? Using MAT Call Tracking, you can now visually monitor traffic patterns. How long are station users on the phone? What percentage of calls are incoming, outgoing, or via tandem tie lines? These are a few of the available features. Better yet, you can set up your own meter to visually cue on the criteria that you want to monitor. Have you ever been a victim of toll fraud? Want to know who's making long international calls, as they happen? The integrated alarm filter can detect these scenarios and alarm you when the event occurs. With multiple alarming notification methods, the system is sure to reach you, wherever you may be.

Features: Call Tracking is an on-line call monitor and alarm application for the examination of call usage patterns leading to toll fraud detection. Graphs are used to indicate trends and provide displays of unusual calls, enabling you to adjust equipment and services to maximize resources. Multiple filtering templates allow for your customization of [ toll fraud ] criteria. The Call Tracking Module provides a number of alarm notification options to alert you when the filter criteria have been met. Call Tracking is designed to be used with Call Accounting but can also exist on a stand-alone basis.

Worth keeping in mind: everything described earlier in this article (outdialed calls from a hacked box, the operator-assist diverter, after-hours sessions) lands in exactly this kind of call record, which is what a Call Tracking template keys on.

Welp, that's it for this brief overview of hacking Meridian.
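Two things in this article lend themselves to code: the outdial barring that voicemail outdial runs into (and the 9,[141] / 9,[1470] prefix trick from the notes above), and the Call Tracking alarm filter in the Nortel excerpt. The block below is an added example written for this edit; it is not Meridian or MAT code. It assumes the prefix trick works because a naive barring check looks only at the digits right after the trunk access code and never sees the 00 or 01 that follows the service code; the hardened version normalises the dial string first and default-denies unrecognised 1xx prefixes. The same normaliser then feeds a small CDR filter modelled on the Nortel criteria (international, long, after-hours, tandem tie line). The CDR layout, the sample records, the 600-second "long call" threshold and the business-hours window are all constructed for the example.

```python
"""Toll-fraud controls for a Meridian-style PBX: outdial barring plus a CDR alarm filter.

Added example, not Nortel Meridian or MAT code. Barred prefixes, the 141/1470
service codes and the alarm criteria follow the text; the dial-string format,
the CDR layout, the sample records and every threshold are assumptions.
"""
from collections import Counter
from datetime import datetime

TRUNK_ACCESS = "9"
BARRED_PREFIXES = ("00", "01")        # international and UK national, per the text
SERVICE_PREFIXES = ("141", "1470")    # UK withhold / release CLI codes, per the text
INTL_PREFIX = "00"
LONG_CALL_SECS = 600                  # assumed "long call" threshold
BUSINESS_HOURS = range(8, 18)         # assumed Mon-Fri 08:00-17:59


def _digits_after_access(dial_string):
    digits = "".join(ch for ch in dial_string if ch.isdigit())
    return digits[len(TRUNK_ACCESS):] if digits.startswith(TRUNK_ACCESS) else digits


def normalise(dial_string):
    """Peel every leading service code off so the number that will be routed is visible."""
    digits = _digits_after_access(dial_string)
    stripped = True
    while stripped:
        stripped = False
        for code in SERVICE_PREFIXES:
            if digits.startswith(code):
                digits, stripped = digits[len(code):], True
    return digits


def naive_barring(dial_string):
    """The weak check: only the digits right after the trunk access code are examined."""
    return "deny" if _digits_after_access(dial_string).startswith(BARRED_PREFIXES) else "allow"


def hardened_barring(dial_string):
    """Bar on the normalised number; default-deny anything left starting with 1xx."""
    digits = normalise(dial_string)
    if not digits or digits.startswith(BARRED_PREFIXES) or digits.startswith("1"):
        return "deny"
    return "allow"


# Constructed CDRs: timestamp, extension, direction (IN/OUT/TANDEM), dialled string,
# duration in seconds, trunk group. 1999-08-12 is a Thursday.
SAMPLE_CDRS = """\
1999-08-12 09:14:02,5401,OUT,9 234 5678,120,PSTN
1999-08-12 10:02:45,5402,IN,,300,PSTN
1999-08-12 23:41:10,5400,OUT,9 141 00 1 212 555 1212,1860,PSTN
1999-08-12 23:52:30,TIE1,TANDEM,9 00 1 555 123 4567,900,TIE
1999-08-13 02:10:00,5400,OUT,9 1470 00 1 900 555 1212,45,PSTN
"""


def parse_cdrs(text):
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, ext, direction, dialled, secs, trunk = line.split(",")
            records.append({"when": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "ext": ext,
                            "direction": direction, "dialled": dialled,
                            "secs": int(secs), "trunk": trunk})
    return records


def alarm_reasons(rec):
    """Criteria the record trips; a plain daytime international call is not an alarm."""
    if not normalise(rec["dialled"]).startswith(INTL_PREFIX):
        return set()
    reasons, when = {"international"}, rec["when"]
    if rec["secs"] >= LONG_CALL_SECS:
        reasons.add("long")
    if when.weekday() >= 5 or when.hour not in BUSINESS_HOURS:
        reasons.add("after_hours")
    if rec["direction"] == "TANDEM":
        reasons.add("tandem")
    return reasons if len(reasons) > 1 else set()


def run_filter(text):
    """Return (alarms, direction mix) for a batch of CDR lines."""
    records = parse_cdrs(text)
    mix = Counter(r["direction"] for r in records)
    alarms = []
    for r in records:
        reasons = alarm_reasons(r)
        if reasons:
            alarms.append({"ext": r["ext"], "number": normalise(r["dialled"]),
                           "reasons": sorted(reasons)})
    return alarms, mix


if __name__ == "__main__":
    for s in ("9,00 1 212 555 1212", "9,141 0171 234 5678", "9,1470 141 00 1 212 555 1212"):
        print(f"{s:32s} naive={naive_barring(s):5s} hardened={hardened_barring(s)}")
    alarms, mix = run_filter(SAMPLE_CDRS)
    total = sum(mix.values())
    print({d: f"{100 * n / total:.0f}%" for d, n in mix.items()})
    for a in alarms:
        print("ALARM", a)
```

Run it and the barring table shows the 141-prefixed national call slipping past the naive check and being denied by the hardened one, followed by the direction mix and the three constructed records that trip the filter. The point of feeding the filter through the same normaliser is that a CDR showing "9 141 00 1 ..." is an international call whatever the first digits look like; a filter that classifies on raw dialled digits misses exactly the calls the barring bypass produces.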
Shouts to: [ D4RKCYDE ] [ 9X ] [ B4B0 ] [ downtime ] [ zomba ] [ substance ] [ gr1p ]
------------------------
http://hybrid.dtmf.org hybrid@dtmf.org hybrid@ninex.com
http://phunc.com/~hybrid hybrid@b4b0.org hybrid@phunc.com

" 4-wire trunk circuits were converted to 2-wire local cabling, using a device called a hybrid. Unfortunately, the hybrid is by its very nature a leaky device. "

-o[ review of.. AntiSocial Magazine ]o- -o[ D4RKCYDE ]o- -o[ by hybrid ]o---------------------------------------

URL: http://www.antisocial.cjb.net/
MAILTO: armageddon@hack-net.com
STAFF: armageddon, loki, crashd, phil, tefx.
ISSUES: 17 to date (short review, a-s16)

We never usually review other h/p ezines, but since AS mag decided to review f41th, we thought we'd return the favour and review them...

First impressions: To be honest, when I first loaded up a-s16, I was quite impressed with the general layout and organisation of the zine as a whole. It's quite difficult to get the articles you need for an ezine; editing, organising and presenting a zine is the most time consuming part, I'm sure armageddon would agree with me there. I've read most of the a-s zines, but decided to review number 16 as it seemed to be quite weighty in K's. A-s claim to cover most of the underground scene, right from tracking, hardcore, to hacking and telephony. Because of this, A-s have attracted a wide range of audiences, from white glove wearing whistle blowing hardcore followers to hackers; it's not surprising that they have a respectable volume of readers. I was however slightly confused.. The zine's makers claim that a-s mag is in the majority aimed at the UK h/p underground. I was unable to find many, if any, h/p related articles in a-s magazine (with the exception of the news). The amount of telephony information is minimal (if not void), but I was impressed with the programming related articles, such as the ASM info.
Here I would argue that a-s magazine is not underground at all (h/p). Don't get me wrong, I'm not saying this for no reason.. Throughout the zine there is a distinct feeling that the editors are more interested in seeing how well known they can get their mag, and are constantly bragging about their supposed colossal readership. I'm sure many would agree, a h/p zine is not underground if the editors are trying to get it hosted left, right and center; it wouldn't surprise me if I saw an advert on TV for it. There are also sections in the zine that are designed to be used as advertising space for other "groups".. Why would an underground h/p group want to 'advertise'? According to a-s mag: "so they can become the biggest name in the scene" - is this really underground? It's not surprising that the group advertisements consisted of advertisements for fake ID and lame groups such as PLE.

Overall I was impressed with the contents of the zine. The articles are of a technical nature, and easy to read. The thing that impressed me the most was the obvious time and thought that armageddon has put into the zine.. The editorials, coverage etc are all in depth and interesting to read. As an honest opinion: lose the advertisements, lose the happy hardcore, lose the PLE stuff and you've got a great zine. Respect is definitely due to the fact that a-s mag as a team have managed to keep the zine going over such a long period of time; I think the "fame" factor is getting to them just a little bit though ;]

Another thing that was brought to my attention is the fact that some of my group members are complaining that articles they wrote for f41th are strangely appearing in a-s magazine (either truncated or as a whole). I managed to find an article in a-s mag written by PLE (PhoneLoosersEngland). The article was called "the PLE phonebook" or some shit like that, COMPILED by PLE members. Is this a joke?
-- EVERY SINGLE number in that listing has been taken from previous D4RKCYDE scanlists and f41th scanlists. I personally noticed that all the carriers listed in that "phonebook" were found by yours truly.. We are NOT happy to say the least (bye bye PLE). And again, another scan, this time by shadowx, written for f41th.. suddenly appears in a-s magazine. I'm not going to go on about copyright at this point. I just want to make something clear to PLE/AS: DO NOT RIP OFF F41TH. - that's all I wanted to say.

Closing up here, I feel AS mag is generally a good read, both entertaining and informative. The .EXE loader sucks a little, but it's different, that's what counts. Generally well organised, with a nice layout - with the exception of the annoying blinking graphics and the group ads, which seemed a little on the childish side. But who am I to judge?

hybrid

Shouts to crashd for having good taste in music in the members listing, manics nirvana, BEASTEE BOYS werd. werd to armageddon. broken legs to PLE.
-----------------------------------------------------------------------------
note from shadowx: big shout out to alex-uk, undernet's biggest fucking lamer.. i told you what would happen if you go around changing passwords... look where it got you. armageddon... how did hack the FAG go? (nice typeo's) -- alex-uk, see you at catastrophe you hamster fucking lame undernet piece of shit.
-----------------------------------------------------------------------------

-o[ brief guide to the evolution of switching ]o- -o[ D4RKCYDE ]o- -o[ by hybrid ]o-----------------------------

Switching Systems

Before the phone network went automated, phone switching was achieved by operators who manually made the connections between subscriber lines on huge panels of interconnecting jacks (the switchboards).
As telephony technology progressed, so did the type of switching techniques; the manual switchboards were replaced by electromechanical switches which took the place of the manual switchboard operators. These primitive electromechanical switching mechanisms used a series of fingers (wipers) that would rotate and then make contact with the circuit, therefore connecting the subscriber line; these types of switches were called stepper (step-by-step, or Strowger) switches. In essence they were vertical ladders of rotary switches with rotating contacts that would either step up or down. This switching technology was invented in 1891 (Strowger's patent), and has since passed its sell-by date by far.

Next in the line of switch evolution was a new breed of electromechanical switch, this time called the crossbar switch. Again, the crossbar switch was an analog device which only supported mechanical switching functions. The crossbar switches used multiple vertical and horizontal paths, with electromechanical relays for interconnecting the vertical paths to the horizontal paths. In UK (BT) terminology the crossbar exchange family is designated TXK (Telephone eXchange Crossbar), alongside TXS for Strowger. There were various variants of the crossbar switching system, such as AT&T's number 1 crossbar (first installed in 1938) and the number 5 crossbar (5XB), which was deployed throughout end offices from the late 1940s onwards.

Now some more familiar ground to cover; the next breed of switch that came to dominate the network were the electronic switches. Like the previous switches they were also electromechanical, the difference being that these switches were controlled by computers, and therefore took the form of computer-controlled electromechanical or electronic switching devices. These switches were designed to handle/distribute analog signals, and used a new method of call handling: unlike the previous switches, where each digit dialed would be processed one at a time, these new switches stored the dialed number in a register and then executed the dialed connection.
We refer to this type of switch as a common control switch; it soon became the first stepping stone towards ESS. Now, we all know what ESS is, right? (you damn well should d0). This breed of switching technology was derived from the previous switch, with the exception that it implemented stored program control (SPC) to set up calls. The first ever switch to implement this new stored program control was the Number 1 Electronic Switching System, more commonly referred to as 1ESS. The 1ESS was a computer-controlled electromechanical switch, which used computers to instruct the electromechanical functions of the switching matrix; in UK terms an exchange of this kind (electronic control, non-digital switching) falls in the TXE (Telephone eXchange Electronic) class, while TXD (Telephone eXchange Digital) is reserved for the fully digital exchanges that came later. At the time this method of switching was considered to be very advanced and ahead of its time; the concept was in fact rather simple, but effective. The ESS switches had to use an identical or 'generic' program in each class of switch. The differences between offices were determined by parameters used by the 'generic' program. Parameters are the number and location of active lines and trunks, tone or rotary dialing, etc.

During the 1970s, when this type of switching architecture was at large, call-handling traffic increased, so the next breed of switch was implemented with an upgraded CPU type and morphed from 1ESS to 1AESS, but was still effectively a computer-controlled electromechanical switch. As the demand for phone services grew, the switching systems advanced into a newer breed of switching; it was at this time that the famous 4ESS/5ESS switches were born, and they have since been used as the workhorses of the phone network. The first computer-controlled digital switch was the 4ESS system, which was specifically designed for toll switching and routing. It implemented the previous 1AESS CPU (the 1A processor) and was coupled with a TMS (Time Multiplexed Switch) capable of handling 50,000+ simultaneous connections.
The switch was designed to handle digital signals, but at the time the local offices had to patch the older local loop equipment to it, and that equipment rang subscriber lines with roughly 90 volts AC ringing current; since the semiconductors had a hard time dealing with this, the new breed of ESS was born: 5ESS. In the previous ESS systems the signals were switched at local offices as analog; the 5ESS converts the analog signals into digital form at the line interface and switches them digitally under stored program control. The AT&T 5ESS switches are based on a TST (Time Space Time) digital switching concept and are capable of handling over 100,000 subscriber lines. In BT terms the current digital switches are the TXD class; TXE (Telephone eXchange Electronic) denotes the earlier electronically controlled exchanges, and both are distinguished from electromechanical means such as crossbar or step-by-step switches.

Northern Telecom is another manufacturer of digital telephone switches, designated DMS-100, DMS-200 and DMS-250. Each is tailored to specific switching functions on the phone network. Cellular switch vendors market PBXs or CO switches reconfigured with software to support mobile subscribers. Three of the major U.S. cellular switch equipment suppliers -- AT&T, Ericsson, and Northern Telecom (Nortel) -- are also leading suppliers of CO switches.

Today the phone network is becoming increasingly advanced, with new telephony innovations developing all the time. At present the phone network is run via advanced digital CO switches which support many functions, such as CLASS services (a basic example). We also see the mass implementation of Signaling System 7 (SS7), Integrated Services Digital Network (ISDN), Custom Local Area Signaling Services (CLASS -- the phone company delivering the number and/or name of the calling party to the subscriber), Centrex, cellular communications, and Advanced Intelligent Networks (AIN), all supported by CO switch suppliers' products today.
http://hybrid.dtmf.org hybrid@dtmf.org hybrid@ninex.com
http://www.phunc.com/~hybrid hybrid@b4b0.org hybrid@phunc.com

" Hybrid echo, which is generated at the 2-4 wire conversion point, is the only source of echo that is generated from the PSTN. "

-o[ f41th advisory CNID spoof ]o- -o[ D4RKCYDE ]o- -o[ f41th ]o--------------------------------------------

It has been found that on certain Motorola phones that contain the M145447 chip there is an option that allows the chip to be powered down. When the phone rings, the chip is woken up and is then in a ready state to receive, process and deliver the CNID (Calling Number ID) signal, after which the chip shuts down again and is powered up again when the next call occurs. Should this power-down option be disabled, the chip sits in a 'listen always' state, and it is then theoretically possible to 'flood' a line, making a vulnerable box record successive erroneous numbers. There is a device available called the 'presto chango' which works by transmitting extra data, in the form of an ADSI modem tone, after the call has been picked up. Phones that are fitted with the M145447 caller ID chip are vulnerable to this attack, and will display the number carried in the extra ADSI modem transmission, overwriting what the CO sent on ringing. It has been found that not only the Motorola M145447 chips are vulnerable to this spoof, but so are the CNID boxes that come from the RBOC US West. So if, for example, the data '31337' was transmitted in ASCII via the ADSI modem tone transmission to a CNID box equipped with such an M chip or a US West box, the receiving line would see the number '31337' appear on their CNID box. Neat huh? - Thank US West and Motorola for this nice CLI vulnerability. :)

For more info on CLI/CNID UK and US specifications etc, check out the phunc telecommunications security research site at www.phunc.com/~hybrid [ temp ]. Also, a file I wrote for 9x which can either be found on www.ninex.com or on my own website at http://hybrid.dtmf.org.
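The following is an added example, not part of the advisory and not the logic of any Motorola or US West product. It builds a Bellcore-style MDMF caller-ID frame with its two's-complement checksum and models the two receiver behaviours the advisory contrasts: a chip that only decodes FSK between the first ring and answer, and one left in 'listen always' mode. The second burst is modelled as the same MDMF frame arriving off-hook; the page does not describe the presto chango's actual signalling (off-hook ADSI delivery has its own CAS/ACK handshake that is not modelled here), so the spoof frame, the parameter set and both receiver policies are assumptions. The caveat for anyone investigating a spoofed display: only the subscriber's box is fooled; a burst sent after answer does not touch the CO's own records of the call.

```python
"""Bellcore MDMF caller-ID frame plus a ring-gated vs 'listen always' receiver model.

Added example. The frame layout (type 0x80, length, TLV parameters, two's-
complement checksum) is the standard MDMF format; the receiver state machine
and the constructed spoof burst are assumptions that illustrate the advisory,
not a description of the M145447 or of any US West box.
"""

MDMF = 0x80
P_DATETIME, P_NUMBER, P_NAME = 0x01, 0x02, 0x07


def build_mdmf(number, name=None, when="08121337"):
    """Encode an MDMF frame; 'when' is MMDDHHMM as the CO would send it."""
    params = bytes([P_DATETIME, 8]) + when.encode("ascii")
    params += bytes([P_NUMBER, len(number)]) + number.encode("ascii")
    if name:
        params += bytes([P_NAME, len(name)]) + name.encode("ascii")
    body = bytes([MDMF, len(params)]) + params
    checksum = (-sum(body)) & 0xFF       # whole frame sums to 0 mod 256
    return body + bytes([checksum])


def parse_mdmf(frame):
    """Return {parameter_type: bytes}, or None if the frame fails its checks."""
    if len(frame) < 3 or frame[0] != MDMF or sum(frame) & 0xFF:
        return None
    length = frame[1]
    if length != len(frame) - 3:
        return None
    params, i, end = {}, 2, 2 + length
    while i + 2 <= end:
        ptype, plen = frame[i], frame[i + 1]
        if i + 2 + plen > end:
            return None
        params[ptype] = frame[i + 2:i + 2 + plen]
        i += 2 + plen
    return params if i == end else None


class CidReceiver:
    """A caller-ID decoder with the two power policies the advisory contrasts."""

    def __init__(self, listen_always):
        self.listen_always = listen_always
        self.armed = False        # decoding window: first ring until answer
        self.display = None

    def ring(self):
        self.armed = True

    def answer(self):
        self.armed = False        # a ring-gated chip powers down here

    def fsk(self, frame):
        """Feed one FSK burst; returns True if it changed the display."""
        if not (self.armed or self.listen_always):
            return False          # chip is asleep: burst never decoded
        params = parse_mdmf(frame)
        if not params or P_NUMBER not in params:
            return False
        self.display = params[P_NUMBER].decode("ascii")
        return True


def simulate(listen_always, real_number="2125551212", spoof_number="31337"):
    """CO delivers real_number on ringing; the caller sends spoof_number after answer."""
    rx = CidReceiver(listen_always)
    rx.ring()
    rx.fsk(build_mdmf(real_number, "CENTRAL OFFICE"))   # CO burst between ring 1 and 2
    rx.answer()
    rx.fsk(build_mdmf(spoof_number, "PRESTO"))           # constructed off-hook spoof burst
    return rx.display


if __name__ == "__main__":
    print("ring-gated   :", simulate(listen_always=False))
    print("listen always:", simulate(listen_always=True))
```

The checksum is what makes the spoof cheap: any caller who can put a correctly summed frame on the line after answer is indistinguishable, to an always-listening decoder, from the CO. A receiver that closes its decoding window at answer (the power-down option the advisory describes) keeps the CO-delivered number; the only thing the spoof can then do is waste an FSK burst.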
-o[ The Workings of a 5ESS Central Office ]o- -o[ D4RKCYDE ]o- -o[ digiphreq ]o--------------------------------

Ok, several weeks ago I took this telecommunications class at a local university. It wasn't really a class or anything, just something this dude put together. Actually at this point it was probably like a month or two ago. Anyways, that's not important. During the seminars the professor gave, he discussed many aspects of 5ESS and where the industry is going and so on. All fairly boring as hell... Most of which I slept through. So after 10 hours of boring-ass seminars I was finally given the opportunity to go through a CO. Which was really rather cool. While I was there I took a lot of notes and then saved them till now. I should have written this for faith8, but I haven't been near my computer for the last 3 weeks and just couldn't.. This article isn't the least bit technical really, it's just an account of what I saw on my tour.

The CO is made of several different buildings. They aren't actually buildings, but that's what they call them. There is the Outside Plant, Cable Vault, Frame Room, Battery Room, and Fiber Distribution Center. The Outside Plant isn't actually a plant, they just call it that. Anyway, it's the point between the Subscriber's Minimum Point of Entry (MPOE) and the CO Main Distribution Frame (MDF).

Next there is the Cable Vault, which resides underground. While the locations of other parts of the CO can vary, the Cable Vault is always underground, because of the basic nature of what the complex houses. The Cable Vault is where all the cables from other COs and that CO's subscribers come together. It's kind of a creepy little area. Anyway, the cables enter through these ducts in the walls and the ducts lead to manholes. After entering the Cable Vault, the cables are racked and plugged with pressure plugs. These pressure plugs are used to put several pounds of air pressure on each cable as it leaves the CO, to keep moisture out of the cable's sheath.
After the pressure plugs the cables are spliced and run into compartments where each cable's 3600 pairs are put into 100-pair groups, which are run through more ducts to the frame room. Each of these cables contains an average of 3600 twisted pairs, or 3600 telephone lines. A few other types of cable, such as coaxial, fiber optic, and interoffice, are also run through the Cable Vault.

The Main Distribution Frame (MDF) is where the 100-pair groups are separated into individual pairs and attached to connectors. This room, by no surprise, is the same length as the Cable Vault, which is directly below it. You would also not believe how organized they have the cables in the MDF. I mean, your computer becomes a mess if you get more than 10 cables running behind it. They've got thousands of cables and they are all organized.. Anyway, there are two sides to the MDF, the vertical (Vertical Distribution Frame - VDF) and horizontal (Horizontal Distribution Frame - HDF). The vertical side is where the outside wiring is attached to connectors and is fed through the protector fuses. From there the tip and ring of each pair is cross-connected to the horizontal side, where the hardwired connectors to the switching system are located. These hardwired multi-conductor cables run from the connectors to the physical location of the switching equipment. To keep them all straight, technicians have access to COSMOS (the phone network mainframe) from which they can print out information regarding cable and pair and Office Equipment (OE). With this information they can work on the VDF and on the HDF, connecting/disconnecting services as indicated. The VDF side is marked by cable and pair. The HDF varies in format depending on what type of switch they are using. Basically a Special Services line would be routed to different switching equipment than a regular POTS line. That was just a quick example of how the HDF can vary...

The Battery Room is a room which houses the office battery.
Inside there are several racks which hold batteries which look like car batteries. They are larger in size though. The batteries are all wet cell. Together they provide power to the copper lines. Copper facilities idle at 48 volts DC. This drops to 6 or 8 volts DC when dial tone is requested, and peaks at around 90 volts when a ring is sent. T1 lines peak at around 140 total DC volts. Each copper wire has an output of between 14 and 16 milliamps from the frame. However, the battery room creates an average of 1400 amps.

The Fiber Distribution Frame is a centralized optical termination frame for facilitating the cross-connecting of optical fibers. Technicians can connect Outside Plant (OSP) facilities to the CO equipment. It's what allows the minimum handling of fragile optical fibers after installation. Each individual FDF bay is placed adjacent to the next to form a continuous frame. An FDF is used to connect OSP facilities to CO equipment. Connections are flexible and are made using jumper/patch cables, thus allowing connections to be changed without disturbing the fibers or fiber splices. A jumper can be temporary to get around any trouble, or permanently placed if need be. Basically the FDF allows access to the fibers.

After the tour of all this junk the tour dude then discussed some of the other equipment which is found in the MDF. This was all prompted by questions we asked. This particular CO had the following equipment in the frame room. These aren't equipment per se, more just other things that are found in the room... T1 or DS1, X.25, SONET, DS3, Cisco 200, MAARS, E9-1-1 (all three variants). That's basically it for my notes that I took during the tour. So maybe you now have some idea of how a CO operates. Then again maybe you don't... it's not my problem.
-o[ BTs lite ADSL technology ]o- -o[ D4RKCYDE ]o- -o[ by sonicborg ]o----------------------------------------------

/* I take sod all credit for this apart from taking the time out to copy it up from print outs, to the computer disk you are reading this off right now. */

While the objective of the market trial is to assess customers' reactions to a wide variety of interactive multimedia services, significant technical advances have been made since the technology trial of 1994. The set-top box (STB) is based on an Apple Macintosh computer - the LC475 - running Mac OS modified to support MPEG and a 2 Mbit/s network interface. At start-up it is downloaded with the applications and Oracle Media Objects (OMO), the run-time version of the authoring tool in which the services are created.

The network platform is being delivered by Alcatel Network Systems and comprises STM-16 SDH rings delivering content from the media server in Colchester to six remote telephone exchanges based in Colchester and Ipswich. Alcatel's ATM technology switches individual video and control channels at the remote exchanges, where they are delivered as a 2 Mbit/s stream over either copper, using Asymmetric Digital Subscriber Loop (ADSL), or fibre. The ADSL technology, manufactured by Westell International, delivers over an ordinary telephone loop 2 Mbit/s in one direction, a 9.6 kbit/s bidirectional control channel, and the ordinary analogue telephone service. Fibre customers are connected using Alcatel's APON technology. The Alcatel switching platform provides the concentration and distribution to allow up to 1200 of the 2500 customers to be connected to the server at any one time.

The server system consists of an nCUBE massively parallel computer controlled by a Sequent UNIX computer, both running Oracle's Media Server software.
The significant advance in server technology since the earlier trial has been the ability to scale the server to allow up to 1200 customers independent access to 1000 hours of entertainment as well as the other applications. There is an EDI gateway to the server supporting the banking application. All the video content is compressed into the MPEG-1 standard at 2 Mbit/s and carried in MPEG-2 frames. The coding of all the short video sequences and bitmaps is carried out by BT using real-time coding technology. Business support services utilise Oracle's database software and applications, and all the significant components of the system are integrated with BT's normal billing, network management and customer services systems (CSS).

The invention is currently in use in BT's network. All PSTN and cashless calls are priced using the pricing engine described in the patent application, with 10 pricing engines dedicated to development for use with feature-rich virtual networks for major business customers. The pricing engine allows billing processing to be performed at a few centrally located sites rather than distributing the processing across all of the switches in the network. The flexibility of the pricing architecture has allowed BT to view billing as a marketing tool rather than as a necessary evil.

FILTERS FOR ADSL SYSTEMS
~~~~~~~~~~~~~~~~~~~~~~~~

This invention was a critical component in the success of BT's video-on-demand market trials recently carried out in East Anglia. ADSL is a transmission technique that allows broadband signals to be carried over a standard copper pair such as those owned by BT, UK cable companies, and European PTOs. ADSL is likely to become a key technology as the access network migrates from copper to optical fibre. The filters have a novel 'hybrid' structure enabling the broadband signals to be separated from the telephony signals.
It is expected that significant patent protection will be obtained, giving BT a competitive advantage when using ADSL to supply broadband services such as video on demand and fast internet access.

TESTING NETWORKS USING REAL SPEECH SIGNALS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

These two inventions both address the issue of how to measure a subjective variable, such as the speech quality provided by a network, using an objective measurement technique which measures components of transmitted speech in order to calculate the quality of the circuit. Because there is no use of a predetermined test signal, monitoring can take place on live circuits without interrupting the calls being made. We expect to gain patent protection for all the most important aspects of the inventions. These inventions are already used by Cellnet, in a test system that measures the quality of new systems and services, and in a non-intrusive measurement system that assesses the quality of BT's global networks.

REAL TIME RESOURCE ALLOCATION (WORK MANAGER)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Work Manager is used across BT to organise the work of BT's field engineering workforce. It is currently used daily by nearly 20,000 engineers, making it the largest automatic work allocation system in the world. The system allocates jobs to engineers as they become free, which is far more efficient than the old system of booking out engineers to jobs in advance. The skills and geographical location of the engineer are taken into account, as is the priority of the job.

-o[ xDSL local loop access technology ]o- -o[ D4RKCYDE ]o- -o[ foundonthenet ]o-------------------------------------

xDSL Local Loop Access Technology
Delivering Broadband over Copper Wires
By Robyn Aber

Today's environment is ripe for the emergence of digital subscriber line (xDSL) technologies. The use of more multimedia information on the Internet and World Wide Web by business and residential users is a major growth factor.
Another is the availability of affordable networking equipment that enables larger numbers of users to access corporate information from remote sites. The opening of the telecommunications industry in the United States and throughout the world is sparking the entry into new service delivery by incumbent local exchange carriers (ILECs), interexchange carriers (IECs), Internet service providers (ISPs), competitive local exchange carriers (CLECs), and satellite and cable companies. Mixed media networking, the need for affordable broadband transmission rates, and a competitive telecom service environment all contribute to making xDSL the right technology at the right time.

xDSL services promise to dramatically increase the speed of copper wire-based transmission systems without requiring expensive upgrades to the local loop infrastructure. New xDSL services are being readied to join the bandwidth race. This paper describes the different xDSL technologies in development today and compares them to other current and emerging WAN service technologies. It also reports on current and future worldwide xDSL deployments and gives some market introduction projections. Finally, the paper describes 3Com's strategic direction with respect to the emerging xDSL technology market.

Contents:

o What Are Digital Subscriber Line (xDSL) Services?
o Development History
o Different Types of xDSL and How They Work
o Asymmetric Digital Subscriber Line (ADSL)
o Rate-Adaptive Digital Subscriber Line (R-ADSL)
o ADSL Lite
o How ADSL Modems Work
o ISDN Digital Subscriber Line (IDSL)
o High Bit-Rate Digital Subscriber Line (HDSL)
o Single-Line Digital Subscriber Line (SDSL)
o Very High Bit-Rate Digital Subscriber Line (VDSL)
o xDSL Delivers Broadband over Copper
o Technology and Applications Comparison
o 56 Kbps Analog Modems
o DSL Modulation Schemes
o ISDN
o Cable Modems
o xDSL
o ADSL Development and Deployment Progress
o Getting Started with ADSL
o ADSL Suppliers
o Upgrading Digital Loop Carriers (DLCs)
o Network Design: What's Needed
o Conclusion
o Glossary of Related Terms

What Are Digital Subscriber Line (xDSL) Services?

xDSL services are dedicated, point-to-point, public network access technologies that allow multiple forms of data, voice, and video to be carried over twisted-pair copper wire on the local loop ("last mile") between a network service provider's (NSP's) central office and the customer site, or on local loops created either intra-building or intra-campus. xDSL is expected to have a significant impact in the next three years by supporting high-speed Internet/intranet access, online services, video-on-demand, TV signal delivery, interactive entertainment, and voice transmission to enterprise, small office, home office, and, ultimately, consumer markets. The major advantage of high-speed xDSL services is that they can all be supported on ordinary copper telephone lines already installed in most commercial and residential buildings.

Development History

xDSL was designed initially to provide video-on-demand and interactive TV applications over twisted-pair wires. Interest in copper-based digital subscriber line services was spurred when fiber-based broadband loops proved to be too costly for widespread deployment.
Another boost came with the passage of the Telecommunications Act of 1996, which allows local phone companies, long-distance carriers, cable companies, radio/television broadcasters, Internet/online service providers, and telecommunications equipment manufacturers in the United States to compete in one another's markets. The race to provide broadband bandwidth was on. In xDSL, telecommunications companies see an opportunity to leverage customer demand for faster data access that has resulted from the explosive growth of the Internet and the advent of IP telephony. xDSL has the potential to deliver high-speed data access and much more. xDSL technology is in the early stages of commercial availability. The key players have agreed on standards and continue to work out interoperability, provisioning, and operations issues.

Different Types of xDSL and How They Work

The "x" in xDSL stands for the various kinds of digital subscriber line technologies, including ADSL, R-ADSL, HDSL, SDSL, and VDSL. To fully grasp the significance of these technologies and the applications for which each is best suited, it is important to understand how they differ. Key points to keep in mind are the trade-offs between signal distance and speed, and the differences in symmetry of upstream and downstream traffic.

Asymmetric Digital Subscriber Line (ADSL)

ADSL technology is asymmetric. It allows more bandwidth downstream (from an NSP's central office to the customer site) than upstream (from the subscriber to the central office). This asymmetry, combined with "always on" access (which eliminates call setup), makes ADSL ideal for Internet/intranet surfing, video-on-demand, and remote local area network (LAN) access. Users of these applications typically download much more information than they send. Downstream, ADSL supports speeds between 1.5 and 8 Mbps; upstream, the rate is between 640 Kbps and 1.54 Mbps.
ADSL can provide 1.54 Mbps transmission rates at distances of up to 18,000 feet over one wire pair. Optimal speeds of 6 to 8 Mbps can be achieved at distances of 10,000 to 12,000 feet using standard 24-gauge wire.

Rate-Adaptive Digital Subscriber Line (R-ADSL)

R-ADSL operates within the same transmission rates as ADSL, but adjusts dynamically to varying lengths and qualities of twisted-pair local access lines. With R-ADSL, it is possible to connect over different lines at varying speeds. Connection speed can be selected when the line synchs up, during a connection, or as the result of a signal from the central office.

ADSL Lite

ADSL Lite is a lower-speed version of ADSL that will eliminate the need for the telco to install and maintain a premises-based POTS splitter. Elimination of the POTS splitter is intended to simplify DSL installation and reduce the costs of DSL for NSPs. ADSL Lite is also supposed to work over longer distances than full-rate ADSL, making it more widely available to mass market consumers. It will support both data and voice and provide an evolution path to full-rate ADSL.

The effort to introduce ADSL Lite has been spearheaded by the Universal ADSL Working Group, an industry group that worked to develop a worldwide G.Lite standard within the International Telecommunications Union (ITU) Study Group 15. An ITU standard (G.992.2) was approved in October 1998. Additional standards work can be expected in ANSI T1E1.4, the ATM Forum, and the ADSL Forum to address issues such as compatibility with home wiring and network interfaces. 3Com is an active participant in these standards bodies working on the development of ADSL Lite.

How ADSL Modems Work

To create multiple channels, ADSL modems divide the available bandwidth of a telephone line using one of two methods: frequency division multiplexing (FDM) or echo cancellation. FDM assigns one band for upstream data and another band for downstream data.
The downstream path is then divided by time division multiplexing (TDM) into one or more high-speed channels and one or more low-speed channels. The upstream path is also multiplexed into corresponding low-speed channels. Echo cancellation assigns the upstream band to overlap the downstream band and separates the two by means of local echo cancellation, the same technique used by V.32 and V.34 modems. Echo cancellation uses bandwidth more efficiently, but increases complexity and cost.

For both FDM and echo cancellation, a filter called a POTS splitter front-ends an ADSL modem to split off 4 kHz for voice service (referred to as plain old telephone service, or POTS). This means that both POTS and ADSL can be transmitted on the same wire, eliminating the need to have a separate POTS line for voice communication.

ISDN Digital Subscriber Line (IDSL)

IDSL provides full duplex throughput at speeds up to 144 Kbps. Unlike ADSL, IDSL is restricted to carrying data only. While IDSL uses the same 2B1Q modulation code as ISDN to deliver service without special line conditioning, it differs from ISDN in a number of ways. Unlike ISDN, IDSL is a non-switched service, so it does not cause switch congestion at the service provider's CO. ISDN also requires call setup, while IDSL does not (DSL is an "always on" service).

High Bit-Rate Digital Subscriber Line (HDSL)

HDSL technology is symmetric, providing the same amount of bandwidth upstream as downstream. HDSL is the most mature of the xDSL technologies, and has already been implemented in telco feeder plants (lines that extend from central offices to remote nodes) and also in campus environments. Due to its speed (1.544 Mbps over two copper pairs and 2.048 Mbps over three pairs), telcos commonly deploy HDSL as an alternative to repeatered T1/E1. (T1 lines, used in North America, have a data rate of 1.544 Mbps; E1 lines, used in Europe, have a data rate of 2.048 Mbps.)
Although HDSL's 12,000 to 15,000-foot operating distance is shorter than ADSL's, phone companies can install signal repeaters to cost-effectively extend its useful range. HDSL's reliance on two and three twisted-pair wires makes it ideal for connecting PBX systems, digital local loops, IEC points of presence (POPs), Internet servers, and campus-based networks. HDSL II is proposed as the next-generation HDSL within ANSI and ETSI. It will offer the same performance as HDSL, but over a single pair.

Single-Line Digital Subscriber Line (SDSL)

Like HDSL, SDSL supports symmetrical T1/E1 transmissions, but SDSL differs from HDSL in two important ways: it uses a single copper-pair wire, and it has a maximum operating range of 10,000 feet. Within its distance limitation, SDSL is capable of accommodating applications that require identical downstream and upstream speeds, such as video conferencing or collaborative computing. SDSL is a precursor to HDSL II.

Very High Bit-Rate Digital Subscriber Line (VDSL)

VDSL technology is the fastest xDSL technology, supporting a downstream rate of 13 to 52 Mbps and an upstream rate of 1.5 to 2.3 Mbps over a single copper-pair wire. VDSL can be viewed as a cost-effective alternative to fiber to the home. However, the maximum operating distance for this asymmetric technology is only 1,000 to 4,500 feet from the central office; this distance can be extended by running fiber optic cable from the CO to an optical network unit and copper from that point to the user location up to 4,500 feet away. In addition to supporting the same applications as ADSL, VDSL's additional bandwidth could potentially enable NSPs to deliver high-definition television (HDTV), video-on-demand, and switched digital video, as well as legacy LAN extension symmetrical services. VDSL is in the requirements and standards definition stage.
xDSL Delivers Broadband over Copper

The best thing about xDSL technologies is their ability to transport large amounts of information across existing copper telephone lines. This is possible because xDSL modems leverage signal processing techniques that insert and extract more digital data onto analog lines. The key is modulation, a process in which one signal modifies the property of another. In the case of digital subscriber lines, the modulating message signal from a sending modem alters the high-frequency carrier signal so that a composite wave, called a modulated wave, is formed (Figure 2). Because this high-frequency carrier signal can be modified, a large digital data payload can be carried in the modulated wave over greater distances than on ordinary copper pairs. When the transmission reaches its destination, the modulating message signal is recovered, or demodulated, by the receiving modem.

Technology and Applications Comparison

There has been a lot of speculation in the industry about which remote access technologies will succeed and which will fail. As new local access technologies are rolled out, they do not displace others; actually, the reverse is true. Technologies like analog dial-up, dedicated leased lines, Frame Relay, and ISDN all coexist successfully in the market based on differences in service availability and on their ability to generate incremental revenue by serving different applications.

The fact that so many WAN services continue to coexist often leads to confusion and complexity for enterprise network managers and planners. The range of services will certainly continue into the next century. Factors that will determine the success of one technology versus another include availability, pricing, ease of installation and use, and relevance to users' applications. Some of the key issues surrounding xDSL and competing technologies are summarized in this section.
56 Kbps Analog Modems

56 Kbps analog modems (ITU V.90 standard) provide a range of midband (28.8 to 56 Kbps) access to the Internet, intranets, and remote LANs. In order to realize 56 Kbps throughput, there must be a 56 Kbps modem using compatible modulation techniques at each end of the connection. Therefore, NSPs and ISPs must have V.90 modems at their points of presence. A single 56 Kbps modem at the user's site will deliver the next highest speed with which it can synch up. Even when 56 Kbps modems are installed at both the carrier and user sites, these modems achieve top speeds only if the connection has just a single analog/digital conversion, and actual throughput is determined by line quality.

Another important fact to keep in mind is that this technology is asymmetric. The 56 Kbps rate is only achieved downstream on a digital line from the network to the user. The upstream connection is analog and operates in the 28.8 to 33.3 Kbps range.

DSL Modulation Schemes

There are many ways to alter the high-frequency carrier signal that results in a modulated wave. For ADSL, the most talked-about xDSL technology, there are two competing modulation schemes: carrierless amplitude phase (CAP) modulation and discrete multitone (DMT) modulation. CAP and DMT use the same fundamental modulation technique, quadrature amplitude modulation (QAM), but differ in the way they apply it. QAM, a bandwidth conservation process routinely used in modems, enables two digital carrier signals to occupy the same transmission bandwidth. With QAM, two independent message signals are used to modulate two carrier signals that have identical frequencies, but differ in amplitude and phase. QAM receivers are able to discern whether to use lower or higher numbers of amplitude and phase states to overcome noise and interference on the wire pair.

Carrierless Amplitude Phase (CAP) Modulation

Generating a modulated wave that carries amplitude and phase state changes is not easy.
To overcome this challenge, the CAP version of QAM stores parts of a modulated message signal in memory and then reassembles the parts in the modulated wave. The carrier signal is suppressed before transmission because it contains no information and is reassembled at the receiving modem (hence the word "carrierless" in CAP). At start-up, CAP also tests the quality of the access line and implements the most efficient version of QAM to ensure satisfactory performance for individual signal transmissions. CAP is normally FDM based.

CAP, a single carrier system, has several advantages: it is available today at 1.544 Mbps (T1) speeds, and it is low on the cost curve due to its simplicity. It has the disadvantage that it is not a bona fide American National Standards Institute (ANSI) or European Telecom Standards Institute (ETSI) standard.

Discrete Multi-Tone (DMT) Modulation

DMT offers a multicarrier alternative to QAM. Because high-frequency signals on copper lines suffer more loss in the presence of noise, DMT discretely divides the available frequencies into 256 subchannels, or tones. As with CAP, a test occurs at startup to determine the carrying capacity of each subchannel. Incoming data is then broken down into a variety of bits and distributed to a specific combination of subchannels based on their ability to carry the transmission. To rise above noise, more data resides in the lower frequencies and less in the upper ones.

DMT's main advantage is the fact that it is the ANSI, ETSI, and ITU standard. But DMT also has drawbacks: it will initially be more costly than CAP, and it is very complex. A variant of DMT, discrete wavelet multi-tone (DWMT), goes a step further in complexity and performance by creating even more isolation between subchannels. When fully developed, DWMT could become the ADSL protocol of choice for long-distance transmission in environments with high interference.
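The bit-loading step the DMT paragraph describes (test every tone at start-up, give the quiet low tones large constellations and the noisy high tones small ones or none, and let the total follow the loop, which is also what R-ADSL's rate adaptation and the FDM band plan from "How ADSL Modems Work" amount to in practice) can be worked through in a few lines of Python. This is an added example, not code from the original article or from any vendor it names. The 256-tone count and the FDM split into a POTS guard band, an upstream band and a downstream band follow the text; the tone spacing, symbol rate, band edges, SNR gap, noise margin and the loop-loss model are assumptions made for the example, and the SNR profile is constructed rather than measured.

```python
"""DMT bit loading and rate adaptation over a constructed copper-loop SNR profile.

Added example, not from the original article. Tone spacing, symbol rate, band
plan, SNR gap and margin are ADSL-style assumptions; the SNR profile is
constructed, not measured on a real loop.
"""
import math

NUM_TONES = 256            # DMT splits the line into 256 subchannels ("tones")
TONE_SPACING_HZ = 4312.5   # assumed tone spacing
SYMBOL_RATE = 4000         # assumed DMT symbols per second
MIN_BITS_PER_TONE = 2      # assumed: smallest usable QAM constellation (4-QAM)
MAX_BITS_PER_TONE = 15     # assumed: largest constellation the modem supports
SNR_GAP_DB = 9.8           # assumed SNR gap to capacity for uncoded QAM
MARGIN_DB = 6.0            # assumed noise margin held in reserve

# FDM band plan (assumed): the lowest tones stay unused so the POTS splitter
# can pass voice below 4 kHz; one band carries upstream and a higher band
# carries downstream, as the article describes for FDM-based ADSL.
POTS_GUARD_TONES = range(0, 6)
UPSTREAM_TONES = range(6, 32)
DOWNSTREAM_TONES = range(32, NUM_TONES)


def constructed_snr_db(tone, loop_length_ft):
    """Constructed SNR model: loss grows with loop length and with sqrt(frequency)."""
    f_khz = tone * TONE_SPACING_HZ / 1000.0
    loop_kft = loop_length_ft / 1000.0
    attenuation_db = 1.3 * loop_kft * math.sqrt(f_khz / 100.0)
    return 75.0 - attenuation_db


def bits_for_tone(snr_db):
    """Largest QAM constellation (in bits) a tone supports at the given SNR.

    Each tone is a small QAM channel: roughly every extra 3 dB of SNR buys one
    more bit, which is why DMT packs more bits into the low, quiet tones.
    """
    required_db = SNR_GAP_DB + MARGIN_DB
    ratio = 10.0 ** ((snr_db - required_db) / 10.0)
    bits = int(math.floor(math.log2(1.0 + ratio)))
    if bits < MIN_BITS_PER_TONE:
        return 0                      # tone too noisy: leave it unused
    return min(bits, MAX_BITS_PER_TONE)


def load_band(tones, loop_length_ft):
    """Per-tone bit allocation for one direction of the line."""
    return [bits_for_tone(constructed_snr_db(t, loop_length_ft)) for t in tones]


def plan_line(loop_length_ft):
    """Rate-adaptive training: measure every tone, load bits, report the rates."""
    down_bits = load_band(DOWNSTREAM_TONES, loop_length_ft)
    up_bits = load_band(UPSTREAM_TONES, loop_length_ft)
    down_bps = sum(down_bits) * SYMBOL_RATE
    up_bps = sum(up_bits) * SYMBOL_RATE
    return {
        "loop_length_ft": loop_length_ft,
        "downstream_bits": down_bits,
        "upstream_bits": up_bits,
        "downstream_bps": down_bps,
        "upstream_bps": up_bps,
        # a loop that cannot carry data in both directions never trains up
        "synchronized": down_bps > 0 and up_bps > 0,
    }


if __name__ == "__main__":
    for loop_ft in (6000, 12000, 18000, 40000):
        plan = plan_line(loop_ft)
        print(f"{loop_ft:>6} ft: down {plan['downstream_bps'] / 1e6:5.2f} Mbps, "
              f"up {plan['upstream_bps'] / 1e6:5.2f} Mbps, "
              f"sync={plan['synchronized']}")
```

Running the block prints the achievable rates for 6,000, 12,000, 18,000 and 40,000 foot loops under the constructed model. The 40,000 foot case is the failure mode worth seeing: the low upstream tones still load a few bits, but no downstream tone clears the required SNR, so the plan reports the line as not synchronized rather than quietly returning a zero-rate "connection".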
Other versions of DMT, including Synchronized DMT and "Zipper", are being proposed for use with VDSL.

ISDN

ISDN is also considered a digital subscriber line service. ISDN and xDSL technologies share some common technical characteristics: use of the existing telephone company copper cabling infrastructure; digital quality-of-service capabilities such as low noise, less interference, and clearer voice transmission; and the security of digital communications, which is inherently more difficult to tap than traditional analog systems. However, ISDN differs from xDSL technologies in that it is a switched service in which both ends must support ISDN, whereas xDSL is a point-to-point access service.

ISDN also requires external power for operation. To ensure continuous operation, customers need either a backup power system or a redundant POTS line. In contrast, xDSL carries its own power on the line. Voice and data transmission is split (multiplexed) on the wire: voice is carried under 4 kHz; data is carried above 4 kHz. If a power failure occurs, xDSL data transmission is lost, but lifeline POTS still operates.

Another key difference is that ISDN is widely available now and has momentum in the marketplace. Telcos, competitive access providers, and ISPs are investing the resources and building out the infrastructure to develop it further. As ISDN modems and terminal adapters become easier for users to configure, customer premises equipment (CPE) prices continue to drop, and tariffs are reduced, ISDN is gaining broader appeal among telecommuters and small office and retail users who require Internet and intranet access, remote LAN access, credit authorization, or database connectivity.

Cable Modems

Designed to provide broadband Internet access, cable modems are primarily targeted at consumers for residential use.
Cable modems offer the potential of broadband (up to 30 Mbps) information delivery downstream to users and midband (128 Kbps) to broadband (up to 10 Mbps) connections back upstream to the cable headend. Unlike xDSL and ISDN, cable modems are a shared, not dedicated, access technology. The total available bandwidth is shared among users in a neighborhood as if they were on a LAN. Given that design, not everyone on the network will get the top speeds of 10 to 30 Mbps that are quoted for downstream throughput. Actual rates will vary according to the number of users on the system at any given time and the type of modem that is being used. Security is also an issue on these shared access systems.

The multimedia cable network system (MCNS) standard for the delivery of data over cable has been defined and is being adopted by major multiple system operators (MSOs) and cable modem manufacturers. Its adoption adds more stability to cable as a data transmission technology. However, the widespread introduction of cable modems is still contingent upon the development and implementation of complex, two-way transmission systems and operations systems for management and billing. Today's systems are primarily telco return, in which phone lines are used to provide upstream transmission.

Another hurdle that cable modems must overcome is negative perceptions about the quality of service delivered by cable systems. Some users are approaching the use of cable modems for data transfer with caution. For cable modem access providers to be successful, they must be able to compete not only on price, but also on reliability of service.

xDSL

For all intents and purposes, xDSL modems can be considered "next-generation" modems, initially targeted for business users. xDSL technologies are being positioned for a wide range of data dialtone, video dialtone, voice, and PBX interconnect applications.
For the near term, however, the trend continues to be toward data applications, with voice-over-IP emerging as a new application. While xDSL technologies hold a lot of promise, there are a number of critical issues to be resolved before they can achieve widespread commercial deployment.

Standards are now agreed upon. During 1996 and 1997, standards bodies split along the partisan lines of DMT versus CAP modulation schemes. In January 1998, ANSI re-ratified DMT as the standard of choice, and the ITU adopted it in February 1998. Other ongoing issues for xDSL technologies include interoperability, spectral compatibility (e.g., interference between different services carried in the same cable binder), near-end crosstalk associated with reverse ADSL provisioning, and loop qualification. A nontechnical but critical factor will be how successfully NSPs move from xDSL technology and market trials to commercial rollout.

Sometime in the next three to five years, xDSL technology could potentially be used to deliver Asynchronous Transfer Mode (ATM) to the home over the existing copper infrastructure or via a hybrid fiber/copper network. Efforts to define the standards for doing this are now under way in ANSI, ETSI, the ADSL Forum, the ATM Forum, and the Full Service Access Network (FSAN) Council. While joint development efforts are proceeding, considerably more cooperative work is needed before these organizations can agree upon a set of standards that will enable the delivery of low-cost, end-to-end ATM to the desktop over xDSL.

ADSL Development and Deployment Progress

Of all the emerging xDSL technologies, ADSL is receiving the most attention because there is a standard (DMT) for it, and its capabilities provide NSPs with a competitive offering to cable modems. But there is increasing interest in symmetrical xDSL offerings such as HDSL and SDSL. As a local access service, ADSL's implementation has no critical drawbacks.
It can be deployed as an overlay network where there is subscriber demand, eliminating the need for NSPs to risk building out their infrastructure unnecessarily in the hope that the technology will catch on.

ADSL development and deployment is focused primarily in North America, followed by northern Europe and the Pacific Rim. In North America, US West, GTE, Ameritech, SBC, BellSouth, and Edmonton Tel (Canada) are the service providers leading the current wave of ADSL/xDSL deployment. Covad, Northpoint, and a handful of other CLECs are entering high-density metropolitan areas, typically offering a portfolio of xDSL offerings at different classes of service and price points, and competing with incumbent local exchange carriers. Chicago-based InterAccess was the first ISP to offer ADSL. Telia (Sweden), Telenor (Norway), British Telecom (UK), and Telefónica (Spain) are leading xDSL proponents in Europe. In the Pacific Rim, Telstra (Australia), Hong Kong Telecom, and Singtel (Singapore) are deploying xDSL for data and video applications.

ADSL modems have been tested successfully by more than 40 telephone companies, and close to 50,000 lines have been installed in various technology trials and commercial deployments. Increasingly, alternative service providers such as enterprises, multi-tenant building owners, hospitality businesses (hotels and resorts), and office park developers are offering or considering offering ADSL to their users as private network operators.

Getting Started with ADSL

ADSL is not yet generally available. It is an emerging technology that is predominantly in the early commercial deployment stage. NSPs still must put in place the overlay networks to handle commercial service offerings, and network equipment vendors must build production-level DMT systems. Users can expect to see ADSL products and services introduced throughout 1998, followed by more widespread deployment in 1999 and 2000.
ADSL Suppliers

xDSL suppliers generally fall into three categories:

* Component manufacturers
* Systems providers
* Service providers

Component manufacturers provide the chips, modems, and POTS splitters used at both ends of a line to receive, send, and process digital data. Systems providers offer end-to-end solutions that include modems, splitters, and multiplexers as well as operations, administration, management, and technical support capabilities. Service providers offer xDSL access services and may or may not bundle products from component manufacturers or systems providers to offer their subscribers turnkey solutions.

Prospective users of ADSL need to determine whether their local service provider offers a turnkey solution, or whether they must work directly with equipment manufacturers, value-added resellers, or systems integrators. It is possible that ADSL modems will be available at retail outlets during 1999 in a number of markets where service is deployed.

Upgrading Digital Loop Carriers (DLCs)

The DLC system is the carrier's local loop infrastructure that connects end users located more than 18,000 feet, or 3.5 miles, from the central office. DLC systems consist of physical pedestals containing line cards that concentrate residential traffic onto digital circuits. To provide end users with ADSL capability, NSPs will simply retrofit the line cards in the DLC systems. This is a very cost-effective solution for NSPs, because they are not required to update their infrastructure to provide ADSL services.

It is estimated that 30 percent of U.S. telephone customers are on DLC systems. These systems tend to be concentrated in the suburbs, where more affluent people reside; the initial residential target audience for ADSL service will be this suburban population.
Network Design: What's Needed

Potential users of ADSL will need the following:

* An ADSL modem (compatible with the one at the NSP's point of presence)
* A POTS splitter to separate voice and data transmissions (unless using ADSL Lite)

Since the ADSL modem essentially front-ends a LAN (or is capable of doing so), branch office or small business users will need a router or hub; home users will need a computer interface.

Providers of ADSL services will need modems and POTS splitters in their digital subscriber line access multiplexer (DSLAM) to terminate and aggregate incoming ADSL lines and redirect voice traffic to the public switched telephone network (PSTN) and data to a high-speed digital line (DS3, OC-3, or OC-12). The DSLAM is the major intelligence component in the ADSL system. It consists of central site modems and a service access multiplexer (SAM) that interfaces to the NSP's ATM or Frame Relay backbone. The ADSL service provisioning model includes two types of DSLAM: the central office DSLAM is built for high density and concentration, while the remote DSLAM sits in the remote DLC system. Service providers will also need billing systems, testing and diagnostic functionality, and network management capabilities.

Significant development work is still needed by NSPs and equipment manufacturers alike to develop more affordable, scalable, interoperable, and easily provisioned ADSL systems. But this is an exciting emerging technology that will initially provide high-bandwidth local access for enterprise networks and teleworkers.

Conclusion

xDSL technology, with its ability to support voice, content-rich data, and video applications over the installed base of twisted-pair copper wires, is inherently suited to meet user demands for broadband, multimedia communications.
The most promising of the xDSL technologies for integrated Internet access, intranet access, remote LAN access, video-on-demand, and lifeline POTS applications in the near term is ADSL or R-ADSL (a rate-adaptive version of ADSL). During the past year, ADSL has concluded trials by more than 40 network service providers throughout the world, primarily in North America and northern Europe. Service introduction began in 1997, but ADSL service is still being rolled out in many areas. In the meantime, xDSL technologies and standards will continue to evolve, as will user demand for these emerging services relative to other local access service alternatives.

Glossary of Related Terms

[ ADSL ] Asymmetric digital subscriber line. An xDSL technology in which modems attached to twisted-pair copper wires transmit from 1.5 to 8 Mbps downstream (to the subscriber) and from 16 to 640 Kbps upstream, depending on the line distance.
[ amplitude ] The maximum value of varying wave forms.
[ ANSI ] American National Standards Institute. The principal standards development body in the United States. It consists of voluntary members that represent the U.S. in the International Standards Organization (ISO). Membership includes manufacturers, common carriers, and other national standards organizations, such as the Institute of Electrical and Electronics Engineers (IEEE).
[ ATM ] Asynchronous Transfer Mode. A switching technology that allows voice, data, image, and video traffic to be combined into evenly sized cells for high-speed transmission over one access circuit. Each 53 byte cell contains 48 bytes of payload and 5 bytes of control information.
[ AWG ] American Wire Gauge. A wire diameter specification; the lower the AWG number, the larger the wire diameter.
[ backbone network ] The major transmission path for network interconnection.
[ broadband ] A communication channel with a bandwidth in excess of 1.54 Mbps.
[ CAP ] Carrierless amplitude phase modulation.
A version of quadrature amplitude modulation (QAM) that stores parts of a modulated message signal in memory and then reassembles the parts in the modulated wave. The carrier signal is suppressed before transmission because it contains no information and is reassembled at the receiving modem (hence the word "carrierless" in CAP).
[ CLEC ] Competitive local exchange carrier. An alternative access provider that competes with incumbent local carriers.
[ CO ] Central office. A facility that contains the lowest node in the hierarchy of switches that comprise the public telephone network.
[ core network ] A combination of switching offices and transmission plant that connects switching offices together. In the U.S. local exchange, core networks are linked by several competing interexchange networks. In the rest of the world, core networks extend to national boundaries.
[ CPE ] Customer premises equipment.
[ dial up ] A type of communications that is established by a switched circuit connection using the public telephone network.
[ DLC ] Digital loop carrier. The carrier's local loop infrastructure that connects end users located more than 18,000 feet or 3.5 miles away from the central office. DLC systems consist of physical pedestals containing line cards that concentrate residential links onto digital circuits.
[ DMT ] Discrete multi-tone modulation. A wave modulation scheme that discretely divides the available frequencies into 256 sub-channels or tones to avoid high-frequency signal loss caused by noise on copper lines.
[ DSL ] Digital subscriber line. A local loop access technology that calls for modems on either end of copper twisted-pair wire to deliver data, voice, and video information over a dedicated digital network.
[ DSLAM ] Digital subscriber line access multiplexer. Multiplexing equipment that contains a high concentration of central office splitters, xDSL modems, and other electronics to connect traffic to the wide area network (WAN).
[ DWMT ] Discrete wavelet multitone. A variant of DMT modulation, DWMT goes a step further in complexity and performance by creating even more isolation between subchannels.
[ E1 ] The European basic multiplex rate that carries 30 voice channels in a 256-bit frame transmitted at 2.048 Mbps.
[ echo cancellation ] A technique used by ADSL, V.32, and V.34 modems that isolates and filters unwanted signal energy from echoes caused by the main transmitted signal.
[ ETSI ] European Telecom Standards Institute. A consortium of manufacturers, service carriers, and others responsible for setting technical standards in the European telecommunications industry.
[ FDM ] Frequency division multiplexing. A technique that divides the available bandwidth of a channel into a number of separate channels.
[ frequency ] The rate of signal oscillation in hertz (Hz).
[ FSAN ] Full Service Access Network Council. A consortium of European service providers (PTTs) responsible for defining access network requirements.
[ HDSL ] High bit-rate digital subscriber line. An xDSL technology in which modems on either end of two or more twisted-pair lines deliver symmetric T1 or E1 speeds. Currently, T1 requires two lines and E1 requires three.
[ HDTV ] High-definition television. A system of transmitting television signals at 24 Mbps, which increases the horizontal lines of resolution from 480 to 560 lines per display.
[ IDSL ] ISDN digital subscriber line. An xDSL technology that provides full duplex throughput at speeds up to 144 Kbps based on the 2B1Q ISDN modulation code.
[ IEC ] Interexchange carrier. A long-distance service provider.
[ IEEE ] Institute of Electrical and Electronics Engineers.
[ ILEC ] Incumbent local exchange carrier.
[ ISDN ] Integrated Services Digital Network. A digital subscriber line network with circuit and packet switching capabilities for voice and data communications at data rates of up to 1.544 or 2.048 Mbps.
[ ISO ] International Standards Organization.
[ ISP ] Internet service provider.
[ ITU ] International Telecommunications Union. An international standards body, formerly called the CCITT.
[ Kbps ] Kilobits per second.
[ LAN ] Local area network. A type of broadcast network, covering a limited area, in which computers and other devices are attached to a common transmission medium.
[ local loop ] The line from a subscriber to the telephone company central office.
[ Mbps ] Megabits per second.
[ MCNS ] Multimedia cable network system. A standard for the delivery of data over cable.
[ midband ] A communication channel with a bandwidth range of 56 Kbps to 1 Mbps.
[ modem ] Contraction for modulator/demodulator. A modem converts the serial digital data from a transmitting device into a form suitable for transmission over the analog telephone channel.
[ modulation ] The process in which the characteristics of one wave or signal are varied in accordance with another wave or signal. Modulation can alter frequency, phase, or amplitude characteristics.
[ MSO ] Multiple system operator. Cable service providers owning two or more cable systems.
[ multiplex ] Combining signals of multiple channels into one channel. This process provides multiple users with access to a single conductor or medium by transmitting in multiple distinct frequency bands (frequency division multiplexing, or FDM) or by assigning the same channel to different users at different times (time division multiplexing, or TDM).
[ multiplexer ] Equipment that divides a data channel into two or more independent, fixed data channels of lower speed.
[ narrowband ] A communications channel with a bandwidth of less than 56 Kbps.
[ NSP ] Network service provider.
[ phase modulation ] A technique that changes the characteristics of a generated sine wave or signal so that it will carry information.
[ POP ] Point of presence. Physical access point to an IEC network.
[ POTS ] Plain old telephone service.
[ POTS splitter ] A passive filter that separates voice traffic from data traffic.
[ PSTN ] Public switched telephone network. A telephone system through which users can be connected by dialing specific telephone numbers.
[ QAM ] Quadrature amplitude modulation. A bandwidth conservation process routinely used in modems, QAM enables two digital carrier signals to occupy the same transmission bandwidth.
[ R-ADSL ] Rate-adaptive digital subscriber line. An emerging variation of CAP; it divides the transmission spectrum into discrete sub-channels and adjusts each signal transmission according to line quality.
[ SAM ] Service access multiplexer. A component of the DSLAM.
[ SDMT ] Synchronized DMT. A multicarrier modulation scheme that adds time division duplexing on top of DMT systems and permits transmit and receive in discrete time slots. Proposed for use with VDSL.
[ SDSL ] Single-line digital subscriber line. SDSL is essentially HDSL over a single twisted pair.
[ SMDS ] Switched Multimegabit Data Service. A connectionless, high-speed, packet-switched WAN technology offered by telephone companies.
[ SNMP ] Simple Network Management Protocol.
[ T1 ] A 1.544 Mbps line; the same as DS1.
[ TDM ] Time division multiplexing. A digital transmission method that combines signals from multiple sources on a common path. This common path is divided into a number of time slots and each signal or channel is assigned its own intermittent time slot, allowing the path to be shared by multiple channels.
[ telco ] American jargon for telephone company.
[ twisted-pair ] Telephone system cabling that consists of copper wires loosely twisted around each other to help cancel out any induced noise in balanced circuits.
[ UAWG ] Universal ADSL Working Group. An industry group that supports the development of a worldwide G.Lite standard within the ITU Study Group 15.
[ VDSL ] Very high bit-rate digital subscriber line.
A technology in which modems enable access and communications over twisted-pair lines at a data rate from 1.54 Mbps to 52 Mbps. VDSL has a maximum operating range from 1,000 feet to 4,500 feet on 24-gauge wire.
[ WAN ] Wide area network. A geographically dispersed network.
[ xDSL ] The "x" represents the various forms of digital subscriber line (DSL) technologies: ADSL, R-ADSL, HDSL, SDSL, or VDSL.
[ Zipper ] A DMT-based modulation scheme using frequency division multiplexing. It requires synchronization of systems within the same bundle. Proposed for use with VDSL.

-o[ The workings of a cellular phone ]o- -o[ D4RKCYDE ]o- -o[ by downtime ]o-------------------------------

I WILL NOT BE HELD LIABLE FOR ANY TROUBLE YOU MAY GET FROM THIS ARTICLE. I AM HERE TO SHARE MY KNOWLEDGE WITH THE REST. DO NOT ATTEMPT TO DO ANYTHING UNLESS YOU ARE WILLING TO TAKE RESPONSIBILITY FOR YOUR OWN ACTIONS.

This was found in the Bell Atlantic RBOC in the state of New Jersey, USA. It probably doesn't apply to other RBOCs or telephone networks due to differences in telephone networks.

As I was driving around one day looking for pinouts, I came across an ugly green thing protruding out of the ground. Taking a closer look at it, I found Bell Atlantic symbols and a "storm door" type of top with a door handle. It had the numbers 1-5 under the door handle acting as some kind of lock. A couple of days later I came back with some people and decided to try and break into it out of curiosity. The numbers under the handle (1-5) had push buttons next to each number (pretty old looking, no technology or state-of-the-art equipment here). I figured I was going to have to spend a lot of time trying different numbers for a while because I did not know the exact combination or how many numbers there were in the combination. After sitting there for no more than a minute, a few numbers worked and the door was able to be pushed up. Peering down I saw a ladder going down into a big room.
On my arrival, I found many LEDs flashing and a lot of equipment with Lucent Technologies stickers on them. I found out later this was all fiber optic equipment. Everything was attached to computers and what looked like routers, so I opted to take the manuals and documents. One book was named "Controlled Environment Vault and Equipment Enclosure". In this book I found many useful facts about the vault:

- The dimensions of the "underground vault" are as follows: approx. 10 ft high, 24 ft long and 6 ft wide.
- There are many climate control systems including ventilation and dehumidifying machines, air conditioning and heating.
- There is an *intrusion alarm* that is activated on opening of the vault and is easily turned off by: "The intrusion switch is located inside the hatch cover frame. It is activated whenever the cover is opened. Authorized personnel can deactivate the alarm by pulling the plunger switch out about 1/4 inch further. Yadda yadda yadda."

The vaults are extremely easy to get into. I am not aware of the exact combinations, or how many digits, but I know I opened 2 vaults up in less than a minute trying 3 digit combinations, turning the handle and pushing the door up and trying again. Kind of like brute forcing in less time. It is highly recommended to turn off the *intrusion alarm* if you attempt to get into one of these things. Down there you will find fiber optic equipment that will amaze you. I will not be held responsible for you getting in trouble in any way for going down one of these things. Have fun and keep information free for everyone.

-degauss

shouts to wing, sim, the hat and shadow for making the vault info happen and shouts to the rest of the people in my area: nothingg, dgtlfokus, deadkurt, voltage, and to my boy downtime far away.

-o[ Federal Government freq list ]o- -o[ D4RKCYDE ]o- -o[ by digiphreq ]o-----------------------------

Ok, I've been reading and writing for faith ezine for a long time now and have noticed a couple of things.
None of which are important right now other than the one that details a complete lack of radio. So I figured what the hell, I'll throw something together quick. So here is a list of Government radio frequencies I have compiled. I've been compiling this list for the past 3 or 4 years.

* = trunked

Dept of Agriculture
  170.450   Otis Air Force Base, Falmouth, MA
  171.525   Waltham, MA
  413.900   Beltsville, MD Research Center Security

US Attorney
  415.850   Nationwide
  416.175   Nationwide

Washington DC Police
  164.625   Washington Car to Car
  164.800   Washington F1 Dispatch

CIA
  163.810
  165.010
  165.110
  165.385
  165.875   Langley Security
  407.800
  407.600

USCG
  162.125   LANT
  164.1375  Police
  166.225   Aircraft
  171.3125  Falmouth, MA ANARC Net
  171.3375  Utility Network
  171.5875
  172.300   Security - Boston
  415.625   Link - Boston
  419.125   Security - Boston

US Congress
  169.5750  Cloak Room Page - Washington

Dept of Defense
  167.7125  Military Intelligence
  164.1375  Dept of Defense Police
  165.1375

DEA
 *418.625   416.050 input   Ch1 Operations
 *418.900   416.325 input   Ch2 Operations Central MA
 *418.750   415.600 input   Ch3 Surveillance / Strike Force Orderwire Patch System
  418.675                   Surveillance Ch4 Strikeforce
 *418.825   415.600 input   Ch5 Operations
 *418.950   416.200 input   Ch6 Operations
            416.375 input   Operations, Cape Cod
 *418.975   417.025 input   Ch7 Operations
  418.975   Simplex         Ch8 Operations
  416.050   Long Island KLR757
  418.700   Nationwide
  418.725   Nationwide
  418.750   Washington F3 Simplex
 *418.750   415.600 input   NY
  418.775   Nationwide
  418.800   Nationwide
  418.875   Nationwide
  418.900   Bridgeport, CT
  418.925   Nationwide
 *419.00    417.400 input   NY Task Force KLR710

Dept of Energy
  4.6045    Nuclear Transport
  3.3350    Nuclear Transport
  5.7510    Nuclear Transport
  7.7000    Nuclear Transport
  11.5550   Nuclear Transport
  164.2250  Brookhaven National Lab, L.I., N.Y. Fire Dept
  164.3250  Brookhaven National Lab, L.I., N.Y. KRF255
 *164.750   167.850 input   Middleton, MA
 *167.825   164.275         Brookhaven Nat. Lab. KFW703
  167.9750  Brookhaven Nat. Lab. paging KCG827
  411.3500  Germantown, MD KZQ924

US Engraving and Printing Office
  172.2750  Washington
  171.3875  Washington

General Services Administration Federal Protection Service
  413.875   Boston Pagers
  414.8500  Washington F3
  415.200   Washington F1 Security KGC253
  415.2000  Washington Simplex F2
  417.200   415.2 input     Boston
  417.200   Boston Simplex
  419.1750  Baltimore Security - Simplex

Printing Office
  411.200   Washington Security

Federal Aviation Administration
  162.2750  Washington DC HQ
  165.5000  Dulles Airport Police/Fire Operations
  165.6625  National Airport Police
  165.7125  Dulles Police - Access Highway Net
  166.1750  New York Link
 *167.1755  165.6125        New England Network
  169.2625  Dulles Police
  169.3250  Dulles Police Mobile Lounges
 *172.850   169.25          Safety Operations Cape Cod
  172.950   169.35          Safety Operations Boston
  408.8250  Washington DC HQ
  410.9000  Washington DC HQ

FBI
  9.2400
  10.5000
  162.6375
  163.425
  163.925
 *163.725   163.3375        Black/ECC - F2 NY KEC270
  163.775
 *163.800   164.55
 *163.850   167.4175        Blue/ECC2 KGB750
 *163.8625  167.5375        Black/ECC CT Tactical
  163.8875  New Haven F5 KEX600
 *163.9125  167.150         Black/ECC F1
  163.9125  Washington Simplex F3 KGB770
  163.9125  167.5125        ECC1 Washington
  163.925   F5
  163.9375  New Jersey KEX620
  163.950   New York F3 Black/ECC
  163.9625  167.6625        Maryland
  163.9625  MD Simplex F3
  163.9875  197.725         AXO Station Alexandria KFQ240
  164.1500  Exeter, RI Simulcast w/167.6000

Ok, I'm really sick of typing all this crap... I think I'll finish typing the rest of it and publish that in faith 10. So watch for it.

-o[ Defeating the Caller ID system ]o- -o[ D4RKCYDE ]o- -o[ by hybr1d ]o----------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----

Defeating The Caller ID System With Simple but Effective Stealth. July 1999.
hybrid (hybrid@dtmf.org) (http://hybrid.dtmf.org)

quick disclaimer: I do not encourage any of the information provided in this file.
I, or f41th, cannot be held responsible for your use of the information provided in this article; it has been provided for informational purposes only.

(introduction)

CallerID (CID), or CND (Calling Number Delivery), is the successor to the widely used ANI (Automatic Number Identification) system. The telcos use ANI to obtain billing information when you make a toll call; however, despite what a lot of people think, ANI is not used as part of the CID system. ANI was the first system that let the receiving party know who was calling, and it was widely used before the advent of the SS7 telephony protocol, but since the implementation of SS7, CID/CND has become popular on both residential subscriber loops and commercial lines. In this file I am going to show how the CID/CND system works, specific to the *bell specifications, as well as the differences in other countries, such as the UK.

Before we go any further, you need to know the basics of the *bell CID protocol. CID information (data) is transmitted on the subscriber loop using FSK (Frequency Shift Keyed) modem tones. The data is transmitted as ASCII characters and contains the information needed to display the CID message at the terminating line. The actual data burst occurs between the first and second ring of the line and contains basic information about the originating point of the call: the date, the time and, of course, the calling number. On more up to date systems, or within a local area, the name of the caller is displayed next to their number as well. A further extension of CID is CIDCW (CID on Call Waiting), where the call waiting tone is heard and the CID of the second caller is delivered while you are already on a call.

(definition)

As I said before, Caller ID is the identification of the originating subscriber line. For example, say you had a line installed under your own name; your details would be stored alongside your line information in your telco's directory listings.
So when you call someone with a CID unit that displays the calling party's name, your name (or the name of whoever pays the bill for the line) would be displayed alongside the number. Obviously the telco has no real way of knowing just _who_ is making the call, so the term Caller ID is inappropriate; technically it should be referred to as Calling Number Identification, because it is the name of the person associated with the line rental that is transmitted, not the identity of whoever is actually on the phone.

The actual CID information is transmitted to the terminating subscriber loop, as I said before, between the first and second ring, using a Bell 202 type modem specification. Two tones are transmitted: one carries the mark (logic 1) and the other the space (logic 0). The transmitted message consists of a channel seizure string, then a mark string, followed by the actual caller information. If the receiving line only has basic CID service (date, time and number of the caller), SDMF (Single Data Message Format) is used in the CID data burst. If the receiving party has the more advanced version of CID, where they can also see the name of the person calling, MDMF (Multiple Data Message Format) is used. If MDMF is used and you have withheld your CID, the receiving line will only see a message saying the information was blocked by the caller, or is unavailable. Later I will discuss ways of making your line information completely unavailable to the called party.

The first CID service was offered in 1987 to subscribers of New Jersey Bell, which at that time was rolling out new high-speed networks and wanted to rake in a little more money by offering this new service to its customers. Before SS7, ANI was used to obtain the calling number on certain lines for billing purposes.
Before SS7, your ANI would go no further than your central office and was not forwarded on international calls. However, that was then and this is now: SS7 has been implemented big time across the national and international PSTN (Public Switched Telephone Network), and ANI can be a phreak's worst enemy. These days ANI information can be transmitted internationally, and in some cases globally, depending on how similar the signalling/switching systems involved are. Numbers that are renowned for implementing full ANI capture are 800 and 900 services (fully SS7 based), operator services, and of course 911. ANI is _completely_ different from CID, so if you call a line that has an ANI service installed you will not be able to block your line information from going through. ANI works on a different protocol than CID, i.e. the * services used to withhold your CID won't work on an ANI system because they are designed _only_ for blocking of CID, _not_ ANI; remember, they are completely different things. There are a lot of rumours I have heard from people about ANI, such as its supposed ability to capture your line information whichever method you use to call a number. The fact is, ANI is dependent on SS7, which in turn is dependent on translation tables; who says you have to use the SS7 network to call someone ;> I'll go into this further later in this file.

Now, back to CID. Because of the mass implementation of the SS7 protocol, CID information is transmitted to the called party's central office. This is done using SS7 and is called the CPNM (Calling Party Number Message). Now, here's the bitch of SS7: when you call someone, your line information is sent to that person's central office _regardless_ of the fact that you may have requested that your line information be withheld.
If you have withheld your CID, the remote person's central office still gets your line information, but notes that you requested that it be withheld (UNLESS the person you are calling has a deal with their local telco to have any CID information held at their central office automatically transmitted to their CID unit). That's where things begin to get nasty: at the end of the day, the telcos are more concerned about the money they are receiving for providing _full_ CID services to people, and couldn't care less if you requested that your line information remain private.

(lets get technical) -- extracted from CallerID specifications by Michael W. Slawson

Eventually standard CID (SDMF), where only the calling number and date etc. are displayed, will be completely phased out and replaced by the enhanced CNAM (Calling Name Delivery) service, where the MDMF data burst is used.

The CID information is sent serially at a rate of 1200 bits per second using continuous-phase binary frequency shift keying for modulation. The two frequencies used to represent the binary states are 1200 Hz for the Mark (logic 1) and 2200 Hz for the Space (logic 0). The data is sent asynchronously between the first and second ring at a signal level of -13.5 dBm. The level is measured at the central office across a 900 ohm test termination. Following a minimum of 500 ms after the end of the first ring, the sequence of transmission begins with a Channel Seizure. The Channel Seizure is a string of 300 continuous bits (250 ms) of alternating "0"s and "1"s. This string starts with a "0" and ends with a "1". A Mark Signal of 180 mark bits (150 ms) is sent immediately following the Channel Seizure Signal. The purpose of the Channel Seizure Signal and the Mark Signal is to prepare the data receiver in the Customer Premise Equipment (CPE) for the reception of the actual CID transmission.
Once the Channel Seizure and Mark Signals have been sent, the CID information is transmitted starting with the Least Significant Bit (LSB) of the most significant character. This is true for both SDMF and MDMF. Each character in the message consists of 8 bits. For displayable characters these bits represent a code defined by the American Standard Code for Information Interchange (ASCII). When transmitted, the character's 8 bits are preceded by a start bit (space) and followed by a stop bit (mark), giving a total of 10 bits sent for each character. The CID information is followed by a checksum for error detection. Figure 1 shows a visual layout depicting the association of the 1st Ring, Channel Seizure Signal, Mark Signal, Caller ID information, Checksum, and the 2nd Ring.

The checksum word is the two's complement of the modulo 256 sum of the other words of the message. The Channel Seizure and Mark Signals are not included in this checksum. When the message is received by the CPE it checks for errors by adding the received checksum word to the modulo 256 sum of all of the other words received in the message. The addition done by the CPE does not include the Channel Seizure and Mark Signals, nor does it include the received checksum word in the sum it computes itself. The result of this addition should be zero to indicate that no errors have been detected. Figure 2 shows a CID message in SDMF. For ease in describing the process of determining the checksum, decimal values are used for the calculations.
Figure 2: SDMF message with the number delivered

Character             Decimal  ASCII  Actual Bits
Description           Value    Value  (MSB..LSB; sent LSB first)
--------------------  -------  -----  ---------------
Message Type (SDMF)     4             0 0 0 0 0 1 0 0
Message Length (18)    18             0 0 0 1 0 0 1 0
Month (December)       49       1     0 0 1 1 0 0 0 1
                       50       2     0 0 1 1 0 0 1 0
Day (25)               50       2     0 0 1 1 0 0 1 0
                       53       5     0 0 1 1 0 1 0 1
Hour (3pm)             49       1     0 0 1 1 0 0 0 1
                       53       5     0 0 1 1 0 1 0 1
Minutes (30)           51       3     0 0 1 1 0 0 1 1
                       48       0     0 0 1 1 0 0 0 0
Number (6061234567)    54       6     0 0 1 1 0 1 1 0
                       48       0     0 0 1 1 0 0 0 0
                       54       6     0 0 1 1 0 1 1 0
                       49       1     0 0 1 1 0 0 0 1
                       50       2     0 0 1 1 0 0 1 0
                       51       3     0 0 1 1 0 0 1 1
                       52       4     0 0 1 1 0 1 0 0
                       53       5     0 0 1 1 0 1 0 1
                       54       6     0 0 1 1 0 1 1 0
                       55       7     0 0 1 1 0 1 1 1
Checksum               79             0 1 0 0 1 1 1 1

(The Message Length word is 18 here because the message carries 8 date/time characters plus a 10 digit number; the 9 character minimum applies only to the blocked/unavailable case shown in Figure 3.)

The first step is to add up the values of all of the fields (not including the checksum). In this example the total is 945. This total is then divided by 256. The quotient is discarded and the remainder (177) is the modulo 256 sum. The binary equivalent of 177 is 10110001. To get the two's complement, start with the one's complement (01001110), which is obtained by inverting each bit, and add 1. The two's complement of binary 10110001 is 01001111 (decimal 79). This is the checksum that is sent at the end of the CID information.

When the CPE receives the CID message it also does a modulo 256 sum of the fields, but it does not take the two's complement. If the received checksum (01001111) is added to the modulo 256 sum of the fields (10110001), the result (modulo 256) is zero. If the result is not zero then the message is discarded. It is important to note that there is no error correction in this method. Even if the CPE were to notify the central office of errors, the central office would not retransmit the information. If an error is detected, the CPE receiving the message should display an error message or nothing at all. Although Bellcore SR-TSV-002476 recommends that the CPE display an error message if erroneous data is received, most CPE manufacturers have elected to just ignore the errored message.
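The framing and checksum described above, as an added worked example. This code is not from the f41th article or from the Slawson specification it quotes; it takes the Figure 2 field values as its sample message and models the burst at the bit level only (channel seizure, mark signal, 10-bit character frames, checksum), not the FSK audio.

```python
# Added example: build the bit sequence of a Bellcore-style CID data burst and
# decode it again, verifying the checksum the way the CPE does. The seizure
# and mark lengths, the LSB-first 10-bit character frame and the two's
# complement checksum follow the text; FSK modulation (1200 Hz mark, 2200 Hz
# space at 1200 bps) and ring timing are not modelled.

CHANNEL_SEIZURE_BITS = 300   # alternating 0/1, starts with 0, ends with 1
MARK_SIGNAL_BITS = 180       # continuous marks (logic 1)

# Figure 2 from the text: SDMF, December 25, 15:30, number 6061234567.
# Message Type 4, Message Length 18, then the 18 ASCII characters.
FIGURE2_WORDS = [4, 18] + [ord(c) for c in "1225" + "1530" + "6061234567"]


def cid_checksum(words):
    """Checksum word: two's complement of the modulo-256 sum of the message
    words (type, length, data). Seizure and mark signals are not included."""
    return (-sum(words)) % 256


def checksum_ok(words_with_checksum):
    """Receiver check: message words plus the received checksum word must
    sum to zero modulo 256."""
    return sum(words_with_checksum) % 256 == 0


def frame_bits(words):
    """Serialise message words plus checksum into the on-line bit sequence:
    channel seizure, mark signal, then one 10-bit frame per word
    (start bit 0, 8 data bits LSB first, stop bit 1)."""
    bits = [i % 2 for i in range(CHANNEL_SEIZURE_BITS)]
    bits += [1] * MARK_SIGNAL_BITS
    for word in words + [cid_checksum(words)]:
        bits.append(0)                                  # start bit (space)
        bits += [(word >> i) & 1 for i in range(8)]     # data, LSB first
        bits.append(1)                                  # stop bit (mark)
    return bits


def flip_bit(bits, index):
    """Return a copy of the bit sequence with one bit inverted (line error)."""
    damaged = list(bits)
    damaged[index] ^= 1
    return damaged


def _read_word(bits, pos):
    """Decode one 10-bit character frame starting at bit offset pos."""
    if bits[pos] != 0 or bits[pos + 9] != 1:
        raise ValueError("framing error at bit %d" % pos)
    word = sum(bits[pos + 1 + i] << i for i in range(8))
    return word, pos + 10


def deframe_bits(bits):
    """Find the end of the mark signal, read type, length, data words and the
    checksum word. Returns (message_words, checksum_valid)."""
    # The seizure pattern never holds two consecutive 1s, so the first 0 that
    # follows a long run of 1s is the start bit of the Message Type word.
    run, start = 0, None
    for i, bit in enumerate(bits):
        if bit == 1:
            run += 1
            continue
        if run >= 8:
            start = i
            break
        run = 0
    if start is None:
        raise ValueError("no mark signal found")
    msg_type, pos = _read_word(bits, start)
    length, pos = _read_word(bits, pos)
    words = [msg_type, length]
    for _ in range(length + 1):          # data words, then the checksum word
        word, pos = _read_word(bits, pos)
        words.append(word)
    return words[:-1], checksum_ok(words)


if __name__ == "__main__":
    burst = frame_bits(FIGURE2_WORDS)
    print("checksum word:", cid_checksum(FIGURE2_WORDS))       # 79
    print("burst length in bits:", len(burst))                  # 690
    print("decoded:", deframe_bits(burst))
    # flip the first data bit of the Message Type word: checksum must fail
    print("after one bit error:", deframe_bits(flip_bit(burst, 481))[1])
```

The receiver above discards a message on a bad checksum but cannot ask for a retransmission, which is exactly the limitation the text points out: one flipped data bit is enough to make the CPE show nothing at all.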
The content of the CID message itself depends on whether it is in SDMF or MDMF. A message in SDMF includes a Message Type word, a Message Length word, and the actual Message words. A message in MDMF also includes a Message Type word, a Message Length word, and the actual Message words, but additionally includes Parameter Type and Parameter Length words. There are certain points within these messages where up to 10 Mark bits may be inserted to allow for equipment delays in the central office. These Stuffed Mark bits are generally not necessary.

The Message Type word defines whether the message is in SDMF or MDMF. It will be binary 00000100 (decimal 4) for SDMF or binary 10000000 (decimal 128) for MDMF. The Message Length word gives the number of characters in the message. This length does not include the checksum at the end of the message. For SDMF the minimum length is 9 characters. The minimum length for MDMF depends on whether the customer has subscribed to CNAM service as well as CND. In the case of CND only, the minimum length is 13 characters. If the customer also has CNAM then the minimum is 16 characters. In all three of the minimums mentioned there is no actual number or name delivered; the field is marked either "O" (Out of area) or "P" (Private). Figure 3 shows an example of a minimum message layout for SDMF. The number is not delivered because it has been blocked by the calling party. The CPE receives the date, time, and a "P" to indicate that the caller's identification has been blocked at the caller's request.
Figure 3: minimum SDMF message, number blocked by the caller

Character             Decimal  ASCII  Actual Bits
Description           Value    Value  (MSB..LSB; sent LSB first)
--------------------  -------  -----  ---------------
Message Type (SDMF)     4             0 0 0 0 0 1 0 0
Message Length (9)      9             0 0 0 0 1 0 0 1
Month (December)       49       1     0 0 1 1 0 0 0 1
                       50       2     0 0 1 1 0 0 1 0
Day (25)               50       2     0 0 1 1 0 0 1 0
                       53       5     0 0 1 1 0 1 0 1
Hour (3pm)             49       1     0 0 1 1 0 0 0 1
                       53       5     0 0 1 1 0 1 0 1
Minutes (30)           51       3     0 0 1 1 0 0 1 1
                       48       0     0 0 1 1 0 0 0 0
Private                80       P     0 1 0 1 0 0 0 0
Checksum               16             0 0 0 1 0 0 0 0

Figure 4: MDMF message with number and name (CNAM) delivered

Character                   Decimal  ASCII  Actual Bits
Description                 Value    Value  (MSB..LSB; sent LSB first)
--------------------------  -------  -----  ---------------
Message Type (MDMF)          128             1 0 0 0 0 0 0 0
Message Length (33)           33             0 0 1 0 0 0 0 1
Parameter Type (Date/Time)     1             0 0 0 0 0 0 0 1
Parameter Length (8)           8             0 0 0 0 1 0 0 0
Month (November)              49       1     0 0 1 1 0 0 0 1
                              49       1     0 0 1 1 0 0 0 1
Day (28)                      50       2     0 0 1 1 0 0 1 0
                              56       8     0 0 1 1 1 0 0 0
Hour (3pm)                    49       1     0 0 1 1 0 0 0 1
                              53       5     0 0 1 1 0 1 0 1
Minutes (43)                  52       4     0 0 1 1 0 1 0 0
                              51       3     0 0 1 1 0 0 1 1
Parameter Type (Number)        2             0 0 0 0 0 0 1 0
Parameter Length (10)         10             0 0 0 0 1 0 1 0
Number (6062241359)           54       6     0 0 1 1 0 1 1 0
                              48       0     0 0 1 1 0 0 0 0
                              54       6     0 0 1 1 0 1 1 0
                              50       2     0 0 1 1 0 0 1 0
                              50       2     0 0 1 1 0 0 1 0
                              52       4     0 0 1 1 0 1 0 0
                              49       1     0 0 1 1 0 0 0 1
                              51       3     0 0 1 1 0 0 1 1
                              53       5     0 0 1 1 0 1 0 1
                              57       9     0 0 1 1 1 0 0 1
Parameter Type (Name)          7             0 0 0 0 0 1 1 1
Parameter Length (9)           9             0 0 0 0 1 0 0 1
Name (Joe Smith)              74       J     0 1 0 0 1 0 1 0
                             111       o     0 1 1 0 1 1 1 1
                             101       e     0 1 1 0 0 1 0 1
                              32    (space)  0 0 1 0 0 0 0 0
                              83       S     0 1 0 1 0 0 1 1
                             109       m     0 1 1 0 1 1 0 1
                             105       i     0 1 1 0 1 0 0 1
                             116       t     0 1 1 1 0 1 0 0
                             104       h     0 1 1 0 1 0 0 0
Checksum                      88             0 1 0 1 1 0 0 0

In Figure 4, if the number and name had not been included then the parameter types for those fields would be different. These alternate parameter types are used to signify that the data contained in that parameter is the reason for its absence.
The parameter type for the number section would have been binary 00000100 (decimal 4) and the parameter type for the name section would have been binary 00001000 (decimal 8). When the parameter type signifies that the data contained is the reason for that field's absence, the parameter length is always binary 00000001 (decimal 1). If the reason for absence is that the calling party does not want their number/name displayed, then the parameter data is binary 01010000 (ASCII "P") for Private. If the reason for absence is that the information is just not available, then the parameter data is binary 01001111 (ASCII "O") for Out of area. The number/name may not be available if the calling party is not served by a central office capable of relaying the information on through the network.

(lets talk d1rty)

The above specifications are relevant to the US CID system, not to the UK specification. Enough of the technical stuff for now though; it's time to look at CID systems from an attack and defense point of view. First the real basics: if you are in the US you can request that your CID be withheld by using *67 as a prefix when dialing a number. As I said before though, this is absolutely useless for completely withholding your CID, because we know that CID information is passed on to the called party's central office regardless of *67, via the SS7 network. If you are in the UK you would prefix your call with 141, but again our nice System X digital exchanges are real bitches for passing our CID information on to _other_ exchanges, so in essence your call routing is logged as it passes through exchange boundaries on the PSTN. So here I am going to discuss different techniques that can be used to completely render your CID information useless as it is transmitted through various exchanges and offices. I'm going to begin with some basic concepts so you can understand the more advanced techniques better.
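An added example, not from the article: building and decoding the SDMF and MDMF message bodies laid out in Figures 3 and 4, including the absent-number (type 4) and absent-name (type 8) parameters with their "P"/"O" reason bytes. It works on the message words after the FSK burst has been deframed; the function names and the keys of the returned dict are this example's own, not part of any specification.

```python
# Added example: encode and decode Bellcore-style SDMF/MDMF CID messages at
# the word level. Message types, parameter types and the "P"/"O" reason codes
# are the ones given in the text; stuffed mark bits are a line-level detail
# and do not appear in the word sequence handled here.

SDMF, MDMF = 0x04, 0x80
P_DATETIME, P_NUMBER, P_NUMBER_ABSENT, P_NAME, P_NAME_ABSENT = 1, 2, 4, 7, 8
REASONS = {"P": "private", "O": "out of area"}


def checksum(words):
    """Two's complement of the modulo-256 sum of type, length and data words."""
    return (-sum(words)) % 256


def checksum_ok(words):
    """CPE check on a complete message (checksum word included)."""
    return sum(words) % 256 == 0


def build_sdmf(mmddhhmm, number_or_reason):
    """SDMF: type 4, length, MMDDHHMM, then the number or a lone 'P'/'O'."""
    body = [ord(c) for c in mmddhhmm + number_or_reason]
    words = [SDMF, len(body)] + body
    return words + [checksum(words)]


def build_mdmf(mmddhhmm, number=None, name=None, cnam=True,
               number_reason="O", name_reason="O"):
    """MDMF: type 128, length, then (parameter type, length, data) groups.
    An absent number/name is sent as type 4/8 with a one-byte reason.
    cnam=False omits the name parameter entirely (CND-only subscriber)."""
    body = [P_DATETIME, 8] + [ord(c) for c in mmddhhmm]
    if number is not None:
        body += [P_NUMBER, len(number)] + [ord(c) for c in number]
    else:
        body += [P_NUMBER_ABSENT, 1, ord(number_reason)]
    if cnam:
        if name is not None:
            body += [P_NAME, len(name)] + [ord(c) for c in name]
        else:
            body += [P_NAME_ABSENT, 1, ord(name_reason)]
    words = [MDMF, len(body)] + body
    return words + [checksum(words)]


def _split_datetime(s):
    return s[0:2] + "/" + s[2:4], s[4:6] + ":" + s[6:8]


def parse_cid(words):
    """Decode a complete message (checksum included) into a dict. Raises
    ValueError on a bad checksum, as the CPE should discard such a message."""
    if not checksum_ok(words):
        raise ValueError("checksum failure, message discarded")
    msg_type, length, body = words[0], words[1], words[2:-1]
    if len(body) != length:
        raise ValueError("length word %d does not match %d data words"
                         % (length, len(body)))
    out = {"format": None, "date": None, "time": None,
           "number": None, "name": None}
    if msg_type == SDMF:
        text = bytes(body).decode("ascii")
        out["format"] = "SDMF"
        out["date"], out["time"] = _split_datetime(text[:8])
        rest = text[8:]
        out["number"] = REASONS.get(rest, rest)      # lone 'P'/'O' = reason
    elif msg_type == MDMF:
        out["format"] = "MDMF"
        pos = 0
        while pos + 2 <= length:
            ptype, plen = body[pos], body[pos + 1]
            raw = body[pos + 2:pos + 2 + plen]
            if len(raw) != plen:
                raise ValueError("truncated parameter type %d" % ptype)
            data = bytes(raw).decode("ascii")
            pos += 2 + plen
            if ptype == P_DATETIME:
                out["date"], out["time"] = _split_datetime(data)
            elif ptype == P_NUMBER:
                out["number"] = data
            elif ptype == P_NAME:
                out["name"] = data
            elif ptype == P_NUMBER_ABSENT:
                out["number"] = REASONS.get(data, "absent (%s)" % data)
            elif ptype == P_NAME_ABSENT:
                out["name"] = REASONS.get(data, "absent (%s)" % data)
            # any other parameter type is skipped by its length, not guessed at
    else:
        raise ValueError("unknown message type %d" % msg_type)
    return out


# Figures 3 and 4 from the text, rebuilt from their fields.
FIGURE3 = build_sdmf("12251530", "P")
FIGURE4 = build_mdmf("11281543", number="6062241359", name="Joe Smith")

if __name__ == "__main__":
    print(FIGURE3[-1], parse_cid(FIGURE3))            # checksum 16
    print(FIGURE4[-1], parse_cid(FIGURE4))            # checksum 88
    print(parse_cid(build_mdmf("11281543", number_reason="P")))
```

Rebuilding Figures 3 and 4 from their fields reproduces the checksum words 16 and 88 shown in the tables, and the 13 and 16 character minimum MDMF lengths the text quotes fall out of the builder when both number and name are replaced by their one-byte reasons.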
Now, let's consider this scenario for the following techniques: you are in Texas (RBOC: SWBell) and you want to set up a call to someone in Chicago (Ameritech). Obviously you know that *67 won't help you if the person you are calling has full CID (or has access to their central office ;>), so you consider the following techniques and call-setup examples.

[ example A: simple diverting ]

Here you use a host that will be traced back to in the event that the person has full CID. In other words, it's real simple: you use a PBX (preferably a long distance one located in another RBOC). This is very self explanatory, but a lot of people get it wrong. Here's how the call setup would look in a metaphorical diagram:

     ______           ______          ______
    |      |         |      |        |      |  (800)XXX-XXXX
    |  CO  |-------->|  CO  |------->| PBX  |  POTS:(123)456-7890
    |______|         |______|<-------|______|
       |                                |
       |                             ___|__
    ( you )                         |      |
                                    |  CO  |--------------> ( them )
                                    |______|

Now, what's happening here is you are calling the PBX at *67 1800XXXXXXX, you then log in to the PBX and from there you dial the person you want to call. When the person checks their CID unit, they will see the number of the PBX you are calling from instead of your actual originating number. Now, this is OK for very, very simple CID spoofing, but if the person you are calling is resourceful, they could very easily have words with the host you were calling from (who would have your ANI; it's an 800 number). The CO of the PBX would also have the time, date and trunk setup information for when you called the PBX, so this example is still not quite as effective as you would imagine it to be. Now, to make a long story short, we can enhance the above method by implementing our _own_ CID blocking along the above routing example.
Look at the diagram in detail and you will realise that there are many different alterations that can make the routing a lot safer, and _a lot_ more hassle for them to pin-point your originating point. First we take into account the call we make to the PBX. For starters, you can op-divert to the 800 number (depending on where you live), so the 800 PBX receives the operator-assisted call's ANI instead of yours. This can be done very easily, and involves you calling your local operator and asking them to call the number for you. The central office near the PBX then has the originating point of your operator rather than yours. Now, the PBX host is your safeguard when it comes to hiding your CID. For those of you who don't know, all PBXs, or privately owned switching and trunking systems, log incoming and outgoing trunk setups for billing purposes etc. These days most PBX exchanges have administration modules that deal with call routing. The call setups are stored in the databases of the PBXs and can be intercepted. Most of the time a PBX will have one, if not several, dial-in modems that connect to the PBX administration modules for remote maintenance. It's simply a case of internally scanning the extensions of the remote PBX for a carrier, and checking out each one until you find what you are looking for. Once you have access you could do _many_ things, depending on how advanced the system is. For example, you could erase any log of your connection to the PBX (as well as any future connections), you could set up incoming and outgoing trunks on the PBX exchange that don't even exist, and you could select which trunk you call your party with, and therefore which number is displayed to the called party. I won't go into too much detail here, you get the picture, right?
So now we are using a host to call through that will not log anything that could point towards you, with the exception of the timestamping at the central offices along the routing path (again, that could be dealt with in a similar fashion). You could also implement op-diverting from the PBX to the dialed person, or triple the number of hosts you use to place the call by applying the above methods via more PBXs and operators. In my opinion though, the above method is nowhere near as secure as you need it to be, so in the next examples we take advantage of LD carriers and global PSTN networks that do not co-operate with each other, i.e. where calling party data is not translatable or transmittable (electromechanical). Now, to really throw someone off track in the event of a trace (realtime or aftermath), we take advantage of one of the biggest flaws in the PSTN known today: new digital exchange units such as digital ESS, System X etc. cannot effectively communicate with older, less widely implemented electromechanical exchanges such as crossbar, or with CCITT #5 signalling as implemented in less developed countries such as Indonesia, Libya etc. The world's telcos are also very lazy when it comes to passing on originating calling party information from country to country, simply because it is too much hassle for them; time and money enter the picture once more. So LD call setups become a good counter-defense when it comes to routing untraceable calls. Now, I can think of literally hundreds of methods that could be implemented here, but I'm going to discuss the structure of how this type of call would be set up and leave the rest to your imagination (if you have one).

[ example B: international routing ]

Now, consider the previous call setup example and imagine how it would be trunked if you placed a long distance barrier in between. Here we will imagine we have 2 PBXs, one in the US and one in the UK.
Again, you are in Texas and want to set up a call to someone in Chicago without revealing your identity. The basic call setup would appear like this:

     ______           ______          ______
    |      |         |      |        |      |  (800)XXX-XXXX
    |  CO  |-------->|  CO  |------->| PBX  |  POTS:(123)456-7890  (US PBX)
    |______|         |______|<-------|______|
       |                                |
    ( you )         [ US PSTN ]      ___|__          ______
                                    |      |        |      |  (international DMS
                                    |  CO  |------->| DMS  |   gateway router)
                                    |______|        |______|
                                                        :
                                        [ super LD ]    :
    ....................................................:..............
                                                        :
                                     ______          ___:__
                                    |      |        |      |  (international DMS
                                    |  CO  |<-------| DMS  |   gateway router)
                                    |______|        |______|
                                        |
                    [ UK PSTN ]      ___|__                    ___
                                    |      |  System X / ESS  |   |
                                    | PBX  |----- routing --->|co |----- ( them )
                                    |______|                  |___|
                                     (UK PBX)

So here you have op-diverted to the US PBX, then from the US PBX op-diverted and called the PBX in the UK. Already the UK PBX has lost the US PBX's CID, and from the UK PBX you call the person in Chicago, which in turn is re-routed back through the international PSTN, effectively deteriorating your originating line information. The problem with this kind of routing example is that you are costing the 2 PBX exchanges involved big bux, and it is generally not a very nice thing to do, heh. Again, as in the previous example, you can use the PBX administration for extra security, and the above diagram could be used vice versa whether your originating point was the UK or the US. It is however inconvenient, both for you and for the poor owners of the PBXs who have to fork out for your toll-fraud adventures. There are however other ways of implementing the above techniques. Now, probably the most favourable technique would be to box your way out of a country that runs C5, and from there re-route a call back to the US, even implementing a few PBXs along the way; then you would have [ 0 ] CID worries. A more advanced technique involves the forwarding of subscriber lines to a designated number (a C5 country direct, PBX etc.).
Now, if you are in the US, you could be super lame and simply have another US line forwarded to another number by posing to the forwarded line's CO as a field engineer requesting that a line be forwarded to xxx while you carry out field 'maintenance' on it, _or_, if you want to stay away from the lameness, you could do this: let's take Indonesia for example. You can remotely forward an Indonesian residential line to anywhere you want (providing you can find an English speaking exchange). Indonesia is just an example, but as with the US method of forwarding lines you have 2 options. You could a) pose as a local field engineer, or b) if the country has a DMS[+] architecture you could forward the lines by means of remote switch access. (That's another file, but you get the general idea.) So, when it comes down to it, it's all about having the ability to route calls, not spoof them.

So, there you have it, a brief guide to CID blocking (the effective way). It's your choice: *67 (blah), or

*67,00-->1800XXXXXXX-->*67,00-->1800XXXXXX(CD)--> KP2-44-141-0800-XXXXXXX-ST -->001-1800XXXXXXX-->*67,00-->555-555-5555 hello? :>

I hope you enjoyed this file as much as I did writing it, take it easy and remember to check out my website.. :)

Shouts to 9x, substance, downtime, ch1ckie, oclet, jasun, zomba, psyclone, bodie, digiphreq, w1repa1r, gr1p, t1p, jorge, b4b0, shadowx, osiris, essgurl, lowtek, pbxphreak, katkilla, drphace, prez, euk, simmeth, dgtlfokus, voltage, knight, siezer, oeb, lusta, infidel, devious, werd to #9x #darkcyde #phunc #b4b0 #2600 #2600-uk & wErd to D4RKCYDE.

hybrid
http://hybrid.dtmf.org
hybrid@b4b0.org
hybrid@ninex.com
hybrid@dtmf.org

+++ NO CARRIER
-o[ outness ]o- -o[ D4RKCYDE ]o- -o[ write for f41th ]o-------------------------------------------------------

Eventually f41th magazine is going hard copy. We did originally plan to do this by the time we got to issue 1O, but things didn't go as planned. We are looking for people to write for f41th magazine, so if you have something you would like to publish in f41th, just email it to one of the following email addresses.

[ hybrid@dtmf.org ] [ hybrid@ninex.com ] [ zomba@phunc.com ] [ downtime@dangerous-minds.com ] [ digiphreq@webcrunchers.com ]

Until we get our own bawx online, just use the above addresses to send anything you want to publish in f41th, ie: letters, comments, articles etc. If you are writing an article, it must meet the following:

[ all articles sent to f41th must be original ]
[ all articles must be at least 10K ]
[ all articles must be in pure .txt format, no .doc ]
[ all articles sent to f41th should not be released anywhere else ]

If you are writing us an email that you want to have published in f41th, put [ f41th ] in the subject header in enclosed square brackets; all other mail without that header will be considered as reader-to-writer mail and will not appear in f41th. Come to #darkcyde on EFNET and idle with all the D4RKCYDE dewdz/dewdesses/weirdos/convicts/exconvicts/fbi/junkees/entitys/things/etc. If you are submitting to f41th, you can use the below pgp key if you desire.
Type Bits/KeyID Date User ID
pub 2048/4D077481 1999/07/30 f41th

#darkcyde EFNET. http://darkcyde.phunc.com. [C] D4RKCYDE Communications. E0F.
