k-22-(10)-01 OoO=o=oOO=o=O=OoO=o=oOO=o=O=OoO=o=oOO=o=O=> OoO=o=oOO=o=O=OoO=o=oOO=o=O=OoO=o=oOO=o=O=> OoO=o=oOO=o=O=> : -`- -`- OoO=o=oOO=o=O=> ; _|_--oOO--(_)--OOo--_|_ OoO=oOO==OoO=o=oOO=o=O=> | ‘ K-1ine Zine ! | OoO=o=oOO=o=O=> ! issue 22, volume 10‘ OoO=o=oOO=o=O=OoO=o=oOO=o=O=> ---------O^O---- OoO=o=oOO=o=O=OoO=o=oOO=o=O=> ;. |__|__| oOYourO=oO=oOO=MotherooOWas=oA=o=O=> || || OoO=o=oOO=oBullfrog!=O=OoOOO=o=O=OoO=o=oOO=o=O=> ooO Ooo OoO=o=oOO=o=O=OoO=o=oOO=o=O=OoO=o=oOO=o=O=> OoO=o=oOO=o=O=OoO=o=oOO=o=O=O=o=ooO=o=> ;`-.> December 2001 <=o=O=o=O=o=O 'Give Us A Break' Das machine is nicht fur gerfingerpoken und mittengrabben. Ist easy schnappen der Sprinngwerk, blowenfusen und poppencorken mit spitzensparken. Ist nicht fur gewerken by das Dummkopfen. Das rubbernecken sightseeren keepen hands in das Pockets. Relaxen und watch das blinkenlights... _____________________________________________________________________________ » .- Words from the Editor -. « | *: [-] Introduction .......................................... The Clone :* *: (-) Contact Information ................................... The Clone :* *: (-) Advertisment .......................................... HackerSalvage:* *: (-) Link of the Month ..................................... The Clone :* *: (-) K-1ine Mirrors ........................................ The Clone :* *: (^) NEWS: For All Hack Canada Writers ..................... The Clone :* ____________________________________________________________________________ » .- Documents -. « | *: (x) 'Exploration of Wireless Networks' .................... Magma/TheP0pe:* *: (x) 'Advanced Loop Line Analysis' ......................... Phlux :* *: (x) 'TTY.TXT (canadian (telus, namely) prespective)' ...... Phlux :* *: (x) 'OFFICIAL DATU DOCUMENTATION' ......................... The Clone :* *: (x) 'The Canadian Test Number Compilation' ................ The Clone :* _____________________________________________________________________________ » .- Conclusion -. « | *: [-] Credits ............................................... The Clone :* *: [-] Shouts ................................................ The Clone :* _____________________________________________________________________________ Introduction - Welcome to the newest issue of K-1ine... issue #22. We have a bunch of great article compilations for your liking. Take the time to read through them, and don't forget to submit something - you might just be in the next issue. I hope you enjoy this issue... see you next month, see you in 2002! --> Contact Information; =-=-=-=-=-=-==-=-=-= Comments/Questions/Submissions: theclone@hackcanada.com On IRC: irc.2600.net - #hackcanada, #cpu (key) Check out my site: (Nettwerked) http://www.nettwerked.net --> -- -- Advertisment -- +++ WWW.HACKERSALVAGE.COM +++ HackerSalvage.com is a non-profit website dedicated to keeping old hardware in circulation. Many of us have piles of it sitting around but can't just toss it out. Here you can post computer items for sale or post a want ad for items you are looking for. A perfect place to get rid of perfectly good junk.... and get some new stuff to rebuild the pile. +++ +++ -- --=[ LINK OF THE MONTH ]=-- Every month I post one really great "link of the month" on every issue of K-1ine magazine. The link can be anything in the technology industry, music scene, rave scene, punk scene, or even a good article you read on a news site. I'll be taking submissions via e-mail or IRC right away; so get your links in and maybe you'll see it in the next issue of K-1ine! For the month of December, the link of the month is: https://www.nsacom.net:1952/txt/Website_Mirrors/ Mirrors of L0pht, Nettwerked, and other neato sites! [submitted by: The Clone] -- K-1ine Mirrors: http://the.wiretapped.net/security/info/textfiles/k1ine/ "Wiretapped.net is an Australian site offering an archive of open source software, informational and advisory textfiles and radio/conference broadcasts covering the areas of network security, network operations, host integrity, cryptography and privacy. We aim to become the largest archive of this nature in the Asia/Pacific region through steady growth of our archives and regular updates to them (most updated nightly). We are proudly telehoused on a 10Mbit/sec connection by Connect.com.au using OneGuard hardware donated by eSec Limited. The archive, along with its sister site on the same machine, The AusMac Archive, generates between 10 and 60 gigabytes of outbound traffic daily. Wiretapped.net is hosted in Sydney, Australia." -- NEWS: For All Hack Canada Writers I thought I'd advertise this in my zine, just incase you haven't already read this on Hack Canada. A crook by the name of Dale K. Kubin has outright stolen every file from Hack Canada (files that have been written by a dozen or so authors) and put them in a couple of "hacking" books. This isn't about information sharing, or helping to get the word out about talented hackers/phreakers. This is just a case of some greedy asshole who decided he could make money by stealing files that WE (the underground community) have worked countless hours on. If you want more information, please read what Cyb0rg/ASM had to say: http://www.hackcanada.com/hackcanada/mistake.html -- im a drunk pony -- Exploration of Wireless Networks Using the 802.11b protocol It seems that the new thing in the underground is breaking into various systems via a wireless connection. This is so because the wired equivalent protocol (WEP) has, especially recently, been shown to be flawed. What WEP attempts to do is deliver an infrastructure that makes it harder to "plug in" to the wireless network. Picture a corporate LAN with ethernet jacks every meter along the walls. This is what WEP actually accomplishes :) Also remember that wireless networks reach beyond the area they are meant to service, so not only are there ethernet jacks every meter along the walls, they go down the street a few blocks as well. WEP protects a network using a 40/64-bit or 128bit key. When wireless network was still in diapers security was not a priority, walking was. Some of WEP's problems stem from mistakes in the algorithm. WEP has addresses that can be forged. /* here, it's not WEP that's at fault. 802.11 emulates a standard ethernet in a wire-free form, and as part of the 802.foo specs, there are MAC addresses that are a part of the level 2 protocol. these are in theory spoofable, but in practice it's not always as easy. There are genuinely few cards that allow you to change the mac address, and out of those that do, sometimes (this is the case with wavelan based cards, such as the AIRport and Lucent cards) at the -hardware- level it get's blocked by the card itself. For the wavelan based cards, there exists a firmware patch that lucent will only release under strict NDA and licensing that will enable the cards to broadcast level-2 packets that contain source addresses -other- than their hard coded address. */and lastly, the encryption key or keys must be shared by all the users on the same network. This most of all reduces the security level of the network, as the -same- key get sent out repeatedly and once you get the key, there is nothing in the way except for possible encryption at level's 3 or 4. When a wireless network is being created most people either do not test the placement of the base station(s), or do not take into account such things as brick walls that block the signals, or large metal plates that may reflect the signal Or the park bench down the street that for some reason, the packets fly by. Now that you are interested in this subject you first need to know how to access these magical wireless networks. The first thing you will need is a computer with 802.11 compatibility. Laptops are always preferred, for the obvious reasons, and keep in mind that there are different revisions of the 802.11 specification. The original spec called for 2mb/s and no WEP. The next level, 802.11c introduced WEP and 11mb/s, and with 802.11b we saw 128 bit keys for WEP. There is a new spec coming online now, 802.11a. This will allow 54mbs sans-fils, although I believe it offers no improvements to the WEP feature. As of this writing (fall 2001) there is just one company producing these new cards, with others promised for the near future. Before we get into the fun parts, there are a few things that I think you should know about if you want to have FWNW (Fun With No Wires, watch out, it's addictive), and that is simply a little about the structure of the layer-1 802.11 packets. These packets are remarkably similar to low-level ethernet packets, but with additions for ESSID (Extended Service Session ID), encryption (by WEP), and Station names, which are different than MAC addresses in that they are strings, as opposed to a series of hex digits. These an also be duplicate, and quite often base stations (or access points, whatever) have the Station name set the as the ESSID, for simplicities sake. So, you have to remember that each network broadcasts using the same Session ID, and that each station is assigned a Station ID. Normally ESSID's are manually assigned, using whatever tool your OS supports. One neat thing though is that the 802.11 spec says that if there is no ESSID set and the interface transmits or receives a packet, then the card is to use whichever ESSID it finds first. If the card gets reset (you can force resets via software), then it looks for another ESSID, and failing that, falls back on the old one. At this point light bulbs should be going off in your head, as this is the basis of wireless network scanning. There are multiple ways you can go about looking for these networks, either by using one of the pre-made pieces of software such as AP Scanner, which runs on Apple (used and recommended by Magma). I know there are a few of these on freshmeat, graphical and/or console. Or,if you are like me then you could just write your own in perl. I'll give you some tips and a simple script at the end of the file. Lots of the wardriving (or warbiking, or warwalking) sites stress that you need an external antenna, and I'd like to say that while helpful, they are hardly necessary. Most of the time when I'm scanning, I'll be walking around with my laptop in my backpack, and a headphone running to my ear for output from the scanner. I personally own an iBook, and these have an omni directional antenna which has some front-back tendencies (the signal goes more forward and backwards than side to side), and it works fine. Now, if you are in a car, it's a bit different, as you are traveling at a higher velocity, and (in most cases) farther from the buildings. Although I must say that I have used my laptop sans antenna from a moving car, and it does work, just requires a bit more planning in the placement of the laptop. For the most part, to get online via an 802.11 it's quite easy for the simple reason that most people either forget or forgo a WEP password for whatever their reason may be. If this is the case you can simply assign the discovered ESSID or have it automatically set for you, and then your card will begin catching the desired packets. /* I don't know about this section as much, as I haven't done too much with wep cracking. I'm just rewriting this part for clarity :) */ If there is WEP in the picture, things change somewhat. Some of the more advanced scanners (I'm not sure if there are any free ones that do this, I know the scripts' I've written and seen don't do this) will report ESSID's for networks that have WEP enabled. If this is the case, then you can just make a brute force cracker, but this can take a while as passwords can run into quite a few characters long. Fortunately, as we know, WEP is insecure. The theories for cracking it have been around for quite some time, and in the past few months people have released software (some commercial, some freeware/GPL with names like Airsnort and WEPcrack) that does it at the click of a button. The only prerequisite for most of these pieces of software is large amounts of data to fool with. You need to gather packets at the site in question for periods of time ranging from minutes to hours. Also, most of the already- written crackers are dependent on specific wireless chipsets, like the prism2 chipset. Depending on your situation, this may or not be a problem. If the target network is located at a public library or a coffee shop, then you would have no problem staying there for hours at a time. If the network is located on a busy downtown street, then your options are more restricted to things such as walking back and forth multiple times a day, compiling the packet logs over a period of weeks, or even months, or even just sitting in there stairwell for a few hours. The software will then analyze the packet logs and try to guess which packets have encoding problems, that is, the sources of randomness (SYN numbers, TCP flags) weren't computed as well as they could have been. I don't have much experience with this personally, because none of the networks I've found so far have had WEP activated :). And never forget of course the time honored traditions of brute forcing and guessing. It's easy, just use perl, and apply the same steps as mentioned for collecting data. The key is for these things is that you don't have to be connected all the time, you could, for example, take a detour on the way to work each morning and wander around the building the target network is located. Or even just walk past it. If it's a busy network, there will be plenty of traffic, even for the few minutes it takes you to walk past. And remember that 802.11 is a level 2 protocol, so all the dns queries, arp queries, WOL (wake on lan), things like that are always floating around out there, just waiting for an antenna. There are many opinions on the ways you can actually go out and find networks, and I'm going to go over a few just to give you some inspiration. First off, humans have been graced with two feet. They are very useful. Personally, I prefer to do all my packet hunting on foot, as this allows you to get the closest to the networks themselves, or to go inside and hide in a stairwell at a moments notice. As far as user interface goes, my scripts so far have used audio output, and I wear a headphone in one ear while I'm scanning. Using speech synthesis, the scripts let me know what's going on. There are of course numerous disadvantages to this. It's slow, you can't cover nearly as much ground as most other methods, and it can be suspicious looking (try walking downtown with one headphone in your ear and holding a directional antenna made from a tomato juice tin and an old nintendo zapper, with it's lead running into your backpack, and you'll know what I mean). But if you don't own a car, and you don't always carry around external antennas (*wink*) then this method is pretty much the most anonymous of them all. You're just another monkey with a backpack, one of hundreds out there... The next most popular method (and the one with a catchy media term) is using a car. In your car, you can be warm, and you can interactively use the computer while you comfortably sit down, not exerting your legs at all. One thing I've noticed is that it really really helps to have an external antenna while doing this, as you are traveling at a higher velocity and the networks are in general farther away. This isn't to say that you won't pick up any networks, you just won't pick up as many. Sniffing packets as they go by or using software to find Base stations is a passive attack meaning that you don't leave a trial. This also means that the admin on a system cannot what you are doing. However, once you connect to a network you leave behind the MAC (same as on a wired LAN)address of your wireless card. In theory if you cause substantial amounts of damage you could be tracked down through it (buy your 802.11 card using cash, kids). You've been warned but do keep in mind that this scenario is not very likely to happen, as it's quite resource intensive. /* :( dos is silly.*/ Just when you thought you have heard the last of Denial Of Service attacks. Yes, you can do such a thing to a wireless network. Due to the nature of radio transmission wireless networks are very prone to denial of service attacks. If you really wanted to crash a network and had a powerful enough transceiver you could easily create enough interference that the wireless network would be unable to communicate. This kind of attack can be done from a somewhat remote location for example in an apartment on the same block as the network. If you are or know someone that is well versed in short-wave radio you should have no problem in creating such a mess. At a reasonable price too. There is a much simpler way to cause the same effect of a somewhat smaller scale. I'll use my ibook as an example. The software that was shipped with my ibook allows me to use my ibook or another computer with a wireless card as a software base station. What this means is that I can use it as an access point without buying a base station. This is an option for some people that only have two wireless cards but lack a hardware base station. So now you know why Apple ships this software. The wonderful thing is that when I activate my ibook as a software base station and walk into any area that has a wireless network, I'll use a university for this example. It causes everyone within 150 feet (the distance increases when you can an antenna) to try to connect to me rather then the network the university has. This is done because most people will connect to the access point with the strongest signal. Of course my signal will be stronger if I'm right beside you. As you can see this will cause people to not be able to access the information they are seeking. As soon as I leave the area all will be fine. This large gap in security may not be around for too much longer. Under development are new versions of both WEP and 802.11b protocols that will include stronger security features such as personal password. This may mean new hardware for those currently operation wireless networks, or it may come in the form of software patches. However, these features will not be released until mid-2002 at best. In the meantime, there are other options out there, ranging from IPsec to other things involving dynamic interactive firewalls, to only using ssh and remote X on your machine :) - Magma (www.ghu.ca) - The_p0pe 11/26/2001 -- >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> <<<<<<<<<<<<<<<<<<<<<<<<<<<<< Advanced Loop Line Analysis >>>>>>>>>>>>>>>>>>>>>>>>>>>>> <<<<<<<<<<<<<<<<<<<<<<<<<<<<<< by phlux : phlux@fucktelus.com __________ Disclaimer: If you perform any of the acts described in this text you may die. (and i will not be held responsible) ______________________________________________________________________ / _____________ ' Introduction; / / _____________________________________________________________________/ This file pertains to Loops in the form of wiring, commonly called a pair, the twisted pair, or just the "line" and/or "phone line". Normally Analyzing a loop requires a 250$ multimeter from Radio Shack with a serial cable(phlux style anyways), or a toner/probe set, and other tools, which are usually expensive. One can easily overcome this with a telephone patch cable, or even just an RJ-11 mod(female) jack(jill?) on your wall. By simply touching the ring(red) and tip(green) wires on your tongue, a short is created, and your tongue is the load in some sense. If the pair that you analyzed is onhook, you will feel a zap, and the area of your tongue that you electrocuted will be numb for a bit. When a line is idle (onhook) there is generaly 40~volts across ring and tip, and you will learn to 'taste' this. If an extension on the pair is off hook, there will generaly be around 9~ volts on the pair. There is only a mild sensation (on my pair anyways) much like licking a 9 volt battery at full capacity. You will easily be able to tell the difference as to wether or not your line is idle or not, by the self inflicted electrocution. With a powerful short, your reflexes act faster then your hand, and your head will pull back as you remove the wires/mod jack from your tongue. Keep this in mind when licking raw terminals from an open baseboard style mod jack setup. (with 2 lines and 4 terminals in those little plastic boxes, this can be a challenge.) This technique is also good for testing the integrity of Radio Shacks "WebLock Phone Lock" part #279-8511 where there is a single female mod jack on a surface wall mount plate with a physical key lock as the on/off switch. If it is determined that there is no current, one can quickly unscrew the cover and rewire. I find this technique a lot faster then most conventional methods, and therefore it is suited for the field. One thing you need to keep in mind is that the voltage across the pair when the line is being rung, it is around 90volts. If you were just touching a pair with 90 volts going through, i'm sure you would be fine, however your tongue is a better conducter then your skin. ASCII diagram of a tongue and the taste buds(guideline): (grade 7 science rules!) |xx xx| |xx xx| |xx xx| |## ##| |### ###| 'S# #S 'SSSSSSSSSS' ' - ' Legend: the "x" 's denote taste buds that are sensitive to sourness the "#" 's denote taste buds that are sensitive to saltyness the "S" 's denote taste buds that are sensitive to sweetness The middle portion of the tongue (Fillform papillae) are sensitive to sour flavors. Personally i found the # region of the tongue to be the best portion to electrocute as it's not as sensitive as the very tip or frontal portion of the tongue. Keep this in mind if you don't want your tongue numbed... (it really isn't that bad) A spare 9v can serve as practice. ______________________________________________________________________ / ___________ ' Conclusion; / / _____________________________________________________________________/ Licking a twisted pair and not a mod jack(if you do, make sure it's a male one fag) allows for more control over the electrocution. When you get good you will be able to grab any pair/patch/mod and check its state and you may wonder how you did without. _____ Notes: -Avoid analyzing mod jacks, as it's harder to press your tongue into the slits, stay away from female mod connectors(resist!) -Avoid analyzing foreign pairs as a ring could be fatal. -During analysis, always avoid using the tip of the tongue. -Stay away from digital lines, if in doubt the multimeter ye shall bust out. _______________ Extra Curicular: -Lick a toll stations pair -Lick your girlfriends pair -Lick a pair while pulse dialing 12/01/2001 - TTY.TXT by phlux (canadian (telus, namely) perspective) phlux@fucktelus.com -=TTY Basics -Your First TTY call -Using a TRS payphone -=TTY Payphone Locations -Alberta -British Columbia -=TTY Benefits TTY isn't something every phreak needs to concern themselves with, its quite simple, but at the same time it can definately be useful to know how to use one, as there are Telus millennium payphones equiped with TTY keyboards. This will save you lots of money if your constantly paging the fuck out of someone because they dont know how to turn on theyre fucking cellphone. Local TTY calls placed through TRS (711) are free. Long distance is charged 50% off the regular rates. ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ; I'll let Telus explain they're TTY relay service; ; ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,' A person who is deaf, hard of hearing or speech disabled uses a TTY to type his / her conversation to a Relay Operator who then reads the typed conversation to a hearing person. The TELUS Relay Operator then types the hearing person's spoken words back to the TTY user. So an operator relays what you type, pretty much. You can use your modem and a terminal program (i recomend Super Terminal by super voice for windows, minicom for linux) and use the service, or you can purchase TTY hardware (a tele-typewriter) which can be acoustical. Check ebay. - Important TTY terms+definitions. TRS=Telus Relay Service TTY=Teletypewriter TDD=Telecommunications Device for the Deaf (now defunct, use TTY) CA=Communications Assistant GA=Go Ahead SK or SKSK (stop keying, do this before you disconnect) q=? Due to incompatability issues, the letter q is used to denote a question mark. VCO=Voice Carry Over(VCO enables you to speak directly to the person you are calling, for hearing impaired people who can speak clearly. When you connect to a CA, just say 'requesting VCO, GA' or equivelant to use this feature) VCO can only be turned on when the call is answered, to which she will announce 'VCO on GA' or something. HCO=Hearing Carry Over(you can hear but can't talk, same as above but reverse.) When using the service, common abbreviations will be understood by the CA: PLS=Please GA=Go Ahead NBR=Number OPR=Operator (or CA) DA=Directory Assistance ASAP=As Soon As Possible MSG or MSGE=Message PPL=People - ,,,,,,,,,,,,,,,,,,, Your first TTY call: Any old modem will do, use SuperVoice for windows(it can transmit baudot i believe) of you can just use minicom in linux, all you need is a minidistro, so you can dedicate a vintage computer to the task of TTYing quite well. Use the modem string: ATDT711 This will dial 711 using DTMF. If you want, you could set your modem to auto answer incoming calls, and if any are TTY you can connect and talk... Extra Fun: setup a baudot TTY BBS :P With most TTY devices there is an LED on them somewheres that blinks to signify ringing/busy. ,,,,,,,,,,,,,,,,,,,, Using a TRS payphone: The only TTY payphones i have seen are Telus Millenniums, which have a keyboard mounted under the booth where the phone book would normaly be. You will most likely only find TTY payphones indoors for obvious reasons. Keep reading for Alberta/BC TTY payphone locations or just goto an airport, bus depot, or any other place that caters to lots of people. There is 2 wires coming out of the TTY keyboard, one white, one black. This most likely means the TTY keyboard is non dependant of the millennium, to test, try splicing into these 2 wires and hooking up your test set. If you get a dialtone, you can unscrew the 6 screws holding the keyboard to the booth for a free TTY. Do not do this. When a TTY call is inititated on a TTY payphone, the keyboard will open, watch the LED to see ringing. The keyboard will close upon disconnect unless a key is pressed to keep it open. If you want to annoy someone during a voice call, press the * key 3 times and the payphones voice will say 'TTY call, use text telephone' Anyone know how to change the TTY call alert message? If you are from a standard payphone, or any phone for that matter, you can call 1 800 855 0511 and a TRS CA will ask the number of the TTY user you wish to call. Avoid speaking after the operator has said 'go ahead'. TTY operators are just there to relay, you cannot talk to them(trust me). Also they MUST relay everything you say. You can instruct them to spell stuff like fear 'ph33r'. You can talk about phreaking telus, or whatever, they just relay it all... Don't talk too fast because remember the op has to type it all If you've used CB or any kinda radio you shouldn't have a problem with the relay service. It's just half duplex, so remember to tell the CA GA when you are done. _____________________________________ Locations of TDD payphones (Alberta): _____________________________________ EDMONTON Alberta Vocational College 10215 - 108 Street 5th Floor Bonnie Doon Mall East Entrance Capilano Mall North Entrance City Hall Main Entrance Law Courts Main Floor Edmonton Centre Food Court Edmonton Transit University LRT Station Hub Mall Transit Entrance Grant MacEwan Community College Millwoods Campus Greyhound Bus Depot 10324 - 103 Street South by A & W ^-look for the blue and white TTY signs depicting a handset ontop of a keyboard. International Airport - Terminal Departure area, North Arrival area, by elevators North Holdroom South Holdroom Transborder International Holdroom Canada Customs NAIT Main Entrance University of Alberta SUB by elevators, across from bookstore CALGARY International Airport Departures Canada Customs, Arrivals Concourse A by Duty Free Shop Concourse D Concourse D Concourse D Arrivals, Main Terminal Concourse C Concourse B Greyhound Bus Depot Public Waiting Area BANFF Brewster Banff 100 Gopher Street _________________________________ And for BC TTY payphone locations: _________________________________ Kamloops Airport Near ticket counter Kelowna Airport Departure area Port Hardy Port Hardy Airport Prince George Airport LH Side of main front doors Vancouver Vancouver International Airport International Terminal - Level 3 East Chevron, Gate EC2 International Terminal - Level 3 East Chevron, Gate EC3 International Terminal - Level 3 East Chevron Gate EC5 International Terminal - Level 3 East Chevron Gate EC8 International Terminal - Level 3 East Chevron Gate EC9 International Terminal - Level 3 East Chevron Gate EC10 International Terminal - Level 3 East Chevron Gate ECII International Terminal - Level 3 by Gate D56 International Terminal - Level 3 by Gate E91 International Terminal - Level 3 by Gate E75 Domestic Terminal Level 3 Wall by Gate 34 International Terminal - Level 3 Inside North entrance Domestic Terminal - Level 3 Opposite Gate C37 Domestic Terminal - Level 3 Pillar centre Domestic Terminal - Level 3 South end by bank ATM South Terminal Building - Level 1 Arrivals at rear International Terminal - Level 3 Inside hotel entry East International Terminal - Level 3 Inside hotel entry West Domestic Terminal - Level 2 escalator North side International Terminal - Level 3 By Gate D54 International Terminal - Level 3 Int’l check-in by staff elevator Domestic Terminal - Level 3 link by washrooms Domestic Terminal - Level 3 by washrooms Gate B16 Domestic Terminal - Level 3 by washrooms at Gate A5 International Terminal - Level 2 behind escalator International Terminal - Level 3 by Gate D52 Victoria University of Victoria University Centre – Lobby McPherson Library – Lower level Business and Commerce – Level 2 Human and Social Development – 2nd Floor Camosun College Landsdowne Campus: Parking lot – Lansdowne entrance; Fisher Building – Lobby Interurban Campus: Parking Lot #6; Campus Centre – Lower level Royal Roads University Adult Ed Centre – Building 2 Victoria International Airport Lobby BC Ferry Corp – Swartz Bay Coffee Shop - North entrance Note: TDD Payphone Locations are subject to change. I don't know how updated that list is... you could probably phone 711 and ask if theres one in your area. ______________________________________ So what are the benefits of using TRS? I have verified that local TTY calls through TRS are toll free, even from payphones. For extra curicular: Use a computer, a 386 with minicom+2 modems is all you need. Have 2 TTY ops talk to eachother on a loop. The TTY ops will know theyre relaying to one another, and they must wonder why the two TTY users aren't just calling eachother direct. The joy of this is obvious. (telus lesbian TTY phone sexor!) TTY can be very anonymous, your voice cannot be used in biometrics and that shit. You can specify male or female operators if you really want. This is good for having a TTY op set your voice mail/pager greeting, or whatever else. I would like to try having TRS dialup a simple text only BBS. Perhaps as a little service for phone phreaks, one could make a TTY on a spare line accept calls that would announce recieved ANI/Caller ID, it would perform line tests, anything.. could be fun. TTY is somewhat secure, if its your mom trying to listen in on your call and she hears modem like tones and thinks your on the internet or something.. Could also be fun, but REMEMBER (baudot is carrierless.. no more NO CARRIER) TTY is a service intended for the hard of hearing and speech impaired. There isn't as many TTY ops as there is TSPS. Do not abuse this service. By all means experiment with it, but don't do anything malicious. TTY supports Baudot code, ASCII and in some places turbocode. Approx. 95% of calls through relay services are in Baudot. According to a .html i had backed up on a CD, the speed for baudot is 45.45baud (north america) speeds and protocols vary if your foreign. Questions about the telus relay service? Direct them to telus.relay@telus.com Keep on the lookout for future TTY projects.. I am working on some simple code to emulate baudot, perhaps an add-on to the Hash project; www.hackcanada.com/hash.txt -phlux phlux@fucktelus.com SKSK. 11/30/2001 -- OFFICIAL DATU DOCUMENTATION Date: Fri, Nov 23, 2001 Typed Up By: The Clone E-MAIL: theclone@hackcanada.com URL: www.nettwerked.net -- Reference Image: http://www.nettwerked.net/DATU/DATU1.jpg 1 DIAL DATU ACCESS NUMBER 2 ENTER PASSWORD 1234 3 DIAL SEVEN DIGIT SUBSCRIBER NUMBER 4 DATU will respond "CONNECTED TO XXX-XXXX," "OK," or "CONNECTED TO XXX-XXXX, BUSY LINE, AUDIO MONITOR" Non pair gain lines proceed to step 7 Note: If Busy Line, DATU will not access the DC By-Pass Pair or the Metallic Access Unit. 5 SLC lines: If line is idle DATU will respond "PAIR GAIN LINE" followed by "Processing" ("Processing" may be repeated for up to 25 seconds.) DATU will voice message: Single Party Line } {Good} Multi-Party Line } Followed by Coin Line "ENTER RT NUMBER" Channel Not Available (No/Bad Channel test Results) PGTC Failure/By-Pass If same recording is heard Pair Busy repeatedly, alert supervisor Pair Gain System Alarm {Alter Supervisor} 6 If Good (or Bad) Channel test results, enter the RT number, Dial "*" to end ("**" toggles on or off the Alpha mode). Enter Pair Number, dial "*" to end. Dial "0 *" to use existing DC TEST Pair. DATU will connect to the By-Pass Pair or call the Metallic Access Unit in the RT, except when By-Pass is busy or Pair Gain system is in Alarm. See step 7 after connection to the remote site -- Reference Image: http://www.nettwerked.net/DATU/DATU2.jpg 7 LINE PREPARATION FUNCTION DIAL CODES: 2 " Audio Monitor 33 = Short Tip and Ring to ground 37 = Short Ring to groun (Tip open) 38 = Short Tip to group (Ring open) 44 = High Level Tone on Tip and Ring 47 = High Level Tone on Ring (Tip grounded) 48 = High Level Tone on Tip (Ring grounded) 5 = Low Level Tone 6 = Open Line 9 = Permanent Signal Release # = New Subscriber Line ## = Force Disconnect * = Confirmation preparation function after dis- connect (system programmable from 1 to 99 minutes); enter number of minutes after "*" Single Line Access: 1. Dial the DATU access number 2. Enter the user password 3. Enter the "*" and subscriber number for non- pair gain lines or Enter "**" and subscriber's number for pair gain lines and then enter RT number. Dial "*" to end. Enter Pair Number. Dial "*" to end. 4. Enter Function Desired 5. Enter number of minutes to apply condition 6. Hang up and wait 30 seconds for DATU to access and condition line, (90 seconds for RT connection). Alpha Character Codes: [space] = 11 A = 21 F = 33 K = 52 P = 71 U = 82 Z= 94 = = 12 B = 22 G = 41 L = 53 Q = 74 V = 83 , = 13 C = 23 H = 42 M = 61 R = 72 W = 91 - = 14 D = 31 I = 43 N = 62 S = 73 X = 92 / = 15 E = 32 J = 51 O = 63 T = 81 Y = 93 [H] HARRIS DRACON DIVISION DATU(tm) RT USER GUIDE __________________________________________________________________ | | | | | Central Office Name | DATU Access Number | Password | |------------------------------------------------------------------- | | | | | Bayside | 224-0852-0958-1145 | 2345 | |------------------------------------------------------------------- | | | | |------------------------------------------------------------------- | | | | | Flushing | 520 1207 1320 151807 | | |------------------------------------------------------------------- | | 1553 | | |------------------------------------------------------------------- | | | | |------------------------------------------------------------------- | | | | | Corona | 699-0016 - 1053 | | |------------------------------------------------------------------- | | | | |------------------------------------------------------------------- | | | | |------------------------------------------------------------------- | | | | |------------------------------------------------------------------- | | | | |------------------------------------------------------------------- | | | | ------------------------------------------------------------------- -- Reference Image: http://www.nettwerked.net/DATU/DATU3.jpg Password 2545 ____________________________________________________________________ | | | | | Central Office Name | DATU Access Number | Password | |--------------------------------------------------------------------- | BELLE HABOR | 945-1650-1651 | | |--------------------------------------------------------------------- | CORONA | 699-0016-1053 | | |--------------------------------------------------------------------- | FAR ROCKAWAY | 327-7762-7766 | | |--------------------------------------------------------------------- | HOLLIS | 468-3647-3648 | | |--------------------------------------------------------------------- | J. F. K. | 632-1213-1228 | | |--------------------------------------------------------------------- | RICHMOND HILL | 805-6597-6598 | | |--------------------------------------------------------------------- | 115 AVE./OZONE PARK | 641-1644-0489 | | |--------------------------------------------------------------------- | NORTH JAMAICA | 969-1018-1055 | | |--------------------------------------------------------------------- | JAMAICA | 658-1963-1899-5699 | | |--------------------------------------------------------------------- | BAYSIDE | 224-0853-0958-1145 | | |--------------------------------------------------------------------- | LAURELTON | 528-8374-8375-8376 | | --------------------------------------------------------------------- L. I. C. 472-0567-0572-0576 ____________________________________________________________________ | | | | | Central Office Name | DATU Access Number | Password | |--------------------------------------------------------------------- | FLUSHING | 460-2775-4055-2861-4155 | | |--------------------------------------------------------------------- | FOREST HILLS | 520-1207-1320-1518-1553 | | |--------------------------------------------------------------------- | ASTORIA (FOR NNX'S | 278-728-626-204-956-267) | | |--------------------------------------------------------------------- | DIAL | 626-2432-2422 | | |--------------------------------------------------------------------- | ASTORIA (FOR NNX'S |726-274-932-721-545-777-546| | |--------------------------------------------------------------------- | DIAL | 721-2722-2822 | | |--------------------------------------------------------------------- | NEWTOWN (FOR NNX'S |335-899-446-898-458-457-397| | |--------------------------------------------------------------------- | 760-533-396) DIAL | 335-7715-7810-7832 | | |--------------------------------------------------------------------- | NEWTOWN (FOR NNX'S | 651-672-478-779-334-205) | | |--------------------------------------------------------------------- | DIAL | 779-9129-9136-3308 | | |--------------------------------------------------------------------- | NEWTOWN (FOR NNX'S | 424-429-639-426-476-565- | | |--------------------------------------------------------------------- 507-936-803) DIAL | 424-0157-0173 .END. -- The Canadian Test Number Compilation >> Date: Fri, Nov 23, 2001 >> By: The Clone Disclaimer: The content within this file is for informational and entertainment purposes only. Unauthorized access of the test systems spoken about in this file may get you in trouble with local and/or national law enforcement. By reading this, you agree not to try any of this. Audience: The Telecom Enthusiast Community - Alberta Terminating Test Line #: 780-459-2325 (see: 'An Introduction to Telus' Terminating Test Lines' http://www.hackcanada.com/canadian/phreaking/albertatest.txt) - 1000Hz / 1004Hz Test Tone #'s: (Requirement: Loop Analyzer for 1000Hz / 1004Hz test tones) 780-458-2304 780-458-2307 780-459-2304 780-459-2307 780-459-2308 780-460-2304 780-460-2307 800-387-0023 (toll-phree) - Edmonton Region Plant Test Prefix: 780-297-XXXX suffixes you can try on this prefix are: 297-ANAC (2622) 297-4TEL (4835) - Relevant for Alberta and British Columbia 297-LMOS (5667) (same as 297-LOOP) 297-DATU (3288) 297-RNCC (7622) - National Listing of Area-Code and Prefixes for Test #'s: (Taken from the CANADIAN PLANT TEST PREFIXES file: http://www.hackcanada.com/canadian/phreaking/planttst.txt) .-----.----------------------------------------. | NPA | Listed Plant Test CO Codes | |-----|----------------------------------------| | 204 | 590, 591, 959, 970, 971, 972, 973, 974 | | 250 | 958, 959 | | 306 | 958, 959, 970, 993 | | 403 | 958, 959 | | 416 | 958, 959, 970, 997 | | 418 | 320, 958, 959 | | 450 | 320, 958, 959 | | 506 | 572, 958, 959, 963, 964 | | 514 | 320, 958, 959 | | 519 | 320, 958, 959, 970, 997, 999 | | 604 | 958, 959 | | 613 | 320, 958, 959, 970, 999 | | 647 | 340, 810, 958, 959 | | 705 | 320, 958, 959, 999 | | 709 | 958, 959, 992, 993, 994, 995 | | 780 | 958, 959 | | 807 | 320, 958, 959, 997, 999 | | 819 | 320, 958, 959 | | 867 | 958, 959 | | 902 | 811, 958, 959, 999 | | 905 | 958, 959, 997, 999 | `-----"----------------------------------------' - If you have any other test numbers to add, contact me. Shouts: The Canadian Phreakers Union, Alan, Phlux, RT. >> URL: www.nettwerked.net >> E-MAIL: theclone@hackcanada.com -- Credits Without the following contributions this zine issue would be fairly delayed or not released, so thank you to the following people: Magma, Phlux, The Clone, The P0pe -- Shouts: Hack Canada (#HackCanada), Canadian Phreakers Union (#cpu), The Grasshopper Unit, Flippersmack, Pyrofreak, soapie (*muah*), Melanie, Kybo_ren, Flopik, Pinguino, and lastly to everyone and anyone who contributes to the Canadian H/P scene. ;. .;.. ; ;. ;.. ;.. .;..; .;.; .;; ;.. .;..;. .;..; .;.;...; ;..;.. .;. A .;. .;. ;.. N E T T W E R K E D ;.. ;..;.. P R O D U C T ;..;.. .;..; ;..;.. ; .;..;.;.. .; . .;. ..;.. .;.. . .; ..;..;..;.. .; ;..;. .;.. . .;.. .;.;. ..;. ..;.. .;. ;.;..;;..;.; ;.;;..;.. ;.;.; .; . ;.;..;. .;. ;.;:.;. ,;....;. .;.;. .;.; .;.;.; .;.; ;..;. .;.;;.; .;. ..; ;. > > > > > > I LIKE ALL SORTS OF ASTRONOMY...