k-25-(12)-02 .,..,...,.,.,.,................,.,.,.....,..........,...,.,.,.,.............,. i ______ .______ I I _ __ _ \___ \ | ___/ i i___ / |/ / __ /7 /7 __ _ /7 __ _/7 7 __ ___ / ___/_ |___ \ __i I__ / || /,'o/ /_7 /_7/7/7/7,'o/ //7 //_7,'o/,'o/ _ (c' __ / \ / \ _I i /_/|_/ \_< // // \_^_/ \_< // //\\ \_< \_/ /__) \_____ \/____ / i i \/.,:th\/. i i ,;t; .,ijfLLLfti.i i ,jf' ,jLGGGGGGGGGG; i . LL :tLGGGGGGGGGGGGG i .ij' tL' :jLGGGGGGGGGGGGGG i '` .;tftP ;E' :jGGGGGGGGGGGGGGGG i .;:, ,;c ,Li af' fP .LL jGGGGGGGGGGGGGGGGG i :fS"fi ,iLi tf" kP ;f fP ,El;, .iLGGGGGGGGGGGGGGGDD i SGk ,pitp ,iL,y' jf iP ,A ,;AL,LE"' ` tLGGGGGGGGGGGGGGGGEE i fSDk:, ,P"'iG tEe;' jC, ,iEf^tGf"'` iLGGGGGGGGGGGGGGGDEf: i "fSG: dL ,G; Ei ,t^Gic"' ..,,. ,LGGGGGGGGGGGGGGGDEL.: i fSj.M:it" `ift:' .,::iitjfGGGGDL. ,fGGGGGGGGGGGGGGGDD,..; i i; .;j; DP' .,:;;tjffjttfGGGGGGEG.. ;fGGGGGGGGGGGGGGGDD,.. i i `tS;i' G; .,;ttj;;::. :jGGGGGGGDD,. ;LGGGGGGGGGGGGGGDEL... i i iG .,;tt;:. .ifGGGGGGGDEi.. ,fGGGGGGGGGGGGGGDD;.. i i :Pt:,;ii,.. ;fGGGGGGGGGEL.. ,fGGGGGGGGGGGGGDEf:.. i i .;i,i;:. .;jLGGGGGGGGGDE:.. ifGGGGGGGGGGGGGDDt.. i i ::,.: .iLGGGGGGGGGGGDE;.. iLGGGGGGGGGGGGDDi... i i ... :ifGGGGGGGGGGGGDEL.. iLGGGGGGGGGGGDEL,.. i i . .,tLGGGGGGGGGGGGGGEj.. ,tGGGGGGGGGGGDEf:.. i i ;jLGGGGGGGGGGGGGGGDE... ,fGGGGGGGGGGDED;... i i ,ifGGGGGGGGGGGGGGGGGDE;.. .iLGGGGGGGGGDEf,.. i i ,tLGGGGGGGGDGGGGGGGGGGEL.. ,tLGGGGGGGGDEGi... i i :ifGGGGGGGGDEjiiGGGGGGGGDG:. :tLGGGGGGGDDEj,.. i i .ifGGGGGGGGGDEi..:fGGGGGGDEi..:;fGGGGGGGGDDL,... I i :jLGGGGGGGGGGDE;.. iGGGGGGGDG :tLGGGGGGGDELi.... i i .iLGGGGGGGGGGGDEi.. :fGGGGGGDE;:jGGGGGGGDDj;... i i .ifGGGGGGGGGGGGDD:.. :jGGGGGGGDL iLGGGGGGGGEt,.. i i:jGGGGGGGGGGGGGDD;.. .tLGGGGGGDE;:fGGGGGGGGGDEEi... i fjGGGGGGGGGGGGGDE,.. iLGGGGGGGEG..iGGGGGGGGGGGDKf... I DGGGGGGGGGGGGGDD;.. iLGGGGGGGDE;. .iGGGGGGGGGGGDE;.. i EGGGGGGGGGGGGEG:.. .;LGGGGGGGGEi.. :LGGGGGGGGGGGKj... i EGGGGGGGGGGDEj... .tLGGGGGGGGDD:. .fGGGGGGGGGGGKf... i GGGGGGGDDDDj;.. .tLGGGGGGGGGEt.. :fGGGGGGGGGGGKf.. i i.;jjfjji,... :jGGGGGGGGGGDD:.. ,LGGGGGGGGGGDK;.. i i .... ifGGGGGGGGGGDEj.. .tGGGGGGGGGGGDK,.. i i ,jGGGGGGGGGGGGDE.. iLGGGGGGGGGGGDE:.. i i .;LGGGGGGGGGGGGDEj.. .fGGGGGGGGGGGGDE... i i ,fGGGGGGGGGGGGGGDG:. ,LGGGGGGGGGGGGDE.. ,## @@ i i ;fGGGGGGGGGGGGGGDE;.. iLGGGGGGGGGGGGDE.. ## yy kggg, ,nnn, i i :iLGGGGGGGGGGGGGGGEf.. tGGGGGGGGGGGGGDE.. ### #M ## MN NG #ggg# i i :jLGGGGGGGGGGGGGGGDD:.. iGGGGGGGGGGGGGDE.. ## G# #N #N #t i i :jGGGGGGGGGGGGGGGGDE;.. ,LGGGGGGGGGGGGGE;. .G#, MM NG NG 'E##t, i i jGGGGGGGGGGGGGGGGDDj.. :LGGGGGGGGGGGGGDG,. i i ;LGGGGGGGGGGGGGGGDE;.. jGGGGGGGGGGGGGGDG. i i iGGGGGGGGGGGGGGGDEi.. ,LGGGGGGGGGGGGGGGL, i i ;GGGGGGGGGGGGGDED;.. ,GGGGGGGGGGGGGGGGGLLL i i .LGGGGGGGGGGGDDt:.. ;GGGGGGGGGGGGGGGGDEG.. i i .tGGDDDDDEDLi... .iLGGGGGGGGGDDDEfi.. i i ,;tjtti;:... .;tfLLLLLfjti:... i i .... i i i i - K-1ine - 25 -- March 2002 ---- - Still Pimpin ASCII! -- i i i #,::,:::,:::,;,;,;,::::;:;:::::,;,;,:::::,;::;:::::;,:::,;,;,;,::::::::::,::,# ":;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;:cyb0rg/asm:;;:" ":;;;;;;;;;:;;;;;;;;;;;:;;;;;;;;;;;;;;;:;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;:" `''''''''"'''''''''''""'''''''''''''""""'"''"'''''''''''''''''"'''"' _____________________________________________________________________________ » .- Words from the Editor -. « | *: [-] Introduction .......................................... The Clone :* *: (-) Contact Information ................................... The Clone :* *: (-) Advertisment .......................................... HackerSalvage:* *: (-) Link of the Month ..................................... The Clone :* *: (-) K-1ine Mirrors ........................................ The Clone :* ____________________________________________________________________________ » .- Documents -. « | *: (x) 'Public TTY Installation Testing and Troubleshooting'.. The Clone :* *: (x) 'Telus Call Management Assistant Exploitation' ........ The Clone :* *: (x) 'Basic Electronic Theory' ............................. plappy :* *: (x) 'Cell Phone Spam - (A Wireless "Fuck You")' ........... Axion :* *: (x) 'An Update to DSN's (Defense Switched Networks)' ...... Treephrog902 :* *: (x) '"Canadian Government IP List"' ....................... H410g3n :* *: (x) 'BellSouth Government Emergency Telecommunications'.... Phlux :* *: (x) 'CODES.SS7' ........................................... Phlux :* *: (x) 'Beige Boxing Common Sense 101' ....................... Captin B :* *: (x) 'Hacking Voicemail Boxes' ............................. ic0n :* *: (x) 'HAPPY 25TH ISSUE - K1INE ROX MY SOX. (Skan)'.......... Magma :* *: (x) 'Toll-Free 800-219-12XX to 800-219-14XX Hand Scan'..... The Clone :* _____________________________________________________________________________ » .- Conclusion -. « | *: [-] Credits ............................................... The Clone :* *: [-] Shouts ................................................ The Clone :* _____________________________________________________________________________ Introduction - Welcome to the latest issue of K-1ine zine... Still Pimpin ASCII!, volume 12. I can't believe it, but it's true; we're already at issue #25! From its humble beginnings in June of 1999, K-1ine started out as a compilation of the latest H/P writings/hand scans from within Canada. A few people in Alberta and British Columbia (including myself) would submit articles, and every now and then I would compile these files into an online zine I called "K-1ine". Since August 2000, K-1ine 'zine has become a monthly release... with an assortment of writers from across Canada, and a few American and International contributors. With the web-mirrors, web-links, and word of mouth, K-1ine has become (by far) one of the largest underground zine in Canada. Thanks again for all the file contribution throughout the years to help keep this e-zine alive! On a side note, I've decided to change the slogan of K-1ine from "A 'zine for the 780 undergrØund scene." to "A 'zine for the Canadian underground scene.". Also, I've changed the slogan of my site from "Nettwerked; A web-site for the 780 undergrØund scene." to "Nettwerked; A web-site for the Canadian undergrØund scene." More suitable slogan... wouldn't you agree? :) --> Contact Information; Comments/Questions/Submissions: theclone@hackcanada.com Check out my site: (Nettwerked) http://www.nettwerked.net --> -- Advertisment -- +++ WWW.HACKERSALVAGE.COM +++ HackerSalvage.com is a non-profit website dedicated to keeping old hardware in circulation. Many of us have piles of it sitting around but can't just toss it out. Here you can post computer items for sale or post a want ad for items you are looking for. A perfect place to get rid of perfectly good junk.... and get some new stuff to rebuild the pile. +++ +++ -- --=[ LINK OF THE MONTH ]=-- Every month I post one really great "link of the month" on every issue of K-1ine magazine. The link can be anything in the technology industry, music scene, rave scene, punk scene, or even a good article you read on a news site. I'll be taking submissions via e-mail or IRC right away; so get your links in and maybe you'll see it in the next issue of K-1ine! For the month of March, the link of the month is: http://www.blinkenlights.de Chaos Computer Club has made a special present to itself and the city of Berlin. [submitted by: The Clone] -- K-1ine Mirrors: http://www.mirrors.wiretapped.net/security/info/textfiles/k1ine/ (Now mirrored in two places, one in Belgium and another in Sydney) "Wiretapped.net is an archive of open source software, informational textfiles and radio/conference broadcasts covering the areas of network and information security, network operations, host integrity, cryptography and privacy, among others. We believe we are now the largest archive of this type of software & information, hosting in excess of 20 gigabytes of information mirrored from around the world." http://jdm.hostingextreme.com/files/k1ine/ Tekk250's mirroring of the K-1ine issues --> Public TTY Installation Testing, and Troubleshooting Guide Tuesday, February 19, 2002 typed by: The Clone found by: MSM and son4r - For use on Millennium Payphones Manufacturer: Ultratec, Inc. The Public TTY consists of: * Drawer Assembly * Interface Cable * Interface Board * Power Transformer * Shell - Installation Step 1 - REMOVE THE DRAWER 1. Use the included wrench to remove the six outside security screws from the bottom of the shell. 2. Slide the drawer assembly halfway out. 3. Disconnect the drawer assembly cable from the interface board by squeezing the tabs on the white plastic connector and pulling the connector out. - Installation Step 2 - MOUNT THE SHELL If shell is not pre-drilled, drill and countersink at least 4 mounting holes in the top of the shell. Use #10 or ¼" slotted flathead screws. Screws must be flush with the inside of the shell or they will impede the drawer's motion. Attach the shell. - Installation Step 3 - CONNECT THE TRANSFORMER CABLES Model M240FS Notes CAUTION: Be sure to put the transformer in an enclosed, sheltered location. Remove the wiring cover next to the interface board inside the shell before attempting to connect the power transformer cables. Replace the cover when all wires are connected. Adding wire to the transformer: These gauges must be used to add extra wire to the transformer secondary Add. Feet Wire Gauge 12 22 19 20 30 18 48 16 77 14 123 12 Verify wire connections are electrically sealed and meet appropriate safety standards for your area. General Connection Instructions: 1. Be sure the transformer is unplugged. Route the cable from the power transformer through the hole in the back of the shell, through the cable Tywrap, and up to the POWER terminal block on the interface board. 2. Attach the transformer wire with the red lug to the +12V position. 3. Attach the wire with the black lug to the position marked GND. 4. Install a separate ground wire by attaching one end to the telephone's ground post, routing the ground wire through the Tywrap cable and the back of the shell, and attaching the other end to the position marked _+_ 5. In a noisy environment, the TTY can mute the handset to prevent background noise from disrupting the text conversation. Handset muting shorts the handset microphone contacts during TTY conver- sation. To mute the handset, connect a blue wire and a brown wire to the J2 (HANDSET) terminals. Polarity is not important. Connect the wires to the payphone terminal that controls the handset microphone. - Installation Step 4 - CONNECT THE TELEPHONE LINE Route the telephone line through the hole in the shell and the cable Tywrap and up to the J3 (LINE) terminal block on the inter- face board. Connect the more positive lead of the pair to R(+) Connect the other lead to T(-). Tighten the Tywrap. Interface Board: J3 (LINE) J2 (HANDSET) _+_ GND +12V R(+) T(-) --- --- -- -- -- -- -- || || || || || || || J1 || || || || || || || (POWER) -- -- -- -- -- -- -- red green blue brown green black red + - - + Ring Tip Handset Earth Power Phone Line Microphone Ground Supply Mute - Installation Step 5 - INSTALL THE DRAWER ASSEMBLY 1. Slide the drawer assembly halfway into the shell. 2. Reconnect the drawer assembly cable to the interface board. The connector is keyed to plug into the socket only one way. 3. Slide the drawer assembly all the way in until the bottom front edge of the drawer assembly is aligned with the shell. Be careful not to pinch any cables between the back plate, the interface board, and the internal drawer components. Be sure that the switch wire loop is bent toward the center of the drawer. 4. Use the six security screws to attach the drawer to the shell. 5. Mount the handset cradle close enough for easy access by the user. Be sure the handset card does not block typing. 6. Install one of the enclosed user instruction labels on the front of the drawer and the other one at eye level on the enclosure. - Installation Step 6 - TESTING AND TROUBLESHOOTING 1. Plug the power transformer into a standard ground 3- position 110 VAC electrical outlet. Caution: The drawer will open automatically when you plug in the transformer. 2. Place a regular payphone call. The Public TTY should not interfere with use of the phone. 3. Put the payphone handset in the handset cradle and press *8* twice within 7 seconds. The TTY drawer should open fully and you should see a statistics menu prompt on the display. Hang up the handset. The TTY drawer should automatically close within a few seconds. If the drawer fails to close: unplug the transformer and reverse the Tip and Ring connection. The voltage potential between Tip and Ring must be greater than 30 VDC. If the drawer does not close when you plug in the transformer again, call Ultratec at: 1-800-482-2424. 4. Repeat Step 3, except that when the TTY drawer begins to close, pick up the handset again and quickly press the spacebar. The TTY drawer should open again. Hang up the handset and allow the drawer to close. 5. Important safety check: Repeat Step 3 again, except that as the TTY drawer begins to close, place an object such as a screwdriver handle between the TTY drawer and the shell. The TTY drawer should reopen when it hits the obstruction. If the TTY drawer fails to reopen, it must be returned to Ultratec. 6. Pick up the payphone handset and press the * key on the payphone 3 times. Listen to the handset. A recorded voice should repeat the phrase, "TTY call, please use text tele- phone," until the drawer opens or you press any key on the payphone keypad. Note: Because some payphones may not pass DTMF until you make a connection, you may need to make an actual call to test the announcer. You can call any voice number. 7. Call another TTY and use the keyboard to type a message. If you do not have a local TTY number, call Ultratec at: 1-800-482-2424 and ask for a Public TTY test. If you are not familiar with TTY calling, call customer service at Ultratec and ask for assistance. - -- 'Telus Call Management Assistant Exploitation' BY: The Clone DATE: March 13, 2002 URL: www.nettwerked.net EMAIL: theclone@hackcanada.com Disclaimer: This document was written for information and entertainment purposes only. If you choose to mess with other people's Telus accounts, you have to deal with the consequences, not me. - Introduction: Telus has recently come out with a neat service for its Alberta and British Columbia customers (residential and business) called "Anonymous Caller ID". Through a special activation number, the subscriber has the ability to create a numerical password which allows them to access the Telus Call Management Assistant system. From there, the subscriber can add "special" ring features to their line, so that only certain phone numbers that have been manually added by the subscriber will give that ring when they call their line. They also have the ability to modify the "Private" number Priority Caller Authorization List, create a PIN Authorization Code to give to Priority Callers, Send Anonymous calls to Voice Mail, and Turn the Telus Call Management service OFF or ON. However there exists a rather intriguing exploitable authentication vulnerability with the Telus Call Management Assistant system. This paper will delve a little bit into how the Anonymous Caller ID system works, a simple navigation guide, and of course the authentication vulnerability and a couple ways one can exploit it. For a detailed paper on another (and similar) exploitable Telus self-serve system, check out this file I wrote on June 30, 1999: http://www.hackcanada.com/canadian/phreaking/self_serve.txt - How It Works... Dial 310-TOUCH (8682) toll-free using a touch-tone phone. For your "protection" your first call must be from the line on which Anonymous Caller ID has been installed. The first time you access this service you will hear: "Welcome to the TELUS Call Management Assistant. To set up your services, please create a password that is between 6 and 10 digits in length." Now what you need to do is enter your new password, then press #. Press * to exit. Once you have created your password, you will be able to dial the Call Management Assistant from *any* touch-tone phone in any location. If you are a phreak calling from outside Alberta, go ahead and dial 1-403-263-6981 (for Southern Alberta) or 1-780-428-6824 (for Northern Alberta). If you're outside British Columbia, you'll need to dial 1-604-520-3212. -- Simple Navigation Guide... * Setting up your "Private" # Priority Caller Authorization List * This allows you to create a list of priority callers with "Private" numbers whose calls will bypass the service and ring directly through to your phone. Unfortunately International long distance numbers cannot be added to the Priority Caller List. Dial 310-TOUCH (8682) toll-free from anywhere in BC or Alberta. Enter your password, then press #. At the Main Menu, listen to the voice prompt and press 4 for Anonymous Caller ID. Press 3 to Create, Play Back, Edit or Delete your Priority Caller Authorization List. To create a list: Enter the phone number you would like to add to the list, exactly as you would dial it, followed by #. For Long Distance callers: Area code + 7 digits. Repeat the above process to continue adding numbers. Press # when your list is complete. * To Play Back the list press 1. * To Edit the list press 2. * To Delete the entire list press 3. * To confirm deletion, press #. * Press * to EXIT the system when you are finished. Note: If you hear the password prompt, press * if you want to enter a phone number other than the phone you are using. For cellular callers who are prompted to "Press 1 to unblock" their number, you will be able to enter their number into your Priority Caller Authorization List. * Creating a PIN Authorization Code to give to Priority Callers * This PIN Authorization Code allows designated callers to bypass the service. Give it to overseas callers, friends and family members... any callers with "Unknown" numbers whose calls you always want to receive. Dial 310-TOUCH (8682) toll-free from anywhere in BC or Alberta. Enter your password, then press #. At the Main Menu, listen to the voice prompt and press 4 for Anonymous Caller ID. Press 9 to set up your Anonymous Caller ID PIN Authorization Code which must be between 3 and 10 digits long. * Callers using your PIN Authorization Code * Once they hear the Anonymous Caller ID announcement, have them proceed as follows: 'Private' callers: Press the '#' key; enter your PIN code, Press the '#' key again. 'Unknown' callers: Enter the PIN code immediately, then press the '#' key. The call will then proceed displaying on your set as "Authorized Call". * Use SMART Ring with Anonymous Caller ID * SMART Ring subscribers can choose the option of having calls to their SMART Ring number bypass the Anonymous Caller ID service. This works will fo those who receive faxes or international calls on their SMART Ring number. Dial 310-TOUCH (8682) toll-free from anywhere in BC or Alberta. Enter your password, then press #. At the Main Menu, listen to the voice prompts and press 9 for Additional Options. Press 6 to change your SMART Ring options. Press 4 for Anonymous Caller ID and SMART Ring. Follow the spoken instructions. * Send Anonymous calls to Voice Mail * Voice Mail subscribers have the option of sending anonymous calls to Voice Mail. To turn your Anonymous Caller ID Voice Mail option ON or OFF: Dial 310-TOUCH (8682) toll-free from anywhere in BC or Alberta. Enter your password, then press #. At the Main Menu, listen to the voice prompts and press 9 for Additional Options. Press 5 to change your Voice Mail option. Follow the spoken instructions. * Turn the service OFF or ON * Dial 310-TOUCH (8682) toll-free from anywhere in BC or Alberta. (If you are calling from outside BC or Alberta, dial 1-604-520-3212, 1-403-263-6981, or 1-780-428-6824.) Enter your password, then press #. At the Main Menu, listen to the voice prompt and press 4 for Anonymous Caller ID. Press 1 to turn Anonymous Caller ID ON. Press 2 to turn Anonymous Caller ID OFF. Press * to EXIT the system when you are finished. Here's a helpful Graphical Flow Chart: http://www.nettwerked.net/telus/flow_chart.pdf - The Exploit... Because the Anonymous Caller ID activation system (310-TOUCH) only requires your caller id information for authentication, one would only need to be located at the residents line in order to call it up and set their own 6-10 digit password. You need to either be using the subscribers phone, or better yet "beige boxing" the subscribers line, to be able to pull off the actual activation. After you have successfully activated your account by setting the password, you can then access the system from anywhere in Canada (see: "How It Works"). If you wanted to be a little bit adventurous, you could simply use the methods spoken about in a file I wrote called 'The Mobile Phone ANI-Diversion Technique' which is available at: http://www.hackcanada.com/canadian/phreaking/cell-ani-diversion.txt In this case you would need have a cellular phone with a local carrier - Telus, Rogers AT&T, or FIDO will do - and then you call up a toll-free operator at Telus. Social Engineer the operator by saying something like: "Yes, hello there. I have just subscribed to the Telus Anonymous Caller ID package, but my telephone is not working. When I try to access the 310-TOUCH number from anywhere but my line, I get an error message. I guess I need to be calling it from my line to activate it properly. Would you be a dear and transfer me through to 310-TOUCH, and pass my caller ID information to it so it knows who I am? My name is [say subscribers name]. Thanks." Now this trick isn't 100% fool proof, and may require the account number belonging to the subscribers. But sometimes, you'll be lucky enough to get an operator who will do what you say and transfer your call and the subscribers ANI info to 310-TOUCH. Remember to be creative, and don't blow it. If you make the operator suspicious, he or she will think you're trying to trick them, and immediately assume you're not who you say you are. If this happens, you should pretty much give up because the operator may write a report and display it on the account - so that when the next operator brings it up, they'll see it and clue into what you're up to. That's bad... that's indictable too. :-( - Conclusion... I hope this opened up the window of opportunity for you to have fun with individuals or corporations you hate. =] - -- Basic Electronic Theory 03/15/02 written by: plappy This file is mean to teach you, the reader, the basic concepts behind the electronic devices that we use in our every day lives. By the time you are done this file, you will understand the rudiments of many different technologies and how to apply your new found knowledge to unknown situations and problems. Why This Approach? You will notice that I take a very mathematical approach to most problems. The reason is NOT because I am good at math, or that I like it but because of the fact that if you TRULY understand something, it means that you can apply your knowledge to new problems with great accuracy. Take for example the engineers from NASA that worked on the moon missions. I would say they knew thier stuff because they were able to calculate with GREAT precision all of the chemical, physical and electrical needs that it took to get men on the moon. In contrast, I would say that someone like free energy and perpetual motion entusiasts do NOT know the forces at large. They cannot calculate things with any precision at all whatsoever and generally have very poor lab work. Unfortunately, we see all to many times in modern life where people CLAIM to have an understanding of something when really all they have is a passing knowledge of a subject. You will NOT be in this category once you are done this document. :) Electrons The key word in electronics is electron. Electrons are one of the basic building blocks of all matter (the classic atom, contaning protons, neutrons and electrons). Electrons have very low mass compared to the other elementary particles and free electrons can be created in various ways such as chemical reactions, light reactions, mechanical motion or moving magnetic fields. Power and Energy Let us take a look at some common examples of power and energy. Mechanical energy can exist as either kinetic or potential energy. Kinetic refers to the fact that the energy is already in the form of motion. Potential refers to the fact that we can CREATE motion with the stored energy. This is not all that different from the concepts in electronics. You can have a power supply that is capable of delivering a certain amount of power to a load and you also have the actual act of delivering power to the load in which power is being used. The reason why I make these analogies is because many people make the mistake that mechanical power and electrical power are not the same, however, they really are the same thing, but simply in a different form. Lets take for example (no, no such thing exists!) a 100 percent efficient generator that is hooked to a 100 percent efficient electrical motor. If we put in 100 watts into the motor, 100 watts WILL come out of the generator. How do we know this? We look at the setup as a self contained system. If there is zero power loss in the system, then what goes in must come out! (if you disagree with me here, feel free to tell me where the extra power went and what form its in and give me a rough calculation as to how much.) If we take this same setup and put a gearbox on the motor that is also 100 percent efficient and increases the speed of the motor to twice what it was and we hook that generator on there, guess what!!! We have twice as much power right? Not bloody likely. If you increase the speed twice, you have just reduced the tourque of that motor by half. Power output is still equal to power input. What can we deduce from these lessons? First and formost I would like to point out that there was no magical things done here. We had solid numbers that we could use to derive solid answers. Second, we learned the basics of what power is. We now know that power is not just electricity or motion. It is the ability to do work and that ability can exist in many forms. Chemical energy, mechanical energy and electrical energy are really all the same thing, but different ways of storing and using it. This is WHY you can't get a car that does 200 miles to the gallon, electric hybrid or otherwise. Its why you pay for power and why you keep hearing about free energy devices but never seeing any (have you seen a pheonix lately?) What ways can we measure power? We can measure electrical power in watts. We can Measure mechanical power is horsepower. We can ALSO measure electrical power in horsepower. We can measure mechanical power in watts. In fact, you will notice that it is quite common to see kilowatt ratings for gasoline or fuel oil motors nowadays. These ratings directly describe the ability of the motor to do work. Given a 100 percent efficient generator hooked to that motor, its output power in kilowatts would be the same as the rated kilowatt output power provided by the manufacturer. In fact, just for the sake of it, lets give you the hard numbers. 1 horsepower = 746 watts Now, as an excercise, the next time you go to the hardware store, take a close look at the generators that they have there. You will notice that they will NEVER state they are capable of more electrical power than they are mechanical power. In otherwords, they will never have MORE electrical power in watts than they will in horsepower (at least if thier honest.) Now, when it comes to electricity, how do we define power, or watts? We define wattage as the current times the voltage in a direct current circuit. The mechanical version is rpm times the torque. In fact, you can even find tables in engineering literature that show the values of horsepower for various torque/rpm comb- inations. For all you car buffs out there, try some examples. Look at your magazines and do some rough calculations with the numbers they give you. You will find that horse- power is indeed equal to the rpm times the torque (and no, gearing does NOT increase horsepower. It allows proper impedance matching so to speak). (end of file) -- ______________ February 2002 / __________ \=---------------------------------------------- (**) (**) Cell Phone Spam - (A Wireless "Fuck You") / ºººººººººººººººººººººººººººººººººººº / / Written by Axion / / http://axion.0catch.com / / ________________________________________________________/ **************************************************** **************************************************** ** Legal Stuff: Umm, don't listen to me, m'kay? ** ** I'm one of those silly people your priest ** ** warned you about who believes in freedom of ** ** information. I break the law sometimes, and ** ** that means I'm gonna go to hell. But you don't ** ** have to! This text file is for "informational ** ** purposes ONLY", and I can't be held responsible** ** for your actions. Okay? Breaking the law is ** ** bad, so don't break the law. Please pray for ** ** my evil sinning soul. *sips coffee* ** **************************************************** **************************************************** Ahh, spam... We've all grown to love this stuff more and more over the years. What? You hate spam?!?! ...Well, I do too. Everyone does. That's the whole point of this article. Here, I'll teach you one method of using spam to your advantage, which will no doubt cause your enemies to ph33r j00r mad §killz. Since the beginning of time (well, the world wide web, at least), spam has been probably one of the most loathed aspects of connectivity. I'm not just referring to "spam" in the advertising sense of the word, but in the "unwanted e-mail" tense. Man, do we ever hate going to our precious in-box and having to click all those little boxes every day, trying to keep up with all that shit e-mail we get. I swear to god, you sign up to have your website hosted at just one "free" server, and all of a sudden you're on 50 mailing lists. Of course, if you wanted to get revenge on someone, you could just get spammy on their ass & sign them up for tons of such spam. But so far, this has served no purpose. Sure, it's annoying having to manually delete 15 or 20 e-mails at a time, but it's no big deal. Likewise, anybody with half a brain (not actually too many people) would probably have some type of spam filter enabled on their account. (A popular option with large e-mail providers like Hotmail and Yahoo.) So you see, signing up an enemy for spam has never posed any real threat, and never caused any real damage... Until now. A few months ago, I decided to finally jump on the bandwagon and buy a shiny new GSM phone. (No, you can't have the number.) It was a brand new Mitsubishi G310, which although not the greatest shiniest new phone on the market, was capable of recieving text messages. (whoopie...) My provider was Fido, as I chose to remain anonymous and have a contract-free pre-paid mobile. ("Get to the freakin' point, Axion!") Well, when I signed up, I could also recieve brief e-mail messages on the phone. The address format on a Fido account in Canada is as follows: XXXYYY****@fido.ca The "XXX" is the area code, the "YYY" is the prefix, and "****" the suffix. Duh. Through Fido's shitty website, you can create an alias for this address for customization & anonymity purposes. (i.e. "magnumPIdork@fido.ca") Both addresses will work interchangeably. On a Fido handset, you are charged 10 cents for every e-mail or text message you recieve or send. (Here's where the fun starts.) All of a sudden, we can look at spam in an entirely new way! Rather than the simple annoyance it used to be, we can turn spam into an evil account-draining weapon!!! Simply go to a website where you can sign the victim up for multiple e-mails, and enter the address. *click!* There goes ten cents. *click!* Another ten cents. Whoop-dee-doo. Well, here's how we can make things more interresting: Go to and you'll see many wonderful discussion groups you can join. Click the first 30 of them, then go to the bottom of the page to fill in the test subject's email address. In case you were'nt following, that's (the area code & phone number)@fido.ca The reason you only click the first 30 is that debian.org have a "security" feature where you can only sign up for 30 groups at a time. (Remember this whilst getting j00r spam on. Most such pages have similar rules.) Big deal. You just cost someone $3.00. That was easy enough, right? In about two minutes, their phone will be beeping like crazy, and their account will be debitted 3 bucks. Now go to ...There you go: another $1.20 Or maybe , if your victim happens to love Ultimate Frisbee. (Who does'nt?) Well, you get the point. 1 unwanted e-mail sent to the handset = 10 cents wasted. This should also work with Rogers, Telus, ect, so long as the provider supports e-mail. The only downfall of this lame "exploit" (if you can even call it that): you need to know the person's telephone number. But on the plus side, they'll be beeping like crazy, and you're wasting their money. So there. I found a use for spam. Final Notes: I'm sure there are probably a few discussion groups out there that don't have the forethought to send out confirmation e-mails, so obviously subscribing the victim to one of these would instantly flood their phone with an unstoppable onslaught of annoying, expensive spam. If anyone finds such a discussion group, please let me know so I can compile a list. This file was created to educate, not to destroy. When I realised how succeptible most mobiles are to such an attack, I felt it neccessary to get the word out. I'm simply warning all of you not to hand out your wireless e-mail address. - Axion 02/14/02 - -- An Update to DSN's (Defense Switched Networks) by: Treephrog902 27/02/02 This will be brief, because my knowledge in this particular area is limited. However, I'm tired of the lack of 902 information in the phreak community, and I want to share my knowledge, if for no other reason than to show the rest of the Canadian phreak community that 902 doesn't need a chalk line drawn around it... yet. *grinz* All information in this text phile is for "edutainment" purposes only, and anyone stupid enough to phuck with the military gets what they deserve... One other thing; I make certain assumptions in this phile, the main one being that when the military upgrades something, then all areas (bases, outposts, command centers) get that upgrade as well. I don't think what I've seen is limited to the 2 bases that I have access to. A while back, say 3 years ago, the military did a massive overhaul of their telecommunications system. They essentially ripped the entire guts out of the thing and rebuilt it from scratch. (I'd love to know what became of the old hardware!) When they re-built, they used all the latest equipment from the civilain side of the industry. Thus, if you go into a telecom tunnel (the military puts ALL that shit underground), the equipment there is exactly the same as in any civilian apartment complex. The 2 particular bases that I visit regularly are designed almost exactly the same. Horseshoe "U" or "C" shaped buildings with all power, CATV, data and voice wiring in tunnels underneath the buildings that follow the shape of the building. The common access point is at the bottom of the horseshoe or the back of the "C". Either way, the entrance leads into a hugh boiler room, which controls heating (and only heating; portable water supply is handled much more securely) for the building. There are only 3 doors in this room; the one you just came through, leading up and outside; a large steel door off to the far right behind a HUGE ASS boiler tank, labelled "Master Telecommunications Closet" (!); and another large steel door off to your left with a VERY large sign on the door that says "WARNING: CONFINED SPACE! AUTHORIZED PERSONNEL ONLY!" Whatever. Unless you're a complete clausterphobe, you won't find the tunnels too bad. They are about 8 feet wide and 8 feet tall, but there's a gazillion wires, pipes and conduits over head, so it feels MUCH smaller. (Note: The boiler room is ALWAYS hotter than the hinges of hell, even in the middle of winter with the doors wide open, but the tunnels are actually air conditioned.) In the master telecommunications closet is the main demarcation point for the in-house wiring, and the two telco providers. This is all brand new equipment installed by the military telco guys. There is a main trunk feed coming in from the street for both outside providers, as well as a main CATV feed. This room gives you access, telephone and data wise to all the rest of the base. Continuing the nickel tour, when you enter the tunnel, you can either go left or right. Both dead-end when you run out of housing above you. There will be 3 or 4 "cages" in the inside wall at various points throughout the tunnel. These are locked with chainlink fence, a chainlink door and barb-wire accross the top 2 feet of the fence, with a metal sign attached to the door, "Telecommunications Sub-Closet XXXX", XXXX is some sort of letter/number combination. Not sure what's up with the barb-wire on the sub-closets and only a deadbolt on the master room in the boiler room, but it's the military, so phuck knows. Anyway, in the subclosets are the secondary demarcation points for telco, as well as the CATV hook-ups. Some things to note: 1) EVERYTHING is under lock and key. There's a HUGE key ring with about 20 different keys on it that we have to get every time we get an order for a phone or CATV hook-up. Only 4 or 5 of these keys are relevant to our job, but I can guess what the rest of them are for. (!) 2) Of the 50 or 60 times I have been in this area, only 4 times have there been military personel present. All 4 times I was asked for relevant ID, and some form of paperwork showing that I was supposed to be there, i.e. copy of the work order from the company I work for, saying I'm supposed to be installing a cable modem for John Doe in MOD 5, BLOCK D. or phone for Jane Doe in MOD 2, BLOCK A. 3) Of the 4 times I was stopped, none of them were while I was in the tunnel, which is fortunate for me, because before you even touch the door to the tunnel, you're supposed to be Certified in Confined Spaces work, which I am not. 4) All aspects of this phile went out the phucking window after September 11th. For a good 5 weeks after that, I was stopped at the gate, frisked, metal detectored, had my van searched, and had an escort with a LIVE M-16 for the duration of my visit. Ever seen a live M-16? It makes you move very slowly. To answer the unasked question, I was TOLD it was live WITHOUT asking. No more than 2 service vehicles were allowed into the base at any time, and if there were 2 already in there, you had to pull off to the side after the fact and wait. They have since eased up in this procedure, in that now you only have to check in at the front gate (before we used to drive right in, wave on the way by) and let them know about how long you're going to be, show them 1 piece of ID, and let them take your licence plate number. 5) I DO NOT RECOMMEND DOING ANYTHING WITH THIS INFORMATION OTHER THAN USING IT AS BEDTIME READING MATERIAL. As soon as you set foot on the base, you are no longer under the jurisdiction of the RCMP or the local cops. You are under military jurisdiction, and I've got a pretty good idea of what they'd do to someone caught phucking with their shit. Have phun, and treat the military the same way you would treat a bear in the wild; admire it from afar, and be ready to play dead at a moments notice. Tha 'Phr0g -- "Canadian Government IP List" [Contact.nfo] #URL: http://www.h410G3n.com #e-mail: h410G3n@h410G3n.com #IRC: irc.h410G3n.com / #hackcanada + irc.h410G3n.com #shoutz: Cyb0rg/ASM, theclone, wizbone, wildman -- Disclaimer: I do not assume ANY fucking responsibility for what you do. For Example: if you just so happen to lean back in your chair after using these techniques, knock your momma's DSS receiver out of your window and land it in a swimming pool full of 'leet wannabe hackLERS killing them and rupturing a fault line, sending half of California into the ocean. IT'S NOT MY FUCKING FAULT! -- Hello again, I have decided to release my list of Canadian Government IP addresses for your firewalling/scanning pleasure. If you have any additions you would like to see on this list, please email them to me. Thanks! -= Government of Canada =- 198.103.0.0/16 192.197.83.0/24 192.139.201.0/24 192.139.202.0/24 192.139.203.0/24 192.139.204.0/24 -= Canadian Department of National Defense (DND) =- 128.43.0.0/16 131.132.0.0/16 131.133.0.0/16 131.134.0.0/16 131.135.0.0/16 131.136.0.0/16 131.137.0.0/16 131.138.0.0/16 131.139.0.0/16 131.140.0.0/16 131.141.0.0/16 192.12.98.0/24 192.5.144.0/24 192.16.207.0/24 192.16.208.0/24 192.42.68.0/24 192.12.215.0/24 192.16.205.0/24 192.16.206.0/24 192.35.144.0/24 192.16.242.0/24 192.16.243.0/24 Have fun! -- h410G3n 2002.02.28 -- bs_gets.txt _____________________________________________________________________________ BellSouth Government Emergency Telecommunications Service (GETS) (ripped from BellSouth) by phlux - fraud@telust.net _____________________________________________________________________________ Mainly to bring to light some of the more overlooked aspects of the GETS, and to clear up some of the BULLSHIT confabulation. Some quick information(read other GETS txts to familiarize yourself but don't fucking let them get to your head.); NPA 710 is non-geographical, and is toll-free, Using LATA 999(Assigned to the US Government). LATA 999 has no Rate Centers. Any exchanges in 710 are administered by NCS and NOT by NANPA. NANPA.com's NPA search states 710 has an in service date of 01/01/84 This is some what misleading as GETS only became operational in '94. (See NANPA document #: PL-NANP-172) The OCN assigned to the US Government is 4758. "4758 OFFICE OF THE MANAGER, NATIONAL COMMUNICATIONS SYS GENERAL" Ear candy: http://ch2.tripod.com/710_1169.wav (234k) REM begin snip _____________________________________________________________________________ Service Description The Office of the Manager, National Communications System has been charged by the White House with providing a survivable and enduring telecommunications capability for the purposes of National Security and Emergency Preparedness (NSEP). To this end, a set of switch-based and Advanced Intelligent Network features have been developed to provide a High Probability of Completion (HPC) for critical users of the Public Switch Network. GETS is an evolving service which allows authorized government users to gain access to enhanced call completion features. _ GETS features include: GETS Dialing Plan Calling Party Number Alternate Carrier Routing High Probability of Completion (HPC) HPC Detection and SS& IAM Message Priority HPC Trunk Queuing HPC Exemptions From Network Management Controls Enhanced Alternate Carrier Routing Default Routing _ GETS Dialing Plan The 710-NCS-GETS number is defined as the AIN Dialed Number Trigger (DNT) for GETS service. A user dials 1-710-NCS-GETS to place a call. The SCP then provides routing instructions to the SSP, which causes the call to complete to one of the IXC networks, contracted for GETS Service. GETS capabilities are currently offered in the networks of AT&T, MCI and Sprint. Once the call is completed to an IXC, authentication via PIN code is required and collection of the final routing number is performed. _ Calling Party Number The CPN feature, allows the calling party number to be replaced by the GETS number (i.e., 710-627-4387) which is needed to identify the call for GETS treatment by any network or network element. - Alternate Carrier Routing The Alternate Carrier Routing feature allows the End Office to route a GETS call alternately to the three Interexchange Carriers (IXCs), identified by Carrier Identification Codes (CICs) in an ordered sequence. The carrier chosen for the call is predetermined from a customer directed selection or user specified through the use of a dialed carrier code. _ High Probability of Completion This capability is invoked when a caller originates a call and dials a number of the form 710-NXX-XXX, typically 710-NCS-GETS. This capability detects such originations and marks them as GETS-HPC calls, whether at the originating EO, or at a Local Tandem. Once the call has been marked HPC, other GETS-HPC capabilities will provide Trunk Queuing, Network Management Exemptions, etc., to attempt to give the HPC call a higher probability of completion than non-GETS traffic during times of natural disaster or local or national emergency, when network congestion is likely. _ HPC Detection and SS7 IAM Message Priority This capability sets the Calling Party's Category value of the ISUP Initial Address Message of a HPC call to the NSEP value of "1". All other POTS traffic will have an assigned value of "0". The implementation of routing POTS traffic at a "0" level will not begin until 2000. Until that time, POTS traffic will continue to carry a routing value of "1". _ HPC Trunk Queuing The HPC Trunk Queuing (HPC TQ) feature allows trunk groups that are assigned HPC TQ to queue HPC calls within a route chain. _ HPC Exemptions from Network Management Controls This feature impacts network management capabilities associated with application of trunk group controls. Trunk group controls are used to limit the access of calls to a trunk group, to control the overflow of calls from a trunk group, and to offer alternate routing chains to busy groups. Protective controls are used to control the spread of congestion in the network by restricting normal trunk access and overflow. Expansive controls allow the routing to expand beyond the normal in-chain routing during failure or overflow conditions. This feature modifies several of these controls to make HPC calls exempt from control action. _ Enhanced Alternate Carrier Routing ACR, which has already been implemented in BellSouth, only detects trunks busy at the switch. Therefore, if all of the three carrier routes are busy, the call ends and is completed to a reorder tone. With EACR, the switch will attempt to route the call based on routing parameters provided by the SCP. The expected SCP action for GETS calls is to return another routing component instructing the switch to attempt the same set of carriers again. Other actions might also include other treatment (other than reorder), such as providing an announcement or providing a set of different routes to attempt. _ Default Routing This allows GETS calls to route to an IXC network in the event no AIN response is received from the SCP. The GETS call will be routed to the presubscribed or dial-selected (10XXX) IXC if an AIN fault occurs. _ Application The objective of GETS service is to provide authorized government users with a reliable and survivable nationwide NSEP switched voice and voice band data communications service by utilizing the Public Switch Network resources. The benefits of the service has been demonstrated to work during periods of extreme network congestion associated with catastrophic events. _ Benefits GETS service provides a mechanism to facilitate telecommunication of federal officials during emergency situations. Because telecommunications services are vulnerable to disruption by natural and man-made disaster GETS service is designed and maintained to operate in a constant state of readiness to make maximum use of all telephone resources should outages occur. _ Availability Calling Party Number (CPN) and Alternate Carrier Routing (ACR) has been implemented in all AIN capable NORTEL DMS 100/200 and Lucent 5ESS switches in the BellSouth region. The other GETS features (enhanced services) are currently under development and will be implemented over the next three years. _ Restrictions The use of the GETS Service is limited to authorized state, local and federal National Security and Emergency Preparedness users. GETS access is validated through the use of a personal identification number (PIN). GETS PINs are provided through subscription with the National Communications System. _____________________________________________________________________________ END snip Be sure and keep the 'Restrictions' paragraph in mind while contemplating the world, or perhaps a GETS HPC exploit. Keep checking hackcanada.com, nettwerked.net and telust.net for your 0h day. 03/05/2002 sksk. -- CODES.SS7 # acquired by phlux for phlux for HASH www.hackcanada.com/hash.txt # Point codes are 24 bit binary codes which are needed for all signaling points using the SS7 (Signaling System 7, also known as Common Channel Signaling) network. They identify network nodes in order that the SS7 network can route calls properly. Point codes consist of 9 digits. # The first three digits represent the network, the second three the cluster, and the third three the member. Large networks start at network 254 and are decrementing. Small networks are assigned from network code 002, and point code blocks are assigned from network code 005. # Network Code/Company Name/Docs(last name, first name/initials) # 254XXXXXXXXX AT&T COMMUNICATIONS ELFERS, T J 513-629-5025 253XXXXXXXXX US SPRINT HAVENS, RON 913-624-6881 252XXXXXXXXX BELLSOUTH WASHER, STAN 205-977-2668 251XXXXXXXXX PACIFIC TELESIS BENNETT, BRUCE 510-823-2880 250XXXXXXXXX AMERITECH SERVICES FLECK, PAT 847-248-5325 249XXXXXXXXX SOUTHWESTERN BELL MCCUNE, PATRICIA L 314-235-1945 248XXXXXXXXX US WEST MEINS, C L 206-345-4699 247XXXXXXXXX NYNEX MCGARRY, TOM 212-395-6371 246XXXXXXXXX BELL ATLANTIC GALLAGHER, JO 703-974-8160 245XXXXXXXXX AT&T CANADA LONG DISTANCE SERVICES WHYTE, DAVE 416-345-2697 244XXXXXXXXX MCI ENGLEMAN, STEVE 214-918-5166 243XXXXXXXXX SOUTHERN NEW ENGLAND TELEPHONE COX, RONALD H 203-553-6162 242XXXXXXXXX ALLNET COMMUNICATION SERVICES, INC. PAULEY, STEVE E 214-437-2820 241XXXXXXXXX DEFENSE COMMUNICATIONS AGENCY BRIENZA, NICHOLAS 202-696-5764 240XXXXXXXXX GTE SERVICE CORPORATION TIEDT, LARRY M 203-965-2718 239XXXXXXXXX SPRINT LOCAL TELECOMMUNICATIONS DIVISION CHAPMAN, JOHN 423-854-8010 238XXXXXXXXX INDEPENDENT TELECOMM. NETWORK EDWARDS, W L206-493-6000 237XXXXXXXXX CABLE & WIRELESS COMMUNICATIONS, INC. STEPHEN, BUNNING L. S703-734-7151 236XXXXXXXXX AT&T CANADA LONG DISTANCE SERVICES WHYTE, DAVE 416-345-2697 235XXXXXXXXX CONTEL (GTE WIRELESS) AMUNDSON, H. 404-551-4900 234XXXXXXXXX ALLTEL KOHUT, JOHN B 216-650-7676 233XXXXXXXXX FRONTIER COMMUNICATIONS INT'L, INC. MURRAY, T J 716-777-7112 232XXXXXXXXX CENTURY TELEPHONE ENTERPRISES NUTTALL, GARY P 318-388-9615 231XXXXXXXXX AT&T (VSN) BRECKINRIDGE, CAROLE J 908-234-4160 230XXXXXXXXX SPRINT LOCAL TELECOMMUNICATIONS DIVISION CHAPMAN, JOHN 423-854-8010 229XXXXXXXXX TEST CODE (T1S1) WU, ALEX 908-949-7783 228XXXXXXXXX PACIFIC TELECOM KARNOPP, D 206-696-0983 227XXXXXXXXX NORTH AMERICAN CELLULAR NETWORK MEINES, CHARLENE 206-828-1232 226XXXXXXXXX CANTEL GOTTLIEB, A 416-440-1400 225XXXXXXXXX LINCOLN TELEPHONE COMPANY KOHLES, ROGER 402-476-5796 224XXXXXXXXX CINCINNATI BELL TELEPHONE PITMAN, DARRELL 513-397-6380 223XXXXXXXXX TDS TELECOM BATRA/VAN BARNETT, VINOD 608-845-4442 222XXXXXXXXX INS/MEANS/SDN CLEVENGER, JOHN 515-830-0497 221XXXXXXXXX CTIA ZWEIFACH, STEVE 202-785-0081 220XXXXXXXXX SOUTHWESTERN BELL MOBILE SYSTEMS CORCORAN, KEN 214-733-2015 219XXXXXXXXX NEXTEL DOLAT, BRUCE 703-762-7408 218XXXXXXXXX CITIZENS TELECOM DRAKE, MITCH 214-365-3302 217XXXXXXXXX ICG NETWORK SERVICES KLEIN, JOE 303-575-6203 216XXXXXXXXX MCIMETRO JOERGER, JAMES 214-918-5137 215XXXXXXXXX AT&T DUCHESNE, JR. EDMUND, 908-771-8562 214XXXXXXXXX SPRINT SPECTRUM L.P. ACKROYD, MICHAEL 816-559-5072 213XXXXXXXXX MOBILITY CANADA SO, RAYMOND 416-798-5035 212XXXXXXXXX TELEGLOBE USA GURZICK, JOHN W 703-610-6312 211XXXXXXXXX OMNIPOINT COMMUNICATIONS, INC. GERVELIS, CURT 201-257-2419 210XXXXXXXXX NEXTWAVE TELECOM LOUIS, PAXTON J 914-686-1644 209XXXXXXXXX BELLSOUTH ENTERPRISES JOHNS, ALAN 404-249-0334 208XXXXXXXXX GST TELECOM MANN, KENITH 360-891-6317 207XXXXXXXXX LEVEL 3 COMMUNICATIONS RANDALL, JACQUELINE 303-635-9603 206XXXXXXXXX PAC WEST TELECOMM, INC. PUENTES, FIL 209-926-3201 205XXXXXXXXX NEXTLINK COMMUNICATIONS INC. HARVEY, MICHAEL 972-578-6479 # eh more to come. fuckin email me the codes you bunch of fuckin whiteys. fraud@verizonmail.com props to the ops March 8, 2002 -- ______________________________ *Beige Boxing Common Sense 101 * *By: Captin B * *______________________________* This actually Isn't so much a phile as it is a few basic ground rules of common sense and whatnot. It should be common sense to anyone. But, for the newbie phreak, it may not. So here we go: Well, certainly don't beige box in broad daylight at some busy intersection, right? The early morning (overnight) hours are best. (Especially very early Monday morning in the wee hours of the AM). The worst nights can be Friday and Saturday night. (The most drunks, criminals, and other trouble making types are on the streets.) At least, this is what seems to apply for inner-city America. Try to find as low-profile a location as you can. (Which can be difficult at best in inner-city America). And, when it comes to SAIs, (Telco cans) most seem to be padlocked in the big cities. At this point, you have 3 options... Pick the lock, (It would help if you own a lock pick, and are fairly adept at lockpicking.) use bolt cutters to cut the lock off, or simply find a telco can that Isn't padlocked somewhere. Of those 3 options, I think the last is the best way to go. Because, no matter what, lockpicking can take some time. The longer you're hanging around on the scene, the riskier it gets. (Especially in inner-city America, where your average telco can is at the corner of "Major St." and "Very Big Ave".) If you cut the lock off with bolt cutters, Ma Bell will know you've been screwing around with the equipment. The idea is to leave no trace that you've ever even been inside the Telco can. Also, most bolt cutters are FAR too big and bulky to be lugging around on the streets. It's not like bolt cutters can be easily concealed in your jacket, or something. Better to just look for a telco can that's unpadlocked somewhere. And, even if you find one, you'll need a 7/16 socket (ratchet) bit and a 1/4 socket driver to open one. These can be bought from Home Depot, and other hardware stores. I think you may be able to use a 7/16 nutdriver as well, but haven't had the chance to try opening one with that yet. Actually, it can be better to locate some out of the way TNI box somewhere. Because TNI boxes are on the side of buildings, it can be easier to find TNI boxes in low profile locations than Telco cans. By the way, Telco cans are also sometimes refered to as Service Area Interface boxes. Or, SAI. Icon already explained how to open a TNI box on the customer access side, I'll explain how to open it on the "Telco access only" side. Once again, you'll need a 1/4 ratchet (socket) driver, and a deep 3/8 ratchet bit. (Or, a 3/8 nutdriver). The Telco access side is the right side of the box, in case you didn't know. You'll find the 3/8 nut on the far right side of the right side half, roughly half-way between the top and bottom of the TNI. Simply use the ratchet (w/ deep 3/8 socket bit) or 3/8 nutdriver, and turn counter- clockwise, just like with any screw (Duh). After being loosened enough, the whole right and left sides open together as one big door. On the right (Telco access) side, you can only beige box via alligator clips. Usually with TNI boxes, there are 4 screws. Connect the alligator clips to 2 of the screws vertical-wise. If the customer has one line service, the incoming overhead (or underground) cable will termitate to one of the 2 columns of these 4 screws. If 2 line service, there will be wires connected from the phone company wiring to all 4 screws. In which case, you can connect the 'gator clips to either vertical column. Just make sure to keep the polarity correct of the wires from your beige box. Reminder: Red=Ring (Negative) Green=Tip (Positive). I forget off hand which is which as far as the phone company's wiring. But, I know one pair is orange, the other orange with a white stripe. And the other pair blue and blue with a white stripe. Just observe how they're connected to the left side of the TNI via the red and green wires running from the 4 screws to know the polarity. Unlike the customer access (left side) of the TNI box, there's no way to disconnect the inside customer wiring from the phone network at the interface (TNI) on the right side (Telco access) of the TNI box as compared to the left (Customer access). With TNI boxes, just like Telco cans, make sure to close everything up properly, and not leave anything behind when leaving the scene. Final notes: Wearing dark colored clothes will make it harder for you to be seen at night. Also, if you have a portable police scanner tuned to your local police district, you'll get a fair "heads-up" warning in advance. Having someone serve as lookout helps too, of course. Sure beats doing it all by your lonesome. Above all, make sure to be quiet! You certainly don't won't any unwanted attention. Other than what I've already stated, make sure to apply as much of your own caution and common sense as you can. Have phun, and above all, be careful. -- ___________________________________ | Hacking Voicemail Boxes | | by: ic0n | | email: ic0n@phreaker.net | | aim: ic0n420 | |__________________________________| Intro: Okay I'm redoing this text file for a few reasons. But that does'nt matter anyways a voicemail box is good for a few reasons I'm not going to get into that I'm pretty sure you can figure that out yourself. Finding a system: There are so many voicemail systems today it's not even funny. The best way to find a system or a direct dial box is to find them by scanning toll free numbers. About half of the systems will tell you that it's a voicemail system by saying 'welcome to the blank voicemail system' or they will ask for an ext. number. Make sure you note everything you find while scanning you may find something really cool and not even know about it. After you finish you scan go back and find out what vms (voicemail systems) you have found The best way to see if there systems is after you dial up hit * (star) or # (pount) and if they are a vms they may give you a login prompt. Here's a list on how to login prompt to all the diffrent vms that i know about: Audix: *8 Octel/Aspen: # sometimes * # Meridian: *81 Message Center: * Phone Mail: none it just ask for your pass code Partner Mail: *8 On some direct voicemail boxes: 0 Most Common On Direct Dial boxes: # (pount) or * (star) Defult Pass codes: On 2 digit systems 9999,1234 On 3 digit systems 1234,9999,box number,999,123,000,111,222,333,444,555,666,777,888, On 4 digit systems 1234,9999,box number,box number backwards,0000,1111,2222,3333,4444,5555,6666,7777, and 8888 On 7 digit boxes 1234,9999,1234567,9999999,box number, last 4 digits of box number,0000 On 10 digit boxes 1234,9999,9999999999,0123456789,1234567890,box number,0000 Admin Boxes: Admin boxes are the coolest thing ever since sliced bread. It's pretty much the box that runs the whole system. On some systems you can create and delete boxes and login to a box without even knowing the code. I also was told on some systems that there is no admin box like these systems (Audix and Merdian). Other then them two systems i have found and hacked or talked to some fellow who hacked a admin box on all the other type of systems. One more thing Never ever change the code on these boxes. Some Defult Places For Admin Boxes: 1000,9999,9000,1111,1234,5000 Hacking 2 digit Boxes: Systems that I've seen that used this layout: (Partner Mail) Now as you might have guessed this system is so easy to hack a box on. The 1st few boxes I tell you to try will almost get you at lease one box. 99 if that box does not work try 10 and 00. If for some reason these boxes where not valid try 20,30,40 and so on and 05,15,25 and so on with this done you have a good layout on the system. and try the basic defult pass codes and you should have at lease one box. Hacking 3 Digit Boxes: Systems that I've seen that used this layout: (audix,octel,aspen,cheap companys) Most Older and cheaper Systems have this type of layout and really is quite easy to find more boxes than on than any other system. The First few boxes I try are x00,999,888,777 and so on. Chances are very good to find more than 5 boxes this way but only 1 or 2 maybe hackable or that are no longer in use with the user. Hacking 4 Digit Boxes: Systems that I've seen that used this layout: (Audix,Octel,Aspen,Meridian, Message Center,Phone Mail and cheap companys) This is the Most Popular layout and almost every system has over 30 boxes that have the temp code still in place. Witch making getting the box very easy. Like in all the other systems i try 9999,1000,x000,1111, 2222,3333 and so on. Also it would be a good idea to scan like 1100,1200,1300 also because some systems try to fool you (Witch Never works). Hacking 7 digits boxes: Systems that I've seen that used this layout: (octel,local systems,Message Center) Now most of the time you come acrossed a system like this the boxes are someone fone number minus the area code. and or a greety fone company. Here's the first pick of boxes to try 9999999,9999998,1000000,2000000, and so on. Systems with boxes this long most of the time have direct dial feature witch means you have a direct number to your voicemail box. Hacking 10 Digit Boxes: Systems that I've seen that used this layout: (octel,verizon,ameritech,bell canada,bell south, and many other long distance voicemail systems) Now your thinking no way or something but getting boxes on here are quite simple if you have the time on your hands. But try the fone number you dialed to get the system this box should be valid and the admin box. If not it will be the outgoing greeting box witch is also cool to be able to do. Other k d45h r4d voicemail hacking tricks and stuff: Audix when you dial up a audix vms and hit star (star) 8 it tell you how many digits the boxes are. Also I Octel When scanning for boxes this trick will help you. This works on all layouts also but you enter all the digits but the last one and wait if a error message starts playing you know there's no boxes in that 10 number range. Messgae Center- The 1st time the box has been log in to a box there is no password. Some VoiceMail Systems Dial in Numbers: 1-800-317-6245 Message Center 1-800-232-3472 Audix type 1 1-800-222-6245 Audix type 2 1-800-574-6245 Meridian 1-877-447-6245 Fone Mail 1-800-954-6245 Octel 6 Digit boxes Company's VoiceMail Systems 1-800-408-6245 3 digit boxes 1-800-366-76245 1-800-631-3400 box 998 code 998 thanks to c0n for the 1337 phr34king 5ki115! _ ____ (_)____/ __ \____ / / ___/ / / / __ \ / / /__/ /_/ / / / / /_/\___/\____/_/ /_/ -- HAPPY 25TH ISSUE - K1INE ROX MY SOX. So, to celebrate i've done a "31337" skan for you. Congrats and keep it up. - Magma 1.800.313.3700 - 2ck 1.800.313.3701 - 2ck 1.800.313.3702 - fast busy signal 1.800.313.3703 - 2ck 1.800.313.3704 - fast busy signal 1.800.313.3705 - fast busy signal 1.800.313.3706 - fast busy signal 1.800.313.3707 - fast busy signal 1.800.313.3708 - 2ck 1.800.313.3709 - AT&T Easy Reach 800 number. the pin is 3709 1.800.313.3710 - no answer 1.800.313.3711 - 2ck 1.800.313.3712 - 2ck 1.800.313.3713 - 2ck 1.800.313.3714 - 2ck 1.800.313.3715 - 2ck 1.800.313.3716 - AT&T Easy Reach 800 number. the pin is 3716 1.800.313.3717 - 2ck 1.800.313.3718 - "Enter a numeric message after the tone." 1.800.313.3719 - 2ck 1.800.313.3720 - no answer 1.800.313.3721 - AT&T Easy Reach 800 number. the pin is 3721 1.800.313.3722 - Some american shipping company 1.800.313.3723 - Seminar Company 1.800.313.3724 - CCEX or something like that. 1.800.313.3725 - 2ck 1.800.313.3726 - 2ck 1.800.313.3727 - "enter telephone number or numeric message." 1.800.313.3728 - "enter telephone number or numeric message." 1.800.313.3729 - 2ck 1.800.313.3730 - "enter area code number or numeric message." 1.800.313.3731 - "you have reached the voicemail box of 31337..." 1.800.313.3732 - If anyone knows what this is please email me. 1.800.313.3733 - 2ck 1.800.313.3734 - 2ck 1.800.313.3735 - "Enter telephone number or numeric message." 1.800.313.3736 - "Enter telephone number or numeric message." 1.800.313.3737 - 2ck 1.800.313.3738 - "Enter telephone number or numeric message." 1.800.313.3739 - "Enter telephone number or numeric message." 1.800.313.3740 - 2ck 1.800.313.3741 - "Enter telephone number or numeric message." 1.800.313.3742 - 2ck 1.800.313.3743 - 2ck 1.800.313.3744 - 2ck 1.800.313.3745 - "to reach the outpatient dept. press 1.." 1.800.313.3746 - 2ck 1.800.313.3747 - 2ck 1.800.313.3748 - 2ck 1.800.313.3749 - 2ck 1.800.313.3750 - 2ck 1.800.313.3751 - very odd modem number. 1.800.313.3752 - Realestate company 1.800.313.3753 - 2ck 1.800.313.3754 - Stallion 1.800.313.3755 - fast busy signal 1.800.313.3756 - 2ck 1.800.313.3757 - "please enter the telephone number from which you are calling" 1.800.313.3758 - Promo telephone cards. 1.800.313.3759 - 2ck 1.800.313.3760 - busy 1.800.313.3761 - Someones personal 800 number. 1.800.313.3762 - Someones personal 800 number. she's french. 1.800.313.3763 - 2ck 1.800.313.3764 - 2ck 1.800.313.3765 - "there's a new name in town..." 1.800.313.3766 - 2ck 1.800.313.3767 - 2ck 1.800.313.3768 - 2ck 1.800.313.3769 - "something international..lisa speaking." 1.800.313.3770 - another personal 800 number. 1.800.313.3771 - 2ck 1.800.313.3772 - another personal 800 number 1.800.313.3773 - 2ck 1.800.313.3774 - "Epree Fisrt" 1.800.313.3775 - recording of a promo that is no longer running 1.800.313.3776 - 2ck 1.800.313.3777 - 2ck 1.800.313.3778 - lksdfjhsdjheue cathy speaking.. mumbling motherfuckers. 1.800.313.3779 - Diaognostic imaging place.. (xrays) 1.800.313.3780 - 2ck 1.800.313.3781 - husdfkjhsdkjf may i help you. 1.800.313.3782 - 2ck 1.800.313.3783 - enter the X you wanna reach. 1.800.313.3784 - 2ck 1.800.313.3785 - EDI operations. 1.800.313.3786 - 2ck 1.800.313.3787 - 2ck 1.800.313.3788 - Dead silence 1.800.313.3789 - "please enter the number you are calling from." 1.800.313.3790 - 2ck 1.800.313.3791 - fast busy signal 1.800.313.3792 - Easytel customer serive.. she hangs up on you.. 1.800.313.3793 - 2ck 1.800.313.3794 - 2ck 1.800.313.3795 - 2ck 1.800.313.3796 - "please enter the number you are..." 1.800.313.3797 - 2ck 1.800.313.3798 - another modem. play nice. 1.800.313.3799 - fast busy signal m4d shoutouts go to Foodstamp. -! 'Toll-Free 800-219-12XX to 800-219-14XX Hand Scan' By: The Clone Date: Friday, March 15, 2002 www.nettwerked.net theclone@hackcanada.com Scanned from: Area Code 780 Note: This *very* short scan, was originally intended for finding interesting numbers that were either Equafax or Canadian Government related. What I found was something completely different... -- 1-800-219-1200 - "This is Nicole" 1-800-219-1201 - Not In Service 1-800-219-1202 - Not In Service 1-800-219-1203 - Not In Service 1-800-219-1204 - Not In Service 1-800-219-1205 - Not In Service 1-800-219-1206 - Not In Service 1-800-219-1207 - Nortel Networks 1-800-219-1208 - Not In Service 1-800-219-1209 - Not In Service 1-800-219-1210 - Not In Service 1-800-219-1211 - Not In Service 1-800-219-1212 - Not In Service 1-800-219-1213 - Not In Service 1-800-219-1214 - "2191214" / Numeric / Pager System 1-800-219-1215 - Not In Service 1-800-219-1216 - Not In Service 1-800-219-1217 - Answering Machine 1-800-219-1218 - Not In Service 1-800-219-1219 - Not In Service 1-800-219-1220 - 2-Way Text Messaging 1-800-219-1221 - Not In Service 1-800-219-1222 - Not In Service 1-800-219-1223 - Not In Service 1-800-219-1224 - Not In Service 1-800-219-1225 - Not In Service 1-800-219-1226 - Peacock Pharmaceutical 1-800-219-1227 - Not In Service 1-800-219-1228 - Not In Service 1-800-219-1229 - Not In Service 1-800-219-1230 - Not In Service 1-800-219-1231 - Not In Service 1-800-219-1232 - Not In Service 1-800-219-1233 - Not In Service 1-800-219-1234 - Not In Service 1-800-219-1235 - "Hello?" 1-800-219-1236 - About Focusfactor 1-800-219-1237 - AT&T Easy Reach 800 1-800-219-1238 - Not In Service 1-800-219-1239 - Not In Service 1-800-219-1240 - "800-219-1240" / VMB 1-800-219-1241 - Not In Service 1-800-219-1242 - Not In Service 1-800-219-1243 - Bell Canada Sales / Sammy Erks 1-800-219-1244 - Not In Service 1-800-219-1245 - Not In Service 1-800-219-1246 - Cruise.com 1-800-219-1247 - "Good evening, customer service" 1-800-219-1248 - Not In Service 1-800-219-1249 - Not In Service 1-800-219-1250 - Not In Service 1-800-219-1251 - Not In Service 1-800-219-1252 - Not In Service 1-800-219-1253 - Not In Service 1-800-219-1254 - Not In Service 1-800-219-1255 - Not In Service 1-800-219-1256 - AT&T Easy Reach 800 1-800-219-1257 - FAX 1-800-219-1258 - Not In Service 1-800-219-1259 - Not In Service 1-800-219-1260 - Not In Service 1-800-219-1261 - Not In Service 1-800-219-1262 - Not In Service 1-800-219-1263 - Cingular Wireless 1-800-219-1264 - Not In Service 1-800-219-1265 - Not In Service 1-800-219-1266 - Not In Service 1-800-219-1267 - Not In Service 1-800-219-1268 - Not In Service 1-800-219-1269 - Not In Service 1-800-219-1270 - Not In Service 1-800-219-1271 - Not In Service 1-800-219-1272 - Not In Service 1-800-219-1273 - Not In Service 1-800-219-1274 - Not In Service 1-800-219-1275 - Modem Carrier 1-800-219-1276 - Historic Preservation Society 1-800-219-1277 - Not In Service 1-800-219-1278 - Bell Canada, Lydia Sida Cana (No I didn't make this name up) 1-800-219-1279 - Not In Service 1-800-219-1280 - Not In Service 1-800-219-1281 - Not In Service 1-800-219-1282 - Not In Service 1-800-219-1283 - Not In Service 1-800-219-1284 - Not In Service 1-800-219-1285 - Automated Answering Machine 1-800-219-1286 - Cook Residence 1-800-219-1287 - Not In Service 1-800-219-1288 - Not In Service 1-800-219-1289 - Not In Service 1-800-219-1290 - Not In Service 1-800-219-1291 - Not In Service 1-800-219-1292 - Not In Service 1-800-219-1293 - Not In Service 1-800-219-1294 - Not In Service 1-800-219-1295 - Centric-Extra-Humility (?) 1-800-219-1296 - Not In Service 1-800-219-1297 - Not In Service 1-800-219-1298 - Not In Service 1-800-219-1299 - Not In Service 1-800-219-1300 - Not In Service 1-800-219-1301 - Not In Service 1-800-219-1302 - Not In Service 1-800-219-1303 - Not In Service 1-800-219-1304 - Not In Service 1-800-219-1305 - Not In Service 1-800-219-1306 - Not In Service 1-800-219-1307 - Not In Service 1-800-219-1308 - Not In Service 1-800-219-1309 - Not In Service 1-800-219-1310 - Not In Service 1-800-219-1311 - Not In Service 1-800-219-1312 - Numeric Messaging System 1-800-219-1313 - Alpha Christian Registry 1-800-219-1314 - Not In Service 1-800-219-1315 - Not In Service 1-800-219-1316 - Not In Service 1-800-219-1317 - Not In Service 1-800-219-1318 - Not In Service 1-800-219-1319 - Not In Service 1-800-219-1320 - Not In Service 1-800-219-1321 - Not In Service 1-800-219-1322 - Not In Service 1-800-219-1323 - Not In Service 1-800-219-1324 - Not In Service 1-800-219-1325 - Not In Service 1-800-219-1326 - Not In Service 1-800-219-1327 - Rights of Autums 1-800-219-1328 - Not In Service 1-800-219-1329 - Not In Service 1-800-219-1330 - Not In Service 1-800-219-1331 - Not In Service 1-800-219-1332 - Not In Service 1-800-219-1333 - Not In Service 1-800-219-1334 - Real Estate, LTD. 1-800-219-1335 - Not In Service 1-800-219-1336 - Not In Service 1-800-219-1337 - Not In Service 1-800-219-1338 - Not In Service 1-800-219-1339 - Not In Service 1-800-219-1340 - Not In Service 1-800-219-1341 - Not In Service 1-800-219-1342 - Not In Service 1-800-219-1343 - Not In Service 1-800-219-1344 - Not In Service 1-800-219-1345 - Not In Service 1-800-219-1346 - VMB 1-800-219-1347 - Not In Service 1-800-219-1348 - Not In Service 1-800-219-1349 - Not In Service 1-800-219-1350 - Not In Service 1-800-219-1351 - Not In Service 1-800-219-1352 - Not In Service 1-800-219-1353 - Not In Service 1-800-219-1354 - Not In Service 1-800-219-1355 - Not In Service 1-800-219-1356 - Not In Service 1-800-219-1357 - Not In Service 1-800-219-1358 - Not In Service 1-800-219-1359 - Not In Service 1-800-219-1360 - Not In Service 1-800-219-1361 - Not In Service 1-800-219-1362 - Not In Service 1-800-219-1363 - Not In Service 1-800-219-1364 - Not In Service 1-800-219-1365 - Not In Service 1-800-219-1366 - Not In Service 1-800-219-1367 - Not In Service 1-800-219-1368 - Not In Service 1-800-219-1369 - Not In Service 1-800-219-1370 - Not In Service 1-800-219-1371 - Not In Service 1-800-219-1372 - Not In Service 1-800-219-1373 - Not In Service 1-800-219-1374 - Not In Service 1-800-219-1375 - Not In Service 1-800-219-1376 - Not In Service 1-800-219-1377 - Not In Service 1-800-219-1378 - Not In Service 1-800-219-1379 - Not In Service 1-800-219-1380 - Paging Terminal 1-800-219-1381 - Not In Service 1-800-219-1382 - Not In Service 1-800-219-1383 - Not In Service 1-800-219-1384 - Not In Service 1-800-219-1385 - Not In Service 1-800-219-1386 - Not In Service 1-800-219-1387 - Not In Service 1-800-219-1388 - Not In Service 1-800-219-1389 - Not In Service 1-800-219-1390 - Not In Service 1-800-219-1391 - Not In Service 1-800-219-1392 - Not In Service 1-800-219-1393 - Not In Service 1-800-219-1394 - Not In Service 1-800-219-1395 - Not In Service 1-800-219-1396 - Not In Service 1-800-219-1397 - Not In Service 1-800-219-1398 - Not In Service 1-800-219-1399 - Not In Service 1-800-219-4000 - Not In Service *Phew* All this scanning is making me thirsty... For a complete listing of other numbers I have found in the past few years, go to: www.nettwerked.net/files.html under the section titled: "Scanning (Manual)". --!@> -- Credits Without the following contributions, this special zine issue would be fairly delayed or not released. So thank you to the following people: Extra Thanks to Cyb0rg/asm (for the new ascii logo & the special K-1ine image/New Nettwerked index.html layout... and the idea for the title of K-1ine 24/25) AND Axion, Captin B, H410g3n, ic0n, Magma, MSM, Phlux, plappy, Son4r, RT, The Clone, Treephrog902 -- Shouts: Hack Canada (#HackCanada), Canadian Phreakers Union (now called HackTel Corporation), The Grasshopper Unit, Flippersmack, *Mandy*, soapie, `enjoy, Kybo_ren, Flopik, and lastly to everyone and anyone who contributes to the Canadian H/P scene. ;. .;.. ; ;. ;.. ;.. .;..; .;.; .;; ;.. .;..;. .;..; .;.;...; ;..;.. .;. A .;. .;. ;.. N E T T W E R K E D ;.. ;..;.. P R O D U C T ;..;.. .;..; ;..;.. ; .;..;.;.. .; . .;. ..;.. .;.. . .; ..;..;..;.. .; ;..;. .;.. . .;.. .;.;. ..;. ..;.. .;. ;.;..;;..;.; ;.;;..;.. ;.;.; .; . ;.;..;. .;. ;.;:.;. ,;....;. .;.;. .;.; .;.;.; .;.; ;..;. .;.;;.; .;. ..; ;. > > > > > > ... "To all those dead souls inching along the highways in those metal coffins, we show them that the hacking spirit is still alive."