\Com"mu*nism\, n. [F. communisme, fr. commun common.] A scheme of equa1izing the socia1 conditions of 1ife; specifica11y, a scheme which contemp1ates the abo1ition of inequa1ities in the possession of property, as by distributing a11 wea1th equa11y to a11, or by ho1ding a11 wea1th in common for the equa1 use and advantage of a11. ,,,,,,,, . ,,:;jiii"''''''"iiii;;,. . ,it;' ':;ji;. ,i;: ':;i, ;i;: ';ti, ,,, ,,,, :j' ,,,,,,, ,,,, ,,;;iEj;, ,,,,,,,,, j###j :###Y t; ,######K j###; ,d########&, ,d#########b j###j K##K' ,t #######K j###; j###GK#KK###, j###G###W### j###j j###' ;i ###K j###; j###j `####i; j###i K### j###t,###' ,i ,,,,,,,,,,. ###K j###; j###j K### i,j###t K### j###;K##F .j ##########; ###K j###; j###j K### jj######KW### j###K##K i, E#########: ###K j###; j###j K### :j##########P j###;K##k t. : ###K j###; j###j K### j###j j###t'###t; :: ###K j###; j###j K### ;j###j K#W# j###j i###t .; ###K j###; j###j K### ;j###i K### j###j K### ;. 1WWW####WW#I j###; j###j K### tj####WWW#### i###i :###k ; 1##########i 1###i 1###i W### ,j,##########" i i ji t: .i . ,ji:. .j t. . jkWT0$NSA;. i:,j ,t `, &, ,% .fD0D#HC#DND&, ;f: ,##f t#, tEb dEP :j: `fNW0k, C t,; j###L, K# X#XX#X ji `tA$k, ;; . `" "#&,W# ' ,fTEMPESt, ;f, 'WAR; C j j#%, "y#&, jt, .GLLfE##EfLLG. f; IRSi .f j#f"f#j#9"##; ;t t YY fi ;NSA C :f jWF "ji .ti;j:, ii :ji iKGB jt ,: jti tj. ,jj' CIA# P .tji,:. .,if, j;t.,j:t, ;;. .,;jj; j$R# .,jtjttji, t;it:.i;j, :;jjtttj;i; ;CYB ii:tji ,tjt'tti;. :ttt..t #OSS f: tt ,j t ,#FBI :f f f. i: j#WB' ,,. ;t ;i t, ,i #$#W .jEKKWEi, j: j. ;n,e t t w e: r k, e :d :j j' ,NSA; .tWDEEEKKWKj, f..t : o :w n. z u: , f t' ,#IMF :WWDDEEEKKEKW#L: ;j ,, ., , . t: ;; dEA#' t#GGGGDEEKKEEEEWi ti i: t: .j #CIA f#KDLLLLGEEDDDDEf f, t, :j, j' IR$# t#KKKDLLLLGKEGGW f; .,: .;; j' .#G#E `#WKKKKEGLGW#EWP 'i;. . . ,;j ;KGBi `WWKKKEEE##KWf 't; . ,;i;' #HC#' `KWKKEW##KEWG;. ';i;i;;i;iji;;ii;' ,#D0J `fW#ECHELON#WGt, #NW0' `tE#CARNIVORE#Dt. .ttti;,. fBI#' `"fK#ECHELON#EKKf;, iEGGEEEEEEDa, ,#G$W `"jW#CARNIVORE#KKt;, :GDLGGGDDDEGGGGK, #DND' `"tGWK#ECHELON#EDK#KGGDDGDDGGGLGGD; #NSA . `"fK#CARNIVORE#LLLLLLLLGGE#WGD .KGB' `"fj#KWWKKWKKEEDGGGffE##f ;WTC' 2004-04 . `"tfEWWWKKKKKKKKWWK' #GWB ``"iFjEWWWWfj##, #CIA N0. F0RTY-THR33 . ``"""' "#j&, ,. ,KGB; .Wifi$&, ,#G$M C0MMUNI5M 15 N0T D3AD . ":#WT0&;,. ,;KGBS' ":#W#CSIS$D0D#A' 1T 15 AL1V3 1N TH3 PH0N3 L1N35 . '"!Cyb0rG"' . _________________________________________________________________________________ ; .- Random Words -. + | *: [-] Introduction ............................................ The Clone :* *: (-) Inspirational Music ..................................... The Clone :* *: (-) Contact Information ..................................... The Clone :* *: (-) Link of the Quarter ..................................... The Clone :* *: (-) K-1ine Magazine Mirrors ................................. The Clone :* *: (-) Nettwerked Meetings ..................................... Nettwerked :* *: (-) Nettwerked BBS .......................................... Nettwerked :* *: (-) Nettwerked Stickers for Sale ............................ Nettwerked :* *: (+) An e-mail from Steve Wozniak ............................ The Clone :* *: [!] Honourable Mention; H1D30U5 for 780-958-XXXX ............ The Clone :* _________________________________________________________________________________ ; .- Documents -. + | *: (x) 'The Comprehensive Guide to AWAS' ........................ The Clone :* *: (x) 'Millennium Hardware Modification' ....................... H1D30U5 :* *: (x) 'Alberta CLLI's and other stuff' ......................... Tr00per :* *: (x) 'Telus Physical Key Systems; an internal memo' ........... A.P.H. :* *: (x) 'Disabling Deep Freeze' .................................. Aftermath :* *: (x) 'No Sleep Magazine Interviews The Clone' ................. Jackel :* *: (x) 'Internet Psychology' .................................... Aestetix :* *: (x) 'Why AI is Possible' ..................................... Aestetix :* *: (x) 'Number Systems' ......................................... Ice :* *: (x) 'Cheap And Effective WireTapping' ........................ Jackel :* *: (x) 'Crafting Symlinks for Fun and Profit' ................... Shaun2k2 :* *: (x) 'Phun with the Audiovox 8900 and Telus Mobility' ......... TeK-g :* *: (x) 'MORE CODES FOR AUDIOVOX 8900' ........................... TeK-g :* *: (x) 'The Codec War: Operation Zipem' ......................... Jedkiwi :* _________________________________________________________________________________ ; .- K-1ine News -. + | *: (x) Nettwerked Lays off 4500 from Red Deer factory ........... Wizbone :* *: (x) New York City E911 Crashes (no fault of my own!) ......... Nyxojaele :* _________________________________________________________________________________ ; .- Conclusion -. + | *: [-] Credits ................................................. The Clone :* *: [-] Shouts .................................................. The Clone :* _________________________________________________________________________________ [ Introduction ] Welcome to the Spring season issue of K-1ine #43! Boy do you ever have a bunch of great articles lined up for you kids this time 'round. Everything from artificial intelligence to phreaking Telus (as per usual), to interviews, to CDMA phreaking. Again, thank you to Cyb0rg/asm for his wicked ASCII art, and thanks to everyone who contributed their time and full fledged effort to help make this one of the best releases in the (nearly) 5 years of K-1ine history. It's beautiful to see this kind of dedication to something that was created as a simple hobby when I was but a wee lad in the 20th century in good ol' nineteen hundred and ninety nine. Lets get this rolling. Here we go with the latest installment of K-1ine goodness... ... *splooge* ... ---> This issue of K-1ine was inspired by the song: 'Black Steel' by Tricky -- Contact Information; |*> Comments/Questions/Submissions: theclone@hackcanada.com |*> Check out my site: (Nettwerked) http://www.nettwerked.net |*> Check out the Web-forum: http://nettwerked.mg2.org/phpBB2/ -- --=[ LINK OF THE QUARTER ]=-- Every quarter I post one really great "link of the quarter" on each issue of K-1ine magazine. The link can be anything in the technology industry, music scene, rave scene, punk scene, or even a good article you read on a news site. I'll be taking submissions via e-mail or IRC right away; so get your links in and maybe you'll see it in the next issue of K-1ine! For the Spring, the link of the quarter is: http://www.bahga.com/gallery/bell_canada Bell Canada images within the Central Office. Need I say more? :-) [submitted by: The Clone] --> K-1ine Magazine Mirrors: http://www.mirrors.wiretapped.net/security/info/textfiles/k1ine/ (Now mirrored in two places, one in Belgium and another in Sydney) "Wiretapped.net is an archive of open source software, informational textfiles and radio/conference broadcasts covering the areas of network and information security, network operations, host integrity, cryptography and privacy, among others. We believe we are now the largest archive of this type of software & information, hosting in excess of 20 gigabytes of information mirrored from around the world." -- http://www.hackcanada.com/canadian/zines/index.html#K-1ine Hack Canada - Canadian H/P - E-Zines -- http://www.bawks.net/geek/k-1ine/ Bawks.net - Wizbone's web-site. -- http://archive.undergroundnews.com/index.php?&direction=0&order=&directory=Zines/K-1ine Undergroundnews.com - Gizmo's web-site ---> [ Nettwerked Meetings ] As promised in the last issue of K-1ine, Nettwerked Meetings are now a reality, and so far have been highly successful in turnout and measurement of the fun factor. So far we've had meetings in January, February, and March. For all three meetings we have had an amazing turn out. January brought us about 20 people, February brought us 24, and March brought us an ass kicking 25 people! We have contests, prizes, and great conversation. Best of all, the food at Boston Pizza is simply awesome! If you live in the Edmonton Alberta area, or are planning on visiting the Edmonton area on the last Friday of the month, be sure and stop by a Nettwerked Meeting. You'll be happy you did. For more information visit: http://www.nettwerked.net/meetings/ ---> [ Nettwerked BBS ] On Tuesday, February 17th, 2004 The Nettwerked BBS was born... .ed"""" """$$$$be. -" ^""**$$$e. ." '$$$c / "4$$b d 3 $$$$ $ * .$$$$$$ .$ ^c $$$$$e$$$$$$$$. d$L 4. 4$$$$$$$$$$$$$$b $$$$b ^ceeeee. 4$$ECL.F*$$$$$$$ e$""=. $$$$P d$$$$F $ $$$$$$$$$- $$$$$$ z$$b. ^c 3$$$F "$$$$b $"$$$$$$$ $$$$*" .=""$c 4$$$$L \ $$P" "$$b .$ $$$$$...e$$ .= e$$$. ^*$$$$$c %.. *c .. $$ 3$$$$$$$$$$eF zP d$$$$$ "**$$$ec "\ %ce"" $$$ $$$$$$$$$$* .r" =$$$$P"" "*$b. "c *$e. *** d$$$$$"L$$ .d" e$$***" ^*$$c ^$c $$$ 4J$$$$$% $$$ .e*".eeP" "$$$$$$"'$=e....$*$$**$cz$$" "..d$*" "*$$$ *=%4.$ L L$ P3$$$F $$$P" "$ "%*ebJLzb$e$$$$$b $P" %.. 4$$$$$$$$$$ " $$$e z$$$$$$$$$$% "*$c "$$$$$$$P" ."""*$$$$$$$$bc .-" .$***$$$"""*e. .-" .e$" "*$c ^*b. .=*"""" .e$*" "*bc "*$e.. .$" .z*" ^*$e. "*****e. $$ee$c .d" "*$. 3. ^*$E")$..$" * .ee==d% $.d$$$* * J$$$e* """"" "$$$" Gilo95' << N E T T W E R K E D . N E T >> telnet://nettwerked.bawks.net STATUS: ONLINE Please direct all login / BBS problems to: theclone@hackcanada.com. ---> [ Nettwerked Stickers for Sale ] Nettwerked Stickers here. 3 for $5.00 (CDN). Credit Card, Money Order, and Cheque Accepted. Nexus XI & Paypal Processing available. Buy your- self into our bad ass rebel world, silly wankers! SIZE: 1 X 3. High quality, Glossy Stickers. Nettwerked web-site address: "WWW.NETTWERKED.NET", with Nettwerked's official witty slogan below: "Fuck the system? Nah, you might catch something." Indeed. GET THEM NOW: http://www.nettwerked.net/store/stickers/ ---> [ An e-mail from Steve Wozniak ] I hope this makes your guys' day. I know it made mine. I e-mailed Steve Wozniak congratulating him on Apple Macintosh's 20th anniversary, and thanking him for the contributions he made to the phreak scene and he replied and offered me an interesting caller ID spoofer (requires payment) that a friend of his runs! I figured an e-mail from Steve Wozniak, the inventor of the first computer for regular people and the designer of the first electronics blue box. Here's to you Mr.Wozniak... you changed the world of phreaking and hacking forever! At 4:23 AM -0700 1/24/04, Steve Wozniak wrote: Thanks. Cool that there are still active phone phreaks. One of my friends set up a [billing] caller ID spoofer - 1-800-658-6716. He also has access to a lot of line test/disable capabilities. That's all I know of modern phone phreaking though. -- Regards, Steve (is tv wake zone?) At 2:28 AM -0700 1/24/04, The Clone wrote: "On January 24th Apple will introduce Macintosh. And you'll see why 1984 won't be like '1984'". That was 20 years ago today. Congratulations, Steve. You made it happen. You are my personal hero. Thank you for everything you have done. From the personal computer for regular people to the blue box which you helped develop. As an active phone phreak and computer nut, I wanted to just show my appreciation. --> [Honourable Mention; H1D30U5 for 780-958-XXXX] H1D30U5 was too lazy to give me his 780-958-XXXX hand scan, simply because he found absolutely nothing. Zero. Ziltch. Why? The answer is easy; Telus blocks any non-CO calls to that prefix from any non-test system, such as a residential phone line. Bummer. Still, great job on the hand scan. At least now we know it's not possible to find anything unless you're calling from within a central office. *evil thoughts*... - The Clone --> goodman2 you're hetero aren't you Thank you very much for calling me that! Admit it! you are Are you or are you not? i dont wanna argue like a kid Are you a heterosexual? Please yes or no If you tell me I'll stop bugging NO,if that's what you're asking HAHAAHAHAHAAH So what, you're gay then? :( --> [> The Comprehensive Guide to AWAS <] "No amount of effort and intellect is being withheld in the drive to augment your overall experience as a valued customer." - Darren Entwistle, Telus Corporation. We beg to differ, spanky. * Author: The Clone * Written: Sunday March 28, 2004 * Web-site: http://www.nettwerked.net * Contact: theclone@hackcanada.com * Credits: Tr00per. Thanks for your enormous contribution of information. Nyxojaele for the additional documentation you found. * Shouts: Hack Canada, Nettwerked, K-1ine 'zine, GHU.CA, 2600 magazine. Also to H1d30u5 and Kankraka for inspiring me to get off my ass and actually get this guide finished for public release. heh. Disclaimer > This information was aquired through legal means. Please do not use the information contained in this file for illegal purposes. You are completely responsible for what you do. Notes > The Comprehensive Guide to AWAS is one of the most fascinating western telecommunications systems that I have had the sincere pleasure of studying and learning about. This entire document will give you insight into the Automated Work Administration System, a system used by two of the largest telecom carriers in North America; Telus and Verizon. This document however, will focus mainly on Telus' implementation of AWAS rather than the original AWAS system that was first created and used by GTE (now Verizon) in the early to mid 1990's. -> ---------------------- The Table of Contents: ---------------------- * An Introduction to AWAS * eNetwork Wireless Gateway * AWAS Identification ID's * AWAS Driver Codes * AWAS Clearing Codes * SAP Region Codes * Terminal Equipment Codes * Attendance / Absence Codes * Premiums / Hourly Differentials * SAP Internal Orders and AWAS * Network Functional Locations * AWAS Related Telephone #'s * Online AWAS Resources * Conclusion to Document <-> [> An Introduction to AWAS <] AWAS which stands for 'Automated Work Administration System' is an efficient, low maintenance, customer billing, employee performance monitoring, trouble ticket tracking and creation system utilized by every field-technician within Telus Communications. AWAS includes subsiduary companies, independent entities within the company (Telus Mobility), as well as outside 3rd party contractors. AWAS was adopted by Telus in the late 1990's and fully implemented on August 18 1999 through an industry shaking a merger with BC TEL after it experienced some major billing problems with its existing 6099 customer billing processing system. The 6099 customer billing processing system was used by service technicians both on the landline and wireless side of the Telus corporate spectrum. 6099's customer billing process handled all billable activities, including remote admin- istration of business, government, and residential telephone / data lines, service tickets, etc. Several problems soon began with the use of AWAS's dial up by Telus field-technicians. With dial-up AWAS, service technicians found the system to be slow, inconvenient and unreliable, and generally not up to the standard that they required to do their important jobs with the utmost efficiency. At the completion of each job, field technicians would dial into the dispatch system and listen to details on next job and bulletin announcements. A problem encountered was the inconvenience of finding a POTS phone line and then the added inconvenience of having to get through to dispatch. A lot of their time was spent on locating a landline and accessing the Telus dispatch system. To add to the problem, "dial up AWAS" did not even give Telus field-technicians access to the company's remote intranet, meaning they wouldn't have the added convenience of getting company memos in real-time, or be able to learn about the CEO's latest hooker n coke party for executive staff until the news and gossip was considered "old". Think about how something like this could affect the self-esteem and morale of an employee! Telus just didn't seem to care one little bit. It got so bad that dial-up AWAS brought in a lot of unfortunate built-in delays such as the re- assignment of technicians' schedules to handle changing customers, workload requirements, and updates on possible network problems that could affect the field-technician's job for the day. And another thing that lacked with Telus' dial-up version of AWAS; its security. According to a case study on Telus' AWAS by IBM (see: 'Online AWAS Resources' section for the url), any technician at Telus had the ability to tap on to work orders of co-workers and modify them because old AWAS lacked strict authentication. You basically logged onto the network using the same Username and Password as everyone else. Talk about a pain in the big proverbial ass! Something needed to be done, and quick! Soon the power that be, IBM, stepped up to help out poor Telus. With IBM's half-a century strangle hold on business/government/consumers, convinced Telus that they could help resolve the problems associated with the Automated Work Administration System. But how? The answer was; better data management, faster and more reliable backend servers, and the most innovative approach; wireless. Through the efforts of IBM and business partner GE Capital IT Solutions, 'eNetwork Wireless Gateway', 'eNetwork Wireless Software' became the world's first wireless deployment of GTE's AWAS application. eNetwork Wireless hasn't replaced the dial-up side to AWAS (see phone number list at the end of this document) completely, however it has been adopted as the best way to use Telus' field tech system. Read below for some specifics on eNetwork Wireless Gateway. -> [> IBM's eNetwork Wireless Gateway <] Definition: "The IBM eNetwork Wireless family of middleware products extends the reach of the network by providing mobile users secure access to existing IP-based applications over wireless and dial-up networks, with- out complex reprogramming. This software can reduce the cost, complexity and time required to deploy mobile computing solutions. These products continue to deliver on the IBM eNetwork Software promise of providing customers with access anytime, anywhere to their mission critical information, whether host or Web based." Hardware: IBM Thinkpad 380 laptops, later upgraded to the 'Itronix' ruggedized laptop featuring a Sierra Wireless GPS module (MP200/210 CDPD GPS). The AWAS server backbone: IBM RS/6000. Software: 'IBM eNetwork Wireless Gateway' middleware for AIX (Operating System), controlling the IBM eNetwork Web Express used by Telus employees for road to office wireless communication. The SB 220 software by Sierra Wireless offers multi-mode access - wireline, Circuit-Switched Cellular (CSC) and Cellular Digital Packet Data (CDPD). CZT Gateway for dial up AWAS access. Application: Wireless Access for Telus Field Technicians. Depending on the jobs required, the Sierra SB 200 modem allows the Telus technician to select any of the three options (wireline, Circuit-Switch Cellular and Cellular Digital Packet Data) for wireless data tran- smissions to the Telus Intranet / Dispatch Centre. The main advantage is the convenience of contacting the dispatch system to download information on new jobs and file completed assignments - all wirelessly without the need of a landline. A typical situation now occurs when a Telus employee completes the order and time- sheet on the laptop with the built-in Sierra modem, sends wirelessly through the selected cellular network, downloads the job completion information to the host system, which then sends the next job back to their wireless laptop. Ultimately, this convenience has given the staff more time to spend with their customers. Telus also accesses the database for information services, like inventory, customer records and purchase order status. The field technicians now have the added ability of giving customers pricing information on telephone rates, monthly billings and schedules for service. -- Configuring Itronix Laptop for AWAS Access: 1. Add Sierra 220 wireline modem. Go to start, control panel, modems, add, install new modem, other, select 'don't detect', find Sierra Wireless under manufacturer, find Sierra wireless sb220wireline, next select com1, next. Windows will install modem. Finish. 2. Drag icons from shortcut bar and rename with 1,2, and 3 after name. 3. Set address for temp server for training. Open Daswin 2, open gateway 3, login as admin, password [8 digit #. Stupidly obvious. Take a guess]. select OK, cancel out of employee data, go to admin, change host name from *.edtel.ab.ca (or host of your city) over to the *.agt.ab.ca address and then 'Exit Gateway'. 4. Open client 1 and log in via cdpd modem with passwords. 5. To add default number 423-**** (Scan for it, you lazy bloke) under Gateway. Open Daswin 2, open Gateway 3, login as admin, password [8 digit #. Stupidly obvious. Take a guess], select OK, enter student's clearing number (see 'AWAS Clearing Codes' section) enter company AGT, enter dac as cal, press add, close. Sign off as ADMIN and then connect to Gateway as yourself. It will bring up a box with student ID, select, it will ask for new password three times, enter test12, then it comes to connect to gateway screen - place cursor in telephone number box and enter [LOCAL EDMONTON #], tab to description, enter DEFAULT NUMBER. Click add. DO NOT CONNECT AT THIS POINT! 6. Change windows desktop theme to Window Default. 7. Check that CPDP IP address is 172.29.*.*. 8. Check dial-up number is [TOLL FREE # NOT LISTED IN THIS FILE] 9. Secure ID number [TOLL FREE # NOT LISTED IN THIS FILE] 10. Set address for active server for training. Open Daswin 2, open Gateway 3, login as yourself, select OK, cancel out of employee data, go to admin, change host name from *.ent.agt.ab.ca to *.edtel.ab.ca as last thing you do before ending course. 11. To set up on Outlook go to control panel, mail and fax, show profiles, add, select manually configure, select next, type in your username as in abriggs1, select next, select services, select add, select exchange server, input exchange2 in exchange server box, input your actual name in mailbox. Select check name - if it underlines, you are successful. It may ask you for a username as in abriggs1, a domain which is telus, and a password which will be your current outlook password. It will also update the server to correct exchange server. You must be online via CDPD or wireline modem preferably wireline to perform this. --> Gaining access to AWAS through the field laptops, and connecting to the AWAS network using the CZT Gateway to connect to the dial up AWAS and/or the AWAS (IBM Corp) e-wireless gateway: 1. Logging into AWAS. [General Login Instructions] To add new ID to account: 1. Get to the AWAS sign on screen (on field laptop). 2. Sign on with AWAS Clearing Number of ADMIN. 3. Password is [8 digit #. Stupidly obvious. Take a guess]. (If you go to the Employee Date screen that indicates clearing number go to point 11) 4. On the "Your Password Has Expired" Message Box press space bar or click OK. 5. The user ID field is Blue. Press the letter A on the keyboard. Admin goes into "User ID" 6. Enter Current password of [8 digit #. Stupidly obvious. Take a guess] 7. Enter new password of [8 digit #. Stupidly obvious. Take a guess. Same password as step 6] 8. Click update. Message says "Please Re-enter the password for validation" (type same password). 9. Click on Update. 10. Press spacebar to close "Password updated successfully" box. 11. With the cursor blinking in clearing number, enter the last 5 numbers of your employee number. 12. Press Tab. 13. With the cursor on Company enter AGT. 14. Press Tab. 15. With the cursor blining on DAC enter CAL. 16. Click on the Add button. Your ID will change color. 17. Click on Cancel button. 18. In the upper left hand corner of the screen, click on a picture of a hand. 19. On the AWAS sign on screen, enter your new ID. 20. The system will prompt you for a new password. You can use your old one if you want. (heh!) -- AWAS Sign On and Administration: OBJECTIVES: At the end of this section, you will be able to successfully: * Access the CZT Gateway Application using CDPD. * Identify options on the CZT Gateway Menu Bar. * Use the Job Selection Window. * Change Administration settings. GETTING the L/PC ready for use: Before you can communicate to AWAS through L/PC, the AWAS Laptop Configuration window must be setup. AWAS downloads information for all access types. (NOTE: The information on this window is extremely important. Supervisors are the only employees making changes to this window. If you want to login as a supervisor, please refer to the Telus employee list and choose one of the managers accounts. Make sure to take note of the employer ID #, and name.) -- Sign On: Your coach is responsible for setting up your user ID before you sign on to AWAS. Your ID populates the CLEARING NUMBER field in the L/PC EMP (employee) record. This allows the L/PC to retrieve important employee data from the AWAS application when you dial in for the first time. Your user ID must be unique within the AWAS L/PC. The process of signing on to AWAS consists of two basic steps. The first is to connect to CDPD using ARTour, and the second is to log in to Gateway. * Remember four incorrect attemps to sign on causes the CZT Gateway application to lock you out. If this occurs, you must contact your coach for assistance. This is case sensitive as well. Verify that Caps Locks or NukLk are not enabled. Four common reasons for connecting to Gateway are: * To select work to being your day. * Your laptop has a job that is complete and you need to upload it and have a new job downloaded to you. * A job has remarks that must be sent to the host to provide a current status before completing the job. (Remarks Only) * You need to readjust your time. (FTR Only) ARTour - Gateway Sign on ------------------------ Locate the ARTour or Client icon on your desktop and "double click" the icon. You may find this icon in the system tray just right of the "Start" button. The icon in the system tray only requ- ires a "single click" of the mouse. Clicking on the ARTour or Client icon opens the eNetwork Wireless - Connect window. This window connects us to the ARTour server, which gives us secure, password-protected access to the AWAS server. The drop down connection window gives you two connection choices: * Telus - CDPD for digital cellular connection * Telus - Dialup for modem connection Once you have chosen your connection type, "single click" your mouse in the Password field and key in the required password. Due to security requirements, this password must be changed every 45 days. Do Not click on the save Password check box because of security concerns if the laptop is lost or stolen. The latest release of Gateway does not show the save password option. Once the password is entered, point and click on the "Connect" button. The "Connecting - Telus - Dialup" or "Connecting - Telus - CDPD" window opens giving you a visual picture of the connection process. During this process ARTour validates your password and unique laptop "IP" address. The same password will work for ARTour authentication whether for Dialup or CDPD. If validation is successful, the eNetwork Wireless - Connect window reduces to a small window with a Disconnect button and a digital clock showing your connect time. If validation is not successful you may have entered a wrong password or the ARTour server may not recognize you as a valid user. This is usually relayed to you through an "ERROR" pop-up window. This could be caused by Cap locks or Num locks being on. Log in ID's are case sensitive. Assuming you have received a successful ARTour connection, the next step is to locate and "double click" on the DASWin icon on your desktop. If you have a DASWin icon in the system tray to the right of the "Start" button, you can "Single Click" on it to attain the same results. DASWin is a required program, which acts as an "interpreter" between ARTour and CZT Gateway. Once the DASWin Main window opens you can locate the CZT Gateway icon. "Double clicking" on the CZT Gateway icon on your desktop opens CZT Gateway, which gives you access to the AWAS server. If you have a CZT Gateway icon in the system tray to the right of the "Start" button, you can "single click" on it to attain the same results. The CZT Gateway application opens with the "Welcome to the CZT Gateway Network" window in the center of the screen. You must enter your User ID and Password then click on "OK". The first time you access CZT Gateway you must enter an alphanumeric password of 6 - 8 characters. You will then be asked to re-enter and confirm this password on this initial entry into CZT Gateway. You may also use this window to change your CZT Gateway password, which should be changed every 45 days, as is the ARTour password. Once you are validated by CZT Gateway, the "Connect to Gateway" window appears. You must change the Comm- unication Type to NETWORK by selecting it from the drop-down list. Once NETWORK has been selected you must Tab to the Network User ID field and enter an "X". Pressing Tab again takes you to the Network Password field where you enter another "X". Pointing and clicking on the Connect button connects you to the AWAS server which gives you the Job Selection window or a new job depending on your settings in the AWAS Empl- oyee Tables. * Note: The Time field shows how much time remains to select a job. Another important field is the Ovr indicator field. If the job is overridden to you, an asterisk [*] appears in the Ovr field. There are two methods used to select a Job: * Point and click on a Job box * Press the Up & Down arrow keys so the cursor highlights a job, then press the Enter key. After selecting a job, the empty job box to the left of each job contains a number. The jobs are downloaded in the order they are selected. You can deselect a job if you change your mind before you download a job using one of the following methods: * Point and click on a Job Box * Press the Up & Down arrow key so the cursor highlights a job, then press the Enter key. Job Selection Summary The Job Selection Summary window provides additional information that you may need to select a job. Before selecting your job, review the Job Select Summary window for additional information. The Job Select Summary window displays detailed information regarding the following: * Job Request Information * Job - allows you to select each job from the Job Select window, thus eliminating the need to go back and forth between the Job Select and Job Select Summary windows. * Customer Information * Key Indicators * Facility Information * Time Left To return to the Job Selection window you can point and click on the OK button. * Note: The Quit button discontinues the connection proces. If you click on the Quit button and jobs reside on the laptop, the Review Jobs window appears. If you click the Quit button and no jobs reside on the laptop, the sign on window appears. You can choose to have a job downloaded to your laptop in one of three ways: * You can select and view a job within 3 minutes then point and click on the Download button. * You can point and click on the Download button without selecting a job to automatically download the optimal job [job 1]. * If you do not select a job within 3 minutes AWAS automatically downloads the optimal job to the laptop. When you download a job, the Review Jobs window and Memo window appears. Using the ADMIN Menu -------------------- The ADMIN Menu is an option on the Gateway Menu Bar. You use the ADMIN Menu to modify the system parameters within your L/PC. The ADMIN Menu allows you to perform all the following: * Change Job Class Code (Employee Data) * Laptop Communication Config * Change Password * Unlock a Password Change Job Class Code (Employee Data) ------------------------------------- The Employee Data window allows the user to add, delete or update users on an individual laptop. This information is validated with the host AWAS system to insure only authorized users will AWAS. Laptop Communication Config --------------------------- The Laptop Communication Configuration window allows the user to change communication parameters, as new or updated communication devices are required. Change Password --------------- The Change Password window allows you to change your existing password which should be done at least every 180 days or every 6 months. Click on the Current Password: field and key in your current password, then press Tab to move to the New password: field. Key your new password in the New Password: field, then press the Update button. You will be asked to Re-enter the password for validation, then press the Update button. Unlock a Password ----------------- If you key a password incorrectly four times in a row, CZT Gateway will "Lock" you out of the application and notify you that your User ID is locked. To unlock the technican's password, the coach must sign-on to the CZT Gateway application using the techn- ician's laptop and the administrative ID [8 digit #. Stupidly obvious. Take a guess]. Next, the coach pres- ses the Cancel button on the Employee Data window so he/she can select the Change Password option from the ADMIN menu. When the Change Password window opens, the coach selects the technician's user ID from the User ID list box then Tabs to New Password field and enters a new password. Once the new password has been entered, the coach points and clicks on the Update button, re-enters the password, then clicks on Update again. A message box confirms that the password is updated. The coach can now exist the application and have the Technician sign on using the new password supplied by the coach. ---> [> AWAS Identification ID's <] AWAS JOB IDENTIFICATION JOB ID'S: A - OOS/Customer Trouble B - NOS/Customer Trouble C - Change Service Order F - From Service Order G - OOS/Company Trouble H - NOS/Company Trouble I - In Service Order J - Optional Job Report K - OOS/ISC Circuit Trouble L - NOS/ISC Circuit Trouble M - Mandatory Job Report N - Exceptions O - Out Service Order P - Plant Service Order Q - Special Assignment R - OOS/Customer Circuit Trouble S - NOS/Customer Circuit Trouble T - To Service Order U - OOS/Company circuit Trouble V - NOS/Company Circuit Trouble W - Prewire Service Order X - OOS/Other Telco Circuit Trouble Y - NOS/Other Telco Circuit Trouble Acronym Definition: (OOS - Out of Service, ISC - Impedence Short Circuit) (NOS - Not in Service) -> [> AWAS Driver Codes <] ----------------- AWAS Driver Codes ----------------- Driver Used For Description 11 TCI Used for all work done for TCI. This is used for all TELUS Communications as of 01/01/99. 13 MOB Used for all work done for TELUS Mobility. This code became effective 01/01/99. 16 TAC Enhancement Used for all work done for TELUS Advanced Communications. 20 Multimedia Used for all work done for TELUS Multimedia. 36 TAC Main Stream Used for all work done for TELUS Advanced Communications. ------------------- -------------- AWAS Product Worked AWAS BID CODES ------------------- -------------- Product Used For BID Used For 1000 Res. Single Line - --- R Repair Work 2000 Bus. Single Line P Preventive Maintenance 3000 Bus. Multi Line M Modification & Improvement 4000 VLOB Centrex S Service 5000 Coin Telephones K Maintenance Contract 6000 DLOB (Including Centrex Data) O Operational 7000 VLOB Special Services C Capital 8000 Cable Locates L Cable Locates 9000 Take Outs A Absence/Administration 9900 Absence / Admin -> ------------------------- A W A S Clearing Codes ------------------------- [ Type ] [ Sub Codes ] [ Cause and Sub ] ---- [ SET ] ---- ---- [ LEASED SETS-All ] ---- Plant/Equipment - DIRT/POOR HOUSEKEEPING n/a 1 01 Plant/Equipment - AGE/DETERIORATION n/a 1 02 Plant/Equipment - OUT OF ADJUSTMENT n/a 1 03 Plant/Equipment - OVERLOADED EQUIPMENT n/a 1 04 Plant/Equipment - BLOWN FUSE/BREAKER n/a 1 05 Plant/Equipment - CORROSION/ELECTROLYSIS n/a 1 06 Plant/Equipment - CRACKED/DAMAGED/DEFECTIVE n/a 1 07 Customer - PHYSICAL DAMAGE n/a 4 01 Customer - ILLEGAL EQUIPMENT CONNECTION n/a 4 02 Customer - INTEREXCHANGE CARRIER n/a 4 03 ---- [ NETWORK SERVICE WIRE ] ---- DROP/ERV WIRE (INCL BONDING) 01 n/a n/a PROT/NID/CCB (INCL GROUND) 02 n/a n/a Weather - LIGHTNING n/a 2 01 Weather - FLOOD n/a 2 02 Weather - WIND n/a 2 03 Weather - ICE, SLEET AND SNOW n/a 2 04 Weather - MOISTURE/RAIN/CONDENSATION n/a 2 05 Weather - TEMPERATURE n/a 2 06 Weather - EARTHQUAKE n/a 2 07 Employee - FIELD TECHNICIAN n/a 3 01 Employee - OSP CONSTRUCTION n/a 3 02 Employee - ASSIGNMENT PERSON n/a 3 14 Employee - OSP CABLE REPAIR/MAINTENANCE n/a 3 06 Employee - TELUS CONTRACTOR n/a 3 16 Employee - CO CONVERSION RELATED-RECORDS n/a 3 17 Employee - CO CONVERSION RELATED-SW SVC n/a 3 18 Employee - CO CONVERSION RELATED-OSP n/a 3 19 Foreign Workman - GAS n/a 5 01 Foreign Workman - ELECTRIC n/a 5 02 Foreign Workman - CATV n/a 5 03 Foreign Workman - SEWER n/a 5 04 Foreign Workman - WATER n/a 5 05 Foreign Workman - BUILDING CONSTRUCTION n/a 5 06 Foreign Workman - DEPT OF HIGHWAYS (ROAD CONST) n/a 5 07 Foreign Workman - TREE TRIMMING-MOWING n/a 5 08 Foreign Workman - GOVERNMENT AGENCIES n/a 5 09 (POLICE, FIRE, ETC) Foreign Workman - CONTRACTORS (NON TELUS PERSONNEL) n/a 5 10 Foreign Workman - FOREIGN WORK PERSON n/a 5 11 Foreign Workman - IXC/CLEC (CAUSING TROUBLE ON n/a 5 12 THE TELUS NETWORK) Miscellaneous - FIRE n/a 6 01 Miscellaneous - INSECTS/BIRDS/ANIMALS n/a 6 02 Miscellaneous - VEHICLE ACCIDENTS n/a 6 03 Miscellaneous - POWER BURN/INFLUENCE n/a 6 04 Miscellaneous - COMMERCIAL/POWER FAILURE n/a 6 05 Miscellaneous - TREES n/a 6 06 Vandalism - MALICIOUS DAMAGE n/a 7 05 ---- [ COIN ] ---- HANDSET 01 n/a n/a COIN ACCEPTER/SCANNER/VALIDATOR 02 n/a n/a COIN RELAY/ESCROW 03 n/a n/a CIRCUIT CARD - ALL TYPES 04 n/a n/a DISPLAY SCREEN 05 n/a n/a DIALPAD/KEYPAD 06 n/a n/a CARD READER 07 n/a n/a HOOKSWITCH 08 n/a n/a COIN RETURN 09 n/a n/a REPLACE UPPER HOUSING 10 n/a n/a REPLACE SET 11 n/a n/a PROGRAM SET 12 n/a n/a PROGRAM HOST 13 n/a n/a COIN BOX FULL/COIN BOX COLLECTION 14 n/a n/a INSTRUCT, CARD/SIGNS/BINDER/BOOKS 15 n/a n/a SHELF/BOOTH/POWER 16 n/a n/a LIGHTING (NON SERVICE AFFECTING) 17 n/a n/a TDD (TELEPHONE DEVICE FOR THE DEAF) 18 n/a n/a PAYPHONE-OTHER 19 n/a n/a ---- [ OUTSIDE PLANT ] ---- CHANGE PAIR 01 CABLE SHEATH 02 SPLICE CLOSURE 03 TRANSMISSION (BOND, GRD, PROT) 04 EQPT (COIL, BOL, BOC, RPTR, XFMR, ETC.) 05 CONNECTOR 06 CLEAR CAP 07 TERMINAL (INCLUDING JUMPERS) 08 CABLE CUT/DIGUP 09 CUT SHEET/WORK ORDER 10 PUG UNECONOMICAL TO REPAIR 11 LATS/ALIT - REFERRED TO PMO 12 ---- [ ENHANCED ] ---- ADSL - Modem Replaced 52 ADSL - Power Supply Repalced 53 ADSL - Software (Modem Software) 54 ADSL - Software (Installation Kit) 55 ADSL - Software (PC) 56 ADSL - Hardware (PC) 57 ADSL - NIC Replaced 58 ADSL - NIC Reinstalled 59 ADSL - Tweak/Provisioning 60 ADSL - CO - Hardware Card 61 ADSL - CO - Hardware Port 62 TOPS SOFTWARE 63 TOPS HARDWARE 64 TOPS/POSITION SOFTWARE 65 TOPS/PLATFORM SOFTWARE 66 TOPS/PLATFORM SOFTWARE 67 TOPS/PLATFORM HARDWARE 68 ---- [ PABX (Private Automatic Branch Exchange ] ---- MULTILINE ELECTRONIC LEASED 01 ---- [ AUXILIARY EQUIPMENT ] ---- ENTERPHONE (LEASE ONLY) 01 AUXILITARY SIGNALING EQUIPMENT 02 ---- [ RECORDS ] ---- ASSIGNMENT/FACILITIES 01 DISCONNECT/RECONNECT ERROR 02 CARRIER CHANNEL/DESIGN ASSIGNMENT 03 IXC ASSIGNMENT 04 CUSTOM CALLING FEATURE 05 RECENT UPDATE - SWITCH CHANGES 06 TES COMPUTER NETWORK FAILURES 07 RECENT UPDATE - LSMS CHANGES (LNP) 08 ---- [ SUBSCRIBER CARRIER SYSTEMS ] ---- FILTER - ALL 01 POWER UNITS - ALL TYPES 02 ANALOG CHANNEL UNIT - FIELD 03 ANALOG CHANNEL UNIT - C.O. 04 ANALOG REPEATER - ALL 05 DIGITAL CHANNEL - FIELD 06 DIGITAL CHANNEL - C.O. 07 DIGITAL REPEATER - ALL 08 CONCENTRATOR CARDS - ALL TYPES 09 CONCENTRATOR LINES - ALL TYPES 10 ---- [ CENTRAL OFFICE ] ---- SWITCHING HARDWARE - LINE 01 SWITCHING HARDWARE - PERIPHERAL 02 SWITCHING HARDWARE - FRONT END 03 SWITCHING SOFTWARE - PERIPHERAL 04 SWITCHING SOFTWARE - FRONT END 05 SWITCHING SOFTWARE - PATCHES 06 SWITCHING POWER 07 TRANSPORT HARDWARE 11 TRANSPORT SOFTWARE 12 TRANSPORT CROSSCONNECT FRAME 13 TRANSPORT POWER 14 CUSTOMER COAM/CPE 21 SITE DC POWER AND SIGNAL 22 MOBILE RADIO 23 SITE MASTER CLOCK 24 LOOP ENHANCEMENT EQUIPMENT 25 ENGINEERING WORK IN PROGRESS 26 AUTOMATIC MESSAGE ACCTG 27 I/O EQUIPMENT 28 FRAME-JUMPER/TERMINATION 61 FRAME-PROTECTION 62 (EXCLUDE CODES) ---- [ TEST OK ] ---- PRIM TEST CLR - NO ANSWER / VERIFICATION OK W/SUBS 01 ---- [ FOUND OK ] ---- FOUND OK 01 ---- [ CUSTOMER ] ---- RECEIVER OFF HOOK 01 INCORRECT DIALING 02 CUSTOM CALLING PROGRAMMING 03 NUISANCE CALLS 04 EQUIPMENT MISUSE 05 DISCONNECT POWER 06 SERVICE ORDER IN PROGRESS 07 IMPROPER CUSTOMER INSTALLATION 08 CUSTOMER TRAINING/EDUCATION/ENQUIRY 09 PPU USAGE 10 PERSONAL VOICE MAIL USAGE 11 CUSTOMER REFUSES CHARGES 12 CUSTOMER REFUSES ACCESS 13 CUSTOMER CANCELLED 14 ---- [ EXCLUDE ] ---- NO ACCESS - CUSTOMER (FIELDED) 01 NO ACCESS - TELCO (NON-FIELDED) 02 2ND PARTY REPORT 03 DISCONNECTED NUMBER 04 WRONG RPTS OR CREATE SCREEN USED 05 ---- [ REFERRED OUT ] ---- OTHER TELCOS 01 INTEREXCHANGE CARRIERS 02 VENDORS 03 ALARM COMPANIES 04 COMPETITIVE LOCAL EXCHANGE CARRIER (CLEC) 05 OTHER TELUS DEPARTMENTS 06 TELUS MOBILITY 07 REFERRED TO SECURITY / POLICE 08 INTERNATIONAL CARRIERS 09 ---- [ CPE / COAM ] ---- CPE/COAM NOT REPAIRED BY TELUS 01 CPE/COAM REPAIRED BY TELUS 02 ISW DIAGNOSTIC CHARGE ONLY 03 ISW DIAGNOSTIC & REPAIR CHARGE 04 ENTERPHONE REPAIRED - MAINTENANCE CONTROLR APPLIES 05 CPE/COAM REP'D-MAINTENANCE CONTROLLER APPLIES 06 ---- [ NSA NATIONAL BROADCAST ] ---- Audio/Video - Cameras 01 Audio/Video - Audio Local Loop 02 Audio/Video - Analog Switch 03 Audio/Video - Analog Patch 04 Audio/Video - Program Equipment 05 Audio/Video - Carrier Equipment 06 Audio/Video - Audio Sub Carrier 07 Audio/Video - Customer Action 08 Video Conf - COAM Equipment Config 09 Video Conf - COAM Equipment Failure 10 Video Conf - Customer Wiring 11 Video Conf - TELUS Network 12 Video Conf - Telco Wiring (Non TELUS) 13 Video Conf - Telco Network (Non TELUS) 14 ---> ------------------------------------------ S A P Region Codes for Terminal Equipment ------------------------------------------ [ Function Location ] [ FL Description ] SAP Region (rrrr) CLGR CLGR - Calgary and Fringe Area EDTN EDTN - Edmonton and Fringe Area NTHR NTHR - Northern Alberta Region STHR STHR - Southern Alberta Region -> ----------------------------------------- Terminal Equipment Codes for AWAS and SAP ----------------------------------------- Definitions: AWAS = Automated Workforce Administration System SAP = Nortel Networks' Norstar Applications _____________________________________________________________________________________________________________ AWAS AWAS AWAS A W A S Driver Supplies Function B I D wwww Code Level 3 Level 3 Level 4 Level 4 Description Asset Description Prod/Tech CO Region Code AWAS Code Type of Work Business Sys. BUS --- --- 2000 ---- Business Sys. BUS AUXILLARY AUX c rrrr AUX 2001 SRK Business Sys. BUS Enh - Others ENHC c rrrr ENHC 2002 sRK Business Sys. BUS Enh - Call ENHCALL c rrrr CALL 2003 SRK Sequences Business Sys. BUS Enh - CDR ENHCDR c rrrr CDR 2004 SRK Business Sys. BUS Enh - Companion/ ENHCOMP c rrrr COMP 2005 SRK Lucent Wireless Business Sys. BUS Enh - CTI PBX ENHCTIP c rrrr CTIP 2006 SRK Business Sys. BUS Enh - Lucent ENHLUVM c rrrr LUVM 2007 SRK Voice Mail Business Sys. BUS Enh - M1 ENHM1VM c rrrr M1VM 2008 SRK Voice Mail Business Sys. BUS Enh - M1 IVR ENHM1VR c rrrr M1VR 2009 SRK Business Sys. BUS Enh - NORSTAR ENHNSAP c rrrr NSAP 2010 SRK applications Business Sys. BUS Enh - Norstar VM ENHNSVM c rrrr NSVM 2011 SRK Business Sys. BUS Enh - Octel Mail ENHOCVM c rrrr OCVM 2012 SRK Business Sys. BUS Enh - VISIT ENHVISP c rrrr VISP 2013 SRK Products Business Sys. BUS KEY - All Others KEY c rrrr OKEY 2014 SRK Business Sys. BUS KEY - Norstar KEYNRTR c rrrr NRTR 2015 SRK Business Sys. BUS KEY - Partner KEYPTNR c rrrr PTNR 2016 SRK Business Sys. BUS PBX - Discontinued PBX c rrrr OPBX 2017 SRK Business Sys. BUS PBX - Lucent PBXLUCE c rrrr LUCE 2018 SRK Business Sys. BUS PBX - M1 option PBXMMOD c rrrr MMOD 2019 SRK 21 - 81 Business Sys. BUS PBX - MI Option II PBXOP11 c rrrr OP11 2020 SRK Business Sys. BUS PBX - SL1 sets PBXSL1S c rrrr SL1S 2021 SRK Business Sys. BUS Desk Top Products DESKTOP c rrrr DSKT 2022 SRK -- Existing Drop Facilities: Customer CDF CDF BUSINESS CDFBUS/COIN c rrrr CDFB 2101 CSRMK Customer CDF CDF DATA CDFDATA c rrrr CDFD 2102 CSRMK Customer CDF CDF RESIDENCE CDFRES c rrrr CDFR 2103 CSRMK -- New Drop Facilities: Customer CDF CDF BUSINESS CDFBUS/COIN c rrrr CDFB 2104 CSRMK Customer CDF CDF DATA CDFDATA c rrrr CDFD 2105 CSRMK Customer CDF CDF RESIDENCE CDFRES c rrrr CDFR 2106 CSRMK -- Customer Site DTM c --- --- 2200 --- Data Termination Data networking DTM Modems: Ascend MASCEND c rrrr MASC 2201 SRPMK products Data networking DTM Modems: Other MDIAL c rrrr MDMD 2202 SRPMK products Dial Up Data networking DTM Modems: GDC MGDC c rrrr MGDC 2203 SRPMK products Data networking DTM Modems: Motorola MMOTR c rrrr MOTR 2204 SRPMK products Data networking DTM Modems: Nortel MNRTL c rrrr MNR 2205 SRPMK products Data networking DTM Modems: Paradyne MPDYN c rrrr PDYN 2206 SRPMK products Data networking DTM Modems: Other MPRIV c rrrr MDMP 2207 SRPMK products Private Data networking DTM Modems: U.S.R. MUSR c rrrr MUSR 2208 SRPMK products (US Robitics) -- Inside Wiring INW --- --- 2300 --- Inside Wiring INW INSIDE WIRE BUS INWBUS c rrrr INWB 2301 SRK Inside Wiring INW INSIDE WIRE DATA INWDATA c rrrr INWD 2302 SRK Inside Wiring INW INSIDE WIRE RES INWRES c rrrr INWR 2303 SRK -- Internet NET --- --- 2400 --- Internet NET NIC and Software PLANET c rrrr NICP 2401 SRK -- Payphones PAY c rrrr 2500 OSRMK Enclosures PAY Pay: Enclosures ENCIN c rrrr ENCI 2501 OSRMK Indoor Indoor Enclosues PAY Pay: Enclosures ENCOUT c rrrr ENCO 2502 OSRMK Outdoor Outdoor Centurion PAY Pay: Centurion CENTUR c rrrr CENR 2503 OSRMK Protel PAY Pay: Protel PROTEL c rrrr PROT 2504 OSRMK Charge a Call PAY Pay: Charge a Call CHGCALL c rrrr CHGC 2505 OSRMK Millennium PAY Pay: Millennium MILLEN c rrrr MILN 2506 OSRMK -- Customer Site PSW c --- --- 2600 --- Packet Switching Data networking PSW HUBS: 3COM HUB3COM c rrrr 3COM 2601 SRPMK products Data networking PSW HUBS: Ascend HUBASND c rrrr HASC 2602 SRPMK products Data networking PSW HUBS: Bay Networks HUBBAY c rrrr BAY 2603 SRPMK products Data networking PSW HUBS: Cisco Systems HUBCSCO c rrrr CSCO 2604 SRPMK products Data networking PSW HUBS: Newbridge HUBNEWB c rrrr NEWB 2605 SRPMK products Data networking PSW HUBS: Other HUBS c rrrr HUBS 2606 SRPMK products -- Telephone sets SET c --- --- 2900 --- Telephone sets SET Cordless CRDL c rrrr CRDL 2901 SRK Telephone sets SET Discontinued or DSET c rrrr DSET 2902 SRK Old Technology Telephone sets SET hotel/motel HOTL c rrrr HOTL 2903 SRK Telephone sets SET Harmony HRMY c rrrr HRMY 2904 SRK Telephone sets SET Meridian 9216 M216 c rrrr M216 2905 SRK Telephone sets SET M8000 M8K c rrrr M8K 2906 SRK Telephone sets SET M9000 series M9K c rrrr M9K 2907 SRK Telephone sets SET MBS MBS c rrrr MBS 2908 SRK Telephone sets SET Others(single line, OSET c rrrr OSET 2909 SRK Centrex consoles, unity, etc.) Telephone sets SET Others(Residential) ORES c rrrr ORES 2910 SRK Telephone SET Signature SIGN c rrrr SIGN 2911 SRK Telephone SET Solo SOLO c rrrr SOLO 2912 SRK Telephone SET Vista 100 V100 c rrrr V100 2913 SRK Telephone SET Vista 200 V200 c rrrr V200 2914 SRK Telephone SET Vista 2000 V2K c rrrr V2K 2915 SRK Telephone SET Vista 350 Base V350B c rrrr V35B 2916 SRK Telephone SET Vista 350 Module V350M c rrrr V35M 2917 SRK -- Vid-conf'ing VID c --- --- 2700 --- Vid-conf'ing VID Tanberg Video TAND c rrrr TAND 2701 SRK conferencing Wireless term WTD c rrrr WTD 2800 SRPMK device Circuit Swtchg CSW c wwww --- 1000 --- Circuit Swtchg CSW Other CSW OTHCSW c wwww OCSW 1001 SRPMK Circuit Swtchg CSW DMS100 DMS100 c wwww S100 1002 SRPMK Circuit Swtchg CSW STP DMS100S c wwww STP 1003 SRPMK Circuit Swtchg CSW DMS200 DMS200 c wwww S200 1004 SRPMK Circuit Swtchg CSW TOPS DMS200T c wwww TOPS 1005 SRPMK Circuit Swtchg CSW DMS250 DMS250 c wwww S250 1006 SRPMK Circuit Swtchg CSW GTD 5 GTD 5 c wwww GTD5 1007 SRPMK Circuit Swtchg CSW 5 ESS 5ESS c wwww 5ESS 1008 SRPMK -- Subscrbr Carrier CXR c wwww --- 1100 --- Subscrbr Carrier CXR S6A, S6B, ANALOG c wwww ANLG 1101 SRPMK Lenkurt 84A Subscrbr Carrier CXR UMC 1000 UMC c wwww --- 1102 SRPMK Subscrbr Carrier CXR Lynch 300S 300S c wwww 300S 1103 SRPMK Subscrbr Carrier CXR Time Span TMSP c wwww TMSP 1104 SRPMK Subscrbr Carrier CXR Nortel DMS-1 Urban DMSU c wwww DMSU 1105 SRPMK Subscrbr Carrier CXR Nortel DMS-1 Rural DMSR c wwww DMSR 1106 SRPMK Subscrbr Carrier CXR Nortel Access Node ACN c wwww ACN 1107 SRPMK Subscrb Carrier CXR Pair Gain PRGN c wwww PRGN 1108 SRPMK Subscrb Carrier CXR Tadiran Multi Gain TADN c wwww TADN 1109 SRPMK Subscrb Carrier CXR Fiber Loop Carrier FITL c wwww FITL 1110 SRPMK Subscrb Carrier CXR Other Subs Carrier OCXR c wwww OCXR 1111 SRPMK -- Digital Access DAC c wwww --- 1200 --- Cross Connects DACS DAC Alcatel 1633 AL33 c wwww AL33 1201 SRPMK DACS DAC Alcatel 1630 AL30 c wwww AL30 1202 SRPMK DACS DAC Tadiran T:Dax TD31 c wwww TD31 1203 SRPMK DACS DACS Tellabs Titan 5500 TL31 c wwww TL31 1204 SRPMK DACS DACS Lucent 1:0 LU10 c wwww LU10 1205 SRPMK DACS DACS Other DACS ODAC c wwww ODAC 1206 SRPMK -- Network Data DTM c wwww --- 1300 --- Termination ADSL MODEM DTM Netspeed ADSLMDM c wwww ADSL 1301 SRPMK Data Termination DTM General NETDTM c wwww DTM 1302 SRPMK -- Fibre optic FOT c wwww --- 1400 SRPMK Terminals Fibre optic FOT Asynchronous ASYT c wwww ASYT 1401 SRPMK Terminals Transport Fibre optic FOT Asynchronous ASYM c wwww ASYM 1402 SRPMK Terminals Multiplex Fibre optic FOT Nortel OC 3 NO3 c wwww N03 1403 SRPMK Terminals Fibre optic FOT Nortel OC 12 N12 c wwww N12 1404 SRPMK Terminals Fibre optic FOT Nortel OC 48 N48 c wwww N48 1405 SRPMK Terminals Fibre optic FOT Fujitsu OC 1 F01 c wwww F01 1406 SRPMK Terminals Fibre optic FOT Fujitsu OC 3 F03 c wwww F03 1407 SRPMK Terminals Fibre optic FOT Fujitsu OC 12 F12 c wwww F12 1408 SRPMK Terminals Fibre optic FOT Lucent OC 3 L03 c wwww L03 1409 SRPMK Terminals Fibre optic FOT Lucent OC 48 L48 c wwww L48 1410 SRPMK Terminals Fibre optic FOT Other FOTS OFOT c wwww OFOT 1411 SRPMK Terminals -- Multiplex MUX c wwww --- 1500 --- Multiplex MUX Network Analog NETA c wwww MXNA 1501 SRPMK Multiplex MUX Network Digital NETD c wwww MXND 1502 SRPMK Subscriber Multiplex MUX Subscriber Analog SUBA c wwww MXSA 1503 SRPMK Multiplex MUX Subscriber Digital SUBD c wwww MXSD 1504 SRPMK Multiplex MUX Channel Banks CHNL c wwww MXCB 1505 SRPMK Multiplex MUX DS-1 Cross- DS1X c wwww DS1X 1506 SRPMK connect Multiplex MUX DS-3 Cross- DS3X c wwww DS3X 1507 SRPMK connect Multiplex MUX STS-1 Cross- STSX c wwww STSX 1508 SRPMK connect Multiplex MUX Optical Cross- OPTX c wwww OPTX 1509 SRPMK connect Multiplex MUX Synchronization SYCH c wwww MXSY 1510 SRPMK Multiplex MUX ADSL Multiplexer ADSLMUX c wwww ADSM 1511 SRPMK -- PCM PCM c wwww --- 1600 --- PCM PCM Transport TRNP c wwww PCMT 1601 SRPMK PCM PCM Access ACS c wwww PCMA 1602 SRPMK -- Power PWR c wwww --- 1700 SRPMK Power PWR Battery BATT c wwww BATT 1701 SRPMK Power PWR Plant PLNT c wwww PLNT 1702 SRPMK Power PWR Auxiliary UPS c wwww UPS 1703 SRPMK Power PWR Other OPWR c wwww OPWR 1704 SRPMK -- Radio RAD c wwww --- 1800 --- Radio RAD Mobile Radio MOB c wwww MOB 1801 SRPMK Radio RAD Subscriber Radio SUB c wwww SUB 1802 SRPMK Radio RAD General Radio ORAD c wwww ORAD 1803 SRPMK Radio RAD Nortel RD3 NORRD3 c wwww RD3 1804 SRPMK Radio RAD Nortel RD6 NORRD6 c wwww RD6 1805 SRPMK Radio RAD Farinon DM-2A DM-2A c wwww DM2A 1806 SRPMK Radio RAD Farinon DVM-6 DVM-6 c wwww DVM6 1807 SRPMK Radio RAD Quadralink T1 QUADLNK c wwww QUAD 1808 SRPMK Radio RAD Alcatel 4000 4000 c wwww 4000 1809 SRPMK Radio RAD Alcatel 6000 6000 c wwww 6000 1810 SRPMK Radio RAD Outside Wave Guide WAVEGYD c wwww WAVE 1811 SRPMK -- Supplementary SCS c wwww --- 1900 SRPMK Circuit Swtchg Supplementary SCS 800 Service 800S c wwww 800S 1901 SRPMK Circuit Swtchg Supplementary SCS 900 Brite 900B c wwww 900S 1902 SRPMK Circuit Swtchg Supplementary SCS IBM Voice IVMM c wwww IVMM 1903 SRPMK Circuit Swtchg Msg Machine Supplementary SCS Boston Voice BVMM c wwww BVMM 1904 SRPMK Circuit Swtchg Msg Machine Supplementary SCS Octel Voice OVMM c wwww OVMM 1905 SRPMK Circuit Swtchg Messaging Supplementary SCS AIN AIN c wwww AIN 1906 SRPMK Circuit Swtchg Supplementary SCS VNET SVCS VNET c wwww VNET 1907 SRPMK Circuit Swtchg Supplementary SCS E911 E911 c wwww E911 1908 SRPMK Circuit Swtchg -- Aerial Copper AC c wwww AC 3000 LSRPM cable & wire Aerial Fibre AFC c wwww AFC 3001 LSRPM optic cable Aerial Coaxial AXC c wwww AXC 3002 LSRPM cable Buried Copper BC c wwww BC 3003 LSRPM cable Buried Fibre BFC c wwww BFC 3004 LSRPM optic cable Buried Coaxial BXC c wwww BXC 3005 LSRPM cable Cable closures CT c wwww CT 3006 LSRPM & terminals In-Conduit IC c wwww IC 3007 LSRPM Copper cable In-Conduit Fibre IFC c wwww IFC 3008 LSRPM optic cable In-Conduit Coax- IXC c wwww IXC 3009 LSRPM ial cable Conduit CON c wwww CON 3010 LSRPM Poles POL c wwww POL 3011 SRPMK Framework & FRM c wwww FRM 3012 SRPMK Support Application APS c wwww APS 3013 SRPMK Software Broadcast Equip- BRD c wwww BRD 3014 SRPMK ment Network Manage- NWM c wwww NWM 3015 SRPMK ment Traffic Operator TOW c wwww TOW 3016 SRPMK Workstations Towers TWR c wwww TWR 3017 SRPMK Packet Switching PSW See Terminal Equipment c wwww PSW 2600 SRPMK -- ------------------------------- AWAS Attendance / Absence Codes ------------------------------- _____________________________________________________________________________________________________________ SAP Description SAP Old AWAS Old UDS Code New AWAS Codes Function Code Function Code Approved Furlough AF 9918, 9919, 9920, 9921 AWO, D/O, LOU, LWO 9918 Apprenticeship Training AT 9925 ATL 9925 Formal Training FT 9926, 9927 IST 9926 Bereavement Leave BL 9913 BRV 9913 Pallbearer Leave PL 9914 9914 Compensation Absence CA 9909 WCF, WCO, WCR 9909 Compensation Doctor CADM WCS 9910 Appointment Doctor Medical DM 9906 MDL 9906 Serious Distress DS 9907 9907 Funeral Leave FL 9915 9915 Holiday in Lieu HL 9937 SHL 9937 Holiday Unpaid HU 9938 Working Scheduled HW 9939 SHW 9939 Stat Holiday Northern Vacation NW 9904 9904 Sick Absence SICK 9908 LSP, S7, S8, S9, 9908 SI, SIE, SWO Union Leave UL 9916 LNG, LWS 9916 Vacation VA 9902, 9901 VAC 9902 Vacation Bank Taken VB 9903 9903 Vacation Leave Without Pay VF VWO 9901 VACATION OVERTIME PAYOUT VP 9912 9912 Jury Duty JD 9920 Military Leave ML 9905 Paid Absence XP 9929 LWP 9929 Regular Time RG 9917, 9930, 9931, REG, ST, STE 9917 9932, 9933, 9934, 9935, 9936, 9937, 9938 Banked Time Off BTO 9911 BU 9911 FWAP Straight Time Banked FTO 9912 Worked up leave Weekend DNP 9940, 9924 9940 Personal Family Day Off KS PLD 9930 Limited Sick Pay (Part Time LSP LKA 9938 Employee) Suspension Without Pay SO 9921 SSO 9921 PREGNANCY FURLOUGH PF 9922 9922 ADMIN SUPPORT YA 9035 9035 INTERNAL SUPPORT YI 9036 9036 OUTSIDE SUPPORT YO 9037 9037 ACTING SUPERVISOR AS 9038 9038 -- ----------------------------------- SAP Premiums / Hourly Differentials ----------------------------------- _____________________________________________________________________________________________________________ SAP Description SAP Old AWAS Old UDS Code New AWAS Codes OTH EHC OTH EHC Standby Pay SB SB FWAP Straight Time Banked STOT ST Overtime OT DT, TH, SV, BOT, BOTR, DB, OT VH, VO, TV, DBR, DT, DT94, VS, ST, VT DTR, OT, TT Overtime Non Continuous OTB OB Premium Call Out PC PC Tower Climb TC TC Tower Time TT TT Charge Hand CH CH CH Training TR TR TR Class Instructor 7002 CI CI Plant to Management 7004 PM PM Equipment Servicing 7005 ES ES Heavy Equipment Operator 7006 HE HE Mechanic Field Worker 7007 ME ME Truck Driver 7008 TD TD Partial Assignment of P6 PAM6 P6 Management Duties Partial Assignment of PM PAM PM Management Duties Partial Assignment of PR PAMR PR Management Duties Responsibility Pay R1 RP1 R1 Responsibility Pay R2 RP2 R2 Responsibility Pay R3 RP3 R3 Responsibility Pay R4 RP4 R4 -- ---------------------------- SAP Internal Orders and AWAS ---------------------------- _____________________________________________________________________________________________________________ Description SAP Internal AWAS AWAS Product AWAS Function AWAS Product/Account Order Number Driver Worked Code BID code Entered MULTIMEDIA SUPPORT 5001886 20 1000 4000 S,R 5001886 (RESIDENTIAL) PUBLIC PAYPHONE 5009309 TCI 5000 4000 M 5009309 Change to ($0.35) -- ---------------------------- Network Functional Locations ---------------------------- _____________________________________________________________________________________________________________ Functional Location FL Description AWAS C.O. Codes Wire Centre (WWWW) ACVY Acadia Valley Area 0603 ACME Acme Area 0146 ARDR Airdrie Area 0118 ATBH Alberta Beach Area 0372 ADFL Alder Flats Area 0339 ALIX Alix Area 0172 ALNC Alliance Area 0315 ALRO Altario Area 0170 ANDR Andrew Area 0512 ANZC Anzac Area 0428 ADSN Ardrossan Area 0366 AWWD Arrowwood Area 0138 ASMT Ashmont Area 0543 ASMP Assumption Area 0495 ATBC Athabasca Area 0433 BNFF Banff Area 0127 BRNS Barons Area 0277 BRHD Barrhead Area 0381 BSHW Bashaw Area 0305 BSSN Bassano Area 0625 BWLF Bawlf Area 0306 BRCN Bear Canyon Area 0485 BUMT Beaumont Area 0365 BRLG Beaverlodge Area 0452 BSKR Beiseker Area 0147 BLLV Bellevue Area 0260 BNTL Bentley Area 0179 BWYN Berwyn Area 0483 BGVY Big Valley Area 0168 BDLS Bindloss Area 0606 BLFD Blackfalds Area 0174 BLKE Blackie Area 0137 BLRM Blairmore Area 0258 BLRG Blue Ridge Area 0385 BACD Bon Accord Area 0350 BNNZ Bonanza Area 0451 BNVL Bonnyville Area 0550 BWIS Bow Island Area 0607 BWDN Bowden Area 0189 BOYL Boyle Area 0435 BGCK Bragg Creek Area 0114 BRTN Breton Area 0331 BRCK Brocket Area 0255 BRKS Brooks Area 0622 BNVA Brownvale Area 0487 BRHE Bruderheim Area 0360 BRDT Burdett Area 0609 BYMR Byemoor Area 0167 CDMN Cadomin Area 0401 CLLK Calling Lake Area 0431 CLMR Calmar Area 0320 CMRS Camrose Area 0301 CNMR Canmore Area 0128 CRBN Carbon Area 0196 CMGY Carmangay Area 0278 CRLN Caroline Area 0191 CRST Carstairs Area 0143 CAST Castor Area 0164 CYLY Cayley Area 0136 CREL Cereal Area 0602 CSFR Cessford Area 0627 CHMP Champion Area 0141 CHVN Chauvin Area 0534 CWLK Chipewyan Lake Area 0430 CHMN Chipman Area 0363 CRMT Clairmont Area 0455 CRHO Claresholm Area 0256 ARWY CLGR - Airways Area in Calgary 0061 BNVT CLGR - Bonavista Area in Calgary 0014 BWNS CLGR - Bowness Area in Calgary 0009 CPHL CLGR - Capital Hill Area in Calgary 0004 CHTS CLGR - Cres Heights Area in Calgary 0046 CRCD CLGR - Crowchild Area in Calgary 0033 ELPK CLGR - Elbow Park Area in Calgary 0007 FSLN CLGR - Forest Lawn Area in Calgary 0010 HLHT CLGR - Hillhurst Area in Calgary 0031 HNHL CLGR - Huntington Hills in Calgary 0013 KLRN CLGR - Killarney Area in Calgary 0002 KGLD CLGR - Kingsland Area in Calgary 0012 MAIN CLGR - Main Area in Calgary 0001 MCKZ CLGR - Mckenzie Area in Calgary 0051 MTRY CLGR - Mount Royal Area in Calgary 0006 OKRG CLGR - Oakridge Area in Calgary 0015 OGDN CLGR - Ogden Area in Calgary 0038 SNSY CLGR - Shawnessy Area in Calgary 0049 TMPL CLGR - Temple Area in Calgary 0022 CLIV Clive Area 0173 CLYD Clyde 0375 CODL Coaldale Area 0274 CCHR Cochrane Area 0113 CDLK Cold Lake Area 0549 CLMN Coleman Area 0259 CNKL Conklin Area 0427 CNST Consort Area 0166 CRNT Coronation Area 0165 CTHL Country Hill Area Calgary 0054 COTS Coutts Area 0269 CWLY Cowley Area 0261 CGMY Craigmyle Area 0629 CMNA Cremona Area 0144 CSFD Crossfield Area 0119 CSTN CSTN - Cardston Area 0254 CZAR Czar Area 0533 DYLD Daysland Area 0307 DBLT Debolt Area 0462 DLBR Delburne Area 0187 DELI Delia Area 0631 DRWT Derwent Area 0524 DEVN Devon Area 0319 DSBY Didsbury Area 0145 DXVL Dixonville Area 0492 DNLD Donalda Area 0161 DNLY Donnelly Area 0471 DRVY Drayton Valley Area 0334 DMHL Drumheller Area 0197 DCHS Duchess Area 0623 EGHM Eaglesham Area 0454 ECLE East Coulee Area 0198 ECVL Eckville Area 0181 EGTN Edgerton Area 0528 EDSO Edson Area 0395 BVLY EDTN - Beverly Area Edmonton 0752 BNDN EDTN - Bonnie Doon Area Edmonton 0711 CTDW EDTN - Castle Downs Edmonton 0742 CLBR EDTN - Clover Bar Area Edmonton 0743 ESGT EDTN - East Gate Area Edmonton 0712 EDIA EDTN - Edmonton International Airport 0346 EMAN EDTN - EDTN Main Area Edmonton 0701 ELSL EDTN - Ellerslie Area Edmonton 0732 EVGR EDTN - Evergreen Area Edmnoton 0744 JSPL EDTN - Jasper Place Area Edmonton 0721 KASK EDTN - Kaskitayo Area Edmonton 0733 LNDM EDTN - Lendrum Area Edmonton 0731 LWIS EDTN - Lewis Farms Area Edmonton 0722 LDDY EDTN - Londonderry Area Edmonton 0741 MDWS EDTN - Meadows Area Edmonton 0713 MLWD EDTN - Mill Woods Area Edmonton 0714 NRST EDTN - North East Area Edmonton 0745 NRWD EDTN - Norwood Area Edmonton 0751 OLVR EDTN - Oliver Area Edmonton 0763 PLSD EDTN - Pilot Sound Area Edmonton 0746 ROPR EDTN - Roper Area Edmonton 0715 SEIP EDTN - South East Industrial Area Edmonton 0716 STON EDTN - Stone Area Edmonton 0764 STRC EDTN - Strathcona Area Edmonton 0734 TWGR EDTN - Terwillegar Area Edmonton 0735 TWBK EDTN - Twin Brooks Area Edmonton 0736 WJPL EDTN - West Jasper Place Edmonton 0724 WEML EDTN - West Edmonton Mall Edmonton 0723 WSMT EDTN - Westmount Area Edmonton 0761 WRBN EDTN - Winterburn Area Edmonton 0765 CNNL EDTN - Cannell Area Edmonton 0762 ELPN Elk Point Area 0542 EKWR Elkwater Area 0615 ELNR Elnora Area 0201 EMPR Empress Area 0605 ENCH Enchant Area 0268 ETZK Etzikom Area 0620 EVBG Evansburg Area 0335 EXSW Exshaw Area 0129 FRVW Fairview Area 0490 FLHR Falher Area 0470 FAST Faust Area 0472 FRNT Ferintosh Area 0303 FLTB Flatbush Area 0376 FRMS Foremost Area 0618 FSBG Forestburg Area 0313 FTAS Fort Assiniboine Area 0380 FTCP Fort Chipewyan Area 0426 FTMK Fort Mackay Area 0429 FTML Fort Macleod Area 0251 FTSK Fort Saskatchewan Area 0351 FTVM Form Vermilion Area 0497 FXCK Fox Creek Area 0386 FXLK Fox Lake Area 0501 FTMM Ft McMurray Area 0425 GDSB Gadsby Area 0163 GLHD Galahad Area 0314 GIBN Gibbons Area 0353 GFLK Gift Lake Area 0468 GXVL Girouxville Area 0464 GLCH Gleichen Area 0126 GLND Glendon Area 0537 GLWD Glenwood Area 0252 GDCT Grand Centre/Cold Lake Area 0547 GDCH Grand Cache Area 0404 GDPR Grand Prairie Area 0450 GRNM Granum Area 0257 GRLD Grassland Area 0436 GYLK Grassy Lake Area 0266 GMSW Grimshaw Area 0482 GRAD Grouard Area 0467 HRHL Hairy Hill Area 0520 HLKR Halkirk Area 0162 HANN Hanna Area 0628 HRTY Hardisty Area 0317 HYLK Hay Lakes Area 0299 HAYS Hays Area 0267 HSBG Heinsburg Area 0544 HSLR Heisler Area 0309 HILV High Level Area 0496 HIPR High Prairie Area 0465 HIRV High River Area 0132 HILD Hilda Area 0613 HNCK Hines Creek Area 0484 HITN Hinton Area 0399 HBMA Hobbema Area 0326 HLDN Holden Area 0518 HGDN Hughenden Area 0532 HUSR Hussar Area 0205 HYTH Hythe Area 0453 INFL Innisfail Area 0188 INFR Innisfree Area 0514 IRMA Irma Area 0527 IRSP Iron Springs Area 0276 IRCN Irricana Area 0120 IRVN Irvine Area 0612 ISLY Islay Area 0525 JRVE Jarvie Area 0377 JSPR Jasper Area 0403 JSRE Jasper East Area 0402 JENR Jenner Area 0610 JDPR John D'Or Prairie Area 0502 JSRD Joussard Area 0469 KNKS Kananaskis Area 0148 KPHL Keephills Area 0337 KGRV Keg River Area 0500 KILM Killam Area 0311 KNSO Kinuso Area 0475 KTCY Kitscoty Area 0555 LCRT La Crete Area 0498 LBCH Lac La Biche Area 0437 LCMB Lacombe Area 0176 LKLS Lake Louise Area 0130 LAMT Lamont Area 0361 LNGD Langdon Area 0122 LAVY Lavoy Area 0515 LEDC Leduc Area 0318 LEGL Legal Area 0374 LSVL Leslieville Area 0182 LTBR Lethbridge Area 0250 LTBF Little Buffalo Area 0493 LLYD Lloydminister Area 0553 LDGP Lodgepole Area 0338 LMND Lomond Area 0140 LGVW Longview Area 0133 LGHD Lougheed Area 0316 MGRT Magrath Area 0283 MMOB Ma-Me-O Beach Area 0328 MNNG Manning Area 0491 NMVL Mannville Area 0529 MYBR Manyberries Area 0619 MRBO Marlboro Area 0398 MRWN Marwayne Area 0554 MYTP Mayerthorpe Area 0384 MLNN Mclennan Area 0473 MNRV Meander River Area 0503 MDHT Medicine Hat Area 0621 MKRV Milk River Area 0273 MILT Millet Area 0327 MILO Milo Area 0139 MNBN Minburn Area 0523 MIRR Mirror Area 0171 MRVL Morinville Area 0368 MRLY Morley Area 0131 MORN Morrin Area 0200 MLHT Mulhurst Bay Area 0329 MNDR Mundare Area 0519 MRNM Myrnam Area 0522 NAMO Namao Area 0352 NMPA Nampa Area 0481 NATN Nanton Area 0134 NDTN New Dayton Area 0282 NNRY New Norway Area 0302 NSPA New Sarepta Area 0304 NBRK Newbrook Area 0432 NSKU Nisku Area 0323 NTJT Niton Junction Area 0397 NBFD Nobleford Area 0279 NRDG Nordegg Area 0184 OKTK Okotoks Area 0115 OLDS Olds Area 0192 ONWY Onoway Area 0373 OYEN Oyen Area 0601 PRVY Paradise Valley Area 0556 PCRV Peace River Area 0488 PLLK Peerless Lake Area 0479 PERS Peers Area 0396 PNHL Penhold Area 0186 PCBT Picture Butte Area 0275 PNCK Pincher Creek Area 0262 PLDN Plamondon Area 0439 PNKA Ponoka Area 0177 PRDS Priddis Area 0116 PRVT Provost Area 0526 RDWY Radway Area 0355 RNLK Rainbow Lake Area 0499 RLTN Ralston Area 0611 RYMN Raymond Area 0280 RDDR Red Deer Area 0194 RDER Red Earth Area 0480 RDWR Redwater Area 0354 RMBY Rimbey Area 0178 ROBB Robb Area 0400 ROCH Rochester Area 0434 RMTH Rocky Mountain House Area 0183 RKFD Rockyford Area 0123 RLHL Rolling Hills Area 0626 RSLD Rosalind Area 0308 RSBD Rosebud Area 0199 RMSY Rumsey Area 0195 RYCF Rycroft Area 0458 RYLY Ryley Area 0517 SNGD Sangudo Area 0383 SKCS Saskatchewan River Crossing Area 0175 SCHL Schuler Area 0614 SBBH Seba Beach Area 0333 SDWK Sedgewick Area 0312 SVPR Seven Persons Area 0608 SXSM Sexsmith Area 0456 SWPK Sherwood Park Area 0364 SBLD Sibbald Area 0604 SLVY Silver Valley Area 0463 SELK Slave Lake Area 0477 SMTH Smith Area 0476 SMLK Smoky Lake Area 0358 SPRV Spirit River Area 0461 SPGV Spruce Grove Area 0369 SPVW Spruce View Area 0190 STAL St Albert Area 0367 STMC St Michael Area 0362 STPL St Paul Area 0535 STOF Stand Off Area 0253 STDD Standard Area 0125 STVY Stavely Area 0135 STLR Stettler Area 0160 STNG Stirling Area 0281 SYPL Stony Plain Area 0370 STMR Strathmore Area 0121 STRM Strome Area 0310 SCOC Sunchild O'Chiese Area 0185 SNDR Sundre Area 0193 SNHL Swan Hills Area 0379 SYLK Sylvan Lake Area 0180 TABR Taber Area 0264 TRHL Thorhild Area 0359 THRS Thorsby Area 0322 THHL Three Hill Area 0204 TLLY Tilley Area 0624 TOFD Tofield Area 0516 TMHK Tomahawk Area 0336 TRTN Torrington Area 0203 TRCH Trochu Area 0202 TRVY Turner Valley Area 0117 TWHL Two Hills Area 0511 VYVW Valleyview Area 0466 VXHL Vauxhall Area 0265 VGVL Vegreville Area 0510 VRML Vermilion Area 0531 VTRN Veteran Area 0169 VKNG Viking Area 0521 VILN Vilna Area 0538 VLCN Vulcan Area 0142 WBMN Wabamun Area 0371 WBSC Wabasca Area 0478 WNWR Wainwright Area 0530 WLSH Walsh Area 0617 WNRV Wandering River Area 0438 WNHM Wanham Area 0457 WRBG Warburg Area 0321 WRNR Warner Area 0270 WSPT Warspite Area 0357 WKTN Waskatenau Area 0356 WRTP Waterton Park Area 0263 WMBY Wembley Area 0459 WLOC Westlock Area 0378 WTKW Wetaskiwin Area 0325 WTCO Whitecourt Area 0382 WHLW Whitelaw Area 0486 WDWR Widewater Area 0474 WLWD Wildwood Area 0332 WLDN Willingdon Area 0513 WNFD Winfield Area 0330 WOKG Woking Area 0460 WRSY Worsley Area 0489 WRHM Wrentham Area 0272 YNTW Youngstown Area 0630 ZAMA Zama Area 0494 --- AWAS Related Telephone #'s / IP's: 'DISPATCH / ANALYSIS CENTERS' LOWER MAINLAND: Bus DAC - CPE (604) 453-2212 BUS DAC - NET (604) 453-2213 I/R DAC - (604) 453-2330 or 1-800-665-2927 Network DAC - (604) 453-2900 or 1-877-828-8812 TNO CSD Support Line - 1-800-665-2927 -- KELOWNA: Bus DAC - (250) 470-5455 or 1-800-665-4249 I/R DAC - (250) 470-5455 or 1-800-665-2927 -- VICTORIA: Bus DAC - (250) 388-8021 I/R DAC - (250) 388-8877 or 1-800-665-2927 --> LAPTOP SUPPORT NUMBERS: 'TELUS OPERATIONS LAPTOP SUPPORT' 7035 Greenwood Street Burnaby, B.C. V5A 1X7 (604) 432-5559 or 1-888-999-2927 Fax (604) 415-9067 -- SPOC (PASSWORD TROUBLES) - 1-800-606-7762 -- FIELD SUPPORT NUMBERS: 'CUSTOMER SERVICE REPS' Residential - 1-888-483-4777 Business - 1-888-388-3302 -- ASSIGNMENT AND PROGRAMMING: Assignment - 310-3344 -6 -1 Local # Portability - 310-3344 -6 -2 Activations (CDA) 310-3344 -6 -3 -- TEST DESK: 1-800-665-1774 (250) 861-2280 (604) 430-7333 -- (PLANT) TEST NUMBERS: Line Opener - 958-4111 ANI (ANAC) - 958-6111 ADSL Provisioning - (604) 878-3101 or 1-877-519-9292 -- LAPTOP (MODEM) DIAL-UP NUMBERS: AWAS local: 205-5923 AWAS long dis: 1-888-665-2100 Secure ID local: 205-5263 Secure ID long dis. 1-888-886-7877 --> 'Online AWAS Resources' --------------------- The following are some links for additional information on AWAS: http://www-1.ibm.com/industries/wireless/doc/content/bin/telusappbrief.pdf http://www.crtc.gc.ca/ENG/publications/reports/8660/TCBC/Aug98a2.doc http://www.hackcanada.com/canadian/phreaking/gc_dima.txt http://www.e-voliucija.lt/2001presentations/evoliucijaIBM.pdf -- [ 'Conclusion to Document' ] There you have it, folks; The Comprehensive Guide to AWAS. I hope it was worth it. The Automated Work Administration System, a network of love, hate, and chaos. Can you sit around and let this system control your lives, or are you going to stand up and fight against the new world order? Fear not, for we are here to protect you. This guide represents part of my effort to widen the audience of the latest and great est groundbreaking technologies from the incumbent telecommunication powers that be. Phreaking has had an enormous influence on my life and my view of the universe. My only regret is that the limits of the current technologies we're involved with today fail to capture the full fidelity of the bigger picture. The bigger picture is that you are a slave! A slave to POTS copper, a slave to the proprietary. Wake up, sleepy! AWAS' wireless side... to die? In other news, the CDPD side of AWAS is said to be in the works of "deconstruction". Is AWAS too expensive, too complex, too resource intensive to keep alive? Is AWAS going to be replaced with an advanced Teradyne engineered 4TEL (VRS) system? A telus technician from Edmonton who spoke with my associate H1D30U5 said this may happen, or are these foolish rumours in a failed attempt to TRICK local phreaks into leaving the "system" alone? Only time will tell because, of course... the future is friendly(tm)! ---> buy me an ice cweam? ---> Millennium Hardware Modification for the purpose of Redboxing By: H1D30U5 03/29/04 Shouts to Hackcanada, Nettwerked, The Clone, Wizbone, Kankraka, Cyb0rg/Asm, Question, Tr00per, H410G3N, and of course Nortel (for giving us a laugh or 2) Thanks to Joe Clark for taking the time to send me some information. And thanks to Jackel for writing the first document regarding this idea. Equipment required to pull this 'sploit 1. Propane torch + Lighter 2. Wire cutters 3. Electrical Tape 4. Super Glue 5. Balls of Solid Rock. For Reference, the tones for NACTS are as follows Quarter 2200hz 33ms on 33ms off 5 times repeated Dime 2200hz 66ms on 66ms off 2 times repeated Nickel 2200hz 66ms on 66ms off once 3900hz can also be substituted because Telus' switching equipment will also accept this as a valid frequency. If it's easier to produce, go for it. Also see the redboxing file on Hackcanada.com written by Cyb0rg/Asm for more details on how to build your redbox. ***Millennium Info/History*** MILLEN MTR 2.0--Millennium Payphone (A0748017) The Millennium Payphone was once called the "Un-Phreakable Phone" simply because it has many fraud deterrants such as the false dial tone, the remote DTMF dialling, and the microphone muting. It was manufactured by Quortech and licenced for use and distribution to Nortel. The birth of the Millennium happened in 1993, according to Doug Matatall, director of Millennium marketing at Northern Telecom. Ordinary people on the street and marketing designers wanted to produce the "Perfect" pay-telephone. Consumers asked that the buttons on the dialing pad not be hidden under the handset as they are on the older Centurion model, so the Millennium's handset was placed next to the buttons. People with tremors, cerebral palsy, and other motor impairments had difficulty inserting coins and dialing numbers, so the Millennium's buttons are farther apart and the coin slot is surrounded by a tapered bezel to guide a coin in. It has an alpha-numeric display, and an internal computer that will set off alarms in case of vandalism / abuse, a full coin box, or when the coin slot is jammed (so don't say it's jammed to a live op, THEY KNOW.) Matatall states that there are just over 167 000 payphones in Canada, and over 60,000 of them are Millenniums. There are over 150,000 Millenniums in North America alone. They are also found in Singapore, Australia, and Thailand. This phone has been engineered, and re- engineered to weather anything. The LCD was even engineered with a special substance that has a freezing point of -60 Celcius so that the display will not freeze even in the harshest of Canadian winters. The Millennium doesn't merely display information, it also talks to you in a synthesized voice. Though this redundancy should make the phone accessible to people with vision or hearing impair- ments, what you hear doesn't always match what is displayed. Place a long-distance call via a credit card, for example, and the display will read "Card verification in progress" while the synthesized voice simply says "Please wait." These features draw electrical power, using a TA10750 Transformer and only draw up to 8.6 watts a month, at a cost which Matatall estimates at 30 cents. (The Centurion draws no separate electrical power.) Converting all 167,000 payphones in Canada to Millenia will incur a power bill of over $50,000 a month; presumably telephone utilities will try to recoup this overhead through higher rates. ***Millennium Stats*** Height : 533mm (21") Width : 194mm (7 13/16") Depth : 155mm (6 3/16") Weight : 19.05kg (42lbs) *EMPTY* It has an enhanced G type handset with armored cabling, and an Electret Microphone with a dynamic receiver. It's operating temperature range is from -40'C to +60'C, and it's Non operating but still physically undamaged temperature range is from 10'C in either direction from it's operating range. It uses supplemental power (110v DC) and can function without the use of it's LCD to call emergency numbers, and operator assisted calls in case of a power outage. It uses a Vaccuum Fluorescent Display (but for all intents and purposes we'll just call it LCD in this article.) And it's "LCD" is able to function using English, French, Spanish, and Japanese letters and symbols. The display can also be independantly configured to display any message that the owner wants. If it were used as a COCOT, then the owner could program an advertisment into the LCD. ***THE SPLOIT*** The only method of redboxing from a Millennium before Jackel's findings was to cut the power, which is not only in-efficient, but it also automatically signals the telco. Then they'll come and repair it, etc. There is another method... we earlier discussed the "microphone muting". There is a way around this feature, for they were not smart enough to have the local switching station initiate the muting, because there are many makes and types of switches, and the older ones would not have to resources to initiate this feature. Quortech, in their infinite wisdom, then decided to use electrical grounding on a computer controlled switch to mute the microphone. They did this by sending an electrical current from the phone's power supply to the mouthpiece. This current is equal to the voltage required to power the microphone, therefore completing the circuit without passing through the microphone. That means that when the phone is kicked over into NACTS, (when the coin are to be inserted) that the microphone is bypassed. Now that we know WHY it happens, we can make it fail. The only mildly dangerous part of this exploit, is that you have to take a little bit of time to do it. This means that concerned citizen/police officer could see you doing it. I recommend night-time for this, and that you try to pick a Millennium that is semi-secluded. Not the one that's beside the door of your local 7-11... The "Bloated Gas-Bag" could see you. To stop the phone from bypassing the microphone, we have to open the handset. There are a few methods of doing this, either by breaking it, or otherwise. I prefer to bring a propane torch along with me and heat the microphone cap on the handset. This will melt the glue, and at the same time, expand the cap making it easier to remove. Okay, so we got the cap off. Pull the microphone out and take a look at how the microphone is wired. Study it, and learn something. You'll see 3 wires there; Hot, Neutral, and a strange, out of place looking wire with a clear coating on it. That's the one we're looking for. It's the wire that completes the microphone bypass. All you have to do is cut that wire, and then the phone will send current down the line as per usual, but nothing will happen. The important part though, is to tape the loose ends of the wires with electrical tape. If you go to all of this trouble to modify a payphone, then it'd better damn well work. If you do not tape the wires, and the hot loose end touches something metal, it will either fry the wiring, (it is 110v DC, same voltage as your household plugs) or mute the mouthpiece as normal... therefore undoing all your hard work! What a kick in the pants eh? So tape those wire ends up, and then glue the cap back on the mouthpiece. Done, now you can try to redbox it. I find that op's will fail to notice redboxing from millenniums because it's the "unphreakable fone." When you call from a Millennium, the op knows that you're calling from a Millennium. It will display it on their console, so you have a better success rate. I have had about 95% success when using this technique. The best reason for modifying a Millennium instead of just using a Centurion, or Fortress, is that you can learn something while doing it, and the success rate will dramatically increase. Also, you won't have telco personnel coming around to fix the phone like you'd have if you use the power out exploit. There you have it, The "Unphreakable Phone" has been phreaked. On a side note, I'd suggest that you mark the payphone after you've modified it, to let other phreakers know that it has been rigged. A Nettwerked sticker would be perfect, and that's the way that I marked the one I took apart to research this article. Have Phun, and come back safe. ---> -bush-2.05b$ rm -r /usr/local/bin/laden Are you guys having fun? :D not anymore :( you ruined it thanks alot rm -rf /usr/local/bush/cia/drugs/cocaine/white.txt ^- cover up haha you're a coverup thanks ---> ------------------------------ Alberta CLLI's and other stuff ------------------------------ By: tr00per Shouts: Question, The Clone, steelethan, kankraka, port9, hades, Jackel, Treephrog, tek and everyone else from #hackcanada If you've read k-1ine 41, you probably already know about CLLI's. The CLLI format is the same all over Canada. Ive typed out this chart to show how the CLLI format works. For more detail read 'The Complete (TELUS) British Columbia CLLI Compilation' from k-1ine 41. Here's a little review: COMMON LANGUAGE LOCATION IDENTIFICATION FORMAT CHART ----------------------------------------------------------------------------------- ITEM | CHARACTER TYPE | |-------------------------------------------------| CHARACTER POSITION | 1 2 3 4 5 6 7 8 9 10 11 | ---------------------------------|-------------------------------------------------| PLACE NAME | A A A A| | | | PROVINCE OR STATE | | A A | | | ---------------------------------| | | | | BUILDING | | | A A | | ---------------------------------| | | N N | | ENTITY | | | | | -SWITCHING ENTITIES| | | | X X X | -NON-SWITCHING | | | | A x X | ---------------------------------| | |---------------------| NON-BUILDING | | | | -cUSTOMER | | | N A N N N | -OTHER | | | A N N N N | ----------------------------------------------------------------------------------- A= ALPHA CHARACTER N= NUMERIC CHARACTER X= ALPHA OR NUMERIC CHARACTER This Chart might seem counfusing at first, but it's really quite simple. Here's an example of your standard CLLI : FTSKAB01CG1 F T S K A B 0 1 C G 1 ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ | | | | | | | | | | | The First 6 Characters These two numbers will most likely will usually represent The last 3 characters always be letters. the building site, identify the equipment/ although there are service used by the exeptions. It can have place. numerical or Alpha characters Now... to the good stuff. Here's a list of digital switches, and their CLLI's for the major cities of Alberta: SWITCH (DMS100) CLLI ------------ ----------- Airdrie ARDRAB02DSO Banff BNFFAB01CG2 Bonnyville BNVLAB03CG1 Calgary Main CLGRAB01CG2 CLGRAB01CG3 CLGRAB21DS1 Camrose CMRSAB06DSO Drumheller DMHLAB01CGO Ft McMurray FTMMAB03DSO Ft Saskatchewan FTSKAB01CG1 Grande Prairie GDPRAB01DSO High Level HILVAB01CGO Hinton HNTNAB02DSO Lethbridge LTBRAB01CG1 LTBRAB01DSO Lloydminister LLYDAB01CG1 Medicine Hat MDHTAB02CG1 Peace River PCRVAB01CGO Red Deer RDDRAB01CG1 RDDRAB01CG2 Sherwood Park SWPKAB01DSO Slave Lake SELKAB01CG2 St Albert STALAB01DSO Stettler STRLAB01CGO Vegreville VGVLAB01DSO Wainwright WNWRAB01CGO Wetaskiwin WTKWAB02CGO These are seperate areas within Calgary: AREA'S in Calgary CLLI -------------- ----------------- Airways CLGRAB61CGO Bonavista CLGRAB14DSO Bowness CLGRAB09DSO Crescent Heights CLGRAB46DSO Crowchild CLGRAB33DSO Elbow Park CLGRAB07DSO Forest Lawn CLGRAB10DSO Hillhurst CLGRAB31DSO Huntington Hills CLGRAB13DSO Killarney CLGRAB02DSO Kingsland CLGRAB12DSO Main CG2 CLGRAB01CG2 Main CG3 CLGRAB01CG3 Main DSO CLGRAB21DSO Main DS1 CLGRAB21DS1 Mount Royal CLGRAB06DSO Oakridge CLGRAB15DSO Ogden CLGRAB38DSO Shawnessy CLGRAB49DSO Temple CLGRAB22DSO I hope to have a complete list soon. Since this file is pretty damn short, I've compiled a list of telus/telco acronyms and their definitions that I thought might be useful to make it longer. If you dumpster dive or other shit, you have probably come accross e-mails, or papers or even manuals that make no sense because they are full of weirdo acronyms (silly telus where do they come up with this shit) and terms, hope this helps :) ------- .............................................................................. ANA - Automatic Number Announcement ANI - Automatic Number Identifier BERT - Bit Error Rale Test BOP - Bit Oriented Protocol BRI - Basic Rate Interface (2B+D) ISDN 128 Kbps (2 x 64 Kbps plus 1x16 Kbps channels) CIC - Carrier Identification Code CIR - Committed Information Rate CLCI - Common Language Circuit Identifier (the circuit number) CLLI - Common Language Location Identifier CPE - Customer Premises Equipment, Customer Provided Equipment DCC - Digital Access Cross-Connect DCE - Data Communication Equipment DDS - Digital Data Service DLCI - Data Link Connection Identifier DS-0 - Digital Signaling - Level 0 - ( 64.0 Kbps) DS-1 - Digital Signaling - Level 1 - (1.544 Mbps) DS-3 - Digital Signaling - Level 3 - (44.7 Mbps) DSU/CSU - Data Service Unit / Channel Service Unit DTE - Data Terminal Equipment DVACS - Digital / Voice Access and Control System FOX - Message Pattern FT1 - Fractional T1 (The Customer uses only a portion of the available bandwidth - ie: 128 KBPS) HBM - High Speed Bert Mode ILS - Individual Line Service ISDN - Integrated Service Digital Network ITU - International Telecommunications Union LAN/WAN - Local Area Network / Wide Area Network LCRV - Low Capacity Remoting Vehicle LMI - Local Management Interface MAO - Maintenance Administration Office MAP - Maintenance Administration Position NETCAP - Network Capabilities Database NID - Network Interface Device NIDP - Network Interface Device Point PIC - Preferred Inter-Exchange Carrier PR I - Primary Rate Interface (23B+D) PAD - Packet Assembler Device PAO - Plant Administration Office POC - Program Operating Center POS - Point Of Sale POTS - Plain Old (ordinary) Telephone Service PRO - Plant Provisioning Office PSTN - Public Switched Telephone Network PVC - Permanent Virtual Circuit RILS - Rural Individual Line Service S4T4 - Schedule 4, Type 4 Transmission Tests SND - Switch Network Data SPID - Service Point Identification Number (ISDN circuit number) SSOSS - Special Services Operational Support System (a provisioning and testing database and tool) STS - Synchronous Transport System SV# - Switched Virtual Circuit TDM - Time Division Multiplexing TIMS - Transmission Impairment Measurement Set TLA - Three Letter Acronym (The Surgeon General recommends these be avoided) TLp - Test Level Point or STLP (Standard Test Level Point) TOC - Television Operating Center USO - Universal Service Order USSO - Universal Special Services Order -tr00per --end-- --> Gizmo [IntricateP@dialup-67.75.231.95.Dial1.Seattle.Level3.net] has joined #hackcanada GIZMO CACA!! i love gremlins me too You're a sheep. Baaaah.. baaaaaah.. haha --> Telus Physical Key Systems; an internal memo By: Anonymous Phone Hero 03/04 This is an e-mail I aquired from a much respected member of our community. This regards Telus' new use of override keys on Telus CO's and other buildings used by lineman and switchman. Hopefully this is useful for everyone in one way or another. Again, this is not to be used for malicious purposes, but rather to educate you on Telus' Physical Security. From: Dennis Senio Sent: Friday, June 20, 2003 8:02am To: Barry Iverson; Brian Andrews; Brian Mckelvey; Brian Richardson; Dave O'donahue; Eric Hannem; Gary MacKinnon; Jim Ellis; Lynn Mattoon; Mark Hebert; Mike COllins; Reigh Hughes; Rick Domes; Shawn Cardinal; Vern Tremblay; Verne Forsberg Subject: FW: AB New keys Just a heads up that new gate and building locks are going to be installed in AB and BC that will reduce the number of different keys required for access. The recommended keys for us are the Edm.ABA2.1 and the North ABA4.1. I am trying to order them now so we may actually have them once the rollout starts. ---- Original Message ---- From: Ginger Surgeon Sent: Thursday, June 12, 2003 8:21 AM To: Garry Zannet; Louise Beattie Cc: Paul Lord; Roger Burak; Scott Wellicome; Louis Lafortune; Doug Urichuk; Rick Castonguay; Don Hamaliuk; David Beaudette Subject: AB New keys Please distribute this as necessary. There has been much discussion and e-mails regarding locks in Alberta, below are the details of what is happening. Alberta Lock Upgrades / Re-keying GENERAL SCOPE There is a project in progress to upgrade all the external locks in TELUS buildings. This project is already underway in BC, and will be starting this year in Alberta. The new locks are 'Abloy'. They will replace 'Medeco' locks on the external doors. KEY STRATEGY In an effort to reduce the current amount of keys in use, the province has been divided into 4 sections: CALGARY - all buildings in / around Calgary (must have CLLI codes starting CLGR) EDMONTON - all buildings in / around Edmonton (must have CLLI codes starting EDTN) SOUTH - all other buildings in Southern part of the province (must have area code 403) NORTH - all other buildings in Northern part of the province (must have area code 780) The new keys required for these areas are as follows: CALGARY - gates only ABA1.G - buildings & gates ABA1.1 - card access override CAC1.40 EDMONTON - gates only ABA2.G - buildings & gates ABA2.1 - card access override CAC2.40 SOUTH - gates only ABA3.G - buildings & gates ABA3.1 - card access override CAC3.1 NORTH - gates only ABA4.G - buildings & gates ABA4.1 - card access override CAC4.1 ROLL OUT PLANS 1. Sites being converted to card access wil be changed to 'Abloy' when the card access system is installed. 2. Materials for the remaining lock changes are on order. 3. Once most of the materials are on site, a communication will be sent out advising all AB employees of the lock changes and to request new keys. 4. Once the majority of the key requests have been filled, the rest of the lock changes will begin. DO I NEED TO ORDER KEYS NOW? There is an urgency to order card access override keys, if your sites are being changed to card readers. All other requests should wait until the communication is sent out to all AB employees. That will ensure that there are sufficient keys in stock to process the requests. HOW DO I ORDER KEYS? To simplify the process, a "bulk" key request form has been developed. A copy is attached. Once the form is complete, it should be mailed to "teluslock.key@telus.com" with a cc to the authorizing manager. Additional questions or concerns should be directed to me at the contact information below. Regards, Ginger Spurgeon Physical Security Specialist 10 TPS 10020 100 Street Edmonton AB T5J 0N5 tel. (780) 493-3699 fax. (780) 493-3998 --> i heard there's a new drug that gives men multiple orgasms.. they're still debating whether or not to release it publicly cyb0rg_asm: sweet crazy yeah, instead of pearl necklaces we could be giving the ladies pearl turtlenecks! --> Disabling Deep Freeze The author of this text takes no responsibility for your actions. In this text, I will discribe how to disable deep freeze 2000xp 4.10. The methods discribed in here are relevent to this version of deep freeze and possibly others as well. Deep Freeze is a computer program that works like an etcha sketch. You bring out the etcha sketch, you start doodling it, and when your done, all you need to do is give it a shake and it all goes away. Deep Freeze loads up your operating system, and your operating system is all on top of deep freeze. You go to porn sites, get infected with worms, accidentaly delete command.com and on restart everything comes back to the way it was. Registry settings will go back to the way they were, and all programs will go back to the way they were. Once deep freeze has loaded up on a computer, you cant simply disable it and be able to write to the hard disks. No sir. If deep freeze is loaded, nothing will be changed after a reboot. Deep freeze is good like that. It's great for schools where students like to play with system files and in offices where people like to view e-mail attachments and accidentaly get infected with worms. So, being the person that I am, I found that the way my computer was frozen wasn't exacltly the way I wanted it to be frozen. I wanted some things on it different when it boots up. For example, the refresh rate of the monitor was set too low. I wanted it at 85hrz, but every time I booted it would be at 60hrz and I had to change it EVERY TIME I BOOTED UP! It got to suck. First I found that if you held down shift and double clicked the deep freeze icon you get the deep freeze login screen. Theoreticly you could brute force it, but who knows how long that might take. So I started researching on how to disable deep freeze. It is so very easy, and here's how you do it in three easy steps. 1) Create a DOS boot disk and boot from it. 2) get into c:\progra~1\hypert~1\deepfr~1 3) Copy DFSERVEX.EXE to another folder (I like C:\progra~1\ but put it wherever you want, just aslong as it's not in this folder) Now deep freeze is disabled! To re-enable deep freeze, just copy that file back into the folder and your computer will be totaly frozen again. Why this works. This works because DFSERVEX.EXE is a file that deep freeze needs to freeze a machine. Without this file, deep freeze can't freeze anything. I have been told that on older versions of deep freeze that the actual file is called PERSIO.SYS, a driver or something in the same folder, but I can't comment on this myself. How can sysadmins prevent this? Making the hypertechnologys folder hidden wouldnt hurt, but the real big one is to have a password to get into the bios setup and disalow booting from anything but the hard disk. Recommended Reading: http://www.elitehackers.com/ubb/ultimatebb.php?ubb=get_topic;f=1;t=004522 http://www.deepfreezeusa.com/index.htm Have fun :) -Aftermath 03/04 ---> How's the wife? Is she at home enjoying capitalism? ---> No Sleep Magazine Interviews The Clone By: Jackel 03/04 Inspired By The Epic Interview I Have Decided To Do One About The Man Behind Canada's Longest Running Online Zine; K-1ine. Thats Right, The Clone! The Canadian scene is often over looked, the media tends to focus more on the American Hacking/Phreaking side of things (although it often paints us as evil doers and nerds with no life). Hopefully in this article the people who are not familiar with the Canadian H/P scene will notice we have the same problems as everyone else. I have noticed most of the attention in the Nosleep community going toward H3C so inspired by the Epic interview, I have decided to concentrate on Hack Canada and Nettwerked. NoSleep: How Long Has it Been Since You Started Up Nettwerked? The Clone: I started Nettwerked on May 22nd 1999. So about 4 years and 8 months. Nettwerked was originally a site I started on Hypermart.net as a place to publish my writings, specifically articles surrounding phone phreaking. NoSleep: What Is Your Relation To Hack Canada? TheClone: My relation to Hack Canada? Good question. I first learned about Hack Canada from my friend Wizbone back in December of 1998. We were both into phreaking quite a bit, and we had even started a not-so-serious group we liked to call "Telus Watchers". Telus Watchers was also hosted on a crappy freehost known as Hypermart, and like Nettwerked contained phreak files, and the like. Eventually Wizbone e-mailed the webmaster of Hack Canada, Cyb0rg/asm, congratulating him on the great site, mentioning our group, and getting to know him and the rest of the members a bit better. After a few months of building up the friendship with Hack Canada, I was asked to join the ranks. And the rest my friends is history. NoSleep: What was your first H/P experience? The Clone: My first phreaking experience was when I was 11 years old. I did a dialing of numbers... hand-scanning or "skanning" as some of us call it. Found a lot of inter- esting systems, tinkered a lot, broke into some things that I probably shouldn't of broken into it. Found a lot of interesting systems. Learned a lot about Nortel PBX's as a kid, and that "need-to-learn-about-everything-telecom" has truly stuck with me to this day... allowing me to meet great people and learn a hell of a lot more than I could have ever imagined. NoSleep: In Your Eyes, What Makes The Hack Canada/Nettwerked Scene So Special? The Clone: We contribute... a lot. We contribute more articles and projects than an other so-called hacker / phreak groups do today. We've always respected what L0pht / LOD did, and in a way, we're keeping that h/p candle burning with our own stuff. One thing that makes Hack Canada and Nettwerked so special is that we allow anyone to get involved and write for K-1ine, and our sites. We have that open door policy that a lot of people tend to respect about us. NoSleep: What Major Projects is Nettwerked/HC taking on? The Clone: Hack Canada is involved in a couple of projects that I was forced to sign non- disclosure agreements over, so at this time I cannot say what those are. However I am happy to announce that Nettwerked is involved in an outstanding project it calls the "Anti-Tempest Computer Project." The Anti-Tempest project is a collaborated effort by associates of the Nettwerked.net collective to create a fully functional / operational, "secure" anti-emanation computer using Canadian Government-certified / CSE (Communications Security Establishment) and Ontario Hydro-approved tempest equipment. Originally this machine (with a 386SX processor, and custom-made and well labelled parts) was picked up from Government Surplus Sales in Edmonton Alberta in the mid-1990's by Cyb0rg/asm. After years of dragging this extremely heavy and fairly large computer around, he got sick of it and gave it to The Clone as a present for his 20th birthday in hopes he might have more use for it. Well, it's been a couple of years and after sitting on this project for too long, The Clone is finally getting the proverbial ball rolling with the help of the official building team (H1D30u5, Kankraka, Wizbone) and making this Anti-Tempest computer into more than a glorified paper-weight. NoSleep: How Does Nettwerked/HC cope with the people who are just there to Bring the scene down? The Clone: We ignore them and they usually just go away. Or if that fails, we pay off a certain italian organization, and they are happy to make "those people" disappear for a minimal fee. Joking of course... or am I? :-) NoSleep: I Know Hc/Nettwerked has had some problems with people "selling out" what's your take on that? The Clone: It has? You mean making a living? If attempting to make a living while being a member of Hack Canada, and running Nettwerked, then I guess I'm a sell out. A corporate machine and without a soul. Zing. Selling is out when the un-corporate ideals you once held so dear are thrown out the window in place of a comfortable suit-job, where you suck the executive's cock for job security. Ask the "people" who joined @Stake. They'd be happy to endulge you. NoSleep: How Much Porn Is Too Much? The Clone: You're asking the wrong guy. I worked at a porn company as a writer, beta tester and online support for nearly 2 1/2 years. I've seen more porn in that timespan than most average Joe's see in a lifetime. To answer your question; too much porn is when you start neglecting your friends, family, and work for it. NoSleep: K-1ine has been Canada's longest running H/P zine, how many readers do you have and after 42 issues are you concerned that is it becomming a little "stale"? The Clone: I don't know how many readers K-1ine has since it's archived across the Internet on sites like textfiles.com, wiretapped.net, and Hackcanada.com. I'd say I've had thousands of people read the 'zine. But if you're wondering how many people are on my mailing list, I have about 300+. Stale? Of course not. One thing that will never happen with K-1ine (at least I hope), is that the contributing writers will stop coming up with phresh new articles. But since technology is contantly changing and the creative juices of hackers are always flowing, my answer is no. So here's a suggestion to everyone; don't want K-1ine to become stale? Then sit down and start writing. Thanks. Nosleep: Would You Care to give us a brief history lession about HC/Nettwerked? The Clone: I think I summed it up quickly in answer #2. Nosleep: Got Any Shouts or props you would like to send out to anyone? The Clone: Yeah, I'd like to give props to Hack Canada, Nettwerked, and NoSleep Magazine. No names in particular, as I'm sure I'll forget someone and I'll have them whining obsessively, biting my ankles, wondering why I didn't mention their name in this interview. heh. --> well back to my THG vids what's that, underage anime pron for juniors? --> Internet Psychology Now he was getting somewhere. By: aestetix Joe scanned the screen for certain serial numbers he'd recognize, dates of copyright, version numbers. Anything to help him to identify where it was he'd just got himself into. He was looking at a daemon scroller, but not a typical Apache or Redhat configuration like he was used to. This one was cryptic, not hidden like the one in WarGames but jargled to where it seemed like there was something important that someone not important wasn't supposed to read. Naturally, Joe wanted in. In a day where 99.999% of the world was used to seeing cute flash advertisements in a standard web page format using the latest W3C XML technologies, he'd managed to find this bizarre server. Nobody used telnet anymore if they had something important to share; SSH had taken over the net. Where the hell did he even find this server? It definately wasn't in a routine slashdot comment, or a tracert of some spam email. Maybe he'd picked it up sniffing AIM packets or something. Actually, it was more likely he'd found it in IRC somewhere. But it didn't work right away, like a normal server. Then he ran a trace of the server, found it was in Russia... probably only accepts Russian computers, something this secure. Step one, look up class numbers for Russian ISPs... step two, change IP address. Very rarely would a server running ip authority checks look at your MAC address too, so he was clear. Change the IP address, log into the server and BLIP! it connected, only to display that junk. Hmmm, gotta figure it out. He copied the jargon into Google, to no avail. Ok, maybe ROT-13, just for kicks. Nothing. Pop over to neworder, run a search.... three results, two crap, this one looks like it might work. Strange name for a server, but what is this? It's almost like a buffer overflow, but those are carefully fixed now. Couple RFC references, browse through, here's some interesting syntax... looks like a wierd cross between HTTP and SSH. So maybe the server doesn't actually use telnet, but it performs a node translation.... bizarre. This is the dead time, like writer's block, when you thought you'd gotten somewhere but realized you've only scraped some sand off this massive steel door. None of the pieces really fit anywhere, it's like one of those LucasArts games where you wander around repeating the same thing 50 times because you have no idea what to use. Ninety percent of the time, when you get here it's over. Either there's some insane Netscape plugin you need to listen to the sound that's really not all that important, or you realize you haven't even looked up the cake recipe for your mom yet. But a few relentless devotees won't let it go. They're the hardcore. Some call them idiotic, others call them elite. These are the people who show up at school or work looking like a train hit them, mad at the sun and the annoying test they didn't study for. They live off caffeine like a badger needs garbage, and while they seem completely socially inept occas- ionally they become the life of the party. They don't really need a party though, if they have a good book, a computer, or someone to prove wrong. Joe logs into IRC, server irc.0062.net, pops into his normal channel. "Hey, everyone, look at this!" he says. He mentions the basic nature, private messages the specifics to the three or four users he's known for over a year. Let's see if they can help. Half the channel is debating ideas Joe's already considered, the other half goes into a stupid flamewar. The trusted users, like v3nus and y7ta, are the only ones he really makes progress with. Each of them log into the server, same conclusion. Is it corporate? No, too secure. Could it be a university testing a new protocol? Possibly. Maybe it's government. That sounds way too much like a movie though. Joe imagines the secret service busting down the door any minute, even though he knows it's completely legal to dial into a system, provided he doesn't access anything. Or at least that's what the logs say. It feels strange in one sense, but silly in another. He knows it's most likely some kid who configured his daemon to output jargon so he could show off to his kid friends ("Look, I know how to change the config files!"). At this point, maybe the only thing left stimulating him is the insane techno music streaming from a 24/7 server, though he has no idea who's playing or how long it's been. Something to sink into, a trancey beat, yet with enough bass to propell him into the hunt. With the music everything he does seems a little bit cooler, even if he has nobody else to show off his skills to. He doesn't need to, anyways, because anyone who needs to know already does. Suddenly y7ta messages him, sends him a really obscure web address. But it's dot cx, which he recognizes immediately as Christmas Island. Figures, it's probably some asshole's sick idea of a joke, But y7ta wouldn't do that to him. He loads up the site. Odd, it's a short story about a new internet protocol, something that combines HTTP and SSH to form a new language, one that allows a terminal window to display graphics. That's really fucked up. He picks up the RFC of the protocol, looks it up. Absorbs it. All this new syntax. Amazing. He knows what he wants, a directory list. So he figures it out. Logs back into that server, gets the empty prompt, pastes his request. There's a dot stp file, which works with this new protocol. Fucking sweet! He's rocking, he's rolling, screw that dead type, he's gonna get it. The beats play in the background, but he doesn't need that anymore. He's almost beat the challenge! Back to the RFC, needs to load up that file. Puts in the proper request syntax, waits five seconds.... and his terminal screen fills up with the ass of goatse. ---> I want to meet cyborg.. I'd be like, "Hello cyborg." And he'd be like, "Uh, hi.. who are you^" and I'd be like, "I'm port!" and he'd be like, "Port who^" and I'd be like, "port nine!" and he'd be like, "Umm, right" and I'd be like "Yeah!" and he'd be like, "So, when's your mom coming to pick you up" and I'd be like "7!" and it'd be cool... ---> Why AI is Possible By: aestetix "A strange game. The only winning move is not to play. How about a nice game of chess?" One of the greatest challenges in modern technology is creating a program we can recognize as a sentient being. Although the topic has been explored in dozens of movies and hundreds of stories and novels, we still seem to be stumped. A common stipend is that the "consciousness" which humans seem to have cannot be recreated in logic-- there are many impeding factors like emotion. This has been a real roadblock, especially in the last two decades: MIT AI Lab founder Marvin Minsky has been on record numerous times attacking research, accusing students of wasting their time with ideas they don't understand. Despite this roadblock, there are still evolving theories as to how one can create consciousness. A common criticism is that humans have an uncanny ability to "think", which is impossible to duplicate in a machine because we simply don't understand it. While theories are proposed left and right, they all fall into the same trap of assuming that with logic complex enough, consci- ousness will eventually create itself. This is almost equivalent to a child thinking that he has created a computer system because he has compiled assorted hardware and installed an operating system; even though he has no real conception of how the system works together, the logic all fell into place, made the appropriate connections, and his computer works. In fact, many people unknowingly view computers as conscious beings because they -do- work. However, they immediately disavow any notion of this because, for example, the computer doesn't know how to find a floppy that's next to the drive but not in it. Of course, this falls more into the fault of the human who doesn't know the proper language and etiquette necessary to converse with the system. Let's approach this from another angle: a common laborer doesn't need to know the physics of how a bookshelf works to assemble one, provided he has the instructions. In fact, most of the time he doesn't even need instructions, because he is given input (boards, screws, etc) and with basic logic (match screw 1 to hole 1) he can assemble the board. The question is, can this thought process be represented entirely with logic? It's the same problem a child encounters when she is given a board with holes of shapes in it, blocks of shapes, and told to match them up. She puts the triangle to the square, and because it doesn't go in, she moves it to the triangle with success. The key is that she eventually -remembers- this, so that perhaps in another dozen attempts, she won't make the error. It seems easy enough to imagine creating logic that will mimick this: imagine a robotic arm that's programmed to insert the triangle in the triangle block, repeating the exact trial-and-error process. If a program is capable of learning on this level, then theoretically it can learn on -any- level. This concept extends to the movie WarGames, in which the computer account "Joshua", after repeated attempts at playing a game, is able to learn how to "win." Perhaps we view "consciousness" as being extremely complex because we just don't understand it yet. A good mathematician knows that the simplest answer is always the best one, and likewise, it seems that consciousness should be easy to describe, once understood. An example of this, albeit dealing with animal instincts rather than human thought, is Craig Reynold's "boids" experiment. Essentially, he went out to a park every day for months, making hundreds of observations, trying to understand how the flocking patterns of birds is achieved. Eventually he managed to narrow it down to three simple rules, which, when he wrote into a computer program, imitated the flocking far better than he had predicted. Here's an interesting scenario: is it possible to create a program that can analyse source code and tell you what language it's written in? At first, this seems really rudimentary, and something even the most primitive compiler/parser in capable of. But take it to the next step. What if you deliberately insert semantic errors in your code (ie "printg()")? Even the most idiotic human can probably glance at this and see the error, but can the computer? Moreover, what if you're using one of the newer language systems like PHP, where you can mix two or three languages into the same page? Your "analyser" will be registering all kinds of HTML source, then it gets hit by Javascript, then PHP! Or what if you've written a program that outputs itself in a different language? (ie "printf("PRINT \'HELLO\'"). Finally, what is the program is trying to analyse itself? Your chances of creating this program seem kind of hopeless at this point: however, there is one thing to keep in mind. While there are still an infinitude of possible challenges that can come up in practice, there is still a single axis on which the biological eye rotates. Your scenarios may change, but you do not. The key difference is that you can remember the thought pattern you used to tackle these problems: you can learn. The human mind has a sort of "database" of memory it can analyse to attempt to recall certain skill sets, and we are coming closer to finding out how this database is built. Of course, once we've created the database, we still need to construct tools that can read it. But reconsider the previous challenge: say you come across a language and want to figure out what it is. You take in different pieces of your object, and your brain looks through your memory to find a matching thought or skill. If we can get a program to run "the last time I saw an instruction like this, I used the fuction to output text to the monitor" instead of "IF INSTRUCTION THEN PRINT", we've tackled one of the biggest obstacles in AI. There's a lot of work with AI related pattern recognition going on these days: voice recognition, ad blocking software, etc. But a key problem is that sometimes the algorithms recognize a pattern, but not the pattern we want it to find. For example, a picture of a person's face might be blocked from a web browser because the placement of peach pixels in the photo matches a pattern for porno- graphy. From a fundamentalist AI viewpoint, these ideas still suffer from following instructions, rather than thinking on their own. However, a more liberal voice may point out that almost all human decision can ultimately be mapped out in logic, implying that a program could eventually be written, similar to Joshua, which would, after processing multiple images, learn to distinguish. Ultimately, there are two large barriers keeping AI from advancing: our limited understand of our own consciousness, and the presumption that AI cannot exist. Of course, 150 years ago we knew that humans could never fly, and 25 years ago Bill Gates knew that a computer would never need more than 640K of memory. AI has progressed from primitive forms like an electronic chess game to extremely advanced ideas like Will Wright's "SimCity" and "The Sims". There are so many advances it's silly to even try to list them all, but each one of them reflects a move closer, in some cases a pivotal discovery, to creating AI. ---> GIBS ME SHIT WOMAN! *sniff* I miss the old to2600... right there, i like that Such a great group in its day.. what is it now... :x a gay bar ---> 0x01 <====================> <== Number Systems ==> <== By: Ice ==> <====================> 0x02 This article is just a simple introduction into number systems including the Decimal Number system, The Binary System, The Octal and Hexadecimal number system. The article will look into some simple conversions and basics of these Number systems. 0x03 The Decimal Number System -------------------------> The most popular number system is ofcourse the decimal system (Base 10). This system includes ten different symbols, they are (0, 1, 2, 3, 4, 5, 6, 7, 8, 9). This system has been used for thousands of years, but it's not well suited for modern computers. Therefor, we have three other systems that are used by computers, they are Binary, Octal, and Hexadecimal. Each Number has a Face Value and a Place Value, Lets look at this by using the number 666. Face Value Place Value ---------- ----------- 6 100 = 10 ^ 2 6 10 = 10 ^ 1 6 1 = 10 ^ 0 Lets look at a example that has a decimal in the number like 1884.36 Face Value Place Value ---------- ----------- 1 1000 = 10 ^ 3 8 100 = 10 ^ 2 8 10 = 10 ^ 1 4 1 = 10 ^ 0 3 .1 = 10 ^ -1 6 .01 = 10 ^ -2 As you can see, this is pretty simple, not very complicated at all. You can also write this in an expanded form. 666 = (6*10^2) + (6*10^1) + (6*10^0) = (6*100) + (6*10) + (6*1) 1884.36 = (1*10^3) + (8*10^2) + (8*10^1) + (4*10^0) + (3+10^-1) + (6*10^-2) = (1*1000) + (8 *100) + (8*10) + (4*1) + (3*.1) + (6*.01) This is pretty much the same thing as the Face and Place value method. As you can see, the Decimal Number system is very easy to understand and use. Lets look at Binary System know. 0x04 The Binary Number System ------------------------> The Binary Number System (Base 2) has two symbols, they are 1 and 0. This system is appropriate for electronic computers becuase its either a 1 (on) or a 0 (off). This system is very easy to understand just like the Decimal Number System is. Like Before, each number has a Face Value and Place Value. Lets look at two examples like we did in the Decimal Number System. Face Value Place Value ---------- ----------- 1 8 = 2 ^ 3 1 4 = 2 ^ 2 1 2 = 2 ^ 1 0 1 = 2 ^ 0 Lets look at a example that has a decimal in the number. Face Value Place Value ---------- ----------- 1 8 = 2 ^ 3 0 4 = 2 ^ 2 1 2 = 2 ^ 1 0 1 = 2 ^ 0 0 .5 = 2 ^ -1 1 .25 = 2 ^ -2 0 .125 = 2 ^ -3 1 .0625 = 2 ^ -4 As you can see, the binary number system isnt very difficult to learn either. Lets write these in expanded form as we did in the Decimal System. 1110 = (1*2^3) + (1*2^2) + (1*2^1) + (0*2^0) = (1*8) + (1*4) + (1*2) + (1*0) 1010.0101 = (1*2^3) + (0*2^2) + (1*2^1) + (0*2^0) + (0*2^-1) + (1*2^-2) + (0*2^-3) + (1*2^-4) = (1*8) + (0*4) + (1*2) + (0*1) + (0*.5) + (1*.25) + (0*.125) + (1*.0625) Not very hard to understand, and is just as simple as the Decimal System. Lets look at Octal System. 0x05 The Octal Number System -----------------------> The Octal Number system (Base 8) is just as simple as Decimal and Binary Number System. The Octal system contains eight symbols, they are (0, 1, 2, 3, 4, 5, 6, 7). Lets look at some examples using the Face value and Place value as we did before. (I will just show one example, including the decimal point). Face Value Place Value ---------- ----------- 5 64 = 8 ^ 2 0 8 = 8 ^ 1 7 1 = 8 ^ 0 3 .125 = 8 ^ -1 4 .015625 = 8 ^ -2 Lets write it in Expanded form just like we did with the other examples. 507.34 = (5*8^2) + (0*8^1) + (7*8^0) + (3*8^-1) + (4*8^-2) = (5*64) = (0*8) + (7*1) + (3*.125) + (4*.015625) Just as the other systems, very simple. 0x06 The Hexadecimal System ----------------------> The Last number system is the Hexadecimal System (Base 16). The Hexadecimal system contains 16 symbols, they are: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A (10), B (11), C (12), D (13), E (14), F (15) Dont let the Letters confuse you, its very simple once you remember them and get some practice with the Hexadecimal System. Lets look at some Examples: Face Value Place Value ---------- ----------- 2 256 = 16 ^ 2 F (15) 16 = 16 ^ 1 7 1 = 16 ^ 0 4 .0625 = 16 ^ -1 A (10) .00390625 = 16 ^ -2 Lets see this example written in Expanded form: 2F7.4A = (2*16^2) + (F*16^1) + (7*16^0) + (4*16^-1) + (A*16^-2) = (2*256) + (15*16) + (7*1) + (4*.0625) + (10*.00390625) Same as before, not very difficult. 0x07 Converting Any Base to the Decimal System -----------------------------------------> There are many more ways then doing this, i am going to show you the expanded form way. Lets look at some examples: Binary Example --------------> 1.011 = (1*2^0) + (0*2^-1) + (1*2^-2) + (1*2^-3) = (1*1) + (0*.5) + (1*.25) + (1*.125) = 1 + 0 + .25 + 1.25 = 1.375 So 1.011 (Base 2) is 1.375 (Base 10) Because we are using the Base 2 system, we uses 2^x. Lets look at this Example in the Face and Place Value method. Face Value Place Value ---------- ----------- 1 1 = 2 ^ 0 0 .5 = 2 ^ -1 1 .25 = 2 ^ -2 1 .125 = 2 ^ -3 Octal Example -------------> 616.7 = (6*8^2) + (1*8^1) + (6*8^0) + (7*8^-1) = (6*64) + (1*8) + (6*1) + (7*.125) = 384 + 8 + 6 + .875 = 398.875 So 616.7 (Base 8) is 398.875 (Base 10) Because we are using Octal System in this example. We use 8^x. Lets look at this Example in the Face and Place Value method. Face Value Place Value ---------- ----------- 6 64 = 8 ^ 2 1 8 = 8 ^ 1 6 1 = 8 ^ 0 7 .125 = 8 ^ -1 Hexadecimal Example -------------------> D39 = (D*16^2) + (3*16^1) + (9*16^0) = (13*256) + (3*16) + (9*1) = 3328 + 48 + 9 = 3385 So D39 (Base 16) is 3385 (Base 10) Because we are using Hexadecimal System in this example. We use 16^x. Lets look at this Example in the Face and Place Value method. Face Value Place Value ---------- ----------- D (12) 256 = 16 ^ 2 3 (13) 16 = 16 ^ 1 9 1 = 16 ^ 0 0x08 Converting from Decimal to Any base -----------------------------------> Binary Example --------------> Know that you have a basic understanding of how the number system works. You will be looking at diffrent types of conversions. Lets start with a Binary Example. This example will convert 52 (Base 10) into Base 2. 2^5 = 32 = 1 2^4 = 16 = 1 2^3 = 8 = 0 Our answer is 52 Base 10 is 110100 in Base 2. 2^2 = 4 = 1 2^1 = 2 = 0 2^0 = 1 = 0 Lets have a closer look on how we did this converstion. The first rule is that the place value number cant be bigger then the number we are trying to convert. (So if we did 2^6 is 64. We can't use this because its greater then 52. So the highest we can go is 2^5). Know, 32 fits into 52 once. So we put a one besides it. We then go to 16, we add it to 32 = 48. We go down to the 8 and try adding it to 48. We cant do this because it will be higher then 52. So we place a zero. We go down to 4. We add 48+4 = 52. Bingo.. We got it, We place a 1 and place a zero on the other numbers that we dont need. So we got one 32 + one 16 + zero 8 + one 4 + zero 2 + zero 1 = 52 So our Answer is 110100 Base 2 Octal Example -------------> Same rules apply as they did above, the only diffrences is that we are in the Octal number system and use 8^x. Lets look at a example. In this example will convert 112 (Base 10) into a Base 8 Number. 8^2 = 64 = 1 8^1 = 8 = 6 Our answer is 112 Base 10 is 160 in Base 8. 8^0 = 1 = 0 Lets have a closer look on how we did his converstion. Because the Octal Number System has 8 digits, we dont need to use 1's and 0's like in the Binary example. Know, 64 fits into 112 once. If we used two 64's, it would be 128, you cant do this because its bigger then your number. Know we use six 8's. One 8 (64 + 8) = 72 (To Low, We can go higher) Two 8 (64 + 8 + 8) = 80 (To Low, We can go higher) Three 8 (64 + 8 + 8 + 8 ) = 88 (To Low, We can go higher) Four 8 (64 + 8 + 8 + 8 + 8) = 96 (To Low, We can go higher) Well you get the idea... So six 8 = (64 + 8 + 8 + 8 + 8 + 8 + 8) = 112 (Thats our Original Number) And we dont need any 1's because we hit 112. So the answer is 160 in Base 8. This isnt very difficult once you get the hang of it. Hexadecimal Example -------------------> Lets look at the Hexadecimal Number system using this method. We will convert 220 (Base 16) to Base 10. 16^1 = 16 = D (13) 16^0 = 1 = C (12) We cant go 16^2 because that is 256 and its higher then our number. We can fit 16 thirteen times into 220. This will give use 208 (16*13). Know we need 12 one's, this will give use 220 (208+12). So the Answer is DC in Base 16. As you can see, Hexadecimal isnt very difficult to do. 0x09 Converting Decimal Fractions to Any Number System --------------------------------------------------> Binary Example --------------> Lets start with a Binary Example. Will convert 0.3 (Base 10) to a Base 2 number 0.3*2 = 0.6 0.6*2 = 1.2 0.2*2 = 0.4 0.4*2 = 0.8 0.8*2 = 1.6 = ----- .01001 (Base 2). Lets get a closer look on how we did this. You first multiplied 0.3 by 2 (Base 2) and we received 0.6. Know you take the last digit witch is .6 and multiply it by 2 and you get 1.2. Then you take the .2 and multiply it by 2 and you get 0.4. You take .4 and multiply it by 2 and you get 0.8. You take .8 and then multiply it by 2 and we get 1.6. You may ask, why are we stoping here, well, its simple. We cant take the .6 and multiply it by 2 because we all ready did this. Meaning the numbers will be in a infinite loop. So know we take the left site digits (0, 1, 0, 0, 1) and thats our answer. We put a line above the numbers representing the infinite loop. ----- So our answer would be .01001 in Base 2 Octal Example -------------> Lets look at a Octal Example know. We will convert 0.1 (Base 10) to a Base 8 number 0.1*8 = 0.8 0.8*8 = 6.4 0.4*8 = 3.2 0.2*8 = 1.6 0.6*8 = 4.8 ------ = 0.06314 (Base 8) The same rule applies, and the same method is used. Lets see how we did this in the Octal System. So, we multiply by 8 because we are converting to the Octal System. Know we multiply 0.1 by 8 and get 0.8. We take the last number .8 and multiply it by 8 and get 6.4. We take .4 and multiply it by 8 and get 3.2. We take .2 and multiply it by 8 and get 1.6. We take the .6 and multiply it by 8 and get 4.8. We stop here because .8*8 will be repeated again. This means the same patter will go on and on and on... you get the point ------ So our answer would be 0.06314 in Base 8. Hexadecimal System ------------------> Lets try a Hexadecimal System example. We will convert .2 (Base 10) Into base 16. .2*16 = 3.2 - = 0.3 (Base 16) Hehe, Looks like this one is pretty short and simple. I dont think i need to explain. It's simple enough = ) I will explain it, just in case if anyone needs one. We multiply .2 by 16 (Because we are converting to Hexadecimal) and we get 3.2. We cant use .2 because it will be infinite loop of so .3 is our answer. 0x0A Conclusion ----------> Well I hope you enjoyed reading this article as much as I enjoyed writing it (My First Article I have written). There might me some spelling mistakes (Not the best Speller). I will be making another part to follow this one. It will include some other conversions and Number System Arith- metic such as Addition, Subtraction, Multiplication and Division. I would like to give a shout out to UndergroundNews ==> www.undergroundnews.com Iced Reviews ==> http://ice.promodtecnologies.com (come review some stuff if you have time =] ) Everyone at HackCanada and Nettwerked EOF ---> fruedian slit^h^h^h^hslip ---> Cheap And Effective WireTapping By Jackel Disclaimer ********************************************************************** The information contained in this document is for educational purposes only and I take no responsibility for any actions you may take with use of knowledge. So it's not my fault if you get put behind bars. ********************************************************************** 1.Intro Anyone who can beige box can easily do this, and for those who don't know how to beige box this article will teach you how to do this. Before we start you need to know that wiretapping is a gross violation of privacy and is highly illegal (the cops need permits to do wiretaps) this means possible jail time if you are caught doing this and i am in now way to be held responsible if you fuck up or are spotted doing this. 2. Time Time is the most important factor when doing wire taps. Most likely you either know the victim or its some one you have put a great deal of time and effort into researching and stalking. This means you know their daily schedule, when they get up, when they sleep and when they go to take a piss. If you have no idea of their daily schedule then this is best preformed around 2-3am on a week day when everyone is safely tucked away in their beds and have no clue what is about to happen to them. Now another easy way to get this done but a little more risky is to dig out that old Telus Tech uniform you swiped from the clothes line a few months back and has been collection dust in your closet and put it on. This is where your Social Engineering skills really shine, what? you have never even social engineered a operator? Then turn around right now because you need these type of skills if you are ever going to do any work in the field. Working in the field is unpredictable, you have to be aware of your target area and what goes on in a regular day in that area. I have spent hours on end just sitting in my car watching the same area day after day just to get a good grasp of what goes on and so I'm not supprised when I carry out my dirty deed. So Unless you want to end up next to "Bubba" take my advice. Now after you get all dressed up, and have all your accessories on... its time to head to the house. Keep in mind your target is the telecom box outside the house it will usually be near the gas/water meters, but I will get into that later. After you finally work up the balls to go and lie your ass off to the poor house wife or kid of the person you are targeting you will need to come up with a cover story like "There are been some surges in the phone lines in the past couple days and we need to intall a surge protector to safeguard your lines" remember 99% of people dont know how their phone line works or the components that it needs to work or keep working so if you look like a telus tech and sound like you know what you're talking about 99% of the time they will let you in and just ask simple questions like "how did this happen" or "why did this happen" so be prepared to answer all of these, as I stated before the field is unpredictable. Once you are able to gain entrance to the residence of the victim and get access to the telecom box its all down hill from there. 3. The Bug These things are just beautiful, they aren't the 200 dollar bugs the RCMP uses and there are downs to using them but realistically some of us can't afford those (and you have to special order them in from Japan, also technically they will only sell to Law Enforcement or other related purposes). You can find these "bugs" at your local Radio Shack or the Radio Shack will order them in for you, they are simply Wireless Microphones that work on a FM frequency (yes these will fit into a telcom box and aren't those big stage mics you find people using at a concert). They usually cost around 20-25 dollars. The instructions on how to set the FM frequency are on the back of the box. **TIP** I usually set the bug on a high end FM frequency, as you don't want to hear a radio station when trying to listen to your victim. Upsides To This Bug: 1. Cheap 2. Expendable Downsides: 1. If a tech opens the box its the first thing he sees 2. If the poor bastard you're tapping happens to be radio surfing and comes across the frequency you have the bug on and just happens to be talking on the phone he will hear himself (but what are the chances of that?) 3. The Exploit Okay after you have social engineered you're way to the telecom box (please don't say you don't know what a telecom box looks like), if you can't find it then your cover is blown and your life as a phreaker will be short lived indeed. Now once you have located the telcomm box you will need to open it, easy enough, there are usually 2 bolts, it would be wise to bring a wide range of screw drivers and ratchet heads with you because the bolts the dominate telecom company in your area uses may not be the same ones that they use in my area. After you have opened up the box you will see 4 medium sized metal bolts there are for lines 1 and 2 in the house I assume you know what line you want to tap. Now at this point unless the person is paranoid or has nothing better to do they should have left by now and if they have'nt my advice is to poke around a little bit, mumble something about crossed wires to your self then tell them that this may take a while and you're not sure if you have the tools required to finish the job. After that hopefully the target will leave now after that little annoyance is taken care of you will need to get the bug out, there will be a mic attached to a wire. Cut the wire right at the base of the mic. **IMPOTANT YOU WANT AS MUCH OF THE WIRE LEFT ATTACHED THE THE AM/FM TRANSMITTER AS POSSIBLE** ... because the more wire you have, the more you get to wrap around the line bolts. Now to expose the wire of the mic all you need to do is strip it, but what if you find yourself asking "But Jackel, all I do is whack off and I don't have the dexterity necessary to strip the wires and I always cut right through it!" Well then I can't help ya, sorry. Get a girl and leave phreaking behind :) It's time to do the actual wire tap now. Inside the rubber insulation you melted or stripped off there should be 2 wires, attach these with alligator clips or you can just wrap them around the 2 bolts (attach the wires to the bolts that are located horizontally beside each other, not vertically. While attaching the wires, for the well being of your hand for the love of god do not get your finger or hand to complete the connection between the two bolts. The shock won't kill ya but it fucking hurts like hell. I know, I've done it many times. After you're all done close the box up and make up some bullshit story about how it is all fixed and the victim shouldn't be having anymore problems. If they do just call (insert fake number here). **TIP** Line 1 is usually the house line while Line 2 is usually used for the comp if the target still uses a dial up modem. In that case you can just have more fun with them. Or the line could be used by the teenage son/daughter that never gets off the phone if they happen to have one of those. 5. Conclusion After it's all said and done, just walk back to your car, turn the radio on to the frequency you put the bug on and wait to get some dirt on your victim. But remember that the bug has a very short range so don't go more than a block away. Shouts: NoSleep Crew, All Of Nettwerked, Theclone, Kankraka, Port9, Hades, Tek, tr00per, Treephr0g, Papa Kybo ;), H1D30U5, and all the others I forgot. I'm very sorry my friends. its like im retarded Forgive Me My Friend For I Have Sinned >:) ---> straight up dawgs. mah name iz deadprez n shyyte. im the biggest poseur thsi syde of da calgary trax oh yeah eh which side of the tracks again ? the wrong siiiiide ha ha ha sure I lied. I live in my parents basement and I act tough on IRC. I really have a small bent wiener and I look funny. ---> #################################### Crafting Symlinks for Fun and Profit #################################### by shaun2k2 --[ 0 - Introduction Due to the recent hype of the more in-your-face class of program insecurities, other, slightly more subtle vulnerabilities are often overlooked during the auditing of source code. One of these classes of vulnerabilities is the "sym link bug", which can indeed be *just* as dangerous as buffer overflow bugs, format string vulnerabilities and heap overflows. Although often misconcepted as "not critical", or "not that serious", it is my belief that symlink bugs can be very serious in nature, and deserve just as much attention as buffer overflow vulnerabilities have received - yet the array of papers regarding this class of security holes is slim. In this paper, I attempt to demonstrate and analyze the risks of sym link bugs at large, providing interesting case-studies where necessary to demonstrate my points. Information on preventing these sorts of attacks is also provided, with general safe-guards against preventing them. A knowledge of UNIX-like Operating Systems is assumed, and whilst not necessary it would be helpful to have a working knowledge of C, C++, Perl or BASH scripting. --[ 1 - Symlink bugs: An Overview So, you might ask, what exactly is a symlink vulnerability? In general, sym link bugs are vulnerabilities which may allow an attacker to overwrite certain or even arbitrary files with the permissions of the invoking user of the vulnerable application or script. Typically, symlink bugs present themselves due to lack of checks on a file, before writing to it. So, to put it simply, symlink bugs exist primarily due to sloppy file handling in an application or script. To make matters even worse, an application or script could be SUID or SGID, thus eliminating the need for a legimate user to invoke the program - the attacker can instead run the application or script herself, because of the privileges the vulnerable application has due to the SUID/SGID pre-set on it. In quite a fair number of cases, a symlink vulnerability exists due to the application writing to tmpfiles, which contain data they may need to use at a later time. Programmers, often enough, may forget to, or not feel the need to perform checks when writing to tmpfiles - this is a common recipe for trouble. What sort of possibilities for an attacker can symlink bugs actually provide? Well, this usually depends on the type of functionality the vulnerable program was designed to provide. As stated above, the typical symlink bug allows one to overwrite or corrupt files not usually accessible to themselves. At first, this may not seem like a great window of possibility. But, when reconsidered, this could prove promising; what if an attacker could control what was written to an arbitrary file, or could otherwise trick the vulnerable application or script to write to a *critical* system file which could possibly leave the host OS inoperable? In certain circumstances, this possibility *does* present itself, and in others, the attack has less impact. So, how are symlink vulnerabilities exploited? In most respects, the leverage of symlink attack is actually quite generic across most vulnerable scripts or programs. As touched on above, such bugs usually occur due to poor or lack of file checks before data is written, so a little bit of thinking provides us with the answer: if a vulnerable application or script attempts to write to a file (often tmpfiles, to store data to be used later) without sufficient checks (i.e is the file a symlink? does the file already exist?), an attacker can quickly create a symlink with the *same* name as the file which the application is intending to write to - if the file handling routines are written insecurely enough, the program will obliviously write to the file - *causing the data to be written to where the symlink is pointing*. An attack like this can be demonstrated as below: --- root# vulnprog myfile [...program does some processing...] k1d$ ln -s /etc/nologin myfile [...program writes to 'myfile', which points to /etc/nologin...] --- In the above example attack scenario, the superuser ran a program with poorly written file handling routines, providing the filename 'myfile' to vulnprog for the relevant data to be written to. However, k1d happened to be looking over the shoulder of 'root' at the time, and created a link from myfile to /etc/nologin. Although the chances of finding a program written poorly is not at all great, the above scenario is useful for example purposes, and at least illustrates how vulnerable applications are sometimes attacked. Though more critical files could've been overwritten/appended with semi-useless data, the above sample scenario does demonstrate the possibility of attack - if this had been a real life attack, no users would've been able to login, due to the new found existance of /etc/nologin. Thus, one can see why it is important to reveal symlink bugs, and begin to write more secure code. Although I have only discussed file writing routines being vulnerable to sym link vulnerabilities, other possibilities do arise, such as routines which are written to set privileges. An example scenario would be a SUID root binary which at some point, changes the permissions of a file named 'test' or else to 666. However, the routine does not sufficiently check the state of the file 'test', resulting in a potentially vulnerability. With this, an attacker could create a link from 'test' to /etc/shadow. A very common occurance of symlink vulnerabilities, perhaps the most common is when applications create tmpfiles insecurely. Not only are the tmpfiles created with predicable names, permissions are not correctly attributed, and the program or script often does not even check if the file is a symlink. This sort of problem is quite a common occurance - this is evident by the vast number of 'symlink bugs' and 'tmpfile bugs' in the bugtraq archive. In the example discussed above, the attacker could not control what was written to the file, and the program did not have any special privileges (i.e SUID or SGID), so exploitation of the vulnerability required a legimate user to run the application. However, in some cases, the data written *can* be controlled, and, often enough, the application is SUID root. It is obvious to anyone with a minimal amount of security knowledge that this is not good - let us now explore an discuss a classic example of such a vulnerability. --[ 2 - Case Study: Sendmail 8.8.4 Vulnerability This vulnerability is a classic example, though versions of sendmail vulnerable to this attack are now pretty obsolete. The vulnerability presents itself when the sendmail daemon cannot deliver an email, and thus stores it in the file /var/tmp/dead.letter, incase the email was important to the sender. The sendmail daemon stores the exact email in /var/tmp/dead.letter, exactly how it was written, but what if /var/tmp/dead.letter pointed somewhere? Wouldn't the exact email get written to the file /var/tmp/dead.letter was linked to? Bingo! And since the attacker can write to an arbitrary file (a file of her choice), and also chooses what will be written, this vulnerability is perfect for example purposes. Although /var/tmp/dead.letter must be created as a hard link, rather than a symlink, this is still a link vulnerability, and is of the same class of vulnerabilities, in my opinion. Example exploit techniques were provided during the discussion of the bug, when it was discovered: --- k1d$ ln /etc/passwd /var/tmp/dead.letter k1d$ nc -v localhost 25 HELO localhost MAIL FROM: this@host.doesn't.exist RCPT TO: this@host.doesn't.exist DATA r00t::0:0:0wned:/root:/bin/sh . QUIT --- Sendmail would then attempt to deliver the mail to 'this@host.doesn't.exist', but soon determines that such a recipient does not exist. Due to the design of sendmail, it drops the email message body into /var/tmp/dead.letter. It is due to poor file handling routines that sendmail does not complete sufficient checks on 'dead.letter' in /var/tmp, for possible pitfalls: the possibility of /var/tmp/dead.letter existing as a hard link ('man ln' for more info) to an arbitrary file of interest to an attacker. Instead, sendmail, assumably, just sloppily writes the undelivered email to /var/tmp/dead.letter - this is the manifestation of the vulnerability itself. And since the attacker can exploit this sinister vulnerability to write arbitrary data, privilege escalation is possible - the ultimate goal of an attacker. Assuming the exploit worked, a new account with the name 'r00t' should exist, with a blank password field, and root privileges. Migiting factors exist which may prevent this vulnerability from existing, such as the account 'postmaster' existing, or /var/tmp being on a different partition, but we shall assume the exploit worked, for example purposes. --- kid$ grep "r00t" /etc/passwd r00t::0:0:0wned:/root:/bin/sh kid$ --- The vulnerability was indeed exploited successfully, let us now look at why sendmail was vulnerable to such an attack in the first place. Several more specific reasons might be given, such as where in the actual code the poorly coded file writing routine exists, and why it is insecure, but the two more general reasons for the issue are outlined below: - Sendmail is SUID root, thus giving it permission to do most anything. - Sendmail did not check for the existance of /var/tmp/dead.letter being a hard link - this is due to poor, insecure programming. Although this provides an excellent example of the possible impacts of sym/hard link vulnerabilities, it still does not provide much of an example of how they manifest in program code. Below we will explore another case study in which we will explore and exploit a sample 'vulnerable script', which is particuarly sloppily written, and in it manifest an obvious symlink vulnerability. --[ 3 - Exploitation: A Vulnerable Script Below is a sample vulnerable script: --- vulnscr.sh --- #!/bin/sh if [ -z "$1" ]; then echo "Usage: vulnscr " exit fi echo "vulnscr - vulnerable to a symlink bug." echo "writing 'Hello World' to" $1 sleep 3 echo "Hello World" >> $1 sleep 1 echo "Setting perms." chmod 666 $1 echo "Done!" ---- EOF ---- Just by studying the commands in the script, it should be quite obvious that this script is vulnerable to a fairly bad symlink vulnerability. 'vulnscr.sh' first checks for the existance of $1 (argument 1), and prints an error message accordingly. A simple information message is printed to the user's terminal, the script sleeps for 3 seconds, and the string 'Hello World' is appended to the file specified at the shell. Then, the permissions of the file are set to 666 (world-writable), and a simple 'Done' message is printed to stdout. This is simple enough, but as you have most probably noticed, we see no code performing checks on the file given at the command line. Rather, a simple 'echo' command is implemented by our vulnerable script to do its file writing, and what's more, a 'sleep 3' command is ran by our script, heightening even more the possibility of exploitation. On the second from last line of the script, the permissions of the file is set to world-writable, and again, no check is made for a symlink pointing elsewhere. Below is the offending vulnerable code found in vulnscr.sh: ---vulnscr.sh fragment sleep 3 echo "Hello World" >> $1 [...] chmod 666 $1 --- By taking a quick glimpse at the above commands, it is soon apparent that no file checks take place - just a blind 'echo' command appending our Hello World string, and a quick 'chmod' invokation. Thus, vulnscr.sh is definately an avenue for exploitation, and frankly, a recipe for trouble on a corporate or production machine, but in reality, scripts with code as sloppy as this *do* get packaged with major and popular Linux distributions. Now that we know why it is vulnerable to a classic symlink bug, how could the script be exploited? You can exploit this script by simply creating a symlink to a file writable by the invoking user of vulnscr.sh. Obviously, we would need to know the name of the filename the targetted user specified on the command line, but in a busy workplace environment, this might not be so hard, simply by peering over the shoulder of the person. Another possibility is that the script is to be run as a cronjob, so we know the filename which will be specified. Either way, let's assume we *know* for a fact that a user is about to invoke 'vulnscr.sh', specifying the filename 'test' as the output file. A simple attack scenario is shown below, illustrating the potential impact of exploitation of this symlink-vulnerable script: --- k1d$ ln -s /etc/passwd test [...] root# vulnscr.sh test vulnscr - vulnerable to a symlink bug. writing 'Hello World' to test Setting perms. Done! [...] k1d$ grep -n "Hello World" /etc/passwd 32:Hello World k1d$ ls -al /etc/passwd -rw-rw-rw- 1 root root 1460 2004-03-15 16:00 /etc/passwd --- So, as you can see, k1d's exploitation of 'vulnscr.sh' worked, and worked extremely well, as illustrated by k1d's checks. "Hello World" is now present in the password file, and to make matters even worse, /etc/passwd is now even world-writable, due to the 'chmod' command written in 'vulnscr.sh'. Chmod followed the symlink 'test', and since the invoking user of vulnscr.sh was root, the chmod call inevitably succeeded. So, at this point, k1d has effectively owned the system, and is free to do as he pleases; add root accounts, access mounted devices, corrupt important files and so on. Although it is doubtful that an actual script of this type would appear on a system for real, scripts vulnerable to almost an identical attack do exist in the default install of popular Linux distributions - such as 'extcompose', for example. Extcompose is a small script, packaged with the metamail package. It is designed for allowing a user to make external reference to a file not included in an email. After auditing it for a few short minutes, I realised it was vulnerable to a classic symlink attack, very much similar to the one discussed above. Though it is not SUID root, if an attacker knew what filename a user was going to choose as the output file, she could create a symlink to a file writable by that user - /etc/passwd would be a good choice if the invoking user was root. Due to this vulnerability, important files can be truncated or corrupted, and in theory, privileges could be elevated. Although you will most likely already have extcompose installed (/usr/bin/extcompose), here is extcompose's code: --- /usr/bin/extcompose --- #!/bin/csh -fb # (The "-fb" might need to be changed to "-f" on some systems) # if ($#argv < 1) then echo "Usage: extcompose output-file-name" exit 1 endif set OUTFNAME="$1" chooseaccesstype: echo "" echo "Where is the external data that you want this mail message to reference?" echo " 1 -- In a local file" echo " 2 -- In an AFS file" echo " 3 -- In an anonymous FTP directory on the Internet" echo " 4 -- In an Internet FTP directory that requires a valid login" echo " 5 -- Under the control of a mail server that will send the data on request" echo "" echo -n "Please enter a number from 1 to 5: " set ans=$< if ("$ans" == 1) then set accesstype=local-file else if ("$ans" == 2) then set accesstype=afs else if ("$ans" == 3) then set accesstype=anon-ftp else if ("$ans" == 4) then set accesstype=ftp else if ("$ans" == 5) then set accesstype=mail-server else echo "That is NOT one of your choices." goto chooseaccesstype endif if ("$accesstype" == "ftp" || "$accesstype" == "anon-ftp") then echo -n "Enter the full Internet domain name of the FTP site: " set site=$< echo -n "Enter the name of the directory containing the file (RETURN for top-level): " set directory=$< echo -n "Enter the name of the file itself: " set name = $< echo -n "Enter the transfer mode (type 'image' for binary data, RETURN otherwise): " set mode = $< if ("$mode" == "") set mode=ascii echo "Content-type: message/external-body; access-type=$accesstype; name="\"$name\"\; > "$OUTFNAME" echo -n " site="\"$site\" >> "$OUTFNAME" if ("$directory" != "") echo -n "; directory="\"$directory\">> "$OUTFNAME" if ("$mode" != "") echo -n "; mode="\"$mode\">> "$OUTFNAME" echo "">> "$OUTFNAME" else if ("$accesstype" == "local-file" || "$accesstype" == "afs") then fname: echo -n "Enter the full path name for the file: " set name = $< if (! -e "$name") then echo "The file $name does not seem to exist." goto fname endif echo "Content-type: message/external-body; access-type=$accesstype; name="\"$name\"> "$OUTFNAME" else if ("$accesstype" == "mail-server") then echo -n "Enter the full email address for the mailserver: " set server=$< echo "Content-type: message/external-body; access-type=$accesstype; server="\"$server\"> "$OUTFNAME" else echo accesstype "$accesstype" not yet implemented goto chooseaccesstype endif echo -n "Please enter the MIME content-type for the externally referenced data: " set ctype = $< getcenc: echo "Is this data already encoded for email transport?" echo " 1 -- No, it is not encoded" echo " 2 -- Yes, it is encoded in base64" echo " 3 -- Yes, it is encoded in quoted-printable" echo " 4 -- Yes, it is encoded using uuencode" set encode=$< switch ("$encode") case 1: set cenc="" breaksw case 2: set cenc="base64" breaksw case 3: set cenc="quoted-printable" breaksw case 4: set cenc="x-uue" breaksw default: echo "That is not one of your choices." goto getcenc endsw echo "" >> "$OUTFNAME" echo "Content-type: " "$ctype" >> "$OUTFNAME" if ("$cenc" != "") echo "Content-transfer-encoding: " "$cenc" >> "$OUTFNAME" echo "" >> "$OUTFNAME" if ("$accesstype" == "mail-server") then echo "Please enter all the data to be sent to the mailserver in the message body, " echo "ending with ^D or your usual end-of-data character:" cat >> "$OUTFNAME" endif ---EOF I'd like to leave this as an exercise to the reader - figure out why the script is vulnerable, and how it can be exploited. --[ 4 - Additional Thoughts Although in our examples, exploitation seems ridiculously easy, there are practical considerations to take into account, where theory and practicality are two different things entirely: - Timing - Guesswork - Permission issues These issues are factors which can effect the likely-hood of exploitation of even gaping symlink vulnerabilities, like the example discussed above. Timing ####### Depending on where and why the bug manifests in the application's code, timing can be an issue. For example, if an attacker physically spots a work collegue invoking an application with symlink bugs, even if she can find out what filename the application will deal with, will she be fast enough? In an ideal world, this wouldn't be a problem, but in reality, an attacker would've had to have planed for an attack, to a certain extent, because by the time the attacker had created a symlink from the appropriate file name, the vulnerable program could've already terminated execution. However, this is often not an issue; many applications include various invokations of 'sleep(2)' and 'usleep()'. As noted in the example we discussed previously, delay operations can often greatly increase the attacker's likely-hood of success - during the time a vulnerable application slept, the appropriate conditions could be prepared (i.e creation of a suitable symlink). Guesswork ########## Depending on the nature of the program, oftentimes a little guesswork is required by the attacker. A good example of my point is when a file is specified at the shell, upon which file operations are to be performed by a poorly written vulnerable program. Unsurprisingly, many folks prefer filenames which are easy to remember, but not necessarily relevant to what material is stored in the file in question. Many people may just choose a simple filename like 'test'. In other applications, this is not so much of an issue, due to the fact that filenames are hardcoded into the source code, or are hardcoded to a certain extent - this is often the case for tmpfiles used by many mainstream applications. In this scenario, all an attacker need do is create a symlink bearing the name of the tmpfile which the vulnerable program will operate on (i.e write to, set permissions on it, etc...) to a desirable location (system files, password files, config files etc...). Permission issues ################## On an average system, with a small-to-medium user load, system administrators and users in general are not usually over cautious. However, if an attacker does not have write access to either the directory in which files handled by the vulnerable application are created, or the actual file itself, this can become a significant problem for a would-be attacker, as they do not have sufficient privileges to cannot craft a symlink. Coinciding with points stated above, this is often not an issue if an exploitable application writes temporary files in /tmp, but if a user may specify a file, an attack can be thwarted by specifying a path to which attackers do not have sufficient access. Despite discussions of symlink bugs have been primarily focused towards regular files, tmp directories are vulnerable in almost an identical way. I'll leave it to the reader to delve into the references at the end of the paper. --[ 5 - Prevention & Safe programming The prevention of symlink bugs, as with all programming, is achieved via good programming standards. In general, symlink vulnerabilities can be avoided in part by employing some of the following techniques. - Perform checks on files to be handled. a) Check for existance of file. b) Check for symlinks c) Check for hardlinks d) etc. This can be done by optionally generating a semi-random filename, and adding the 'O_CREAT|O_EXCL' flags to any 'open()' calls made. - Implement safe tmpfile creation. - Give the files restrictive permissions My aim is not to reinvent the wheel, so instead, references and areas of further reading are given, including measures worth taking to avoid the symlink class of vulnerabilities. --[ 6 - References I have attempted to provide papers and material for further reading, which I think may be useful to the reader. - "not-so-dangerous symlink bugs" - a better look. - Preventing Race Conditions. Large archives such as Bugtraq have quite a big collection of symlink vulnerabilities, checking it out would be interesting. --[ 7 - Conclusion Thanks for reading. If you have any constructive critisism or comments, I would appreciate your feedback . ---> KankGAME/#hackcanada wishes he had a hot bf like clone to buy him fone minutes ---> Phun with the Audiovox 8900 and Telus Mobility by TeK-g All codes are entered at main menu. At the conclusion of the code, press the END key (hangup) Some have been reported to work on the 8500 also. THIS IS THE ONLY EXCEPTION: PRESS: 2539** menu says: Input A-Key puts phone into service mode, requires a reboot CODEZ: ##1111 - Fades out screen ##1122 - Test menu (test the phone's features) ##2222 - Blank Menu ##2769737 (##BROWSER)- Internet options (EDITABLE!!) Of Note here is 3 links to 2 proxies each, each with an IP and PORT On mine all are the same (216.198.139.113:80) using a web browser we get: You have reached the Openwave NSM 1.0 Proxy Server. This server does not serve any web content. Use this server only for routing proxy requests. ##242743 (##CHARGE) - Battery info displayed, nothing editable ##27732726 (DEBUG MODE) SW and UI (User Interface versions) Debug screen gives you realtime signal strength, in absolute terms. Some battery values and thermal values listed aswell. LNA state (don't know what that is!) TEST CALL: Allows one call in a variety of modes, no idea if you get billed for this call ##27752345 - MISC. TEST (EDITABLE) Change battery values and other values (Some make your phone freeze and require reboot) Change Channel (dunno what that is!) Change other stuff that doesnt seem to work ##33284 (##DEBUG) Direct link to DEBUG SCREEN IN DEBUG MODE ##2250 RFNV CONTENTS (editable) CDMA/PCS/FM/GPS options all editable USE AT OWN RISK possibly a way to disable GPS tracking of the phone RF AND FACTORY test mode is also available, don't seem to do much ##83587 (##TELUS) ASKS FOR PASSWORD That is all I have found so far, if anyone can figure out which settings to manipulate for free calls, disabling GPS tracking or enabling GPS display, the telus menu codes or other updates please write to: fawkyou420@hotmail.com ** PROPS TO HOWARDFORUMS COMMUNITY FOR MUCH OF THIS INFO!!!!! -ez --- MORE CODES FOR AUDIOVOX 8900 By: TeK-g #5625* DISPLAYS PHONE's LOCK CODE ##4771 (##GPS1) SOME GPS OPTIONS PRESUMEABLY, PASSWORD PROTECTED ##7738 CHANGE P_REV (no idea what this does 3 different modes for it, all changeable) ##2222 Displays phone's Channel ##1133 reset (USE AT OWN RISK doesnt seem to reset much though, perhaps use if you fuck with these menus and can't get back, hehe!!!) ##1144 KEY TONE TIME A-KEY is: a number given to a cell phone that is used in conjunction with a users SSD info for authentication. UPDATE ON GPS IN AUDIOVOX 8900/8500: Back in the beginning, the good'ol gov decided that there should be a method for locating a cell phone... actually, it was the NENA group, created to serve the goals of the 9-1-1 people. There were a lot of methods suggested but it boiled-down to two systems. One was called the "Tower Solution" and the other is known as the "Chip Solution". Most cell phones use the Chip Solution. What's going on in your phone is this... (by the way, your phone can not, does not, and never will, receive any signals from any satellites in orbit) There is an IC in your phone that compares a timing signal received from the local cell towers and derives a value from the data. That value is included with the data portion of any cell call you make and in some special conditions, calls and data messages sent to your phone. When that information is processed at the "head-in", your location (the location of the phone when the data was generated) can be "detected" and then sent to the party who needs it (usually your local 9-1-1 site). The information is known as "Phase 2 ALI data". Unless you use "social engineering" on your local 9-1-1 Call Taker, you will not get any use from your phone's "GPS" feature. Personal comment: The use of the term GPS by the cell phone industry is pure hype. It should have never been allowed. There is no GPS system involved in the phone. The only relationship GPS has to all this location stuff is that the cell sites use the Time Mark data from the GPS to synchronize the cell system. The location of the cell site is known and does not move. --> The Codec War: Operation Zipem by jedkiwi Because I will be getting a Tungsten E ( joy^happiness ) soon, obviously I am gonna use the built-in music player. Even though I am getting a 256mb SD card, I don't really want to waste all that. So naturally, I looked at alternates to MP3. I downloaded a copy of dbPower AMP, got a bunch of codecs, and wasted an hour doing all this. Original Linkin Park - Faint 2470kb 128kbit 44100Hz Stereo ogg1 1870kb 80kbit 44100Hz Stereo 5/5: completely lossless quality. Conversion time 0:32 ogg2 1070kb 48kbit 44100Hz Stereo 4.5/5: almost lossless, the untrained ear shouldn't be able to pick up the difference. Conversion time 0:28 real audio1 898kb ISDN (68kbit) 44100Hz Stereo 4/5: excellent quality for the size, just a few bits metallic sounding. Conversion time unknown real audio2 657kb 56kbit 32000Hz Stereo 4/5: excellent quality for the size, just a few bits metallic sounding and a few bits overstretched. Conversion time 1:03 wma1 2800kb VBR 90 44100Hz Stereo 2/5: pauses after beat, horrid quality, the size is way off. Conversion time 0:11 wma2 1230kb VBR 50 44100Hz Stereo 3/5: pauses after beat, horrid quality. Conversion time 0:13 aac1 2470kb 128kbit 44100Hz Stereo 4.5/5: Just a few clips that I could detect, but not everybody should hear them. Conversion time unknown aac2 1540kb 80kbit 44100Hz Stereo 4.5/5: Just a few clips that I could detect, but not everybody should hear them. Conversion time 0:35 In the end, I think that I will either be using either ogg2 or real audio1 if I compress my tunes. However, I will never ever use wma9, as the quality they have shown me is horrible. M$ should stay out of the music business, those who are 100% devoted to A/V and the open source camps will always prevail. --> Ice - Life is like a box of well lubed dildos... it's painful at first when it's inserted into your ass but then you eventually get used to it and enjoy the ride. --> [ K-1ine News ] Nettwerked Lays off 4500 from Red Deer factory Frank "Paradichlorobenzene" Wizbone, February 16, 2004 In a surprising move, President and CEO of Nettwerked Communinications Inc. (LMNOP/TSX) has announced it will be shutting down its Red Deer, Alberta manufacturing plant and outsourcing the jobs to factories run by independent labour contractors in Import/Export zones in China. At a public press meeting this morning, Mr. Clone stated "This is a positive move for Nettwerked, our Brand must stay competitive. Others such as Nike and IBM have reaped the benefits of more cost-effective labour practices available in other countries. It's our turn for a piece of the globalization pie!" After the announcement, the Nettwerked shares skyrocketed closing at a record $108.40, ten times that of arch-rival Nortel Networks Corp. (NT) --> New York City E911 Crashes (no fault of my own!) (Source: New York Times) Verizon began taking steps yesterday to better protect New York City's 911 emergency line after a data error by an employee brought down the system in Brooklyn, Queens and Staten Island for about two hours on Friday night, city and Verizon officials said. The emergency system broke down about 7:20 p.m. after a Verizon engineer who was making service changes to a bank's telephone numbers in Brooklyn inadvertently included numbers that are used to carry 911 calls, city and telephone company officials said. The numbers were close in sequence, the officials said. The 911 calls then ended up being rerouted to the bank's phone system, and callers heard a busy signal. City and Verizon officials said that while the backup system in place for 911 was functioning properly, it failed to pick up the calls because it was designed to catch a technical error, not a human error that would be interpreted as simply a change of instruction. Daniel Diaz Zapata, a Verizon spokesman, said the telephone company would now require a second person to double-check any entry of data that could affect the 911 system, and said the company planned a thorough review of its procedures that would be documented in a report to the city within a few days. "We determined that a human error resulted in the accidental rerouting of phone calls during a procedure to upgrade service for a corporate client," Mr. Zapata said. "We have immediately altered our processes to ensure this type of situation does not reoccur. We have assured the city that we took immediate steps to make sure this doesn't happen again." Citing privacy concerns, Mr. Zapata declined to identify the Verizon engineer, except to say that he was a veteran of the company. Mr. Zapata said it was unlikely that disciplinary action would be taken against him. Police and fire officials said yesterday that they had no reports of injuries during the 911 failure. Fire officials said that about 60 firefighters responded to a major fire, at 3301 Foster Avenue in Brooklyn, which was called in at 8:49 p.m. by someone using a fire alarm box on the street. There were no injuries in the fire. Paul J. Browne, the Police Department's deputy commissioner for public information, said the department immediately adopted emergency procedures, like requiring e officers on patrol to turn on their flashing lights so people could find them easily and increasing staffing at precinct station houses to answer phone calls. But he said there was no reported increase in crime. "This didn't present an opportunity for the criminally minded - like the blackout did - because probably most people were unaware that it was out of service," he said. However, several City Council members expressed anger that the 911 system could have been so easily disabled, and called for creating a more effective backup procedure. "It's an emergency wakeup call," said Councilman Peter F. Vallone Jr., the chairman of the Public Safety Committee, who plans to hold a hearing about the incident. "We don't have an adequate backup system for 911, which is more important than ever as we fight the war against terrorism." Gino P. Menchini, the commissioner of the Department of Information Technology and Telecomm- unications, said city officials were working with Verizon to ensure that the emergency system's numbers were clearly identified, and that its software and equipment were protected from similar human errors. But Mr. Menchini emphasized that the emergency system already had many built-in safeguards, such as the ability to route 911 calls through either of two central offices and their 911 answering centers. "The bottom line is, 911 works very well, and it's worked very well for a long time," Mr. Menchini said. Several emergency services experts agreed yesterday with Mr. Menchini, saying that New York 911 system compared favorably with those in other large cities and that an error like the one made by Verizon could not necessarily have been prevented because it was not a flaw in the 911 system itself. It's very unusual for that to happen, but it's understandable," said Robert C. Krause, executive director of Emergency Services Consultants in Toledo, Ohio, who is familiar with the New York system. "I don't know if anyone would anticipate this because it's a highly technical thing. I think most public safety administrators would assume that their numbers are safeguarded." Mayor Michael R. Bloomberg did not have any public events scheduled yesterday, and it was unclear whether he was in the city at the time of the 911 failure. "We don't comment on the mayor's where- abouts," said Jordan Barowitz, a spokesman for the mayor. His office referred questions on the disruption to Mr. Menchini. - submitted by: Nyxojaele 03/29/04 --> -- Credits Without the following contributions, this zine issue would be fairly delayed or not released. So thank you to the following people: Aestetix, Aftermath, Anonymous Phone Hero, Cyb0rg/ASM, H1D30U5, Ice, Jackel, Nyxojaele, Shaun2k2, TeK-g, The Clone, Tr00per, Wizbone -- Shouts: Cyb0rg/ASM, Wildman, H410g3n, The Question, Phlux, Magma, Hack Canada, The Grasshopper Unit, Flippersmack, soapie, H1D30U5, Nyxojaele, Ms.O, Tr00per, Flopik, dec0de, caesium, jimmiejaz, oz0n3, *Senorita Chandelier*, Kris, port9, kankraka, hades, Azriel J Knight, coercion, tek, #hackcanada, The Nettwerked Meeting Crew, and the entire (active) Canadian H/P scene. ;. .;.. ; ;. ;.. ;.. .;..; .;.; .;; ;.. .;..;. .;..; .;.;...; ;..;.. .;. A .;. .;. ;.. N E T T W E R K E D ;.. ;..;.. P R O D U C T ;..;.. .;..; ;..;.. ; .;..;.;.. .; . .;. ..;.. .;.. . .; ..;..;..;.. .; ;..;. .;.. . .;.. .;.;. ..;. ..;.. .;. ;.;..;;..;.; ;.;;..;.. ;.;.; .; . ;.;..;. .;. ;.;:.;. ,;....;. .;.;. .;.; .;.;.; .;.; ;..;. .;.;;.; .;. ..; ;. > > >\/ < < < < < < < < < < < < < < <\_| \/ http://www.eesh.net/angryflower/telus.gif