The Phone Punx Network Presents --Phone Punx Magazine-- ----Issue one---- "Carjackers of the Information Super Highway" April 26, 1999 Last Updated: May 04, 1999 http://fly.to/ppn phonepunx@yahoo.com Contents ~Intro by Mohawk ~Seuss -Better Homes and Telephone Surveillance -Paper chase ~Security Breach -NOKIA 2160 NAM PROGRAMMING INFO by Maniac ~Scamming by Nothing ~Beating the Caller ID by the Fixer ~Lineside - LMOS/MLT CODES AND MEANINGS - Field Techs and Wiretaps ~Controlled Environmental Vaults by Tom Farely ~Cyber Culture - The impact of the flag burning amendment by Mr. X2 - Cyber McCarthyism by Mohawk .....The Staff of Phone Punx Magazine..... Mohawk..................Editor in chief Seuss ......................FAQ editor/Head tech. writer Czechmate...............Staff writer Phear.......................Staff writer/Graphics Admiral...................Staff writer Lineside...................Staff writer Black Axe...............Staff writer Maniac....................Staff writer/Head writer of Security Breach .....Magazine Information..... -Disclaimer All information is protected by the 1st ammendment. However, this information should not be used in any other way except education. Our purpose is to provoke thought and we might even entertain you, if you're good. Nothing in this issue has been tested and we do not garuntee that it will work. We cannot assure your safety both legally and phsically and what the hell, mentally if you try anything in this issue. -Release Dates Phone Punx Magazine is released about every 4 months, however there is no set release date. Issues can come out a day or a year after the last one but we will try to stick to around 3 to 4 months. -Writers Wanted We are always looking for more writers. If you want an article published or if you would like to become a regular writers, send us an email. We would really like to concentrate on phreaking and large phreaking projects. That is why the release date for new issues is 3 to 4 months, instead of 2 months like the OCPP. However, not all articles have to be related to phreaking. We are experimenting with some new sections that will cater to our audience with topics other then phreaking. If you feel that you have an article that would be of interest to phreaks but it is about hacking, cyberculture, etc, let us know and we will evaluate each article on an individual basis. We are also looking for ways to compensate our writers for thier time and effort in writing articles. We will add a link to your webpage but we may also start a page where we will post a banner or two of your choice. Any other suggestions are also welcome. -Distribution Sites Help us spread the magazine to a wider audience by becoming a distro site. All you have to do is keep the issues on your website with a link to them somewhere. Not only will this help us reach more people, but our readers will have another place to get the zine if something happens to the site. Email us before you set it up because we need people to distribute the zine, past issues of the OCPP, and the FAQ too. If you would like to distribute all 3, you will revcieve a special link on our page because your just such a nice person. -Network Links The Phone Punx Network is more than just one webpage. We hope to span several webpages that will encompass member websites and distro sites. To get a network link you must be a staff writer or be involved with the PPN in another way and have a website that is related to phreaking in some way or another. If you can't do that, become a distro site and provide a link back to us. A Phone Punx Network link graphic will be made soon and must appear on the main page of the site (it won't be that big). -Issue Updates Issue updates will occur when the warrant. To make sure you always have the freshest issue of PPM, check the "last updated" date on the top of the issue. It is important that you always have the latest issue because we do screw up often and we are always fixing our mistakes. To be notified of updates of the issues, join the mailing list. -Mailing List To stay up to date with the latest in the Phone Punx Network sign up for the mailing list. You will be notified of the release of new issues, updates to past issues and other PPN news. All email address are kept confidential. Just send an email to ocpp@hotmail.com letting us know you'd like to subscribe. -Links Please update your OCPP links. Change the name to Phone Punx Network and the URL to http://fly.to/ppn, if you have a link to us on your page, let us know and we'll link you back. -Letters We will print your letters. If you would like to make a comment, ask a question, or whatever, send them in and we will publish them. If you don't want your letter published, just let us know. -Contact Our email address is phonepunx@yahoo.com To subscribe to the mailing list send an email to ocpp@hotmail.com Copyright info is located at the end of the issue. Intro by Mohawk Two years since the release of the first issue of OCPP, we are back with a new name, look, purpose, writers, etc. Change is good. Where did we go, why the change, what the hell is the PPN/PPM????? . Well let's start from the begining. You might want to skip this whole paragraph if you don't want to read this boring stuff but I do owe the readers an explanation. I warn you, it's nothing exicting. Around the time of the release of OCPP 10, I was thinking about changing the zine and the page to suit the ever changing needs and goals of our staff and our readers. The zine grew into something I never thought posible. It was just a little hobby thing by a couple of people but it wound up being a zine that had a pretty big readership (with no outside help) which many people look toward as a sign of authority, reference, help, etc. I still can't believe it that people refered to us when they we're having problems with something or some people saying that we we're the best zine. While some may or may not dispute that, it isn't our goal. Those we're just people's opinions but it was still amazing to see that stuff. So I wanted to change the format of the zine and the webpage. Between changing the zine and the webpage, maintaining the FAQ, releasing a new issue, and all my real life activites I just couldn't handle it all and I didn't want to release a half-done issue. Around that time, most of the page went down due to someone canceling thier account where we had most of our stuff. Now on top of that all those other things I had to do, I had to put the page back up. A few months after that, ml.org went out of business so almost all of our links were dead so we had almost no traffic coming to the site. Life just kept swamping me with things I had to do but a couple people reminded me around the same time about the zine and I decided I had to get to work on it any chance I get. As I said before, we changed everything to keep up with the changing needs and goals with the zine and the readers. This zine will be forever changing and we will be experimenting with new things. Your input will greatly affect what does and does not go in the zine. Let us know what you like, don't like, or would like to see in the zine. This will still be a phreaking zine but we will also cover other topics such as cyber-culture, hacking, technology, and anything else that we feel our readers might enjoy. We hope to focus on big phreaking projects so that is why the projected release date has been made every 3 to 4 months instead of every 2. The Phone Punx Network, or PPN is made of former OCPP members and other people that help us out in one way or another. Some people are involved with writing the zine, distributing it, writing the FAQ, or anything else that helps us out. By dividing up the work, we are able to bring you a better product. The Phone Punx Magazine is the zine put out by the some of the members of the PPN. Not all PPN members are involved in the zine. All of this is still in it's early stages so this is all subject to change. We are looking for people to get involved in the PPN, email us for more info. Of course, we will always need articles and staff writers. We hope that you enjoy the new format. Things will be changing constantly. We also need people to update thier OCPP links. Change the name to Phone Punx Network and the URL to http://fly.to/ppn, if you have a link to us on your page, let us know and we'll link you back. Send us your comments, questions, and suggestions. Also, this issue is a compilation of articles from the 10th issue of OCPP that never came out and new articles. As we get established the quality and quanitity of the articles will increase. ~Seuss Suess maintains the Alt.Phreaking FAQ, visit the webpage at: http://members.tripod.com/~SeusslyOne/ Better Homes and Telephone Surveillance by Seuss Tapping Phones is old (and black) hat to many phone phreaks. Keeping your tap undetected for a long period is another matter however. Some taps are so poorly made or implemented that spy-shop 'tap detectors' will pick them up. Below are a few suggestions on how to keep your surveillance on the down-low a little longer by using techniques and tools somewhat more advanced than a beigebox. * Physical hiding No matter how well designed or installed, if the person you're monitoring sees your device, you're screwed. Hiding your tap might seem obvious, but remember to be creative. If possible, don't hide the tap on or anywhere near their property. Tracing their line down to a little used wiring cabinet far away is an option. Secreting away your tap in a pedestal terminal or wiring enclosure is easier, but runs the risk of a telco employee finding it. A common solution among 'pros' is to set up a dummy demarc box or other official looking cover for their tap (Foraging in the back of company cherrypicker trucks or the Graybar catalog are the best sources for these things). If you're setting up a fake demarc or have enough time and privacy to mess with a real enclosure, find the connection point for the pair you want to tap and draw traces from them to the back of the circuit board or connector block with metallic paint. Paint over your traces and no one is likely to be the wiser. Large wiring cabinets have fat bundles of wire at the bottom of the blocks, why not secret your device away in the middle of it or split the monitored pair here? The Phone Book by M.L. Shannon has some excellent ideas on hiding phone taps and bugs. * Defeating sweep procedures Balance tests: Resistive balance tests are a standard step in phone sweeps. Effectively a technician measures the resistance from each side of the pair to an earth ground and looks for discrepancies, as series taps generate a large imbalance. (Yes, I know that a proper tech would likely run a more accurate stress balance test) After installing a series device, run a balance test yourself and add a potentiometer or a few resistors so the line is more or less perfectly balanced (within 10 ohms should do it). Make sure the total resistance doesn't go up too far, and remember that the line needs to be disconnected at the CO to measure resistance. Tone Sweeps: Is anyone still using harmonica bugs? I hope not, as these are some of the easiest things for a TSCM tech (or for that matter anyone who can dial a tone sweep) to defeat. *DO NOT* use cheap tone activated taps or bugs. For those of you with a DIY bent, using a series of DTMF tones to trigger a device would be a much better option. You'll want to make a note that wardialers might set one of these off. To overcome the possibility of someone activating the tap by dialing the phone, use A B C D tones or start the code with something a customer usually doesn't dial (like X11 codes that are out of use in your area). Resistance and Capacitance checks: The most obvious way to check for phone taps is to measure the resistance of the line under the correct conditions. If the resistance is much higher than it should be, there's likely something there. Logical. BUT if the line contains a bridged tap or the cable is (physically) wet, the resistance of the loop is altered. If your tap resides on a line with such a flaw, anyone checking the line will likely chalk the resistance discrepancies up to the bridged tap after checking for AC faults. For those of you lacking the several thousand dollars for a line analyzer to determine bridged taps etc. yourself, call the phone company and ask about having 'your' line tested for ISDN or DSL readiness. In order to qualify for high speed services a line must have minimal amounts of bridged taps and no loading coils. Time Domain Reflectometers: These things are stock tools of the TSCM trade and the phone company. A TDR can map out almost anything on a line (like your tap) if used properly. It's unlikely that you'll have to worry about a TDR being used to find a tap unless you attempt to surveil a big company or government agency. Hooking up your tap up behind a loading coil and/or behind a bridge tap will help obfuscate it, but it can still be found through near end/far end crosstalk analysis (its an even bigger pain in the ass than it sounds). * Tricks for sneakier taps Coils and Hall-Effect transistors: Using an induction coil (or electric guitar pickups...) around the pair will make for a VERY hard to detect tap. There’s a debate about the ability of even a good waveform TDR to find such connections. Hall effect transistors give the same result, but with better audio. Splits: Split the pairs and make a sweeper miserable. Find a dead pair in the same binder group as the pair that you want to monitor, and connect it to the pair you want to tap tip to tip and ring to ring and put your tap on that. Anyone finding it will likely chalk it up to an old splice. Series taps: Install series taps as close as possible to the target telephone. Putting a series imbalance (like the one caused by a tap or dropout relay) in an area of high current (near the CO) creates a hum on the line. This is an important point if you're intercepting data. Modem users tend to notice when several kbps are chopped off their connect speed overnight due to line noise. Parallel taps: Install parallel taps as far as possible from the subject phone. Methods of sweeping using o-scopes in conjunction with a tone sweep are less and less effective the farther away the device is. DATUs: Using the audio monitor of a DATU would be the greatest way to monitor a phone, but to the best of my knowledge no one has done it yet. Due to the problem of how the signal is inverted, it’s quite possible that it can't just be reinverted into clear speech. If someone finds out, please drop me a line. Paper chase by Seuss I've noticed most phone phreaks are rather disorganized. I, quite frankly, don't give a damn about the state of other people's living spaces; until someone loses a manual or document of MINE in their tide of crap. If the idea of pissing off your compatriots doesn't bother you terribly, what about rooting through your stuff struggling to burn credit card receipts after you're tipped off that the feds are preparing to come a'knocking. Before you start overhauling all your paperwork it's important to distinguish between notes and archives. Your notes should be in a small, unobtrusive notebook. In here you should have the dialups, passwords, et. al that you use on a constant basis. Archives are your reference library; things that you don't need at your side 24/7. Archives can be squirreled away with minimum inconvenience. Keep your archives together. A filing box is ideal if you have a slew of loose stuff. Accordion folders are great for smaller collections. If you go trashing a lot get a heavy cardboard box too so you can throw your unsorted papers somewhere. Make an effort to empty and sort it regularly. Locking up your documents might be a good idea if you have nosy siblings/roommates/parents. Remember to keep a spare key somewhere in case your first is lost, or you want someone else to open your files in an emergency. Note: cover plates for light switches make ideal places to hide keys. Be picky about what you keep in your archives. Credit card receipts, cellphone contracts and other incriminating documents should have the important parts transcribed and the originals be disposed of ASAP. If you want to get rid of something do it right and destroy it. I don't care what claims pen companies make about "indelible" ink, lighter fluid or WD-40 has dissolved every ink I've ever run across. Most phone phreaks are broke, so buying a shredder is usually out of the question. For those of you with greater resources try to spring for a cross shredder, as it reduces paper to confetti. Burning docs is cheap, effective as anything, and can usually be done quickly. Having a special furnace or burn box for emergency burning is the best idea. Remember that grinding ash to powder also helps, and that many plastics generate toxic fumes. Digital documents require different handling, but allow you to show off more of your cleverness more in hiding them. No matter what, you must ENCRYPT YOUR FILES!!! From here you can interlace your docs into .gif or .jpg files, insert them into program as comments in the code (I have a copy of my phone directory in a copy of PGP I compiled myself), or post them on webservers as undisplayed files (especially handy in case of formats, crashes, beer spills, etc). Remember not to hide files on your k-rad phreaking page, put up an innocuous front. I've accumulated ALOT of stuff in my time, and a lot of it I keep on tape. After a minute of so of music have recordings of you reading off dialups, passwords, notes, or whatever else you might have. If you have a passion for older computers, many of them held data on audio tape..... ~Security Breach Maniac Read back issues of Security Breach on the PPN zine archive. NOKIA 2160 NAM PROGRAMMING INFO by Maniac 1. NOKIA 2160 NAM PROGRAMMING INFO (Maniac note: this is verbatim from the the original sheet. I can probably scan the original sheet for those who are interested. It has some display pictures on it, which I can't include in text.) NOKIA MOBILE PHONES, INC. FOR AUTHORIZED DEALER USE ONLY NOKIA 2160 SERIES CELLULAR TELEPHONE NAM PROGRAMMING INSTRUCTIONS All Nokia 2160 cellular telephones are capable of supporting authentication. The programmer must decide which form of A-Key is desired for use. The two options are either RANDOM or DEFAULT A-Key. If the RANDOM key is desired for use, use the quick NAM programming sequence. If a DEFAULT A-Key is desired, then the complete NAM programming method is used to program NAM location number 2. The clear key can be used to correct mistakes. MENU DRIVEN EASY NAM PROGRAMMING FOR THE NOKIA 2160 P2/EFR HANDPORTABLES USE FOR A RANDOM A-KEY 1. Turn on the phone and enter programming access code (*#639#) 2. Enter the 10 digit area code and phone number and press the 'send' key (or the 'OK' soft key in display) 3. Enter system ID code (SID) supplied by cellular service provider (1-5 digit SID) and press the 'send' (or 'OK' ) key. *Optional settings are language and lock code (see below) *Programming is completed *Phone automatically powers off then back on NOTE: Change the lock code by adding a pound sign and a new lock code after the SID. (Example: 175#7788 ; Lock code = 7788). Change the language by adding a pound sign and a new language code after the code (Example: 175#0 ; Language = English). Language code: 0 (default) = English, 1 = French, 2 = Spanish, 3 = Portuguese Change the lock code and language code by separating each set of numbers by a pound sign (Example: 175#7788#2 ; where the SID = 00175, Lock code = 7788,Language = Spanish). COMPLETE NAM PROGRAMMING INSTRUCTIONS USE FOR DEFAULT A-KEY ACCESS NAM PROGRAMMING MODE: 1.Turn the phone on. 2.Enter the NAM access code. Factory default is: *3001#12345[MENU] 3.If the screen to the right appears, you have entered the access code correctly. (Maniac note: screen to the right looks like this: see below Field Test NAM 1 NAM 2 If it does this you're in luck) If after several attempts you cannot access NAM programming, it is possible that the access code has been changed, or the phone is in need of service. MAIN MENU SELECTION 4. Press the [Scroll-Key] up or down until the indicator points at the desired menu option. Select from the following: NAM 1 NAM 2 NAM 3 Security Emergency SW version Serial No. Programmed Field Test 5.Press the [Select] soft key to access the Sub-Menu from and of the above Main Menu selections. PROGRAMMING NAM's 1 THROUGH 3 6. Press the [Scroll-Key] to scroll through the selected NAM parameter list. An optional personalized wake-up message can be programmed during the "Own Number" sequence by pressing the [ABC] key and entering the text. 7. If the value is incorrect, press the [Select] soft key and use the numeric keypad to make any changes. HOME SYSTEM ID HOME SOC OWN NUMBER PSID/RSID LISTS(Note 1) DEFAULT SETTINGS "DEFAULT SETTINGS" NAM STATUS (Enable/Dis) ACCESS METHOD LOCAL OPTION PRIMARY PAGING CH DEDICATED A CCH DEDICATED A NUMBER DEDICATED B CCH DEDICATED B NBR OVERLAOAD CLASS GROUP ID SID ALPHA TAG CNTRL A-KEY CODE PUBLIC SYSTEMS PRIVATE SYSTEMS RESIDENTIAL SYSTEMS 8. Use the [OK] soft key to store the new information that has been entered. 9. Repeat steps 6 through 8 for the remaining NAM parameter options to be viewed and/or changed. 10. To program other NAMs, press [Quit] to return to the Main Menu. Select NAM 2 or NAM 3. Once the Home System ID and Own Number are programmed, the phone will automatically set the NAM Status to enabled. PROGRAMMING THE SECURITY CODE: 11. From the Main Menu, use the scroll keys to select the "Security" Sub-Menu, then press [Select] and the current 5-digit security code will be displayed. The default value is 12345. 12. To change the Security Code at this time, use the numeric keys to enter the new value. 13. Press the soft key [OK] to store changes. Note: The Lock Code will be automatically changed to the last 4 digits of the new security code. PROGRAMMING EMERGENCY NUMBERS: 14. From the Main Menu use the scroll key to select the "Emergency" Sub-Menu, press the [Select] soft key to access the emergency numbers. EMERGENCY NUMBER 1 (911) EMERGENCY NUMBER 2 (*911) EMERGENCY NUMBER 3 (None) 15. To change the current value, use the scroll key to select the desired field and press [Select]. Use numeric keys to enter new values. 16. To save the value, press the soft key [OK]. Press [Quit] to exit the menu. SERIAL NUMBER (ESN): 17. From the Main Menu, use the scroll key to display the "Serial No." or ESN of the phone. Press [Quit] to exit the menu PROGRAMMED: (DATE THE PHONE IS FIRST PROGRAMMED) 18. From the Main Menu, use the scroll key to display the "Programmed" menu 19. Press [Select] and enter a four-digit number that corresponds to the month and year the phone is sold. Example (mmyy) 0197 = January 1997, 0996 = September 1996. NOTE: This menu location can be programmed only one time. Once the date has been entered it cannot be changed. Any attempt to enter the menu once it has been programmed will receive a short beep and the message "DATE ALREADY STORED". EXITING NAM PROGRAMMING: 20. To exit the NAM programming mode, turn the phone off and leave it off for five seconds. DEFAULT CODES: Lock Code = 1234, Security Code = 12345 System Acquisition; Public/PSID/RSID Access Code = 123456. FIELD TEST: The FIELD TEST MODE is used to investigate how the phone is reacting to the cellular system. The FIELD TEST information covers signal strength, battery charging status, cellular state and encryption status. The information is designed to display information relating to Analog Control Channels, Digital Control Channels, Analog Voice Channels, and Digital Voice Channels. All the information provided in the FIELD TEST display is in accordance with IS-136. To activate the FIELD TEST mode you must be in NAM programming. Instructions for entering NAM programming are on the opposite side of this page. (Maniac note: In this case, opposite side means see above). Use the following steps to enable the FIELD TEST mode. From the Main Menu use the scroll key to display the "FIELD TEST" menu and press the [Select] soft key. Use the scroll key to select Enable and press the soft key [OK]. A second option is available to enable the field test display with back lighting constantly illuminated while connected to a car kit. Turn the 2160 off then back on. Once the power up self-test is complete, the FIELD TEST display will begin automatically. Scroll through the different displays using the scroll key. To disable the FIELD TEST mode, return to NAM programming and disable the function under the FIELD TEST menu. PROGRAMMING PSIDS AND RSIDS: The Nokia 2160 provides the option to program Private (PSIDs) and Residential (RSIDs) System ID's as prescribed by IS-136. The PSID/RSID list is programmed to support system selection/re-selection processes and SID display functions. The Nokia 2160 P2 product will support up to 15 different Private or Residential Systems. These instructions allow a person to program 5 of the 15available locations. The other 10 locations are reserved to ensure available locations for automatic programming. Using the NAM programming menu to program the PSID/RSID is just one of the several ways that this information can be programmed. The phone also supports automatic programming of the PSID/RSID values via registration accept message from a Public & Private system, manually prompting with System Scan Sub-Menu option New Search, or via Over the Air Programming. Follow these instructions to program the PSID/RSID lists 1. Enter the NAM programming menu and select NAM 1 (or desired NAM). (Note: PSID/RSID is currently only available in the NAM 1 location. PSID is included in NAM 2 and 3 for future use.) 2. Use the scroll key to display "PSID/RSID LISTS" and press [Select]. 3. Use the scroll key to select the P/RSID 1 or the desired P/RSID (1 through5). Press the [Select] soft key. 4. Each list contains: SYSTEM TYPE: Select Private or Residential system type. PSID/RSID: System ID of the Private or Residential system. Indicates which PSID/RSID the mobile will respond to. CONECTED SYSTEM ID: Connected System ID. The SID that the PSID/RSID is connected to. ALPHA TAG: The name of the Private or Residential SID that will be displayed when the phone uses the PSID/RSID. OPERATOR CODE: (SOC) This is the System Operator Code. US-AWS=001, Canada-Rogers CantelInc.=002, Bell South Cellular=003, Southwestern Bell Mobile Systems=004, Vanguard=007, Century Cellunet=008, Pacific Telecom Cellular=009, Midwest Wireless Communications=010, Rural Cellular Corporation=011, Cellular Mobile Systems of St. Cloud=012, Palmer Wireless Inc.=014 COUNTRY CODE: Enter the Country Code of the PSID/RSID. PUBLIC SERVICE PROFILES: Contains up to 4-channel and color code values for each private or residential system. This information is necessary to initiate scanning for the Private or Residential System. PRIVATE OPER. FREQUENCIES: Enter the actual channel number(s) that the private system uses. Up to 4channels per PSID/RSID are allowed. ---------END---------- Unfortunately, I don't own this model of phone, so I couldn't test any of this information. But it's straight off the manufacturer's sheet, so it should all be correct. I did have to fix a few typos though...Maniac Scamming by nothingg Six Flags Great Adventure: Well now right away don't be distracted by the fact that I put Great Adventure. For all I know these could work at ANY theme park, but I FOR SURE know they will work at Six Flags Parks, and I have experience at Great Adventure. 1. Employee Notice 2. Ok, so how do I get in?! I'm broke!!! 3. Whew! It's hot! I need a drink, but I'm still broke!!! 4. Ai-ite, it's night, but now I'm hungry, and still broke!!! 5. Hey check out this laser tag game, however, I'm broke!!! 6. How would I go about changing my monetary status? 7. I need to go home, but my redbox's all wet and I have no change!!! 1. Well, if you work there, like I no longer do (I quit) DON'T BE A FOOL! Don't even attempt to steal money and watch it while sneaking a pretzel or churro or funnel cake, They're watching. By they I mean the Loss Prevention Department. They're high tech bastards. Ok, ever see on TV those tiny pencil point type cameras? Oh yeah, they use those, ALOT of them, and they don't just monitor, they RECORD. I've seen too many friends go down like this. Stealing money WILL get you caught. By the way, don't pull ANY of these Six Flags scams if you work there or plan to work there, many employees will recognize you and report you. This is a precaution, do what you want, but as a FINAL warning, PLEASE be careful, and ALWAYS remember, you leave footprints wherever you walk, COVER THEM GOOD! 2. On to the goods. You're standing outside the gate. You do NOT have a ticket. How the hell are you going to get in?! Well, ALAS, there is only one way I know of. Great adventure uses a stamp that can barely be seen as a yellow stamp, but glows in the black light. Now many of us have this stupid SpyTech inkpad which can only be seen in the dark. If you have that you're so set, smear some on your left hand and walk into the re-enter gate. If they ask questions get REALLY bitchy and say you aren't a slob and you wash your hands, it seems to be smeared, anyhow, bitch until you get in, whatever you do DON'T GIVE UP. That's how you get caught. Well, in the case that you have NO IDEA what SpyTech is cuz you weren't an eleet little kiddo like I was, you're not out of luck! As long as someone in your party, preferably a clean someone, has a season pass or a ticket. In this case, let them go in, then they should come out and get their hand stamped. Next they should find a secluded place to meet you. Now comes the cool part, Lick your hand, get it really wet (you could always use the water fountain, but saliva ALWAYS seems to work better). Smack your left hands' together until the saliva/water forms an airtight seal, and PRESTO! you are both stamped! Now, don't be an idiot and come in at the same time as your friend, people may get suspicious. 3. Ok, so now you're hot, thirsty, and broke, right? Get over it, go to the water fountain! Haha, just kidding. Now the only choice is do you want soda or water? Water is the easy one, go up to a stand with a soda fountain and say, can I have some icewater, but none of that expensive poland spring shit. Now, soda's a little trickier. You'll have to be with another person for best results. Go up to a stand with a fountain and say, my friend and I both want some water, can we have it in a big cup so we can share it? Now cups aren't counted so they'll usually be happy to oblige, and if they aren't...BITCH! The customer is #1 all the time, they'll give it to you. Now, I know what you're thinking, now I just have a big water idiot! Well, spill it out, or drink it if you so desire. Go up to another stand that has a fountain (out of sight from the first> and say that you spilled your soda/juice. They'll give you a new one, company policy, and even if they don't believe you, just act cool and don't worry, they'll do it, it's company policy. 4. Hungry eh? Well you have a few options here. You can get anything for free, no problem. Lets start small: fries. Make sure you know exactly what you want. Lets say you want fries and a burger. Go to a place that has MANY ordering windows. Go up to one and say you dropped your burger and fries, but make sure you remember EXACTLY what you told them you dropped. They should give it to you no problem, and if they don't, you guessed it, BITCH. Now if they ask you WHERE you dropped it, just say oh, over by the (insert ride name here), some asshole bumped into me, he didn't even apologize (go on until they're sick of you're little spontaneous story) and they'll give it to you. Now, if you want to risk getting thrown out of the park, go for the biggs. There are two big places in the park to go to: the grill and the pizza place. Now, lets say you want a 4 person order of ribs, which comes to like $40. Now that's a scam, so take your time and stalk the restaurant. Wait until you see one of the cashiers get replaced and when the supervisor who accompanied them leaves, and get on their line. If for some reason you get on the line of a cashier who's been around, abort. Now once you get in this person's line and remember your order good and come up with an exact place where you "dropped it" and a BIG story, and STAY calm while keeping in mind, it IS company policy to replace dropped food. Tell the cashier what you dropped where you dropped it and your sob story. Now, first thing they'll ask you is, do you have you're receipt? Of course you don't so search your pockets and after pulling out no receipt say that it must have been on one of the trays. Now the next question they'll ask is where you dropped it so they can get someone to (wink)(wink) clean it up. A.K.A. check out if you really dropped it. Your response must be immediate and sound something like: well when I dropped it these grounds guys wearing green clothes said they'd clean it up for me and told me that I could get a replacement. This should get you either food or a manager. If you get a manager, retell the SAME story and they'll probably ask you to sign something which you should proceed to do with a false name. If none of this works walk away cursing under your breath loud enough for them to hear you and loudly say, I am going to complain, and I'm never coming back to great adventure again (loud enough to get everyone in the restaurant's attention). If this STILL doesn't work, then you're out of luck, keep walking. 5. Well, if you've never played laser tag, definitely pull this one off. All you have to do is pay for a game, play it, and there's a big timer at the top, when it gets down to the last minute, scream for the attendant and act VERY frustrated with your laser. Tell him it doesn't work and it hasn't worked since the game started, act really bitchy and shake the laser. When he tries it say "See, see!!!" He'll say that it's working perfectly. But you must claim that it isn't. By now the game should be over, and you've had your 14 minutes. Now bitch to the attendant at the desk and he'll either give you a refund or a free game, and if you don't want the free game, bitch until you get a refund! 6. No money? Need money to play Area 51 at the arcade and try to beat me but I am #1 (NIN) anyhow, perhaps you want to win a souvenir for you're girlfriend. These are too risky to scam, so here's what you do. Walk around the park, find 2 arcades and 2 soda machines, the expensive bottle ones. Now tell the attendant you stuck a dollar in the change machine and no change came out, tell them you stuck 2 dollars into the soda machine but the light blinked and NO soda came out, and you pushed ALL of the buttons, you should come out with around 6 bucks, more than you had before. This is a fairly well known trick, but whatever you do, do not claim to have put a $5 in because they open the machine and look at the last 3 bills, and if none of them are $5's, they warn the park about a possible scammer and you're screwed out of ANY type of scamming. 7. Now this one is kind-of Great Adventure specific. There is a giant chair that morons pay like $10 to get their picture taken in. At night the chair is closed due to lack of light. BEHIND the chair is a phone. Since you're a Phreakish Punk, pick it up dial 9, your area code and your number. And nobody will notice, because you are behind a GIANT chair! Anywhere else, just look for a phone with nobody around and use it, be careful though. Thanks for putting up with my typos and I hope this has taught you a bit about scamming Six Flags to death, but wait! There's more, non-six flags scams! Ok, here's the generic scam section. 1. I'm at the movies, but drinks are $3, help me! 2. Mall + Broke + Hungry = scam! 3. Final Note (Springer) 1. Well here's the deal, go over to a garbage can and pull out a cup. Most movie theaters offer free refills. Take a key or any sharp object and poke a tiny hole in the bottom of the cup. Now splash some water on your shirt in the bathroom or at the water fountain. Bring the cup to the attendant and say I'd like a refill of (insert beverage here) but my cup has a leak man, can I get a new one? They'll give you a new one, with unlimited refills of course. 2. Ok, so you have the situation set up what are you going to do? Well, all these Chinese places are willing to give out samples and so is roli boli. Pass by those places and pick up some samples. Now put a hat on and get some more. Next it's time for desert. Go over to McDonalds and say can I have a free sample of ice cream. They'll give it to you, in a nifty little cone too. 3. Well as my final note, I'd like to say that neither nothingg (me) or the PPN or the Twisted Nickel endorse using any of these methods to rip off evil domineering companies nor to we encourage using these methods. I am merely pointing out the many flaws in a system thought to be perfect. ~ nothingg Please send any questions to n0thingg@hotmail.com Beating Caller ID by The Fixer v.1.03 (C) 1998 The Fixer's Tech Room For free distribution - you may freely repost & distribute this but not for profit without permission of the author. See further restrictions at the end of this file. To start off with - 12 Ways to beat Caller ID (0) This doesn't count as a way to beat CID, but there's a general principle to consider when contemplating ways to beat CID. Generally, the CID signal your target sees corresponds to the owner of the dial tone you call him from. If you call direct, you dial from your own dial tone and your line is identified. If you call a third party, and by whatever means manage to acquire his dial tone, and from there dial out, it is the number associated with that second dial tone that your target sees. Some of the ideas following this were developed with this basic idea in mind. (0.5) This also doesn't count, but remember that beating Caller ID as such is only the first layer of your protection. If your calling is sufficiently annoying or criminal, there is *always* a paper trail (ANI data, billing data, trouble reports, *57 traces, etc) leading back to the phone you first called from. That trail is not always easy or worthwhile to track you down with. Whether or not the trail is followed depends entirely upon how pissed off your target is and how much co-operation he can get from the phone company, law enforcement, etc. (1) Use *67. It will cause the called party's Caller ID unit to display "Private" or "Blocked" or "Unavailable" depending on the manufacturer. It is probably already available on your line, and if it isn't, your local phone company will (most likely - please ask them) set it up for free. This is the simplest method, it's 100 percent legal, and it works. (2) Use a pay phone. Not very convenient, costs 25 or 35 cents depending, but it cannot be traced back to your house in any way, not even by *57. Not even if the person who you call has Mulder and Scully hanging over your shoulder trying to get an FBI trace (sic). Janet Reno himself couldn't subpoena your identity. It's not your phone, not your problem, AND it will get past "block the blocker" services. So it's not a totally useless suggestion, even if you have already thought of it. (3) Go through an operator. This is a more expensive way of doing it ($1.25-$2.00 per call), you can still be traced, and the person you're calling WILL be suspicious when the operator first asks for them, if you have already tried other Caller ID suppression methods on them. (4) Use a prepaid calling card. This costs whatever the per-minute charge on the card is, as they don't recognize local calls. A lot of private investigators use these. A *57 trace will fail but you could still be tracked down with an intensive investigation (read: subpoena the card company). The Caller ID will show the outdial number of the Card issuer. (5) Go through a PBX or WATS extender. Getting a dial tone on a PBX is fairly easy to social engineer, but beyond the scope of this file. This is a well-known and well-loved way of charging phone calls to someone else but it can also be used to hide your identity from a Caller ID box, since the PBX's number is what appears. You can even appear to be in a different city if the PBX you are using is! This isn't very legal at all. But, if you have the talent, use it! (6) I don't have proof of this, but I *think* that a teleconference (Alliance teleconferencing, etc.) that lets you call out to the participants will not send your number in Caller ID. In other words, I am pretty sure the dial tone is not your own. (7) Speaking of dial tones which aren't yours, if you are lucky enough to live in an area with the GTD5 diverter bug, you can use that to get someone else's dial tone and from thence their identity. (8) Still on the subject of dial tones that aren't your own, you can get the same protection as with a payphone, but at greater risk, if you use someone else's line - either by just asking to use the phone (if they'll co-operate after they hear what you're calling about) or by the use of a Beige Box, a hardware diverter or bridge such as a Gold Box, or some other technical marvel. (9) This won't work with an intelligent human on the other end, it leaves you exposed if the called party has a regular Caller ID box with memory, and has many other technical problems which make it tricky at best and unworkable for all but experts. A second Caller ID data stream, transmitted from your line after the audio circuit is complete, will overwrite the true data stream sent by the telco during the ringing. If the line you are calling is a BBS, a VMB, or some other automated system using a serial port Caller ID and software, then you can place your call using *67 first, and then immediately after the other end picks up, send the fake stream. The second stream is what the Caller ID software processes, and you are allowed in. See the technical FAQs below for an idea of the problems behind this method; many can be solved. (10) Someone in alt.2600 (using a stolen AOL account, so I can't credit him or her properly) suggested going through 10321 (now 10-10-321) or 10288. Apparently using a 10xxx even for a local call causes "Out of Area" to show up on the Caller ID display. I live in Canada where we don't have 10xxx dialing so I can't verify nor disprove this. (11) There are 1-900 lines you can call that are designed to circumvent Caller ID, ANI, traces, everything. These services are *very* expensive, some as high as $5.00 a minute, but they include long distance charges. This was first published in 1990 in 2600 magazine, and in 1993 the IIRG reported that 1-900-STOPPER still works. Beware - even if you get a busy signal or no answer, you will get charged at 1-900 rates! Another one published in 2600 in 1990: 1-900-RUN-WELL. That one supposedly allows international calls. I'm not about to call either one to find out. Note that you could still be caught if the operators of these services were to be subpoenaed. (12) Use an analog cellular phone. Most providers of plain old analog service show up on Caller ID as "Private" or "Out of Area" or a main switchboard number for the cell network. This is becoming less and less true as cellular providers move to digital cellular and PCS, which pass the phone's number on Caller ID. Corollary: Rent a cellphone by the day. This might even be cheaper than using a prepaid phone card. How Caller ID Works Caller ID is a data stream sent by the Phone Company to your line between the first and second ring. The data stream conforms to Bell 202, which is a 1200 baud half-duplex FSK modulation. That is why serial Caller ID boxes run at 1200 baud. The data stream itself is pretty straightforward. Here's an example: UUUUUUUUUUUUUUUUUUUUUUUUUUUUUU€'^D 032415122503806467x The first thing of note is the 30 U's. Those are actually sync pulses. A "U" is 55 hex, or 01010101 binary. This is called the "Channel Seizure Signal." After that comes 130 milliseconds of 1200 Hz (the Bell 202 "mark" frequency) which usually shows up in the datastream as a character or two of garbage. That is followed by the "message type word", which is 04 hex for standard Caller ID, 07 hex for Name & Number. A word, by the way, is 8 bits for our purposes. That is followed by the "message length word" which tells us how many bytes follow. The next four bytes are the date, in ASCII. In the example above, the date is 0324, or March 24th. The next four bytes after the date are the time, also in ASCII. In the example, the time is 1512, or 3:12pm. The next 10 digits is the phone number that is calling. In the example, the phone number is 250-380-6467. The number is also in ASCII and doesn't contain the hyphens. Some phone companies will leave out the area code and only transmit 7 digits for a local call, others will always send the area code as well. If this were a name-and-number Caller ID data stream, the number would be followed by a delimiter (01h) and another message length byte to indicate the number of bytes in the name. This would be followed by the name itself, in ASCII. If this call originated from an area that doesn't support Caller ID, then instead of the phone number, a capital "O" is transmitted (4F hex). If the call was marked "private" as a result of the caller using *67 or having a permanent call blocking service, then instead of the phone number, a capital "P" (50 hex) would be sent. The very last byte of the data stream is a checksum. This is calculated by adding the value of all the other bytes in the data message (the message type, length, number and name data, and any delimiters) and taking the two's complement of the low byte of the result (in other words, the two's complement of the modulo-256 simple checksum of the CID data). Some Technical FAQ's Q: When I block Caller ID with *67, does it send my number anyway and just set a "private bit" so that the other person's Caller ID Display unit won't display it? A: No. The person you're calling doesn't get your phone number anywhere in his data stream if you block your call that way. All he/she gets is "P" and the date/time of the call. I would like to refer to an experiment I performed in March, 1998 with a Serial Port Caller ID, which delivers the raw data stream to a PC for software interpretation. The following Usenet message (edited for this file) is the report I published on that experiment: Newsgroups: alt.2600 From: The Fixer Date: Tue, 24 Mar 98 16:12:58 -0800 Subject: Caller ID and *67 - The Facts OK, it's time to shovel the bullshit that is piling up in this newsgroup about Caller ID. A few people are saying that when you block your Caller ID with *67, the switch sends your number anyway along with a so-called "private bit" that tells the Caller ID display unit to suppress display of the number. In order to squelch those who'd rather flame back with "show me proof" than just read a FAQ, here is the proof. These are actual raw data captures from a Bell 202 demodulator (better known as a serial port Caller ID) which I captured myself today. They prove conclusively that the "Private Bit" is a myth. Here is what I got in my raw data stream when I called my voice line from one of my BBS lines (which is unlisted, hence the PRIVATE string in the name field): UUUUUUUUUUUUUUUUUUUUUUUUUUUUUU€'^A^H03241512^A2503806467^G^OPRIVATE x This is what I got when I did the same thing with *67: UUUUUUUUUUUUUUUUUUUUUUUUUUUUUU€^P^A^H03241512^D^AO^H^AP(˙ The number I was calling from was 250-380-6467. That string is clearly displayed in the first (non *67) call. In the number field of the second call, only the letter "O" is transmitted. In the name field, only the letter "P" is transmitted. In both calls, the date and time (03/24, 15:12) is transmitted, but transmission of the calling telephone number is suppressed in the second call. There is no "private flag" suppressing display of the number by the display unit; the calling number is not transmitted at all! For those of you unfamiliar with the CID raw data stream, the U's are actually sync pulses (an ASCII "U" is 01010101 binary). The control characters are field delimiters. The first 8-digit number is the date and time in MMDDHHSS format. The second number in the first call is the phone number, in NPANXXXXXX format. That is followed by the name (for those of us with name & number CID). The ^O (0Fh) just before the name indicates how many characters are in the name - in this case "PRIVATE" is padded out with 8 spaces (20h) to make 15 characters. At the very end is an 8-bit checksum. Believe me, if I were wrong about this, there would be a huge marketing frenzy to sell "*67 proof Caller ID boxes" and I would be making a fortune selling my Serial Caller ID software, which works directly with the data streams illustrated above! Q: Can't I just send noise down the line to scramble the Caller ID signal between the rings? A: No. Your phone line doesn't generate the Caller ID signal. It is made by the switch on your calling party's line, and the audio circuit between your line and his is not completed until after he picks up the phone. Q: Do 1-800 numbers have Caller ID? Can I hide my identity from them? A: Some do have Caller ID, and the *67 block will work, but many more have real-time ANI - Automatic Number Identification. This is an older technology which uses a separate line to deliver your number, and cannot be blocked. And all 800 subscribers get a list of everyone who called them on their monthly bill, blocked or not. Q: Can I hide my identity by sending a fake Caller ID signal down the line before they answer? A: *Generally*, no. The audio circuit between your phone line and their line is not completed until the other party picks up. Once they do, they would hear your fake signal and know what you were doing... unless the person you're calling is very poorly informed or untrained. Even so, most Caller ID devices have memory and so the person you're calling could just as easily scroll back through the box's memory and find your true number. Once upon a time, the phone system worked differently, and the audio circuit WAS connected even before the called party picked up. A device called a "mute" or a "black box" was used to take advantage of this fact and allow anyone calling a line with a black box to do so toll-free. If the system still worked that way (and there's no technical reason why it couldn't in these days of digital switching) then yes, it would be very feasible to send a fake Bell 202 data stream down the line; in fact you'd hear the real one every time you called someone with Caller ID and you'd get a really good feel for the timing involved. But if it worked that way, then black boxes would also still work, and they don't. Q: How about *69? If I protect my call using *67, can they still call me back? A: Not in 604/250 anyway, and probably not most places. Some interesting notes about this: When *69 was first introduced here in 250, if you tried to *69 a blocked call, you would get a recording telling you that the number could not be announced. And it would then offer to connect you anyway! I guess it was business who asked for the change because that meant a telemarketer using *67 would have people call back and their switchboard answer "Sleazebag Marketing, how can I help you?". At that point the number was a white pages lookup away. So BC Tel, and I would venture to guess its parent company GTE and many others, changed it so that *69 won't even call back. If you find in your area that you CAN call back with *69 to a *67 protected number, you're a lucky sonofabitch! Why is that? Well, with the "old" working of *69, you may still be able to get the number of a blocked caller if you are (a) lucky and (b) patient. Take your phone off the hook until midnight (if it's a business) or early afternoon (if it's a person). THEN activate *69. No incoming calls will have come into your line since it was off-hook, so your line's *69 last-call register will still have their phone number in it, and at those times you are far more likely to get an answering machine which may spill the beans as to who called you... clever huh? Final Word Caller ID can be worked around in so many ways that it really offers no value to its subscribers. I am not against the existence of Caller ID, as I have been on the receiving end of harassing phone calls and slimy telemarketers, all of whom I've been able to put in their place thanks to this technology. There's no doubt that Caller ID can help bring those who deserve it to justice. But at the same time, we all have the right to privacy, and the option to not share your identity with someone you're calling is, and always should be, available. For this reason, I think that Caller ID should be available free on every line as part of the basic service. It's worth nothing anyway! --------------------------------------------------------------------------- That's it. This file may be updated as I receive more information. Look for updates on my web site at http://techroom.base.org or if that doesn't work, http://bc1.com/users/fixer --------------------------------------------------------------------------- This file is a freely-distributable copyrighted work. You may repost this file free of charge without modifications, but no for-profit distribution is allowed without prior arrangement with the author. Two individuals who have stolen my work in the past are hereby prohibited and enjoined from possessing or distributing this file: Pinhead the Cenobite and Jolly Roger. If you are either of these individuals, you must delete this file from your system now. If you are not, you may not knowingly allow either of these individuals to receive this file if it is in your power to prevent such reception. Retention of this file on your system or on any backup constitutes acceptance of this term. (C) Copyright 1998 The Fixer's Tech Room, a division of Whirlwind Software (British Columbia). All rights reserved. ~Lineside LMOS/MLT CODES AND MEANINGS assembled by Lineside If you didn't know, LMOS stands for Loop Maintenance Operating system, and MLT is the mechanized Loop Test. The following are codes and their meanings for the BellSouth LMOS. They may however be similar, the same or totally different in other areas. Hopefully someone out there will put these to good use. OUTSIDE PLANT (04xx) 0400 Trouble not cleared 0401 Pair change 0402 Pair cut dead ahead 0403 Pair transposed 0407 Pair reconstructed 0408 Miscellaneous 0409 Wrong pair assigned 0410 Cable 0412 Cable damage (non-telco) 0420 Non-accessible plant 0430 Accessible plant 0431 Accessible cross box/SAC etc 0440 Wire 0450 Lightwave/ fiber cable 0461 Repeater plug-in 0462 Apparatus case 0463 RT-common equipment circuit pack 0464 RT-POTS channel unit 0466 RT-Wiring/physical/etc 0467 RT-power 0468 Protection 0470 (DLC) Lockups and precaution measures 0480 Multi-channel and other loop electronics 0490 Air pressure systems PUBLIC COMMUNICATION (02xx) 0200 Other station equipment standard 0210 Full money box 0220 Enclosure/support equipment 0230 Portable phone cart 0240 Coin and card set 0250 1F2 coin telephone 0260 RACTS/OMNI phone 0270 Collect call timing device (CCTD) 0280 AUGAT monitoring equipment 0290 SMART coin telephone WIRE (03xx) 0300 Corporate com./ public wire 0340 Network interface 0350 Network terminating wire 0370 Protection 0381 Service drop wire buried/ permanent 0382 Service drop wire buried/ temporary 0383 Service drop wire buried/ cutover 0384 Service drop aerial FOUND OK- IN (08xx) 0800 Found ok- in 0890 FOK- in for data base driven services 0891 FOK- in calling card service 0892 FOK- in automatic intercept system 0893 FOK- in Expanded 911 service (E911) 0895 FOK- in watch alert 0897 FOK- in 700 service 0898 FOK- in expanded 800 service 0899 FOK- in dial it CAUSE CODES 100 Telephone company employee 200 Non-employee 210 Customer action 220 Other utility 222 Foreign worker 230 Motor vehicle 270 Telco master contractor 280 Petroleum/ chemical 300 Plant or equipment 400 Weather 410 Lightning 500 Miscellaneous 600 Unknown Central Office (05xx) 0501 Dial up port 0502 Data port 0503 Packet switch 0504 Data link 0510 CO equipment 0511 Common equipment 0512 Linkage/network/grid 0514 Billing equipment 0515 Trunk 0516 Public service trunk 0517 Office conversation 0520 Translation 0521 Generic/par. work error 0522 Generic/par. document error 0525 Line work error 0526 Line document error 0527 Network work error 0528 Network document error 0529 Line work error CCSR 0530 Distribution frame 0531 MDF cross connection missing 0532 MDF cross connection broken 0533 MDF cross-connection work error 0540 Frame other 0541 MDF cable protector 0544 Terminal wire clipping/conn. 0550 Power 0551 DC power equipment 0552 AC power equipment 0553 Ringing plant 0554 Standby emergency power 0560 Misc. equipment 0562 Line testing equipment 0563 Concentrator 0564 Range extender 0565 Carrier system 0566 AMARC 0567 ISDN service 0568 SLC channel unit 0569 SLC common circuit pack 0570 Special services equipment 0572 Wiring option 0573 Carrier channel 0574 Signaling 0581 Mechanized system failure 0582 Line translations unknown 0586 Signal transfer point (stp) 0587 Tandem office 0588 Switching system design 0590 Data base for data base driven services 0591 Calling card services (ccs) 0592 Automatic callback calling 0593 Enhanced 911 service 0594 Equal access 0595 Watch alert other 0596 TOUCHSTAR 0597 700 series services 0598 Expanded 800 service 0599 Dial-it service Field Techs and Wiretaps by Lineside 1......General information 2......Wiretap check request 3......Field tech inspection 4......Wiretaps discovered during routine field inspections 5......Other unlawful use of the companies service 1...General The purpose of this section is to specify the terms and conditions of assistance of the telephone company to law enforcement agencies engaged in, or about to be engaged in, wiretapping activities. Also the procedure for handling reports of the use of telephone facilities for bookmaking and dissemination of wagering information. This practice is being revised to remove the Customer Service Center and the Annoyance Call Center from the trouble report flow. Any call to the CSC reporting a wiretap or suspected wiretap should be transferred to the Centralized Repair Service Attendant Bureau (CRSAB). The security organization has the exclusive responsibility for acceptance of Federal or State Court orders written emergency certifications, which is required for a lawful wiretap. Any request received for information or assistance in this regard shall be referred to immediately to the security organization. The security organization has complete responsibility for the direction of the company actions following the discovery of an actual or suspected wiretap. A follow-up procedure will be followed by security to ensure that all assistance provided by the company is terminated when the court order or emergency certification expires. Protection of the privacy of telephone communication is fundamental to the telephone business. It is Bell policy to investigate and resolve any actual or suspected threat to the customers privacy. In line with this policy, every reasonable effort will be made to resolve all customer complaints. However, it is unlawful for Bell personnel to disclose the existence of a lawful wiretap to the customer. Therefore, the following procedures must be observed strictly in processing customer requests for wiretap inspection or in reporting any wiretap device that may be found. All company personnel who discover an actual or suspected wiretap device shall report the discovery through the lines of organization to security, without taking further action. In those instances where a trouble is caused by the wiretap device, it may be disconnected only after the security organization has been notified. 2...Wiretap Check Request The centralized repair service attendant bureau (CRSAB) shall have the responsibility for handling initial customer complaints concerning wiretaps or other illicit activities. The RSA will take the report on any call received at the CRSAB concerning wiretaps or other illicit activities. This report will be taken as a Category 1. Customer Direct (CD). The CRSAB shall transmit all requests of this nature to the installation maintenance center (IMC). The handling code "WIRETAP" will be used to transmit this report. The IMC should input additional auto screen rules to direct these type reports for manual screening. All personnel handling this type report will document findings utilizing the EST transaction in LMOS. This means, MA's will document the test and referral information. SCC will document their findings, I&M will document their findings etc. Each action taken on this report must be documented accurately. The maintenance administration (MA) will perform trouble verification tests. If a wiretap exists, it may be indicated by the test results. It no trouble is indicated or a CO fault is indicated, the MA will refer the report to the switching control center (SCC) for further analysis. The SCC will assign the appropriate CO the task of inspecting the office equipment for the suspected wiretap. The CO will inform the SCC of its findings during the inspection. The SCC will close the report to the IMC. In those instances where the CO may locate wiretap, it must not be disturbed. The technician must inform the manager who in turn will notify the security department. If after analysis has been completed by the SCC and the IMC a wiretap has not been found, it may be necessary to dispatch a field technician for a complete inspection. 3...Field Technician Inspection Reports involving suspected wiretaps should be dispatched on the same day on which they were received, when practicable. It is strongly recommended that a field manager accompany the technician during the inspection. The technician will inspect only equipment/wiring that is owned/provided by Bell. Equipment/wiring that is provided by the customer or agent of the customer, will not be inspected. The customer will not be billed for the inspection of equipment/wiring provided by Bell. If the customer subscribes to a wire maintenance plan, the technician will inspect through the customers connection block. If the customer does not subscribe to a wire maintenance plan, the technician offer to inspect the wiring for time and material. If the inspection does not uncover an unlawful wiretap, the technician may advise the customer that no wiretap was found. When a wiretap, or what appears to be a wiretap is found, security must be notified immediately. Under no circumstances will any Bell personnel disclose or verify the existence of an actual or suspected wiretap to a customer. If a wiretap is trouble inducing, security may direct the technician to correct the trouble or disconnect the device from the line. The security department shall notify the appropriate law enforcement agency and shall determine if further action is required. After the trouble is cleared, the technician will close the report using established procedures. The customer must be advised that the trouble is cleared, but the only statement that may be made about a wiretap device is "NO UNLAWFUL WIRETAP DEVICE WAS FOUND". 4...Wiretaps Discovered During Routine Field Operations If a wiretap, or what appears to be a wiretap, is discovered as a result of routine field operations, where there has been no customer complaint or request for a wiretap inspection, security shall be notified immediately. Under no circumstances will Bell personnel, other than security or individuals acting under the express direction of security, disclose the existence of the actual or suspected wiretap to a customer. -If security determines that a wiretap discovered in this fashion is lawful, no report shall be made to the customer. -If security determines that a wiretap discovered in this fashion is unlawful, law enforcement and the customer shall be notified. 5...Other Unlawful Use of the Companies Service If in the course of one's work an employee overhears a conversation or otherwise obtains information indicating that any services provided by Bell are being used for bookmaking or for the dissemination of wagering information or other unlawful purposes, all facts will be reported to the employee's immediate supervisor, or will notify security. **** THERE IS NO VIOLATION OF SECRECY OF COMMUNICATIONS WHEN DURING THE NORMAL COURSE OF BUSINESS WITHOUT INTENT TO MONITOR FOR THE PURPOSE OF OBTAINING SUCH INFORMATION, AN EMPLOYEE OVERHEARS A COVERSATION WHICH INDICATES UNLAWFUL USE OF TELEPHONE COMPANY FACILITIES AND REPORTS THE CONVERSATION TO HIS/HER SUPERVISOR. **** Controlled Environmental Vaults by Tom Farley Visit Tom Farley's website for more articles and past issues of Private Line at http://www.privateline.com I wrote about controlled environmental vaults in "private line" Number 7 (Volume 2, Number 4, July/August 1995). A C.E.V. is an underground structure that often houses telephone equipment . The one I went into and took pictures of for that issue's Outside Plant article housed a 5ESS. In effect, it is a small central office underground. These inconspicuous, buried buildings allow companies like RTC to distribute its switching capacity more equally around its serving area. Your only clue to a C.E.V.'s location is its top -- a four by four foot flat steel panel two or three feet off the ground, rising out of the earth like a green, squarish mushroom. It turns out that Roseville Telephone Company installed the first C.E.V. in California back in 1986. Here's a history of that vault, reprinted with permission, from Steve Chanecka's book, _The History of The Roseville Telephone Company_: "'The company is looking at the serving area west of Antelope Road by using a controlled environmental vault which meets the concerns of nearby residents since it is aesthetically appealing. We will use it to house a remote switching unit which will serve this area. Plant from our central office to the 'CEV' will be fiber optics and from the remote location to the subscribers will use normal copper wire. Basically, this unit will serve the same function as a mini-substation, but will be underground and therefore does not detract from homes in the neighborhood.' "Ned Kindelt explained the CEV in more detail in a late 1985 article in _Line Chatter_. 'A CEV is a central office located underneath the ground. The equipment vault is 10 feet, six inches wide and 24 feet long, and will contain a remote unit in Citrus Heights for control. The remote switch unit will be wired for 4,608 lines.' In addition, the CEV had air conditioning, a dehumidifier, an automatic sump pump and an alarm system. "The use of CEVs was pioneered by Roseville Telephone in California. The state's first one was placed on Lichen Drive in Citrus Heights in late 1986. The engineering, splicing and installation was a long, arduous process, according to project director, splicer Jim Hood. He reported in the October 1986 _Line Chatter_ 'Our first CEV is almost past history. This has been a very difficult project for many departments. This vault is powered from the Citrus Heights central office by our first fiber optic cable. Our second vault, already a work-day reality for some departments will be located on Antelope Road near the Foothill Christian Center. To say that this has been a learning experience is being tactful.' "That first CEV may have been challenging but the concept was a lifesaver for Roseville Telephone. Faced with an aggressive expansion of residential housing in the Antelope area of Citrus Heights, the company's conduit capacity to run copper cable from its Citrus Heights central office under Interstate 80 was insufficient for the long term. Had there been no other option, the company would have faced costly construction to increase its underground conduit system. "The CEV approach solved this. Rather than making the conduit system larger, the use of fiber optics resulted in the cable bundle running through the conduits being smaller in diameter. Thin, very high capacity fiber optics connected the central office and the CEV. The far thicker copper cable ran from the CEV to the customer. Fiber optics enabled much more information to be transmitted through a much smaller bundle of wires. Leon Bower, director of outside plant engineering, explained to fellow employees why CEVs and fiber optics made sense in the fall of 1985: 'If you read local papers, you are aware that the area roughly north of Antelope Road, between the railroad and Watt Avenue in Sacramento County, is about to be developed. They are projecting between 13,000 and 14,000 new homes in the Antelope Urban Reserve in the next 20 years. For the area west of the freeway we are projecting a requirement of 16,000 lines for that 20 year period.' 'To serve this area with conventional copper cables would require an investment of some $3.5 million at today's cost in outside plant alone. Underground conduit systems would have to be reinforced, at a very high cost, to accommodate the fourteen 1500- pair, 24 gage feeder cables needed. A fiber cable will cost us about $102,000. . .' "Since 1986, 12 more CEVs scattered evenly throughout the company's service have placed impressive digital switching power and data transmission capacity close to the users at an economical price. Moreover, all but one of the company's 13 operating CEVs at the end of 1994 were located inside utility right- of-ways. The company did not have to buy the site of the CEV or obtain permits to put them in the ground. Most people are not even aware of where the CEVs are placed." It is my understanding that each vault is backed up with alternative routing, that is, a separate fiber comes in from two directions to the vault. A single accident will not cause any vault to go down. The _History of the Roseville Telephone Co._, by the way, is a fascinating read and an important contribution to independent telephony. RTC is the 23d largest telephone company in America and one of the most progressive. The book is over four hundred pages in hardback. $20 in the U.S. plus $3.50 shipping. Call (916) 786-1117. There's a discount for orders of five or more. Or order by mailing from the following: Telephone Book, Roseville Telephone, P.O. Box 969, Roseville, CA 95678. And make sure to visit their telephone museum at 106 Vernon Street in Roseville from 10:00 to 4:00 p.m. on Saturdays. ~Cyber Culture In this section, issues in the cyber world that will effect the H/P scene in one way or another will be discussed. Submissions for this section are always welcome. The impact of the flag burning amendment by Mr. X2 There has been a lot of talk lately about the proposed amendment that would make flag burning illegal. Now I have never burned a flag and I don't have any intentions of doing so. However, burning a flag is part protected under free speech. Anyone who studies constitutional law learns that our freedoms are not a 100% guaranteed. If that was the case there would be anarchy. We give up some freedoms in certain situations to protect our other rights and the rights of other people. For example, you cannot yell fire in a movie theater or call in a bomb threat. As long as your expressions does not infringe on the rights of others, than it is basically OK. With all that out of the way, how the hell does burning a flag infringe someone else's rights? Unless you catch someone on fire in the process than I just don's see it. Well this bill is being sent to the government to be kicked around for a while and if it passes it will be put up for vote to become law. In that case, 2/3 of the states have to ratify it in order for it to become law. While it may be a ways off, it is important for everyone reading this zine to keep in the back of your mind. I know your wondering where this is all going in a phreak zine. Well, I'm sure that most of you reading this support free speech and especially free speech on the net. When you support such issues, it is important to look at the big picture and support all related issues. If flag burning is made illegal, then what else isn't protected under free speech? Previous court cases and other laws are taken into account when deciding issues that are new and confusing. If the flag burning amendment passes and then some time down the road, a bill comes up restricting speech on the net, people will look at other free speech issues such as the flag burning amendment. It is also important to support any reasonable free speech issue not just flag burning. When you support something, you have to support other's related beliefs as well. Cyber McCarthyism by Mohawk I'm not gonna go into the Colorado shooting but it is important to focus on one event related to the shooting. Shortly after the media first reported about the shooting, people went on their computers and made fake profiles claiming they were in the Trench Coat Mafia, made jokes about it, and even made a couple of TCM webpages. Once the FBI started it's investigation, there was a broad search conducted on the Internet for any clues about the shooting. This was because Eric Harris had various webpages that gave some signs as to what would happen on april 20th. They also wanted to see if anyone else was involved. All of Eric Harris' accounts and webpages were shut down so that no one could tamper with evidence. Even while I am writing this, there is still a shroud of mystery as to what exactly happened, why, and if anyone else was involved or knew about it. During this Internet investigation, anyone who had anything mentioned about the trench coat mafia on line got their accounts cancelled, webpages removed, and anything else they had on the net deleted. Some people on AOL lucked out and just got warnings although they got all thier files deleted. I've talked to people that go their accounts cancelled for just posting somewhere that the trench coat mafia sucks. While this wasn't a wide spread epidemic it has the implications of someday becoming one. What if a hacker did some major damage. I mean kill a lot of people. Then the hacker is painted as this evil person who just wants to cause havoc for other people and he is just one out of a whole subculture full of these evil hackers. The media has a field day. They do profiles on hackers, ya know pimples face nerds who no one likes, plays doom all day and listens to manson. Can you imagine what would happen to hackers? No one would want anything to do with hackers on their service. Thousands of accounts would be canceled, webpages would be removed, and we would have more than just a crackdown on our hands. Pretty disturbing huh? How do we prevent this? That's a good question. Be responsible and try to keep a good image of hackers would be my best guess. It would be a lot easier to get people to think that most hackers are nice people before this happens than afterwards. This has already happened in spurts but to no major extent. Even if there was a large hackers are nice guys campaign it probably won't even do that much good. I would like to hear from you on this topic of Cyber McCarthyism. Is it something to think about? Is it a problem now? Will it be a problem in the future? What can we do to prevent it? It's not just hackers that have to worry about this, any cyber-community may be vulnerable to this. Copyright 1999 Phone Punx Network. Feel free to distirbute this issue however, do not modify this file in any way. All issues are free and are not allowed to be sold in any form. If you are sellling issues you can only charge what it cost to reproduce them. Keep the information free. All works are owned by the PPN and/or the authors of the article. If you feel that you own the copyright to a work printed in this issue and have not given the permission of the author to republish it, please email us.