The Phone Punx Network Presents
--Phone Punx Magazine--
----Issue three----
"We are the phony in telephony"
November 07, 1999
Last Updated: November 07, 1999
http://fly.to/ppn (Mirror: http://worship.to/ppn)
phonepunx@yahoo.com

Contents
~Intro by Mohawk
~Beginners Guide to the DACS, Part One by BitError
~CallerID: Up close and Personal by hatredonalog
~DATUs - The Tool of the New Age Phreak: Part II by MMX
~Frequency Counters by Black Axe
~An Overview of Trunked Radio Systems by Black Axe
~A different newbie guide by Mohawk
~Notes on ANI by Seuss
~Voice Over IP Surveillance with the TTC Fireberd 500 DNA.323 by Seuss
~Concepts of Echelon by Phonetap
~Cyberpunk culture by Mohawk
~Letters

.....The Staff of Phone Punx Magazine.....
Mohawk..................Editor in chief
Seuss...................Editor/Head tech. writer
Lineside................Staff writer
Black Axe...............Staff writer
MMX.....................Staff writer
Bit Error...............Staff writer
hatredonalog............Staff writer
Phonetap................Staff writer

.....Magazine Information.....

-Disclaimer
All information is protected by the 1st amendment. However, this information should not be used in any way except education. Our purpose is to provoke thought, and we might even entertain you, if you're good. Nothing in this issue has been tested and we do not guarantee that it will work. We cannot ensure your safety, legally or physically (and, what the hell, mentally), if you try anything in this issue.

-Release Dates
Phone Punx Magazine is released about every 4 months; however, there is no set release date. Issues can come out a day or a year after the last one, but we will try to stick to around 3 to 4 months.

-Writers Wanted
We are always looking for more writers. If you want an article published, or if you would like to become a regular writer, send us an email. We would really like to concentrate on phreaking and large phreaking projects.
If you feel that you have an article that would be of interest to phreaks but it is about hacking, cyberpunk culture, etc., let us know and we will evaluate each article on an individual basis. We are looking for ways to compensate our writers for their time and effort in writing articles. Any suggestions are also welcome.

-Distribution Sites
Help us spread the magazine to a wider audience by becoming a distro site. All you have to do is keep the issues on your website with a link to them somewhere. Not only will this help us reach more people, but our readers will have another place to get the zine if something happens to the site. We need people to distribute the zine. A list of distro sites is available on the "About PPN" page.

-Network Links
The Phone Punx Network is more than just one webpage. It spans several webpages that encompass member websites and distro sites. To get a network link you must be a staff writer or be involved with the PPN in another way, and have a website that is related to phreaking in some way or another.

-Issue Updates
Issue updates will occur when they are warranted. To make sure you always have the freshest issue of PPM, check the "last updated" date at the top of the issue. It is important that you always have the latest issue because we do screw up often and we are always fixing our mistakes. To be notified of updates to the issues, join the Phone Punx mailing list.

-Phone Punx Mailing List
To stay up to date with the latest in the Phone Punx Network, sign up for the mailing list. You will be notified of the release of new issues, updates to past issues, and other PPN news. All email addresses are kept confidential. Just send an email to ocpp@hotmail.com letting us know you'd like to subscribe. If you would like anything announced, or whatever, added in there, feel free to send it to us.

-Links
Please update your OCPP links.
Change the name to Phone Punx Network and the URL to http://fly.to/ppn. If you have a link to us on your page, let us know and we'll link you back.

-Letters
We will print your letters. If you would like to make a comment, ask a question, or whatever, send them in and we will publish them. If you don't want your letter published, just let us know. Email addresses will not be published unless you tell us otherwise.

-Contact Info
Our email address is phonepunx@yahoo.com
To subscribe to the mailing list send an email to ocpp@hotmail.com
Copyright info is located at the end of the issue.


Intro by Mohawk

I have to start off by thanking everyone for sending in letters. We've gotten a lot more than usual. Now all I ask is that you all sign up for the mailing list so we can keep you informed as to what's going on. We have two new staff writers, Phonetap of felons.org and Hatred on a Log from Dissident Magazine and DPP. Both are excellent writers and they fit in nicely with the great staff I already have. Things have been really coming together and the format of the zine will probably stay the same for the next few issues. One problem I am having is the quality of the articles. In my opinion, they're too good. I've had to scrap several articles because they didn't meet the standards that the staff has set with this issue and the last one. However, since I have such a great staff, I have more time to work with people on their articles to improve them. I even scrapped a few of mine to do some more research. We've gone through several improvements since last issue; I suggest you read the news page to keep up with the latest updates. Enjoy the issue, we put a ton of time into this one.


Beginners Guide to the DACS, Part One by BitError

Ever wonder how phone calls riding on a T-1 line magically get from one switch to another? Ever curious about what (besides switches) is taking up all the floor space at your local CO?
Ever wanted to cross-connect your own voice or data circuits from the comfort of your own computer? Then you need the Beginners Guide to the DACS.

There has been much study devoted to the DMSs and ESSs of the world, but not a whole lot has been said about the lovable old DACS. It plays a necessary, but unsung, role in the lives of all telecommunications users.

First of all, if you hadn't already guessed, DACS (pronounced DAX) is an acronym that stands for Digital Cross Connect System. It cross-connects whole or fractional T-lines from one digital transmission facility to another. These digital facilities may be other DACSs, switches, PBXs, or computers. In other words, the DACS opens digital circuits between these endpoints as needed.

The cool thing about a DACS is that the phone company gives customers some limited access to them, depending on what type of service they have ordered. If a company has leased one or more T-1s and needs to allocate bandwidth from these T-1s to different places on a daily basis, then the phone company gives them the means to do that themselves. Here in Bellsouth country that service is known as Flexserv. It gives clients terminal access to their circuits and pre-defined endpoints. Dial up the DACS and you can literally cross-connect your own circuits (or "flex" them, as the Bell jargon goes).

Videoconferencing makes a good example here. Let's say that the Georgia Chitlin' Company has four offices in different parts of Georgia that all need to be able to connect and videoconference with each other. Each video site has its own T-line going back to a DACS at its respective CO. With the proper circuit IDs and DACS addresses, the Flexserv client can connect any two of its T1 circuits together through the network just by typing a few keys. Then they can see and talk to each other.
If the Savannah office suddenly needs to videoconference with the Athens office, type in a macro at the DACS and Savannah and Athens are instantly connected. If they have a digital data bridge in their Flexserv network, all they have to do is flex each circuit to the bridge, and they can have multipoint conferences. Pretty easy, eh? And pretty handy for the customer. Of course, voice circuits can be flexed just as easily, say from one PBX to another.

In this first article, we will explore some of the commands you use at the DACS and how to identify the services and circuits available on your account.

Some terms and abbreviations you will need to know:

CNC -- Customer Network Controller. This is what you are dialing into at the CO. It is the terminal interface between you and the DACS. It also translates messages from the DACS and sends them to you.
channel -- one 64k channel of a T1; the smallest unit that can be cross-connected.
digroup -- 24 channels (a full T1); the largest unit that can be reconfigured and cross-connected.
Console Operator -- the person at the CO who oversees the CNC system. The Console Operator assigns your login and password, and can monitor CNC activity.
acc -- access channel; a channel connecting a piece of equipment to the DACS.
idl -- inter-DACS link; a channel connecting two DACSs together.
SRM -- Sub Rate Multiplexor; provides the ability to make circuit connections below the DS0 (64k) rate.
MJU -- Multi-Junction Unit; this is a sub-rate bridge.
DMB -- Digital Multipoint Bridge.

The first step, of course, to stepping into the wonderful world of the DACS is to dial up your local CNC. For some reason, Bellsouth has not applied its usual stringent dialup line ban at the CO to my CNC. Anyone with a terminal emulator should be able to at least dial up their local DACS controller. The only documentation I could find on Flexserv says that terminal settings should be ASCII 9600, 7, E, Caps Lock off, Xon/Xoff set to ON.
However, my terminal connects at 8N1 VT100 with autodetect. The odd documented settings may once have been a form of first-level security. When your modem connects you should see this:

    RESTRICTED: CONTAINS PRIVATE AND/OR PROPRIETARY INFORMATION. MAY BE USED
    ONLY FOR AUTHORIZED BELLSOUTH BUSINESS PURPOSES BY AUTHORIZED INDIVIDUALS.
    UNAUTHORIZED ACCESS TO, OR MISUSE OF, BELLSOUTH SYSTEMS OR DATA MAY RESULT
    IN EMPLOYEE DISCIPLINE UP TO AND INCLUDING DISCHARGE, THE TERMINATION OF
    VENDOR/SERVICE CONTRACTS, AND CIVIL AND/OR CRIMINAL PROSECUTION. BELLSOUTH
    MAY PERIODICALLY MONITOR AND/OR AUDIT COMPUTER SYSTEM ACCESS/USAGE.

    LOGIN:

Yikes! Man, they don't screw around, do they? This is not a hacking article, so if you are not familiar with various ways to safely acquire login names and passwords, I'd go read a bunch of articles that cover that. You're not dialing this from your house, are you? Well, you might want to read a few more articles about hiding your tracks through the phone system. Trust me, this is good advice and should go without saying.

The CNC is UNIX based and some of the commands should look familiar to UNIX users. However, Flexserv is intended to be used by non-techie customers of the phone company and is pretty simple once you understand the acronyms. When you are successfully connected after login/password, you should see a prompt that says CNC *. This is the default prompt and you should return to it every time you hit return.

The first command to try is the HELP command. At the prompt just type HELP. You should then see a screen that lists all the commands available to you. Pick one of the commands in the list and type it after HELP. Try HELP CONNECT.
You should see a screen that looks like this:

    CNC* help connect
    connect : connect [[-s] -o] [-id] channel(s) 1 channel(s) 2
              connect [svctype]
              connect [channel(s)]
              connect [-id]
    connect connects a user's channels and displays connected channels
    channel(s) = svctype.digroup.channel-list
    channel/digroup list: j-k, l, m-n, o-p

Anyone familiar with DOS should be familiar with these types of arguments appended to commands. The square brackets mean the argument is optional. You can use the HELP command with up to 6 commands and it will display them all. We'll get into the CONNECT command later in this article. There's another command you should try first: STATUS. STATUS lets you see what sort of facilities and how many channels you have subscribed to. This is where things get tricky.

Let's assume we are logged in again to the Georgia Chitlin' Company's CNC. When you type STATUS and hit return, you should see a screen that is formatted like this:

    CNC* status
    Thu 09/09/99 09:09:09 AM CST
    Used: 0 of 50 symbols
          0 of 50 scheduled commands

    Service Type.Dg.Ch(s)   Status       Connected   Linked   DACS
    acc.0001.01-04          contiguous   0           0        05
    acc.0001.05-08          contiguous   0           0        05
    acc.0002.01-08          contiguous   0           0        06
    acc.0003.01-08          contiguous   0           0        08
    idl.0001.01-12          contiguous   0           12       05
    idl.0002.01-12          contiguous   0           12       06
    idl.0003.01-12          contiguous   0           12       06
    idl.0004.01-12          contiguous   0           12       08
    idl.0005.01-12          contiguous   0           12       08
    idl.0006.01-12          contiguous   0           12       05
    pbx.0001.01             contiguous   0           0        05
    pbx.0001.02             contiguous   0           0        05
    pbx.0002.01-02          contiguous   0           0        06
    pbx.0003.01-02          contiguous   0           0        08
    dds.0001.01-04          contiguous   0           0        05
    dds.0001.05-08          contiguous   0           0        05
    dds.0002.01-08          contiguous   0           0        06
    dds.0003.01-08          contiguous   0           0        08
    (EOF:)

The first column designates the Service Name the customer has on that particular digroup. Each circuit Service Name consists of three parts, separated by periods: 1) service type, 2) digroup number and 3) channel numbers.
1) Service Type can be custom-named by the Flexserv customer in order to make operation simpler for them. I used some of the default service type abbreviations in the table above, but they may have other names when you find them. Here are the default service type abbreviations and what they stand for:

acc -- channel connecting a piece of equipment at the customer premises to the DACS. Every Flexserv customer will have at least two of these.
dds -- digital data service
vbd -- voice band data
dps -- data port service
idl -- inter-DACS link
srm -- subrate multiplexor
mju -- multi junction unit
voice -- multipoint voice bridge
data -- digital data multipoint bridge

You may also see mls and tds, but it is unknown what they stand for.

2) Digroup (Dg) - Remember that digroup is just another term for a T1 carrier. This is just a number designation for that T-1 circuit, with a particular type of service on it (i.e. acc). A digroup cannot have multiple service types assigned to it.

3) Channel Number (Ch) - The channels on the digroup used by that service. Channels can be split up between premises too, as long as they terminate in the same DACS. For example, channels 1-12 of one digroup may be assigned to building A, and the other 12 channels assigned to building B.

Status column: The second column in the table shows the status of subscribed services. Contiguous means that all digroup channels used will be consecutive (i.e. 1,2,3,4,5,6). This is important for data applications like videoconferencing, where contiguous channels are IMUXed into one large aggregate bandwidth. The status column will also show OOS and CGA T-carrier alarms for particular channels.

Connected: Number of channels connected to other channels in the CNC.

Linked: Tells how many channels of your idls are linked to other DACSs.

DACS: Number designation of the DACS in your network.

As we can see from the Georgia Chitlin STATUS screen table, they are hooked up to three DACSs.
We can safely assume that they have four locations: two separate buildings, each with its own DACS channel in its respective CO (DACSs 6 and 8), and two more buildings, each linked to DACS 5. Each premises has pbx and data service subscribed to, and there are six inter-DACS links. That just means that, in order for any two Georgia Chitlin sites that are not using the same DACS to communicate, at least two DACSs must be used. Common sense. Just like two computers on different segments of an ethernet will communicate across at least two hubs or routers. This becomes more apparent when you look at the DACS column in the table and see that each acc channel is assigned to a different DACS number. Two sites share DACS 5.

The STATUS command also provides ways to check the status of each digroup, channel, or service type individually, using arguments just like the CONNECT command. Type HELP STATUS to see how to format these commands.

***See the files page for a diagram of what the Southern Chitlin' network might look like.***

Note that there are twice as many inter-DACS links (idls) as there are DACSs in the network (there are only three DACSs listed in the DACS column: 5, 6, and 8). How come? Each inter-DACS link must have two Service Names, one for each endpoint. The Flexserv customer must own both ends of the idl to cross-connect between two DACSs. If someone else leases the other half of an idl, connections are still possible, but the other people will have to flex it through their own CNC. This could be a major inconvenience. Remember that you will need both of those idl numbers later, when it comes time to cross-connect our circuits between sites on different DACSs.

The CONNECT Command:

Now for the fun part: cross-connecting user channels. Refer to the network diagram to see which channels are being cross-connected and where they are located.
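As an added example (my own Python, not part of the article and not any CNC or Bell software), here is a parser for the STATUS screen above. It embeds the Georgia Chitlin' table as a constructed string, expands the channel-list syntax from the HELP CONNECT screen (j-k, l, m-n), tallies subscribed channels per DACS and service type, and checks two things the article says the columns promise: that a "contiguous" entry really is consecutive, and that an idl's Linked count matches its channel count (and, since each link needs a Service Name at both ends, that the idl count is even). The column order and the 24-channel digroup limit come from the article; the row layout the regex assumes is my guess at how the screen prints.

```python
import re
from collections import defaultdict

# Constructed sample: the Georgia Chitlin' STATUS screen from the article, embedded as a
# string so the parser runs offline. Column order as on the screen:
# Service Name, Status, Connected, Linked, DACS.
STATUS_TEXT = """\
CNC* status
Thu 09/09/99 09:09:09 AM CST
Service Type.Dg.Ch(s) Status Connected Linked DACS
acc.0001.01-04 contiguous 0 0 05
acc.0001.05-08 contiguous 0 0 05
acc.0002.01-08 contiguous 0 0 06
acc.0003.01-08 contiguous 0 0 08
idl.0001.01-12 contiguous 0 12 05
idl.0002.01-12 contiguous 0 12 06
idl.0003.01-12 contiguous 0 12 06
idl.0004.01-12 contiguous 0 12 08
idl.0005.01-12 contiguous 0 12 08
idl.0006.01-12 contiguous 0 12 05
pbx.0001.01 contiguous 0 0 05
pbx.0001.02 contiguous 0 0 05
pbx.0002.01-02 contiguous 0 0 06
pbx.0003.01-02 contiguous 0 0 08
dds.0001.01-04 contiguous 0 0 05
dds.0001.05-08 contiguous 0 0 05
dds.0002.01-08 contiguous 0 0 06
dds.0003.01-08 contiguous 0 0 08
(EOF:)
"""

# One STATUS row (assumed layout): dotted service name, status word, three integers.
ROW = re.compile(r"^(\S+\.\S+\.\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)$")

def expand_channels(spec):
    """Expand a CNC channel list such as "01-04" or "1-4, 7, 9-12" into sorted ints."""
    channels = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if not 1 <= lo <= hi <= 24:   # a digroup is 24 channels
                raise ValueError(f"bad channel range {part!r}")
            channels.update(range(lo, hi + 1))
        else:
            channels.add(int(part))
    return sorted(channels)

def parse_service_name(name):
    """Split svctype.digroup.channel-list into (svctype, digroup, [channels])."""
    svctype, digroup, chans = name.split(".", 2)
    return svctype, int(digroup), expand_channels(chans)

def parse_status(text):
    """Return one dict per STATUS row; banner, header and (EOF:) lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        name, status, connected, linked, dacs = m.groups()
        svctype, digroup, channels = parse_service_name(name)
        rows.append({"name": name, "svctype": svctype, "digroup": digroup,
                     "channels": channels, "status": status,
                     "connected": int(connected), "linked": int(linked),
                     "dacs": int(dacs)})
    return rows

def channels_per_dacs(rows):
    """Tally subscribed channels per DACS and service type, e.g. {5: {"acc": 8, ...}}."""
    tally = defaultdict(lambda: defaultdict(int))
    for r in rows:
        tally[r["dacs"]][r["svctype"]] += len(r["channels"])
    return {d: dict(t) for d, t in sorted(tally.items())}

def sanity_check(rows):
    """Flag rows that contradict what the article says the columns mean."""
    problems = []
    for r in rows:
        ch = r["channels"]
        if r["status"] == "contiguous" and ch and ch != list(range(ch[0], ch[-1] + 1)):
            problems.append(f"{r['name']}: marked contiguous but channels are not consecutive")
        if r["svctype"] == "idl" and r["linked"] != len(ch):
            problems.append(f"{r['name']}: idl Linked={r['linked']} but {len(ch)} channels")
    if sum(1 for r in rows if r["svctype"] == "idl") % 2:
        problems.append("odd number of idl Service Names; each link needs one per endpoint")
    return problems

if __name__ == "__main__":
    rows = parse_status(STATUS_TEXT)
    for dacs, tally in channels_per_dacs(rows).items():
        print(f"DACS {dacs:02d}: {tally}")
    print("problems:", sanity_check(rows) or "none")
```

Run against the table above it reports the same 8 acc, 24 idl, 2 pbx and 8 dds channels on each of DACS 5, 6 and 8, which is the "three DACSs, six idls" picture the article draws from the screen.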
Here's the CONNECT command format:

    connect [-s] [-o] [-id] channel(s) 1 channel(s) 2

[-s] is the switched facility override option. Basically, this lets you disconnect a cross-connect that contains switched/voice facilities. This is a safeguard against disconnecting active phone calls.
[-o] is the override option. It overlooks channels that are already connected.
[-id] is the cross-connect identifier. This is assigned by the CNC. You can assign your own identifier to easily perform group-type operations, but we won't get that deep into it.

Let's try a simple CONNECT command. We'll make a 64k connection between Premise A and Premise B via the DACS. Notice that both these sites are linked to DACS 5. Since they are on the same DACS, there's no need for an inter-DACS link. The CONNECT command would look like this:

    CNC* connect acc.1.1 acc.1.5 (ENTER)
    connect acc.1.1 acc.1.5 Completed.
    X-Con ID = x53

The same format can be used to cross-connect the PBX or DDS channels. Pretty simple, eh? Remember, you can cross-connect as many channels as you want, as long as both circuits have those channels available and they are conditioned the same. PBX and data trunks are probably not going to cross-connect. If you try to connect unlike channels, you will see an error that looks like this:

    CNC* connect acc.1.1 pbx.1.2
    Sorry, these circuits are incompatible. No connections were made.

Let's say you want to connect Premise C with Premise D. This requires going from DACS 6 through DACS 8, which means an inter-DACS link. We'll say this is a videoconferencing application where all 8 channels of our digital data will be cross-connected and used for video between sites C and D. If you type the CONNECT command without the idls, you will see this error message:

    CNC* connect dds.2.1-8 dds.3.1-8
    Sorry, this command requires inter DACS connections.

It's easy to get around this with the proper idls, but you must do it in steps.
The first step is to cross-connect our eight data channels from Premise C to DACS 6:

    CNC* connect dds.2.1-8 idl.3.1-8
    connect dds.2.1-8 idl.3.1-8 completed. x-con ID = I4
    The following channels are linked.
    Service Type.Dg.Ch(s)   DACS   linked to   Service Type.Dg.Ch(s)   DACS
    idl.3.1-8               6                  idl.4.1-8               8

This info tells you that you are connected from Premise C to DACS 6. It also brings up a mini-table (also available from the LINKAGE command, but that's for another day) that shows you the Service Name at the far end of the idl that DACS 6 is connected to. In this case it is DACS 8, with the Service Name idl.4.1-8.

Now for step two: you must still connect Premise D with DACS 8 on idl.4.1-8. This will create a logical connection within the DACS, and Premises C and D should then be able to videoconference. Here's the command:

    CNC* connect dds.3.1-8 idl.4.1-8
    connect dds.3.1-8 idl.4.1-8 completed X-Con ID = I4
    Service Type.Dg.Ch(s)   DACS   linked to   Service Type.Dg.Ch(s)   DACS
    idl.4.1-8               8                  idl.3.1-8               6

If you want to check your STATUS screen, do it now and you should see that 8 contiguous channels are connected between DACS 6 and 8. In more complex networks, three or more inter-DACS link commands may have to be used.

Were you wondering how to disconnect? Type HELP DISCONNECT. The DISCONNECT command works almost exactly like the CONNECT command. It even uses the same modifiers. Just type in the service types and channels you want to disconnect and there you go.

Closing:

This is a simple overview of the DACS system. There's a whole lot more to explore here. Bridges, multiplexors, macros, more commands... access to a Flexserv-type network should keep you busy for months. As always, be careful and paranoid. In the immortal words of Daffy Duck, "I'll sell you the blue button to get you down..."


CallerID: Up close and Personal by hatredonalog (hatredonalog@hotmail.com)

1 - Intro
  1.1 What is CID?
  1.2 Privacy Issues
  1.3 Stuff Stolen from the alt.2600 FAQ
2 - How a message is sent
  2.1 Basics
  2.2 Figuring out the data & checksums
  2.3 Differences between SDMF and MDMF
  2.4 The Mysterious "P" Bit explained
  2.5 With CIDCW
  2.6 Spoofing CIDCW
3 - 0day Exploits
  3.1 Defeating CID
  3.2 Alternate CID info
4 - Appendix
  4.a Acronym Glossary
  4.b Resources

Introduction to CallerID

1.1 - What is CID?

CallerID is a low-level knock-off of ANI. It is a service from your RBOC that allows you to see who is calling you. It gives you the month, day, time and the number of the person calling you (and optionally, also the name).

1.2 - Privacy Issues

When dealing with CallerID, some privacy issues arise. What if you don't want the person you're calling to get your information? Well, when it first came out some privacy activist groups had a hernia over it. Great, eh? Anyway, now RBOCs are SUPPOSED to let you block CND info for free, but from what I've heard, they don't always let you. This is where *67 originates from, and when you use this CLASS code, you enable the P bit when placing a call (more will be explained about the mysterious P bit later on).

1.3 - Stuff stolen from the alt.2600 FAQ

Modem Requirements

Although the data signaling interface parameters match those of a Bell 202 modem, the receiving CPE need not be a Bell 202 modem. A V.23 1200 BPS modem receiver may be used to demodulate the Bell 202 signal. The ring indicate bit (RI) may be used on a modem to indicate when to monitor the phone line for CND information. After the RI bit sets, indicating the first ring burst, the host waits for the RI bit to reset. The host then configures the modem to monitor the phone line for CND information.

Applications

Once CND information is received the user may process the information in a number of ways. The date, time, and calling party's directory number can be displayed.
Using a look-up table, the calling party's directory number can be correlated with his/her name and the number displayed. CND information can also be used in additional ways such as:
- Bulletin board applications
- Black-listing applications
- Keeping logs of system user calls
- Implementing a telemarketing data base

How a message is sent (Technical information)

2.1 - How CID information is sent (the basics)

The method of transport was invented by Carolyn Doughty and was first used by New Jersey Bell. Contrary to what some people seem to think, the CID info is sent from the CO handling the call to the CPE (Customer Premise Equipment), otherwise known as the box. Under SS7 the CPNM (Calling Party Number Message) CANNOT be blocked from the receiving CO, but it can be blocked from the called party, when making a long distance call.

The CallerID info is sent between the first and second ring (pretty much common knowledge) and is sent via Frequency Shift Keying (FSK). The data is sent at 1200 bps and the CPE has a Bell 202 modem in it (or equivalent) to receive the FSK. There are two formats in which the CND (Caller Number Delivery) is sent. These are SDMF (Single Data Message Format) and MDMF (Multiple Data Message Format), both of which I will go into later. The main difference between the two is simply that the name of the calling party is also sent with MDMF.

The modulation is continuous-phase binary FSK. Logical 1 (mark) is 1200 Hz, give or take 12 Hz, and logical 0 (space) is 2200 Hz, give or take 22 Hz (+-5% for variance). [Ever wonder why the DATU has data logic tone sweeps?] These are the two binary states: 1 and 0. They are sent asynchronously at -13 dBm and are tested at the CO across a 900 ohm test termination.

The data is sent after a minimum of 500 ms (milliseconds), when the channel seizure is sent. The channel seizure is 250 ms in length and consists of 300 bits of alternating 1s and 0s, beginning with a 0 and ending with a 1.
Immediately after the channel seizure is sent, the mark signal is transmitted. It consists of 180 bits and is 150 ms in length. Together these prepare the CPE to receive the CND data. Then the data is sent, starting with the most significant character, each character Least Significant Bit (LSB) first (under both SDMF and MDMF). Each character sent is 8 bits (1 octet); for all displayable data they represent ASCII codes. Each string of 8 bits is preceded by a start bit and followed by a stop bit. This equals 10 bits per character. Finally, after all the information is sent, it is followed by a checksum. This is to make sure that the data was sent and received properly.

Here is a basic CND signal:

    1st ring : (500ms) Channel Seizure : Mark Signal : CID Info : Checksum (200ms) : 2nd ring

2.2 - Figuring out the Data & checksums

Figure 1.

    Character              Decimal  ASCII  Actual Bits (LSB)
    Description            Value    Value
    Message Type (SDMF)       4             0 0 0 0 0 1 0 0
    Message Length (18)      18             0 0 0 1 0 0 1 0
    Month (December)         49      1      0 0 1 1 0 0 0 1
                             50      2      0 0 1 1 0 0 1 0
    Day (25)                 50      2      0 0 1 1 0 0 1 0
                             53      5      0 0 1 1 0 1 0 1
    Hour (3pm)               49      1      0 0 1 1 0 0 0 1
                             53      5      0 0 1 1 0 1 0 1
    Minutes (30)             51      3      0 0 1 1 0 0 1 1
                             48      0      0 0 1 1 0 0 0 0
    Number (6061234567)      54      6      0 0 1 1 0 1 1 0
                             48      0      0 0 1 1 0 0 0 0
                             54      6      0 0 1 1 0 1 1 0
                             49      1      0 0 1 1 0 0 0 1
                             50      2      0 0 1 1 0 0 1 0
                             51      3      0 0 1 1 0 0 1 1
                             52      4      0 0 1 1 0 1 0 0
                             53      5      0 0 1 1 0 1 0 1
                             54      6      0 0 1 1 0 1 1 0
                             55      7      0 0 1 1 0 1 1 1
    Checksum                 79             0 1 0 0 1 1 1 1

It is all simple conversion from binary to ASCII (and decimal). Here, we will tear it down, octet by octet.

The message type is fairly straightforward. It specifies one of two types, SDMF or MDMF. If it is SDMF the binary sent is 00000100 (decimal 4), and if the type is MDMF, the binary sent is 10000000 (decimal 128).

The message length is also quite easy to figure out. The binary converted to decimal is the message length. 00010010 is 18, and 18 is the message length. Done, easy.

The time is sent in military fashion.
To get the normal time, put the two hour digits together and subtract 12 (i.e. 1 and 5 make 15; 15 - 12 = 3 pm). Then the next two values give the minutes. The digits of the phone number are sent as ASCII characters, and a simple ASCII-to-decimal conversion is all it takes to get the number.

Figuring out the checksum is slightly more difficult, but not that much. The checksum word is the last data to be sent, and is the two's complement of the modulo-256 sum of all the other words (octets) in the message. When the message is received by the CPE, it checks for errors by adding the received checksum word to the modulo-256 sum of all of the other words received in the message.

The first step is to add up the values of all of the fields (not including the checksum). In this example the total would be 945. This total is then divided by 256. The quotient is discarded and the remainder (177) is the modulo-256 sum. The binary equivalent of 177 is 10110001. To get the two's complement, start with the ones' complement (01001110), which is obtained by inverting each bit, and add 1. The two's complement of binary 10110001 is 01001111 (decimal 79). This is the checksum that is sent at the end of the CID information. When the CPE receives the CID message it also does a modulo-256 sum of the fields; however, it does not take a two's complement. If the two's complement of the modulo-256 sum (01001111) is added to the modulo-256 sum (10110001), the result (modulo 256) will be zero.

2.3 - Differences between SDMF and MDMF

Figure 2.
    Character              Decimal  ASCII  Actual Bits (LSB)
    Description            Value    Value
    Message Type (SDMF)       4             0 0 0 0 0 1 0 0
    Message Length (9)        9             0 0 0 0 1 0 0 1
    Month (December)         49      1      0 0 1 1 0 0 0 1
                             50      2      0 0 1 1 0 0 1 0
    Day (25)                 50      2      0 0 1 1 0 0 1 0
                             53      5      0 0 1 1 0 1 0 1
    Hour (3pm)               49      1      0 0 1 1 0 0 0 1
                             53      5      0 0 1 1 0 1 0 1
    Minutes (30)             51      3      0 0 1 1 0 0 1 1
                             48      0      0 0 1 1 0 0 0 0
    Private                  80      P      0 1 0 1 0 0 0 0
    Checksum                 16             0 0 0 1 0 0 0 0

That is how a "Private" call would be displayed; if the caller hadn't used *67, it would look like Figure 1.

Figure 3.

    Character                  Decimal  ASCII  Actual Bits (LSB)
    Description                Value    Value
    Message Type (MDMF)          128            1 0 0 0 0 0 0 0
    Message Length (33)           33            0 0 1 0 0 0 0 1
    Parameter Type (Date/Time)     1            0 0 0 0 0 0 0 1
    Parameter Length (8)           8            0 0 0 0 1 0 0 0
    Month (November)              49      1     0 0 1 1 0 0 0 1
                                  49      1     0 0 1 1 0 0 0 1
    Day (28)                      50      2     0 0 1 1 0 0 1 0
                                  56      8     0 0 1 1 1 0 0 0
    Hour (3pm)                    49      1     0 0 1 1 0 0 0 1
                                  53      5     0 0 1 1 0 1 0 1
    Minutes (43)                  52      4     0 0 1 1 0 1 0 0
                                  51      3     0 0 1 1 0 0 1 1
    Parameter Type (Number)        2            0 0 0 0 0 0 1 0
    Parameter Length (10)         10            0 0 0 0 1 0 1 0
    Number (6062241359)           54      6     0 0 1 1 0 1 1 0
                                  48      0     0 0 1 1 0 0 0 0
                                  54      6     0 0 1 1 0 1 1 0
                                  50      2     0 0 1 1 0 0 1 0
                                  50      2     0 0 1 1 0 0 1 0
                                  52      4     0 0 1 1 0 1 0 0
                                  49      1     0 0 1 1 0 0 0 1
                                  51      3     0 0 1 1 0 0 1 1
                                  53      5     0 0 1 1 0 1 0 1
                                  57      9     0 0 1 1 1 0 0 1
    Parameter Type (Name)          7            0 0 0 0 0 1 1 1
    Parameter Length (9)           9            0 0 0 0 1 0 0 1
    Name (Joe Smith)              74      J     0 1 0 0 1 0 1 0
                                 111      o     0 1 1 0 1 1 1 1
                                 101      e     0 1 1 0 0 1 0 1
                                  32   (space)  0 0 1 0 0 0 0 0
                                  83      S     0 1 0 1 0 0 1 1
                                 109      m     0 1 1 0 1 1 0 1
                                 105      i     0 1 1 0 1 0 0 1
                                 116      t     0 1 1 1 0 1 0 0
                                 104      h     0 1 1 0 1 0 0 0
    Checksum                      88            0 1 0 1 1 0 0 0

The only differences between SDMF and MDMF are that MDMF is slightly more advanced and has more features. It displays the calling party's name along with the number, and it carries each field as a parameter with its own type and length octets. The message type is defined as either 00000100 (SDMF) or 10000000 (MDMF).
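The following Python is an added example of the physical layer and character framing described in 2.1 (my code, not from the article or from any CPE vendor). It builds the channel seizure and mark signal, frames each octet as a start bit, eight data bits LSB first and a stop bit, generates continuous-phase 1200/2200 Hz FSK at 1200 bps, and then demodulates the audio back into octets. Assumptions of mine, not from the page: a 9600 Hz sample rate (8 samples per bit) so the decoder can stay bit-aligned without clock recovery, a noise-free line, and locating the first start bit as the first 0 after a long run of mark bits. The message modulated is the octet sequence of Figure 1, constructed inline.

```python
import math

# Parameters from 2.1: 1200 bps, mark (logical 1) = 1200 Hz, space (logical 0) = 2200 Hz,
# 300-bit alternating channel seizure, 180-bit mark signal. The sample rate is my
# assumption: 9600 Hz gives exactly 8 samples per bit, so the decoder below can stay
# bit-aligned without any clock recovery (fine for a clean, constructed signal).
BAUD = 1200
SAMPLE_RATE = 9600
SAMPLES_PER_BIT = SAMPLE_RATE // BAUD
MARK_HZ, SPACE_HZ = 1200, 2200
SEIZURE_BITS = 300   # 0101...01: starts with 0, ends with 1
MARK_BITS = 180      # all ones

def frame_octets(octets):
    """Serial framing: start bit (0), eight data bits LSB first, stop bit (1)."""
    bits = []
    for octet in octets:
        bits.append(0)
        bits.extend((octet >> i) & 1 for i in range(8))
        bits.append(1)
    return bits

def preamble_bits():
    """Channel seizure followed by the mark signal."""
    return [i % 2 for i in range(SEIZURE_BITS)] + [1] * MARK_BITS

def modulate(bits):
    """Continuous-phase binary FSK: the phase carries over between bits, so the
    waveform has no jumps where the tone switches."""
    samples, phase = [], 0.0
    for bit in bits:
        step = 2 * math.pi * (MARK_HZ if bit else SPACE_HZ) / SAMPLE_RATE
        for _ in range(SAMPLES_PER_BIT):
            samples.append(math.sin(phase))
            phase += step
    return samples

def tone_energy(chunk, hz):
    """Phase-independent correlation energy of one bit period against a tone at hz."""
    re = sum(s * math.cos(2 * math.pi * hz * n / SAMPLE_RATE) for n, s in enumerate(chunk))
    im = sum(s * math.sin(2 * math.pi * hz * n / SAMPLE_RATE) for n, s in enumerate(chunk))
    return re * re + im * im

def demodulate(samples):
    """Decide each bit by which of the two tones correlates better over its period."""
    bits = []
    for start in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        chunk = samples[start:start + SAMPLES_PER_BIT]
        bits.append(1 if tone_energy(chunk, MARK_HZ) > tone_energy(chunk, SPACE_HZ) else 0)
    return bits

def find_message_start(bits, min_mark_run=20):
    """First start bit = the first 0 after a long run of ones. The seizure alternates
    0/1, so only the mark signal produces such a run (my simplification)."""
    run = 0
    for i, bit in enumerate(bits):
        if bit == 1:
            run += 1
            continue
        if run >= min_mark_run:
            return i
        run = 0
    raise ValueError("no start bit found after a mark run")

def deframe_bits(bits):
    """Reverse frame_octets, checking the start and stop bit of every character."""
    octets = []
    for i in range(0, len(bits) - 9, 10):
        start, data, stop = bits[i], bits[i + 1:i + 9], bits[i + 9]
        if start != 0 or stop != 1:
            raise ValueError(f"framing error at bit {i}")
        octets.append(sum(b << k for k, b in enumerate(data)))
    return bytes(octets)

def receive(samples):
    """Demodulate, skip the preamble, and deframe the message that follows."""
    bits = demodulate(samples)
    return deframe_bits(bits[find_message_start(bits):])

# Constructed message: the octets of Figure 1 (SDMF, 12/25 15:30, 6061234567, checksum 79).
FIGURE_1 = bytes([0x04, 0x12]) + b"12251530" + b"6061234567" + bytes([79])

def roundtrip(octets):
    """Send a CID message behind its preamble and recover it from the audio."""
    return receive(modulate(preamble_bits() + frame_octets(octets)))

if __name__ == "__main__":
    print(roundtrip(FIGURE_1) == FIGURE_1)
```

The decision rule is the simplest non-coherent FSK detector: correlate each bit period with both tones and pick the stronger. With 8 samples per bit the mark tone fits exactly one cycle, which keeps the cross-talk between the two correlators small enough that no filtering is needed on a clean signal; a real CPE front end also has to recover bit timing and cope with line noise, which this example deliberately leaves out.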
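To tie 2.2 and 2.3 together, here is an added Python example (mine, not the article's) that builds SDMF and MDMF frames with the checksum rule above, verifies a received frame the way the CPE does (every octet including the checksum must sum to zero modulo 256), and decodes either format into the fields a CID box would show, including the "P"/"O" case of Figure 2 and the military-to-12-hour time conversion. The message-type and parameter-type octets are the ones shown in Figures 1 to 3; the only inputs are those three figures, reconstructed inline.

```python
# Message type octets and MDMF parameter types as they appear in Figures 1 to 3.
SDMF, MDMF = 0x04, 0x80
PARAM_DATETIME, PARAM_NUMBER, PARAM_NAME = 0x01, 0x02, 0x07
PARAM_KEYS = {PARAM_DATETIME: "datetime", PARAM_NUMBER: "number", PARAM_NAME: "name"}

def checksum(body):
    """Two's complement of the modulo-256 sum of every octet that precedes it (2.2)."""
    return (-sum(body)) & 0xFF

def build_sdmf(date_time, number_or_flag):
    """SDMF: type, length, MMDDHHMM, then the number (or a lone "P"/"O" as in Figure 2)."""
    payload = (date_time + number_or_flag).encode("ascii")
    body = bytes([SDMF, len(payload)]) + payload
    return body + bytes([checksum(body)])

def build_mdmf(date_time, number=None, name=None):
    """MDMF: type, total length, then (parameter type, length, value) triples."""
    params = bytes([PARAM_DATETIME, len(date_time)]) + date_time.encode("ascii")
    for ptype, value in ((PARAM_NUMBER, number), (PARAM_NAME, name)):
        if value is not None:
            params += bytes([ptype, len(value)]) + value.encode("ascii")
    body = bytes([MDMF, len(params)]) + params
    return body + bytes([checksum(body)])

def is_valid(frame):
    """The CPE's check: checksum plus everything before it is 0 mod 256."""
    return len(frame) >= 3 and sum(frame) & 0xFF == 0

def parse_frame(frame):
    """Validate, then decode an SDMF or MDMF frame into the fields a box displays."""
    if not is_valid(frame):
        raise ValueError("checksum mismatch or frame too short")
    msg_type, length, payload = frame[0], frame[1], frame[2:-1]
    if length != len(payload):
        raise ValueError(f"length octet says {length}, payload has {len(payload)}")
    result = {"format": None, "datetime": None, "number": None, "name": None, "flag": None}
    if msg_type == SDMF:
        result["format"] = "SDMF"
        result["datetime"] = payload[:8].decode("ascii")
        rest = payload[8:].decode("ascii")
        if rest in ("P", "O"):        # private / out of area, as in Figure 2
            result["flag"] = rest
        else:
            result["number"] = rest
    elif msg_type == MDMF:
        result["format"] = "MDMF"
        i = 0
        while i < len(payload):
            if i + 2 > len(payload):
                raise ValueError("truncated parameter header")
            ptype, plen = payload[i], payload[i + 1]
            value = payload[i + 2:i + 2 + plen]
            if len(value) != plen:
                raise ValueError("truncated parameter value")
            i += 2 + plen
            key = PARAM_KEYS.get(ptype)   # parameter types not in the figures are skipped
            if key:
                result[key] = value.decode("ascii")
    else:
        raise ValueError(f"unknown message type {msg_type:#04x}")
    return result

def display(parsed):
    """Render like a CID box: MM/DD hh:mm AM/PM, then number and name or PRIVATE/OUT OF AREA."""
    dt = parsed["datetime"]
    hour = int(dt[4:6])
    suffix = "PM" if hour >= 12 else "AM"
    who = parsed["number"] or {"P": "PRIVATE", "O": "OUT OF AREA"}.get(parsed["flag"], "")
    if parsed["name"]:
        who = f"{who} {parsed['name']}"
    return f"{dt[:2]}/{dt[2:4]} {hour % 12 or 12:02d}:{dt[6:8]} {suffix} {who}".rstrip()

# Constructed inputs: the three figures from the article.
FIGURE_1 = build_sdmf("12251530", "6061234567")            # checksum 79
FIGURE_2 = build_sdmf("12251530", "P")                     # checksum 16
FIGURE_3 = build_mdmf("11281543", "6062241359", "Joe Smith")  # checksum 88

if __name__ == "__main__":
    for frame in (FIGURE_1, FIGURE_2, FIGURE_3):
        print(frame[-1], display(parse_frame(frame)))
```

Running it reproduces the three checksums the figures give (79, 16 and 88) and shows why the receiver's check is cheaper than the sender's computation: the CPE never has to take a two's complement, it just sums the whole frame and tests for zero. A single flipped bit anywhere in the frame makes is_valid() fail, which is exactly the error a box should refuse to display.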
With SDMF the minimum message length can be 9 octets, whereas with MDMF the minimum length can be 13. When the minimum is sent, neither the CND nor the CNAM (Caller Name) is displayed. In their place, either an "O" (out of area) or a "P" (private) is sent (as in the case of Figure 2).

2.4 - The mysterious "P" Bit

I have come to realize that a lot of people don't seem to grasp the concept of the P bit. They think, after reading the last section, that ONLY the P bit would be sent. This is not the case. The P bit is the only bit sent if there is no data for the CO to send; otherwise the P bit *is* sent after the CND and CNAM. It is tacked onto the end of the message string right before the checksum. Most CPEs are designed, when a P bit is detected, to display an alternate message such as "PRIVATE" or "UNAVAILABLE". There are CPEs that ignore the P bit, and these are respectively called ignorant CID boxes. Where I live, police have these in their homes to protect themselves from harassment.

2.5 - With CIDCW

CIDCW stands for CallerID on Call Waiting. It's so you know who is calling, even when you're already on the phone. It runs *only* under MDMF (which I think is standard). It varies a bit from normal CID. It doesn't send any kind of channel seizure, and the mark signal is only 80 bits. Instead of a channel seizure, it sends a CAS (CPE Alert Signal) along with the SAS (Subscriber Alert Signal), and the box responds with an ACK signal, during which time it mutes the handset. Then it receives the FSK data, and it unmutes your phone after the data is received. Here is the sequence:

    SAS/CAS : CPE returns ACK : CO sends FSK : info displayed
              handset muted --^               handset unmuted --^

Tone frequencies:
    SAS == 440 Hz (300 ms in length)
    CAS == 2030 + 2750 Hz (DTMF)
    ACK == "A" or "D"; A == 941 + 1633 Hz, D == 697 + 1633 Hz

Surprisingly enough (to me at least), the ACK response is either the "A" or "D" tones from a Silver Box.
So ha, they are still used for something other than PBX's or ham radio.

2.6 - Spoofing CIDCW

No, you cannot do it. When the CAS tone is sent to the CPE, it mutes the called party's handset (the other party doesn't hear it because it is broadcast on their line, not yours) and responds to the CO with an ACK tone. It is going to mute the other party from hearing these tones, which is called reverse audio mute. This stops them, also, from playing any tones to the CPE.

0day Exploits

3.1 - Defeating CID

Okay, I did steal this from dethme0w/Fixer's Beating CallerID File. But, I really couldn't say it any better, so I included it. But mad credits to dethme0w/the fixer for being so elite. =)

(Current as of 11/01/99, a newer version *may* be available at: http://phreaking.iscool.net/files/BEATCID.TXT)

(1) Use *67. It will cause the called party's Caller ID unit to display "Private" or "Blocked" or "Unavailable" depending on the manufacturer. It is probably already available on your line, and if it isn't, your local phone company will (most likely - please ask them) set it up for free. This is the simplest method, it's 100 percent legal, and it works.

(2) Use a pay phone. Not very convenient, costs 25 or 35 cents depending, but it cannot be traced back to your house in any way, not even by *57. Not even if the person who you call has Mulder and Scully hanging over your shoulder trying to get a FBI trace (sic). Janet Reno himself couldn't subpoena your identity. It's not your phone, not your problem, AND it will get past "block the blocker" services. So it's not a totally useless suggestion, even if you have already thought of it.

(3) Go through an operator. This is a more expensive way of doing it ($1.25-$2.00 per call), you can still be traced, and the person you're calling WILL be suspicious when the operator first asks for them, if you have already tried other Caller ID suppression methods on them.

(4) Use a prepaid calling card.
This costs whatever the per-minute charge on the card is, as they don't recognize local calls. A lot of private investigators use these. A *57 trace will fail but you could still be tracked down with an intensive investigation (read: subpoena the card company). The Caller ID will show the outdial number of the Card issuer.

(5) Go through a PBX or WATS extender. Getting a dial tone on a PBX is fairly easy to social engineer, but beyond the scope of this file. This is a well-known and well-loved way of charging phone calls to someone else but it can also be used to hide your identity from a Caller ID box, since the PBX's number is what appears. You can even appear to be in a different city if the PBX you are using is! This isn't very legal at all. But, if you have the talent, use it!

(6) I don't have proof of this, but I *think* that a teleconference (Alliance teleconferencing, etc.) that lets you call out to the participants will not send your number in Caller ID. In other words, I am pretty sure the dial tone is not your own.

(7) Speaking of dial tones which aren't yours, if you are lucky enough to live in an area with the GTD5 diverter bug, you can use that to get someone else's dial tone and from thence their identity.

(8) Still on the subject of dial tones which aren't your own, you can get the same protection as with a payphone, but at greater risk, if you use someone else's line - either by just asking to use the phone (if they'll co-operate after they hear what you're calling about) or by the use of a Beige Box, a hardware diverter or bridge such as a Gold Box, or some other technical marvel.

(9) This won't work with an intelligent human on the other end, it leaves you exposed if the called party has a regular Caller ID box with memory, and has many other technical problems which make it tricky at best and unworkable for all but experts.
A second Caller ID data stream, transmitted from your line after the audio circuit is complete, will overwrite the true data stream sent by the telecom during the ringing. If the line you are calling is a BBS, a VMB, or some other automated system using a serial port Caller ID and software, then you can place your call using *67 first, and then immediately after the other end picks up, send the fake stream. The second stream is what the Caller ID software processes, and you are allowed in. See the technical FAQ's below for an idea of the problems behind this method; many can be solved.

(10) Someone in alt.2600 (using a stolen AOL account, so I can't credit him or her properly) suggested going through 10321 (now 10-10-321) or 10288. Apparently using a 10xxx even for a local call causes "Out of Area" to show up on the Caller ID display. I live in Canada where we don't have 10xxx dialing so I can't verify nor disprove this.

(11) There are 1-900 lines you can call that are designed to circumvent Caller ID, ANI, traces, everything. These services are *very* expensive, some as high as $5.00 a minute, but they include long distance charges. This was first published in 1990 in 2600 magazine, and in 1993 the IIRG reported that 1-900-STOPPER still works. Beware - even if you get a busy signal or no answer, you will get charged at 1-900 rates! Another one published in 2600 in 1990: 1-900-RUN-WELL. That one supposedly allows international calls. I'm not about to call either one to find out. Note that you could still be caught if the operators of these services were to be subpoenaed.

(12) Use an analog cellular phone. Most providers of plain old analog service show up on Caller ID as "Private" or "Out of Area" or a main switchboard number for the cell network. This is becoming less and less true as cellular providers move to digital cellular and PCS, which pass the phone's number on Caller ID. Corollary: Rent a cellphone by the day.
This might even be cheaper than using a prepaid phone card.

3.2 - Alternate CallerID Information

If you're under a DMS-100 switch, you can change your Caller ID information to anything that you would like it to be. Not your ANI, just your CND (and your CNAM). You can do it 1 of 3 ways: hack the switch, Social Engineer, or have a friend on the inside do it. This also is stolen, from Usenet. It is also really well written.

SDNA (Setting Up DN Attributes) - plenty of examples in HELMSMAN (DMS on-line help)

The following is accomplished in SERVORD:

SDNA [return]
[prompt] SNPA:
[prompt] OFFICE CODE:
[prompt] FROM DIGITS:
[prompt] TO DIGITS:
[prompt] NET NAME:
[prompt] FUNCTION:
[prompt] OPTION:
[prompt] NPA:
[prompt] OFFICE CODE:
[prompt] DIGITS:
YES to confirm
... updating (does so immediately)

SNPA is the area code of the line this is being done on.
OFFICE CODE is the exchange/prefix of the line this is being done on.
FROM DIGITS is the last four digits of the line this is being done on.
TO DIGITS is also the last four digits of the line this is being done on. (It can be done to a series of lines.)
NET NAME is PUBLIC
FUNCTION - there are three legit functions: ADD add. CHA change. DEL delete (self-explanatory)
OPTION is ADDRESS (phone number)
NPA is the area code you want your new Caller ID to be
OFFICE CODE is the new exchange/prefix you want to have
DIGITS are the last four digits of the new Caller ID to be!
YES to confirm
....updating

Now you can call anyone who has Caller ID and they will think you are calling from the number you changed it to. Please note the following effects and ramifications:

* ANI still passes normally. It is only the Caller ID signal which changes. So anyone doing serious investigating at the phone company can still pull Last Incoming Call, etc., correctly.

* Billing is not affected. That is, you cannot bill to the virtual (artificial) number.

* Call Return will call back the Caller ID, so if it's in the same area, it will call back the number.
If the Caller ID you chose is from a different area, Call Return won't work. This is one of my favorites: having a non-pub number doesn't stop people from Call Returning you. Now it does!!

* 800 numbers: AT&T 800's will always get your ANI. MCI tends to usually grab your ANI. Operator 800's will definitely get your ANI (800-225-5288). Sprint 800's can be configured either way. For example, AOL (America On Line) 800's get ANI (yes, they resporg to Sprint). However, Western Union, and other Sprint 800's read the Caller ID. Most newer 800's read the CallerID, but one must test to know for sure. This can all be avoided by op-diverting, though. Some RBOC's don't like to op-divert (like USWest) but if you claim to be some kind of super-gimp and can't use your fingers, they will.

The above method of altering Caller ID on a line is the only legitimate way I have ever found to do so that really works. Can the same thing be done on 5ESS? Not that I am aware of, and I have researched it pretty thoroughly. I have not researched Siemens switches, or others.
Appendix

4.a - Acronym Glossary

ACK   -- Acknowledgment
ANI   -- Automatic Number Identification
ASCII -- American Standard Code for Information Interchange
BFSK  -- Binary Frequency Shift Keying
CAS   -- CPE Alerting Signal
CID   -- Caller Identification or Caller ID
CIDCW -- Calling Identity Delivery on Call Waiting or Caller ID on Call Waiting
CNAM  -- Calling Name Delivery
CND   -- Calling Number Delivery
CPE   -- Customer Premise Equipment
CPNM  -- Calling Party Number Message
DTMF  -- Dual-Tone Multifrequency
FCC   -- Federal Communications Commission
FSK   -- Frequency Shift Keying
ID    -- Identification
LATA  -- Local Access and Transport Area
LSB   -- Least Significant Bit
LSSGR -- LATA Switching Systems Generic Requirements
MDMF  -- Multiple Data Message Format
OSI   -- Open Switch Interval
PC    -- Personal Computer
SAS   -- Subscriber Alerting Signal
SDMF  -- Single Data Message Format
SPCS  -- Stored Program Control Switching System
SS7   -- Signaling System 7

4.b - Resources on the Internet

http://www.markwelch.com/callerid.htm
http://members.xoom.com/hoal/cpid-ani.txt
http://phreaking.iscool.net/files/BEATCID.TXT

DATUs - The Tool of the New Age Phreak
Part II - Non Standard Office Interfaces
by MMX

Preface: This information was obtained through a very difficult mission. Please understand that this information probably was never intended to be interesting writing. However, since this is a fascinating topic, it deserves some time. If anyone has continued reading to this point, you're in for a treat.

You may have noticed that the DATU administrators' manual (and No Test Trunk circuit numbers list) only lists the most popular switches. How then, does it interface with other switches? The answer is a miraculous device developed by Harris - an adapter.

For the most part, telephone central office switch equipment employed throughout the United States is provided with a no test trunk, or NTT.
An NTT is connected to a test bus which is interfaced with all of the subscriber telephone lines served by the central office, as well as a set of access ports, comprising Tip (T), Ring (R), Sleeve (S) and Ground (G) leads, that allow for installation of a line conditioning or test device, such as the by now infamous DATU.

In some central office installations, the central office switch may not include an NTT, so that the T, R, S and G leads are not available to directly connect to a piece of conditioning or test equipment. Examples of such "non-standard" central office switches include those installed in a variety of networks outside the United States, such as the Ericsson ARF 101/102 switch and the Standard Electric PC-1000 switch, currently employed in Brazilian telephone exchanges. The Ericsson ARF 101/102 central office switch is ported via A/B leads to line circuit equipment, and contains an access interface having five signaling leads: A, B, C, D and G (ground). The Standard Electric PC-1000 central office switch is connected via A/B leads to its line equipment, and contains an access interface having eight signaling leads: A, B, S, S1, S2, SL, BL and G (ground).

To solve the access port incompatibility problem that may exist with certain types of central office switch equipment, such as the Ericsson and Standard Electric units, the test interface adapter has a first set of ports that are directly connectable to non-standard central office switch configurations, and a second set of ports that are directly connectable to the DATU, which would otherwise be directly connected to the T, R, S and G leads of the no-test trunk. When installed, the interface adapter maps signals at its C.O. interface ports, to which the non-standard central office switch is connected, to its second set of interface ports, to which the DATU is connected, and vice versa.
The port lead and signal mapping functionality of the interface allows the accessing device to communicate with the respective ports of what would otherwise be a non-compatible test interface of the switch, so that it may controllably condition line circuits of the "NTT-less" central office.

To this end, the interface adapter contains a no-test trunk interface emulator unit, so that the DATU will recognize the standard NTT. The NTT interface emulator unit includes a battery voltage conditioning unit, coupled to the tip and ring leads and, under the control of the processor, provides NTT battery and battery reversal on the tip and ring leads. It is also able to remove battery voltage from the tip and ring leads, and includes a battery current flow sensor for detecting an off-hook condition. The battery voltage conditioning unit is coupled through an A/B lead cut-through unit to the A and B leads of the central office switch interface ports of the adapter. The A/B lead cut-through unit connects the A and B leads to respective lead connections to which the tip and ring leads are connected. The A and B leads are also coupled to a tone detector for monitoring respective tones generated by the central office switch.

The no-test trunk interface emulator further contains an NTT sleeve termination and sleeve current level sensor unit, which is connected to the sleeve lead, and includes a terminating resistor that is controllably placed in circuit with the sleeve lead in accordance with a sleeve lead termination input from the on-board processor. This unit additionally includes a peak detector and a pair of threshold comparators, which controllably monitor the current flowing through the sleeve lead and provide a coded output to the processor, representing the amount of the sleeve current, within specified ranges.
For replicating the necessary connections to a non-standard central office switch, the test interface adapter contains a ground connection unit, which selectively places a ground condition on any of the C and D leads for an Ericsson ARF 101/102 central office switch, and any of the S, S1 and S2 leads for a Standard Electric PC-1000 central office switch, for example. The test interface adapter further includes an SL and BL ground detector unit, coupled to each of the SL and BL leads, which monitors whether these leads are open or grounded. For the open or grounded respective conditions, prescribed logic levels are coupled to the adapter's processor.

The adapter's controller employs a table-based tone detection software routine, to identify the cadence and thereby the associated function of a tone or pulse signal sequence applied by the central office switch. Where the switch generates tone signals, as in the case of an Ericsson switch applying tone signals to the A and B leads, the logic level monitored by the micro-controller is that provided by a tone detection comparator which differentially monitors the A and B leads. Where the central office switch supplies on/off pulsing signals, as in the case of a Standard Electric switch applying open and ground to the SL and BL leads, the logic level is that provided by the SL and BL lead pulsing activity detectors.

The cadence detection mechanism comprises a cadence tokenizer, which translates the state of the monitored signals into a stream of tokens, a cadence parser, which identifies cadences from the stream of tokens, and one or more cadence tables, which the parser uses to identify cadences. The cadence tokenizer is the primary state machine for the cadence detection routine. Each cadence is expressed as a unique sequence of tokens. A token represents the state of the input signal being monitored, and the interval of time over which the input signal is measured.
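An added example (not the adapter's own firmware) of the tokenizer / parser / cadence-table split this section describes, using the "pulse" and "level" tokens and the state-or-result-or-error table lookup defined just below. The timing thresholds, the state names and the DEMO_TABLE cadences are constructed for illustration; the logic level fed in is whatever the hardware detector supplies (tone comparator or SL/BL pulsing detector), so the same code serves both kinds of switch.

```python
"""Table-driven cadence detection, added example for the DATU interface adapter article.

Thresholds, state names and the cadence table are constructed assumptions,
not the real Harris values.
"""
from enum import Enum
from typing import Dict, List, Tuple


class Token(Enum):
    PULSE = "pulse"            # short excursion with two transitions (low/high/low or high/low/high)
    LEVEL_HIGH = "level_high"  # long interval, no transitions, monitored signal high
    LEVEL_LOW = "level_low"    # long interval, no transitions, monitored signal low


PULSE_MAX_MS = 300    # assumption: a segment this short, off the resting level, is a pulse
LEVEL_MIN_MS = 2000   # assumption: a segment this long with no transition is a level

ERROR = "ERR_UNEXPECTED_TOKEN"

# One cadence table per distinct set of cadences. Keys are (parser state, token);
# a value starting with "CAD_" is a terminal result code, anything else is the
# next (non-terminal) parser state.
CadenceTable = Dict[Tuple[str, Token], str]

# Constructed table for a hypothetical pulsing interface (open/ground on a lead).
DEMO_TABLE: CadenceTable = {
    ("IDLE", Token.LEVEL_LOW): "IDLE",             # quiescent, keep waiting
    ("IDLE", Token.LEVEL_HIGH): "CAD_LINE_BUSY",   # held high = busy indication
    ("IDLE", Token.PULSE): "P1",
    ("P1", Token.PULSE): "P2",
    ("P1", Token.LEVEL_LOW): "CAD_ONE_PULSE_NAK",  # one pulse, then quiet
    ("P2", Token.LEVEL_LOW): "CAD_TWO_PULSE_ACK",  # two pulses, then quiet
}


def tokenize(segments: List[Tuple[int, int]]) -> List[Token]:
    """Turn (logic level, duration_ms) segments into tokens.

    Short segments at the resting level are the gaps between pulses and emit
    nothing; durations between the two thresholds are ignored as noise.
    """
    tokens: List[Token] = []
    rest = segments[0][0] if segments else 0   # resting level, updated by each LEVEL token
    for i, (level, dur) in enumerate(segments):
        if dur >= LEVEL_MIN_MS:
            tokens.append(Token.LEVEL_HIGH if level else Token.LEVEL_LOW)
            rest = level
        elif dur <= PULSE_MAX_MS and level != rest and 0 < i < len(segments) - 1:
            tokens.append(Token.PULSE)   # bounded on both sides: exactly two transitions
    return tokens


def step(table: CadenceTable, state: str, token: Token) -> Tuple[str, str]:
    """One table lookup: ('state', next) | ('cadence', code) | ('error', ERROR)."""
    nxt = table.get((state, token))
    if nxt is None:
        return ("error", ERROR)
    if nxt.startswith("CAD_"):
        return ("cadence", nxt)
    return ("state", nxt)


def parse(tokens: List[Token], table: CadenceTable, start: str = "IDLE") -> List[str]:
    """Run the token stream through the table and return every result code seen.

    After a terminal result or an error the parser returns to the start state
    so the next cadence can be recognised.
    """
    state = start
    results: List[str] = []
    for tok in tokens:
        kind, value = step(table, state, tok)
        if kind == "state":
            state = value
        else:
            results.append(value)
            state = start
    return results


def detect(segments: List[Tuple[int, int]], table: CadenceTable = DEMO_TABLE) -> List[str]:
    """Tokenizer and parser chained, as the adapter's controller would run them."""
    return parse(tokenize(segments), table)


if __name__ == "__main__":
    # Constructed capture: quiet low, two 100 ms pulses, quiet low again.
    capture = [(0, 5000), (1, 100), (0, 150), (1, 100), (0, 3000)]
    print(tokenize(capture))
    print(detect(capture))   # ['CAD_TWO_PULSE_ACK']
```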
A "pulse" token represents a relatively short period of time during which two state transitions occur (low/high/low or high/low/high). A "level" token represents a longer period of time (e.g. on the order of several seconds or more) during which no state transitions occur.

The cadence parser is invoked by the cadence tokenizer to analyze the stream of tokens representing the monitored signal state, and returns a result whenever it recognizes one of a list of predefined cadences. The parser searches a cadence table associated with the central office switch for an entry (transition) for the selected token. It indicates the new state the parser should enter as a result of having seen that token in the current state.

The cadence tables list the sequences of tokens that make up each of the cadences recognized by the parser. There is one cadence table for each distinct set of cadences. (In the detailed description below, two cadence tables, respectively associated with a Standard Electric PC-1000 switch and an Ericsson ARF 102 switch, are provided as non-limiting examples.) The cadence table is pointed to by an entry in the parsing routine. Each cadence table accepts the current parser state and the token to be processed, and returns either the new parser state (for a non-terminal transition), a cadence result code (for a terminal state), or an error code (for an unexpected token).

*** NOTE *** There are additional files that accompany this article which are located on the files page.

Frequency Counters
by Black Axe

The frequency counter is probably one of the most useful radio monitoring tools ever made. It has the ability, when used in the proper manner, to snag frequencies out of the air. This is far preferable to sifting through FCC databases and personal webpages, finding outdated info, sitting in your car and scanning different frequency ranges, etc.
The catch here is that many people see the frequency counter as this magical device that will instantly tell them the frequency of that agency or group that they want to monitor. It's a lot more complex than that, both logistically and technically.

First, let's look at (or drool over, your pick) equipment. The first frequency counter you'll probably notice is the one sitting on the shelf of your local Rat Shack. This is about standard for what you'll see available. Range is AF (audio frequencies) to 1.3gHz. Hold function, selectable gate times, and a backlight are included. This is an alright counter, available, and not too expensive (around $100 last time I checked).

When shopping for counters, there are counters, and then there is the Opto Scout. It has 400 memories, each with a hit counter capable of counting 255 transmissions on each received frequency, CI-V interface, etc. Really nice. Most other frequency counters were made for testing radio gear to see if it's on frequency, etc.; not so with the Scout. The Scout is the only counter that's made specifically to snag frequencies for monitoring. This may explain the $350 price tag. If you have the cash, it's definitely worth it; however, it's not for everyone. Check it out at http://www.optoelectronics.com/.

A frequency counter, in theory, is a very simple device. Flashback to basic electronics and radio class. Radio transmissions oscillate at a certain frequency, in the shape of an AC (alternating current) waveform. What your frequency counter does, basically, is measure the number of times that the waveform's voltage drops from its peak to zero within the given gate time. After that measurement is taken, the number of times that the wave's voltage would drop from its peak to zero in a second is calculated, factoring in the length of time that the counter was counting voltage drops. This calculated value is then displayed, stored into memory, etc.
From this, we can determine that the counter's gate time is a setting that will affect the accuracy of the measured signal. In most cases, however, the shortest gate time will prove most beneficial and will give results accurate within 1kHz or so. Remember that frequencies, for police departments and such, are allocated based on a bandplan, with predefined steps. In other words, if you got a reading on your counter of 155.687, one could guess that the actual frequency in use would be 155.685mHz (the closest frequency allocated for police activity). Same goes for a reading of 879.98 - that's in the cellular band, and the cellular band is allocated in 30khz steps, making the closest valid frequency 879.99mHz. Also remember that your frequency counter isn't entirely accurate. And, most likely, neither is the transmitter you're measuring. This inaccuracy should not harm your readings at all - so don't think that your counter is screwed when it reads 155.68592 when counting your local PD.

So far, it seems fairly easy to use the counter, right? Wrong. Here comes the bad news, the part that you wish just wasn't true. In order for a counter to operate properly, it needs to see the cleanest AC waveform possible. Think of your average communications tower. Think of all the antennas there that are transmitting simultaneously. When your counter sees 2 AC waveforms at about the same strength, it doesn't know what to do. Some counters may produce some sort of an odd average of the two frequencies. Some may lock up completely and not display anything. And on a communications tower like that, there's _always_ someone yapping. In order for a counter to operate properly, it needs to "see" the desired AC waveform at least 15 to 20db stronger than the rest of the clutter. At your average communications tower, there's probably a cellular base station there. Or a paging transmitter.
We all know that a cellular tower is constantly transmitting on its control channel, and that pager transmissions rarely cease. Thus, your stock counter will be unable to snag the frequency of the police repeater amidst all of this clutter.

The solution? Engineering the signal before it enters the antenna jack. This is accomplished through the use of filters and tuned antennas. Tuned antennas are, well, tuned to receive best in a specific frequency range. This will "magnify" the AC waveforms seen in that range by the counter, and de-emphasize the other signals. This will only work if one's target frequency is known to be in a specific band. Filters will attenuate (knock down, in other words) signals at certain frequencies. For example, a commercial 88-108mHz filter is available, to de-emphasize the effects of broadcast FM transmitters. Other filters can either be bought or homebrewed. Probably the most useful filter, for the monitoring enthusiast, would be one that attenuates anything over 512mHz or so, leaving most of the public safety band intact, and eliminating a lot of pager and cellular interference. Don't even bother with preamplifiers or broadband attenuators; what we're trying to do is increase the desired signal's relative signal strength in relation to other signals in the spectrum. Simply amplifying or attenuating everything doesn't change strengths relative to each other.

Now let's look at the field end of things, i.e., not hanging out under a comm tower. Things become much simpler here, as all it entails is getting close to a transmitting target. Once you've snagged the frequency, you're _almost_ home free. What you have then is the input frequency. Most listening is done on the output frequency.
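The counter arithmetic from this article (cycles counted during the gate scaled to one second, then snapping a reading to the nearest allocated channel) together with the UHF input-to-output repeater offsets the article gives next, as an added example that is not part of the original. The cellular entry reproduces the 30 kHz grid used for the 879.98 reading; the 5 kHz grids for the VHF and UHF bands are assumptions for illustration, not an FCC allocation table.

```python
"""Frequency counter helpers, added example for the Frequency Counters article.

Everything is handled in integer kHz so that snapping is exact; the band
plans below are constructed assumptions except for the 30 kHz cellular
step the article itself cites.
"""
from typing import List, Optional, Tuple

# (name, low_khz, high_khz, first_channel_khz, step_khz)
BANDPLANS: List[Tuple[str, int, int, int, int]] = [
    ("VHF public safety", 150_000, 174_000, 150_000, 5),   # assumed 5 kHz grid
    ("UHF", 450_000, 512_000, 450_000, 5),                 # assumed 5 kHz grid
    ("cellular", 870_030, 889_980, 870_030, 30),           # 30 kHz steps, per the article
]


def khz(mhz: float) -> int:
    """Counter display in MHz -> integer kHz (the last digits are noise anyway)."""
    return round(mhz * 1000)


def frequency_hz(cycles_counted: int, gate_ms: float) -> float:
    """Scale the cycles seen during one gate to cycles per second.

    The resolution is one count per gate, i.e. 1000 / gate_ms Hz, so a short
    gate answers faster but is no more exact than the counter's own clock.
    """
    return cycles_counted * 1000.0 / gate_ms


def snap_to_bandplan_khz(reading_khz: int) -> Tuple[int, Optional[str]]:
    """Round a reading to the nearest channel of whichever band contains it.

    Returns (channel_khz, band_name); an unknown band returns the reading
    unchanged with None, because guessing a grid there would be wrong.
    """
    for name, low, high, base, step in BANDPLANS:
        if low <= reading_khz <= high:
            n = round((reading_khz - base) / step)
            return base + n * step, name
    return reading_khz, None


def repeater_output_khz(input_khz: int) -> Optional[int]:
    """Output frequency from a snagged input, using the article's UHF offsets.

    460-470 MHz: output is 5 MHz below the input; 470-512 MHz (UHF T-band):
    3 MHz below. VHF has no standard offset, so None means 'use the database'.
    """
    if 460_000 <= input_khz < 470_000:
        return input_khz - 5_000
    if 470_000 <= input_khz <= 512_000:
        return input_khz - 3_000
    return None


def identify(reading_mhz: float) -> Tuple[float, Optional[str], Optional[float]]:
    """Reading -> (snapped MHz, band, listening frequency in MHz or None)."""
    chan, band = snap_to_bandplan_khz(khz(reading_mhz))
    out = repeater_output_khz(chan)
    return chan / 1000, band, (out / 1000 if out is not None else None)


if __name__ == "__main__":
    # Constructed readings: the two from the article plus a UHF input.
    for reading in (155.687, 155.68592, 879.98, 465.125):
        print(reading, "->", identify(reading))
```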
If the frequency you have is in a band with a standard bandplan (like around 460-470mHz), then you can simply determine the output frequency by subtracting 5mHz if the frequency is between 460-470mHz, or subtracting 3mHz if the frequency is in the UHF T-band (470 to 512mHz). Sometimes this doesn't work too well, and consulting the FCC database is necessary. Do a lookup by state/frequency, and input what you have. Get the callsign of the agency from the input frequency, and do a search on that callsign. You now should have a good chunk of freqs to work with. In the VHF band, there are no standard repeater offsets, so your only recourse is to use the database method.

With counter in hand, you should be easily able to identify many frequencies in use in your area with a little elbow grease and a little logical thinking.

An Overview of Trunked Radio Systems
by Black Axe

In the past few years, many public service agencies have decided to move their operations from conventional FDMA (frequency division, multiple access) repeater-based land mobile systems to a new breed of trunked radio systems. Just what, exactly, is a trunked radio system? How does it work? What different types are there? As a monitoring enthusiast, what do I need to do to be able to efficiently monitor these systems?

History

One of the best and most well-known examples of a trunked radio system would be the analog cellular system (as in cellular telephones, AMPS). As all good phreakers know, a cellular system is based on a control channel, and a number of associated voice channels. Data flowing over the control channel instructs the mobile units to switch frequencies and unsquelch audio, amongst other things. In the cellular system, the control channel would usually address a specific mobile unit. In a trunked radio system, the control channel addresses different talkgroups. Talkgroups are programmable groups of radios; each talkgroup forms a logical "channel" within the trunked system.
However, because of the nature of the system, talkgroups can use different frequencies within the system, as allocated by the control channel. In the past, police departments were limited to those frequencies that they were licensed on. So a local police department with 2 licensed frequencies has 2 channels, divided by frequency. In a trunked system, however, the operator can program hundreds of different talkgroups into a trunked system using only 5 or 6 frequencies. The benefits here are obvious: these agencies are no longer limited to only 2 channels. A communications officer can have a talkgroup for EMS calls, another for traffic units, another for detectives, another for the SWAT team. Or, they can divide up their coverage area, with different talkgroups for each section of the town. For these reasons, many agencies have decided to "go trunked". And who can blame them? The advantages are excellent.

Another implementation of the trunked system would be a SMR (Specialized Mobile Radio) system. A SMR system is generally owned by a private business. These businesses can then provide communications, on their trunked system, to others for a fee. The basic concept here is that a small organization can rent or buy radios from the SMR business, and rent their own talkgroup within the system.

Monitoring Systems/Setup: How it works

Before any idiot could walk into Radio Shack, drop a few bucks, and walk away with a radio capable of following trunked systems, trunked monitoring was for the technically inclined only. The original setup consisted of 2 receivers (scanners, if you will) and a computer that controlled the "trunktracking". One receiver had a discriminator tap and fed the control channel data stream into the computer through the appropriate interface. The other radio was controlled by the computer, and this was the radio that actually skipped from frequency to frequency, following calls. Back then, the actual commands as to which frequencies to switch to, etc.
were decoded from the control channel only.

Nowadays, trunktracking scanners operate in a different fashion. At first, when there's no activity, these new radios listen to the control channel. When activity appears on a talkgroup that is programmed into the scanner, the scanner's only receiver jumps to the frequency in use. Now, you may ask, what happens when the conversation changes frequency? In addition to data over the control channel, there is data encoded into the voice channel (somewhat similar to DPL tones, if you're familiar) that instructs the radios as to where they should now look for activity. This method is used in both trunktracking scanners and the actual mobile units that you're monitoring.

Which way is the better way to follow the system? Depends on the situation. If you want to run around town, drinking and acting like a bunch of hooligans, I'd recommend the commercially produced handheld. If you're sitting at home, the original method (using 2 scanners) provides much more information as to how the trunked system works, and as to exactly what's going on within the system. Even if you choose to listen to a commercial trunktracking scanner at home, I highly recommend decoding the control channel on some old 386, just to give you a clearer picture.

** Note: within trunked radio systems, there exists the capability to place telephone calls over the system, also known as an autopatch. On these autopatch calls, a "privacy bit" is set. The call is still on the system, and it's still in analog mode (usually). Uniden, when designing their radios, decided to have the radio skip over and not notice any call with the privacy bit set - yet another reason as to why one may want to use the original setup described above.

Equipment

When trunked radio systems became popular, Uniden figured that it had better cash in on this new trend in land mobile communications. To date, the only trunktracking radios (with one exception) have been made by Uniden.
My opinions, and a few specs to boot:

Uniden BC235XLT: The first radio to hit the market. Handheld, 300 channels, can decode Motorola Type I/II systems. Uses rechargeable battery pack. Price: around $200 or so.

Uniden BC895XLT: An excellent base radio. It's fairly large, but has many features (computer control, S-meter, easy discriminator mod). 300 channels, follows Motorola Type I/II systems. Price seems to hover around $220-230.

Uniden BC245XLT: This one is fairly new. A handheld by Uniden, it was the first handheld to track EDACS (Ericsson) in addition to Motorola Type I/II systems. Specs are much the same as the 235XLT, except that the 245 has a port for computer control. Price: around $230, you can find it cheaper in some places.

Optoelectronics Optocom: This offering from Optoelectronics is a "black box" receiver; that is, it's entirely computer-controlled. Channels limited only by your hard drive space, decent control software, and a sensitive receiver. Capable of following Motorola, EDACS, and LTR systems. Reaction tune capability (with the Scout). Price: around $550 (ouch!).

** Note: although the following radios are sold by Radio Shack, they are actually made by Uniden. If you doubt me, open any of the radios up and look - Uniden likes to mark their own work.

RS PRO-90: An _exact copy_ of the 235XLT. Not really worth your money at $300 or so.

RS PRO-91: A 150-channel, Motorola only trunktracker. Again, RS shifts their prices around, but it's probably overpriced. The only advantage to this radio is that it may be fairly cheap, and it is the only currently available trunktracking handheld that will take AA batteries.

RS PRO-2050: A 300-channel trunktracking base. Nothing spectacular here, Motorola Type I/II only. Price: around $300.

RS PRO-2066: A 150-channel trunktracking mobile unit - fits perfectly into a car stereo slot. Price is around $220, so the only reason that I'd be buying this is if I needed something in the car.
** Note: the following radios aren't available for sale yet; they should be out late 1999 or early 2000.

RS PRO-92: I'm really drooling over this one. 4 line dot matrix LCD, you can alphatag everything, SAME weather alert, follows Motorola Type I/II, EDACS, and LTR systems. Since this radio is made by GRE, and not Uniden, they may or may not "block" the autopatch calls. 500 channels, divided into 10 banks of 50 channels each. This is the scanner nut's dream handheld. Runs on AA batteries. Price: around $360, but it's worth every penny.

RS PRO-94: An interesting handheld. Same case styling as the PRO-91 (and the 67, and the 26). 1000 channels, Motorola/EDACS following capability. Appears to run on AA's. Doesn't appear to be a bad radio; price should be around $300. Try for the PRO-92 though, unless you really need all of those channels.

RS PRO-2052: The base version of the 94. Same as the 94, except in a PRO-2050 case. Price: around $340-350.

If you handed me a wad of cash, and asked me to buy you the best radios, what would I say? As far as base radios go, the 895XLT blows em all out of the water. Even though it only has 300 channels, and can't do EDACS, it's still a great radio. If you really need the EDACS or the extra storage, however, the PRO-2052 is your only choice. As far as handhelds go... I tend to prefer having AA batteries in my radios - easy to replace, and you can't get fully charged Ni-Cd packs at your local friendly 7-11.

Conclusion

When you originally heard that your local PD was going trunked, you may have freaked. Hopefully, after reading this, you will have realized that it isn't such a bad change (it can even make monitoring more interesting!). Grab a wad of cash, and when they do switch over, trek on down to your local electronics establishment (e.g. Rat Shack) and pick up that oh-so-sweet PRO-92 that I know you want to buy. Before you do this, though, monitor the trunked system and make sure they're transmitting in the analog mode.
If they have went "full digital", that is, using a form of digital modulation as opposed to regular FM communications, you're screwed. Almost. More on decoding digital voice, another day. A different newbie guide by Mohawk There are plenty of newbie guides out there explaining what phreaking is and all the related topics but none of them focus on the ways to go about being a newbie. It's important for people new to the scene to understand how to get information, how to act, and just how to be a newbie without making an ass out of yourself. This article contains suggestions based on my many years of experience in the H/P scene. I've seen a lot of people come and go and I've learned from their mistakes. Keep in mind these are just suggestions. -Before you delve into the Pheaking world, ask yourself why you want to be here? Do you want to learn new ways to harass people, screw the phone company, impress others with all your cool knowledge to feed your ego (there are a lot of these people in NY, or so I hear), or because it's the cool thing to do. If so, then leave. Forget you ever heard about phreaking. The last thing we need is more people being phreakers for all the wrong reasons. What's gonna happen is eventually you'll get into trouble or bored and you'll drop out of the scene. I've seen it happen millions of times before. However, if you feel like just learning some stuff or if it turns into your passion, then you're on the right track. This way you'll be into phreaking for a long time, even if it's on and off for a while. You just can't leave a passion. Phreaking is a way of life for most people; it's a way of thinking. Even if you don't get into it that much, you'll get more out of it if you do it for the right reason. -Most people never really hear about phreaking or they dismiss it as stupid. Then they run across a certain text file and they want to get into it all of a sudden. The problem here is that a lot of people want instant gratification. 
They read about all this cool stuff and they want to do it all today and tomorrow. You're not going to accomplish everything in one night and you're not gonna learn it all in one sitting. You've gotta be patient about phreaking. If you run right into things, you probably won't have a good experience. I've been into phreaking for the last decade or so and I don't know everything and I probably never will. You have as much time as you want to learn about phreaking and explore your new skills.

-Before you email anyone or post anywhere, you have to read. Download everything you can and read it a couple of times. Keep in mind that a lot of text files are very old and outdated. The topics covered will most likely be obsolete. You should still read them for history purposes, though. The best place to learn about phreaking is the alt.phreaking FAQ, and I'm not just saying that because it's a part of the network. I have seen tons of praise for the document and it deserves every bit of it. Seuss, many others, and myself have spent a lot of time making it what it is today and we are always trying to improve it.

-Don't just stick to the alt.phreaking FAQ though; read everything and visit as many websites as possible. Go to a page and follow their links. Then on those pages, follow their links, etc. That should keep you busy for a long time. If you have a question that wasn't answered by the FAQ and you don't have time to visit all those sites at the moment, try a search engine. I see tons of questions either on a newsgroup or in my mailbox that could be answered by using any search engine. There are a ton of them; I suggest you try them all for your question, and you should find the answer. You'll learn more if you find the answer yourself instead of having someone tell you.

-Avoid non-phreaking things like getting credit card numbers, warez, and other stupid things like that. They have no place in the phreak scene.

-Most phreak programs suck and I wouldn't worry about them. Besides a few wardialers, the rest do nothing. Especially the calling card generators and such. However, you learn best by experimenting, so if you want to, go ahead. Just don't be surprised if they don't work.

-If you live outside the US, don't expect everyone to know about foreign subject matter. I've never been to another continent, so I don't know anything about other countries' phone systems.

-Try to avoid hacker politics. It really sucks, but the H/P scene is not immune to politics. Much like it is in the real world, it's not what you know, but who you know. You'll see this a lot with the media whores and the popular people in the scene. They really don't care about the scene; they are just there to look good and feed their egos.

-So you've read everything and you feel like you're ready to hop into the scene and start getting involved. The two best ways to interact with other phreaks are newsgroups and chatrooms. I don't like chatrooms at all. Most of the people act like five year olds and no one ever talks about the subject that the room is about. However, some people like IRC and you should check it out if you have the time. The best newsgroup is alt.phreaking. It's nothing like it used to be, but it's better than anything else out there in my opinion. Whatever NG you get into, lurk before you post. Watch what happens and who's who. This way you'll get a feel for the attitude of the people there and maybe even learn from other people's mistakes. The same can be said about chatrooms: lurk before you get into it. Also, before you post to a newsgroup, read the old posts that are archived on deja.com. Chances are, someone has already asked your question a hundred times.

-Try to forget about redboxing, blueboxing, and any other box for that matter. There's so much more to phreaking besides boxes and ripping off the phone company. A large number of phreaks, like myself, never really break the law maliciously. Being a phreak is about learning, exploring and asking questions about why things are the way they are with a certain telecommunications system. Besides finding security holes and exploits that you read about in an H/P text file, learn about the legal side of phreaking, namely the telephone system and the telecommunications industry. Keep track of new technology and do some research. The legal side of phreaking is just as exciting as the illegal side. While breaking the law may be necessary at certain times to explore a theory, think before you do it.

-Don't be afraid to go against the norm. The stupid phreakers far outnumber the good phreakers. Don't take a cue from a lot of those people out there. Just be yourself and don't try to play up to others to get them to like you, and keep in mind that a lot of people out there just suck. That may sound rather obvious, but a lot of people in the H/P scene do things because it's the cool thing to do.

-Give back to the scene. Once you're in the scene for a while and you've acquired some considerable knowledge, give back to the scene. Write an article or a letter to your favorite zine. Become a regular on a newsgroup. Start a webpage (but make sure it's original and not just a bunch of files that you can get from hundreds of other sites), or help out someone with an already established site. At least email the people at your favorite sites with your comments and suggestions. Even if it's something like, "hey, this link is broken," you're giving back to the community. We put a lot of time into our sites and so do a lot of other people. We do it all for free and our only payment is your suggestions and comments. If you are going to email us or anyone else, keep it intelligent. Talking like a child and cursing someone off isn't going to accomplish anything. If the page really sucks, give the webmaster some tips to improve it. When you do become old and wise, don't put down others who are just starting out; remember that you were there too once. At least point them in the right direction, or ignore them if they are really annoying.

Notes on ANI by Seuss (short and to the point)

Seuss is the webmaster of the alt.phreaking FAQ (http://members.tripod.com/~SeusslyOne/) and the Clandestine Files (http://members.tripod.com/~seussbeta/).

Bulk vs. Realtime ANI: ANI is sent to the receiving party in one of two ways, either in realtime or in bulk. Realtime ANI is the service where ANI is sent before the call is completed. Bulk ANI is sent to the receiving party with the bill. Obviously bulk ANI is cheaper (no ANI decoder needed), but less secure.

ANI Transmission: ANI can be sent through either digital or analog trunks, though in different formats. ANI from an analog trunk is in the format KP-NPA-NXX-XXXX-I-ST (that's the letter I; it's the information digit that specifies what class of service you're on). ANI is sent across digital trunks in the packet headers of the call.

ANI II: ANI II is a relatively recent development in CLID. ANI II identifies the class of service of a calling party (home phone, COCOT, payphone, PBX, etc.). A list of ANI II digits can be obtained from NANPA.com.

ANI Spoofing: ANI can be spoofed, usually through a technique called op-diversion (calling the RBOC operator and having them put you through to an 800 number). Op-diversion causes ANI to fall off the table, though the ANI II digits remain. If, however, you were to engage in a complex rerouting scheme of op-diverting to a major IXC, dialing to an LEC, and back to an IXC once or twice, both your ANI and ANI II digits will be lost! This trick requires the plant test (direct dial) numbers of a few different RBOCs and IXCs, and a calling card, but has incredible potential.
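As an added example (not code from the zine or from Seuss), here is a small Python checker for the analog-trunk ANI layout the article gives, KP-NPA-NXX-XXXX-I-ST, written from the receiving side's point of view: it validates each field and separately flags the two degraded deliveries the spoofing paragraph describes, the calling number gone with the ANI II digits still present, and both gone. The ANI II class table holds a handful of codes from memory and is an assumption for this example; the authoritative list is NANPA's, as the article says. The sample delivery strings are constructed (555 numbers), and the info-digit field accepts one or two digits because the article writes a single "I" while ANI II uses two.

```python
"""Sanity-check ANI strings in the analog-trunk layout given in the article.

Added example, not code from Phone Punx Magazine. It follows the article's
field order (KP, NPA, NXX, XXXX, info digit(s), ST) and flags deliveries in
which the calling number is absent, the symptom the article attributes to
op-diversion.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# A few ANI II (information digit) classes, from memory and assumed for this
# example; NANPA publishes the authoritative list.
ANI_II_CLASSES = {
    "00": "plain old telephone service",
    "02": "ANI failure",
    "27": "coin / COCOT",
    "29": "prison or inmate service",
    "70": "private paystation",
}

NPA_NXX_RE = re.compile(r"^[2-9]\d\d$")  # NANP: NPA and NXX begin with 2-9
LINE_RE = re.compile(r"^\d{4}$")
INFO_RE = re.compile(r"^\d{1,2}$")        # article writes one "I"; ANI II uses two


@dataclass
class AniRecord:
    raw: str
    npa: Optional[str] = None
    nxx: Optional[str] = None
    line: Optional[str] = None
    info_digits: Optional[str] = None
    status: str = "malformed"

    @property
    def number(self) -> Optional[str]:
        if self.npa and self.nxx and self.line:
            return f"{self.npa}-{self.nxx}-{self.line}"
        return None

    @property
    def service_class(self) -> str:
        if self.info_digits is None:
            return "unknown (no info digits)"
        return ANI_II_CLASSES.get(self.info_digits.zfill(2), "unlisted code")


def parse_ani(raw: str) -> AniRecord:
    """Parse one delivery string; the MF KP/ST signals bracket the digits."""
    rec = AniRecord(raw=raw)
    fields = [f.strip().upper() for f in raw.split("-")]
    if len(fields) < 2 or fields[0] != "KP" or fields[-1] != "ST":
        return rec                       # no KP/ST bracket: not an ANI string
    body = fields[1:-1]
    if (len(body) == 4 and NPA_NXX_RE.match(body[0]) and NPA_NXX_RE.match(body[1])
            and LINE_RE.match(body[2]) and INFO_RE.match(body[3])):
        rec.npa, rec.nxx, rec.line, rec.info_digits = body
        rec.status = "ok"
    elif len(body) == 1 and INFO_RE.match(body[0]):
        rec.info_digits = body[0]        # number gone, class of service kept
        rec.status = "ani-missing"
    elif not body:
        rec.status = "ani-and-ii-missing"  # number and info digits both gone
    return rec


def review(raws: List[str]) -> List[str]:
    """One line per delivery that is not a clean, complete ANI; empty if all are."""
    findings = []
    for raw in raws:
        rec = parse_ani(raw)
        if rec.status != "ok":
            findings.append(f"{rec.status}: {raw!r} ({rec.service_class})")
    return findings


# Constructed sample deliveries (555 numbers, not real subscribers).
SAMPLE_DELIVERIES = [
    "KP-555-555-0100-00-ST",   # complete POTS delivery
    "KP-555-555-0199-27-ST",   # complete, from a COCOT
    "KP-27-ST",                # number fell off, II digits remain
    "KP-ST",                   # everything lost
    "555-555-0100",            # no KP/ST framing at all
]

if __name__ == "__main__":
    for finding in review(SAMPLE_DELIVERIES):
        print(finding)
```

A receiving party that relies on realtime ANI for anything security-relevant (screening, billing, call-back) can run every delivery through review() and treat "ani-missing" and "ani-and-ii-missing" as calls whose origin is unverified, which is exactly what the article's op-diversion paragraph says they are.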
Voice Over IP Surveillance with the TTC Fireberd 500 DNA.323 by Seuss

Description: Voice Over IP (VoIP) applications using the RTP protocol are vulnerable to eavesdropping with the TTC DNA.323, an off-the-shelf VoIP analyzer. This software runs under either a Microsoft Windows 9X/NT platform with a NIC that supports promiscuous mode or a TTC Fireberd 500 test platform. When the software is installed and the "capture" feature is started, the NIC is set to promiscuous mode and all intercepted packets are stored in a buffer for analysis. When the capture is completed, the NIC is restored to normal mode. The buffer can then be filtered to segregate RTP (voice-carrying) packets, and these packets can in turn be reassembled, decoded and decompressed for playback. Captures may be filtered by specific MAC or IP address to single out conversations. DNA.323 may be downloaded from: http://www.ttc.com/products/html/p_list/fb500_dna.html

Impact: All VoIP platforms using RTP and lacking encryption capabilities are affected by the threat of surveillance via the Fireberd DNA.323.

Detection: Detection of the DNA.323 analyzer is an uncertain proposition at best. Standard promiscuous mode detection (i.e. running a program to detect NICs in promiscuous mode, such as AntiSniff, or utilizing OS-specific techniques) is possible, but it misses software that isn't currently capturing packets: as noted above, the NIC is only in promiscuous mode while a capture is running.

Concepts of Echelon
Sending Your Privacy to /dev/null
by PhoneTap (http://www.felons.org)

ECHELON \'ech e lon\ noun: (1) a formation of units or individuals (2) the US National Security Agency's secret global surveillance network, which intercepts many of the world's telephone calls, faxes and emails, making them available for keyword searching by agencies of the five member UKUSA intelligence alliance.

Introduction: Imagine a world where every email, telephone call, fax or other assorted communication you make is being closely scrutinized by the Government.
It shouldn't take much imagination; after all, you're already there. In the late 1980's the United States began work on a global surveillance system called "Echelon". This highly secret project was funded under the premise that it could be used to capture the conversations, emails, and faxes of terrorists, drug lords and other high-powered criminals. Monitoring stations all over the world would ensure that no communication went un-sniffed, and under the watchful ears of the Echelon computers, bad guys and their evil plots would be flagged and investigated. Unlike similar technologies put into use during the cold war, the Echelon system is aimed at non-military targets, focusing on businesses, organizations, and governments spanning the entire globe. I am going to try to bring the facts on this system to you in this article and do my best to weed out the standard whips of paranoia that follow this subject. I think that the only way to fully understand the implications of this high-powered eavesdropping system is to scare away the shadows it's hidden in.

"At the same time, that capability at any time could be turned around on the American people and no American would have any privacy left, such [is] the capability to monitor everything: telephone conversations, telegrams, it doesn't matter. There would be no place to hide. If this government ever became a tyranny, if a dictator ever took charge in this country, the technological capacity that the intelligence community has given the government could enable it to impose total tyranny, and there would be no way to fight back, because the most careful effort to combine together in resistance to the government, no matter how privately it was done, is within the reach of the government to know. Such is the capability of this technology... I don't want to see this country ever go across the bridge. I know the capacity that is there to make tyranny total in America, and we must see to it that this agency and all agencies that possess this technology operate within the law and under proper supervision, so that we never cross over that abyss. That is the abyss from which there is no return."
-Senator Frank Church

How it works

The Echelon system is comprised of well documented, not-so-sneaky listening posts located all over the world. The most famous of these posts is Menwith Hill. The NSA Menwith Hill station, comprised of 22 satellite terminals and covering nearly 5 acres, is undeniably the largest and most powerful station that is publicly known to exist anywhere today. During the Persian Gulf conflict, Menwith station received commendations from the NSA as "Station of the Year" for the major role that it played in the Gulf Conflict. This in itself is testimony to the power of the UKUSA network. Menwith station is located in Northern England. The Persian Gulf is several thousand kilometers away. Its eavesdropping ability, coupled with its ability to intercept microwave transmissions, is a key example of the power of Echelon. Menwith station and others intercept microwave and short-range communications. Several other stations whose jobs are to feed data from satellites into the global network include Bad Aibling Station in Germany and the CIA-powered Pine Gap station. These, and an additional network dedicated to interception of long-range communications, feed data into a large computer dictionary system where the information is sorted, split into several categories, and logged for later review. The dictionary computers are actually a large, highly organized network that splits the data up according to various categories, where it is then sent under powerful encryption to computer systems belonging to the five agencies that comprise Echelon. This is where the captured data undergoes the watchful eyes of SigInt analysts in Washington, Cheltenham, Ottawa, Canberra and Wellington. The data is filtered into different categories, each with a corresponding index number. These categories make it much simpler for the analysts to find whatever subjects it is that they want to look over that day. For instance, the index number 1234 may be assigned to any data related to the discussion of encryption methods and the number 9876 may be assigned to any data that is linked to political discussion in Cuba. Point. Click. Spy.

Can you protect yourself? Echelon Countermeasures.

There is no sure-fire data that I can put into this part of the article. No way I can assure that the methods covered will help to escape the Echelon system. Encryption seems to be the most effective way to bypass the scrutiny of the Echelon system and still be able to communicate electronically. If your data travels via any of the ways I discussed in the above article, you are a target of Echelon listening posts. Most likely, you will be overlooked. And no matter what you say or type, it is highly unlikely that it will ever come back to haunt you because of actions taken by somebody at Menwith Hill or its counterparts. Face it, you're not important. The Echelon system must log millions of gigabytes of data every day. After filtering, this is considerably reduced. But the sheer number of flags being triggered in everyday conversation is staggering. Too much to be processed and read word for word. If you are a drug lord, a presidential assassin, a terrorist, a terrorist sympathizer, or an enemy political figure you may have cause to fear the Echelon deities. However, if you are a drug lord, or any of the things above, here are a few methods I would suggest to evade the network and jail, prison, execution, or whatever it is that you may have faced if I did not write this informing article.

-Common Sense. Consider nothing private. Ever.

-Method of Communication. If you wish to discuss something major and you can do it in person, do it. There is no reason to open yourself up beyond what everyday life exposes you to. Think of all the ways you can discuss whatever it is you're hiding before you send off that email. Try to avoid using any mediums that require open-air transmission of your data, and this does include most of the Internet.

-Encrypt. If you MUST discuss something private over the Internet, encrypt the data. Use real encryption, then use older and/or weaker algorithms over that. Automated decryption will break the top layer and assume the crypto wasn't broken at all. This should be under common sense. Any data you send over the phone lines or network systems is vulnerable to Echelon, hackers, idiot sysadmins, and of course your own family, friends, etc. I suggest Pretty Good Privacy. And remember, you can always code your data into a .GIF picture or another binary, which is called stego (http://www.stego.com). But do not rely on security through obscurity. It's always better to encrypt.

If Echelon isn't watching, we probably are.
(c)1999 PhoneTap [Phone Punx]

Cyberpunk Culture by Mohawk

-Review: Tom Clancy's Netforce

I was in the video store a few weeks ago and I saw Tom Clancy's Netforce. I was amazed when I read the back of the box. FBI vs. organized crime and everyone's a computer geek using the Internet to further their own goals. Sounds pretty damn cool to me. Then I thought, why are there only two copies of this new release and why haven't I heard a thing about it? Then again, they only had two copies of Strangeland and that's my favorite movie, so I got it anyway. It had to be one of the worst movies I've ever seen. Not only is it bad, it's long. The whole computer-geeks-using-the-Internet stuff gets old really fast and they don't really do a lot with it. I've never read anything by Tom Clancy (I don't really read books at all), but I know that he's really popular.
From the people I talked to, his book is a hell of a lot better than the movie and they are surprised he let his name be attached to it. While some of the people in the movie do some "hacking", it really isn't an issue and there are no real hackers in the movie. Basically, it reminds me of a really bad movie of the week, combining the same stupid crime drama we've seen a hundred times before, with computers thrown into the mix for good measure. I wouldn't even recommend renting it. Just don't waste your time watching this movie unless you're getting paid for it. Instead of hitting the premium channels, it made its debut on the Sci-Fi Channel, so you could probably catch it on there. If you've seen it and you think I'm way off with this review, please email me and let me know what you liked about it.

-Hackers, Phreakers, and the Media

The MTV special, True Life: Hackers, aired in October. A lot of people, including myself, knew it would suck and of course it did. I'm sure most of us have seen it or have at least read about it. The show accomplished nothing and a lot of people are feeling the negative impact. I've heard of a ton of backlash and hatemail going to the people involved in the show, namely Shamrock and Mantis. This led Shamrock to issue a press release to Hacker News explaining his actions. According to him, it was all a hoax gone wrong. Most people think he's just saying that because of all the hatemail he got. Parse has yet to hold a show since the special. Personally, I don't really care what's going on. Whatever the case may be, a lot of people are pissed off. I've been saying for years that MOST of the media sucks and that you should be careful when you deal with them. The funny thing is, some of the people saying not to deal with the media are the biggest media whores ever. The H/P scene has been way out of the underground for years. We can no longer ignore the media. Becoming isolationists will only feed the hysteria and misunderstanding that makes up the public's image of hackers. While the public may never fully understand the H/P scene, that is no reason not to try. If you ever have a chance to talk to someone in the media or express yourself in some sort of media outlet, you should make an effort to let the public know that the H/P scene is as diverse as the world itself.

While speaking with the media, be careful what you say. ANYTHING can be edited and taken out of context. Some of the PPN staff know first hand about that. I suggest getting everything in writing. Tell them that they are not to edit things you say to make it seem like you're saying something else. Remember to get it all in writing. This way, you can take action against them if they go against it. I would also suggest that you do some research on the people you're dealing with. Have they dealt with the H/P scene before? What was the outcome? It's important to check their track record. Look at some of the other stories they've done and see how they present different subjects. If everything checks out, proceed with caution. Think with your head and not your ego.

Out of all the scumbags in the media, one really kick-ass person is Lydia Zajc of Reuters. Her article "Smashing The Stereotype Of The Villainous Hacker" was such a great article that I felt compelled to email her and thank her. She got back to me a few days later, thanked me for the letter, and talked about some other stuff I mentioned in my letter. I was really amazed that someone at Reuters would write an article like that. That proves that the media and hackers both have stereotypes to which there are important exceptions that we all should keep in mind.

-Using what you know

Most of us have to go out and get a career sooner or later. I've talked about this before, but it's important to think about your future. I know you've all heard it over and over again from people that probably don't care about what you think. I've been through the whole process and can speak from experience. However, if you already have a career you should still read this article; it may help you out.

No matter how young you are, it's never too early to start thinking about your career. Do you really like the H/P scene? Is it your passion? Then you should continue with it. Some of you amaze me with how much you know and the devotion you have to the scene. That type of knowledge and devotion should be put to good use. While you may not be able to get a job where you can actually hack or phreak something, you can still probably get a job where you'll be able to exercise the skills that you've accumulated over the years.

Throughout the entire time before you start your career, you'll hear tons of people trying to tell you what you should do. The thing is, only you should decide what you should do for the rest of your life. While some money is always good, the most important thing should be your happiness. I'd rather do a job that I love than get a job for more money that I hate. You should enjoy work, not dread it. It should be your passion. If not, you probably won't get anything out of it. You might make more money, but you'll be so stressed out from work that you'll still be unhappy with your life. Don't let anyone tell you that you can't do it. You can do anything you want. You may really have to push yourself, but you can do it.

Like I said before, it's never too early to start. You'll probably change your mind several times from the time you start until the time you start your career, but it will still help you. You'd be amazed how many people are in college and graduate school and they still have no clue what they are going to do. They're just going to school killing time and money. Parents, teachers, guidance counselors, etc. don't know anything, well, most of them anyway. They like to think that they are more knowledgeable because they are older and are in a position of authority. You should do your best in all your school work and not screw around. College students especially screw around all the time. Even if you go into advanced schooling, it'll go by really fast. You have the rest of your life to screw around. Likewise, you'll have the rest of your life to deal with the decisions you make during your school years.

So how do you find the career of your dreams? First decide what you're interested in. Whether it's the phones, computers, or something else, you can find information on any type of career on the Internet. The amount of information you have available to you is insane. I wish I had it years ago to help me out. I made it through OK, but the Internet would have saved me a lot of time. You can find a job, do research on companies, research careers, find out what schools to go to, etc. I also suggest you email some people in the field you want to go into. Ask them any questions you may have about the career field they're in.

Once you decide what you want to do, you'll want to think about what school you want to go to. The better your grades are, the more of a choice you'll have. There are a ton of factors that go into picking a school. I'm not going to go into them here. Whether you're picking out a college or graduate school, don't rely on your guidance counselors/advisors. They may be helpful, but they may also be clueless as to what you need to do to get into school. Depending on where you go and for what, the application process may be lengthy. I suggest you stay a step ahead to avoid any problems.

Even if you don't want to go into the telecommunications/computer industry, you can still apply your H/P knowledge to whatever field you choose. For example, if you go into law enforcement, you can use what you know about the H/P scene and specialize in computer-related crime. Since you know about the culture of hackers, and not just their methods, you'll have an advantage over your colleagues. With the way phones and computers will continue to impact our lives, the ways you can use your H/P knowledge in any field will continue to grow. Also, don't be afraid to make up your own career. It may be a little difficult, but don't be afraid to be innovative. Just because it doesn't exist, doesn't mean you can't create it. If you have any unique career advice or if you have any questions, feel free to email me.

-Free Internet update/What isn't free?

Last issue I told you about Alta Vista's free Internet access. It has since been released over the Internet. Which is kind of strange. Free Internet access, but you need Internet access to get it. I haven't heard a lot about it since its debut. No one seemed to really care. There are a few other free ISPs out there, but Alta Vista is the only one that offers service in my area. There are a lot of busy signals and the connection speeds are pretty bad. I doubt this will have an impact for a while. They are still undecided if they will release the software on CD. Once they do that, I'm sure a lot of new people will sign up. I like the ad bar though. You can customize it to bring you weather, scores, news, stocks, etc. It's pretty cool and it's not that annoying. It's handy to have an account in case your primary ISP is down. As I predicted, there is no security check, and anyone can provide false information and have unrestricted Internet access. Right now, people that need to have anonymous Internet access already have their means of doing so, but this will probably invite more people to commit crimes over the Internet. It should be interesting to see where this leads in the next year. I'm sure it will have some sort of major impact over time.

Internet access isn't the only thing that is free lately. Free long distance and voicemail are becoming very popular. Some industry analysts expect long distance to be free sooner or later. I have already seen H/P articles describing security hole exploits of these free services. I suggest you use these exploits while you can, but do it in moderation. If you do it too much, it will get killed off. It seems everything will be free eventually, as long as you listen to/view ads and give out personal information. It seems that these companies don't think of any security issues in the rush to get the service out there to the people. The easier you make breaking the law, the more people will do it. Free services may be really cool, but they may also be inviting trouble.

-Business Convention Tips

In October I attended Fall Internet World 99 in New York City. I've been to all different types of conventions and expos so I thought I knew what to expect. I was dead wrong. It's only been a few years since Al Gore invented the Internet (sarcasm!), but the growth of the industry is just insane. I've never seen so many people and businesses crammed into one place. Everyone had a cell phone attached to their head. Most of the business people there were pretty dumb though. They only know how to pitch a sale to you and can't answer technical questions. I tried to ask the MapQuest people a few questions related to my CLLI article from last issue and they looked at me like I was nuts. They had no clue what I was talking about. There were some really cool presentations though. All in all, I had a good time and I walked away with a ton of freebies.

If you find yourself going to a business con, there are a few things to keep in mind. Find the website of the con and try to do some planning. Figure out who you want to talk to, and where they're located. If you only have one day at the con, budget all your time; it'll go by fast. If there are any keynote speakers you want to check out but you miss them, you might be able to watch them elsewhere.
Zdtv.com had all the FIW99 keynote speakers on their website. You can get some really cool freebies at cons. I walked away with more stuff than I could carry. I had to drag my bags around by the end of the day. Don't be afraid to ask for stuff from people. I got about 5 shirts from people that weren't really giving them out, but had a few to spare. The smaller, unknown companies give out better stuff than the larger companies. You can meet some cool people at a business con and learn a lot of stuff, but some cons are just so crowded and filled with people that just want to sell you stuff. In that case, you should just resort to getting as many free things as you can.

Letters
Answered by Mohawk and Seuss

From: A lot of different people
Do you know X about ?

>We get a lot of letters about H/P topics in other countries. Everyone on the staff lives in the US and we don't know a lot about other countries' systems. There's an H/P scene in most countries, so I suggest you find a person/site from your country or the closest thing to it.

From: Y.G.
I need any available (which is probably a lot, judging by the stuff you've got on your site...) information about programming the NOKIA 6100 Series phones. Thanx

>Hacking Nokias has turned into a subculture all its own, and there are a slew of websites on it. We have several people researching Nokias right now, and with any luck their findings will make it to the next issue.

From: TOURNEYPLAY
I also know that phone companies push three numbers that tell you what your phone number is. Please tell me. I have Bell Atlantic. Thankz

>You're looking for your ANAC number. The number changes from place to place, but either 990 or 958 should work.

From: CAT
Hi, just learning here. Any articles or advice on obtaining private voice mail passwords in a home? I read about war dialers. This would be long distance - 400 miles away. GTE passwords can be up to 13 numbers long -- jeeez! Not much written or addressed on this subject. Thanx

>Let me get this straight. You want info on hacking VMBs. Have you looked? Every other phone phreak in the world has written something about VMB hacking. Perhaps you should set your sights on a system other than GTE.

From: prestochango
Hello there, I'm very much interested in VMBs. What I'm looking for are VMBs of any media companies such as MTV, ABC, Fox, AP, NBC, USA Today, etc. I'm also looking for VMBs of any major companies. I currently have thousands of accounts on dozens of systems, and would like to set up a trade with you guys, if you have what I'm looking for.

>Where on the site did you even get the idea that we would ever do that? You do realize that you are breaking the law. I wouldn't suggest you mess with corporations. Thousands of accounts? I can understand finding out security holes in certain systems, but what does trading stolen VMB accounts have to do with phreaking? All you're doing is theft.

From: Jackie
Where can I find listings of unlisted numbers and cell phone numbers??

>Customer Name and Address lookups. For cellphones, try and hunt down who hooked it up, and bug them.

From: Peter
I have recorded the tones of a quarter onto a recording machine. I went to a payphone at work and tried it. It did not work. I am thinking that they may be COCOT phones. But they look like pay phones. What do you think?

>I refuse to answer red box questions. That subject has been beaten to death several times over and it doesn't have much to do with phreaking. As far as COCOTs go, it should be pretty easy to tell. Look at who owns the phone. If it's your RBOC, then it's a Bell phone. If it says some other company, whose address is usually a PO Box, then it's a COCOT.

From: Sirkuit Wh0re
Hey, I saw the Phone Punx page for the first time today and I just wanted to extend my appreciation for the message you put forth. You're damn right about the scene being screwed up.

>Thank you. I am glad that someone appreciates what we do. Getting simple letters like this means so much to all of us. We work really hard to bring you the best content we possibly can and letters like this are our only payment. We really appreciate your letter.

From: TT
Hey, good article on DATUs in issue 2 of PPN. I'm a Lucent installer in California, and finally got the DATU number and password. It helps out SO much in my day-to-day work. Pac Bell is making us do so much of their work lately; they don't even show up when a customer is adding lines to their systems, so the high-level tone has saved me many times in finding the binding post at the MPOE. Also have found that you can enter any number in the prefix served by the DATU, including non-working numbers and DID numbers. When you get to the Audio Monitor part of the test, you will hear a distinctive continuous tone if the number is non-working, and a clicking if it is a DID number. Good work on the 'zine. I look forward to future issues.

>Thanks for the letter. It's great to hear from someone in the telecom industry. I always wondered what a professional would think of the zine. Thanks for the tip. Hope you enjoyed this issue. I'd like to hear from other professionals. Email us if you work in the telecom industry.

From: Pete
PPN, it's really great to FINALLY find a site that has updated, useful information. I've been interested in phones since I first read about Cap'n Crunch years ago, but got really discouraged only finding way outdated files - blueboxing, pre-ESS info, other 'golden age' info. PPN has been a great 'teacher' for me. I'm still in the gathering info stage, haven't tried much yet. I'm actually more into learning the practice than maliciously using it - of course it is sometimes necessary to field test, and field work is the ONLY way to learn more and keep up to date. I think I have the basic works on how calls are made, how they get from point A to B and the systems used.
But, I have run into a few questions and things that need clarifications: PBX's seem to be the easiest way to get LD calls through, but sometimes the least interesting way - brute-force the code and you're in. Are there ways to phreak like you used to in blue-boxing -i.e. linking to many different trunks and cables/satellites etc.? I may have completely missed something in my reading, if so yell at me and tell me what article of yours to check. I found your site totally by chance, just got a book, "Steal this computer book, what they won't tell you about the internet" by Wallace Wang. Its an awesome book that brings out all aspects of computers and undergrounds - he does it in a third person view that doesn't look down on or put people on pedistals, just tells it how it is and lets you do what you want with the info. Anyway in the past week I've grabbed all of your texts and now have a brain cramp from info overload! Any help you can lend would greatly be appreciated. Thanks again for the site. Its the first one that seems to be out to help out not only experienced people but even the beginners. How do I get on the mailing list? Thanks >Thanks for the letter. It's great to hear about how we've helped you. We try to update everything as often as possible. Were only on issue three and I'm already planning on updating the last two issue. One day I might get around to updating OCPP but it's not really a priority. I'm glad you're not into the malicious aspect of phreaking which is usually just blatant law breaking and not really phreaking. Telephone companies have really been cracking down on long distance fraud and there's nothing unique I can think of that hasn't been written about a hundred times. I'll have to check out that book, thanks. If you're just beginning, I suggest you read my newbie article in this issue. I suggest downloading all the texts and such you can right away. H/P sites come and go pretty fast sometimes. However, take your time reading them. 
The FAQ should help you out a lot. You have all the time in the world to learn about phreaking. Don't get discouraged from your mistakes, we all make them. Just learn from them and move on. To get on the mailing list, email ocpp@hotmail.com. From: Lydia Zajc Hello Mohawk! Thanks so much for e-mail -- it was very, very kind of you to take the time to write. I originally wrote another article before the one you read, and attempted to get in touch with some hackers for a more balanced perspective. The hackers all e-mailed back, but it was too late. So, I thought they deserved a story of their own. I don't think it was brave of me to write about them; really I think it's harder for them, and for you, to speak up and expose yourselves to scrutiny in order to round out a stereotype. Cheers, Lydia Zajc >This was in response to an email I wrote to her thanking her for writing such a great article. This just reinforces how cool she is and the respect I have for her. Copyright 1999 Phone Punx Network. Feel free to distribute this issue however, do not modify this file in any way. All issues are free and are not allowed to be sold in any form. If you are selling issues you can only charge what it cost to reproduce them. Keep the information free. All works are owned by the PPN and/or the authors of the article. If you feel that you own the copyright to a work printed in this issue and have not given the permission of the author to republish it, please email us.