NAb1OO1LM AYVM!

N1b
HIhO8IOOI8O!Pm8IOd8m
ANOA1LLYLL!M1O !N1
H Pu8I8I8

5NDY1RFAYFHN FH151: 2600 FAYFHN5,

FX,%1DDL15LAND,NYTT53.
2600 (ISSN 0749-3851) is published quarterly b 2600 Enerprises In., 7 Strong's
Lan, Setaukt, NY 11733. Second clss postage permit paid at Setaukt, New York.
POSTMASTER: Send adress changes to
260, P.O. Box 752, Middle Island, NY 1 1 953-0752.
Copyright (c) 1 990, 260 Enterprises, Inc.
Yearly SUbscrpton: U.S. ad Caaa -- $1 8 individual, $45 corprate.
Overseas $30 individual, $65 corprate.
Back issues available for 1 984, 1 985, 1 986, 1987, 1988, 1 989
at $25 pr year, $30 pr year oversea.
ADDRESS ALL SUBSCRIPTION CORRESPONDENCE TO:
260 Subscription Dept., P.O. Box 752, Middle Islad, N 1 1 953-0752.
FOR LETTERS AND ARTICLE SUBMISSIONS, WRITE TO:
2600 Editorial Det., P.O. Box 99, Middle Island, N 1 1 953-099.
NETWORK ADDRESSES: 260well.sf.ca.us, 26Odasysl.UUCP.
2600 Ofice Line: 516-751-260,2600 FAX Line: 516-751-268
lV YlV Vl1Ll^
A year ago, we told the stories of
Kevin Mitnick and Herbert Zinn, two
hackers who had been sent to prison. It
was then, ad still is tody, a very disturb
ing chain of events: mischief makers and
explorers imprisoned for playing with the
wrong toys ad for aking too many ques
tions. We said at the time that it was
important for all hackers to stand up to
such gross injustices. After all, they
could't lock us all up.
It now appears that such an endeavor
may indeed be on the agendas of some
very powerful U.S. govermental agen
cies. And even more frightening is the
realization that these agencies don't partic
ularly care who or what gets swept up
along with the hackers, as long as all of
the hackers get swept up. Apparently,
we're considered even more of a threat
tha we had previously supsed.
In retrospect, this doesn't come as a
great deal of a surprise. In fact, it now
seems to mae all too much sense. You no
longer have to be paanoid or of a particu
la political mindset to pint to the many
parallels that we've all been witesses to.
Censorship, clampdowns, "voluntary"
urine tests, lie detectors, handwriting aal
ysis, surveillance cameras, exaggerated
crises that invariably lead to curtailed free
doms .... All of this together with the over
all view that if you're innocent, you've got
nothing to hide. And all made so much
more effective through the magic of high
tech. Who would you target d te biggest
ptential roadblock if not te people who
underst and the technology at work? It
appears the biggest threats to the system
are those capable of manipUlating it.
What we're about to tell you is fright
enng, plain ad simple. You don't have to
be a hacker to understand t. The words
and ideas are easily translatable to any
time and ay culture.
Crackdown
"We can now expect a crackdown o . .!
just hope that I can pull through this one
and that my friends can also. This is the
time to watch yourself. No matter what
you are ito .... Aparently the goverent
has seen the last straw in their point of
view .... I think they ae going after all the
'teachers' ... and b that is where their ener-
Sprng 1990 2600 Magazne Page 3
gies will be put: to stop all hackers, ad
stop people b ef or e they can become
theats."
This was one of the reactions on a
computer bulletin bad to a series of raids
on hackers, rad tat had sted in 1 989
and spread rapidly into early 1 990.
Atlanta, St. Louis, and New York were
major tagets in what wa then an undeter
mined investigation.
This in itself wouldn't have ben espe
cially alaming, since raids on hackers ca
almost be defined db ",ommonplace. But
this one was different. For the very first
time, a hacker newsletter had also been
shut down.
Ph rack was an electronic newsletter
published out of St. Louis and distributed
worldwide. It dealt with hacker and phone
phreak matters and could be found on
nearly all hacker bulletin boards. While
deaing with sensitive material, the editors
were very caefl not to publish ayting
illegal (credit cad numbers, passwords,
Sprint codes, etc.). We describd "Phrack
"Apparently, we're
considered even more
of a threat than we had
previously supposed."
World News" (a regular column of
Phrack) in our Summer 1 989 edition a "a
must-read for many hackers". In many
ways Phrack resembled 2600, with the
exception of bing sent via electonic mail
instead of U.S. Mail. That distinction
would prove to b Phrack's undoing.
It now tr out that all incoming and
outgoing electonic mail used by Phrack
was being monitored by the authorities.
Every piece of mail going in and every
piece of mail coming out. These were not
piated mailboxes that were beig used by
a couple of hackers. These had been
obtained legally through the school the
lH YlH
two Phrac k editors were attending.
Privacy on such mailboxes, though not
guaranteed, could always be assumed.
Never again.
It's fairly obvious that none of this
would have hapened, none of tis could
have happened had Phrack been a non
electonic magazie. A printed magazine
would not be intimidated into giving up its
mailing list as Phrak was. Had a pinted
magazine been shut down in this fashion
after having all of their mail opened ad
read, even the most thick-headed sensa
tionalist media types would have caught
on: hey, isn't that a violation of t First
Amendment?
Those media people who understood
what wa hapening ad saw the implica
tions were very quickly drowned out in the
hysteria that followed. Indictments were
being haded out. Publisher/editor Craig
Neidorf, known in the hacker world as
Knight Lightning, was hit with a seven
count indictment accusing him of partici
pating in a scheme to steal information
about the enhanced 91 1 system run by
Bell South. Quickly, headlines screamed
that hackers had broken into the 91 1 sys
tem ad were interfering with emergency
telephone calls to the police. Oe newspa
per reprt said there were no indications
that ayone had died or been injured as a
result of the intrusions. What a relief. Too
ba it wan't tre.
In actuality there have been very
grievous injuries suffered as a result of
these intrusions. The intrusions we're
referring to are those of the goverment
and the media. The injuries have been suf
fered by the defendants who will have
great difficulty resuming normal lives
even if all of this is forgotten tomorow.
Ad if it's not forgotten, Craig Neidorf
could go to jail for more tha 30 yeas ad
be fined $ 1 22,000. And for what? Let's
look at the indictment:
"It was ... part of the scheme that
defendan Neidorf utilizing a comuer at
Page 4 2600 Magazine Spring 1990
LYP1llU
the University of Missouri in Columbia,
Missouri would and did receive a copy of
the stolen E911 text fle from def endant
[Robert J.] Riggs [loated in Atlant a and
kown in the hacker world as Prophet)
through the Lkort [Illinois) comuter
bulletin board system through the use of
an inerstate computer data ntwork.
"It was further part of the schem that
defenant Neidrf would and did edit an
retype the E911 Practice text fle at the
request of the dfendant Riggs in ordr to
conceal the source of the E911 Practice
tet file - and to prepare it for publication
in a comuter hackr newsletter.
"It was further part of the schem that
defendant Neidorf would and did transfer
the stolen E911 Pratice text fle through
the use of U inerstate couter bulletin
board sstem used by defenant Riggs in
Lockort, Illinois.
"It was further part of the scheme that
the defenans Riggs and Neidorf would
publish inf ormation to other computer
hackers which could be used to gain
unauthorized access t o emergency 911
computer systems in the United States
and thereby disrut or halt 911 service i n
portions of the United States."
Basi cal l y, Nei dorf is being charged
with receiving a stolen document. There i s
nothing anywhere in the indictment that
even suggests he entered any computer
illegaly. So his crimes are receiving, edit
ing, and transmitting.
Now what is contained in this docu
ment ? Informati on about how t o gai n
unauthorized access t o, disrupt, or halt 91 1
s ervi ce? Hardly. The document (erro
neously referred to as "91 1 software" by
the media which caused all knd of mis
underst andi ngs) is quoted i n Phrack
Volume 2, Number 24 and makes for one
of the dullest aticles ever to appar in the
newsletter. According to the indictment,
the value of tis 20k doument is $79,49.
[See related story, page 37]
Short l y after the i ndi ct ment s were
haded down, a membr of the Lgion of
Doom kow d Erik Bloodaxe issued a
public statement. "[A group of three hack
ers] ended up pulling files off [a Souter
Bell system] for them to look at. This is
usually standard procedure: you get on a
system, look around for interesting text,
buffer it, and maybe print it out for pster
ity. No member of LOD has ever (to my
knowl edge) broken into another system
and used any information gained from it
"They are going after
all the 'teachers'."
for personal gain of any kind ... with the
exception of maybe a big bost in hi s rep
utation aound the underground. [A hack
er] took the documentation to te system
and wrote a file about it. There are actual
ly two files, one is d overview, te oter
is a gloss ary. The information is hardly
something anyone coul d poss ibly gain
anything from except knowledge about
how a certain apet of te telephone com
pay works. "
He went on to say tat Neidorf would
have had no way of knowing whether or
not te file contained proprietary informa
tion.
Prosecutors refsed to say how hackers
could benefit from the information, nor
would they cite a motive or reveal any
actual damage. In addition, i t's wi del y
spcul ated that much of this information is
readily available as reference material.
I all of the indictment, te Legion of
Doom i s defined as "a closely kit grou
of computer hackers involved in: a) dis
rupting telecomunications by entering
comput eriz ed telephone switches and
changing the routing on th circuits of the
comuterized swit ches; b) stealing pro
prietar comuter source cod a infor
mation from comanies and individuals
that owned the code an informaion; c)
Spring 1990 2600 Magazine Page S
stealing and ndifing credit inormation
on individual s mai nt ai ned i n cr edit
bur eau comput er s; d) f r audulent ly
obtaining nne an property fr om com
panies by altering the comuterized infor
mation used by the companies; e)
disseminting informtion with r espect to
their methods of attacking comut ers to
other computer hackers i n an effort t o
avoid the focu of law enforcemn agen
ci es and t elecommunicati on security
experts."
Ironically, since the Legion of Doom
isn't a closely knit group, it's unlikely tat
anyone will b able to defend te group's
name against these chages ay defen
dants will naturally b preoccupied with
their own defenses. (Incidentally, Neidorf
was not a part of te Legion of Doom, nor
was Phrack a publication of LOD, as ha
been reported. )
The Hunt Intensies
After leang of te Phrack electonic
mail surveillance, one of the system opera
tors of The Phoenix Project, a computer
bulletin board in Austin, Texa, decided to
take action to protect the privacy of his
users. "I will be adding a secure encryp
tion routine into the e-mail in the next 2
weeks - I haven't decided exactly how to
"All incoming and
outgoing electronic mail
used by Phrack was being
monitored by the
authorities. "
impl ement it , but it 'l l l et t wo peopl e
exchange mail encrypted by a password
only known to the two of tem . . . . Anyway,
I do not think I am due to be busted . . .!
don't do anything but run a bard. Still,
there is tat pssibility. I asume that my
lines ae all tapped until proven oterwise.
lV YlV
There is some question to te wisdom of
leaving te bard up at all, but I have per
sonally phoned several goveent inves
tigators ad ivited them to join us here on
te bad. If I bgin to feel tat the boad
is putting me in any kind of danger, I'll
pull it down with no notice - I hope every
one uderstands . It looks like it's sweeps
time again for te feds. Let ' s hope all of us
are still around in 6 monts to talk about
it. "
The new security was never impl e
mented. The Phoenix Proj ect was seized
withi days .
And the clampdown intensified still
furter. O March 1, the offices of Steve
Jackson Games, a publishing company in
Austin, were raided by the Secret Service.
According to the Associated Press, the
home of the managing editor was also
searched. The police and Secret Service
seized books, mauals, computers, techni
c al equipment, and other documents.
Agents also seized the final draft of a sci
ence fction game written by the company.
According to the Austi n Amer i can
Statesman, the authorities were tying to
determine whether the game was being
used as a handbok for computer crime.
Callers to the Illuinat i bulleti board
(run by Steve Jackson Games), received
te following message:
"Before the stat of work on Mach I,
S t eve Jackson Games was vi si ted by
agents of te United States Secret Service.
They searched the building thoroughly,
tore opn several boxes in te warehouse,
broke a few locks, and damaged a couple
of fling cabinets (which we would gladly
have let them examine, had they let us into
te building), answered te phone discour
teously at best, and confiscated some com
puter equipment, including the computer
that te BBS was rnng on at te time.
'So fa we have not received a clear
explaation of what the Secret Service wa
looking for, what they expcted t o fnd, or
much of anyting else. We are fairly cer-
Page 6 2600 Magazine Spring 1990
Hl11L1lP
tain that Steve Jackson Games i not the
taget of whatever investigation is bing
conducted; in any case, we have done
nothing illegal ad have nothing whatso
eve to hde. Howeve, te euipment tat
was seized is apaently considered to b
evidence in whatever they're investigat
ing, so we aen't likely to get it bak ay
time soon. It could be a month, it could b
never.
"To minimize the pssibility that this
system will be confiscated as well, we
have set it up to display this bulletin, and
that's all. There is no message bae at pe
sent. We lplogiz for the inconvenience,
and we wish we daed d more than this."
Apparently, one of te system opra
tors of The Phoeni Pr oject wa also affil
iate with Steve Jackson Games. And tat
was all the authorities needed.
Raids contiued throughout the country
with reprt of more than a dozen bulletin
boards being shut down. In Atlanta, the
paprs reported that tree loal LOD hack
ers faced 40 yeas i prison and a $2 mil
lion fne.
Another stateent from a Legion of
Doom member (he Mentor, also a system
operator of The Phoeni Pr oject) attempt
ed to explain the situation:
"LOD wa forme to bing togeter the
best minds from the computer under
ground - not to do ay damage or for pr
sonal profit, but to share expriences and
disCUS computig. The goup ha always
maintained the highest etical standards ....
On may ocaions, we have acted to pre
vent abuse of systems ..o . I have known the
people involved in this 9 1 1 case for may
years, ad there was absolutely no intent
to interfere with or molest the 9 1 1 system
in any maner. While we have occasional
ly entered a computer that we weren't sup
posed to b in, it is grounds for expulsion
from the group and social ostacism to d
any damage to a system or to attempt to
commit fraud for prsonal profit.
"The biggest crime that ha been com-
mitted i that of curiosity .... We have be n
instrumental in closing many security
holes in the pat, and ha hopd t contn
ue to do so in te ftue. Te list of com
puter security people who count us as
0 member of LOL
has ever broken into
another system and used
any inormation for per
sonal gain."
allies i long, but must remain aonymous.
If ay of them choose to identif them
selves, we would appreciate te suprt."
And The Plot Thickens
Meanwhile, in Lockport, Illinois, a
strange tale was unfolding. The public
UNIX system known as lolnt that had
been used to transmit the 9 1 1 files had
also ben seized. What's particularly odd
here is that, according to the electronic
newsletter Telecom Di gest, the system
oprator, Rich Andrews, ha been coopr
ating with federal authorities for over a
year. Andews found the files on his sys
tem nearly two yeas ago, forWarded tem
to AT&T, and wa subsequently contacted
by the authorities. He cooperated fully.
Why, then, was his system seized as well?
Andrews claimed it was all part of the
ivestigation, but added, "One way to get
[hackers] is by shutting down the sites
they use to distibute stuff."
The lolnl raid caused outage in the
bulletin bard world, particularly among
administrators ad users of public UNI
systems.
Cliff Figallo, system administator for
The Well, a public UNIX system in
California, voiced his concern. "The
assumption that federal agents ca seize a
system owner's equipment a evidence i
spite of the owner's lack of proven
involvement in the alleged illegal activi-
(cao/|oac4aogc34)
Spring 1990 2600 Magazine Page 7
H 5C15
by The Q
MIZAR is a Bell system used by the
RCMAC ( Recent Change Memory
Administration Center), also known as
the CIC in some areas. Its purpose is
to process Recent Change Messages.
Before we go into more detail, we will
need to familiarize you with some
terms.
First off, every Central Office (Wire
Center, End Office, whatever) houses
one or more switches, whether elec
tromechanical, electronic (analog), or
digital. Each switch is respnsible for
controlling various aspects of tele
phone service for one or more (usually
more) exchanges. Switches in gener
al can be classified into two main
types: mechanical and SPCS. Thusly,
SCC's (Switching Control Centers) are
divided into separate branches. There
%/Z /3 d
/D|l|033 CDOld/O/OQ
d w0dl|| O
|03OU|C03.
are the E & M SCC (electromechani
cal) and the SPC SCC, which handle
Stored Program Control Switches.
The latter are computer controlled by
software, whether they are older ver
sions such as the 1 or 1 A ESS (which
use crossbars to complete calls) or
digital switches such as the 5ESS or
OMS100. Henceforth in this article,
we will refer to SPCS switches as
"electronic" switches, whether analog
or digital.
Basically speaking, a switch's
memory can be thought of in three
main parts: Call Store (CS), Program
Store, and Recent Change. In gener
al, a Recent Change Message is a
batch of commands which tell the
switch to perform an action on a facili
ty (a TN, an DE, TRKGRP, etc.) The
Program Store can be thought of as
"ROM" memory. This program con
trols things behind the scenes such as
interpreting and processing your cm
mands, etc. Usually at the end of the
day, Recent Changes which were pro
cessed that ,day are copied into the
Call Store, which is a permanent
memory storage area, somewhat
" finalizing" the Recent Changes
(although they could always be
changed again). The 5ESS is similar
to this, though i has many operational
differences in processing Recent
Changes, and Recent Changes are
called " SERVORO's" on OMS
machines and go into tables when pro
cessed.
Now that you are somewhat famil
iarized with some basic terminology,
we will proceed in describing the oper
ation of the MIZAR system. Like we
said earlier, MIZAR processes Recent
Change Messages (orders), which can
be computer generated (by COSMOS,
FACS flow-thru, etc.) or manually
entered by the CIC. CIMAP (Circuit
Installation Maintenance Assist
Package) is a SUb-system used by
both the frame technicians and CIC.
"CIMAPs" are primarily generated for
new connection (NC) type orders. At
the CIC there are three main types of
orders processed: changes on a facili
ty, snips, and restorals. Changes
could be, for instance, modifications of
line attributes. Snips are complete
Page 2600 Magazine Spring 1990
.ZAH
disconnects (CD's) which must be car
ried out on a switch in order to com
plete a CD type order. "Snip" is < term
referring to what was done at the
frame, i.e. a cable and pair's termina
tion at the CO was snipped from the
frame, hence a disconnect. "Restoral"
is just the oppsite of a snip. A cable
and pair is being "restored", i.e. recon
nected to the frame, and must now be
activated at the switch and will hence
be in-service once again.
On the average, a single MIZAR
system_handles Recent Change pro
cessing for about 20 switches (and it
can handle more than that).
Every day, MIZAR logs into COS
MOS automatically, usuaily at the end
of the day, to retrieve Recent Change
Messages which must be carried out
in order to complete a pending service
order. COSMOS takes a service
order, and based on what is required,
is able to generate an RCM from its
tables in lusr/rcmap (on PDP-11's) or
Icosmos/rcmap (on 3820S or
Amdahl's) which provides COSMOS
with information concerning what type
of switching equipment is associated
with the wire center in effect and uses
these tables to create the RCM
accordingly. There are four main com
mands on COSMOS associated with
Recent Changes. They are: RCS (to
obtain a Recent Change Summary),
RCR (to obtain a Recent Change
Report), which would allow you to dis
play an RCM if one was associated
with a specific serice order (all based
on the filter options you specify for the
search), RED (Recent change EDitor),
which allows you to edit a Recent
Change Message pending, and lastly,
RCP (Recent Change Packager),
which generates an RCM for one or
more service orders to be processed
by MIZAR.
After MIZAR retrieves RCM's f rom
COSMOS, etc. it connects to t he
desired switch's recent change chan
nel and the message is processed on
the swit ch. MIZAR can connect to
switches in various ways, depending
The coupled power of
LLCNLC and a small
B!0y of switches to do
your bidding is d |/Cd-
sure worth its weight in
gold.
W
upon its configuration. Switches may
be accessed on dialup lines, X.25, or
by dedicated hardwired connections.
Switches can be accessed for the pur
pose of manually processing service
orders with the ONS command. Once
on the desired switch, it would be
proper to utilize the RCM processing
servi ce provided through the MIZAR
software, which will cause the service
order to be properl y logged t o
MIZAR's swi tch log (locat ed i n
I tmp/ swXX. out, wher e XX is t he
numerical code assigned t o that
switch), so t hct all will be up to date
and accurate. However, if the RCM is
entered t|aight onto the switch with
out letting MIZAR's log know, then an
"unaccount ed for" RC will be pro
cessed wi thout ever bei ng logged
(except of course on the switch's roll
back). COSMOS can be manually
accessed wi th the ONC command.
Orders can bp queued and have their
statuses c heLked with t he
ORI/ORSNFY/etc. commands.
When one first logs into MIZAR it
Spring 1990 2600 Magazine Page 9
WHAJ.lZAH LA^
should be noted that the login would
be RCxx or RSxx, where xx repre
sents the account number belonging
to that specific RCMAC (CIC). For
example, RC01, RS02, etc.
Passwords, of course, could be any
thing within the standard Unix eight
character limit. After receiving a login
message, you will be prompted with
an "SW?" and a "UIO?". SW stands
for what switch you wish to be logged
in as (i.e. once logged in, any transac
tions would be reflected upon t hat
actual switch). Hitting "?" will provide
you with the list of switch identifiers
available. They can be two letters
(like on COSMOS) or more (which is
usually the case, as part of the identifi
er indicates t he type of electronic
switch).
The UIO must be a valid three leter
code which would authorize that par
ticular user to perform transactions
with the desired switch. Typical UIO's
to be aware of are "all" and "any"
which usually will work in conjunction
with any switch you try to log in under.
SW and U 10 must be provided for the
purpose of setting up environment
variables used by the MIZAR software.
This is done in your .profile.
The typical MIZAR user's com
mands are located in the path
/mms/mms (and are all three letters
long). It should be noted that CFS on
MIZAR is meant to be accurate and up
to date with COSMOS'.
Some useful MIZAR commands
are: MAR, which lists a MIZAR Activity
Report, telling you what MIZAR's up
to. MAB, Manually Adjust Blackout
periods, is an important cmmand. In
some areas, MIZAR classifies switch
es as being in a "blackout period" at a
cerain time late in the day (usually the
evening), as probably no one would be
on that late, or possibly work is being
done on the switch. Establishing a
blackout period disables normal users
from accessing a particular switch
from MIZAR. On the other hand, MAB
can be used to ENABLE a switch, and
remove it from th e blackout state.
However, the CIC usually closes at
6PM (sometimes staying open as late
as 9PM), and logins at such a late
time would be foolish as you may
jeopardize your future access. SOR,
for Switch Data Repor, allows you to
list out useful information about the
switches you specify - for instance,
the NPA and exchanges this particular
switch handles (including thousands of
groups of DID and IBN blocks), its WC
name on COSMOS, its configuration
as a FACS/SOAC machine, MIZAR's
times to call COSMOS, any preset
blackout periods, whether AIS or E911
is available to t he switch, all valid
UIO's for login to MIZAR, and user
names and/or passwords for switches
that require them (such as the 5ESS
or OMS100), as well as other useful
information. WCH ( Wire center
CHange) allows you to change to
another wire center (hence, further
transactions apply to that wire center).
As you may have noticed from this
aricle, MIZAR is a very useful system
indeed. It's a fortress containing a
weal th of resources. The coupled
power of COSMOS and a small army
of switch es to do your bidding is a
treasure worh its weight in gold.
This article was meant to familiarize
the reader with the MIZAR manage
ment system. We welcome any ques
tions you may have, and we will take
pride in providing further articles on
similar Bell systems and subjects, so
as to better inform the curious mind.
Bar Simpson is one rad dude.
Page 10 2600 Magazine Spring 1990
\
Opemona
_
m ` ,"..
U M$
.
As we went to press, the larges hacker raid in histor stared happning. There are't
many detils we CDgive you in this isue excpt to sy that this i. the first one we kno
of that h a O. 150 Seet Serice aget were involved and tes of thousnds of
disks have besize. This is all in addition to the raids spoken of elsehere in this
isue. Lok for more details on this in the summer issue. And fel fe to snd us
clippings from your loc! ppr .
These are the brain waves of a normal American teenager.
These are the brain waves of the same teenager after hacking.
When you hack, you're overusing YO!r brain
and are liable to fnd out things you shouldn't.
dlrAkYlkSdIrl0kAdACLlk-lkllAVlkICA
Sprng 1990 2600 Magazne Page 11
Here is an example of the truly
horrible activities the Legion of
Doom engaged in. An educational
aricle such as this is a mst dan
gerous weapon indeed, paricular
ly from the standpoint of those
who want the workings and capa
bilities of technology kept secret.
by Phantom Phreaker
and Doon1 Pmphet
Le
g
ion of Doom!
There have been many rumrs
and false informat ion going around
about ho w pho ne ph r eaks a re
cau ght for u sing blue boxes. The
purpose of t his article is to dispel
the rumors and myt hs circulat ing
about t his topiC.
When a pe r son a tt e mpt s t o
access the t elephone network wit h
a blue box, they first must have an
area t hat they can u se to gain
acce ss t o an in- band Sing l e
Frequency ( SF) t rnk. This is done
by dialing direct or through a l ong
distance service. At t he appropri
ate t ime, the person sends a 2600
Hz t one t hrou gh t he t el ephone
where it is registered by the termi
nat ing switching equ ipment as a
disconnect signal . The terminating
swit ch ing equ ipment o r t r u nk s
l eading to t his office will be reset if
they recognize the 2600 Hz tone.
The effect of doing t his i s a wink,
or an interrpt ion in circuit. A wink
is heard aft er t he person sends
2600 Hz, and it sounds l ike a quiet
"chirp" or sometimes a "kerchunk".
From here, the person can Signal
to a t runk with Mu l ti- Fr equency
toll ftaub
tones in specific formats, depend
ing upon what the user wished t o
accomplish. Each t ime t he u se r
sends 2600 Hz, t he t runk will be
reset and wil l send a wink back
toward the user. AT&T call s these
winks "Sho rt Su perv isory
Transitions" or SST' s.
I f a pe r so n' s cent r al o ffice
equipment is a Norhern Tel ecom
DMS swit ch or an AT&T ESS
swit ch, t he SST cau sed by t he
2600 Hz wil l be detected at t hat
office and an output repor will be
issued frm that specific switching
system. I n No. 1 and No. 1 A ESS
switches, these reports are called
SI G I RR r epo rt s, o r " SI Gnal
I rregularity" reports. They will be
output with the appropriate infor
mat ion rel ating to the subscriber
who initiated t he SST. A sample
SI GI r eport from a No. 1 A ESS
switch is included for an example.
* 32 SIG IRR 69 0 0 0 0 0 0
000 5551111 B8**3*BBBBBBBBB
We are u nfa mil iar wit h t he
details of these repors, but in t his
case, 555 1 1 1 1 seems to be t he
Direct ory Number t hat originat ed
t he SST. Su ffice it to say t hat
t hese report s do ex ist and t hat
they do help detect people trying
to use bl ue boxes. SIGI is a stan
dar d fe at u r e in a l l 1 A ESS
machines. We' re not su re about
No. 1 ESS, but nearl y all the other
ESS machines most l ikely have
SIGI or somet hing similar to it.
I n the case of NTl ' s DMS- 1 00
Page 12 2600 Magazine Spring 1990
switch, the feature is called
"BLUEBOX". The BLUEBOX fea
ture in OMS-100 is not standard. It
can be implemented only by telco
personnel activating it via a MAP
(Maintenance and Analysis
Position) channel. The OMS-100
repors are more detailed than the
1 A ESS repors, possibly due to
the fact that the OMS-100 switch is
much newer than the 1 A. OMS will
recogni?e the trunk wink and then
output a report. The system further
checks for the presence of M F
tones. If the MF tones are present,
and are followed by an ST Signal,
another report is then generated
by the switch. The calling number
and call ed number (in MF) can
then be recorded on AMA tape for
f urther investigation by security
personnel. In areas wi th past
instances of toll fraud (blue box
usage) and in major cities, it can
be assumed the BLUEBOX series
of features would be implemented.
In rural and small town areas,
there is less of a chance of this
feature being present. The plain
fact that this feature exists should
be enough to keep you from trying
anything foolish.
Since most electronic/digital
switching systems have provisions
in them to catch blue boxers, one
may wonder how to box safel y.
The safest method of blue boxing
would be to not let an SST show
up on your line. This can be
accomplished by boxing through a
long distance service via dialup
(Feature Group A or B). The only
catch is that the long distance ser
vice that you use must not send
back a wink when you attempt to
box over its network. If an FG-B
accessible trunk running from a toll
office to an alternate carrier's facil
ities recognizes your 2600 Hz tone
and disconnects, then SI GI or
BLUEBOX would indicate your
existence and you could be pun
ished for your crime. So, if you
must try such things, they are best
done from someone else's line or
from a coinphone.
STAFF
Editor-In-Chief
Emmanuel Goldstein
Artwork
Holly Kaufman Spruch
Photo Salvation
Ken Copel
Design
Zelda and the Right Thumb
Writers: Eric Corley, John Drake,
Paul Estev, Mr. French, The Glitch,
The Infidel, Log Lady, The Plague,
The Q, David Ruderman, Bernie S.,
Lou Scan non, Silent Switchman,
Mr. Upsetter, Violence, and the
faithful anonymous bunch.
Remte Osratins: Go. C. Tiou
Spring 1990 2600 Magazine Page 13
BUILDING P DTMF DECODEH
by B/Square IC1. Data valid (pin 14) goes high
and Mr. Upsetter 7 usec. after data is on bus caus-
Imagine this scenario: you are i ng the R/W input of the RAM,
l istening to your scanner, moni- IC2, to go low and the CLK1 input
taring a neighbor using his cord- (pin 14) of the counter, IC5, to go
less phone. He i s accessing his high by way of IC3, the XOR. At
bank-by-phone account. He enters thi s time, the di gi t recei ved is
his password, and you hear the displayed on LED1 while precondi
whole thing. But the only problem tions (to write the data to memo-
is that he entered the password ry) are establ i shed. 45 msec.
using touch tones. How do you after the tone ends, DV goes low,
know which numbers he entered? wri ti ng the data i nto RAM and
Or think of this: you're doing an i ncrement i ng the counter one
investigation and recording telephone count. Code has been written into
calls. The person under surveillance is address 00 of the RAM with the
making calls with a touch tone phone next address presented to AO, 5,
and you have tapes of everything. But 6, 7 of the RAM. 4.56 msec. after
how do you find out what numbers DV goes low, the outputs D1, 2,
were dialed? 4, 8 of the decoder clear. This
One answer to these problems sequence wi l l cont i nue unt i l
would be to buy a commercial DTMF addresses 00 through 15 contain
(touch tone) decoder or a similar data. At thi s ti me, the counter
device called a pen register. These recycles and data will be written
items could cost you a few hundred over what was previousl y stored.
dollars. The other solution is to build To read out the contents of
the handy "snatch 'n latch" DTMF memory, S3 i s opened, causing
decoder presented here for abut $35 pins 1 and 2 of the counter to go
to $45. hi gh. Thi s reset s the count er
This circuit uses a single chip address bus to 00. The data in
to decode 12 or al l 16 DTMF address 00 of the RAM i s pre
tones, as selected by the user. Up sented to IC6, the BCD to 7-seg-
to 16 tones are stored in the cir- ment dri ver. I C6 converts the
cuit's static RAM memory. Once RAM output data to a digit which
the tones are in memory, the user is read out on LED1. When S2 is
reads them out one by one on the closed, pin 12 of IC4, the Schmitt
circuit's LED display. The circuit trigger, goes high. This causes pin
can be hooked up to a telephone 14 of the counter to go from low
l i ne, a scanner, or a t ape t o high by way of the XOR. This
recorder. Now let's take a look at increments the counter and pre-
how this little device works. sents the next address to the
Theory of Operation RAM, and the next digit is read
OTMF signals are coupled to pin out. S2 is repeatedly pressed until
9 of IC1, the OTMF decoder chip, all the contents of memory have
by .01 uf capacitor C1. The tones been displayed.
are band split sampled and a coded Circuit Construction
output is placed on 01, 2, 4, 8, of There are two different tech-
Page 14 2600 Magazine Spring 1990
V
"
5b
50

Q
1
l? |Lb

't
L2 l
I
I1 0{
{2
Bl8/B28
!
{8
. 02 --
,_B
II2 .
lN 2
l

. 0
b

"
-
.
.
08
fR0M lI?
A _ l

L1
8
8IN
IL1
B
I
l

-
0
lq
c
e
8N1
l_

--
-.

.. l
2 b
l?
lA

1
lA

?
A r ' 4700
.
d
lq
l
-.
l
8
.
lA 8
9

-
lN

l l

l9
f
I
_
0

lA
c.

^
bo
$4
1
~
+
;:

- --
81
J.579 MBz
9P
b
J
8
|| |_| | |_
L
. .
|
N
| l | |
. k . .
B

$2
g ; M}4 !Vl1
$IqblNLI
niques you can use to construct
your own DTMF decoder. These
are wire wrap and soldering. In
fact, before you decide to build a
permanent unit, you may want to
put the circuit together on a plas
tic breadboard. The authors have
built units in these three ways and
they all worked equally well.
There are some i mpor t ant
t hi ngs t o consi der bef ore you
start. I t i s very important that
you take some time to figure out
where you are going to place the
IC's to facilitate a "clean" pro
ject . This means, for example,
that you shouldn't put IC1 on the
opposite side of the board from
IC2 because they have a data bus
running between them. This may
complicated, but it is impor
tant to figure out a good parts
layout before you start soldering
things together. Also, it is a good
idea to buy all the parts, including
PC board, encl osure, sockets,
switches, et c. before you get
started on a permanent unit so
you can plan how you are going to
put everything together. In addi
tion, unless you are a soldering
whiz, it is highly recommended
that you use sockets for all the
I C' s. Thi s al so makes t rou
bleshooting the device and replac
ing IC's easier.
This project uses CMOS IC's,
whi ch ar e st at i c sensi t i ve.
Theoretically you and your sol
dering iron should be grounded
when handling the IC's. If you
don't have an anti-static work-
HOW TOCONSTHUCT
foil when not in use.
Assembly is readily achieved
using 30 gauge hand wire wrap on
the back plane of a "universal"
PC board (available from Jameco,
Radio Shack). Once the layout of
the IC's is determined, solder two
opposing pins of each socket to the
board and methodically wire pin to
pin keeping in mind that the pin
out is reversed on the wiring side
of the board. The crystal can be
mounted horizontally or vertical
ly, but the 7805 regulator should
be mounted horizontally for low
profile. The 30 gauge wire is sol
dered directly to the switches and
jack. Doublechecking your work at
various stages will assure a func
tional device at power-up. Before
you insert the IC's into the sock
ets, check all connections with a
continuity meter. Should the cir
cuit not operate, suspect your
work before questioning the IC's.
The advantage of wire wrap is
that it is easier to correct your
mistakes.
Assembly by soldering is quite
simil ar to wire wrap. A board
wi t h a pat t ern such as Radi o
Shack pIn 276-162 i s recom
mended. Solder the IC sockets to
the board once you decide on a
good l ayout . Sol der the other
parts i n place. Solder small gauge
wires from pin to pin on the com
ponent side of the board. Use
small jumpers made from compo
nent leads for short connections
on the component side and the sol
der side. Check all connections
station handy, don't worry about with a continuity meter.
it too much. Try not to touch the When you put the IC's in their
pins of the IC's and store them in sockets, remember to put them in
conductive foam or piece of tin the correct way, not backwards.
Page 16 2600 Magazine Spring 1990
YOUHVEHYOWNTOUCH TONEDECODEH
As good circuit design practice
you may want to put .1 uf capaci
tors between the power supply
pins of each IC and ground. The
device will work without them,
however.
After you are done with the
PCB, think about where you are
going to put the LED display, input
jack, and switches on your enclo
sure. Assembly and disassembly
will be easier if all of these things
are attached to one half of your
box.
because any new numbers that
come in will erase the old ones. )
There are a few other helpful
hints that can make using the
decoder easier. First of all, install
that switch to turn the LED dis
play on and off. You only need the
display when you' re reading out
numbers, and switching it off will
prolong battery life. Also, while
reading out the numbers, you
might want to remove the device
from the phone line or whatever it
is hooked up to. If the decoder
Usng the Decoder happens to receive a tone while
Using t he " snatch 'n l atch" you're reading out the numbers in
isn't too hard, but there are a few memory, the tone will be stored
details about its operation that we in whatever memory location you
need to observe. When you first happen to be at and generally
turn the unit on, be sure to hit the make things confusing.
reset switch. This ensures that One feature of the "snatch 'n
the tones (or rather the data sent latch" that makes it less attractive
from the decoder to memory) will than commercial models is that it can
be stored i n t he first memory only store 16 tones. I f more than 16
location. Then you sit back and tones are read by the decoder, the
wai t f or some DTMF tones to counter resets the RAM to the first
come down the line. When they do, memory location and the excess tones
the device will snatch 'em and are read into memory, erasing the
stash 'em in the memory. When previous ones. This is a problem since
the tones have stopped, hit the information is lost. If you anticipate
reset switch. You will see num- reading in more than 16 tones at one
ber on the display, which is the time, you can record the tones on tape
number stored in the first memo- and play them back a few at a time into
ry location. Hit the sequence but- the decder.
ton and t he numbers i n the When using the decoder with a
subsequent memory locations will tape recorder, hook it up to the
be read out. Once you've read out earphone jack and adjust the vol
all the numbers and written them ume so the decoder will read the
down somewhere, hit the reset tones off the tape. The decoder
switch again. You are ready to isn't terribly picky about input
start all over again. The numbers levels, but th90retically the input
will be in memory as long as the level should be less than the sup
power is on and new numbers ply voltage, which is 5 volts DC.
haven't been written over the old When using the decoder with a
ones. ( That's why you may want scanner, it's best to hook it up to
t o wr i t e down t he number s, a "tape out" jack i f it has one.
Spring 1990 2600 Magazine Page
BUlLDlNG P DTMFDECODEH
Otherwise you can hook it up to
the earphone jack. The decoder
works like a charm when hooked
up directly to a phone line (paral
lel connected), as the capacitor on
the input of the DTMF decoder IC
blocks the phone line's DC voltage.
However, if you are going to hook
up the "snatch 'n l at ch" to the
phone line for any extended period
of time, circuitry must be added
to the input to protect the device
from the ringing voltage. 90 volts
AC on the line will surely wreak
havoc on the CMOS IC's.
Applications
The DTMF decoder has many
interesting uses. Basically, any
time you hear a tone and want to
k now what it i s, hook up t he
decoder and let i t go to work.
When it is hooked up to a phone
line, the number dialed can be
decoded. You can also decode
DTMF tones (e.g. passwords) used
for services like bank-by-phone,
credit card veri f i cati on, voice
mail systems, etc. Calling card
numbers can be obtained in the
same way if they are entered by
touch tone. If you monitor cord
l ess or cell ular phones with a
scanner, you can hear a lot of this
type of DTMF tone use. With a
scanner you can also decode such
t hi ngs as access t ones for
repeaters. DTMF signaling i s so
widespread there's no doubt that
you will discover other useful
applications.
The "snat ch 'n l atch" DTMF
decoder presented here is a cost
effective circuit that is an invalu
abl e tool f or t he t el ephone
experimenter. We hope this arti
cle will start you on your way
towards building your own.
Parts List
C1- . 01 uf
C2- . 05 uf
R1- 220K, ohm, 1/4 watt
R2- 1M ohm, 1/4 watt
R3- 4 .7K ohm, 1/4 watt
RN 1- 4 70 ohm
X1- 3.579 MHz colorburst,
HC-18 case
S1, 54- 5P5T switch
52 - momentary , normally
open
53- momentary , normally
closed
LE D1- 7 segment, common
cathode
IC1- 5512 02, DTMF decoder
IC2- 5101, 256x 4 5RAM
IC3- CD 4070, quad XOR
IC4- 74C14, hex schmitt
trigger
IC5- 74C93, ripple counter
I C 6 - 74 C 4 8 , BCD to 7 - s e g
ment
IC7- 7805, 5V regulator
Misc. parts: 1/8 Inch jack,
IC sockets, PC board, 9V
battery and clip, . 1 uf
capac itors, enclosure,
mounting hardware.
All of the IC' s except for IC1
ar e avail abl e f rom Jameco
El ect roni cs, 135 5 Shoreway
Road, Belmont, CA 94002 (415)
592-8097. They also have sock
ets, the crystal, and other parts.
Some parts are also available
f rom Mouser Electroni cs. Call
800-992-9943 for a free catalog.
The SSI202 DTMF decoder Ie is
available from W.E.B. , PO Box
2771, Spring Valley, CA 92077
for $12. 95 plus $2. 50 postage
and handling.
Page 18 2600 Magazine Spring 1990
bILVH UCX UCHN IN U.W.
by Tamlyn Gam
There wa< an article abut the con
struction of a silver box in the Winter
!98/0 issue a'd it led me to wonder
how this would work in the United
Kingdom and Europ.
Much of the LKis still using pulse
dialing and the use of tone phones is
only just spreading. (Most still convert
the tone to a pulse for the sake of the
antiquated phone system.) As the use
of tone sysems spreads, now at an
increasing pace, there would seem to
be a rich aea for experiment here. It
is not easy to come across a tone
phone over here so I had to look for
another source for the box pats. The
main use here of tones is to .:ontrol
remote devices over telephone lines.
These services which are common in
the LS are only just beginning to
come into general use here, but we are
now able to use tone controlled
answerphones ad tone controlled ser
vices such as voice banks and bank
services. With the lack of tone
exchanges and phones, the suppliers
of such services have been offering
small tone generators to prospective
customers (sometimes free). Any
hacker worth his salt will have one or
three.
I dug out one of mine and pulled it
to pieces and, yes, it was run by a
508T chip. A quick look at the circuit
showed it to be the same as te phone
described in the earlier article, so I fil
ted a changeover switch as suggested
and am now the proud owner of a sil
ver bx.
I am not sure just what I can do
with it but time will tell. The received
wisdom is that the extra tones are not
used in te LK,but I see tat the tele
phone workers are equippd wit tone
generators having Ib buttons. An
"innocent" question as to what all
those extra buttons were for has not
yet yielded resull' -but it will. In the
meantime I will poke the extra tones
about to see what they do and report
back. I do work in an office with an
internal tone phone service with
national links to the public network so
I have lots of places to experiment. I
will report back here and in the mean
time will see what our US colleagues
tu up as tey blaze the trail.
LISTENlNG IN
by Mf. U5ellef
Every now and then, those of us
who take the time to be observant
stumble across something remark
able. Let me relate to you one of
those experiences. It was an all
too lazy sunny afternoon in
Southern California. I was bored,
and I decided to listen to my
Realistic PRO-2004 scanner. I
flipped it on and scanned through
the usual federal government, mili
tary aviation, and cordless phone
frequencies, but there was no
good action to be found. l hap
pened across S0me scrambled
DEA transmissions and a droning
cordless phone conversation by
some neighbors I could not identi
fy. So for a change I scanned
Spring 1990 2600 Magazine Page 19
LISTENING TO PHONE CALLS

"

0
M
''

'

o
uS

l 7mS OCCur8 Wlh OuI

o e

e
l|

=|r~ =||1

^^" " ^^
`

`

"

""^
P/' "

o
|
b
fhe
|

|a
r
o

tq

s
.

s o(m

|

as

wree ea

`
S PP u
l0 |/

" , ,
.

^ |^I00

'^^~
" ' ^


, ,
through the marine radi o channels .
The scanner stopped on marine
radi o channel 26, whi ch is used for
shi p-t o- shore t elephone calls. A
man was r eadi ng off hi s calli ng
card number to the operator, who
gladly accepted and connected hi s
call. Calling card numbers over the
airaves! I was shocked - aston
i shed that such a lack of security
could not only exist , but be accept
ed pract ice. I began moni t or i ng
marine telephone to find out more,
and it turns out that using a calling
card for billing i s commonplace on
VHF marine radiotelephone.
People u se calli ng car ds fo r
billi ng all t he t i me. That ' s what
they are for. But is it that big of a
deal? You bet it is. Mar ine t ele
phone uses two frequencies, one
for the ship and one for the shore
st ation. The shore stat i on t rans
mit s bot h sides of the conversation
at considerable power, enough to
offer reliable communicati ons up
t o 50 mi les ofshore. Anyone with
a st andard poli ce t ype scanne r
cost ing as lit tle as $1 00 can listen
in. People using marine radiotele
phone can be broadcast i ng t hei r
calling card number t o a potent ial
audience of t housands. And t hat
j ust shouldn't be happening.
But it i s. And there is no doubt
that calling card fraud is occurring
becau se of t his lack of secur it y.
From the phone company' s ( many
Bell and non- Bell companies pro
vide mar ine t ele phone se rvice)
poi nt of view it must be a trade-off
Page 20 2600 Magazine Sprng 1990
ONTHE HADIO
f or cust omer conve nie nce. You
see, t her e j ust ar en' t t hat many
ways to bil l a ship-to- shore call .
Most cal ls are coll ect, a f ew are
bill ed to the ship if t hey have an
accou nt , and a few go t o t hird
part y numbers or ot h e r special
accounts.
Sometimes t he operators have
trouble verifying billing informat ion.
I monitored one man, who af t er
racki ng- u p $40 wo rt h of AT&T
charges was inf or med t hat t hey
cou l dn' t accept his int ernat ional
accou nt nu mber . The oper at or
f inally coaxed him into giving an
address for billing. Calls are ofen
billed to t hird pary numbers wit h
out verif icat ion. But calling cards
make billing easy for both t he cus
t omer and t h e phone co mpany
involved.
I t woul d also be t ricky f or a
company to not allow calling card
use. Doing so would be an incon
venience to customers and would
force them to admit a lack of com
municat ions s ecurity. Of course
people using marine radio should
already realize t hat their conversa
tions aren't privat e, but announc
i ng t h e f act wou ldn' t h e lp t h e
phone company at all. In f act , peo
ple may place l ess calls.
The conve nience of f e red by
calling cards makes them an easy
target for fraud. They can be used
by anyone f rom any phone and
with a variety of different l ong dis
tance carriers via 1 0XXX numbers.
No red or blue box hardware nec-
essary here , just 1 4 digits. But of
course , the number won't be valid
f o r long aft e r all t hose st r ange
ch ar ge s st art showing up on
someone' s bill. I t should be noted
t hat when a calling card is used ,
the number called, time and date
of call, and location ( and often, the
number) from which the call was
placed are printed on t he bill. A
f raudulent user could be caught
via t hat informat ion if t hey were
careless. Also, some long distance
companies may cont act the owner
of t he card if t hey notice an unusu
ally high number of charges on t he
card.
Long distance companies bear
t he br unt of t he bil l s caused by
calling card fraud. However, if you
r ead t he f ine print , t h e car ds
ofered by many companies have
a cerain minimum amount that t he
cust omer must pay, say $25 or
$50. (Editor' s note: We have yet to
hear of a case where a phone
company got away wit h charging a
cust o mer wh en t h e only t h ing
stolen was a number and not t he
card itself . )
So wh at ' s t he mo r al of t he
story? Simple. 6 damU Cat6/u/
wha| yOu $ay Ov6taUytad|O, and
t hat includes cordless and cellular
telephones. If you are using a call
ing card, enter it with touch tones.
If you happe n t o mak e V H F
marine radi ot elephone cal l s, bill
collect or char ge to your phone
nu mber as you would to a t hird
party number - wit hout t he l ast
(cao/|oac4aoagc33)
Sprng 1990 2600 Magazne Page 21
MPA WM UU
LU WM $20, 000.
That's the amount of money you'll save i f you buy the much heralded
E91 1 documentation from us instead of through Bell South. While
they' ve priced this six page document at $79,49, we'll give it to you for
only $59,49! - That's a savings of over 25%.
Imagine the thrill 0/owning a phrase like: "When an occasional aU zero
condiwn i reported, the SSC/MAC should dipatch SSIM/I&M to
routine equipment on a 'chronic' troublesweep. " (Those words by them
selves would easily sell/or several hundred dolars.)
You know that oters like this aren' t made very often. You also know
that this kind of information is a treasure well worth dying for which
can' t be found in stores anywhere. U' s a commonly known fact that
understanding how the phone company works is a major step towards
World Conquest.
So take that step today. Before your neighbor does o
MAKE CHCKS OUT TO " 2600 UNBELIEVABLE OR" .
(AVOID SENDING CASH THROUGH T MAIL.) Tms OFFER EDS JUI_Y 31.
Oh5 N1 lNLLLOh 1AX ANO 5HlUL.
( bI qobeeoe ( i nternet Bcanner In Shel l )
,
. !t:m
n
tiei !e::;o:81 !!S wfg:IIP!!d l
n
a frl:LL
, cal l ed UNIxEs
t A oompl ete l i s t i ng of eyftems ( i ncl udi ng bth Unixea and non-Unix ba.ad
, sY 3tems wi l l be round In . a l l - systems
,
, Pl ease note l Thi s Is a .simpl i f ied- veraion written in approxiaately 1 hour.
I t [ * Z " $ 4 " J } then
echo "\nUsage l b19. cheeae xxx xxx xxx xxx"
exit
eI se
purJ -$) l a+drl ..$2 addr2-$l r addrl-$4
fi
export prefi x addrl .++-. addr3
whi t . :
do
if [ -f /tmp/atop. acn J t then
break
f l
echo "\n\r\n\r\n" I telnat , ( prefi x) . $ ( addU) . $ ( addr: ) . ' ( addr3 ) " >/t.p/ . ohx1ts
sl .ep .:
k i l l :
cat /tmPI . chkIt P . a l l . systels
x-' qrep " 1091 n l " Itmp/ . chk1t'
i t [ " $x" J ' then
echo " ' date' P $ ( pref i x) . $ ( addrl ) . $ t addr2 ) . $ ( addr3 ) 7 . UNIX!!
fl
i
f
:

+
-:.., .+ + l' , addr3-0
f l
done
If [ $addr2 -qt 255 J I then
addrl-' expr :adtrl l' . .++-:-:
i f t :.++-: -gt 255 11 then
DNB-1
fl
B GBT THB MOST DTBRBSTDG FA FOR MES
AOUND. SEND YOURS T I--2 ATIMB.
Page 22 2600 Magazine Spring 1990
ne mS up d a t e
Morrcn/cnccd
On May 4, Robrt Moris, whose run
away worm created havoc on the Internet
ove the fal of 1 988, wa sentenced to thre
years ' probation, a $ 10,000 fne, and 40
hours of community service. He could have
reci ve up. to fve yeas in prson along with
a $250,00 fne.
While it seems pretty stage to sentenc
somboy fo what wa, in effect, a scientfc
exprmnt gone awr, it certanly is a relief
that coler heads seemed to prevail in this
imprtant cae. After all, Mors culd have
wound up in prson. We can only hope tis
isn' t the excepton to the rule, or worse, a
case of special teatmnt because his father
works for the NSA.
A/bunu Cu//ub/c
For may yeas, the stange and myster
ous Euroan county of Albania wa cm
pletely unreachable by telephone, at least
from the United States. But all of that sud
denly changed on May I, when AT&T stat
ed providing oprator asisted calls there. It' s
rumored that direct dia serice will stt in
the fall. If so, the county ce is 355. The
cal shown below was made from Canada.
Now there ae only three countries that are
unreachabl e from t he Uni ted St ates :
Vi et nam, Cambodi a, and Nort h Korea.
(Actually, it IS possible to call those places
from here - can you fgure out how?)
No. D8te Ca| |ed lrom
Ca| | | ng number \ b
Ca||ed to
going through opators overses, not when
using MCI Call USA, the MCI equivalent of
- Mel CONF I DENTIAL
00 NOT SHOW CUSTOMERS
AT&T' s USA Direct.
I n a sect i on on fraud, MCI s tat es,
"Because there will b no automated valida
ton of the Interatonal Numbr, fraud is a
potental issue. However, it should b noted
that AT&T ha oprated this servic for over
20 yes without validaton of its interaton
al number." That should paint a pretty cler
picture of the effectve and immdiate solu
tons some companies come up with when
faed with potenta securty problem.
Ncwork1c/Ku/cIncrcuc
New York Telephone is asking for som
of the most outageous rate increases in i ts
history. Apart from lowerng the nighttme
discount rate to 50 pcent (from 6 prcent)
and te evening rate to 25 from 35, the com
pany plans to double the charges for most
clases of message-rate service. For instanc,
if you py $8 a mnth fo a crtn type of
service, you can lok forward to pying $1 6
or more i n t he future. Not onl y that but
charges to local directory assistance from
payphones (curent y free) wll b ini tated at
a cst of 50 cents per request. The two fre
Tme 8t8 MI n. Amount
FbBS SCCCN ALBAN|ASPR
\ 0 AM PS I 6Z8 .
|cH5LN
78
MCIInccar/]
In intera memo leaked to 2600, MCI
admits that there i s very little security for
their interatonal caling cards. The "inter
national number" is defned as a 17 to 1 9
digit numbr comsed of the Telecommuni
catons Industy Identfer (89), the country
code (from one to three digits), an MCI
issuer identfer (222 o 950), the subscriber
number (the sam a the frst ten digits of the
MCI 14 digit domstc numbr), and a check
digit. The interatonal number !s used when
requests every customer gets each month wll
be elimnated. And an unprecedented 50 cnt
charge will apply to all calls b the operator
that don' t wnd up in a call bing proessed!
The Public Service Comission cn deny the
rate increase, but if they don' t, these outa
geous rates will go into effect next January.
lar/hcrmorc. . .
us Sprnt has redesigned teir bills. And,
if you have a 50 access code, you' ll be
delighted to know that they prnt your code
on every page!
Sprng 1990 2600 Magazine Page 23
yOU VOIOUud IhO OHici J
C|ogtngLtc
Dear 2600:
In reference to your REMOBS
art i cl e by The I nfi del i n t he
Autumn 1 989 i ssue , t he author
di storted the true defi ni ti on of
Remote Obseration i n the digital
age.
The REMOBS i s a hardware
device manufactured by TelTone
and numerous other el ectronics
manufacturers. To say that . it is a
Bell standard piece of equipment
coul d not be furt her from t he
truth. A tical REMOBS ranges in
cost from $800 to $ 1 200 and i s
always attached to te cable and
pair in question at the frame (in
t he cent ral offi ce) . The fac t
remains that the REMOBS i s not
totally silent. It is a mechanical
device that uses cross- connect cir
cuits to tap into a line, which obvi
ously results in clicks and noises.
Unlike The I nfdel's notion that a
REMOBS can mqnitor any line i n
an echange, it is limited to a min
imal number of subscriber l i nes
and i s restricted to guidlines set
forth by the FCC. Ma Bell uses a
series of circuits kown as "no test
trunks" to monitor lines for test
ing, and linemen in particular use
software driven monitoring devices
[ on LMOS) . Whether or not the
observer will be heard depends
upon the software selection.
To say you don't actually "con
nect" to a customer's line and sim
ply monitor it is totally wrong. It is
impossible to listen in on a conver
sation i there is no physical con
nection to the remote line you wish
to obsere (with the exception of
cellular and cordless, etc. ) .
MODI
Masters of Deception
New York City
And don' t Jorget satell ites and
microwave l inks. It ' s qui te a bi t
harder to zero in on a particular
conversation but t hre' s also a lot
more to chose fom with vitually
chance ojbing cauht. In addi
t in, DMS- 1 00 switches seem to be
gai ning a reputat ion Jar inadver
tently al lowing access to othr con
vrsatins. Te story i always the
same: you' re having a can versa
t id and all oj a sudden you' re
connected to arwther convrsatin.
You can hear thm but t hy can' t
hear you. They hang up and you
get anot her conversation. And so
on. I t here are "cl icks" in these
i nst ances, nobody seems to be
hearing them. Which brings us to
an interest ing point. I t here are
t el l t al e sounds i nv ol ved, how
many oj us know what t hey
mean? Is every click on our l ines
someone ea vesdroppi ng ? OJ
course not. Are monitoring devices
becoming more sophist icated and
l ess " noi syH ? Absol utely. These
Jacts, coupled with the increasing
numer oj ways to listen, assures
l ojth Jact that no phone conver
sat ion can be consiered secure.
WOS Lu|CH!HQ.
Dear 2600:
I am t he vi c t i m of an
"Information Source" that has me
puzzled. My phones (according to
Ma Bell) were not bugged and I
know for a fact that no bugs were
planted in my ofce. There was no
i l l egal tap on my phone t hat I
Page 24 2600 Magazine Spring 1990
ZOUUc|Icis COUmu
could detect.
Someone mentioned a new tap
that is put into effect by j ust dial
ing my number. There is no ring
and the listener can hear all t hat
goe s on in t he room whe re t he
phone is. There is also no record of
the phone call . This sounds like a
combination black box and some
other devi ce.
Can you clue me in?
W
Upstate New York
A harmonica bug, al so known
as an inity transmitter, i s uual
ly pl aced i n t he earpiece oj t he
phone. A particular Jrequency sent
over the phone t riggers t hem t o
st art transmit t in. I t his was the
case here, you should have been
able to Jind it. although some have
been made to l ook l i ke phone
ucks. Keep i n mind that this i not
a tap, but a bug. In ot her words, it
works even when t he phone isn' t
in use, monitoring t he rom, not
t he phone line. We're unaware oj
any "service" that allows someone
to call in and do t his wi thout flTst
hav i ng physica l access to t he
phone. There are mai nt enance
Junct ions wi t hin the t elephone
company that al l ow l i nes to be
monitored wit hout having to instal l
eqUipment, but t hese aren' t sup
posed t o b used outsie t he com
pany. Somehow t hat does n' t
sound very reassuring, dos i?
tuCtOX C/!
Dear 2600:
Athough we are i n the twilight
of the blue box era, I 'm sure many
readers would be interested in an
excellent blue box I C. The chi p is
the TeItone M- 993 MuIt ifrequency
Tone Generator. It generates all 1 2
MF tones usi ng a standard 3. 58
Mhz colorburst crstal.
Thi s chip offers several advan
tages to bl ue box deSigners. Al
blue box tones are generated accu
rat ely by one I C (except for 2600
HI and no adjustment or tuni ng i s
required. I t does have one di sad
vantage, however. The I C has a 4
bit binary input for tone selection,
meani ng i t i sn' t easily interfaced
with a keypad.
The IC is also expensive, costing
anywhere from $1 4 to $25 for si n
gl e pi e c e s . I have found two
sources: Hi gh Technology Semi
conductors in California (71 4) 259-
7733 and Al mo El ectroni cs with
outlets coast t o coast (800) 525-
6666. Other Teltone distributors
sel l i t t oo. Tel tone Corp. can be
reached at (206) 827-9626.
Some distributors will give elec
t roni cs compani es free sampl es
and spec sheets.
Mr. Upsetter
LuQS Wun|cd
Dear 2600:
I f, as The Dark Overlord says,
t here are many weaknesses i n
UNIX, why don' t you print a few? I
fre que nt ly see messages on
Arpanet saying things like "Maj or
security bug found in Xindows,
serice representative will contact
yo ur si t e wi t h det ai l s , di s abl e
XWindows unti l then" (no, this is
not a real messdge) . and there are
evident ly l at e of admi ni strators
who know lots of easy- to- exploit
bugs/holes in various op systems.
Why don' t you publish them? To
Spring 1990 2600 Magazine Page 25
my knowledge 2600 has LUL
published any specific security
holes - not even the rhosts bug
that the Worm exploited. which
everybody except me seems to
know about. For i nstance . Bill
Lndreth said he broke into a VA
running VMS using a rapid-fre
command replacement: a progrm
in C which submitted a command.
Waited until it was apprved. and
thel wrote a different command
into the VMS bufers before it was
execut ed. Someone must have
details: formats. specifc memor
locations. and timing - maybe a
similar program.
I kow people who have a . COM
fle on VMS which allows them to
send mail messages with bogus
"From: " felds. They are unwilling
to supply me with it for fear of los
ing their jobs. Can someone pro
vide a listing? How about ways of
faking Apanet mailer headings? (A
practice ver common on Aprl 1 )
I was recently on a VA running
VS on which I had read privs for
AUTHORIZE. EX. I copied it into
my director. created a fake tem
plate of users. passwords. and
privileges. and tred to redefne the
appropriate logicals that I could
then SET HOST and login using
my fake AUTORZE. DAT and get
a bogus account pinted at a real
director with rea privs. I had no
success. Can anyone with access
to VS manuas tell i this is ps
sible. and if so. what logicals to
redefne?
Chrlie Brow
IhO IsIOIIOIs
QuesnnsondIn]o
Dear 2600:
I have a lt to get of of my mind
afer reading your Winter 89-90
issue. I haven't had computer for
months now I'e been out of the
phreak/hack scene for quite a
while.
1 . What are some of the ways
that blue and red boxes can be
used and detected on DMS-200
and other new switching systems?
2. When scanning (war-dialing).
how many numbers per minute
dos it take to trtp a waring fag
at the CO?
3. Are test numbers called from
a difernt area code billed?
4. Are there any other
hack/phreak publications past or
present?
5. Does anyone have. or has
there been printed, a listing of
Telenet Network User Addresses
(NUA)?
6. Wat is the Summercon. as
l i sted in the wi nter i ssue' s
Marketplace?
7. I have recently gotten my
hands on an M- 242A REMOBS
unit. I have no idea what i t does or
how to work it. Any info will be
appreciated.
Lst of all. here are some inter
esting numbers in the 704 area
code: ANI : 3 1 1 . ringback: 340-
7. Here are some rather difer
ent co nu: 704-334- 1 051 .
704- 334-0745. These paphones.
C LL1LHS, | BX99, M| DDLL | SLAND, NY J J 953
Page 26 2600 Magazine Spring 1990
OIhO nnOIOs
if not pi cked up within approxi
mately 8 rings, will answer with a
computer connect tone, followed in
about 5 seconds by a ver strange
tone.
GB
First oJ, a DMS- 200 is a tol l
switch, meanin it's ue only Jor
lon ditance switching and not in
central oJJices. The #4 ESS is
another example oj this. Check
elsewhere in this issu Jor details
on hw blu bors are detete.
In some places, scanning has
been made i l legal . It would be
hard, thuh, Jor somne to fre a
comlait aainst youJor scanni
sice the whle pupse is to call
ever numbr one an only once.
It's not likely to be thught oj as
hrassmnt by anyon wh gets a
single phn call jm a scannin
computer. Some central oJJices
hav be known to react strne
ly when people start scanning.
Sometims you're unable to get a
dialtone Jor hours oer you start
scanning. But thre is no unior
policy. The best thing to do is to
Jirst Jind out i you' ve got SOne
cray law saying you can' t do it.
I as is l ikely, there is no such
law, th only way to fn out wht
happens is t give it a tr.
Test numbers wi l l al most
always bill whn called fom out
side the area they' re meant Jor.
Smtimes they evn bill lally/
We know ojno other puliation
in this country that dos exactly
what we do, but there are some
that hav som similaritiS. Wn
we Jind out about them and get
ahol d oj a copy, we general l y
spread the word.
Get t i ng a l i st i ng oj Tel enet
addresses i s l ike gett ing a tele
phne bok. It would b outdated
th mment you set eyes upn it.
But thre are many partil litins
ftin arund, an i we get one
in the Jut ure we' l l share it as
we' v done i n t h past.
Re: Sumrcon, it's an annual
gathrin ojAmrian hackers and
phreaks. The detai l s wi l l be
announced whn we hav them.
Fnally, the REMOBS unit you
have will only work Jrm WHIN
the central ofIe. Those units are
used Jor monitoring t runks, not
indiviual lines, an they're really
rather outdate. Still, it can' t hut
to have one lyi ng around t he
huse . . . .
\ctAnothcrTrcot
Dear 2600:
I t hi nk you mi ght fi nd t hi s
interesting. It was extracted from
the RSKS Digest on USENET.
wThe Prodig Serices pUbli ca
tion, Poiy Star (olume III, No.
1 ) recently showcased a ' maj or
benefi t ' . The Prodigy syst em
accesses remote subscribers' disks
to check the Prodig software ver
sion used, and when necessary,
downloads the latest programs.
This process is automatic when
subscriber link to the netork.
WI asked Prodig how they pro
tect against the possibility of ater
i ng subs cri bers' non- Prodi gy
programs, or reading their person
al data. Prodi g's less-than-reas
suring respol1se was essentially ( 1 )
we don' t look at other programs,
and (2) you can boot from a foppy
disk. According to Prodig, the fea-
Sprng 1990 2600 Magazne Page 27
Ihis isyOui0hJB0O
tu cannot be disabled. "
I t hi nk i t i s obvi ous how t o
make use of this "feature" for other
purposes. Let us hope that thi s
"feature" i s removed from one of
the newly downloaded versions . . . .
fn
RcoLoxwocs
Dear 260:
Since the foneco strike i n New
York, the outdor payphones tat
were vandal i zed and are now
repai red do not al l ow red box
usage. Even afer putting i n the
frst coin, using the box results in
a recorded request to deposit the
balance due. Tey must have done
somethi ng with the coi n detect
rel ay setup. I ndoor phones i n
bUilding lobbies and stores still
seem to work okay.
Cuou
Thruhout most oJNew York, a
new relay system known L MRS
has been installed over the last
year. You may hav notied a di
Jerence in the way the dial tone
appears. Some phones may not
have been swi tched over yet .
We're loking Jor more inJoration
on t his , as wel l as ways oj
bypassin th disadvantages.
Dear 260:
Your latest issue on building a
si lver box using a Radio Shack
dialer was quite god. I would like
to know if a modifcation can be
made with a pocket Rdio Shack
dialer to build a red box.
Please reply by letter since I' m
not sure if my subscri pt ion is
expired.
Rode Isand
Thre wouldn't be muh pint to
making a red box out oj a Radio
Shack dialer since a red bo only
makes a single combinat ion oj
tones (I 700 h and 2200 h. One
60 millisecond pulse indicates a
nikel, two 60 millisecond puses
indicate a dime, and fve 35 mil
lisecond pulses separated by 35
mi l liseconds indicate a quarter.
These tones are not Jound on a
touh tone pad, whereas th silv .
box tones are. Our Summer I 988
edition has red bo plans Jor thse
who are interested. It should be
noted, t hough, t hat many red
boes are nothin mor than tap
recorders wit h t he appropriate
tones c u.
There' s no way we can reply
individually to all oj the questin
we get. It 's u to you to ke track
oj when your subscritin is near
ing an end. That i nJormat ion
should be on your maiing label.
Whi l e we ' re on the subject,
Jolks, a coule oj words oj adVice.
When you move, l et us know
BEFORE your ol d address
becomes inval id. The post ofce
does not Jorward magazines.
Instead, thy send L notiIation
oj your new address, a service
th charge L Jor. And you wind
u missing an issue Jor no god
reason. Also, those oj you using
aliases: make sure you' re able to
get mail under that name. Tre is
nothing more fustratin than tr
i ng to contact someone whose
issues keep coming back to us,
especially whn thy're comlain
ing to L about not getting what
thy pai Jorl i you have to use a
Jake name or handle, just make
sure th post oJe knows about i
Page 2S 2600 Magazine Sprng 1990
O OO hOJid
we can all get on with our livs.
5uggcs t| ons ono
Qucst|ons
Dear 2600:
Glad to see your you covering
phones again. Ver much enjoyed
the fortress phone article and had
a few questions about It.
Green box tones : when are
these tones to be sent? When you
are still talking? After you hang up
and pick up the phone again?
Red box or green box tones: do
they have to be sine wave tones or
will square wave tones work?
Just what are tol l free 950
calls?
Wat is bige bxing and how is
it useful? How about an article for
remedials like me?
Redneck 1
S Lus Obispo, CA
Green bx tones are simly MF
tones ued in a dif erent way. For
instance, K is the stnal to spit
out the chane. ' MF nwber 2
is the signal to collect the coins.
There are other tones Jor obscure
Junct ions which nobody real ly
uses these days. Keep in mi nd
that thse tones are only used on
analo switches. The tones must
be sent fom t h calle part. Th
person you cal l bl asts KP, you
han u, and you chane shuld
come back, prou ided i t hasn' t
already drppd.
Either si ne waue or square
waue tons workJutfme.
950's are toll fee numbers that
pruide you with access to the dial
tones oj other long distance com
panies. It's neessar to enter an
authriation coe beJore or after
entering the number you want to
call. These dial tones only accept
touh tones, not pulse. 950- 1 022
blngs to MCI, 950 I 033 belns
to Sprint. an thre are many oth
ers foting arou Jut waitin to
b discovred.
Beige boxing is nothing more
than using someone else' s phone
l ine to make a call. This i done
quite a bit in dormitories, where
it 's Jairly easy to get acess to the
phone cl oset and do some
reWirin.
Dear 2600:
Keep up the god work. I like a
balance between telephony and
computers : software and hard
ware . The i nternati onal i nfo i s
valuable. You ought t o combine
this and one of the other maga
zines into a real, full- blown rag
l ike Data Communications. How
about a feature on the AT System
75/85 PBX?
Satisfed Cutomer
We'll lok into that PBX an see
i t here' s anyt hing part icul arly
iterestig about it. At th moment.
we haue little interest in lokin or
readin lie Data Communicatins.
Dear 2600:
I have asked you before , but
has any new information come up
on publications similar to yours in
t he Uni t ed Ki ngdom or t he
Netherlands? I admire your persis
tence and philosophy, and hope
that you will continue for as long
as you feel moved to do so.
A Overseas F
Tere hs been talk oj a puli
catin staring in Enland Jar some
time. We' l l let you know i any-
Spring 1990 2600 Magazine Page 29
thin develops. In the Netherlands,
thre's Hack-T at P B 22953,
I I 00DL Amsterdam.
Dear 2600:
Would you be i nterested i n an
article about computer viruses? I
have an Apple, so everting con
cerning it would be based on Apple
assembly l anguage. The arti cl e
would cover how t o make, destroy,
and detect viruses on the Apple,
and i n general. I might supply a
si mpl e source code for a non
destruct ive self-repl i cati ng pro
gram, i f you are interested.
Somewhere i the Midwest
We're swried you h to ask.
We're waitig by the maibox.
IO|c|IhOncS
Dear 2600:
I recently came across a very
maj or s ec uri ty probl em whe n
using private phone systems such
as i n hotels.
Most of these have a Stati on
Message Detail Recorder (SMDR)
whi ch keeps trac k of al l di gi t s
ent ered at your exte ns i on. At
checkout time these numbers are
compared, either electronically or
by hand, with a rate chart and the
bill gets calculated.
Since I generally use alterative
common carriers for long distance
calls, I almost always have a local.
free (950) access number.
Recently, one i nstitution tried
charging me excessive amounts,
claiming that I had accessed some
of t he ot her, ahem, spe ci al
exchanges (anything above zero is
wrong, but I ' ll grant them the 25
cents if they insist) so I asked to
see the printout.
OIIOis IOi
I discovered, to my ver major
di smay, that the paper had the
950 calling number an my secu
ngcode, as well as the fnal num
ber diaed.
On checking further, I discov
ered thi s is not only a common
feature of SMDH's, but is also on
many private coin phones.
Ver curi ous, and ver worri
some.
I found a way to (sometimes) get
around thi s. Most of the listings
are limited to 20 or so characters,
so I will punch in some random
characters, and hit the octothorpe
for a new dialtone. That way. the
hotel printout merely gets the frst.
defective, series.
Thi s probl em certai nly rai ses
some curious questions . . . .
DB
New York City
Why do you t hink so many
phone phreaks work in hotels?
1hc lOC|S On
! 069B
Dear 2600:
On pages 42 and 43 of your
wonderful Autumn 1 989 issue i s a
comprehe ns i ve l i st of carri er
access codes, and i n the third col
umn on page 43 is a footnote, the
fourth and ffh sentences of which
read as follows: " 1 0698. for exam
ple. is used to route local calls via
New York Telephone. But since all
local calls are routed through New
York Telephone ayway. it doesn't
really sere much purpose except
to occasi onally get around PBX
restrictions. "
The se cond sent enc e of t he
Page 30 2600 Magazine Spring 1990
IhO sQiu_ O VVU
quoted portion above is simply
wide of the mark. bcaus you are
supposed to use 1 0698 i you want
to route certain interstate inter
lTA cals via New York Telephone
instead of via AT&T or another
long distance carrie!. Al local calls
- in fact. all calls. including local.
toll. and long distance calls. which
bth orginate an terminate with
in a LATA ( "Local Access and
Tansport Area") mut be car
ried by the local Bell Operating
Company ( BOC) . in accordance
with Judge Grene's decre in the
antitrust case which resulted in
the breakup of the Bell System.
Those kinds of cal l s are often
referred to as "intra-lTA calls".
Conversely. all calls which orgi
nate in one lTA and terinate in
another lTA ("interlTA calls")
mut. unless the decree cares out
an exception. be carried by AT&T
or an alterate long distance cari
er. As Judge Greene put it in his
opinion deciding many of the lTA
questions: "Most simply. a lTA
marks the boundari es beyond
which a Bell Operating Company
may not carr telephone calls . "
That's why the geographic delin
eation of the lTA was impor
tant to the BOs. (Judge Greene's
opinion deciding many of the lTA
questions may be found bginning
at page 990 of vol ume 569 of
"Federal Supplement". which is a
series of reports of decisions in the
lower Federl courts. )
Tere ar to eceptions to the
general inter-lTA cal rle which
Judge Greene recogni zed and
i ncorporated i nto the modified
fnal judgement (the MFJ) . Both of
the exceptions are in or close to
our own backard (spaking as a
resident of Manhattan) . Both of
te approved moifcations recog
nize and continue a practice which
is decades old. and is referred to
by Judge Greene in his opinion
deciding the question as the "limit
e corrdor exception".
One of the l i mi ted corri dor
exceptions is between fve north
ern counti es in New Jersey
(Bergen. Essex. Hudson. Passaic.
and Union Counti es) and New
York City (the fve boroughs of
Manhattan. Bronx. Brooklyn.
Queens. ad Staten Island) . Befor
the breakup. the New York State
prtion of the coridor consisted of
all the tertor in Numberng Plan
Areas ("NPA") 21 2. 51 6. and 91 4.
but in his deciSion. Judge Greene
cut the tertor dow to New York
Cit only (which at that time was
NPA 2 1 2. but now consi sts of
NPAs 2 1 2 and 7 1 8) . I n Judge
Greene' s words. "The exception
would allow New York Telephone
and New Jersey Bell to continue
their direct swtching of trafc and
private line demand between New
York and New Jersey via Class
Five. local trnks. a current 'priv
leged business' arrngement which
would be scaled down from 5 1 6
and 9 1 4 to New York Cit only. "
(Judge Greene's opinion explaining
why he decided to make a moif
cation of the fnal judgement as to
the northern corridor appears at
page 1 0 1 8 of vol ume 569 of
"Federal Supplement". )
The other coridor exception is
beteen Philadelphia ad its sub
urbs in Pennsylvania, ad Camden
Sprng 1990 2600 Magazne Page 31
and its suburbs in New Jersey. I n
Pennsylvania, the territory com
pri ses five count i es : Buc ks ,
Chester, Delaware, Montgomery,
and Philadelphia. In New Jersey,
t here are t hree count i e s :
Burl i ngt on, Camde n, and
Gloucester. (Judge Greene's opin
ion explaining why he decided to
make another modifcation of the
fnal j udgement as to the souther
corridor appears at pages 1 0 1 9
and 1 02 1 - 1 023 of volume 569 of
"Federal Supplement". )
I suppose that i n the early days
when calls were handled by live
operators, the high volume of calls
in te two corridors prompted New
Jersey Bell to fnd ways to speed
up the calling process by bypass
i ng AT&T Long Li nes , and New
York Telephone, i n the northern
coridor, and Bell of Pennsylvania,
in the southern corridor, were will
ing to oblige. (One of your readers
who is a real old-timer may be able
to give us the corect exlanation. )
At any rate, this venerable practice
has persisted, and was incorporat
ed into the MFJ by Judge Greene.
As a consequence, now if you
want to make a northern corridor
call from an equal acess central
ofce in New Jersey to New York
Cit and bypass AT&T (or whatev
er long distance company has been
chosen) , you can do so by first
dialing "ten NJB" ( 1 0652) and then
dialing 1 -21 2 plus the Manhattan
or Bronx phone number or 1 -71 8
pl us t he Brooklyn, Queens , or
Staten Island number.
In New York Cit, if you want to
bypass the long distance company
and use New York Telephone, you
!OIIOis, IOOdOJ0K,
must frst dial "ten N ( 1 0698) to
have the call be listed on the New
York Tel ephone secti on of your
phone bi l l . New York Telephone
hints at how to do this in te white
pages, but, surpri singly, doesn' t
give the 1 0698 access code.
In Pennsylvania, you must dial
" t en BPA" ( 1 0272) to make a
"Jersey Li nk" cal l vi a Bel l of
Pennsylvania. To make a "Pennsy
Link" call from New Jersey, you
would precede the call with "ten
NJB" ( 1 0652) .
So, the codes 1 0272, 1 0652,
and 1 0698 are legitimate access
codes, but only for a limited pur
pose: to make corridor calls via. a
BOC instead of via a long distance
carrier.
The Cout M
MorcNctuork
2000Rto_s
Dear 2600:
I, too, had a similar experience
with Netork 2000 and the Sprint
card l ast s ummer i n a mal l i n
Nashua, New Hampshire (Winter
89-90, Ltters) .
The adverti si ng at the Sprint
booth menti oned only the FaN
card, and sai d not hi ng about
changing long di stance carriers.
When I asked the woman about
getting the FN card, she gave me
an appli cat i on to fi l l out . But
before I signed it, I noticed i n the
fne print that I was agreeing to
change my long distance carrier to
Sprint.
I asked the woman if I had read
the application right. She at frst
sai d no, I was applyi ng for the
Page 32 2600 Magazine Spring 1990
uud iuIOHuIiOu
FaN card only. When pressed,
however, she finally admitted i t,
saying, "Well, wouldn' t you rather
have Sprint?" Only when I declined
did she tum the form over, where
there was another application for
the FaN car only.
Needl e s s to say, you know
whi ch form was face up on the
tabl e, and whi ch form you were
told to fll out when you asked for
the FaN card. I t' s i mpossi bl e to
tell who the perpetrators were :
Network 2000 or their reps.
On anot her not e , ANI i n
Nashua, NH (and maybe all of 603)
was 1 - 200- 222- 1 1 1 1 as of l ast
summer (or maybe i t was j ust 200-
222- 1 1 1 1 ) . Oddly enough, i t was
given to me freely over the phone
by a NEX tech weenie.
The Iron Warrior
No Fied Adress
'cnSt|tucMO|cr|
Dear 2600:
I t took cl ose to s ix weeks to
re c ei ve my l ast orde r of bac k
issues. Do you think customs was
pulling some stunts because when
I received the parcel i t was in a
pl ast i c bag and t he t op of t he
envel ope was ripped and sealed
with scotch tape. I s thi s how you
sent them out?
A Dedicated Subscriber
It may take a few weeks to get
back issus, but thy shouldn' t be
in a plastic bag or opened i any
way. It could have been customs,
t he post office, or some crazed
indi Vidual that at t acked it some
where along th line.
Readers: i anyt hing is wrong
with your issues, tell us. I t here
are blank or smudged pages, i t' s
ent irely our faul t . I your issues
are mangled or riped, U' s prba
bl y the post ofIe. In that case, tell
l AD fIe a comlaint wUh them.
L| STEN| NGIN (cao/|oac4]aojagc2I)
four cal l i ng card di gi ts . For the most part
radi o cmmunicati ons are easy to i ntercpt,
and keepi ng them secure i s up to you.
For t hose of you wi th scanners who
woul d l i ke t o check out mari ne tel ephone,
here are the frequenci es al located by the
FCC. Moni tori ng mar i ne t el ephone i s a
good way to get an i nsi de l ook at tel ephone
company operati on s. I f you l i ve near the
east or west coast, the Mi ssi ssi ppi Ri ver or
t he Great Lakes, there wi l l be mari ne radi o
acti vi ty . Dur i ng dayl i ght hours you may
hear transmi ssi ons from hundreds of mi l es
away due to tropospheri c ducti ng propaga
tion.
VHF Mari ne Radi otel ephone
Frequencies
Channel Ship Shore
24 1 57. 200 1 61 . 800
84 1 57. 225 1 61 . 825
25 1 57. 250 1 61 . 850
85* 1 57.275 1 61 .875
26 1 57.300 1 61 .900
86 1 57. 325 1 61 .925
27 1 57. 350 1 61 .950
87 1 57.375 1 61 .975
28 1 57.400 1 62.000
88* 1 57. 425 1 62.025
These frequenci es are al l ocated for
uses other than mari ne radi otel ephone i n
certai n areas.
Sprng 1990 2600 Magazne Page 33
(:on/inucJ]rompagc )
ties ( and regardless of the possi bi l i ty that
the system is part of the owner ' s l i vel i
hood) is scar y to me ad should be to any
one responsi ble for running a system such
as ti s. "
Here i s a s ampling of some of t he com
ments seen around the country after the
lolnet sei zure:
" As admi n i s tr at or for Zygot ,
should ] st art readi ng my users ' mai l to
make sure t hey aren' t s ayi ng anyt hi ng
naughty? Shoul d I snoop through al l the
files to make sure everyone is bei ng good?
This whole affair i s rather chi l l ing. "
" Fr om what ] have not ed wi t h
respect to Jo/net,there was a seri ous erime
commi tted there -by the [ federal author
i ti es] . I f they busted a system wi th emai l
on i t , the El ect r oni c Communi c at i on
Pri vacy Act comes i nto pl ay. Everyone
who had emai l dated l ess than I SO days
ol d on the system i s enti tled to sue each of
t he peopl e i nvolved i n t he sei zure for at
l east $ 1 , 000 pl us l egal fees and court
costs . Unl ess, of course, t he [ authori t i es)
di d i t by t he book, and got warrants to
i nterfere wi th the emai l of al l who had
accounts on the systems. I f they di d, there
arc s tri ct l i mi ts on how long they have to
i nfom the users . "
"Inti midation, threats, di sruption of
work and school , ' hi t l i sts ' , and seri ous
l egal charges are all part of t he t act i cs
bei ng used i n this ' wi tch-hunt' . That ought
t o i ndi c at e t hat per haps the us e o f
pseudonyms wasn' t such a bad i dea after
al l . "
"There ae ci vi l ri ghts ad ci vi l li b
ert i e s i s s ues here t ha t hav e yet to be
addressed. And they probably won' t even
be rai sed so long as everyone acts on the
assumpti on that all hackers ae cri mi nals
and vandal s and need to be squashed, at
whatever coSI. . . .
HI am di sturbed, on pri nci pl e, at the
conduct of at l eas t some of the federal
1PlH1LP
ivesti gations now going on. ] know sev
eral popl e who' ve taken their systems out
of publ i c access just because they can' t
risk the sei zure of their equipment (as evi
dence or for any oter reason). I f you're a
Usenet si te, you may recei ve megabytes of
new data every day, but you have no com-
Ihc//ggcs/:r/mc
/ha/has/cco
:omm///cd/s/ha/
o]:ar/os/(.
mon carri er protecti on in the event t hat
someone puts illegal i nformation onto the
Net ad thence into your system. "
I ncreased Restri cti ons
But despi te the outpourings of concer
for what ha d h appened, many s ys t em
admi ni strators and bulletin b0ard operators
fel t compel l ed to t i ght en the control of
thei r systems and t o make free speech a
l i t tl e mor e di ffi cul t, for their own protec
tion.
Bi l l Kuykendal l, system admi ni strator
for !he Po|nt, d publ i c UNIX system i n
Chi cago, made t he fol l owi ng announce
ment to the users of hi s system:
"Today, there i s no l aw or preceden t
whi ch affords me . . . the same legal ri ghts
that other common carri ers have agai nst
prosecution should some other party (you)
usc my property ( !he Po|nt) for i l l egal
activi ti es. That worries me . . . .
" ] ful l y i nt end t o expl ore t he l egal
questions rai sed here. In my opinion, the
ri ghts to free assembly and free speech
woul d b threatened i f the owners of pub
lic meeting pl aces were charged wi th te
respnsibil i ty of poli ci ng all conversati ons
held in the hallways ad l avatori es of their
faci li ti es for references to i llegal acti vi ti es.
"Under such l aws, all privately owned
meet i ng pl aces woul d be forced out of
exi stence, and the right to meet and speak
Page 3. 2600 Magazine Spring 1990
APU 1P1H1L^
freely would vanish wit tem. The com
mon sense of this reasoning has not yet
been applied to electonic meeting places
by the l egi s l ature . Thi s i ssue must be
forced, or electronic bul letin bards will
cease U exist.
"I the meatime, I intend to continue
to operate The Poin with as li ttle ri sk to
myself as pssible. Terefore, I am imple
menting a few new plicies:
"No user will be allowed to post any
message, public or private, until his name
and addess ha ben adequately verified.
Most users in the metropol i tan Chicago
area have already been validated though
the telephone number directory servi ce
provided by lI l inoi s Bell . Those of you
who recei ved val i dation notices s t ating
that your i nfor mat i on had not been
cheeked due t o a lack of time on my part
wi l l now have to wai t unt i l I get ti me
before being allowed U pst.
"Out of state addresses cannot be val i
dated i n the manner abve . . . . The short
term solution for users outide te Chicago
area is to find a s ys tem cl oser to home
than The Poin.
"Some of the planned enhancements to
The Poin are simply not going to happen
until the legal i ssues are resolved. There
wi l l be no s hel l acces s and no fi l e
upload/download facility for now.
"My apologies to all who feel inconve
nienced by these pl i ci es, but under the
circumstances, I think your compl aints
would be most effective i f made to your
state and federal legislators. Please do so! "
These restri ct i ons were echoed on
other l arge syst ems, whi l e a number of
smaller hacker bulletin bards disappeaed
altogether. We' ve been told by some in the
hacker world that this is only a phase, tat
the hacker boards wi l l be back and that
users wi l l once agai n be able to speak
without having teir words and identi ties
"regi stered". But there' s also a nagging
suspicion, the feel ing that something i s
very di fferent now. A pUblication has been
shut down. Hundreds, if not tousands, of
naes have been seized from mailing list
and will , no doubt, b investigated. Te
facts in the 9 1 1 story have been twi sted
and mi srepresented beyond recogniti on,
thanks to ignorance and sens ational i sm.
People and organi zations t hat have had
contact with any of the suspct are opn
to investigation themselves. And, around
te country, computer operators ad users
are becoming more paanoid ad less will
ing to allow free specho I te face of all
of ti s, the belief that democracy will tri
umph i n the end seems hopelessly naive.
Yet , i t ' s s omethi ng we dare not s t op
believing i n. Mere fai th i n the system,
however, is not enough.
We hop tat someday we' ll b able to
laugh at the absurdities of today. But, for
now, l et ' s concentrate on the facts and
make sure they stay in te forefront.
m
W
ere there brea-is involving te
E9 1 1 system? If so, te entire story must
be revealed. How did the hackers get in?
W
hat did they have access to?
W
hat coul d
they have done?
W
hat did they actual l y
do? Any securi ty holes that were revealed
should already have been closed. If there
1/]ac|s|n/|911
s|cj/chccnm|s|cJ
ano/srcrcscn|cJ
hcnJrcccgn|||cn,
|bnk|c|gncranccan
scnsa||cna/|so.
are more, why do they still exist? Could
the original hoies have been closed ealier
and, if so, why weren' t they? Any hacker
who caused damage to the system should
be held accountable. Period. Almost every
hacker around seems to agree with this . So
what is the problem? The glaring fact tat
Spring 1990 2600 Magazine Page 35
YllN1l 1M V' b
there doesn' t appear to have been any
actual damage. Just the usual assortment
of gaping securit holes tat never seem to
get fixed. Shoddiness in design i s some
thing that shouldn' t be overlooked in a
Pu///ug/hcb/amcou
/hchackcrs]or]ud/ng
/hc]aws/sauo/hcrwa,
o]sa,/ug/hc]/aws
shou/drcma/u
uudc/cc/cd.
system as important as E91 1 . Yet that
aspect of the case i s being side-stepped.
Putting te blame on the hackers for find
ing the faws is another way of saying the
faws should remain udetected.
Under no circumstace should the
Phrack newsktter or ay of i ts editors b
hel d as cri mi nal s for printing materi al
leaked t o them. Every publication of any
v alue has had documents given to tem
that were not originally intended for public
consumption. That' s how news stories are
made. Shutting down Phrack sends a very
ominous message to publishers ad editors
across the nation.
Finally, the pri vacy of computer
users must be respected by the govern
ment. It' s ironic that hackers ae portrayed
(clip ad savc)
as the ones who brea into systems, read
private mail, and screw up inocent peo
pl e. Yet i t ' s the federal authorities who
seem to have carte blanche in tat depat
ment. Just what did te Secret Service do
on tese computer systems? What did they
gain access to? Whose mail did they read?
And what allowed them to do tis?
Take Exception
It' s very easy U throw up your hands
and s ay i t ' s all too much. But the facts
indicat U us tat we' ve come face to face
wi th a very cri tical moment in history.
What comes out of this could b a trend
setting precedent, not only for computer
users, but for the fee press ad every citi
zen of te United States. Complacency at
tis stage will b most detrimental.
We also realize tat one of te quickest
ways of losing credibi li ty is to be shrill
and conspiracy-minded. We hope we' re
not coming across in tis way because we
trul y believe there i s a significat threat
here. If Phrack is successflly shut down
ad its editors sent to prison for writing a
article, 2600 could easily be next. And so
could scores of other publications whose
existece ruffes some feathers. We can
nt allow tis to happen.
I the past, we' ve called for people to
spread the word on various issues. More
times than not, the resul ts have ben felt.
Never has it been more important than
now. To be silent at tis stage is to accept
a very grim ad dark fture.
WHAT MAKESTALLWRTHWHLE
(CMPLETEANDLNARDGlD)
" Congress shall make no law respecting an establishment of
religion, or prohibiti ng the free exercise thereof; or abridging the
freedom of speech, or of the press; or the ri ght of the people
peaceably to assemble, and to petition the Government for a
redress of ,evances. "
Page 36 2600 Magazine Spring 1990
0 scoop o n 1 1
Documentationonthe E911 System
March1988
$79,449, 6 pages
Bell SouthStandard Practice
660-225-104SV
Review by Emmanuel Goldstein
It ot herise would have been a
quickl y forgott en text publ ished in
a hacker newsletter. But due to a"
of t he commot ion, t he Be" Sout h
E91 1 document is now very much
in t h e pu bl ic e y e . Copie s a re
extr

mel y e a sy t o come by,

despite Be" Sout h' s asserion that
the whol e t hing is worth $79,449.
Whil e we can't publ ish the actu
al document, we can repor on its
contents since it' s becom a news
story in it seH. But don' t get excited.
Ther e real l y isn ' t al l t hat much
here.
Ce rt a in acronyms ar e int ro
duced, among t hem Publ ic Safety
Answer ing Poi nt ( PSAP) , a l so
known a s Eme rge n cy Se rvice
Bureau ( ESB) . Th is is what you
get ( i n tel co l ingo) when you dial
91 1 . The imporance of close coor
inat ion between t hese agencies
I S st r esse d . Se l ect ive ro ut ing
al lows t he 91 1 cal l t o be routed to
the proper PSAP. The 1 A ESS is
used as t he tandem office for t his
rout ing. Cert ain service s made
avail abl e wit h E91 1 incl ude Forced
Disconnect , Al t ernat i ve Rout ing,
Se l ect ive Rou t i ng , Se l ect ive
Transf er , Def au l t Rout ing, Night
Serv i c e , Aut o mat ic N u mb e r
I de nt i f icat i o n , a nd Aut omat ic
Locati on I dent if icat ion.
We l earn of t he existence of t he
E9 1 1 I mpl ementat ion Team, t he
b rave me n and wome n f ro m
Network Marketing who hel p with
conf igurat ion in the difficuH cutover
period. This t eam is in charge of
forming an ongoing mai ntenance
subcommittee. We wouldn't want
t hat j u icy t idbit to get out , now
would we?
We l ear n t hat t he Swit ch ing
Control Center ( SCC) "is responsi
bl e for E91 1 /1 AESS transl at ions in
tandem central off ices". We' re not
exactl y shocked by this revel at ion.
We al so f ind out what is consid
ered a "priority one" t roubl e repor.
Any l ink down to the PSAP f its t his
def init ion. We also learn t hat when
ANI f ail s, the screens will display
a" zeroes.
We could go on but we real l y
don' t want to bore you. None of
t h is i nf o r mat ion wou l d al low a
hacker to gain access to such a
syst em. A" it affords is a chance to
u nd er st and t h e ad min ist rat ive
functions a l ittl e better. We' d l ike to
assume t hat any outside int erfer
ence to a 91 1 system is impossi
bl e. Doe s Be " Sou t h k n ow
otherise? In l ight of t heir touchi
ness on t he maUer , we have to
wonder.
We ' d be most i nt e re st ed in
hear ing f ro m peopl e wit h mor e
technical knowl edge on t he sub
j ect . What doe s t h is wh ol e
escapade tel l us? Pl ease write or
cal l so the f act s can be brought
forard.
Spring 1990 2600 Magazine Page 37
fun and gaDes
In a bi zarre stor t hat ' s sti l l i n
t he process of unfol di ng, hackers
at a 2600 meet i ng i n New York
City were monitored by i nvest i ga
ti ve agents of some sor and then
harassed by a mob of pol i ce.
Du ri ng t he meet i ngs, we get
quite a few phone cal l s at the pay
phones f rom peopl e al l over t he
wor ld . Whi l e one of us was on
such a call , t he strange man i n the
suit hol di ng a deskphone was fi rst
not i ced. Not hi ng u nu su al t here ;
got e mbarrassed and di s ap
peared.
Ten mi nut es l at er , cl ose t o a
dozen cops suddenly materi al ized
hho was fhlssfrangeman?
hhywashewafchlngus?
And whafwas fhedeskphonelor?

; i
Ci ti corp i s f i l l ed wi t h su spi ci ous

and unusual ki nds of peopl e. (We

.
fit ri ght i n. ) But then we managed
;
WW
to overhear what he was sayi ng.
He was descri bi ng what the peo-
Ihls man loundanlceposffokan
pi e at the meet ing l ooked l i ke!
agalnsflor fwohours.
We st ared watching hi m v6ty
closel y. So cl osely t hat we' re sure
h e soon r e al i zed wh at a b ad
undercover invest i gator he was.
We vi deot aped hi m. We took
hi s pict ure. We recorded hi s voi ce.
We even t ri ed to be f ri endl y but he
on the scene. They demanded to
know who we were t al ki ng to on
t he phone. Fri ends, we tol d them.
Then they told us to hang up.
"We know you' re pranking 91 1 , "
one of t hem sai d to one of u s .
Page 38 2600 Magazine Sprng 1990
at a Z meeting
"Right now we' re t rying to decide
whether or not to lock you up. "
Pranking 9 1 1 ? They had to be
kidding! M aybe a group of five
year olds would be doing that, but
UO| a group of hackers that knew
all about 91 1 tracing capabilities.
More imporantly, it was something
none of us would ever waU|to do.
We told them this and we asked
if they had actually received calls
from this location. Did ANI spit out
those numbers down at headquar
ters?
The leader of the cops seemed
to get conf used at this point and
Clos to a dozen cops
suddenly materialzed.
stared conferring with some of the
others . Then, just as quickl y as
they had arrived, they left.
What was it all about? We may
never know for s ur e. But we do
know that intimidation tactics and
frame-ups will ultimately fail.
Incidentally, 2600 meetings take
place in the public lobby of Citicorp
in New York City ( 5 3 rd Street
.he leader of the cops
seemed to get confused.
between 3rd and Lexington) from
5 to 8 pm on the first Friday of the
month. Those payphone numbers
are: 21 2-223-901 1 , 21 2-223-8927,
21 2-308-8044, 21 2-308- 81 62, and
21 2-308-8 1 84.
There wi l l be sever al 2600
meetings in California this summer
invol vi ng American and Dutch
hackers. For more inf ormation or
to meet up with us whil e we' re
over there, call 2600 at 5 1 6-75 1 -
2600.
Relax, it c(uld be an innocent
tourist taking pictures
of aI the cops.
Spring 1990 2600 Magazine Page 39
Da t a network I den t i t i ca t i on Codes
Most X. 25 based public data network
around te world ae iterconnected using
the CCIT X.75 protocol. A addessing
scheme for globa data networks is the
X. 1 21 standad. Under tis stadad, a
host address consist of 14 digit.
3110 9140123 01
DNIC NUA PORT
The above exaple address is the sae
as 91 41 23. 01 on Telenet. The NUA is the
Net work Us er Addres s o f t he ho s t
machine on that network. The DNI C for
Telenet is 3 1 10. The PORT is opti onal and
can be excl uded becaus e mos t hos t
machines will "hunt" from port t o port.
A DNIC (Data Network Identi fication
Code) is a 4 di gi t code tat is used O iden
tify te network which will connect you to
a host machine. A DNIC is used as a pre
fi x before the NUA ( Net work Us er
Address) . The first di gi t of the DNl C i s
one of 7 designated world zones.
Usi ng DNIC' s i s fairly s i mpl e. For
example, i f I was connected to Telenet ad
wanted to reach a host on the Austr i an
DATEX-P network I would use:
@ C 2322<NUA>,<NUl>,<PASSWORIh
The NUl ad PASSWORD are option
al if the host machine is willing to accept
collect call s. Your NUl ad PASSWORD
is your account that you have set up wit
Te1enet. It is very similar to a PC Pursuit
account . In fac t , if you hav e a PCP
account, you can us e that t o connect to
foreign hosts.
The following is a list of DNC' s along
wi t their countries ad network.
Country DNIC Network
Antigua 343 Aganet
Argentina 7220 ARP AC
Argentina 7222 ARP AC
Austali a 5052 AUSP AC
Austalia 5053 Data Access
Austia 2322 DATEX- P
Austia 2329 RA
Bahanas 3640 BaTelCo
Baai 4263 BAHNET
Barbados
Belgium
Bermuda
Brazil
Brazil
Canada
Canada
Canada
Canada
Cayman
I sl ads
Chile
Chile
Chile
Chile
China
Colombia
Costa Rica
Denmak
Domini can
3423
2062 DCS
3503 Bermudanet
7240 Interdata
7241 Renpac
3020 Datapac
3025 Globcat
3028 CNCP
3 1 06 Tymnet Caada
3463 l DAS
3 1 04 Entel
7302 Entel
7303 Chile-PAC
7305 VTR
4600 PTELCOM
3 1 07 DAPAQ
7 1 22 RACSAPAC
2382 Datapak
Rep 3700 \J DTS- l
Egypt 6020 ARENTO
Finland 2442 Datapak
Fr Antilles 3400 Dompac
Fr Gui ana 7420 Dcmpac
France 20S0 Transpac
France 208 1 NTI
Gabon 6282 Gabonpac
Germany F. R. 2624 DATEX-P
Greece
Greenland
Guam
Guatemal a
Honduras
Hong Kong
Hong Kong
Hungary
Icelad
Indonesia
Ireland
Israel
Italy
Italy
Ivory Coast
Jaaica
Japan
Japan
Japan
2022
2901
535 1
7043
70S0
4542
4545
2621
2740
5 1 0t
2724
425 1
2222
2227
6 1 22
3380
4401
4406
4408
Helpak
KANUPAX
PCINET
GAUTEL
HONDUTEL
ITELPAK
DATAPAK
DATEXL
Icepak
SKDP
Eirpac
Isranet
Itapac
Italcable
SYTRANPACI
Jamintel
NT DDX
NISnet
KDD Venus-P
/cao//oac4aoagc42)
Page 40 2600 Magazine Spring 1990
200 MatKotg0Oc
2600 WIL BE HAVING WET COAST but stictly telephones). Complete 7 issue
MEETINGS during t he month of Jul y. 1 1 4 page set . $1 5 ppd. Have photo copy
Haker from Holland wl also b ther. Call mahine self-sere key counter. Would like
51 6-751 -2600 to fnd out where exactly we1l to trade for red box minus its I C' S. Pete
be or to make suggestions as to where we Has, P.O. Box 702, Kent, Ohio 44240.
should go. WANTED: Red bx kit, plas, and asem-
VMS HACKERS: Fo sae: comlet set of bled units. Also, other unique proucts. For
DEC V AS mu i go cdto. Mot educatonal purpses only. Pleae snd infor-
m fo VMS rvo 4.2 5 fo 4.4. Ecllet mati on and prices t o: TJ, 2 1 Rosemont
for "explorng"; includes System Manager's Avenue, Johnston, RI 0291 9.
Refen, Gud To VAS Syt Sut, THE CHESHIRE CATALYST, former
a D M rut K Roe Wal gt, P.O. editor of te TAP newslettr, has dates avail-
Box 4, L NJ 06-4. able b letur in Europ in late August ad
WANTED: Red box plans, kits, etc. Also ealy Septembr. For lecture fees ad infor-
back issues of Phrack, Syndicate Reports, mati on on seminars to be given, write to:
and ay other hack/phreak publictons, ele- Rc Ch, P.O. 8 61, Ca Cve
tronic or pri nt HUSA 32.
wanted. - Send KEEP WATCH-
i nformati on and
Do you have somethin
g
to sel l ? Are
I
G
t SC
prices to Greg B. ,
you l oo
kin
g for somethin
g
to buy?
O
r
TAP BACK
22 1 1 O' Hara Dr. , ISUE, cmlet
Charlotte, NC
trade? This I s the pl ace! The Zb00
set Vol 1 - 91 of
28273.
Marketplace is free to subscribers!
QUAITY copes
TAP MAGAZINE
Send your ad to: Zb00 Marketplace,
from originals.
now has a BBS
P
.O. B
ox Middl e I sland, N1 T T

4
Icushmc
open for publ i c
Incl ude your address l abel .
and indexes. $10
abuse at 502-499- pstd. Via UPS
893 3. We al so
O
nly peopl e pl ease, n
o businesses.
o Frst Clas M.
have free i s s ues . Copy of 1 971
You send us a 25 Eu ace '1
cent s tamp and we send you our current
issue. Fancy huh? Mail to TAP, P. O. Box
20264, Lousville KY 4025G0264.
SUBSCRIBE TO CYBERTEK, a maga
zine centred upon technology with topics on
computer security. Send $1 0 for a one year
subscripton b Cybrtek Magazine, PO Box
64, Brewster, NY 1 0509.
NEEDED: I nfo on speech encryption
(Digicom, Crypto). Send to Hack Tic, P. O.
Box 22953, 1 1 00 DL, Amsterdam, The
Netherands.
CYBERPUNKS, HACKERS, PHREAKS,
Libertari ans , Di scordi ans , Sol di ers of
Fortune, and General l y Naught y People:
Protect your data! Send me a buck and I'll
send you an IBM PC fopy with some nify
shaeware encrypton routnes and a copy of
my paper " Cros s bows to Cryptography:
Techno-Thwarting t he State. " Chuck, The
LibrTech Poject, 8726 S. Sepulveda Blvd. ,
Suite B-253, Los Angeles, CA 9045.
RARE TEL BACK ISSUE SET (like TA
St of t lte Blu Bx" $5 & la SASE
w/45 cnt of st. Pt G., P Box 43, Mt
L NJ 054. We mt Og!
FOR SALE: Manua for stepping switches
(c) 1 964. Tis is a tue collecto's itm, with
detaled explanatons, diagras, theory, and
practi cal hints. $ 1 5 or trade for Applecat
Tone Recognition program. FOR SALE:
Genuine Bell phone hadset. Orange w/tone,
pulse, mute, listen-talk, status lights. Fully
functiona. Box clip and blt clip included.
$90 OBO. Please pos t to S. Foxx, POB
3 145 1 , River Staton, Rohester, NY 1 4627.
2600 METINGS. First Frday of the month
at the Citcor Center--fom 5 to 8 pm in the
lobby near the payphones, 1 53 E 53rd St. ,
NY, btwen Lex & 3rd. Com by, drp off
articles, ask questions. Call 5 1 6-75 1 -2600
for more i nfo Payphone numbers at
Citcor: 21 2-223- 901 1 , 212-223-8927, 21 2-
308-804, 21 2-308- 81 62, 212-308-81 84.
Deadl i ne for Summer Marketpl ace:
7/1190.
Spring 1990 2600 Magazne Page 41
Da t a network I den t i f i ca t i on Codes
(conined fom page 40)
Japan 41 0 N+CI U. Kigdom 2342 BT PSS
Korea Rep 4501 DACOM-NET U. Kingdom 2350 Mercury
Kuwait 4263 U. Kigdom 2352 Hull
Lebanon 41 55 SODETEL U. S. Virgin I 3320 UDTS-I
Luxemburg 2704 Luxpac UAE 3 1 04 IMPACS
Mal aysia 5021 Maynet UAE 4243 EM DAN
Matius 61 70 MauriData Uruguay 7482
Mexico 3340 TELEPAC USA 31 06 Tymnet
N. Atilles 3620 USA 3 1 1 0 Telenet
N. Marianas 535 1 PCInet USA 3 1 26 Autonet
Netherlads 201 Datanet- l USA 31 34 Accunet
Neterlads 209 Datanet- l USA 3 1 35 Alascom
New USA 3 1 35 Alaskanet
Caledoni a 5460 Tompac USA 3 1 39 Netexpress
New Zealand 5301 Pacnet USSR 2502 Iasnet
Norway 2422 Datapa Zimbabwe 6482 Zimnet
Panama 71 41
Panama 71 42 INTELPAQ Here is the same list in DNIC order, U
Peru 3 1 0 IMPACS help give you a sense of how te codes are
Phil ippines 5 1 5 1 CAPWIRE allocated.
Philippines 5 1 52 PGC DNIC Network Country
Phil ippines 5 1 54 GMCR 2022 Helpak Greece
Philippines 5 1 56 ETPI 201 Datanet- l Neterlands
Polynesia 5470 Tompac 209 Datanet- l Neterlands
Portugal 2680 Telepac 2062 DCS Belgium
Portugal 2682 SABD 2080 Traspac France
Puerto Rico 330 UDTS-I 208 1 NTI France
Puerto Rico 3301 PRTC 2145 Ibrpac Spain
Qatar 4271 DOH PAC 2222 Itapac Italy
Reunion 6470 Dompac 2227 Italcable Italy
San Maino 2922 X-NET 2284 Telepac Switzerlad
Saudi Arabia 4263 Bahnet 2322 DATEX-P Austri a
Singapre 5252 Telepac 2329 RA Austria
Sout Africa 6550 Saponet 2341 BTl IPSS U. Kingdom
Sout Africa 6559 Saponet 2342 BT PSS U. Kingdom
Spain 2145 Iberpac 2350 Mercury U. Kingdom
Sweden 2402 Datapak 2352 Hull U. Kingdom
Swi tzerland 2284 Telepac 2382 Datapa Denmak
Taiwa 4872 PACNET 2402 Datapa Sweden
Taiwan 4877 UDAS 2422 Datapa Norway
Thailand 520 IDAR 242 Datapak Finland
Tortola, BVI 3483 2502 Ianet USSR
Trinidad 3740 Textel 2621 DATEXL Hungary
Trinidad 3745 Datanett 2624 DATEX-P Germany F. R.
Tunisia 6050 RED25 2680 Telepac Portugal
Turkey 2862 Turpac 2682 SABD Portugal
Turks BW 3763 2704 Luxpac Luxemburg
U. Kingdom 2341 BTl IPSS 2724 Eirpac Ireland
Page 42 2600 Magazine Spring 1990
( nnH : s ) Of B8 W0l 0
2740 Icepak Iceland 441 0 NI-I Japan
2862 Turpac Turkey 4501 DACOM-NET
2901 KAUPAX Greenlad Korea Rep
2922 X-NET San Marino 4542 INELP AK Hong Kong
3020 Datapac Caada 4545 DAT AP AK Hong Kong
3025 Globdat Canada 4600 PELCOM China
3028 CNCP Canada 4872 PACNET Taiwan
3 1 0 Entel Chile 4877 UDAS Taiwan
3 1 0 IMPACS Pe1 5021 Maynet Malaysi a
3 1 0 IMPACS UAE 5052 AUSPAC Austral i a
3 1 06 Tymnet USA 5053 Data Access Australia
3 1 06 Tymnet Canada 5 1 01 SKDP Indonesia
Canada 5 1 5 1 CAPWIRE Philippines
3 1 07 DAPAQ Colombia 5 1 52 PGC Philippines
3 1 10 Telenet USA 5 1 54 GMCR Philippines
3 1 26 Autonet USA 5 1 56 ETPI Philippines
3 1 34 Accunet USA 520 IDAR Thailand
3 1 35 Alacom USA 5252 Telepac Singapre
3 1 35 Alakaet USA 5301 Pacnet New Zeaad
3 1 39 Netexpress USA 535 1 PCIE Gua
330 UDTS-I Puerto Rico 535 1 PCInet N. Mariaas
3301 PRTC Puerto Rico 5460 Tompac New Caledoni a
3320 UDTS-I U. S. Virgin I 5470 Tompac Polynesia
3340 TELEPAC Mexico 6020 ARENTO Egypt
3380 Jamintel Jamaica 6050 RED25 Tuni si a
340 Dompac Fr Antilles 61 22 SYTRANPACI
3423 Barbados Ivory Coast
3443 Agaet Anti gua 6 1 70 Mauri Data Mauritius
3463 IDAS Cayma Islands 6282 Gabonpac Gabon
3483 Tortol a, BVI 6470 Dompac Reunion
3503 Bermudanet Bermuda 6482 Zimnet Zimbabwe
3620 N. Atilles 6550 Sapnet South Afica
3640 BaTelCo Bahaas 6559 Sapnet South Afica
370 UDTS-I Dominican Rep 703 GAUTEL Guatemala
3740 Textel Trinidad 7080 HONDUTEL
3745 Datanett Trinidad Honduras
3763 Turks BWI 71 22 RACSAP AC Costa Rica
41 55 SODETEL Lebanon 7 1 41 Paama
4243 EMDAN UAE 7 142 INELP AQ Paama
4251 Israet Israel 7220 ARPAC Argentina
4263 Kuwait 7222 ARPAC Agentina
4263 BAHNET Barain 7240 Interdata Brazil
4263 Bahet Saudi Aabia 721 Renpac Brazil
4271 DOH PAC Qatar 7302 Entel Chile
4401 NT DDX Japan 7303 Chile PAC Chile
4406 NISnet Japan 7305 VTR Chile
4408 KDD Venus-P 7420 Dompac Fr Guiana
Japa 7482 Uruguay
Spring 1990 2600 Magazine Page 43
l00ut0u C0d0
0 uIC0 545 SA Santa Roa
The following u a list of all exchanges for area 546 SA Santa Roa
code 707, whi ch runs from the north end of San 552 SO Vallejo
Francisco Bay to te Oregon border along the wild, 553 SO Vallejo
widy Nor Coast of Califoria. This could be usefl 554 SO Vallejo
] you' r looking for "hidden" exchange, ANI , ring- 557 SO Vallejo
back, PacTel tet nwbrs, or just moem tones here in 571 SA Santa Roa
Sillycon Valley Nort. 573 SA Santa Roa
Pop and org centers are (i no special order) Santa 574 TR Mad River
Rosa, Petaluma , Fairfield- Suisun, Eureka, Vacaville, 574 SA Santa Roa
Vallejo, Napa, and Benecia. County codes are: NA 575 SA Santa Roa
(Napa) , N (Mendocino), LA (Lake), SA (Sonoma) , 576 SA Santa Roa
MA ( Marin), HU (Humboldt) , DN (Del Norte) , TR 577 SA Santa Roa
(Trnity), and SO (Solano). 578 SA Santa Roa
579 SA Santa Roa
224 NA Napa 5 84 SA Santa Roa
226 NA Napa 5 85 SA Santa Roa
247 N Piercy 5 86 SA Santa Roa
252 NA Napa ZV Petrolia
253 NA Napa 632 SA Cazadero
255 NA Napa 62 SO Vallejo
257 NA Napa 63 SO Vallejo
258 NA Napa SO Vallejo
263 LA Lakeor 65 SO Vallejo
270 SA Santa Roa SO Vallejo
274 LA Nice 68 SO Vallejo
275 LA Uppr Lake 66 SA Petluma-Roner Par
277 LA Kelseyville 668 Blue Lake
279 LA Kelseyville (77 Trinidad
374 SO Rio Vista 722 1 Pepprwoo
422 SO Fairfield-Suisun 725 11 Foruna
423 SO Fairfeld-Suisun 733 HU Loleta
424 SO Fairfeld-Suisun 743 N Potter Valley
425 SO Fairield-Suisun 74 ME Hopland
426 SO Fairfield-Suisun 745 SO Beneia
427 SO Fairfield- Suisun 746 SO Beneia
428 SO Fairfield-Suisun 747 SO Benecia
429 SO Fairfield- Suisun 762 SA Petaluma
431 SA Heldsburg 763 SA Petaluma
433 SA Healdsburg 76 IIU Rio Dell (Scota)
437 SO Fairfield-Suisun 3 SA Petaluma
442 11 Eureka 768 I lU Hydeville
443 Eurka 777 I IV Bridgevile
44 U Eurka 778 SA Petaluma
445 1 Eurka 785 SA Timbr Cove
446 SO Vacaville 786 \ Ferdale
447 SO Vacaville 792 SA Petaluma
448 SO Vacaville 794 SA Petaluma
449 SO Vacaville 795 SA Petaluma
457 DN Crcent City 822 HU Arcata
458 DN Crscent City 823 SA Sebastapol
b N Ukiah 826 HU Arcata
482 DN Klamath 829 SA Sebastapol
485 ME Ukiah 833 SA Kenwod
487 DN Smith River 838 SA Windsor
488 Orick 839 1 Arcata
523 SA Santa Roa 847 SA Timbr Cove
52 SA Santa Roa 857 SA Geyserville
526 SA Santa Roa 86 SO Fairfield-Suisun
2 Z SA Santa Roa 865 SA Monte Rio
528 SA Santa Roa 869 SA Guereville
538 SA Santa Roa 874 SA Occidental
`^V SA Santa Roa 875 SA Bodega Bay
542 SA Santa Roa 876 SA Valley Ford
(c0n|inaeJ0nae 1)
Page 44 2600 Magazine Spring 1990
100( | c v ' c w
The Cuckoo's Egg
By Clifford Stoll
Published by Doubleday
$19. 95, 326 pages
ISBN 0- 385-24946-2
Reviewby Dr. Will iams
Anybody who's somebody nowa
days seems to write a book. Whether
it' s a celebrity, athlete, or
entrepreneur, they all want to tell their
story. Clifford Stoll is no exception to
thi s latest craze. I n a release by
Doubl e
d
ay , Stoll shares all of hi s
exper i ences while employed at
Berkeley Labs.
In case you might have missed one
of Stoll's wri tten articles, TV inter
views, or lecture circuit appearances,
The Cuckoo's Egg is about a year
long effort to apprehend Mark Hess.
Hess was a West German hacker
breaki ng into compu ters all over
Europe, North Ameri ca, and Japan
through a tangled web of computer
networks. Until his capt ure, Stoll
watched Hess attempt to break into
over 400 computer sites on Mi lnet and
Arpanet. Hess was successful in about
40 of his attempts.
Stoll first became aware of the
hacker's presence when he discov
ered a 75 cent accounting error in the
Unix system he was administeri ng .
One thing led to another, and he real
ized an unauthorized user was on his
system. I nstead of getting rid of the
account and locking out the hacker,
Stoll methodi cally kept notes and
records on the hacker's every move.
Stoll alerted all the government agen
cies that he thought could act upn the
case. He started performing traces
with the help of Tymnet, a data carrier
on which Hess was placing his calls.
As his activities grew, the more
interest government agencies showed
in Hess. It became apparent t he hack
er was com i ng from E uro pe and
showed a strong taste for documents
concerning the Star Wars proj ect. The
slow wheels of bureaucracy stared to
move. The FBI , the only agency with
the authority to act on the case, offi
ciall y asked for help from West
Germany. With their help, the FBI was
able to q u i ckly clamp down on the
identity of the hacker. He was arrested
nearly one year afer Stoll first discov
ered the accou nt ing error in his sys-
' ter.
The Cuckoo's Egg excels i n gi ving
detai l into the inner workings of the
people i nvolved in capt uri ng Mark
Hess. Stoll provi des all of the glori ous
detai l of all the agencies involved in
the case, what thei r role was, what
their response was to the i ntrusi ons,
and what their actions were. He teils
what the CIA sai d and di d, as well as
the NSA and FBI . Everybody' s role
and their relevance to the case is dis
cussed.
The CUckoo's Egg provi des excel
lent advi ce for any network hacker.
Stoll explains what traces took place,
how long they took to perform, and
what the stu mbl ing blocks were i n
catching the hacker. Stol l tells how
many system ad mi nistrators knew
thei r systems were act ually bei ng
atacked. If the hacker did succeed in
penetrating the system, Stoll describes
how many system administrators real
ized i t and what t hey d i d once they
found out. By seeing the strong and
weak spots of system operators and
nets, a networ k hacker is more able to
act in a manner which is prudent to his
securi ty, while maki ng hi m aware of
more opprtunities.
Stoll mentions the techniques used
by the hacker to gain access to a sys-
Spring 1990 2600 Magazine Page 4S
[' | ' \ ' c 1
t em, and t he security flaws exploited.
The security fl aws are not descri bed in
det ai l, but anyone fami li ar wi t h t h e
computer systems ment i oned should
already be aware of them.
The Cuckoo's Egg does take Stoll's
reacti ons a bi t too far at t imes. Stoll
says t h e hacker managed to break
into an account when all the hacker
d i d was log i nto a guest account .
(Acount name: Guest or Anonymous.
No password. ) He fails to consider that
t hese accunts are set up precisely for
guests, regardless of whet her or not
t hey l og in for malicious reasons.
Stol l also makes too big a deal out
of ol d security holes. He is shocked to
l earn t he Gnu- Emacs holes, which go
back to t he early 80's (see some of the
TAP issues) . The X-Preserve hole for
t he vi ed i tor is another discovery to
Stol l , even though that hole i s equally
well known. Stoll's real shock comes
at learning t hat anybody can take a
publ i c readabl e encrypted password
f i l e , and use t he same password
encrypt i on scheme as t he host com
puter to make d i cti onary guesses at
passwords. This met hod is perhaps
t he oldest of them all.
The Cuckoo's Egg also suffers in
part from i ts "novelist" approach at
t i mes. Perhaps as a way to stretch out
t he materi al, the book is full of irrele
vant aspects of St oll' s l i fe and
t houghts which have nothi ng to do
wi th t he matter at hand. He constantly
bores t he reader wi th personal interac
t i ons between him and his wife-to-be,
descri bes how he spent Halloween,
Christ mas, and every ot her day, and
continual l y interjects his own "cut esi e"
observat i ons of li fe. Stoll also brings
back so many i mmat eri al anal ogi es
and stories from his grad school days
t hat t he reader would t hink he spent
t he bett er par of ei ght years j ust to get
h i s mast er' s d egree. Most hackers
read ing t he book could h ardly gi ve a
rip about Stoll's personal life.
From the security standpoint, The
Cucko's Egg stands alone. No other
book goes into the gripping detail of
the operat i ons used to catch Mark
Hess. To Stoll' s credi t , he kept a
detailed lab book of every act i vi ty,
conversat ion, and contact during the
ent ire affai r. His notes made for an
accurate retelling. Any hacker working
on a net would benefi t from reading
t his book by learning abut the weak
spots in the networks as well as how
to avoid being tracked down as Mark
Hess was.
0 (cao/|oac4]omagc44)
877 M El
878 M Toale
882 M Point Arena
884 M Gualala
886 SA Annapolis
887 SA Fortvile
894 SA Cloverdale
895 M Boonville
923 Garbrille
925 M Legett
926 AldeIoint
928 LA Cobb Mountai
935 SA Sonoma
937 M Mendocino
938 SA Sonoma
942 NA Calistoga
943 Miranda (Myers Fat)
94 NA Yountville
946 Wett
961 M For Bragg
963 NA St. Helena
96 M For Bragg
965 NA St. Helena
96 NA Lake Beresa
967 NA St. Helena
983 M Covelo
984 M Laytonville
986 H Whitethor
987 L Middletown
994 LA Lower Lake
995 L Lower Lake
996 SA Sonoma
998 LA Clerlake Oaks
Only ONE exchange in the entire ar coe that begns
wit 3? We suspect THAT might be a god plac to go
hunting.
Page 46 2600 Magazine Spring 1990
IT'S EASY
I n fact , it ' s never been eas ier t o renew your
subscripti on to Z o J J . Just look at your mai l
ing label to find out when your last i s sue
wi l l be . I f you have two or fewer i s sues
remaining, it ' s probably a good i dea to renew
now and avoid al l the heartache that usual ly
goes al ong with wait ing unt i l your subscrip
ti on has lapsed . ( We don ' t pester you with a
lot of . reminders l ike other magaz ines . ) And by
renewing for multiple years , you can cheerful
ly ignore al l o f the warnings ( and occasional
price increase s ) that appear on Page + .
l Nl Vl OPLOLl l LN
. 1 year/$1 8 . 2 years/$33 . 3 years/$48
LLLPc OL| l LN
. 1 year/$45 . 2 years/$85 . J years/$1 25
LVccP OL| l LN
. 1 year, i ndi vi dual/$30 . 1 year, corporate/$65
Ll cl McOLl | LN
. $260 (you' l l never have to deal wi th thi s agai n)
PLb l Oc (never out of date)
. 1 984/$25 . 1 985/$25 . 1 986/$25 . 1 987/$25
. 1 988/$25 . 1 989/$25
(OVERSEAS:ADD$ PERYEAR OF BACK|SSUES)
LPL PMLON cNLLLc.
I
take a look
r
I
I
I
I
I
I
L
- - - - - - - -
- -
,
loryour protccIion
lacts aboutmiar
howbluc boxcrs arc caught
build a touch tonc dccodcr
listcninginviavhl
ncws updatc
lcttcrs
thc 1 1 documcnt
lun at thc ZO
QQ
mccting
dnic codcs
ZO
QQ
markctpIacc
thc 1
Q
1 arcacodc
thc cuckoo s cgg
I
1 Z
1
4
I
1 H
ZC
I
Z4
C

I
CC
4
Q
I
41
44
I
4
O
- - - - - - - - - _ .
LLL|L LLP |LPLL
00Magazne
PO Box 7
Mdde Island, N I I9b8 U.S.A.
Foradg and Address Corection Requested
LOD^ < 1 3 0 0
|C|m| ! |P|L !
L5! C!OkC!, N 1
1 ! 7oo
| 'o| 43b \