Guide to: Hacking, Carding Phreaking By: The Dark Lord Introduction: ~~~~~~~~~~~~~~ This is a text file is Made By The Mickey Mouse Club and would ask that it would be distibuted to others for there use. This file is going to go into depth on how to Hack, Phreak, and card. There will be information that should help everyone, Hopefully!! Hacking: ~~~~~~~~~~ Hacking is a long hard process, unless you get lucky. There are many programs and aids out to make the job a lot easier, but the concept is the same no matter how you use it. First, at least on most things that you hack, you need to get some type of account or vacancy, etc... This is done by randomly entering numbers and or letters until you come up with the proper combination to find the account. Knowing the size of the account number makes this job one-hundred times easier. Thats why I suggest you find out from someone who allready has one or card one. By carding the account, it will die quickly but at least it will give you the length of the account numbers (More on that topic will be expained in the carding section). The accound numbers, do not always just contain numbers or have numbers at all in it. If it has a mix, it makes it a hell of a lot harder to get. You will just have to experiment to find out what charactors are contained in the account. Some Examples of ones that do have mixes of numbers and letters would be Pc Persuit accounts. The forms of them are usuall as such: Account: Pgp014764g Password: 23632k It looks from these that you are pretty much screw because of the way letters are mixed with numbers, thats what makes having a program so much easier. In a lot of circumstances, getting the account is the hardest part that is why having a good background of the system is a major plus in your favor. Once you have got the account, it is time to get the password for this account. Once again having the length and such makes this process not only easier, but faster. just keep entering random passwords of the length or the thought length in until you get a stoke of luck and get it. You MUST remember that 99.5 out of 100 times, this is a long process, and you have to have patience. If you don't you might as well forget ever getting on to the system or have someone else do it for you. Once you have gotten the password, look it over long and hard. Write it down and keep it, examine it. 99% of the time there is a pattern to all the account passwords. Things to look at is the password in reference to the account number. check to see if things have been added to the end or beginning like 00 or 01 or 99 of 0010 thing like that. If you see no relations, - 141 - the only other way to really find out the pattern in to get another one. Look at both of them together, see if there the same or it account 400's password is 3456 and 402's password is 3458 (they go in order) then just those as a reference to other passwords, take away so much from accounts with a lower number and add the required amounts to accounts with a higher number, etc.... But bassicly, LOOK FOR A PATTERN! Once you have got the password and the account, you have got yourself a passage way in. Although this is what you do to succeed, you have to take many precautions. They do NOT like us messing with the system and they obviously want you to pay just like the others, so they will take necessary means to nail you. They trace like you wouldn't belive. They will trace right as you get on, if you happen to be unlucky, you will never know when they are doing it either, you must ALWAYS be aware of the dangers and take precautions! Even on things that you wouldn't think that they would trace you but, be carfull. Whether they trace depends on a couple of things, here are a few major ones: 1. There bank balance 2. There desire to catch you 3. The amount of infestation in there system There are things that you can do to protect yourself, these are not all of them and none of them are sure fire ways, but hey, cutting down your chances of getting caught makes a world of difference, because remember, All the fun is taken away if you caught. Some things to do to protect yourself is: 1. Use a diverter 2. Use false information about you 3. Never stay On-line too long 4. Call during late or early hours, were there is most likely no one monitoring the system 5. Don't call frequently or during the same hours, regulate it Once again these are not all of them but these are some of the "More" helpfull things. If you follow all the step, you can reduce the change of getting caught by about 40%. f you do get caught there is not a whole lot that you can do, but some tips are, first, don't reveal any information on what you have done. Deny all charges. Sencond, plea bargin with knowladge of things, like hacked sytems etc.. But never admit that you did it. Three, and most important, get a GOOD LAWYER!!!!!!! DIFFERENT TYPES OF SYSTEMS: Pc Persuit Cp\m, Trw, Unix, Vmb, Vms - 142 - These are just a few systems, if I made a complete list There would be pratically no end to it, there are millions. Phreaking: ~~~~~~~~~~ Phreaking, Ahhhwwww, the wonderfull world of phreaking. Well to start with Phreaking is "The use of Telecommunications to others besides people of the Phone Company". Well thats my version of the definition at least. Using codes is wuit easy, there are different parts to it, the Dial-up, the code, and the number. First you will have to dial in the dial-up and on most dial ups you will get a tone or a buzz or click or something to that effect. Once you hear this, and you will know when you hear it you dial in the code. Sometime you will get another tone or beep etc. and when you do that is when you dial in the number. If you do not get another tone or whatever you just dial in the number right after you enter the code. You might have to have a test dial up to see how the tones go. In dialing the number once agian the nubers differ. You must enter the area code and then the nuber. Some require that you have a one before the area code but most that I have used do not. You can tell if the code worked right after the number has been put in not just by the error recording that you get but if right off the bat the phone begins to ring, it doesn't work. A code can also be busy. If it is busy it could mean that the code is dead or that too many people are using it at once. You might experiance this often. There are numbers that make phreaking much safer, they are called diverters. What the do is when the number that you have dial is being traced it diverts it to that number. Unless this is virgin or nobody else uses it, you will find that with in a couple of days after it is out, it will be busy, that is the annoyance about diverters, and they are also hard to get. Hacking is also put into play in phreaking by using programs to get dial ups and the codes. Getting these are done in the same way you hack anything else. Just get a program like code thief or code hacker, or make one yourself, it is quite easy. There is a danger with useing the codes. If you hack a code yourself, not just the code but the dial up amd no one else has it you can pretty well bet that it is safe. A newly hacked dial-up/code is considered "Virgin". those Ma bell is not having the problem with people phreaking off of it so they don't bother doing anything with it. But after a while, it will either Die (No Longer work) or they will start tracing off of it. The whole pain about it is, is you will never positively no when they started doing traces or things like that. The codes might be being traced but you are getting the luck of the draw. On most codes they don't trace on every call, they just file it away and watch for like the 50th or 100th caller and then that person gets nailed. You might think if they do trace every 100 calls, that means you have a 1 in 100 chance of getting caught and those are really good odds. Well the odd is 100 to 1 but the is a lot of people that live in areas that they can call with that code. If you figure about 10 million people could use it then about 100,000 - 143 - of them are. 100,000, hummmmmmm, how odes your odds look now. In a couple minute time spand 99 peoplecould have used it, and lucky you might be the 100th caller. A lot of times the take like every hundered calls and then when they get the 100th caller, that don't just trace one, they trace 100, 101, 102, 103, 104 200, 201, 202 etc. So you chances of getting caught when the heat is on the code is pretty good. There are a couple different types of codes and the two major ones are 1-800's and 950's. 800's can pretty much be dialed from anywhere in the states, but 950's stay in certain areas. Some 950 dial ups are: 9501001 9500266 9500355 9501388 And there are others, but like take me for example, where I live you cannot use 9500266. It will tell you that you cannot use that number from your dialing range or it just won't work. You might get to the point where the dial-up works but not the code. If this is the case it will say: "Invalid authorization Code" Some examples of 1-800's are as follows: 1-800-255-2255 1-800-759-2345 1-800-959-8255 There are many others but those are just a few, very few. There are also 1-800's and others that will send you directly to the operator, you must tell her the code and the number you are dialing. These are NEVER safe to use. but in one case they are alot better. I am out of town a lot so I have to use pay phones right? Well, you are safe with anything with pay phones, so that is a good way to call people. The real good thing them though, is since you must go throught th operator, the codes stay valid for up to 10 times as long as the others. But thenm again another draw back is it is not a line that you want to give real names or numbers over. Because these are often tapped, since the operator know that you used the code, they will listen in quite often, and you will never even notice. Another problem experianced with them is if you are what MMC calls "Petite Flowers", our home made word for , someone that sounds like a little kid, then they really give you a hastle about using the code. I have had a lot of people ask me if the person you are calling with the codes can get busted. The answer is "No". They cannot do anything to the person, just ask him who is calling him with the codes, and they rarely do that. Just let the person you are talking to, if they don't already know, not to tell anyone that you are calling with the codes. The phone companies do have to option of setting up a trace on that persons line and bust you when you do call - 144 - him with a code. I have never seen this done but do be aware that the phone companies are made up of intellegent adults and they are very smart and can and will nail you in many ways. I am a firm beliver that you should share a the information that you other phreakers and hackers as they should do the same with you. I also see an execption, inexperianced people. They can run it for everyone be not have the knowladge and screwing up. I realize that they need someway to build themselves up to a good phreaker but be cautions in what you give to them. Codes die really often and you really have to keep up with the phone company. Its kinda of a pain to keep up with it on your own as quickly as they work but thats why there is phreaking communities and groups such as Fhp and MMC, the gives the edge to the phreakers in the way that, you have help in keeping up with the phone companies, and in most cases if the groups or communities are working well together, you can eve stay one step ahead of good 'ole Ma bell and others. You really need to find ways of getting codes either from getting acess to the phreaking sections on the pirate boards you call or throught friends, Vmb's Loops, Confrences, etc., just try to find a good connection to people that are into phreaking too. Carding: ~~~~~~~~~ Although everything talked about in the text file to this point is illegal, and you will get busted if you get caught, this is one one the one that you can get in some major shit over. About the only thing I have talked about that this falls short of is hacking a government compter, and thats one of the Grand daddies of them all. Well, although it is a major crime, it is really cool!!!! This is the process in which you find the card number of someone and use it to purchase things. In order to card, there are a few things that you must have or it will not work. You will need to have........ 1. The Card Number 2. The Experation date 3. Card type (Master Card, Visa, etc...) Those are the main things tha you will need. Having the name of the owner is very helpfull but it is not a must. You can get by without it. You have to order everything you want by mail. A couple of "Beginner" carder that I talked to didn't understand how you would do it, but thats when they had the misconception that you actually go to the store and purchase things. That is a complete No, no. You do everything from a phone ordering service. When you call make sure that you are a t a pay phone. Don't do it your house or anywhere where it can come back to you. When you order the merchandice, once again do send it to anywhere that it can come back to you like your home, work, etc. Find a vacant house or building or anywhere else that you can send it to. Also, don't send it to a P.O. box that you have, just as dangerous. - 145 - When you do order it and you think its around the time that you will be reciving it, check the mailbox frequently. But do it during odd hours. I mean, hows it going to look you taking a package from a vacant house? Most bills are sent at the end of the month or at the biginning, so try to time it to where the bill won't come to the person untill a couple of days after you have recived the package. Ok heres how to figure it. I have found out that the bills are sent out up around the 26-30th of the month, so they will actually recive the bill around the 31-4th. Have it sent right after you think the bill has been sent. Find what you want, but try to order it from the place that guarentees the fastest delivery. When you order the item, make sure they have it in stock and don't have to get the item in first. Order the highest class of delivery but not COD or next day service. Thats cutting it too close. It should take around 2-4 weeks before you get it and if you timed it right, then it sound get there right before the person gets the bill. You need to have it in your possesion before the bill gets to the person because if they complain, they can keep it from being sent, or watch who actually gets it even while its going throught the mail process. Don't order more than a couple of things or overcharge the card, if the people at the Credit card office, see irregular charging on the card, they will follow up on it. To actually order the item you will call up the place that you will be ordering from, and when the operator answers let her know what you need to as far as what you are purchasing, etc. When she ask how you will be paying just tell her "Charge" and the the type of card like Master Card, Visa, ect. Then Tell them your name, if you don't know the name of the actuall owner of the card, Make up a false name that has NO relation to your name, not the same first, last middle what ever, nothing relating to your real name. Then continue answering all the operators questions, address (Not your own remember!) state, area code etc. They will also ask for your phone number. Make one up, not your own. If something happens to go wrong as far as delivery or if they are checking if you are who you say, then your screwed, unless of course, hehehe, the number is ALWAYS busy. Find the busiest number there is and leave them that. When they ask for the card number and experation, just tell them and do what all else you need. Wish them a good day, and hope you get it. Ok heres how you check if the card is good, and how much money can be charged on the card....... 1. Dail 1-800-554-2265 2. it will ask for the type of the card. you must put in 10 for Master Card and 20 for Visa, I am not sure about the others. 3. Next it will ask for the Identification. You will need to enter 1067 4. After all that you will have to enter the Mecrchant number, which you will either need to put in 24 or 52. One of them should work. - 146 - 5. You will then have to enter (When Prompted) the card number itself. 6. Next, the experation date of the card. 7. Last but not least the amount you want to try to get on the card. The procedure for this is enter dollars, astricks, then cents. (Example:) 100*30 = One hundred dollars and thirty cents. One thing I do need to mention, after you type in everything you must press pound (#). Like when it asks you for the type of card, if you had a Master Card you would put: 10#. when it asked for identification you would enter 1067#. If it says invalid, that either means that the card is no good or you can't charge that amount on the card. Try it again, but try a lower amount. If you get down to $1 and it still doesn't work, hehehe, you can probably guess that the card is no good. You might not be ordering just merchandice you might be ordering accounts and things like that and if you are, fine, but you have to remember, the accounts do not stay good for very long, the owner of the card gets the bill, complains and its no longer any good. And when you card and account, Nine out of ten times, they won't kill the account, they will trace in and that is when you butts really in a sling. So carding accounts and things, isn't the safest way to go, of course. nothing we have talked about it, right? Conclusion: ~~~~~~~~~~~~~~ Well thats about it for now, there should be a BIG newsletter by The mickey Mouse Club comming out soon that you have to be sure NOT to miss. I sincerely hope that you have gotten alot out of this newsletter and I would like to ask for suggestions and Ideas to make MMC a better orginazation. At this time myself and Cardiac Arresst have a Vmb at: 1-800-444-7207 [Ext] 4001. All ideas and suggestions, please bring there. Also, since your making the trip anyways, bring along some phreaking codes and all and any types of accounts. I would be greatly appreciated by: The Mickey Mouse Club. - 147 - LOD/H BUST By Pizza Man " U.S. computer investigation targets Austinites " ------------------------------------------------------ [ The above caption high-lighted the Saturday March 17, 1990 edition of the Austin American-Statesman [ Austin, Texas ]. The article has been copied in its entirety, and the main point for typing this up was because of the involvement of the LOD/H throughout the article. ] The U.S. Secret Service has seized computer equipment from two Austin homes and a local business in the past month as part of a federal investigation into electronic tampering with the nation's 911 emergency network. Armed Secret Service agents, accompanied by officers from the Austin Police Department, took the equipment in three March 1 raids that sources say are linked to a nationwide federal inquiry coordinated by the Secret Service and the U.S. attorney's office in Chicago. While federal officials have declined to comment on the investigation - which focuses on a bizarre mix of science fiction and allegations of high-tech thievery - the Austin American-Statesman has learned that the raids targeted Steve Jackson Games, a South Austin publisher of role-playing games, and the home of Loyd Blankenship, managing editor at the company. A second Austin home, whose resident was acquainted with Jackson officials, also was raided. Jackson said there is no reason for the company to be investigated Steve Jackson Games is a book and game publisher of fiction, he said, and it is not involved in any computer-related thefts. The agents, executing search warrants now sealed by a judge from public view, took computer equipment, including modems, printers, and monitors, as well as manuals, instruction books and other documents. The equipment has been forwarded to federal officials in Chicago. The Secret Service, best-known for protecting the president, has jurisdiction in the case, government officials say, because damage to the nation's telephone system could harm the public's welfare. In addition, the system is run by American Telephone & Telegraph Co., a company involved in the nation's defense. The 911 investigation already has resulted in the indictment of two computer "hackers" in Illinois and sources say federal authorities now are focusing on Austin's ties to a shadowy underground computer user's group known as the Legion of Doom. The hackers, who live in Georgia and Missouri, where indicted in Chicago. they are believed to be members of the Legion of Doom and are charged with seven counts, including interstate transportation of stolen property, wire fraud, and violations of the Computer Fraud and Abuse Act of 1986. The government alleges that the defendants stole a computerized copy of Bell South's system that controls 911 emergency calls in nine states. The information was then transferred to a computer - 148 - bulletin board and published in a hacker publication known as Phrack! A trial in the case is scheduled to begin in June. U.S. agents also have seized the final drafts of a science fiction game written by the Austin-based game company. Sources say the agents are trying to determine whether the game - a dark, futuristic account of a world where technology has gone awry - is being used as a handbook for computer crime. Steve Jackson, the owner of the local company and a well-known figure in the role-playing game industry, said neither he nor his company has been involved in tampering with the 911 system. No one in Austin has been indicted or arrested as a result of the investigation. "It is an on-going investigation. That is all I can say," said Steve Beauchamp, special agent-in-charge of the Secret Service Austin field office. "Until we can put it all together, we just do not comment," he said. Bob Rogers, Jackson's Dallas attorney, said federal officials have assured him that neither Jackson nor Jackson Games is the target of the probe. The authorities would not tell Rogers whether the inquiry focused on other company employees. As for the science fiction game, called Cyberpunk, Jackson said federal authorities have mistaken a fictional work for a technical manual [E.N. Why does this sound all too familiar?] . "It's not a manual for computer crime any more than a Reader's Digest story on how to burglar-proof your house is a manual for burglars," said Jackson, 36. "It's kind of like the hints you get on safe-cracking from a James Bond movie." Blankenship, the author of the book, said his attorney has advised him not to comment on the book or the Secret Service investigation. Jackson said he guesses his company was linked to the 911 probe by its use of a computer bulletin board system, called Usenet. The board, one of hundreds throughout the country, is a sort of electronic Town Square, where personal computer users from throughout the world can tap into the system via phone lines and a modem. The network, free and relatively unregulated, is an information exchange where users can post information, exchange electronic messages and debate with keyboards everything from poetry and politics to nuclear war. One of the world's largest networks - boasting more than 600,000 users - Usenet was tapped by Chinese students in North America to organize support for students during the pro-democracy demonstrations last year. The network also was infected in 1988 by a now-famous computer "virus" unleashed by college student Robert Morris. Jackson said his company has maintained a bulletin board on the Usenet network on which it posts advanced copies of its role-playing games. The firm posts the games and requests that the users of the network comment on the text and propose improvements. The Jackson bulletin board, called Illuminati, greets users with the - 149 - company's logo and a message that states: "Welcome to the World's Oldest and Largest Secret Conspiracy." Over the past several months, the company has been posting drafts of Cyberpunk for review. The resident of the second Austin home raided by the Secret Service was acquainted with Jackson and had made comments about the game on Usenet. He asked to remain anonymous. Typical of Cyberpunk literature, the game is set in a bleak future, much like the world portrayed in Max Headroom, formerly a network television program. Computers and technology control people's thoughts and actions and are viewed both as a means of oppression and as a method of escape. Portions of Jackson's Cyberpunk viewed by the Austin American Statesman include a detailed discussion on penetrating government computer networks and a list of fictitious programs used to break into closed networks. Bruce Sterling, an Austin science fiction writer and one of the world's best-known Cyberpunk writers, said Jackson's game and its computer-related discussions are hardly unusual for the genre. "Cyberpunk is thriller fiction." Sterling said. "It deals to a great extent with the romance of crime in the same way that mysteries or techno-thrillers do." He said the detailed technical discussions in the Jackson games are what draws people to them. "That's the charm of simulating something that's supposed to be accurate. If it's cooked up out of thin air, the people who play these games are going to lose interest." Jackson, though, said he has been told by Secret Service agents that they view the game as a user's guide to computer mischief. He said they made the comments where he went to the agency's Austin office in an unsuccessful attempt to reclaim some of his seized equipment. "As they were reading over it, they kept making outraged comments," Jackson said. "When they read it, they became very, very upset. "I said, 'This is science fiction.' They said, 'No. This is real.'" The text of the Cyberpunk games, as well as other computer equipment taken from Jackson's office, still has not been returned. The company now is working to rewrite portions of the book and is hoping to have it printed next month. In addition to reviewing Cyberpunk, sources say federal authorities currently are investigating any links between local computer hackers and the Legion of Doom. The sources say some of the 911 information that is the subject of Chicago indictments has been traced to Austin computers. Jackson's attorney said federal officials have told him that the 911 information pilfered from Bell South has surfaced on a computer bulletin board used at Steve Jackson games. But the information apparently has not been traced to a user. Jackson said that neither he nor any of his employees is a member of the Legion of Doom. Blankenship, however, did consult with the group in the course of researching the writing the Cyberpunk game, Jackson said. Further, the group is listed in the game's acknowledgments for its aid in providing technical information used in Cyberpunk. For these reasons he believes Blankenship is - 150 - a local target of the federal probe, though none of the investigators has yet confirmed his suspicion. "My opinion is that he is (being investigated)," Jackson said, "If that's the case, that's gross. he had been doing research for what he hoped would be a mass-market book on the computer underground," Jackson said. The other Austin resident raided by the authorities, who asked to remain anonymous, acknowledged that he is the founding member of the Legion of Doom and that copies of the 911 system had surfaced on the group's local bulletin board. The 20-year-old college student said the information hardly posed any threat to the 911 system. "It was nothing," he said. "It was garbage, and it was boring." In the Chicago indictment accuses the group of a litany of electronic abuses, including: disrupting telephone service by changing the routing of telephone calls; stealing and modifying individual credit histories; stealing money and property from companies by altering computer information; and disseminating information about attacking computers to other computer hackers. The Austin Legion of Doom member said his group's worst crime is snooping through other people's computers. "For the most part, that's all we do," he said. "No one's out ripping off people's credit cards. No one's out to make any money. "We're just out to have fun." The group member said the fact that the legion is shrouded in mystery adds to its mystique - and to the interest law enforcement agents have in cracking the ring. "It's an entirely different world," the student said. "It's a very strange little counter-culture. "Everybody who exists in that world is familiar with the Legion of Doom," he said. "Most people are in awe or are intimidated by it." A shadowy gang of computer hackers with ties to Austin has become the target of a massive federal probe into the nation's high-tech underground. Federal and local authorities involved in the inquiry seized evidence from three Austin homes and a business in March. They say some action on the local cases, possibly including indictments or arrests, is expected in the next month. The computer crime crackdown - the largest ever launched by the U.S. government - has resulted in the temporary disbanding of the Legion of Doom, a notorious national group of young computer hobbyists with at least two Austin members. State and federal investigators say the 6-year-old group, which once boasted more than 150 members in nearly every U.S. state, has been connected to a string of computer crimes in Texas, Georgia, Arizona, Illinois, California and New Jersey. Officials say group members have electronically stolen money and long-distance telephone access numbers, changed credit reports, planted datadestroying computer viruses in government networks, attempted to tamper with hospital patient records, and distributed information that, if used, could have debilitated the nation's 911 emergency response network. So far, only four Legion of Doom members have been indicted for the crimes, and none has gone to trial. However, an investigation team - 151 - coordinated by Assistant U.S. Attorney William Cook in Chicago and including the secret Service, the U.S. Department of Justice, the FBI and a handful of state attorney generals, has in the past six months raided the homes and businesses of about a dozen suspected legion members across the country. In Austin, Secret Service agents, local police and officers from the University of Texas Police Department seized computer equipment and documents from three homes as part of the probe. One local business, a role-playing game- publishing company called Steve Jackson Games, also was raided in the March crackdown, but officials say the firm is not a primary target of the hacker investigation. The firm is believed to have been raided because investigators wanted to examine equipment used by an employee. The search warrants used in the raids remain sealed from public view, and Secret Service and UTPD officials declined to comment on the case. Law enforcement sources say one of the targets of the Austin investigation is a juvenile who is not believed to be a member of the hacker group. The two other Austinites under investigation are legion members, authorities say, and have been linked to the 911 probe centered in Chicago. According to law enforcement sources, the two men helped circulate information about the 911 system's software through a national bulletin board network that hackers could call by using a telephone, a computer and a modem. In addition, details about ways to tamper with the emergency system were published in Phrack, a legion newsletter. While no one in Austin has been indicted or arrested, officials said they expect some action on the local cases in the next month. And state and federal authorities involved in the national investigation say they are preparing dozens of additional indictments aimed at the entire membership roster of the Legion of Doom. "It doesn't matter whether you commit a burglary by telephone or by breaking into a building," said Gail Thackeray, an assistant attorney general in Arizona, one of a handful of state investigators working solely on computer crime. "Did they expect that the rest of us would sit by and let every idiot kid in America break into our 911 system?" she said. "I do not respect the right of hackers to learn what they want to learn at the expense of the rest of us." Thackeray, who helped investigate a hacker's attempt to break into the computer system at the Barrow Neurological Institute in Phoenix, said the recent legion crackdown is a result of improved coordination among law enforcement agencies with jurisdiction over computer crime. In addition, she said, the effort has been boosted by a new breed of investigators with computing expertise. Because of the potential for widespread damage to both government and business computer systems, officials say the hacker probe has caught the eye of the Justice Department, which is pushing U.S. attorneys throughout the country to beef up their computer crime-fighting capacity. "There is a push on Capitol Hill to shore up our activity in this area," said an assistant U.S. attorney who asked not to be named. "I think this is the beginning of a boom." Said Thackeray: "There's more computer crime going on out there than any one agency can - 152 - handle. We're totally flooded." For members of the Legion of Doom, the unwanted law enforcement attention is nothing new. Formed in 84 and named for a gang at took on Superman and other heroes in the television cartoon Superfriends, the group has survived two other waves of criminal investigations. The first, in 1985, resulted in the Arrrest and conviction of five of the legion's founders for credit card fraud and theft by wire. After a brief resurgence, group members again were arrested en masse in 1987, only to revive again in 88. But according to investigators familiar with the group, pressure form the recent legion crackdown is the most intense to date. Several of the investigators said the legion has shut down, at least for now. A history of the group written by one of its founders and obtained by the Austin American- Statesman seems to bear out investigators' suspicions. The 10- page document recounts significant developments in the group's history, from its founding in 1984 (an event "that would ulti- mately change the face of the computer underground forever," the brochure states), to its current, besieged status. The pamphlet acknowledges that "there is no indication that points to a resurgence in the future" and ends with the words "Legion of Doom (84-90)." The brochure also takes potshots at federal investiga- tors and the media, often accused by legion members of exaggera- ting their crimes and sensationalizing the group. "The Legion of Doom has been called everything from 'organized crime' to a 'communist threat to national security' to an 'international conspiracy of computer terrorists bent on destroying the nation's 911 service,'" the brochure states. "Nothing comes closer to the actual truth than 'bored adolescents with too much spare time.'" Finally, the legion history includes an "alumni" list that conttains the code names of 38 current and former members. According to the legion's own accounting, 14 of the 38 people on the list have either been convicted of computer crimes or are under investigation. Officials familiar with the group say the legion's characterization of itself as a clique of bored whiz kids is inaccurate. Instead, they portray group members as sophisticated and organized malcontents who do not accept conventional concepts of respect and trust. "These are not just wacky kids," Thackeray said. "They have absolute contempt for the rest of us." "They are constantly in a high-level skill kind of game, part of a thrill. They've totally lost touch with reality." William Murray, a systems security fellow for the Ernst & Young accounting firm, said even though hackers take advantage of the tremendous power of personal computers, they still view their crimes as an electronic game of cat and mouse. "This whole sense of excitement and joy is not tempered," Murray said. "Nobody has told them that they have a responsibility for polite behavior." Some states, including Arizona, are developing treatment programs for hackers. Patterned after Alcoholics Anonymous and drug-treatment centers, the programs are aimed at rehabilitating hackers who have grown dependent on their craft. "It is absolutely addictive behavior," Thackeray said. "When they get their hands on tools as powerful as these computers, they lost all judgement." - 153 - Operation "Sun-Devil" by Phreak_Accident ===================== May 9th and 10th brought on two day thats would be marked in every hackers history book. The reason we assume these days will be important to many, is that maybe it's time we opened are eyes and saw the witch hunt currently in progress. In less than 48 hours, 150 Secret Service men and other law officials served 30 search warrents in 14 cities around the nation (This thing was hudge). Operation "Sun-Devil" (As the Attorney General in Phoenix called it), was a success on their part. "The investigation though is not over, and there are more warrents to be executed.", said Jim Folwer of L.A's Secret Service. Any details of the investigation are not being given out at this time. The Asst. Attorney General of Pheonix told Phrack Inc. that there were other problems involving the investigation and that it was an ongoing investigation for the last TWO years. It is my understanding that Gail Thackeray and the Secret Service are not, taking this lightly. She told Phrack inc. that they are not distinquishing pirates, hackers, or phreakers. Basically, it's any kid with a modem that calls a BBS with an alias. Yes, we are the witches, and we are being hunted. The following are Two news releases obtianed via fax through the U.S. Secret Service for Phrack Inc. N E W S R E L E A S E FOR IMMEDIATE RELEASE CONTACT: Gail Thackeray ------------------------ Assitant Attorney General May 9, 1990 @ 11:00 A.M. (602) 542-4266 Attorney General Bob Corbin announced today that in connection with an eighteen-month joint investigation into computer crime conducted with the United States Secret Service and the United States Attorney's office, the Arizona Attorney General's office has executed seven search warrants in which computers, electronic bulletin boards, telephone test equipment and records have been seized. The Organized Crime and Racketeering Division investigation involved complaints by Arizona and out of state victims of substantial financial losses resulting from credit card fraud and theft of long distance telephone and data communications services, and by victims of attacks on computer systems operated by government agencies, private corporations, telephone companies, financial institutions, credit bureaus, and a hospital. The Arizona Attorney General's office received information and technical assistance from the Glendale, Arizona Police Department's Computer Crime Unit, and from many private sector sources, including Bellcore (Bell Communications Research), American Express, Communications carriers U.S. Sprint, AT&T, MCI,Com Systems, MidAmerican Communications, LDL Communications, and Shared Use Network. Without the cooperation of these companies and of numerous federal, - 154 - state and local law enforcement agencies around the country, this investigation would have been impossible. The privacy of our citizens and the health of our economy depend upon secure, reliable computer systems. Computer fraud and attempts to compromise senstitive public and private computer systems will not be tolerated. Individuals who commit these offenses in Arizona can expect to be prosecuted. .end. P R E S S R E L E A S E FOR IMMEDIATE RELEASE Contact: Wendy Harnagel Wednesday, May 9, 1990 United States Attorney's Office ---------------------- (602) 379-3011 PHOENIX -- Stephen M. McNamee, United States Attorney District of Arizona, Robert K. Corbin, Attorney General for the State of Arizona, and Henry R. Potosky, Acting Special Agent in Charge of the United States Secret Service Office in Phoenix, today announced that approximately twenty-seven search warrants were executed on Monday and Tuesday, May 7 and 8, 1990, in various cities across the nation by 150 Secret Service agents along with state and local law enforcement officials. The warrants were issued as a part of Operation Sundevil, which was a two year investigation into alleged illegal computer hacking activities. The United States Secret Service, in cooperation with the United States Attorney's Office, and the Attorney General for the State of Arizona, established an operation utilizing sophisticated investigative techniques, targeting computer hackers who were alleged to have trafficked in and abuse stolen credit card numbers, unauthorized long distance dialing codes, and who conduct unauthorized access and damage to computers. While the total amount of losses cannot be calculated at this time, it is estimated that the losses may run into the millions of dollars. For example, the unauthorized accessing of long distance telephone credit cards have resulted in uncollectible charges. The same is true of the use of stolen credit card numbers. Individuals are able to utilize the charge accounts to purchase items for which no payment is made. Federal search warrants were executed in the following cities: Chicago, IL - Cincinatti, OH - Detroit, MI - Los Angeles, CA Miami, FL - Newark, NJ - New York, NY - Phoenix, AZ - Pittsburgh, PA - Plano, TX - Richmond, VA - San Diego, CA San Jose, CA Unlawful computer hacking imperils the health and welfare of individuals, corporations and government agencies in the United States who rely on computers and telephones to communicate. Technical and expert assistance was provided to the United States - 155 - Secret Service by telecommunication companies including Pac Bel, T&T, Bellcore, Bell South, MCI, U.S. Sprint, Mid-American, Southwestern Bell, NYNEX, U.S. West, and by the many corporate victims. All are to be commended for their efforts for their efforts in researching intrusions and documenting losses. McNamee and Corbin expressed concern that the improper and alleged illegal use of computers may become the White Collar crime of the 1990's. McNamee and Corbin reiterated that the state and federal government will vigorously pursue criminal violations of statutes under their jurisdiction. Three individuals were arrested yesterday in other jurisdictions on collateral or independent state charges. The investigations surrounding the activities of Operation Sundevil are continuing. The investigations are being conducted by agents of the United States Secret Service and Assistant United States Attoryney Tim Holtzen, District of Arizona, and Assistant Arizona Attorney General Gail Thackery. .end. _________________________________________________________________ RIPCO May 8th, 1990 ----- ------------- Operation Sun-Devil claimed more than just a few "Codelords" around the states, it claimed one of the oldest and more popular boards. Nobody knows when or if RIPCO shall return. Reportedly, Dr. Ripco was charge on a hand-gun violation after his house was searched. Phrack inc. can't comment on this. The following is the exact transcript of the message left on RIPCO's answering maching after Operation Sun-Devil. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - This is 528-5020. As you are probably aware, on May 8, the Secret Service conducted a series of raids across the country. Early news reports indicate these raids involved people and computers that could be connected with credit card and long distance toll fraud. Although no arrests or charges were made, Ripco BBS was confiscated on that morning. It's involvement at this time is unknown. Since it is unlikely that the system will ever return, I'd just l say goodbye, and thanks for your support for the last six and a half years. It's been interesting, to say the least. Talk to ya later. {Dr. Ricpo} *** END OF VOICE MESSAGE *** _________________________________________________________________ {C}omputer {E}mergency {R}esponse {T}eam ---------------------------------------- Some call it "Internet Police" -- Others call it "just stupid." CERT however is a mix. But I do give them credit -- After all, have your number one goal being 'making the Internet more secure' has to be a tough task. Therefore, we give them credit. However, - 156 - CERT is funded by DARPA, which is a government agency. And anything in my book that the government runs is bad news. Yes, the government pays the 6 man salary and keep their hot-line active 24 hours a day. Ahh.. What do you know about CERT? "Nothing" you say? Well, the following is the press release and other reprints of information about CERT. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Richard Pethia DEAR XXXXXXXXX, I have been reviewing our correspondence files and have discovered that your request for information may not have been filled. I apologize for the delay and hope that the information is still useful to you. If, after reading the following, you have additional questions or would like to subscribe to one of our information lists, please send email with your question/request. The Computer Emergency Response Team (CERT) was established by the Defense Advanced Research Projects Agency in November of 1988 to serve members of the Internet Research community. The press release below describes the general role of the CERT. More specifically, the CERT supports individual Internet sites by: -Working with site personnel to help resolve individual computer security incidents. Contact potentially affected sites to warn them of possible security breaches. Work with sites to change the conditions that allowed incidents to occur. -Issuing advisories that alert the community to specific system vulnerabilities or intrusion techniques, as well as the methods to protect against them. -Working with the community and system (primarily Unix) vendors to reslove specific system vulnerabilities. -Maintaining and operating moderated mailing lists that: (1) provide a discussion forum for tools and techniques to improve the security of Unix systems, and (2) provide a discussion forum and alert mechanism for PC viruses, trojan horses, etc. Over the past year we have developed hundreds of working relationships with members of the Internet and other communities and have established an extensive information collection and dissemination network. Because of this network of cooperating individuals and organizations, we are often able to advise the community of problems allowing them to take corrective action before being affeceted by those problems. No. 597-88 (202) 695-0192 (Info.) (202) 697-3189 (Copies) IMMEDIATE RELEASE 12 6, 1988 (202) 697-5737 (Public/Industry) DARPA ESTABLISHES COMPUTER EMERGENCY RESPONSE TEAM The Defense Advanced Research Projects Agency (DARPA) announced - 157 - today that it has established a Computer Emergency Response Team (CERT) to address computer security concerns of research users of the Internet, which includes ARPANET. The Coordination Center for the CERT is located at the Software Engineering Institute (SEI), Carnegie Mellon University, Pittsburgh, PA. In providing direct service to the Internet community, the CERT will focus on the special needs of the research community and serve as a prototype for similar operations in other computer communities. The National Computer Security Center and the National Institute of Standards and Technology will have a leading role in coordinating the creation of these emergency response activities. The CERT is intended to respond to computer security threats such as the recent self-replicating computer program ("computer virus") that invaded many defense and research computers. The CERT will assist the research network communities in responding to emergency situations. It will have the capability to rapidly establish communications with experts working to solve the problems, with the affected computer users and with government authorities as appropriate. Specific responses will be taken in accordance with DARPA policies. It will also serve as a focal point for the research community for identification and repair of security vulnerabilities, informal assessment of existing systems in the research community, improvement to emergency response capability, and user security awareness. An important element of this function is the development of a network of key points of contact, including technical experts, site managers, government action officers, industry contacts, executive level decision-makers and investigative agencies, where appropriate. Because of the many network, computer, and systems architectures and their associated vulnerabilities, no single organization can be expected to maintain an in-house expertise to respond on its own to computer security threats, particularly those that arise in the research community. As with biological viruses, the solutions must come from an organized community response of experts. The role of the CERT Coordination Center at the SEI is to provide the supporting mechanisms and to coordinate the activities of experts in DARPA and associated communities. The SEI has close ties to the Department of Defense, to defense and commercial industry, and to the research community. These ties place the SEI in a unique position to provide coordination support to the software experts in research laboratories and in industry who will be responding in emergencies and to the communities of potentially affected users. The SEI is a federally-funded research and development center, operating under DARPA sponsorship with the Air Force Systems Command (Electronic Systems Division) serving as executive agent. Its goal is to accelerate the transition of software technology to defense systems. Computer security is primarily a software - 158 - problem, and the presence of CERT at the SEI will enhance the technology transfer mission of the SEI in security-related areas. -END- QUESTIONS AND ANSWERS: DARPA ESTABLISHES CERT, 12/6/88 Q: Can you provide background on earlier break-ins? A: On November 2, 1988, thousands of computers connected to unclassified DoD computer networks were attacked by a virus. Although the virus did not damage or compromise data, it did have the effect of denying service to thousands of computer users. The computer science research community associated with the Defense Advanced Research Projects Agency (DARPA), along with many other research laboratories and military sites that use these networks, quickly responded to this threat. They developed mechanisms to eliminate the infection, to block the spread of the self-replicating program, and to immunize against further attack by similar viruses. Software experts from the University of California at Berkeley, with important contributions from the Massachusetts Institute of Technology and other network sites, rapidly analyzed the virus and developed immunization techniques. These same software experts also provided important assistance in the more recent Internet intrusion of 27-28 November. As the events unfolded, DARPA established an ad hoc operation center to help coordinate the activities of software experts working around the clock and to provide information to appropriate government officials. The operations center had three main tasks. It facilitated communications among the many groups affected, it ensured that government organizations were promptly informed of developments, and it provided initial technical analysis in DoD. Although the threat was contained quickly, a more maliciously designed virus could have done serious damage. The recent events serve as a warning that our necessarily increasing reliance on computers and networks, while providing important new capabilities, also creates new kinds of vulnerabilities. The Department of Defense considers this an important national issue that is of major concern in both the defense and commercial sectors. The DoD is developing a technology and policy response that will help reduce risk and provide an emergency reaction response. Q: Who will be on the CERT? A: The CERT will be a team of over 100 experts located throughout the U.S. whose expertise and knowledge will be called upon when needed. When not being called upon, they will continue their normal daily work. As noted in the release, these experts will include: technical experts, site managers, government action officers, industry contacts, executive-level decision-makers and representatives from investigative agencies. recommendations that will be acted upon by DoD authorities. - 159 - Q: Is the CERT fully operational now? A: We are in the very early stages of gathering people for the CERT. We are first concentrating on collecting technical experts. A staff is in place at SEI, but details are still being worked out. Q: Will there just be one CERT? A: The intent is that each major computer community may decide to establish its own CERT. Each CERT will therefore serve only a particular community and have a particular technical expertise. (The DARPA/SEI CERT will serve, for example, the research community and have expertise in Berkeley-derived UNIX systems and other systems as appropriate.) The National Computer Security Center and the National Institute of Standards and Technology will support the establishment of the CERTs and coordinate among them. Q: What are the special needs of the research community that their CERT will serve? A: The special challenge of the research community is improving the level of computer security without inhibiting the innovation of computer technology. In addition, as is often DARPA's role, their CERT will serve as a prototype to explore the CERT concept so that other groups can learn and establish their own. Q: Does the CERT Coordination Center have a press point of contact? A: No. Their function is to serve as a nerve center for the user community. .end _________________________________________________________________ USA Today and the devil ----------------------- Many controversies have been made of the article printed in USA Today after Operation Sun-Devil took it's toll. Phrack inc. tried to contact the author, and with no luck she wast accepting phone calls. Please remember, this is only a USA Today article -- C'mon, get real USAT. byline 'Debbie Howlett, USA Today' reads: A network of computer hackers operating in 14 cities -- which bilked phone companies of $50 million -- has been unplugged, police say. - 160 - "We're not talking about somebody who played Space Invaders too many times," says Tim Holtzen, spokesman for the U.S. attorney in Phoenix. The hackers -- the largest such ring discovered in the USA --broke into phone company and bank computer systems to obtain account numbers and run up an unknown total in debts, police say. "The main thing is the life-threatening information these computer hackers were trying to get into," says Richard Adams of the Secret Service. "It goes beyond being monetary to totally mischievous." The ring was uncovered 18 months ago, when members tried and failed to infiltrate computers at Barrows Neurological Institute in Phoenix. They later tried to block incoming calls to the 911 emergency service in Chicago. The motivation? "The primary reason is as kind of a malicious hobby." says Gary Chapman of Computer Professionals for Social Responsibility. "People are interested in testing their skills against security measures." But, Adams says, "I hate to minimize it by saying it was just for kicks." Police seized 40 computers and 23,000 disks during searches Tuesday in 14 cities, officials said Wednesday. Five men, between the ages of 19 and 24, have been arrested. What's been uncovered so far, says Holtzen, may be "just the tip of the iceberg." - 161 - THE ART OF INVESTIGATION By The Butler There are many ways to obtain information about individuals. I am going to cover some of the investigative means of getting the low down on people whom you wish to know more about. Some of the areas I will cover are: Social Security Checks Driving/Vehicular Records Police Reports FBI Records Insurance Records Legal Records Credit Bureau Checks Probate Records Real Estate Records Corporate Records Freedom Of Information Act Governmental Agency Records Maps Tax Records To obtain information from some organizations or some individuals one must be able to "BULLSHIT"!!! Not only by voice but in writing. Many times you must write certain governmental bodies requesting info and it can only be done in writing. I can't stress enough the need for proper grammer and spelling. For you to obtain certain information about another person you must first get a few KEY pieces of info to make your investigation easier. The persons Full Name, Social Security Number, Date & Place of Birth will all make your search easier and more complete. First of all in most cases you will know the persons name you want to investigate. If not you must obtain it any way you can. First you could follow them to their home and get their address. Then some other time when they are gone you could look at their mail or dig through their trash to get their Full Name. While in their trash you might even be able to dig up more interesting info like: Bank Accout Numbers, Credit Card Numbers, Social Security Number, Birth Day, Relatives Names, Long Distance Calls Made, etc. If you can't get to their trash for some reason take their address to your local library and check it against the POLKS and COLES Directories. This should provide you with their Full Name, Phone Number, Address, and how long they have lived at the current location. You can also check the Local Phone Book, Directory Assistance, - 162 - City Directories, Post Office, Voter Registration, Former Neighbors, Former Utilities (water, gas, electric, phone, cable, etc.) If you know someone who works at a bank or car dealer you could have them run a credit check which will reveal all of their credit cards and if they have ever had any late payments or applied for any loans. If you are brave enough you could even apply for a loan impersonating the individual under investigation The Credit Bureau also has Sentry Services that can provide deceased social security numbers, postal drop box address and known fraudulent information. You can get an individuals driving record by sending a letter to your states Department of Revenue, Division of Vehicles. You can also get the following: Driver Control Bureau For Driving Record send Name, Address, Date of Birth and usually a $1 processing fee for a 5 year record. Titles & Registration Bureau For ownership information (current and past). Driver License Examination Bureau To see what vision was rated. Motor Carrier Inspection & Registration Bureau To check on licensing and registration of trucks/trucking companies. Revocation Dept Can verify if someone's driver's license has ever been suspended or revoked. You can even obtain a complete vehicle history by sending the vehicle description, identification # for the last registered owner, and a small fee. Send this info to your states Dept of Vehicles. It is best to contact them first to get their exact address and fees. I would advise using a money orders and a P.O. Box so they cannot trace it to you without a hassle. Police Records All Police and Fire Records are Public record unless the city is involved. You can usually get everything available from the police dept including: Interviews, maps, diagrams, misc reports, etc. FBI Records If the individual you are inquiring about is deceased the FBI will provide some info if you give them Full Name, SSN, Date & Place of Birth. Contact you local FBI office to get the details. - 163 - Real Estate Records Recorder of Deeds offices in each county maintain land ownership records. Most are not computerized and you have to manually search. Then you must review microfilm/fiche for actual deeds of trust, quit claim deeds, assignments, mortgage, liens, etc. A title company can run an Ownership & Equity (O&E) search for a fee ($80-$100) which will show ownership, mortgage info, easements, taxes owned, taxes assessed, etc. Most county assessors will provide an address and value of any real property if you request a search by name. Social Security Records Social Security Administrator Office of Central Records Operations 300 North Greene Street Baltimore, Maryland 21201 301-965-8882 Title II and Title XVI disability claims records, info regarding total earnings for each year, detailed earnings information show employer, total earnings, and social security paid for each quarter by employer. Prices are approximately as follows: 1st year of records $15.00 2nd-5th year of records $ 2.50 per person 6th-10th year of records $ 2.00 per person 11th-15th year of records $ 1.50 per person 16th-on year of records $ 1.00 per person ** Call for verification of these prices. ** Social Security records are a great source of information when someone has been relatively transient in their work, or if they are employed out of a union hall. If you want to review a claim file, direct your request to the Baltimore office. They will send the file to the social security office in your city for you to review and decide what you want copies of. The first three digits of a social security number indicate the state of application. - 164 - The Social Security Number SSA has continually emphasized the fact that the SSN identifies a particular record only and the Social Security Card indicates the person whose record is identified by that number. In no way can the Social Security Card identify the bearer. From 1946 to 1972 the legend "Not for Identification" was printed on the face of the card. However, many people ignored the message and the legend was eventually dropped. The social security number is the most widely used and carefully controlled number in the country, which makes it an attractive identifier. With the exception of the restrictions imposed on Federal and some State and local organizations by the Privacy Act of 1974, organizations requiring a unique identifier for purposes of controlling their records are not prohibited from using (with the consent of the holder) the SSN. SSA records are confidential and knowledge of a person's SSN does not give the user access to information in SSA files which is confidential by law. Many commercial enterprises have used the SSN in various promotional efforts. These uses are not authorized by SSA, but SSA has no authority to prohibit such activities as most are not illegal. Some of these unauthorized uses are: SSN contests; skip-tracers; sale or distribution of plastic or metal cards; pocketbook numbers (the numbers used on sample social security cards in wallets); misleading advertising, commercial enterprises charging fees for SSN services; identification of personal property. The Social Security Number (SSN) is composed of 3 parts, XXX-XX-XXXX, called the Area, Group, and Serial. For the most part, (there are exceptions), the Area is determined by where the individual APPLIED for the SSN (before 1972) or RESIDED at time of application (after 1972). The areas are assigned as follows: 000 unused 387-399 WI 528-529 UT 001-003 NH 400-407 KY 530 NV 004-007 ME 408-415 TN 531-539 WA 008-009 VT 416-424 AL 540-544 OR 010-034 MA 425-428 MS 545-573 CA 035-039 RI 429-432 AR 574 AK 040-049 CT 433-439 LA 575-576 HI 050-134 NY 440-448 OK 577-579 DC 135-158 NJ 449-467 TX 580 VI Virgin Islands 159-211 PA 468-477 MN 581-584 PR Puerto Rico 212-220 MD 478-485 IA 585 NM 221-222 DE 486-500 MO 586 PI Pacific Islands* 223-231 VA 501-502 ND 587-588 MS 232-236 WV 503-504 SD 589-595 FL 237-246 NC 505-508 NE 596-599 PR Puerto Rico 247-251 SC 509-515 KS 600-601 AZ - 165 - 252-260 GA 516-517 MT 602-626 CA 261-267 FL 518-519 ID *Guam, American Samoa, 268-302 OH 520 WY Northern Mariana Islands, 303-317 IN 521-524 CO Philippine Islands 318-361 IL 525 NM 362-386 MI 526-527 AZ 627-699 unassigned, for future use 700-728 Railroad workers through 1963, then discontinued 729-899 unassigned, for future use 900-999 not valid SSNs, but were used for program purposes when state aid to the aged, blind and disabled was converted to a federal program administered by SSA. As the Areas assigned to a locality are exhausted, new areas from the pool are assigned. This is why some states have non-contiguous groups of Areas. The Group portion of the SSN has no meaning other than to determine whether or not a number has been assigned. SSA publishes a list every month of the highest group assigned for each SSN Area. The order of assignment for the Groups is: odd numbers under 10, even numbers over 9, even numbers under 9 except for 00 which is never used, and odd numbers over 10. For example, if the highest group assigned for area 999 is 72, then we know that the number 999-04-1234 is an invalid number because even Groups under 9 have not yet been assigned. The Serial portion of the SSN has no meaning. The Serial is not assigned in strictly numerical order. The Serial 0000 is never assigned. Before 1973, Social Security Cards with pre-printed numbers were issued to each local SSA office. The numbers were assigned by the local office. In 1973, SSN assignment was automated and outstanding stocks of pre-printed cards were destroyed. All SSNs are now assigned by computer from head-quarters. There are rare cases in which the computer system can be forced to accept a manual assignment such as a person refusing a number with 666 in it. A pamphlet entitled "The Social Security Number" (Pub. No.05-10633) provides an explanation of the SSN's structure and the method of assigning and validating Social Security numbers. Tax Records If you can find out who does the individuals taxes you might be able to get copies from them with the use of creative social engineering. If you want to run a tax lien search there is a service called Infoquest. 1-800-777-8567 for a fee. Call with a specific request. - 166 - Post Office Records If you have an address for someone that is not current, always consider writing a letter to the postmaster of whatever post office branch services the zip code of the missing person. Provide them the name and the last known address and simply ask for the current address. There might be a $1 fee for this so it would be wise to call first. City Directory, Polk's, Cole's, etc. Information in these directories is contained alphabetically by name, geographically by street address, and numerically by telephone number, so if you have any of those three pieces of info, a check can be done. The Polk's directory also shows whether the person owns their home or rents, their marital status, place of employment, and a myriad of other tidbits of information. However, these books are not the be-all and end-all of the information as they are subject to public and corporate response to surveys. These directories are published on a nationwide basis so if you are looking for someone outside of your area, simply call the public library in the area you have an interest and they also can perform a crisscross check for you. You can also call a service owned by Cole's called the National Look up Library at 402-473-9717 and either give a phone number and get the name & address or give the address and get the name and phone number. This is only available to subscribers, which costs $183.00 dollars for 1991. A subscriber gets two free lookups per day and everyone after that costs $1.25. A subscriber can also mail in a request for a lookup to: National Look Up Library 901 W. Bond Street Lincoln, NE 68521-3694 A company called Cheshunoff & Company can, for a $75 fee, obtain a 5-year detailed financial analysis of any bank. 505 Barton Springs Road Austin, Texas 78704 512-472-2244 Professional Credit Checker & Nationwide SSN-locate. !Solutions! Publishing Co. 8016 Plainfield Road Cincinnati, Ohio 45236 513-891-6145 1-800-255-6643 Top Secret Manuals - 167 - Consumertronics 2011 Crescent Drive P.O. Drawer 537-X Alamogordo, New Mexico 88310 505-434-0234 Federal Government Information Center is located at 1520 Market Street St. Louis, Missouri 1-800-392-7711 U.S. Dept of Agriculture has located aerial photos of every inch of the United States. 2222 West 2300 S. P.O. Box 36010 Salt Lake City, Utah 84130 801-524-5856 To obtain general information regarding registered agent, principals, and good standing status, simply call the Corporate Division of the Secretary of State and they will provide that information over the phone. Some corporate divisions are here: Arkansas Corporate Division 501-371-5151 Deleware Corporate Division 302-736-3073 Georgia Corporate Division 404-656-2817 Indiana Corporate Division 317-232-6576 Kansas Corporate Division 913-296-2236 Louisiana Corporate Division 504-925-4716 Missouri Corporate Division 314-751-4936 New York Corporate Division 518-474-6200 Texas Corporate Division 512-475-3551 Freedom Of Information The Freedom of Information Act allows the public to request information submitted to, or generated by, all executive departments, military departments, government or government controlled corporations, and regulatory agencies. Each agency, as described above, publishes in the Federal Register, descriptions of its central and field organizations and places where and how requests are to be directed. Direct a letter to the appropriate person designated in the Federal Register requesting reasonably described records be released to you pursuant to the Freedom of Information Act. Be sure to follow each agency's individually published rules which state the time, place, fees, and procedures for the provisions of information. The agency should promptly respond. - 168 - How to Find Information About Companies, Ed. II, 1981, suggests, "Government personnel you deal with sometimes become less helpful if you approach the subject by threatening the Freedom of Information Act action - it's best to ask for the material informally first." While this will probably enable you to find the correct person to send your request to, be prepared to spend at least half an hour on the phone talking to several people before you find the person who can help you. The book also has a brief description of what each governmental agency handles. If you want to see if someone you are trying to locate is a veteran, has a federal VA loan, or receives some sort of disability benefit, use Freedom of Information and provide the person's SSN. You will get a bill but you can ask for a fee waiver if this contributes to a public understanding of the operation of the government. You can also request an opportunity to go through the files yourself and then decide what you want copied. Insurance Records PIP carrier records (may contain statements, medical records, new doctors/hospital names, records of disability payments, adjuster's opinions, applications for insurance coverage, other claim info, etc.) Health insurance records (may contain medical records, record of bills, new doctors/hospital names, pre-existing conditions information, info regarding other accidetns/injuries, etc.) Often you will have to go through the claims office, the underwriting dept, and the business office to get complete records as each individual dept maintains its own seperate files. Workers Compensation Some states will let you simply request records. Just submit your request including the SSN and Birthdate, to the Department of Human Resources, Division of Worker's Compensation. They will photocopy the records and send you the copies. Other states require an authorization to obtain these records. You can always call your local Private Investigator pretending you are a student doing a research paper on the methods of getting personal information about people or even trash his place to find tips on tracking down people. - 169 - Frankie's Fireside Phreak Primer ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ A few words of advice that apply to phreaks every-where. Whether a telecom veteran, or a K0dez Kid, the following guidelines may keep you out of trouble and make life in the Computer Underground a little more pleasant. Brought to you by the CULT, o'course. >> A CULT Publication by High Priest and Scribe, Franken Gibe << -cDc- Cult of the Dead Cow Dissemination Council -cDc- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=I think we could all use a little refresher on Phreak Safety and Hygiene. It seems that phreaks are getting more and more careless...and it's when you think you can't get caught that...yeah: You do. Most of you know these, or think about them occasionally, but try to put the following stuff into practice. A Safe Phreak is an Informed Phreak; A Safe Phreak is a Phreak who Respects the Telecom Medium. Those are trite epigrams, but very true. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= 1) Due to the proliferation of Traffic Pattern Monitoring software among independent carriers, it is DEADLY to scan. If you must scan, NEVER use big name IC's (notably MCI [Real Time Toll Fraud Detection System], U.S. Sprint [those 950's are NOT fun-and-games], etc). If you MUST scan, remember these few commandments: A) Thou shalt never scan sequencially. B) Thou shalt never scan in predictable or detectable patterns. C) Thou shalt never scan a single access port all night, in closely-spaced increments. Best not to scan. Best to have some little kid who doesn't know you scan. 2) Alternate codes as MUCH as you can. Using a code-a-call isn't a bad idea if you have those kinds of resources. Coupled with the no-scanning doctrine, though, notebooks full of codes will not be so common. 3) This is the important corollary to number 2...NEVER EVER EVER overuse codes, nor use codes that you've abused earlier in a given month later on in the same month (generally, after the 20th, when d'bills start to roll out). 4) Do as MUCH remote phreaking as is humanly possible. If you can roll your computer out to some fortress fone, and hook up an acoustic coupler, AND not attract attention...Go for it. (Heck, I'd do it!) 5) Local access ports and AT&T WATS access ports are generally safer than 950's. WATS #'s owned by Ind. Carriers are DEADLY. Here's a little list of advantages and disadvantages of all the above... - 170 - A) Local Access Ports: Depending on the size of the LDS, these ports can be more or less safe. Almost NEVER have any sort of ANI hooked up, but if abuse becomes notable, they CAN install an incoming trap, discover a phreak's Central Office Code, and then put an outgoing trap in his CO. After that, it's only a matter of time. Traffic Pattern software can give an LDS a good idea of what action it needs to take. B) AT&T WATS numbers: Not a free ride by ANY means, but generally pretty safe. According to No Severance, AT&T WATS lines receive no ANI information. Like the local ports, the area from which a phreak is calling can be determined, but abuse would have to be pretty dramatic. Between local and AT&T WATS, I'd take WATS ("But what about the 800 Excessive Calling List?" Well, if it exists, then it's best not to use WATS too much...i.e. Do NOT Scan). C) Most 950's are safe, contrary to popular belief. There are a number of Feature Groups into which these numbers fall. I don't really remember what they are, and it doesn't really matter. I just wouldn't be too anxious to use these 'cause they're sorta bizarre, and they're VERY abused (never a good thing). But if you must, it's better than... D) Independent Carrier-Owned WATS numbers: God, DO NOT use these. When an IC owns its own carrier, it receives KP + II + 10Dig (YOUR phone number) + ST. In other words, these guys are generally ANI equipped. How can you tell? Well, if you've got an 800 access port, and the exchange is NXX (i.e., you've got a number :1-800-NXX-XXXX), then FIRST dial 1-800-NXX-0000. If you get the "You have reached the AT&T Long Distance Network" recording, the # is AT&T. If you get a "Your call cannot be completed " recording, DO NOT use that WATS number. Simple. 6) [or whatever number...sigh] PLEASE...for your own good, and that of Phreakdom, DO NOT advertise what you do. Yeah, some kids at school might think it's pretty k-radical. Those same kids are the ones to nark, or to mention stuff to the friendly administrators should they ask around. The less non-phreaks know the better. Keep your MOUTH SHUT. That reminds me of poor Disk Demon [of 915]. The kid really wasn't expecting trouble, but he made the fatal mistake of talking: probably to someone he trusted, and probably he didn't say much. All he mentioned was bringing a pirated disk to school the next day over the phone which was all the cops needed to search his house, and bam...they have him with telecom fraud evidence. The cops don't need much to get a warrant to monitor your telfo. It's a scary reality in a nation that takes less and less seriously the Bill of Rights. - 171 - 8) NEVER phreak voice calls. Sigh. I know, I'm sure there are a thousand screams of "Oh, COME ON, that's going too far". Okay, let me qualify that, then. Voice-phreak only if you're 1) sure you're not monitored (and who is ever sure?) and 2) know that the recipient can handle possible threats and unpleasantness from the friendly operator who may give him a buzz. Feds and investigators ain't stupid...or at least, not THAT stupid. As long as no one admits anything, it's okay. But the minute you start voice-phreaking, you open a lot of loose ends. Some suggestions, then, for voice phreaking: A) Try to remain anonymous. Not too hard. B) IF you're talking to strangers, don't mention where you're calling from, much less leave a number. Yeah, just common sense. C) Don't talk about phreaking over the line if you don't think the line is secure. Duh! D) If you trust the kid you're calling, tell him you've phreaked a call to him. Ask him if it's "cool". Make sure he can handle possible (and usually improbable) inquiries. Make sure his 'rents know NOTHING. 9) That's another thing. This doesn't have to do with safe phreaking, but with keeping phreaks safe. Know what you'll say if you ever get called by an operator or investigator type. If you have a bbs or data line, great. If not, have a story ready and rehearsed. When you think about it, it IS kinda hard for these people to believe that you don't know WHO called you for 5 hours last Sunday night...be prepared. (Ee! Boy scouts rule.) This file was just to be a short set of definitions for those of you who don't know all the phreaking terms. This was requested by a few people on a small 312 board called The Magnetic Field Elite (312-966-0708, call, board has potential) like The Don. But I have decided against making this small file that is common in many places but instead to make something that I have never seen before. Not just a common file but one of high technical use. With a printout of this you will never need to missout on a definition again. But that's not all. The file will discuss, indepth, the working of each of these operations below. If you are viewing this file simply for the sake of finding one meaning I suggest that you get the entire thing and then never need to call and view phreak files again. Topic 1: The Phone/Modem Scince phreaking is impossible without a phone or modem you I will start with the most important and most complex part of phreaking. The Phone. Now, the phone is a device that transfer sounds as sound enters a receiver, is transfered to an amount of - 172 - voltage, sent through the telephone lines and decode back to sound. A modem is based on a universal language of sounds transfered through the modem. Modem stands for the work Modulator/Demodulator. This is like receiveing and sending. Now, with most modems, before connecting, tones just are just the same as the tones that a common phone can make. But the phone can make many tones and some have purposes that are very useful, tones that are reserved for At&t, and thus dangerous. To go through all the tone would be senseless and a book on tones alone could be written (Hmm...maybe I could...) so I will not go into that. But, assuming that you know what a box is I will explain what the odd types of modems can do. If you own an Apple Cat modem you may use it to generate any tone. This is very useful. Some people are against the Cat for various. I will remain neutral on the topic but if you have no understand then phreak the way you see easiest and safest. The ther way is by using an acoustic modem. You may modify a phone to make certain tones and you may make then send these tones through the acoustic modem by placing the headset of the phone on the acoustic's couplers. You may also attempt to make the box modfications directly to the modem but if you error and damage the modem alot of money is wasted while you could have used an acoustic and messed up a twenty dollar phone. Basicaly the common phone can make 18 tones. For example, when you press a number on the phone two tones are made together and make the signal for the number or charater you hit. This is the entire phone to line explantion of the phone. Now the actual internal working of the phone is very complex and can be best under stood by getting a book from the library on it. Topic 2: The Calling of Numbers When you call a local number as soon as you hit a number other than one you the phone knows that you are calling localy. Once seven digits are entered the numbers are sent to the nearest switching station and you call goes out. The station deter mines the units per minute and start billing as soon as the called phone answers. All calls are automaticaly one minute long. If you hit a one as the first digit you dial the phone recignizes this as a long distance call and sends you to either the At&t switching station or to another long distance service if you have chose to use other than At&t. If you are using a At&t the call goes through the long distance switching station where unit per minute is determined and then it is refured to the number you called. The call may be slowed down depending on how many times the switching station changes between you and the place you are calling. If it changes between ESS and X-Bar (described below) one it would go through fast. If it changed between them 50 times it would be a very slow call going through. Plus the sound quality may decrease but that is not a fact, just an understanding I have come to when callign long distance with At&t. If you are calling through any other service, such as MCI, Alnet, Teleco, US Sprint or any of the other endless companies, - 173 - then things are not the same for long distance calls. You call first goes to the company you call through and price of call is determined by any of the ways a company determines price. The call then goes out through the lines to the long distance companie's station nearest to the number you dialed and tres to go though. If the number is too far away from a station you may get a "The number you have dialed cannot be reached from your calling area." Thus, you have the basic information of how call goes out. Now to get to phreaking and the real reson you read this file. Topic 3: The Long Distance Company and Codes. The way of using a different long distance company or not paying a quarter when calling from a payphone. Using the phone card or the code.Names for these numbers: 950's, 800's, Extenders, PBX's, 950 ports, Port, Code port, (Company name) port The above mentioned names are the phreaks lifeline. They are places where you call and enter a code, then the area code of the place you want to call and finally the number for the place you want to call. When the code is entered it is checked if it is valid and then the person how owns the code pays for the call. If the code is not valid you normaly get a message saying that the code you entered is not valid. When a call goes through it is the same as a normal long distance call except that it is charged to the owner of the card. Some places may require that you enter a nine or a one before you enter the code. Now, the phreak uses these places by calling them over and over again until they get a code. But they do this with a computer and a program such as Hack-a-Matic, Hacking Construction Set (often called HCS), Hack This Buddy, Intellihacker (Old), C at-(and then a name, for the Apple Cat. Has to many names to list), and some others. These are all Apple programs but there are also code hackers for the Commodor 64, 128, Amiga, IBM (of course) and so on. Most computers have them. One thing I have found useful is to use a Radio Shack portable computer with a built in modem and hack from other houses, this is much safer. Secrity in these companies run from really tough (MCI) to sad (like the places that tryo to scare off hackers with tape recordings). 950 ports in the ESS area are set up to trace and could do so very easily but for some reson they are against it. Possibly the time and modey to cheack the calls and pay for tracing. Places have gotton tougher though, if three people get busted off a number in one week and this has never happened before then you can almost be sure that they have stepped up security and that it is time to use a new port. Now I will discuss some of the things used by the Phreak. Topic 4: The Loop - 174 - Loops, although they may seem fun they are really rather useless. They work as follows. Two numbers are looped together. Usually they are almost the same just a digit different from one another. If you call the lower number you will wait a few secounds and then hear a 1000mhz. tone. If you call the higher number you will hear nothing. If you can one number (dosen't matter which) and someone else calls the other number you will be able to talk to each other. The purpose of these is to test trunk lines. This way they could make sure there was no break in each trunk. Now the old purpose for loops was that they where free to call so one person would call one and another would call the other and they would get to talk for free. Also, one person might call one number and just wait and talk to whoever called the other number. Like a two line bridge. Today you cannot call these without being charged because the phone company caught on. But you can split a phone call with these so if there is a loop between you and a person you want to talk to you can only pay for half by calling the loop. And the phone company dosen't care because either way they get their money. The billing service for a loop is one all by itself, not like normal local calling and for this reson I might almost belive the rumor that Blue Box tones can be used to call loops. The loops billing service didn't exist awhile back so a call to one was free. Now, if you call this new billing system picks it up. But the loops billing system is just something that At&t scraped together and there are most likly some holes in the system (like not recording blue box tone generation numbers). Topic 5: The Diverter The diverter has been a very simple, yet incredibly usefulthing through the years. To use one you must call, after hours and let someone answer the phone, don't answer them, let them hang up and get a faint dialtone. Then you dial again and call from the diverter. Before, you could use a diverter and call through it. The you would only be charged for the call to the diverter, not the one after it. That bill went to the diverter itself. But they fix this problem easily and now you still get charged if you are in the ESS area. Also before, you could use a diverter to call a number that traces and instead of being traced to your number it is traced to the diverter. But ESS eliminated that too. But you can still use a diverter to call hard to reach numbers. Like if you called a place and it gave you a "The number you have dial cannot be reach from your calling area" then if you knew of a diverter in the area of the number you could call through it to the unreachable number and get through. The way a diverter works is after hours when you call a place the call is forwarded to another place. Then, when you don't answer the person at the other place hangs up and your call tries to disconnect from the forwared number and you end up at the diverter with it's dialtone. - 175 - HACKING TYMNET AS MOST OF YOU ALREADY KNOW, TYMNET IS AN INFORMATION SYSTEM ACCESSABLE BY COMPUTERS WITH MODEMS FROM ALMOST ANYWHERE IN THE COUNTRY. TYMNET INCLUDES MANY SUB-SYSTEMS OF INFORMATION WHICH CAN BE USEFUL FOR BUSINESSES OR JUST PHUN. ONE SUB-SYSTEM WHICH I WILL WRITE A SEPARATE ARTICLE ON IS THE ATPCO'S ELECTRONIC TARIFF SYSTEM. BUT FOR NOW, I'LL MAKE ALL OF YOU EXPERTS IN TYMNET SO YOU CAN HAVE AS MUCH PHUN AS YOURS TRUELY. ACCESS NUMBERS -------------- FOR YOUR LOCAL ACCESS NUMBER YOU COULD CALL THE NICE PERSON AT 800-336-0149 AND REQUEST IT FOR YOUR AREA. IF YOU LIVE NEAR A METROPOLITAN AREA ASK FOR THAT AREA CODE SINCE THEY RARELY HAVE ACCESS NUMBERS FOR OUT-OF-CITY AREAS. FOR THOSE OF YOU IN THE 914 AREA YOU CAN USE: POUGHKEEPSIE : 914-473-0401 WHITE PLAINS : 914-684-6075 LOGGING IN TO TYMNET -------------------- 1. WHEN YOU HAVE CONNECTED WITH THE NETWORK, THE FOLLOWING REQUEST WILL BE DISPLAYED: PLEASE TYPE YOUR TERMINAL IDENTIFIER ENTER YOUR TERM.IDENTIFIER ACCORDING TO THE FOLLOWING CHART: KEY: IDENT = IDENTIFIER ASC = ASCII EBCD = EBCD CORRESPONDENCE = CARRIAGE RETURN SPEEDS ARE GIVEN IN CPS (CHARACTERS PER SECOND). TO TRANSLATE TO BAUD RATE JUST MULTIPLY BY 10. IDENT CODE SPEED TERMINAL TYPE ----- ---- ----- ------------- A ASC 30,120 PERSONAL COMP. WITH CRT [ MOST EVERYBODY AT HOME WILL USE THIS OPTION SO IF YOU AREN'T SURE USE A ] B ASC 15 ALL TERMINALS C ASC 30 IMPACT PRINTMRS D ASC 10 ALL TERMINALS E ASC 30 THERMAL PRINTERS F ASC 15 IN BETA TERMINALS 30 OUT G ASC 30,120 BELT PRINTERS G.E. TERMINET I ASC 120 MATRIX PRINTERS P EBCD 14.8 SELECTRIC-TYPE TERMINALS (E.G., 2741) - 176 - IF THE MESSAGE DOES NOT APPEAR JUST WAIT A FEW SECONDS THEN ENTER IT. NOTE THAT ONLY P IDENTIFIERS NEED A THEM BUT SINCE MOST OF YOU WON'T BE USING P FORGET IT. 2. TYMNET WILL THEN DISPLAY THE NUMBER OF THE REMOTE ACCESS NODE TO WHICH YOU ARE CONNECTED, FOLLOWED BY THE NUMBER OF YOUR PORT ON THE NODE, AND WILL DISPLAY THIS REQUEST: -NNNN-PPP- PLEASE LOG IN: 3. TYPE YOUR USER NAME AND THIS USER NAME SEEMS TO BE THE ABBREVIATION FOR THE COMPANY WHO OWNS THE SUB-SYSTEM. FOR EXAMPLE, FOR ELECTRONIC TARIFF THE USER NAME IS ATP WHICH STANDS FOR AIRLINE TARIFF PUBLISHING, THE COMPANY THAT RUNS THE ELECTRONIC TARIFF. 4. TYMNET WILL THEN REQUEST: PASSWORD: TYPE YOUR PASSWORD AND . THE PASSWORD MAY NOT BE DISPLAYED ON YOUR SCREEN. 5. TYMNET WILL THEN DISPLAY SOME CHARACTER OR MESSAGE INDICATING THAT YOU HAVE LOGGED ON. SINCE BUSINESSES DON'T REALLY GET COMPLICATED WITH PASSWORDS AND THE SUCH, JUST ENTER VALID USER NAMES AND FOR PASSWORDS YOU CAN FORGET CTRL-CHARACTERS... PASSWORDS HAVE A LENGTH OF 8 CHARACTERS (AS FAR AS I KNOW). TYMNET CONTROL CHARACTERS ------------------------- CTRL-CHAR OPERATION -------- --------- H HALF-DUPLEX P EVEN PARITY R ALLOWS THE TERMINAL TO CONTROL THE INCOMING FLOW OF DATA WITH X-ON/OFF CHARACTERS (SEE BELOW) S X-OFF CHARACTER Q X-ON CHARACTER ACCESSING DATAPAC ----------------- THE STANDCRD PROCEDURE FOR ACCESSING A HOST ON THE DATAPAC NETWORK IS DESCRIBED BELOW. TYMNET'S INFORMATION DIRECTORY INCLUDES FILES OF MATERIAL ABOUT DATAPAC AND TYMNET'S INTERNATIONAL SERVICES. - 177 - LOGGKNG IN TO DATAPAC --------------------- 1. DIAL-UP TYMNET (SEE ABOVE) 2. ENTER YOUR TERMINAL IDENTIFIER 3. AT THE "PLEASE LOG IN:" PROMPT, ENTER THE LOG-IN COMMAND, SPECIFYING: THE DATAPAC NETWORK (DPAC), A SEMICOLON (A SECOND SEMICOLON WILL ECHO AT YOUR END) , THE DATAPAC NETWORK IDENTIFICATION CODE (3020), THE 8-DIGIT HOST ADDRESS AND . E.G., DPAC;;3020HOST ADDRESS IF YOU NEED TO ENTER FUTHER USER DATA ENTER A COLON AFTER THE HOST ADDRESS THEN A . E.G., DPAC;;3020HOST ADDRESS:USER DATA 5. DATAPAC WILL THEN DISPLAY A MESSAGE OR CHARACTER TO SHOW THAT YOU ARE ON-LINE. THIS LITTLE BIT OF INFORMATION SHOULD GET SOME OF YOU GOING. MY EXPERIENCES WITH TYMNET HAVE BEEN MAINLY RESTRICTED TO THE ATPCO SYSTEM SO COMMANDS MAY DIFFER. - 178 - THE PHREAKER'S HANDBOOK #1 by Phortune 500 ---------------------------------------------- a useful source for the phreaker covering both the basics and advances of phreaking GENERAL NOTE ------------ The purpose of this newsletter is purely educational. It has been released in order to teach and advance the knowledge of today's declining phreaks. However, the author does not take any responsibility over the misuse of the herein contained information, and the newsletter itself does not encourage or support the above type of activity. Also, any wrong or old information in this document is not to the responsibility of the author, and the reader accepts any consequences due to information that may be mistaken in this manner. NOTE TO ABUSERS --------------- All information contained within this document was intended towards educational purposes. Any misuse or illegal use of the information contained in this document is strictly at the misuser's risk. The author assumes NO responsibility of the reader's actions following the release this document (in otherwords, you're on your own if you get nailed!) TPH Issue #1, Volume 1 Release Date::July 3, 1989 Introduction To TPH #1 ====================== This phile was written for beginning as well as those uninformed "advanced" phreaks who need something as a reference when reading or writing philes concerning phreaking or fone phraud. Of course, you could be a beginning phreak and use this phile to B.S. your way into a big group by acting like you know a lot, or something, but that is up to you. Anyway, I compiled this listing phrom various sources, the majority is listed as references at the end of this phile. This phile's only goal is to educate and inform. Any illegal or fraudulent activity is neither encouraged nor supported by the author of this phile, not by the majority of the >TRUE< phreaking community. The author assumes NO responsibility for the actions of the reader. Also, I know that some of the stuff covered in this release of TPH will be old and outdated; however, I will try to clean that up by the next release of TPH, and will notify you, the reader, of the changes due to these revisions. - 179 - The Phreak's Vitals: ==================== True Definition Of The Phreaker ------------------------------- "Many people think of phone phreaks as slime, out to rip off Bell for all she is worth. Nothing could be further from the truth! Granted, there are some who get their kicks by making free calls; however, they are not true phone phreaks. Real phone phreaks are 'telecommunications hobbyists'who experiment, play with, and learn from the phone system. Occasionally, this experimenting and a need to communicate with other phreaks, without going broke, leads to free calls. The free calls are but a small subset of a >TRUE< phone phreak's activities." - Wise Words Of The Magician The Phone Phreak's Ten Commandments ----------------------------------- I. Box thou not over thine home telephone wires, for those who doest will surely bring the wrath of the Chief Specialent down upon thy head. II. Speakest thou not of important matters over thine home telephone wires, for to do so is to risk thine right of freedom. III. Use not thine own name when speaking to other phreaks, for that every third phreak is an FBI agent is well known. IV. Let not overly many people know that thy be a phreak, as to do so is to use thine own self as a sacrificial lamb. V. If thou be in school, strive to get thine self good grades, for the authorities well know that scholars never break the law. VI. If thou workest, try to be an employee and impressest thine boss with thine enthusiasm, for important employees are often saved by their own bosses. VII. Storest thou not thine stolen goodes in thine own home, for those who do are surely non-believers in the Bell System Security Forces, and are not long for this world. VIII.Attractest thou not the attention of the authorities, as the less noticeable thou art, the better. IX. Makest sure thine friends are instant amnesiacs and willst not remember thou hast called illegally, for their cooperation with the authorities willst surely lessen thine time for freedom on this earth. X. Supportest thou TAP, as it is thine newsletter, and without it, thy work would be far more limited. The Phreaker's Glossary ======================= 1XB - No.1 Crossbar system. See XBAR for more information. - 180 - 2600 - A hack/phreak oriented newsletter that periodically was released and still is being released. See Phile 1.6 for more information on the magazine and ordering. 4XB - No.4 Crossbar system. See XBAR for more information. 5XB - No.5 Crossbar system. The primary end office switch of Bell since the 60's and still in wide use. See XBAR for more detail. 700 Services - These services are reserved as an advanced forwarding system, where the forwarding is advanced to a user-programed location which could be changed by the user. 800 Exceptional Calling Report - System set up by ESS that will log any caller that excessively dials 800 numbers or directory assistance. See ESS for more information. 800 Services - Also known as WATS. These services often contain WATS extenders which, when used with a code, may be used to call LD. Many LD companies use these services because they are toll-free to customers. Most 800 extenders are considered dangerous because most have the ability to trace. 900 Services - Numbers in the 900 SAC usually are used as special services, such as TV polls and such. These usually are $.50 for the first minute and $.35 for each additional minute. Dial (900)555-1212 to find out what the 900 services currently have to offer. 950 - A nationwide access exchange in most areas. Many LD companies have extenders located somewhere on this exchange; however, all services on this exchange are considered dangerous due to the fact that they ALL have the ability to trace. Most 950 services have crystal clear connections. ACCS - Automated Calling Card Service. The typical 0+NPA+Nxx+xxxx method of inputting calling cards and then you input the calling card via touch tones. This would not be possible without ACTS. ACD - Automatic Call Distributor. ACD Testing Mode - Automatic Call Distributor Test Mode. This level of phreaking can be obtained by pressing the "D" key down after calling DA. This can only be done in areas that have the ACD. The ACD Testing Mode is characterized by a pulsing dial tone. From here, you can get one side of a loop by dialing 6, the other side is 7. You may also be able to REMOB a line. All possibilities of the ACD Test have not been experimented with. See silver box for more details. - 181 - ACTS - Automated Coin Toll Service. This is a computer system that automates phortress fone service by listening for red box tones and takes appropriate action. It is this service that is commonly heard saying, "Two dollars please. Please deposit two dollars for the next three minutes." Also, if you talk for more than three minutes and then hang up, ACTS will call back and demand your money. ACTS is also responsible for ACCS. Alliance - A teleconferencing system that is apart from AT&T which allows the general public to access and use its conferencing equipment. The equipment allows group conversations with members participating from throughout the United States. The fone number to Alliance generally follows the format of 0-700-456-x00x depending on the location the call originates from and is not accessible direct by all cities/states. AMA - Automated Message Accounting. Similar to the CAMA system; see CAMA for more info. analog - As used for a word or data transmission, a continuously varying electrical signal in the shape of a wave. ANI - Automatic Number Identification - This is the system you can call, usually a three digit number or one in the 99xx's of your exchange, and have the originating number you are calling from read to you by a computer. This is useful if you don't know the number you are calling from, for finding diverters, and when you are playing around with other fone equipment like cans or beige boxes. The ANI system is often incorporated into other fone companies such as Sprint and MCI in order to trace those big bad phreaks that abuze codez. ANIF - Automatic Number Identification Failure. When the ANI system of a particular office fails. APF - All PINs Fail. This is a security measure which is designed to frustrate attempts at discovering valid PINs by a hacking method. aqua box - A box designed to drain the voltage of the FBI lock-in- trace/trap-trace so you can hang up your fone in an emergency and phrustrate the Pheds some more. The apparatus is simple, just connect the two middle wires of a phone wire and plug, which would be the red and green wires if in the jack, to the cord of some electrical appliance; ie, light bulb or radio. KEEP THE APPLIANCE OFF. Then, get one of those line splitters that will let you hook two phone plugs into one jack. Plug the end of the modified cord into one jack and your fone into the other. THE APPLIANCE MUST BE OFF! Then, when the Pheds turn their lame tracer on and you find that you can't hang up, remove your fone from the - 182 - jack and turn the appliance ON and keep it ON until you feel safe; it may be awhile. Then turn it off, plug your fone back in, and start phreaking again. Invented by: Captain Xerox and The Traveler. BAUDOT - 45.5 baud. Also known as the Apple Cat Can. BEF - Band Elimination Filter. A muting system that will mute the 2600 Hz tone which signals hang-up when you hang up. beige box - An apparatus that is a home-made lineman's handset. It is a regular fone that has clips where the red and green wires normally connect to in a fone jack. These clips will attach to the rings and tips found in many of MA's output devices. These are highly portable and VERY useful when messing around with cans and other output devices the fone company has around. Invented by: The Exterminator and The Terminal Man. BITNET - Nationwide system for colleges and schools which accesses a large base of education-oriented information. Access ports are always via mainframe. bit stream - Refers to a continuous series of bits, binary digits, being transmitted on a transmission line. black box - The infamous box that allows the calling party to not be billed for the call placed. We won't go in depth right now, most plans can be found on many phreak oriented BBS's. The telco can detect black boxes if they suspect one on the line. Also, these will not work under ESS. bleeper boxes - The United Kingdom's own version of the blue box, modified to work with the UK's fone system. Based on the same principles. However, they use two sets of frequencies, foreword and backwards. Blotto box - This box supposedly shorts every fone out in the immediate area, and I don't doubt it. It should kill every fone in the immediate area, until the voltage reaches the fone company, and the fone company filters it. I won't cover this one in this issue, cuz it is dangerous, and phreaks shouldn't destroy MA's equipment, just phuck it up. Look for this on your phavorite BBS or ask your phavorite phreak for info if you really are serious about seriously phucking some fones in some area. blue box - An old piece of equipment that emulated a true operator placing calls, and operators get calls for free. The blue box seizes an open trunk by blasting a 2600 Hz tone through the line after dialing a party that is local or in the 800 NPA so calls will be local or free for the blue - 183 - boxer. Then, when the blue boxer has seized a trunk, the boxer may then, within the next 10-15 seconds, dial another fone number via MF tones. These MF tones must be preceded by a KP tone and followed with a ST tone. All of these tones are standardized by Bell. The tones as well as the inter-digit intervals are around 75ms. It may vary with the equipment used since ESS can handle higher speeds and doesn't need inter-digit intervals. There are many uses to a blue box, and we will not cover any more here. See your local phreak or phreak oriented BBS for in depth info concerning blue boxes and blue boxing. Incidentally, blue boxes are not considered safe anymore because ESS detects "foreign" tones, such as the 2600 Hz tone, but this detection may be delayed by mixing pink noise of above 3000 Hz with the 2600 Hz tone. To hang up, the 2600 Hz tone is played again. Also, all blue boxes are green boxes because MF "2" corresponds to the Coin Collect tone on the green box, and the "KP" tone corresponds to the Coin Return tone on the green box. See green box for more information. Blue boxing is IMPOSSIBLE under the new CCIS system slowly being integrated into the Bell system. blue box tones - The MF tones generated by the blue box in order to place calls, emulating a true operator. These dual tones must be entered during the 10-15 second period after you have seized a trunk with the 2600 Hz tone. 700: 1 : 2 : 4 : 7 : 11 : KP= Key Pulse parallel Frequencies 900: ** : 3 : 5 : 8 : 12 : ST= STop 2= Coin Collect 1100: ** : ** : 6 : 9 : KP : KP2= Key Pulse 2 KP= Coin Return 1300: ** : ** : ** : 10 :KP2 : **= None (green box tones) 1500: ** : ** : ** : ** : ST : : 900:1100:1300:1500:1700: 75ms pulse/pause BLV - Busy Line Verification. Allows a TSPS operator to process a customer's request for a confirmation of a repeatedly busy line. This service is used in conjunction with emergency break-ins. BNS - Billed Number Screening. break period - Time when the circuit during pulse dialing is left pen. In the US, this period is 40ms; foreign nations may use 33ms break periods. break ratio - The interval pulse dialing breaks and makes the loop when dialing. The US standard is 10 pulses per second. - 184 - When the circuit is opened, it is called the break interval. When the circuit is closed, it is called the make interval. In the US, there is a 60ms make period and a 40ms break period. This is often referred to as a 60% make interval. Many foreign nations have a 67% make interval. bridge - I don't really understand this one, but these are important phreak toys. I'll cover them more in the next issue of TPH. British Post Office - The United Kingdom's equivalent to Ma Bell. busy box - Box that will cause the fone to be busy, without taking it OFF-HOOK. Just get a piece of fone wire with a plug on the end, cut it off so there is a plug and about two inches of fone line. Then, strip the wire so the two middle wires, the tip and the ring, are exposed. Then, wrap the ring and the tip together, tape with electrical tape, and plug into the fone jack. The fone will be busy until the box is removed. cans - Cans are those big silver boxes on top of or around the telephone poles. When opened, the lines can be manipulated with a beige box or whatever phun you have in mind. calling card - Another form of the LD service used by many major LD companies that composes of the customers fone number and a PIN number. The most important thing to know when questioned about calling cards are the area code and the city where the calling card customer originated from. CAMA - Centralized Automatic Message Accounting. System that records the numbers called by fones and other LD systems. The recording can be used as evidence in court. CC - Calling Card. CC - Credit Card. CCIS - Common Channel Inter-office Signaling. New method being incorporated under Bell that will send all the signaling information over separate data lines. Blue boxing is IMPOSSIBLE under this system. CCITT - The initials of the name in French of the International Telegraph and Telephone Consultative Committee. At CCITT representatives of telecommunications authorities, operators of public networks and other interested bodies meet to agree on standards needed for international intermarrying of telecommunications services. CCS - Calling Card Service. - 185 - CCSS - Common Channel Signalling System. A system whereby all signalling for a number of voice paths are carried over one common channel, instead of within each individual channel. CDA - Coin Detection and Announcement. CF - Coin First. A type of fortress fone that wants your money before you receive a dial tone. Channel - A means of one-way transmission or a UCA path for electrical transmission between two or more points without common carrier, provided terminal equipment. Also called a circuit, line, link, path, or facility. cheese box - Another type of box which, when coupled with call forwarding services, will allow one to place free fone calls. The safety of this box is unknown. See references for information concerning text philes on this box. clear box - Piece of equipment that compromises of a telephone pickup coil and a small amp. This works on the principal that all receivers are also weak transmitters. So, you amplify your signal on PP fortress fones and spare yourself some change. CN/A - Customer Name And Address. Systems where authorized Bell employees can find out the name and address of any customer in the Bell System. All fone numbers are listed on file, including unlisted numbers. Some CN/A services ask for ID#'s when you make a request. To use, call the CN/A office during normal business hours, and say that you are so and so from a certain business or office, related to customers or something like that, and you need the customer's name and address at (NPA)Nxx-xxxx. That should work. The operators to these services usually know more than DA operators do and are also susceptible to "social engineering." It is possible to bullshit a CN/A operator for the NON PUB DA number and policy changes in the CN/A system. CO Code - Central Office code which is also the Nxx code. See Nxx for more details. Sometimes known as the local end office. conference calls - To have multiple lines inter-connected in order to have many people talking in the same conversation on the fone at once. See Alliance and switch crashing for more information. credit operator - Same as TSPS operator. The operator you get when you dial "0" on your fone and phortress fones. See TSPS for more information. - 186 - CSDC - Circuit Switched Digital Capability. Another USDN service that has no ISDN counterpart. DA - Directory Assistance. See directory assistance. DAO - Directory Assistance Operator. See directory assistance. data communications - In telefone company terminology, data communications refers to an end-to-end transmission of any kind of information other than sound, including voice, or video. Data sources may be either digital or analog. data rate - The rate at which a channel carries data, measured in bits per second, bit/s, also known as "data signalling rate." data signalling rate - Same as "data rate." See data rate. DCO-CS - Digital Central Office-Carrier Switch. DDD - Direct Distance Dialed. Dial-It Services - See 900 Services. digital - A method to represent information to be discrete or individually distinct signals, such as bits, as opposed to a continuously variable analog signal. digital transmission - A mode of transmission in which all information to be transmitted is first converted to digital form and then transmitted as a serial stream of pulses. Any signal, voice, data, television, can be converted to digital form. Dimension 2000 - Another LD service located at (800)848-9000. directory assistance - Operator that you get when you call 411 or NPA-555-1212. This call will cost $.50 per call. These won't know where you are calling from, unless you annoy them, and do not have access to unlisted numbers. There are also directory assistance operators for the deaf that transfer BAUDOT. You can call these and have interesting conversations. The fone number is 800-855-1155, are free, and use standard Telex abbreviations such as GA for Go Ahead. These are nicer than normal operators, and are often subject to "social engineering" skills (bullshitting). Other operators also have access to their own directory assistance at KP+NPA+131+ST. diverter - This is a nice phreak tool. What a diverter is is a type of call forwarding system done externally, apart from the fone company, which is a piece of hardware that will foreword the call to somewhere else. These can be found on many 24 hour plumbers, doctors, etc. When you call, you will often hear - 187 - a click and then ringing, or a ring, then a click, then another ring, the second ring often sounds different from the first. Then, the other side picks the fone up and you ask about their company or something stupid, but DO NOT ANNOY them. Then eventually, let them hang up, DO NOT HANG UP YOURSELF. Wait for the dial tone, then dial ANI. If the number ANI reads is different from the one you are calling from, then you have a diverter. Call anywhere you want, for all calls will be billed to the diverter. Also, if someone uses a tracer on you, then they trace the diverter and you are safe. Diverters can, however, hang up on you after a period of time; some companies make diverters that can be set to clear the line after a set period of time, or click every once in a while, which is super annoying, but it will still work. Diverters are usually safer than LD extenders, but there are no guarantees. Diverters can also be accessed via phortress fones. Dial the credit operator and ask for the AT&T CREDIT OPERATOR. They will put on some lame recording that is pretty long. Don't say anything and the recording will hang up. LET IT HANG UP, DO NOT HANG UP. Then the line will clear and you will get a dial tone. Place any call you want with the following format: 9+1+NPA+Nxx+xxxx, or for local calls, just 9+Nxx+xxxx. I'd advise that you call ANI first as a local call to make sure you have a diverter. DLS - Dial Line Service. DNR - Also known as pen register. See pen register. DOV - Data-Over-Voice. DSI - Data Subscriber Interface. Unit in the LADT system that will concentrate data from 123 subscribers to a 56k or a 9.6k bit-per-second trunk to a packet network. DT - Dial tone. DTF - Dial Tone First. This is a type of fortress fone that gives you a dial tone first. DTI - Digital Trunk Interface. DTMF - Dual-Tone-Multi-Frequency, the generic term for the touch tone. These include 0,1,2,3,4,5,6,7,8,9 as well as A,B,C,D. See silver box for more details. DVM - Data Voice Multiplexor. A system that squeezes more out of a transmission medium and allows a customer to transmit voice and data simultaneously to more than one receiver over the existing telefone line. - 188 - emergency break-in - Name given to the art of "breaking" into a busy number which will usually result in becoming a third party in the call taking place. end office - Any class 5 switching office in North America. end-to-end signalling - A mode of network operation in which the originating central office, or station, retains control and signals directly to each successive central office, or PBX, as trunks are added to the connection. ESS - Electronic Switching System. "The phreak's nightmare come true." With ESS, EVERY SINGLE digit you dial is recorded, even mistakes. The system records who you call, when you call, how long you talked, and, in some cases, what you talked about. ESS is programed to make a list of people who make excessive 800 calls or directory assistance. This is called the "800 Exceptional Calling Report." ESS can be programed to print out logs of who called certain numbers, such as a bookie, a known communist, a BBS, etc. ESS is a series of programs working together; these programs can be very easily changed to do whatever the fone company wants ESS to do. With ESS, tracing is done in MILLISECONDS and will pick up any "foreign" tones on the line, such as 2600 Hz. Bell predicts the whole country will be on ESS by 1990! You can identify an ESS office by the functions, such as dialing 911 for help, fortress fones with DT first, special services such as call forwarding, speed dialing, call waiting, etc., and ANI on LD calls. Also, black boxes and Infinity transmitters will NOT work under ESS. extender - A fone line that serves as a middleman for a fone call, such as the 800 or 950 extenders. These systems usually require a multi- digit code and have some sort of ANI to trace suspicious calls with. facsimile - A system for the transmission of images. The image is scanned at the transmitter, reconstructed at the receiving station, and duplicated on some form of paper. Also known as a FAX. FAX - See facsimile for details. FiRM - A large cracking group who is slowly taking the place of PTL and the endangered cracking groups at the time of this writing. fortress phone - Today's modern, armor plated, pay fone. These may be the older, 3 coin/coin first fones or the newer, 1 coin/DT first fones. There are also others, see CF, DTF, and PP. Most phortresses can be found in the 9xxx or 98xx series of your local Nxx. - 189 - gateway city - See ISC. Gestapo - The telefone company's security force. These nasties are the ones that stake out misused phortresses as well as go after those bad phreaks that might be phucking with the fone system. green base - A type of output device used by the fone company. Usually light green in color and stick up a few feet from the ground. See output device for more information. green box - Equipment that will emulate the Coin Collect, Coin Return, and Ringback tones. This means that if you call someone with a fortress fone and they have a green box, by activating it, your money will be returned. The tones are, in hertz, Coin Collect=700+1100, Coin Return=1100+1700, and Ringback=700+1700. However, before these tones are sent, the MF detectors at the CO must be alerted, this can be done by sending a 900+1500 Hz or single 2600 Hz wink of 90ms followed by a 60ms gap, and then the appropriate signal for at least 900ms. gold box - This box will trace calls, tell if the call is being traced, and can change a trace. grey box - Also known as a silver box. See silver box. group chief - The name of the highest ranking official in any fone office. Ask to speak to these if an operator is giving you trouble. high-speed data - A rate of data transfer ranging upward from 10,000 bits per second. H/M - Hotel/Motel. ICH - International Call Handling. Used for overseas calls. ICVT - InComing Verification Trunk. IDA - Integrated Digital Access. The United Kingdom's equivalent of ISDN. IDDD - International Direct Distance Dialing - The ability to place international calls direct without processing through a station. Usually, one would have to place the call through a 011, station, or a 01, operator assisted, type of setup. IDN - Integrated Digital Networks. Networks which provide digital access and transmission, in both circuit switched and packet modes. - 190 - in-band - The method of sending signaling information along with the conversion using tones to represent digits. INS - Information Network System. Japan's equivalent of ISDN. Intercept - The intercept operator is the one you get connected to when there are not enough recordings available to tell you that the number has been disconnected or changed. These usually ask what number you are calling and are the lowest form of the operator. intermediate point - Any class 4X switching office in North America. Also known as an RSU. international dialing - In order to call across country borders, one must use the format PREFIX + COUNTRY CODE + NATION #. The prefix in North America is usually 011 for station-to-station calls or 01 for operator-assisted calls. If you have IDDD, you don't need to place this prefix in. INTT - Incoming No Test Trunks. INWARD - An operator that assists your local TSPS '0' operator in connecting calls. These won't question you as long as the call is within their service area. The operator can ONLY be reached by other operators or a blue box. The blue box number is KP+NPA+121+ST for the INWARD operator that will help you connect to any calls in that area ONLY. INWATS - Inward Wide Area Telecommunications Service. These are the 800 numbers we are all familiar with. These are set up in bands; 6 total. Band 6 is the largest, and you can call band 6 INWATS from anywhere in the US except the state where the call is terminated. This is also why some companies have a separate 800 number for their state. Band 5 includes the 48 contiguous states. All the way down to band 1, which only includes the states contiguous to that one. Understand? That means more people can reach a band 6 INWATS as compared to the people that can access a band 1 INWATS. IOCC - International Overseas Completion Centre. A system which must be dialed in order to re-route fone calls to countries inaccessible via dialing direct. To route a call via IOCC with a blue box, pad the country code to the RIGHT with zeroes until it is 3 digits. Then KP+160 is dialed, plus the padded country code, plus ST. IPM - Interruptions Per Minute. The number of times a certain tone sounds during a minute. - 191 - ISC - Inter-Nation Switching Centers. Most outgoing calls from a certain numbering system will be routed through these gateway cities" in order to reach a foreign country. SDN - Integrated Services Digital Network. ISDN is a lanned hierarchy of digital switching and transmission ystems. Synchronized so that all digital elements speak the same language" at the same speed, the ISDN would provide voice, data, nd video in a unified manner. TT - This is another large LD service. The extenders owned by his company are usually considered dangerous. The format is CC-ESS#,(NPA)Nxx-xxxx,1234567. kpk - Key Pulse. Tone that must be generated before inputting a one number using a blue box. This tone is, in hertz, 1100+1700. P2 - Key Pulse 2. Tone that is used by the CCITT SYSTEM 5 for pecial international calling. This tone is, in hertz, 1300+1700. ADT - Local Area Data Transport. LADT is a method by which ustomers will send and receive digital data over existing customer oop wiring. Dial-Up LADT will let customers use their lines or occasional data services; direct access LADT will transmit imultaneous voice and data traffic on the same line. LAN - Local Area Network. LAPB - Link Access Protocol Balanced. LD - Long Distance leave Word And Call Back - Another new type of operator. local loop - When a loop is connected between you and your CO. his occurs when you pick the fone up or have a fone OFF-HOOK. Loop - A pair or group of fone lines. When people call these lines, they can talk to each other. Loops consist of two or more numbers, they usually are grouped close together somewhere in the Nxx-99xx portions of your exchange. The lower number in a loop is the tone side of the loop, or the singing switch. The higher number is always silent. The tone disappears on the lower # when someone dials the other side of the loop. If you are the higher #, you will have to listen to the clicks to see if someone dialed into the loop. There also are such things as Non- Supervised loops, where the call is toll-free to the caller. Most loops will be muted or have annoying clicks at connection, but otherwise, you might find these useful - 192 - goodies scanning the 99xx's in your exchange. Some loops allow multi-user capability; thus, many people can talk to each other at the same time, a conference of sorts. Since loops are genuine test functions for the telco during the day, most phreaks scan and use them at night. MA - Ma Bell, the Bell Telesys Company. Telco, etc. See Ma Bell for more information. Ma Bell - The telephone company. The Bell Telesys Phone Company. The company you phreak and hack with. The company that doesn't like you too much. The company you often phuck with, and sometimes phuck up. The company that can phuck u up if u aren't careful. make period - The time when, during pulse dialing, the circuit is closed. In the US, this period is 60ms; however, foreign nations may use a 67ms make period. Make periods are also referred to in percentages, so a 60ms make period would be 60%, a 67ms as 67%. marine verify - Another type of operator. MCI - Yet another LD service that owns many dial-ups in most areas. However, the codes from various areas may not be interchangeable. Not much is known about MCI; however, MCI probably has some sophisticated anti-phreak equipment. The format is ACC-ESS#,12345,(NPA)Nxx-xxxx. MCI Execunet - The calling card equivalent of the regular MCI LD service, but the codes are longer and interchangeable. For the local access port near you, call (800)555-1212. The format for the port will be ACC-ESS#,1234567,(NPA)Nxx-xxxx. Metrofone - Owned by Western Union. A very popular system among fone phreaks. Call Metrofone's operator and ask for the local access number at (800)325-1403. The format is ACC-ESS#,CODE,(NPA)Nxx-xxxx. Metrofone is alleged to place trap codes on phreak BBS's. MF - Multi-Frequency. These are the operator and blue box tones. An MF tone consists of two tones from a set of six master tones which are combined to produce 12 separate tones. These are NOT the same as touch tones. See blue box tones for frequencies. mobile - A type of operator. NAP/PA - North American Pirate/Phreak Association. A large group of bbs boards which include a lot of pirates/phreakers. I'm not quite sure where the group will go from here. - 193 - NON PUB DA - A reverse type of CN/A bureau. You tell the service the name and the locality, they will supply the fone number. However, they will ask for you name, supervisor's name, etc. Use your social engineering skills here (aka, bullshitting skills). You also can get detailed billing information from these bureaus. NPA - Numbering Plan Area. The area code of a certain city/state. For example, on the number (111)222-3333, the NPA would be 111. Area codes never cross state boundaries sans the 800, 700, 900, and special exchanges. Nxx - The exchange or prefix of the area to be dialed. For example of the number (111)222-3333, the Nxx would be 222. OGVT - OutGoing Verification Trunk. OFF-HOOK - To be on-line, to have the switchhook down. To have a closed connection. At this point, you also have a local loop. ON-HOOK - To be off-line, to have the switchhook up. To have an open connection. ONI - Operator Number Identification. Identifies calling numbers when an office is not equipped with CAMA, the calling number is not automatically recorded by CAMA, or has equipment failures, such as ANIF. OPCR - Operator Actions Program. Standard TBOC or equivalent "0" operator. OPEN - Northern Telecom's Open Protocol Enhanced Networks World Program. OSI - Open System Interconnection. Form of telecommunication architechture which will probobly fail to SNA. OST - Originating Station Treatment. OTC - Operating Telefone Company. out-of-band - Type of signaling which sends all of the signaling and supervisory informations, such as ON and OFF HOOK, over separate data links. output device - Any type of interface such as cans, terminal sets, remote switching centers, bridging heads, etc., where the fone lines of the immediate area are relayed to before going to the fone company. These often are those cases painted light green and stand up from the ground. Most of these can be opened with a 7/16 hex driver, turning the security bolt(s) 1/8 of an inch counter-clockwise, and opening. Terminals on - 194 - the inside might be labeled "T" for tip and "R" for ring. Otherwise, the ring side is usually on the right and the tip side is on the left. OUTWATS - Outward Wide Area Telecommunications Service. These are WATS that are used to make outgoing calls ONLY. Paper Clip Method - This method of phreaking was illustrated in the movie War Games. What a phortress fone does to make sure money is in a fone is send an electrical pulse to notify the fone that a coin has been deposited, for the first coin only. However, by simply grounding the positive end of the microphone, enough current and voltage is deferred to the ground to simulate the first quarter in the coin box. An easy way to accomplish this is to connect the center of the mouthpiece to the coin box, touch tone pad, or anything that looks like metal with a piece of wire. A most convenient piece of wire is a bend out of a paper clip. Then you can send red box tones through the line and get free fone calls! Also, telco modified fones may require you to push the clip harder against the mouthpiece, or connect the mouthpiece to the earpiece. If pressing harder against the mouthpiece becomes a problem, pins may be an easier solution. PBX - Private Branch eXchange. A private switchboard used by some big companies that allow access to the OUTWATS line by dialing a 8 or a 9 after inputting a code. PCM - Pulse Code-Modulated trunks. PC Pursuit - A computer oriented LD system, comparable to Telenet, which offers low access rates to 2400 baud users. Hacking on this system is virtually impossible due to the new password format. pen register - A device that the fone company puts on your line if they suspect you are fraudulently using your fone. This will record EVERY SINGLE digit/rotary pulse you enter into the fone as well as other pertinent information, which may include a bit of tapping. Also known as DNR. Phortune 500 - An elite group of users currently paving the way for better quality in their trade. PHRACK - Another phreak/hack oriented newsletter. See reference section, phile 1.6 for more information. PHUN - Phreakers and Hackers Underground Network. They also release a newsletter that is up to #4 at the time of this writing. See phile 1.6 for more information on finding this phile. - 195 - PIN - Personal Identification Number - The last four digits on a calling card that adds to the security of calling cards. plant tests - test numbers which include ANI, ringback, touch tone tests, and other tests the telco uses. Post Office Engineers - The United Kingdom's fone workers. PP - Dial Post-Pay Service. On phortress fones, you are prompted to pay for the call after the called party answers. You can use a clear box to get around this. PPS - Pulses Per Second. printmeter - The United Kingdom's equivalent of a pen register. See pen register for more info. PTE - Packet Transport Equipment. PTL - One of the bigger cracking groups of all time. However, the group has been dying off and only has a few nodes as of this writing. PTS - Position and Trunk Scanner. PTT - Postal Telephone Telegraph. pulse - See rotary phones. purple box - This one would be nice. Free calls to anywhere via blue boxing, become an operator via blue box, conference calling, disconnect fone line(s), tap fones, detect traces, intercept directory assistance calls. Has all red box tones. This one may not be available under ESS. rainbow box - An ultimate box. You can become an operator. You get free calls, blue box. You can set up conference calls. You can forcefully disconnect lines. You can tap lines. You can detect traces, change traces, and trace as well. All incoming calls are free. You can intercept directory assistance. You have a generator for all MF tones. You can mute and redial. You have all the red-box tones. This is an awesome box. However, it does not exist under ESS. RAO - Revenue Accounting Office. The three digit code that sometimes replaces the NPA of some calling cards. RBOC - Regional Bell Operating Company. red box - Equipment that will emulate the red box tone generated for coin recognition in all phortress fones. - 196 - red box tones - Tones that tell the phortress fone how much money was inserted in the fone to make the required call. In one slot fones, these are beeps in pulses; the pulse is a 2200+1700 Hz tone. For quarters, 5 beep tones at 12-17 PPS, for dimes it is 2 beep tones at 5-8.5 PPS, and a nickel causes 1 beep tone at 5-8.5 PPS. For three slot fones, the tones are different. Instead of beeps, they are straight dual tones. For a nickel, it is one bell at 1050-1100 Hz, two bells for a dime, and one gong at 800 Hz for a quarter. When using red box tones, you must insert at least one nickel before playing the tones, cuz a ground test takes place to make sure some money has been inserted. The ground test may be fooled by the Paper Clip Method. Also, it has been known that TSPS can detect certain red box tones, and will record all data on AMA or CAMA of fraudulent activity. regional center - Any class 1 switching office in North America. REMOB - Method of tapping into lines by entering a code and the 7 digit number you want to monitor, from ACD Test Mode. A possibility of this may be mass conferencing. ring - The red wire found in fone jacks and most fone equipment. The ring also is less positive than the tip. When looking at a fone plug on the end of typical 4 wire fone line from the top, let's say the top is the side with the hook, the ring will be the middle-right wire. Remember, the ring is red, and to the right. The three "R's" revived! ring-around-the-rosy - 9 connections in tandem which would cause an endless loop connection and has never occurred in fone history. ringback - A testing number that the fone company uses to have your fone ring back after you hang up. You usually input the three digit ringback number and then the last four digits to the fone number you are calling from. ring trip - The CO process involved with stopping the AC ringing signal when a fone goes OFF-HOOK. rotary phone - The dial or pulse phone that works by hooking and un-hooking the fone rapidly in secession that is directly related to the number you dialed. These will not work if another phone with the same number is off-hook at the time of dialing. Rout & Rate - Yet another type of operator; assists your TSPS operator with rates and routings. This once can be reached at KP+800+141+1212+ST. RPE - Remote Peripheral Equipment. - 197 - RQS - The Rate Quote System. This is the TSPS operator's rate/quote system. This is a method your '0' operator gets info without dialing the rate and route operator. The number is KP+009+ST. RSU - Remote Switching Unit. The class 4X office that can have an unattended exchange attached to it. RTA - Remote Trunk Arrangement. SAC - Special Area Code. Separate listing of area codes, usually for special services such as TWX's, WATS, or DIAL-IT services. SCC - Specialized Common Carriers. Common Nxx numbers that are specialized for a certain purpose. An example is the 950 exchange. sectional center - Any class 2 switching office in North America. service monitoring - This is the technical name of phone tapping. SF - Supervision Control Frequency. The 2600 Hz tone which seizes any open trunk, which can be blue boxed off of. short-haul - Also known as a local call. signalling - The process by which a caller or equipment on the transmitting end of a line in: forms a particular party or equipment at the receiving end that a message is to be communicated. Signalling is also the supervisory information which lets the caller know the called know the called party is ready to talk, the line is busy, or the called party has hung up. silver box - Equipment that will allow you to emulate the DTMF tones A,B,C,D. The MF tones are, in hertz, A=697+1633, B=770+1633, C=852+1633, D=941+1633. These allow special functions from regular fones, such as ACD Testing Mode. Skyline - Service owned by IBM, Comsat, and AEtna. It has a local access number in the 950 exchange. The fone number is 950-1088. The code is either a 6 or 8 digit number. This company is alleged to be VERY dangerous. SNA - System Network Architechture, by IBM. A possible future standard of architechture only competed by OSI. SOST - Special Operator Service Treatment. These include calls which must be transferred to a SOST switchboard before they can be processed; services such as conferences, appointments, mobile, etc. - 198 - SPC - Stored Program Control. Form of switching the US has heavily invested in. Sprint - One of the first LD services, also known as SPC. Sprint owns many extender services and is not considered safe. It is common knowledge that Sprint has declared war on fone phreakers. SSAS - Station Signaling and Announcement System. System on most fortress fones that will prompt caller for money after the number, usually LD numbers, has been dialed, or the balance due before the call will be allowed to connect. stacking tandems - The art of busying out all trunks between two points. This one is very amusing. STart - Pulse that is transmitted after the KP+NPA+Nxx+xxxx through operator or blue boxed calls. This pulse is, in hertz, 1500+1700. station # - The last four digits in any seven digit fone number. STD - Subscriber Trunk Dialing. Mechanism in the United Kingdom which takes a call from the local lines and legimately elevates it to a trunk or international level. step crashing - Method of using a rotary fone to break into a busy line. Example, you use a rotary fone to dial Nxx-xxx8 and you get a busy signal. Hang up and dial Nxx-xxx7 and in between the last pulse of your rotary dial and before the fone would begin to ring, you can flash your switchhook extremely fast. If you do it right, you will hear an enormous "CLICK" and all of a sudden, you will cut into your party's conversation. STPS - Signal Transfer PointS. Associated with various switching machines and the new CCIS system. switchhook - The button on your fone that, when depressed, hangs the fone up. These can be used to emulate rotary dial fones if used correctly. SxS - Step-By-Step. Also known as the Strowger Switch or the two-motion switch. This is the switching equipment Bell began using in 1918. However, because of its limitations, such as no direct use of DTMF and maintenance problems, the fone company has been upgrading since. You can identify SxS switching offices by lack of DTMF or pulsing digits after dialing DTMF, if you go near the CO it will sound like a typewriter testing factory, lack of speed calling, lack of special services like call forwarding and call waiting, and fortress fones want your money first, before the dial tone. - 199 - TAP - The "official" phone phreak's newsletter. Previously YIPL. T&C - Time and Charge. tapping - To listen in to a phone call taking place. The fone company calls this "service monitoring." TASI - Time Assignment Speech Interpolation. This is used on satellite trunks, and basically allows more than one person to use a trunk by putting them on while the other person isn't talking. Telenet - A computer-oriented system of relay stations which relay computer calls to LD numbers. Telenet has a vast array of access ports accessible at certain baud rates. Tel-Tec - Another LD company that usually give out a weak connection. The format is (800)323-3026,123456,(NPA)Nxx-xxxx. Tel-Tex - A subsidiary of Tel-Tec, but is only used in Texas. The number is *800)432-2071 and the format is the same as above. terminal - A point where information may enter or leave a communication network. Also, any device that is capable of sending and/or receiving data over a communication channel. tip - The green wire found in fone jacks and most fone equipment. The tip is the more positive wire compared to the ring. When looking at a fone plug from the top, lets say the hook side is the top, the tip will be the middle wire on the left. toll center - Any class 4 switching office located in North America. toll point - Any class 4P switching office in North America. Toll LIB - Reverse CN/A bureau. See NON PUB DA for more info. touch tone phone - A phone that uses the DTMF system to place calls. touch tone test - This is another test number the fone company uses. You dial the ringback number and have the fone ring back. Then, when you pick it up, you will hear a tone. Press your touch-tone digits 1-0. If they are correct, the fone will beep twice. trace - Something you don't want any fone company to do to you. This is when the fone company you are phucking with flips a - 200 - switch and they find the number you are calling from. Sometimes the fone company will use ANI or trap and trace methods to locate you. Then the local Gestapo home in and terminate the caller if discovered. trap and trace - A method used by the FBI and some step offices that forces a voltage through the line and traces simultaneously, which mean that you can't hang up unless the Pheds do, and pray you aren't calling from your own house. Trap and trace is also known as the lock-in-trace. trap codes - Working codes owned by the LD company, not a customer, that, when used, will send a "trouble card" to Ma Bell, no matter what company the card is coming from, and ESS will immediately trace the call. Trap codes have been in use for some time now, and it is considered safer to self-hack codes opposed to leeching them off of BBS's, since some LD companies post these codes on phreak oriented BBS's. Travelnet - Service owned by GM that uses WATS as well as local access numbers. Travelnet also accepts voice validation for its LD codes. TSPS - Traffic Service Position System. Operator that usually is the one that obtains billing information for Calling Card or 3rd number calls, identifies called customer on person-to-person calls, obtains acceptance of charges on collect calls, or identifies calling numbers. These operators have an ANI board and are the most dangerous type of operator. TWX - Telex II consisting of 5 teletypewriter area codes. These are owned by Western Union. These may be reached via another TWX machine running at 110 baud. You can send TWX messages via Easylink (800)325-4122. USDN - United States Digital Network. The US's version of the ISDN network. videotext - Generic term for a class of two-way, interactive data distribution systems with output typically handled as in teletext systems and input typically accepted through the telephone or public data network. WATS - Wide Area Telecommunications Service. These can be IN or OUT, see the appropriate sections. WATS Extender - These are the LD companies everyone hacks and phreaks off of in the 800 NPA. Remember, INWATS + OUTWATS = WATS Extender. white box - This is a portable DTMF keypad. - 201 - XBAR - Crossbar. Crossbar is another type of switching equipment the fone company uses in some areas. There are three major types of Crossbar systems called No.1 Crossbar (1XB), No.4 Crossbar (4XB), and No.5 Crossbar (5XB). 5XB has been the primary end office switch of MA since the 60's and is still in wide use. There is also Crossbar Tandem (XBT) used for toll-switching. XBT - Crossbar Tandem. Used for toll-switching. See XBAR. YIPL - The classic "official" phreak's magazine. Now TAP. Other Fone Information ====================== Voltages & Technical Stuff -------------------------- When your telephone is ON-HOOK, there is 48 volts of DC across the tip and the ring. When the handset of a fone is lifted a few switches close which cause a loop to become connected between you and the fone company, or OFF-HOOK. This is also known as the local loop. Once this happens, the DC current is able to flow through your fone with less resistance. This causes a relay to energize which causes other CO equipment to realize that you want service. Eventually, you will end up with a dial tone. This also causes the 48 VDC to drop down to around 12 VDC. The resistance of the loop also drops below the 2500 ohm level; FCC licensed telephone equipment must have an OFF-HOOK impedance of 600 ohms. When your fone rings, the telco sends 90 volts of pulsing AC down the line at around 15-60 Hz, usually 20 Hz. In most cases, this causes a metal armature to be attracted alternately between two electromagnets; thus, the armature often ends up striking two bells of some sort, the ring you often hear when non-electronic fones receive a call. Today, these mechanical ringers can be replaced with more modern electronic bells and other annoying signaling devices, which also explains why deaf people can have lights and other equipment attached to their fones instead of ringers. When you dial on a fone, there are two common types of dialing, pulse and DTMF. If you are like me, you probably don't like either and thought about using MF or blue box tones. Dialing rotary breaks and makes connections in the fone loop, and the telco uses this to signal to their equipment that you are placing a call. Since it is one fone that is disconnecting and reconnecting the fone line, if someone else picks up another fone on the same extension, both cannot make pulse fone calls until one hangs up. DTMF, on the other hand, is a more modern piece of equipment and relies on tones generated by a keypad, which can be characterized by a 0,1,2,3,4,5,6,7,8,9/A,B,C,D keypad. Most fones don't have - 202 - an A,B,C,D keypad, for these frequencies are used by the telco for test and other purposes. Scanning Phun Fone Stuff ------------------------ Scanning is the act of either randomly or sequentially dialing fone numbers in a certain exchange when you are looking for several different things. These things could be carriers, extenders, ANI, "bug tracers," loops, as well as many other interesting "goodies" the fone company uses for test purposes. When scanning for carriers, your local BBS probably has some scanning programs, as these became popular after the movie WARGAMES, but what these do are to call every fone in an exchange, or a specified range of fone numbers in certain exchanges to look for possible carriers and other interesting computer equipment. So, if your computer finds a carrier, or what seems like a carrier, it will either print it out or save it in some file for later reference. With these carriers one finds, one can either call them and find out what each is or, if one of them is interesting, one can hack or attempt to break into some interesting systems available, not to the general public, of course. Scanning telephone "goodies" requires time and patience. These goodies usually cannot be traced by most unmodified modems, as the frequencies and voice transmissions cannot be differentiated from other disturbances, such as the annoying operator saying, "We're sorry... blah blah..". Anyway, to scan these, you usually get a regular carrier scanner and, with the modem speaker on, sit by your wonderful computer and listen in on the scanning for any interesting tones, voices, or silences, which could be telco fone phun numbers, for us of course! Then write these down, and spread them around, use, abuze, etc. if you dare. Anyway, most telefone goodies are located in the 99xx suffixes of any fone exchange. If you found everything you think in the exchanges you have scanned, try the 0xxx and 1xxx suffixes in that order. You might even find loops, ANI, and other phun things if you mess around enough. References & Suggested Reading ============================== The following is a list of references and suggested reading for the beginning, as well as advanced phreak. See you local fone phreak for these, or call your local phreak oriented BBS for information regarding these publications. 2600 Magazine Aqua Box, The By Captain Xerox & The Traveler - 203 - Basic Alliance Teleconferencing By The Trooper Bell Hell By The Dutchman & The Neon Knights Better Homes And Blue Boxing By Mark Tabas BIOC Agent 003's Course In Basic Telecommunications By BIOC Agent 003 History Of British Phreaking, By Lex Luthor & The Legion Of Doom Home Phone Tips By 13th Floor Enterprises How To Build A Blotto Box By The Traveler How To Build A Cheese Box By Mother Phucker Introducing The Beige Box - Construction & Use By The Exterminator and The Terminal Man Integrated Services Digital Network [ISDN] By Zander Zan LOD/H Technical Journal Loops I've Known And Loved By Phred Phreak PHRACK Magazine Edited By Taran King and Knight Lightning UMCVMB - 204 - 950's: The Real Story: by Jester Ever heard (actually, seen) people on various hacking boards around the country telling you how you are going to get caught for sure if you use the in state-WATS (950) telephone numbers to make your phreaks off of? This file is to tell you what the story is with 950's and how to SAFELY use them. The 950 prefix was created by the old Bell System for all the SSC's (Specialized Common Carrier), or Extenders as they are called, to place their services upon. This was done for the long distance company's benefit so they could have the same dialup in all cities across the USA. For some reason, the Long Distance companies rejected the 950 prefix in favor of local lines and 1-800 numbers. Disadvantages to 950's are that they are run on a special ESS of their own that can trace you call before you can say 'shit!'. But tracing only occurs on special occasions. The companies on 950's will only trace when the computer controlling the calls sees that there is an unusually high number of calls to the extender on that particular day. The computer then will auto-trace every 100th call or so. Which means that, if used in moderation, 950's are fantastic! Advantages: By having the same dialup in all cities, you can go on vacation and just hack codez to use for while you are there on your favorite 950 extender. Being a free call (in most cases, some phones not) from a pay phone, this is very advantageous. Also, and anyone who has used a 950 knows this, the connections on 950 extenders are VERY clear usually, making for excellent error-free data transfer on AE lines, etc. With the breakup of the Bell System in January of 1984, the 950 prefix was supposed to be dragged down with it and the companies were supposed to have switched over to either local or 1-800 numbers, but as is very typical of the phone company, they never got around to it. Here is the list of the 950's that are currently in use in the U.S. : 950-1000..........Southern Pacific Communications 950-1022..........MCI Exec-U-Net 950-1033..........U.S. Telephone 950-1044..........AllNet 950-1066..........Lexitel 950-1088..........SBS Skyline Personally, I favor the use of 950-1088, because it has many users and the codez (which, by the way are 6 digits, but they are switching over to 8 igits) are easy to hack out from a pay phone. You may want to try the other services so you can have a few codez from each available for use. - 205 - Automatic Number Identifier: By Jester Automatic Number Identification Automatic Number Identification (ANI) is nothing more than automatic means for immediately identifying the Directory Number of a calling subscriber. This process made it possible to utilize CAMA* (Centralized Automatic Message Accounting) systems in SxS, Panel, and Xbar #1 offices. The identity of the calling line is determined by ANI circuits installed in the types of CO's mentioned above. Xbar#5 offices have their own AMA (Automatic Message Accounting) equipment and utilize an AMA translator for automatically identifying the calling line. Before ANI was developed, each subscriber line (also called a local loop) had a mechanical marking device that kept track of toll charges. These devices were manually photographed at the end of the billing period and the amount of the subscribers bill was determined from that. This process was time consuming, so a new system (ANI) was developed. The major components of the ANI system used in SxS and Crossbar #1 are: Directory number network and bus arrangement* for connecting the sleeve (the lead that is added to the R(ing) and T(ip) wires of a cable pair at the MDF* (Main Distribution Frame)); A lead of each line number through an identifier connector to the identifier circuit; Outpulser and Identifier connector circuit to seize an idle Identifier; Identifier circuit to ascertain the calling party's number and send it to the outpulser for subsequent transmission through the outpulser link to the ANI outgoing trunk; An ANI outgoing trunk to a Tandem office equipped with a CAMA system. The following is a synopsis of the ANI operations with respect to a toll call through a #1Xbar office. The call is handled in the normal manner by the CO equipment and is routed through an ANI outgoing trunk to a Tandem office. The identification process starts as soon as all digits of the called number are received by the CAMA sender in the Tandem office and when the district juncture in the Xbar office advances to its cut-through position (a position of the connecting circuits or paths between the line-link and trunk-link frames in the CO). Upon receiving the start identification signal from the CAMA equipment, the ANI outgoing trunk (OGT) establishes a connection through an outpulser link to an idle outpulser circuit. An idle identifier is then seized by the outpulser circuit through an internal Identifier connector unit. Then the identifier through the connector unit connects to the directory number network and bus system. - 206 - At the same time, the identifier will signal the ANI trunk to apply a 5800Hz identification tone to the sleeve lead of the ANI trunk. The tone is transmitted at a two-volt level over the S lead paths through the directory number network and bus system. It will be attenuated or decreased to the microvolt range by the time the identifier circuit is reached, necessitating a 120dB voltage amplification by the amplifier detector equipment in the identifier to insure proper digit identification and registration operations. A single ANI installation can serve as many as six CO's in a multi-office building. The identifier starts its search for the calling line number by testing or scanning successively the thousands secondary buses of each CO. When the 5800Hz signal is detected, the identifier grounds corresponding leads to the outpulser, to first register the digit of the calling office and then the thousands digit of the calling subscriber's number. The outpulser immediately translates the digit representing the calling office code into its own corresponding three digit office code. The identifier continues its scanning process successively on the groups of hundreds, tens, and units secondary buses in the calling office, and the identified digits of the calling number are also registered and translated in the outpulser's relay equipment for transmission to the tandem office. The outpulser is equipped with checking and timing features to promptly detect and record troubles encountered (This process may be responsible for some of the cards found while trashing). Upon completion of the scanning process, it releases the identifier and proceeds to outpulse in MF tones the complete calling subscriber's number to the CAMA equipment in the tandem office in the format of KP+X+PRE+SUFF+ST where the X is an information digit. The information digits are as follows: 0-Automatic Identification (normal) 1-Operator Identification (ONI)* 2-Identification Failure (ANIF)* (There is also other types of outpulsing of ANI information if the calling line has some sort of restriction on it). When all digits have been transmitted and the ANI trunk is cut-through for talking, the outpulser releases. In the tandem office, the calling party's number is recorded on tape in the CAMA equipment together with other data required for billing purposes. This information, including the time of when the called station answered and the time of disconnect, goes on AMA tapes. The tapes themselves are usually standard reel to reel magnetic tape, and are sent to the Revenue Accounting Office or RAO at the end of the billing period. - 207 - So, to sum the entire ANI process up: The toll call is made. The CO routes the call through ANI trunks where an idle identifier is seized which then connects to the directory number network and bus system while signalling the ANI trunk to apply the needed 5800Hz tone to the Sleeve. The identifier begins a scanning process and determines the calling office number and the digits of the calling subscriber's number, which is sent by way of the outpulser in MF tones to the CAMA equipment in the tandem office. The call information is recorded onto AMA tapes and used to determine billing. Note that your number does show up on the AMA tape, if the circumstances are correct, (any toll call, whether it is from a message-rate line or from a flat-rate line). However, the AMA tapes do not record the calling line number in any separated format. They are recorded on a first-come, first-serve basis. Misc. Footnotes (denoted by an asterisk in the main article) --------------- * ANIF-Automatic Number Identification Failure. This is when the ANI equipment does not work properly, and could occur due to a wide variety of technicalities. When ANIF occurs, something called ONI (Operator Number Identification) is used. The call is forwarded to a TSPS operator who requests the calling line number by saying something similar to 'What number are you calling from?' * CAMA-Centralized Automatic Message Accounting. CAMA is a system that records call details for billing purposes. CAMA is used from a centralized location, usually a Tandem office. CAMA is usually used to serve class 5 End Offices in a rural area near a large city which contains a Tandem or Toll Office. CAMA is similar to LAMA, except LAMA is localized in a specific CO and CAMA is not. * The Directory Number Network and bus system is a network involved with the ANI process. It is a grid of vertical and horizontal buses, grouped and classified as Primary or Secondary. There are 100 vertical and 100 horizontal buses in the Primary system. In the Secondary system, there are two sub-groups: Bus system #1 and Bus system #2, both of which have ten horizontal and vertical buses. These buses as a whole are linked to the Identifier in the ANI trunk and are responsible for identifying tens, hundreds, thousands and units digits of the calling number (After the Identifier begins its scanning process). * MDF-Main Distribution Frame. This is the area where all cable pairs of a certain office meet, and a third wire, the Sleeve wire, is added. The Sleeve wire is what is used in gathering ANI - 208 - information, as well as determining a called lines status (off/on hook) in certain switching systems by presence of voltage. (voltage present on Sleeve, line is busy, no voltage, line is idle.) * ONI-Operator Number Identification. See ANIF footnote. NOTE: There are also other forms of Automatic Message Accounting, such as LAMA (Local Automatic Message Accounting). LAMA is used in the class 5 End Office as opposed to CAMA in a Toll Office. If your End Office had LAMA, then the ANI information would be recorded at the local level and sent from there. The LAMA arrangement may be computerized, in which it would denoted with a C included (LAMA-C or C-LAMA). - 209 -