English version

Домой   Новости   Радио   Карточки   Кодграберы   Мобилки   Телефония   АТС   Пейджинг   Транки   Жучки   Форум


Журнал Phrack Magazine #11

                               ==Phrack Inc.==

                   Volume Two, Issue Eleven, Phile #1 of 12


         Welcome to Issue Eleven of the Phrack Inc. electronic newsletter.
This issue, I was a bit more reliable about getting the issue out (yes, only 3
days late!).  This issue did not come together as easily as I would have hoped
due to a number of people being difficult to get a hold of or getting their
files, but I filled their places in with other files, so if you had been told
you would have a file in this issue, get in contact with me so that it will be
featured in Issue Twelve.  The following files are featured in this edition of
Phrack Inc.:

#1  Index to Phrack Eleven by Taran King (1.7K)
#2  Phrack Pro-Phile VIII on Wizard of Arpanet by Taran King (6.8K)
#3  PACT: Prefix Access Code Translator by The Executioner (7.6K)
#4  Hacking Voice Mail Systems by Black Knight from 713 (6.0K)
#5  Simple Data Encryption or Digital Electronics 101 by The Leftist (4.1K)
#6  AIS - Automatic Intercept System by Taran King (15.9K)
#7  Hacking Primos I, II, III by Evil Jay (6.7K)
#8  Telephone Signalling Methods by Doom Prophet (7.3K)
#9  Cellular Spoofing By Electronic Serial Numbers donated by Amadeus (15.2K)
#10 Busy Line Verification by Phantom Phreaker (10.0K)
#11 Phrack World News X by Knight Lightning
#12 Phrack World News XI by knight Lightning

                                            Taran King
                                   Sysop of Metal Shop Private

                               ==Phrack Inc.==

                   Volume Two, Issue Eleven, Phile #2 of 12

                          ==Phrack Pro-Phile VIII==

                      Written and Created by Taran King


         Welcome to Phrack Pro-Phile VIII.  Phrack Pro-Phile is created to
bring info to you, the users, about old or highly important/controversial
people.  This month, I bring to you one of the older and high profile phreaks
of the past...

                              Wizard of Arpanet

         Wizard of Arpanet is one of the older of the phreak/hack generation.
His main accomplishments include running Inner Circle and Secret Service BBS.

                       Handle: Wizard of Arpanet
                     Call him: Eric
                 Past handles: The Hacker and The Priest
                Handle Origin: A real programmer on Arpanet was called The
                               Wizard and Eric took his handle from him.
                Date of Birth: 02/26/69
Age in 9 days of this writing: 18 years old
                       Height: 6'1"
                       Weight: 150 lbs
                    Eye color: Blue
                   Hair color: Dishwaterish blond
                    Computers: Atari 400, Commodore 64
            Sysop/Co-sysop of: Secret Service

         Wizard of Arpanet started as your average BBS caller.  He eventually
called Central Processing Unit (a local board to him), and there were these
funny numbers on the board.  He called and tried to connect with his modem,
but they turned out to be Sprint dial-ups.  The CPU Sysop informed him of what
to do and he started calling national BBSs.  Boards that helped him to advance
include the Twilight Zone (the sysop was the guy that wrote T-Net), OSUNY,
Dragon's Lair, and Delta BBS.  Wizard organized various groups which included
(from earliest to most recent): PHA (Phreakers and Hackers of America) -
(included Deep Throat, Phreak King, and Psycho Killer), The Inner Circle (1st
one) (included Shockwave Rider, and Satan Knight aka Redrum), and The 2nd
Inner Circle (included The Cracker, Mr. America, Napoleon Bonapart, Stainless
Steal Rat, Big Brother, Mr. Xerox, Bootleg, Maxwell Wilke, Mandrake The
Magician, and Zaphod Beeblebrox).

         Eric got the number to Arpanet from Dark Dante, and got on the MIT
Research System from looking through TAC News.  One night he got like 50-60
accounts on the Unix and changed all of the passwords to WIZARD.

         Stainless Steal Rat, the Sysop of Delta BBS, and The Myth were all up
from NJ one weekend, and they were staying the weekend at John Maxfield's
house.  They went to John's office.  Wizard asked Maxfield if he could use his
computer to print out some things he had with him and he printed out some
stuff from the Stanford Artificial Intelligence address list for Arpanet.
John was amazed.  "Wow," he said, "I have prime evidence on you." (TK: This
may not for sure be an exact quote).  He then proceeded to bust our friend,
Eric, the next week.  He also had a lot of stuff from AUTOVON from some fellow
in Washington and started playing with the FTS lines (Federal Telephone
System) which he found from, none other than, John Maxfield.  They had found
the default passwords for TeleMail too, and got the administrator accounts and
set up their own BBS on Nassau and Coca-Cola systems plus anywhere else
possible.  And all of a sudden, it all came down when Mandrake decided to
crash parts of TeleMail.  Enter, Federal Bureau of Investigations.  They had
been monitoring Eric for 6 months looking for some evidence to get him on.
And thus, they got it.  Nothing really happened, but he had to get a lawyer
and he got some publicity in the paper.  After 90 days, everything they had
taken, with the exception of a few documents, was sent back.  During those 90
days, Eric worked as a computer security consultant at a bank making $200 an
hour (2 hours...).

         The only "phreaks" he's met are Stainless Steal Rat and Cable Pair.

         Eric has been mentioned on local TV/News, in newspapers, USA Today,
NY Times, Washington Post, Books, and Britannica Encyclopedia (look under


         Interests: Music (preferably jazz, reggae, new wave), Eastern
                    philosophy (Zen Buddhism), reading Jack Kerouac books (a
                    great beatnik writer), driving aimlessly, slowly becoming
                    a social recluse, physics, and Greek mathematicians.

Eric's Favorite Things

                    Women: The pursuit thereof (Karen Wilder).
                    Foods: Chinese.
                     Cars: BMW 320-I.
                   Artist: Salvador Dali.
Plans for next few months: Next year and a half - travelling to Montreal in
                           April for a week of leisure, then jetting back to
                           beautiful Detroit and continuing his studies at
                           Eisenhower High School.

Most Memorable Experiences

Realizing all at once that everything you did 3 years ago was stupid.
Growing into a new person.
Gaining morals and new ideas and a new outlook.

Some People to Mention

Tuc (For telling him about boxing).
Tom Tone (For calling him on his first conference).
Magnetic Surfer (Talking to him for the first time after Sherwood Forest went
                 down voice).
John Maxfield (Meeting him).
Stainless Steal Rat (Meeting him...with John Maxfield).
Dark Dante (One of the legends phreakdom).


         Always follow your instinct and not your desire for you will be
sorry because you will be lying to yourself.


I hope you enjoyed this file.  Look forward to more Phrack Pro-Philes coming
in the near future.  ...And now for the regularly taken poll from all

Of the general population of phreaks you have met, would you consider most
phreaks, if any, to be computer geeks?  No, says Eric, he considers them a new
breed of intellect.  Thanks for your time, Eric.

                                            Taran King
                                   Sysop of Metal Shop Private

                               ==Phrack Inc.==

                     Volume Two, Issue Eleven, Phile #3 of 12

             .___.                                              .___.
             |___|                                              |___|
             |                                                  |
            /^\                                                /^\
            \^/               ^                 ^              \^/
            |S|  P          ^[+]The Executioner[+]^         P  |S|
            |e| PLP       ^[+]PhoneLine Phantoms![+]^      PLP |e|
            |x|  P _____[+]The Network Technicians[+]______ P  |x|
            |y|   ^        ------------------------       ^    |y|
            |-|  [+] PACT: Prefix Access Code Translator [+]   |-|
            |T|   ^ ====================================  ^    |T|
            |N|  [+]Written for PHRACK Inc. Issue Eleven.[+]   |N|
            |T|                                                |T|
            |-|_______.  Call Phreak Klass, Room 2600  ._______|-|
            |PHRACK XI| [806][799][0016] Login:EDUCATE |PHRACK XI|
            --------| |________________________________| |--------

     The PACT (Prefix Access Code Translator) feature provides preliminary
translation data for features using access codes that are prefixed by a
special code. A standard numbering and dialing plan requires that individual
line and small business customers' (custom) calling use prefixed access code
dialing for feature access.  PACT is offered on a per office basis. The PACT
is NOT used for the interpretation of Centrex dialing customers.
     When a call is originated by the customer, a call register is used to
store the data about the call. The customer dials a prefix and a 2 digit
access code (table a). The PACT then looks at the digits to determine what
action should take place. Reorder or special service error messages will be
heard if you enter an unassigned code. If the code is accepted, then that
particular action will be performed. The PACT consists of the PACT head table
and the prefixed access code translator. The PACT feature allows the dialing
of a special code for a prefix. These are the '*' and '#'. If you have rotary,
then '11' and '12' are used respectively. To use PACT, the prefix must be
followed by a 2-digit code. This combination is then defined in terms of type
and subtype (table b).

                                   TABLE A
         | Access Code            |        Description of function  |
         | *2X - *3X (x= 0-9)     | Growth to 2 or 3 digit codes    |
         |                        | (Future may call for these)     |
         |                        |                                 |
         | *4X - *5X - *7X        | Local Area Signalling Services  |
         |                        |                                 |
         |       *72              | Call Forwarding Activation      |
         |                        |                                 |
         |       *73              | Call Forwarding Deactivation    |
         |                        |                                 |
         |       *74              | 1-digit speed dialing           |
         |                        |                                 |
         |       *75              | 2-digit speed dialing           |
         |                        |                                 |
         |       #56              | Circuit Switched Digital        |
         |                        | Capability                      |

    The subtranslator is always built 100 words long. A word is a binary code
which, when sent as a whole, act as a command. One word is equal to a 2-digit
access code. This subtranslator contains the PTW (Primary Translation Word).
The PTW contains the feature type subtype and feature subtype index to
determine the function of the dialed code. The feature subtype allows four
subtype tables to exist for feature type 31 (LASS). Index 0 is for LASS. Index
1 is used for LASS on a pay per usage basis. Index 2 and 3 are currently not

                       TABLE B (written in report form)

Feature Type: 0 (Unassigned)

Feature Type: 1 (1-digit abbr. dialing)

   Subtypes: 0 (Speed Call)
             1 (Change the Speed Call List)
             2 (Invalid)

Feature Type: 2 (2-digit dialing.)

   Subtypes: (Same as Feature 1)

Feature Type: 3 (Circuit Switch Digital Capability)

   Subtype: 1 (CSDC 56 kilo bit service)

Feature Type: 4 (Usage Sensitive 3-way)

Feature Type: 5 (Cancel Call Waiting)

Feature Type: 20 (Call Forwarding Activate)

Feature Type: 21 (Call Forwarding deactivate)

Feature Type: 22 (Project Acct. Service (Autoplex))

Feature Type: 26 (Customer changeable Inter LATA carrier)

Feature Type: 27 (Voice/Data Protection)

Feature Type: 28 (MDS-Message Desk Service)

   Subtypes: 0 (MDS activation)
             1 (MDS deactivation)

Feature Type: 30 (Residence Data Facility Pooling)

Feature Type: 31 (Local Area Signalling Services-LASS)
[index 0]

   Subtypes: 0 (AR-Automatic Recall {Incoming Calls})
             1 (AR-Outgoing calls)
             2 (AR activation incoming/outgoing)
             3 (AR deactivation)
             4 (Customer Originated Trace Activation)
             5 (Distinctive Alert Activation)
             6 (ICLID activation)
             7 (Selective Call Rejection Activation)
             8 (Selective Call Forwarding activation)
             9 (Private Call Activation)
            10 (Distinctive Alert -OFF)
            11 (ICLID-OFF)
            12 (SCR-OFF)
            13 (SCF-OFF)
            14 (Private Call-OFF)
            15 (Distinctive Alert ON/OFF) toggle for opposite
            16 ICLID toggle on/off
            17 SCR toggle on/off
            18 SCF toggle on/off
            19 Private Call on/off
            20 Selective Call Acceptance-ON
            21 SCA OFF
            22 SCA toggle on/off
            23 (Computer Access Restriction) on
            24 CAR off
            25 CAR on/off
         26-31 (reserved for future LASS functions)

Index 1 Pay Per View

       subtype: 0 (Order placement)
                1 (Order Cancel)

     The PACT function is extremely important for LASS functions. PACT is what
lets you tell your switch what you want done. Without the PACT, communication
between you and your CO would not exist. PACT is the base foundation for the
use access codes.
         = If you have any questions or comments, please leave mail =
         = either on Phreak Klass Room 2600 or at 214-733-5283.     =
         = (c) The Executioner/PLP/TNT                              =

                               ==Phrack Inc.==

                   Volume Two, Issue Eleven, Phile #4 of 12

             +=+         Hacking Voice Mail Systems          +=+
             +=+           Written for Phrack XI             +=+
             +=+         by:-> Black Knight from 713         +=+

Voice Mail is a relatively new concept and not much has been said about it.
It is a very useful tool for the business person and the phreak.  The way it
works is that somebody wishing to get in touch with you calls a number,
usually a 1-800, and punches in on his touch-pad your mailbox number and then
he is able to leave a message for you.  Business experts report that this
almost totally eliminates telephone tag.  When a person wishes to pick up his
message all he needs to do is call the number enter a certain code and he can
hear his messages, transfer them, and do other misc. mailbox utilities.

Most VMSs are similar in the way they work.  There are a few different ways
the VMSs store the voice.  One way is that the voice is recorded digitally and
compressed and when heard it is reproduced back into the voice that recorded
it. Another method that is slower and uses more space, but costs less, stores
the voice on magnetic tape, the same type that is used to store data on a
computer, and then runs the tape at a slow speed.  Using this method the voice
does not need to be reproduced in any way and will sound normal as long as the
tape is running at a constant speed.  On some of the newer VMSs the voice is
digitally recorded and is transformed from the magnetic tape at about 2400
bits per second.

There are many different types and versions of voice mail systems.  Some of
the best and easiest to get on will be discussed.

These are direct dial (you don't have to enter a box number).  To get on one
of these, first have a number to any box on the system.  All of the other
boxes will be on the same prefix; just start scanning them until you find one
that has a message saying that person you are calling is not available.  This
usually means that the box has not been assigned to anybody yet.  Before the
nice lady's voice tells you to leave the message, hit #.  You will then be
prompted for your password.  The password will usually be the same as the last
four digits of the box's number or a simple number like 1000, 2000, etc.  Once
you get on, they are very user friendly and will prompt you with a menu of
options.  If you can't find any empty boxes or want to do more, you can hack
but the system administrators box, which will usually be 9999 on the same
prefix as the other boxes, will allow you to hear anybody's messages and
create and delete boxes.

Sperry Link
These systems are very nice.  They will usually be found on an 800 number.
These are one of the hardest to get a box on because you must hack out a user
ID (different from the person's box number) and a password.  When it answers,
if it says, "This is a Sperry Link voice station.  Please enter your user ID,"
you will have to start trying to find a valid user ID.  On most Sperrys it
will be a five digit number.  If it answers and says, "This is an X answering
service," you first have to hit *# to get the user number prompt.  Once you
get a valid user number will have to guess the password on most systems, it
will be 4 digits.  Once you get in, these are also very user friendly and have
many different options available.

This is probably one of the worst VMSs but it is by far the easiest to get
yourself a box.  When it answers you can hit * for a directory of the boxes on
it (it will only hold 23).  If you hit # you will be given a menu of options
and when you choose an option you will then be prompted for your ID number.
The ID number on an RSVP system will just about always be the same as the
mailbox number, which are always only 2 digits.

The Aspen voice message systems made by Octel Telecommunications is in my
opinion the BEST VMS made.  To get a box on an Aspen, you need to find an
empty box.  To find an empty box, scan the box numbers and if one says, "You
entered XXXX.  Please leave a message at the tone," then this is an empty box.
You next just press # and when prompted for your box number enter the number
of the empty box and friendly voice of the nice lady will guide you through
all of the steps of setting up your box.  She first tells you what you can do
with the box and then will prompt you with, "Please enter the temporary
password assigned to you by your system manager."  This password will usually
be 4 digits long and the same as the box number like 1000, etc.  Once you get
on their are many things you can do.  You can make a distribution list where
if you want to leave a certain message to more than one person, you can enter
the list number and all of the boxes on the list will get the message. You can
also have the system call you and notify you that you have new messages. These
systems also have what they call "Information center mailboxes" that are
listen only and can also have a password on them so the person calling has to
enter the password before he hears the greeting message.  Aspen VMSs have a
system managers mailbox that will just about give you total control of the
whole system and let you listen to people's mail, create and delete boxes, and
many other things.

Thank you for reading this file and if you would like to get in touch with me
VIA VOICE MAIL call 1-800-222-0311 and hit *2155.

                        //--Black Knight from 713--\\
                        |     for PHRACK XI (1987)  |

                               ==Phrack Inc.==

                   Volume Two, Issue Eleven, Phile #5 of 12

                           {Simple Data Encryption}
                               By:{The Leftist}


Well, it's been awhile since I've done one of my activities files. This time
I've switched from chemistry to electronics. Hopefully, I will be writing
more files similar to this one. Also, I have devised a more sophisticated
encryption device, which I may release in the future

Do you run a BBS, living in fear that the "feds" are gonna log on, and fool
you into giving them a password? Do you wish that you could limit exactly WHO
logs onto your board? Well, this file is just for you..


1:9 volt battery

1: 74hc/hct04 cmos hex inverter 

Some basic knowledge of electronics might help, and some wire would be helpful
too. If you want to be fancy you can even splurge and get a 9 volt connector.

Note: Although it is not required that you put this on an etched PC board, you
can do this quite easily, and it makes for a much cleaner job.

Ok, the basic idea behind this scheme is this:

Data coming to and going from your modem is translated as 1's and 0's. This
represents highs and lows, which translate out to code which your computer
recognizes as valid data. Now, if you could switch all those 1's to 0's, and
0's to 1's, then you would have a simple way of encrypting your data. That's
exactly what the hex inverter does. If it sees a 0, it makes it a 1. If it
sees a 1, it makes it a 0. So, what you want to do is have an inverter on your
send line, and an inverter on your receive line. The computer you are
connected to must also have inverters on its send and receive, or all you will
see will be garbage! I tried to be as non-technical as possible in this for
all you non-technical types out there.


Hold the chip, and look at it. There should be a little notch in one end. Hold
it as illustrated in the schematic:

(80 columns)

       |                             |
      14 13 11 12 10 9 8             |
       |  |  |  |  | |  |            |
       __________________            |
      |                  |           |_ to positive on battery
      \   74hc/hct04     |
      /                  |
      |__________________|             to negative on battery
       |  |  |  |  |  | |              |
       1  2  3  4  5  6 7______________|
       |  |  |  |
       |  |  |  |_________________________________to computer port
       |  |  |_______________________________from modem
       |  |________________________________________________to modem conn.
       |________________________________________________ from computer port

Ok, hook the + 9volts up to pin 14, and the negative up to pin 7.
There are 6 inverters on this chip. For this, we will be using only 2 of them.

Find the wire coming from your computer to the send data line on your modem.
Sever this wire, and hook one side of it to pin 1. Hook the other end of it to
pin 2. Next, find the receive data line, and sever it. Hook one end of it to
pin 3, the other end to pin 4. That's about it.. if you want to use the other
inverters on the chip, here's the complete pinouts.

Pin#            Name and function
----            -----------------
1,3,5,9,11,13   Data inputs
2,4,6,8,10,12   Data outputs
7               Ground
14              VCC

Remember, that your BBS modem must have one of these devices on it, as well as
the user calling. I have tested this on Smartmodems, and it does work. If you
have an internal modem, this may be a little difficult for you.

                               ==Phrack Inc.==

                   Volume Two, Issue Eleven, Phile #6 of 12

                            Taran King Presents...

                       AIS - Automatic Intercept System

             The DAIS II System by Computer Consoles Incorporated

         Computer Consoles Incorporated (CCI) manufactures various hardware
appliances to be used in conjunction with phone companies switches as well as
other aspects of the companies' uses, plus computer systems such as their own
Unix-supporting systems.
         DAIS II is the Distributed Automatic Intercept System, which is the
system used to announce if the subscriber has dialed a non-working number.
This is what you hear, in action, when you dial a wrong number and get the 3
tones plus the announcement or the ONI (Operator Number Identification)
intercept operator ("What number did you dial?").
         The information from this file comes mostly from an instructional
manual sent to me by CCI, who can be reached at 800-833-7477 or 716-482-5000
directly, or may be written to at 97 Humbolt Street, Rochester, NY, 14609.

         Most definitely any person who has used a telephone in his life has,
by some means or another, come across the dreaded 3 tones, leading up to the
ever-so-cumbersome announcement telling of the disconnected or non-working
number.  This file will go into how the whole system works.
         After dialing the non-working number, the telco's Class 5 End Office
routes the call to DAIS II.

ANI Calls
         Provided that the End Office has Automatic Number Identification
(ANI) equipment, the equipment then identifies the digits of the called number
and sends them to the intercept system.
         The system receives the called number from the end office, retrieves
information for that number from the intercept database, formulates the
message, and delivers it to the customer in an automated announcement.  These
announcements can either be standardized or tailored to the independent
telephone companies' needs.  If further assistance is required, the caller can
then stay on the line and wait for an operator to come onto the line.

ONI Calls
         When the End Office is primitive, and they don't have the ANI
equipment to do the above ritual, operators are directly involved.  These
operators are also called into action when there is an ANI or DAIS II failure.
         When the ONI (Operator Number Identification) call comes in, DAIS II
routes the call to the operator.  The operator asks for the number that the
customer called and then keys it into her KDT (Keyboard Display Terminal).
After she hits the command key, the number's information is searched for in
the intercept database, the message is formulated, and the automated response
is announced.  Once again, if the caller needs further assistance, an operator
will return to the line to help the subscriber.

         Operators will return to the line for any number of reasons.  They
include the following:

Unsuccessful Searches - After DAIS II receives the called number from ANI
                        equipment or from an operator, it searches the
                        database to find the intercept message associated with
                        the telephone number.  The database contains all
                        10,000 line numbers for each exchange in the calling
                        area.  If the system cannot complete the search, the
                        number was either keyed in incorrectly or there is a
                        problem in the system.  The call is then routed to an
                        operator and displays the intercepted number
                        (including NPA) on the KDT screen along with a message
                        indicating why the search could not be completed.  If
                        the number was keyed in wrong, the operator will
                        correct the number, or else she will ask the
                        subscriber to re-dial the number.
Aborted Announcements - If a search is given successful but for one reason or
                        another the automated announcement cannot be given,
                        the call is routed to an operator.  The KDT display
                        shows the intercepted number, the appropriate
                        information for a verbal response, and the message,
                        "VERBAL REPORT."  In this case, the operator quotes
                        the message to the caller rather than activating the
                        automated response.
Reconnects            - If a customer remains on the line for more information
                        after receiving the automated announcement, the system
                        routes the call to an operator.  The operator's KDT
                        display shows the called number plus other pertinent
                        information given to the caller in the previous
                        announcement.  From here, the operator can respond
                        verbally to the customer's needs, or activate the
                        automated system again.  The DAIS II system allows up
                        to 4 reconnects per call, but the possible number of
                        reconnects available ranges from 0-3.  With 1
                        reconnect, the operator must report verbally.
Split Referrals       - If a number has been changed but replaced with two
                        numbers, this is called a "split referral."  When the
                        database finds 2 or more numbers, the DAIS II system
                        routes the customer to an operator, displaying the old
                        number and new listings on the KDT screen.  The
                        operator then asks which number they are looking for
                        and keys in the command key to activate the
                        announcement, or else they do the announcement

Operator Searches
         Situations may arise where the subscriber needs more information
than was given by the automated announcement, or believes the information to
be invalid.  DAIS II provides for operators to have access to both the
intercept and the DA databases at all times as long as the system
administrator, who judges the extent to which operators can use the
cross-search capability, allows it.

Components Of The System
         The telco's Class 5 End Offices contain switching equipment that
routes calls to DAIS II.  If the office has ANI equipment, the switch routes
the called digits to the intercept system in the form of multi-frequency
tones.  The end offices route calls to DAIS II on dedicated (direct) trunks.
These direct trunks can carry ANI traffic or ONI traffic, but not both.

         If trunk concentrators are used, the concentrator trunks to DAIS II
may carry ANI calls, ONI calls, or both, depending on the types of trunks
coming into the concentrators from the end offices.  The call is identified as
ANI or ONI through MF tones transmitted by the concentrators.

         If an operator must be involved (due to ONI or further assistance),
DAIS II routes the call to the telco's ACD (Automatic Call Distributor), which
is a switching device that routes calls to any available operator.

         The intercept data base resides on disk in the ARS (Audio Response
System).  ARS processors known as Audio Response Controllers (ARCs) search the
intercept database.  If a call requires an operator's services, the Marker
Decoder Unit (MDU) provides ACD routing information to the ARC.

         The DAIS II Automatic Intercept Communications Controllers (AICCs)
route messages between the ARCs and the DAIS II subsystems.  An intercept
subsystem that is housed at the same location as the database is called a
Colocated Automated Intercept System (CAIS).  A subsystem located at a
distance from the database is known as a Local Automated Intercept System
(LAIS).  Each subsystem can provide automated announcements without using
expensive trunking to route ANI calls to a centralized intercept office.  Only
calls that require operator assistance are routed on trunks to the ARS site.
Because those trunks are only held white the operator identifies the number
and are released before the announcement begins, trunk requirements are
reduced.  The automated announcement is always given by the intercept

         Each CAIS or LAIS site contains a Trunk Time Switch (TTS) and DAIS II
Audio Response Units (DARUs).  Intercept trunks from the concentrators and the
Class 5 End Offices terminate at the TTS.  When an ONI call comes in on one of
these trunks, the TTS routes it to the ACD.  When an ANI call comes in, the
TTS routes the called number to the ARC.  After the ARC retrieves the
appropriate message from the database, it sends that information back to the
TTS, which connects a DARU port to the trunk on which the call came in.  Then,
the DARU produces an automated announcement of the message and delivers it to
the caller.  ARS hardware generates only DA announcements whereas DAIS II
hardware generates only intercept announcements.

Automatic Intercept Communications Controller (AICC)
         The AICC routes messages between the ARC and the TTS.  Two units are
required to enhance system reliability.  Each pair of AICCs can communicate
with up to 4 CAIS or LAIS subsystems.

         The AICCs are similar to the Audio Communications Controllers (ACCs)
in the ARS system, but AICCs use a Bisynchronous Communications Module (BSCM)
instead of a LACIM.

         An AICC can be equipped with up to 8 BSCMs, each of which handles one
synchronous communication line to the TTS.  The BSCM models selected depend on
the location of the AICC with respect to the CAIS/LAIS sites.  Standard SLIMs
(Subscriber Line Interface Modules) are required for communication with the

Trunk Time Switch (TTS)
         The TTS has two types of components: the Peripheral Modules (PMs) and
the Common Controls (CCs).

         The PM contains the printed circuit boards that provide the link
between the end office's ANI trunks and the ARC and between the ONI trunks and
the ACD.  The activity of the PM is under direction of the CC

         A PM rack contains five types of circuit boards: Multi-frequency
Receivers (MFRs), Analog Line Front Ends (ALFEs), T1 Front Ends (T1FEs),
Peripheral Module Access Controllers (PMACs), and Multi-purpose Peripheral
Devices (MPPDs).

         The MFRs translate the intercepted number from multi-frequency tones
to ASCII digits for ANI calls; for ONI calls that come through a trunk
concentrator, the MFRs translate the tones sent by the concentrator to
indicate an ONI call.  Based on the tones, the MFR determines the type of
call: regular, trouble, etc.

         ALFEs convert incoming analog data to digital form so that it can be
switched on the digital network.  They also convert outgoing digital data back
to analog.  Incoming ALFEs provide the link between the TTS and the analog
trunks from the Class 5 End Offices.  Outgoing ALFEs provide the link between
the TTS and the analog trunks to the ACD.
         ALFE is subdivided into two types for both incoming and outgoing:
ALFE-A (contains the control logic, PCM bus termination, and ports for 8
trunks) and ALFE-B (contains ports for 16 trunks, but must be paired with an
ALFE-A in order to use the control logic and PCM bus on the backplane).
ALFE-As can be used without ALFE-Bs, but not vice versa.
         Incoming ALFEs support E&M 2-wire, E&M 4-wire, reverse battery, and
3-way signalling trunks.  Outgoing ALFEs support E&M 2-wire, reverse battery,
and high-low trunking.

         T1FEs provide the links between the TTS and the D3-type T1 spans from
the end offices.  They also link the DARU VOCAL board ports and the TTS.  Each
board has 24 ports in order to handle a single T1 span which carries 24 voice

         PMAC is based on a Motorola 68000 microprocessor that directs and
coordinates data flow within the PM.

         MPPD boards provide bus termination and the system clocks for the
digital network.  The MPPD contains a master and a secondary clock, which are
synchronized with the frequency of an incoming T-1 span.  The module also
contains its own clock for use when T-1 synchronization is not available or
         The MPPD also generates the ringing tones, busy signals, and reorder
tones heard by the customer and sends the zip (alert) tone to the operator.

         The CC controls the interaction between the PM components and the
DARU.  It contains the Office Dependent Data Base (ODDB), which is a system
table that describes the configuration of the TTS.  The CC uses the ODDB to
determine whether an incoming call is an ANI or ONI trunk.
         The CC sets up paths through the digital network in order to
coordinate the resources of the CAIS/LAIS.  It receives messages from the
PMAC, stores information necessary for returning a response to the appropriate
trunk, and controls message routing to and from the ARC or the operator.  It
also synchronizes the TTS and the Directory Assistance System (DAS) for
operator-caller communications.
         The CC is a Power-series standalone processor that contains a central
processing unit (CPU-2), based on the Motorola 68000 microprocessor.  The
processor also contains distributed intelligence for controlling the memory
subsystem, the IO (input/output) subsystem, and the disk/tape subsystem.  Each
CC includes a Winchester disk drive, a quarter-inch tape drive, and additional
miscellaneous hardware.

DAIS II Audio Response Unit (DARU)
         The DARU contains the VOCAL boards that produce automated
announcements, which are compiled from a vocabulary stored in RAM.  A
CAIS/LAIS contains 1 to 3 DARUs, each with 48 ports.
         If a CAIS/LAIS houses more than one DARU, the units are multi-dropped
together.  One DARU is always linked to the ARCs (either directly or by modems
and telephone lines) so that the announcement vocabulary can be downloaded
from the ARCs if necessary.


         Much of the information in this file is copied verbatim from the
instructional booklet sent to me by CCI.  Their documentation is extremely
in-depth and well written, and, with some looking over, is easy to
understand. Much of the information in here is confusing with all of the
acronyms used as well as technical terms, but if you cross-reference acronyms
throughout the file, you should be able to see what it stands for.  Also, if
you don't understand what something does, just think of it in terms of use by
the telephone company in the context used and you can generally get an idea
of what it does or is used for.  I hope you enjoyed this file and continue to
read Phrack Inc. files to learn more about the system we use and experience.
Any constructive suggestions are welcomed directly or indirectly.

                                            Taran King


                               ==Phrack Inc.==

                   Volume Two, Issue Eleven, Phile #7 of 12

                    !                                   !
                    #     Hacking Primos I, II, III     #
                    !                                   !
                    #          (I&II  Revised)          #
                    !                                   !
                    #            By Evil Jay            #
                    !                                   !

    Author Note:

   Ugg! I looked at my first file after it was released and saw a lot of
  misspellings, errors and other screw-ups and was completely embarrassed. I
  did not have time to edit the file and I was also writing the second file
  which dealt with gaining privileges. I threw these two files at Taran King
  who in turn merged them together. So I humbly apologize for all of the
  errors in the last file. In this file I will revise the old file and
  continue with some more methods of gaining access and also list out some
  very basic commands for beginners. As I said before, if you have any
  questions you can reach me on any board I am currently inhabiting. Hope to
  hear from you...

    *** Gaining Access From Scratch ***

   I made a mistake in my last file and stated that FAM was not a default. FAM
  is a default, but it can be taken out by the system administrators.

 To get a listing of every possible account on a system, it is really quite
 easy. They are located in the MFD directories. Type:

A MFD  (Without the "<" and ">" signs)

Or just:


 Then type LD and hit return. Now, you will see a listing of files and
 underneath should be a listing of directories appropriately named
 Directories. These directories are valid User IDs. However, I believe that
 directories that have an "*" character in them cannot be logged in to.

   *** Getting Higher Access Revised ***

  SYS1 is the highest system level there is. Meaning unless commands have to
 be entered from the supervisors terminal, you can usually do anything with an
 account that has SYS1 access. Also, I should clarify that SYS1 will not
 always be the name of the highest access available. It could be named SYSTEM
 or anything for that matter.

  You are looking for a file with the extension .CPL - look for this file
 under any of the SYS1 directories. When you find one, SLIST it. You are
 looking for a line similar to:


It could look like:


LIB is the directory (user id) name.

XXX is the password to that directory (user id).

 When you have this, log into that account with the directory name and
 password. If your lucky you'll gain access to that account. I have noticed
 that a lot of high access accounts sometimes have the password XXXXXX or X.
 Try these, I am unsure as to whether they are actual defaults or not.

  Ah, the revision is done! Now some more ways to gain access...

   *** The Trojan Horse ***

  Providing you have access, you may or may not be able to edit a file in a
 high access directory. If you can't then try the above technique and try to
 hack a higher level account.

  You will first want to learn the Command Processing Language (CPL). Type
 HELP CPL for a list of commands and then play around and try to write your
 own programs. If you don't have a manual handy, look at other CPL programs in
 other directories you can access. Once you know CPL, all you have to do is
 edit a CPL file in a high access dir. Add your own high level commands to the
 program. Then replace the old file, logoff and wait until the operator(s)
 decide to run your program. Hopefully, if everything goes well your routines
 will help you with whatever you wanted. However it would be a good idea to
 have your TH write a file to your directory telling you whether it has been
 ran or not. I will discuss different Trojan Horses in later issues of Phrack.

  Once on a Prime it is pretty easy to get other accounts so don't worry about
 it. Just worry about getting on in the first place. Patience is definitely
 required since many systems (particularly versions 19 up) tend to hang up
 after the first invalid id/password combo.

     *** Basic Commands For Beginners ***

  This is a list of basic commands you can use once on a Prime system. I will
  not go in-depth on a command, because you can do that for yourself by



This will list out the contents of a file on a directory. Type in the full
file name (plus extension).


This will attach you to another directory. For a full explanation type HELP


This will list all the files and subdirectories in a directory.


Commands add up on the stack, and eventually after a pre-determined amount of
commands you will get a message telling you that you are "now at command level
XX". This command will release all those pent up commands in the stack.


This will run a file with the extension ".CPL".


This will run a file with the extension ".COM"


This will run a file with the extension ".SEG"


This will give you a listing of users and other information currently on the


This will give you the status of the system and other information.


This is a text editor.


Does just what it says it does.


Deletes a file.


I think this is pretty obvious.


This will log you out and take you back to the login process, providing there
is no logins-over-logins set by the administrators.

This is a very small list, but will probably help the beginner greatly when
he/she first logs on. Hope you enjoyed this issue...Look for Hacking Primos
Part IV in Phrack, 12. Mebbe'.

                    !                                   !
                    #           A Phrack,Inc            #
                    !                                   !
                    #           Presentation            #
                    !                                   !

                               ==Phrack Inc.==

                   Volume Two, Issue Eleven, Phile #8 of 12

                         Telephone Signalling Methods

                           Written by Doom Prophet

   This file explains the basic signalling methods in use by the telephone
system and is intended for general understanding. The text that follows is not
highly technical since this file is for basic understanding and aimed at less
experienced phreaks. Still, the more experienced readers may want to read it
as a review on the information.

    Analog--Analog signals are those that have continuously and smoothly
varying amplitude or frequency.  Speech signals are of this type when you
consider tone, pitch and volume levels that vary according to the person
speaking. When a person speaks into the transmitter on a telephone, the voice
signals are made up of acoustical energy, which are then converted into
electrical energy for transmission along a transmission medium.

    Analog carrier facilities may operate over different media, such as wire
lines, multi-wire cable, coaxial cable, or fiber optic cable. Copper wire is
the most commonly used for subscriber loops.

    A technique that allows for many signals to be sent along the same
transmission path is called Multiplexing. Analog signals use Frequency
Division Multiplexing or FDM.

    Digital--Instead of the voice signal being processed as an analog signal,
it is converted into a digital signal and handled with digital circuits
throughout the transmission process. When it arrives at the CO that serves the
called telephone, it is converted back to analog to reproduce the original
voice transmission.

    Pulse Code Modulation or PCM is when the binary signal is transmitted in
serial form. Binary coding represents bits or binary digits at 0 and 1 levels.
These levels have a definite time relationship with one another. Time Division
Multiplexing or TDM is the type of multiplexing, sometimes abbreviated as MUX,
done for digital transmission.

    Metallic--Metallic facilities carry only one Voice Frequency (VF) channel.
Typically, a metallic facility is used to connect business or residential
lines to a CO. Coaxial cable can be used to transmit both Analog and Digital
signals as well as Metallic signals.

    VF channels have a 4000 Hz bandwidth, from 0 to 4000 Hz. However, the
in-band range of the voice frequency is between 200 and 3400 Hz. Signals that
are out of this frequency range but still within the VF channel are out of
band signals. A supervisory equivalent to 2600 for out of band is 3700 Hz. The
amount of VF channels vary according to the transmission facilities that are
being used.

    CCIS (Common Channel Interoffice Signalling) is where control or
supervisory signals are sent on a separate data link between switching
offices. CCIS links operate at 4800 bps, or baud. Signal Transfer Points in
the switch send the supervisory information over the dedicated link. This
prevents supervisory tones from subscriber stations to register with the
telephone network as a change in trunk status.

    Reverse Battery Signalling- When the called end answers, the polarity and
condition of the Ring and Tip leads is reversed to indicate the status of the
connection. Conditions for a call being placed, but not yet answered, is
ground on the Tip and battery (the CO battery current is flowing through) on
the Ring.  When the called party answers, by the action of relays in the
switching equipment, current is reversed in the calling subscriber loop and
battery is placed on the Tip and ground on the Ring, which remains during the

    E and M- Leads connecting switching equipment to trunk circuits are termed
the E and M leads, for receive and transmit. The E lead reflects the far-end
or terminating end condition of the trunk. Ground on the E lead indicates that
a signal has been received from the other end. The E lead is open when the
trunk is idle. The M lead reflects the the near end condition of the trunk. It
is grounded when the trunk is idle, and goes to battery condition when the
called party goes off hook. Long interoffice and short haul toll trunks use
this signalling method.

    It should be noted that AC signalling is Alternating Current, and is used
on the intertoll network, and interoffice and short haul toll trunks. DC, or
direct current, is used on two wire or intraoffice connections, and local
interoffice trunks.

    Single Frequency (SF)- Single Frequency is an in-band 2600 Hz signalling
system. When a four wire trunk is idle, and is equipped for SF in band
signalling, a 2600 Hz tone is being transmitted in both directions. When the
trunk is seized at an originating position, the M lead is changed from ground
to battery state. This removes the 2600 Hz supervisory tone from the outgoing
trunk pair. The loss of the 2600 Hz will be detected at the far end by the SF
signalling unit, changing the far end E lead condition from open to ground,
causing switching equipment to function. When ground is restored to the M
lead, replacing 2600 on the near end trunk, the pulsing of address information

    Multi-Frequency (MF)- The MF pulsing method uses AC signals in the voice
frequency range, and transmits address information between COs by combinations
of only 2 of 5 frequencies. MF is used for the sending of address information,
as mentioned before. Other signalling methods are still required for trunk
control and supervision. There are six MFs comprising MF codes. These are 200
Hz apart in the 700-1700 range. Two frequencies are sent at once, thus
explaining the term 'Multi frequency.'

    MF pulsing is initiated by manual keysets and the TSPS switchboard, or by
MF outpulsing senders in ESS and Xbar. MF pulsing is very rapid and only
occurs when a connection is being established. KPs, or Key Pulses, are used as
a signal to start MF pulsing. STs, or STart tones are used as a signal to
indicate the end of MF pulsing.

    As an example of MF signalling, take a toll switchboard trunk connected to
a Xbar Central Office. The operator selects an idle trunk, and presses the KP
button on the keyset to signal the distant sender or register link equipment
to connect to a MF receiver. The S lamp on the keyset will light when the far
end is ready to receive MF pulses. After keypulsing the digits of the called
number, the operator presses the ST button, which indicates the end of pulsing
and disconnects the keyset from the operator's cord circuit and extinguishes
the KP and S lamps.

    At the terminating CO, the two MF tones of each digit are amplified and
limited in the MF receiver unit associated with the incoming sender and
register circuit. The frequencies are selected by channel filters in the MF
receiver and then detected. The DC voltage that results will operate the
proper channel relays to continue with the process of placing the call.

                               ==Phrack Inc.==

                   Volume Two, Issue Eleven, Phile #9 of 12

     The following is reprinted from the November 1985 issue of Personal
     Communications Technology magazine by permission of the authors and
     the publisher, FutureComm Publications Inc., 4005 Williamsburg Ct.,
     Fairfax, VA  22032, 703/352-1200.

     Copyright 1985 by FutureComm Publications Inc.   All rights reserved.


    by Geoffrey S. Goodfellow, Robert N. Jesse, and Andrew H. Lamothe, Jr.

What's the greatest security problem with cellular phones? Is it privacy of
communications?  No.

Although privacy is a concern, it will pale beside an even greater problem:

'Spoofing' is the process through which an agent (the 'spoofer') pretends to
be somebody he isn't by proffering false identification, usually with intent
to defraud.  This deception, which cannot be protected against using the
current U.S. cellular standards, has the potential to create a serious
problem--unless the industry takes steps to correct some loopholes in the
present cellular standards.

Compared to spoofing, the common security concern of privacy is not so severe.
Most cellular subscribers would, at worst, be irked by having their
conversational privacy violated.  A smaller number of users might actually
suffer business or personal harm if their confidential exchanges were
compromised.  For them, voice encryption equipment is becoming increasingly
available if they are willing to pay the price for it.

Thus, even though technology is available now to prevent an interloper from
overhearing sensitive conversations, cellular systems cannot--at any
cost--prevent pirates from charging calls to any account. This predicament is
not new to the industry.  Even though cellular provides a modern,
sophisticated quality mobile communications service, it is not fundamentally
much safer than older forms of mobile telephony.

History of Spoofing Vulnerability

The earliest form of mobile telephony, unsquelched manual Mobile Telephone
Service (MTS), was vulnerable to interception and eavesdropping.  To place a
call, the user listened for a free channel.  When he found one, he would key
his microphone to ask for service: 'Operator, this is Mobile 1234; may I
please have 555-7890.'  The operator knew to submit a billing ticket for
account number 1234 to pay for the call.  So did anybody else listening to the
channel--hence the potential for spoofing and fraud.

Squelched channel MTS hid the problem only slightly because users ordinarily
didn't overhear channels being used by other parties.  Fraud was still easy
for those who turned off the squelch long enough to overhear account numbers.

Direct-dial mobile telephone services such as Improved Mobile Telephone
Service (IMTS) obscured the problem a bit more because subscriber
identification was made automatically rather than by spoken exchange between
caller and operator.  Each time a user originated a call, the mobile telephone
transmitted its identification number to the serving base station using some
form of Audio Frequency Shift Keying (AFSK), which was not so easy for
eavesdroppers to understand.

Committing fraud under IMTS required modification of the mobile--restrapping
of jumpers in the radio unit, or operating magic keyboard combinations in
later units--to reprogram the unit to transmit an unauthorized identification
number. Some mobile control heads even had convenient thumb wheel switches
installed on them to facilitate easy and frequent ANI (Automatic Number
Identification) changes.

Cellular Evolution

Cellular has evolved considerably from these previous systems.  Signaling
between mobile and base stations uses high-speed digital techniques and
involves many different types of digital messages.  As before, the cellular
phone contains its own Mobile Identification Number (MIN), which is programmed
by the seller or service shop and can be changed when, for example, the phones
sold to a new user.  In addition, the U.S. cellular standard incorporates a
second number, the 'Electronic Serial Number' (ESN), which is intended to
uniquely and permanently identify the mobile unit.

According to the Electronic Industries Association (EIA) Interim Standard
IS-3-B, Cellular System Mobile Station--Land Station Compatibility
Specification (July 1984), 'The serial number is a 32-bit binary number that
uniquely identifies a mobile station to any cellular system.  It must be
factory-set and not readily alterable in the field.  The circuitry that
provides the serial number must be isolated from fraudulent contact and
tampering.  Attempts to change the serial number circuitry should render the
mobile station inoperative.'

The ESN was intended to solve two problems the industry observed with its
older systems.

First, the number of subscribers that older systems could support fell far
short of the demand in some areas, leading groups of users to share a single
mobile number (fraudulently) by setting several phones to send the same
identification.  Carriers lost individual user accountability and their means
of predicting and controlling traffic on their systems.

Second, systems had no way of automatically detecting use of stolen equipment
because thieves could easily change the transmitted identification.

In theory, the required properties of the ESN allow cellular systems to check
to ensure that only the correctly registered unit uses a particular MIN, and
the ESNs of stolen units can be permanently denied service ('hot-listed').
This measure is an improvement over the older systems, but vulnerabilities

Ease of ESN Tampering

Although the concept of the unalterable ESN is laudable in theory, weaknesses
are apparent in practice.  Many cellular phones are not constructed so that
'attempts to change the serial number circuitry renders the mobile station
inoperative.'  We have personally witnessed the trivial swapping of one ESN
chip for another in a unit that functioned flawlessly after the switch was

Where can ESN chips be obtained to perform such a swap?  We know of one recent
case in the Washington, D.C. area in which an ESN was 'bought' from a local
service shop employee in exchange for one-half gram of cocaine.  Making the
matter simpler, most manufacturers are using industry standard Read-Only
Memory (ROM) chips for their ESNs, which are easily bought and programmed or

Similarly, in the spirit of research, a west coast cellular carrier copied the
ESN from one manufacturer's unit to another one of the same type and
model--thus creating two units with the exact same identity.

The ESN Bulletin Board

For many phones, ESN chips are easy to obtain, program, and install.  How does
a potential bootlegger know which numbers to use?  Remember that to obtain
service from a system, a cellular unit must transmit a valid MIN (telephone
number) and (usually) the corresponding serial number stored in the cellular
switch's database.

With the right equipment, the ESN/MIN pair can be read right off the air
because the mobile transmits it each time it originates a call.  Service shops
can capture this information using test gear that automatically receives and
decodes the reverse, or mobile-to-base, channels.

Service shops keep ESN/MIN records on file for units they have sold or
serviced, and the carriers also have these data on all of their subscribers.
Unscrupulous employees could compromise the security of their customers'

In many ways, we predict that 'trade' in compromised ESN/MIN pairs will
resemble what currently transpires in the long distance telephone business
with AT&T credit card numbers and alternate long-distance carrier (such as
MCI, Sprint and Alltel) account codes.  Code numbers are swapped among
friends, published on computer 'bulletin boards' and trafficked by career
criminal enterprises.

Users whose accounts are being defrauded might--or might not--eventually
notice higher-than-expected bills and be reassigned new numbers when they
complain to the carrier.  Just as in the long distance business, however, this
number 'turnover' (deactivation) won't happen quickly enough to make abuse
unprofitable.  Catching pirates in the act will be even tougher than it is in
the wireline telephone industry because of the inherent mobility of mobile

Automating Fraud

Computer hobbyists and electronics enthusiasts are clever people.  Why should
a cellular service thief 'burn ROMs' and muck with hardware just to install
new IDs in his radio?  No Herculean technology is required to 'hack' a phone
to allow ESN/MIN programming from a keyboard, much like the IMTS phone thumb
wheel switches described above.

Those not so technically inclined may be able to turn to mail-order
entrepreneurs who will offer modification kits for cellular fraud, much as
some now sell telephone toll fraud equipment and pay-TV decoders.

At least one manufacturer is already offering units with keyboard-programmable
MINs.  While intended only for the convenience of dealers and service shops,
and thus not described in customer documentation, knowledgeable and/or
determined end users will likely learn the incantations required to operate
the feature.  Of course this does not permit ESN modification, but easy MIN
reprogrammability alone creates a tremendous liability in today's roaming

The Rolls Royce of this iniquitous pastime might be a 'Cellular Cache-Box.' It
would monitor reverse setup channels and snarf ESN/MIN pairs off the air,
keeping a list in memory.  Its owner could place calls as on any other
cellphone.  The Cache-Box would automatically select an ESN/MIN pair from its
catalog, use it once and then discard it, thus distributing its fraud over
many accounts.  Neither customer nor service provider is likely to detect the
abuse, much less catch the perpetrator.

As the history of the computer industry shows, it is not far-fetched to
predict explosive growth in telecommunications and cellular that will bring
equipment prices within reach of many experimenters.  Already we have seen the
appearance of first-generation cellular phones on the used market, and new
units can be purchased for well under $1000 in many markets.

How High The Loss?

Subscribers who incur fraudulent charges on their bills certainly can't be
expected to pay them.  How much will fraud cost the carrier?  If the charge is
for home-system airtime only, the marginal cost to the carrier of providing
that service is not as high as if toll charges are involved.  In the case of
toll charges, the carrier suffers a direct cash loss.  The situation is at its
worst when the spoofer pretends to be a roaming user.  Most inter-carrier
roaming agreements to date make the user's home carrier (real or spoofed)
responsible for charges, who would then be out hard cash for toll and airtime

We have not attempted to predict the dollar losses this chicanery might
generate because there isn't enough factual information information for anyone
to guess responsibly.  Examination of current estimates of long-distance-toll
fraud should convince the skeptic.


The problems we have described are basically of two types.  First, the ESN
circuitry in most current mobiles is not tamper-resistant, much less
tamper-proof.  Second and more importantly, the determined perpetrator has
complete access to all information necessary for spoofing by listening to the
radio emissions from valid mobiles because the identification information
(ESN/MIN) is not encrypted and remains the same with each transmission.

Manufacturers can mitigate the first problem by constructing mobiles that more
realistically conform to the EIA requirements quoted above.  The second
problem is not beyond solution with current technology, either.  Well-known
encryption techniques would allow mobiles to identify themselves to the
serving cellular system without transmitting the same digital bit stream each
time.  Under this arrangement, an interloper receiving one transmission could
not just retransmit the same pattern and have it work a second time.

An ancillary benefit of encryption is that it would reasonably protect
communications intelligence--the digital portion of each transaction that
identifies who is calling whom when.

The drawback to any such solution is that it requires some re-engineering in
the Mobile-Land Station Compatibility Specification, and thus new software or
hardware for both mobiles and base stations.  The complex logistics of
establishing a new standard, implementing it, and retrofitting as much of the
current hardware as possible certainly presents a tough obstacle, complicated
by the need to continue supporting the non-encrypted protocol during a
transition period, possibly forever.

The necessity of solving the problem will, however, become apparent.  While we
presently know of no documented cases of cellular fraud, the vulnerability of
the current standards and experience with similar technologies lead us to
conclude that it is inevitable.  Failure to take decisive steps promptly will
expose the industry to a far more expensive dilemma.  XXX

Geoffrey S. Goodfellow is a member of the senior research staff in the
Computer Science Laboratory at SRI International, 333 Ravenswood Ave., Menlo
Park, CA 94025, 415/859-3098.  He is a specialist in computer security and
networking technology and is an active participant in cellular industry
standardization activities.  He has provided Congressional testimony on
telecommunications security and privacy issues and has co-authored a book on
the computer 'hacking' culture.

Robert N. Jesse (2221 Saint Paul St., Baltimore, MD 21218, 301/243-8133) is an
independent consultant with expertise in security and privacy, computer
operating systems, telecommunications and technology management.  He is an
active participant in cellular standardization efforts.  He was previously a
member of the senior staff at The Johns Hopkins University, after he obtained
his BES/EE from Johns Hopkins.

Andrew H. Lamothe, Jr. is executive vice-president of engineering at Cellular
Radio Corporation, 8619 Westwood Center Dr., Vienna, VA 22180, 703/893-2680.
He has played a leading role internationally in cellular technology
development.  He was with Motorola for 10 years prior to joining American
TeleServices, where he designed and engineered the Baltimore/Washington market
trial system now operated by Cellular One.

A later note indicates that one carrier may be losing something like $180K per

                               ==Phrack Inc.==

                  Volume Two, Issue Eleven, Phile #10 of 12

                            BUSY LINE VERIFICATION

                         WRITTEN BY PHANTOM PHREAKER

    This file describes how a TSPS operator does a BLV (Busy Line
Verification) and an EMER INT (Emergency Interrupt) upon a busy line that a
customer has requested to be 'broken' into. I have written this file to
hopefully clear up all the misconceptions about Busy Line Verification and
Emergency Interrupts.

    BLV is 'Busy Line Verification'. That is, discovering if a line is
busy/not busy. BLV is the telco term, but it has been called Verification,
Autoverify, Emergency Interrupt, break into a line, REMOB, and others. BLV is
the result of a TSPS that uses a Stored Program Control System (SPCS) called
the Generic 9 program. Before the rise of TSPS in 1969, cordboard operators
did the verification process. The introduction of BLV via TSPS brought about
more operator security features. The Generic 9 SPCS and hardware was first
installed in Tucson, Daytona, and Columbus, Ohio, in 1979. By now virtually
every TSPS has the Generic 9 program.

    A TSPS operator does the actual verification. If caller A was in the 815
Area code, and caller B was in the 314 Area code, A would dial 0 to reach a
TSPS in his area code, 815. Now, A, the customer, would tell the operator he
wished an emergency interrupt on B's number, 314+555+1000. The 815 TSPS op who
answered A's call cannot do the interrupt outside of her own area code, (her
service area), so she would call an Inward Operator for B's area code, 314,
with KP+314+TTC+121+ST, where the TTC is a Terminating Toll Center code that
is needed in some areas. Now a TSPS operator in the 314 area code would be
reached by the 815 TSPS, but a lamp on the particular operators console would
tell her she was being reached with an Inward routing. The 815 operator then
would say something along the lines of  she needed an interrupt on
314+555+1000, and her customers name was J. Smith. Now, the 314 Inward (which
is really a TSPS) would dial B's number, in a normal Operator Direct Distance
Dialing (ODDD) fashion. If the line wasn't busy, then the 314 Inward would
report this to the 815 TSPS, who would then report to the customer (caller A)
that 314+555+1000 wasn't busy and he could call as normal. However if the
given number (in this case, 314+555+1000) was busy, then several things would
happen and the process of BLV and EMER INT would begin. The 314 Inward would
seize a Verification trunk (or BLV trunk) to the toll office that served the
local loop of the requested number (555+1000). Now another feature of TSPS
checks the line asked to be verified against a list of lines that can't be
verified, such as radio stations, police, etc. If the line number a customer
gives is on the list then the verification cannot be done, and the operator
tells the customer.

    Now the TSPS operator would press her VFY (VeriFY) key on the TSPS
console, and the equipment would outpulse (onto the BLV trunk)
KP+0XX+PRE+SUFF+ST. The KP being Key Pulse, the 0XX being a 'screening code'
that protects against trunk mismatching, the PRE being the Prefix of the
requested number (555), the SUFF being the Suffix of the requested number
(1000), and the ST being STart, which tells the Verification trunk that no
more MF digits follow. The screening code is there to keep a normal Toll
Network (used in regular calls) trunk from accidentally connecting to a
Verification trunk. If this screening code wasn't present, and a trunk
mismatch did occur, someone calling a friend in the same area code might just
happen to be connected to his friends line, and find himself in the middle of
a conversation. But, the Verification trunk is waiting for an 0XX sequence,
and a normal call on a Toll Network trunk does not outpulse an 0XX first.
(Example: You live at 914+555+1000, and wish to call 914+666+0000. The routing
for your call would be KP+666+0000+ST. The BLV trunk cannot accept a 666 in
place of the proper 0XX routing, and thus would give the caller a re-order
tone.) Also, note that the outpulsing sequence onto a BLV trunk can't contain
an Area Code. This is the reason why if a customer requests an interrupt
outside of his own NPA, the TSPS operator must call an Inward for the area
code that can outpulse onto the proper trunk. If a TSPS in 815 tried to do an
interrupt on a trunk in 314, it would not work. This proves that there is a
BLV network for each NPA, and if you somehow gain access to a BLV trunk, you
could only use it for interrupts within the NPA that the trunk was located in.

    BLV trunks 'hunt' to find the right trunks to the right Class 5 End Office
that serves the given local loop. The same outpulsing sequence is passed along
BLV trunks until the BLV trunk serving the Toll Office that serves the given
End Office is found.

    There is usually one BLV trunk per 10,000 lines (exchange). So, if a Toll
Office served ten End Offices, that Toll Office would have 100,000 local loops
that it served, and have 10 BLV trunks running from TSPS to that Toll Office.

    Now, the operator (in using the VFY key) can hear what is going on on the
line, (modem, voice, or a permanent signal, indicating a phone off-hook) and
take appropriate action. She can't hear what's taking place on the line
clearly, however. A speech scrambler circuit within the operator console
generates a scramble on the line while the operator is doing a VFY. The
scramble is there to keep operators from listening in on people, but it is not
enough to keep an op from being able to tell if a conversation, modem signal,
or a dial tone is present upon the line. If the operator hears a permanent
signal, she can only report back to the customer that either the phone is
off-hook, or there is a problem with the line, and she can't do anything about
it. In the case of caller A and B, the 314 Inward would tell the 815 TSPS, and
the 815 TSPS would tell the customer. If there is a conversation on line, the
operator presses a key marked EMER INT (EMERgency INTerrupt) on her console.
This causes the operator to be added into a three way port on the busy line.
The EMER INT key also deactivates the speech scrambling circuit and activates
an alerting tone that can be heard by the called customer. The alerting tone
that is played every 10 seconds tells the customer that an operator is on the
line. Some areas don't have the alerting tone, however. Now, the operator
would say 'Is this XXX-XXXX?' where XXX-XXXX would be the Prefix and Suffix of
the number that the original customer requesting the interrupt gave the
original TSPS. The customer would confirm the operator had the correct line.
Then the Op says 'You have a call waiting from (customers name). Will you
accept?'. This gives the customer the chance to say 'Yes' and let the calling
party be connected to him, while the previous party would be disconnected. If
the customer says 'No', then the operator tells the person who requested the
interrupt that the called customer would not accept. The operator can just
inform the busy party that someone needed to contact him or her, and have the
people hang up, and then notify the requesting customer that the line is free.
Or, the operator can connect the calling party and the interrupted party
without loss of connection.

    The charges for this service (in my area at least) run 1.00 for asking the
operator to interrupt a phone call so you can get through. There is an .80
charge if you ask the operator to verify whether the phone you're trying to
reach is busy because of a service problem or because of a conversation. If
the line has no conversation on it, there will be no charge for the

    When the customer who initiated the emergency interrupt gets his telephone
bill, the charges for the interrupt call will look similar to this:

12-1   530P     INTERRUPT  CL       314 555 1000  OD     1               1.00

    The 12-1 is December first of the current year; 530P is the time the call
was made to the operator requesting an interrupt; INTERRUPT CL is what took
place, that is, an interrupt call; 314 555 1000 is the number requested; OD
stands for Operator Dialed; the 1 is the length of the call (in minutes); and
the 1.00 is the charge for the interrupt.  The format may be different,
depending upon your area and telephone company.

    One thing I forgot to mention about TSPS operators. In places where a
Remote Trunking Arrangement is being used, and even places where they aren't
in use, you may be connected to a TSPS operator in a totally different area
code. In such a case, the TSPS that you reach in a Foreign NPA will call up an
inward operator for your Home NPA, if the line you requested an EMER INT on
was in your HNPA. If the line you requested EMER INT on was in the same NPA of
the TSPS that you had reached, then no inward operator would be needed and the
answering operator could do the entire process.

    Verification trunks seem to be only accessible by a TSPS/Inward operator.
However, there have been claims to people doing Emergency Interrupts with blue
boxes. I don't know how to accomplish an EMER INT without the assistance of an
operator, and I don't know if it can be done. If you really wish to
participate in a BLV/EMER INT, call up an Inward Operator and play the part of
a TSPS operator who needs an EMER INT upon a pre-designated busy line. Billing
is handled at the local TSPS so you will not have to supply a billing number
if you decide to do this.

    If you find any errors in this file, please try to let me know about it,
and if you find out any other information that I haven't included, feel free
to comment.

-End of file-

                                ==Phrack Inc.==

                   Volume Two, Issue Eleven, Phile #11 of 12

PWN                                                                         PWN
PWN                      *>=-{ Phrack World News }-=<*                      PWN
PWN                                                                         PWN
PWN                                 Issue X                                 PWN
PWN                                                                         PWN
PWN                      Written, Compiled, and Edited                      PWN
PWN                           by Knight Lightning                           PWN
PWN                                                                         PWN

Scan Man Revisited                                            January 19, 1987
The following is a reprint from TeleComputist Newsletter Issue Two;

                 SCAN MAN - FED OR PHREAK?  (The Other Side)

    TeleComputist is printing the statement Scan Man has made to us
[TeleComputist] in rebuttal to Phrack World News, whom previously printed an
article concerning Scan Man in Phrack Issue VIII.  Those of you who have seen
or read the article in Phrack VIII know that it basically covered information
and an intercepted memo alleging Scan Man of going after hackers and turning
in codes off his BBS (P-80 Systems, Charleston, West Virginia 304/744-2253) as
a TMC employee.  Please note that this statement should be read with the
article concerning Scan Man in Phrack Issue VIII to get the full

    Scan Man started off his statement claiming not to work for TMC, but
instead for a New York branch office of Telecom Management (a Miami based
firm).  He was flown in from Charleston, West Virginia to New York every week
for a four to five day duration.  Once in New York, Telecom Management made
available a leased executive apartment where Scan Man stayed as he worked.
His position in Telecom Management was that of a systems analyst, "...and that
was it!" Scan Man stated.  Scan Man also stated that he had never made it a
secret that he was working in New York and had even left messages on his BBS
saying this.

    He also went on to say that he had no part in the arrest of Shawn [of
Phreaker's Quest] (previously known as Captain Caveman) by TMC in Las Vegas.
Scan Man claimed to have no ties with TMC in Las Vegas and that they would not
even know him.  Scan Man then went on to say that Shawn had never replied to
previous messages Scan man had left asking for TMC codes.  Scan Man also said
that the messages about TMC were in no way related to him.  He claimed to have
no ties to TMC, which is a franchised operation which makes even TMC unrelated
except by name.

   Scan Man stated that he called Pauline Frazier and asked her about the
inquiry by Sally Ride [:::Space Cadet] who acted as an insider to obtain the
information in Phrack VIII.  He said that Pauline said nothing to the imposter
(Sally Ride) and merely directed him to a TMC employee named Kevin Griffo.
Scan Man then went on to say that the same day Sally Ride called Pauline
Frazier was the same day he received his notice.  And to that Scan Man made
the comment, "If I find out this is so heads will roll!"

    After that comment, Scan Man came up with arguments of his own, starting
off with the dates printed in Phrack VIII.  He claimed that the dates were off
and backed this up by saying Ben Graves had been fired six months previously
to the conversation with Sally Ride.  Scan Man then went on to ask why it had
taken Sally Ride so long to come forward with his information.  Scan Man made
one last comment, "It's a fucking shame that there is a social structure in
the phreak world!"  Meaning Sally Ride merely presented his information to
give himself a boost socially in the phreak world.

    This is how it ended.  We would like to say that TeleComputist printed the
statement by Scan Man to offer both sides of the story.  We make no judgements
here and take no sides.

       Reprinted with permission from TeleComputist Newsletter Issue 2

            Copyright (C) 1986 by J. Thomas.   All Rights Reserved
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Ok, that was Scan Man's side to the story, now that he had a few months to
come up with one.  Lets do a critical breakdown;

-*- "He was flown in from Charleston, West Virginia to New York every week for
    a four to five day duration."

    Gee, wouldn't that get awfully expensive?  Every week...and "made
    available a leased executive apartment..."   He must have been quite an
    asset to "Telecom Management" for them to spend such large amounts on him.
    Kinda interesting that he lived in Charleston, West Virginia (where
    surprisingly enough there is a branch of TMC) and flew to New York every

-*- "Scan Man claimed to have no ties with TMC in Las Vegas..."  Ok, I'll buy
    that.  Notice how he didn't say that he had no ties with TMC in
    Charleston.  Furthermore if he had no ties with TMC in Charleston why
    would they have his name in their company records?  Why would all those
    employees know him or dislike him for that matter?

-*- "Scan Man then went on to say that the same day Sally Ride called Pauline
    Frazier was the day he received his notice."  Well now, how can there be a
    connection between the two events at all when Scan Man works for Telecom
    Management and has "no ties with TMC" and claimed "not to work for TMC"?
    If TMC and Telecom Management are truly independent of each other then
    nothing Sally Ride said to Pauline Frazier could have affected him in ANY
    way. That is unless he did work for TMC in the first place.

-*- "...and back this up by saying that Ben Graves had been fired six months
    previously to the conversation with Sally Ride."  Well first of all, PWN
    did not give a date as to when Ben Graves was fired from TMC.  Second of
    all and more important, how does Scan Man know so much about TMC when he
    works for "Telecom Management" and has "...no ties with TMC..."?

The rest of his statements were highly debatable and he showed no proof as to
their validity.  As for why Sally Ride waited so long to come forward, well he
didn't wait that long at all, he came forward to myself in late May/early June
of 1986.  My decision was to do nothing because there wasn't enough proof.
After three months of research we had enough proof and the article was

With this attempt to cover up the truth, Scan Man has only given more
ammunition to the idea that he isn't what he claims to be.

                  Special Thanks to TeleComputist Newsletter

The Cracker Cracks Up?                                       December 21, 1986
         "Computer 'Cracker' Is Missing -- Is He Dead Or Is He Alive"

 By Tom Gorman of The Los Angeles Times

ESCONDIDO, Calif. -- Early one morning in late September, computer hacker Bill
Landreth pushed himself away from his IBM-PC computer -- its screen glowing
with an uncompleted sentence -- and walked out the front door of a friend's
home here.

He has not been seen or heard from since.

The authorities want him because he is the "Cracker", convicted in 1984 of
breaking into some of the most secure computer systems in the United States,
including GTE Telemail's electronic mail network, where he peeped at NASA
Department of Defense computer correspondence.

He was placed on three years' probation.  Now his probation officer is
wondering where he is.

His literary agent wants him because he is Bill Landreth the author, who
already has cashed in on the successful publication of one book on computer
hacking and who is overdue with the manuscript of a second computer book.

The Institute of Internal Auditors wants him because he is Bill Landreth the
public speaker who was going to tell the group in a few months how to make
their computer systems safer from people like him.

Susan and Gulliver Fourmyle want him because he is the eldest of their eight
children.  They have not seen him since May 1985, when they moved away from
Poway in northern San Diego county, first to Alaska then to Maui where they
now live.

His friends want him because he is crazy Bill Landreth, IQ 163, who has pulled
stunts like this before and "disappeared" into the night air -- but never for
more than a couple of weeks and surely not for 3 months.  They are worried.

Some people think Landreth, 21, has committed suicide.  There is clear
evidence that he considered it -- most notably in a rambling eight-page
discourse that Landreth wrote during the summer.

The letter, typed into his computer, then printed out and left in his room for
someone to discover, touched on the evolution of mankind, prospects for man's
immortality and the defeat of the aging process, nuclear war, communism versus
capitalism, society's greed, the purpose of life, computers becoming more
creative than man and finally -- suicide.

The last page reads:

"As I am writing this as of the moment, I am obviously not dead.  I do,
however, plan on being dead before any other humans read this.  The idea is
that I will commit suicide sometime around my 22nd birthday..."

The note explained:

"I was bored in school, bored traveling around the country, bored getting
raided by the FBI, bored in prison, bored writing books, bored being bored.  I
will probably be bored dead, but this is my risk to take."

But then the note said:

"Since writing the above, my plans have changed slightly.... But the point is,
that I am going to take the money I have left in the bank (my liquid assets)
and make a final attempt at making life worthy.  It will be a short attempt,
and I do suspect that if it works out that none of my current friends will
know me then.  If it doesn't work out, the news of my death will probably get
around. (I won't try to hide it.)"

Landreth's birthday is December 26 and his best friend is not counting on
seeing him again.

"We used to joke about what you could learn about life, especially since if
you don't believe in a God, then there's not much point to life," said Tom
Anderson, 16, a senior at San Pasqual High School in Escondido, about 30 miles
north of San Diego.  Anderson also has been convicted of computer hacking and
placed on probation.

Anderson was the last person to see Landreth.  It was around September 25 --
he does not remember exactly.  Landreth had spent a week living in Anderson's
home so the two could share Landreth's computer.  Anderson's IBM-PC had been
confiscated by authorities, and he wanted to complete his own book.

Anderson said he and Landreth were also working on a proposal for a movie
about their exploits.

"He started to write the proposal for it on the computer, and I went to take a
shower," Anderson said.  "When I came out, he was gone.  The proposal was in
mid-sentence.  And I haven't seen him since."

Apparently Landreth took only his house key, a passport, and the clothes on
his back.

Anderson said he initially was not concerned about Landreth's absence.  After
all this was the same Landreth who, during the summer, took off for Mexico
without telling anyone -- including friends he had seen just the night before
-- of his departure.

But concern grew by October 1, when Landreth failed to keep a speaking
engagement with a group of auditors in Ohio, for which he would have received
$1,000 plus expenses.  Landreth may have kept a messy room and poor financial
records, but he was reliable enough to keep a speaking engagement, said his
friends and literary agent, Bill Gladstone, noting that Landreth's second
manuscript was due in August and had not yet been delivered.

But, the manuscript never came and Landreth has not reappeared.

Steve Burnap, another close friend, said that during the summer Landreth had
grown lackadaisical toward life.  "He just didn't seem to care much about
anything anymore."
                        Typed for PWN by Druidic Death
                         From The Dallas Times Herald

Beware The Hacker Tracker                                       December, 1986
By Lamont Wood of Texas Computer Market Magazines

If you want to live like a spy in your own country, you don't have to join the
CIA or the M15 or the KGB.  You can track hackers, like John Maxfield of

Maxfield is a computer security consultant running a business called
BoardScan, which tracks hackers for business clients.  He gets occasional
death threats and taunting calls from his prey, among whom he is known as the
"hacker tracker," and answers the phone warily.

And although he has received no personal harassment, William Tener, head of
data security for the information services division of TRW, Inc., has found it
necessary to call in experts in artificial intelligence from the aerospace
industry in an effort to protect his company's computer files.  TRW is a juicy
target for hackers because the firm stores personal credit information on
about 130 million Americans and 11 million businesses -- data many people
would love to get hold of.

Maxfield estimates that the hacker problem has increased by a factor of 10 in
the last four years, and now seems to be doubling every year.  "Nearly every
system can be penetrated by a 14-year old with $200 worth of equipment," he
complains.  "I have found kids as young as nine years old involved in hacking.
If such young children can do it, think of what an adult can do."

Tener estimates that there are as many as 5,000 private computer bulletin
boards in the country, and that as many as 2,000 are hacker boards.  The rest
are as for uses as varied as club news, customer relations, or just as a hobby.
Of the 2,000 about two dozen are used by "elite" hackers, and some have
security features as good as anything used by the pentagon, says Maxfield.

The number of hackers themselves defies estimation, if only because the users
of the boards overlap.  They also pass along information from board to board.
Maxfield says he has seen access codes posted on an east coast bulletin board
that appeared on a west coast board less than an hour later, having passed
through about ten boards in the meantime.  And within hours of the posting of
a new number anywhere, hundreds of hackers will try it.

"Nowadays, every twerp with a Commodore 64 and a modem can do it, all for the
ego trip of being the nexus for forbidden knowledge," sighs a man in New York
City, known either as "Richard Cheshire" or "Chesire Catalyst" -- neither is
his real name.  Cheshire was one of the earliest computer hackers, from the
days when the Telex network was the main target, and was the editor of TAP, a
newsletter for hackers and phone "phreaks".  Oddly enough, TAP itself was an
early victim of the hacker upsurge.  "The hacker kids had their bulletin
boards and didn't need TAP -- we were technologically obsolete," he recalls.

So who are these hackers and what are they doing?  Tener says most of the ones
he has encountered have been 14 to 18 year old boys, with good computer
systems, often bright, middle class, and good students.  They often have a
reputation for being loners, if only because they spend hours by themselves at
a terminal, but he's found out-going hacker athletes.

But Maxfield is disturbed by the sight of more adults and criminals getting
involved.  Most of what the hackers do involves "theft of services" -- free
access to Compuserve, The Source, or other on-line services or corporate
systems.  But, increasingly, the hackers are getting more and more into credit
card fraud.

Maxfield and Cheshire describe the same process -- the hackers go through
trash bins outside businesses whose computer they want to break into looking
for manuals or anything that might have access codes on it.  They may find it,
but they also often find carbon copies of credit card sales slips, from which
they can read credit card numbers.  They use these numbers to order
merchandise -- usually computer hardware -- over the phone and have it
delivered to an empty house in their neighborhood, or to a house where nobody
is home during the day. Then all they have to do is be there when the delivery
truck arrives.

"We've only been seeing this in the last year," Maxfield complains.  "But now
we find adults running gangs of kids who steal card numbers for them.  The
adults resell the merchandise and give the kids a percentage of the money."

It's best to steal the card number of someone rich and famous, but since
that's usually not possible it's a good idea to be able to check the victim's
credit, because the merchant will check before approving a large credit card
sale.  And that's what makes TRW such a big target -- TRW has the credit
files.  And the files often contain the number of any other credit cards the
victim owns, Maxfield notes.

The parents of the hackers, meanwhile, usually have no idea what their boy is
up to -- he's in his room playing, so what could be wrong?  Tener recalls a
case where the parents complained to the boy about the high phone bill one
month.  And the next month the bill was back to normal.  And so the parents
were happy.  But the boy had been billing the calls to a stolen telephone
company credit card.

"When it happens the boy is caught and taken to jail, you usually see that the
parents are disgruntled at the authorities -- they still think that Johnny was
just playing in his bedroom.  Until, of course, they see the cost of Johnny's
play time, which can run $50,000 to $100,000.  But outside the cost, I have
never yet seen a parent who was really concerned that somebody's privacy has
been invaded -- they just think Johnny's really smart," Tener says.

TRW will usually move against hackers when they see a TRW file or access
information on a bulletin board.  Tener says they usually demand payment for
their investigation costs, which average about $15,000.

Tales of the damage hackers have caused often get exaggerated.  Tener tells of
highly publicized cases of hackers who, when caught, bragged about breaking
into TRW, when no break-ins had occurred.  But Maxfield tells of two 14-year
old hackers who were both breaking into and using the same corporate system.
They had an argument and set out to erase each other's files, and in the
process erased other files that cost about a million dollars to replace.
Being juveniles, they got off free.

After being caught, Tener says most hackers find some other hobby.  Some,
after turning 18, are hired by the firms they previously raided.  Tener says
it rare to see repeat offenders, but Maxfield tells of one 14-year-old repeat
offender who was first caught at age 13.

Maxfield and Tener both make efforts to follow the bulletin boards, and
Maxfield even has a network of double agents and spies within the hacker
community.  Tener uses artificial intelligence software to examine the day's
traffic to look for suspicious patterns.  TRW gets about 40,000 inquiries an
hour and has about 25,000 subscribers.  But that does not address the
underlying problem.

"The real problem is that these systems are not well protected, and some can't
be protected at all," Maxfield says.

Cheshire agrees.  "A lot of companies have no idea what these kids can do to
them," he says.  "If they would make access even a little difficult the kids
will go on to some other system."  As for what else can be done, he notes that
at MIT the first thing computer students are taught is how to crash the
system. Consequently, nobody bothers to do it.

But the thing that annoys old-timer Cheshire (and Maxfield as well) is that
the whole hacker-intruder-vandal-thief phenomenon goes against the ideology of
the original hackers, who wanted to explore systems, not vandalize them.
Cheshire defines the original "hacker ethic" as the belief that information is
a value-free resource that should be shared.  In practice, it means users
should add items to files, not destroy them, or add features to programs,
rather than pirate them.

"These kids want to make a name for themselves, and they think that they need
to do something dirty to do that.  But they do it just as well by doing
something clever, such as leaving a software bug report on a system," he

Meanwhile, Maxfield says we are probably stuck with the problem at least until
the phone systems converts to digital technology, which should strip hackers
of anonymity by making their calls easy to trace.

Until someone figures out how to hack digital phone networks, of course. -TCM

                        Typed for PWN by Druidic Death

                               ==Phrack Inc.==

                  Volume Two, Issue Eleven, Phile #12 of 12

PWN                                                                         PWN
PWN                      *>=-{ Phrack World News }-=<*                      PWN
PWN                                                                         PWN
PWN                                Issue XI                                 PWN
PWN                                                                         PWN
PWN                      Written, Compiled, and Edited                      PWN
PWN                           by Knight Lightning                           PWN
PWN                                                                         PWN

Computer Bulletin Boards                                       January 8, 1986
By The KTVI Channel 2 News Staff in St. Louis

Please keep in mind that Karen and Russ are anchor persons at KTVI.
All comments in []s are by me.-KL
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Karen:  If Santa Claus brought you a computer for Christmas, beware of seeing
        a few things you may not have bargained for.  Computer bulletin boards
        have spread by the thousands over the past few years and now some
        people are concerned that the electronic messages may have gotten a
        bit out of hand.

Russ:  In its simplest definition, a computer bulletin board is a program or
       message that can be accessed by other computers via telephone lines.
       Anyone who has a home computer and a modem can receive and transmit to
       computer bulletin boards.  There are thousands of them nationwide, but
       some are causing quite a stink [What a profound statement Russ].

               [Flash to a picture of a geeky looking teenager]

       Meet Jason Rebbe, he is a 16 year old computer whiz who a few months
       ago accidentally tapped into a bulletin board called Dr. Doom's Castle.
       [Sorry to break in here Russ, but why is this guy a computer whiz?
       Just because he has a computer?  Hey Russ, look a little closer, isn't
       Jason sitting in front of a Commodore-64?  I thought so.  Oh yeah one
       other thing, this BBS Dr. Doom's Castle has no known relation to Dr.
       Doom (512) or Danger Zone Private.]  Dr. Doom gives instructions on how
       to build bombs and guns [Lions and Tigers and Bears, oh my!].  Jason
       found the recipe for smoke bombs and tried to make one in his kitchen,
       it didn't work.  [Ba ha ha].

Jason:  I heard an explosion in the basement first and that's when I knew
        something was wrong.  I thought it would be really neat to just set it
        off someday when there was a lot of people around, just as a joke or a
        prank.  [Yeah, that would be K-Rad d00d!].  I didn't expect it to blow
        up my house.

Russ:  Jason wasn't hurt, but it cost about 2 grand [that's $2,000 to you and
       me] to repair the kitchen.  Jason's dad didn't take it well.

Bob Holloway:  Mad wasn't the word for it.  I, I was, I was past mad.

Russ:  Mr. Holloway called Southwestern Bell and AT&T to see what could be
       done about bulletin boards like Dr. Doom's Castle.  The answer was
       nothing.  The Bureau of Alcohol, Tobacco, and Firearms said the same

Daniel Hoggart (Bureau of Alcohol, Tobacco, and Firearms): There is no
               violation in publishing the information.  The violation only
               occurs when someone actually follows through on the
               instructions and actually constructs a bomb.

Russ:  Another bulletin board that is becoming more and more prevalent these
       days is the Aryian Nation.  This one [bulletin board] in Chicago says,
       "If you are an anti-Communist you have made the right connection...on
       the other hand, if you are consumed with such myths as
       Judeo-Christianity, you most definitely dialed the wrong number."

Stan Anderman (Anti-Defamation League):  Some of this really extreme hatred
              is an attempt to create an environment where violence becomes

Russ:  Like most computer bulletin boards the Aryian Nation message is legal
       and falls under free speech laws.  However, a bill is scheduled to go
       to congress this session outlawing the kinds of bulletin boards we saw
       here tonight.

       But, for the moment, hackers should not be too surprised if something
       unusual pops up on their computer terminal.  [Ahem, Russ, you did it
       again.  All computer users are *NOT* hackers.]

                  Typed For PWN's Usage by Knight Lightning

MIT Unix:  Victim or Aggressor?                  January 23 - February 2, 1987
Is the MIT system an innocent victim of hacker oppression or simply another
trap to capture unsuspecting hackers in the act?

It all started like this...

      [Some posts have been slightly edited to be relevant to the topic]

Name: Druidic Death
Date: 12:49 am  Mon Jan 20, 1986

Lately I've been messing around on MIT's VAX in there Physics Department.

Recently some one else got on there and did some damage to files.  However MIT
told me that they'll still trust us to call them.  The number is:


We have to agree to the following or we will be kicked off, they will create a
"hacker" account for us.

<1>  Use only GUEST, RODNEY, and GAMES.  No other accounts until the
     hacker one is made.  There are no passwords on these accounts.

<2>  Make sure we log off properly.  Control-D.  This is a UNIX system.

<3>  Not to call between 9 AM and 5 PM Eastern Standard Time.  This
     is to avoid tying up the system.

<4>  Leave mail to GEORGE only with UNIX questions (or C).  And leave our
     handles so he'll know who we are.

Name: Celtic Phrost
Date: 4:16 pm  Mon Jan 20, 1986

Thanks Death for the MIT computer, I've been working on getting into them for
weeks.  Here's another you can play around with:


Or use a WHO command at the logon to see other accounts, it has been a long
time since I played with that system, so I am unsure if the GUEST account
still works, but if you use the WHO command you should see the GUEST account
needed for applying for your own account.

Name: Celtic Phrost
Date: 5:35 pm  Mon Jan 20, 1986

Ok, sorry, but I just remembered the application account, its: OPEN
Gawd, I am glad I got that off my chest!

    -(A relieved)Celtic Phrost.

Also on that MIT computer Death listed, some other default accounts are:

          LONG          MIKE          GREG          NEIL          DAN

Get the rest yourself, and please people, LEAVE THEM UNPASSWORDED!

Name: Druidic Death #12
Date: 1:16 am  Fri Jan 23, 1987

MIT is pretty cool.  If you haven't called yet, try it out.  Just PLEASE make
sure you follow the little rules they asked us about! If someone doesn't do
something right the sysop leaves the gripe mail to me.  Check out my directory
under the guest account just type "cd Dru".  Read the first file.

Name: Ctrl C
Date: 12:56 pm  Sat Jan 24, 1987

MIT Un-Passworded Unix Accounts:   617-253-XXXX


And PLEASE don't change the Passwords....

         -=>Ctrl C<=-
MIT Again
Name: Druidic Death
Date: 1:00 pm  Wed Jan 28, 1987

Ok people, MIT is pissed, someone hasn't been keeping the bargain and they
aren't too thrilled about it.   There were only three things they asked us to
do, and they were reasonable too.  All they wanted was for us to not
compromise the security much more than we had already, logoff properly, not
leave any processes going, and call only during non-business hours, and we
would be able to use the GUEST accounts as much as we like.

Someone got real nice and added themselves to the "daemon" group which is
superusers only, the name was "celtic".  Gee, I wonder who that could have
been?  I'm not pissed at anyone, but I'd like to keep on using MIT's
computers, and they'd love for us to be on, but they're getting paranoid.
Whoever is calling besides me, be cool ok?  They even gave me a voice phone to
chat with their sysops with.  How often do you see this happen?

a little perturbed but not pissed...

Tsk, Celtic.
Name: Evil Jay
Date: 9:39 am  Thu Jan 29, 1987

Well, personally I don't know why anyone would want to be a superuser on the
system in question. Once you've been on once, there is really nothing that
interesting to look at...but anyway.

In trouble again...
Name: Celtic Phrost
Date: 2:35 pm  Fri Jan 30, 1987

...I was framed!! I did not add myself to any "daemon" group on any MIT UNIX.
I did call once, and I must admit I did hang up without logging off, but this
was due to a faulty program that would NOT allow me to break out of it, no
matter what I tried.  I am sure that I didn't cause any damage by that.

Major Problems
Name: Druidic Death
Date: 12:20 pm  Sat Jan 31, 1987

OK, major stuff going down.  Some unidentified individual logged into the
Physics Dept's PDP11/34 at 617-253-XXXX and was drastically violating the
"agreement" we had reached.  I was the one that made the "deal" with them.
And they even gave me a voice line to talk to them with.

Well, one day I called the other Physics computer, the office AT and
discovered that someone created an account in the superuser DAEMON group
called "celtic". Well, I was contacted by Brian through a chat and he told me
to call him.  Then he proceeded to nicely inform me that "due to unauthorized
abuse of the system, the deal is off".

He was cool about it and said he wished he didn't have to do that.  Then I
called George, the guy that made the deal and he said that someone who said he
was "Celtic Phrost" went on to the system and deleted nearly a year's worth of
artificial intelligence data from the nuclear fission research base.

Needless to say I was shocked.  I said that he can't believe that it was one
of us, that as far as I knew everyone was keeping the deal.  Then he (quite
pissed off) said that he wanted all of our names so he can report us to the
FBI.  He called us fags, and all sorts of stuff, he was VERY!! [underline
twice] PISSED! I don't blame him.  Actually I'm not blaming Celtic Phrost, it
very easily could have been a frame up.

But another thing is George thinks that Celtic Phrost and Druidic Death are
one and the same, in other words, he thinks that *I* stabbed him in the back.
Basically he just doesn't understand the way the hacker community operates.

Well, the deal is off, they plan to prosecute whoever they can catch.  Since
George is my best friend's brother I have not only lost a friend, but I'm
likely to see some legal problems soon.  Also, I can forget about doing my
graduate work at MIT.  Whoever did this damage to them, I hope you're happy.
You really messed things up real nice for a lot of people.

Celtic, I don't have any reason to believe you messed with them.  I also have
no reason to think you didn't.  I'm not making an accusation against you, but
WHOEVER did this, deserves to be shot as far as I'm concerned.  Until this
data was lost, they were on the verge of harnessing a laser-lithium produced
form of nuclear fission that would have been more efficient than using the
standard hydrogen.  Well, back to the drawing board now.

I realize that it's hard to believe that they would have data like this on
this system.  But they were quite stupid in many other areas too.  Leaving the
superuser account with no password??  Think about it.

It's also possible that they were exaggerating.  But regardless, damage seems
to have been done.

Name: Phreakenstein
Date: 1:31 am  Sun Feb 01, 1987

Heck! I dunno, but whoever it was, I think, should let himself (the s00per
K-rad elyte d00d he is) be known.

I wasn't on MIT, but it was pretty dumb of MIT to even let Hackers on.  I
wouldn't really worry though, they did let you on, and all you have to prove
is that you had no reason to do it.

I wonder...
Name: Ax Murderer #15
Date: 6:43 pm  Sun Feb 01, 1987

I highly doubt that is was someone on this system.  Since this is an elite
board, I think all the users are pretty decent and know right and wrong things
to do.  Could be that one of the users on this system called another system
and gave it out!??  Nahh...shooting the asshole is not enough, let's think of
something better.

Ax Murderer
It was stupid
Name: Druidic Death #12
Date: 9:21 pm  Sun Feb 01, 1987

It seems to me, or, what I gathered, they felt that there were going to be
hackers on the system to begin with and that this way they could keep
themselves basically safe.

I doubt that it was Celtic Phrost, I don't think he'd be an asshole like that.
But I can't say.  When I posted, I was pretty pissed about the whole deal.
I've calmed down now.  Psychic Warlord said something to me voice the other
day that made me stop and think.  What if this was a set up right from the
start? I mean, MIT won't give me specifics on just what supposedly happened,
Celtic Phrost denies everything, and the biggest part of it is what George
said to me.

"We can forgive you for what you did to us if you'll promise to go straight
and never do this again and just tell us who all of your friends are that are
on the system".

I didn't pay much attention to that remark at first, now I'm beginning to

I, of course, didn't narc on anyone.  (Who do I know??? hehe)

Name: Solid State
Date: 11:40 pm  Sun Feb 01, 1987

Well if they were serious about the FBI, I wouldn't take this too lightly.
Lately at Stanford there has been a lot of investigators that I've pinpointed
running around.  This is mainly due to the number of break-ins this summer.

Anyways, if a large college like MIT says they may call in the FBI, be wary,
but don't over-react.

Name: Delta-Master
Date: 7:15 am  Mon Feb 02, 1987

It wouldn't surprise me if it was some kind of setup, it's been done before.

Oh well...
Name: Evil Jay
Date: 8:56 am  Mon Feb 02, 1987

I think your all wrong.  The MIT lines have been around for a long time and
are widely known among the rodents.  Anyone with a g-file could hack out a
password on the system so it looks to me like someone just messed around and
just happened to use Phrost as a flunkie.  Oh well...

All posts taken from:
              /   )
              \___  |         |            __
                  \ |_   _   _|  _        (_   _   _        _
              (___/ | ) ( \ ( | (_) \/\/  __) | ) ( \ \/\/ | )

                "We're not ELITE...  we're just cool as hell."
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                 Information Provided indirectly/directly by

         Ax Murderer/Celtic Phrost/Ctrl C/Delta-Master/Druidic Death
                      Evil Jay/Phreakenstein/Solid State

Phortune 500:  Phreakdom's Newest Organization               February 16, 1987
For those of you who are in the least bit interested, Phortune 500 is a group
of telecommunication hobbyists who's goal is to spread information as well as
further their own knowledge in the world of telecommunications.  This new
group was formed by:

       Brew Associates/Handsomest One/Lord Lawless/The Renegade Chemist
             Quinton J. Miranda/Striker/The Mad Hacker/The Spiker

These eight members are also known as Board Of Directors (BOD).  They don't
claim to be *Elite* in the sense that they are they world's greatest hackers,
but they ARE somewhat picky about their members.  They prefer someone who
knows a bit about everything and has talents exclusive to him/herself.

One of the projects that Phortune 500 has completed is an individual password
AE type system.  It's called TransPhor.  It was written and created by Brew
Associates.  It has been Beta tested on The Undergraduate Lounge (Sysoped by
Quinton J. Miranda).   It is due to be released to the public throughout the
next few months.

Phortune 500 has been in operation for about 4 months, and has released two
newsletters of their own.  The Phortune 500 Newsletter is quite like the
"People" of contemporary magazines.  While some magazines cover the deep
technical aspects of the world in which we communicate, their newsletter tries
to cover the lighter side while throwing in information that they feel is "of
technical nature."   The third issue is due to be released by the end of this
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
             *>=-> The Phortune 500 Membership Questionnaire <-=<*

Note:  The following information is of a totally confidential nature.  The
       reason you may find this so lengthy and in depth is for our knowledge
       of you. We, with Phortune 500, feel as though we should know
       prospective members well before we allow them into our organization.
       Pending the answers you supply us, you will be admitted to Phortune 500
       as a charter member.  Please answer the following completely...

Handle                          :
First Name                      :
Voice Phone Number              :
Data Phone Number               :
City & State                    :
Age                             :
Occupation (If Applicable)      :
Place of Employment (Optional)  :
Work Phone Number   (Optional)  :
Computer Type                   :
Modem Type                      :
Interests                       :
Areas Of Expertise              :
References (No More Than Three) :
Major Accomplishments (If Any)  :
Answer In 50 Words Or Less;

^*^  What Is Phortune 500 in Your Opinion?

^*^  Why Do You Want To Be Involved With Phortune 500?

^*^  How Can You Contribute to Phortune 500?

Please answer each question to the best of your ability and then return to any
Phortune 500 Board of Directors Member Or a Phortune 500 BBS:

           The Private Connection (Limited Membership) 219-322-7266
           The Undergraduate AE   (Private Files Only) 602-990-1573

                           Information provided by

             Quinton J. Miranda & Phortune 500 Board Of Directors

PWN Quicknote
At the University of Rhode Island there is supposed to be some undercover
agent for Bay Bell.  Supposedly he hangs out at the library and watches for
people checking out the Bell Technical Journals.  Then he asks questions like,
'What do you want those for?' 'Do you know what 2600Hz is?' and other similar
questions. He isn't registered at the school and of course has no classes.
[Sounds bogus to me...oh well-KL].       Information by Asmodeus Rex (1/21/87)